
Improve memOutOfBounds precision for points-to sets which mix allocs with others#2030

Merged: sim642 merged 3 commits into master from memOutOfBounds-blobsize on May 29, 2026

Conversation

sim642 (Member) commented May 13, 2026

This is on top of #2029.

A pointer may point to either an allocated blob or a static array.
Currently memOutOfBounds only uses the BlobSize query for points-to sets which are definitely alloc, but not for a mix.

This moves the decision to a per-pointee basis, instead of deciding on the basis of the whole points-to set.
The diff probably looks much nicer with whitespace ignored.

TODO

  • sv-benchmarks
  • Look into TopValue exceptions from sv-benchmarks.
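The whole-set versus per-pointee size decision described above, as an added C model that is not Goblint's code: it assumes a toy interval size domain and constructed pointees, and the names `query_size`, `size_whole_set`, `size_per_pointee` and `may_be_oob` are hypothetical. The model shows why a set mixing a 16-byte malloc blob with a 32-byte static array loses all bounds under the whole-set rule but keeps the bound [16, 32] per pointee.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of a points-to set (not Goblint code). A pointee is a heap
 * blob, whose size only a BlobSize-style query knows, or a static object, whose
 * size only its declaration knows; each source answers "unknown" for the other. */
typedef enum { PT_ALLOC, PT_STATIC } pointee_kind;
typedef struct { pointee_kind kind; size_t size; } pointee;

/* Abstract size as an interval; [0, SIZE_MAX] stands for "unknown" (top). */
typedef struct { size_t lo, hi; } size_itv;
static size_itv SIZE_TOP = { 0, SIZE_MAX };

static size_itv itv_join(size_itv a, size_itv b) {
    size_itv r = { a.lo < b.lo ? a.lo : b.lo, a.hi > b.hi ? a.hi : b.hi };
    return r;
}

/* Query one size source (alloc or static) for one pointee. */
static size_itv query_size(pointee p, pointee_kind source) {
    size_itv exact = { p.size, p.size };
    return p.kind == source ? exact : SIZE_TOP;
}

/* Whole-set decision (what the PR replaces): one source for the whole set,
 * usable only when every pointee has the same kind; a mix yields top. */
size_itv size_whole_set(const pointee *ps, size_t n) {
    if (n == 0) return SIZE_TOP;
    for (size_t i = 1; i < n; i++)
        if (ps[i].kind != ps[0].kind) return SIZE_TOP;
    size_itv r = query_size(ps[0], ps[0].kind);
    for (size_t i = 1; i < n; i++) r = itv_join(r, query_size(ps[i], ps[0].kind));
    return r;
}

/* Per-pointee decision (the PR's approach): pick the source for each pointee
 * and join the answers, so a mixed set keeps a finite bound. */
size_itv size_per_pointee(const pointee *ps, size_t n) {
    if (n == 0) return SIZE_TOP;
    size_itv r = query_size(ps[0], ps[0].kind);
    for (size_t i = 1; i < n; i++) r = itv_join(r, query_size(ps[i], ps[i].kind));
    return r;
}

/* A width-byte access at byte offset off may be out of bounds unless it fits
 * inside the smallest size the set allows (the interval's lower bound). */
bool may_be_oob(size_itv size, size_t off, size_t width) {
    return off > SIZE_MAX - width || off + width > size.lo;
}
```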

sim642 added 2 commits May 13, 2026 15:44
Pointer may point to either allocated blob or static array.
Currently memOutOfBounds only uses BlobSize query for points-to sets which are definitely alloc, but not a mix.
@sim642 sim642 added this to the SV-COMP 2027 milestone May 13, 2026
@sim642 sim642 self-assigned this May 13, 2026
@sim642 sim642 added sv-comp SV-COMP (analyses, results), witnesses precision labels May 13, 2026
Base automatically changed from memOutOfBounds-one-past-end to master May 13, 2026 17:21
sim642 (Member, Author) commented May 14, 2026

According to an sv-benchmarks run with level01, 60s and 1GB, this doesn't improve any verdicts: https://goblint.cs.ut.ee/results/335-all-level01-pr-2030-after/table-generator-cmp.diff.html#/table.

However, there is a regression on

  • ldv-challenges/linux-3.14_linux-kernel-locking-mutex_drivers-net-ethernet-chelsio-cxgb4-cxgb4.cil
  • ldv-challenges/linux-3.14_linux-kernel-locking-spinlock_drivers-net-ethernet-chelsio-cxgb4-cxgb4.cil

where TIMEOUT goes to exception Lattice.TopValue. That's with unreach-call, not valid-memsafety. This changes base just to keep the function in sync with memOutOfBounds.
For reference, in SV-COMP we output true after >400s for these but get no points because the witness isn't validated.

Somehow it's coming from the Fake lattice used for ZeroInit of blobs.

EDIT: These are fixed by #2035.

@sim642 sim642 marked this pull request as ready for review May 19, 2026 14:29
Copilot AI review requested due to automatic review settings May 19, 2026 14:29

Copilot AI (Contributor) left a comment

Pull request overview

This PR improves size reasoning for out-of-bounds checks when a pointer may target both allocated memory and non-allocated objects, moving toward per-pointee size handling.

Changes:

  • Refactors pointer target size computation in memOutOfBounds and base to inspect individual points-to elements.
  • Adds a regression test for a pointer that may refer to either a malloc allocation or a static array.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File: src/analyses/memOutOfBounds.ml
Description: Updates target-size computation for mixed points-to sets.

File: src/analyses/base.ml
Description: Applies analogous target-size handling for memory-copy modeling.

File: tests/regression/74-invalid_deref/38-oob-alloc-array-mix.c
Description: Adds regression coverage for alloc/static-array mixed points-to sets.


Comment thread src/analyses/memOutOfBounds.ml Outdated
Comment on lines +89 to +90
(* Ask for BlobSize from the base address (the second component being set to true) in order to avoid BlobSize giving us bot *)
man.ask (Queries.BlobSize {exp = ptr; base_address = true})
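Review bot: the comment on line +89 describes the argument as "the second component being set to true", but the query on line +90 passes a record with a named field, `base_address = true`, not a tuple; name the field in the comment (e.g. `(* Ask for BlobSize with base_address = true so that BlobSize does not give us bot *)`) so the comment matches the code it explains.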

sim642 (Member, Author) commented

This currently doesn't make a difference because the sizes are joined here anyway. The same issue exists with EvalLength in the array case below. I added TODOs about these, to handle when improving this check to be properly relational between the address base size and the offset.

Comment thread src/analyses/base.ml Outdated
@sim642 sim642 merged commit 4c8b277 into master May 29, 2026
18 of 19 checks passed
@sim642 sim642 deleted the memOutOfBounds-blobsize branch May 29, 2026 06:55
sim642 added a commit that referenced this pull request Jun 3, 2026