-
Notifications
You must be signed in to change notification settings - Fork 72
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Hoare powerset domain widening doesn't guarantee ascending chain condition and more #101
Comments
Yes, that's why it's called PO, but I agree the naming is very confusing since it's more than a partial order. Exceptions seemed the easiest way to implement it. The better alternative was some abstract compare (instead of a analyzer/src/domains/lattice.ml Line 8 in 08316c5
|
Over time I've edited the issue and collected more domains that duplicate the Hoare ordering and operations to varying extents. I've been thinking hard about what a good (and not any less efficient) generalization of them would be. Below is just a long dump of things that I've realized. It might not be legible to anyone but me though...
|
I got thinking about these things again to try to figure out the right generalization that captures both
|
Yes, but this on purpose here! |
Well, that depends on what the purpose exactly is. It would be equally reasonable to make it truly Hoare and keep them apart. This wouldn't be a problem for indexing loops because widening of addresses delegates to the offsets and does, e.g. interval, widening in there. Just like the index variable itself. |
Having implemented general "Hoare" domains with pairwise and projected (e.g. by
This logic is implemented here: Lines 121 to 132 in 8d539ec
This lack of proper partitioning structure is probably another reason for #803, which reveals that some operations of This actually means that other |
How about we consider values derived from the same |
The case I described can be fixed by joining anything (including a must not zero index) with In order to make all offsets of a The current separation tries to avoid those problems by keeping such offsets separate. It's also a matter of precision since currently the "partitions" of joined elements are smaller than just per |
"Generation of Violation Witnesses by Under-Approximating Abstract Interpretation" also contains some improved powerset widening. |
Links
In my attempt to understand the Hoare powerset domain (
SetDomain.Hoare
) used for path-sensitivity I happened upon the following:Issue
Our current widening is implemented as follows:
analyzer/src/domains/setDomain.ml
Lines 623 to 628 in 08316c5
This corresponds exactly to Definition 7 from the latter paper. However, it is only called an "extrapolation heuristics" and not "widening" because it doesn't guarantee the ascending chain condition. So we don't do true widening there.
Possible fix
The same paper also presents three different generic proper widening operators for such a domain using the inner domain's widening. Implementing any of them might not be straightforward though because they all require some kind of additional operator.
Merging in Hoare domains
The paper also discusses merging of elements in a Hoare set. Therefore such notion seems closely related but Goblint has multiple different Hoare powerset domains with quite different characteristics:
PathSensitive2
) domain is defined throughSetDomain.Hoare
with additional joining of elements wrapped around injoin_reduce
throughshould_join
s from innerSpec
s.AddressSet
domain is defined throughSetDomain.HoarePO
but the partitioning of elements into joined sets is deeply encoded intoHoarePO
through questionable means. It assumes the inner domain's operators (e.g.join
) only act on elements which should be joined and raiseLattice.Incomparable
on anything else. From what I understand, this just encodes ashould_join
-like query through exceptions while making no sense as a lattice (two elements can always be joined).PartitionDomain.Set
andPartitionDomain.Make
also use Hoare ordering and seem to use a specialcollapse
function to do joining. This ends up in region analysis domain.PartitionDomain.SetSet
seems to largely duplicate the behavior of the above partition domains although doesn't explicitly contain a merging function (or it is implicit). This ends up in vareq analysis domain.SetDomain.SensitiveConf
is some old and unused path-sensitivity domain that also uses Hoare ordering.PathSensitive2
was directly implemented as a Hoare-like domain before 5f5d8f8.If the
should_join
-like operator is passed to a hoare powerset domain functor and the merging of elements by equivalence is moved to a single place, a single implementation should do. It would remove the need for exception-based control flow hacks while allowing an optimized bucket-based Hoare domain implementation to still be used.The text was updated successfully, but these errors were encountered: