Add malloc-may-fail option to cbmc

petr-bauch · petr-bauch · commit 827949708cfa · 2020-02-27T13:03:39.000Z
and hard-code appropriate check inside our `stdlib.c`. Plus some documentation
and test.
diff --git a/doc/cprover-manual/properties.md b/doc/cprover-manual/properties.md
@@ -326,6 +326,7 @@ with `__`.
 |------------------------|-------------------------------------------------|
 | `--malloc-fail-null`   |  in case malloc fails return NULL               |
 | `--malloc-fail-assert` |  in case malloc fails report as failed property |
+| `--malloc-may-fail`    |  malloc may non-deterministically fail          |
 
 Calling `malloc` may fail for a number of reasons and the function may return a
 NULL pointer. The users can choose if and how they want the `malloc`-related
@@ -335,3 +336,7 @@ additional properties inside `malloc` that are checked and if failing the
 verification is terminated (by `assume(false)`). One such property is that the
 allocated size is not too large, i.e. internally representable. When neither of
 those two options are used, CBMC will assume that `malloc` does not fail.
+
+Malloc may also fail for external reasons which are not modelled by CProver. If
+you want to replicate this behaviour use the option `--malloc-may-fail` in
+conjunction with one of the above modes of failure.
diff --git a/regression/cbmc/malloc-may-fail/main.c b/regression/cbmc/malloc-may-fail/main.c
@@ -0,0 +1,7 @@
+#include <stdlib.h>
+
+int main()
+{
+  char *p = malloc(100);
+  assert(p); // should fail, given the malloc-may-fail option
+}
diff --git a/regression/cbmc/malloc-may-fail/test.desc b/regression/cbmc/malloc-may-fail/test.desc
@@ -0,0 +1,9 @@
+CORE
+main.c
+--malloc-may-fail --malloc-fail-null
+^EXIT=10$
+^SIGNAL=0$
+^\[main.assertion.\d+\] line \d+ assertion p: FAILURE$
+^VERIFICATION FAILED$
+--
+^warning: ignoring
diff --git a/regression/cbmc/malloc-may-fail/test_without_option.desc b/regression/cbmc/malloc-may-fail/test_without_option.desc
@@ -0,0 +1,9 @@
+CORE
+main.c
+
+^EXIT=0$
+^SIGNAL=0$
+^\[main.assertion.\d+\] line \d+ assertion p: SUCCESS$
+^VERIFICATION SUCCESSFUL$
+--
+^warning: ignoring
diff --git a/src/ansi-c/ansi_c_internal_additions.cpp b/src/ansi-c/ansi_c_internal_additions.cpp
@@ -155,6 +155,7 @@ void ansi_c_internal_additions(std::string &code)
     "void *" CPROVER_PREFIX "allocate("
       CPROVER_PREFIX "size_t size, " CPROVER_PREFIX "bool zero);\n"
     "const void *" CPROVER_PREFIX "alloca_object = 0;\n"
+
     "int " CPROVER_PREFIX "malloc_failure_mode="+
       std::to_string(config.ansi_c.malloc_failure_mode)+";\n"
     "int " CPROVER_PREFIX "malloc_failure_mode_return_null="+
@@ -164,6 +165,8 @@ void ansi_c_internal_additions(std::string &code)
     CPROVER_PREFIX "size_t " CPROVER_PREFIX "max_malloc_size="+
     std::to_string(1 << (config.ansi_c.pointer_width -
                          config.bv_encoding.object_bits - 1))+";\n"
+    CPROVER_PREFIX "bool " CPROVER_PREFIX "malloc_may_fail = " +
+    std::to_string(config.ansi_c.malloc_may_fail) + ";\n"
 
     // this is ANSI-C
     "extern " CPROVER_PREFIX "thread_local const char __func__["
diff --git a/src/ansi-c/library/cprover.h b/src/ansi-c/library/cprover.h
@@ -16,8 +16,10 @@ extern const void *__CPROVER_malloc_object;
 extern __CPROVER_size_t __CPROVER_malloc_size;
 extern _Bool __CPROVER_malloc_is_new_array;
 extern const void *__CPROVER_memory_leak;
+
 extern int __CPROVER_malloc_failure_mode;
 extern __CPROVER_size_t __CPROVER_max_malloc_size;
+extern _Bool __CPROVER_malloc_may_fail;
 
 // malloc failure modes
 extern int __CPROVER_malloc_failure_mode_return_null;
diff --git a/src/ansi-c/library/stdlib.c b/src/ansi-c/library/stdlib.c
@@ -112,50 +112,55 @@ __CPROVER_bool __VERIFIER_nondet___CPROVER_bool();
 
 inline void *malloc(__CPROVER_size_t malloc_size)
 {
-  // realistically, malloc may return NULL,
-  // and __CPROVER_allocate doesn't, but no one cares
-  __CPROVER_HIDE:;
+// realistically, malloc may return NULL,
+// but we only do so if `--malloc-may-fail` is set
+__CPROVER_HIDE:;
 
+  if(__CPROVER_malloc_failure_mode == __CPROVER_malloc_failure_mode_return_null)
+  {
+    __CPROVER_bool should_malloc_fail = __VERIFIER_nondet___CPROVER_bool();
     if(
-      __CPROVER_malloc_failure_mode ==
-      __CPROVER_malloc_failure_mode_return_null)
-    {
-      if(malloc_size > __CPROVER_max_malloc_size)
-      {
-        return (void *)0;
-      }
-    }
-    else if(
-      __CPROVER_malloc_failure_mode ==
-      __CPROVER_malloc_failure_mode_assert_then_assume)
+      malloc_size > __CPROVER_max_malloc_size ||
+      (__CPROVER_malloc_may_fail && should_malloc_fail))
     {
-      __CPROVER_assert(
-        malloc_size <= __CPROVER_max_malloc_size,
-        "max allocation size exceeded");
-      __CPROVER_assume(malloc_size <= __CPROVER_max_malloc_size);
+      return (void *)0;
     }
+  }
+  else if(
+    __CPROVER_malloc_failure_mode ==
+    __CPROVER_malloc_failure_mode_assert_then_assume)
+  {
+    __CPROVER_assert(
+      malloc_size <= __CPROVER_max_malloc_size, "max allocation size exceeded");
+    __CPROVER_assume(malloc_size <= __CPROVER_max_malloc_size);
+
+    __CPROVER_bool should_malloc_fail = __VERIFIER_nondet___CPROVER_bool();
+    __CPROVER_assert(
+      !__CPROVER_malloc_may_fail || !should_malloc_fail,
+      "max allocation may fail");
+    __CPROVER_assume(!__CPROVER_malloc_may_fail || !should_malloc_fail);
+  }
 
-    void *malloc_res;
-    malloc_res = __CPROVER_allocate(malloc_size, 0);
+  void *malloc_res;
+  malloc_res = __CPROVER_allocate(malloc_size, 0);
 
-    // make sure it's not recorded as deallocated
-    __CPROVER_deallocated =
-      (malloc_res == __CPROVER_deallocated) ? 0 : __CPROVER_deallocated;
+  // make sure it's not recorded as deallocated
+  __CPROVER_deallocated =
+    (malloc_res == __CPROVER_deallocated) ? 0 : __CPROVER_deallocated;
 
-    // record the object size for non-determistic bounds checking
-    __CPROVER_bool record_malloc = __VERIFIER_nondet___CPROVER_bool();
-    __CPROVER_malloc_object =
-      record_malloc ? malloc_res : __CPROVER_malloc_object;
-    __CPROVER_malloc_size = record_malloc ? malloc_size : __CPROVER_malloc_size;
-    __CPROVER_malloc_is_new_array =
-      record_malloc ? 0 : __CPROVER_malloc_is_new_array;
+  // record the object size for non-determistic bounds checking
+  __CPROVER_bool record_malloc = __VERIFIER_nondet___CPROVER_bool();
+  __CPROVER_malloc_object =
+    record_malloc ? malloc_res : __CPROVER_malloc_object;
+  __CPROVER_malloc_size = record_malloc ? malloc_size : __CPROVER_malloc_size;
+  __CPROVER_malloc_is_new_array =
+    record_malloc ? 0 : __CPROVER_malloc_is_new_array;
 
-    // detect memory leaks
-    __CPROVER_bool record_may_leak = __VERIFIER_nondet___CPROVER_bool();
-    __CPROVER_memory_leak =
-      record_may_leak ? malloc_res : __CPROVER_memory_leak;
+  // detect memory leaks
+  __CPROVER_bool record_may_leak = __VERIFIER_nondet___CPROVER_bool();
+  __CPROVER_memory_leak = record_may_leak ? malloc_res : __CPROVER_memory_leak;
 
-    return malloc_res;
+  return malloc_res;
 }
 
 /* FUNCTION: __builtin_alloca */
@@ -446,7 +451,8 @@ inline void *realloc(void *ptr, __CPROVER_size_t malloc_size)
   // this shouldn't move if the new size isn't bigger
   void *res;
   res=malloc(malloc_size);
-  __CPROVER_array_copy(res, ptr);
+  if(res != (void *)0)
+    __CPROVER_array_copy(res, ptr);
   free(ptr);
 
   return res;
diff --git a/src/cbmc/cbmc_parse_options.cpp b/src/cbmc/cbmc_parse_options.cpp
@@ -1084,6 +1084,8 @@ void cbmc_parse_optionst::help()
     "\n"
     "Backend options:\n"
     " --object-bits n              number of bits used for object addresses\n"
+    // NOLINTNEXTLINE(whitespace/line_length)
+    " --malloc-may-fail            allow malloc calls to return a null pointer\n"
     " --dimacs                     generate CNF in DIMACS format\n"
     " --beautify                   beautify the counterexample (greedy heuristic)\n" // NOLINT(*)
     " --localize-faults            localize faults (experimental)\n"
diff --git a/src/cbmc/cbmc_parse_options.h b/src/cbmc/cbmc_parse_options.h
@@ -48,6 +48,7 @@ class optionst;
   "(document-subgoals)(outfile):(test-preprocessor)" \
   "D:I:(c89)(c99)(c11)(cpp98)(cpp03)(cpp11)" \
   "(object-bits):" \
+  "(malloc-may-fail)" \
   OPT_GOTO_CHECK \
   "(no-assertions)(no-assumptions)" \
   "(malloc-fail-assert)(malloc-fail-null)" \
diff --git a/src/util/config.cpp b/src/util/config.cpp
@@ -1103,6 +1103,8 @@ bool configt::set(const cmdlinet &cmdline)
   if(cmdline.isset("malloc-fail-assert"))
     ansi_c.malloc_failure_mode = ansi_c.malloc_failure_mode_assert_then_assume;
 
+  ansi_c.malloc_may_fail = cmdline.isset("malloc-may-fail");
+
   return false;
 }
 
diff --git a/src/util/config.h b/src/util/config.h
@@ -129,6 +129,7 @@ class configt
     libt lib;
 
     bool string_abstraction;
+    bool malloc_may_fail = false;
 
     enum malloc_failure_modet
     {

Original file line number	Diff line number	Diff line change
`@@ -1103,6 +1103,8 @@ bool configt::set(const cmdlinet &cmdline)`
`1103`	`1103`	`if(cmdline.isset("malloc-fail-assert"))`
`1104`	`1104`	`ansi_c.malloc_failure_mode = ansi_c.malloc_failure_mode_assert_then_assume;`
`1105`	`1105`
	`1106`	`+ ansi_c.malloc_may_fail = cmdline.isset("malloc-may-fail");`
	`1107`	`+`
`1106`	`1108`	`return false;`
`1107`	`1109`	`}`
`1108`	`1110`
Original file line number	Diff line number	Diff line change
`@@ -129,6 +129,7 @@ class configt`
`129`	`129`	`libt lib;`
`130`	`130`
`131`	`131`	`bool string_abstraction;`
	`132`	`+ bool malloc_may_fail = false;`
`132`	`133`
`133`	`134`	`enum malloc_failure_modet`
`134`	`135`	`{`