[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [csmith-dev] feature request: generate memory unsafe code

To: csmith-dev@flux.utah.edu
Subject: Re: [csmith-dev] feature request: generate memory unsafe code
From: "Arthur O'Dwyer" <arthur.j.odwyer@gmail.com>
Date: Sun, 19 Jun 2011 23:12:03 -0700
In-reply-to: <00c301cc2e95$2f72a8b0$8e57fa10$@utah.edu>
List-archive: </listarchives/csmith-dev>
List-help: <mailto:csmith-dev-request@flux.utah.edu?subject=help>
List-id: Csmith Development Mailing List <csmith-dev.flux.utah.edu>
List-post: <mailto:csmith-dev@flux.utah.edu>
List-subscribe: <http://www.flux.utah.edu/mailman/listinfo/csmith-dev>, <mailto:csmith-dev-request@flux.utah.edu?subject=subscribe>
List-unsubscribe: <http://www.flux.utah.edu/mailman/listinfo/csmith-dev>, <mailto:csmith-dev-request@flux.utah.edu?subject=unsubscribe>
References: <4DEFE792.8040807@cs.utah.edu> <007e01cc2dd7$656fb520$304f1f60$@utah.edu> <BANLkTiknT-d8Ljmcp1M+WAp_sMkEGhMqHA@mail.gmail.com> <00c301cc2e95$2f72a8b0$8e57fa10$@utah.edu>

On Sun, Jun 19, 2011 at 8:25 AM, Xuejun Yang <jxyang@cs.utah.edu> wrote:
[Pascal Cuoq wrote:]
>>
>> This is great. I have one question: does Csmith know,
>> when emitting a possible NULL/dangling access,
>> that it is emitting one, or only that it may be emitting one?
>>
>> In the former case, it could provide some sort of oracle,
>> for instance:
>>
>> p = NULL;
>> a = 3;
>> printf("When this line is reached, it is followed by a NULL
> dereference.\n");
>> b = *p;
>>
>> There are ramifications to this issue [...]
>
> Yes, Csmith knows when there is a potential null/dangling pointer
> dereference. But I hesitated to print a runtime message like you suggested
> because the message may interfere with differential testing of compilers.
> Instead I could print a comment in the random program right above the
> violating statement, what do you think?

I think macros are helpful, in this context.

    #if INSTRUMENT
     #define MAY_BE_NULL(ptr) (puts("possible NULL dereference"), (ptr))
    #else
     #define MAY_BE_NULL(ptr) (ptr)
    #endif

    p = NULL;
    a = 3;
    b = *MAY_BE_NULL(p);

That is, whenever we have a variable v_999 that is a possibly-null
pointer, Csmith should print it as "MAY_BE_NULL(v_999)" in rvalue
contexts.

  The above paragraph may want some adjustment if Csmith can actually
distinguish "possibly-null" pointers from "definitely-null" pointers.
Dereferencing a pointer that is only *possibly* null is not
necessarily a bug.

-Arthur

Follow-Ups:
- Re: [csmith-dev] feature request: generate memory unsafe code
  - From: "Xuejun Yang" <jxyang@cs.utah.edu>

References:
- [csmith-dev] feature request: generate memory unsafe code
  - From: John Regehr <regehr@cs.utah.edu>
- Re: [csmith-dev] feature request: generate memory unsafe code
  - From: "Xuejun Yang" <jxyang@cs.utah.edu>
- Re: [csmith-dev] feature request: generate memory unsafe code
  - From: Pascal Cuoq <pascal.cuoq@gmail.com>
- Re: [csmith-dev] feature request: generate memory unsafe code
  - From: "Xuejun Yang" <jxyang@cs.utah.edu>

Prev by Date: Re: [csmith-dev] feature request: generate memory unsafe code
Next by Date: Re: [csmith-dev] feature request: generate memory unsafe code
Previous by thread: Re: [csmith-dev] feature request: generate memory unsafe code
Next by thread: Re: [csmith-dev] feature request: generate memory unsafe code
Index(es):
- Date
- Thread