Single-path symex checker [blocks: #3976] #3969
Conversation
peterschrammel
requested review from
cesaro,
chrisr-diffblue,
cristina-david,
kroening,
NathanJPhillips,
pkesseli,
smowton,
tautschnig and
thk123
as code owners
peterschrammel
force-pushed
the
single-path-symex-checker
branch
from
08989a3 to
b59a98e
Compare
peterschrammel
changed the title
peterschrammel
force-pushed
the
single-path-symex-checker
branch
2 times, most recently
from
b9af1f9 to
0420c96
Compare
There was a problem hiding this comment.
🚫
This PR failed Diffblue compatibility checks (cbmc commit: 0420c96).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/98863639
Status will be re-evaluated on next push.
Please contact @peterschrammel, @thk123, or @allredj for support.
Common spurious failures:
- the cbmc commit has disappeared in the mean time (e.g. in a force-push)
- the author is not in the list of contributors (e.g. first-time contributors).
The incompatibility may have been introduced by an earlier PR. In that case merging this
PR should be avoided unless it fixes the current incompatibility.
peterschrammel
changed the title
tautschnig
changed the title
peterschrammel
changed the title
peterschrammel
force-pushed
the
single-path-symex-checker
branch
from
0420c96 to
f94473b
Compare
There was a problem hiding this comment.
✔️
Passed Diffblue compatibility checks (cbmc commit: f94473b).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/99520817
| @@ -69,6 +69,12 @@ void slice( | |||
| const optionst &, | |||
| ui_message_handlert &); | |||
|
|
|||
| void output_coverage_report( | |||
There was a problem hiding this comment.
Documentation would be appreciated. I think the cov_out parameter is the one needing it the most, notably the aspect that an empty string will mean that nothing happens. How about:
/// Output a coverage report as generated by \ref symex_coveraget if \p cov_out is non-empty.
/// \param cov_out: file to write the report to; no report is generated if this is empty
/// \param goto_model: goto model to build the coverage report for
/// \param symex: symbolic execution run to report coverage for
/// \param ui_message_handler: status/warning message handler
src/goto-checker/bmc_util.cpp
Outdated
| { | ||
| // add a partial ordering, if required | ||
| // We won't be able to decide any properties by adding this, | ||
| // but we'd like to see the entire SSA. |
There was a problem hiding this comment.
Does this comment still make sense? I recall requesting it, but now that this is more generic I don't think it's appropriate anymore.
src/goto-checker/bmc_util.cpp
Outdated
| return goto_model.get_goto_function(id); | ||
| }; | ||
|
|
||
| // perform symbolic execution |
There was a problem hiding this comment.
Comments don't always add value: I think it's pretty clear what the next line does, and this just makes it sound like something surprising would happen?
| [&goto_model]( | ||
| const irep_idt &id) -> const goto_functionst::goto_functiont & { | ||
| return goto_model.get_goto_function(id); | ||
| }; |
There was a problem hiding this comment.
Should we maybe tweak the goto_symext interface a bit? Looking at get_function_from_goto_functions (symex_main.cpp) we now define this helper function multiple times.
| @@ -336,3 +336,25 @@ void perform_symex( | |||
|
|
|||
| postprocess_equation(symex, equation, options, ns, ui_message_handler); | |||
| } | |||
|
|
|||
| void perform_symex( | |||
There was a problem hiding this comment.
I'm confused. It seems two commits now introduce the same. They actually do, the lines above already contain the same code.
There was a problem hiding this comment.
Yes, that's exactly the problem. The goto-symex interface is broken in this respect. We should have a function that returns a path_storaget::patht for the initial state at the entry point; and then we can resume from that... and everything becomes nice and uniform.
There was a problem hiding this comment.
That should be fixable?
There was a problem hiding this comment.
Yes, but I'll go ahead with the current version for now and clean up the goto-symex interface later this week. #4071
src/goto-checker/Makefile
Outdated
| @@ -7,6 +7,7 @@ SRC = bmc_util.cpp \ | |||
| goto_verifier.cpp \ | |||
| multi_path_symex_checker.cpp \ | |||
| multi_path_symex_only_checker.cpp \ | |||
| single_path_symex_only_checker.cpp \ | |||
There was a problem hiding this comment.
Lexicographic sorting, please. Applies again in a later commit (introducing single_path_symex_checker.cpp).
src/cbmc/cbmc_parse_options.cpp
Outdated
| options, ui_message_handler, goto_model); | ||
| } | ||
|
|
||
| (void)(*verifier)(); |
There was a problem hiding this comment.
Seems like an unnecessary dance, can't we just run each of them in the branches above?
src/cbmc/cbmc_parse_options.cpp
Outdated
| } | ||
|
|
||
| (void)(*verifier)(); |
There was a problem hiding this comment.
Again, seems unnecessary. Just call each of them in the branches above.
jbmc/src/jbmc/jbmc_parse_options.cpp
Outdated
| } | ||
|
|
||
| (void)(*verifier)(); |
There was a problem hiding this comment.
Just call each of them in the branches above.
jbmc/src/jbmc/jbmc_parse_options.cpp
Outdated
| options, ui_message_handler, goto_model); | ||
| } | ||
|
|
||
| (void)(*verifier)(); |
There was a problem hiding this comment.
Just call each of them.
peterschrammel
force-pushed
the
single-path-symex-checker
branch
from
f94473b to
e9a0a6f
Compare
As introduced into bmct in eb0b86b.
Allows us to remove set_message_handler() calls on solvers in other parts of the code.
Reduces code duplication across goto checkers.
Better provide it as a utility than hiding it inside a class. Reduces code duplication across goto checkers.
Copied from bmct. Going to be used by single_path_symex_checkert.
Utility function to set all UNKNOWN properties to PASS when the verification algorithm has finished. Corresponds to the current behaviour of CBMC replying 'successful' when the given bounds have been reached.
Provides functionality close to solvers/prop/cover_goals but without callbacks. It allows us to iteratively get all counterexamples for a set of properties on a fixed equation. This is used as a component by multi-path and single-path symex checkers.
Replaces the path_explorert variant of bmct. The current implementation of this is overly complicated because path_explorert distinguishes the first run of goto-symex from the following ones. To drastically simplify the code goto-symex/symex_bmc needs to be refactored so that all runs can be handled uniformly (e.g. push entry point into work list and then 'resume' from there). See also single_path_symex_checkert.
We can now use single_path_symex_only_checkert instead of bmct.
Extends single_path_symex_only_checkert with calling the solver and returning traces.
peterschrammel
force-pushed
the
single-path-symex-checker
branch
from
e9a0a6f to
96fec16
Compare
We can now use single_path_symex_checkert instead of bmct.
JBMC requires further setup of symex_bmct.
We can now use single_path_symex_checkert instead of bmct.
peterschrammel
force-pushed
the
single-path-symex-checker
branch
from
96fec16 to
1f9f475
Compare
There was a problem hiding this comment.
✔️
Passed Diffblue compatibility checks (cbmc commit: 1f9f475).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/99702092
Implements the --paths variant of using goto-symex.