Extend state representation to track errno across control-flow

[antoniofrighetto]

An attempt to handle errno in order to prevent Alive2 from treating store-to-load forwarding as valid refinements, if may alias errno. This is achieved by adding a new SMT expression to model errno meant to be used on malloc failure. Also treat malloc et alia as may write errno via LLVM errnomem location kind while translating from LLVM IR.

---

A thank to Nuno for direction on this!

[antoniofrighetto]

We don’t seem to model realloc as of now, correct?

[nunoplopes]

we do support realloc!

[antoniofrighetto]

IIUC, there doesn't appear to exist a separate REALLOC block kind, instead we seem to reuse MALLOC one when encoding realloc calls (AllocKind::Realloc) into SMT expressions:

alive2/ir/instr.cpp

Lines 2774 to 2775 in 2cb1034

	auto [p_new, allocated]
	= m.alloc(&size, getAlign(), Memory::MALLOC, np_size, nonnull);

[antoniofrighetto]

I’m experiencing the following false positive for test attrs/allocsize.srctgt.ll:

declare ptr @my_malloc(i32) allocsize(0)

define ptr @src() {
#0:
  %p = call ptr @my_malloc(i32 23) allocsize(0)
  ret ptr %p
}
=>
declare ptr @my_malloc(i32) allocsize(0)

define ptr @tgt() {
#0:
  %p = call ptr @my_malloc(i32 23) dereferenceable_or_null(23) allocsize(0)
  ret ptr %p
}


src_state.getReturnErrno():
(ite (or malloc_never_fails |#alloc_nondet_nonnull!3|)
     errno_init
     |#malloc_errno!4|)



tgt_state.getReturnErrno():
(ite (or malloc_never_fails |#alloc_nondet_nonnull!6|)
     errno_init
     |#malloc_errno!7|)

Transformation doesn't verify!

ERROR: Mismatch in errno at return

Possibly we shouldn’t use fresh unique symbolic variables for malloc_errno: I tried switching from using mkFreshVar w/ addNonDetVar to using the dedicated helper getFreshNondetVar instead. This fixes this issue but in doing so we don’t ; ERROR: Mismatch in errno at return anymore for the two new added tests (so we allow the refinement as valid). Any idea on what I'm missing?

[regehr]

this is super cool, I never thought about errno being something special we'd need to handle!

[nunoplopes]

this is not the expected behavior. LLVM wants to allow removal of allocation functions.

This is annoying, maybe we need to model alloc functions as written to errno only non-deterministically?

@RalfJung @nikic

[RalfJung]

We generally consider allocation functions to only be called non-deterministically I think -- see llvm/llvm-project#177592.

[nunoplopes]

instead of mkUInt, you can use errno_val.
I would also move this call inside mkIf_fold to avoid creating the expression altogether

[nunoplopes]

you can use the std::variant trick above to keep a DisjointExpr during state execution. This can shrink final expr size.

[antoniofrighetto]

Done, thanks (I originally thought this wasn't necessary for a simple smt::expr).

[RalfJung]

An attempt to handle errno in order to prevent Alive2 from treating store-to-load forwarding as valid refinements, if may alias errno.

What makes errno special here?

[antoniofrighetto]

An attempt to handle errno in order to prevent Alive2 from treating store-to-load forwarding as valid refinements, if may alias errno.

What makes errno special here?

I think, per se, nothing makes errno semantically special here, it's just observable global state. Currently, Alive2 treats malloc has side-effect-free wrt errno, meaning that folding %v to 0 here:

store i32 0, ptr %p
call ptr @malloc(i64 INT64_MAX) ; may set errno
%v = load i32, ptr %p

would be allowed; except that it should not, as %p may happen to alias errno. On a discussion with Nuno, this may be modelled with varying fidelity. Particularly, it was determined to use a single symbolic variable (malloc_failure), and have every failed allocation set errno to such a variable. This RFC shows how errno, now part of MemoryEffects, is in the process of being modelled in LLVM.

[RalfJung]

So the idea is that errno is the only global state observable by the program that malloc is allowed to mutate, and it may also only be mutated on allocation failure (and presumably, malloc is never allowed to itself observe errno, it can only be indiscriminantly overwritten)?

[antoniofrighetto]

Yes, this at least is my understanding. malloc will start, hopefully, being declared as memory(inaccessiblemem: readwrite, errnomem: write) some time soon in LLVM: the inaccessiblemem part is memory outside the control of LLVM, and errno should be the only program global-visibile state malloc may mutate (and, indeed, from the new annotation, malloc should only be allowed to write to it).