CBMC detects a possible unsigned addition overflow in the following lines:
l = (t + *b)&(0xffffffffL);
c += (l < t);
I agree that there is a possibility of an overflow in the first line, but I am taking care of the carry in the next line which CBMC is not able to look at. If in case there is an overflow I am setting the carry 1. So since I am aware of this and this and this is how I want my code to work I would like to move on with the verification process. So, how is it that I tell the CBMC to overlook this bug and move on?
TL;DR It depends on what the actual types of the variables are. In all cases, CBMC detects an actual bug that could cause undefined behaviour. This means, you should fix your code rather than disable the message in CBMC.
Full answer:
Generally: To the best of my knowledge, CBMC does not allow the exclusion of specific properties (on the other hand, you can check only one single specific property using the
--property
flag). If you would like a official answer/opinion or make a feature request, I would recommend posting in the CProver Support group.(Of course, one could use
__CPROVER_assume
in order to make CBMC exclude the traces leading to the error, but this would be a very, very, very bad idea, as this might make other problems unreachable.)Variant 1: I assume your code looks something like (related to this: please, please post self-contained examples and explain precisely what the issue is, it's hard to guess these things)
and you are running
giving an output similar to the following one?
I do not think you should disable this property check, even if you could. The reason for this is, as you say, that this addition can overflow, and, integer overflow is undefined behaviour in C, or, as this answer to the question How to check integer overflow in C? nicely puts it:
See also Integer overflow and undefined behavior and How disastrous is integer overflow in C++?.
Thus, this is an actual bug and CBMC has a good reason for telling you about it. What you actually should do is adapt your code so that there are no potential overflows! The answer mentioned above suggests something like (remember to include
limits.h
):Variant 2: Here, I assume, your code looks something like:
and you are running
giving an output similar to the following one?
Again, this is an actual bug and CBMC has a good reason for telling you about it. This one could be fixed by
which gives
Variant 3: If things are as the previous one, but you have
signed int
instead ofunsigned int
, things get a bit more complicated. Here, assuming you use (written in a slightly more elaborate way to better see what is going on)and run
you will get
Or, written more concisely, if you have
then
and an attempt to convert this into a
signed int
is trouble, because it is out of range (see also Does cast between signed and unsigned int maintain exact bit pattern of variable in memory? ).As you can see, this counterexample also is an actual bug, and again, CBMC is right in telling you about it. This means in particular, your masking/maths does not work as expected (your masking turns a negative number into a positive number that is out of bounds) and you need to fix your code, so that the result is within the necessary range. (It's probably worthwhile to carefully think about what you actually want to do in order to make sure you get the right results.)