Skip to content

CBMC segfaults when using flexible array member with union of struct #1209

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
fangyi-zhou opened this issue Aug 4, 2017 · 4 comments
Closed

CBMC segfaults when using flexible array member with union of struct #1209

fangyi-zhou opened this issue Aug 4, 2017 · 4 comments
Labels
pending merge

Comments

@fangyi-zhou
Copy link

Minimal sample

#include <stdlib.h>

typedef struct {
    union {
        struct {
            uint8_t x;
            uint8_t y;
        } a;
        struct {
            uint8_t x;
            uint8_t z;
        } b;
    };
} union_t;

typedef struct {
    uint32_t magic;
    union_t unions[];
} flex;

int flex_init(flex * flex, size_t num)
{
    if (num == 0 || num >= 200) {
        return -1;
    }
    flex->unions[num - 1].b.z = 255;
    return 0;
}

int main() {
    uint8_t num = nondet_size();
    flex * pool = (flex *) malloc(sizeof(flex) + num * sizeof(union_t));
    int ret = flex_init(pool, num);
    if (num > 0 && num < 200) {
        __CPROVER_assert(ret == 0, "Accept inside range");
    } else {
        __CPROVER_assert(ret != 0, "Reject outside range");
    }
}

Run log

% cbmc min.c
CBMC version 5.8 64-bit x86_64 macos
Parsing min.c
Converting
Type-checking min
file min.c line 31 function main: function `nondet_size' is not declared
Generating GOTO Program
Adding CPROVER library (x86_64)
Removal of function pointers and virtual functions
Partial Inlining
Generic Property Instrumentation
Starting Bounded Model Checking
size of program expression: 84 steps
simple slicing removed 5 assignments
Generated 2 VCC(s), 2 remaining after simplification
Passing problem to propositional reduction
converting SSA
[1]    24540 segmentation fault  cbmc min.c

Exit code = 139
@tautschnig
Copy link
Collaborator

Taking a look.

@tautschnig
Copy link
Collaborator

tautschnig commented Aug 4, 2017
edited
Loading

Some part of the code generates a struct expression without any operands. I'll continue debugging on Monday.

tautschnig added a commit to tautschnig/cbmc that referenced this issue Aug 4, 2017
@tautschnig
Enable extractbits over arbitrary types, fix byte extract omission
2f55076 
Extractbits can safely be applied to any type as it just turns the bit sequence
into a bitvector; thus use extractbits directly instead of performing type casts
(which are not as generic) first.

Fix a missing struct operands push where the operand had been constructed but
was never used.

Fixes: diffblue#1209
@tautschnig tautschnig mentioned this issue Aug 4, 2017
Merged
@tautschnig
Copy link
Collaborator

See #1211 for a bug fix.

@fangyi-zhou
Copy link
Author

Thanks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
pending merge
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tautschnig @fangyi-zhou