From 325c6cdcab632a6824be8ca9a926f4c4573adbdb Mon Sep 17 00:00:00 2001
From: Daniel Schemmel
Date: Thu, 1 Feb 2024 14:51:37 +0000
Subject: drop llvm 9 and 10
---
test/VectorInstructions/oob-llvm-lt11.c | 44 ----------------------
test/VectorInstructions/oob-read-llvm-geq11.c | 46 -----------------------
test/VectorInstructions/oob-read.c | 45 +++++++++++++++++++++++
test/VectorInstructions/oob-write-llvm-geq11.c | 51 --------------------------
test/VectorInstructions/oob-write.c | 49 +++++++++++++++++++++++++
5 files changed, 94 insertions(+), 141 deletions(-)
delete mode 100644 test/VectorInstructions/oob-llvm-lt11.c
delete mode 100644 test/VectorInstructions/oob-read-llvm-geq11.c
create mode 100644 test/VectorInstructions/oob-read.c
delete mode 100644 test/VectorInstructions/oob-write-llvm-geq11.c
create mode 100644 test/VectorInstructions/oob-write.c
(limited to 'test/VectorInstructions')
diff --git a/test/VectorInstructions/oob-llvm-lt11.c b/test/VectorInstructions/oob-llvm-lt11.c
deleted file mode 100644
index 9d80ef7d..00000000
--- a/test/VectorInstructions/oob-llvm-lt11.c
+++ /dev/null
@@ -1,44 +0,0 @@
-// REQUIRES: lt-llvm-11.0
-// RUN: %clang %s -emit-llvm %O0opt -g -c -o %t1.bc
-// RUN: rm -rf %t.klee-out
-// NOTE: Have to pass `--optimize=false` to avoid vector operations being
-// constant folded away.
-// RUN: %klee --output-dir=%t.klee-out --optimize=false %t1.bc > %t.stdout.log 2> %t.stderr.log
-// RUN: FileCheck -input-file=%t.stderr.log %s
-
-#include "klee/klee.h"
-
-#include
-#include
-#include
-
-typedef uint32_t v4ui __attribute__((vector_size(16)));
-int main() {
- v4ui f = {1, 2, 3, 4};
- int k = klee_range(0, 10, "k");
-
- if (k == 0) {
- // CHECK-DAG: [[@LINE+1]]: Out of bounds write when inserting element
- f[4] = 255; // Out of bounds write
- }
-
- if (k == 1) {
- // CHECK-DAG: [[@LINE+1]]: Out of bounds read when extracting element
- printf("f[4] = %u\n", f[5]); // Out of bounds
- }
-
- if (k > 6) {
- // Performing read should be ExtractElement instruction.
- // For now this is an expected limitation.
- // CHECK-DAG: [[@LINE+1]]: ExtractElement, support for symbolic index not implemented
- uint32_t readValue = f[k];
- }
- else {
- // Performing write should be InsertElement instructions.
- // For now this is an expected limitation.
- // CHECK-DAG: [[@LINE+1]]: InsertElement, support for symbolic index not implemented
- f[k] = 255;
- }
-
- return 0;
-}
diff --git a/test/VectorInstructions/oob-read-llvm-geq11.c b/test/VectorInstructions/oob-read-llvm-geq11.c
deleted file mode 100644
index 309e05b1..00000000
--- a/test/VectorInstructions/oob-read-llvm-geq11.c
+++ /dev/null
@@ -1,46 +0,0 @@
-// REQUIRES: geq-llvm-11.0
-// XFAIL: geq-llvm-11.0
-
-/* The scalarizer pass in LLVM 11 was changed to generate, for a
- read f[k], with k symbolic and f a 4-element vector:
- if k == 0 => f[0]
- elif k == 1 => f[1]
- elif k == 2 => f[2]
- elif k == 3 => f[3]
- else ==> undef
-
- Therefore, even though an OOB access might exist at the source code
- level, no such OOB accesses exist anymore at the LLVM IR level.
-
- And since undef is currently treated in KLEE as 0, an overflowing
- access is always translated as f[0], which may lead to future
- problems being missed.
-
- This test is marked as XFAIL as a reminder that we need to fix this
- behaviour, most likely by having undef return a new symbolic variable.
-*/
-
-// RUN: %clang %s -emit-llvm %O0opt -g -c -o %t1.bc
-// RUN: rm -rf %t.klee-out
-// NOTE: Have to pass `--optimize=false` to avoid vector operations being
-// constant folded away.
-// RUN: %klee --output-dir=%t.klee-out --optimize=false --exit-on-error %t1.bc 2>%t.log
-// RUN: FileCheck -input-file=%t.stderr.log %s
-
-#include "klee/klee.h"
-
-#include
-#include
-#include
-
-typedef uint32_t v4ui __attribute__((vector_size(16)));
-int main() {
- v4ui f = {1, 2, 3, 4};
- int k = klee_range(4, 10, "k");
-
- uint32_t v = f[k]; // Symbolic out-of-bounds read
- v = f[v]; // This should trigger an error, but currently this returns f[0] = 1
- assert(v != 1);
-
- return 0;
-}
diff --git a/test/VectorInstructions/oob-read.c b/test/VectorInstructions/oob-read.c
new file mode 100644
index 00000000..2584b3a0
--- /dev/null
+++ b/test/VectorInstructions/oob-read.c
@@ -0,0 +1,45 @@
+// XFAIL: *
+
+/* The scalarizer pass in LLVM 11 was changed to generate, for a
+ read f[k], with k symbolic and f a 4-element vector:
+ if k == 0 => f[0]
+ elif k == 1 => f[1]
+ elif k == 2 => f[2]
+ elif k == 3 => f[3]
+ else ==> undef
+
+ Therefore, even though an OOB access might exist at the source code
+ level, no such OOB accesses exist anymore at the LLVM IR level.
+
+ And since undef is currently treated in KLEE as 0, an overflowing
+ access is always translated as f[0], which may lead to future
+ problems being missed.
+
+ This test is marked as XFAIL as a reminder that we need to fix this
+ behaviour, most likely by having undef return a new symbolic variable.
+*/
+
+// RUN: %clang %s -emit-llvm %O0opt -g -c -o %t1.bc
+// RUN: rm -rf %t.klee-out
+// NOTE: Have to pass `--optimize=false` to avoid vector operations being
+// constant folded away.
+// RUN: %klee --output-dir=%t.klee-out --optimize=false --exit-on-error %t1.bc 2>%t.log
+// RUN: FileCheck -input-file=%t.stderr.log %s
+
+#include "klee/klee.h"
+
+#include
+#include
+#include
+
+typedef uint32_t v4ui __attribute__((vector_size(16)));
+int main() {
+ v4ui f = {1, 2, 3, 4};
+ int k = klee_range(4, 10, "k");
+
+ uint32_t v = f[k]; // Symbolic out-of-bounds read
+ v = f[v]; // This should trigger an error, but currently this returns f[0] = 1
+ assert(v != 1);
+
+ return 0;
+}
diff --git a/test/VectorInstructions/oob-write-llvm-geq11.c b/test/VectorInstructions/oob-write-llvm-geq11.c
deleted file mode 100644
index 5c3e691c..00000000
--- a/test/VectorInstructions/oob-write-llvm-geq11.c
+++ /dev/null
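Review bot: The klee RUN line in oob-read.c redirects stderr to `%t.log`, but the FileCheck line after it reads `%t.stderr.log`, which no command in this file writes, and the file contains no CHECK directives for FileCheck to match. With `XFAIL: *`, any failing RUN line satisfies the expectation, so the test presumably stays "expected fail" for harness reasons whether or not the undef handling described in the header is ever fixed. I would redirect with `2> %t.stderr.log` and add a `// CHECK:` line for the error that the second read `v = f[v]` is meant to raise. That way the XFAIL tracks the missed out-of-bounds read itself, and an unexpected pass becomes a usable signal once KLEE models undef differently.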
@@ -1,51 +0,0 @@
-// REQUIRES: geq-llvm-11.0
-
-/* The scalarizer pass in LLVM 11 was changed to generate, for a
- write of the form f[k] = v, with f a 4-element vector:
- if k == 0 => f[0] = v
- if k == 1 => f[1] = v
- if k == 2 => f[2] = v
- if k == 3 => f[3] = v
-
- Therefore, even though an OOB write access might exist at the source
- code level (e.g., f[5] = v), no such OOB accesses exist anymore at
- the LLVM IR level.
-
- So unlike in the LLVM < 11 test, here we test that the contents of
- the vector is unmodified after the OOB write.
-*/
-
-// RUN: %clang %s -emit-llvm %O0opt -g -c -o %t1.bc
-// RUN: rm -rf %t.klee-out
-// NOTE: Have to pass `--optimize=false` to avoid vector operations being
-// constant folded away.
-// RUN: %klee --output-dir=%t.klee-out --optimize=false --exit-on-error %t1.bc
-
-#include "klee/klee.h"
-
-#include
-#include
-#include
-
-typedef uint32_t v4ui __attribute__((vector_size(16)));
-int main() {
- v4ui f = {1, 2, 3, 4};
- int k = klee_range(0, 10, "k");
-
- if (k < 4) {
- f[5] = 3; // Concrete out-of-bounds write
- assert(f[0] == 1);
- assert(f[1] == 2);
- assert(f[2] == 3);
- assert(f[3] == 4);
- }
- else {
- f[k] = 255; // Symbolic out-of-bounds write
- assert(f[0] == 1);
- assert(f[1] == 2);
- assert(f[2] == 3);
- assert(f[3] == 4);
- }
-
- return 0;
-}
diff --git a/test/VectorInstructions/oob-write.c b/test/VectorInstructions/oob-write.c
new file mode 100644
index 00000000..6906dc62
--- /dev/null
+++ b/test/VectorInstructions/oob-write.c
@@ -0,0 +1,49 @@
+/* The scalarizer pass in LLVM 11 was changed to generate, for a
+ write of the form f[k] = v, with f a 4-element vector:
+ if k == 0 => f[0] = v
+ if k == 1 => f[1] = v
+ if k == 2 => f[2] = v
+ if k == 3 => f[3] = v
+
+ Therefore, even though an OOB write access might exist at the source
+ code level (e.g., f[5] = v), no such OOB accesses exist anymore at
+ the LLVM IR level.
+
+ So unlike in the LLVM < 11 test, here we test that the contents of
+ the vector is unmodified after the OOB write.
+*/
+
+// RUN: %clang %s -emit-llvm %O0opt -g -c -o %t1.bc
+// RUN: rm -rf %t.klee-out
+// NOTE: Have to pass `--optimize=false` to avoid vector operations being
+// constant folded away.
+// RUN: %klee --output-dir=%t.klee-out --optimize=false --exit-on-error %t1.bc
+
+#include "klee/klee.h"
+
+#include
+#include
+#include
+
+typedef uint32_t v4ui __attribute__((vector_size(16)));
+int main() {
+ v4ui f = {1, 2, 3, 4};
+ int k = klee_range(0, 10, "k");
+
+ if (k < 4) {
+ f[5] = 3; // Concrete out-of-bounds write
+ assert(f[0] == 1);
+ assert(f[1] == 2);
+ assert(f[2] == 3);
+ assert(f[3] == 4);
+ }
+ else {
+ f[k] = 255; // Symbolic out-of-bounds write
+ assert(f[0] == 1);
+ assert(f[1] == 2);
+ assert(f[2] == 3);
+ assert(f[3] == 4);
+ }
+
+ return 0;
+}
-- cgit 1.4.1
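Review bot: The header comment in oob-write.c still says `So unlike in the LLVM < 11 test`, but this same commit deletes oob-llvm-lt11.c, so the comparison refers to a test that no longer exists. I would reword the last paragraph to stand on its own, for example `Since the OOB write is gone at the IR level, KLEE reports no error here; we only test that the vector is unmodified after the write.` Stating that explicitly also documents that a source-level out-of-bounds vector write passes this test silently. A reader would otherwise not learn from the test that this is a known detection gap.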