Robustness Analysis Fails - A Bug In HTML Results Saver

[qutorial]

In the code/applications/HeartBleed on the fortissStable branch running the robustness analyses on Linux generates 36 claims and the defect is detected. On Mac OS X only 12 claims generate and the defect stays unrevealed.

To reproduce: checkout fortissStable branch, open code/applications/HeartBleed, check the first analysis configuration, one claim has to fail. But all succeed. 36 claims have to be there, but only 12 are shown.

[qutorial]

Results saved in: /Users/fortiss/mbeddr/mbeddr.github/code/applications/HeartBleed/solutions/analyses_results/HearBleedImpl/Model1/xmlCBMCRawOutput/HearBleedImpl.Model1_nightly.html java.lang.NullPointerException at com.mbeddr.analyses.cbmc.rt.run.HTMLResultsSaver$1.run(HTMLResultsSaver.java:66) at jetbrains.mps.ide.smodel.WorkbenchModelAccess$2.run(WorkbenchModelAccess.java:116) at com.intellij.openapi.application.impl.ApplicationImpl.runReadAction(ApplicationImpl.java:911) at jetbrains.mps.ide.smodel.WorkbenchModelAccess.runReadAction(WorkbenchModelAccess.java:111) at com.mbeddr.analyses.cbmc.rt.run.HTMLResultsSaver.generateHTMLPage(HTMLResultsSaver.java:63) at com.mbeddr.analyses.cbmc.rt.run.AnalysisConfigurationAnalyzer.doSaveResults(AnalysisConfigurationAnalyzer.java:161) at com.mbeddr.analyses.cbmc.rt.run.AnalysisConfigurationAnalyzer.doInBackground(AnalysisConfigurationAnalyzer.java:100) at com.mbeddr.analyses.cbmc.rt.run.AnalysisConfigurationAnalyzer.doInBackground(AnalysisConfigurationAnalyzer.java:1) at javax.swing.SwingWorker$1.call(SwingWorker.java:277) at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303) at java.util.concurrent.FutureTask.run(FutureTask.java:138) at javax.swing.SwingWorker.run(SwingWorker.java:316) at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918) at java.lang.Thread.run(Thread.java:695)

[qutorial]

Cbmc works fine on it, reporting a problem cbmc HeartBleed.c --bounds-check --pointer-check --function HeartBleed_verification --unwind 30

[danielratiu]

on windows I got 36 results and one claim failed

[qutorial]

Continuing investigation:

1) On Linux and Windows: This is wrong to have 36 claims. They have to be 18. It probably counts from two functions, HeartBleed_verification and HeartBleed_verificationFixed, whereas only one should be taken into account.

2) On Mac: cbmc produces different names for claims. E.g.

instead of something like Is it a compiler option difference? This is a serious problem indeed - different CBMC results mean not configured fully cbmc. Probably CBMC gets the current machine environment into account, whereas the deployment machine environment should count instead. More cbmc options have to be set to fix such things. Maybe taking them from build configuration?

[qutorial]

On mac a total of 24 claims is generated by CBMC, only 12 are shown by mbeddr

[qutorial]

Ok, so it is in the filter claims where things are getting filtered out wrongly.

Why to filter by the call graph, when cbmc accepts the --function property?

[danielratiu]

in the case of analyses starting from a synthethised environment, we do not want to check robustness of that environment (the users would not understand anything since the environments are completely automatic synthethised)

----- Ursprüngliche Mail ----- Von: "qutorial" notifications@github.com An: "mbeddr/mbeddr.core" mbeddr.core@noreply.github.com CC: "danielratiu" ratiu@fortiss.org Gesendet: Freitag, 16. Mai 2014 13:53:26 Betreff: Re: [mbeddr.core] Robustness Analysis Fails - A Bug In HTML Results Saver (#1064)

Ok, so it is in the filter claims where things are getting filtered out wrongly.

Why to filter by the call graph, when cbmc accepts the --function property?

---

Reply to this email directly or view it on GitHub: https://github.com/mbeddr/mbeddr.core/issues/1064#issuecomment-43323069

[qutorial]

An example?

[qutorial]

I brought back the formerly filtered out __built_in CBMC checks. But it still works differently on MAC, producing just 24 claims. None of them fails (one has to).

[qutorial]

Okay.

The memcpy() related bug is classified as an arithmetic overflow problem by CBMC on Mac, instead of a pointer dereference :(

To reproduce, just get the master, and run the simplest, third analysis configuration.

[danielratiu]

my last answer was slightly wrong: when calling "cbmc --show-properties --function foo file.c", cbmc shows ALL claims from file.c, even if they belong to program parts not reachable from function "foo". So, many checks will be superfluous and results true.

----- Ursprüngliche Mail ----- Von: "qutorial" notifications@github.com An: "mbeddr/mbeddr.core" mbeddr.core@noreply.github.com CC: "danielratiu" ratiu@fortiss.org Gesendet: Freitag, 16. Mai 2014 14:51:09 Betreff: Re: [mbeddr.core] Robustness Analysis Fails - A Bug In HTML Results Saver (#1064)

I brought back the formerly filtered out __built_in CBMC checks. But it still works differently on MAC, producing just 24 claims. None of them fails (one has to).

---

Reply to this email directly or view it on GitHub: https://github.com/mbeddr/mbeddr.core/issues/1064#issuecomment-43327242

[qutorial]

I guess we should delete the confusing --function XYZ cbmc setting. It has no effect. Right?

[qutorial]

Ok, it returns also false positives, when memcpy() is used.

uint8[10] src; uint8[10] dst; memcpy(dst,src,5); <--- overflow.

Reported as Arithmetic overflow on signed to unsigned conversion.