├── .clang-format ├── .dockerignore ├── .gitattributes ├── .gitignore ├── .travis.yml ├── .travis ├── install-llvm-and-runtime-compiler.sh ├── install-tcmalloc.sh ├── klee.sh ├── metaSMT.sh ├── sanitizer_flags.sh ├── solvers.sh ├── stp.sh └── testing-utils.sh ├── CMakeLists.txt ├── Dockerfile ├── LICENSE.TXT ├── Makefile ├── Makefile.common ├── Makefile.config.in ├── Makefile.rules ├── MetaSMT.mk ├── NEWS ├── README-CMake.md ├── README.md ├── TODO.txt ├── autoconf ├── AutoRegen.sh ├── config.guess ├── config.sub ├── configure.ac └── install-sh ├── cmake ├── GetGitRevisionDescription.cmake ├── GetGitRevisionDescription.cmake.in ├── add_global_flag.cmake ├── c_flags_override.cmake ├── compiler_warnings.cmake ├── cxx_flags_override.cmake ├── find_bitcode_compiler.cmake ├── find_llvm.cmake ├── find_metasmt.cmake ├── klee_add_component.cmake ├── klee_component_add_cxx_flag.cmake ├── modules │ └── FindZ3.cmake └── string_to_list.cmake ├── configure ├── docs ├── CMakeLists.txt ├── SMT-COMP │ ├── BitVector_ArraysEx.smt │ ├── BitVectors.smt │ ├── QF_AUFBV.smt │ └── QF_BV.smt ├── doxygen.cfg.in ├── intro └── overview ├── examples ├── get_sign │ └── get_sign.c ├── islower │ └── islower.c ├── regexp │ ├── Regexp.c │ └── notes.txt └── sort │ └── sort.c ├── include ├── expr │ ├── Lexer.h │ └── Parser.h └── klee │ ├── CommandLine.h │ ├── Common.h │ ├── Config │ ├── CompileTimeInfo.h.cmin │ ├── Version.h │ ├── config.h.cmin │ └── config.h.in │ ├── Constraints.h │ ├── ExecutionState.h │ ├── Expr.h │ ├── ExprBuilder.h │ ├── IncompleteSolver.h │ ├── Internal │ ├── ADT │ │ ├── DiscretePDF.h │ │ ├── DiscretePDF.inc │ │ ├── ImmutableMap.h │ │ ├── ImmutableSet.h │ │ ├── ImmutableTree.h │ │ ├── KTest.h │ │ ├── MapOfSets.h │ │ ├── RNG.h │ │ └── TreeStream.h │ ├── Module │ │ ├── Cell.h │ │ ├── InstructionInfoTable.h │ │ ├── KInstIterator.h │ │ ├── KInstruction.h │ │ └── KModule.h │ ├── README.txt │ ├── Support │ │ ├── CompressionStream.h │ │ ├── Debug.h │ │ ├── ErrorHandling.h │ │ ├── FloatEvaluation.h │ │ ├── IntEvaluation.h │ │ ├── ModuleUtil.h │ │ ├── PrintVersion.h │ │ ├── QueryLog.h │ │ ├── RoundingModeUtil.h │ │ └── Timer.h │ └── System │ │ ├── MemoryUsage.h │ │ └── Time.h │ ├── Interpreter.h │ ├── MergeHandler.h │ ├── Solver.h │ ├── SolverImpl.h │ ├── SolverStats.h │ ├── Statistic.h │ ├── Statistics.h │ ├── TimerStatIncrementer.h │ ├── klee.h │ └── util │ ├── APFloatEval.h │ ├── ArrayCache.h │ ├── ArrayExprHash.h │ ├── Assignment.h │ ├── BitArray.h │ ├── Bits.h │ ├── ExprEvaluator.h │ ├── ExprHashMap.h │ ├── ExprPPrinter.h │ ├── ExprRangeEvaluator.h │ ├── ExprSMTLIBPrinter.h │ ├── ExprUtil.h │ ├── ExprVisitor.h │ ├── GetElementPtrTypeIterator.h │ ├── PrintContext.h │ └── Ref.h ├── lib ├── Basic │ ├── CMakeLists.txt │ ├── CmdLineOptions.cpp │ ├── ConstructSolverChain.cpp │ ├── KTest.cpp │ ├── Makefile │ ├── README.txt │ └── Statistics.cpp ├── CMakeLists.txt ├── Core │ ├── AddressSpace.cpp │ ├── AddressSpace.h │ ├── CMakeLists.txt │ ├── CallPathManager.cpp │ ├── CallPathManager.h │ ├── Context.cpp │ ├── Context.h │ ├── CoreStats.cpp │ ├── CoreStats.h │ ├── ExecutionState.cpp │ ├── Executor.cpp │ ├── Executor.h │ ├── ExecutorTimerInfo.h │ ├── ExecutorTimers.cpp │ ├── ExecutorUtil.cpp │ ├── ExternalDispatcher.cpp │ ├── ExternalDispatcher.h │ ├── ImpliedValue.cpp │ ├── ImpliedValue.h │ ├── Makefile │ ├── Memory.cpp │ ├── Memory.h │ ├── MemoryManager.cpp │ ├── MemoryManager.h │ ├── MergeHandler.cpp │ ├── ObjectHolder.h │ ├── PTree.cpp │ ├── PTree.h │ ├── Searcher.cpp │ ├── Searcher.h │ ├── SeedInfo.cpp │ ├── SeedInfo.h │ ├── SpecialFunctionHandler.cpp │ ├── SpecialFunctionHandler.h │ ├── StatsTracker.cpp │ ├── StatsTracker.h │ ├── TimingSolver.cpp │ ├── TimingSolver.h │ ├── UserSearcher.cpp │ └── UserSearcher.h ├── Expr │ ├── APFloatEval.cpp │ ├── ArrayCache.cpp │ ├── Assigment.cpp │ ├── CMakeLists.txt │ ├── Constraints.cpp │ ├── Expr.cpp │ ├── ExprBuilder.cpp │ ├── ExprEvaluator.cpp │ ├── ExprPPrinter.cpp │ ├── ExprSMTLIBPrinter.cpp │ ├── ExprUtil.cpp │ ├── ExprVisitor.cpp │ ├── FindArrayAckermannizationVisitor.cpp │ ├── FindArrayAckermannizationVisitor.h │ ├── Lexer.cpp │ ├── Makefile │ ├── Parser.cpp │ └── Updates.cpp ├── Makefile ├── Module │ ├── CMakeLists.txt │ ├── Checks.cpp │ ├── InstructionInfoTable.cpp │ ├── IntrinsicCleaner.cpp │ ├── KInstruction.cpp │ ├── KModule.cpp │ ├── LowerSwitch.cpp │ ├── Makefile │ ├── ModuleUtil.cpp │ ├── Optimize.cpp │ ├── Passes.h │ ├── PhiCleaner.cpp │ ├── RaiseAsm.cpp │ └── Scalarizer.cpp ├── README.txt ├── Solver │ ├── AssignmentValidatingSolver.cpp │ ├── CMakeLists.txt │ ├── CachingSolver.cpp │ ├── CexCachingSolver.cpp │ ├── ConstantDivision.cpp │ ├── ConstantDivision.h │ ├── CoreSolver.cpp │ ├── DummySolver.cpp │ ├── FastCexSolver.cpp │ ├── IncompleteSolver.cpp │ ├── IndependentSolver.cpp │ ├── KQueryLoggingSolver.cpp │ ├── Makefile │ ├── MetaSMTBuilder.h │ ├── MetaSMTSolver.cpp │ ├── QueryLoggingSolver.cpp │ ├── QueryLoggingSolver.h │ ├── SMTLIBLoggingSolver.cpp │ ├── STPBuilder.cpp │ ├── STPBuilder.h │ ├── STPSolver.cpp │ ├── Solver.cpp │ ├── SolverImpl.cpp │ ├── SolverStats.cpp │ ├── ValidatingSolver.cpp │ ├── Z3Builder.cpp │ ├── Z3Builder.h │ └── Z3Solver.cpp └── Support │ ├── CMakeLists.txt │ ├── CompressionStream.cpp │ ├── ErrorHandling.cpp │ ├── Makefile │ ├── MemoryUsage.cpp │ ├── PrintVersion.cpp │ ├── README.txt │ ├── RNG.cpp │ ├── RoundingModeUtil.cpp │ ├── Time.cpp │ ├── Timer.cpp │ └── TreeStream.cpp ├── runtime ├── CMakeLists.txt ├── Intrinsic │ ├── Makefile │ ├── Makefile.cmake.bitcode │ ├── fabs.c │ ├── fenv.c │ ├── fpclassify.c │ ├── klee_div_zero_check.c │ ├── klee_int.c │ ├── klee_internal_isinf.ll │ ├── klee_overshift_check.c │ ├── klee_range.c │ ├── klee_set_rounding_mode.c │ ├── memcpy.c │ ├── memmove.c │ ├── mempcpy.c │ ├── memset.c │ └── sqrt.c ├── Makefile ├── Makefile.cmake.bitcode ├── Makefile.cmake.bitcode.config.in ├── Makefile.cmake.bitcode.rules ├── POSIX │ ├── Makefile │ ├── Makefile.cmake.bitcode │ ├── fd.c │ ├── fd.h │ ├── fd_32.c │ ├── fd_64.c │ ├── fd_init.c │ ├── illegal.c │ ├── klee_init_env.c │ ├── misc.c │ ├── selinux.c │ └── stubs.c ├── Runtest │ ├── CMakeLists.txt │ ├── Makefile │ └── intrinsics.c ├── klee-libc │ ├── Makefile │ ├── Makefile.cmake.bitcode │ ├── __cxa_atexit.c │ ├── abort.c │ ├── atexit.c │ ├── atoi.c │ ├── calloc.c │ ├── htonl.c │ ├── klee-choose.c │ ├── memchr.c │ ├── memcmp.c │ ├── memcpy.c │ ├── memmove.c │ ├── mempcpy.c │ ├── memset.c │ ├── putchar.c │ ├── stpcpy.c │ ├── strcat.c │ ├── strchr.c │ ├── strcmp.c │ ├── strcoll.c │ ├── strcpy.c │ ├── strlen.c │ ├── strncmp.c │ ├── strncpy.c │ ├── strrchr.c │ ├── strtol.c │ ├── strtoul.c │ ├── tolower.c │ └── toupper.c └── klee-uclibc │ └── Makefile ├── scripts ├── IStatsMerge.py ├── IStatsSum.py ├── bv2float.py ├── container.Makefile ├── coverageServer.py ├── docker_aachen_build.sh ├── genTempFiles.sh ├── klee-chroot-env ├── klee-clang ├── klee-control ├── klee-gcc ├── objdump ├── patch_aachen.Dockerfile └── patch_aachen.metadata.Dockerfile ├── test ├── CMakeLists.txt ├── CXX │ ├── ArrayNew.cpp │ ├── New.cpp │ ├── SimpleVirtual.cpp │ ├── StaticConstructor.cpp │ ├── StaticDestructor.cpp │ └── Trivial.cpp ├── Concrete │ ├── BitwiseOps.ll │ ├── BoolReadWrite.ll │ ├── CMakeLists.txt │ ├── Casts.ll │ ├── CmpEq.ll │ ├── ConcreteTest.py │ ├── ConstantExpr.ll │ ├── FloatingPointOps.ll │ ├── GlobalInitializers.ll │ ├── GlobalUndef.ll │ ├── GlobalVariable.ll │ ├── ICmp.ll │ ├── Makefile │ ├── Makefile.cmake.test.in │ ├── OneCall.ll │ ├── OverlappingPhiNodes.ll │ ├── README.txt │ ├── Select.ll │ ├── Shifts.ll │ ├── SimpleStoreAndLoad.ll │ ├── UnconditionalBranch.ll │ ├── UnconditionalBranchWithSimplePhi.ll │ ├── UnorderedPhiNodes.ll │ ├── _testingUtils.c │ ├── ackermann.c │ └── arith_test.ll ├── Coverage │ ├── ReadArgs.c │ └── ReplayOutDir.c ├── Dogfood │ └── ImmutableSet.cpp ├── Expr │ ├── Evaluate.kquery │ ├── Evaluate2.kquery │ ├── Lexer │ │ └── Numbers.kquery │ ├── Parser │ │ ├── Concat64.kquery │ │ ├── ConstantFolding.kquery │ │ ├── Exprs.kquery │ │ ├── MultiByteReads.kquery │ │ ├── Simplify.kquery │ │ └── TypeChecking.kquery │ ├── print-smt-let.kquery │ ├── print-smt-let.smt2.good │ ├── print-smt-named.kquery │ ├── print-smt-named.smt2.good │ ├── print-smt-none.kquery │ └── print-smt-none.smt2.good ├── Feature │ ├── Alias.c │ ├── AliasFunction.c │ ├── AliasFunctionExit.c │ ├── BFSSearcher.c │ ├── BitcastAlias.ll │ ├── BitcastAliasMD2U.ll │ ├── ByteSwap.c │ ├── CallToUndefinedExternal.cpp │ ├── CheckForImpliedValue.c.failing │ ├── CheckMemoryAccess.c │ ├── CompressedExprLogging.c │ ├── ConstantStruct.ll │ ├── CopyOnWrite.c │ ├── DanglingConcreteReadExpr.c │ ├── DefineFixedObject.c │ ├── DeterministicSwitch.c │ ├── DoubleFree.c │ ├── DumpStatesOnHalt.c │ ├── EntryPoint.c │ ├── Envp.c │ ├── ExitOnErrorType.c │ ├── ExprLogging.c │ ├── ExternalWeakLinkage.c │ ├── Float.c │ ├── FloatingPt.c │ ├── FunctionPointer.c │ ├── GetElementPtr.ll │ ├── GetValue.c │ ├── ImpliedValue.c.failing │ ├── InAndOutOfBounds.c │ ├── IndirectCallToBuiltin.c │ ├── IndirectCallToExternal.c │ ├── InsertExtractValue.ll │ ├── IntrinsicTrap.ll │ ├── InvalidBitfieldAccess.c.failing │ ├── IsSymbolic.c │ ├── KleeReportError.c │ ├── LargeReturnTypes.cpp │ ├── LinkLLVMLib.c │ ├── LoggingInstructions.c │ ├── LongDouble.c │ ├── LongDoubleSupport.c │ ├── LowerSwitch.c │ ├── MakeConcreteSymbolic.c │ ├── MakeSymbolicName.c │ ├── MemoryLimit.c │ ├── MultiMkSym.c │ ├── MultipleFreeResolution.c │ ├── MultipleReadResolution.c │ ├── MultipleReallocResolution.c │ ├── MultipleWriteResolution.c │ ├── NamedSeedMatching.c │ ├── NonSizedGlobals.c │ ├── OneFreeError.c │ ├── OneOutOfBounds.c │ ├── Optimize.c │ ├── Overflow.ll │ ├── OverflowMul.ll │ ├── OverlappedError.c │ ├── OvershiftCheck.c │ ├── PreferCex.c │ ├── RaiseAsm.c │ ├── Realloc.c │ ├── ReplayPath.c │ ├── RewriteEqualities.c │ ├── Searchers.c │ ├── SetForking.c │ ├── SilentKleeAssume.c │ ├── SolverTimeout.c │ ├── SourceMapping.c │ ├── StatesCoveringNew.c │ ├── VarArgLongDouble.c │ ├── Vararg.c │ ├── WithLibc.c │ ├── WriteCov.c │ ├── _utils._ll │ ├── arithmetic-right-overshift-sym-conc.c │ ├── consecutive_divide_by_zero.c │ ├── const_array_opt1.c │ ├── left-overshift-sym-conc.c │ ├── logical-right-overshift-sym-conc.c │ ├── srem.c │ ├── ubsan_signed_overflow.c │ ├── ubsan_unsigned_overflow.c │ └── utils.h ├── Floats │ ├── absorbing_add.c │ ├── absorbing_add_infeasible.c │ ├── absorbing_sub.c │ ├── absorbing_sub_infeasible.c │ ├── fabs_double_symbolic.c │ ├── fabs_float_symbolic.c │ ├── fabs_long_double_symbolic.c │ ├── fegetround_fesetround.c │ ├── fegetround_fesetround_external_call.c │ ├── fegetround_fesetround_symbolic.c │ ├── float_classify.c │ ├── float_classify_double.c │ ├── float_classify_long_double.c │ ├── float_module_constants.c │ ├── fneg.c │ ├── fpext_single_to_double.c │ ├── fptosi_simple.c │ ├── fptoui_simple.c │ ├── fptoui_simple2.c │ ├── fptrunc_double_to_single.c │ ├── get_and_set_rounding_mode_symbolic.c │ ├── get_and_set_rounding_mode_with_klee_runtime.c │ ├── internal_fabs_double.c │ ├── internal_fabs_double_symbolic.c │ ├── internal_fabs_float.c │ ├── internal_fabs_float_symbolic.c │ ├── internal_fabs_long_double.c │ ├── internal_fabs_long_double_symbolic.c │ ├── internal_sqrt_double.c │ ├── internal_sqrt_double_symbolic.c │ ├── internal_sqrt_float.c │ ├── internal_sqrt_float_symbolic.c │ ├── internal_sqrt_long_double.c │ ├── internal_sqrt_long_double_symbolic.c │ ├── isinf_double.c │ ├── isinf_double_no_fork.c │ ├── isinf_float.c │ ├── isinf_float_no_fork.c │ ├── isinf_long_double.c │ ├── isinf_long_double_no_fork.c │ ├── isnan_double.c │ ├── isnan_long_double.c │ ├── isnanf.c │ ├── isnormal_double.c │ ├── isnormal_float.c │ ├── isnormal_long_double.c │ ├── issubnormal_double.c │ ├── issubnormal_float.c │ ├── issubnormal_long_double.c │ ├── long_double_aligned_access.c │ ├── long_double_make_symbolic.c │ ├── long_double_memcpy.c │ ├── long_double_unnormal_arith.c │ ├── long_double_unnormal_cast.c │ ├── long_double_unnormal_cmp.c │ ├── memcpy_and_check_double.c │ ├── memcpy_and_check_float.c │ ├── memcpy_and_use_as_bitvector_float.c │ ├── set_rounding_mode_fail_external_call.c │ ├── simple_div.c │ ├── simple_mix_float_int.c │ ├── simple_mul.c │ ├── sitofp_simple.c │ ├── sqrt_double_symbolic.c │ ├── sqrt_float_symbolic.c │ ├── sqrt_long_double_symbolic.c │ └── uitofp_simple.c ├── Intrinsics │ ├── objectsize.ll │ └── objectsize.llvm29.ll ├── Makefile ├── Makefile.tests ├── Merging │ ├── batching_break.c │ ├── easy_merge.c │ ├── indirect_value.c │ ├── loop_merge.c │ ├── merge_fail.c │ ├── nested_merge.c │ ├── split_merge.c │ └── unexpected_close.c ├── Programs │ └── pcregrep.c ├── README ├── Replay │ └── libkleeruntest │ │ ├── replay_invalid_klee_assume.c │ │ ├── replay_invalid_klee_choose.c │ │ ├── replay_invalid_klee_range.c │ │ ├── replay_invalid_num_objects.c │ │ ├── replay_invalid_object_names.c │ │ ├── replay_invalid_object_size.c │ │ ├── replay_posix_runtime.c │ │ ├── replay_simple.c │ │ └── replay_two_objects.c ├── Runtime │ ├── POSIX │ │ ├── DirConsistency.c │ │ ├── DirSeek.c │ │ ├── FDNumbers.c │ │ ├── FD_Fail.c │ │ ├── FD_Fail2.c │ │ ├── Fcntl.c │ │ ├── FilePerm.c │ │ ├── FreeArgv.c │ │ ├── Futimesat.c │ │ ├── Getenv.c │ │ ├── Ioctl.c │ │ ├── Isatty.c │ │ ├── Openat.c │ │ ├── PrgName.c │ │ ├── Read1.c │ │ ├── SELinux │ │ │ ├── SELinux.c │ │ │ └── lit.local.cfg │ │ ├── SeedAndFail.c │ │ ├── Stdin.c │ │ ├── Write1.c │ │ ├── Write2.c │ │ └── lit.local.cfg │ └── Uclibc │ │ ├── 2007-10-08-optimization-calls-wrong-libc-functions.c │ │ ├── 2008-03-04-libc-atexit-uses-dso-handle.c │ │ ├── Environ.c │ │ └── lit.local.cfg ├── Solver │ ├── 2016-04-12-array-parsing-bug.kquery │ ├── AShr_to_smtlib.kquery │ ├── AShr_to_smtlib.kquery.good.smt2 │ ├── FastCexSolver.kquery │ ├── LargeIntegers.kquery │ ├── lit.local.cfg │ ├── overshift-aright-by-constant.kquery │ ├── overshift-aright-by-symbolic.kquery │ ├── overshift-left-by-constant.kquery │ ├── overshift-left-by-symbolic.kquery │ ├── overshift-lright-by-constant.kquery │ └── overshift-lright-by-symbolic.kquery ├── TestRunner.sh ├── Vector │ ├── extract_element.c │ ├── extract_element_out_of_bounds.c │ ├── extract_element_symbolic.c │ ├── float_vector_constant.ll │ ├── insert_element.c │ ├── insert_element_out_of_bounds.c │ ├── insert_element_symbolic.c │ └── shuffle_element.c ├── lit.cfg ├── lit.site.cfg.in └── regression │ ├── 2007-07-25-invalid-stp-array-binding-to-objectstate.c │ ├── 2007-07-30-unflushed-byte.c │ ├── 2007-08-01-bool-zext-in-call.ll │ ├── 2007-08-01-cache-unclear-on-overwrite-flushed.c │ ├── 2007-08-06-64bit-shift.c │ ├── 2007-08-06-access-after-free.c │ ├── 2007-08-08-free-zero.c │ ├── 2007-08-16-invalid-constant-value.c │ ├── 2007-08-16-valid-write-to-freed-object.c │ ├── 2007-10-11-free-of-alloca.c │ ├── 2007-10-11-illegal-access-after-free-and-branch.c │ ├── 2007-10-12-failed-make-symbolic-after-copy.c │ ├── 2008-03-04-free-of-global.c │ ├── 2008-03-11-free-of-malloc-zero.c │ ├── 2008-04-10-bad-alloca-free.c │ ├── 2008-05-23-gep-with-global-const.c │ ├── 2012-05-13-asm-causes-aborts.c │ ├── 2014-07-04-unflushed-error-report.c │ ├── 2014-12-08-ashr.c │ ├── 2015-06-22-struct-write.c │ ├── 2015-08-30-empty-constraints.c │ ├── 2015-08-30-sdiv-1.c │ ├── 2016-03-22-independence-solver-missing-objects-for-assignment.kquery │ ├── 2016-04-14-sdiv-2.c │ ├── 2016-06-28-div-zero-bug.c │ ├── 2016-08-06-klee-get-obj-size.c │ ├── 2016-08-11-entry-point-internalize-pass.c │ ├── 2016-08-12-empty-file.c │ ├── 2016-11-24-bitcast-weak-alias.c │ ├── 2016-12-14-alloc-alignment.c │ ├── 2017-02-21-pathOS-id.c │ └── lit.local.cfg ├── tools ├── CMakeLists.txt ├── Makefile ├── gen-random-bout │ ├── CMakeLists.txt │ ├── Makefile │ └── gen-random-bout.cpp ├── kleaver │ ├── CMakeLists.txt │ ├── Makefile │ └── main.cpp ├── klee-replay │ ├── CMakeLists.txt │ ├── Makefile │ ├── fd_init.c │ ├── file-creator.c │ ├── klee-replay.c │ ├── klee-replay.h │ └── klee_init_env.c ├── klee-stats │ ├── CMakeLists.txt │ ├── Makefile │ └── klee-stats ├── klee │ ├── CMakeLists.txt │ ├── Debug.cpp │ ├── Makefile │ └── main.cpp └── ktest-tool │ ├── CMakeLists.txt │ ├── Makefile │ └── ktest-tool ├── unittests ├── Assignment │ ├── AssignmentTest.cpp │ ├── CMakeLists.txt │ └── Makefile ├── CMakeLists.txt ├── Expr │ ├── CMakeLists.txt │ ├── ExprTest.cpp │ └── Makefile ├── Makefile ├── Ref │ ├── CMakeLists.txt │ ├── Makefile │ └── RefTest.cpp ├── Solver │ ├── CMakeLists.txt │ ├── ExprSolverConsistencyTest.cpp │ ├── Makefile │ └── SolverTest.cpp ├── TestMain.cpp ├── lit-unit-tests-common.cfg └── lit-unit-tests-common.site.cfg.in └── utils ├── data └── Queries │ ├── pcresymperf-3.kquery │ └── pcresymperf-4.kquery ├── emacs └── klee-pc-mode.el ├── hacks ├── TreeGraphs │ ├── Animate.py │ ├── DumpTreeStream.py │ ├── Graphics │ │ ├── Canvas │ │ │ └── __init__.py │ │ ├── Geometry │ │ │ ├── Intersect2D.py │ │ │ ├── __init__.py │ │ │ ├── mat2.py │ │ │ ├── mat3.py │ │ │ ├── mat4.py │ │ │ ├── quat.py │ │ │ ├── vec2.py │ │ │ ├── vec3.py │ │ │ └── vec4.py │ │ └── __init__.py │ ├── README.txt │ ├── TreeGraph.py │ └── inputs │ │ ├── symPaths.ts │ │ └── symPaths6.ts └── fp_test │ ├── crash_clang34.cpp │ └── x87_fp80_vs_APFloat.cpp ├── sanitizers └── lsan.txt └── valgrind ├── README.txt ├── valgrind-llvm.supp └── valgrind-stp.supp /.clang-format: -------------------------------------------------------------------------------- 1 | --- 2 | BasedOnStyle: LLVM 3 | Standard: Cpp03 4 | ... 5 | -------------------------------------------------------------------------------- /.dockerignore: -------------------------------------------------------------------------------- 1 | .git 2 | autom4te.cache 3 | **/.*.swp 4 | scripts/patch_aachen.Dockerfile 5 | scripts/docker_aachen_build.sh 6 | scripts/patch_aachen.metadata.Dockerfile 7 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | * text=auto 2 | 3 | *.h text 4 | *.c text 5 | *.cpp text 6 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | Release/ 2 | Release+Asserts/ 3 | Debug/ 4 | Debug+Asserts/ 5 | Output/ 6 | 7 | cscope.* 8 | *~ 9 | 10 | *.log 11 | *.sum 12 | *.out 13 | *.status 14 | 15 | # In source build files 16 | docs/doxygen.cfg 17 | include/klee/Config/CompileTimeInfo.h 18 | *.config 19 | 20 | config.h 21 | site.exp 22 | 23 | # Site file for llvm-lit 24 | lit.site.cfg 25 | 26 | # Autoconf files 27 | autoconf/aclocal.m4 28 | autoconf/autom4te.cache/ 29 | autom4te.cache/ 30 | -------------------------------------------------------------------------------- /.travis/install-tcmalloc.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -x 2 | set -ev 3 | 4 | if [ ${USE_TCMALLOC:-0} -eq 1 ] ; then 5 | # Get tcmalloc release 6 | wget https://github.com/gperftools/gperftools/releases/download/gperftools-2.4/gperftools-2.4.tar.gz 7 | tar xfz gperftools-2.4.tar.gz 8 | cd gperftools-2.4 9 | ./configure --disable-dependency-tracking --disable-cpu-profiler --disable-heap-checker --disable-debugalloc --enable-minimal --prefix=/usr 10 | make 11 | sudo make install 12 | fi 13 | -------------------------------------------------------------------------------- /.travis/solvers.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -x 2 | # Make sure we exit if there is a failure 3 | set -e 4 | : ${SOLVERS?"Solvers must be specified"} 5 | 6 | SOLVER_LIST=$(echo "${SOLVERS}" | sed 's/:/ /') 7 | 8 | for solver in ${SOLVER_LIST}; do 9 | echo "Getting solver ${solver}" 10 | case ${solver} in 11 | STP) 12 | echo "STP" 13 | mkdir stp 14 | cd stp 15 | ${KLEE_SRC}/.travis/stp.sh 16 | cd ../ 17 | ;; 18 | Z3) 19 | # FIXME: Move this into its own script 20 | source ${KLEE_SRC}/.travis/sanitizer_flags.sh 21 | if [ "X${IS_SANITIZED_BUILD}" != "X0" ]; then 22 | echo "Error: Requested Sanitized build but Z3 being used is not sanitized" 23 | exit 1 24 | fi 25 | echo "Z3" 26 | # Should we install libz3-dbg too? 27 | sudo apt-get -y install libz3 libz3-dev 28 | ;; 29 | metaSMT) 30 | echo "metaSMT" 31 | ${KLEE_SRC}/.travis/metaSMT.sh 32 | ;; 33 | *) 34 | echo "Unknown solver ${solver}" 35 | exit 1 36 | esac 37 | done 38 | -------------------------------------------------------------------------------- /MetaSMT.mk: -------------------------------------------------------------------------------- 1 | # This file contains common code for linking against MetaSMT 2 | # 3 | # Consume flags generated by metaSMT here. 4 | ifeq ($(ENABLE_METASMT),1) 5 | include $(METASMT_ROOT)/share/metaSMT/metaSMT.makefile 6 | LD.Flags += $(metaSMT_LDFLAGS) 7 | CXX.Flags += -DMETASMT_DEFAULT_BACKEND_IS_$(METASMT_DEFAULT_BACKEND) 8 | CXX.Flags += $(metaSMT_CXXFLAGS) 9 | CXX.Flags += $(metaSMT_INCLUDES) 10 | CXX.Flags := $(filter-out -fno-exceptions,$(CXX.Flags)) 11 | CXX.Flags := $(filter-out -fno-rtti,$(CXX.Flags)) 12 | LIBS += $(metaSMT_LDLIBS) 13 | endif 14 | -------------------------------------------------------------------------------- /cmake/string_to_list.cmake: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | 10 | function(string_to_list s output_var) 11 | string(REPLACE " " ";" _output "${s}") 12 | set(${output_var} ${_output} PARENT_SCOPE) 13 | endfunction() 14 | -------------------------------------------------------------------------------- /docs/SMT-COMP/QF_AUFBV.smt: -------------------------------------------------------------------------------- 1 | (logic QF_AUFBV 2 | 3 | :written_by {Clark Barrett} 4 | :date {May 7, 2007} 5 | 6 | :theory BV_ArraysEx 7 | 8 | :language 9 | "Closed quantifier-free formulas built over an arbitrary expansion of the 10 | BV_ArraysEx signature with free function and predicate symbols over 11 | the sorts of BV_ArraysEx. Formulas in ite terms must satisfy the same 12 | restriction as well, with the exception that they need not be closed (because 13 | they may be in the scope of a let expression). 14 | " 15 | :extensions 16 | "As in the logic QF_BV." 17 | ) 18 | 19 | 20 | -------------------------------------------------------------------------------- /docs/intro: -------------------------------------------------------------------------------- 1 | /// @mainpage KLEE 2 | /// 3 | /// @section main_intro Introduction 4 | /// Welcome to KLEE. KLEE is a symbolic execution engine that works on LLVM 5 | /// bitcode. 6 | /// 7 | /// @section Documentation 8 | /// The documentation of KLEE is composed of the Doxygen documentation 9 | /// of the code as well as the following documents: 10 | /// - @subpage overview 11 | -------------------------------------------------------------------------------- /examples/get_sign/get_sign.c: -------------------------------------------------------------------------------- 1 | /* 2 | * First KLEE tutorial: testing a small function 3 | */ 4 | 5 | #include 6 | 7 | int get_sign(int x) { 8 | if (x == 0) 9 | return 0; 10 | 11 | if (x < 0) 12 | return -1; 13 | else 14 | return 1; 15 | } 16 | 17 | int main() { 18 | int a; 19 | klee_make_symbolic(&a, sizeof(a), "a"); 20 | return get_sign(a); 21 | } 22 | -------------------------------------------------------------------------------- /examples/islower/islower.c: -------------------------------------------------------------------------------- 1 | /* 2 | * First KLEE tutorial: testing a small function 3 | */ 4 | 5 | #include 6 | 7 | int my_islower(int x) { 8 | if (x >= 'a' && x <= 'z') 9 | return 1; 10 | else return 0; 11 | } 12 | 13 | int main() { 14 | char c; 15 | klee_make_symbolic(&c, sizeof(c), "input"); 16 | return my_islower(c); 17 | } 18 | -------------------------------------------------------------------------------- /examples/regexp/notes.txt: -------------------------------------------------------------------------------- 1 | clang -m32 -I ~/private/klee/include -c -emit-llvm Regexp.c 2 | 3 | klee Regexp.o 4 | klee --only-output-states-covering-new Regexp.o 5 | ls -l klee-out-0 6 | ls -l klee-out-1 7 | ls -l klee-last 8 | 9 | cd klee-last 10 | klee-bout-tool *.bout 11 | klee-bout-tool --trim-zeros *.bout 12 | 13 | Stuff to show: 14 | Adding klee_prefer_cex 15 | 16 | PrintStats.py klee-last 17 | 18 | PrintStats.py klee-last 19 | Why not 100% coverage? 20 | 21 | clang -g -m32 -I ~/private/klee/include -c -emit-llvm Regexp.c 22 | 23 | KCachegrind? 24 | 25 | Disable klee_assume, show coverage again (why is klee-check-div getting pulled 26 | in?) 27 | -------------------------------------------------------------------------------- /include/klee/Config/CompileTimeInfo.h.cmin: -------------------------------------------------------------------------------- 1 | //===-- CompileTimeInfo.h ---------------------------------------*- C++ -*-===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | // @AUTO_GEN_MSG@ 11 | #ifndef KLEE_COMPILE_TIME_INFO_H 12 | #define KLEE_COMPILE_TIME_INFO_H 13 | 14 | #define KLEE_BUILD_MODE "@CMAKE_BUILD_TYPE@ (Asserts: @ENABLE_KLEE_ASSERTS@)" 15 | #define KLEE_BUILD_REVISION "@KLEE_GIT_SHA1HASH@" 16 | 17 | #endif 18 | -------------------------------------------------------------------------------- /include/klee/Config/Version.h: -------------------------------------------------------------------------------- 1 | //===-- Version.h -----------------------------------------------*- C++ -*-===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #ifndef KLEE_CONFIG_VERSION_H 11 | #define KLEE_CONFIG_VERSION_H 12 | 13 | #include "klee/Config/config.h" 14 | 15 | #define LLVM_VERSION(major, minor) (((major) << 8) | (minor)) 16 | #define LLVM_VERSION_CODE LLVM_VERSION(LLVM_VERSION_MAJOR, LLVM_VERSION_MINOR) 17 | 18 | #if LLVM_VERSION_CODE >= LLVM_VERSION(3, 0) 19 | # define LLVM_TYPE_Q 20 | #else 21 | # define LLVM_TYPE_Q const 22 | #endif 23 | 24 | #endif 25 | -------------------------------------------------------------------------------- /include/klee/Internal/Module/Cell.h: -------------------------------------------------------------------------------- 1 | //===-- Cell.h --------------------------------------------------*- C++ -*-===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #ifndef KLEE_CELL_H 11 | #define KLEE_CELL_H 12 | 13 | #include 14 | 15 | namespace klee { 16 | class MemoryObject; 17 | 18 | struct Cell { 19 | ref value; 20 | }; 21 | } 22 | 23 | #endif 24 | -------------------------------------------------------------------------------- /include/klee/Internal/README.txt: -------------------------------------------------------------------------------- 1 | This directory holds header files for things which are exposed as part 2 | of the internal API of a library, but shouldn't be exposed to 3 | externally. 4 | -------------------------------------------------------------------------------- /include/klee/Internal/Support/Debug.h: -------------------------------------------------------------------------------- 1 | //===-- Debug.h -------------------------------------------------*- C++ -*-===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #ifndef KLEE_INTERNAL_SUPPORT_DEBUG_H 11 | #define KLEE_INTERNAL_SUPPORT_DEBUG_H 12 | 13 | #include 14 | #include 15 | 16 | // We define wrappers around the LLVM DEBUG macros that are conditionalized on 17 | // whether the LLVM we are building against has the symbols needed by these 18 | // checks. 19 | 20 | #ifdef ENABLE_KLEE_DEBUG 21 | #define KLEE_DEBUG_WITH_TYPE(TYPE, X) DEBUG_WITH_TYPE(TYPE, X) 22 | #else 23 | #define KLEE_DEBUG_WITH_TYPE(TYPE, X) do { } while (0) 24 | #endif 25 | #define KLEE_DEBUG(X) KLEE_DEBUG_WITH_TYPE(DEBUG_TYPE, X) 26 | 27 | #endif 28 | -------------------------------------------------------------------------------- /include/klee/Internal/Support/PrintVersion.h: -------------------------------------------------------------------------------- 1 | //===-- Version.h -----------------------------------------------*- C++ -*-===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #ifndef KLEE_PRINT_VERSION_H 11 | #define KLEE_PRINT_VERSION_H 12 | 13 | namespace klee { 14 | void printVersion(); 15 | } 16 | 17 | #endif 18 | -------------------------------------------------------------------------------- /include/klee/Internal/Support/RoundingModeUtil.h: -------------------------------------------------------------------------------- 1 | //===-- RoundingModeUtil.h --------------------------------------*- C++ -*-===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | #ifndef KLEE_ROUNDING_MODE_UTIL_H 10 | #include "llvm/ADT/APFloat.h" 11 | 12 | namespace klee { 13 | 14 | int LLVMRoundingModeToCRoundingMode(llvm::APFloat::roundingMode rm); 15 | 16 | const char *LLVMRoundingModeToString(llvm::APFloat::roundingMode rm); 17 | } 18 | 19 | #endif 20 | -------------------------------------------------------------------------------- /include/klee/Internal/Support/Timer.h: -------------------------------------------------------------------------------- 1 | //===-- Timer.h -------------------------------------------------*- C++ -*-===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #ifndef KLEE_TIMER_H 11 | #define KLEE_TIMER_H 12 | 13 | #include 14 | 15 | namespace klee { 16 | class WallTimer { 17 | uint64_t startMicroseconds; 18 | 19 | public: 20 | WallTimer(); 21 | 22 | /// check - Return the delta since the timer was created, in microseconds. 23 | uint64_t check(); 24 | }; 25 | } 26 | 27 | #endif 28 | 29 | -------------------------------------------------------------------------------- /include/klee/Internal/System/MemoryUsage.h: -------------------------------------------------------------------------------- 1 | //===-- MemoryUsage.h -------------------------------------------*- C++ -*-===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #ifndef KLEE_UTIL_MEMORYUSAGE_H 11 | #define KLEE_UTIL_MEMORYUSAGE_H 12 | 13 | #include 14 | 15 | namespace klee { 16 | namespace util { 17 | size_t GetTotalMallocUsage(); 18 | } 19 | } 20 | 21 | #endif 22 | -------------------------------------------------------------------------------- /include/klee/Internal/System/Time.h: -------------------------------------------------------------------------------- 1 | //===-- Time.h --------------------------------------------------*- C++ -*-===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #ifndef KLEE_UTIL_TIME_H 11 | #define KLEE_UTIL_TIME_H 12 | 13 | #include 14 | 15 | namespace klee { 16 | namespace util { 17 | 18 | /// Seconds spent by this process in user mode. 19 | double getUserTime(); 20 | 21 | /// Wall time in seconds. 22 | double getWallTime(); 23 | 24 | /// Wall time as TimeValue object. 25 | llvm::sys::TimeValue getWallTimeVal(); 26 | } 27 | } 28 | 29 | #endif 30 | -------------------------------------------------------------------------------- /include/klee/TimerStatIncrementer.h: -------------------------------------------------------------------------------- 1 | //===-- TimerStatIncrementer.h ----------------------------------*- C++ -*-===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #ifndef KLEE_TIMERSTATINCREMENTER_H 11 | #define KLEE_TIMERSTATINCREMENTER_H 12 | 13 | #include "klee/Statistics.h" 14 | #include "klee/Internal/Support/Timer.h" 15 | 16 | namespace klee { 17 | class TimerStatIncrementer { 18 | private: 19 | WallTimer timer; 20 | Statistic &statistic; 21 | 22 | public: 23 | TimerStatIncrementer(Statistic &_statistic) : statistic(_statistic) {} 24 | ~TimerStatIncrementer() { 25 | statistic += timer.check(); 26 | } 27 | 28 | uint64_t check() { return timer.check(); } 29 | }; 30 | } 31 | 32 | #endif 33 | -------------------------------------------------------------------------------- /include/klee/util/APFloatEval.h: -------------------------------------------------------------------------------- 1 | //===-- APFloatEvalSqrt.h ---------------------------------------*- C++ -*-===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #ifndef KLEE_APFLOAT_EVAL_H 11 | #define KLEE_APFLOAT_EVAL_H 12 | #include "llvm/ADT/APFloat.h" 13 | 14 | namespace klee { 15 | 16 | llvm::APFloat evalSqrt(llvm::APFloat v, llvm::APFloat::roundingMode rm); 17 | 18 | #if defined(__x86_64__) || defined(__i386__) 19 | long double GetNativeX87FP80FromLLVMAPInt(const llvm::APInt &apint); 20 | llvm::APInt GetAPIntFromLongDouble(long double ld); 21 | #endif 22 | } 23 | #endif 24 | -------------------------------------------------------------------------------- /lib/Basic/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | klee_add_component(kleeBasic 10 | CmdLineOptions.cpp 11 | ConstructSolverChain.cpp 12 | KTest.cpp 13 | Statistics.cpp 14 | ) 15 | set(LLVM_COMPONENTS 16 | support 17 | ) 18 | 19 | klee_get_llvm_libs(LLVM_LIBS ${LLVM_COMPONENTS}) 20 | target_link_libraries(kleeBasic PUBLIC ${LLVM_LIBS}) 21 | 22 | target_link_libraries(kleeBasic PRIVATE 23 | # FIXME: THIS IS STUPID. 24 | # `ConstructSolverChain.cpp` should be in 25 | # `kleaverSolver` not in in `kleeBasic`. 26 | # We are creating a circular dependency because 27 | # of this because `kleaverSolver` depends on `kleeBasic`. 28 | kleaverSolver 29 | ) 30 | -------------------------------------------------------------------------------- /lib/Basic/Makefile: -------------------------------------------------------------------------------- 1 | #===-- lib/Basic/Makefile ----------------------------------*- Makefile -*--===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | 10 | LEVEL=../.. 11 | 12 | LIBRARYNAME=kleeBasic 13 | DONT_BUILD_RELINKED=1 14 | BUILD_ARCHIVE=1 15 | NO_INSTALL=1 16 | 17 | include $(LEVEL)/Makefile.common 18 | -------------------------------------------------------------------------------- /lib/Basic/README.txt: -------------------------------------------------------------------------------- 1 | This directory holds the most basic support facilities provided for 2 | both the klee and kleaver libraries. The code in this directory should 3 | have no dependencies on LLVM or any other klee libraries. 4 | -------------------------------------------------------------------------------- /lib/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | add_subdirectory(Basic) 10 | add_subdirectory(Support) 11 | add_subdirectory(Expr) 12 | add_subdirectory(Solver) 13 | add_subdirectory(Module) 14 | add_subdirectory(Core) 15 | -------------------------------------------------------------------------------- /lib/Core/Makefile: -------------------------------------------------------------------------------- 1 | #===-- lib/Core/Makefile -----------------------------------*- Makefile -*--===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | 10 | LEVEL=../.. 11 | 12 | LIBRARYNAME=kleeCore 13 | DONT_BUILD_RELINKED=1 14 | BUILD_ARCHIVE=1 15 | NO_INSTALL=1 16 | 17 | include $(LEVEL)/Makefile.common 18 | -------------------------------------------------------------------------------- /lib/Core/ObjectHolder.h: -------------------------------------------------------------------------------- 1 | //===-- ObjectHolder.h ------------------------------------------*- C++ -*-===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #ifndef KLEE_OBJECTHOLDER_H 11 | #define KLEE_OBJECTHOLDER_H 12 | 13 | namespace klee { 14 | class ObjectState; 15 | 16 | class ObjectHolder { 17 | ObjectState *os; 18 | 19 | public: 20 | ObjectHolder() : os(0) {} 21 | ObjectHolder(ObjectState *_os); 22 | ObjectHolder(const ObjectHolder &b); 23 | ~ObjectHolder(); 24 | 25 | ObjectHolder &operator=(const ObjectHolder &b); 26 | 27 | operator class ObjectState *() { return os; } 28 | operator class ObjectState *() const { return (ObjectState*) os; } 29 | }; 30 | } 31 | 32 | #endif 33 | 34 | -------------------------------------------------------------------------------- /lib/Core/UserSearcher.h: -------------------------------------------------------------------------------- 1 | //===-- UserSearcher.h ------------------------------------------*- C++ -*-===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #ifndef KLEE_USERSEARCHER_H 11 | #define KLEE_USERSEARCHER_H 12 | 13 | namespace klee { 14 | class Executor; 15 | class Searcher; 16 | 17 | // XXX gross, should be on demand? 18 | bool userSearcherRequiresMD2U(); 19 | 20 | void initializeSearchOptions(); 21 | 22 | Searcher *constructUserSearcher(Executor &executor); 23 | } 24 | 25 | #endif 26 | -------------------------------------------------------------------------------- /lib/Expr/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | klee_add_component(kleaverExpr 10 | APFloatEval.cpp 11 | ArrayCache.cpp 12 | Assigment.cpp 13 | Constraints.cpp 14 | ExprBuilder.cpp 15 | Expr.cpp 16 | ExprEvaluator.cpp 17 | ExprPPrinter.cpp 18 | ExprSMTLIBPrinter.cpp 19 | ExprUtil.cpp 20 | ExprVisitor.cpp 21 | FindArrayAckermannizationVisitor.cpp 22 | Lexer.cpp 23 | Parser.cpp 24 | Updates.cpp 25 | ) 26 | 27 | set(LLVM_COMPONENTS 28 | support 29 | ) 30 | klee_get_llvm_libs(LLVM_LIBS ${LLVM_COMPONENTS}) 31 | # FIXME: Refactor some of this x87 fp80 stuff out into kleeSupport so we don't need to depend on kleeSupport. 32 | target_link_libraries(kleaverExpr PUBLIC kleeSupport ${LLVM_LIBS}) 33 | -------------------------------------------------------------------------------- /lib/Expr/Makefile: -------------------------------------------------------------------------------- 1 | #===-- lib/Expr/Makefile -----------------------------------*- Makefile -*--===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | 10 | LEVEL=../.. 11 | 12 | LIBRARYNAME=kleaverExpr 13 | DONT_BUILD_RELINKED=1 14 | BUILD_ARCHIVE=1 15 | NO_INSTALL=1 16 | 17 | include $(LEVEL)/Makefile.common 18 | -------------------------------------------------------------------------------- /lib/Makefile: -------------------------------------------------------------------------------- 1 | #===-- lib/Makefile ----------------------------------------*- Makefile -*--===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | 10 | LEVEL=.. 11 | 12 | PARALLEL_DIRS=Basic Support Expr Solver Module Core 13 | 14 | include $(LEVEL)/Makefile.common 15 | -------------------------------------------------------------------------------- /lib/Module/KInstruction.cpp: -------------------------------------------------------------------------------- 1 | //===-- KInstruction.cpp --------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #include "klee/Internal/Module/KInstruction.h" 11 | 12 | using namespace llvm; 13 | using namespace klee; 14 | 15 | /***/ 16 | 17 | KInstruction::~KInstruction() { 18 | delete[] operands; 19 | } 20 | 21 | void KInstruction::printFileLine(llvm::raw_ostream &debugFile) { 22 | if (info->file != "") 23 | debugFile << info->file << ":" << info->line; 24 | else 25 | debugFile << "[no debug info]"; 26 | } 27 | -------------------------------------------------------------------------------- /lib/Module/Makefile: -------------------------------------------------------------------------------- 1 | #===-- lib/Module/Makefile ---------------------------------*- Makefile -*--===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | 10 | LEVEL=../.. 11 | 12 | LIBRARYNAME=kleeModule 13 | DONT_BUILD_RELINKED=1 14 | BUILD_ARCHIVE=1 15 | NO_INSTALL=1 16 | 17 | include $(LEVEL)/Makefile.common 18 | -------------------------------------------------------------------------------- /lib/README.txt: -------------------------------------------------------------------------------- 1 | The klee and kleaver code is organized as follows: 2 | 3 | lib/Basic - Low level support for both klee and kleaver which should 4 | be independent of LLVM. 5 | 6 | lib/Support - Higher level support, but only used by klee. This can 7 | use LLVM facilities. 8 | 9 | lib/Expr - The core kleaver expression library. 10 | 11 | lib/Solver - The kleaver solver library. 12 | 13 | lib/Module - klee facilities for working with LLVM modules, including 14 | the shadow module/instruction structures we use during 15 | execution. 16 | 17 | lib/Core - The core symbolic virtual machine. 18 | 19 | -------------------------------------------------------------------------------- /lib/Solver/Makefile: -------------------------------------------------------------------------------- 1 | #===-- lib/Solver/Makefile ---------------------------------*- Makefile -*--===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | 10 | LEVEL=../.. 11 | 12 | LIBRARYNAME=kleaverSolver 13 | DONT_BUILD_RELINKED=1 14 | BUILD_ARCHIVE=1 15 | NO_INSTALL=1 16 | 17 | include $(LEVEL)/Makefile.common 18 | 19 | include $(PROJ_SRC_ROOT)/MetaSMT.mk 20 | 21 | -------------------------------------------------------------------------------- /lib/Support/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | klee_add_component(kleeSupport 10 | CompressionStream.cpp 11 | ErrorHandling.cpp 12 | MemoryUsage.cpp 13 | PrintVersion.cpp 14 | RNG.cpp 15 | RoundingModeUtil.cpp 16 | Time.cpp 17 | Timer.cpp 18 | TreeStream.cpp 19 | ) 20 | 21 | target_link_libraries(kleeSupport PRIVATE ${ZLIB_LIBRARIES}) 22 | 23 | set(LLVM_COMPONENTS 24 | support 25 | ) 26 | klee_get_llvm_libs(LLVM_LIBS ${LLVM_COMPONENTS}) 27 | target_link_libraries(kleeSupport PUBLIC ${LLVM_LIBS}) 28 | -------------------------------------------------------------------------------- /lib/Support/README.txt: -------------------------------------------------------------------------------- 1 | This directory holds basic support facilities (data structures, 2 | utilities, etc.) used by klee. 3 | -------------------------------------------------------------------------------- /lib/Support/Time.cpp: -------------------------------------------------------------------------------- 1 | //===-- Time.cpp ----------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #include "klee/Config/Version.h" 11 | #include "klee/Internal/System/Time.h" 12 | 13 | #include "llvm/Support/TimeValue.h" 14 | #include "llvm/Support/Process.h" 15 | 16 | using namespace llvm; 17 | using namespace klee; 18 | 19 | double util::getUserTime() { 20 | sys::TimeValue now(0,0),user(0,0),sys(0,0); 21 | sys::Process::GetTimeUsage(now,user,sys); 22 | return (user.seconds() + (double) user.nanoseconds() * 1e-9); 23 | } 24 | 25 | double util::getWallTime() { 26 | sys::TimeValue now = getWallTimeVal(); 27 | return (now.seconds() + ((double) now.nanoseconds() * 1e-9)); 28 | } 29 | 30 | sys::TimeValue util::getWallTimeVal() { 31 | return sys::TimeValue::now(); 32 | } 33 | -------------------------------------------------------------------------------- /lib/Support/Timer.cpp: -------------------------------------------------------------------------------- 1 | //===-- Timer.cpp ---------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #include "klee/Config/Version.h" 11 | #include "klee/Internal/Support/Timer.h" 12 | 13 | #include "klee/Internal/System/Time.h" 14 | 15 | using namespace klee; 16 | using namespace llvm; 17 | 18 | WallTimer::WallTimer() { 19 | startMicroseconds = util::getWallTimeVal().usec(); 20 | } 21 | 22 | uint64_t WallTimer::check() { 23 | return util::getWallTimeVal().usec() - startMicroseconds; 24 | } 25 | -------------------------------------------------------------------------------- /runtime/Intrinsic/Makefile.cmake.bitcode: -------------------------------------------------------------------------------- 1 | #===--------------------------------------------------------*- Makefile -*--===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | LEVEL := ../ 10 | 11 | include $(LEVEL)/Makefile.cmake.bitcode.config 12 | 13 | LLVMCC.Flags += -fno-builtin 14 | 15 | # FIXME: This is a horrible hack 16 | ifeq ($(USE_MODULE_INSTEAD_OF_BCA),1) 17 | MODULE_NAME=kleeRuntimeIntrinsic 18 | else 19 | ARCHIVE_NAME=kleeRuntimeIntrinsic 20 | endif 21 | 22 | include $(LEVEL)/Makefile.cmake.bitcode.rules 23 | -------------------------------------------------------------------------------- /runtime/Intrinsic/fabs.c: -------------------------------------------------------------------------------- 1 | /*===-- fabs.c ------------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | #include "klee/klee.h" 10 | 11 | double klee_internal_fabs(double d) { 12 | return klee_abs_double(d); 13 | } 14 | 15 | float klee_internal_fabsf(float f) { 16 | return klee_abs_float(f); 17 | } 18 | 19 | #if defined(__x86_64__) || defined(__i386__) 20 | long double klee_internal_fabsl(long double f) { 21 | return klee_abs_long_double(f); 22 | } 23 | #endif 24 | -------------------------------------------------------------------------------- /runtime/Intrinsic/klee_div_zero_check.c: -------------------------------------------------------------------------------- 1 | //===-- klee_div_zero_check.c ---------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #include 11 | 12 | void klee_div_zero_check(long long z) { 13 | if (z == 0) 14 | klee_report_error(__FILE__, __LINE__, "divide by zero", "div.err"); 15 | } 16 | -------------------------------------------------------------------------------- /runtime/Intrinsic/klee_int.c: -------------------------------------------------------------------------------- 1 | //===-- klee_int.c --------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #include 11 | #include "klee/klee.h" 12 | 13 | int klee_int(const char *name) { 14 | int x; 15 | klee_make_symbolic(&x, sizeof x, name); 16 | return x; 17 | } 18 | -------------------------------------------------------------------------------- /runtime/Intrinsic/klee_range.c: -------------------------------------------------------------------------------- 1 | //===-- klee_range.c ------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #include 11 | #include 12 | 13 | int klee_range(int start, int end, const char* name) { 14 | int x; 15 | 16 | if (start >= end) 17 | klee_report_error(__FILE__, __LINE__, "invalid range", "user"); 18 | 19 | if (start+1==end) { 20 | return start; 21 | } else { 22 | klee_make_symbolic(&x, sizeof x, name); 23 | 24 | /* Make nicer constraint when simple... */ 25 | if (start==0) { 26 | klee_assume((unsigned) x < (unsigned) end); 27 | } else { 28 | klee_assume(start <= x); 29 | klee_assume(x < end); 30 | } 31 | 32 | return x; 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /runtime/Intrinsic/memcpy.c: -------------------------------------------------------------------------------- 1 | //===-- memcpy.c ----------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #include 11 | 12 | __attribute__((weak)) void *memcpy(void *destaddr, void const *srcaddr, size_t len) { 13 | char *dest = destaddr; 14 | char const *src = srcaddr; 15 | 16 | while (len-- > 0) 17 | *dest++ = *src++; 18 | return destaddr; 19 | } 20 | -------------------------------------------------------------------------------- /runtime/Intrinsic/memmove.c: -------------------------------------------------------------------------------- 1 | //===-- memmove.c ---------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #include 11 | 12 | __attribute__((weak)) void *memmove(void *dst, const void *src, size_t count) { 13 | char *a = dst; 14 | const char *b = src; 15 | 16 | if (src == dst) 17 | return dst; 18 | 19 | if (src>dst) { 20 | while (count--) *a++ = *b++; 21 | } else { 22 | a+=count-1; 23 | b+=count-1; 24 | while (count--) *a-- = *b--; 25 | } 26 | 27 | return dst; 28 | } 29 | -------------------------------------------------------------------------------- /runtime/Intrinsic/mempcpy.c: -------------------------------------------------------------------------------- 1 | //===-- mempcpy.c ---------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #include 11 | __attribute__((weak)) void *mempcpy(void *destaddr, void const *srcaddr, size_t len) { 12 | char *dest = destaddr; 13 | char const *src = srcaddr; 14 | 15 | while (len-- > 0) 16 | *dest++ = *src++; 17 | return dest; 18 | } 19 | -------------------------------------------------------------------------------- /runtime/Intrinsic/memset.c: -------------------------------------------------------------------------------- 1 | //===-- memset.c ----------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #include 11 | __attribute__ ((weak)) void *memset(void * dst, int s, size_t count) { 12 | volatile char * a = dst; 13 | while (count-- > 0) 14 | *a++ = s; 15 | return dst; 16 | } 17 | -------------------------------------------------------------------------------- /runtime/Intrinsic/sqrt.c: -------------------------------------------------------------------------------- 1 | /*===-- sqrt.c ------------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | #include "klee/klee.h" 10 | 11 | double klee_internal_sqrt(double d) { 12 | return klee_sqrt_double(d); 13 | } 14 | 15 | float klee_internal_sqrtf(float f) { 16 | return klee_sqrt_float(f); 17 | } 18 | 19 | #if defined(__x86_64__) || defined(__i386__) 20 | long double klee_internal_sqrtl(long double f) { 21 | return klee_sqrt_long_double(f); 22 | } 23 | #endif 24 | -------------------------------------------------------------------------------- /runtime/Makefile: -------------------------------------------------------------------------------- 1 | #===-- runtime/Makefile ------------------------------------*- Makefile -*--===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | 10 | # 11 | # Relative path to the top of the source tree. 12 | # 13 | LEVEL=.. 14 | 15 | # 16 | # List all of the subdirectories that we will compile. 17 | # 18 | PARALLEL_DIRS=Intrinsic klee-libc Runtest 19 | 20 | include $(LEVEL)/Makefile.config 21 | 22 | ifeq ($(ENABLE_POSIX_RUNTIME),1) 23 | PARALLEL_DIRS += POSIX 24 | endif 25 | 26 | ifeq ($(ENABLE_UCLIBC),1) 27 | PARALLEL_DIRS += klee-uclibc 28 | endif 29 | 30 | include $(LEVEL)/Makefile.common 31 | -------------------------------------------------------------------------------- /runtime/Makefile.cmake.bitcode: -------------------------------------------------------------------------------- 1 | #===--------------------------------------------------------*- Makefile -*--===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | LEVEL := ./ 10 | include $(LEVEL)/Makefile.cmake.bitcode.config 11 | 12 | DIRS += Intrinsic 13 | DIRS += klee-libc 14 | ifneq ($(ENABLE_POSIX_RUNTIME),0) 15 | DIRS += POSIX 16 | endif 17 | 18 | include $(LEVEL)/Makefile.cmake.bitcode.rules 19 | -------------------------------------------------------------------------------- /runtime/POSIX/Makefile: -------------------------------------------------------------------------------- 1 | #===-- runtime/POSIX/Makefile ------------------------------*- Makefile -*--===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | 10 | LEVEL=../.. 11 | 12 | LIBRARYNAME=kleeRuntimePOSIX 13 | DONT_BUILD_RELINKED=1 14 | BYTECODE_LIBRARY=1 15 | # Don't strip debug info from the module. 16 | DEBUG_RUNTIME=1 17 | NO_PEDANTIC=1 18 | NO_BUILD_ARCHIVE=1 19 | 20 | include $(LEVEL)/Makefile.common 21 | -------------------------------------------------------------------------------- /runtime/POSIX/Makefile.cmake.bitcode: -------------------------------------------------------------------------------- 1 | #===--------------------------------------------------------*- Makefile -*--===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | LEVEL := ../ 10 | 11 | include $(LEVEL)/Makefile.cmake.bitcode.config 12 | 13 | ARCHIVE_NAME=kleeRuntimePOSIX 14 | 15 | include $(LEVEL)/Makefile.cmake.bitcode.rules 16 | -------------------------------------------------------------------------------- /runtime/Runtest/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | 10 | add_library(kleeRuntest SHARED 11 | intrinsics.c 12 | # HACK: 13 | ${CMAKE_SOURCE_DIR}/lib/Basic/KTest.cpp 14 | ) 15 | # Increment version appropriately if ABI/API changes, more details: 16 | # http://tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html#AEN135 17 | set(KLEE_RUNTEST_VERSION 1.0) 18 | set_target_properties(kleeRuntest 19 | PROPERTIES 20 | VERSION ${KLEE_RUNTEST_VERSION} 21 | SOVERSION ${KLEE_RUNTEST_VERSION} 22 | ) 23 | 24 | install(TARGETS kleeRuntest 25 | DESTINATION "${CMAKE_INSTALL_FULL_LIBDIR}") 26 | -------------------------------------------------------------------------------- /runtime/klee-libc/Makefile.cmake.bitcode: -------------------------------------------------------------------------------- 1 | #===--------------------------------------------------------*- Makefile -*--===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | LEVEL := ../ 10 | 11 | include $(LEVEL)/Makefile.cmake.bitcode.config 12 | 13 | # Prevent glibc from inlining some definitions 14 | # of builtins 15 | LLVMCC.Flags += -D__NO_INLINE__ 16 | 17 | # FIXME: This is a horrible hack 18 | ifeq ($(USE_MODULE_INSTEAD_OF_BCA),1) 19 | MODULE_NAME=klee-libc 20 | else 21 | ARCHIVE_NAME=klee-libc 22 | endif 23 | 24 | include $(LEVEL)/Makefile.cmake.bitcode.rules 25 | -------------------------------------------------------------------------------- /runtime/klee-libc/abort.c: -------------------------------------------------------------------------------- 1 | /*===-- abort.c -----------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | #include 11 | 12 | #include "klee/klee.h" 13 | 14 | void abort(void) { 15 | klee_abort(); 16 | } 17 | -------------------------------------------------------------------------------- /runtime/klee-libc/atexit.c: -------------------------------------------------------------------------------- 1 | /*==-- atexit.c ----------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | int __cxa_atexit(void (*fn)(void*), 11 | void *arg, 12 | void *dso_handle); 13 | 14 | int atexit(void (*fn)(void)) { 15 | return __cxa_atexit((void(*)(void*)) fn, 0, 0); 16 | } 17 | -------------------------------------------------------------------------------- /runtime/klee-libc/klee-choose.c: -------------------------------------------------------------------------------- 1 | /*===-- klee-choose.c -----------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | #include "klee/klee.h" 11 | 12 | uintptr_t klee_choose(uintptr_t n) { 13 | uintptr_t x; 14 | klee_make_symbolic(&x, sizeof x, "klee_choose"); 15 | 16 | /* NB: this will *not* work if they don't compare to n values. */ 17 | if(x >= n) 18 | klee_silent_exit(0); 19 | return x; 20 | } 21 | -------------------------------------------------------------------------------- /runtime/klee-libc/memcpy.c: -------------------------------------------------------------------------------- 1 | /*===-- memcpy.c ----------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | #include 11 | 12 | void *memcpy(void *destaddr, void const *srcaddr, size_t len) { 13 | char *dest = destaddr; 14 | char const *src = srcaddr; 15 | 16 | while (len-- > 0) 17 | *dest++ = *src++; 18 | return destaddr; 19 | } 20 | -------------------------------------------------------------------------------- /runtime/klee-libc/memmove.c: -------------------------------------------------------------------------------- 1 | /*===-- memmove.c ---------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | #include 11 | 12 | void *memmove(void *dst, const void *src, size_t count) { 13 | char *a = dst; 14 | const char *b = src; 15 | 16 | if (src == dst) 17 | return dst; 18 | 19 | if (src>dst) { 20 | while (count--) *a++ = *b++; 21 | } else { 22 | a+=count-1; 23 | b+=count-1; 24 | while (count--) *a-- = *b--; 25 | } 26 | 27 | return dst; 28 | } 29 | -------------------------------------------------------------------------------- /runtime/klee-libc/mempcpy.c: -------------------------------------------------------------------------------- 1 | /*===-- mempcpy.c ---------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | #include 11 | 12 | void *mempcpy(void *destaddr, void const *srcaddr, size_t len) { 13 | char *dest = destaddr; 14 | char const *src = srcaddr; 15 | 16 | while (len-- > 0) 17 | *dest++ = *src++; 18 | return dest; 19 | } 20 | -------------------------------------------------------------------------------- /runtime/klee-libc/memset.c: -------------------------------------------------------------------------------- 1 | /*===-- memset.c ----------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | #include 11 | 12 | void *memset(void * dst, int s, size_t count) { 13 | char * a = dst; 14 | while (count-- > 0) 15 | *a++ = s; 16 | return dst; 17 | } 18 | -------------------------------------------------------------------------------- /runtime/klee-libc/putchar.c: -------------------------------------------------------------------------------- 1 | /*===-- putchar.c ---------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | #include 11 | #include 12 | 13 | /* Some header may #define putchar. */ 14 | #undef putchar 15 | 16 | int putchar(int c) { 17 | char x = c; 18 | if (1 == write(1, &x, 1)) 19 | return c; 20 | return EOF; 21 | } 22 | -------------------------------------------------------------------------------- /runtime/klee-libc/strchr.c: -------------------------------------------------------------------------------- 1 | /*===-- strchr.c ----------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | char *strchr(const char *p, int ch) { 11 | char c; 12 | 13 | c = ch; 14 | for (;; ++p) { 15 | if (*p == c) { 16 | return ((char *)p); 17 | } else if (*p == '\0') { 18 | return 0; 19 | } 20 | } 21 | /* NOTREACHED */ 22 | return 0; 23 | } 24 | -------------------------------------------------------------------------------- /runtime/klee-libc/strcmp.c: -------------------------------------------------------------------------------- 1 | /*===-- strcmp.c ----------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | int strcmp(const char *a, const char *b) { 11 | while (*a && *a == *b) 12 | ++a, ++b; 13 | return *a - *b; 14 | } 15 | -------------------------------------------------------------------------------- /runtime/klee-libc/strcoll.c: -------------------------------------------------------------------------------- 1 | /*===-- strcoll.c ---------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | #include 11 | 12 | /* according to the manpage, this is equiv in the POSIX/C locale. */ 13 | int strcoll(const char *s1, const char *s2) { 14 | return strcmp(s1,s2); 15 | } 16 | -------------------------------------------------------------------------------- /runtime/klee-libc/strcpy.c: -------------------------------------------------------------------------------- 1 | /*===-- strcpy.c ----------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | char *strcpy(char *to, const char *from) { 11 | char *start = to; 12 | 13 | while ((*to = *from)) 14 | ++to, ++from; 15 | 16 | return start; 17 | } 18 | -------------------------------------------------------------------------------- /runtime/klee-libc/strlen.c: -------------------------------------------------------------------------------- 1 | /*===-- strlen.c ----------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | #include 11 | 12 | size_t strlen(const char *str) { 13 | const char *s = str; 14 | while (*s) 15 | ++s; 16 | return s - str; 17 | } 18 | -------------------------------------------------------------------------------- /runtime/klee-libc/strrchr.c: -------------------------------------------------------------------------------- 1 | /*===-- strrchr.c ---------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | #include 11 | 12 | char *strrchr(const char *t, int c) { 13 | char ch; 14 | const char *l=0; 15 | 16 | ch = c; 17 | for (;;) { 18 | if (*t == ch) l=t; if (!*t) return (char*)l; ++t; 19 | } 20 | return (char*)l; 21 | } 22 | -------------------------------------------------------------------------------- /runtime/klee-libc/tolower.c: -------------------------------------------------------------------------------- 1 | /*===-- tolower.c ---------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | int tolower(int ch) { 11 | if ( (unsigned int)(ch - 'A') < 26u ) 12 | ch -= 'A' - 'a'; 13 | return ch; 14 | } 15 | -------------------------------------------------------------------------------- /runtime/klee-libc/toupper.c: -------------------------------------------------------------------------------- 1 | /*===-- toupper.c ---------------------------------------------------------===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===*/ 9 | 10 | int toupper(int ch) { 11 | if ( (unsigned int)(ch - 'a') < 26u ) 12 | ch += 'A' - 'a'; 13 | return ch; 14 | } 15 | -------------------------------------------------------------------------------- /scripts/genTempFiles.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # ===-- genTempFiles.sh ---------------------------------------------------===## 4 | # 5 | # The KLEE Symbolic Virtual Machine 6 | # 7 | # This file is distributed under the University of Illinois Open Source 8 | # License. See LICENSE.TXT for details. 9 | # 10 | # ===----------------------------------------------------------------------===## 11 | 12 | if [ -z "$1" ] ; then 13 | echo "No directory given" 14 | exit 1 15 | fi 16 | 17 | mkdir -p $1 18 | for i in `seq 1 100`; do 19 | mkdir -p $1/dir_foo_$i 20 | touch $1/tmp_foo_$i 21 | done 22 | -------------------------------------------------------------------------------- /scripts/patch_aachen.metadata.Dockerfile: -------------------------------------------------------------------------------- 1 | FROM klee-dev-fpbench-patched-squashed 2 | ARG container_username=user 3 | ARG klee_git_hash 4 | LABEL klee_git_hash=${klee_git_hash} 5 | USER ${container_username} 6 | WORKDIR /home/${container_username}/ 7 | # For wllvm 8 | ENV LLVM_COMPILER=clang 9 | # For fp-bench 10 | ENV KLEE_NATIVE_RUNTIME_INCLUDE_DIR=/home/user/klee/include/ 11 | ENV KLEE_NATIVE_RUNTIME_LIB_DIR=/home/user/klee/build/lib/ 12 | CMD [ "/bin/sh", "-c", "/usr/bin/bash -l" ] 13 | -------------------------------------------------------------------------------- /test/CXX/ArrayNew.cpp: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgxx %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --no-output --exit-on-error --no-externals %t1.bc 4 | 5 | #include 6 | 7 | static int decon = 0; 8 | 9 | class Test { 10 | int x; 11 | 12 | public: 13 | Test() {} 14 | Test(int _x) : x(_x) { } 15 | ~Test() { decon += x; } 16 | 17 | int getX() { return x; } 18 | void setX(int _x) { x = _x; } 19 | }; 20 | 21 | int main(int argc) { 22 | Test *rt = new Test[4]; 23 | int i; 24 | 25 | for (i=0; i<4; i++) 26 | rt[i].setX(i+1); 27 | 28 | int sum = 0; 29 | for (i=0; i<4; i++) 30 | sum += rt[i].getX(); 31 | 32 | assert(sum==10); 33 | 34 | delete[] rt; 35 | 36 | assert(decon==10); 37 | 38 | return 0; 39 | } 40 | -------------------------------------------------------------------------------- /test/CXX/New.cpp: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgxx %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --no-output --exit-on-error --no-externals %t1.bc 4 | 5 | #include 6 | 7 | class Test { 8 | int x; 9 | 10 | public: 11 | Test(int _x) : x(_x) { 12 | } 13 | ~Test() { 14 | } 15 | 16 | int getX() { return x; } 17 | }; 18 | 19 | // This doesn't do what I want because 20 | // it is being changed to alloca, but 21 | // it is also failing. 22 | int main(int argc) { 23 | Test *rt = new Test(2); 24 | 25 | assert(rt->getX()==2); 26 | 27 | delete rt; 28 | 29 | return 0; 30 | } 31 | -------------------------------------------------------------------------------- /test/CXX/SimpleVirtual.cpp: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgxx %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --no-output --exit-on-error --no-externals %t1.bc 4 | 5 | #include 6 | 7 | static int decon = 0; 8 | 9 | class Thing { 10 | public: 11 | Thing() {} 12 | virtual ~Thing() { decon += getX(); } 13 | 14 | virtual int getX() { return 1; }; 15 | }; 16 | 17 | class Thing2 : public Thing { 18 | public: 19 | virtual int getX() { return 2; }; 20 | }; 21 | 22 | Thing *getThing(bool which) { 23 | return which ? new Thing() : new Thing2(); 24 | } 25 | 26 | int main(int argc) { 27 | Thing *one = getThing(false); 28 | Thing *two = getThing(true); 29 | 30 | int x = one->getX() + two->getX(); 31 | assert(x==3); 32 | 33 | delete two; 34 | delete one; 35 | 36 | assert(decon==2); 37 | 38 | return 0; 39 | } 40 | -------------------------------------------------------------------------------- /test/CXX/StaticConstructor.cpp: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgxx %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --libc=klee --no-output --exit-on-error %t1.bc 4 | 5 | #include 6 | 7 | // to make sure globals are initialized 8 | int aGlobal = 21; 9 | 10 | class Test { 11 | int x; 12 | 13 | public: 14 | Test() : x(aGlobal + 1) {} 15 | ~Test() {} 16 | 17 | int getX() { return x; } 18 | }; 19 | 20 | Test t; 21 | 22 | int main() { 23 | assert(t.getX()==22); 24 | 25 | return 0; 26 | } 27 | -------------------------------------------------------------------------------- /test/CXX/StaticDestructor.cpp: -------------------------------------------------------------------------------- 1 | // don't optimize this, llvm likes to turn the *p into unreachable 2 | 3 | // RUN: %llvmgxx %s -emit-llvm -g -O0 -c -o %t1.bc 4 | // RUN: rm -rf %t.klee-out 5 | // RUN: %klee --output-dir=%t.klee-out --optimize=false --libc=klee --no-output %t1.bc 2> %t1.log 6 | // RUN: grep ":17: memory error" %t1.log 7 | 8 | #include 9 | 10 | class Test { 11 | int *p; 12 | 13 | public: 14 | Test() : p(0) {} 15 | ~Test() { 16 | assert(!p); 17 | assert(*p == 10); // crash here 18 | } 19 | }; 20 | 21 | Test t; 22 | 23 | int main(int argc, char** argv) { 24 | return 0; 25 | } 26 | -------------------------------------------------------------------------------- /test/CXX/Trivial.cpp: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgxx %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --no-output --exit-on-error %t1.bc 4 | 5 | #include 6 | 7 | class Test { 8 | int x; 9 | 10 | public: 11 | Test(int _x) : x(_x) {} 12 | ~Test() {} 13 | 14 | int getX() { return x; } 15 | }; 16 | 17 | int main() { 18 | Test rt(2); 19 | 20 | assert(rt.getX()==2); 21 | 22 | return 0; 23 | } 24 | -------------------------------------------------------------------------------- /test/Concrete/BitwiseOps.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | declare void @print_i32(i32) 4 | 5 | define i32 @main() { 6 | %a = or i32 12345678, 87654321 7 | %b = and i32 %a, 87654321 8 | %check = xor i32 %b, 87654321 9 | %test = icmp eq i32 %check, 0 10 | br i1 %test, label %exitTrue, label %exitFalse 11 | exitTrue: 12 | call void @print_i32(i32 1) 13 | ret i32 0 14 | exitFalse: 15 | call void @print_i32(i32 0) 16 | ret i32 0 17 | } 18 | -------------------------------------------------------------------------------- /test/Concrete/BoolReadWrite.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | declare void @print_i1(i1) 4 | 5 | define i32 @main() { 6 | %mem = alloca i1 7 | store i1 1, i1* %mem 8 | %v = load i1* %mem 9 | br i1 %v, label %ok, label %exit 10 | ok: 11 | call void @print_i1(i1 %v) 12 | br label %exit 13 | exit: 14 | ret i32 0 15 | } 16 | -------------------------------------------------------------------------------- /test/Concrete/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | configure_file(Makefile.cmake.test.in Makefile.cmake.test @ONLY) 10 | -------------------------------------------------------------------------------- /test/Concrete/Casts.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | declare void @print_i32(i32) 4 | 5 | define i32 @main() { 6 | entry: 7 | %a = add i32 315904, 128 8 | %b = trunc i32 %a to i8 9 | %c0 = icmp eq i8 %b, 128 10 | %d = zext i8 %b to i32 11 | %c1 = icmp eq i32 %d, 128 12 | %e = sext i8 %b to i32 13 | %c2 = icmp eq i32 %e, -128 14 | %c0i = zext i1 %c0 to i32 15 | %c1i = zext i1 %c1 to i32 16 | %c2i = zext i1 %c2 to i32 17 | %c0is = shl i32 %c0i, 0 18 | %c1is = shl i32 %c1i, 1 19 | %c2is = shl i32 %c2i, 2 20 | %tmp = add i32 %c0is, %c1is 21 | %res = add i32 %tmp, %c2is 22 | %p = icmp eq i32 %res, 7 23 | br i1 %p, label %exitTrue, label %exitFalse 24 | exitTrue: 25 | call void @print_i32(i32 1) 26 | ret i32 0 27 | exitFalse: 28 | call void @print_i32(i32 0) 29 | ret i32 0 30 | } 31 | -------------------------------------------------------------------------------- /test/Concrete/CmpEq.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | declare void @print_i32(i32) 4 | 5 | define i32 @main() { 6 | %a = add i8 0, 1 7 | %b = add i8 %a, -1 8 | %c = icmp eq i8 %b, 0 9 | br i1 %c, label %exitTrue, label %exitFalse 10 | exitTrue: 11 | call void @print_i32(i32 1) 12 | ret i32 0 13 | exitFalse: 14 | call void @print_i32(i32 0) 15 | ret i32 0 16 | } 17 | -------------------------------------------------------------------------------- /test/Concrete/GlobalUndef.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | target datalayout = 4 | "e-p:64:64:64-i1:8:8-i8:8:8-i16:16:16-i32:32:32-i64:64:64-f32:32:32-f64:64:64-v64:64:64-v128:128:128-a0:0:64-s0:64:64-f80:128:128-n8:16:32:64-S128" 5 | target triple = "x86_64-unknown-linux-gnu" 6 | 7 | %struct.anon = type { i8, [3 x i8] } 8 | 9 | @z = global %struct.anon { i8 1, [3 x i8] undef }, align 4 10 | 11 | define i32 @main() nounwind { 12 | entry: 13 | %retval = alloca i32, align 4 14 | store i32 0, i32* %retval 15 | ret i32 0 16 | } 17 | -------------------------------------------------------------------------------- /test/Concrete/GlobalVariable.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | declare void @print_i32(i32) 4 | 5 | @anInt = global i32 1 6 | @aRef = global i32* @anInt 7 | 8 | define i32 @main() { 9 | call void @print_i32(i32 0) 10 | ret i32 0 11 | } 12 | -------------------------------------------------------------------------------- /test/Concrete/OneCall.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | declare void @print_i32(i32) 4 | 5 | define i32 @sum(i32 %a, i32 %b) { 6 | %c = sub i32 %a, %b 7 | ret i32 %c 8 | } 9 | 10 | define i32 @main() { 11 | %a = call i32 @sum(i32 54, i32 2) 12 | call void @print_i32(i32 %a) 13 | ret i32 0 14 | } 15 | -------------------------------------------------------------------------------- /test/Concrete/OverlappingPhiNodes.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | declare void @print_i32(i32) 4 | 5 | define i32 @main() { 6 | entry: 7 | br label %test 8 | test: 9 | %a = phi i32 [10, %entry], [%b, %test] 10 | %b = phi i32 [20, %entry], [%a, %test] 11 | %c = phi i32 [0, %entry], [1, %test] 12 | %d = icmp eq i32 %c, 1 13 | br i1 %d, label %exit, label %test 14 | exit: 15 | call void @print_i32(i32 %b) 16 | ret i32 0 17 | } 18 | -------------------------------------------------------------------------------- /test/Concrete/README.txt: -------------------------------------------------------------------------------- 1 | This directory contains tests which exist just to test the execution of Concrete 2 | code paths -- essentially, that we correctly implement the semantics of the LLVM 3 | IR language. The tests are run using a helper script ``ConcreteTest.py`` which 4 | builds the test bitcode, executes it using both ``lli`` and ``klee``, and checks 5 | that they got the same output. -------------------------------------------------------------------------------- /test/Concrete/Select.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | declare void @print_i32(i32) 4 | 5 | define i32 @main() { 6 | %ten = select i1 true, i32 10, i32 0 7 | %five = select i1 false, i32 0, i32 5 8 | %check = add i32 %ten, %five 9 | %test = icmp eq i32 %check, 15 10 | br i1 %test, label %exitTrue, label %exitFalse 11 | exitTrue: 12 | call void @print_i32(i32 1) 13 | ret i32 0 14 | exitFalse: 15 | call void @print_i32(i32 0) 16 | ret i32 0 17 | } 18 | -------------------------------------------------------------------------------- /test/Concrete/Shifts.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | declare void @print_i32(i32) 4 | 5 | define i32 @main() { 6 | %amt = add i8 2, 5 7 | %a = shl i8 1, 5 8 | %b = lshr i8 %a, 5 9 | %c = shl i8 %b, %amt 10 | %d = lshr i8 %c, %amt 11 | %e = shl i8 %d, 7 12 | %f = ashr i8 %e, 7 13 | %g = shl i8 %f, %amt 14 | %h = ashr i8 %g, %amt 15 | %test = icmp eq i8 %h, -1 16 | br i1 %test, label %exitTrue, label %exitFalse 17 | exitTrue: 18 | call void @print_i32(i32 1) 19 | ret i32 0 20 | exitFalse: 21 | call void @print_i32(i32 0) 22 | ret i32 0 23 | } 24 | -------------------------------------------------------------------------------- /test/Concrete/SimpleStoreAndLoad.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | declare void @print_i32(i32) 4 | 5 | define i32 @main() { 6 | entry: 7 | %a = alloca i32, i32 4 8 | %tmp1 = getelementptr i32* %a, i32 0 9 | store i32 0, i32* %tmp1 10 | %tmp2 = load i32* %tmp1 11 | %tmp3 = icmp eq i32 %tmp2, 0 12 | br i1 %tmp3, label %exitTrue, label %exitFalse 13 | exitTrue: 14 | call void @print_i32(i32 1) 15 | ret i32 0 16 | exitFalse: 17 | call void @print_i32(i32 0) 18 | ret i32 0 19 | } 20 | -------------------------------------------------------------------------------- /test/Concrete/UnconditionalBranch.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | declare void @print_i32(i32) 4 | 5 | define i32 @main() { 6 | entry: 7 | %a = add i32 0, 1 8 | br label %exit 9 | exit: 10 | call void @print_i32(i32 %a) 11 | ret i32 0 12 | } 13 | -------------------------------------------------------------------------------- /test/Concrete/UnconditionalBranchWithSimplePhi.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | declare void @print_i32(i32) 4 | 5 | define i32 @main() { 6 | entry: 7 | %a = add i32 0, 1 8 | br label %exit 9 | unused: 10 | %b = add i32 1, 2 11 | br label %exit 12 | exit: 13 | %c = phi i32 [%a, %entry], [%b, %unused] 14 | call void @print_i32(i32 %c) 15 | ret i32 0 16 | } 17 | -------------------------------------------------------------------------------- /test/Concrete/UnorderedPhiNodes.ll: -------------------------------------------------------------------------------- 1 | ; RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | declare void @print_i32(i32) 4 | 5 | define i32 @main() { 6 | entry: 7 | br label %test 8 | test: 9 | %a = phi i32 [10, %entry], [%b, %test] 10 | %b = phi i32 [%a, %test], [20, %entry] 11 | %c = phi i32 [0, %entry], [1, %test] 12 | %d = icmp eq i32 %c, 1 13 | br i1 %d, label %exit, label %test 14 | exit: 15 | call void @print_i32(i32 %b) 16 | ret i32 0 17 | } 18 | -------------------------------------------------------------------------------- /test/Concrete/ackermann.c: -------------------------------------------------------------------------------- 1 | // RUN: %S/ConcreteTest.py --klee='%klee' --lli=%lli %s 2 | 3 | #include 4 | 5 | int ackermann(int m, int n) { 6 | if (m == 0) 7 | return n+1; 8 | else 9 | return ackermann(m-1, (n==0) ? 1 : ackermann(m, n-1)); 10 | } 11 | 12 | int main() { 13 | printf("ackerman(%d, %d) = %d\n", 2, 2, ackermann(2, 2)); 14 | 15 | return 0; 16 | } 17 | -------------------------------------------------------------------------------- /test/Coverage/ReadArgs.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: echo " --output-dir=%t.klee-out " > %t1.args 4 | // RUN: %klee @%t1.args %t1.bc 5 | // RUN: test -d %t.klee-out 6 | 7 | int main() { 8 | return 0; 9 | } 10 | -------------------------------------------------------------------------------- /test/Coverage/ReplayOutDir.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t1.out %t1.replay 3 | // RUN: %klee --output-dir=%t1.out %t1.bc 4 | // RUN: %klee --output-dir=%t1.replay --replay-ktest-dir=%t1.out %t1.bc 5 | 6 | int main() { 7 | int i; 8 | klee_make_symbolic(&i, sizeof i, "i"); 9 | klee_print_range("i", i); 10 | return 0; 11 | } 12 | -------------------------------------------------------------------------------- /test/Expr/Evaluate.kquery: -------------------------------------------------------------------------------- 1 | # RUN: %kleaver -evaluate %s > %t.log 2 | 3 | array arr0[4] : w32 -> w8 = symbolic 4 | array arr1[8] : w32 -> w8 = symbolic 5 | 6 | # RUN: grep "Query 0: INVALID" %t.log 7 | # Query 0 8 | (query [] (Not (Ult (ReadLSB w32 0 arr0) 9 | 16))) 10 | 11 | # RUN: grep "Query 1: VALID" %t.log 12 | # Query 1 13 | (query [(Eq N0:(ReadLSB w32 0 arr1) 10) 14 | (Eq N1:(ReadLSB w32 4 arr1) 20)] 15 | (Eq (Add w32 N0 N1) 16 | 30)) 17 | 18 | # RUN: grep "Query 2: VALID" %t.log 19 | # Query 2 20 | array hello[4] : w32 -> w8 = [ 1 2 3 5 ] 21 | (query [] (Eq (Add w8 (Read w8 0 hello) 22 | (Read w8 3 hello)) 23 | 6)) 24 | 25 | # RUN: grep "Query 3: VALID" %t.log 26 | # Query 2 27 | (query [] (Eq (Not w8 (Read w8 0 arr1)) 28 | (Xor w8 (Read w8 0 arr1) 0xff))) 29 | -------------------------------------------------------------------------------- /test/Expr/Evaluate2.kquery: -------------------------------------------------------------------------------- 1 | # RUN: %kleaver -evaluate %s > %t.log 2 | 3 | # RUN: grep "Query 0: VALID" %t.log 4 | # XFAIL: * 5 | (query [false] false) 6 | -------------------------------------------------------------------------------- /test/Expr/Parser/Concat64.kquery: -------------------------------------------------------------------------------- 1 | # RUN: kleaver --print-ast %s 2 | 3 | array arr1[8] : w32 -> w8 = symbolic 4 | (query [(Eq 0 5 | (Concat w64 (Read w8 7 arr1) 6 | (Concat w56 (Read w8 6 arr1) 7 | (Concat w48 (Read w8 5 arr1) 8 | (Concat w40 (Read w8 4 arr1) 9 | (Concat w32 (Read w8 3 arr1) 10 | (Concat w24 (Read w8 2 arr1) 11 | (Concat w16 (Read w8 1 arr1) (Read w8 0 arr1)))))))))] 12 | false) 13 | -------------------------------------------------------------------------------- /test/Expr/Parser/MultiByteReads.kquery: -------------------------------------------------------------------------------- 1 | # RUN: %kleaver -print-ast -pc-multibyte-reads=true %s > %t.log 2 | # RUN: grep -q "(ReadLSB w32 4 arr1)" %t.log 3 | # RUN: grep -q "(ReadMSB w32 2 arr2)" %t.log 4 | 5 | array arr1[8] : w32 -> w8 = symbolic 6 | array arr2[8] : w32 -> w8 = symbolic 7 | 8 | (query [(Not (Slt 100 9 | (Concat w32 (Read w8 7 arr1) 10 | (Concat w24 (Read w8 6 arr1) 11 | (Concat w16 (Read w8 5 arr1) (Read w8 4 arr1))))))] 12 | false) 13 | 14 | 15 | (query [(Not (Slt 100 16 | (Concat w32 (Read w8 2 arr2) 17 | (Concat w24 (Read w8 3 arr2) 18 | (Concat w16 (Read w8 4 arr2) (Read w8 5 arr2))))))] 19 | false) 20 | 21 | -------------------------------------------------------------------------------- /test/Expr/Parser/TypeChecking.kquery: -------------------------------------------------------------------------------- 1 | # RUN: not %kleaver %s 2> %t.log 2 | 3 | 4 | 5 | # RUN: grep "TypeChecking.kquery:7:9: error: type widths do not match in binary expression" %t.log 6 | array arr1[8] : w32 -> w8 = symbolic 7 | (query [(Eq (ReadLSB w32 0 arr1) true)] 8 | false) 9 | 10 | # RUN: grep "TypeChecking.kquery:14:25: error: invalid write index (doesn't match array domain)" %t.log 11 | # RUN: grep "TypeChecking.kquery:14:35: error: invalid write value (doesn't match array range)" %t.log 12 | # FIXME: Add array declarations 13 | array arr2[8] : w32 -> w8 = symbolic 14 | (query [(Eq (Read w8 0 [ (w17 0) = (w9 0) ] @ arr2) 0)] false) 15 | 16 | # RUN: grep "TypeChecking.kquery: parse failure: 3 errors." %t.log 17 | -------------------------------------------------------------------------------- /test/Feature/Alias.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc 4 | 5 | // Darwin does not have strong aliases. 6 | // XFAIL: darwin 7 | 8 | #include 9 | 10 | // alias for global 11 | int b = 52; 12 | extern int a __attribute__((alias("b"))); 13 | 14 | // alias for function 15 | int __foo() { return 52; } 16 | extern int foo() __attribute__((alias("__foo"))); 17 | 18 | int *c = &a; 19 | 20 | int main() { 21 | assert(a == 52); 22 | assert(foo() == 52); 23 | assert(*c == 52); 24 | 25 | return 0; 26 | } 27 | -------------------------------------------------------------------------------- /test/Feature/AliasFunction.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc > %t1.log 4 | // RUN: grep -c foo %t1.log | grep 5 5 | // RUN: grep -c bar %t1.log | grep 4 6 | 7 | #include 8 | #include 9 | 10 | void __attribute__ ((noinline)) foo() { printf(" foo()\n"); } 11 | void __attribute__ ((noinline)) bar() { printf(" bar()\n"); } 12 | 13 | int main() { 14 | int x; 15 | klee_make_symbolic(&x, sizeof(x), "x"); 16 | 17 | // call once, so that it is not removed by optimizations 18 | bar(); 19 | 20 | // no aliases 21 | foo(); 22 | 23 | if (x > 10) 24 | { 25 | // foo -> bar 26 | klee_alias_function("foo", "bar"); 27 | 28 | if (x > 20) 29 | foo(); 30 | } 31 | 32 | foo(); 33 | 34 | // undo 35 | klee_alias_function("foo", "foo"); 36 | foo(); 37 | } 38 | -------------------------------------------------------------------------------- /test/Feature/AliasFunctionExit.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc > %t1.log 4 | // RUN: grep -c START %t1.log | grep 1 5 | // RUN: grep -c END %t1.log | grep 2 6 | 7 | #include 8 | #include 9 | #include 10 | 11 | void start(int x) { 12 | printf("START\n"); 13 | if (x == 53) 14 | exit(1); 15 | } 16 | 17 | void __attribute__ ((noinline)) end(int status) { 18 | klee_alias_function("exit", "exit"); 19 | printf("END: status = %d\n", status); 20 | exit(status); 21 | } 22 | 23 | 24 | int main() { 25 | int x; 26 | klee_make_symbolic(&x, sizeof(x), "x"); 27 | 28 | klee_alias_function("exit", "end"); 29 | start(x); 30 | end(0); 31 | } 32 | -------------------------------------------------------------------------------- /test/Feature/BFSSearcher.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --stop-after-n-instructions=500 --search=bfs %t1.bc 2>%t2.log 4 | // RUN: FileCheck -input-file=%t2.log %s 5 | #include "assert.h" 6 | #include "klee/klee.h" 7 | 8 | int nd() { 9 | int r; 10 | klee_make_symbolic(&r, sizeof(r), "r"); 11 | return r; 12 | } 13 | 14 | int main() { 15 | int x = 1; 16 | while (nd() != 0) { 17 | x *= 2; 18 | } 19 | // CHECK: ASSERTION FAIL 20 | klee_assert(0); 21 | return x; 22 | } 23 | -------------------------------------------------------------------------------- /test/Feature/ByteSwap.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --libc=klee --exit-on-error %t1.bc 4 | 5 | #include 6 | #include 7 | 8 | int main() { 9 | 10 | uint32_t n = 0; 11 | klee_make_symbolic(&n, sizeof(n)); 12 | 13 | uint32_t h = ntohl(n); 14 | assert(htonl(h) == n); 15 | 16 | return 0; 17 | } 18 | -------------------------------------------------------------------------------- /test/Feature/CallToUndefinedExternal.cpp: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgxx %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 2>&1 | FileCheck %s 4 | // RUN: test -f %t.klee-out/test000001.external.err 5 | 6 | extern "C" void poof(void); 7 | 8 | int main() { 9 | // CHECK: failed external call: poof 10 | poof(); 11 | 12 | return 0; 13 | } 14 | -------------------------------------------------------------------------------- /test/Feature/CheckForImpliedValue.c.failing: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -f %t1.log 3 | // RUN: rm -rf %t.klee-out 4 | // RUN: %klee --output-dir=%t.klee-out --log-file %t1.log --debug-check-for-implied-values %t1.bc 5 | // RUN: grep "= 0 (ok)" %t1.log 6 | // RUN: grep "= 2 (missed)" %t1.log 7 | 8 | #define swap(x) (((x)>>16) | (((x)&0xFFFF)<<16)) 9 | int main() { 10 | unsigned x, y; 11 | 12 | klee_make_symbolic(&x, sizeof x); 13 | klee_make_symbolic(&y, sizeof y); 14 | 15 | if (!x) { // should give x = 0 hit by ivc 16 | printf("ok\n"); 17 | } else { 18 | if (swap(y) == 0x00020000) { // should give y = 2 missed by ivc 19 | printf("ok\n"); 20 | } 21 | } 22 | 23 | return 0; 24 | } 25 | -------------------------------------------------------------------------------- /test/Feature/CheckMemoryAccess.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc -emit-llvm -g -c %s -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t.bc > %t.log 4 | // RUN: grep -q "good" %t.log 5 | // RUN: not grep -q "bad" %t.log 6 | 7 | #include 8 | #include 9 | #include 10 | 11 | int main() { 12 | char buf[4]; 13 | 14 | klee_check_memory_access(&buf, 1); 15 | printf("good\n"); 16 | if (klee_range(0, 2, "range1")) { 17 | klee_check_memory_access(0, 1); 18 | printf("null pointer deref: bad\n"); 19 | } 20 | 21 | if (klee_range(0, 2, "range2")) { 22 | klee_check_memory_access(buf, 5); 23 | printf("oversize access: bad\n"); 24 | } 25 | 26 | return 0; 27 | } 28 | -------------------------------------------------------------------------------- /test/Feature/CopyOnWrite.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --search=random-state --exit-on-error %t1.bc 4 | 5 | #include 6 | 7 | #define N 5 8 | 9 | unsigned branches = 0; 10 | 11 | void explode(int *ap, int i, int *result) { 12 | if (i 7 | 8 | int main() { 9 | unsigned char x, y; 10 | 11 | klee_make_symbolic(&x, sizeof x); 12 | 13 | y = x; 14 | 15 | // should be exactly two queries (prove x is/is not 10) 16 | // eventually should be 0 when we have fast solver 17 | if (x==10) { 18 | assert(y==10); 19 | } 20 | 21 | klee_silent_exit(0); 22 | return 0; 23 | } 24 | -------------------------------------------------------------------------------- /test/Feature/DefineFixedObject.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc -emit-llvm -c -o %t1.bc %s 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc 4 | 5 | #include 6 | 7 | #define ADDRESS ((int*) 0x0080) 8 | 9 | int main() { 10 | klee_define_fixed_object(ADDRESS, 4); 11 | 12 | int *p = ADDRESS; 13 | 14 | *p = 10; 15 | printf("*p: %d\n", *p); 16 | 17 | return 0; 18 | } 19 | -------------------------------------------------------------------------------- /test/Feature/DoubleFree.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 2>&1 | FileCheck %s 4 | // RUN: test -f %t.klee-out/test000001.ptr.err 5 | 6 | int main() { 7 | int *x = malloc(4); 8 | free(x); 9 | // CHECK: memory error: invalid pointer: free 10 | free(x); 11 | return 0; 12 | } 13 | -------------------------------------------------------------------------------- /test/Feature/DumpStatesOnHalt.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -g -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --stop-after-n-instructions=1 --dump-states-on-halt=true %t1.bc 2>&1 | FileCheck %s 4 | // RUN: test -f %t.klee-out/test000001.ktest 5 | 6 | int main(int argc, char** argv) { 7 | int x = 1; 8 | if (argc == 1) 9 | x = 0; 10 | return x; 11 | } 12 | // CHECK: halting execution, dumping remaining states 13 | -------------------------------------------------------------------------------- /test/Feature/EntryPoint.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc -emit-llvm -g -c %s -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --entry-point=other_main %t.bc > %t.log 4 | // RUN: grep "Hello World" %t.log 5 | 6 | #include 7 | 8 | int other_main() { 9 | printf("Hello World\n"); 10 | return 0; 11 | } 12 | -------------------------------------------------------------------------------- /test/Feature/Envp.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc 4 | 5 | #include 6 | 7 | int main(int argc, char **argv, char **envp) { 8 | unsigned i; 9 | assert(argv[argc] == 0); 10 | printf("argc: %d, argv: %p, envp: %p\n", argc, argv, envp); 11 | printf("--environ--\n"); 12 | int haspwd = 0; 13 | for (i=0; envp[i]; i++) { 14 | printf("%d: %s\n", i, envp[i]); 15 | haspwd |= strncmp(envp[i], "PWD=", 4)==0; 16 | } 17 | assert(haspwd); 18 | return 0; 19 | } 20 | -------------------------------------------------------------------------------- /test/Feature/ExitOnErrorType.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -g -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out -exit-on-error-type Assert %t1.bc 2>&1 4 | 5 | #include 6 | #include 7 | 8 | int main() { 9 | assert(klee_int("assert")); 10 | 11 | while (1) { 12 | } 13 | 14 | return 0; 15 | } 16 | -------------------------------------------------------------------------------- /test/Feature/ExternalWeakLinkage.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc 4 | 5 | #include 6 | 7 | void __attribute__((weak)) IAmSoWeak(int); 8 | 9 | int main() { 10 | assert(IAmSoWeak==0); 11 | return 0; 12 | } 13 | -------------------------------------------------------------------------------- /test/Feature/Float.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc -emit-llvm -g -c %s -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t.bc > %t.log 4 | // RUN: grep "3.30* -1.10* 2.420*" %t.log 5 | 6 | #include 7 | 8 | float fadd(float a, float b) { 9 | return a + b; 10 | } 11 | 12 | float fsub(float a, float b) { 13 | return a - b; 14 | } 15 | 16 | float fmul(float a, float b) { 17 | return a * b; 18 | } 19 | 20 | int main() { 21 | printf("%f %f %f\n", fadd(1.1, 2.2), fsub(1.1, 2.2), fmul(1.1, 2.2)); 22 | return 0; 23 | } 24 | -------------------------------------------------------------------------------- /test/Feature/FloatingPt.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc 4 | 5 | #include 6 | 7 | int main() { 8 | double a1 = -1.1; 9 | double a2 = 1.2; 10 | 11 | int b1 = (int) a1; 12 | assert(b1 == -1); 13 | 14 | int b2 = (int) a2; 15 | assert(b2 == 1); 16 | 17 | a1 = (double) b1; 18 | assert(a1 == -1); 19 | 20 | a2 = (double) b2; 21 | assert(a2 == 1); 22 | 23 | return 0; 24 | } 25 | -------------------------------------------------------------------------------- /test/Feature/FunctionPointer.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --no-output --exit-on-error %t1.bc 4 | 5 | #include 6 | 7 | void foo(const char *msg) { printf("foo: %s\n", msg); } 8 | void baz(const char *msg) { printf("baz: %s\n", msg); } 9 | 10 | void (*xx)(const char *) = foo; 11 | 12 | void bar(void (*fp)(const char *)) { fp("called via bar"); } 13 | 14 | int main(int argc, char **argv) { 15 | void (*fp)(const char *) = foo; 16 | 17 | printf("going to call through fp\n"); 18 | fp("called via fp"); 19 | 20 | printf("calling via pass through\n"); 21 | bar(foo); 22 | 23 | fp = baz; 24 | fp("called via fp"); 25 | 26 | xx("called via xx"); 27 | 28 | #if 0 29 | klee_make_symbolic(&fp, sizeof fp); 30 | if(fp == baz) { 31 | printf("fp = %p, baz = %p\n", fp, baz); 32 | fp("calling via symbolic!"); 33 | } 34 | #endif 35 | 36 | return 0; 37 | } 38 | -------------------------------------------------------------------------------- /test/Feature/GetValue.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc -emit-llvm -c -o %t1.bc %s 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc 4 | 5 | #include 6 | #include 7 | 8 | int main() { 9 | int x = klee_int("x"); 10 | klee_assume(x > 10); 11 | klee_assume(x < 20); 12 | 13 | assert(!klee_is_symbolic(klee_get_value_i32(x))); 14 | assert(klee_get_value_i32(x) > 10); 15 | assert(klee_get_value_i32(x) < 20); 16 | 17 | return 0; 18 | } 19 | -------------------------------------------------------------------------------- /test/Feature/InAndOutOfBounds.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -g -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 2>&1 | FileCheck %s 4 | // RUN: test -f %t.klee-out/test000001.ptr.err -o -f %t.klee-out/test000002.ptr.err 5 | // RUN: not test -f %t.klee-out/test000001.ptr.err -a -f %t.klee-out/test000002.ptr.err 6 | // RUN: not test -f %t.klee-out/test000003.ktest 7 | 8 | unsigned klee_urange(unsigned start, unsigned end) { 9 | unsigned x; 10 | klee_make_symbolic(&x, sizeof x); 11 | if (x-start>=end-start) klee_silent_exit(0); 12 | return x; 13 | } 14 | 15 | int main() { 16 | int *x = malloc(sizeof(int)); 17 | // FIXME: Use newer FileCheck syntax to support relative line numbers 18 | // CHECK: InAndOutOfBounds.c:19: memory error: out of bound pointer 19 | x[klee_urange(0,2)] = 1; 20 | free(x); 21 | return 0; 22 | } 23 | -------------------------------------------------------------------------------- /test/Feature/IndirectCallToBuiltin.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | 5 | #include 6 | #include 7 | 8 | int main() { 9 | void *(*allocator)(size_t) = malloc; 10 | int *mem = allocator(10); 11 | 12 | printf("mem: %p\n", mem); 13 | printf("mem[0]: %d\n", mem[0]); 14 | 15 | return 0; 16 | } 17 | -------------------------------------------------------------------------------- /test/Feature/IndirectCallToExternal.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | 5 | #include 6 | #include 7 | #include 8 | #include 9 | 10 | int main() { 11 | int (*scmp)(char*,char*) = strcmp; 12 | 13 | assert(scmp("hello","hi") < 0); 14 | 15 | return 0; 16 | } 17 | -------------------------------------------------------------------------------- /test/Feature/IntrinsicTrap.ll: -------------------------------------------------------------------------------- 1 | ; RUN: llvm-as %s -f -o %t1.bc 2 | ; RUN: rm -rf %t.klee-out 3 | ; RUN: %klee --output-dir=%t.klee-out -disable-opt %t1.bc 4 | ; RUN: FileCheck %s --input-file=%t.klee-out/assembly.ll 5 | 6 | target datalayout = "e-p:64:64:64-i1:8:8-i8:8:8-i16:16:16-i32:32:32-i64:64:64-f32:32:32-f64:64:64-v64:64:64-v128:128:128-a0:0:64-s0:64:64-f80:128:128-f128:128:128-n8:16:32:64" 7 | target triple = "x86_64-unknown-linux-gnu" 8 | 9 | define i32 @main() nounwind { 10 | entry: 11 | %a = add i32 1, 2 12 | %b = add i32 %a, 3 13 | %c = icmp ne i32 %b, 6 14 | br i1 %c, label %btrue, label %bfalse 15 | 16 | btrue: 17 | ; CHECK-NOT: call void @llvm.trap() 18 | ; CHECK: call void @abort() 19 | call void @llvm.trap() noreturn nounwind 20 | unreachable 21 | 22 | bfalse: 23 | br label %return 24 | 25 | return: 26 | ret i32 0 27 | } 28 | 29 | ; CHECK-NOT: call void @llvm.trap() 30 | ; CHECK: declare void @abort() 31 | declare void @llvm.trap() noreturn nounwind 32 | -------------------------------------------------------------------------------- /test/Feature/InvalidBitfieldAccess.c.failing: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc -c -o %t1.bc %s 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc 4 | 5 | // This is a bug in llvm-gcc4.0 but seems to be fixed in llvm-gcc4.2, 6 | // its included here mostly as a reminder. 7 | 8 | #include 9 | #include 10 | #include 11 | 12 | struct foo { 13 | unsigned int a : 5; 14 | unsigned int b : 10; 15 | unsigned int c : 1; 16 | } __attribute__((packed)); 17 | 18 | int main() { 19 | struct foo *a = malloc(sizeof *a); 20 | 21 | a->b = 12; // problem here is that llvm-gcc emits a 4 byte access 22 | // which is out of bounds. 23 | 24 | int x = a->b; 25 | 26 | assert(x == 12); 27 | 28 | return 0; 29 | } 30 | -------------------------------------------------------------------------------- /test/Feature/IsSymbolic.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | 5 | #include 6 | 7 | int main() { 8 | int x, y, z = 0; 9 | klee_make_symbolic(&x, sizeof x); 10 | klee_make_symbolic(&y, sizeof y); 11 | if (x) { 12 | assert(klee_is_symbolic(y)); 13 | } else { 14 | assert(!klee_is_symbolic(z)); 15 | } 16 | return 0; 17 | } 18 | -------------------------------------------------------------------------------- /test/Feature/KleeReportError.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -g -emit-llvm -O0 -c -o %t2.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --emit-all-errors %t2.bc 2>&1 | FileCheck %s 4 | // RUN: ls %t.klee-out/ | grep .my.err | wc -l | grep 2 5 | #include 6 | #include 7 | 8 | int main(int argc, char** argv) { 9 | int x, y, *p = 0; 10 | 11 | klee_make_symbolic(&x, sizeof x); 12 | klee_make_symbolic(&y, sizeof y); 13 | 14 | if (x) 15 | fprintf(stderr, "x\n"); 16 | else fprintf(stderr, "!x\n"); 17 | 18 | if (y) { 19 | fprintf(stderr, "My error\n"); 20 | // CHECK: KleeReportError.c:23: My error 21 | // CHECK: KleeReportError.c:23: My error 22 | // FIXME: Use FileCheck's relative line number syntax 23 | klee_report_error(__FILE__, __LINE__, "My error", "my.err"); 24 | } 25 | 26 | return 0; 27 | } 28 | -------------------------------------------------------------------------------- /test/Feature/LinkLLVMLib.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -g -emit-llvm -O0 -c -o %t1.bc -DLINK_LLVM_LIB_TEST_LIB 2 | // RUN: %llvmar r %t1.a %t1.bc 3 | // 4 | // RUN: %llvmgcc %s -g -emit-llvm -O0 -c -o %t2.bc -DLINK_LLVM_LIB_TEST_EXEC 5 | // RUN: rm -rf %t.klee-out 6 | // RUN: %klee --link-llvm-lib %t1.a --output-dir=%t.klee-out --emit-all-errors --warnings-only-to-file=false %t2.bc 2>&1 | FileCheck %s 7 | 8 | #ifdef LINK_LLVM_LIB_TEST_EXEC 9 | extern void printint(int d); 10 | 11 | int main(int argc, char * argv[]) { 12 | printint(5); 13 | // CHECK: KLEE: WARNING ONCE: calling external: printf 14 | return 0; 15 | } 16 | #endif 17 | 18 | #ifdef LINK_LLVM_LIB_TEST_LIB 19 | #include 20 | 21 | void printint(int d) { 22 | printf("%d\n", d); 23 | } 24 | #endif 25 | -------------------------------------------------------------------------------- /test/Feature/LongDoubleSupport.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --optimize=0 --exit-on-error %t1.bc > %t2.out 4 | 5 | #include 6 | #include 7 | #include 8 | 9 | // FIXME: This doesn't really work at all, it just doesn't 10 | // crash. Until we have wide constant support, that is all we care 11 | // about; the only reason this comes up is in initialization of 12 | // constants, we don't actually end up seeing much code which uses long 13 | // double. 14 | int main() { 15 | unsigned N0 = 0, N1 = 0, N2 = 0; 16 | 17 | float V0 = .1; 18 | while (V0 != 0) { 19 | V0 *= V0; 20 | N0++; 21 | } 22 | double V1 = .1; 23 | while (V1 != 0) { 24 | V1 *= V1; 25 | N1++; 26 | } 27 | long double V2 = .1; 28 | while (V2 != 0) { 29 | V2 *= V2; 30 | N2++; 31 | } 32 | 33 | printf("counts: %d, %d, %d\n", N0, N1, N2); 34 | 35 | assert(N0 == 6); 36 | assert(N1 == 9); 37 | assert(N2 == 13); 38 | 39 | return 0; 40 | } 41 | -------------------------------------------------------------------------------- /test/Feature/MakeConcreteSymbolic.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --optimize=false --output-dir=%t.klee-out --exit-on-error %t1.bc 4 | // RUN: grep "done: total queries = 0" %t.klee-out/info 5 | 6 | // RUN: rm -rf %t.klee-out 7 | // RUN: %klee --optimize=false --output-dir=%t.klee-out --make-concrete-symbolic=1 --exit-on-error %t1.bc 8 | // RUN: grep "done: total queries = 2" %t.klee-out/info 9 | 10 | 11 | #include 12 | 13 | #define N 2 14 | int main() { 15 | int i; 16 | char a; 17 | 18 | a = 10; 19 | assert(a == 10); 20 | 21 | return 0; 22 | } 23 | -------------------------------------------------------------------------------- /test/Feature/MakeSymbolicName.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --search=random-state --exit-on-error %t1.bc 4 | 5 | #include 6 | 7 | int main() { 8 | int a[4] = {1, 2, 3, 4}; 9 | unsigned i; 10 | 11 | klee_make_symbolic(&i, sizeof(i), "index"); 12 | if (i > 3) 13 | klee_silent_exit(0); 14 | 15 | assert(a[i] << 1 != 5); 16 | if (a[i] << 1 == 6) 17 | assert(i == 2); 18 | } 19 | -------------------------------------------------------------------------------- /test/Feature/MultipleReadResolution.c: -------------------------------------------------------------------------------- 1 | // RUN: echo "x" > %t1.res 2 | // RUN: echo "x" >> %t1.res 3 | // RUN: echo "x" >> %t1.res 4 | // RUN: echo "x" >> %t1.res 5 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 6 | // RUN: rm -rf %t.klee-out 7 | // RUN: %klee --output-dir=%t.klee-out %t1.bc > %t1.log 8 | // RUN: diff %t1.res %t1.log 9 | 10 | #include 11 | 12 | unsigned klee_urange(unsigned start, unsigned end) { 13 | unsigned x; 14 | klee_make_symbolic(&x, sizeof x); 15 | if (x-start>=end-start) klee_silent_exit(0); 16 | return x; 17 | } 18 | 19 | int *make_int(int i) { 20 | int *x = malloc(sizeof(*x)); 21 | *x = i; 22 | return x; 23 | } 24 | 25 | int main() { 26 | int *buf[4]; 27 | int i,s,t; 28 | 29 | for (i=0; i<4; i++) 30 | buf[i] = make_int((i+1)*2); 31 | 32 | s = klee_urange(0,4); 33 | 34 | int x = *buf[s]; 35 | 36 | if (x == 4) 37 | if (s!=1) 38 | abort(); 39 | 40 | printf("x\n"); 41 | fflush(stdout); 42 | 43 | return 0; 44 | } 45 | -------------------------------------------------------------------------------- /test/Feature/MultipleWriteResolution.c: -------------------------------------------------------------------------------- 1 | // RUN: echo "x" > %t1.res 2 | // RUN: echo "x" >> %t1.res 3 | // RUN: echo "x" >> %t1.res 4 | // RUN: echo "x" >> %t1.res 5 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 6 | // RUN: rm -rf %t.klee-out 7 | // RUN: %klee --output-dir=%t.klee-out %t1.bc > %t1.log 8 | // RUN: diff %t1.res %t1.log 9 | 10 | #include 11 | 12 | unsigned klee_urange(unsigned start, unsigned end) { 13 | unsigned x; 14 | klee_make_symbolic(&x, sizeof x); 15 | if (x-start>=end-start) klee_silent_exit(0); 16 | return x; 17 | } 18 | 19 | int *make_int(int i) { 20 | int *x = malloc(sizeof(*x)); 21 | *x = i; 22 | return x; 23 | } 24 | 25 | int main() { 26 | int *buf[4]; 27 | int i,s,t; 28 | 29 | for (i=0; i<4; i++) 30 | buf[i] = make_int((i+1)*2); 31 | 32 | s = klee_urange(0,4); 33 | 34 | *buf[s] = 5; 35 | 36 | if ((*buf[0] + *buf[1] + *buf[2] + *buf[3]) == 17) 37 | if (s!=3) 38 | abort(); 39 | 40 | printf("x\n"); 41 | fflush(stdout); 42 | 43 | return 0; 44 | } 45 | -------------------------------------------------------------------------------- /test/Feature/NonSizedGlobals.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc 4 | 5 | struct X; 6 | extern struct X Y; 7 | void *ptr = &Y; 8 | 9 | int main() 10 | { 11 | return 0; 12 | } 13 | -------------------------------------------------------------------------------- /test/Feature/OneFreeError.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -g -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 2>&1 | FileCheck %s 4 | // RUN: test -f %t.klee-out/test000001.ptr.err 5 | 6 | int main() { 7 | int *x = malloc(4); 8 | free(x); 9 | // CHECK: OneFreeError.c:11: memory error: out of bound pointer 10 | // FIXME: Use FileCheck's relative line numbers 11 | x[0] = 1; 12 | return 0; 13 | } 14 | -------------------------------------------------------------------------------- /test/Feature/OneOutOfBounds.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -g -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 2>&1 | FileCheck %s 4 | // RUN: test -f %t.klee-out/test000001.ptr.err 5 | 6 | int main() { 7 | int *x = malloc(sizeof(int)); 8 | // CHECK: OneOutOfBounds.c:10: memory error: out of bound pointer 9 | // FIXME: Use FileCheck's relative line numbers 10 | x[1] = 1; 11 | free(x); 12 | return 0; 13 | } 14 | -------------------------------------------------------------------------------- /test/Feature/Optimize.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t2.bc 2 | // RUN: rm -f %t2.log 3 | // RUN: rm -rf %t.klee-out 4 | // RUN: %klee --output-dir=%t.klee-out --stop-after-n-instructions=100 --optimize %t2.bc > %t3.log 5 | // RUN: echo "good" > %t3.good 6 | // RUN: diff %t3.log %t3.good 7 | 8 | // should complete by 100 instructions if opt is on 9 | 10 | int main() { 11 | int i, res = 0; 12 | 13 | for (i=1; i<=1000; i++) 14 | res += i; 15 | 16 | if (res == (1000*1001)/2) { 17 | printf("good\n"); 18 | } else { 19 | printf("bad\n"); 20 | } 21 | 22 | return 0; 23 | } 24 | -------------------------------------------------------------------------------- /test/Feature/OverlappedError.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -g -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | // RUN: ls %t.klee-out/ | grep .ktest | wc -l | grep 4 5 | // RUN: ls %t.klee-out/ | grep .ptr.err | wc -l | grep 2 6 | 7 | #include 8 | 9 | int main() { 10 | if (klee_range(0,2, "range")) { 11 | char *x = malloc(8); 12 | *((int*) &x[klee_range(0,6, "range")]) = 1; 13 | free(x); 14 | } else { 15 | char *x = malloc(8); 16 | *((int*) &x[klee_range(-1,5, "range")]) = 1; 17 | free(x); 18 | } 19 | return 0; 20 | } 21 | -------------------------------------------------------------------------------- /test/Feature/OvershiftCheck.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out -check-overshift %t.bc 2> %t.log 4 | // RUN: grep -c "overshift error" %t.log 5 | // RUN: grep -c "OvershiftCheck.c:20: overshift error" %t.log 6 | // RUN: grep -c "OvershiftCheck.c:24: overshift error" %t.log 7 | 8 | /* This test checks that two consecutive potential overshifts 9 | * are reported as errors. 10 | */ 11 | int main() 12 | { 13 | unsigned int x=15; 14 | unsigned int y; 15 | unsigned int z; 16 | volatile unsigned int result; 17 | 18 | /* Overshift if y>= sizeof(x) */ 19 | klee_make_symbolic(&y,sizeof(y),"shift_amount1"); 20 | result = x << y; 21 | 22 | /* Overshift is z>= sizeof(x) */ 23 | klee_make_symbolic(&z,sizeof(z),"shift_amount2"); 24 | result = x >> z; 25 | 26 | return 0; 27 | } 28 | -------------------------------------------------------------------------------- /test/Feature/PreferCex.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc 4 | // RUN: ktest-tool %t.klee-out/test000001.ktest | FileCheck %s 5 | 6 | #include 7 | #include 8 | #include 9 | 10 | int main() { 11 | char buf[4]; 12 | 13 | klee_make_symbolic(buf, sizeof buf); 14 | // CHECK: Hi\x00\x00 15 | klee_prefer_cex(buf, buf[0]=='H'); 16 | klee_prefer_cex(buf, buf[1]=='i'); 17 | klee_prefer_cex(buf, buf[2]=='\0'); 18 | klee_prefer_cex(buf, buf[3]=='\0'); 19 | 20 | return 0; 21 | } 22 | -------------------------------------------------------------------------------- /test/Feature/Realloc.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error --warnings-only-to-file=false %t1.bc 2>&1 | FileCheck %s 4 | 5 | #include 6 | #include 7 | #include 8 | 9 | int main() { 10 | int *p = malloc(sizeof(int)*2); 11 | assert(p); 12 | p[1] = 52; 13 | 14 | // CHECK: KLEE: WARNING ONCE: Large alloc 15 | int *p2 = realloc(p, 1<<30); 16 | assert(p2[1] == 52); 17 | 18 | return 0; 19 | } 20 | -------------------------------------------------------------------------------- /test/Feature/ReplayPath.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -DCOND_EXIT -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --write-paths %t1.bc > %t3.good 4 | 5 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t2.bc 6 | // RUN: rm -rf %t.klee-out-2 7 | // RUN: %klee --output-dir=%t.klee-out-2 --replay-path %t.klee-out/test000001.path %t2.bc > %t3.log 8 | // RUN: diff %t3.log %t3.good 9 | 10 | #include 11 | #include 12 | 13 | void cond_exit() { 14 | #ifdef COND_EXIT 15 | klee_silent_exit(0); 16 | #endif 17 | } 18 | 19 | int main() { 20 | int res = 1; 21 | int x; 22 | 23 | klee_make_symbolic(&x, sizeof x); 24 | 25 | if (x&1) res *= 2; else cond_exit(); 26 | if (x&2) res *= 3; else cond_exit(); 27 | if (x&4) res *= 5; else cond_exit(); 28 | 29 | // get forced branch coverage 30 | if (x&2) res *= 7; 31 | if (!(x&2)) res *= 11; 32 | printf("res: %d\n", res); 33 | 34 | return 0; 35 | } 36 | -------------------------------------------------------------------------------- /test/Feature/SetForking.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc -emit-llvm -g -c %s -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t.bc > %t.log 4 | // RUN: sort %t.log | uniq -c > %t.uniq.log 5 | // RUN: grep "1 A" %t.uniq.log 6 | // RUN: grep "1 B" %t.uniq.log 7 | // RUN: grep "1 C" %t.uniq.log 8 | 9 | #include 10 | 11 | int main() { 12 | klee_set_forking(0); 13 | 14 | if (klee_range(0, 2, "range")) { 15 | printf("A\n"); 16 | } else { 17 | printf("A\n"); 18 | } 19 | 20 | klee_set_forking(1); 21 | 22 | if (klee_range(0, 2, "range")) { 23 | printf("B\n"); 24 | } else { 25 | printf("C\n"); 26 | } 27 | 28 | return 0; 29 | } 30 | -------------------------------------------------------------------------------- /test/Feature/SolverTimeout.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --max-solver-time=1 %t1.bc 4 | // FIXME: This test occasionally fails when using Z3 4.4.1 but 5 | // not when using Z3 from the master branch. So disable the test for now. 6 | // REQUIRES: stp 7 | #include 8 | 9 | int main() { 10 | long long int x, y = 102*75678 + 78, i = 101; 11 | 12 | klee_make_symbolic(&x, sizeof(x), "x"); 13 | 14 | if (x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x + (x*x % (x+12)) == y*y*y*y*y*y*y*y*y*y*y*y*y*y*y*y % i) 15 | printf("Yes\n"); 16 | else printf("No\n"); 17 | 18 | return 0; 19 | } 20 | -------------------------------------------------------------------------------- /test/Feature/WithLibc.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t2.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --libc=klee %t2.bc > %t3.log 4 | // RUN: echo "good" > %t3.good 5 | // RUN: diff %t3.log %t3.good 6 | 7 | int main() { 8 | char buf[4]; 9 | char *s = "foo"; 10 | 11 | klee_make_symbolic(buf, sizeof buf); 12 | buf[3] = 0; 13 | 14 | if (strcmp(buf, s)==0) { 15 | if (buf[0]=='f' && buf[1]=='o' && buf[2]=='o' && buf[3]==0) { 16 | printf("good\n"); 17 | } else { 18 | printf("bad\n"); 19 | } 20 | } 21 | 22 | return 0; 23 | } 24 | -------------------------------------------------------------------------------- /test/Feature/WriteCov.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -c -o %t2.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error --write-cov %t2.bc 4 | // RUN: grep -c WriteCov.c:16 %t.klee-out/test000001.cov %t.klee-out/test000002.cov >%t3.txt 5 | // RUN: grep -c WriteCov.c:18 %t.klee-out/test000001.cov %t.klee-out/test000002.cov >>%t3.txt 6 | // RUN: grep %t.klee-out/test000001.cov:0 %t3.txt 7 | // RUN: grep %t.klee-out/test000001.cov:1 %t3.txt 8 | // RUN: grep %t.klee-out/test000002.cov:0 %t3.txt 9 | // RUN: grep %t.klee-out/test000002.cov:1 %t3.txt 10 | 11 | #include 12 | #include 13 | 14 | int main() { 15 | if (klee_range(0,2, "range")) { 16 | assert(__LINE__ == 16); printf("__LINE__ = %d\n", __LINE__); 17 | } else { 18 | assert(__LINE__ == 18); printf("__LINE__ = %d\n", __LINE__); 19 | } 20 | return 0; 21 | } 22 | -------------------------------------------------------------------------------- /test/Feature/srem.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out -use-cex-cache=1 %t.bc 4 | // RUN: grep "KLEE: done: explored paths = 5" %t.klee-out/info 5 | // RUN: grep "KLEE: done: generated tests = 4" %t.klee-out/info 6 | #include 7 | #include 8 | 9 | int main(int argc, char** argv) 10 | { 11 | int y; 12 | 13 | klee_make_symbolic(&y, sizeof(y), "y"); 14 | 15 | // Test cases divisor is positive or negative 16 | if (y >= 0) { 17 | if (y < 2) { 18 | // Two test cases generated taking this path, one for y == 0 and y ==1 19 | assert(1 % y == 0); 20 | } else { 21 | assert(1 % y == 1); 22 | } 23 | } else { 24 | if (y > -2) { 25 | assert(1 % y == 0); 26 | } else { 27 | assert(1 % y == 1); 28 | } 29 | } 30 | 31 | assert(0 % y == 0); 32 | assert(-1 % y == -1); 33 | } 34 | -------------------------------------------------------------------------------- /test/Feature/ubsan_signed_overflow.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -fsanitize=signed-integer-overflow -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t.bc 2>&1 | FileCheck %s 4 | 5 | // llvm-gcc 2.9 does not support -fsanitize=signed-integer-overflow 6 | // REQUIRES: not-llvm-2.9 7 | 8 | #include "klee/klee.h" 9 | 10 | int main() 11 | { 12 | signed int x; 13 | signed int y; 14 | volatile signed int result; 15 | 16 | klee_make_symbolic(&x, sizeof(x), "x"); 17 | klee_make_symbolic(&y, sizeof(y), "y"); 18 | 19 | // CHECK: ubsan_signed_overflow.c:20: overflow on unsigned addition 20 | result = x + y; 21 | 22 | // CHECK: ubsan_signed_overflow.c:23: overflow on unsigned subtraction 23 | result = x - y; 24 | 25 | // CHECK: ubsan_signed_overflow.c:26: overflow on unsigned multiplication 26 | result = x * y; 27 | 28 | return 0; 29 | } 30 | -------------------------------------------------------------------------------- /test/Feature/ubsan_unsigned_overflow.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -fsanitize=unsigned-integer-overflow -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t.bc 2>&1 | FileCheck %s 4 | 5 | // llvm-gcc 2.9 does not support -fsanitize=unsigned-integer-overflow 6 | // REQUIRES: not-llvm-2.9 7 | 8 | #include "klee/klee.h" 9 | 10 | int main() 11 | { 12 | unsigned int x; 13 | unsigned int y; 14 | volatile unsigned int result; 15 | 16 | klee_make_symbolic(&x, sizeof(x), "x"); 17 | klee_make_symbolic(&y, sizeof(y), "y"); 18 | 19 | // CHECK: ubsan_unsigned_overflow.c:20: overflow on unsigned addition 20 | result = x + y; 21 | 22 | // CHECK: ubsan_unsigned_overflow.c:23: overflow on unsigned subtraction 23 | result = x - y; 24 | 25 | // CHECK: ubsan_unsigned_overflow.c:26: overflow on unsigned multiplication 26 | result = x * y; 27 | 28 | return 0; 29 | } 30 | -------------------------------------------------------------------------------- /test/Feature/utils.h: -------------------------------------------------------------------------------- 1 | typedef unsigned char uint8_t; 2 | typedef unsigned short uint16_t; 3 | typedef unsigned int uint32_t; 4 | typedef unsigned long long uint64_t; 5 | 6 | uint32_t util_make_and_i1(uint32_t a, uint32_t b); 7 | uint32_t util_make_or_i1(uint32_t a, uint32_t b); 8 | 9 | uint16_t util_make_concat2(uint8_t a, uint8_t b); 10 | uint32_t util_make_concat4(uint8_t a, uint8_t b, 11 | uint8_t c, uint8_t d); 12 | uint64_t util_make_concat8(uint8_t a, uint8_t b, 13 | uint8_t c, uint8_t d, 14 | uint8_t e, uint8_t f, 15 | uint8_t g, uint8_t h); 16 | uint32_t util_make_select(uint32_t cond, uint32_t true, uint32_t false); 17 | -------------------------------------------------------------------------------- /test/Floats/absorbing_add.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | #include "klee/klee.h" 6 | #include 7 | 8 | // This test is based off an example from 9 | // "Symbolic execution of floating-point computations" 10 | // by Bernard Botella, Arnaud Gotlieb, and Claude Michel 11 | int main() { 12 | float x, y, z; 13 | klee_make_symbolic(&x, sizeof(float), "x"); 14 | klee_assume(x > 0.0f); // This also implies x isn't a NaN 15 | y = 1.0e12f; 16 | z = x + y; 17 | if ( z == y ) { 18 | // Note if we use reals to approximate floats this branch won't be feasible 19 | printf("add x absorbed\n"); 20 | } else { 21 | printf("addition visible\n"); 22 | } 23 | return 0; 24 | } 25 | // CHECK-NOT: silently concretizing (reason: floating point) 26 | // CHECK: KLEE: done: completed paths = 2 27 | -------------------------------------------------------------------------------- /test/Floats/absorbing_sub.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | #include "klee/klee.h" 6 | #include 7 | 8 | // This test is based off an example from 9 | // "Symbolic execution of floating-point computations" 10 | // by Bernard Botella, Arnaud Gotlieb, and Claude Michel 11 | int main() { 12 | float x, y, z; 13 | klee_make_symbolic(&x, sizeof(float), "x"); 14 | klee_assume(x > 0.0f); // This also implies x isn't a NaN 15 | y = 1.0e12f; 16 | z = y - x; 17 | if ( z == y ) { 18 | // Note if we use reals to approximate floats this branch won't be feasible 19 | printf("sub x absorbed\n"); 20 | } else { 21 | printf("subtraction visible\n"); 22 | } 23 | return 0; 24 | } 25 | // CHECK-NOT: silently concretizing (reason: floating point) 26 | // CHECK: KLEE: done: completed paths = 2 27 | -------------------------------------------------------------------------------- /test/Floats/fegetround_fesetround.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc 4 | #include "klee/klee.h" 5 | #include 6 | #include 7 | 8 | 9 | int main() { 10 | int rm = fegetround(); 11 | int result = 0; 12 | int newRm = 0; 13 | assert(rm == FE_TONEAREST); 14 | 15 | newRm = FE_UPWARD; 16 | result = fesetround(newRm); 17 | assert(result == 0 && "success"); 18 | assert(fegetround() == newRm); 19 | 20 | newRm = FE_DOWNWARD; 21 | result = fesetround(newRm); 22 | assert(result == 0 && "success"); 23 | assert(fegetround() == newRm); 24 | 25 | newRm = FE_TOWARDZERO; 26 | result = fesetround(newRm); 27 | assert(result == 0 && "success"); 28 | assert(fegetround() == newRm); 29 | 30 | // Bad rounding mode 31 | int tryRm = 0x7ff3; 32 | result = fesetround(tryRm); 33 | assert(result != 0 && "expected failure"); 34 | assert(fegetround() != tryRm); 35 | assert(fegetround() == newRm); 36 | return 0; 37 | } 38 | -------------------------------------------------------------------------------- /test/Floats/float_module_constants.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | #include "klee/klee.h" 6 | 7 | int main() { 8 | const float x = 0.5; 9 | const double y = 0.75; 10 | // OLD_CHECK: x:0x1p-1 11 | // CHECK: x:5.0E-1 12 | klee_print_expr("x", x); 13 | // OLD_CHECK: y:0x1.8p-1 14 | // CHECK: y:7.5E-1 15 | klee_print_expr("y", y); 16 | return 0; 17 | } 18 | // CHECK: KLEE: done: completed paths = 1 19 | -------------------------------------------------------------------------------- /test/Floats/fneg.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | #include "klee/klee.h" 6 | #include 7 | #include 8 | 9 | int main() { 10 | float f; 11 | klee_make_symbolic(&f, sizeof(f), "f"); 12 | float result = -f; 13 | if (signbit(f)) { 14 | assert(!signbit(result)); 15 | } else { 16 | if (!isnan(f)) 17 | assert(signbit(result)); 18 | } 19 | return 0; 20 | } 21 | // CHECK: KLEE: done: completed paths = 3 22 | -------------------------------------------------------------------------------- /test/Floats/fpext_single_to_double.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | #include "klee/klee.h" 6 | #include 7 | #include 8 | 9 | int main() { 10 | float x; 11 | double y; 12 | klee_make_symbolic(&x, sizeof(float), "x"); 13 | klee_assume(x > 0.0f); // This also implies x isn't a NaN 14 | y = (double) x; 15 | assert(y > 0.0); 16 | return 0; 17 | } 18 | // CHECK-NOT: silently concretizing (reason: floating point) 19 | // CHECK: KLEE: done: completed paths = 1 20 | -------------------------------------------------------------------------------- /test/Floats/fptosi_simple.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | #include "klee/klee.h" 6 | #include 7 | #include 8 | 9 | int main() { 10 | float x; 11 | signed int y; 12 | klee_make_symbolic(&x, sizeof(float), "x"); 13 | klee_assume(x > -128.9f); // This also implies x isn't a NaN 14 | klee_assume(x < 128.9f); 15 | y = (signed int) x; 16 | assert(y >= -128); 17 | assert(y <= 128); 18 | return 0; 19 | } 20 | // CHECK-NOT: silently concretizing (reason: floating point) 21 | // CHECK: KLEE: done: completed paths = 1 22 | -------------------------------------------------------------------------------- /test/Floats/fptoui_simple.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | #include "klee/klee.h" 6 | #include 7 | #include 8 | 9 | int main() { 10 | float x; 11 | unsigned int y; 12 | klee_make_symbolic(&x, sizeof(float), "x"); 13 | klee_assume(x > 1.0f); // This also implies x isn't a NaN 14 | klee_assume(x < 128.0f); 15 | y = (unsigned int) x; 16 | assert(y > 0); 17 | assert(y < 128); 18 | return 0; 19 | } 20 | // CHECK-NOT: silently concretizing (reason: floating point) 21 | // CHECK: KLEE: done: completed paths = 1 22 | -------------------------------------------------------------------------------- /test/Floats/fptoui_simple2.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | #include "klee/klee.h" 6 | #include 7 | #include 8 | 9 | int main() { 10 | float x; 11 | unsigned int y; 12 | klee_make_symbolic(&x, sizeof(float), "x"); 13 | klee_assume(x > 0.95); // This also implies x isn't a NaN 14 | klee_assume(x < 128.0f); 15 | // The C11 spec (6.3.1.4) says this conversion should 16 | // truncate the fractional part of ``x`` (i.e. 17 | // this is like rounding toward 0). 18 | y = (unsigned int) x; 19 | if (y == 0) { 20 | printf("y is zero\n"); 21 | } else { 22 | printf("y non zero\n"); 23 | } 24 | assert(y < 128); 25 | return 0; 26 | } 27 | // CHECK-NOT: silently concretizing (reason: floating point) 28 | // CHECK: KLEE: done: completed paths = 2 29 | -------------------------------------------------------------------------------- /test/Floats/fptrunc_double_to_single.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | #include "klee/klee.h" 6 | #include 7 | #include 8 | 9 | int main() { 10 | float x; 11 | double y; 12 | // TODO: Set the rounding mode, assume RNE for now 13 | klee_make_symbolic(&y, sizeof(double), "y"); 14 | klee_assume(y > 0.0); // This also implies y isn't a NaN 15 | x = (float)y; 16 | if (x > 0.0f) { 17 | printf("no truncation around 0.0\n"); 18 | } else { 19 | // TODO: If we use RU instead of RNE I don't think this branch is feasible 20 | assert(x == 0.0f); 21 | printf("truncation around 0.0\n"); 22 | } 23 | return 0; 24 | } 25 | // CHECK-NOT: silently concretizing (reason: floating point) 26 | // CHECK: KLEE: done: completed paths = 2 27 | -------------------------------------------------------------------------------- /test/Floats/get_and_set_rounding_mode_with_klee_runtime.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc 4 | #include "klee/klee.h" 5 | #include 6 | 7 | typedef enum KleeRoundingMode KleeRoundingModeTy; 8 | 9 | int main() { 10 | KleeRoundingModeTy rm = klee_get_rounding_mode(); 11 | assert(rm == KLEE_FP_RNE); // Correct default. 12 | 13 | klee_set_rounding_mode(KLEE_FP_RNA); 14 | assert(klee_get_rounding_mode() == KLEE_FP_RNA); 15 | 16 | klee_set_rounding_mode(KLEE_FP_RNA); 17 | assert(klee_get_rounding_mode() == KLEE_FP_RNA); 18 | 19 | klee_set_rounding_mode(KLEE_FP_RU); 20 | assert(klee_get_rounding_mode() == KLEE_FP_RU); 21 | 22 | klee_set_rounding_mode(KLEE_FP_RD); 23 | assert(klee_get_rounding_mode() == KLEE_FP_RD); 24 | 25 | klee_set_rounding_mode(KLEE_FP_RZ); 26 | assert(klee_get_rounding_mode() == KLEE_FP_RZ); 27 | return 0; 28 | } 29 | -------------------------------------------------------------------------------- /test/Floats/internal_sqrt_float.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | #include "klee/klee.h" 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | int main() { 12 | float x = 100.0f; 13 | float result = klee_sqrt_float(x); 14 | printf("sqrt(%f) = %f\n", x, result); 15 | assert(result == 10.f); 16 | 17 | x = -0.0f; 18 | assert(signbit(x)); 19 | result = klee_sqrt_float(x); 20 | printf("sqrt(%f) = %f\n", x, result); 21 | assert(result == -0.0f); 22 | assert(signbit(result)); 23 | 24 | printf("Test sqrt negative\n"); 25 | x = -FLT_MIN; 26 | assert(signbit(x)); 27 | assert(x < 0.0f); 28 | result = klee_sqrt_float(x); 29 | printf("sqrt(%f) = %f\n", x, result); 30 | assert(isnan(result)); 31 | 32 | return 0; 33 | } 34 | // CHECK: KLEE: done: completed paths = 1 35 | -------------------------------------------------------------------------------- /test/Floats/isinf_double.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | #include "klee/klee.h" 6 | #include 7 | #include 8 | #include 9 | 10 | int main() { 11 | double x; 12 | klee_make_symbolic(&x, sizeof(double), "x"); 13 | if (isinf(x)) { 14 | assert(klee_is_infinite_double(x)); 15 | } 16 | else { 17 | assert(!klee_is_infinite_double(x)); 18 | } 19 | } 20 | // CHECK-NOT: silently concretizing (reason: floating point) 21 | // CHECK: KLEE: done: completed paths = 2 22 | -------------------------------------------------------------------------------- /test/Floats/isinf_double_no_fork.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | 6 | #include "klee/klee.h" 7 | #include 8 | #include 9 | #include 10 | 11 | int main() { 12 | double x; 13 | klee_make_symbolic(&x, sizeof(double), "x"); 14 | klee_assume(isinf(x)); 15 | assert(klee_is_infinite_double(x)); 16 | } 17 | // CHECK-NOT: invalid klee_assume call (provably false) 18 | // CHECK: KLEE: done: completed paths = 1 19 | -------------------------------------------------------------------------------- /test/Floats/isinf_float.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | #include "klee/klee.h" 6 | #include 7 | #include 8 | #include 9 | 10 | int main() { 11 | float x; 12 | klee_make_symbolic(&x, sizeof(float), "x"); 13 | if (isinf(x)) { 14 | assert(klee_is_infinite_float(x)); 15 | } 16 | else { 17 | assert(!klee_is_infinite_float(x)); 18 | } 19 | } 20 | // CHECK-NOT: silently concretizing (reason: floating point) 21 | // CHECK: KLEE: done: completed paths = 2 22 | -------------------------------------------------------------------------------- /test/Floats/isinf_float_no_fork.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | 6 | #include "klee/klee.h" 7 | #include 8 | #include 9 | #include 10 | 11 | int main() { 12 | float x; 13 | klee_make_symbolic(&x, sizeof(float), "x"); 14 | klee_assume(isinf(x)); 15 | assert(klee_is_infinite_float(x)); 16 | } 17 | // CHECK-NOT: invalid klee_assume call (provably false) 18 | // CHECK: KLEE: done: completed paths = 1 19 | -------------------------------------------------------------------------------- /test/Floats/isinf_long_double.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | // REQUIRES: x86_64 6 | #include "klee/klee.h" 7 | #include 8 | #include 9 | #include 10 | 11 | int main() { 12 | long double x; 13 | klee_make_symbolic(&x, sizeof(long double), "x"); 14 | if (isinf(x)) { 15 | assert(klee_is_infinite_long_double(x)); 16 | } 17 | else { 18 | assert(!klee_is_infinite_long_double(x)); 19 | } 20 | } 21 | // CHECK-NOT: silently concretizing (reason: floating point) 22 | // CHECK: KLEE: done: completed paths = 2 23 | -------------------------------------------------------------------------------- /test/Floats/isinf_long_double_no_fork.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | // REQUIRES: x86_64 6 | 7 | #include "klee/klee.h" 8 | #include 9 | #include 10 | #include 11 | 12 | int main() { 13 | long double x; 14 | klee_make_symbolic(&x, sizeof(long double), "x"); 15 | klee_assume(isinf(x)); 16 | assert(klee_is_infinite_long_double(x)); 17 | } 18 | // CHECK-NOT: invalid klee_assume call (provably false) 19 | // CHECK: KLEE: done: completed paths = 1 20 | -------------------------------------------------------------------------------- /test/Floats/isnan_double.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | #include "klee/klee.h" 6 | #include 7 | #include 8 | #include 9 | 10 | int main() { 11 | double x; 12 | klee_make_symbolic(&x, sizeof(double), "x"); 13 | if (isnan(x)) { 14 | assert(x != x); 15 | assert(klee_is_nan_double(x)); 16 | } 17 | else { 18 | assert(x == x); 19 | assert(!klee_is_nan_double(x)); 20 | } 21 | } 22 | // CHECK-NOT: silently concretizing (reason: floating point) 23 | // CHECK: KLEE: done: completed paths = 2 24 | -------------------------------------------------------------------------------- /test/Floats/isnan_long_double.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | // REQUIRES: x86_64 6 | #include "klee/klee.h" 7 | #include 8 | #include 9 | #include 10 | 11 | int main() { 12 | long double x; 13 | klee_make_symbolic(&x, sizeof(long double), "x"); 14 | if (isnan(x)) { 15 | assert(x != x); 16 | assert(klee_is_nan_long_double(x)); 17 | } 18 | else { 19 | assert(x == x); 20 | assert(!klee_is_nan_long_double(x)); 21 | } 22 | } 23 | // CHECK-NOT: silently concretizing (reason: floating point) 24 | // CHECK: KLEE: done: completed paths = 2 25 | -------------------------------------------------------------------------------- /test/Floats/isnanf.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | #include "klee/klee.h" 6 | #include 7 | #include 8 | #include 9 | 10 | int main() { 11 | float x; 12 | klee_make_symbolic(&x, sizeof(float), "x"); 13 | if (isnan(x)) { 14 | assert(x != x); 15 | assert(klee_is_nan_float(x)); 16 | } 17 | else { 18 | assert(x == x); 19 | assert(!klee_is_nan_float(x)); 20 | } 21 | } 22 | // CHECK-NOT: silently concretizing (reason: floating point) 23 | // CHECK: KLEE: done: completed paths = 2 24 | -------------------------------------------------------------------------------- /test/Floats/isnormal_double.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | #include "klee/klee.h" 6 | #include 7 | #include 8 | #include 9 | 10 | int main() { 11 | double x; 12 | klee_make_symbolic(&x, sizeof(double), "x"); 13 | if (klee_is_normal_double(x)) { 14 | assert(isnormal(x)); 15 | } else { 16 | assert(!klee_is_normal_double(x)); 17 | // forks in ``isnormal()``: could be 0, NaN, Inf, subnormal 18 | assert(!isnormal(x)); 19 | } 20 | } 21 | // CHECK-NOT: silently concretizing (reason: floating point) 22 | // CHECK: KLEE: done: completed paths = 5 23 | -------------------------------------------------------------------------------- /test/Floats/isnormal_float.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | #include "klee/klee.h" 6 | #include 7 | #include 8 | #include 9 | 10 | int main() { 11 | float x; 12 | klee_make_symbolic(&x, sizeof(float), "x"); 13 | if (klee_is_normal_float(x)) { 14 | assert(isnormal(x)); 15 | } else { 16 | assert(!klee_is_normal_float(x)); 17 | // forks in ``isnormal()``: could be 0, NaN, Inf, subnormal 18 | assert(!isnormal(x)); 19 | } 20 | } 21 | // CHECK-NOT: silently concretizing (reason: floating point) 22 | // CHECK: KLEE: done: completed paths = 5 23 | -------------------------------------------------------------------------------- /test/Floats/isnormal_long_double.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | // REQUIRES: x86_64 6 | #include "klee/klee.h" 7 | #include 8 | #include 9 | #include 10 | 11 | int main() { 12 | long double x; 13 | klee_make_symbolic(&x, sizeof(long double), "x"); 14 | if (klee_is_normal_long_double(x)) { 15 | assert(isnormal(x)); 16 | } else { 17 | assert(!klee_is_normal_long_double(x)); 18 | // forks in ``isnormal()``: could be 0, NaN, Inf, subnormal 19 | assert(!isnormal(x)); 20 | } 21 | } 22 | // CHECK-NOT: silently concretizing (reason: floating point) 23 | // CHECK: KLEE: done: completed paths = 5 24 | -------------------------------------------------------------------------------- /test/Floats/issubnormal_double.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | #include "klee/klee.h" 6 | #include 7 | #include 8 | #include 9 | 10 | int main() { 11 | double x; 12 | klee_make_symbolic(&x, sizeof(double), "x"); 13 | if (klee_is_subnormal_double(x)) { 14 | assert(fpclassify(x) == FP_SUBNORMAL); 15 | } else { 16 | assert(!klee_is_subnormal_double(x)); 17 | // forks in ``fpclassify()``: could be 0, NaN, Inf, normal 18 | assert(fpclassify(x) != FP_SUBNORMAL); 19 | } 20 | } 21 | // CHECK-NOT: silently concretizing (reason: floating point) 22 | // CHECK: KLEE: done: completed paths = 5 23 | -------------------------------------------------------------------------------- /test/Floats/issubnormal_float.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | #include "klee/klee.h" 6 | #include 7 | #include 8 | #include 9 | 10 | int main() { 11 | float x; 12 | klee_make_symbolic(&x, sizeof(float), "x"); 13 | if (klee_is_subnormal_float(x)) { 14 | assert(fpclassify(x) == FP_SUBNORMAL); 15 | } else { 16 | assert(!klee_is_subnormal_float(x)); 17 | // forks in ``fpclassify()``: could be 0, NaN, Inf, normal 18 | assert(fpclassify(x) != FP_SUBNORMAL); 19 | } 20 | } 21 | // CHECK-NOT: silently concretizing (reason: floating point) 22 | // CHECK: KLEE: done: completed paths = 5 23 | -------------------------------------------------------------------------------- /test/Floats/issubnormal_long_double.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | // REQUIRES: x86_64 6 | #include "klee/klee.h" 7 | #include 8 | #include 9 | #include 10 | 11 | int main() { 12 | long double x; 13 | klee_make_symbolic(&x, sizeof(long double), "x"); 14 | if (klee_is_subnormal_long_double(x)) { 15 | assert(fpclassify(x) == FP_SUBNORMAL); 16 | } else { 17 | assert(!klee_is_subnormal_long_double(x)); 18 | // forks in ``fpclassify()``: could be 0, NaN, Inf, normal 19 | assert(fpclassify(x) != FP_SUBNORMAL); 20 | } 21 | } 22 | // CHECK-NOT: silently concretizing (reason: floating point) 23 | // CHECK: KLEE: done: completed paths = 5 24 | -------------------------------------------------------------------------------- /test/Floats/long_double_memcpy.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | // REQUIRES: x86_64 6 | #include "klee/klee.h" 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | 14 | long double globalLongDouble = 0.0l; 15 | 16 | void dump_long_double(long double ld) { 17 | uint64_t data[2] = {0, 0}; 18 | memcpy(data, &ld, 10); 19 | printf("a: 0x%.4" PRIx16 " %.16" PRIx64 "\n", (uint16_t)data[1], data[0]); 20 | } 21 | 22 | int main() { 23 | long double x = 1.0l; 24 | 25 | long double localCopy = NAN; 26 | memcpy(&localCopy, &x, sizeof(long double)); 27 | assert(localCopy == x); 28 | 29 | memcpy(&globalLongDouble, &x, sizeof(long double)); 30 | assert(globalLongDouble == x); 31 | return 0; 32 | } 33 | // CHECK: KLEE: done: generated tests = 1 34 | -------------------------------------------------------------------------------- /test/Floats/set_rounding_mode_fail_external_call.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: not %klee --output-dir=%t.klee-out --exit-on-error %t1.bc 0.5 > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | #include "klee/klee.h" 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | 12 | int main(int argc, char **argv) { 13 | klee_set_rounding_mode(KLEE_FP_RNA); 14 | // CHECK: set_rounding_mode_fail_external_call.c:[[@LINE+1]]: Cannot set rounding mode for external call to RNA 15 | puts("doing external call"); 16 | return 0; 17 | } 18 | -------------------------------------------------------------------------------- /test/Floats/simple_div.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | #include "klee/klee.h" 6 | #include 7 | 8 | int main() { 9 | float x, y, z; 10 | klee_make_symbolic(&x, sizeof(float), "x"); 11 | y = 1.0e12f; 12 | z = x / y; 13 | if (z == y) { 14 | printf("z == y\n"); 15 | } else if (z < y) { 16 | printf("z < y\n"); 17 | } else if (z > y) { 18 | printf("z > y\n"); 19 | } else { 20 | // FIXME: Check that this actually is NaN 21 | printf("z is NaN/Inf+/Inf-\n"); 22 | } 23 | return 0; 24 | } 25 | // CHECK-NOT: silently concretizing (reason: floating point) 26 | // CHECK: KLEE: done: completed paths = 4 27 | -------------------------------------------------------------------------------- /test/Floats/simple_mul.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | #include "klee/klee.h" 6 | #include 7 | 8 | int main() { 9 | float x, y, z; 10 | klee_make_symbolic(&x, sizeof(float), "x"); 11 | y = 1.0e12f; 12 | z = x * y; 13 | if (z == y) { 14 | printf("z == y\n"); 15 | } else if (z < y) { 16 | printf("z < y\n"); 17 | } else if (z > y) { 18 | printf("z > y\n"); 19 | } else { 20 | // FIXME: Check that this actually is NaN 21 | printf("z is NaN/Inf+/Inf-\n"); 22 | } 23 | return 0; 24 | } 25 | // CHECK-NOT: silently concretizing (reason: floating point) 26 | // CHECK: KLEE: done: completed paths = 4 27 | -------------------------------------------------------------------------------- /test/Floats/sitofp_simple.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | #include "klee/klee.h" 6 | #include 7 | #include 8 | #include 9 | 10 | int main() { 11 | float x; 12 | int32_t y; 13 | klee_make_symbolic(&y, sizeof(int32_t), "y"); 14 | x = (float) y; 15 | assert(klee_is_symbolic(x)); 16 | assert( x >= -0x1.000000p31); // x >= 2^31 17 | assert( x <= 0x1.000000p31); // x <= 2^31 18 | return 0; 19 | } 20 | // CHECK-NOT: silently concretizing (reason: floating point) 21 | // CHECK: KLEE: done: completed paths = 1 22 | -------------------------------------------------------------------------------- /test/Floats/sqrt_double_symbolic.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | #include "klee/klee.h" 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | int main() { 12 | double x = 0.0; 13 | klee_make_symbolic(&x, sizeof(double), "x"); 14 | double result = sqrt(x); 15 | 16 | if (isnan(x)) { 17 | assert(isnan(result)); 18 | return 0; 19 | } 20 | 21 | if (x < 0.0) { 22 | assert(isnan(result)); 23 | return 0; 24 | } 25 | 26 | if (isinf(x)) { 27 | assert(isinf(result) == 1); 28 | return 0; 29 | } 30 | 31 | if (x == 0.0) { 32 | assert(result == 0.0); 33 | // check sign bit sqrt(-0.0) == -0.0 34 | if (signbit(x)) { 35 | assert(signbit(result)); 36 | } 37 | return 0; 38 | } 39 | 40 | assert(x > 0.0); 41 | return 0; 42 | } 43 | // CHECK: KLEE: done: completed paths = 6 44 | -------------------------------------------------------------------------------- /test/Floats/sqrt_float_symbolic.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | #include "klee/klee.h" 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | int main() { 12 | float x = 0.0f; 13 | klee_make_symbolic(&x, sizeof(float), "x"); 14 | float result = sqrtf(x); 15 | 16 | if (isnan(x)) { 17 | assert(isnan(result)); 18 | return 0; 19 | } 20 | 21 | if (x < 0.0f) { 22 | assert(isnan(result)); 23 | return 0; 24 | } 25 | 26 | if (isinf(x)) { 27 | assert(isinf(result) == 1); 28 | return 0; 29 | } 30 | 31 | if (x == 0.0f) { 32 | assert(result == 0.0f); 33 | // check sign bit sqrt(-0.0) == -0.0 34 | if (signbit(x)) { 35 | assert(signbit(result)); 36 | } 37 | return 0; 38 | } 39 | 40 | assert(x > 0.0f); 41 | return 0; 42 | } 43 | // CHECK: KLEE: done: completed paths = 6 44 | -------------------------------------------------------------------------------- /test/Floats/uitofp_simple.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc > %t-output.txt 2>&1 4 | // RUN: FileCheck -input-file=%t-output.txt %s 5 | #include "klee/klee.h" 6 | #include 7 | #include 8 | #include 9 | 10 | int main() { 11 | float x; 12 | uint32_t y; 13 | klee_make_symbolic(&y, sizeof(uint32_t), "y"); 14 | x = (float) y; 15 | assert(klee_is_symbolic(x)); 16 | assert( x >= 0.0f); 17 | assert( x <= 0x1.000000p32); // x <= 2^32 18 | return 0; 19 | } 20 | // CHECK-NOT: silently concretizing (reason: floating point) 21 | // CHECK: KLEE: done: completed paths = 1 22 | -------------------------------------------------------------------------------- /test/Merging/batching_break.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc -emit-llvm -g -c -o %t.bc %s 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: klee --output-dir=%t.klee-out --use-merge --debug-log-merge --search=nurs:covnew %t.bc 2>&1 | FileCheck %s 4 | 5 | // CHECK: open merge: 6 | // CHECK: close merge: 7 | // CHECK: KLEE: done: generated tests = 3{{$}} 8 | 9 | #include 10 | 11 | int main(int argc, char** args){ 12 | 13 | int x; 14 | int p; 15 | int i; 16 | 17 | klee_make_symbolic(&x, sizeof(x), "x"); 18 | x = x % 20; 19 | 20 | klee_open_merge(); 21 | for (i = 0; i < x; ++i){ 22 | if (x % 3 == 0){ 23 | klee_close_merge(); 24 | if (x > 10){ 25 | return 1; 26 | } else { 27 | return 2; 28 | } 29 | } 30 | } 31 | klee_close_merge(); 32 | 33 | klee_open_merge(); 34 | if (x > 10){ 35 | p = 1; 36 | } else { 37 | p = 2; 38 | } 39 | klee_close_merge(); 40 | return p; 41 | 42 | } 43 | -------------------------------------------------------------------------------- /test/Merging/indirect_value.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc -emit-llvm -g -c -o %t.bc %s 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: klee --output-dir=%t.klee-out --use-merge --debug-log-merge --search=nurs:covnew --use-batching-search %t.bc 2>&1 | FileCheck %s 4 | 5 | // CHECK: generated tests = 2{{$}} 6 | #include 7 | #include 8 | 9 | #include 10 | 11 | int main(int argc, char** argv) { 12 | 13 | int sym = klee_int("sym"); 14 | int* heap_int = calloc(1, sizeof(*heap_int)); 15 | 16 | klee_open_merge(); 17 | 18 | if(sym != 0) { 19 | *heap_int = 1; 20 | } 21 | 22 | klee_close_merge(); 23 | 24 | klee_print_expr("*heap_int: ", *heap_int); 25 | if(*heap_int != 0) { 26 | printf("true\n"); 27 | } else { 28 | printf("false\n"); 29 | } 30 | 31 | return 0; 32 | } 33 | -------------------------------------------------------------------------------- /test/Merging/unexpected_close.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc -emit-llvm -g -c -o %t.bc %s 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: klee --output-dir=%t.klee-out --use-merge --search=nurs:covnew --max-time=2 %t.bc 4 | 5 | // CHECK: ran into a close at 6 | // CHECK: generated tests = 2{{$}} 7 | 8 | #include 9 | 10 | int main(int argc, char **args) { 11 | 12 | int x; 13 | int a; 14 | int foo = 0; 15 | 16 | klee_make_symbolic(&x, sizeof(x), "x"); 17 | klee_make_symbolic(&a, sizeof(a), "a"); 18 | 19 | if (a == 0) { 20 | klee_open_merge(); 21 | 22 | if (x == 1) { 23 | foo = 5; 24 | } else if (x == 2) { 25 | foo = 6; 26 | } else { 27 | foo = 7; 28 | } 29 | 30 | klee_close_merge(); 31 | } 32 | klee_close_merge(); 33 | 34 | return foo; 35 | } 36 | -------------------------------------------------------------------------------- /test/README: -------------------------------------------------------------------------------- 1 | about tests.... 2 | -------------------------------------------------------------------------------- /test/Replay/libkleeruntest/replay_simple.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --search=dfs %t.bc 4 | // RUN: test -f %t.klee-out/test000001.ktest 5 | // RUN: test -f %t.klee-out/test000002.ktest 6 | 7 | // Now try to replay with libkleeRuntest 8 | // RUN: %cc %s %libkleeruntest -Wl,-rpath %libkleeruntestdir -o %t_runner 9 | // RUN: env KTEST_FILE=%t.klee-out/test000001.ktest %t_runner | FileCheck -check-prefix=TESTONE %s 10 | // RUN: env KTEST_FILE=%t.klee-out/test000002.ktest %t_runner | FileCheck -check-prefix=TESTTWO %s 11 | 12 | #include "klee/klee.h" 13 | #include 14 | 15 | int main(int argc, char** argv) { 16 | int x = 0; 17 | klee_make_symbolic(&x, sizeof(x), "x"); 18 | 19 | if (x == 0) { 20 | printf("x is 0\n"); 21 | } else { 22 | printf("x is not 0\n"); 23 | } 24 | return 0; 25 | } 26 | 27 | // TESTONE: x is not 0 28 | // TESTTWO: x is 0 29 | -------------------------------------------------------------------------------- /test/Replay/libkleeruntest/replay_two_objects.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --search=dfs %t.bc 2>&1 | FileCheck %s 4 | // RUN: test -f %t.klee-out/test000001.ktest 5 | // RUN: test ! -f %t.klee-out/test000002.ktest 6 | 7 | // Now try to replay with libkleeRuntest 8 | // RUN: %cc -DPRINT_VALUES %s %libkleeruntest -Wl,-rpath %libkleeruntestdir -o %t_runner 9 | // RUN: env KTEST_FILE=%t.klee-out/test000001.ktest %t_runner | FileCheck -check-prefix=TESTONE %s 10 | 11 | #include "klee/klee.h" 12 | #include 13 | 14 | int main(int argc, char** argv) { 15 | int x = 0; 16 | int y = 0; 17 | klee_make_symbolic(&x, sizeof(x), "x"); 18 | klee_make_symbolic(&y, sizeof(x), "y"); 19 | 20 | klee_assume(x == 1); 21 | klee_assume(y == 128); 22 | 23 | #ifdef PRINT_VALUES 24 | printf("x=%d\n", x); 25 | printf("y=%d\n", y); 26 | #endif 27 | 28 | return 0; 29 | } 30 | // CHECK: KLEE: done: completed paths = 1 31 | 32 | // TESTONE: x=1 33 | // TESTONE: y=128 34 | -------------------------------------------------------------------------------- /test/Runtime/POSIX/FDNumbers.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t2.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --posix-runtime --exit-on-error %t2.bc --sym-files 1 10 4 | 5 | #include 6 | #include 7 | #include 8 | 9 | int main(int argc, char **argv) { 10 | int fd = open("A", O_TRUNC); 11 | assert(fd == 3); 12 | assert(!close(0)); 13 | assert(!close(1)); 14 | assert(close(0) == -1); 15 | assert(close(1) == -1); 16 | assert(open("A", O_TRUNC) == 0); 17 | assert(dup(0) == 1); 18 | assert(open("A", O_TRUNC) == 4); 19 | assert(!close(1)); 20 | assert(open("A", O_TRUNC) == 1); 21 | assert(dup(0) != 1); 22 | assert(dup2(0,1) == 1); 23 | 24 | return 0; 25 | } 26 | -------------------------------------------------------------------------------- /test/Runtime/POSIX/FD_Fail.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --libc=uclibc --posix-runtime %t1.bc --sym-files 0 0 --max-fail 1 > %t.log 4 | // RUN: grep -q "fread(): ok" %t.log 5 | // RUN: grep -q "fread(): fail" %t.log 6 | // RUN: grep -q "fclose(): ok" %t.log 7 | // RUN: grep -q "fclose(): fail" %t.log 8 | 9 | #include 10 | #include 11 | 12 | int main(int argc, char** argv) { 13 | char buf[1024]; 14 | FILE* f = fopen("/etc/fstab", "r"); 15 | assert(f); 16 | 17 | int r = fread(buf, 1, 100, f); 18 | printf("fread(): %s\n", 19 | r ? "ok" : "fail"); 20 | 21 | r = fclose(f); 22 | printf("fclose(): %s\n", 23 | r ? "ok" : "fail"); 24 | 25 | return 0; 26 | } 27 | -------------------------------------------------------------------------------- /test/Runtime/POSIX/Fcntl.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t2.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --posix-runtime --exit-on-error %t2.bc --sym-files 1 10 4 | 5 | #include 6 | #include 7 | 8 | int main(int argc, char **argv) { 9 | int fd = open("A", O_RDWR|O_TRUNC); 10 | if (fd == -1) 11 | klee_silent_exit(0); 12 | assert(fd == 3); 13 | assert((fcntl(fd, F_GETFD) & FD_CLOEXEC) == 0); 14 | assert(fcntl(fd, F_SETFD, FD_CLOEXEC, 1) == 0); 15 | assert((fcntl(fd, F_GETFD) & FD_CLOEXEC) != 0); 16 | 17 | return 0; 18 | } 19 | -------------------------------------------------------------------------------- /test/Runtime/POSIX/FilePerm.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --posix-runtime %t.bc --sym-files 1 10 --sym-stdout 2>%t.log 4 | // RUN: test -f %t.klee-out/test000001.ktest 5 | // RUN: test -f %t.klee-out/test000002.ktest 6 | // RUN: test -f %t.klee-out/test000003.ktest 7 | 8 | #include 9 | #include 10 | #include 11 | #include 12 | 13 | int main(int argc, char** argv) { 14 | int fd = open("A", O_RDWR); 15 | if (fd != -1) 16 | fprintf(stderr, "File 'A' opened successfully\n"); 17 | else fprintf(stderr, "Cannot open file 'A'\n"); 18 | 19 | if (fd != -1) 20 | close(fd); 21 | } 22 | -------------------------------------------------------------------------------- /test/Runtime/POSIX/FreeArgv.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -g -emit-llvm -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --posix-runtime %t.bc --sym-args 1 1 1 2>&1 | FileCheck %s 4 | // RUN: test -f %t.klee-out/test000001.free.err 5 | // RUN: test -f %t.klee-out/test000002.free.err 6 | // RUN: test -f %t.klee-out/test000003.free.err 7 | 8 | int main(int argc, char **argv) { 9 | // FIXME: Use FileCheck's CHECK-DAG to check source locations 10 | switch(klee_range(0, 3, "range")) { 11 | case 0: 12 | // CHECK: free of global 13 | free(argv); 14 | break; 15 | case 1: 16 | // CHECK: free of global 17 | free(argv[0]); 18 | break; 19 | case 2: 20 | // CHECK: free of global 21 | free(argv[1]); 22 | break; 23 | } 24 | return 0; 25 | } 26 | -------------------------------------------------------------------------------- /test/Runtime/POSIX/Getenv.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t2.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --libc=klee --posix-runtime --exit-on-error %t2.bc --sym-files 1 10 4 | 5 | #include 6 | 7 | int main(int argc, char **argv) { 8 | char *g = getenv("PWD"); 9 | if (g) { 10 | printf("have PWD\n"); 11 | } else { 12 | printf("have no PWD\n"); 13 | } 14 | 15 | g = getenv("HELLO"); 16 | if (!g || strcmp(g, "nice")==0) { 17 | printf("getenv(\"HELLO\") = %p\n", g); 18 | if (g) assert(strcmp(getenv("HELLO"),"nice") == 0); 19 | } 20 | 21 | return 0; 22 | } 23 | -------------------------------------------------------------------------------- /test/Runtime/POSIX/Ioctl.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --posix-runtime --exit-on-error %t.bc --sym-files 0 4 4 | 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | 13 | int main(int argc, char **argv) { 14 | struct stat s; 15 | struct termios ts; 16 | 17 | assert(fstat(0, &s) == 0); 18 | 19 | assert(ioctl(10, FIONREAD, &ts) == -1 && errno == EBADF); 20 | 21 | if (S_ISCHR(s.st_mode)) { 22 | printf("is chr\n"); 23 | assert(ioctl(0, TIOCGWINSZ, &ts) == 0); 24 | } else { 25 | printf("not chr\n"); 26 | // I think TC* ioctls basically always fail on nonchr? 27 | assert(ioctl(0, TIOCGWINSZ, &ts) == -1); 28 | assert(errno == ENOTTY); 29 | } 30 | 31 | return 0; 32 | } 33 | -------------------------------------------------------------------------------- /test/Runtime/POSIX/Openat.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t2.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --posix-runtime --exit-on-error %t2.bc --sym-files 1 10 4 | // RUN: test -f %t.klee-out/test000001.ktest 5 | 6 | #include 7 | #include 8 | 9 | int main(int argc, char **argv) { 10 | int fd = openat(AT_FDCWD, "A", O_RDWR|O_TRUNC); 11 | if (fd != -1) { 12 | char buf[10]; 13 | assert(read(fd, buf, 10) == 10); 14 | assert(klee_is_symbolic(buf[0])); 15 | } else { 16 | klee_silent_exit(0); 17 | } 18 | return 0; 19 | } 20 | -------------------------------------------------------------------------------- /test/Runtime/POSIX/PrgName.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t2.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --posix-runtime --exit-on-error %t2.bc --sym-arg 10 >%t.log 4 | // RUN: test -f %t.klee-out/test000001.ktest 5 | // RUN: test -f %t.klee-out/test000002.ktest 6 | // RUN: grep -q "No" %t.log 7 | // RUN: grep -qv "Yes" %t.log 8 | 9 | 10 | /* Simple test for argv[0] */ 11 | 12 | #include 13 | 14 | int f(int argc, char **argv) { 15 | 16 | if (argv[0][5] == '7') 17 | printf("Yes\n"); 18 | else printf("No\n"); 19 | 20 | printf("%c\n", argv[0][5]); 21 | 22 | if (argv[1][1] == 4) 23 | printf("4\n"); 24 | printf("not 4\n"); 25 | 26 | return 0; 27 | } 28 | 29 | 30 | int main(int argc, char **argv) { 31 | f(argc, argv); 32 | } 33 | -------------------------------------------------------------------------------- /test/Runtime/POSIX/Read1.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error --posix-runtime %t.bc --sym-files 1 8 >%t.log 4 | 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | 12 | int main(int argc, char** argv) { 13 | char buf[32]; 14 | 15 | // If count is zero, read() returns zero and has no other results. (man page) 16 | int x = read(0, 0, 0); 17 | assert(x == 0); 18 | 19 | int fd = open("A", O_RDONLY); 20 | assert(fd != -1); 21 | 22 | // EFAULT buf is outside your accessible address space. (man page) 23 | x = read(fd, 0, 1); 24 | assert(x == -1 && errno == EFAULT); 25 | 26 | // EBADF fd is not a valid file descriptor (man page) 27 | x = read(-1, buf, 1); 28 | assert(x == -1 && errno == EBADF); 29 | 30 | fd = open("A", O_RDONLY); 31 | assert(fd != -1); 32 | x = read(fd, buf, 1); 33 | assert(x == 1); 34 | } 35 | 36 | -------------------------------------------------------------------------------- /test/Runtime/POSIX/SELinux/SELinux.c: -------------------------------------------------------------------------------- 1 | /* Very basic test, as right now SELinux support is extremely basic */ 2 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 3 | // RUN: rm -rf %t.klee-out 4 | // RUN: %klee --output-dir=%t.klee-out --posix-runtime --exit-on-error %t1.bc --sym-arg 2 > %t.log 5 | // XFAIL: no-selinux 6 | 7 | #include 8 | #include 9 | #include 10 | 11 | int main(int argc, char** argv) { 12 | 13 | security_context_t con; 14 | 15 | assert(argc == 2); 16 | 17 | int selinux = is_selinux_enabled(); 18 | printf("selinux enabled = %d\n", selinux); 19 | 20 | if (setfscreatecon(argv[1]) < 0) 21 | printf("Error: set\n"); 22 | else printf("Success: set\n"); 23 | 24 | if (getfscreatecon(&con) < 0) 25 | printf("Error: get\n"); 26 | else printf("Success: get\n"); 27 | 28 | printf("create_con = %s\n", con); 29 | 30 | return 0; 31 | } 32 | -------------------------------------------------------------------------------- /test/Runtime/POSIX/SELinux/lit.local.cfg: -------------------------------------------------------------------------------- 1 | def getRoot(config): 2 | if not config.parent: 3 | return config 4 | return getRoot(config.parent) 5 | 6 | if not getRoot(config).have_selinux: 7 | config.unsupported = True 8 | -------------------------------------------------------------------------------- /test/Runtime/POSIX/Write1.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error --libc=uclibc --posix-runtime %t.bc --sym-files 1 10 --sym-stdout 2>%t.log 4 | 5 | #include 6 | #include 7 | 8 | int main(int argc, char** argv) { 9 | char buf[32]; 10 | 11 | FILE* f = fopen("A", "w"); 12 | if (!f) 13 | klee_silent_exit(0); 14 | fwrite("Hello", sizeof("Hello"), 1, f); 15 | fclose(f); 16 | 17 | f = fopen("A", "r"); 18 | fread(buf, sizeof("Hello"), 1, f); 19 | fclose(f); 20 | 21 | assert(memcmp(buf, "Hello", sizeof("Hello")) == 0); 22 | 23 | return 0; 24 | } 25 | -------------------------------------------------------------------------------- /test/Runtime/POSIX/Write2.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error --libc=uclibc --posix-runtime %t.bc --sym-files 1 10 --sym-stdout 2>%t.log 4 | 5 | #include 6 | #include 7 | 8 | int main(int argc, char** argv) { 9 | const char* msg = "This will eventually overflow stdout. "; 10 | char buf[32]; 11 | int i; 12 | 13 | FILE* f = stdout;//fopen("A", "w"); 14 | if (!f) 15 | klee_silent_exit(0); 16 | 17 | for (i = 0; i < 300; i++) 18 | fwrite(msg, sizeof(msg), 1, f); 19 | fclose(f); 20 | 21 | return 0; 22 | } 23 | -------------------------------------------------------------------------------- /test/Runtime/POSIX/lit.local.cfg: -------------------------------------------------------------------------------- 1 | def getRoot(config): 2 | if not config.parent: 3 | return config 4 | return getRoot(config.parent) 5 | 6 | if not getRoot(config).enable_posix_runtime: 7 | config.unsupported = True 8 | -------------------------------------------------------------------------------- /test/Runtime/Uclibc/2007-10-08-optimization-calls-wrong-libc-functions.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error --optimize --libc=uclibc %t1.bc 4 | 5 | #include 6 | #include 7 | 8 | #include "klee/klee.h" 9 | 10 | int main() { 11 | int a; 12 | 13 | klee_make_symbolic(&a, sizeof a, "a"); 14 | 15 | memset(&a, 0, sizeof a); 16 | 17 | if (a) { 18 | assert(0); 19 | } 20 | 21 | return 0; 22 | } 23 | -------------------------------------------------------------------------------- /test/Runtime/Uclibc/2008-03-04-libc-atexit-uses-dso-handle.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error --libc=uclibc %t1.bc 4 | 5 | // just make sure atexit works ok 6 | 7 | void boo() { 8 | } 9 | 10 | int main() { 11 | atexit(boo); 12 | return 0; 13 | } 14 | -------------------------------------------------------------------------------- /test/Runtime/Uclibc/Environ.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --libc=uclibc --exit-on-error %t1.bc 4 | 5 | #include 6 | #include 7 | #include 8 | 9 | int main() { 10 | printf("HOME: %s\n", getenv("HOME")); 11 | assert(getenv("HOME") != 0); 12 | return 0; 13 | } 14 | -------------------------------------------------------------------------------- /test/Runtime/Uclibc/lit.local.cfg: -------------------------------------------------------------------------------- 1 | def getRoot(config): 2 | if not config.parent: 3 | return config 4 | return getRoot(config.parent) 5 | 6 | if not getRoot(config).enable_uclibc: 7 | config.unsupported = True 8 | -------------------------------------------------------------------------------- /test/Solver/AShr_to_smtlib.kquery: -------------------------------------------------------------------------------- 1 | # RUN: %kleaver -print-smtlib -smtlib-abbreviation-mode=none %s > %t 2 | # RUN: diff -u %t %s.good.smt2 3 | 4 | # This test tries to check that the SMT-LIBv2 we generate when a AShrExpr is 5 | # used is correct. 6 | # 7 | # FIXME: We should really pass the generated query to an SMT solver that supports 8 | # SMT-LIBv2 and check it gives the correct answer ``unsat``. An older version of 9 | # KLEE where AShrExpr wasn't handled correctly would give ``sat`` for this query. 10 | # 11 | # We could fix this if we required STP to be in the user's PATH and made available 12 | # as a substitution in llvm-lit 13 | 14 | array value[1] : w32 -> w8 = symbolic 15 | array shift[1] : w32 -> w8 = symbolic 16 | (query [(Ule 8 (Read w8 0 shift))] (Eq 0 (AShr w8 (Read w8 0 value) (Read w8 0 shift))) ) 17 | -------------------------------------------------------------------------------- /test/Solver/AShr_to_smtlib.kquery.good.smt2: -------------------------------------------------------------------------------- 1 | ;SMTLIBv2 Query 0 2 | (set-logic QF_AUFBV ) 3 | (declare-fun shift () (Array (_ BitVec 32) (_ BitVec 8) ) ) 4 | (declare-fun value () (Array (_ BitVec 32) (_ BitVec 8) ) ) 5 | (assert (and (= false (= (_ bv0 8) (ite (bvuge (select shift (_ bv0 32) ) (_ bv8 8) ) (_ bv0 8) (bvashr (select value (_ bv0 32) ) (select shift (_ bv0 32) ) ) ) ) ) (bvule (_ bv8 8) (select shift (_ bv0 32) ) ) ) ) 6 | (check-sat) 7 | (exit) 8 | -------------------------------------------------------------------------------- /test/Solver/FastCexSolver.kquery: -------------------------------------------------------------------------------- 1 | # RUN: %kleaver --use-fast-cex-solver --solver-backend=dummy %s > %t 2 | # RUN: not grep FAIL %t 3 | 4 | array arr1[4] : w32 -> w8 = symbolic 5 | (query [] (Not (Eq 4096 (ReadLSB w32 0 arr1)))) 6 | 7 | array A-data[2] : w32 -> w8 = symbolic 8 | (query [(Ule (Add w8 208 N0:(Read w8 0 A-data)) 9 | 9)] 10 | (Eq 52 N0)) 11 | -------------------------------------------------------------------------------- /test/Solver/LargeIntegers.kquery: -------------------------------------------------------------------------------- 1 | # RUN: %kleaver %s > %t 2 | 3 | array a[64] : w32 -> w8 = symbolic 4 | 5 | # RUN: grep -A 1 "Query 0" %t > %t2 6 | # RUN: grep "Expr 0: 18446744073709551618" %t2 7 | (query [] false [(Concat w128 (w64 1) (w64 2))]) 8 | 9 | # RUN: grep -A 1 "Query 1" %t > %t2 10 | # RUN: grep "Expr 0: 16" %t2 11 | (query [] false [(Extract w5 60 (Concat w128 (w64 1) (w64 2)))]) 12 | 13 | # RUN: grep -A 1 "Query 2" %t > %t2 14 | # RUN: grep "Array 0: a.16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1" %t2 15 | (query [(Eq 0x0102030405060708090A0B0C0D0E0F10 (ReadLSB w128 0 a))] 16 | false 17 | [] [a]) 18 | -------------------------------------------------------------------------------- /test/Solver/lit.local.cfg: -------------------------------------------------------------------------------- 1 | # Look for .kquery files too 2 | config.suffixes.add('.kquery') 3 | -------------------------------------------------------------------------------- /test/Solver/overshift-aright-by-constant.kquery: -------------------------------------------------------------------------------- 1 | # RUN: %kleaver %s > %t 2 | # RUN: not grep INVALID %t 3 | array x[4] : w32 -> w8 = symbolic 4 | # ∀ x. x > 0 → ( ((signed int) x) >> 32 = 0 ) 5 | # Check we overshift to zero for when shifting for all 32-bit values >0 6 | 7 | (query [ (Ult (w32 0) (ReadLSB w32 (w32 0) x)) ] 8 | (Eq 9 | (AShr w32 10 | (ReadLSB w32 (w32 0) x) 11 | (w32 32) 12 | ) 13 | (w32 0) 14 | ) [ ] [x] ) 15 | -------------------------------------------------------------------------------- /test/Solver/overshift-aright-by-symbolic.kquery: -------------------------------------------------------------------------------- 1 | # RUN: %kleaver %s > %t 2 | # RUN: not grep INVALID %t 3 | 4 | array shift[4] : w32 -> w8 = symbolic 5 | # ∀ x. x >= 32 → ( ( ( (signed int)2 ) >> x) = 0 ) 6 | # Check we arithmetic right overshift to zero when shifting a constant ALWAYS! 7 | 8 | (query [ (Ule (w32 32) (ReadLSB w32 (w32 0) shift)) ] 9 | (Eq 10 | (AShr w32 (w32 2) 11 | (ReadLSB w32 (w32 0) shift) 12 | ) 13 | (w32 0) 14 | ) [ ] [shift] ) 15 | 16 | # 64-bit version 17 | # ∀ x. x >= 64 → ( (((signed int) 2) >> x) = 0 ) 18 | array shift64[8] : w32 -> w8 = symbolic 19 | 20 | (query [ (Ule (w64 64) (ReadLSB w64 (w32 0) shift64)) ] 21 | (Eq 22 | (AShr w64 (w64 2) 23 | (ReadLSB w64 (w32 0) shift64) 24 | ) 25 | (w64 0) 26 | ) [ ] [shift64] ) 27 | -------------------------------------------------------------------------------- /test/Solver/overshift-left-by-constant.kquery: -------------------------------------------------------------------------------- 1 | # RUN: %kleaver %s > %t 2 | # RUN: not grep INVALID %t 3 | array x[4] : w32 -> w8 = symbolic 4 | # ∀ x. x > 0 → ( x << 32 = 0 ) 5 | # Check we overshift to zero for when shifting for all 32-bit values >0 6 | 7 | (query [ (Ult (w32 0) (ReadLSB w32 (w32 0) x)) ] 8 | (Eq 9 | (Shl w32 10 | (ReadLSB w32 (w32 0) x) 11 | (w32 32) 12 | ) 13 | (w32 0) 14 | ) [ ] [x] ) 15 | -------------------------------------------------------------------------------- /test/Solver/overshift-left-by-symbolic.kquery: -------------------------------------------------------------------------------- 1 | # RUN: %kleaver %s > %t 2 | # RUN: not grep INVALID %t 3 | 4 | array shift[4] : w32 -> w8 = symbolic 5 | # ∀ x. x >= 32 → ( (2 << x) = 0 ) 6 | # Check we left overshift to zero when shifting a constant ALWAYS! 7 | 8 | (query [ (Ule (w32 32) (ReadLSB w32 (w32 0) shift)) ] 9 | (Eq 10 | (Shl w32 (w32 2) 11 | (ReadLSB w32 (w32 0) shift) 12 | ) 13 | (w32 0) 14 | ) [ ] [shift] ) 15 | 16 | # 64-bit version 17 | # ∀ x. x >= 64 → ( (2 << x) = 0 ) 18 | array shift64[8] : w32 -> w8 = symbolic 19 | 20 | (query [ (Ule (w64 64) (ReadLSB w64 (w32 0) shift64)) ] 21 | (Eq 22 | (Shl w64 (w64 2) 23 | (ReadLSB w64 (w32 0) shift64) 24 | ) 25 | (w64 0) 26 | ) [ ] [shift64] ) 27 | -------------------------------------------------------------------------------- /test/Solver/overshift-lright-by-constant.kquery: -------------------------------------------------------------------------------- 1 | # RUN: %kleaver %s > %t 2 | # RUN: not grep INVALID %t 3 | array x[4] : w32 -> w8 = symbolic 4 | # ∀ x. x > 0 → ( x >> 32 = 0 ) 5 | # Check we overshift to zero for when shifting for all 32-bit values >0 6 | 7 | (query [ (Ult (w32 0) (ReadLSB w32 (w32 0) x)) ] 8 | (Eq 9 | (LShr w32 10 | (ReadLSB w32 (w32 0) x) 11 | (w32 32) 12 | ) 13 | (w32 0) 14 | ) [ ] [x] ) 15 | -------------------------------------------------------------------------------- /test/Solver/overshift-lright-by-symbolic.kquery: -------------------------------------------------------------------------------- 1 | # RUN: %kleaver %s > %t 2 | # RUN: not grep INVALID %t 3 | 4 | array shift[4] : w32 -> w8 = symbolic 5 | # ∀ x. x >= 32 → ( (2 >> x) = 0 ) 6 | # Check we logical right overshift to zero when shifting a constant ALWAYS! 7 | 8 | (query [ (Ule (w32 32) (ReadLSB w32 (w32 0) shift)) ] 9 | (Eq 10 | (LShr w32 (w32 2) 11 | (ReadLSB w32 (w32 0) shift) 12 | ) 13 | (w32 0) 14 | ) [ ] [shift] ) 15 | 16 | # 64-bit version 17 | # ∀ x. x >= 64 → ( (2 >> x) = 0 ) 18 | array shift64[8] : w32 -> w8 = symbolic 19 | 20 | (query [ (Ule (w64 64) (ReadLSB w64 (w32 0) shift64)) ] 21 | (Eq 22 | (LShr w64 (w64 2) 23 | (ReadLSB w64 (w32 0) shift64) 24 | ) 25 | (w64 0) 26 | ) [ ] [shift64] ) 27 | -------------------------------------------------------------------------------- /test/TestRunner.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # Deprecated, use 'llvm-lit'. 3 | 4 | echo "warning: '$0' is deprecated, use 'llvm-lit' instead." 5 | # FIXME: Make test suite work in parallel. 6 | exec llvm-lit --threads=1 "$@" 7 | -------------------------------------------------------------------------------- /test/Vector/extract_element.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc 4 | #include 5 | #include 6 | #include 7 | 8 | typedef uint32_t v4ui __attribute__ ((vector_size (16))); 9 | int main() { 10 | v4ui f = { 0, 1, 2, 3 }; 11 | // Performing these reads should be ExtractElement instructions 12 | printf("f[0]=%u\n", f[0]); 13 | printf("f[1]=%u\n", f[1]); 14 | printf("f[2]=%u\n", f[2]); 15 | printf("f[3]=%u\n", f[3]); 16 | assert(f[0] == 0); 17 | assert(f[1] == 1); 18 | assert(f[2] == 2); 19 | assert(f[3] == 3); 20 | return 0; 21 | } 22 | -------------------------------------------------------------------------------- /test/Vector/extract_element_out_of_bounds.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: not %klee --output-dir=%t.klee-out --exit-on-error %t1.bc > %t.log 2>&1 4 | // RUN: FileCheck -input-file=%t.log %s 5 | #include 6 | #include 7 | #include 8 | 9 | typedef uint32_t v4ui __attribute__ ((vector_size (16))); 10 | int main() { 11 | v4ui f = { 0, 1, 2, 3 }; 12 | // Performing these reads should be ExtractElement instructions 13 | printf("f[0]=%u\n", f[0]); 14 | printf("f[1]=%u\n", f[1]); 15 | printf("f[2]=%u\n", f[2]); 16 | printf("f[3]=%u\n", f[3]); 17 | // CHECK: extract_element_out_of_bounds.c:[[@LINE+1]]: Out of bounds read when extracting element 18 | printf("f[4]=%u\n", f[4]); // Out of bounds 19 | return 0; 20 | } 21 | -------------------------------------------------------------------------------- /test/Vector/extract_element_symbolic.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: not %klee --output-dir=%t.klee-out --exit-on-error %t1.bc > %t.log 2>&1 4 | // RUN: FileCheck -input-file=%t.log %s 5 | #include "klee/klee.h" 6 | #include 7 | #include 8 | #include 9 | 10 | typedef uint32_t v4ui __attribute__ ((vector_size (16))); 11 | int main() { 12 | v4ui f = { 0, 1, 2, 3 }; 13 | unsigned index = 0; 14 | klee_make_symbolic(&index, sizeof(unsigned), "index"); 15 | // Performing read should be ExtractElement instruction. 16 | // For now this an expected limitation. 17 | // CHECK: extract_element_symbolic.c:[[@LINE+1]]: ExtractElement, support for symbolic index not implemented 18 | uint32_t readValue = f[index]; 19 | return readValue % 255; 20 | } 21 | -------------------------------------------------------------------------------- /test/Vector/insert_element.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc 4 | #include 5 | #include 6 | #include 7 | 8 | typedef uint32_t v4ui __attribute__ ((vector_size (16))); 9 | int main() { 10 | v4ui f = { 0, 1, 2, 3 }; 11 | klee_print_expr("f:=", f); 12 | // Performing these writes should be InsertElement instructions 13 | f[0] = 255; 14 | klee_print_expr("f after write to [0]", f); 15 | f[1] = 128; 16 | klee_print_expr("f after write to [1]", f); 17 | f[2] = 1; 18 | klee_print_expr("f after write to [2]", f); 19 | f[3] = 19; 20 | klee_print_expr("f after write to [3]", f); 21 | printf("f[0]=%u\n", f[0]); 22 | printf("f[1]=%u\n", f[1]); 23 | printf("f[2]=%u\n", f[2]); 24 | printf("f[3]=%u\n", f[3]); 25 | assert(f[0] == 255); 26 | assert(f[1] == 128); 27 | assert(f[2] == 1); 28 | assert(f[3] == 19); 29 | return 0; 30 | } 31 | -------------------------------------------------------------------------------- /test/Vector/insert_element_out_of_bounds.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: not %klee --output-dir=%t.klee-out --exit-on-error %t1.bc > %t.log 2>&1 4 | // RUN: FileCheck -input-file=%t.log %s 5 | #include "klee/klee.h" 6 | #include 7 | #include 8 | #include 9 | 10 | typedef uint32_t v4ui __attribute__ ((vector_size (16))); 11 | int main() { 12 | v4ui f = { 0, 1, 2, 3 }; 13 | klee_print_expr("f:=", f); 14 | // Performing these writes should be InsertElement instructions 15 | f[0] = 255; 16 | klee_print_expr("f after write to [0]", f); 17 | f[1] = 128; 18 | klee_print_expr("f after write to [1]", f); 19 | f[2] = 1; 20 | klee_print_expr("f after write to [2]", f); 21 | f[3] = 19; 22 | klee_print_expr("f after write to [3]", f); 23 | // CHECK: insert_element_out_of_bounds.c:[[@LINE+1]]: Out of bounds write when inserting element 24 | f[4] = 255; // Out of bounds write 25 | klee_print_expr("f after write to [4]", f); 26 | return 0; 27 | } 28 | -------------------------------------------------------------------------------- /test/Vector/insert_element_symbolic.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: not %klee --output-dir=%t.klee-out --exit-on-error %t1.bc > %t.log 2>&1 4 | // RUN: FileCheck -input-file=%t.log %s 5 | #include "klee/klee.h" 6 | #include 7 | #include 8 | #include 9 | 10 | typedef uint32_t v4ui __attribute__ ((vector_size (16))); 11 | int main() { 12 | v4ui f = { 0, 1, 2, 3 }; 13 | unsigned index = 0; 14 | klee_make_symbolic(&index, sizeof(unsigned), "index"); 15 | // Performing write should be InsertElement instructions. 16 | // For now this an expected limitation. 17 | // CHECK: insert_element_symbolic.c:[[@LINE+1]]: InsertElement, support for symbolic index not implemented 18 | f[index] = 255; 19 | klee_print_expr("f after write to [0]", f); 20 | return 0; 21 | } 22 | -------------------------------------------------------------------------------- /test/regression/2007-07-25-invalid-stp-array-binding-to-objectstate.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | 5 | #include 6 | 7 | int main(void) { 8 | char c[2]; 9 | 10 | klee_make_symbolic(&c, sizeof(c)); 11 | 12 | if (c[0] > 10) { 13 | int x; 14 | 15 | c[1] = 1; // copy object state 16 | 17 | assert(c[0] > 10); 18 | } 19 | 20 | return 0; 21 | } 22 | -------------------------------------------------------------------------------- /test/regression/2007-07-30-unflushed-byte.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | 5 | #include 6 | 7 | int main() { 8 | char i, x[3]; 9 | 10 | klee_make_symbolic(&i, sizeof i); 11 | 12 | x[0] = i; 13 | 14 | // DEMAND FAILED:Memory.cpp:read8:199: is false: "unflushed byte without cache value" 15 | char y = x[1]; 16 | 17 | return 0; 18 | } 19 | 20 | -------------------------------------------------------------------------------- /test/regression/2007-08-01-bool-zext-in-call.ll: -------------------------------------------------------------------------------- 1 | ; RUN: rm -rf %t.klee-out 2 | ; RUN: llvm-as -f %s -o - | %klee --output-dir=%t.klee-out 3 | ; RUN: not test -f %t.klee-out/test0001.abort.err 4 | 5 | declare void @klee_abort() 6 | 7 | define i32 @foo(i8 signext %val) { 8 | %tmp = zext i8 %val to i32 9 | ret i32 %tmp 10 | } 11 | 12 | define i32 @main() { 13 | %res = call i32 bitcast (i32 (i8)* @foo to i32 (i1)*)( i1 1 ) 14 | %check = icmp ne i32 %res, 255 15 | br i1 %check, label %error, label %exit 16 | 17 | error: 18 | call void @klee_abort() 19 | unreachable 20 | 21 | exit: 22 | ret i32 0 23 | } 24 | -------------------------------------------------------------------------------- /test/regression/2007-08-01-cache-unclear-on-overwrite-flushed.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | 5 | #include 6 | #include 7 | 8 | int main() { 9 | unsigned char x; 10 | 11 | klee_make_symbolic(&x, sizeof x); 12 | if (x >= 2) klee_silent_exit(0); 13 | 14 | char delete[2] = {0,1}; 15 | 16 | char tmp = delete[ x ]; 17 | char tmp2 = delete[0]; 18 | delete[ x ] = tmp2; 19 | 20 | if (x==1) { 21 | assert(delete[1] == 0); 22 | return 0; 23 | } 24 | 25 | return 0; 26 | } 27 | -------------------------------------------------------------------------------- /test/regression/2007-08-06-64bit-shift.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | 5 | #include 6 | 7 | int main() { 8 | int d; 9 | 10 | klee_make_symbolic( &d, sizeof(d) ); 11 | 12 | int l = d - 1; 13 | unsigned long long m = ((unsigned long long) l << 32) / d; 14 | if (d==2) { 15 | assert(m == 2147483648u); 16 | } 17 | 18 | klee_silent_exit(0); 19 | 20 | return 0; 21 | } 22 | -------------------------------------------------------------------------------- /test/regression/2007-08-06-access-after-free.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | 5 | #include 6 | 7 | int main() { 8 | int a; 9 | unsigned char *p = malloc(4); 10 | 11 | klee_make_symbolic(&a, sizeof a); 12 | klee_make_symbolic(p, sizeof p); 13 | 14 | p[0] |= 16; 15 | 16 | if (a) { 17 | free(p); 18 | 19 | // this should give an error instead of 20 | // pulling the state from the parent, where 21 | // it is not free 22 | assert(p[0] > 10); 23 | 24 | return 0; 25 | } 26 | 27 | assert(p[0] > 10); 28 | 29 | return 0; 30 | } 31 | -------------------------------------------------------------------------------- /test/regression/2007-08-08-free-zero.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | // RUN: ls %t.klee-out | not grep *.err 5 | 6 | #include 7 | 8 | int main() { 9 | free(0); 10 | return 0; 11 | } 12 | -------------------------------------------------------------------------------- /test/regression/2007-08-16-invalid-constant-value.c: -------------------------------------------------------------------------------- 1 | // RUN: rm -f %t4.out %t4.err %t4.log 2 | // RUN: %llvmgcc %s -emit-llvm -O2 -c -o %t1.bc 3 | // RUN: llvm-as -f %p/../Feature/_utils._ll -o %t2.bc 4 | // RUN: llvm-link %t1.bc %t2.bc -o %t3.bc 5 | // RUN: rm -rf %t.klee-out 6 | // RUN: %klee --output-dir=%t.klee-out %t3.bc 7 | 8 | #include 9 | 10 | #include "../Feature/utils.h" 11 | 12 | int main() { 13 | unsigned char a; 14 | 15 | klee_make_symbolic(&a, sizeof a); 16 | 17 | // demand was firing here because an invalid constant 18 | // value was being created when implied value did not 19 | // subtract using the proper type (so overflowed into 20 | // invalid bits) 21 | if (util_make_concat2(a+0xCD,0xCD) == 0xABCD) { 22 | assert(!klee_is_symbolic(a)); 23 | printf("add constant case: %d\n", a); 24 | } 25 | 26 | if (util_make_concat2(0x0B-a,0xCD) == 0xABCD) { 27 | assert(!klee_is_symbolic(a)); 28 | printf("sub constant case: %d\n", a); 29 | } 30 | 31 | return 0; 32 | } 33 | -------------------------------------------------------------------------------- /test/regression/2007-08-16-valid-write-to-freed-object.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | 5 | unsigned sym() { 6 | unsigned x; 7 | klee_make_symbolic(&x, sizeof x); 8 | return x; 9 | } 10 | 11 | int main() { 12 | unsigned x, y; 13 | 14 | // sym returns a symbolic object, but because it is 15 | // alloca'd it is freed on sym()s return. thats fine, 16 | // but the problem is that IVC is going to try to write 17 | // into the object right here. 18 | // 19 | // to support this we need to have a facility for making 20 | // state local copies of a freed object. 21 | if (sym() == 0) 22 | printf("ok\n"); 23 | 24 | return 0; 25 | } 26 | -------------------------------------------------------------------------------- /test/regression/2007-10-11-free-of-alloca.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -g -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 2>&1 | FileCheck %s 4 | // RUN: test -f %t.klee-out/test000001.free.err 5 | 6 | int main() { 7 | int buf[4]; 8 | // CHECK: 2007-10-11-free-of-alloca.c:9: free of alloca 9 | free(buf); // this should give runtime error, not crash 10 | return 0; 11 | } 12 | -------------------------------------------------------------------------------- /test/regression/2007-10-11-illegal-access-after-free-and-branch.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --optimize %t1.bc 2>&1 | FileCheck %s 4 | // RUN: test -f %t.klee-out/test000001.ptr.err 5 | 6 | #include 7 | #include 8 | #include 9 | 10 | int main(int argc, char **argv) { 11 | unsigned char *buf = malloc(3); 12 | klee_make_symbolic(buf, 3); 13 | if (buf[0]>4) klee_silent_exit(0); 14 | unsigned char x = buf[1]; 15 | free(buf); 16 | if (x) 17 | { 18 | // CHECK: 2007-10-11-illegal-access-after-free-and-branch.c:19: memory error: out of bound pointer 19 | return buf[2]; 20 | } 21 | klee_silent_exit(0); 22 | return 0; 23 | } 24 | -------------------------------------------------------------------------------- /test/regression/2007-10-12-failed-make-symbolic-after-copy.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | // RUN: test -f %t.klee-out/test000001.ktest 5 | 6 | int main() { 7 | unsigned x, y[4]; 8 | 9 | klee_make_symbolic(&x, sizeof x, "x"); 10 | if (x>=4) klee_silent_exit(0); 11 | 12 | y[x] = 0; 13 | 14 | if (x) { // force branch so y is copied 15 | klee_make_symbolic(&y, sizeof y, "y"); 16 | if (y[x]==0) klee_silent_exit(0); 17 | return 0; // should be reachable 18 | } else { 19 | // force read here in case we try to optimize copies smartly later 20 | if (y[x]==0) klee_silent_exit(0); 21 | return 0; // not reachable 22 | } 23 | } 24 | -------------------------------------------------------------------------------- /test/regression/2008-03-04-free-of-global.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -g -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 2>&1 | FileCheck %s 4 | // RUN: test -f %t.klee-out/test000001.free.err 5 | 6 | int buf[4]; 7 | 8 | int main() { 9 | // CHECK: 2008-03-04-free-of-global.c:10: free of global 10 | free(buf); // this should give runtime error, not crash 11 | return 0; 12 | } 13 | -------------------------------------------------------------------------------- /test/regression/2008-03-11-free-of-malloc-zero.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc 4 | 5 | #include 6 | 7 | int main() { 8 | // concrete case 9 | void *p = malloc(0); 10 | free(p); 11 | 12 | p = malloc(0); 13 | void *arr[4] = { p, 0, 0, 0 }; 14 | 15 | // symbolic case 16 | free(arr[klee_range(0, 4, "range")]); 17 | } 18 | -------------------------------------------------------------------------------- /test/regression/2008-04-10-bad-alloca-free.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t1.bc 4 | 5 | void f(int *addr) { 6 | klee_make_symbolic(addr, sizeof *addr, "moo"); 7 | } 8 | 9 | int main() { 10 | int x; 11 | f(&x); 12 | return x; 13 | } 14 | -------------------------------------------------------------------------------- /test/regression/2008-05-23-gep-with-global-const.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc -emit-llvm -O0 -c -o %t.bc %s 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t.bc 4 | 5 | #include 6 | 7 | int a; 8 | 9 | int main() { 10 | void *p1 = &((char*) 0)[(long) &a]; 11 | void *p2 = &a; 12 | 13 | assert(p1 == p2); 14 | 15 | return 0; 16 | } 17 | -------------------------------------------------------------------------------- /test/regression/2012-05-13-asm-causes-aborts.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -O0 -c -o %t1.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t1.bc 4 | 5 | int main(int argc, char *argv[]){ 6 | __asm__ __volatile__ ("movl %eax, %eax"); 7 | return 0; 8 | } 9 | 10 | -------------------------------------------------------------------------------- /test/regression/2014-07-04-unflushed-error-report.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --search=dfs --output-dir=%t.klee-out -check-overshift %t.bc 2> %t.log 4 | // RUN: FileCheck -input-file=%t.klee-out/test000001.overshift.err %s 5 | 6 | /* This test checks that the error file isn't empty and contains the 7 | * right content. 8 | */ 9 | int main() 10 | { 11 | unsigned int x=15; 12 | unsigned int y; 13 | unsigned int z; 14 | volatile unsigned int result; 15 | 16 | /* Overshift if y>= sizeof(x) */ 17 | klee_make_symbolic(&y,sizeof(y),"shift_amount1"); 18 | // CHECK: Error: overshift error 19 | // CHECK-NEXT: 2014-07-04-unflushed-error-report.c 20 | // FIXME: Need newer FileCheck for to do ``Line: [[@LINE+1]]`` 21 | // Just hardcode line number for now 22 | // CHECK-NEXT: Line: 23 23 | result = x << y; 24 | 25 | return 0; 26 | } 27 | -------------------------------------------------------------------------------- /test/regression/2014-12-08-ashr.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out -exit-on-error %t.bc 4 | 5 | #include 6 | #include 7 | 8 | int f1(int a, int b) { 9 | return a + b; 10 | } 11 | 12 | int f2(int a, int b) { 13 | int i; 14 | for (i = 0; i < sizeof(b) * 8; i++) 15 | a += (((b >> i) & 1) << i); 16 | 17 | return a; 18 | } 19 | 20 | int main(int argc, char **argv) { 21 | int a, b; 22 | klee_make_symbolic(&a, sizeof(a), "a"); 23 | klee_make_symbolic(&b, sizeof(b), "b"); 24 | 25 | klee_assert(f1(a, b) == f2(a, b)); 26 | 27 | return 0; 28 | } 29 | 30 | -------------------------------------------------------------------------------- /test/regression/2015-06-22-struct-write.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out -exit-on-error %t.bc 4 | 5 | #include 6 | #include 7 | 8 | union U0 { 9 | signed f3 :18; 10 | }; 11 | 12 | static union U0 u = { 0UL }; 13 | 14 | int main(int argc, char **argv) { 15 | u.f3 = 534; 16 | 17 | klee_assert(u.f3 == 534); 18 | 19 | return 0; 20 | } 21 | 22 | -------------------------------------------------------------------------------- /test/regression/2015-08-30-empty-constraints.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t.bc 2> %t.log 4 | // RUN: FileCheck -input-file=%t.log %s 5 | 6 | /** 7 | * This test generates one execution state without constraints. 8 | * 9 | * The state gets terminated (in this case return) and initial values 10 | * are generated. 11 | * Make sure we are able to generate an input. 12 | */ 13 | int main() { 14 | int d; 15 | 16 | klee_make_symbolic( &d, sizeof(d) ); 17 | 18 | // CHECK-NOT: unable to compute initial values (invalid constraints?)! 19 | if ((d & 2) / 4) 20 | return 1; 21 | return 0; 22 | } 23 | -------------------------------------------------------------------------------- /test/regression/2015-08-30-sdiv-1.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out -exit-on-error -solver-optimize-divides=true %t.bc 4 | // RUN: rm -rf %t.klee-out 5 | // RUN: %klee --output-dir=%t.klee-out -exit-on-error -solver-optimize-divides=false %t.bc 6 | 7 | /* Division by constant can be optimized.using mul/shift 8 | * For signed division, div by 1 or -1 cannot be optimized like that. 9 | */ 10 | #include 11 | int main() { 12 | int32_t dividend; 13 | klee_make_symbolic(÷nd, sizeof dividend, "Dividend"); 14 | if ((3 ^ (dividend & 2)) / 1) 15 | return 1; 16 | if ((3 ^ (dividend & 2)) / -1) 17 | return 1; 18 | return 0; 19 | } 20 | -------------------------------------------------------------------------------- /test/regression/2016-03-22-independence-solver-missing-objects-for-assignment.kquery: -------------------------------------------------------------------------------- 1 | # RUN: %kleaver %s 2>&1 | FileCheck %s 2 | array n_args[4] : w32 -> w8 = symbolic 3 | array n_args_1[4] : w32 -> w8 = symbolic 4 | array A-data-stat[144] : w32 -> w8 = symbolic 5 | array stdin-stat[144] : w32 -> w8 = symbolic 6 | (query [(Ult N0:(ReadLSB w32 0 n_args) 2) 7 | (Slt 0 N0) 8 | (Ult N1:(ReadLSB w32 0 n_args_1) 3) 9 | (Slt 0 N1) 10 | (Slt 1 N1) 11 | (Eq false (Eq 0 (And w64 (ReadLSB w64 8 A-data-stat) 2147483647))) 12 | (Ult (ReadLSB w64 56 A-data-stat) 65536) 13 | (Eq false (Eq 0 (And w64 (ReadLSB w64 8 stdin-stat) 2147483647)))] 14 | (Eq false (Ult (ReadLSB w64 56 stdin-stat) 65536)) [] [n_args]) 15 | # CHECK: INVALID 16 | -------------------------------------------------------------------------------- /test/regression/2016-04-14-sdiv-2.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out -exit-on-error -solver-optimize-divides=true %t.bc >%t1.log 4 | // RUN: grep "m is 2" %t1.log 5 | #include 6 | #include 7 | 8 | #include "klee/klee.h" 9 | 10 | int main(void) 11 | { 12 | int n, m; 13 | klee_make_symbolic(&n, sizeof n, "n"); 14 | klee_assume(n < -1); 15 | 16 | if (n/2 > 0) 17 | assert(0); 18 | 19 | klee_make_symbolic(&m, sizeof m, "m"); 20 | klee_assume(m > 0); 21 | 22 | if (m/2 == 2) 23 | printf("m is 2\n"); 24 | 25 | return 0; 26 | } 27 | -------------------------------------------------------------------------------- /test/regression/2016-06-28-div-zero-bug.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --use-cex-cache=false %t.bc >%t1.log 4 | 5 | // This bug is triggered when using STP up to an including 2.1.0 6 | // See https://github.com/klee/klee/issues/308 7 | // and https://github.com/stp/stp/issues/206 8 | 9 | int b, a, g; 10 | 11 | int *c = &b, *d = &b, *f = &a; 12 | 13 | int safe_div(short p1, int p2) { 14 | return p2 == 0 ? p1 : p2; 15 | } 16 | 17 | int main() { 18 | klee_make_symbolic(&b, sizeof b); 19 | if (safe_div(*c, 0)) 20 | *f = (int)&b % *c; 21 | 22 | safe_div(a && g, *d); 23 | } 24 | -------------------------------------------------------------------------------- /test/regression/2016-08-06-klee-get-obj-size.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out %t.bc 4 | // RUN: test -f %t.klee-out/test000001.assert.err 5 | 6 | 7 | #include 8 | #include 9 | 10 | int main() { 11 | char s[5]; 12 | assert(5 != klee_get_obj_size(s)); 13 | return 0; 14 | } 15 | -------------------------------------------------------------------------------- /test/regression/2016-08-11-entry-point-internalize-pass.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --entry-point=entry %t.bc 4 | 5 | int entry() { 6 | return 0; 7 | } 8 | -------------------------------------------------------------------------------- /test/regression/2016-08-12-empty-file.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: not %klee --output-dir=%t.klee-out %t.bc >%t1.log 2>&1 4 | // RUN: FileCheck -input-file=%t1.log -check-prefix=CHECK-MAIN-NOT-FOUND %s 5 | // RUN: rm -rf %t.klee-out 6 | // RUN: rm -rf %t1.log 7 | // RUN: not %klee --output-dir=%t.klee-out --posix-runtime %t.bc >%t1.log 2>&1 8 | // RUN: FileCheck -input-file=%t1.log -check-prefix=CHECK-MAIN-NOT-FOUND %s 9 | 10 | // CHECK-MAIN-NOT-FOUND: 'main' function not found in module. 11 | -------------------------------------------------------------------------------- /test/regression/2016-12-14-alloc-alignment.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -Wall -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out --exit-on-error %t.bc 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | // Global should be aligned on a 128-byte boundary 10 | int foo __attribute__((aligned(128))); 11 | 12 | int main() { 13 | int bar __attribute__((aligned(256))); 14 | 15 | // Check alignment of global 16 | assert(((size_t)&foo) % 128 == 0); 17 | 18 | // Check alignment of local 19 | assert(((size_t)&bar) % 256 == 0); 20 | return 0; 21 | } 22 | -------------------------------------------------------------------------------- /test/regression/2017-02-21-pathOS-id.c: -------------------------------------------------------------------------------- 1 | // RUN: %llvmgcc %s -emit-llvm -g -O0 -c -o %t.bc 2 | // RUN: rm -rf %t.klee-out 3 | // RUN: %klee --output-dir=%t.klee-out -write-paths %t.bc 2> %t.log 4 | // RUN: cat %t.klee-out/test000001.path | wc -l | grep -q 1 5 | // RUN: cat %t.klee-out/test000002.path | wc -l | grep -q 1 6 | // RUN: cat %t.klee-out/test000003.path | wc -l | grep -q 1 7 | // RUN: cat %t.klee-out/test000004.path | wc -l | grep -q 1 8 | int main(){ 9 | int a, b; 10 | klee_make_symbolic (&a, sizeof(int), "a"); 11 | klee_make_symbolic (&b, sizeof(int), "b"); 12 | klee_assume(a<2); 13 | klee_assume(a>=0); 14 | malloc(a); 15 | if(b){ 16 | b++;//do something 17 | } 18 | return b; 19 | } 20 | -------------------------------------------------------------------------------- /test/regression/lit.local.cfg: -------------------------------------------------------------------------------- 1 | # Look for .kquery files too 2 | config.suffixes.add('.kquery') 3 | -------------------------------------------------------------------------------- /tools/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | add_subdirectory(gen-random-bout) 10 | add_subdirectory(kleaver) 11 | add_subdirectory(klee) 12 | add_subdirectory(klee-replay) 13 | add_subdirectory(klee-stats) 14 | add_subdirectory(ktest-tool) 15 | -------------------------------------------------------------------------------- /tools/Makefile: -------------------------------------------------------------------------------- 1 | #===-- tools/Makefile --------------------------------------*- Makefile -*--===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | 10 | # 11 | # Relative path to the top of the source tree. 12 | # 13 | LEVEL=.. 14 | 15 | # 16 | # List all of the subdirectories that we will compile. 17 | # 18 | PARALLEL_DIRS=klee kleaver ktest-tool gen-random-bout klee-stats 19 | 20 | include $(LEVEL)/Makefile.config 21 | 22 | ifeq ($(ENABLE_POSIX_RUNTIME),1) 23 | PARALLEL_DIRS += klee-replay 24 | endif 25 | 26 | include $(LEVEL)/Makefile.common 27 | -------------------------------------------------------------------------------- /tools/gen-random-bout/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | add_executable(gen-random-bout 10 | gen-random-bout.cpp 11 | ) 12 | 13 | set(KLEE_LIBS kleeBasic) 14 | 15 | target_link_libraries(gen-random-bout ${KLEE_LIBS}) 16 | 17 | install(TARGETS gen-random-bout RUNTIME DESTINATION bin) 18 | -------------------------------------------------------------------------------- /tools/gen-random-bout/Makefile: -------------------------------------------------------------------------------- 1 | ##===- tools/klee/Makefile ---------------*- Makefile -*-===## 2 | 3 | LEVEL=../.. 4 | TOOLNAME = gen-random-bout 5 | USEDLIBS = kleeBasic.a 6 | NO_INSTALL=1 7 | 8 | include $(LEVEL)/Makefile.common 9 | -------------------------------------------------------------------------------- /tools/kleaver/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | add_executable(kleaver 10 | main.cpp 11 | ) 12 | 13 | set(KLEE_LIBS 14 | kleaverSolver 15 | ) 16 | 17 | target_link_libraries(kleaver ${KLEE_LIBS}) 18 | 19 | install(TARGETS kleaver RUNTIME DESTINATION bin) 20 | -------------------------------------------------------------------------------- /tools/kleaver/Makefile: -------------------------------------------------------------------------------- 1 | #===-- tools/kleaver/Makefile ------------------------------*- Makefile -*--===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | 10 | LEVEL=../.. 11 | TOOLNAME = kleaver 12 | 13 | include $(LEVEL)/Makefile.config 14 | 15 | # FIXME: Ideally we wouldn't have any LLVM dependencies here, which 16 | # means kicking out klee's Support. 17 | USEDLIBS = kleeBasic.a kleaverSolver.a kleaverExpr.a kleeSupport.a 18 | LINK_COMPONENTS = support 19 | 20 | include $(LEVEL)/Makefile.common 21 | 22 | ifneq ($(ENABLE_STP),0) 23 | LIBS += $(STP_LDFLAGS) 24 | endif 25 | 26 | ifneq ($(ENABLE_Z3),0) 27 | LIBS += $(Z3_LDFLAGS) 28 | endif 29 | 30 | include $(PROJ_SRC_ROOT)/MetaSMT.mk 31 | 32 | ifeq ($(HAVE_TCMALLOC),1) 33 | LIBS += $(TCMALLOC_LIB) 34 | endif 35 | 36 | ifeq ($(HAVE_ZLIB),1) 37 | LIBS += -lz 38 | endif 39 | -------------------------------------------------------------------------------- /tools/klee-replay/Makefile: -------------------------------------------------------------------------------- 1 | #===-- tools/klee-replay/Makefile --------------------------*- Makefile -*--===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | 10 | LEVEL=../.. 11 | TOOLNAME = klee-replay 12 | 13 | USEDLIBS = kleeBasic.a 14 | LINK_COMPONENTS = 15 | NO_PEDANTIC=1 16 | 17 | include $(LEVEL)/Makefile.common 18 | 19 | LIBS += -lutil -lcap 20 | -------------------------------------------------------------------------------- /tools/klee-replay/fd_init.c: -------------------------------------------------------------------------------- 1 | #include "../../runtime/POSIX/fd_init.c" 2 | -------------------------------------------------------------------------------- /tools/klee-replay/klee-replay.h: -------------------------------------------------------------------------------- 1 | //===-- klee-replay.h ------------------------------------------*- C++ -*--===// 2 | // 3 | // The KLEE Symbolic Virtual Machine 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #ifndef __KLEE_REPLAY_H__ 11 | #define __KLEE_REPLAY_H__ 12 | 13 | #define _LARGEFILE64_SOURCE 14 | #define _FILE_OFFSET_BITS 64 15 | 16 | // FIXME: This is a hack. 17 | #include "../../runtime/POSIX/fd.h" 18 | #include 19 | 20 | void replay_create_files(exe_file_system_t *exe_fs); 21 | 22 | void process_status(int status, 23 | time_t elapsed, 24 | const char *pfx) 25 | __attribute__((noreturn)); 26 | 27 | #endif 28 | 29 | -------------------------------------------------------------------------------- /tools/klee-replay/klee_init_env.c: -------------------------------------------------------------------------------- 1 | #include "../../runtime/POSIX/klee_init_env.c" 2 | -------------------------------------------------------------------------------- /tools/klee-stats/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | install(PROGRAMS klee-stats DESTINATION bin) 10 | 11 | # Copy into the build directory's binary directory 12 | # so system tests can find it 13 | configure_file(klee-stats "${CMAKE_RUNTIME_OUTPUT_DIRECTORY}/klee-stats" COPYONLY) 14 | -------------------------------------------------------------------------------- /tools/klee/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | add_executable(klee 10 | main.cpp 11 | ) 12 | 13 | set(KLEE_LIBS 14 | kleeCore 15 | ) 16 | 17 | target_link_libraries(klee ${KLEE_LIBS}) 18 | 19 | install(TARGETS klee RUNTIME DESTINATION bin) 20 | 21 | # The KLEE binary depends on the runtimes 22 | add_dependencies(klee BuildKLEERuntimes) 23 | -------------------------------------------------------------------------------- /tools/klee/Debug.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | void kdb_printExpr(klee::Expr *e) { 4 | llvm::errs() << "expr: " << e << " -- "; 5 | if (e) { 6 | llvm::errs() << *e; 7 | } else { 8 | llvm::errs() << "(null)"; 9 | } 10 | llvm::errs() << "\n"; 11 | } 12 | -------------------------------------------------------------------------------- /tools/ktest-tool/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | #===------------------------------------------------------------------------===# 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | #===------------------------------------------------------------------------===# 9 | install(PROGRAMS ktest-tool DESTINATION bin) 10 | 11 | # Copy into the build directory's binary directory 12 | # so system tests can find it 13 | configure_file(ktest-tool "${CMAKE_RUNTIME_OUTPUT_DIRECTORY}/ktest-tool" COPYONLY) 14 | -------------------------------------------------------------------------------- /unittests/Assignment/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | add_klee_unit_test(AssignmentTest 2 | AssignmentTest.cpp) 3 | target_link_libraries(AssignmentTest PRIVATE kleaverExpr) 4 | -------------------------------------------------------------------------------- /unittests/Assignment/Makefile: -------------------------------------------------------------------------------- 1 | ##===- unittests/Assignment/Makefile -----------------------*- Makefile -*-===## 2 | 3 | LEVEL := ../.. 4 | include $(LEVEL)/Makefile.config 5 | 6 | TESTNAME := Assignment 7 | USEDLIBS := kleaverExpr.a 8 | LINK_COMPONENTS := support 9 | 10 | include $(LLVM_SRC_ROOT)/unittests/Makefile.unittest 11 | 12 | CXXFLAGS += -DLLVM_29_UNITTEST 13 | -------------------------------------------------------------------------------- /unittests/Expr/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | add_klee_unit_test(ExprTest 2 | ExprTest.cpp) 3 | target_link_libraries(ExprTest PRIVATE kleaverExpr) 4 | -------------------------------------------------------------------------------- /unittests/Expr/Makefile: -------------------------------------------------------------------------------- 1 | ##===- unittests/Expr/Makefile -----------------------------*- Makefile -*-===## 2 | 3 | LEVEL := ../.. 4 | include $(LEVEL)/Makefile.config 5 | 6 | TESTNAME := Expr 7 | USEDLIBS := kleaverExpr.a kleeBasic.a 8 | LINK_COMPONENTS := support 9 | 10 | include $(LLVM_SRC_ROOT)/unittests/Makefile.unittest 11 | 12 | CXXFLAGS += -DLLVM_29_UNITTEST 13 | -------------------------------------------------------------------------------- /unittests/Makefile: -------------------------------------------------------------------------------- 1 | ##===- unittests/Makefile ----------------------------------*- Makefile -*-===## 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | # ===----------------------------------------------------------------------===## 9 | 10 | LEVEL = .. 11 | 12 | include $(LEVEL)/Makefile.config 13 | 14 | LIBRARYNAME = UnitTestMain 15 | BUILD_ARCHIVE = 1 16 | CPP.Flags += -I$(LLVM_SRC_ROOT)/utils/unittest/googletest/include/ 17 | CPP.Flags += -Wno-variadic-macros 18 | 19 | # FIXME: Parallel dirs is broken? 20 | DIRS = Expr Solver Ref Assignment 21 | 22 | include $(LEVEL)/Makefile.common 23 | 24 | # Remove -fno-rtti as this prevents typeid() being used 25 | # in gtest 26 | CXX.Flags := $(filter-out -fno-rtti,$(CXX.Flags)) 27 | 28 | clean:: 29 | $(Verb) $(RM) -f *Tests 30 | -------------------------------------------------------------------------------- /unittests/Ref/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | add_klee_unit_test(RefTest 2 | RefTest.cpp) 3 | target_link_libraries(RefTest PRIVATE kleaverExpr) 4 | -------------------------------------------------------------------------------- /unittests/Ref/Makefile: -------------------------------------------------------------------------------- 1 | ##===- unittests/Expr/Makefile -----------------------------*- Makefile -*-===## 2 | 3 | LEVEL := ../.. 4 | include $(LEVEL)/Makefile.config 5 | 6 | TESTNAME := RefTest 7 | USEDLIBS := kleaverExpr.a kleeBasic.a 8 | LINK_COMPONENTS := support 9 | 10 | include $(LLVM_SRC_ROOT)/unittests/Makefile.unittest 11 | -------------------------------------------------------------------------------- /unittests/Solver/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | add_klee_unit_test(SolverTest 2 | SolverTest.cpp) 3 | target_link_libraries(SolverTest PRIVATE kleaverSolver) 4 | 5 | add_klee_unit_test(ExprSolverConsistencyTest 6 | ExprSolverConsistencyTest.cpp) 7 | target_link_libraries(ExprSolverConsistencyTest PRIVATE kleaverSolver) 8 | -------------------------------------------------------------------------------- /unittests/Solver/Makefile: -------------------------------------------------------------------------------- 1 | ##===- unittests/Solver/Makefile ---------------------------*- Makefile -*-===## 2 | 3 | LEVEL := ../.. 4 | include $(LEVEL)/Makefile.config 5 | 6 | TESTNAME := Solver 7 | USEDLIBS := kleaverSolver.a kleaverExpr.a kleeSupport.a kleeBasic.a 8 | LINK_COMPONENTS := support 9 | 10 | include $(LLVM_SRC_ROOT)/unittests/Makefile.unittest 11 | 12 | ifneq ($(ENABLE_STP),0) 13 | LIBS += $(STP_LDFLAGS) 14 | endif 15 | 16 | ifneq ($(ENABLE_Z3),0) 17 | LIBS += $(Z3_LDFLAGS) 18 | endif 19 | 20 | include $(PROJ_SRC_ROOT)/MetaSMT.mk 21 | -------------------------------------------------------------------------------- /unittests/TestMain.cpp: -------------------------------------------------------------------------------- 1 | //===--- unittests/TestMain.cpp - unittest driver -------------------------===// 2 | // 3 | // The LLVM Compiler Infrastructure 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | 10 | #include "gtest/gtest.h" 11 | 12 | int main(int argc, char **argv) { 13 | testing::InitGoogleTest(&argc, argv); 14 | return RUN_ALL_TESTS(); 15 | } 16 | -------------------------------------------------------------------------------- /unittests/lit-unit-tests-common.cfg: -------------------------------------------------------------------------------- 1 | # Configuration file for the 'lit' test runner. 2 | 3 | import os 4 | 5 | import lit.formats 6 | 7 | # suffixes: A list of file extensions to treat as test files. 8 | config.suffixes = [] 9 | 10 | # testFormat: The test format to use to interpret tests. 11 | config.test_format = lit.formats.GoogleTest('.', config.unit_test_exe_suffix) 12 | -------------------------------------------------------------------------------- /unittests/lit-unit-tests-common.site.cfg.in: -------------------------------------------------------------------------------- 1 | import sys 2 | import os 3 | 4 | ## @AUTO_GEN_MSG@ 5 | config.name = 'KLEE Unit tests' 6 | config.unit_test_exe_suffix = "@UNIT_TEST_EXE_SUFFIX@" 7 | 8 | # Let the main config do the real work. 9 | lit_config.load_config(config, "@CMAKE_SOURCE_DIR@/unittests/lit-unit-tests-common.cfg") 10 | -------------------------------------------------------------------------------- /utils/hacks/TreeGraphs/Graphics/Geometry/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/srg-imperial/klee-float/aa907655cd9ec030036424acf88d9cb41a93a93b/utils/hacks/TreeGraphs/Graphics/Geometry/__init__.py -------------------------------------------------------------------------------- /utils/hacks/TreeGraphs/Graphics/Geometry/mat2.py: -------------------------------------------------------------------------------- 1 | # ===-- mat2.py -----------------------------------------------------------===## 2 | # 3 | # The KLEE Symbolic Virtual Machine 4 | # 5 | # This file is distributed under the University of Illinois Open Source 6 | # License. See LICENSE.TXT for details. 7 | # 8 | # ===----------------------------------------------------------------------===## 9 | 10 | import vec2 11 | 12 | def det(m): 13 | ((m00,m01),(m10,m11))= m 14 | 15 | return m00*m11 - m01*m10 16 | 17 | def mul(a,b): 18 | b_trans= zip(* b) 19 | return tuple([transmulvec2(b_trans, a_r) for a_r in a]) 20 | 21 | # multiple vector v by a transposed matrix 22 | def transmulvec2(m_trans,v): 23 | return tuple([vec2.dot(v, m_c) for m_c in m_trans]) 24 | 25 | def mulvec2(m,v): 26 | return transmulvec2(zip(* m), v) 27 | 28 | def mulN(m,N): 29 | return tuple([vec2.mulN(v,N) for v in m]) 30 | -------------------------------------------------------------------------------- /utils/hacks/TreeGraphs/Graphics/__init__.py: -------------------------------------------------------------------------------- 1 | __all__= ['Formats', 'SubSurf', 'Geometry', 'AqsisInterface', 'TwoD', 'ThreeD', 'Apps'] 2 | -------------------------------------------------------------------------------- /utils/hacks/TreeGraphs/README.txt: -------------------------------------------------------------------------------- 1 | A little hack which converts KLEE treestream's of path branch information into 2 | images/animations. It is not particularly fast nor is the code very 3 | elegant. It's a hack, after all! 4 | 5 | There are a couple example input streams in inputs/. You can generate a single 6 | image frame with, e.g.:: 7 | 8 | $ ./TreeGraph.py --count=500 inputs/symPaths6.ts t.pdf 9 | 10 | which will generate an image of the first 500 paths that were explored. 11 | 12 | 13 | You can generate a sequence of frames from a file using:: 14 | 15 | $ ./Animate.py --start=10 --end=2000 inputs/symPaths6.ts anim-01 16 | 17 | which will generate a sequence of .pdf frames in anim-01. 18 | -------------------------------------------------------------------------------- /utils/hacks/TreeGraphs/inputs/symPaths.ts: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/srg-imperial/klee-float/aa907655cd9ec030036424acf88d9cb41a93a93b/utils/hacks/TreeGraphs/inputs/symPaths.ts -------------------------------------------------------------------------------- /utils/hacks/TreeGraphs/inputs/symPaths6.ts: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/srg-imperial/klee-float/aa907655cd9ec030036424acf88d9cb41a93a93b/utils/hacks/TreeGraphs/inputs/symPaths6.ts -------------------------------------------------------------------------------- /utils/hacks/fp_test/crash_clang34.cpp: -------------------------------------------------------------------------------- 1 | // Build me with Clang built with debug symbols at -O2. 2 | #include 3 | #include 4 | 5 | int main() { 6 | // These special constants are part of the "Positive Floating point 7 | // Unnormals" as defined in 8.2.2 "Unsupported Double Extended-Precision 8 | // Floating-Point Encodings and Pseduo-Denormals" of the Intel(R) 64 and IA-32 9 | // Architectures Software Developer's Manual. 10 | // 11 | // Significand 12 | // Sign Exponent Integer Fraction 13 | // [0] [111 1111 1111 1110] [1] [ 63 ones ] 14 | const uint64_t lowBits = 0x7fffffffffffffff; 15 | const uint16_t highBits = 0x7ffe; 16 | long double v = 0.0l; 17 | uint64_t* vptr = (uint64_t*) &v; 18 | *vptr = lowBits; 19 | uint16_t* vhighptr = (uint16_t*) ( ((uint8_t*) vptr) + 8 ); 20 | *vhighptr = highBits; 21 | 22 | // Constant folding this hits an assert in llvm::APFloat. 23 | long double result = v + 1; 24 | return result; 25 | } 26 | -------------------------------------------------------------------------------- /utils/sanitizers/lsan.txt: -------------------------------------------------------------------------------- 1 | # This file tells the LeakSanitizer (LSan)component of the AddressSanitizer (-fsanitizer=address) 2 | # to ignore certain leaks at runtime. To tell LSan about these set the environment variable 3 | # LSAN_OPTIONS=suppressions=/path/to/this/file and then run the sanitized build of KLEE. 4 | # 5 | # Ideally we shouldn't need to suppress anything but currently KLEE seems to be leaking 6 | # The suppressions below are what's needed for ``make unittests`` and ``make check`` to not 7 | # fail due to leaks. 8 | 9 | # Low priority 10 | leak:tools/kleaver/main.cpp 11 | leak:lib/Expr/Parser.cpp 12 | -------------------------------------------------------------------------------- /utils/valgrind/README.txt: -------------------------------------------------------------------------------- 1 | A few valgrind suppression files for known leaks. The LLVM ones may be 2 | fixed by now. 3 | -------------------------------------------------------------------------------- /utils/valgrind/valgrind-llvm.supp: -------------------------------------------------------------------------------- 1 | { 2 | LLVM:Tmp1 3 | Memcheck:Leak 4 | fun:_vgrZU_libstdcZpZpZa__Znwj 5 | fun:_ZN4llvm* 6 | } 7 | { 8 | LLVM:Tmp2 9 | Memcheck:Leak 10 | fun:_vgrZU_libcZdsoZa_malloc 11 | fun:_ZN4llvm* 12 | } 13 | { 14 | LLVM:Tmp3 15 | Memcheck:Leak 16 | fun:*nwj* 17 | fun:*llvm* 18 | } 19 | { 20 | LLVM:Tmp4 21 | Memcheck:Leak 22 | fun:malloc 23 | fun:*llvm* 24 | } 25 | -------------------------------------------------------------------------------- /utils/valgrind/valgrind-stp.supp: -------------------------------------------------------------------------------- 1 | { 2 | STP:BeevMgr 3 | Memcheck:Leak 4 | fun:_vgrZU_libstdcZpZpZa__Znwj 5 | fun:_ZN4BEEV7BeevMgr* 6 | } 7 | { 8 | STP:BeevMgr:strdup 9 | Memcheck:Leak 10 | fun:_vgrZU_libcZdsoZa_malloc 11 | fun:strdup 12 | fun:_ZN4BEEV7BeevMgr* 13 | } 14 | { 15 | STP:c_interface 16 | Memcheck:Leak 17 | fun:_vgrZU_libstdcZpZpZa__Znwj 18 | fun:vc_* 19 | } 20 | { 21 | STP:BeevMgr:vector 22 | Memcheck:Leak 23 | fun:_vgrZU_libstdcZpZpZa__Znwj 24 | fun:_ZNSt6vector* 25 | fun:_ZN4BEEV7BeevMgr* 26 | } 27 | { 28 | LLVM:Tmp1 29 | Memcheck:Leak 30 | fun:_vgrZU_libstdcZpZpZa__Znwj 31 | fun:_ZN4llvm* 32 | } 33 | --------------------------------------------------------------------------------