authorCristian Cadar <c.cadar@imperial.ac.uk>2023-08-18 15:32:52 +0100
committerMartinNowack <2443641+MartinNowack@users.noreply.github.com>2023-09-11 11:23:24 +0100
commit2e393db175cd55662f369d15905ce4eb44b154a9 (patch)
tree5fce2165c62b9671ef4a7b91bb93a13afa9005cd
parent9912da3912436a71949b1b97d96975bddcb169e3 (diff)
downloadklee-2e393db175cd55662f369d15905ce4eb44b154a9.tar.gz
Changed use-after-free and double-free tests to expect KDAlloc, plus some small improvements.
-rw-r--r--test/Feature/DoubleFree.c8
-rw-r--r--test/Feature/MultipleFreeResolution.c10
-rw-r--r--test/Feature/OneFreeError.c8
-rw-r--r--test/regression/2007-10-11-illegal-access-after-free-and-branch.c14
4 files changed, 23 insertions, 17 deletions
diff --git a/test/Feature/DoubleFree.c b/test/Feature/DoubleFree.c
index 96cf9bcd..c8fb1974 100644
--- a/test/Feature/DoubleFree.c
+++ b/test/Feature/DoubleFree.c
@@ -1,12 +1,14 @@
 // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc
 // RUN: rm -rf %t.klee-out
-// RUN: %klee --output-dir=%t.klee-out %t1.bc 2>&1 | FileCheck %s
+// RUN: %klee --output-dir=%t.klee-out --kdalloc %t1.bc 2>&1 | FileCheck %s
 // RUN: test -f %t.klee-out/test000001.ptr.err
 
+#include <stdlib.h>
+
 int main() {
-  int *x = malloc(4);
+  int *x = malloc(sizeof(*x));
   free(x);
-  // CHECK: memory error: invalid pointer: free
+  // CHECK: memory error: double free
   free(x);
   return 0;
 }
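Review bot: The double-free CHECK above the second `free(x)` is not tied to a source location, so any `memory error: double free` line in the output satisfies it, whereas OneFreeError.c in this same commit pins its error with `[[@LINE+1]]`. Adding `-g` to the `%clang` RUN line and writing `// CHECK: DoubleFree.c:[[@LINE+1]]: memory error: double free` would make this test equally strict, assuming KLEE prints the location for this error as it does for the others. Separately, every KLEE RUN line changed here and in MultipleFreeResolution.c, OneFreeError.c and the 2007-10-11 regression test now passes `--kdalloc`, so the messages reported without it (`invalid pointer: free`, `out of bound pointer`) are no longer checked by these four files; a second RUN line with its own `--check-prefix` would keep both allocator paths covered.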
diff --git a/test/Feature/MultipleFreeResolution.c b/test/Feature/MultipleFreeResolution.c
index aa931c13..f30eabed 100644
--- a/test/Feature/MultipleFreeResolution.c
+++ b/test/Feature/MultipleFreeResolution.c
@@ -1,9 +1,11 @@
 // RUN: %clang %s -g -emit-llvm %O0opt -c -o %t1.bc
 // RUN: rm -rf %t.klee-out
-// RUN: %klee --output-dir=%t.klee-out --emit-all-errors %t1.bc 2>&1 | FileCheck %s
+// RUN: %klee --output-dir=%t.klee-out --kdalloc --emit-all-errors %t1.bc 2>&1 | FileCheck %s
 // RUN: ls %t.klee-out/ | grep .ktest | wc -l | grep 4
 // RUN: ls %t.klee-out/ | grep .err | wc -l | grep 3
 
+#include "klee/klee.h"
+
 #include <stdio.h>
 #include <stdlib.h>
 
@@ -34,9 +36,9 @@ int main() {
   free(buf[s]);
 
   for (i = 0; i < 3; i++) {
-    // CHECK: MultipleFreeResolution.c:[[@LINE+3]]: memory error: out of bound pointer
-    // CHECK: MultipleFreeResolution.c:[[@LINE+2]]: memory error: out of bound pointer
-    // CHECK: MultipleFreeResolution.c:[[@LINE+1]]: memory error: out of bound pointer
+    // CHECK: MultipleFreeResolution.c:[[@LINE+3]]: memory error: use after free
+    // CHECK: MultipleFreeResolution.c:[[@LINE+2]]: memory error: use after free
+    // CHECK: MultipleFreeResolution.c:[[@LINE+1]]: memory error: use after free
     printf("*buf[%d] = %d\n", i, *buf[i]);
   }
 
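Review bot: The three identical `use after free` CHECK lines above the `printf` differ only in their `[[@LINE+N]]` offset, which is easy to get wrong when the loop body is edited. If the FileCheck versions the project supports provide it, a single `// CHECK-COUNT-3: MultipleFreeResolution.c:[[@LINE+1]]: memory error: use after free` states the same expectation once. main starts and ends outside this hunk, so how the three errors arise from `buf[s]` is not visible here.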
diff --git a/test/Feature/OneFreeError.c b/test/Feature/OneFreeError.c
index 7eed722a..aa403717 100644
--- a/test/Feature/OneFreeError.c
+++ b/test/Feature/OneFreeError.c
@@ -1,12 +1,14 @@
 // RUN: %clang %s -g -emit-llvm %O0opt -c -o %t1.bc
 // RUN: rm -rf %t.klee-out
-// RUN: %klee --output-dir=%t.klee-out %t1.bc 2>&1 | FileCheck %s
+// RUN: %klee --output-dir=%t.klee-out --kdalloc %t1.bc 2>&1 | FileCheck %s
 // RUN: test -f %t.klee-out/test000001.ptr.err
 
+#include <stdlib.h>
+
 int main() {
-  int *x = malloc(4);
+  int *x = malloc(sizeof(*x));
   free(x);
-  // CHECK: OneFreeError.c:[[@LINE+1]]: memory error: out of bound pointer
+  // CHECK: OneFreeError.c:[[@LINE+1]]: memory error: use after free
   x[0] = 1;
   return 0;
 }
diff --git a/test/regression/2007-10-11-illegal-access-after-free-and-branch.c b/test/regression/2007-10-11-illegal-access-after-free-and-branch.c
index 0b4f0833..851c578d 100644
--- a/test/regression/2007-10-11-illegal-access-after-free-and-branch.c
+++ b/test/regression/2007-10-11-illegal-access-after-free-and-branch.c
@@ -1,21 +1,21 @@
 // RUN: %clang %s -emit-llvm -g -c -o %t1.bc
 // RUN: rm -rf %t.klee-out
-// RUN: %klee --output-dir=%t.klee-out --optimize %t1.bc 2>&1 | FileCheck %s
+// RUN: %klee --output-dir=%t.klee-out --kdalloc --optimize %t1.bc 2>&1 | FileCheck %s
 // RUN: test -f %t.klee-out/test000001.ptr.err
 
+#include "klee/klee.h"
+
 #include <stdlib.h>
-#include <stdio.h>
-#include <assert.h>
 
 int main(int argc, char **argv) {
   unsigned char *buf = malloc(3);
   klee_make_symbolic(buf, 3, "buf");
-  if (buf[0]>4) klee_silent_exit(0);
+  if (buf[0] > 4)
+    klee_silent_exit(0);
   unsigned char x = buf[1];
   free(buf);
-  if (x)
-  {
-    // CHECK: 2007-10-11-illegal-access-after-free-and-branch.c:19: memory error: out of bound pointer
+  if (x) {
+    // CHECK: 2007-10-11-illegal-access-after-free-and-branch.c:[[@LINE+1]]: memory error: use after free
     return buf[2];
   }
   klee_silent_exit(0);
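Review bot: The test body has no comment explaining why `x` is loaded before `free(buf)` and only branched on afterwards, which appears to be the scenario the file name describes. A one-line comment above `if (x) {` such as `// x was loaded before free(); only the x != 0 path touches buf again` would make clear that the expected `use after free` comes from `return buf[2]` alone. main continues past the end of this hunk.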