Add malloc-may-fail option to goto-check

[xbauch]

And append an assert(false) property to every malloc call.

• Each commit message has a non-empty body, explaining why the change was made.
• Methods or procedures I have added are documented, following the guidelines provided in CODING_STANDARD.md.
• The feature or user visible behaviour I have added or modified has been documented in the User Guide in doc/cprover-manual/
• Regression or unit tests are included, or existing tests cover the modified code (in this case I have detailed which ones those are in the commit message).
• My commit message includes data points confirming performance improvements (if claimed).
• My PR is restricted to a single feature or bugfix.
• White-space or formatting changes outside the feature-related changed lines are in commits of their own.

[xbauch]

This may fix #4605.

[allredj]

✔️
Passed Diffblue compatibility checks (cbmc commit: effdd30).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/143378007

[codecov-io]

Codecov Report

Merging #5212 into develop will increase coverage by 0.00%.
The diff coverage is 100.00%.

@@           Coverage Diff            @@
##           develop    #5212   +/-   ##
========================================
  Coverage    68.19%   68.19%           
========================================
  Files         1176     1176           
  Lines        97516    97520    +4     
========================================
+ Hits         66501    66504    +3     
- Misses       31015    31016    +1     

Flag	Coverage Δ
#cproversmt2	42.73% <100.00%> (+<0.01%)	⬆️
#regression	65.37% <100.00%> (+<0.01%)	⬆️
#unit	32.24% <100.00%> (+<0.01%)	⬆️

Impacted Files	Coverage Δ
src/cbmc/cbmc_parse_options.cpp	76.99% <ø> (ø)
src/cbmc/cbmc_parse_options.h	100.00% <ø> (ø)
src/util/config.h	72.72% <ø> (ø)
src/ansi-c/ansi_c_internal_additions.cpp	94.36% <100.00%> (+0.16%)	⬆️
src/util/config.cpp	56.81% <100.00%> (+0.15%)	⬆️
src/util/graph.h	80.26% <0.00%> (-0.44%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 7405bfb...d49cfdd. Read the comment docs.

[martin-cs]

Why not just change the model of what malloc does? That seems to keep all of the functionality in one place?

https://github.com/diffblue/cbmc/blob/develop/src/ansi-c/library/stdlib.c#L113

Maybe it is time to change https://github.com/diffblue/cbmc/blob/develop/src/ansi-c/library/stdlib.c#L115 specifically.

[xbauch]

Why not just change the model of what malloc does?

I think the reasoning here is to avoid "false-positive" alarms with every malloc call by default, and only to be correctly reporting the potential of malloc to fail if requested.

[martin-cs]

I think the reasoning here is to avoid "false-positive" alarms with every `malloc` call by default, and only to be correctly reporting the potential of malloc to fail if requested.

Then have a global as part of the model that allows it to be turned on / off / linked to a symbolic value during analysis. It doesn't have to be, and shouldn't be, hard-coded to one way or the other.

[hannes-steffenhagen-diffblue]

? Why is there an assert that this is false? I thought this would be more like if (__CPROVER_malloc_may_fail && __VERIFIER_nondet___CPROVER_bool()) return NULL;

[xbauch]

Because conditionally returning NULL breaks too many things down the line in CBMC.

[xbauch]

I take it back. Returning NULL seems to work here just fine.

[thk123]

❓ Why does this change? The change should go in a separate commit with a why

[xbauch]

This was undefined behaviour (and the changed in malloc exposed that CBMC does not really support that). It now has separate commit with explanation.

[tautschnig]

I find it rather surprising that the changes in this PR expose the lack of support for this C90-hack. What exactly was going wrong here?

[xbauch]

Why this particular PR exposes the problem is a bit more complicated. But the problem itself can be easily reproduced, e.g. (CMBC reports the assertion as failing):

#include <malloc.h>
#include <assert.h>

struct Foo
{
  int i;
  char data[1];
};

int main()
{
  struct Foo* foo = malloc(sizeof(struct Foo) + sizeof(char));
  foo->data[1]='b'; // set data[1]
  assert(foo->data[1]=='b'); // check data[1] -- should succeed

  return 0;
}

[thk123]

❔ should this option be available in other C based tools, like goto-analyzer, or does that not really make sense?

[xbauch]

Ambivalent.

[thk123]

⛏️ ?

Suggested change

	if(cmdline.isset("malloc-may-fail"))
	ansi_c.malloc_may_fail = cmdline.isset("malloc-may-fail");

[xbauch]

Done.

[thk123]

⛏️ in future, we've found it helpful in test-gen to include a description explaining the purpose of the test below the line. for all tests. It helps when a test fails to understand why does it even exist. E.g

--
^warning: ignoring
--
Test that if --malloc-may-fail is enabled, that assert can return a null pointer

[tautschnig]

The changes to extend support to calloc, realloc need to happen before this can be merged. The modified regression test I'd not insist as much on, but still I'd like to see clarification.

[tautschnig]

1. It may be more consistent to just declare a local, uninitialised variable of type __CPROVER_bool to avoid the side-effect of a function call.
2. The non-determinism also needs to be introduced in calloc.
3. realloc now needs to handle the case of a failing malloc.

[xbauch]

Add 1. No can do: using uninitialised variables doesn't even compile with the current flag set. I can initialise it to nondet_bool.

[xbauch]

2,3 are done.

[tautschnig]

I find it rather surprising that the changes in this PR expose the lack of support for this C90-hack. What exactly was going wrong here?

[tautschnig]

The commit message says "will be squashed" so presumably that should happen ;-)

[xbauch]

Squashed.

[martin-cs]

There seems to be some duplication w.r.t. #5210 which is preferred?

[chrisr-diffblue]

@martin-cs I believe the difference between this PR and #5210 is around the behaviour they are modelling. #5210 is modelling the very specific case of what happens if the user code attempts to alloc a chunk of memory that is larger than CBMC can represent. Where as this PR is modelling the case where "the system" (e.g. OS) cannot satisfy a malloc request because of insufficient memory availability. This is a non-deterministic situation, so this PR models the situation where malloc may non-deterministically fail.

[chrisr-diffblue]

Looks pretty good, but would also be super nice if you could extend the user docs at the same time ;-)

[chrisr-diffblue]

Similar to #5210, should this help message move up into the "Program instrumentation options" section?

[xbauch]

Moved to the instrumentation section + the documentation was also added.

[hannes-steffenhagen-diffblue]

This should have an implementation for realloc as well, also I don’t think we should mix up the cases where malloc fails due to some nondeterministic condition and when it fails because we reach cprover internal limits.

[hannes-steffenhagen-diffblue]

I don’t think it makes a lot of sense to have the assertion here in this form, this will always fail the way it is written.

[martin-cs]

I like this approach a lot more than the previous one.