Path exploration goodies #1915
Merged
Path exploration goodies #1915
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
karkhaz
requested review from
cesaro,
chrisr-diffblue,
forejtv,
kroening,
martin-cs,
mgudemann,
peterschrammel,
smowton,
tautschnig and
thk123
as code owners
|
Also, you might suppose that the code formatting is a bit bizarre in the constructor for |
Merged
karkhaz
force-pushed
the
kk-abstract-paths-worklist
branch
from
66792b2 to
447f131
Compare
|
TG pointer bump (due to change in bmc.cpp) diffblue/test-gen#1567 |
|
@thk123 Not sure what that issue is, as it's private: should I know what this is about, or is it just for diffblue folks? |
src/cbmc/bmc.cpp
Outdated
| safety_checkert::resultt result; | ||
| goto_symext::branch_worklistt worklist; | ||
| safety_checkert::resultt final_result = safety_checkert::resultt::UNKNOWN; | ||
| safety_checkert::resultt tmp_result = safety_checkert::resultt::UNKNOWN; |
There was a problem hiding this comment.
I think tmp_result shouldn't be declared here
src/cbmc/bmc.cpp
Outdated
| bmc.set_ui(ui); | ||
| frontend_configure_bmc(bmc, goto_model); | ||
| result = bmc.run(goto_model.goto_functions); | ||
| tmp_result = bmc.run(goto_model.goto_functions); |
There was a problem hiding this comment.
tmp_result should be const declared here
src/goto-programs/safety_checker.h
Outdated
| a != safety_checkert::resultt::SUSPENDED && | ||
| b != safety_checkert::resultt::SUSPENDED, | ||
| "Cannot compare safety check result to result of suspended symbolic " | ||
| "execution"); |
There was a problem hiding this comment.
this could be a PRECONDITION
|
@karkhaz Hi sorry should have explained - it is a PR on a private repo to verify this change doesn't require changes on our end to incorporate it. Nothing to worry about, I'll post here when it has passed but I'd appreciate if we could hold off merging until that check is complete 🙂 |
thk123
previously requested changes
Mar 8, 2018
|
Could I ask for a rebase as I think I'm getting some unrelated compile errors that I think a rebase would fix. (I think I've fixed the real compile errors but would like to check). |
karkhaz
force-pushed
the
kk-abstract-paths-worklist
branch
2 times, most recently
from
5f5e669 to
e8945a2
Compare
|
@thk123 I have rebased and also applied @romainbrenguier's suggestion. |
|
@karkhaz thanks, got it compiling locally, will let you know once our CI is passing. |
smowton
reviewed
Mar 12, 2018
src/goto-programs/safety_checker.h
Outdated
| enum class resultt { SAFE, UNSAFE, ERROR }; | ||
| enum class resultt | ||
| { | ||
| SAFE, |
There was a problem hiding this comment.
Might as well document the existing ones while you're there!
|
Hi it is failing our CI so until we've investigated can I ask we continue holding off on merging this. |
|
@thk123 please let me know if there's anything I can help with. I'm quite surprised, as I believe that I've only changed aspects of symex that run when @tautschnig suggested an improvement to the test structure today, so please don't merge this until I've pushed that up (I'll do that tomorrow morning). @martin-cs would you mind seeing if you're happy with this approach? This patchset implements your suggestion that symex should save both potential paths rather than saving one and continuing with the other. |
|
@karkhaz yup looks like entirely our problem, but could I ask for another rebase, sorry. |
karkhaz
force-pushed
the
kk-abstract-paths-worklist
branch
from
e8945a2 to
391b00d
Compare
|
@thk123 rebased, cheers. |
|
@karkhaz thanks - updated the bump 👍 |
karkhaz
force-pushed
the
kk-abstract-paths-worklist
branch
from
6a44960 to
f945447
Compare
|
Ping @smowton, @thk123---does this look good to everyone? I'm experimenting with new strategies locally, but I don't want to get too out-of-sync if there are many more changes required from this PR... |
|
Updating the pointer bump now - note I've not really reviewed the PR |
smowton
approved these changes
May 1, 2018
unit/Makefile
Outdated
| ../src/cbmc/symex_bmc$(OBJEXT) \ | ||
| ../src/cbmc/symex_coverage$(OBJEXT) \ | ||
| ../src/cbmc/xml_interface$(OBJEXT) \ | ||
| ../src/jsil/expr2jsil$(OBJEXT) \ |
There was a problem hiding this comment.
Alignment looks odd --mix of spaces and tabs?
|
Sorry to create extra work - but could I ask for a rebase as this has fallen behind develop. |
karkhaz
force-pushed
the
kk-abstract-paths-worklist
branch
from
f945447 to
b6296d1
Compare
|
Apologies - we had a number of breaking changes this week that got merged after your last rebase. Can I ask for another rebase (I'm optimistic it will be the last!) |
This commit introduces a new data type, path_queuet, representing saved symbolic execution paths, used instead of the std::list. This allows us to implement custom logic for saving and removing paths, rather than simply pushing to the back and popping the front. This commit introduces a concrete instantiation of path_queuet, called path_fifot, with the same functionality as the old std::list. This is in preparation for further instantiations that implement more sophisticated logic for deciding which path should be resumed next.
Before this commit, CBMC would occasionally print "Resuming from ''" because the source location that it was accessing was null.
When doing path exploration and encountering a conditional goto instruction, both successors of the goto (the next instruction, and the target) are pushed onto the path exploration workqueue. This allows the symbolic execution caller to have complete control over which path to execute next. Prior to this commit, symex would push one successor onto the workqueue and continue executing the path of the other successor until the path was terminated. This commit introduces the possibility that symbolic execution pauses without reaching the end of a path, and needs to be resumed by the caller. Thus, new safety checker results are introduced (SUSPENDED and UNKNOWN); the former signals to the caller of symex that symex has not reached the end of a branch, and therefore no safety check has been performed. The (currently only) path exploration strategy still pops paths in the order that they were pushed. This behaviour means that the paths that it pops will always alternate between the next instruction of a goto, and the target of that same goto. The test suite is updated to reflect this strategy.
A new class is introduced to hold the names, descriptions and constructor thunks for all path exploration strategies. This provides a uniform way for strategy descriptions to be displayed, which can be done with the --show-symex-strategies flag.
This commits adds the "lifo" strategy, which explores program paths using depth-first search. This is now the default strategy due to its favourable memory consumption compared to other strategies; tests on a few benchmarks show that its memory usage is basically constant and comparable to regular model-checking, since this strategy finishes paths as quickly as possible rather than saving them for later.
karkhaz
force-pushed
the
kk-abstract-paths-worklist
branch
from
b6296d1 to
d15f2e6
Compare
|
@thk123 rebased, cheers. |
karkhaz
force-pushed
the
kk-abstract-paths-worklist
branch
from
d15f2e6 to
122809b
Compare
karkhaz
force-pushed
the
kk-abstract-paths-worklist
branch
from
122809b to
916eb1f
Compare
thk123
approved these changes
May 8, 2018
There was a problem hiding this comment.
🎉 TG pointer bump passes @karkhaz I assume you'd like this merged post-haste? still waiting for approval from I honestly don't know who - something that even @tautschnig or @smowton don't have permission to wave through?
|
@chrisr-diffblue @martin-cs @peterschrammel A review would be greatly appreciated! |
chrisr-diffblue
approved these changes
May 8, 2018
| @@ -281,7 +281,7 @@ OPTIMIZE_OUTPUT_VHDL = NO | |||
| # Note that for custom extensions you also need to set FILE_PATTERNS otherwise | |||
| # the files are not read by doxygen. | |||
|
|
|||
| EXTENSION_MAPPING = | |||
| EXTENSION_MAPPING = h=c++ | |||
There was a problem hiding this comment.
Minor nit: This should probably have been a separate PR... but I won't block the PR :-)
|
@chrisr-diffblue I'll put minor commits in a separate PR from now on, IIRC I kept that commit in because the PR was failing the doxygen check that that commit fixes. Thanks so much for all the reviews! |
NathanJPhillips
pushed a commit
to NathanJPhillips/cbmc
that referenced
this pull request
Aug 22, 2018
20e7bca Merge pull request diffblue#2179 from cesaro/java-concurrency-support3 25e5820 Java concurrency regression tests bc539b5 Adds support for concurrency in java programs 46849e9 Adding concurrency related methods to CProver.java c817486 Merge pull request diffblue#2171 from thomasspriggs/json_tweaks f3670e3 Expose `begin` and `end` methods of underlying `std::vector` in `json_arrayt`. 402bc56 Clang format updates. 2907ba9 Allow constructon of `json_stringt` from `irep_idt`. ce674b5 Update constructor of `jsont` based on the copy and move idiom. 28117d2 Expose `emplace_back` method of underlying `std::vector` in `json_arrayt`. a589a56 Supply `value_type` typedef in `json_arrayt` for STL algorithm usage. 1d0cd01 Merge pull request diffblue#2175 from diffblue/extract-goto-functiont 76d202a use goto_function.h when only goto_functiont is used b9cd297 split out goto_functiont from goto_functions.h into separate file 784b6dd Merge pull request diffblue#2119 from svorenova/gs_tg1121_regression 1b6a939 Merge pull request diffblue#2169 from sonodtt/patch-1 faaacec Add dashboard webhooks to travis 7b0673e Merge pull request diffblue#2154 from diffblue/jar-file-cleanup d069719 Merge pull request diffblue#1915 from karkhaz/kk-abstract-paths-worklist aac16d5 Merge pull request diffblue#2159 from peterschrammel/clean-up-specc d413dd8 Merge pull request diffblue#2123 from smowton/smowton/java-object-factory-zero-initializer 995a548 Merge pull request diffblue#2164 from tautschnig/cleanup-mp-arith a4d1891 Merge pull request diffblue#2160 from diffblue/fix-java-constructor-pretty-name b9db37d Merge pull request diffblue#2163 from tautschnig/fix-test 6b064b3 pretty name of constructors now uses empty declarator b008bf3 add signature to method pretty names a9bb35c strip package name from base_name of Java class symbols 7711933 Merge pull request diffblue#2162 from tautschnig/fix-format 7d91638 Merge pull request diffblue#2148 from diffblue/remove-fixedbv-option 7e09d5f Fix duplicate output of id in format() 033f4c5 Remove unnecessary (and inconsistent) return statement 90d59d8 Remove unused global constant 29763da Fix misleading comments: the required variant of numeric_cast does not exist a2260bd remove the --fixedbv command-line option 78901ef fix in rounder in fixed-point arithmetic class 8414886 Remove SpecC support 88bbe32 Clean up references to php frontend 3f52c59 Clean up commented include 01685b6 Clean up references to SpecC frontend 916eb1f Unit tests for path exploration strategies 88db26f Merge pull request diffblue#2155 from tautschnig/mode-fixes 2fb3d2f Add missing mode 85aba52 Make new LIFO path exploration the default feef069 Doxygen uses C++ parser for .h files 17951c8 Add path strategy chooser class 685937a Path exploration pushes both successors onto queue 2a86fb4 Bugfix: always print path exploration resume point e823538 Symex paths saved onto abstract data structure bbd4253 signal errors while getting file from JAR using optional 48f1af3 Merge pull request diffblue#2145 from cesaro/concurrency-support-for-clinit 8db6b22 Merge pull request diffblue#2139 from romainbrenguier/bugfix/annotations-as-comments 94bbbba Added new cmd option to jbmc, 'java-threading' 48914be Modifies the instrumented clinit_wrapper function ce9f046 Merge pull request diffblue#2146 from diffblue/extra-float-types 46267b5 Merge pull request diffblue#2153 from diffblue/elaborate-format_expr da940a9 Test for assignement of annotated field 9d94bf7 Make annotations comments in irep_idt 52e9737 new gcc floating-point type identifiers, Fixes: diffblue#2151 c6cbf7c Merge pull request diffblue#2147 from diffblue/fix-tempdir-buffer-overflow 957881c format now prints type expressions and the values of named sub-ireps 9609a52 simplify use of get_temporary_directory 5907f68 fix potential non-zero termination of a string buffer 41d7a45 Merge pull request diffblue#2129 from romainbrenguier/bugfix/generic_type_index 53bc892 Add invariant in java_generic_symbol_type e3f240a Use get_name in generic_type_index 4a6ae9b Add java_types unit tests to Makefile 4c5144d Unit test for generic_type_index 8f0f780 Unit test for java_generic_symbol_type 41b3a6a Move java_generic_symbol_typet definitions to cpp 0afbe0f Unit test java_type_from_string and fix doc b7c9ea1 Test for abstract class with two generic arguments c141611 Fix generic_type_index 8127d4d Merge pull request diffblue#2141 from romainbrenguier/bugfix/goto-convert-mode 4948b70 Merge pull request diffblue#1712 from karkhaz/kk-flush-all e0bc5fd Merge pull request diffblue#2143 from diffblue/missing-algorithm-include fbed57e Add precondition ensuring mode is not empty 2ef91e7 Make mode an argument of goto-convert functions 2b4cd76 missing #include <algorithm> for std::find_if_not 7d11e85 Zero-initialize object factory structs 392c765 cleanup the includes in src/java_bytecode 1050637 fix a comment c57439e missing const for parameter 227e83d Adding regression tests for multi-dimensional arrays b8ffa5e Merge pull request diffblue#2135 from diffblue/solver-cleanout 0dc35fd Merge pull request diffblue#2136 from diffblue/unwind_module_cleanout f6a92cc remove bmc_constraints a2d9822 remove OpenSMT 218dc31 remove support for SMT1 e8aaf09 remove unused includes b0f7476 remove do_unwind_module hook 4d75d3d Merge branch 'develop' of github.com:diffblue/cbmc into develop 60c03b3 whitespace fix 3ea32fe Merge pull request diffblue#2134 from peterschrammel/invalid-symbol-mode b2a58c8 Assign mode to invalid objects e4230c6 Merge pull request diffblue#2130 from romainbrenguier/bugfix/if-expr-mode c6beb68 Merge pull request diffblue#2128 from tautschnig/include-cleanup 973b309 Merge pull request diffblue#2073 from tautschnig/reset-namespace a6a825a Remove unused includes b04122e Move definition of base_type_eqt to .cpp 104bc56 Use pointer_offset_bits instead of locally hacking up what it does anyway 99755fe Move asserts to invariants (and provide suitable includes) 3af3d72 Do not unnecessarily use C string functions 3c697da Add test where tmp_if_expr is introduced 746e337 Set mode of if_exprt introduced in preprocessing 73e0c0f Use C++ streams instead of C-style snprintf d351a5d Use a single global INITIALIZE_FUNCTION macro instead of __CPROVER_initialize 9c03ca3 Use iosfwd instead of ostream where possible 6b8583d Merge pull request diffblue#2100 from tautschnig/string-table-cleanup 75caefa Merge pull request diffblue#2116 from peterschrammel/java-new-pass 6c90b35 Merge pull request diffblue#2052 from romainbrenguier/bugfix/default-axioms2#TG-2138 53dfa0a Merge pull request diffblue#2120 from diffblue/optional_optnr 8f7d9f0 use optional<size_t> instead of -1 in cmdlinet a61d03f Remove java_bytecode deps from Makefiles ce9f1fc Use remove_java_new 10d0042 more files to ignore 95ea29a Merge pull request diffblue#2115 from peterschrammel/language-mode-utils ce11613 Factor out java new removal into separate pass baa15f5 Add Makefile dependency for smt2_solver bacfa27 Merge pull request diffblue#2114 from tautschnig/type-renaming 2bdaafc Add more doxygen to language.h and mode.h 74c2c3d Utility functions to get mode and language b934aaf symex_dynamic::dynamic_object_size* are constants ef83f93 array_size symbols: set mode and avoid redundant settings 8b20ebb Merge pull request diffblue#2112 from diffblue/address_of_byte_extract 66aa851 Merge pull request diffblue#2109 from LAJW/lajw/free-lambda-from-cpplint-oppression 7339638 Merge pull request diffblue#2111 from peterschrammel/bugfix/missing-java-modes 18cab61 Rephrase and justify curly brace alignment exceptions 6670703 Added an extension point for irep ids 38782bd Move enum idt to the single translation unit that actually requires it e657da8 Fix Doxygen syntax f79b453 Check that the string table does not include unused entries 61ca5df Remove unused entries from the string table b2e4ca0 Use existing irep_idts instead of strings 2b819e6 Remove unused symbolt::{to,from}_irep 0b82ee2 allow address_of of byte_extract expressions 7747442 Associate dynamic objects with respective language mode 6438ee7 Bugfix: use proper language registration in unit tests c274c15 Set mode in goto_convert auxiliary symbols 9a896f9 Replace asserts by invariants 78191ee Remove NOLINTs for lambdas. 692c4f3 Remove brace checking from cpplint d344dd9 Update coding standard b59a453 Move MAX_CONCRETE_STRING_SIZE definition to magic 05b924c Deprecate string-max-length option 132a26b Add tests showing the effect on string-max-length 0e8a863 Add test for generics array and strings b83182f Get rid of string_max_length field d726577 Make char_array_of_pointer return a reference 2154047 Get rid of default axioms for strings 1d4f26c Assign 0 to string length for null Java String ff25fe2 Weaken invariant for nil exprt as model of array 56e7b37 Make get_array return nil for long strings 5fde05a Use string-max-length as default max input-length b0c6528 Use boolbvt for getting counter examples 5b3a1a4 Remove unnecessary replace_expr a630bb7 Correct bound in test with long string e4cf694 Bugfix: Java symbol types must have mode ID_java e158bb4 Bugfix: Java array symbols must have mode ID_java d475abc Reset namespace after symbolic execution 1ef0f41 Add --flush option to flush all output git-subtree-dir: cbmc git-subtree-split: 20e7bca
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Most of this daunting pull request is tests, I promise. 😇
Implement @martin-cs's suggestion that control of which path to continue executing be moved out of
goto_symex/symex_goto.cppentirely. My previous implementation always saved one path on the queue and continued executing the other, meaning that every symex run ended at the end of a path. We now save both paths and halt symbolic execution, returning control to the caller, who can choose which path to execute (either of the two paths that were just saved, or even any of the paths that were saved earlier). This implies that a symex run shouldn't always be followed by a safety check, since we may not have finished executing a path; thus, I addedsafety_checkert::resultt::SUSPENDEDto indicate that symex was suspended half-way through and the resulting equation has not been safety-checked.The path workqueue now has a custom data type instead of being a
std::list, withpush(),peek(), andpop()methods. The data type is subclassable for implementing different strategies.peek()is intentionally not markedconst, so that the data type can lazily search for the next path to return only whenpeek()is called rather than modifying its state every timepush()is called; I anticipate that future strategies might be time-consuming.There's a data structure called
path_strategy_choosertwhich is both a factory for path exploration strategies, and also holds their stringified names and help texts all in the same place, so that there's a uniform way of setting the path exploration strategy from all the frontends without duplication.Two strategies are implemented: FIFO and progressive FIFO. The paths that FIFO returns will always alternate between the next instruction of a goto, and the target of that same goto, followed by the next and target of another goto, etc. Progressive FIFO will always return the jump targets of all gotos that have been pushed, and only start returning next instructions when the jump targets have all been executed---the idea being to prefer making forward progress rather than dwelling inside loops.
Tests for all of this, courtesy of the Department of Overengineered Solutions. In order to test the functional correctness of strategies, we not only need to test the verification result, but also the order in which paths are popped. This means multi-line regexes in the test suite, but even for short test cases these regexes are hundreds of bytes long---tedious to write and impossible to understand. I therefore wrote an interpreter for a human-friendly language representing the pushes and pops of a path queue. Test writers should write what paths they expect to see in what order in the comments section of a
test.infile, from which atest.descfile gets generated byscripts/make_descs.py. For example, writing thistest.infile:generates this
test.desc: