Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

termination and order of conditions #856

Closed
msaaltink opened this issue Oct 5, 2020 · 5 comments
Closed

termination and order of conditions #856

msaaltink opened this issue Oct 5, 2020 · 5 comments

Comments

@msaaltink
Copy link
Contributor

Consider this code:

#include <stdint.h>

uint64_t g1(uint64_t x) {
  int i = 0;
  uint64_t r = x;
  do {
    r = r+1;
  } while ( i++ < 3 && r == 0 );
  return r;
}

uint64_t g2(uint64_t x) {
  int i = 0;
  uint64_t r = x;
  do {
    r = r+1;
  } while ( r == 0 && i++ < 3 );
  return r;
}

Both g1 and g2 are guaranteed to terminate. If we try a simple proof in SAW:

m <- llvm_load_module "termination.bc";

let g_spec = do {
  x <- crucible_fresh_var "x" (llvm_int 64);
  crucible_execute_func [crucible_term x];
  };

crucible_llvm_verify m "g1" [] false g_spec z3;

crucible_llvm_verify m "g2" [] false g_spec z3;

the verification of g1 completes, while for g2 the simulator never stops.

Some simple variation makes the problem disappear. For example, if the increment of i is moved in the
loop, then both proofs work.
@atomb
Copy link
Contributor

atomb commented Oct 6, 2020

If you set the fourth argument to crucible_llvm_verify to true in both cases, do they both terminate?

@weaversa
Copy link
Contributor

weaversa commented Oct 6, 2020

If you set the fourth argument to crucible_llvm_verify to true in both cases, do they both terminate?

Isn’t that still broken? See #723

@robdockins
Copy link
Contributor

Humm, yeah g2 is interesting. I can see why the simulator would have trouble with that. I'd expect SAT branch checking to fix the issue, but as @weaversa mentions, that feature has some sort of bug that I need to track down.

@robdockins
Copy link
Contributor

Follow up: compiling g2 with -O1 apparently does enough code motion that the simulator terminates. With crux-llvm I can get g2 to terminate using -O0 provided path-sat checking is enabled, which is what I would expect.

So, simulator path-sat checking does work, there's just something weird about the integration with SAW. This is consistent with what we were seeing in #723. Interestingly, I can see that the simulator is communicating with the solver during simulation (via top), so the feature is enabled and doing something; but it's not clear why it isn't properly pruning branches.

@robdockins
Copy link
Contributor

Following #873, and with path satisfiability checking enabled, the simulator now promptly terminates on g2.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@atomb @robdockins @weaversa @msaaltink