Example: provenance_lost_escape_1.c

    #include <stdio.h>
    #include <string.h>
    #include <stdint.h>
    #include "charon_address_guesses.h"
    int x=1; // assume allocation ID @1, at ADDR_PLE_1
    int main() {
      int *p = &x;                      
      uintptr_t i1 = (intptr_t)p;            // (@1,ADDR_PLE_1)
      uintptr_t i2 = i1 & 0x00000000FFFFFFFF;// 
      uintptr_t i3 = i2 & 0xFFFFFFFF00000000;// (@1,0x0)
      uintptr_t i4 = i3 + ADDR_PLE_1;        // (@1,ADDR_PLE_1)
      int *q = (int *)i4;
      printf("Addresses: p=%p\n",(void*)p);
      if (memcmp(&i1, &i4, sizeof(i1)) == 0) {
        *q = 11;  // does this have defined behaviour?
        printf("x=%d *p=%d *q=%d\n",x,*p,*q);
      }
    }

[link to run test in Cerberus]

cerberus-concrete-PVI Addresses: p=(@5, 0x3c) x=11 *p=11 *q=11 cerberus-concrete-PNVI Addresses: p=(@5, 0x3c) x=11 *p=11 *q=11 gcc-8.1-O0 Addresses: p=0x600a50 x=11 *p=11 *q=11 gcc-8.1-O2 Addresses: p=0x6009a8 x=11 *p=11 *q=11 gcc-8.1-O3 Addresses: p=0x6009a8 x=11 *p=11 *q=11 gcc-8.1-O2-no-strict-aliasing Addresses: p=0x6009a8 x=11 *p=11 *q=11 gcc-8.1-O3-no-strict-aliasing Addresses: p=0x6009a8 x=11 *p=11 *q=11 clang-6.0-O0 Addresses: p=0x601038 x=11 *p=11 *q=11 clang-6.0-O2 Addresses: p=0x601038 x=11 *p=11 *q=11 clang-6.0-O3 Addresses: p=0x601038 x=11 *p=11 *q=11 clang-6.0-O2-no-strict-aliasing Addresses: p=0x601038 x=11 *p=11 *q=11 clang-6.0-O3-no-strict-aliasing Addresses: p=0x601038 x=11 *p=11 *q=11 clang-6.0-UBSAN Addresses: p=0x631b50 clang-6.0-ASAN Addresses: p=0x716b60 clang-6.0-MSAN Addresses: p=0x6b7af0 icc-19-O0 Addresses: p=0x600b70 x=11 *p=11 *q=11 icc-19-O2 Addresses: p=0x6046c0 x=1 *p=1 *q=11 icc-19-O3 Addresses: p=0x6046c0 x=1 *p=1 *q=11 icc-19-O2-no-strict-aliasing Addresses: p=0x6046c0 x=1 *p=1 *q=11 icc-19-O3-no-strict-aliasing Addresses: p=0x6046c0 x=1 *p=1 *q=11 compcert-3.4 Addresses: p=0x601040 x=11 *p=11 *q=11 compcert-3.4-O Addresses: p=0x601040 x=11 *p=11 *q=11 kcc-1.0 Addresses: p=(nil) Encountered an unknown error. This may be due to encountering undefined behavior, an unsupported language feature, or a bug in this tool: > in main at provenance_lost_escape_1.c:8:3 Unknown error (UNK-1) Indeterminate value used in an expression: > in main at provenance_lost_escape_1.c:9:3 Undefined behavior (UB-CEE2): see C11 section 6.2.4 http://rvdoc.org/C11/6.2.4 see C11 section 6.7.9 http://rvdoc.org/C11/6.7.9 see C11 section 6.8 http://rvdoc.org/C11/6.8 see C11 section J.2:1 item 11 http://rvdoc.org/C11/J.2 see CERT-C section EXP33-C http://rvdoc.org/CERT-C/EXP33-C see MISRA-C section 8.9:1 http://rvdoc.org/MISRA-C/8.9 see MISRA-C section 8.1:3 http://rvdoc.org/MISRA-C/8.1 Conversion from an integer to non-null pointer: > in main at provenance_lost_escape_1.c:12:3 Implementation defined behavior (IMPL-CCV13): see C11 section 6.3.2.3:5 http://rvdoc.org/C11/6.3.2.3 see CERT section INT36-C http://rvdoc.org/CERT/INT36-C Indeterminate value used in an expression: > in memcmp at /opt/rv-match/c-semantics/profiles/x86_64-linux-gcc-glibc/src/string.c:180:13 in main at provenance_lost_escape_1.c:14:3 Undefined behavior (UB-CEE2): see C11 section 6.2.4 http://rvdoc.org/C11/6.2.4 see C11 section 6.7.9 http://rvdoc.org/C11/6.7.9 see C11 section 6.8 http://rvdoc.org/C11/6.8 see C11 section J.2:1 item 11 http://rvdoc.org/C11/J.2 see CERT-C section EXP33-C http://rvdoc.org/CERT-C/EXP33-C see MISRA-C section 8.9:1 http://rvdoc.org/MISRA-C/8.9 see MISRA-C section 8.1:3 http://rvdoc.org/MISRA-C/8.1 Indeterminate value used in an expression: > in memcmp at /opt/rv-match/c-semantics/profiles/x86_64-linux-gcc-glibc/src/string.c:181:19 in main at provenance_lost_escape_1.c:14:3 Undefined behavior (UB-CEE2): see C11 section 6.2.4 http://rvdoc.org/C11/6.2.4 see C11 section 6.7.9 http://rvdoc.org/C11/6.7.9 see C11 section 6.8 http://rvdoc.org/C11/6.8 see C11 section J.2:1 item 11 http://rvdoc.org/C11/J.2 see CERT-C section EXP33-C http://rvdoc.org/CERT-C/EXP33-C see MISRA-C section 8.9:1 http://rvdoc.org/MISRA-C/8.9 see MISRA-C section 8.1:3 http://rvdoc.org/MISRA-C/8.1

cerberus-concrete-PVI		Addresses: p=(@5, 0x3c) x=11 p=11 q=11
cerberus-concrete-PNVI		Addresses: p=(@5, 0x3c) x=11 p=11 q=11
gcc-8.1-O0		Addresses: p=0x600a50 x=11 p=11 q=11
gcc-8.1-O2		Addresses: p=0x6009a8 x=11 p=11 q=11
gcc-8.1-O3		Addresses: p=0x6009a8 x=11 p=11 q=11
gcc-8.1-O2-no-strict-aliasing		Addresses: p=0x6009a8 x=11 p=11 q=11
gcc-8.1-O3-no-strict-aliasing		Addresses: p=0x6009a8 x=11 p=11 q=11
clang-6.0-O0		Addresses: p=0x601038 x=11 p=11 q=11
clang-6.0-O2		Addresses: p=0x601038 x=11 p=11 q=11
clang-6.0-O3		Addresses: p=0x601038 x=11 p=11 q=11
clang-6.0-O2-no-strict-aliasing		Addresses: p=0x601038 x=11 p=11 q=11
clang-6.0-O3-no-strict-aliasing		Addresses: p=0x601038 x=11 p=11 q=11
clang-6.0-UBSAN		Addresses: p=0x631b50
clang-6.0-ASAN		Addresses: p=0x716b60
clang-6.0-MSAN		Addresses: p=0x6b7af0
icc-19-O0		Addresses: p=0x600b70 x=11 p=11 q=11
icc-19-O2		Addresses: p=0x6046c0 x=1 p=1 q=11
icc-19-O3		Addresses: p=0x6046c0 x=1 p=1 q=11
icc-19-O2-no-strict-aliasing		Addresses: p=0x6046c0 x=1 p=1 q=11
icc-19-O3-no-strict-aliasing		Addresses: p=0x6046c0 x=1 p=1 q=11
compcert-3.4		Addresses: p=0x601040 x=11 p=11 q=11
compcert-3.4-O		Addresses: p=0x601040 x=11 p=11 q=11
kcc-1.0		Addresses: p=(nil) Encountered an unknown error. This may be due to encountering undefined behavior, an unsupported language feature, or a bug in this tool: > in main at provenance_lost_escape_1.c:8:3 Unknown error (UNK-1) Indeterminate value used in an expression: > in main at provenance_lost_escape_1.c:9:3 Undefined behavior (UB-CEE2): see C11 section 6.2.4 http://rvdoc.org/C11/6.2.4 see C11 section 6.7.9 http://rvdoc.org/C11/6.7.9 see C11 section 6.8 http://rvdoc.org/C11/6.8 see C11 section J.2:1 item 11 http://rvdoc.org/C11/J.2 see CERT-C section EXP33-C http://rvdoc.org/CERT-C/EXP33-C see MISRA-C section 8.9:1 http://rvdoc.org/MISRA-C/8.9 see MISRA-C section 8.1:3 http://rvdoc.org/MISRA-C/8.1 Conversion from an integer to non-null pointer: > in main at provenance_lost_escape_1.c:12:3 Implementation defined behavior (IMPL-CCV13): see C11 section 6.3.2.3:5 http://rvdoc.org/C11/6.3.2.3 see CERT section INT36-C http://rvdoc.org/CERT/INT36-C Indeterminate value used in an expression: > in memcmp at /opt/rv-match/c-semantics/profiles/x86_64-linux-gcc-glibc/src/string.c:180:13 in main at provenance_lost_escape_1.c:14:3 Undefined behavior (UB-CEE2): see C11 section 6.2.4 http://rvdoc.org/C11/6.2.4 see C11 section 6.7.9 http://rvdoc.org/C11/6.7.9 see C11 section 6.8 http://rvdoc.org/C11/6.8 see C11 section J.2:1 item 11 http://rvdoc.org/C11/J.2 see CERT-C section EXP33-C http://rvdoc.org/CERT-C/EXP33-C see MISRA-C section 8.9:1 http://rvdoc.org/MISRA-C/8.9 see MISRA-C section 8.1:3 http://rvdoc.org/MISRA-C/8.1 Indeterminate value used in an expression: > in memcmp at /opt/rv-match/c-semantics/profiles/x86_64-linux-gcc-glibc/src/string.c:181:19 in main at provenance_lost_escape_1.c:14:3 Undefined behavior (UB-CEE2): see C11 section 6.2.4 http://rvdoc.org/C11/6.2.4 see C11 section 6.7.9 http://rvdoc.org/C11/6.7.9 see C11 section 6.8 http://rvdoc.org/C11/6.8 see C11 section J.2:1 item 11 http://rvdoc.org/C11/J.2 see CERT-C section EXP33-C http://rvdoc.org/CERT-C/EXP33-C see MISRA-C section 8.9:1 http://rvdoc.org/MISRA-C/8.9 see MISRA-C section 8.1:3 http://rvdoc.org/MISRA-C/8.1

Example: provenance_lost_escape_1.c

Example: `provenance_lost_escape_1.c`