Example: pointer_offset_xor_global.c

#include <stdio.h>
#include <inttypes.h>
int x=1; // first global object; main takes its address as p and uses the integer form as the XOR mask
int y=2; // second, distinct global object; main tries to reach it via a pointer rebuilt from integers
int main() { // provenance test: rebuild a pointer to y from XORed integer forms of &x and &y, then store through it
int *p = &x;
int *q = &y;
uintptr_t i = (uintptr_t) p; // integer form of &x
uintptr_t j = (uintptr_t) q; // integer form of &y
uintptr_t k = i ^ j; // XOR of two pointer-derived integers; k is not itself the address of either object
uintptr_t l = k ^ i; // (i ^ j) ^ i: equals j numerically where uintptr_t behaves as a plain integer -- not guaranteed on every target
int *r = (int *)l; // integer-to-pointer conversion: result is implementation-defined (C11 6.3.2.3p5)
// are r and q now equivalent?
*r = 11; // does this have defined behaviour? r was never derived from q by pointer operations, only from integer arithmetic
_Bool b = (r==q); // compares the rebuilt pointer against q (the pointer to y)
printf("x=%i y=%i *r=%i (r==p)=%s\n",x,y,*r, // NOTE(review): the label reads "(r==p)" but the value printed is b, i.e. r==q
b?"true":"false");
}

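Experimental data (what does this mean?)

Each entry names a compiler or analysis-tool configuration, followed by the program's output or the tool's diagnostic. The output field labelled (r==p) actually reports r==q, because the program prints the result of `_Bool b = (r==q)` under that label.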

gcc-8.1-O0 x=1 y=11 *r=11 (r==p)=true
gcc-8.1-O2 x=1 y=11 *r=11 (r==p)=true
gcc-8.1-O3 x=1 y=11 *r=11 (r==p)=true
gcc-8.1-O2-no-strict-aliasing x=1 y=11 *r=11 (r==p)=true
gcc-8.1-O3-no-strict-aliasing x=1 y=11 *r=11 (r==p)=true
clang-6.0-O0 x=1 y=11 *r=11 (r==p)=true
clang-6.0-O2 x=1 y=11 *r=11 (r==p)=true
clang-6.0-O3 x=1 y=11 *r=11 (r==p)=true
clang-6.0-O2-no-strict-aliasing x=1 y=11 *r=11 (r==p)=true
clang-6.0-O3-no-strict-aliasing x=1 y=11 *r=11 (r==p)=true
clang-6.0-UBSAN x=1 y=11 *r=11 (r==p)=true
clang-6.0-ASAN x=1 y=11 *r=11 (r==p)=true
clang-6.0-MSAN x=1 y=11 *r=11 (r==p)=true
icc-19-O0 x=1 y=11 *r=11 (r==p)=true
icc-19-O2 x=1 y=11 *r=11 (r==p)=true
icc-19-O3 x=1 y=11 *r=11 (r==p)=true
icc-19-O2-no-strict-aliasing x=1 y=11 *r=11 (r==p)=true
icc-19-O3-no-strict-aliasing x=1 y=11 *r=11 (r==p)=true
cerberus-concrete BEGIN EXEC[0]
Killed {msg: MerrAccess Store [pointer_offset_xor_global.c:14:3-10] OutOfBoundPtr}
END EXEC[0]
Time spent: 0.020869 seconds
cerberus-symbolic 
gcc-4.9-shadowprov exit codes: compile 0 / execute 134
CHERI:MIPS-O0 x=1 y=11 *r=11 (r==p)=true
CHERI:MIPS-O2 x=1 y=11 *r=11 (r==p)=true
CHERI:MIPS-O2-no-strict-aliasing x=1 y=11 *r=11 (r==p)=true
CHERI:CHERI-O0-uintcap-addr-exact-equals exit codes: compile 0 / execute -1 Terminated with signal 34: In-address space security exception
CHERI:CHERI-O2-uintcap-addr-exact-equals exit codes: compile 0 / execute -1 Terminated with signal 34: In-address space security exception
CHERI:CHERI-O2-no-strict-aliasing-uintcap-addr-exact-equals exit codes: compile 0 / execute -1 Terminated with signal 34: In-address space security exception
CHERI:CHERI-O0-uintcap-offset-exact-equals pointer_offset_xor_global.c:10:19: warning: using xor on a capability type only operates on the offset; consider using vaddr_t if this is used for pointer hashing or explicitly get the offset with __builtin_cheri_offset_get(). [-Wcheri-bitwise-operations]
uintptr_t k = i ^ j;
~ ^ ~
pointer_offset_xor_global.c:11:19: warning: using xor on a capability type only operates on the offset; consider using vaddr_t if this is used for pointer hashing or explicitly get the offset with __builtin_cheri_offset_get(). [-Wcheri-bitwise-operations]
uintptr_t l = k ^ i;
~ ^ ~
2 warnings generated.
x=11 y=2 *r=11 (r==p)=false
CHERI:CHERI-O2-uintcap-offset-exact-equals pointer_offset_xor_global.c:10:19: warning: using xor on a capability type only operates on the offset; consider using vaddr_t if this is used for pointer hashing or explicitly get the offset with __builtin_cheri_offset_get(). [-Wcheri-bitwise-operations]
uintptr_t k = i ^ j;
~ ^ ~
pointer_offset_xor_global.c:11:19: warning: using xor on a capability type only operates on the offset; consider using vaddr_t if this is used for pointer hashing or explicitly get the offset with __builtin_cheri_offset_get(). [-Wcheri-bitwise-operations]
uintptr_t l = k ^ i;
~ ^ ~
2 warnings generated.
x=11 y=2 *r=11 (r==p)=false
CHERI:CHERI-O2-no-strict-aliasing-uintcap-offset-exact-equals pointer_offset_xor_global.c:10:19: warning: using xor on a capability type only operates on the offset; consider using vaddr_t if this is used for pointer hashing or explicitly get the offset with __builtin_cheri_offset_get(). [-Wcheri-bitwise-operations]
uintptr_t k = i ^ j;
~ ^ ~
pointer_offset_xor_global.c:11:19: warning: using xor on a capability type only operates on the offset; consider using vaddr_t if this is used for pointer hashing or explicitly get the offset with __builtin_cheri_offset_get(). [-Wcheri-bitwise-operations]
uintptr_t l = k ^ i;
~ ^ ~
2 warnings generated.
x=11 y=2 *r=11 (r==p)=false
CHERI:CHERI-O0-uintcap-addr exit codes: compile 0 / execute -1 Terminated with signal 34: In-address space security exception
CHERI:CHERI-O2-uintcap-addr exit codes: compile 0 / execute -1 Terminated with signal 34: In-address space security exception
CHERI:CHERI-O2-no-strict-aliasing-uintcap-addr exit codes: compile 0 / execute -1 Terminated with signal 34: In-address space security exception
CHERI:CHERI-O0-uintcap-offset pointer_offset_xor_global.c:10:19: warning: using xor on a capability type only operates on the offset; consider using vaddr_t if this is used for pointer hashing or explicitly get the offset with __builtin_cheri_offset_get(). [-Wcheri-bitwise-operations]
uintptr_t k = i ^ j;
~ ^ ~
pointer_offset_xor_global.c:11:19: warning: using xor on a capability type only operates on the offset; consider using vaddr_t if this is used for pointer hashing or explicitly get the offset with __builtin_cheri_offset_get(). [-Wcheri-bitwise-operations]
uintptr_t l = k ^ i;
~ ^ ~
2 warnings generated.
x=11 y=2 *r=11 (r==p)=false
CHERI:CHERI-O2-uintcap-offset pointer_offset_xor_global.c:10:19: warning: using xor on a capability type only operates on the offset; consider using vaddr_t if this is used for pointer hashing or explicitly get the offset with __builtin_cheri_offset_get(). [-Wcheri-bitwise-operations]
uintptr_t k = i ^ j;
~ ^ ~
pointer_offset_xor_global.c:11:19: warning: using xor on a capability type only operates on the offset; consider using vaddr_t if this is used for pointer hashing or explicitly get the offset with __builtin_cheri_offset_get(). [-Wcheri-bitwise-operations]
uintptr_t l = k ^ i;
~ ^ ~
2 warnings generated.
x=11 y=2 *r=11 (r==p)=false
CHERI:CHERI-O2-no-strict-aliasing-uintcap-offset pointer_offset_xor_global.c:10:19: warning: using xor on a capability type only operates on the offset; consider using vaddr_t if this is used for pointer hashing or explicitly get the offset with __builtin_cheri_offset_get(). [-Wcheri-bitwise-operations]
uintptr_t k = i ^ j;
~ ^ ~
pointer_offset_xor_global.c:11:19: warning: using xor on a capability type only operates on the offset; consider using vaddr_t if this is used for pointer hashing or explicitly get the offset with __builtin_cheri_offset_get(). [-Wcheri-bitwise-operations]
uintptr_t l = k ^ i;
~ ^ ~
2 warnings generated.
x=11 y=2 *r=11 (r==p)=false
RV-Match x=11 y=2 *r=11 (r==p)=false
Conversion from an integer to non-null pointer:
> in main at pointer_offset_xor_global.c:12:3

Implementation defined behavior (IMPL-CCV13):
see C11 section 6.3.2.3:5 http://rvdoc.org/C11/6.3.2.3
see CERT section INT36-C http://rvdoc.org/CERT/INT36-C

ch2o pointer_offset_xor_global.c:2:10: fatal error: inttypes.h: No such file or directory
#include <inttypes.h>
^~~~~~~~~~~~
compilation terminated.
compcert-3.2 x=1 y=11 *r=11 (r==p)=true
compcert-3.2-O x=1 y=11 *r=11 (r==p)=true
compcert-3.2-interp Time 0: calling main()
--[step_internal_function]-->
Time 1: in function main, statement
p = &x;
q = &y;
i = (unsigned int) p;
j = (unsigned int) q;
k = i ^ j;
l = k ^ i;
r = (int *) l;
*r = 11;
b = r == q;
printf(__stringlit_3, x, y, *r, b ? __stringlit_2 : __stringlit_1);
return 0;
--[step_seq]-->
Time 2: in function main, statement
p = &x;
q = &y;
i = (unsigned int) p;
j = (unsigned int) q;
k = i ^ j;
l = k ^ i;
r = (int *) l;
*r = 11;
b = r == q;
printf(__stringlit_3, x, y, *r, b ? __stringlit_2 : __stringlit_1);
--[step_seq]-->
Time 3: in function main, statement p = &x;
--[step_do_1]-->
Time 4: in function main, expression p = &x
--[red_var_local]-->
Time 5: in function main, expression <loc p> = &x
--[red_var_global]-->
Time 6: in function main, expression <loc p> = &<loc x>
--[red_addrof]-->
Time 7: in function main, expression <loc p> = <ptr x>
--[red_assign]-->
Time 8: in function main, expression <ptr x>
--[step_do_2]-->
Time 9: in function main, statement /*skip*/;
--[step_skip_seq]-->
Time 10: in function main, statement
q = &y;
i = (unsigned int) p;
j = (unsigned int) q;
k = i ^ j;
l = k ^ i;
r = (int *) l;
*r = 11;
b = r == q;
printf(__stringlit_3, x, y, *r, b ? __stringlit_2 : __stringlit_1);
--[step_seq]-->
Time 11: in function main, statement q = &y;
--[step_do_1]-->
Time 12: in function main, expression q = &y
--[red_var_local]-->
Time 13: in function main, expression <loc q> = &y
--[red_var_global]-->
Time 14: in function main, expression <loc q> = &<loc y>
--[red_addrof]-->
Time 15: in function main, expression <loc q> = <ptr y>
--[red_assign]-->
Time 16: in function main, expression <ptr y>
--[step_do_2]-->
Time 17: in function main, statement /*skip*/;
--[step_skip_seq]-->
Time 18: in function main, statement
i = (unsigned int) p;
j = (unsigned int) q;
k = i ^ j;
l = k ^ i;
r = (int *) l;
*r = 11;
b = r == q;
printf(__stringlit_3, x, y, *r, b ? __stringlit_2 : __stringlit_1);
--[step_seq]-->
Time 19: in function main, statement i = (unsigned int) p;
--[step_do_1]-->
Time 20: in function main, expression i = (unsigned int) p
--[red_var_local]-->
Time 21: in function main, expression <loc i> = (unsigned int) p
--[red_var_local]-->
Time 22: in function main, expression <loc i> = (unsigned int) <loc p>
--[red_rvalof]-->
Time 23: in function main, expression <loc i> = (unsigned int) <ptr x>
--[red_cast]-->
Time 24: in function main, expression <loc i> = <ptr x>
--[red_assign]-->
Time 25: in function main, expression <ptr x>
--[step_do_2]-->
Time 26: in function main, statement /*skip*/;
--[step_skip_seq]-->
Time 27: in function main, statement
j = (unsigned int) q;
k = i ^ j;
l = k ^ i;
r = (int *) l;
*r = 11;
b = r == q;
printf(__stringlit_3, x, y, *r, b ? __stringlit_2 : __stringlit_1);
--[step_seq]-->
Time 28: in function main, statement j = (unsigned int) q;
--[step_do_1]-->
Time 29: in function main, expression j = (unsigned int) q
--[red_var_local]-->
Time 30: in function main, expression <loc j> = (unsigned int) q
--[red_var_local]-->
Time 31: in function main, expression <loc j> = (unsigned int) <loc q>
--[red_rvalof]-->
Time 32: in function main, expression <loc j> = (unsigned int) <ptr y>
--[red_cast]-->
Time 33: in function main, expression <loc j> = <ptr y>
--[red_assign]-->
Time 34: in function main, expression <ptr y>
--[step_do_2]-->
Time 35: in function main, statement /*skip*/;
--[step_skip_seq]-->
Time 36: in function main, statement
k = i ^ j;
l = k ^ i;
r = (int *) l;
*r = 11;
b = r == q;
printf(__stringlit_3, x, y, *r, b ? __stringlit_2 : __stringlit_1);
--[step_seq]-->
Time 37: in function main, statement k = i ^ j;
--[step_do_1]-->
Time 38: in function main, expression k = i ^ j
--[red_var_local]-->
Time 39: in function main, expression <loc k> = i ^ j
--[red_var_local]-->
Time 40: in function main, expression <loc k> = <loc i> ^ j
--[red_rvalof]-->
Time 41: in function main, expression <loc k> = <ptr x> ^ j
--[red_var_local]-->
Time 42: in function main, expression <loc k> = <ptr x> ^ <loc j>
--[red_rvalof]-->
Time 43: in function main, expression <loc k> = <ptr x> ^ <ptr y>
Stuck state: in function main, expression <loc k> = <ptr x> ^ <ptr y>
Stuck subexpression: <ptr x> ^ <ptr y>
ERROR: Undefined behavior
In file included from pointer_offset_xor_global.c:1:
In file included from /usr/include/stdio.h:64:
In file included from /usr/include/_stdio.h:68:
/usr/include/sys/cdefs.h:81:2: warning: "Unsupported compiler detected" [-W#warnings]
#warning "Unsupported compiler detected"
^
1 warning generated.