Adds --expand-pointer-predicates to goto-instrument [depends-on: #3769, blocks #2706]#2644
Adds --expand-pointer-predicates to goto-instrument [depends-on: #3769, blocks #2706]#2644qaphla wants to merge 3 commits intodiffblue:developfrom
Conversation
This change exposes is_lvalue for use outside of goto-programs/builtin_functions.cpp.
qaphla
requested review from
chrisr-diffblue,
kroening,
martin-cs,
peterschrammel,
pkesseli,
smowton and
tautschnig
as code owners
qaphla
force-pushed
the
expand_pointer_predicates
branch
from
9be31ff to
5f9ce75
Compare
The --expand-pointer-predicates pass resolves pointer predicates
(util/pointer_predicates.{cpp, h}) which have side effects and
so require expanding into multiple instructions.
Currently, the only such predicate that needs to be expanded is
__CPROVER_points_to_valid_memory (name subject to change).
The __CPROVER_points_to_valid_memory predicates takes two parameters,
a pointer and a size. Semantically,
__CPROVER_points_to_valid_memory(p, size) should be true if and only
if p points to a memory object which is valid to read/write for at
least size bytes past p. When used in assertions, this will be checked
in a similar manner to how --pointer-check checks validity of a
dereference. When used in assumptions, this predicate creates (if none
exists already) an object for p to refer to, using
local_bitvector_analysis to make that determination, and then makes
assumptions (again corresponding to the assertions made by
--pointer-check) about that object.
qaphla
force-pushed
the
expand_pointer_predicates
branch
from
5f9ce75 to
dd6c63c
Compare
allredj
left a comment
allredj
left a comment
There was a problem hiding this comment.
This PR failed Diffblue compatibility checks (cbmc commit: dd6c63c).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/80542769
Status will be re-evaluated on next push.
Please contact @peterschrammel, @thk123, or @allredj for support.
Common spurious failures:
- the cbmc commit has disappeared in the mean time (e.g. in a force-push)
- the author is not in the list of contributors (e.g. first-time contributors).
smowton
left a comment
smowton
left a comment
There was a problem hiding this comment.
Made a few inline comments on the new commit. Broader points:
(1) what relation if any does this have to the existing memory validity checks introduced by goto_check? Should this be using parts of goto-check instead of implementing a new way of introducing checks?
(2) It seems odd that the meaning of the predicate is remarkably different in assume context from assert context (and not implemented at all in expression or GOTO-guard context). Should these be different operations?
|
(1) As used in assertions, The assumption portion is the main feature that prompted me to develop this, and probably could be put into goto_check if desired, but that seems a bit strange to me, as goto_check seems to deal entirely (almost entirely? I'm not sure what (2) I am admittedly biased, but it doesn't seem strange at all to me that the implementation of the predicate is different in assume and assert contexts. The expression resulting from expanding the predicate is the same in both cases, and the only difference is that in assume context, we add an additional set of instructions to create a new memory object for |
|
Hmm. My instinct is the harness should do the right thing (e.g. when verifying Java we should usually offer a nondet choice between NULL and a fresh object), and the meaning of the predicate should be the same in all contexts, but more senior people (@peterschrammel @tautschnig @kroening) may differ. |
|
I see and agree with @smowton 's concerns about the asymmetry of the semantics of this. I also, very much, see your use case and wanting to be able to generate sane harnesses with a minimal amount of hassle. However I'm not sure this is the right way of going about things. Assuming that something points to a valid location is not the same as assuming that there is a new, unique location that it points to. I think this approach may run into a lot of complexity around aliasing. To my mind the right way of approaching this problem is to have a dual to generate-function-bodies that generates a calling harness (either 1 shot or dynamically builds one up using verification failures) for an arbitrary piece of code. Assumptions about writeability could be used in that to build a sensible context. |
tautschnig
changed the title
tautschnig
changed the title
|
Closing due to age (no further comment on PR content), please reopen with rebase on develop if you intent to continue this work. |
6 participants
This builds on #2635.
The only new commit since then is 9be31ff.
This adds a new built-in predicate,
__CPROVER_points_to_valid_memory, and provides the--expand-pointer-predicatespass to goto-instrument to handle the side effects that it has in assumptions. More detail can be found in the commit message.This differs from #2602 in that unlike
__CPROVER_r_okand__CPROVER_w_ok,__CPROVER_points_to_valid_memory(ptr, size)will, when used in an assumption, ensure that there is a suitable memory object atptrby creating one if necessary. It is, however, likely that__CPROVER_points_to_valid_memorycan be made to take advantage of__CPROVER_r/w_okin its implementation once those make it into develop.