-
Java and LLVM verification has been overhauled to use the new Crucible symbolic execution engine. Highlights include:
-
New
crucible_llvm_verifyandcrucible_llvm_extractcommands replacellvm_verifyandllvm_extract, with a different structure for specification blocks. -
LLVM verification tracks undefined behavior more carefully and has a more sophisicated memory model. See the manual for more.
-
New, experimental
crucible_jvm_verifyandcrucible_java_extractcommands will eventually replacejava_verifyandjava_extract. For the moment, the former two are enabled with theenable_experimentalcommand and the latter two are enabled withenable_deprecated. -
More flexible specification language allows convenient description of functions that allocate memory, return arbitrary values, expect explicit aliasing, work with NULL pointers, cast between pointers and integers, or work with opaque pointers.
-
Ghost state is supported in LLVM verification, allowing reasoning about certain complex or unavailable code.
-
Verification of LLVM works for a larger subset of the language, which particularly improves support for C++.
-
-
LLVM bitcode format support is greatly improved. Versions 3.5 to 7.0 are known to be mostly well-supported. We consider parsing failures with any version newer than 3.5 to be a bug, so please report them on GitHub.
-
Greatly improved error messages throughout.
-
Built against Cryptol 2.7.0.
-
New model counting commands
sharpSATandapproxmcbind to the external tools of the same name. -
New proof script commands allow multiple goals and related proof tactics. See the manual.
-
Can be built with Docker, and will be available on DockerHub.
-
Includes an Emacs mode.
-
Released under the 3-clause BSD license
-
Major improvements to the Java and LLVM verification infrastructure, as described in more detail here:
- Major refactoring and polish to
java_verifyandjava_symexec - Major refactoring and polish to
llvm_verifyandllvm_symexec - Fixed soundness bug in
llvm_verifytreatment of heap modifications - Fixed soundness bug related to
java_assertandllvm_assert - Support for branch satisfiability checking to be configured
- Support for some types of allocation in
java_verify, enabled withjava_allow_alloc - Improved support for LLVM structs (including the
llvm_structtype forllvm_verify) - Support for non-scalar return values in
java_verifyandjava_symexec - Support for using
java_ensure_eqon fields of return value - Access to safety conditions in
java_symexecandllvm_symexec - New primitives
llvm_assert_eqandjava_assert_eq
- Major refactoring and polish to
-
Some changes to the SAWScript language:
- Conditional expressions including the keywords
if,then, andelse, and the new constantstrueandfalse - New
eval_intandeval_boolfunctions to expose Cryptol bit vectors andBitvalues asIntandBoolvalues in SAWScript - Pattern matching for tuples
- Improvements to pretty printing, including:
set_baseandset_asciicommands to control the formatting of values; ashowfunction to convert a value to a string without printing it; and the ability to useprintorshowinstead ofllvm_browse_moduleandjava_browse_class - New built-in functions for processing lists
- Conditional expressions including the keywords
-
New proof backends:
- A new
rmeproof tactic, based on the Reed-Muller Expansion normal form for propositional formulas. This tactic is particularly efficient for dealing with polynomials over Galois fields, as used in AES, for instance.
- A new
-
Linked against the latest Cryptol code, which includes the following changes since release 2.3.0:
- An extended prelude with more Haskell-like functions
- Better, more portable seeding for
random - Performance improvements for symbolically executing tables of constant values
- Performance improvements for type checking large constants
-
Internal improvements:
- Simplified Cryptol to SAWCore translation
- Improved performance of Cryptol to SAWCore translation for recursive functions
- Updated bitcode parser to support some of the changes in LLVM 3.7
- Many bug fixes
- Many code cleanups