-
Notifications
You must be signed in to change notification settings - Fork 76
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix both branches dead from bot address in array #1233
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Giving the value inside the array a super-bot value instead of a bottom value of correct type might fix this example, but is not a principled solution one would want to merge.
Such a solution should address what is read.
The points-to set is empty, there is nothing to read! The morally right thing would be to have the value that's actually there: a top address set. But some array domains don't work that way and there's nothing nicer we can do about it before the PLDI deadline. |
Maybe you can use the partitioned array domain and not this one for which it is dubious what it does for programs with undefined behavior such as this example anyway? |
There's nothing undefined about this. It can arise from every unknown pointer and that's simply what happens in all the programs from the issues. It's our as-sound-as-possible handling of unknown pointers that's causing us to be unsound in this case. |
And switching the domain is not an option because it makes the analysis more expensive. This issue arises with the large-program example config that we give and want everyone else to use. |
Then maybe what we have to do for invalidate calls is to assign a |
My change is in that
Partitioned arrays are a single joined value just like trivial arrays if there's no partitioning. If that case of partitioned arrays is somehow more sound, we should just make trivial arrays behave the same way. Invalidation should kill any partitioning anyway, so it's not the partitioning that's making the result more sound here. |
Yes, we just have to make sure it's not at the expense of killing any precision for the non-partitioned array domain in other places where |
I'll review this in detail either tomorrow or Saturday. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It seems at first glance that top_value
is indeed only called in places where it is not an initial value. I would still feel more comfortable if we could do a run on SV-COMP to confirm it has no precision impact before merging this.
I did before vs after benchmarking on sv-benchmarks and there's no difference in results modulo noise. |
Closes #1232. Closes #1188.
The fix is from #1188 (comment). I'm not sure if this is the right fix, but it is a fix.