Skip to content

2 full-slicer crashes #2653

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
polgreen opened this issue Aug 1, 2018 · 5 comments
Closed

2 full-slicer crashes #2653

polgreen opened this issue Aug 1, 2018 · 5 comments
Labels
pending merge

Comments

@polgreen
Copy link
Contributor

polgreen commented Aug 1, 2018

To recreate both of these issues you will need this Xen binary:
https://drive.google.com/file/d/1Vco57D_iMhQ6N1EXqLTmF1wC9WiSN3mZ/view?usp=sharing
And this branch of cbmc:
https://github.com/diffblue/cbmc/tree/remove_asm_fix
(if you use develop, a different invariant is violated)

Issue 1

To recreate:

goto-instrument --remove-function-pointers xen-syms.binary test.binary
goto-instrument --full-slice test.binary output.binary

This triggers either this invariant: https://github.com/diffblue/cbmc/blob/develop/src/pointer-analysis/value_set_fi.cpp#L1282, or this invariant: https://github.com/diffblue/cbmc/blob/develop/src/pointer-analysis/value_set_fi.cpp#L412

The problem seems to be dereferencing pointers that are NULL. A temporary fix is to introduce this check before these invariants if(expr.op0().id() == ID_null_object) return;.

Issue 2

I've no idea why removing the function pointers in a separate step produces a different result to this, but it does. To recreate:

goto-instrument --full-slice xen-syms.binary output.binary

This terminates with "identifier not found", which comes from value_set_domain_fit::transform being called on something with no identifier and no LOC on the rhs.
@polgreen polgreen mentioned this issue Aug 8, 2018
Open
kroening pushed a commit that referenced this issue Aug 14, 2018
tolerate two cases of imprecision in value_set_fi; addresses issue #2653
8ffe820
@kroening
Copy link
Member

The first issue is addressed in PR #2736

kroening pushed a commit that referenced this issue Aug 15, 2018
properly set function id on instructions added by remove_asm
8aaa411 
fixes issue #2653
kroening pushed a commit that referenced this issue Aug 15, 2018
properly set function id on instructions added by remove_asm
ef4bb3c 
fixes issue #2653
@kroening kroening mentioned this issue Aug 15, 2018
Merged
@kroening
Copy link
Member

The second in PR #2741.

kroening pushed a commit that referenced this issue Aug 16, 2018
tolerate two cases of imprecision in value_set_fi; addresses issue #2653
a10558e
@polgreen
Copy link
Contributor Author

I am running on CBMC with both of the above PR's cherry picked on and I get the following invariant violation from running `goto-instrument --full-slice A.binary B.binary'

--- begin invariant violation report ---
Invariant check failed
File: mp_arith.cpp:197 function: integer2size_t
Condition: n>=0 && n<=std::numeric_limits<std::size_t>::max()
Reason: Precondition

A.binary is here
https://s3.amazonaws.com/cbmc-public-bucket/A.binary

@polgreen
Copy link
Contributor Author

With a different binary, I get the following invariant from running goto-instrument --full-slice C.binary D.binary

--- begin invariant violation report ---
Invariant check failed
File: value_set_fi.cpp:1285 function: assign_rec
Condition: type.id()==ID_array || type.id()==ID_incomplete_array || type.id()=="#REF#"
Reason: operand 0 of index expression must be an array

C.binary here:
https://s3.amazonaws.com/cbmc-public-bucket/C.binary

kroening pushed a commit that referenced this issue Aug 21, 2018
tolerate three cases of imprecision in value_set_fi; addresses issue #…
6f1db4a 
…2653
@kroening kroening mentioned this issue Aug 22, 2018
Merged
@kroening
Copy link
Member

The problem with A.binary is fixed with PR #2822.

kroening pushed a commit that referenced this issue Sep 12, 2018
tolerate three cases of imprecision in value_set_fi; addresses issue #…
aa4dfcc 
…2653
kroening pushed a commit that referenced this issue Sep 12, 2018
tolerate three cases of imprecision in value_set_fi; addresses issue #…
6253048 
…2653
polgreen pushed a commit to polgreen/cbmc that referenced this issue Jan 20, 2020
@polgreen
tolerate two cases of imprecision in value_set_fi; addresses issue di…
5466ffd 
…ffblue#2653
tautschnig pushed a commit that referenced this issue Feb 15, 2022
@tautschnig
Tolerate three cases of imprecision in value_set_fi
8368cc1 
Fixes: #2653
tautschnig added a commit that referenced this issue Feb 26, 2022
@tautschnig
Merge pull request #2736 from diffblue/value_set_fi_hacks
a5092cb 
tolerate two cases of imprecision in value_set_fi; addresses issue #2653
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
pending merge
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tautschnig @kroening @polgreen