Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Future-proofing around issue 30 #310

Closed
msaaltink opened this issue Oct 2, 2018 · 2 comments
Closed

Future-proofing around issue 30 #310

msaaltink opened this issue Oct 2, 2018 · 2 comments
Labels
unsoundness Issues that can lead to unsoundness or false verification
Milestone
0.4

Comments

@msaaltink
Copy link
Contributor

While issue #30 is still open, some compositional proofs succeed even though they use overrides that are logically too weak. In particular, SAW appears to infer framing conditions (that is, variable not mentioned in the postcondition are assumed to be unchanged). Or so it seems from some experiments.

When issue #30 is fixed, then, existing proofs are likely to fail. I'd like to guard against that, so want to write postconditions that contain all the information they will need to. So if there is a plan in the works to address issue #30, does it answer the following:

  • Does SAW know that parameters marked const t * cannot be changed directly? Looking at the generated llvm bitcode, it is not clear to me whether that information is transferred from the C sources.

  • Similarly, does SAW know which global variables are constant, and which might change?

  • Will SAW continue to assume that any global not mentioned in a postcondition has not been modified?

  • Will using crucible_alloc_readonly add a framing condition for the associated parameter, so that a caller is assured the corresponding parameter is not modified?

Guidelines in this area will be useful for two reasons: first to avoid falling into the area of unsoundness, by putting enough information in a specification, and second to avoid the proofs breaking when issue #30 is fixed.
@langston-barrett
Copy link
Contributor

langston-barrett commented Oct 8, 2018
edited
Loading

I can address some of these questions that are related to the handling of globals, I think.

After #311 is merged, Crucible-based LLVM specifications will have to explicitly initialize any global variables they use (otherwise, the proof script will raise an error about uninitialized memory). Those initializations become preconditions: SAW will not erroneously rewrite using those lemmas without checking that the global variables have the right values.

@atomb atomb added this to the 1.0 milestone Jun 4, 2019
@langston-barrett langston-barrett added the unsoundness Issues that can lead to unsoundness or false verification label Jun 11, 2019
@weaversa
Copy link
Contributor

weaversa commented Jul 6, 2019
edited
Loading

I'm also very interested in a solution to this.

saw does have some understanding of const values, but I'm not sure exactly what it assumes. If global variables are labeled as const then they do not need to be declared in saw.

I like the crucible_alloc_readonly path, if it's viable.

@atomb atomb modified the milestones: 1.0, 0.4 Oct 1, 2019
@atomb atomb closed this as completed Oct 21, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
unsoundness Issues that can lead to unsoundness or false verification
Projects
None yet
Milestone
0.4
Development

No branches or pull requests
4 participants
@atomb @langston-barrett @weaversa @msaaltink