Replace fake ZeroInit lattice with flat lattice

[sim642]

This is to potentially fix the issue from #2030 (comment).

The added test shows a handcrafted case where a malloc blob is joined with a calloc blob, which requires the joining of their ZeroInit values.
Previously, this raised an exception and even caused unsoundness because of the fake lattice being used.

This PR replaces that with a flat boolean lattice which can represent top.

TODO

• Check if this fixes the issue revealed by Improve memOutOfBounds precision for points-to sets which mix allocs with others #2030 (comment).

[sim642]

This already existing logic seems suspicious: seems it could be non-monotonic and unsound that zero_init_value isn't always included.
Maybe this was fine because the malloc and calloc cases were mutually exclusive before, but now with the top possibility, I'm not so sure anymore. If an initialized malloc blob (so not bot) is joined with an uninitialized calloc blob, then this doesn't add the zero-initialization.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[sim642]

In addition to fixing the exceptions introduced by #2030 (comment), this fixes an existing exception Lattice.TopValue verdict on ldv-linux-4.2-rc1/linux-4.2-rc1.tar.xz-43_2a-drivers--net--ethernet--mellanox--mlx5--core--mlx5_core.ko-entry_point.cil.out.
All of these happen on a memcpy which is what the second new test is about.

[Copilot]

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

[sim642]

This is the dual of #2035 (comment).

[michael-schwarz]

Can you elaborate on why calloc and malloc blobs ever need to be merged? Should we not try to keep these mutually exclusive?

[sim642]

I think we've tried to keep it that way for so long and been surprisingly successful at it. The added tests show cases where such joins are already happening. In one case it caused unsoundness, in the other a crash.

I don't know how else we could fix those. I guess being path-sensitive w.r.t. the kind of allocation for each one in the state would avoid it but that can be exponentially expensive.

[sim642]

I don't know how else we could fix those. I guess being path-sensitive w.r.t. the kind of allocation for each one in the state would avoid it but that can be exponentially expensive.

Another option would be to replace blobs with sets of blobs in the ValueDomain variant to keep both around. But this is a significantly bigger change because it requires lifting all the handling of blobs everywhere.
Given how rarely these actually come up in 1-3 SV-COMP tasks, I don't think it's worth the complexity.

[sim642]

I left a TODO with the possibly strange behavior of top ZeroInit.
Even if it's not ideal, it's slightly better than before because it fixes some unsoundness and a crash, and allows us to make progress cleaning up/improving the memOutOfBounds analysis: #2030 (comment).

I suspect the reason a few more instances where this happens came up in #2030 is a temporary situation. While staring at memOutOfBounds I discovered another significant imprecision in it: for a given points-to-set, it joins all the pointed abstract values and all of their sizes and then does the bounds check, as opposed to checking per-pointee.
It might be that joining of the blobs corresponding to different alloc variables that triggers such situations in the first place. Once that's cleaned up it should be more precise and avoid this occurring there as well.

Although in general it might not be entirely avoidable due to mallocWrappers collapsing things, as seen in one of the tests added here.
This PR should only really change things for the handful of cases that crashed before.