sprintf causes seg fault, when the buffer is defined on the stack

[lilith218]

The following code causes a segmentation fault in GenMC

version

genmc --version
GenMC (https://plv.mpi-sws.org/genmc):
  GenMC v0.6.1 (commit #ae1ff5c)
  Built with LLVM 8.0.1 (RelWithDebInfo)

#include <stdio.h>
int main(void)
{
    char buff[10] = {0};
    int x         = 10;
    sprintf(buff, "%d", x);
}

output

genmc sprintf-genmc-bug.c 
sprintf-genmc-bug.c:7:5: warning: implicitly declaring library function 'sprintf' with type 'int (char *, const char *, ...)' [-Wimplicit-function-declaration]
    sprintf(buff, "%d", x);
    ^
sprintf-genmc-bug.c:7:5: note: include the header <stdio.h> or explicitly provide a declaration for 'sprintf'
1 warning generated.
WARNING: Memory intrinsic found! Attempting to promote it...
Segmentation fault (core dumped)

core-dump details

Core was generated by `genmc sprintf-genmc-bug.c'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000563426b15aa9 in memcpy (__len=3, __src=0x7ffea2e6f200, __dest=0x2849b7a3) at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
34	  return __builtin___memcpy_chk (__dest, __src, __len, __bos0 (__dest));
(gdb) bt
#0  0x0000563426b15aa9 in memcpy (__len=3, __src=0x7ffea2e6f200, __dest=0x2849b7a3) at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
#1  lle_X_sprintf (FT=<optimized out>, Args=...) at ExternalFunctions.cpp:451
#2  0x0000563426b1823a in llvm::Interpreter::callExternalFunction (this=this@entry=0x56342849c3e0, F=F@entry=0x56342847bb98, ArgVals=std::vector of length 3, capacity 3 = {...}) at ExternalFunctions.cpp:297
#3  0x0000563426b011c1 in llvm::Interpreter::callFunction (this=0x56342849c3e0, F=0x56342847bb98, ArgVals=std::vector of length 123589140548868101, capacity 2931908988897 = {...}) at Execution.cpp:4371
#4  0x0000563426b018ce in llvm::Interpreter::callFunction (ArgVals=std::vector of length 3, capacity 3 = {...}, F=0x56342847bb98, this=0x56342849c3e0) at /usr/lib/llvm-8/include/llvm/Support/Casting.h:255
#5  llvm::Interpreter::visitCallInstWrapper (this=0x56342849c3e0, CS=...) at Execution.cpp:1633
#6  0x0000563426b02497 in llvm::Interpreter::run (this=this@entry=0x56342849c3e0) at Execution.cpp:4484
#7  0x0000563426a75d83 in llvm::Interpreter::runFunction (this=0x56342849c3e0, F=0x5634283d79a8, ArgValues=...) at Interpreter.cpp:750
#8  0x00007f8f7a7c69de in llvm::ExecutionEngine::runFunctionAsMain(llvm::Function*, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, char const* const*) () from /usr/lib/x86_64-linux-gnu/libLLVM-8.so.1
#9  0x0000563426a552fa in GenMCDriver::explore (this=this@entry=0x563428473700) at GenMCDriver.cpp:633
#10 0x0000563426a55469 in GenMCDriver::run (this=0x563428473700) at GenMCDriver.cpp:464
#11 0x0000563426a31f28 in main (argc=<optimized out>, argv=0x7ffea2e70d18) at main.cpp:194

I also don't understand the warning about the implicit declaration of sprinf, since I already included stdio.h

[lilith218]

Not only sprintf causes seg fault, the following as well

int
main(void)
{
    char buff[10] = {0};
    printf("%s", buff);
    return 0;
}

#0  __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:65
65	../sysdeps/x86_64/multiarch/strlen-avx2.S: No such file or directory.
(gdb) bt
#0  __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:65
#1  0x00007fd838a91e95 in __vfprintf_internal (s=s@entry=0x7ffd7ab834c0, format=format@entry=0x7ffd7ab83700 "%s", ap=ap@entry=0x7ffd7ab83600, mode_flags=mode_flags@entry=6) at vfprintf-internal.c:1688
#2  0x00007fd838a9e279 in __vsprintf_internal (string=0x7ffd7ab83770 "", maxlen=maxlen@entry=1000, format=0x7ffd7ab83700 "%s", args=args@entry=0x7ffd7ab83600, mode_flags=mode_flags@entry=6) at iovsprintf.c:95
#3  0x00007fd838b46edb in ___sprintf_chk (s=s@entry=0x7ffd7ab83770 "", flag=flag@entry=1, slen=slen@entry=1000, format=<optimized out>) at sprintf_chk.c:40
#4  0x000055ace9a30a85 in sprintf (__fmt=<optimized out>, __s=<optimized out>) at /usr/include/x86_64-linux-gnu/bits/stdio2.h:36
#5  lle_X_sprintf (FT=FT@entry=0x55acebaadd20, Args=std::vector of length 3, capacity 3 = {...}) at ExternalFunctions.cpp:445
#6  0x000055ace9a31d4f in lle_X_printf (FT=0x55acebaadd20, Args=std::vector of length 2, capacity 2 = {...}) at ExternalFunctions.cpp:469
#7  0x000055ace9a3323a in llvm::Interpreter::callExternalFunction (this=this@entry=0x55acebb7c5c0, F=F@entry=0x55acebb5bfa8, ArgVals=std::vector of length 2, capacity 2 = {...}) at ExternalFunctions.cpp:297
#8  0x000055ace9a1c1c1 in llvm::Interpreter::callFunction (this=0x55acebb7c5c0, F=0x55acebb5bfa8, ArgVals=std::vector of length -185212533053011061, capacity 2931805465809 = {...}) at Execution.cpp:4371
#9  0x000055ace9a1c8ce in llvm::Interpreter::callFunction (ArgVals=std::vector of length 2, capacity 2 = {...}, F=0x55acebb5bfa8, this=0x55acebb7c5c0) at /usr/lib/llvm-8/include/llvm/Support/Casting.h:255
#10 llvm::Interpreter::visitCallInstWrapper (this=0x55acebb7c5c0, CS=...) at Execution.cpp:1633
#11 0x000055ace9a1d497 in llvm::Interpreter::run (this=this@entry=0x55acebb7c5c0) at Execution.cpp:4484
#12 0x000055ace9990d83 in llvm::Interpreter::runFunction (this=0x55acebb7c5c0, F=0x55aceba8b9a8, ArgValues=...) at Interpreter.cpp:750
#13 0x00007fd83aafd9de in llvm::ExecutionEngine::runFunctionAsMain(llvm::Function*, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, char const* const*) () from /usr/lib/x86_64-linux-gnu/libLLVM-8.so.1
#14 0x000055ace99702fa in GenMCDriver::explore (this=this@entry=0x55acebb53f30) at GenMCDriver.cpp:633
#15 0x000055ace9970469 in GenMCDriver::run (this=0x55acebb53f30) at GenMCDriver.cpp:464
#16 0x000055ace994cf28 in main (argc=<optimized out>, argv=0x7ffd7ab87a28) at main.cpp:194

or

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

int
main(void)
{
    char buff[10] = {0};
    int x = atoi(buff);
    return 0;
}

#0  __GI_____strtol_l_internal (nptr=0x1ace2c44 <error: Cannot access memory at address 0x1ace2c44>, endptr=endptr@entry=0x0, base=base@entry=10, group=group@entry=0, loc=0x7f2b963344a0 <_nl_global_locale>) at ../stdlib/strtol_l.c:292
292	../stdlib/strtol_l.c: No such file or directory.
(gdb) bt
#0  __GI_____strtol_l_internal (nptr=0x1ace2c44 <error: Cannot access memory at address 0x1ace2c44>, endptr=endptr@entry=0x0, base=base@entry=10, group=group@entry=0, loc=0x7f2b963344a0 <_nl_global_locale>) at ../stdlib/strtol_l.c:292
#1  0x00007f2b96193c36 in __strtol (nptr=<optimized out>, endptr=endptr@entry=0x0, base=base@entry=10) at ../stdlib/strtol.c:106
#2  0x00007f2b9618f744 in __GI_atoi (nptr=<optimized out>) at atoi.c:27
#3  0x00007f2b9a4bfdae in ffi_call_unix64 () from /usr/lib/x86_64-linux-gnu/libffi.so.6
#4  0x00007f2b9a4bf71f in ffi_call () from /usr/lib/x86_64-linux-gnu/libffi.so.6
#5  0x0000555f18c6b224 in ffiInvoke (Result=..., TD=<optimized out>, ArgVals=..., F=<optimized out>, Fn=<optimized out>) at /usr/lib/llvm-8/include/llvm/ADT/SmallVector.h:129
#6  llvm::Interpreter::callExternalFunction (this=this@entry=0x555f1ace3880, F=F@entry=0x555f1acc3a78, ArgVals=std::vector of length 94429796831613770, capacity 2932013690047 = {...}) at ExternalFunctions.cpp:322
#7  0x0000555f18c531c1 in llvm::Interpreter::callFunction (this=0x555f1ace3880, F=0x555f1acc3a78, ArgVals=std::vector of length 94429796831613770, capacity 2932013690047 = {...}) at Execution.cpp:4371
#8  0x0000555f18c538ce in llvm::Interpreter::callFunction (ArgVals=std::vector of length 1, capacity 1 = {...}, F=0x555f1acc3a78, this=0x555f1ace3880) at /usr/lib/llvm-8/include/llvm/Support/Casting.h:255
#9  llvm::Interpreter::visitCallInstWrapper (this=0x555f1ace3880, CS=...) at Execution.cpp:1633
#10 0x0000555f18c54497 in llvm::Interpreter::run (this=this@entry=0x555f1ace3880) at Execution.cpp:4484
#11 0x0000555f18bc7d83 in llvm::Interpreter::runFunction (this=0x555f1ace3880, F=0x555f1abf39a8, ArgValues=...) at Interpreter.cpp:750
#12 0x00007f2b9822f9de in llvm::ExecutionEngine::runFunctionAsMain(llvm::Function*, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, char const* const*) () from /usr/lib/x86_64-linux-gnu/libLLVM-8.so.1
#13 0x0000555f18ba72fa in GenMCDriver::explore (this=this@entry=0x555f1acbb730) at GenMCDriver.cpp:633
#14 0x0000555f18ba7469 in GenMCDriver::run (this=0x555f1acbb730) at GenMCDriver.cpp:464
#15 0x0000555f18b83f28 in main (argc=<optimized out>, argv=0x7fffce7476b8) at main.cpp:194

[lilith218]

If I don't declare the array on the stack, the program does not crash. It seems to be related to putting arrays on the stack somehow!

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

char buff[10] = {0}; // no crash

int
main(void)
{
    printf("%s", buff);
    int x = 10;
    sprintf(buff, "%d", x);
    x = atoi(buff);
    return 0;
}

[michaliskok]

Closing, as this is identical to #10.