Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

goto-symex: assumed pointer equalities must update value set #8494

Open
wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

goto-symex: assumed pointer equalities must update value set #8494

wants to merge 1 commit into from

Conversation

tautschnig
Copy link
Collaborator

Value sets and constant propagation are our only sources of points-to information when resolving dereferences in goto-symex. Therefore, assuming or branching on equalities of pointer-typed variables must have us consider both of their value sets to be equal. Else we may end up with spurious counterexamples as seen with the enclosed regression test (where we previously did not have any known value for a).

Fixes: #8492

  • Each commit message has a non-empty body, explaining why the change was made.
  • n/a Methods or procedures I have added are documented, following the guidelines provided in CODING_STANDARD.md.
  • The feature or user visible behaviour I have added or modified has been documented in the User Guide in doc/cprover-manual/
  • Regression or unit tests are included, or existing tests cover the modified code (in this case I have detailed which ones those are in the commit message).
  • n/a My commit message includes data points confirming performance improvements (if claimed).
  • My PR is restricted to a single feature or bugfix.
  • n/a White-space or formatting changes outside the feature-related changed lines are in commits of their own.

@codecov Codecov
Copy link

codecov bot commented Nov 4, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 64.70588% with 6 lines in your changes missing coverage. Please review.

Project coverage is 78.89%. Comparing base (018c61c) to head (2a27074).

Files with missing lines Patch % Lines
src/goto-symex/goto_state.cpp 64.70% 6 Missing ⚠️
Additional details and impacted files 
@@             Coverage Diff             @@
##           develop    #8494      +/-   ##
===========================================
- Coverage    78.90%   78.89%   -0.01%     
===========================================
  Files         1727     1727              
  Lines       198425   198452      +27     
  Branches     18523    18499      -24     
===========================================
+ Hits        156561   156568       +7     
- Misses       41864    41884      +20

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@tautschnig
goto-symex: assumed pointer equalities must update value set
2a27074 
Value sets and constant propagation are our only sources of points-to
information when resolving dereferences in goto-symex. Therefore,
assuming or branching on equalities of pointer-typed variables must have
us consider both of their value sets to be equal. Else we may end up
with spurious counterexamples as seen with the enclosed regression test
(where we previously did not have any known value for `a`).

Fixes: diffblue#8492
@tautschnig tautschnig force-pushed the bugfixes/8492-value-set branch from 7834dd5 to 2a27074 Compare November 5, 2024 08:00
remi-delmas-3000
remi-delmas-3000 reviewed Nov 5, 2024
View reviewed changes
src/goto-symex/goto_state.cpp
Comment on lines +130 to +132
// We have a condition a == b. Make both a's and b's value sets the
// union of their previous value sets (the last "true" argument makes
// sure we add rather than replace value sets).
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What would happen in a situation like this ?

p = malloc(4);// o1
q = malloc(4);// o2
__CPROVER_assume(p == q);
// now p and q have both &o1 and &o2 in their value sets
*p = 1; // what happens here ?
*q = 2; // what happens here ?

@kroening
Copy link
Member

kroening commented Nov 5, 2024

This is problematic, and needs a deeper discussion.

I appreciate this is meant as a fix for #8492, but I'd advise to do a contract-specific fix.

@tautschnig tautschnig mentioned this pull request Mar 31, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@remi-delmas-3000 remi-delmas-3000 remi-delmas-3000 left review comments

@kroening kroening Awaiting requested review from kroening kroening is a code owner

@peterschrammel peterschrammel Awaiting requested review from peterschrammel peterschrammel is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
bugfix Symbolic Execution
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Aliasing pre-condition not processed correctly if is_fresh clause it not standalone
3 participants
@tautschnig @kroening @remi-delmas-3000