Merge pull request #146 from FrNecas/instrumentation

Enable and improve GOTO instrumentation

Author: viktormalik

.gitignore

@@ -13,6 +13,7 @@ src/config.inc
 # regression/test files
 *.out
 tests.log
+instrumented.goto
 
 # files stored by editors
 *~

regression/Makefile

@@ -8,7 +8,8 @@ DIRS = \
 	   invariants \
 	   heap \
 	   heap-data \
-	   memsafety
+	   memsafety \
+	 instrumentation
 
 test:
 	$(foreach var,$(DIRS), make -C $(var) test || exit 1;)

regression/instrumentation/Makefile

@@ -0,0 +1,21 @@
+default: tests.log
+
+OUTPUT_GOTO = instrumented.goto
+FLAGS = --verbosity 10 --instrument-output $(OUTPUT_GOTO)
+
+test:
+	@../test.pl -p -c "../../../src/2ls/2ls $(FLAGS)"
+
+tests.log: ../test.pl
+	@../test.pl -p -c "../../../src/2ls/2ls $(FLAGS)"
+
+show:
+	@for dir in *; do \
+		if [ -d "$$dir" ]; then \
+			vim -o "$$dir/*.c" "$$dir/*.out"; \
+		fi; \
+	done;
+
+clean:
+	@rm -f *.log
+	@for dir in *; do rm -f $$dir/*.out $$dir/$(OUTPUT_GOTO); done;

regression/instrumentation/intervals/main.c

@@ -0,0 +1,13 @@
+void main()
+{
+  int x = 0;
+
+  while(x<10)
+  {
+    ++x;
+    assert(x<=10);
+  }
+
+  assert(x==10);
+}
+

regression/instrumentation/intervals/test.desc

@@ -0,0 +1,8 @@
+CORE
+main.c
+
+^EXIT=0$
+^SIGNAL=0$
+^VERIFICATION SUCCESSFUL$
+^\s*ASSUME x <= 10 // invariant generated by 2LS$
+^\s*ASSUME -\(\(signed __CPROVER_bitvector\[33\]\)x\) <= -1 // invariant generated by 2LS$

regression/instrumentation/octagons/main.c

@@ -0,0 +1,16 @@
+#include <assert.h>
+
+void main()
+{
+  int x = 0;
+  unsigned y = 0;
+
+  while(x<10 && y<20)
+  {
+    ++x;
+    ++y;
+  }
+
+  int z=x+y;
+  assert(z<=20);
+}

regression/instrumentation/octagons/test.desc

@@ -0,0 +1,14 @@
+CORE
+main.c
+--octagons
+^EXIT=0$
+^SIGNAL=0$
+^\*\* 0 of 1 failed$
+^\s*ASSUME \(signed __CPROVER_bitvector\[34\]\)-\(\(signed __CPROVER_bitvector\[33\]\)x\) - \(signed __CPROVER_bitvector\[34\]\)y <= -2 // invariant generated by 2LS$
+^\s*ASSUME \(signed __CPROVER_bitvector\[34\]\)x \+ \(signed __CPROVER_bitvector\[34\]\)y <= 20 // invariant generated by 2LS$
+^\s*ASSUME \(signed __CPROVER_bitvector\[34\]\)x - \(signed __CPROVER_bitvector\[34\]\)y <= 0 // invariant generated by 2LS$
+^\s*ASSUME \(signed __CPROVER_bitvector\[34\]\)y - \(signed __CPROVER_bitvector\[34\]\)x <= 0 // invariant generated by 2LS$
+^\s*ASSUME x <= 10 // invariant generated by 2LS$
+^\s*ASSUME -\(\(signed __CPROVER_bitvector\[33\]\)x\) <= -1 // invariant generated by 2LS$
+^\s*ASSUME y <= 10u // invariant generated by 2LS$
+^\s*ASSUME -\(\(signed __CPROVER_bitvector\[33\]\)y\) <= -1 // invariant generated by 2LS$

regression/instrumentation/pointers/main.c

@@ -0,0 +1,15 @@
+typedef struct data {
+    struct data *next;
+    int content;
+} Data;
+
+void main() {
+    Data x1 = {0,};
+    Data x2 = {&x1,};
+    Data x3 = {&x2,};
+    Data *curr = &x3;
+    while (curr) {
+        assert(curr->content == 0);
+        curr = curr->next;
+    }
+}

regression/instrumentation/pointers/test.desc

@@ -0,0 +1,7 @@
+CORE
+main.c
+--heap
+^EXIT=0$
+^SIGNAL=0$
+^VERIFICATION SUCCESSFUL$
+^\s*ASSUME curr == \(\(struct data \*\)NULL\) \|\| curr == &x1 \|\| curr == &x2 // invariant generated by 2LS$

regression/instrumentation/zones/main.c

@@ -0,0 +1,10 @@
+void main()
+{
+  int x=0, y=0;
+  for(; x<100; x++)
+  {
+    for(y=0; y<=x; y++);
+  }
+  assert(x==100);
+  assert(y==100);
+}

regression/instrumentation/zones/test.desc

@@ -0,0 +1,12 @@
+CORE
+main.c
+--zones
+^EXIT=0$
+^SIGNAL=0$
+^VERIFICATION SUCCESSFUL$
+^\s*ASSUME y <= 100 // invariant generated by 2LS$
+^\s*ASSUME -\(\(signed __CPROVER_bitvector\[33\]\)y\) <= -1 // invariant generated by 2LS$
+^\s*ASSUME \(signed __CPROVER_bitvector\[33\]\)x - \(signed __CPROVER_bitvector\[33\]\)y <= 0 // invariant generated by 2LS$
+^\s*ASSUME \(signed __CPROVER_bitvector\[33\]\)y - \(signed __CPROVER_bitvector\[33\]\)x <= 99 // invariant generated by 2LS$
+^\s*ASSUME x <= 100 // invariant generated by 2LS$
+^\s*ASSUME -\(\(signed __CPROVER_bitvector\[33\]\)x\) <= -1 // invariant generated by 2LS$

src/2ls/2ls_parse_options.cpp

@@ -232,12 +232,9 @@ void twols_parse_optionst::get_command_line_options(optionst &options)
     }
   }
 
-  // Heap domain requires full program inlining and usage of symbolic paths
+  // Heap domain requires full program inlining
   if(cmdline.isset("heap"))
-  {
     options.set_option("inline", true);
-    options.set_option("sympath", true);
-  }
 
   // use incremental assertion checks
   if(cmdline.isset("non-incremental"))
@@ -401,6 +398,12 @@ int twols_parse_optionst::doit()
   if(get_goto_program(options, goto_model))
     return 6;
 
+  if(cmdline.isset("heap") && dynamic_memory_detected)
+  {
+    // Only use sympath domain if dynamic memory is used
+    options.set_option("sympath", true);
+  }
+
   const namespacet ns(goto_model.symbol_table);
 
   if(cmdline.isset("show-stats"))
@@ -691,7 +694,9 @@ int twols_parse_optionst::doit()
 
     if(cmdline.isset("instrument-output"))
     {
-      checker->instrument_and_output(goto_model);
+      checker->instrument_and_output(
+        goto_model,
+        ui_message_handler.get_verbosity());
     }
 
     return retval;
@@ -1561,6 +1566,7 @@ void twols_parse_optionst::help()
     " --no-assumptions             ignore user assumptions\n"
     " --inline                     inline all functions into main\n"
     " --inline-partial nr          inline functions smaller than the given nr of instructions\n" // NOLINT(*)
+    " --instrument-output outfile  instrument GOTO code with invariants and export it to outfile\n" // NOLINT(*)
     "\n"
     "Backend options:\n"
     " --all-functions              check each function as entry point\n"

src/2ls/2ls_parse_options.h

@@ -52,7 +52,7 @@ class optionst;
   "(enum-solver)(binsearch-solver)(arrays)"\
   "(string-abstraction)(no-arch)(arch):(floatbv)(fixedbv)" \
   "(round-to-nearest)(round-to-plus-inf)(round-to-minus-inf)(round-to-zero)" \
-  "(inline)(inline-main)(inline-partial):" \
+  "(inline)(inline-main)(inline-partial):(instrument-output):" \
   "(context-sensitive)(termination)(nontermination)" \
   "(lexicographic-ranking-function):(monolithic-ranking-function)" \
   "(max-inner-ranking-iterations):" \

src/2ls/horn_encoding.cpp

@@ -25,6 +25,7 @@ class horn_encodingt
     const optionst &_options,
     std::ostream &_out):
     goto_functions(_goto_model.goto_functions),
+    symbol_table(_goto_model.symbol_table),
     ns(_goto_model.symbol_table),
     options(_options),
     out(_out),
@@ -36,6 +37,7 @@ class horn_encodingt
 
 protected:
   const goto_functionst &goto_functions;
+  const symbol_tablet &symbol_table;
   const namespacet ns;
   const optionst &options;
   std::ostream &out;
@@ -63,7 +65,7 @@ void horn_encodingt::translate(
          ";\n";
 
   // compute SSA
-  local_SSAt local_SSA(f_it->second, ns, options, "");
+  local_SSAt local_SSA(f_it->second, symbol_table, options, "");
 
   const goto_programt &body=f_it->second.body;
 

src/2ls/instrument_goto.cpp

@@ -81,29 +81,17 @@ extern void purify_identifiers(exprt &expr);
 
 void instrument_gotot::instrument_body(
   const local_SSAt &SSA,
+  const symbol_exprt &guard,
   const exprt &expr,
   goto_functionst::goto_functiont &function)
 {
-  // expected format (/\_j g_j)=> inv
-  const exprt &impl=expr.op0();
-  exprt inv=expr.op1(); // copy
-
-  std::cout << "Invariant " << from_expr(inv) << std::endl;
+  // copy the invariant so that it isn't changed by purify_identifiers
+  exprt inv=expr;
+  std::cout << "Invariant " << from_expr(SSA.ns, "", inv) << std::endl;
 
   purify_identifiers(inv);
 
-  local_SSAt::locationt loc;
-  if(impl.id()==ID_symbol)
-  {
-    loc=find_loop_by_guard(SSA, to_symbol_expr(impl));
-  }
-  else if(impl.id()==ID_and)
-  {
-    assert(impl.op0().id()==ID_symbol);
-    loc=find_loop_by_guard(SSA, to_symbol_expr(impl.op0()));
-  }
-  else
-    assert(false);
+  auto loc=find_loop_by_guard(SSA, guard);
 
   Forall_goto_program_instructions(it, function.body)
   {
@@ -138,21 +126,14 @@ void instrument_gotot::instrument_function(
   if(summary.fw_invariant.is_true())
     return;
 
-  // expected format /\_i g_i=> inv_i
-  if(summary.fw_invariant.id()==ID_implies)
+  std::vector<domaint::guard_invariant> inv=
+    summary.fw_domain_ptr->get_guards_and_invariants(*summary.fw_value_ptr);
+  for(auto const &guard_invariant : inv)
   {
-    instrument_body(SSA, summary.fw_invariant, function);
+    const symbol_exprt &guard=to_symbol_expr(guard_invariant.first);
+    exprt invariant=guard_invariant.second;
+    instrument_body(SSA, guard, invariant, function);
   }
-  else if(summary.fw_invariant.id()==ID_and)
-  {
-    for(unsigned i=0; i<summary.fw_invariant.operands().size(); i++)
-    {
-      assert(summary.fw_invariant.operands()[i].id()==ID_implies);
-      instrument_body(SSA, summary.fw_invariant.operands()[i], function);
-    }
-  }
-  else
-    assert(false);
 }
 
 void instrument_gotot::operator()(goto_modelt &goto_model)

src/2ls/instrument_goto.h

@@ -46,7 +46,8 @@ class instrument_gotot:public messaget
 
   void instrument_body(
     const local_SSAt &SSA,
-    const exprt &expr,
+    const symbol_exprt &guard,
+    const exprt &inv,
     goto_functionst::goto_functiont &function);
 
   void instrument_instruction(

src/2ls/show.cpp

@@ -169,16 +169,16 @@ void show_guards(
 void show_ssa(
   const goto_functionst::goto_functiont &goto_function,
   bool simplify,
-  const namespacet &ns,
+  const symbol_tablet &symbol_table,
   const optionst &options,
   std::ostream &out)
 {
   if(!goto_function.body_available())
     return;
 
-  unwindable_local_SSAt local_SSA(goto_function, ns, options);
+  unwindable_local_SSAt local_SSA(goto_function, symbol_table, options);
   if(simplify)
-    ::simplify(local_SSA, ns);
+    ::simplify(local_SSA, local_SSA.ns);
   local_SSA.output_verbose(out);
 }
 
@@ -190,8 +190,6 @@ void show_ssa(
   std::ostream &out,
   message_handlert &message_handler)
 {
-  const namespacet ns(goto_model.symbol_table);
-
   if(!function.empty())
   {
     out << ">>>> Function " << function << "\n";
@@ -200,7 +198,7 @@ void show_ssa(
     if(f_it==goto_model.goto_functions.function_map.end())
       out << "function " << function << " not found\n";
     else
-      show_ssa(f_it->second, simplify, ns, options, out);
+      show_ssa(f_it->second, simplify, goto_model.symbol_table, options, out);
   }
   else
   {
@@ -213,7 +211,7 @@ void show_ssa(
 
       out << ">>>> Function " << f_it->first << "\n";
 
-      show_ssa(f_it->second, simplify, ns, options, out);
+      show_ssa(f_it->second, simplify, goto_model.symbol_table, options, out);
 
       out << "\n";
     }

src/2ls/summary_checker_ai.cpp

@@ -15,9 +15,7 @@ Author: Peter Schrammel
 property_checkert::resultt summary_checker_ait::operator()(
   const goto_modelt &goto_model)
 {
-  const namespacet ns(goto_model.symbol_table);
-
-  SSA_functions(goto_model, ns);
+  SSA_functions(goto_model, goto_model.symbol_table);
 
   ssa_unwinder.init(false, false);
 

src/2ls/summary_checker_base.cpp

@@ -44,7 +44,7 @@ Author: Peter Schrammel
 
 void summary_checker_baset::SSA_functions(
   const goto_modelt &goto_model,
-  const namespacet &ns)
+  const symbol_tablet &symbol_table)
 {
   // compute SSA for all the functions
   forall_goto_functions(f_it, goto_model.goto_functions)
@@ -55,14 +55,14 @@ void summary_checker_baset::SSA_functions(
       continue;
     status() << "Computing SSA of " << f_it->first << messaget::eom;
 
-    ssa_db.create(f_it->first, f_it->second, ns);
+    ssa_db.create(f_it->first, f_it->second, symbol_table);
     local_SSAt &SSA=ssa_db.get(f_it->first);
 
     // simplify, if requested
     if(simplify)
     {
       status() << "Simplifying" << messaget::eom;
-      ::simplify(SSA, ns);
+      ::simplify(SSA, SSA.ns);
     }
 
     SSA.output(debug()); debug() << eom;
@@ -495,10 +495,14 @@ bool summary_checker_baset::is_spurious(
 
 /// instruments the code with the inferred information and outputs it to a goto-
 /// binary
-void summary_checker_baset::instrument_and_output(goto_modelt &goto_model)
+void summary_checker_baset::instrument_and_output(
+  goto_modelt &goto_model,
+  unsigned verbosity)
 {
   instrument_gotot instrument_goto(options, ssa_db, summary_db);
   instrument_goto(goto_model);
+  if(verbosity==10)
+    goto_model.output(std::cout);
   std::string filename=options.get_option("instrument-output");
   status() << "Writing instrumented goto-binary " << filename << eom;
   write_goto_binary(