Malloc should fail on too large allocations

[xbauch]

via goto-checker with a dedicated cmdl option and a property that acknowledges pointer-width and object-size.

• Each commit message has a non-empty body, explaining why the change was made.
• Methods or procedures I have added are documented, following the guidelines provided in CODING_STANDARD.md.
• The feature or user visible behaviour I have added or modified has been documented in the User Guide in doc/cprover-manual/
• Regression or unit tests are included, or existing tests cover the modified code (in this case I have detailed which ones those are in the commit message).
• My commit message includes data points confirming performance improvements (if claimed).
• My PR is restricted to a single feature or bugfix.
• White-space or formatting changes outside the feature-related changed lines are in commits of their own.

[xbauch]

This may fix #4604.

[xbauch]

It seems that we have a few regression tests that call malloc with nondeterministic value (of type size_t) without assuming reasonable upper bound.

[chrisr-diffblue]

Can't the object bits size be changed on the command line with --object-bits ? and if so, this probably needs to accommodate that. Ditto for the hardcoded 64, which would probably be wrong if --32 is specified to cbmc :-)

[xbauch]

I moved the check into goto-checker, i.e. the stdlib.c implemetation is unchanged, we can use the pointer-width and object-bits from config, and the whole thing is behind an option, so it won't affect the existing tests.

[chrisr-diffblue]

It would also be nice to have a test for a size that is 1 byte larger than the maximum CBMC can support, and also for a size that is exactly the same as the largest CBMC can support - just to test the boundary condition.

[xbauch]

Added.

[allredj]

✔️
Passed Diffblue compatibility checks (cbmc commit: 640cdcc).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/143393509

[codecov-io]

Codecov Report

Merging #5210 into develop will decrease coverage by 35.53%.
The diff coverage is 25%.

@@             Coverage Diff              @@
##           develop    #5210       +/-   ##
============================================
- Coverage    67.42%   31.89%   -35.54%     
============================================
  Files         1162      910      -252     
  Lines        95620    79452    -16168     
============================================
- Hits         64476    25338    -39138     
- Misses       31144    54114    +22970

Flag	Coverage Δ
#cproversmt2	?
#regression	?
#unit	31.89% <25%> (-0.01%)	⬇️

Impacted Files	Coverage Δ
src/cbmc/cbmc_parse_options.cpp	13.23% <ø> (-62.42%)	⬇️
src/cbmc/cbmc_parse_options.h	0% <ø> (-100%)	⬇️
src/util/config.h	40% <ø> (-32.73%)	⬇️
src/ansi-c/cprover_library.cpp	0% <0%> (-92.86%)	⬇️
src/cpp/cprover_library.cpp	0% <0%> (-90%)	⬇️
src/ansi-c/ansi_c_internal_additions.cpp	85.71% <100%> (-6.74%)	⬇️
src/util/config.cpp	29.64% <50%> (-26.56%)	⬇️
src/cpp/cpp_typecheck_virtual_table.cpp	0% <0%> (-100%)	⬇️
src/cpp/cpp_name.cpp	0% <0%> (-100%)	⬇️
src/cpp/cpp_enum_type.h	0% <0%> (-100%)	⬇️
... and 887 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 1f2f1fa...195da86. Read the comment docs.

[chrisr-diffblue]

A really tiny nit pick, so feel free to ignore me :-) But I'd personally write this as:

size_t cbmc_max_alloc_size = ((size_t)1 << (pointer_width - object_bits))-1;
int *p2 = malloc(cbmc_max_alloc_size); // try to allocate exactly the max

just so that the variable names really do mean what they say. Ditto for the other test case - but like I say, it's a really minor nit for me to pick...

[chrisr-diffblue]

Is a better name for this option "malloc-size-check" ? Don't have a strong opinion.

[chrisr-diffblue]

Generally looks good to me, and I like that it's moved into goto-check. Apologies for the niggle comments - take them as suggestions, and not absolute requirements.

[allredj]

✔️
Passed Diffblue compatibility checks (cbmc commit: b73f968).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/143440844

[smowton]

object_size -> object_id_width?

[allredj]

✔️
Passed Diffblue compatibility checks (cbmc commit: 0c2c362).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/143549138

[martin-cs]

On Tue, 2020-01-07 at 06:40 -0800, Chris Ryder wrote: Generally looks good to me, and I like that it's moved into goto- check.

I'm not sure I do. Keeping the modelling of malloc in one place, in the library models seems, to me, to be important. Setting CPROVER globals to control max limits, if malloc can fail, etc. seems a more flexible option and keeps all the modelling together.

[danielsn]

It seems that we have a few regression tests that call malloc with nondeterministic value (of type size_t) without assuming reasonable upper bound.

I see two ways to handle malloc(size) where size is too large:

1. assert(size <= MAX_MALLOC_SIZE)
2. if(size > MAX_MALLOC_SIZE) return NULL

[xbauch]

test group	before	after	slowdown
cbmc-CORE	127.9	146.88	1.14839718530102
cbmc-paths-lifo-CORE	159.87	182.46	1.14130230812535
cbmc-library-CORE	19.11	22.46	1.1753008895866
goto-analyzer-CORE	15.89	17.75	1.11705475141598
ansi-c-CORE	70.67	72.89	1.03141361256545
cbmc-cprover-smt2-CORE	143.8	159.32	1.10792767732962
goto-instrument-CORE	67.93	69.95	1.02973649344914
jbmc-CORE	179.93	196.51	1.09214694603457
strings-smoke-tests-CORE	68.95	69.65	1.01015228426396
strings-smoke-tests-symex-driven-lazy-loading-CORE	260.05	300.16	1.15423956931359
jbmc-symex-driven-lazy-loading-CORE	725.48	802.43	1.1060677068975
jbmc-strings-CORE	317.44	327.24	1.03087197580645
jbmc-strings-symex-driven-lazy-loading-CORE	950.72	1018.15	1.07092519353753
total	2053.73	2233.66	1.0876113218388

There is some time regression but the CI is suddenly takes >1800s to compile (before it was ~50s).

[smowton]

That's ccache.

[xbauch]

That's ccache.

Do you mean that it's ccache that's timing out or that the difference between build times is caused by ccache?

[chrisr-diffblue]

Difference in build times, I suspect. Because you've touched a few header files that are reasonably widely included, ccache is going to end up thinking it does actually need to rebuild a lot of things, rather than just pulling them from the cache.

[chrisr-diffblue]

Since the failing Travis job did actually get as far as saving it's ccache, there's a reasonably high (by Travis standards...) that simply re-running the failed job will make it pass.

[xbauch]

Since the failing Travis job did actually get as far as saving it's ccache, there's a reasonably high (by Travis standards...) that simply re-running the failed job will make it pass.

This was my 4th attempt.

[chrisr-diffblue]

:-s Well that sucks...

[chrisr-diffblue]

Looking a little deeper... the previous Travis run had two of the OSX configs timeout... one of those configs got as far as saving its cache, the other didnt. This most recent Travis run has only a single Travis failure - the config that previously timed out before saving it's cache - while the config that did manage to save it's cache has now passed. So I think it is worth one more attempt to re-run the Travis jobs since I think all the configs have now saved updated caches.

[xbauch]

The changes in this PR cause ~7% slow down (the CORE test suite from 1560s to 1674s). It might be avoided if we figured out how to introduce #ifdefs in the library models based on user options. Any ideas @peterschrammel? Is it worth the trouble?