Fixes for defects reported by Pascal Cuoq.

Xuejun says: "Lhs.cpp is for fixing the first issue reported by Pascal; FactUnion.cpp is for fixing the 2nd and 3rd issues. I have run 100,000 test cases for regression test." `Lhs::make_random()': Handle certain cases in which unsigned bitfields are undesirable. `FactUnion::abstract_fact_for_assign()': If writing to an union field is uncertain (due to dereference of a pointer which may points to a union field or something else), mark the union as unreadable.
csmith-project · Nov 17, 2011 · e876ed1 · e876ed1
1 parent 5fcfcde
commit e876ed1
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 5 deletions.
diff --git a/src/FactUnion.cpp b/src/FactUnion.cpp
@@ -70,8 +70,8 @@ FactUnion::get_last_written_type(void) const
 {
 	assert(var->type && var->type->eType == eUnion);
 	if (is_top() || is_bottom()) return NULL;
-	assert (last_written_fid >= 0 && last_written_fid < (int)(var->type->fields.size()));
-	return var->type->fields[last_written_fid];
+	assert (last_written_fid >= 0 && last_written_fid < (int)(var->field_vars.size()));
+	return var->field_vars[last_written_fid]->type;
 }
 
 std::vector<const Fact*>
@@ -133,8 +133,14 @@ FactUnion::abstract_fact_for_assign(const std::vector<const Fact*>& facts, const
 	for (size_t i=0; i<lvars.size(); i++) {
 		const Variable* v = lvars[i];
 		const FactUnion* fu = 0;
-		if (v->is_union_field()) { 
-			fu = make_fact(v->field_var_of, v->get_field_id());
+		if (v->is_union_field()) {  
+			if (lvars.size() > 1) {
+				// if writing to an union field is uncertain (due to dereference of a pointer which may points to an 
+				// union field or something else), We mark the union as unreadable
+				fu = make_fact(v->field_var_of, BOTTOM);
+			} else {
+				fu = make_fact(v->field_var_of, v->get_field_id());
+			}
 		} else if (v->is_inside_union_field() && (v->type->has_padding() || v->is_packed_after_bitfield())) {
 			fu = make_fact(v->get_container_union(), BOTTOM);
 		}

diff --git a/src/Lhs.cpp b/src/Lhs.cpp
@@ -97,7 +97,8 @@ Lhs::make_random(CGContext &cg_context, const Type* t, const CVQualifiers* qfer,
 		assert(var);
 		bool valid = FactPointTo::opportunistic_validate(var, t, fm->global_facts) && !cg_context.get_effect_stm().is_written(var);
 		// we don't want signed integer for some operations, such as ++/-- which has potential of overflowing
-		if (valid && t->eType == eSimple && no_signed_overflow && var->type->get_base_type()->is_signed()) {
+		// it's possible for unsigned bitfield to overflow: consider a 31-bit unsigned field that is promoted to 32-bit signed int before arithematics  
+		if (valid && t->eType == eSimple && no_signed_overflow && (var->type->get_base_type()->is_signed() || var->isBitfield_)) {
 			valid = false;
 		}
 		if (valid) {