Improve memOutOfBounds precision for points-to sets which mix allocs with others#2030

Open
sim642 wants to merge 2 commits into master from memOutOfBounds-blobsize
Conversation


@sim642 sim642 commented May 13, 2026

This is on top of #2029.

A pointer may point to either an allocated blob or a static array.
Currently, memOutOfBounds only uses the BlobSize query for points-to sets which are definitely alloc, but not for a mix.

This moves the decision to a per-pointee basis, rather than deciding on the basis of the whole points-to set.
The diff probably looks much nicer with whitespace ignored.

TODO

  • sv-benchmarks
  • Look into TopValue exceptions from sv-benchmarks.
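The precision difference the description above is about, as an added toy model in C (constructed for illustration, not Goblint's code): the whole-set rule only consults a BlobSize-like size when every pointee is an allocation, so a set mixing a malloc blob with a static array yields no verdict, while the per-pointee rule picks the size source for each target on its own.

```c
#include <stddef.h>
#include <stdbool.h>

/* Constructed model of the size reasoning discussed in the PR, not Goblint's
 * implementation. A pointee is either a heap blob (size answered by a
 * BlobSize-like query) or a static object (size known from its type). */
typedef struct {
    bool   is_alloc;   /* true: malloc blob, false: static array */
    size_t blob_size;  /* meaningful only when is_alloc */
    size_t type_size;  /* sizeof(declared object); 0 = not applicable */
} pointee;

typedef enum { NO_OOB, MAY_OOB, UNKNOWN } verdict;

static bool all_alloc(const pointee *pts, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (!pts[i].is_alloc) return false;
    return true;
}

/* Whole-set decision: blob sizes only if every pointee is an allocation,
 * otherwise fall back to type sizes, which a heap blob does not have. */
static verdict check_whole_set(const pointee *pts, size_t n, size_t off, size_t width) {
    bool use_blob = all_alloc(pts, n);
    for (size_t i = 0; i < n; i++) {
        size_t size = use_blob ? pts[i].blob_size : pts[i].type_size;
        if (size == 0) return UNKNOWN;           /* blob inside a mixed set */
        if (off + width > size) return MAY_OOB;  /* access exceeds this target */
    }
    return NO_OOB;
}

/* Per-pointee decision: choose the size source per target; an access is
 * in bounds only if it fits every possible target. */
static verdict check_per_pointee(const pointee *pts, size_t n, size_t off, size_t width) {
    for (size_t i = 0; i < n; i++) {
        size_t size = pts[i].is_alloc ? pts[i].blob_size : pts[i].type_size;
        if (size == 0) return UNKNOWN;
        if (off + width > size) return MAY_OOB;
    }
    return NO_OOB;
}

/* Constructed scenarios: p may be malloc(16) or a static int[8] (32 bytes),
 * versus a set that is definitely the malloc(16) blob. */
static const pointee MIXED[2] = { { true, 16, 0 }, { false, 0, 32 } };
static const pointee ONLY_ALLOC[1] = { { true, 16, 0 } };
```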

sim642 added 2 commits May 13, 2026 15:44
A pointer may point to either an allocated blob or a static array.
Currently, memOutOfBounds only uses the BlobSize query for points-to sets which are definitely alloc, but not for a mix.
@sim642 sim642 added this to the SV-COMP 2027 milestone May 13, 2026
@sim642 sim642 self-assigned this May 13, 2026
@sim642 sim642 added sv-comp SV-COMP (analyses, results), witnesses precision labels May 13, 2026
Base automatically changed from memOutOfBounds-one-past-end to master May 13, 2026 17:21

sim642 commented May 14, 2026

According to an sv-benchmarks run with level01, 60s and 1GB, this doesn't improve any verdicts: https://goblint.cs.ut.ee/results/335-all-level01-pr-2030-after/table-generator-cmp.diff.html#/table.

However, there is a regression on

  • ldv-challenges/linux-3.14_linux-kernel-locking-mutex_drivers-net-ethernet-chelsio-cxgb4-cxgb4.cil
  • ldv-challenges/linux-3.14_linux-kernel-locking-spinlock_drivers-net-ethernet-chelsio-cxgb4-cxgb4.cil

where TIMEOUT goes to the exception Lattice.TopValue. That's with unreach-call, not valid-memsafety. This changes base just to keep the function in sync with memOutOfBounds.
For reference, in SV-COMP we output true after >400s for these but get no points because the witness isn't validated.

Somehow it's coming from the Fake lattice used for ZeroInit of blobs.

EDIT: These are fixed by #2035.

@sim642 sim642 marked this pull request as ready for review May 19, 2026 14:29
Copilot AI review requested due to automatic review settings May 19, 2026 14:29

Copilot AI left a comment

Pull request overview

This PR improves size reasoning for out-of-bounds checks when a pointer may target both allocated memory and non-allocated objects, moving toward per-pointee size handling.

Changes:

  • Refactors pointer target size computation in memOutOfBounds and base to inspect individual points-to elements.
  • Adds a regression test for a pointer that may refer to either a malloc allocation or a static array.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File | Description
src/analyses/memOutOfBounds.ml | Updates target-size computation for mixed points-to sets.
src/analyses/base.ml | Applies analogous target-size handling for memory-copy modeling.
tests/regression/74-invalid_deref/38-oob-alloc-array-mix.c | Adds regression coverage for alloc/static-array mixed points-to sets.

Comment on lines +89 to +90
(* Ask for BlobSize from the base address (the second component being set to true) in order to avoid BlobSize giving us bot *)
man.ask (Queries.BlobSize {exp = ptr; base_address = true})
Comment thread src/analyses/base.ml
Comment on lines +2361 to +2362
(* Ask for BlobSize from the base address (the second component being set to true) in order to avoid BlobSize giving us bot *)
man.ask (Queries.BlobSize {exp = ptr; base_address = true})