bogus warning on write to pointer
I am new to Frama-c and have a very short program that makes frama-c claim "out of bounds write. assert \valid(iptr)":
f4.c:33:[kernel] warning: out of bounds write. assert \valid(iptr);
f4.c:34:[value] Assigning imprecise value to __retres.
I don't see it. Help?
I also don't understand what the next line means...
Code:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * f4.c example of a 'valid' clause:
 * foo
 * and abort.
 *
 * cmd line: frama-c -val f4.c
 */

int fill( int * iptr, int length );

const int BUF_SIZE = 100;

int main( int argc, char ** argv )
{
    int * ptr = malloc( BUF_SIZE * sizeof( int ));
    memset( ptr, 0x00, BUF_SIZE * sizeof( int ));
    int rv = fill( ptr, BUF_SIZE );
    printf("rv = %d\n", rv);
    return 0;
}

/*
 * @requires \valid(iptr+(0..length+1));
 * @requires length >= 1;
 * @assigns *iptr;
 */
int fill( int * iptr, int length )
{
    *iptr = 3;
    return( *iptr );
}
Output:
...framac [0] > frama-c -val -wp f4.c
[kernel] preprocessing with "gcc -C -E -I. f4.c"
/usr/include/i386-linux-gnu/bits/byteswap.h:47:[kernel] warning: Calling undeclared function __builtin_bswap32. Old style K&R code?
/usr/include/i386-linux-gnu/bits/byteswap.h:111:[kernel] warning: Calling undeclared function __builtin_bswap64. Old style K&R code?
[value] Analyzing a complete application starting at main
[value] Computing initial state
[value] Initial state computed
[value] Values of globals at initialization
BUF_SIZE ∈ {100}
[value] computing for function malloc <- main.
Called from f4.c:17.
[kernel] warning: Neither code nor specification for function malloc, generating default assigns from the prototype
[value] using specification for function malloc
[value] Done for function malloc
[value] computing for function memset <- main.
Called from f4.c:18.
[kernel] warning: Neither code nor specification for function memset, generating default assigns from the prototype
[value] using specification for function memset
[value] Done for function memset
[value] computing for function fill <- main.
Called from f4.c:19.
f4.c:33:[kernel] warning: out of bounds write. assert \valid(iptr);
f4.c:34:[value] Assigning imprecise value to __retres.
The imprecision originates from Library function {f4.c:17}
[value] Recording results for fill
[value] Done for function fill
f4.c:20:[value] Reading left-value rv.
It contains a garbled mix of {alloced_return_malloc} because of
Library function {f4.c:17}.
[value] computing for function printf <- main.
Called from f4.c:20.
[kernel] warning: Neither code nor specification for function printf, generating default assigns from the prototype
[value] using specification for function printf
[value] Done for function printf
[value] Recording results for main
[value] done for function main
[value] ====== VALUES COMPUTED ======
[value] Values at end of function fill:
__retres ∈
{{ garbled mix of &{alloced_return_malloc}
(origin: Library function {f4.c:17}) }}
alloced_return_malloc[...] ∈
{{ garbled mix of &{alloced_return_malloc}
(origin: Library function {f4.c:17}) }}
[value] Values at end of function main:
ptr ∈ {{ NULL + [--..--] ; &alloced_return_malloc + [0..2147483647] }}
rv ∈
{{ garbled mix of &{alloced_return_malloc}
(origin: Library function {f4.c:17}) }}
__retres ∈ {0}
alloced_return_malloc[...] ∈
{{ garbled mix of &{alloced_return_malloc}
(origin: Library function {f4.c:17}) }}
Your problem mainly lies in the following warning:
[value] computing for function malloc <- main.
Called from f4.c:17.
[kernel] warning: Neither code nor specification for function malloc, generating default assigns from the prototype
[value] using specification for function malloc
Basically, the malloc function has neither an implementation nor an ACSL specification, so the Value Analysis does not know how to handle it and returns a very imprecise result (namely {{ garbled mix of &{alloced_return_malloc} (origin: Library function {f4.c:17}) }}). From there on, false positives are to be expected.
If you intend to provide a suitable initial context for the fill function, you should use a static array instead. The public Frama-C release does not provide built-ins for malloc, and simulating them in pure C will probably not get you very far.
Also note that the comment before the fill function is not an ACSL specification. Those are introduced by /*@, not by /* followed somewhere later by an @.
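The rewrite the answer suggests, as an added example that is neither the asker's code nor the answerer's: the heap buffer becomes a static array so the analyzer has a precise initial state, and the contract on fill is a real ACSL annotation opened with /*@. The names run and buf are mine; the precondition is also tightened to the length cells that exist, because the original range 0..length+1 asks for two cells past the end of the buffer. The command line is the one from the question, frama-c -val f4.c.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not code from the question or the answer above.
   A #define (not a const int) is needed so the array size is a constant
   expression at file scope. */
#define BUF_SIZE 100

/* A static array gives the analyzer a precise initial context: every cell
   of buf is known to be valid (and zero-initialized) from the start. */
static int buf[BUF_SIZE];

// A real ACSL contract: note the "@" right after the comment opener.
// The \valid range covers exactly the 'length' cells the caller owns.
/*@ requires length >= 1;
    requires \valid(iptr + (0 .. length - 1));
    assigns *iptr;
    ensures *iptr == 3;
    ensures \result == 3;
*/
int fill(int *iptr, int length)
{
    (void)length;   /* only used by the contract */
    *iptr = 3;
    return *iptr;
}

/* Entry point for both the analysis and the checks below (assumed name). */
int run(void)
{
    memset(buf, 0x00, sizeof buf);
    return fill(buf, BUF_SIZE);
}

int main(void)
{
    printf("rv = %d\n", run());
    return 0;
}
```

With the array static and the contract written as ACSL, the value analysis no longer has a garbled mix for iptr, so the \valid assertion at the write is provable rather than flagged.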