blob: f30eabed65cc4c2541ef7528c4af02fba138df93 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
|
// RUN: %clang %s -g -emit-llvm %O0opt -c -o %t1.bc
// RUN: rm -rf %t.klee-out
// RUN: %klee --output-dir=%t.klee-out --kdalloc --emit-all-errors %t1.bc 2>&1 | FileCheck %s
// RUN: ls %t.klee-out/ | grep .ktest | wc -l | grep 4
// RUN: ls %t.klee-out/ | grep .err | wc -l | grep 3
#include "klee/klee.h"
#include <stdio.h>
#include <stdlib.h>
unsigned klee_urange(unsigned start, unsigned end) {
unsigned x;
klee_make_symbolic(&x, sizeof x, "x");
if (x - start >= end - start)
klee_silent_exit(0);
return x;
}
int *make_int(int i) {
int *x = malloc(sizeof(*x));
*x = i;
return x;
}
int main() {
int *buf[4];
int i, s;
for (i = 0; i < 3; i++)
buf[i] = make_int(i);
buf[3] = 0;
s = klee_urange(0, 4);
free(buf[s]);
for (i = 0; i < 3; i++) {
// CHECK: MultipleFreeResolution.c:[[@LINE+3]]: memory error: use after free
// CHECK: MultipleFreeResolution.c:[[@LINE+2]]: memory error: use after free
// CHECK: MultipleFreeResolution.c:[[@LINE+1]]: memory error: use after free
printf("*buf[%d] = %d\n", i, *buf[i]);
}
return 0;
}
// CHECK: KLEE: done: generated tests = 4
|
