GMP typing issue
ID0002252: This issue was created automatically from Mantis Issue 2252. Further discussion may take place here.
Field | Value |
---|---|
Id | ID0002252 |
Project | Frama-C |
Category | Plug-in > E-ACSL |
View | public |
Due Date | 2016-10-14 |
Updated | 2017-05-31 |
Reporter | kvorobyov |
Assigned To | signoles |
Resolution | fixed |
Priority | normal |
Severity | minor |
Reproducibility | always |
Platform | - |
OS | Gentoo |
OS Version | - |
Product Version | Frama-C GIT, precise the release id |
Target Version | Frama-C GIT, precise the release id |
Fixed in Version | Frama-C 15-Phosphorus |
Description:

In the snippet below

```c
int i = -1;
...
/*@ assert rte: mem_access: \valid_read(srcbuf+i); */
if ((int)*(srcbuf + i) == (int)ch)
  loc = i;
```

a buffer overflow occurs because of the initial negative value of i; however, the assertion generated by E-ACSL features the following line:

```c
__e_acsl_valid_read((void *)(srcbuf + (unsigned long)i), sizeof(char));
```

which casts i to an unsigned integer and further makes the assertion wrongly pass. See the attached code for a more complete example. The code is taken from the ITC Toyota benchmark.