Closed
Description
When a C struct encapsulates another struct, it seems CBMC does not identify out of bounds accesses to an inner struct under the following conditions:-
- The access is inside the "outer" struct's bounds.
- The outer struct is accessed via a pointer.
I have enabled both bounds-check and pointer-check so I think this should be picked up?
I've included an example below.
BR
Gareth
#include <stdint.h>
struct bar
{
uint8_t baz[8];
};
struct foo
{
struct bar bars[2];
};
#ifdef PROBLEMMAYBE
int test(struct foo* f)
{
f->bars[0].baz[9] = 0;
}
#endif
int main(int argc, char* argv[])
{
struct foo f;
#ifdef PROBLEMMAYBE
test(&f);
#else
f.bars[0].baz[9] = 0;
#endif
}
gareth@snares:~$ cbmc foo.c --bounds-check --pointer-check -DPROBLEMMAYBE | tail -n 5
file <command-line> line 0: <command-line>:0:0: warning: "__STDC_VERSION__" redefined
file <command-line> line 0: <built-in>: note: this is the location of the previous definition
Solving with MiniSAT 2.2.0 with simplifier
502 variables, 328 clauses
SAT checker inconsistent: negated claim is UNSATISFIABLE, i.e., holds
Runtime decision procedure: 0.001s
VERIFICATION SUCCESSFUL
gareth@snares:~$ cbmc foo.c --bounds-check --pointer-check | tail -n 5
file <command-line> line 0: <command-line>:0:0: warning: "__STDC_VERSION__" redefined
file <command-line> line 0: <built-in>: note: this is the location of the previous definition
file foo.c line 27 function main
array `f'.bars[].baz upper bound in f.bars[(signed long int)0].baz[(signed long int)9]
FALSE
VERIFICATION FAILED
gareth@snares:~$