CN VIP: Update failures tests to use byte rep

Author: dc-mak

backend/cn/lib/check.ml

@@ -1406,9 +1406,10 @@ let rec check_expr labels (e : BT.t Mu.expr) (k : IT.t -> unit m) : unit m =
                 | Array (item_ty, _) -> Memory.size_of_ctype item_ty
                 | ct -> Memory.size_of_ctype ct
               in
+              let ub = CF.Undefined.UB048_disjoint_array_pointers_subtraction in
+              let@ () = check_both_eq_alloc loc arg1 arg2 ub in
               let ub_unspec = CF.Undefined.UB_unspec_pointer_sub in
               let ub = CF.Undefined.(UB_CERB004_unspecified ub_unspec) in
-              let@ () = check_both_eq_alloc loc arg1 arg2 ub in
               let@ () =
                 check_live_alloc_bounds `Ptr_diff loc arg1 ub (both_in_bounds arg1 arg2)
               in

tests/cn_vip_testsuite/cheri_03_ii.error.c

@@ -3,7 +3,7 @@ int main() {
   int x[2];
   int *p = &x[0];
   //is this free of undefined behaviour?
-  int *q = p + 11;
+  int *q = p + 11; // CN VIP UB
   q = q - 10;
   *q = 1;
   //CN_VIP printf("x[1]=%i  *q=%i\n",x[1],*q);

tests/cn_vip_testsuite/cn_lemmas.h

@@ -1,98 +1,3 @@
-unsigned char* block_int_ptr_to_block_uchar_arr(int **addr_p)
-/*@
-trusted;
-
-requires
-    take P = Block<int*>(addr_p);
-
-ensures
-    ptr_eq(return, addr_p);
-    take B = Block<unsigned char[sizeof(int*)]>(return);
-@*/
-{
-    return (unsigned char*)addr_p;
-}
-unsigned char* owned_int_ptr_to_owned_uchar_arr(int **addr_p)
-/*@
-trusted;
-
-requires
-    take P = Owned<int*>(addr_p);
-
-ensures
-    ptr_eq(return, addr_p);
-    take B = Owned<unsigned char[(sizeof(int*))]>(return);
-    (u64) P == shift_left((u64)B[7u64], 56u64)
-                + shift_left((u64)B[6u64], 48u64)
-                + shift_left((u64)B[5u64], 40u64)
-                + shift_left((u64)B[4u64], 32u64)
-                + shift_left((u64)B[3u64], 24u64)
-                + shift_left((u64)B[2u64], 16u64)
-                + shift_left((u64)B[1u64], 8u64)
-                + (u64)B[0u64];
-@*/
-{
-    return (unsigned char*)addr_p;
-}
-
-unsigned char* owned_uintptr_t_to_owned_uchar_arr(uintptr_t *addr_p)
-/*@
-trusted;
-
-requires
-    take P = Owned<uintptr_t>(addr_p);
-
-ensures
-    ptr_eq(return, addr_p);
-    take B = Owned<unsigned char[(sizeof(uintptr_t))]>(return);
-    (u64) P == shift_left((u64)B[7u64], 56u64)
-                + shift_left((u64)B[6u64], 48u64)
-                + shift_left((u64)B[5u64], 40u64)
-                + shift_left((u64)B[4u64], 32u64)
-                + shift_left((u64)B[3u64], 24u64)
-                + shift_left((u64)B[2u64], 16u64)
-                + shift_left((u64)B[1u64], 8u64)
-                + (u64)B[0u64];
-@*/
-{
-    return (unsigned char*)addr_p;
-}
-/*@
-lemma byte_ptr_to_int_ptr_ptr(pointer addr_p)
-
-requires
-    take B = Owned<unsigned char[(sizeof(int*))]>(addr_p);
-
-ensures
-    take P = Owned<int*>(addr_p);
-    (u64) P == shift_left((u64)B[7u64], 56u64)
-                + shift_left((u64)B[6u64], 48u64)
-                + shift_left((u64)B[5u64], 40u64)
-                + shift_left((u64)B[4u64], 32u64)
-                + shift_left((u64)B[3u64], 24u64)
-                + shift_left((u64)B[2u64], 16u64)
-                + shift_left((u64)B[1u64], 8u64)
-                + (u64)B[0u64];
-@*/
-
-/*@
-lemma byte_ptr_to_uintptr_t(pointer addr_p)
-
-requires
-    take B = Owned<unsigned char[(sizeof(uintptr_t))]>(addr_p);
-
-ensures
-    take P = Owned<uintptr_t>(addr_p);
-    (u64) P == shift_left((u64)B[7u64], 56u64)
-                + shift_left((u64)B[6u64], 48u64)
-                + shift_left((u64)B[5u64], 40u64)
-                + shift_left((u64)B[4u64], 32u64)
-                + shift_left((u64)B[3u64], 24u64)
-                + shift_left((u64)B[2u64], 16u64)
-                + shift_left((u64)B[1u64], 8u64)
-                + (u64)B[0u64];
-@*/
-
 /*@
 lemma byte_arrays_equal(pointer x, pointer y, u64 n)
 
@@ -151,4 +56,3 @@ requires
 ensures
     x == y;
 @*/
-

tests/cn_vip_testsuite/pointer_copy_user_dataflow_direct_bytewise.unprovable.c tests/cn_vip_testsuite/pointer_copy_user_dataflow_direct_bytewise.c

@@ -13,20 +13,31 @@ int main()
   int *q = &y;
   uintptr_t i = (uintptr_t)p;
   uintptr_t j = (uintptr_t)q;
-  /*CN_VIP*/unsigned char* p_bytes = owned_int_ptr_to_owned_uchar_arr(&p);
-  /*CN_VIP*/unsigned char* q_bytes = owned_int_ptr_to_owned_uchar_arr(&q);
-  /*CN_VIP*/int result = _memcmp(p_bytes, q_bytes, sizeof(p));
-  /*CN_VIP*//*@ apply byte_ptr_to_int_ptr_ptr(p_bytes); @*/
-  /*CN_VIP*//*@ apply byte_ptr_to_int_ptr_ptr(q_bytes); @*/
+  /*CN_VIP*//*@ to_bytes Owned<int*>(&p); @*/
+  /*CN_VIP*//*@ to_bytes Owned<int*>(&q); @*/
+  /*CN_VIP*/int result = _memcmp((unsigned char*)&p, (unsigned char*)&q, sizeof(p));
+  /*CN_VIP*//*@ from_bytes Owned<int*>(&p); @*/
+  /*CN_VIP*//*@ from_bytes Owned<int*>(&q); @*/
+#ifdef NO_ROUND_TRIP
+  /*CN_VIP*/p = copy_alloc_id((uintptr_t)p, &x);
+  /*CN_VIP*/q = copy_alloc_id((uintptr_t)q, &y);
+#endif
   if (result == 0) {
-#if defined(ANNOT)
-    int *r = copy_alloc_id(i, q);
-#else
+#ifdef ANNOT
+    int *r = copy_alloc_id(i, q); // CN VIP UB if ¬NO_ROUND_TRIP & ANNOT
+# else
     int *r = (int *)i;
+#ifdef NO_ROUND_TRIP
+    /*CN_VIP*/r = copy_alloc_id((uintptr_t)r, p);
+#endif
 #endif
-    *r=11;
-    r=r-1;  // is this free of UB?
-    *r=12;  // and this?
+    *r=11;  // CN VIP UB if ¬ANNOT
+    r=r-1;  // CN VIP UB if NO_ROUND TRIP && ANNOT
+    *r=12;
     //CN_VIP printf("x=%d y=%d *q=%d *r=%d\n",x,y,*q,*r);
   }
 }
+
+/* NOTE: see tests/pvni_testsuite for why what
+   vip_artifact/evaluation_cerberus/results.pdf expects for this test is probably
+   wrong. */

tests/cn_vip_testsuite/pointer_from_int_disambiguation_3.error.c

@@ -7,15 +7,18 @@ int main() {
   int x=1, y=2;
   int *p = &x;
   int *q = &y;
-  ptrdiff_t offset = q - p;
+  ptrdiff_t offset = q - p; // CN VIP UB
   int *r = p + offset;
-  /*CN_VIP*/unsigned char* r_bytes = owned_int_ptr_to_owned_uchar_arr(&r);
-  /*CN_VIP*/unsigned char* q_bytes = owned_int_ptr_to_owned_uchar_arr(&q);
-  /*CN_VIP*/int result = _memcmp(r_bytes, q_bytes, sizeof(r));
-  /*CN_VIP*//*@ apply byte_ptr_to_int_ptr_ptr(r_bytes); @*/
-  /*CN_VIP*//*@ apply byte_ptr_to_int_ptr_ptr(q_bytes); @*/
+  /*CN_VIP*//*@ to_bytes Owned<int*>(&r); @*/
+  /*CN_VIP*//*@ to_bytes Owned<int*>(&q); @*/
+  /*CN_VIP*/int result = _memcmp((unsigned char*)&r, (unsigned char*)&q, sizeof(r));
+  /*CN_VIP*//*@ from_bytes Owned<int*>(&r); @*/
+  /*CN_VIP*//*@ from_bytes Owned<int*>(&q); @*/
+#ifdef NO_ROUND_TRIP
+  /*CN_VIP*/r = __cerbvar_copy_alloc_id((uintptr_t)r, &x);
+#endif
   if (result == 0) {
-    *r = 11; // is this free of UB?
+    *r = 11;
     //CN_VIP printf("y=%d *q=%d *r=%d\n",y,*q,*r);
   }
 }

tests/cn_vip_testsuite/pointer_offset_from_ptr_subtraction_auto_xy.error.c

@@ -7,15 +7,18 @@ int main() {
   int y=2, x=1;
   int *p = &x;
   int *q = &y;
-  ptrdiff_t offset = q - p;
+  ptrdiff_t offset = q - p; // CN VIP UB
   int *r = p + offset;
-  /*CN_VIP*/unsigned char* r_bytes = owned_int_ptr_to_owned_uchar_arr(&r);
-  /*CN_VIP*/unsigned char* q_bytes = owned_int_ptr_to_owned_uchar_arr(&q);
-  /*CN_VIP*/int result = _memcmp(r_bytes, q_bytes, sizeof(r));
-  /*CN_VIP*//*@ apply byte_ptr_to_int_ptr_ptr(r_bytes); @*/
-  /*CN_VIP*//*@ apply byte_ptr_to_int_ptr_ptr(q_bytes); @*/
+  /*CN_VIP*//*@ to_bytes Owned<int*>(&r); @*/
+  /*CN_VIP*//*@ to_bytes Owned<int*>(&q); @*/
+  /*CN_VIP*/int result = _memcmp((unsigned char*)&r, (unsigned char*)&q, sizeof(r));
+  /*CN_VIP*//*@ from_bytes Owned<int*>(&r); @*/
+  /*CN_VIP*//*@ from_bytes Owned<int*>(&q); @*/
+#ifdef NO_ROUND_TRIP
+  /*CN_VIP*/r = __cerbvar_copy_alloc_id((uintptr_t)r, &x);
+#endif
   if (result == 0) {
-    *r = 11; // is this free of UB?
+    *r = 11;
     //CN_VIP printf("y=%d *q=%d *r=%d\n",y,*q,*r);
   }
 }

tests/cn_vip_testsuite/pointer_offset_from_ptr_subtraction_auto_yx.error.c

@@ -5,17 +5,20 @@
 #include "cn_lemmas.h"
 int x=1, y=2;
 int main()
-/*CN_VIP*//*@ accesses y; @*/
+/*CN_VIP*//*@ accesses x; accesses y; @*/
 {
   int *p = &x;
   int *q = &y;
-  ptrdiff_t offset = q - p;
+  ptrdiff_t offset = q - p; // CN VIP UB
   int *r = p + offset;
-  /*CN_VIP*/unsigned char* r_bytes = owned_int_ptr_to_owned_uchar_arr(&r);
-  /*CN_VIP*/unsigned char* q_bytes = owned_int_ptr_to_owned_uchar_arr(&q);
-  /*CN_VIP*/int result = _memcmp(r_bytes, q_bytes, sizeof(r));
-  /*CN_VIP*//*@ apply byte_ptr_to_int_ptr_ptr(r_bytes); @*/
-  /*CN_VIP*//*@ apply byte_ptr_to_int_ptr_ptr(q_bytes); @*/
+  /*CN_VIP*//*@ to_bytes Owned<int*>(&r); @*/
+  /*CN_VIP*//*@ to_bytes Owned<int*>(&q); @*/
+  /*CN_VIP*/int result = _memcmp((unsigned char*)&r, (unsigned char*)&q, sizeof(r));
+  /*CN_VIP*//*@ from_bytes Owned<int*>(&r); @*/
+  /*CN_VIP*//*@ from_bytes Owned<int*>(&q); @*/
+#ifdef NO_ROUND_TRIP
+  /*CN_VIP*/r = __cerbvar_copy_alloc_id((uintptr_t)r, &x);
+#endif
   if (result == 0) {
     *r = 11; // is this free of UB?
     //CN_VIP printf("y=%d *q=%d *r=%d\n",y,*q,*r);

tests/cn_vip_testsuite/pointer_offset_from_ptr_subtraction_global_xy.error.c

@@ -5,17 +5,20 @@
 #include "cn_lemmas.h"
 int y=2, x=1;
 int main()
-/*CN_VIP*//*@ accesses y; @*/
+/*CN_VIP*//*@ accesses x; accesses y; @*/
 {
   int *p = &x;
   int *q = &y;
-  ptrdiff_t offset = q - p;
+  ptrdiff_t offset = q - p; // CN VIP UB
   int *r = p + offset;
-  /*CN_VIP*/unsigned char* r_bytes = owned_int_ptr_to_owned_uchar_arr(&r);
-  /*CN_VIP*/unsigned char* q_bytes = owned_int_ptr_to_owned_uchar_arr(&q);
-  /*CN_VIP*/int result = _memcmp(r_bytes, q_bytes, sizeof(r));
-  /*CN_VIP*//*@ apply byte_ptr_to_int_ptr_ptr(r_bytes); @*/
-  /*CN_VIP*//*@ apply byte_ptr_to_int_ptr_ptr(q_bytes); @*/
+  /*CN_VIP*//*@ to_bytes Owned<int*>(&r); @*/
+  /*CN_VIP*//*@ to_bytes Owned<int*>(&q); @*/
+  /*CN_VIP*/int result = _memcmp((unsigned char*)&r, (unsigned char*)&q, sizeof(r));
+  /*CN_VIP*//*@ from_bytes Owned<int*>(&r); @*/
+  /*CN_VIP*//*@ from_bytes Owned<int*>(&q); @*/
+#ifdef NO_ROUND_TRIP
+  /*CN_VIP*/r = __cerbvar_copy_alloc_id((uintptr_t)r, &x);
+#endif
   if (result == 0) {
     *r = 11; // is this free of UB?
     //CN_VIP printf("y=%d *q=%d *r=%d\n",y,*q,*r);

tests/cn_vip_testsuite/pointer_offset_from_ptr_subtraction_global_yx.error.c

@@ -7,13 +7,16 @@ int main() {
   int *p = &x + 1;
   int *q = &y;
   //CN_VIP printf("Addresses: p=%p q=%p\n",(void*)p,(void*)q);
-  /*CN_VIP*/unsigned char* p_bytes = owned_int_ptr_to_owned_uchar_arr(&p);
-  /*CN_VIP*/unsigned char* q_bytes = owned_int_ptr_to_owned_uchar_arr(&q);
-  /*CN_VIP*/int result = _memcmp(p_bytes, q_bytes, sizeof(p));
-  /*CN_VIP*//*@ apply byte_ptr_to_int_ptr_ptr(p_bytes); @*/
-  /*CN_VIP*//*@ apply byte_ptr_to_int_ptr_ptr(q_bytes); @*/
+  /*CN_VIP*//*@ to_bytes Owned<int*>(&p); @*/
+  /*CN_VIP*//*@ to_bytes Owned<int*>(&q); @*/
+  /*CN_VIP*/int result = _memcmp((unsigned char*)&p, (unsigned char*)&q, sizeof(p));
+  /*CN_VIP*//*@ from_bytes Owned<int*>(&p); @*/
+  /*CN_VIP*//*@ from_bytes Owned<int*>(&q); @*/
+#ifdef NO_ROUND_TRIP
+  /*CN_VIP*/p = __cerbvar_copy_alloc_id((uintptr_t)p, &x);
+#endif
   if (result == 0) {
-    *p = 11;  // does this have undefined behaviour?
+    *p = 11;  // CN VIP UB
     //CN_VIP printf("x=%d y=%d *p=%d *q=%d\n",x,y,*p,*q);
   }
 }

tests/cn_vip_testsuite/provenance_basic_auto_yx.error.c

@@ -4,18 +4,21 @@
 #include "cn_lemmas.h"
 int y=2, x=1;
 int main()
-/*CN_VIP*//*@ accesses y; @*/
+/*CN_VIP*//*@ accesses x; accesses y; @*/
 {
   int *p = &x + 1;
   int *q = &y;
   //CN_VIP printf("Addresses: p=%p q=%p\n",(void*)p,(void*)q);
-  /*CN_VIP*/unsigned char* p_bytes = owned_int_ptr_to_owned_uchar_arr(&p);
-  /*CN_VIP*/unsigned char* q_bytes = owned_int_ptr_to_owned_uchar_arr(&q);
-  /*CN_VIP*/int result = _memcmp(p_bytes, q_bytes, sizeof(p));
-  /*CN_VIP*//*@ apply byte_ptr_to_int_ptr_ptr(p_bytes); @*/
-  /*CN_VIP*//*@ apply byte_ptr_to_int_ptr_ptr(q_bytes); @*/
+  /*CN_VIP*//*@ to_bytes Owned<int*>(&p); @*/
+  /*CN_VIP*//*@ to_bytes Owned<int*>(&q); @*/
+  /*CN_VIP*/int result = _memcmp((unsigned char *)&p, (unsigned char*)&q, sizeof(p));
+  /*CN_VIP*//*@ from_bytes Owned<int*>(&p); @*/
+  /*CN_VIP*//*@ from_bytes Owned<int*>(&q); @*/
+#ifdef NO_ROUND_TRIP
+  /*CN_VIP*/p = __cerbvar_copy_alloc_id((uintptr_t)p, &x);
+#endif
   if (result == 0) {
-    *p = 11;  // does this have undefined behaviour?
+    *p = 11;  // CN_VIP UB
     //CN_VIP printf("x=%d y=%d *p=%d *q=%d\n",x,y,*p,*q);
   }
 }

tests/cn_vip_testsuite/provenance_basic_global_yx.error.c

@@ -22,3 +22,20 @@ int main() {
     printf("x=%d y=%d *q=%d *r=%d\n",x,y,*q,*r); 
   }
 }
+
+/* NOTE: vip_artifact/evaluation_cerberus/results.pdf expects for this test:
+
+   |----------------------+----------------------+--------------+--------------|
+   | PNVI-ae-udi no annot | PNVI-ae-udi w/ annot | VIP no annot | VIP w/ annot |
+   |----------------------+----------------------+--------------+--------------|
+   | UB: line 19          | UB: line 19          | UB: line 19  | UB: line 20  |
+   |----------------------+----------------------+--------------+--------------|
+
+   This doesn't make sense, because (a) comments don't line up with numbers and (b)
+
+   PNVI-ae-udi no annot: prov is symbolic (one-past int to pointer),
+                         collapses to q on store, so UB on line 20
+   PNVI-ae-udi w/ annot: prov is copy_alloc_id to @q, so UB on line 20
+           VIP no annot: prov is round-trip preserved to @p, so UB on line 19
+           VIP w/ annot: prov is copy_alloc_id @q, so UB on line 20
+*/