Skip to content

Fix memOutOfBounds handling of negative pointer offsets#2017

Merged
sim642 merged 7 commits into
masterfrom
memsafety-neg-offset
May 7, 2026
Merged

Fix memOutOfBounds handling of negative pointer offsets#2017
sim642 merged 7 commits into
masterfrom
memsafety-neg-offset

Conversation

@karoliineh

@karoliineh karoliineh commented May 5, 2026

Copy link
Copy Markdown
Member

This PR fixes a bug in memOutOfBounds where before-start accesses were classified as safe when the offset was negative and precise enough under ana.int.interval, i.e., the bug only manifested when interval domain was turned on. With ana.int.interval, Goblint can compute offsets precisely enough that negative-offset accesses no longer stay at top. This issue was found using the dashboard comparison between Goblint and Mopsa and was exposed by the SV-COMP task list-ext-properties/960521-1_1-1.i.

  • Added regressions for negative-offset memOutOfBounds cases in tests/regression/74-invalid_deref.
  • Fixed memOutOfBounds to warn when the computed byte offset is negative, in addition to the existing past-the-end check.
  • Made the ptr_size_lt_offs comparison sites handle IntDomain.ArithmeticOnIntegerBot consistently by falling back to the existing conservative “could not compare” behavior.
  • Refactored the duplicated offset-bound comparison logic into top-level helpers, while preserving the original distinction between:
    • dereference-offset checks using (size - 1) < offset
    • pointer-offset checks using size < offset

@karoliineh karoliineh self-assigned this May 5, 2026
@karoliineh karoliineh added unsound sv-comp SV-COMP (analyses, results), witnesses labels May 5, 2026
@sim642 sim642 added the bug label May 5, 2026
@sim642 sim642 added this to the SV-COMP 2027 milestone May 5, 2026
@karoliineh karoliineh requested a review from michael-schwarz May 6, 2026 11:19
sim642
sim642 reviewed May 7, 2026
View reviewed changes
Comment thread src/analyses/memOutOfBounds.ml Outdated
michael-schwarz
michael-schwarz reviewed May 7, 2026
View reviewed changes
Comment thread src/analyses/memOutOfBounds.ml
michael-schwarz
michael-schwarz reviewed May 7, 2026
View reviewed changes

@michael-schwarz michael-schwarz left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Other than the suggestion, LGTM!

Comment thread tests/regression/74-invalid_deref/36-one-past-pointer.c
char *buf = malloc(4);
char *end;
end = buf + 4; //NOWARN
printf("%p", (void *) end); //NOWARN

@michael-schwarz michael-schwarz May 7, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
printf("%p", (void *) end); //NOWARN
printf("%p", (void *) end); //NOWARN
printf("%c", *end); //WARN

So we also see that we do indeed warn if this pointer is dereferenced.

@karoliineh karoliineh May 7, 2026

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ha! it seems you just uncovered an unrelated unsoundness with this ;) I suggest we merge this as is and I will add this suggestion on another PR with an appropriate fix.

@michael-schwarz michael-schwarz May 7, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, sounds good!

@karoliineh karoliineh mentioned this pull request May 7, 2026
Draft
@sim642 sim642 merged commit 72f38e1 into master May 7, 2026
19 checks passed
@sim642 sim642 deleted the memsafety-neg-offset branch May 7, 2026 14:57
@karoliineh karoliineh mentioned this pull request May 8, 2026
Open
@sim642 sim642 mentioned this pull request May 12, 2026
Merged
@sim642 sim642 mentioned this pull request Jun 15, 2026
Merged
avsm pushed a commit to ocaml/opam-repository that referenced this pull request Jun 15, 2026
@sim642
[new release] goblint (2.8.0)
a9a0143 
CHANGES:

* Add new may-happen-in-parallel analyses (goblint/analyzer#1805, goblint/analyzer#1865, goblint/analyzer#1913, goblint/analyzer#1928).
* Add Open Verification Dashboard checks output (goblint/analyzer#1838, goblint/analyzer#1929).
* Add negative bitwise shift warnings (goblint/analyzer#1637, goblint/analyzer#1989).
* Add missing function declaration warnings (goblint/analyzer#1911).
* Improve overflow warnings (goblint/analyzer#1894, goblint/analyzer#1895, goblint/analyzer#1896, goblint/analyzer#1905).
* Fix spurious overflow checks (goblint/analyzer#1767, goblint/analyzer#1909, goblint/analyzer#1910, goblint/analyzer#1932, goblint/analyzer#2022).
* Fix missing overflow and out-of-bounds checks (goblint/analyzer#1935, goblint/analyzer#2017, goblint/analyzer#2029).
* Optimize base analysis domain using Patricia trees (goblint/analyzer#2002, goblint/analyzer#2015).
* Optimize field offset calculations (goblint/analyzer#1964, goblint/analyzer#1973, goblint/analyzer#1974).
* Optimize non-incremental top-down solver (goblint/analyzer#1566, goblint/analyzer#1972).
* Add OCaml 5.5 support (goblint/analyzer#2006, goblint/analyzer#2010).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sim642 sim642 sim642 left review comments

@michael-schwarz michael-schwarz michael-schwarz approved these changes

Assignees

@karoliineh karoliineh

Labels

bug sv-comp SV-COMP (analyses, results), witnesses unsound

Projects

None yet

Milestone

SV-COMP 2027

Development

Successfully merging this pull request may close these issues.

3 participants

@karoliineh @sim642 @michael-schwarz