diff options
-rw-r--r-- | test/Feature/DoubleFree.c | 8 | ||||
-rw-r--r-- | test/Feature/MultipleFreeResolution.c | 10 | ||||
-rw-r--r-- | test/Feature/OneFreeError.c | 8 | ||||
-rw-r--r-- | test/regression/2007-10-11-illegal-access-after-free-and-branch.c | 14 |
4 files changed, 23 insertions, 17 deletions
diff --git a/test/Feature/DoubleFree.c b/test/Feature/DoubleFree.c index 96cf9bcd..c8fb1974 100644 --- a/test/Feature/DoubleFree.c +++ b/test/Feature/DoubleFree.c @@ -1,12 +1,14 @@ // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc // RUN: rm -rf %t.klee-out -// RUN: %klee --output-dir=%t.klee-out %t1.bc 2>&1 | FileCheck %s +// RUN: %klee --output-dir=%t.klee-out --kdalloc %t1.bc 2>&1 | FileCheck %s // RUN: test -f %t.klee-out/test000001.ptr.err +#include <stdlib.h> + int main() { - int *x = malloc(4); + int *x = malloc(sizeof(*x)); free(x); - // CHECK: memory error: invalid pointer: free + // CHECK: memory error: double free free(x); return 0; } diff --git a/test/Feature/MultipleFreeResolution.c b/test/Feature/MultipleFreeResolution.c index aa931c13..f30eabed 100644 --- a/test/Feature/MultipleFreeResolution.c +++ b/test/Feature/MultipleFreeResolution.c @@ -1,9 +1,11 @@ // RUN: %clang %s -g -emit-llvm %O0opt -c -o %t1.bc // RUN: rm -rf %t.klee-out -// RUN: %klee --output-dir=%t.klee-out --emit-all-errors %t1.bc 2>&1 | FileCheck %s +// RUN: %klee --output-dir=%t.klee-out --kdalloc --emit-all-errors %t1.bc 2>&1 | FileCheck %s // RUN: ls %t.klee-out/ | grep .ktest | wc -l | grep 4 // RUN: ls %t.klee-out/ | grep .err | wc -l | grep 3 +#include "klee/klee.h" + #include <stdio.h> #include <stdlib.h> @@ -34,9 +36,9 @@ int main() { free(buf[s]); for (i = 0; i < 3; i++) { - // CHECK: MultipleFreeResolution.c:[[@LINE+3]]: memory error: out of bound pointer - // CHECK: MultipleFreeResolution.c:[[@LINE+2]]: memory error: out of bound pointer - // CHECK: MultipleFreeResolution.c:[[@LINE+1]]: memory error: out of bound pointer + // CHECK: MultipleFreeResolution.c:[[@LINE+3]]: memory error: use after free + // CHECK: MultipleFreeResolution.c:[[@LINE+2]]: memory error: use after free + // CHECK: MultipleFreeResolution.c:[[@LINE+1]]: memory error: use after free printf("*buf[%d] = %d\n", i, *buf[i]); } diff --git a/test/Feature/OneFreeError.c b/test/Feature/OneFreeError.c index 7eed722a..aa403717 100644 --- a/test/Feature/OneFreeError.c +++ b/test/Feature/OneFreeError.c @@ -1,12 +1,14 @@ // RUN: %clang %s -g -emit-llvm %O0opt -c -o %t1.bc // RUN: rm -rf %t.klee-out -// RUN: %klee --output-dir=%t.klee-out %t1.bc 2>&1 | FileCheck %s +// RUN: %klee --output-dir=%t.klee-out --kdalloc %t1.bc 2>&1 | FileCheck %s // RUN: test -f %t.klee-out/test000001.ptr.err +#include <stdlib.h> + int main() { - int *x = malloc(4); + int *x = malloc(sizeof(*x)); free(x); - // CHECK: OneFreeError.c:[[@LINE+1]]: memory error: out of bound pointer + // CHECK: OneFreeError.c:[[@LINE+1]]: memory error: use after free x[0] = 1; return 0; } diff --git a/test/regression/2007-10-11-illegal-access-after-free-and-branch.c b/test/regression/2007-10-11-illegal-access-after-free-and-branch.c index 0b4f0833..851c578d 100644 --- a/test/regression/2007-10-11-illegal-access-after-free-and-branch.c +++ b/test/regression/2007-10-11-illegal-access-after-free-and-branch.c @@ -1,21 +1,21 @@ // RUN: %clang %s -emit-llvm -g -c -o %t1.bc // RUN: rm -rf %t.klee-out -// RUN: %klee --output-dir=%t.klee-out --optimize %t1.bc 2>&1 | FileCheck %s +// RUN: %klee --output-dir=%t.klee-out --kdalloc --optimize %t1.bc 2>&1 | FileCheck %s // RUN: test -f %t.klee-out/test000001.ptr.err +#include "klee/klee.h" + #include <stdlib.h> -#include <stdio.h> -#include <assert.h> int main(int argc, char **argv) { unsigned char *buf = malloc(3); klee_make_symbolic(buf, 3, "buf"); - if (buf[0]>4) klee_silent_exit(0); + if (buf[0] > 4) + klee_silent_exit(0); unsigned char x = buf[1]; free(buf); - if (x) - { - // CHECK: 2007-10-11-illegal-access-after-free-and-branch.c:19: memory error: out of bound pointer + if (x) { + // CHECK: 2007-10-11-illegal-access-after-free-and-branch.c:[[@LINE+1]]: memory error: use after free return buf[2]; } klee_silent_exit(0); |