Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Don't use the broken overflow builtins for pointers #791

Closed
wants to merge 3 commits into from
Closed

Don't use the broken overflow builtins for pointers #791

wants to merge 3 commits into from

Conversation

danielsn
Copy link
Contributor

@danielsn danielsn commented Feb 1, 2022
edited
Loading

Description of changes:

Currently, we emit __builtin_overflow_p operations for pointer arithmetic. This is basically broken, since CBMC converts to integers and does integer arithmetic under the hood, which is not what we want.

Resolved issues:

Initial step towards addressing #786

Call-outs:

  1. This relies on --pointer-overflow-check being used on CBMC for soundness. We currently do so, but it would be better to have a __pointer_overflow builtin we could use when we need this behaviour. The overflow intrinsics have surprising behaviour on pointer arithmatic diffblue/cbmc#6627

  2. Also fixed some confusing missing brackets in the typechecking code for binops.

Testing:

  • How is this change tested? Existing regression tests.

  • Is this a refactor change? No

Checklist

  • Each commit message has a non-empty body, explaining why the change was made
  • Methods or procedures are documented
  • Regression or unit tests are included, or existing tests cover the modified code
  • My PR is restricted to a single feature or bugfix

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 and MIT licenses.

@danielsn danielsn requested a review from a team as a code owner February 1, 2022 22:51
adpaco-aws
adpaco-aws reviewed Feb 1, 2022
View reviewed changes
src/kani-compiler/cbmc/src/goto_program/expr.rs Outdated Show resolved Hide resolved
src/kani-compiler/cbmc/src/goto_program/expr.rs Outdated Show resolved Hide resolved
src/kani-compiler/cbmc/src/goto_program/expr.rs
@@ -851,13 +852,10 @@ impl Expr {
// Floating Point Equalities
IeeeFloatEqual | IeeeFloatNotequal => lhs.typ == rhs.typ && lhs.typ.is_floating_point(),
// Overflow flags
OverflowMinus => {
(lhs.typ == rhs.typ && (lhs.typ.is_pointer() || lhs.typ.is_numeric()))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good to restrict this case to integers because I do not think we were handling floating point numbers anyway.

@celinval
Copy link
Contributor

celinval commented Feb 2, 2022

I don't have a lot of context here, but I thought that was the goal of these checks. They were complementary to CBMC pointer checks. These were just making sure the arithmetic operations would not overflow.

One could argue that they are redundant but I don't know if broken is how I would describe them.

@celinval
Copy link
Contributor

celinval commented Feb 2, 2022

Can you please add a test that would trigger the overflow to ensure the verification will still fail due to other checks?

@danielsn
Copy link
Contributor Author

danielsn commented Feb 3, 2022

Can you please add a test that would trigger the overflow to ensure the verification will still fail due to other checks?

Done

@danielsn
Copy link
Contributor Author

danielsn commented Feb 3, 2022

I don't have a lot of context here, but I thought that was the goal of these checks. They were complementary to CBMC pointer checks. These were just making sure the arithmetic operations would not overflow.

One could argue that they are redundant but I don't know if broken is how I would describe them.

The issue is that the semantics of the arithmetic operation being done, and the semantics of the check, don't line up. The arithmetic operation is doing pointer arithmetic, while the overflow check is doing integer arithmetic. So its possible for the actual addition to overflow, but the overflow check to report no overflow.

@celinval
Copy link
Contributor

celinval commented Feb 3, 2022

I don't have a lot of context here, but I thought that was the goal of these checks. They were complementary to CBMC pointer checks. These were just making sure the arithmetic operations would not overflow.
One could argue that they are redundant but I don't know if broken is how I would describe them.

The issue is that the semantics of the arithmetic operation being done, and the semantics of the check, don't line up. The arithmetic operation is doing pointer arithmetic, while the overflow check is doing integer arithmetic. So its possible for the actual addition to overflow, but the overflow check to report no overflow.

Can we account for the type size?

@celinval
Copy link
Contributor

celinval commented Feb 9, 2022

I believe this change is currently blocked waiting for a CBMC fix to be released. @danielsn Please let us know once this is ready for review again. Cheers!

@zhassan-aws zhassan-aws mentioned this pull request Apr 12, 2022
Merged
4 tasks
@danielsn danielsn closed this Apr 26, 2022
@github-actions github-actions bot mentioned this pull request Oct 24, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@adpaco-aws adpaco-aws adpaco-aws left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@danielsn @celinval @adpaco-aws