Add llvm_points_to_bitfield and enable_lax_loads_and_stores
#1539
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
RyanGlScott
added
subsystem: crucible-llvm
RyanGlScott
commented
Dec 8, 2021
RyanGlScott
changed the title
llvm_points_to_bitfield and enable_lax_loads_and_storesllvm_points_to_bitfield and enable_lax_loads_and_stores
RyanGlScott
added a commit
to RyanGlScott/s2n-tls
that referenced
this pull request
Dec 15, 2021
This uses SAW's new `llvm_points_to_bitfield` command (introduced in GaloisInc/saw-script#1539) to simplify specifications that involve the bitfields in `s2n_config` and `s2n_connection`. In particular, there is no longer any need to manually compute the size of the bitfields or the indices of the fields within the bitfields, as these details are handled automatically by `llvm_points_to_bitfield`. The positions of the fields within bitfields are also no longer important. This, along with a subsequent commit that will restore the bitfields' field order to what they were before aws#3709, will address a review comment in aws#3079 (comment).
This was referenced Dec 15, 2021
robdockins
approved these changes
Dec 21, 2021
This adds support for writing specifications that talk about bitfields in LLVM code by way of the new `llvm_points_to_bitfield` command. Broadly speaking, `llvm_points_to_bitfield ptr fieldName rhs` is like `llvm_points_to (llvm_field ptr fieldName) rhs`, except that `fieldName` is required to be the name of a field within a bitfield. The salient details are: * LLVM bitcode itself does not a built-in concept of bitfields, but LLVM's debug metadata does. Support for retrieving bitfield-related metadata was added to `llvm-pretty` in GaloisInc/llvm-pretty#90, so this patch bumps the `llvm-pretty` submodule to incorporate it. This patch also updates the `crucible` submodule to incorporate corresponding changes in GaloisInc/crucible#936. * The `LLVMPointsTo` data type now has a new `LLVMPointsToBitfield` data constructor that stores all of the necessary information related to the `llvm_points_to_bitfield` command. As a result, the changes in this patch are fairly insulated from the rest of SAW, as most of the new code involves adding additional cases to handle `LLVMPointsToBitfield`. * Two of the key new functions are `storePointsToBitfieldValue` and `matchPointsToBitfieldValue`, which implement the behavior of `llvm_points_to_bitfield` in pre- and post-conditions. These functions implement the necessary bit-twiddling to store values in and retrieve values out of bitfield. I have left extensive comments in each function describing how all of this works. * Accompanying `llvm_points_to_bitfield` is a new set of `{enable,disable}_lax_loads_and_stores` command, which toggles the Crucible-side option of the same name. When `enable_lax_loads_and_stores` is on, reading from uninitialized memory will return a symbolic value rather than failing outright. This is essential to be able to deal with LLVM bitcode involving bitfields, as reading a field from a bitfield involves reading the entire bitfield at once, which may include parts of the struct that have not been initialized yet. * There are various `test_bitfield_*` test cases under `intTests` to test examples of bitfield-related specifications that should and should not verify. * I have also updated `saw-remote-api` and `saw-client` to handle bitfields as well, along with a Python-specific test case. Fixes #1461.
RyanGlScott
added
the
PR: ready to merge
| -- Finally, truncate the bitfield such that only the | ||
| -- bits for the field remain. In the `y` example, this | ||
| -- means truncating 0b000????Y to `0bY`. | ||
| bfBV'' <- liftIO $ W4.bvTrunc sym rhsWidth bfBV' |
There was a problem hiding this comment.
this can be W4.bvSelect sym bfOffset_repr rhsWidth bfBV.
There was a problem hiding this comment.
Ah, good suggestion. I've submitted #1547 to implement this.
| -- well use bitwise-OR, but bitwise-XOR plays nicer with | ||
| -- how What4 represents bitvectors). In our running | ||
| -- example, `bfBV''` is 0b????1???. | ||
| bfBV'' <- W4.bvXorBits sym bfBV' rhsBV'' |
There was a problem hiding this comment.
I think this can be expressed more naturally in terms of bvConcat and bvSelect.
There was a problem hiding this comment.
I actually think the XOR formulation will be better, because the What4 AND/XOR semiring structure ought to mean that subsequent updates to the same field will cancel, and update to disjoint fields will commute, etc.
There was a problem hiding this comment.
I don't have strong opinions on which approach is better per se, but I did try to implement your alternative approach in terms of bvConcat and bvSelect, and it wasn't entirely straightforward to do so. Unless I'm missing something, you have to have three cases:
- The field occurs at the very LSBs of the bitfield. In that case,
bvSelectthe range fromrhsWidthtobfWidth - rhsWidth, and thenbvConcatthat to therhsBV. - The field occurs at the very MSBs of the bitfield. In that case,
bvSelectthe range from0tobfFieldOffset, and thenbvConcatthat to therhsBV. - The field is in the middle of the bitfield, with other bits surrounding it on both sides. In that case, call
bvSelecttwice to obtain the surrounding bits, and then callbvConcattwice to concatenate these bitvectors to therhsBV.
What's more, there's a fair bit of tiresome NatRepr manipulation needed to satisfy the inequalities demanded by bvSelect's type signature. I've implemented it locally, and it is possible to do so, but the resulting code is not much more natural to look at than it is currently.
RyanGlScott
added a commit
to RyanGlScott/s2n-tls
that referenced
this pull request
Jan 4, 2022
This uses SAW's new `llvm_points_to_bitfield` command (introduced in GaloisInc/saw-script#1539) to simplify specifications that involve the bitfields in `s2n_config` and `s2n_connection`. In particular, there is no longer any need to manually compute the size of the bitfields or the indices of the fields within the bitfields, as these details are handled automatically by `llvm_points_to_bitfield`. The positions of the fields within bitfields are also no longer important. This, along with a subsequent commit that will restore the bitfields' field order to what they were before aws#3709, will address a review comment in aws#3079 (comment).
RyanGlScott
added a commit
to RyanGlScott/s2n-tls
that referenced
this pull request
Jan 10, 2022
This uses SAW's new `llvm_points_to_bitfield` command (introduced in GaloisInc/saw-script#1539) to simplify specifications that involve the bitfields in `s2n_config` and `s2n_connection`. In particular, there is no longer any need to manually compute the size of the bitfields or the indices of the fields within the bitfields, as these details are handled automatically by `llvm_points_to_bitfield`. The positions of the fields within bitfields are also no longer important. This addresses a review comment in aws#3079 (comment).
RyanGlScott
added a commit
to RyanGlScott/s2n-tls
that referenced
this pull request
Jan 24, 2022
This uses SAW's new `llvm_points_to_bitfield` command (introduced in GaloisInc/saw-script#1539) to simplify specifications that involve the bitfields in `s2n_config` and `s2n_connection`. In particular, there is no longer any need to manually compute the size of the bitfields or the indices of the fields within the bitfields, as these details are handled automatically by `llvm_points_to_bitfield`. The positions of the fields within bitfields are also no longer important. This addresses a review comment in aws#3079 (comment).
RyanGlScott
added a commit
to RyanGlScott/s2n-tls
that referenced
this pull request
Jan 26, 2022
This uses SAW's new `llvm_points_to_bitfield` command (introduced in GaloisInc/saw-script#1539) to simplify specifications that involve the bitfields in `s2n_config` and `s2n_connection`. In particular, there is no longer any need to manually compute the size of the bitfields or the indices of the fields within the bitfields, as these details are handled automatically by `llvm_points_to_bitfield`. The positions of the fields within bitfields are also no longer important. This addresses a review comment in aws#3079 (comment).
RyanGlScott
added a commit
to RyanGlScott/s2n-tls
that referenced
this pull request
Jan 26, 2022
This uses SAW's new `llvm_points_to_bitfield` command (introduced in GaloisInc/saw-script#1539) to simplify specifications that involve the bitfields in `s2n_config` and `s2n_connection`. In particular, there is no longer any need to manually compute the size of the bitfields or the indices of the fields within the bitfields, as these details are handled automatically by `llvm_points_to_bitfield`. The positions of the fields within bitfields are also no longer important. This addresses a review comment in aws#3079 (comment).
RyanGlScott
added a commit
to RyanGlScott/s2n-tls
that referenced
this pull request
Jan 27, 2022
This uses SAW's new `llvm_points_to_bitfield` command (introduced in GaloisInc/saw-script#1539) to simplify specifications that involve the bitfields in `s2n_config` and `s2n_connection`. In particular, there is no longer any need to manually compute the size of the bitfields or the indices of the fields within the bitfields, as these details are handled automatically by `llvm_points_to_bitfield`. The positions of the fields within bitfields are also no longer important. This addresses a review comment in aws#3079 (comment).
lrstewart
pushed a commit
to aws/s2n-tls
that referenced
this pull request
Jan 29, 2022
This uses SAW's new `llvm_points_to_bitfield` command (introduced in GaloisInc/saw-script#1539) to simplify specifications that involve the bitfields in `s2n_config` and `s2n_connection`. In particular, there is no longer any need to manually compute the size of the bitfields or the indices of the fields within the bitfields, as these details are handled automatically by `llvm_points_to_bitfield`. The positions of the fields within bitfields are also no longer important.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This adds support for writing specifications that talk about bitfields in LLVM code by way of the new
llvm_points_to_bitfieldcommand. Broadly speaking,llvm_points_to_bitfield ptr fieldName rhsis likellvm_points_to (llvm_field ptr fieldName) rhs, except thatfieldNameis required to be the name of a field within a bitfield. The salient details are:LLVM bitcode itself does not a built-in concept of bitfields, but LLVM's debug metadata does. Support for retrieving bitfield-related metadata was added to
llvm-prettyin Support structs with bitfields inText.LLVM.DebugUtilsllvm-pretty#90, so this patch bumps thellvm-prettysubmodule to incorporate it. This patch also updates thecruciblesubmodule to incorporate corresponding changes in Bumpllvm-pretty{-bc-parser}submodules, adapt toValPoisoncrucible#936.The
LLVMPointsTodata type now has a newLLVMPointsToBitfielddata constructor that stores all of the necessary information related to thellvm_points_to_bitfieldcommand. As a result, the changes in this patch are fairly insulated from the rest of SAW, as most of the new code involves adding additional cases to handleLLVMPointsToBitfield.Two of the key new functions are
storePointsToBitfieldValueandmatchPointsToBitfieldValue, which implement the behavior ofllvm_points_to_bitfieldin pre- and post-conditions. These functions implement the necessary bit-twiddling to store values in and retrieve values out of a bitfield. I have left extensive comments in each function describing how all of this works.Accompanying
llvm_points_to_bitfieldis a new set of{enable,disable}_lax_loads_and_storescommand, which toggles the Crucible-side option of the same name. Whenenable_lax_loads_and_storesis on, reading from uninitialized memory will return a symbolic value rather than failing outright. This is essential to be able to deal with LLVM bitcode involving bitfields, as reading a field from a bitfield involves reading the entire bitfield at once, which may include parts of the struct that have not been initialized yet.There are various
test_bitfield_*test cases underintTeststo test examples of bitfield-related specifications that should and should not verify.I have also updated
saw-remote-apiandsaw-clientto handle bitfields as well, along with a Python-specific test case.Fixes #1461.