Permit re-setting --object-bits

Support choosing the number of object bits to be used by CBMC at runtime
even with pre-compiled goto binaries.

Fixes: #5443

fixup! Permit re-setting --object-bits and malloc failure mode

Author: tautschnig

doc/man/goto-cc.1

@@ -96,9 +96,6 @@ files.
 .TP
 \fB\-\-print\-rejected\-preprocessed\-source\fR \fIfile\fR
 Copy failing (preprocessed) source to \fIfile\fR.
-.TP
-\fB\-\-object\-bits\fR \fIN\fR
-Configure the number of bits used for object numbering in CBMC's pointer encoding.
 .SH ENVIRONMENT
 All tools honor the TMPDIR environment variable when generating temporary
 files and directories.

regression/CMakeLists.txt

@@ -63,7 +63,6 @@ else()
   add_subdirectory(goto-cl)
 endif()
 add_subdirectory(goto-cc-cbmc)
-add_subdirectory(goto-cc-cbmc-shared-options)
 add_subdirectory(cbmc-cpp)
 add_subdirectory(goto-cc-goto-analyzer)
 add_subdirectory(goto-analyzer-simplify)

regression/Makefile

@@ -36,7 +36,6 @@ DIRS = cbmc-shadow-memory \
        goto-gcc \
        goto-cl \
        goto-cc-cbmc \
-       goto-cc-cbmc-shared-options \
        cbmc-cpp \
        goto-cc-goto-analyzer \
        goto-analyzer-simplify \

regression/cbmc/simplify_singleton_interval_7690/singleton_interval_in_assume_7690.c

@@ -5,7 +5,6 @@
 #include <stdlib.h>
 #include <stdint.h>
 
-extern size_t __CPROVER_max_malloc_size;
 int __builtin_clzll(unsigned long long);
 
 #define __nof_symex_objects                                                    \

regression/goto-cc-cbmc-shared-options/CMakeLists.txt

@@ -1,4 +1,4 @@
-CORE winbug
+CORE
 test.c
 --function main --object-bits 6
 ^EXIT=10$

regression/goto-cc-cbmc-shared-options/Makefile

@@ -1,4 +1,4 @@
-CORE winbug
+CORE
 test.c
 --function main --object-bits 10
 ^EXIT=10$

regression/goto-cc-cbmc-shared-options/README.md

@@ -130,34 +130,6 @@ static std::string architecture_string(T value, const char *s)
          std::string(s) + "=" + std::to_string(value) + ";\n";
 }
 
-/// The maximum allocation size is determined by the number of bits that
-/// are left in the pointer of width \p pointer_width.
-///
-/// The allocation size cannot exceed the number represented by the (signed)
-/// offset, otherwise it would not be possible to store a pointer into a
-/// valid bit of memory. Therefore, the max allocation size is
-/// 2^(offset_bits - 1), where the offset bits is the number of bits left in the
-/// pointer after the object bits.
-///
-/// The offset must be signed, as a pointer can point to the end of the memory
-/// block, and needs to be able to point back to the start.
-/// \param pointer_width: The width of the pointer
-/// \param object_bits : The number of bits used to represent the ID
-/// \return The size in bytes of the maximum allocation supported.
-static mp_integer
-max_malloc_size(std::size_t pointer_width, std::size_t object_bits)
-{
-  PRECONDITION(pointer_width >= 1);
-  PRECONDITION(object_bits < pointer_width);
-  PRECONDITION(object_bits >= 1);
-  const auto offset_bits = pointer_width - object_bits;
-  // We require the offset to be able to express upto allocation_size - 1,
-  // but also down to -allocation_size, therefore the size is allowable
-  // is number of bits, less the signed bit.
-  const auto bits_for_positive_offset = offset_bits - 1;
-  return ((mp_integer)1) << (mp_integer)bits_for_positive_offset;
-}
-
 void ansi_c_internal_additions(std::string &code)
 {
   // clang-format off
@@ -181,9 +153,9 @@ void ansi_c_internal_additions(std::string &code)
       CPROVER_PREFIX "size_t size, " CPROVER_PREFIX "bool zero);\n"
     "void " CPROVER_PREFIX "deallocate(void *);\n"
 
-    CPROVER_PREFIX "size_t " CPROVER_PREFIX "max_malloc_size="+
-    integer2string(max_malloc_size(config.ansi_c.pointer_width, config
-    .bv_encoding.object_bits))+";\n"
+    CPROVER_PREFIX "thread_local " CPROVER_PREFIX "size_t "
+      CPROVER_PREFIX "max_malloc_size="+
+      integer2string(config.max_malloc_size())+";\n"
 
     // this is ANSI-C
     "extern " CPROVER_PREFIX "thread_local const char __func__["

regression/goto-cc-cbmc-shared-options/chain.sh

@@ -52,4 +52,5 @@ void cprover_c_library_factory_force_load(
   const std::set<irep_idt> &functions,
   symbol_table_baset &symbol_table,
   message_handlert &message_handler);
+
 #endif // CPROVER_ANSI_C_CPROVER_LIBRARY_H

regression/goto-cc-cbmc-shared-options/object-bits/default_bits.desc regression/goto-cc-cbmc/object-bits/default_bits.desc

@@ -26,8 +26,8 @@ extern const void *__CPROVER_deallocated;
 extern const void *__CPROVER_memory_leak;
 
 extern int __CPROVER_malloc_failure_mode;
-extern __CPROVER_size_t __CPROVER_max_malloc_size;
 extern __CPROVER_bool __CPROVER_malloc_may_fail;
+extern __CPROVER_thread_local __CPROVER_size_t __CPROVER_max_malloc_size;
 
 // malloc failure modes
 extern int __CPROVER_malloc_failure_mode_return_null;

regression/goto-cc-cbmc-shared-options/object-bits/fewer_bits.desc regression/goto-cc-cbmc/object-bits/fewer_bits.desc

@@ -7,7 +7,6 @@
 #define __CPROVER_contracts_library_defined
 
 // external dependencies
-extern __CPROVER_size_t __CPROVER_max_malloc_size;
 const void *__CPROVER_alloca_object = 0;
 extern const void *__CPROVER_deallocated;
 const void *__CPROVER_new_object = 0;

regression/goto-cc-cbmc-shared-options/object-bits/more_bits.desc regression/goto-cc-cbmc/object-bits/more_bits.desc

@@ -744,6 +744,8 @@ int cbmc_parse_optionst::get_goto_program(
 
   goto_model = initialize_goto_model(cmdline.args, ui_message_handler, options);
 
+  update_max_malloc_size(goto_model, ui_message_handler);
+
   if(cmdline.isset("show-symbol-table"))
   {
     show_symbol_table(goto_model, ui_message_handler);

regression/goto-cc-cbmc-shared-options/object-bits/test.c regression/goto-cc-cbmc/object-bits/test.c

@@ -29,7 +29,6 @@ const char *goto_cc_options_with_separated_argument[]=
   "--native-linker",
   "--print-rejected-preprocessed-source",
   "--mangle-suffix",
-  "--object-bits",
   nullptr
 };
 

src/ansi-c/ansi_c_internal_additions.cpp

@@ -69,7 +69,6 @@ void goto_cc_modet::help()
   " --mangle-suffix suffix      append suffix to exported file-local symbols\n"
   " --print-rejected-preprocessed-source file\n"
   "                             copy failing (preprocessed) source to file\n"
-  " --object-bits               number of bits used for object addresses\n"
   "\n";
   // clang-format on
 }

src/ansi-c/cprover_library.h

@@ -11,22 +11,26 @@ Author: Daniel Kroening, [email protected]
 
 #include "initialize_goto_model.h"
 
-#include <fstream>
-
+#include <util/arith_tools.h>
+#include <util/c_types.h>
 #include <util/config.h>
 #include <util/message.h>
 #include <util/options.h>
 
+#include <fstream>
+
 #ifdef _MSC_VER
 #  include <util/unicode.h>
 #endif
 
+#include <util/exception_utils.h>
+
+#include <goto-programs/rebuild_goto_start_function.h>
+
 #include <langapi/language.h>
 #include <langapi/language_file.h>
 #include <langapi/mode.h>
-
-#include <goto-programs/rebuild_goto_start_function.h>
-#include <util/exception_utils.h>
+#include <linking/static_lifetime_init.h>
 
 #include "goto_convert_functions.h"
 #include "read_goto_binary.h"
@@ -245,3 +249,29 @@ goto_modelt initialize_goto_model(
 
   return goto_model;
 }
+
+void update_max_malloc_size(
+  goto_modelt &goto_model,
+  message_handlert &message_handler)
+{
+  if(!goto_model.symbol_table.has_symbol(CPROVER_PREFIX "max_malloc_size"))
+    return;
+
+  const auto previous_max_malloc_size_value = numeric_cast<mp_integer>(
+    goto_model.symbol_table.lookup_ref(CPROVER_PREFIX "max_malloc_size").value);
+  const mp_integer current_max_malloc_size = config.max_malloc_size();
+
+  if(
+    !previous_max_malloc_size_value.has_value() ||
+    *previous_max_malloc_size_value != current_max_malloc_size)
+  {
+    symbolt &max_malloc_size_sym = goto_model.symbol_table.get_writeable_ref(
+      CPROVER_PREFIX "max_malloc_size");
+    max_malloc_size_sym.value =
+      from_integer(current_max_malloc_size, size_type());
+    max_malloc_size_sym.value.set(ID_C_no_nondet_initialization, true);
+
+    if(goto_model.can_produce_function(INITIALIZE_FUNCTION))
+      recreate_initialize_function(goto_model, message_handler);
+  }
+}

src/ansi-c/library/cprover.h

@@ -56,4 +56,8 @@ void set_up_custom_entry_point(
   bool try_mode_lookup,
   message_handlert &message_handler);
 
+/// Update the initial value of `__CPROVER_max_malloc_size` in case the number
+/// of object bits has changed.
+void update_max_malloc_size(goto_modelt &, message_handlert &);
+
 #endif // CPROVER_GOTO_PROGRAMS_INITIALIZE_GOTO_MODEL_H

src/ansi-c/library/cprover_contracts.c

@@ -12,6 +12,7 @@ Author: Qinheping Hu
 #include <util/help_formatter.h>
 #include <util/version.h>
 
+#include <goto-programs/initialize_goto_model.h>
 #include <goto-programs/read_goto_binary.h>
 #include <goto-programs/set_properties.h>
 #include <goto-programs/write_goto_binary.h>
@@ -61,6 +62,8 @@ int goto_synthesizer_parse_optionst::doit()
     configure_gcc(gcc_version);
   }
 
+  update_max_malloc_size(goto_model, ui_message_handler);
+
   // Get options and preprocess `goto_model`.
   const auto &options = get_options();
 

src/cbmc/cbmc_parse_options.cpp

@@ -1466,3 +1466,28 @@ irep_idt configt::this_operating_system()
 
   return this_os;
 }
+
+/// The maximum allocation size is determined by the number of bits that
+/// are left in the pointer of width `ansi_c.pointer_width`.
+///
+/// The allocation size cannot exceed the number represented by the (signed)
+/// offset, otherwise it would not be possible to store a pointer into a
+/// valid bit of memory. Therefore, the max allocation size is
+/// 2^(offset_bits - 1), where the offset bits is the number of bits left in the
+/// pointer after the object bits.
+///
+/// The offset must be signed, as a pointer can point to the end of the memory
+/// block, and needs to be able to point back to the start.
+/// \return The size in bytes of the maximum allocation supported.
+mp_integer configt::max_malloc_size() const
+{
+  PRECONDITION(ansi_c.pointer_width >= 1);
+  PRECONDITION(bv_encoding.object_bits < ansi_c.pointer_width);
+  PRECONDITION(bv_encoding.object_bits >= 1);
+  const auto offset_bits = ansi_c.pointer_width - bv_encoding.object_bits;
+  // We require the offset to be able to express upto allocation_size - 1,
+  // but also down to -allocation_size, therefore the size is allowable
+  // is number of bits, less the signed bit.
+  const auto bits_for_positive_offset = offset_bits - 1;
+  return ((mp_integer)1) << (mp_integer)bits_for_positive_offset;
+}

src/goto-cc/gcc_cmdline.cpp

@@ -358,6 +358,7 @@ class configt
 
   void set_object_bits_from_symbol_table(const symbol_table_baset &);
   std::string object_bits_info();
+  mp_integer max_malloc_size() const;
 
   static irep_idt this_architecture();
   static irep_idt this_operating_system();

src/goto-cc/goto_cc_mode.cpp

@@ -49,7 +49,6 @@ SRC += analyses/ai/ai.cpp \
        analyses/variable-sensitivity/variable_sensitivity_domain/to_predicate.cpp \
        analyses/variable-sensitivity/variable_sensitivity_test_helpers.cpp \
        ansi-c/expr2c.cpp \
-       ansi-c/max_malloc_size.cpp \
        ansi-c/type2name.cpp \
        big-int/big-int.cpp \
        compound_block_locations.cpp \
@@ -165,6 +164,7 @@ SRC += analyses/ai/ai.cpp \
        util/json_object.cpp \
        util/lazy.cpp \
        util/lower_byte_operators.cpp \
+       util/max_malloc_size.cpp \
        util/memory_info.cpp \
        util/message.cpp \
        util/optional.cpp \