gpt4 book ai didi

c - 绕过 CBMC 检测到的无符号加法溢出

转载 作者:太空狗 更新时间:2023-10-29 15:05:37 26 4
gpt4 key购买 nike

CBMC 在以下行中检测到可能存在无符号加法溢出:

l = (t + *b)&(0xffffffffL);
c += (l < t);

我同意第一行可能会溢出,但我正在处理 CBMC 无法查看的下一行中的进位。如果万一出现溢出,我将进位设置为 1。因此,由于我知道这个和这个,这就是我希望我的代码工作的方式,所以我想继续进行验证过程。那么,我如何告诉 CBMC 忽略这个错误并继续前进呢?

最佳答案

TL;DR 这取决于变量的实际类型。在所有情况下,CBMC 都会检测到可能导致未定义行为的实际错误。这意味着,您应该修复代码而不是禁用 CBMC 中的消息。

完整答案:

一般: 据我所知,CBMC 不允许排除特定属性(另一方面,您可以使用 --property 只检查一个特定属性 标志)。如果您想要官方答案/意见或提出功能请求,我建议您在 CProver Support group 中发帖.

(当然,可以使用 __CPROVER_assume 让 CBMC 排除导致错误的痕迹,但这将是一个非常非常非常糟糕的主意,因为这可能会使其他问题无法解决。)

变体 1: 我假设您的代码看起来像(与此相关:请发布自包含示例并准确解释问题所在,这很难猜测这些事情)

long nondet_long(void);

void main(void) {
long l = 0;
int c = 0;
long t = nondet_long();
long s = nondet_long();
long *b = &s;

l = (t + *b) & (0xffffffffL);
c += (l < t);
}

你正在运行

    cbmc --signed-overflow-check test.c

giving an output similar to the following one?

    CBMC version 5.1 64-bit x86_64 macos    Parsing test.c    Converting    Type-checking test    Generating GOTO Program    Adding CPROVER library    Function Pointer Removal    Partial Inlining    Generic Property Instrumentation    Starting Bounded Model Checking    size of program expression: 41 steps    simple slicing removed 3 assignments    Generated 2 VCC(s), 2 remaining after simplification    Passing problem to propositional reduction    converting SSA    Running propositional reduction    Post-processing    Solving with MiniSAT 2.2.0 with simplifier    792 variables, 2302 clauses    SAT checker: negated claim is SATISFIABLE, i.e., does not hold    Runtime decision procedure: 0.006s    Building error trace    Counterexample:    State 17 file test.c line 4 function main thread 0    ----------------------------------------------------      l=0 (0000000000000000000000000000000000000000000000000000000000000000)    State 18 file test.c line 4 function main thread 0    ----------------------------------------------------      l=0 (0000000000000000000000000000000000000000000000000000000000000000)    State 19 file test.c line 5 function main thread 0    ----------------------------------------------------      c=0 (00000000000000000000000000000000)    State 20 file test.c line 5 function main thread 0    ----------------------------------------------------      c=0 (00000000000000000000000000000000)    State 21 file test.c line 6 function main thread 0    ----------------------------------------------------      t=0 (0000000000000000000000000000000000000000000000000000000000000000)    State 22 file test.c line 6 function main thread 0    ----------------------------------------------------      t=-9223372036854775808 (1000000000000000000000000000000000000000000000000000000000000000)    State 23 file test.c line 7 function main thread 0    ----------------------------------------------------      s=0 (0000000000000000000000000000000000000000000000000000000000000000)    State 24 file test.c line 7 function main thread 0    ----------------------------------------------------      s=-9223372036854775807 (1000000000000000000000000000000000000000000000000000000000000001)    State 25 file test.c line 8 function main thread 0    ----------------------------------------------------      b=((long int *)NULL) (0000000000000000000000000000000000000000000000000000000000000000)    State 26 file test.c line 8 function main thread 0    ----------------------------------------------------      b=&s!0@1 (0000001000000000000000000000000000000000000000000000000000000000)    Violated property:      file test.c line 10 function main      arithmetic overflow on signed + in t + *b      !overflow("+", signed long int, t, *b)    VERIFICATION FAILED

I do not think you should disable this property check, even if you could. The reason for this is, as you say, that this addition can overflow, and, integer overflow is undefined behaviour in C, or, as this answer to the question How to check integer overflow in C? nicely puts it:

[O]nce you've executed x + y, if it overflowed, you're already hosed. It's too late to do any checking - your program could have crashed already. Think of it like checking for division by zero - if you wait until after the division has been executed to check, it's already too late.

See also Integer overflow and undefined behavior and How disastrous is integer overflow in C++?.

Thus, this is an actual bug and CBMC has a good reason for telling you about it. What you actually should do is adapt your code so that there are no potential overflows! The answer mentioned above suggests something like (remember to include limits.h):

if ((*b > 0 && t > LONG_MAX - *b) 
|| (*b < 0 && LONG_MIN < *b && t < LONG_MIN - *b)
|| (*b==LONG_MIN && t < 0))
{
/* Overflow will occur, need to do maths in a more elaborate, but safe way! */
/* ... */
}
else
{
/* No overflow, addition is safe! */
l = (t + *b) & (0xffffffffL);
/* ... */
}

变体 2:在这里,我假设您的代码类似于:

unsigned int nondet_uint(void);

void main(void) {
unsigned int l = 0;
unsigned int c = 0;
unsigned int t = nondet_uint();
unsigned int s = nondet_uint();
unsigned int *b = &s;

l = (t + *b) & (0xffffffffL);
c += (l < t);
}

你在运行

    cbmc --unsigned-overflow-check  test.c

giving an output similar to the following one?

CBMC version 5.1 64-bit x86_64 macosParsing test.cConvertingType-checking testGenerating GOTO ProgramAdding CPROVER libraryFunction Pointer RemovalPartial InliningGeneric Property InstrumentationStarting Bounded Model Checkingsize of program expression: 42 stepssimple slicing removed 3 assignmentsGenerated 3 VCC(s), 3 remaining after simplificationPassing problem to propositional reductionconverting SSARunning propositional reductionPost-processingSolving with MiniSAT 2.2.0 with simplifier519 variables, 1306 clausesSAT checker: negated claim is SATISFIABLE, i.e., does not holdRuntime decision procedure: 0.01sBuilding error traceCounterexample:State 17 file test.c line 4 function main thread 0----------------------------------------------------  l=0 (00000000000000000000000000000000)State 18 file test.c line 4 function main thread 0----------------------------------------------------  l=0 (00000000000000000000000000000000)State 19 file test.c line 5 function main thread 0----------------------------------------------------  c=0 (00000000000000000000000000000000)State 20 file test.c line 5 function main thread 0----------------------------------------------------  c=0 (00000000000000000000000000000000)State 21 file test.c line 6 function main thread 0----------------------------------------------------  t=0 (00000000000000000000000000000000)State 22 file test.c line 6 function main thread 0----------------------------------------------------  t=4187126263 (11111001100100100111100111110111)State 23 file test.c line 7 function main thread 0----------------------------------------------------  s=0 (00000000000000000000000000000000)State 24 file test.c line 7 function main thread 0----------------------------------------------------  s=3329066504 (11000110011011011000011000001000)State 25 file test.c line 8 function main thread 0----------------------------------------------------  b=((unsigned int *)NULL) (0000000000000000000000000000000000000000000000000000000000000000)State 26 file test.c line 8 function main thread 0----------------------------------------------------  b=&s!0@1 (0000001000000000000000000000000000000000000000000000000000000000)Violated property:  file test.c line 10 function main  arithmetic overflow on unsigned + in t + *b  !overflow("+", unsigned int, t, *b)VERIFICATION FAILED

Again, this is an actual bug and CBMC has a good reason for telling you about it. This one could be fixed by

l = ((unsigned long)t + (unsigned long)*b) & (0xffffffffL);
c += (l < t);

给出

CBMC version 5.1 64-bit x86_64 macosParsing test.cConvertingType-checking testGenerating GOTO ProgramAdding CPROVER libraryFunction Pointer RemovalPartial InliningGeneric Property InstrumentationStarting Bounded Model Checkingsize of program expression: 42 stepssimple slicing removed 3 assignmentsGenerated 3 VCC(s), 3 remaining after simplificationPassing problem to propositional reductionconverting SSARunning propositional reductionPost-processingSolving with MiniSAT 2.2.0 with simplifier542 variables, 1561 clausesSAT checker inconsistent: negated claim is UNSATISFIABLE, i.e., holdsRuntime decision procedure: 0.002sVERIFICATION SUCCESSFUL

Variant 3: If things are as the previous one, but you have signed int instead of unsigned int, things get a bit more complicated. Here, assuming you use (written in a slightly more elaborate way to better see what is going on)

int nondet_int(void);

void main(void) {
int l = 0;
int c = 0;
int t = nondet_int();
int s = nondet_int();

long longt = (long)t;
long longs = (long)s;
long temp1 = longt + longs;
long temp2 = temp1 & (0xffffffffL);

l = temp2;
c += (l < t);
}

然后运行

    cbmc --signed-overflow-check test.c

you will get

CBMC version 5.1 64-bit x86_64 macosParsing test.cConvertingType-checking testGenerating GOTO ProgramAdding CPROVER libraryFunction Pointer RemovalPartial InliningGeneric Property InstrumentationStarting Bounded Model Checkingsize of program expression: 48 stepssimple slicing removed 3 assignmentsGenerated 3 VCC(s), 3 remaining after simplificationPassing problem to propositional reductionconverting SSARunning propositional reductionPost-processingSolving with MiniSAT 2.2.0 with simplifier872 variables, 2430 clausesSAT checker: negated claim is SATISFIABLE, i.e., does not holdRuntime decision procedure: 0.008sBuilding error traceCounterexample:State 17 file test.c line 4 function main thread 0----------------------------------------------------  l=0 (00000000000000000000000000000000)State 18 file test.c line 4 function main thread 0----------------------------------------------------  l=0 (00000000000000000000000000000000)State 19 file test.c line 5 function main thread 0----------------------------------------------------  c=0 (00000000000000000000000000000000)State 20 file test.c line 5 function main thread 0----------------------------------------------------  c=0 (00000000000000000000000000000000)State 21 file test.c line 6 function main thread 0----------------------------------------------------  t=0 (00000000000000000000000000000000)State 22 file test.c line 6 function main thread 0----------------------------------------------------  t=-2147483648 (10000000000000000000000000000000)State 23 file test.c line 7 function main thread 0----------------------------------------------------  s=0 (00000000000000000000000000000000)State 24 file test.c line 7 function main thread 0----------------------------------------------------  s=1 (00000000000000000000000000000001)State 25 file test.c line 9 function main thread 0----------------------------------------------------  longt=0 (0000000000000000000000000000000000000000000000000000000000000000)State 26 file test.c line 9 function main thread 0----------------------------------------------------  longt=-2147483648 (1111111111111111111111111111111110000000000000000000000000000000)State 27 file test.c line 10 function main thread 0----------------------------------------------------  longs=0 (0000000000000000000000000000000000000000000000000000000000000000)State 28 file test.c line 10 function main thread 0----------------------------------------------------  longs=1 (0000000000000000000000000000000000000000000000000000000000000001)State 29 file test.c line 11 function main thread 0----------------------------------------------------  temp1=0 (0000000000000000000000000000000000000000000000000000000000000000)State 31 file test.c line 11 function main thread 0----------------------------------------------------  temp1=-2147483647 (1111111111111111111111111111111110000000000000000000000000000001)State 32 file test.c line 12 function main thread 0----------------------------------------------------  temp2=0 (0000000000000000000000000000000000000000000000000000000000000000)State 33 file test.c line 12 function main thread 0----------------------------------------------------  temp2=2147483649 (0000000000000000000000000000000010000000000000000000000000000001)Violated property:  file test.c line 14 function main  arithmetic overflow on signed type conversion in (signed int)temp2  temp2 = -2147483648lVERIFICATION FAILED

Or, written more concisely, if you have

t == -2147483648 (0b10000000000000000000000000000000)
s == 1 (0b00000000000000000000000000000001)

然后

temp2 == 2147483649 (0b0000000000000000000000000000000010000000000000000000000000000001)

尝试将其转换为 signed int 很麻烦,因为它超出了范围(另请参见 Does cast between signed and unsigned int maintain exact bit pattern of variable in memory?)。

如您所见,这个反例也是一个实际的错误,CBMC 再次告诉您这一点是正确的。这特别意味着,您的掩码/数学没有按预期工作(您的掩码将负数变成超出范围的正数)并且您需要修复代码,以便结果在必要的范围内。 (为了确保获得正确的结果,仔细考虑您实际想要做什么可能是值得的。)

关于c - 绕过 CBMC 检测到的无符号加法溢出,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/31065205/

26 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com