diff options
author | Luca Dariz <l.dariz@imamoter.cnr.t> | 2014-09-23 14:52:00 +0200 |
---|---|---|
committer | Cristian Cadar <c.cadar@imperial.ac.uk> | 2015-02-13 18:49:49 +0000 |
commit | dbe13e13a215aa7212b5737dd8903699301a4940 (patch) | |
tree | 95981808ecab4298b54544bc5c28a1b9a1373b1b /test/Feature | |
parent | 64a404f89da5aa6a99e688c007c56f1f422541bc (diff) | |
download | klee-dbe13e13a215aa7212b5737dd8903699301a4940.tar.gz |
Fix overflow detection in unsigned multiplication
Previously the check was done as unsigned int a, b, c; c = a * b; if (c < a) // error but it is wrong, since it catches only a subset of all the possible overflows. This patch improves the check as unsigned int a, b, c; if ((a > 1) && (b > 1){ if ((UINT_MAX/a) < b) // error } An additional case has been added to the tests, with two 32-bit values that cause overflow and are not detected by the old check. It is also necessary to break the lowering procedure in case the current BasicBlock is splitted; in this case it was necessary in order not to trigger the division by 0 error.
Diffstat (limited to 'test/Feature')
-rw-r--r-- | test/Feature/ubsan_mul_overflow.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/test/Feature/ubsan_mul_overflow.c b/test/Feature/ubsan_mul_overflow.c index bbf6df06..12300b05 100644 --- a/test/Feature/ubsan_mul_overflow.c +++ b/test/Feature/ubsan_mul_overflow.c @@ -1,7 +1,8 @@ // RUN: %llvmgcc %s -fsanitize=unsigned-integer-overflow -emit-llvm -g -O0 -c -o %t.bc // RUN: %klee %t.bc 2> %t.log // RUN: grep -c "overflow on unsigned multiplication" %t.log -// RUN: grep -c "ubsan_mul_overflow.c:16: overflow" %t.log +// RUN: grep -c "ubsan_mul_overflow.c:18: overflow" %t.log +// RUN: grep -c "ubsan_mul_overflow.c:19: overflow" %t.log #include "klee/klee.h" @@ -9,11 +10,13 @@ int main() { unsigned int x; unsigned int y; + uint32_t x2=3147483648, y2=3727483648; volatile unsigned int result; klee_make_symbolic(&x, sizeof(x), "unsigned add 1"); klee_make_symbolic(&y, sizeof(y), "unsigned add 2"); result = x * y; + result = x2 * y2; return 0; } |