Merge pull request #931 from GaloisInc/lb/bug

uc-crux-llvm: Improve tracking of unclassified errors

Author: langston-barrett

crucible-llvm/src/Lang/Crucible/LLVM/MemModel/Pointer.hs

@@ -45,6 +45,7 @@ module Lang.Crucible.LLVM.MemModel.Pointer
   , llvmPointerView
   , llvmPointerBlock
   , llvmPointerOffset
+  , llvmPointerType
   , muxLLVMPtr
   , llvmPointer_bv
   , mkNullPointer
@@ -114,6 +115,11 @@ llvmPointerBlock (LLVMPointer blk _) = blk
 llvmPointerOffset :: LLVMPtr sym w -> SymBV sym w
 llvmPointerOffset (LLVMPointer _ off) = off
 
+llvmPointerType :: IsExpr (SymExpr sym) => LLVMPtr sym w -> TypeRepr (LLVMPointerType w)
+llvmPointerType ptr =
+  case exprType (llvmPointerOffset ptr) of
+    BaseBVRepr w -> LLVMPointerRepr w
+
 -- | Type family defining how @LLVMPointerType@ unfolds.
 type family LLVMPointerImpl sym ctx where
   LLVMPointerImpl sym (EmptyCtx ::> BVType w) = LLVMPointer sym w

uc-crux-llvm/src/UCCrux/LLVM/Bug.hs

@@ -0,0 +1,103 @@
+{-
+Module           : UCCrux.LLVM.Bug
+Description      : Representation of possible bugs
+Copyright        : (c) Galois, Inc 2021
+License          : BSD3
+Maintainer       : Langston Barrett <[email protected]>
+Stability        : provisional
+-}
+
+{-# LANGUAGE FlexibleContexts #-}
+{-# LANGUAGE LambdaCase #-}
+{-# LANGUAGE GADTs #-}
+{-# LANGUAGE PolyKinds #-}
+
+module UCCrux.LLVM.Bug
+  ( Bug,
+    bugBehavior,
+    bugLoc,
+    makeBug,
+    ppBug,
+    BugBehavior(..),
+    ppBugBehavior,
+    UndefinedBehaviorTag,
+    getUndefinedBehaviorTag,
+    makeUndefinedBehaviorTag,
+  )
+where
+
+{- ORMOLU_DISABLE -}
+import qualified Prettyprinter as PP
+
+import           What4.Interface (IsExpr, SymExpr)
+import qualified What4.ProgramLoc as What4
+
+import           Lang.Crucible.LLVM.MemModel.CallStack (CallStack, ppCallStack)
+import           Lang.Crucible.LLVM.Errors (BadBehavior)
+import qualified Lang.Crucible.LLVM.Errors as LLVMErrors
+import           Lang.Crucible.LLVM.Errors.MemoryError (MemoryErrorReason)
+import qualified Lang.Crucible.LLVM.Errors.MemoryError as MemErrors
+import qualified Lang.Crucible.LLVM.Errors.UndefinedBehavior as UB
+
+import           UCCrux.LLVM.Bug.UndefinedBehaviorTag (UndefinedBehaviorTag, getUndefinedBehaviorTag, makeUndefinedBehaviorTag)
+import           UCCrux.LLVM.PP (ppProgramLoc)
+{- ORMOLU_ENABLE -}
+
+-- | This is different from 'Lang.Crucible.LLVM.Errors.BadBehavior' in that
+-- it stores less data.
+data BugBehavior
+  = BBUndefinedBehaviorTag !UndefinedBehaviorTag
+  | BBMemoryErrorReason !MemoryErrorReason
+  deriving (Eq, Ord)
+
+ppBugBehavior :: BugBehavior -> PP.Doc ann
+ppBugBehavior =
+  \case
+    BBUndefinedBehaviorTag ub -> UB.explain (getUndefinedBehaviorTag ub)
+    BBMemoryErrorReason mer -> MemErrors.ppMemoryErrorReason mer
+
+instance PP.Pretty BugBehavior where
+  pretty = ppBugBehavior
+
+-- | A possible bug: What it is, and where it can occur.
+data Bug =
+  Bug
+    { bugBehavior :: !BugBehavior
+    , bugLoc :: !What4.ProgramLoc
+    , bugCallStack :: !CallStack
+    }
+  deriving (Eq, Ord)
+
+makeBug ::
+  IsExpr (SymExpr sym) =>
+  BadBehavior sym ->
+  What4.ProgramLoc ->
+  CallStack ->
+  Bug
+makeBug bb loc callStack =
+  Bug
+    { bugBehavior =
+        case bb of
+          LLVMErrors.BBUndefinedBehavior ub ->
+            BBUndefinedBehaviorTag (makeUndefinedBehaviorTag ub)
+          LLVMErrors.BBMemoryError (MemErrors.MemoryError _ rsn) ->
+            BBMemoryErrorReason rsn,
+      bugLoc = loc,
+      bugCallStack = callStack
+    }
+
+ppBug :: Bug -> PP.Doc ann
+ppBug (Bug bb loc callStack) =
+  PP.vsep
+    [ ppBugBehavior bb
+    , PP.pretty "at" <> PP.pretty (ppProgramLoc loc)
+    , PP.pretty "in context:"
+    , PP.indent 2 (ppCallStack callStack)
+    ]
+
+-- | Non-lawful instance, only to be used in tests.
+instance Show Bug where
+  show = show . ppBug
+
+instance PP.Pretty Bug where
+  pretty = ppBug

uc-crux-llvm/src/UCCrux/LLVM/Bug/UndefinedBehaviorTag.hs

@@ -0,0 +1,165 @@
+{-
+Module           : UCCrux.LLVM.Bug.UndefinedBehaviorTag
+Description      : Representation of undefined behavior
+Copyright        : (c) Galois, Inc 2021
+License          : BSD3
+Maintainer       : Langston Barrett <[email protected]>
+Stability        : provisional
+-}
+
+{-# LANGUAGE GADTs #-}
+{-# LANGUAGE FlexibleContexts #-}
+{-# LANGUAGE LambdaCase #-}
+
+module UCCrux.LLVM.Bug.UndefinedBehaviorTag
+  ( UndefinedBehaviorTag,
+    getUndefinedBehaviorTag,
+    makeUndefinedBehaviorTag,
+  )
+where
+
+{- ORMOLU_DISABLE -}
+import           Data.Type.Equality (testEquality)
+
+import           Lang.Crucible.Simulator.RegValue (RegValue'(unRV))
+import           Lang.Crucible.Types (BVType, TypeRepr, baseToType)
+
+import           Data.Parameterized.Classes (compareF)
+import           Data.Parameterized.ClassesC (testEqualityC, compareC)
+
+import           What4.Interface (IsExpr, SymExpr, exprType)
+
+import           Lang.Crucible.LLVM.Errors.Poison (Poison(..))
+import           Lang.Crucible.LLVM.Errors.UndefinedBehavior (UndefinedBehavior(..))
+import           Lang.Crucible.LLVM.MemModel.Pointer (LLVMPointerType, llvmPointerType)
+{- ORMOLU_ENABLE -}
+
+-- | A simplification of 'UndefinedBehavior' that keeps less information around.
+-- Used for deduplicating reports about possible bugs/errors in programs and
+-- explaining the provenance of inferred function preconditions.
+newtype UndefinedBehaviorTag =
+  UndefinedBehaviorTag { getUndefinedBehaviorTag :: UndefinedBehavior TypeRepr }
+
+makeUndefinedBehaviorTag ::
+  IsExpr (SymExpr sym) =>
+  UndefinedBehavior (RegValue' sym) ->
+  UndefinedBehaviorTag
+makeUndefinedBehaviorTag =
+  UndefinedBehaviorTag .
+    \case
+      FreeBadOffset ptr ->
+        FreeBadOffset (pointer ptr)
+      FreeUnallocated ptr ->
+        FreeUnallocated (pointer ptr)
+      DoubleFree ptr ->
+        DoubleFree (pointer ptr)
+      MemsetInvalidRegion ptr val len ->
+        MemsetInvalidRegion (pointer ptr) (bv val) (bv len)
+      ReadBadAlignment ptr a ->
+        ReadBadAlignment (pointer ptr) a
+      WriteBadAlignment ptr a ->
+        WriteBadAlignment (pointer ptr) a
+      PtrAddOffsetOutOfBounds ptr off ->
+        PtrAddOffsetOutOfBounds (pointer ptr) (bv off)
+      CompareInvalidPointer op p1 p2 ->
+        CompareInvalidPointer op (pointer p1) (pointer p2)
+      CompareDifferentAllocs p1 p2 ->
+        CompareDifferentAllocs (pointer p1) (pointer p2)
+      PtrSubDifferentAllocs p1 p2 ->
+        PtrSubDifferentAllocs (pointer p1) (pointer p2)
+      PointerFloatCast ptr tp ->
+        PointerFloatCast (pointer ptr) tp
+      PointerIntCast ptr tp ->
+        PointerIntCast (pointer ptr) tp
+      PointerUnsupportedOp ptr msg ->
+        PointerUnsupportedOp (pointer ptr) msg
+      ComparePointerToBV ptr val ->
+        ComparePointerToBV (pointer ptr) (bv val)
+      UDivByZero v1 v2 ->
+        UDivByZero (bv v1) (bv v2)
+      SDivByZero v1 v2 ->
+        SDivByZero (bv v1) (bv v2)
+      URemByZero v1 v2 ->
+        URemByZero (bv v1) (bv v2)
+      SRemByZero v1 v2 ->
+        SRemByZero (bv v1) (bv v2)
+      SDivOverflow v1 v2 ->
+        SDivOverflow (bv v1) (bv v2)
+      SRemOverflow v1 v2 ->
+        SRemOverflow (bv v1) (bv v2)
+      AbsIntMin v ->
+        AbsIntMin (bv v)
+      PoisonValueCreated p ->
+        PoisonValueCreated (poison p)
+  where
+    pointer ::
+      IsExpr (SymExpr sym) =>
+      RegValue' sym (LLVMPointerType w) ->
+      TypeRepr (LLVMPointerType w)
+    pointer = llvmPointerType . unRV
+
+    bv ::
+      IsExpr (SymExpr sym) =>
+      RegValue' sym (BVType w) ->
+      TypeRepr (BVType w)
+    bv = baseToType . exprType . unRV
+
+    poison ::
+      IsExpr (SymExpr sym) =>
+      Poison (RegValue' sym) ->
+      Poison TypeRepr
+    poison =
+      \case
+        AddNoUnsignedWrap v1 v2 ->
+          AddNoUnsignedWrap (bv v1) (bv v2)
+        AddNoSignedWrap v1 v2 ->
+          AddNoSignedWrap (bv v1) (bv v2)
+        SubNoUnsignedWrap v1 v2 ->
+          SubNoUnsignedWrap (bv v1) (bv v2)
+        SubNoSignedWrap v1 v2 ->
+          SubNoSignedWrap (bv v1) (bv v2)
+        MulNoUnsignedWrap v1 v2 ->
+          MulNoUnsignedWrap(bv v1) (bv v2)
+        MulNoSignedWrap v1 v2 ->
+          MulNoSignedWrap (bv v1) (bv v2)
+        UDivExact v1 v2 ->
+          UDivExact (bv v1) (bv v2)
+        SDivExact v1 v2 ->
+          SDivExact (bv v1) (bv v2)
+        ShlOp2Big v1 v2 ->
+          ShlOp2Big (bv v1) (bv v2)
+        ShlNoUnsignedWrap v1 v2 ->
+          ShlNoUnsignedWrap (bv v1) (bv v2)
+        ShlNoSignedWrap v1 v2 ->
+          ShlNoSignedWrap (bv v1) (bv v2)
+        LshrExact v1 v2 ->
+          LshrExact (bv v1) (bv v2)
+        LshrOp2Big v1 v2 ->
+          LshrOp2Big (bv v1) (bv v2)
+        AshrExact v1 v2 ->
+          AshrExact (bv v1) (bv v2)
+        AshrOp2Big v1 v2 ->
+          AshrOp2Big (bv v1) (bv v2)
+        ExtractElementIndex v ->
+          ExtractElementIndex (bv v)
+        InsertElementIndex v ->
+          InsertElementIndex (bv v)
+        GEPOutOfBounds p v ->
+          GEPOutOfBounds (pointer p) (bv v)
+        LLVMAbsIntMin v ->
+          LLVMAbsIntMin (bv v)
+
+-- | This instance is a coarsening of that for 'UndefinedBehavior'. In
+-- particular, there may be instances of 'UndefinedBehavior' that do not compare
+-- equal, but their projections under 'makeUndefinedBehaviorTag' do compare
+-- equal.
+instance Eq UndefinedBehaviorTag where
+  UndefinedBehaviorTag t1 == UndefinedBehaviorTag t2 =
+    testEqualityC testEquality t1 t2
+
+-- | See comment on 'Eq'.
+--
+-- Under the hood, this uses 'unsafeCoerce'.
+instance Ord UndefinedBehaviorTag where
+  compare (UndefinedBehaviorTag t1) (UndefinedBehaviorTag t2) =
+    compareC compareF t1 t2