undefined shifts are now fatal

kroening · kroening · commit c70148e46a97 · 2024-06-05T05:59:12.000-07:00
There are various criteria for shift expressions that render them undefined
behavior.  The corresponding assertions are now fatal.
diff --git a/regression/cbmc-incr-smt2/bitvector-bitwise-operators/shift_right.desc b/regression/cbmc-incr-smt2/bitvector-bitwise-operators/shift_right.desc
@@ -2,8 +2,8 @@ CORE
 shift_right.c
 --trace
 \[main\.assertion\.1\] line \d+ Right shifting a uint with leftmost bit set is a logical shift: FAILURE
-\[main\.assertion\.2\] line \d+ Right shifting a positive number has a lower bound of 0: SUCCESS
-\[main\.assertion\.3\] line \d+ Right shifting a negative number has a lower bound value of -1: SUCCESS
+\[main\.assertion\.2\] line \d+ Right shifting a positive number has a lower bound of 0: UNKNOWN
+\[main\.assertion\.3\] line \d+ Right shifting a negative number has a lower bound value of -1: UNKNOWN
 second=128
 result_unsigned=(64|'@')
 ^EXIT=10$
diff --git a/regression/cbmc/Undefined_Shift1/main.c b/regression/cbmc/Undefined_Shift1/main.c
@@ -20,9 +20,20 @@ void negative_operand()
   int s = -1 << ((sizeof(int) - 1) * 8); // negative operand
 }
 
+int nondet_int();
+
 int main()
 {
-  shift_distance_too_large();
-  shift_distance_negative();
-  negative_operand();
+  switch(nondet_int())
+  {
+  case 0:
+    shift_distance_too_large();
+    break;
+  case 1:
+    shift_distance_negative();
+    break;
+  case 2:
+    negative_operand();
+    break;
+  }
 }
diff --git a/regression/cbmc/Undefined_Shift1/test.desc b/regression/cbmc/Undefined_Shift1/test.desc
@@ -7,7 +7,7 @@ main.c
 ^\[.*\] line 5 shift operand is negative in .*: SUCCESS$
 ^\[.*\] line 7 shift distance too large in .*: FAILURE$
 ^\[.*\] line 15 shift distance is negative in .*: FAILURE$
-^\[.*\] line 15 shift distance too large in .*: SUCCESS$
+^\[.*\] line 15 shift distance too large in .*: UNKNOWN$
 ^\[.*\] line 20 shift operand is negative in .*: FAILURE$
 ^\*\* 4 of 9 failed
 ^VERIFICATION FAILED$
diff --git a/regression/cbmc/overflow/leftshift_overflow-c89.desc b/regression/cbmc/overflow/leftshift_overflow-c89.desc
@@ -3,15 +3,15 @@ leftshift_overflow.c
 --c89
 ^EXIT=10$
 ^SIGNAL=0$
-^\[.*\] line 8 arithmetic overflow on signed shl in .*: FAILURE$
-^\[.*\] line 11 arithmetic overflow on signed shl in .*: SUCCESS$
-^\[.*\] line 17 arithmetic overflow on signed shl in .*: SUCCESS$
-^\[.*\] line 20 arithmetic overflow on signed shl in .*: FAILURE$
-^\[.*\] line 30 arithmetic overflow on signed shl in .*: SUCCESS$
+^\[leftshift_overflow1\.overflow\.1\] line \d+ arithmetic overflow on signed shl in .*: FAILURE$
+^\[leftshift_overflow2\.overflow\.1\] line \d+ arithmetic overflow on signed shl in .*: SUCCESS$
+^\[leftshift_overflow4\.overflow\.2\] line \d+ arithmetic overflow on signed shl in .*: UNKNOWN$
+^\[leftshift_overflow5\.overflow\.1\] line \d+ arithmetic overflow on signed shl in .*: FAILURE$
+^\[leftshift_overflow8\.overflow\.1\] line \d+ arithmetic overflow on signed shl in .*: SUCCESS$
 ^\*\* 6 of \d+ failed
 ^VERIFICATION FAILED$
 --
 ^warning: ignoring
-^\[.*\] line 14 arithmetic overflow on signed shl in .*: .*
-^\[.*\] line 23 arithmetic overflow on signed shl in .*: .*
-^\[.*\] line 26 arithmetic overflow on signed shl in .*: .*
+^\[leftshift_overflow3\.overflow\..*\] line \d+ arithmetic overflow on signed shl in .*: .*$
+^\[leftshift_overflow6\.overflow\..*\] line \d+ arithmetic overflow on signed shl in .*: .*$
+^\[leftshift_overflow7\.overflow\..*\] line \d+ arithmetic overflow on signed shl in .*: .*$
diff --git a/regression/cbmc/overflow/leftshift_overflow-c99-full-slice.desc b/regression/cbmc/overflow/leftshift_overflow-c99-full-slice.desc
@@ -3,15 +3,15 @@ leftshift_overflow.c
 --c99 --full-slice
 ^EXIT=10$
 ^SIGNAL=0$
-^\[.*\] line 8 arithmetic overflow on signed shl in .*: FAILURE$
-^\[.*\] line 11 arithmetic overflow on signed shl in .*: SUCCESS$
-^\[.*\] line 17 arithmetic overflow on signed shl in .*: SUCCESS$
-^\[.*\] line 20 arithmetic overflow on signed shl in .*: FAILURE$
-^\[.*\] line 26 arithmetic overflow on signed shl in .*: FAILURE$
-^\[.*\] line 30 arithmetic overflow on signed shl in .*: FAILURE$
+^\[leftshift_overflow1\.overflow\.1\] line \d+ arithmetic overflow on signed shl in .*: FAILURE$
+^\[leftshift_overflow2\.overflow\.1\] line \d+ arithmetic overflow on signed shl in .*: SUCCESS$
+^\[leftshift_overflow4\.overflow\.2\] line \d+ arithmetic overflow on signed shl in .*: UNKNOWN$
+^\[leftshift_overflow5\.overflow\.1\] line \d+ arithmetic overflow on signed shl in .*: FAILURE$
+^\[leftshift_overflow7\.overflow\.1\] line \d+ arithmetic overflow on signed shl in .*: FAILURE$
+^\[leftshift_overflow8\.overflow\.1\] line \d+ arithmetic overflow on signed shl in .*: FAILURE$
 ^\*\* 8 of \d+ failed
 ^VERIFICATION FAILED$
 --
 ^warning: ignoring
-^\[.*\] line 14 arithmetic overflow on signed shl in .*: .*
-^\[.*\] line 23 arithmetic overflow on signed shl in .*: .*
+^\[leftshift_overflow3\.overflow\..*\] line \d+ arithmetic overflow on signed shl in .*: .*$
+^\[leftshift_overflow6\.overflow\..*\] line \d+ arithmetic overflow on signed shl in .*: .*$
diff --git a/regression/cbmc/overflow/leftshift_overflow-c99.desc b/regression/cbmc/overflow/leftshift_overflow-c99.desc
@@ -3,15 +3,15 @@ leftshift_overflow.c
 --c99
 ^EXIT=10$
 ^SIGNAL=0$
-^\[.*\] line 8 arithmetic overflow on signed shl in .*: FAILURE$
-^\[.*\] line 11 arithmetic overflow on signed shl in .*: SUCCESS$
-^\[.*\] line 17 arithmetic overflow on signed shl in .*: SUCCESS$
-^\[.*\] line 20 arithmetic overflow on signed shl in .*: FAILURE$
-^\[.*\] line 26 arithmetic overflow on signed shl in .*: FAILURE$
-^\[.*\] line 30 arithmetic overflow on signed shl in .*: FAILURE$
+^\[leftshift_overflow1\.overflow\.1\] line \d+ arithmetic overflow on signed shl in .*: FAILURE$
+^\[leftshift_overflow2\.overflow\.1\] line \d+ arithmetic overflow on signed shl in .*: SUCCESS$
+^\[leftshift_overflow4\.overflow\.2\] line \d+ arithmetic overflow on signed shl in .*: UNKNOWN$
+^\[leftshift_overflow5\.overflow\.1\] line \d+ arithmetic overflow on signed shl in .*: FAILURE$
+^\[leftshift_overflow7\.overflow\.1\] line \d+ arithmetic overflow on signed shl in .*: FAILURE$
+^\[leftshift_overflow8\.overflow\.1\] line \d+ arithmetic overflow on signed shl in .*: FAILURE$
 ^\*\* 8 of \d+ failed
 ^VERIFICATION FAILED$
 --
 ^warning: ignoring
-^\[.*\] line 14 arithmetic overflow on signed shl in .*: .*
-^\[.*\] line 23 arithmetic overflow on signed shl in .*: .*
+^\[leftshift_overflow3\.overflow\..*\] line \d+ arithmetic overflow on signed shl in .*: .*$
+^\[leftshift_overflow6\.overflow\..*\] line \d+ arithmetic overflow on signed shl in .*: .*$
diff --git a/regression/cbmc/overflow/leftshift_overflow.c b/regression/cbmc/overflow/leftshift_overflow.c
@@ -1,33 +1,90 @@
 #include <inttypes.h>
 
-int main()
+void leftshift_overflow1(unsigned char x)
 {
-  unsigned char x;
-
   // signed, owing to promotion, and may overflow
   unsigned r = x << ((sizeof(unsigned) - 1) * 8 + 1);
+}
 
+void leftshift_overflow2(unsigned char x)
+{
   // signed, owing to promotion, and cannot overflow
-  r = x << ((sizeof(unsigned) - 1) * 8 - 1);
+  unsigned r = x << ((sizeof(unsigned) - 1) * 8 - 1);
+}
 
+void leftshift_overflow3(unsigned char x)
+{
   // unsigned
-  r = (unsigned)x << ((sizeof(unsigned) - 1) * 8);
+  unsigned r = (unsigned)x << ((sizeof(unsigned) - 1) * 8);
+}
 
+void leftshift_overflow4(unsigned char x)
+{
   // negative value or zero, not an overflow
   int s = -x << ((sizeof(int) - 1) * 8);
+}
 
+void leftshift_overflow5(unsigned char x)
+{
   // overflow
-  s = 1 << x;
+  int s = 1 << x;
+}
+
+int nondet_int();
 
+void leftshift_overflow6(unsigned char x)
+{
   // distance too far, not an overflow
-  s = s << 100;
+  int s = nondet_int();
+  int t = s << 100;
+}
 
+void leftshift_overflow7(unsigned char x)
+{
   // not an overflow in ANSI-C, but undefined in C99
-  s = 1 << (sizeof(int) * 8 - 1);
+  int s = 1 << (sizeof(int) * 8 - 1);
+}
 
+void leftshift_overflow8(unsigned char x)
+{
   // overflow in an expression where operand and distance types are different
   uint32_t u32;
   int64_t i64 = ((int64_t)u32) << 32;
+}
+
+unsigned char nondet_uchar();
+
+int main()
+{
+  unsigned char x = nondet_uchar();
+
+  switch(nondet_uchar())
+  {
+  case 1:
+    leftshift_overflow1(x);
+    break;
+  case 2:
+    leftshift_overflow2(x);
+    break;
+  case 3:
+    leftshift_overflow3(x);
+    break;
+  case 4:
+    leftshift_overflow4(x);
+    break;
+  case 5:
+    leftshift_overflow5(x);
+    break;
+  case 6:
+    leftshift_overflow6(x);
+    break;
+  case 7:
+    leftshift_overflow7(x);
+    break;
+  case 8:
+    leftshift_overflow8(x);
+    break;
+  }
 
   return 0;
 }
diff --git a/src/ansi-c/goto-conversion/goto_check_c.cpp b/src/ansi-c/goto-conversion/goto_check_c.cpp
@@ -583,7 +583,7 @@ void goto_check_ct::undefined_shift_check(
       inequality,
       "shift distance is negative",
       "undefined-shift",
-      false, // fatal
+      true, // fatal
       expr.find_source_location(),
       expr,
       guard);
@@ -600,7 +600,7 @@ void goto_check_ct::undefined_shift_check(
       binary_relation_exprt(expr.distance(), ID_lt, std::move(width_expr)),
       "shift distance too large",
       "undefined-shift",
-      false, // fatal
+      true, // fatal
       expr.find_source_location(),
       expr,
       guard);
@@ -614,7 +614,7 @@ void goto_check_ct::undefined_shift_check(
         inequality,
         "shift operand is negative",
         "undefined-shift",
-        false, // fatal
+        true, // fatal
         expr.find_source_location(),
         expr,
         guard);
@@ -626,7 +626,7 @@ void goto_check_ct::undefined_shift_check(
       false_exprt(),
       "shift of non-integer type",
       "undefined-shift",
-      false, // fatal
+      true, // fatal
       expr.find_source_location(),
       expr,
       guard);
