GMP typing issue
ID0002252: This issue was created automatically from Mantis Issue 2252. Further discussion may take place here.
|ID0002252||Frama-C||Plug-in > E-ACSL||public||2016-10-14||2017-05-31|
|Product Version||Frama-C GIT, precise the release id||Target Version||Frama-C GIT, precise the release id||Fixed in Version||Frama-C 15-Phosphorus|
In the snippet below

```c
int i = -1;
...
/*@ assert rte: mem_access: \valid_read(srcbuf+i); */
if ((int)*(srcbuf + i) == (int)ch)
  loc = i;
```

a buffer overflow occurs because of the initial negative value of i. However, the assertion generated by E-ACSL features the following line:

```c
__e_acsl_valid_read((void *)(srcbuf + (unsigned long)i), sizeof(char));
```

which casts i to an unsigned integer and further makes the assertion wrongly pass. See the attached code for a more complete example. The code is taken from the ITC Toyota benchmark.
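The following added example is not part of the original report and is not E-ACSL's code. It shows, on a hypothetical offset-based checker, how converting the index -1 to `unsigned long` can let a validity check pass through wraparound, next to two forms that reject it. The function names, the 16-byte block length and the checker design are assumptions made for illustration.

```c
#include <stdio.h>

/* Hypothetical offset-based check (assumption, not E-ACSL's runtime):
 * is the range [off, off + size) inside a block of len bytes?
 * off + size wraps modulo 2^N when off is close to ULONG_MAX. */
static int valid_read_naive(unsigned long len, unsigned long off,
                            unsigned long size)
{
    return off + size <= len;
}

/* Same check written without wrapping arithmetic. */
static int valid_read_nowrap(unsigned long len, unsigned long off,
                             unsigned long size)
{
    return size <= len && off <= len - size;
}

/* Check that keeps the index signed, so a negative index is rejected
 * before any conversion to an unsigned type. */
static int valid_read_signed(unsigned long len, long i, unsigned long size)
{
    if (i < 0)
        return 0;
    return valid_read_nowrap(len, (unsigned long)i, size);
}

int main(void)
{
    unsigned long len = 16;  /* constructed block length */
    int i = -1;              /* initial index from the report */

    /* (unsigned long)i is ULONG_MAX; ULONG_MAX + 1 wraps to 0. */
    printf("naive, unsigned index   : %d\n",
           valid_read_naive(len, (unsigned long)i, sizeof(char)));
    printf("no-wrap, unsigned index : %d\n",
           valid_read_nowrap(len, (unsigned long)i, sizeof(char)));
    printf("signed index            : %d\n",
           valid_read_signed(len, i, sizeof(char)));
    return 0;
}
```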