Hello,

I've run into a problem running some C++ code under KLEE with uclibc. The
problem occurs when an instance of a class is declared as a global variable
and the class's constructor uses a uclibc function (specifically, sprintf()).
The constructor for the class is called before main() is entered and before
uclibc gets initialized, resulting in a null pointer being dereferenced.

I ran into this when trying to run bochs in KLEE. Bochs declares a global
instance of its CPU class. The constructor for the class makes a call to
sprintf(), which eventually tries to access a uclibc data structure which
hasn't been initialized, and the result is "memory error: out of bound
pointer."

The attached program is a minimal test case demonstrating this behavior. The
code declares a global variable, which is an instance of the sprintftest_c
class. The class's constructor calls sprintf() and it is in the sprintf()
call that KLEE fails. The code runs fine when compiled with llvm-gcc and run
with the llvm-interpreter, lli, but causes the "out of bound pointer" error
when run with KLEE. I've also attached the .ptr.err output file.

The error occurs at line 920 of _vfprintf.c. It is the call to isdigit()
that eventually fails. isdigit is a macro, which gets expanded to:
(((*__ctype_b_loc()))[(int) (('c'))] & (__ctype_mask_t) _ISdigit).
__ctype_b_loc() returns a (non-null) pointer to the __ctype_b field in the
__uclibc_locale_t struct. (This is a struct of type __uclibc_locale_struct,
defined in uClibc_locale.h.) The __ctype_b field is the null pointer so the
dereference ([(int)('c')]) fails with the "memory out of bounds" error.

It is __uClibc_init() (in __uClibc_main.c) that initializes the fields of
the struct. Adding a call to __uClibc_init() at the beginning of the
sprintf() function solves the problem, but it is a bit of a kludgy fix (if
for no other reason than that it causes the libc initialization to be
redone every time sprintf is called). As a slightly better work-around, I
plan to move the init call to my class constructor, but ideally I'd like to
correct the error, not just build a work-around. Is there a way to fix this?

I am running this on a 32-bit install of Ubuntu 10.04. I have llvm 2.7 and
klee-uclibc-0.01 installed.

Thank you.
-Cynthia
Attachments (non-text attachments scrubbed by the list archive):
- minimaltest.cc (text/x-c++src, 473 bytes): http://keeda.Stanford.EDU/pipermail/klee-dev/attachments/20110712/9a070c6c/attachment.bin
- test000001.ptr.err (application/octet-stream, 1077 bytes): http://keeda.Stanford.EDU/pipermail/klee-dev/attachments/20110712/9a070c6c/attachment.obj
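The pattern described in the message, as an added example that is not the attached minimaltest.cc and not KLEE or uclibc code: a global object whose constructor calls sprintf() during static initialization, next to the construct-on-first-use pattern that defers the libc call until after main() has been entered. Class name sprintftest_c is taken from the message; the tag argument, buffer size and counter are assumptions, and under an ordinary glibc both paths succeed, so the observable difference is only when each constructor runs.

```cpp
#include <cstdio>
#include <string>

// Counts how many sprintftest_c objects have been constructed so far.
// Zero-initialised at load time, so it is safe to touch from any constructor.
static int g_constructions = 0;

// Mirrors the reported pattern: the constructor formats with sprintf().
class sprintftest_c {
public:
    explicit sprintftest_c(const char* tag) {
        std::sprintf(buf_, "%s:%d", tag, 123);   // libc call inside a constructor
        ++g_constructions;
    }
    const char* text() const { return buf_; }
private:
    char buf_[32];
};

// Problem pattern: a global instance. Its constructor runs during static
// initialisation, before main() and, under klee-uclibc, before __uClibc_init()
// has set up the locale/ctype tables that sprintf() relies on.
sprintftest_c g_global("global");

// Workaround pattern: construct on first use. The object is not built until
// this function is first called, i.e. from main() or later, after libc is up.
sprintftest_c& lazy_instance() {
    static sprintftest_c instance("lazy");
    return instance;
}

int construction_count() { return g_constructions; }
std::string global_text() { return g_global.text(); }
std::string lazy_text() { return lazy_instance().text(); }

int main() {
    // By the time main() runs, only the global has been constructed.
    std::printf("constructed before main: %d\n", construction_count()); // 1
    std::printf("%s %s\n", global_text().c_str(), lazy_text().c_str());
    std::printf("constructed after lazy use: %d\n", construction_count()); // 2
    return 0;
}
```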