Skip to content

Disable OOB checks during reachability calculations #2022

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
sim642 merged 2 commits into from
May 8, 2026
+25 −1
Merged

Disable OOB checks during reachability calculations #2022

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
daaa916
Add zero-length VLA reachability regression
karoliineh May 6, 2026
3ef1233
Disable array bounds checks for reachability
karoliineh May 6, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions src/analyses/base.ml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -613,10 +613,15 @@ struct
| JmpBuf _ -> empty (* Jump buffers are abstract and nothing known can be reached from them *)
| Mutex -> empty (* mutexes are abstract and nothing known can be reached from them *)

let reachable_from_value ask (value: value) (t: typ) (description: string) =
let@ () = GobRef.wrap AnalysisState.executing_speculative_computations true in
reachable_from_value ask value t description

(* Get the list of addresses accessible immediately from a given address, thus
* all pointers within a structure should be considered, but we don't follow
* pointers. We return a flattend representation, thus simply an address (set). *)
let reachable_from_addr ~man st (addr: Addr.t): address =
let@ () = GobRef.wrap AnalysisState.executing_speculative_computations true in
if M.tracing then M.tracei "reachability" "Checking for %a" Addr.pretty addr;
let res = reachable_from_value (Analyses.ask_of_man man) (get_addr ~man st addr None) (Addr.type_of addr) (Addr.show addr) in
if M.tracing then M.traceu "reachability" "Reachable addresses: %a" AD.pretty res;
Expand Down Expand Up @@ -696,6 +701,7 @@ struct


let reachable_top_pointers_types man (ps: AD.t) : Queries.TS.t =
let@ () = GobRef.wrap AnalysisState.executing_speculative_computations true in
let module TS = Queries.TS in
let empty = AD.empty () in
let reachable_from_address (adr: address) =
Expand Down
4 changes: 3 additions & 1 deletion src/cdomain/value/cdomains/arrayDomain.ml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -802,7 +802,9 @@ end

(* This is the main array out of bounds check *)
let array_oob_check ( type a ) (module Idx: IntDomain.Z with type t = a) (x, l) (e, v) =
if GobConfig.get_bool "ana.arrayoob" then (* The purpose of the following 2 lines is to give the user extra info about the array oob *)
if !AnalysisState.executing_speculative_computations then
()
else if GobConfig.get_bool "ana.arrayoob" then (* The purpose of the following 2 lines is to give the user extra info about the array oob *)
let idx_before_end = Idx.lt v l in (* check whether index is before the end of the array *)
let idx_after_start = Idx.ge v (Idx.of_int (Cilfacade.ptrdiff_ikind ()) Z.zero) in (* check whether the index is non-negative *)
(* For an explanation of the warning types check the Pull Request #255 *)
Expand Down
16 changes: 16 additions & 0 deletions tests/regression/25-vla/07-zero-arg-reach.c
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
// PARAM: --enable ana.arrayoob
// extracted from SV-COMP task ldv-memsafety/ArraysOfVariableLength2.c

int bar(int b[]) {
return 0;
}

void foo(int n) {
int a[n];
bar(a); //NOWARN
}

int main(void) {
foo(0);
return 0;
}
Loading