Better handling of calls to `malloc` wrapped inside functions such as `ldv_malloc`

[michael-schwarz]

This is a follow-up to #119:

A lot of tests in sv-comp wrap calls to malloc into calls to the helper function ldv_malloc. We only have one abstract heap object for all memory allocated via ldv_malloc (as the malloc for these calls is always in the same place), which might be a big source of imprecision.

The easiest solution would be to treat ldv_malloc specially just like we do malloc, but according to @sim642 there are different versions of ldv_malloc with some of them also simulating failing malloc calls while normally we can assume them to succeed in sv-comp.

Another approach would be to have some limited form of context-sensibility specifically for memory allocated inside functions such as ldv_malloc.

[sim642]

The benchmark that I minimized in #119 is also one that explicitly encodes the possibility of failing into ldv_malloc: https://github.com/sosy-lab/sv-benchmarks/blob/f32eef1e13ae15f9ff593374b66ac82a4eed8f49/c/ldv-consumption/32_7a_cilled_linux-3.8-rc1-32_7a-drivers--usb--host--isp1362-hcd.ko-ldv_main0_sequence_infinite_withcheck_stateful.cil.out.i#L3754-L3763. It makes no difference to that crash but it's where I noticed such a thing.

I haven't investigated how common this is, but considering how SV-COMP by default assumes malloc never failing:

malloc(), free(): We assume that the functions malloc and alloca always return a valid pointer, i.e., the memory allocation never fails, and function free always deallocates the memory and makes the pointer invalid for further dereferences.

It seems very likely that benchmarks use wrapper versions which either use malloc directly or add failure to it.

---

EDIT: In that benchmark three more layers of wrapping is potentially added: __kmalloc, kmalloc and kzalloc. Not in all cases but this could still be relevant.

[michael-schwarz]

__kmalloc, kmalloc and kzalloc

I think we handle these already in Goblint.

[sim642]

Oh yeah, I forgot about that. That could be problematic though because as special functions we'd then be assuming they don't fail while if implemented through a possibly failing ldv_malloc or whatever, they actually could. It would make us unsound.

[sim642]

Unsurprisingly, a new unsoundness case in #120 is exactly because of special handling of kzalloc in which the benchmark actually has an error call that we therefore miss.

• ldv-linux-3.16-rc1/43_2a_bitvector_linux-3.16-rc1.tar.xz-43_2a-drivers--media--platform--timblogiw.ko-entry_point.cil.out.i

[michael-schwarz]

Unsurprisingly, a new unsoundness case in #120 is exactly because of special handling of kzalloc in which the benchmark actually has an error call that we therefore miss.

So I guess for sv-comp we should stop treating kzalloc, and other such things as special functions that map to Malloc and instead analyze them (and maybe have this treating them as Malloc as a fallback in case we don't encounter a body and only a prototype).

[sim642]

The unsoundness aspect shouldn't be difficult to fix because if a function has a definition and is also special, we analyze it normally:

analyzer/src/framework/constraints.ml

Lines 628 to 631 in 5999bcf

	let has_dec = try ignore (Cilfacade.getdec f); true with Not_found -> false in
	if has_dec && not (LibraryFunctions.use_special f.vname)
	then tf_normal_call ctx lv e f args getl sidel getg sideg
	else tf_special_call ctx lv f args

The overrides to that are defined here, where kzalloc is also listed:

analyzer/src/analyses/libraryFunctions.ml

Lines 454 to 456 in 5999bcf

	let lib_funs = ref (Set.String.of_list ["list_empty"; "kzalloc"; "kmalloc"; "__raw_read_unlock"; "__raw_write_unlock"; "spinlock_check"; "spin_trylock"; "spin_unlock_irqrestore"])
	let add_lib_funs funs = lib_funs := List.fold_right Set.String.add funs !lib_funs
	let use_special fn_name = Set.String.mem fn_name !lib_funs

Removing kzalloc from that list makes the result unknown, fixing the unsoundness. Based on the above discussion, it might make sense to similarly remove kmalloc from that list as well. But before we jump the gun, does anyone know why we have such exceptions at all? My initial guess would be the same reason from above: somewhere kzalloc had a definition via some other alloc function but a better (outer scope) location was desired for precision, so this was forcefully special cased to provide that.

[sim642]

According to git blame, these exceptions were originally added by @vesalvojdani: cefd7c7#diff-f11dd379df0d8dcedf47eec4569e585bdf20a8671f9194a6cdfd69e65ce0c4e5R405-R406.

[vesalvojdani]

Yes, almost certainly to avoid all allocs to collapsing to the same location. Ideally, stack traces should be used to distinguish these more robustly, but probably this was an easier fix.

[michael-schwarz]

We decided to have a separate analysis that keeps track of the location of the call of some special functions such as ldv_malloc, kzalloc etc. In the special edge for malloc we will then ask this analysis for what varinfo this is represented by, which it either retrieves from the hashmap or creates and adds to the hashmap.

This way, this is separated from all the things the base analysis does and becomes an easily changeable thing.

[sim642]

That's something I thought about as well. The downside is having to put together a list of such functions that matches the ones occurring in sv-benchmarks.

Something stack trace based would avoid that manual work. We have some stack trace analysis implementations but they also affect function contexts, not just the allocations. Anyway, if the query mechanism for heap variables in in place then this can be experimented with more.

I will remove kzalloc and kmalloc from the exception list for now.