CN VIP: Update annot tests to use byte rep

Author: dc-mak

.github/workflows/ci.yml

@@ -127,6 +127,14 @@ jobs:
         cd tests; USE_OPAM='' ./run-cn-test-gen.sh
         cd ..
 
+    - name: Run CN VIP CI tests
+      run: |
+        opam switch ${{ matrix.version }}
+        eval $(opam env --switch=${{ matrix.version }})
+        cd tests; USE_OPAM='' ./run-cn-vip.sh
+        cd ..
+
+
     - name: Install Cerberus-CHERI
       if: ${{ matrix.version == '4.14.1' }}
       run: |

tests/cn_vip_testsuite/pointer_arith_algebraic_properties_2_global.annot.c

@@ -7,7 +7,7 @@ int main()
 /*@ accesses x; @*/
 {
   /*CN_VIP*//*@ extract Owned<int>, 1u64; @*/
-#if defined(ANNOT)
+#ifdef ANNOT
   int *p= copy_alloc_id(
     (((uintptr_t)&(x[0])) +
     (((uintptr_t)&(y[1]))-((uintptr_t)&(y[0]))))
@@ -17,8 +17,8 @@ int main()
   int *p=(int*)(((uintptr_t)&(x[0])) +
     (((uintptr_t)&(y[1]))-((uintptr_t)&(y[0]))));
 #endif
-  *p = 11;  // is this free of undefined behaviour?
-  /*CN_VIP*//*@ assert(x[1u64] == 11i32 && *p == 11i32); @*/
+  *p = 11;  // CN VIP UB (no annot)
   //CN_VIP printf("x[1]=%d *p=%d\n",x[1],*p);
+  /*CN_VIP*//*@ assert(x[1u64] == 11i32 && *p == 11i32); @*/
   return 0;
 }

tests/cn_vip_testsuite/pointer_arith_algebraic_properties_3_global.annot.c

@@ -18,9 +18,9 @@ int main()
     (((uintptr_t)&(x[0])) + ((uintptr_t)&(y[1])))
     -((uintptr_t)&(y[0])) );
 #endif
-  *p = 11;  // is this free of undefined behaviour?
+  *p = 11;  // CN VIP UB (no annot)
   //(equivalent to the &x[0]+(&(y[1])-&(y[0])) version?)
-  /*CN_VIP*//*@ assert(x[1u64] == 11i32 && *p == 11i32); @*/
   //CN_VIP printf("x[1]=%d *p=%d\n",x[1],*p);
+  /*CN_VIP*//*@ assert(x[1u64] == 11i32 && *p == 11i32); @*/
   return 0;
 }

tests/cn_vip_testsuite/pointer_copy_user_ctrlflow_bitwise.annot.c

@@ -33,12 +33,12 @@ int main()
     else
       j = j;
   }
-#if defined(ANNOT)
+#ifdef ANNOT
   q = copy_alloc_id(j, &x);
 #else
   q = (int *)j;
 #endif
-  *q = 11; // is this free of undefined behaviour?
-  /*CN_VIP*//*@ assert(*p == 11i32 && *q == 11i32); @*/
+  *q = 11; // CN VIP UB (no annot)
   //CN_VIP printf("*p=%d  *q=%d\n",*p,*q);
+  /*CN_VIP*//*@ assert(*p == 11i32 && *q == 11i32); @*/
 }

tests/cn_vip_testsuite/pointer_from_integer_1ig.annot.c

@@ -10,11 +10,10 @@ void f(uintptr_t i) {
 #if defined(ANNOT)
   int *p = copy_alloc_id(i, &j);
 #else
-  int *p = (int*)i;
+  int *p = (int*)i; // not even round-trip can save this
 #endif
-  /*CN_VIP*//*@ assert ((alloc_id) p == (alloc_id) &j);@*/
   if (p==&j) {
-    *p=7;
+    *p=7; // CN VIP UB (no annot)
     /*CN_VIP*//*@ assert (j == 7i32); @*/
   }
   //CN_VIP printf("j=%d &j=%p\n",j,(void*)&j);

tests/cn_vip_testsuite/pointer_offset_from_int_subtraction_auto_xy.annot.c

@@ -24,12 +24,14 @@ int main() {
   /*CN_VIP*//*@ from_bytes Owned<int*>(&p); @*/
   /*CN_VIP*//*@ from_bytes Owned<int*>(&q); @*/
 #ifdef NO_ROUND_TRIP
-  /*CN_VIP*/p = copy_alloc_id((uintptr_t)p, &y);
+#ifdef ANNOT
+  /*CN_VIP*/p = copy_alloc_id((uintptr_t)p, &y); // p has empty prov outside of annot
+#endif
   /*CN_VIP*/q = copy_alloc_id((uintptr_t)q, &y); // for *q in assertion
 #endif
   if (result == 0) {
-    *p = 11; // is this free of UB?
-    /*CN_VIP*//*@ assert (x == 1i32 && y == 11i32 && *p == 11i32 && *q == 11i32); @*/
+    *p = 11; // CN VIP UB (no annot)
     //CN_VIP printf("x=%d y=%d *p=%d *q=%d\n",x,y,*p,*q);
+    /*CN_VIP*//*@ assert(x == 1i32 && y == 11i32 && *p == 11i32 && *q == 11i32); @*/
   }
 }

tests/cn_vip_testsuite/pointer_offset_from_int_subtraction_auto_yx.annot.c

@@ -20,16 +20,18 @@ int main() {
   int *q = &y;
   /*CN_VIP*//*@ to_bytes Owned<int*>(&p); @*/
   /*CN_VIP*//*@ to_bytes Owned<int*>(&q); @*/
-  int result = _memcmp((unsigned char*)&p, (unsigned char*)&q, sizeof(p));
+  /*CN_VIP*/int result = _memcmp((unsigned char *)&p, (unsigned char *)&q, sizeof(p));
   /*CN_VIP*//*@ from_bytes Owned<int*>(&p); @*/
   /*CN_VIP*//*@ from_bytes Owned<int*>(&q); @*/
 #ifdef NO_ROUND_TRIP
-  /*CN_VIP*/p = copy_alloc_id((uintptr_t)p, &y);
+#ifdef ANNOT
+  /*CN_VIP*/p = copy_alloc_id((uintptr_t)p, &y); // p has empty prov outside of annot
+#endif
   /*CN_VIP*/q = copy_alloc_id((uintptr_t)q, &y); // for *q in assertion
 #endif
   if (result == 0) {
-    *p = 11; // is this free of UB?
+    *p = 11; // CN VIP UB (no annot)
     //CN_VIP printf("x=%d y=%d *p=%d *q=%d\n",x,y,*p,*q);
-    /*CN_VIP*/ /*@ assert(x == 1i32 && y == 11i32 && *p == 11i32 && *q == 11i32); @*/
+    /*CN_VIP*//*@ assert(x == 1i32 && y == 11i32 && *p == 11i32 && *q == 11i32); @*/
   }
 }

tests/cn_vip_testsuite/pointer_offset_from_int_subtraction_global_xy.annot.c

@@ -22,16 +22,18 @@ int main()
   int *q = &y;
   /*CN_VIP*//*@ to_bytes Owned<int*>(&p); @*/
   /*CN_VIP*//*@ to_bytes Owned<int*>(&q); @*/
-  /*CN_VIP*/int result = _memcmp((unsigned char*)&p, (unsigned char*)&q, sizeof(p));
+  /*CN_VIP*/int result = _memcmp((unsigned char *)&p, (unsigned char *)&q, sizeof(p));
   /*CN_VIP*//*@ from_bytes Owned<int*>(&p); @*/
   /*CN_VIP*//*@ from_bytes Owned<int*>(&q); @*/
 #ifdef NO_ROUND_TRIP
-  /*CN_VIP*/p = copy_alloc_id((uintptr_t)p, &y);
+#ifdef ANNOT
+  /*CN_VIP*/p = copy_alloc_id((uintptr_t)p, &y); // p has empty prov outside of annot
+#endif
   /*CN_VIP*/q = copy_alloc_id((uintptr_t)q, &y); // for *q in assertion
 #endif
   if (result == 0) {
-    *p = 11; // is this free of UB?
+    *p = 11; // CN VIP UB (no annot)
     //CN_VIP printf("x=%d y=%d *p=%d *q=%d\n",x,y,*p,*q);
-    /*@ assert (x == 1i32 && y == 11i32 && *p == 11i32 && *q == 11i32); @*/
+    /*CN_VIP*//*@ assert(x == 1i32 && y == 11i32 && *p == 11i32 && *q == 11i32); @*/
   }
 }

tests/cn_vip_testsuite/pointer_offset_from_int_subtraction_global_yx.annot.c

@@ -20,19 +20,20 @@ int main()
   int *p = (int *)(ux + offset);
 #endif
   int *q = &y;
-
   /*CN_VIP*//*@ to_bytes Owned<int*>(&p); @*/
   /*CN_VIP*//*@ to_bytes Owned<int*>(&q); @*/
-  /*CN_VIP*/int result = _memcmp((unsigned char*)&p, (unsigned char*)&q, sizeof(p));
+  /*CN_VIP*/int result = _memcmp((unsigned char *)&p, (unsigned char *)&q, sizeof(p));
   /*CN_VIP*//*@ from_bytes Owned<int*>(&p); @*/
   /*CN_VIP*//*@ from_bytes Owned<int*>(&q); @*/
 #ifdef NO_ROUND_TRIP
-  /*CN_VIP*/p = copy_alloc_id((uintptr_t)p, &y);
+#ifdef ANNOT
+  /*CN_VIP*/p = copy_alloc_id((uintptr_t)p, &y); // p has empty prov outside of annot
+#endif
   /*CN_VIP*/q = copy_alloc_id((uintptr_t)q, &y); // for *q in assertion
 #endif
   if (result == 0) {
-    *p = 11; // is this free of UB?
+    *p = 11; // CN VIP UB (no annot)
     //CN_VIP printf("x=%d y=%d *p=%d *q=%d\n",x,y,*p,*q);
-    /*CN_VIP*/ /*@ assert(x == 1i32 && y == 11i32 && *p == 11i32 && *q == 11i32); @*/
+    /*CN_VIP*//*@ assert(x == 1i32 && y == 11i32 && *p == 11i32 && *q == 11i32); @*/
   }
 }

tests/cn_vip_testsuite/pointer_offset_xor_auto.annot.c

@@ -13,11 +13,11 @@ int main() {
 #if defined(ANNOT)
   int *r = copy_alloc_id(l, q);
 #else
-  int *r = (int *)l;
+  int *r = (int *)l; // VIP roundtrip provenance is not preserved via operations
 #endif
   // are r and q now equivalent?
-  *r = 11;     // does this have defined behaviour?
+  *r = 11;     // CN VIP UB (no annot)
   _Bool b = (r==q);
-  /*CN_VIP*//*@ assert (x == 1i32 && y == 11i32 && *r == 11i32 && b == 1u8); @*/
   //CN_VIP printf("x=%i y=%i *r=%i (r==p)=%s\n",x,y,*r, b?"true":"false");
+  /*CN_VIP*//*@ assert(x == 1i32 && y == 11i32 && *r == 11i32 && b == 1u8); @*/
 }

tests/cn_vip_testsuite/pointer_offset_xor_global.annot.c

@@ -19,8 +19,8 @@ int main()
   int *r = (int *)l;
 #endif
   // are r and q now equivalent?
-  *r = 11;     // does this have defined behaviour?
+  *r = 11;     // CN VIP UB (no annot)
   _Bool b = (r==q);
-  /*CN_VIP*//*@ assert (x == 1i32 && y == 11i32 && *r == 11i32 && b == 1u8); @*/
   //CN_VIP printf("x=%i y=%i *r=%i (r==p)=%s\n",x,y,*r, b?"true":"false");
+  /*CN_VIP*//*@ assert(x == 1i32 && y == 11i32 && *r == 11i32 && b == 1u8); @*/
 }

tests/cn_vip_testsuite/provenance_basic_using_uintptr_t_auto_yx.annot.c

@@ -7,6 +7,8 @@
 #include "cn_lemmas.h"
 int main() {
   int y=2, x=1;
+  
+
   uintptr_t ux = (uintptr_t)&x;
   uintptr_t uy = (uintptr_t)&y;
   uintptr_t offset = 4;
@@ -26,12 +28,14 @@ int main() {
   /*CN_VIP*//*@ from_bytes Owned<int*>(&p); @*/
   /*CN_VIP*//*@ from_bytes Owned<int*>(&q); @*/
 #ifdef NO_ROUND_TRIP
+#ifdef ANNOT
   /*CN_VIP*/p = copy_alloc_id((uintptr_t)p, &y);
+#endif
   /*CN_VIP*/q = copy_alloc_id((uintptr_t)q, &y); // for *q in assertion
 #endif
   if (result == 0) {
-    *p = 11; // does this have undefined behaviour?
-    /*CN_VIP*//*@ assert(x == 1i32 && y == 11i32 && *p == 11i32 && *q == 11i32); @*/
+    *p = 11; // CN VIP UB (no annot)
     //CN_VIP printf("x=%d  y=%d  *p=%d  *q=%d\n",x,y,*p,*q);
+    /*CN_VIP*//*@ assert(x == 1i32 && y == 11i32 && *p == 11i32 && *q == 11i32); @*/
   }
 }

tests/cn_vip_testsuite/provenance_basic_using_uintptr_t_global_yx.annot.c

@@ -14,7 +14,7 @@ int main()
   uintptr_t offset = 4;
   ux = ux + offset;
   /*@ apply assert_equal((u64) ux, uy); @*/
-#if defined(ANNOT)
+#ifdef ANNOT
   int *p = copy_alloc_id(ux, &y);
 #else
   int *p = (int *)ux; // does this have undefined behaviour?
@@ -28,12 +28,14 @@ int main()
   /*CN_VIP*//*@ from_bytes Owned<int*>(&p); @*/
   /*CN_VIP*//*@ from_bytes Owned<int*>(&q); @*/
 #ifdef NO_ROUND_TRIP
+#ifdef ANNOT
   /*CN_VIP*/p = copy_alloc_id((uintptr_t)p, &y);
+#endif
   /*CN_VIP*/q = copy_alloc_id((uintptr_t)q, &y); // for *q in assertion
 #endif
   if (result == 0) {
-    *p = 11; // does this have undefined behaviour?
-    /*CN_VIP*//*@ assert(x == 1i32 && y == 11i32 && *p == 11i32 && *q == 11i32); @*/
+    *p = 11; // CN VIP UB (no annot)
     //CN_VIP printf("x=%d  y=%d  *p=%d  *q=%d\n",x,y,*p,*q);
+    /*CN_VIP*//*@ assert(x == 1i32 && y == 11i32 && *p == 11i32 && *q == 11i32); @*/
   }
 }

tests/cn_vip_testsuite/provenance_lost_escape_1.annot.c

@@ -14,7 +14,7 @@ int main()
   uintptr_t i2 = i1 & 0x00000000FFFFFFFF;//
   uintptr_t i3 = i2 & 0xFFFFFFFF00000000;// (@1,0x0)
   uintptr_t i4 = i3 + ADDR_PLE_1;        // (@1,ADDR_PLE_1)
-  /*@ apply assert_equal(i4, (u64)&x); @*/
+  /*CN_VIP*//*@ apply assert_equal(i4, (u64)&x); @*/
 #ifdef ANNOT
   int *q = copy_alloc_id(i4, p);
 #else
@@ -27,8 +27,8 @@ int main()
   /*CN_VIP*//*@ from_bytes Owned<uintptr_t>(&i1); @*/
   /*CN_VIP*//*@ from_bytes Owned<uintptr_t>(&i4); @*/
   if (result == 0) {
-    *q = 11;  // does this have defined behaviour?
-    /*CN_VIP*//*@ assert(x == 11i32 && *p == 11i32 && *q == 11i32); @*/
+    *q = 11;  // CN VIP UB (no annot)
     //CN_VIP printf("x=%d *p=%d *q=%d\n",x,*p,*q);
+    /*CN_VIP*//*@ assert(x == 11i32 && *p == 11i32 && *q == 11i32); @*/
   }
 }

tests/cn_vip_testsuite/provenance_tag_bits_via_uintptr_t_1.annot.c

@@ -17,22 +17,22 @@ int main()
   // construct an integer like &x with low-order bit set
   i = i | 1u;
   // cast back to a pointer
-#if defined(ANNOT)
+#ifdef ANNOT
   int *q = copy_alloc_id(i, p);
 #else
   int *q = (int *) i; // does this have defined behaviour?
 #endif
   // cast to integer and mask out the low-order two bits
   uintptr_t j = ((uintptr_t)q) & ~((uintptr_t)3u);
   // cast back to a pointer
-#if defined(ANNOT)
+#ifdef ANNOT
   int *r = copy_alloc_id(j, p);
 #else
   int *r = (int *) j;
 #endif
   // are r and p now equivalent?
-  *r = 11;           //  does this have defined behaviour?
+  *r = 11;           //  CN VIP UB (no annot)
   _Bool b = (r==p);  //  is this true?
-  /*CN_VIP*//*@ assert (x == 11i32 && *r == 11i32 && b == 1u8); @*/
   //CN_VIP printf("x=%i *r=%i (r==p)=%s\n",x,*r,b?"true":"false");
+  /*CN_VIP*//*@ assert(x == 11i32 && *r == 11i32 && b == 1u8); @*/
 }

tests/run-cn-vip.sh

@@ -33,7 +33,7 @@ function exits_with_code() {
   local -a expected_exit_codes=$3
 
   printf "[$file]...\n"
-  timeout 15 ${action} "$file"
+  timeout 35 ${action} "$file" &> /dev/null
   local result=$?
 
   for code in "${expected_exit_codes[@]}"; do
@@ -51,32 +51,48 @@ DIRNAME=$(dirname "$0")
 
 SUCC=$(
     find $DIRNAME/cn_vip_testsuite -name '*.c' \
+        \! -name '*union*.c' \
+        \! -name '*.unprovable.c' \
         \! -name '*.annot.c' \
         \! -name '*.error.c' \
 )
-FAIL=$(find $DIRNAME/cn_vip_testsuite -name '*.error.c')
+UNION=$(find $DIRNAME/cn_vip_testsuite -name '*union*.c')
+UNPROV=$(find $DIRNAME/cn_vip_testsuite -name '*.unprovable.c' \
+    \! -name 'pointer_copy_user_ctrlflow_bytewise.unprovable.c')
+    # this test hits a CN performance bug
+FAIL=$(find $DIRNAME/cn_vip_testsuite -name '*.error.c' \! -name '*union*.c')
 ANNOT=$(find $DIRNAME/cn_vip_testsuite -name '*.annot.c')
 
 FAILED=''
 
-# for TEST in ${SUCC} ${ANNOT}; do
-#   if ! exits_with_code "cn verify -DVIP -DANNOT -DNO_ROUND_TRIP --solver-type=cvc5" "${TEST}" 0; then
-#       FAILED+=" ${TEST}"
-#   fi
-# done
-
-# TODO add below with both -DNON_DET_TRUE and -DNON_DET_FALSE
-# provenance_equality_auto_yx.c
-# provenance_equality_global_fn_yx.c
-# provenance_equality_global_yx.c
+for TEST in ${SUCC} ${ANNOT}; do
+  if ! exits_with_code "cn verify -DVIP -DANNOT -DNO_ROUND_TRIP --solver-type=cvc5" "${TEST}" 0; then
+      FAILED+=" ${TEST}"
+  fi
+done
 
-for TEST in $FAIL $ANNOT
-do
-  if ! exits_with_code "cn verify -DNO_ROUND_TRIP --solver-type=cvc5" "${TEST}" 1; then
+for TEST in $FAIL $ANNOT $UNPROV; do
+  if ! exits_with_code "cn verify -DVIP -DNO_ROUND_TRIP --solver-type=cvc5" "${TEST}" 1; then
       FAILED+=" ${TEST}"
   fi
 done
 
+
+NON_DET=(
+ $DIRNAME/provenance_equality_auto_yx.c \
+ $DIRNAME/provenance_equality_global_fn_yx.c \
+ $DIRNAME/provenance_equality_global_yx.c \
+)
+
+for TEST in $NON_DET; do
+    if ! exits_with_code "cn verify -DVIP -DNO_ROUND_TRIP -DNON_DET_TRUE --solver-type=cvc5" "${TEST}" 1; then
+        FAILED+=" ${TEST} (nd. true)"
+    fi
+    if ! exits_with_code "cn verify -DVIP -DNO_ROUND_TRIP -DNON_DET_FALSE --solver-type=cvc5" "${TEST}" 1; then
+        FAILED+=" ${TEST} (nd. false)"
+    fi
+done
+
 if [ -z "${FAILED}" ]; then
   exit 0
 else
@@ -85,4 +101,3 @@ else
 fi
 
 
-