Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

UB not tracked data-flow-wise #64

Closed
LebedevRI opened this issue Jun 9, 2019 · 7 comments
Closed

UB not tracked data-flow-wise #64

LebedevRI opened this issue Jun 9, 2019 · 7 comments
Assignees
@nunoplopes

Comments

@LebedevRI
Copy link
Contributor

LebedevRI commented Jun 9, 2019
edited 

$ ./third_party/alive2/build/alive /tmp/test.opt 
Processing /tmp/test.opt..

----------------------------------------
Name: undef
  %r = udiv i8 %x, 0
=>
  %r = i8 undef

ERROR: Value mismatch for i8 %r

Example:
i8 %x = undef
Source value: #x00 (0)
Target value: #xff (255, -1)
@LebedevRI
Copy link
Contributor Author

Still happens with master.

@nunoplopes nunoplopes self-assigned this Jun 9, 2019
@nunoplopes
Copy link
Member

The root cause of this is that we don't track UB in the data-flow, only in control-flow. This is fine for translation validation, but not sufficient for standalone alive.
With -root-only it verifies just fine, just not with the default per-register verification.

@nunoplopes nunoplopes changed the title 'undef' not lexed properly? UB not tracked data-flow-wise Jun 9, 2019
@nunoplopes nunoplopes mentioned this issue Oct 6, 2019
Closed
@regehr
Copy link
Contributor

regehr commented Feb 21, 2020

would it be bad to change the default to root-only, and make the other thing available as an option?

@nunoplopes nunoplopes mentioned this issue Mar 19, 2020
Closed
@aqjune
Copy link
Member

aqjune commented May 13, 2020

I find that better UB printing will be very helpful for correctly understanding counter examples; when an input program is too large, what I can do is to just guess which operation raised UB from the values of registers...
How costly will it be if we start to write a code for supporting this? What I immediately see is that there is no explicit mapping from instruction to its UB, which is needed to print the info.

@nunoplopes
Copy link
Member

I don't know what the overhead would be; didn't try it out.
An alternative to store this information is to repeat symbolic execution when printing a counterexample. Instead of assuming that all functions/optimizations are wrong, we just pay a small price when they are.
The bigger challenge is how to handle undefs. That's the biggest complication.

@aqjune
Copy link
Member

aqjune commented May 14, 2020

If it is related with creation of a unique variable name, would it be helpful if the creation is done by alive2 rather than by Z3_mk_fresh_const?
But one concern that I have is that sometimes vcgen takes pretty long time, and printing counter examples will again take a time because it runs symbolic execution again.
For experiment, we have --succinct flag, so the cost can be hidden.

@nunoplopes
Copy link
Member

True, vcgen can take some time. The cost is basically track another expression per statement. Instead of just value & poison, we would need store UB as well.
I would wait a bit until we merge @kevindevos' patch, since this work conflicts with his.

@aqjune aqjune mentioned this issue Aug 20, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@nunoplopes nunoplopes

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@LebedevRI @regehr @nunoplopes @aqjune