Small fix

lib/Core/ExecutionState.cpp

@@ -121,7 +121,8 @@ ExecutionState::ExecutionState()
       depth(0), ptreeNode(nullptr), symbolics(), steppedInstructions(0),
       steppedMemoryInstructions(0), instsSinceCovNew(0),
       roundingMode(llvm::APFloat::rmNearestTiesToEven), coveredNew({}),
-      forkDisabled(false), prevHistory_(TargetsHistory::create()),
+      coveredNewError(new box<bool>(false)), forkDisabled(false),
+      prevHistory_(TargetsHistory::create()),
       history_(TargetsHistory::create()) {
   setID();
 }
@@ -131,7 +132,8 @@ ExecutionState::ExecutionState(KFunction *kf)
       depth(0), ptreeNode(nullptr), symbolics(), steppedInstructions(0),
       steppedMemoryInstructions(0), instsSinceCovNew(0),
       roundingMode(llvm::APFloat::rmNearestTiesToEven), coveredNew({}),
-      forkDisabled(false), prevHistory_(TargetsHistory::create()),
+      coveredNewError(new box<bool>(false)), forkDisabled(false),
+      prevHistory_(TargetsHistory::create()),
       history_(TargetsHistory::create()) {
   pushFrame(nullptr, kf);
   setID();
@@ -142,7 +144,8 @@ ExecutionState::ExecutionState(KFunction *kf, KBlock *kb)
       depth(0), ptreeNode(nullptr), symbolics(), steppedInstructions(0),
       steppedMemoryInstructions(0), instsSinceCovNew(0),
       roundingMode(llvm::APFloat::rmNearestTiesToEven), coveredNew({}),
-      forkDisabled(false), prevHistory_(TargetsHistory::create()),
+      coveredNewError(new box<bool>(false)), forkDisabled(false),
+      prevHistory_(TargetsHistory::create()),
       history_(TargetsHistory::create()) {
   pushFrame(nullptr, kf);
   setID();
@@ -170,11 +173,11 @@ ExecutionState::ExecutionState(const ExecutionState &state)
       unwindingInformation(state.unwindingInformation
                                ? state.unwindingInformation->clone()
                                : nullptr),
-      coveredNew(state.coveredNew), forkDisabled(state.forkDisabled),
-      returnValue(state.returnValue), gepExprBases(state.gepExprBases),
-      prevTargets_(state.prevTargets_), targets_(state.targets_),
-      prevHistory_(state.prevHistory_), history_(state.history_),
-      isTargeted_(state.isTargeted_) {
+      coveredNew(state.coveredNew), coveredNewError(state.coveredNewError),
+      forkDisabled(state.forkDisabled), returnValue(state.returnValue),
+      gepExprBases(state.gepExprBases), prevTargets_(state.prevTargets_),
+      targets_(state.targets_), prevHistory_(state.prevHistory_),
+      history_(state.history_), isTargeted_(state.isTargeted_) {
   queryMetaData.id = state.id;
 }
 

lib/Core/ExecutionState.h

@@ -366,6 +366,7 @@ class ExecutionState {
 
   /// @brief Whether a new instruction was covered in this state
   mutable std::deque<ref<box<bool>>> coveredNew;
+  mutable ref<box<bool>> coveredNewError;
 
   /// @brief Disables forking for this state. Set by user code
   bool forkDisabled = false;
@@ -507,7 +508,12 @@ class ExecutionState {
   bool isCoveredNew() const {
     return !coveredNew.empty() && coveredNew.back()->value;
   }
-  void coverNew() const { coveredNew.push_back(new box<bool>(true)); }
+  bool isCoveredNewError() const { return coveredNewError->value; }
+  void coverNew() const {
+    coveredNew.push_back(new box<bool>(true));
+    coveredNewError->value = false;
+    coveredNewError = new box<bool>(true);
+  }
   void updateCoveredNew() const {
     while (!coveredNew.empty() && !coveredNew.front()->value) {
       coveredNew.pop_front();
@@ -519,6 +525,7 @@ class ExecutionState {
     }
     coveredNew.clear();
   }
+  void clearCoveredNewError() const { coveredNewError->value = false; }
 };
 
 struct ExecutionStateIDCompare {

lib/Core/Executor.cpp

@@ -4355,9 +4355,9 @@ void Executor::initializeTypeManager() {
   typeSystemManager->initModule();
 }
 
-static bool shouldWriteTest(const ExecutionState &state) {
+static bool shouldWriteTest(const ExecutionState &state, bool isError = false) {
   state.updateCoveredNew();
-  bool coveredNew = state.isCoveredNew();
+  bool coveredNew = isError ? state.isCoveredNewError() : state.isCoveredNew();
   return !OnlyOutputStatesCoveringNew || coveredNew;
 }
 
@@ -4721,7 +4721,7 @@ void Executor::terminateStateOnError(ExecutionState &state,
 
   if ((EmitAllErrors ||
        emittedErrors.insert(std::make_pair(lastInst, message)).second) &&
-      shouldWriteTest(state)) {
+      shouldWriteTest(state, true)) {
     std::string filepath = ki->getSourceFilepath();
     if (!filepath.empty()) {
       klee_message("ERROR: %s:%zu: %s", filepath.c_str(), ki->getLine(),
@@ -4752,6 +4752,8 @@ void Executor::terminateStateOnError(ExecutionState &state,
     if (!info_str.empty())
       msg << "Info: \n" << info_str;
 
+    state.clearCoveredNewError();
+
     const std::string ext = terminationTypeFileExtension(terminationType);
     // use user provided suffix from klee_report_error()
     const char *file_suffix = suffix ? suffix : ext.c_str();

test/Feature/LazyInitialization/DerefSymbolicPointer.c

@@ -1,7 +1,6 @@
-// REQUIRES: z3
 // RUN: %clang %s -emit-llvm %O0opt -c -o %t.bc
 // RUN: rm -rf %t.klee-out
-// RUN: %klee --write-kqueries --output-dir=%t.klee-out --solver-backend=z3 --skip-not-symbolic-objects %t.bc > %t.log
+// RUN: %klee --write-kqueries --output-dir=%t.klee-out --skip-not-symbolic-objects %t.bc > %t.log
 // RUN: FileCheck %s -input-file=%t.log
 #include "klee/klee.h"
 

test/Feature/LazyInitialization/ImpossibleAddressForLI.c

@@ -1,7 +1,6 @@
-// REQUIRES: z3
 // RUN: %clang %s -emit-llvm -g -c -o %t.bc
 // RUN: rm -rf %t.klee-out
-// RUN: %klee --output-dir=%t.klee-out --solver-backend=z3 --skip-not-symbolic-objects %t.bc 2>&1 | FileCheck %s
+// RUN: %klee --output-dir=%t.klee-out --skip-not-symbolic-objects %t.bc 2>&1 | FileCheck %s
 
 #include "klee/klee.h"
 

test/Feature/LazyInitialization/LazyInitialization.c

@@ -1,7 +1,6 @@
-// REQUIRES: z3
 // RUN: %clang %s -emit-llvm %O0opt -c -o %t.bc
 // RUN: rm -rf %t.klee-out
-// RUN: %klee --output-dir=%t.klee-out --solver-backend=z3 --skip-not-symbolic-objects --use-timestamps=false --use-guided-search=none %t.bc > %t.log
+// RUN: %klee --output-dir=%t.klee-out --skip-not-symbolic-objects --use-timestamps=false --use-guided-search=none %t.bc > %t.log
 // RUN: FileCheck %s -input-file=%t.log
 
 struct Node {

test/Feature/LazyInitialization/LinkedList.c

@@ -1,7 +1,6 @@
-// REQUIRES: z3
 // RUN: %clang %s -emit-llvm %O0opt -g -c -o %t.bc
 // RUN: rm -rf %t.klee-out
-// RUN: %klee --write-kqueries --solver-backend=z3 --output-dir=%t.klee-out --skip-not-symbolic-objects %t.bc > %t.log
+// RUN: %klee --write-kqueries --output-dir=%t.klee-out --skip-not-symbolic-objects %t.bc > %t.log
 // RUN: FileCheck %s -input-file=%t.log
 #include "klee/klee.h"
 

test/Feature/LazyInitialization/PointerOffset.c

@@ -1,7 +1,6 @@
-// REQUIRES: z3
 // RUN: %clang %s -emit-llvm %O0opt -c -o %t.bc
 // RUN: rm -rf %t.klee-out
-// RUN: %klee --output-dir=%t.klee-out --solver-backend=z3 --skip-not-symbolic-objects --use-timestamps=false --skip-local=false %t.bc
+// RUN: %klee --output-dir=%t.klee-out --skip-not-symbolic-objects --use-timestamps=false --skip-local=false %t.bc
 // RUN: %ktest-tool %t.klee-out/test*.ktest > %t.log
 // RUN: FileCheck %s -input-file=%t.log
 // CHECK: pointers: [(0, 1, 4)]

test/Feature/LazyInitialization/SingleInitializationAndAccess.c

@@ -1,7 +1,6 @@
-// REQUIRES: z3
 // RUN: %clang %s -emit-llvm -g -c -o %t1.bc
 // RUN: rm -rf %t.klee-out
-// RUN: %klee --output-dir=%t.klee-out --solver-backend=z3 --skip-not-symbolic-objects --skip-local=false --use-sym-size-li --min-number-elements-li=1 %t1.bc 2>&1 | FileCheck %s
+// RUN: %klee --output-dir=%t.klee-out --skip-not-symbolic-objects --skip-local=false --use-sym-size-li --min-number-elements-li=1 %t1.bc 2>&1 | FileCheck %s
 
 #include "klee/klee.h"
 #include <assert.h>

test/Feature/LazyInitialization/TwoObjectsInitialization.c

@@ -1,7 +1,6 @@
-// REQUIRES: z3
 // RUN: %clang %s -emit-llvm -g -c -o %t1.bc
 // RUN: rm -rf %t.klee-out
-// RUN: %klee --output-dir=%t.klee-out --solver-backend=z3 --skip-not-symbolic-objects %t1.bc 2>&1 | FileCheck %s
+// RUN: %klee --output-dir=%t.klee-out --skip-not-symbolic-objects %t1.bc 2>&1 | FileCheck %s
 
 #include "klee/klee.h"
 #include <assert.h>

test/Industry/AssignNull_Scene_BadCase02.c

@@ -49,7 +49,6 @@ void TestBad5(struct STU *pdev, const char *buf, unsigned int count)
     printf("teacher id is %ud", teacherID);
 }
 
-// REQUIRES: z3
 // RUN: %clang %s -emit-llvm -c -g -O0 -Xclang -disable-O0-optnone -o %t1.bc
 // RUN: rm -rf %t.klee-out
 // RUN: %klee --output-dir=%t.klee-out --use-guided-search=error --location-accuracy --mock-external-calls --libc=klee --skip-not-symbolic-objects --skip-not-lazy-initialized --use-lazy-initialization=only --analysis-reproduce=%s.json %t1.bc

test/Industry/AssignNull_Scene_BadCase04.c

@@ -50,7 +50,6 @@ int TestBad7(char *arg, unsigned int count)
     return 1;
 }
 
-// REQUIRES: z3
 // RUN: %clang %s -emit-llvm -c -g -O0 -Xclang -disable-O0-optnone -o %t1.bc
 // RUN: rm -rf %t.klee-out
 // RUN: %klee --output-dir=%t.klee-out --use-guided-search=error --mock-external-calls --check-out-of-memory --libc=klee --skip-not-symbolic-objects --skip-not-lazy-initialized --smart-resolve-entry-function --use-lazy-initialization=only --analysis-reproduce=%s.json %t1.bc

test/Industry/BadCase01_SecB_ForwardNull.c

@@ -140,7 +140,6 @@ void badbad(char *ptr)
 }
 #endif
 
-// REQUIRES: z3
 // RUN: %clang %s -emit-llvm -c -g -O0 -Xclang -disable-O0-optnone -o %t1.bc
 // RUN: rm -rf %t.klee-out
 // RUN: %klee --output-dir=%t.klee-out --use-guided-search=error --mock-external-calls --libc=klee --skip-not-symbolic-objects --skip-not-lazy-initialized --check-out-of-memory --use-lazy-initialization=only --analysis-reproduce=%s.json %t1.bc

test/Industry/CheckNull_Scene_BadCase02.c

@@ -41,7 +41,6 @@ void TestBad2()
     free(errMsg);
 }
 
-// REQUIRES: z3
 // RUN: %clang %s -emit-llvm -c -g -O0 -Xclang -disable-O0-optnone -o %t1.bc
 // RUN: rm -rf %t.klee-out
 // RUN: %klee --output-dir=%t.klee-out --use-guided-search=error --mock-external-calls --check-out-of-memory --libc=klee --skip-not-symbolic-objects --skip-not-lazy-initialized --use-lazy-initialization=only --analysis-reproduce=%s.json %t1.bc

test/Industry/CheckNull_Scene_BadCase04.c

@@ -56,7 +56,6 @@ void TestBad12(int cond1, int cond2)
 	}
 }
 
-// REQUIRES: z3
 // RUN: %clang %s -emit-llvm -c -g -O0 -Xclang -disable-O0-optnone -o %t1.bc
 // RUN: rm -rf %t.klee-out
 // RUN: %klee --output-dir=%t.klee-out --use-guided-search=error --mock-external-calls --check-out-of-memory --libc=klee --skip-not-symbolic-objects --skip-not-lazy-initialized --use-lazy-initialization=only --analysis-reproduce=%s.json %t1.bc

test/Industry/FN_SecB_ForwardNull_filed.c

@@ -1,8 +1,3 @@
-// REQUIRES: z3
-// RUN: %clang %s -emit-llvm -c -g -O0 -Xclang -disable-O0-optnone -o %t1.bc
-// RUN: rm -rf %t.klee-out
-// RUN: %klee --output-dir=%t.klee-out --use-guided-search=error --mock-external-calls --libc=klee --skip-not-symbolic-objects --skip-not-lazy-initialized --use-lazy-initialization=only --analysis-reproduce=%s.json %t1.bc
-// RUN: FileCheck -input-file=%t.klee-out/warnings.txt %s
 /*
  * Copyright (c) Huawei Technologies Co., Ltd. 2021-2021. All rights reserved.
  * @description 空指针解引用 验收失败
@@ -44,8 +39,13 @@ void WB_BadCase_Field(UINT32 inputNum1, UINT32 inputNum2)
 void WB_BadCase_field2(DataInfo *data)
 {
   data->dataBuff = NULL;
-  *data->dataBuff = 'c'; // CHECK: KLEE: WARNING: 100.00% NullPointerException False Negative at: {{.*}}test/Industry/FN_SecB_ForwardNull_filed.c:47 19
+  *data->dataBuff = 'c'; // CHECK: KLEE: WARNING: 100.00% NullPointerException False Negative at: {{.*}}test/Industry/FN_SecB_ForwardNull_filed.c:42 19
 
   char *ptr = NULL;
   *ptr = 'c'; // CHECK: KLEE: WARNING: 100.00% NullPointerException False Positive at trace 1
 }
+
+// RUN: %clang %s -emit-llvm -c -g -O0 -Xclang -disable-O0-optnone -o %t1.bc
+// RUN: rm -rf %t.klee-out
+// RUN: %klee --output-dir=%t.klee-out --use-guided-search=error --mock-external-calls --libc=klee --skip-not-symbolic-objects --skip-not-lazy-initialized --use-lazy-initialization=only --analysis-reproduce=%s.json %t1.bc
+// RUN: FileCheck -input-file=%t.klee-out/warnings.txt %s

test/Industry/FN_SecB_ForwardNull_filed.c.json

@@ -20,7 +20,7 @@
                                                         "uri": "/mnt/d/wsl-ubuntu/test2/forward_null/./FN_SecB_ForwardNull_filed.c"
                                                     },
                                                     "region": {
-                                                        "startLine": 49,
+                                                        "startLine": 44,
                                                         "startColumn": null
                                                     }
                                                 }
@@ -33,7 +33,7 @@
                                                         "uri": "/mnt/d/wsl-ubuntu/test2/forward_null/./FN_SecB_ForwardNull_filed.c"
                                                     },
                                                     "region": {
-                                                        "startLine": 50,
+                                                        "startLine": 45,
                                                         "startColumn": null
                                                     }
                                                 }
@@ -52,7 +52,7 @@
                                     "uri": "/mnt/d/wsl-ubuntu/test2/forward_null/./FN_SecB_ForwardNull_filed.c"
                                 },
                                 "region": {
-                                    "startLine": 50,
+                                    "startLine": 45,
                                     "startColumn": null
                                 }
                             }

test/Industry/MemoryLeak/LocalVar_Alloc_in_Loop_Exit_in_Loop_BadCase01.c

@@ -53,7 +53,6 @@ void call_func(int num)
     ResourceLeak_bad01(num);
 }
 
-// REQUIRES: z3
 // RUN: %clang %s -emit-llvm -c -g -O0 -Xclang -disable-O0-optnone -o %t1.bc
 // RUN: rm -rf %t.klee-out
 // RUN: %klee --output-dir=%t.klee-out --write-kqueries --max-cycles-before-stuck=0 --use-guided-search=error --check-out-of-memory --mock-external-calls --skip-not-symbolic-objects --skip-not-lazy-initialized --use-lazy-initialization=only --analysis-reproduce=%s.json %t1.bc

test/Industry/NullReturn_BadCase_WhiteBox01.c

@@ -1,8 +1,3 @@
-// REQUIRES: z3
-// RUN: %clang %s -emit-llvm -c -g -O0 -Xclang -disable-O0-optnone -o %t1.bc
-// RUN: rm -rf %t.klee-out
-// RUN: %klee --output-dir=%t.klee-out --smart-resolve-entry-function --use-guided-search=error --mock-external-calls --libc=klee --skip-not-symbolic-objects --skip-not-lazy-initialized --use-lazy-initialization=only --analysis-reproduce=%s.json %t1.bc
-// RUN: FileCheck -input-file=%t.klee-out/warnings.txt %s
 /*
  * Copyright (c) Huawei Technologies Co., Ltd. 2022-2022. All rights reserved.
  *
@@ -68,3 +63,8 @@ void NullReturn_BadCase_WhiteBox01(UINT8 index, SchedHarqStru *harqInfo)
         SendMsg(index, usrId, resultInfo);                                                              // (3)
     }
 }
+
+// RUN: %clang %s -emit-llvm -c -g -O0 -Xclang -disable-O0-optnone -o %t1.bc
+// RUN: rm -rf %t.klee-out
+// RUN: %klee --output-dir=%t.klee-out --smart-resolve-entry-function --use-guided-search=error --mock-external-calls --libc=klee --skip-not-symbolic-objects --skip-not-lazy-initialized --use-lazy-initialization=only --analysis-reproduce=%s.json %t1.bc
+// RUN: FileCheck -input-file=%t.klee-out/warnings.txt %s