Fix EvalAssert transformation to work on coreutil programs #855
Conversation
…ile. Some asserts may contain function identifiers (e.g. to express the value of a function pointer). Inserting the declarations before the function definitions ensures that the asserts can reference the function identifiers.
I didn't check, but this sounds a lot like something I fixed in #796: 73df4ca. If that's the right thing, then you can just cherry pick it. |
…ed-to type is void. If some block has void-type in our abstract domain, we cannot produce meaningful invariants, because we cannot insert the necessary casts easily. To generate invariants even for these casees, one may try to determine the type to cast to by looking at the abstract value more closely.
I needed to additionally add a check whether the pointed to abstract block has type |
…on declarations directly after last type definition.
|
I tested this with However, the executable one obtains crashes with a failed assertion: |
The code is this: #line 605
tmp = malloc(sizeof(*table___0));
#line 605
table___0 = (Hash_table *)tmp;
#line 606
if ((unsigned long )table___0 == (unsigned long )((void *)0)) {
#line 607
return ((Hash_table *)((void *)0));
}
#line 609
if (! tuning) {
#line 610
tuning = & default_tuning;
}and the I think the issue is due to flow-insensitivity of the global alloc variable, which initially has all bot fields, but then gets |
Yes, indeed, we came to the same conclusion on the Munich side with @michael-schwarz. For the general case, involving possible multithreading, one would have to perform a Since at least |
|
Looking at this with @michael-schwarz and Helmut, we found that performing a context-insensitive analysis and not generating asserts for blobs gets rid of the asserts that fail during some simple executions of |
…Assert transformation." This reverts commit 12a7da9.
|
Something else comes to mind here: Do we need to submit Goblint as a validator as well in order to benefit from us being able to solve such huge tasks in sv-comp? Otherwise our ability to reverify these will not benefit us when it comes to points. |
|
That's a good point, but it's too late to do anything about it for this year. We don't have legitimate witness validation support ready (and nor are YAML witnesses as a whole). We can't just use Goblint as a validator, which completely ignores any witness and solves from scratch, because it constitutes as blatant cheating: we would self-confirm all our own witnesses without actually confirming anything. CPAchecker and Ultimate have well-defined and -documented invariant generation subsystems that they disable for validation purposes, we don't. And this is supported by the fact that they have unconfirmed witnesses. We should just focus on getting these benchmarks fixed and merged first. The plan is to publish a non-SV-COMP-tool-paper on a proper approach to witness validation with Goblint and bring that to SV-COMP legitimately, like it was done with the existing GraphML witnesses. |
File moved to bench/scripts/generate_asserts_coreutils.py
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
|
There are still three issues in the generated code that required manual fixing:
|
The
EvalAsserttransformation is currently not able to produce C-output for thebench/coreutilprograms, caused by several problems.Todo:
Fix generation of asserts about pointers to malloced-memory. With malloced memory, there are (Avoid generating invariants for pointers to abstract values of typetmp-)variables of typevoid*that point to it. The assertions that are currently generated for these variables are not type correct, e.g. because a field offset is applied to a de-referenced void-pointer.TVoidfor now.cp_comb.c:extent-scan.c:107:18: error: ‘struct fiemap’ has no member named ‘f’. Fix generation of invariants for unions.Testing this branch on
bench/coreutilprogramsRun
goblinton the selected input file, e.g.cp_comb.cThis will generate a
transformed.c. One can check whether this compiles as follows: