Support reference to prior values (was "Support the deep-copy of history variables")

[feliperodri]

CBMC version: 5.67.0
Operating system: N/A

Problem description

History variables in loop contracts (maybe also in function contracts?) only make shallow copies. This is sufficient for scalars, but arrays and pointers may require a deep copy, like in the example below.

Example

This example shows a case where we wrote function contracts to specify the behavior of the loop. However, the term __CPROVER_loop_entry(listData)[j-1] requires a deep copy of the listData array.

This example is a simplified version of one of the loop contracts I was trying to write for the FreeRTOS Task-Scheduler, but couldn't write, since there was no support for this feature. Further, this feature will likely be necessary for any kind of unbounded functional correctness proofs.

#include <stdlib.h>

main() {
  // A 1d array of integer pointers. 
  int ** listData = (int **) malloc (4 * sizeof(int *));
  if (listData == NULL){
    exit(1);
  }
  //Each integer pointer points to a single integer.
  int b1;
  int b2;
  listData[0] = &b1;
  listData[1] = &b2;

  // Move all elements to the left by 1
  for (int i = 1 ; i < 4; i++)
  __CPROVER_assigns(i, __CPROVER_POINTER_OBJECT(listData))
  __CPROVER_loop_invariant(i>=1 && i<=4)
  __CPROVER_loop_invariant(__CPROVER_forall { int j; 
    (1 <= j && j <= 4) ==>
    ( (j >= i) ==> (listData[j-1]==__CPROVER_loop_entry(listData)[j-1]) )     
  })
  __CPROVER_loop_invariant(__CPROVER_forall { int j; 
      (1 <= j && j <= 3) ==>
     ((j < i) ==>(listData[j-1]==__CPROVER_loop_entry(listData)[j]))     
  })
  __CPROVER_decreases (4-i)
  {
    listData[i-1] = listData[i];
  }
  
  assert(listData[0] == &b2);
}

Challenges

1. Deep copies are expensive. They can potentially touch a large amount of memory.
2. Since C supports type-casting and type-unsafe code, it may be hard to compute the correct deep-copy. For example, we cannot deep copy of a (void *) pointer because we don't know how many bytes to copy.

Possible practical compromise

A practical compromise could be to add new syntax (similar to the __CPROVER_POINTER_OBJECT(listData) from the assigns clause, which performs a 1-level deep havoc) to do a 1-level deep copy, and reject code where we cannot figure out what the deep copy should be (like for a (void*) pointer). This will be sufficient for the example above.

However, this is not the perfect solution since we can construct cases where we need deep copies up to more levels. But this may be the best we can do to avoid the challenges listed above.

[remi-delmas-3000]

To avoid copies we should defer the resolution of history variables to the SSA conversion stage.

If we look at the program below:

#define NOF_ELEMS 3
main() {
  // A 1d array of integer pointers.
  int data[NOF_ELEMS];
  int *ptrs[NOF_ELEMS];

LOOP1_START:
  for (int i = 0 ; i < NOF_ELEMS; i++) {
    ptrs[i] = &data[i];
  }

LOOP2_START:
  for (int i = 1 ; i < NOF_ELEMS; i++)
  {
    ptrs[i-1] = ptrs[i];
  }
  assert(*ptrs[0] == data[1]);
}

The symex steps it generates are:

Call stack:
__CPROVER__start location number: 40
__CPROVER__start location number: 38
main

[Guard size: 1] code statement="decl"(main::1::data)
[Guard size: 1] code statement="decl"(main::1::ptrs)
[Guard size: 1] code statement="decl"(main::1::1::i)
[Guard size: 1] code statement="assign"(main::1::1::i, 0)
[Guard size: 1] code statement="assign"(main::1::ptrs[cast(main::1::1::i, signedbv[64])], address_of(main::1::data[cast(main::1::1::i, signedbv[64])]))
[Guard size: 1] code statement="assign"(main::1::1::i, main::1::1::i + 1)
Unwinding loop main.0 iteration 1 file history.c line 8 function main thread 0
[Guard size: 1] code statement="assign"(main::1::ptrs[cast(main::1::1::i, signedbv[64])], address_of(main::1::data[cast(main::1::1::i, signedbv[64])]))
[Guard size: 1] code statement="assign"(main::1::1::i, main::1::1::i + 1)
Unwinding loop main.0 iteration 2 file history.c line 8 function main thread 0
[Guard size: 1] code statement="assign"(main::1::ptrs[cast(main::1::1::i, signedbv[64])], address_of(main::1::data[cast(main::1::1::i, signedbv[64])]))
[Guard size: 1] code statement="assign"(main::1::1::i, main::1::1::i + 1)
Unwinding loop main.0 iteration 3 file history.c line 8 function main thread 0
[Guard size: 1] code statement="decl"(main::1::2::i)
[Guard size: 1] code statement="assign"(main::1::2::i, 1)
[Guard size: 1] code statement="assign"(main::1::ptrs[cast(main::1::2::i - 1, signedbv[64])], main::1::ptrs[cast(main::1::2::i, signedbv[64])])
[Guard size: 1] code statement="assign"(main::1::2::i, main::1::2::i + 1)
Unwinding loop main.1 iteration 1 file history.c line 13 function main thread 0
[Guard size: 1] code statement="assign"(main::1::ptrs[cast(main::1::2::i - 1, signedbv[64])], main::1::ptrs[cast(main::1::2::i, signedbv[64])])
[Guard size: 1] code statement="assign"(main::1::2::i, main::1::2::i + 1)
Unwinding loop main.1 iteration 2 file history.c line 13 function main thread 0
[Guard size: 1] code statement="return"(side_effect statement="nondet" is_nondet_nullable="1")

Which once translated to SSA gives these equations. We see that several logical versions of the ptrs and the data arrays occur in the formula.

(26) SHARED_WRITE(data!0@1#0)
(27) i!0@1#2 == 0
(28) ptrs!0@1#2[[0]] == data!0@1
(29) i!0@1#3 == 1
(30) ptrs!0@1#2[[1]] == (signed int *)((char *)data!0@1 + 4l)
(31) i!0@1#4 == 2
(32) ptrs!0@1#2[[2]] == (signed int *)((char *)data!0@1 + 8l)
(33) i!0@1#5 == 3
(34) i!0@1#2 == 1
(35) ptrs!0@1#3[[0]] == (signed int *)((char *)data!0@1 + 4l)
(36) i!0@1#3 == 2
(37) ptrs!0@1#3[[1]] == (signed int *)((char *)data!0@1 + 8l)
(38) i!0@1#4 == 3
(39) main!0#1 == nondet_symbol(symex::nondet0)
(40) return'!0#1 == main!0#1

These steps correspond to the first loop

(26) SHARED_WRITE(data!0@1#0)
(27) i!0@1#2 == 0
(28) ptrs!0@1#2[[0]] == data!0@1
(29) i!0@1#3 == 1
(30) ptrs!0@1#2[[1]] == (signed int *)((char *)data!0@1 + 4l)
(31) i!0@1#4 == 2
(32) ptrs!0@1#2[[2]] == (signed int *)((char *)data!0@1 + 8l)
(33) i!0@1#5 == 3

These steps correspond to the second loop:

(34) i!0@1#2 == 1
(35) ptrs!0@1#3[[0]] == (signed int *)((char *)data!0@1 + 4l)
(36) i!0@1#3 == 2
(37) ptrs!0@1#3[[1]] == (signed int *)((char *)data!0@1 + 8l)

Seen from LOOP2, ptrs!0@1#2 represents the array state before entering LOOP2, and ptrs!0@1#3 represents the state of the array inside LOOP2.

We could introduce expressions __CPROVER_at(ptrs, LOOP2_START) in the contracts language,
and have these expression resolved at the SSA conversion stage to the SSA variable
that represents this C variable at the given label,
in this example __CPROVER_at(ptrs, LOOP2_START) ~~> ptrs!0@1#2.

The indexing for SSA variables seems to follow the pattern <variable_name>!<thread_id>@<function_invocation_id>#<update_id>.

Right now I don't see how to use SSA indexing to distinguish the state of the array at loop_entry vs at each loop iteration,
because the #<update_id> suffix is not incremented after every update of the ptrs array in the loop body.

If we modify a loop to repeatedly write at the same location:

BEFORE_LOOP1:
  for (int i = 0 ; i < NOF_ELEMS; i++) {
    ptrs[0] = &data[i];
    ptrs[i] = &data[i];
  }

the SSA becomes:

(27) i!0@1#2 == 0
(28) ptrs!0@1#2[[0]] == data!0@1
(29) ptrs!0@1#3[[0]] == data!0@1
(30) i!0@1#3 == 1
(31) ptrs!0@1#4[[0]] == (signed int *)((char *)data!0@1 + 4l)
(32) ptrs!0@1#2[[1]] == (signed int *)((char *)data!0@1 + 4l)
(33) i!0@1#4 == 2
(34) ptrs!0@1#5[[0]] == (signed int *)((char *)data!0@1 + 8l)
(35) ptrs!0@1#2[[2]] == (signed int *)((char *)data!0@1 + 8l)
(36) i!0@1#5 == 3

and we see that the #idx index gets incremented for the cell [[0]] of the array.
So SSA conversion seems to track array cells as individual variables in this example.

Now if we declare the array with a symbolic size, and unroll the loops a finite number of steps:

#include<stdlib.h>
#define NOF_ELEMS 5
main() {
  size_t size;
  __CPROVER_assume(size > 100000);
  // A 1d array of integer pointers.
  int data[size];
  int *ptrs[size];

BEFORE_LOOP1:
  for (int i = 0 ; i < NOF_ELEMS; i++) {
    ptrs[i] = &data[i];
  }
AFTER_LOOP1:

BEFORE_LOOP2:
  for (int i = 1; i < NOF_ELEMS; i++) {
    ptrs[i - 1] = ptrs[i];
  }
AFTER_LOOP2:
  assert(*ptrs[0] == data[1]);
}

Array updates are represented as functional updates array#{i+1} == array#{i} WITH [idx := new_value] in the SSA, which bumps the #index of the array variable itself at every step.

(30) i!0@1#2 == 0
(31) ptrs!0@1#2 == ptrs!0@1#1 WITH [0l:=data!0@1]
(32) i!0@1#3 == 1
(33) ptrs!0@1#3 == ptrs!0@1#2 WITH [1l:=(signed int *)((char *)data!0@1 + 4l)]
(34) i!0@1#4 == 2
(35) ptrs!0@1#4 == ptrs!0@1#3 WITH [2l:=(signed int *)((char *)data!0@1 + 8l)]
(36) i!0@1#5 == 3

So we could really use an approach like this for history variables instead of snapshots.

[jimgrundy]

+100 on Remi's comment. Maybe change the name of this issue.

[jimgrundy]

Here are some restrictions on when this construct can be used, which an implementation is
expected to check:

• The label and the __CPROVER_at expression must occur in the same function.
• The scope in which the label appears must include the scope of the referencing
  expression.
• Any variables mentioned in the expression must be in scope at both the location of the
  expression and the labeled location. These must be the very same variables, not simply
  variables with the same name and type. The CBMC compilation flow gives variables
  globally unique names. This mechanism can be used to ensure the same variables are
  referenced.
• The labeled program location must be a graph dominator of the location of the
  expression. That is, there is no way to reach the expression without passing through the
  labeled location.

Note that validity assertions about the expression must be generated, and must be generated
using the SSA variables current at the label. For example, consider the following expression:
__CPROVER_at(array[index], label)
It is necessary to generate the check that the value of index when we last executed label is
valid for array.

Another example:

size_t size;
int *a = nondet() ? NULL : malloc(size * sizeof(int));
START:
...
 // this should fail
assert(_CPROVER_at(a[0] == a[0], START));
// this should NOT fail because it is correctly guarded
assert(_CPROVER_at(a, START) != NULL && _CPROVER_at(size) > 0 ==> _CPROVER_at(a[0] == a[0], START));