Skip to content

Pointer overflow checks should detect overflow in offset multiplication #6633

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Feb 6, 2022
Merged

Pointer overflow checks should detect overflow in offset multiplication #6633

merged 4 commits into from
Feb 6, 2022

Conversation

tautschnig
Copy link
Collaborator

Pointer arithmetic requires multiplication of the offset by the size of
the base type (for any base type larger than 1 byte). Such a
multiplication isn't introduced until the back-end, where no opportunity
for adding properties exists anymore. Therefore, synthesize the
multiplication to generate arithmetic overflow checks at the GOTO level.

Fixes: #6631

  • Each commit message has a non-empty body, explaining why the change was made.
  • n/a Methods or procedures I have added are documented, following the guidelines provided in CODING_STANDARD.md.
  • n/a The feature or user visible behaviour I have added or modified has been documented in the User Guide in doc/cprover-manual/
  • Regression or unit tests are included, or existing tests cover the modified code (in this case I have detailed which ones those are in the commit message).
  • n/a My commit message includes data points confirming performance improvements (if claimed).
  • My PR is restricted to a single feature or bugfix.
  • n/a White-space or formatting changes outside the feature-related changed lines are in commits of their own.

@tautschnig tautschnig self-assigned this Feb 2, 2022
@tautschnig tautschnig force-pushed the bugfixes/pointer-arith-overflow branch from 5980b0e to 81276c2 Compare February 3, 2022 08:42
@tautschnig tautschnig marked this pull request as ready for review February 3, 2022 08:42
@tautschnig tautschnig force-pushed the bugfixes/pointer-arith-overflow branch 2 times, most recently from 5204303 to 2a0230e Compare February 3, 2022 12:29
@tautschnig tautschnig mentioned this pull request Feb 3, 2022
Merged
3 tasks
@codecov
Copy link

codecov bot commented Feb 3, 2022
edited
Loading

Codecov Report

Merging #6633 (419837e) into develop (b17a993) will increase coverage by 0.00%.
The diff coverage is 100.00%.

Impacted file tree graph

@@           Coverage Diff            @@
##           develop    #6633   +/-   ##
========================================
  Coverage    76.72%   76.72%           
========================================
  Files         1579     1579           
  Lines       181938   181953   +15     
========================================
+ Hits        139587   139602   +15     
  Misses       42351    42351
Impacted Files Coverage Δ
src/analyses/goto_check_c.cpp 90.79% <100.00%> (+0.15%) ⬆️
src/goto-instrument/cover_basic_blocks.cpp 90.76% <100.00%> (+0.07%) ⬆️
src/linking/static_lifetime_init.cpp 98.63% <100.00%> (-0.06%) ⬇️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update bfdbce9...419837e. Read the comment docs.

@tautschnig tautschnig force-pushed the bugfixes/pointer-arith-overflow branch 6 times, most recently from 35d46f3 to 6d9219d Compare February 3, 2022 18:13
chris-ryder
chris-ryder approved these changes Feb 5, 2022
View reviewed changes
src/analyses/goto_check_c.cpp Outdated
///
/// A flag's initial value (before any `set_flag` or `disable_flag`) is restored
/// when the entire object goes out of scope.
class flag_resett
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I realise this is just code you've moved, but just wondering about the naming of this class (sorry...) Conceptually what this class is really about is less about "resetting" a flag, and more about introducing a "scope" for the flag? So maybe call it something like flag_scopet ? or flag_overridet ? One for a later PR though.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good call, I think flag_overridet is the best match for what it does. I've inserted a commit to do the renaming.

@chris-ryder chris-ryder removed their assignment Feb 5, 2022
tautschnig and others added 4 commits February 5, 2022 21:27
@tautschnig
Move flag_resett class to the top to enable use in other methods
1144e48 
No changes in behaviour, just code motion. Upcoming commits will use
this class in `check_rec`.
@tautschnig
flag_resett: use source_locationt, no need for full instruction
d5e2a49 
There isn't any use of fields other than the instruction's source
location, so take just that. Also use `as_string()` instead of
`pretty()` for more nicely formatted error reporting.
@tautschnig @chrisr-diffblue
Rename flag_resett to flag_overridet to be match its behaviour
9719755 
This class no longer is confined to resetting flags, but now has
additional override capabilities.

Co-authored-by: Chris Ryder <[email protected]>
@tautschnig
Pointer overflow checks should detect overflow in offset multiplication
419837e 
Pointer arithmetic requires multiplication of the offset by the size of
the base type (for any base type larger than 1 byte). Such a
multiplication isn't introduced until the back-end, where no opportunity
for adding properties exists anymore. Therefore, synthesize the
multiplication to generate arithmetic overflow checks at the GOTO level.

Fixes: diffblue#6631
@tautschnig tautschnig force-pushed the bugfixes/pointer-arith-overflow branch from 6d9219d to 419837e Compare February 5, 2022 21:31
chris-ryder
chris-ryder approved these changes Feb 6, 2022
View reviewed changes
Copy link

@chris-ryder chris-ryder left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Re-asserting my approval after the extra rename commit, thanks :-)

@tautschnig tautschnig merged commit 8b7bed6 into diffblue:develop Feb 6, 2022
@tautschnig tautschnig deleted the bugfixes/pointer-arith-overflow branch February 6, 2022 22:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chris-ryder chris-ryder chris-ryder approved these changes

@martin-cs martin-cs Awaiting requested review from martin-cs martin-cs is a code owner

@peterschrammel peterschrammel Awaiting requested review from peterschrammel peterschrammel is a code owner

Assignees

@tautschnig tautschnig

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Corner case in pointer-overflow-check
4 participants
@tautschnig @chris-ryder @peterschrammel @martin-cs