Emit dead goto-instructions on MIR StatementDead (rust-lang#3063)

This commit adds a new `Dead` goto-instruction that gets codegened
whenever Kani sees a MIR `StatementDead` statement. This new
goto instruction corresponds to the CBMC [code_deadt](
https://diffblue.github.io/cbmc/classcode__deadt.html) statement
that marks the point where a local variable goes out of scope.

This new instruction is needed to detect invalid accesses of dead local
variables.

The commit also codegens a CBMC `Decl` instruction upon seeing a MIR
StatementLive. This ensures that variables that go out of scope at the
end of a loop are not falsely marked as having a dead dereference when
they are accessed on the next loop iteration.

Resolves rust-lang#3061.

By submitting this pull request, I confirm that my contribution is made under
the terms of the Apache 2.0 and MIT licenses.

Author: karkhaz

cprover_bindings/src/goto_program/stmt.rs

@@ -57,6 +57,8 @@ pub enum StmtBody {
     Break,
     /// `continue;`
     Continue,
+    /// End-of-life of a local variable
+    Dead(Expr),
     /// `lhs.typ lhs = value;` or `lhs.typ lhs;`
     Decl {
         lhs: Expr, // SymbolExpr
@@ -232,6 +234,11 @@ impl Stmt {
         BuiltinFn::CProverCover.call(vec![cond], loc).as_stmt(loc)
     }
 
+    /// Local variable goes out of scope
+    pub fn dead(symbol: Expr, loc: Location) -> Self {
+        stmt!(Dead(symbol), loc)
+    }
+
     /// `lhs.typ lhs = value;` or `lhs.typ lhs;`
     pub fn decl(lhs: Expr, value: Option<Expr>, loc: Location) -> Self {
         assert!(lhs.is_symbol());

cprover_bindings/src/irep/to_irep.rs

@@ -433,6 +433,7 @@ impl ToIrep for StmtBody {
             }
             StmtBody::Break => code_irep(IrepId::Break, vec![]),
             StmtBody::Continue => code_irep(IrepId::Continue, vec![]),
+            StmtBody::Dead(symbol) => code_irep(IrepId::Dead, vec![symbol.to_irep(mm)]),
             StmtBody::Decl { lhs, value } => {
                 if value.is_some() {
                     code_irep(

kani-compiler/src/codegen_cprover_gotoc/codegen/place.rs

@@ -381,7 +381,7 @@ impl<'tcx> GotocCtx<'tcx> {
     }
 
     /// Codegen for a local
-    fn codegen_local(&mut self, l: Local) -> Expr {
+    pub fn codegen_local(&mut self, l: Local) -> Expr {
         let local_ty = self.local_ty_stable(l);
         // Check if the local is a function definition (see comment above)
         if let Some(fn_def) = self.codegen_local_fndef(local_ty) {

kani-compiler/src/codegen_cprover_gotoc/codegen/statement.rs

@@ -75,8 +75,10 @@ impl<'tcx> GotocCtx<'tcx> {
                 .goto_expr;
                 self.codegen_set_discriminant(dest_ty, dest_expr, *variant_index, location)
             }
-            StatementKind::StorageLive(_) => Stmt::skip(location), // TODO: fix me
-            StatementKind::StorageDead(_) => Stmt::skip(location), // TODO: fix me
+            StatementKind::StorageLive(var_id) => {
+                Stmt::decl(self.codegen_local(*var_id), None, location)
+            }
+            StatementKind::StorageDead(var_id) => Stmt::dead(self.codegen_local(*var_id), location),
             StatementKind::Intrinsic(NonDivergingIntrinsic::CopyNonOverlapping(
                 CopyNonOverlapping { src, dst, count },
             )) => {

kani-driver/src/call_single_file.rs

@@ -122,6 +122,8 @@ impl KaniSession {
                 "symbol-mangling-version=v0",
                 "-Z",
                 "panic_abort_tests=yes",
+                "-Z",
+                "sanitizer=address",
             ]
             .map(OsString::from),
         );

tests/coverage/reachable/assert-false/expected

@@ -1,8 +1,8 @@
 coverage/reachable/assert-false/main.rs, 6, FULL
 coverage/reachable/assert-false/main.rs, 7, FULL
-coverage/reachable/assert-false/main.rs, 11, FULL
-coverage/reachable/assert-false/main.rs, 12, FULL
-coverage/reachable/assert-false/main.rs, 15, FULL
+coverage/reachable/assert-false/main.rs, 11, PARTIAL
+coverage/reachable/assert-false/main.rs, 12, PARTIAL
+coverage/reachable/assert-false/main.rs, 15, PARTIAL
 coverage/reachable/assert-false/main.rs, 16, FULL
 coverage/reachable/assert-false/main.rs, 17, PARTIAL
 coverage/reachable/assert-false/main.rs, 19, FULL

tests/coverage/reachable/assert/reachable_pass/expected

@@ -1,4 +1,4 @@
 coverage/reachable/assert/reachable_pass/test.rs, 6, FULL
-coverage/reachable/assert/reachable_pass/test.rs, 7, FULL
+coverage/reachable/assert/reachable_pass/test.rs, 7, PARTIAL
 coverage/reachable/assert/reachable_pass/test.rs, 8, FULL
 coverage/reachable/assert/reachable_pass/test.rs, 10, FULL

tests/coverage/reachable/bounds/reachable_fail/expected

@@ -1,4 +1,4 @@
 coverage/reachable/bounds/reachable_fail/test.rs, 5, PARTIAL
 coverage/reachable/bounds/reachable_fail/test.rs, 6, NONE
-coverage/reachable/bounds/reachable_fail/test.rs, 10, FULL
+coverage/reachable/bounds/reachable_fail/test.rs, 10, PARTIAL
 coverage/reachable/bounds/reachable_fail/test.rs, 11, NONE

tests/coverage/reachable/div-zero/reachable_fail/expected

@@ -1,4 +1,4 @@
 coverage/reachable/div-zero/reachable_fail/test.rs, 5, PARTIAL
 coverage/reachable/div-zero/reachable_fail/test.rs, 6, NONE
-coverage/reachable/div-zero/reachable_fail/test.rs, 10, FULL
+coverage/reachable/div-zero/reachable_fail/test.rs, 10, PARTIAL
 coverage/reachable/div-zero/reachable_fail/test.rs, 11, NONE

tests/coverage/reachable/overflow/reachable_fail/expected

@@ -1,5 +1,5 @@
 coverage/reachable/overflow/reachable_fail/test.rs, 8, PARTIAL
 coverage/reachable/overflow/reachable_fail/test.rs, 9, FULL
 coverage/reachable/overflow/reachable_fail/test.rs, 13, FULL
-coverage/reachable/overflow/reachable_fail/test.rs, 14, FULL
+coverage/reachable/overflow/reachable_fail/test.rs, 14, PARTIAL
 coverage/reachable/overflow/reachable_fail/test.rs, 15, NONE