SV-COMP fixes #157
Merged
SV-COMP fixes #157
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Do not merge, yet, more fixes may come. |
viktormalik
force-pushed
the
svcomp22-fixes
branch
from
790f0d5
to
2c857ee
Compare
viktormalik
force-pushed
the
svcomp22-fixes
branch
from
e52a02a
to
b775692
Compare
The merge function needs to set has_values to unknown, otherwise the analysis fails to run.
If a single SKIP instruction is a target of both a forward and a backward GOTO, a malformed SSA is generated. This commit introduces a workaround that splits such GOTOs into two and redirects all backwards GOTOs to the second SKIP. This changes an SSA index in one test.
When assigning into a dereference, we allowed not to update the pointed dynamic object to simulate the fact that the dynamic object may be abstract (i.e. it may represent more concrete objects). This shouldn't be necessary anymore since we're using dynamic object instances, which should ensure soundness.
In new CBMC, there is a case-split in the malloc function implementation for detecting malloc failures. This however resulted in SSA not being constructed correctly, since it expected the last definition of a symbol to be its allocation and not a phi node. Signed-off-by: František Nečas <[email protected]>
If the solver returns &(X.field) where field has offset 0, this is equivalent to &X. This commit handles the above situation in the heap domain so that the points-to relation to X is properly established in the domain value.
These are non-deterministic boolean variables used to control assignment to CPROVER-specific values during free. They used to be declared-only, now they are explicitly assigned a nondet value, which broke our code that searched for declarations only. Fixing this problem re-enables two true memsafety regression tests.
After the rebase to new CBMC, constant propagation does not work in some cases. This is a problem for our malloc handling as we require to see: malloc_size = sizeof(...) This commit fixes the problem by recursively searching for the malloc size expression to handle cases like: size = sizeof(...) malloc_size = size Also adds a regression test for this case.
CBMC has changed the representation of numerical values in constant_expr (at least for array sizes) - instead of base 2, it now uses base 16. We have to fix this in our assertion that limits the size of arrays in competition mode due to solver unsoundness that appears for arrays of size >=50000.
For now, we disable memcpy as it is implemented via a CBMC built-in operation that we do not support in 2LS, yet.
Signed-off-by: František Nečas <[email protected]>
If there are multiple loops in the program, the assertions after the loops are reachable only if both of the loops exit their execution. Previously, exiting the first loop was sufficient due to the disjunction making the analysis unsound (producing incorrect true results in some cases, including SV-comp benchmarks). Signed-off-by: František Nečas <[email protected]>
The format of the guard changed making the hack not work and causing incorrect true results in bitvector category in SV-comp due to the hoisted assertion being added. Fix this hack. Signed-off-by: František Nečas <[email protected]>
Byte arrays are produced when malloc(N) is used where N is an integer and not a sizeof operator. We still need to propagate the '#concrete' flag to make the memsafety analysis sound.
viktormalik
force-pushed
the
svcomp22-fixes
branch
from
b775692
to
9071c90
Compare
FrNecas
reviewed
Jan 14, 2022
| if (loc->is_other()) | ||
| { | ||
| auto st = loc->get_code().get_statement(); | ||
| if(st=="array_copy" || st=="array_replace") |
There was a problem hiding this comment.
Perhaps we could file an issue for support of memcpy?
FrNecas
approved these changes
Jan 14, 2022
peterschrammel
approved these changes
Jan 17, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This implements fixes for problems mostly created during the recent CBMC rebase that were revealed in SV-COMP runs.
These are in particular:
dynobj_instance_analysiswhich caused that dynamic objects were never split into multiple instances. This, however, broke heap regression tests.mallocimplementation in CBMC that makes the regression tests work again.record::freevars w.r.t. newfreeimplementation.Besides that, CBMC prerequisite is updated to the newest version (may require rebase once peterschrammel/cbmc#27 is merged).