r/w/rw_ok and pointer_in_range depend on deallocated and dead_object

The evaluation of these expressions depends on the specific values of
__CPROVER_deallocated and __CPROVER_dead_object at the time the
expression is used. Therefore, create new prophecy_* variants of these
expressions to retain the properties expected of an expression (as
opposed to a statement/function call).

These prophecy_* expressions can safely be passed on to back-ends, be
simplified, and do not need to be rewritten during instrumentation. For
now, they are just handled by lowering the expressions (in the SAT and
SMT back-ends). We may, in future, decide to have back-end specific (and
possibly more efficient) handling of these.

Author: tautschnig

regression/cbmc/realloc-should-not-free-on-failure-to-allocate/test.desc

@@ -1,7 +1,7 @@
 CORE new-smt-backend
 test.c
 --malloc-may-fail --malloc-fail-null
-^\[main.precondition_instance.\d+] line \d+ double free: SUCCESS$
+^\[free.precondition.\d+] line \d+ double free: SUCCESS$
 ^VERIFICATION SUCCESSFUL$
 ^EXIT=0$
 ^SIGNAL=0$

regression/goto-cc-goto-analyzer/instrument_preconditions_locations/test.desc

@@ -4,7 +4,7 @@ test.c
 ^EXIT=0$
 ^SIGNAL=0$
 Checking assertions
-^\[EVP_MD_CTX_free.precondition_instance.1\] line \d+ free argument must be NULL or valid pointer: SUCCESS
+^\[free.precondition.1\] line \d+ free argument must be NULL or valid pointer: SUCCESS
 --
 Invariant check failed
 --

src/ansi-c/expr2c.cpp

@@ -3572,6 +3572,26 @@ std::string expr2ct::convert_r_or_w_ok(const r_or_w_ok_exprt &src)
   return dest;
 }
 
+std::string
+expr2ct::convert_prophecy_r_or_w_ok(const prophecy_r_or_w_ok_exprt &src)
+{
+  // we hide prophecy expressions in C-style output
+  std::string dest = src.id() == ID_prophecy_r_ok   ? "R_OK"
+                     : src.id() == ID_prophecy_w_ok ? "W_OK"
+                                                    : "RW_OK";
+
+  dest += '(';
+
+  unsigned p;
+  dest += convert_with_precedence(src.pointer(), p);
+  dest += ", ";
+  dest += convert_with_precedence(src.size(), p);
+
+  dest += ')';
+
+  return dest;
+}
+
 std::string expr2ct::convert_pointer_in_range(const pointer_in_range_exprt &src)
 {
   std::string dest = CPROVER_PREFIX "pointer_in_range";
@@ -3590,6 +3610,26 @@ std::string expr2ct::convert_pointer_in_range(const pointer_in_range_exprt &src)
   return dest;
 }
 
+std::string expr2ct::convert_prophecy_pointer_in_range(
+  const prophecy_pointer_in_range_exprt &src)
+{
+  // we hide prophecy expressions in C-style output
+  std::string dest = CPROVER_PREFIX "pointer_in_range";
+
+  dest += '(';
+
+  unsigned p;
+  dest += convert_with_precedence(src.lower_bound(), p);
+  dest += ", ";
+  dest += convert_with_precedence(src.pointer(), p);
+  dest += ", ";
+  dest += convert_with_precedence(src.upper_bound(), p);
+
+  dest += ')';
+
+  return dest;
+}
+
 std::string expr2ct::convert_with_precedence(
   const exprt &src,
   unsigned &precedence)
@@ -4002,9 +4042,22 @@ std::string expr2ct::convert_with_precedence(
   else if(src.id() == ID_r_ok || src.id() == ID_w_ok || src.id() == ID_rw_ok)
     return convert_r_or_w_ok(to_r_or_w_ok_expr(src));
 
+  else if(
+    auto prophecy_r_or_w_ok =
+      expr_try_dynamic_cast<prophecy_r_or_w_ok_exprt>(src))
+  {
+    return convert_prophecy_r_or_w_ok(*prophecy_r_or_w_ok);
+  }
+
   else if(src.id() == ID_pointer_in_range)
     return convert_pointer_in_range(to_pointer_in_range_expr(src));
 
+  else if(src.id() == ID_prophecy_pointer_in_range)
+  {
+    return convert_prophecy_pointer_in_range(
+      to_prophecy_pointer_in_range_expr(src));
+  }
+
   auto function_string_opt = convert_function(src);
   if(function_string_opt.has_value())
     return *function_string_opt;

src/ansi-c/expr2c_class.h

@@ -28,6 +28,8 @@ class qualifierst;
 class namespacet;
 class r_or_w_ok_exprt;
 class pointer_in_range_exprt;
+class prophecy_r_or_w_ok_exprt;
+class prophecy_pointer_in_range_exprt;
 
 class expr2ct
 {
@@ -285,7 +287,10 @@ class expr2ct
   std::string convert_bitreverse(const bitreverse_exprt &src);
 
   std::string convert_r_or_w_ok(const r_or_w_ok_exprt &src);
+  std::string convert_prophecy_r_or_w_ok(const prophecy_r_or_w_ok_exprt &src);
   std::string convert_pointer_in_range(const pointer_in_range_exprt &src);
+  std::string
+  convert_prophecy_pointer_in_range(const prophecy_pointer_in_range_exprt &src);
 };
 
 #endif // CPROVER_ANSI_C_EXPR2C_CLASS_H

src/ansi-c/goto_check_c.cpp

@@ -1444,6 +1444,8 @@ void goto_check_ct::pointer_primitive_check(
   const exprt pointer =
     (expr.id() == ID_r_ok || expr.id() == ID_w_ok || expr.id() == ID_rw_ok)
       ? to_r_or_w_ok_expr(expr).pointer()
+    : can_cast_expr<prophecy_r_or_w_ok_exprt>(expr)
+      ? to_prophecy_r_or_w_ok_expr(expr).pointer()
       : to_unary_expr(expr).op();
 
   CHECK_RETURN(pointer.type().id() == ID_pointer);
@@ -1484,6 +1486,7 @@ bool goto_check_ct::requires_pointer_primitive_check(const exprt &expr)
   // will equally be non-deterministic.
   return can_cast_expr<object_size_exprt>(expr) || expr.id() == ID_r_ok ||
          expr.id() == ID_w_ok || expr.id() == ID_rw_ok ||
+         can_cast_expr<prophecy_r_or_w_ok_exprt>(expr) ||
          expr.id() == ID_is_dynamic_object;
 }
 

src/cprover/state_encoding.cpp

@@ -294,6 +294,20 @@ exprt state_encodingt::evaluate_expr_rec(
                                          : ID_state_rw_ok;
     return ternary_exprt(new_id, state, pointer, size, what.type());
   }
+  else if(
+    const auto r_or_w_ok_expr =
+      expr_try_dynamic_cast<prophecy_r_or_w_ok_exprt>(what))
+  {
+    // we replace prophecy expressions by our state
+    auto pointer =
+      evaluate_expr_rec(loc, state, r_or_w_ok_expr->pointer(), bound_symbols);
+    auto size =
+      evaluate_expr_rec(loc, state, r_or_w_ok_expr->size(), bound_symbols);
+    auto new_id = what.id() == ID_prophecy_r_ok   ? ID_state_r_ok
+                  : what.id() == ID_prophecy_w_ok ? ID_state_w_ok
+                                                  : ID_state_rw_ok;
+    return ternary_exprt(new_id, state, pointer, size, what.type());
+  }
   else if(what.id() == ID_is_cstring)
   {
     // we need to add the state

src/goto-instrument/contracts/instrument_spec_assigns.cpp

@@ -644,9 +644,13 @@ exprt instrument_spec_assignst::target_validity_expr(
   // (or is NULL if we allow it explicitly).
   // This assertion will be falsified whenever `start_address` is invalid or
   // not of the right size (or is NULL if we do not allow it explicitly).
-  auto result =
-    or_exprt{not_exprt{car.condition()},
-             w_ok_exprt{car.target_start_address(), car.target_size()}};
+  symbol_exprt deallocated =
+    ns.lookup(CPROVER_PREFIX "deallocated").symbol_expr();
+  symbol_exprt dead = ns.lookup(CPROVER_PREFIX "dead_object").symbol_expr();
+  auto result = or_exprt{
+    not_exprt{car.condition()},
+    prophecy_w_ok_exprt{
+      car.target_start_address(), car.target_size(), deallocated, dead}};
 
   if(allow_null_target)
     result.add_to_operands(null_object(car.target_start_address()));

src/goto-instrument/contracts/utils.cpp

@@ -178,7 +178,11 @@ exprt all_dereferences_are_valid(const exprt &expr, const namespacet &ns)
     const auto size_of_expr_opt = size_of_expr(expr.type(), ns);
     CHECK_RETURN(size_of_expr_opt.has_value());
 
-    validity_checks.push_back(r_ok_exprt{deref->pointer(), *size_of_expr_opt});
+    symbol_exprt deallocated =
+      ns.lookup(CPROVER_PREFIX "deallocated").symbol_expr();
+    symbol_exprt dead = ns.lookup(CPROVER_PREFIX "dead_object").symbol_expr();
+    validity_checks.push_back(prophecy_r_ok_exprt{
+      deref->pointer(), *size_of_expr_opt, deallocated, dead});
   }
 
   for(const auto &op : expr.operands())

src/goto-programs/builtin_functions.cpp

@@ -669,7 +669,10 @@ void goto_convertt::do_havoc_slice(
   // char nondet_contents[argument[1]];
   // __CPROVER_array_replace(p, nondet_contents);
 
-  r_or_w_ok_exprt ok_expr(ID_w_ok, arguments[0], arguments[1]);
+  symbol_exprt deallocated =
+    ns.lookup(CPROVER_PREFIX "deallocated").symbol_expr();
+  symbol_exprt dead = ns.lookup(CPROVER_PREFIX "dead_object").symbol_expr();
+  prophecy_w_ok_exprt ok_expr{arguments[0], arguments[1], deallocated, dead};
   ok_expr.add_source_location() = source_location;
   source_locationt annotated_location = source_location;
   annotated_location.set("user-provided", false);

src/goto-programs/goto_clean_expr.cpp

@@ -11,6 +11,7 @@ Author: Daniel Kroening, [email protected]
 
 #include "goto_convert_class.h"
 
+#include <util/cprover_prefix.h>
 #include <util/expr_util.h>
 #include <util/fresh_symbol.h>
 #include <util/pointer_expr.h>
@@ -73,6 +74,15 @@ bool goto_convertt::needs_cleaning(const exprt &expr)
     return true;
   }
 
+  // Rewrite rw_ok and pointer_in_range front-end expressions into ones
+  // including prophecy expressions.
+  if(
+    can_cast_expr<r_or_w_ok_exprt>(expr) ||
+    can_cast_expr<pointer_in_range_exprt>(expr))
+  {
+    return true;
+  }
+
   // We can't flatten quantified expressions by introducing new literals for
   // conditional expressions.  This is because the body of the quantified
   // may refer to bound variables, which are not visible outside the scope
@@ -436,6 +446,32 @@ void goto_convertt::clean_expr(
       expr.operands().size() == 1, "ID_compound_literal has a single operand");
     expr = to_unary_expr(expr).op();
   }
+  else if(auto r_or_w_ok = expr_try_dynamic_cast<r_or_w_ok_exprt>(expr))
+  {
+    const auto &id = expr.id();
+    expr =
+      prophecy_r_or_w_ok_exprt{
+        id == ID_r_ok   ? ID_prophecy_r_ok
+        : id == ID_w_ok ? ID_prophecy_w_ok
+                        : ID_prophecy_rw_ok,
+        r_or_w_ok->pointer(),
+        r_or_w_ok->size(),
+        ns.lookup(CPROVER_PREFIX "deallocated").symbol_expr(),
+        ns.lookup(CPROVER_PREFIX "dead_object").symbol_expr()}
+        .with_source_location<exprt>(expr);
+  }
+  else if(
+    auto pointer_in_range = expr_try_dynamic_cast<pointer_in_range_exprt>(expr))
+  {
+    expr =
+      prophecy_pointer_in_range_exprt{
+        pointer_in_range->lower_bound(),
+        pointer_in_range->pointer(),
+        pointer_in_range->upper_bound(),
+        ns.lookup(CPROVER_PREFIX "deallocated").symbol_expr(),
+        ns.lookup(CPROVER_PREFIX "dead_object").symbol_expr()}
+        .with_source_location<exprt>(expr);
+  }
 }
 
 void goto_convertt::clean_expr_address_of(

src/solvers/flattening/bv_pointers.cpp

@@ -18,6 +18,7 @@ Author: Daniel Kroening, [email protected]
 #include <util/pointer_expr.h>
 #include <util/pointer_offset_size.h>
 #include <util/pointer_predicates.h>
+#include <util/simplify_expr.h>
 
 /// Map bytes according to the configured endianness. The key difference to
 /// endianness_mapt is that bv_endianness_mapt is aware of the bit-level
@@ -204,6 +205,18 @@ literalt bv_pointerst::convert_rest(const exprt &expr)
           bv_utilst::representationt::UNSIGNED));
     }
   }
+  else if(
+    auto prophecy_r_or_w_ok =
+      expr_try_dynamic_cast<prophecy_r_or_w_ok_exprt>(expr))
+  {
+    return convert(simplify_expr(prophecy_r_or_w_ok->lower(ns), ns));
+  }
+  else if(
+    auto prophecy_pointer_in_range =
+      expr_try_dynamic_cast<prophecy_pointer_in_range_exprt>(expr))
+  {
+    return convert(simplify_expr(prophecy_pointer_in_range->lower(ns), ns));
+  }
 
   return SUB::convert_rest(expr);
 }

src/solvers/smt2/smt2_conv.cpp

@@ -4864,6 +4864,30 @@ exprt smt2_convt::prepare_for_convert_expr(const exprt &expr)
     !has_byte_operator(lowered_expr),
     "lower_byte_operators should remove all byte operators");
 
+  // Perform rewrites that may introduce new symbols
+  for(auto it = lowered_expr.depth_begin(), itend = lowered_expr.depth_end();
+      it != itend;) // no ++it
+  {
+    if(
+      auto prophecy_r_or_w_ok =
+        expr_try_dynamic_cast<prophecy_r_or_w_ok_exprt>(*it))
+    {
+      exprt lowered = simplify_expr(prophecy_r_or_w_ok->lower(ns), ns);
+      it.mutate() = lowered;
+      it.next_sibling_or_parent();
+    }
+    else if(
+      auto prophecy_pointer_in_range =
+        expr_try_dynamic_cast<prophecy_pointer_in_range_exprt>(*it))
+    {
+      exprt lowered = simplify_expr(prophecy_pointer_in_range->lower(ns), ns);
+      it.mutate() = lowered;
+      it.next_sibling_or_parent();
+    }
+    else
+      ++it;
+  }
+
   // Now create symbols for all composite expressions present in lowered_expr:
   find_symbols(lowered_expr);
 

src/solvers/smt2_incremental/convert_expr_to_smt.cpp

@@ -1463,6 +1463,24 @@ static smt_termt convert_expr_to_smt(
     count_trailing_zeros.pretty());
 }
 
+static smt_termt convert_expr_to_smt(
+  const prophecy_r_or_w_ok_exprt &prophecy_r_or_w_ok,
+  const sub_expression_mapt &converted)
+{
+  UNIMPLEMENTED_FEATURE(
+    "Generation of SMT formula for r/w/rw ok expression: " +
+    prophecy_r_or_w_ok.pretty());
+}
+
+static smt_termt convert_expr_to_smt(
+  const prophecy_pointer_in_range_exprt &prophecy_pointer_in_range,
+  const sub_expression_mapt &converted)
+{
+  UNIMPLEMENTED_FEATURE(
+    "Generation of SMT formula for pointer-in-range expression: " +
+    prophecy_pointer_in_range.pretty());
+}
+
 static smt_termt dispatch_expr_to_smt_conversion(
   const exprt &expr,
   const sub_expression_mapt &converted,
@@ -1798,6 +1816,18 @@ static smt_termt dispatch_expr_to_smt_conversion(
   {
     return convert_expr_to_smt(*count_trailing_zeros, converted);
   }
+  if(
+    const auto prophecy_r_or_w_ok =
+      expr_try_dynamic_cast<prophecy_r_or_w_ok_exprt>(expr))
+  {
+    return convert_expr_to_smt(*prophecy_r_or_w_ok, converted);
+  }
+  if(
+    const auto prophecy_pointer_in_range =
+      expr_try_dynamic_cast<prophecy_pointer_in_range_exprt>(expr))
+  {
+    return convert_expr_to_smt(*prophecy_pointer_in_range, converted);
+  }
 
   UNIMPLEMENTED_FEATURE(
     "Generation of SMT formula for unknown kind of expression: " +

src/solvers/smt2_incremental/smt2_incremental_decision_procedure.cpp

@@ -7,6 +7,7 @@
 #include <util/namespace.h>
 #include <util/nodiscard.h>
 #include <util/range.h>
+#include <util/simplify_expr.h>
 #include <util/std_expr.h>
 #include <util/string_constant.h>
 #include <util/symbol.h>
@@ -273,6 +274,25 @@ smt2_incremental_decision_proceduret::smt2_incremental_decision_proceduret(
   solver_process->send(is_dynamic_object_function.declaration);
 }
 
+static exprt lower_rw_ok_pointer_in_range(exprt expr, const namespacet &ns)
+{
+  expr.visit_pre([&ns](exprt &expr) {
+    if(
+      auto prophecy_r_or_w_ok =
+        expr_try_dynamic_cast<prophecy_r_or_w_ok_exprt>(expr))
+    {
+      expr = simplify_expr(prophecy_r_or_w_ok->lower(ns), ns);
+    }
+    else if(
+      auto prophecy_pointer_in_range =
+        expr_try_dynamic_cast<prophecy_pointer_in_range_exprt>(expr))
+    {
+      expr = simplify_expr(prophecy_pointer_in_range->lower(ns), ns);
+    }
+  });
+  return expr;
+}
+
 void smt2_incremental_decision_proceduret::ensure_handle_for_expr_defined(
   const exprt &in_expr)
 {
@@ -623,8 +643,9 @@ void smt2_incremental_decision_proceduret::define_object_properties()
 
 exprt smt2_incremental_decision_proceduret::lower(exprt expression) const
 {
-  const exprt lowered = struct_encoding.encode(
-    lower_enum(lower_byte_operators(expression, ns), ns));
+  const exprt lowered = struct_encoding.encode(lower_enum(
+    lower_byte_operators(lower_rw_ok_pointer_in_range(expression, ns), ns),
+    ns));
   log.conditional_output(log.debug(), [&](messaget::mstreamt &debug) {
     if(lowered != expression)
       debug << "lowered to -\n  " << lowered.pretty(2, 0) << messaget::eom;