Fix segfault in k-induction step case with nested loops#8803
Open
tautschnig wants to merge 1 commit into
Force-pushed from 7884d7e to 41e310e
kroening reviewed Mar 10, 2026
kroening reviewed Mar 10, 2026
Force-pushed from 41e310e to 76d8afc
Pull request overview
Fixes a segmentation fault in k-induction instrumentation when handling nested loops by making loop-guard detection more robust and avoiding iterator invalidation during loop processing.
Changes:
- Added find_loop_guard to derive the loop guard from either the backedge or the loop-head exit goto (and handle unconditional loops).
- Changed loop traversal to only instrument outermost loops to avoid invalidating nested-loop iterators.
- Added a regression test covering nested loops.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| src/goto-instrument/k_induction.cpp | Robustly locate loop guards and avoid processing nested loops directly to prevent segfaults |
| regression/k-induction/nested-loops/test.desc | New regression test expectations for nested-loop k-induction instrumentation |
| regression/k-induction/nested-loops/main.c | New nested-loop reproducer for the prior segfault |
Force-pushed from 76d8afc to 576cba3
Codecov Report: ❌ Patch coverage is

Coverage diff, develop vs. #8803:

| | develop | #8803 | +/- |
|---|---|---|---|
| Coverage | 80.69% | 80.68% | -0.01% |
| Files | 1714 | 1714 | |
| Lines | 189597 | 189612 | +15 |
| Branches | 73 | 73 | |
| Hits | 152987 | 152997 | +10 |
| Misses | 36610 | 36615 | +5 |
k-induction inserts, just before the loop exit, an assumption that the loop has exited. The original code took this guard from loop_head->condition(), but the loop head need not be a conditional goto (e.g. for nested or do-while loops), which could crash. find_loop_guard now locates the guard in either the backedge or a forward goto at the loop head, and returns the loop *exit* condition (negating the backedge's continue condition) to match how the assumption is consumed. The previous version returned the *continue* condition, which silently dropped the real loop-exit state (unsound).

Processing a loop also mutates the goto program. Inserting instructions does not invalidate iterators, but remove_skip erases std::list nodes, which would invalidate the natural-loops iterators still being iterated. Since the unwinder only inserts at k >= 1, defer the single remove_skip until after all loops have been processed. We also process only outermost loops; inner loops are handled as part of the outer loop body during unwinding.

Regression tests cover the loop-exit assumption polarity (a post-loop assertion that must pass and a variant that must fail) and two sibling outer loops that each contain a nested loop (previously a segfault).

Fixes: diffblue#5357
Co-authored-by: Kiro <kiro-agent@users.noreply.github.com>
Force-pushed from 576cba3 to 5f87be7
The original code assumed loop_head->condition() always contained the loop guard, but in nested loop scenarios, the loop structure can vary. The backedge might contain the condition instead, or the loop might be unconditional. Also, when processing nested loops, modifying the outer loop's goto-program could invalidate iterators pointing to the inner loop, causing memory access violations.
Co-authored-by: Kiro autonomous agent
Fixes: #5357
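Both commit messages above describe the same two things: a three-way lookup of the loop guard that must return the exit polarity, and an iterator hazard when the goto program is mutated while natural loops are still being iterated. The toy model below is added here as an illustration and is not code from CBMC or from this PR: it does not use goto_programt, k_induction.cpp or CBMC's natural_loops; the instruction layout, label-based goto targets, function names and the sample program are all constructed for this example. find_loop_guard returns the exit condition for a while/for head, a do-while backedge and an unconditional loop; outermost_loops drops loops nested in another loop's range; add_exit_assumptions only inserts (std::list::insert keeps other iterators valid) and the single remove_skip, which erases, runs after every loop has been handled.

```cpp
#include <algorithm>
#include <iterator>
#include <list>
#include <optional>
#include <string>
#include <vector>

// Toy goto-program model for this example only (not CBMC's goto_programt):
// a GOTO carries a guard ("true" = unconditional) and the label it targets.
enum class kindt { GOTO, ASSUME, ASSIGN, SKIP };
struct instructiont {
  kindt kind;
  std::vector<std::string> labels; // names gotos use to target this instruction
  std::string guard;               // GOTO guard or ASSUME condition
  std::string target;              // GOTO target label
};
using programt = std::list<instructiont>;
using targett = programt::iterator;
struct loopt { targett head, backedge; }; // backedge: the GOTO back to head

static std::string negate(const std::string &c) {
  return c == "true" ? "false" : c == "false" ? "true" : "!(" + c + ")";
}
static bool has_label(const instructiont &i, const std::string &l) {
  return std::find(i.labels.begin(), i.labels.end(), l) != i.labels.end();
}
// True if `label` is carried by an instruction inside [head, backedge].
static bool label_in_loop(const loopt &l, const std::string &label) {
  for (auto it = l.head;; ++it) {
    if (has_label(*it, label)) return true;
    if (it == l.backedge) return false;
  }
}

// Returns the loop *exit* condition (the polarity the post-loop assumption
// needs), or nullopt when the loop has no guard and leaves only via body gotos.
std::optional<std::string> find_loop_guard(const loopt &l) {
  if (l.backedge->kind == kindt::GOTO && l.backedge->guard != "true")
    return negate(l.backedge->guard);   // do-while: exit = !continue
  if (l.head->kind == kindt::GOTO && l.head->guard != "true" &&
      !label_in_loop(l, l.head->target))
    return l.head->guard;                // while/for: head already jumps out
  return std::nullopt;                   // e.g. while(1) { ...; break; }
}

// Keeps only loops whose head is not strictly inside another loop's range.
std::vector<loopt> outermost_loops(const std::vector<loopt> &loops) {
  std::vector<loopt> out;
  for (const loopt &a : loops) {
    bool nested = false;
    for (const loopt &b : loops)
      for (auto it = b.head; !nested && it != std::next(b.backedge); ++it)
        nested = (it == a.head && it != b.head);
    if (!nested) out.push_back(a);
  }
  return out;
}

// Inserts assume(exit) before the instruction after the backedge and takes
// over its labels, so the head's forward goto lands on the assumption.
// std::list::insert keeps the other loops' iterators valid: one pass is safe.
void add_exit_assumptions(programt &p, const std::vector<loopt> &loops) {
  for (const loopt &l : loops)
    if (auto exit = find_loop_guard(l)) {
      targett old_exit = std::next(l.backedge);
      p.insert(old_exit, instructiont{kindt::ASSUME, {}, *exit, ""})
          ->labels.swap(old_exit->labels);
    }
}

// Erases SKIPs, handing their labels on; erase() invalidates iterators, so
// this runs exactly once, after all loops have been processed.
int remove_skip(programt &p) {
  int removed = 0;
  for (auto it = p.begin(); it != p.end();) {
    auto next = std::next(it);
    if (it->kind == kindt::SKIP && next != p.end()) {
      next->labels.insert(next->labels.end(), it->labels.begin(), it->labels.end());
      p.erase(it);
      ++removed;
    }
    it = next;
  }
  return removed;
}

static targett find_label(programt &p, const std::string &l) {
  return std::find_if(p.begin(), p.end(), [&](const instructiont &i) { return has_label(i, l); });
}
// Constructed sample: for(i=0;i<n;i++){ do x++; while(x<m); } followed by
// while(1){ y++; if(y>3) break; }: a nested loop plus a sibling outer loop.
std::vector<loopt> build_example(programt &p) {
  p = {{kindt::ASSIGN, {}, "i=0", ""},
       {kindt::GOTO, {"outer"}, "!(i<n)", "outer_exit"}, // outer head
       {kindt::ASSIGN, {"inner"}, "x++", ""},            // inner head
       {kindt::GOTO, {}, "x<m", "inner"},                // inner backedge
       {kindt::ASSIGN, {}, "i++", ""},
       {kindt::GOTO, {}, "true", "outer"},               // outer backedge
       {kindt::SKIP, {"outer_exit"}, "", ""},
       {kindt::ASSIGN, {"inf"}, "y++", ""},              // head that is no goto
       {kindt::GOTO, {}, "y>3", "inf_exit"},
       {kindt::GOTO, {}, "true", "inf"},                 // backedge
       {kindt::SKIP, {"inf_exit"}, "", ""},
       {kindt::ASSIGN, {}, "done", ""}};
  targett outer = find_label(p, "outer"), inner = find_label(p, "inner"), inf = find_label(p, "inf");
  return {{outer, std::next(outer, 4)}, {inner, std::next(inner)}, {inf, std::next(inf, 2)}};
}
```

On the sample, the outer for loop yields "!(i<n)" straight from its head goto, the inner do-while yields "!(x<m)" by negating the backedge's continue condition, and the third loop yields nothing because its head is an assignment and its backedge is unconditional, the shape the first commit message says need not carry a condition. Only the two outer loops are instrumented, and the iterators of the second outer loop still dereference correctly after the first loop's assumption has been inserted; the two SKIP placeholders disappear only in the trailing remove_skip.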