Skip to content

Add proper handling of integer-overflows #121

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 69 commits into from
Nov 26, 2020
Merged

Add proper handling of integer-overflows #121

merged 69 commits into from
Nov 26, 2020

Conversation

@jerhard
Copy link
Member

@jerhard jerhard commented Oct 21, 2020

In order to implement proper handling of integer overflows in the analyzed C code, and to be able to deal with values outside the range of OCaml-int64 (#120), we have to make several changes to the integer domains.

  1. Add ikind information to the integer domains.
  2. Use arbitrary precision integers in the implementation of the domains.
  3. In the implementation of the abstract operations of the integer domains, add detection & handling of overflows.

Regarding 1., I added an functor IntDomLifter, that takes a module of signature IntDomain.S and adds a layer to store the ikind.

TODOs:

  • it is not clear how the top and bot should look like in the IntDomLifter. These either would have to be of some arbitrary ikind or some additional Top and Bottom element
  • 2 and 3. still have to be implemented

jerhard added 16 commits October 21, 2020 16:19
@jerhard
Add test for large unsigned long constants in expressions
1e07dd8
@jerhard
Indentation
9f911c0
@jerhard
Rename test case, use -1 instead of 2^64-1 in sample
2ea0feb
@jerhard
Cleanup test.
bba9480
@jerhard
Add testcase showing multiplication (w/o 0) is not injective.
c47c806 
This shows a problem in the treatment of operations:
    (Excluded (s, r)) op (Definite y)

Excluded(s op y, _) is in general not a correct result value here.
(Where s op y := {x op y | x in s})
This is because there might be an z in gamma(Excluded (s, r)) such that
    z op y (mod 2^32)
is in (s op y).

Some overflow checking is needed.
@jerhard
Rename test case
a3aa5e3
@jerhard
Add test case for the handling of multiplication in branching.
48eff0d
@jerhard
Change UNKNOWN to UNKNOWN!
f3da2fb
@jerhard
Add test case for multiplication in conditions with Interval32.
2841d9e
@jerhard
Make local copy of signature S int IntDomTuple
099322a
@jerhard
Add signature IntDomain.Z and IntDomLifter(I: S): Z
f185ce4 
Some preliminary work to store the ikind for abstract integer values.
We want to have the ikind available for all abstract integer values, when
we perform operations on them, but we don't really want to store the
ikind redundantly in each of the integer domain implementations.

We introduce a IntDomLifter, that takes a integer domain implementation
and adds the ikind information to it. In the future, this
IntDomLifter should pass the ikind to the domain operations that need it.
This is the reason why we need a separate signature Z for instantiations
of the IntDomLifter which is different from the signature S.
In the signature Z only the creation of abstract value expects an ikind,
but - unlike S - the integer operations itself will not require it.

Needs to be reworked inorder not to fail test cases.
@jerhard
IntDomLifter: logical not returns int/Cil.IInt
30d7dd9
@jerhard
Properly handle joins for unions; add cast for arithmetic types in Ba…
ae2df0d 
…se (taken from def_exc_fix branch)
@jerhard
Add incompatible ikinds to error message for operations in IntDomLifter
2b9aa59
@jerhard
Fix casting in invariant
2eb6706
@jerhard
Remove toXML and toXML_f from IntDomLifter
2dc5043
@vogler
Copy link
Collaborator

vogler commented Oct 21, 2020

Instead of copying module type S to module type Z, it'd be better to just include the common values.

@vogler
Copy link
Collaborator

vogler commented Oct 21, 2020

Instead of carrying ikind around we could add it as an argument for operations. Adding an indirection and additional 64 bit for ikind for every abstract int might be costly.
Since a lot of bot/top handling is shared, it's maybe a good idea anyway to merge operations into an unop/binop which gets the operation and ikind.
If we still want to keep the specialized functions like add, sub etc., they could be added by some functor.

michael-schwarz
michael-schwarz reviewed Oct 22, 2020
View reviewed changes
michael-schwarz
michael-schwarz reviewed Oct 22, 2020
View reviewed changes
@jerhard
Copy link
Member Author

jerhard commented Oct 22, 2020
edited
Loading

Instead of carrying ikind around we could add it as an argument for operations.

I think there are places besides the arithmetic operations where we want to know the ikind. E.g. if we perform a widen on ints, it would be useful to know what the ikind of the integers is that is being widened.

jerhard and others added 9 commits October 22, 2020 08:54
jerhard added 11 commits November 18, 2020 18:24
@jerhard
Change INV.is_top to INV.is_top_of for Octagons.
2e1cd70
@jerhard
Use proper name for BigIntOps module in ArrayDomain
09a63cc
@jerhard
Use Interval with default ikind IInt for OctagonDomain
6947c98
@jerhard
Add failing test case
0fe8b96
@jerhard
Base.eval_rv: Do not remove cast if at least one of the arguments is …
b830957 
…of integer type
@jerhard
Use is_top_of instead of is_top in ValueDomain.smart_leq
04510d5
@jerhard
Revert "Base.eval_rv: Do not remove cast if at least one of the argum…
62b21c8 
…ents is of integer type"

This reverts commit b830957.
@jerhard
Base.eval_rv: Don't remove cast from arithmetic type expression
c464af9
@jerhard
Merge branch 'master' into overflow_handling
bdecc78
@jerhard
Interval.invariant: Don't convert to int64, which might fail
35bb167
@jerhard
Add invariant_ikind to IntervalFunctor, IntDomTupleImpl, so it knows …
b688069 
…the right ikind. These are then called by IntDomLifter that keeps the ikind.
@michael-schwarz michael-schwarz mentioned this pull request Nov 23, 2020
Closed
9 tasks
@michael-schwarz michael-schwarz mentioned this pull request Nov 24, 2020
Merged
@jerhard jerhard added the sv-comp SV-COMP (analyses, results), witnesses label Nov 24, 2020
michael-schwarz
michael-schwarz reviewed Nov 25, 2020
View reviewed changes
@jerhard jerhard changed the title WIP: Add proper handling of integer-overflows Add proper handling of integer-overflows Nov 25, 2020
@michael-schwarz
Copy link
Member

michael-schwarz commented Nov 25, 2020
edited
Loading

This causes sv-comp/sv-benchmarks/c/loops/linear_search.c to unsoundly claim that the error is not reached.
Edit: This seems to be UB in the benchmark, see sosy-lab/sv-benchmarks#1241

@michael-schwarz
Copy link
Member

michael-schwarz commented Nov 26, 2020

I pushed a problematic example where the ikinds don't line up:

    signed char* s = malloc(10*sizeof(signed char));
    s[0] = -5;

    unsigned char* us = s;
    *us = 12;

This is valid C, and GCC also doesn't complain, but we currently fail with - Fatal error: exception Failure("ikinds signed char and unsigned char are incompatible. Values: (-5) and (12)")

This is this issue we discussed where it would be necessary to go to supertop for Int of different ikind.

@michael-schwarz michael-schwarz merged commit e602b97 into master Nov 26, 2020
@michael-schwarz michael-schwarz deleted the overflow_handling branch November 26, 2020 12:51
@sim642 sim642 added this to the SV-COMP 2021 milestone Nov 27, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@michael-schwarz michael-schwarz michael-schwarz left review comments

Assignees

No one assigned

Labels

sv-comp SV-COMP (analyses, results), witnesses

Projects

None yet

Milestone

SV-COMP 2021

Development

Successfully merging this pull request may close these issues.

5 participants

@jerhard @vogler @michael-schwarz @sim642