From 1b66227e8a7005b3a2af5fa336211c2bcd36016a Mon Sep 17 00:00:00 2001 From: Ali <35613675+gottschali@users.noreply.github.com> Date: Fri, 13 Dec 2024 11:51:34 +0100 Subject: [PATCH] Chapter 1: overflow (#14) * chore: add overflow section * chore: fixed abs overflow https://github.com/viperproject/gobra/pull/795 --- ci/dictionary.txt | 1 + src/SUMMARY.md | 1 + src/overflow.md | 59 +++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 61 insertions(+) create mode 100644 src/overflow.md diff --git a/ci/dictionary.txt b/ci/dictionary.txt index 14aa701..f26ae85 100644 --- a/ci/dictionary.txt +++ b/ci/dictionary.txt @@ -11,6 +11,7 @@ Isqrt iteratively LockInv LockP +Mergesorts Mutex Overconstraining PredTrue diff --git a/src/SUMMARY.md b/src/SUMMARY.md index a503626..f3ea24c 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -9,6 +9,7 @@ - [Basic specifications](./basic-specs.md) - [`assert` and `assume`](./assert-assume.md) - [requires, ensures, and preserves](./requires-ensures.md) +- [Overflow Checking](./overflow.md) - [Loops](./loops.md) - [Invariants](./loops-invariant.md) - [Binary Search](./loops-binarysearch.md) diff --git a/src/overflow.md b/src/overflow.md new file mode 100644 index 0000000..6870487 --- /dev/null +++ b/src/overflow.md @@ -0,0 +1,59 @@ +# Overflow Checking +
+Overflow checking is an experimental feature. +It is currently buggy and should be used with care. +
+ +## Usage +On the command line you can enable overflow checking with the `--overflow` or `-o` flag. + +The size of `int` is [implementation-specific](https://go.dev/ref/spec#Numeric_types) in Go and either 32 or 64 bits. +For overflow checking Gobra assumes 64 bit integers. +This can be overridden with the `--int32` flag. + +## Binary Search Example + +If we check our binary search program with overflow checking enabled, Gobra reports that + +``` text +Expression (low + high) / 2 might cause integer overflow. +``` +For example if `low = 2` and `high = MaxInt64 - 1` +their sum cannot be represented by an `int64` and the result will be negative. + +The solution is to replace the offending statement with +`mid = (high-low)/2 + low`. + +After this change, Gobra reports no errors. + +If we tweak the `const N` that denotes the array length to `2147483648` which is larger than `MaxInt32` we get an error if we check with the `--int32` flag but otherwise verification succeeds. + +This bug was actually in Java's standard library ([Read All About It: Nearly All Binary Searches and Mergesorts are Broken](https://research.google/blog/extra-extra-read-all-about-it-nearly-all-binary-searches-and-mergesorts-are-broken/)). +We think this highlights why heavily used code should be verified. + + +## Absolute Value +Can you spot the overflow in the following example? +``` gobra +const MinInt64 = -9223372036854775808 // = -1 << 63 +ensures res >= 0 +func abs(x int64) (res int64) { + if x < 0 { + return -x + } else { + return x + } +} +``` + +``` text +Expression -x might cause integer overflow. +``` +This is because by two's complement arithmetic there is one more negative integer and `abs(MinInt64)` overflows. + + +The program verifies when we add the precondition +``` gobra +requires x > MinInt64 +``` +