Skip phi assignment if one of the merged states has an uninitialised object [blocks: #35, #2574, #3486] #2220
Conversation
Not entirely: the implementation in #2168 did not yet consider the case that neither branch had SSA level2 at zero, which would occur with uninitialized globals, hence the argc/argv/envp fix in this PR before doing the "cleanup" part. |
|
Aha, in that case can we have a test to exhibit the change here? |
tautschnig
changed the title
|
Cool, in that case lgtm |
tautschnig
force-pushed
the
phi-cleanup
branch
3 times, most recently
from
c82bfd7 to
ec8c07c
Compare
|
@tautschnig is there a reason you dropped this? Looks good to go AFAICT. There were a couple of spurious Travis failures that I just restarted. |
tautschnig
force-pushed
the
phi-cleanup
branch
from
ea7c5c1 to
3f7757e
Compare
tautschnig
changed the title
There was a problem hiding this comment.
✔️
Passed Diffblue compatibility checks (cbmc commit: 2311826).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/90528381
tautschnig
force-pushed
the
phi-cleanup
branch
4 times, most recently
from
7359f23 to
c7f9d6e
Compare
There was a problem hiding this comment.
✔️
Passed Diffblue compatibility checks (cbmc commit: c7f9d6e).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/90998307
tautschnig
force-pushed
the
phi-cleanup
branch
from
c7f9d6e to
124c7ff
Compare
tautschnig
changed the title
tautschnig
force-pushed
the
phi-cleanup
branch
from
124c7ff to
8f1745d
Compare
There was a problem hiding this comment.
✔️
Passed Diffblue compatibility checks (cbmc commit: 8f1745d).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/93272998
tautschnig
force-pushed
the
phi-cleanup
branch
from
8f1745d to
04d5957
Compare
There was a problem hiding this comment.
✔️
Passed Diffblue compatibility checks (cbmc commit: 04d5957).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/93794605
tautschnig
force-pushed
the
phi-cleanup
branch
from
04d5957 to
72f3bea
Compare
|
This now fixes even more bugs with fewer changes. |
src/goto-symex/symex_goto.cpp
Outdated
| { | ||
| rhs = dest_state_rhs; | ||
| if(goto_count == 0) |
There was a problem hiding this comment.
Note the dest_count == 0 && goto_count == 0 case is forbidden above, so this implies `dest_state.guard.is_false() && dest_count != 0) -- not sure if this can be distangled to make that clearer, or perhaps clarify with a comment
There was a problem hiding this comment.
If dest_state.guard.is_false() then really we don't care about dest_count, because it sits on a dead branch. Any idea what you'd like the comment to say?
There was a problem hiding this comment.
How about just pulling out
if(
(dest_state.guard.is_false() && goto_count == 0) ||
(goto_state.guard.is_false() && dest_count == 0))
{
return;
}
It does mean testing is_false() multiple times, but it makes it clearer which cases are possible. Comment-wise, I guess we should add something like // If the symbol is not initialised on one path and the other path is unreachable we don't need to generate anything
There was a problem hiding this comment.
Mind taking another look at the latest version of this PR? Your comments helped make clear which change fixes which bug!
There was a problem hiding this comment.
✔️
Passed Diffblue compatibility checks (cbmc commit: 72f3bea).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/95266652
tautschnig
force-pushed
the
phi-cleanup
branch
from
72f3bea to
6184ab0
Compare
In 646cf29, initialisation of dynamic objects was added, but extern symbols were not considered. Includes a test that fails without this fix.
…object With level-2 counters incremented on declaration and non-deterministic initialisation upon allocation, the only remaining sources are pointer dereferencing, where uninitialised objects necessarily refer to invalid objects. This is a cleaner implementation of 369f077. Removing only the code introduced in 369f077 would yield a wrong result for regression/cbmc/Local_out_of_scope3. Fixes: diffblue#1630
tautschnig
force-pushed
the
phi-cleanup
branch
from
6184ab0 to
eaa7d93
Compare
Well, one of them did... - which was a bug... |
There was a problem hiding this comment.
✔️
Passed Diffblue compatibility checks (cbmc commit: eaa7d93).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/95298901
With level-2 counters incremented on declaration and non-deterministic
initialisation upon allocation, the only remaining sources are pointer
dereferencing, where uninitialised objects necessarily refer to invalid objects.
This is a cleaner implementation of 369f077.
This is another bit factored out from #35.