Add function pointer restriction option

[hannes-steffenhagen-diffblue]

This adds a new option, --restrict-function-pointer, to cbmc. This lets a user
specify a list of possible pointer targets for calls to a particular function
pointer variable, rather than have remove_function_pointers guess possible
values. The intended purpose behind this is to prevent excessive symex time
wasted on exploring paths the user knows the program can never actually take.

• Each commit message has a non-empty body, explaining why the change was made.
• Methods or procedures I have added are documented, following the guidelines provided in CODING_STANDARD.md.
• The feature or user visible behaviour I have added or modified has been documented in the User Guide in doc/cprover-manual/
• Regression or unit tests are included, or existing tests cover the modified code (in this case I have detailed which ones those are in the commit message).
• My commit message includes data points confirming performance improvements (if claimed).
• My PR is restricted to a single feature or bugfix.
• White-space or formatting changes outside the feature-related changed lines are in commits of their own.

[xbauch]

Move above (to the rest of goto-program includes).

[xbauch]

Couldn't you just copy the cmdline part that you need into options instead of passing the whole thing?

[xbauch]

It's called for_each_goto_location but inside you iterate over instructions.

[martin-cs]

I'm not against these but please note the amount of hatred that forall_goto_program_instructions et al. used to get and try to get some kind of agreement on whether we should be doing more or less of this.

[hannes-steffenhagen-diffblue]

I've added this here for now, but I don't feel too strongly about this - I'll remove this if people don't like it.

[martin-cs]

I'm fine with it but I know it was a big source of argument at one point (I don't remember what was decided TBH) so be a little careful. I think it might be in the coding standard...

[xbauch]

PredicateT for consistency?

[xbauch]

a list of function parameters

[xbauch]

This probably deserves documenting as well.

[xbauch]

Also, is there a test for this?

[xbauch]

Not sure it would help much, but you could use the for_each_goto_location_if and split the is_function_call /\ is_dereference as Predicate.

[xbauch]

There is goto_programt::make_assignment.

[xbauch]

Maybe insert_before would be more explicit.

[xbauch]

So is const first or is actual type first?

[hannes-steffenhagen-diffblue]

I removed this function entirely, it was there for an earlier version of this that I since discarded.

[xbauch]

If it gives the same message (as the throw above), couldn't it be merged?

[hannes-steffenhagen-diffblue]

Maybe? But I think of them as two different failure conditions that just happen to have the same text in them.

[xbauch]

Ok, (what about "not a pointer to a function").

[xbauch]

There is also util/format but I'm not sure which should be prefered.

[xbauch]

What?

[hannes-steffenhagen-diffblue]

Fixed thanks

[xbauch]

The loop below does not seem to iterate over restrictions.

[hannes-steffenhagen-diffblue]

Vestigial comment, will fix

[xbauch]

I don't get it.

[hannes-steffenhagen-diffblue]

Brain stopped mid sentence

[xbauch]

First, can we rename this: there already is one pointer_symbol above? Second, can we move it below, closer to it's use?

[hannes-steffenhagen-diffblue]

These two are actually the same thing, I'll remove this one

[NlightNFotis]

We probably don't want this here at all.

[hannes-steffenhagen-diffblue]

I'll keep it in here for now. I'll remove this when this goes out of draft, I'm still hoping someone knows how to do this correctly.

[xbauch]

Couldn't you run this check on target_name_strings?

[xbauch]

pointer_name is a string.

[hannes-steffenhagen-diffblue]

removed thanks

[xbauch]

While this perhaps isn't customer-facing text, I think it's high enough for us to call existing methods dumb. What about "inefficient" or "non-optimal". (Hedging level scientist.)

[martin-cs]

"very over-approximate" or "too much of an over-approximation for some users".

[xbauch]

Maybe: the motivating example above?

[xbauch]

Looks good. Maybe squash a bit.

[martin-cs]

I am not opposed to this from a user-space point of view, nor the code in general. However there are lots of open issues to do with function pointer removal:

#4536
#4650
#2620
#1385
#915

(to mention just a few) and it would be good to try and get some consistency / order / plan here.

As far as I can see, the common theme is to separate the code into two parts:

A. things that get candidate sets of targets for a function pointer : from a user, from the signature, from the signature plus some kind of 'is dirty' analysis for when functions have their address taken, from the expression and the symbol table, from the abstract interpreter, etc.

B. things that use these candidate sets : for transforming the program, for doing AI with the function pointers still in, etc.

Adding this interface / separation should not be too hard.

[martin-cs]

"very over-approximate" or "too much of an over-approximation for some users".

[martin-cs]

IIRC there also used to be a global analysis of "which functions have their addresses taken".

[hannes-steffenhagen-diffblue]

@martin-cs I believe this is still in place actually, so maybe I should update this to be more accurate? On the other hand, I don't really want to replicate the documentation of remove-function-pointers (if it exists) here.

[martin-cs]

It should be accurate and it should be consolidated with any other documentation for this. I don't think there is any but do have a grep through the manual at least.

[martin-cs]

??? I'm not sure what this sentence is saying.

[hannes-steffenhagen-diffblue]

That's because I didn't finish the sentence - this comes back to how FP removal works now, which is to scan for

1. matching functions
2. which have their addresses taken

so I'm adding this so it looks to FP removal as if an int(*)(int) could also pint to g rather than just to f.

[martin-cs]

OK, that makes a little more sense.

[martin-cs]

I'm not against these but please note the amount of hatred that forall_goto_program_instructions et al. used to get and try to get some kind of agreement on whether we should be doing more or less of this.

[allredj]

✔️
Passed Diffblue compatibility checks (cbmc commit: 860117d).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/135089826

[kroening]

A use-case question: This feature appears to be something that requires a specialist user, and I therefore don't expect wide usage. How about adding this to goto-instrument, to avoid adding complexity to CBMC's interface?
(Independently, CBMC's symbolic execution ought to learn how to do function pointers, but that is outside of the scope here).

[hannes-steffenhagen-diffblue]

@kroening I don't particularly mind; However the goal was for these mappings to be generated by something like e.g. goto-analyzer most of the time, so they hopefully shouldn't require too much expertise to use (hand writing these may be useful in some circumstances as well, but that wasn't the main point).

[karkhaz]

We don't mind having this in goto-instrument at all. In general, we don't expect to be generating anything: often we have a good idea of the function that we want to restrict to.

Thank you very much for this work, it looks great, and especially thank you for the documentation and test cases. Here are a couple of cases I'm not sure about.

#include <assert.h>

typedef int (*fptr_t)(int);

void call(fptr_t fptr)
{
  assert(fptr(10) == 10);
}

int f(int x)
{
  return x;
}
int g(int x)
{
  return x + 1;
}
int h(int x)
{
  return x + 2;
}

int main(void)
{
  call(nondet_int() ? f : g);
}

> cbmc test.c --restrict-function-pointer call.function_pointer_call.1/f
** Results:
test.c function call
[call.assertion.2] line 7 assertion fptr(10) == 10: SUCCESS
[call.assertion.1] line 7 dereferenced function pointer at call.function_pointer_call.1 must be f: FAILURE

☝️is that expected? I'm restricting to f, and f has the right type and potentially could be the right function, so why is it failing?

Also, if I change the command line to restrict to h rather than f (which really is an impossible candidate, since we're only choosing between f and g in main), I get an almost identical error message:

[call.assertion.1] line 7 dereferenced function pointer at call.function_pointer_call.1 must be h: FAILURE

Would it be possible for this to be distinct, to make it clear that this is the case of a user error passing in an impossible function?

[hannes-steffenhagen-diffblue]

@karkhaz thanks for having a look at this. The assertion

dereferenced function pointer at call.function_pointer_call.1 must be f

is intended to mean “the function pointer we got passed in was, indeed, a pointer to f”. This is a safeguard to prevent accidental misuse, so for instance in the example you quoted the function could also be g. The option generates code like this:

if(fptr == &f) { f(args...); }
else if...
else { 
  assert(false); // we assume the set of restrictions is a superset of the set of actually possible targets
  assume(false); // if this assumption is wrong we can’t guarantee anything about the following code
}

The assume(false) is necessary because if the restriction of function pointers was incorrect, then we can’t say anything meaningful about that case anymore. The assertion is just there for documentation.

In that regard it is really no different than how the already existing remove_function_pointers works, this is intended to mirror that behaviour except that there is user control over the restriction.

[codecov-io]

Codecov Report

Merging #5168 into develop will increase coverage by 0.02%.
The diff coverage is 80.29%.

@@             Coverage Diff             @@
##           develop    #5168      +/-   ##
===========================================
+ Coverage    67.26%   67.28%   +0.02%     
===========================================
  Files         1155     1157       +2     
  Lines        94476    94686     +210     
===========================================
+ Hits         63545    63713     +168     
- Misses       30931    30973      +42     

Flag	Coverage Δ
#cproversmt2	42.76% <80.29%> (+0.11%)	⬆️
#regression	63.77% <80.29%> (+0.03%)	⬆️
#unit	31.91% <9.35%> (-0.06%)	⬇️

Impacted Files	Coverage Δ
src/cbmc/cbmc_parse_options.h	100.00% <ø> (ø)
src/goto-programs/restrict_function_pointers.cpp	75.46% <75.46%> (ø)
src/cbmc/cbmc_parse_options.cpp	75.30% <100.00%> (+0.24%)	⬆️
src/goto-programs/goto_program.h	91.87% <100.00%> (+0.16%)	⬆️
...oto-programs/label_function_pointer_call_sites.cpp	100.00% <100.00%> (ø)
src/util/irep.h	95.52% <100.00%> (+0.13%)	⬆️
src/util/ieee_float.cpp	88.49% <0.00%> (-0.33%)	⬇️
...code/generic_parameter_specialization_map_keys.cpp	100.00% <0.00%> (ø)
...accelerate/disjunctive_polynomial_acceleration.cpp	0.00% <0.00%> (ø)
... and 5 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 7a70b13...860117d. Read the comment docs.