Added CBMC proof of stringBuilder function #255
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,28 @@ | ||
| # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. | ||
| # SPDX-License-Identifier: Apache-2.0 | ||
|
|
||
| HARNESS_ENTRY = stringBuilder_harness | ||
| HARNESS_FILE = $(HARNESS_ENTRY) | ||
|
|
||
| # This should be a unique identifier for this proof, and will appear on the | ||
| # Litani dashboard. It can be human-readable and contain spaces if you wish. | ||
| PROOF_UID = stringBuilder | ||
|
|
||
| DEFINES += | ||
| INCLUDES += | ||
|
|
||
| REMOVE_FUNCTION_BODY += | ||
| UNWINDSET += | ||
|
|
||
| CBMC_FLAG_UNWINDING_ASSERTIONS = | ||
|
|
||
| PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c | ||
| PROJECT_SOURCES += $(SRCDIR)/source/ota_mqtt.c | ||
|
|
||
| # If this proof is found to consume huge amounts of RAM, you can set the | ||
| # EXPENSIVE variable. With new enough versions of the proof tools, this will | ||
| # restrict the number of EXPENSIVE CBMC jobs running at once. See the | ||
| # documentation in Makefile.common under the "Job Pools" heading for details. | ||
| # EXPENSIVE = true | ||
|
|
||
| include ../Makefile.common |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| stringBuilder proof | ||
| ============== | ||
|
|
||
| This directory contains a memory safety proof for stringBuilder. | ||
|
|
||
| To run the proof. | ||
| ------------- | ||
|
|
||
| * Add `cbmc`, `goto-cc`, `goto-instrument`, `goto-analyzer`, and `cbmc-viewer` | ||
| to your path. | ||
| * Run `make`. | ||
| * Open html/index.html in a web browser. | ||
|
|
||
| To use [`arpa`](https://github.com/awslabs/aws-proof-build-assistant) to simplify writing Makefiles. | ||
| ------------- | ||
|
|
||
| * Run `make arpa` to generate a Makefile.arpa that contains relevant build information for the proof. | ||
| * Use Makefile.arpa as the starting point for your proof Makefile by: | ||
| 1. Modifying Makefile.arpa (if required). | ||
| 2. Including Makefile.arpa into the existing proof Makefile (add `sinclude Makefile.arpa` at the bottom of the Makefile, right before `include ../Makefile.common`). |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| # This file marks this directory as containing a CBMC proof. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| { "expected-missing-functions": | ||
| [ | ||
| ], | ||
| "proof-name": "<__FUNCTION_NAME__>", | ||
| "proof-root": "<__PATH_TO_PROOF_ROOT__>" | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,62 @@ | ||
| /* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. */ | ||
| /* SPDX-License-Identifier: Apache-2.0 */ | ||
|
|
||
| /** | ||
| * @file stringBuilder_harness.c | ||
| * @brief Implements the proof harness for stringBuilder function. | ||
| */ | ||
| #include "ota_mqtt_private.h" | ||
|
|
||
| /* Declaration of the mangled name function generated by CBMC for static functions. */ | ||
| size_t __CPROVER_file_local_ota_mqtt_c_stringBuilder( char * pBuffer, | ||
| size_t bufferSizeBytes, | ||
| const char * strings[] ); | ||
|
|
||
| void stringBuilder_harness() | ||
| { | ||
| char * pBuffer; | ||
| size_t bufferSizeBytes; | ||
| char ** strings; | ||
|
|
||
| size_t numStrings; | ||
| size_t stringSize; | ||
| size_t i; | ||
| size_t stringLength; | ||
|
|
||
| /* The pBuffer is statically allocated with a non-zero size before passing it to the stringBuilder function.*/ | ||
| __CPROVER_assume( bufferSizeBytes > 0 ); | ||
| pBuffer = ( char * ) malloc( bufferSizeBytes ); | ||
|
|
||
| /* pBuffer can never be NULL since it it always initialized before passing it to the stringBuilder function. */ | ||
| __CPROVER_assume( pBuffer != NULL ); | ||
|
|
||
| /* The minimum and the maximum number of strings inside the numStrings is 11. */ | ||
| __CPROVER_assume( numStrings > 0 && numStrings < UINT32_MAX ); | ||
|
|
||
| /* Initializing an array of strings with size numStrings. */ | ||
| strings = ( char ** ) malloc( numStrings * sizeof( char * ) ); | ||
|
|
||
| /* The strings array cannot be NULL as it is always initialized before | ||
| * passing to the function. */ | ||
| __CPROVER_assume( strings != NULL ); | ||
|
|
||
| for( i = 0; i < numStrings - 1; ++i ) | ||
| { | ||
| strings[ i ] = ( char * ) malloc( stringSize ); | ||
| } | ||
|
There was a problem hiding this comment. This condition: There was a problem hiding this comment. Yes. I have changed the free statement accordingly. In this proof I only to allocate memory for the first |
||
|
|
||
| /* Strings array is always passed with a NULL string at the end. */ | ||
| __CPROVER_assume( strings[ numStrings - 1 ] == NULL ); | ||
yanjos-dev marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| __CPROVER_file_local_ota_mqtt_c_stringBuilder( pBuffer, bufferSizeBytes, strings ); | ||
|
|
||
| /* Free the allocated memory. */ | ||
| free( pBuffer ); | ||
|
|
||
| for( i = 0; i < numStrings; ++i ) | ||
|
There was a problem hiding this comment. This should match your previous memory allocation. I think this is correct though and that the malloc code needs to change, as commented above. There was a problem hiding this comment. Updated it in 6d32385 |
||
| { | ||
| free( strings[ i ] ); | ||
| } | ||
|
|
||
| free( strings ); | ||
| } | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This wording sounds like you are saying both the min and the max are 11. I think you mean to say that the min is 0 and the max is 11.
Also, if the max is 11, then why have the assumption go to UINT32_MAX?
size_tis also a signed data type, so it doesn't make sense to compare it to UINT32_MAX.