You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This is actually a result of a scoping issue: flags is both a local variable in the function and a global variable. Internally one of them is renamed to something like flags___0, but witness invariant generation translates back to original names, which both happen to be the same.
Thus, this requires a more complicated scope check in terms of original names of variables to check for possible shadowing in the original program.
This is similar to the previous one, but here both is are local variables in the same scope.
Thus, the check also needs to account for local multiple variables with the same name, possibly interacting with block scopes.
I think our address domain stores the string literal as StrPtr, but as a C expression this perhaps isn't the proper way to check for string equality (comparing addresses of a literal).
Possibly excessive function pointer casts: (our test also in sv-benchmarks)
The first invariant is from var_eq, the second from base. In both cases casts are inserted because callback has type int (*)(), but &bar has type int (*)(void). Both are declared with () arguments, but in function definition this apparently means (void).
It would probably be good to fix our tests (with more precise function pointer types) and resubmit to sv-benchmarks.
However, independently we could maybe avoid inserting the casts because the function types should be compatible in some sense, just not identical.
While working on witness IDE integration, @karoliineh has looked at some of our witness invariants, which has revealed some questionable ones:
Seemingly pointless reflexive equality:
This is actually a result of a scoping issue:
flagsis both a local variable in the function and a global variable. Internally one of them is renamed to something likeflags___0, but witness invariant generation translates back to original names, which both happen to be the same.Thus, this requires a more complicated scope check in terms of original names of variables to check for possible shadowing in the original program.
Seemingly pointless self-relation:
This is similar to the previous one, but here both
is are local variables in the same scope.Thus, the check also needs to account for local multiple variables with the same name, possibly interacting with block scopes.
Equality with string literal:
I think our address domain stores the string literal as
StrPtr, but as a C expression this perhaps isn't the proper way to check for string equality (comparing addresses of a literal).Possibly excessive function pointer casts: (our test also in sv-benchmarks)
The first invariant is from var_eq, the second from base. In both cases casts are inserted because
callbackhas typeint (*)(), but&barhas typeint (*)(void). Both are declared with()arguments, but in function definition this apparently means(void).It would probably be good to fix our tests (with more precise function pointer types) and resubmit to sv-benchmarks.
However, independently we could maybe avoid inserting the casts because the function types should be compatible in some sense, just not identical.
Anonymous struct field access with CIL offset: