Skip to content

Flaky behavior for memcpy and struct arrays. #7654

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
gtrepta opened this issue Apr 6, 2023 · 1 comment · Fixed by #7669
Closed

Flaky behavior for memcpy and struct arrays. #7654

gtrepta opened this issue Apr 6, 2023 · 1 comment · Fixed by #7669
Assignees
@tautschnig
Labels
aws Bugs or features of importance to AWS CBMC users aws-high bug pending merge soundness Soundness bug? Review and add "aws" if it is, or remove "soundness" if it isn't.

Comments

@gtrepta
Copy link

gtrepta commented Apr 6, 2023

CBMC version: 5.80.0
Operating system: Ubuntu Focal

main.c:

#include <assert.h>
#include <string.h>

#define SIZE 1

struct s {
  char a1[1];
  unsigned int a2_len;
  char a2[SIZE];
};

void main() {
  struct s s1;
  char buf[SIZE];

  __CPROVER_assume(s1.a2_len <= SIZE);
  memcpy(buf, s1.a2, s1.a2_len);
  assert(memcmp(buf, s1.a2, s1.a2_len)==0);
}

Exact command line resulting in the issue

cbmc --unwind <SIZE+1> main.c

What behaviour did you expect

A successful verification for the memcmp assertion, regardless of the value of SIZE or how the struct members are declared.

What happened instead

The assertions fails. But, for certain values of SIZE (ie. 4), the assertion passes. Or, with the a1 field omitted from the struct declaration, the assertion also passes.
@tautschnig tautschnig self-assigned this Apr 7, 2023
@tautschnig tautschnig added the bug label Apr 7, 2023
@tautschnig
Copy link
Collaborator

Thank you for your bug report. This looks like a bug in our byte-operator flattening. Investigating.

@feliperodri feliperodri added aws Bugs or features of importance to AWS CBMC users aws-high soundness Soundness bug? Review and add "aws" if it is, or remove "soundness" if it isn't. labels Apr 17, 2023
tautschnig added a commit to tautschnig/cbmc that referenced this issue Apr 17, 2023
@tautschnig
Byte-extract lowering: do not blindly use offsets
30e72b7 
When unpacking an array we must not create 0 bytes up until an offset
when the source array can never be as large. Doing so when within a
struct would spuriously produce a larger member.

Fixes: diffblue#7654
@tautschnig tautschnig mentioned this issue Apr 17, 2023
Merged
3 tasks
tautschnig added a commit to tautschnig/cbmc that referenced this issue Apr 18, 2023
@tautschnig
Byte-extract lowering: do not blindly use offsets
d4e61f8 
When unpacking an array we must not create 0 bytes up until an offset
when the source array can never be as large. Doing so when within a
struct would spuriously produce a larger member.

The test case highlighted a problem in the SMT2 back-end: the first
operand of a struct was not correctly flattened and instead used default
expression conversion (which is only ok when the array theory is never
being used). To avoid this problem creeping in again, factor out the
operand conversion into a lambda and invoke that lambda each time.

Fixes: diffblue#7654
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tautschnig tautschnig

Labels
aws Bugs or features of importance to AWS CBMC users aws-high bug pending merge soundness Soundness bug? Review and add "aws" if it is, or remove "soundness" if it isn't.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Byte-extract lowering: do not blindly use offsets tautschnig/cbmc
3 participants
@tautschnig @feliperodri @gtrepta