Hash table predefined hashes (#364)

* aws_hash_ptr + aws_hash_c_string

* suppress undefined checks

* check inputs to hash functions

* turn on overflow checking, will work once diffblue/cbmc#4666 is merged

* whitespace change to retrigger ci

* Update bounds to aws_hash_c_string proof

Signed-off-by: Felipe R. Monteiro <[email protected]>

* Update bounds to aws_hash_string proof

Signed-off-by: Felipe R. Monteiro <[email protected]>

* Update cbmc-batch.yaml files

Signed-off-by: Felipe R. Monteiro <[email protected]>

* Disable pointers check on parts of hashlittle2

Signed-off-by: Felipe R. Monteiro <[email protected]>

* Update bounds in aws_hash_c_string and aws_hash_string proofs

Signed-off-by: Felipe R. Monteiro <[email protected]>

* Improve documentation on the aws_hash_string proof

Signed-off-by: Felipe R. Monteiro <[email protected]>

* PR comments

Signed-off-by: Felipe R. Monteiro <[email protected]>

* Update cbmc-batch.yaml files

Signed-off-by: Felipe R. Monteiro <[email protected]>

* PR comments

Signed-off-by: Felipe R. Monteiro <[email protected]>

* Update proofs bounds

Signed-off-by: Felipe R. Monteiro <[email protected]>

* Guard CPROVER pragmas with CBMC macro

Signed-off-by: Felipe R. Monteiro <[email protected]>

* Update postconditions

Signed-off-by: Felipe R. Monteiro <[email protected]>

Author: danielsn

.cbmc-batch/jobs/aws_hash_c_string/Makefile

@@ -0,0 +1,40 @@
+# Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"). You may not use
+# this file except in compliance with the License. A copy of the License is
+# located at
+#
+#     http://aws.amazon.com/apache2.0/
+#
+# or in the "license" file accompanying this file. This file is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied. See the License for the specific language governing permissions and
+# limitations under the License.
+
+###########
+#32: 4s
+#64: 5s
+#128 6s
+#256 11s
+#1024: 2m30s
+MAX_STRING_SIZE ?= 32
+DEFINES += -DMAX_STRING_SIZE=$(MAX_STRING_SIZE) 
+
+UNWINDSET += strlen.0:$(shell echo $$(( $(MAX_STRING_SIZE) + 1)))
+UNWINDSET += __CPROVER_file_local_lookup3_c_hashlittle2.0:$(shell echo $$(( $$(( $(MAX_STRING_SIZE) / 12 )) +1 )) )
+UNWINDSET += __CPROVER_file_local_lookup3_c_hashlittle2.1:$(shell echo $$(( $$(( $(MAX_STRING_SIZE) / 12 )) +1 )) )
+UNWINDSET += __CPROVER_file_local_lookup3_c_hashlittle2.2:$(shell echo $$(( $$(( $(MAX_STRING_SIZE) / 12 )) +1 )) )
+
+CBMCFLAGS +=
+
+DEPENDENCIES += $(HELPERDIR)/source/make_common_data_structures.c
+DEPENDENCIES += $(HELPERDIR)/source/proof_allocators.c
+DEPENDENCIES += $(HELPERDIR)/source/utils.c
+DEPENDENCIES += $(HELPERDIR)/stubs/error.c
+DEPENDENCIES += $(SRCDIR)/source/common.c
+DEPENDENCIES += $(SRCDIR)/source/hash_table.c
+
+ENTRY = aws_hash_c_string_harness
+###########
+
+include ../Makefile.common

.cbmc-batch/jobs/aws_hash_c_string/aws_hash_c_string_harness.c

@@ -0,0 +1,26 @@
+/*
+ * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. A copy of the License is
+ * located at
+ *
+ *     http://aws.amazon.com/apache2.0/
+ *
+ * or in the "license" file accompanying this file. This file is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <aws/common/hash_table.h>
+#include <aws/common/private/hash_table_impl.h>
+#include <proof_helpers/make_common_data_structures.h>
+#include <proof_helpers/proof_allocators.h>
+#include <proof_helpers/utils.h>
+
+void aws_hash_c_string_harness() {
+    const char *str = make_arbitrary_c_str(MAX_STRING_SIZE);
+    /* This function has no pre or post conditions */
+    uint64_t rval = aws_hash_c_string(str);
+}

.cbmc-batch/jobs/aws_hash_c_string/cbmc-batch.yaml

@@ -0,0 +1,4 @@
+jobos: ubuntu16
+cbmcflags: "--bounds-check;--div-by-zero-check;--float-overflow-check;--nan-check;--pointer-check;--pointer-overflow-check;--signed-overflow-check;--undefined-shift-check;--unsigned-overflow-check;--unwind;1;--unwinding-assertions;--unwindset;strlen.0:33,__CPROVER_file_local_lookup3_c_hashlittle2.0:3,__CPROVER_file_local_lookup3_c_hashlittle2.1:3,__CPROVER_file_local_lookup3_c_hashlittle2.2:3;--object-bits;8"
+goto: aws_hash_c_string_harness.goto
+expected: "SUCCESSFUL"

.cbmc-batch/jobs/aws_hash_ptr/Makefile

@@ -0,0 +1,26 @@
+# Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"). You may not use
+# this file except in compliance with the License. A copy of the License is
+# located at
+#
+#     http://aws.amazon.com/apache2.0/
+#
+# or in the "license" file accompanying this file. This file is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied. See the License for the specific language governing permissions and
+# limitations under the License.
+
+###########
+
+CBMCFLAGS +=
+
+DEPENDENCIES += $(HELPERDIR)/source/utils.c
+DEPENDENCIES += $(HELPERDIR)/stubs/error.c
+DEPENDENCIES += $(SRCDIR)/source/common.c
+DEPENDENCIES += $(SRCDIR)/source/hash_table.c
+
+ENTRY = aws_hash_ptr_harness
+###########
+
+include ../Makefile.common

.cbmc-batch/jobs/aws_hash_ptr/aws_hash_ptr_harness.c

@@ -0,0 +1,26 @@
+/*
+ * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. A copy of the License is
+ * located at
+ *
+ *     http://aws.amazon.com/apache2.0/
+ *
+ * or in the "license" file accompanying this file. This file is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <aws/common/hash_table.h>
+#include <aws/common/private/hash_table_impl.h>
+#include <proof_helpers/make_common_data_structures.h>
+#include <proof_helpers/proof_allocators.h>
+#include <proof_helpers/utils.h>
+
+void aws_hash_ptr_harness() {
+    void *ptr;
+    /* This function has no pre or post conditions */
+    uint64_t rval = aws_hash_ptr(ptr);
+}

.cbmc-batch/jobs/aws_hash_ptr/cbmc-batch.yaml

@@ -0,0 +1,4 @@
+jobos: ubuntu16
+cbmcflags: "--bounds-check;--div-by-zero-check;--float-overflow-check;--nan-check;--pointer-check;--pointer-overflow-check;--signed-overflow-check;--undefined-shift-check;--unsigned-overflow-check;--unwind;1;--unwinding-assertions;--object-bits;8"
+goto: aws_hash_ptr_harness.goto
+expected: "SUCCESSFUL"

.cbmc-batch/jobs/aws_hash_string/Makefile

@@ -0,0 +1,39 @@
+# Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"). You may not use
+# this file except in compliance with the License. A copy of the License is
+# located at
+#
+#     http://aws.amazon.com/apache2.0/
+#
+# or in the "license" file accompanying this file. This file is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied. See the License for the specific language governing permissions and
+# limitations under the License.
+
+###########
+#32: 4s
+#64: 5s
+#128 6s
+#256 11s
+#1024: 2m 30s
+MAX_STRING_SIZE ?= 32
+DEFINES += -DMAX_STRING_SIZE=$(MAX_STRING_SIZE) 
+
+UNWINDSET += __CPROVER_file_local_lookup3_c_hashlittle2.0:$(shell echo $$(( $$(( $(MAX_STRING_SIZE) / 12 )) +1 )) )
+UNWINDSET += __CPROVER_file_local_lookup3_c_hashlittle2.1:$(shell echo $$(( $$(( $(MAX_STRING_SIZE) / 12 )) +1 )) )
+UNWINDSET += __CPROVER_file_local_lookup3_c_hashlittle2.2:$(shell echo $$(( $$(( $(MAX_STRING_SIZE) / 12 )) +1 )) )
+
+CBMCFLAGS +=
+
+DEPENDENCIES += $(HELPERDIR)/source/make_common_data_structures.c
+DEPENDENCIES += $(HELPERDIR)/source/proof_allocators.c
+DEPENDENCIES += $(HELPERDIR)/source/utils.c
+DEPENDENCIES += $(HELPERDIR)/stubs/error.c
+DEPENDENCIES += $(SRCDIR)/source/common.c
+DEPENDENCIES += $(SRCDIR)/source/hash_table.c
+
+ENTRY = aws_hash_string_harness
+###########
+
+include ../Makefile.common

.cbmc-batch/jobs/aws_hash_string/aws_hash_string_harness.c

@@ -0,0 +1,35 @@
+/*
+ * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. A copy of the License is
+ * located at
+ *
+ *     http://aws.amazon.com/apache2.0/
+ *
+ * or in the "license" file accompanying this file. This file is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <aws/common/hash_table.h>
+#include <aws/common/private/hash_table_impl.h>
+#include <proof_helpers/make_common_data_structures.h>
+#include <proof_helpers/proof_allocators.h>
+#include <proof_helpers/utils.h>
+
+void aws_hash_string_harness() {
+    struct aws_string *str =
+        make_arbitrary_aws_string_nondet_len_with_max(nondet_bool() ? NULL : can_fail_allocator(), MAX_STRING_SIZE);
+    /*
+     * aws_hash_string has no pre or post conditions. #TODO: Currently, CBMC is unable to
+     * check all possible paths in these proof. aws_hash_string function calls hashlittle2
+     * function, which calculates two 32-bit hash values. Internally, it contains two
+     * conditions that test for alignment to 4 byte/2 byte boundaries, but CBMC is unable
+     * to correctly evaluate such conditions, due to its pointer encoding. A potential
+     * fix to this problem is under development.
+     * For more details, see https://github.com/diffblue/cbmc/pull/1086.
+     */
+    uint64_t rval = aws_hash_string(str);
+}

.cbmc-batch/jobs/aws_hash_string/cbmc-batch.yaml

@@ -0,0 +1,4 @@
+jobos: ubuntu16
+cbmcflags: "--bounds-check;--div-by-zero-check;--float-overflow-check;--nan-check;--pointer-check;--pointer-overflow-check;--signed-overflow-check;--undefined-shift-check;--unsigned-overflow-check;--unwind;1;--unwinding-assertions;--unwindset;__CPROVER_file_local_lookup3_c_hashlittle2.0:3,__CPROVER_file_local_lookup3_c_hashlittle2.1:3,__CPROVER_file_local_lookup3_c_hashlittle2.2:3;--object-bits;8"
+goto: aws_hash_string_harness.goto
+expected: "SUCCESSFUL"

include/aws/common/private/lookup3.c

@@ -58,6 +58,11 @@ on 1 byte), but shoehorning those bytes into integers efficiently is messy.
 #pragma warning(disable:4127) /*Disable "conditional expression is constant" */
 #endif /* _MSC_VER */
 
+#ifdef CBMC
+#    pragma CPROVER check push
+#    pragma CPROVER check disable "unsigned-overflow"
+#endif /* CBMC */
+
 /*
  * My best guess at if you are big-endian or little-endian.  This may
  * need adjustment.
@@ -322,12 +327,18 @@ static uint32_t hashlittle( const void *key, size_t length, uint32_t initval)
      * "k[2]&0xffffff" actually reads beyond the end of the string, but
      * then masks off the part it's not allowed to read.  Because the
      * string is aligned, the masked-off tail is in the same word as the
-     * rest of the string.  Every machine with memory protection I've seen
-     * does it on word boundaries, so is OK with this.  But VALGRIND will
-     * still catch it and complain.  The masking trick does make the hash
-     * noticably faster for short strings (like English words).
+     * rest of the string. Every machine with memory protection I've seen
+     * does it on word boundaries, so is OK with this. But VALGRIND and CBMC
+     * will still catch it and complain. CBMC will ignore this type of error
+     * in the code block between the pragmas "CPROVER check push" and
+     * "CPROVER check pop". The masking trick does make the hash noticably
+     * faster for short strings (like English words).
      */
 #ifndef VALGRIND
+#ifdef CBMC
+#    pragma CPROVER check push
+#    pragma CPROVER check disable "pointer"
+#endif
     // changed in aws-c-common: fix unused variable warning
 
     switch(length)
@@ -346,7 +357,9 @@ static uint32_t hashlittle( const void *key, size_t length, uint32_t initval)
     case 1 : a+=k[0]&0xff; break;
     case 0 : return c;              /* zero length strings require no mixing */
     }
-
+#ifdef CBMC
+#    pragma CPROVER check pop
+#endif
 #else /* make valgrind happy */
 
     const uint8_t *k8 = (const uint8_t *)k;
@@ -506,12 +519,18 @@ static void hashlittle2(
      * "k[2]&0xffffff" actually reads beyond the end of the string, but
      * then masks off the part it's not allowed to read.  Because the
      * string is aligned, the masked-off tail is in the same word as the
-     * rest of the string.  Every machine with memory protection I've seen
-     * does it on word boundaries, so is OK with this.  But VALGRIND will
-     * still catch it and complain.  The masking trick does make the hash
-     * noticably faster for short strings (like English words).
+     * rest of the string. Every machine with memory protection I've seen
+     * does it on word boundaries, so is OK with this. But VALGRIND and CBMC
+     * will still catch it and complain. CBMC will ignore this type of error
+     * in the code block between the pragmas "CPROVER check push" and
+     * "CPROVER check pop". The masking trick does make the hash noticably
+     * faster for short strings (like English words).
      */
 #ifndef VALGRIND
+#ifdef CBMC
+#    pragma CPROVER check push
+#    pragma CPROVER check disable "pointer"
+#endif
     // changed in aws-c-common: fix unused variable warning
 
     switch(length)
@@ -531,6 +550,9 @@ static void hashlittle2(
     case 0 : *pc=c; *pb=b; return;  /* zero length strings require no mixing */
     }
 
+#ifdef CBMC
+#    pragma CPROVER check pop
+#endif
 #else /* make valgrind happy */
 
     const uint8_t *k8 = (const uint8_t *)k;
@@ -682,12 +704,18 @@ static uint32_t hashbig( const void *key, size_t length, uint32_t initval)
      * "k[2]<<8" actually reads beyond the end of the string, but
      * then shifts out the part it's not allowed to read.  Because the
      * string is aligned, the illegal read is in the same word as the
-     * rest of the string.  Every machine with memory protection I've seen
-     * does it on word boundaries, so is OK with this.  But VALGRIND will
-     * still catch it and complain.  The masking trick does make the hash
-     * noticably faster for short strings (like English words).
+     * rest of the string. Every machine with memory protection I've seen
+     * does it on word boundaries, so is OK with this. But VALGRIND and CBMC
+     * will still catch it and complain. CBMC will ignore this type of error
+     * in the code block between the pragmas "CPROVER check push" and
+     * "CPROVER check pop". The masking trick does make the hash noticably
+     * faster for short strings (like English words).
      */
 #ifndef VALGRIND
+#ifdef CBMC
+#    pragma CPROVER check push
+#    pragma CPROVER check disable "pointer"
+#endif
     // changed in aws-c-common: fix unused variable warning
 
     switch(length)
@@ -706,7 +734,9 @@ static uint32_t hashbig( const void *key, size_t length, uint32_t initval)
     case 1 : a+=k[0]&0xff000000; break;
     case 0 : return c;              /* zero length strings require no mixing */
     }
-
+#ifdef CBMC
+#    pragma CPROVER check pop
+#endif
 #else  /* make valgrind happy */
 
     const uint8_t *k8 = (const uint8_t *)k;
@@ -1017,3 +1047,7 @@ int main()
 #if _MSC_VER
 #pragma warning(pop)
 #endif /* _MSC_VER */
+
+#ifdef CBMC
+#    pragma CPROVER check pop
+#endif /* CBMC */

source/hash_table.c

@@ -972,6 +972,7 @@ void aws_hash_table_clear(struct aws_hash_table *map) {
 }
 
 uint64_t aws_hash_c_string(const void *item) {
+    AWS_PRECONDITION(aws_c_string_is_valid(item));
     const char *str = item;
 
     /* first digits of pi in hex */
@@ -982,26 +983,31 @@ uint64_t aws_hash_c_string(const void *item) {
 }
 
 uint64_t aws_hash_string(const void *item) {
+    AWS_PRECONDITION(aws_string_is_valid(item));
     const struct aws_string *str = item;
 
     /* first digits of pi in hex */
     uint32_t b = 0x3243F6A8, c = 0x885A308D;
     hashlittle2(aws_string_bytes(str), str->len, &c, &b);
+    AWS_POSTCONDITION(aws_string_is_valid(str));
 
     return ((uint64_t)b << 32) | c;
 }
 
 uint64_t aws_hash_byte_cursor_ptr(const void *item) {
+    AWS_PRECONDITION(aws_byte_cursor_is_valid(item));
     const struct aws_byte_cursor *cur = item;
 
     /* first digits of pi in hex */
     uint32_t b = 0x3243F6A8, c = 0x885A308D;
     hashlittle2(cur->ptr, cur->len, &c, &b);
+    AWS_POSTCONDITION(aws_byte_cursor_is_valid(cur));
 
     return ((uint64_t)b << 32) | c;
 }
 
 uint64_t aws_hash_ptr(const void *item) {
+    /* Since the numeric value of the pointer is considered, not the memory behind it, 0 is an acceptable value */
     /* first digits of e in hex
      * 2.b7e 1516 28ae d2a6 */
     uint32_t b = 0x2b7e1516, c = 0x28aed2a6;