├── .cirrus.yml ├── .clang-format ├── .codecov.yml ├── .dockerignore ├── .gitattributes ├── .github ├── ISSUE_TEMPLATE │ ├── bug_report.md │ ├── feature_request.md │ └── question.md ├── pull_request_template.md └── workflows │ ├── build.yaml │ ├── differential-shellcheck.yml │ └── docker_release_push.yml ├── .gitignore ├── .pre-commit-config.yaml ├── CMakeLists.txt ├── DEBT ├── Dockerfile ├── LICENSE.TXT ├── NEWS ├── README-CMake.md ├── README.md ├── build.sh ├── cmake ├── GetGitRevisionDescription.cmake ├── GetGitRevisionDescription.cmake.in ├── cmake_uninstall.cmake.in ├── compile_bitcode_library.cmake ├── compiler_warnings.cmake ├── find_bitwuzla.cmake ├── find_metasmt.cmake ├── find_stp.cmake ├── find_z3.cmake ├── modules │ └── FindZ3.cmake └── run_klee-config.cmake ├── configs ├── annotations.json └── options.json ├── docs ├── CMakeLists.txt ├── SMT-COMP │ ├── BitVector_ArraysEx.smt │ ├── BitVectors.smt │ ├── QF_AUFBV.smt │ └── QF_BV.smt ├── doxygen.cfg.in ├── intro └── overview ├── examples ├── get_sign │ └── get_sign.c ├── regexp │ ├── Regexp.c │ └── notes.txt └── sort │ └── sort.c ├── include ├── klee-test-comp.c └── klee │ ├── ADT │ ├── BitArray.h │ ├── Bits.h │ ├── DiscretePDF.h │ ├── DisjointSetUnion.h │ ├── Either.h │ ├── FixedSizeStorageAdapter.h │ ├── ImmutableList.h │ ├── ImmutableMap.h │ ├── ImmutableSet.h │ ├── ImmutableTree.h │ ├── Incremental.h │ ├── KTest.h │ ├── MapOfSets.h │ ├── PersistentHashMap.h │ ├── PersistentMap.h │ ├── PersistentSet.h │ ├── PersistentVector.h │ ├── RNG.h │ ├── Ref.h │ ├── SparseStorage.h │ ├── StorageAdapter.h │ ├── TreeStream.h │ └── WeightedQueue.h │ ├── Config │ ├── CompileTimeInfo.h.cmin │ ├── Version.h │ └── config.h.cmin │ ├── Core │ ├── BranchTypes.h │ ├── Context.h │ ├── Interpreter.h │ ├── MockBuilder.h │ ├── TargetedExecutionReporter.h │ └── TerminationTypes.h │ ├── Expr │ ├── AlphaBuilder.h │ ├── ArrayCache.h │ ├── ArrayExprHash.h │ ├── ArrayExprOptimizer.h │ ├── ArrayExprRewriter.h │ ├── ArrayExprVisitor.h │ ├── Assignment.h │ ├── AssignmentGenerator.h │ ├── Constraints.h │ ├── Expr.h │ ├── ExprBuilder.h │ ├── ExprEvaluator.h │ ├── ExprHashMap.h │ ├── ExprPPrinter.h │ ├── ExprRangeEvaluator.h │ ├── ExprSMTLIBPrinter.h │ ├── ExprUtil.h │ ├── ExprVisitor.h │ ├── IndependentConstraintSetUnion.h │ ├── IndependentSet.h │ ├── Parser │ │ ├── Lexer.h │ │ └── Parser.h │ ├── Path.h │ ├── SourceBuilder.h │ ├── SymbolicSource.h │ └── Symcrete.h │ ├── Module │ ├── Annotation.h │ ├── Cell.h │ ├── CodeGraphInfo.h │ ├── KCallable.h │ ├── KInstIterator.h │ ├── KInstruction.h │ ├── KModule.h │ ├── KValue.h │ ├── LocationInfo.h │ ├── SarifReport.h │ ├── Target.h │ ├── TargetForest.h │ └── TargetHash.h │ ├── Solver │ ├── Common.h │ ├── IncompleteSolver.h │ ├── Solver.h │ ├── SolverCmdLine.h │ ├── SolverImpl.h │ ├── SolverStats.h │ └── SolverUtil.h │ ├── Statistics │ ├── Statistic.h │ ├── Statistics.h │ └── TimerStatIncrementer.h │ ├── Support │ ├── Casting.h │ ├── CompilerWarning.h │ ├── CompressionStream.h │ ├── Debug.h │ ├── ErrorHandling.h │ ├── FileHandling.h │ ├── ModuleUtil.h │ ├── OptionCategories.h │ ├── PrintContext.h │ ├── PrintVersion.h │ ├── RoundingModeUtil.h │ └── Timer.h │ ├── System │ ├── MemoryUsage.h │ └── Time.h │ ├── Utilities │ ├── APFloatEval.h │ └── Math.h │ └── klee.h ├── lib ├── ADT │ ├── CMakeLists.txt │ └── SparseStorage.cpp ├── Basic │ ├── CMakeLists.txt │ ├── KTest.cpp │ ├── README.txt │ └── Statistics.cpp ├── CMakeLists.txt ├── Core │ ├── AddressSpace.cpp │ ├── AddressSpace.h │ ├── BidirectionalSearcher.cpp │ ├── BidirectionalSearcher.h │ ├── CMakeLists.txt │ ├── CallPathManager.cpp │ ├── CallPathManager.h │ ├── CodeEvent.h │ ├── CodeLocation.cpp │ ├── CodeLocation.h │ ├── ConstructStorage.h │ ├── Context.cpp │ ├── CoreStats.cpp │ ├── CoreStats.h │ ├── DistanceCalculator.cpp │ ├── DistanceCalculator.h │ ├── EventRecorder.cpp │ ├── EventRecorder.h │ ├── ExecutionState.cpp │ ├── ExecutionState.h │ ├── Executor.cpp │ ├── Executor.h │ ├── ExecutorUtil.cpp │ ├── ExternalDispatcher.cpp │ ├── ExternalDispatcher.h │ ├── GetElementPtrTypeIterator.h │ ├── ImpliedValue.cpp │ ├── ImpliedValue.h │ ├── Memory.cpp │ ├── Memory.h │ ├── MemoryManager.cpp │ ├── MemoryManager.h │ ├── MockBuilder.cpp │ ├── ObjectManager.cpp │ ├── ObjectManager.h │ ├── PForest.cpp │ ├── PForest.h │ ├── PTree.cpp │ ├── PTree.h │ ├── Searcher.cpp │ ├── Searcher.h │ ├── SearcherUtil.h │ ├── SeedInfo.cpp │ ├── SeedInfo.h │ ├── SeedMap.cpp │ ├── SeedMap.h │ ├── SpecialFunctionHandler.cpp │ ├── SpecialFunctionHandler.h │ ├── StatsTracker.cpp │ ├── StatsTracker.h │ ├── TargetCalculator.cpp │ ├── TargetCalculator.h │ ├── TargetManager.cpp │ ├── TargetManager.h │ ├── TargetedExecutionManager.cpp │ ├── TargetedExecutionManager.h │ ├── TargetedExecutionReporter.cpp │ ├── TimingSolver.cpp │ ├── TimingSolver.h │ ├── UserSearcher.cpp │ └── UserSearcher.h ├── Expr │ ├── APFloatEval.cpp │ ├── AlphaBuilder.cpp │ ├── ArrayCache.cpp │ ├── ArrayExprOptimizer.cpp │ ├── ArrayExprRewriter.cpp │ ├── ArrayExprVisitor.cpp │ ├── Assignment.cpp │ ├── AssignmentGenerator.cpp │ ├── CMakeLists.txt │ ├── Constraints.cpp │ ├── Expr.cpp │ ├── ExprBuilder.cpp │ ├── ExprEvaluator.cpp │ ├── ExprPPrinter.cpp │ ├── ExprSMTLIBPrinter.cpp │ ├── ExprUtil.cpp │ ├── ExprVisitor.cpp │ ├── IndependentConstraintSetUnion.cpp │ ├── IndependentSet.cpp │ ├── Lexer.cpp │ ├── Parser.cpp │ ├── Path.cpp │ ├── SourceBuilder.cpp │ ├── SymbolicSource.cpp │ └── Updates.cpp ├── Module │ ├── Annotation.cpp │ ├── CMakeLists.txt │ ├── CallRemover.cpp │ ├── CallSplitter.cpp │ ├── Checks.cpp │ ├── CodeGraphInfo.cpp │ ├── FreezeLower.cpp │ ├── FunctionAlias.cpp │ ├── InstructionOperandTypeCheckPass.cpp │ ├── Instrument.cpp │ ├── InstrumentLegacy.cpp │ ├── IntrinsicCleaner.cpp │ ├── KInstruction.cpp │ ├── KLEEIRMetaData.h │ ├── KModule.cpp │ ├── KValue.cpp │ ├── LocalVarDeclarationFinderPass.cpp │ ├── LocationInfo.cpp │ ├── LowerSwitch.cpp │ ├── ModuleHelper.h │ ├── ModuleUtil.cpp │ ├── OptNone.cpp │ ├── Optimize.cpp │ ├── OptimizeLegacy.cpp │ ├── Passes.h │ ├── PhiCleaner.cpp │ ├── RaiseAsm.cpp │ ├── ReturnLocationFinderPass.cpp │ ├── ReturnSplitter.cpp │ ├── SarifReport.cpp │ ├── Target.cpp │ ├── TargetForest.cpp │ └── TargetHash.cpp ├── README.txt ├── Solver │ ├── AlphaEquivalenceSolver.cpp │ ├── AssignmentValidatingSolver.cpp │ ├── BitwuzlaBuilder.cpp │ ├── BitwuzlaBuilder.h │ ├── BitwuzlaHashConfig.cpp │ ├── BitwuzlaHashConfig.h │ ├── BitwuzlaSolver.cpp │ ├── BitwuzlaSolver.h │ ├── CMakeLists.txt │ ├── CachingSolver.cpp │ ├── CexCachingSolver.cpp │ ├── ConcretizingSolver.cpp │ ├── ConstantDivision.cpp │ ├── ConstantDivision.h │ ├── ConstructSolverChain.cpp │ ├── CoreSolver.cpp │ ├── DummySolver.cpp │ ├── FastCexSolver.cpp │ ├── IncompleteSolver.cpp │ ├── IndependentSolver.cpp │ ├── KQueryLoggingSolver.cpp │ ├── MetaSMTBuilder.h │ ├── MetaSMTSolver.cpp │ ├── MetaSMTSolver.h │ ├── QueryLoggingSolver.cpp │ ├── QueryLoggingSolver.h │ ├── SMTLIBLoggingSolver.cpp │ ├── STPBuilder.cpp │ ├── STPBuilder.h │ ├── STPSolver.cpp │ ├── STPSolver.h │ ├── Solver.cpp │ ├── SolverCmdLine.cpp │ ├── SolverImpl.cpp │ ├── SolverStats.cpp │ ├── SolverUtil.cpp │ ├── ValidatingSolver.cpp │ ├── Z3BitvectorBuilder.cpp │ ├── Z3BitvectorBuilder.h │ ├── Z3Builder.cpp │ ├── Z3Builder.h │ ├── Z3CoreBuilder.cpp │ ├── Z3CoreBuilder.h │ ├── Z3HashConfig.cpp │ ├── Z3HashConfig.h │ ├── Z3Solver.cpp │ └── Z3Solver.h └── Support │ ├── CMakeLists.txt │ ├── CompressionStream.cpp │ ├── ErrorHandling.cpp │ ├── FileHandling.cpp │ ├── MemoryUsage.cpp │ ├── PrintVersion.cpp │ ├── README.txt │ ├── RNG.cpp │ ├── RoundingModeUtil.cpp │ ├── Time.cpp │ ├── Timer.cpp │ └── TreeStream.cpp ├── runtime ├── CMakeLists.txt ├── Fortify │ ├── CMakeLists.txt │ └── fortify.c ├── Freestanding │ ├── CMakeLists.txt │ ├── fortify-fs.c │ ├── memcmp.c │ ├── memcpy.c │ ├── memmove.c │ └── memset.c ├── Intrinsic │ ├── CMakeLists.txt │ ├── dso_handle.c │ ├── klee_choose.c │ ├── klee_div_zero_check.c │ ├── klee_int.c │ ├── klee_is_replay.c │ ├── klee_overshift_check.c │ └── klee_range.c ├── Mocks │ ├── CMakeLists.txt │ └── models.c ├── POSIX │ ├── CMakeLists.txt │ ├── FreeBSD.h │ ├── fd.c │ ├── fd.h │ ├── fd_32.c │ ├── fd_64.c │ ├── fd_init.c │ ├── illegal.c │ ├── input_output.c │ ├── klee_init_env.c │ ├── misc.c │ ├── selinux.c │ └── stubs.c ├── Runtest │ ├── CMakeLists.txt │ └── intrinsics.c ├── Sanitizer │ ├── CMakeLists.txt │ ├── README.md │ ├── sanitizer_common │ │ ├── sanitizer_common.h │ │ ├── sanitizer_internal_defs.h │ │ └── sanitizer_platform.h │ └── ubsan │ │ ├── ubsan_checks.inc │ │ ├── ubsan_diag.h │ │ ├── ubsan_handlers.cpp │ │ ├── ubsan_handlers.h │ │ └── ubsan_value.h ├── klee-eh-cxx │ ├── CMakeLists.txt │ └── klee_eh_cxx.cpp ├── klee-fp │ ├── CMakeLists.txt │ ├── ansidecl.h │ ├── ceil.c │ ├── copysign.c │ ├── copysign.h │ ├── exp.c │ ├── fabs.c │ ├── fenv.c │ ├── fenv.h │ ├── floor.c │ ├── floor.h │ ├── fpclassify.c │ ├── isinf.ll │ ├── klee_set_rounding_mode.c │ ├── log.c │ ├── rint.c │ ├── rint.h │ ├── round.c │ ├── signbit.ll │ ├── sqrt.c │ └── trigonometry.c └── klee-libc │ ├── CMakeLists.txt │ ├── __cxa_atexit.c │ ├── abort.c │ ├── atexit.c │ ├── atoi.c │ ├── bcmp.c │ ├── calloc.c │ ├── fortify-klibc.c │ ├── htonl.c │ ├── memchr.c │ ├── mempcpy.c │ ├── putchar.c │ ├── stpcpy.c │ ├── strcat.c │ ├── strchr.c │ ├── strcmp.c │ ├── strcoll.c │ ├── strcpy.c │ ├── strlen.c │ ├── strncmp.c │ ├── strncpy.c │ ├── strrchr.c │ ├── strtol.c │ ├── strtoul.c │ ├── tolower.c │ └── toupper.c ├── scripts ├── .clang-format ├── IStatsMerge.py ├── IStatsSum.py ├── build │ ├── build-ci-container.py │ ├── build.sh │ ├── common-functions │ ├── d-klee-linux-ubuntu.inc │ ├── p-bitwuzla-linux-ubuntu.inc │ ├── p-bitwuzla-osx.inc │ ├── p-bitwuzla.inc │ ├── p-clang-linux-ubuntu-22.04.inc │ ├── p-clang-linux-ubuntu.inc │ ├── p-clang-linux.inc │ ├── p-clang-osx.inc │ ├── p-clang.inc │ ├── p-cmake-linux-ubuntu.inc │ ├── p-cmake-osx.inc │ ├── p-gtest-linux-ubuntu.inc │ ├── p-gtest-osx.inc │ ├── p-gtest.inc │ ├── p-immer-linux-ubuntu.inc │ ├── p-immer-osx.inc │ ├── p-immer.inc │ ├── p-json-linux-ubuntu.inc │ ├── p-json-osx.inc │ ├── p-json.inc │ ├── p-klee-linux-ubuntu.inc │ ├── p-klee-osx.inc │ ├── p-klee.inc │ ├── p-libcxx-linux-ubuntu.inc │ ├── p-libcxx-osx.inc │ ├── p-libcxx.inc │ ├── p-llvm-linux-ubuntu.inc │ ├── p-llvm-osx.inc │ ├── p-llvm.inc │ ├── p-metasmt-linux-ubuntu.inc │ ├── p-metasmt.inc │ ├── p-sanitizer-linux-ubuntu.inc │ ├── p-sanitizer-linux.inc │ ├── p-sqlite-linux-ubuntu.inc │ ├── p-sqlite-osx.inc │ ├── p-sqlite.inc │ ├── p-stp-linux-ubuntu.inc │ ├── p-stp-osx.inc │ ├── p-stp.inc │ ├── p-tcmalloc-linux-ubuntu.inc │ ├── p-tcmalloc.inc │ ├── p-uclibc-linux-ubuntu.inc │ ├── p-uclibc.inc │ ├── p-z3-linux-ubuntu.inc │ ├── p-z3-osx.inc │ ├── p-z3.inc │ ├── patches │ │ ├── libcxx110.patch │ │ ├── llvm110.patch │ │ ├── llvm120.patch │ │ └── metasmt.patch │ ├── run-tests.sh │ ├── sanitizer │ │ ├── klee.txt │ │ └── sqlite.txt │ ├── v-bitwuzla.inc │ ├── v-clang.inc │ ├── v-cmake.inc │ ├── v-gtest.inc │ ├── v-immer.inc │ ├── v-json.inc │ ├── v-klee.inc │ ├── v-libcxx.inc │ ├── v-llvm.inc │ ├── v-metasmt.inc │ ├── v-sanitizer.inc │ ├── v-sanitizer_compiler.inc │ ├── v-solvers.inc │ ├── v-sqlite.inc │ ├── v-stp.inc │ ├── v-tcmalloc.inc │ ├── v-uclibc.inc │ └── v-z3.inc ├── convert_to_sarif.py ├── filter_locations.py ├── genTempFiles.sh ├── klee-chroot-env ├── klee-control ├── kleef ├── merge_sarif.py ├── objdump ├── replay.sh └── run_tests_with_mocks.py ├── test ├── .clang-format ├── ArrayOpt │ ├── test-mix.c │ ├── test_and.c │ ├── test_array_index_array.c │ ├── test_array_index_array_diffsize.c │ ├── test_cache.c │ ├── test_const_arr-idx.c │ ├── test_expr_arbitrary.c │ ├── test_expr_complex.c │ ├── test_expr_mul.c │ ├── test_expr_simple.c │ ├── test_feasible.c │ ├── test_hybrid.c │ ├── test_mixed_hole.c │ ├── test_multindex.c │ ├── test_multindex_multarray.c │ ├── test_new.c │ ├── test_nier.c │ ├── test_noncontiguous_idx.c │ ├── test_position.c │ ├── test_sub_idx.c │ ├── test_update_list_order.c │ └── test_var_idx.c ├── CMakeLists.txt ├── CXX │ ├── ArrayNew.cpp │ ├── LandingPad.cpp │ ├── New.cpp │ ├── SimpleVirtual.cpp │ ├── StaticConstructor.cpp │ ├── StaticDestructor.cpp │ ├── Trivial.cpp │ └── symex │ │ ├── basic_c++ │ │ ├── diamond.cpp │ │ ├── inheritance.cpp │ │ ├── lambda.cpp │ │ ├── namespace.cpp │ │ ├── reinterpret_cast.cpp │ │ ├── simple.cpp │ │ ├── templates.cpp │ │ └── virtual.cpp │ │ └── libc++ │ │ ├── atexit.cpp │ │ ├── can_catch_test.cpp │ │ ├── catch_recover.cpp │ │ ├── catch_with_adjusted_exception_pointer.cpp │ │ ├── cout.cpp │ │ ├── cout_sym.cpp │ │ ├── dynamic_cast.cpp │ │ ├── exception.cpp │ │ ├── exception_inheritance.cpp │ │ ├── general_catch.cpp │ │ ├── landingpad.cpp │ │ ├── multi_throw.cpp │ │ ├── multi_unwind.cpp │ │ ├── nested.cpp │ │ ├── nested_fail.cpp │ │ ├── rethrow.cpp │ │ ├── simple_exception.cpp │ │ ├── simple_exception_fail.cpp │ │ ├── symbolic_exception.cpp │ │ ├── throw_specifiers.cpp │ │ ├── throwing_exception_destructor.cpp │ │ ├── uncaught_exception.cpp │ │ └── vector.cpp ├── Concrete │ ├── BitwiseOps.ll │ ├── BoolReadWrite.ll │ ├── CMakeLists.txt │ ├── Casts.ll │ ├── CmpEq.ll │ ├── ConcreteTest.py │ ├── ConstantExpr.ll │ ├── ConstantExprOld.ll │ ├── ConstantInit.ll │ ├── FloatingPointOps.ll │ ├── GlobalInitializers.ll │ ├── GlobalUndef.ll │ ├── GlobalVariable.ll │ ├── ICmp.ll │ ├── Makefile.cmake.test.in │ ├── OneCall.ll │ ├── OverlappingPhiNodes.ll │ ├── README.txt │ ├── Select.ll │ ├── Shifts.ll │ ├── SimpleStoreAndLoad.ll │ ├── UnconditionalBranch.ll │ ├── UnconditionalBranchWithSimplePhi.ll │ ├── UnorderedPhiNodes.ll │ ├── _testingUtils.c │ ├── ackermann.c │ └── arith_test.ll ├── Coverage │ ├── ReadArgs.c │ └── ReplayOutDir.c ├── Dogfood │ └── ImmutableSet.cpp ├── Expr │ ├── Evaluate.kquery │ ├── Evaluate2.kquery │ ├── Lexer │ │ └── Numbers.kquery │ ├── Parser │ │ ├── Concat64.kquery │ │ ├── ConstantFolding.kquery │ │ ├── Exprs.kquery │ │ ├── MultiByteReads.kquery │ │ ├── Simplify.kquery │ │ └── TypeChecking.kquery │ ├── ReadExprConsistency.c │ ├── print-smt-let.kquery │ ├── print-smt-let.smt2.good │ ├── print-smt-named.kquery │ ├── print-smt-named.smt2.good │ ├── print-smt-none.kquery │ └── print-smt-none.smt2.good ├── Feature │ ├── AddressOfLabels.c │ ├── AddressOfLabelsSymbolic.c │ ├── Alias.c │ ├── Annotation │ │ ├── AllocSource.c │ │ ├── AllocSource.json │ │ ├── BrokenAnnotation.json │ │ ├── Deref.c │ │ ├── Deref.json │ │ ├── EmptyAnnotation.json │ │ ├── Free.c │ │ ├── Free.json │ │ ├── General.c │ │ ├── General.json │ │ ├── InitNull.c │ │ ├── InitNull.json │ │ └── InitNullEmpty.json │ ├── Atomic.c │ ├── BFSSearcher.c │ ├── BFSSearcherAndDFSSearcherInterleaved.c │ ├── BitcastAlias.ll │ ├── BitcastAliasMD2U.ll │ ├── BlockPath.ll │ ├── ByteSwap.c │ ├── CallToUndefinedExternal.cpp │ ├── CheckForImpliedValue.c.failing │ ├── CheckMemoryAccess.c │ ├── CompressedExprLogging.c │ ├── ConcretizeSymbolicExternals.c │ ├── ConstantArray.ll │ ├── ConstantStruct.ll │ ├── CopyOnWrite.c │ ├── CoverOnTheFly.c │ ├── CoverageCheck.c │ ├── DanglingConcreteReadExpr.c │ ├── DefineFixedObject.c │ ├── DeterministicSwitch.c │ ├── DivCheck.c │ ├── DoubleFree.c │ ├── DumpStatesOnHalt.c │ ├── EntryPoint.c │ ├── EntryPointMissing.c │ ├── EntryPointUclibcPosix.c │ ├── Envp.c │ ├── EscapingFunctions.c │ ├── EscapingFunctionsAlias.c │ ├── ExitOnErrorType.c │ ├── ExprLogging.c │ ├── ExtCall.c │ ├── ExtCallOverapprox.c │ ├── ExtCallWarnings.c │ ├── ExternalWeakLinkage.c │ ├── FNeg.ll │ ├── Float.c │ ├── FloatingPt.c │ ├── FunctionAlias.c │ ├── FunctionAliasExit.c │ ├── FunctionPointer.c │ ├── GetElementPtr.ll │ ├── GetValue.c │ ├── GlobalVariable.ll │ ├── ImpliedValue.c.failing │ ├── InAndOutOfBounds.c │ ├── IndirectCallToBuiltin.c │ ├── IndirectCallToExternal.c │ ├── InsertExtractValue.ll │ ├── InvalidBitfieldAccess.c.failing │ ├── IsSymbolic.c │ ├── KleeReportError.c │ ├── KleeStats.c │ ├── KleeStatsBranches.c │ ├── KleeStatsColumns.test │ ├── KleeStatsCsv.test │ ├── KleeStatsEmpty.test │ ├── KleeStatsNoBr.c │ ├── KleeStatsTermClasses.c │ ├── LargeArrayBecomesSym.c │ ├── LargeReturnTypes.cpp │ ├── LazyInitialization │ │ ├── DerefSymbolicPointer.c │ │ ├── LazyInitialization.c │ │ ├── LinkedList.c │ │ ├── NullPointerDereference.c │ │ ├── PointerOffset.c │ │ ├── SingleInitializationAndAccess.c │ │ └── TwoObjectsInitialization.c │ ├── LinkLLVMLib.c │ ├── LoggingInstructions.c │ ├── LongDouble.c │ ├── LongDoubleSupport.c │ ├── LowerSwitch.c │ ├── MakeConcreteSymbolic.c │ ├── MakeSymbolicAPI.c │ ├── MakeSymbolicName.c │ ├── MaxStaticForkPct.c │ ├── Memalign.c │ ├── MemoryBackends.c │ ├── MemoryLimit.c │ ├── MockPointersDeterministic.c │ ├── MockStrategies.c │ ├── MultiMkSym.c │ ├── MultipleFreeResolution.c │ ├── MultipleReadResolution.c │ ├── MultipleReallocResolution.c │ ├── MultipleWriteResolution.c │ ├── NamedSeedMatching.c │ ├── NoExternalCallsAllowed.c │ ├── NonSizedGlobals.c │ ├── NotCallingUnreachableBranchesInForkErrorGuided.c │ ├── NotCallingUnreachableBranchesInForkErrorGuided.c.json │ ├── NullPointerDereferenceCheck.c │ ├── OneFreeError.c │ ├── OneOutOfBounds.c │ ├── Optimize.c │ ├── OverlappedError.c │ ├── OvershiftCheck.c │ ├── PreferCex.c │ ├── ReadStringAtAddress.c │ ├── Realloc.c │ ├── RecursionPruning │ │ ├── fibonacci.c │ │ ├── regexp.c │ │ └── sum.c │ ├── ReplayPath.c │ ├── RewriteEqualities.c │ ├── Searchers.c │ ├── SetForking.c │ ├── ShiftCheck.c │ ├── SilentKleeAssume.c │ ├── SolverTimeout.c │ ├── SourceMapping.c │ ├── StackOverflow.c │ ├── StackTraceOutput.c │ ├── SymbolicSizes │ │ ├── FirstAndLastElements.c │ │ ├── ImplicitArrayExtension.c │ │ ├── ImplicitSizeConcretization.c │ │ ├── IntArray.c │ │ ├── LazyInstantiationOfSymbolicSize.c │ │ ├── LowerOutOfBound.c │ │ ├── MinimizeSize.c │ │ ├── MultipleAllocations.c │ │ ├── NegativeIndexArray.c │ │ ├── NegativeSize.c │ │ ├── RecomputeModelTwoArrays.c │ │ ├── SegmentComparator.c │ │ ├── SymbolicArrayOnStack.c │ │ ├── SymbolicArrayOnStackWithSkipSymbolics.c │ │ ├── SymbolicSizeUnsizedGlobal.c │ │ ├── UninitializedMemory.c │ │ └── VoidStar.c │ ├── TargetMismatch.c │ ├── TwoUninitializedRegions.c │ ├── UninitializedConstantMemory.c │ ├── VarArgByValOld.c │ ├── WithLibc.c │ ├── WriteCov.c │ ├── _utils._ll │ ├── arithmetic-right-overshift-sym-conc.c │ ├── consecutive_divide_by_zero.c │ ├── const_array_opt1.c │ ├── klee-stats │ │ ├── additional_column │ │ │ ├── info │ │ │ └── run.stats │ │ ├── empty │ │ │ ├── info │ │ │ └── run.stats │ │ ├── missing_column │ │ │ ├── info │ │ │ └── run.stats │ │ └── run │ │ │ ├── info │ │ │ └── run.stats │ ├── left-overshift-sym-conc.c │ ├── logical-right-overshift-sym-conc.c │ ├── srem.c │ ├── uint128.c │ └── utils.h ├── Floats │ ├── absorbing_add.c │ ├── absorbing_add_infeasible.c │ ├── absorbing_sub.c │ ├── absorbing_sub_infeasible.c │ ├── cast_union_loose.c │ ├── cast_union_loose.yml │ ├── cast_union_tight.c │ ├── cast_union_tight.yml │ ├── ceil.c │ ├── copysign.c │ ├── coverage-error-call.prp │ ├── double_req_bl_0670.c │ ├── double_req_bl_0670.yml │ ├── exp.c │ ├── explicit_signbit_double.c │ ├── explicit_signbit_float.c │ ├── explicit_signbit_long_double.c │ ├── fabs_double_symbolic.c │ ├── fabs_float_symbolic.c │ ├── fabs_long_double_symbolic.c │ ├── fegetround_fesetround.c │ ├── fegetround_fesetround_external_call.c │ ├── fegetround_fesetround_symbolic.c │ ├── float_classify.c │ ├── float_classify_double.c │ ├── float_classify_long_double.c │ ├── floor.c │ ├── fmax_intrinsic.c │ ├── fmin_intrinsic.c │ ├── fneg.c │ ├── fpext_single_to_double.c │ ├── fptosi_simple.c │ ├── fptoui_simple.c │ ├── fptoui_simple2.c │ ├── fptrunc_double_to_single.c │ ├── get_and_set_rounding_mode_symbolic.c │ ├── get_and_set_rounding_mode_with_klee_runtime.c │ ├── internal_fabs_double.c │ ├── internal_fabs_double_symbolic.c │ ├── internal_fabs_float.c │ ├── internal_fabs_float_symbolic.c │ ├── internal_fabs_long_double.c │ ├── internal_fabs_long_double_symbolic.c │ ├── internal_sqrt_double.c │ ├── internal_sqrt_double_symbolic.c │ ├── internal_sqrt_float.c │ ├── internal_sqrt_float_symbolic.c │ ├── internal_sqrt_long_double.c │ ├── internal_sqrt_long_double_symbolic.c │ ├── isinf_double.c │ ├── isinf_double_no_fork.c │ ├── isinf_float.c │ ├── isinf_float_no_fork.c │ ├── isinf_long_double.c │ ├── isinf_long_double_no_fork.c │ ├── isnan_double.c │ ├── isnan_long_double.c │ ├── isnanf.c │ ├── isnormal_double.c │ ├── isnormal_float.c │ ├── isnormal_long_double.c │ ├── issubnormal_double.c │ ├── issubnormal_float.c │ ├── issubnormal_long_double.c │ ├── lit.local.cfg │ ├── long_double_aligned_access.c │ ├── long_double_make_symbolic.c │ ├── long_double_memcpy.c │ ├── long_double_unnormal_arith.c │ ├── long_double_unnormal_cast.c │ ├── long_double_unnormal_cmp.c │ ├── memcpy_and_check_double.c │ ├── memcpy_and_check_float.c │ ├── nearbyint.c │ ├── rint.c │ ├── round.c │ ├── set_rounding_mode_fail_external_call.c │ ├── simple_div.c │ ├── simple_mix_float_int.c │ ├── simple_mul.c │ ├── sitofp_simple.c │ ├── sqrt_double_symbolic.c │ ├── sqrt_float_symbolic.c │ ├── sqrt_long_double_symbolic.c │ └── uitofp_simple.c ├── Industry │ ├── .clang-format │ ├── AssignNull_Scene_BadCase02.c │ ├── AssignNull_Scene_BadCase02.c.json │ ├── AssignNull_Scene_BadCase04.c │ ├── AssignNull_Scene_BadCase04.c.json │ ├── BadCase01_SecB_ForwardNull.c │ ├── BadCase01_SecB_ForwardNull.c.json │ ├── CheckNull_Scene_BadCase02.c │ ├── CheckNull_Scene_BadCase02.c.json │ ├── CheckNull_Scene_BadCase04.c │ ├── CheckNull_Scene_BadCase04.c.json │ ├── CoverageBranches │ │ ├── ChenFlurMukhopadhyay-2012SAS-Fig1-alloca.c │ │ ├── CostasArray-17.c │ │ ├── egcd3-ll_valuebound10.c │ │ ├── lit.local.cfg │ │ ├── matrix-2-2.c │ │ └── pals_lcr.3.ufo.UNBOUNDED.pals+Problem12_label00.c │ ├── CoverageErrorCall │ │ ├── 01_fuzzle_30x30.c │ │ ├── 12_fuzzle_50x50_CVE-2016-4492.c │ │ ├── btor2c-lazyMod.mul6.c │ │ ├── coverage-error-call.prp │ │ ├── egcd3-ll_unwindbound10.c │ │ ├── if_etherip-unreach-call.c │ │ └── od-4.c │ ├── FN_SecB_ForwardNull_filed.c │ ├── FN_SecB_ForwardNull_filed.c.json │ ├── MemoryLeak │ │ ├── LocalVar_Alloc_in_Loop_Exit_in_Loop_BadCase01.c │ │ └── LocalVar_Alloc_in_Loop_Exit_in_Loop_BadCase01.c.json │ ├── NullReturn_BadCase_WhiteBox01.c │ ├── NullReturn_BadCase_WhiteBox01.c.json │ ├── NullReturn_Scene_BadCase01.c │ ├── NullReturn_Scene_BadCase01.c.json │ ├── NullReturn_Scene_BadCase02.c │ ├── NullReturn_Scene_BadCase02.c.json │ ├── NullReturn_Scene_BadCase03.c │ ├── NullReturn_Scene_BadCase03.c.json │ ├── NullReturn_Scene_BadCase04.c │ ├── NullReturn_Scene_BadCase04.c.json │ ├── NullReturn_Scene_BadCase06.c │ ├── NullReturn_Scene_BadCase06.c.json │ ├── NullReturn_Scene_BadCase08.cpp │ ├── NullReturn_Scene_BadCase08.cpp.json │ ├── NullReturn_WhiteBox.h │ ├── SecB_ForwardNull.c │ ├── SecB_ForwardNull.c.json │ ├── UseAfterFree │ │ ├── Double_Free_BadCase01.c │ │ ├── Double_Free_BadCase01.c.json │ │ ├── Double_Free_BadCase02.c │ │ ├── Double_Free_BadCase02.c.json │ │ ├── Free_Not_Set_Null_BadCase02.cpp │ │ ├── Free_Not_Set_Null_BadCase02.cpp.json │ │ ├── Prod_Dereference_After_Free_BadCase01.c │ │ └── Prod_Dereference_After_Free_BadCase01.c.json │ ├── ZeroDeref_Scene_BadCase02.c │ ├── ZeroDeref_Scene_BadCase02.c.json │ ├── ZeroDeref_Scene_BadCase05.c │ ├── ZeroDeref_Scene_BadCase05.c.json │ ├── base_type.h │ ├── egcd3-ll_valuebound10.c │ ├── fn_reverse_null.c │ ├── fn_reverse_null.c.json │ ├── fp_forward_null_address.c │ ├── fp_forward_null_address.c.json │ ├── fp_null_returns_self_define.c │ ├── fp_null_returns_self_define.c.json │ ├── fp_null_returns_self_define2.c │ ├── fp_null_returns_self_define2.c.json │ ├── if2.c │ ├── if2.c.json │ ├── ll_create_rec-alloca-2.c │ ├── securec.h │ ├── securectype.h │ ├── test.c │ ├── test.c.json │ ├── test.c.sarif │ ├── while_true.c │ ├── while_true.c.json │ └── wrapped_btor2c-lazyMod.adding.1.prop1-back-serstep.c ├── InlineAsm │ ├── InlineAsm.c │ ├── RaiseAsm.c │ └── asm_lifting.ll ├── Intrinsics │ ├── FMulAdd.ll │ ├── IntrinsicTrap.ll │ ├── IsConstant.ll │ ├── MinMax.ll │ ├── Missing.ll │ ├── Overflow.ll │ ├── OverflowMul.ll │ ├── Saturating.ll │ ├── abs-no-overflow.ll │ ├── abs-overflow.ll │ ├── fabs.ll │ ├── fshlr.ll │ ├── noalias-scope-decl.ll │ └── objectsize.ll ├── README ├── Replay │ ├── klee-replay │ │ ├── KTestGen.c │ │ ├── KTestRandGen.c │ │ └── KleeZesti.c │ └── libkleeruntest │ │ ├── replay_cex_after_assumed_malloc.c │ │ ├── replay_cex_incorrect_result.c │ │ ├── replay_detection.c │ │ ├── replay_float.c │ │ ├── replay_invalid_klee_assume.c │ │ ├── replay_invalid_klee_choose.c │ │ ├── replay_invalid_klee_range.c │ │ ├── replay_invalid_num_objects.c │ │ ├── replay_invalid_object_names.c │ │ ├── replay_invalid_object_size.c │ │ ├── replay_klee_prefer_cex.c │ │ ├── replay_mocks.c │ │ ├── replay_posix_runtime.c │ │ ├── replay_simple.c │ │ └── replay_two_objects.c ├── Runtime │ ├── FreeStanding │ │ ├── freestanding_only.c │ │ ├── memcpy_chk.c │ │ └── memcpy_chk_err.c │ ├── POSIX │ │ ├── CanonicalizeFileName.c │ │ ├── DirConsistency.c │ │ ├── DirSeek.c │ │ ├── Envp.c │ │ ├── FDNumbers.c │ │ ├── FD_Fail.c │ │ ├── FD_Fail2.c │ │ ├── Fcntl.c │ │ ├── FilePerm.c │ │ ├── FileTime.c │ │ ├── FreeArgv.c │ │ ├── Futimesat.c │ │ ├── GetcwdFail.c │ │ ├── Getenv.c │ │ ├── Ioctl.c │ │ ├── Isatty.c │ │ ├── MixedConcreteSymbolic.c │ │ ├── Openat.c │ │ ├── PrgName.c │ │ ├── Read1.c │ │ ├── Replay.c │ │ ├── SELinux │ │ │ ├── SELinux.c │ │ │ └── lit.local.cfg │ │ ├── SeedAndFail.c │ │ ├── Stdin.c │ │ ├── SymFileConsistency.c │ │ ├── TestMain.c │ │ ├── Usage.c │ │ ├── Write1.c │ │ ├── Write2.c │ │ ├── fgetc_example.c │ │ ├── fgets_example.c │ │ ├── file_fgetc_example.c │ │ ├── file_fgets_example.c │ │ ├── file_fputc_example.c │ │ ├── file_fputs_example.c │ │ ├── file_fread_example.c │ │ ├── file_fwrite_example.c │ │ ├── fputc_example.c │ │ ├── fputs_example.c │ │ ├── fread_example.c │ │ ├── fwrite_example.c │ │ ├── getc_example.c │ │ ├── getchar_example.c │ │ ├── gets_example.c │ │ ├── lit.local.cfg │ │ ├── putc_example.c │ │ ├── putchar_example.c │ │ └── puts_example.c │ ├── Uclibc │ │ ├── 2007-10-08-optimization-calls-wrong-libc-functions.c │ │ ├── 2008-03-04-libc-atexit-uses-dso-handle.c │ │ ├── Environ.c │ │ ├── FunctionNotFound.c │ │ ├── lit.local.cfg │ │ └── strcpy_chk.c │ └── klee-libc │ │ ├── atexit_order.c │ │ ├── bcmp.c │ │ ├── cxa_thread_atexit_impl.c │ │ ├── mempcpy.c │ │ └── strcat_chk.c ├── SARIF │ ├── GSAC │ │ ├── ContextSensitive │ │ │ ├── ContextSensitive.c │ │ │ └── pattern.sarif │ │ ├── EASY02 │ │ │ ├── EASY02.c │ │ │ └── pattern.sarif │ │ ├── EASY02_fix │ │ │ └── EASY02_fix.c │ │ ├── EASY03 │ │ │ ├── EASY03.c │ │ │ └── pattern.sarif │ │ ├── EASY03_fix │ │ │ └── EASY03_fix.c │ │ ├── FieldSensitive │ │ │ ├── FieldSensitive.c │ │ │ └── pattern.sarif │ │ ├── FlowSensitive │ │ │ ├── FlowSensitive.c │ │ │ └── pattern.sarif │ │ ├── HARD01 │ │ │ ├── HARD01.c │ │ │ └── pattern.sarif │ │ ├── HARD01_fix │ │ │ └── HARD01_fix.c │ │ ├── HARD02 │ │ │ ├── HARD02.c │ │ │ ├── HARD02.h │ │ │ └── pattern.sarif │ │ ├── HARD02_fix │ │ │ ├── HARD02_fix.c │ │ │ └── HARD02_fix.h │ │ ├── MEDIUM01 │ │ │ ├── MEDIUM01.c │ │ │ └── pattern.sarif │ │ ├── MEDIUM01_fix │ │ │ └── MEDIUM01_fix.c │ │ ├── MEDIUM02 │ │ │ ├── MEDIUM02.c │ │ │ └── pattern.sarif │ │ ├── MEDIUM02_fix │ │ │ └── MEDIUM02_fix.c │ │ ├── MEDIUM03 │ │ │ ├── MEDIUM03.c │ │ │ └── pattern.sarif │ │ ├── MEDIUM03_fix │ │ │ └── MEDIUM03_fix.c │ │ ├── MEDIUM04 │ │ │ ├── MEDIUM04.c │ │ │ └── pattern.sarif │ │ ├── MEDIUM04_fix │ │ │ └── MEDIUM04_fix.c │ │ ├── MEDIUM05 │ │ │ ├── MEDIUM05.c │ │ │ └── pattern.sarif │ │ ├── MEDIUM05_fix │ │ │ └── MEDIUM05_fix.c │ │ └── PathSensitive │ │ │ ├── PathSensitive.c │ │ │ └── pattern.sarif │ ├── Generic │ │ ├── LazyInitialization │ │ │ ├── LazyInitialization.c │ │ │ └── pattern.sarif │ │ └── SymbolicSizeArray │ │ │ ├── SymbolicSizeArray.c │ │ │ └── pattern.sarif │ ├── checker.py │ └── lit.local.cfg ├── Solver │ ├── 2016-04-12-array-parsing-bug.kquery │ ├── AShr_to_smtlib.kquery │ ├── AShr_to_smtlib.kquery.good.smt2 │ ├── AlphaEquivalenceCheck.c │ ├── CallComputeValue.c │ ├── CexCacheCheckBinding.c │ ├── CexCacheValidityCoresCheck.c │ ├── CrosscheckBitwuzlaAndBitwuzlaTreeInc.c │ ├── CrosscheckCoreStpZ3.c │ ├── CrosscheckCoreZ3Bitwuzla.c │ ├── CrosscheckZ3AndZ3TreeInc.c │ ├── DummySolver.c │ ├── ExerciseSolver.c.inc │ ├── FastCexSolver.kquery │ ├── LargeIntegers.kquery │ ├── NoBitwuzla.c │ ├── NoSTP.c │ ├── NoZ3.c │ ├── STPDumpDebugQueries.c │ ├── STPswitchSAT.c │ ├── ValidatingSolver.c │ ├── Z3ConstantArray.c │ ├── Z3LargeConstantArray.kquery │ ├── lit.local.cfg │ ├── overshift-aright-by-constant.kquery │ ├── overshift-aright-by-symbolic.kquery │ ├── overshift-left-by-constant.kquery │ ├── overshift-left-by-symbolic.kquery │ ├── overshift-lright-by-constant.kquery │ ├── overshift-lright-by-symbolic.kquery │ ├── pals_floodmax.5.2.ufo.BOUNDED-10.pals.c │ └── sina2f.c ├── UBSan │ ├── ubsan_alignment-assumption.c │ ├── ubsan_alignment-assumption_with_offset.c │ ├── ubsan_alignment-type-mismatch.c │ ├── ubsan_array_bounds.c │ ├── ubsan_bool.c │ ├── ubsan_builtin.c │ ├── ubsan_enum.cpp │ ├── ubsan_float_cast_overflow.c │ ├── ubsan_float_divide_by_zero.c │ ├── ubsan_implicit_integer_sign_change.c │ ├── ubsan_implicit_signed_integer_truncation.c │ ├── ubsan_implicit_unsigned_integer_truncation.c │ ├── ubsan_integer_divide_by_zero.c │ ├── ubsan_nonnull_attribute.c │ ├── ubsan_null.c │ ├── ubsan_nullability_arg.c │ ├── ubsan_nullability_assign.c │ ├── ubsan_nullability_return.c │ ├── ubsan_pointer_overflow-applying_nonzero_offset_to_nonnull_pointer.c │ ├── ubsan_pointer_overflow-applying_nonzero_offset_to_nonnull_pointer_10.c │ ├── ubsan_pointer_overflow-applying_nonzero_offset_to_null_pointer.c │ ├── ubsan_pointer_overflow-applying_zero_offset_to_null_pointer.c │ ├── ubsan_pointer_overflow-pointer_arithmetic.c │ ├── ubsan_return.cpp │ ├── ubsan_returns_nonnull_attribute.c │ ├── ubsan_shift_base.c │ ├── ubsan_shift_exponent.c │ ├── ubsan_signed_integer_overflow.c │ ├── ubsan_unreachable.c │ ├── ubsan_unsigned_integer_overflow.c │ ├── ubsan_unsigned_shift_base.c │ └── ubsan_vla_bound.c ├── VarArgs │ ├── FunctionAliasVarArg.c │ ├── VarArg.c │ ├── VarArgAlignment.c │ ├── VarArgByVal.c │ ├── VarArgByValReported.c │ └── VarArgLongDouble.c ├── VectorInstructions │ ├── external_call.c │ ├── extract_element.c │ ├── extract_element_symbolic.c │ ├── floating_point_ops_constant.c │ ├── insert_element.c │ ├── insert_element_symbolic.c │ ├── integer_ops_constant.c │ ├── integer_ops_signed_symbolic.c │ ├── integer_ops_unsigned_symbolic.c │ ├── memset.c │ ├── oob-llvm-lt11.c │ ├── oob-read.c │ ├── oob-write.c │ └── shuffle_element.c ├── lit.cfg ├── lit.site.cfg.in └── regression │ ├── 2007-07-25-invalid-stp-array-binding-to-objectstate.c │ ├── 2007-07-30-unflushed-byte.c │ ├── 2007-08-01-bool-zext-in-call.ll │ ├── 2007-08-01-cache-unclear-on-overwrite-flushed.c │ ├── 2007-08-06-64bit-shift.c │ ├── 2007-08-06-access-after-free.c │ ├── 2007-08-08-free-zero.c │ ├── 2007-08-16-invalid-constant-value.c │ ├── 2007-08-16-valid-write-to-freed-object.c │ ├── 2007-10-11-free-of-alloca.c │ ├── 2007-10-11-illegal-access-after-free-and-branch.c │ ├── 2007-10-12-failed-make-symbolic-after-copy.c │ ├── 2008-03-04-free-of-global.c │ ├── 2008-03-11-free-of-malloc-zero.c │ ├── 2008-04-10-bad-alloca-free.c │ ├── 2008-05-23-gep-with-global-const.c │ ├── 2014-07-04-unflushed-error-report.c │ ├── 2014-09-13-debug-info.c │ ├── 2014-12-08-ashr.c │ ├── 2015-06-22-struct-write.c │ ├── 2015-08-05-invalid-fork.c │ ├── 2015-08-30-empty-constraints.c │ ├── 2015-08-30-sdiv-1.c │ ├── 2016-03-22-independence-solver-missing-objects-for-assignment.kquery │ ├── 2016-04-14-sdiv-2.c │ ├── 2016-06-28-div-zero-bug.c │ ├── 2016-08-06-klee-get-obj-size.c │ ├── 2016-08-11-entry-point-internalize-pass.c │ ├── 2016-08-12-empty-file.c │ ├── 2016-11-24-bitcast-weak-alias.c │ ├── 2016-12-14-alloc-alignment.c │ ├── 2017-02-21-pathOS-id.c │ ├── 2017-03-23-early-exit-log-stats.c │ ├── 2017-11-01-test-with-empty-varname.c │ ├── 2018-04-05-make-symbolic-null-name.c │ ├── 2018-05-05-number-instructions-dumped-states.c │ ├── 2018-05-17-replay-short-names.c │ ├── 2018-10-01-double-segfault.c │ ├── 2018-10-28-alias-to-alias.ll │ ├── 2018-10-30-llvm-pr39177.ll │ ├── 2019-05-30_known-bitcast-alias.ll │ ├── 2019-05-30_unknown-bitcast-alias.ll │ ├── 2019-05-31_simple-unknown-bitcast-alias.ll │ ├── 2019-08-01-trap-instruction.ll │ ├── 2019-08-02-missing-switch-default.ll │ ├── 2019-09-06-make-const-symbolic.c │ ├── 2020-01-14-fabs-compare.c │ ├── 2020-02-24-count-paths-nodump.c │ ├── 2020-04-11-batching-search-zero-time-budget.c │ ├── 2020-04-27-stp-array-names.c │ ├── 2022-06-15-concretization-effects.c │ ├── 2022-06-28-asm-causes-error.c │ ├── 2023-02-01-replay-test-with-lazy-initialized-objects.c │ ├── 2023-03-27-lib-function.c │ ├── 2023-08-28-invalid-pointer-dereference.c │ ├── 2023-09-05-bool-to-fp.c │ ├── 2023-10-02-test-from-mocked-global.c │ ├── 2023-10-04-email_spec0_product16.cil.c │ ├── 2023-10-06-Dubois-015.c │ ├── 2023-10-12-inner-types-fix.c │ ├── 2023-10-13-kbfiltr.i.cil-2.c │ ├── 2023-10-13-uninitialized-memory.c │ ├── 2023-11-20-solver.c │ ├── 2023-27-10-SimpleComparison.c │ ├── 2024-07-08-call-to-raise.c │ ├── 2024-07-08-division-in-select.c │ ├── 2024-07-08-resolve-of-select.c │ └── lit.local.cfg ├── tools ├── CMakeLists.txt ├── kleaver │ ├── CMakeLists.txt │ └── main.cpp ├── klee-replay │ ├── CMakeLists.txt │ ├── fd_init.c │ ├── file-creator.c │ ├── klee-replay.c │ ├── klee-replay.h │ └── klee_init_env.c ├── klee-stats │ ├── CMakeLists.txt │ └── klee-stats ├── klee-zesti │ ├── CMakeLists.txt │ └── klee-zesti ├── klee │ ├── CMakeLists.txt │ └── main.cpp ├── ktest-gen │ ├── CMakeLists.txt │ └── ktest-gen.cpp ├── ktest-randgen │ ├── CMakeLists.txt │ └── ktest-randgen.cpp └── ktest-tool │ ├── CMakeLists.txt │ └── ktest-tool ├── unittests ├── Annotations │ ├── AnnotationsTest.cpp │ └── CMakeLists.txt ├── Assignment │ ├── AssignmentTest.cpp │ └── CMakeLists.txt ├── CMakeLists.txt ├── DiscretePDF │ ├── CMakeLists.txt │ └── DiscretePDFTest.cpp ├── Expr │ ├── ArrayExprTest.cpp │ ├── CMakeLists.txt │ └── ExprTest.cpp ├── RNG │ ├── CMakeLists.txt │ └── RNGTest.cpp ├── Ref │ ├── CMakeLists.txt │ └── RefTest.cpp ├── Searcher │ ├── CMakeLists.txt │ └── SearcherTest.cpp ├── Solver │ ├── CMakeLists.txt │ ├── SolverTest.cpp │ └── Z3SolverTest.cpp ├── Storage │ ├── CMakeLists.txt │ └── StorageTest.cpp ├── TestMain.cpp ├── Time │ ├── CMakeLists.txt │ └── TimeTest.cpp ├── TreeStream │ ├── CMakeLists.txt │ └── TreeStreamTest.cpp ├── lit-unit-tests-common.cfg └── lit-unit-tests-common.site.cfg.in ├── utbot-build.sh └── utils ├── data └── Queries │ ├── pcresymperf-3.kquery │ └── pcresymperf-4.kquery ├── emacs └── klee-pc-mode.el ├── grafana ├── Dockerfile ├── dashboard.yml ├── datasource.yml ├── grafana.ini ├── klee_dashboard.json └── upload.sh ├── hacks └── TreeGraphs │ ├── Animate.py │ ├── DumpTreeStream.py │ ├── Graphics │ ├── Canvas │ │ └── __init__.py │ ├── Geometry │ │ ├── Intersect2D.py │ │ ├── __init__.py │ │ ├── mat2.py │ │ ├── mat3.py │ │ ├── mat4.py │ │ ├── quat.py │ │ ├── vec2.py │ │ ├── vec3.py │ │ └── vec4.py │ └── __init__.py │ ├── README.txt │ ├── TreeGraph.py │ └── inputs │ ├── symPaths.ts │ └── symPaths6.ts ├── sanitizers ├── lsan.txt └── ubsan.txt └── valgrind ├── README.txt ├── valgrind-llvm.supp └── valgrind-stp.supp /.codecov.yml: -------------------------------------------------------------------------------- 1 | codecov: 2 | disable_default_path_fixes: true 3 | 4 | coverage: 5 | range: 70...90 6 | precision: 2 7 | round: down 8 | status: 9 | project: no 10 | patch: yes 11 | changes: no 12 | 13 | fixes: 14 | - "/tmp/klee_src::" 15 | 16 | ignore: 17 | - "test/" 18 | - "unittests" 19 | - "**/test-utils" 20 | 21 | comment: 22 | layout: "header, diff, changes, uncovered, tree" 23 | behavior: default 24 | -------------------------------------------------------------------------------- /.dockerignore: -------------------------------------------------------------------------------- 1 | #.git - Don't delete git, we need that to generate the correct version number 2 | autom4te.cache 3 | **/.*.swp 4 | Dockerfile 5 | cmake-*/ 6 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | * text=auto 2 | 3 | *.h text 4 | *.c text 5 | *.cpp text 6 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/bug_report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Bug report 3 | about: Create a bug report to help us improve KLEE 4 | title: '' 5 | labels: '' 6 | assignees: '' 7 | 8 | --- 9 | 10 | If you found a bug in KLEE, please provide: 11 | 1) A clear and concise description of what the bug is: what happened and what you expected to happen. 12 | 2) Steps to reproduce the bug. Ideally, you would provide a small code example triggering the bug and the exact command line used to run KLEE. Please make sure the bug is still present in the mainline. 13 | 3) The warnings and error messages issued by KLEE 14 | 4) Any relevant information about your platform: the output of `klee --version`, OS version, environment variables, directory in which KLEE is run, etc. 15 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature request 3 | about: Suggest a feature in KLEE 4 | title: '' 5 | labels: '' 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Is your feature request related to a problem? Please describe.** 11 | A clear and concise description of what the problem is. E.g., I find it difficult to use KLEE when [...]; I would find it very useful for KLEE to [...] 12 | 13 | **Describe the solution you'd like** 14 | A clear and concise description of what you want to happen. 15 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/question.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Question 3 | about: Ask a question about KLEE 4 | title: '' 5 | labels: '' 6 | assignees: '' 7 | 8 | --- 9 | 10 | To ask a question about KLEE: 11 | 1. Please first check the documentation at http://klee.github.io/docs/ 12 | 2. Then check the [searchable mailing list archive](https://www.mail-archive.com/klee-dev@imperial.ac.uk/) 13 | 3. If this still doesn’t answer your questions then please send an email to the [klee-dev mailing list](http://klee.github.io/klee-dev/) 14 | 15 | **We will normally not answer questions asked on GitHub.** 16 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | Release/ 2 | Release+Asserts/ 3 | Debug/ 4 | Debug+Asserts/ 5 | Output/ 6 | 7 | # commonly used as cmake build directory 8 | /build 9 | 10 | cscope.* 11 | *~ 12 | 13 | *.log 14 | *.sum 15 | *.out 16 | *.status 17 | 18 | # In source build files 19 | docs/doxygen.cfg 20 | include/klee/Config/CompileTimeInfo.h 21 | *.config 22 | 23 | config.h 24 | site.exp 25 | 26 | # Site file for llvm-lit 27 | lit.site.cfg 28 | 29 | # Autoconf files 30 | autoconf/aclocal.m4 31 | autoconf/autom4te.cache/ 32 | autom4te.cache/ 33 | 34 | .vscode/ 35 | .cache/ 36 | .helix/ 37 | -------------------------------------------------------------------------------- /.pre-commit-config.yaml: -------------------------------------------------------------------------------- 1 | files: '(^.*\.((((c|C)(c|pp|xx|\+\+)?$)|((h|H)h?(pp|xx|\+\+)?$))|((ino|pde|proto|cu))$)|^(include|lib)\/.*\.inc)$' 2 | 3 | repos: 4 | - repo: https://github.com/pre-commit/mirrors-clang-format 5 | rev: v13.0.1 6 | hooks: 7 | - id: clang-format 8 | -------------------------------------------------------------------------------- /DEBT: -------------------------------------------------------------------------------- 1 | KLEE 3.1, 29 February 2024 2 | ========================== 3 | 4 | - New execution tree implementation and klee-exec-tree tool (@251) 5 | - KDAlloc is now the default allocator in KLEE (KDAlloc was introduced in KLEE 3.0) 6 | - Resolve memory reads/writes to single objects in more cases (@tkuchta) 7 | - Concretize values based on seeds when available (@ccadar) 8 | 9 | 10 | KLEE 3.0, 7 June 2023 11 | ===================== 12 | 13 | - Added support for the KDAlloc memory allocator, which enables KLEE to more robustly detect use-after-free errors, improves the detection of buffer overflows, and provides deterministic memory allocation (@danielschemmel, based on https://srg.doc.ic.ac.uk/publications/22-kdalloc-ecoop.html) 14 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | KLEEF Symbolic Virtual Machine 2 | ============================= 3 | 4 | [![Build Status](https://github.com/UnitTestBot/klee/workflows/CI/badge.svg)](https://github.com/UnitTestBot/klee/actions?query=workflow%3ACI) 5 | [![Coverage](https://codecov.io/gh/UnitTestBot/klee/branch/main/graph/badge.svg)](https://codecov.io/gh/UnitTestBot/klee) 6 | 7 | `KLEEF` is a complete overhaul of the KLEE symbolic execution engine for LLVM, fine-tuned for a robust analysis of industrial C/C++ code. 8 | 9 | For further information, see the [webpage](https://toolchain-labs.com/projects/kleef.html). 10 | -------------------------------------------------------------------------------- /docs/SMT-COMP/QF_AUFBV.smt: -------------------------------------------------------------------------------- 1 | (logic QF_AUFBV 2 | 3 | :written_by {Clark Barrett} 4 | :date {May 7, 2007} 5 | 6 | :theory BV_ArraysEx 7 | 8 | :language 9 | "Closed quantifier-free formulas built over an arbitrary expansion of the 10 | BV_ArraysEx signature with free function and predicate symbols over 11 | the sorts of BV_ArraysEx. Formulas in ite terms must satisfy the same 12 | restriction as well, with the exception that they need not be closed (because 13 | they may be in the scope of a let expression). 14 | " 15 | :extensions 16 | "As in the logic QF_BV." 17 | ) 18 | 19 | 20 | -------------------------------------------------------------------------------- /docs/intro: -------------------------------------------------------------------------------- 1 | /// @mainpage KLEE 2 | /// 3 | /// @section main_intro Introduction 4 | /// Welcome to KLEE. KLEE is a symbolic execution engine that works on LLVM 5 | /// bitcode. 6 | /// 7 | /// @section Documentation 8 | /// The documentation of KLEE is composed of the Doxygen documentation 9 | /// of the code as well as the following documents: 10 | /// - @subpage overview 11 | -------------------------------------------------------------------------------- /examples/get_sign/get_sign.c: -------------------------------------------------------------------------------- 1 | /* 2 | * First KLEE tutorial: testing a small function 3 | */ 4 | 5 | #include "klee/klee.h" 6 | 7 | int get_sign(int x) { 8 | if (x == 0) 9 | return 0; 10 | 11 | if (x < 0) 12 | return -1; 13 | else 14 | return 1; 15 | } 16 | 17 | int main() { 18 | int a; 19 | klee_make_symbolic(&a, sizeof(a), "a"); 20 | return get_sign(a); 21 | } 22 | -------------------------------------------------------------------------------- /examples/regexp/notes.txt: -------------------------------------------------------------------------------- 1 | clang -m32 -I ~/private/klee/include -c -emit-llvm Regexp.c 2 | 3 | klee Regexp.o 4 | klee --only-output-states-covering-new Regexp.o 5 | ls -l klee-out-0 6 | ls -l klee-out-1 7 | ls -l klee-last 8 | 9 | cd klee-last 10 | klee-bout-tool *.bout 11 | klee-bout-tool --trim-zeros *.bout 12 | 13 | Stuff to show: 14 | Adding klee_prefer_cex 15 | 16 | PrintStats.py klee-last 17 | 18 | PrintStats.py klee-last 19 | Why not 100% coverage? 20 | 21 | clang -g -m32 -I ~/private/klee/include -c -emit-llvm Regexp.c 22 | 23 | KCachegrind? 24 | 25 | Disable klee_assume, show coverage again (why is klee-check-div getting pulled 26 | in?) 27 | -------------------------------------------------------------------------------- /include/klee/Config/CompileTimeInfo.h.cmin: -------------------------------------------------------------------------------- 1 | //===-- CompileTimeInfo.h ---------------------------------------*- C++ -*-===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | // @AUTO_GEN_MSG@ 11 | #ifndef KLEE_COMPILETIMEINFO_H 12 | #define KLEE_COMPILETIMEINFO_H 13 | 14 | #define KLEE_BUILD_MODE "@CMAKE_BUILD_TYPE@ (Asserts: @ENABLE_KLEE_ASSERTS@)" 15 | #define KLEE_BUILD_REVISION "@KLEE_GIT_SHA1HASH@" 16 | 17 | #endif /* KLEE_COMPILETIMEINFO_H */ 18 | -------------------------------------------------------------------------------- /include/klee/Config/Version.h: -------------------------------------------------------------------------------- 1 | //===-- Version.h -----------------------------------------------*- C++ -*-===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #ifndef KLEE_VERSION_H 11 | #define KLEE_VERSION_H 12 | 13 | #include "klee/Config/config.h" 14 | 15 | #define LLVM_VERSION(major, minor) (((major) << 8) | (minor)) 16 | #define LLVM_VERSION_CODE LLVM_VERSION(LLVM_VERSION_MAJOR, LLVM_VERSION_MINOR) 17 | 18 | #endif /* KLEE_VERSION_H */ 19 | -------------------------------------------------------------------------------- /include/klee/Module/Cell.h: -------------------------------------------------------------------------------- 1 | //===-- Cell.h --------------------------------------------------*- C++ -*-===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #ifndef KLEE_CELL_H 11 | #define KLEE_CELL_H 12 | 13 | #include "klee/Expr/Expr.h" 14 | 15 | namespace klee { 16 | class MemoryObject; 17 | 18 | struct Cell { 19 | ref value; 20 | Cell() = default; 21 | explicit Cell(ref value) : value(value) {} 22 | }; 23 | } // namespace klee 24 | 25 | #endif /* KLEE_CELL_H */ 26 | -------------------------------------------------------------------------------- /include/klee/Support/PrintVersion.h: -------------------------------------------------------------------------------- 1 | //===-- PrintVersion.h ------------------------------------------*- C++ -*-===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #ifndef KLEE_PRINTVERSION_H 11 | #define KLEE_PRINTVERSION_H 12 | 13 | #include "llvm/Support/raw_ostream.h" 14 | 15 | namespace klee { 16 | void printVersion(llvm::raw_ostream &OS); 17 | } 18 | 19 | #endif /* KLEE_PRINTVERSION_H */ 20 | -------------------------------------------------------------------------------- /include/klee/Support/RoundingModeUtil.h: -------------------------------------------------------------------------------- 1 | //===-- RoundingModeUtil.h --------------------------------------*- C++ -*-===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | #ifndef KLEE_ROUNDING_MODE_UTIL_H 10 | 11 | #include "llvm/ADT/APFloat.h" 12 | 13 | namespace klee { 14 | 15 | int LLVMRoundingModeToCRoundingMode(llvm::APFloat::roundingMode rm); 16 | 17 | const char *LLVMRoundingModeToString(llvm::APFloat::roundingMode rm); 18 | } // namespace klee 19 | 20 | #endif 21 | -------------------------------------------------------------------------------- /include/klee/System/MemoryUsage.h: -------------------------------------------------------------------------------- 1 | //===-- MemoryUsage.h -------------------------------------------*- C++ -*-===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #ifndef KLEE_MEMORYUSAGE_H 11 | #define KLEE_MEMORYUSAGE_H 12 | 13 | #include 14 | 15 | namespace klee { 16 | namespace util { 17 | /// Get total malloc usage in bytes 18 | size_t GetTotalMallocUsage(); 19 | } // namespace util 20 | } // namespace klee 21 | 22 | #endif /* KLEE_MEMORYUSAGE_H */ 23 | -------------------------------------------------------------------------------- /lib/Basic/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | add_library(kleeBasic 10 | KTest.cpp 11 | Statistics.cpp 12 | ) 13 | 14 | llvm_config(kleeBasic "${USE_LLVM_SHARED}" support) 15 | target_compile_options(kleeBasic PRIVATE ${KLEE_COMPONENT_CXX_FLAGS}) 16 | target_compile_definitions(kleeBasic PRIVATE ${KLEE_COMPONENT_CXX_DEFINES}) 17 | 18 | target_include_directories(kleeBasic PRIVATE ${KLEE_INCLUDE_DIRS}) 19 | -------------------------------------------------------------------------------- /lib/Basic/README.txt: -------------------------------------------------------------------------------- 1 | This directory holds the most basic support facilities provided for 2 | both the klee and kleaver libraries. The code in this directory should 3 | have no dependencies on LLVM or any other klee libraries. 4 | -------------------------------------------------------------------------------- /lib/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | add_subdirectory(ADT) 10 | add_subdirectory(Basic) 11 | add_subdirectory(Support) 12 | add_subdirectory(Expr) 13 | add_subdirectory(Solver) 14 | add_subdirectory(Module) 15 | add_subdirectory(Core) 16 | -------------------------------------------------------------------------------- /lib/Module/Instrument.cpp: -------------------------------------------------------------------------------- 1 | //===-- Instrument.cpp ------------------------------------------*- C++ -*-===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #include "ModuleHelper.h" 11 | 12 | using namespace klee; 13 | 14 | void klee::checkModule(bool DontVerfify, llvm::Module *module) { assert(0); } 15 | 16 | void klee::instrument(bool CheckDivZero, bool CheckOvershift, 17 | bool WithFPRuntime, llvm::Module *module) { 18 | assert(0); 19 | } 20 | -------------------------------------------------------------------------------- /lib/Module/KValue.cpp: -------------------------------------------------------------------------------- 1 | #include "klee/Module/KValue.h" 2 | 3 | #include "llvm/ADT/StringRef.h" 4 | #include "llvm/IR/Value.h" 5 | 6 | using namespace klee; 7 | 8 | llvm::Value *KValue::unwrap() const { return value; } 9 | 10 | llvm::StringRef KValue::getName() const { 11 | return value && value->hasName() ? value->getName() : ""; 12 | } 13 | -------------------------------------------------------------------------------- /lib/README.txt: -------------------------------------------------------------------------------- 1 | The klee and kleaver code is organized as follows: 2 | 3 | lib/Basic - Low level support for both klee and kleaver which should 4 | be independent of LLVM. 5 | 6 | lib/Support - Higher level support, but only used by klee. This can 7 | use LLVM facilities. 8 | 9 | lib/Expr - The core kleaver expression library. 10 | 11 | lib/Solver - The kleaver solver library. 12 | 13 | lib/Module - klee facilities for working with LLVM modules, including 14 | the shadow module/instruction structures we use during 15 | execution. 16 | 17 | lib/Core - The core symbolic virtual machine. 18 | 19 | -------------------------------------------------------------------------------- /lib/Solver/BitwuzlaHashConfig.h: -------------------------------------------------------------------------------- 1 | //===-- BitwuzlaHashConfig.h -----------------------------------------*- C++ 2 | //-*-====// 3 | // 4 | // The KLEE Symbolic Virtual Machine 5 | // 6 | // This file is distributed under the University of Illinois Open Source 7 | // License. See LICENSE.TXT for details. 8 | // 9 | //===----------------------------------------------------------------------===// 10 | 11 | #ifndef KLEE_BITWUZLAHASHCONFIG_H 12 | #define KLEE_BITWUZLAHASHCONFIG_H 13 | 14 | #include "llvm/Support/CommandLine.h" 15 | 16 | namespace BitwuzlaHashConfig { 17 | extern llvm::cl::opt UseConstructHashBitwuzla; 18 | } // namespace BitwuzlaHashConfig 19 | #endif // KLEE_BITWUZLAHASHCONFIG_H 20 | -------------------------------------------------------------------------------- /lib/Solver/BitwuzlaSolver.h: -------------------------------------------------------------------------------- 1 | #ifndef BITWUZLASOLVER_H_ 2 | #define BITWUZLASOLVER_H_ 3 | 4 | #include "klee/Solver/Solver.h" 5 | 6 | namespace klee { 7 | 8 | /// BitwuzlaSolver - A complete solver based on Bitwuzla 9 | class BitwuzlaSolver : public Solver { 10 | public: 11 | /// BitwuzlaSolver - Construct a new BitwuzlaSolver. 12 | BitwuzlaSolver(); 13 | }; 14 | 15 | class BitwuzlaTreeSolver : public Solver { 16 | public: 17 | BitwuzlaTreeSolver(unsigned maxSolvers); 18 | }; 19 | 20 | } // namespace klee 21 | 22 | #endif 23 | -------------------------------------------------------------------------------- /lib/Solver/Z3HashConfig.h: -------------------------------------------------------------------------------- 1 | //===-- Z3HashConfig.h -----------------------------------------*- C++ -*-====// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #ifndef KLEE_Z3HASHCONFIG_H 11 | #define KLEE_Z3HASHCONFIG_H 12 | 13 | #include "llvm/Support/CommandLine.h" 14 | 15 | #include 16 | 17 | namespace Z3HashConfig { 18 | extern llvm::cl::opt UseConstructHashZ3; 19 | extern std::atomic Z3InteractionLogOpen; 20 | } // namespace Z3HashConfig 21 | #endif // KLEE_Z3HASHCONFIG_H 22 | -------------------------------------------------------------------------------- /lib/Support/README.txt: -------------------------------------------------------------------------------- 1 | This directory holds basic support facilities (data structures, 2 | utilities, etc.) used by klee. 3 | -------------------------------------------------------------------------------- /runtime/Freestanding/memcpy.c: -------------------------------------------------------------------------------- 1 | /*===-- memcpy.c ----------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | #include 11 | 12 | void *memcpy(void *destaddr, void const *srcaddr, size_t len) { 13 | char *dest = destaddr; 14 | char const *src = srcaddr; 15 | 16 | while (len-- > 0) 17 | *dest++ = *src++; 18 | return destaddr; 19 | } 20 | -------------------------------------------------------------------------------- /runtime/Freestanding/memset.c: -------------------------------------------------------------------------------- 1 | /*===-- memset.c ----------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | #include 11 | 12 | void *memset(void *dst, int s, size_t count) { 13 | char *a = dst; 14 | while (count-- > 0) 15 | *a++ = s; 16 | return dst; 17 | } 18 | -------------------------------------------------------------------------------- /runtime/Intrinsic/dso_handle.c: -------------------------------------------------------------------------------- 1 | void *__dso_handle = 0; 2 | -------------------------------------------------------------------------------- /runtime/Intrinsic/klee_choose.c: -------------------------------------------------------------------------------- 1 | /*===-- klee-choose.c -----------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | #include "klee/klee.h" 11 | 12 | uintptr_t klee_choose(uintptr_t n) { 13 | uintptr_t x; 14 | klee_make_symbolic(&x, sizeof x, "klee_choose"); 15 | 16 | /* NB: this will *not* work if they don't compare to n values. */ 17 | if (x >= n) 18 | klee_silent_exit(0); 19 | return x; 20 | } 21 | -------------------------------------------------------------------------------- /runtime/Intrinsic/klee_div_zero_check.c: -------------------------------------------------------------------------------- 1 | //===-- klee_div_zero_check.c ---------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #include "klee/klee.h" 11 | 12 | void klee_div_zero_check(long long z) { 13 | if (z == 0) 14 | klee_report_error(__FILE__, __LINE__, "divide by zero", "div.err"); 15 | } 16 | -------------------------------------------------------------------------------- /runtime/Intrinsic/klee_int.c: -------------------------------------------------------------------------------- 1 | //===-- klee_int.c --------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #include "klee/klee.h" 11 | #include 12 | 13 | int klee_int(const char *name) { 14 | int x; 15 | klee_make_symbolic(&x, sizeof x, name); 16 | return x; 17 | } 18 | -------------------------------------------------------------------------------- /runtime/Intrinsic/klee_is_replay.c: -------------------------------------------------------------------------------- 1 | 2 | /*===-- klee_is_replay.c --------------------------------------------------===// 3 | // 4 | // The KLEE Symbolic Virtual Machine 5 | // 6 | // This file is distributed under the University of Illinois Open Source 7 | // License. See LICENSE.TXT for details. 8 | // 9 | //===----------------------------------------------------------------------===*/ 10 | 11 | #include "klee/klee.h" 12 | 13 | unsigned klee_is_replay() { return 0; } 14 | -------------------------------------------------------------------------------- /runtime/Mocks/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | 10 | set(LIB_PREFIX "RuntimeMocks") 11 | set(SRC_FILES 12 | models.c 13 | ) 14 | 15 | # Build it 16 | include("${CMAKE_SOURCE_DIR}/cmake/compile_bitcode_library.cmake") 17 | prefix_with_path("${SRC_FILES}" "${CMAKE_CURRENT_SOURCE_DIR}/" runtime_mocks_files) 18 | 19 | add_bitcode_library_targets("${LIB_PREFIX}" "${runtime_mocks_files}" "" "") 20 | -------------------------------------------------------------------------------- /runtime/Sanitizer/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | # Set up 10 | set(LIB_PREFIX "UBSan") 11 | set(SRC_FILES 12 | ubsan/ubsan_handlers.cpp 13 | ) 14 | 15 | # Build it 16 | include("${CMAKE_SOURCE_DIR}/cmake/compile_bitcode_library.cmake") 17 | prefix_with_path("${SRC_FILES}" "${CMAKE_CURRENT_SOURCE_DIR}/" prefixed_files) 18 | add_bitcode_library_targets("${LIB_PREFIX}" "${prefixed_files}" "" "") -------------------------------------------------------------------------------- /runtime/klee-fp/copysign.h: -------------------------------------------------------------------------------- 1 | /*===-- copysign.h --------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | #ifndef KLEE_COPYSIGN_H 11 | #define KLEE_COPYSIGN_H 12 | 13 | float copysignf(float x, float y); 14 | double copysign(double x, double y); 15 | long double copysignl(long double x, long double y); 16 | 17 | #endif // KLEE_COPYSIGN_H 18 | -------------------------------------------------------------------------------- /runtime/klee-fp/fabs.c: -------------------------------------------------------------------------------- 1 | /*===-- fabs.c ------------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | #include "klee/klee.h" 10 | 11 | double fabs(double d) { return klee_abs_double(d); } 12 | 13 | float fabsf(float f) { return klee_abs_float(f); } 14 | 15 | #if defined(__x86_64__) || defined(__i386__) 16 | long double fabsl(long double f) { return klee_abs_long_double(f); } 17 | #endif 18 | -------------------------------------------------------------------------------- /runtime/klee-fp/floor.h: -------------------------------------------------------------------------------- 1 | /*===-- floor.h -----------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | #ifndef KLEE_FLOOR_H 11 | #define KLEE_FLOOR_H 12 | 13 | float floorf(float x); 14 | double floor(double x); 15 | long double floorl(long double x); 16 | 17 | #endif // KLEE_FLOOR_H 18 | -------------------------------------------------------------------------------- /runtime/klee-fp/rint.h: -------------------------------------------------------------------------------- 1 | /*===-- rint.h ------------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | #ifndef KLEE_RINT_H 11 | #define KLEE_RINT_H 12 | 13 | float rintf(float arg); 14 | double rint(double arg); 15 | long double rintl(long double arg); 16 | float nearbyintf(float arg); 17 | double nearbyint(double arg); 18 | long double nearbyintl(long double arg); 19 | 20 | #endif // KLEE_RINT_H 21 | -------------------------------------------------------------------------------- /runtime/klee-fp/sqrt.c: -------------------------------------------------------------------------------- 1 | /*===-- sqrt.c ------------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | #include "klee/klee.h" 10 | 11 | double sqrt(double d) { return klee_sqrt_double(d); } 12 | 13 | float sqrtf(float f) { return klee_sqrt_float(f); } 14 | 15 | #if defined(__x86_64__) || defined(__i386__) 16 | long double sqrtl(long double f) { return klee_sqrt_long_double(f); } 17 | #endif 18 | -------------------------------------------------------------------------------- /runtime/klee-libc/abort.c: -------------------------------------------------------------------------------- 1 | /*===-- abort.c -----------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | #include 11 | 12 | #include "klee/klee.h" 13 | 14 | void abort(void) { klee_abort(); } 15 | -------------------------------------------------------------------------------- /runtime/klee-libc/atexit.c: -------------------------------------------------------------------------------- 1 | /*==-- atexit.c ----------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | int __cxa_atexit(void (*fn)(void *), void *arg, void *dso_handle); 11 | 12 | int atexit(void (*fn)(void)) { 13 | return __cxa_atexit((void (*)(void *))fn, 0, 0); 14 | } 15 | -------------------------------------------------------------------------------- /runtime/klee-libc/bcmp.c: -------------------------------------------------------------------------------- 1 | /*===-- bcmp.c ------------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | #include 11 | 12 | int bcmp(const void *s1, const void *s2, size_t n) { 13 | const unsigned char *p1 = s1, *p2 = s2; 14 | while (n-- != 0) { 15 | if (*p1++ != *p2++) 16 | return 1; 17 | } 18 | return 0; 19 | } 20 | -------------------------------------------------------------------------------- /runtime/klee-libc/mempcpy.c: -------------------------------------------------------------------------------- 1 | /*===-- mempcpy.c ---------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | #undef _GNU_SOURCE 11 | 12 | #include 13 | 14 | void *mempcpy(void *destaddr, void const *srcaddr, size_t len) { 15 | return (char *)memcpy(destaddr, srcaddr, len) + len; 16 | } 17 | -------------------------------------------------------------------------------- /runtime/klee-libc/putchar.c: -------------------------------------------------------------------------------- 1 | /*===-- putchar.c ---------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | #include 11 | #include 12 | 13 | /* Some header may #define putchar. */ 14 | #undef putchar 15 | 16 | int putchar(int c) { 17 | char x = c; 18 | if (1 == write(1, &x, 1)) 19 | return c; 20 | return EOF; 21 | } 22 | -------------------------------------------------------------------------------- /runtime/klee-libc/strchr.c: -------------------------------------------------------------------------------- 1 | /*===-- strchr.c ----------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | char *strchr(const char *p, int ch) { 11 | char c; 12 | 13 | c = ch; 14 | for (;; ++p) { 15 | if (*p == c) { 16 | return ((char *)p); 17 | } else if (*p == '\0') { 18 | return 0; 19 | } 20 | } 21 | /* NOTREACHED */ 22 | return 0; 23 | } 24 | -------------------------------------------------------------------------------- /runtime/klee-libc/strcmp.c: -------------------------------------------------------------------------------- 1 | /*===-- strcmp.c ----------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | int strcmp(const char *a, const char *b) { 11 | while (*a && *a == *b) 12 | ++a, ++b; 13 | return *(const unsigned char *)a - *(const unsigned char *)b; 14 | } 15 | -------------------------------------------------------------------------------- /runtime/klee-libc/strcoll.c: -------------------------------------------------------------------------------- 1 | /*===-- strcoll.c ---------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | #include 11 | 12 | /* according to the manpage, this is equiv in the POSIX/C locale. */ 13 | int strcoll(const char *s1, const char *s2) { return strcmp(s1, s2); } 14 | -------------------------------------------------------------------------------- /runtime/klee-libc/strcpy.c: -------------------------------------------------------------------------------- 1 | /*===-- strcpy.c ----------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | char *strcpy(char *to, const char *from) { 11 | char *start = to; 12 | 13 | while ((*to = *from)) 14 | ++to, ++from; 15 | 16 | return start; 17 | } 18 | -------------------------------------------------------------------------------- /runtime/klee-libc/strlen.c: -------------------------------------------------------------------------------- 1 | /*===-- strlen.c ----------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | #include 11 | 12 | size_t strlen(const char *str) { 13 | const char *s = str; 14 | while (*s) 15 | ++s; 16 | return s - str; 17 | } 18 | -------------------------------------------------------------------------------- /runtime/klee-libc/strrchr.c: -------------------------------------------------------------------------------- 1 | /*===-- strrchr.c ---------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | #include 11 | 12 | char *strrchr(const char *t, int c) { 13 | char ch; 14 | const char *l = 0; 15 | 16 | ch = c; 17 | for (;;) { 18 | if (*t == ch) 19 | l = t; 20 | if (!*t) 21 | return (char *)l; 22 | ++t; 23 | } 24 | return (char *)l; 25 | } 26 | -------------------------------------------------------------------------------- /runtime/klee-libc/tolower.c: -------------------------------------------------------------------------------- 1 | /*===-- tolower.c ---------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | int tolower(int ch) { 11 | if ((unsigned int)(ch - 'A') < 26u) 12 | ch -= 'A' - 'a'; 13 | return ch; 14 | } 15 | -------------------------------------------------------------------------------- /runtime/klee-libc/toupper.c: -------------------------------------------------------------------------------- 1 | /*===-- toupper.c ---------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | int toupper(int ch) { 11 | if ((unsigned int)(ch - 'a') < 26u) 12 | ch += 'A' - 'a'; 13 | return ch; 14 | } 15 | -------------------------------------------------------------------------------- /scripts/.clang-format: -------------------------------------------------------------------------------- 1 | DisableFormat: true 2 | SortIncludes: false -------------------------------------------------------------------------------- /scripts/build/p-bitwuzla-linux-ubuntu.inc: -------------------------------------------------------------------------------- 1 | # Build dependencies Bitwuzla 2 | install_build_dependencies_bitwuzla() { 3 | source "${DIR}/common-functions" 4 | with_sudo apt update -y 5 | 6 | dependencies=( 7 | build-essential 8 | 9 | ninja-build 10 | python3 11 | python3-pip 12 | cmake 13 | git 14 | ) 15 | 16 | #Install essential dependencies 17 | with_sudo apt -y --no-install-recommends install "${dependencies[@]}" 18 | 19 | with_sudo apt-get update -y 20 | with_sudo apt-get -y --no-install-recommends install pkg-config cmake-data m4 21 | 22 | pip3 install --user meson 23 | base_path="$(python3 -m site --user-base)" 24 | export PATH="$PATH:${base_path}/bin" 25 | } 26 | -------------------------------------------------------------------------------- /scripts/build/p-bitwuzla-osx.inc: -------------------------------------------------------------------------------- 1 | install_build_dependencies_bitwuzla() { 2 | dependencies=( 3 | ninja 4 | python3 5 | python3-pip 6 | cmake 7 | git 8 | pkg-config 9 | ) 10 | brew install "${dependencies[@]}" 11 | pip3 install --user meson 12 | base_path="$(python3 -m site --user-base)" 13 | export PATH="$PATH:${base_path}/bin" 14 | } 15 | -------------------------------------------------------------------------------- /scripts/build/p-clang-linux-ubuntu-22.04.inc: -------------------------------------------------------------------------------- 1 | get_docker_config_id_clang() { 2 | echo "" 3 | return 0; 4 | } 5 | -------------------------------------------------------------------------------- /scripts/build/p-cmake-osx.inc: -------------------------------------------------------------------------------- 1 | # Package script for LLVM builds OSX 2 | install_binary_artifact_cmake () { 3 | # Use the brew provided package 4 | LLVM_VERSION_MAJOR="${LLVM_VERSION/.*/}" 5 | brew install "cmake" 6 | } 7 | 8 | # Check if the binary artifact is installed 9 | is_installed_cmake() { 10 | if which cmake ; then 11 | return 0 12 | fi 13 | 14 | return 1 15 | } -------------------------------------------------------------------------------- /scripts/build/p-gtest-linux-ubuntu.inc: -------------------------------------------------------------------------------- 1 | install_build_dependencies_gtest() { 2 | source "${DIR}/common-functions" 3 | with_sudo apt update -y 4 | 5 | dependencies=( 6 | ca-certificates 7 | wget 8 | unzip 9 | ) 10 | 11 | #Install essential dependencies 12 | with_sudo apt -y --no-install-recommends install "${dependencies[@]}" 13 | } -------------------------------------------------------------------------------- /scripts/build/p-gtest-osx.inc: -------------------------------------------------------------------------------- 1 | install_build_dependencies_gtest() { 2 | # Install essential dependency 3 | # Ignore if already installed 4 | brew install wget || /usr/bin/true 5 | } 6 | -------------------------------------------------------------------------------- /scripts/build/p-immer-linux-ubuntu.inc: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | install_build_dependencies_immer() { 3 | source "${DIR}/common-functions" 4 | with_sudo apt update -y 5 | 6 | dependencies=( 7 | ca-certificates 8 | wget 9 | unzip 10 | git 11 | ) 12 | 13 | #Install essential dependencies 14 | with_sudo apt -y --no-install-recommends install "${dependencies[@]}" 15 | } 16 | -------------------------------------------------------------------------------- /scripts/build/p-immer-osx.inc: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | install_build_dependencies_immer() { 3 | # Install essential dependency 4 | # Ignore if already installed 5 | brew install wget || /usr/bin/true 6 | } 7 | -------------------------------------------------------------------------------- /scripts/build/p-json-linux-ubuntu.inc: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | install_build_dependencies_json() { 3 | source "${DIR}/common-functions" 4 | with_sudo apt update -y 5 | 6 | dependencies=( 7 | ca-certificates 8 | wget 9 | unzip 10 | git 11 | ) 12 | 13 | #Install essential dependencies 14 | with_sudo apt -y --no-install-recommends install "${dependencies[@]}" 15 | } 16 | -------------------------------------------------------------------------------- /scripts/build/p-json-osx.inc: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | install_build_dependencies_json() { 3 | # Install essential dependency 4 | # Ignore if already installed 5 | brew install wget || /usr/bin/true 6 | } 7 | -------------------------------------------------------------------------------- /scripts/build/p-klee-osx.inc: -------------------------------------------------------------------------------- 1 | # Build dependencies 2 | install_build_dependencies_klee() { 3 | if [[ $(to_bool "${ENABLE_DOXYGEN}") -eq 1 ]]; then 4 | brew install doxygen graphviz 5 | fi 6 | 7 | # Install `lit` required for testing 8 | brew install lit 9 | 10 | brew install pkg-config 11 | brew install coreutils 12 | 13 | # Install package in virtual environment 14 | python3 -m pip install "tabulate" 15 | } 16 | -------------------------------------------------------------------------------- /scripts/build/p-libcxx-linux-ubuntu.inc: -------------------------------------------------------------------------------- 1 | install_build_dependencies_libcxx() { 2 | source "${DIR}/common-functions" 3 | 4 | with_sudo apt-get update -y 5 | dependencies=( 6 | build-essential 7 | ca-certificates 8 | git 9 | python3 10 | python3-pip 11 | curl 12 | file # Needed for wllvm 13 | ) 14 | 15 | with_sudo apt -y --no-install-recommends install "${dependencies[@]}" 16 | 17 | pip3 install --user wllvm 18 | base_path="$(python3 -m site --user-base)" 19 | export PATH="$PATH:${base_path}/bin" 20 | } -------------------------------------------------------------------------------- /scripts/build/p-libcxx-osx.inc: -------------------------------------------------------------------------------- 1 | # Build dependencies 2 | install_build_dependencies_libcxx() { 3 | set +e 4 | brew upgrade python # upgrade to Python 3 5 | set -e 6 | pip3 install --user wllvm 7 | base_path="$(python3 -m site --user-base)" 8 | export PATH="$PATH:${base_path}/bin" 9 | } -------------------------------------------------------------------------------- /scripts/build/p-sqlite-osx.inc: -------------------------------------------------------------------------------- 1 | install_build_dependencies_sqlite() { 2 | return 0 3 | } 4 | install_binary_artifact_sqlite() { 5 | return 0 6 | } 7 | 8 | # Sqlite is installed by default on OSX 9 | is_installed_sqlite() { 10 | return 0 11 | } 12 | 13 | get_docker_config_id_sqlite() { 14 | return 0 15 | } 16 | -------------------------------------------------------------------------------- /scripts/build/p-stp-linux-ubuntu.inc: -------------------------------------------------------------------------------- 1 | # Build dependencies 2 | install_build_dependencies_stp() { 3 | source "${DIR}/common-functions" 4 | with_sudo apt update -y 5 | 6 | dependencies=( 7 | build-essential 8 | bison 9 | ca-certificates 10 | cmake 11 | flex 12 | git 13 | zlib1g-dev 14 | libtinfo-dev 15 | ) 16 | 17 | #Install essential dependencies 18 | with_sudo apt -y --no-install-recommends install "${dependencies[@]}" 19 | } -------------------------------------------------------------------------------- /scripts/build/p-stp-osx.inc: -------------------------------------------------------------------------------- 1 | install_build_dependencies_stp() { 2 | dependencies=( 3 | bison 4 | flex 5 | ) 6 | brew install "${dependencies[@]}" 7 | } 8 | -------------------------------------------------------------------------------- /scripts/build/p-tcmalloc-linux-ubuntu.inc: -------------------------------------------------------------------------------- 1 | install_build_dependencies_tcmalloc() { 2 | source "${DIR}/common-functions" 3 | with_sudo apt update -y 4 | 5 | dependencies=( 6 | build-essential 7 | ca-certificates 8 | cmake 9 | git 10 | wget 11 | ) 12 | 13 | with_sudo apt -y --no-install-recommends install "${dependencies[@]}" 14 | } -------------------------------------------------------------------------------- /scripts/build/p-uclibc-linux-ubuntu.inc: -------------------------------------------------------------------------------- 1 | # Build dependencies 2 | install_build_dependencies_uclibc() { 3 | source "${DIR}/common-functions" 4 | with_sudo apt update -y 5 | 6 | dependencies=( 7 | build-essential 8 | ca-certificates 9 | git 10 | python3 11 | libncurses5-dev 12 | wget 13 | ) 14 | 15 | #Install essential dependencies 16 | with_sudo apt -y --no-install-recommends install "${dependencies[@]}" 17 | } -------------------------------------------------------------------------------- /scripts/build/p-z3-linux-ubuntu.inc: -------------------------------------------------------------------------------- 1 | # Build dependencies Z3 2 | install_build_dependencies_z3() { 3 | source "${DIR}/common-functions" 4 | with_sudo apt update -y 5 | 6 | dependencies=( 7 | build-essential 8 | python3 9 | git 10 | wget 11 | ca-certificates 12 | ) 13 | 14 | #Install essential dependencies 15 | with_sudo apt -y --no-install-recommends install "${dependencies[@]}" 16 | } -------------------------------------------------------------------------------- /scripts/build/p-z3-osx.inc: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # shellcheck disable=SC2034 3 | 4 | install_binary_artifact_z3() { 5 | brew install z3 6 | } 7 | 8 | setup_artifact_variables_z3() { 9 | Z3_INSTALL_PATH="$(brew --cellar z3)/${Z3_VERSION}" 10 | } 11 | 12 | install_build_dependencies_z3() { 13 | return 0 14 | } 15 | -------------------------------------------------------------------------------- /scripts/build/patches/libcxx110.patch: -------------------------------------------------------------------------------- 1 | --- a/libcxx/include/__config 2 | +++ b/libcxx/include/__config 3 | @@ -1167,10 +1167,6 @@ _LIBCPP_FUNC_VIS extern "C" void __sanitizer_annotate_contiguous_container( 4 | _LIBCPP_HAS_NO_THREADS is defined. 5 | #endif 6 | 7 | -#if defined(__STDCPP_THREADS__) && defined(_LIBCPP_HAS_NO_THREADS) 8 | -#error _LIBCPP_HAS_NO_THREADS cannot be set when __STDCPP_THREADS__ is set. 9 | -#endif 10 | - 11 | #if !defined(_LIBCPP_HAS_NO_THREADS) && !defined(__STDCPP_THREADS__) 12 | #define __STDCPP_THREADS__ 1 13 | #endif -------------------------------------------------------------------------------- /scripts/build/patches/llvm120.patch: -------------------------------------------------------------------------------- 1 | diff --git a/msan_suppressions.txt b/msan_suppressions.txt 2 | new file mode 100644 3 | index 000000000..f8c825e6f 4 | --- /dev/null 5 | +++ b/msan_suppressions.txt 6 | @@ -0,0 +1,2 @@ 7 | +# Ignore llvm-config issue 8 | +mainfile:llvm-config.cpp 9 | -------------------------------------------------------------------------------- /scripts/build/sanitizer/klee.txt: -------------------------------------------------------------------------------- 1 | # checkMemoryUsage depends on the malloc library linked with, ignore it 2 | fun:_ZN4klee4util19GetTotalMallocUsageEv 3 | -------------------------------------------------------------------------------- /scripts/build/sanitizer/sqlite.txt: -------------------------------------------------------------------------------- 1 | # Ignore uninit memory for sqlite3 external fstat call 2 | src:sqlite3.c 3 | -------------------------------------------------------------------------------- /scripts/build/v-bitwuzla.inc: -------------------------------------------------------------------------------- 1 | # Build information for Bitwuzla solver 2 | required_variables_bitwuzla=( 3 | "BITWUZLA_VERSION" 4 | ) 5 | 6 | artifact_dependency_bitwuzla=("sanitizer") 7 | 8 | install_build_dependencies_bitwuzla() { 9 | return 0 10 | } 11 | -------------------------------------------------------------------------------- /scripts/build/v-clang.inc: -------------------------------------------------------------------------------- 1 | required_variables_clang=( 2 | "LLVM_VERSION" 3 | ) 4 | 5 | artifact_dependency_clang=("cmake") 6 | 7 | setup_variables_clang() { 8 | local v_a 9 | v_a=(${LLVM_VERSION//./ }) 10 | 11 | LLVM_VERSION_MAJOR="0" 12 | LLVM_VERSION_MINOR="0" 13 | 14 | if [[ "${#v_a[@]}" -ge 1 ]]; then 15 | LLVM_VERSION_MAJOR="${v_a[0]}" 16 | fi 17 | if [[ "${#v_a[@]}" -ge 2 ]]; then 18 | LLVM_VERSION_MINOR="${v_a[1]}" 19 | fi 20 | 21 | LLVM_VERSION_SHORT="${LLVM_VERSION_MAJOR}${LLVM_VERSION_MINOR}" 22 | } 23 | 24 | export_variables_clang=( 25 | "LLVM_CONFIG" 26 | "BITCODE_CC" 27 | "BITCODE_CXX" 28 | ) -------------------------------------------------------------------------------- /scripts/build/v-cmake.inc: -------------------------------------------------------------------------------- 1 | artifact_dependency_cmake=("") 2 | 3 | required_variables_cmake=("") 4 | 5 | get_docker_config_id_cmake() { 6 | return 0 7 | } -------------------------------------------------------------------------------- /scripts/build/v-gtest.inc: -------------------------------------------------------------------------------- 1 | # Build information for gtest 2 | required_variables_gtest=( 3 | "GTEST_VERSION" 4 | ) 5 | 6 | # Artifacts gtest depends on 7 | artifact_dependency_gtest=("") -------------------------------------------------------------------------------- /scripts/build/v-immer.inc: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # shellcheck disable=SC2034 3 | # Build information for immer 4 | required_variables_immer=( 5 | "IMMER_VERSION" 6 | ) 7 | 8 | # Artifacts immer depends on 9 | artifact_dependency_immer=("") 10 | -------------------------------------------------------------------------------- /scripts/build/v-json.inc: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # shellcheck disable=SC2034 3 | 4 | # Build information for json 5 | required_variables_json=( 6 | "JSON_VERSION" 7 | ) 8 | 9 | # Artifacts json depends on 10 | artifact_dependency_json=("") 11 | -------------------------------------------------------------------------------- /scripts/build/v-libcxx.inc: -------------------------------------------------------------------------------- 1 | required_variables_libcxx=( 2 | "LLVM_VERSION" 3 | ) 4 | 5 | required_variables_check_libcxx() { 6 | return 0 7 | } 8 | 9 | artifact_dependency_libcxx(){ 10 | echo "llvm" 11 | echo "cmake" 12 | } 13 | -------------------------------------------------------------------------------- /scripts/build/v-metasmt.inc: -------------------------------------------------------------------------------- 1 | # Build information for metaSMT solver 2 | required_variables_metasmt=( 3 | "METASMT_VERSION" 4 | "METASMT_DEFAULT" 5 | ) 6 | 7 | artifact_dependency_metasmt=("") -------------------------------------------------------------------------------- /scripts/build/v-sanitizer_compiler.inc: -------------------------------------------------------------------------------- 1 | # Meta-package for solvers 2 | required_variables_sanitizer_compiler=("") 3 | 4 | # On which artifacts does STP depend on 5 | artifact_dependency_sanitizer_compiler(){ 6 | echo "sanitizer" 7 | if [[ -n ${SANITIZER_BUILD+x} ]]; then 8 | [[ "${SANITIZER_BUILD}" == "memory" ]] && echo "llvm" 9 | [[ "${SANITIZER_BUILD}" != "memory" ]] && echo "clang" 10 | fi 11 | } 12 | 13 | 14 | # Setup general variables 15 | setup_variables_sanitizer_compiler() { 16 | for sanitizer in "${SANITIZERS[@]}"; do 17 | [[ -z "${sanitizer}" ]] && continue 18 | SANITIZER_CMAKE_C_COMPILER=("") 19 | done 20 | } -------------------------------------------------------------------------------- /scripts/build/v-sqlite.inc: -------------------------------------------------------------------------------- 1 | artifact_dependency_sqlite=("sanitizer") 2 | 3 | required_variables_sqlite=( 4 | "SQLITE_VERSION" 5 | ) 6 | -------------------------------------------------------------------------------- /scripts/build/v-stp.inc: -------------------------------------------------------------------------------- 1 | # Build information for STP solver 2 | required_variables_stp=( 3 | "STP_VERSION" 4 | "MINISAT_VERSION" 5 | ) 6 | 7 | # On which artifacts does STP depend on 8 | artifact_dependency_stp=("sanitizer") 9 | 10 | artifact_dependency_stp() { 11 | echo "sanitizer" 12 | if [[ "${SANITIZER_BUILD:-}" == "memory" ]]; then 13 | echo "llvm" 14 | fi 15 | } -------------------------------------------------------------------------------- /scripts/build/v-tcmalloc.inc: -------------------------------------------------------------------------------- 1 | artifact_dependency_tcmalloc=("") 2 | 3 | required_variables_tcmalloc=( 4 | "TCMALLOC_VERSION" 5 | ) -------------------------------------------------------------------------------- /scripts/build/v-uclibc.inc: -------------------------------------------------------------------------------- 1 | required_variables_uclibc=( 2 | "UCLIBC_VERSION" 3 | "LLVM_VERSION" 4 | ) 5 | 6 | artifact_dependency_uclibc(){ 7 | # Add llvm if needed; otherwise only use clang package 8 | # TODO this is quite distribution specific; should be handled in a more general case 9 | echo "llvm" 10 | } 11 | -------------------------------------------------------------------------------- /scripts/build/v-z3.inc: -------------------------------------------------------------------------------- 1 | # Build information for Z3 solver 2 | required_variables_z3=( 3 | "Z3_VERSION" 4 | ) 5 | 6 | # Artifacts Z3 depends on 7 | artifact_dependency_z3=("sanitizer") -------------------------------------------------------------------------------- /scripts/genTempFiles.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # ===-- genTempFiles.sh ---------------------------------------------------===## 4 | # 5 | # The KLEE Symbolic Virtual Machine 6 | # 7 | # This file is distributed under the University of Illinois Open Source 8 | # License. See LICENSE.TXT for details. 9 | # 10 | # ===----------------------------------------------------------------------===## 11 | 12 | if [ -z "$1" ] ; then 13 | echo "No directory given" 14 | exit 1 15 | fi 16 | 17 | mkdir -p $1 18 | for i in `seq 1 100`; do 19 | mkdir -p $1/dir_foo_$i 20 | touch $1/tmp_foo_$i 21 | done 22 | -------------------------------------------------------------------------------- /scripts/replay.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # ===-- replay.sh --------------------------------------------------------===## 4 | # 5 | # The KLEE Symbolic Virtual Machine 6 | # 7 | # This file is distributed under the University of Illinois Open Source 8 | # License. See LICENSE.TXT for details. 9 | # 10 | # ===----------------------------------------------------------------------===## 11 | 12 | timeout_name="" 13 | if [[ "$OSTYPE" == "linux-gnu"* ]]; then 14 | timeout_name="timeout" 15 | else 16 | timeout_name="gtimeout" 17 | fi 18 | find $1 -name "*.ktest" -type f -exec bash -c 'KLEE_RUN_TEST_ERRORS_NON_FATAL=STOP KTEST_FILE=$1 $3 1 $2' bash {} $2 $timeout_name \; 19 | exit 0 20 | -------------------------------------------------------------------------------- /test/.clang-format: -------------------------------------------------------------------------------- 1 | BasedOnStyle: LLVM 2 | ColumnLimit: 0 3 | -------------------------------------------------------------------------------- /test/CXX/LandingPad.cpp: -------------------------------------------------------------------------------- 1 | // REQUIRES: lt-llvm-15.0 2 | // Different LLVM IR syntax with opaque ptr - it's a nullptr directly, no constant 3 | // RUN: %clangxx %s -emit-llvm -c -o %t1.bc 4 | // RUN: rm -rf %t.klee-out 5 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 2>&1 | FileCheck %s 6 | 7 | // CHECK: Using zero size array fix for landingpad instruction filter 8 | 9 | // Check that the zero size array in the landing pad filter does not crash KLEE 10 | int p() throw() { throw 'a'; } 11 | int main(int argc, char **) { 12 | if (argc < 3) { 13 | return 0; 14 | } 15 | 16 | try { 17 | return p(); 18 | } catch (...) { 19 | return 1; 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /test/CXX/New.cpp: -------------------------------------------------------------------------------- 1 | // RUN: %clangxx %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --write-no-tests --exit-on-error --external-calls=none %t1.bc 4 | 5 | #include 6 | 7 | class Test { 8 | int x; 9 | 10 | public: 11 | Test(int _x) : x(_x) { 12 | } 13 | ~Test() { 14 | } 15 | 16 | int getX() { return x; } 17 | }; 18 | 19 | // This doesn't do what I want because 20 | // it is being changed to alloca, but 21 | // it is also failing. 22 | int main(int argc) { 23 | Test *rt = new Test(2); 24 | 25 | assert(rt->getX() == 2); 26 | 27 | delete rt; 28 | 29 | return 0; 30 | } 31 | -------------------------------------------------------------------------------- /test/CXX/StaticConstructor.cpp: -------------------------------------------------------------------------------- 1 | // RUN: %clangxx %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --libc=klee --write-no-tests --exit-on-error %t1.bc 4 | 5 | #include 6 | 7 | // to make sure globals are initialized 8 | int aGlobal = 21; 9 | 10 | class Test { 11 | int x; 12 | 13 | public: 14 | Test() : x(aGlobal + 1) {} 15 | ~Test() {} 16 | 17 | int getX() { return x; } 18 | }; 19 | 20 | Test t; 21 | 22 | int main() { 23 | assert(t.getX() == 22); 24 | 25 | return 0; 26 | } 27 | -------------------------------------------------------------------------------- /test/CXX/StaticDestructor.cpp: -------------------------------------------------------------------------------- 1 | // XFAIL: darwin 2 | 3 | // RUN: %clangxx %s -emit-llvm -g %O0opt -c -o %t1.bc 4 | // RUN: rm -rf %t.klee-out 5 | // RUN: %klee --output-dir=%t.klee-out --libc=klee %t1.bc 2> %t1.log 6 | // RUN: FileCheck --input-file %t1.log %s 7 | 8 | #include 9 | 10 | class Test { 11 | int x; 12 | 13 | public: 14 | Test() : x(13) {} 15 | ~Test() { 16 | // CHECK: :[[@LINE+1]]: divide by zero 17 | x = x / (x - 13); 18 | } 19 | }; 20 | 21 | Test t; 22 | 23 | int main(int argc, char **argv) { return 0; } 24 | -------------------------------------------------------------------------------- /test/CXX/Trivial.cpp: -------------------------------------------------------------------------------- 1 | // RUN: %clangxx %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --write-no-tests --exit-on-error %t1.bc 4 | 5 | #include 6 | 7 | class Test { 8 | int x; 9 | 10 | public: 11 | Test(int _x) : x(_x) {} 12 | ~Test() {} 13 | 14 | int getX() { return x; } 15 | }; 16 | 17 | int main() { 18 | Test rt(2); 19 | 20 | assert(rt.getX() == 2); 21 | 22 | return 0; 23 | } 24 | -------------------------------------------------------------------------------- /test/CXX/symex/basic_c++/lambda.cpp: -------------------------------------------------------------------------------- 1 | // REQUIRES: uclibc 2 | // RUN: %clangxx %s -emit-llvm %O0opt -c -std=c++11 -o %t.bc 3 | // RUN: rm -rf %t.klee-out 4 | // RUN: %klee --output-dir=%t.klee-out --libc=uclibc %t.bc 2>&1 | FileCheck %s 5 | 6 | #include 7 | 8 | int main(int argc, char **args) { 9 | int x = 0; 10 | auto y = [&](int h) { return x + h; }; 11 | auto z = [=](int h) { return x + h; }; 12 | x = 1; 13 | 14 | printf("y(0) == %d\n", y(0)); 15 | // CHECK: y(0) == 1 16 | printf("z(0) == %d\n", z(0)); 17 | // CHECK: z(0) == 0 18 | 19 | return 0; 20 | } 21 | -------------------------------------------------------------------------------- /test/CXX/symex/basic_c++/namespace.cpp: -------------------------------------------------------------------------------- 1 | // REQUIRES: uclibc 2 | // RUN: %clangxx %s -emit-llvm %O0opt -c -o %t.bc 3 | // RUN: rm -rf %t.klee-out 4 | // RUN: %klee --output-dir=%t.klee-out --libc=uclibc %t.bc 2>&1 | FileCheck %s 5 | 6 | #include 7 | 8 | namespace test { 9 | int a() { 10 | return 2; 11 | } 12 | } // namespace test 13 | 14 | int main(int argc, char **args) { 15 | printf("test::a() == %d\n", test::a()); 16 | // CHECK: test::a() == 2 17 | return 0; 18 | } 19 | -------------------------------------------------------------------------------- /test/CXX/symex/basic_c++/simple.cpp: -------------------------------------------------------------------------------- 1 | // REQUIRES: uclibc 2 | // RUN: %clangxx %s -emit-llvm %O0opt -c -o %t.bc 3 | // RUN: rm -rf %t.klee-out 4 | // RUN: %klee --output-dir=%t.klee-out --libc=uclibc %t.bc 2>&1 | FileCheck %s 5 | 6 | // CHECK: KLEE: done: completed paths = 5 7 | 8 | #include "klee/klee.h" 9 | 10 | class Test { 11 | int x; 12 | 13 | public: 14 | Test(int _x) : x(_x) {} 15 | 16 | int test() { 17 | if (x % 2 == 0) 18 | return 0; 19 | if (x % 3 == 0) 20 | return 1; 21 | if (x % 5 == 0) 22 | return 2; 23 | if (x % 7 == 0) 24 | return 3; 25 | return 4; 26 | } 27 | }; 28 | 29 | int main(int argc, char **args) { 30 | Test a(klee_int("Test")); 31 | 32 | return a.test(); 33 | } 34 | -------------------------------------------------------------------------------- /test/CXX/symex/basic_c++/templates.cpp: -------------------------------------------------------------------------------- 1 | // REQUIRES: uclibc 2 | // RUN: %clangxx %s -emit-llvm %O0opt -c -o %t.bc 3 | // RUN: rm -rf %t.klee-out 4 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error --libc=uclibc %t.bc 2>&1 5 | 6 | #include 7 | 8 | template 9 | X multiply(X a, Y b) { 10 | return a * b; 11 | } 12 | 13 | template 14 | int add(int summand) { 15 | return A + summand; 16 | } 17 | 18 | int main(int argc, char **args) { 19 | assert(add<7>(3) == 10); 20 | 21 | assert(multiply(7, 3) == 21); 22 | 23 | // Check if the float arguments are handled correctly 24 | assert(multiply(7.1f, 3) > 21); 25 | assert(multiply(3, 7.1f) == 21); 26 | 27 | return 0; 28 | } 29 | -------------------------------------------------------------------------------- /test/CXX/symex/libc++/cout.cpp: -------------------------------------------------------------------------------- 1 | // REQUIRES: not-msan 2 | // Disabling msan because it times out on CI 3 | // REQUIRES: libcxx 4 | // REQUIRES: uclibc 5 | // RUN: %clangxx %s -emit-llvm %O0opt -c -std=c++11 %libcxx_includes -g -nostdinc++ -o %t1.bc 6 | // RUN: rm -rf %t.klee-out 7 | // RUN: %klee --output-dir=%t.klee-out --libc=uclibc --libcxx %t1.bc 2>&1 | FileCheck %s 8 | 9 | // CHECK-DAG: cout 10 | // CHECK-DAG: cerr 11 | 12 | #include 13 | 14 | int main(int argc, char **args) { 15 | std::cout << "cout" << std::endl; 16 | std::cerr << "cerr" << std::endl; 17 | return 0; 18 | } 19 | -------------------------------------------------------------------------------- /test/CXX/symex/libc++/cout_sym.cpp: -------------------------------------------------------------------------------- 1 | // REQUIRES: not-msan 2 | // Disabling msan because it times out on CI 3 | // REQUIRES: libcxx 4 | // REQUIRES: uclibc 5 | // RUN: %clangxx %s -emit-llvm %O0opt -c -std=c++11 %libcxx_includes -g -nostdinc++ -o %t1.bc 6 | // RUN: rm -rf %t.klee-out 7 | // RUN: %klee --output-dir=%t.klee-out --libc=uclibc --libcxx %t1.bc 2>&1 | FileCheck %s 8 | 9 | #include "klee/klee.h" 10 | #include 11 | 12 | int main(int argc, char **args) { 13 | int x = klee_int("x"); 14 | if (x > 0) { 15 | std::cout << "greater: " << x << std::endl; 16 | // CHECK-DAG: greater 17 | } else { 18 | std::cout << "lower: " << x << std::endl; 19 | // CHECK-DAG: lower 20 | } 21 | return 0; 22 | } 23 | -------------------------------------------------------------------------------- /test/CXX/symex/libc++/simple_exception.cpp: -------------------------------------------------------------------------------- 1 | // REQUIRES: not-msan 2 | // Disabling msan because it times out on CI 3 | // REQUIRES: libcxx 4 | // REQUIRES: eh-cxx 5 | // RUN: %clangxx %s -emit-llvm %O0opt -c -std=c++11 %libcxx_includes -g -nostdinc++ -o %t1.bc 6 | // RUN: rm -rf %t.klee-out 7 | // RUN: %klee --output-dir=%t.klee-out --libc=uclibc --libcxx %t1.bc 2>&1 | FileCheck %s 8 | 9 | #include "klee/klee.h" 10 | 11 | #include 12 | #include 13 | 14 | int main(int argc, char **args) { 15 | try { 16 | throw std::runtime_error("foo"); 17 | } catch (const std::runtime_error &ex) { 18 | std::puts(ex.what()); 19 | // CHECK: foo 20 | } 21 | } 22 | 23 | // CHECK: KLEE: done: completed paths = 1 24 | -------------------------------------------------------------------------------- /test/CXX/symex/libc++/simple_exception_fail.cpp: -------------------------------------------------------------------------------- 1 | // REQUIRES: not-msan 2 | // Disabling msan because it times out on CI 3 | // REQUIRES: libcxx 4 | // REQUIRES: eh-cxx 5 | // RUN: %clangxx %s -emit-llvm %O0opt -c -std=c++11 %libcxx_includes -g -nostdinc++ -o %t1.bc 6 | // RUN: rm -rf %t.klee-out 7 | // RUN: %klee --output-dir=%t.klee-out --libc=uclibc --libcxx %t1.bc 2>&1 | FileCheck %s 8 | 9 | #include 10 | 11 | int main(int argc, char **args) { 12 | throw std::runtime_error("foo"); 13 | } 14 | // CHECK: terminating {{.*}} uncaught exception of type std::runtime_error: foo -------------------------------------------------------------------------------- /test/CXX/symex/libc++/uncaught_exception.cpp: -------------------------------------------------------------------------------- 1 | // REQUIRES: not-msan 2 | // Disabling msan because it times out on CI 3 | // REQUIRES: libcxx 4 | // REQUIRES: eh-cxx 5 | // RUN: %clangxx %s -emit-llvm %O0opt -c -std=c++11 %libcxx_includes -g -nostdinc++ -o %t1.bc 6 | // RUN: rm -rf %t.klee-out 7 | // RUN: %klee --output-dir=%t.klee-out --libc=uclibc --libcxx %t1.bc 2>&1 | FileCheck %s 8 | 9 | int main() { 10 | throw 7; 11 | } 12 | 13 | // CHECK: KLEE: ERROR: 14 | // CHECK: KLEE: done: completed paths = 0 15 | // CHECK: KLEE: done: partially completed paths = 1 16 | -------------------------------------------------------------------------------- /test/CXX/symex/libc++/vector.cpp: -------------------------------------------------------------------------------- 1 | // REQUIRES: not-msan 2 | // Disabling msan because it times out on CI 3 | // REQUIRES: libcxx 4 | // REQUIRES: uclibc 5 | // RUN: %clangxx %s -emit-llvm %O0opt -c -std=c++11 %libcxx_includes -g -nostdinc++ -o %t1.bc 6 | // RUN: rm -rf %t.klee-out 7 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error --libc=uclibc --libcxx %t1.bc 2>&1 | FileCheck %s 8 | 9 | #include "klee/klee.h" 10 | #include 11 | 12 | int main(int argc, char **args) { 13 | std::vector a; 14 | a.push_back(klee_int("Test")); 15 | return a.at(0); 16 | } 17 | // CHECK: KLEE: done: completed paths = 1 18 | -------------------------------------------------------------------------------- /test/Concrete/BitwiseOps.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | declare void @print_i32(i32) 4 | 5 | define i32 @main() { 6 | %a = or i32 12345678, 87654321 7 | %b = and i32 %a, 87654321 8 | %check = xor i32 %b, 87654321 9 | %test = icmp eq i32 %check, 0 10 | br i1 %test, label %exitTrue, label %exitFalse 11 | exitTrue: 12 | call void @print_i32(i32 1) 13 | ret i32 0 14 | exitFalse: 15 | call void @print_i32(i32 0) 16 | ret i32 0 17 | } 18 | -------------------------------------------------------------------------------- /test/Concrete/BoolReadWrite.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | declare void @print_i1(i1) 4 | 5 | define i32 @main() { 6 | %mem = alloca i1 7 | store i1 1, i1* %mem 8 | %v = load i1, i1* %mem 9 | br i1 %v, label %ok, label %exit 10 | ok: 11 | call void @print_i1(i1 %v) 12 | br label %exit 13 | exit: 14 | ret i32 0 15 | } 16 | -------------------------------------------------------------------------------- /test/Concrete/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | 10 | set(OZERO_OPT "-O0 -Xclang -disable-O0-optnone") 11 | if ("${LLVM_VERSION_MAJOR}" EQUAL 15) 12 | set(LLVM_AS_FLAGS "-opaque-pointers") 13 | set(LLVM_LINK_FLAGS "-opaque-pointers") 14 | endif () 15 | configure_file(Makefile.cmake.test.in Makefile.cmake.test @ONLY) 16 | -------------------------------------------------------------------------------- /test/Concrete/CmpEq.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | declare void @print_i32(i32) 4 | 5 | define i32 @main() { 6 | %a = add i8 0, 1 7 | %b = add i8 %a, -1 8 | %c = icmp eq i8 %b, 0 9 | br i1 %c, label %exitTrue, label %exitFalse 10 | exitTrue: 11 | call void @print_i32(i32 1) 12 | ret i32 0 13 | exitFalse: 14 | call void @print_i32(i32 0) 15 | ret i32 0 16 | } 17 | -------------------------------------------------------------------------------- /test/Concrete/GlobalUndef.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | %struct.anon = type { i8, [3 x i8] } 4 | 5 | @z = global %struct.anon { i8 1, [3 x i8] undef }, align 4 6 | 7 | define i32 @main() nounwind { 8 | entry: 9 | %retval = alloca i32, align 4 10 | store i32 0, i32* %retval 11 | ret i32 0 12 | } 13 | -------------------------------------------------------------------------------- /test/Concrete/GlobalVariable.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | declare void @print_i32(i32) 4 | 5 | @anInt = global i32 1 6 | @aRef = global i32* @anInt 7 | 8 | define i32 @main() { 9 | call void @print_i32(i32 0) 10 | ret i32 0 11 | } 12 | -------------------------------------------------------------------------------- /test/Concrete/OneCall.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | declare void @print_i32(i32) 4 | 5 | define i32 @sum(i32 %a, i32 %b) { 6 | %c = sub i32 %a, %b 7 | ret i32 %c 8 | } 9 | 10 | define i32 @main() { 11 | %a = call i32 @sum(i32 54, i32 2) 12 | call void @print_i32(i32 %a) 13 | ret i32 0 14 | } 15 | -------------------------------------------------------------------------------- /test/Concrete/OverlappingPhiNodes.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | declare void @print_i32(i32) 4 | 5 | define i32 @main() { 6 | entry: 7 | br label %test 8 | test: 9 | %a = phi i32 [10, %entry], [%b, %test] 10 | %b = phi i32 [20, %entry], [%a, %test] 11 | %c = phi i32 [0, %entry], [1, %test] 12 | %d = icmp eq i32 %c, 1 13 | br i1 %d, label %exit, label %test 14 | exit: 15 | call void @print_i32(i32 %b) 16 | ret i32 0 17 | } 18 | -------------------------------------------------------------------------------- /test/Concrete/README.txt: -------------------------------------------------------------------------------- 1 | This directory contains tests which exist just to test the execution of Concrete 2 | code paths -- essentially, that we correctly implement the semantics of the LLVM 3 | IR language. The tests are run using a helper script ``ConcreteTest.py`` which 4 | builds the test bitcode, executes it using both ``lli`` and ``klee``, and checks 5 | that they got the same output. -------------------------------------------------------------------------------- /test/Concrete/Select.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | declare void @print_i32(i32) 4 | 5 | define i32 @main() { 6 | %ten = select i1 true, i32 10, i32 0 7 | %five = select i1 false, i32 0, i32 5 8 | %check = add i32 %ten, %five 9 | %test = icmp eq i32 %check, 15 10 | br i1 %test, label %exitTrue, label %exitFalse 11 | exitTrue: 12 | call void @print_i32(i32 1) 13 | ret i32 0 14 | exitFalse: 15 | call void @print_i32(i32 0) 16 | ret i32 0 17 | } 18 | -------------------------------------------------------------------------------- /test/Concrete/Shifts.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | declare void @print_i32(i32) 4 | 5 | define i32 @main() { 6 | %amt = add i8 2, 5 7 | %a = shl i8 1, 5 8 | %b = lshr i8 %a, 5 9 | %c = shl i8 %b, %amt 10 | %d = lshr i8 %c, %amt 11 | %e = shl i8 %d, 7 12 | %f = ashr i8 %e, 7 13 | %g = shl i8 %f, %amt 14 | %h = ashr i8 %g, %amt 15 | %test = icmp eq i8 %h, -1 16 | br i1 %test, label %exitTrue, label %exitFalse 17 | exitTrue: 18 | call void @print_i32(i32 1) 19 | ret i32 0 20 | exitFalse: 21 | call void @print_i32(i32 0) 22 | ret i32 0 23 | } 24 | -------------------------------------------------------------------------------- /test/Concrete/SimpleStoreAndLoad.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | declare void @print_i32(i32) 4 | 5 | define i32 @main() { 6 | entry: 7 | %a = alloca i32, i32 4 8 | %tmp1 = getelementptr i32, i32* %a, i32 0 9 | store i32 0, i32* %tmp1 10 | %tmp2 = load i32, i32* %tmp1 11 | %tmp3 = icmp eq i32 %tmp2, 0 12 | br i1 %tmp3, label %exitTrue, label %exitFalse 13 | exitTrue: 14 | call void @print_i32(i32 1) 15 | ret i32 0 16 | exitFalse: 17 | call void @print_i32(i32 0) 18 | ret i32 0 19 | } 20 | -------------------------------------------------------------------------------- /test/Concrete/UnconditionalBranch.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | declare void @print_i32(i32) 4 | 5 | define i32 @main() { 6 | entry: 7 | %a = add i32 0, 1 8 | br label %exit 9 | exit: 10 | call void @print_i32(i32 %a) 11 | ret i32 0 12 | } 13 | -------------------------------------------------------------------------------- /test/Concrete/UnconditionalBranchWithSimplePhi.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | declare void @print_i32(i32) 4 | 5 | define i32 @main() { 6 | entry: 7 | %a = add i32 0, 1 8 | br label %exit 9 | unused: 10 | %b = add i32 1, 2 11 | br label %exit 12 | exit: 13 | %c = phi i32 [%a, %entry], [%b, %unused] 14 | call void @print_i32(i32 %c) 15 | ret i32 0 16 | } 17 | -------------------------------------------------------------------------------- /test/Concrete/UnorderedPhiNodes.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | declare void @print_i32(i32) 4 | 5 | define i32 @main() { 6 | entry: 7 | br label %test 8 | test: 9 | %a = phi i32 [10, %entry], [%b, %test] 10 | %b = phi i32 [%a, %test], [20, %entry] 11 | %c = phi i32 [0, %entry], [1, %test] 12 | %d = icmp eq i32 %c, 1 13 | br i1 %d, label %exit, label %test 14 | exit: 15 | call void @print_i32(i32 %b) 16 | ret i32 0 17 | } 18 | -------------------------------------------------------------------------------- /test/Concrete/ackermann.c: -------------------------------------------------------------------------------- 1 | // RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | #include 4 | 5 | int ackermann(int m, int n) { 6 | if (m == 0) 7 | return n + 1; 8 | else 9 | return ackermann(m - 1, (n == 0) ? 1 : ackermann(m, n - 1)); 10 | } 11 | 12 | int main() { 13 | printf("ackerman(%d, %d) = %d\n", 2, 2, ackermann(2, 2)); 14 | 15 | return 0; 16 | } 17 | -------------------------------------------------------------------------------- /test/Coverage/ReadArgs.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: echo " --output-dir=%t.klee-out " > %t1.args 4 | // RUN: %klee @%t1.args %t1.bc 5 | // RUN: test -d %t.klee-out 6 | 7 | int main() { 8 | return 0; 9 | } 10 | -------------------------------------------------------------------------------- /test/Coverage/ReplayOutDir.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t1.out %t1.replay 3 | // RUN: %klee --output-dir=%t1.out %t1.bc 4 | // RUN: %klee --output-dir=%t1.replay --replay-ktest-dir=%t1.out %t1.bc 5 | 6 | #include "klee/klee.h" 7 | 8 | int main() { 9 | int i; 10 | klee_make_symbolic(&i, sizeof i, "i"); 11 | klee_print_range("i", i); 12 | return 0; 13 | } 14 | -------------------------------------------------------------------------------- /test/Expr/Evaluate2.kquery: -------------------------------------------------------------------------------- 1 | # RUN: %kleaver -evaluate %s > %t.log 2 | 3 | # RUN: grep "Query 0: VALID" %t.log 4 | # XFAIL: * 5 | # see https://github.com/klee/klee/issues/97 6 | (query [false] false) 7 | -------------------------------------------------------------------------------- /test/Expr/Parser/Concat64.kquery: -------------------------------------------------------------------------------- 1 | # RUN: %kleaver --print-ast %s 2 | 3 | makeSymbolic%arr1 : (array (w64 8) (makeSymbolic arr1 0)) 4 | 5 | (query [(Eq 0 6 | (Concat w64 (Read w8 7 makeSymbolic%arr1) 7 | (Concat w56 (Read w8 6 makeSymbolic%arr1) 8 | (Concat w48 (Read w8 5 makeSymbolic%arr1) 9 | (Concat w40 (Read w8 4 makeSymbolic%arr1) 10 | (Concat w32 (Read w8 3 makeSymbolic%arr1) 11 | (Concat w24 (Read w8 2 makeSymbolic%arr1) 12 | (Concat w16 (Read w8 1 makeSymbolic%arr1) (Read w8 0 makeSymbolic%arr1)))))))))] 13 | false) 14 | -------------------------------------------------------------------------------- /test/Expr/Parser/TypeChecking.kquery: -------------------------------------------------------------------------------- 1 | # RUN: not %kleaver %s 2> %t.log 2 | 3 | 4 | 5 | # RUN: grep "TypeChecking.kquery:7:9: error: type widths do not match in binary expression" %t.log 6 | arr1 : (array (w64 8) (makeSymbolic arr1 0)) 7 | (query [(Eq (ReadLSB w32 0 arr1) true)] 8 | false) 9 | 10 | # RUN: grep "TypeChecking.kquery:14:25: error: invalid write index (doesn't match array domain)" %t.log 11 | # RUN: grep "TypeChecking.kquery:14:35: error: invalid write value (doesn't match array range)" %t.log 12 | # FIXME: Add array declarations 13 | arr2 : (array (w64 8) (makeSymbolic arr2 0)) 14 | (query [(Eq (Read w8 0 [ (w17 0) = (w9 0) ] @ arr2) 0)] false) 15 | 16 | # RUN: grep "TypeChecking.kquery: parse failure: 3 errors." %t.log 17 | -------------------------------------------------------------------------------- /test/Feature/Annotation/BrokenAnnotation.json: -------------------------------------------------------------------------------- 1 | { 2 | "maybeDeref1": { 3 | "name": "maybeDeref1", 4 | "annotation": [ 5 | [], 6 | [ 7 | "Deref" 8 | ], 9 | "properties": [] 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /test/Feature/Annotation/EmptyAnnotation.json: -------------------------------------------------------------------------------- 1 | {} 2 | -------------------------------------------------------------------------------- /test/Feature/Annotation/Free.json: -------------------------------------------------------------------------------- 1 | { 2 | "maybeFree1": { 3 | "name": "maybeFree1", 4 | "annotation": [ 5 | [], 6 | [ 7 | "FreeSink::1" 8 | ] 9 | ], 10 | "properties": [] 11 | }, 12 | "maybeFree2": { 13 | "name": "maybeFree2", 14 | "annotation": [ 15 | [], 16 | [ 17 | "FreeSink:*:1" 18 | ] 19 | ], 20 | "properties": [] 21 | }, 22 | "maybeAllocSource1": { 23 | "name": "maybeAllocSource1", 24 | "annotation": [ 25 | [ 26 | "AllocSource::1" 27 | ] 28 | ], 29 | "properties": [] 30 | } 31 | } 32 | -------------------------------------------------------------------------------- /test/Feature/Annotation/General.json: -------------------------------------------------------------------------------- 1 | { 2 | "ptrArg": { 3 | "name": "ptrArg", 4 | "annotation": [ 5 | [], 6 | [], 7 | [ 8 | "InitNull:*", 9 | "AllocSource:*:1" 10 | ] 11 | ], 12 | "properties": [] 13 | }, 14 | "ptrRet": { 15 | "name": "ptrRet", 16 | "annotation": [ 17 | [ 18 | "MaybeInitNull", 19 | "AllocSource::1" 20 | ] 21 | ], 22 | "properties": [] 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /test/Feature/Annotation/InitNullEmpty.json: -------------------------------------------------------------------------------- 1 | { 2 | "maybeInitNull1": { 3 | "name": "maybeInitNull1", 4 | "annotation": [ 5 | [], 6 | [] 7 | ], 8 | "properties": [] 9 | }, 10 | "maybeInitNull2": { 11 | "name": "maybeInitNull2", 12 | "annotation": [ 13 | [], 14 | [] 15 | ], 16 | "properties": [] 17 | }, 18 | "maybeInitNull3": { 19 | "name": "maybeInitNull3", 20 | "annotation": [ 21 | [] 22 | ], 23 | "properties": [] 24 | }, 25 | "maybeInitNull4": { 26 | "name": "maybeInitNull4", 27 | "annotation": [ 28 | [] 29 | ], 30 | "properties": [] 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /test/Feature/BFSSearcher.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --max-instructions=500 --search=bfs %t1.bc 2>%t2.log 4 | // RUN: FileCheck -input-file=%t2.log %s 5 | #include "assert.h" 6 | #include "klee/klee.h" 7 | 8 | int nd() { 9 | int r; 10 | klee_make_symbolic(&r, sizeof(r), "r"); 11 | return r; 12 | } 13 | 14 | int main() { 15 | int x = 1; 16 | while (nd() != 0) { 17 | x *= 2; 18 | } 19 | // CHECK: ASSERTION FAIL 20 | klee_assert(0); 21 | return x; 22 | } 23 | -------------------------------------------------------------------------------- /test/Feature/ByteSwap.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --libc=klee --exit-on-error %t1.bc 4 | #include "klee/klee.h" 5 | #include 6 | #include 7 | 8 | int main() { 9 | 10 | uint32_t n = 0; 11 | klee_make_symbolic(&n, sizeof(n), "n"); 12 | 13 | uint32_t h = ntohl(n); 14 | assert(htonl(h) == n); 15 | 16 | return 0; 17 | } 18 | -------------------------------------------------------------------------------- /test/Feature/CallToUndefinedExternal.cpp: -------------------------------------------------------------------------------- 1 | // RUN: %clangxx %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 2>&1 | FileCheck %s 4 | // RUN: test -f %t.klee-out/test000001.external.err 5 | 6 | extern "C" void poof(void); 7 | 8 | int main() { 9 | // CHECK: failed external call: poof 10 | poof(); 11 | 12 | return 0; 13 | } 14 | -------------------------------------------------------------------------------- /test/Feature/CheckForImpliedValue.c.failing: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -f %t1.log 3 | // RUN: rm -rf %t.klee-out 4 | // RUN: %klee --output-dir=%t.klee-out --log-file %t1.log --debug-check-for-implied-values %t1.bc 5 | // RUN: grep "= 0 (ok)" %t1.log 6 | // RUN: grep "= 2 (missed)" %t1.log 7 | 8 | #define swap(x) (((x)>>16) | (((x)&0xFFFF)<<16)) 9 | int main() { 10 | unsigned x, y; 11 | 12 | klee_make_symbolic(&x, sizeof x, "x"); 13 | klee_make_symbolic(&y, sizeof y, "y"); 14 | 15 | if (!x) { // should give x = 0 hit by ivc 16 | printf("ok\n"); 17 | } else { 18 | if (swap(y) == 0x00020000) { // should give y = 2 missed by ivc 19 | printf("ok\n"); 20 | } 21 | } 22 | 23 | return 0; 24 | } 25 | -------------------------------------------------------------------------------- /test/Feature/CheckMemoryAccess.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang -emit-llvm -g -c %s -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t.bc > %t.log 4 | // RUN: grep -q "good" %t.log 5 | // RUN: not grep -q "bad" %t.log 6 | #include "klee/klee.h" 7 | #include 8 | #include 9 | #include 10 | 11 | int main() { 12 | char buf[4]; 13 | 14 | klee_check_memory_access(&buf, 1); 15 | printf("good\n"); 16 | if (klee_range(0, 2, "range1")) { 17 | klee_check_memory_access(0, 1); 18 | printf("null pointer deref: bad\n"); 19 | } 20 | 21 | if (klee_range(0, 2, "range2")) { 22 | klee_check_memory_access(buf, 5); 23 | printf("oversize access: bad\n"); 24 | } 25 | 26 | return 0; 27 | } 28 | -------------------------------------------------------------------------------- /test/Feature/CopyOnWrite.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --search=random-state --exit-on-error %t1.bc 4 | #include "klee/klee.h" 5 | #include 6 | 7 | #define N 5 8 | 9 | unsigned branches = 0; 10 | 11 | void explode(int *ap, int i, int *result) { 12 | if (i < N) { 13 | (*result)++; 14 | if (ap[i]) // just cause a fork 15 | branches++; 16 | return explode(ap, i + 1, result); 17 | } 18 | } 19 | 20 | int main() { 21 | int result = 0; 22 | int a[N]; 23 | klee_make_symbolic(a, sizeof a, "a"); 24 | explode(a, 0, &result); 25 | assert(result == N); 26 | return 0; 27 | } 28 | -------------------------------------------------------------------------------- /test/Feature/CoverageCheck.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --use-guided-search=none --use-cov-check=instruction-based --output-dir=%t.klee-out %t.bc > %t.log 4 | #include "klee/klee.h" 5 | #include 6 | 7 | #define a (2) 8 | int main() { 9 | int i, n = 0, sn = 0; 10 | klee_make_symbolic(&n, sizeof(n), "n"); 11 | klee_assume(n > 0); 12 | for (i = 1; i <= n; i++) { 13 | sn = sn + a; 14 | } 15 | assert(sn >= 0); 16 | } 17 | -------------------------------------------------------------------------------- /test/Feature/DanglingConcreteReadExpr.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --optimize=false --output-dir=%t.klee-out %t1.bc 4 | // RUN: grep "total queries = 1" %t.klee-out/info 5 | 6 | #include "klee/klee.h" 7 | #include 8 | 9 | int main() { 10 | unsigned char x, y; 11 | 12 | klee_make_symbolic(&x, sizeof x, "x"); 13 | 14 | y = x; 15 | 16 | // should be exactly one query (prove x is 10) 17 | // eventually should be 0 when we have fast solver 18 | if (x == 10) { 19 | assert(y == 10); 20 | } 21 | 22 | klee_silent_exit(0); 23 | return 0; 24 | } 25 | -------------------------------------------------------------------------------- /test/Feature/DefineFixedObject.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang -emit-llvm -c -o %t1.bc %s 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc 4 | 5 | #include "klee/klee.h" 6 | #include 7 | 8 | #define ADDRESS ((int *)0x0080) 9 | 10 | int main() { 11 | int *p = klee_define_fixed_object(ADDRESS, 4); 12 | *p = 10; 13 | printf("*p: %d\n", *p); 14 | 15 | return 0; 16 | } 17 | -------------------------------------------------------------------------------- /test/Feature/DoubleFree.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 2>&1 | FileCheck %s 4 | // RUN: test -f %t.klee-out/test000001.ptr.err 5 | 6 | #include 7 | 8 | int main() { 9 | int *x = malloc(sizeof(*x)); 10 | free(x); 11 | // CHECK: memory error: invalid pointer: free 12 | free(x); 13 | return 0; 14 | } 15 | -------------------------------------------------------------------------------- /test/Feature/DumpStatesOnHalt.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -g -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --max-instructions=1 --dump-states-on-halt=all %t1.bc 2>&1 | FileCheck %s 4 | // RUN: test -f %t.klee-out/test000001.ktest 5 | 6 | int main(int argc, char **argv) { 7 | int x = 1; 8 | if (argc == 1) 9 | x = 0; 10 | return x; 11 | } 12 | // CHECK: halting execution, dumping remaining states 13 | -------------------------------------------------------------------------------- /test/Feature/Envp.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc 4 | #include 5 | #include 6 | #include 7 | 8 | int main(int argc, char **argv, char **envp) { 9 | unsigned i; 10 | assert(argv[argc] == 0); 11 | printf("argc: %d, argv: %p, envp: %p\n", argc, argv, envp); 12 | printf("--environ--\n"); 13 | int haspwd = 0; 14 | for (i = 0; envp[i]; i++) { 15 | printf("%d: %s\n", i, envp[i]); 16 | haspwd |= strncmp(envp[i], "PWD=", 4) == 0; 17 | } 18 | assert(haspwd); 19 | return 0; 20 | } 21 | -------------------------------------------------------------------------------- /test/Feature/ExitOnErrorType.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -g -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out -exit-on-error-type Assert %t1.bc 2>&1 4 | 5 | #include "klee/klee.h" 6 | 7 | #include 8 | 9 | int main() { 10 | assert(klee_int("assert")); 11 | 12 | while (1) { 13 | } 14 | 15 | return 0; 16 | } 17 | -------------------------------------------------------------------------------- /test/Feature/ExtCall.c: -------------------------------------------------------------------------------- 1 | // This test checks that symbolic arguments to a function call are correctly concretized 2 | // RUN: %clang %s -emit-llvm %O0opt -g -c -o %t.bc 3 | 4 | // RUN: rm -rf %t.klee-out 5 | // RUN: %klee --output-dir=%t.klee-out --external-calls=all --exit-on-error %t.bc 2>&1 | FileCheck %s 6 | 7 | #include "klee/klee.h" 8 | 9 | #include 10 | #include 11 | #include 12 | 13 | int main() { 14 | int x; 15 | klee_make_symbolic(&x, sizeof(x), "x"); 16 | klee_assume(x >= 0); 17 | 18 | int y = abs(x); 19 | printf("y = %d\n", y); 20 | // CHECK: calling external: abs((ReadLSB w32 0 (array (w64 4) (makeSymbolic x 0)))) 21 | 22 | assert(x == y); 23 | } 24 | -------------------------------------------------------------------------------- /test/Feature/ExternalWeakLinkage.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc 4 | 5 | #include 6 | 7 | void __attribute__((weak)) IAmSoWeak(int); 8 | 9 | int main() { 10 | assert(IAmSoWeak == 0); 11 | return 0; 12 | } 13 | -------------------------------------------------------------------------------- /test/Feature/FNeg.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %llvmas %s -o %t.bc 2 | ; RUN: rm -rf %t.klee-out 3 | ; RUN: %klee -exit-on-error -output-dir=%t.klee-out -optimize=false %t.bc 4 | 5 | define i32 @main() { 6 | %1 = fneg double 2.000000e-01 7 | %2 = fcmp oeq double %1, -2.000000e-01 8 | br i1 %2, label %success, label %fail 9 | 10 | success: 11 | ret i32 0 12 | 13 | fail: 14 | call void @abort() 15 | unreachable 16 | } 17 | 18 | declare void @abort() noreturn nounwind 19 | -------------------------------------------------------------------------------- /test/Feature/Float.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang -emit-llvm -g -c %s -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t.bc > %t.log 4 | // RUN: grep "3.30* -1.10* 2.420*" %t.log 5 | 6 | #include 7 | 8 | float fadd(float a, float b) { 9 | return a + b; 10 | } 11 | 12 | float fsub(float a, float b) { 13 | return a - b; 14 | } 15 | 16 | float fmul(float a, float b) { 17 | return a * b; 18 | } 19 | 20 | int main() { 21 | printf("%f %f %f\n", fadd(1.1, 2.2), fsub(1.1, 2.2), fmul(1.1, 2.2)); 22 | return 0; 23 | } 24 | -------------------------------------------------------------------------------- /test/Feature/FloatingPt.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc 4 | 5 | #include 6 | 7 | int main() { 8 | double a1 = -1.1; 9 | double a2 = 1.2; 10 | 11 | int b1 = (int)a1; 12 | assert(b1 == -1); 13 | 14 | int b2 = (int)a2; 15 | assert(b2 == 1); 16 | 17 | a1 = (double)b1; 18 | assert(a1 == -1); 19 | 20 | a2 = (double)b2; 21 | assert(a2 == 1); 22 | 23 | return 0; 24 | } 25 | -------------------------------------------------------------------------------- /test/Feature/GetValue.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang -emit-llvm -c -o %t1.bc %s 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc 4 | #include "klee/klee.h" 5 | #include 6 | #include 7 | 8 | int main() { 9 | int x = klee_int("x"); 10 | klee_assume(x > 10); 11 | klee_assume(x < 20); 12 | 13 | assert(!klee_is_symbolic(klee_get_value_i32(x))); 14 | assert(klee_get_value_i32(x) > 10); 15 | assert(klee_get_value_i32(x) < 20); 16 | 17 | return 0; 18 | } 19 | -------------------------------------------------------------------------------- /test/Feature/IndirectCallToBuiltin.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | 5 | #include 6 | #include 7 | 8 | int main() { 9 | void *(*allocator)(size_t) = malloc; 10 | int *mem = allocator(10); 11 | 12 | printf("mem: %p\n", mem); 13 | printf("mem[0]: %d\n", mem[0]); 14 | 15 | return 0; 16 | } 17 | -------------------------------------------------------------------------------- /test/Feature/IndirectCallToExternal.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | 5 | #include 6 | #include 7 | #include 8 | #include 9 | 10 | int main() { 11 | int (*scmp)(const char *, const char *) = strcmp; 12 | 13 | assert(scmp("hello", "hi") < 0); 14 | 15 | return 0; 16 | } 17 | -------------------------------------------------------------------------------- /test/Feature/IsSymbolic.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | #include "klee/klee.h" 5 | #include 6 | 7 | int main() { 8 | int x, y, z = 0; 9 | klee_make_symbolic(&x, sizeof x, "x"); 10 | klee_make_symbolic(&y, sizeof y, "y"); 11 | if (x) { 12 | assert(klee_is_symbolic(y)); 13 | } else { 14 | assert(!klee_is_symbolic(z)); 15 | } 16 | return 0; 17 | } 18 | -------------------------------------------------------------------------------- /test/Feature/KleeStatsColumns.test: -------------------------------------------------------------------------------- 1 | // sqlite databases must be opened with write permissions, so we copy the test cases to the output dir 2 | RUN: rm -rf %t.klee-stats 3 | RUN: mkdir %t.klee-stats 4 | RUN: cp -r %S/klee-stats/missing_column %S/klee-stats/run %S/klee-stats/additional_column %t.klee-stats/ 5 | RUN %klee-stats --print-all %t.klee-stats/missing_column %t.klee-stats/run %t.klee-stats/additional_column | FileCheck %s 6 | 7 | // Path, Instrs, ..., extra_column 8 | CHECK: {{^}}| missing_column | |{{.*}}| |{{$}} 9 | CHECK: {{^}}| run | 3|{{.*}}| |{{$}} 10 | CHECK: {{^}}|additional_column| 3|{{.*}}| 4711|{{$}} 11 | -------------------------------------------------------------------------------- /test/Feature/KleeStatsEmpty.test: -------------------------------------------------------------------------------- 1 | // sqlite databases must be opened with write permissions, so we copy the test cases to the output dir 2 | RUN: rm -rf %t.klee-stats 3 | RUN: mkdir %t.klee-stats 4 | RUN: cp -r %S/klee-stats/empty %t.klee-stats/ 5 | RUN: %klee-stats %t.klee-stats/empty | FileCheck %s 6 | 7 | CHECK: {{^}}|{{ *}}Path{{ *}}|{{$}} 8 | CHECK: {{^}}|{{.*}}empty{{ *}}|{{$}} 9 | -------------------------------------------------------------------------------- /test/Feature/KleeStatsNoBr.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -g %O0opt -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t.bc 2> %t.log 4 | // RUN: %klee-stats --print-columns 'BCov(%),Branches,FullBranches,PartialBranches' --table-format=csv %t.klee-out > %t.stats 5 | // RUN: FileCheck -check-prefix=CHECK-STATS -input-file=%t.stats %s 6 | 7 | int main() { 8 | int a = 42; 9 | a -= 42; 10 | return a; 11 | } 12 | 13 | // Check that there are no branches in stats but 100% coverage 14 | // CHECK-STATS: BCov(%),Branches,FullBranches,PartialBranches 15 | // CHECK-STATS: 100.00,0,0,0 16 | -------------------------------------------------------------------------------- /test/Feature/LazyInitialization/DerefSymbolicPointer.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --write-kqueries --output-dir=%t.klee-out --skip-not-symbolic-objects %t.bc > %t.log 4 | // RUN: FileCheck %s -input-file=%t.log 5 | #include "klee/klee.h" 6 | #include 7 | 8 | int main() { 9 | int *a; 10 | klee_make_symbolic(&a, sizeof(a), "a"); 11 | int b = *a; 12 | 13 | // CHECK-DAG: Yes 14 | // CHECK-DAG: No 15 | if (b > 0) { 16 | printf("Yes\n"); 17 | } else { 18 | printf("No\n"); 19 | } 20 | return 0; 21 | } 22 | -------------------------------------------------------------------------------- /test/Feature/LazyInitialization/PointerOffset.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --skip-not-symbolic-objects --use-timestamps=false --skip-local=false %t.bc 4 | // RUN: %ktest-tool %t.klee-out/test*.ktest > %t.log 5 | // RUN: FileCheck %s -input-file=%t.log 6 | // CHECK: pointers: [(0, 1, 4)] 7 | 8 | #include "klee/klee.h" 9 | 10 | int main() { 11 | int *index; 12 | int a[2]; 13 | klee_make_symbolic(&index, sizeof(index), "index"); 14 | klee_make_symbolic(a, sizeof(a), "a"); 15 | a[0] = 0; 16 | a[1] = 0; 17 | 18 | *index = 1; 19 | 20 | if (a[1] == 1) { 21 | return 1; 22 | } else { 23 | return 0; 24 | } 25 | } 26 | -------------------------------------------------------------------------------- /test/Feature/MakeConcreteSymbolic.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --optimize=false --output-dir=%t.klee-out --exit-on-error %t1.bc 4 | // RUN: grep "done: total queries = 0" %t.klee-out/info 5 | 6 | // RUN: rm -rf %t.klee-out 7 | // RUN: %klee --optimize=false --output-dir=%t.klee-out --make-concrete-symbolic=1 --use-guided-search=none --exit-on-error %t1.bc 8 | // RUN: grep "done: total queries = 2" %t.klee-out/info 9 | 10 | #include 11 | 12 | #define N 2 13 | int main() { 14 | int i; 15 | char a; 16 | 17 | a = 10; 18 | assert(a == 10); 19 | 20 | return 0; 21 | } 22 | -------------------------------------------------------------------------------- /test/Feature/MakeSymbolicName.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --search=random-state --exit-on-error %t1.bc 4 | #include "klee/klee.h" 5 | #include 6 | 7 | int main() { 8 | int a[4] = {1, 2, 3, 4}; 9 | unsigned i; 10 | 11 | klee_make_symbolic(&i, sizeof(i), "index"); 12 | if (i > 3) 13 | klee_silent_exit(0); 14 | 15 | assert(a[i] << 1 != 5); 16 | if (a[i] << 1 == 6) 17 | assert(i == 2); 18 | } 19 | -------------------------------------------------------------------------------- /test/Feature/Memalign.c: -------------------------------------------------------------------------------- 1 | // REQUIRES: not-darwin 2 | // RUN: %clang -emit-llvm -g -c %s -o %t.bc 3 | // RUN: rm -rf %t.klee-out 4 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t.bc > %t.log 5 | #include 6 | #include 7 | int main(int argc, char *argv[]) { 8 | int *a = (int *)memalign(8, sizeof(int) * 5); 9 | for (int i = 0; i < 5; ++i) { 10 | a[i] = (i * 100) % 23; 11 | } 12 | free(a); 13 | return 0; 14 | } 15 | -------------------------------------------------------------------------------- /test/Feature/NoExternalCallsAllowed.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -g -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --external-calls=none %t1.bc 2>&1 | FileCheck %s 4 | // RUN: test %t.klee-out/test000001.user.err 5 | #include 6 | #include 7 | 8 | int main(int argc, char **argv) { 9 | // CHECK: Disallowed call to external function: abs 10 | int x = abs(argc); 11 | printf("%d\n", argc); 12 | return 0; 13 | } 14 | -------------------------------------------------------------------------------- /test/Feature/NonSizedGlobals.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc 4 | 5 | struct X; 6 | extern struct X Y; 7 | void *ptr = &Y; 8 | 9 | int main() { 10 | return 0; 11 | } 12 | -------------------------------------------------------------------------------- /test/Feature/NotCallingUnreachableBranchesInForkErrorGuided.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --use-guided-search=error --analysis-reproduce=%s.json %t1.bc 4 | // RUN: FileCheck -input-file=%t.klee-out/info %s 5 | // 3 = 2 for entrypoint multiplex + 1 for fork 6 | // CHECK: KLEE: done: total queries = 3 7 | #include "assert.h" 8 | #include "klee/klee.h" 9 | 10 | int main(int x) { 11 | if (x > 0) { 12 | return 0; 13 | } 14 | x = 42; 15 | return 0; 16 | } 17 | -------------------------------------------------------------------------------- /test/Feature/NullPointerDereferenceCheck.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -g -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --use-gep-opt %t.bc 2>&1 | FileCheck %s 4 | 5 | #include "klee/klee.h" 6 | 7 | int main() { 8 | int *ptr; 9 | klee_make_symbolic(&ptr, sizeof(ptr), "ptr"); 10 | // CHECK: NullPointerDereferenceCheck.c:[[@LINE+1]]: memory error: null pointer exception 11 | *ptr = 10; 12 | } 13 | -------------------------------------------------------------------------------- /test/Feature/OneFreeError.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -g -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 2>&1 | FileCheck %s 4 | // RUN: test -f %t.klee-out/test000001.ptr.err 5 | 6 | #include 7 | 8 | int main() { 9 | int *x = malloc(sizeof(*x)); 10 | free(x); 11 | // CHECK: OneFreeError.c:[[@LINE+1]]: memory error: out of bound pointer 12 | x[0] = 1; 13 | return 0; 14 | } 15 | -------------------------------------------------------------------------------- /test/Feature/OneOutOfBounds.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -g -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 2>&1 | FileCheck %s 4 | // RUN: test -f %t.klee-out/test000001.ptr.err 5 | #include 6 | 7 | int main() { 8 | int *x = malloc(sizeof(int)); 9 | // CHECK: OneOutOfBounds.c:[[@LINE+1]]: memory error: out of bound pointer 10 | x[1] = 1; 11 | free(x); 12 | return 0; 13 | } 14 | -------------------------------------------------------------------------------- /test/Feature/Optimize.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t2.bc 2 | // RUN: rm -f %t2.log 3 | // RUN: rm -rf %t.klee-out 4 | // RUN: %klee --output-dir=%t.klee-out --max-instructions=100 --optimize %t2.bc > %t3.log 5 | // RUN: echo "good" > %t3.good 6 | // RUN: diff %t3.log %t3.good 7 | 8 | // should complete by 100 instructions if opt is on 9 | #include 10 | 11 | int main() { 12 | int i, res = 0; 13 | 14 | for (i = 1; i <= 1000; i++) 15 | res += i; 16 | 17 | if (res == (1000 * 1001) / 2) { 18 | printf("good\n"); 19 | } else { 20 | printf("bad\n"); 21 | } 22 | 23 | return 0; 24 | } 25 | -------------------------------------------------------------------------------- /test/Feature/OverlappedError.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -g -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --use-timestamps=false %t1.bc 4 | // RUN: ls %t.klee-out/ | grep .ktest | wc -l | grep 4 5 | // RUN: ls %t.klee-out/ | grep .ptr.err | wc -l | grep 2 6 | #include "klee/klee.h" 7 | #include 8 | 9 | int main() { 10 | if (klee_range(0, 2, "range")) { 11 | char *x = malloc(8); 12 | *((int *)&x[klee_range(0, 6, "range")]) = 1; 13 | free(x); 14 | } else { 15 | char *x = malloc(8); 16 | *((int *)&x[klee_range(-1, 5, "range")]) = 1; 17 | free(x); 18 | } 19 | return 0; 20 | } 21 | -------------------------------------------------------------------------------- /test/Feature/PreferCex.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc 4 | // RUN: %ktest-tool %t.klee-out/test000001.ktest | FileCheck %s 5 | #include "klee/klee.h" 6 | 7 | int main() { 8 | char buf[4]; 9 | 10 | klee_make_symbolic(buf, sizeof buf, "buf"); 11 | // CHECK: Hi\x00\x00 12 | klee_prefer_cex(buf, buf[0] == 'H'); 13 | klee_prefer_cex(buf, buf[1] == 'i'); 14 | klee_prefer_cex(buf, buf[2] == '\0'); 15 | klee_prefer_cex(buf, buf[3] == '\0'); 16 | 17 | return 0; 18 | } 19 | -------------------------------------------------------------------------------- /test/Feature/Realloc.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error --warnings-only-to-file=false %t1.bc 2>&1 | FileCheck %s 4 | 5 | #include 6 | #include 7 | #include 8 | 9 | int main() { 10 | int *p = malloc(sizeof(int) * 2); 11 | assert(p); 12 | p[1] = 52; 13 | 14 | int *p2 = realloc(p, 1 << 30); 15 | // CHECK-NOT: ASSERTION FAIL 16 | assert(!p2 || p2[1] == 52); 17 | 18 | return 0; 19 | } 20 | -------------------------------------------------------------------------------- /test/Feature/SetForking.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang -emit-llvm -g -c %s -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t.bc > %t.log 4 | // RUN: sort %t.log | uniq -c > %t.uniq.log 5 | // RUN: grep "1 A" %t.uniq.log 6 | // RUN: grep "1 B" %t.uniq.log 7 | // RUN: grep "1 C" %t.uniq.log 8 | #include "klee/klee.h" 9 | #include 10 | 11 | int main() { 12 | klee_set_forking(0); 13 | 14 | if (klee_range(0, 2, "range")) { 15 | printf("A\n"); 16 | } else { 17 | printf("A\n"); 18 | } 19 | 20 | klee_set_forking(1); 21 | 22 | if (klee_range(0, 2, "range")) { 23 | printf("B\n"); 24 | } else { 25 | printf("C\n"); 26 | } 27 | 28 | return 0; 29 | } 30 | -------------------------------------------------------------------------------- /test/Feature/SolverTimeout.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --max-solver-time=1 %t.bc 2>&1 | FileCheck %s 4 | // 5 | // Note: This test occasionally fails when using Z3 4.4.1 6 | #include "klee/klee.h" 7 | #include 8 | 9 | int main() { 10 | long long int x, y = 102 * 75678 + 78, i = 101; 11 | 12 | klee_make_symbolic(&x, sizeof(x), "x"); 13 | 14 | // CHECK-NOT: Yes 15 | // CHECK: No 16 | if (x * x * x * x * x * x * x * x * x * x * x * x * x * x * x * x + (x * x % (x + 12)) == y * y * y * y * y * y * y * y * y * y * y * y * y * y * y * y % i) 17 | printf("Yes\n"); 18 | else 19 | printf("No\n"); 20 | 21 | return 0; 22 | } 23 | -------------------------------------------------------------------------------- /test/Feature/StackOverflow.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang -emit-llvm -g -c -o %t.bc %s 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t.bc > %t.output.log 2>&1 4 | // RUN: FileCheck -input-file=%t.output.log %s 5 | 6 | void recursive(unsigned nr) { 7 | if (nr == 0) 8 | return; 9 | recursive(nr - 1); 10 | } 11 | 12 | int main() { 13 | recursive(10000); 14 | return 0; 15 | } 16 | // CHECK: Maximum stack size reached 17 | -------------------------------------------------------------------------------- /test/Feature/SymbolicSizes/LowerOutOfBound.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -g -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --use-sym-size-alloc %t1.bc 2>&1 | FileCheck %s 4 | 5 | #include "klee/klee.h" 6 | #include 7 | #include 8 | #include 9 | 10 | int main() { 11 | int n; 12 | klee_make_symbolic(&n, sizeof(n), "n"); 13 | if (n >= 5) { 14 | char *c1 = malloc(n); 15 | char *c2 = malloc(9 - n); 16 | // CHECK: LowerOutOfBound.c:[[@LINE+1]]: memory error: out of bound pointer 17 | c2[9 - n - 1] = 20; 18 | } else { 19 | n = 0; 20 | } 21 | } 22 | 23 | // KLEE: done: completed paths = 2 24 | // KLEE: done: generated tests = 3 25 | -------------------------------------------------------------------------------- /test/Feature/SymbolicSizes/MultipleAllocations.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -g -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --check-out-of-memory --use-sym-size-alloc %t1.bc 2>&1 | FileCheck %s 4 | 5 | #include "klee/klee.h" 6 | #include 7 | 8 | int main() { 9 | int n = klee_int("n"); 10 | 11 | char *s1 = (char *)malloc(n); // 0 12 | char *s2 = (char *)malloc(n / 2); // 0, 0 13 | char *s3 = (char *)malloc(n / 3 - 2); // 6, 3, 0 14 | 15 | // CHECK-NOT: MultipleAllocations.c:[[@LINE+1]]: memory error: out of bound pointer 16 | s1[1] = 29; 17 | } 18 | -------------------------------------------------------------------------------- /test/Feature/SymbolicSizes/RecomputeModelTwoArrays.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -g -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --check-out-of-memory --use-sym-size-alloc --use-merged-pointer-dereference=true %t1.bc 2>&1 | FileCheck %s 4 | 5 | #include "klee/klee.h" 6 | #include 7 | 8 | int main() { 9 | int n = klee_int("n"); 10 | if (n >= 5) { 11 | char *c1 = malloc(n); 12 | char *c2 = malloc(9 - n); 13 | if (n > 7) { 14 | // CHECK: RecomputeModelTwoArrays.c:[[@LINE+1]]: memory error: out of bound pointer 15 | c2[0] = 111; 16 | return 1; 17 | } 18 | } 19 | } 20 | // CHECK: KLEE: done: generated tests = 5 21 | -------------------------------------------------------------------------------- /test/Feature/SymbolicSizes/SymbolicArrayOnStack.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -g -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --check-out-of-memory --use-sym-size-alloc --use-merged-pointer-dereference=true %t.bc 2>&1 | FileCheck %s 4 | 5 | #include "klee/klee.h" 6 | 7 | int main() { 8 | int x = klee_int("x"); 9 | int f[x]; 10 | // CHECK: SymbolicArrayOnStack.c:[[@LINE+2]]: memory error: out of bound pointer 11 | // CHECK-NOT: SymbolicArrayOnStack.c:[[@LINE+1]]: memory error: null pointer exception 12 | f[0] = 10; 13 | } 14 | 15 | // CHECK: KLEE: done: completed paths = 1 16 | // CHECK: KLEE: done: partially completed paths = 1 17 | // CHECK: KLEE: done: generated tests = 2 18 | -------------------------------------------------------------------------------- /test/Feature/SymbolicSizes/SymbolicSizeUnsizedGlobal.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -g -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --use-sym-size-alloc --symbolic-allocation-threshold=0 %t1.bc 2>&1 | FileCheck %s 4 | 5 | extern int GLOBAL[]; 6 | 7 | int main() { 8 | // CHECK: SymbolicSizeUnsizedGlobal.c:[[@LINE+1]]: memory error: out of bound pointer 9 | GLOBAL[1] = 0; 10 | // CHECK: SymbolicSizeUnsizedGlobal.c:[[@LINE+1]]: memory error: out of bound pointer 11 | GLOBAL[2] = 0; 12 | // CHECK-NOT: SymbolicSizeUnsizedGlobal.c:[[@LINE+1]]: memory error: out of bound pointer 13 | GLOBAL[0] = 0; 14 | } 15 | -------------------------------------------------------------------------------- /test/Feature/SymbolicSizes/UninitializedMemory.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -g -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --use-sym-size-alloc --skip-not-symbolic-objects --use-merged-pointer-dereference=true %t.bc 2>&1 | FileCheck %s 4 | #include "klee/klee.h" 5 | 6 | #include 7 | #include 8 | #include 9 | 10 | int main() { 11 | int n; 12 | klee_make_symbolic(&n, sizeof(n), "n"); 13 | 14 | char *s = (char *)malloc(n); 15 | s[2] = 10; 16 | if (s[0] == 0) { 17 | printf("1) 0\n"); 18 | } else { 19 | printf("1) not 0\n"); 20 | } 21 | 22 | // CHECK-DAG: 1) 0 23 | // CHECK-DAG: 1) not 0 24 | } 25 | -------------------------------------------------------------------------------- /test/Feature/TargetMismatch.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -m32 -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error > %t2.out 2>&1 || true 4 | // RUN: FileCheck %s -input-file=%t2.out 5 | 6 | // CHECK: KLEE: WARNING: Module and host target triples do not match 7 | // CHECK-NEXT: This may cause unexpected crashes or assertion violations. 8 | int main(void) {} 9 | -------------------------------------------------------------------------------- /test/Feature/TwoUninitializedRegions.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -g -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t.bc 2>&1 | FileCheck %s 4 | 5 | #include "klee/klee.h" 6 | 7 | #include 8 | #include 9 | #include 10 | 11 | int main() { 12 | char arr1[3]; 13 | char arr2[3]; 14 | 15 | if (arr1[0] == arr2[0]) { 16 | printf("1) equal\n"); 17 | } else { 18 | printf("1) not equal\n"); 19 | } 20 | 21 | // CHECK-DAG: 1) equal 22 | // CHECK-DAG: 1) not equal 23 | } 24 | -------------------------------------------------------------------------------- /test/Feature/UninitializedConstantMemory.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -g -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t.bc 2>&1 | FileCheck %s 4 | #include "klee/klee.h" 5 | 6 | #include 7 | #include 8 | #include 9 | 10 | int main() { 11 | char arr[3]; 12 | 13 | if (arr[0] == 0) { 14 | printf("1) 0\n"); 15 | } else { 16 | printf("1) not 0\n"); 17 | } 18 | 19 | char *zero_arr = (char *)calloc(3, sizeof(char)); 20 | if (zero_arr[1] == 0) { 21 | return 0; 22 | } else { 23 | // CHECK-NOT: ASSERTION FAIL 24 | assert(0); 25 | } 26 | 27 | // CHECK-DAG: 1) 0 28 | // CHECK-DAG: 1) not 0 29 | } 30 | -------------------------------------------------------------------------------- /test/Feature/WithLibc.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t2.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --libc=klee %t2.bc > %t3.log 4 | // RUN: echo "good" > %t3.good 5 | // RUN: diff %t3.log %t3.good 6 | 7 | #include "klee/klee.h" 8 | 9 | #include 10 | #include 11 | 12 | int main() { 13 | char buf[4]; 14 | char *s = "foo"; 15 | 16 | klee_make_symbolic(buf, sizeof buf, "buf"); 17 | buf[3] = 0; 18 | 19 | if (strcmp(buf, s) == 0) { 20 | if (buf[0] == 'f' && buf[1] == 'o' && buf[2] == 'o' && buf[3] == 0) { 21 | printf("good\n"); 22 | } else { 23 | printf("bad\n"); 24 | } 25 | } 26 | 27 | return 0; 28 | } 29 | -------------------------------------------------------------------------------- /test/Feature/klee-stats/additional_column/info: -------------------------------------------------------------------------------- 1 | klee run.bc 2 | PID: 1122888 3 | Using monotonic steady clock with 1/1000000000s resolution 4 | Started: 2020-09-25 18:44:34 5 | BEGIN searcher description 6 | containing 2 searchers: 7 | RandomPathSearcher 8 | WeightedRandomSearcher::CoveringNew 9 | 10 | END searcher description 11 | Finished: 2020-09-25 18:44:34 12 | Elapsed: 00:00:00 13 | KLEE: done: explored paths = 1 14 | KLEE: done: total queries = 0 15 | KLEE: done: valid queries = 0 16 | KLEE: done: invalid queries = 0 17 | KLEE: done: query cex = 0 18 | 19 | KLEE: done: total instructions = 3 20 | KLEE: done: completed paths = 1 21 | KLEE: done: generated tests = 1 22 | -------------------------------------------------------------------------------- /test/Feature/klee-stats/additional_column/run.stats: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UnitTestBot/klee/8098ea85f7ca8818f9043672cac6251e2d46dddd/test/Feature/klee-stats/additional_column/run.stats -------------------------------------------------------------------------------- /test/Feature/klee-stats/empty/info: -------------------------------------------------------------------------------- 1 | klee run.bc 2 | PID: 1122888 3 | Using monotonic steady clock with 1/1000000000s resolution 4 | Started: 2020-09-25 18:44:34 5 | BEGIN searcher description 6 | containing 2 searchers: 7 | RandomPathSearcher 8 | WeightedRandomSearcher::CoveringNew 9 | 10 | END searcher description 11 | Finished: 2020-09-25 18:44:34 12 | Elapsed: 00:00:00 13 | KLEE: done: explored paths = 1 14 | KLEE: done: total queries = 0 15 | KLEE: done: valid queries = 0 16 | KLEE: done: invalid queries = 0 17 | KLEE: done: query cex = 0 18 | 19 | KLEE: done: total instructions = 3 20 | KLEE: done: completed paths = 1 21 | KLEE: done: generated tests = 1 22 | -------------------------------------------------------------------------------- /test/Feature/klee-stats/empty/run.stats: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UnitTestBot/klee/8098ea85f7ca8818f9043672cac6251e2d46dddd/test/Feature/klee-stats/empty/run.stats -------------------------------------------------------------------------------- /test/Feature/klee-stats/missing_column/info: -------------------------------------------------------------------------------- 1 | klee run.bc 2 | PID: 1122888 3 | Using monotonic steady clock with 1/1000000000s resolution 4 | Started: 2020-09-25 18:44:34 5 | BEGIN searcher description 6 | containing 2 searchers: 7 | RandomPathSearcher 8 | WeightedRandomSearcher::CoveringNew 9 | 10 | END searcher description 11 | Finished: 2020-09-25 18:44:34 12 | Elapsed: 00:00:00 13 | KLEE: done: explored paths = 1 14 | KLEE: done: total queries = 0 15 | KLEE: done: valid queries = 0 16 | KLEE: done: invalid queries = 0 17 | KLEE: done: query cex = 0 18 | 19 | KLEE: done: total instructions = 3 20 | KLEE: done: completed paths = 1 21 | KLEE: done: generated tests = 1 22 | -------------------------------------------------------------------------------- /test/Feature/klee-stats/missing_column/run.stats: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UnitTestBot/klee/8098ea85f7ca8818f9043672cac6251e2d46dddd/test/Feature/klee-stats/missing_column/run.stats -------------------------------------------------------------------------------- /test/Feature/klee-stats/run/info: -------------------------------------------------------------------------------- 1 | klee run.bc 2 | PID: 1122888 3 | Using monotonic steady clock with 1/1000000000s resolution 4 | Started: 2020-09-25 18:44:34 5 | BEGIN searcher description 6 | containing 2 searchers: 7 | RandomPathSearcher 8 | WeightedRandomSearcher::CoveringNew 9 | 10 | END searcher description 11 | Finished: 2020-09-25 18:44:34 12 | Elapsed: 00:00:00 13 | KLEE: done: explored paths = 1 14 | KLEE: done: total queries = 0 15 | KLEE: done: valid queries = 0 16 | KLEE: done: invalid queries = 0 17 | KLEE: done: query cex = 0 18 | 19 | KLEE: done: total instructions = 3 20 | KLEE: done: completed paths = 1 21 | KLEE: done: generated tests = 1 22 | -------------------------------------------------------------------------------- /test/Feature/klee-stats/run/run.stats: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UnitTestBot/klee/8098ea85f7ca8818f9043672cac6251e2d46dddd/test/Feature/klee-stats/run/run.stats -------------------------------------------------------------------------------- /test/Feature/uint128.c: -------------------------------------------------------------------------------- 1 | // REQUIRES: target-x86_64 2 | // RUN: %clang %s -emit-llvm %O0opt -c -g -o %t1.bc 3 | // RUN: rm -rf %t.klee-out 4 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 2>&1 | FileCheck %s 5 | // CHECK-NOT: failed external call 6 | #include "klee-test-comp.c" 7 | extern unsigned __int128 __VERIFIER_nondet_uint128(); 8 | 9 | int main() { 10 | __int128 x = __VERIFIER_nondet_uint128(); 11 | return x > 0; 12 | } 13 | -------------------------------------------------------------------------------- /test/Feature/utils.h: -------------------------------------------------------------------------------- 1 | typedef unsigned char uint8_t; 2 | typedef unsigned short uint16_t; 3 | typedef unsigned int uint32_t; 4 | typedef unsigned long long uint64_t; 5 | 6 | uint32_t util_make_and_i1(uint32_t a, uint32_t b); 7 | uint32_t util_make_or_i1(uint32_t a, uint32_t b); 8 | 9 | uint16_t util_make_concat2(uint8_t a, uint8_t b); 10 | uint32_t util_make_concat4(uint8_t a, uint8_t b, 11 | uint8_t c, uint8_t d); 12 | uint64_t util_make_concat8(uint8_t a, uint8_t b, 13 | uint8_t c, uint8_t d, 14 | uint8_t e, uint8_t f, 15 | uint8_t g, uint8_t h); 16 | uint32_t util_make_select(uint32_t cond, uint32_t true, uint32_t false); 17 | -------------------------------------------------------------------------------- /test/Floats/cast_union_loose.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | # old file name: cast_union_loose_false-unreach-call_true-termination.c 4 | input_files: 'cast_union_loose.c' 5 | 6 | properties: 7 | - property_file: ../properties/termination.prp 8 | expected_verdict: true 9 | - property_file: ../properties/unreach-call.prp 10 | expected_verdict: false 11 | - property_file: ../properties/coverage-error-call.prp 12 | - property_file: ../properties/coverage-branches.prp 13 | - property_file: ../properties/coverage-conditions.prp 14 | - property_file: ../properties/coverage-statements.prp 15 | 16 | options: 17 | language: C 18 | data_model: ILP32 19 | -------------------------------------------------------------------------------- /test/Floats/cast_union_tight.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | # old file name: cast_union_tight_false-unreach-call_true-termination.c 4 | input_files: 'cast_union_tight.c' 5 | 6 | properties: 7 | - property_file: ../properties/termination.prp 8 | expected_verdict: true 9 | - property_file: ../properties/unreach-call.prp 10 | expected_verdict: false 11 | - property_file: ../properties/coverage-error-call.prp 12 | - property_file: ../properties/coverage-branches.prp 13 | - property_file: ../properties/coverage-conditions.prp 14 | - property_file: ../properties/coverage-statements.prp 15 | 16 | options: 17 | language: C 18 | data_model: ILP32 19 | -------------------------------------------------------------------------------- /test/Floats/ceil.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --libc=klee --fp-runtime --output-dir=%t.klee-out --exit-on-error %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | // REQUIRES: fp-runtime 6 | #include "klee/klee.h" 7 | #include 8 | 9 | int main() { 10 | float a; 11 | int b; 12 | klee_make_symbolic(&a, sizeof(a), "a"); 13 | klee_make_symbolic(&b, sizeof(b), "b"); 14 | if (ceilf(a) == b) { 15 | return 1; 16 | } else { 17 | return 2; 18 | } 19 | } 20 | // CHECK: KLEE: done: completed paths = 6 21 | -------------------------------------------------------------------------------- /test/Floats/copysign.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --libc=klee --fp-runtime --output-dir=%t.klee-out --exit-on-error %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | // REQUIRES: fp-runtime 6 | #include "klee/klee.h" 7 | #include 8 | 9 | int main() { 10 | double a, b; 11 | klee_make_symbolic(&a, sizeof(a), "a"); 12 | klee_make_symbolic(&b, sizeof(b), "b"); 13 | if (copysign(a, b) == a) { 14 | return 1; 15 | } else { 16 | return 2; 17 | } 18 | } 19 | // CHECK: KLEE: done: completed paths = {{4|6}} 20 | -------------------------------------------------------------------------------- /test/Floats/coverage-error-call.prp: -------------------------------------------------------------------------------- 1 | COVER( init(main()), FQL(COVER EDGES(@CALL(reach_error))) ) 2 | 3 | -------------------------------------------------------------------------------- /test/Floats/double_req_bl_0670.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | # old file name: double_req_bl_0670_true-unreach-call.c 4 | input_files: 'double_req_bl_0670.c' 5 | 6 | properties: 7 | - property_file: ../properties/unreach-call.prp 8 | expected_verdict: true 9 | - property_file: ../properties/coverage-branches.prp 10 | - property_file: ../properties/coverage-conditions.prp 11 | - property_file: ../properties/coverage-statements.prp 12 | 13 | options: 14 | language: C 15 | data_model: ILP32 16 | -------------------------------------------------------------------------------- /test/Floats/exp.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --libc=klee --fp-runtime --output-dir=%t.klee-out --exit-on-error %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | // REQUIRES: fp-runtime 6 | #include "klee/klee.h" 7 | #include 8 | 9 | int main() { 10 | float a, b; 11 | klee_make_symbolic(&a, sizeof(a), "a"); 12 | klee_make_symbolic(&b, sizeof(b), "b"); 13 | if (exp(a) == b) { 14 | return 1; 15 | } else { 16 | return 2; 17 | } 18 | } 19 | // CHECK: KLEE: done: completed paths = 7 20 | -------------------------------------------------------------------------------- /test/Floats/floor.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --libc=klee --fp-runtime --output-dir=%t.klee-out --exit-on-error %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | // REQUIRES: fp-runtime 6 | #include "klee/klee.h" 7 | #include 8 | 9 | int main() { 10 | long double a; 11 | int b; 12 | klee_make_symbolic(&a, sizeof(a), "a"); 13 | klee_make_symbolic(&b, sizeof(b), "b"); 14 | if (floorl(a) == b) { 15 | return 1; 16 | } else { 17 | return 2; 18 | } 19 | } 20 | // CHECK: KLEE: done: completed paths = 4 21 | -------------------------------------------------------------------------------- /test/Floats/fmax_intrinsic.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --libc=klee --output-dir=%t.klee-out --exit-on-error %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | #include "klee/klee.h" 6 | #include 7 | 8 | int main() { 9 | float a, b; 10 | klee_make_symbolic(&a, sizeof(a), "a"); 11 | klee_make_symbolic(&b, sizeof(b), "b"); 12 | if (fmaxf(a, b) == a) { 13 | return 1; 14 | } else { 15 | return 2; 16 | } 17 | } 18 | // CHECK: KLEE: done: completed paths = 2 19 | -------------------------------------------------------------------------------- /test/Floats/fmin_intrinsic.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --libc=klee --output-dir=%t.klee-out --exit-on-error %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | #include "klee/klee.h" 6 | #include 7 | 8 | int main() { 9 | double a, b; 10 | klee_make_symbolic(&a, sizeof(a), "a"); 11 | klee_make_symbolic(&b, sizeof(b), "b"); 12 | if (fmin(a, b) == a) { 13 | return 1; 14 | } else { 15 | return 2; 16 | } 17 | } 18 | // CHECK: KLEE: done: completed paths = 2 19 | -------------------------------------------------------------------------------- /test/Floats/fneg.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --libc=klee --fp-runtime --output-dir=%t.klee-out --exit-on-error %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | #include "klee/klee.h" 6 | #include 7 | #include 8 | 9 | int main() { 10 | float f; 11 | klee_make_symbolic(&f, sizeof(f), "f"); 12 | float result = -f; 13 | if (!isnan(f)) { 14 | if (signbit(f)) { 15 | assert(!signbit(result)); 16 | } else { 17 | assert(signbit(result)); 18 | } 19 | } else { 20 | assert(isnan(result)); 21 | } 22 | return 0; 23 | } 24 | // CHECK: KLEE: done: completed paths = 3 25 | -------------------------------------------------------------------------------- /test/Floats/fpext_single_to_double.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --libc=klee --output-dir=%t.klee-out --exit-on-error %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | #include "klee/klee.h" 6 | #include 7 | #include 8 | 9 | int main() { 10 | float x; 11 | double y; 12 | klee_make_symbolic(&x, sizeof(float), "x"); 13 | klee_assume(x > 0.0f); // This also implies x isn't a NaN 14 | y = (double)x; 15 | assert(y > 0.0); 16 | return 0; 17 | } 18 | // CHECK-NOT: silently concretizing (reason: floating point) 19 | // CHECK: KLEE: done: completed paths = 1 20 | -------------------------------------------------------------------------------- /test/Floats/fptosi_simple.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --libc=klee --output-dir=%t.klee-out --exit-on-error %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | #include "klee/klee.h" 6 | #include 7 | #include 8 | 9 | int main() { 10 | float x; 11 | signed int y; 12 | klee_make_symbolic(&x, sizeof(float), "x"); 13 | klee_assume(x > -128.9f); // This also implies x isn't a NaN 14 | klee_assume(x < 128.9f); 15 | y = (signed int)x; 16 | assert(y >= -128); 17 | assert(y <= 128); 18 | return 0; 19 | } 20 | // CHECK-NOT: silently concretizing (reason: floating point) 21 | // CHECK: KLEE: done: completed paths = 1 22 | -------------------------------------------------------------------------------- /test/Floats/fptoui_simple.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --libc=klee --output-dir=%t.klee-out --exit-on-error %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | #include "klee/klee.h" 6 | #include 7 | #include 8 | 9 | int main() { 10 | float x; 11 | unsigned int y; 12 | klee_make_symbolic(&x, sizeof(float), "x"); 13 | klee_assume(x > 1.0f); // This also implies x isn't a NaN 14 | klee_assume(x < 128.0f); 15 | y = (unsigned int)x; 16 | assert(y > 0); 17 | assert(y < 128); 18 | return 0; 19 | } 20 | // CHECK-NOT: silently concretizing (reason: floating point) 21 | // CHECK: KLEE: done: completed paths = 1 22 | -------------------------------------------------------------------------------- /test/Floats/isinf_double.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --libc=klee --fp-runtime --output-dir=%t.klee-out --exit-on-error %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | // REQUIRES: fp-runtime 6 | #include "klee/klee.h" 7 | #include 8 | #include 9 | #include 10 | 11 | int main() { 12 | double x; 13 | klee_make_symbolic(&x, sizeof(double), "x"); 14 | if (isinf(x)) { 15 | assert(klee_is_infinite_double(x)); 16 | } else { 17 | assert(!klee_is_infinite_double(x)); 18 | } 19 | } 20 | // CHECK-NOT: silently concretizing (reason: floating point) 21 | // CHECK: KLEE: done: completed paths = 2 22 | -------------------------------------------------------------------------------- /test/Floats/isinf_double_no_fork.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --libc=klee --fp-runtime --output-dir=%t.klee-out %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | // REQUIRES: fp-runtime 6 | #include "klee/klee.h" 7 | #include 8 | #include 9 | #include 10 | 11 | int main() { 12 | double x; 13 | klee_make_symbolic(&x, sizeof(double), "x"); 14 | klee_assume(isinf(x)); 15 | assert(klee_is_infinite_double(x)); 16 | } 17 | // CHECK-NOT: invalid klee_assume call (provably false) 18 | // CHECK: KLEE: done: completed paths = 1 19 | -------------------------------------------------------------------------------- /test/Floats/isinf_float.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --libc=klee --fp-runtime --output-dir=%t.klee-out --exit-on-error %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | // REQUIRES: fp-runtime 6 | #include "klee/klee.h" 7 | #include 8 | #include 9 | #include 10 | 11 | int main() { 12 | float x; 13 | klee_make_symbolic(&x, sizeof(float), "x"); 14 | if (isinf(x)) { 15 | assert(klee_is_infinite_float(x)); 16 | } else { 17 | assert(!klee_is_infinite_float(x)); 18 | } 19 | } 20 | // CHECK-NOT: silently concretizing (reason: floating point) 21 | // CHECK: KLEE: done: completed paths = 2 22 | -------------------------------------------------------------------------------- /test/Floats/isinf_float_no_fork.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --libc=klee --fp-runtime --output-dir=%t.klee-out %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | // REQUIRES: fp-runtime 6 | #include "klee/klee.h" 7 | #include 8 | #include 9 | #include 10 | 11 | int main() { 12 | float x; 13 | klee_make_symbolic(&x, sizeof(float), "x"); 14 | klee_assume(isinf(x)); 15 | assert(klee_is_infinite_float(x)); 16 | } 17 | // CHECK-NOT: invalid klee_assume call (provably false) 18 | // CHECK: KLEE: done: completed paths = 1 19 | -------------------------------------------------------------------------------- /test/Floats/isinf_long_double_no_fork.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --libc=klee --fp-runtime --output-dir=%t.klee-out %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | // REQUIRES: x86_64 6 | // REQUIRES: fp-runtime 7 | #include "klee/klee.h" 8 | #include 9 | #include 10 | #include 11 | 12 | int main() { 13 | long double x; 14 | klee_make_symbolic(&x, sizeof(long double), "x"); 15 | klee_assume(isinf(x)); 16 | assert(klee_is_infinite_long_double(x)); 17 | } 18 | // CHECK-NOT: invalid klee_assume call (provably false) 19 | // CHECK: KLEE: done: completed paths = 1 20 | -------------------------------------------------------------------------------- /test/Floats/isnan_double.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --libc=klee --fp-runtime --output-dir=%t.klee-out --exit-on-error %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | #include "klee/klee.h" 6 | #include 7 | #include 8 | #include 9 | 10 | int main() { 11 | double x; 12 | klee_make_symbolic(&x, sizeof(double), "x"); 13 | if (isnan(x)) { 14 | assert(x != x); 15 | assert(klee_is_nan_double(x)); 16 | } else { 17 | assert(x == x); 18 | assert(!klee_is_nan_double(x)); 19 | } 20 | } 21 | // CHECK-NOT: silently concretizing (reason: floating point) 22 | // CHECK: KLEE: done: completed paths = 2 23 | -------------------------------------------------------------------------------- /test/Floats/isnanf.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --libc=klee --fp-runtime --output-dir=%t.klee-out --exit-on-error %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | #include "klee/klee.h" 6 | #include 7 | #include 8 | #include 9 | 10 | int main() { 11 | float x; 12 | klee_make_symbolic(&x, sizeof(float), "x"); 13 | if (isnan(x)) { 14 | assert(x != x); 15 | assert(klee_is_nan_float(x)); 16 | } else { 17 | assert(x == x); 18 | assert(!klee_is_nan_float(x)); 19 | } 20 | } 21 | // CHECK-NOT: silently concretizing (reason: floating point) 22 | // CHECK: KLEE: done: completed paths = 2 23 | -------------------------------------------------------------------------------- /test/Floats/isnormal_double.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --libc=klee --fp-runtime --output-dir=%t.klee-out --exit-on-error %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | #include "klee/klee.h" 6 | #include 7 | #include 8 | #include 9 | 10 | int main() { 11 | double x; 12 | klee_make_symbolic(&x, sizeof(double), "x"); 13 | if (klee_is_normal_double(x)) { 14 | assert(isnormal(x)); 15 | } else { 16 | assert(!klee_is_normal_double(x)); 17 | assert(!isnormal(x)); 18 | } 19 | } 20 | // CHECK-NOT: silently concretizing (reason: floating point) 21 | // CHECK: KLEE: done: completed paths = 2 22 | -------------------------------------------------------------------------------- /test/Floats/isnormal_float.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --libc=klee --fp-runtime --output-dir=%t.klee-out --exit-on-error %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | #include "klee/klee.h" 6 | #include 7 | #include 8 | #include 9 | 10 | int main() { 11 | float x; 12 | klee_make_symbolic(&x, sizeof(float), "x"); 13 | if (klee_is_normal_float(x)) { 14 | assert(isnormal(x)); 15 | } else { 16 | assert(!klee_is_normal_float(x)); 17 | assert(!isnormal(x)); 18 | } 19 | } 20 | // CHECK-NOT: silently concretizing (reason: floating point) 21 | // CHECK: KLEE: done: completed paths = 2 22 | -------------------------------------------------------------------------------- /test/Floats/lit.local.cfg: -------------------------------------------------------------------------------- 1 | def getRoot(config): 2 | if not config.parent: 3 | return config 4 | return getRoot(config.parent) 5 | 6 | if not getRoot(config).enable_floating_point: 7 | config.unsupported = True 8 | -------------------------------------------------------------------------------- /test/Floats/nearbyint.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --libc=klee --fp-runtime --output-dir=%t.klee-out --exit-on-error %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | // REQUIRES: fp-runtime 6 | #include "klee/klee.h" 7 | #include 8 | 9 | int main() { 10 | double a; 11 | int b; 12 | klee_make_symbolic(&a, sizeof(a), "a"); 13 | klee_make_symbolic(&b, sizeof(b), "b"); 14 | if (nearbyint(a) == b) { 15 | return 1; 16 | } else { 17 | return 2; 18 | } 19 | } 20 | // CHECK: KLEE: done: completed paths = 2 21 | -------------------------------------------------------------------------------- /test/Floats/rint.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --libc=klee --fp-runtime --output-dir=%t.klee-out --exit-on-error %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | // REQUIRES: fp-runtime 6 | #include "klee/klee.h" 7 | #include 8 | 9 | int main() { 10 | float a, b, c; 11 | klee_make_symbolic(&a, sizeof(a), "a"); 12 | klee_make_symbolic(&b, sizeof(b), "b"); 13 | klee_make_symbolic(&c, sizeof(c), "c"); 14 | klee_assume(rintf(c) == 2.0); 15 | if (rintf(a) == b) { 16 | return 1; 17 | } else { 18 | return 2; 19 | } 20 | } 21 | // CHECK: KLEE: done: completed paths = 2 22 | -------------------------------------------------------------------------------- /test/Floats/set_rounding_mode_fail_external_call.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: not %klee --libc=klee --fp-runtime --output-dir=%t.klee-out --exit-on-error %t1.bc 0.5 > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | // REQUIRES: fp-runtime 6 | #include "klee/klee.h" 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | 13 | int main(int argc, char **argv) { 14 | klee_set_rounding_mode(KLEE_FP_RNA); 15 | // CHECK: set_rounding_mode_fail_external_call.c:[[@LINE+1]]: Cannot set rounding mode for external call to RNA 16 | puts("doing external call"); 17 | return 0; 18 | } 19 | -------------------------------------------------------------------------------- /test/Floats/sitofp_simple.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --libc=klee --output-dir=%t.klee-out --exit-on-error %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | #include "klee/klee.h" 6 | #include 7 | #include 8 | #include 9 | 10 | int main() { 11 | float x; 12 | int32_t y; 13 | klee_make_symbolic(&y, sizeof(int32_t), "y"); 14 | x = (float)y; 15 | assert(klee_is_symbolic(x)); 16 | assert(x >= -0x1.000000p31); // x >= 2^31 17 | assert(x <= 0x1.000000p31); // x <= 2^31 18 | return 0; 19 | } 20 | // CHECK-NOT: silently concretizing (reason: floating point) 21 | // CHECK: KLEE: done: completed paths = 1 22 | -------------------------------------------------------------------------------- /test/Floats/uitofp_simple.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --libc=klee --output-dir=%t.klee-out --exit-on-error %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | #include "klee/klee.h" 6 | #include 7 | #include 8 | #include 9 | 10 | int main() { 11 | float x; 12 | uint32_t y; 13 | klee_make_symbolic(&y, sizeof(uint32_t), "y"); 14 | x = (float)y; 15 | assert(klee_is_symbolic(x)); 16 | assert(x >= 0.0f); 17 | assert(x <= 0x1.000000p32); // x <= 2^32 18 | return 0; 19 | } 20 | // CHECK-NOT: silently concretizing (reason: floating point) 21 | // CHECK: KLEE: done: completed paths = 1 22 | -------------------------------------------------------------------------------- /test/Industry/.clang-format: -------------------------------------------------------------------------------- 1 | DisableFormat: true 2 | SortIncludes: false -------------------------------------------------------------------------------- /test/Industry/BadCase01_SecB_ForwardNull.c.json: -------------------------------------------------------------------------------- 1 | { 2 | "runs": [ 3 | { 4 | "tool": { 5 | "driver": { 6 | "name": "SecB" 7 | } 8 | }, 9 | "results": [] 10 | } 11 | ] 12 | } -------------------------------------------------------------------------------- /test/Industry/CoverageBranches/lit.local.cfg: -------------------------------------------------------------------------------- 1 | def getRoot(config): 2 | if not config.parent: 3 | return config 4 | return getRoot(config.parent) 5 | 6 | rootConfig = getRoot(config) 7 | if config.have_asan or config.have_ubsan or config.have_msan: 8 | config.unsupported = True 9 | -------------------------------------------------------------------------------- /test/Industry/CoverageErrorCall/coverage-error-call.prp: -------------------------------------------------------------------------------- 1 | COVER( init(main()), FQL(COVER EDGES(@CALL(reach_error))) ) 2 | 3 | -------------------------------------------------------------------------------- /test/Industry/securectype.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UnitTestBot/klee/8098ea85f7ca8818f9043672cac6251e2d46dddd/test/Industry/securectype.h -------------------------------------------------------------------------------- /test/InlineAsm/InlineAsm.c: -------------------------------------------------------------------------------- 1 | // Not supported on Apple Silicon 2 | // REQUIRES: not-darwin 3 | 4 | // RUN: %clang %s -emit-llvm %O0opt -c -g -o %t.bc 5 | // RUN: rm -rf %t.klee-out 6 | // RUN: %klee --external-calls=all --exit-on-error --output-dir=%t.klee-out %t.bc > %t.output.log 2>&1 7 | 8 | #include "klee/klee.h" 9 | #include 10 | 11 | int main() { 12 | 13 | int x; 14 | klee_make_symbolic(&x, sizeof(x), "x"); 15 | if (x == 239) { 16 | __asm__("neg %0" 17 | : "+r"(x)); 18 | assert(x == -239); 19 | } 20 | 21 | int y = x; 22 | __asm__("add $5, %0" 23 | : "+r"(x)); 24 | __asm__("add $0, %0" 25 | : "+r"(y)); 26 | assert(x == y + 5); 27 | 28 | return 0; 29 | } 30 | -------------------------------------------------------------------------------- /test/Intrinsics/abs-overflow.ll: -------------------------------------------------------------------------------- 1 | ; REQUIRES: geq-llvm-12.0 2 | ; RUN: rm -rf %t.klee-out 3 | ; RUN: %klee --output-dir=%t.klee-out --optimize=false %s 2> %t.stderr.log 4 | ; RUN: FileCheck %s < %t.stderr.log 5 | 6 | define i32 @main() { 7 | %1 = call i32 @llvm.abs.i32(i32 -2147483648, i1 true) 8 | ; CHECK: llvm.abs called with poison and INT_MIN 9 | ret i32 0 10 | } 11 | 12 | declare i32 @llvm.abs.i32(i32, i1 immarg) 13 | -------------------------------------------------------------------------------- /test/README: -------------------------------------------------------------------------------- 1 | about tests.... 2 | -------------------------------------------------------------------------------- /test/Replay/libkleeruntest/replay_cex_after_assumed_malloc.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -S -emit-llvm -g -c -o %t.ll 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t.ll 4 | // KLEE just must not fail 5 | #include "klee/klee.h" 6 | #include 7 | 8 | int main() { 9 | char i; 10 | char *p; 11 | char *q; 12 | klee_make_symbolic(&i, sizeof(i), "i"); 13 | klee_make_symbolic(&p, sizeof(p), "p"); 14 | 15 | if (i) { 16 | } 17 | 18 | q = malloc(sizeof(char)); 19 | klee_assume(p == q); 20 | klee_make_symbolic(p, sizeof(char), "p[0]"); 21 | 22 | char condition = (*p); 23 | if (*p) 24 | condition = 1; 25 | klee_prefer_cex(&i, condition); 26 | if (i + 5) { 27 | } 28 | return 0; 29 | } 30 | -------------------------------------------------------------------------------- /test/Runtime/POSIX/CanonicalizeFileName.c: -------------------------------------------------------------------------------- 1 | // REQUIRES: not-darwin 2 | // RUN: %clang %s -Wall -emit-llvm -g %O0opt -c -o %t.bc 3 | // RUN: rm -rf %t.klee-out 4 | // RUN: %klee --output-dir=%t.klee-out --libc=uclibc --posix-runtime --exit-on-error %t.bc 5 | 6 | #define _GNU_SOURCE 7 | #include 8 | #include 9 | #include 10 | 11 | int main(int argc, char *argv[]) { 12 | char cwd[PATH_MAX] = {0}; 13 | 14 | if (!getcwd(cwd, PATH_MAX)) 15 | exit(EXIT_FAILURE); 16 | if (!canonicalize_file_name(cwd)) 17 | exit(EXIT_FAILURE); 18 | } 19 | -------------------------------------------------------------------------------- /test/Runtime/POSIX/FD_Fail.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --libc=uclibc --posix-runtime %t1.bc --max-fail 1 | FileCheck %s 4 | 5 | #include 6 | #include 7 | 8 | int main(int argc, char **argv) { 9 | char buf[1024]; 10 | FILE *f = fopen("/dev/zero", "rb"); 11 | assert(f); 12 | 13 | int r = fread(buf, 1, 100, f); 14 | printf("fread(): %s\n", 15 | r ? "ok" : "fail"); 16 | // CHECK-DAG: fread(): ok 17 | // CHECK-DAG: fread(): fail 18 | 19 | r = fclose(f); 20 | printf("fclose(): %s\n", 21 | r ? "ok" : "fail"); 22 | // CHECK-DAG: fclose(): ok 23 | // CHECK-DAG: fclose(): fail 24 | 25 | return 0; 26 | } 27 | -------------------------------------------------------------------------------- /test/Runtime/POSIX/GetcwdFail.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --libc=klee --posix-runtime %t.bc 4 | 5 | #include 6 | #include 7 | #include 8 | 9 | int main(void) { 10 | // non-null path with 0 size should set EINVAL and return NULL 11 | char *path[42]; 12 | errno = 0; 13 | char *result = getcwd(path, 0); 14 | assert(errno == EINVAL); 15 | assert(result == NULL); 16 | } 17 | -------------------------------------------------------------------------------- /test/Runtime/POSIX/Getenv.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t2.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --libc=klee --posix-runtime --exit-on-error %t2.bc --sym-files 1 10 4 | #include 5 | #include 6 | #include 7 | #include 8 | int main(int argc, char **argv) { 9 | char *g = getenv("PWD"); 10 | if (g) { 11 | printf("have PWD\n"); 12 | } else { 13 | printf("have no PWD\n"); 14 | } 15 | 16 | g = getenv("HELLO"); 17 | if (!g || strcmp(g, "nice") == 0) { 18 | printf("getenv(\"HELLO\") = %p\n", g); 19 | if (g) 20 | assert(strcmp(getenv("HELLO"), "nice") == 0); 21 | } 22 | 23 | return 0; 24 | } 25 | -------------------------------------------------------------------------------- /test/Runtime/POSIX/MixedConcreteSymbolic.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --external-calls=all --exit-on-error --libc=uclibc --posix-runtime %t.bc --sym-stdin 10 2>%t.log | FileCheck %s 4 | 5 | #include "klee/klee.h" 6 | #include 7 | #include 8 | 9 | int main(int argc, char **argv) { 10 | char buf[32]; 11 | 12 | fread(buf, 1, 4, stdin); 13 | klee_assume(buf[0] == 'a'); 14 | klee_assume(buf[1] > 'a'); 15 | klee_assume(buf[1] < 'z'); 16 | klee_assume(buf[2] == '\n'); 17 | klee_assume(buf[3] == '\0'); 18 | fwrite(buf, 1, 4, stdout); 19 | // CHECK: a{{[b-y]}} 20 | 21 | return 0; 22 | } 23 | -------------------------------------------------------------------------------- /test/Runtime/POSIX/Openat.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t2.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --posix-runtime --exit-on-error %t2.bc --sym-files 1 10 4 | // RUN: test -f %t.klee-out/test000001.ktest 5 | #include "klee/klee.h" 6 | #include 7 | #include 8 | #include 9 | 10 | int main(int argc, char **argv) { 11 | int fd = openat(AT_FDCWD, "A", O_RDWR | O_TRUNC); 12 | if (fd != -1) { 13 | char buf[10]; 14 | assert(read(fd, buf, 10) == 10); 15 | assert(klee_is_symbolic(buf[0])); 16 | } else { 17 | klee_silent_exit(0); 18 | } 19 | return 0; 20 | } 21 | -------------------------------------------------------------------------------- /test/Runtime/POSIX/SELinux/lit.local.cfg: -------------------------------------------------------------------------------- 1 | def getRoot(config): 2 | if not config.parent: 3 | return config 4 | return getRoot(config.parent) 5 | 6 | if not getRoot(config).have_selinux: 7 | config.unsupported = True 8 | -------------------------------------------------------------------------------- /test/Runtime/POSIX/Write1.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error --libc=uclibc --posix-runtime %t.bc --sym-files 1 10 --sym-stdout 2>%t.log 4 | 5 | #include "klee/klee.h" 6 | #include 7 | #include 8 | #include 9 | 10 | int main(int argc, char **argv) { 11 | char buf[32]; 12 | 13 | FILE *f = fopen("A", "w"); 14 | if (!f) 15 | klee_silent_exit(0); 16 | fwrite("Hello", sizeof("Hello"), 1, f); 17 | fclose(f); 18 | 19 | f = fopen("A", "r"); 20 | fread(buf, sizeof("Hello"), 1, f); 21 | fclose(f); 22 | 23 | assert(memcmp(buf, "Hello", sizeof("Hello")) == 0); 24 | 25 | return 0; 26 | } 27 | -------------------------------------------------------------------------------- /test/Runtime/POSIX/Write2.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error --libc=uclibc --posix-runtime %t.bc --sym-files 1 10 --sym-stdout 2>%t.log 4 | #include "klee/klee.h" 5 | #include 6 | #include 7 | 8 | int main(int argc, char **argv) { 9 | const char *msg = "This will eventually overflow stdout. "; 10 | char buf[32]; 11 | int i; 12 | 13 | FILE *f = stdout; // fopen("A", "w"); 14 | if (!f) 15 | klee_silent_exit(0); 16 | 17 | for (i = 0; i < 300; i++) 18 | fwrite(msg, sizeof(msg), 1, f); 19 | fclose(f); 20 | 21 | return 0; 22 | } 23 | -------------------------------------------------------------------------------- /test/Runtime/POSIX/getchar_example.c: -------------------------------------------------------------------------------- 1 | // REQUIRES: geq-llvm-10.0 2 | // RUN: %clang %s -emit-llvm -g %O0opt -c -o %t.bc 3 | // RUN: rm -rf %t.klee-out 4 | // RUN: %klee --output-dir=%t.klee-out --posix-runtime %t.bc --sym-stdin 64 5 | // RUN: test -f %t.klee-out/test000001.ktest 6 | // RUN: test -f %t.klee-out/test000002.ktest 7 | // RUN: test -f %t.klee-out/test000003.ktest 8 | // RUN: not test -f %t.klee-out/test000004.ktest 9 | 10 | #include 11 | 12 | int main() { 13 | unsigned char a = getchar(); 14 | unsigned char b = getchar(); 15 | 16 | if (a + b < 0) { 17 | return -1; 18 | } 19 | 20 | if (a + b < 100) { 21 | return 0; 22 | } else if (a + b < 200) { 23 | return 1; 24 | } else { 25 | return 2; 26 | } 27 | } 28 | -------------------------------------------------------------------------------- /test/Runtime/POSIX/gets_example.c: -------------------------------------------------------------------------------- 1 | // REQUIRES: geq-llvm-10.0 2 | // RUN: %clang %s -emit-llvm -g %O0opt -c -o %t.bc 3 | // RUN: rm -rf %t.klee-out 4 | // RUN: %klee --output-dir=%t.klee-out --posix-runtime %t.bc --sym-stdin 64 > %t.log 5 | // RUN: FileCheck %s -input-file=%t.log 6 | 7 | #include 8 | 9 | int main() { 10 | char a[8]; 11 | gets(a); 12 | if (a[0] == 'u' && a[1] == 't' && a[2] == 'b' && a[3] == 'o' && a[4] == 't') { 13 | printf("%c%c%c%c%c\n", a[0], a[1], a[2], a[3], a[4]); 14 | // CHECK: utbot 15 | return 1; 16 | } 17 | return 0; 18 | } 19 | -------------------------------------------------------------------------------- /test/Runtime/POSIX/lit.local.cfg: -------------------------------------------------------------------------------- 1 | def getRoot(config): 2 | if not config.parent: 3 | return config 4 | return getRoot(config.parent) 5 | 6 | if not getRoot(config).enable_posix_runtime: 7 | config.unsupported = True 8 | -------------------------------------------------------------------------------- /test/Runtime/Uclibc/2007-10-08-optimization-calls-wrong-libc-functions.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error --optimize --libc=uclibc %t1.bc 4 | 5 | #include 6 | #include 7 | 8 | #include "klee/klee.h" 9 | 10 | int main() { 11 | int a; 12 | 13 | klee_make_symbolic(&a, sizeof a, "a"); 14 | 15 | memset(&a, 0, sizeof a); 16 | 17 | if (a) { 18 | assert(0); 19 | } 20 | 21 | return 0; 22 | } 23 | -------------------------------------------------------------------------------- /test/Runtime/Uclibc/2008-03-04-libc-atexit-uses-dso-handle.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error --libc=uclibc %t1.bc 4 | 5 | // just make sure atexit works ok 6 | #include 7 | 8 | void boo() { 9 | } 10 | 11 | int main() { 12 | atexit(boo); 13 | return 0; 14 | } 15 | -------------------------------------------------------------------------------- /test/Runtime/Uclibc/Environ.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --libc=uclibc --exit-on-error %t1.bc 4 | 5 | #include 6 | #include 7 | #include 8 | 9 | int main() { 10 | printf("HOME: %s\n", getenv("HOME")); 11 | assert(getenv("HOME") != 0); 12 | return 0; 13 | } 14 | -------------------------------------------------------------------------------- /test/Runtime/Uclibc/FunctionNotFound.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: not %klee --entry-points=main --output-dir=%t.klee-out --libc=uclibc --exit-on-error %t1.bc 2>&1 | FileCheck %s 4 | 5 | int foo(int argc, char *argv[]) { 6 | return 0; 7 | } 8 | 9 | // CHECK: KLEE: ERROR: Entry function 'main' not found in module. 10 | -------------------------------------------------------------------------------- /test/Runtime/Uclibc/lit.local.cfg: -------------------------------------------------------------------------------- 1 | def getRoot(config): 2 | if not config.parent: 3 | return config 4 | return getRoot(config.parent) 5 | 6 | if not getRoot(config).enable_uclibc: 7 | config.unsupported = True 8 | -------------------------------------------------------------------------------- /test/Runtime/klee-libc/atexit_order.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error --libc=klee %t1.bc 4 | 5 | // make sure the functions passed to atexit are called in reverse order 6 | 7 | #include 8 | 9 | extern void atexit(void (*)()); 10 | 11 | static int counter = 0; 12 | 13 | void first() { 14 | assert(counter == 0); 15 | ++counter; 16 | } 17 | 18 | void second() { 19 | assert(counter == 1); 20 | ++counter; 21 | } 22 | 23 | int main() { 24 | atexit(second); 25 | atexit(first); 26 | return 0; 27 | } 28 | -------------------------------------------------------------------------------- /test/Runtime/klee-libc/bcmp.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error --libc=klee %t1.bc 4 | 5 | // test bcmp for sizes including zero 6 | 7 | #include "klee/klee.h" 8 | 9 | #include 10 | #include 11 | #include 12 | 13 | int main() { 14 | for (int i = 0; i < 5; ++i) { 15 | void *s = malloc(i); 16 | if (s) { 17 | klee_make_symbolic(s, i, "s"); 18 | assert(0 == bcmp(s, s, i)); 19 | free(s); 20 | } 21 | } 22 | return 0; 23 | } 24 | -------------------------------------------------------------------------------- /test/Runtime/klee-libc/cxa_thread_atexit_impl.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error --libc=klee %t1.bc 4 | 5 | // just make sure __cxa_thread_atexit_impl works ok 6 | 7 | #include 8 | 9 | extern int __cxa_thread_atexit_impl(void (*)(void *), void *, void *); 10 | 11 | static int x; // a global whose address we can take 12 | 13 | void boo(void *h) { 14 | assert(h == (void *)&x); 15 | } 16 | 17 | int main() { 18 | __cxa_thread_atexit_impl(boo, (void *)&x, (void *)0); 19 | return 0; 20 | } 21 | -------------------------------------------------------------------------------- /test/SARIF/Generic/LazyInitialization/LazyInitialization.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang -emit-llvm -g -c %s -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --write-sarifs --use-sym-size-alloc --use-sym-size-li --skip-not-symbolic-objects --posix-runtime --libc=uclibc -cex-cache-validity-cores --output-dir=%t.klee-out %t.bc > %t.log 4 | // RUN: %checker %t.klee-out/report.sarif %S/pattern.sarif 5 | 6 | #include "klee/klee.h" 7 | 8 | #include 9 | 10 | int main() { 11 | char *s; 12 | klee_make_symbolic(&s, sizeof(s), "s"); 13 | 14 | *s = 100; 15 | s[200] = 200; 16 | } 17 | -------------------------------------------------------------------------------- /test/SARIF/Generic/SymbolicSizeArray/SymbolicSizeArray.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang -emit-llvm -g -c %s -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee -write-sarifs --use-sym-size-alloc --use-sym-size-li --skip-not-symbolic-objects --posix-runtime --libc=uclibc -cex-cache-validity-cores --output-dir=%t.klee-out %t.bc > %t.log 4 | // RUN: %checker %t.klee-out/report.sarif %S/pattern.sarif 5 | 6 | #include "klee/klee.h" 7 | 8 | #include 9 | 10 | int main() { 11 | int n; 12 | klee_make_symbolic(&n, sizeof(n), "n"); 13 | 14 | char *s = (char *)malloc(n); 15 | s[1] = 10; 16 | s[2] = 20; 17 | s[0] = 0; 18 | } 19 | -------------------------------------------------------------------------------- /test/SARIF/lit.local.cfg: -------------------------------------------------------------------------------- 1 | import os 2 | 3 | def getRoot(config): 4 | if not config.parent: 5 | return config 6 | return getRoot(config.parent) 7 | 8 | if not getRoot(config).enable_posix_runtime or not getRoot(config).enable_uclibc: 9 | config.unsupported = True 10 | 11 | config.substitutions.append( 12 | ('%checker', f"python3 {os.path.join(os.path.dirname(__file__), 'checker.py')}".strip()) 13 | ) 14 | -------------------------------------------------------------------------------- /test/Solver/AShr_to_smtlib.kquery.good.smt2: -------------------------------------------------------------------------------- 1 | ;SMTLIBv2 Query 0 2 | (set-logic QF_AUFBV ) 3 | (declare-fun makeSymbolic0 () (Array (_ BitVec 32) (_ BitVec 8) ) ) 4 | (declare-fun makeSymbolic1 () (Array (_ BitVec 32) (_ BitVec 8) ) ) 5 | (assert (and (not (= (_ bv0 8) (ite (bvuge (select makeSymbolic1 (_ bv0 32) ) (_ bv8 8) ) (_ bv0 8) (bvashr (select makeSymbolic0 (_ bv0 32) ) (select makeSymbolic1 (_ bv0 32) ) ) ) ) ) (bvule (_ bv8 8) (select makeSymbolic1 (_ bv0 32) ) ) ) ) 6 | (check-sat) 7 | (exit) 8 | -------------------------------------------------------------------------------- /test/Solver/CexCacheCheckBinding.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --debug-cex-cache-check-binding --search=bfs --use-guided-search=none --use-cex-cache=false %t1.bc 2>&1 | FileCheck %s 4 | 5 | #include "ExerciseSolver.c.inc" 6 | 7 | // CHECK: KLEE: done: completed paths = 18 8 | // CHECK: KLEE: done: partially completed paths = 0 9 | -------------------------------------------------------------------------------- /test/Solver/CrosscheckCoreStpZ3.c: -------------------------------------------------------------------------------- 1 | // REQUIRES: stp 2 | // REQUIRES: z3 3 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 4 | // RUN: rm -rf %t.klee-out 5 | // RUN: %klee --output-dir=%t.klee-out --solver-backend=stp --use-forked-solver=false --debug-crosscheck-core-solver=z3 --use-guided-search=none %t1.bc 2>&1 | FileCheck %s 6 | 7 | #include "ExerciseSolver.c.inc" 8 | 9 | // CHECK: KLEE: done: completed paths = 18 10 | // CHECK: KLEE: done: partially completed paths = 0 11 | -------------------------------------------------------------------------------- /test/Solver/CrosscheckCoreZ3Bitwuzla.c: -------------------------------------------------------------------------------- 1 | // REQUIRES: z3 2 | // REQUIRES: bitwuzla 3 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 4 | // RUN: rm -rf %t.klee-out 5 | // RUN: %klee --output-dir=%t.klee-out --solver-backend=z3 --use-forked-solver=false --debug-crosscheck-core-solver=bitwuzla --use-guided-search=none %t1.bc 2>&1 | FileCheck %s 6 | 7 | #include "ExerciseSolver.c.inc" 8 | 9 | // CHECK: KLEE: done: completed paths = 18 10 | // CHECK: KLEE: done: partially completed paths = 0 11 | -------------------------------------------------------------------------------- /test/Solver/DummySolver.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --search=bfs --solver-backend=dummy --use-guided-search=none --use-cex-cache=false %t1.bc 2>&1 | FileCheck %s 4 | 5 | #include "ExerciseSolver.c.inc" 6 | 7 | // CHECK: KLEE: done: completed paths = 0 8 | // CHECK: KLEE: done: partially completed paths = 1 9 | -------------------------------------------------------------------------------- /test/Solver/FastCexSolver.kquery: -------------------------------------------------------------------------------- 1 | # RUN: %kleaver --use-fast-cex-solver --solver-backend=dummy %s > %t 2 | # RUN: not grep FAIL %t 3 | 4 | makeSymbolic0 : (array (w64 4) (makeSymbolic arr1 0)) 5 | (query [] (Not (Eq 4096 (ReadLSB w32 0 makeSymbolic0)))) 6 | 7 | makeSymbolic1 : (array (w64 2) (makeSymbolic A_data 0)) 8 | (query [(Ule (Add w8 208 N0:(Read w8 0 makeSymbolic1)) 9 | 9)] 10 | (Eq 52 N0)) 11 | -------------------------------------------------------------------------------- /test/Solver/LargeIntegers.kquery: -------------------------------------------------------------------------------- 1 | # RUN: %kleaver %s > %t 2 | 3 | makeSymbolic0 : (array (w64 64) (makeSymbolic a 0)) 4 | 5 | # RUN: grep -A 1 "Query 0" %t > %t2 6 | # RUN: grep "Expr 0: 18446744073709551618" %t2 7 | (query [] false [(Concat w128 (w64 1) (w64 2))]) 8 | 9 | # RUN: grep -A 1 "Query 1" %t > %t2 10 | # RUN: grep "Expr 0: 16" %t2 11 | (query [] false [(Extract w5 60 (Concat w128 (w64 1) (w64 2)))]) 12 | 13 | # RUN: grep -A 1 "Query 2" %t > %t2 14 | # RUN: grep "Array 0: makeSymbolic0.16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1" %t2 15 | (query [(Eq 0x0102030405060708090A0B0C0D0E0F10 (ReadLSB w128 0 makeSymbolic0))] 16 | false 17 | [] [makeSymbolic0]) 18 | -------------------------------------------------------------------------------- /test/Solver/NoBitwuzla.c: -------------------------------------------------------------------------------- 1 | // REQUIRES: not-bitwuzla 2 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 3 | // RUN: rm -rf %t.klee-out 4 | // RUN: not %klee --output-dir=%t.klee-out --solver-backend=bitwuzla %t1.bc 2>&1 | FileCheck %s 5 | // CHECK: Not compiled with Bitwuzla support 6 | // CHECK: ERROR: Failed to create core solver 7 | 8 | int main(int argc, char **argv) { 9 | return 0; 10 | } 11 | -------------------------------------------------------------------------------- /test/Solver/NoSTP.c: -------------------------------------------------------------------------------- 1 | // REQUIRES: not-stp 2 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 3 | // RUN: rm -rf %t.klee-out 4 | // RUN: not %klee --output-dir=%t.klee-out --solver-backend=stp %t1.bc 2>&1 | FileCheck %s 5 | // CHECK: Not compiled with STP support 6 | // CHECK: ERROR: Failed to create core solver 7 | 8 | int main(int argc, char **argv) { 9 | return 0; 10 | } 11 | -------------------------------------------------------------------------------- /test/Solver/NoZ3.c: -------------------------------------------------------------------------------- 1 | // REQUIRES: not-z3 2 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 3 | // RUN: rm -rf %t.klee-out 4 | // RUN: not %klee --output-dir=%t.klee-out --solver-backend=z3 %t1.bc 2>&1 | FileCheck %s 5 | // CHECK: Not compiled with Z3 support 6 | // CHECK: ERROR: Failed to create core solver 7 | 8 | int main(int argc, char **argv) { 9 | return 0; 10 | } 11 | -------------------------------------------------------------------------------- /test/Solver/STPDumpDebugQueries.c: -------------------------------------------------------------------------------- 1 | // REQUIRES: stp 2 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 3 | // RUN: rm -rf %t.klee-out 4 | // RUN: %klee --solver-backend=stp --output-dir=%t.klee-out -debug-dump-stp-queries %t1.bc 5 | // RUN: cat %t.klee-out/warnings.txt | FileCheck %s 6 | 7 | // Objective: test -debug-dump-stp-queries (just invocation and header in warnings.txt) 8 | 9 | #include "klee/klee.h" 10 | 11 | int main(int argc, char **argv) { 12 | unsigned i; 13 | klee_make_symbolic(&i, sizeof i, "i"); 14 | if (i) 15 | return 0; 16 | else 17 | return 1; 18 | // CHECK: KLEE: WARNING: STP query: 19 | } 20 | -------------------------------------------------------------------------------- /test/Solver/ValidatingSolver.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --search=bfs --debug-validate-solver --debug-assignment-validating-solver --use-guided-search=none %t1.bc 2>&1 | FileCheck %s 4 | 5 | #include "ExerciseSolver.c.inc" 6 | 7 | // CHECK: KLEE: done: completed paths = 18 8 | // CHECK: KLEE: done: partially completed paths = 0 -------------------------------------------------------------------------------- /test/Solver/lit.local.cfg: -------------------------------------------------------------------------------- 1 | # Look for .kquery files too 2 | config.suffixes.add('.kquery') 3 | -------------------------------------------------------------------------------- /test/Solver/overshift-aright-by-constant.kquery: -------------------------------------------------------------------------------- 1 | # RUN: %kleaver %s > %t 2 | # RUN: not grep INVALID %t 3 | makeSymbolic0 : (array (w64 4) (makeSymbolic x 0)) 4 | # ∀ x. x > 0 → ( ((signed int) x) >> 32 = 0 ) 5 | # Check we overshift to zero for when shifting for all 32-bit values >0 6 | 7 | (query [ (Ult (w32 0) (ReadLSB w32 (w32 0) makeSymbolic0)) ] 8 | (Eq 9 | (AShr w32 10 | (ReadLSB w32 (w32 0) makeSymbolic0) 11 | (w32 32) 12 | ) 13 | (w32 0) 14 | ) [ ] [makeSymbolic0] ) 15 | -------------------------------------------------------------------------------- /test/Solver/overshift-left-by-constant.kquery: -------------------------------------------------------------------------------- 1 | # RUN: %kleaver %s > %t 2 | # RUN: not grep INVALID %t 3 | makeSymbolic0 : (array (w64 4) (makeSymbolic x 0)) 4 | # ∀ x. x > 0 → ( x << 32 = 0 ) 5 | # Check we overshift to zero for when shifting for all 32-bit values >0 6 | 7 | (query [ (Ult (w32 0) (ReadLSB w32 (w32 0) makeSymbolic0)) ] 8 | (Eq 9 | (Shl w32 10 | (ReadLSB w32 (w32 0) makeSymbolic0) 11 | (w32 32) 12 | ) 13 | (w32 0) 14 | ) [ ] [makeSymbolic0] ) 15 | -------------------------------------------------------------------------------- /test/Solver/overshift-lright-by-constant.kquery: -------------------------------------------------------------------------------- 1 | # RUN: %kleaver %s > %t 2 | # RUN: not grep INVALID %t 3 | makeSymbolic0 : (array (w64 4) (makeSymbolic x 0)) 4 | # ∀ x. x > 0 → ( x >> 32 = 0 ) 5 | # Check we overshift to zero for when shifting for all 32-bit values >0 6 | 7 | (query [ (Ult (w32 0) (ReadLSB w32 (w32 0) makeSymbolic0)) ] 8 | (Eq 9 | (LShr w32 10 | (ReadLSB w32 (w32 0) makeSymbolic0) 11 | (w32 32) 12 | ) 13 | (w32 0) 14 | ) [ ] [makeSymbolic0] ) 15 | -------------------------------------------------------------------------------- /test/UBSan/ubsan_bool.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -fsanitize=bool -emit-llvm -g %O0opt -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --emit-all-errors --ubsan-runtime %t.bc 2>&1 | FileCheck %s 4 | // RUN: ls %t.klee-out/ | grep .ktest | wc -l | grep 2 5 | // RUN: ls %t.klee-out/ | grep .invalid_load.err | wc -l | grep 1 6 | 7 | #include "klee/klee.h" 8 | 9 | int main() { 10 | unsigned char x; 11 | volatile _Bool result; 12 | 13 | klee_make_symbolic(&x, sizeof(x), "x"); 14 | 15 | // CHECK: KLEE: ERROR: {{.*}}runtime/Sanitizer/ubsan/ubsan_handlers.cpp:{{[0-9]+}}: load invalid value 16 | result = *(_Bool *)&x; 17 | 18 | return 0; 19 | } 20 | -------------------------------------------------------------------------------- /test/UBSan/ubsan_integer_divide_by_zero.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -fsanitize=integer-divide-by-zero -emit-llvm -g %O0opt -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --emit-all-errors --ubsan-runtime --check-div-zero=false %t.bc 2>&1 | FileCheck %s 4 | // RUN: ls %t.klee-out/ | grep .ktest | wc -l | grep 1 5 | // RUN: ls %t.klee-out/ | grep .overflow.err | wc -l | grep 1 6 | 7 | #include "klee/klee.h" 8 | 9 | int main() { 10 | int x; 11 | volatile int result; 12 | 13 | klee_make_symbolic(&x, sizeof(x), "x"); 14 | 15 | // CHECK: KLEE: ERROR: {{.*}}runtime/Sanitizer/ubsan/ubsan_handlers.cpp:{{[0-9]+}}: integer division overflow 16 | result = x / 0; 17 | return 0; 18 | } 19 | -------------------------------------------------------------------------------- /test/UBSan/ubsan_null.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -fsanitize=null -emit-llvm -g %O0opt -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --emit-all-errors --ubsan-runtime %t.bc 2>&1 | FileCheck %s 4 | // RUN: ls %t.klee-out/ | grep .ktest | wc -l | grep 2 5 | // RUN: ls %t.klee-out/ | grep .ptr.err | wc -l | grep 1 6 | 7 | #include "klee/klee.h" 8 | 9 | int main() { 10 | _Bool null; 11 | volatile int result; 12 | 13 | klee_make_symbolic(&null, sizeof(null), "null"); 14 | 15 | int local = 0; 16 | int *arg = null ? 0x0 : &local; 17 | 18 | // CHECK: KLEE: ERROR: {{.*}}runtime/Sanitizer/ubsan/ubsan_handlers.cpp:{{[0-9]+}}: null-pointer-use 19 | result = *arg; 20 | return 0; 21 | } 22 | -------------------------------------------------------------------------------- /test/UBSan/ubsan_return.cpp: -------------------------------------------------------------------------------- 1 | // RUN: %clangxx %s -fsanitize=return -emit-llvm -g %O0opt -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --emit-all-errors --ubsan-runtime %t.bc 2>&1 | FileCheck %s 4 | // RUN: ls %t.klee-out/ | grep .ktest | wc -l | grep 1 5 | // RUN: ls %t.klee-out/ | grep .missing_return.err | wc -l | grep 1 6 | 7 | #include "klee/klee.h" 8 | 9 | int no_return() { 10 | // CHECK: KLEE: ERROR: {{.*}}runtime/Sanitizer/ubsan/ubsan_handlers.cpp:{{[0-9]+}}: missing-return 11 | } 12 | 13 | int main() { 14 | volatile int result = no_return(); 15 | return 0; 16 | } 17 | -------------------------------------------------------------------------------- /test/UBSan/ubsan_unreachable.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -fsanitize=unreachable -emit-llvm -g %O0opt -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --emit-all-errors --ubsan-runtime %t.bc 2>&1 | FileCheck %s 4 | // RUN: ls %t.klee-out/ | grep .ktest | wc -l | grep 1 5 | // RUN: ls %t.klee-out/ | grep .unreachable_call.err | wc -l | grep 1 6 | 7 | #include "klee/klee.h" 8 | 9 | void _Noreturn f() { 10 | // CHECK: KLEE: ERROR: {{.*}}runtime/Sanitizer/ubsan/ubsan_handlers.cpp:{{[0-9]+}}: unreachable-call 11 | __builtin_unreachable(); 12 | } 13 | 14 | int main() { 15 | f(); 16 | 17 | return 0; 18 | } 19 | -------------------------------------------------------------------------------- /test/UBSan/ubsan_vla_bound.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -fsanitize=vla-bound -emit-llvm -g %O0opt -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --emit-all-errors --ubsan-runtime %t.bc 2>&1 | FileCheck %s 4 | // RUN: ls %t.klee-out/ | grep .ktest | wc -l | grep 3 5 | // RUN: ls %t.klee-out/ | grep .ptr.err | wc -l | grep 1 6 | // RUN: ls %t.klee-out/ | grep .model.err | wc -l | grep 1 7 | 8 | #include "klee/klee.h" 9 | 10 | int main() { 11 | int x; 12 | volatile int result; 13 | 14 | x = klee_range(-10, 10, "x"); 15 | 16 | // CHECK: KLEE: ERROR: {{.*}}runtime/Sanitizer/ubsan/ubsan_handlers.cpp:{{[0-9]+}}: non-positive-vla-index 17 | int arr[x]; 18 | result = arr[0]; 19 | return 0; 20 | } 21 | -------------------------------------------------------------------------------- /test/VectorInstructions/memset.c: -------------------------------------------------------------------------------- 1 | // RUN: rm -rf %t.klee-out 2 | // RUN: %clang %s -emit-llvm %O0opt -g -c -o %t1.bc 3 | // RUN: %klee --output-dir=%t.klee-out --optimize=true --exit-on-error %t1.bc 4 | 5 | #include 6 | 7 | int main(int argc, char **argv) { 8 | char arr[1000]; 9 | memset(arr, 1, sizeof(arr)); 10 | return arr[argc]; 11 | } 12 | -------------------------------------------------------------------------------- /test/regression/2007-07-25-invalid-stp-array-binding-to-objectstate.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | 5 | #include "klee/klee.h" 6 | #include 7 | 8 | int main(void) { 9 | char c[2]; 10 | 11 | klee_make_symbolic(&c, sizeof(c), "c"); 12 | 13 | if (c[0] > 10) { 14 | int x; 15 | 16 | c[1] = 1; // copy object state 17 | 18 | assert(c[0] > 10); 19 | } 20 | 21 | return 0; 22 | } 23 | -------------------------------------------------------------------------------- /test/regression/2007-07-30-unflushed-byte.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | #include "klee/klee.h" 5 | #include 6 | 7 | int main() { 8 | char i, x[3]; 9 | 10 | klee_make_symbolic(&i, sizeof i, "i"); 11 | 12 | x[0] = i; 13 | 14 | // DEMAND FAILED:Memory.cpp:read8:199: is false: "unflushed byte without cache value" 15 | char y = x[1]; 16 | 17 | return 0; 18 | } 19 | -------------------------------------------------------------------------------- /test/regression/2007-08-01-cache-unclear-on-overwrite-flushed.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | 5 | #include "klee/klee.h" 6 | #include 7 | #include 8 | 9 | int main() { 10 | unsigned char x; 11 | 12 | klee_make_symbolic(&x, sizeof x, "x"); 13 | if (x >= 2) 14 | klee_silent_exit(0); 15 | 16 | char delete[2] = {0, 1}; 17 | 18 | char tmp = delete[x]; 19 | char tmp2 = delete[0]; 20 | delete[x] = tmp2; 21 | 22 | if (x == 1) { 23 | assert(delete[1] == 0); 24 | return 0; 25 | } 26 | 27 | return 0; 28 | } 29 | -------------------------------------------------------------------------------- /test/regression/2007-08-06-64bit-shift.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | 5 | #include "klee/klee.h" 6 | #include 7 | 8 | int main() { 9 | int d; 10 | 11 | klee_make_symbolic(&d, sizeof(d), "d"); 12 | 13 | int l = d - 1; 14 | unsigned long long m = ((unsigned long long)l << 32) / d; 15 | if (d == 2) { 16 | assert(m == 2147483648u); 17 | } 18 | 19 | klee_silent_exit(0); 20 | 21 | return 0; 22 | } 23 | -------------------------------------------------------------------------------- /test/regression/2007-08-06-access-after-free.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | 5 | #include "klee/klee.h" 6 | #include 7 | #include 8 | 9 | int main() { 10 | int a; 11 | unsigned char *p = malloc(4); 12 | 13 | klee_make_symbolic(&a, sizeof a, "a"); 14 | klee_make_symbolic(p, sizeof p, "p"); 15 | 16 | p[0] |= 16; 17 | 18 | if (a) { 19 | free(p); 20 | 21 | // this should give an error instead of 22 | // pulling the state from the parent, where 23 | // it is not free 24 | assert(p[0] > 10); 25 | 26 | return 0; 27 | } 28 | 29 | assert(p[0] > 10); 30 | 31 | return 0; 32 | } 33 | -------------------------------------------------------------------------------- /test/regression/2007-08-08-free-zero.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | // RUN: ls %t.klee-out | not grep *.err 5 | 6 | #include 7 | 8 | int main() { 9 | free(0); 10 | return 0; 11 | } 12 | -------------------------------------------------------------------------------- /test/regression/2007-10-11-free-of-alloca.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -g -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 2>&1 | FileCheck %s 4 | // RUN: test -f %t.klee-out/test000001.free.err 5 | #include 6 | int main() { 7 | int buf[4]; 8 | // CHECK: 2007-10-11-free-of-alloca.c:9: free of alloca 9 | free(buf); // this should give runtime error, not crash 10 | return 0; 11 | } 12 | -------------------------------------------------------------------------------- /test/regression/2008-03-04-free-of-global.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -g -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 2>&1 | FileCheck %s 4 | // RUN: test -f %t.klee-out/test000001.free.err 5 | 6 | #include 7 | int buf[4]; 8 | 9 | int main() { 10 | // CHECK: 2008-03-04-free-of-global.c:[[@LINE+1]]: free of global 11 | free(buf); // this should give runtime error, not crash 12 | return 0; 13 | } 14 | -------------------------------------------------------------------------------- /test/regression/2008-03-11-free-of-malloc-zero.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc 4 | #include "klee/klee.h" 5 | #include 6 | 7 | int main() { 8 | // concrete case 9 | void *p = malloc(0); 10 | free(p); 11 | 12 | p = malloc(0); 13 | void *arr[4] = {p, 0, 0, 0}; 14 | 15 | // symbolic case 16 | free(arr[klee_range(0, 4, "range")]); 17 | } 18 | -------------------------------------------------------------------------------- /test/regression/2008-04-10-bad-alloca-free.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc 4 | 5 | #include "klee/klee.h" 6 | void f(int *addr) { 7 | klee_make_symbolic(addr, sizeof *addr, "moo"); 8 | } 9 | 10 | int main() { 11 | int x; 12 | f(&x); 13 | return x; 14 | } 15 | -------------------------------------------------------------------------------- /test/regression/2008-05-23-gep-with-global-const.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang -emit-llvm %O0opt -c -o %t.bc %s 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t.bc 4 | 5 | #include 6 | 7 | int a; 8 | 9 | int main() { 10 | void *p1 = &((char *)0)[(long)&a]; 11 | void *p2 = &a; 12 | 13 | assert(p1 == p2); 14 | 15 | return 0; 16 | } 17 | -------------------------------------------------------------------------------- /test/regression/2014-12-08-ashr.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -g %O0opt -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out -exit-on-error %t.bc 4 | 5 | #include "klee/klee.h" 6 | 7 | #include 8 | 9 | int f1(int a, int b) { 10 | return a + b; 11 | } 12 | 13 | int f2(int a, int b) { 14 | int i; 15 | for (i = 0; i < sizeof(b) * 8; i++) 16 | a += (((b >> i) & 1) << i); 17 | 18 | return a; 19 | } 20 | 21 | int main(int argc, char **argv) { 22 | int a, b; 23 | klee_make_symbolic(&a, sizeof(a), "a"); 24 | klee_make_symbolic(&b, sizeof(b), "b"); 25 | 26 | klee_assert(f1(a, b) == f2(a, b)); 27 | 28 | return 0; 29 | } 30 | -------------------------------------------------------------------------------- /test/regression/2015-06-22-struct-write.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -g %O0opt -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out -exit-on-error %t.bc 4 | 5 | #include "klee/klee.h" 6 | 7 | #include 8 | 9 | union U0 { 10 | signed f3 : 18; 11 | }; 12 | 13 | static union U0 u = {0UL}; 14 | 15 | int main(int argc, char **argv) { 16 | u.f3 = 534; 17 | 18 | klee_assert(u.f3 == 534); 19 | 20 | return 0; 21 | } 22 | -------------------------------------------------------------------------------- /test/regression/2015-08-30-empty-constraints.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -g %O0opt -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t.bc 2> %t.log 4 | // RUN: FileCheck -input-file=%t.log %s 5 | 6 | /** 7 | * This test generates one execution state without constraints. 8 | * 9 | * The state gets terminated (in this case return) and initial values 10 | * are generated. 11 | * Make sure we are able to generate an input. 12 | */ 13 | #include "klee/klee.h" 14 | 15 | int main() { 16 | int d; 17 | 18 | klee_make_symbolic(&d, sizeof(d), "d"); 19 | 20 | // CHECK-NOT: unable to compute initial values (invalid constraints?)! 21 | if ((d & 2) / 4) 22 | return 1; 23 | return 0; 24 | } 25 | -------------------------------------------------------------------------------- /test/regression/2016-04-14-sdiv-2.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -g %O0opt -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out -exit-on-error -solver-optimize-divides=true %t.bc >%t1.log 4 | // RUN: grep "m is 2" %t1.log 5 | #include 6 | #include 7 | 8 | #include "klee/klee.h" 9 | 10 | int main(void) { 11 | int n, m; 12 | klee_make_symbolic(&n, sizeof n, "n"); 13 | klee_assume(n < -1); 14 | 15 | if (n / 2 > 0) 16 | assert(0); 17 | 18 | klee_make_symbolic(&m, sizeof m, "m"); 19 | klee_assume(m > 0); 20 | 21 | if (m / 2 == 2) 22 | printf("m is 2\n"); 23 | 24 | return 0; 25 | } 26 | -------------------------------------------------------------------------------- /test/regression/2016-06-28-div-zero-bug.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -g %O0opt -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --use-cex-cache=false %t.bc >%t1.log 4 | 5 | // This bug is triggered when using STP up to an including 2.1.0 6 | // See https://github.com/klee/klee/issues/308 7 | // and https://github.com/stp/stp/issues/206 8 | 9 | #include "klee/klee.h" 10 | 11 | int b, a, g; 12 | 13 | int *c = &b, *d = &b, *f = &a; 14 | 15 | int safe_div(short p1, int p2) { 16 | return p2 == 0 ? p1 : p2; 17 | } 18 | 19 | int main() { 20 | klee_make_symbolic(&b, sizeof b, "b"); 21 | if (safe_div(*c, 0)) 22 | *f = (int)&b % *c; 23 | 24 | safe_div(a && g, *d); 25 | } 26 | -------------------------------------------------------------------------------- /test/regression/2016-08-06-klee-get-obj-size.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -g %O0opt -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t.bc 4 | // RUN: test -f %t.klee-out/test000001.assert.err 5 | 6 | #include "klee/klee.h" 7 | 8 | #include 9 | 10 | int main() { 11 | char s[5]; 12 | assert(5 != klee_get_obj_size(s)); 13 | return 0; 14 | } 15 | -------------------------------------------------------------------------------- /test/regression/2016-08-11-entry-point-internalize-pass.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -g %O0opt -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --entry-points=entry %t.bc 4 | 5 | int entry() { 6 | return 0; 7 | } 8 | -------------------------------------------------------------------------------- /test/regression/2016-08-12-empty-file.c: -------------------------------------------------------------------------------- 1 | // REQUIRES: posix-runtime 2 | // RUN: %clang %s -emit-llvm -g %O0opt -c -o %t.bc 3 | // RUN: rm -rf %t.klee-out 4 | // RUN: not %klee --output-dir=%t.klee-out %t.bc >%t1.log 2>&1 5 | // RUN: FileCheck -input-file=%t1.log -check-prefix=CHECK-MAIN-NOT-FOUND %s 6 | // RUN: rm -rf %t.klee-out 7 | // RUN: rm -rf %t1.log 8 | // RUN: not %klee --output-dir=%t.klee-out --posix-runtime %t.bc >%t1.log 2>&1 9 | // RUN: FileCheck -input-file=%t1.log -check-prefix=CHECK-MAIN-NOT-FOUND %s 10 | 11 | // CHECK-MAIN-NOT-FOUND: Entry function 'main' not found in module. 12 | -------------------------------------------------------------------------------- /test/regression/2016-12-14-alloc-alignment.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -Wall -emit-llvm -g %O0opt -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t.bc 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | // Global should be aligned on a 128-byte boundary 10 | int foo __attribute__((aligned(128))); 11 | 12 | int main() { 13 | int bar __attribute__((aligned(256))); 14 | 15 | // Check alignment of global 16 | assert(((size_t)&foo) % 128 == 0); 17 | 18 | // Check alignment of local 19 | assert(((size_t)&bar) % 256 == 0); 20 | return 0; 21 | } 22 | -------------------------------------------------------------------------------- /test/regression/2017-11-01-test-with-empty-varname.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | // RUN: FileCheck %s --input-file=%t.klee-out/warnings.txt 5 | #include "klee/klee.h" 6 | 7 | int main() { 8 | unsigned a; 9 | 10 | klee_make_symbolic(&a, sizeof(a), ""); 11 | // CHECK-NOT: KLEE: WARNING: unable to write output test case, losing it 12 | } 13 | -------------------------------------------------------------------------------- /test/regression/2018-04-05-make-symbolic-null-name.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | 5 | #include "klee/klee.h" 6 | 7 | int main(int argc, char *argv[]) { 8 | int a = klee_int((void *)0); 9 | } 10 | -------------------------------------------------------------------------------- /test/regression/2018-05-05-number-instructions-dumped-states.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee -max-instructions=1 --output-dir=%t.klee-out %t1.bc 2>&1 | FileCheck %s 4 | 5 | // CHECK: KLEE: done: total instructions = 1 6 | 7 | #include "klee/klee.h" 8 | 9 | int main(int argc, char *argv[]) {} 10 | -------------------------------------------------------------------------------- /test/regression/2018-05-17-replay-short-names.c: -------------------------------------------------------------------------------- 1 | // RUN: rm -rf a 2 | // RUN: mkdir a 3 | // RUN: touch a/b 4 | // RUN: %clang %s -emit-llvm %O0opt -g -c -o %t1.bc 5 | // RUN: rm -rf %t.klee-out 6 | // RUN: %klee -replay-ktest-dir=a --output-dir=%t.klee-out %t1.bc 2>&1 7 | // 8 | 9 | #include "klee/klee.h" 10 | 11 | int main(int argc, char *argv[]) {} 12 | -------------------------------------------------------------------------------- /test/regression/2018-10-01-double-segfault.c: -------------------------------------------------------------------------------- 1 | // REQUIRES: not-asan 2 | // RUN: %clang %s -emit-llvm %O0opt -g -c -o %t.bc 3 | // RUN: rm -rf %t.klee-out 4 | // RUN: %klee -output-dir=%t.klee-out %t.bc 2>&1 | FileCheck %s 5 | // CHECK: failed external call: strdup 6 | // CHECK: failed external call: strdup 7 | 8 | // objective: check handling of more than one failing external call 9 | 10 | #include "klee/klee.h" 11 | 12 | #include 13 | #include 14 | 15 | int main(int argc, char *argv[]) { 16 | bool b; 17 | klee_make_symbolic(&b, sizeof(bool), "b"); 18 | 19 | char *s0; 20 | if (b) { 21 | s0 = strdup((char *)0xdeadbeef); 22 | } else { 23 | s0 = strdup((void *)0xdeafbee5); 24 | } 25 | (void)s0; 26 | } 27 | -------------------------------------------------------------------------------- /test/regression/2018-10-28-alias-to-alias.ll: -------------------------------------------------------------------------------- 1 | ; RUN: rm -rf %t.klee-out 2 | ; RUN: %llvmas -f %s -o - | %klee --output-dir=%t.klee-out 3 | target datalayout = "e-p:64:64:64-i1:8:8-i8:8:8-i16:16:16-i32:32:32-i64:64:64-f32:32:32-f64:64:64-v64:64:64-v128:128:128-a0:0:64-s0:64:64-f80:128:128-n8:16:32:64-S128" 4 | target triple = "x86_64-unknown-linux-gnu" 5 | 6 | ; @foo is not known yet 7 | @foo2 = alias i32 (...), i32 (...)* @foo 8 | @foo = alias i32 (...), bitcast (i32 ()* @__foo to i32 (...)*) 9 | 10 | define i32 @__foo() { 11 | entry: 12 | ret i32 42 13 | } 14 | 15 | define i32 @main() { 16 | entry: 17 | call i32 (...) @foo() 18 | call i32 (...) @foo2() 19 | ret i32 0 20 | } 21 | -------------------------------------------------------------------------------- /test/regression/2019-05-31_simple-unknown-bitcast-alias.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %llvmas %s -o=%t.bc 2 | ; RUN: rm -rf %t.klee-out 3 | ; RUN: %klee -output-source -output-dir=%t.klee-out %t.bc 4 | 5 | ; bitcast of @foo2, which is not known yet 6 | @foo3 = alias i16 (...), bitcast (i32 (...)* @foo2 to i16 (...)*) 7 | ; @foo is not known yet 8 | @foo2 = alias i32 (...), i32 (...)* @foo 9 | @foo = alias i32 (...), bitcast (i32 ()* @__foo to i32 (...)*) 10 | 11 | define i32 @__foo() { 12 | entry: 13 | ret i32 42 14 | } 15 | 16 | define i32 @main() { 17 | entry: 18 | call i32 (...) @foo() 19 | call i32 (...) @foo2() 20 | call i16 (...) @foo3() 21 | ret i32 0 22 | } 23 | -------------------------------------------------------------------------------- /test/regression/2019-09-06-make-const-symbolic.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -g -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee -output-dir=%t.klee-out %t.bc 2>&1 | FileCheck %s 4 | #include "klee/klee.h" 5 | 6 | const int c = 23; 7 | int main(int argc, char **argv) { 8 | klee_make_symbolic(&c, sizeof(c), "c"); 9 | // CHECK: cannot make readonly object symbolic 10 | 11 | if (c > 20) 12 | return 0; 13 | else 14 | return 1; 15 | } 16 | -------------------------------------------------------------------------------- /test/regression/2020-01-14-fabs-compare.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -g -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --exit-on-error --output-dir=%t.klee-out %t.bc 4 | 5 | #include 6 | #include 7 | 8 | int main(void) { 9 | long double a = 0.25; 10 | long double b = -a; 11 | 12 | long double b_abs = fabsl(b); 13 | 14 | assert(a == b_abs); 15 | return 0; 16 | } 17 | -------------------------------------------------------------------------------- /test/regression/2020-02-24-count-paths-nodump.c: -------------------------------------------------------------------------------- 1 | // ASAN fails because KLEE does not cleanup states with -dump-states-on-halt=none 2 | // REQUIRES: not-asan 3 | // RUN: %clang %s -emit-llvm %O0opt -g -c -o %t.bc 4 | // RUN: rm -rf %t.klee-out 5 | // RUN: %klee -dump-states-on-halt=none -max-instructions=1 -output-dir=%t.klee-out %t.bc 2>&1 | FileCheck %s 6 | 7 | int main(int argc, char **argv) { 8 | // just do something 9 | int i = 42; 10 | ++i; 11 | } 12 | 13 | // CHECK: KLEE: done: completed paths = 0 14 | // CHECK: KLEE: done: partially completed paths = 1 -------------------------------------------------------------------------------- /test/regression/2020-04-11-batching-search-zero-time-budget.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -g -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --use-batching-search --batch-time=0 --batch-instructions=1 %t.bc 2>&1 | FileCheck %s 4 | 5 | #include 6 | 7 | #include "klee/klee.h" 8 | 9 | int main(void) { 10 | for (int i = 0; i < 10; ++i) { 11 | struct timespec ts = {.tv_sec = 0, .tv_nsec = 10000000}; // 10 ms 12 | nanosleep(&ts, NULL); 13 | } 14 | // CHECK-NOT: increased time budget 15 | return 0; 16 | } 17 | -------------------------------------------------------------------------------- /test/regression/2020-04-27-stp-array-names.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang -std=c89 %s -emit-llvm %O0opt -g -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee -output-dir=%t.klee-out --search=bfs --max-instructions=1000 %t.bc 4 | b; 5 | a(c) { 6 | if (!c) 7 | abort(); 8 | } 9 | main() { 10 | int e; 11 | short d; 12 | klee_make_symbolic(&d, sizeof(d), "__sym___VERIFIER_nondet_short"); 13 | b = d; 14 | a(b > 0); 15 | int f[b]; 16 | int g[b]; 17 | for (;;) { 18 | short d; 19 | klee_make_symbolic(&d, sizeof(d), "__sym___VERIFIER_nondet_short"); 20 | a(d >= 0 && d < b); 21 | f[d]; 22 | g[b - 1 - d]; 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /test/regression/2022-06-15-concretization-effects.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -g -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --external-calls=all --exit-on-error --output-dir=%t.klee-out %t.bc > %t.output.log 2>&1 4 | #include "klee/klee.h" 5 | 6 | #include 7 | #include 8 | 9 | int main() { 10 | 11 | int x; 12 | klee_make_symbolic(&x, sizeof(x), "x"); 13 | 14 | if (x >= 0) { 15 | int y = abs(x); 16 | assert(x == y); 17 | } 18 | 19 | return 0; 20 | } 21 | -------------------------------------------------------------------------------- /test/regression/2022-06-28-asm-causes-error.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -g -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --external-calls=none --output-dir=%t.klee-out %t1.bc 2>&1 | FileCheck %s 4 | 5 | int main(int argc, char *argv[]) { 6 | // CHECK: 2022-06-28-asm-causes-error.c:[[@LINE+1]]: external calls disallowed (in particular inline asm) 7 | __asm__ __volatile__("movl %eax, %eax"); 8 | return 0; 9 | } 10 | -------------------------------------------------------------------------------- /test/regression/2023-10-13-uninitialized-memory.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -g -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --use-sym-size-alloc --skip-not-symbolic-objects --use-merged-pointer-dereference=true %t.bc 2>&1 | FileCheck %s 4 | #include "klee/klee.h" 5 | 6 | #include 7 | #include 8 | #include 9 | 10 | int main() { 11 | char *s1 = (char *)malloc(1); 12 | char *s2 = (char *)malloc(1); 13 | if (s1[0] == s2[0]) { 14 | printf("1) eq\n"); 15 | } else { 16 | printf("1) not eq\n"); 17 | } 18 | 19 | // CHECK-DAG: 1) eq 20 | // CHECK-DAG: 1) not eq 21 | } 22 | -------------------------------------------------------------------------------- /test/regression/2024-07-08-call-to-raise.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -g -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --mock-policy=all --external-calls=all %t.bc 2>&1 | FileCheck %s 4 | 5 | #include "klee/klee.h" 6 | #include 7 | 8 | int main() { 9 | int n; 10 | klee_make_symbolic(&n, sizeof(n), "n"); 11 | 12 | if (n) { 13 | // CHECK: Call to "raise" is unmodelled 14 | raise(5); 15 | } 16 | // CHECK: KLEE: done: completed paths = 1 17 | } 18 | -------------------------------------------------------------------------------- /test/regression/2024-07-08-division-in-select.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -g -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t.bc 2>&1 | FileCheck %s 4 | 5 | #include "klee/klee.h" 6 | 7 | int main() { 8 | int n, m; 9 | klee_make_symbolic(&n, sizeof(n), "n"); 10 | klee_make_symbolic(&m, sizeof(m), "m"); 11 | 12 | int z = (n ? 1 : 0) / (m ? 1 : 0); 13 | (void)z; 14 | } 15 | // CHECK: KLEE: done 16 | -------------------------------------------------------------------------------- /test/regression/lit.local.cfg: -------------------------------------------------------------------------------- 1 | # Look for .kquery files too 2 | config.suffixes.add('.kquery') 3 | -------------------------------------------------------------------------------- /tools/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | add_subdirectory(ktest-gen) 10 | add_subdirectory(ktest-randgen) 11 | add_subdirectory(kleaver) 12 | add_subdirectory(klee) 13 | add_subdirectory(klee-replay) 14 | add_subdirectory(klee-stats) 15 | add_subdirectory(klee-zesti) 16 | add_subdirectory(ktest-tool) 17 | -------------------------------------------------------------------------------- /tools/klee-replay/fd_init.c: -------------------------------------------------------------------------------- 1 | #include "../../runtime/POSIX/fd_init.c" 2 | -------------------------------------------------------------------------------- /tools/klee-replay/klee_init_env.c: -------------------------------------------------------------------------------- 1 | #define _LARGEFILE64_SOURCE 2 | #include "../../runtime/POSIX/klee_init_env.c" 3 | 4 | int __klee_posix_wrapped_main(__attribute__((unused)) int argc, 5 | __attribute__((unused)) char **argv, 6 | __attribute__((unused)) char **envp) { 7 | return 0; 8 | } 9 | -------------------------------------------------------------------------------- /tools/klee-stats/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | install(PROGRAMS klee-stats DESTINATION bin) 10 | 11 | # Copy into the build directory's binary directory 12 | # so system tests can find it 13 | configure_file(klee-stats "${CMAKE_RUNTIME_OUTPUT_DIRECTORY}/klee-stats" COPYONLY) 14 | -------------------------------------------------------------------------------- /tools/klee-zesti/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | install(PROGRAMS klee-zesti DESTINATION bin) 10 | 11 | # Copy into the build directory's binary directory 12 | # so system tests can find it 13 | configure_file(klee-zesti "${CMAKE_RUNTIME_OUTPUT_DIRECTORY}/klee-zesti" COPYONLY) 14 | -------------------------------------------------------------------------------- /tools/ktest-gen/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | add_executable(ktest-gen 10 | ktest-gen.cpp 11 | ) 12 | 13 | set(KLEE_LIBS kleeBasic) 14 | 15 | target_link_libraries(ktest-gen ${KLEE_LIBS}) 16 | target_include_directories(ktest-gen PRIVATE ${KLEE_INCLUDE_DIRS}) 17 | 18 | install(TARGETS ktest-gen RUNTIME DESTINATION bin) 19 | -------------------------------------------------------------------------------- /tools/ktest-randgen/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | add_executable(ktest-randgen 10 | ktest-randgen.cpp 11 | ) 12 | 13 | set(KLEE_LIBS kleeBasic) 14 | 15 | target_link_libraries(ktest-randgen ${KLEE_LIBS}) 16 | target_include_directories(ktest-randgen PRIVATE ${KLEE_INCLUDE_DIRS}) 17 | 18 | install(TARGETS ktest-randgen RUNTIME DESTINATION bin) 19 | -------------------------------------------------------------------------------- /tools/ktest-tool/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | install(PROGRAMS ktest-tool DESTINATION bin) 10 | 11 | # Copy into the build directory's binary directory 12 | # so system tests can find it 13 | configure_file(ktest-tool "${CMAKE_RUNTIME_OUTPUT_DIRECTORY}/ktest-tool" COPYONLY) 14 | -------------------------------------------------------------------------------- /unittests/Annotations/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | add_klee_unit_test(AnnotationsTest 2 | AnnotationsTest.cpp) 3 | target_link_libraries(AnnotationsTest PRIVATE kleaverExpr kleaverSolver) 4 | -------------------------------------------------------------------------------- /unittests/Assignment/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | add_klee_unit_test(AssignmentTest 2 | AssignmentTest.cpp) 3 | target_link_libraries(AssignmentTest PRIVATE kleaverExpr kleaverSolver) 4 | target_compile_options(AssignmentTest PRIVATE ${KLEE_COMPONENT_CXX_FLAGS}) 5 | target_compile_definitions(AssignmentTest PRIVATE ${KLEE_COMPONENT_CXX_DEFINES}) 6 | 7 | target_include_directories(AssignmentTest PRIVATE ${KLEE_INCLUDE_DIRS}) 8 | -------------------------------------------------------------------------------- /unittests/DiscretePDF/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | add_klee_unit_test(DiscretePDFTest 2 | DiscretePDFTest.cpp) 3 | # FIXME add the following line to link against libgtest.a 4 | target_link_libraries(DiscretePDFTest PRIVATE kleaverSolver) 5 | target_compile_options(DiscretePDFTest PRIVATE ${KLEE_COMPONENT_CXX_FLAGS}) 6 | target_compile_definitions(DiscretePDFTest PRIVATE ${KLEE_COMPONENT_CXX_DEFINES}) 7 | 8 | target_include_directories(DiscretePDFTest PRIVATE ${KLEE_INCLUDE_DIRS}) 9 | -------------------------------------------------------------------------------- /unittests/Expr/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | add_klee_unit_test(ExprTest 2 | ExprTest.cpp 3 | ArrayExprTest.cpp) 4 | target_link_libraries(ExprTest PRIVATE kleaverExpr kleeSupport kleaverSolver) 5 | target_compile_options(ExprTest PRIVATE ${KLEE_COMPONENT_CXX_FLAGS}) 6 | target_compile_definitions(ExprTest PRIVATE ${KLEE_COMPONENT_CXX_DEFINES}) 7 | 8 | target_include_directories(ExprTest PRIVATE ${KLEE_INCLUDE_DIRS}) 9 | 10 | -------------------------------------------------------------------------------- /unittests/RNG/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | add_klee_unit_test(RNGTest 2 | RNGTest.cpp) 3 | target_link_libraries(RNGTest PRIVATE kleeSupport) 4 | target_compile_options(RNGTest PRIVATE ${KLEE_COMPONENT_CXX_FLAGS}) 5 | target_compile_definitions(RNGTest PRIVATE ${KLEE_COMPONENT_CXX_DEFINES}) 6 | 7 | target_include_directories(RNGTest PRIVATE ${KLEE_INCLUDE_DIRS}) 8 | -------------------------------------------------------------------------------- /unittests/Ref/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | add_klee_unit_test(RefTest 2 | RefTest.cpp) 3 | target_link_libraries(RefTest PRIVATE kleaverExpr) 4 | target_compile_options(RefTest PRIVATE ${KLEE_COMPONENT_CXX_FLAGS} "-Wno-self-assign-overloaded" "-Wno-self-move") 5 | target_compile_definitions(RefTest PRIVATE ${KLEE_COMPONENT_CXX_DEFINES}) 6 | 7 | target_include_directories(RefTest PRIVATE ${KLEE_INCLUDE_DIRS}) 8 | -------------------------------------------------------------------------------- /unittests/Searcher/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | add_klee_unit_test(SearcherTest 2 | SearcherTest.cpp) 3 | target_link_libraries(SearcherTest PRIVATE kleeCore ${SQLite3_LIBRARIES}) 4 | target_include_directories(SearcherTest BEFORE PRIVATE "${CMAKE_SOURCE_DIR}/lib") 5 | target_compile_options(SearcherTest PRIVATE ${KLEE_COMPONENT_CXX_FLAGS}) 6 | target_compile_definitions(SearcherTest PRIVATE ${KLEE_COMPONENT_CXX_DEFINES}) 7 | 8 | target_include_directories(SearcherTest SYSTEM PRIVATE ${SQLite3_INCLUDE_DIRS}) 9 | target_include_directories(SearcherTest PRIVATE ${KLEE_INCLUDE_DIRS}) 10 | -------------------------------------------------------------------------------- /unittests/Storage/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | add_klee_unit_test(StorageTest 2 | StorageTest.cpp) 3 | target_link_libraries(StorageTest PRIVATE kleaverExpr kleaverSolver) 4 | target_compile_options(StorageTest PRIVATE ${KLEE_COMPONENT_CXX_FLAGS}) 5 | target_compile_definitions(StorageTest PRIVATE ${KLEE_COMPONENT_CXX_DEFINES}) 6 | 7 | target_include_directories(StorageTest PRIVATE ${KLEE_INCLUDE_DIRS}) 8 | -------------------------------------------------------------------------------- /unittests/TestMain.cpp: -------------------------------------------------------------------------------- 1 | //===--- unittests/TestMain.cpp - unittest driver -------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #include "llvm/ADT/StringRef.h" 11 | #include "llvm/Support/Signals.h" 12 | 13 | #include "gtest/gtest.h" 14 | 15 | int main(int argc, char **argv) { 16 | llvm::sys::PrintStackTraceOnErrorSignal(argv[0], true); 17 | testing::InitGoogleTest(&argc, argv); 18 | return RUN_ALL_TESTS(); 19 | } 20 | -------------------------------------------------------------------------------- /unittests/Time/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | add_klee_unit_test(TimeTest 2 | TimeTest.cpp) 3 | target_link_libraries(TimeTest PRIVATE kleeSupport) 4 | target_compile_options(TimeTest PRIVATE ${KLEE_COMPONENT_CXX_FLAGS}) 5 | target_compile_definitions(TimeTest PRIVATE ${KLEE_COMPONENT_CXX_DEFINES}) 6 | target_include_directories(TimeTest PRIVATE ${KLEE_INCLUDE_DIRS}) 7 | -------------------------------------------------------------------------------- /unittests/TreeStream/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | add_klee_unit_test(TreeStreamTest 2 | TreeStreamTest.cpp) 3 | target_link_libraries(TreeStreamTest PRIVATE kleeBasic kleeSupport) 4 | target_compile_options(TreeStreamTest PRIVATE ${KLEE_COMPONENT_CXX_FLAGS}) 5 | target_compile_definitions(TreeStreamTest PRIVATE ${KLEE_COMPONENT_CXX_DEFINES}) 6 | target_include_directories(TreeStreamTest PRIVATE ${KLEE_INCLUDE_DIRS}) 7 | -------------------------------------------------------------------------------- /unittests/lit-unit-tests-common.cfg: -------------------------------------------------------------------------------- 1 | # Configuration file for the 'lit' test runner. 2 | 3 | import os 4 | 5 | import lit.formats 6 | 7 | # suffixes: A list of file extensions to treat as test files. 8 | config.suffixes = [] 9 | 10 | # testFormat: The test format to use to interpret tests. 11 | config.test_format = lit.formats.GoogleTest('.', config.unit_test_exe_suffix) 12 | -------------------------------------------------------------------------------- /unittests/lit-unit-tests-common.site.cfg.in: -------------------------------------------------------------------------------- 1 | import sys 2 | import os 3 | 4 | ## @AUTO_GEN_MSG@ 5 | config.name = 'KLEE Unit tests' 6 | config.unit_test_exe_suffix = "@UNIT_TEST_EXE_SUFFIX@" 7 | 8 | # Let the main config do the real work. 9 | lit_config.load_config(config, "@CMAKE_SOURCE_DIR@/unittests/lit-unit-tests-common.cfg") 10 | config.environment['LSAN_OPTIONS'] = "suppressions=@KLEE_UTILS_DIR@/sanitizers/lsan.txt" 11 | config.environment['UBSAN_OPTIONS'] = "print_stacktrace=1,suppressions=@KLEE_UTILS_DIR@/sanitizers/ubsan.txt" 12 | -------------------------------------------------------------------------------- /utils/grafana/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM grafana/grafana 2 | 3 | RUN grafana-cli plugins install grafana-simple-json-datasource 4 | 5 | COPY grafana.ini /etc/grafana/grafana.ini 6 | COPY dashboard.yml /etc/grafana/provisioning/dashboards/dashboard.yml 7 | COPY datasource.yml /etc/grafana/provisioning/datasources/datasource.yml 8 | COPY klee_dashboard.json /var/lib/grafana/dashboards/klee.json 9 | 10 | ENTRYPOINT ["/run.sh"] 11 | -------------------------------------------------------------------------------- /utils/grafana/dashboard.yml: -------------------------------------------------------------------------------- 1 | apiVersion: 1 2 | 3 | providers: 4 | # an unique provider name 5 | - name: 'klee' 6 | # name of the dashboard folder. Required 7 | folder: '' 8 | # provider type. Required 9 | type: file 10 | # enable dashboard editing 11 | editable: true 12 | options: 13 | # path to dashboard files on disk. Required 14 | path: /var/lib/grafana/dashboards 15 | -------------------------------------------------------------------------------- /utils/grafana/datasource.yml: -------------------------------------------------------------------------------- 1 | # config file version 2 | apiVersion: 1 3 | 4 | datasources: 5 | # name of the datasource. Required 6 | - name: KLEE Stats 7 | # datasource type. Required 8 | type: grafana-simple-json-datasource 9 | # access mode. proxy or direct (Server or Browser in the UI). Required 10 | access: proxy 11 | # url 12 | url: http://localhost:5000 13 | # mark as default datasource. Max one per org 14 | isDefault: true 15 | # allow users to edit datasources from the UI. 16 | editable: true 17 | -------------------------------------------------------------------------------- /utils/grafana/grafana.ini: -------------------------------------------------------------------------------- 1 | [auth.anonymous] 2 | enabled = true 3 | org_role = Admin 4 | -------------------------------------------------------------------------------- /utils/grafana/upload.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | docker build -t klee/grafana . 4 | docker push klee/grafana 5 | -------------------------------------------------------------------------------- /utils/hacks/TreeGraphs/Graphics/Geometry/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UnitTestBot/klee/8098ea85f7ca8818f9043672cac6251e2d46dddd/utils/hacks/TreeGraphs/Graphics/Geometry/__init__.py -------------------------------------------------------------------------------- /utils/hacks/TreeGraphs/Graphics/__init__.py: -------------------------------------------------------------------------------- 1 | __all__= ['Formats', 'SubSurf', 'Geometry', 'AqsisInterface', 'TwoD', 'ThreeD', 'Apps'] 2 | -------------------------------------------------------------------------------- /utils/hacks/TreeGraphs/README.txt: -------------------------------------------------------------------------------- 1 | A little hack which converts KLEE treestream's of path branch information into 2 | images/animations. It is not particularly fast nor is the code very 3 | elegant. It's a hack, after all! 4 | 5 | There are a couple example input streams in inputs/. You can generate a single 6 | image frame with, e.g.:: 7 | 8 | $ ./TreeGraph.py --count=500 inputs/symPaths6.ts t.pdf 9 | 10 | which will generate an image of the first 500 paths that were explored. 11 | 12 | 13 | You can generate a sequence of frames from a file using:: 14 | 15 | $ ./Animate.py --start=10 --end=2000 inputs/symPaths6.ts anim-01 16 | 17 | which will generate a sequence of .pdf frames in anim-01. 18 | -------------------------------------------------------------------------------- /utils/hacks/TreeGraphs/inputs/symPaths.ts: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UnitTestBot/klee/8098ea85f7ca8818f9043672cac6251e2d46dddd/utils/hacks/TreeGraphs/inputs/symPaths.ts -------------------------------------------------------------------------------- /utils/hacks/TreeGraphs/inputs/symPaths6.ts: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UnitTestBot/klee/8098ea85f7ca8818f9043672cac6251e2d46dddd/utils/hacks/TreeGraphs/inputs/symPaths6.ts -------------------------------------------------------------------------------- /utils/sanitizers/lsan.txt: -------------------------------------------------------------------------------- 1 | # This file tells the LeakSanitizer (LSan)component of the AddressSanitizer (-fsanitizer=address) 2 | # to ignore certain leaks at runtime. To tell LSan about these set the environment variable 3 | # LSAN_OPTIONS=suppressions=/path/to/this/file and then run the sanitized build of KLEE. 4 | # 5 | # Ideally we shouldn't need to suppress anything but currently KLEE seems to be leaking 6 | # The suppressions below are what's needed for ``make unittests`` and ``make check`` to not 7 | # fail due to leaks. 8 | 9 | # Ignore tcmalloc 10 | leak:src/malloc_extension.cc 11 | # Memory leak from klee_replay 12 | leak:klee-replay.c 13 | -------------------------------------------------------------------------------- /utils/sanitizers/ubsan.txt: -------------------------------------------------------------------------------- 1 | # Runtime suppression of undefined behavior 2 | # 3 | vptr_check:Module.h 4 | vptr:gtest.cc 5 | vptr:gtest.h 6 | vptr:gtest-death-test.cc 7 | vptr:gtest-matchers.h 8 | vptr:shared_ptr_base.h 9 | shift-base:constantbv.cpp 10 | -------------------------------------------------------------------------------- /utils/valgrind/README.txt: -------------------------------------------------------------------------------- 1 | A few valgrind suppression files for known leaks. The LLVM ones may be 2 | fixed by now. 3 | -------------------------------------------------------------------------------- /utils/valgrind/valgrind-llvm.supp: -------------------------------------------------------------------------------- 1 | { 2 | LLVM:Tmp1 3 | Memcheck:Leak 4 | fun:_vgrZU_libstdcZpZpZa__Znwj 5 | fun:_ZN4llvm* 6 | } 7 | { 8 | LLVM:Tmp2 9 | Memcheck:Leak 10 | fun:_vgrZU_libcZdsoZa_malloc 11 | fun:_ZN4llvm* 12 | } 13 | { 14 | LLVM:Tmp3 15 | Memcheck:Leak 16 | fun:*nwj* 17 | fun:*llvm* 18 | } 19 | { 20 | LLVM:Tmp4 21 | Memcheck:Leak 22 | fun:malloc 23 | fun:*llvm* 24 | } 25 | -------------------------------------------------------------------------------- /utils/valgrind/valgrind-stp.supp: -------------------------------------------------------------------------------- 1 | { 2 | STP:BeevMgr 3 | Memcheck:Leak 4 | fun:_vgrZU_libstdcZpZpZa__Znwj 5 | fun:_ZN4BEEV7BeevMgr* 6 | } 7 | { 8 | STP:BeevMgr:strdup 9 | Memcheck:Leak 10 | fun:_vgrZU_libcZdsoZa_malloc 11 | fun:strdup 12 | fun:_ZN4BEEV7BeevMgr* 13 | } 14 | { 15 | STP:c_interface 16 | Memcheck:Leak 17 | fun:_vgrZU_libstdcZpZpZa__Znwj 18 | fun:vc_* 19 | } 20 | { 21 | STP:BeevMgr:vector 22 | Memcheck:Leak 23 | fun:_vgrZU_libstdcZpZpZa__Znwj 24 | fun:_ZNSt6vector* 25 | fun:_ZN4BEEV7BeevMgr* 26 | } 27 | { 28 | LLVM:Tmp1 29 | Memcheck:Leak 30 | fun:_vgrZU_libstdcZpZpZa__Znwj 31 | fun:_ZN4llvm* 32 | } 33 | --------------------------------------------------------------------------------