Narrowing of globals in TD

[Red-Panda64]

Description

Adds the capability of narrowing globals (and function entry unknowns) to TD. Contributions to each global unknown are tracked per source unknown. When an unknown x triggers a side-effect to y, this side-effect is applied to x's contribution to y by warrowing. The overall value of a global unknown is computed as the join over all contributions to said unknown.

Configuration Options

• ana.base.priv.protection.changes-only: protection-based privatization won't produce spurious side-effects to protected unknowns. Otherwise, abstract values for globals that are refined by a guard edge may be written back to said global without a true write-access ("pseudo-writes"). This should have no benefit when narrowing of globals is disabled, as the pseudo-writes are already subsumed by the respective global. Implemented for base privatization only.
• solvers.td3.narrow-globs.enabled: enables the global narrowing scheme.
• solvers.td3.narrow-globs.conservative-widen: side-effects are only applied to contributions by widening if applying them with a join would affect the overall value of a global.
• solvers.td3.narrow-globs.immediate-growth: irrespective of this option, side-effects from x to y are accumulated throughout an evaluation of x to ensure soundness. This guarantees that the final side-effect will subsume all prior ones from this evaluation. This option permits the immediate application of accumulated values during constraint evaluation, provided they are not subsumed by the current contribution of x to y. Otherwise, the accumulated value is applied after x is fully evaluated.
• solvers.td3.narrow-globs.narrow-gas: limit the number of switches between widening and narrowing per contribution. This is necessary to enforce termination.
• solvers.td3.narrow-globs.eliminate-dead: if an unknown x triggers no side-effect to y but did so previously, its contribution is narrowed with bottom. Should y become bottom and be a function entry unknown, the exit unknown will be queried, propagating bottom throughout the function body.

Modifications to td3.ml

• new structure divided_side_effects: to track current values of contributions, last combination mode (widen or narrow), and counter for remaining mode switches
• new structure narrow_globs_start_values: explicitly track initial values for unknowns to ensure they are accounted for when the join over all contributions is computed
• new structure prev_sides maps unknowns to side-effected targets on the last evaluation

Modifications to basePriv.ml

Optionally track "true writes" for protection based privatizations: in addition to CPA tracking the most precise available value per global variable, the new data structure tracks only values that were written. In particular, this excludes refined values that were obtained via guard edges (e.g. inside an if (g < 10) block), which are also stored in CPA for increased precision but do not correspond to real writes.

Modifications to constraint system

Constraint system can provide a hint in the form of the "postmortem" function, that returns for some side-effect target unknown that has become bottom, which local unknowns might now be worth re-evaluating. The purpose of this is to allow the re-evaluation of function exit nodes, when their entry becomes bottom, in order to propagate this bottom value and remove superfluous side effects along the way.

[Red-Panda64]

For now, this is only a draft because I will see if I can't extract the changes to td3.ml and put them behind a reusable module.

[Red-Panda64]

Although it should be possible to extract this into a module, doing so is a bit of a hassle because of the way td3's current side-effect widening strategies are very closely tied to the internals of td3. In any case, it makes no sense to try and do this until #1442 has been accepted or rejected.