Skipping getenv gives "unbound load" and "memory error: out of bound pointer"
This is on the `bc` benchmark again. Unfortunately, I was not able to isolate a list of skipped functions that triggers it on vanilla Chopper, so reproducibility is bad for this one. Maybe you would have a clue regardless. This is how it goes:
I specify a list of functions that should not be skipped, and skip everything else. I have narrowed down that if I specify to not skip:
- __errno_location
- __h_errno_location
- __user_main
- __uClibc_main
- isatty
- getenv
then I get no error, but if I specify to *not* skip
- __errno_location
- __h_errno_location
- __user_main
- __uClibc_main
- isatty
I get:
```
$ klee -libc=uclibc -simplify-sym-indices -search=nurs:covnew -split-search -skip-functions-not=__errno_location,__h_errno_location,__user_main,__uClibc_main,isatty -autokeep=0 bc.bc
[dc58bf] KLEE: ■ __uClibc_main
[dc58bf] KLEE: ■ ■ __wrap_memset
[dc58bf] KLEE: ■ ■ __uClibc_init
[dc58bf] KLEE: ■ ■ __wrap_strrchr
[dc58bf] KLEE: ■ ■ __wrap_llvm.expect.i64
[dc58bf] KLEE: ■ ■ __uClibc_init
[dc58bf] KLEE: ■ ■ ■ __wrap_llvm.expect.i64
[dc58bf] KLEE: ■ ■ __errno_location
[dc58bf] KLEE: ■ ■ __wrap_llvm.expect.i64
[dc58bf] KLEE: ■ ■ __uClibc_init
[dc58bf] KLEE: ■ ■ ■ __wrap_llvm.expect.i64
[dc58bf] KLEE: ■ ■ __h_errno_location
[64b40a] KLEE: WARNING ONCE: calling __user_main with extra arguments.
[dc58bf] KLEE: ■ ■ ■ isatty
[dc58bf] KLEE: ■ ■ ■ ■ __wrap_tcgetattr
[dc58bf] KLEE: ■ ■ ■ setvbuf
[dc58bf] KLEE: ■ ■ ■ __wrap_getenv
[13eaf3] KLEE: WARNING: UNBOUND, inst=load
[d6c361] KLEE: ERROR: /home/ubuntu/code/chopper-experiments/bc/bc-1.06/build/bc/../../bc/main.c:184: memory error: out of bound pointer
[b3874e] KLEE: NOTE: now ignoring this error at this location
```
Do you know the signification of this `WARNING: UNBOUND, inst=load` and this `memory error: out of bound pointer`?