CBMC does not warn when indexing off a void*

[danielsn]

#include <assert.h>
#include <stdlib.h>
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

int main(int argc, char* argv[]) {
    void* p = malloc(2);
    void* q = &p[1];
    printf("%p\n", p);
    printf("%p\n", q);
    return 0;
}

CBMC version: 5.12 (cbmc-5.12-104-g97993174d)
Operating system: OSX
Exact command line resulting in the issue:

cbmc  --flush --bounds-check --div-by-zero-check --float-overflow-check --nan-check --pointer-check --pointer-overflow-check --signed-overflow-check --undefined-shift-check --unsigned-overflow-check --unwind 1 --unwinding-assertions test.c

What behaviour did you expect: I expected it to say that you can't index using a void*, since void has no size
What happened instead:

** 0 of 49 failed (1 iterations)
VERIFICATION SUCCESSFUL

[danielsn]

according to 6.5.2.1 array dereference requires a pointer to a complete object type. void is an incomplete object type that cannot be completed (6.2.5.19)

[tautschnig]

@danielsn While there is no question about 6.5.2.1 in the C standard, I don't think that this applies anywhere in the example that you posted above? The only candidate would be &p[1], but taking the address of a dereference always cancels out, irrespective of whether the dereference would be valid or not.

[hannes-steffenhagen-diffblue]

@tautschnig I'm not sure that's necessarily true in this example; To get the address you need to compute the offset, and you can't because void is incomplete.

gcc and probably other compilers though have a hack where they just declare sizeof(void) == 1 because a lot of code incorrectly treats void* equivalent to char*, so I'm not sure this is an error. Maybe there should be a warning, but I'm not sure how exactly we do diagnostics.

[hannes-steffenhagen-diffblue]

This is internally tracked as ADA-567

[feliperodri]

@hannes-steffenhagen-diffblue any updates on this issue? Should we close it?

[hannes-steffenhagen-diffblue]

I reiterate what I said above: There may be some value in having a diagnostic of some description for it, but I'm not convinced the code should be rejected.

[feliperodri]

@danielsn should we close it then?

[jimgrundy]

Dropping AWS label after review with @danielsn as this not a specific AWS need.

[tautschnig]

A couple of experiments with different compilers:

• Visual Studio does not accept this program ("error C2036: 'void *': unknown size")
• GCC warns ("warning: dereferencing 'void *' pointer"), but compiles this to pointer arithmetic (adding 1)
• Clang doesn't even warn, compiles this to pointer arithmetic (adding 1)

GCC and Clang's behaviour is consistent with GCC's documentation: https://gcc.gnu.org/onlinedocs/gcc/Pointer-Arith.html.

CBMC also turns this into pointer arithmetic:

p!0@1#2 == (const void *)dynamic_object1
q!0@1#2 == (const void *)dynamic_object1 + 1l

In several places in the back-end we have comments that highlight that we are treating this the way GCC's documentation describes. Maybe we should warn about this in the front-end when not in GCC mode?

[kroening]

We should error this when in Visual Studio mode.