Example: provenance_basic_mixed_global_offset+4.c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <inttypes.h>
int y = 2, x=1;
int main() {
intptr_t ux = (intptr_t)&x;
intptr_t uy = (intptr_t)&y;
intptr_t offset = 4;
printf("Addresses: &x=%"PRIiPTR" &y=%"PRIiPTR\
"\n",ux,uy);
int *q = &y;
if (q != NULL) {
int *p = (int *)(ux + offset);
if (memcmp(&p, &q, sizeof(p)) == 0) {
*p = 11; // does this have undefined behaviour?
printf("x=%d y=%d *p=%d *q=%d\n",x,y,*p,*q);
}
}
}
[link to test in Cerberus and Compiler Explorer]
Experimental data (what does this mean?)
gcc-8.1-O0 |   | Addresses: &x=6294116 &y=6294112
|
gcc-8.1-O2 |   | Addresses: &x=6293960 &y=6293964 x=1 y=2 *p=11 *q=2
|
gcc-8.1-O3 |   | Addresses: &x=6293960 &y=6293964 x=1 y=2 *p=11 *q=2
|
gcc-8.1-O2-no-strict-aliasing |   | Addresses: &x=6293960 &y=6293964 x=1 y=2 *p=11 *q=2
|
gcc-8.1-O3-no-strict-aliasing |   | Addresses: &x=6293960 &y=6293964 x=1 y=2 *p=11 *q=2
|
clang-6.0-O0 |   | Addresses: &x=6295612 &y=6295608
|
clang-6.0-O2 |   | Addresses: &x=6295612 &y=6295608
|
clang-6.0-O3 |   | Addresses: &x=6295612 &y=6295608
|
clang-6.0-O2-no-strict-aliasing |   | Addresses: &x=6295612 &y=6295608
|
clang-6.0-O3-no-strict-aliasing |   | Addresses: &x=6295612 &y=6295608
|
clang-6.0-UBSAN |   | Addresses: &x=6495060 &y=6495056
|
clang-6.0-ASAN |   | Addresses: &x=7433120 &y=7433056
|
clang-6.0-MSAN |   | Addresses: &x=7043828 &y=7043824
|
icc-19-O0 |   | Addresses: &x=6294404 &y=6294400
|
icc-19-O2 |   | Addresses: &x=6309572 &y=6309568
|
icc-19-O3 |   | Addresses: &x=6309572 &y=6309568
|
icc-19-O2-no-strict-aliasing |   | Addresses: &x=6309572 &y=6309568
|
icc-19-O3-no-strict-aliasing |   | Addresses: &x=6309572 &y=6309568
|
cerberus-concrete |   | BEGIN EXEC[0] Defined {value: "Specified(0)", stdout: "Addresses: &x=80 &y=76\n", blocked: "false"} END EXEC[0] Time spent: 0.041490 seconds
|
cerberus-symbolic |   | BEGIN EXEC[0] Undefined [other_location(Core parser)]{id: [DUMMY(rev_listFromStr_aux)]} END EXEC[0] Time spent: 0.111844 seconds
|
gcc-4.9-shadowprov |   | exit codes: compile 0 / execute 134
|
CHERI:MIPS-O0 |   | Addresses: &x=196644 &y=196640
|
CHERI:MIPS-O2 |   | Addresses: &x=196644 &y=196640
|
CHERI:MIPS-O2-no-strict-aliasing |   | Addresses: &x=196644 &y=196640
|
CHERI:CHERI-O0-uintcap-addr-exact-equals |   | Addresses: &x=0 &y=0
|
CHERI:CHERI-O2-uintcap-addr-exact-equals |   | Addresses: &x=0 &y=0
|
CHERI:CHERI-O2-no-strict-aliasing-uintcap-addr-exact-equals |   | Addresses: &x=0 &y=0
|
CHERI:CHERI-O0-uintcap-offset-exact-equals |   | Addresses: &x=0 &y=0
|
CHERI:CHERI-O2-uintcap-offset-exact-equals |   | Addresses: &x=0 &y=0
|
CHERI:CHERI-O2-no-strict-aliasing-uintcap-offset-exact-equals |   | Addresses: &x=0 &y=0
|
CHERI:CHERI-O0-uintcap-addr |   | Addresses: &x=0 &y=0
|
CHERI:CHERI-O2-uintcap-addr |   | Addresses: &x=0 &y=0
|
CHERI:CHERI-O2-no-strict-aliasing-uintcap-addr |   | Addresses: &x=0 &y=0
|
CHERI:CHERI-O0-uintcap-offset |   | Addresses: &x=0 &y=0
|
CHERI:CHERI-O2-uintcap-offset |   | Addresses: &x=0 &y=0
|
CHERI:CHERI-O2-no-strict-aliasing-uintcap-offset |   | Addresses: &x=0 &y=0
|
RV-Match |   | Addresses: &x=0 &y=0 x=1 y=2 *p=0 *q=2 Printing an unspecified value: > in printf at provenance_basic_mixed_global_offset+4.c:10:3 in main at provenance_basic_mixed_global_offset+4.c:10:3
Unspecified value or behavior (USP-STDIO2): see C11 section 7.21.6.1:8 http://rvdoc.org/C11/7.21.6.1
Conversion from an integer to non-null pointer: > in main at provenance_basic_mixed_global_offset+4.c:14:5
Implementation defined behavior (IMPL-CCV13): see C11 section 6.3.2.3:5 http://rvdoc.org/C11/6.3.2.3 see CERT section INT36-C http://rvdoc.org/CERT/INT36-C
Comparison of unspecified value: > in memcmp at /opt/rv-match/c-semantics/x86_64-linux-gcc-glibc/src/string.c:180:13 in main at provenance_basic_mixed_global_offset+4.c:15:5
Unspecified value or behavior (USP-CERL7): see C11 section 6.5.9 http://rvdoc.org/C11/6.5.9 see MISRA-C section 8.1:3 http://rvdoc.org/MISRA-C/8.1
Dereferencing a pointer past the end of an array: > in main at provenance_basic_mixed_global_offset+4.c:16:7
Undefined behavior (UB-CER4): see C11 section 6.5.6:8 http://rvdoc.org/C11/6.5.6 see C11 section J.2:1 items 47 and 49 http://rvdoc.org/C11/J.2 see CERT-C section ARR30-C http://rvdoc.org/CERT-C/ARR30-C see CERT-C section ARR37-C http://rvdoc.org/CERT-C/ARR37-C see CERT-C section STR31-C http://rvdoc.org/CERT-C/STR31-C see MISRA-C section 8.18:1 http://rvdoc.org/MISRA-C/8.18 see MISRA-C section 8.1:3 http://rvdoc.org/MISRA-C/8.1
Trying to write outside the bounds of an object: > in main at provenance_basic_mixed_global_offset+4.c:16:7
Undefined behavior (UB-EIO2): see C11 section 6.5.6:8 http://rvdoc.org/C11/6.5.6 see C11 section J.2:1 items 47 and 49 http://rvdoc.org/C11/J.2 see CERT-C section ARR30-C http://rvdoc.org/CERT-C/ARR30-C see CERT-C section ARR37-C http://rvdoc.org/CERT-C/ARR37-C see CERT-C section MEM35-C http://rvdoc.org/CERT-C/MEM35-C see CERT-C section STR31-C http://rvdoc.org/CERT-C/STR31-C see MISRA-C section 8.1:3 http://rvdoc.org/MISRA-C/8.1
Dereferencing a pointer past the end of an array: > in main at provenance_basic_mixed_global_offset+4.c:17:7
Undefined behavior (UB-CER4): see C11 section 6.5.6:8 http://rvdoc.org/C11/6.5.6 see C11 section J.2:1 items 47 and 49 http://rvdoc.org/C11/J.2 see CERT-C section ARR30-C http://rvdoc.org/CERT-C/ARR30-C see CERT-C section ARR37-C http://rvdoc.org/CERT-C/ARR37-C see CERT-C section STR31-C http://rvdoc.org/CERT-C/STR31-C see MISRA-C section 8.18:1 http://rvdoc.org/MISRA-C/8.18 see MISRA-C section 8.1:3 http://rvdoc.org/MISRA-C/8.1
Reading outside the bounds of an object: > in main at provenance_basic_mixed_global_offset+4.c:17:7
Undefined behavior (UB-EIO7): see C11 section 6.3.2.1:1 http://rvdoc.org/C11/6.3.2.1 see C11 section J.2:1 item 19 http://rvdoc.org/C11/J.2 see CERT-C section ARR30-C http://rvdoc.org/CERT-C/ARR30-C see CERT-C section ARR37-C http://rvdoc.org/CERT-C/ARR37-C see CERT-C section STR31-C http://rvdoc.org/CERT-C/STR31-C see CERT-C section STR32-C http://rvdoc.org/CERT-C/STR32-C see MISRA-C section 8.1:3 http://rvdoc.org/MISRA-C/8.1
|
ch2o |   | In file included from /usr/local/Cellar/gcc/7.3.0_1/lib/gcc/7/gcc/x86_64-apple-darwin17.3.0/7.3.0/include/stdint.h:9:0, from provenance_basic_mixed_global_offset+4.c:3: /usr/local/Cellar/gcc/7.3.0_1/lib/gcc/7/gcc/x86_64-apple-darwin17.3.0/7.3.0/include-fixed/stdint.h:27:10: fatal error: sys/_types/_int8_t.h: No such file or directory #include <sys/_types/_int8_t.h> ^~~~~~~~~~~~~~~~~~~~~~ compilation terminated.
|
compcert-3.2 |   | Addresses: &x=6295620 &y=6295616
|
compcert-3.2-O |   | Addresses: &x=6295620 &y=6295616
|
compcert-3.2-interp |   | Time 0: calling main() --[step_internal_function]--> Time 1: in function main, statement ux = (int) &x; uy = (int) &y; offset = 4; printf(__stringlit_1, ux, uy); q = &y; if (q != (void *) 0) { p = (int *) (ux + offset); if (memcmp(&., &., sizeof(int *)) == 0) { *p = 11; printf(__stringlit_2, x, y, *., *.); } } return 0; --[step_seq]--> Time 2: in function main, statement ux = (int) &x; uy = (int) &y; offset = 4; printf(__stringlit_1, ux, uy); q = &y; if (q != (void *) 0) { p = (int *) (ux + offset); if (memcmp(&., &., sizeof(int *)) == 0) { *p = 11; printf(__stringlit_2, x, y, *., *.); } } --[step_seq]--> Time 3: in function main, statement ux = (int) &x; --[step_do_1]--> Time 4: in function main, expression ux = (int) &x --[red_var_local]--> Time 5: in function main, expression <loc ux> = (int) &x --[red_var_global]--> Time 6: in function main, expression <loc ux> = (int) &<loc x> --[red_addrof]--> Time 7: in function main, expression <loc ux> = (int) <ptr x> --[red_cast]--> Time 8: in function main, expression <loc ux> = <ptr x> --[red_assign]--> Time 9: in function main, expression <ptr x> --[step_do_2]--> Time 10: in function main, statement /*skip*/; --[step_skip_seq]--> Time 11: in function main, statement uy = (int) &y; offset = 4; printf(__stringlit_1, ux, uy); q = &y; if (q != (void *) 0) { p = (int *) (ux + offset); if (memcmp(&., &., sizeof(int *)) == 0) { *p = 11; printf(__stringlit_2, x, y, *., *.); } } --[step_seq]--> Time 12: in function main, statement uy = (int) &y; --[step_do_1]--> Time 13: in function main, expression uy = (int) &y --[red_var_local]--> Time 14: in function main, expression <loc uy> = (int) &y --[red_var_global]--> Time 15: in function main, expression <loc uy> = (int) &<loc y> --[red_addrof]--> Time 16: in function main, expression <loc uy> = (int) <ptr y> --[red_cast]--> Time 17: in function main, expression <loc uy> = <ptr y> --[red_assign]--> Time 18: in function main, expression <ptr y> --[step_do_2]--> Time 19: in function main, statement /*skip*/; --[step_skip_seq]--> Time 20: in function main, statement offset = 4; printf(__stringlit_1, ux, uy); q = &y; if (q != (void *) 0) { p = (int *) (ux + offset); if (memcmp(&., &., sizeof(int *)) == 0) { *p = 11; printf(__stringlit_2, x, y, *., *.); } } --[step_seq]--> Time 21: in function main, statement offset = 4; --[step_do_1]--> Time 22: in function main, expression offset = 4 --[red_var_local]--> Time 23: in function main, expression <loc offset> = 4 --[red_assign]--> Time 24: in function main, expression 4 --[step_do_2]--> Time 25: in function main, statement /*skip*/; --[step_skip_seq]--> Time 26: in function main, statement printf(__stringlit_1, ux, uy); q = &y; if (q != (void *) 0) { p = (int *) (ux + offset); if (memcmp(&., &., sizeof(int *)) == 0) { *p = 11; printf(__stringlit_2, x, y, *., *.); } } --[step_seq]--> Time 27: in function main, statement printf(__stringlit_1, ux, uy); --[step_do_1]--> Time 28: in function main, expression printf(__stringlit_1, ux, uy) --[red_var_global]--> Time 29: in function main, expression printf(<loc __stringlit_1>, ux, uy) --[red_rvalof]--> Time 30: in function main, expression printf(<ptr __stringlit_1>, ux, uy) --[red_var_local]--> Time 31: in function main, expression printf(<ptr __stringlit_1>, <loc ux>, uy) --[red_rvalof]--> Time 32: in function main, expression printf(<ptr __stringlit_1>, <ptr x>, uy) --[red_var_local]--> Time 33: in function main, expression printf(<ptr __stringlit_1>, <ptr x>, <loc uy>) --[red_rvalof]--> Time 34: in function main, expression printf(<ptr __stringlit_1>, <ptr x>, <ptr y>) Addresses: &x=<int argument expected> &y=<int argument expected>
Time 34: observable event: extcall printf(& __stringlit_1, & x, & y) -> 65 --[red_builtin]--> Time 35: in function main, expression 65 --[step_do_2]--> Time 36: in function main, statement /*skip*/; --[step_skip_seq]--> Time 37: in function main, statement q = &y; if (q != (void *) 0) { p = (int *) (ux + offset); if (memcmp(&., &., sizeof(int *)) == 0) { *p = 11; printf(__stringlit_2, x, y, *., *.); } } --[step_seq]--> Time 38: in function main, statement q = &y; --[step_do_1]--> Time 39: in function main, expression q = &y --[red_var_local]--> Time 40: in function main, expression <loc q> = &y --[red_var_global]--> Time 41: in function main, expression <loc q> = &<loc y> --[red_addrof]--> Time 42: in function main, expression <loc q> = <ptr y> --[red_assign]--> Time 43: in function main, expression <ptr y> --[step_do_2]--> Time 44: in function main, statement /*skip*/; --[step_skip_seq]--> Time 45: in function main, statement if (q != (void *) 0) { p = (int *) (ux + offset); if (memcmp(&., &., sizeof(int *)) == 0) { *p = 11; printf(__stringlit_2, x, y, *., *.); } } --[step_ifthenelse_1]--> Time 46: in function main, expression q != (void *) 0 --[red_var_local]--> Time 47: in function main, expression <loc q> != (void *) 0 --[red_rvalof]--> Time 48: in function main, expression <ptr y> != (void *) 0 --[red_cast]--> Time 49: in function main, expression <ptr y> != 0 --[red_binop]--> Time 50: in function main, expression 1 --[step_ifthenelse_2]--> Time 51: in function main, statement p = (int *) (ux + offset); if (memcmp(&p, &q, sizeof(int *)) == 0) { *p = 11; printf(__stringlit_2, x, y, *., *.); } --[step_seq]--> Time 52: in function main, statement p = (int *) (ux + offset); --[step_do_1]--> Time 53: in function main, expression p = (int *) (ux + offset) --[red_var_local]--> Time 54: in function main, expression <loc p> = (int *) (ux + offset) --[red_var_local]--> Time 55: in function main, expression <loc p> = (int *) (<loc ux> + offset) --[red_rvalof]--> Time 56: in function main, expression <loc p> = (int *) (<ptr x> + offset) --[red_var_local]--> Time 57: in function main, expression <loc p> = (int *) (<ptr x> + <loc offset>) --[red_rvalof]--> Time 58: in function main, expression <loc p> = (int *) (<ptr x> + 4) Stuck state: in function main, expression <loc p> = (int *) (<ptr x> + 4) Stuck subexpression: <ptr x> + 4 ERROR: Undefined behavior In file included from provenance_basic_mixed_global_offset+4.c:1: In file included from /usr/include/stdio.h:64: In file included from /usr/include/_stdio.h:68: /usr/include/sys/cdefs.h:81:2: warning: "Unsupported compiler detected" [-W#warnings] #warning "Unsupported compiler detected" ^ 1 warning generated.
|