Skip to content

Havoc non det functions #1585

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 1 commit into from
Closed

Havoc non det functions #1585

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 9 additions & 0 deletions regression/cbmc/havoc_undefined_functions/main.c
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
void function(int *a);

int main()
{
int a=0;
function(&a);
__CPROVER_assert(a==0,"");
return 0;
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: missing empty line

6 changes: 6 additions & 0 deletions regression/cbmc/havoc_undefined_functions/test.desc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
CORE
main.c
--havoc-undefined-functions
^EXIT=10$
^SIGNAL=0$
^VERIFICATION FAILED$
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: missing empty line

6 changes: 6 additions & 0 deletions src/cbmc/cbmc_parse_options.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -165,6 +165,9 @@ void cbmc_parse_optionst::get_command_line_options(optionst &options)
cmdline.get_value("localize-faults-method"));
}

if(cmdline.isset("havoc-undefined-functions"))
options.set_option("havoc-undefined-functions", true);

if(cmdline.isset("unwind"))
options.set_option("unwind", cmdline.get_value("unwind"));

Expand Down Expand Up @@ -995,6 +998,9 @@ void cbmc_parse_optionst::help()
" --partial-loops permit paths with partial loops\n"
" --no-pretty-names do not simplify identifiers\n"
" --graphml-witness filename write the witness in GraphML format to filename\n" // NOLINT(*)
" --havoc-undefined-functions\n"
" for any function that has no body, assign non-deterministic values to\n" // NOLINT(*)
" any parameters passed as non-const pointers and the return value\n" // NOLINT(*)
"\n"
"Backend options:\n"
" --object-bits n number of bits used for object addresses\n"
Expand Down
1 change: 1 addition & 0 deletions src/cbmc/cbmc_parse_options.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -52,6 +52,7 @@ class optionst;
"(show-symbol-table)(show-parse-tree)(show-vcc)" \
"(show-claims)(claim):(show-properties)" \
"(drop-unused-functions)" \
"(havoc-undefined-functions)" \
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems like a super useful option in other binaries (such as goto-cc/goto-analzyer/goto-instrument), if you have time it'd be great to add it to them as well

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is done during symexing rather than by changing the goto-functions, so I can't very easily move this into goto-instrument, but it can be used for any binary that cbmc can analyse.

I don't really know what you would expect to be inserted into binaries, if it was to be part of goto-instrument, goto-analyze or goto-cc? It could replace the function body with __CPROVER_havoc(whatever the return values and pointer arguments are), but that is only meaningful if you are going to analyze the binary with cbmc afterwards.

"(property):(stop-on-fail)(trace)" \
"(error-label):(verbosity):(no-library)" \
"(nondet-static)" \
Expand Down
10 changes: 8 additions & 2 deletions src/cbmc/symex_bmc.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -194,7 +194,13 @@ void symex_bmct::no_body(const irep_idt &identifier)
{
if(body_warnings.insert(identifier).second)
{
warning() <<
"**** WARNING: no body for function " << identifier << eom;
warning() << "**** WARNING: no body for function " << identifier;

if(options.get_bool_option("havoc-undefined-functions"))
{
warning()
<< "; assigning non-deterministic values to any pointer arguments";
}
warning() << eom;
}
}
18 changes: 18 additions & 0 deletions src/goto-symex/symex_function_call.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,8 @@ Author: Daniel Kroening, [email protected]

#include <util/c_types.h>

#include <pointer-analysis/dereference.h>

#include <analyses/dirty.h>

bool goto_symext::get_unwind_recursion(
Expand Down Expand Up @@ -276,6 +278,22 @@ void goto_symext::symex_function_call_code(
symex_assign_rec(state, code);
}

if(options.get_bool_option("havoc-undefined-functions"))
{
// assign non det to function arguments if pointers
// are not const
for(const auto &arg : call.arguments())
{
if(arg.type().id() == ID_pointer &&
!arg.type().subtype().get_bool(ID_C_constant))
{
exprt object = dereference_exprt(arg, arg.type().subtype());
clean_expr(object, state, true);
havoc_rec(state, guardt(), object);
}
}
}

symex_transition(state);
return;
}
Expand Down