2021-03-01 23:54 CET

View Issue Details
ID: 0002376
Project: Frama-C
Category: Plug-in > jessie
View Status: public
Last Update: 2018-05-29 12:58
Reporter: foo
Assigned To: cmarche
Priority: normal
Severity: crash
Reproducibility: always
Status: assigned
Resolution: open
Product Version: Frama-C 16-Sulfur
Target Version:
Fixed in Version:
Summary: 0002376: frama-c/jessie crashes with Unexpected error (Cil.SizeOfError("Undefined sizeof on a function.", _)).

Description:

Hi all,

I'm very new to the frama-c and why ecosystem. I hope it's really a bug with frama-c and not jessie.

The C input is:

#include <stdlib.h>

int main(void) {
  char *p = malloc(5);
  p[0] = 4;
  return 3;
}

I'd like to verify that the write to p[0] goes to a valid address.

$ frama-c -val -jessie t.c
[kernel] Parsing t.c (with preprocessing)
[value] Analyzing a complete application starting at main
[value] Computing initial state
[value] Initial state computed
[value:initial-state] Values of globals at initialization
  __fc_random_counter ∈ [--..--]
  __fc_rand_max ∈ {32767}
  __fc_heap_status ∈ [--..--]
  __fc_mblen_state ∈ [--..--]
  __fc_mbtowc_state ∈ [--..--]
  __fc_wctomb_state ∈ [--..--]
t.c:4:[value] allocating variable __malloc_main_l4
t.c:5:[value] warning: out of bounds write. assert \valid(p + 0);
[value] done for function main
[value] ====== VALUES COMPUTED ======
[value:final-states] Values at end of function main:
  __fc_heap_status ∈ [--..--]
  p ∈ {{ &__malloc_main_l4[0] }}
  __retres ∈ {3}
  __malloc_main_l4[0] ∈ {4}
                  [1..4] ∈ UNINITIALIZED
[jessie] Starting Jessie translation
[jessie] warning: \separated is not supported by Jessie. This predicate will be ignored
[kernel] Current source was: FRAMAC_SHARE/libc/stdlib.h:389
    The full backtrace is:
    Raised at file "src/kernel_services/ast_queries/cil.ml", line 5238, characters 9-67
    Called from file "common.ml", line 329, characters 27-46
    Called from file "norm.ml", line 1551, characters 11-55
    Called from file "norm.ml", line 1571, characters 37-71
    Called from file "norm.ml", line 1614, characters 22-47
    Called from file "norm.ml", line 1685, characters 19-43
    Called from file "src/kernel_services/ast_queries/cil.ml", line 2239, characters 15-31
    Called from file "src/kernel_services/ast_queries/cil.ml" (inlined), line 3543, characters 17-35
    Called from file "src/kernel_services/ast_queries/cil.ml", line 3572, characters 12-19
    Called from file "src/kernel_services/ast_queries/cil.ml", line 2278, characters 13-16
    Called from file "src/kernel_services/ast_queries/cil.ml", line 3576, characters 23-50
    Called from file "src/kernel_services/ast_queries/cil.ml", line 2254, characters 21-41
    Called from file "src/kernel_services/ast_queries/cil.ml", line 3613, characters 14-38
    Called from file "src/kernel_services/ast_queries/cil.ml", line 2254, characters 21-41
    Called from file "src/kernel_services/ast_queries/cil.ml", line 3602, characters 5-80
    Called from file "src/kernel_services/ast_queries/cil.ml", line 3840, characters 16-37
    Called from file "src/kernel_services/ast_queries/cil.ml", line 2278, characters 13-16
    Called from file "src/kernel_services/ast_queries/cil.ml", line 2323, characters 24-57
    Called from file "src/kernel_services/ast_queries/cil.ml", line 3808, characters 5-53
    Called from file "src/kernel_services/ast_queries/cil.ml" (inlined), line 6463, characters 17-37
    Called from file "src/kernel_services/ast_queries/cil.ml", line 6468, characters 24-33
    Called from file "src/kernel_services/ast_queries/cil.ml", line 6470, characters 3-20
    Called from file "src/kernel_services/ast_queries/cil.ml", line 2254, characters 21-41
    Called from file "src/kernel_services/ast_queries/cil.ml", line 6487, characters 15-39
    Called from file "common.ml", line 580, characters 2-13
    Called from file "norm.ml", line 1959, characters 2-26
    Called from file "register.ml", line 158, characters 4-23
    Called from file "register.ml", line 278, characters 6-12
    Called from file "src/kernel_services/plugin_entry_points/journal.ml", line 442, characters 19-22
    Re-raised at file "src/kernel_services/plugin_entry_points/journal.ml", line 457, characters 10-17
    Called from file "queue.ml", line 105, characters 6-15
    Called from file "src/kernel_internals/runtime/boot.ml", line 37, characters 4-20
    Called from file "src/kernel_services/cmdline_parameters/cmdline.ml", line 789, characters 2-9
    Called from file "src/kernel_services/cmdline_parameters/cmdline.ml", line 819, characters 18-64
    Called from file "src/kernel_services/cmdline_parameters/cmdline.ml", line 228, characters 4-8
    
    Unexpected error (Cil.SizeOfError("Undefined sizeof on a function.", _)).
    Please report as 'crash' at http://bts.frama-c.com/.
    Your Frama-C version is Sulfur-20171101.
    Note that a version and a backtrace alone often do not contain enough
    information to understand the bug. Guidelines for reporting bugs are at:
    http://bts.frama-c.com/dokuwiki/doku.php?id=mantis:frama-c:bug_reporting_guidelines
[kernel] writing journal in file `./.frama-c/frama_c_journal.ml'.
Additional Information:

I'm using
frama-c Sulfur-20171101
why 2.40
Why3 0.88.3
ocaml 4.06.1
Tags: No tags attached.

Attached Files
  • frama_c_journal.ml (1,565 bytes) 2018-05-29 12:58
    (* Frama-C journal generated at 12:42 the 29/05/2018 *)
    
    exception Unreachable
    exception Exception of string
    
    (* Run the user commands *)
    let run () =
      Dynamic.Parameter.Bool.set "-val" true;
      Dynamic.Parameter.Bool.set "-jessie" true;
      Dynamic.Parameter.String.set "" "t.c";
      File.init_from_cmdline ();
      !Db.Value.compute ();
      let __ = Callgraph.Cg.get () in
      let __ = Callgraph.Cg.get () in
      let __ = Callgraph.Cg.get () in
      begin try
        (* exception Cil.SizeOfError("Undefined sizeof on a function.", _)
             raised on: Applying dynamic functions "run_analysis" of type
                        unit -> unit *)
        Dynamic.get
      ~plugin:"Jessie"
      "run_analysis"
      (Datatype.func Datatype.unit Datatype.unit)
          ();
        raise Unreachable
      with
      | Unreachable as exn -> raise exn
      | exn (* Cil.SizeOfError("Undefined sizeof on a function.", _) *) ->
        (* continuing: *) raise (Exception (Printexc.to_string exn))
      end
    
    (* Main *)
    let main () =
      Journal.keep_file "./.frama-c/frama_c_journal.ml";
      try run ()
      with
      | Unreachable -> Kernel.fatal "Journal reaches an assumed dead code" 
      | Exception s -> Kernel.log "Journal re-raised the exception %S" s
      | exn ->
        Kernel.fatal
          "Journal raised an unexpected exception: %s"
          (Printexc.to_string exn)
    
    (* Registering *)
    let main : unit -> unit =
      Dynamic.register
        ~plugin:"Frama_c_journal.ml"
        "main"
        (Datatype.func Datatype.unit Datatype.unit)
        ~journalize:false
        main
    
    (* Hooking *)
    let () = Cmdline.run_after_loading_stage main; Cmdline.is_going_to_load ()
    
Notes
There are no notes attached to this issue.

Issue History
Date Modified Username Field Change
2018-05-29 12:58 foo New Issue
2018-05-29 12:58 foo Status new => assigned
2018-05-29 12:58 foo Assigned To => cmarche
2018-05-29 12:58 foo File Added: frama_c_journal.ml