Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix the semantics of strlen on symbolic strings. #469

Merged
merged 1 commit into from
Apr 20, 2020
Merged

Fix the semantics of strlen on symbolic strings. #469

merged 1 commit into from
Apr 20, 2020

Conversation

robdockins
Copy link
Contributor

Previously, strlen would recurse down a string until it
ran into a concrete zero. This is fine, except that it would
assert that each load along the way would succeed, without taking
into account the previous zero tests that had to fail. To correct
this we need to emulate a path condition such that to load
at position n each of the n-1 previous locations must have
been non-zero, and the loads are only required to succeed under
that condition. This allows one, for example, to assume that
some value in a string is 0 (but not specify which one). Previously,
strlen would index off the end of the allocation of such a string
and fail. Now it will succeed because the path condition required
to index out-of-bounds is inconsistent.

Fixes #468

@robdockins
Fix the semantics of strlen on symbolic strings.
67ae4a9 
Previously, `strlen` would recurse down a string until it
ran into a concrete zero.  This is fine, except that it would
assert that each load along the way would succeed, without taking
into account the previous zero tests that had to fail.  To correct
this we need to emulate a path condition such that to load
at position `n` each of the `n-1` previous locations must have
been non-zero, and the loads are only required to succeed under
that condition.  This allows one, for example, to assume that
some value in a string is 0 (but not specify which one).  Previously,
`strlen` would index off the end of the allocation of such a string
and fail.  Now it will succeed because the path condition required
to index out-of-bounds is inconsistent.

Fixes #468
@robdockins robdockins requested a review from brianhuffman April 10, 2020 17:50
@weaversa
Copy link

This allows one, for example, to assume that some value in a string is 0 (but not specify which one).

Oh I like that!

I hate to ask, but is strlen the only function that has this kind of problem?

@robdockins
Copy link
Contributor Author

I hate to ask, but is strlen the only function that has this kind of problem?

I think so. memcpy, memmove and memset are all memory model primitives, so they don't have this issue. All the other functions that deal with strings require the bytes to be fully concrete

If we want to support more of "string.h" we'd arguably be better off providing a library of naive C implementations to avoid running into this issue again.

@robdockins robdockins merged commit a51ac16 into master Apr 20, 2020
@weaversa weaversa mentioned this pull request Apr 22, 2020
Closed
@andreistefanescu andreistefanescu deleted the strlen branch May 7, 2020 20:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@brianhuffman brianhuffman Awaiting requested review from brianhuffman

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

strlen
2 participants
@robdockins @weaversa