Use widened bounds to update bounds in context

[mgrang]

Use the widened bounds calculated by the analysis in BoundsAnalysis.cpp to
widen the bounds of nt_array_ptr.

[dtarditi]

Overall looks good.

[dtarditi]

Could you add a comment describing what this function is doing?

[kkjeer]

After more discussion on the relationship between widened bounds, target bounds, and the bounds context, I'm currently updating the way the bounds context is handled. In particular, CheckDeclRefExpr will no longer use the BlockState.UC context to return the lvalue target bounds (since the widened bounds should not affect the target bounds for a variable). We may need to reevaluate how to use the widened bounds as the observed rvalue bounds for the value of a variable in light of my proposed updates to the bounds context.

[kkjeer]

I tested this locally and ran into some issues with checking an assignment using widened bounds.

In this example:

void widen_bounds_bug(nt_array_ptr<int> a : bounds(a, a + 1),
                      nt_array_ptr<int> p : bounds(p, p + 0),
                      nt_array_ptr<int> b : bounds(b, b + (0 + 1))) {
  if (*p) {
    // Bounds of p have been widened to (p, (p + 0) + 1).
    // The target bounds of a are (a, a + 1).
    // Because the base of p's bounds is p + 0,
    // ProveBoundsDeclValidity is unable to create a base range for p's bounds,
    // and is therefore unable to prove the validity of a's bounds after the assignment.
    a = p;

    // Bounds of b are (b, b + (0 + 1)).
    // The target bounds of a are (a, a + 1).
    // Because the base of b's bounds is b,
    // ProveBoundsDeclValidity is able to create a base range for b's bounds,
    // and is therefore able to prove the validity of a's bounds after the assignment.
    a = b;
  }
}

The assignment a = p results in a warning "unable to prove the declared bounds of a are valid after the assignment". The reason is that the new upper expression for p's widened bounds (p, (p + 0) + 1) is left-associative, so the base of the widened bounds is p + 0. If the upper expression were right-associative (p, p + (0 + 1)), as in the declared bounds for b, then the assignment a = p would be fine (as in the assignment a = b).

I quickly put together a local fix involving SplitIntoBaseAndOffset to split the upper expression of a variable's bounds and use the resulting base and offset to create the new upper expression for the widened bounds, but I haven't fully tested it.

[mgrang]

Yes, SplitIntoBaseAndOffset does not currently handle associativity and multiple arithmetic operators correctly. In BoundsAnalysis I ran into a similar issue wherein I had to correctly determine the offset of the expression being dereferenced. So I wrote an implementation of SplitIntoBaseAndOffset (see https://github.com/microsoft/checkedc-clang/blob/master/clang/lib/Sema/BoundsAnalysis.cpp#L340). This function associates all variables to the LHS and all constants to the RHS. Ideally, we want to merge both these functions into one.

One thing to keep in mind with changing associativity of operators is overflow. The original expression may not overflow but if we change the associativity then an overflow/underflow may occur.

[kkjeer]

Could you add a comment to this function as well as ResetKilledBounds?

[kkjeer]

I think this should be done before saving InitialObservedBounds = BlockState.ObservedBounds. InitialBounds should contain the contents of ObservedBounds before calling Check(S, CSS, BlockState) in order for the observed bounds to be reset after the Check call.

For example:

void pointer_widening() {
  nt_array_ptr<char> p : count(0) = "a";

  if (p[0]) {
    // This assignment kills the widened bounds of p.
    // InitialObservedBounds should contain p => bounds(p, p + 0),
    // not p => bounds(p, p + 0 + 1).
    // After checking this assignment, BlockState.ObservedBounds should contain
    // p => bounds(p, p + 0).
    p = "";
    if (p[1]) // observed bounds of p are (p, p + 0), so this is an out-of-bounds memory access
  }
}

[kkjeer]

I think this should reset ObservedBounds[V] to the normalized declared bounds of V, rather than erasing V from the context. Before calling Check on a statement S, the ObservedBounds context should contain, for each variable V that is in scope at S:

1. If V has widened bounds (lb, ub + i) at S and S does not make an assignment to V, ObservedBounds[V] => bounds(lb, ub + i)
2. Otherwise, if V has declared bounds (lb, ub), ObservedBounds[V] => bounds(lb, ub)

The InitialObservedBounds variable should also contain these bounds. After calling Check on S, ObservedBounds may contain updated bounds due to any assignments in S. These updated observed bounds should be used to check that they imply the declared bounds for each variable. After this check, ObservedBounds should be reset to InitialObservedBounds and contain the bounds described above.

For example:

void pointer_widening() {
  nt_array_ptr<char> p : count(0) = "a";

  if (p[0]) {
    // This assignment kills the widened bounds (p, p + 1) of p.
    // Before checking this assignment, ObservedBounds should contain p => (p, p + 0).
    // The original value of p in this assignment is p - 1.
    // p - 1 should replace p in the observed bounds of p.
    // After checking this assignment, ObservedBounds should contain p => (p - 1, p - 1 + 0).
    // The updated observed bounds (p - 1, p - 1 + 0) should be used to check that they imply
    // the declared bounds (p, p + 0) for p. After this check, ObservedBounds should be reset
    // to the initial observed bounds before checking this assignment: (p, p + 0).
    p = p + 1;
  }
}

[mgrang]

This depends on #829

[kkjeer]

This comment no longer seems quite accurate, since the bounds that are killed by S are being reset to their declared bounds rather than removed from ObservedBounds.

[dtarditi]

This looks great. Thank you!

There are places we are repeatedly allocating AST nodes. We should avoid doing that because those AST nodes are permanently allocated, increased memory usage of the compiler. Please open an issue to track this. It can be addressed in a separate PR.

[dtarditi]

It is inefficient for memory use to call ExpandBoundsToRange repeatedly on the bounds for a variable. ExpandBoundsToRange can allocate AST data structures, and we don't want to do that in a dataflow analysis. Could you open a follow-up issue about reducing allocation of AST nodes and add a TODO here. The solution is to compute it once and attach the canoncialized value to the VarDecl.

This change is beyond the scope of this PR, so I think it should be done separately.

[mgrang]

Created issue to track this: #830

[dtarditi]

Here too we may be allocating AST data structures multiple times. We want to avoid doing that, and do the expansion only once.

[mgrang]

This PR depends on checkedc/checkedc#400