-
Notifications
You must be signed in to change notification settings - Fork 77
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Apron: Invariants for variables of type unsigned long
wrong
#1542
Comments
It does not have anything to do with logic to exclude temporaries, the problem is still there after renaming the variable. |
Adding the assertion as a |
Maybe this has to do with the |
Nevertheless, it should still hold even after making this cast. |
Actually claiming that this holds is in fact wrong! |
unsigned long
wrong
I now have the following minimal program #include<pthread.h>
int *b;
pthread_mutex_t e;
void main() {
int g;
int a;
b = &g;
pthread_mutex_lock(&e);
} where some 4 invariants cannot be shown after locking |
However, the bounds seem to be correct, they result from interval arithmetic. If I don't assign the address of |
This minimal program locks a mutex in single-threaded mode which should be fine, but maybe we handle something incorrectly in such case? Or is the locking there just as a place for |
It also misbehaves if the program starts a thread right at the beginning. I just figured it might be easier to debug if there's no concurrency happening. I haven't tried whether we have the same issue if I generate witnesses at all program points and remove the mutex, I'll try that tomorrow. |
The problem also occurs when dumping invariants at all program points and removing the locking of the mutex. |
The last remaining issue can be observed in this program: #include<pthread.h>
int *b;
pthread_mutex_t e;
void* other(void* arg) {
return NULL;
}
void main() {
pthread_t t;
pthread_create(&t, NULL, other, NULL);
int g = 8;
int a;
if(a) {
g = 4383648;
}
b = &g;
// Invariant generated: (2143100000LL + (long long )a) + (long long )g >= 0LL
pthread_mutex_lock(&e);
} This invariant is an interesting case: At first glance it seems wrong, as it appears as if the case where g is 8 seems to violate the invariant. However, the invariant is actually correct as one can see by case distinction over
If we destroy the relationship about |
It also seems to be related to escaping somehow: To establish the invariant, we attempt to show a contradiction with in the state we have Complete state:
|
Consider the following program extracted from
libaco
which is one of the programs I am considering for #1417:Creating a YAML witness from it (via
./goblint --conf conf/traces-rel.json --set ana.activated[+] apron --set ana.path_sens[+] threadflag --set ana.relation.privatization mutex-meet-tid-cluster12 --enable allglobs -v --enable witness.yaml.enabled notlibaco.c --set witness.yaml.path notlibaco.yml
) yieldsHowever, subsequent self-validation with
./goblint --conf conf/traces-rel.json --set ana.activated[+] apron --set ana.path_sens[+] threadflag --set ana.relation.privatization mutex-meet-tid-cluster12 --enable allglobs -v --set witness.yaml.validate notlibaco.yml notlibaco.c
yields the message that only 2/5 invariants can be confirmed.One of the invariants that cannot be re-confirmed, is
(long long )tmp_gl_ct >= 0LL
.This is correct, as this invariant may not hold (if we assume uninitialized variables are top), as
long long
andunsigned long
have the same bit-length but different ranges.Wrong reasoning I used earlier:
Invaraint holds vacuously astmp_gl_ct
has typeunsigned long
.The text was updated successfully, but these errors were encountered: