NULL ptr dereferences found with Calysto static checker

Domagoj Babic babic.domagoj at gmail.com
Fri Jun 15 23:23:39 EDT 2007 

Hi Ken

On 6/15/07, Ken Raeburn <raeburn at mit.edu> wrote:
> On Jun 15, 2007, at 04:38, Domagoj Babic wrote:
> >> > int f(int a, int b) {
> >> >    int a1;
> >> >    if (a%2) { a1 = a + 1; }
> >> >    else { a1 = a; }
> >> >    int c = a1 * a1;
> >> >    assert(c % 4 == 0);
> >> > }
> >>
> >> If I felt like being picky, I'd point out that overflow in signed
> >> integer arithmetic in C produces undefined results according to the
> >> standard, so the assertion may not be met. :-)
> >
> > If it addition overflows, a1+1=0, hence 0*0%4=0. The assertion is
> > always true. Calysto and Spear preserve the properties of 2's
> > complement
> > (bit-vector | modular arithmetic).
>
> Actually, in two's complement with wrapping signed arithmetic, the
> overflow case would be a=INT_MAX and a1=a+1=INT_MIN, which would
> still be even.

Right. For 'unsigned' you would need to use unsigned remainder, for
'signed int' signed remainder. In the first case, UINT_MAX+1=0, in the
second case INT_MAX+1=INT_MIN. Anyways, in both cases, the assertion
holds.

I made a slight mistake, saying a1+1=0, because the example obviously
requires signed remainder, while my explanation was based on unsigned
numbers. Anyways, Spear/Calysto combination handle them exactly as in
the compiled code, supporting both signed and unsigned operators (for
those operators where it actually matters).

>  From what I've read, modern versions of GCC have optimizations that
> take advantage of this undefined behavior to make transformations
> that speed up the code but don't give the wrap-on-signed-overflow
> result.  So, actually, proving whether or not signed arithmetic can
> overflow may also be useful...

Right. Having the correct overflow behaviour was the reason why Spear
theorem prover was designed to handle modulear arithmetic precisely.
Recent JPEG bug was probably the most famous instance of such an
overflow bug (see my MSR tech report with Madan).

I'll reply to the rest later...

Regards,

-- 
        Domagoj Babic

        http://www.domagoj.info/

More information about the Kerberos mailing list