Don't treat struct padding as invalid memory with stable-symbolic

When `laxLoadsAndStores` + `stable-symbolic` are enabled, all allocations are
backed by fresh SMT arrays. When writing a struct to one of these arrays, we
traverse through the array byte-by-byte, loading each byte in the struct and
updating the array's value accordingly.

Things went awry in the case where the struct has padding, however, as the code
in `crucible-llvm` assumed that loading struct padding should always be an
error. Not only is this possible with `stable-symbolic`, it has a sensible
interpretation: whenever loading a byte of struct padding, just skip updating
the array value corresponding to that byte.

See GaloisInc/saw-script#1684 for the motivation behind this bugfix. I haven't
found a way to trigger the same bug with `crux-llvm`, but I can trigger it
programatically using the `crucible-llvm` API. I've added a test case to the
`crucible-llvm` test suite to ensure that the bug remains fixed.

Author: RyanGlScott

crucible-llvm/crucible-llvm.cabal

@@ -135,6 +135,7 @@ test-suite crucible-llvm-tests
     crucible-llvm,
     directory,
     filepath,
+    lens,
     llvm-pretty,
     llvm-pretty-bc-parser,
     mtl,

crucible-llvm/src/Lang/Crucible/LLVM/MemModel/Common.hs

@@ -446,7 +446,8 @@ data ValueLoad v
   | LastStore ValueView
     -- ^ Load consists of valid bytes within the stored value.
   | InvalidMemory StorageType
-    -- ^ Load touches invalid memory (e.g. trying to read struct padding bytes as a bitvector).
+    -- ^ Load touches invalid memory. Currently, this can only arise when
+    -- trying to read struct padding bytes as a bitvector.
   deriving (Functor,Show)
 
 loadBitvector :: Addr -> Bytes -> Addr -> ValueView -> ValueCtor (ValueLoad Addr)

crucible-llvm/src/Lang/Crucible/LLVM/MemModel/Generic.hs

@@ -1259,52 +1259,76 @@ writeMemWithAllocationCheck is_allocated sym w gsym ptr tp alignment val mem = d
                            , case val of
                                LLVMValInt block _ -> (asNat block) == (Just 0)
                                _ -> True -> do
-      let subFn :: ValueLoad Addr -> IO (PartLLVMVal sym)
+      let -- Return @Just value@ if we have successfully loaded a value and
+          -- should update the corresponding index in the array with that
+          -- value. Return @Nothing@ otherwise.
+          subFn :: ValueLoad Addr -> IO (Maybe (PartLLVMVal sym))
           subFn = \case
-            LastStore val_view -> applyView
+            LastStore val_view -> fmap Just $ applyView
               sym
               (memEndianForm mem)
               mop
               (Partial.totalLLVMVal sym val)
               val_view
-            InvalidMemory tp'-> Partial.partErr sym mop $ Invalid tp'
+            InvalidMemory tp'
+              |  -- With stable-symbolic, loading struct padding is
+                 -- permissible. This is the only case that can return
+                 -- Nothing.
+                 laxLoadsAndStores ?memOpts
+              ,  indeterminateLoadBehavior ?memOpts == StableSymbolic
+              -> pure Nothing
+
+              |  otherwise
+              -> fmap Just $ Partial.partErr sym mop $ Invalid tp'
             OldMemory off _ -> panic "Generic.writeMemWithAllocationCheck"
               [ "Unexpected offset in storage type"
               , "*** Offset:  " ++ show off
               , "*** StorageType:  " ++ show tp
               ]
 
+          -- Given a symbolic array and an index into the array, load a byte
+          -- from the corresponding position in memory and store the byte into
+          -- the array at that index.
           storeArrayByteFn ::
             SymArray sym (SingleCtx (BaseBVType w)) (BaseBVType 8) ->
             Offset ->
             IO (SymArray sym (SingleCtx (BaseBVType w)) (BaseBVType 8))
           storeArrayByteFn acc_arr off = do
-            partial_byte <- genValueCtor sym (memEndianForm mem) mop
-              =<< traverse subFn (loadBitvector off 1 0 (ValueViewVar tp))
-
-            case partial_byte of
-              Partial.NoErr _ (LLVMValInt _ byte)
-                | Just Refl <- testEquality (knownNat @8) (bvWidth byte) -> do
-                  idx <- bvAdd sym (llvmPointerOffset ptr)
-                    =<< bvLit sym w (bytesToBV w off)
-                  arrayUpdate sym acc_arr (Ctx.singleton idx) byte
-
-              Partial.NoErr _ (LLVMValZero _) -> do
-                  byte <- bvLit sym knownRepr (BV.zero knownRepr)
-                  idx <- bvAdd sym (llvmPointerOffset ptr)
-                    =<< bvLit sym w (bytesToBV w off)
-                  arrayUpdate sym acc_arr (Ctx.singleton idx) byte
-
-              Partial.NoErr _ v ->
-                  panic "wrietMemWithAllocationCheck"
-                         [ "Expected byte value when updating SMT array, but got:"
-                         , show v
-                         ]
-              Partial.Err _ ->
-                  panic "wrietMemWithAllocationCheck"
-                         [ "Expected succesful byte load when updating SMT array"
-                         , "but got an error instead"
-                         ]
+            vc <- traverse subFn (loadBitvector off 1 0 (ValueViewVar tp))
+            mb_partial_byte <- traverse (genValueCtor sym (memEndianForm mem) mop)
+                                        (sequenceA vc)
+
+            case mb_partial_byte of
+              Nothing ->
+                -- If we cannot load the byte from memory, skip updating the
+                -- array. Currently, the only way that this can arise is when
+                -- a byte of struct padding is loaded with StableSymbolic
+                -- enabled.
+                pure acc_arr
+              Just partial_byte ->
+                case partial_byte of
+                  Partial.NoErr _ (LLVMValInt _ byte)
+                    | Just Refl <- testEquality (knownNat @8) (bvWidth byte) -> do
+                      idx <- bvAdd sym (llvmPointerOffset ptr)
+                        =<< bvLit sym w (bytesToBV w off)
+                      arrayUpdate sym acc_arr (Ctx.singleton idx) byte
+
+                  Partial.NoErr _ (LLVMValZero _) -> do
+                      byte <- bvLit sym knownRepr (BV.zero knownRepr)
+                      idx <- bvAdd sym (llvmPointerOffset ptr)
+                        =<< bvLit sym w (bytesToBV w off)
+                      arrayUpdate sym acc_arr (Ctx.singleton idx) byte
+
+                  Partial.NoErr _ v ->
+                      panic "writeMemWithAllocationCheck"
+                             [ "Expected byte value when updating SMT array, but got:"
+                             , show v
+                             ]
+                  Partial.Err _ ->
+                      panic "writeMemWithAllocationCheck"
+                             [ "Expected succesful byte load when updating SMT array"
+                             , "but got an error instead"
+                             ]
 
       res_arr <- foldM storeArrayByteFn arr [0 .. (sz - 1)]
       overwriteArrayMem sym w ptr res_arr arr_sz mem

crucible-llvm/test/TestMemory.hs

@@ -12,6 +12,7 @@ module TestMemory
   )
 where
 
+import           Control.Lens ( (^.), _1, _2 )
 import           Control.Monad ( foldM, forM_, void )
 import           Data.Foldable ( foldlM )
 import qualified Data.Vector as V
@@ -33,6 +34,7 @@ import qualified What4.SatResult as W4Sat
 
 import qualified Lang.Crucible.Backend as CB
 import qualified Lang.Crucible.Backend.Online as CBO
+import qualified Lang.Crucible.Simulator as CS
 import qualified Lang.Crucible.Types as Crucible
 
 import           Lang.Crucible.LLVM.DataLayout ( noAlignment )
@@ -51,6 +53,7 @@ memoryTests = T.testGroup "Memory"
   , testMemArrayWithConstants
   , testMemArray
   , testPointerStore
+  , testStructStore
   , testMemArrayCopy
   , testMemArraySet
   , testMemInvalidate
@@ -538,3 +541,63 @@ testPointerStore = testCase "pointer store" $ withMem LLVMD.BigEndian $ \bak mem
       goal <- What4.notPred sym p
       res <- checkSat bak goal
       True @=? W4Sat.isUnsat res
+
+-- | Test storing and retrieving a struct with and without 'laxLoadsAndStores'
+-- enabled.
+testStructStore :: T.TestTree
+testStructStore = testCase "struct store" $ withMem LLVMD.BigEndian $ \bak mem0 ->
+  do let sym = CB.backendGetSym bak
+     sz <- What4.bvLit sym ?ptrWidth $ BV.mkBV ?ptrWidth 64
+     let struct_storage_type = LLVMMem.mkStructType $ V.fromList
+                                 [ (LLVMMem.bitvectorType 2, 2)
+                                 , (LLVMMem.bitvectorType 4, 0)
+                                 ]
+     let w16 = knownNat @16
+     let w32 = knownNat @32
+     let struct_type_repr = Crucible.StructRepr $
+                              Ctx.Empty Ctx.:>
+                              LLVMMem.LLVMPointerRepr w16 Ctx.:>
+                              LLVMMem.LLVMPointerRepr w32
+     let struct_bv1 = BV.mkBV w16 27
+     let struct_bv2 = BV.mkBV w32 42
+     struct_sym_bv1 <- What4.bvLit sym w16 struct_bv1
+     struct_sym_bv2 <- What4.bvLit sym w32 struct_bv2
+     struct_field1 <- LLVMMem.llvmPointer_bv sym struct_sym_bv1
+     struct_field2 <- LLVMMem.llvmPointer_bv sym struct_sym_bv2
+     let struct_val = Ctx.Empty Ctx.:>
+                      CS.RV struct_field1 Ctx.:>
+                      CS.RV struct_field2
+
+     let testWithOpts memOpts = do
+           let ?memOpts = memOpts
+           -- First, allocate some memory on the stack...
+           (ptr, mem1) <- LLVMMem.doAlloca bak mem0 sz noAlignment "<alloca>"
+           -- ...write a struct to it...
+           mem2 <- LLVMMem.doStore bak mem1 ptr
+                     struct_type_repr struct_storage_type
+                     noAlignment struct_val
+           -- ...read back the struct...
+           struct_val' <- LLVMMem.doLoad bak mem2 ptr
+                            struct_storage_type struct_type_repr noAlignment
+           -- ...and finally, check that the struct read from memory is the
+           -- same as the original struct.
+           let checkField ::
+                 forall w sym bak.
+                 CB.IsSymBackend sym bak =>
+                 bak ->
+                 BV.BV w ->
+                 CS.RegValue' sym (LLVMMem.LLVMPointerType w) ->
+                 IO ()
+               checkField bak' expectedBV actualPtrRV = do
+                 actualSymBV <- projectLLVM_bv bak' $ CS.unRV actualPtrRV
+                 Just expectedBV @=? What4.asBV actualSymBV
+           checkField bak struct_bv1 (struct_val'^._1)
+           checkField bak struct_bv2 (struct_val'^._2)
+
+     testWithOpts (?memOpts{ LLVMMem.laxLoadsAndStores = False })
+     testWithOpts (?memOpts{ LLVMMem.laxLoadsAndStores = True
+                           , LLVMMem.indeterminateLoadBehavior = LLVMMem.StableSymbolic
+                           })
+     testWithOpts (?memOpts{ LLVMMem.laxLoadsAndStores = True
+                           , LLVMMem.indeterminateLoadBehavior = LLVMMem.UnstableSymbolic
+                           })