Unsigned long interval unsoundness with refinement

[sim642]

On 37e0d70 we are unsound on the following program:

// PARAM: --enable ana.int.interval --set ana.int.refinement once
#include <assert.h>

int main() {
  for (unsigned long i = 0; i < 1000; i++) {
    assert(1);
  }

  assert(1); // reachable
  return 0;
}

We claim that the second assert is dead code. The abstract value for i at the loop head is def_exc:Unknown int([0,64]); intervals [0,255].
It's fine with unsigned int and just long.

[jerhard]

Interestingly, when additionally enabling the setting ana.int.def_exc_widen_by_join, the result is not unsound. Not sure if that is really related.

[michael-schwarz]

There are bizarre things happening with + here:

For a: (Unknown int([0,64]),[0,9999]) + b: (1,[1,1])

result: (Unknown int([0,8]),[1,10000])
after refine: (Unknown int([0,8]),[1,255])

So the issue is even before any refinement happens...

[sim642]

I guess refinement just exposes the issue which appears to be with def_exc ranges somehow.

[michael-schwarz]

Yup, I suspected an issue with the ikinds but they also seem to be correct... Digging deeper now

[michael-schwarz]

The culprit seems to be this piece of code here: It returns unsigned char as the suitable type for 18446744073709551616 which is the maximum unsigned long.

analyzer/src/cdomains/intDomain.ml

Line 400 in 95f1834

let min_for x = intKindForValue (fst (truncateCilint (max (sign x)) x)) (sign x = `Unsigned)

[michael-schwarz]

In fact, the solution is quite simple: There should be no truncation here!