|
| 1 | +[CPROVER Manual TOC](../) |
| 2 | + |
| 3 | +# Unsound CLI options for various tools |
| 4 | + |
| 5 | +## Context |
| 6 | + |
| 7 | +In [#6480](https://github.com/diffblue/cbmc/issues/6480), there has been some extensive |
| 8 | +conversation about what it means for certain options to produce *unsound* behaviour. |
| 9 | + |
| 10 | +We concluded that *unsound* in this context is a proxy for the following two behaviours |
| 11 | +that we want to avoid: |
| 12 | + |
| 13 | +* **A spurious counter example to an assertion**, which gives a proof that the assertion |
| 14 | + is refuted when it's not, and |
| 15 | +* **Wrong proof to an assertion**, which means that it might indicate an assertion passing |
| 16 | + when it's not. |
| 17 | + |
| 18 | +We expect core CBMC to display none of the behaviour we described above (and if it does, |
| 19 | +it's an extremely serious bug that we aim to fix on an ASAP basis), but be aware that |
| 20 | +certain tools, like `goto-instrument`, may contain components that are experimental in |
| 21 | +nature and thus do transformations that eventually lead to behaviour such as the ones |
| 22 | +described above. |
| 23 | + |
| 24 | +## Unsound Options |
| 25 | + |
| 26 | +Be advised that the following command line options to `cbmc` and `goto-instrument` |
| 27 | +have been reported to be unsound: |
| 28 | + |
| 29 | +* `--full-slice` has been reported to be unsound in issue [cbmc#260](https://github.com/diffblue/cbmc/issues/260) |
| 30 | + In particular, `--full-slice` appears to lead to spurious counter examples, |
| 31 | + because values that get assigned by a function whose body gets sliced out are |
| 32 | + no longer present in the trace, but still result in flipped verification results. |
| 33 | + |
| 34 | +`cbmc` and `goto-instrument` have also been modified to warn that options used |
| 35 | +are unsound as part of their output. An example of how that output looks is shown |
| 36 | +below: |
| 37 | + |
| 38 | +```sh |
| 39 | +$ cbmc --full-slice ~/Devel/cbmc_bugs/6394/before-slice.out |
| 40 | +CBMC version 5.45.0 (cbmc-5.43.0-77-g99c5a92de1-dirty) 64-bit arm64 macos |
| 41 | +Reading GOTO program from file |
| 42 | +Reading: ~/Devel/cbmc_bugs/6394/before-slice.out |
| 43 | +Generating GOTO Program |
| 44 | +Adding CPROVER library (x86_64) |
| 45 | +Removal of function pointers and virtual functions |
| 46 | +Generic Property Instrumentation |
| 47 | +**** WARNING: Unsound option --full-slice |
| 48 | +Performing a full slice |
| 49 | +Running with 8 object bits, 56 offset bits (default) |
| 50 | +Starting Bounded Model Checking |
| 51 | +[...] |
| 52 | +``` |
0 commit comments