Skip to content

Behavior of infinite loops with goto-instrument --unwind N --unwinding-assertions differs from cbmc --unwind N --unwinding-assertions #6433

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
gsingh93 opened this issue Nov 3, 2021 · 3 comments · Fixed by #6624
Closed

Behavior of infinite loops with goto-instrument --unwind N --unwinding-assertions differs from cbmc --unwind N --unwinding-assertions #6433

gsingh93 opened this issue Nov 3, 2021 · 3 comments · Fixed by #6624
Assignees
@tautschnig
Labels
aws Bugs or features of importance to AWS CBMC users pending merge

Comments

@gsingh93
Copy link

gsingh93 commented Nov 3, 2021
edited
Loading

CBMC version: 5.42.0 (cbmc-5.42.0-2-g038a53b50)
Operating system: Debian
Exact command line resulting in the issue: goto-instrument --unwind 3 --unwinding-assertions test.gb test-unwinding.gb && cbmc test-unwinding.gb --function foo
What behaviour did you expect: No assertion failures
What happened instead: Two assertion failure

I have the following code in test.c:

int foo() {
  while (1) {
  }
  __CPROVER_assert(0, "reachable");
}

When I run cbmc --unwind 3 --unwinding-assertions test.c --function foo, I don't see any assertion failures:

[foo.assertion.1] line 4 reachable: SUCCESS

** 0 of 1 failed (1 iterations)
VERIFICATION SUCCESSFUL

Now I try to do the same thing with goto-instrument:

goto-cc test.c -o test.gb
goto-instrument --unwind 3 --unwinding-assertions test.gb test-unwinding.gb
cbmc test-unwinding.gb --function foo

And I see two failures:

[foo.1] line 2 assertion: FAILURE
[foo.assertion.1] line 4 reachable: FAILURE

** 2 of 2 failed (2 iterations)
VERIFICATION FAILED

The behavior I want is actually what cbmc does, which is to essentially treat the loop as assume(false). Why does goto-instrument behave differently, and is it intended to behave differently?
@jimgrundy
Copy link
Collaborator

CBMC has a special case for "while (1) {}" to convert to "assume(false);". There is a flag to disable this. This was added for code in SVCOMP. But, maybe the default should have been the other way around, or maybe we should be giving you a warning when this special case is invoked.

@tautschnig tautschnig self-assigned this Nov 3, 2021
@martin-cs
Copy link
Collaborator

@jimgrundy is correct, while(1) {} is recognised by CBMC and treated as assume(false); ( It is not entirely clear to me how this interacts with --unwinding-assertion). So the reachable assertion should be safe, or, possibly not even considered because it is clearly unreachable.

As I described in #6432 (comment) the goto-instrument unwinder is a different piece of code. It will duplicate the body. This might break the heuristic that CBMC uses to recognise while(1) {}. It will also insert the unwinding assertion which will then fail. This is reasonably expected behaviour.

The "reachable" failing after seems weird and might well be a bug.

@jimgrundy jimgrundy added the aws Bugs or features of importance to AWS CBMC users label Dec 16, 2021
tautschnig added a commit to tautschnig/cbmc that referenced this issue Feb 1, 2022
@tautschnig
goto-symex: print status note and conditional warning for self-loops
5fbfadd 
Unless CBMC is invoked with --no-self-loops-to-assumptions, self-loops
are replaced by assumptions. This commit now introduces a status output
that such replacement is happening, and also a warning when
--unwinding-assertions is set: as the loop is replaced by an assumption,
no unwinding assertions can possible be generated. This behaviour may be
unexpected by the user, and we should therefore let them know what is
going on.

Fixes: diffblue#6433
tautschnig added a commit to tautschnig/cbmc that referenced this issue Feb 1, 2022
@tautschnig
goto-symex: print status note and conditional warning for self-loops
59a738e 
Unless CBMC is invoked with --no-self-loops-to-assumptions, self-loops
are replaced by assumptions. This commit now introduces a status output
that such replacement is happening, and also a warning when
--unwinding-assertions is set: as the loop is replaced by an assumption,
no unwinding assertions can possible be generated. This behaviour may be
unexpected by the user, and we should therefore let them know what is
going on.

Fixes: diffblue#6433
@tautschnig tautschnig mentioned this issue Feb 1, 2022
Merged
3 tasks
@tautschnig
Copy link
Collaborator

There seem to be at least three, perhaps even more issues hidden in here:

A possible further issue is that --partial-loops is considered conflicting with --unwinding-assertions for no good reason. PR to follow.

tautschnig added a commit to tautschnig/cbmc that referenced this issue Feb 1, 2022
@tautschnig
goto-symex: print status note and conditional warning for self-loops
3f03433 
Unless CBMC is invoked with --no-self-loops-to-assumptions, self-loops
are replaced by assumptions. This commit now introduces a status output
that such replacement is happening, and also a warning when
--unwinding-assertions is set: as the loop is replaced by an assumption,
no unwinding assertions can possible be generated. This behaviour may be
unexpected by the user, and we should therefore let them know what is
going on.

Fixes: diffblue#6433
@TGWDB TGWDB mentioned this issue May 31, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tautschnig tautschnig

Labels
aws Bugs or features of importance to AWS CBMC users pending merge
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

goto-symex: print status note and conditional warning for self-loops tautschnig/cbmc
4 participants
@gsingh93 @tautschnig @martin-cs @jimgrundy