sea-dsa
sea-dsa copied to clipboard
Published
20 hours ago •
seahorn
seahorn
Wrong handling of global pointers in constant structs
Consider the following llvm program:
source_filename = "/tmp/st.c"
target datalayout = "e-m:o-p:32:32-f64:32:64-f80:128-n8:16:32-S128"
target triple = "i386-apple-macosx10.13.0"
%struct.s = type { i16*, i32 } ; struct with a ptr to i16 and a i32 int
@g.ptr = internal unnamed_addr global i16 42, align 4
declare void @verifier.assume.not(i1)
declare void @seahorn.fail()
; Function Attrs: noreturn
declare void @verifier.error() #0
; Function Attrs: noinline nounwind ssp uwtable
define i32 @main() local_unnamed_addr #2 {
entry:
%v1 = load i16, i16* @g.ptr
%v2.p = extractvalue %struct.s {i16* @g.ptr, i32 0}, 0
%v2 = load i16, i16* %v2.p
%cond = icmp eq i16 %v1, %v2
call void @verifier.assume.not(i1 %cond)
br label %verifier.error
verifier.error: ; preds = %entry
call void @seahorn.fail()
br label %verifier.error.split
verifier.error.split: ; preds = %verifier.error
ret i32 42
}
attributes #0 = { noreturn }
attributes #1 = { argmemonly nounwind }
attributes #2 = { noinline nounwind ssp uwtable "correctly-rounded-divide-sqrt-fp-math"="false" "disable-tail-calls"="false" "less-precise-fpmad"="false" "no-frame-pointer-elim"="true" "no-frame-pointer-elim-non-leaf" "no-infs-fp-math"="false" "no-jump-tables"="false" "no-nans-fp-math"="false" "no-signed-zeros-fp-math"="false" "no-trapping-math"="false" "stack-protector-buffer-size"="8" "target-cpu"="penryn" "target-features"="+cx16,+fxsr,+mmx,+sse,+sse2,+sse3,+sse4.1,+ssse3,+x87" "unsafe-fp-math"="false" "use-soft-float"="false" }
attributes #3 = { nounwind }
!llvm.module.flags = !{!0, !1, !2}
!llvm.ident = !{!3}
!0 = !{i32 1, !"NumRegisterParameters", i32 0}
!1 = !{i32 1, !"wchar_size", i32 4}
!2 = !{i32 7, !"PIC Level", i32 2}
!3 = !{!"clang version 5.0.2 (tags/RELEASE_502/final)"}
g.ptr must alias v2.p, but sea-dsa says it does not.
Seems like the initialization of constant struct is ignored.
For convenience, the memory graph looks like this:
digraph unnamed {
graph [center=true, ratio=true, bgcolor=lightgray, fontname=Helvetica];
node [fontname=Helvetica, fontsize=11];
Node0x1516560 [shape=record,label="{\{0:i16\}:R}"];
Node0x152a240 [shape=record,label="{\{0:i16*\}:R|{<s0>\<0, i16*\>}}"];
Node0x152af40 [shape=record,label="{\{0:i16\}:SR}"];
Node0x15120e8 [shape=plaintext, label ="v2.p"];
Node0x15120e8 -> Node0x152af40[arrowtail=tee,label="0",fontsize=8,color=purple];
Node0x1511ea0 [shape=plaintext, label ="%struct.s \{ i16* @g.ptr, i32 0 \}"];
Node0x1511ea0 -> Node0x152a240[arrowtail=tee,label="0",fontsize=8,color=purple];
Node0x1510f68 [shape=plaintext, label ="g.ptr"];
Node0x1510f68 -> Node0x1516560[arrowtail=tee,label="0",fontsize=8,color=purple];
Node0x152a240:s0 -> Node0x152af40[arrowtail=tee,label="0, i16*",fontsize=8];
}
The points-to graph that you attach is the one i would expect.
Why do you think that g.ptr and v2.p should alias?
