- From: Daniel Huang <dan.e.huang AT gmail.com>
- To: "<svadev AT cs.illinois.edu>" <svadev AT cs.illinois.edu>
- Subject: [svadev] pool allocation
- Date: Thu, 11 Apr 2013 13:52:23 -0400
- List-archive: <http://lists.cs.uiuc.edu/pipermail/svadev/>
- List-id: <svadev.cs.uiuc.edu>
Hi Svadev,
I've recently run across two pool allocations (double_free004.c and double_free010.c) that seem strange to me.
The first declares a function freeptr which accepts a pointer. However, the pointer points into a pool which is not in scope until the function body. In the code, freeptr is called from the function body after a call to __sc_vacallregister. I'm guessing that the __sc_vacallregister somehow makes it "safe" to make this call. Could I get an explanation of how this works? Furthermore, I don't understand from a typing perspective how this works out because there is no way to create a pointer of that type until we are in the function body. Furthermore, abstracting function arguments over pools that are not in scope doesn't make much sense.
The second case calls the library function qsort, which accepts as one of its arguments a comparison function. In the instrumented code, the comparison function is polymorphic in 4 pools. The code then calls the qsort function with the pool-allocated comparison function. It seems strange that the qsort function itself is not polymorphic in those 4 regions, since presumably it will call the comparison function, which needs to be instantiated with those 4 regions. How does SAFECode deal with library functions? Does SAFECode rewrite library function prototypes or instrument library functions?
I've attached the two pool-allocated files in question.
Thanks in advance,
Dan
Attachment: double_free-004.ll (Binary data)
Attachment: double_free-010.ll (Binary data)