Correctly update symbolic variables that have been changed externally

[MartinNowack]

Before, external changes to symbolic variables have not been propagated
back to their internal representation.

Do a byte-by-byte comparison and potential update if required.

The test case is based on the example provided by Mingyi Liu from the
mailing list.

Summary:

Checklist:

• The PR addresses a single issue. If it can be divided into multiple independent PRs, please do so.
• The PR is divided into a logical sequence of commits OR a single commit is sufficient.
• There are no unnecessary commits (e.g. commits fixing issues in a previous commit in the same PR).
• Each commit has a meaningful message documenting what it does.
• All messages added to the codebase, all comments, as well as commit messages are spellchecked.
• The code is commented OR not applicable/necessary.
• The patch is formatted via clang-format OR not applicable (if explicitly overridden leave unchecked and explain).
• There are test cases for the code you added or modified OR no such test cases are required.

[codecov]

Codecov Report

Merging #1407 (7021a89) into master (a01f46c) will increase coverage by 0.01%.
The diff coverage is 70.96%.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #1407      +/-   ##
==========================================
+ Coverage   70.19%   70.21%   +0.01%     
==========================================
  Files         162      162              
  Lines       19395    19405      +10     
  Branches     4630     4634       +4     
==========================================
+ Hits        13615    13625      +10     
- Misses       3741     3743       +2     
+ Partials     2039     2037       -2     

Files	Coverage Δ
lib/Core/AddressSpace.h	100.00% <ø> (ø)
lib/Core/Executor.h	77.27% <ø> (ø)
lib/Core/Memory.cpp	79.54% <100.00%> (+1.34%)	⬆️
lib/Core/Memory.h	84.90% <ø> (ø)
lib/Core/Executor.cpp	76.96% <88.88%> (+0.03%)	⬆️
lib/Core/AddressSpace.cpp	74.61% <52.94%> (-1.35%)	⬇️

[ccadar]

@MartinNowack thanks for this. I have finally looked at this patch, which is a bit tricky (in particular, I find the ObjectState class to be poorly documented, I'm currently doing a pass over it).

Here's how I would fix this: if the object was modified by the external call (if (memcmp(address, os->concreteStore, mo->size) != 0)) then we just need to mark it as fully concrete from then on and copy all the bytes. So essentially I would add before the existing memcpy(wos->concreteStore, address, mo->size); a call to wos->initializeToZero();.

Does this make sense?

[MartinNowack]

@ccadar Thanks for the review and suggestion. One goal of the implementation was to keep as much symbolic information as possible.
I was thinking about this, the downside from this suggestion is if larger memory objects are used for the external functions call, i.e. pointers into larger pre-allocated buffers.
Of course, with external functions anyway, we loose some of the symbolic information in the first place.

[MartinNowack]

That one is ready to be merged.

[MartinNowack]

@ccadar Please merge this.

[ccadar]

Hi @MartinNowack, thanks for this patch and sorry for the delay. However, this patch is not straightforward at all, despite its small size.

As I said, to me the straightforward solution I suggested in #1407 (comment) makes most sense, but you seem to suggest that a more complex one is needed, and I want to understand why.

Let me start by adding some review comments.

[ccadar]

I'm not sure I understand why this if statement is needed. Can you explain? You cannot rely at this point that wos->concreteStore[i] is valid, can you?

[MartinNowack]

Here is where all the magic happens:

wos->concreteStore[i] contains the concrete object-state representation before the call and is copied to the external address before the call. This includes the concrete values representing symbolic expressions.
update_value represents the current external value at location i after the call. If update_value and wos->concreteStore[i] differ, we know that the external function has changed the object, so we do need to propagate this back to the object. This is especially important, if the external function has changed the value that has been previously represented by a symbolic value. In this case we need to update the object state accordingly, therefore we call the wos->write8() function. This has been handled incorrectly by KLEE before, i.e. not updating the information that a value is not symbolic anymore, only updating the concreteStore representation. This lead to subsequent reads of that object still using the symbolic values instead of the concrete one.

In summary, we have to update the object state's meta-data one way or another.

The major drawback of your solution is that always the full object will be concretised even if only one byte has changed externally.

This PR preserves all the symbolic information of an object that has not been modified by external functions but updates everything else accordingly.
This shouldn't have a higher performance impact for smaller objects.

The performance impact of your suggestion depends on the original state of the object.

[ccadar]

@MartinNowack thanks for the detailed explanation. I would add a (shorter) comment along those lines in the text -- the key part would be the first sentence, I think.

This being said, while your solution is more performant in some cases, it over-approximates things. That's because it can happen that the external call happened to write the same values for some bytes, and keeping those symbolic would lead to inconsistencies. It is easy to construct such an example, and might not be so unlikely in practice given that you do this at the byte granularity (and some values, such as 0, might be quite common).

One solution would be to do this only under the over-approx policy I introduced in #1696, what do you think?

[MartinNowack]

@ccadar Indeed this is a problem. The only upside is that it's less likely to have an impact as the concretisation (i.e. using the results of the solver call) still has the same result. Therefore, recurring queries with the same constraint set would lead to the same results.

I like the over-approx solution, that would make a cleaner design and we could switch between both implementations easily.

[ccadar]

Great, then let's guard this by the --over-approx flag once #1696 is merged.

[MartinNowack]

Sounds like a good plan!

[ccadar]

"Handle the case, that objects" -> "Handle the case when symbolic objects"

[ccadar]

Why not Darwin?

[MartinNowack]

Because the specific printf feature is not supported under Darwin.

[ccadar]

But then can we choose something more portable, maybe sscanf?

[ccadar]

Reminder about this

[ccadar]

constified -> concretized

[ccadar]

Reminder about this

[ccadar]

Good catch! This seems like it could have affected other types of external calls, right?

[MartinNowack]

@ccadar Thanks for the review, I added a comment to the location of interest.

[ccadar]

This seems to be a misspelling

[ccadar]

Can you add a more clear explanation? E.g., reusing the text from toConstant

[ccadar]

Reminder about this

[ccadar]

Reminder about this

[ccadar]

I believe this should be ExternalCalls != ExternalCallPolicy::OverApprox?

[ccadar]

Would it be possible to write a test case demonstrating the bug you fixed?

[MartinNowack]

First comment: This is already guarded in the earlier lines by:

if (ExternalCalls == ExternalCallPolicy::All ||
        ExternalCalls == ExternalCallPolicy::OverApprox) {

I'm using the same approach as in line 4020 to be consistent.

[ccadar]

OK, nothing to do for this one then.

[ccadar]

Thanks, @MartinNowack , great changes. Only a few minor issues left, see comments. The only bigger request, if feasible, would be for a test case demonstrating the bug you fixed.

[ccadar]

Thanks, @MartinNowack, let's merge this one for v3.1, and keep in mind my remaining comments for future work involving external calls.