Spurious warning `Write to unknown address: privatization is unsound.` even though no write occurs

[michael-schwarz]

#include<pthread.h>
#include<assert.h>
int counter = 0;
pthread_mutex_t lock1;

void* producer(void* param) {
    pthread_mutex_lock(&lock1);
    counter = 0;
    pthread_mutex_unlock(&lock1);
}

void* consumer(void* param) {
    pthread_mutex_lock(&lock1);
    assert(counter >= 0);
    pthread_mutex_unlock(&lock1);
}


int main() {
    pthread_t thread;
    pthread_t thread2;
    pthread_create(&thread,NULL,producer,NULL);
    pthread_create(&thread2,NULL,consumer,NULL);
}

For this innocuous program, Goblint currently produces the following output:

./goblint 5.c --enable dbg.debug --enable dbg.regression
[Info][Unsound] Write to unknown address: privatization is unsound. (5.c:15:5-15:25)
Pruning result

Summary for all memory locations:
        safe:            1
        vulnerable:      0
        unsafe:          0
        -------------------
        total:           1

The warning [Info][Unsound] Write to unknown address: privatization is unsound. (5.c:15:5-15:25) happening at counter >= 0 is spurious as no actual write access is happening here.

[sim642]

That's true, the warning doesn't seem to have anything to do with writes, but it's still weird that there's something unknown there.

[michael-schwarz]

analyzer/src/analyses/accessAnalysis.ml

Lines 84 to 108 in eb265b0

	let reach_or_mpt = if reach then ReachableFrom e else MayPointTo e in
	match ctx.ask reach_or_mpt with
	| ls when not (LS.is_top ls) && not (Queries.LS.mem (dummyFunDec.svar,`NoOffset) ls) ->
	(* the case where the points-to set is non top and does not contain unknown values *)
	on_lvals ls false
	| ls when not (LS.is_top ls) ->
	(* the case where the points-to set is non top and contains unknown values *)
	let includes_uk = ref false in
	(* now we need to access all fields that might be pointed to: is this correct? *)
	begin match ctx.ask (ReachableUkTypes e) with
	| ts when Queries.TS.is_top ts ->
	includes_uk := true
	| ts ->
	if Queries.TS.is_empty ts = false then
	includes_uk := true;
	let f = function
	| TComp (ci, _) ->
	add_access_struct (conf - 50) ci
	| _ -> ()
	in
	Queries.TS.iter f ts
	end;
	on_lvals ls !includes_uk
	| _ ->
	add_access (conf - 60) None None

Here, we ask a MayPointTo query for the expression (counter >= 0) which yields T and thus falls through into the default case.