Add new builtin __CPROVER_havoc_slice

[remi-delmas-3000]

Resolves #6351.

This PR adds a new builtin function :

void __CPROVER_havoc_slice(void *p, __CPROVER_size_t size);

Which lets you update size consecutive bytes to nondet values in the object underlying a given pointer p. It requires that __CPROVER_w_ok(p, size) holds.
It is rewritten at goto level to an array_replace(p, q) operation where q is declared a nondet array of size size.

• Each commit message has a non-empty body, explaining why the change was made.
• Methods or procedures I have added are documented, following the guidelines provided in CODING_STANDARD.md.
• The feature or user visible behaviour I have added or modified has been documented in the User Guide in doc/cprover-manual/
• Regression or unit tests are included, or existing tests cover the modified code (in this case I have detailed which ones those are in the commit message).
• My commit message includes data points confirming performance improvements (if claimed).
• My PR is restricted to a single feature or bugfix.
• White-space or formatting changes outside the feature-related changed lines are in commits of their own.

[danielsn]

When you say "object", what do you mean?
For example, should this assertion pass or fail?

struct foo {
  int x;
  int y;
};

struct foo thefoo = {.x = 1; .y = 12};
int* p = &thefoo.y;
__CPROVER_havoc_object(p);
assert(thefoo.x == 1);

[remi-delmas-3000]

the object in that case is the blob of memory that holds the whole struct thefoo so this assertion should fail.
on the other it passes when using __CPROVER_havoc_object_slice(p, sizeof(*p))

[danielsn]

This seems like it could lead to a foot gun:

int foo_stub(int* p) {
   __CPROVER_havoc_object(p);
   return *p;
}

struct foo { int x; int y; };

int main() [
  struct foo thefoo = {.x = 1; .y = 12};
  int v = foo_stub(&thefoo.y);
  assert(thefoo.x == 1);
  assert(thefoo.y == v);
}

I think the user would expect that foo_stub wouldn't modify memory which it doesn't have a valid pointer to. Maybe we need a different name:

__CPROVER_havoc_entire_allocation()

[remi-delmas-3000]

Agreed, we could name __CPROVER_havoc_object differently but it was introduced some time ago so this could be a breaking change for existing users of the primitive.

[jimgrundy]

Can we just add a more explicit warning to the document about havoc_object that it will havoc enclosing structs.

[SaswatPadhi]

To improve readability, could we rewrite this as:

Suggested change

	if(arguments[1].type().id() != ID_unsignedbv)
	if(arguments[1].type().id() != size_type().id())

[remi-delmas-3000]

The idea with this check was to allow users that use the primitive directly from GOTO to use any unsignedbv type and not just size_t to specify sizes. This makes it more general than its C interface.

[SaswatPadhi]

Hmm, thinking more, I think it could actually be:

Suggested change

	if(arguments[1].type().id() != ID_unsignedbv)
	if(arguments[1].type() != size_type())

We define the signature of __CPROVER_havoc_slice as:

 void __CPROVER_havoc_slice(void *p, __CPROVER_size_t size);

for the frontend.

So, shouldn't the check here match the this signature?

Yes it should be an unsignedbv type, but I think it shouldn't be any unsignedbv type. It should match the size_t semantics on the machine, which is computed by size_type():

cbmc/src/util/c_types.cpp

Lines 58 to 72 in 4889328

	unsignedbv_typet size_type()
	{
	// The size type varies. This is unsigned int on some systems,
	// and unsigned long int on others,
	// and unsigned long long on say Windows 64.
	if(config.ansi_c.pointer_width==config.ansi_c.int_width)
	return unsigned_int_type();
	else if(config.ansi_c.pointer_width==config.ansi_c.long_int_width)
	return unsigned_long_int_type();
	else if(config.ansi_c.pointer_width==config.ansi_c.long_long_int_width)
	return unsigned_long_long_int_type();
	else
	INVARIANT(false, "width of size type"); // aaah!
	}

Or am I missing something here?

[codecov]

Codecov Report

Merging #6430 (8ee6305) into develop (bfa4c2c) will increase coverage by 0.01%.
The diff coverage is 70.83%.

@@             Coverage Diff             @@
##           develop    #6430      +/-   ##
===========================================
+ Coverage    76.01%   76.02%   +0.01%     
===========================================
  Files         1527     1527              
  Lines       164465   164510      +45     
===========================================
+ Hits        125013   125068      +55     
+ Misses       39452    39442      -10     

Impacted Files	Coverage Δ
src/goto-programs/goto_convert_class.h	87.30% <ø> (ø)
src/goto-programs/goto_instruction_code.cpp	100.00% <ø> (ø)
src/goto-programs/goto_instruction_code.h	100.00% <ø> (ø)
src/goto-programs/builtin_functions.cpp	56.17% <70.21%> (+0.85%)	⬆️
src/goto-programs/goto_convert_function_call.cpp	47.27% <100.00%> (ø)
src/solvers/lowering/byte_operators.cpp	92.18% <0.00%> (+0.09%)	⬆️
src/analyses/goto_check.cpp	88.98% <0.00%> (+0.20%)	⬆️
src/solvers/flattening/boolbv_shift.cpp	84.37% <0.00%> (+9.37%)	⬆️
src/solvers/flattening/boolbv_member.cpp	97.56% <0.00%> (+43.90%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update e27dba6...8ee6305. Read the comment docs.

[feliperodri]

Only minor changes. Almost ready to go 😄

[tautschnig]

Approving, but please address the comments before merging.

[tautschnig]

Rather than fixing up the location after the fact, make these changes to a source location beforehand, like:

source_locationt annotated_location = source_location;
annotated_location.set("user-provided", ...); ...

and then use annotated_location when constructing the goto-program instruction.

[remi-delmas-3000]

done

[tautschnig]

Did you perhaps end up going back and forth on this? It doesn't seem to have been addressed.

[tautschnig]

This needs to be of a code_typet type, and then makes me wonder whether you should rather fetch this symbol from the symbol table. And that, in turn, makes me wonder whether such a function should make sure it is present in the symbol table.

[remi-delmas-3000]

The symbol's signature is only declared in src/ansi-c/cprover_builtin_headers.h.
If someone were to build a goto model programatically without using the C front-end, is there a guarantee that this signature will be present in the symbol table ?

[tautschnig]

No, there is no such guarantee. Hence, it would be necessary to check, and add the symbol if it isn't present just yet.

[feliperodri]

LGTM module a few more tests updates and Michael's comments.

[feliperodri]

I see that you have a different name for each test case (i.e., a .c file and a test description). The usual pattern across the regression tests is to create a folder with a descriptive name (like the ones you're using for each test case) and add a main.c file and a test.desc file inside that folder. At the end of each test description, we add a small explanation of what behavior the test is covering. Not a blocker, but I suggest you to update this test to follow the same pattern.

[feliperodri]

We probably don't have any cases where we try to pass more than 2 parameters, thus, we don't hit this case.

[remi-delmas-3000]

Since tests are expressed in C and uses of havoc_slice are checked by the front end these would be impossible to reach using a test expressed in C.
Covering them would require build and load a goto model directly or create them in C++ directly.

[feliperodri]

Same as above for non-pointer parameters.

[feliperodri]

Same as above. We can create one test to cover these error cases.

[feliperodri]

Same as above.

[tautschnig]

Random place for comment: it would be great if the commit message also answered the "Why?" question. See https://chris.beams.io/posts/git-commit/ as linked from the pull-request template. On this occasion, it would be good to answer the "why did __CPROVER_havoc_object not suffice" question.

[tautschnig]

Did you perhaps end up going back and forth on this? It doesn't seem to have been addressed.

[tautschnig]

Remove inline

[tautschnig]

Remove inline

[tautschnig]

You don't actually need this in the header file anymore.