UnitTestBot
diff --git a/‎lib/Core/Executor.cpp‎
Lines changed: 10 additions & 1 deletion b/‎lib/Core/Executor.cpp‎
Lines changed: 10 additions & 1 deletion
diff --git a/‎test/SARIF/GSAC/ContextSensitive/ContextSensitive.c‎
Lines changed: 36 additions & 0 deletions b/‎test/SARIF/GSAC/ContextSensitive/ContextSensitive.c‎
Lines changed: 36 additions & 0 deletions
diff --git a/‎test/SARIF/GSAC/ContextSensitive/pattern.sarif‎
Lines changed: 57 additions & 0 deletions b/‎test/SARIF/GSAC/ContextSensitive/pattern.sarif‎
Lines changed: 57 additions & 0 deletions
diff --git a/‎test/SARIF/GSAC/EASY02/EASY02.c‎
Lines changed: 23 additions & 0 deletions b/‎test/SARIF/GSAC/EASY02/EASY02.c‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎test/SARIF/GSAC/EASY02/pattern.sarif‎
Lines changed: 57 additions & 0 deletions b/‎test/SARIF/GSAC/EASY02/pattern.sarif‎
Lines changed: 57 additions & 0 deletions
diff --git a/‎test/SARIF/GSAC/EASY02_fix/EASY02_fix.c‎
Lines changed: 22 additions & 0 deletions b/‎test/SARIF/GSAC/EASY02_fix/EASY02_fix.c‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎test/SARIF/GSAC/EASY03/EASY03.c‎
Lines changed: 26 additions & 0 deletions b/‎test/SARIF/GSAC/EASY03/EASY03.c‎
Lines changed: 26 additions & 0 deletions
diff --git a/‎test/SARIF/GSAC/EASY03/pattern.sarif‎
Lines changed: 57 additions & 0 deletions b/‎test/SARIF/GSAC/EASY03/pattern.sarif‎
Lines changed: 57 additions & 0 deletions
diff --git a/‎test/SARIF/GSAC/EASY03_fix/EASY03_fix.c‎
Lines changed: 25 additions & 0 deletions b/‎test/SARIF/GSAC/EASY03_fix/EASY03_fix.c‎
Lines changed: 25 additions & 0 deletions
diff --git a/‎test/SARIF/GSAC/FieldSensitive/FieldSensitive.c‎
Lines changed: 41 additions & 0 deletions b/‎test/SARIF/GSAC/FieldSensitive/FieldSensitive.c‎
Lines changed: 41 additions & 0 deletions
@@ -968,6 +968,14 @@ void Executor::allocateGlobalObjects(ExecutionState &state) {
     const KGlobalVariable *kv = kmodule->globalMap.at(&v).get();
     ref<CodeLocation> vCodeLocation = CodeLocation::create(
         kv, kv->getSourceFilepath(), kv->getLine(), std::nullopt);
+
+    if (!isa<ConstantExpr>(size)) {
+      addConstraint(
+          state, UleExpr::create(
+                     ZExtExpr::create(size, Context::get().getPointerWidth()),
+                     Expr::createPointer(MaxSymbolicAllocationSize)));
+    }
+
     MemoryObject *mo = allocate(state, size, /*isLocal=*/false,
                                 /*isGlobal=*/true, /*allocSite=*/vCodeLocation,
                                 /*alignment=*/globalObjectAlignment);
@@ -7316,7 +7324,8 @@ bool resolveOnSymbolics(const std::vector<klee::Symbolic> &symbolics,
   for (const auto &res : symbolics) {
     const auto &mo = res.memoryObject;
     // Check if the provided address is between start and end of the object
-    // [mo->address, mo->address + mo->size) or the object is a 0-sized object.
+    // [mo->address, mo->address + mo->size) or the object is a 0-sized
+    // object.
     ref<klee::ConstantExpr> size =
         cast<klee::ConstantExpr>(assn.evaluate(mo->getSizeExpr()));
     if ((size->getZExtValue() == 0 && address == mo->address) ||
 
@@ -0,0 +1,36 @@
+// RUN: %clang -emit-llvm -g -c %s -o %t.bc
+// RUN: rm -rf %t.klee-out
+// RUN: %klee -write-sarifs --use-sym-size-alloc --use-sym-size-li --skip-not-symbolic-objects --posix-runtime --libc=uclibc -cex-cache-validity-cores --output-dir=%t.klee-out %t.bc > %t.log
+// RUN: python3 %S/../../checker.py %t.klee-out/report.sarif %S/pattern.sarif
+
+/***************************************************************************************
+ *    Title: GSAC
+ *    Author: https://github.com/GSACTech
+ *    Date: 2023
+ *    Code version: 1.0
+ *    Availability: https://github.com/GSACTech/contest
+ *
+ ***************************************************************************************/
+#include <stdlib.h>
+
+int *foo(int size) {
+  int *data = (int *)malloc(size * sizeof(int));
+  return data;
+}
+
+int main() {
+  int size = 5;
+  int *first_data = foo(size++);  // Call of 'foo(5)'
+  int *second_data = foo(size--); // Call of 'foo(6)'
+
+  for (int i = 0; i <= size; i++) {
+    // Length of 'first_data' is 5 and 'size' also is 5
+    first_data[i] = i; // buffer-overflow
+  }
+  for (int i = 0; i <= size; i++) {
+    // Length of 'second_data' is 6
+    second_data[i] = i;
+  }
+  free(first_data);
+  free(second_data);
+}
@@ -0,0 +1,57 @@
+{
+  "runs": [
+    {
+      "results": [
+        {
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "message": {
+                          "text": "Heap memory allocation"
+                        },
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "ContextSensitive.c"
+                          },
+                          "region": {
+                            "endColumn": null,
+                            "endLine": null,
+                            "startColumn": 22,
+                            "startLine": 17
+                          }
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "message": {
+                          "text": "memory error: out of bound pointer"
+                        },
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "ContextSensitive.c"
+                          },
+                          "region": {
+                            "endColumn": null,
+                            "endLine": null,
+                            "startColumn": 19,
+                            "startLine": 28
+                          }
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "version": "2.1.0"
+}
@@ -0,0 +1,23 @@
+// RUN: %clang -emit-llvm -g -c %s -o %t.bc
+// RUN: rm -rf %t.klee-out
+// RUN: %klee -write-sarifs --use-sym-size-alloc --use-sym-size-li --skip-not-symbolic-objects --posix-runtime --libc=uclibc -cex-cache-validity-cores --output-dir=%t.klee-out %t.bc > %t.log
+// RUN: python3 %S/../../checker.py %t.klee-out/report.sarif %S/pattern.sarif
+
+/***************************************************************************************
+ *    Title: GSAC
+ *    Author: https://github.com/GSACTech
+ *    Date: 2023
+ *    Code version: 1.0
+ *    Availability: https://github.com/GSACTech/contest
+ *
+ ***************************************************************************************/
+
+#include <stdlib.h>
+
+int main() {
+  int size = 10;
+  int *arr = malloc(size * sizeof(int)); // Memory allocation
+  // Access is out of bounds
+  arr[size] = 4; // buffer-overflow
+  free(arr);
+}
@@ -0,0 +1,57 @@
+{
+  "runs": [
+    {
+      "results": [
+        {
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "message": {
+                          "text": "Heap memory allocation"
+                        },
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "EASY02.c"
+                          },
+                          "region": {
+                            "endColumn": null,
+                            "endLine": null,
+                            "startColumn": 14,
+                            "startLine": 19
+                          }
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "message": {
+                          "text": "memory error: out of bound pointer"
+                        },
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "EASY02.c"
+                          },
+                          "region": {
+                            "endColumn": null,
+                            "endLine": null,
+                            "startColumn": 13,
+                            "startLine": 21
+                          }
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "version": "2.1.0"
+}
@@ -0,0 +1,22 @@
+// RUN: %clang -emit-llvm -g -c %s -o %t.bc
+// RUN: rm -rf %t.klee-out
+// RUN: %klee -write-sarifs --use-sym-size-alloc --use-sym-size-li --skip-not-symbolic-objects --posix-runtime --libc=uclibc -cex-cache-validity-cores --output-dir=%t.klee-out %t.bc > %t.log
+// RUN: test ! -f %t.klee-out/report.sarif
+
+/***************************************************************************************
+ *    Title: GSAC
+ *    Author: https://github.com/GSACTech
+ *    Date: 2023
+ *    Code version: 1.0
+ *    Availability: https://github.com/GSACTech/contest
+ *
+ ***************************************************************************************/
+
+#include <stdlib.h>
+
+int main() {
+  int size = 10;
+  int *arr = malloc(size * sizeof(int));
+  arr[size - 1] = 4;
+  free(arr);
+}
@@ -0,0 +1,26 @@
+// RUN: %clang -emit-llvm -g -c %s -o %t.bc
+// RUN: rm -rf %t.klee-out
+// RUN: %klee -write-sarifs --use-sym-size-alloc --use-sym-size-li --skip-not-symbolic-objects --posix-runtime --libc=uclibc -cex-cache-validity-cores --output-dir=%t.klee-out %t.bc > %t.log
+// RUN: python3 %S/../../checker.py %t.klee-out/report.sarif %S/pattern.sarif
+
+/***************************************************************************************
+ *    Title: GSAC
+ *    Author: https://github.com/GSACTech
+ *    Date: 2023
+ *    Code version: 1.0
+ *    Availability: https://github.com/GSACTech/contest
+ *
+ ***************************************************************************************/
+
+#include <stdlib.h>
+
+int main() {
+  int *data;
+  int size = 5;
+  data = malloc(size * sizeof(int)); // Memory allocation
+  for (int i = 0; i <= size; i++) {  // Last iteration of this cycle is (size + 1)_th
+    // In the last iteration access is out of bounds
+    data[i] = i; // buffer-overflow
+  }
+  free(data);
+}
@@ -0,0 +1,57 @@
+{
+  "runs": [
+    {
+      "results": [
+        {
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "message": {
+                          "text": "Heap memory allocation"
+                        },
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "EASY03.c"
+                          },
+                          "region": {
+                            "endColumn": null,
+                            "endLine": null,
+                            "startColumn": 10,
+                            "startLine": 20
+                          }
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "message": {
+                          "text": "memory error: out of bound pointer"
+                        },
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "EASY03.c"
+                          },
+                          "region": {
+                            "endColumn": null,
+                            "endLine": null,
+                            "startColumn": 13,
+                            "startLine": 23
+                          }
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "version": "2.1.0"
+}
@@ -0,0 +1,25 @@
+// RUN: %clang -emit-llvm -g -c %s -o %t.bc
+// RUN: rm -rf %t.klee-out
+// RUN: %klee -write-sarifs --use-sym-size-alloc --use-sym-size-li --skip-not-symbolic-objects --posix-runtime --libc=uclibc -cex-cache-validity-cores --output-dir=%t.klee-out %t.bc > %t.log
+// RUN: test ! -f %t.klee-out/report.sarif
+
+/***************************************************************************************
+ *    Title: GSAC
+ *    Author: https://github.com/GSACTech
+ *    Date: 2023
+ *    Code version: 1.0
+ *    Availability: https://github.com/GSACTech/contest
+ *
+ ***************************************************************************************/
+
+#include <stdlib.h>
+
+int main() {
+  int *data;
+  int size = 5;
+  data = malloc(size * sizeof(int));
+  for (int i = 0; i < size; i++) {
+    data[i] = i;
+  }
+  free(data);
+}
@@ -0,0 +1,41 @@
+// RUN: %clang -emit-llvm -g -c %s -o %t.bc
+// RUN: rm -rf %t.klee-out
+// RUN: %klee -write-sarifs --use-sym-size-alloc --use-sym-size-li --skip-not-symbolic-objects --posix-runtime --libc=uclibc -cex-cache-validity-cores --output-dir=%t.klee-out %t.bc > %t.log
+// RUN: python3 %S/../../checker.py %t.klee-out/report.sarif %S/pattern.sarif
+
+/***************************************************************************************
+ *    Title: GSAC
+ *    Author: https://github.com/GSACTech
+ *    Date: 2023
+ *    Code version: 1.0
+ *    Availability: https://github.com/GSACTech/contest
+ *
+ ***************************************************************************************/
+
+#include <stdlib.h>
+
+struct Data {
+  int *first_data;
+  int *second_data;
+};
+
+void foo(struct Data *data, int size) {
+  data->second_data = (int *)malloc(size * sizeof(int)); // Allocated 20 bytes of memory
+  size++;
+  data->first_data = (int *)malloc(size * sizeof(int)); // Allocated 24 bytes of memory
+}
+
+int main() {
+  int size = 5;
+  struct Data data;
+  foo(&data, size);
+  for (int i = 0; i <= size; i++) {
+    data.first_data[i] = i;
+  }
+  // Length of 'second_data' is 5 and 'size' also is 5
+  for (int i = 0; i <= size; i++) {
+    data.second_data[i] = i; // buffer-overflow
+  }
+  free(data.first_data);
+  free(data.second_data);
+}