Peter Schrammel peterschrammel www.schrammel.it

blexim/synth 12

Program synthesis

peterschrammel/cbmc 5

C Bounded Model Checker

Charliemowood/cbmc 0

C Bounded Model Checker

cyrille-artho/sv-benchmarks 0

Collection of Verification Tasks

diffblue/BlueCov 0

A tool for instrumenting Java bytecode based on properties defined by JBMC

Diffblue-benchmarks/MiniSat-C 0

C version of MiniSAT solver

marek-trtik/cbmc 0

C Bounded Model Checker

nsv2020/nsv2020.github.io 0

Numerical Software Verification Workshop 2020

push event diffblue/2ls

Viktor Malik, commit deceb8236513398b6822d348e5cb608ecc520692:
Update CBMC prerequisites

Viktor Malik, commit 63188110008c2f30e4a6f495a8b86bf074256a83:
Fix dynobj_instance_analysis

The merge function needs to set has_values to unknown, otherwise the analysis fails to run.

Viktor Malik, commit eff6f0fc01cc22338472fa8363f730dd35b50ec8:
Workaround problem with GOTO targets

If a single SKIP instruction is a target of both a forward and a backward GOTO, a malformed SSA is generated. This commit introduces a workaround that splits such GOTOs into two and redirects all backwards GOTOs to the second SKIP. This changes an SSA index in one test.

Viktor Malik, commit c88cdd7ce482b436af241bbfa0b3806f0db7a03d:
SSA: drop conditional update of dynamic objects

When assigning into a dereference, we allowed not to update the pointed dynamic object to simulate the fact that the dynamic object may be abstract (i.e. it may represent more concrete objects). This shouldn't be necessary anymore since we're using dynamic object instances, which should ensure soundness.

František Nečas, commit 090c38de243d79730b89ae2e264227fc7d52aa79:
Correctly add allocation guards

In new CBMC, there is a case-split in the malloc function implementation for detecting malloc failures. This however resulted in SSA not being constructed correctly, since it expected the last definition of a symbol to be its allocation and not a phi node.

Signed-off-by: František Nečas <frantisek.necas@protonmail.com>

Viktor Malik, commit bc5b1daab7f84691a0b70da1e1a0734facccadfa:
Heap: improve obtaining pointed object from solver

If the solver returns &(X.field) where field has offset 0, this is equivalent to &X. This commit handles the above situation in the heap domain so that the points-to relation to X is properly established in the domain value.

Viktor Malik, commit 646ac5d568467b5b7ba408519535365842d7a6dd:
Fix collection of free::record vars

These are non-deterministic boolean variables used to control assignment to CPROVER-specific values during free. They used to be declared-only, now they are explicitly assigned a nondet value, which broke our code that searched for declarations only. Fixing this problem re-enables two true memsafety regression tests.

Viktor Malik, commit 25f05f59cfb22d096f91f6e38f81725d843ed0e0:
malloc: fix getting malloc size

After the rebase to new CBMC, constant propagation does not work in some cases. This is a problem for our malloc handling as we require to see:

    malloc_size = sizeof(...)

This commit fixes the problem by recursively searching for the malloc size expression to handle cases like:

    size = sizeof(...)
    malloc_size = size

Also adds a regression test for this case.

Viktor Malik, commit 5a63242daebf183628d6433de938de7b9b17e6de:
Fix assert to limit array size

CBMC has changed the representation of numerical values in constant_expr (at least for array sizes) - instead of base 2, it now uses base 16. We have to fix this in our assertion that limits the size of arrays in competition mode due to solver unsoundness that appears for arrays of size >=50000.

Viktor Malik, commit 2c45caf7fe97089447b7dac5f246a84266a11627:
Disable unsupported operations in competition mode

For now, we disable memcpy as it is implemented via a CBMC built-in operation that we do not support in 2LS, yet.

František Nečas, commit 11606bc50aad795880fdf19a935190416e4977e9:
Configure gcc preprocessing to fix linking

Signed-off-by: František Nečas <frantisek.necas@protonmail.com>

František Nečas, commit 12cc730f96b5f7d6e8ea08d48ff4f043b89a3aa4:
Correctly guard hoisted assertions

If there are multiple loops in the program, the assertions after the loops are reachable only if both of the loops exit their execution. Previously, exiting the first loop was sufficient due to the disjunction making the analysis unsound (producing incorrect true results in some cases, including SV-comp benchmarks).

Signed-off-by: František Nečas <frantisek.necas@protonmail.com>

František Nečas, commit 3f21ab96bc1aef8d0d4de1c297f40f558ecddc83:
Fix workaround for signed shl

The format of the guard changed making the hack not work and causing incorrect true results in bitvector category in SV-comp due to the hoisted assertion being added. Fix this hack.

Signed-off-by: František Nečas <frantisek.necas@protonmail.com>

Viktor Malik, commit 9071c907f25b032d747c71b1320c8918e6238c3e:
Propagate #concrete for byte-array dynamic objs

Byte arrays are produced when malloc(N) is used where N is an integer and not a sizeof operator. We still need to propagate the '#concrete' flag to make the memsafety analysis sound.

Peter Schrammel, commit aebe21086ad045859b34e76b24e809b7c9e51030:
Merge pull request #157 from viktormalik/svcomp22-fixes

SV-COMP fixes

push time in a day

PR merged in diffblue/2ls

SV-COMP fixes

This implements fixes for problems mostly created during the recent CBMC rebase that were revealed in SV-COMP runs.

These are in particular:

  • Fix of dynobj_instance_analysis, which caused dynamic objects never to be split into multiple instances. This, however, broke heap regression tests.
  • Fix usage of allocation guards w.r.t. new malloc implementation in CBMC that makes the regression tests work again.
  • Fix collection of record::free vars w.r.t. new free implementation.
  • Drop conditional update of dynamic objects which caused some false positive results (due to over-approximation) and which shouldn't be necessary since we use dynamic object instances (that should guarantee soundness).
  • Improve resolution of pointed-to objects obtained from the solver in heap domain.
  • Workaround for an SSA creation bug that occurs when a single SKIP instruction is a target of both a forward and a backward GOTO.
  • ... and some more (see individual commits)

Besides that, CBMC prerequisite is updated to the newest version (may require rebase once peterschrammel/cbmc#27 is merged).

+300 -141

1 comment

18 changed files

viktormalik

pr closed time in a day


issue comment on diffblue/cbmc

"--cover and --unwinding-assertions must not be given together"

I don't see any apparent reason why --unwinding-assertions couldn't be handled when running with --cover. However, one needs to be careful when integrating it into a loop that automatically increments --unwind as the reporting is different with --cover due to the reversed semantics of assertions. As @martin-cs explained, hitting a coverage goal means failing an assertion, which is something good.

tedinski

comment created time in 2 days

push event peterschrammel/cbmc

František Nečas, commit bce1feabb7db46a7ddeac01644959b3b95a550c4:
Revert "Witnesses: add the 'creationtime' attribute"

This reverts commit 40046b2c64e410b08900baaae92f4a3f014f194b. A commit achieving the same thing is already present in CBMC causing duplication of the attribute.

František Nečas, commit 8f5c6ef61b9214caa5d7da42929c912e44b59392:
Correctly consider inlining when searching abort

If inlining is performed, the function_identifier parameter will always be __CPROVER_start. However, the former function is still stored in the goto instruction and can be used for the instrumentation.

Signed-off-by: František Nečas <frantisek.necas@protonmail.com>

František Nečas, commit 36c8f773dd0428d2fbcd735fc10cd17cf1798d70:
Do not ignore edges if cond is true

This was previously commented out but was dropped in the rebase by accident (the code was moved and merge conflict not correctly resolved). This is necessary for some nontermination witnesses to function correctly.

Signed-off-by: František Nečas <frantisek.necas@protonmail.com>

Peter Schrammel, commit ddf6447b6e1e14e3ed9a564682d174d1a9aa5926:
Merge pull request #27 from FrNecas/frnecas-svcomp-fixes

SV-COMP 22 fixes

push time in 4 days

PR merged in peterschrammel/cbmc

SV-COMP 22 fixes

@peterschrammel this is a fix for SVcomp, the same change that we had in our fork was applied in the develop branch ( see https://github.com/diffblue/cbmc/pull/5660 ) so it is no longer necessary. Reverting for now, we can drop these commits if we later rebase to a newer version.

+9 -13

5 comments

3 changed files

FrNecas

pr closed time in 4 days

issue comment on diffblue/cbmc

JBMC with Kotlin.

@jkbbwr, JBMC has several options to control how to deal with exceptions. It treats explicitly thrown exceptions differently from runtime exceptions. That's admittedly quite confusing, and primarily has performance reasons. By default, it just asserts on runtime exceptions at the place where they are thrown, whereas explicitly thrown exceptions are propagated as you'd expect and JBMC asserts that there is no uncaught exception, i.e. an exception that escapes the entry point method. To make runtime exceptions propagate, use --throw-runtime-exceptions.

Further options are:

 --disable-uncaught-exception-check
                              ignore uncaught exceptions and errors
 --throw-assertion-error      throw java.lang.AssertionError on violated
                              assert statements instead of failing
                              at the location of the assert statement
 --throw-runtime-exceptions   make implicit runtime exceptions explicit
 --assert-no-exceptions-thrown
                              transform `throw` instructions into `assert FALSE`
                              followed by `assume FALSE`.
jkbbwr

comment created time in 5 days
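The two exception paths described in the reply above, as an added example that is not part of the cbmc issue thread or of the JBMC code base. The class pairs a runtime exception (a NullPointerException from dereferencing a null String, which a local catch would handle) with an explicitly thrown exception that escapes the entry point, plus a Java-level assert. The jbmc invocations in the comments, the use of --function to make the entry point's parameters nondeterministic, and the verdicts each option is expected to produce are assumptions derived from the option descriptions quoted above, not results checked here.

```java
// Added example, not code from the cbmc issue thread or from JBMC itself.
// Each method exercises one of the exception behaviours the JBMC options control.
public class ExceptionDemo {

    // Runtime-exception path. Dereferencing a null String throws
    // NullPointerException implicitly. Per the reply above, JBMC by default
    // asserts at the throw site (s.length()), so the method is reported as
    // failing for s == null even though the catch block would handle it.
    // With --throw-runtime-exceptions the NPE is propagated like an explicit
    // throw, the catch block is exercised, and nothing escapes.
    // Assumed invocations (parameters nondeterministic via --function):
    //   jbmc ExceptionDemo --function ExceptionDemo.lengthOrDefault
    //   jbmc ExceptionDemo --function ExceptionDemo.lengthOrDefault \
    //        --throw-runtime-exceptions
    public static int lengthOrDefault(String s) {
        try {
            return s.length();
        } catch (NullPointerException e) {
            return -1;
        }
    }

    // Explicit-throw path. The exception is propagated as usual; for v <= 0
    // it escapes the entry point and JBMC's uncaught-exception check reports
    // it. --disable-uncaught-exception-check silences that report, and
    // --assert-no-exceptions-thrown turns the throw itself into
    // "assert FALSE; assume FALSE", i.e. a reachability check on the throw.
    //   jbmc ExceptionDemo --function ExceptionDemo.requirePositive
    public static int requirePositive(int v) {
        if (v <= 0) {
            throw new IllegalArgumentException("expected a positive value, got " + v);
        }
        return v;
    }

    // Java-level assert. JBMC fails at this statement by default; with
    // --throw-assertion-error it throws java.lang.AssertionError instead,
    // which then follows the explicit-throw path above.
    //   jbmc ExceptionDemo --function ExceptionDemo.halve --throw-assertion-error
    public static int halve(int v) {
        assert v % 2 == 0 : "odd input";
        return v / 2;
    }

    // Plain JVM run (java ExceptionDemo): the NPE on the null argument is
    // caught locally, while the final call throws IllegalArgumentException
    // out of main, mirroring the "uncaught exception" case JBMC checks for.
    public static void main(String[] args) {
        System.out.println(lengthOrDefault("abc"));
        System.out.println(lengthOrDefault(null));
        System.out.println(requirePositive(3));
        System.out.println(requirePositive(0));
    }
}
```

The practical point for a Kotlin caller is the first method: Kotlin's null-safety operators compile down to the same implicit NullPointerException checks, so a harness that relies on catching them needs --throw-runtime-exceptions before JBMC models the catch at all.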


push event peterschrammel/cbmc

Peter Schrammel, commit 31316a2776065f76c36a83e2dfda66901d828b60:
Fix compilation errors

Peter Schrammel, commit 1f8fe6730857e442722ffa9ecde62f050b8084fc:
Add errno test

Peter Schrammel, commit 671326d74e850ff2d1554c042c924d65de4d5fe5:
Fix nondet_initializer

Peter Schrammel, commit 6c4f074136e7f5e9c73d6903b27a1b6ff6298a3a:
Use INITIALIZE_FUNCTION constant

Peter Schrammel, commit 04c78b243ad51a3a155890b1a8b55fddff3132dd:
Initialize static variables from library

Peter Schrammel, commit 8ae93ec1ae9a33ea99545e7ef9d53bf60a899234:
Shadow __CPROVER_errno

Peter Schrammel, commit 1312d581c1ee6bc9f17490add4e04c055a649b96:
Set malloc_may_fail through symbol table

push time in 22 days

push event peterschrammel/cbmc

Peter Schrammel, commit 0a48b9f8c99a8c782ab2ce7f3d6d22f2bca9d446:
fixup-add

Peter Schrammel, commit 2350425919034de1905891b7d237b97a294dc4ac:
Shadow __CPROVER_errno

Peter Schrammel, commit 909c6e74ba60384a1d3b71c934f93f5ec46d22d1:
[debug]

push time in 22 days

push event peterschrammel/cbmc

Michael Tautschnig, commit abad5560c1b76004969999a9216f491e2f6ca130:
Fix GCC-builtin fetcher to work with current GCC

GCC has moved from Subversion to Git, and the files providing definitions of built-ins have changed.

Michael Tautschnig, commit 4e05bc13129ddd950e6a211c56581544edc50846:
Do not clang-format builtin headers

We want each declaration to be on a single line to simplify automatic manipulation, e.g., using get-gcc-builtins.sh.

Michael Tautschnig, commit 219bce55d2b1665bc6df68265a7af09d467662b8:
Update GCC builtin declarations

These builtins match GCC revision 425afe1f0c907.

Daniel Kroening, commit 4692ac1a62e742420241058bd7369cb24e2c1963:
remove goto_check_javat::bounds_check_bit_count

The Java front-end does not offer a bit count operator, and thus, this check is redundant.

Daniel Kroening, commit abb988945bbb01bfc78e2079add28b3906dcddea:
goto_check_javat::undefined_shift_check

Shifts in Java have defined semantics for any combination of values; thus, this check is redundant.

Daniel Kroening, commit fc7da69f76a8be0e0c426e6bb5a10b6936b328ef:
goto_check_javat: remove guard

The Java front-end processes Java bytecode, which uses control flow to guard the evaluation of expressions.

Michael Tautschnig, commit 249bee173a8b755e76c0bb427b2fbab1c7fe8c41:
Fix typing of __builtin_ia32_{pand,pandn,por,pxor}

Although https://gcc.gnu.org/onlinedocs/gcc/x86-Built-in-Functions.html claims the types are di (long long), the actual uses in mmintrin.h are 1-element vectors in GCC, and Clang's BuiltinsX86.def confirms this.

Fixes: #6470

Michael Tautschnig, commit 4ae9bde15fd0e3422e64787e20b4580063b5bc3d:
Merge pull request #6503 from diffblue/cleanup_goto_check_java

Cleanup goto check java

Michael Tautschnig, commit be35b6c782ece1ecbd5c991a0124fe00f7cd0682:
Make pointer-primitive-check a no-op when behaviour is always defined

pointer_object, pointer_offset have well-defined behaviour even when the input is an unconstrained pointer: the result is equally unconstrained. Regression tests are updated to reflect the reduced number of checks generated by --pointer-primitive-check. Note that the patterns in pointer-primitive-check-03 never were effective as they were placed in the patterns-not-to-seen section of test.desc while also missing proper parenthesis escaping (making the patterns trivially non-matching).

Fixes: #6238

Daniel Kroening, commit 48bfd20e9267790e96cc967d0e108859a49100c7:
Merge pull request #5918 from tautschnig/update-gcc-builtins

Update GCC builtin declarations

Daniel Kroening, commit 21a6267d3511d041bbcbb3c261022a44f6aa2c8b:
move goto_check_java.h/.cpp to the Java frontend

This code is specific to the Java frontend, and this commit moves it there.

Daniel Kroening, commit fdc7ba50a0939aeca1356040633872a0be80f4e8:
Merge pull request #6507 from diffblue/move_goto_check_java

move goto_check_java.h/.cpp to the Java frontend

Michael Tautschnig, commit d984199b927037b2599dbb0eca46f399885aa449:
__CPROVER_llabs returns a long long

Fixes the declaration in builtin_headers.h. Type checking actually ignored this declaration and would always generate the expression of the correct type.

Michael Tautschnig, commit 1a355b678a4b01173c3e0f306a6bbdac7d755c1f:
C library: make all branches of sqrt{,f,l} explicitly return

Makes GCC happier when doing library validation. Our C front-end would implicitly generate nondet return values of the correct type, so this does not actually change any verification behaviour.

Michael Tautschnig, commit 25a71fcf38000255d54c7420881b6defd31397ab:
C library/fread: use __VERIFIER_nondet_char

The uninitialised local variable can trip up GCC's validation. Use a __VERIFIER_nondet_ function as is already done elsewhere.

Michael Tautschnig, commit 28ae1a4ffe023a8070df08ce726be54831296b00:
C library: add __builtin_unreachable to functions that do not return

These calls are wrapped in #ifdef LIBRARY_CHECK and exist for the sole purpose of making library_check.sh not warn about `noreturn` functions seemingly returning.

Michael Tautschnig, commit 52958450aafde6732d8afb8d509f937956f97dad:
C library check: use cprover_builtin_library.h

library/cprover.h exists for the sole purpose of syntax-checking the C library using the system's C compiler. The declarations in there, however, did not always match those of the authoritative cprover_builtin_library.h. To avoid this split-brain problem, just include cprover_builtin_library.h after providing a few declarations otherwise generated by ansi_c_internal_additions.cpp.

Michael Tautschnig, commit d0c403a11a938ece10a00e30c8688424e9c5cbd8:
Merge pull request #6490 from tautschnig/c-library-cleanup

C library header de-duplication

Michael Tautschnig, commit fd41b5e4da68f0c370e18e222e43ccbd5c96f2c2:
Rename assigns to assigns_clause

This is to prepare an upcoming change that will rename "modifies" to "assigns."

Michael Tautschnig, commit 84d272fe71b48b8ebe7174b711f7bde5dae54ad0:
goto-instrument: replace "modifies" by "assigns" terminology

All this code collects assignments rather than checking for genuine value changes (modifications).

Fixes: #6467

push time in 22 days


Pull request review comment on diffblue/cbmc

Consistently use exprt::is_constant()

 bool check_struct_structure(const struct_exprt &expr)     check_struct_structure(*sub_struct);   else if(!can_cast_expr<constant_exprt>(expr.op0()))     return false;-  if(-    expr.operands().size() > 1 &&-    std::any_of(-      ++expr.operands().begin(),-      expr.operands().end(),-      [&](const exprt &operand) { return operand.id() != ID_constant; }))-  {-    return false;-  }-  return true;++  return expr.operands().size() == 1 ||+         std::all_of(+           ++expr.operands().begin(),
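Review bot: the new `expr.operands().size() == 1 ||` short-circuit is load-bearing and deserves a comment. The removed `expr.operands().size() > 1 &&` guarded `++expr.operands().begin()` for both zero and one operand; the replacement only covers one, so a zero-operand struct would increment `begin()` past `end()`. That case is excluded solely because `expr.op0()` is already accessed two lines earlier, which is an implicit precondition a later refactor could lose. Since the hunk is cut off before the `all_of` predicate, also confirm its polarity was flipped together with `any_of` to `all_of` (it must now test `is_constant()`, not `id() != ID_constant`), and spell the offset as `std::next(expr.operands().begin())` so the intent is readable.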

⛏️ std::next(expr.operands().begin())

tautschnig

comment created time in a month


Pull request review comment on diffblue/cbmc

Switch Glucose download source to GitHub

 elseif("${sat_impl}" STREQUAL "glucose")     message(STATUS "Building solvers with glucose")      download_project(PROJ glucose-        URL http://www.labri.fr/perso/lsimon/downloads/softwares/glucose-syrup.tgz+        URL https://github.com/BrunoDutertre/glucose-syrup/archive/refs/heads/main.tar.gz         PATCH_COMMAND patch -p1 -i ${CBMC_SOURCE_DIR}/../scripts/glucose-syrup-patch         COMMAND cmake -E copy ${CBMC_SOURCE_DIR}/../scripts/glucose_CMakeLists.txt CMakeLists.txt-        URL_MD5 b6f040a6c28f011f3be994663338f548+        URL_MD5 89a5183dd9b9eb5296fd9fab2c968a50
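Review bot: `refs/heads/main` is a moving target, so the `URL_MD5` pin will break the build the moment the BrunoDutertre fork's default branch receives a commit; point the URL at a tag or commit archive (`.../archive/<tag-or-sha>.tar.gz`) so the checksum stays valid. While touching this line, replace `URL_MD5` with `URL_HASH SHA256=...`, which `ExternalProject` (and hence `download_project`) accepts; MD5 catches a truncated download but offers no collision resistance for an integrity check on third-party source pulled at build time. The move from plain HTTP to HTTPS is the right direction, but the hash, not the transport, is what authenticates the archive.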

My preference would be to fork the repo and manage our patches there. I don't think there's anything to upstream to the original repo in our patches, though. I think the discussion around not having network access in the build environment is not relevant - you already need network access to download minisat in the current setup. Unless this is a new requirement that we must satisfy I don't think subtree is a suitable option for that reason. I'm fine with submodules, but I think they are an overkill for our use case as glucose is optional and the interface of glucose is very stable - i.e. no need to tightly track upgrades. So, my feeling is that fetching the source zip from a fork is probably the most suitable and easiest solution.

tautschnig

comment created time in a month
