Detect whether ghost variable is phase ghost (#2001)

* Detect if accesses come from different threads

* Add phase ghosts to `goblint_lib.ml`

* More documentation for extraGhosts

* Start second part of phaseGhost detection

* Progress on `phaseGhost` detection

* Test `phaseGhost` detection

* Uniqueness + Example

* Turn into cram test

* Fix verifier atomic type

* Reuse Locator

Author: michael-schwarz

src/analyses/accessAnalysis.ml

@@ -29,7 +29,7 @@ struct
   let init _ =
     collect_local := get_bool "witness.yaml.enabled" && get_bool "witness.invariant.accessed";
     let activated = get_string_list "ana.activated" in
-    emit_single_threaded := List.mem (ModifiedSinceSetjmp.Spec.name ()) activated || List.mem (PoisonVariables.Spec.name ()) activated || List.mem (UseAfterFree.Spec.name ()) activated (* TODO: some of these don't have access as dependency *)
+    emit_single_threaded := List.mem (ModifiedSinceSetjmp.Spec.name ()) activated || List.mem (PoisonVariables.Spec.name ()) activated || List.mem (UseAfterFree.Spec.name ()) activated || List.mem (PhaseGhost.Spec.name ()) activated (* TODO: some of these don't have access as dependency *)
 
   let do_access (man: (D.t, G.t, C.t, V.t) man) (kind:AccessKind.t) (reach:bool) (e:exp) =
     if M.tracing then M.trace "access" "do_access %a %a %B" d_exp e AccessKind.pretty kind reach;

src/analyses/phaseGhost.ml

@@ -0,0 +1,182 @@
+(** Analysis for checking whether ghost globals are only accessed by one unique thread ([phaseGhost]). *)
+
+open Analyses
+open GoblintCil
+
+module TID = ThreadIdDomain.Thread
+module TIDs = ConcDomain.ThreadSet
+
+module Const =
+struct
+  include Lattice.Flat (IntOps.BigIntOps)
+  let name () = "ghost-constant"
+end
+
+module IncByOne =
+struct
+  include BoolDomain.MustBool
+  let name () = "increment-by-one"
+end
+
+module Spec =
+struct
+  include IdentitySpec
+
+  let name () = "phaseGhost"
+
+  module D = MapDomain.MapBot (Basetype.Variables) (Const)
+  include ValueContexts (D)
+  module P = IdentityP (D)
+
+  module V = VarinfoV
+  module G =
+  struct
+    include Lattice.Prod (TIDs) (IncByOne)
+    let tids = fst
+    let inc_by_one = snd
+    let create_tids tids = (tids, IncByOne.bot ())
+    let create_inc_by_one inc_by_one = (TIDs.bot (), inc_by_one)
+  end
+
+  let initial_ghost_values () =
+    List.fold_left (fun acc -> function
+        | GVar (v, initinfo, _) when YamlWitness.VarSet.mem v !(YamlWitness.ghostVars) ->
+          begin match initinfo.init with
+            | Some (SingleInit exp) ->
+              begin match Cil.getInteger (Cil.constFold true exp) with
+                | Some z -> D.add v (`Lifted z) acc
+                | None -> acc
+              end
+            | None when Cil.isIntegralType v.vtype ->
+              D.add v (`Lifted Z.zero) acc
+            | _ ->
+              acc
+          end
+        | _ ->
+          acc
+      ) (D.bot ()) !Cilfacade.current_file.globals
+
+  let startstate _ = initial_ghost_values ()
+  let exitstate _ = initial_ghost_values ()
+
+  let tids_of_current_thread man =
+    match man.ask Queries.CurrentThreadId with
+    | `Lifted tid when TID.is_unique tid -> TIDs.singleton tid
+    | _ -> TIDs.top ()
+
+  let increment_constant lval rval =
+    let is_same_lval e =
+      match Cil.stripCasts e with
+      | Lval lval' -> CilType.Lval.equal lval lval'
+      | _ -> false
+    in
+    let is_one_constant e =
+      match Cil.getInteger (Cil.constFold true e) with
+      | Some k -> Z.equal k Z.one
+      | None -> false
+    in
+    match Cil.stripCasts rval with
+    | BinOp (PlusA, e1, e2, _) ->
+      if is_same_lval e1 then
+        is_one_constant e2
+      else if is_same_lval e2 then
+        is_one_constant e1
+      else
+        false
+    | _ ->
+      false
+
+  (* This local constant folding intentionally disregards writes from other threads.
+     It is only for the phaseGhost checker itself. *)
+  (* This information must **not** be used to refine other analyses or returned by any query,
+     because it is unsound in the presence of other threads interfering. By the same token, it must
+     be not used to raise Deadcode in branch. *)
+  let rec eval_const state e =
+    match Cil.stripCasts e with
+    | Const _ ->
+      Cil.getInteger (Cil.constFold true e)
+    | Lval (Var var, NoOffset) when YamlWitness.VarSet.mem var !(YamlWitness.ghostVars) ->
+      begin match D.find_opt var state with
+        | Some (`Lifted z) -> Some z
+        | _ -> None
+      end
+    | UnOp (Neg, e, _) ->
+      Option.map Z.neg (eval_const state e)
+    | BinOp (PlusA, e1, e2, _)
+    | BinOp (IndexPI, e1, e2, _)
+    | BinOp (PlusPI, e1, e2, _) ->
+      Option.bind (eval_const state e1) (fun z1 ->
+          Option.map (Z.add z1) (eval_const state e2)
+        )
+    | BinOp (MinusA, e1, e2, _) ->
+      Option.bind (eval_const state e1) (fun z1 ->
+          Option.map (Z.sub z1) (eval_const state e2)
+        )
+    | BinOp (Mult, e1, e2, _) ->
+      Option.bind (eval_const state e1) (fun z1 ->
+          Option.map (Z.mul z1) (eval_const state e2)
+        )
+    | _ ->
+      None
+
+  let is_increment_by_one state lval rval =
+    increment_constant lval rval ||
+    match eval_const state (Lval lval), eval_const state rval with
+    | Some old_value, Some new_value ->
+      Z.equal new_value (Z.succ old_value)
+    | _ ->
+      false
+
+  let event man e oman =
+    match e with
+    | Events.Access {ad; _} ->
+      let tids = tids_of_current_thread man in
+      Queries.AD.iter (function
+          | Queries.AD.Addr.Addr (var, _) when YamlWitness.VarSet.mem var !(YamlWitness.ghostVars) ->
+            man.sideg var (G.create_tids tids)
+          | _ ->
+            ()
+        ) ad;
+      man.local
+    | _ ->
+      man.local
+
+  let assign man lval rval =
+    if !AnalysisState.global_initialization then
+      man.local
+    else
+      match lval with
+      | Var var, NoOffset when YamlWitness.VarSet.mem var !(YamlWitness.ghostVars) ->
+        let inc_by_one = is_increment_by_one man.local lval rval in
+        let local =
+          match inc_by_one, eval_const man.local rval with
+          | true, Some z -> D.add var (`Lifted z) man.local
+          | _ -> D.add var (Const.top ()) man.local
+        in
+        man.sideg var (G.create_inc_by_one inc_by_one);
+        local
+      | _ ->
+        man.local
+
+  let query man (type a) (q: a Queries.t): a Queries.result =
+    match q with
+    | Queries.WarnGlobal g ->
+      let g: V.t = Obj.obj g in
+      let (tidset, inc_by_one) = man.global g in
+      if TIDs.is_top tidset then
+        M.warn_noloc ~category:Witness "phaseGhost: global %a is accessed by a non-unique or unknown thread id" CilType.Varinfo.pretty g
+      else
+        (match TIDs.elements tidset with
+         | [tid] when TID.is_unique tid ->
+           if inc_by_one then
+             M.info_noloc ~category:Witness "phaseGhost: global %a is only accessed by unique thread %a and is only ever increased by one" CilType.Varinfo.pretty g TID.pretty tid
+           else
+             M.warn_noloc ~category:Witness "phaseGhost: global %a is only accessed by unique thread %a, but is not only ever increased by one" CilType.Varinfo.pretty g TID.pretty tid
+         | _ ->
+           M.warn_noloc ~category:Witness "phaseGhost: global %a is accessed by multiple unique threads: %a" CilType.Varinfo.pretty g TIDs.pretty tidset)
+    | _ ->
+      Queries.Result.top q
+end
+
+let _ =
+  MCP.register_analysis ~dep:["access"; "threadid"] (module Spec : MCPSpec)

src/config/options.schema.json

@@ -2849,7 +2849,7 @@
             },
             "extraGhosts": {
               "title": "witness.yaml.extraGhosts",
-              "description": "Existing global variables to additionally treat as ghost variables during YAML witness handling.",
+              "description": "Existing global variables to additionally treat as ghost variables during YAML witness handling. N.B. This will assume the global is used in a way that is consistent with the rules for ghosts in witnesses.",
               "type": "array",
               "items": {
                 "type": "string"

src/goblint_lib.ml

@@ -169,6 +169,7 @@ module StackTrace = StackTrace
     Analyses which only support other analyses. *)
 
 module AccessAnalysis = AccessAnalysis
+module PhaseGhost = PhaseGhost
 module WrapperFunctionAnalysis = WrapperFunctionAnalysis
 module TaintPartialContexts = TaintPartialContexts
 module UnassumeAnalysis = UnassumeAnalysis

src/witness/yamlWitness.ml

@@ -425,9 +425,31 @@ let ghost_instr_loc = function
   | Asm (_, _, _, _, _, loc) -> Some loc
   | _ -> None
 
+let show_ghost_update_location (loc: Cil.location) =
+  Printf.sprintf "%s:%d:%d" loc.file loc.line loc.column
+
+module GhostUpdateLocator = WitnessUtil.Locator (CilType.Location)
+module GhostUpdateLocationH = Hashtbl.Make (CilType.Location)
+
+class ghostUpdateLocationVisitor (locations : GhostUpdateLocator.t) = object
+  inherit nopCilVisitor
+
+  method! vstmt s =
+    (match s.skind with
+     | Instr il ->
+       List.iter (fun instr ->
+           Option.iter (fun loc ->
+               GhostUpdateLocator.add locations loc loc
+             ) (ghost_instr_loc instr)
+         ) il
+     | _ -> ());
+    DoChildren
+end
+
 (** CIL visitor that inserts ghost updates around matching statements.
-    [updates] maps ["basename:line"] to the list of assignment instructions
-    to insert after the original instruction at that location.  The original
+    [updates] maps exact resolved instruction locations to the list of
+    assignment instructions to insert after the original instruction at that
+    location. The original
     instruction together with the ghost update assignments are wrapped in
     [__VERIFIER_atomic_begin()] / [__VERIFIER_atomic_end()]:
     {[
@@ -436,9 +458,9 @@ let ghost_instr_loc = function
       ghostupdate;
       __VERIFIER_atomic_end();
     ]}
-    [placed] is populated with every key from [updates] that was successfully
+    [placed] is populated with every location from [updates] that was successfully
     matched; callers can use this to warn about unmatched keys. *)
-class ghostUpdateVisitor (updates : (string, Cil.instr list) Hashtbl.t) (placed : (string, unit) Hashtbl.t) (atomic_begin : Cil.varinfo) (atomic_end : Cil.varinfo) = object
+class ghostUpdateVisitor (updates : Cil.instr list GhostUpdateLocationH.t) (placed : unit GhostUpdateLocationH.t) (atomic_begin : Cil.varinfo) (atomic_end : Cil.varinfo) = object
   inherit nopCilVisitor
 
   method! vstmt s =
@@ -449,11 +471,10 @@ class ghostUpdateVisitor (updates : (string, Cil.instr list) Hashtbl.t) (placed
              match ghost_instr_loc instr with
              | None -> [instr]
              | Some loc ->
-               let key = Filename.basename loc.file ^ ":" ^ string_of_int loc.line in
-               (match Hashtbl.find_opt updates key with
+               (match GhostUpdateLocationH.find_opt updates loc with
                 | None | Some [] -> [instr]
                 | Some update_instrs ->
-                  Hashtbl.replace placed key ();
+                  GhostUpdateLocationH.replace placed loc ();
                   let abegin = Formatcil.cInstr "%v:__VERIFIER_atomic_begin();" loc
                       [("__VERIFIER_atomic_begin", Cil.Fv atomic_begin)] in
                   let aend = Formatcil.cInstr "%v:__VERIFIER_atomic_end();" loc
@@ -476,6 +497,7 @@ let ghostVars = ref VarSet.empty
 let unplaced_ghost_updates : string list ref = ref []
 
 let init () =
+  unplaced_ghost_updates := [];
   let file = !Cilfacade.current_file in
   let find_global_var name =
     List.find_map (function
@@ -578,13 +600,21 @@ let init () =
           | _ -> None
         )
     in
-    let updates : (string, Cil.instr list) Hashtbl.t = Hashtbl.create 16 in
+    let instruction_locations = GhostUpdateLocator.create () in
+    visitCilFile (new ghostUpdateLocationVisitor instruction_locations) file;
+    let updates : Cil.instr list GhostUpdateLocationH.t = GhostUpdateLocationH.create 16 in
+    let add_update_instrs resolved_loc instrs =
+      match GhostUpdateLocationH.find_opt updates resolved_loc with
+      | Some old_instrs ->
+        GhostUpdateLocationH.replace updates resolved_loc (old_instrs @ instrs)
+      | None ->
+        GhostUpdateLocationH.replace updates resolved_loc instrs
+    in
     let collect_ghost_updates yaml_entry =
       match YamlWitnessType.Entry.of_yaml yaml_entry with
       | Ok {entry_type = YamlWitnessType.EntryType.GhostInstrumentation {ghost_updates; _}; _} ->
         List.iter (fun (lu: YamlWitnessType.GhostInstrumentation.LocationUpdate.t) ->
             let loc = loc_of_location lu.location in
-            let key = Filename.basename loc.file ^ ":" ^ string_of_int loc.line in
             let instrs = List.filter_map (fun (upd: YamlWitnessType.GhostInstrumentation.Update.t) ->
                 match find_global_var upd.variable with
                 | None ->
@@ -601,26 +631,32 @@ let init () =
                    | Some value_exp -> Some (Set (Cil.var v, value_exp, loc, locUnknown)))
               ) lu.updates in
             if instrs <> [] then
-              Hashtbl.replace updates key instrs
+              match GhostUpdateLocator.find_opt instruction_locations loc with
+              | Some resolved_locs ->
+                GhostUpdateLocator.ES.iter (fun resolved_loc ->
+                    add_update_instrs resolved_loc instrs
+                  ) resolved_locs
+              | None ->
+                unplaced_ghost_updates := show_ghost_update_location loc :: !unplaced_ghost_updates
           ) ghost_updates
       | Ok _ -> ()
       | Error (`Msg m) ->
         M.error_noloc ~category:Witness "couldn't parse entry while extracting ghost updates: %s" m
     in
     List.iter collect_ghost_updates yaml_entries;
-    if Hashtbl.length updates > 0 then begin
+    if GhostUpdateLocationH.length updates > 0 then begin
       let find_or_make name =
         match find_global_var name with
         | Some v -> v
-        | None -> makeVarinfo true name (TVoid [])
+        | None -> makeVarinfo true name (TFun (TVoid [], Some [], false, []))
       in
       let atomic_begin = find_or_make "__VERIFIER_atomic_begin" in
       let atomic_end = find_or_make "__VERIFIER_atomic_end" in
-      let placed : (string, unit) Hashtbl.t = Hashtbl.create 16 in
+      let placed : unit GhostUpdateLocationH.t = GhostUpdateLocationH.create 16 in
       visitCilFile (new ghostUpdateVisitor updates placed atomic_begin atomic_end) file;
-      Hashtbl.iter (fun key _ ->
-          if not (Hashtbl.mem placed key) then
-            unplaced_ghost_updates := key :: !unplaced_ghost_updates
+      GhostUpdateLocationH.iter (fun loc _ ->
+          if not (GhostUpdateLocationH.mem placed loc) then
+            unplaced_ghost_updates := show_ghost_update_location loc :: !unplaced_ghost_updates
         ) updates
     end
 

tests/regression/19-ghost-witness/02-empire-detect.c

@@ -0,0 +1,41 @@
+// CRAM
+// Dominik's empire thing example
+#include<pthread.h>
+#include<goblint.h>
+extern void __VERIFIER_atomic_begin();
+extern void __VERIFIER_atomic_end();
+
+int x;
+
+
+void fun() {
+    int y = x;
+    while (y> 0) {
+        y--;
+    }
+
+    x++;
+}
+
+int main(void) {
+    int z;
+    int top;
+
+    if(top) { x = 10000; } else { x = 1; }
+
+    pthread_t thread;
+    pthread_create(&thread, NULL, (void*)fun, NULL);
+
+    while(z != 0) {
+        z--;
+    }
+
+    x++;
+
+    pthread_join(thread, NULL);
+
+    top = 8;
+    top = 3;
+
+    return 0;
+}