Skip to content

VSD - pointers to heap allocations #6218

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
martin-cs merged 12 commits into from
Jul 27, 2021
Merged

VSD - pointers to heap allocations #6218

martin-cs merged 12 commits into from
Jul 27, 2021

Conversation

@jezhiggins
Copy link
Contributor

@jezhiggins jezhiggins commented Jul 8, 2021
edited
Loading

Extends the variable sensitivity domain to be able to track heap allocated memory.

Within the goto-programs the heap allocation instruction is ALLOCATE(malloc_size, 0 != 0). Within the vsd, this is an expression of type ID_side_effect with a statement of ID_allocate. When we eval this expression, we create a pointer object with a 'heap-object' placeholder expression. There's a little song and dance to propagate through the pointer type casts returns from malloc are subject to, but we can return 'heap-object' pointer back out.

When we assign pointer to a heap allocation to its symbol, we now know that actual (C) type of the object. We replace the 'heap object' placeholder with an array abstract object. The pointer abstract object can now act exactly as normal.

@jezhiggins jezhiggins force-pushed the vsd-pointers-to-heap-allocations branch 2 times, most recently from 5c95d44 to 0fbd46a Compare July 8, 2021 15:41
@codecov
Copy link

codecov bot commented Jul 8, 2021
edited
Loading

Codecov Report

Merging #6218 (1a6a422) into develop (ccfbaee) will increase coverage by 0.00%.
The diff coverage is 94.11%.

Impacted file tree graph

@@           Coverage Diff            @@
##           develop    #6218   +/-   ##
========================================
  Coverage    76.18%   76.19%           
========================================
  Files         1484     1484           
  Lines       162092   162155   +63     
========================================
+ Hits        123495   123558   +63     
  Misses       38597    38597
Impacted Files Coverage Δ
...ses/variable-sensitivity/abstract_pointer_object.h 0.00% <ø> (-100.00%) ⬇️
...ble-sensitivity/constant_pointer_abstract_object.h 100.00% <ø> (ø)
...le-sensitivity/value_set_pointer_abstract_object.h 100.00% <ø> (ø)
...e-sensitivity/variable_sensitivity_configuration.h 100.00% <ø> (ø)
src/analyses/variable-sensitivity/write_stack.cpp 88.50% <50.00%> (ø)
...e-sensitivity/constant_pointer_abstract_object.cpp 84.25% <85.71%> (-2.41%) ⬇️
...yses/variable-sensitivity/abstract_environment.cpp 92.98% <100.00%> (+0.14%) ⬆️
...s/variable-sensitivity/abstract_pointer_object.cpp 83.33% <100.00%> (+6.66%) ⬆️
...-sensitivity/value_set_pointer_abstract_object.cpp 85.71% <100.00%> (+2.59%) ⬆️
...ensitivity/variable_sensitivity_object_factory.cpp 95.60% <100.00%> (+0.54%) ⬆️
... and 7 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 9e3edf7...1a6a422. Read the comment docs.

@jezhiggins jezhiggins force-pushed the vsd-pointers-to-heap-allocations branch from 4176f59 to 0d7d37f Compare July 9, 2021 10:13
martin-cs
martin-cs approved these changes Jul 9, 2021
View reviewed changes
src/analyses/variable-sensitivity/abstract_pointer_object.cpp
const abstract_environmentt &environment,
const namespacet &ns) const
{
INVARIANT(is_void_pointer(type()), "Only allow pointer casting from void*");
Copy link
Collaborator

@martin-cs martin-cs Jul 9, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I feel kind of conflicted about this. In some ways it should not be an INVARIANT because it can be triggered by a user but also, at the moment we really aren't handling this case. Could we return a TOP pointer of the correct type? Reads from that should give TOP and writes to it could call havoc()?

Copy link
Contributor Author

@jezhiggins jezhiggins Jul 9, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am similarly conflicted. Right now, the call to typecast() is itself guarded so that it will never be called if this invariant will fire

  if(expr.id() == ID_typecast)
  {
    const typecast_exprt &tce = to_typecast_expr(expr);
    if(tce.op().id() == ID_symbol && is_void_pointer(tce.op().type()))

Consequently existing typecasts, of which there are a handful, will evaluate as they do at the moment. I suppose this invariant is more of warning for future care than a guard against wacky corner cases.

src/analyses/variable-sensitivity/constant_pointer_abstract_object.cpp
const abstract_environmentt &environment,
const namespacet &ns) const
{
INVARIANT(is_void_pointer(type()), "Only allow pointer casting from void*");
Copy link
Collaborator

@martin-cs martin-cs Jul 9, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As above.

@jezhiggins jezhiggins marked this pull request as ready for review July 9, 2021 14:53
jezhiggins added 12 commits July 27, 2021 09:57
@jezhiggins
Capture heap allocations
913f175 
Create a special 'heap allocation' placeholder expression. Extend
write_stack to be able to store that expression.
@jezhiggins
Allow void* pointers cast to another pointer type
2023081 
That's the expr.type() rather than the representation class.
@jezhiggins
Create heap allocation abstract object on pointer typecast
f018cf9 
We can't ensure the modified pointer object will be properly assigned
back to its symbol if we wait until first write.

If we defer then modified pointer may, or may not, be assigned depending
on how the write is expressed

 *p = 1;   // good :)
 p[0] = 1; // bad :(
@jezhiggins
heap object index expression needs to be signed_size_type
791d042
@jezhiggins
Index expression should used signed_size_type rather than size_type
ed910a2 
I based my code in the previous commit on this code, but then found it
caused a type error. This leads me to believe that while this current
code path may not be called in normal usage, it is in fact a latent bug.
I believe this change is correct.
@jezhiggins
Create symbol name on heap allocation
a2e8439
@jezhiggins
Move heap object creation off into object factory.
4acb533 
This feels like the right place for this, and also gives future options
for configuration/customisation.
@jezhiggins
Create new symbol for each heap-allocation
dc7fb2c
@jezhiggins
remove redundant apply_comb template
786e2a2
@jezhiggins
Typecasting value-set of pointers needs to propagate down
689df79
@jezhiggins
heap allocation and value-set tests
dfa0154
@jezhiggins
vsp = nondet ? malloc(a) : malloc(b) works correctly
1a6a422
@jezhiggins jezhiggins force-pushed the vsd-pointers-to-heap-allocations branch from 6651b77 to 1a6a422 Compare July 27, 2021 08:58
@martin-cs martin-cs merged commit b0b71d0 into diffblue:develop Jul 27, 2021
@jezhiggins jezhiggins deleted the vsd-pointers-to-heap-allocations branch August 12, 2021 10:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@martin-cs martin-cs martin-cs approved these changes

@chrisr-diffblue chrisr-diffblue Awaiting requested review from chrisr-diffblue

@peterschrammel peterschrammel Awaiting requested review from peterschrammel peterschrammel is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jezhiggins @martin-cs