Mentions légales du service

Skip to content
Find file Blame History Permalink
  • Andrei Paskevich's avatar
    Expr: execute abstract blocks and whiteboxes with unfiltered effect · f9ff4e02
    Andrei Paskevich authored 
    This commit also contains a fix for a curious exploit of our type
system which was made possible by a combination of local exceptions
and a special treatment of abstract blocks and whiteboxes.

Local exceptions allow us to exploit the type inference mechanism
and to force the same regions onto unrelated expressions. This is due
to the fact that local exceptions are region-monomorphic (this may be
relaxed in future). Of course, this was always possible via the API,
and the false aliases do not threaten the soundness of the system,
thanks to the following critical invariant:

  An allocation of a new mutable value always has an associated reset
  effect which invalidates the existing variables of the same type.

So, if two variables share a region, then exactly one of three
conditions must hold:

1. They are actually aliased, and modification of one must change
   the other in the VC.

2. They are not aliased, but the newer one invalidates the other:
   this is a case of false alias made benign by the reset effect.

3. The shared region is not actually reachable from the newer one:
        let x = if true then None else Some r
   this is another false alias, without an associated reset effect,
   yet still benign since the shared region is not reachable from x.

However, the type system and the VC generator must have the exact
same view on who's who's alias. If the VCgen encounters in the
same control flow two variables with a shared region in the type,
then the type system must have ensured one of the three conditions
above. Prior to this commit, there were two cases which violated
this:

- An exception raised in an abstract block that does not have
  an exceptional postcondition for it, escapes into the main
  control flow.

- A whitebox, by its nature, is fully handled inside the main
  control flow.

The violation came from the fact that abstract blocks and whiteboxes
are stored as cexps and so their effect is filtered by Ity.create_cty
in order to hide effects on variables allocated and collected inside
the block. This is a useful and necessary feature, except when the
VC of the block escapes into the main control flow and the forced
false aliases -- unchecked by the type system -- are seen by VCgen.
The implemented fix resolves the issue by restoring the hidden
effects for abstract blocks and whiteboxes.

Check bench/programs/bad-typing/false_alias*.mlw for two concrete
examples.
    f9ff4e02