is_invalid_pointer is now defined as a bi-implication

[kroening]

The previous encoding of is_invalid_pointer is an implication,
which means that constraints that a pointer is not an invalid
pointer have no meaning.

This commit changes the encoding to be a bi-implication, using
the numerical range of the valid pointers.

• Each commit message has a non-empty body, explaining why the change was made.
• n/a Methods or procedures I have added are documented, following the guidelines provided in CODING_STANDARD.md.
• n/a The feature or user visible behaviour I have added or modified has been documented in the User Guide in doc/cprover-manual/
• Regression or unit tests are included, or existing tests cover the modified code (in this case I have detailed which ones those are in the commit message).
• n/a My commit message includes data points confirming performance improvements (if claimed).
• My PR is restricted to a single feature or bugfix.
• n/a White-space or formatting changes outside the feature-related changed lines are in commits of their own.

[codecov]

Codecov Report

Merging #6366 (c9a22ab) into develop (af94148) will increase coverage by 0.00%.
The diff coverage is 89.28%.

@@           Coverage Diff            @@
##           develop    #6366   +/-   ##
========================================
  Coverage    75.97%   75.97%           
========================================
  Files         1523     1523           
  Lines       164191   164196    +5     
========================================
+ Hits        124748   124754    +6     
+ Misses       39443    39442    -1     

Impacted Files	Coverage Δ
src/goto-instrument/dot.cpp	0.00% <0.00%> (ø)
src/goto-programs/goto_program.h	90.49% <ø> (+0.21%)	⬆️
src/solvers/flattening/pointer_logic.cpp	89.61% <ø> (-0.14%)	⬇️
src/solvers/flattening/pointer_logic.h	80.00% <ø> (-5.72%)	⬇️
src/solvers/smt2/smt2_conv.h	100.00% <ø> (ø)
src/goto-symex/symex_main.cpp	86.00% <60.00%> (+0.03%)	⬆️
src/goto-analyzer/taint_analysis.cpp	78.21% <75.00%> (-0.22%)	⬇️
src/goto-instrument/goto_program2code.cpp	69.33% <87.50%> (+0.12%)	⬆️
src/goto-programs/remove_virtual_functions.cpp	92.85% <100.00%> (+0.04%)	⬆️
src/goto-programs/restrict_function_pointers.cpp	82.20% <100.00%> (ø)
... and 3 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 038a53b...c9a22ab. Read the comment docs.

[feliperodri]

@SaswatPadhi @jimgrundy @remi-delmas-3000

[tautschnig]

Is there any data on how much slower things get in practice?

[tautschnig]

Why is this pattern being removed?

[tautschnig]

Why is this pattern being removed?

[tautschnig]

Why is this pattern being removed?

[tautschnig]

Why is this pattern being removed?

[tautschnig]

Why is this pattern being removed?

[tautschnig]

Returning to this after some time. A bunch of thoughts:

1. [SV-COMP'18 11/19] invalid_object(pointer) is true for all non-existent objects #2000 previously proposed a similar solution, but was rejected in out-of-band communication with @kroening for it would be incompatible with incrementally adding objects. Doesn't this problem exist here as well?
2. An aspect that [SV-COMP'18 11/19] invalid_object(pointer) is true for all non-existent objects #2000 tried to tackle in addition to what is covered here are objects that symex created, yet the path condition of which isn't true. [SV-COMP'18 11/19] invalid_object(pointer) is true for all non-existent objects #2000 specifically did this for dynamic objects, but the same would actually apply to stack-allocated data. I would therefore like to ask: should "is invalid object" also be true for objects the life span of which hasn't yet begun?
3. As a possible alternative to address concern 1) above: make "is invalid object" evaluate to false for any known object, but don't specify a value for all other cases. This permits adding constraints in subsequent solver calls.

[jimgrundy]

@tautschnig suggests above

As a possible alternative to address concern 1) above: make "is invalid object" evaluate to false for any known object, but don't specify a value for all other cases. This permits adding constraints in subsequent solver calls.

Does that take us back to being an implication rather than an equivalence, and were we trying to get away from that?

Also, if this is an equivalence, can we please invert the sense and change the name to "is_valid_pointer". It's confusing to have to say that a pointer is valid by saying that it is not invalid.

[tautschnig]

@tautschnig suggests above

As a possible alternative to address concern 1) above: make "is invalid object" evaluate to false for any known object, but don't specify a value for all other cases. This permits adding constraints in subsequent solver calls.

Does that take us back to being an implication rather than an equivalence, and were we trying to get away from that?

It should be noted that the existing implementation (prior to the changes proposed in this PR) was a bi-implication on the object that is singled out as the "invalid" object. Therefore, "is invalid object" (at present) has to be read as "is the invalid object," and not "is not a valid object." It may well be that we should ...

Also, if this is an equivalence, can we please invert the sense and change the name to "is_valid_pointer". It's confusing to have to say that a pointer is valid by saying that it is not invalid.

... keep the current is_invalid_object as-is and instead make the implementation proposed in this PR back a new primitive "is_valid_object" (we shouldn't use "is_valid_pointer," because then we'd also have to check pointer offsets).

[jimgrundy]

... keep the current is_invalid_object as-is and instead make the implementation proposed in this PR back a new primitive "is_valid_object" (we shouldn't use "is_valid_pointer," because then we'd also have to check pointer offsets).

Agree about calling the proposed thing "is_valid_object" (not "is_valid_pointer") for sure.

What would keeping the current "is_invalid_object" do? Would it still track a single distinguished invalid object? Or would it be the negation of "is_valid_object". Is the motivation to keep it to avoid breaking existing code or is there another reason to have "is_invalid_object" kept around?

[kroening]

I think we need a proper 'object factory' facility!

Revoking my approval as the solution likely is not the right one to address the user request.

[tautschnig]

Some notes as @kroening and myself discussed this out of band: the proposed approach may have a substantial performance penalty. This may be fixed by making improvements to post-processing, but even then is_invalid_pointer will not necessarily be what a user even wants: 1) use within assumptions requires a proper object factory as noted above, assumptions over !is_invalid_pointer are not the right approach; 2) is_invalid_pointer does not match the informal understanding of an "invalid" pointer, but really just says that the pointed-to object is CBMC's internal "invalid object."

[jimgrundy]

This one doesn't seem like the way to go. Should we close it to declutter?

[feliperodri]

This one doesn't seem like the way to go. Should we close it to declutter?

@kroening ?