Description
extern void __VERIFIER_error();
static float one(float *foo){
return *foo;
}
static float two(float *foo){
return *foo;
}
float x = 0;
void step() {
x = one(0);
}
int main(void) {
while (1) {
step();
if (x == 0) {
__VERIFIER_error();
}
}
return 0;
}
CBMC version: 5.8, also tested on 5.11 with same results
Operating system: Ubuntu 18.04
Exact command line resulting in the issue: cbmc --32 --graphml-witness witness.graphml --unwindset main.0:1 --unwinding-assertions main.c
What behaviour did you expect: The scope of assumption "foo = ((float *)NULL);" in the witness should be 'one'.
What happened instead: Scope is 'step'. Assignment to parameter 'foo' is thus ambiguous, since there are two possibilities - either parameter of function 'one' or 'two'.
This behaviour produces 'unknown expression' warnings when I try to validate the witness with CPAChecker and also causes CPAChecker to ignore any of these assumptions in its validation procedure.
I think it might be a cause of why CBMC and CPAChecker disagree on results of verifications in a casy study I am doing where the witnesses from CBMC are validated with CPAChecker. I could have a look at fixing this myself if you would like, though if you pointed me in the right direction it would be much appreciated. I am not very familiar with CBMC sources.
On a slightly different note, the witnesses also contain symbols like NULL, NAN and INFINITY, which have to be replaced for CPAChecker to not give 'unkwnon expression' warnings. In C these are actually macros and not part of the language itself. I was wondering if this behaviour was deliberate.
Here is the source code and the output witness:
source_and_witness.zip