Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SV-COMP: Add overrides for more __VERIFIER_nondet_* functions #842

Open
7 of 12 tasks
RyanGlScott opened this issue Sep 7, 2021 · 3 comments
Open
7 of 12 tasks

SV-COMP: Add overrides for more __VERIFIER_nondet_* functions #842

RyanGlScott opened this issue Sep 7, 2021 · 3 comments
Labels
crux llvm SV-COMP Issues related to making crux eligible to participate in SV-COMP.

Comments

@RyanGlScott
Copy link
Contributor

RyanGlScott commented Sep 7, 2021
edited
Loading

Currently, crux-llvm has overrides for the following SV-COMP–related __VERIFIER_nondet_* functions:

crucible/crux-llvm/src/Crux/LLVM/Overrides.hs

Lines 249 to 296 in c96a404

svCompOverrides ::
(IsSymInterface sym, HasLLVMAnn sym, HasPtrWidth wptr) =>
[OverrideTemplate (personality sym) sym arch rtp l a]
svCompOverrides =
[ basic_llvm_override $
[llvmOvr| size_t @__VERIFIER_nondet_ulong() |]
(sv_comp_fresh_bits ?ptrWidth)
, basic_llvm_override $
[llvmOvr| size_t @__VERIFIER_nondet_long() |]
(sv_comp_fresh_bits ?ptrWidth)
, basic_llvm_override $
[llvmOvr| i32 @__VERIFIER_nondet_uint() |]
(sv_comp_fresh_bits (knownNat @32))
, basic_llvm_override $
[llvmOvr| i32 @__VERIFIER_nondet_int() |]
(sv_comp_fresh_bits (knownNat @32))
, basic_llvm_override $
[llvmOvr| i16 @__VERIFIER_nondet_ushort() |]
(sv_comp_fresh_bits (knownNat @16))
, basic_llvm_override $
[llvmOvr| i16 @__VERIFIER_nondet_short() |]
(sv_comp_fresh_bits (knownNat @16))
, basic_llvm_override $
[llvmOvr| i8 @__VERIFIER_nondet_uchar() |]
(sv_comp_fresh_bits (knownNat @8))
, basic_llvm_override $
[llvmOvr| i8 @__VERIFIER_nondet_char() |]
(sv_comp_fresh_bits (knownNat @8))
, basic_llvm_override $
[llvmOvr| i1 @__VERIFIER_nondet_bool() |]
(sv_comp_fresh_bits (knownNat @1))
, basic_llvm_override $
[llvmOvr| float @__VERIFIER_nondet_float() |]
(sv_comp_fresh_float SingleFloatRepr)
, basic_llvm_override $
[llvmOvr| double @__VERIFIER_nondet_double() |]
(sv_comp_fresh_float DoubleFloatRepr)
]

This doesn't cover everything, however. Per the 2021 SV-COMP rules:

__VERIFIER_nondet_X(): In order to model nondeterministic values, the following functions can be assumed to return an arbitrary value of the indicated type: __VERIFIER_nondet_X() (and nondet_X(), deprecated) with X in {bool, char, int, float, double, loff_t, long, pchar, pthread_t, sector_t, short, size_t, u32, uchar, uint, ulong, unsigned, ushort} (no side effects, pointer for void *, etc.). The verification tool can assume that the functions are implemented according to the following template:
X __VERIFIER_nondet_X() { X val; return val; }

By my count, crux-llvm is missing overrides for the following __VERIFIER_nondet_* variants:

  • loff_t
  • pchar
  • pthread_t
  • sector_t
  • size_t
  • u32
  • unsigned

I'm unclear if all of these are actually used in SV-COMP in practice, but I have spotted a subset of these in the wild:

In addition to the ones above, I have spotted a number of __VERIFIER_nondet_* variants that aren't specified in the rules:

I'm unclear if we should add support for these right away, as their inclusion in SV-COMP could arguably be considered a bug. I've submitted https://gitlab.com/sosy-lab/benchmarking/sv-benchmarks/-/issues/1304 in an attempt to clarify the situation. EDIT: See #842 (comment).
@RyanGlScott RyanGlScott added llvm crux SV-COMP Issues related to making crux eligible to participate in SV-COMP. labels Sep 7, 2021
@robdockins
Copy link
Contributor

Many of those seem uncomplicated.

The intended semantics of __VERIFIER_nondet_pchar seem pretty mysterious to me. Should the resulting pointer be valid? Should it point to allocated memory? How much? etc.

Not sure it makes sense for us to support pthread_t at this point, since we don't support any pthread overrides. Probably similar for sector_t, although I don't know exactly what API that goes with.

@RyanGlScott
Copy link
Contributor Author

For what it's worth, many of these functions are only used in a small number of programs:

$ git grep -nl "__VERIFIER_nondet_pchar" .
c/ddv-machzwd/ddv_machzwd_all.i
c/ddv-machzwd/ddv_machzwd_inb.i
c/ddv-machzwd/ddv_machzwd_inb_p.i
c/ddv-machzwd/ddv_machzwd_inl.i
c/ddv-machzwd/ddv_machzwd_inl_p.i
c/ddv-machzwd/ddv_machzwd_inw.i
c/ddv-machzwd/ddv_machzwd_inw_p.i
c/ddv-machzwd/ddv_machzwd_outb.i
c/ddv-machzwd/ddv_machzwd_outb_p.i
c/ddv-machzwd/ddv_machzwd_outl.i
c/ddv-machzwd/ddv_machzwd_outl_p.i
c/ddv-machzwd/ddv_machzwd_outw_p.i
c/ddv-machzwd/ddv_machzwd_pthread_mutex_unlock.i

$ git grep -nl "__VERIFIER_nondet_pthread_t" .
c/ddv-machzwd/ddv_machzwd_all.i
c/ddv-machzwd/ddv_machzwd_inb.i
c/ddv-machzwd/ddv_machzwd_inb_p.i
c/ddv-machzwd/ddv_machzwd_inl.i
c/ddv-machzwd/ddv_machzwd_inl_p.i
c/ddv-machzwd/ddv_machzwd_inw.i
c/ddv-machzwd/ddv_machzwd_inw_p.i
c/ddv-machzwd/ddv_machzwd_outb.i
c/ddv-machzwd/ddv_machzwd_outb_p.i
c/ddv-machzwd/ddv_machzwd_outl.i
c/ddv-machzwd/ddv_machzwd_outl_p.i
c/ddv-machzwd/ddv_machzwd_outw_p.i
c/ddv-machzwd/ddv_machzwd_pthread_mutex_unlock.i

$ git grep -nl "__VERIFIER_nondet_sector_t" .
c/ddv-machzwd/ddv_machzwd_all.i
c/ddv-machzwd/ddv_machzwd_inb.i
c/ddv-machzwd/ddv_machzwd_inb_p.i
c/ddv-machzwd/ddv_machzwd_inl.i
c/ddv-machzwd/ddv_machzwd_inl_p.i
c/ddv-machzwd/ddv_machzwd_inw.i
c/ddv-machzwd/ddv_machzwd_inw_p.i
c/ddv-machzwd/ddv_machzwd_outb.i
c/ddv-machzwd/ddv_machzwd_outb_p.i
c/ddv-machzwd/ddv_machzwd_outl.i
c/ddv-machzwd/ddv_machzwd_outl_p.i
c/ddv-machzwd/ddv_machzwd_outw_p.i
c/ddv-machzwd/ddv_machzwd_pthread_mutex_unlock.i

As a result, the answers to questions like "what are the intended semantics?" may very well be "whatever makes the programs in c/ddv-machzwd work". That being said, I think I agree that we should hold off on some of the weirder ones like pthread_t.

@RyanGlScott
Copy link
Contributor Author

RyanGlScott commented Sep 20, 2021
edited
Loading

https://gitlab.com/sosy-lab/benchmarking/sv-benchmarks/-/issues/1304#note_693280508 clarifies that the omission of the longlong, u8 and u16 variants of __VERIFIER_nondet_* from the SV-COMP rules is an oversight, and that uses of __VERIFIER_nondet_charp in the benchmarks should eventually be removed due to its unclear semantics.

RyanGlScott added a commit that referenced this issue Sep 20, 2021
@RyanGlScott
crux-llvm: Add some missing __VERIFIER_nondet_* overrides
b6c1881 
This adds `crux-llvm` overrides for the `u8`, `u16`, `u32`,
`unsigned`, `size_t`, `loff_t`, and `longlong` variants of
`__VERIFIER_nondet_*`.

This checks off several boxes in #842.
@RyanGlScott RyanGlScott mentioned this issue Sep 20, 2021
Merged
@RyanGlScott RyanGlScott mentioned this issue Dec 10, 2021
Open
33 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
crux llvm SV-COMP Issues related to making crux eligible to participate in SV-COMP.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@RyanGlScott @robdockins