Merge pull request #5870 from tautschnig/loop-counter

tautschnig · web-flow · commit e317683de20f · 2021-02-26T17:55:58.000+01:00
Loop counter resetting must not result in unlimited unwinding
diff --git a/regression/cbmc/unwind_counters4/main.c b/regression/cbmc/unwind_counters4/main.c
@@ -0,0 +1,24 @@
+int main()
+{
+  int x;
+  int y;
+
+  do
+  {
+    y = 10;
+    goto label;
+    x = 1; // dead code, makes sure the above goto is not removed
+  label:
+    _Bool nondet;
+    if(nondet)
+      __CPROVER_assert(y != 10, "violated via first loop");
+    else
+      __CPROVER_assert(y != 20, "violated via second loop");
+
+    if(x % 2)
+      break; // this statement must not cause the loop counter to be reset
+  } while(1);
+
+  y = 20;
+  goto label;
+}
diff --git a/regression/cbmc/unwind_counters4/test.desc b/regression/cbmc/unwind_counters4/test.desc
@@ -0,0 +1,11 @@
+CORE
+main.c
+--unwind 2
+^EXIT=10$
+^SIGNAL=0$
+^VERIFICATION FAILED$
+^\** 2 of 2 failed
+--
+--
+Loop unwinding must terminate despite the existence of multiple loop entry
+points.
diff --git a/src/goto-symex/symex_main.cpp b/src/goto-symex/symex_main.cpp
@@ -97,7 +97,7 @@ void symex_transition(
     for(const auto &i_e : instruction.incoming_edges)
     {
       if(
-        i_e->is_goto() && i_e->is_backwards_goto() &&
+        i_e->is_backwards_goto() && i_e->get_target() == to &&
         (!is_backwards_goto ||
          state.source.pc->location_number > i_e->location_number))
       {

Original file line number	Diff line number	Diff line change
`@@ -97,7 +97,7 @@ void symex_transition(`
`97`	`97`	`for(const auto &i_e : instruction.incoming_edges)`
`98`	`98`	`{`
`99`	`99`	`if(`
`100`		`- i_e->is_goto() && i_e->is_backwards_goto() &&`
	`100`	`+ i_e->is_backwards_goto() && i_e->get_target() == to &&`
`101`	`101`	`(!is_backwards_goto \|\|`
`102`	`102`	`state.source.pc->location_number > i_e->location_number))`
`103`	`103`	`{`