Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Strange overflow behaviour #1499

Open
DrMichaelPetter opened this issue Jun 3, 2024 · 4 comments
Open

Strange overflow behaviour #1499

DrMichaelPetter opened this issue Jun 3, 2024 · 4 comments
Labels
bug precision relational Relational analyses (Apron, affeq, lin2var)

Comments

@DrMichaelPetter
Copy link
Collaborator

The following issue popped up when doing intensive sv-comp tests:

//SKIP PARAM:  --enable ana.int.interval --set ana.activated[+] affeq --set sem.int.signed_overflow assume_none
int a;

int main() {
    a = 5;
    a = a + 1 - 1; //NOWARN
    return 0;
}

This test would fail due to eval_int of texpr a evaluating for some mysterious reason to top, and then in the next step being incremented by one, causing the overflow in line 6.

This

  1. happens for affeq as well as lin2vareq; it is revealed during the expression conversion that happens for relationalAnalyses in sharedFunctions, since this does some calls to eval_int
  2. happens only for a being a global variable, disappearing for a local a declaration.

Fixing this will make a few no-overflow tasks in sv-comp solvable for lin2vars and affeqs.

A quick dive into what happens during analysis time revealed some interactions with some a#in and a#out that I do not understand yet, but maybe someone wants to lend a hand.
@DrMichaelPetter DrMichaelPetter added bug precision relational Relational analyses (Apron, affeq, lin2var) labels Jun 3, 2024
@sim642
Copy link
Member

sim642 commented Jun 4, 2024

A quick dive into what happens during analysis time revealed some interactions with some a#in and a#out that I do not understand yet, but maybe someone wants to lend a hand.

My quick guess would be that the overflow handling in relational analyses, which makes those queries, doesn't correctly handle those temporary variables and does queries on a#in, which other analyses know nothing about.

@DrMichaelPetter
Copy link
Collaborator Author

A quick dive into what happens during analysis time revealed some interactions with some a#in and a#out that I do not understand yet, but maybe someone wants to lend a hand.

My quick guess would be that the overflow handling in relational analyses, which makes those queries, doesn't correctly handle those temporary variables and does queries on a#in, which other analyses know nothing about.

That is probably what is happening - the resulting value "top" for an eval_int on a#in etc. is intended, then?

@michael-schwarz
Copy link
Member

The worst parts about his are fixed in aed4cec by setting the speculative flag. However, this is not really a viable long-term solution.

@sim642
Copy link
Member

sim642 commented Jun 12, 2024

There might be some discussion somewhere, but the clean solution would be to move overflow warning generation out of int domain operators themselves and have the new MaySignedOverflow query be used explicitly to generate these warnings.
Int domain operators already return overflow_info in addition to the result, so this could simply be used by MaySignedOverflow.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug precision relational Relational analyses (Apron, affeq, lin2var)
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@sim642 @DrMichaelPetter @michael-schwarz