├── .clang-format ├── .dockerignore ├── .gitattributes ├── .gitignore ├── .travis.yml ├── .travis ├── install-llvm-and-runtime-compiler.sh ├── install-tcmalloc.sh ├── klee.sh ├── metaSMT.sh ├── sanitizer_flags.sh ├── solvers.sh ├── stp.sh └── testing-utils.sh ├── CMakeLists.txt ├── Dockerfile ├── LICENSE.TXT ├── Makefile ├── Makefile.common ├── Makefile.config.in ├── Makefile.rules ├── MetaSMT.mk ├── NEWS ├── README-CMake.md ├── README.md ├── TODO.txt ├── autoconf ├── AutoRegen.sh ├── config.guess ├── config.sub ├── configure.ac └── install-sh ├── cmake ├── GetGitRevisionDescription.cmake ├── GetGitRevisionDescription.cmake.in ├── add_global_flag.cmake ├── c_flags_override.cmake ├── compiler_warnings.cmake ├── cxx_flags_override.cmake ├── find_bitcode_compiler.cmake ├── find_llvm.cmake ├── find_metasmt.cmake ├── klee_add_component.cmake ├── klee_component_add_cxx_flag.cmake ├── modules │ └── FindZ3.cmake └── string_to_list.cmake ├── configure ├── docs ├── CMakeLists.txt ├── SMT-COMP │ ├── BitVector_ArraysEx.smt │ ├── BitVectors.smt │ ├── QF_AUFBV.smt │ └── QF_BV.smt ├── doxygen.cfg.in ├── intro └── overview ├── examples ├── get_sign │ └── get_sign.c ├── islower │ └── islower.c ├── regexp │ ├── Regexp.c │ └── notes.txt ├── sort │ └── sort.c └── taint │ ├── Makefile │ └── README.md ├── include ├── expr │ ├── Lexer.h │ └── Parser.h └── klee │ ├── CommandLine.h │ ├── Common.h │ ├── Config │ ├── CompileTimeInfo.h.cmin │ ├── Version.h │ ├── config.h.cmin │ └── config.h.in │ ├── Constraints.h │ ├── ExecutionState.h │ ├── Expr.h │ ├── ExprBuilder.h │ ├── IncompleteSolver.h │ ├── Internal │ ├── ADT │ │ ├── DiscretePDF.h │ │ ├── DiscretePDF.inc │ │ ├── ImmutableMap.h │ │ ├── ImmutableSet.h │ │ ├── ImmutableTree.h │ │ ├── KTest.h │ │ ├── MapOfSets.h │ │ ├── RNG.h │ │ └── TreeStream.h │ ├── Module │ │ ├── Cell.h │ │ ├── InstructionInfoTable.h │ │ ├── KInstIterator.h │ │ ├── KInstruction.h │ │ └── KModule.h │ ├── README.txt │ ├── Support │ │ ├── CompressionStream.h │ │ ├── Debug.h │ │ ├── ErrorHandling.h │ │ ├── FloatEvaluation.h │ │ ├── IntEvaluation.h │ │ ├── ModuleUtil.h │ │ ├── PrintVersion.h │ │ ├── QueryLog.h │ │ └── Timer.h │ └── System │ │ ├── MemoryUsage.h │ │ └── Time.h │ ├── Interpreter.h │ ├── Solver.h │ ├── SolverImpl.h │ ├── SolverStats.h │ ├── Statistic.h │ ├── Statistics.h │ ├── Taint.h │ ├── TimerStatIncrementer.h │ ├── klee.h │ └── util │ ├── ArrayCache.h │ ├── ArrayExprHash.h │ ├── Assignment.h │ ├── BitArray.h │ ├── Bits.h │ ├── ExprEvaluator.h │ ├── ExprHashMap.h │ ├── ExprPPrinter.h │ ├── ExprRangeEvaluator.h │ ├── ExprSMTLIBPrinter.h │ ├── ExprUtil.h │ ├── ExprVisitor.h │ ├── GetElementPtrTypeIterator.h │ ├── PrintContext.h │ └── Ref.h ├── lib ├── Basic │ ├── CMakeLists.txt │ ├── CmdLineOptions.cpp │ ├── ConstructSolverChain.cpp │ ├── KTest.cpp │ ├── Makefile │ ├── README.txt │ └── Statistics.cpp ├── CMakeLists.txt ├── Core │ ├── AddressSpace.cpp │ ├── AddressSpace.h │ ├── CMakeLists.txt │ ├── CallPathManager.cpp │ ├── CallPathManager.h │ ├── Context.cpp │ ├── Context.h │ ├── CoreStats.cpp │ ├── CoreStats.h │ ├── ExecutionState.cpp │ ├── Executor.cpp │ ├── Executor.h │ ├── ExecutorTimerInfo.h │ ├── ExecutorTimers.cpp │ ├── ExecutorUtil.cpp │ ├── ExternalDispatcher.cpp │ ├── ExternalDispatcher.h │ ├── ImpliedValue.cpp │ ├── ImpliedValue.h │ ├── Makefile │ ├── Memory.cpp │ ├── Memory.h │ ├── MemoryManager.cpp │ ├── MemoryManager.h │ ├── ObjectHolder.h │ ├── PTree.cpp │ ├── PTree.h │ ├── Searcher.cpp │ ├── Searcher.h │ ├── SeedInfo.cpp │ ├── SeedInfo.h │ ├── SpecialFunctionHandler.cpp │ ├── SpecialFunctionHandler.h │ ├── StatsTracker.cpp │ ├── StatsTracker.h │ ├── Taint.cpp │ ├── TimingSolver.cpp │ ├── TimingSolver.h │ ├── UserSearcher.cpp │ └── UserSearcher.h ├── Expr │ ├── ArrayCache.cpp │ ├── Assigment.cpp │ ├── CMakeLists.txt │ ├── Constraints.cpp │ ├── Expr.cpp │ ├── ExprBuilder.cpp │ ├── ExprEvaluator.cpp │ ├── ExprPPrinter.cpp │ ├── ExprSMTLIBPrinter.cpp │ ├── ExprUtil.cpp │ ├── ExprVisitor.cpp │ ├── Lexer.cpp │ ├── Makefile │ ├── Parser.cpp │ └── Updates.cpp ├── Makefile ├── Module │ ├── CMakeLists.txt │ ├── Checks.cpp │ ├── InstructionInfoTable.cpp │ ├── IntrinsicCleaner.cpp │ ├── KInstruction.cpp │ ├── KModule.cpp │ ├── LowerSwitch.cpp │ ├── Makefile │ ├── ModuleUtil.cpp │ ├── Optimize.cpp │ ├── Passes.h │ ├── PhiCleaner.cpp │ └── RaiseAsm.cpp ├── README.txt ├── Solver │ ├── CMakeLists.txt │ ├── CachingSolver.cpp │ ├── CexCachingSolver.cpp │ ├── ConstantDivision.cpp │ ├── ConstantDivision.h │ ├── CoreSolver.cpp │ ├── DummySolver.cpp │ ├── FastCexSolver.cpp │ ├── IncompleteSolver.cpp │ ├── IndependentSolver.cpp │ ├── KQueryLoggingSolver.cpp │ ├── Makefile │ ├── MetaSMTBuilder.h │ ├── MetaSMTSolver.cpp │ ├── QueryLoggingSolver.cpp │ ├── QueryLoggingSolver.h │ ├── SMTLIBLoggingSolver.cpp │ ├── STPBuilder.cpp │ ├── STPBuilder.h │ ├── STPSolver.cpp │ ├── Solver.cpp │ ├── SolverImpl.cpp │ ├── SolverStats.cpp │ ├── ValidatingSolver.cpp │ ├── Z3Builder.cpp │ ├── Z3Builder.h │ └── Z3Solver.cpp └── Support │ ├── CMakeLists.txt │ ├── CompressionStream.cpp │ ├── ErrorHandling.cpp │ ├── Makefile │ ├── MemoryUsage.cpp │ ├── PrintVersion.cpp │ ├── README.txt │ ├── RNG.cpp │ ├── Time.cpp │ ├── Timer.cpp │ └── TreeStream.cpp ├── runtime ├── CMakeLists.txt ├── Intrinsic │ ├── Makefile │ ├── Makefile.cmake.bitcode │ ├── klee_div_zero_check.c │ ├── klee_int.c │ ├── klee_overshift_check.c │ ├── klee_range.c │ ├── memcpy.c │ ├── memmove.c │ ├── mempcpy.c │ └── memset.c ├── Makefile ├── Makefile.cmake.bitcode ├── Makefile.cmake.bitcode.config.in ├── Makefile.cmake.bitcode.rules ├── POSIX │ ├── Makefile │ ├── Makefile.cmake.bitcode │ ├── fd.c │ ├── fd.h │ ├── fd_32.c │ ├── fd_64.c │ ├── fd_init.c │ ├── illegal.c │ ├── klee_init_env.c │ ├── misc.c │ ├── selinux.c │ └── stubs.c ├── Runtest │ ├── CMakeLists.txt │ ├── Makefile │ └── intrinsics.c ├── klee-libc │ ├── Makefile │ ├── Makefile.cmake.bitcode │ ├── __cxa_atexit.c │ ├── abort.c │ ├── atexit.c │ ├── atoi.c │ ├── calloc.c │ ├── htonl.c │ ├── klee-choose.c │ ├── memchr.c │ ├── memcmp.c │ ├── memcpy.c │ ├── memmove.c │ ├── mempcpy.c │ ├── memset.c │ ├── putchar.c │ ├── stpcpy.c │ ├── strcat.c │ ├── strchr.c │ ├── strcmp.c │ ├── strcoll.c │ ├── strcpy.c │ ├── strlen.c │ ├── strncmp.c │ ├── strncpy.c │ ├── strrchr.c │ ├── strtol.c │ ├── strtoul.c │ ├── tolower.c │ └── toupper.c └── klee-uclibc │ └── Makefile ├── scripts ├── IStatsMerge.py ├── IStatsSum.py ├── coverageServer.py ├── genTempFiles.sh ├── klee-chroot-env ├── klee-clang ├── klee-control ├── klee-gcc └── objdump ├── test ├── CMakeLists.txt ├── CXX │ ├── ArrayNew.cpp │ ├── New.cpp │ ├── SimpleVirtual.cpp │ ├── StaticConstructor.cpp │ ├── StaticDestructor.cpp │ └── Trivial.cpp ├── Concrete │ ├── BitwiseOps.ll │ ├── BoolReadWrite.ll │ ├── CMakeLists.txt │ ├── Casts.ll │ ├── CmpEq.ll │ ├── ConcreteTest.py │ ├── ConstantExpr.ll │ ├── FloatingPointOps.ll │ ├── GlobalInitializers.ll │ ├── GlobalUndef.ll │ ├── GlobalVariable.ll │ ├── ICmp.ll │ ├── Makefile │ ├── Makefile.cmake.test.in │ ├── OneCall.ll │ ├── OverlappingPhiNodes.ll │ ├── README.txt │ ├── Select.ll │ ├── Shifts.ll │ ├── SimpleStoreAndLoad.ll │ ├── UnconditionalBranch.ll │ ├── UnconditionalBranchWithSimplePhi.ll │ ├── UnorderedPhiNodes.ll │ ├── _testingUtils.c │ ├── ackermann.c │ └── arith_test.ll ├── Coverage │ ├── ReadArgs.c │ └── ReplayOutDir.c ├── Dogfood │ └── ImmutableSet.cpp ├── Expr │ ├── Evaluate.kquery │ ├── Evaluate2.kquery │ ├── Lexer │ │ └── Numbers.kquery │ ├── Parser │ │ ├── Concat64.kquery │ │ ├── ConstantFolding.kquery │ │ ├── Exprs.kquery │ │ ├── MultiByteReads.kquery │ │ ├── Simplify.kquery │ │ └── TypeChecking.kquery │ ├── print-smt-let.kquery │ ├── print-smt-let.smt2.good │ ├── print-smt-named.kquery │ ├── print-smt-named.smt2.good │ ├── print-smt-none.kquery │ └── print-smt-none.smt2.good ├── Feature │ ├── Alias.c │ ├── AliasFunction.c │ ├── AliasFunctionExit.c │ ├── BFSSearcher.c │ ├── BitcastAlias.ll │ ├── BitcastAliasMD2U.ll │ ├── ByteSwap.c │ ├── CallToUndefinedExternal.cpp │ ├── CheckForImpliedValue.c.failing │ ├── CheckMemoryAccess.c │ ├── CompressedExprLogging.c │ ├── ConstantStruct.ll │ ├── CopyOnWrite.c │ ├── DanglingConcreteReadExpr.c │ ├── DefineFixedObject.c │ ├── DeterministicSwitch.c │ ├── DoubleFree.c │ ├── DumpStatesOnHalt.c │ ├── EntryPoint.c │ ├── Envp.c │ ├── ExitOnErrorType.c │ ├── ExprLogging.c │ ├── ExternalWeakLinkage.c │ ├── Float.c │ ├── FloatingPt.c │ ├── FunctionPointer.c │ ├── GetElementPtr.ll │ ├── GetValue.c │ ├── ImpliedValue.c.failing │ ├── InAndOutOfBounds.c │ ├── IndirectCallToBuiltin.c │ ├── IndirectCallToExternal.c │ ├── InsertExtractValue.ll │ ├── IntrinsicTrap.ll │ ├── InvalidBitfieldAccess.c.failing │ ├── IsSymbolic.c │ ├── KleeReportError.c │ ├── LargeReturnTypes.cpp │ ├── LinkLLVMLib.c │ ├── LoggingInstructions.c │ ├── LongDouble.cpp │ ├── LongDoubleSupport.c │ ├── LowerSwitch.c │ ├── MakeConcreteSymbolic.c │ ├── MakeSymbolicName.c │ ├── MemoryLimit.c │ ├── MultiMkSym.c │ ├── MultipleFreeResolution.c │ ├── MultipleReadResolution.c │ ├── MultipleReallocResolution.c │ ├── MultipleWriteResolution.c │ ├── NamedSeedMatching.c │ ├── NonSizedGlobals.c │ ├── OneFreeError.c │ ├── OneOutOfBounds.c │ ├── Optimize.c │ ├── Overflow.ll │ ├── OverflowMul.ll │ ├── OverlappedError.c │ ├── OvershiftCheck.c │ ├── PreferCex.c │ ├── RaiseAsm.c │ ├── Realloc.c │ ├── ReplayPath.c │ ├── RewriteEqualities.c │ ├── Searchers.c │ ├── SetForking.c │ ├── SilentKleeAssume.c │ ├── SolverTimeout.c │ ├── SourceMapping.c │ ├── StatesCoveringNew.c │ ├── VarArgLongDouble.c │ ├── Vararg.c │ ├── WithLibc.c │ ├── WriteCov.c │ ├── _utils._ll │ ├── arithmetic-right-overshift-sym-conc.c │ ├── consecutive_divide_by_zero.c │ ├── const_array_opt1.c │ ├── left-overshift-sym-conc.c │ ├── logical-right-overshift-sym-conc.c │ ├── srem.c │ ├── ubsan_signed_overflow.c │ ├── ubsan_unsigned_overflow.c │ └── utils.h ├── Intrinsics │ ├── objectsize.ll │ └── objectsize.llvm29.ll ├── Makefile ├── Makefile.tests ├── Programs │ └── pcregrep.c ├── README ├── Replay │ └── libkleeruntest │ │ ├── replay_invalid_klee_assume.c │ │ ├── replay_invalid_klee_choose.c │ │ ├── replay_invalid_klee_range.c │ │ ├── replay_invalid_num_objects.c │ │ ├── replay_invalid_object_names.c │ │ ├── replay_invalid_object_size.c │ │ ├── replay_posix_runtime.c │ │ ├── replay_simple.c │ │ └── replay_two_objects.c ├── Runtime │ ├── POSIX │ │ ├── DirConsistency.c │ │ ├── DirSeek.c │ │ ├── FDNumbers.c │ │ ├── FD_Fail.c │ │ ├── FD_Fail2.c │ │ ├── Fcntl.c │ │ ├── FilePerm.c │ │ ├── FreeArgv.c │ │ ├── Futimesat.c │ │ ├── Getenv.c │ │ ├── Ioctl.c │ │ ├── Isatty.c │ │ ├── Openat.c │ │ ├── PrgName.c │ │ ├── Read1.c │ │ ├── SELinux │ │ │ ├── SELinux.c │ │ │ └── lit.local.cfg │ │ ├── SeedAndFail.c │ │ ├── Stdin.c │ │ ├── Write1.c │ │ ├── Write2.c │ │ └── lit.local.cfg │ └── Uclibc │ │ ├── 2007-10-08-optimization-calls-wrong-libc-functions.c │ │ ├── 2008-03-04-libc-atexit-uses-dso-handle.c │ │ ├── Environ.c │ │ └── lit.local.cfg ├── Solver │ ├── 2016-04-12-array-parsing-bug.kquery │ ├── AShr_to_smtlib.kquery │ ├── AShr_to_smtlib.kquery.good.smt2 │ ├── FastCexSolver.kquery │ ├── LargeIntegers.kquery │ ├── lit.local.cfg │ ├── overshift-aright-by-constant.kquery │ ├── overshift-aright-by-symbolic.kquery │ ├── overshift-left-by-constant.kquery │ ├── overshift-left-by-symbolic.kquery │ ├── overshift-lright-by-constant.kquery │ └── overshift-lright-by-symbolic.kquery ├── Taint │ ├── AddConst.c │ ├── Arith.c │ ├── Basic.c │ ├── BasicBuffer.c │ ├── BasicUnion.c │ ├── Br.c │ ├── Buffer.c │ ├── BufferStar.c │ ├── Conditional.c │ ├── ConditionalControlFlow.c │ ├── ConstAssign.c │ ├── CovertChannel.c │ ├── CovertChannelCond.c │ ├── Float.c │ ├── Function.c │ ├── GEP.c │ ├── Jump.c │ ├── Load.c │ ├── Malloc.c │ ├── NestedConditionals.c │ ├── Store.c │ ├── Switch.c │ ├── VarAssign.c │ └── While.c ├── TestRunner.sh ├── lit.cfg ├── lit.site.cfg.in └── regression │ ├── 2007-07-25-invalid-stp-array-binding-to-objectstate.c │ ├── 2007-07-30-unflushed-byte.c │ ├── 2007-08-01-bool-zext-in-call.ll │ ├── 2007-08-01-cache-unclear-on-overwrite-flushed.c │ ├── 2007-08-06-64bit-shift.c │ ├── 2007-08-06-access-after-free.c │ ├── 2007-08-08-free-zero.c │ ├── 2007-08-16-invalid-constant-value.c │ ├── 2007-08-16-valid-write-to-freed-object.c │ ├── 2007-10-11-free-of-alloca.c │ ├── 2007-10-11-illegal-access-after-free-and-branch.c │ ├── 2007-10-12-failed-make-symbolic-after-copy.c │ ├── 2008-03-04-free-of-global.c │ ├── 2008-03-11-free-of-malloc-zero.c │ ├── 2008-04-10-bad-alloca-free.c │ ├── 2008-05-23-gep-with-global-const.c │ ├── 2012-05-13-asm-causes-aborts.c │ ├── 2014-07-04-unflushed-error-report.c │ ├── 2014-12-08-ashr.c │ ├── 2015-06-22-struct-write.c │ ├── 2015-08-30-empty-constraints.c │ ├── 2015-08-30-sdiv-1.c │ ├── 2016-03-22-independence-solver-missing-objects-for-assignment.kquery │ ├── 2016-04-14-sdiv-2.c │ ├── 2016-06-28-div-zero-bug.c │ ├── 2016-08-06-klee-get-obj-size.c │ ├── 2016-08-11-entry-point-internalize-pass.c │ ├── 2016-08-12-empty-file.c │ ├── 2016-11-24-bitcast-weak-alias.c │ ├── 2016-12-14-alloc-alignment.c │ ├── 2017-02-21-pathOS-id.c │ └── lit.local.cfg ├── tools ├── CMakeLists.txt ├── Makefile ├── gen-random-bout │ ├── CMakeLists.txt │ ├── Makefile │ └── gen-random-bout.cpp ├── kleaver │ ├── CMakeLists.txt │ ├── Makefile │ └── main.cpp ├── klee-replay │ ├── CMakeLists.txt │ ├── Makefile │ ├── fd_init.c │ ├── file-creator.c │ ├── klee-replay.c │ ├── klee-replay.h │ └── klee_init_env.c ├── klee-stats │ ├── CMakeLists.txt │ ├── Makefile │ └── klee-stats ├── klee │ ├── CMakeLists.txt │ ├── Debug.cpp │ ├── Makefile │ └── main.cpp └── ktest-tool │ ├── CMakeLists.txt │ ├── Makefile │ └── ktest-tool ├── unittests ├── Assignment │ ├── AssignmentTest.cpp │ ├── CMakeLists.txt │ └── Makefile ├── CMakeLists.txt ├── Expr │ ├── CMakeLists.txt │ ├── ExprTest.cpp │ └── Makefile ├── Makefile ├── Ref │ ├── CMakeLists.txt │ ├── Makefile │ └── RefTest.cpp ├── Solver │ ├── CMakeLists.txt │ ├── Makefile │ └── SolverTest.cpp ├── TestMain.cpp ├── lit-unit-tests-common.cfg └── lit-unit-tests-common.site.cfg.in └── utils ├── data └── Queries │ ├── pcresymperf-3.kquery │ └── pcresymperf-4.kquery ├── emacs └── klee-pc-mode.el ├── hacks └── TreeGraphs │ ├── Animate.py │ ├── DumpTreeStream.py │ ├── Graphics │ ├── Canvas │ │ └── __init__.py │ ├── Geometry │ │ ├── Intersect2D.py │ │ ├── __init__.py │ │ ├── mat2.py │ │ ├── mat3.py │ │ ├── mat4.py │ │ ├── quat.py │ │ ├── vec2.py │ │ ├── vec3.py │ │ └── vec4.py │ └── __init__.py │ ├── README.txt │ ├── TreeGraph.py │ └── inputs │ ├── symPaths.ts │ └── symPaths6.ts ├── sanitizers └── lsan.txt └── valgrind ├── README.txt ├── valgrind-llvm.supp └── valgrind-stp.supp /.clang-format: -------------------------------------------------------------------------------- 1 | --- 2 | BasedOnStyle: LLVM 3 | Standard: Cpp03 4 | ... 5 | -------------------------------------------------------------------------------- /.dockerignore: -------------------------------------------------------------------------------- 1 | .git 2 | autom4te.cache 3 | **/.*.swp 4 | Dockerfile 5 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | * text=auto 2 | 3 | *.h text 4 | *.c text 5 | *.cpp text 6 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | Release/ 2 | Release+Asserts/ 3 | Debug/ 4 | Debug+Asserts/ 5 | Output/ 6 | 7 | cscope.* 8 | *~ 9 | 10 | *.log 11 | *.sum 12 | *.out 13 | *.status 14 | 15 | # In source build files 16 | docs/doxygen.cfg 17 | include/klee/Config/CompileTimeInfo.h 18 | *.config 19 | 20 | config.h 21 | site.exp 22 | 23 | # Site file for llvm-lit 24 | lit.site.cfg 25 | 26 | # Autoconf files 27 | autoconf/aclocal.m4 28 | autoconf/autom4te.cache/ 29 | autom4te.cache/ 30 | -------------------------------------------------------------------------------- /.travis/install-tcmalloc.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -x 2 | set -ev 3 | 4 | if [ ${USE_TCMALLOC:-0} -eq 1 ] ; then 5 | # Get tcmalloc release 6 | wget https://github.com/gperftools/gperftools/releases/download/gperftools-2.4/gperftools-2.4.tar.gz 7 | tar xfz gperftools-2.4.tar.gz 8 | cd gperftools-2.4 9 | ./configure --disable-dependency-tracking --disable-cpu-profiler --disable-heap-checker --disable-debugalloc --enable-minimal --prefix=/usr 10 | make 11 | sudo make install 12 | fi 13 | -------------------------------------------------------------------------------- /.travis/solvers.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -x 2 | # Make sure we exit if there is a failure 3 | set -e 4 | : ${SOLVERS?"Solvers must be specified"} 5 | 6 | SOLVER_LIST=$(echo "${SOLVERS}" | sed 's/:/ /') 7 | 8 | for solver in ${SOLVER_LIST}; do 9 | echo "Getting solver ${solver}" 10 | case ${solver} in 11 | STP) 12 | echo "STP" 13 | mkdir stp 14 | cd stp 15 | ${KLEE_SRC}/.travis/stp.sh 16 | cd ../ 17 | ;; 18 | Z3) 19 | # FIXME: Move this into its own script 20 | source ${KLEE_SRC}/.travis/sanitizer_flags.sh 21 | if [ "X${IS_SANITIZED_BUILD}" != "X0" ]; then 22 | echo "Error: Requested Sanitized build but Z3 being used is not sanitized" 23 | exit 1 24 | fi 25 | echo "Z3" 26 | # Should we install libz3-dbg too? 27 | sudo apt-get -y install libz3 libz3-dev 28 | ;; 29 | metaSMT) 30 | echo "metaSMT" 31 | ${KLEE_SRC}/.travis/metaSMT.sh 32 | ;; 33 | *) 34 | echo "Unknown solver ${solver}" 35 | exit 1 36 | esac 37 | done 38 | -------------------------------------------------------------------------------- /MetaSMT.mk: -------------------------------------------------------------------------------- 1 | # This file contains common code for linking against MetaSMT 2 | # 3 | # Consume flags generated by metaSMT here. 4 | ifeq ($(ENABLE_METASMT),1) 5 | include $(METASMT_ROOT)/share/metaSMT/metaSMT.makefile 6 | LD.Flags += $(metaSMT_LDFLAGS) 7 | CXX.Flags += -DMETASMT_DEFAULT_BACKEND_IS_$(METASMT_DEFAULT_BACKEND) 8 | CXX.Flags += $(metaSMT_CXXFLAGS) 9 | CXX.Flags += $(metaSMT_INCLUDES) 10 | CXX.Flags := $(filter-out -fno-exceptions,$(CXX.Flags)) 11 | CXX.Flags := $(filter-out -fno-rtti,$(CXX.Flags)) 12 | LIBS += $(metaSMT_LDLIBS) 13 | endif 14 | -------------------------------------------------------------------------------- /cmake/c_flags_override.cmake: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | # 10 | # This file overrides the default compiler flags for CMake's built-in 11 | # configurations (CMAKE_BUILD_TYPE). Most compiler flags should not be set 12 | # here. The main purpose is to make sure ``-DNDEBUG`` is never set by default. 13 | # 14 | #===------------------------------------------------------------------------===# 15 | if (("${CMAKE_C_COMPILER_ID}" MATCHES "Clang") OR ("${CMAKE_C_COMPILER_ID}" MATCHES "GNU")) 16 | # Taken from Modules/Compiler/GNU.cmake but -DNDEBUG is removed 17 | set(CMAKE_C_FLAGS_INIT "") 18 | set(CMAKE_C_FLAGS_DEBUG_INIT "-O0 -g") 19 | set(CMAKE_C_FLAGS_MINSIZEREL_INIT "-Os") 20 | set(CMAKE_C_FLAGS_RELEASE_INIT "-O3") 21 | set(CMAKE_C_FLAGS_RELWITHDEBINFO_INIT "-O2 -g") 22 | else() 23 | message(FATAL_ERROR "Overrides not set for compiler ${CMAKE_C_COMPILER_ID}") 24 | endif() 25 | -------------------------------------------------------------------------------- /cmake/string_to_list.cmake: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | 10 | function(string_to_list s output_var) 11 | string(REPLACE " " ";" _output "${s}") 12 | set(${output_var} ${_output} PARENT_SCOPE) 13 | endfunction() 14 | -------------------------------------------------------------------------------- /docs/SMT-COMP/QF_AUFBV.smt: -------------------------------------------------------------------------------- 1 | (logic QF_AUFBV 2 | 3 | :written_by {Clark Barrett} 4 | :date {May 7, 2007} 5 | 6 | :theory BV_ArraysEx 7 | 8 | :language 9 | "Closed quantifier-free formulas built over an arbitrary expansion of the 10 | BV_ArraysEx signature with free function and predicate symbols over 11 | the sorts of BV_ArraysEx. Formulas in ite terms must satisfy the same 12 | restriction as well, with the exception that they need not be closed (because 13 | they may be in the scope of a let expression). 14 | " 15 | :extensions 16 | "As in the logic QF_BV." 17 | ) 18 | 19 | 20 | -------------------------------------------------------------------------------- /docs/intro: -------------------------------------------------------------------------------- 1 | /// @mainpage KLEE 2 | /// 3 | /// @section main_intro Introduction 4 | /// Welcome to KLEE. KLEE is a symbolic execution engine that works on LLVM 5 | /// bitcode. 6 | /// 7 | /// @section Documentation 8 | /// The documentation of KLEE is composed of the Doxygen documentation 9 | /// of the code as well as the following documents: 10 | /// - @subpage overview 11 | -------------------------------------------------------------------------------- /examples/get_sign/get_sign.c: -------------------------------------------------------------------------------- 1 | /* 2 | * First KLEE tutorial: testing a small function 3 | */ 4 | 5 | #include 6 | 7 | int get_sign(int x) { 8 | if (x == 0) 9 | return 0; 10 | 11 | if (x < 0) 12 | return -1; 13 | else 14 | return 1; 15 | } 16 | 17 | int main() { 18 | int a; 19 | klee_make_symbolic(&a, sizeof(a), "a"); 20 | return get_sign(a); 21 | } 22 | -------------------------------------------------------------------------------- /examples/islower/islower.c: -------------------------------------------------------------------------------- 1 | /* 2 | * First KLEE tutorial: testing a small function 3 | */ 4 | 5 | #include 6 | 7 | int my_islower(int x) { 8 | if (x >= 'a' && x <= 'z') 9 | return 1; 10 | else return 0; 11 | } 12 | 13 | int main() { 14 | char c; 15 | klee_make_symbolic(&c, sizeof(c), "input"); 16 | return my_islower(c); 17 | } 18 | -------------------------------------------------------------------------------- /examples/regexp/notes.txt: -------------------------------------------------------------------------------- 1 | clang -m32 -I ~/private/klee/include -c -emit-llvm Regexp.c 2 | 3 | klee Regexp.o 4 | klee --only-output-states-covering-new Regexp.o 5 | ls -l klee-out-0 6 | ls -l klee-out-1 7 | ls -l klee-last 8 | 9 | cd klee-last 10 | klee-bout-tool *.bout 11 | klee-bout-tool --trim-zeros *.bout 12 | 13 | Stuff to show: 14 | Adding klee_prefer_cex 15 | 16 | PrintStats.py klee-last 17 | 18 | PrintStats.py klee-last 19 | Why not 100% coverage? 20 | 21 | clang -g -m32 -I ~/private/klee/include -c -emit-llvm Regexp.c 22 | 23 | KCachegrind? 24 | 25 | Disable klee_assume, show coverage again (why is klee-check-div getting pulled 26 | in?) 27 | -------------------------------------------------------------------------------- /examples/taint/Makefile: -------------------------------------------------------------------------------- 1 | #CC=llvm-gcc --emit-llvm 2 | CC=clang -emit-llvm 3 | 4 | all: direct controlflow regions 5 | 6 | direct: taint_direct.o 7 | echo 8 | echo Testing... 9 | echo There should be no assertion fails! 10 | klee -taint=direct taint_direct.o 11 | echo 12 | 13 | controlflow: taint_controlflow.o 14 | echo 15 | echo Testing... 16 | echo There should be no assertion fails! 17 | klee -taint=control-flow taint_controlflow.o 18 | echo 19 | 20 | regions: taint_regions.o 21 | echo 22 | echo Testing... 23 | echo There should be no assertion fails! 24 | klee -taint=regions taint_regions.o 25 | echo 26 | 27 | taint_direct.o: taint.c 28 | $(CC) -O0 -DDIRECT -c taint.c -I ../../include/ -o taint_direct.o 29 | 30 | taint_controlflow.o: taint.c 31 | $(CC) -O0 -DCONTROLFLOW -c taint.c -I ../../include/ -o taint_controlflow.o 32 | 33 | taint_regions.o: taint.c 34 | $(CC) -O0 -DREGIONS -c taint.c -I ../../include/ -o taint_regions.o 35 | 36 | clean: 37 | rm -Rf klee-* 38 | rm -f taint.o 39 | 40 | -------------------------------------------------------------------------------- /include/klee/Config/CompileTimeInfo.h.cmin: -------------------------------------------------------------------------------- 1 | //===-- CompileTimeInfo.h ---------------------------------------*- C++ -*-===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | // @AUTO_GEN_MSG@ 11 | #ifndef KLEE_COMPILE_TIME_INFO_H 12 | #define KLEE_COMPILE_TIME_INFO_H 13 | 14 | #define KLEE_BUILD_MODE "@CMAKE_BUILD_TYPE@ (Asserts: @ENABLE_KLEE_ASSERTS@)" 15 | #define KLEE_BUILD_REVISION "@KLEE_GIT_SHA1HASH@" 16 | 17 | #endif 18 | -------------------------------------------------------------------------------- /include/klee/Config/Version.h: -------------------------------------------------------------------------------- 1 | //===-- Version.h -----------------------------------------------*- C++ -*-===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #ifndef KLEE_CONFIG_VERSION_H 11 | #define KLEE_CONFIG_VERSION_H 12 | 13 | #include "klee/Config/config.h" 14 | 15 | #define LLVM_VERSION(major, minor) (((major) << 8) | (minor)) 16 | #define LLVM_VERSION_CODE LLVM_VERSION(LLVM_VERSION_MAJOR, LLVM_VERSION_MINOR) 17 | 18 | #if LLVM_VERSION_CODE >= LLVM_VERSION(3, 0) 19 | # define LLVM_TYPE_Q 20 | #else 21 | # define LLVM_TYPE_Q const 22 | #endif 23 | 24 | #endif 25 | -------------------------------------------------------------------------------- /include/klee/Internal/Module/Cell.h: -------------------------------------------------------------------------------- 1 | //===-- Cell.h --------------------------------------------------*- C++ -*-===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #ifndef KLEE_CELL_H 11 | #define KLEE_CELL_H 12 | 13 | #include 14 | #include 15 | 16 | namespace klee { 17 | class MemoryObject; 18 | 19 | struct Cell { 20 | ref value; 21 | TaintSet taint; 22 | }; 23 | } 24 | 25 | #endif 26 | -------------------------------------------------------------------------------- /include/klee/Internal/README.txt: -------------------------------------------------------------------------------- 1 | This directory holds header files for things which are exposed as part 2 | of the internal API of a library, but shouldn't be exposed to 3 | externally. 4 | -------------------------------------------------------------------------------- /include/klee/Internal/Support/Debug.h: -------------------------------------------------------------------------------- 1 | //===-- Debug.h -------------------------------------------------*- C++ -*-===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #ifndef KLEE_INTERNAL_SUPPORT_DEBUG_H 11 | #define KLEE_INTERNAL_SUPPORT_DEBUG_H 12 | 13 | #include 14 | #include 15 | 16 | // We define wrappers around the LLVM DEBUG macros that are conditionalized on 17 | // whether the LLVM we are building against has the symbols needed by these 18 | // checks. 19 | 20 | #ifdef ENABLE_KLEE_DEBUG 21 | #define KLEE_DEBUG_WITH_TYPE(TYPE, X) DEBUG_WITH_TYPE(TYPE, X) 22 | #else 23 | #define KLEE_DEBUG_WITH_TYPE(TYPE, X) do { } while (0) 24 | #endif 25 | #define KLEE_DEBUG(X) KLEE_DEBUG_WITH_TYPE(DEBUG_TYPE, X) 26 | 27 | #endif 28 | -------------------------------------------------------------------------------- /include/klee/Internal/Support/PrintVersion.h: -------------------------------------------------------------------------------- 1 | //===-- Version.h -----------------------------------------------*- C++ -*-===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #ifndef KLEE_PRINT_VERSION_H 11 | #define KLEE_PRINT_VERSION_H 12 | 13 | namespace klee { 14 | void printVersion(); 15 | } 16 | 17 | #endif 18 | -------------------------------------------------------------------------------- /include/klee/Internal/Support/Timer.h: -------------------------------------------------------------------------------- 1 | //===-- Timer.h -------------------------------------------------*- C++ -*-===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #ifndef KLEE_TIMER_H 11 | #define KLEE_TIMER_H 12 | 13 | #include 14 | 15 | namespace klee { 16 | class WallTimer { 17 | uint64_t startMicroseconds; 18 | 19 | public: 20 | WallTimer(); 21 | 22 | /// check - Return the delta since the timer was created, in microseconds. 23 | uint64_t check(); 24 | }; 25 | } 26 | 27 | #endif 28 | 29 | -------------------------------------------------------------------------------- /include/klee/Internal/System/MemoryUsage.h: -------------------------------------------------------------------------------- 1 | //===-- MemoryUsage.h -------------------------------------------*- C++ -*-===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #ifndef KLEE_UTIL_MEMORYUSAGE_H 11 | #define KLEE_UTIL_MEMORYUSAGE_H 12 | 13 | #include 14 | 15 | namespace klee { 16 | namespace util { 17 | size_t GetTotalMallocUsage(); 18 | } 19 | } 20 | 21 | #endif 22 | -------------------------------------------------------------------------------- /include/klee/Internal/System/Time.h: -------------------------------------------------------------------------------- 1 | //===-- Time.h --------------------------------------------------*- C++ -*-===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #ifndef KLEE_UTIL_TIME_H 11 | #define KLEE_UTIL_TIME_H 12 | 13 | #include 14 | 15 | namespace klee { 16 | namespace util { 17 | 18 | /// Seconds spent by this process in user mode. 19 | double getUserTime(); 20 | 21 | /// Wall time in seconds. 22 | double getWallTime(); 23 | 24 | /// Wall time as TimeValue object. 25 | llvm::sys::TimeValue getWallTimeVal(); 26 | } 27 | } 28 | 29 | #endif 30 | -------------------------------------------------------------------------------- /include/klee/SolverStats.h: -------------------------------------------------------------------------------- 1 | //===-- SolverStats.h -------------------------------------------*- C++ -*-===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #ifndef KLEE_SOLVERSTATS_H 11 | #define KLEE_SOLVERSTATS_H 12 | 13 | #include "klee/Statistic.h" 14 | 15 | namespace klee { 16 | namespace stats { 17 | 18 | extern Statistic cexCacheTime; 19 | extern Statistic queries; 20 | extern Statistic queriesInvalid; 21 | extern Statistic queriesValid; 22 | extern Statistic queryCacheHits; 23 | extern Statistic queryCacheMisses; 24 | extern Statistic queryCexCacheHits; 25 | extern Statistic queryCexCacheMisses; 26 | extern Statistic queryConstructTime; 27 | extern Statistic queryConstructs; 28 | extern Statistic queryCounterexamples; 29 | extern Statistic queryTime; 30 | 31 | #ifdef DEBUG 32 | extern Statistic arrayHashTime; 33 | #endif 34 | 35 | } 36 | } 37 | 38 | #endif 39 | -------------------------------------------------------------------------------- /include/klee/Taint.h: -------------------------------------------------------------------------------- 1 | #ifndef KLEE_TAINT_H 2 | #define KLEE_TAINT_H 3 | 4 | #include 5 | 6 | namespace klee 7 | { 8 | typedef unsigned int TaintSet; 9 | extern TaintSet EMPTYTAINTSET; 10 | void mergeTaint (TaintSet & this_taint, TaintSet const other_taint); 11 | 12 | #define SIZEOFTAINT sizeof(TaintSet)*4 13 | 14 | } 15 | 16 | #endif 17 | -------------------------------------------------------------------------------- /include/klee/TimerStatIncrementer.h: -------------------------------------------------------------------------------- 1 | //===-- TimerStatIncrementer.h ----------------------------------*- C++ -*-===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #ifndef KLEE_TIMERSTATINCREMENTER_H 11 | #define KLEE_TIMERSTATINCREMENTER_H 12 | 13 | #include "klee/Statistics.h" 14 | #include "klee/Internal/Support/Timer.h" 15 | 16 | namespace klee { 17 | class TimerStatIncrementer { 18 | private: 19 | WallTimer timer; 20 | Statistic &statistic; 21 | 22 | public: 23 | TimerStatIncrementer(Statistic &_statistic) : statistic(_statistic) {} 24 | ~TimerStatIncrementer() { 25 | statistic += timer.check(); 26 | } 27 | 28 | uint64_t check() { return timer.check(); } 29 | }; 30 | } 31 | 32 | #endif 33 | -------------------------------------------------------------------------------- /lib/Basic/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | klee_add_component(kleeBasic 10 | CmdLineOptions.cpp 11 | ConstructSolverChain.cpp 12 | KTest.cpp 13 | Statistics.cpp 14 | ) 15 | set(LLVM_COMPONENTS 16 | support 17 | ) 18 | 19 | klee_get_llvm_libs(LLVM_LIBS ${LLVM_COMPONENTS}) 20 | target_link_libraries(kleeBasic PUBLIC ${LLVM_LIBS}) 21 | 22 | target_link_libraries(kleeBasic PRIVATE 23 | # FIXME: THIS IS STUPID. 24 | # `ConstructSolverChain.cpp` should be in 25 | # `kleaverSolver` not in in `kleeBasic`. 26 | # We are creating a circular dependency because 27 | # of this because `kleaverSolver` depends on `kleeBasic`. 28 | kleaverSolver 29 | ) 30 | -------------------------------------------------------------------------------- /lib/Basic/Makefile: -------------------------------------------------------------------------------- 1 | #===-- lib/Basic/Makefile ----------------------------------*- Makefile -*--===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | 10 | LEVEL=../.. 11 | 12 | LIBRARYNAME=kleeBasic 13 | DONT_BUILD_RELINKED=1 14 | BUILD_ARCHIVE=1 15 | NO_INSTALL=1 16 | 17 | include $(LEVEL)/Makefile.common 18 | -------------------------------------------------------------------------------- /lib/Basic/README.txt: -------------------------------------------------------------------------------- 1 | This directory holds the most basic support facilities provided for 2 | both the klee and kleaver libraries. The code in this directory should 3 | have no dependencies on LLVM or any other klee libraries. 4 | -------------------------------------------------------------------------------- /lib/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | add_subdirectory(Basic) 10 | add_subdirectory(Support) 11 | add_subdirectory(Expr) 12 | add_subdirectory(Solver) 13 | add_subdirectory(Module) 14 | add_subdirectory(Core) 15 | -------------------------------------------------------------------------------- /lib/Core/ExecutorTimerInfo.h: -------------------------------------------------------------------------------- 1 | //===-- Executor.h ----------------------------------------------*- C++ -*-===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | // 10 | // Class to wrap information for a timer. 11 | // 12 | //===----------------------------------------------------------------------===// 13 | 14 | #ifndef EXECUTORTIMERINFO_H_ 15 | #define EXECUTORTIMERINFO_H_ 16 | 17 | #include "klee/Internal/System/Time.h" 18 | 19 | namespace klee { 20 | 21 | class Executor::TimerInfo { 22 | public: 23 | Timer *timer; 24 | 25 | /// Approximate delay per timer firing. 26 | double rate; 27 | /// Wall time for next firing. 28 | double nextFireTime; 29 | 30 | public: 31 | TimerInfo(Timer *_timer, double _rate) 32 | : timer(_timer), 33 | rate(_rate), 34 | nextFireTime(util::getWallTime() + rate) {} 35 | ~TimerInfo() { delete timer; } 36 | }; 37 | 38 | 39 | } 40 | 41 | 42 | #endif /* EXECUTORTIMERINFO_H_ */ 43 | -------------------------------------------------------------------------------- /lib/Core/Makefile: -------------------------------------------------------------------------------- 1 | #===-- lib/Core/Makefile -----------------------------------*- Makefile -*--===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | 10 | LEVEL=../.. 11 | 12 | LIBRARYNAME=kleeCore 13 | DONT_BUILD_RELINKED=1 14 | BUILD_ARCHIVE=1 15 | NO_INSTALL=1 16 | 17 | include $(LEVEL)/Makefile.common 18 | -------------------------------------------------------------------------------- /lib/Core/ObjectHolder.h: -------------------------------------------------------------------------------- 1 | //===-- ObjectHolder.h ------------------------------------------*- C++ -*-===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #ifndef KLEE_OBJECTHOLDER_H 11 | #define KLEE_OBJECTHOLDER_H 12 | 13 | namespace klee { 14 | class ObjectState; 15 | 16 | class ObjectHolder { 17 | ObjectState *os; 18 | 19 | public: 20 | ObjectHolder() : os(0) {} 21 | ObjectHolder(ObjectState *_os); 22 | ObjectHolder(const ObjectHolder &b); 23 | ~ObjectHolder(); 24 | 25 | ObjectHolder &operator=(const ObjectHolder &b); 26 | 27 | operator class ObjectState *() { return os; } 28 | operator class ObjectState *() const { return (ObjectState*) os; } 29 | }; 30 | } 31 | 32 | #endif 33 | 34 | -------------------------------------------------------------------------------- /lib/Core/Taint.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | namespace klee 5 | { 6 | TaintSet EMPTYTAINTSET = 0; 7 | 8 | bool hasTaint (TaintSet this_taint, unsigned int bit) 9 | { 10 | assert (bit < SIZEOFTAINT); 11 | return this_taint >> bit & 1; 12 | } 13 | 14 | void addTaint (TaintSet & this_taint, unsigned int bit) 15 | { 16 | assert (bit < SIZEOFTAINT); 17 | this_taint |= 1 << bit; 18 | } 19 | 20 | void delTaint (TaintSet & this_taint, unsigned int bit) 21 | { 22 | assert (bit < SIZEOFTAINT); 23 | this_taint &= ~(1 << bit); 24 | } 25 | 26 | void clearTaint (TaintSet & this_taint) 27 | { 28 | this_taint = 0; 29 | } 30 | 31 | void mergeTaint (TaintSet & this_taint, TaintSet const other_taint) 32 | { 33 | this_taint |= other_taint; 34 | } 35 | /* 36 | void setTaint (TaintSet & this_taint, unsigned int taint const) 37 | { 38 | this_taint = taint; 39 | }; 40 | TaintSet& getTaint (TaintSet & this_taint) 41 | { 42 | return this_taint; 43 | }; 44 | */ 45 | 46 | } 47 | 48 | -------------------------------------------------------------------------------- /lib/Core/UserSearcher.h: -------------------------------------------------------------------------------- 1 | //===-- UserSearcher.h ------------------------------------------*- C++ -*-===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #ifndef KLEE_USERSEARCHER_H 11 | #define KLEE_USERSEARCHER_H 12 | 13 | namespace klee { 14 | class Executor; 15 | class Searcher; 16 | 17 | // XXX gross, should be on demand? 18 | bool userSearcherRequiresMD2U(); 19 | 20 | Searcher *constructUserSearcher(Executor &executor); 21 | } 22 | 23 | #endif 24 | -------------------------------------------------------------------------------- /lib/Expr/Assigment.cpp: -------------------------------------------------------------------------------- 1 | //===-- Assignment.cpp ----------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | #include "klee/util/Assignment.h" 10 | namespace klee { 11 | 12 | void Assignment::dump() { 13 | if (bindings.size() == 0) { 14 | llvm::errs() << "No bindings\n"; 15 | return; 16 | } 17 | for (bindings_ty::iterator i = bindings.begin(), e = bindings.end(); i != e; 18 | ++i) { 19 | llvm::errs() << (*i).first->name << "\n["; 20 | for (int j = 0, k = (*i).second.size(); j < k; ++j) 21 | llvm::errs() << (int)(*i).second[j] << ","; 22 | llvm::errs() << "]\n"; 23 | } 24 | } 25 | } 26 | -------------------------------------------------------------------------------- /lib/Expr/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | klee_add_component(kleaverExpr 10 | ArrayCache.cpp 11 | Assigment.cpp 12 | Constraints.cpp 13 | ExprBuilder.cpp 14 | Expr.cpp 15 | ExprEvaluator.cpp 16 | ExprPPrinter.cpp 17 | ExprSMTLIBPrinter.cpp 18 | ExprUtil.cpp 19 | ExprVisitor.cpp 20 | Lexer.cpp 21 | Parser.cpp 22 | Updates.cpp 23 | ) 24 | 25 | set(LLVM_COMPONENTS 26 | support 27 | ) 28 | klee_get_llvm_libs(LLVM_LIBS ${LLVM_COMPONENTS}) 29 | target_link_libraries(kleaverExpr PUBLIC ${LLVM_LIBS}) 30 | -------------------------------------------------------------------------------- /lib/Expr/Makefile: -------------------------------------------------------------------------------- 1 | #===-- lib/Expr/Makefile -----------------------------------*- Makefile -*--===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | 10 | LEVEL=../.. 11 | 12 | LIBRARYNAME=kleaverExpr 13 | DONT_BUILD_RELINKED=1 14 | BUILD_ARCHIVE=1 15 | NO_INSTALL=1 16 | 17 | include $(LEVEL)/Makefile.common 18 | -------------------------------------------------------------------------------- /lib/Makefile: -------------------------------------------------------------------------------- 1 | #===-- lib/Makefile ----------------------------------------*- Makefile -*--===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | 10 | LEVEL=.. 11 | 12 | PARALLEL_DIRS=Basic Support Expr Solver Module Core 13 | 14 | include $(LEVEL)/Makefile.common 15 | -------------------------------------------------------------------------------- /lib/Module/KInstruction.cpp: -------------------------------------------------------------------------------- 1 | //===-- KInstruction.cpp --------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #include "klee/Internal/Module/KInstruction.h" 11 | 12 | using namespace llvm; 13 | using namespace klee; 14 | 15 | /***/ 16 | 17 | KInstruction::~KInstruction() { 18 | delete[] operands; 19 | } 20 | 21 | void KInstruction::printFileLine(llvm::raw_ostream &debugFile) { 22 | if (info->file != "") 23 | debugFile << info->file << ":" << info->line; 24 | else 25 | debugFile << "[no debug info]"; 26 | } 27 | -------------------------------------------------------------------------------- /lib/Module/Makefile: -------------------------------------------------------------------------------- 1 | #===-- lib/Module/Makefile ---------------------------------*- Makefile -*--===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | 10 | LEVEL=../.. 11 | 12 | LIBRARYNAME=kleeModule 13 | DONT_BUILD_RELINKED=1 14 | BUILD_ARCHIVE=1 15 | NO_INSTALL=1 16 | 17 | include $(LEVEL)/Makefile.common 18 | -------------------------------------------------------------------------------- /lib/README.txt: -------------------------------------------------------------------------------- 1 | The klee and kleaver code is organized as follows: 2 | 3 | lib/Basic - Low level support for both klee and kleaver which should 4 | be independent of LLVM. 5 | 6 | lib/Support - Higher level support, but only used by klee. This can 7 | use LLVM facilities. 8 | 9 | lib/Expr - The core kleaver expression library. 10 | 11 | lib/Solver - The kleaver solver library. 12 | 13 | lib/Module - klee facilities for working with LLVM modules, including 14 | the shadow module/instruction structures we use during 15 | execution. 16 | 17 | lib/Core - The core symbolic virtual machine. 18 | 19 | -------------------------------------------------------------------------------- /lib/Solver/Makefile: -------------------------------------------------------------------------------- 1 | #===-- lib/Solver/Makefile ---------------------------------*- Makefile -*--===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | 10 | LEVEL=../.. 11 | 12 | LIBRARYNAME=kleaverSolver 13 | DONT_BUILD_RELINKED=1 14 | BUILD_ARCHIVE=1 15 | NO_INSTALL=1 16 | 17 | include $(LEVEL)/Makefile.common 18 | 19 | include $(PROJ_SRC_ROOT)/MetaSMT.mk 20 | 21 | -------------------------------------------------------------------------------- /lib/Support/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | klee_add_component(kleeSupport 10 | CompressionStream.cpp 11 | ErrorHandling.cpp 12 | MemoryUsage.cpp 13 | PrintVersion.cpp 14 | RNG.cpp 15 | Time.cpp 16 | Timer.cpp 17 | TreeStream.cpp 18 | ) 19 | 20 | target_link_libraries(kleeSupport PRIVATE ${ZLIB_LIBRARIES}) 21 | 22 | set(LLVM_COMPONENTS 23 | support 24 | ) 25 | klee_get_llvm_libs(LLVM_LIBS ${LLVM_COMPONENTS}) 26 | target_link_libraries(kleeSupport PUBLIC ${LLVM_LIBS}) 27 | -------------------------------------------------------------------------------- /lib/Support/PrintVersion.cpp: -------------------------------------------------------------------------------- 1 | //===-- PrintVersion.cpp --------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #include "klee/Internal/Support/PrintVersion.h" 11 | #include "klee/Config/config.h" 12 | #include "llvm/Support/raw_ostream.h" 13 | #include "llvm/Support/CommandLine.h" 14 | 15 | #include "klee/Config/CompileTimeInfo.h" 16 | 17 | void klee::printVersion() 18 | { 19 | llvm::outs() << PACKAGE_STRING " (" PACKAGE_URL ")\n"; 20 | #ifdef KLEE_ENABLE_TIMESTAMP 21 | llvm::outs() << " Built " __DATE__ " (" __TIME__ ")\n"; 22 | #endif 23 | llvm::outs() << " Build mode: " << KLEE_BUILD_MODE "\n"; 24 | llvm::outs() << " Build revision: "; 25 | #ifdef KLEE_BUILD_REVISION 26 | llvm::outs() << KLEE_BUILD_REVISION "\n"; 27 | #else 28 | llvm::outs() << "unknown\n"; 29 | #endif 30 | // Show LLVM version information 31 | llvm::outs() << "\n"; 32 | llvm::cl::PrintVersionMessage(); 33 | } 34 | -------------------------------------------------------------------------------- /lib/Support/README.txt: -------------------------------------------------------------------------------- 1 | This directory holds basic support facilities (data structures, 2 | utilities, etc.) used by klee. 3 | -------------------------------------------------------------------------------- /lib/Support/Time.cpp: -------------------------------------------------------------------------------- 1 | //===-- Time.cpp ----------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #include "klee/Config/Version.h" 11 | #include "klee/Internal/System/Time.h" 12 | 13 | #include "llvm/Support/TimeValue.h" 14 | #include "llvm/Support/Process.h" 15 | 16 | using namespace llvm; 17 | using namespace klee; 18 | 19 | double util::getUserTime() { 20 | sys::TimeValue now(0,0),user(0,0),sys(0,0); 21 | sys::Process::GetTimeUsage(now,user,sys); 22 | return (user.seconds() + (double) user.nanoseconds() * 1e-9); 23 | } 24 | 25 | double util::getWallTime() { 26 | sys::TimeValue now = getWallTimeVal(); 27 | return (now.seconds() + ((double) now.nanoseconds() * 1e-9)); 28 | } 29 | 30 | sys::TimeValue util::getWallTimeVal() { 31 | return sys::TimeValue::now(); 32 | } 33 | -------------------------------------------------------------------------------- /lib/Support/Timer.cpp: -------------------------------------------------------------------------------- 1 | //===-- Timer.cpp ---------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #include "klee/Config/Version.h" 11 | #include "klee/Internal/Support/Timer.h" 12 | 13 | #include "klee/Internal/System/Time.h" 14 | 15 | using namespace klee; 16 | using namespace llvm; 17 | 18 | WallTimer::WallTimer() { 19 | startMicroseconds = util::getWallTimeVal().usec(); 20 | } 21 | 22 | uint64_t WallTimer::check() { 23 | return util::getWallTimeVal().usec() - startMicroseconds; 24 | } 25 | -------------------------------------------------------------------------------- /runtime/Intrinsic/Makefile: -------------------------------------------------------------------------------- 1 | #===-- runtime/Intrinsic/Makefile --------------------------*- Makefile -*--===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | 10 | LEVEL=../.. 11 | 12 | # Needed for LLVM version 13 | include $(LEVEL)/Makefile.config 14 | 15 | ifeq ($(shell python -c "print($(LLVM_VERSION_MAJOR).$(LLVM_VERSION_MINOR) >= 3.3)"), True) 16 | # For these versions of LLVM KLEE expects kleeRuntimeIntrinsic to be a LLVM module rather than an archive 17 | MODULE_NAME=kleeRuntimeIntrinsic 18 | else 19 | # KLEE built against older versions of LLVM expects a library archive instead 20 | BYTECODE_LIBRARY=1 21 | LIBRARYNAME=kleeRuntimeIntrinsic 22 | endif 23 | 24 | DONT_BUILD_RELINKED=1 25 | # Don't strip debug info from the module. 26 | DEBUG_RUNTIME=1 27 | NO_PEDANTIC=1 28 | NO_BUILD_ARCHIVE=1 29 | 30 | C.Flags += -fno-builtin 31 | 32 | include $(LEVEL)/Makefile.common 33 | -------------------------------------------------------------------------------- /runtime/Intrinsic/Makefile.cmake.bitcode: -------------------------------------------------------------------------------- 1 | #===--------------------------------------------------------*- Makefile -*--===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | LEVEL := ../ 10 | 11 | include $(LEVEL)/Makefile.cmake.bitcode.config 12 | 13 | LLVMCC.Flags += -fno-builtin 14 | 15 | # FIXME: This is a horrible hack 16 | ifeq ($(USE_MODULE_INSTEAD_OF_BCA),1) 17 | MODULE_NAME=kleeRuntimeIntrinsic 18 | else 19 | ARCHIVE_NAME=kleeRuntimeIntrinsic 20 | endif 21 | 22 | include $(LEVEL)/Makefile.cmake.bitcode.rules 23 | -------------------------------------------------------------------------------- /runtime/Intrinsic/klee_div_zero_check.c: -------------------------------------------------------------------------------- 1 | //===-- klee_div_zero_check.c ---------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #include 11 | 12 | void klee_div_zero_check(long long z) { 13 | if (z == 0) 14 | klee_report_error(__FILE__, __LINE__, "divide by zero", "div.err"); 15 | } 16 | -------------------------------------------------------------------------------- /runtime/Intrinsic/klee_int.c: -------------------------------------------------------------------------------- 1 | //===-- klee_int.c --------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #include 11 | #include "klee/klee.h" 12 | 13 | int klee_int(const char *name) { 14 | int x; 15 | klee_make_symbolic(&x, sizeof x, name); 16 | return x; 17 | } 18 | -------------------------------------------------------------------------------- /runtime/Intrinsic/klee_overshift_check.c: -------------------------------------------------------------------------------- 1 | //===-- klee_overshift_check.c ---------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #include 11 | 12 | /* This instrumentation call is used to check for overshifting. 13 | * If we do try to do x << y or x >> y 14 | * where 15 | * bitWidth = sizeof(x)*8 16 | * shift = y 17 | * 18 | * then we can detect overshifting (which has undefined behaviour). 19 | */ 20 | void klee_overshift_check(unsigned long long bitWidth, unsigned long long shift) { 21 | if (shift >= bitWidth) { 22 | /* Maybe we shouldn't throw an error because 23 | * overshifting can be non-fatal? Perhaps 24 | * we should generate a test case but carry 25 | * on executing the state with a warning? 26 | */ 27 | klee_report_error("IGNORED", 0 /*Ignored */, "overshift error", "overshift.err"); 28 | } 29 | } 30 | 31 | 32 | -------------------------------------------------------------------------------- /runtime/Intrinsic/klee_range.c: -------------------------------------------------------------------------------- 1 | //===-- klee_range.c ------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #include 11 | #include 12 | 13 | int klee_range(int start, int end, const char* name) { 14 | int x; 15 | 16 | if (start >= end) 17 | klee_report_error(__FILE__, __LINE__, "invalid range", "user"); 18 | 19 | if (start+1==end) { 20 | return start; 21 | } else { 22 | klee_make_symbolic(&x, sizeof x, name); 23 | 24 | /* Make nicer constraint when simple... */ 25 | if (start==0) { 26 | klee_assume((unsigned) x < (unsigned) end); 27 | } else { 28 | klee_assume(start <= x); 29 | klee_assume(x < end); 30 | } 31 | 32 | return x; 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /runtime/Intrinsic/memcpy.c: -------------------------------------------------------------------------------- 1 | //===-- memcpy.c ----------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #include 11 | 12 | __attribute__((weak)) void *memcpy(void *destaddr, void const *srcaddr, size_t len) { 13 | char *dest = destaddr; 14 | char const *src = srcaddr; 15 | 16 | while (len-- > 0) 17 | *dest++ = *src++; 18 | return destaddr; 19 | } 20 | -------------------------------------------------------------------------------- /runtime/Intrinsic/memmove.c: -------------------------------------------------------------------------------- 1 | //===-- memmove.c ---------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #include 11 | 12 | __attribute__((weak)) void *memmove(void *dst, const void *src, size_t count) { 13 | char *a = dst; 14 | const char *b = src; 15 | 16 | if (src == dst) 17 | return dst; 18 | 19 | if (src>dst) { 20 | while (count--) *a++ = *b++; 21 | } else { 22 | a+=count-1; 23 | b+=count-1; 24 | while (count--) *a-- = *b--; 25 | } 26 | 27 | return dst; 28 | } 29 | -------------------------------------------------------------------------------- /runtime/Intrinsic/mempcpy.c: -------------------------------------------------------------------------------- 1 | //===-- mempcpy.c ---------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #include 11 | __attribute__((weak)) void *mempcpy(void *destaddr, void const *srcaddr, size_t len) { 12 | char *dest = destaddr; 13 | char const *src = srcaddr; 14 | 15 | while (len-- > 0) 16 | *dest++ = *src++; 17 | return dest; 18 | } 19 | -------------------------------------------------------------------------------- /runtime/Intrinsic/memset.c: -------------------------------------------------------------------------------- 1 | //===-- memset.c ----------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #include 11 | __attribute__ ((weak)) void *memset(void * dst, int s, size_t count) { 12 | volatile char * a = dst; 13 | while (count-- > 0) 14 | *a++ = s; 15 | return dst; 16 | } 17 | -------------------------------------------------------------------------------- /runtime/Makefile: -------------------------------------------------------------------------------- 1 | #===-- runtime/Makefile ------------------------------------*- Makefile -*--===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | 10 | # 11 | # Relative path to the top of the source tree. 12 | # 13 | LEVEL=.. 14 | 15 | # 16 | # List all of the subdirectories that we will compile. 17 | # 18 | PARALLEL_DIRS=Intrinsic klee-libc Runtest 19 | 20 | include $(LEVEL)/Makefile.config 21 | 22 | ifeq ($(ENABLE_POSIX_RUNTIME),1) 23 | PARALLEL_DIRS += POSIX 24 | endif 25 | 26 | ifeq ($(ENABLE_UCLIBC),1) 27 | PARALLEL_DIRS += klee-uclibc 28 | endif 29 | 30 | include $(LEVEL)/Makefile.common 31 | -------------------------------------------------------------------------------- /runtime/Makefile.cmake.bitcode: -------------------------------------------------------------------------------- 1 | #===--------------------------------------------------------*- Makefile -*--===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | LEVEL := ./ 10 | include $(LEVEL)/Makefile.cmake.bitcode.config 11 | 12 | DIRS += Intrinsic 13 | DIRS += klee-libc 14 | ifneq ($(ENABLE_POSIX_RUNTIME),0) 15 | DIRS += POSIX 16 | endif 17 | 18 | include $(LEVEL)/Makefile.cmake.bitcode.rules 19 | -------------------------------------------------------------------------------- /runtime/POSIX/Makefile: -------------------------------------------------------------------------------- 1 | #===-- runtime/POSIX/Makefile ------------------------------*- Makefile -*--===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | 10 | LEVEL=../.. 11 | 12 | LIBRARYNAME=kleeRuntimePOSIX 13 | DONT_BUILD_RELINKED=1 14 | BYTECODE_LIBRARY=1 15 | # Don't strip debug info from the module. 16 | DEBUG_RUNTIME=1 17 | NO_PEDANTIC=1 18 | NO_BUILD_ARCHIVE=1 19 | 20 | include $(LEVEL)/Makefile.common 21 | -------------------------------------------------------------------------------- /runtime/POSIX/Makefile.cmake.bitcode: -------------------------------------------------------------------------------- 1 | #===--------------------------------------------------------*- Makefile -*--===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | LEVEL := ../ 10 | 11 | include $(LEVEL)/Makefile.cmake.bitcode.config 12 | 13 | ARCHIVE_NAME=kleeRuntimePOSIX 14 | 15 | include $(LEVEL)/Makefile.cmake.bitcode.rules 16 | -------------------------------------------------------------------------------- /runtime/Runtest/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | 10 | add_library(kleeRuntest SHARED 11 | intrinsics.c 12 | # HACK: 13 | ${CMAKE_SOURCE_DIR}/lib/Basic/KTest.cpp 14 | ) 15 | # Increment version appropriately if ABI/API changes, more details: 16 | # http://tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html#AEN135 17 | set(KLEE_RUNTEST_VERSION 1.0) 18 | set_target_properties(kleeRuntest 19 | PROPERTIES 20 | VERSION ${KLEE_RUNTEST_VERSION} 21 | SOVERSION ${KLEE_RUNTEST_VERSION} 22 | ) 23 | 24 | install(TARGETS kleeRuntest 25 | DESTINATION "${CMAKE_INSTALL_FULL_LIBDIR}") 26 | -------------------------------------------------------------------------------- /runtime/klee-libc/Makefile: -------------------------------------------------------------------------------- 1 | #===-- runtime/klee-libc/Makefile --------------------------*- Makefile -*--===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | 10 | LEVEL=../.. 11 | 12 | # Needed for LLVM version 13 | include $(LEVEL)/Makefile.config 14 | 15 | ifeq ($(shell python -c "print($(LLVM_VERSION_MAJOR).$(LLVM_VERSION_MINOR) >= 3.3)"), True) 16 | # For these versions of LLVM KLEE expects klee-libc to be a LLVM module rather than an archive 17 | MODULE_NAME=klee-libc 18 | else 19 | # KLEE built against older versions of LLVM expect a library archive instead 20 | BYTECODE_LIBRARY=1 21 | LIBRARYNAME=klee-libc 22 | endif 23 | 24 | #DONT_BUILD_RELINKED=1 25 | # Don't strip debug info from the module. 26 | DEBUG_RUNTIME=1 27 | #NO_PEDANTIC=1 28 | NO_BUILD_ARCHIVE=1 29 | 30 | # Add __NO_INLINE__ to prevent glibc from using inline definitions of some 31 | # builtins. 32 | C.Flags += -D__NO_INLINE__ 33 | 34 | include $(LEVEL)/Makefile.common 35 | -------------------------------------------------------------------------------- /runtime/klee-libc/Makefile.cmake.bitcode: -------------------------------------------------------------------------------- 1 | #===--------------------------------------------------------*- Makefile -*--===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | LEVEL := ../ 10 | 11 | include $(LEVEL)/Makefile.cmake.bitcode.config 12 | 13 | # Prevent glibc from inlining some definitions 14 | # of builtins 15 | LLVMCC.Flags += -D__NO_INLINE__ 16 | 17 | # FIXME: This is a horrible hack 18 | ifeq ($(USE_MODULE_INSTEAD_OF_BCA),1) 19 | MODULE_NAME=klee-libc 20 | else 21 | ARCHIVE_NAME=klee-libc 22 | endif 23 | 24 | include $(LEVEL)/Makefile.cmake.bitcode.rules 25 | -------------------------------------------------------------------------------- /runtime/klee-libc/abort.c: -------------------------------------------------------------------------------- 1 | /*===-- abort.c -----------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | #include 11 | 12 | #include "klee/klee.h" 13 | 14 | void abort(void) { 15 | klee_abort(); 16 | } 17 | -------------------------------------------------------------------------------- /runtime/klee-libc/atexit.c: -------------------------------------------------------------------------------- 1 | /*==-- atexit.c ----------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | int __cxa_atexit(void (*fn)(void*), 11 | void *arg, 12 | void *dso_handle); 13 | 14 | int atexit(void (*fn)(void)) { 15 | return __cxa_atexit((void(*)(void*)) fn, 0, 0); 16 | } 17 | -------------------------------------------------------------------------------- /runtime/klee-libc/klee-choose.c: -------------------------------------------------------------------------------- 1 | /*===-- klee-choose.c -----------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | #include "klee/klee.h" 11 | 12 | uintptr_t klee_choose(uintptr_t n) { 13 | uintptr_t x; 14 | klee_make_symbolic(&x, sizeof x, "klee_choose"); 15 | 16 | /* NB: this will *not* work if they don't compare to n values. */ 17 | if(x >= n) 18 | klee_silent_exit(0); 19 | return x; 20 | } 21 | -------------------------------------------------------------------------------- /runtime/klee-libc/memcpy.c: -------------------------------------------------------------------------------- 1 | /*===-- memcpy.c ----------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | #include 11 | 12 | void *memcpy(void *destaddr, void const *srcaddr, size_t len) { 13 | char *dest = destaddr; 14 | char const *src = srcaddr; 15 | 16 | while (len-- > 0) 17 | *dest++ = *src++; 18 | return destaddr; 19 | } 20 | -------------------------------------------------------------------------------- /runtime/klee-libc/memmove.c: -------------------------------------------------------------------------------- 1 | /*===-- memmove.c ---------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | #include 11 | 12 | void *memmove(void *dst, const void *src, size_t count) { 13 | char *a = dst; 14 | const char *b = src; 15 | 16 | if (src == dst) 17 | return dst; 18 | 19 | if (src>dst) { 20 | while (count--) *a++ = *b++; 21 | } else { 22 | a+=count-1; 23 | b+=count-1; 24 | while (count--) *a-- = *b--; 25 | } 26 | 27 | return dst; 28 | } 29 | -------------------------------------------------------------------------------- /runtime/klee-libc/mempcpy.c: -------------------------------------------------------------------------------- 1 | /*===-- mempcpy.c ---------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | #include 11 | 12 | void *mempcpy(void *destaddr, void const *srcaddr, size_t len) { 13 | char *dest = destaddr; 14 | char const *src = srcaddr; 15 | 16 | while (len-- > 0) 17 | *dest++ = *src++; 18 | return dest; 19 | } 20 | -------------------------------------------------------------------------------- /runtime/klee-libc/memset.c: -------------------------------------------------------------------------------- 1 | /*===-- memset.c ----------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | #include 11 | 12 | void *memset(void * dst, int s, size_t count) { 13 | char * a = dst; 14 | while (count-- > 0) 15 | *a++ = s; 16 | return dst; 17 | } 18 | -------------------------------------------------------------------------------- /runtime/klee-libc/putchar.c: -------------------------------------------------------------------------------- 1 | /*===-- putchar.c ---------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | #include 11 | #include 12 | 13 | /* Some header may #define putchar. */ 14 | #undef putchar 15 | 16 | int putchar(int c) { 17 | char x = c; 18 | if (1 == write(1, &x, 1)) 19 | return c; 20 | return EOF; 21 | } 22 | -------------------------------------------------------------------------------- /runtime/klee-libc/strchr.c: -------------------------------------------------------------------------------- 1 | /*===-- strchr.c ----------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | char *strchr(const char *p, int ch) { 11 | char c; 12 | 13 | c = ch; 14 | for (;; ++p) { 15 | if (*p == c) { 16 | return ((char *)p); 17 | } else if (*p == '\0') { 18 | return 0; 19 | } 20 | } 21 | /* NOTREACHED */ 22 | return 0; 23 | } 24 | -------------------------------------------------------------------------------- /runtime/klee-libc/strcmp.c: -------------------------------------------------------------------------------- 1 | /*===-- strcmp.c ----------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | int strcmp(const char *a, const char *b) { 11 | while (*a && *a == *b) 12 | ++a, ++b; 13 | return *a - *b; 14 | } 15 | -------------------------------------------------------------------------------- /runtime/klee-libc/strcoll.c: -------------------------------------------------------------------------------- 1 | /*===-- strcoll.c ---------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | #include 11 | 12 | /* according to the manpage, this is equiv in the POSIX/C locale. */ 13 | int strcoll(const char *s1, const char *s2) { 14 | return strcmp(s1,s2); 15 | } 16 | -------------------------------------------------------------------------------- /runtime/klee-libc/strcpy.c: -------------------------------------------------------------------------------- 1 | /*===-- strcpy.c ----------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | char *strcpy(char *to, const char *from) { 11 | char *start = to; 12 | 13 | while ((*to = *from)) 14 | ++to, ++from; 15 | 16 | return start; 17 | } 18 | -------------------------------------------------------------------------------- /runtime/klee-libc/strlen.c: -------------------------------------------------------------------------------- 1 | /*===-- strlen.c ----------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | #include 11 | 12 | size_t strlen(const char *str) { 13 | const char *s = str; 14 | while (*s) 15 | ++s; 16 | return s - str; 17 | } 18 | -------------------------------------------------------------------------------- /runtime/klee-libc/strrchr.c: -------------------------------------------------------------------------------- 1 | /*===-- strrchr.c ---------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | #include 11 | 12 | char *strrchr(const char *t, int c) { 13 | char ch; 14 | const char *l=0; 15 | 16 | ch = c; 17 | for (;;) { 18 | if (*t == ch) l=t; if (!*t) return (char*)l; ++t; 19 | } 20 | return (char*)l; 21 | } 22 | -------------------------------------------------------------------------------- /runtime/klee-libc/tolower.c: -------------------------------------------------------------------------------- 1 | /*===-- tolower.c ---------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | int tolower(int ch) { 11 | if ( (unsigned int)(ch - 'A') < 26u ) 12 | ch -= 'A' - 'a'; 13 | return ch; 14 | } 15 | -------------------------------------------------------------------------------- /runtime/klee-libc/toupper.c: -------------------------------------------------------------------------------- 1 | /*===-- toupper.c ---------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | int toupper(int ch) { 11 | if ( (unsigned int)(ch - 'a') < 26u ) 12 | ch += 'A' - 'a'; 13 | return ch; 14 | } 15 | -------------------------------------------------------------------------------- /scripts/genTempFiles.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # ===-- genTempFiles.sh ---------------------------------------------------===## 4 | # 5 | # The KLEE Symbolic Virtual Machine 6 | # 7 | # This file is distributed under the University of Illinois Open Source 8 | # License. See LICENSE.TXT for details. 9 | # 10 | # ===----------------------------------------------------------------------===## 11 | 12 | if [ -z "$1" ] ; then 13 | echo "No directory given" 14 | exit 1 15 | fi 16 | 17 | mkdir -p $1 18 | for i in `seq 1 100`; do 19 | mkdir -p $1/dir_foo_$i 20 | touch $1/tmp_foo_$i 21 | done 22 | -------------------------------------------------------------------------------- /test/CXX/ArrayNew.cpp: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgxx %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --no-output --exit-on-error --no-externals %t1.bc 4 | 5 | #include 6 | 7 | static int decon = 0; 8 | 9 | class Test { 10 | int x; 11 | 12 | public: 13 | Test() {} 14 | Test(int _x) : x(_x) { } 15 | ~Test() { decon += x; } 16 | 17 | int getX() { return x; } 18 | void setX(int _x) { x = _x; } 19 | }; 20 | 21 | int main(int argc) { 22 | Test *rt = new Test[4]; 23 | int i; 24 | 25 | for (i=0; i<4; i++) 26 | rt[i].setX(i+1); 27 | 28 | int sum = 0; 29 | for (i=0; i<4; i++) 30 | sum += rt[i].getX(); 31 | 32 | assert(sum==10); 33 | 34 | delete[] rt; 35 | 36 | assert(decon==10); 37 | 38 | return 0; 39 | } 40 | -------------------------------------------------------------------------------- /test/CXX/New.cpp: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgxx %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --no-output --exit-on-error --no-externals %t1.bc 4 | 5 | #include 6 | 7 | class Test { 8 | int x; 9 | 10 | public: 11 | Test(int _x) : x(_x) { 12 | } 13 | ~Test() { 14 | } 15 | 16 | int getX() { return x; } 17 | }; 18 | 19 | // This doesn't do what I want because 20 | // it is being changed to alloca, but 21 | // it is also failing. 22 | int main(int argc) { 23 | Test *rt = new Test(2); 24 | 25 | assert(rt->getX()==2); 26 | 27 | delete rt; 28 | 29 | return 0; 30 | } 31 | -------------------------------------------------------------------------------- /test/CXX/SimpleVirtual.cpp: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgxx %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --no-output --exit-on-error --no-externals %t1.bc 4 | 5 | #include 6 | 7 | static int decon = 0; 8 | 9 | class Thing { 10 | public: 11 | Thing() {} 12 | virtual ~Thing() { decon += getX(); } 13 | 14 | virtual int getX() { return 1; }; 15 | }; 16 | 17 | class Thing2 : public Thing { 18 | public: 19 | virtual int getX() { return 2; }; 20 | }; 21 | 22 | Thing *getThing(bool which) { 23 | return which ? new Thing() : new Thing2(); 24 | } 25 | 26 | int main(int argc) { 27 | Thing *one = getThing(false); 28 | Thing *two = getThing(true); 29 | 30 | int x = one->getX() + two->getX(); 31 | assert(x==3); 32 | 33 | delete two; 34 | delete one; 35 | 36 | assert(decon==2); 37 | 38 | return 0; 39 | } 40 | -------------------------------------------------------------------------------- /test/CXX/StaticConstructor.cpp: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgxx %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --libc=klee --no-output --exit-on-error %t1.bc 4 | 5 | #include 6 | 7 | // to make sure globals are initialized 8 | int aGlobal = 21; 9 | 10 | class Test { 11 | int x; 12 | 13 | public: 14 | Test() : x(aGlobal + 1) {} 15 | ~Test() {} 16 | 17 | int getX() { return x; } 18 | }; 19 | 20 | Test t; 21 | 22 | int main() { 23 | assert(t.getX()==22); 24 | 25 | return 0; 26 | } 27 | -------------------------------------------------------------------------------- /test/CXX/StaticDestructor.cpp: -------------------------------------------------------------------------------- 1 | // don't optimize this, llvm likes to turn the *p into unreachable 2 | 3 | // RUN: %llvmgxx %s -emit-llvm -g -O0 -c -o %t1.bc 4 | // RUN: rm -rf %t.klee-out 5 | // RUN: %klee --output-dir=%t.klee-out --optimize=false --libc=klee --no-output %t1.bc 2> %t1.log 6 | // RUN: grep ":17: memory error" %t1.log 7 | 8 | #include 9 | 10 | class Test { 11 | int *p; 12 | 13 | public: 14 | Test() : p(0) {} 15 | ~Test() { 16 | assert(!p); 17 | assert(*p == 10); // crash here 18 | } 19 | }; 20 | 21 | Test t; 22 | 23 | int main(int argc, char** argv) { 24 | return 0; 25 | } 26 | -------------------------------------------------------------------------------- /test/CXX/Trivial.cpp: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgxx %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --no-output --exit-on-error %t1.bc 4 | 5 | #include 6 | 7 | class Test { 8 | int x; 9 | 10 | public: 11 | Test(int _x) : x(_x) {} 12 | ~Test() {} 13 | 14 | int getX() { return x; } 15 | }; 16 | 17 | int main() { 18 | Test rt(2); 19 | 20 | assert(rt.getX()==2); 21 | 22 | return 0; 23 | } 24 | -------------------------------------------------------------------------------- /test/Concrete/BitwiseOps.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | declare void @print_i32(i32) 4 | 5 | define i32 @main() { 6 | %a = or i32 12345678, 87654321 7 | %b = and i32 %a, 87654321 8 | %check = xor i32 %b, 87654321 9 | %test = icmp eq i32 %check, 0 10 | br i1 %test, label %exitTrue, label %exitFalse 11 | exitTrue: 12 | call void @print_i32(i32 1) 13 | ret i32 0 14 | exitFalse: 15 | call void @print_i32(i32 0) 16 | ret i32 0 17 | } 18 | -------------------------------------------------------------------------------- /test/Concrete/BoolReadWrite.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | declare void @print_i1(i1) 4 | 5 | define i32 @main() { 6 | %mem = alloca i1 7 | store i1 1, i1* %mem 8 | %v = load i1* %mem 9 | br i1 %v, label %ok, label %exit 10 | ok: 11 | call void @print_i1(i1 %v) 12 | br label %exit 13 | exit: 14 | ret i32 0 15 | } 16 | -------------------------------------------------------------------------------- /test/Concrete/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | configure_file(Makefile.cmake.test.in Makefile.cmake.test @ONLY) 10 | -------------------------------------------------------------------------------- /test/Concrete/Casts.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | declare void @print_i32(i32) 4 | 5 | define i32 @main() { 6 | entry: 7 | %a = add i32 315904, 128 8 | %b = trunc i32 %a to i8 9 | %c0 = icmp eq i8 %b, 128 10 | %d = zext i8 %b to i32 11 | %c1 = icmp eq i32 %d, 128 12 | %e = sext i8 %b to i32 13 | %c2 = icmp eq i32 %e, -128 14 | %c0i = zext i1 %c0 to i32 15 | %c1i = zext i1 %c1 to i32 16 | %c2i = zext i1 %c2 to i32 17 | %c0is = shl i32 %c0i, 0 18 | %c1is = shl i32 %c1i, 1 19 | %c2is = shl i32 %c2i, 2 20 | %tmp = add i32 %c0is, %c1is 21 | %res = add i32 %tmp, %c2is 22 | %p = icmp eq i32 %res, 7 23 | br i1 %p, label %exitTrue, label %exitFalse 24 | exitTrue: 25 | call void @print_i32(i32 1) 26 | ret i32 0 27 | exitFalse: 28 | call void @print_i32(i32 0) 29 | ret i32 0 30 | } 31 | -------------------------------------------------------------------------------- /test/Concrete/CmpEq.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | declare void @print_i32(i32) 4 | 5 | define i32 @main() { 6 | %a = add i8 0, 1 7 | %b = add i8 %a, -1 8 | %c = icmp eq i8 %b, 0 9 | br i1 %c, label %exitTrue, label %exitFalse 10 | exitTrue: 11 | call void @print_i32(i32 1) 12 | ret i32 0 13 | exitFalse: 14 | call void @print_i32(i32 0) 15 | ret i32 0 16 | } 17 | -------------------------------------------------------------------------------- /test/Concrete/GlobalUndef.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | target datalayout = 4 | "e-p:64:64:64-i1:8:8-i8:8:8-i16:16:16-i32:32:32-i64:64:64-f32:32:32-f64:64:64-v64:64:64-v128:128:128-a0:0:64-s0:64:64-f80:128:128-n8:16:32:64-S128" 5 | target triple = "x86_64-unknown-linux-gnu" 6 | 7 | %struct.anon = type { i8, [3 x i8] } 8 | 9 | @z = global %struct.anon { i8 1, [3 x i8] undef }, align 4 10 | 11 | define i32 @main() nounwind { 12 | entry: 13 | %retval = alloca i32, align 4 14 | store i32 0, i32* %retval 15 | ret i32 0 16 | } 17 | -------------------------------------------------------------------------------- /test/Concrete/GlobalVariable.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | declare void @print_i32(i32) 4 | 5 | @anInt = global i32 1 6 | @aRef = global i32* @anInt 7 | 8 | define i32 @main() { 9 | call void @print_i32(i32 0) 10 | ret i32 0 11 | } 12 | -------------------------------------------------------------------------------- /test/Concrete/OneCall.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | declare void @print_i32(i32) 4 | 5 | define i32 @sum(i32 %a, i32 %b) { 6 | %c = sub i32 %a, %b 7 | ret i32 %c 8 | } 9 | 10 | define i32 @main() { 11 | %a = call i32 @sum(i32 54, i32 2) 12 | call void @print_i32(i32 %a) 13 | ret i32 0 14 | } 15 | -------------------------------------------------------------------------------- /test/Concrete/OverlappingPhiNodes.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | declare void @print_i32(i32) 4 | 5 | define i32 @main() { 6 | entry: 7 | br label %test 8 | test: 9 | %a = phi i32 [10, %entry], [%b, %test] 10 | %b = phi i32 [20, %entry], [%a, %test] 11 | %c = phi i32 [0, %entry], [1, %test] 12 | %d = icmp eq i32 %c, 1 13 | br i1 %d, label %exit, label %test 14 | exit: 15 | call void @print_i32(i32 %b) 16 | ret i32 0 17 | } 18 | -------------------------------------------------------------------------------- /test/Concrete/README.txt: -------------------------------------------------------------------------------- 1 | This directory contains tests which exist just to test the execution of Concrete 2 | code paths -- essentially, that we correctly implement the semantics of the LLVM 3 | IR language. The tests are run using a helper script ``ConcreteTest.py`` which 4 | builds the test bitcode, executes it using both ``lli`` and ``klee``, and checks 5 | that they got the same output. -------------------------------------------------------------------------------- /test/Concrete/Select.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | declare void @print_i32(i32) 4 | 5 | define i32 @main() { 6 | %ten = select i1 true, i32 10, i32 0 7 | %five = select i1 false, i32 0, i32 5 8 | %check = add i32 %ten, %five 9 | %test = icmp eq i32 %check, 15 10 | br i1 %test, label %exitTrue, label %exitFalse 11 | exitTrue: 12 | call void @print_i32(i32 1) 13 | ret i32 0 14 | exitFalse: 15 | call void @print_i32(i32 0) 16 | ret i32 0 17 | } 18 | -------------------------------------------------------------------------------- /test/Concrete/Shifts.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | declare void @print_i32(i32) 4 | 5 | define i32 @main() { 6 | %amt = add i8 2, 5 7 | %a = shl i8 1, 5 8 | %b = lshr i8 %a, 5 9 | %c = shl i8 %b, %amt 10 | %d = lshr i8 %c, %amt 11 | %e = shl i8 %d, 7 12 | %f = ashr i8 %e, 7 13 | %g = shl i8 %f, %amt 14 | %h = ashr i8 %g, %amt 15 | %test = icmp eq i8 %h, -1 16 | br i1 %test, label %exitTrue, label %exitFalse 17 | exitTrue: 18 | call void @print_i32(i32 1) 19 | ret i32 0 20 | exitFalse: 21 | call void @print_i32(i32 0) 22 | ret i32 0 23 | } 24 | -------------------------------------------------------------------------------- /test/Concrete/SimpleStoreAndLoad.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | declare void @print_i32(i32) 4 | 5 | define i32 @main() { 6 | entry: 7 | %a = alloca i32, i32 4 8 | %tmp1 = getelementptr i32* %a, i32 0 9 | store i32 0, i32* %tmp1 10 | %tmp2 = load i32* %tmp1 11 | %tmp3 = icmp eq i32 %tmp2, 0 12 | br i1 %tmp3, label %exitTrue, label %exitFalse 13 | exitTrue: 14 | call void @print_i32(i32 1) 15 | ret i32 0 16 | exitFalse: 17 | call void @print_i32(i32 0) 18 | ret i32 0 19 | } 20 | -------------------------------------------------------------------------------- /test/Concrete/UnconditionalBranch.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | declare void @print_i32(i32) 4 | 5 | define i32 @main() { 6 | entry: 7 | %a = add i32 0, 1 8 | br label %exit 9 | exit: 10 | call void @print_i32(i32 %a) 11 | ret i32 0 12 | } 13 | -------------------------------------------------------------------------------- /test/Concrete/UnconditionalBranchWithSimplePhi.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | declare void @print_i32(i32) 4 | 5 | define i32 @main() { 6 | entry: 7 | %a = add i32 0, 1 8 | br label %exit 9 | unused: 10 | %b = add i32 1, 2 11 | br label %exit 12 | exit: 13 | %c = phi i32 [%a, %entry], [%b, %unused] 14 | call void @print_i32(i32 %c) 15 | ret i32 0 16 | } 17 | -------------------------------------------------------------------------------- /test/Concrete/UnorderedPhiNodes.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | declare void @print_i32(i32) 4 | 5 | define i32 @main() { 6 | entry: 7 | br label %test 8 | test: 9 | %a = phi i32 [10, %entry], [%b, %test] 10 | %b = phi i32 [%a, %test], [20, %entry] 11 | %c = phi i32 [0, %entry], [1, %test] 12 | %d = icmp eq i32 %c, 1 13 | br i1 %d, label %exit, label %test 14 | exit: 15 | call void @print_i32(i32 %b) 16 | ret i32 0 17 | } 18 | -------------------------------------------------------------------------------- /test/Concrete/ackermann.c: -------------------------------------------------------------------------------- 1 | // RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | #include 4 | 5 | int ackermann(int m, int n) { 6 | if (m == 0) 7 | return n+1; 8 | else 9 | return ackermann(m-1, (n==0) ? 1 : ackermann(m, n-1)); 10 | } 11 | 12 | int main() { 13 | printf("ackerman(%d, %d) = %d\n", 2, 2, ackermann(2, 2)); 14 | 15 | return 0; 16 | } 17 | -------------------------------------------------------------------------------- /test/Coverage/ReadArgs.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: echo " --output-dir=%t.klee-out " > %t1.args 4 | // RUN: %klee @%t1.args %t1.bc 5 | // RUN: test -d %t.klee-out 6 | 7 | int main() { 8 | return 0; 9 | } 10 | -------------------------------------------------------------------------------- /test/Coverage/ReplayOutDir.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t1.out %t1.replay 3 | // RUN: %klee --output-dir=%t1.out %t1.bc 4 | // RUN: %klee --output-dir=%t1.replay --replay-ktest-dir=%t1.out %t1.bc 5 | 6 | int main() { 7 | int i; 8 | klee_make_symbolic(&i, sizeof i, "i"); 9 | klee_print_range("i", i); 10 | return 0; 11 | } 12 | -------------------------------------------------------------------------------- /test/Expr/Evaluate.kquery: -------------------------------------------------------------------------------- 1 | # RUN: %kleaver -evaluate %s > %t.log 2 | 3 | array arr0[4] : w32 -> w8 = symbolic 4 | array arr1[8] : w32 -> w8 = symbolic 5 | 6 | # RUN: grep "Query 0: INVALID" %t.log 7 | # Query 0 8 | (query [] (Not (Ult (ReadLSB w32 0 arr0) 9 | 16))) 10 | 11 | # RUN: grep "Query 1: VALID" %t.log 12 | # Query 1 13 | (query [(Eq N0:(ReadLSB w32 0 arr1) 10) 14 | (Eq N1:(ReadLSB w32 4 arr1) 20)] 15 | (Eq (Add w32 N0 N1) 16 | 30)) 17 | 18 | # RUN: grep "Query 2: VALID" %t.log 19 | # Query 2 20 | array hello[4] : w32 -> w8 = [ 1 2 3 5 ] 21 | (query [] (Eq (Add w8 (Read w8 0 hello) 22 | (Read w8 3 hello)) 23 | 6)) 24 | 25 | # RUN: grep "Query 3: VALID" %t.log 26 | # Query 2 27 | (query [] (Eq (Not w8 (Read w8 0 arr1)) 28 | (Xor w8 (Read w8 0 arr1) 0xff))) 29 | -------------------------------------------------------------------------------- /test/Expr/Evaluate2.kquery: -------------------------------------------------------------------------------- 1 | # RUN: %kleaver -evaluate %s > %t.log 2 | 3 | # RUN: grep "Query 0: VALID" %t.log 4 | # XFAIL: * 5 | (query [false] false) 6 | -------------------------------------------------------------------------------- /test/Expr/Parser/Concat64.kquery: -------------------------------------------------------------------------------- 1 | # RUN: kleaver --print-ast %s 2 | 3 | array arr1[8] : w32 -> w8 = symbolic 4 | (query [(Eq 0 5 | (Concat w64 (Read w8 7 arr1) 6 | (Concat w56 (Read w8 6 arr1) 7 | (Concat w48 (Read w8 5 arr1) 8 | (Concat w40 (Read w8 4 arr1) 9 | (Concat w32 (Read w8 3 arr1) 10 | (Concat w24 (Read w8 2 arr1) 11 | (Concat w16 (Read w8 1 arr1) (Read w8 0 arr1)))))))))] 12 | false) 13 | -------------------------------------------------------------------------------- /test/Expr/Parser/MultiByteReads.kquery: -------------------------------------------------------------------------------- 1 | # RUN: %kleaver -print-ast -pc-multibyte-reads=true %s > %t.log 2 | # RUN: grep -q "(ReadLSB w32 4 arr1)" %t.log 3 | # RUN: grep -q "(ReadMSB w32 2 arr2)" %t.log 4 | 5 | array arr1[8] : w32 -> w8 = symbolic 6 | array arr2[8] : w32 -> w8 = symbolic 7 | 8 | (query [(Not (Slt 100 9 | (Concat w32 (Read w8 7 arr1) 10 | (Concat w24 (Read w8 6 arr1) 11 | (Concat w16 (Read w8 5 arr1) (Read w8 4 arr1))))))] 12 | false) 13 | 14 | 15 | (query [(Not (Slt 100 16 | (Concat w32 (Read w8 2 arr2) 17 | (Concat w24 (Read w8 3 arr2) 18 | (Concat w16 (Read w8 4 arr2) (Read w8 5 arr2))))))] 19 | false) 20 | 21 | -------------------------------------------------------------------------------- /test/Expr/Parser/TypeChecking.kquery: -------------------------------------------------------------------------------- 1 | # RUN: not %kleaver %s 2> %t.log 2 | 3 | 4 | 5 | # RUN: grep "TypeChecking.kquery:7:9: error: type widths do not match in binary expression" %t.log 6 | array arr1[8] : w32 -> w8 = symbolic 7 | (query [(Eq (ReadLSB w32 0 arr1) true)] 8 | false) 9 | 10 | # RUN: grep "TypeChecking.kquery:14:25: error: invalid write index (doesn't match array domain)" %t.log 11 | # RUN: grep "TypeChecking.kquery:14:35: error: invalid write value (doesn't match array range)" %t.log 12 | # FIXME: Add array declarations 13 | array arr2[8] : w32 -> w8 = symbolic 14 | (query [(Eq (Read w8 0 [ (w17 0) = (w9 0) ] @ arr2) 0)] false) 15 | 16 | # RUN: grep "TypeChecking.kquery: parse failure: 3 errors." %t.log 17 | -------------------------------------------------------------------------------- /test/Feature/Alias.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc 4 | 5 | // Darwin does not have strong aliases. 6 | // XFAIL: darwin 7 | 8 | #include 9 | 10 | // alias for global 11 | int b = 52; 12 | extern int a __attribute__((alias("b"))); 13 | 14 | // alias for function 15 | int __foo() { return 52; } 16 | extern int foo() __attribute__((alias("__foo"))); 17 | 18 | int *c = &a; 19 | 20 | int main() { 21 | assert(a == 52); 22 | assert(foo() == 52); 23 | assert(*c == 52); 24 | 25 | return 0; 26 | } 27 | -------------------------------------------------------------------------------- /test/Feature/AliasFunction.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc > %t1.log 4 | // RUN: grep -c foo %t1.log | grep 5 5 | // RUN: grep -c bar %t1.log | grep 4 6 | 7 | #include 8 | #include 9 | 10 | void __attribute__ ((noinline)) foo() { printf(" foo()\n"); } 11 | void __attribute__ ((noinline)) bar() { printf(" bar()\n"); } 12 | 13 | int main() { 14 | int x; 15 | klee_make_symbolic(&x, sizeof(x), "x"); 16 | 17 | // call once, so that it is not removed by optimizations 18 | bar(); 19 | 20 | // no aliases 21 | foo(); 22 | 23 | if (x > 10) 24 | { 25 | // foo -> bar 26 | klee_alias_function("foo", "bar"); 27 | 28 | if (x > 20) 29 | foo(); 30 | } 31 | 32 | foo(); 33 | 34 | // undo 35 | klee_alias_function("foo", "foo"); 36 | foo(); 37 | } 38 | -------------------------------------------------------------------------------- /test/Feature/AliasFunctionExit.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc > %t1.log 4 | // RUN: grep -c START %t1.log | grep 1 5 | // RUN: grep -c END %t1.log | grep 2 6 | 7 | #include 8 | #include 9 | #include 10 | 11 | void start(int x) { 12 | printf("START\n"); 13 | if (x == 53) 14 | exit(1); 15 | } 16 | 17 | void __attribute__ ((noinline)) end(int status) { 18 | klee_alias_function("exit", "exit"); 19 | printf("END: status = %d\n", status); 20 | exit(status); 21 | } 22 | 23 | 24 | int main() { 25 | int x; 26 | klee_make_symbolic(&x, sizeof(x), "x"); 27 | 28 | klee_alias_function("exit", "end"); 29 | start(x); 30 | end(0); 31 | } 32 | -------------------------------------------------------------------------------- /test/Feature/BFSSearcher.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --stop-after-n-instructions=500 --search=bfs %t1.bc 2>%t2.log 4 | // RUN: FileCheck -input-file=%t2.log %s 5 | #include "assert.h" 6 | #include "klee/klee.h" 7 | 8 | int nd() { 9 | int r; 10 | klee_make_symbolic(&r, sizeof(r), "r"); 11 | return r; 12 | } 13 | 14 | int main() { 15 | int x = 1; 16 | while (nd() != 0) { 17 | x *= 2; 18 | } 19 | // CHECK: ASSERTION FAIL 20 | klee_assert(0); 21 | return x; 22 | } 23 | -------------------------------------------------------------------------------- /test/Feature/BitcastAlias.ll: -------------------------------------------------------------------------------- 1 | ; RUN: llvm-as %s -f -o %t1.bc 2 | ; RUN: rm -rf %t.klee-out 3 | ; RUN: %klee --output-dir=%t.klee-out -disable-opt %t1.bc > %t2 4 | ; RUN: grep PASS %t2 5 | 6 | target datalayout = "e-p:64:64:64-i1:8:8-i8:8:8-i16:16:16-i32:32:32-i64:64:64-f32:32:32-f64:64:64-v64:64:64-v128:128:128-a0:0:64-s0:64:64-f80:128:128-n8:16:32:64" 7 | target triple = "x86_64-unknown-linux-gnu" 8 | 9 | @foo = alias i32 (i32)* @__foo 10 | 11 | define i32 @__foo(i32 %i) nounwind { 12 | entry: 13 | ret i32 %i 14 | } 15 | 16 | declare i32 @puts(i8*) 17 | 18 | @.passstr = private constant [5 x i8] c"PASS\00", align 1 19 | @.failstr = private constant [5 x i8] c"FAIL\00", align 1 20 | 21 | define i32 @main(i32 %argc, i8** nocapture %argv) nounwind readnone { 22 | entry: 23 | %call = call i32 (i64)* bitcast (i32 (i32)* @foo to i32 (i64)*)(i64 52) 24 | %r = icmp eq i32 %call, 52 25 | br i1 %r, label %bbtrue, label %bbfalse 26 | 27 | bbtrue: 28 | %0 = call i32 @puts(i8* getelementptr inbounds ([5 x i8]* @.passstr, i64 0, i64 0)) nounwind 29 | ret i32 0 30 | 31 | bbfalse: 32 | %1 = call i32 @puts(i8* getelementptr inbounds ([5 x i8]* @.failstr, i64 0, i64 0)) nounwind 33 | ret i32 0 34 | } 35 | -------------------------------------------------------------------------------- /test/Feature/BitcastAliasMD2U.ll: -------------------------------------------------------------------------------- 1 | ; RUN: llvm-as %s -f -o %t1.bc 2 | ; RUN: rm -rf %t.klee-out 3 | ; RUN: %klee --output-dir=%t.klee-out -disable-opt -search=nurs:md2u %t1.bc > %t2 4 | ; RUN: grep PASS %t2 5 | 6 | target datalayout = "e-p:64:64:64-i1:8:8-i8:8:8-i16:16:16-i32:32:32-i64:64:64-f32:32:32-f64:64:64-v64:64:64-v128:128:128-a0:0:64-s0:64:64-f80:128:128-n8:16:32:64" 7 | target triple = "x86_64-unknown-linux-gnu" 8 | 9 | @foo = alias i32 (i32)* @__foo 10 | 11 | define i32 @__foo(i32 %i) nounwind { 12 | entry: 13 | ret i32 %i 14 | } 15 | 16 | declare i32 @puts(i8*) 17 | 18 | @.passstr = private constant [5 x i8] c"PASS\00", align 1 19 | @.failstr = private constant [5 x i8] c"FAIL\00", align 1 20 | 21 | define i32 @main(i32 %argc, i8** nocapture %argv) nounwind readnone { 22 | entry: 23 | %call = call i32 (i64)* bitcast (i32 (i32)* @foo to i32 (i64)*)(i64 52) 24 | %r = icmp eq i32 %call, 52 25 | br i1 %r, label %bbtrue, label %bbfalse 26 | 27 | bbtrue: 28 | %0 = call i32 @puts(i8* getelementptr inbounds ([5 x i8]* @.passstr, i64 0, i64 0)) nounwind 29 | ret i32 0 30 | 31 | bbfalse: 32 | %1 = call i32 @puts(i8* getelementptr inbounds ([5 x i8]* @.failstr, i64 0, i64 0)) nounwind 33 | ret i32 0 34 | } 35 | -------------------------------------------------------------------------------- /test/Feature/ByteSwap.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --libc=klee --exit-on-error %t1.bc 4 | 5 | #include 6 | #include 7 | 8 | int main() { 9 | 10 | uint32_t n = 0; 11 | klee_make_symbolic(&n, sizeof(n)); 12 | 13 | uint32_t h = ntohl(n); 14 | assert(htonl(h) == n); 15 | 16 | return 0; 17 | } 18 | -------------------------------------------------------------------------------- /test/Feature/CallToUndefinedExternal.cpp: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgxx %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 2>&1 | FileCheck %s 4 | // RUN: test -f %t.klee-out/test000001.external.err 5 | 6 | extern "C" void poof(void); 7 | 8 | int main() { 9 | // CHECK: failed external call: poof 10 | poof(); 11 | 12 | return 0; 13 | } 14 | -------------------------------------------------------------------------------- /test/Feature/CheckForImpliedValue.c.failing: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -f %t1.log 3 | // RUN: rm -rf %t.klee-out 4 | // RUN: %klee --output-dir=%t.klee-out --log-file %t1.log --debug-check-for-implied-values %t1.bc 5 | // RUN: grep "= 0 (ok)" %t1.log 6 | // RUN: grep "= 2 (missed)" %t1.log 7 | 8 | #define swap(x) (((x)>>16) | (((x)&0xFFFF)<<16)) 9 | int main() { 10 | unsigned x, y; 11 | 12 | klee_make_symbolic(&x, sizeof x); 13 | klee_make_symbolic(&y, sizeof y); 14 | 15 | if (!x) { // should give x = 0 hit by ivc 16 | printf("ok\n"); 17 | } else { 18 | if (swap(y) == 0x00020000) { // should give y = 2 missed by ivc 19 | printf("ok\n"); 20 | } 21 | } 22 | 23 | return 0; 24 | } 25 | -------------------------------------------------------------------------------- /test/Feature/CheckMemoryAccess.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc -emit-llvm -g -c %s -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t.bc > %t.log 4 | // RUN: grep -q "good" %t.log 5 | // RUN: not grep -q "bad" %t.log 6 | 7 | #include 8 | #include 9 | #include 10 | 11 | int main() { 12 | char buf[4]; 13 | 14 | klee_check_memory_access(&buf, 1); 15 | printf("good\n"); 16 | if (klee_range(0, 2, "range1")) { 17 | klee_check_memory_access(0, 1); 18 | printf("null pointer deref: bad\n"); 19 | } 20 | 21 | if (klee_range(0, 2, "range2")) { 22 | klee_check_memory_access(buf, 5); 23 | printf("oversize access: bad\n"); 24 | } 25 | 26 | return 0; 27 | } 28 | -------------------------------------------------------------------------------- /test/Feature/CopyOnWrite.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --search=random-state --exit-on-error %t1.bc 4 | 5 | #include 6 | 7 | #define N 5 8 | 9 | unsigned branches = 0; 10 | 11 | void explode(int *ap, int i, int *result) { 12 | if (i 7 | 8 | int main() { 9 | unsigned char x, y; 10 | 11 | klee_make_symbolic(&x, sizeof x); 12 | 13 | y = x; 14 | 15 | // should be exactly two queries (prove x is/is not 10) 16 | // eventually should be 0 when we have fast solver 17 | if (x==10) { 18 | assert(y==10); 19 | } 20 | 21 | klee_silent_exit(0); 22 | return 0; 23 | } 24 | -------------------------------------------------------------------------------- /test/Feature/DefineFixedObject.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc -emit-llvm -c -o %t1.bc %s 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc 4 | 5 | #include 6 | 7 | #define ADDRESS ((int*) 0x0080) 8 | 9 | int main() { 10 | klee_define_fixed_object(ADDRESS, 4); 11 | 12 | int *p = ADDRESS; 13 | 14 | *p = 10; 15 | printf("*p: %d\n", *p); 16 | 17 | return 0; 18 | } 19 | -------------------------------------------------------------------------------- /test/Feature/DeterministicSwitch.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee -debug-print-instructions=all:stderr --output-dir=%t.klee-out --allow-external-sym-calls --switch-type=internal --search=dfs %t.bc >%t.switch.log 2>&1 4 | // RUN: FileCheck %s -input-file=%t.switch.log -check-prefix=CHECK-DFS 5 | // RUN: rm -rf %t.klee-out 6 | // RUN: %klee -debug-print-instructions=all:stderr --output-dir=%t.klee-out --allow-external-sym-calls --switch-type=internal --search=bfs %t.bc >%t.switch.log 2>&1 7 | // RUN: FileCheck %s -input-file=%t.switch.log -check-prefix=CHECK-BFS 8 | 9 | #include "klee/klee.h" 10 | #include 11 | 12 | int main(int argc, char **argv) { 13 | char c; 14 | 15 | klee_make_symbolic(&c, sizeof(c), "index"); 16 | 17 | switch (c) { 18 | case '\t': 19 | printf("tab\n"); 20 | break; 21 | case ' ': 22 | printf("space\n"); 23 | break; 24 | default: 25 | printf("default\n"); 26 | break; 27 | } 28 | 29 | // CHECK-DFS: default 30 | // CHECK-DFS: space 31 | // CHECK-DFS: tab 32 | 33 | // CHECK-BFS: tab 34 | // CHECK-BFS: space 35 | // CHECK-BFS: default 36 | 37 | return 0; 38 | } 39 | -------------------------------------------------------------------------------- /test/Feature/DoubleFree.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 2>&1 | FileCheck %s 4 | // RUN: test -f %t.klee-out/test000001.ptr.err 5 | 6 | int main() { 7 | int *x = malloc(4); 8 | free(x); 9 | // CHECK: memory error: invalid pointer: free 10 | free(x); 11 | return 0; 12 | } 13 | -------------------------------------------------------------------------------- /test/Feature/DumpStatesOnHalt.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -g -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --stop-after-n-instructions=1 --dump-states-on-halt=true %t1.bc 2>&1 | FileCheck %s 4 | // RUN: test -f %t.klee-out/test000001.ktest 5 | 6 | int main(int argc, char** argv) { 7 | int x = 1; 8 | if (argc == 1) 9 | x = 0; 10 | return x; 11 | } 12 | // CHECK: halting execution, dumping remaining states 13 | -------------------------------------------------------------------------------- /test/Feature/EntryPoint.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc -emit-llvm -g -c %s -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --entry-point=other_main %t.bc > %t.log 4 | // RUN: grep "Hello World" %t.log 5 | 6 | #include 7 | 8 | int other_main() { 9 | printf("Hello World\n"); 10 | return 0; 11 | } 12 | -------------------------------------------------------------------------------- /test/Feature/Envp.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc 4 | 5 | #include 6 | 7 | int main(int argc, char **argv, char **envp) { 8 | unsigned i; 9 | assert(argv[argc] == 0); 10 | printf("argc: %d, argv: %p, envp: %p\n", argc, argv, envp); 11 | printf("--environ--\n"); 12 | int haspwd = 0; 13 | for (i=0; envp[i]; i++) { 14 | printf("%d: %s\n", i, envp[i]); 15 | haspwd |= strncmp(envp[i], "PWD=", 4)==0; 16 | } 17 | assert(haspwd); 18 | return 0; 19 | } 20 | -------------------------------------------------------------------------------- /test/Feature/ExitOnErrorType.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -g -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out -exit-on-error-type Assert %t1.bc 2>&1 4 | 5 | #include 6 | #include 7 | 8 | int main() { 9 | assert(klee_int("assert")); 10 | 11 | while (1) { 12 | } 13 | 14 | return 0; 15 | } 16 | -------------------------------------------------------------------------------- /test/Feature/ExternalWeakLinkage.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc 4 | 5 | #include 6 | 7 | void __attribute__((weak)) IAmSoWeak(int); 8 | 9 | int main() { 10 | assert(IAmSoWeak==0); 11 | return 0; 12 | } 13 | -------------------------------------------------------------------------------- /test/Feature/Float.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc -emit-llvm -g -c %s -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t.bc > %t.log 4 | // RUN: grep "3.30* -1.10* 2.420*" %t.log 5 | 6 | #include 7 | 8 | float fadd(float a, float b) { 9 | return a + b; 10 | } 11 | 12 | float fsub(float a, float b) { 13 | return a - b; 14 | } 15 | 16 | float fmul(float a, float b) { 17 | return a * b; 18 | } 19 | 20 | int main() { 21 | printf("%f %f %f\n", fadd(1.1, 2.2), fsub(1.1, 2.2), fmul(1.1, 2.2)); 22 | return 0; 23 | } 24 | -------------------------------------------------------------------------------- /test/Feature/FloatingPt.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc 4 | 5 | #include 6 | 7 | int main() { 8 | double a1 = -1.1; 9 | double a2 = 1.2; 10 | 11 | int b1 = (int) a1; 12 | assert(b1 == -1); 13 | 14 | int b2 = (int) a2; 15 | assert(b2 == 1); 16 | 17 | a1 = (double) b1; 18 | assert(a1 == -1); 19 | 20 | a2 = (double) b2; 21 | assert(a2 == 1); 22 | 23 | return 0; 24 | } 25 | -------------------------------------------------------------------------------- /test/Feature/FunctionPointer.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --no-output --exit-on-error %t1.bc 4 | 5 | #include 6 | 7 | void foo(const char *msg) { printf("foo: %s\n", msg); } 8 | void baz(const char *msg) { printf("baz: %s\n", msg); } 9 | 10 | void (*xx)(const char *) = foo; 11 | 12 | void bar(void (*fp)(const char *)) { fp("called via bar"); } 13 | 14 | int main(int argc, char **argv) { 15 | void (*fp)(const char *) = foo; 16 | 17 | printf("going to call through fp\n"); 18 | fp("called via fp"); 19 | 20 | printf("calling via pass through\n"); 21 | bar(foo); 22 | 23 | fp = baz; 24 | fp("called via fp"); 25 | 26 | xx("called via xx"); 27 | 28 | #if 0 29 | klee_make_symbolic(&fp, sizeof fp); 30 | if(fp == baz) { 31 | printf("fp = %p, baz = %p\n", fp, baz); 32 | fp("calling via symbolic!"); 33 | } 34 | #endif 35 | 36 | return 0; 37 | } 38 | -------------------------------------------------------------------------------- /test/Feature/GetElementPtr.ll: -------------------------------------------------------------------------------- 1 | ; RUN: llvm-as %s -f -o %t1.bc 2 | ; RUN: rm -rf %t.klee-out 3 | ; RUN: %klee --output-dir=%t.klee-out -disable-opt %t1.bc > %t2 4 | ; RUN: grep PASS %t2 5 | 6 | target datalayout = "e-p:64:64:64-i1:8:8-i8:8:8-i16:16:16-i32:32:32-i64:64:64-f32:32:32-f64:64:64-v64:64:64-v128:128:128-a0:0:64-s0:64:64-f80:128:128-n8:16:32:64" 7 | target triple = "x86_64-unknown-linux-gnu" 8 | 9 | declare i32 @puts(i8*) 10 | 11 | @.passstr = private constant [5 x i8] c"PASS\00", align 1 12 | @.failstr = private constant [5 x i8] c"FAIL\00", align 1 13 | 14 | define i32 @main() { 15 | entry: 16 | %addr = alloca i8, align 4 17 | %addrp1 = getelementptr i8* %addr, i32 1 18 | %addrp1m1 = getelementptr i8* %addrp1, i32 -1 19 | %test = icmp eq i8* %addr, %addrp1m1 20 | br i1 %test, label %bbtrue, label %bbfalse 21 | 22 | bbtrue: 23 | %0 = call i32 @puts(i8* getelementptr inbounds ([5 x i8]* @.passstr, i64 0, i64 0)) nounwind 24 | ret i32 0 25 | 26 | bbfalse: 27 | %1 = call i32 @puts(i8* getelementptr inbounds ([5 x i8]* @.failstr, i64 0, i64 0)) nounwind 28 | ret i32 0 29 | } 30 | -------------------------------------------------------------------------------- /test/Feature/GetValue.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc -emit-llvm -c -o %t1.bc %s 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc 4 | 5 | #include 6 | #include 7 | 8 | int main() { 9 | int x = klee_int("x"); 10 | klee_assume(x > 10); 11 | klee_assume(x < 20); 12 | 13 | assert(!klee_is_symbolic(klee_get_value_i32(x))); 14 | assert(klee_get_value_i32(x) > 10); 15 | assert(klee_get_value_i32(x) < 20); 16 | 17 | return 0; 18 | } 19 | -------------------------------------------------------------------------------- /test/Feature/InAndOutOfBounds.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -g -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 2>&1 | FileCheck %s 4 | // RUN: test -f %t.klee-out/test000001.ptr.err -o -f %t.klee-out/test000002.ptr.err 5 | // RUN: not test -f %t.klee-out/test000001.ptr.err -a -f %t.klee-out/test000002.ptr.err 6 | // RUN: not test -f %t.klee-out/test000003.ktest 7 | 8 | unsigned klee_urange(unsigned start, unsigned end) { 9 | unsigned x; 10 | klee_make_symbolic(&x, sizeof x); 11 | if (x-start>=end-start) klee_silent_exit(0); 12 | return x; 13 | } 14 | 15 | int main() { 16 | int *x = malloc(sizeof(int)); 17 | // FIXME: Use newer FileCheck syntax to support relative line numbers 18 | // CHECK: InAndOutOfBounds.c:19: memory error: out of bound pointer 19 | x[klee_urange(0,2)] = 1; 20 | free(x); 21 | return 0; 22 | } 23 | -------------------------------------------------------------------------------- /test/Feature/IndirectCallToBuiltin.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | 5 | #include 6 | #include 7 | 8 | int main() { 9 | void *(*allocator)(size_t) = malloc; 10 | int *mem = allocator(10); 11 | 12 | printf("mem: %p\n", mem); 13 | printf("mem[0]: %d\n", mem[0]); 14 | 15 | return 0; 16 | } 17 | -------------------------------------------------------------------------------- /test/Feature/IndirectCallToExternal.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | 5 | #include 6 | #include 7 | #include 8 | #include 9 | 10 | int main() { 11 | int (*scmp)(char*,char*) = strcmp; 12 | 13 | assert(scmp("hello","hi") < 0); 14 | 15 | return 0; 16 | } 17 | -------------------------------------------------------------------------------- /test/Feature/IntrinsicTrap.ll: -------------------------------------------------------------------------------- 1 | ; RUN: llvm-as %s -f -o %t1.bc 2 | ; RUN: rm -rf %t.klee-out 3 | ; RUN: %klee --output-dir=%t.klee-out -disable-opt %t1.bc 4 | ; RUN: FileCheck %s --input-file=%t.klee-out/assembly.ll 5 | 6 | target datalayout = "e-p:64:64:64-i1:8:8-i8:8:8-i16:16:16-i32:32:32-i64:64:64-f32:32:32-f64:64:64-v64:64:64-v128:128:128-a0:0:64-s0:64:64-f80:128:128-f128:128:128-n8:16:32:64" 7 | target triple = "x86_64-unknown-linux-gnu" 8 | 9 | define i32 @main() nounwind { 10 | entry: 11 | %a = add i32 1, 2 12 | %b = add i32 %a, 3 13 | %c = icmp ne i32 %b, 6 14 | br i1 %c, label %btrue, label %bfalse 15 | 16 | btrue: 17 | ; CHECK-NOT: call void @llvm.trap() 18 | ; CHECK: call void @abort() 19 | call void @llvm.trap() noreturn nounwind 20 | unreachable 21 | 22 | bfalse: 23 | br label %return 24 | 25 | return: 26 | ret i32 0 27 | } 28 | 29 | ; CHECK-NOT: call void @llvm.trap() 30 | ; CHECK: declare void @abort() 31 | declare void @llvm.trap() noreturn nounwind 32 | -------------------------------------------------------------------------------- /test/Feature/InvalidBitfieldAccess.c.failing: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc -c -o %t1.bc %s 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc 4 | 5 | // This is a bug in llvm-gcc4.0 but seems to be fixed in llvm-gcc4.2, 6 | // its included here mostly as a reminder. 7 | 8 | #include 9 | #include 10 | #include 11 | 12 | struct foo { 13 | unsigned int a : 5; 14 | unsigned int b : 10; 15 | unsigned int c : 1; 16 | } __attribute__((packed)); 17 | 18 | int main() { 19 | struct foo *a = malloc(sizeof *a); 20 | 21 | a->b = 12; // problem here is that llvm-gcc emits a 4 byte access 22 | // which is out of bounds. 23 | 24 | int x = a->b; 25 | 26 | assert(x == 12); 27 | 28 | return 0; 29 | } 30 | -------------------------------------------------------------------------------- /test/Feature/IsSymbolic.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | 5 | #include 6 | 7 | int main() { 8 | int x, y, z = 0; 9 | klee_make_symbolic(&x, sizeof x); 10 | klee_make_symbolic(&y, sizeof y); 11 | if (x) { 12 | assert(klee_is_symbolic(y)); 13 | } else { 14 | assert(!klee_is_symbolic(z)); 15 | } 16 | return 0; 17 | } 18 | -------------------------------------------------------------------------------- /test/Feature/KleeReportError.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -g -emit-llvm -O0 -c -o %t2.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --emit-all-errors %t2.bc 2>&1 | FileCheck %s 4 | // RUN: ls %t.klee-out/ | grep .my.err | wc -l | grep 2 5 | #include 6 | #include 7 | 8 | int main(int argc, char** argv) { 9 | int x, y, *p = 0; 10 | 11 | klee_make_symbolic(&x, sizeof x); 12 | klee_make_symbolic(&y, sizeof y); 13 | 14 | if (x) 15 | fprintf(stderr, "x\n"); 16 | else fprintf(stderr, "!x\n"); 17 | 18 | if (y) { 19 | fprintf(stderr, "My error\n"); 20 | // CHECK: KleeReportError.c:23: My error 21 | // CHECK: KleeReportError.c:23: My error 22 | // FIXME: Use FileCheck's relative line number syntax 23 | klee_report_error(__FILE__, __LINE__, "My error", "my.err"); 24 | } 25 | 26 | return 0; 27 | } 28 | -------------------------------------------------------------------------------- /test/Feature/LargeReturnTypes.cpp: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgxx -g -fno-exceptions -emit-llvm -O0 -c -o %t.bc %s 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --libc=klee --no-output --exit-on-error %t.bc > %t.log 4 | 5 | /* Tests the ability to call external functions which return large values 6 | * (i.e. structs). In this test case, fstream::ftellg() returns a 7 | * streampos (an {i64, i64} pair) which is implicitly converted to a size_t. */ 8 | 9 | // This test currently doesn't work on darwin because this isn't how things work 10 | // in libc++. This test should be rewritten to not depend on an external 11 | // dependency. 12 | // 13 | // XFAIL: darwin 14 | 15 | #include 16 | 17 | using namespace std; 18 | 19 | size_t fileSize(const char *filename) { 20 | fstream f(filename, fstream::in | fstream::binary); 21 | 22 | if (f.is_open()) { 23 | f.seekg(0, fstream::end); 24 | size_t fileSize = f.tellg(); 25 | return fileSize; 26 | } 27 | 28 | return (size_t) -1; 29 | } 30 | 31 | int main(void) { 32 | size_t size = fileSize("/bin/sh"); 33 | return (size != (size_t) -1) ? 0 : 1; 34 | } 35 | -------------------------------------------------------------------------------- /test/Feature/LinkLLVMLib.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -g -emit-llvm -O0 -c -o %t1.bc -DLINK_LLVM_LIB_TEST_LIB 2 | // RUN: %llvmar r %t1.a %t1.bc 3 | // 4 | // RUN: %llvmgcc %s -g -emit-llvm -O0 -c -o %t2.bc -DLINK_LLVM_LIB_TEST_EXEC 5 | // RUN: rm -rf %t.klee-out 6 | // RUN: %klee --link-llvm-lib %t1.a --output-dir=%t.klee-out --emit-all-errors --warnings-only-to-file=false %t2.bc 2>&1 | FileCheck %s 7 | 8 | #ifdef LINK_LLVM_LIB_TEST_EXEC 9 | extern void printint(int d); 10 | 11 | int main(int argc, char * argv[]) { 12 | printint(5); 13 | // CHECK: KLEE: WARNING ONCE: calling external: printf 14 | return 0; 15 | } 16 | #endif 17 | 18 | #ifdef LINK_LLVM_LIB_TEST_LIB 19 | #include 20 | 21 | void printint(int d) { 22 | printf("%d\n", d); 23 | } 24 | #endif 25 | -------------------------------------------------------------------------------- /test/Feature/LongDoubleSupport.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --optimize=0 --exit-on-error %t1.bc > %t2.out 4 | 5 | #include 6 | #include 7 | #include 8 | 9 | // FIXME: This doesn't really work at all, it just doesn't 10 | // crash. Until we have wide constant support, that is all we care 11 | // about; the only reason this comes up is in initialization of 12 | // constants, we don't actually end up seeing much code which uses long 13 | // double. 14 | int main() { 15 | unsigned N0 = 0, N1 = 0, N2 = 0; 16 | 17 | float V0 = .1; 18 | while (V0 != 0) { 19 | V0 *= V0; 20 | N0++; 21 | } 22 | double V1 = .1; 23 | while (V1 != 0) { 24 | V1 *= V1; 25 | N1++; 26 | } 27 | long double V2 = .1; 28 | while (V2 != 0) { 29 | V2 *= V2; 30 | N2++; 31 | } 32 | 33 | printf("counts: %d, %d, %d\n", N0, N1, N2); 34 | 35 | assert(N0 == 6); 36 | assert(N1 == 9); 37 | assert(N2 == 13); 38 | 39 | return 0; 40 | } 41 | -------------------------------------------------------------------------------- /test/Feature/LowerSwitch.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error --allow-external-sym-calls --switch-type=internal %t.bc 4 | // RUN: not test -f %t.klee-out/test000010.ktest 5 | 6 | // RUN: rm -rf %t.klee-out 7 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error --allow-external-sym-calls --switch-type=simple %t.bc 8 | // RUN: test -f %t.klee-out/test000010.ktest 9 | 10 | #include 11 | 12 | int main(int argc, char **argv) { 13 | int c = klee_range(0, 256, "range"); 14 | 15 | switch(c) { 16 | case 0: printf("0\n"); break; 17 | case 10: printf("10\n"); break; 18 | case 16: printf("16\n"); break; 19 | case 17: printf("17\n"); break; 20 | case 18: printf("18\n"); break; 21 | case 19: printf("19\n"); break; 22 | #define C(x) case x: case x+1: case x+2: case x+3 23 | #define C2(x) C(x): C(x+4): C(x+8): C(x+12) 24 | #define C3(x) C2(x): C2(x+16): C2(x+32): C2(x+48) 25 | C3(128): 26 | printf("bignums: %d\n", c); break; 27 | default: 28 | printf("default\n"); 29 | break; 30 | } 31 | 32 | return 0; 33 | } 34 | -------------------------------------------------------------------------------- /test/Feature/MakeConcreteSymbolic.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --optimize=false --output-dir=%t.klee-out --exit-on-error %t1.bc 4 | // RUN: grep "done: total queries = 0" %t.klee-out/info 5 | 6 | // RUN: rm -rf %t.klee-out 7 | // RUN: %klee --optimize=false --output-dir=%t.klee-out --make-concrete-symbolic=1 --exit-on-error %t1.bc 8 | // RUN: grep "done: total queries = 2" %t.klee-out/info 9 | 10 | 11 | #include 12 | 13 | #define N 2 14 | int main() { 15 | int i; 16 | char a; 17 | 18 | a = 10; 19 | assert(a == 10); 20 | 21 | return 0; 22 | } 23 | -------------------------------------------------------------------------------- /test/Feature/MakeSymbolicName.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --search=random-state --exit-on-error %t1.bc 4 | 5 | #include 6 | 7 | int main() { 8 | int a[4] = {1, 2, 3, 4}; 9 | unsigned i; 10 | 11 | klee_make_symbolic(&i, sizeof(i), "index"); 12 | if (i > 3) 13 | klee_silent_exit(0); 14 | 15 | assert(a[i] << 1 != 5); 16 | if (a[i] << 1 == 6) 17 | assert(i == 2); 18 | } 19 | -------------------------------------------------------------------------------- /test/Feature/MultipleReadResolution.c: -------------------------------------------------------------------------------- 1 | // RUN: echo "x" > %t1.res 2 | // RUN: echo "x" >> %t1.res 3 | // RUN: echo "x" >> %t1.res 4 | // RUN: echo "x" >> %t1.res 5 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 6 | // RUN: rm -rf %t.klee-out 7 | // RUN: %klee --output-dir=%t.klee-out %t1.bc > %t1.log 8 | // RUN: diff %t1.res %t1.log 9 | 10 | #include 11 | 12 | unsigned klee_urange(unsigned start, unsigned end) { 13 | unsigned x; 14 | klee_make_symbolic(&x, sizeof x); 15 | if (x-start>=end-start) klee_silent_exit(0); 16 | return x; 17 | } 18 | 19 | int *make_int(int i) { 20 | int *x = malloc(sizeof(*x)); 21 | *x = i; 22 | return x; 23 | } 24 | 25 | int main() { 26 | int *buf[4]; 27 | int i,s,t; 28 | 29 | for (i=0; i<4; i++) 30 | buf[i] = make_int((i+1)*2); 31 | 32 | s = klee_urange(0,4); 33 | 34 | int x = *buf[s]; 35 | 36 | if (x == 4) 37 | if (s!=1) 38 | abort(); 39 | 40 | printf("x\n"); 41 | fflush(stdout); 42 | 43 | return 0; 44 | } 45 | -------------------------------------------------------------------------------- /test/Feature/MultipleWriteResolution.c: -------------------------------------------------------------------------------- 1 | // RUN: echo "x" > %t1.res 2 | // RUN: echo "x" >> %t1.res 3 | // RUN: echo "x" >> %t1.res 4 | // RUN: echo "x" >> %t1.res 5 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 6 | // RUN: rm -rf %t.klee-out 7 | // RUN: %klee --output-dir=%t.klee-out %t1.bc > %t1.log 8 | // RUN: diff %t1.res %t1.log 9 | 10 | #include 11 | 12 | unsigned klee_urange(unsigned start, unsigned end) { 13 | unsigned x; 14 | klee_make_symbolic(&x, sizeof x); 15 | if (x-start>=end-start) klee_silent_exit(0); 16 | return x; 17 | } 18 | 19 | int *make_int(int i) { 20 | int *x = malloc(sizeof(*x)); 21 | *x = i; 22 | return x; 23 | } 24 | 25 | int main() { 26 | int *buf[4]; 27 | int i,s,t; 28 | 29 | for (i=0; i<4; i++) 30 | buf[i] = make_int((i+1)*2); 31 | 32 | s = klee_urange(0,4); 33 | 34 | *buf[s] = 5; 35 | 36 | if ((*buf[0] + *buf[1] + *buf[2] + *buf[3]) == 17) 37 | if (s!=3) 38 | abort(); 39 | 40 | printf("x\n"); 41 | fflush(stdout); 42 | 43 | return 0; 44 | } 45 | -------------------------------------------------------------------------------- /test/Feature/NonSizedGlobals.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc 4 | 5 | struct X; 6 | extern struct X Y; 7 | void *ptr = &Y; 8 | 9 | int main() 10 | { 11 | return 0; 12 | } 13 | -------------------------------------------------------------------------------- /test/Feature/OneFreeError.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -g -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 2>&1 | FileCheck %s 4 | // RUN: test -f %t.klee-out/test000001.ptr.err 5 | 6 | int main() { 7 | int *x = malloc(4); 8 | free(x); 9 | // CHECK: OneFreeError.c:11: memory error: out of bound pointer 10 | // FIXME: Use FileCheck's relative line numbers 11 | x[0] = 1; 12 | return 0; 13 | } 14 | -------------------------------------------------------------------------------- /test/Feature/OneOutOfBounds.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -g -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 2>&1 | FileCheck %s 4 | // RUN: test -f %t.klee-out/test000001.ptr.err 5 | 6 | int main() { 7 | int *x = malloc(sizeof(int)); 8 | // CHECK: OneOutOfBounds.c:10: memory error: out of bound pointer 9 | // FIXME: Use FileCheck's relative line numbers 10 | x[1] = 1; 11 | free(x); 12 | return 0; 13 | } 14 | -------------------------------------------------------------------------------- /test/Feature/Optimize.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t2.bc 2 | // RUN: rm -f %t2.log 3 | // RUN: rm -rf %t.klee-out 4 | // RUN: %klee --output-dir=%t.klee-out --stop-after-n-instructions=100 --optimize %t2.bc > %t3.log 5 | // RUN: echo "good" > %t3.good 6 | // RUN: diff %t3.log %t3.good 7 | 8 | // should complete by 100 instructions if opt is on 9 | 10 | int main() { 11 | int i, res = 0; 12 | 13 | for (i=1; i<=1000; i++) 14 | res += i; 15 | 16 | if (res == (1000*1001)/2) { 17 | printf("good\n"); 18 | } else { 19 | printf("bad\n"); 20 | } 21 | 22 | return 0; 23 | } 24 | -------------------------------------------------------------------------------- /test/Feature/OverlappedError.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -g -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | // RUN: ls %t.klee-out/ | grep .ktest | wc -l | grep 4 5 | // RUN: ls %t.klee-out/ | grep .ptr.err | wc -l | grep 2 6 | 7 | #include 8 | 9 | int main() { 10 | if (klee_range(0,2, "range")) { 11 | char *x = malloc(8); 12 | *((int*) &x[klee_range(0,6, "range")]) = 1; 13 | free(x); 14 | } else { 15 | char *x = malloc(8); 16 | *((int*) &x[klee_range(-1,5, "range")]) = 1; 17 | free(x); 18 | } 19 | return 0; 20 | } 21 | -------------------------------------------------------------------------------- /test/Feature/OvershiftCheck.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out -check-overshift %t.bc 2> %t.log 4 | // RUN: grep -c "overshift error" %t.log 5 | // RUN: grep -c "OvershiftCheck.c:20: overshift error" %t.log 6 | // RUN: grep -c "OvershiftCheck.c:24: overshift error" %t.log 7 | 8 | /* This test checks that two consecutive potential overshifts 9 | * are reported as errors. 10 | */ 11 | int main() 12 | { 13 | unsigned int x=15; 14 | unsigned int y; 15 | unsigned int z; 16 | volatile unsigned int result; 17 | 18 | /* Overshift if y>= sizeof(x) */ 19 | klee_make_symbolic(&y,sizeof(y),"shift_amount1"); 20 | result = x << y; 21 | 22 | /* Overshift is z>= sizeof(x) */ 23 | klee_make_symbolic(&z,sizeof(z),"shift_amount2"); 24 | result = x >> z; 25 | 26 | return 0; 27 | } 28 | -------------------------------------------------------------------------------- /test/Feature/PreferCex.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc 4 | // RUN: ktest-tool %t.klee-out/test000001.ktest | FileCheck %s 5 | 6 | #include 7 | #include 8 | #include 9 | 10 | int main() { 11 | char buf[4]; 12 | 13 | klee_make_symbolic(buf, sizeof buf); 14 | // CHECK: Hi\x00\x00 15 | klee_prefer_cex(buf, buf[0]=='H'); 16 | klee_prefer_cex(buf, buf[1]=='i'); 17 | klee_prefer_cex(buf, buf[2]=='\0'); 18 | klee_prefer_cex(buf, buf[3]=='\0'); 19 | 20 | return 0; 21 | } 22 | -------------------------------------------------------------------------------- /test/Feature/RaiseAsm.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc 4 | 5 | #include 6 | 7 | typedef unsigned short uint16; 8 | typedef unsigned int uint32; 9 | 10 | uint16 byteswap_uint16(uint16 x) { 11 | return (x << 8) | (x >> 8); 12 | } 13 | uint32 byteswap_uint32(uint32 x) { 14 | return ((byteswap_uint16(x) << 16) | 15 | (byteswap_uint16(x >> 16))); 16 | } 17 | 18 | uint16 byteswap_uint16_asm(uint16 x) { 19 | uint16 res; 20 | __asm__("rorw $8, %w0" : "=r" (res) : "0" (x) : "cc"); 21 | return res; 22 | } 23 | 24 | uint32 byteswap_uint32_asm(uint32 x) { 25 | uint32 res; 26 | __asm__("rorw $8, %w0;" 27 | "rorl $16, %0;" 28 | "rorw $8, %w0" : "=r" (res) : "0" (x) : "cc"); 29 | return res; 30 | } 31 | 32 | int main() { 33 | uint16 ui16 = klee_int("ui16"); 34 | uint32 ui32 = klee_int("ui32"); 35 | 36 | assert(ui16 == byteswap_uint16(byteswap_uint16_asm(ui16))); 37 | assert(ui32 == byteswap_uint32(byteswap_uint32_asm(ui32))); 38 | 39 | __asm__ __volatile__("" : : : "memory"); 40 | 41 | return 0; 42 | } 43 | -------------------------------------------------------------------------------- /test/Feature/Realloc.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error --warnings-only-to-file=false %t1.bc 2>&1 | FileCheck %s 4 | 5 | #include 6 | #include 7 | #include 8 | 9 | int main() { 10 | int *p = malloc(sizeof(int)*2); 11 | assert(p); 12 | p[1] = 52; 13 | 14 | // CHECK: KLEE: WARNING ONCE: Large alloc 15 | int *p2 = realloc(p, 1<<30); 16 | assert(p2[1] == 52); 17 | 18 | return 0; 19 | } 20 | -------------------------------------------------------------------------------- /test/Feature/ReplayPath.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -DCOND_EXIT -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --write-paths %t1.bc > %t3.good 4 | 5 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t2.bc 6 | // RUN: rm -rf %t.klee-out-2 7 | // RUN: %klee --output-dir=%t.klee-out-2 --replay-path %t.klee-out/test000001.path %t2.bc > %t3.log 8 | // RUN: diff %t3.log %t3.good 9 | 10 | #include 11 | #include 12 | 13 | void cond_exit() { 14 | #ifdef COND_EXIT 15 | klee_silent_exit(0); 16 | #endif 17 | } 18 | 19 | int main() { 20 | int res = 1; 21 | int x; 22 | 23 | klee_make_symbolic(&x, sizeof x); 24 | 25 | if (x&1) res *= 2; else cond_exit(); 26 | if (x&2) res *= 3; else cond_exit(); 27 | if (x&4) res *= 5; else cond_exit(); 28 | 29 | // get forced branch coverage 30 | if (x&2) res *= 7; 31 | if (!(x&2)) res *= 11; 32 | printf("res: %d\n", res); 33 | 34 | return 0; 35 | } 36 | -------------------------------------------------------------------------------- /test/Feature/RewriteEqualities.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --search=dfs --write-kqueries --rewrite-equalities=false %t.bc 4 | // RUN: grep "N0:(Read w8 2 x)" %t.klee-out/test000003.kquery 5 | // RUN: grep "N0)" %t.klee-out/test000003.kquery 6 | // RUN: rm -rf %t.klee-out 7 | // RUN: %klee --output-dir=%t.klee-out --search=dfs --write-kqueries --rewrite-equalities %t.bc 8 | // RUN: FileCheck -input-file=%t.klee-out/test000003.kquery %s 9 | 10 | #include 11 | #include 12 | 13 | int run(unsigned char * x, unsigned char * y) { 14 | y[6] = 15; 15 | 16 | if(x[2] >= 10){ 17 | return 1; 18 | } 19 | 20 | if(y[x[2]] < 11){ 21 | if(x[2] == 8){ 22 | // CHECK: (query [(Eq 8 (Read w8 2 x))] 23 | // CHECK-NEXT: false) 24 | return 2; 25 | } else{ 26 | return 3; 27 | } 28 | } else{ 29 | return 4; 30 | } 31 | } 32 | 33 | unsigned char y[255]; 34 | 35 | int main() { 36 | unsigned char x[4]; 37 | klee_make_symbolic(&x, sizeof x, "x"); 38 | 39 | return run(x, y); 40 | } 41 | -------------------------------------------------------------------------------- /test/Feature/SetForking.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc -emit-llvm -g -c %s -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t.bc > %t.log 4 | // RUN: sort %t.log | uniq -c > %t.uniq.log 5 | // RUN: grep "1 A" %t.uniq.log 6 | // RUN: grep "1 B" %t.uniq.log 7 | // RUN: grep "1 C" %t.uniq.log 8 | 9 | #include 10 | 11 | int main() { 12 | klee_set_forking(0); 13 | 14 | if (klee_range(0, 2, "range")) { 15 | printf("A\n"); 16 | } else { 17 | printf("A\n"); 18 | } 19 | 20 | klee_set_forking(1); 21 | 22 | if (klee_range(0, 2, "range")) { 23 | printf("B\n"); 24 | } else { 25 | printf("C\n"); 26 | } 27 | 28 | return 0; 29 | } 30 | -------------------------------------------------------------------------------- /test/Feature/SolverTimeout.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --max-solver-time=1 %t1.bc 4 | // FIXME: This test occasionally fails when using Z3 4.4.1 but 5 | // not when using Z3 from the master branch. So disable the test for now. 6 | // REQUIRES: stp 7 | #include 8 | 9 | int main() { 10 | long long int x, y = 102*75678 + 78, i = 101; 11 | 12 | klee_make_symbolic(&x, sizeof(x), "x"); 13 | 14 | if (x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x + (x*x % (x+12)) == y*y*y*y*y*y*y*y*y*y*y*y*y*y*y*y % i) 15 | printf("Yes\n"); 16 | else printf("No\n"); 17 | 18 | return 0; 19 | } 20 | -------------------------------------------------------------------------------- /test/Feature/StatesCoveringNew.c: -------------------------------------------------------------------------------- 1 | // Check that we properly detect states covering new instructions. 2 | // 3 | // RUN: %llvmgcc -I../../../include %s -emit-llvm -O0 -c -o %t1.bc 4 | // RUN: rm -rf %t.klee-out 5 | // RUN: %klee --output-dir=%t.klee-out --only-output-states-covering-new %t1.bc 6 | 7 | // We expect 4 different output states, one for each named value and one "other" 8 | // one with the prefered CEX. We verify this by using ktest-tool to dump the 9 | // values, and then checking the output. 10 | // 11 | // RUN: /bin/sh -c "ktest-tool --write-int %t.klee-out/*.ktest" | sort > %t.data-values 12 | // RUN: FileCheck < %t.data-values %s 13 | 14 | // CHECK: object 0: data: 0 15 | // CHECK: object 0: data: 17 16 | // CHECK: object 0: data: 32 17 | // CHECK: object 0: data: 99 18 | 19 | #include 20 | 21 | void f0(void) {} 22 | void f1(void) {} 23 | void f2(void) {} 24 | void f3(void) {} 25 | 26 | int main() { 27 | int x = klee_range(0, 256, "x"); 28 | 29 | if (x == 17) { 30 | f0(); 31 | } else if (x == 32) { 32 | f1(); 33 | } else if (x == 99) { 34 | f2(); 35 | } else { 36 | klee_prefer_cex(&x, x == 0); 37 | f3(); 38 | } 39 | 40 | return 0; 41 | } 42 | -------------------------------------------------------------------------------- /test/Feature/VarArgLongDouble.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t.bc | FileCheck %s 4 | 5 | #include 6 | #include 7 | #include 8 | 9 | void ld_after_zero(int first,...) 10 | { 11 | va_list ap; 12 | long double dub; 13 | 14 | va_start(ap, first); 15 | 16 | while (va_arg(ap, int) != 0) 17 | ; 18 | 19 | dub = va_arg(ap, long double); 20 | 21 | printf("%Lf\n", dub); 22 | 23 | } 24 | 25 | int main() { 26 | long double dub = 1.123456; 27 | int zero = 0; 28 | int one = 1; 29 | 30 | // AMD64-ABI 3.5.7p5: Step 7. Align l->overflow_arg_area upwards to a 16 31 | // byte boundary if alignment needed by type exceeds 8 byte boundary. 32 | // 33 | // the long double dub requires 16 byte alignment. 34 | // we try passing one,zero and one, one, zero 35 | // at least on those will align dub such that it needs the extra alignment 36 | ld_after_zero(one, zero, dub); 37 | // CHECK: 1.123456 38 | ld_after_zero(one, one, zero, dub); 39 | // CHECK-NEXT: 1.123456 40 | 41 | return 0; 42 | } 43 | -------------------------------------------------------------------------------- /test/Feature/WithLibc.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t2.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --libc=klee %t2.bc > %t3.log 4 | // RUN: echo "good" > %t3.good 5 | // RUN: diff %t3.log %t3.good 6 | 7 | int main() { 8 | char buf[4]; 9 | char *s = "foo"; 10 | 11 | klee_make_symbolic(buf, sizeof buf); 12 | buf[3] = 0; 13 | 14 | if (strcmp(buf, s)==0) { 15 | if (buf[0]=='f' && buf[1]=='o' && buf[2]=='o' && buf[3]==0) { 16 | printf("good\n"); 17 | } else { 18 | printf("bad\n"); 19 | } 20 | } 21 | 22 | return 0; 23 | } 24 | -------------------------------------------------------------------------------- /test/Feature/WriteCov.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -c -o %t2.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error --write-cov %t2.bc 4 | // RUN: grep -c WriteCov.c:16 %t.klee-out/test000001.cov %t.klee-out/test000002.cov >%t3.txt 5 | // RUN: grep -c WriteCov.c:18 %t.klee-out/test000001.cov %t.klee-out/test000002.cov >>%t3.txt 6 | // RUN: grep %t.klee-out/test000001.cov:0 %t3.txt 7 | // RUN: grep %t.klee-out/test000001.cov:1 %t3.txt 8 | // RUN: grep %t.klee-out/test000002.cov:0 %t3.txt 9 | // RUN: grep %t.klee-out/test000002.cov:1 %t3.txt 10 | 11 | #include 12 | #include 13 | 14 | int main() { 15 | if (klee_range(0,2, "range")) { 16 | assert(__LINE__ == 16); printf("__LINE__ = %d\n", __LINE__); 17 | } else { 18 | assert(__LINE__ == 18); printf("__LINE__ = %d\n", __LINE__); 19 | } 20 | return 0; 21 | } 22 | -------------------------------------------------------------------------------- /test/Feature/consecutive_divide_by_zero.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc -emit-llvm -c -g -O0 %s -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out -check-div-zero -emit-all-errors=0 %t.bc 2> %t.log 4 | // RUN: grep "completed paths = 3" %t.log 5 | // RUN: grep "generated tests = 3" %t.log 6 | // RUN: grep "consecutive_divide_by_zero.c:25: divide by zero" %t.log 7 | // RUN: grep "consecutive_divide_by_zero.c:28: divide by zero" %t.log 8 | 9 | /* This test case captures a bug where two distinct division 10 | * by zero errors are treated as the same error and so 11 | * only one test case is generated EVEN IF THERE ARE MULTIPLE 12 | * DISTINCT ERRORS! 13 | */ 14 | int main() 15 | { 16 | unsigned int a=15; 17 | unsigned int b=15; 18 | volatile unsigned int d1; 19 | volatile unsigned int d2; 20 | 21 | klee_make_symbolic(&d1, sizeof(d1),"divisor1"); 22 | klee_make_symbolic(&d2, sizeof(d2),"divisor2"); 23 | 24 | // deliberate division by zero possible 25 | unsigned int result1 = a / d1; 26 | 27 | // another deliberate division by zero possible 28 | unsigned int result2 = b / d2; 29 | 30 | return 0; 31 | } 32 | -------------------------------------------------------------------------------- /test/Feature/const_array_opt1.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --const-array-opt --max-time=10 --only-output-states-covering-new %t.bc >%t.log 4 | // grep -q "Finished successfully!\n" 5 | 6 | /* This is testing the const array optimization. On my 2.3GHz machine 7 | this takes under 2 seconds w/ the optimization and almost 6 minutes 8 | w/o. So we kill it in 10 sec and check if it has finished 9 | successfully. */ 10 | 11 | #include 12 | #include 13 | #include 14 | 15 | int main() { 16 | #define N 8192 17 | #define N_IDX 16 18 | unsigned char a[N]; 19 | unsigned i, k[N_IDX]; 20 | 21 | for (i=0; i= N) 28 | klee_silent_exit(0); 29 | 30 | if (a[k[i]] == i) 31 | assert(k[i] % 256 == i); 32 | else klee_silent_exit(0); 33 | } 34 | 35 | printf("Finished successfully!\n"); 36 | 37 | return 0; 38 | } 39 | -------------------------------------------------------------------------------- /test/Feature/srem.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out -use-cex-cache=1 %t.bc 4 | // RUN: grep "KLEE: done: explored paths = 5" %t.klee-out/info 5 | // RUN: grep "KLEE: done: generated tests = 4" %t.klee-out/info 6 | #include 7 | #include 8 | 9 | int main(int argc, char** argv) 10 | { 11 | int y; 12 | 13 | klee_make_symbolic(&y, sizeof(y), "y"); 14 | 15 | // Test cases divisor is positive or negative 16 | if (y >= 0) { 17 | if (y < 2) { 18 | // Two test cases generated taking this path, one for y == 0 and y ==1 19 | assert(1 % y == 0); 20 | } else { 21 | assert(1 % y == 1); 22 | } 23 | } else { 24 | if (y > -2) { 25 | assert(1 % y == 0); 26 | } else { 27 | assert(1 % y == 1); 28 | } 29 | } 30 | 31 | assert(0 % y == 0); 32 | assert(-1 % y == -1); 33 | } 34 | -------------------------------------------------------------------------------- /test/Feature/ubsan_signed_overflow.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -fsanitize=signed-integer-overflow -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t.bc 2>&1 | FileCheck %s 4 | 5 | // llvm-gcc 2.9 does not support -fsanitize=signed-integer-overflow 6 | // REQUIRES: not-llvm-2.9 7 | 8 | #include "klee/klee.h" 9 | 10 | int main() 11 | { 12 | signed int x; 13 | signed int y; 14 | volatile signed int result; 15 | 16 | klee_make_symbolic(&x, sizeof(x), "x"); 17 | klee_make_symbolic(&y, sizeof(y), "y"); 18 | 19 | // CHECK: ubsan_signed_overflow.c:20: overflow on unsigned addition 20 | result = x + y; 21 | 22 | // CHECK: ubsan_signed_overflow.c:23: overflow on unsigned subtraction 23 | result = x - y; 24 | 25 | // CHECK: ubsan_signed_overflow.c:26: overflow on unsigned multiplication 26 | result = x * y; 27 | 28 | return 0; 29 | } 30 | -------------------------------------------------------------------------------- /test/Feature/ubsan_unsigned_overflow.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -fsanitize=unsigned-integer-overflow -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t.bc 2>&1 | FileCheck %s 4 | 5 | // llvm-gcc 2.9 does not support -fsanitize=unsigned-integer-overflow 6 | // REQUIRES: not-llvm-2.9 7 | 8 | #include "klee/klee.h" 9 | 10 | int main() 11 | { 12 | unsigned int x; 13 | unsigned int y; 14 | volatile unsigned int result; 15 | 16 | klee_make_symbolic(&x, sizeof(x), "x"); 17 | klee_make_symbolic(&y, sizeof(y), "y"); 18 | 19 | // CHECK: ubsan_unsigned_overflow.c:20: overflow on unsigned addition 20 | result = x + y; 21 | 22 | // CHECK: ubsan_unsigned_overflow.c:23: overflow on unsigned subtraction 23 | result = x - y; 24 | 25 | // CHECK: ubsan_unsigned_overflow.c:26: overflow on unsigned multiplication 26 | result = x * y; 27 | 28 | return 0; 29 | } 30 | -------------------------------------------------------------------------------- /test/Feature/utils.h: -------------------------------------------------------------------------------- 1 | typedef unsigned char uint8_t; 2 | typedef unsigned short uint16_t; 3 | typedef unsigned int uint32_t; 4 | typedef unsigned long long uint64_t; 5 | 6 | uint32_t util_make_and_i1(uint32_t a, uint32_t b); 7 | uint32_t util_make_or_i1(uint32_t a, uint32_t b); 8 | 9 | uint16_t util_make_concat2(uint8_t a, uint8_t b); 10 | uint32_t util_make_concat4(uint8_t a, uint8_t b, 11 | uint8_t c, uint8_t d); 12 | uint64_t util_make_concat8(uint8_t a, uint8_t b, 13 | uint8_t c, uint8_t d, 14 | uint8_t e, uint8_t f, 15 | uint8_t g, uint8_t h); 16 | uint32_t util_make_select(uint32_t cond, uint32_t true, uint32_t false); 17 | -------------------------------------------------------------------------------- /test/Intrinsics/objectsize.llvm29.ll: -------------------------------------------------------------------------------- 1 | ; FIXME: Remove this test case when we drop LLVM 2.9 support 2 | ; REQUIRES: llvm-2.9 3 | ; RUN: %llvmas %s -o=%t.bc 4 | ; RUN: rm -rf %t.klee-out 5 | ; RUN: %klee -exit-on-error --output-dir=%t.klee-out -disable-opt %t.bc 6 | ; ModuleID = 'objectsize.c' 7 | target datalayout = "e-p:64:64:64-i1:8:8-i8:8:8-i16:16:16-i32:32:32-i64:64:64-f32:32:32-f64:64:64-v64:64:64-v128:128:128-a0:0:64-s0:64:64-f80:128:128-n8:16:32:64-S128" 8 | target triple = "x86_64-unknown-linux-gnu" 9 | 10 | define i32 @main() nounwind { 11 | entry: 12 | %a = alloca i8*, align 8 13 | %0 = load i8** %a, align 8 14 | %1 = call i64 @llvm.objectsize.i64(i8* %0, i1 true) 15 | %cmp = icmp ne i64 %1, 0 16 | br i1 %cmp, label %abort.block, label %continue.block 17 | 18 | continue.block: 19 | %2 = load i8** %a, align 8 20 | %3 = call i64 @llvm.objectsize.i64(i8* %2, i1 false) 21 | %cmp1 = icmp ne i64 %3, -1 22 | br i1 %cmp1, label %abort.block, label %exit.block 23 | 24 | exit.block: 25 | ret i32 0 26 | 27 | abort.block: 28 | call void @abort() 29 | unreachable 30 | } 31 | 32 | declare i64 @llvm.objectsize.i64(i8*, i1) nounwind readnone 33 | 34 | declare void @abort() noreturn nounwind 35 | -------------------------------------------------------------------------------- /test/README: -------------------------------------------------------------------------------- 1 | about tests.... 2 | -------------------------------------------------------------------------------- /test/Replay/libkleeruntest/replay_simple.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --search=dfs %t.bc 4 | // RUN: test -f %t.klee-out/test000001.ktest 5 | // RUN: test -f %t.klee-out/test000002.ktest 6 | 7 | // Now try to replay with libkleeRuntest 8 | // RUN: %cc %s %libkleeruntest -Wl,-rpath %libkleeruntestdir -o %t_runner 9 | // RUN: env KTEST_FILE=%t.klee-out/test000001.ktest %t_runner | FileCheck -check-prefix=TESTONE %s 10 | // RUN: env KTEST_FILE=%t.klee-out/test000002.ktest %t_runner | FileCheck -check-prefix=TESTTWO %s 11 | 12 | #include "klee/klee.h" 13 | #include 14 | 15 | int main(int argc, char** argv) { 16 | int x = 0; 17 | klee_make_symbolic(&x, sizeof(x), "x"); 18 | 19 | if (x == 0) { 20 | printf("x is 0\n"); 21 | } else { 22 | printf("x is not 0\n"); 23 | } 24 | return 0; 25 | } 26 | 27 | // TESTONE: x is not 0 28 | // TESTTWO: x is 0 29 | -------------------------------------------------------------------------------- /test/Replay/libkleeruntest/replay_two_objects.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --search=dfs %t.bc 2>&1 | FileCheck %s 4 | // RUN: test -f %t.klee-out/test000001.ktest 5 | // RUN: test ! -f %t.klee-out/test000002.ktest 6 | 7 | // Now try to replay with libkleeRuntest 8 | // RUN: %cc -DPRINT_VALUES %s %libkleeruntest -Wl,-rpath %libkleeruntestdir -o %t_runner 9 | // RUN: env KTEST_FILE=%t.klee-out/test000001.ktest %t_runner | FileCheck -check-prefix=TESTONE %s 10 | 11 | #include "klee/klee.h" 12 | #include 13 | 14 | int main(int argc, char** argv) { 15 | int x = 0; 16 | int y = 0; 17 | klee_make_symbolic(&x, sizeof(x), "x"); 18 | klee_make_symbolic(&y, sizeof(x), "y"); 19 | 20 | klee_assume(x == 1); 21 | klee_assume(y == 128); 22 | 23 | #ifdef PRINT_VALUES 24 | printf("x=%d\n", x); 25 | printf("y=%d\n", y); 26 | #endif 27 | 28 | return 0; 29 | } 30 | // CHECK: KLEE: done: completed paths = 1 31 | 32 | // TESTONE: x=1 33 | // TESTONE: y=128 34 | -------------------------------------------------------------------------------- /test/Runtime/POSIX/FDNumbers.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t2.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --posix-runtime --exit-on-error %t2.bc --sym-files 1 10 4 | 5 | #include 6 | #include 7 | #include 8 | 9 | int main(int argc, char **argv) { 10 | int fd = open("A", O_TRUNC); 11 | assert(fd == 3); 12 | assert(!close(0)); 13 | assert(!close(1)); 14 | assert(close(0) == -1); 15 | assert(close(1) == -1); 16 | assert(open("A", O_TRUNC) == 0); 17 | assert(dup(0) == 1); 18 | assert(open("A", O_TRUNC) == 4); 19 | assert(!close(1)); 20 | assert(open("A", O_TRUNC) == 1); 21 | assert(dup(0) != 1); 22 | assert(dup2(0,1) == 1); 23 | 24 | return 0; 25 | } 26 | -------------------------------------------------------------------------------- /test/Runtime/POSIX/FD_Fail.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --libc=uclibc --posix-runtime %t1.bc --sym-files 0 0 --max-fail 1 > %t.log 4 | // RUN: grep -q "fread(): ok" %t.log 5 | // RUN: grep -q "fread(): fail" %t.log 6 | // RUN: grep -q "fclose(): ok" %t.log 7 | // RUN: grep -q "fclose(): fail" %t.log 8 | 9 | #include 10 | #include 11 | 12 | int main(int argc, char** argv) { 13 | char buf[1024]; 14 | FILE* f = fopen("/etc/fstab", "r"); 15 | assert(f); 16 | 17 | int r = fread(buf, 1, 100, f); 18 | printf("fread(): %s\n", 19 | r ? "ok" : "fail"); 20 | 21 | r = fclose(f); 22 | printf("fclose(): %s\n", 23 | r ? "ok" : "fail"); 24 | 25 | return 0; 26 | } 27 | -------------------------------------------------------------------------------- /test/Runtime/POSIX/Fcntl.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t2.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --posix-runtime --exit-on-error %t2.bc --sym-files 1 10 4 | 5 | #include 6 | #include 7 | 8 | int main(int argc, char **argv) { 9 | int fd = open("A", O_RDWR|O_TRUNC); 10 | if (fd == -1) 11 | klee_silent_exit(0); 12 | assert(fd == 3); 13 | assert((fcntl(fd, F_GETFD) & FD_CLOEXEC) == 0); 14 | assert(fcntl(fd, F_SETFD, FD_CLOEXEC, 1) == 0); 15 | assert((fcntl(fd, F_GETFD) & FD_CLOEXEC) != 0); 16 | 17 | return 0; 18 | } 19 | -------------------------------------------------------------------------------- /test/Runtime/POSIX/FilePerm.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --posix-runtime %t.bc --sym-files 1 10 --sym-stdout 2>%t.log 4 | // RUN: test -f %t.klee-out/test000001.ktest 5 | // RUN: test -f %t.klee-out/test000002.ktest 6 | // RUN: test -f %t.klee-out/test000003.ktest 7 | 8 | #include 9 | #include 10 | #include 11 | #include 12 | 13 | int main(int argc, char** argv) { 14 | int fd = open("A", O_RDWR); 15 | if (fd != -1) 16 | fprintf(stderr, "File 'A' opened successfully\n"); 17 | else fprintf(stderr, "Cannot open file 'A'\n"); 18 | 19 | if (fd != -1) 20 | close(fd); 21 | } 22 | -------------------------------------------------------------------------------- /test/Runtime/POSIX/FreeArgv.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -g -emit-llvm -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --posix-runtime %t.bc --sym-args 1 1 1 2>&1 | FileCheck %s 4 | // RUN: test -f %t.klee-out/test000001.free.err 5 | // RUN: test -f %t.klee-out/test000002.free.err 6 | // RUN: test -f %t.klee-out/test000003.free.err 7 | 8 | int main(int argc, char **argv) { 9 | // FIXME: Use FileCheck's CHECK-DAG to check source locations 10 | switch(klee_range(0, 3, "range")) { 11 | case 0: 12 | // CHECK: free of global 13 | free(argv); 14 | break; 15 | case 1: 16 | // CHECK: free of global 17 | free(argv[0]); 18 | break; 19 | case 2: 20 | // CHECK: free of global 21 | free(argv[1]); 22 | break; 23 | } 24 | return 0; 25 | } 26 | -------------------------------------------------------------------------------- /test/Runtime/POSIX/Getenv.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t2.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --libc=klee --posix-runtime --exit-on-error %t2.bc --sym-files 1 10 4 | 5 | #include 6 | 7 | int main(int argc, char **argv) { 8 | char *g = getenv("PWD"); 9 | if (g) { 10 | printf("have PWD\n"); 11 | } else { 12 | printf("have no PWD\n"); 13 | } 14 | 15 | g = getenv("HELLO"); 16 | if (!g || strcmp(g, "nice")==0) { 17 | printf("getenv(\"HELLO\") = %p\n", g); 18 | if (g) assert(strcmp(getenv("HELLO"),"nice") == 0); 19 | } 20 | 21 | return 0; 22 | } 23 | -------------------------------------------------------------------------------- /test/Runtime/POSIX/Ioctl.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --posix-runtime --exit-on-error %t.bc --sym-files 0 4 4 | 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | 13 | int main(int argc, char **argv) { 14 | struct stat s; 15 | struct termios ts; 16 | 17 | assert(fstat(0, &s) == 0); 18 | 19 | assert(ioctl(10, FIONREAD, &ts) == -1 && errno == EBADF); 20 | 21 | if (S_ISCHR(s.st_mode)) { 22 | printf("is chr\n"); 23 | assert(ioctl(0, TIOCGWINSZ, &ts) == 0); 24 | } else { 25 | printf("not chr\n"); 26 | // I think TC* ioctls basically always fail on nonchr? 27 | assert(ioctl(0, TIOCGWINSZ, &ts) == -1); 28 | assert(errno == ENOTTY); 29 | } 30 | 31 | return 0; 32 | } 33 | -------------------------------------------------------------------------------- /test/Runtime/POSIX/Openat.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t2.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --posix-runtime --exit-on-error %t2.bc --sym-files 1 10 4 | // RUN: test -f %t.klee-out/test000001.ktest 5 | 6 | #include 7 | #include 8 | 9 | int main(int argc, char **argv) { 10 | int fd = openat(AT_FDCWD, "A", O_RDWR|O_TRUNC); 11 | if (fd != -1) { 12 | char buf[10]; 13 | assert(read(fd, buf, 10) == 10); 14 | assert(klee_is_symbolic(buf[0])); 15 | } else { 16 | klee_silent_exit(0); 17 | } 18 | return 0; 19 | } 20 | -------------------------------------------------------------------------------- /test/Runtime/POSIX/PrgName.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t2.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --posix-runtime --exit-on-error %t2.bc --sym-arg 10 >%t.log 4 | // RUN: test -f %t.klee-out/test000001.ktest 5 | // RUN: test -f %t.klee-out/test000002.ktest 6 | // RUN: grep -q "No" %t.log 7 | // RUN: grep -qv "Yes" %t.log 8 | 9 | 10 | /* Simple test for argv[0] */ 11 | 12 | #include 13 | 14 | int f(int argc, char **argv) { 15 | 16 | if (argv[0][5] == '7') 17 | printf("Yes\n"); 18 | else printf("No\n"); 19 | 20 | printf("%c\n", argv[0][5]); 21 | 22 | if (argv[1][1] == 4) 23 | printf("4\n"); 24 | printf("not 4\n"); 25 | 26 | return 0; 27 | } 28 | 29 | 30 | int main(int argc, char **argv) { 31 | f(argc, argv); 32 | } 33 | -------------------------------------------------------------------------------- /test/Runtime/POSIX/Read1.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error --posix-runtime %t.bc --sym-files 1 8 >%t.log 4 | 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | 12 | int main(int argc, char** argv) { 13 | char buf[32]; 14 | 15 | // If count is zero, read() returns zero and has no other results. (man page) 16 | int x = read(0, 0, 0); 17 | assert(x == 0); 18 | 19 | int fd = open("A", O_RDONLY); 20 | assert(fd != -1); 21 | 22 | // EFAULT buf is outside your accessible address space. (man page) 23 | x = read(fd, 0, 1); 24 | assert(x == -1 && errno == EFAULT); 25 | 26 | // EBADF fd is not a valid file descriptor (man page) 27 | x = read(-1, buf, 1); 28 | assert(x == -1 && errno == EBADF); 29 | 30 | fd = open("A", O_RDONLY); 31 | assert(fd != -1); 32 | x = read(fd, buf, 1); 33 | assert(x == 1); 34 | } 35 | 36 | -------------------------------------------------------------------------------- /test/Runtime/POSIX/SELinux/SELinux.c: -------------------------------------------------------------------------------- 1 | /* Very basic test, as right now SELinux support is extremely basic */ 2 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 3 | // RUN: rm -rf %t.klee-out 4 | // RUN: %klee --output-dir=%t.klee-out --posix-runtime --exit-on-error %t1.bc --sym-arg 2 > %t.log 5 | // XFAIL: no-selinux 6 | 7 | #include 8 | #include 9 | #include 10 | 11 | int main(int argc, char** argv) { 12 | 13 | security_context_t con; 14 | 15 | assert(argc == 2); 16 | 17 | int selinux = is_selinux_enabled(); 18 | printf("selinux enabled = %d\n", selinux); 19 | 20 | if (setfscreatecon(argv[1]) < 0) 21 | printf("Error: set\n"); 22 | else printf("Success: set\n"); 23 | 24 | if (getfscreatecon(&con) < 0) 25 | printf("Error: get\n"); 26 | else printf("Success: get\n"); 27 | 28 | printf("create_con = %s\n", con); 29 | 30 | return 0; 31 | } 32 | -------------------------------------------------------------------------------- /test/Runtime/POSIX/SELinux/lit.local.cfg: -------------------------------------------------------------------------------- 1 | def getRoot(config): 2 | if not config.parent: 3 | return config 4 | return getRoot(config.parent) 5 | 6 | if not getRoot(config).have_selinux: 7 | config.unsupported = True 8 | -------------------------------------------------------------------------------- /test/Runtime/POSIX/SeedAndFail.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --libc=uclibc --posix-runtime %t.bc --sym-files 1 10 2>%t.log 4 | // RUN: rm -rf %t.klee-out-2 5 | // RUN: %klee --output-dir=%t.klee-out-2 --seed-out-dir=%t.klee-out --zero-seed-extension --libc=uclibc --posix-runtime %t.bc --sym-files 1 10 --max-fail 1 6 | // RUN: ls %t.klee-out-2 | grep -c assert | grep 4 7 | 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | 15 | 16 | int main(int argc, char** argv) { 17 | char buf[32]; 18 | 19 | int fd = open("A", O_RDWR | O_CREAT, S_IRWXU); 20 | assert(fd != -1); 21 | int nbytes = write(fd, "Hello", sizeof("Hello")); 22 | assert(nbytes == sizeof("Hello")); 23 | 24 | off_t off = lseek(fd, 0, SEEK_SET); 25 | assert(off != (off_t) -1); 26 | 27 | nbytes = read(fd, buf, sizeof("Hello")); 28 | assert(nbytes == sizeof("Hello")); 29 | 30 | int r = close(fd); 31 | assert(r == 0); 32 | 33 | r = memcmp(buf, "Hello", sizeof("Hello")); 34 | assert(r == 0); 35 | 36 | return 0; 37 | } 38 | -------------------------------------------------------------------------------- /test/Runtime/POSIX/Write1.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error --libc=uclibc --posix-runtime %t.bc --sym-files 1 10 --sym-stdout 2>%t.log 4 | 5 | #include 6 | #include 7 | 8 | int main(int argc, char** argv) { 9 | char buf[32]; 10 | 11 | FILE* f = fopen("A", "w"); 12 | if (!f) 13 | klee_silent_exit(0); 14 | fwrite("Hello", sizeof("Hello"), 1, f); 15 | fclose(f); 16 | 17 | f = fopen("A", "r"); 18 | fread(buf, sizeof("Hello"), 1, f); 19 | fclose(f); 20 | 21 | assert(memcmp(buf, "Hello", sizeof("Hello")) == 0); 22 | 23 | return 0; 24 | } 25 | -------------------------------------------------------------------------------- /test/Runtime/POSIX/Write2.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error --libc=uclibc --posix-runtime %t.bc --sym-files 1 10 --sym-stdout 2>%t.log 4 | 5 | #include 6 | #include 7 | 8 | int main(int argc, char** argv) { 9 | const char* msg = "This will eventually overflow stdout. "; 10 | char buf[32]; 11 | int i; 12 | 13 | FILE* f = stdout;//fopen("A", "w"); 14 | if (!f) 15 | klee_silent_exit(0); 16 | 17 | for (i = 0; i < 300; i++) 18 | fwrite(msg, sizeof(msg), 1, f); 19 | fclose(f); 20 | 21 | return 0; 22 | } 23 | -------------------------------------------------------------------------------- /test/Runtime/POSIX/lit.local.cfg: -------------------------------------------------------------------------------- 1 | def getRoot(config): 2 | if not config.parent: 3 | return config 4 | return getRoot(config.parent) 5 | 6 | if not getRoot(config).enable_posix_runtime: 7 | config.unsupported = True 8 | -------------------------------------------------------------------------------- /test/Runtime/Uclibc/2007-10-08-optimization-calls-wrong-libc-functions.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error --optimize --libc=uclibc %t1.bc 4 | 5 | #include 6 | #include 7 | 8 | #include "klee/klee.h" 9 | 10 | int main() { 11 | int a; 12 | 13 | klee_make_symbolic(&a, sizeof a, "a"); 14 | 15 | memset(&a, 0, sizeof a); 16 | 17 | if (a) { 18 | assert(0); 19 | } 20 | 21 | return 0; 22 | } 23 | -------------------------------------------------------------------------------- /test/Runtime/Uclibc/2008-03-04-libc-atexit-uses-dso-handle.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error --libc=uclibc %t1.bc 4 | 5 | // just make sure atexit works ok 6 | 7 | void boo() { 8 | } 9 | 10 | int main() { 11 | atexit(boo); 12 | return 0; 13 | } 14 | -------------------------------------------------------------------------------- /test/Runtime/Uclibc/Environ.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --libc=uclibc --exit-on-error %t1.bc 4 | 5 | #include 6 | #include 7 | #include 8 | 9 | int main() { 10 | printf("HOME: %s\n", getenv("HOME")); 11 | assert(getenv("HOME") != 0); 12 | return 0; 13 | } 14 | -------------------------------------------------------------------------------- /test/Runtime/Uclibc/lit.local.cfg: -------------------------------------------------------------------------------- 1 | def getRoot(config): 2 | if not config.parent: 3 | return config 4 | return getRoot(config.parent) 5 | 6 | if not getRoot(config).enable_uclibc: 7 | config.unsupported = True 8 | -------------------------------------------------------------------------------- /test/Solver/AShr_to_smtlib.kquery: -------------------------------------------------------------------------------- 1 | # RUN: %kleaver -print-smtlib -smtlib-abbreviation-mode=none %s > %t 2 | # RUN: diff -u %t %s.good.smt2 3 | 4 | # This test tries to check that the SMT-LIBv2 we generate when a AShrExpr is 5 | # used is correct. 6 | # 7 | # FIXME: We should really pass the generated query to an SMT solver that supports 8 | # SMT-LIBv2 and check it gives the correct answer ``unsat``. An older version of 9 | # KLEE where AShrExpr wasn't handled correctly would give ``sat`` for this query. 10 | # 11 | # We could fix this if we required STP to be in the user's PATH and made available 12 | # as a substitution in llvm-lit 13 | 14 | array value[1] : w32 -> w8 = symbolic 15 | array shift[1] : w32 -> w8 = symbolic 16 | (query [(Ule 8 (Read w8 0 shift))] (Eq 0 (AShr w8 (Read w8 0 value) (Read w8 0 shift))) ) 17 | -------------------------------------------------------------------------------- /test/Solver/AShr_to_smtlib.kquery.good.smt2: -------------------------------------------------------------------------------- 1 | ;SMTLIBv2 Query 0 2 | (set-logic QF_AUFBV ) 3 | (declare-fun shift () (Array (_ BitVec 32) (_ BitVec 8) ) ) 4 | (declare-fun value () (Array (_ BitVec 32) (_ BitVec 8) ) ) 5 | (assert (and (= false (= (_ bv0 8) (ite (bvuge (select shift (_ bv0 32) ) (_ bv8 8) ) (_ bv0 8) (bvashr (select value (_ bv0 32) ) (select shift (_ bv0 32) ) ) ) ) ) (bvule (_ bv8 8) (select shift (_ bv0 32) ) ) ) ) 6 | (check-sat) 7 | (exit) 8 | -------------------------------------------------------------------------------- /test/Solver/FastCexSolver.kquery: -------------------------------------------------------------------------------- 1 | # RUN: %kleaver --use-fast-cex-solver --solver-backend=dummy %s > %t 2 | # RUN: not grep FAIL %t 3 | 4 | array arr1[4] : w32 -> w8 = symbolic 5 | (query [] (Not (Eq 4096 (ReadLSB w32 0 arr1)))) 6 | 7 | array A-data[2] : w32 -> w8 = symbolic 8 | (query [(Ule (Add w8 208 N0:(Read w8 0 A-data)) 9 | 9)] 10 | (Eq 52 N0)) 11 | -------------------------------------------------------------------------------- /test/Solver/LargeIntegers.kquery: -------------------------------------------------------------------------------- 1 | # RUN: %kleaver %s > %t 2 | 3 | array a[64] : w32 -> w8 = symbolic 4 | 5 | # RUN: grep -A 1 "Query 0" %t > %t2 6 | # RUN: grep "Expr 0: 18446744073709551618" %t2 7 | (query [] false [(Concat w128 (w64 1) (w64 2))]) 8 | 9 | # RUN: grep -A 1 "Query 1" %t > %t2 10 | # RUN: grep "Expr 0: 16" %t2 11 | (query [] false [(Extract w5 60 (Concat w128 (w64 1) (w64 2)))]) 12 | 13 | # RUN: grep -A 1 "Query 2" %t > %t2 14 | # RUN: grep "Array 0: a.16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1" %t2 15 | (query [(Eq 0x0102030405060708090A0B0C0D0E0F10 (ReadLSB w128 0 a))] 16 | false 17 | [] [a]) 18 | -------------------------------------------------------------------------------- /test/Solver/lit.local.cfg: -------------------------------------------------------------------------------- 1 | # Look for .kquery files too 2 | config.suffixes.add('.kquery') 3 | -------------------------------------------------------------------------------- /test/Solver/overshift-aright-by-constant.kquery: -------------------------------------------------------------------------------- 1 | # RUN: %kleaver %s > %t 2 | # RUN: not grep INVALID %t 3 | array x[4] : w32 -> w8 = symbolic 4 | # ∀ x. x > 0 → ( ((signed int) x) >> 32 = 0 ) 5 | # Check we overshift to zero for when shifting for all 32-bit values >0 6 | 7 | (query [ (Ult (w32 0) (ReadLSB w32 (w32 0) x)) ] 8 | (Eq 9 | (AShr w32 10 | (ReadLSB w32 (w32 0) x) 11 | (w32 32) 12 | ) 13 | (w32 0) 14 | ) [ ] [x] ) 15 | -------------------------------------------------------------------------------- /test/Solver/overshift-aright-by-symbolic.kquery: -------------------------------------------------------------------------------- 1 | # RUN: %kleaver %s > %t 2 | # RUN: not grep INVALID %t 3 | 4 | array shift[4] : w32 -> w8 = symbolic 5 | # ∀ x. x >= 32 → ( ( ( (signed int)2 ) >> x) = 0 ) 6 | # Check we arithmetic right overshift to zero when shifting a constant ALWAYS! 7 | 8 | (query [ (Ule (w32 32) (ReadLSB w32 (w32 0) shift)) ] 9 | (Eq 10 | (AShr w32 (w32 2) 11 | (ReadLSB w32 (w32 0) shift) 12 | ) 13 | (w32 0) 14 | ) [ ] [shift] ) 15 | 16 | # 64-bit version 17 | # ∀ x. x >= 64 → ( (((signed int) 2) >> x) = 0 ) 18 | array shift64[8] : w32 -> w8 = symbolic 19 | 20 | (query [ (Ule (w64 64) (ReadLSB w64 (w32 0) shift64)) ] 21 | (Eq 22 | (AShr w64 (w64 2) 23 | (ReadLSB w64 (w32 0) shift64) 24 | ) 25 | (w64 0) 26 | ) [ ] [shift64] ) 27 | -------------------------------------------------------------------------------- /test/Solver/overshift-left-by-constant.kquery: -------------------------------------------------------------------------------- 1 | # RUN: %kleaver %s > %t 2 | # RUN: not grep INVALID %t 3 | array x[4] : w32 -> w8 = symbolic 4 | # ∀ x. x > 0 → ( x << 32 = 0 ) 5 | # Check we overshift to zero for when shifting for all 32-bit values >0 6 | 7 | (query [ (Ult (w32 0) (ReadLSB w32 (w32 0) x)) ] 8 | (Eq 9 | (Shl w32 10 | (ReadLSB w32 (w32 0) x) 11 | (w32 32) 12 | ) 13 | (w32 0) 14 | ) [ ] [x] ) 15 | -------------------------------------------------------------------------------- /test/Solver/overshift-left-by-symbolic.kquery: -------------------------------------------------------------------------------- 1 | # RUN: %kleaver %s > %t 2 | # RUN: not grep INVALID %t 3 | 4 | array shift[4] : w32 -> w8 = symbolic 5 | # ∀ x. x >= 32 → ( (2 << x) = 0 ) 6 | # Check we left overshift to zero when shifting a constant ALWAYS! 7 | 8 | (query [ (Ule (w32 32) (ReadLSB w32 (w32 0) shift)) ] 9 | (Eq 10 | (Shl w32 (w32 2) 11 | (ReadLSB w32 (w32 0) shift) 12 | ) 13 | (w32 0) 14 | ) [ ] [shift] ) 15 | 16 | # 64-bit version 17 | # ∀ x. x >= 64 → ( (2 << x) = 0 ) 18 | array shift64[8] : w32 -> w8 = symbolic 19 | 20 | (query [ (Ule (w64 64) (ReadLSB w64 (w32 0) shift64)) ] 21 | (Eq 22 | (Shl w64 (w64 2) 23 | (ReadLSB w64 (w32 0) shift64) 24 | ) 25 | (w64 0) 26 | ) [ ] [shift64] ) 27 | -------------------------------------------------------------------------------- /test/Solver/overshift-lright-by-constant.kquery: -------------------------------------------------------------------------------- 1 | # RUN: %kleaver %s > %t 2 | # RUN: not grep INVALID %t 3 | array x[4] : w32 -> w8 = symbolic 4 | # ∀ x. x > 0 → ( x >> 32 = 0 ) 5 | # Check we overshift to zero for when shifting for all 32-bit values >0 6 | 7 | (query [ (Ult (w32 0) (ReadLSB w32 (w32 0) x)) ] 8 | (Eq 9 | (LShr w32 10 | (ReadLSB w32 (w32 0) x) 11 | (w32 32) 12 | ) 13 | (w32 0) 14 | ) [ ] [x] ) 15 | -------------------------------------------------------------------------------- /test/Solver/overshift-lright-by-symbolic.kquery: -------------------------------------------------------------------------------- 1 | # RUN: %kleaver %s > %t 2 | # RUN: not grep INVALID %t 3 | 4 | array shift[4] : w32 -> w8 = symbolic 5 | # ∀ x. x >= 32 → ( (2 >> x) = 0 ) 6 | # Check we logical right overshift to zero when shifting a constant ALWAYS! 7 | 8 | (query [ (Ule (w32 32) (ReadLSB w32 (w32 0) shift)) ] 9 | (Eq 10 | (LShr w32 (w32 2) 11 | (ReadLSB w32 (w32 0) shift) 12 | ) 13 | (w32 0) 14 | ) [ ] [shift] ) 15 | 16 | # 64-bit version 17 | # ∀ x. x >= 64 → ( (2 >> x) = 0 ) 18 | array shift64[8] : w32 -> w8 = symbolic 19 | 20 | (query [ (Ule (w64 64) (ReadLSB w64 (w32 0) shift64)) ] 21 | (Eq 22 | (LShr w64 (w64 2) 23 | (ReadLSB w64 (w32 0) shift64) 24 | ) 25 | (w64 0) 26 | ) [ ] [shift64] ) 27 | -------------------------------------------------------------------------------- /test/Taint/AddConst.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee -taint=direct --output-dir=%t.klee-out -exit-on-error %t.bc 4 | 5 | #include 6 | 7 | /** 8 | * Constants should not contribute any taint 9 | */ 10 | int 11 | main (int argc, char *argv[]) 12 | { 13 | int a = 10; 14 | int b = 10; 15 | klee_set_taint (1, &a, sizeof (a)); 16 | klee_set_taint (1, &b, sizeof (b)); 17 | 18 | int c ; 19 | 20 | c = b+1; 21 | 22 | klee_assert(klee_get_taint (&c, sizeof (c))==1); 23 | } 24 | -------------------------------------------------------------------------------- /test/Taint/Basic.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee -taint=direct --output-dir=%t.klee-out -exit-on-error %t.bc 4 | 5 | 6 | /* Basic tainting an int*/ 7 | #include 8 | int 9 | main (int argc, char *argv[]) 10 | { 11 | int i; 12 | int value = 0x41414141; 13 | klee_set_taint(1, &value, sizeof(value)); 14 | for(i=0; i < sizeof value; i++){ 15 | klee_assert(klee_get_taint((char*)&value + i, 1) == 1); 16 | } 17 | klee_assert(klee_get_taint(&value, sizeof value) == 1); 18 | } 19 | -------------------------------------------------------------------------------- /test/Taint/BasicBuffer.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee -taint=direct --output-dir=%t.klee-out -exit-on-error %t.bc 4 | 5 | 6 | /* Basic buffer tainting */ 7 | #include 8 | int 9 | main (int argc, char *argv[]) 10 | { 11 | int i; 12 | char value[8] = {0,1,2,3,4,5,6,7}; 13 | for(i=0; i < sizeof value; i++){ 14 | klee_set_taint(1< 8 | int 9 | main (int argc, char *argv[]) 10 | { 11 | int i; 12 | union { 13 | int i; 14 | char c[sizeof (int)]; 15 | } value; 16 | 17 | 18 | klee_set_taint(8, &value, sizeof value); 19 | 20 | klee_set_taint(1, &value.c[2], 1); 21 | 22 | klee_assert(klee_get_taint(&value, sizeof value) == 8|1); 23 | } 24 | -------------------------------------------------------------------------------- /test/Taint/Br.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee -taint=direct --output-dir=%t.klee-out -exit-on-error %t.bc 4 | 5 | 6 | 7 | #include 8 | int 9 | main (int argc, char *argv[]) 10 | { 11 | int a = 1; 12 | int b = 2; 13 | int c = 3; 14 | klee_set_taint (1, &a, sizeof (a)); 15 | klee_set_taint (2, &b, sizeof (b)); 16 | klee_set_taint (4, &c, sizeof (c)); 17 | if (a==1) 18 | a=b; 19 | else 20 | a=c; 21 | 22 | klee_assert (klee_get_taint (&a, sizeof (a)) == 2); 23 | klee_assert (klee_get_taint (&b, sizeof (b)) == 2); 24 | klee_assert (klee_get_taint (&c, sizeof (c)) == 4); 25 | } 26 | 27 | -------------------------------------------------------------------------------- /test/Taint/Conditional.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee -taint=direct --output-dir=%t.klee-out -exit-on-error %t.bc 4 | 5 | 6 | /* taint propagation by indirect flow in the conditional 7 | */ 8 | #include 9 | int 10 | main (int argc, char *argv[]) 11 | { 12 | 13 | int result; 14 | int param=1; 15 | klee_set_taint(1,¶m,sizeof(param)); 16 | if (param == 1) 17 | result = 1; 18 | else 19 | result = 2; 20 | 21 | klee_assert(klee_get_taint(&result,sizeof(result))==0); 22 | return result; 23 | } 24 | -------------------------------------------------------------------------------- /test/Taint/ConditionalControlFlow.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee -taint=controlflow --output-dir=%t.klee-out -exit-on-error %t.bc 4 | 5 | 6 | /* taint propagation by indirect flow in the conditional 7 | */ 8 | #include 9 | int 10 | main (int argc, char *argv[]) 11 | { 12 | 13 | int result; 14 | int param=1; 15 | klee_set_taint(1,¶m,sizeof(param)); 16 | if (param == 1) 17 | result = 1; 18 | else 19 | result = 2; 20 | 21 | klee_assert(klee_get_taint(&result,sizeof(result))==1); 22 | return result; 23 | } 24 | -------------------------------------------------------------------------------- /test/Taint/ConstAssign.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee -taint=direct --output-dir=%t.klee-out -exit-on-error %t.bc 4 | 5 | /* assigning a constant to a variable should erase its taintset*/ 6 | #include 7 | int 8 | main (int argc, char *argv[]) 9 | { 10 | int value = 0x12345678; 11 | klee_set_taint(1, &value, sizeof(value)); 12 | value = 10; 13 | klee_assert(klee_get_taint(&value,sizeof(value)) == 0 ); 14 | } 15 | -------------------------------------------------------------------------------- /test/Taint/Function.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee -taint=direct --output-dir=%t.klee-out -exit-on-error %t.bc 4 | 5 | #include 6 | 7 | int inner_fun(int parama, int paramb){ 8 | return parama+paramb; 9 | } 10 | 11 | int fun(int parama, int paramb){ 12 | int result; 13 | result = inner_fun(parama, paramb); 14 | return result; 15 | } 16 | 17 | /* Tests taint is mantained under internal function calls 18 | */ 19 | int 20 | main (int argc, char *argv[]) 21 | { 22 | int result; 23 | int parama=100; 24 | int paramb=200; 25 | 26 | klee_set_taint(1, ¶ma, sizeof(parama)); 27 | klee_set_taint(2, ¶mb, sizeof(paramb)); 28 | 29 | result = fun(parama, paramb); 30 | 31 | result = result / 2; 32 | 33 | klee_assert(klee_get_taint(&result, sizeof(result))==3); 34 | 35 | return result; 36 | } 37 | 38 | 39 | -------------------------------------------------------------------------------- /test/Taint/GEP.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee -taint=direct --output-dir=%t.klee-out -exit-on-error %t.bc 4 | 5 | 6 | #include 7 | void test_gep() 8 | { 9 | char a[256]; 10 | char i=2; 11 | klee_set_taint (1, &i, sizeof (i)); 12 | int r = *(a+i); 13 | klee_assert (klee_get_taint (&r, sizeof(r)) == 1 ); 14 | } 15 | 16 | 17 | void test_idx() 18 | { 19 | char a[256]; 20 | int i=2; 21 | klee_set_taint (1, &i, sizeof (i)); 22 | a[i]=1; 23 | klee_assert (klee_get_taint (&a[i], sizeof (a[i])) == 1 ); 24 | } 25 | 26 | int 27 | main (int argc, char *argv[]) 28 | { 29 | test_gep(); 30 | test_idx(); 31 | } 32 | 33 | -------------------------------------------------------------------------------- /test/Taint/Jump.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee -taint=direct --output-dir=%t.klee-out -exit-on-error %t.bc 4 | 5 | 6 | /* Tests taint propagation in parameter passing to function called by pointer */ 7 | #include 8 | void jmpfun(int *result, int param){ 9 | *result=param; 10 | } 11 | 12 | int 13 | main (int argc, char *argv[]) 14 | { 15 | void (*ptrFun)(); 16 | int result; 17 | int param; 18 | klee_set_taint(1, ¶m, sizeof(param)); 19 | 20 | ptrFun = &jmpfun; 21 | ptrFun(&result, param); 22 | 23 | klee_assert(klee_get_taint(&result,sizeof(result))==1); 24 | } 25 | -------------------------------------------------------------------------------- /test/Taint/Load.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee -taint=direct --output-dir=%t.klee-out -exit-on-error %t.bc 4 | 5 | 6 | /* 7 | This shall propagate the taints from both the value and from 8 | the pointer used to set the result 9 | */ 10 | #include 11 | int 12 | main (int argc, char *argv[]) 13 | { 14 | int value = 0x12345678; 15 | int *value_p = &value; 16 | int result; 17 | 18 | klee_set_taint(0,&result,sizeof(result)); 19 | klee_set_taint(1,&value,sizeof(value)); 20 | klee_set_taint(2,&value_p,sizeof(value_p)); 21 | 22 | result = *value_p; 23 | 24 | //printf ("Result taint: 0x%08x\n", klee_get_taint(&result,sizeof(result))); 25 | klee_assert(klee_get_taint(&result,sizeof(result))==3); 26 | 27 | return result; 28 | } 29 | 30 | 31 | -------------------------------------------------------------------------------- /test/Taint/Malloc.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee -taint=direct --output-dir=%t.klee-out -exit-on-error %t.bc 4 | 5 | 6 | 7 | #include 8 | int 9 | main (int argc, char *argv[]) 10 | { 11 | int a = 1; 12 | int b = 100; 13 | int c = 0; 14 | klee_set_taint (1, &a, sizeof (a)); 15 | klee_set_taint (2, &b, sizeof (b)); 16 | int *ptr = (int *) malloc(2 * sizeof (int)); 17 | *ptr = a; 18 | *(ptr+1) = b; 19 | c = *ptr + *(ptr+1); 20 | klee_assert (klee_get_taint (&c, sizeof (c)) == 1|2 ); 21 | 22 | free(ptr); 23 | } 24 | 25 | -------------------------------------------------------------------------------- /test/Taint/NestedConditionals.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee -taint=direct --output-dir=%t.klee-out -exit-on-error %t.bc 4 | 5 | 6 | /* taint propagation by indirect flow in nested conditionals 7 | */ 8 | #include 9 | int 10 | main (int argc, char *argv[]) 11 | { 12 | int result; 13 | int param=0; 14 | int inner_param=param+1; 15 | 16 | klee_set_taint(1, ¶m, sizeof(param)); 17 | 18 | if (param==1) 19 | { 20 | 21 | if (inner_param==2) 22 | result=1; 23 | else 24 | result=2; 25 | 26 | result = result*2; 27 | } 28 | else 29 | result = 0; 30 | 31 | result = result / 2; 32 | 33 | klee_assert(klee_get_taint(&result,sizeof(result))==0); 34 | 35 | return result; 36 | 37 | } 38 | 39 | -------------------------------------------------------------------------------- /test/Taint/Store.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee -taint=direct --output-dir=%t.klee-out -exit-on-error %t.bc 4 | 5 | 6 | /* this function test that taint is propagated through pointers 7 | here value_p points originally to value_w. when *value_p (that is value_w) 8 | is changed to value_r, the taint of value_w should have the combined taints 9 | of value_p and value_r! 10 | */ 11 | #include 12 | int 13 | main (int argc, char *argv[]) 14 | { 15 | int value_w = 0x12345678; 16 | int *value_p = &value_w; 17 | int value_r = 0x1111111; 18 | 19 | klee_set_taint(0, &value_w, sizeof(value_w)); 20 | klee_set_taint(1, &value_p, sizeof(value_p)); 21 | klee_set_taint(2, &value_r, sizeof(value_r)); 22 | 23 | *value_p = value_r; 24 | 25 | klee_assert(klee_get_taint(&value_w,sizeof(value_w))==3); 26 | return 0; 27 | } 28 | -------------------------------------------------------------------------------- /test/Taint/Switch.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee -taint=direct --output-dir=%t.klee-out -exit-on-error %t.bc 4 | 5 | 6 | 7 | #include 8 | int 9 | main (int argc, char *argv[]) 10 | { 11 | int a = 1; 12 | int c = 0; 13 | klee_set_taint (1, &a, sizeof (a)); 14 | switch(a) 15 | { 16 | case 0: 17 | c = 0; 18 | break; 19 | case 1: 20 | c = 1; 21 | break; 22 | default: 23 | c=1000; 24 | } 25 | 26 | klee_assert (klee_get_taint (&c, sizeof (c)) == 0 ); 27 | } 28 | 29 | -------------------------------------------------------------------------------- /test/Taint/VarAssign.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee -taint=direct --output-dir=%t.klee-out -exit-on-error %t.bc 4 | 5 | /* assigning to a variable should overwrite its taintset*/ 6 | #include 7 | int 8 | main (int argc, char *argv[]) 9 | { 10 | int valuea = 0x41414141; 11 | int valueb = 0x42424242; 12 | klee_set_taint(1, &valuea, sizeof(valuea)); 13 | klee_set_taint(2, &valueb, sizeof(valueb)); 14 | valuea = valueb; 15 | 16 | klee_assert (klee_get_taint(&valuea, sizeof(valuea)) == 2 ); 17 | } 18 | -------------------------------------------------------------------------------- /test/Taint/While.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee -taint=direct --output-dir=%t.klee-out -exit-on-error %t.bc 4 | 5 | 6 | /* taint propagation by indirect flow in the conditional (in the while) 7 | */ 8 | 9 | #include 10 | int 11 | main (int argc, char *argv[]) 12 | { 13 | int result=1; 14 | int param=0; 15 | 16 | klee_set_taint(1,¶m,sizeof(param)); 17 | while (param<=10) { 18 | param++; 19 | result = result*2; 20 | } 21 | result = result / 2; 22 | 23 | klee_assert(klee_get_taint(&result,sizeof(result))==0); 24 | 25 | return result; 26 | } 27 | -------------------------------------------------------------------------------- /test/TestRunner.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # Deprecated, use 'llvm-lit'. 3 | 4 | echo "warning: '$0' is deprecated, use 'llvm-lit' instead." 5 | # FIXME: Make test suite work in parallel. 6 | exec llvm-lit --threads=1 "$@" 7 | -------------------------------------------------------------------------------- /test/regression/2007-07-25-invalid-stp-array-binding-to-objectstate.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | 5 | #include 6 | 7 | int main(void) { 8 | char c[2]; 9 | 10 | klee_make_symbolic(&c, sizeof(c)); 11 | 12 | if (c[0] > 10) { 13 | int x; 14 | 15 | c[1] = 1; // copy object state 16 | 17 | assert(c[0] > 10); 18 | } 19 | 20 | return 0; 21 | } 22 | -------------------------------------------------------------------------------- /test/regression/2007-07-30-unflushed-byte.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | 5 | #include 6 | 7 | int main() { 8 | char i, x[3]; 9 | 10 | klee_make_symbolic(&i, sizeof i); 11 | 12 | x[0] = i; 13 | 14 | // DEMAND FAILED:Memory.cpp:read8:199: is false: "unflushed byte without cache value" 15 | char y = x[1]; 16 | 17 | return 0; 18 | } 19 | 20 | -------------------------------------------------------------------------------- /test/regression/2007-08-01-bool-zext-in-call.ll: -------------------------------------------------------------------------------- 1 | ; RUN: rm -rf %t.klee-out 2 | ; RUN: llvm-as -f %s -o - | %klee --output-dir=%t.klee-out 3 | ; RUN: not test -f %t.klee-out/test0001.abort.err 4 | 5 | declare void @klee_abort() 6 | 7 | define i32 @foo(i8 signext %val) { 8 | %tmp = zext i8 %val to i32 9 | ret i32 %tmp 10 | } 11 | 12 | define i32 @main() { 13 | %res = call i32 bitcast (i32 (i8)* @foo to i32 (i1)*)( i1 1 ) 14 | %check = icmp ne i32 %res, 255 15 | br i1 %check, label %error, label %exit 16 | 17 | error: 18 | call void @klee_abort() 19 | unreachable 20 | 21 | exit: 22 | ret i32 0 23 | } 24 | -------------------------------------------------------------------------------- /test/regression/2007-08-01-cache-unclear-on-overwrite-flushed.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | 5 | #include 6 | #include 7 | 8 | int main() { 9 | unsigned char x; 10 | 11 | klee_make_symbolic(&x, sizeof x); 12 | if (x >= 2) klee_silent_exit(0); 13 | 14 | char delete[2] = {0,1}; 15 | 16 | char tmp = delete[ x ]; 17 | char tmp2 = delete[0]; 18 | delete[ x ] = tmp2; 19 | 20 | if (x==1) { 21 | assert(delete[1] == 0); 22 | return 0; 23 | } 24 | 25 | return 0; 26 | } 27 | -------------------------------------------------------------------------------- /test/regression/2007-08-06-64bit-shift.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | 5 | #include 6 | 7 | int main() { 8 | int d; 9 | 10 | klee_make_symbolic( &d, sizeof(d) ); 11 | 12 | int l = d - 1; 13 | unsigned long long m = ((unsigned long long) l << 32) / d; 14 | if (d==2) { 15 | assert(m == 2147483648u); 16 | } 17 | 18 | klee_silent_exit(0); 19 | 20 | return 0; 21 | } 22 | -------------------------------------------------------------------------------- /test/regression/2007-08-06-access-after-free.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | 5 | #include 6 | 7 | int main() { 8 | int a; 9 | unsigned char *p = malloc(4); 10 | 11 | klee_make_symbolic(&a, sizeof a); 12 | klee_make_symbolic(p, sizeof p); 13 | 14 | p[0] |= 16; 15 | 16 | if (a) { 17 | free(p); 18 | 19 | // this should give an error instead of 20 | // pulling the state from the parent, where 21 | // it is not free 22 | assert(p[0] > 10); 23 | 24 | return 0; 25 | } 26 | 27 | assert(p[0] > 10); 28 | 29 | return 0; 30 | } 31 | -------------------------------------------------------------------------------- /test/regression/2007-08-08-free-zero.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | // RUN: ls %t.klee-out | not grep *.err 5 | 6 | #include 7 | 8 | int main() { 9 | free(0); 10 | return 0; 11 | } 12 | -------------------------------------------------------------------------------- /test/regression/2007-08-16-invalid-constant-value.c: -------------------------------------------------------------------------------- 1 | // RUN: rm -f %t4.out %t4.err %t4.log 2 | // RUN: %llvmgcc %s -emit-llvm -O2 -c -o %t1.bc 3 | // RUN: llvm-as -f %p/../Feature/_utils._ll -o %t2.bc 4 | // RUN: llvm-link %t1.bc %t2.bc -o %t3.bc 5 | // RUN: rm -rf %t.klee-out 6 | // RUN: %klee --output-dir=%t.klee-out %t3.bc 7 | 8 | #include 9 | 10 | #include "../Feature/utils.h" 11 | 12 | int main() { 13 | unsigned char a; 14 | 15 | klee_make_symbolic(&a, sizeof a); 16 | 17 | // demand was firing here because an invalid constant 18 | // value was being created when implied value did not 19 | // subtract using the proper type (so overflowed into 20 | // invalid bits) 21 | if (util_make_concat2(a+0xCD,0xCD) == 0xABCD) { 22 | assert(!klee_is_symbolic(a)); 23 | printf("add constant case: %d\n", a); 24 | } 25 | 26 | if (util_make_concat2(0x0B-a,0xCD) == 0xABCD) { 27 | assert(!klee_is_symbolic(a)); 28 | printf("sub constant case: %d\n", a); 29 | } 30 | 31 | return 0; 32 | } 33 | -------------------------------------------------------------------------------- /test/regression/2007-08-16-valid-write-to-freed-object.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | 5 | unsigned sym() { 6 | unsigned x; 7 | klee_make_symbolic(&x, sizeof x); 8 | return x; 9 | } 10 | 11 | int main() { 12 | unsigned x, y; 13 | 14 | // sym returns a symbolic object, but because it is 15 | // alloca'd it is freed on sym()s return. thats fine, 16 | // but the problem is that IVC is going to try to write 17 | // into the object right here. 18 | // 19 | // to support this we need to have a facility for making 20 | // state local copies of a freed object. 21 | if (sym() == 0) 22 | printf("ok\n"); 23 | 24 | return 0; 25 | } 26 | -------------------------------------------------------------------------------- /test/regression/2007-10-11-free-of-alloca.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -g -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 2>&1 | FileCheck %s 4 | // RUN: test -f %t.klee-out/test000001.free.err 5 | 6 | int main() { 7 | int buf[4]; 8 | // CHECK: 2007-10-11-free-of-alloca.c:9: free of alloca 9 | free(buf); // this should give runtime error, not crash 10 | return 0; 11 | } 12 | -------------------------------------------------------------------------------- /test/regression/2007-10-11-illegal-access-after-free-and-branch.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --optimize %t1.bc 2>&1 | FileCheck %s 4 | // RUN: test -f %t.klee-out/test000001.ptr.err 5 | 6 | #include 7 | #include 8 | #include 9 | 10 | int main(int argc, char **argv) { 11 | unsigned char *buf = malloc(3); 12 | klee_make_symbolic(buf, 3); 13 | if (buf[0]>4) klee_silent_exit(0); 14 | unsigned char x = buf[1]; 15 | free(buf); 16 | if (x) 17 | { 18 | // CHECK: 2007-10-11-illegal-access-after-free-and-branch.c:19: memory error: out of bound pointer 19 | return buf[2]; 20 | } 21 | klee_silent_exit(0); 22 | return 0; 23 | } 24 | -------------------------------------------------------------------------------- /test/regression/2007-10-12-failed-make-symbolic-after-copy.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | // RUN: test -f %t.klee-out/test000001.ktest 5 | 6 | int main() { 7 | unsigned x, y[4]; 8 | 9 | klee_make_symbolic(&x, sizeof x, "x"); 10 | if (x>=4) klee_silent_exit(0); 11 | 12 | y[x] = 0; 13 | 14 | if (x) { // force branch so y is copied 15 | klee_make_symbolic(&y, sizeof y, "y"); 16 | if (y[x]==0) klee_silent_exit(0); 17 | return 0; // should be reachable 18 | } else { 19 | // force read here in case we try to optimize copies smartly later 20 | if (y[x]==0) klee_silent_exit(0); 21 | return 0; // not reachable 22 | } 23 | } 24 | -------------------------------------------------------------------------------- /test/regression/2008-03-04-free-of-global.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -g -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 2>&1 | FileCheck %s 4 | // RUN: test -f %t.klee-out/test000001.free.err 5 | 6 | int buf[4]; 7 | 8 | int main() { 9 | // CHECK: 2008-03-04-free-of-global.c:10: free of global 10 | free(buf); // this should give runtime error, not crash 11 | return 0; 12 | } 13 | -------------------------------------------------------------------------------- /test/regression/2008-03-11-free-of-malloc-zero.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc 4 | 5 | #include 6 | 7 | int main() { 8 | // concrete case 9 | void *p = malloc(0); 10 | free(p); 11 | 12 | p = malloc(0); 13 | void *arr[4] = { p, 0, 0, 0 }; 14 | 15 | // symbolic case 16 | free(arr[klee_range(0, 4, "range")]); 17 | } 18 | -------------------------------------------------------------------------------- /test/regression/2008-04-10-bad-alloca-free.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc 4 | 5 | void f(int *addr) { 6 | klee_make_symbolic(addr, sizeof *addr, "moo"); 7 | } 8 | 9 | int main() { 10 | int x; 11 | f(&x); 12 | return x; 13 | } 14 | -------------------------------------------------------------------------------- /test/regression/2008-05-23-gep-with-global-const.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc -emit-llvm -O0 -c -o %t.bc %s 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t.bc 4 | 5 | #include 6 | 7 | int a; 8 | 9 | int main() { 10 | void *p1 = &((char*) 0)[(long) &a]; 11 | void *p2 = &a; 12 | 13 | assert(p1 == p2); 14 | 15 | return 0; 16 | } 17 | -------------------------------------------------------------------------------- /test/regression/2012-05-13-asm-causes-aborts.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | 5 | int main(int argc, char *argv[]){ 6 | __asm__ __volatile__ ("movl %eax, %eax"); 7 | return 0; 8 | } 9 | 10 | -------------------------------------------------------------------------------- /test/regression/2014-07-04-unflushed-error-report.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out -check-overshift %t.bc 2> %t.log 4 | // RUN: FileCheck -input-file=%t.klee-out/test000001.overshift.err %s 5 | 6 | /* This test checks that the error file isn't empty and contains the 7 | * right content. 8 | */ 9 | int main() 10 | { 11 | unsigned int x=15; 12 | unsigned int y; 13 | unsigned int z; 14 | volatile unsigned int result; 15 | 16 | /* Overshift if y>= sizeof(x) */ 17 | klee_make_symbolic(&y,sizeof(y),"shift_amount1"); 18 | // CHECK: Error: overshift error 19 | // CHECK-NEXT: 2014-07-04-unflushed-error-report.c 20 | // FIXME: Need newer FileCheck for to do ``Line: [[@LINE+1]]`` 21 | // Just hardcode line number for now 22 | // CHECK-NEXT: Line: 23 23 | result = x << y; 24 | 25 | return 0; 26 | } 27 | -------------------------------------------------------------------------------- /test/regression/2014-12-08-ashr.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out -exit-on-error %t.bc 4 | 5 | #include 6 | #include 7 | 8 | int f1(int a, int b) { 9 | return a + b; 10 | } 11 | 12 | int f2(int a, int b) { 13 | int i; 14 | for (i = 0; i < sizeof(b) * 8; i++) 15 | a += (((b >> i) & 1) << i); 16 | 17 | return a; 18 | } 19 | 20 | int main(int argc, char **argv) { 21 | int a, b; 22 | klee_make_symbolic(&a, sizeof(a), "a"); 23 | klee_make_symbolic(&b, sizeof(b), "b"); 24 | 25 | klee_assert(f1(a, b) == f2(a, b)); 26 | 27 | return 0; 28 | } 29 | 30 | -------------------------------------------------------------------------------- /test/regression/2015-06-22-struct-write.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out -exit-on-error %t.bc 4 | 5 | #include 6 | #include 7 | 8 | union U0 { 9 | signed f3 :18; 10 | }; 11 | 12 | static union U0 u = { 0UL }; 13 | 14 | int main(int argc, char **argv) { 15 | u.f3 = 534; 16 | 17 | klee_assert(u.f3 == 534); 18 | 19 | return 0; 20 | } 21 | 22 | -------------------------------------------------------------------------------- /test/regression/2015-08-30-empty-constraints.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t.bc 2> %t.log 4 | // RUN: FileCheck -input-file=%t.log %s 5 | 6 | /** 7 | * This test generates one execution state without constraints. 8 | * 9 | * The state gets terminated (in this case return) and initial values 10 | * are generated. 11 | * Make sure we are able to generate an input. 12 | */ 13 | int main() { 14 | int d; 15 | 16 | klee_make_symbolic( &d, sizeof(d) ); 17 | 18 | // CHECK-NOT: unable to compute initial values (invalid constraints?)! 19 | if ((d & 2) / 4) 20 | return 1; 21 | return 0; 22 | } 23 | -------------------------------------------------------------------------------- /test/regression/2015-08-30-sdiv-1.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out -exit-on-error -solver-optimize-divides=true %t.bc 4 | // RUN: rm -rf %t.klee-out 5 | // RUN: %klee --output-dir=%t.klee-out -exit-on-error -solver-optimize-divides=false %t.bc 6 | 7 | /* Division by constant can be optimized.using mul/shift 8 | * For signed division, div by 1 or -1 cannot be optimized like that. 9 | */ 10 | #include 11 | int main() { 12 | int32_t dividend; 13 | klee_make_symbolic(÷nd, sizeof dividend, "Dividend"); 14 | if ((3 ^ (dividend & 2)) / 1) 15 | return 1; 16 | if ((3 ^ (dividend & 2)) / -1) 17 | return 1; 18 | return 0; 19 | } 20 | -------------------------------------------------------------------------------- /test/regression/2016-03-22-independence-solver-missing-objects-for-assignment.kquery: -------------------------------------------------------------------------------- 1 | # RUN: %kleaver %s 2>&1 | FileCheck %s 2 | array n_args[4] : w32 -> w8 = symbolic 3 | array n_args_1[4] : w32 -> w8 = symbolic 4 | array A-data-stat[144] : w32 -> w8 = symbolic 5 | array stdin-stat[144] : w32 -> w8 = symbolic 6 | (query [(Ult N0:(ReadLSB w32 0 n_args) 2) 7 | (Slt 0 N0) 8 | (Ult N1:(ReadLSB w32 0 n_args_1) 3) 9 | (Slt 0 N1) 10 | (Slt 1 N1) 11 | (Eq false (Eq 0 (And w64 (ReadLSB w64 8 A-data-stat) 2147483647))) 12 | (Ult (ReadLSB w64 56 A-data-stat) 65536) 13 | (Eq false (Eq 0 (And w64 (ReadLSB w64 8 stdin-stat) 2147483647)))] 14 | (Eq false (Ult (ReadLSB w64 56 stdin-stat) 65536)) [] [n_args]) 15 | # CHECK: INVALID 16 | -------------------------------------------------------------------------------- /test/regression/2016-04-14-sdiv-2.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out -exit-on-error -solver-optimize-divides=true %t.bc >%t1.log 4 | // RUN: grep "m is 2" %t1.log 5 | #include 6 | #include 7 | 8 | #include "klee/klee.h" 9 | 10 | int main(void) 11 | { 12 | int n, m; 13 | klee_make_symbolic(&n, sizeof n, "n"); 14 | klee_assume(n < -1); 15 | 16 | if (n/2 > 0) 17 | assert(0); 18 | 19 | klee_make_symbolic(&m, sizeof m, "m"); 20 | klee_assume(m > 0); 21 | 22 | if (m/2 == 2) 23 | printf("m is 2\n"); 24 | 25 | return 0; 26 | } 27 | -------------------------------------------------------------------------------- /test/regression/2016-06-28-div-zero-bug.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --use-cex-cache=false %t.bc >%t1.log 4 | 5 | // This bug is triggered when using STP up to an including 2.1.0 6 | // See https://github.com/klee/klee/issues/308 7 | // and https://github.com/stp/stp/issues/206 8 | 9 | int b, a, g; 10 | 11 | int *c = &b, *d = &b, *f = &a; 12 | 13 | int safe_div(short p1, int p2) { 14 | return p2 == 0 ? p1 : p2; 15 | } 16 | 17 | int main() { 18 | klee_make_symbolic(&b, sizeof b); 19 | if (safe_div(*c, 0)) 20 | *f = (int)&b % *c; 21 | 22 | safe_div(a && g, *d); 23 | } 24 | -------------------------------------------------------------------------------- /test/regression/2016-08-06-klee-get-obj-size.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t.bc 4 | // RUN: test -f %t.klee-out/test000001.assert.err 5 | 6 | 7 | #include 8 | #include 9 | 10 | int main() { 11 | char s[5]; 12 | assert(5 != klee_get_obj_size(s)); 13 | return 0; 14 | } 15 | -------------------------------------------------------------------------------- /test/regression/2016-08-11-entry-point-internalize-pass.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --entry-point=entry %t.bc 4 | 5 | int entry() { 6 | return 0; 7 | } 8 | -------------------------------------------------------------------------------- /test/regression/2016-08-12-empty-file.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: not %klee --output-dir=%t.klee-out %t.bc >%t1.log 2>&1 4 | // RUN: FileCheck -input-file=%t1.log -check-prefix=CHECK-MAIN-NOT-FOUND %s 5 | // RUN: rm -rf %t.klee-out 6 | // RUN: rm -rf %t1.log 7 | // RUN: not %klee --output-dir=%t.klee-out --posix-runtime %t.bc >%t1.log 2>&1 8 | // RUN: FileCheck -input-file=%t1.log -check-prefix=CHECK-MAIN-NOT-FOUND %s 9 | 10 | // CHECK-MAIN-NOT-FOUND: 'main' function not found in module. 11 | -------------------------------------------------------------------------------- /test/regression/2016-12-14-alloc-alignment.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -Wall -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t.bc 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | // Global should be aligned on a 128-byte boundary 10 | int foo __attribute__((aligned(128))); 11 | 12 | int main() { 13 | int bar __attribute__((aligned(256))); 14 | 15 | // Check alignment of global 16 | assert(((size_t)&foo) % 128 == 0); 17 | 18 | // Check alignment of local 19 | assert(((size_t)&bar) % 256 == 0); 20 | return 0; 21 | } 22 | -------------------------------------------------------------------------------- /test/regression/2017-02-21-pathOS-id.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out -write-paths %t.bc 2> %t.log 4 | // RUN: cat %t.klee-out/test000001.path | wc -l | grep -q 1 5 | // RUN: cat %t.klee-out/test000002.path | wc -l | grep -q 1 6 | // RUN: cat %t.klee-out/test000003.path | wc -l | grep -q 1 7 | // RUN: cat %t.klee-out/test000004.path | wc -l | grep -q 1 8 | int main(){ 9 | int a, b; 10 | klee_make_symbolic (&a, sizeof(int), "a"); 11 | klee_make_symbolic (&b, sizeof(int), "b"); 12 | klee_assume(a<2); 13 | klee_assume(a>=0); 14 | malloc(a); 15 | if(b){ 16 | b++;//do something 17 | } 18 | return b; 19 | } 20 | -------------------------------------------------------------------------------- /test/regression/lit.local.cfg: -------------------------------------------------------------------------------- 1 | # Look for .kquery files too 2 | config.suffixes.add('.kquery') 3 | -------------------------------------------------------------------------------- /tools/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | add_subdirectory(gen-random-bout) 10 | add_subdirectory(kleaver) 11 | add_subdirectory(klee) 12 | add_subdirectory(klee-replay) 13 | add_subdirectory(klee-stats) 14 | add_subdirectory(ktest-tool) 15 | -------------------------------------------------------------------------------- /tools/Makefile: -------------------------------------------------------------------------------- 1 | #===-- tools/Makefile --------------------------------------*- Makefile -*--===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | 10 | # 11 | # Relative path to the top of the source tree. 12 | # 13 | LEVEL=.. 14 | 15 | # 16 | # List all of the subdirectories that we will compile. 17 | # 18 | PARALLEL_DIRS=klee kleaver ktest-tool gen-random-bout klee-stats 19 | 20 | include $(LEVEL)/Makefile.config 21 | 22 | ifeq ($(ENABLE_POSIX_RUNTIME),1) 23 | PARALLEL_DIRS += klee-replay 24 | endif 25 | 26 | include $(LEVEL)/Makefile.common 27 | -------------------------------------------------------------------------------- /tools/gen-random-bout/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | add_executable(gen-random-bout 10 | gen-random-bout.cpp 11 | ) 12 | 13 | set(KLEE_LIBS kleeBasic) 14 | 15 | target_link_libraries(gen-random-bout ${KLEE_LIBS}) 16 | 17 | install(TARGETS gen-random-bout RUNTIME DESTINATION bin) 18 | -------------------------------------------------------------------------------- /tools/gen-random-bout/Makefile: -------------------------------------------------------------------------------- 1 | ##===- tools/klee/Makefile ---------------*- Makefile -*-===## 2 | 3 | LEVEL=../.. 4 | TOOLNAME = gen-random-bout 5 | USEDLIBS = kleeBasic.a 6 | NO_INSTALL=1 7 | 8 | include $(LEVEL)/Makefile.common 9 | -------------------------------------------------------------------------------- /tools/kleaver/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | add_executable(kleaver 10 | main.cpp 11 | ) 12 | 13 | set(KLEE_LIBS 14 | kleaverSolver 15 | ) 16 | 17 | target_link_libraries(kleaver ${KLEE_LIBS}) 18 | 19 | install(TARGETS kleaver RUNTIME DESTINATION bin) 20 | -------------------------------------------------------------------------------- /tools/kleaver/Makefile: -------------------------------------------------------------------------------- 1 | #===-- tools/kleaver/Makefile ------------------------------*- Makefile -*--===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | 10 | LEVEL=../.. 11 | TOOLNAME = kleaver 12 | 13 | include $(LEVEL)/Makefile.config 14 | 15 | # FIXME: Ideally we wouldn't have any LLVM dependencies here, which 16 | # means kicking out klee's Support. 17 | USEDLIBS = kleeBasic.a kleaverSolver.a kleaverExpr.a kleeSupport.a 18 | LINK_COMPONENTS = support 19 | 20 | include $(LEVEL)/Makefile.common 21 | 22 | ifneq ($(ENABLE_STP),0) 23 | LIBS += $(STP_LDFLAGS) 24 | endif 25 | 26 | ifneq ($(ENABLE_Z3),0) 27 | LIBS += $(Z3_LDFLAGS) 28 | endif 29 | 30 | include $(PROJ_SRC_ROOT)/MetaSMT.mk 31 | 32 | ifeq ($(HAVE_TCMALLOC),1) 33 | LIBS += $(TCMALLOC_LIB) 34 | endif 35 | 36 | ifeq ($(HAVE_ZLIB),1) 37 | LIBS += -lz 38 | endif 39 | -------------------------------------------------------------------------------- /tools/klee-replay/Makefile: -------------------------------------------------------------------------------- 1 | #===-- tools/klee-replay/Makefile --------------------------*- Makefile -*--===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | 10 | LEVEL=../.. 11 | TOOLNAME = klee-replay 12 | 13 | USEDLIBS = kleeBasic.a 14 | LINK_COMPONENTS = 15 | NO_PEDANTIC=1 16 | 17 | include $(LEVEL)/Makefile.common 18 | 19 | LIBS += -lutil -lcap 20 | -------------------------------------------------------------------------------- /tools/klee-replay/fd_init.c: -------------------------------------------------------------------------------- 1 | #include "../../runtime/POSIX/fd_init.c" 2 | -------------------------------------------------------------------------------- /tools/klee-replay/klee-replay.h: -------------------------------------------------------------------------------- 1 | //===-- klee-replay.h ------------------------------------------*- C++ -*--===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #ifndef __KLEE_REPLAY_H__ 11 | #define __KLEE_REPLAY_H__ 12 | 13 | #define _LARGEFILE64_SOURCE 14 | #define _FILE_OFFSET_BITS 64 15 | 16 | // FIXME: This is a hack. 17 | #include "../../runtime/POSIX/fd.h" 18 | #include 19 | 20 | void replay_create_files(exe_file_system_t *exe_fs); 21 | 22 | void process_status(int status, 23 | time_t elapsed, 24 | const char *pfx) 25 | __attribute__((noreturn)); 26 | 27 | #endif 28 | 29 | -------------------------------------------------------------------------------- /tools/klee-replay/klee_init_env.c: -------------------------------------------------------------------------------- 1 | #include "../../runtime/POSIX/klee_init_env.c" 2 | -------------------------------------------------------------------------------- /tools/klee-stats/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | install(PROGRAMS klee-stats DESTINATION bin) 10 | 11 | # Copy into the build directory's binary directory 12 | # so system tests can find it 13 | configure_file(klee-stats "${CMAKE_RUNTIME_OUTPUT_DIRECTORY}/klee-stats" COPYONLY) 14 | -------------------------------------------------------------------------------- /tools/klee/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | add_executable(klee 10 | main.cpp 11 | ) 12 | 13 | set(KLEE_LIBS 14 | kleeCore 15 | ) 16 | 17 | target_link_libraries(klee ${KLEE_LIBS}) 18 | 19 | install(TARGETS klee RUNTIME DESTINATION bin) 20 | 21 | # The KLEE binary depends on the runtimes 22 | add_dependencies(klee BuildKLEERuntimes) 23 | -------------------------------------------------------------------------------- /tools/klee/Debug.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | void kdb_printExpr(klee::Expr *e) { 4 | llvm::errs() << "expr: " << e << " -- "; 5 | if (e) { 6 | llvm::errs() << *e; 7 | } else { 8 | llvm::errs() << "(null)"; 9 | } 10 | llvm::errs() << "\n"; 11 | } 12 | -------------------------------------------------------------------------------- /tools/klee/Makefile: -------------------------------------------------------------------------------- 1 | #===-- tools/klee/Makefile ---------------------------------*- Makefile -*--===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | 10 | LEVEL=../.. 11 | TOOLNAME = klee 12 | 13 | include $(LEVEL)/Makefile.config 14 | 15 | USEDLIBS = kleeCore.a kleeBasic.a kleeModule.a kleaverSolver.a kleaverExpr.a kleeSupport.a 16 | LINK_COMPONENTS = jit bitreader bitwriter ipo linker engine 17 | 18 | ifeq ($(shell python -c "print($(LLVM_VERSION_MAJOR).$(LLVM_VERSION_MINOR) >= 3.3)"), True) 19 | LINK_COMPONENTS += irreader 20 | endif 21 | include $(LEVEL)/Makefile.common 22 | 23 | ifneq ($(ENABLE_STP),0) 24 | LIBS += $(STP_LDFLAGS) 25 | endif 26 | 27 | ifneq ($(ENABLE_Z3),0) 28 | LIBS += $(Z3_LDFLAGS) 29 | endif 30 | 31 | include $(PROJ_SRC_ROOT)/MetaSMT.mk 32 | 33 | ifeq ($(HAVE_TCMALLOC),1) 34 | LIBS += $(TCMALLOC_LIB) 35 | endif 36 | 37 | ifeq ($(HAVE_ZLIB),1) 38 | LIBS += -lz 39 | endif -------------------------------------------------------------------------------- /tools/ktest-tool/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | install(PROGRAMS ktest-tool DESTINATION bin) 10 | 11 | # Copy into the build directory's binary directory 12 | # so system tests can find it 13 | configure_file(ktest-tool "${CMAKE_RUNTIME_OUTPUT_DIRECTORY}/ktest-tool" COPYONLY) 14 | -------------------------------------------------------------------------------- /unittests/Assignment/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | add_klee_unit_test(AssignmentTest 2 | AssignmentTest.cpp) 3 | target_link_libraries(AssignmentTest PRIVATE kleaverExpr) 4 | -------------------------------------------------------------------------------- /unittests/Assignment/Makefile: -------------------------------------------------------------------------------- 1 | ##===- unittests/Assignment/Makefile -----------------------*- Makefile -*-===## 2 | 3 | LEVEL := ../.. 4 | include $(LEVEL)/Makefile.config 5 | 6 | TESTNAME := Assignment 7 | USEDLIBS := kleaverExpr.a 8 | LINK_COMPONENTS := support 9 | 10 | include $(LLVM_SRC_ROOT)/unittests/Makefile.unittest 11 | 12 | CXXFLAGS += -DLLVM_29_UNITTEST 13 | -------------------------------------------------------------------------------- /unittests/Expr/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | add_klee_unit_test(ExprTest 2 | ExprTest.cpp) 3 | target_link_libraries(ExprTest PRIVATE kleaverExpr) 4 | -------------------------------------------------------------------------------- /unittests/Expr/Makefile: -------------------------------------------------------------------------------- 1 | ##===- unittests/Expr/Makefile -----------------------------*- Makefile -*-===## 2 | 3 | LEVEL := ../.. 4 | include $(LEVEL)/Makefile.config 5 | 6 | TESTNAME := Expr 7 | USEDLIBS := kleaverExpr.a kleeBasic.a 8 | LINK_COMPONENTS := support 9 | 10 | include $(LLVM_SRC_ROOT)/unittests/Makefile.unittest 11 | 12 | CXXFLAGS += -DLLVM_29_UNITTEST 13 | -------------------------------------------------------------------------------- /unittests/Makefile: -------------------------------------------------------------------------------- 1 | ##===- unittests/Makefile ----------------------------------*- Makefile -*-===## 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | # ===----------------------------------------------------------------------===## 9 | 10 | LEVEL = .. 11 | 12 | include $(LEVEL)/Makefile.config 13 | 14 | LIBRARYNAME = UnitTestMain 15 | BUILD_ARCHIVE = 1 16 | CPP.Flags += -I$(LLVM_SRC_ROOT)/utils/unittest/googletest/include/ 17 | CPP.Flags += -Wno-variadic-macros 18 | 19 | # FIXME: Parallel dirs is broken? 20 | DIRS = Expr Solver Ref Assignment 21 | 22 | include $(LEVEL)/Makefile.common 23 | 24 | # Remove -fno-rtti as this prevents typeid() being used 25 | # in gtest 26 | CXX.Flags := $(filter-out -fno-rtti,$(CXX.Flags)) 27 | 28 | clean:: 29 | $(Verb) $(RM) -f *Tests 30 | -------------------------------------------------------------------------------- /unittests/Ref/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | add_klee_unit_test(RefTest 2 | RefTest.cpp) 3 | target_link_libraries(RefTest PRIVATE kleaverExpr) 4 | -------------------------------------------------------------------------------- /unittests/Ref/Makefile: -------------------------------------------------------------------------------- 1 | ##===- unittests/Expr/Makefile -----------------------------*- Makefile -*-===## 2 | 3 | LEVEL := ../.. 4 | include $(LEVEL)/Makefile.config 5 | 6 | TESTNAME := RefTest 7 | USEDLIBS := kleaverExpr.a kleeBasic.a 8 | LINK_COMPONENTS := support 9 | 10 | include $(LLVM_SRC_ROOT)/unittests/Makefile.unittest 11 | -------------------------------------------------------------------------------- /unittests/Ref/RefTest.cpp: -------------------------------------------------------------------------------- 1 | //===-- RefTest.cpp ---------------------------------------------*- C++ -*-===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | /* Regression test for a bug caused by assigning a ref to itself. 11 | More details at http://keeda.stanford.edu/pipermail/klee-commits/2012-February/000904.html */ 12 | 13 | #include "gtest/gtest.h" 14 | #include 15 | #include "klee/util/Ref.h" 16 | using klee::ref; 17 | 18 | int finished = 0; 19 | 20 | struct Expr 21 | { 22 | int refCount; 23 | Expr() : refCount(0) { 24 | //std::cout << "Expr(" << this << ") created\n"; 25 | } 26 | ~Expr() { 27 | //std::cout << "Expr(" << this << ") destroyed\n"; 28 | EXPECT_EQ(finished, 1); 29 | } 30 | }; 31 | 32 | TEST(RefTest, SelfAssign) 33 | { 34 | struct Expr *r_e = new Expr(); 35 | ref r(r_e); 36 | EXPECT_EQ(r_e->refCount, 1); 37 | r = r; 38 | EXPECT_EQ(r_e->refCount, 1); 39 | finished = 1; 40 | } 41 | -------------------------------------------------------------------------------- /unittests/Solver/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | add_klee_unit_test(SolverTest 2 | SolverTest.cpp) 3 | target_link_libraries(SolverTest PRIVATE kleaverSolver) 4 | -------------------------------------------------------------------------------- /unittests/Solver/Makefile: -------------------------------------------------------------------------------- 1 | ##===- unittests/Solver/Makefile ---------------------------*- Makefile -*-===## 2 | 3 | LEVEL := ../.. 4 | include $(LEVEL)/Makefile.config 5 | 6 | TESTNAME := Solver 7 | USEDLIBS := kleaverSolver.a kleaverExpr.a kleeSupport.a kleeBasic.a 8 | LINK_COMPONENTS := support 9 | 10 | include $(LLVM_SRC_ROOT)/unittests/Makefile.unittest 11 | 12 | ifneq ($(ENABLE_STP),0) 13 | LIBS += $(STP_LDFLAGS) 14 | endif 15 | 16 | ifneq ($(ENABLE_Z3),0) 17 | LIBS += $(Z3_LDFLAGS) 18 | endif 19 | 20 | include $(PROJ_SRC_ROOT)/MetaSMT.mk 21 | -------------------------------------------------------------------------------- /unittests/TestMain.cpp: -------------------------------------------------------------------------------- 1 | //===--- unittests/TestMain.cpp - unittest driver -------------------------===// 2 | // 3 | // The LLVM Compiler Infrastructure 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #include "gtest/gtest.h" 11 | 12 | int main(int argc, char **argv) { 13 | testing::InitGoogleTest(&argc, argv); 14 | return RUN_ALL_TESTS(); 15 | } 16 | -------------------------------------------------------------------------------- /unittests/lit-unit-tests-common.cfg: -------------------------------------------------------------------------------- 1 | # Configuration file for the 'lit' test runner. 2 | 3 | import os 4 | 5 | import lit.formats 6 | 7 | # suffixes: A list of file extensions to treat as test files. 8 | config.suffixes = [] 9 | 10 | # testFormat: The test format to use to interpret tests. 11 | config.test_format = lit.formats.GoogleTest('.', config.unit_test_exe_suffix) 12 | -------------------------------------------------------------------------------- /unittests/lit-unit-tests-common.site.cfg.in: -------------------------------------------------------------------------------- 1 | import sys 2 | import os 3 | 4 | ## @AUTO_GEN_MSG@ 5 | config.name = 'KLEE Unit tests' 6 | config.unit_test_exe_suffix = "@UNIT_TEST_EXE_SUFFIX@" 7 | 8 | # Let the main config do the real work. 9 | lit_config.load_config(config, "@CMAKE_SOURCE_DIR@/unittests/lit-unit-tests-common.cfg") 10 | -------------------------------------------------------------------------------- /utils/hacks/TreeGraphs/Graphics/Geometry/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/feliam/klee-taint/a16f5b4781ef509d69364e2434520e580d653972/utils/hacks/TreeGraphs/Graphics/Geometry/__init__.py -------------------------------------------------------------------------------- /utils/hacks/TreeGraphs/Graphics/Geometry/mat2.py: -------------------------------------------------------------------------------- 1 | # ===-- mat2.py -----------------------------------------------------------===## 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | # ===----------------------------------------------------------------------===## 9 | 10 | import vec2 11 | 12 | def det(m): 13 | ((m00,m01),(m10,m11))= m 14 | 15 | return m00*m11 - m01*m10 16 | 17 | def mul(a,b): 18 | b_trans= zip(* b) 19 | return tuple([transmulvec2(b_trans, a_r) for a_r in a]) 20 | 21 | # multiple vector v by a transposed matrix 22 | def transmulvec2(m_trans,v): 23 | return tuple([vec2.dot(v, m_c) for m_c in m_trans]) 24 | 25 | def mulvec2(m,v): 26 | return transmulvec2(zip(* m), v) 27 | 28 | def mulN(m,N): 29 | return tuple([vec2.mulN(v,N) for v in m]) 30 | -------------------------------------------------------------------------------- /utils/hacks/TreeGraphs/Graphics/__init__.py: -------------------------------------------------------------------------------- 1 | __all__= ['Formats', 'SubSurf', 'Geometry', 'AqsisInterface', 'TwoD', 'ThreeD', 'Apps'] 2 | -------------------------------------------------------------------------------- /utils/hacks/TreeGraphs/README.txt: -------------------------------------------------------------------------------- 1 | A little hack which converts KLEE treestream's of path branch information into 2 | images/animations. It is not particularly fast nor is the code very 3 | elegant. It's a hack, after all! 4 | 5 | There are a couple example input streams in inputs/. You can generate a single 6 | image frame with, e.g.:: 7 | 8 | $ ./TreeGraph.py --count=500 inputs/symPaths6.ts t.pdf 9 | 10 | which will generate an image of the first 500 paths that were explored. 11 | 12 | 13 | You can generate a sequence of frames from a file using:: 14 | 15 | $ ./Animate.py --start=10 --end=2000 inputs/symPaths6.ts anim-01 16 | 17 | which will generate a sequence of .pdf frames in anim-01. 18 | -------------------------------------------------------------------------------- /utils/hacks/TreeGraphs/inputs/symPaths.ts: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/feliam/klee-taint/a16f5b4781ef509d69364e2434520e580d653972/utils/hacks/TreeGraphs/inputs/symPaths.ts -------------------------------------------------------------------------------- /utils/hacks/TreeGraphs/inputs/symPaths6.ts: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/feliam/klee-taint/a16f5b4781ef509d69364e2434520e580d653972/utils/hacks/TreeGraphs/inputs/symPaths6.ts -------------------------------------------------------------------------------- /utils/sanitizers/lsan.txt: -------------------------------------------------------------------------------- 1 | # This file tells the LeakSanitizer (LSan)component of the AddressSanitizer (-fsanitizer=address) 2 | # to ignore certain leaks at runtime. To tell LSan about these set the environment variable 3 | # LSAN_OPTIONS=suppressions=/path/to/this/file and then run the sanitized build of KLEE. 4 | # 5 | # Ideally we shouldn't need to suppress anything but currently KLEE seems to be leaking 6 | # The suppressions below are what's needed for ``make unittests`` and ``make check`` to not 7 | # fail due to leaks. 8 | 9 | # Low priority 10 | leak:tools/kleaver/main.cpp 11 | leak:lib/Expr/Parser.cpp 12 | -------------------------------------------------------------------------------- /utils/valgrind/README.txt: -------------------------------------------------------------------------------- 1 | A few valgrind suppression files for known leaks. The LLVM ones may be 2 | fixed by now. 3 | -------------------------------------------------------------------------------- /utils/valgrind/valgrind-llvm.supp: -------------------------------------------------------------------------------- 1 | { 2 | LLVM:Tmp1 3 | Memcheck:Leak 4 | fun:_vgrZU_libstdcZpZpZa__Znwj 5 | fun:_ZN4llvm* 6 | } 7 | { 8 | LLVM:Tmp2 9 | Memcheck:Leak 10 | fun:_vgrZU_libcZdsoZa_malloc 11 | fun:_ZN4llvm* 12 | } 13 | { 14 | LLVM:Tmp3 15 | Memcheck:Leak 16 | fun:*nwj* 17 | fun:*llvm* 18 | } 19 | { 20 | LLVM:Tmp4 21 | Memcheck:Leak 22 | fun:malloc 23 | fun:*llvm* 24 | } 25 | -------------------------------------------------------------------------------- /utils/valgrind/valgrind-stp.supp: -------------------------------------------------------------------------------- 1 | { 2 | STP:BeevMgr 3 | Memcheck:Leak 4 | fun:_vgrZU_libstdcZpZpZa__Znwj 5 | fun:_ZN4BEEV7BeevMgr* 6 | } 7 | { 8 | STP:BeevMgr:strdup 9 | Memcheck:Leak 10 | fun:_vgrZU_libcZdsoZa_malloc 11 | fun:strdup 12 | fun:_ZN4BEEV7BeevMgr* 13 | } 14 | { 15 | STP:c_interface 16 | Memcheck:Leak 17 | fun:_vgrZU_libstdcZpZpZa__Znwj 18 | fun:vc_* 19 | } 20 | { 21 | STP:BeevMgr:vector 22 | Memcheck:Leak 23 | fun:_vgrZU_libstdcZpZpZa__Znwj 24 | fun:_ZNSt6vector* 25 | fun:_ZN4BEEV7BeevMgr* 26 | } 27 | { 28 | LLVM:Tmp1 29 | Memcheck:Leak 30 | fun:_vgrZU_libstdcZpZpZa__Znwj 31 | fun:_ZN4llvm* 32 | } 33 | --------------------------------------------------------------------------------