Siemens fix260 squashed (do not merge) #291
Conversation
Signed-off-by: Lucas Cordeiro <[email protected]>
Signed-off-by: Lucas Cordeiro <[email protected]>
…ing the dependence graph Signed-off-by: Lucas Cordeiro <[email protected]>
Signed-off-by: Lucas Cordeiro <[email protected]>
Signed-off-by: Lucas Cordeiro <[email protected]>
Signed-off-by: Lucas Cordeiro <[email protected]>
Signed-off-by: Lucas Cordeiro <[email protected]>
Signed-off-by: Lucas Cordeiro <[email protected]>
Signed-off-by: Lucas Cordeiro <[email protected]>
Signed-off-by: Lucas Cordeiro <[email protected]>
Signed-off-by: Lucas Cordeiro <[email protected]>
Signed-off-by: Lucas Cordeiro <[email protected]>
…tatements' Signed-off-by: Lucas Cordeiro <[email protected]>
Signed-off-by: Lucas Cordeiro <[email protected]>
Signed-off-by: Lucas Cordeiro <[email protected]>
Signed-off-by: Lucas Cordeiro <[email protected]>
Signed-off-by: Lucas Cordeiro <[email protected]>
Signed-off-by: Lucas Cordeiro <[email protected]>
Signed-off-by: Lucas Cordeiro <[email protected]>
Signed-off-by: Lucas Cordeiro <[email protected]>
Signed-off-by: Lucas Cordeiro <[email protected]>
Signed-off-by: Lucas Cordeiro <[email protected]>
lucasccordeiro
force-pushed
the
siemens_fix260_squashed
branch
from
1da9076 to
517fbd2
Compare
Signed-off-by: Lucas Cordeiro <[email protected]>
There was a problem hiding this comment.
The tests should definitively get merged (even though there's a design decision to be made whether they should genuinely be in a separate directory or just be part of the cbmc/ folder. For the code there are a couple of questions for discussion, and linting is necessary.
| @@ -400,6 +429,9 @@ void full_slicert::operator()( | |||
| Forall_goto_functions(f_it, goto_functions) | |||
| if(f_it->second.body_available()) | |||
| { | |||
| if(f_it->first=="pthread_create") | |||
| throw "--full-slice does not support C/Pthreads yet"; | |||
|
|
|||
There was a problem hiding this comment.
The indent seems wrong here.
There was a problem hiding this comment.
| { | ||
| // some variables are used during symbolic execution only | ||
|
|
||
| const irep_idt &statement=target->code.get(ID_statement); | ||
| if (statement==ID_array_copy) return true; |
There was a problem hiding this comment.
Why does array_copy need to be singled out?
There was a problem hiding this comment.
See #260. There are two test cases that expose this bug in the full slicer: realloc1 and realloc2. If we do not add that check, the full slicer incorrectly cuts all expressions related to array_copy.
| @@ -322,18 +329,38 @@ Function: implicit | |||
|
|
|||
| \*******************************************************************/ | |||
|
|
|||
| static bool implicit(goto_programt::const_targett target) | |||
| static bool implicit(const namespacet &ns, goto_programt::const_targett target) | |||
| { | |||
| // some variables are used during symbolic execution only | |||
There was a problem hiding this comment.
This function now seems to be doing a lot more than what it originally was intended for!
There was a problem hiding this comment.
I have added an explanation in #260. As I reported in the issue, I'm not completely sure whether this is correct or not.
| const irep_idt &statement=target->code.get(ID_statement); | ||
| if (statement==ID_array_copy) return true; | ||
|
|
||
| if (target->is_assume()) return true; |
There was a problem hiding this comment.
Why is that the case? It should not be forced into the slice when there is a control dependency on the condition represented by the assume. Except for bugs, the control-dependency code should be handling this.
There was a problem hiding this comment.
The control-flow dependency code is not handling this. Should we open a bug for this issue then?
| if(!target->is_assign()) return false; | ||
|
|
||
| const code_assignt &a=to_code_assign(target->code); | ||
| if(a.lhs().id()==ID_dereference) return true; |
| if(a.lhs().id()!=ID_symbol) return false; | ||
|
|
||
| const symbol_exprt &s=to_symbol_expr(a.lhs()); | ||
|
|
||
| return s.get_identifier()==CPROVER_PREFIX "rounding_mode"; | ||
| if (s.source_location().get_function().empty()) |
There was a problem hiding this comment.
Why is this restriction required?
There was a problem hiding this comment.
We were incorrectly slicing all global variables inside the __CPROVER_initialize function. Specifically, the call to s.source_location().get_function().empty() returns true for __CPROVER_initialize function.
There was a problem hiding this comment.
The fact that those variables have been wrongly sliced away is a bug, and I'm not sure it actually exists any longer - the bugfix should be via 50383ed. Can you confirm that this change is still necessary?
|
|
||
| // static lifetime? | ||
| if(ns.lookup(s.get_identifier()).is_static_lifetime) | ||
| return true; |
There was a problem hiding this comment.
Why can't those variables not be sliced away?
There was a problem hiding this comment.
The problem is that we were slicing all global variables inside the __CPROVER_initialize function. This was causing a large number of incorrect results for the full-slice option.
There was a problem hiding this comment.
See above - I think this has been fixed via 50383ed.
| // add generic checks | ||
| status() << "Generic Property Instrumentation" << eom; | ||
| goto_check(ns, options, goto_functions); | ||
|
|
There was a problem hiding this comment.
Here we have to ensure that we call the full-slice option just after instrumenting the code with goto_check; otherwise, we the full-slice cuts all assignments that are relevant to checking a given property.
| it!=d_node.in.end(); | ||
| ++it) | ||
| add_to_queue(queue, dep_node_to_cfg[it->first], node.PC); | ||
| if (dep_graph.state_exist(node.PC)) |
There was a problem hiding this comment.
Is it truly possible that a state doesn't exist?
There was a problem hiding this comment.
I have removed this code in https://github.com/lucasccordeiro/cbmc/tree/dependence-graph-fix.
| @@ -274,6 +274,14 @@ class ait:public ai_baset | |||
| ai_baset::clear(); | |||
| } | |||
|
|
|||
| // this one just finds states | |||
| virtual const bool state_exist(locationt l) const | |||
There was a problem hiding this comment.
I think this should be state_exists (with an s)
There was a problem hiding this comment.
This piece of code was already removed in https://github.com/lucasccordeiro/cbmc/tree/dependence-graph-fix
|
@lucasccordeiro perhaps as a first easy step, may I have a separate PR for the tests, please? |
|
@kroening and @tautschnig: I have just created PR #479 to add test cases to check the full-slice option. In particular, I have added all test cases into the cbmc regression suite to make sure that we always test the full-slice option. |
|
@lucasccordeiro can you rebase, please? |
lucasccordeiro
changed the title
SEC-16: Preparation steps for load analysed web apps with libraries included.
|
Closing for now, the PR description doesn't make it clear what the added value for this and there's been no movement on this PR since 2017. |
No description provided.