Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Array copy set prep #1515

Merged
merged 18 commits into from
Nov 30, 2021
Merged

Array copy set prep #1515

merged 18 commits into from
Nov 30, 2021

Conversation

andreistefanescu
Copy link
Contributor

No description provided.

@andreistefanescu andreistefanescu force-pushed the array-copy-set-prep branch 2 times, most recently from e565c3f to 2087c0e Compare November 17, 2021 04:45
@andreistefanescu andreistefanescu marked this pull request as ready for review November 18, 2021 07:56
src/SAWScript/Interpreter.hs Show resolved Hide resolved
src/SAWScript/Crucible/LLVM/Override.hs Outdated Show resolved Hide resolved
src/SAWScript/Interpreter.hs Show resolved Hide resolved
Copy link
Contributor

@robdockins robdockins left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some minor comments on the code. Let's add changelogs and documentation and such for these new options.

src/SAWScript/Interpreter.hs Outdated Show resolved Hide resolved
@@ -220,6 +220,7 @@ initialState readFileFn =
, rwDebugIntrinsics = True
, rwWhat4HashConsing = False
, rwWhat4HashConsingX86 = False
, rwWhat4Eval = False
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's open ticket about plumbing this new option through the RPC server.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For what it's worth, it's fairly easy to add support for toggling options like this in saw-remote-api. You basically just add a new constructor here, and then update the code in setOption, parseOption, and instance Doc.DescribedMethod SetOptionParams OK accordingly.

src/SAWScript/Crucible/LLVM/Builtins.hs Outdated Show resolved Hide resolved
src/SAWScript/Crucible/LLVM/MethodSpecIR.hs Outdated Show resolved Hide resolved
@@ -220,6 +220,7 @@ initialState readFileFn =
, rwDebugIntrinsics = True
, rwWhat4HashConsing = False
, rwWhat4HashConsingX86 = False
, rwWhat4Eval = False
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For what it's worth, it's fairly easy to add support for toggling options like this in saw-remote-api. You basically just add a new constructor here, and then update the code in setOption, parseOption, and instance Doc.DescribedMethod SetOptionParams OK accordingly.

lty

llvm_alloc_sym_init :: L.Type -> LLVMCrucibleSetupM (AllLLVM SetupValue)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm curious: does this work in practice when you apply in an a specification that is assumed with llvm_unsafe_assume_spec? The reason I ask is that I'm doing something quite similar to this as part of ongoing work in #1461, and I couldn't make it work without making some nontrivial changes to the way doInvalidate works in crucible.

I suppose this is a long-winded way of asking for some more test cases using llvm_alloc_sym_init. I'm not sure if you plan to do this as part of this PR or as part of a later PR, however.

@@ -763,7 +770,7 @@ enforcePointerValidity sc cc loc ss =
addAssert c $ Crucible.SimError loc $
Crucible.AssertFailureSimError msg ""

| (LLVMAllocSpec mut _pty alignment psz _ploc fresh, ptr) <- mems
| (LLVMAllocSpec mut _pty alignment psz _ploc fresh _sym_init, ptr) <- mems
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we need to fix this case; or perhaps the proper fix is elsewhere, I'm not sure exactly.

At any rate, if we assume in a specification that an allocation is backed by symbolic bytes, then that incurs a proof obligation at call sites to ensure that the affected memory can actually be read, and I don't see where that is being checked.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is by design. Similar to what @RyanGlScott is working on, this changes the semantics of memory reads such that there are always some bytes. This is not the same as the combination of llvm_alloc and llvm_points_to_array_prefix. I will update the description to make it more clear.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That doesn't seem right. This isn't a global option, it's a per-spec and per-allocation. I can use llvm_alloc in some places and llvm_alloc_sym_init in some other places, right?

In that case, llvm_alloc_sym_init incurs an obligation we have to check for, because it isn't universal.

@robdockins
Copy link
Contributor

Consider the following program:

#include <stdlib.h>

int g (int* x) {
  return *x;
}

int f (void)  {
  int *x = (int*) malloc( sizeof(int) );
  return g(x);
}

And the following script:

enable_experimental;

m <- llvm_load_module "syminit.bc";

let f_spec = do {
  llvm_execute_func[];
  v <- llvm_fresh_var "v" (llvm_int 32);
  llvm_return (crucible_term v);
};


let g_spec = do {
  x <- llvm_alloc_sym_init (llvm_int 32);
  llvm_execute_func [x];
  v <- llvm_fresh_var "v" (llvm_int 32);
  llvm_return (crucible_term v);
};

g_thm <- llvm_verify m "g" [] false g_spec z3;

llvm_verify m "f" [g_thm] false f_spec z3;
llvm_verify m "f" [] false f_spec z3;

On this branch, the verification of f properly fails if given no overrides; it claims that there is no write that satisfies the read in line 4 of this program, as it should.

However, if I pass it the g_thm, which was proved assuming that the input to g has backing symbolic bytes, the verification goes through, and this represents a soundess bug.

Copy link
Contributor

@robdockins robdockins left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Latest patch addresses my soundness concern; the user must take deliberate action to weaken the check.

I'd like to see a little more information in the documentation about what disabling that check means, but otherwise I am happy.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants