Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

store_tac_with_hint insufficiently general for array of struct #613

Open
andrew-appel opened this issue Jul 29, 2022 · 0 comments
Open

store_tac_with_hint insufficiently general for array of struct #613

andrew-appel opened this issue Jul 29, 2022 · 0 comments

Comments

@andrew-appel
Copy link
Collaborator

[in any recent version of VST such as 2.9, 2.10, master branch]
Consider this program,

void f (struct foo {int x,y;} *p, unsigned i, unsigned n) {
  p[i].x = 0;
}

with this precondition just before the forward command:

H : 0 <= i < n
H0 : field_compatible (tarray t_foo n) [] p
______________________________________(1/1)
semax Delta
  (PROP ( )
   LOCAL (temp _p p; temp _i (Vint (Int.repr i));
   temp _n (Vint (Int.repr n)))
   SEP (data_at_ Ews (tarray t_foo (n - i))
          (field_address (tarray t_foo n) (SUB i) p)))
  ((_p + _i -> _x) = (0);) POSTCONDITION

Then forward_store will give an error message about doing an assert_PROP,
so let's do that and prove, above the line as directed,

H1 : offset_val 0
          (force_val (sem_add_ptr_int (Tstruct _foo noattr) Unsigned p
                                (Vint (Int.repr i))))
   = field_address  (tarray t_foo n) (SUB i) p

Now, forward gives the following error message:

Tactic failure: unexpected failure in load/store_tac_with_hint.
The expression (_p + _i -> _x)%expr has type (Tint I32 Signed noattr)
but is expected to have type (Tstruct _foo noattr) (level 996).

This is wrong; it's a bug in store_tac_with_hint, that comes from insufficient generality in the underlying lemma, semax_PTree_field_store_with_hint.

Below is the complete VST proof script to reproduce this bug.

Require Import VST.floyd.proofauto.
Require Import test_store_array_field.

#[export] Instance CompSpecs : compspecs. make_compspecs prog. Defined.
Definition Vprog : varspecs. mk_varspecs prog. Defined.

Definition t_foo := Tstruct _foo noattr.

Definition f_spec :=
DECLARE _f
 WITH p: val, i: Z, n:Z
 PRE [ tptr (Tstruct _foo noattr), tuint, tuint ]
   PROP(0 <= i < n; field_compatible (tarray t_foo n) nil p)
   PARAMS (p; Vint (Int.repr i); Vint (Int.repr n))
   SEP (data_at_ Ews (tarray t_foo (n-i)) 
            (field_address (tarray t_foo n) (SUB i) p))
 POST [ tvoid ]
   PROP() RETURN()
   SEP (data_at_ Ews (tarray t_foo (n-i)) 
            (field_address (tarray t_foo n) (SUB i) p)).

Definition Gprog : funspecs := nil.

Lemma body_f: semax_body Vprog Gprog f_f f_spec.
Proof.
start_function.
assert_PROP (
  offset_val 0
   (force_val
      (sem_add_ptr_int (Tstruct _foo noattr) Unsigned p
         (Vint (Int.repr i)))) 
  = field_address (tarray t_foo n) (SUB i) p). {
 entailer!.
 rewrite field_address_offset by auto with field_compatible.
 simpl; f_equal; lia.
}
forward.
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@andrew-appel