Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make meet in AddressDomain more precise #1468

Merged
merged 9 commits into from
Jan 17, 2025
Merged

Make meet in AddressDomain more precise #1468

merged 9 commits into from
Jan 17, 2025
+96 −3

Conversation

michael-schwarz
Copy link
Member

@michael-schwarz michael-schwarz commented May 15, 2024
edited
Loading

Currently, in the address domain inside the buckets, for the meets we use ProjectiveSetPairwiseMeet

analyzer/src/domain/disjointDomain.ml

Lines 190 to 205 in bffc5e3

let meet m1 m2 =
let meet_buckets b1 b2 acc =
B.fold (fun e1 acc ->
B.fold (fun e2 acc ->
if B.may_be_equal e1 e2 then
add e1 (add e2 acc)
else
acc
) b2 acc
) b1 acc
in
fold_buckets (fun _ b1 acc ->
fold_buckets (fun _ b2 acc ->
meet_buckets b1 b2 acc
) m2 acc
) m1 (empty ())

where B.may_be_equal delegates to

analyzer/src/cdomain/value/cdomains/addressDomain.ml

Line 180 in bffc5e3

let may_be_equal a b = Option.value (Addr.semantic_equal a b) ~default:true

Addr.semantic_equal given by

analyzer/src/cdomain/value/cdomains/addressDomain.ml

Lines 102 to 111 in bffc5e3

let semantic_equal x y = match x, y with
| Addr x, Addr y -> Mval.semantic_equal x y
| StrPtr s1, StrPtr s2 -> SD.semantic_equal s1 s2
| NullPtr, NullPtr -> Some true
| UnknownPtr, UnknownPtr
| UnknownPtr, Addr _
| Addr _, UnknownPtr
| UnknownPtr, StrPtr _
| StrPtr _, UnknownPtr -> None
| _, _ -> Some false

which calls SD.sematic_equal

analyzer/src/cdomain/value/cdomains/stringDomain.ml

Lines 77 to 81 in bffc5e3

let semantic_equal x y =
match x, y with
| None, _
| _, None -> Some true
| Some a, Some b -> if a = b then None else Some false

this is needed to handle all sorts of different offsets that may be semantically equal, i.e., evaluate to the same physical address. In this case it keeps both elements.

After some discussion with @jerhard and @hseidl, we reached the following insights:

This behavior is overly conservative, as the mess of the address lattice contains some sub-lattices where the meet operation is semantically correct.

This now checks via a new predicate amenable_to_meet whether for the two addresses a and b this relationship between values and the meet holds. If this is the case, a meet is performed and the element added to the resulting set only if it is distinct from bot.

Currently, we answer amenable_to_meetby true whenever both arguments are strings, or when the both are addresses that differ in the numeric(!) offsets only.

This PR also adds two tests where this yields additional precision.

Closes #1467

@michael-schwarz michael-schwarz changed the title Make meet in AddressDomain more Precise Make meet in AddressDomain more precise May 15, 2024
@michael-schwarz michael-schwarz requested a review from sim642 May 15, 2024 14:17
@michael-schwarz michael-schwarz marked this pull request as ready for review May 15, 2024 14:17
@michael-schwarz michael-schwarz mentioned this pull request May 15, 2024
Closed
7 tasks
sim642
sim642 reviewed May 20, 2024
View reviewed changes
src/cdomain/value/cdomains/addressDomain_intf.ml Outdated Show resolved Hide resolved
src/domain/disjointDomain.ml Outdated Show resolved Hide resolved
src/cdomain/value/cdomains/addressDomain.ml Outdated Show resolved Hide resolved
tests/regression/27-inv_invariants/22-meet-ptrs.c Outdated Show resolved Hide resolved
@michael-schwarz michael-schwarz self-assigned this Dec 15, 2024
@michael-schwarz
Copy link
Member Author

Sorry for being MIA, I will take this up and hopefully get it mergeable before the holidays.

@michael-schwarz
Copy link
Member Author

@sim642 anything blocking the merge here? After your comments are integrated, it now is quite lightweight.

sim642
sim642 reviewed Jan 17, 2025
View reviewed changes
src/domain/disjointDomain.ml Outdated Show resolved Hide resolved
src/domain/disjointDomain.ml Show resolved Hide resolved
tests/regression/13-privatized/89-write-lacking-precision.c Outdated Show resolved Hide resolved
tests/regression/13-privatized/89-write-lacking-precision.c Outdated Show resolved Hide resolved
@sim642 sim642 added this to the v2.6.0 milestone Jan 17, 2025
@michael-schwarz michael-schwarz merged commit cc4a935 into master Jan 17, 2025
21 checks passed
@michael-schwarz michael-schwarz deleted the issue_1467 branch January 17, 2025 12:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sim642 sim642 sim642 approved these changes

Assignees

@michael-schwarz michael-schwarz

Labels
bug precision
Projects
None yet
Milestone
v2.6.0
Development

Successfully merging this pull request may close these issues.

Meet of string pointers in address domain imprecise
2 participants
@michael-schwarz @sim642