Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

challenge 06 desync issues #285

Closed
robdockins opened this issue Apr 27, 2022 · 2 comments
Closed

challenge 06 desync issues #285

robdockins opened this issue Apr 27, 2022 · 2 comments
Labels
stale Review - close as 'wontfix' or integrate into other ticket Strongest Postcondition Verifier
Projects
pate

Comments

@robdockins
Copy link
Contributor

The simplified challenge 06 example also suffers from control-flow desync issues, as of 0d80f8d and with the programtargets patch 41765a26fd93c58bd4f0c34233c2f2b29ba96f9e

cabal run pate -- -o ~/code/programtargets/challenge06-simplified/build/program_c -p ~/code/programtargets/challenge06-simplified/build/program_c.patched -V Debug --log-file ch06.log --strongestpost -b ~/code/programtargets/challenge06-simplified/build/challenge06.toml

ConcreteAddress 0x1065c (original) vs. ConcreteAddress 0x10698 (patched) program control flow desynchronized
  Original: 0x10680 analysis failure Just (0x1067c,"0x1067c: BX_A1(0001xxxx.IIIIIIII.0010IIII.xxxx0001) Rm 14, cond 0, QuasiMask0 QuasiMask\"(\"12): 4095")
  Patched:  0x106bc analysis failure Just (0x106b8,"0x106b8: BX_A1(0001xxxx.IIIIIIII.0010IIII.xxxx0001) Rm 14, cond 0, QuasiMask0 QuasiMask\"(\"12): 4095")
ConcreteAddress 0x1065c (original) vs. ConcreteAddress 0x10698 (patched) program control flow desynchronized
  Original: 0x10680 analysis failure Just (0x1067c,"0x1067c: BX_A1(0001xxxx.IIIIIIII.0010IIII.xxxx0001) Rm 14, cond 0, QuasiMask0 QuasiMask\"(\"12): 4095")
  Patched:  0x106bc analysis failure Just (0x106b8,"0x106b8: BX_A1(0001xxxx.IIIIIIII.0010IIII.xxxx0001) Rm 14, cond 0, QuasiMask0 QuasiMask\"(\"12): 4095")
ConcreteAddress 0x10a84 (original) vs. ConcreteAddress 0x10ac0 (patched) program control flow desynchronized
  Original: 0x10554 function call Just (0x10ab4,"0x10ab4: BLX_r_A1(0011xxxx.IIIIIIII.0010IIII.xxxx0001) Rm 3, cond 14, QuasiMask0 QuasiMask\"(\"12): 4095")
  Patched:  0x10588 function call Just (0x10af0,"0x10af0: BLX_r_A1(0011xxxx.IIIIIIII.0010IIII.xxxx0001) Rm 3, cond 14, QuasiMask0 QuasiMask\"(\"12): 4095")
Overall verification verdict: Inequivalent

The BLX is an indirect call, I think, which might be kind of tricky. Perhaps the constant-propagation pass will help.
@crdollar crdollar added this to Needs triage in pate Apr 27, 2022
@travitch
Copy link
Contributor

That is likely the memcpy that was called by function pointer. Constant propagation could (in principle) help there. More generally, we could be in trouble with function pointers. I guess the WP verifier was super unsound around those anyway, but doing it well will be challenging. The mitigation to that complexity is #269.

@robdockins
Copy link
Contributor Author

Backing up to c0f3626 does not seem like it makes a difference for this example.

@thebendavis thebendavis added the stale Review - close as 'wontfix' or integrate into other ticket label May 31, 2024
@thebendavis thebendavis closed this as not planned Won't fix, can't repro, duplicate, stale May 31, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
stale Review - close as 'wontfix' or integrate into other ticket Strongest Postcondition Verifier
Projects
No open projects
pate
Needs triage
Milestone
No milestone
Development

No branches or pull requests
3 participants
@travitch @thebendavis @robdockins