// RUN: %clang %s -g -emit-llvm %O0opt -c -o %t.bc
// RUN: rm -rf %t.klee-out
// RUN: %klee --output-dir=%t.klee-out --single-object-resolution %t.bc > %t.log 2>&1
// RUN: FileCheck %s -input-file=%t.log
#include "klee/klee.h"
#include <stdlib.h>
struct A { // element type behind the struct A members of struct B; main() takes the address of field z
long long int y;
long long int y2;
int z; // the member whose address main() computes with a symbolic index
};
struct B { // an inline array of struct A plus two struct A pointers; main() only assigns and indexes y1
long long int x;
struct A y[20];
struct A *y1; // pointed at a heap block sized for 20 struct A in main()
struct A *y2;
int z;
};
int foo(int *pointer) { // returns the int located 123 elements past `pointer`; deliberately performs no bounds check
//printf("pointer is called\n");
int *ptr = pointer + 123; // pointer arithmetic in units of int, i.e. 123 * sizeof(int) bytes beyond the caller's address
return *ptr; // the only memory read in this file; presumably the access the out-of-bound expectation in main() pins to file line 26 - re-verify that line number if lines are added or removed above
}
int main(int argc, char *argv[]) { // KLEE regression driver: forms an address from a symbolic array index, then lets foo() read far beyond it
int x; // made fully symbolic below; no klee_assume() narrows its range
struct B b; // left uninitialized except for b.y1
// create a lot of memory objects (presumably so address resolution has many candidate objects - confirm against the KLEE option's documentation)
int *ptrs[1024]; // filled with 1024 separate 23-byte allocations; never freed, malloc results not checked
for (int i = 0; i < 1024; i++) {
ptrs[i] = malloc(23);
}
klee_make_symbolic(&x, sizeof(x), "x");
b.y1 = malloc(20 * sizeof(struct A)); // room for exactly 20 struct A elements; result not checked for NULL
// dereference of a pointer within a struct
int *tmp = &b.y1[x].z; // address computation only, nothing is read here; x is unconstrained, so the index may lie outside 0..19
// CHECK: SingleObjectResolution.c:26: memory error: out of bound pointer
// CHECK: KLEE: done: completed paths = 1
// CHECK: KLEE: done: partially completed paths = 1
// CHECK: KLEE: done: generated tests = 2
return foo(tmp); // foo() adds 123 ints to tmp and dereferences the result; NOTE(review): with a 4-byte int and a 24-byte struct A (typical, not established here) only some negative x values would land back inside the heap block, which would fit the one completed and one error path expected above - confirm
}