path: root/test/Feature/SingleObjectResolution.c
// RUN: %clang %s -g -emit-llvm %O0opt -c -o %t.bc
// RUN: rm -rf %t.klee-out
// RUN: %klee --search=dfs --output-dir=%t.klee-out --single-object-resolution %t.bc > %t.log 2>&1
// RUN: FileCheck %s -input-file=%t.log
// RUN: %klee-stats --print-columns 'SolverQueries' --table-format=csv %t.klee-out | FileCheck %s --check-prefix CHECK-STATS
// CHECK-STATS: 193

#include "klee/klee.h"
#include <stdlib.h>

// Element type for the arrays that foo() indexes with a symbolic value.
// Only the address of the z member is taken in this file; y and y2 are not
// referenced by the code shown and appear to serve as layout padding so that
// z sits at a non-zero offset inside each element.
struct A {
  long long int y;
  long long int y2;
  int z;
};

// Container that gives foo() two differently-backed arrays of struct A:
//   y  - 20 elements embedded in the struct itself (foo() declares the
//        struct as a local, so this array lives on the stack there)
//   y1 - pointer that foo() sets to a heap allocation of 20 elements
// x, y2 and z are not referenced by the code shown.
struct B {
  long long int x;
  struct A y[20];
  struct A *y1;
  struct A *y2;
  int z;
};

// Reads one int at a fixed distance past `pointer`.
//
// pointer:  base address; foo() passes the address of a z member selected by
//           a symbolic index.
// selector: non-zero picks an offset of 123 ints, zero picks 124 ints, so a
//           symbolic selector forks execution into two branches here.
// returns:  the int stored at the computed address.
//
// No bounds check is performed on purpose: the dereference is the operation
// under test, and the FileCheck directive below expects KLEE to report it as
// an out-of-bounds pointer.
int bar(int *pointer, int selector) {
  int *ptr = 0;
  if (selector)
    ptr = pointer + 123;
  else
    ptr = pointer + 124;
  // The directive matches on the line number of the statement that follows
  // it, so it must stay directly above the return.
  // CHECK: SingleObjectResolution.c:[[@LINE+1]]: memory error: out of bound pointer
  return *ptr;
}

// Test driver: builds a heap-backed and a stack-backed array of struct A,
// indexes each with an unconstrained symbolic value, and lets bar()
// dereference a pointer derived from that address.
//
// returns: the value read by the second bar() call.
//
// NOTE(review): KLEE is invoked with --single-object-resolution in the run
// lines at the top of the file; presumably that option is what lets the
// symbolic address be resolved against one object instead of all live
// objects - confirm against the KLEE option documentation.
int foo() {
  size_t x; // symbolic array index (made symbolic below)
  int y;    // symbolic selector forwarded to bar()
  struct B b;

  // create a lot of memory objects
  // These 1024 allocations are never used or freed in this function; they
  // only increase the number of live objects in the address space. The
  // malloc results are not checked.
  int *ptrs[1024];
  for (int i = 0; i < 1024; i++) {
    ptrs[i] = malloc(23);
  }

  // Neither value is constrained afterwards (no klee_assume in this
  // function), so x may index inside or outside the 20-element arrays.
  klee_make_symbolic(&x, sizeof(x), "x");
  klee_make_symbolic(&y, sizeof(y), "y");

  // Heap-backed array of 20 elements; the malloc result is not checked.
  b.y1 = malloc(20 * sizeof(struct A));

  // dereference of a pointer within a struct
  // Only the address is formed here; the memory access itself happens
  // inside bar().
  int *tmp = &b.y1[x].z;

  int z = bar(tmp, y);
  // cleanup test for heap
  free(b.y1);

  // Same pattern against the array embedded in the local struct. b.y is
  // never initialised, so any in-bounds read returns indeterminate data.
  tmp = &b.y[x].z; // this is to test the cleanup for stack vars
  z = bar(tmp, y);
  return z;
}

// Entry point: runs foo() and uses its result as the exit status.
// argc and argv are unused. The directives below pin the path and test
// counts that KLEE is expected to print for this program.
int main(int argc, char *argv[]) {
  // CHECK: KLEE: done: completed paths = 2
  // CHECK: KLEE: done: partially completed paths = 2
  // CHECK: KLEE: done: generated tests = 3
  return foo();
}