Prevent potential string solver failures#4489
Conversation
romainbrenguier
requested review from
martin-cs and
peterschrammel
as code owners
romainbrenguier
force-pushed
the
bugfix/string-solver-nil-array
branch
2 times, most recently
from
3d387d0 to
a2273f1
Compare
allredj
left a comment
allredj
left a comment
There was a problem hiding this comment.
Some nitpicks, but LGTM even if considered independently of field-sensitive symex branch.
| } | ||
| const auto array = supert::get(current.get()); | ||
| const auto index = get(index_expr->index()); | ||
| if(array.is_nil()) |
There was a problem hiding this comment.
⛏️ A comment explaining why we do that would be useful (the commit message is good in that sense).
| { | ||
| add_lemma(binary_relation_exprt{ | ||
| string.length(), ID_ge, from_integer(0, string.length().type())}); | ||
| } |
There was a problem hiding this comment.
Commit message should be changed to Constrain all generated strings to have non-negative length. I was initially confused because I thought you were excluding 0.
There was a problem hiding this comment.
I'm massively surprised we didn't already have that constraint somewhere though...
There was a problem hiding this comment.
A similar constraint exists in the goto-program for all non-deterministic strings generated there. But we didn't have it for new strings generated by the solver itself.
romainbrenguier
force-pushed
the
bugfix/string-solver-nil-array
branch
from
a2273f1 to
f2fa572
Compare
| ^EXIT=10$ | ||
| ^SIGNAL=0$ | ||
| ^VERIFICATION FAILED | ||
| line 318 no uncaught exception: FAILURE |
There was a problem hiding this comment.
Can you check that the right exception is thrown?
There was a problem hiding this comment.
We could do that, if we didn't use --throw-runtime-exceptions but the failure I observed happened specifically when the option was used so I prefer to keep it. We could look for a particular exception in the trace, but here both NullPointerException and ArrayOutOfBoundsException could be valid counterexample traces.
There was a problem hiding this comment.
Those two exceptions could still be matched by a single regular expression?
If the underlying solver does not know about the existence of an array, it can return nil, which shouldn't be returned inside an index_expression as in particular the type will be broken.
Generated strings should have positive length, not adding these lemmas could potentially lead to overflow errors in check_axioms which means the solver will end with an error because the index set is empty.
allredj
left a comment
allredj
left a comment
There was a problem hiding this comment.
This PR failed Diffblue compatibility checks (cbmc commit: a2273f1).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/107230480
Status will be re-evaluated on next push.
Common spurious failures include: the cbmc commit has disappeared in the mean time (e.g. in a force-push); the author is not in the list of contributors (e.g. first-time contributors); compatibility was already broken by an earlier merge.
allredj
left a comment
allredj
left a comment
There was a problem hiding this comment.
This PR failed Diffblue compatibility checks (cbmc commit: f2fa572).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/107233242
Status will be re-evaluated on next push.
Common spurious failures include: the cbmc commit has disappeared in the mean time (e.g. in a force-push); the author is not in the list of contributors (e.g. first-time contributors); compatibility was already broken by an earlier merge.
| ^SIGNAL=0$ | ||
| ^VERIFICATION FAILED | ||
| line 318 no uncaught exception: FAILURE | ||
| -- |
This is an example for which a branch with changes to symex (field-sensitivity) caused failure in the string solver because a nil expression got into the model.
romainbrenguier
force-pushed
the
bugfix/string-solver-nil-array
branch
from
f2fa572 to
2c2c5ed
Compare
allredj
left a comment
allredj
left a comment
There was a problem hiding this comment.
This PR failed Diffblue compatibility checks (cbmc commit: 2c2c5ed).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/107250045
Status will be re-evaluated on next push.
Common spurious failures include: the cbmc commit has disappeared in the mean time (e.g. in a force-push); the author is not in the list of contributors (e.g. first-time contributors); compatibility was already broken by an earlier merge.
6 participants
Two small corrections which prevent a bug which I observed while testing the field-sensitivity branch (#2574)