Feature #6912
closedSupport for several advices for memory allocation functions (kzalloc)
0%
Description
Memory allocation functions should be instrumented for different aspects
Namely:
1. Common parts of rule models impose restrictions on allocated pointers. For example, the ERR_PTR model should restrict value of successfully allocated pointer. The resulting pointer should be <= LDV_PTR_MAX
2. Rule models itself like 43_1a perform checks of input parameters and may also depend on returning values.
3. Memory allocation functions should not have a body. Thus they should be replaced by some functions without body.
For example, kzalloc is defined as inline function and has a body. It should be replaced, for example, by ldv_kzalloc, declared for verification task.
Suggested workaround approach defines a default model for memory allocation functions
For example,
pointcut ALLOC_AROUND: execution(static inline void *kzalloc(size_t size, gfp_t flags))
around: ALLOC_AROUND
{
void *res;
ldv_before_kzalloc(size, flags);
res = ldv_kzalloc(size, flags);
ldv_after_kzalloc(res, size, flags);
return res;
}
//ldv_kzalloc name is provided as configuration for verification tool void *ldv_kzalloc(size_t size, gfp_t flags); //the following functions may be implemented by commons parts and rule models void ldv_before_kzalloc(size_t size, gfp_t flags); void ldv_after_kzalloc(void *ptr, size_t size, gfp_t flags);
For example, for ERR_PTR:
void ldv_after_kzalloc(void *ptr, size_t size, gfp_t flags) {
ldv_assume(ptr<=LDV_PTR_MAX);
}
for 43_1a:
void ldv_before_kzalloc(size_t size, gfp_t flags) {
ldv_check_alloc_flags(flags);
}
Updated by Evgeny Novikov about 8 years ago
- Subject changed from Support for several aspects for memory allocation functions (kzalloc) to Support for several advices for memory allocation functions (kzalloc)
- Category set to Requirement specifications
- Priority changed from Normal to Urgent
Several additions.
There should be at least a declaration for ldv_kzalloc() to avoid build errors. I hope that it will be presented by Ilja tomorrow.
I guess that ldv_kzalloc() should return not only pointer that isn't greater than LDV_PTR_MAX but the whole successfully allocated region should lie before LDV_PTR_MAX, i.e.
void ldv_after_kzalloc(void *ptr, size_t size, gfp_t flags) {
ldv_assume(ptr + size < LDV_PTR_MAX);
}
I don't think that now we need to pass size to ldv_before_kzalloc() and flags to ldv_after_kzalloc(). Maybe this won't be the case in future.
Updated by Evgeny Novikov almost 8 years ago
- Priority changed from Urgent to Normal
Don't understand why I raised this issue priority.
Updated by Vitaly Mordan almost 8 years ago
Related work to this issue was started in branch fix_6912.
It implements all internal memory allocation and non-deterministic functions through SV-COMP functions.
Alloc aspect is suggested to use for each rule specification, but it will affect verification results (a lot of transitions for verdicts are expected).
Updated by Evgeny Novikov almost 8 years ago
- Status changed from New to Open
- Priority changed from Normal to Urgent
Due to absence of the kzalloc model we get one false alarm in the validation set (2799366670b3~/drivers/target/target_core_iblock.ko/linux:bio).
Don't worry about verdict transitions. We need this model any way.
Updated by Evgeny Novikov almost 8 years ago
- Status changed from Open to Closed
- Published in build set to 3803ab4
The branch was merged to master in 3803ab4, but without corresponding efforts at the verifier side (https://svn.sosy-lab.org/trac/cpachecker/ticket/268) our models of no use.
Updated by Evgeny Novikov almost 8 years ago
- Published in build changed from 3803ab4 to 5b44e4b
One fix was added in 5b44e4b. Before allocating memory with unknown memory sizes couldn't fail.