Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Unassume witness invariants during solving #796

Merged
merged 141 commits into from
Jan 2, 2023
Merged

Conversation

sim642
Copy link
Member

@sim642 sim642 commented Jul 27, 2022

This PR adds an unassume analysis, which loads a YAML witness before solving and emits Unassume events during the analysis at nodes which have invariants. Both base, apron and var_eq analysis handle these events to make their local states less precise to immediately account for all states matching the invariant. Since the parsed invariants should be from a completed analysis, they correspond to the fixpoint. Thus unassuming the invariants allows the analysis to directly jump to that fixpoint. The benefits of this are two-fold:

  1. It avoids widening-narrowing iterations to reach the same fixpoint, speeding up the analysis (hopefully).
  2. It avoids widening jumping over fixpoints (especially with apron that cannot narrow), making the analysis more precise.

Changes

Besides the unassuming, many surrounding bigger and smaller changes are included:

  1. Extract base analysis branch invariant out to a separate BaseInvariant module. This is a fairly large part of base analysis code, but sufficiently self-contained that it can be decoupled. The real reason for doing this was to use a slightly modified version of invariant for unassuming without a complete copy of invariant.
  2. Add widening tokens, a dynamic way to delay widenings: http://www2.in.tum.de/bib/files/mihaila13widening.pdf. This turned out to be necessary, otherwise unassume itself causes a widening and becomes even less precise than intended.
  3. Add witness.invariant.exact, which allows disabling the generation of exact equality invariants that are useless for unassuming.
  4. Add witness.invariant.exclude-vars, which is a list of regexes for variable names that invariants should not be generated for. This can be tuned for sv-benchmarks which have already been CIL-led and contain awful amounts of temporaries.
  5. Improve base branch refinement for address sets, interval bound non-equality and disjunctions of address/int equalities.

TODO

  • Emit Unassume events after all transfer functions, not just assign.
  • Support unassuming preconditioned invariants.
  • Support unassuming multithreaded invariants about globals (at locations)? This kind of requires us to first generate such invariants properly. (Privatized location invariants in YAML witnesses #833)
  • More precise unassuming than doing an assume on a top state and joining that in? In base, this probably would be an invariant-like recursive computation; in apron, not sure if anything better can be done.
  • Clean up and document widening tokens.
  • Adapt tests to Refactor stub libraries structure #845.

@sim642 sim642 added feature sv-comp SV-COMP (analyses, results), witnesses precision performance Analysis time, memory usage pr-dependency Depends or builds on another PR, which should be merged before labels Jul 27, 2022
@sim642 sim642 self-assigned this Jul 27, 2022
@sim642 sim642 force-pushed the yaml-witness-unassume branch from 1487e6e to 4c8a737 Compare July 27, 2022 09:34
src/analyses/base.ml Outdated Show resolved Hide resolved
@michael-schwarz
Copy link
Member

I think once the comments are addressed and the adaptations necessary because of the new affeq analysis are made, this is ready to be merged.

@sim642 sim642 merged commit 9ce9249 into master Jan 2, 2023
@sim642 sim642 deleted the yaml-witness-unassume branch January 2, 2023 09:42
sim642 added a commit that referenced this pull request Jan 2, 2023
sim642 added a commit to sim642/opam-repository that referenced this pull request Sep 13, 2023
CHANGES:

* Add `setjmp`/`longjmp` analysis (goblint/analyzer#887, goblint/analyzer#970, goblint/analyzer#1015, goblint/analyzer#1019).
* Refactor race analysis to lazy distribution (goblint/analyzer#1084, goblint/analyzer#1089, goblint/analyzer#1136, goblint/analyzer#1016).
* Add thread-unsafe library function call analysis (goblint/analyzer#723, goblint/analyzer#1082).
* Add mutex type analysis and mutex API analysis (goblint/analyzer#800, goblint/analyzer#839, goblint/analyzer#1073).
* Add interval set domain and string literals domain (goblint/analyzer#901, goblint/analyzer#966, goblint/analyzer#994, goblint/analyzer#1048).
* Add affine equalities analysis (goblint/analyzer#592).
* Add use-after-free analysis (goblint/analyzer#1050, goblint/analyzer#1114).
* Add dead code elimination transformation (goblint/analyzer#850, goblint/analyzer#979).
* Add taint analysis for partial contexts (goblint/analyzer#553, goblint/analyzer#952).
* Add YAML witness validation via unassume (goblint/analyzer#796, goblint/analyzer#977, goblint/analyzer#1044, goblint/analyzer#1045, goblint/analyzer#1124).
* Add incremental analysis rename detection (goblint/analyzer#774, goblint/analyzer#777).
* Fix address sets unsoundness (goblint/analyzer#822, goblint/analyzer#967, goblint/analyzer#564, goblint/analyzer#1032, goblint/analyzer#998, goblint/analyzer#1031).
* Fix thread escape analysis unsoundness (goblint/analyzer#939, goblint/analyzer#984, goblint/analyzer#1074, goblint/analyzer#1078).
* Fix many incremental analysis issues (goblint/analyzer#627, goblint/analyzer#836, goblint/analyzer#835, goblint/analyzer#841, goblint/analyzer#932, goblint/analyzer#678, goblint/analyzer#942, goblint/analyzer#949, goblint/analyzer#950, goblint/analyzer#957, goblint/analyzer#955, goblint/analyzer#954, goblint/analyzer#960, goblint/analyzer#959, goblint/analyzer#1004, goblint/analyzer#558, goblint/analyzer#1010, goblint/analyzer#1091).
* Fix server mode for abstract debugging (goblint/analyzer#983, goblint/analyzer#990, goblint/analyzer#997, goblint/analyzer#1000, goblint/analyzer#1001, goblint/analyzer#1013, goblint/analyzer#1018, goblint/analyzer#1017, goblint/analyzer#1026, goblint/analyzer#1027).
* Add documentation for configuration JSON schema and OCaml API (goblint/analyzer#999, goblint/analyzer#1054, goblint/analyzer#1055, goblint/analyzer#1053).
* Add many library function specifications (goblint/analyzer#962, goblint/analyzer#996, goblint/analyzer#1028, goblint/analyzer#1079, goblint/analyzer#1121, goblint/analyzer#1135, goblint/analyzer#1138).
* Add OCaml 5.0 support (goblint/analyzer#1003, goblint/analyzer#945, goblint/analyzer#1162).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
feature performance Analysis time, memory usage precision sv-comp SV-COMP (analyses, results), witnesses
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants