Merge pull request #7858 from tautschnig/features/objects-bits-set-up

Permit re-setting --object-bits

Author: kroening

doc/cprover-manual/goto-cc.md

@@ -132,9 +132,6 @@ most important architectural parameters are:
     `sizeof(long int)` on various machines.
 -   The width of pointers; for example, compare the value of `sizeof(int *)` on
     various machines.
--   The number of bits in a pointer which are used to differentiate between
-    different objects. The remaining bits of a pointer are used for offsets
-    within objects.
 -   The [endianness](http://en.wikipedia.org/wiki/Endianness) of
     the architecture.
 
@@ -152,8 +149,6 @@ following command-line arguments can be passed to the CPROVER tools:
 -   The word-width can be set with `--16`, `--32`, `--64`.
 -   The endianness can be defined with `--little-endian` and
     `--big-endian`.
--   The number of bits in a pointer used to differentiate between different
-    objects can be set using `--object-bits x`. Where `x` is the number of bits.
 
 When using a goto binary, CBMC and the other tools read the
 configuration from the binary. The setting when running goto-cc is

doc/man/goto-cc.1

@@ -96,9 +96,10 @@ files.
 .TP
 \fB\-\-print\-rejected\-preprocessed\-source\fR \fIfile\fR
 Copy failing (preprocessed) source to \fIfile\fR.
-.TP
-\fB\-\-object\-bits\fR \fIN\fR
-Configure the number of bits used for object numbering in CBMC's pointer encoding.
+.SH BACKWARD COMPATIBILITY
+.B goto\-cc
+will warn and ignore the use of \fB\-\-object\-bits\fR, which previous versions
+processed. This option now instead needs to be passed to \fBcbmc\fR(1).
 .SH ENVIRONMENT
 All tools honor the TMPDIR environment variable when generating temporary
 files and directories.

regression/CMakeLists.txt

@@ -63,7 +63,6 @@ else()
   add_subdirectory(goto-cl)
 endif()
 add_subdirectory(goto-cc-cbmc)
-add_subdirectory(goto-cc-cbmc-shared-options)
 add_subdirectory(cbmc-cpp)
 add_subdirectory(goto-cc-goto-analyzer)
 add_subdirectory(goto-analyzer-simplify)

regression/Makefile

@@ -36,7 +36,6 @@ DIRS = cbmc-shadow-memory \
        goto-gcc \
        goto-cl \
        goto-cc-cbmc \
-       goto-cc-cbmc-shared-options \
        cbmc-cpp \
        goto-cc-goto-analyzer \
        goto-analyzer-simplify \

regression/cbmc/simplify_singleton_interval_7690/singleton_interval_in_assume_7690.c

@@ -5,8 +5,6 @@
 #include <stdlib.h>
 #include <stdint.h>
 
-extern size_t __CPROVER_max_malloc_size;
-
 #if defined(_WIN32) && defined(_M_X64)
 int __builtin_clzll(unsigned long long);
 #define __nof_symex_objects                                                    \

regression/contracts-dfcc/memory-predicates-pointer-in-range-requires/test.desc

@@ -1,4 +1,4 @@
-CORE dfcc-only
+THOROUGH dfcc-only
 main.c
 --malloc-may-fail --malloc-fail-null --dfcc main --enforce-contract foo _ --pointer-check --pointer-primitive-check
 ^EXIT=0$

regression/goto-cc-cbmc-shared-options/CMakeLists.txt

@@ -1,4 +1,4 @@
-CORE winbug
+CORE
 test.c
 --function main --object-bits 6
 ^EXIT=10$

regression/goto-cc-cbmc-shared-options/Makefile

@@ -1,4 +1,4 @@
-CORE winbug
+CORE
 test.c
 --function main --object-bits 10
 ^EXIT=10$

regression/goto-cc-cbmc-shared-options/README.md

@@ -124,34 +124,6 @@ static std::string architecture_string(T value, const char *s)
          std::string(s) + "=" + std::to_string(value) + ";\n";
 }
 
-/// The maximum allocation size is determined by the number of bits that
-/// are left in the pointer of width \p pointer_width.
-///
-/// The allocation size cannot exceed the number represented by the (signed)
-/// offset, otherwise it would not be possible to store a pointer into a
-/// valid bit of memory. Therefore, the max allocation size is
-/// 2^(offset_bits - 1), where the offset bits is the number of bits left in the
-/// pointer after the object bits.
-///
-/// The offset must be signed, as a pointer can point to the end of the memory
-/// block, and needs to be able to point back to the start.
-/// \param pointer_width: The width of the pointer
-/// \param object_bits : The number of bits used to represent the ID
-/// \return The size in bytes of the maximum allocation supported.
-static mp_integer
-max_malloc_size(std::size_t pointer_width, std::size_t object_bits)
-{
-  PRECONDITION(pointer_width >= 1);
-  PRECONDITION(object_bits < pointer_width);
-  PRECONDITION(object_bits >= 1);
-  const auto offset_bits = pointer_width - object_bits;
-  // We require the offset to be able to express upto allocation_size - 1,
-  // but also down to -allocation_size, therefore the size is allowable
-  // is number of bits, less the signed bit.
-  const auto bits_for_positive_offset = offset_bits - 1;
-  return ((mp_integer)1) << (mp_integer)bits_for_positive_offset;
-}
-
 void ansi_c_internal_additions(std::string &code, bool support_float16_type)
 {
   // clang-format off
@@ -175,9 +147,9 @@ void ansi_c_internal_additions(std::string &code, bool support_float16_type)
       CPROVER_PREFIX "size_t size, " CPROVER_PREFIX "bool zero);\n"
     "void " CPROVER_PREFIX "deallocate(void *);\n"
 
-    CPROVER_PREFIX "size_t " CPROVER_PREFIX "max_malloc_size="+
-    integer2string(max_malloc_size(config.ansi_c.pointer_width, config
-    .bv_encoding.object_bits));
+    CPROVER_PREFIX "thread_local " CPROVER_PREFIX "size_t "
+      CPROVER_PREFIX "max_malloc_size="+
+      integer2string(config.max_malloc_size());
   if(config.ansi_c.pointer_width==config.ansi_c.long_int_width)
     code += "UL;\n";
   else if(config.ansi_c.pointer_width==config.ansi_c.long_long_int_width)

regression/goto-cc-cbmc-shared-options/chain.sh

@@ -52,4 +52,5 @@ void cprover_c_library_factory_force_load(
   const std::set<irep_idt> &functions,
   symbol_table_baset &symbol_table,
   message_handlert &message_handler);
+
 #endif // CPROVER_ANSI_C_CPROVER_LIBRARY_H

regression/goto-cc-cbmc-shared-options/object-bits/default_bits.desc regression/goto-cc-cbmc/object-bits/default_bits.desc

@@ -26,8 +26,11 @@ extern const void *__CPROVER_deallocated;
 extern const void *__CPROVER_memory_leak;
 
 extern int __CPROVER_malloc_failure_mode;
-extern __CPROVER_size_t __CPROVER_max_malloc_size;
 extern __CPROVER_bool __CPROVER_malloc_may_fail;
+// The maximum size of an object that we can handle under the object:offset
+// pointer encoding. Marked thread-local as it is a per-analysis constant that
+// can safely be constant-propagated even in concurrent execution.
+extern __CPROVER_thread_local __CPROVER_size_t __CPROVER_max_malloc_size;
 
 // malloc failure modes
 extern int __CPROVER_malloc_failure_mode_return_null;

regression/goto-cc-cbmc-shared-options/object-bits/fewer_bits.desc regression/goto-cc-cbmc/object-bits/fewer_bits.desc

@@ -7,7 +7,6 @@
 #define __CPROVER_contracts_library_defined
 
 // external dependencies
-extern __CPROVER_size_t __CPROVER_max_malloc_size;
 const void *__CPROVER_alloca_object = 0;
 extern const void *__CPROVER_deallocated;
 const void *__CPROVER_new_object = 0;

regression/goto-cc-cbmc-shared-options/object-bits/more_bits.desc regression/goto-cc-cbmc/object-bits/more_bits.desc

@@ -808,6 +808,8 @@ int cbmc_parse_optionst::get_goto_program(
 
   goto_model = initialize_goto_model(cmdline.args, ui_message_handler, options);
 
+  update_max_malloc_size(goto_model, ui_message_handler);
+
   if(cmdline.isset("show-symbol-table"))
   {
     show_symbol_table(goto_model, ui_message_handler);

regression/goto-cc-cbmc-shared-options/object-bits/test.c regression/goto-cc-cbmc/object-bits/test.c

@@ -29,7 +29,6 @@ const char *goto_cc_options_with_separated_argument[]=
   "--native-linker",
   "--print-rejected-preprocessed-source",
   "--mangle-suffix",
-  "--object-bits",
   nullptr
 };
 

src/ansi-c/ansi_c_internal_additions.cpp

@@ -74,7 +74,6 @@ void goto_cc_modet::help()
     "symbols\n"
     " {y--print-rejected-preprocessed-source} {ufile} \t "
     "copy failing (preprocessed) source to file\n"
-    " {y--object-bits} {N} \t number of bits used for object addresses\n"
     "\n");
 }
 

src/ansi-c/cprover_library.h

@@ -77,16 +77,17 @@ bool is_nondet_initializable_static(
 /// assigned to nondet-initializable static variables with nondeterministic
 /// values.
 /// \param ns: Namespace for resolving type information.
-/// \param [out] goto_functions: Existing goto-functions to be updated.
+/// \param [inout] goto_model: Existing goto-functions and symbol table to
+///   be updated.
 /// \param fct_name: Name of the goto-function to be updated.
 static void nondet_static(
   const namespacet &ns,
-  goto_functionst &goto_functions,
+  goto_modelt &goto_model,
   const irep_idt &fct_name)
 {
   goto_functionst::function_mapt::iterator fct_entry =
-    goto_functions.function_map.find(fct_name);
-  CHECK_RETURN(fct_entry != goto_functions.function_map.end());
+    goto_model.goto_functions.function_map.find(fct_name);
+  CHECK_RETURN(fct_entry != goto_model.goto_functions.function_map.end());
 
   goto_programt &init = fct_entry->second.body;
 
@@ -99,11 +100,11 @@ static void nondet_static(
 
       if(is_nondet_initializable_static(sym, ns))
       {
-        const auto source_location = instruction.source_location();
-        instruction = goto_programt::make_assignment(
-          code_assignt(
-            sym, side_effect_expr_nondett(sym.type(), source_location)),
-          source_location);
+        side_effect_expr_nondett nondet{
+          sym.type(), instruction.source_location()};
+        instruction.assign_rhs_nonconst() = nondet;
+        goto_model.symbol_table.get_writeable_ref(sym.get_identifier()).value =
+          nondet;
       }
     }
     else if(instruction.is_function_call())
@@ -113,33 +114,24 @@ static void nondet_static(
       // see cpp/cpp_typecheck.cpp, which creates initialization functions
       if(fsym.get_identifier().starts_with("#cpp_dynamic_initialization#"))
       {
-        nondet_static(ns, goto_functions, fsym.get_identifier());
+        nondet_static(ns, goto_model, fsym.get_identifier());
       }
     }
   }
 
   // update counters etc.
-  goto_functions.update();
-}
-
-/// Nondeterministically initializes global scope variables in
-/// CPROVER_initialize function.
-/// \param ns: Namespace for resolving type information.
-/// \param [out] goto_functions: Existing goto-functions to be updated.
-void nondet_static(const namespacet &ns, goto_functionst &goto_functions)
-{
-  nondet_static(ns, goto_functions, INITIALIZE_FUNCTION);
+  goto_model.goto_functions.update();
 }
 
 /// First main entry point of the module. Nondeterministically initializes
 /// global scope variables, except for constants (such as string literals, final
 /// fields) and internal variables (such as CPROVER and symex variables,
 /// language specific internal variables).
-/// \param [out] goto_model: Existing goto-model to be updated.
+/// \param [inout] goto_model: Existing goto-model to be updated.
 void nondet_static(goto_modelt &goto_model)
 {
   const namespacet ns(goto_model.symbol_table);
-  nondet_static(ns, goto_model.goto_functions);
+  nondet_static(ns, goto_model, INITIALIZE_FUNCTION);
 }
 
 /// Second main entry point of the module. Nondeterministically initializes
@@ -199,7 +191,7 @@ void nondet_static(
     }
   }
 
-  nondet_static(ns, goto_model.goto_functions, INITIALIZE_FUNCTION);
+  nondet_static(ns, goto_model, INITIALIZE_FUNCTION);
 }
 
 /// Nondeterministically initializes global scope variables that
@@ -227,5 +219,5 @@ void nondet_static_matching(goto_modelt &goto_model, const std::string &regex)
   }
 
   const namespacet ns(goto_model.symbol_table);
-  nondet_static(ns, goto_model.goto_functions, INITIALIZE_FUNCTION);
+  nondet_static(ns, goto_model, INITIALIZE_FUNCTION);
 }

src/ansi-c/library/cprover.h

@@ -32,10 +32,6 @@ bool is_nondet_initializable_static(
   const symbol_exprt &symbol_expr,
   const namespacet &ns);
 
-void nondet_static(
-  const namespacet &ns,
-  goto_functionst &goto_functions);
-
 void nondet_static(goto_modelt &);
 
 void nondet_static(goto_modelt &, const std::set<std::string> &);

src/ansi-c/library/cprover_contracts.c

@@ -11,6 +11,8 @@ Author: Daniel Kroening, [email protected]
 
 #include "initialize_goto_model.h"
 
+#include <util/arith_tools.h>
+#include <util/c_types.h>
 #include <util/config.h>
 #include <util/exception_utils.h>
 #include <util/message.h>
@@ -22,6 +24,7 @@ Author: Daniel Kroening, [email protected]
 #include <langapi/language.h>
 #include <langapi/language_file.h>
 #include <langapi/mode.h>
+#include <linking/static_lifetime_init.h>
 
 #include "goto_convert_functions.h"
 #include "read_goto_binary.h"
@@ -236,3 +239,29 @@ goto_modelt initialize_goto_model(
 
   return goto_model;
 }
+
+void update_max_malloc_size(
+  goto_modelt &goto_model,
+  message_handlert &message_handler)
+{
+  if(!goto_model.symbol_table.has_symbol(CPROVER_PREFIX "max_malloc_size"))
+    return;
+
+  const auto previous_max_malloc_size_value = numeric_cast<mp_integer>(
+    goto_model.symbol_table.lookup_ref(CPROVER_PREFIX "max_malloc_size").value);
+  const mp_integer current_max_malloc_size = config.max_malloc_size();
+
+  if(
+    !previous_max_malloc_size_value.has_value() ||
+    *previous_max_malloc_size_value != current_max_malloc_size)
+  {
+    symbolt &max_malloc_size_sym = goto_model.symbol_table.get_writeable_ref(
+      CPROVER_PREFIX "max_malloc_size");
+    max_malloc_size_sym.value =
+      from_integer(current_max_malloc_size, size_type());
+    max_malloc_size_sym.value.set(ID_C_no_nondet_initialization, true);
+
+    if(goto_model.can_produce_function(INITIALIZE_FUNCTION))
+      recreate_initialize_function(goto_model, message_handler);
+  }
+}