Support --mmio-region in cbmc

tautschnig · kiro-agent · tautschnig · commit 968160391766 · 2026-02-23T16:33:57.000Z
Add --mmio-region to cbmc so that per-region MMIO instrumentation is
available without requiring goto-instrument as a separate step. The
option is handled in process_goto_program, which is shared by cbmc,
goto-analyzer, goto-diff, and the C++ API.

Per-region instrumentation runs before the callback model so that
declared regions get precise array-backed modeling while callbacks
can still handle remaining dereferences.

Extract parse_mmio_regions() into mm_io.h/mm_io.cpp to eliminate
duplicated region-parsing and overlap-checking logic.

Add cmdline.desc tests for all existing tests that use
__CPROVER_allocated_memory (memory_allocation1/2, Pointer28, union12,
pointer-overflow2, cbmc-incr-smt2/pointer_from_int) with #ifndef
CMDLINE guards so the same source works with both mechanisms.

Includes cbmc man page entry and updated CProver manual and
goto-instrument man page with cross-references.

Co-authored-by: Kiro (autonomous agent) &lt;kiro-agent@users.noreply.github.com&gt;
diff --git a/doc/cprover-manual/modeling-mmio.md b/doc/cprover-manual/modeling-mmio.md
@@ -75,11 +75,13 @@ functions, there are two approaches available.
 
 #### Per-region object model (recommended)
 
-Use `--mmio-region <address>:<size>` (with `goto-instrument` or `cbmc`) to
-declare each contiguous MMIO region as an individual object. Each region becomes
-a byte array in the symbol table, named `__CPROVER_mmio_region_0x<address>`.
-Reads and writes to addresses within a declared region are redirected to the
-corresponding array element.
+Use `--mmio-region <address>:<size>` to declare each
+contiguous MMIO region as an individual object. Each region becomes a byte array
+in the symbol table, named `__CPROVER_mmio_region_0x<address>`. Reads and writes
+to addresses within a declared region are redirected to the corresponding array
+element.
+
+This option is supported by both `cbmc` and `goto-instrument`.
 
 This approach avoids the scalability problems of the single-array callback model:
 each write only updates the targeted region object rather than the entire memory
@@ -89,6 +91,12 @@ For example, given firmware that accesses a UART at `0x40000000` (256 bytes) and
 a GPIO controller at `0x40001000` (64 bytes):
 
 ```sh
+# Directly with cbmc:
+cbmc --mmio-region 0x40000000:256 \
+  --mmio-region 0x40001000:64 \
+  --no-pointer-check --no-bounds-check firmware.c
+
+# Or via goto-instrument:
 goto-cc -o firmware.gb firmware.c
 goto-instrument --mmio-region 0x40000000:256 \
   --mmio-region 0x40001000:64 \
diff --git a/doc/man/cbmc.1 b/doc/man/cbmc.1
@@ -322,6 +322,29 @@ print test suite for coverage criterion (requires \fB\-\-cover\fR)
 \fB\-\-mm\fR MM
 memory consistency model for concurrent programs (default: sc)
 .TP
+\fB\-\-mmio\-region\fR \fIaddress\fR:\fIsize\fR
+Define a contiguous memory\-mapped I/O region starting at \fIaddress\fR with the
+given \fIsize\fR in bytes. The \fIaddress\fR may use a \fB0x\fR prefix for
+hexadecimal notation. This option may be repeated to define multiple regions.
+Regions must not overlap.
+.IP
+Each region is modeled as an individual byte\-array object in the symbol table.
+Reads from and writes to constant addresses that fall within a declared region
+are mapped directly to the corresponding array element. Symbolic addresses are
+handled via a conditional dispatch over all declared regions.
+.IP
+Use \fB\-\-no\-pointer\-check\fR and \fB\-\-no\-bounds\-check\fR when verifying
+programs with MMIO regions, since integer addresses used for memory\-mapped I/O
+are not valid pointers from CBMC's perspective.
+.IP
+Example:
+.EX
+.in +4n
+cbmc \-\-mmio\-region 0x40000000:256 \-\-mmio\-region 0x40001000:64 \\
+  \-\-no\-pointer\-check \-\-no\-bounds\-check firmware.c
+.in
+.EE
+.TP
 \fB\-\-malloc\-may\-fail\fR
 allow malloc calls to return a null pointer
 .TP
diff --git a/doc/man/goto-instrument.1 b/doc/man/goto-instrument.1
@@ -407,6 +407,8 @@ This per\-region model avoids the scalability problems of the single unbounded
 write only updates the targeted region object rather than the entire memory
 array. Both options can be combined.
 .IP
+This option is also supported directly by \fBcbmc\fR(1).
+.IP
 Example:
 .EX
 .in +4n
diff --git a/regression/cbmc-incr-smt2/pointers-conversions/pointer_from_int.c b/regression/cbmc-incr-smt2/pointers-conversions/pointer_from_int.c
@@ -1,7 +1,9 @@
 int main()
 {
   int *p = (int *)4;
+#ifndef CMDLINE
   __CPROVER_allocated_memory(4, sizeof(int));
+#endif
 
   __CPROVER_assert(p == 4, "p == 4: expected success");
   __CPROVER_assert(p != 0, "p != 0: expected success");
diff --git a/regression/cbmc-incr-smt2/pointers-conversions/pointer_from_int_cmdline.desc b/regression/cbmc-incr-smt2/pointers-conversions/pointer_from_int_cmdline.desc
@@ -0,0 +1,15 @@
+CORE
+pointer_from_int.c
+-DCMDLINE --mmio-region 0x4:4 --trace --no-pointer-check --no-bounds-check
+\[main\.assertion\.1\] line \d+ p == 4: expected success: SUCCESS
+\[main\.assertion\.2\] line \d+ p != 0: expected success: SUCCESS
+\[main\.assertion\.3\] line \d+ p == 0x1020304: expected success: SUCCESS
+\[main\.assertion\.4\] line \d+ p != 0: expected success: SUCCESS
+\[main\.assertion\.5\] line \d+ p != 0: expected failure: FAILURE
+^VERIFICATION FAILED$
+^EXIT=10$
+^SIGNAL=0$
+--
+--
+Same as pointer_from_int.desc but uses --mmio-region instead of
+__CPROVER_allocated_memory.
diff --git a/regression/cbmc/Pointer28/cmdline.desc b/regression/cbmc/Pointer28/cmdline.desc
@@ -0,0 +1,11 @@
+KNOWNBUG no-new-smt
+main.c
+-DCMDLINE --mmio-region 0x4:4 --mmio-region 0x8:8 --little-endian --no-pointer-check --no-bounds-check
+^EXIT=0$
+^SIGNAL=0$
+^VERIFICATION SUCCESSFUL$
+--
+^warning: ignoring
+--
+The per-region byte-array model does not support storing and loading
+pointer values through MMIO regions, so the **q test case fails.
diff --git a/regression/cbmc/Pointer28/main.c b/regression/cbmc/Pointer28/main.c
@@ -1,7 +1,9 @@
 int main()
 {
   int *p = (int *)4;
+#ifndef CMDLINE
   __CPROVER_allocated_memory(4, sizeof(int));
+#endif
   int i;
   int **q;
   char *pp;
@@ -21,7 +23,9 @@ int main()
     __CPROVER_assert(p == 0, "i==0 => p==NULL");
 
   q = (int **)8;
+#ifndef CMDLINE
   __CPROVER_allocated_memory(8, sizeof(int *));
+#endif
   *q = &i;
   **q = 0x01020304;
   __CPROVER_assert(i == 0x01020304, "**q");
diff --git a/regression/cbmc/memory_allocation1/cmdline.desc b/regression/cbmc/memory_allocation1/cmdline.desc
@@ -0,0 +1,10 @@
+CORE broken-smt-backend paths-lifo-expected-failure
+main.c
+-DCMDLINE --mmio-region 0x10:4 --no-pointer-check --no-bounds-check
+^EXIT=10$
+^SIGNAL=0$
+^\[main\.assertion\.1\] .* assertion \*p==42: SUCCESS$
+^\[main\.assertion\.2\] .* assertion \*\(p\+1\)==42: FAILURE$
+^VERIFICATION FAILED$
+--
+^warning: ignoring
diff --git a/regression/cbmc/memory_allocation1/main.c b/regression/cbmc/memory_allocation1/main.c
@@ -4,7 +4,9 @@ int main()
 {
   int *p=0x10;
 
+#ifndef CMDLINE
   __CPROVER_allocated_memory(0x10, sizeof(int));
+#endif
   *p=42;
   assert(*p==42);
   *(p+1)=42;
diff --git a/regression/cbmc/memory_allocation2/cmdline.desc b/regression/cbmc/memory_allocation2/cmdline.desc
@@ -0,0 +1,14 @@
+KNOWNBUG
+main.c
+-DCMDLINE --mmio-region 0x1000:400 --mmio-region 0x11000:400 --mmio-region 0x21000:400 --mmio-region 0x31000:400 --no-pointer-check
+^EXIT=10$
+^SIGNAL=0$
+^\[main\.array_bounds\.[1-2]\] .*: SUCCESS$
+^\[main\.array_bounds\.3\] .* upper bound in buffers\[.*0\]->buffer\[.*100\]: FAILURE$
+^VERIFICATION FAILED$
+--
+^warning: ignoring
+--
+The per-region MMIO model uses byte arrays, so structured access via
+buffers[0]->buffer[N] does not preserve the original array bounds.
+All three bounds checks fail instead of only the out-of-bounds one.
diff --git a/regression/cbmc/memory_allocation2/main.c b/regression/cbmc/memory_allocation2/main.c
@@ -24,10 +24,12 @@ static buffert(*const buffers[4]) = {BUF0, BUF1, BUF2, BUF3};
 
 main()
 {
+#ifndef CMDLINE
   __CPROVER_allocated_memory(BUF0_BASE, sizeof(buffert));
   __CPROVER_allocated_memory(BUF1_BASE, sizeof(buffert));
   __CPROVER_allocated_memory(BUF2_BASE, sizeof(buffert));
   __CPROVER_allocated_memory(BUF3_BASE, sizeof(buffert));
+#endif
 
   _cbmc_printf2(sizeof_buffers, sizeof(buffers));
   _cbmc_printf2(sizeof_buffers_0, sizeof(buffers[0]));
diff --git a/regression/cbmc/mmio_per_region/main.c b/regression/cbmc/mmio_per_region/main.c
@@ -0,0 +1,8 @@
+int main()
+{
+  volatile char *p = (volatile char *)0x1000;
+  *p = 0x42;
+  char val = *p;
+  __CPROVER_assert(val == 0x42, "MMIO read-back");
+  return 0;
+}
diff --git a/regression/cbmc/mmio_per_region/test.desc b/regression/cbmc/mmio_per_region/test.desc
@@ -0,0 +1,8 @@
+CORE
+main.c
+--mmio-region 0x1000:256 --no-pointer-check --no-bounds-check
+^EXIT=0$
+^SIGNAL=0$
+^VERIFICATION SUCCESSFUL$
+Replaced MMIO operations
+--
diff --git a/regression/cbmc/pointer-overflow2/cmdline.desc b/regression/cbmc/pointer-overflow2/cmdline.desc
@@ -0,0 +1,15 @@
+KNOWNBUG
+main.c
+-DCMDLINE --mmio-region 0x9:1 --pointer-overflow-check --no-bounds-check
+^EXIT=0$
+^SIGNAL=0$
+\[main.pointer_arithmetic.1\] line \d+ pointer arithmetic: invalid integer address in p - (\(signed long (long )?int\))?1: SUCCESS
+\[main.pointer_arithmetic.2\] line \d+ pointer arithmetic: invalid integer address in p \+ (\(signed long (long )?int\))?1: SUCCESS
+\[main.pointer_arithmetic.3\] line \d+ pointer arithmetic: invalid integer address in p \+ (\(signed long (long )?int\))?-1: SUCCESS
+\[main.pointer_arithmetic.4\] line \d+ pointer arithmetic: invalid integer address in p - (\(signed long (long )?int\))?-1: SUCCESS
+--
+^warning: ignoring
+--
+The per-region MMIO model does not mark integer addresses as valid for
+pointer arithmetic checks. Unlike __CPROVER_allocated_memory, it only
+redirects dereferences to the backing byte array.
diff --git a/regression/cbmc/pointer-overflow2/main.c b/regression/cbmc/pointer-overflow2/main.c
@@ -2,7 +2,9 @@
 
 void main()
 {
+#ifndef CMDLINE
   __CPROVER_allocated_memory(9, sizeof(char));
+#endif
   char *p = (char *)10;
   p -= 1;
   p += 1;
diff --git a/regression/cbmc/union12/cmdline.desc b/regression/cbmc/union12/cmdline.desc
@@ -0,0 +1,10 @@
+CORE broken-smt-backend
+main.c
+-DCMDLINE --mmio-region 0x50000000:1024 --mmio-region 0x40040000:4 --no-pointer-check --no-bounds-check
+^EXIT=10$
+^SIGNAL=0$
+^\[main\.assertion\.2\] line 22 should fail: FAILURE$
+^\*\* 1 of \d+ failed
+^VERIFICATION FAILED$
+--
+^warning: ignoring
diff --git a/regression/cbmc/union12/main.c b/regression/cbmc/union12/main.c
@@ -14,10 +14,14 @@ static S1(*const l[1]) = {((S1 *)((0x50000000UL) + 0x00000))};
 
 void main()
 {
+#ifndef CMDLINE
   __CPROVER_allocated_memory(0x50000000UL, sizeof(S1));
+#endif
   l[0]->access[0] = 0;
   __CPROVER_assert(l[0]->access[0] == 0, "holds");
   __CPROVER_assert(l[0]->access[1] == 0, "should fail");
+#ifndef CMDLINE
   __CPROVER_allocated_memory(0x40000000UL + 0x40000, sizeof(S2));
+#endif
   ((S2 *)((0x40000000UL) + 0x40000))->c = 0x0707;
 }
diff --git a/src/cbmc/cbmc_parse_options.cpp b/src/cbmc/cbmc_parse_options.cpp
@@ -257,6 +257,9 @@ void cbmc_parse_optionst::get_command_line_options(optionst &options)
   if(cmdline.isset("mm"))
     options.set_option("mm", cmdline.get_value("mm"));
 
+  if(cmdline.isset("mmio-region"))
+    options.set_option("mmio-region", cmdline.get_values("mmio-region"));
+
   if(cmdline.isset("symex-complexity-limit"))
   {
     options.set_option(
@@ -1053,6 +1056,8 @@ void cbmc_parse_optionst::help()
     HELP_COVER
     " {y--mm} {uMM} \t memory consistency model for concurrent programs"
     " (default: {ysc})\n"
+    " {y--mmio-region} {uaddr:size} \t"
+    " model MMIO region as individual byte-array object\n"
     HELP_CONFIG_LIBRARY
     HELP_REACHABILITY_SLICER
     " {y--full-slice} \t run full slicer (experimental)\n"
diff --git a/src/cbmc/cbmc_parse_options.h b/src/cbmc/cbmc_parse_options.h
@@ -63,6 +63,7 @@ class optionst;
   OPT_COVER \
   "(symex-coverage-report):" \
   "(mm):" \
+  "(mmio-region):" \
   OPT_TIMESTAMP \
   "(arrays-uf-always)(arrays-uf-never)" \
   OPT_FLUSH \
diff --git a/src/goto-instrument/goto_instrument_parse_options.cpp b/src/goto-instrument/goto_instrument_parse_options.cpp
@@ -1655,84 +1655,14 @@ void goto_instrument_parse_optionst::instrument_goto_program()
     if(cmdline.isset("mmio") || cmdline.isset("mmio-region"))
     {
       log.status() << "Instrumenting memory-mapped I/O" << messaget::eom;
-
+      
       // Per-region instrumentation runs first so that declared regions
       // get precise array-backed modeling.
       if(cmdline.isset("mmio-region"))
       {
-        // Parse MMIO region specifications
-        std::vector<mmio_regiont> regions;
-        
-        for(const auto &region_spec : cmdline.get_values("mmio-region"))
-        {
-          // Parse format: address:size (e.g., "0x1000:256")
-          std::size_t colon_pos = region_spec.find(':');
-          if(colon_pos == std::string::npos)
-          {
-            throw invalid_command_line_argument_exceptiont(
-              "Invalid MMIO region format: " + region_spec +
-              " (expected address:size)",
-              "--mmio-region");
-          }
-          
-          std::string addr_str = region_spec.substr(0, colon_pos);
-          std::string size_str = region_spec.substr(colon_pos + 1);
-          
-          mp_integer start_address;
-          mp_integer size;
-          
-          // Parse address (supports hex with 0x prefix)
-          if(addr_str.find("0x") == 0 || addr_str.find("0X") == 0)
-          {
-            start_address = string2integer(addr_str.substr(2), 16);
-          }
-          else
-          {
-            start_address = string2integer(addr_str);
-          }
-          
-          // Parse size
-          if(size_str.find("0x") == 0 || size_str.find("0X") == 0)
-          {
-            size = string2integer(size_str.substr(2), 16);
-          }
-          else
-          {
-            size = string2integer(size_str);
-          }
-          
-          // Create object name including address
-          std::string object_name = CPROVER_PREFIX "mmio_region_0x" +
-                                   integer2string(start_address, 16);
-          
-          regions.emplace_back(start_address, size, object_name);
-          
-          log.status() << "Registered MMIO region at 0x"
-                       << integer2string(start_address, 16)
-                       << " size " << size << " bytes" << messaget::eom;
-        }
-        
-        // Check for overlapping regions
-        for(std::size_t i = 0; i < regions.size(); i++)
-        {
-          for(std::size_t j = i + 1; j < regions.size(); j++)
-          {
-            const auto &a = regions[i];
-            const auto &b = regions[j];
-            if(
-              a.start_address < b.start_address + b.size &&
-              b.start_address < a.start_address + a.size)
-            {
-              throw invalid_command_line_argument_exceptiont(
-                "MMIO regions overlap: 0x" +
-                  integer2string(a.start_address, 16) + ":" +
-                  integer2string(a.size) + " and 0x" +
-                  integer2string(b.start_address, 16) + ":" +
-                  integer2string(b.size),
-                "--mmio-region");
-            }
-          }
-        }
+        const std::vector<mmio_regiont> regions =
+          parse_mmio_regions(
+            cmdline.get_values("mmio-region"), ui_message_handler);
 
         mm_io(goto_model, regions, ui_message_handler);
       }
diff --git a/src/goto-programs/mm_io.cpp b/src/goto-programs/mm_io.cpp
diff --git a/src/goto-programs/mm_io.h b/src/goto-programs/mm_io.h
diff --git a/src/goto-programs/process_goto_program.cpp b/src/goto-programs/process_goto_program.cpp

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,9 @@`
`1`	`1`	`int main()`
`2`	`2`	`{`
`3`	`3`	`int p = (int )4;`
	`4`	`+#ifndef CMDLINE`
`4`	`5`	`__CPROVER_allocated_memory(4, sizeof(int));`
	`6`	`+#endif`
`5`	`7`
`6`	`8`	`__CPROVER_assert(p == 4, "p == 4: expected success");`
`7`	`9`	`__CPROVER_assert(p != 0, "p != 0: expected success");`
Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,9 @@ int main()`
`4`	`4`	`{`
`5`	`5`	`int *p=0x10;`
`6`	`6`
	`7`	`+#ifndef CMDLINE`
`7`	`8`	`__CPROVER_allocated_memory(0x10, sizeof(int));`
	`9`	`+#endif`
`8`	`10`	`*p=42;`
`9`	`11`	`assert(*p==42);`
`10`	`12`	`*(p+1)=42;`