Add hybrid BDFS path exploration strategy

From the help text: explore breadth-first until we have N saved paths,
at which point explore depth-first from each of those paths in
round-robin order. N defaults to 8 and can be specified with the flag
--bdfs-diameter N.

This strategy is intended to be a nice compromise between low RAM usage
and high coverage. The fact that we end paths as quickly as possible
keeps memory use low, while branching very high up in the exploration
tree means that we explore many different parts of the program.

Author: karkhaz

src/cbmc/bmc.cpp

@@ -577,6 +577,9 @@ int bmct::do_language_agnostic_bmc(
       if(tmp_result != safety_checkert::resultt::PAUSED)
         final_result &= tmp_result;
       worklist->pop();
+      if(tmp_result != safety_checkert::resultt::PAUSED)
+        if(worklist->interested_in_path_termination())
+          worklist->notify_path_terminated();
     }
   }
   catch(const char *error_msg)

src/cbmc/bmc.h

@@ -300,6 +300,7 @@ class path_explorert : public bmct
   "(no-self-loops-to-assumptions)"                                             \
   "(partial-loops)"                                                            \
   "(paths):"                                                                   \
+  "(bdfs-diameter):"                                                           \
   "(show-symex-strategies)"                                                    \
   "(depth):"                                                                   \
   "(unwind):"                                                                  \
@@ -309,6 +310,7 @@ class path_explorert : public bmct
 
 #define HELP_BMC                                                               \
   " --paths [strategy]           explore paths one at a time\n"                \
+  " --bdfs-diameter N            read output of --show-symex-strategies\n"     \
   " --show-symex-strategies      list strategies for use with --paths\n"       \
   " --program-only               only show program expression\n"               \
   " --show-loops                 show the loops in the program\n"              \

src/goto-symex/path_storage.cpp

@@ -12,6 +12,136 @@ Author: Kareem Khazem <[email protected]>
 
 #include <util/exit_codes.h>
 #include <util/make_unique.h>
+#include <util/string2int.h>
+
+// _____________________________________________________________________________
+// breadth_depth_path_storaget
+
+inline void breadth_depth_path_storaget::notify_path_terminated()
+{
+  if(empty())
+    return;
+  do
+  {
+    ++current_depth_queue;
+    if(current_depth_queue == depth_list.end())
+      current_depth_queue = depth_list.begin();
+  } while(current_depth_queue->empty());
+  last_peeked = current_depth_queue->end();
+}
+
+path_storaget::patht &breadth_depth_path_storaget::private_peek()
+{
+  INVARIANT(
+    depth_list.empty() || current_depth_queue != depth_list.end(),
+    "We have paths to explore DFS, but no pointer to which path to start with");
+
+  if(depth_list.empty())
+    return breadth_list.front();
+
+  INVARIANT(
+    last_peeked == current_depth_queue->end(),
+    "Should have popped or notify_path_terminated() before peeking");
+
+  --last_peeked;
+  return current_depth_queue->back();
+}
+
+void breadth_depth_path_storaget::push(
+  const path_storaget::patht &next_instruction,
+  const path_storaget::patht &jump_target)
+{
+  INVARIANT(
+    depth_list.empty() || current_depth_queue != depth_list.end(),
+    "We have paths to explore DFS, but no pointer to which path to start with");
+
+  source_locationt to_pop;
+
+  if(depth_list.empty())
+  {
+    if(!breadth_list.empty())
+      to_pop = breadth_list.back().state.source.pc->source_location;
+    breadth_list.push_back(next_instruction);
+    breadth_list.push_back(jump_target);
+  }
+  else
+  {
+    current_depth_queue->push_back(next_instruction);
+    current_depth_queue->push_back(jump_target);
+  }
+
+  if(breadth_list.size() > diameter)
+  {
+    for(const auto &path : breadth_list)
+    {
+      std::list<patht> tmp;
+      tmp.push_back(path);
+      depth_list.push_back(tmp);
+      context.log.debug()
+        << "DFS start point: " << path.state.saved_target->source_location
+        << context.log.eom;
+    }
+    // The path that led to next_instruction and jump_target being pushed is
+    // currently the third-last item in breadth_list (the last and second-last
+    // items are the two arguments to this method). We've just transferred
+    // breadth_list into depth_list, but we need to ensure that when private_pop
+    // is called, it actually pops the correct path from depth_list.
+    std::list<std::list<patht>>::iterator tmp = depth_list.end();
+    std::advance(tmp, -3);
+    last_peeked = tmp->begin();
+    INVARIANT(
+      last_peeked->state.source.pc->source_location == to_pop,
+      "Expected last_peeked to point to the precursor of next_instruction "
+      "and jump_target");
+
+    // Meanwhile, when we peek, we should go through all the subtrees in a
+    // round-robin fashion.
+    current_depth_queue = depth_list.begin();
+
+    // From here onward, breadth_list will never be used.
+    breadth_list.clear();
+  }
+}
+
+void breadth_depth_path_storaget::private_pop()
+{
+  INVARIANT(
+    depth_list.empty() || current_depth_queue != depth_list.end(),
+    "We have paths to explore DFS, but no pointer to which path to start with");
+
+  if(depth_list.empty())
+    breadth_list.pop_front();
+  else
+  {
+    INVARIANT(
+      last_peeked != current_depth_queue->end(),
+      "Must peek immediately before popping");
+    current_depth_queue->erase(last_peeked);
+    last_peeked = current_depth_queue->end();
+  }
+}
+
+std::size_t breadth_depth_path_storaget::size() const
+{
+  INVARIANT(
+    depth_list.empty() || current_depth_queue != depth_list.end(),
+    "We have paths to explore DFS, but no pointer to which path to start with");
+
+  if(depth_list.empty())
+    return breadth_list.size();
+
+  std::size_t total = 0;
+  for(const auto &paths : depth_list)
+    total += paths.size();
+  return total;
+}
+
+void breadth_depth_path_storaget::clear()
+{
+  breadth_list.clear();
+  depth_list.clear();
+  current_depth_queue = depth_list.end();
+}
 
 // _____________________________________________________________________________
 // path_lifot
@@ -111,11 +241,37 @@ void path_strategy_choosert::set_path_strategy_options(
   }
   else
     options.set_option("exploration-strategy", default_strategy());
+
+  if(cmdline.isset("bdfs-diameter"))
+  {
+    if(!cmdline.isset("paths")
+    || options.get_option("exploration-strategy") != "hybrid-bdfs")
+    {
+      message.error() << "`--bdfs-diameter` can only be passed when passing "
+                         "`--paths hybrid-bdfs`."
+                      << message.eom;
+      exit(CPROVER_EXIT_USAGE_ERROR);
+    }
+    options.set_option(
+      "bdfs-diameter",
+      unsafe_string2unsigned(cmdline.get_value("bdfs-diameter")));
+  }
 }
 
 path_strategy_choosert::path_strategy_choosert()
   : strategies(
-      {{"lifo",
+      {{"hybrid-bdfs",
+        {" hybrid-bdfs                  explore breadth-first until we have\n"
+         "                              N saved paths, at which point explore\n"
+         "                              depth-first from each of those paths\n"
+         "                              in round-robin order. N defaults to 8\n"
+         "                              and can be specified with the flag\n"
+         "                              --bdfs-diameter N.\n",
+         // NOLINTNEXTLINE(whitespace/braces)
+         [](const path_storaget::strategy_contextt &ctx) {
+           return util_make_unique<breadth_depth_path_storaget>(ctx);
+         }}},
+       {"lifo",
         {" lifo                         next instruction is pushed before\n"
          "                              goto target; paths are popped in\n"
          "                              last-in, first-out order. Explores\n"

src/goto-symex/path_storage.h

@@ -18,8 +18,7 @@
 /// \brief Storage for symbolic execution paths to be resumed later
 ///
 /// This data structure supports saving partially-executed symbolic
-/// execution \ref path_storaget::patht "paths" so that their execution can
-/// be halted and resumed later. The choice of which path should be
+/// execution \ref path_storaget::patht "paths" so that their execution can /// be halted and resumed later. The choice of which path should be
 /// resumed next is implemented by subtypes of this abstract class.
 class path_storaget
 {
@@ -114,6 +113,27 @@ class path_storaget
     return size() == 0;
   };
 
+  /// \brief Callback for clients to notify this path_storaget that we have
+  /// symbolically executed to the end of a path, and the path has been
+  /// model-checked.
+  ///
+  /// This implementation does nothing. There is no need for clients to call
+  /// this method if path_storaget::interested_in_path_termination() returns
+  /// `false`.
+  virtual void notify_path_terminated()
+  {
+  }
+
+  /// \brief Is this path_storaget interested in path termination?
+  ///
+  /// If this method returns `true`, clients should call the
+  /// path_storaget::notify_path_terminated() method whenever the client
+  /// finishes symbolically executing a path.
+  virtual bool interested_in_path_termination() const
+  {
+    return false;
+  }
+
 protected:
   const strategy_contextt &context;
 
@@ -167,6 +187,42 @@ class path_fifot : public path_storaget
   void private_pop() override;
 };
 
+/// \brief Hybrid breadth-then-depth search
+class breadth_depth_path_storaget : public path_storaget
+{
+public:
+  void push(const patht &, const patht &) override;
+  std::size_t size() const override;
+  void clear() override;
+  explicit breadth_depth_path_storaget(const strategy_contextt &ctx)
+  : path_storaget(ctx),
+    diameter(
+      ctx.options.is_set("bdfs-diameter")
+        ? ctx.options.get_unsigned_int_option("bdfs-diameter")
+        : 8U),
+    depth_list(),
+    current_depth_queue(depth_list.end())
+  {
+  }
+
+  virtual void notify_path_terminated() override;
+  virtual bool interested_in_path_termination() const override
+  {
+    return true;
+  }
+
+protected:
+  const unsigned diameter;
+  std::list<patht> breadth_list;
+  std::list<std::list<patht>> depth_list;
+  std::list<std::list<patht>>::iterator current_depth_queue;
+  std::list<patht>::iterator last_peeked;
+
+private:
+  patht &private_peek() override;
+  void private_pop() override;
+};
+
 /// \brief Dummy class for clients who will not use path exploration
 class degenerate_path_storaget : public path_storaget
 {

unit/path_strategies.cpp

@@ -262,6 +262,73 @@ SCENARIO("path strategies")
          symex_eventt::result(symex_eventt::enumt::FAILURE)});
     }
   }
+
+  GIVEN("a very branchy program for testing hybrid strategy")
+  {
+    std::function<void(optionst &)> opts_callback;
+
+    c =
+      "/*  1 */  void foo(int bar)    \n"
+      "/*  2 */  {                    \n"
+      "/*  1 */    if(!bar)           \n"
+      "/*  2 */      return;          \n"
+      "/*  3 */                       \n"
+      "/*  4 */    int x;             \n"
+      "/*  5 */    if(x)              \n"
+      "/*  6 */      foo(bar - 1);    \n"
+      "/*  7 */    else               \n"
+      "/*  9 */      foo(bar - 1);    \n"
+      "/* 10 */  }                    \n"
+      "/* 11 */                       \n"
+      "/* 12 */  int main()           \n"
+      "/* 13 */  {                    \n"
+      "/* 14 */    foo(8);            \n"
+      "/* 15 */  }                    \n";
+
+    const symex_eventt::listt dfs_order =
+      {symex_eventt::resume(symex_eventt::enumt::NEXT, 8),
+       symex_eventt::resume(symex_eventt::enumt::JUMP, 10),
+       symex_eventt::resume(symex_eventt::enumt::NEXT, 8),
+       symex_eventt::resume(symex_eventt::enumt::JUMP, 10),
+       symex_eventt::resume(symex_eventt::enumt::NEXT, 8),
+       symex_eventt::resume(symex_eventt::enumt::JUMP, 10),
+       symex_eventt::resume(symex_eventt::enumt::NEXT, 8),
+       symex_eventt::result(symex_eventt::enumt::SUCCESS),
+       symex_eventt::resume(symex_eventt::enumt::JUMP, 10),
+       symex_eventt::result(symex_eventt::enumt::SUCCESS),
+       symex_eventt::resume(symex_eventt::enumt::NEXT, 8),
+       symex_eventt::result(symex_eventt::enumt::SUCCESS),
+       symex_eventt::resume(symex_eventt::enumt::JUMP, 10),
+       symex_eventt::result(symex_eventt::enumt::SUCCESS),
+       symex_eventt::resume(symex_eventt::enumt::NEXT, 8),
+       symex_eventt::result(symex_eventt::enumt::SUCCESS),
+       symex_eventt::resume(symex_eventt::enumt::JUMP, 10),
+       symex_eventt::result(symex_eventt::enumt::SUCCESS),
+       symex_eventt::resume(symex_eventt::enumt::NEXT, 8),
+       symex_eventt::result(symex_eventt::enumt::SUCCESS),
+       symex_eventt::resume(symex_eventt::enumt::JUMP, 10),
+       symex_eventt::result(symex_eventt::enumt::SUCCESS)};
+
+    // When --bdfs-diameter is huge, hybrid-bdfs should degenerate to BFS---that
+    // is, they have exactly the same sequence of events. This is because
+    // hybrid-bdfs never fills up its queue with enough paths to start DFSing
+    // from the breadth-obtained paths.
+    //
+    opts_callback = [](optionst &opts)
+      {
+        opts.set_option("unwind", 2U);
+        opts.set_option("bdfs-diameter", 1000U);
+      };
+    check_with_strategy("hybrid-bdfs", opts_callback, c, dfs_order);
+    check_with_strategy("fifo", opts_callback, c, dfs_order);
+
+    opts_callback = [](optionst &opts)
+      {
+        opts.set_option("unwind", 2U);
+        opts.set_option("bdfs-diameter", 2U);
+      };
+    check_with_strategy("hybrid-bdfs", opts_callback, c, dfs_order);
+  }
 }
 
 // In theory, there should be no need to change the code below when adding new