SV-COMP fixes #157

The merge function needs to set has_values to unknown, otherwise the analysis fails to run.

If a single SKIP instruction is a target of both a forward and a backward GOTO, a malformed SSA is generated. This commit introduces a workaround that splits such GOTOs into two and redirects all backwards GOTOs to the second SKIP. This changes an SSA index in one test.

When assigning into a dereference, we allowed not to update the pointed dynamic object to simulate the fact that the dynamic object may be abstract (i.e. it may represent more concrete objects). This shouldn't be necessary anymore since we're using dynamic object instances, which should ensure soundness.

In new CBMC, there is a case-split in the malloc function implementation for detecting malloc failures. This however resulted in SSA not being constructed correctly, since it expected the last definition of a symbol to be its allocation and not a phi node. Signed-off-by: František Nečas <[email protected]>

If the solver returns &(X.field) where field has offset 0, this is equivalent to &X. This commit handles the above situation in the heap domain so that the points-to relation to X is properly established in the domain value.

These are non-deterministic boolean variables used to control assignment to CPROVER-specific values during free. They used to be declared-only, now they are explicitly assigned a nondet value, which broke our code that searched for declarations only. Fixing this problem re-enables two true memsafety regression tests.

After the rebase to new CBMC, constant propagation does not work in some cases. This is a problem for our malloc handling as we require to see: malloc_size = sizeof(...) This commit fixes the problem by recursively searching for the malloc size expression to handle cases like: size = sizeof(...) malloc_size = size Also adds a regression test for this case.

CBMC has changed the representation of numerical values in constant_expr (at least for array sizes) - instead of base 2, it now uses base 16. We have to fix this in our assertion that limits the size of arrays in competition mode due to solver unsoundness that appears for arrays of size >=50000.

For now, we disable memcpy as it is implemented via a CBMC built-in operation that we do not support in 2LS, yet.

Signed-off-by: František Nečas <[email protected]>

If there are multiple loops in the program, the assertions after the loops are reachable only if both of the loops exit their execution. Previously, exiting the first loop was sufficient due to the disjunction making the analysis unsound (producing incorrect true results in some cases, including SV-comp benchmarks). Signed-off-by: František Nečas <[email protected]>

The format of the guard changed making the hack not work and causing incorrect true results in bitvector category in SV-comp due to the hoisted assertion being added. Fix this hack. Signed-off-by: František Nečas <[email protected]>

Byte arrays are produced when malloc(N) is used where N is an integer and not a sizeof operator. We still need to propagate the '#concrete' flag to make the memsafety analysis sound.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SV-COMP fixes #157

SV-COMP fixes #157

Commits on Jan 14, 2022