Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reading a static mutable reference crashes with empty mux tree #2145

Open
sauclovian-g opened this issue Nov 7, 2024 · 1 comment
Open

Reading a static mutable reference crashes with empty mux tree #2145

sauclovian-g opened this issue Nov 7, 2024 · 1 comment
Labels
needs test Issues for which we should add a regression test subsystem: crucible-mir Issues related to Rust verification with crucible-mir and/or mir-json topics: error-handling Issues involving the way SAW responds to an error condition topics: error-messages Issues involving the messages SAW produces on error type: bug Issues reporting bugs or unexpected/unwanted behavior usability An issue that impedes efficient understanding and use
Milestone
2024T3

Comments

@sauclovian-g
Copy link
Collaborator

foo.rs:

static mut X: u32 = 1;

pub fn f() -> u32 {
   unsafe { X }
}

foo.saw, which is incorrect:

enable_experimental;
m <- mir_load_module "foo.linked-mir.json";

let f_spec = do {
    mir_execute_func [];
    mir_return (mir_term {{ 1 : [32] }});
};
mir_verify m "foo::f" [] false f_spec z3;

Results:

[23:50:41.124] Loading file ".../foo.saw"
[23:50:41.173] Verifying foo/34e0fe10::f[0] ...
[23:50:41.180] Simulating foo/34e0fe10::f[0] ...
[23:50:41.180] Stack trace:
"mir_verify" (.../foo.saw:8:1-8:11)
Symbolic execution failed.
Abort due to assertion failure:
  foo.rs:4:13: 4:14: error: in foo/34e0fe10::f[0]
  attempted to read empty mux tree

It is good that this doesn't verify, since any correct spec needs to engage with the mutable static directly, but this is not how it should be failing.

Closely related to #1960, maybe should just have been a comment there, but seems like potentially a separate problem.
@sauclovian-g sauclovian-g added type: bug Issues reporting bugs or unexpected/unwanted behavior topics: error-messages Issues involving the messages SAW produces on error needs test Issues for which we should add a regression test usability An issue that impedes efficient understanding and use topics: error-handling Issues involving the way SAW responds to an error condition subsystem: crucible-mir Issues related to Rust verification with crucible-mir and/or mir-json labels Nov 7, 2024
@sauclovian-g sauclovian-g added this to the 2024T3 milestone Nov 7, 2024
@RyanGlScott
Copy link
Contributor

For some context, "attempted to read empty mux tree" is a rather generic error message that arises whenever you read from uninitialized MIR memory. You can also trigger the same error by doing something like this:

// foo.rs
pub fn f(x: &u32) -> u32 {
    *x
}
// foo.saw
enable_experimental;
m <- mir_load_module "foo.linked-mir.json";

let f_spec = do {
    x <- mir_alloc mir_u32;
    mir_execute_func [x];
};
mir_verify m "foo::f" [] false f_spec z3;

$ ~/Software/saw-1.2/bin/saw foo.saw
[12:23:16.298] Loading file "/home/ryanscott/Documents/Hacking/SAW/foo.saw"
[12:23:16.319] Verifying foo/145181a5::f[0] ...
[12:23:16.330] Simulating foo/145181a5::f[0] ...
[12:23:16.331] Stack trace:
"mir_verify" (/home/ryanscott/Documents/Hacking/SAW/foo.saw:9:1-9:11)
Symbolic execution failed.
Abort due to assertion failure:
  foo.rs:3:5: 3:7: error: in foo/145181a5::f[0]
  attempted to read empty mux tree

(Note that f_spec allocates x but does not initialize it.)

I agree that it would be nice to improve this error message. I haven't thought deeply about the best way to do so, however.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
needs test Issues for which we should add a regression test subsystem: crucible-mir Issues related to Rust verification with crucible-mir and/or mir-json topics: error-handling Issues involving the way SAW responds to an error condition topics: error-messages Issues involving the messages SAW produces on error type: bug Issues reporting bugs or unexpected/unwanted behavior usability An issue that impedes efficient understanding and use
Projects
None yet
Milestone
2024T3
Development

No branches or pull requests
2 participants
@RyanGlScott @sauclovian-g