-
Notifications
You must be signed in to change notification settings - Fork 705
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add CBMC proof for s2n_stuffer_printf #4309
Conversation
tests/cbmc/proofs/s2n_stuffer_wipe_n/s2n_stuffer_wipe_n_harness.c
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for doing this!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These updates are great! I'm quite happy to see such improvements over the CBMC harnesses. I only have a few remarks. First, I got this list of warning from the CBMC HTML report:
Warnings
Functions omitted from test (unexpected):
madvise
s2n_blob_slice
s2n_stuffer_wipe
vsnprintf
Are these expected?
tests/cbmc/proofs/s2n_stuffer_printf/s2n_stuffer_printf_harness.c
Outdated
Show resolved
Hide resolved
The function PROOF_SOURCES += $(PROOF_STUB)/madvise.c |
7557c69
to
ef86db3
Compare
You called out how to fix madvise in your other comment, and I fixed that. I thought I was handling s2n_blob_slice and s2n_stuffer_wipe by using REMOVE_BODY, but I guess not so I removed that. They're never hit because the stuffer never shrinks. vsnprintf is the only one on the list now, and I think that's expected. We could stub it, but idk what we'd do other than the current default "assume it could return anything" behavior. |
Resolved issues:
Resolves #4298 (comment)
Description of changes:
Add a proof for the new s2n_stuffer_printf method.
I also changed the existing s2n_stuffer_wipe_n behavior and rewrote the associated proof. My s2n_stuffer_printf tracked the tainted flag closely and found some unexpected behavior in how s2n_stuffer_wipe_n handled the tainted flag. Previously, if s2n_stuffer_wipe_n resulted in wiping the last few bytes of a stuffer, the stuffer was also wiped-- specifically, the
high_water_mark
andtainted
fields. This makes s2n_stuffer_wipe_n hard to reason about, and seems like a potential way to accidentally "untaint" a stuffer. wipe_n is about wiping individual bytes, not wiping the whole stuffer. I don't know why you'd have an outstanding raw pointer to a stuffer with write_cursor==0, but the memory still exists so you could, and it doesn't seem any different from having an outstanding raw pointer to wiped memory with write_cursor>0.Testing:
Proofs pass.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.