authorLukas Wölfer <lukas.woelfer@rwth-aachen.de>2018-09-23 03:12:16 +0200
committerCristian Cadar <c.cadar@imperial.ac.uk>2018-09-30 21:45:17 +0100
commitf05935dc16bda1748d02a71cb0278fa4ec03c12b (patch)
treee8813785fd25f1c7c718900a8099baf31d5a3210
parent40c1ab5c3d144cde0a513b708b6fb46f2ae1a0dd (diff)
downloadklee-f05935dc16bda1748d02a71cb0278fa4ec03c12b.tar.gz
Fix a crash when the last running state is terminated during merging
-rw-r--r--lib/Core/Executor.cpp9
-rw-r--r--test/Merging/state_termination.c21
2 files changed, 27 insertions, 3 deletions
diff --git a/lib/Core/Executor.cpp b/lib/Core/Executor.cpp
index 04fd6941..3e37a6c6 100644
--- a/lib/Core/Executor.cpp
+++ b/lib/Core/Executor.cpp
@@ -2584,9 +2584,6 @@ void Executor::executeInstruction(ExecutionState &state, KInstruction *ki) {
 void Executor::updateStates(ExecutionState *current) {
   if (searcher) {
     searcher->update(current, addedStates, removedStates);
-    searcher->update(nullptr, continuedStates, pausedStates);
-    pausedStates.clear();
-    continuedStates.clear();
   }
   
   states.insert(addedStates.begin(), addedStates.end());
@@ -2607,6 +2604,12 @@ void Executor::updateStates(ExecutionState *current) {
     delete es;
   }
   removedStates.clear();
+
+  if (searcher) {
+    searcher->update(nullptr, continuedStates, pausedStates);
+    pausedStates.clear();
+    continuedStates.clear();
+  }
 }
 
 template <typename TypeIt>
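Review bot: Reporting continuedStates/pausedStates to the searcher only after the `delete es` loop means that any state present in both removedStates and one of those two vectors is now handed to the searcher as a freed pointer; nothing in this hunk rules out that overlap, and whether terminateState keeps the vectors disjoint is not visible here. The ordering is load-bearing for the crash this commit fixes, so the new block deserves a comment stating the contract, e.g. `// Report paused/continued states only after removedStates has been drained; they must not contain a state that was just deleted above.`, and if the overlap is genuinely impossible an `assert` to that effect would turn a silent use-after-free into a diagnosed failure. The body of updateStates begins outside this hunk.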
diff --git a/test/Merging/state_termination.c b/test/Merging/state_termination.c
new file mode 100644
index 00000000..52986f4b
--- /dev/null
+++ b/test/Merging/state_termination.c
@@ -0,0 +1,21 @@
+// RUN: %llvmgcc -emit-llvm -g -c -o %t.bc %s
+// RUN: rm -rf %t.klee-out
+// RUN: %klee --output-dir=%t.klee-out --use-merge --debug-log-merge --search=dfs  %t.bc 
+
+#include <klee/klee.h>
+
+int main(int argc, char** args){
+
+  int x;
+
+  char str[5];
+  klee_make_symbolic(str, sizeof(str), "str");
+  char *s = str;
+
+  klee_open_merge();
+  while(*s != 's')
+      s++;
+  klee_close_merge();
+
+  return 0;
+}
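Review bot: The loop `while(*s != 's') s++;` walks `s` past the 5-byte `str` whenever no symbolic byte is 's', and nothing in the file says this is deliberate, so a reader may take the out-of-bounds read for a bug; a comment such as `// Deliberate: when no byte of str is 's', s runs off the buffer and the state is terminated inside the merge region, which is the case this test exercises.` would document the intent (that this access is what terminates the state is inferred from the commit title, not shown in the file). `int x;` is declared and never used and can be dropped. The RUN line only checks that klee exits cleanly; if the expected termination is visible in the --debug-log-merge output, a FileCheck line would pin the regression down more tightly.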