TrustInSoft / tis-interpreter

An interpreter for finding subtle bugs in programs written in standard C

strtol() raises Builtins_lib_tis_scanf_new.Input_failure #130

Closed tavianator closed 7 years ago

tavianator commented 7 years ago

The following source:

$ cat foo.c
#include <stdlib.h>

int main() {
        const char *str = "";
        char *endptr;
        long value = strtol(str, &endptr, 10);
        return 0;
}

Crashes tis-interpreter:

$ tis-interpreter foo.c
[value] Analyzing a complete application starting at main
[value] Computing initial state
[value] Initial state computed
[kernel] Current source was: foo.c:6
         The full backtrace is:
         Raised at file "src/plugins/value/domains/cvalue/builtins_lib_tis_scanf_new.ml", line 833, characters 38-51
         Called from file "src/plugins/value/domains/cvalue/builtins_lib_tis_scanf_new.ml", line 1771, characters 4-43
         Called from file "src/plugins/value/domains/cvalue/builtins_lib_tis_scanf_new.ml", line 1879, characters 8-77
         Called from file "src/plugins/value/legacy/eval_funs.ml", line 363, characters 14-47
         Called from file "src/libraries/utils/statistics.ml", line 333, characters 21-29
         Re-raised at file "src/libraries/utils/statistics.ml", line 338, characters 14-15
         Called from file "src/plugins/value/legacy/eval_funs.ml", line 398, characters 14-53
         Called from file "src/plugins/value/legacy/eval_funs.ml", line 457, characters 8-18
         Re-raised at file "src/plugins/value/legacy/eval_funs.ml", line 463, characters 10-11
         Called from file "src/libraries/utils/statistics.ml", line 333, characters 21-29
         Re-raised at file "src/libraries/utils/statistics.ml", line 338, characters 14-15
         Called from file "src/plugins/value/legacy/eval_stmt.ml", line 594, characters 14-71
         Called from file "src/plugins/value/legacy/eval_stmt.ml", line 616, characters 10-69
         Called from file "src/plugins/value/legacy/eval_slevel.ml", line 509, characters 6-92
         Called from file "list.ml", line 84, characters 24-34
         Called from file "src/plugins/value/legacy/eval_slevel.ml", line 640, characters 7-81
         Called from file "src/libraries/utils/statistics.ml", line 333, characters 21-29
         Re-raised at file "src/libraries/utils/statistics.ml", line 338, characters 14-15
         Called from file "src/kernel_services/analysis/dataflow2.ml", line 362, characters 28-46
         Called from file "src/kernel_services/analysis/dataflow2.ml", line 512, characters 14-39
         Called from file "src/plugins/value/legacy/eval_funs.ml", line 58, characters 8-36
         Called from file "src/plugins/value/legacy/eval_funs.ml", line 161, characters 8-61
         Called from file "src/plugins/value/legacy/eval_funs.ml", line 321, characters 14-117
         Re-raised at file "src/plugins/value/legacy/eval_funs.ml", line 325, characters 14-15
         Called from file "src/libraries/utils/statistics.ml", line 333, characters 21-29
         Re-raised at file "src/libraries/utils/statistics.ml", line 338, characters 14-15
         Called from file "src/plugins/value/legacy/eval_funs.ml", line 703, characters 11-40
         Re-raised at file "src/plugins/value/legacy/eval_funs.ml", line 731, characters 47-50
         Called from file "src/libraries/project/state_builder.ml", line 978, characters 9-13
         Re-raised at file "src/libraries/project/state_builder.ml", line 986, characters 15-18
         Called from file "src/plugins/value/register.ml", line 108, characters 4-24
         Called from file "queue.ml", line 134, characters 6-20
         Called from file "src/kernel_internals/runtime/boot.ml", line 39, characters 4-20
         Called from file "src/kernel_services/cmdline_parameters/cmdline.ml", line 783, characters 2-9
         Called from file "src/kernel_services/cmdline_parameters/cmdline.ml", line 813, characters 18-64
         Called from file "src/kernel_services/cmdline_parameters/cmdline.ml", line 224, characters 4-8

         Unexpected error (Builtins_lib_tis_scanf_new.Input_failure).
         Please report at https://github.com/TrustInSoft/tis-interpreter/issues
pascal-cuoq commented 7 years ago

sorry: issue not fixed yet, my mistake

pascal-cuoq commented 7 years ago

Sorry for the snafu.

I have augmented the testcase thus:

#include <stdlib.h>
#include <errno.h>
#include <stdio.h>

int main(void) {
        const char *str = "";
        char *endptr;
        long value = strtol(str, &endptr, 10);
        printf("%d %ld %td\n", (int)errno, value, endptr - str);
        return 0;
}

and this case at least now seems to be correctly handled:

$ tis-interpreter.sh t.c
[value] Analyzing a complete application starting at main
[value] Computing initial state
[value] Initial state computed

0 0 0

[value] done for function main
$ gcc t.c && ./a.out
0 0 0

It is a bit tricky to share the bulk, but not the details, of ato*, strto*, and *scanf. This is a great bug report, please do not hesitate to report any further problems you find.
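The report above turns on the no-conversion case of strtol(): for an empty string the standard requires a return value of 0, endptr pointing back at the start of the input, and errno set to ERANGE only on overflow. The following is an added example, not code from the issue or from tis-interpreter, that pins down those edge cases in a small guarded wrapper; the helper names (parse_long, empty_string_offset, parse_status) and the sample inputs are constructed for this illustration. It goes slightly beyond the report by also covering trailing garbage and ERANGE, the other two failure modes a caller of strtol() has to distinguish from a genuine zero.

```c
/* Added example, not part of the original issue or of tis-interpreter.
 * It exercises the edge cases of strtol() that an interpreter must model:
 * no conversion (empty string / no digits), trailing garbage, and ERANGE.
 * The helper and sample inputs are constructed for this illustration. */
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outcome of one guarded conversion. */
enum parse_status {
    PARSE_OK = 0,        /* entire string consumed as a number */
    PARSE_NO_DIGITS,     /* no conversion performed: endptr == str */
    PARSE_TRAILING,      /* number followed by unconverted characters */
    PARSE_OUT_OF_RANGE   /* value did not fit in long: errno == ERANGE */
};

/* Hypothetical helper: strtol() with every failure mode checked.
 * When no conversion is performed, strtol returns 0 and stores str in
 * *endptr; errno is guaranteed to be ERANGE only on overflow (some libcs
 * also set EINVAL on no conversion, so only ERANGE is tested here).
 * A caller who only tests the return value cannot tell "0" from
 * "nothing parsed", which is why the endptr check comes first. */
enum parse_status parse_long(const char *str, int base, long *out)
{
    char *endptr = NULL;
    errno = 0;                    /* must be cleared: strtol never resets it */
    long value = strtol(str, &endptr, base);

    if (endptr == str)
        return PARSE_NO_DIGITS;   /* the case from the bug report: "" */
    if (errno == ERANGE)
        return PARSE_OUT_OF_RANGE;
    if (*endptr != '\0')
        return PARSE_TRAILING;
    *out = value;
    return PARSE_OK;
}

/* Reproduces the observation in the issue for the empty string: value 0
 * and endptr - str == 0. errno is reported as observed, not interpreted.
 * Returns the offset of endptr from the start of the input. */
ptrdiff_t empty_string_offset(long *value_out, int *errno_out)
{
    const char *str = "";          /* constructed input, as in the report */
    char *endptr;
    errno = 0;
    *value_out = strtol(str, &endptr, 10);
    *errno_out = errno;
    return endptr - str;
}

int main(void)
{
    /* Constructed sample inputs covering each status value. */
    const char *samples[] = { "", "  42", "42abc", "99999999999999999999", "-0x1f" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long v = 0;
        enum parse_status s = parse_long(samples[i], 0, &v);
        printf("%-22s -> status %d value %ld\n", samples[i], (int)s, v);
    }
    return 0;
}
```

The order of the three checks matters: on overflow endptr has advanced past the digits, so the endptr test alone would report success, and a string such as "42abc" parses cleanly up to the "a", so only the final *endptr test catches it. Running the block under both a native compiler and tis-interpreter is a convenient way to confirm that the interpreter's model of strtol() agrees with the libc it is meant to stand in for.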