fix: Improve bidirectional memory allocation model (#205)

metametamoon · web-flow · commit c460acebabdf · 2025-08-04T16:30:34.000+04:00
* feat: bidirectional memory proper handling

* fix: handling pointers in bitwuzla builder

* fix: memory leak in bidirectional

* fix: pointer handling in solvers

* fix: test headers

* fix: caching pointer resolutions wherever safe
(in not isolated states)
diff --git a/lib/Core/Composer.cpp b/lib/Core/Composer.cpp
@@ -221,6 +221,17 @@ ExprVisitor::Action ComposeVisitor::visitSelect(const SelectExpr &select) {
       processSelect(select.cond, select.trueExpr, select.falseExpr));
 }
 
+ExprVisitor::Action
+ComposeVisitor::visitPointer(const PointerExpr &pointerExpr) {
+  return Action::changeTo(processPointer(pointerExpr.base, pointerExpr.value));
+}
+
+ref<Expr> ComposeVisitor::processPointer(ref<Expr> base, ref<Expr> value) {
+  auto trueBase = visit(base)->getValue();
+  auto trueValue = visit(value)->getValue();
+  return PointerExpr::create(trueBase, trueValue);
+}
+
 ref<ObjectState> ComposeVisitor::shareUpdates(ref<ObjectState> os,
                                               const UpdateList &updates) {
   ref<ObjectState> copy(new ObjectState(*os.get()));
diff --git a/lib/Core/Composer.h b/lib/Core/Composer.h
@@ -200,6 +200,9 @@ class ComposeVisitor : public ExprVisitor {
   ExprVisitor::Action visitRead(const ReadExpr &) override;
   ExprVisitor::Action visitConcat(const ConcatExpr &concat) override;
   ExprVisitor::Action visitSelect(const SelectExpr &) override;
+  ExprVisitor::Action visitPointer(const PointerExpr &) override;
+
+  ref<Expr> processPointer(ref<Expr> base, ref<Expr> value);
   ref<Expr> processRead(const Array *root, const UpdateList &updates,
                         ref<Expr> index, Expr::Width width);
   ref<Expr> processSelect(ref<Expr> cond, ref<Expr> trueExpr,
diff --git a/lib/Core/ExecutionState.cpp b/lib/Core/ExecutionState.cpp
@@ -167,9 +167,9 @@ ExecutionState::ExecutionState(const ExecutionState &state)
       forkDisabled(state.forkDisabled), isolated(state.isolated),
       finalComposing(state.finalComposing), returnValue(state.returnValue),
       gepExprBases(state.gepExprBases), multiplexKF(state.multiplexKF),
-      prevTargets_(state.prevTargets_), targets_(state.targets_),
-      prevHistory_(state.prevHistory_), history_(state.history_),
-      isTargeted_(state.isTargeted_) {
+      localObjects(state.localObjects), prevTargets_(state.prevTargets_),
+      targets_(state.targets_), prevHistory_(state.prevHistory_),
+      history_(state.history_), isTargeted_(state.isTargeted_) {
   queryMetaData.id = state.id;
 }
 
diff --git a/lib/Core/ExecutionState.h b/lib/Core/ExecutionState.h
@@ -405,6 +405,9 @@ class ExecutionState {
   // Temp: to know which multiplex path this state has taken
   KFunction *multiplexKF = nullptr;
 
+  // set with reads from alloca instructions
+  std::set<ref<const MemoryObject>> localObjects;
+
 private:
   PersistentSet<ref<Target>> prevTargets_;
   PersistentSet<ref<Target>> targets_;
diff --git a/lib/Core/Executor.cpp b/lib/Core/Executor.cpp
@@ -5391,6 +5391,7 @@ void Executor::run(ExecutionState *initialState,
   } else if (ExecutionMode == ExecutionKind::Bidirectional) {
     InitializerPredicate *predicate = new TraceVerifyPredicate(
         data.specialPoints, *codeGraphInfo.get(), InitializeInJoinBlocks);
+    // object manager assumes ownership over predicate
     objectManager->setPredicate(predicate);
     auto initializer = createIsolatedStatesInitializer(predicate, data);
     isolatedStatesInitializer = initializer.get();
@@ -7380,8 +7381,10 @@ void Executor::lazyInitializeLocalObject(ExecutionState &state, StackFrame &sf,
   ref<const MemoryObject> id = lazyInitializeObject(
       state, pointer, target, elementSize, size, true, conditionExpr,
       state.isolated || UseSymbolicSizeLazyInit);
-  state.addPointerResolution(pointer, id.get());
-  state.addPointerResolution(basePointer, id.get());
+  if (!state.isolated) {
+    state.addPointerResolution(pointer, id.get());
+    state.addPointerResolution(basePointer, id.get());
+  }
   state.addConstraint(EqExpr::create(address, id->getBaseExpr()));
   state.addConstraint(
       Expr::createIsZero(EqExpr::create(address, Expr::createPointer(0))));
@@ -7390,6 +7393,14 @@ void Executor::lazyInitializeLocalObject(ExecutionState &state, StackFrame &sf,
   }
   RefObjectPair op = state.addressSpace.findOrLazyInitializeObject(id.get());
   state.addressSpace.bindObject(op.first, op.second.get());
+  if (state.localObjects.count(id) == 0) {
+    for (auto localObject : state.localObjects) {
+      auto localObjectAddress = localObject->getBaseExpr();
+      state.constraints.addConstraint(Expr::createIsZero(
+          EqExpr::create(id->getBaseExpr(), localObjectAddress)));
+    }
+    state.localObjects.insert(id);
+  }
 }
 
 void Executor::lazyInitializeLocalObject(ExecutionState &state,
diff --git a/lib/Core/ObjectManager.h b/lib/Core/ObjectManager.h
@@ -116,7 +116,7 @@ class ObjectManager {
   std::vector<Subscriber *> subscribers;
   PForest *processForest;
 
-  InitializerPredicate *predicate;
+  std::unique_ptr<InitializerPredicate> predicate;
 
 public:
   ExecutionState *emptyState;
@@ -164,7 +164,7 @@ class ObjectManager {
   }
 
   void setPredicate(InitializerPredicate *predicate_) {
-    predicate = predicate_;
+    predicate = std::unique_ptr<InitializerPredicate>(predicate_);
   }
 };
 
diff --git a/lib/Solver/BitwuzlaBuilder.cpp b/lib/Solver/BitwuzlaBuilder.cpp
@@ -1113,6 +1113,11 @@ Term BitwuzlaBuilder::constructActual(ref<Expr> e, int *width_out) {
     assert(*width_out != 1 && "uncanonicalized FNeg");
     return ctx->mk_term(Kind::FP_NEG, {arg});
   }
+  case Expr::Pointer:
+  case Expr::ConstantPointer: {
+    PointerExpr *pointerExpr = cast<PointerExpr>(e);
+    return constructActual(pointerExpr->getValue(), width_out);
+  };
 
 // unused due to canonicalization
 #if 0
@@ -1124,7 +1129,7 @@ case Expr::Sge:
 #endif
 
   default:
-    assert(0 && "unhandled Expr type");
+    klee_error("unhandled Expr type");
     return getTrue();
   }
 }
diff --git a/lib/Solver/MetaSMTBuilder.h b/lib/Solver/MetaSMTBuilder.h
@@ -658,7 +658,7 @@ MetaSMTBuilder<SolverContext>::constructActual(ref<Expr> e, int *width_out) {
   switch (e->getKind()) {
   case Expr::Pointer:
   case Expr::ConstantPointer: {
-    assert(0 && "unreachable");
+    return constructActual(e->getValue(), width_out);
   }
 
   case Expr::Constant: {
diff --git a/lib/Solver/Z3BitvectorBuilder.cpp b/lib/Solver/Z3BitvectorBuilder.cpp
@@ -273,7 +273,8 @@ Z3ASTHandle Z3BitvectorBuilder::constructActual(ref<Expr> e, int *width_out) {
   switch (e->getKind()) {
   case Expr::Pointer:
   case Expr::ConstantPointer: {
-    assert(0 && "unreachable");
+    auto ptrExpr = cast<PointerExpr>(e);
+    return constructActual(ptrExpr->getValue(), width_out);
   }
 
   case Expr::Constant: {
diff --git a/lib/Solver/Z3CoreBuilder.cpp b/lib/Solver/Z3CoreBuilder.cpp
@@ -206,7 +206,7 @@ Z3ASTHandle Z3CoreBuilder::constructActual(ref<Expr> e, int *width_out) {
   switch (e->getKind()) {
   case Expr::Pointer:
   case Expr::ConstantPointer: {
-    assert(0 && "unreachable");
+    return constructActual(e->getValue(), width_out);
   }
 
   case Expr::Constant: {
diff --git a/test/Bidirectional/Memory/cond-function-pointer-change-2.c b/test/Bidirectional/Memory/cond-function-pointer-change-2.c
@@ -0,0 +1,36 @@
+// RUN: %clang %s -emit-llvm %O0opt -c -fno-discard-value-names -o %t.bc
+// RUN: rm -rf %t.klee-out
+// RUN: %klee --write-kqueries --output-dir=%t.klee-out --max-propagations=5 --max-stack-frames=15 --execution-mode=bidirectional --tmp-skip-fns-in-init=false --initialize-in-join-blocks --function-call-reproduce=reach_error --skip-not-lazy-initialized --forward-ticks=0 --backward-ticks=5 --skip-not-symbolic-objects --write-xml-tests --debug-log=rootpob,backward,conflict,closepob,reached,init --debug-constraints=backward %t.bc 2> %t.log
+// RUN: FileCheck %s -input-file=%t.log
+
+#include "klee/klee.h"
+#include <assert.h>
+#include <stdlib.h>
+
+void reach_error() {
+  klee_assert(0);
+}
+
+void M(int *km, int *kn, int inner_toggle) {
+  if (inner_toggle == 1) {
+    *km = 0;
+  } else {
+    *kn = 0;
+  }
+}
+
+int main() {
+  int m;
+  klee_make_symbolic(&m, sizeof(m), "m");
+  klee_assume(m != 0);
+  int n = 3;
+  int toggle;
+  klee_make_symbolic(&toggle, sizeof(toggle), "toggle");
+  klee_assume(toggle == 0 || toggle == 1);
+  M(&m, &n, toggle);
+  if (m != 0) {
+    reach_error();
+  }
+}
+
+// CHECK: [TRUE POSITIVE] FOUND TRUE POSITIVE AT
diff --git a/test/Bidirectional/Memory/cond-function-pointer-change-3.c b/test/Bidirectional/Memory/cond-function-pointer-change-3.c
@@ -0,0 +1,36 @@
+// RUN: %clang %s -emit-llvm %O0opt -c -fno-discard-value-names -o %t.bc
+// RUN: rm -rf %t.klee-out
+// RUN: %klee --write-kqueries --output-dir=%t.klee-out --max-propagations=5 --max-stack-frames=15 --execution-mode=bidirectional --tmp-skip-fns-in-init=false --initialize-in-join-blocks --function-call-reproduce=reach_error --skip-not-lazy-initialized --forward-ticks=0 --backward-ticks=5 --skip-not-symbolic-objects --write-xml-tests --debug-log=rootpob,backward,conflict,closepob,reached,init --debug-constraints=backward %t.bc 2> %t.log
+// RUN: FileCheck %s -input-file=%t.log
+
+#include "klee/klee.h"
+#include <assert.h>
+#include <stdlib.h>
+
+void reach_error() {
+  klee_assert(0);
+}
+
+void M(int *km, int *kn, int inner_toggle) {
+  if (inner_toggle == 1) {
+    *km = 0;
+  } else {
+    *kn = 0;
+  }
+}
+
+int main() {
+  int m;
+  klee_make_symbolic(&m, sizeof(m), "m");
+  klee_assume(m != 0);
+  int n = 3;
+  int toggle;
+  klee_make_symbolic(&toggle, sizeof(toggle), "toggle");
+  M(&m, &n, toggle);
+  klee_assume(toggle == 1);
+  if (m != 0) {
+    reach_error();
+  }
+}
+
+// CHECK: [FALSE POSITIVE] FOUND FALSE POSITIVE AT
diff --git a/test/Bidirectional/Memory/cond-function-pointer-change.c b/test/Bidirectional/Memory/cond-function-pointer-change.c
@@ -0,0 +1,38 @@
+// RUN: %clang %s -emit-llvm %O0opt -c -fno-discard-value-names -o %t.bc
+// RUN: rm -rf %t.klee-out
+// RUN: %klee --write-kqueries --output-dir=%t.klee-out --max-propagations=5 --max-stack-frames=15 --execution-mode=bidirectional --tmp-skip-fns-in-init=false --initialize-in-join-blocks --function-call-reproduce=reach_error --skip-not-lazy-initialized --forward-ticks=0 --backward-ticks=5 --skip-not-symbolic-objects --write-xml-tests --debug-log=rootpob,backward,conflict,closepob,reached,init --debug-constraints=backward --use-concretizing-solver=false %t.bc 2> %t.log
+// RUN: FileCheck %s -input-file=%t.log
+
+#include "klee/klee.h"
+#include <assert.h>
+#include <stdlib.h>
+
+void reach_error() {
+  klee_assert(0);
+}
+
+void M(int *k) {
+  *k = 0;
+}
+
+int main() {
+  int m;
+  klee_make_symbolic(&m, sizeof(m), "m");
+  klee_assume(m != 0);
+  int n = 3;
+  int toggle;
+  klee_make_symbolic(&toggle, sizeof(toggle), "toggle");
+  klee_assume(toggle == 0 || toggle == 1);
+  int *ptr;
+  if (toggle == 0) {
+    ptr = &m;
+  } else {
+    ptr = &n;
+  }
+  M(ptr);
+  if (m != 0) {
+    reach_error();
+  }
+}
+
+// CHECK: [TRUE POSITIVE] FOUND TRUE POSITIVE AT
diff --git a/test/Bidirectional/Memory/cond-stack-pointer-change.c b/test/Bidirectional/Memory/cond-stack-pointer-change.c
@@ -0,0 +1,34 @@
+// RUN: %clang %s -emit-llvm %O0opt -c -fno-discard-value-names -o %t.bc
+// RUN: rm -rf %t.klee-out
+// RUN: %klee --write-kqueries --output-dir=%t.klee-out --max-propagations=5 --max-stack-frames=15 --execution-mode=bidirectional --tmp-skip-fns-in-init=false --initialize-in-join-blocks --function-call-reproduce=reach_error --skip-not-lazy-initialized --forward-ticks=0 --backward-ticks=5 --skip-not-symbolic-objects --write-xml-tests --debug-log=rootpob,backward,conflict,closepob,reached,init --debug-constraints=backward --use-concretizing-solver=false %t.bc 2> %t.log
+// RUN: FileCheck %s -input-file=%t.log
+
+#include "klee/klee.h"
+#include <assert.h>
+#include <stdlib.h>
+
+void reach_error() {
+  klee_assert(0);
+}
+
+int main() {
+  int m;
+  klee_make_symbolic(&m, sizeof(m), "m");
+  klee_assume(m != 0);
+  int n = 3;
+  int toggle;
+  klee_make_symbolic(&toggle, sizeof(toggle), "toggle");
+  klee_assume(toggle == 0 || toggle == 1);
+  int *ptr;
+  if (toggle == 0) {
+    ptr = &m;
+  } else {
+    ptr = &n;
+  }
+  *ptr = 0;
+  if (m != 0) {
+    reach_error();
+  }
+}
+
+// CHECK: [TRUE POSITIVE] FOUND TRUE POSITIVE AT
diff --git a/test/Bidirectional/Memory/double-alloc-call-possible.c b/test/Bidirectional/Memory/double-alloc-call-possible.c
@@ -0,0 +1,31 @@
+// XFAIL: true
+// do not support good symbolic memory currently
+// RUN: %clang %s -emit-llvm %O0opt -c -fno-discard-value-names -o %t.bc
+// RUN: rm -rf %t.klee-out
+// RUN: %klee --write-kqueries --output-dir=%t.klee-out --max-propagations=3 --max-stack-frames=4 --execution-mode=bidirectional --tmp-skip-fns-in-init=false --initialize-in-join-blocks --function-call-reproduce=reach_error --skip-not-lazy-initialized --forward-ticks=0 --backward-ticks=5 --skip-not-symbolic-objects --use-visitor-hash=false --write-xml-tests --debug-log=rootpob,backward,conflict,closepob,reached,init --debug-constraints=backward %t.bc 2> %t.log
+// RUN: FileCheck %s -input-file=%t.log
+
+#include "klee/klee.h"
+#include <assert.h>
+#include <stdlib.h>
+
+void reach_error() {
+  klee_assert(0);
+}
+
+int *my_alloca() {
+  int *a = malloc(sizeof(int));
+  return a;
+}
+
+int main() {
+  int *x = my_alloca();
+  int *y = my_alloca();
+  if (y != x) {
+    reach_error();
+  }
+  free(x);
+  free(y);
+}
+
+// CHECK: [TRUE POSITIVE]
diff --git a/test/Bidirectional/Memory/fake-function-pointer-change.c b/test/Bidirectional/Memory/fake-function-pointer-change.c
@@ -0,0 +1,30 @@
+// RUN: %clang %s -emit-llvm %O0opt -c -fno-discard-value-names -o %t.bc
+// RUN: rm -rf %t.klee-out
+// RUN: %klee --write-kqueries --output-dir=%t.klee-out --max-propagations=5 --max-stack-frames=15 --execution-mode=bidirectional --tmp-skip-fns-in-init=false --initialize-in-join-blocks --function-call-reproduce=reach_error --skip-not-lazy-initialized --forward-ticks=0 --backward-ticks=5 --skip-not-symbolic-objects --write-xml-tests --debug-log=rootpob,backward,conflict,closepob,reached,init --debug-constraints=backward %t.bc 2> %t.log
+// RUN: FileCheck %s -input-file=%t.log
+
+#include "klee/klee.h"
+#include <assert.h>
+#include <stdlib.h>
+
+void reach_error() {
+  klee_assert(0);
+}
+
+void M(int *k) {
+  *k = 0;
+}
+
+int main() {
+  int m;
+  int n = 4;
+  klee_make_symbolic(&m, sizeof(m), "m");
+  klee_assume(m != 0);
+  int *ptr = &n;
+  M(ptr);
+  if (m != 0) {
+    reach_error();
+  }
+}
+
+// CHECK: [TRUE POSITIVE] FOUND TRUE POSITIVE AT
diff --git a/test/Bidirectional/Memory/fake-stack-pointer-change.c b/test/Bidirectional/Memory/fake-stack-pointer-change.c
@@ -0,0 +1,26 @@
+// RUN: %clang %s -emit-llvm %O0opt -c -fno-discard-value-names -o %t.bc
+// RUN: rm -rf %t.klee-out
+// RUN: %klee --write-kqueries --output-dir=%t.klee-out --max-propagations=5 --max-stack-frames=15 --execution-mode=bidirectional --tmp-skip-fns-in-init=false --initialize-in-join-blocks --function-call-reproduce=reach_error --skip-not-lazy-initialized --forward-ticks=0 --backward-ticks=5 --skip-not-symbolic-objects --write-xml-tests --debug-log=rootpob,backward,conflict,closepob,reached,init --debug-constraints=backward %t.bc 2> %t.log
+// RUN: FileCheck %s -input-file=%t.log
+
+#include "klee/klee.h"
+#include <assert.h>
+#include <stdlib.h>
+
+void reach_error() {
+  klee_assert(0);
+}
+
+int main() {
+  int m;
+  int n = 4;
+  klee_make_symbolic(&m, sizeof(m), "m");
+  klee_assume(m != 0);
+  int *ptr = &n;
+  *ptr = 0;
+  if (m != 0) {
+    reach_error();
+  }
+}
+
+// CHECK: [TRUE POSITIVE] FOUND TRUE POSITIVE AT
diff --git a/test/Bidirectional/Memory/function-pointer-assign-change.c b/test/Bidirectional/Memory/function-pointer-assign-change.c
diff --git a/test/Bidirectional/Memory/function-pointer-change.c b/test/Bidirectional/Memory/function-pointer-change.c
diff --git a/test/Bidirectional/Memory/stack-pointer-change-2.c b/test/Bidirectional/Memory/stack-pointer-change-2.c
diff --git a/test/Bidirectional/Memory/stack-pointer-change.c b/test/Bidirectional/Memory/stack-pointer-change.c
diff --git a/test/regression/2023-02-01-replay-test-with-lazy-initialized-objects.c b/test/regression/2023-02-01-replay-test-with-lazy-initialized-objects.c

Original file line number	Diff line number	Diff line change
`@@ -116,7 +116,7 @@ class ObjectManager {`
`116`	`116`	`std::vector<Subscriber *> subscribers;`
`117`	`117`	`PForest *processForest;`
`118`	`118`
`119`		`- InitializerPredicate *predicate;`
	`119`	`+ std::unique_ptr<InitializerPredicate> predicate;`
`120`	`120`
`121`	`121`	`public:`
`122`	`122`	`ExecutionState *emptyState;`
`@@ -164,7 +164,7 @@ class ObjectManager {`
`164`	`164`	`}`
`165`	`165`
`166`	`166`	`void setPredicate(InitializerPredicate *predicate_) {`
`167`		`- predicate = predicate_;`
	`167`	`+ predicate = std::unique_ptr<InitializerPredicate>(predicate_);`
`168`	`168`	`}`
`169`	`169`	`};`
`170`	`170`
Original file line number	Diff line number	Diff line change
`@@ -1113,6 +1113,11 @@ Term BitwuzlaBuilder::constructActual(ref<Expr> e, int *width_out) {`
`1113`	`1113`	`assert(*width_out != 1 && "uncanonicalized FNeg");`
`1114`	`1114`	`return ctx->mk_term(Kind::FP_NEG, {arg});`
`1115`	`1115`	`}`
	`1116`	`+ case Expr::Pointer:`
	`1117`	`+ case Expr::ConstantPointer: {`
	`1118`	`+ PointerExpr *pointerExpr = cast<PointerExpr>(e);`
	`1119`	`+ return constructActual(pointerExpr->getValue(), width_out);`
	`1120`	`+ };`
`1116`	`1121`
`1117`	`1122`	`// unused due to canonicalization`
`1118`	`1123`	`#if 0`
`@@ -1124,7 +1129,7 @@ case Expr::Sge:`
`1124`	`1129`	`#endif`
`1125`	`1130`
`1126`	`1131`	`default:`
`1127`		`- assert(0 && "unhandled Expr type");`
	`1132`	`+ klee_error("unhandled Expr type");`
`1128`	`1133`	`return getTrue();`
`1129`	`1134`	`}`
`1130`	`1135`	`}`
Original file line number	Diff line number	Diff line change
`@@ -658,7 +658,7 @@ MetaSMTBuilder<SolverContext>::constructActual(ref<Expr> e, int *width_out) {`
`658`	`658`	`switch (e->getKind()) {`
`659`	`659`	`case Expr::Pointer:`
`660`	`660`	`case Expr::ConstantPointer: {`
`661`		`- assert(0 && "unreachable");`
	`661`	`+ return constructActual(e->getValue(), width_out);`
`662`	`662`	`}`
`663`	`663`
`664`	`664`	`case Expr::Constant: {`
Original file line number	Diff line number	Diff line change
`@@ -273,7 +273,8 @@ Z3ASTHandle Z3BitvectorBuilder::constructActual(ref<Expr> e, int *width_out) {`
`273`	`273`	`switch (e->getKind()) {`
`274`	`274`	`case Expr::Pointer:`
`275`	`275`	`case Expr::ConstantPointer: {`
`276`		`- assert(0 && "unreachable");`
	`276`	`+ auto ptrExpr = cast<PointerExpr>(e);`
	`277`	`+ return constructActual(ptrExpr->getValue(), width_out);`
`277`	`278`	`}`
`278`	`279`
`279`	`280`	`case Expr::Constant: {`
Original file line number	Diff line number	Diff line change
`@@ -206,7 +206,7 @@ Z3ASTHandle Z3CoreBuilder::constructActual(ref<Expr> e, int *width_out) {`
`206`	`206`	`switch (e->getKind()) {`
`207`	`207`	`case Expr::Pointer:`
`208`	`208`	`case Expr::ConstantPointer: {`
`209`		`- assert(0 && "unreachable");`
	`209`	`+ return constructActual(e->getValue(), width_out);`
`210`	`210`	`}`
`211`	`211`
`212`	`212`	`case Expr::Constant: {`