Values of escaped globals unsoundly not passed to callee

[michael-schwarz]

During #742 I discovered the following unsoundness:

#include <assert.h>

struct list
{
    int n;
    struct list *next;
};

void *allocate_memory()
{
    return malloc(8U);
}

struct list *append(struct list *l, int n)
{
    struct list *new_el;

    new_el = allocate_memory();

    new_el->n = n;
    new_el->next = l;

    return new_el;
}

int main()
{
    struct list *l, m;
    l = &m;
    l->next = 0;
    l->n = 0;

    l = append(l, 1);
    l = append(l, 2);

    assert(l->next->next->n == 0); //UNKNOWN
}

We claim that the assert must fail, but it does hold in the concrete. It seems to be related to our malloc handling, as replacing allocate_memory() with calls to malloc hides the issue.

[michael-schwarz]

I added the example to this branch: https://github.com/goblint/analyzer/tree/issue_755

[sim642]

Surprisingly --set ana.malloc.wrappers[+] allocate_memory doesn't even help.

[michael-schwarz]

ldv-validator-v0.6/linux-stable-af3071a-1-130_7a-drivers--hwmon--s3c-hwmon.ko-entry_point.cil.c and ldv-linux-3.12-rc1/linux-3.12-rc1.tar.xz-144_2a-drivers--input--touchscreen--usbtouchscreen.ko-entry_point.cil are most likely due to the same issue (or at least not due to #742, as they happen on master).

[michael-schwarz]

The issue seems to be that m is treated as escaped, but no corresponding global is created for it. My guess is that we end up with m being bottom and hence the claim that l->next->next->n is not 0.

[sim642]

There is no multithreading in the program though, so escaping shouldn't apply here and everything would be in the local state.

[michael-schwarz]

I think (one of) the issues is that globals (that became globals because they escaped into global variables) are not treated properly, i.e. are not passed to the caller in single-threaded mode. This is probably exasperated by the fact that we seem to ignore pointers that should lead to a supertop when dereferenced. The following assert incorrectly is reported as always failing.

#include <assert.h>
int* ptr;
int nine = 9;

int other() {
    assert(*ptr == 8); //UNKNOWN!
}

int main()
{
    int g = 8;
    int top;

    if(top) {
        ptr = &g;
    } else {
        ptr = &nine;
    }

    other();
}

(There may also be further complications w.r.t. to heap, not sure yet)

Related: #686 #246