Fix overflow detection in unsigned multiplication

Previously the check was done as

	unsigned int a, b, c;
	c = a * b;
	if (c < a)
		// error

but it is wrong, since it catches only a subset of all the
possible overflows.
This patch improves the check as

	unsigned int a, b, c;
	if ((a > 1) && (b > 1){
		if ((UINT_MAX/a) < b)
			// error
	}

An additional case has been added to the tests, with two 32-bit
values that cause overflow and are not detected by the old check.

It is also necessary to break the lowering procedure in case the current
BasicBlock is splitted; in this case it was necessary in order not to
trigger the division by 0 error.

1 files changed, 4 insertions, 1 deletions

diff --git a/test/Feature/ubsan_mul_overflow.c b/test/Feature/ubsan_mul_overflow.c
index bbf6df06..12300b05 100644
--- a/test/Feature/ubsan_mul_overflow.c
+++ b/test/Feature/ubsan_mul_overflow.c
@@ -1,7 +1,8 @@
 // RUN: %llvmgcc %s -fsanitize=unsigned-integer-overflow -emit-llvm -g -O0 -c -o %t.bc
 // RUN: %klee %t.bc 2> %t.log
 // RUN: grep -c "overflow on unsigned multiplication" %t.log
-// RUN: grep -c "ubsan_mul_overflow.c:16: overflow" %t.log
+// RUN: grep -c "ubsan_mul_overflow.c:18: overflow" %t.log
+// RUN: grep -c "ubsan_mul_overflow.c:19: overflow" %t.log
 
 #include "klee/klee.h"
 
@@ -9,11 +10,13 @@ int main()
 {
   unsigned int x;
   unsigned int y;
+  uint32_t x2=3147483648, y2=3727483648;
   volatile unsigned int result;
 
   klee_make_symbolic(&x, sizeof(x), "unsigned add 1");
   klee_make_symbolic(&y, sizeof(y), "unsigned add 2");
   result = x * y;
+  result = x2 * y2;
 
   return 0;
 }