Skip to content

C library: Do not require stdin, stdout, stderr to be initialised #4283

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Feb 27, 2019
Merged

C library: Do not require stdin, stdout, stderr to be initialised #4283

merged 4 commits into from
Feb 27, 2019

Conversation

tautschnig
Copy link
Collaborator

vfprintf and several other library functions dereference a FILE*-typed stream
parameter to make sure pointer checks and bounds checks are triggered. As we do
not set up stdin, stdout, stderr to point to valid FILE-typed objects, make sure
we never attempt such dereferencing if the stream argument is
stdin/stdout/stderr (unless the use of any of those would in itself constitute
an error, as is the case in fseek, for example).

  • Each commit message has a non-empty body, explaining why the change was made.
  • n/a Methods or procedures I have added are documented, following the guidelines provided in CODING_STANDARD.md.
  • n/a The feature or user visible behaviour I have added or modified has been documented in the User Guide in doc/cprover-manual/
  • Regression or unit tests are included, or existing tests cover the modified code (in this case I have detailed which ones those are in the commit message).
  • n/a My commit message includes data points confirming performance improvements (if claimed).
  • My PR is restricted to a single feature or bugfix.
  • White-space or formatting changes outside the feature-related changed lines are in commits of their own.

@tautschnig
C library: Do not require stdin, stdout, stderr to be initialised
80e2aa8 
vfprintf and several other library functions dereference a FILE*-typed stream
parameter to make sure pointer checks and bounds checks are triggered. As we do
not set up stdin, stdout, stderr to point to valid FILE-typed objects, make sure
we never attempt such dereferencing if the stream argument is
stdin/stdout/stderr (unless the use of any of those would in itself constitute
an error, as is the case in fseek, for example).
@tautschnig tautschnig requested a review from kroening as a code owner February 26, 2019 22:00
@tautschnig tautschnig mentioned this pull request Feb 26, 2019
Merged
allredj
allredj reviewed Feb 26, 2019
View reviewed changes
Copy link
Contributor

@allredj allredj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✔️
Passed Diffblue compatibility checks (cbmc commit: 3f1ea29).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/102412913

danielsn
danielsn reviewed Feb 27, 2019
View reviewed changes
src/ansi-c/library/stdio.c Outdated
@@ -379,20 +391,27 @@ int __VERIFIER_nondet_int();

inline int fileno(FILE *stream)
{
// just return nondet
__CPROVER_HIDE:;
// just return nondet
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This comment seems out of place now

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed.

@kroening
Copy link
Member

Should we instead initialize them?
A problem is that otherwise code like

stderr = 0;
fprintf(stderr, ...)

is valid.

kroening
kroening reviewed Feb 27, 2019
View reviewed changes
src/ansi-c/library/stdio.c
return 1;
else if(stream == stderr)
return 2;

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As long as stdin etc. are uninitialised, the above returns may all be executed.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm working on a follow-up PR to initialise them.

kroening
kroening reviewed Feb 27, 2019
View reviewed changes
src/ansi-c/library/stdio.c
(void)*stream;
#else
(void)*(char *)stream;
#endif
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the VCCs get a bit easier if the type matches that of the allocation.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, but that (__linux__ && !__GLIBC__) is the case where FILE remains an incomplete type.

@kroening kroening assigned tautschnig and unassigned kroening Feb 27, 2019
@tautschnig
C library: Constrain the return value of fileno and test it
c02cd78 
The earlier commit made sure it returns 0/1/2 for stdin/stdout/stderr.
@tautschnig
Fix typo: __CPOVER_HIDE -> __CPROVER_HIDE
92a3802 
Note the missing "R".
allredj
allredj reviewed Feb 27, 2019
View reviewed changes
Copy link
Contributor

@allredj allredj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✔️
Passed Diffblue compatibility checks (cbmc commit: 92a3802).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/102475281

@tautschnig tautschnig merged commit 67506ee into diffblue:develop Feb 27, 2019
@tautschnig tautschnig deleted the fprintf branch February 27, 2019 11:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@danielsn danielsn danielsn left review comments

@allredj allredj allredj left review comments

@kroening kroening kroening approved these changes

Assignees

@tautschnig tautschnig

Labels
bugfix C Front End
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@tautschnig @kroening @danielsn @allredj