3

We've been using Frama-C for 'experimental' static analysis on a commercial project (integrated into our CI, with a few selective blocking checks, on a small section of the overall codebase).

One of the snags that comes up relates to satisfying the proof obligations that the wp plugin generates anytime it encounters a memcpy call. Specifically, the three obligations below: memcpy_proof_obligations

From the 'goal' notes, it looks like Frama-C is trying to prove that the destination and source memory are valid, .

I've tried adding requires \valid() preconditions, but that doesn't seem to help. In these instances, the memcpy call within the function under test is copying data from an input parameter to the function, and placing that data into a local variable (scoped within the function).

To further complicate matters, the local variable where the data is being copied is an attribute within a packed struct.

Concretely, I'm hoping that someone out there is able to share some real examples of memcpy uses where the goals introduced by wp can be satisfied (e.g. what preconditions must I add to make it provable?)

If it matters, I'm running Frama-C Magnesium-20151002 (according to apt-get on Ubuntu 16, this is 'up to date'), and invoking with the following parameters:

frama-c -wp -wp-split -wp-dynamic -lib-entry -wp-proof alt-ergo -wp-report

Also related, but missing a clear working example: Frama-c : Trouble understanding WP memory models

jjmilburn
  • 380
  • 3
  • 12
  • 1
    Adding `-wp-model "Typed+Cast"` was enough to allow these proofs to be satisfied. Would definitely accept an answer that gives examples and further explanation of *why* this is the case, though. – jjmilburn Dec 12 '18 at 07:02

1 Answers1

4

As you mentioned in you comment, the proper solution is to use -wp-model "Typed+Cast" in order to let WP accept casts to/from void* (more precisely, it will consider that p and (void*)p are the same thing for any pointer, which will be sufficient for proving the requires of memcpy). Now, as mentioned in the answer to the question you linked to, the main issue of this memory model (and the reason why it is not the default) is that it is inherently unsafe: it relies on hypotheses that by definition cannot be assessed by WP itself. Here is a small example that highlights this issue:

int x;
char* c;

/*@ assigns c;
    ensures c == ((char *)&x);
*/
void g(void) {
  c = &x;
}

/*@ assigns \nothing;
    ensures \separated(&x,c);
*/
void f() {
}

void main () {
g();
f();
//@ assert \false;
}

Basically, the default Typed memory model ensures the separation between the location pointed to by c and x (i.e. the post-condition of f), because int and char are different, and you neither can prove the post-condition of g or use it as an hypothesis to derive \false in main, because the equality can't be expressed in the model at all.

Now, if you use Typed+Cast, the post-condition of g is now properly understood, and completely trivial to prove. WP won't let you prove at the same time that &x and c are separated, because they are involved together in an assignment. However, in f no such assignment exists, and the post-condition is also easily proved, leading to proving \false in main since we have two contradictory statements about &x and c. More generally, WP relies on a local alias analysis to track potential aliases between pointers of different types (a global analysis would defeat the purpose of having a modular analyzer). Passing option -wp-model +Cast can thus be seen as way to tell WP "Trust me, the program won't create miss-typed aliases". It is however possible to pass alias information by hand (or with the help of e.g. a yet-to-be-written global alias detection plug-in). For instance, with option -wp-alias-vars x,c the post-condition of f becomes Unknown (i.e. the separation between &x and c is not an assumption anymore, even for f).

Virgile
  • 9,724
  • 18
  • 42
  • 1
    This is very helpful, thank you! Some summary points I took away (restating to check if I've got the right idea): 1) If at any point a cast to/from a `(void*)` are performed, `Typed` memory model cannot analyze that pointer . 2) Using `-wp-model=Typed+Cast` lets the wp analyzer assume (unsafely!) that `p` and `(void*)p` are the same, regardless of the type of `p` (as long as `p` is a valid pointer). I'm not familiar with the `/@assert \false` annotation and had some trouble following that part (naively, it seems like that statement should always fail?). How does that work? – jjmilburn Dec 14 '18 at 04:43
  • 2
    @jjmilburn that's a good summary indeed. `/*@ assert \false; */` can basically mean two things (feel free to open a new question for more details, since "comments are not meant for extended discussion" ): either you have introduced a contradiction somewhere (this is the case here: `Typed+Cast` makes assumptions that are violated by the code), or you are on a dead statement (as `/*@ assert p; */` can be understood roughly as "for any execution _that reaches this point_ `p` holds"). – Virgile Dec 14 '18 at 09:55