Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

High offsets cause wrapping-around behavior in CBMC #1150

Open
adpaco-aws opened this issue May 3, 2022 · 2 comments
Open

High offsets cause wrapping-around behavior in CBMC #1150

adpaco-aws opened this issue May 3, 2022 · 2 comments
Labels
[C] Bug This is a bug. Something isn't working. [F] Soundness Kani failed to detect an issue

Comments

@adpaco-aws
Copy link
Contributor

In an example introduced in #1131 , we reproduced an issue where a high offset causes a "wrapping around" behavior in CBMC.
There is more information on the test, but basically we should either enforce stricter checks than Rust (because of CBMC object bits limitations) or add these checks to CBMC itself.
@adpaco-aws adpaco-aws mentioned this issue May 3, 2022
Merged
4 tasks
@celinval celinval added [C] Bug This is a bug. Something isn't working. and removed Effort: Extra Large labels Nov 9, 2022
@celinval celinval added the [F] Soundness Kani failed to detect an issue label Nov 5, 2024
@celinval
Copy link
Contributor

celinval commented Dec 5, 2024

I think we will need to stop using CBMC's pointer offset operation in the case of wrapping_offset. Instead, we need to convert the pointer into a usize, perform a wrapping_add considering the object size, then convert back to a pointer.

celinval added a commit to celinval/kani-dev that referenced this issue Dec 5, 2024
@celinval
Address comments and use integer addition in offset
e1c1549 
I decided to add a new test, and I bumped into issue model-checking#1150.
Thus, I updated our model to use integer arithmetic operations instead
of CBMC pointer arithmetic.
@celinval
Copy link
Contributor

celinval commented Dec 7, 2024

BTW, here is a small example that shows the problem:

/// This harness shows the issue with the current implementation of wrapping offset.
///
/// Invoking `wrapping_byte_offset` should return a pointer that is different from the original
/// pointer if the offset value is not 0.
#[kani::proof]
fn fixme_incorrect_wrapping_offset() {
    let ptr: *const u8 = &0u8;
    let offset = kani::any_where(|v: &isize| *v != 0);
    let new_ptr = ptr.wrapping_byte_offset(offset);
    assert_ne!(ptr, new_ptr, "Expected new_ptr to be different than ptr");
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
[C] Bug This is a bug. Something isn't working. [F] Soundness Kani failed to detect an issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@celinval @adpaco-aws