Skip to content

Commit 060b59c

Browse files
author
Daniel Kroening
committed
separate pointer check for integer addresses
1 parent 9b5847e commit 060b59c

File tree

5 files changed

+25
-18
lines changed

5 files changed

+25
-18
lines changed

regression/cbmc/Malloc23/test.desc

+1-1
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,6 @@ pointer outside dynamic object bounds in \*p: FAILURE
77
pointer outside dynamic object bounds in \*p: FAILURE
88
pointer outside dynamic object bounds in p2\[.*1\]: FAILURE
99
pointer outside dynamic object bounds in p2\[.*0\]: FAILURE
10-
\*\* 4 of 36 failed
10+
\*\* 4 of [0-9]+ failed
1111
--
1212
^warning: ignoring

regression/cbmc/bounds_check1/test.desc

+1-1
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@ main.c
66
\[\(.*\)i2\]: FAILURE
77
dest\[\(.*\)j2\]: FAILURE
88
payload\[\(.*\)[kl]2\]: FAILURE
9-
\*\* 10 of 72 failed
9+
\*\* 10 of [0-9]+ failed
1010
--
1111
^warning: ignoring
1212
\[\(.*\)i\]: FAILURE

regression/cbmc/memcpy1/test.desc

+2-2
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@ main.c
44
^EXIT=10$
55
^SIGNAL=0$
66
^VERIFICATION FAILED$
7-
\[(__builtin___memcpy_chk|memcpy)\.pointer_dereference\.16\] dereference failure: pointer outside object bounds in \*\(\(\(const char \*\)src \+ \(signed (long (long )?)?int\)n\) - (\(signed long (long )?int\))?1\): FAILURE$
8-
\*\* 1 of 17 failed
7+
\[(__builtin___memcpy_chk|memcpy)\.pointer_dereference\.[0-9]+\] dereference failure: pointer outside object bounds in \*\(\(\(const char \*\)src \+ \(signed (long (long )?)?int\)n\) - (\(signed long (long )?int\))?1\): FAILURE$
8+
\*\* 1 of [0-9]+ failed
99
--
1010
^warning: ignoring

regression/cbmc/memory_allocation1/test.desc

+4-4
Original file line numberDiff line numberDiff line change
@@ -3,10 +3,10 @@ main.c
33
--pointer-check
44
^EXIT=10$
55
^SIGNAL=0$
6-
\[main.pointer_dereference.[0-9]+\] dereference failure: pointer invalid in \*p: SUCCESS
7-
\[main.assertion.1\] assertion \*p==42: SUCCESS
8-
\[main.pointer_dereference.[0-9]+\] dereference failure: pointer invalid in p\[.*1\]: FAILURE
9-
\[main.assertion.2\] assertion \*\(p\+1\)==42: SUCCESS
6+
^\[main\.pointer_dereference\.2\] dereference failure: invalid integer address in \*p: SUCCESS$
7+
^\[main\.assertion\.1\] assertion \*p==42: SUCCESS$
8+
^\[main\.pointer_dereference\.[0-9]+\] dereference failure: invalid integer address in p\[.*1\]: FAILURE$
9+
^\[main\.assertion\.2\] assertion \*\(p\+1\)==42: SUCCESS$
1010
^VERIFICATION FAILED$
1111
--
1212
^warning: ignoring

src/analyses/goto_check.cpp

+17-10
Original file line numberDiff line numberDiff line change
@@ -1003,8 +1003,7 @@ void goto_checkt::pointer_validity_check(
10031003
guard);
10041004
}
10051005

1006-
if(flags.is_unknown() ||
1007-
flags.is_integer_address())
1006+
if(flags.is_unknown())
10081007
add_guarded_claim(
10091008
or_exprt(allocs, not_exprt(invalid_pointer(pointer))),
10101009
"dereference failure: pointer invalid",
@@ -1023,8 +1022,7 @@ void goto_checkt::pointer_validity_check(
10231022
guard);
10241023

10251024
if(flags.is_unknown() ||
1026-
flags.is_dynamic_heap() ||
1027-
flags.is_integer_address())
1025+
flags.is_dynamic_heap())
10281026
add_guarded_claim(
10291027
or_exprt(allocs, not_exprt(deallocated(pointer, ns))),
10301028
"dereference failure: deallocated dynamic object",
@@ -1034,8 +1032,7 @@ void goto_checkt::pointer_validity_check(
10341032
guard);
10351033

10361034
if(flags.is_unknown() ||
1037-
flags.is_dynamic_local() ||
1038-
flags.is_integer_address())
1035+
flags.is_dynamic_local())
10391036
add_guarded_claim(
10401037
or_exprt(allocs, not_exprt(dead_object(pointer, ns))),
10411038
"dereference failure: dead object",
@@ -1045,8 +1042,7 @@ void goto_checkt::pointer_validity_check(
10451042
guard);
10461043

10471044
if(flags.is_unknown() ||
1048-
flags.is_dynamic_heap() ||
1049-
flags.is_integer_address())
1045+
flags.is_dynamic_heap())
10501046
{
10511047
const or_exprt dynamic_bounds(
10521048
dynamic_object_lower_bound(pointer, ns, access_lb),
@@ -1067,8 +1063,7 @@ void goto_checkt::pointer_validity_check(
10671063

10681064
if(flags.is_unknown() ||
10691065
flags.is_dynamic_local() ||
1070-
flags.is_static_lifetime() ||
1071-
flags.is_integer_address())
1066+
flags.is_static_lifetime())
10721067
{
10731068
const or_exprt object_bounds(
10741069
object_lower_bound(pointer, ns, access_lb),
@@ -1082,6 +1077,18 @@ void goto_checkt::pointer_validity_check(
10821077
expr,
10831078
guard);
10841079
}
1080+
1081+
if(flags.is_unknown() ||
1082+
flags.is_integer_address())
1083+
{
1084+
add_guarded_claim(
1085+
implies_exprt(integer_address(pointer), allocs),
1086+
"dereference failure: invalid integer address",
1087+
"pointer dereference",
1088+
expr.find_source_location(),
1089+
expr,
1090+
guard);
1091+
}
10851092
}
10861093
}
10871094

0 commit comments

Comments
 (0)