-
Notifications
You must be signed in to change notification settings - Fork 62
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bitfield-related proof works with llvm_alloc
, but not llvm_alloc_readonly
#1691
Comments
Here is what I believe is happening here:
I'm not quite sure what to do about this. We need to write symbolic bytes to structs with bitfields to ensure that fields in a bitfield can successfully be loaded. On the other hand, writing symbolic bytes prevents other subsequent writes from happening. Is there a way to resolve this tension? |
One possible solution to this problem (which may be half-baked):
|
Previously, `stable-symbolic` would only initialize mutable memory with symbolic bytes when calling `malloc`. `malloc` can also be used to initialize immutable memory, however, so we must also account for this possibility when `stable-symbolic` is enabled. To this end, we create a new `doConstStoreStableSymbolic` function that is like `doStoreStableSymbolic`, but does not check if the memory being written to is mutable. (This is very much in the spirit of the existing `doArrayStore`/`doArrayConstStore`, `storeRaw`/`storeConstRaw`, and `mallocRaw`/`mallocConstRaw` split.) We then pick between `doStoreStableSymbolic` and `doConstStoreStableSymbolic` in the override for `malloc` depending on whether the memory is mutable or immutable, respectively. See GaloisInc/saw-script#1691 for the motivation behind this bugfix.
Actually, the idea in #1691 (comment) isn't baked at all, as it wouldn't even work on the simple test case in #1691 (comment). This is because each
In short, the idea in #1691 (comment) is completely unworkable. Thankfully, it turns out that there is a less hacky way to solve this. My analysis in #1691 (comment) was incorrect in the sense that |
Previously, `stable-symbolic` would only initialize mutable memory with symbolic bytes when calling `malloc`. `malloc` can also be used to initialize immutable memory, however, so we must also account for this possibility when `stable-symbolic` is enabled. To this end, we create a new `doConstStoreStableSymbolic` function that is like `doStoreStableSymbolic`, but does not check if the memory being written to is mutable. (This is very much in the spirit of the existing `doArrayStore`/`doArrayConstStore`, `storeRaw`/`storeConstRaw`, and `mallocRaw`/`mallocConstRaw` split.) We now use `doConstStoreStableSymbolic` in the override for `malloc` to ensure that we do not generate a failing assertion when allocating immutable memory. (We also use it in `doAlloca` since this assertion doesn't buy us much when the memory being allocated is always known to be mutable.) See GaloisInc/saw-script#1691 for the motivation behind this bugfix.
Previously, `stable-symbolic` would only initialize mutable memory with symbolic bytes when calling `malloc`. `malloc` can also be used to initialize immutable memory, however, so we must also account for this possibility when `stable-symbolic` is enabled. To this end, we create a new `doConstStoreStableSymbolic` function that is like `doStoreStableSymbolic`, but does not check if the memory being written to is mutable. (This is very much in the spirit of the existing `doArrayStore`/`doArrayConstStore`, `storeRaw`/`storeConstRaw`, and `mallocRaw`/`mallocConstRaw` split.) We now use `doConstStoreStableSymbolic` in the override for `malloc` to ensure that we do not generate a failing assertion when allocating immutable memory. (We also use it in `doAlloca` since this assertion doesn't buy us much when the memory being allocated is always known to be mutable.) See GaloisInc/saw-script#1691 for the motivation behind this bugfix.
GaloisInc/crucible#1004 has been merged upstream, so all that remains is to bump the |
Now that the `crucible-llvm` memory model has a fix for GaloisInc/crucible#1004, bumping the `crucible` submodule to bring in that change fixes #1691 as a consequence. I have also added a regression test.
Fix #1691 by bringing in GaloisInc/crucible#1004
This SAW proof works with a sufficiently recent nightly build of SAW, as expected:
If I change the use of
llvm_alloc
tollvm_alloc_readonly
inf_spec
, however, then the proof fails:I don't see any reason why this should fail, so this smells like a SAW bug. I will investigate.
The text was updated successfully, but these errors were encountered: