
CONTRACTS: ignore __CPROVER_dead_object assignments #8554

Merged

Conversation


@remi-delmas-3000 remi-delmas-3000 commented Jan 3, 2025

Fixes model-checking/kani#3796.

This change fixes spurious violations on GOTO models generated from MIR programs by Kani. MIR programs declare all stack-allocated place variables at the top of the function regardless of the original scope of the variable, and use storageLive and storageDead events to delimit their dynamic lifetime. Kani uses a DECL to introduce place variables and uses dynamic assignments to __CPROVER_dead_object to encode storageLive and storageDead. DFCC instrumentation would only pick up storageDead events, not storageLive, resulting in spurious proof failures.

With this change we go back to relying only on DECL/DEAD for object lifetime tracking in DFCC and completely ignoring dynamic assignments to __CPROVER_dead_object. This means that contract instrumentation won't be able to detect bad accesses to objects for which the lifetime is managed via __CPROVER_dead_object anymore, for instance: dynamic stack-allocated objects created using alloca, or MIR place variables (that have their address taken) as encoded by Kani. As a consequence, --pointer-checks have to be enabled when analysing contracts-instrumented code.

  • Each commit message has a non-empty body, explaining why the change was made.
  • Methods or procedures I have added are documented, following the guidelines provided in CODING_STANDARD.md.
  • The feature or user visible behaviour I have added or modified has been documented in the User Guide in doc/cprover-manual/
  • Regression or unit tests are included, or existing tests cover the modified code (in this case I have detailed which ones those are in the commit message).
  • My commit message includes data points confirming performance improvements (if claimed).
  • My PR is restricted to a single feature or bugfix.
  • White-space or formatting changes outside the feature-related changed lines are in commits of their own.

This change fixes spurious violations on GOTO models generated from MIR programs by Kani. MIR programs declare all stack-allocated place variables at the top of the function regardless of the original scope of the variable, and use `storageLive` and `storageDead` events to delimit their dynamic lifetime. Kani uses a DECL to introduce place variables and uses dynamic assignments to `__CPROVER_dead_object` to encode `storageLive` and `storageDead`. DFCC instrumentation would only pick up `storageDead` events, not `storageLive`, resulting in spurious proof failures.

With this change we go back to relying only on DECL/DEAD for object lifetime tracking in DFCC and completely ignoring dynamic assignments to `__CPROVER_dead_object`. This means that contract instrumentation won't be able to detect bad accesses to objects for which the lifetime is managed via `__CPROVER_dead_object`, for instance: dynamic stack-allocated objects created using `alloca`, or MIR place variables as encoded by Kani. As a consequence, `--pointer-checks` have to be enabled when analysing contracts-instrumented code.
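The failure mode described above, as an added toy model (not code from CBMC, DFCC or Kani): a replay of a GOTO-like instruction stream in which a Kani-style loop variable is DECLared once at function entry and then bracketed by storageLive/storageDead-style assignments to `__CPROVER_dead_object` on every iteration. The instruction encoding, trace contents and the `run_trace`/`flagged_accesses` helpers are constructed here for illustration; the pre-fix mode only reacts to the storageDead-style assignment, the post-fix mode ignores `__CPROVER_dead_object` entirely, and the second trace shows the genuine use-after-death that the fixed instrumentation alone no longer sees (hence `--pointer-checks`).

```python
# Constructed model of DFCC object-lifetime tracking; not the project's own code.
DEAD_OBJECT = "__CPROVER_dead_object"   # CBMC global naming the object that just died


def run_trace(trace, ignore_dead_object):
    """Replay a GOTO-like instruction list; return (var, was_live) per ACCESS.

    trace items: ("DECL", v) | ("DEAD", v) | ("ASSIGN_DEAD_OBJECT", v or None)
                 | ("ACCESS", v)
    ignore_dead_object=False models DFCC before the fix: `dead_object = &v`
    (storageDead) kills v, but the storageLive-style assignment that makes
    dead_object point elsewhere was never picked up, so v stays dead.
    ignore_dead_object=True models the fix: only DECL/DEAD change liveness.
    """
    live = set()
    verdicts = []
    for op, var in trace:
        if op == "DECL":
            live.add(var)
        elif op == "DEAD":
            live.discard(var)
        elif op == "ASSIGN_DEAD_OBJECT":
            if not ignore_dead_object and var is not None:
                live.discard(var)   # pre-fix: storageDead observed ...
            # ... but storageLive (var is None here) never revives var
        elif op == "ACCESS":
            verdicts.append((var, var in live))
    return verdicts


def flagged_accesses(trace, ignore_dead_object):
    """Variables whose access the instrumentation would report as a violation."""
    return [v for v, ok in run_trace(trace, ignore_dead_object) if not ok]


# Constructed Kani-style lowering of `for i in 0..2 { let x = i; use(x); }`:
# `x` is DECLared once at entry; storageLive/storageDead bracket each iteration.
LOOP_TRACE = [
    ("DECL", "x"),
    ("ASSIGN_DEAD_OBJECT", None), ("ACCESS", "x"), ("ASSIGN_DEAD_OBJECT", "x"),  # iter 0
    ("ASSIGN_DEAD_OBJECT", None), ("ACCESS", "x"), ("ASSIGN_DEAD_OBJECT", "x"),  # iter 1
    ("DEAD", "x"),
]

# Constructed genuine bug: an object (e.g. alloca memory) accessed after its
# `__CPROVER_dead_object` assignment but before the enclosing DEAD.
USE_AFTER_DEAD_TRACE = [
    ("DECL", "p"), ("ASSIGN_DEAD_OBJECT", "p"), ("ACCESS", "p"), ("DEAD", "p"),
]
```

The pre-fix mode flags the second loop iteration (spurious), while the fixed mode flags nothing in either trace, including the real use-after-death, which is exactly the gap `--pointer-checks` has to cover.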
@remi-delmas-3000 remi-delmas-3000 changed the title Do not instrument assignments to __CPROVER_dead_object anymore. CONTRACTS: Ignore __CPROVER_dead_object assignments Jan 3, 2025
@remi-delmas-3000 remi-delmas-3000 changed the title CONTRACTS: Ignore __CPROVER_dead_object assignments CONTRACTS: ignore __CPROVER_dead_object assignments Jan 3, 2025

codecov bot commented Jan 3, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 78.82%. Comparing base (b3e9976) to head (b6bae90).
Report is 24 commits behind head on develop.

@@             Coverage Diff             @@
##           develop    #8554      +/-   ##
===========================================
- Coverage    78.89%   78.82%   -0.08%     
===========================================
  Files         1730     1730              
  Lines       198858   199101     +243     
  Branches     18345    18317      -28     
===========================================
+ Hits        156895   156939      +44     
- Misses       41963    42162     +199     


@tautschnig tautschnig merged commit 1e99418 into diffblue:develop Jan 3, 2025
37 of 40 checks passed
Successfully merging this pull request may close these issues.

proof_for_contract rejects code accepted by proof