Example: provenance_intra_object_1.c
#include <stdio.h>
#include <string.h>
/* Struct with two int members declared consecutively; the test below asks
 * whether a pointer derived from member x may be used to reach member y. */
typedef struct { int x; int y; } st;
/*
 * Pointer-provenance litmus test: can a one-past-the-end pointer derived from
 * member s.x be used to store to member s.y of the same struct object?
 * The program prints both pointer values and, only when their stored
 * representations are byte-identical, stores through p and prints the
 * resulting member values.
 */
int main() {
st s = { .x=1, .y=2 };
// p is obtained by arithmetic on &s.x: one past the end of member x.
int *p = &s.x + 1;
// q is obtained directly from member y.
int *q = &s.y;
printf("Addresses: p=%p q=%p\n",(void*)p,(void*)q);
// Compare the bytes of the two pointer objects instead of evaluating p == q,
// so the guard depends only on the stored representations.
if (memcmp(&p, &q, sizeof(p)) == 0) {
// The store below is the access under test. Identical representations do not
// by themselves settle whether p may be used to access s.y: C11 6.5.6p8 says
// a one-past-the-end pointer shall not be dereferenced.
// NOTE(review): an optimiser may assume a store through p cannot modify s.y;
// code that must be portable should take &s.y directly rather than rely on
// this pattern.
*p = 11; // is this free of undefined behaviour?
printf("s.x=%d s.y=%d *p=%d *q=%d\n",s.x,s.y,*p,*q);
}
}
[link to test in Cerberus and Compiler Explorer]
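Experimental data (what does this mean?)
Each row gives the output observed from one compiler configuration or semantics tool. Identical output across the compiled builds shows only what those builds did, not that the store through p is defined: below, cerberus-concrete reports the execution as defined, RV-Match reports undefined behaviour at the store, and the compcert-3.2-interp trace stops at the first printf, before the store is reached.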
gcc-8.1-O0 |   | Addresses: p=0x7fff8d4d1d7c q=0x7fff8d4d1d7c s.x=1 s.y=11 *p=11 *q=11
|
gcc-8.1-O2 |   | Addresses: p=0x7ffc450ff5ac q=0x7ffc450ff5ac s.x=1 s.y=11 *p=11 *q=11
|
gcc-8.1-O3 |   | Addresses: p=0x7ffee6e53d9c q=0x7ffee6e53d9c s.x=1 s.y=11 *p=11 *q=11
|
gcc-8.1-O2-no-strict-aliasing |   | Addresses: p=0x7ffc9d35a07c q=0x7ffc9d35a07c s.x=1 s.y=11 *p=11 *q=11
|
gcc-8.1-O3-no-strict-aliasing |   | Addresses: p=0x7ffd4a39d00c q=0x7ffd4a39d00c s.x=1 s.y=11 *p=11 *q=11
|
clang-6.0-O0 |   | Addresses: p=0x7ffe5b791f54 q=0x7ffe5b791f54 s.x=1 s.y=11 *p=11 *q=11
|
clang-6.0-O2 |   | Addresses: p=0x7ffefe4d5fc4 q=0x7ffefe4d5fc4 s.x=1 s.y=11 *p=11 *q=11
|
clang-6.0-O3 |   | Addresses: p=0x7ffd6cc6abc4 q=0x7ffd6cc6abc4 s.x=1 s.y=11 *p=11 *q=11
|
clang-6.0-O2-no-strict-aliasing |   | Addresses: p=0x7ffeed297424 q=0x7ffeed297424 s.x=1 s.y=11 *p=11 *q=11
|
clang-6.0-O3-no-strict-aliasing |   | Addresses: p=0x7ffd0f4b84f4 q=0x7ffd0f4b84f4 s.x=1 s.y=11 *p=11 *q=11
|
clang-6.0-UBSAN |   | Addresses: p=0x7fff149fa724 q=0x7fff149fa724 s.x=1 s.y=11 *p=11 *q=11
|
clang-6.0-ASAN |   | Addresses: p=0x7fff56030904 q=0x7fff56030904 s.x=1 s.y=11 *p=11 *q=11
|
clang-6.0-MSAN |   | Addresses: p=0x7ffd8add0294 q=0x7ffd8add0294 s.x=1 s.y=11 *p=11 *q=11
|
icc-19-O0 |   | Addresses: p=0x7fff825efbb4 q=0x7fff825efbb4 s.x=1 s.y=11 *p=11 *q=11
|
icc-19-O2 |   | Addresses: p=0x7fff4883de84 q=0x7fff4883de84 s.x=1 s.y=11 *p=11 *q=11
|
icc-19-O3 |   | Addresses: p=0x7fff826c4984 q=0x7fff826c4984 s.x=1 s.y=11 *p=11 *q=11
|
icc-19-O2-no-strict-aliasing |   | Addresses: p=0x7fff2baeaf84 q=0x7fff2baeaf84 s.x=1 s.y=11 *p=11 *q=11
|
icc-19-O3-no-strict-aliasing |   | Addresses: p=0x7ffeb18d5a04 q=0x7ffeb18d5a04 s.x=1 s.y=11 *p=11 *q=11
|
cerberus-concrete |   | BEGIN EXEC[0] Defined {value: "Specified(0)", stdout: "Addresses: p=<5>:80 q=<5>:80\ns.x=1 s.y=11 *p=11 *q=11\n", blocked: "false"} END EXEC[0] Time spent: 0.034202 seconds
|
cerberus-symbolic |   | BEGIN EXEC[0] Undefined [other_location(Core parser)]{id: [DUMMY(rev_listFromStr_aux)]} END EXEC[0] BOGUS!!!! Time spent: 0.078984 seconds
|
gcc-4.9-shadowprov |   | Addresses: p=0x7ffc76fac2dc q=0x7ffc76fac2dc s.x=1 s.y=11 *p=11 *q=11
|
CHERI:MIPS-O0 |   | Addresses: p=0x7fffffe9ec q=0x7fffffe9ec s.x=1 s.y=11 *p=11 *q=11
|
CHERI:MIPS-O2 |   | Addresses: p=0x7fffffe9f4 q=0x7fffffe9f4 s.x=1 s.y=11 *p=11 *q=11
|
CHERI:MIPS-O2-no-strict-aliasing |   | Addresses: p=0x7fffffe9d4 q=0x7fffffe9d4 s.x=1 s.y=11 *p=11 *q=11
|
CHERI:CHERI-O0-uintcap-addr-exact-equals |   | Addresses: p=0x7fffffe484 q=0x7fffffe484 s.x=1 s.y=11 *p=11 *q=11
|
CHERI:CHERI-O2-uintcap-addr-exact-equals |   | Addresses: p=0x7fffffe43c q=0x7fffffe43c s.x=1 s.y=11 *p=11 *q=11
|
CHERI:CHERI-O2-no-strict-aliasing-uintcap-addr-exact-equals |   | Addresses: p=0x7fffffe41c q=0x7fffffe41c s.x=1 s.y=11 *p=11 *q=11
|
CHERI:CHERI-O0-uintcap-offset-exact-equals |   | Addresses: p=0x7fffffe484 q=0x7fffffe484 s.x=1 s.y=11 *p=11 *q=11
|
CHERI:CHERI-O2-uintcap-offset-exact-equals |   | Addresses: p=0x7fffffe43c q=0x7fffffe43c s.x=1 s.y=11 *p=11 *q=11
|
CHERI:CHERI-O2-no-strict-aliasing-uintcap-offset-exact-equals |   | Addresses: p=0x7fffffe40c q=0x7fffffe40c s.x=1 s.y=11 *p=11 *q=11
|
CHERI:CHERI-O0-uintcap-addr |   | Addresses: p=0x7fffffe4a4 q=0x7fffffe4a4 s.x=1 s.y=11 *p=11 *q=11
|
CHERI:CHERI-O2-uintcap-addr |   | Addresses: p=0x7fffffe45c q=0x7fffffe45c s.x=1 s.y=11 *p=11 *q=11
|
CHERI:CHERI-O2-no-strict-aliasing-uintcap-addr |   | Addresses: p=0x7fffffe42c q=0x7fffffe42c s.x=1 s.y=11 *p=11 *q=11
|
CHERI:CHERI-O0-uintcap-offset |   | Addresses: p=0x7fffffe494 q=0x7fffffe494 s.x=1 s.y=11 *p=11 *q=11
|
CHERI:CHERI-O2-uintcap-offset |   | Addresses: p=0x7fffffe44c q=0x7fffffe44c s.x=1 s.y=11 *p=11 *q=11
|
CHERI:CHERI-O2-no-strict-aliasing-uintcap-offset |   | Addresses: p=0x7fffffe42c q=0x7fffffe42c s.x=1 s.y=11 *p=11 *q=11
|
RV-Match |   | Addresses: p=(nil) q=(nil) s.x=1 s.y=11 *p=11 *q=11 Dereferencing a pointer past the end of an array: > in main at provenance_intra_object_1.c:10:5
Undefined behavior (UB-CER4): see C11 section 6.5.6:8 http://rvdoc.org/C11/6.5.6 see C11 section J.2:1 items 47 and 49 http://rvdoc.org/C11/J.2 see CERT-C section ARR30-C http://rvdoc.org/CERT-C/ARR30-C see CERT-C section ARR37-C http://rvdoc.org/CERT-C/ARR37-C see CERT-C section STR31-C http://rvdoc.org/CERT-C/STR31-C see MISRA-C section 8.18:1 http://rvdoc.org/MISRA-C/8.18 see MISRA-C section 8.1:3 http://rvdoc.org/MISRA-C/8.1
Dereferencing a pointer past the end of an array: > in main at provenance_intra_object_1.c:11:5
Undefined behavior (UB-CER4): see C11 section 6.5.6:8 http://rvdoc.org/C11/6.5.6 see C11 section J.2:1 items 47 and 49 http://rvdoc.org/C11/J.2 see CERT-C section ARR30-C http://rvdoc.org/CERT-C/ARR30-C see CERT-C section ARR37-C http://rvdoc.org/CERT-C/ARR37-C see CERT-C section STR31-C http://rvdoc.org/CERT-C/STR31-C see MISRA-C section 8.18:1 http://rvdoc.org/MISRA-C/8.18 see MISRA-C section 8.1:3 http://rvdoc.org/MISRA-C/8.1
|
ch2o |   | Fatal error: exception Failure("parse_printf") Raised at file "pervasives.ml", line 30, characters 22-33 Called from file "list.ml", line 55, characters 20-23 Called from file "list.ml", line 55, characters 32-39 Called from file "list.ml", line 55, characters 32-39 Called from file "list.ml", line 55, characters 32-39 Called from file "list.ml", line 55, characters 32-39 Called from file "list.ml", line 55, characters 32-39 Called from file "list.ml", line 55, characters 32-39 Called from file "list.ml", line 55, characters 32-39
|
compcert-3.2 |   | Addresses: p=0x7ffc58b3f634 q=0x7ffc58b3f634 s.x=1 s.y=11 *p=11 *q=11
|
compcert-3.2-O |   | Addresses: p=0x7ffe084d77d4 q=0x7ffe084d77d4 s.x=1 s.y=11 *p=11 *q=11
|
compcert-3.2-interp |   | Time 0: calling main() --[step_internal_function]--> Time 1: in function main, statement s.x = 1; s.y = 2; p = &s.x + 1; q = &s.y; printf(__stringlit_1, (void *) p, (void *) q); if (memcmp(&p, &q, sizeof(int *)) == 0) { *p = 11; printf(__stringlit_2, ..x, ..y, *., *.); } return 0; --[step_seq]--> Time 2: in function main, statement s.x = 1; s.y = 2; p = &s.x + 1; q = &s.y; printf(__stringlit_1, (void *) p, (void *) q); if (memcmp(&p, &q, sizeof(int *)) == 0) { *p = 11; printf(__stringlit_2, ..x, ..y, *., *.); } --[step_seq]--> Time 3: in function main, statement s.x = 1; --[step_do_1]--> Time 4: in function main, expression s.x = 1 --[red_var_local]--> Time 5: in function main, expression <loc s>.x = 1 --[red_rvalof]--> Time 6: in function main, expression <ptr s>.x = 1 --[red_field_struct]--> Time 7: in function main, expression <loc s> = 1 --[red_assign]--> Time 8: in function main, expression 1 --[step_do_2]--> Time 9: in function main, statement /*skip*/; --[step_skip_seq]--> Time 10: in function main, statement s.y = 2; p = &s.x + 1; q = &s.y; printf(__stringlit_1, (void *) p, (void *) q); if (memcmp(&p, &q, sizeof(int *)) == 0) { *p = 11; printf(__stringlit_2, ..x, ..y, *., *.); } --[step_seq]--> Time 11: in function main, statement s.y = 2; --[step_do_1]--> Time 12: in function main, expression s.y = 2 --[red_var_local]--> Time 13: in function main, expression <loc s>.y = 2 --[red_rvalof]--> Time 14: in function main, expression <ptr s>.y = 2 --[red_field_struct]--> Time 15: in function main, expression <loc s+4> = 2 --[red_assign]--> Time 16: in function main, expression 2 --[step_do_2]--> Time 17: in function main, statement /*skip*/; --[step_skip_seq]--> Time 18: in function main, statement p = &s.x + 1; q = &s.y; printf(__stringlit_1, (void *) p, (void *) q); if (memcmp(&p, &q, sizeof(int *)) == 0) { *p = 11; printf(__stringlit_2, ..x, ..y, *., *.); } --[step_seq]--> Time 19: in function main, statement p = &s.x + 1; 
--[step_do_1]--> Time 20: in function main, expression p = &s.x + 1 --[red_var_local]--> Time 21: in function main, expression <loc p> = &s.x + 1 --[red_var_local]--> Time 22: in function main, expression <loc p> = &<loc s>.x + 1 --[red_rvalof]--> Time 23: in function main, expression <loc p> = &<ptr s>.x + 1 --[red_field_struct]--> Time 24: in function main, expression <loc p> = &<loc s> + 1 --[red_addrof]--> Time 25: in function main, expression <loc p> = <ptr s> + 1 --[red_binop]--> Time 26: in function main, expression <loc p> = <ptr s+4> --[red_assign]--> Time 27: in function main, expression <ptr s+4> --[step_do_2]--> Time 28: in function main, statement /*skip*/; --[step_skip_seq]--> Time 29: in function main, statement q = &s.y; printf(__stringlit_1, (void *) p, (void *) q); if (memcmp(&p, &q, sizeof(int *)) == 0) { *p = 11; printf(__stringlit_2, ..x, ..y, *., *.); } --[step_seq]--> Time 30: in function main, statement q = &s.y; --[step_do_1]--> Time 31: in function main, expression q = &s.y --[red_var_local]--> Time 32: in function main, expression <loc q> = &s.y --[red_var_local]--> Time 33: in function main, expression <loc q> = &<loc s>.y --[red_rvalof]--> Time 34: in function main, expression <loc q> = &<ptr s>.y --[red_field_struct]--> Time 35: in function main, expression <loc q> = &<loc s+4> --[red_addrof]--> Time 36: in function main, expression <loc q> = <ptr s+4> --[red_assign]--> Time 37: in function main, expression <ptr s+4> --[step_do_2]--> Time 38: in function main, statement /*skip*/; --[step_skip_seq]--> Time 39: in function main, statement printf(__stringlit_1, (void *) p, (void *) q); if (memcmp(&p, &q, sizeof(int *)) == 0) { *p = 11; printf(__stringlit_2, ..x, ..y, *., *.); } --[step_seq]--> Time 40: in function main, statement printf(__stringlit_1, (void *) p, (void *) q); --[step_do_1]--> Time 41: in function main, expression printf(__stringlit_1, (void *) p, (void *) q) --[red_var_global]--> Time 42: in function main, expression 
printf(<loc __stringlit_1>, (void *) p, (void *) q) --[red_rvalof]--> Time 43: in function main, expression printf(<ptr __stringlit_1>, (void *) p, (void *) q) --[red_var_local]--> Time 44: in function main, expression printf(<ptr __stringlit_1>, (void *) <loc p>, (void *) q) --[red_rvalof]--> Time 45: in function main, expression printf(<ptr __stringlit_1>, (void *) <ptr s+4>, (void *) q) --[red_cast]--> Time 46: in function main, expression printf(<ptr __stringlit_1>, <ptr s+4>, (void *) q) --[red_var_local]--> Time 47: in function main, expression printf(<ptr __stringlit_1>, <ptr s+4>, (void *) <loc q>) --[red_rvalof]--> Time 48: in function main, expression printf(<ptr __stringlit_1>, <ptr s+4>, (void *) <ptr s+4>) --[red_cast]--> Time 49: in function main, expression printf(<ptr __stringlit_1>, <ptr s+4>, <ptr s+4>) Addresses: p=<57+4> q=<57+4> Stuck state: in function main, expression printf (<ptr __stringlit_1>, <ptr s+4>, <ptr s+4>) Addresses: p=<57+4> q=<57+4> Stuck subexpression: printf (<ptr __stringlit_1>, <ptr s+4>, <ptr s+4>) ERROR: Undefined behavior In file included from provenance_intra_object_1.c:1: In file included from /usr/include/stdio.h:64: In file included from /usr/include/_stdio.h:68: /usr/include/sys/cdefs.h:81:2: warning: "Unsupported compiler detected" [-W#warnings] #warning "Unsupported compiler detected" ^ 1 warning generated.
|