Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Unsoundness for LLVM overrides of functions that return NULL pointers #640

Closed
brianhuffman opened this issue Jan 28, 2020 · 2 comments
Closed
Assignees
Labels
subsystem: crucible-llvm Issues related to LLVM bitcode verification with crucible-llvm type: bug Issues reporting bugs or unexpected/unwanted behavior unsoundness Issues that can lead to unsoundness or false verification
Milestone

Comments

@brianhuffman
Copy link
Contributor

Here's the C code:

#include <stdint.h>
#include <stdlib.h>

uint64_t *foo () {
	return NULL;
}

int bar () {
	return (foo() == NULL);
}

And the saw-script:

bc <- llvm_load_module "return_null.bc";

let i64 = llvm_int 64;

foo_ov <-
  crucible_llvm_verify bc "foo" [] false
    do {
      crucible_execute_func [];
      x <- crucible_alloc i64;
      crucible_return x;
    }
    z3;

bar_ov0 <-
  crucible_llvm_verify bc "bar" [foo_ov] false
    do {
      crucible_execute_func [];
      crucible_return (crucible_term {{ 0 : [32] }});
    }
    z3;

bar_ov1 <-
  crucible_llvm_verify bc "bar" [] false
    do {
      crucible_execute_func [];
      crucible_return (crucible_term {{ 1 : [32] }});
    }
    z3;

Note that we can prove either that bar always returns 0, or that bar always returns 1, depending on whether we use the override for foo. This is obviously unsound.

When checking the spec that we give here for foo (which has a crucible_alloc in the post-state section) saw ought to check that the returned pointer is actually non-NULL, because when we use the override saw always creates a fresh non-NULL pointer.

@brianhuffman brianhuffman added type: bug Issues reporting bugs or unexpected/unwanted behavior subsystem: crucible-llvm Issues related to LLVM bitcode verification with crucible-llvm unsoundness Issues that can lead to unsoundness or false verification labels Jan 28, 2020
@langston-barrett langston-barrett self-assigned this Feb 11, 2020
@atomb atomb added this to the 0.6 milestone Apr 3, 2020
@brianhuffman
Copy link
Contributor Author

This may have been fixed in 8610ae9.

brianhuffman pushed a commit that referenced this issue Jun 17, 2020
brianhuffman pushed a commit that referenced this issue Jun 17, 2020
@langston-barrett
Copy link
Contributor

Closed via #750

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
subsystem: crucible-llvm Issues related to LLVM bitcode verification with crucible-llvm type: bug Issues reporting bugs or unexpected/unwanted behavior unsoundness Issues that can lead to unsoundness or false verification
Projects
None yet
Development

No branches or pull requests

3 participants