Broaden scope of read-unwritten-memory to lax-loads-and-stores

This renamed the `read-unwritten-memory` Crux option to `lax-loads-and-stores`,
reflecting its new purpose of being a catch-all option for relaxing various
validity checks related to loads and stores. This is meant for SV-COMP mode,
which has a different view of fatal errors than Crucible does.

This addresses some of the goals of #783. It does not address the goal of
designing a generic taxonomy of errors.

Author: RyanGlScott

crucible-llvm/crucible-llvm.cabal

@@ -108,6 +108,7 @@ library
     Lang.Crucible.LLVM.Translation.Options
     Lang.Crucible.LLVM.Translation.Types
     Lang.Crucible.LLVM.Types
+    Lang.Crucible.LLVM.Utils
 
   if impl(ghc >= 8.6)
     default-extensions: NoStarIsType

crucible-llvm/src/Lang/Crucible/LLVM/Intrinsics/LLVM.hs

@@ -13,6 +13,7 @@
 {-# LANGUAGE FlexibleContexts #-}
 {-# LANGUAGE FlexibleInstances #-}
 {-# LANGUAGE GADTs #-}
+{-# LANGUAGE ImplicitParams #-}
 {-# LANGUAGE ImpredicativeTypes #-}
 {-# LANGUAGE MultiParamTypeClasses #-}
 {-# LANGUAGE OverloadedStrings #-}
@@ -180,7 +181,8 @@ llvmStackrestore =
   (\_memOps _sym _args -> return ())
 
 llvmMemmoveOverride_8_8_32
-  :: (IsSymInterface sym, HasLLVMAnn sym, HasPtrWidth wptr)
+  :: ( IsSymInterface sym, HasLLVMAnn sym, HasPtrWidth wptr
+     , ?memOpts :: MemOptions )
   => LLVMOverride p sym
          (EmptyCtx ::> LLVMPointerType wptr ::> LLVMPointerType wptr
                    ::> BVType 32 ::> BVType 32 ::> BVType 1)
@@ -190,7 +192,8 @@ llvmMemmoveOverride_8_8_32 =
   (\memOps sym args -> Ctx.uncurryAssignment (\dst src len _align v -> Libc.callMemmove sym memOps dst src len v) args)
 
 llvmMemmoveOverride_8_8_32_noalign
-  :: (IsSymInterface sym, HasLLVMAnn sym, HasPtrWidth wptr)
+  :: ( IsSymInterface sym, HasLLVMAnn sym, HasPtrWidth wptr
+     , ?memOpts :: MemOptions )
   => LLVMOverride p sym
          (EmptyCtx ::> LLVMPointerType wptr ::> LLVMPointerType wptr
                    ::> BVType 32 ::> BVType 1)
@@ -201,7 +204,8 @@ llvmMemmoveOverride_8_8_32_noalign =
 
 
 llvmMemmoveOverride_8_8_64
-  :: (IsSymInterface sym, HasLLVMAnn sym, HasPtrWidth wptr)
+  :: ( IsSymInterface sym, HasLLVMAnn sym, HasPtrWidth wptr
+     , ?memOpts :: MemOptions )
   => LLVMOverride p sym
          (EmptyCtx ::> LLVMPointerType wptr ::> LLVMPointerType wptr
                    ::> BVType 64 ::> BVType 32 ::> BVType 1)
@@ -212,7 +216,8 @@ llvmMemmoveOverride_8_8_64 =
 
 
 llvmMemmoveOverride_8_8_64_noalign
-  :: (IsSymInterface sym, HasLLVMAnn sym, HasPtrWidth wptr)
+  :: ( IsSymInterface sym, HasLLVMAnn sym, HasPtrWidth wptr
+     , ?memOpts :: MemOptions )
   => LLVMOverride p sym
          (EmptyCtx ::> LLVMPointerType wptr ::> LLVMPointerType wptr
                    ::> BVType 64 ::> BVType 1)
@@ -274,7 +279,8 @@ llvmMemsetOverride_8_32_noalign =
 
 
 llvmMemcpyOverride_8_8_32
-  :: (IsSymInterface sym, HasLLVMAnn sym, HasPtrWidth wptr)
+  :: ( IsSymInterface sym, HasLLVMAnn sym, HasPtrWidth wptr
+     , ?memOpts :: MemOptions )
   => LLVMOverride p sym
           (EmptyCtx ::> LLVMPointerType wptr ::> LLVMPointerType wptr
                     ::> BVType 32 ::> BVType 32 ::> BVType 1)
@@ -284,7 +290,8 @@ llvmMemcpyOverride_8_8_32 =
   (\memOps sym args -> Ctx.uncurryAssignment (\dst src len _align v -> Libc.callMemcpy sym memOps dst src len v) args)
 
 llvmMemcpyOverride_8_8_32_noalign
-  :: (IsSymInterface sym, HasLLVMAnn sym, HasPtrWidth wptr)
+  :: ( IsSymInterface sym, HasLLVMAnn sym, HasPtrWidth wptr
+     , ?memOpts :: MemOptions )
   => LLVMOverride p sym
           (EmptyCtx ::> LLVMPointerType wptr ::> LLVMPointerType wptr
                     ::> BVType 32 ::> BVType 1)
@@ -295,7 +302,8 @@ llvmMemcpyOverride_8_8_32_noalign =
 
 
 llvmMemcpyOverride_8_8_64
-  :: (IsSymInterface sym, HasLLVMAnn sym, HasPtrWidth wptr)
+  :: ( IsSymInterface sym, HasLLVMAnn sym, HasPtrWidth wptr
+     , ?memOpts :: MemOptions )
   => LLVMOverride p sym
          (EmptyCtx ::> LLVMPointerType wptr ::> LLVMPointerType wptr
                    ::> BVType 64 ::> BVType 32 ::> BVType 1)
@@ -306,7 +314,8 @@ llvmMemcpyOverride_8_8_64 =
 
 
 llvmMemcpyOverride_8_8_64_noalign
-  :: (IsSymInterface sym, HasLLVMAnn sym, HasPtrWidth wptr)
+  :: ( IsSymInterface sym, HasLLVMAnn sym, HasPtrWidth wptr
+     , ?memOpts :: MemOptions )
   => LLVMOverride p sym
          (EmptyCtx ::> LLVMPointerType wptr ::> LLVMPointerType wptr
                    ::> BVType 64 ::> BVType 1)

crucible-llvm/src/Lang/Crucible/LLVM/Intrinsics/Libc.hs

@@ -67,7 +67,8 @@ import           Lang.Crucible.LLVM.Intrinsics.Options
 
 
 llvmMemcpyOverride
-  :: (IsSymInterface sym, HasLLVMAnn sym, HasPtrWidth wptr)
+  :: ( IsSymInterface sym, HasLLVMAnn sym, HasPtrWidth wptr
+     , ?memOpts :: MemOptions )
   => LLVMOverride p sym
            (EmptyCtx ::> LLVMPointerType wptr
                      ::> LLVMPointerType wptr
@@ -84,7 +85,8 @@ llvmMemcpyOverride =
 
 
 llvmMemcpyChkOverride
-  :: (IsSymInterface sym, HasLLVMAnn sym, HasPtrWidth wptr)
+  :: ( IsSymInterface sym, HasLLVMAnn sym, HasPtrWidth wptr
+     , ?memOpts :: MemOptions )
   => LLVMOverride p sym
          (EmptyCtx ::> LLVMPointerType wptr
                    ::> LLVMPointerType wptr
@@ -102,7 +104,8 @@ llvmMemcpyChkOverride =
     )
 
 llvmMemmoveOverride
-  :: (IsSymInterface sym, HasLLVMAnn sym, HasPtrWidth wptr)
+  :: ( IsSymInterface sym, HasLLVMAnn sym, HasPtrWidth wptr
+     , ?memOpts :: MemOptions )
   => LLVMOverride p sym
          (EmptyCtx ::> (LLVMPointerType wptr)
                    ::> (LLVMPointerType wptr)
@@ -378,7 +381,8 @@ callFree sym mvar
 -- *** Memory manipulation
 
 callMemcpy
-  :: (IsSymInterface sym, HasLLVMAnn sym, HasPtrWidth wptr)
+  :: ( IsSymInterface sym, HasLLVMAnn sym, HasPtrWidth wptr
+     , ?memOpts :: MemOptions )
   => sym
   -> GlobalVar Mem
   -> RegEntry sym (LLVMPointerType wptr)
@@ -400,7 +404,8 @@ callMemcpy sym mvar
 -- ranges are disjoint.  The underlying operation
 -- works correctly in both cases.
 callMemmove
-  :: (IsSymInterface sym, HasLLVMAnn sym, HasPtrWidth wptr)
+  :: ( IsSymInterface sym, HasLLVMAnn sym, HasPtrWidth wptr
+     , ?memOpts :: MemOptions )
   => sym
   -> GlobalVar Mem
   -> RegEntry sym (LLVMPointerType wptr)

crucible-llvm/src/Lang/Crucible/LLVM/MemModel.hs

@@ -243,6 +243,7 @@ import           Lang.Crucible.LLVM.MemModel.Options
 import           Lang.Crucible.LLVM.MemModel.Value
 import           Lang.Crucible.LLVM.Translation.Constant
 import           Lang.Crucible.LLVM.Types
+import           Lang.Crucible.LLVM.Utils
 import           Lang.Crucible.Panic (panic)
 
 
@@ -912,7 +913,8 @@ doArrayConstStore sym mem ptr alignment arr len = do
 -- Precondition: the source and destination pointers fall within valid allocated
 -- regions.
 doMemcpy ::
-  (1 <= w, IsSymInterface sym, HasPtrWidth wptr, Partial.HasLLVMAnn sym) =>
+  ( 1 <= w, IsSymInterface sym, HasPtrWidth wptr, Partial.HasLLVMAnn sym
+  , ?memOpts :: MemOptions ) =>
   sym ->
   NatRepr w ->
   MemImpl sym ->
@@ -931,7 +933,8 @@ doMemcpy sym w mem mustBeDisjoint dest src len = do
 
   let mop = MemCopyOp (gsym_dest, dest) (gsym_src, src) len (memImplHeap mem)
 
-  p1' <- Partial.annotateME sym mop UnreadableRegion p1
+  p1' <- applyUnless (laxLoadsAndStores ?memOpts)
+                     (Partial.annotateME sym mop UnreadableRegion) p1
   p2' <- Partial.annotateME sym mop UnwritableRegion p2
 
   assert sym p1' $ AssertFailureSimError "Mem copy failed" "Invalid copy source"

crucible-llvm/src/Lang/Crucible/LLVM/MemModel/Generic.hs

@@ -111,6 +111,7 @@ import           Lang.Crucible.LLVM.MemModel.Type
 import           Lang.Crucible.LLVM.MemModel.Value
 import           Lang.Crucible.LLVM.MemModel.Partial (PartLLVMVal, HasLLVMAnn)
 import qualified Lang.Crucible.LLVM.MemModel.Partial as Partial
+import           Lang.Crucible.LLVM.Utils
 import           Lang.Crucible.Simulator.RegMap (RegValue'(..))
 
 --------------------------------------------------------------------------------
@@ -718,8 +719,12 @@ readMem sym w gsym l tp alignment m = do
     -- Otherwise, fall back to the less-optimized read case
     _ -> readMem' sym w (memEndianForm m) gsym l m tp alignment (memWrites m)
 
-  Partial.attachMemoryError sym p1 mop UnreadableRegion =<<
-    Partial.attachSideCondition sym p2 (UB.ReadBadAlignment (RV l) alignment) part_val
+  part_val' <- applyUnless (laxLoadsAndStores ?memOpts)
+                           (Partial.attachSideCondition sym p2 (UB.ReadBadAlignment (RV l) alignment))
+                           part_val
+  applyUnless (laxLoadsAndStores ?memOpts)
+              (Partial.attachMemoryError sym p1 mop UnreadableRegion)
+              part_val'
 
 data CacheEntry sym w =
   CacheEntry !(StorageType) !(SymNat sym) !(SymBV sym w)
@@ -767,7 +772,7 @@ readMem' sym w end gsym l0 origMem tp0 alignment (MemWrites ws) =
       ReadMem sym (PartLLVMVal sym)
     fallback0 tp l =
       liftIO $
-        if readUnwrittenMemory ?memOpts
+        if laxLoadsAndStores ?memOpts
         then Partial.totalLLVMVal sym <$> freshLLVMVal sym tp
         else do -- We're playing a trick here.  By making a fresh constant a proof obligation, we can be
                 -- sure it always fails.  But, because it's a variable, it won't be constant-folded away

crucible-llvm/src/Lang/Crucible/LLVM/MemModel/Options.hs

@@ -34,29 +34,47 @@ data MemOptions
       --   will sometimes compare equal if the compiler decides to
       --   consolidate their storage.
 
-    , readUnwrittenMemory :: !Bool
-      -- ^ Should we allow reading from previously unwritten memory? Such a
-      ---  read will return an arbitrary, fixed value of the appropriate type.
+    , laxLoadsAndStores :: !Bool
+      -- ^ Should we relax some of Crucible's validity checks for memory loads
+      --   and stores? If 'True', the following checks will be relaxed:
+      --
+      --   * If reading from previously unwritten memory, rather than throw a
+      --     'NoSatisfyingWrite' error, the read will return an arbitrary,
+      --     fixed value of the appropriate type.
+      --
+      --   * If reading from a region that isn't allocated or isn't large
+      --     enough, Crucible will proceed rather than throw an
+      --     'UnreadableRegion' error.
+      --
+      --   * Reading a value from a pointer with insufficent alignment is not
+      --     treated as undefined behavior. That is, Crucible will not throw a
+      --     'ReadBadAlignment' error.
+      --
+      --   This option is primarily useful for SV-COMP, which does not treat
+      --   the scenarios listed above as fatal errors.
     }
 
 
--- | The default memory model options require strict adherence to
---   the language standard regarding pointer equality and ordering.
+-- | The default memory model options:
+--
+-- * Require strict adherence to the language standard regarding pointer
+--   equality and ordering.
+--
+-- * Perform Crucible's default validity checks for memory loads and stores.
 defaultMemOptions :: MemOptions
 defaultMemOptions =
   MemOptions
   { laxPointerOrdering = False
   , laxConstantEquality = False
-  , readUnwrittenMemory = False
+  , laxLoadsAndStores = False
   }
 
 
--- | The lax pointer memory options allow pointer ordering comparisons
+-- | Like 'defaultMemOptions', but allow pointer ordering comparisons
 --   and equality comparisons of pointers to constant data.
 laxPointerMemOptions :: MemOptions
 laxPointerMemOptions =
-  MemOptions
+  defaultMemOptions
   { laxPointerOrdering = True
   , laxConstantEquality = True
-  , readUnwrittenMemory = False
   }

crucible-llvm/src/Lang/Crucible/LLVM/Utils.hs

@@ -0,0 +1,15 @@
+------------------------------------------------------------------------
+-- |
+-- Module           : Lang.Crucible.LLVM.Utils
+-- Description      : Miscellaneous utility functions.
+-- Copyright        : (c) Galois, Inc 2021
+-- License          : BSD3
+-- Maintainer       : Rob Dockins <[email protected]>
+-- Stability        : provisional
+------------------------------------------------------------------------
+module Lang.Crucible.LLVM.Utils (applyUnless) where
+
+-- | If the first argument is 'False', apply the second argument to the third.
+-- Otherwise, simply return the third argument.
+applyUnless :: Applicative f => Bool -> (a -> f a) -> a -> f a
+applyUnless b f x = if b then pure x else f x

crux-llvm/src/Crux/LLVM/Config.hs

@@ -160,9 +160,9 @@ llvmCruxConfig = do
                        laxConstantEquality <-
                          Crux.section "lax-constant-equality" Crux.yesOrNoSpec False
                            "Allow equality comparisons between pointers to constant data"
-                       readUnwrittenMemory <-
-                         Crux.section "read-unwritten-memory" Crux.yesOrNoSpec False
-                           "Allow reading from previously unwritten memory"
+                       laxLoadsAndStores <-
+                         Crux.section "lax-loads-and-stores" Crux.yesOrNoSpec False
+                           "Relax some of Crucible's validity checks for memory loads and stores"
                        return MemOptions{..}
 
          transOpts <- do laxArith <-

crux-llvm/test-data/golden/T783.config

@@ -0,0 +1 @@
+lax-loads-and-stores: yes

crux-llvm/test-data/golden/T783.c renamed to crux-llvm/test-data/golden/T783a.c

@@ -0,0 +1,14 @@
+struct s {
+  unsigned int a;
+  unsigned int b;
+};
+
+int f() {
+  struct s *ss = malloc(sizeof(struct s));
+  ss->b += 1;
+  return ss->b;
+}
+
+int main() {
+  return f();
+}

crux-llvm/test-data/golden/T783a.config

@@ -0,0 +1 @@
+lax-loads-and-stores: yes

crux-llvm/test-data/golden/T783.good renamed to crux-llvm/test-data/golden/T783a.good

@@ -0,0 +1 @@
+[Crux] Overall status: Valid.