New intrinsic for initialization of variables

[rafaelsamenezes]

This add the intrinsic __ESBMC_init_var(void*), which initializes the value of a given symbol with nondeterministic values, this is useful for initializing constant-sized arrays and structures.

[lucasccordeiro]

LGTM.

[mikhailramalho]

We don't actually need an intrinsic for that...

Two easier solutions:

1. When processing the goto program, you can add a transformation module that add nondet side effects to all decl_exprt.
2. During symex, you can add the nondet initialization when handling DECL instructions.

On both cases, you'll only need to add a flag to esbmc that should force such behavior (I think cbmc has a flag for that as well) . I suggest going for option 1, which is a more modular approach.

[rafaelsamenezes]

We don't actually need an intrinsic for that...

From what I understood, this means that every non-initialized variable is going to be nondeterministic, right?

How that would work for global arrays? For instance:

char arr[100];
int loop_init() {
        nondet_init_array();
        int a = foo();
        while (a > 1)
                a = a / 2;
        __ESBMC_assert(a == 2, "Failed as expected");

        return 0;
}

[mikhailramalho]

Nope, because global and static variables are initialized by the frontend. If you print the goto program of your example, you'll probably see char arr[100] = array_of(0). Em qui., 29 de abr. de 2021 às 12:33, Rafael Sá Menezes < ***@***.***> escreveu:

…

We don't actually need an intrinsic for that... From what I understood, this means that every non-initialized variable is going to be nondeterministic, right? How that would work for global arrays? For instance: char arr[100];int loop_init() { nondet_init_array(); int a = foo(); while (a > 1) a = a / 2; __ESBMC_assert(a == 2, "Failed as expected"); return 0; } — You are receiving this because your review was requested. Reply to this email directly, view it on GitHub <#436 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAKEJHZDREWFJTHIULH5IUDTLGC45ANCNFSM432CX3TQ> .

-- Mikhail Ramalho.

[rafaelsamenezes]

Nope, because global and static variables are initialized by the frontend.

Is there a way to mark a global array as nondet? This was the main intent of this intrinsic.

[mikhailramalho]

There are a couple of places where this can be implemented: 1. clang_c_convertert::get_var (when initializing global/static variables to zero) 2. static_lifetime_init (clang_c_main.cpp) 3. You can create a decl_expr in init_variable (clang_c_main.cpp) and use the modular approach I suggested in the previous email. We never created a decl_expr in init_variable before because we always expected global to be initialized as zero (except if they are marked as extern). Em qui., 29 de abr. de 2021 às 13:27, Rafael Sá Menezes < ***@***.***> escreveu:

…

Nope, because global and static variables are initialized by the frontend. Is there a way to mark a global array as nondet? This was the main intent of this intrinsic. — You are receiving this because your review was requested. Reply to this email directly, view it on GitHub <#436 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAKEJH2BFW6GQGILVACIFUDTLGJJVANCNFSM432CX3TQ> .

-- Mikhail Ramalho.

[mikhailramalho]

BTW, if you want the benefits of removing these loops, loop transformations would massively benefit esbmc, stuff like converting: char arr[N]; for(int i = 0; i < N; i++) arr[i] = nondet_char() to: char arr[N] = nondet_char_arr(N); Implementing this as a goto transformation and supporting some easy cases should be trivial. Em qui., 29 de abr. de 2021 às 13:50, Mikhail Ramalho Gadelha < ***@***.***> escreveu:

…

There are a couple of places where this can be implemented: 1. clang_c_convertert::get_var (when initializing global/static variables to zero) 2. static_lifetime_init (clang_c_main.cpp) 3. You can create a decl_expr in init_variable (clang_c_main.cpp) and use the modular approach I suggested in the previous email. We never created a decl_expr in init_variable before because we always expected global to be initialized as zero (except if they are marked as extern). Em qui., 29 de abr. de 2021 às 13:27, Rafael Sá Menezes < ***@***.***> escreveu: > Nope, because global and static variables are initialized by the frontend. > > Is there a way to mark a global array as nondet? This was the main intent > of this intrinsic. > > — > You are receiving this because your review was requested. > Reply to this email directly, view it on GitHub > <#436 (comment)>, or > unsubscribe > <https://github.com/notifications/unsubscribe-auth/AAKEJH2BFW6GQGILVACIFUDTLGJJVANCNFSM432CX3TQ> > . > -- Mikhail Ramalho.

-- Mikhail Ramalho.

[rafaelsamenezes]

There still a need for this Intrinsic. Some users want to have a default way not only to mark a variable as nondet but to also keep making it nondet during the flow. Also this should be a part of #652

int a;
__ESBMC_init_var(a);
// do stuff with a ...
__ESBMC_init_var(a);
// do stuff with other a ...

@mikhailramalho could you look into this again?

[rafaelsamenezes]

There still a need for this Intrinsic. Some users want to have a default way not only to mark a variable as nondet but to also keep making it nondet during the flow. Also this should be a part of #652

int a;
__ESBMC_init_var(a);
// do stuff with a ...
__ESBMC_init_var(a);
// do stuff with other a ...

@mikhailramalho could you look into this again?

[mikhailramalho]

There still a need for this Intrinsic. Some users want to have a default way not only to mark a variable as nondet but to also keep making it nondet during the flow. Also this should be a part of #652

int a;
__ESBMC_init_var(a);
// do stuff with a ...
__ESBMC_init_var(a);
// do stuff with other a ...

@mikhailramalho could you look into this again?

Oh, now I see! Indeed, marking a variable nondet is a bit cumbersome because of the return types of our nondet builtins. Let me just try something using macros here and I'll get back to you. My idea is something like:

#define __ESBMC_mark_nondet(var)
    __auto_type(var) nondet##var();
    var = nondet##var();

If that works, we can simply add this macro to the preprocessor!

[mikhailramalho]

@rafaelsamenezes, how about something like:

#include<assert.h>

#define __ESBMC_mark_nondet(var) \
    typeof(var) nondet_##var(); \
    var = nondet_##var() \

int main() {
  int v;
  v = 0;

  assert(v == 0);
  __ESBMC_mark_nondet(v);
  assert(v == 0);
}

drawbacks: we'll create one empty symbol for each variable that we mark nondet (in this example, we are creating a new nondet_v() symbol).

This needs to be expanded to prevent type conflicts, e.g., if we define a variable v in another function in the same TU with a different type the frontend will abort the verification, but we can solve that by using a location macro (LINE maybe?).

Let me know what you think, if this ends up being too complicated, I agree we should use the new builtin.

[rafaelsamenezes]

Let me know what you think, if this ends up being too complicated, I agree we should use the new builtin.

The main drawback for me is that it wont't work for arrays.

int main() {
  int v[10];
  v[5] = 0;

  assert(v[5] == 0);
  __ESBMC_mark_nondet(v);
  assert(v[5] == 0);
}

[mikhailramalho]

Let me know what you think, if this ends up being too complicated, I agree we should use the new builtin.

The main drawback for me is that it wont't work for arrays.

int main() {
  int v[10];
  v[5] = 0;

  assert(v[5] == 0);
  __ESBMC_mark_nondet(v);
  assert(v[5] == 0);
}

True :/

The only thing annoying me is the void*, can we templatefy it? Using C's extension __auto_type?

If we can't use it, I agree we should proceed with the void pointer.

[rafaelsamenezes]

Using C's extension __auto_type?

We can only do this for function definitions: error: a parameter list without types is only allowed in a function definition

[mikhailramalho]

I get the reasoning now, and I'm fine with this PR after checking the 2 comments I left.

[lucasccordeiro]

@fbrausse: could you please review this PR?

[fbrausse]

Besides exception handling and some bikeshedding regarding the name (see comments), LGTM.

[mikhailramalho]

LGTM, just one minor comment.

[mikhailramalho]

Maybe these belong to a separate PR?

[rafaelsamenezes]

oops. Nice catch

[lucasccordeiro]

LGTM.

[lucasccordeiro]

@rafaelsamenezes: could you please update our documentation page https://ssvlab.github.io/esbmc/documentation.html? You have created many intrinsics that are not documented for the ESBMC users.

[lucasccordeiro]

@rafaelsamenezes: could you please update our documentation page https://ssvlab.github.io/esbmc/documentation.html? You have created many intrinsic that are not documented anywhere.

[rafaelsamenezes]

@lucasccordeiro I just added it ssvlab/ssvlab.github.io#9

You have created many intrinsic that are not documented anywhere.

We definitely should define a proper way to document intrinsics.

[lucasccordeiro]

I just added it ssvlab/ssvlab.github.io#9

Thanks!