-
Notifications
You must be signed in to change notification settings - Fork 42
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Incorrect counterexample in crux-llvm
#587
Comments
Interesting that the verification seems to be doing the right thing. Tweaking the bound up to 5 causes the verification to succeed, which is what I expect from a brief examination of the code. Changing the solver doesn't seem to make any difference. Changing the path strategy to DFS generates other counterexample reports that are also wrong. It seems like there is something strange going on with the counterexample generation or rendering. |
I think what's happening here is that the order of calls to |
Hypothesis: because of the |
Thinking about this some more, I think the correct way to handle this issue is to add an "in universe" event log where we can record events like the creation of fresh symbolic variables. This log will branch and merge in a similar way to how the write log for symbolic memory does. When counterexamples are found, we can concretize and linearize this log (similar to how we do for memory logs), which will give an appropriate sequence of values for replay in a concrete run. |
Update: PR #759 implements a new symbolic sequence type that I intend to use for event tracking. My plan was to have Crux add a new crucible global variable containing log event values of interest to crux. However, I now realize that these event logs actually need to be attached to proof obligations as assertions get made, so we properly capture the state of the log when assertions occur. This means they need to be incorporated somehow into the interface for I'm going to scratch my head a bit about how to deal with this. I'm really reluctant to make this code depend on more type variables or such because the |
If each proof obligation is assigned a unique ID, and if the client (crux-llvm, if I understand the proposed solution) maintains a mapping from obligations to logs, would that solve the issue? |
Kind of. That's pretty much what we are doing now for the "Bad behavior map" in crucible-llvm. The problem here is that this arises on a different axis of parameterization. The LLVM bad behaviors map is a language-specific mapping, and all the places where we make an assertion relevant to LLVM, This is basically why I opened #763. |
#759 doesn't actually fix this issue |
Worth noting with this issue: to reproduce with LLVM 11, I have to compile with |
Given
test.c
:Running
crux-llvm test.c
produces a counter example file whose contents include:However this is not a valid counter-example, as executing the program with this input results in returning from
main
before hitting the assertion. Instead, the counterexample should have the value0x2
as the third entry:The text was updated successfully, but these errors were encountered: