[Frama-c-discuss] integer overflow

John Regehr regehr at cs.utah.edu
Thu Jun 11 21:35:24 CEST 2009


On June 5 Pascal Cuoc said:

 > The value analysis *could* take care of that and emit an alarm
 > each time it can't ensure that no overflow occurs. Currently,
 > it assumes that all overflows are desired overflows that are part
 > of the program's logic, and it continues the analysis with a
 > correct superset of the values that can actually be obtained
 > at run-time, assuming 2's complement arithmetic and proper
 > configuration of the characteristics of the target architecture.

This seems slightly worrisome.

Just to be clear, of course C has different kinds of overflow:

First, overflow of unsigned math operators is defined to have modulo behavior.

Second, overflow in lossy integer casts (for example, casting int to short) 
is implementation defined.  However, all common C compiler do the obvious 
thing.

Third, overflow of signed arithmetic (for example, MAX_INT+1) is undefined. 
  Due to C's semantics, the "correct superset of the values that can 
actually be obtained at run-time" does not exist.  Rather, anything at all 
can happen including terminating with a signal, continuing to execute with 
a corrupt state, etc.  A C program should never continue to execute after 
executing an operation with undefined behavior, and so it seems rather 
important for Frama-C to give rigorous warnings in this case.

Optimizing C compilers including gcc routinely exploit the undefined nature 
of signed overflow!

Anyway, I have some C functions for which I want to prove the absence of 
the third kind of overflow, which results in undefined behavior.  Is there 
a way to get Frama-C to help me do this?

Thanks,

John Regehr



More information about the Frama-c-discuss mailing list