├── klee ├── lib │ ├── Core │ │ ├── ExecutorTimers.cpp │ │ ├── UserSearcher.h │ │ └── ObjectHolder.h │ ├── Support │ │ ├── README.txt │ │ └── CMakeLists.txt │ ├── Basic │ │ ├── README.txt │ │ └── CMakeLists.txt │ ├── CMakeLists.txt │ ├── README.txt │ ├── Module │ │ └── KInstruction.cpp │ ├── Expr │ │ └── CMakeLists.txt │ └── Solver │ │ └── MetaSMTSolver.h ├── test │ ├── README │ ├── .clang-format │ ├── Solver │ │ ├── lit.local.cfg │ │ ├── FastCexSolver.kquery │ │ ├── AShr_to_smtlib.kquery.good.smt2 │ │ ├── overshift-left-by-constant.kquery │ │ ├── overshift-lright-by-constant.kquery │ │ ├── overshift-aright-by-constant.kquery │ │ ├── STPDumpDebugQueries.c │ │ ├── LargeIntegers.kquery │ │ ├── overshift-left-by-symbolic.kquery │ │ ├── overshift-lright-by-symbolic.kquery │ │ ├── AShr_to_smtlib.kquery │ │ └── overshift-aright-by-symbolic.kquery │ ├── regression │ │ ├── lit.local.cfg │ │ ├── 2016-08-11-entry-point-internalize-pass.c │ │ ├── 2012-05-13-asm-causes-aborts.c │ │ ├── 2018-04-05-make-symbolic-null-name.c │ │ ├── 2007-08-08-free-zero.c │ │ ├── 2008-04-10-bad-alloca-free.c │ │ ├── 2018-05-17-replay-short-names.c │ │ ├── 2018-05-05-number-instructions-dumped-states.c │ │ ├── 2008-05-23-gep-with-global-const.c │ │ ├── 2016-08-06-klee-get-obj-size.c │ │ ├── 2017-11-01-test-with-empty-varname.c │ │ ├── 2007-10-11-free-of-alloca.c │ │ ├── 2008-03-04-free-of-global.c │ │ ├── 2008-03-11-free-of-malloc-zero.c │ │ ├── 2019-09-06-make-const-symbolic.c │ │ ├── 2015-06-22-struct-write.c │ │ ├── 2007-07-25-invalid-stp-array-binding-to-objectstate.c │ │ ├── 2007-07-30-unflushed-byte.c │ │ ├── 2007-08-06-64bit-shift.c │ │ ├── 2016-08-12-empty-file.c │ │ ├── 2007-08-01-cache-unclear-on-overwrite-flushed.c │ │ ├── 2016-12-14-alloc-alignment.c │ │ ├── 2016-04-14-sdiv-2.c │ │ ├── 2018-10-28-alias-to-alias.ll │ │ ├── 2014-12-08-ashr.c │ │ ├── 2016-06-28-div-zero-bug.c │ │ ├── 2007-08-06-access-after-free.c │ │ ├── 2015-08-30-empty-constraints.c │ │ ├── 2017-02-21-pathOS-id.c │ │ ├── 2016-03-22-independence-solver-missing-objects-for-assignment.kquery │ │ ├── 2015-08-30-sdiv-1.c │ │ ├── 2018-10-01-double-segfault.c │ │ ├── 2007-08-16-valid-write-to-freed-object.c │ │ ├── 2007-10-12-failed-make-symbolic-after-copy.c │ │ ├── 2007-10-11-illegal-access-after-free-and-branch.c │ │ ├── 2019-08-01-trap-instruction.ll │ │ ├── 2014-07-04-unflushed-error-report.c │ │ ├── 2015-08-05-invalid-fork.c │ │ ├── 2007-08-01-bool-zext-in-call.ll │ │ └── 2007-08-16-invalid-constant-value.c │ ├── Expr │ │ ├── Evaluate2.kquery │ │ ├── Parser │ │ │ ├── Concat64.kquery │ │ │ ├── TypeChecking.kquery │ │ │ └── MultiByteReads.kquery │ │ └── Evaluate.kquery │ ├── Runtime │ │ ├── Uclibc │ │ │ ├── lit.local.cfg │ │ │ ├── 2008-03-04-libc-atexit-uses-dso-handle.c │ │ │ ├── Environ.c │ │ │ └── 2007-10-08-optimization-calls-wrong-libc-functions.c │ │ ├── POSIX │ │ │ ├── SELinux │ │ │ │ ├── lit.local.cfg │ │ │ │ └── SELinux.c │ │ │ ├── lit.local.cfg │ │ │ ├── CanonicalizeFileName.c │ │ │ ├── Fcntl.c │ │ │ ├── Openat.c │ │ │ ├── Getenv.c │ │ │ ├── Write2.c │ │ │ ├── Write1.c │ │ │ ├── MixedConcreteSymbolic.c │ │ │ ├── FilePerm.c │ │ │ ├── FDNumbers.c │ │ │ ├── FD_Fail.c │ │ │ ├── FreeArgv.c │ │ │ ├── PrgName.c │ │ │ ├── TestMain.c │ │ │ ├── Envp.c │ │ │ ├── Ioctl.c │ │ │ └── Read1.c │ │ └── FreeStanding │ │ │ └── freestanding_only.c │ ├── Coverage │ │ ├── ReadArgs.c │ │ └── ReplayOutDir.c │ ├── Concrete │ │ ├── GlobalVariable.ll │ │ ├── UnconditionalBranch.ll │ │ ├── OneCall.ll │ │ ├── README.txt │ │ ├── ackermann.c │ │ ├── BoolReadWrite.ll │ │ ├── UnconditionalBranchWithSimplePhi.ll │ │ ├── CmpEq.ll │ │ ├── UnorderedPhiNodes.ll │ │ ├── OverlappingPhiNodes.ll │ │ ├── BitwiseOps.ll │ │ ├── Select.ll │ │ ├── SimpleStoreAndLoad.ll │ │ ├── GlobalUndef.ll │ │ ├── Shifts.ll │ │ ├── CMakeLists.txt │ │ └── Casts.ll │ ├── Feature │ │ ├── NonSizedGlobals.c │ │ ├── EntryPoint.c │ │ ├── ExternalWeakLinkage.c │ │ ├── ExitOnErrorType.c │ │ ├── DoubleFree.c │ │ ├── CallToUndefinedExternal.cpp │ │ ├── IndirectCallToExternal.c │ │ ├── Memalign.c │ │ ├── OneFreeError.c │ │ ├── DefineFixedObject.c │ │ ├── IndirectCallToBuiltin.c │ │ ├── OneOutOfBounds.c │ │ ├── ByteSwap.c │ │ ├── StackOverflow.c │ │ ├── DumpStatesOnHalt.c │ │ ├── IsSymbolic.c │ │ ├── NoExternalCallsAllowed.c │ │ ├── MakeSymbolicName.c │ │ ├── GetValue.c │ │ ├── FloatingPt.c │ │ ├── Realloc.c │ │ ├── Float.c │ │ ├── BFSSearcher.c │ │ ├── SolverTimeout.c │ │ ├── Envp.c │ │ ├── Optimize.c │ │ ├── WithLibc.c │ │ ├── DanglingConcreteReadExpr.c │ │ ├── OverlappedError.c │ │ ├── MakeConcreteSymbolic.c │ │ ├── PreferCex.c │ │ ├── CopyOnWrite.c │ │ ├── SetForking.c │ │ ├── CheckMemoryAccess.c │ │ ├── utils.h │ │ ├── CheckForImpliedValue.c.failing │ │ ├── LinkLLVMLib.c │ │ ├── InvalidBitfieldAccess.c.failing │ │ ├── Alias.c │ │ ├── ubsan_signed_overflow.c │ │ ├── FunctionAliasExit.c │ │ ├── ubsan_unsigned_overflow.c │ │ ├── KleeStats.c │ │ ├── AddressOfLabels.c │ │ ├── InAndOutOfBounds.c │ │ ├── KleeReportError.c │ │ ├── WriteCov.c │ │ ├── OvershiftCheck.c │ │ ├── ReplayPath.c │ │ ├── FunctionPointer.c │ │ ├── MultipleReadResolution.c │ │ ├── AddressOfLabelsSymbolic.c │ │ ├── MultipleWriteResolution.c │ │ └── LongDoubleSupport.c │ ├── ASan │ │ ├── global-oob.c │ │ ├── stack-oob.c │ │ ├── memory-leak.c │ │ ├── use-after-free.cpp │ │ ├── heap-oob.cpp │ │ ├── double-free.c │ │ ├── use-after-free.c │ │ └── heap-oob.c │ ├── UBSan │ │ ├── null.c │ │ ├── array_bounds.c │ │ ├── shift1.c │ │ ├── shift2.c │ │ ├── pointer_overflow2.c │ │ ├── pointer_overflow3.c │ │ ├── shift3.c │ │ ├── pointer_overflow1.c │ │ ├── pointer_overflow4.c │ │ ├── integer_overflow1.c │ │ └── integer_overflow2.c │ ├── CXX │ │ ├── Trivial.cpp │ │ ├── symex │ │ │ └── libc++ │ │ │ │ ├── cout.cpp │ │ │ │ ├── vector.cpp │ │ │ │ ├── cout_sym.cpp │ │ │ │ └── atexit.cpp │ │ ├── LandingPad.cpp │ │ ├── StaticConstructor.cpp │ │ ├── New.cpp │ │ ├── StaticDestructor.cpp │ │ ├── ArrayNew.cpp │ │ └── SimpleVirtual.cpp │ ├── Merging │ │ ├── state_termination.c │ │ ├── unexpected_close.c │ │ ├── indirect_value.c │ │ └── batching_break.c │ ├── VectorInstructions │ │ ├── extract_element_symbolic.c │ │ └── insert_element_symbolic.c │ ├── ArrayOpt │ │ └── test_hybrid.c │ ├── Intrinsics │ │ ├── IsConstant.ll │ │ └── IntrinsicTrap.ll │ └── Replay │ │ └── libkleeruntest │ │ ├── replay_simple.c │ │ └── replay_two_objects.c ├── utils │ ├── hacks │ │ └── TreeGraphs │ │ │ ├── Graphics │ │ │ ├── Geometry │ │ │ │ ├── __init__.py │ │ │ │ └── mat2.py │ │ │ └── __init__.py │ │ │ ├── inputs │ │ │ ├── symPaths.ts │ │ │ └── symPaths6.ts │ │ │ └── README.txt │ ├── sanitizers │ │ ├── ubsan.txt │ │ └── lsan.txt │ └── valgrind │ │ ├── README.txt │ │ ├── valgrind-llvm.supp │ │ └── valgrind-stp.supp ├── runtime │ ├── Intrinsic │ │ ├── dso_handle.c │ │ ├── Makefile.cmake.bitcode │ │ ├── klee_int.c │ │ ├── klee_div_zero_check.c │ │ ├── klee_choose.c │ │ └── klee_range.c │ ├── klee-libc │ │ ├── abort.c │ │ ├── strcmp.c │ │ ├── tolower.c │ │ ├── toupper.c │ │ ├── strlen.c │ │ ├── strcpy.c │ │ ├── strcoll.c │ │ ├── atexit.c │ │ ├── bcmp.c │ │ ├── mempcpy.c │ │ ├── putchar.c │ │ ├── strrchr.c │ │ ├── Makefile.cmake.bitcode │ │ └── strchr.c │ ├── POSIX │ │ └── Makefile.cmake.bitcode │ ├── FreeStanding │ │ ├── memset.c │ │ ├── Makefile.cmake.bitcode │ │ ├── memcpy.c │ │ └── memmove.c │ ├── Makefile.cmake.bitcode │ └── Runtest │ │ └── CMakeLists.txt ├── tools │ ├── klee-replay │ │ ├── fd_init.c │ │ ├── klee_init_env.c │ │ ├── CMakeLists.txt │ │ └── klee-replay.h │ ├── converter │ │ └── CMakeLists.txt │ ├── gen-bout │ │ └── CMakeLists.txt │ ├── kleaver │ │ └── CMakeLists.txt │ ├── klee-stats │ │ └── CMakeLists.txt │ ├── ktest-tool │ │ └── CMakeLists.txt │ ├── gen-random-bout │ │ └── CMakeLists.txt │ ├── CMakeLists.txt │ └── klee │ │ └── CMakeLists.txt ├── scripts │ ├── build │ │ ├── v-sqlite.inc │ │ ├── v-tcmalloc.inc │ │ ├── p-stp-osx.inc │ │ ├── p-klee-osx.inc │ │ ├── v-gtest.inc │ │ ├── p-gtest-osx.inc │ │ ├── v-z3.inc │ │ ├── v-metasmt.inc │ │ ├── p-libcxx-osx.inc │ │ ├── v-libcxx.inc │ │ ├── v-stp.inc │ │ ├── p-gtest-linux-ubuntu-16.04.inc │ │ ├── p-tcmalloc-linux-ubuntu-16.04.inc │ │ ├── p-z3-osx.inc │ │ ├── v-clang.inc │ │ ├── p-sqlite-osx.inc │ │ ├── v-uclibc.inc │ │ ├── p-z3-linux-ubuntu-16.04.inc │ │ ├── p-uclibc-linux-ubuntu-16.04.inc │ │ ├── p-stp-linux-ubuntu-16.04.inc │ │ ├── p-libcxx-linux-ubuntu-16.04.inc │ │ ├── patches │ │ │ └── llvm50.patch │ │ ├── p-metasmt-linux-ubuntu-16.04.inc │ │ ├── p-klee-linux-ubuntu-16.04.inc │ │ ├── v-sanitizer_compiler.inc │ │ ├── p-sqlite-linux-ubuntu-16.04.inc │ │ ├── p-llvm-osx.inc │ │ ├── p-clang-osx.inc │ │ ├── v-llvm.inc │ │ ├── common-functions │ │ ├── p-gtest.inc │ │ └── p-clang-linux.inc │ └── genTempFiles.sh ├── unittests │ ├── Ref │ │ └── CMakeLists.txt │ ├── Expr │ │ └── CMakeLists.txt │ ├── Time │ │ └── CMakeLists.txt │ ├── Solver │ │ └── CMakeLists.txt │ ├── Assignment │ │ └── CMakeLists.txt │ ├── TreeStream │ │ └── CMakeLists.txt │ ├── DiscretePDF │ │ └── CMakeLists.txt │ ├── lit-unit-tests-common.cfg │ ├── lit-unit-tests-common.site.cfg.in │ └── TestMain.cpp ├── include │ └── klee │ │ ├── Internal │ │ ├── README.txt │ │ ├── Module │ │ │ └── Cell.h │ │ ├── System │ │ │ └── MemoryUsage.h │ │ └── Support │ │ │ ├── PrintVersion.h │ │ │ ├── FileHandling.h │ │ │ └── Debug.h │ │ ├── Config │ │ ├── CompileTimeInfo.h.cmin │ │ └── Version.h │ │ └── OptionCategories.h ├── docs │ ├── intro │ └── SMT-COMP │ │ └── QF_AUFBV.smt ├── examples │ ├── get_sign │ │ └── get_sign.c │ └── regexp │ │ └── notes.txt └── cmake │ ├── string_to_list.cmake │ └── workaround_llvm_pr39177.ll └── learch ├── requirements.txt ├── train └── trained │ ├── feedforward_0.pt │ ├── feedforward_1.pt │ ├── feedforward_2.pt │ └── feedforward_3.pt ├── replay.sh ├── benchmarks ├── coreutils_train.txt └── coreutils_test.txt └── eval └── replay_tests.sh /klee/lib/Core/ExecutorTimers.cpp: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /klee/test/README: -------------------------------------------------------------------------------- 1 | about tests.... 2 | -------------------------------------------------------------------------------- /klee/utils/hacks/TreeGraphs/Graphics/Geometry/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /klee/runtime/Intrinsic/dso_handle.c: -------------------------------------------------------------------------------- 1 | void* __dso_handle = 0; 2 | -------------------------------------------------------------------------------- /klee/test/.clang-format: -------------------------------------------------------------------------------- 1 | BasedOnStyle: LLVM 2 | ColumnLimit: 0 3 | -------------------------------------------------------------------------------- /klee/tools/klee-replay/fd_init.c: -------------------------------------------------------------------------------- 1 | #include "../../runtime/POSIX/fd_init.c" 2 | -------------------------------------------------------------------------------- /klee/test/Solver/lit.local.cfg: -------------------------------------------------------------------------------- 1 | # Look for .kquery files too 2 | config.suffixes.add('.kquery') 3 | -------------------------------------------------------------------------------- /klee/test/regression/lit.local.cfg: -------------------------------------------------------------------------------- 1 | # Look for .kquery files too 2 | config.suffixes.add('.kquery') 3 | -------------------------------------------------------------------------------- /klee/utils/sanitizers/ubsan.txt: -------------------------------------------------------------------------------- 1 | # Runtime suppression of undefined behavior 2 | # 3 | vptr_check:Module.h 4 | -------------------------------------------------------------------------------- /learch/requirements.txt: -------------------------------------------------------------------------------- 1 | numpy 2 | torch==1.4.0 3 | tqdm 4 | scikit-learn==0.23.2 5 | pandas 6 | wllvm 7 | termcolor -------------------------------------------------------------------------------- /klee/utils/valgrind/README.txt: -------------------------------------------------------------------------------- 1 | A few valgrind suppression files for known leaks. The LLVM ones may be 2 | fixed by now. 3 | -------------------------------------------------------------------------------- /klee/scripts/build/v-sqlite.inc: -------------------------------------------------------------------------------- 1 | artifact_dependency_sqlite=("sanitizer_compiler") 2 | 3 | required_variables_sqlite=("") 4 | -------------------------------------------------------------------------------- /learch/train/trained/feedforward_0.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eth-sri/learch/HEAD/learch/train/trained/feedforward_0.pt -------------------------------------------------------------------------------- /learch/train/trained/feedforward_1.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eth-sri/learch/HEAD/learch/train/trained/feedforward_1.pt -------------------------------------------------------------------------------- /learch/train/trained/feedforward_2.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eth-sri/learch/HEAD/learch/train/trained/feedforward_2.pt -------------------------------------------------------------------------------- /learch/train/trained/feedforward_3.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eth-sri/learch/HEAD/learch/train/trained/feedforward_3.pt -------------------------------------------------------------------------------- /klee/lib/Support/README.txt: -------------------------------------------------------------------------------- 1 | This directory holds basic support facilities (data structures, 2 | utilities, etc.) used by klee. 3 | -------------------------------------------------------------------------------- /klee/scripts/build/v-tcmalloc.inc: -------------------------------------------------------------------------------- 1 | artifact_dependency_tcmalloc=("") 2 | 3 | required_variables_tcmalloc=( 4 | "TCMALLOC_VERSION" 5 | ) -------------------------------------------------------------------------------- /klee/unittests/Ref/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | add_klee_unit_test(RefTest 2 | RefTest.cpp) 3 | target_link_libraries(RefTest PRIVATE kleaverExpr) 4 | -------------------------------------------------------------------------------- /klee/unittests/Expr/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | add_klee_unit_test(ExprTest 2 | ExprTest.cpp) 3 | target_link_libraries(ExprTest PRIVATE kleaverExpr) 4 | -------------------------------------------------------------------------------- /klee/unittests/Time/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | add_klee_unit_test(TimeTest 2 | TimeTest.cpp) 3 | target_link_libraries(TimeTest PRIVATE kleeSupport) 4 | -------------------------------------------------------------------------------- /klee/utils/hacks/TreeGraphs/Graphics/__init__.py: -------------------------------------------------------------------------------- 1 | __all__= ['Formats', 'SubSurf', 'Geometry', 'AqsisInterface', 'TwoD', 'ThreeD', 'Apps'] 2 | -------------------------------------------------------------------------------- /klee/utils/hacks/TreeGraphs/inputs/symPaths.ts: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eth-sri/learch/HEAD/klee/utils/hacks/TreeGraphs/inputs/symPaths.ts -------------------------------------------------------------------------------- /klee/utils/hacks/TreeGraphs/inputs/symPaths6.ts: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eth-sri/learch/HEAD/klee/utils/hacks/TreeGraphs/inputs/symPaths6.ts -------------------------------------------------------------------------------- /klee/unittests/Solver/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | add_klee_unit_test(SolverTest 2 | SolverTest.cpp) 3 | target_link_libraries(SolverTest PRIVATE kleaverSolver) 4 | -------------------------------------------------------------------------------- /klee/unittests/Assignment/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | add_klee_unit_test(AssignmentTest 2 | AssignmentTest.cpp) 3 | target_link_libraries(AssignmentTest PRIVATE kleaverExpr) 4 | -------------------------------------------------------------------------------- /klee/scripts/build/p-stp-osx.inc: -------------------------------------------------------------------------------- 1 | install_build_dependencies_stp() { 2 | dependencies=( 3 | bison 4 | flex 5 | ) 6 | brew install "${dependencies[@]}" 7 | } 8 | -------------------------------------------------------------------------------- /klee/tools/klee-replay/klee_init_env.c: -------------------------------------------------------------------------------- 1 | #include "../../runtime/POSIX/klee_init_env.c" 2 | 3 | int __klee_posix_wrapped_main(int argc, char **argv, char **envp) { return 0; } 4 | -------------------------------------------------------------------------------- /klee/unittests/TreeStream/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | add_klee_unit_test(TreeStreamTest 2 | TreeStreamTest.cpp) 3 | target_link_libraries(TreeStreamTest PRIVATE kleeBasic kleeSupport) 4 | -------------------------------------------------------------------------------- /klee/scripts/build/p-klee-osx.inc: -------------------------------------------------------------------------------- 1 | # Build dependencies 2 | install_build_dependencies_klee() { 3 | brew upgrade python # upgrade to Python 3 4 | pip3 install lit tabulate 5 | } -------------------------------------------------------------------------------- /klee/scripts/build/v-gtest.inc: -------------------------------------------------------------------------------- 1 | # Build information for gtest 2 | required_variables_gtest=( 3 | "GTEST_VERSION" 4 | ) 5 | 6 | # Artifacts gtest depends on 7 | artifact_dependency_gtest=("") -------------------------------------------------------------------------------- /klee/include/klee/Internal/README.txt: -------------------------------------------------------------------------------- 1 | This directory holds header files for things which are exposed as part 2 | of the internal API of a library, but shouldn't be exposed to 3 | externally. 4 | -------------------------------------------------------------------------------- /klee/scripts/build/p-gtest-osx.inc: -------------------------------------------------------------------------------- 1 | install_build_dependencies_gtest() { 2 | # Install essential dependency 3 | # Ignore if already installed 4 | brew install wget || /usr/bin/true 5 | } 6 | -------------------------------------------------------------------------------- /klee/scripts/build/v-z3.inc: -------------------------------------------------------------------------------- 1 | # Build information for Z3 solver 2 | required_variables_z3=( 3 | "Z3_VERSION" 4 | ) 5 | 6 | # Artifacts Z3 depends on 7 | artifact_dependency_z3=("sanitizer_compiler") -------------------------------------------------------------------------------- /klee/scripts/build/v-metasmt.inc: -------------------------------------------------------------------------------- 1 | # Build information for metaSMT solver 2 | required_variables_metasmt=( 3 | "METASMT_VERSION" 4 | "METASMT_DEFAULT" 5 | ) 6 | 7 | artifact_dependency_metasmt=("") -------------------------------------------------------------------------------- /klee/test/Expr/Evaluate2.kquery: -------------------------------------------------------------------------------- 1 | # RUN: %kleaver -evaluate %s > %t.log 2 | 3 | # RUN: grep "Query 0: VALID" %t.log 4 | # XFAIL: * 5 | # see https://github.com/klee/klee/issues/97 6 | (query [false] false) 7 | -------------------------------------------------------------------------------- /klee/tools/converter/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | add_executable(converter 2 | converter.cpp 3 | ) 4 | 5 | target_link_libraries(converter PRIVATE kleeBasic) 6 | 7 | install(TARGETS converter RUNTIME DESTINATION bin) -------------------------------------------------------------------------------- /klee/scripts/build/p-libcxx-osx.inc: -------------------------------------------------------------------------------- 1 | # Build dependencies 2 | install_build_dependencies_libcxx() { 3 | set +e 4 | brew upgrade python # upgrade to Python 3 5 | set -e 6 | pip3 install wllvm 7 | } -------------------------------------------------------------------------------- /klee/scripts/build/v-libcxx.inc: -------------------------------------------------------------------------------- 1 | required_variables_libcxx=( 2 | "LLVM_VERSION" 3 | ) 4 | 5 | required_variables_check_libcxx() { 6 | return 0 7 | } 8 | 9 | artifact_dependency_libcxx(){ 10 | echo "clang" 11 | } 12 | -------------------------------------------------------------------------------- /klee/unittests/DiscretePDF/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | add_klee_unit_test(DiscretePDFTest 2 | DiscretePDFTest.cpp) 3 | # FIXME add the following line to link against libgtest.a 4 | target_link_libraries(DiscretePDFTest PRIVATE kleaverSolver) -------------------------------------------------------------------------------- /klee/lib/Basic/README.txt: -------------------------------------------------------------------------------- 1 | This directory holds the most basic support facilities provided for 2 | both the klee and kleaver libraries. The code in this directory should 3 | have no dependencies on LLVM or any other klee libraries. 4 | -------------------------------------------------------------------------------- /klee/test/Runtime/Uclibc/lit.local.cfg: -------------------------------------------------------------------------------- 1 | def getRoot(config): 2 | if not config.parent: 3 | return config 4 | return getRoot(config.parent) 5 | 6 | if not getRoot(config).enable_uclibc: 7 | config.unsupported = True 8 | -------------------------------------------------------------------------------- /klee/scripts/build/v-stp.inc: -------------------------------------------------------------------------------- 1 | # Build information for STP solver 2 | required_variables_stp=( 3 | "STP_VERSION" 4 | "MINISAT_VERSION" 5 | ) 6 | 7 | # On which artifacts does STP depend on 8 | artifact_dependency_stp=("sanitizer_compiler") -------------------------------------------------------------------------------- /klee/test/Runtime/POSIX/SELinux/lit.local.cfg: -------------------------------------------------------------------------------- 1 | def getRoot(config): 2 | if not config.parent: 3 | return config 4 | return getRoot(config.parent) 5 | 6 | if not getRoot(config).have_selinux: 7 | config.unsupported = True 8 | -------------------------------------------------------------------------------- /klee/test/Runtime/POSIX/lit.local.cfg: -------------------------------------------------------------------------------- 1 | def getRoot(config): 2 | if not config.parent: 3 | return config 4 | return getRoot(config.parent) 5 | 6 | if not getRoot(config).enable_posix_runtime: 7 | config.unsupported = True 8 | -------------------------------------------------------------------------------- /klee/test/regression/2016-08-11-entry-point-internalize-pass.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -g %O0opt -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --entry-point=entry %t.bc 4 | 5 | int entry() { 6 | return 0; 7 | } 8 | -------------------------------------------------------------------------------- /klee/test/Coverage/ReadArgs.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: echo " --output-dir=%t.klee-out " > %t1.args 4 | // RUN: %klee @%t1.args %t1.bc 5 | // RUN: test -d %t.klee-out 6 | 7 | int main() { 8 | return 0; 9 | } 10 | -------------------------------------------------------------------------------- /klee/test/Concrete/GlobalVariable.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | declare void @print_i32(i32) 4 | 5 | @anInt = global i32 1 6 | @aRef = global i32* @anInt 7 | 8 | define i32 @main() { 9 | call void @print_i32(i32 0) 10 | ret i32 0 11 | } 12 | -------------------------------------------------------------------------------- /klee/test/Concrete/UnconditionalBranch.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | declare void @print_i32(i32) 4 | 5 | define i32 @main() { 6 | entry: 7 | %a = add i32 0, 1 8 | br label %exit 9 | exit: 10 | call void @print_i32(i32 %a) 11 | ret i32 0 12 | } 13 | -------------------------------------------------------------------------------- /klee/test/Feature/NonSizedGlobals.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc 4 | 5 | struct X; 6 | extern struct X Y; 7 | void *ptr = &Y; 8 | 9 | int main() 10 | { 11 | return 0; 12 | } 13 | -------------------------------------------------------------------------------- /klee/test/regression/2012-05-13-asm-causes-aborts.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | 5 | int main(int argc, char *argv[]){ 6 | __asm__ __volatile__ ("movl %eax, %eax"); 7 | return 0; 8 | } 9 | 10 | -------------------------------------------------------------------------------- /klee/test/regression/2018-04-05-make-symbolic-null-name.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | 5 | #include "klee/klee.h" 6 | 7 | int main(int argc, char * argv[]) { 8 | int a = klee_int((void*)0); 9 | } 10 | -------------------------------------------------------------------------------- /klee/scripts/build/p-gtest-linux-ubuntu-16.04.inc: -------------------------------------------------------------------------------- 1 | install_build_dependencies_gtest() { 2 | apt update -y 3 | 4 | dependencies=( 5 | ca-certificates 6 | wget 7 | unzip 8 | ) 9 | 10 | #Install essential dependencies 11 | apt -y --no-install-recommends install "${dependencies[@]}" 12 | } -------------------------------------------------------------------------------- /klee/scripts/build/p-tcmalloc-linux-ubuntu-16.04.inc: -------------------------------------------------------------------------------- 1 | install_build_dependencies_tcmalloc() { 2 | apt update -y 3 | 4 | dependencies=( 5 | build-essential 6 | ca-certificates 7 | cmake 8 | git 9 | wget 10 | ) 11 | 12 | apt -y --no-install-recommends install "${dependencies[@]}" 13 | } -------------------------------------------------------------------------------- /klee/scripts/build/p-z3-osx.inc: -------------------------------------------------------------------------------- 1 | install_binary_artifact_z3 () { 2 | set +e 3 | brew install python@2 4 | if [[ "X$?" != "X0" ]]; then 5 | brew link --overwrite python@2 6 | fi 7 | set -e 8 | brew install z3 9 | } 10 | 11 | is_installed_z3() { 12 | [[ -f "/usr/local/opt/z3/bin/z3" ]] 13 | } -------------------------------------------------------------------------------- /klee/test/regression/2007-08-08-free-zero.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | // RUN: ls %t.klee-out | not grep *.err 5 | 6 | #include 7 | 8 | int main() { 9 | free(0); 10 | return 0; 11 | } 12 | -------------------------------------------------------------------------------- /klee/scripts/build/v-clang.inc: -------------------------------------------------------------------------------- 1 | required_variables_clang=( 2 | "LLVM_VERSION" 3 | ) 4 | 5 | artifact_dependency_clang=("sanitizer") 6 | 7 | setup_variables_clang() { 8 | LLVM_VERSION_SHORT="${LLVM_VERSION/./}" 9 | } 10 | 11 | export_variables_clang=( 12 | "LLVM_CONFIG" 13 | "BITCODE_CC" 14 | "BITCODE_CXX" 15 | ) -------------------------------------------------------------------------------- /klee/scripts/build/p-sqlite-osx.inc: -------------------------------------------------------------------------------- 1 | install_build_dependencies_sqlite() { 2 | return 0 3 | } 4 | install_binary_artifact_sqlite() { 5 | return 0 6 | } 7 | 8 | # Sqlite is installed by default on OSX 9 | is_installed_sqlite() { 10 | return 0 11 | } 12 | 13 | get_docker_config_id_sqlite() { 14 | return 0 15 | } 16 | -------------------------------------------------------------------------------- /klee/scripts/build/v-uclibc.inc: -------------------------------------------------------------------------------- 1 | required_variables_uclibc=( 2 | "UCLIBC_VERSION" 3 | "LLVM_VERSION" 4 | ) 5 | 6 | artifact_dependency_uclibc(){ 7 | # Add llvm if needed; otherwise only use clang package 8 | # TODO this is quite distribution specific; should be handled in a more general case 9 | echo "clang" 10 | } 11 | -------------------------------------------------------------------------------- /klee/test/ASan/global-oob.c: -------------------------------------------------------------------------------- 1 | // RUN: clang global-oob.c -fsanitize=address -emit-llvm -g -c -o global-oob-c.bc 2 | // RUN: rm -rf global-oob-c.klee-out 3 | // RUN: klee --output-dir=global-oob-c.klee-out global-oob-c.bc 4 | 5 | int global_array[100] = {-1}; 6 | int main(int argc, char **argv) { 7 | return global_array[argc + 100]; // BOOM 8 | } -------------------------------------------------------------------------------- /klee/test/Feature/EntryPoint.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang -emit-llvm -g -c %s -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --entry-point=other_main %t.bc > %t.log 4 | // RUN: grep "Hello World" %t.log 5 | 6 | #include 7 | 8 | int other_main() { 9 | printf("Hello World\n"); 10 | return 0; 11 | } 12 | -------------------------------------------------------------------------------- /klee/test/Feature/ExternalWeakLinkage.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc 4 | 5 | #include 6 | 7 | void __attribute__((weak)) IAmSoWeak(int); 8 | 9 | int main() { 10 | assert(IAmSoWeak==0); 11 | return 0; 12 | } 13 | -------------------------------------------------------------------------------- /klee/test/Concrete/OneCall.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | declare void @print_i32(i32) 4 | 5 | define i32 @sum(i32 %a, i32 %b) { 6 | %c = sub i32 %a, %b 7 | ret i32 %c 8 | } 9 | 10 | define i32 @main() { 11 | %a = call i32 @sum(i32 54, i32 2) 12 | call void @print_i32(i32 %a) 13 | ret i32 0 14 | } 15 | -------------------------------------------------------------------------------- /klee/test/ASan/stack-oob.c: -------------------------------------------------------------------------------- 1 | // RUN: clang stack-oob.c -fsanitize=address -emit-llvm -g -c -o stack-oob-c.bc 2 | // RUN: rm -rf stack-oob-c.klee-out 3 | // RUN: klee --output-dir=stack-oob-c.klee-out stack-oob-c.bc 4 | 5 | int main(int argc, char **argv) { 6 | int stack_array[100]; 7 | stack_array[1] = 0; 8 | return stack_array[argc + 100]; // BOOM 9 | } -------------------------------------------------------------------------------- /klee/test/regression/2008-04-10-bad-alloca-free.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc 4 | 5 | void f(int *addr) { 6 | klee_make_symbolic(addr, sizeof *addr, "moo"); 7 | } 8 | 9 | int main() { 10 | int x; 11 | f(&x); 12 | return x; 13 | } 14 | -------------------------------------------------------------------------------- /klee/test/Runtime/Uclibc/2008-03-04-libc-atexit-uses-dso-handle.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error --libc=uclibc %t1.bc 4 | 5 | // just make sure atexit works ok 6 | 7 | void boo() { 8 | } 9 | 10 | int main() { 11 | atexit(boo); 12 | return 0; 13 | } 14 | -------------------------------------------------------------------------------- /klee/test/regression/2018-05-17-replay-short-names.c: -------------------------------------------------------------------------------- 1 | // RUN: rm -rf a 2 | // RUN: mkdir a 3 | // RUN: touch a/b 4 | // RUN: %clang %s -emit-llvm %O0opt -g -c -o %t1.bc 5 | // RUN: rm -rf %t.klee-out 6 | // RUN: %klee -replay-ktest-dir=a --output-dir=%t.klee-out %t1.bc 2>&1 7 | // 8 | 9 | #include "klee/klee.h" 10 | 11 | int main(int argc, char * argv[]) {} 12 | -------------------------------------------------------------------------------- /klee/scripts/build/p-z3-linux-ubuntu-16.04.inc: -------------------------------------------------------------------------------- 1 | # Build dependencies Z3 2 | install_build_dependencies_z3() { 3 | apt update -y 4 | 5 | dependencies=( 6 | build-essential 7 | 8 | python 9 | git 10 | wget 11 | ca-certificates 12 | ) 13 | 14 | #Install essential dependencies 15 | apt -y --no-install-recommends install "${dependencies[@]}" 16 | } -------------------------------------------------------------------------------- /klee/test/regression/2018-05-05-number-instructions-dumped-states.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee -max-instructions=1 --output-dir=%t.klee-out %t1.bc 2>&1 | FileCheck %s 4 | 5 | // CHECK: KLEE: done: total instructions = 1 6 | 7 | #include "klee/klee.h" 8 | 9 | int main(int argc, char * argv[]) {} 10 | -------------------------------------------------------------------------------- /klee/test/ASan/memory-leak.c: -------------------------------------------------------------------------------- 1 | // RUN: clang memory-leak.c -fsanitize=address -emit-llvm -g -c -o memory-leak-c.bc 2 | // RUN: rm -rf memory-leak-c.klee-out 3 | // RUN: klee --output-dir=memory-leak-c.klee-out memory-leak-c.bc 4 | 5 | #include 6 | 7 | void *p; 8 | 9 | int main() { 10 | p = malloc(7); 11 | p = 0; // The memory is leaked here. 12 | return 0; 13 | } -------------------------------------------------------------------------------- /klee/test/ASan/use-after-free.cpp: -------------------------------------------------------------------------------- 1 | // RUN: clang use-after-free.c -fsanitize=address -emit-llvm -g -c -o use-after-free-cpp.bc 2 | // RUN: rm -rf use-after-free-cpp.klee-out 3 | // RUN: klee --output-dir=use-after-free-cpp.klee-out use-after-free-cpp.bc 4 | 5 | int main(int argc, char **argv) { 6 | int *array = new int[100]; 7 | delete [] array; 8 | return array[argc]; // BOOM 9 | } -------------------------------------------------------------------------------- /klee/test/Coverage/ReplayOutDir.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t1.out %t1.replay 3 | // RUN: %klee --output-dir=%t1.out %t1.bc 4 | // RUN: %klee --output-dir=%t1.replay --replay-ktest-dir=%t1.out %t1.bc 5 | 6 | int main() { 7 | int i; 8 | klee_make_symbolic(&i, sizeof i, "i"); 9 | klee_print_range("i", i); 10 | return 0; 11 | } 12 | -------------------------------------------------------------------------------- /klee/test/Solver/FastCexSolver.kquery: -------------------------------------------------------------------------------- 1 | # RUN: %kleaver --use-fast-cex-solver --solver-backend=dummy %s > %t 2 | # RUN: not grep FAIL %t 3 | 4 | array arr1[4] : w32 -> w8 = symbolic 5 | (query [] (Not (Eq 4096 (ReadLSB w32 0 arr1)))) 6 | 7 | array A-data[2] : w32 -> w8 = symbolic 8 | (query [(Ule (Add w8 208 N0:(Read w8 0 A-data)) 9 | 9)] 10 | (Eq 52 N0)) 11 | -------------------------------------------------------------------------------- /klee/docs/intro: -------------------------------------------------------------------------------- 1 | /// @mainpage KLEE 2 | /// 3 | /// @section main_intro Introduction 4 | /// Welcome to KLEE. KLEE is a symbolic execution engine that works on LLVM 5 | /// bitcode. 6 | /// 7 | /// @section Documentation 8 | /// The documentation of KLEE is composed of the Doxygen documentation 9 | /// of the code as well as the following documents: 10 | /// - @subpage overview 11 | -------------------------------------------------------------------------------- /klee/test/Concrete/README.txt: -------------------------------------------------------------------------------- 1 | This directory contains tests which exist just to test the execution of Concrete 2 | code paths -- essentially, that we correctly implement the semantics of the LLVM 3 | IR language. The tests are run using a helper script ``ConcreteTest.py`` which 4 | builds the test bitcode, executes it using both ``lli`` and ``klee``, and checks 5 | that they got the same output. -------------------------------------------------------------------------------- /klee/test/Feature/ExitOnErrorType.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -g -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out -exit-on-error-type Assert %t1.bc 2>&1 4 | 5 | #include "klee/klee.h" 6 | 7 | #include 8 | 9 | int main() { 10 | assert(klee_int("assert")); 11 | 12 | while (1) { 13 | } 14 | 15 | return 0; 16 | } 17 | -------------------------------------------------------------------------------- /klee/unittests/lit-unit-tests-common.cfg: -------------------------------------------------------------------------------- 1 | # Configuration file for the 'lit' test runner. 2 | 3 | import os 4 | 5 | import lit.formats 6 | 7 | # suffixes: A list of file extensions to treat as test files. 8 | config.suffixes = [] 9 | 10 | # testFormat: The test format to use to interpret tests. 11 | config.test_format = lit.formats.GoogleTest('.', config.unit_test_exe_suffix) 12 | -------------------------------------------------------------------------------- /klee/test/Feature/DoubleFree.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 2>&1 | FileCheck %s 4 | // RUN: test -f %t.klee-out/test000001.ptr.err 5 | 6 | int main() { 7 | int *x = malloc(4); 8 | free(x); 9 | // CHECK: memory error: invalid pointer: free 10 | free(x); 11 | return 0; 12 | } 13 | -------------------------------------------------------------------------------- /klee/test/Runtime/Uclibc/Environ.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --libc=uclibc --exit-on-error %t1.bc 4 | 5 | #include 6 | #include 7 | #include 8 | 9 | int main() { 10 | printf("HOME: %s\n", getenv("HOME")); 11 | assert(getenv("HOME") != 0); 12 | return 0; 13 | } 14 | -------------------------------------------------------------------------------- /klee/test/regression/2008-05-23-gep-with-global-const.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang -emit-llvm %O0opt -c -o %t.bc %s 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t.bc 4 | 5 | #include 6 | 7 | int a; 8 | 9 | int main() { 10 | void *p1 = &((char*) 0)[(long) &a]; 11 | void *p2 = &a; 12 | 13 | assert(p1 == p2); 14 | 15 | return 0; 16 | } 17 | -------------------------------------------------------------------------------- /klee/test/Concrete/ackermann.c: -------------------------------------------------------------------------------- 1 | // RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | #include 4 | 5 | int ackermann(int m, int n) { 6 | if (m == 0) 7 | return n+1; 8 | else 9 | return ackermann(m-1, (n==0) ? 1 : ackermann(m, n-1)); 10 | } 11 | 12 | int main() { 13 | printf("ackerman(%d, %d) = %d\n", 2, 2, ackermann(2, 2)); 14 | 15 | return 0; 16 | } 17 | -------------------------------------------------------------------------------- /klee/test/Feature/CallToUndefinedExternal.cpp: -------------------------------------------------------------------------------- 1 | // RUN: %clangxx %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 2>&1 | FileCheck %s 4 | // RUN: test -f %t.klee-out/test000001.external.err 5 | 6 | extern "C" void poof(void); 7 | 8 | int main() { 9 | // CHECK: failed external call: poof 10 | poof(); 11 | 12 | return 0; 13 | } 14 | -------------------------------------------------------------------------------- /klee/test/ASan/heap-oob.cpp: -------------------------------------------------------------------------------- 1 | // RUN: clang heap-oob.cpp -fsanitize=address -emit-llvm -g -c -o heap-oob-cpp.bc 2 | // RUN: rm -rf heap-oob-cpp.klee-out 3 | // RUN: klee --output-dir=heap-oob-cpp.klee-out heap-oob-cpp.bc 4 | 5 | int main(int argc, char **argv) { 6 | int *array = new int[100]; 7 | array[0] = 0; 8 | int res = array[argc + 100]; // BOOM 9 | delete [] array; 10 | return res; 11 | } -------------------------------------------------------------------------------- /klee/test/Concrete/BoolReadWrite.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | declare void @print_i1(i1) 4 | 5 | define i32 @main() { 6 | %mem = alloca i1 7 | store i1 1, i1* %mem 8 | %v = load i1, i1* %mem 9 | br i1 %v, label %ok, label %exit 10 | ok: 11 | call void @print_i1(i1 %v) 12 | br label %exit 13 | exit: 14 | ret i32 0 15 | } 16 | -------------------------------------------------------------------------------- /klee/test/Concrete/UnconditionalBranchWithSimplePhi.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | declare void @print_i32(i32) 4 | 5 | define i32 @main() { 6 | entry: 7 | %a = add i32 0, 1 8 | br label %exit 9 | unused: 10 | %b = add i32 1, 2 11 | br label %exit 12 | exit: 13 | %c = phi i32 [%a, %entry], [%b, %unused] 14 | call void @print_i32(i32 %c) 15 | ret i32 0 16 | } 17 | -------------------------------------------------------------------------------- /klee/test/regression/2016-08-06-klee-get-obj-size.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -g %O0opt -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t.bc 4 | // RUN: test -f %t.klee-out/test000001.assert.err 5 | 6 | #include "klee/klee.h" 7 | 8 | #include 9 | 10 | int main() { 11 | char s[5]; 12 | assert(5 != klee_get_obj_size(s)); 13 | return 0; 14 | } 15 | -------------------------------------------------------------------------------- /klee/examples/get_sign/get_sign.c: -------------------------------------------------------------------------------- 1 | /* 2 | * First KLEE tutorial: testing a small function 3 | */ 4 | 5 | #include "klee/klee.h" 6 | 7 | int get_sign(int x) { 8 | if (x == 0) 9 | return 0; 10 | 11 | if (x < 0) 12 | return -1; 13 | else 14 | return 1; 15 | } 16 | 17 | int main() { 18 | int a; 19 | klee_make_symbolic(&a, sizeof(a), "a"); 20 | return get_sign(a); 21 | } 22 | -------------------------------------------------------------------------------- /klee/test/ASan/double-free.c: -------------------------------------------------------------------------------- 1 | // RUN: clang double-free.c -fsanitize=address -emit-llvm -g -c -o double-free-c.bc 2 | // RUN: rm -rf double-free-c.klee-out 3 | // RUN: klee --output-dir=double-free-c.klee-out double-free-c.bc 4 | 5 | #include 6 | 7 | int main(int argc, char **argv) { 8 | int *array = malloc(100 * sizeof(int)); 9 | free(array); 10 | free(array); // BOOM 11 | return 0; 12 | } -------------------------------------------------------------------------------- /klee/test/Feature/IndirectCallToExternal.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | 5 | #include 6 | #include 7 | #include 8 | #include 9 | 10 | int main() { 11 | int (*scmp)(char*,char*) = strcmp; 12 | 13 | assert(scmp("hello","hi") < 0); 14 | 15 | return 0; 16 | } 17 | -------------------------------------------------------------------------------- /klee/scripts/build/p-uclibc-linux-ubuntu-16.04.inc: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Build dependencies 3 | install_build_dependencies_uclibc() { 4 | apt update -y 5 | 6 | dependencies=( 7 | build-essential 8 | ca-certificates 9 | git 10 | python 11 | libncurses5-dev 12 | wget 13 | ) 14 | 15 | #Install essential dependencies 16 | apt -y --no-install-recommends install "${dependencies[@]}" 17 | } -------------------------------------------------------------------------------- /klee/test/Concrete/CmpEq.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | declare void @print_i32(i32) 4 | 5 | define i32 @main() { 6 | %a = add i8 0, 1 7 | %b = add i8 %a, -1 8 | %c = icmp eq i8 %b, 0 9 | br i1 %c, label %exitTrue, label %exitFalse 10 | exitTrue: 11 | call void @print_i32(i32 1) 12 | ret i32 0 13 | exitFalse: 14 | call void @print_i32(i32 0) 15 | ret i32 0 16 | } 17 | -------------------------------------------------------------------------------- /klee/test/ASan/use-after-free.c: -------------------------------------------------------------------------------- 1 | // RUN: clang use-after-free.c -fsanitize=address -emit-llvm -g -c -o use-after-free-c.bc 2 | // RUN: rm -rf use-after-free-c.klee-out 3 | // RUN: klee --output-dir=use-after-free-c.klee-out use-after-free-c.bc 4 | 5 | #include 6 | 7 | int main(int argc, char **argv) { 8 | int *array = malloc(100 * sizeof(int)); 9 | free(array); 10 | return array[argc]; // BOOM 11 | } -------------------------------------------------------------------------------- /klee/test/Feature/Memalign.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang -emit-llvm -g -c %s -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t.bc > %t.log 4 | 5 | #include 6 | 7 | int main(int argc, char *argv[]) { 8 | int *a = (int *)memalign(8, sizeof(int) * 5); 9 | for (int i = 0; i < 5; ++i) { 10 | a[i] = (i * 100) % 23; 11 | } 12 | free(a); 13 | return 0; 14 | } 15 | -------------------------------------------------------------------------------- /klee/test/Feature/OneFreeError.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -g -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 2>&1 | FileCheck %s 4 | // RUN: test -f %t.klee-out/test000001.ptr.err 5 | 6 | int main() { 7 | int *x = malloc(4); 8 | free(x); 9 | // CHECK: OneFreeError.c:[[@LINE+1]]: memory error: out of bound pointer 10 | x[0] = 1; 11 | return 0; 12 | } 13 | -------------------------------------------------------------------------------- /klee/scripts/build/p-stp-linux-ubuntu-16.04.inc: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Build dependencies 3 | install_build_dependencies_stp() { 4 | apt update -y 5 | 6 | dependencies=( 7 | build-essential 8 | 9 | bison 10 | ca-certificates 11 | cmake 12 | flex 13 | git 14 | zlib1g-dev 15 | ) 16 | 17 | #Install essential dependencies 18 | apt -y --no-install-recommends install "${dependencies[@]}" 19 | } -------------------------------------------------------------------------------- /klee/test/regression/2017-11-01-test-with-empty-varname.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | // RUN: FileCheck %s --input-file=%t.klee-out/warnings.txt 5 | 6 | int main() { 7 | unsigned a; 8 | 9 | klee_make_symbolic(&a, sizeof(a), ""); 10 | // CHECK-NOT: KLEE: WARNING: unable to write output test case, losing it 11 | } 12 | -------------------------------------------------------------------------------- /klee/test/Feature/DefineFixedObject.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang -emit-llvm -c -o %t1.bc %s 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc 4 | 5 | #include 6 | 7 | #define ADDRESS ((int*) 0x0080) 8 | 9 | int main() { 10 | klee_define_fixed_object(ADDRESS, 4); 11 | 12 | int *p = ADDRESS; 13 | 14 | *p = 10; 15 | printf("*p: %d\n", *p); 16 | 17 | return 0; 18 | } 19 | -------------------------------------------------------------------------------- /klee/test/Feature/IndirectCallToBuiltin.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | 5 | #include 6 | #include 7 | 8 | int main() { 9 | void *(*allocator)(size_t) = malloc; 10 | int *mem = allocator(10); 11 | 12 | printf("mem: %p\n", mem); 13 | printf("mem[0]: %d\n", mem[0]); 14 | 15 | return 0; 16 | } 17 | -------------------------------------------------------------------------------- /klee/test/Feature/OneOutOfBounds.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -g -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 2>&1 | FileCheck %s 4 | // RUN: test -f %t.klee-out/test000001.ptr.err 5 | 6 | int main() { 7 | int *x = malloc(sizeof(int)); 8 | // CHECK: OneOutOfBounds.c:[[@LINE+1]]: memory error: out of bound pointer 9 | x[1] = 1; 10 | free(x); 11 | return 0; 12 | } 13 | -------------------------------------------------------------------------------- /klee/test/ASan/heap-oob.c: -------------------------------------------------------------------------------- 1 | // RUN: clang heap-oob.c -fsanitize=address -emit-llvm -g -c -o heap-oob-c.bc 2 | // RUN: rm -rf heap-oob-c.klee-out 3 | // RUN: klee --output-dir=heap-oob-c.klee-out heap-oob-c.bc 4 | 5 | #include 6 | 7 | int main(int argc, char **argv) { 8 | int* array = (int*) malloc(100 * sizeof(int)); 9 | array[0] = 0; 10 | int res = array[argc + 100]; 11 | free(array); 12 | return res; 13 | } -------------------------------------------------------------------------------- /klee/test/Feature/ByteSwap.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --libc=klee --exit-on-error %t1.bc 4 | 5 | #include 6 | #include 7 | 8 | int main() { 9 | 10 | uint32_t n = 0; 11 | klee_make_symbolic(&n, sizeof(n), "n"); 12 | 13 | uint32_t h = ntohl(n); 14 | assert(htonl(h) == n); 15 | 16 | return 0; 17 | } 18 | -------------------------------------------------------------------------------- /klee/test/regression/2007-10-11-free-of-alloca.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -g -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 2>&1 | FileCheck %s 4 | // RUN: test -f %t.klee-out/test000001.free.err 5 | 6 | int main() { 7 | int buf[4]; 8 | // CHECK: 2007-10-11-free-of-alloca.c:9: free of alloca 9 | free(buf); // this should give runtime error, not crash 10 | return 0; 11 | } 12 | -------------------------------------------------------------------------------- /klee/utils/valgrind/valgrind-llvm.supp: -------------------------------------------------------------------------------- 1 | { 2 | LLVM:Tmp1 3 | Memcheck:Leak 4 | fun:_vgrZU_libstdcZpZpZa__Znwj 5 | fun:_ZN4llvm* 6 | } 7 | { 8 | LLVM:Tmp2 9 | Memcheck:Leak 10 | fun:_vgrZU_libcZdsoZa_malloc 11 | fun:_ZN4llvm* 12 | } 13 | { 14 | LLVM:Tmp3 15 | Memcheck:Leak 16 | fun:*nwj* 17 | fun:*llvm* 18 | } 19 | { 20 | LLVM:Tmp4 21 | Memcheck:Leak 22 | fun:malloc 23 | fun:*llvm* 24 | } 25 | -------------------------------------------------------------------------------- /klee/test/Feature/StackOverflow.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang -emit-llvm -g -c -o %t.bc %s 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t.bc > %t.output.log 2>&1 4 | // RUN: FileCheck -input-file=%t.output.log %s 5 | 6 | void recursive(unsigned nr){ 7 | if (nr == 0) 8 | return; 9 | recursive(nr-1); 10 | } 11 | 12 | int main() { 13 | recursive(10000); 14 | return 0; 15 | } 16 | // CHECK: Maximum stack size reached 17 | -------------------------------------------------------------------------------- /klee/test/UBSan/null.c: -------------------------------------------------------------------------------- 1 | // RUN: clang null.c -fsanitize=null -emit-llvm -g -c -o null.bc 2 | // RUN: rm -rf null.klee-out 3 | // RUN: klee --output-dir=null.klee-out null.bc 4 | 5 | #include "klee/klee.h" 6 | 7 | int main() { 8 | _Bool null; 9 | volatile int result; 10 | 11 | klee_make_symbolic(&null, sizeof(null), "null"); 12 | 13 | int local = 0; 14 | int *arg = null ? 0x0 : &local; 15 | 16 | result = *arg; 17 | return 0; 18 | } -------------------------------------------------------------------------------- /klee/test/regression/2008-03-04-free-of-global.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -g -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 2>&1 | FileCheck %s 4 | // RUN: test -f %t.klee-out/test000001.free.err 5 | 6 | int buf[4]; 7 | 8 | int main() { 9 | // CHECK: 2008-03-04-free-of-global.c:10: free of global 10 | free(buf); // this should give runtime error, not crash 11 | return 0; 12 | } 13 | -------------------------------------------------------------------------------- /klee/test/regression/2008-03-11-free-of-malloc-zero.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc 4 | 5 | #include 6 | 7 | int main() { 8 | // concrete case 9 | void *p = malloc(0); 10 | free(p); 11 | 12 | p = malloc(0); 13 | void *arr[4] = { p, 0, 0, 0 }; 14 | 15 | // symbolic case 16 | free(arr[klee_range(0, 4, "range")]); 17 | } 18 | -------------------------------------------------------------------------------- /klee/test/Feature/DumpStatesOnHalt.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -g -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --max-instructions=1 --dump-states-on-halt=true %t1.bc 2>&1 | FileCheck %s 4 | // RUN: test -f %t.klee-out/test000001.ktest 5 | 6 | int main(int argc, char** argv) { 7 | int x = 1; 8 | if (argc == 1) 9 | x = 0; 10 | return x; 11 | } 12 | // CHECK: halting execution, dumping remaining states 13 | -------------------------------------------------------------------------------- /klee/test/Feature/IsSymbolic.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | 5 | #include 6 | 7 | int main() { 8 | int x, y, z = 0; 9 | klee_make_symbolic(&x, sizeof x, "x"); 10 | klee_make_symbolic(&y, sizeof y, "y"); 11 | if (x) { 12 | assert(klee_is_symbolic(y)); 13 | } else { 14 | assert(!klee_is_symbolic(z)); 15 | } 16 | return 0; 17 | } 18 | -------------------------------------------------------------------------------- /klee/test/Solver/AShr_to_smtlib.kquery.good.smt2: -------------------------------------------------------------------------------- 1 | ;SMTLIBv2 Query 0 2 | (set-logic QF_AUFBV ) 3 | (declare-fun shift () (Array (_ BitVec 32) (_ BitVec 8) ) ) 4 | (declare-fun value () (Array (_ BitVec 32) (_ BitVec 8) ) ) 5 | (assert (and (= false (= (_ bv0 8) (ite (bvuge (select shift (_ bv0 32) ) (_ bv8 8) ) (_ bv0 8) (bvashr (select value (_ bv0 32) ) (select shift (_ bv0 32) ) ) ) ) ) (bvule (_ bv8 8) (select shift (_ bv0 32) ) ) ) ) 6 | (check-sat) 7 | (exit) 8 | -------------------------------------------------------------------------------- /klee/test/Concrete/UnorderedPhiNodes.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | declare void @print_i32(i32) 4 | 5 | define i32 @main() { 6 | entry: 7 | br label %test 8 | test: 9 | %a = phi i32 [10, %entry], [%b, %test] 10 | %b = phi i32 [%a, %test], [20, %entry] 11 | %c = phi i32 [0, %entry], [1, %test] 12 | %d = icmp eq i32 %c, 1 13 | br i1 %d, label %exit, label %test 14 | exit: 15 | call void @print_i32(i32 %b) 16 | ret i32 0 17 | } 18 | -------------------------------------------------------------------------------- /klee/test/Feature/NoExternalCallsAllowed.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -g -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --external-calls=none %t1.bc 2>&1 | FileCheck %s 4 | // RUN: test %t.klee-out/test000001.user.err 5 | 6 | #include 7 | 8 | int main(int argc, char** argv) { 9 | // CHECK: Disallowed call to external function: abs 10 | int x = abs(argc); 11 | printf("%d\n", argc); 12 | return 0; 13 | } 14 | -------------------------------------------------------------------------------- /klee/test/Solver/overshift-left-by-constant.kquery: -------------------------------------------------------------------------------- 1 | # RUN: %kleaver %s > %t 2 | # RUN: not grep INVALID %t 3 | array x[4] : w32 -> w8 = symbolic 4 | # ∀ x. x > 0 → ( x << 32 = 0 ) 5 | # Check we overshift to zero for when shifting for all 32-bit values >0 6 | 7 | (query [ (Ult (w32 0) (ReadLSB w32 (w32 0) x)) ] 8 | (Eq 9 | (Shl w32 10 | (ReadLSB w32 (w32 0) x) 11 | (w32 32) 12 | ) 13 | (w32 0) 14 | ) [ ] [x] ) 15 | -------------------------------------------------------------------------------- /klee/test/Solver/overshift-lright-by-constant.kquery: -------------------------------------------------------------------------------- 1 | # RUN: %kleaver %s > %t 2 | # RUN: not grep INVALID %t 3 | array x[4] : w32 -> w8 = symbolic 4 | # ∀ x. x > 0 → ( x >> 32 = 0 ) 5 | # Check we overshift to zero for when shifting for all 32-bit values >0 6 | 7 | (query [ (Ult (w32 0) (ReadLSB w32 (w32 0) x)) ] 8 | (Eq 9 | (LShr w32 10 | (ReadLSB w32 (w32 0) x) 11 | (w32 32) 12 | ) 13 | (w32 0) 14 | ) [ ] [x] ) 15 | -------------------------------------------------------------------------------- /klee/test/regression/2019-09-06-make-const-symbolic.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -g -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee -output-dir=%t.klee-out %t.bc 2>&1 | FileCheck %s 4 | #include "klee/klee.h" 5 | 6 | const int c = 23; 7 | int main(int argc, char **argv) { 8 | klee_make_symbolic(&c, sizeof(c), "c"); 9 | // CHECK: cannot make readonly object symbolic 10 | 11 | if (c > 20) 12 | return 0; 13 | else 14 | return 1; 15 | } -------------------------------------------------------------------------------- /klee/test/CXX/Trivial.cpp: -------------------------------------------------------------------------------- 1 | // RUN: %clangxx %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --write-no-tests --exit-on-error %t1.bc 4 | 5 | #include 6 | 7 | class Test { 8 | int x; 9 | 10 | public: 11 | Test(int _x) : x(_x) {} 12 | ~Test() {} 13 | 14 | int getX() { return x; } 15 | }; 16 | 17 | int main() { 18 | Test rt(2); 19 | 20 | assert(rt.getX()==2); 21 | 22 | return 0; 23 | } 24 | -------------------------------------------------------------------------------- /klee/test/Concrete/OverlappingPhiNodes.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | declare void @print_i32(i32) 4 | 5 | define i32 @main() { 6 | entry: 7 | br label %test 8 | test: 9 | %a = phi i32 [10, %entry], [%b, %test] 10 | %b = phi i32 [20, %entry], [%a, %test] 11 | %c = phi i32 [0, %entry], [1, %test] 12 | %d = icmp eq i32 %c, 1 13 | br i1 %d, label %exit, label %test 14 | exit: 15 | call void @print_i32(i32 %b) 16 | ret i32 0 17 | } 18 | -------------------------------------------------------------------------------- /klee/test/Concrete/BitwiseOps.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | declare void @print_i32(i32) 4 | 5 | define i32 @main() { 6 | %a = or i32 12345678, 87654321 7 | %b = and i32 %a, 87654321 8 | %check = xor i32 %b, 87654321 9 | %test = icmp eq i32 %check, 0 10 | br i1 %test, label %exitTrue, label %exitFalse 11 | exitTrue: 12 | call void @print_i32(i32 1) 13 | ret i32 0 14 | exitFalse: 15 | call void @print_i32(i32 0) 16 | ret i32 0 17 | } 18 | -------------------------------------------------------------------------------- /klee/test/regression/2015-06-22-struct-write.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -g %O0opt -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out -exit-on-error %t.bc 4 | 5 | #include "klee/klee.h" 6 | 7 | #include 8 | 9 | union U0 { 10 | signed f3 :18; 11 | }; 12 | 13 | static union U0 u = { 0UL }; 14 | 15 | int main(int argc, char **argv) { 16 | u.f3 = 534; 17 | 18 | klee_assert(u.f3 == 534); 19 | 20 | return 0; 21 | } 22 | 23 | -------------------------------------------------------------------------------- /klee/test/Solver/overshift-aright-by-constant.kquery: -------------------------------------------------------------------------------- 1 | # RUN: %kleaver %s > %t 2 | # RUN: not grep INVALID %t 3 | array x[4] : w32 -> w8 = symbolic 4 | # ∀ x. x > 0 → ( ((signed int) x) >> 32 = 0 ) 5 | # Check we overshift to zero for when shifting for all 32-bit values >0 6 | 7 | (query [ (Ult (w32 0) (ReadLSB w32 (w32 0) x)) ] 8 | (Eq 9 | (AShr w32 10 | (ReadLSB w32 (w32 0) x) 11 | (w32 32) 12 | ) 13 | (w32 0) 14 | ) [ ] [x] ) 15 | -------------------------------------------------------------------------------- /klee/test/Expr/Parser/Concat64.kquery: -------------------------------------------------------------------------------- 1 | # RUN: kleaver --print-ast %s 2 | 3 | array arr1[8] : w32 -> w8 = symbolic 4 | (query [(Eq 0 5 | (Concat w64 (Read w8 7 arr1) 6 | (Concat w56 (Read w8 6 arr1) 7 | (Concat w48 (Read w8 5 arr1) 8 | (Concat w40 (Read w8 4 arr1) 9 | (Concat w32 (Read w8 3 arr1) 10 | (Concat w24 (Read w8 2 arr1) 11 | (Concat w16 (Read w8 1 arr1) (Read w8 0 arr1)))))))))] 12 | false) 13 | -------------------------------------------------------------------------------- /klee/test/regression/2007-07-25-invalid-stp-array-binding-to-objectstate.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | 5 | #include 6 | 7 | int main(void) { 8 | char c[2]; 9 | 10 | klee_make_symbolic(&c, sizeof(c), "c"); 11 | 12 | if (c[0] > 10) { 13 | int x; 14 | 15 | c[1] = 1; // copy object state 16 | 17 | assert(c[0] > 10); 18 | } 19 | 20 | return 0; 21 | } 22 | -------------------------------------------------------------------------------- /klee/test/Concrete/Select.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | declare void @print_i32(i32) 4 | 5 | define i32 @main() { 6 | %ten = select i1 true, i32 10, i32 0 7 | %five = select i1 false, i32 0, i32 5 8 | %check = add i32 %ten, %five 9 | %test = icmp eq i32 %check, 15 10 | br i1 %test, label %exitTrue, label %exitFalse 11 | exitTrue: 12 | call void @print_i32(i32 1) 13 | ret i32 0 14 | exitFalse: 15 | call void @print_i32(i32 0) 16 | ret i32 0 17 | } 18 | -------------------------------------------------------------------------------- /klee/test/Feature/MakeSymbolicName.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --search=random-state --exit-on-error %t1.bc 4 | 5 | #include 6 | 7 | int main() { 8 | int a[4] = {1, 2, 3, 4}; 9 | unsigned i; 10 | 11 | klee_make_symbolic(&i, sizeof(i), "index"); 12 | if (i > 3) 13 | klee_silent_exit(0); 14 | 15 | assert(a[i] << 1 != 5); 16 | if (a[i] << 1 == 6) 17 | assert(i == 2); 18 | } 19 | -------------------------------------------------------------------------------- /klee/test/Feature/GetValue.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang -emit-llvm -c -o %t1.bc %s 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc 4 | 5 | #include 6 | #include 7 | 8 | int main() { 9 | int x = klee_int("x"); 10 | klee_assume(x > 10); 11 | klee_assume(x < 20); 12 | 13 | assert(!klee_is_symbolic(klee_get_value_i32(x))); 14 | assert(klee_get_value_i32(x) > 10); 15 | assert(klee_get_value_i32(x) < 20); 16 | 17 | return 0; 18 | } 19 | -------------------------------------------------------------------------------- /klee/test/regression/2007-07-30-unflushed-byte.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | 5 | #include 6 | 7 | int main() { 8 | char i, x[3]; 9 | 10 | klee_make_symbolic(&i, sizeof i, "i"); 11 | 12 | x[0] = i; 13 | 14 | // DEMAND FAILED:Memory.cpp:read8:199: is false: "unflushed byte without cache value" 15 | char y = x[1]; 16 | 17 | return 0; 18 | } 19 | 20 | -------------------------------------------------------------------------------- /klee/test/regression/2007-08-06-64bit-shift.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | 5 | #include 6 | 7 | int main() { 8 | int d; 9 | 10 | klee_make_symbolic(&d, sizeof(d), "d"); 11 | 12 | int l = d - 1; 13 | unsigned long long m = ((unsigned long long) l << 32) / d; 14 | if (d==2) { 15 | assert(m == 2147483648u); 16 | } 17 | 18 | klee_silent_exit(0); 19 | 20 | return 0; 21 | } 22 | -------------------------------------------------------------------------------- /klee/runtime/klee-libc/abort.c: -------------------------------------------------------------------------------- 1 | /*===-- abort.c -----------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | #include 11 | 12 | #include "klee/klee.h" 13 | 14 | void abort(void) { 15 | klee_abort(); 16 | } 17 | -------------------------------------------------------------------------------- /klee/test/Merging/state_termination.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang -emit-llvm -g -c -o %t.bc %s 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --use-merge --debug-log-merge --search=dfs %t.bc 4 | 5 | #include "klee/klee.h" 6 | 7 | int main(int argc, char** args){ 8 | 9 | int x; 10 | 11 | char str[5]; 12 | klee_make_symbolic(str, sizeof(str), "str"); 13 | char *s = str; 14 | 15 | klee_open_merge(); 16 | while(*s != 's') 17 | s++; 18 | klee_close_merge(); 19 | 20 | return 0; 21 | } 22 | -------------------------------------------------------------------------------- /klee/unittests/lit-unit-tests-common.site.cfg.in: -------------------------------------------------------------------------------- 1 | import sys 2 | import os 3 | 4 | ## @AUTO_GEN_MSG@ 5 | config.name = 'KLEE Unit tests' 6 | config.unit_test_exe_suffix = "@UNIT_TEST_EXE_SUFFIX@" 7 | 8 | # Let the main config do the real work. 9 | lit_config.load_config(config, "@CMAKE_SOURCE_DIR@/unittests/lit-unit-tests-common.cfg") 10 | config.environment['LSAN_OPTIONS'] = "suppressions=@KLEE_UTILS_DIR@/sanitizers/lsan.txt" 11 | config.environment['UBSAN_OPTIONS'] = "suppressions=@KLEE_UTILS_DIR@/sanitizers/ubsan.txt" 12 | -------------------------------------------------------------------------------- /klee/runtime/klee-libc/strcmp.c: -------------------------------------------------------------------------------- 1 | /*===-- strcmp.c ----------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | int strcmp(const char *a, const char *b) { 11 | while (*a && *a == *b) 12 | ++a, ++b; 13 | return *a - *b; 14 | } 15 | -------------------------------------------------------------------------------- /klee/runtime/klee-libc/tolower.c: -------------------------------------------------------------------------------- 1 | /*===-- tolower.c ---------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | int tolower(int ch) { 11 | if ( (unsigned int)(ch - 'A') < 26u ) 12 | ch -= 'A' - 'a'; 13 | return ch; 14 | } 15 | -------------------------------------------------------------------------------- /klee/runtime/klee-libc/toupper.c: -------------------------------------------------------------------------------- 1 | /*===-- toupper.c ---------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | int toupper(int ch) { 11 | if ( (unsigned int)(ch - 'a') < 26u ) 12 | ch += 'A' - 'a'; 13 | return ch; 14 | } 15 | -------------------------------------------------------------------------------- /klee/test/Feature/FloatingPt.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc 4 | 5 | #include 6 | 7 | int main() { 8 | double a1 = -1.1; 9 | double a2 = 1.2; 10 | 11 | int b1 = (int) a1; 12 | assert(b1 == -1); 13 | 14 | int b2 = (int) a2; 15 | assert(b2 == 1); 16 | 17 | a1 = (double) b1; 18 | assert(a1 == -1); 19 | 20 | a2 = (double) b2; 21 | assert(a2 == 1); 22 | 23 | return 0; 24 | } 25 | -------------------------------------------------------------------------------- /klee/test/Concrete/SimpleStoreAndLoad.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | declare void @print_i32(i32) 4 | 5 | define i32 @main() { 6 | entry: 7 | %a = alloca i32, i32 4 8 | %tmp1 = getelementptr i32, i32* %a, i32 0 9 | store i32 0, i32* %tmp1 10 | %tmp2 = load i32, i32* %tmp1 11 | %tmp3 = icmp eq i32 %tmp2, 0 12 | br i1 %tmp3, label %exitTrue, label %exitFalse 13 | exitTrue: 14 | call void @print_i32(i32 1) 15 | ret i32 0 16 | exitFalse: 17 | call void @print_i32(i32 0) 18 | ret i32 0 19 | } 20 | -------------------------------------------------------------------------------- /klee/test/Runtime/Uclibc/2007-10-08-optimization-calls-wrong-libc-functions.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error --optimize --libc=uclibc %t1.bc 4 | 5 | #include 6 | #include 7 | 8 | #include "klee/klee.h" 9 | 10 | int main() { 11 | int a; 12 | 13 | klee_make_symbolic(&a, sizeof a, "a"); 14 | 15 | memset(&a, 0, sizeof a); 16 | 17 | if (a) { 18 | assert(0); 19 | } 20 | 21 | return 0; 22 | } 23 | -------------------------------------------------------------------------------- /klee/test/CXX/symex/libc++/cout.cpp: -------------------------------------------------------------------------------- 1 | // REQUIRES: libcxx 2 | // REQUIRES: uclibc 3 | // RUN: %clangxx %s -emit-llvm %O0opt -c -std=c++11 -I "%libcxx_include" -g -nostdinc++ -o %t1.bc 4 | // RUN: rm -rf %t.klee-out 5 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error --libc=uclibc --libcxx %t1.bc 2>&1 | FileCheck %s 6 | 7 | // CHECK-DAG: cout 8 | // CHECK-DAG: cerr 9 | 10 | #include 11 | 12 | int main(int argc, char** args){ 13 | std::cout << "cout" << std::endl; 14 | std::cerr << "cerr" << std::endl; 15 | return 0; 16 | } 17 | -------------------------------------------------------------------------------- /klee/test/Feature/Realloc.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error --warnings-only-to-file=false %t1.bc 2>&1 | FileCheck %s 4 | 5 | #include 6 | #include 7 | #include 8 | 9 | int main() { 10 | int *p = malloc(sizeof(int)*2); 11 | assert(p); 12 | p[1] = 52; 13 | 14 | // CHECK: KLEE: WARNING ONCE: Large alloc 15 | int *p2 = realloc(p, 1<<30); 16 | assert(!p2 || p2[1] == 52); 17 | 18 | return 0; 19 | } 20 | -------------------------------------------------------------------------------- /klee/cmake/string_to_list.cmake: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | 10 | function(string_to_list s output_var) 11 | string(REPLACE " " ";" _output "${s}") 12 | set(${output_var} ${_output} PARENT_SCOPE) 13 | endfunction() 14 | -------------------------------------------------------------------------------- /klee/test/CXX/LandingPad.cpp: -------------------------------------------------------------------------------- 1 | // RUN: %clangxx %s -emit-llvm -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: klee --output-dir=%t.klee-out %t1.bc 2>&1 | FileCheck %s 4 | 5 | // CHECK: Using zero size array fix for landingpad instruction filter 6 | 7 | // Check that the zero size array in the landing pad filter does not crash KLEE 8 | int p() throw() { throw 'a'; } 9 | int main(int argc, char **) { 10 | if (argc < 3) { 11 | return 0; 12 | } 13 | 14 | try { 15 | return p(); 16 | } catch (...) { 17 | return 1; 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /klee/lib/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | add_subdirectory(Basic) 10 | add_subdirectory(Support) 11 | add_subdirectory(Expr) 12 | add_subdirectory(Solver) 13 | add_subdirectory(Module) 14 | add_subdirectory(Core) 15 | -------------------------------------------------------------------------------- /klee/test/Feature/Float.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang -emit-llvm -g -c %s -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t.bc > %t.log 4 | // RUN: grep "3.30* -1.10* 2.420*" %t.log 5 | 6 | #include 7 | 8 | float fadd(float a, float b) { 9 | return a + b; 10 | } 11 | 12 | float fsub(float a, float b) { 13 | return a - b; 14 | } 15 | 16 | float fmul(float a, float b) { 17 | return a * b; 18 | } 19 | 20 | int main() { 21 | printf("%f %f %f\n", fadd(1.1, 2.2), fsub(1.1, 2.2), fmul(1.1, 2.2)); 22 | return 0; 23 | } 24 | -------------------------------------------------------------------------------- /learch/replay.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | PROG=${1} 4 | 5 | PROG_NAME=$(basename ${PROG}) 6 | KLEE_REPLAY="klee-replay" 7 | 8 | rm -rf ${SANDBOX_DIR}/sandbox-replay-${PROG_NAME} 9 | mkdir -p ${SANDBOX_DIR}/sandbox-replay-${PROG_NAME} 10 | tar xvf ${SOURCE_DIR}/sandbox.tgz -C ${SANDBOX_DIR}/sandbox-replay-${PROG_NAME} > /dev/null 11 | cd ${SANDBOX_DIR}/sandbox-replay-${PROG_NAME}/sandbox 12 | 13 | for tcase in "${@:2}" 14 | do 15 | env -i /bin/bash -c "(source ${SANDBOX_DIR}/testing-env.sh; timeout 30 klee-replay ${PROG} ${tcase} >& /dev/null)" 16 | done 17 | -------------------------------------------------------------------------------- /klee/runtime/klee-libc/strlen.c: -------------------------------------------------------------------------------- 1 | /*===-- strlen.c ----------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | #include 11 | 12 | size_t strlen(const char *str) { 13 | const char *s = str; 14 | while (*s) 15 | ++s; 16 | return s - str; 17 | } 18 | -------------------------------------------------------------------------------- /klee/test/CXX/StaticConstructor.cpp: -------------------------------------------------------------------------------- 1 | // RUN: %clangxx %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --libc=klee --write-no-tests --exit-on-error %t1.bc 4 | 5 | #include 6 | 7 | // to make sure globals are initialized 8 | int aGlobal = 21; 9 | 10 | class Test { 11 | int x; 12 | 13 | public: 14 | Test() : x(aGlobal + 1) {} 15 | ~Test() {} 16 | 17 | int getX() { return x; } 18 | }; 19 | 20 | Test t; 21 | 22 | int main() { 23 | assert(t.getX() == 22); 24 | 25 | return 0; 26 | } 27 | -------------------------------------------------------------------------------- /klee/test/Runtime/POSIX/CanonicalizeFileName.c: -------------------------------------------------------------------------------- 1 | // REQUIRES: not-darwin 2 | // RUN: %clang %s -Wall -emit-llvm -g %O0opt -c -o %t.bc 3 | // RUN: rm -rf %t.klee-out 4 | // RUN: %klee --output-dir=%t.klee-out --libc=uclibc --posix-runtime --exit-on-error %t.bc 5 | 6 | #define _GNU_SOURCE 7 | #include 8 | #include 9 | #include 10 | 11 | int main(int argc, char * argv[]) { 12 | char cwd[PATH_MAX] = {0}; 13 | 14 | if (!getcwd(cwd, PATH_MAX)) exit(EXIT_FAILURE); 15 | if (!canonicalize_file_name(cwd)) exit(EXIT_FAILURE); 16 | } 17 | -------------------------------------------------------------------------------- /klee/test/UBSan/array_bounds.c: -------------------------------------------------------------------------------- 1 | // RUN: clang array_bounds.c -fsanitize=bounds -emit-llvm -g -c -o array_bounds.bc 2 | // RUN: rm -rf array_bounds.klee-out 3 | // RUN: klee --output-dir=array_bounds.klee-out array_bounds.bc 4 | 5 | #include "klee/klee.h" 6 | 7 | unsigned int array_index(unsigned int n) { 8 | unsigned int a[4] = {0}; 9 | 10 | return a[n]; 11 | } 12 | 13 | int main() { 14 | unsigned int x; 15 | volatile unsigned int result; 16 | 17 | klee_make_symbolic(&x, sizeof(x), "x"); 18 | 19 | result = array_index(x); 20 | 21 | return 0; 22 | } -------------------------------------------------------------------------------- /klee/test/UBSan/shift1.c: -------------------------------------------------------------------------------- 1 | // RUN: clang shift1.c -fsanitize=shift -emit-llvm -g -c -o shift1.bc 2 | // RUN: rm -rf shift1.klee-out 3 | // RUN: klee --output-dir=shift1.klee-out shift1.bc 4 | 5 | #include "klee/klee.h" 6 | 7 | int lsh_overflow(signed int a, signed int b) { 8 | return a << b; 9 | } 10 | 11 | int main() { 12 | signed int a; 13 | signed int b; 14 | volatile signed int result; 15 | 16 | klee_make_symbolic(&a, sizeof(a), "a"); 17 | klee_make_symbolic(&b, sizeof(b), "b"); 18 | 19 | result = lsh_overflow(a, b); 20 | 21 | return 0; 22 | } -------------------------------------------------------------------------------- /klee/test/UBSan/shift2.c: -------------------------------------------------------------------------------- 1 | // RUN: clang shift2.c -fsanitize=shift -emit-llvm -g -c -o shift2.bc 2 | // RUN: rm -rf shift2.klee-out 3 | // RUN: klee --output-dir=shift2.klee-out shift2.bc 4 | 5 | #include "klee/klee.h" 6 | 7 | int rsh_inbounds(signed int a, signed int b) { 8 | return a >> b; 9 | } 10 | 11 | int main() { 12 | signed int a; 13 | signed int b; 14 | volatile signed int result; 15 | 16 | klee_make_symbolic(&a, sizeof(a), "a"); 17 | klee_make_symbolic(&b, sizeof(b), "b"); 18 | 19 | result = rsh_inbounds(a, b); 20 | 21 | return 0; 22 | } -------------------------------------------------------------------------------- /klee/runtime/klee-libc/strcpy.c: -------------------------------------------------------------------------------- 1 | /*===-- strcpy.c ----------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | char *strcpy(char *to, const char *from) { 11 | char *start = to; 12 | 13 | while ((*to = *from)) 14 | ++to, ++from; 15 | 16 | return start; 17 | } 18 | -------------------------------------------------------------------------------- /klee/test/CXX/symex/libc++/vector.cpp: -------------------------------------------------------------------------------- 1 | // REQUIRES: libcxx 2 | // REQUIRES: uclibc 3 | // RUN: %clangxx %s -emit-llvm %O0opt -c -std=c++11 -I "%libcxx_include" -g -nostdinc++ -o %t1.bc 4 | // RUN: rm -rf %t.klee-out 5 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error --libc=uclibc --libcxx %t1.bc 2>&1 | FileCheck %s 6 | // 7 | // CHECK: KLEE: done: completed paths = 1 8 | 9 | #include "klee/klee.h" 10 | #include 11 | 12 | int main(int argc, char **args) { 13 | std::vector a; 14 | a.push_back(klee_int("Test")); 15 | return a.at(0); 16 | } 17 | -------------------------------------------------------------------------------- /klee/runtime/POSIX/Makefile.cmake.bitcode: -------------------------------------------------------------------------------- 1 | #===--------------------------------------------------------*- Makefile -*--===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | LEVEL := ../ 10 | 11 | include $(LEVEL)/Makefile.cmake.bitcode.config 12 | 13 | ARCHIVE_NAME=kleeRuntimePOSIX 14 | 15 | include $(LEVEL)/Makefile.cmake.bitcode.rules 16 | -------------------------------------------------------------------------------- /klee/test/Concrete/GlobalUndef.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | target datalayout = 4 | "e-p:64:64:64-i1:8:8-i8:8:8-i16:16:16-i32:32:32-i64:64:64-f32:32:32-f64:64:64-v64:64:64-v128:128:128-a0:0:64-s0:64:64-f80:128:128-n8:16:32:64-S128" 5 | target triple = "x86_64-unknown-linux-gnu" 6 | 7 | %struct.anon = type { i8, [3 x i8] } 8 | 9 | @z = global %struct.anon { i8 1, [3 x i8] undef }, align 4 10 | 11 | define i32 @main() nounwind { 12 | entry: 13 | %retval = alloca i32, align 4 14 | store i32 0, i32* %retval 15 | ret i32 0 16 | } 17 | -------------------------------------------------------------------------------- /klee/test/Feature/BFSSearcher.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --max-instructions=500 --search=bfs %t1.bc 2>%t2.log 4 | // RUN: FileCheck -input-file=%t2.log %s 5 | #include "assert.h" 6 | #include "klee/klee.h" 7 | 8 | int nd() { 9 | int r; 10 | klee_make_symbolic(&r, sizeof(r), "r"); 11 | return r; 12 | } 13 | 14 | int main() { 15 | int x = 1; 16 | while (nd() != 0) { 17 | x *= 2; 18 | } 19 | // CHECK: ASSERTION FAIL 20 | klee_assert(0); 21 | return x; 22 | } 23 | -------------------------------------------------------------------------------- /learch/benchmarks/coreutils_train.txt: -------------------------------------------------------------------------------- 1 | b2sum 2 | base32 3 | chcon 4 | chgrp 5 | chmod 6 | chown 7 | chroot 8 | cp 9 | cut 10 | dd 11 | df 12 | dir 13 | dirname 14 | expand 15 | expr 16 | factor 17 | false 18 | ginstall 19 | md5sum 20 | mkdir 21 | mknod 22 | nice 23 | nl 24 | nohup 25 | numfmt 26 | od 27 | paste 28 | pathchk 29 | pr 30 | printenv 31 | pwd 32 | realpath 33 | rm 34 | rmdir 35 | sha1sum 36 | sha256sum 37 | sha512sum 38 | sleep 39 | stat 40 | stdbuf 41 | sync 42 | tac 43 | tee 44 | touch 45 | tr 46 | truncate 47 | tsort 48 | tty 49 | uptime 50 | who 51 | whoami 52 | -------------------------------------------------------------------------------- /klee/scripts/build/p-libcxx-linux-ubuntu-16.04.inc: -------------------------------------------------------------------------------- 1 | install_build_dependencies_libcxx() { 2 | apt-get update -y 3 | 4 | dependencies=( 5 | build-essential 6 | ca-certificates 7 | git 8 | python3 9 | cmake 10 | curl 11 | 12 | file # Needed for wllvm 13 | ) 14 | 15 | #Install essential dependencies 16 | apt -y --no-install-recommends install "${dependencies[@]}" 17 | 18 | curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py 19 | python3 get-pip.py --user 20 | export PATH="${HOME}/.local/bin:$PATH" 21 | pip3 install wllvm 22 | } -------------------------------------------------------------------------------- /learch/benchmarks/coreutils_test.txt: -------------------------------------------------------------------------------- 1 | [ 2 | base64 3 | basename 4 | basenc 5 | cat 6 | cksum 7 | comm 8 | csplit 9 | date 10 | dircolors 11 | du 12 | echo 13 | env 14 | fmt 15 | fold 16 | groups 17 | head 18 | hostid 19 | id 20 | join 21 | link 22 | ln 23 | logname 24 | ls 25 | mkfifo 26 | mktemp 27 | mv 28 | nproc 29 | pinky 30 | printf 31 | readlink 32 | runcon 33 | seq 34 | sha224sum 35 | sha384sum 36 | shred 37 | shuf 38 | sort 39 | split 40 | stty 41 | sum 42 | tail 43 | test 44 | timeout 45 | true 46 | uname 47 | unexpand 48 | uniq 49 | unlink 50 | users 51 | vdir 52 | wc 53 | -------------------------------------------------------------------------------- /klee/runtime/FreeStanding/memset.c: -------------------------------------------------------------------------------- 1 | /*===-- memset.c ----------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | #include 11 | 12 | void *memset(void *dst, int s, size_t count) { 13 | char *a = dst; 14 | while (count-- > 0) 15 | *a++ = s; 16 | return dst; 17 | } 18 | -------------------------------------------------------------------------------- /klee/runtime/Intrinsic/Makefile.cmake.bitcode: -------------------------------------------------------------------------------- 1 | #===--------------------------------------------------------*- Makefile -*--===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | LEVEL := ../ 10 | 11 | include $(LEVEL)/Makefile.cmake.bitcode.config 12 | 13 | ARCHIVE_NAME=kleeRuntimeIntrinsic 14 | 15 | include $(LEVEL)/Makefile.cmake.bitcode.rules 16 | -------------------------------------------------------------------------------- /klee/runtime/FreeStanding/Makefile.cmake.bitcode: -------------------------------------------------------------------------------- 1 | #===--------------------------------------------------------*- Makefile -*--===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | LEVEL := ../ 10 | 11 | include $(LEVEL)/Makefile.cmake.bitcode.config 12 | 13 | ARCHIVE_NAME=kleeRuntimeFreeStanding 14 | 15 | include $(LEVEL)/Makefile.cmake.bitcode.rules 16 | -------------------------------------------------------------------------------- /klee/runtime/Intrinsic/klee_int.c: -------------------------------------------------------------------------------- 1 | //===-- klee_int.c --------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #include 11 | #include "klee/klee.h" 12 | 13 | int klee_int(const char *name) { 14 | int x; 15 | klee_make_symbolic(&x, sizeof x, name); 16 | return x; 17 | } 18 | -------------------------------------------------------------------------------- /klee/test/UBSan/pointer_overflow2.c: -------------------------------------------------------------------------------- 1 | // REQUIRES: geq-llvm-10.0 2 | 3 | // RUN: clang pointer_overflow2.c -fsanitize=pointer-overflow -emit-llvm -g -c -o pointer_overflow2.bc 4 | // RUN: rm -rf pointer_overflow2.klee-out 5 | // RUN: klee --output-dir=pointer_overflow2.klee-out pointer_overflow2.bc 6 | 7 | #include "klee/klee.h" 8 | #include 9 | 10 | int main() { 11 | size_t address; 12 | volatile char *result; 13 | 14 | klee_make_symbolic(&address, sizeof(address), "address"); 15 | 16 | char *ptr = (char *)address; 17 | 18 | result = ptr + 1; 19 | return 0; 20 | } -------------------------------------------------------------------------------- /klee/test/UBSan/pointer_overflow3.c: -------------------------------------------------------------------------------- 1 | // REQUIRES: geq-llvm-10.0 2 | 3 | // RUN: clang pointer_overflow3.c -fsanitize=pointer-overflow -emit-llvm -g -c -o pointer_overflow3.bc 4 | // RUN: rm -rf pointer_overflow3.klee-out 5 | // RUN: klee --output-dir=pointer_overflow3.klee-out pointer_overflow3.bc 6 | 7 | #include "klee/klee.h" 8 | #include 9 | 10 | int main() { 11 | size_t address; 12 | volatile char *result; 13 | 14 | klee_make_symbolic(&address, sizeof(address), "address"); 15 | 16 | char *ptr = (char *)address; 17 | 18 | result = ptr + 0; 19 | return 0; 20 | } -------------------------------------------------------------------------------- /klee/runtime/klee-libc/strcoll.c: -------------------------------------------------------------------------------- 1 | /*===-- strcoll.c ---------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | #include 11 | 12 | /* according to the manpage, this is equiv in the POSIX/C locale. */ 13 | int strcoll(const char *s1, const char *s2) { 14 | return strcmp(s1,s2); 15 | } 16 | -------------------------------------------------------------------------------- /klee/test/Feature/SolverTimeout.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --max-solver-time=1 %t.bc 4 | // 5 | // Note: This test occasionally fails when using Z3 4.4.1 6 | 7 | #include 8 | 9 | int main() { 10 | long long int x, y = 102*75678 + 78, i = 101; 11 | 12 | klee_make_symbolic(&x, sizeof(x), "x"); 13 | 14 | if (x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x + (x*x % (x+12)) == y*y*y*y*y*y*y*y*y*y*y*y*y*y*y*y % i) 15 | printf("Yes\n"); 16 | else printf("No\n"); 17 | 18 | return 0; 19 | } 20 | -------------------------------------------------------------------------------- /klee/runtime/Intrinsic/klee_div_zero_check.c: -------------------------------------------------------------------------------- 1 | //===-- klee_div_zero_check.c ---------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #include "klee/klee.h" 11 | 12 | void klee_div_zero_check(long long z) { 13 | if (z == 0) 14 | klee_report_error(__FILE__, __LINE__, "divide by zero", "div.err"); 15 | } 16 | -------------------------------------------------------------------------------- /klee/test/Concrete/Shifts.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | declare void @print_i32(i32) 4 | 5 | define i32 @main() { 6 | %amt = add i8 2, 5 7 | %a = shl i8 1, 5 8 | %b = lshr i8 %a, 5 9 | %c = shl i8 %b, %amt 10 | %d = lshr i8 %c, %amt 11 | %e = shl i8 %d, 7 12 | %f = ashr i8 %e, 7 13 | %g = shl i8 %f, %amt 14 | %h = ashr i8 %g, %amt 15 | %test = icmp eq i8 %h, -1 16 | br i1 %test, label %exitTrue, label %exitFalse 17 | exitTrue: 18 | call void @print_i32(i32 1) 19 | ret i32 0 20 | exitFalse: 21 | call void @print_i32(i32 0) 22 | ret i32 0 23 | } 24 | -------------------------------------------------------------------------------- /klee/test/Feature/Envp.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc 4 | 5 | #include 6 | 7 | int main(int argc, char **argv, char **envp) { 8 | unsigned i; 9 | assert(argv[argc] == 0); 10 | printf("argc: %d, argv: %p, envp: %p\n", argc, argv, envp); 11 | printf("--environ--\n"); 12 | int haspwd = 0; 13 | for (i=0; envp[i]; i++) { 14 | printf("%d: %s\n", i, envp[i]); 15 | haspwd |= strncmp(envp[i], "PWD=", 4)==0; 16 | } 17 | assert(haspwd); 18 | return 0; 19 | } 20 | -------------------------------------------------------------------------------- /klee/test/regression/2016-08-12-empty-file.c: -------------------------------------------------------------------------------- 1 | // REQUIRES: posix-runtime 2 | // RUN: %clang %s -emit-llvm -g %O0opt -c -o %t.bc 3 | // RUN: rm -rf %t.klee-out 4 | // RUN: not %klee --output-dir=%t.klee-out %t.bc >%t1.log 2>&1 5 | // RUN: FileCheck -input-file=%t1.log -check-prefix=CHECK-MAIN-NOT-FOUND %s 6 | // RUN: rm -rf %t.klee-out 7 | // RUN: rm -rf %t1.log 8 | // RUN: not %klee --output-dir=%t.klee-out --posix-runtime %t.bc >%t1.log 2>&1 9 | // RUN: FileCheck -input-file=%t1.log -check-prefix=CHECK-MAIN-NOT-FOUND %s 10 | 11 | // CHECK-MAIN-NOT-FOUND: Entry function 'main' not found in module. 12 | -------------------------------------------------------------------------------- /klee/docs/SMT-COMP/QF_AUFBV.smt: -------------------------------------------------------------------------------- 1 | (logic QF_AUFBV 2 | 3 | :written_by {Clark Barrett} 4 | :date {May 7, 2007} 5 | 6 | :theory BV_ArraysEx 7 | 8 | :language 9 | "Closed quantifier-free formulas built over an arbitrary expansion of the 10 | BV_ArraysEx signature with free function and predicate symbols over 11 | the sorts of BV_ArraysEx. Formulas in ite terms must satisfy the same 12 | restriction as well, with the exception that they need not be closed (because 13 | they may be in the scope of a let expression). 14 | " 15 | :extensions 16 | "As in the logic QF_BV." 17 | ) 18 | 19 | 20 | -------------------------------------------------------------------------------- /klee/tools/gen-bout/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | add_executable(gen-bout 10 | gen-bout.cpp 11 | ) 12 | 13 | set(KLEE_LIBS kleeBasic) 14 | 15 | target_link_libraries(gen-bout ${KLEE_LIBS}) 16 | 17 | install(TARGETS gen-bout RUNTIME DESTINATION bin) 18 | -------------------------------------------------------------------------------- /klee/scripts/build/patches/llvm50.patch: -------------------------------------------------------------------------------- 1 | --- include/llvm/ExecutionEngine/Orc/OrcRemoteTargetClient.h 2 | +++ include/llvm/ExecutionEngine/Orc/OrcRemoteTargetClient.h 3 | @@ -713,7 +713,7 @@ private: 4 | 5 | uint32_t getTrampolineSize() const { return RemoteTrampolineSize; } 6 | 7 | - Expected> readMem(char *Dst, JITTargetAddress Src, 8 | + Expected> readMem(char *Dst, JITTargetAddress Src, 9 | uint64_t Size) { 10 | // Check for an 'out-of-band' error, e.g. from an MM destructor. 11 | if (ExistingError) 12 | -------------------------------------------------------------------------------- /klee/test/Feature/Optimize.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t2.bc 2 | // RUN: rm -f %t2.log 3 | // RUN: rm -rf %t.klee-out 4 | // RUN: %klee --output-dir=%t.klee-out --max-instructions=100 --optimize %t2.bc > %t3.log 5 | // RUN: echo "good" > %t3.good 6 | // RUN: diff %t3.log %t3.good 7 | 8 | // should complete by 100 instructions if opt is on 9 | 10 | int main() { 11 | int i, res = 0; 12 | 13 | for (i=1; i<=1000; i++) 14 | res += i; 15 | 16 | if (res == (1000*1001)/2) { 17 | printf("good\n"); 18 | } else { 19 | printf("bad\n"); 20 | } 21 | 22 | return 0; 23 | } 24 | -------------------------------------------------------------------------------- /klee/scripts/build/p-metasmt-linux-ubuntu-16.04.inc: -------------------------------------------------------------------------------- 1 | setup_build_variables_metasmt() { 2 | return 0 3 | } 4 | 5 | install_build_dependencies_metasmt() { 6 | apt update -y 7 | 8 | dependencies=( 9 | # libgmp, gperf (required by yices2) 10 | gperf 11 | libgmp-dev 12 | 13 | build-essential 14 | git 15 | wget 16 | ca-certificates 17 | cmake 18 | zlib1g-dev 19 | bison 20 | flex 21 | unzip 22 | python 23 | autoconf 24 | python3 25 | ) 26 | 27 | #Install essential dependencies 28 | apt -y --no-install-recommends install "${dependencies[@]}" 29 | } -------------------------------------------------------------------------------- /klee/test/Concrete/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | if (${LLVM_VERSION_MAJOR} GREATER 4) 10 | set(OZERO_OPT "-O0 -Xclang -disable-O0-optnone") 11 | else() 12 | set(OZERO_OPT "-O0") 13 | endif() 14 | configure_file(Makefile.cmake.test.in Makefile.cmake.test @ONLY) 15 | -------------------------------------------------------------------------------- /klee/test/Runtime/POSIX/Fcntl.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t2.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --posix-runtime --exit-on-error %t2.bc --sym-files 1 10 4 | 5 | #include 6 | #include 7 | 8 | int main(int argc, char **argv) { 9 | int fd = open("A", O_RDWR|O_TRUNC); 10 | if (fd == -1) 11 | klee_silent_exit(0); 12 | assert(fd == 3); 13 | assert((fcntl(fd, F_GETFD) & FD_CLOEXEC) == 0); 14 | assert(fcntl(fd, F_SETFD, FD_CLOEXEC, 1) == 0); 15 | assert((fcntl(fd, F_GETFD) & FD_CLOEXEC) != 0); 16 | 17 | return 0; 18 | } 19 | -------------------------------------------------------------------------------- /klee/test/UBSan/shift3.c: -------------------------------------------------------------------------------- 1 | // REQUIRES: geq-llvm-12.0 2 | 3 | // RUN: clang shift3.c -fsanitize=shift -emit-llvm -g -c -o shift3.bc 4 | // RUN: rm -rf shift3.klee-out 5 | // RUN: klee --output-dir=shift3.klee-out shift3.bc 6 | 7 | #include "klee/klee.h" 8 | 9 | int lsh_overflow(unsigned int a, unsigned int b) { 10 | return a << b; 11 | } 12 | 13 | int main() { 14 | unsigned int a; 15 | unsigned int b; 16 | volatile unsigned int result; 17 | 18 | klee_make_symbolic(&a, sizeof(a), "a"); 19 | klee_make_symbolic(&b, sizeof(b), "b"); 20 | 21 | result = lsh_overflow(a, b); 22 | 23 | return 0; 24 | } -------------------------------------------------------------------------------- /klee/tools/kleaver/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | add_executable(kleaver 10 | main.cpp 11 | ) 12 | 13 | set(KLEE_LIBS 14 | kleaverSolver 15 | ) 16 | 17 | target_link_libraries(kleaver ${KLEE_LIBS}) 18 | 19 | install(TARGETS kleaver RUNTIME DESTINATION bin) 20 | -------------------------------------------------------------------------------- /klee/runtime/klee-libc/atexit.c: -------------------------------------------------------------------------------- 1 | /*==-- atexit.c ----------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | int __cxa_atexit(void (*fn)(void*), 11 | void *arg, 12 | void *dso_handle); 13 | 14 | int atexit(void (*fn)(void)) { 15 | return __cxa_atexit((void(*)(void*)) fn, 0, 0); 16 | } 17 | -------------------------------------------------------------------------------- /klee/scripts/build/p-klee-linux-ubuntu-16.04.inc: -------------------------------------------------------------------------------- 1 | install_build_dependencies_klee() { 2 | apt update -y 3 | 4 | dependencies=( 5 | build-essential 6 | cmake 7 | python-pip #for lit 8 | python-setuptools #for lit 9 | python-wheel #for lit 10 | zlib1g-dev 11 | python3 12 | python3-setuptools 13 | python3-pip 14 | python3-wheel 15 | ) 16 | 17 | if [[ $(to_bool "${COVERAGE}") -eq 1 ]]; then 18 | dependencies+=(lcov curl) 19 | fi 20 | 21 | apt -y --no-install-recommends install "${dependencies[@]}" 22 | 23 | pip install lit 24 | pip3 install tabulate 25 | } 26 | -------------------------------------------------------------------------------- /klee/test/Runtime/POSIX/Openat.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t2.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --posix-runtime --exit-on-error %t2.bc --sym-files 1 10 4 | // RUN: test -f %t.klee-out/test000001.ktest 5 | 6 | #include 7 | #include 8 | 9 | int main(int argc, char **argv) { 10 | int fd = openat(AT_FDCWD, "A", O_RDWR|O_TRUNC); 11 | if (fd != -1) { 12 | char buf[10]; 13 | assert(read(fd, buf, 10) == 10); 14 | assert(klee_is_symbolic(buf[0])); 15 | } else { 16 | klee_silent_exit(0); 17 | } 18 | return 0; 19 | } 20 | -------------------------------------------------------------------------------- /klee/test/Feature/WithLibc.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t2.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --libc=klee %t2.bc > %t3.log 4 | // RUN: echo "good" > %t3.good 5 | // RUN: diff %t3.log %t3.good 6 | 7 | int main() { 8 | char buf[4]; 9 | char *s = "foo"; 10 | 11 | klee_make_symbolic(buf, sizeof buf, "buf"); 12 | buf[3] = 0; 13 | 14 | if (strcmp(buf, s)==0) { 15 | if (buf[0]=='f' && buf[1]=='o' && buf[2]=='o' && buf[3]==0) { 16 | printf("good\n"); 17 | } else { 18 | printf("bad\n"); 19 | } 20 | } 21 | 22 | return 0; 23 | } 24 | -------------------------------------------------------------------------------- /klee/test/UBSan/pointer_overflow1.c: -------------------------------------------------------------------------------- 1 | // REQUIRES: geq-llvm-10.0 2 | 3 | // RUN: clang pointer_overflow1.c -fsanitize=pointer-overflow -emit-llvm -g -c -o pointer_overflow1.bc 4 | // RUN: rm -rf pointer_overflow1.klee-out 5 | // RUN: klee --output-dir=pointer_overflow1.klee-out pointer_overflow1.bc 6 | 7 | #include "klee/klee.h" 8 | #include 9 | 10 | int main() { 11 | size_t address; 12 | volatile char *result; 13 | 14 | klee_make_symbolic(&address, sizeof(address), "address"); 15 | klee_assume(address != 0); 16 | 17 | char *ptr = (char *)address; 18 | 19 | result = ptr + 1; 20 | return 0; 21 | } -------------------------------------------------------------------------------- /klee/test/Feature/DanglingConcreteReadExpr.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --optimize=false --output-dir=%t.klee-out %t1.bc 4 | // RUN: grep "total queries = 2" %t.klee-out/info 5 | 6 | #include 7 | 8 | int main() { 9 | unsigned char x, y; 10 | 11 | klee_make_symbolic(&x, sizeof x, "x"); 12 | 13 | y = x; 14 | 15 | // should be exactly two queries (prove x is/is not 10) 16 | // eventually should be 0 when we have fast solver 17 | if (x==10) { 18 | assert(y==10); 19 | } 20 | 21 | klee_silent_exit(0); 22 | return 0; 23 | } 24 | -------------------------------------------------------------------------------- /klee/test/Feature/OverlappedError.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -g -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | // RUN: ls %t.klee-out/ | grep .ktest | wc -l | grep 4 5 | // RUN: ls %t.klee-out/ | grep .ptr.err | wc -l | grep 2 6 | 7 | #include 8 | 9 | int main() { 10 | if (klee_range(0,2, "range")) { 11 | char *x = malloc(8); 12 | *((int*) &x[klee_range(0,6, "range")]) = 1; 13 | free(x); 14 | } else { 15 | char *x = malloc(8); 16 | *((int*) &x[klee_range(-1,5, "range")]) = 1; 17 | free(x); 18 | } 19 | return 0; 20 | } 21 | -------------------------------------------------------------------------------- /klee/tools/klee-stats/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | install(PROGRAMS klee-stats DESTINATION bin) 10 | 11 | # Copy into the build directory's binary directory 12 | # so system tests can find it 13 | configure_file(klee-stats "${CMAKE_RUNTIME_OUTPUT_DIRECTORY}/klee-stats" COPYONLY) 14 | -------------------------------------------------------------------------------- /klee/tools/ktest-tool/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | install(PROGRAMS ktest-tool DESTINATION bin) 10 | 11 | # Copy into the build directory's binary directory 12 | # so system tests can find it 13 | configure_file(ktest-tool "${CMAKE_RUNTIME_OUTPUT_DIRECTORY}/ktest-tool" COPYONLY) 14 | -------------------------------------------------------------------------------- /klee/lib/Basic/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | klee_add_component(kleeBasic 10 | KTest.cpp 11 | Statistics.cpp 12 | ) 13 | set(LLVM_COMPONENTS 14 | support 15 | ) 16 | 17 | klee_get_llvm_libs(LLVM_LIBS ${LLVM_COMPONENTS}) 18 | target_link_libraries(kleeBasic PUBLIC ${LLVM_LIBS}) 19 | -------------------------------------------------------------------------------- /klee/scripts/genTempFiles.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # ===-- genTempFiles.sh ---------------------------------------------------===## 4 | # 5 | # The KLEE Symbolic Virtual Machine 6 | # 7 | # This file is distributed under the University of Illinois Open Source 8 | # License. See LICENSE.TXT for details. 9 | # 10 | # ===----------------------------------------------------------------------===## 11 | 12 | if [ -z "$1" ] ; then 13 | echo "No directory given" 14 | exit 1 15 | fi 16 | 17 | mkdir -p $1 18 | for i in `seq 1 100`; do 19 | mkdir -p $1/dir_foo_$i 20 | touch $1/tmp_foo_$i 21 | done 22 | -------------------------------------------------------------------------------- /klee/test/regression/2007-08-01-cache-unclear-on-overwrite-flushed.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | 5 | #include 6 | #include 7 | 8 | int main() { 9 | unsigned char x; 10 | 11 | klee_make_symbolic(&x, sizeof x, "x"); 12 | if (x >= 2) klee_silent_exit(0); 13 | 14 | char delete[2] = {0,1}; 15 | 16 | char tmp = delete[ x ]; 17 | char tmp2 = delete[0]; 18 | delete[ x ] = tmp2; 19 | 20 | if (x==1) { 21 | assert(delete[1] == 0); 22 | return 0; 23 | } 24 | 25 | return 0; 26 | } 27 | -------------------------------------------------------------------------------- /klee/test/Solver/STPDumpDebugQueries.c: -------------------------------------------------------------------------------- 1 | // REQUIRES: stp 2 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 3 | // RUN: rm -rf %t.klee-out 4 | // RUN: %klee -solver-backend=stp --output-dir=%t.klee-out -debug-dump-stp-queries %t1.bc 5 | // RUN: cat %t.klee-out/warnings.txt | FileCheck %s 6 | 7 | // Objective: test -debug-dump-stp-queries (just invocation and header in warnings.txt) 8 | 9 | #include "klee/klee.h" 10 | 11 | int main(int argc, char **argv) { 12 | unsigned i; 13 | klee_make_symbolic(&i, sizeof i, "i"); 14 | if (i) 15 | return 0; 16 | else 17 | return 1; 18 | // CHECK: KLEE: WARNING: STP query: 19 | } 20 | -------------------------------------------------------------------------------- /klee/tools/gen-random-bout/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | add_executable(gen-random-bout 10 | gen-random-bout.cpp 11 | ) 12 | 13 | set(KLEE_LIBS kleeBasic) 14 | 15 | target_link_libraries(gen-random-bout ${KLEE_LIBS}) 16 | 17 | install(TARGETS gen-random-bout RUNTIME DESTINATION bin) 18 | -------------------------------------------------------------------------------- /klee/test/Feature/MakeConcreteSymbolic.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --optimize=false --output-dir=%t.klee-out --exit-on-error %t1.bc 4 | // RUN: grep "done: total queries = 0" %t.klee-out/info 5 | 6 | // RUN: rm -rf %t.klee-out 7 | // RUN: %klee --optimize=false --output-dir=%t.klee-out --make-concrete-symbolic=1 --exit-on-error %t1.bc 8 | // RUN: grep "done: total queries = 2" %t.klee-out/info 9 | 10 | 11 | #include 12 | 13 | #define N 2 14 | int main() { 15 | int i; 16 | char a; 17 | 18 | a = 10; 19 | assert(a == 10); 20 | 21 | return 0; 22 | } 23 | -------------------------------------------------------------------------------- /klee/test/Feature/PreferCex.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc 4 | // RUN: ktest-tool %t.klee-out/test000001.ktest | FileCheck %s 5 | 6 | #include 7 | #include 8 | #include 9 | 10 | int main() { 11 | char buf[4]; 12 | 13 | klee_make_symbolic(buf, sizeof buf, "buf"); 14 | // CHECK: Hi\x00\x00 15 | klee_prefer_cex(buf, buf[0]=='H'); 16 | klee_prefer_cex(buf, buf[1]=='i'); 17 | klee_prefer_cex(buf, buf[2]=='\0'); 18 | klee_prefer_cex(buf, buf[3]=='\0'); 19 | 20 | return 0; 21 | } 22 | -------------------------------------------------------------------------------- /klee/test/UBSan/pointer_overflow4.c: -------------------------------------------------------------------------------- 1 | // REQUIRES: geq-llvm-10.0 2 | 3 | // RUN: clang pointer_overflow4.c -fsanitize=pointer-overflow -emit-llvm -g -c -o pointer_overflow4.bc 4 | // RUN: rm -rf pointer_overflow4.klee-out 5 | // RUN: klee --output-dir=pointer_overflow4.klee-out pointer_overflow4.bc 6 | 7 | #include "klee/klee.h" 8 | #include 9 | 10 | int main() { 11 | char c; 12 | char* ptr = &c; 13 | 14 | size_t offset; 15 | volatile char* result; 16 | 17 | klee_make_symbolic(&offset, sizeof(offset), "offset"); 18 | klee_assume((size_t)(ptr) + offset != 0); 19 | 20 | result = ptr + offset; 21 | 22 | return 0; 23 | } -------------------------------------------------------------------------------- /klee/runtime/klee-libc/bcmp.c: -------------------------------------------------------------------------------- 1 | /*===-- bcmp.c ------------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | #include 11 | 12 | int bcmp(const void *s1, const void *s2, size_t n) { 13 | const unsigned char *p1 = s1, *p2 = s2; 14 | while (--n != 0) { 15 | if (*p1++ != *p2++) 16 | return 1; 17 | } 18 | return 0; 19 | } 20 | -------------------------------------------------------------------------------- /klee/test/Runtime/POSIX/Getenv.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t2.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --libc=klee --posix-runtime --exit-on-error %t2.bc --sym-files 1 10 4 | 5 | #include 6 | 7 | int main(int argc, char **argv) { 8 | char *g = getenv("PWD"); 9 | if (g) { 10 | printf("have PWD\n"); 11 | } else { 12 | printf("have no PWD\n"); 13 | } 14 | 15 | g = getenv("HELLO"); 16 | if (!g || strcmp(g, "nice")==0) { 17 | printf("getenv(\"HELLO\") = %p\n", g); 18 | if (g) assert(strcmp(getenv("HELLO"),"nice") == 0); 19 | } 20 | 21 | return 0; 22 | } 23 | -------------------------------------------------------------------------------- /klee/test/Solver/LargeIntegers.kquery: -------------------------------------------------------------------------------- 1 | # RUN: %kleaver %s > %t 2 | 3 | array a[64] : w32 -> w8 = symbolic 4 | 5 | # RUN: grep -A 1 "Query 0" %t > %t2 6 | # RUN: grep "Expr 0: 18446744073709551618" %t2 7 | (query [] false [(Concat w128 (w64 1) (w64 2))]) 8 | 9 | # RUN: grep -A 1 "Query 1" %t > %t2 10 | # RUN: grep "Expr 0: 16" %t2 11 | (query [] false [(Extract w5 60 (Concat w128 (w64 1) (w64 2)))]) 12 | 13 | # RUN: grep -A 1 "Query 2" %t > %t2 14 | # RUN: grep "Array 0: a.16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1" %t2 15 | (query [(Eq 0x0102030405060708090A0B0C0D0E0F10 (ReadLSB w128 0 a))] 16 | false 17 | [] [a]) 18 | -------------------------------------------------------------------------------- /klee/tools/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | add_subdirectory(gen-bout) 10 | add_subdirectory(gen-random-bout) 11 | add_subdirectory(kleaver) 12 | add_subdirectory(klee) 13 | add_subdirectory(klee-replay) 14 | add_subdirectory(klee-stats) 15 | add_subdirectory(ktest-tool) 16 | add_subdirectory(converter) 17 | -------------------------------------------------------------------------------- /klee/runtime/klee-libc/mempcpy.c: -------------------------------------------------------------------------------- 1 | /*===-- mempcpy.c ---------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | #include 11 | 12 | void *mempcpy(void *destaddr, void const *srcaddr, size_t len) { 13 | char *dest = destaddr; 14 | char const *src = srcaddr; 15 | 16 | while (len-- > 0) 17 | *dest++ = *src++; 18 | return dest; 19 | } 20 | -------------------------------------------------------------------------------- /klee/runtime/klee-libc/putchar.c: -------------------------------------------------------------------------------- 1 | /*===-- putchar.c ---------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | #include 11 | #include 12 | 13 | /* Some header may #define putchar. */ 14 | #undef putchar 15 | 16 | int putchar(int c) { 17 | char x = c; 18 | if (1 == write(1, &x, 1)) 19 | return c; 20 | return EOF; 21 | } 22 | -------------------------------------------------------------------------------- /klee/runtime/klee-libc/strrchr.c: -------------------------------------------------------------------------------- 1 | /*===-- strrchr.c ---------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | #include 11 | 12 | char *strrchr(const char *t, int c) { 13 | char ch; 14 | const char *l=0; 15 | 16 | ch = c; 17 | for (;;) { 18 | if (*t == ch) l=t; if (!*t) return (char*)l; ++t; 19 | } 20 | return (char*)l; 21 | } 22 | -------------------------------------------------------------------------------- /klee/scripts/build/v-sanitizer_compiler.inc: -------------------------------------------------------------------------------- 1 | # Meta-package for solvers 2 | required_variables_sanitizer_compiler=("") 3 | 4 | # On which artifacts does STP depend on 5 | artifact_dependency_sanitizer_compiler(){ 6 | echo "sanitizer" 7 | if [[ -n ${SANITIZER_BUILD+x} ]]; then 8 | [[ "${SANITIZER_BUILD}" == "memory" ]] && echo "llvm" 9 | [[ "${SANITIZER_BUILD}" != "memory" ]] && echo "clang" 10 | fi 11 | } 12 | 13 | 14 | # Setup general variables 15 | setup_variables_sanitizer_compiler() { 16 | for sanitizer in "${SANITIZERS[@]}"; do 17 | [[ -z "${sanitizer}" ]] && continue 18 | SANITIZER_CMAKE_C_COMPILER=("") 19 | done 20 | } -------------------------------------------------------------------------------- /klee/utils/sanitizers/lsan.txt: -------------------------------------------------------------------------------- 1 | # This file tells the LeakSanitizer (LSan)component of the AddressSanitizer (-fsanitizer=address) 2 | # to ignore certain leaks at runtime. To tell LSan about these set the environment variable 3 | # LSAN_OPTIONS=suppressions=/path/to/this/file and then run the sanitized build of KLEE. 4 | # 5 | # Ideally we shouldn't need to suppress anything but currently KLEE seems to be leaking 6 | # The suppressions below are what's needed for ``make unittests`` and ``make check`` to not 7 | # fail due to leaks. 8 | 9 | # Ignore tcmalloc 10 | leak:src/malloc_extension.cc 11 | # Memory leak from klee_replay 12 | leak:klee-replay.c 13 | -------------------------------------------------------------------------------- /klee/runtime/FreeStanding/memcpy.c: -------------------------------------------------------------------------------- 1 | /*===-- memcpy.c ----------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | #include 11 | 12 | void *memcpy(void *destaddr, void const *srcaddr, size_t len) { 13 | char *dest = destaddr; 14 | char const *src = srcaddr; 15 | 16 | while (len-- > 0) 17 | *dest++ = *src++; 18 | return destaddr; 19 | } 20 | -------------------------------------------------------------------------------- /klee/test/regression/2016-12-14-alloc-alignment.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -Wall -emit-llvm -g %O0opt -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t.bc 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | // Global should be aligned on a 128-byte boundary 10 | int foo __attribute__((aligned(128))); 11 | 12 | int main() { 13 | int bar __attribute__((aligned(256))); 14 | 15 | // Check alignment of global 16 | assert(((size_t)&foo) % 128 == 0); 17 | 18 | // Check alignment of local 19 | assert(((size_t)&bar) % 256 == 0); 20 | return 0; 21 | } 22 | -------------------------------------------------------------------------------- /klee/examples/regexp/notes.txt: -------------------------------------------------------------------------------- 1 | clang -m32 -I ~/private/klee/include -c -emit-llvm Regexp.c 2 | 3 | klee Regexp.o 4 | klee --only-output-states-covering-new Regexp.o 5 | ls -l klee-out-0 6 | ls -l klee-out-1 7 | ls -l klee-last 8 | 9 | cd klee-last 10 | klee-bout-tool *.bout 11 | klee-bout-tool --trim-zeros *.bout 12 | 13 | Stuff to show: 14 | Adding klee_prefer_cex 15 | 16 | PrintStats.py klee-last 17 | 18 | PrintStats.py klee-last 19 | Why not 100% coverage? 20 | 21 | clang -g -m32 -I ~/private/klee/include -c -emit-llvm Regexp.c 22 | 23 | KCachegrind? 24 | 25 | Disable klee_assume, show coverage again (why is klee-check-div getting pulled 26 | in?) 27 | -------------------------------------------------------------------------------- /klee/include/klee/Internal/Module/Cell.h: -------------------------------------------------------------------------------- 1 | //===-- Cell.h --------------------------------------------------*- C++ -*-===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #ifndef KLEE_CELL_H 11 | #define KLEE_CELL_H 12 | 13 | #include "klee/Expr/Expr.h" 14 | 15 | namespace klee { 16 | class MemoryObject; 17 | 18 | struct Cell { 19 | ref value; 20 | }; 21 | } 22 | 23 | #endif /* KLEE_CELL_H */ 24 | -------------------------------------------------------------------------------- /klee/include/klee/Internal/System/MemoryUsage.h: -------------------------------------------------------------------------------- 1 | //===-- MemoryUsage.h -------------------------------------------*- C++ -*-===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #ifndef KLEE_MEMORYUSAGE_H 11 | #define KLEE_MEMORYUSAGE_H 12 | 13 | #include 14 | 15 | namespace klee { 16 | namespace util { 17 | size_t GetTotalMallocUsage(); 18 | } 19 | } 20 | 21 | #endif /* KLEE_MEMORYUSAGE_H */ 22 | -------------------------------------------------------------------------------- /klee/test/Runtime/POSIX/Write2.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error --libc=uclibc --posix-runtime %t.bc --sym-files 1 10 --sym-stdout 2>%t.log 4 | 5 | #include 6 | #include 7 | 8 | int main(int argc, char** argv) { 9 | const char* msg = "This will eventually overflow stdout. "; 10 | char buf[32]; 11 | int i; 12 | 13 | FILE* f = stdout;//fopen("A", "w"); 14 | if (!f) 15 | klee_silent_exit(0); 16 | 17 | for (i = 0; i < 300; i++) 18 | fwrite(msg, sizeof(msg), 1, f); 19 | fclose(f); 20 | 21 | return 0; 22 | } 23 | -------------------------------------------------------------------------------- /klee/test/UBSan/integer_overflow1.c: -------------------------------------------------------------------------------- 1 | 2 | // RUN: clang integer_overflow1.c -fsanitize=signed-integer-overflow -emit-llvm -g -c -o integer_overflow1.bc 3 | // RUN: rm -rf integer_overflow1.klee-out 4 | // RUN: klee --output-dir=integer_overflow1.klee-out integer_overflow1.bc 5 | 6 | #include "klee/klee.h" 7 | 8 | int main() { 9 | signed int x; 10 | signed int y; 11 | volatile signed int result; 12 | 13 | klee_make_symbolic(&x, sizeof(x), "x"); 14 | klee_make_symbolic(&y, sizeof(y), "y"); 15 | 16 | result = x + y; 17 | result = x - y; 18 | result = x * y; 19 | result = x / y; 20 | result = x % y; 21 | result = -x; 22 | 23 | return 0; 24 | } -------------------------------------------------------------------------------- /klee/test/UBSan/integer_overflow2.c: -------------------------------------------------------------------------------- 1 | // RUN: clang integer_overflow2.c -fsanitize=signed-integer-overflow -emit-llvm -g -c -o integer_overflow2.bc 2 | // RUN: rm -rf integer_overflow2.klee-out 3 | // RUN: klee --output-dir=integer_overflow2.klee-out integer_overflow2.bc 4 | 5 | #include "klee/klee.h" 6 | 7 | int main() { 8 | unsigned int x; 9 | unsigned int y; 10 | volatile unsigned int result; 11 | 12 | klee_make_symbolic(&x, sizeof(x), "x"); 13 | klee_make_symbolic(&y, sizeof(y), "y"); 14 | 15 | result = x + y; 16 | result = x - y; 17 | result = x * y; 18 | result = x / y; 19 | result = x % y; 20 | result = -x; 21 | 22 | return 0; 23 | } -------------------------------------------------------------------------------- /klee/lib/README.txt: -------------------------------------------------------------------------------- 1 | The klee and kleaver code is organized as follows: 2 | 3 | lib/Basic - Low level support for both klee and kleaver which should 4 | be independent of LLVM. 5 | 6 | lib/Support - Higher level support, but only used by klee. This can 7 | use LLVM facilities. 8 | 9 | lib/Expr - The core kleaver expression library. 10 | 11 | lib/Solver - The kleaver solver library. 12 | 13 | lib/Module - klee facilities for working with LLVM modules, including 14 | the shadow module/instruction structures we use during 15 | execution. 16 | 17 | lib/Core - The core symbolic virtual machine. 18 | 19 | -------------------------------------------------------------------------------- /klee/test/CXX/New.cpp: -------------------------------------------------------------------------------- 1 | // RUN: %clangxx %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --write-no-tests --exit-on-error --external-calls=none %t1.bc 4 | 5 | #include 6 | 7 | class Test { 8 | int x; 9 | 10 | public: 11 | Test(int _x) : x(_x) { 12 | } 13 | ~Test() { 14 | } 15 | 16 | int getX() { return x; } 17 | }; 18 | 19 | // This doesn't do what I want because 20 | // it is being changed to alloca, but 21 | // it is also failing. 22 | int main(int argc) { 23 | Test *rt = new Test(2); 24 | 25 | assert(rt->getX()==2); 26 | 27 | delete rt; 28 | 29 | return 0; 30 | } 31 | -------------------------------------------------------------------------------- /klee/runtime/Makefile.cmake.bitcode: -------------------------------------------------------------------------------- 1 | #===--------------------------------------------------------*- Makefile -*--===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | LEVEL := ./ 10 | include $(LEVEL)/Makefile.cmake.bitcode.config 11 | 12 | DIRS += Intrinsic 13 | DIRS += klee-libc 14 | DIRS += FreeStanding 15 | 16 | ifneq ($(ENABLE_POSIX_RUNTIME),0) 17 | DIRS += POSIX 18 | endif 19 | 20 | include $(LEVEL)/Makefile.cmake.bitcode.rules 21 | -------------------------------------------------------------------------------- /klee/test/CXX/StaticDestructor.cpp: -------------------------------------------------------------------------------- 1 | // don't optimize this, llvm likes to turn the *p into unreachable 2 | 3 | // RUN: %clangxx %s -emit-llvm -g %O0opt -c -o %t1.bc 4 | // RUN: rm -rf %t.klee-out 5 | // RUN: %klee --output-dir=%t.klee-out --optimize=false --libc=klee --write-no-tests %t1.bc 2> %t1.log 6 | // RUN: FileCheck --input-file %t1.log %s 7 | 8 | #include 9 | 10 | class Test { 11 | int *p; 12 | 13 | public: 14 | Test() : p(0) {} 15 | ~Test() { 16 | assert(!p); 17 | // CHECK: :[[@LINE+1]]: memory error 18 | assert(*p == 10); // crash here 19 | } 20 | }; 21 | 22 | Test t; 23 | 24 | int main(int argc, char **argv) { return 0; } 25 | -------------------------------------------------------------------------------- /klee/test/regression/2016-04-14-sdiv-2.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -g %O0opt -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out -exit-on-error -solver-optimize-divides=true %t.bc >%t1.log 4 | // RUN: grep "m is 2" %t1.log 5 | #include 6 | #include 7 | 8 | #include "klee/klee.h" 9 | 10 | int main(void) 11 | { 12 | int n, m; 13 | klee_make_symbolic(&n, sizeof n, "n"); 14 | klee_assume(n < -1); 15 | 16 | if (n/2 > 0) 17 | assert(0); 18 | 19 | klee_make_symbolic(&m, sizeof m, "m"); 20 | klee_assume(m > 0); 21 | 22 | if (m/2 == 2) 23 | printf("m is 2\n"); 24 | 25 | return 0; 26 | } 27 | -------------------------------------------------------------------------------- /klee/test/Feature/CopyOnWrite.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --search=random-state --exit-on-error %t1.bc 4 | 5 | #include 6 | 7 | #define N 5 8 | 9 | unsigned branches = 0; 10 | 11 | void explode(int *ap, int i, int *result) { 12 | if (i 12 | #include "klee/klee.h" 13 | 14 | int main(int argc, char** args){ 15 | int x = klee_int("x"); 16 | if (x > 0){ 17 | std::cout << "greater: " << x << std::endl; 18 | } else { 19 | std::cout << "lower: " << x << std::endl; 20 | } 21 | return 0; 22 | } 23 | -------------------------------------------------------------------------------- /klee/utils/valgrind/valgrind-stp.supp: -------------------------------------------------------------------------------- 1 | { 2 | STP:BeevMgr 3 | Memcheck:Leak 4 | fun:_vgrZU_libstdcZpZpZa__Znwj 5 | fun:_ZN4BEEV7BeevMgr* 6 | } 7 | { 8 | STP:BeevMgr:strdup 9 | Memcheck:Leak 10 | fun:_vgrZU_libcZdsoZa_malloc 11 | fun:strdup 12 | fun:_ZN4BEEV7BeevMgr* 13 | } 14 | { 15 | STP:c_interface 16 | Memcheck:Leak 17 | fun:_vgrZU_libstdcZpZpZa__Znwj 18 | fun:vc_* 19 | } 20 | { 21 | STP:BeevMgr:vector 22 | Memcheck:Leak 23 | fun:_vgrZU_libstdcZpZpZa__Znwj 24 | fun:_ZNSt6vector* 25 | fun:_ZN4BEEV7BeevMgr* 26 | } 27 | { 28 | LLVM:Tmp1 29 | Memcheck:Leak 30 | fun:_vgrZU_libstdcZpZpZa__Znwj 31 | fun:_ZN4llvm* 32 | } 33 | -------------------------------------------------------------------------------- /klee/test/regression/2018-10-28-alias-to-alias.ll: -------------------------------------------------------------------------------- 1 | ; RUN: rm -rf %t.klee-out 2 | ; RUN: llvm-as -f %s -o - | %klee --output-dir=%t.klee-out 3 | target datalayout = "e-p:64:64:64-i1:8:8-i8:8:8-i16:16:16-i32:32:32-i64:64:64-f32:32:32-f64:64:64-v64:64:64-v128:128:128-a0:0:64-s0:64:64-f80:128:128-n8:16:32:64-S128" 4 | target triple = "x86_64-unknown-linux-gnu" 5 | 6 | ; @foo is not known yet 7 | @foo2 = alias i32 (...), i32 (...)* @foo 8 | @foo = alias i32 (...), bitcast (i32 ()* @__foo to i32 (...)*) 9 | 10 | define i32 @__foo() { 11 | entry: 12 | ret i32 42 13 | } 14 | 15 | define i32 @main() { 16 | entry: 17 | call i32 (...) @foo() 18 | call i32 (...) @foo2() 19 | ret i32 0 20 | } 21 | -------------------------------------------------------------------------------- /klee/tools/klee/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | add_executable(klee 10 | main.cpp 11 | ) 12 | 13 | set(KLEE_LIBS 14 | kleeCore 15 | ) 16 | 17 | target_link_libraries(klee ${KLEE_LIBS}) 18 | 19 | install(TARGETS klee RUNTIME DESTINATION bin) 20 | 21 | # The KLEE binary depends on the runtimes 22 | add_dependencies(klee BuildKLEERuntimes) 23 | -------------------------------------------------------------------------------- /klee/test/Feature/SetForking.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang -emit-llvm -g -c %s -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t.bc > %t.log 4 | // RUN: sort %t.log | uniq -c > %t.uniq.log 5 | // RUN: grep "1 A" %t.uniq.log 6 | // RUN: grep "1 B" %t.uniq.log 7 | // RUN: grep "1 C" %t.uniq.log 8 | 9 | #include 10 | 11 | int main() { 12 | klee_set_forking(0); 13 | 14 | if (klee_range(0, 2, "range")) { 15 | printf("A\n"); 16 | } else { 17 | printf("A\n"); 18 | } 19 | 20 | klee_set_forking(1); 21 | 22 | if (klee_range(0, 2, "range")) { 23 | printf("B\n"); 24 | } else { 25 | printf("C\n"); 26 | } 27 | 28 | return 0; 29 | } 30 | -------------------------------------------------------------------------------- /klee/test/Runtime/POSIX/Write1.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error --libc=uclibc --posix-runtime %t.bc --sym-files 1 10 --sym-stdout 2>%t.log 4 | 5 | #include 6 | #include 7 | 8 | int main(int argc, char** argv) { 9 | char buf[32]; 10 | 11 | FILE* f = fopen("A", "w"); 12 | if (!f) 13 | klee_silent_exit(0); 14 | fwrite("Hello", sizeof("Hello"), 1, f); 15 | fclose(f); 16 | 17 | f = fopen("A", "r"); 18 | fread(buf, sizeof("Hello"), 1, f); 19 | fclose(f); 20 | 21 | assert(memcmp(buf, "Hello", sizeof("Hello")) == 0); 22 | 23 | return 0; 24 | } 25 | -------------------------------------------------------------------------------- /klee/test/regression/2014-12-08-ashr.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -g %O0opt -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out -exit-on-error %t.bc 4 | 5 | #include "klee/klee.h" 6 | 7 | #include 8 | 9 | int f1(int a, int b) { 10 | return a + b; 11 | } 12 | 13 | int f2(int a, int b) { 14 | int i; 15 | for (i = 0; i < sizeof(b) * 8; i++) 16 | a += (((b >> i) & 1) << i); 17 | 18 | return a; 19 | } 20 | 21 | int main(int argc, char **argv) { 22 | int a, b; 23 | klee_make_symbolic(&a, sizeof(a), "a"); 24 | klee_make_symbolic(&b, sizeof(b), "b"); 25 | 26 | klee_assert(f1(a, b) == f2(a, b)); 27 | 28 | return 0; 29 | } 30 | 31 | -------------------------------------------------------------------------------- /klee/test/regression/2016-06-28-div-zero-bug.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -g %O0opt -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --use-cex-cache=false %t.bc >%t1.log 4 | 5 | // This bug is triggered when using STP up to an including 2.1.0 6 | // See https://github.com/klee/klee/issues/308 7 | // and https://github.com/stp/stp/issues/206 8 | 9 | int b, a, g; 10 | 11 | int *c = &b, *d = &b, *f = &a; 12 | 13 | int safe_div(short p1, int p2) { 14 | return p2 == 0 ? p1 : p2; 15 | } 16 | 17 | int main() { 18 | klee_make_symbolic(&b, sizeof b, "b"); 19 | if (safe_div(*c, 0)) 20 | *f = (int)&b % *c; 21 | 22 | safe_div(a && g, *d); 23 | } 24 | -------------------------------------------------------------------------------- /klee/include/klee/Config/CompileTimeInfo.h.cmin: -------------------------------------------------------------------------------- 1 | //===-- CompileTimeInfo.h ---------------------------------------*- C++ -*-===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | // @AUTO_GEN_MSG@ 11 | #ifndef KLEE_COMPILETIMEINFO_H 12 | #define KLEE_COMPILETIMEINFO_H 13 | 14 | #define KLEE_BUILD_MODE "@CMAKE_BUILD_TYPE@ (Asserts: @ENABLE_KLEE_ASSERTS@)" 15 | #define KLEE_BUILD_REVISION "@KLEE_GIT_SHA1HASH@" 16 | 17 | #endif /* KLEE_COMPILETIMEINFO_H */ 18 | -------------------------------------------------------------------------------- /klee/test/regression/2007-08-06-access-after-free.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | 5 | #include 6 | 7 | int main() { 8 | int a; 9 | unsigned char *p = malloc(4); 10 | 11 | klee_make_symbolic(&a, sizeof a, "a"); 12 | klee_make_symbolic(p, sizeof p, "p"); 13 | 14 | p[0] |= 16; 15 | 16 | if (a) { 17 | free(p); 18 | 19 | // this should give an error instead of 20 | // pulling the state from the parent, where 21 | // it is not free 22 | assert(p[0] > 10); 23 | 24 | return 0; 25 | } 26 | 27 | assert(p[0] > 10); 28 | 29 | return 0; 30 | } 31 | -------------------------------------------------------------------------------- /klee/runtime/Intrinsic/klee_choose.c: -------------------------------------------------------------------------------- 1 | /*===-- klee-choose.c -----------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | #include "klee/klee.h" 11 | 12 | uintptr_t klee_choose(uintptr_t n) { 13 | uintptr_t x; 14 | klee_make_symbolic(&x, sizeof x, "klee_choose"); 15 | 16 | /* NB: this will *not* work if they don't compare to n values. */ 17 | if(x >= n) 18 | klee_silent_exit(0); 19 | return x; 20 | } 21 | -------------------------------------------------------------------------------- /klee/utils/hacks/TreeGraphs/README.txt: -------------------------------------------------------------------------------- 1 | A little hack which converts KLEE treestream's of path branch information into 2 | images/animations. It is not particularly fast nor is the code very 3 | elegant. It's a hack, after all! 4 | 5 | There are a couple example input streams in inputs/. You can generate a single 6 | image frame with, e.g.:: 7 | 8 | $ ./TreeGraph.py --count=500 inputs/symPaths6.ts t.pdf 9 | 10 | which will generate an image of the first 500 paths that were explored. 11 | 12 | 13 | You can generate a sequence of frames from a file using:: 14 | 15 | $ ./Animate.py --start=10 --end=2000 inputs/symPaths6.ts anim-01 16 | 17 | which will generate a sequence of .pdf frames in anim-01. 18 | -------------------------------------------------------------------------------- /klee/test/regression/2015-08-30-empty-constraints.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -g %O0opt -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t.bc 2> %t.log 4 | // RUN: FileCheck -input-file=%t.log %s 5 | 6 | /** 7 | * This test generates one execution state without constraints. 8 | * 9 | * The state gets terminated (in this case return) and initial values 10 | * are generated. 11 | * Make sure we are able to generate an input. 12 | */ 13 | int main() { 14 | int d; 15 | 16 | klee_make_symbolic(&d, sizeof(d), "d"); 17 | 18 | // CHECK-NOT: unable to compute initial values (invalid constraints?)! 19 | if ((d & 2) / 4) 20 | return 1; 21 | return 0; 22 | } 23 | -------------------------------------------------------------------------------- /klee/test/regression/2017-02-21-pathOS-id.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -g %O0opt -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out -write-paths %t.bc 2> %t.log 4 | // RUN: cat %t.klee-out/test000001.path | wc -l | grep -q 1 5 | // RUN: cat %t.klee-out/test000002.path | wc -l | grep -q 1 6 | // RUN: cat %t.klee-out/test000003.path | wc -l | grep -q 1 7 | // RUN: cat %t.klee-out/test000004.path | wc -l | grep -q 1 8 | int main(){ 9 | int a, b; 10 | klee_make_symbolic (&a, sizeof(int), "a"); 11 | klee_make_symbolic (&b, sizeof(int), "b"); 12 | klee_assume(a<2); 13 | klee_assume(a>=0); 14 | malloc(a); 15 | if(b){ 16 | b++;//do something 17 | } 18 | return b; 19 | } 20 | -------------------------------------------------------------------------------- /klee/test/Runtime/POSIX/MixedConcreteSymbolic.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --external-calls=all --exit-on-error --libc=uclibc --posix-runtime %t.bc --sym-stdin 10 2>%t.log | FileCheck %s 4 | 5 | #include "klee/klee.h" 6 | #include 7 | #include 8 | 9 | int main(int argc, char **argv) { 10 | char buf[32]; 11 | 12 | fread(buf, 1, 4, stdin); 13 | klee_assume(buf[0] == 'a'); 14 | klee_assume(buf[1] > 'a'); 15 | klee_assume(buf[1] < 'z'); 16 | klee_assume(buf[2] == '\n'); 17 | klee_assume(buf[3] == '\0'); 18 | fwrite(buf, 1, 4, stdout); 19 | //CHECK: a{{[b-y]}} 20 | 21 | return 0; 22 | } 23 | -------------------------------------------------------------------------------- /klee/test/regression/2016-03-22-independence-solver-missing-objects-for-assignment.kquery: -------------------------------------------------------------------------------- 1 | # RUN: %kleaver %s 2>&1 | FileCheck %s 2 | array n_args[4] : w32 -> w8 = symbolic 3 | array n_args_1[4] : w32 -> w8 = symbolic 4 | array A-data-stat[144] : w32 -> w8 = symbolic 5 | array stdin-stat[144] : w32 -> w8 = symbolic 6 | (query [(Ult N0:(ReadLSB w32 0 n_args) 2) 7 | (Slt 0 N0) 8 | (Ult N1:(ReadLSB w32 0 n_args_1) 3) 9 | (Slt 0 N1) 10 | (Slt 1 N1) 11 | (Eq false (Eq 0 (And w64 (ReadLSB w64 8 A-data-stat) 2147483647))) 12 | (Ult (ReadLSB w64 56 A-data-stat) 65536) 13 | (Eq false (Eq 0 (And w64 (ReadLSB w64 8 stdin-stat) 2147483647)))] 14 | (Eq false (Ult (ReadLSB w64 56 stdin-stat) 65536)) [] [n_args]) 15 | # CHECK: INVALID 16 | -------------------------------------------------------------------------------- /klee/test/Expr/Parser/TypeChecking.kquery: -------------------------------------------------------------------------------- 1 | # RUN: not %kleaver %s 2> %t.log 2 | 3 | 4 | 5 | # RUN: grep "TypeChecking.kquery:7:9: error: type widths do not match in binary expression" %t.log 6 | array arr1[8] : w32 -> w8 = symbolic 7 | (query [(Eq (ReadLSB w32 0 arr1) true)] 8 | false) 9 | 10 | # RUN: grep "TypeChecking.kquery:14:25: error: invalid write index (doesn't match array domain)" %t.log 11 | # RUN: grep "TypeChecking.kquery:14:35: error: invalid write value (doesn't match array range)" %t.log 12 | # FIXME: Add array declarations 13 | array arr2[8] : w32 -> w8 = symbolic 14 | (query [(Eq (Read w8 0 [ (w17 0) = (w9 0) ] @ arr2) 0)] false) 15 | 16 | # RUN: grep "TypeChecking.kquery: parse failure: 3 errors." %t.log 17 | -------------------------------------------------------------------------------- /klee/test/Feature/CheckMemoryAccess.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang -emit-llvm -g -c %s -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t.bc > %t.log 4 | // RUN: grep -q "good" %t.log 5 | // RUN: not grep -q "bad" %t.log 6 | 7 | #include 8 | #include 9 | #include 10 | 11 | int main() { 12 | char buf[4]; 13 | 14 | klee_check_memory_access(&buf, 1); 15 | printf("good\n"); 16 | if (klee_range(0, 2, "range1")) { 17 | klee_check_memory_access(0, 1); 18 | printf("null pointer deref: bad\n"); 19 | } 20 | 21 | if (klee_range(0, 2, "range2")) { 22 | klee_check_memory_access(buf, 5); 23 | printf("oversize access: bad\n"); 24 | } 25 | 26 | return 0; 27 | } 28 | -------------------------------------------------------------------------------- /klee/test/Feature/utils.h: -------------------------------------------------------------------------------- 1 | typedef unsigned char uint8_t; 2 | typedef unsigned short uint16_t; 3 | typedef unsigned int uint32_t; 4 | typedef unsigned long long uint64_t; 5 | 6 | uint32_t util_make_and_i1(uint32_t a, uint32_t b); 7 | uint32_t util_make_or_i1(uint32_t a, uint32_t b); 8 | 9 | uint16_t util_make_concat2(uint8_t a, uint8_t b); 10 | uint32_t util_make_concat4(uint8_t a, uint8_t b, 11 | uint8_t c, uint8_t d); 12 | uint64_t util_make_concat8(uint8_t a, uint8_t b, 13 | uint8_t c, uint8_t d, 14 | uint8_t e, uint8_t f, 15 | uint8_t g, uint8_t h); 16 | uint32_t util_make_select(uint32_t cond, uint32_t true, uint32_t false); 17 | -------------------------------------------------------------------------------- /klee/test/Runtime/POSIX/FilePerm.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --posix-runtime %t.bc --sym-files 1 10 --sym-stdout 2>%t.log 4 | // RUN: test -f %t.klee-out/test000001.ktest 5 | // RUN: test -f %t.klee-out/test000002.ktest 6 | // RUN: test -f %t.klee-out/test000003.ktest 7 | 8 | #include 9 | #include 10 | #include 11 | #include 12 | 13 | int main(int argc, char** argv) { 14 | int fd = open("A", O_RDWR); 15 | if (fd != -1) 16 | fprintf(stderr, "File 'A' opened successfully\n"); 17 | else fprintf(stderr, "Cannot open file 'A'\n"); 18 | 19 | if (fd != -1) 20 | close(fd); 21 | } 22 | -------------------------------------------------------------------------------- /klee/test/CXX/symex/libc++/atexit.cpp: -------------------------------------------------------------------------------- 1 | // REQUIRES: libcxx 2 | // REQUIRES: uclibc 3 | // RUN: %clangxx %s -emit-llvm %O0opt -c -std=c++11 -I "%libcxx_include" -g -nostdinc++ -o %t1.bc 4 | // RUN: rm -rf %t.klee-out 5 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error --libc=uclibc --libcxx %t1.bc | FileCheck %s 6 | // 7 | // CHECK: Returning from main 8 | // CHECK: atexit_1 9 | // CHECK: atexit_2 10 | 11 | #include 12 | #include 13 | 14 | int main(int argc, char** args){ 15 | auto atexithandler2 = std::atexit([](){std::cout << "atexit_2" << std::endl;}); 16 | auto atexithandler1 = std::atexit([](){std::cout << "atexit_1" << std::endl;}); 17 | std::cout << "Returning from main" << std::endl; 18 | return 0; 19 | } 20 | -------------------------------------------------------------------------------- /klee/test/regression/2015-08-30-sdiv-1.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -g %O0opt -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out -exit-on-error -solver-optimize-divides=true %t.bc 4 | // RUN: rm -rf %t.klee-out 5 | // RUN: %klee --output-dir=%t.klee-out -exit-on-error -solver-optimize-divides=false %t.bc 6 | 7 | /* Division by constant can be optimized.using mul/shift 8 | * For signed division, div by 1 or -1 cannot be optimized like that. 9 | */ 10 | #include 11 | int main() { 12 | int32_t dividend; 13 | klee_make_symbolic(÷nd, sizeof dividend, "Dividend"); 14 | if ((3 ^ (dividend & 2)) / 1) 15 | return 1; 16 | if ((3 ^ (dividend & 2)) / -1) 17 | return 1; 18 | return 0; 19 | } 20 | -------------------------------------------------------------------------------- /klee/test/Runtime/POSIX/FDNumbers.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t2.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --posix-runtime --exit-on-error %t2.bc --sym-files 1 10 4 | 5 | #include 6 | #include 7 | #include 8 | 9 | int main(int argc, char **argv) { 10 | int fd = open("A", O_TRUNC); 11 | assert(fd == 3); 12 | assert(!close(0)); 13 | assert(!close(1)); 14 | assert(close(0) == -1); 15 | assert(close(1) == -1); 16 | assert(open("A", O_TRUNC) == 0); 17 | assert(dup(0) == 1); 18 | assert(open("A", O_TRUNC) == 4); 19 | assert(!close(1)); 20 | assert(open("A", O_TRUNC) == 1); 21 | assert(dup(0) != 1); 22 | assert(dup2(0,1) == 1); 23 | 24 | return 0; 25 | } 26 | -------------------------------------------------------------------------------- /klee/test/regression/2018-10-01-double-segfault.c: -------------------------------------------------------------------------------- 1 | // REQUIRES: not-asan 2 | // RUN: %clang %s -emit-llvm %O0opt -g -c -o %t.bc 3 | // RUN: rm -rf %t.klee-out 4 | // RUN: %klee -output-dir=%t.klee-out %t.bc 2>&1 | FileCheck %s 5 | // CHECK: failed external call: strdup 6 | // CHECK: failed external call: strdup 7 | 8 | // objective: check handling of more than one failing external call 9 | 10 | 11 | #include "klee/klee.h" 12 | 13 | #include 14 | #include 15 | 16 | int main(int argc, char * argv[]) { 17 | bool b; 18 | klee_make_symbolic(&b, sizeof(bool), "b"); 19 | 20 | char * s0; 21 | if (b) { 22 | s0 = strdup((char *) 0xdeadbeef); 23 | } else { 24 | s0 = strdup((void *) 0xdeafbee5); 25 | } 26 | (void) s0; 27 | } 28 | -------------------------------------------------------------------------------- /klee/test/Feature/CheckForImpliedValue.c.failing: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -f %t1.log 3 | // RUN: rm -rf %t.klee-out 4 | // RUN: %klee --output-dir=%t.klee-out --log-file %t1.log --debug-check-for-implied-values %t1.bc 5 | // RUN: grep "= 0 (ok)" %t1.log 6 | // RUN: grep "= 2 (missed)" %t1.log 7 | 8 | #define swap(x) (((x)>>16) | (((x)&0xFFFF)<<16)) 9 | int main() { 10 | unsigned x, y; 11 | 12 | klee_make_symbolic(&x, sizeof x, "x"); 13 | klee_make_symbolic(&y, sizeof y, "y"); 14 | 15 | if (!x) { // should give x = 0 hit by ivc 16 | printf("ok\n"); 17 | } else { 18 | if (swap(y) == 0x00020000) { // should give y = 2 missed by ivc 19 | printf("ok\n"); 20 | } 21 | } 22 | 23 | return 0; 24 | } 25 | -------------------------------------------------------------------------------- /klee/test/Runtime/POSIX/FD_Fail.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --libc=uclibc --posix-runtime %t1.bc --max-fail 1 | FileCheck %s 4 | 5 | #include 6 | #include 7 | 8 | int main(int argc, char** argv) { 9 | char buf[1024]; 10 | FILE* f = fopen("/etc/mtab", "r"); 11 | assert(f); 12 | 13 | int r = fread(buf, 1, 100, f); 14 | printf("fread(): %s\n", 15 | r ? "ok" : "fail"); 16 | // CHECK-DAG: fread(): ok 17 | // CHECK-DAG: fread(): fail 18 | 19 | r = fclose(f); 20 | printf("fclose(): %s\n", 21 | r ? "ok" : "fail"); 22 | // CHECK-DAG: fclose(): ok 23 | // CHECK-DAG: fclose(): fail 24 | 25 | return 0; 26 | } 27 | -------------------------------------------------------------------------------- /klee/test/regression/2007-08-16-valid-write-to-freed-object.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | 5 | unsigned sym() { 6 | unsigned x; 7 | klee_make_symbolic(&x, sizeof x, "x"); 8 | return x; 9 | } 10 | 11 | int main() { 12 | unsigned x, y; 13 | 14 | // sym returns a symbolic object, but because it is 15 | // alloca'd it is freed on sym()s return. thats fine, 16 | // but the problem is that IVC is going to try to write 17 | // into the object right here. 18 | // 19 | // to support this we need to have a facility for making 20 | // state local copies of a freed object. 21 | if (sym() == 0) 22 | printf("ok\n"); 23 | 24 | return 0; 25 | } 26 | -------------------------------------------------------------------------------- /klee/test/regression/2007-10-12-failed-make-symbolic-after-copy.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | // RUN: test -f %t.klee-out/test000001.ktest 5 | 6 | int main() { 7 | unsigned x, y[4]; 8 | 9 | klee_make_symbolic(&x, sizeof x, "x"); 10 | if (x>=4) klee_silent_exit(0); 11 | 12 | y[x] = 0; 13 | 14 | if (x) { // force branch so y is copied 15 | klee_make_symbolic(&y, sizeof y, "y"); 16 | if (y[x]==0) klee_silent_exit(0); 17 | return 0; // should be reachable 18 | } else { 19 | // force read here in case we try to optimize copies smartly later 20 | if (y[x]==0) klee_silent_exit(0); 21 | return 0; // not reachable 22 | } 23 | } 24 | -------------------------------------------------------------------------------- /klee/test/Feature/LinkLLVMLib.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -g -emit-llvm %O0opt -c -o %t1.bc -DLINK_LLVM_LIB_TEST_LIB 2 | // RUN: %llvmar r %t1.a %t1.bc 3 | // 4 | // RUN: %clang %s -g -emit-llvm %O0opt -c -o %t2.bc -DLINK_LLVM_LIB_TEST_EXEC 5 | // RUN: rm -rf %t.klee-out 6 | // RUN: %klee --link-llvm-lib %t1.a --output-dir=%t.klee-out --emit-all-errors --warnings-only-to-file=false %t2.bc 2>&1 | FileCheck %s 7 | 8 | #ifdef LINK_LLVM_LIB_TEST_EXEC 9 | extern void printint(int d); 10 | 11 | int main(int argc, char * argv[]) { 12 | printint(5); 13 | // CHECK: KLEE: WARNING ONCE: calling external: printf 14 | return 0; 15 | } 16 | #endif 17 | 18 | #ifdef LINK_LLVM_LIB_TEST_LIB 19 | #include 20 | 21 | void printint(int d) { 22 | printf("%d\n", d); 23 | } 24 | #endif 25 | -------------------------------------------------------------------------------- /klee/test/regression/2007-10-11-illegal-access-after-free-and-branch.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --optimize %t1.bc 2>&1 | FileCheck %s 4 | // RUN: test -f %t.klee-out/test000001.ptr.err 5 | 6 | #include 7 | #include 8 | #include 9 | 10 | int main(int argc, char **argv) { 11 | unsigned char *buf = malloc(3); 12 | klee_make_symbolic(buf, 3, "buf"); 13 | if (buf[0]>4) klee_silent_exit(0); 14 | unsigned char x = buf[1]; 15 | free(buf); 16 | if (x) 17 | { 18 | // CHECK: 2007-10-11-illegal-access-after-free-and-branch.c:19: memory error: out of bound pointer 19 | return buf[2]; 20 | } 21 | klee_silent_exit(0); 22 | return 0; 23 | } 24 | -------------------------------------------------------------------------------- /klee/lib/Core/UserSearcher.h: -------------------------------------------------------------------------------- 1 | //===-- UserSearcher.h ------------------------------------------*- C++ -*-===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #ifndef KLEE_USERSEARCHER_H 11 | #define KLEE_USERSEARCHER_H 12 | 13 | namespace klee { 14 | class Executor; 15 | class Searcher; 16 | 17 | // XXX gross, should be on demand? 18 | bool userSearcherRequiresMD2U(); 19 | 20 | void initializeSearchOptions(); 21 | 22 | Searcher *constructUserSearcher(Executor &executor); 23 | } 24 | 25 | #endif /* KLEE_USERSEARCHER_H */ 26 | -------------------------------------------------------------------------------- /klee/test/Feature/InvalidBitfieldAccess.c.failing: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc -c -o %t1.bc %s 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc 4 | 5 | // This is a bug in llvm-gcc4.0 but seems to be fixed in llvm-gcc4.2, 6 | // its included here mostly as a reminder. 7 | 8 | #include 9 | #include 10 | #include 11 | 12 | struct foo { 13 | unsigned int a : 5; 14 | unsigned int b : 10; 15 | unsigned int c : 1; 16 | } __attribute__((packed)); 17 | 18 | int main() { 19 | struct foo *a = malloc(sizeof *a); 20 | 21 | a->b = 12; // problem here is that llvm-gcc emits a 4 byte access 22 | // which is out of bounds. 23 | 24 | int x = a->b; 25 | 26 | assert(x == 12); 27 | 28 | return 0; 29 | } 30 | -------------------------------------------------------------------------------- /klee/test/regression/2019-08-01-trap-instruction.ll: -------------------------------------------------------------------------------- 1 | ; RUN: rm -rf %t.klee-out 2 | ; RUN: llvm-as -f %s -o - | %klee --output-dir=%t.klee-out 3 | target datalayout = "e-p:64:64:64-i1:8:8-i8:8:8-i16:16:16-i32:32:32-i64:64:64-f32:32:32-f64:64:64-v64:64:64-v128:128:128-a0:0:64-s0:64:64-f80:128:128-n8:16:32:64-S128" 4 | target triple = "x86_64-unknown-linux-gnu" 5 | 6 | ; @foo is not known yet 7 | @foo2 = alias i32 (...), i32 (...)* @foo 8 | @foo = alias i32 (...), bitcast (i32 ()* @__foo to i32 (...)*) 9 | 10 | define i32 @__foo() { 11 | entry: 12 | call void @llvm.trap() noreturn nounwind 13 | ret i32 42 14 | } 15 | 16 | define i32 @main() { 17 | entry: 18 | call i32 (...) @foo() 19 | call i32 (...) @foo2() 20 | ret i32 0 21 | } 22 | 23 | declare void @llvm.trap() noreturn nounwind -------------------------------------------------------------------------------- /klee/test/Feature/Alias.c: -------------------------------------------------------------------------------- 1 | // Darwin does not have strong aliases. 2 | // REQUIRES: not-darwin 3 | // RUN: %clang %s -emit-llvm -g -c -o %t1.bc 4 | // RUN: rm -rf %t.klee-out 5 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc 6 | 7 | #include 8 | 9 | // alias for global 10 | int b = 52; 11 | extern int a __attribute__((alias("b"))); 12 | 13 | // alias for alias 14 | // NOTE: this does not have to be before foo is known 15 | extern int foo2() __attribute__((alias("foo"))); 16 | 17 | // alias for function 18 | int __foo() { return 52; } 19 | extern int foo() __attribute__((alias("__foo"))); 20 | 21 | int *c = &a; 22 | 23 | int main() { 24 | assert(a == 52); 25 | assert(foo() == 52); 26 | assert(foo2() == 52); 27 | assert(*c == 52); 28 | 29 | return 0; 30 | } 31 | -------------------------------------------------------------------------------- /klee/test/Feature/ubsan_signed_overflow.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -fsanitize=signed-integer-overflow -emit-llvm -g %O0opt -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t.bc 2>&1 | FileCheck %s 4 | 5 | #include "klee/klee.h" 6 | 7 | int main() { 8 | signed int x; 9 | signed int y; 10 | volatile signed int result; 11 | 12 | klee_make_symbolic(&x, sizeof(x), "x"); 13 | klee_make_symbolic(&y, sizeof(y), "y"); 14 | 15 | // CHECK: ubsan_signed_overflow.c:[[@LINE+1]]: overflow on addition 16 | result = x + y; 17 | 18 | // CHECK: ubsan_signed_overflow.c:[[@LINE+1]]: overflow on subtraction 19 | result = x - y; 20 | 21 | // CHECK: ubsan_signed_overflow.c:[[@LINE+1]]: overflow on multiplication 22 | result = x * y; 23 | 24 | return 0; 25 | } 26 | -------------------------------------------------------------------------------- /klee/test/Runtime/POSIX/FreeArgv.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -g -emit-llvm %O0opt -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --posix-runtime %t.bc --sym-args 1 1 1 2>&1 | FileCheck %s 4 | // RUN: test -f %t.klee-out/test000001.free.err 5 | // RUN: test -f %t.klee-out/test000002.free.err 6 | // RUN: test -f %t.klee-out/test000003.free.err 7 | 8 | int main(int argc, char **argv) { 9 | switch (klee_range(0, 3, "range")) { 10 | case 0: 11 | // CHECK-DAG: [[@LINE+1]]: free of global 12 | free(argv); 13 | break; 14 | case 1: 15 | // CHECK-DAG: [[@LINE+1]]: free of global 16 | free(argv[0]); 17 | break; 18 | case 2: 19 | // CHECK-DAG: [[@LINE+1]]: free of global 20 | free(argv[1]); 21 | break; 22 | } 23 | return 0; 24 | } 25 | -------------------------------------------------------------------------------- /klee/test/Solver/overshift-left-by-symbolic.kquery: -------------------------------------------------------------------------------- 1 | # RUN: %kleaver %s > %t 2 | # RUN: not grep INVALID %t 3 | 4 | array shift[4] : w32 -> w8 = symbolic 5 | # ∀ x. x >= 32 → ( (2 << x) = 0 ) 6 | # Check we left overshift to zero when shifting a constant ALWAYS! 7 | 8 | (query [ (Ule (w32 32) (ReadLSB w32 (w32 0) shift)) ] 9 | (Eq 10 | (Shl w32 (w32 2) 11 | (ReadLSB w32 (w32 0) shift) 12 | ) 13 | (w32 0) 14 | ) [ ] [shift] ) 15 | 16 | # 64-bit version 17 | # ∀ x. x >= 64 → ( (2 << x) = 0 ) 18 | array shift64[8] : w32 -> w8 = symbolic 19 | 20 | (query [ (Ule (w64 64) (ReadLSB w64 (w32 0) shift64)) ] 21 | (Eq 22 | (Shl w64 (w64 2) 23 | (ReadLSB w64 (w32 0) shift64) 24 | ) 25 | (w64 0) 26 | ) [ ] [shift64] ) 27 | -------------------------------------------------------------------------------- /klee/include/klee/Internal/Support/PrintVersion.h: -------------------------------------------------------------------------------- 1 | //===-- PrintVersion.h ------------------------------------------*- C++ -*-===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #ifndef KLEE_PRINTVERSION_H 11 | #define KLEE_PRINTVERSION_H 12 | 13 | #include "llvm/Support/raw_ostream.h" 14 | 15 | #include "klee/Config/Version.h" 16 | 17 | namespace klee { 18 | #if LLVM_VERSION_CODE >= LLVM_VERSION(6, 0) 19 | void printVersion(llvm::raw_ostream &OS); 20 | #else 21 | void printVersion(); 22 | #endif 23 | } 24 | 25 | #endif /* KLEE_PRINTVERSION_H */ 26 | -------------------------------------------------------------------------------- /klee/unittests/TestMain.cpp: -------------------------------------------------------------------------------- 1 | //===--- unittests/TestMain.cpp - unittest driver -------------------------===// 2 | // 3 | // The LLVM Compiler Infrastructure 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #include "gtest/gtest.h" 11 | 12 | // WARNING: If LLVM's gtest_main target is reused 13 | // or is built from LLVM's source tree, 14 | // this file is ignored. Instead, LLVM's 15 | // utils/unittest/UnitTestMain/TestMain.cpp 16 | // is used. 17 | 18 | int main(int argc, char **argv) { 19 | testing::InitGoogleTest(&argc, argv); 20 | return RUN_ALL_TESTS(); 21 | } 22 | -------------------------------------------------------------------------------- /klee/test/Solver/overshift-lright-by-symbolic.kquery: -------------------------------------------------------------------------------- 1 | # RUN: %kleaver %s > %t 2 | # RUN: not grep INVALID %t 3 | 4 | array shift[4] : w32 -> w8 = symbolic 5 | # ∀ x. x >= 32 → ( (2 >> x) = 0 ) 6 | # Check we logical right overshift to zero when shifting a constant ALWAYS! 7 | 8 | (query [ (Ule (w32 32) (ReadLSB w32 (w32 0) shift)) ] 9 | (Eq 10 | (LShr w32 (w32 2) 11 | (ReadLSB w32 (w32 0) shift) 12 | ) 13 | (w32 0) 14 | ) [ ] [shift] ) 15 | 16 | # 64-bit version 17 | # ∀ x. x >= 64 → ( (2 >> x) = 0 ) 18 | array shift64[8] : w32 -> w8 = symbolic 19 | 20 | (query [ (Ule (w64 64) (ReadLSB w64 (w32 0) shift64)) ] 21 | (Eq 22 | (LShr w64 (w64 2) 23 | (ReadLSB w64 (w32 0) shift64) 24 | ) 25 | (w64 0) 26 | ) [ ] [shift64] ) 27 | -------------------------------------------------------------------------------- /klee/test/Feature/FunctionAliasExit.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out -function-alias=exit:end %t.bc 2>&1 | FileCheck %s 4 | 5 | #include 6 | #include 7 | #include 8 | 9 | // CHECK: KLEE: function-alias: replaced @exit with @end 10 | 11 | void start(int x) { 12 | // CHECK: START 13 | printf("START\n"); 14 | if (x == 53) 15 | // CHECK: END: status = 1 16 | exit(1); 17 | } 18 | 19 | void __attribute__ ((noinline)) end(int status) { 20 | printf("END: status = %d\n", status); 21 | klee_silent_exit(status); 22 | } 23 | 24 | int main() { 25 | int x; 26 | klee_make_symbolic(&x, sizeof(x), "x"); 27 | 28 | start(x); 29 | // CHECK: END: status = 0 30 | end(0); 31 | } 32 | -------------------------------------------------------------------------------- /klee/test/Feature/ubsan_unsigned_overflow.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -fsanitize=unsigned-integer-overflow -emit-llvm -g %O0opt -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t.bc 2>&1 | FileCheck %s 4 | 5 | #include "klee/klee.h" 6 | 7 | int main() { 8 | unsigned int x; 9 | unsigned int y; 10 | volatile unsigned int result; 11 | 12 | klee_make_symbolic(&x, sizeof(x), "x"); 13 | klee_make_symbolic(&y, sizeof(y), "y"); 14 | 15 | // CHECK: ubsan_unsigned_overflow.c:[[@LINE+1]]: overflow on addition 16 | result = x + y; 17 | 18 | // CHECK: ubsan_unsigned_overflow.c:[[@LINE+1]]: overflow on subtraction 19 | result = x - y; 20 | 21 | // CHECK: ubsan_unsigned_overflow.c:[[@LINE+1]]: overflow on multiplication 22 | result = x * y; 23 | 24 | return 0; 25 | } 26 | -------------------------------------------------------------------------------- /klee/test/Merging/unexpected_close.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang -emit-llvm -g -c -o %t.bc %s 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --use-merge --search=nurs:covnew --max-time=2 %t.bc 4 | 5 | // CHECK: ran into a close at 6 | // CHECK: generated tests = 2{{$}} 7 | 8 | #include "klee/klee.h" 9 | 10 | int main(int argc, char **args) { 11 | 12 | int x; 13 | int a; 14 | int foo = 0; 15 | 16 | klee_make_symbolic(&x, sizeof(x), "x"); 17 | klee_make_symbolic(&a, sizeof(a), "a"); 18 | 19 | if (a == 0) { 20 | klee_open_merge(); 21 | 22 | if (x == 1) { 23 | foo = 5; 24 | } else if (x == 2) { 25 | foo = 6; 26 | } else { 27 | foo = 7; 28 | } 29 | 30 | klee_close_merge(); 31 | } 32 | klee_close_merge(); 33 | 34 | return foo; 35 | } 36 | -------------------------------------------------------------------------------- /klee/test/Runtime/POSIX/PrgName.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t2.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --posix-runtime --exit-on-error %t2.bc --sym-arg 10 >%t.log 4 | // RUN: test -f %t.klee-out/test000001.ktest 5 | // RUN: test -f %t.klee-out/test000002.ktest 6 | // RUN: grep -q "No" %t.log 7 | // RUN: grep -qv "Yes" %t.log 8 | 9 | 10 | /* Simple test for argv[0] */ 11 | 12 | #include 13 | 14 | int f(int argc, char **argv) { 15 | 16 | if (argv[0][5] == '7') 17 | printf("Yes\n"); 18 | else printf("No\n"); 19 | 20 | printf("%c\n", argv[0][5]); 21 | 22 | if (argv[1][1] == 4) 23 | printf("4\n"); 24 | printf("not 4\n"); 25 | 26 | return 0; 27 | } 28 | 29 | 30 | int main(int argc, char **argv) { 31 | f(argc, argv); 32 | } 33 | -------------------------------------------------------------------------------- /klee/test/regression/2014-07-04-unflushed-error-report.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -g %O0opt -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out -check-overshift %t.bc 2> %t.log 4 | // RUN: FileCheck -input-file=%t.klee-out/test000001.overshift.err %s 5 | 6 | /* This test checks that the error file isn't empty and contains the 7 | * right content. 8 | */ 9 | int main() { 10 | unsigned int x = 15; 11 | unsigned int y; 12 | unsigned int z; 13 | volatile unsigned int result; 14 | 15 | /* Overshift if y>= sizeof(x) */ 16 | klee_make_symbolic(&y, sizeof(y), "shift_amount1"); 17 | // CHECK: Error: overshift error 18 | // CHECK-NEXT: 2014-07-04-unflushed-error-report.c 19 | // CHECK-NEXT: Line: [[@LINE+1]] 20 | result = x << y; 21 | 22 | return 0; 23 | } 24 | -------------------------------------------------------------------------------- /learch/eval/replay_tests.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | TESTS_DIR=${1} 4 | GCOV_PATH=${2} 5 | GCOV_DIR=${3} 6 | 7 | find ${TESTS_DIR} -type f -name *.gcno | while read f 8 | do 9 | rm ${f} 10 | done 11 | 12 | find ${TESTS_DIR} -type f -name *.gcda | while read f 13 | do 14 | rm ${f} 15 | done 16 | 17 | find ${GCOV_DIR} -type f -name *.gcda | while read f 18 | do 19 | rm ${f} 20 | done 21 | 22 | ${SOURCE_DIR}/replay.sh ${GCOV_PATH} ${TESTS_DIR}/*.ktest 23 | 24 | find ${GCOV_DIR} -type f -name *.gcda | while read f 25 | do 26 | mkdir -p ${TESTS_DIR}/$(dirname ${f}) 27 | cp ${f} ${TESTS_DIR}/${f} 28 | done 29 | 30 | find ${GCOV_DIR} -type f -name *.gcno | while read f 31 | do 32 | mkdir -p ${TESTS_DIR}/$(dirname ${f}) 33 | cp ${f} ${TESTS_DIR}/${f} 34 | done 35 | 36 | rm -rf /tmp/klee-replay-* -------------------------------------------------------------------------------- /klee/test/CXX/ArrayNew.cpp: -------------------------------------------------------------------------------- 1 | // RUN: %clangxx %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --write-no-tests --exit-on-error --external-calls=none %t1.bc 4 | 5 | #include 6 | 7 | static int decon = 0; 8 | 9 | class Test { 10 | int x; 11 | 12 | public: 13 | Test() {} 14 | Test(int _x) : x(_x) { } 15 | ~Test() { decon += x; } 16 | 17 | int getX() { return x; } 18 | void setX(int _x) { x = _x; } 19 | }; 20 | 21 | int main(int argc) { 22 | Test *rt = new Test[4]; 23 | int i; 24 | 25 | for (i=0; i<4; i++) 26 | rt[i].setX(i+1); 27 | 28 | int sum = 0; 29 | for (i=0; i<4; i++) 30 | sum += rt[i].getX(); 31 | 32 | assert(sum==10); 33 | 34 | delete[] rt; 35 | 36 | assert(decon==10); 37 | 38 | return 0; 39 | } 40 | -------------------------------------------------------------------------------- /klee/test/Solver/AShr_to_smtlib.kquery: -------------------------------------------------------------------------------- 1 | # RUN: %kleaver -print-smtlib -smtlib-abbreviation-mode=none %s > %t 2 | # RUN: diff -u %t %s.good.smt2 3 | 4 | # This test tries to check that the SMT-LIBv2 we generate when a AShrExpr is 5 | # used is correct. 6 | # 7 | # FIXME: We should really pass the generated query to an SMT solver that supports 8 | # SMT-LIBv2 and check it gives the correct answer ``unsat``. An older version of 9 | # KLEE where AShrExpr wasn't handled correctly would give ``sat`` for this query. 10 | # 11 | # We could fix this if we required STP to be in the user's PATH and made available 12 | # as a substitution in llvm-lit 13 | 14 | array value[1] : w32 -> w8 = symbolic 15 | array shift[1] : w32 -> w8 = symbolic 16 | (query [(Ule 8 (Read w8 0 shift))] (Eq 0 (AShr w8 (Read w8 0 value) (Read w8 0 shift))) ) 17 | -------------------------------------------------------------------------------- /klee/runtime/FreeStanding/memmove.c: -------------------------------------------------------------------------------- 1 | /*===-- memmove.c ---------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | #include 11 | 12 | void *memmove(void *dst, const void *src, size_t count) { 13 | char *a = dst; 14 | const char *b = src; 15 | 16 | if (src == dst) 17 | return dst; 18 | 19 | if (src > dst) { 20 | while (count--) 21 | *a++ = *b++; 22 | } else { 23 | a += count - 1; 24 | b += count - 1; 25 | while (count--) 26 | *a-- = *b--; 27 | } 28 | 29 | return dst; 30 | } 31 | -------------------------------------------------------------------------------- /klee/scripts/build/p-sqlite-linux-ubuntu-16.04.inc: -------------------------------------------------------------------------------- 1 | install_build_dependencies_sqlite() { 2 | apt update -y 3 | 4 | dependencies=( 5 | build-essential 6 | unzip 7 | git 8 | wget 9 | ) 10 | 11 | apt -y --no-install-recommends install "${dependencies[@]}" 12 | } 13 | install_binary_artifact_sqlite() { 14 | 15 | if [[ "${SANITIZER_SUFFIX}x" != "x" ]]; then 16 | return 1 17 | fi 18 | apt update -y 19 | 20 | dependencies=( 21 | libsqlite3-dev 22 | ) 23 | 24 | #Install essential dependencies 25 | apt -y --no-install-recommends install "${dependencies[@]}" 26 | } 27 | 28 | # Check if the binary artifact is installed 29 | is_installed_sqlite() { 30 | [[ -f /usr/lib/x86_64-linux-gnu/libsqlite3.so ]] || return 1 31 | } 32 | 33 | get_docker_config_id_sqlite() { 34 | return 0 35 | } 36 | -------------------------------------------------------------------------------- /klee/test/Expr/Parser/MultiByteReads.kquery: -------------------------------------------------------------------------------- 1 | # RUN: %kleaver -print-ast -pc-multibyte-reads=true %s > %t.log 2 | # RUN: grep -q "(ReadLSB w32 4 arr1)" %t.log 3 | # RUN: grep -q "(ReadMSB w32 2 arr2)" %t.log 4 | 5 | array arr1[8] : w32 -> w8 = symbolic 6 | array arr2[8] : w32 -> w8 = symbolic 7 | 8 | (query [(Not (Slt 100 9 | (Concat w32 (Read w8 7 arr1) 10 | (Concat w24 (Read w8 6 arr1) 11 | (Concat w16 (Read w8 5 arr1) (Read w8 4 arr1))))))] 12 | false) 13 | 14 | 15 | (query [(Not (Slt 100 16 | (Concat w32 (Read w8 2 arr2) 17 | (Concat w24 (Read w8 3 arr2) 18 | (Concat w16 (Read w8 4 arr2) (Read w8 5 arr2))))))] 19 | false) 20 | 21 | -------------------------------------------------------------------------------- /klee/test/Merging/indirect_value.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang -emit-llvm -g -c -o %t.bc %s 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --use-merge --debug-log-merge --search=nurs:covnew --use-batching-search %t.bc 2>&1 | FileCheck %s 4 | 5 | // CHECK: generated tests = 2{{$}} 6 | 7 | #include "klee/klee.h" 8 | 9 | #include 10 | #include 11 | 12 | int main(int argc, char** argv) { 13 | 14 | int sym = klee_int("sym"); 15 | int* heap_int = calloc(1, sizeof(*heap_int)); 16 | 17 | klee_open_merge(); 18 | 19 | if(sym != 0) { 20 | *heap_int = 1; 21 | } 22 | 23 | klee_close_merge(); 24 | 25 | klee_print_expr("*heap_int: ", *heap_int); 26 | if(*heap_int != 0) { 27 | printf("true\n"); 28 | } else { 29 | printf("false\n"); 30 | } 31 | 32 | return 0; 33 | } 34 | -------------------------------------------------------------------------------- /klee/test/Feature/KleeStats.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -g %O0opt -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t.bc 2> %t.log 4 | // RUN: klee-stats --print-more %t.klee-out > %t.stats 5 | // RUN: FileCheck -check-prefix=CHECK-STATS -input-file=%t.stats %s 6 | #include "klee/klee.h" 7 | #include 8 | int main(){ 9 | int a; 10 | klee_make_symbolic (&a, sizeof(int), "a"); 11 | if (a) { 12 | abort(); 13 | } 14 | return 0; 15 | } 16 | // First check we find a line with the expected format 17 | // CHECK-STATS: | Path | Instrs| Time(s)| ICov(%)| BCov(%)| ICount| TSolver(%)| 18 | //Check there is a line with .klee-out dir, non zero instruction, less than 1 second execution time and 100 ICov. 19 | // CHECK-STATS: {{.*\.klee-out\|[ ]*[1-9]+\|[ ]*0\.([0-9]+)\|[ ]*100\.00}} 20 | -------------------------------------------------------------------------------- /klee/test/Concrete/Casts.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | declare void @print_i32(i32) 4 | 5 | define i32 @main() { 6 | entry: 7 | %a = add i32 315904, 128 8 | %b = trunc i32 %a to i8 9 | %c0 = icmp eq i8 %b, 128 10 | %d = zext i8 %b to i32 11 | %c1 = icmp eq i32 %d, 128 12 | %e = sext i8 %b to i32 13 | %c2 = icmp eq i32 %e, -128 14 | %c0i = zext i1 %c0 to i32 15 | %c1i = zext i1 %c1 to i32 16 | %c2i = zext i1 %c2 to i32 17 | %c0is = shl i32 %c0i, 0 18 | %c1is = shl i32 %c1i, 1 19 | %c2is = shl i32 %c2i, 2 20 | %tmp = add i32 %c0is, %c1is 21 | %res = add i32 %tmp, %c2is 22 | %p = icmp eq i32 %res, 7 23 | br i1 %p, label %exitTrue, label %exitFalse 24 | exitTrue: 25 | call void @print_i32(i32 1) 26 | ret i32 0 27 | exitFalse: 28 | call void @print_i32(i32 0) 29 | ret i32 0 30 | } 31 | -------------------------------------------------------------------------------- /klee/test/Solver/overshift-aright-by-symbolic.kquery: -------------------------------------------------------------------------------- 1 | # RUN: %kleaver %s > %t 2 | # RUN: not grep INVALID %t 3 | 4 | array shift[4] : w32 -> w8 = symbolic 5 | # ∀ x. x >= 32 → ( ( ( (signed int)2 ) >> x) = 0 ) 6 | # Check we arithmetic right overshift to zero when shifting a constant ALWAYS! 7 | 8 | (query [ (Ule (w32 32) (ReadLSB w32 (w32 0) shift)) ] 9 | (Eq 10 | (AShr w32 (w32 2) 11 | (ReadLSB w32 (w32 0) shift) 12 | ) 13 | (w32 0) 14 | ) [ ] [shift] ) 15 | 16 | # 64-bit version 17 | # ∀ x. x >= 64 → ( (((signed int) 2) >> x) = 0 ) 18 | array shift64[8] : w32 -> w8 = symbolic 19 | 20 | (query [ (Ule (w64 64) (ReadLSB w64 (w32 0) shift64)) ] 21 | (Eq 22 | (AShr w64 (w64 2) 23 | (ReadLSB w64 (w32 0) shift64) 24 | ) 25 | (w64 0) 26 | ) [ ] [shift64] ) 27 | -------------------------------------------------------------------------------- /klee/test/regression/2015-08-05-invalid-fork.c: -------------------------------------------------------------------------------- 1 | /* Reported by @kren1 in #262 2 | The test makes sure that the string "Should be printed once" 3 | is printed a single time. 4 | */ 5 | #include "klee/klee.h" 6 | 7 | // RUN: %clang %s -emit-llvm -g %O0opt -c -o %t.bc 8 | // RUN: rm -rf %t.klee-out 9 | // RUN: %klee --output-dir=%t.klee-out %t.bc | FileCheck %s 10 | 11 | static int g_10 = 0x923607A9L; 12 | 13 | int main(int argc, char* argv[]) { 14 | klee_make_symbolic(&g_10,sizeof(g_10), "g_10"); 15 | if (g_10 < (int)0x923607A9L) klee_silent_exit(0); 16 | if (g_10 > (int)0x923607A9L) klee_silent_exit(0); 17 | 18 | int b = 2; 19 | int i = g_10 % (1 % g_10); 20 | i || b; 21 | printf("Should be printed once\n"); 22 | // CHECK: Should be printed once 23 | // CHECK-NOT: Should be printed once 24 | return 0; 25 | } 26 | -------------------------------------------------------------------------------- /klee/test/Feature/AddressOfLabels.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang -emit-llvm -g -c %s -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t.bc > %t.log 4 | // RUN: FileCheck --input-file=%t.log %s 5 | 6 | #include 7 | 8 | int main(int argc, char * argv[]) { 9 | // prevent CFGSimplificationPass optimisation 10 | void * dummy = &&one; 11 | switch(argc) { 12 | case 1: break; 13 | case 2: 14 | dummy = &&three; 15 | goto *dummy; 16 | default: 17 | goto *dummy; 18 | } 19 | 20 | // the real test 21 | void * lptr = &&two; 22 | goto *lptr; 23 | 24 | one: 25 | puts("Label one"); 26 | // CHECK-NOT: Label one 27 | return 1; 28 | 29 | two: 30 | puts("Label two"); 31 | // CHECK: Label two 32 | return 0; 33 | 34 | three: 35 | puts("Label three"); 36 | // CHECK-NOT: Label three 37 | return 1; 38 | } 39 | -------------------------------------------------------------------------------- /klee/test/Feature/InAndOutOfBounds.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -g -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 2>&1 | FileCheck %s 4 | // RUN: test -f %t.klee-out/test000001.ptr.err -o -f %t.klee-out/test000002.ptr.err 5 | // RUN: not test -f %t.klee-out/test000001.ptr.err -a -f %t.klee-out/test000002.ptr.err 6 | // RUN: not test -f %t.klee-out/test000003.ktest 7 | 8 | unsigned klee_urange(unsigned start, unsigned end) { 9 | unsigned x; 10 | klee_make_symbolic(&x, sizeof x, "x"); 11 | if (x - start >= end - start) 12 | klee_silent_exit(0); 13 | return x; 14 | } 15 | 16 | int main() { 17 | int *x = malloc(sizeof(int)); 18 | // CHECK: InAndOutOfBounds.c:[[@LINE+1]]: memory error: out of bound pointer 19 | x[klee_urange(0, 2)] = 1; 20 | free(x); 21 | return 0; 22 | } 23 | -------------------------------------------------------------------------------- /klee/test/Runtime/POSIX/TestMain.c: -------------------------------------------------------------------------------- 1 | // Run applications with the posix environment but without additional arguments argc, argv for main 2 | // RUN: %clang -DMAIN1 %s -emit-llvm %O0opt -c -g -o %t.bc 3 | // RUN: rm -rf %t.klee-out 4 | // RUN: %klee --output-dir=%t.klee-out --posix-runtime %t.bc | FileCheck %s -check-prefix=CHECK-MAIN1 5 | // RUN: %clang -DMAIN2 %s -emit-llvm %O0opt -c -g -o %t.bc 6 | // RUN: rm -rf %t.klee-out 7 | // RUN: %klee --output-dir=%t.klee-out --posix-runtime %t.bc | FileCheck %s -check-prefix=CHECK-MAIN2 8 | #ifdef MAIN1 9 | #include 10 | int main() { 11 | printf("Execute main1\n"); 12 | // CHECK-MAIN1: Execute main1 13 | return 0; 14 | } 15 | #endif 16 | #ifdef MAIN2 17 | #include 18 | int main(void) { 19 | printf("Execute main2\n"); 20 | // CHECK-MAIN2: Execute main2 21 | return 0; 22 | } 23 | #endif 24 | -------------------------------------------------------------------------------- /klee/test/Feature/KleeReportError.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -g -emit-llvm %O0opt -c -o %t2.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --emit-all-errors %t2.bc 2>&1 | FileCheck %s 4 | // RUN: ls %t.klee-out/ | grep .my.err | wc -l | grep 2 5 | #include 6 | #include 7 | 8 | int main(int argc, char **argv) { 9 | int x, y, *p = 0; 10 | 11 | klee_make_symbolic(&x, sizeof x, "x"); 12 | klee_make_symbolic(&y, sizeof y, "y"); 13 | 14 | if (x) 15 | fprintf(stderr, "x\n"); 16 | else 17 | fprintf(stderr, "!x\n"); 18 | 19 | if (y) { 20 | fprintf(stderr, "My error\n"); 21 | // CHECK: KleeReportError.c:[[@LINE+2]]: My error 22 | // CHECK: KleeReportError.c:[[@LINE+1]]: My error 23 | klee_report_error(__FILE__, __LINE__, "My error", "my.err"); 24 | } 25 | 26 | return 0; 27 | } 28 | -------------------------------------------------------------------------------- /klee/lib/Support/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | klee_add_component(kleeSupport 10 | CompressionStream.cpp 11 | ErrorHandling.cpp 12 | FileHandling.cpp 13 | MemoryUsage.cpp 14 | PrintVersion.cpp 15 | RNG.cpp 16 | Time.cpp 17 | Timer.cpp 18 | TreeStream.cpp 19 | ) 20 | 21 | target_link_libraries(kleeSupport PRIVATE ${ZLIB_LIBRARIES}) 22 | 23 | set(LLVM_COMPONENTS 24 | support 25 | ) 26 | klee_get_llvm_libs(LLVM_LIBS ${LLVM_COMPONENTS}) 27 | target_link_libraries(kleeSupport PUBLIC ${LLVM_LIBS}) 28 | -------------------------------------------------------------------------------- /klee/test/regression/2007-08-01-bool-zext-in-call.ll: -------------------------------------------------------------------------------- 1 | ; RUN: rm -rf %t.klee-out 2 | ; RUN: llvm-as -f %s -o - | %klee --output-dir=%t.klee-out 3 | ; RUN: not test -f %t.klee-out/test0001.abort.err 4 | target datalayout = "e-p:64:64:64-i1:8:8-i8:8:8-i16:16:16-i32:32:32-i64:64:64-f32:32:32-f64:64:64-v64:64:64-v128:128:128-a0:0:64-s0:64:64-f80:128:128-n8:16:32:64-S128" 5 | target triple = "x86_64-unknown-linux-gnu" 6 | declare void @klee_abort() 7 | 8 | define i32 @foo(i8 signext %val) { 9 | %tmp = zext i8 %val to i32 10 | ret i32 %tmp 11 | } 12 | 13 | define i32 @main() { 14 | %res = call i32 bitcast (i32 (i8)* @foo to i32 (i1)*)( i1 1 ) 15 | %check = icmp ne i32 %res, 255 16 | br i1 %check, label %error, label %exit 17 | 18 | error: 19 | call void @klee_abort() 20 | unreachable 21 | 22 | exit: 23 | ret i32 0 24 | } 25 | -------------------------------------------------------------------------------- /klee/test/Expr/Evaluate.kquery: -------------------------------------------------------------------------------- 1 | # RUN: %kleaver -evaluate %s > %t.log 2 | 3 | array arr0[4] : w32 -> w8 = symbolic 4 | array arr1[8] : w32 -> w8 = symbolic 5 | 6 | # RUN: grep "Query 0: INVALID" %t.log 7 | # Query 0 8 | (query [] (Not (Ult (ReadLSB w32 0 arr0) 9 | 16))) 10 | 11 | # RUN: grep "Query 1: VALID" %t.log 12 | # Query 1 13 | (query [(Eq N0:(ReadLSB w32 0 arr1) 10) 14 | (Eq N1:(ReadLSB w32 4 arr1) 20)] 15 | (Eq (Add w32 N0 N1) 16 | 30)) 17 | 18 | # RUN: grep "Query 2: VALID" %t.log 19 | # Query 2 20 | array hello[4] : w32 -> w8 = [ 1 2 3 5 ] 21 | (query [] (Eq (Add w8 (Read w8 0 hello) 22 | (Read w8 3 hello)) 23 | 6)) 24 | 25 | # RUN: grep "Query 3: VALID" %t.log 26 | # Query 2 27 | (query [] (Eq (Not w8 (Read w8 0 arr1)) 28 | (Xor w8 (Read w8 0 arr1) 0xff))) 29 | -------------------------------------------------------------------------------- /klee/test/VectorInstructions/extract_element_symbolic.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: not %klee --output-dir=%t.klee-out --exit-on-error %t1.bc > %t.log 2>&1 4 | // RUN: FileCheck -input-file=%t.log %s 5 | #include "klee/klee.h" 6 | #include 7 | #include 8 | #include 9 | 10 | typedef uint32_t v4ui __attribute__ ((vector_size (16))); 11 | int main() { 12 | v4ui f = { 0, 1, 2, 3 }; 13 | unsigned index = 0; 14 | klee_make_symbolic(&index, sizeof(unsigned), "index"); 15 | // Performing read should be ExtractElement instruction. 16 | // For now this is an expected limitation. 17 | // CHECK: extract_element_symbolic.c:[[@LINE+1]]: ExtractElement, support for symbolic index not implemented 18 | uint32_t readValue = f[index]; 19 | return readValue % 255; 20 | } 21 | -------------------------------------------------------------------------------- /klee/test/Runtime/POSIX/Envp.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error --posix-runtime --libc=uclibc %t.bc >%t.log 4 | 5 | /* This test checks that main() with 3 arguments is supported, and that the data in envp for $HOME is consistent with getenv("HOME") */ 6 | 7 | #include 8 | #include 9 | #include 10 | #include 11 | 12 | int main(int argcPtr, char **argvPtr, char** envp) { 13 | 14 | char* home1 = getenv("HOME"); 15 | printf("home1 = %s\n", home1); 16 | 17 | char* home2 = "invalid$home"; 18 | while (*envp) { 19 | if (strncmp(*envp, "HOME", 4) == 0) 20 | home2 = *envp + 5; 21 | envp++; 22 | } 23 | printf("home2 = %s\n", home2); 24 | assert(strcmp(home1, home2) == 0); 25 | 26 | return 0; 27 | } 28 | -------------------------------------------------------------------------------- /klee/lib/Module/KInstruction.cpp: -------------------------------------------------------------------------------- 1 | //===-- KInstruction.cpp --------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #include "klee/Internal/Module/KInstruction.h" 11 | #include 12 | 13 | using namespace llvm; 14 | using namespace klee; 15 | 16 | /***/ 17 | 18 | KInstruction::~KInstruction() { 19 | delete[] operands; 20 | } 21 | 22 | std::string KInstruction::getSourceLocation() const { 23 | if (!info->file.empty()) 24 | return info->file + ":" + std::to_string(info->line) + " " + 25 | std::to_string(info->column); 26 | else return "[no debug info]"; 27 | } 28 | -------------------------------------------------------------------------------- /klee/test/Runtime/POSIX/Ioctl.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --posix-runtime --exit-on-error %t.bc --sym-stdin 4 4 | 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | 12 | int main() { 13 | struct stat s; 14 | struct termios ts; 15 | 16 | assert(fstat(0, &s) == 0); 17 | 18 | assert(ioctl(10, FIONREAD, &ts) == -1 && errno == EBADF); 19 | 20 | if (S_ISCHR(s.st_mode)) { 21 | printf("is chr\n"); 22 | assert(ioctl(0, TIOCGWINSZ, &ts) == 0); 23 | } else { 24 | printf("not chr\n"); 25 | // I think TC* ioctls basically always fail on nonchr? 26 | assert(ioctl(0, TIOCGWINSZ, &ts) == -1); 27 | assert(errno == ENOTTY); 28 | } 29 | 30 | return 0; 31 | } 32 | -------------------------------------------------------------------------------- /klee/test/VectorInstructions/insert_element_symbolic.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: not %klee --output-dir=%t.klee-out --exit-on-error %t1.bc > %t.log 2>&1 4 | // RUN: FileCheck -input-file=%t.log %s 5 | #include "klee/klee.h" 6 | #include 7 | #include 8 | #include 9 | 10 | typedef uint32_t v4ui __attribute__ ((vector_size (16))); 11 | int main() { 12 | v4ui f = { 0, 1, 2, 3 }; 13 | unsigned index = 0; 14 | klee_make_symbolic(&index, sizeof(unsigned), "index"); 15 | // Performing write should be InsertElement instructions. 16 | // For now this is an expected limitation. 17 | // CHECK: insert_element_symbolic.c:[[@LINE+1]]: InsertElement, support for symbolic index not implemented 18 | f[index] = 255; 19 | klee_print_expr("f after write to [0]", f); 20 | return 0; 21 | } 22 | -------------------------------------------------------------------------------- /klee/test/Feature/WriteCov.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -g -c -o %t2.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error --write-cov %t2.bc 4 | // RUN: grep -c WriteCov.c:16 %t.klee-out/test000001.cov %t.klee-out/test000002.cov >%t3.txt 5 | // RUN: grep -c WriteCov.c:18 %t.klee-out/test000001.cov %t.klee-out/test000002.cov >>%t3.txt 6 | // RUN: grep %t.klee-out/test000001.cov:0 %t3.txt 7 | // RUN: grep %t.klee-out/test000001.cov:1 %t3.txt 8 | // RUN: grep %t.klee-out/test000002.cov:0 %t3.txt 9 | // RUN: grep %t.klee-out/test000002.cov:1 %t3.txt 10 | 11 | #include 12 | #include 13 | 14 | int main() { 15 | if (klee_range(0,2, "range")) { 16 | assert(__LINE__ == 16); printf("__LINE__ = %d\n", __LINE__); 17 | } else { 18 | assert(__LINE__ == 18); printf("__LINE__ = %d\n", __LINE__); 19 | } 20 | return 0; 21 | } 22 | -------------------------------------------------------------------------------- /klee/test/CXX/SimpleVirtual.cpp: -------------------------------------------------------------------------------- 1 | // RUN: %clangxx %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --write-no-tests --exit-on-error --external-calls=none %t1.bc 4 | 5 | #include 6 | 7 | static int decon = 0; 8 | 9 | class Thing { 10 | public: 11 | Thing() {} 12 | virtual ~Thing() { decon += getX(); } 13 | 14 | virtual int getX() { return 1; }; 15 | }; 16 | 17 | class Thing2 : public Thing { 18 | public: 19 | virtual int getX() { return 2; }; 20 | }; 21 | 22 | Thing *getThing(bool which) { 23 | return which ? new Thing() : new Thing2(); 24 | } 25 | 26 | int main(int argc) { 27 | Thing *one = getThing(false); 28 | Thing *two = getThing(true); 29 | 30 | int x = one->getX() + two->getX(); 31 | assert(x==3); 32 | 33 | delete two; 34 | delete one; 35 | 36 | assert(decon==2); 37 | 38 | return 0; 39 | } 40 | -------------------------------------------------------------------------------- /klee/scripts/build/p-llvm-osx.inc: -------------------------------------------------------------------------------- 1 | # Package script for LLVM builds OSX 2 | install_binary_artifact_llvm () { 3 | # Use the brew provided package 4 | LLVM_VERSION_MAJOR="${LLVM_VERSION/.*/}" 5 | brew install "llvm\@${LLVM_VERSION_MAJOR}" 6 | } 7 | 8 | # Check if the binary artifact is installed 9 | is_installed_llvm() { 10 | # Check if llvm-config with the right version exists 11 | LLVM_VERSION_MAJOR="${LLVM_VERSION/.*/}" 12 | [[ -f "/usr/local/opt/llvm@${LLVM_VERSION_MAJOR}/bin/llvm-config" ]] 13 | } 14 | 15 | setup_artifact_variables_llvm() { 16 | LLVM_VERSION_MAJOR="${LLVM_VERSION/.*/}" 17 | LLVM_CONFIG="/usr/local/opt/llvm@${LLVM_VERSION_MAJOR}/bin/llvm-config" 18 | BITCODE_CC="/usr/local/opt/llvm@${LLVM_VERSION_MAJOR}/bin/clang" 19 | BITCODE_CXX="/usr/local/opt/llvm@${LLVM_VERSION_MAJOR}/bin/clang++" 20 | LLVM_INSTALL="/usr/local/opt/llvm@${LLVM_VERSION_MAJOR}/" 21 | } 22 | -------------------------------------------------------------------------------- /klee/test/Feature/OvershiftCheck.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -g %O0opt -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out -check-overshift %t.bc 2> %t.log 4 | // RUN: FileCheck --input-file %t.log %s 5 | 6 | /* This test checks that two consecutive potential overshifts 7 | * are reported as errors. 8 | */ 9 | #include "klee/klee.h" 10 | int main() { 11 | unsigned int x = 15; 12 | unsigned int y; 13 | unsigned int z; 14 | volatile unsigned int result; 15 | 16 | /* Overshift if y>= sizeof(x) */ 17 | klee_make_symbolic(&y, sizeof(y), "shift_amount1"); 18 | // CHECK: OvershiftCheck.c:[[@LINE+1]]: overshift error 19 | result = x << y; 20 | 21 | /* Overshift is z>= sizeof(x) */ 22 | klee_make_symbolic(&z, sizeof(z), "shift_amount2"); 23 | // CHECK: OvershiftCheck.c:[[@LINE+1]]: overshift error 24 | result = x >> z; 25 | 26 | return 0; 27 | } 28 | -------------------------------------------------------------------------------- /klee/test/Runtime/POSIX/SELinux/SELinux.c: -------------------------------------------------------------------------------- 1 | /* Very basic test, as right now SELinux support is extremely basic */ 2 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 3 | // RUN: rm -rf %t.klee-out 4 | // RUN: %klee --output-dir=%t.klee-out --posix-runtime --exit-on-error %t1.bc --sym-arg 2 > %t.log 5 | // XFAIL: no-selinux 6 | 7 | #include 8 | #include 9 | #include 10 | 11 | int main(int argc, char** argv) { 12 | 13 | security_context_t con; 14 | 15 | assert(argc == 2); 16 | 17 | int selinux = is_selinux_enabled(); 18 | printf("selinux enabled = %d\n", selinux); 19 | 20 | if (setfscreatecon(argv[1]) < 0) 21 | printf("Error: set\n"); 22 | else printf("Success: set\n"); 23 | 24 | if (getfscreatecon(&con) < 0) 25 | printf("Error: get\n"); 26 | else printf("Success: get\n"); 27 | 28 | printf("create_con = %s\n", con); 29 | 30 | return 0; 31 | } 32 | -------------------------------------------------------------------------------- /klee/utils/hacks/TreeGraphs/Graphics/Geometry/mat2.py: -------------------------------------------------------------------------------- 1 | # ===-- mat2.py -----------------------------------------------------------===## 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | # ===----------------------------------------------------------------------===## 9 | 10 | import vec2 11 | 12 | def det(m): 13 | ((m00,m01),(m10,m11))= m 14 | 15 | return m00*m11 - m01*m10 16 | 17 | def mul(a,b): 18 | b_trans= zip(* b) 19 | return tuple([transmulvec2(b_trans, a_r) for a_r in a]) 20 | 21 | # multiple vector v by a transposed matrix 22 | def transmulvec2(m_trans,v): 23 | return tuple([vec2.dot(v, m_c) for m_c in m_trans]) 24 | 25 | def mulvec2(m,v): 26 | return transmulvec2(zip(* m), v) 27 | 28 | def mulN(m,N): 29 | return tuple([vec2.mulN(v,N) for v in m]) 30 | -------------------------------------------------------------------------------- /klee/runtime/Runtest/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | 10 | add_library(kleeRuntest SHARED 11 | intrinsics.c 12 | # HACK: 13 | ${CMAKE_SOURCE_DIR}/lib/Basic/KTest.cpp 14 | ) 15 | # Increment version appropriately if ABI/API changes, more details: 16 | # http://tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html#AEN135 17 | set(KLEE_RUNTEST_VERSION 1.0) 18 | set_target_properties(kleeRuntest 19 | PROPERTIES 20 | VERSION ${KLEE_RUNTEST_VERSION} 21 | SOVERSION ${KLEE_RUNTEST_VERSION} 22 | ) 23 | 24 | install(TARGETS kleeRuntest 25 | DESTINATION "${CMAKE_INSTALL_FULL_LIBDIR}") 26 | -------------------------------------------------------------------------------- /klee/scripts/build/p-clang-osx.inc: -------------------------------------------------------------------------------- 1 | # Package script for LLVM builds OSX 2 | install_binary_artifact_clang () { 3 | # Use the brew provided package 4 | LLVM_VERSION_MAJOR="${LLVM_VERSION/.*/}" 5 | brew install "llvm\@${LLVM_VERSION_MAJOR}" 6 | } 7 | 8 | # Check if the binary artifact is installed 9 | is_installed_clang() { 10 | # Check if llvm-config with the right version exists 11 | LLVM_VERSION_MAJOR="${LLVM_VERSION/.*/}" 12 | [[ -f "/usr/local/opt/llvm@${LLVM_VERSION_MAJOR}/bin/llvm-config" ]] 13 | } 14 | 15 | setup_artifact_variables_clang() { 16 | local LLVM_VERSION_MAJOR="${LLVM_VERSION/.*/}" 17 | 18 | BITCODE_CC="/usr/local/opt/llvm@${LLVM_VERSION_MAJOR}/bin/clang" 19 | BITCODE_CXX="/usr/local/opt/llvm@${LLVM_VERSION_MAJOR}/bin/clang++" 20 | 21 | SANITIZER_C_COMPILER="${BITCODE_CC}" 22 | SANITIZER_CXX_COMPILER="${BITCODE_CXX}" 23 | LLVM_CONFIG="/usr/local/opt/llvm@${LLVM_VERSION_MAJOR}/bin/llvm-config" 24 | } -------------------------------------------------------------------------------- /klee/include/klee/Internal/Support/FileHandling.h: -------------------------------------------------------------------------------- 1 | //===-- FileHandling.h ------------------------------------------*- C++ -*-===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #ifndef KLEE_FILEHANDLING_H 11 | #define KLEE_FILEHANDLING_H 12 | 13 | #include "llvm/Support/raw_ostream.h" 14 | #include 15 | #include 16 | 17 | namespace klee { 18 | std::unique_ptr 19 | klee_open_output_file(const std::string &path, std::string &error); 20 | 21 | #ifdef HAVE_ZLIB_H 22 | std::unique_ptr 23 | klee_open_compressed_output_file(const std::string &path, std::string &error); 24 | #endif 25 | } // namespace klee 26 | 27 | #endif /* KLEE_FILEHANDLING_H */ 28 | -------------------------------------------------------------------------------- /klee/test/ArrayOpt/test_hybrid.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --write-kqueries --output-dir=%t.klee-out --optimize-array=index %t.bc > %t.log 2>&1 4 | // RUN: FileCheck %s -input-file=%t.log -check-prefix=CHECK-OPT_I 5 | // RUN: test -f %t.klee-out/test000001.kquery 6 | // RUN: not FileCheck %s -input-file=%t.klee-out/test000001.kquery -check-prefix=CHECK-CONST_ARR 7 | 8 | // CHECK-OPT_I: KLEE: WARNING: OPT_I: successful 9 | // CHECK-CONST_ARR: const_arr 10 | 11 | #include 12 | #include "klee/klee.h" 13 | 14 | char array[10] = {1,2,2,4,5,3,1,3,2,2}; 15 | 16 | int main() { 17 | unsigned char k; 18 | 19 | klee_make_symbolic(&k, sizeof(k), "k"); 20 | klee_assume(k < 10); 21 | 22 | // CHECK: Yes 23 | // CHECK-NEXT: No 24 | if (array[k] >= 1) 25 | printf("Yes\n"); 26 | 27 | // CHECK: KLEE: done: completed paths = 1 28 | 29 | return 0; 30 | } 31 | -------------------------------------------------------------------------------- /klee/test/Intrinsics/IsConstant.ll: -------------------------------------------------------------------------------- 1 | ; REQUIRES: geq-llvm-8.0 2 | ; RUN: %llvmas %s -o=%t.bc 3 | ; RUN: rm -rf %t.klee-out 4 | ; RUN: %klee -exit-on-error --output-dir=%t.klee-out --optimize=false %t.bc 5 | 6 | declare i1 @llvm.is.constant.i32(i32) 7 | 8 | declare i32 @klee_is_symbolic(i32) 9 | declare void @klee_abort(i8*) 10 | 11 | define i1 @check1() { 12 | %r = call i1 @llvm.is.constant.i32(i32 123) 13 | 14 | ret i1 %r 15 | } 16 | 17 | define i1 @check2() { 18 | %x = call i32 @klee_is_symbolic(i32 0) 19 | 20 | %r = call i1 @llvm.is.constant.i32(i32 %x) 21 | 22 | %notR = xor i1 %r, 1 23 | 24 | ret i1 %notR 25 | } 26 | 27 | define i32 @main() { 28 | %r1 = call i1 @check1() 29 | %r2 = call i1 @check2() 30 | 31 | br i1 %r1, label %next, label %exitFalse 32 | next: 33 | br i1 %r2, label %exitTrue, label %exitFalse 34 | exitFalse: 35 | call void @klee_abort(i8* null) 36 | ret i32 1 37 | exitTrue: 38 | ret i32 0 39 | } 40 | -------------------------------------------------------------------------------- /klee/test/Merging/batching_break.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang -emit-llvm -g -c -o %t.bc %s 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --use-merge --debug-log-merge --search=nurs:covnew %t.bc 2>&1 | FileCheck %s 4 | 5 | // CHECK: open merge: 6 | // CHECK: close merge: 7 | // CHECK: KLEE: done: generated tests = 3{{$}} 8 | 9 | #include "klee/klee.h" 10 | 11 | int main(int argc, char** args){ 12 | 13 | int x; 14 | int p; 15 | int i; 16 | 17 | klee_make_symbolic(&x, sizeof(x), "x"); 18 | x = x % 20; 19 | 20 | klee_open_merge(); 21 | for (i = 0; i < x; ++i){ 22 | if (x % 3 == 0){ 23 | klee_close_merge(); 24 | if (x > 10){ 25 | return 1; 26 | } else { 27 | return 2; 28 | } 29 | } 30 | } 31 | klee_close_merge(); 32 | 33 | klee_open_merge(); 34 | if (x > 10){ 35 | p = 1; 36 | } else { 37 | p = 2; 38 | } 39 | klee_close_merge(); 40 | return p; 41 | 42 | } 43 | -------------------------------------------------------------------------------- /klee/test/Replay/libkleeruntest/replay_simple.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -g %O0opt -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --search=dfs %t.bc 4 | // RUN: test -f %t.klee-out/test000001.ktest 5 | // RUN: test -f %t.klee-out/test000002.ktest 6 | 7 | // Now try to replay with libkleeRuntest 8 | // RUN: %cc %s %libkleeruntest -Wl,-rpath %libkleeruntestdir -o %t_runner 9 | // RUN: env KTEST_FILE=%t.klee-out/test000001.ktest %t_runner | FileCheck -check-prefix=TESTONE %s 10 | // RUN: env KTEST_FILE=%t.klee-out/test000002.ktest %t_runner | FileCheck -check-prefix=TESTTWO %s 11 | 12 | #include "klee/klee.h" 13 | #include 14 | 15 | int main(int argc, char** argv) { 16 | int x = 0; 17 | klee_make_symbolic(&x, sizeof(x), "x"); 18 | 19 | if (x == 0) { 20 | printf("x is 0\n"); 21 | } else { 22 | printf("x is not 0\n"); 23 | } 24 | return 0; 25 | } 26 | 27 | // TESTONE: x is not 0 28 | // TESTTWO: x is 0 29 | -------------------------------------------------------------------------------- /klee/test/Feature/ReplayPath.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -DCOND_EXIT -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --write-paths %t1.bc > %t3.good 4 | 5 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t2.bc 6 | // RUN: rm -rf %t.klee-out-2 7 | // RUN: %klee --output-dir=%t.klee-out-2 --replay-path %t.klee-out/test000001.path %t2.bc > %t3.log 8 | // RUN: diff %t3.log %t3.good 9 | 10 | #include 11 | #include 12 | 13 | void cond_exit() { 14 | #ifdef COND_EXIT 15 | klee_silent_exit(0); 16 | #endif 17 | } 18 | 19 | int main() { 20 | int res = 1; 21 | int x; 22 | 23 | klee_make_symbolic(&x, sizeof x, "x"); 24 | 25 | if (x&1) res *= 2; else cond_exit(); 26 | if (x&2) res *= 3; else cond_exit(); 27 | if (x&4) res *= 5; else cond_exit(); 28 | 29 | // get forced branch coverage 30 | if (x&2) res *= 7; 31 | if (!(x&2)) res *= 11; 32 | printf("res: %d\n", res); 33 | 34 | return 0; 35 | } 36 | -------------------------------------------------------------------------------- /klee/scripts/build/v-llvm.inc: -------------------------------------------------------------------------------- 1 | required_variables_llvm=( 2 | "LLVM_VERSION" 3 | "ENABLE_OPTIMIZED" 4 | "ENABLE_DEBUG" 5 | "DISABLE_ASSERTIONS" 6 | "REQUIRES_RTTI" 7 | ) 8 | 9 | required_variables_check_llvm() { 10 | check_bool "ENABLE_DEBUG" 11 | check_bool "ENABLE_OPTIMIZED" 12 | check_bool "DISABLE_ASSERTIONS" 13 | check_bool "REQUIRES_RTTI" 14 | } 15 | 16 | export_variables_llvm=( 17 | "LLVM_CONFIG" 18 | "BITCODE_CC" 19 | "BITCODE_CXX" 20 | ) 21 | 22 | artifact_dependency_llvm=("sanitizer") 23 | 24 | setup_variables_llvm() { 25 | LLVM_VERSION_SHORT="${LLVM_VERSION/./}" 26 | } 27 | 28 | check_export_variables_llvm() { 29 | # Check for variables set and not empty 30 | [[ -n ${LLVM_CONFIG:-} ]] || (echo "LLVM_CONFIG not set"; exit 1) 31 | [[ -n ${LLVM_INSTALL:-} ]] || (echo "LLVM_INSTALL not set"; exit 1) 32 | [[ -n ${BITCODE_CC:-} ]] || (echo "BITCODE_CC not set"; exit 1) 33 | [[ -n ${BITCODE_CXX:-} ]] || (echo "BITCODE_CXX not set"; exit 1) 34 | } -------------------------------------------------------------------------------- /klee/lib/Expr/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | klee_add_component(kleaverExpr 10 | ArrayCache.cpp 11 | ArrayExprOptimizer.cpp 12 | ArrayExprRewriter.cpp 13 | ArrayExprVisitor.cpp 14 | Assignment.cpp 15 | AssignmentGenerator.cpp 16 | Constraints.cpp 17 | ExprBuilder.cpp 18 | Expr.cpp 19 | ExprEvaluator.cpp 20 | ExprPPrinter.cpp 21 | ExprSMTLIBPrinter.cpp 22 | ExprUtil.cpp 23 | ExprVisitor.cpp 24 | Lexer.cpp 25 | Parser.cpp 26 | Updates.cpp 27 | ) 28 | 29 | set(LLVM_COMPONENTS 30 | support 31 | ) 32 | klee_get_llvm_libs(LLVM_LIBS ${LLVM_COMPONENTS}) 33 | target_link_libraries(kleaverExpr PUBLIC ${LLVM_LIBS}) 34 | -------------------------------------------------------------------------------- /klee/scripts/build/common-functions: -------------------------------------------------------------------------------- 1 | # Defines common function and variables used by the scripts 2 | 3 | function git_clone_or_update() { 4 | local url="$1" 5 | local destination="$2" 6 | local branch="$3" 7 | 8 | if [[ ! -e "${destination}/.git" ]]; then 9 | git clone $([ "${branch}x" != "x" ] && echo "--depth 1 -b ${branch}" || echo "") "$url" "$destination" 10 | else 11 | cd "$destination" 12 | git pull 13 | if [[ ! -z "$branch" ]]; then 14 | git checkout "${branch}" 15 | fi 16 | fi 17 | } 18 | 19 | function get_git_hash() { 20 | local url="$1" 21 | local branch="$2" 22 | local commit_id="" 23 | 24 | # List remote git branches and get the commit id of the branch 25 | commit_id="$(git ls-remote -h "$url" |grep "$branch" | cut -d$'\t' -f 1)" 26 | 27 | # If that doesn't work use the branch instead of the commit id 28 | if [[ -z "${commit_id}" ]]; then 29 | echo "${branch}" 30 | else 31 | echo "${commit_id:0:7}" 32 | fi 33 | } -------------------------------------------------------------------------------- /klee/test/Feature/FunctionPointer.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --write-no-tests --exit-on-error %t1.bc 4 | 5 | #include 6 | 7 | void foo(const char *msg) { printf("foo: %s\n", msg); } 8 | void baz(const char *msg) { printf("baz: %s\n", msg); } 9 | 10 | void (*xx)(const char *) = foo; 11 | 12 | void bar(void (*fp)(const char *)) { fp("called via bar"); } 13 | 14 | int main(int argc, char **argv) { 15 | void (*fp)(const char *) = foo; 16 | 17 | printf("going to call through fp\n"); 18 | fp("called via fp"); 19 | 20 | printf("calling via pass through\n"); 21 | bar(foo); 22 | 23 | fp = baz; 24 | fp("called via fp"); 25 | 26 | xx("called via xx"); 27 | 28 | #if 0 29 | klee_make_symbolic(&fp, sizeof fp, "fp"); 30 | if(fp == baz) { 31 | printf("fp = %p, baz = %p\n", fp, baz); 32 | fp("calling via symbolic!"); 33 | } 34 | #endif 35 | 36 | return 0; 37 | } 38 | -------------------------------------------------------------------------------- /klee/test/Intrinsics/IntrinsicTrap.ll: -------------------------------------------------------------------------------- 1 | ; RUN: llvm-as %s -f -o %t1.bc 2 | ; RUN: rm -rf %t.klee-out 3 | ; RUN: %klee --output-dir=%t.klee-out --optimize=false %t1.bc 4 | ; RUN: FileCheck %s --input-file=%t.klee-out/assembly.ll 5 | 6 | target datalayout = "e-p:64:64:64-i1:8:8-i8:8:8-i16:16:16-i32:32:32-i64:64:64-f32:32:32-f64:64:64-v64:64:64-v128:128:128-a0:0:64-s0:64:64-f80:128:128-f128:128:128-n8:16:32:64" 7 | target triple = "x86_64-unknown-linux-gnu" 8 | 9 | define i32 @main() nounwind { 10 | entry: 11 | %a = add i32 1, 2 12 | %b = add i32 %a, 3 13 | %c = icmp ne i32 %b, 6 14 | br i1 %c, label %btrue, label %bfalse 15 | 16 | btrue: 17 | ; CHECK-NOT: call void @llvm.trap() 18 | ; CHECK: call void @abort() 19 | call void @llvm.trap() noreturn nounwind 20 | unreachable 21 | 22 | bfalse: 23 | br label %return 24 | 25 | return: 26 | ret i32 0 27 | } 28 | 29 | ; CHECK-NOT: call void @llvm.trap() 30 | ; CHECK: declare void @abort() 31 | declare void @llvm.trap() noreturn nounwind 32 | -------------------------------------------------------------------------------- /klee/cmake/workaround_llvm_pr39177.ll: -------------------------------------------------------------------------------- 1 | %struct._IO_FILE = type { i32, i8*, i8*, i8*, i8*, i8*, i8*, i8*, i8*, i8*, i8*, i8*, %struct._IO_marker*, %struct._IO_FILE*, i32, i32, i64, i16, i8, [1 x i8], i8*, i64, i8*, i8*, i8*, i8*, i64, i32, [20 x i8] } 2 | %struct._IO_marker = type { %struct._IO_marker*, %struct._IO_FILE*, i32 } 3 | 4 | @stdout = external global %struct._IO_FILE*, align 8 5 | @.str = private unnamed_addr constant [11 x i8] c"abcdefgh!\0A\00", align 1 6 | @fwrite = alias i64 (i8*, i64, i64, %struct._IO_FILE*), i64 (i8*, i64, i64, %struct._IO_FILE*)* @__fwrite_alias 7 | 8 | define i64 @__fwrite_alias(i8*, i64, i64, %struct._IO_FILE*) { 9 | ret i64 0 10 | } 11 | 12 | define void @test() { 13 | %1 = load %struct._IO_FILE*, %struct._IO_FILE** @stdout, align 8 14 | %2 = call i32 (%struct._IO_FILE*, i8*, ...) @fprintf(%struct._IO_FILE* %1, i8* getelementptr inbounds ([11 x i8], [11 x i8]* @.str, i32 0, i32 0)) 15 | ret void 16 | } 17 | 18 | declare i32 @fprintf(%struct._IO_FILE*, i8*, ...) 19 | -------------------------------------------------------------------------------- /klee/include/klee/Internal/Support/Debug.h: -------------------------------------------------------------------------------- 1 | //===-- Debug.h -------------------------------------------------*- C++ -*-===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #ifndef KLEE_DEBUG_H 11 | #define KLEE_DEBUG_H 12 | 13 | #include "klee/Config/config.h" 14 | #include "llvm/Support/Debug.h" 15 | 16 | // We define wrappers around the LLVM DEBUG macros that are conditionalized on 17 | // whether the LLVM we are building against has the symbols needed by these 18 | // checks. 19 | 20 | #ifdef ENABLE_KLEE_DEBUG 21 | #define KLEE_DEBUG_WITH_TYPE(TYPE, X) DEBUG_WITH_TYPE(TYPE, X) 22 | #else 23 | #define KLEE_DEBUG_WITH_TYPE(TYPE, X) do { } while (0) 24 | #endif 25 | #define KLEE_DEBUG(X) KLEE_DEBUG_WITH_TYPE(DEBUG_TYPE, X) 26 | 27 | #endif /* KLEE_DEBUG_H */ 28 | -------------------------------------------------------------------------------- /klee/lib/Core/ObjectHolder.h: -------------------------------------------------------------------------------- 1 | //===-- ObjectHolder.h ------------------------------------------*- C++ -*-===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #ifndef KLEE_OBJECTHOLDER_H 11 | #define KLEE_OBJECTHOLDER_H 12 | 13 | namespace klee { 14 | class ObjectState; 15 | 16 | class ObjectHolder { 17 | ObjectState *os; 18 | 19 | public: 20 | ObjectHolder() : os(0) {} 21 | ObjectHolder(ObjectState *_os); 22 | ObjectHolder(const ObjectHolder &b); 23 | ~ObjectHolder(); 24 | 25 | ObjectHolder &operator=(const ObjectHolder &b); 26 | 27 | operator class ObjectState *() { return os; } 28 | operator class ObjectState *() const { return (ObjectState*) os; } 29 | }; 30 | } 31 | 32 | #endif /* KLEE_OBJECTHOLDER_H */ 33 | -------------------------------------------------------------------------------- /klee/test/Feature/MultipleReadResolution.c: -------------------------------------------------------------------------------- 1 | // RUN: echo "x" > %t1.res 2 | // RUN: echo "x" >> %t1.res 3 | // RUN: echo "x" >> %t1.res 4 | // RUN: echo "x" >> %t1.res 5 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 6 | // RUN: rm -rf %t.klee-out 7 | // RUN: %klee --output-dir=%t.klee-out %t1.bc > %t1.log 8 | // RUN: diff %t1.res %t1.log 9 | 10 | #include 11 | 12 | unsigned klee_urange(unsigned start, unsigned end) { 13 | unsigned x; 14 | klee_make_symbolic(&x, sizeof x, "x"); 15 | if (x-start>=end-start) klee_silent_exit(0); 16 | return x; 17 | } 18 | 19 | int *make_int(int i) { 20 | int *x = malloc(sizeof(*x)); 21 | *x = i; 22 | return x; 23 | } 24 | 25 | int main() { 26 | int *buf[4]; 27 | int i,s,t; 28 | 29 | for (i=0; i<4; i++) 30 | buf[i] = make_int((i+1)*2); 31 | 32 | s = klee_urange(0,4); 33 | 34 | int x = *buf[s]; 35 | 36 | if (x == 4) 37 | if (s!=1) 38 | abort(); 39 | 40 | printf("x\n"); 41 | fflush(stdout); 42 | 43 | return 0; 44 | } 45 | -------------------------------------------------------------------------------- /klee/include/klee/Config/Version.h: -------------------------------------------------------------------------------- 1 | //===-- Version.h -----------------------------------------------*- C++ -*-===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #ifndef KLEE_VERSION_H 11 | #define KLEE_VERSION_H 12 | 13 | #include "klee/Config/config.h" 14 | 15 | #define LLVM_VERSION(major, minor) (((major) << 8) | (minor)) 16 | #define LLVM_VERSION_CODE LLVM_VERSION(LLVM_VERSION_MAJOR, LLVM_VERSION_MINOR) 17 | 18 | #if LLVM_VERSION_CODE >= LLVM_VERSION(4, 0) 19 | # define KLEE_LLVM_CL_VAL_END 20 | #else 21 | # define KLEE_LLVM_CL_VAL_END , clEnumValEnd 22 | #endif 23 | 24 | #if LLVM_VERSION_CODE >= LLVM_VERSION(5, 0) 25 | # define KLEE_LLVM_GOIF_TERMINATOR 26 | #else 27 | # define KLEE_LLVM_GOIF_TERMINATOR , NULL 28 | #endif 29 | 30 | #endif /* KLEE_VERSION_H */ 31 | -------------------------------------------------------------------------------- /klee/runtime/Intrinsic/klee_range.c: -------------------------------------------------------------------------------- 1 | //===-- klee_range.c ------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #include "klee/klee.h" 11 | 12 | #include 13 | 14 | int klee_range(int start, int end, const char* name) { 15 | int x; 16 | 17 | if (start >= end) 18 | klee_report_error(__FILE__, __LINE__, "invalid range", "user"); 19 | 20 | if (start+1==end) { 21 | return start; 22 | } else { 23 | klee_make_symbolic(&x, sizeof x, name); 24 | 25 | /* Make nicer constraint when simple... */ 26 | if (start==0) { 27 | klee_assume((unsigned) x < (unsigned) end); 28 | } else { 29 | klee_assume(start <= x); 30 | klee_assume(x < end); 31 | } 32 | 33 | return x; 34 | } 35 | } 36 | -------------------------------------------------------------------------------- /klee/test/regression/2007-08-16-invalid-constant-value.c: -------------------------------------------------------------------------------- 1 | // RUN: rm -f %t4.out %t4.err %t4.log 2 | // RUN: %clang %s -emit-llvm -O2 -c -o %t1.bc 3 | // RUN: llvm-as -f %p/../Feature/_utils._ll -o %t2.bc 4 | // RUN: llvm-link %t1.bc %t2.bc -o %t3.bc 5 | // RUN: rm -rf %t.klee-out 6 | // RUN: %klee --output-dir=%t.klee-out %t3.bc 7 | 8 | #include 9 | 10 | #include "../Feature/utils.h" 11 | 12 | int main() { 13 | unsigned char a; 14 | 15 | klee_make_symbolic(&a, sizeof a, "a"); 16 | 17 | // demand was firing here because an invalid constant 18 | // value was being created when implied value did not 19 | // subtract using the proper type (so overflowed into 20 | // invalid bits) 21 | if (util_make_concat2(a + 0xCD, 0xCD) == 0xABCD) { 22 | assert(!klee_is_symbolic(a)); 23 | printf("add constant case: %d\n", a); 24 | } 25 | 26 | if (util_make_concat2(0x0B - a, 0xCD) == 0xABCD) { 27 | assert(!klee_is_symbolic(a)); 28 | printf("sub constant case: %d\n", a); 29 | } 30 | 31 | return 0; 32 | } 33 | -------------------------------------------------------------------------------- /klee/scripts/build/p-gtest.inc: -------------------------------------------------------------------------------- 1 | setup_build_variables_gtest() { 2 | GTEST_INSTALL_PATH="${BASE}/googletest-release-${GTEST_VERSION}" 3 | return 0 4 | } 5 | 6 | download_gtest() { 7 | cd "${BASE}" || exit 1 8 | wget "https://github.com/google/googletest/archive/release-${GTEST_VERSION}.zip" 9 | unzip -o "release-${GTEST_VERSION}.zip" 10 | rm "release-${GTEST_VERSION}.zip" 11 | touch "${GTEST_INSTALL_PATH}"/.is_installed 12 | } 13 | 14 | build_gtest() { 15 | return 0 16 | } 17 | 18 | install_gtest() { 19 | return 0 20 | } 21 | 22 | is_installed_gtest() { 23 | ( 24 | setup_build_variables_gtest 25 | [[ -f "${GTEST_INSTALL_PATH}"/.is_installed ]] 26 | ) 27 | } 28 | 29 | get_build_artifacts_gtest() { 30 | ( 31 | setup_build_variables_gtest 32 | echo "${GTEST_INSTALL_PATH}" 33 | ) 34 | } 35 | 36 | setup_artifact_variables_gtest() { 37 | setup_build_variables_gtest 38 | } 39 | 40 | get_docker_config_id_gtest() { 41 | ( 42 | setup_build_variables_gtest 43 | echo "${GTEST_VERSION}" 44 | ) 45 | } -------------------------------------------------------------------------------- /klee/test/Feature/AddressOfLabelsSymbolic.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang -emit-llvm -g -c %s -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t.bc > %t.log 2> %t.stderr.log 4 | // RUN: FileCheck %s -check-prefix=CHECK-MSG --input-file=%t.log 5 | // RUN: FileCheck %s -check-prefix=CHECK-ERR --input-file=%t.stderr.log 6 | 7 | #include 8 | 9 | int main(void) { 10 | void * lptr = &&one; 11 | lptr = &&two; 12 | lptr = &&three; 13 | 14 | klee_make_symbolic(&lptr, sizeof(lptr), "lptr"); 15 | // CHECK-ERR: KLEE: ERROR: {{.*}} indirectbr: illegal label address 16 | goto *lptr; 17 | 18 | one: 19 | puts("Label one"); 20 | // CHECK-MSG-DAG: Label one 21 | return 0; 22 | 23 | two: 24 | puts("Label two"); 25 | // CHECK-MSG-DAG: Label two 26 | return 0; 27 | 28 | three: 29 | puts("Label three"); 30 | // CHECK-MSG-DAG: Label three 31 | return 0; 32 | 33 | // LLVM should infer only {one, two, three} as valid targets 34 | four: 35 | puts("Label four"); 36 | // CHECK-MSG-NOT: Label four 37 | return 0; 38 | } 39 | -------------------------------------------------------------------------------- /klee/include/klee/OptionCategories.h: -------------------------------------------------------------------------------- 1 | //===-- OptionCategories.h --------------------------------------*- C++ -*-===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | /* 11 | * This header defines the option categories used in KLEE. 12 | */ 13 | 14 | #ifndef KLEE_OPTIONCATEGORIES_H 15 | #define KLEE_OPTIONCATEGORIES_H 16 | 17 | #include "llvm/Support/CommandLine.h" 18 | 19 | namespace klee { 20 | extern llvm::cl::OptionCategory DebugCat; 21 | extern llvm::cl::OptionCategory MergeCat; 22 | extern llvm::cl::OptionCategory ModuleCat; 23 | extern llvm::cl::OptionCategory SeedingCat; 24 | extern llvm::cl::OptionCategory SolvingCat; 25 | extern llvm::cl::OptionCategory TerminationCat; 26 | extern llvm::cl::OptionCategory TestGenCat; 27 | } 28 | 29 | #endif /* KLEE_OPTIONCATEGORIES_H */ 30 | -------------------------------------------------------------------------------- /klee/test/Feature/MultipleWriteResolution.c: -------------------------------------------------------------------------------- 1 | // RUN: echo "x" > %t1.res 2 | // RUN: echo "x" >> %t1.res 3 | // RUN: echo "x" >> %t1.res 4 | // RUN: echo "x" >> %t1.res 5 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 6 | // RUN: rm -rf %t.klee-out 7 | // RUN: %klee --output-dir=%t.klee-out %t1.bc > %t1.log 8 | // RUN: diff %t1.res %t1.log 9 | 10 | #include 11 | 12 | unsigned klee_urange(unsigned start, unsigned end) { 13 | unsigned x; 14 | klee_make_symbolic(&x, sizeof x, "x"); 15 | if (x-start>=end-start) klee_silent_exit(0); 16 | return x; 17 | } 18 | 19 | int *make_int(int i) { 20 | int *x = malloc(sizeof(*x)); 21 | *x = i; 22 | return x; 23 | } 24 | 25 | int main() { 26 | int *buf[4]; 27 | int i,s,t; 28 | 29 | for (i=0; i<4; i++) 30 | buf[i] = make_int((i+1)*2); 31 | 32 | s = klee_urange(0,4); 33 | 34 | *buf[s] = 5; 35 | 36 | if ((*buf[0] + *buf[1] + *buf[2] + *buf[3]) == 17) 37 | if (s!=3) 38 | abort(); 39 | 40 | printf("x\n"); 41 | fflush(stdout); 42 | 43 | return 0; 44 | } 45 | -------------------------------------------------------------------------------- /klee/scripts/build/p-clang-linux.inc: -------------------------------------------------------------------------------- 1 | setup_artifact_variables_clang() { 2 | local LLVM_VERSION_MAJOR="${LLVM_VERSION/.*/}" 3 | local LLVM_VERSION_MINOR="${LLVM_VERSION/*./}" 4 | local version="" 5 | [[ "${LLVM_VERSION_MAJOR}" -le 6 ]] && version="-${LLVM_VERSION}" 6 | [[ "${LLVM_VERSION_MAJOR}" -ge 7 ]] && version="-${LLVM_VERSION_MAJOR}" 7 | 8 | # Only set LLVM_CONFIG if not set yet 9 | [[ -z ${LLVM_CONFIG+x} ]] && LLVM_CONFIG=$(which "llvm-config${version}") 10 | 11 | 12 | local bin_path="" 13 | bin_path="$(dirname "$(readlink -f "$(which "clang${version}")")")" 14 | 15 | BITCODE_CC="${bin_path}/clang" 16 | BITCODE_CXX="${bin_path}/clang++" 17 | 18 | #[[ -z ${SANITIZER_C_COMPILER+x} ]] && 19 | SANITIZER_C_COMPILER="${BITCODE_CC}" 20 | #[[ -z ${SANITIZER_CXX_COMPILER+x} ]] && 21 | SANITIZER_CXX_COMPILER="${BITCODE_CXX}" 22 | } 23 | 24 | # Check if the binary artifact is installed 25 | is_installed_clang() { 26 | # Check if llvm-config with the right version exists 27 | which "llvm-config-${LLVM_VERSION}" 28 | } -------------------------------------------------------------------------------- /klee/test/Runtime/POSIX/Read1.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error --posix-runtime %t.bc --sym-files 1 8 >%t.log 4 | 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | 12 | int main(int argc, char** argv) { 13 | char buf[32]; 14 | 15 | // If count is zero, read() returns zero and has no other results. (man page) 16 | int x = read(0, 0, 0); 17 | assert(x == 0); 18 | 19 | int fd = open("A", O_RDONLY); 20 | assert(fd != -1); 21 | 22 | // EFAULT buf is outside your accessible address space. (man page) 23 | x = read(fd, 0, 1); 24 | assert(x == -1 && errno == EFAULT); 25 | 26 | // EBADF fd is not a valid file descriptor (man page) 27 | x = read(-1, buf, 1); 28 | assert(x == -1 && errno == EBADF); 29 | 30 | fd = open("A", O_RDONLY); 31 | assert(fd != -1); 32 | x = read(fd, buf, 1); 33 | assert(x == 1); 34 | } 35 | 36 | -------------------------------------------------------------------------------- /klee/lib/Solver/MetaSMTSolver.h: -------------------------------------------------------------------------------- 1 | //===-- MetaSMTSolver.h 2 | //---------------------------------------------------===// 3 | // 4 | // The KLEE Symbolic Virtual Machine 5 | // 6 | // This file is distributed under the University of Illinois Open Source 7 | // License. See LICENSE.TXT for details. 8 | // 9 | //===----------------------------------------------------------------------===// 10 | 11 | #ifndef KLEE_METASMTSOLVER_H 12 | #define KLEE_METASMTSOLVER_H 13 | 14 | #include "klee/Solver/Solver.h" 15 | 16 | namespace klee { 17 | 18 | template class MetaSMTSolver : public Solver { 19 | public: 20 | MetaSMTSolver(bool useForked, bool optimizeDivides); 21 | virtual ~MetaSMTSolver(); 22 | 23 | virtual char *getConstraintLog(const Query &); 24 | virtual void setCoreSolverTimeout(time::Span timeout); 25 | }; 26 | 27 | /// createMetaSMTSolver - Create a solver using the metaSMT backend set by 28 | /// the option MetaSMTBackend. 29 | Solver *createMetaSMTSolver(); 30 | } 31 | 32 | #endif /* KLEE_METASMTSOLVER_H */ 33 | -------------------------------------------------------------------------------- /klee/test/Replay/libkleeruntest/replay_two_objects.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm -g %O0opt -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --search=dfs %t.bc 2>&1 | FileCheck %s 4 | // RUN: test -f %t.klee-out/test000001.ktest 5 | // RUN: test ! -f %t.klee-out/test000002.ktest 6 | 7 | // Now try to replay with libkleeRuntest 8 | // RUN: %cc -DPRINT_VALUES %s %libkleeruntest -Wl,-rpath %libkleeruntestdir -o %t_runner 9 | // RUN: env KTEST_FILE=%t.klee-out/test000001.ktest %t_runner | FileCheck -check-prefix=TESTONE %s 10 | 11 | #include "klee/klee.h" 12 | #include 13 | 14 | int main(int argc, char** argv) { 15 | int x = 0; 16 | int y = 0; 17 | klee_make_symbolic(&x, sizeof(x), "x"); 18 | klee_make_symbolic(&y, sizeof(y), NULL); 19 | 20 | klee_assume(x == 1); 21 | klee_assume(y == 128); 22 | 23 | #ifdef PRINT_VALUES 24 | printf("x=%d\n", x); 25 | printf("y=%d\n", y); 26 | #endif 27 | 28 | return 0; 29 | } 30 | // CHECK: KLEE: done: completed paths = 1 31 | 32 | // TESTONE: x=1 33 | // TESTONE: y=128 34 | -------------------------------------------------------------------------------- /klee/test/Feature/LongDoubleSupport.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --optimize=0 --exit-on-error %t1.bc > %t2.out 4 | 5 | #include 6 | #include 7 | #include 8 | 9 | // FIXME: This doesn't really work at all, it just doesn't 10 | // crash. Until we have wide constant support, that is all we care 11 | // about; the only reason this comes up is in initialization of 12 | // constants, we don't actually end up seeing much code which uses long 13 | // double. 14 | int main() { 15 | unsigned N0 = 0, N1 = 0, N2 = 0; 16 | 17 | float V0 = .1; 18 | while (V0 != 0) { 19 | V0 *= V0; 20 | N0++; 21 | } 22 | double V1 = .1; 23 | while (V1 != 0) { 24 | V1 *= V1; 25 | N1++; 26 | } 27 | long double V2 = .1; 28 | while (V2 != 0) { 29 | V2 *= V2; 30 | N2++; 31 | } 32 | 33 | printf("counts: %d, %d, %d\n", N0, N1, N2); 34 | 35 | assert(N0 == 6); 36 | assert(N1 == 9); 37 | assert(N2 == 13); 38 | 39 | return 0; 40 | } 41 | -------------------------------------------------------------------------------- /klee/tools/klee-replay/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | if (HAVE_PTY_H OR HAVE_UTIL_H OR HAVE_LIBUTIL_H) 10 | add_executable(klee-replay 11 | fd_init.c 12 | file-creator.c 13 | klee-replay.c 14 | klee_init_env.c 15 | ) 16 | 17 | target_link_libraries(klee-replay PRIVATE kleeBasic) 18 | 19 | if(LIBCAP_LIBRARIES) 20 | target_link_libraries(klee-replay PRIVATE ${LIBCAP_LIBRARIES}) 21 | endif() 22 | 23 | if (openpty_in_libutil) 24 | target_link_libraries(klee-replay PRIVATE ${LIBUTIL_LIBRARIES}) 25 | endif (openpty_in_libutil) 26 | 27 | install(TARGETS klee-replay RUNTIME DESTINATION bin) 28 | else() 29 | message(WARNING "Not building klee-replay due to missing library for pty functions.") 30 | endif() 31 | -------------------------------------------------------------------------------- /klee/tools/klee-replay/klee-replay.h: -------------------------------------------------------------------------------- 1 | //===-- klee-replay.h ------------------------------------------*- C++ -*--===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #ifndef KLEE_REPLAY_H 11 | #define KLEE_REPLAY_H 12 | 13 | #define _LARGEFILE64_SOURCE 14 | #define _FILE_OFFSET_BITS 64 15 | 16 | #include "klee/Config/config.h" 17 | // FIXME: This is a hack. 18 | #include "../../runtime/POSIX/fd.h" 19 | #include 20 | 21 | // temporary directory used for replay 22 | extern char replay_dir[]; 23 | 24 | // whether to keep the replay directory or delete it 25 | extern int keep_temps; 26 | 27 | void replay_create_files(exe_file_system_t *exe_fs); 28 | void replay_delete_files(); 29 | 30 | void process_status(int status, 31 | time_t elapsed, 32 | const char *pfx) 33 | __attribute__((noreturn)); 34 | 35 | #endif 36 | -------------------------------------------------------------------------------- /klee/test/Runtime/FreeStanding/freestanding_only.c: -------------------------------------------------------------------------------- 1 | // RUN: %clang %s -emit-llvm %O0opt -g -c -D_FORTIFY_SOURCE=0 -o %t2.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t2.bc 2> %t.log 4 | // RUN: FileCheck %s --input-file=%t.log 5 | // RUN: rm -rf %t.klee-out 6 | // RUN: %klee --optimize --output-dir=%t.klee-out %t2.bc 2> %t.log 7 | // RUN: FileCheck %s --input-file=%t.log 8 | 9 | #include 10 | #include 11 | #include 12 | 13 | #define LENGTH 5 14 | int main(int argc, char **argv) { 15 | char *src = (char *)malloc(LENGTH); 16 | char *dst = (char *)malloc(LENGTH); 17 | 18 | memset(src, 42, LENGTH); 19 | // CHECK-NOT: calling external: memset 20 | 21 | memcpy(dst, src, LENGTH); 22 | // CHECK-NOT: calling external: memcpy 23 | 24 | memmove(dst, src, LENGTH); 25 | // CHECK-NOT: calling external: memmove 26 | 27 | assert(memcmp(src, dst, LENGTH) == 0); 28 | // CHECK-NOT: calling external: memcmp 29 | // CHECK-NOT: calling external: bcmp 30 | 31 | assert(*src == 42); 32 | assert(*src == *dst); 33 | return 0; 34 | } 35 | --------------------------------------------------------------------------------