Make Byte casts have no UB

As per offline review feedback, this commit makes the casts use wrapping
conversions instead of having them be UB. This also fixes the incorrect
(and ad-hoc) behaviour of the IntFromByte.

Both operations now use conv_int to wrap appropriately.

Author: dc-mak

frontend/model/core_eval.lem

@@ -782,8 +782,8 @@ let rec step_eval_pexpr n loc parent_call_loc_opt core_extern env mem_st_opt fil
             , Just [ Core.Vobject (Core.OVinteger ival) ] ) ->
                 EU.return (PEval (Vobject (OVinteger (Mem.bytefromint loc ival))))
           | ( Mem_common.IntFromByte
-            , Just [ Core.Vctype (Ctype.Ctype _ (Ctype.Basic (Ctype.Integer ity))); Core.Vobject (Core.OVinteger ival) ] ) ->
-                EU.return (PEval (Vobject (OVinteger (Mem.intfrombyte loc ity ival))))
+            , Just [ Core.Vobject (Core.OVinteger ival) ] ) ->
+                EU.return (PEval (Vobject (OVinteger (Mem.intfrombyte loc ival))))
           | (_, Just _) ->
               EU.fail $ Illformed_program "PEmemop"
           | (_, Nothing) ->

frontend/model/core_typing.lem

@@ -606,10 +606,9 @@ let rec infer_pexpr tagDefs env ((Pexpr annot _ pexpr_ as pexpr) : generic_pexpr
     | PEmemop Mem_common.ByteFromInt [pe] ->
         typecheck_pexpr tagDefs env (BTy_object OTy_integer) pe >>= fun pe' ->
         E.return (Pexpr annot (InferredType_object OTy_integer) (PEmemop Mem_common.ByteFromInt [pe']))
-    | PEmemop Mem_common.IntFromByte [pe1; pe2] ->
-        typecheck_pexpr tagDefs env BTy_ctype pe1 >>= fun pe1' ->
-        typecheck_pexpr tagDefs env (BTy_object OTy_integer) pe2 >>= fun pe2' ->
-        E.return (Pexpr annot (InferredType_object OTy_integer) (PEmemop Mem_common.IntFromByte [pe1'; pe2']))
+    | PEmemop Mem_common.IntFromByte [pe] ->
+        typecheck_pexpr tagDefs env (BTy_object OTy_integer) pe >>= fun pe' ->
+        E.return (Pexpr annot (InferredType_object OTy_integer) (PEmemop Mem_common.IntFromByte [pe']))
     | PEmemop _ _ ->
         E.fail loc (CoreTyping_TODO (Pp.stringFromCore_pexpr pexpr))
     | PEnot pe ->
@@ -1003,11 +1002,10 @@ and typecheck_pexpr tagDefs (env: typing_env) (bTy: core_base_type) (Pexpr annot
         guard_match loc "memop(bytefromtint)" bTy (BTy_object OTy_integer) >>
         typecheck_pexpr tagDefs env (BTy_object OTy_integer) pe >>= fun pe' ->
         E.return (PEmemop Mem_common.ByteFromInt [pe'])
-    | PEmemop Mem_common.IntFromByte [pe1; pe2] ->
+    | PEmemop Mem_common.IntFromByte [pe] ->
         guard_match loc "memop(intfrombyte)" bTy (BTy_object OTy_integer) >>
-        typecheck_pexpr tagDefs env BTy_ctype pe1 >>= fun pe1' ->
-        typecheck_pexpr tagDefs env (BTy_object OTy_integer) pe2 >>= fun pe2' ->
-        E.return (PEmemop Mem_common.IntFromByte [pe1'; pe2'])
+        typecheck_pexpr tagDefs env (BTy_object OTy_integer) pe >>= fun pe' ->
+        E.return (PEmemop Mem_common.IntFromByte [pe'])
     | PEmemop _ _ ->
         E.fail loc (CoreTyping_TODO (Pp.stringFromCore_pexpr pexpr))
     | PEnot pe ->

frontend/model/mem.lem

@@ -176,7 +176,7 @@ declare ocaml target_rep function copy_alloc_id = `Impl_mem.copy_alloc_id`
 
 (* Byte casting operations *)
 val bytefromint: Loc.t -> integer_value -> integer_value
-val intfrombyte: Loc.t -> Ctype.integerType -> integer_value -> integer_value
+val intfrombyte: Loc.t -> integer_value -> integer_value
 declare ocaml target_rep function bytefromint = `Impl_mem.bytefromint`
 declare ocaml target_rep function intfrombyte = `Impl_mem.intfrombyte`
 

frontend/model/mem_common.lem

@@ -366,7 +366,7 @@ type pure_memop =
   | Ptr_tIntValue
     (* Bytes *)
   | ByteFromInt  (* integer -> byte *)
-  | IntFromByte  (* (integerType, byte) -> integer *)
+  | IntFromByte  (* byte -> integer *)
 
 type generic_memop 'sym =
   | PtrEq

frontend/model/translation.lem

@@ -1944,14 +1944,10 @@ else if AilTypesAux.is_byte cast_ty && AilTypesAux.is_integer e_ty then
                   Caux.mk_pure_e (
                     Caux.mk_case_pe e_wrp.E.sym_pe
                       [ ( Caux.mk_specified_pat obj_wrp.E.sym_pat
-                        , Caux.mk_if_pe
-                            (Caux.mk_op_pe C.OpOr
-                                (Caux.mk_op_pe C.OpLt obj_wrp.E.sym_pe (Caux.mk_integer_pe (~128)))
-                                (Caux.mk_op_pe C.OpLt (Caux.mk_integer_pe 255) obj_wrp.E.sym_pe))
-                            (Caux.mk_undef_pe loc Undefined.UB_Byte_invalid_byte_value)
-                            (Caux.mk_let_pe (Caux.mk_sym_pat let_sym (C.BTy_object C.OTy_integer (* byte *)))
-                                (Caux.mk_memop_pe Mem_common.ByteFromInt [obj_wrp.E.sym_pe])
-                                ((Caux.mk_specified_pe (Caux.mk_sym_pe let_sym)))) )
+                        , Caux.mk_let_pe (Caux.mk_sym_pat let_sym (C.BTy_object C.OTy_integer (* byte *)))
+                            (* only integer values valid for a Ctype.unsigned_char can be cast to a byte *)
+                            (Caux.mk_memop_pe Mem_common.ByteFromInt [stdlib.mkcall_conv_int Ctype.unsigned_char obj_wrp.E.sym_pe])
+                            ((Caux.mk_specified_pe (Caux.mk_sym_pe let_sym))) )
                       ; ( Caux.mk_unspecified_pat (Caux.mk_empty_pat C.BTy_ctype)
                         , (* Casting an unspecified integer to a byte type gives an unspecified byte *)
                           Caux.mk_unspecified_pe cast_ty ) ]
@@ -1964,7 +1960,7 @@ else if AilTypesAux.is_integer cast_ty && AilTypesAux.is_byte e_ty then
                     Caux.mk_case_pe e_wrp.E.sym_pe
                       [ ( Caux.mk_specified_pat obj_wrp.E.sym_pat
                         , Caux.mk_let_pe (Caux.mk_sym_pat let_sym (C.BTy_object C.OTy_integer))
-                            (Caux.mk_memop_pe Mem_common.IntFromByte [Caux.mk_ail_ctype_pe cast_ty; obj_wrp.E.sym_pe])
+                            (stdlib.mkcall_conv_int cast_ty (Caux.mk_memop_pe Mem_common.IntFromByte [obj_wrp.E.sym_pe]))
                             (Caux.mk_specified_pe (Caux.mk_sym_pe let_sym)) )
                       ; ( Caux.mk_unspecified_pat (Caux.mk_empty_pat C.BTy_ctype)
                         , (* Casting an unspecified byte to an integer type gives an unspecified integer *)

frontend/model/undefined.lem

@@ -731,9 +731,6 @@ type undefined_behaviour =
   (* free() is called on a NULL pointer (used in switch stricter than ISO) *)
   | UB_CERB005_free_nullptr
 
-  (* bytes *)
-  | UB_Byte_invalid_byte_value
-
 val std_of_undefined_behaviour: undefined_behaviour -> maybe string
 let std_of_undefined_behaviour = function
   | UB004a_incorrect_main_return_type ->
@@ -1089,7 +1086,6 @@ let ub_str_bimap =
     ; (UB_CHERI_BoundsViolation,"UB_CHERI_BoundsViolation")
     ; (UB_CHERI_UndefinedTag,"UB_CHERI_UndefinedTag")
     ; (UB_CHERI_ZeroLength,"UB_CHERI_ZeroLength")
-    ; (UB_Byte_invalid_byte_value,"UB_Byte_invalid_byte_value")
     ]
 
 
@@ -1250,8 +1246,6 @@ let ub_short_string = function
       "out of bounds pointer in realloc()"
   | UB_CERB003_invalid_function_pointer ->
       "invalid function pointer"
-  | UB_Byte_invalid_byte_value ->
-      "invalid byte value"
   | ub ->
       "(UB missing short message): " ^ show ub
 end
@@ -1421,8 +1415,6 @@ let pretty_string_of_undefined_behaviour = function
       "a call to 'free()' is given a 'NULL' pointer"
   | Invalid_format str ->
       "Invalid_format \"" ^ str ^ "\""
-  | UB_Byte_invalid_byte_value ->
-      "conversion to byte given unrepresentable value"
   | ub ->
       "(UB missing short message): " ^ show ub
 end

memory/concrete/impl_mem.ml

@@ -2769,18 +2769,13 @@ VIP:type pointer_value =
   (* Bytes are always typedef'd to unsigned chars, and I'm assuming unsigned
      chars are always 8 bits. This function flips the interpretation of the
      leading bit if it is 1. *)
-  let bytefromint loc (IV (prov, intval) as ival) =
-    assert (N.(less_equal (of_int (-128)) intval && less_equal intval (of_int 255)));
-    if N.(less_equal zero intval) then
-      ival
-    else 
-      (IV (prov,  N.(add intval (of_int 256))))
-
-  let intfrombyte _loc ity (IV (prov, intval) as ival) =
-    if (AilTypesAux.is_signed_ity ity && N.(greater_equal intval (of_int 128))) then
-      IV (prov, N.(sub intval (of_int 256)))
-    else
-      ival
+  let bytefromint loc (IV (_, intval) as ival) =
+    assert (N.(less_equal (of_int 0) intval && less_equal intval (of_int 255)));
+    ival
+
+  let intfrombyte _loc (IV (_, intval) as ival) =
+    assert (N.(less_equal (of_int 0) intval && less_equal intval (of_int 255)));
+    ival
 
   (* JSON serialisation: Memory layout for UI *)
 

memory/vip/impl_mem.ml

@@ -980,18 +980,13 @@ let update_ival ival x =
    leading bit if it is 1. *)
 let bytefromint _loc ival : integer_value =
   let intval = match ival with IVloc (_, i) | IVint i -> i in
-  assert (N.(less_equal (of_int (-128)) intval && less_equal intval (of_int 255)));
-  if N.(less_equal zero intval) then
-    ival
-  else 
-    update_ival ival (N.(add intval (of_int 256)))
+  assert (N.(less_equal (of_int 0) intval && less_equal intval (of_int 255)));
+  ival
 
-let intfrombyte _loc ity ival : integer_value =
+let intfrombyte _loc ival : integer_value =
   let intval = match ival with IVloc (_, i) | IVint i -> i in
-  if (AilTypesAux.is_signed_ity ity && N.(greater_equal intval (of_int 128))) then
-    update_ival ival N.(sub intval (of_int 256))
-  else
-    ival
+  assert (N.(less_equal (of_int 0) intval && less_equal intval (of_int 255)));
+  ival
 
 
 (* Integer value constructors *)

ocaml_frontend/memory_model.ml

@@ -126,7 +126,7 @@ module type Memory = sig
 
   (* Byte casting operations *)
   val bytefromint: Cerb_location.t -> integer_value -> integer_value
-  val intfrombyte: Cerb_location.t -> Ctype.integerType -> integer_value -> integer_value
+  val intfrombyte: Cerb_location.t -> integer_value -> integer_value
 
 
   (* Integer value constructors *)

tests/bytes/cast_256_byte.exec.c.exec

@@ -1,5 +1 @@
 return code: 0
-bytes/cast_256_byte.exec.c:7:5: error: undefined behaviour: invalid byte value
-    (byte)256;
-    ^~~~~~~~~ 
-no C11 reference