Add --object-bits option to goto-cc

[thomasspriggs]

So that we can support running with non-default settings of --object-bits in goto-cc. This should address the issue seen in #5272

• Each commit message has a non-empty body, explaining why the change was made.
• Methods or procedures I have added are documented, following the guidelines provided in CODING_STANDARD.md.
• The feature or user visible behaviour I have added or modified has been documented in the User Guide in doc/cprover-manual/
• Regression or unit tests are included, or existing tests cover the modified code (in this case I have detailed which ones those are in the commit message).
• My commit message includes data points confirming performance improvements (if claimed).
• My PR is restricted to a single feature or bugfix.
• White-space or formatting changes outside the feature-related changed lines are in commits of their own.

[codecov]

Codecov Report

Merging #5440 into develop will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff            @@
##           develop    #5440   +/-   ##
========================================
  Coverage    68.22%   68.22%           
========================================
  Files         1178     1178           
  Lines        97580    97580           
========================================
  Hits         66573    66573           
  Misses       31007    31007           

Flag	Coverage Δ
#cproversmt2	42.79% <ø> (ø)
#regression	65.39% <ø> (ø)
#unit	32.26% <ø> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
src/goto-cc/gcc_cmdline.cpp	74.48% <ø> (ø)
src/goto-cc/goto_cc_mode.cpp	26.66% <ø> (ø)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update b3a6cc4...06c5aa1. Read the comment docs.

[hannes-steffenhagen-diffblue]

how does recursion stop excessive unwinding?

[thomasspriggs]

I discovered this by experimentation. The same algorithm written as a loop spent a long time unwinding if no unwind limit was set. The recursive version only unwinds a sufficient number of times for the value of max_malloc_size which is actually specified.

I am not familiar with the unwinding code. However I would hazard a guess that loop unwinding happens early on, using a only a local analysis. Whereas recursion unwinding happens later as part of symmex. The constant being passed to the function is been propagated in this case, leading to unwinding the exact number of times required.

[thomasspriggs]

I haven't been able to reproduce the problem I saw with the iterative version and I never committed that version, so I can't get it back even with git reflog. Therefore I am going to assume there is no problem with unwinding loops / constant propagation. I shall delete this comment in order to avoid being misleading, but leave the recursive version in place because it doesn't seem worth rewriting this.

[hannes-steffenhagen-diffblue]

Shouldn't this be added to the other cmdlinets as well?

[thomasspriggs]

The original ticket referred to goto-cc only, fixing goto-cc only will get a fix ready for use sooner. Yes, the same problem and fix probably applies to the other entry points as well. The time consuming part of fixing the other entry points would be writing tests for each of them.

[thomasspriggs]

There is no standard list of options in the base class. So it would need to be manually added and tested for each cmdlinet in the heirarchy.

[hannes-steffenhagen-diffblue]

So adding the option to the cmdlinet was all that was needed to make this work? Neat.

[hannes-steffenhagen-diffblue]

can you add the expected results for the other assertions in here as well? Clearly it's supposed to be always 2 successes and one failure but that might be easier to see if its spelt out.

[thomasspriggs]

Done.

[danpoe]

I think for now this solution is fine. At some point though, the __CPROVER_max_malloc_size variable will go away anyways (when ADA-576 is implemented) and the conflict will disappear. Then goto-cc should be able to be oblivious to the object bits setting again.

The reason for __CPROVER_max_malloc_size going away is that it is currently used to check that not more memory is allocated than can be addressed by cbmc. However, it turns out that a better way to implement this is to check for pointer overflows instead (see discussion on #5401).

[danpoe]

IMO it would be unnecessary to reverse engineer the object bits here or even use the value of __CPROVER_max_malloc_size. It's probably sufficient to just run cbmc with a non-default object bits setting after goto-cc and check that it suceeds.

[thomasspriggs]

The reason I chose to do it this way is that the previous incorrect behaviour resulted in a warning, but might not actually cause a failure without giving an input program which depends on the implications of the object-bits configuration. I could have used a negative regex to check that the warning message does not appear in the output. However this would not be a robust test because if the text of the message were to be updated then the corresponding test could easily be missed. This may be a little over-engineered but I am happy that this is a robust test and it is clear what the positive regexes are actually checking for.

[danpoe]

Yes, that makes sense.

[chrisr-diffblue]

Have you tested what happens with linking? I'm thinking of the case where you compile one translation unit with one value for object-bits, and another translation unit with a different value for object-bits. How does the linker handle that? (Hopefully with a nice user-friendly error message... :-) )

[thomasspriggs]

@chrisr-diffblue If I feed two different goto binaries into cbmc which were generated using different --object-bits configurations then it generates appropriate warning messages -

$ cbmc ./temp_func.gb ./temp_main.gb
CBMC version 5.12 (cbmc-5.12.4-9-gdae95d970-dirty) 64-bit x86_64 linux
Reading GOTO program from file
Reading: ./temp_func.gb
Reading GOTO program from file
Reading: ./temp_main.gb
file <built-in-additions> line 24: warning: conflicting initializers for variable "__CPROVER_max_malloc_size"
using old value in module temp_func file <built-in-additions> line 24
9007199254740992ul
ignoring new value in module temp_main file <built-in-additions> line 24
144115188075855872ul
Generating GOTO Program
Adding CPROVER library (x86_64)
file <built-in-additions> line 24: warning: conflicting initializers for variable "__CPROVER_max_malloc_size"
using old value in module temp_func file <built-in-additions> line 24
9007199254740992ul
ignoring new value in module <built-in-library> file <built-in-additions> line 24
36028797018963968ul
Removal of function pointers and virtual functions
Generic Property Instrumentation
Running with 8 object bits, 56 offset bits (default)
Starting Bounded Model Checking

[chrisr-diffblue]

I'm glad theres a diagnostic, thanks for checking/demonstrating. It's probably an open question whether that should be an error rather than a warning, but that doesn't have to be fixed in this PR, so feel free to raise a Github bug ticket to cover that. It'd be super nice if there was a test case to demonstrate the diagnostic gets triggered (just so we don't end up accidentally losing that at some point :-) ) but again, I won't block the PR just on that.