Handle type-implied (but spurious) out-of-bounds in back-end #2166
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
tautschnig
requested review from
kroening,
martin-cs and
peterschrammel
as code owners
This was referenced May 7, 2018
martin-cs
approved these changes
May 16, 2018
|
|
||
| int main() | ||
| { | ||
| Struct3 *p = malloc (sizeof (int) + 2 * sizeof(Union)); |
There was a problem hiding this comment.
(sizeof(Struct3) + sizeof(Union)) because padding (think an architecture with strict alignment, 4 byte integers and 8 byte pointers)?
There was a problem hiding this comment.
Good call - done (packing is only requested on for __GNUC__ in this test).
| __CPROVER_assert(p->List[0].a==555, "p->List[0].a==555"); | ||
|
|
||
| // this should be fine | ||
| p->List[1].b = 999; |
There was a problem hiding this comment.
Maybe? I agree (modulo the change above) that this is in the dynamically allocated region, but I don't know that it is in inside the array and I don't know exact A. which we check and B. the standard would use for determining undefined behaviour.
There was a problem hiding this comment.
I'm not sure this is covered by the C standard. As far as I recall this is an example from SV-COMP that originated from the Linux kernel. Using a proper flexible array would work, but I'm not sure it would expose the bug that this test was originally mean to expose (which is that we need to look at the actually allocated object instead of the type).
There was a problem hiding this comment.
Ummm... I'm unsure. At the risk of making this "what exactly is the semantics of ..." week -- what is it that bounds check is checking? Is:
int inputBuffer[LENGTH];
int outputBuffer[LENGTH];
}
x = inputBuffer[LENGTH];```
An error?
|
|
||
| // this is out-of-bounds | ||
| p->List[2].a = 0; | ||
|
|
There was a problem hiding this comment.
Yeah; this one is right out!
tautschnig
force-pushed
the
out-of-bounds
branch
2 times, most recently
from
aa12638 to
8438432
Compare
|
Sorry to be a pain but I've tagged this "do not merge" for now because it is not clear to me if this is a bug or not. |
|
@martin-cs Would you mind clarifying? |
|
@tautschnig : Not at all. I guess the question in my mind is does bounds check: These seem to need a mix of A and B checking. I think I'm going to need to read the C standard very carefully... |
|
Just a note on the size-1 array: that was the way to do it in C90: http://c-faq.com/struct/structhack.html (and https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html). |
tautschnig
requested review from
chrisr-diffblue,
smowton and
thk123
as code owners
|
@martin-cs I have now added your test as a regression test, which of course prompted another fix...! Would you mind taking another look and possibly remove the do-not-merge block? |
|
Top of the stack for tomorrow :-) What policy are we implementing? |
Let me actually put that in the commit message... |
The test Pointer_byte_extract5 was previously only solved properly thanks to hacks in the simplifier. We should not have to rely on those. Also adjust the malloc size computation to not rely on absence of padding.
These are just out-of-bounds accesses.
Example crafted by Martin, which now clarifies which bounds we check: 1) When the object is stack-allocated and does not use flexible array members, the bounds are as specified in the type. 2) When flexible array members are used (zero-sized array), the semantics laid out in the standard are used (the bound is the size of the full object). 3) When the allocation size does not match the type-specified size (necessarily a case of heap allocation), use the size of the allocation.
NathanJPhillips
pushed a commit
to NathanJPhillips/cbmc
that referenced
this pull request
Aug 22, 2018
8de6a33 Merge pull request diffblue#2006 from tautschnig/opt-no-self-loops 6605699 Merge pull request diffblue#2217 from diffblue/c-preprocessing-cleanout f1d787b Merge pull request diffblue#2166 from tautschnig/out-of-bounds 25339d5 Add option not to transform self-loops into assumes 5e6a3af Merge pull request diffblue#2249 from tautschnig/attribute-used d3d888b Bounds check for flexible array members 41003e8 Handle negative byte_extract offsets efea5c4 Fix flattening of access beyond type-specified bounds 0ec87c8 Merge pull request diffblue#2271 from diffblue/letification 090790a Interpret GCC's attribute __used__ 7985716 Merge pull request diffblue#2252 from tautschnig/fresh-symbol-cleanup 022846a letify: use irep_hash_mapt when hashing is expensive 15dff7d Merge pull request diffblue#2260 from antlechner/antonia/annotation-class-value 9a0ffae added irep_hash_mapt da0adfe bugfix: irep_hash_containert now keeps a copy of the contained ireps 45436ce use std::size_t for container sizes 0c26a53 let_count_idt is now a struct e0a5142 Merge pull request diffblue#2206 from diffblue/use-get_identifier e0ad069 Add support for Java annotations with Class value 3817341 Merge pull request diffblue#2237 from smowton/smowton/feature/initialize-class-literals 25c097e use get_identifier() instead of get(ID_identifier) on symbols 4eda8ad Java class literals: init using a library hook when possible 70f13f3 Merge pull request diffblue#1906 from tautschnig/missing-return-semantics 57885a5 Merge pull request diffblue#1868 from tautschnig/fix-1867 b49822e Merge pull request diffblue#2028 from tautschnig/regression-fix 2815e84 Merge pull request diffblue#2259 from smowton/smowton/feature/note-abstract-methods 09b8cf7 Merge pull request diffblue#2014 from tautschnig/cadical-experiment f50237b Merge pull request diffblue#1967 from romainbrenguier/refactor/drop-constraint-inheritance2 3f951dd Merge pull request diffblue#2234 from nmanthey/upstream-fpr c6c2928 Drop inheritance from constraint on exprt 0ffd0ae Replace negation of constraint by a method f653dec use compiler defaults for gcc defines a31f530 remove need to do preprocessing on 16-bit test 24210e9 enable AWS Codebuild to do -m32 bfae4e3 enable Travis to do -m32 34a3d85 Merge pull request diffblue#2247 from antlechner/antonia/annotation-conversion 15ed961 Note when symbol-table entries are abstract methods 3a7135a Add module_dependencies.txt in test folder 1fa0b97 Generalize and rename does_annotation_exist 1db0af4 Define inverse function of convert_annotations ff25b2c get_max: do not parse every symbol name in the symbol table b603703 Add missing override 70da606 Merge pull request diffblue#2251 from tautschnig/rename-cleanup 49429cf Merge pull request diffblue#2257 from owen-jones-diffblue/owen-jones-diffblue/fix-cmake-macro 4b7a195 Improve naming of annotation variables 57d96e5 Fix CMake macro f9058e7 Merge pull request diffblue#2246 from diffblue/z3-fpa 6b0f265 Merge pull request diffblue#2248 from thk123/bugfix/doxygen-including-jbmc 72e99a0 Merge pull request diffblue#2201 from diffblue/remove-incomplete-type-constructors d4abbea smt2 implementation for popcount_exprt e8fa1c9 bswap_exprt now knows how many bits a byte has a6652d2 Merge pull request diffblue#2255 from tautschnig/speedup-no-pointer-check 4b0a2d6 goto_check: do not unnecessarily build size-of expressions 1fe7cd7 remove mathematical_typet() constructor, which produces an incomplete object 25d393b remove vector_typet() constructor, which produces an incomplete object e7c52e4 remove range_typet() constructor, which produces an incomplete object f92083d remove array_typet() constructor, which produces an incomplete object 72f63f3 remove tag_typet() constructor, which produces an incomplete object 516ed14 remove symbol_typet() constructor, which produces an incomplete object 4215f21 Consistently use get_fresh_aux_symbol instead of local implementations e6cd488 Remove unused goto_symext::new_name c24b820 Remove goto_convertt::lookup a816b26 Do not include rename.h when not using its functions 52ab088 called_functions: use unordered_set 157a12c Fix doxyfile to include JBMC documentation 026e93f function-pointer-removal: drop unused set b75fcbc smt2 implementation for bswap_exprt e276b27 Avoid extern/parameter name collisions in show-goto-functions/dump-c output 87c5948 C front-end: Record extern declarations in current scope a47941d perf-test: add -W/--witness-check to validate SV-COMP witness checking 5b0395f perf-test: Update Ubuntu AMI ids for latest version 1288ec7 perf-test: speed up builds just like e7bb127 did afccaec Provide goto-cc in performance tests f802d87 Support CaDiCaL in performance tests, remove redundant script 7872f7c Replace a missing return value by nondet 829068f Don't require the simplifier to solve this regression test git-subtree-dir: cbmc git-subtree-split: 8de6a33
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The Pointer_byte_extract5 test only succeeded because the simplifier was kind enough to flatten some operations. Now the test can also be handled without prior simplification. While at it, negative byte extracts can also be handled safely (they are out-of-bounds, but that's ok).