Skip to content

Refine symex pointer unsoundness #8780

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
tautschnig wants to merge 3 commits into
base: develop
Choose a base branch
from
Open

Refine symex pointer unsoundness #8780

tautschnig wants to merge 3 commits into from
+710 −699

Conversation

@tautschnig
Copy link
Collaborator

@tautschnig tautschnig commented Nov 30, 2025
edited
Loading

Please review commit-by-commit.

Fixes: #8714
Fixes: #7957

  • Each commit message has a non-empty body, explaining why the change was made.
  • n/a Methods or procedures I have added are documented, following the guidelines provided in CODING_STANDARD.md.
  • n/a The feature or user visible behaviour I have added or modified has been documented in the User Guide in doc/cprover-manual/
  • Regression or unit tests are included, or existing tests cover the modified code (in this case I have detailed which ones those are in the commit message).
  • n/a My commit message includes data points confirming performance improvements (if claimed).
  • My PR is restricted to a single feature or bugfix.
  • n/a White-space or formatting changes outside the feature-related changed lines are in commits of their own.

@tautschnig tautschnig force-pushed the refine-symex-pointer-unsoundness branch from 889225b to 2dc63d4 Compare November 30, 2025 18:43
@codecov
Copy link

codecov bot commented Nov 30, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 80.00%. Comparing base (3f28523) to head (7d44a79).

Additional details and impacted files 
@@           Coverage Diff            @@
##           develop    #8780   +/-   ##
========================================
  Coverage    80.00%   80.00%           
========================================
  Files         1700     1700           
  Lines       188257   188267   +10     
  Branches        73       73           
========================================
+ Hits        150615   150628   +13     
+ Misses       37642    37639    -3

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@tautschnig tautschnig force-pushed the refine-symex-pointer-unsoundness branch 2 times, most recently from c954ba7 to d48dfd7 Compare December 1, 2025 17:29
@tautschnig tautschnig marked this pull request as ready for review December 1, 2025 17:29
@tautschnig
Weak-memory examples: selectively use thread-local variables
5768940 
We cannot soundly handle pointer offsets that are shared across threads,
and will reject this in future to avoid unsound verification results.
Here, however, the pointer offsets are not actually shared, so we can
safely mark them `__CPROVER_thread_local`.
@tautschnig
goto-symex/concurrency: limit unsoundness-abort to dereferencing shar…
aed1da3 
…ed pointers

Reading and writing pointers is not not itself unsound, only the
interaction with value sets may cause unsound results. Hence, do not
reject programs that never dereference a shared pointer.

Fixes: diffblue#8714
Fixes: diffblue#7957
@tautschnig
Do not use value-set supported simplification with multiple threads
7d44a79 
Shared pointers may be updated in yet-to-be-executed threads.
Copilot AI review requested due to automatic review settings January 2, 2026 20:14
@tautschnig tautschnig force-pushed the refine-symex-pointer-unsoundness branch from d48dfd7 to 7d44a79 Compare January 2, 2026 20:14
Copilot AI reviewed Jan 2, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request refines the handling of symex pointer unsoundness in concurrent programs by marking specific variables as thread-local and updating test expectations to properly detect and report unsoundness issues.

  • Added __CPROVER_thread_local qualifier to register variables in weak memory model test files to ensure correct thread-local semantics
  • Updated test descriptors to detect pointer handling unsoundness in concurrent programs instead of silently passing or being marked as known bugs
  • Enabled previously disabled pthread tests on OSX and FreeBSD platforms

Reviewed changes

Copilot reviewed 300 out of 428 changed files in this pull request and generated no comments.

Show a summary per file
File Description
regression/goto-instrument-wmm-core/ppc_*.c Added __CPROVER_thread_local to register variables used in weak memory model tests
regression/cbmc-concurrency/*/test.desc Updated test expectations to detect pointer unsoundness instead of passing or being marked as known bugs
regression/cbmc-concurrency/Makefile Removed OSX and FreeBSD from pthread test exclusions
regression/cbmc-concurrency/CMakeLists.txt Simplified platform check to only exclude Windows for pthread tests
regression/cbmc-library/realloc/test_03.desc Changed from expecting failure to expecting success with --no-malloc-may-fail
regression/cbmc-concurrency/global_pointer1/ Split test into multiple variants to test with/without pointer dereferencing
regression/book-examples/account/C10.desc Changed from KNOWNBUG to CORE test

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@kroening kroening Awaiting requested review from kroening kroening is a code owner

@peterschrammel peterschrammel Awaiting requested review from peterschrammel peterschrammel is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

@kroening kroening

@peterschrammel peterschrammel

Labels

None yet

Projects

None yet

Milestone

No milestone

3 participants

@tautschnig @kroening @peterschrammel