Skip to content

Corner case in pointer-overflow-check #6631

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
danielsn opened this issue Feb 2, 2022 · 0 comments · Fixed by #6633
Closed

Corner case in pointer-overflow-check #6631

danielsn opened this issue Feb 2, 2022 · 0 comments · Fixed by #6633
Labels
aws Bugs or features of importance to AWS CBMC users aws-high pending merge soundness Soundness bug? Review and add "aws" if it is, or remove "soundness" if it isn't.

Comments

@danielsn
Copy link
Contributor

danielsn commented Feb 2, 2022

CBMC version: 5.48
Operating system: OSX
Exact command line resulting in the issue: cbmc --pointer-overflow-check test.c
What behaviour did you expect: Overflow detected
What happened instead:

╰─$ cbmc --pointer-overflow-check test.c
CBMC version 5.48.0 (cbmc-5.48.0) 64-bit x86_64 macos
Parsing test.c
Converting
Type-checking test
Generating GOTO Program
Adding CPROVER library (x86_64)
Removal of function pointers and virtual functions
Generic Property Instrumentation
Running with 8 object bits, 56 offset bits (default)
Starting Bounded Model Checking
Runtime Symex: 0.00214797s
size of program expression: 45 steps
simple slicing removed 0 assignments
Generated 2 VCC(s), 0 remaining after simplification
Runtime Postprocess Equation: 2.109e-05s

** Results:
test.c function main
[main.pointer_arithmetic.1] line 7 pointer arithmetic: dead object in p + 9223372036854775807l: SUCCESS
[main.pointer_arithmetic.2] line 7 pointer arithmetic: pointer outside object bounds in p + 9223372036854775807l: SUCCESS

** 0 of 2 failed (1 iterations)
VERIFICATION SUCCESSFUL

#include <limits.h>
#include <stdint.h>

int main() {
    int i[5];
    int*p = &i[1]; // Spurious success. Change to any other offset to get the expected fail
    int*q = p + SSIZE_MAX;
}
@danielsn danielsn added aws Bugs or features of importance to AWS CBMC users aws-high labels Feb 2, 2022
@danielsn danielsn mentioned this issue Feb 2, 2022
Closed
@danielsn danielsn added the soundness Soundness bug? Review and add "aws" if it is, or remove "soundness" if it isn't. label Feb 2, 2022
@danielsn danielsn mentioned this issue Feb 2, 2022
Merged
4 tasks
tautschnig added a commit to tautschnig/cbmc that referenced this issue Feb 2, 2022
@tautschnig
Pointer overflow checks should detect overflow in offset multiplication
5980b0e 
Pointer arithmetic requires multiplication of the offset by the size of
the base type (for any base type larger than 1 byte). Such a
multiplication isn't introduced until the back-end, where no opportunity
for adding properties exists anymore. Therefore, synthesize the
multiplication to generate arithmetic overflow checks at the GOTO level.

Fixes: diffblue#6631
@tautschnig tautschnig mentioned this issue Feb 2, 2022
Merged
3 tasks
tautschnig added a commit to tautschnig/cbmc that referenced this issue Feb 3, 2022
@tautschnig
Pointer overflow checks should detect overflow in offset multiplication
81276c2 
Pointer arithmetic requires multiplication of the offset by the size of
the base type (for any base type larger than 1 byte). Such a
multiplication isn't introduced until the back-end, where no opportunity
for adding properties exists anymore. Therefore, synthesize the
multiplication to generate arithmetic overflow checks at the GOTO level.

Fixes: diffblue#6631
tautschnig added a commit to tautschnig/cbmc that referenced this issue Feb 3, 2022
@tautschnig
Pointer overflow checks should detect overflow in offset multiplication
5204303 
Pointer arithmetic requires multiplication of the offset by the size of
the base type (for any base type larger than 1 byte). Such a
multiplication isn't introduced until the back-end, where no opportunity
for adding properties exists anymore. Therefore, synthesize the
multiplication to generate arithmetic overflow checks at the GOTO level.

Fixes: diffblue#6631
tautschnig added a commit to tautschnig/cbmc that referenced this issue Feb 3, 2022
@tautschnig
Pointer overflow checks should detect overflow in offset multiplication
2a0230e 
Pointer arithmetic requires multiplication of the offset by the size of
the base type (for any base type larger than 1 byte). Such a
multiplication isn't introduced until the back-end, where no opportunity
for adding properties exists anymore. Therefore, synthesize the
multiplication to generate arithmetic overflow checks at the GOTO level.

Fixes: diffblue#6631
@tautschnig tautschnig mentioned this issue Feb 3, 2022
Closed
tautschnig added a commit to tautschnig/cbmc that referenced this issue Feb 3, 2022
@tautschnig
Pointer overflow checks should detect overflow in offset multiplication
f59f341 
Pointer arithmetic requires multiplication of the offset by the size of
the base type (for any base type larger than 1 byte). Such a
multiplication isn't introduced until the back-end, where no opportunity
for adding properties exists anymore. Therefore, synthesize the
multiplication to generate arithmetic overflow checks at the GOTO level.

Fixes: diffblue#6631
tautschnig added a commit to tautschnig/cbmc that referenced this issue Feb 3, 2022
@tautschnig
Pointer overflow checks should detect overflow in offset multiplication
89a5356 
Pointer arithmetic requires multiplication of the offset by the size of
the base type (for any base type larger than 1 byte). Such a
multiplication isn't introduced until the back-end, where no opportunity
for adding properties exists anymore. Therefore, synthesize the
multiplication to generate arithmetic overflow checks at the GOTO level.

Fixes: diffblue#6631
tautschnig added a commit to tautschnig/cbmc that referenced this issue Feb 3, 2022
@tautschnig
Pointer overflow checks should detect overflow in offset multiplication
1f62033 
Pointer arithmetic requires multiplication of the offset by the size of
the base type (for any base type larger than 1 byte). Such a
multiplication isn't introduced until the back-end, where no opportunity
for adding properties exists anymore. Therefore, synthesize the
multiplication to generate arithmetic overflow checks at the GOTO level.

Fixes: diffblue#6631
tautschnig added a commit to tautschnig/cbmc that referenced this issue Feb 3, 2022
@tautschnig
Pointer overflow checks should detect overflow in offset multiplication
52228a5 
Pointer arithmetic requires multiplication of the offset by the size of
the base type (for any base type larger than 1 byte). Such a
multiplication isn't introduced until the back-end, where no opportunity
for adding properties exists anymore. Therefore, synthesize the
multiplication to generate arithmetic overflow checks at the GOTO level.

Fixes: diffblue#6631
tautschnig added a commit to tautschnig/cbmc that referenced this issue Feb 3, 2022
@tautschnig
Pointer overflow checks should detect overflow in offset multiplication
35d46f3 
Pointer arithmetic requires multiplication of the offset by the size of
the base type (for any base type larger than 1 byte). Such a
multiplication isn't introduced until the back-end, where no opportunity
for adding properties exists anymore. Therefore, synthesize the
multiplication to generate arithmetic overflow checks at the GOTO level.

Fixes: diffblue#6631
tautschnig added a commit to tautschnig/cbmc that referenced this issue Feb 3, 2022
@tautschnig
Pointer overflow checks should detect overflow in offset multiplication
6d9219d 
Pointer arithmetic requires multiplication of the offset by the size of
the base type (for any base type larger than 1 byte). Such a
multiplication isn't introduced until the back-end, where no opportunity
for adding properties exists anymore. Therefore, synthesize the
multiplication to generate arithmetic overflow checks at the GOTO level.

Fixes: diffblue#6631
tautschnig added a commit to tautschnig/cbmc that referenced this issue Feb 5, 2022
@tautschnig
Pointer overflow checks should detect overflow in offset multiplication
419837e 
Pointer arithmetic requires multiplication of the offset by the size of
the base type (for any base type larger than 1 byte). Such a
multiplication isn't introduced until the back-end, where no opportunity
for adding properties exists anymore. Therefore, synthesize the
multiplication to generate arithmetic overflow checks at the GOTO level.

Fixes: diffblue#6631
@zhassan-aws zhassan-aws mentioned this issue Mar 16, 2022
Merged
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
aws Bugs or features of importance to AWS CBMC users aws-high pending merge soundness Soundness bug? Review and add "aws" if it is, or remove "soundness" if it isn't.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Pointer overflow checks should detect overflow in offset multiplication tautschnig/cbmc
2 participants
@tautschnig @danielsn