View Issue Details [ Jump to Notes ] | [ Issue History ] [ Print ] |
ID | Project | Category | View Status | Date Submitted | Last Update |
0002252 | Frama-C | Plug-in > E-ACSL | public | 2016-10-14 17:37 | 2017-05-31 19:05 |
|
Reporter | kvorobyov | |
Assigned To | signoles | |
Priority | normal | Severity | minor | Reproducibility | always |
Status | closed | Resolution | fixed | |
Platform | | OS | Gentoo | OS Version | |
Product Version | Frama-C GIT, precise the release id | |
Target Version | Frama-C GIT, precise the release id | Fixed in Version | Frama-C 15-Phosphorus | |
|
Summary | 0002252: GMP typing issue |
Description | In the below snippet
1 int i = -1;
2 ...
3 /*@ assert rte: mem_access: \valid_read(srcbuf+i); */
4 if ((int)*(srcbuf + i) == (int)ch)
5 loc = i;
a buffer overflow occurs because of the initial negative value of i, however, assertion generated by E-ACSL features the following line:
__e_acsl_valid_read((void *)(srcbuf + (unsigned long)i), sizeof(char));
which casts i to an unsigned integer and further make the assertion wrongly pass. See the attached code for a more complete example. The code is taken from the ITC toyota benchmark.
|
Tags | No tags attached. |
|
Attached Files | bts2252.c [^] (470 bytes) 2017-01-25 16:40 [Show Content] [Hide Content]/* run.config
COMMENT: bts #2252, failures due to typing of offsets
*/
#include <stdlib.h>
int main() {
char* srcbuf="Test Code";
int i, loc = 1;
char * destbuf = (char*)malloc(10*sizeof(char));
char ch = 'o';
if(destbuf!=NULL) {
for (i = -1; i < 10; i++) {
/*@ assert \valid_read(srcbuf + i); */
if(srcbuf[i]==ch) { /* ERROR: Buffer Underrun */
loc=i;
}
}
strncpy(&destbuf[loc], &srcbuf[loc], 1);
free(destbuf);
}
}
|
|