CBMC
Loading...
Searching...
No Matches
bmc_util.cpp
Go to the documentation of this file.
1/*******************************************************************\
2
3Module: Bounded Model Checking Utilities
4
5Author: Daniel Kroening, Peter Schrammel
6
7\*******************************************************************/
8
11
12#include "bmc_util.h"
13
14#include <util/json_stream.h>
15#include <util/ui_message.h>
16
17#include <goto-programs/graphml_witness.h>
18#include <goto-programs/json_goto_trace.h>
19#include <goto-programs/xml_goto_trace.h>
20
21#include <goto-symex/build_goto_trace.h>
22#include <goto-symex/memory_model_pso.h>
23#include <goto-symex/slice.h>
24#include <goto-symex/symex_target_equation.h>
25#include <solvers/decision_procedure.h>
26
27#include "goto_symex_property_decider.h"
28#include "symex_bmc.h"
29
30#include <iostream>
31
32void message_building_error_trace(messaget &log)
33{
34 log.status() << "Building error trace" << messaget::eom;
35}
36
37void build_error_trace(
38 goto_tracet &goto_trace,
39 const namespacet &ns,
40 const symex_target_equationt &symex_target_equation,
41 const decision_proceduret &decision_procedure,
42 ui_message_handlert &ui_message_handler)
43{
44 messaget log(ui_message_handler);
45 message_building_error_trace(log);
46
47 build_goto_trace(symex_target_equation, decision_procedure, ns, goto_trace);
48}
49
50ssa_step_predicatet
51ssa_step_matches_failing_property(const irep_idt &property_id)
52{
53 return [property_id](
54 symex_target_equationt::SSA_stepst::const_iterator step,
55 const decision_proceduret &decision_procedure)
56 {
57 return step->is_assert() && step->property_id == property_id &&
58 decision_procedure.get(step->cond_handle) == false;
59 };
60}
61
62void output_error_trace(
63 const goto_tracet &goto_trace,
64 const namespacet &ns,
65 const trace_optionst &trace_options,
66 ui_message_handlert &ui_message_handler)
67{
68 messaget msg(ui_message_handler);
69 switch(ui_message_handler.get_ui())
70 {
71 case ui_message_handlert::uit::PLAIN:
72 msg.result() << "Counterexample:" << messaget::eom;
73 show_goto_trace(msg.result(), ns, goto_trace, trace_options);
74 msg.result() << messaget::eom;
75 break;
76
77 case ui_message_handlert::uit::XML_UI:
78 {
79 const goto_trace_stept &last_step = goto_trace.get_last_step();
80 property_infot info{
81 last_step.pc, last_step.comment, property_statust::FAIL};
82 xmlt xml_result = xml(last_step.property_id, info);
83 convert(ns, goto_trace, xml_result.new_element());
84 msg.result() << xml_result;
85 }
86 break;
87
88 case ui_message_handlert::uit::JSON_UI:
89 {
90 json_stream_objectt &json_result =
91 ui_message_handler.get_json_stream().push_back_stream_object();
92 const goto_trace_stept &step = goto_trace.get_last_step();
93 json_result["property"] = json_stringt(step.property_id);
94 json_result["description"] = json_stringt(step.comment);
95 json_result["status"] = json_stringt("failed");
96 json_stream_arrayt &json_trace =
97 json_result.push_back_stream_array("trace");
98 convert<json_stream_arrayt>(ns, goto_trace, json_trace, trace_options);
99 }
100 break;
101 }
102}
103
105void output_graphml(
106 const goto_tracet &goto_trace,
107 const namespacet &ns,
108 const optionst &options)
109{
110 const std::string graphml = options.get_option("graphml-witness");
111 if(graphml.empty())
112 return;
113
114 graphml_witnesst graphml_witness(ns);
115 graphml_witness(goto_trace);
116
117 if(graphml == "-")
118 write_graphml(graphml_witness.graph(), std::cout);
119 else
120 {
121 std::ofstream out(graphml);
122 write_graphml(graphml_witness.graph(), out);
123 }
124}
125
127void output_graphml(
128 const symex_target_equationt &symex_target_equation,
129 const namespacet &ns,
130 const optionst &options)
131{
132 const std::string graphml = options.get_option("graphml-witness");
133 if(graphml.empty())
134 return;
135
136 graphml_witnesst graphml_witness(ns);
137 graphml_witness(symex_target_equation);
138
139 if(graphml == "-")
140 write_graphml(graphml_witness.graph(), std::cout);
141 else
142 {
143 std::ofstream out(graphml);
144 write_graphml(graphml_witness.graph(), out);
145 }
146}
147
148void convert_symex_target_equation(
149 symex_target_equationt &equation,
150 decision_proceduret &decision_procedure,
151 message_handlert &message_handler)
152{
153 messaget msg(message_handler);
154 msg.status() << "converting SSA" << messaget::eom;
155
156 equation.convert(decision_procedure);
157}
158
159std::unique_ptr<memory_model_baset>
160get_memory_model(const optionst &options, const namespacet &ns)
161{
162 const std::string mm = options.get_option("mm");
163
164 if(mm.empty() || mm == "sc")
165 return std::make_unique<memory_model_sct>(ns);
166 else if(mm == "tso")
167 return std::make_unique<memory_model_tsot>(ns);
168 else if(mm == "pso")
169 return std::make_unique<memory_model_psot>(ns);
170 else
171 {
172 throw "invalid memory model '" + mm + "': use one of sc, tso, pso";
173 }
174}
175
176void slice(
177 symex_bmct &symex,
178 symex_target_equationt &symex_target_equation,
179 const namespacet &ns,
180 const optionst &options,
181 ui_message_handlert &ui_message_handler)
182{
183 messaget msg(ui_message_handler);
184
185 // any properties to check at all?
186 if(symex_target_equation.has_threads())
187 {
188 // we should build a thread-aware SSA slicer
189 msg.statistics() << "no slicing due to threads" << messaget::eom;
190 }
191 else
192 {
193 if(options.get_bool_option("slice-formula"))
194 {
195 ::slice(symex_target_equation);
196 msg.statistics() << "slicing removed "
197 << symex_target_equation.count_ignored_SSA_steps()
198 << " assignments" << messaget::eom;
199 }
200 else
201 {
202 if(options.get_bool_option("simple-slice"))
203 {
204 simple_slice(symex_target_equation);
205 msg.statistics() << "simple slicing removed "
206 << symex_target_equation.count_ignored_SSA_steps()
207 << " assignments" << messaget::eom;
208 }
209 }
210 }
211 msg.statistics() << "Generated " << symex.get_total_vccs() << " VCC(s), "
212 << symex.get_remaining_vccs()
213 << " remaining after simplification" << messaget::eom;
214}
215
216void update_properties_status_from_symex_target_equation(
217 propertiest &properties,
218 std::unordered_set<irep_idt> &updated_properties,
219 const symex_target_equationt &equation)
220{
221 for(const auto &step : equation.SSA_steps)
222 {
223 if(!step.is_assert())
224 continue;
225
226 const irep_idt &property_id = step.property_id;
227 CHECK_RETURN(!property_id.empty());
228
229 // Don't update status of properties that are constant 'false';
230 // we wouldn't have traces for them.
231 const auto status = step.cond_expr == true ? property_statust::PASS
232 : property_statust::UNKNOWN;
233 auto emplace_result = properties.emplace(
234 property_id, property_infot{step.source.pc, step.comment, status});
235
236 if(emplace_result.second)
237 {
238 updated_properties.insert(property_id);
239 }
240 else
241 {
242 property_infot &property_info = emplace_result.first->second;
243 property_statust old_status = property_info.status;
244 property_info.status |= status;
245
246 if(property_info.status != old_status)
247 updated_properties.insert(property_id);
248 }
249 }
250}
251
252void update_status_of_not_checked_properties(
253 propertiest &properties,
254 std::unordered_set<irep_idt> &updated_properties)
255{
256 for(auto &property_pair : properties)
257 {
258 if(property_pair.second.status == property_statust::NOT_CHECKED)
259 {
260 // This could be a NOT_CHECKED, NOT_REACHABLE or PASS,
261 // but the equation doesn't give us precise information.
262 property_pair.second.status = property_statust::PASS;
263 updated_properties.insert(property_pair.first);
264 }
265 }
266}
267
268void update_status_of_unknown_properties(
269 propertiest &properties,
270 std::unordered_set<irep_idt> &updated_properties)
271{
272 for(auto &property_pair : properties)
273 {
274 if(property_pair.second.status == property_statust::UNKNOWN)
275 {
276 // This could have any status except NOT_CHECKED.
277 // We consider them PASS because we do verification modulo bounds.
278 property_pair.second.status = property_statust::PASS;
279 updated_properties.insert(property_pair.first);
280 }
281 }
282}
283
284void output_coverage_report(
285 const std::string &cov_out,
286 const abstract_goto_modelt &goto_model,
287 const symex_bmct &symex,
288 ui_message_handlert &ui_message_handler)
289{
290 if(
291 !cov_out.empty() &&
292 symex.output_coverage_report(goto_model.get_goto_functions(), cov_out))
293 {
294 messaget log(ui_message_handler);
295 log.error() << "Failed to write symex coverage report to '" << cov_out
296 << "'" << messaget::eom;
297 }
298}
299
300void postprocess_equation(
301 symex_bmct &symex,
302 symex_target_equationt &equation,
303 const optionst &options,
304 const namespacet &ns,
305 ui_message_handlert &ui_message_handler)
306{
307 const auto postprocess_equation_start = std::chrono::steady_clock::now();
308 // add a partial ordering, if required
309 if(equation.has_threads())
310 {
311 std::unique_ptr<memory_model_baset> memory_model =
312 get_memory_model(options, ns);
313 (*memory_model)(equation, ui_message_handler);
314 }
315
316 messaget log(ui_message_handler);
317 log.statistics() << "size of program expression: "
318 << equation.SSA_steps.size() << " steps" << messaget::eom;
319
320 slice(symex, equation, ns, options, ui_message_handler);
321
322 if(options.get_bool_option("validate-ssa-equation"))
323 {
324 symex.validate(validation_modet::INVARIANT);
325 }
326
327 const auto postprocess_equation_stop = std::chrono::steady_clock::now();
328 std::chrono::duration<double> postprocess_equation_runtime =
329 std::chrono::duration<double>(
330 postprocess_equation_stop - postprocess_equation_start);
331 log.statistics() << "Runtime Postprocess Equation: "
332 << postprocess_equation_runtime.count() << "s"
333 << messaget::eom;
334}
335
336std::chrono::duration<double> prepare_property_decider(
337 propertiest &properties,
338 symex_target_equationt &equation,
339 goto_symex_property_decidert &property_decider,
340 ui_message_handlert &ui_message_handler)
341{
342 auto solver_start = std::chrono::steady_clock::now();
343
344 messaget log(ui_message_handler);
345 log.status()
346 << "Passing problem to "
347 << property_decider.get_decision_procedure().decision_procedure_text()
348 << messaget::eom;
349
350 convert_symex_target_equation(
351 equation, property_decider.get_decision_procedure(), ui_message_handler);
352 property_decider.update_properties_goals_from_symex_target_equation(
353 properties);
354 property_decider.convert_goals();
355
356 auto solver_stop = std::chrono::steady_clock::now();
357 return std::chrono::duration<double>(solver_stop - solver_start);
358}
359
360void run_property_decider(
361 incremental_goto_checkert::resultt &result,
362 propertiest &properties,
363 goto_symex_property_decidert &property_decider,
364 ui_message_handlert &ui_message_handler,
365 std::chrono::duration<double> solver_runtime,
366 bool set_pass)
367{
368 auto solver_start = std::chrono::steady_clock::now();
369
370 messaget log(ui_message_handler);
371 log.status()
372 << "Running "
373 << property_decider.get_decision_procedure().decision_procedure_text()
374 << messaget::eom;
375
376 property_decider.add_constraint_from_goals(
377 [&properties](const irep_idt &property_id) {
378 return is_property_to_check(properties.at(property_id).status);
379 });
380
381 auto const sat_solver_start = std::chrono::steady_clock::now();
382
383 decision_proceduret::resultt dec_result = property_decider.solve();
384
385 auto const sat_solver_stop = std::chrono::steady_clock::now();
386 std::chrono::duration<double> sat_solver_runtime =
387 std::chrono::duration<double>(sat_solver_stop - sat_solver_start);
388 log.statistics() << "Runtime Solver: " << sat_solver_runtime.count() << "s"
389 << messaget::eom;
390
391 property_decider.update_properties_status_from_goals(
392 properties, result.updated_properties, dec_result, set_pass);
393
394 auto solver_stop = std::chrono::steady_clock::now();
395 solver_runtime += std::chrono::duration<double>(solver_stop - solver_start);
396 log.statistics() << "Runtime decision procedure: " << solver_runtime.count()
397 << "s" << messaget::eom;
398
399 if(dec_result == decision_proceduret::resultt::D_SATISFIABLE)
400 {
401 result.progress = incremental_goto_checkert::resultt::progresst::FOUND_FAIL;
402 }
403}
run_property_decider
void run_property_decider(incremental_goto_checkert::resultt &result, propertiest &properties, goto_symex_property_decidert &property_decider, ui_message_handlert &ui_message_handler, std::chrono::duration< double > solver_runtime, bool set_pass)
Runs the property decider to solve the equation.
Definition bmc_util.cpp:360
slice
void slice(symex_bmct &symex, symex_target_equationt &symex_target_equation, const namespacet &ns, const optionst &options, ui_message_handlert &ui_message_handler)
Definition bmc_util.cpp:176
output_coverage_report
void output_coverage_report(const std::string &cov_out, const abstract_goto_modelt &goto_model, const symex_bmct &symex, ui_message_handlert &ui_message_handler)
Output a coverage report as generated by symex_coveraget if cov_out is non-empty.
Definition bmc_util.cpp:284
output_error_trace
void output_error_trace(const goto_tracet &goto_trace, const namespacet &ns, const trace_optionst &trace_options, ui_message_handlert &ui_message_handler)
Definition bmc_util.cpp:62
prepare_property_decider
std::chrono::duration< double > prepare_property_decider(propertiest &properties, symex_target_equationt &equation, goto_symex_property_decidert &property_decider, ui_message_handlert &ui_message_handler)
Converts the equation and sets up the property decider, but does not call solve.
Definition bmc_util.cpp:336
update_status_of_unknown_properties
void update_status_of_unknown_properties(propertiest &properties, std::unordered_set< irep_idt > &updated_properties)
Sets the property status of UNKNOWN properties to PASS.
Definition bmc_util.cpp:268
message_building_error_trace
void message_building_error_trace(messaget &log)
Outputs a message that an error trace is being built.
Definition bmc_util.cpp:32
get_memory_model
std::unique_ptr< memory_model_baset > get_memory_model(const optionst &options, const namespacet &ns)
Definition bmc_util.cpp:160
update_properties_status_from_symex_target_equation
void update_properties_status_from_symex_target_equation(propertiest &properties, std::unordered_set< irep_idt > &updated_properties, const symex_target_equationt &equation)
Sets property status to PASS for properties whose conditions are constant true in the equation.
Definition bmc_util.cpp:216
update_status_of_not_checked_properties
void update_status_of_not_checked_properties(propertiest &properties, std::unordered_set< irep_idt > &updated_properties)
Sets the property status of NOT_CHECKED properties to PASS.
Definition bmc_util.cpp:252
ssa_step_matches_failing_property
ssa_step_predicatet ssa_step_matches_failing_property(const irep_idt &property_id)
Returns a function that checks whether an SSA step is an assertion with property_id.
Definition bmc_util.cpp:51
build_error_trace
void build_error_trace(goto_tracet &goto_trace, const namespacet &ns, const symex_target_equationt &symex_target_equation, const decision_proceduret &decision_procedure, ui_message_handlert &ui_message_handler)
Definition bmc_util.cpp:37
convert_symex_target_equation
void convert_symex_target_equation(symex_target_equationt &equation, decision_proceduret &decision_procedure, message_handlert &message_handler)
Definition bmc_util.cpp:148
output_graphml
void output_graphml(const goto_tracet &goto_trace, const namespacet &ns, const optionst &options)
outputs an error witness in graphml format
Definition bmc_util.cpp:105
postprocess_equation
void postprocess_equation(symex_bmct &symex, symex_target_equationt &equation, const optionst &options, const namespacet &ns, ui_message_handlert &ui_message_handler)
Post process the equation.
Definition bmc_util.cpp:300
bmc_util.h
Bounded Model Checking Utilities.
build_goto_trace
void build_goto_trace(const symex_target_equationt &target, ssa_step_predicatet is_last_step_to_keep, const decision_proceduret &decision_procedure, const namespacet &ns, goto_tracet &goto_trace)
Build a trace by going through the steps of target and stopping after the step matching a given condi...
Definition build_goto_trace.cpp:207
build_goto_trace.h
Traces of GOTO Programs.
ssa_step_predicatet
std::function< bool(symex_target_equationt::SSA_stepst::const_iterator, const decision_proceduret &)> ssa_step_predicatet
Definition build_goto_trace.h:48
convert
static bool convert(const irep_idt &identifier, const std::ostringstream &s, symbol_table_baset &symbol_table, message_handlert &message_handler)
Definition builtin_factory.cpp:42
abstract_goto_modelt
Abstract interface to eager or lazy GOTO models.
Definition abstract_goto_model.h:22
abstract_goto_modelt::get_goto_functions
virtual const goto_functionst & get_goto_functions() const =0
Accessor to get a raw goto_functionst.
ait
ait supplies three of the four components needed: an abstract interpreter (in this case handling func...
Definition ai.h:562
decision_proceduret
An interface for a decision procedure for satisfiability problems.
Definition decision_procedure.h:22
decision_proceduret::resultt
resultt
Result of running the decision procedure.
Definition decision_procedure.h:45
decision_proceduret::resultt::D_SATISFIABLE
@ D_SATISFIABLE
decision_proceduret::decision_procedure_text
virtual std::string decision_procedure_text() const =0
Return a textual description of the decision procedure.
dstringt
dstringt has one field, an unsigned integer no which is an index into a static table of strings.
Definition dstring.h:38
dstringt::empty
bool empty() const
Definition dstring.h:89
goto_symex_property_decidert
Provides management of goal variables that encode properties.
Definition goto_symex_property_decider.h:24
goto_symex_property_decidert::get_decision_procedure
stack_decision_proceduret & get_decision_procedure() const
Returns the solver instance.
Definition goto_symex_property_decider.cpp:116
goto_symex_property_decidert::solve
decision_proceduret::resultt solve()
Calls solve() on the solver instance.
Definition goto_symex_property_decider.cpp:110
goto_symex_property_decidert::update_properties_goals_from_symex_target_equation
void update_properties_goals_from_symex_target_equation(propertiest &properties)
Get the conditions for the properties from the equation and collect all 'instances' of the properties...
Definition goto_symex_property_decider.cpp:44
goto_symex_property_decidert::update_properties_status_from_goals
void update_properties_status_from_goals(propertiest &properties, std::unordered_set< irep_idt > &updated_properties, decision_proceduret::resultt dec_result, bool set_pass=true) const
Update the property status from the truth value of the goal variable.
Definition goto_symex_property_decider.cpp:131
goto_symex_property_decidert::add_constraint_from_goals
void add_constraint_from_goals(std::function< bool(const irep_idt &property_id)> select_property)
Add disjunction of negated selected properties to the equation.
Definition goto_symex_property_decider.cpp:83
goto_symex_property_decidert::convert_goals
void convert_goals()
Convert the instances of a property into a goal variable.
Definition goto_symex_property_decider.cpp:72
goto_symext::get_remaining_vccs
unsigned get_remaining_vccs() const
Definition goto_symex.h:849
goto_symext::get_total_vccs
unsigned get_total_vccs() const
Definition goto_symex.h:840
goto_symext::validate
void validate(const validation_modet vm) const
Definition goto_symex.h:858
goto_trace_stept
Step of the trace of a GOTO program.
Definition goto_trace.h:50
goto_trace_stept::comment
std::string comment
Definition goto_trace.h:124
goto_trace_stept::property_id
irep_idt property_id
Definition goto_trace.h:123
goto_tracet
Trace of a GOTO program.
Definition goto_trace.h:177
graphml_witnesst
Definition graphml_witness.h:24
json_stream_arrayt
Provides methods for streaming JSON arrays.
Definition json_stream.h:93
json_stream_objectt
Provides methods for streaming JSON objects.
Definition json_stream.h:140
json_stringt
Definition json.h:270
message_handlert
Definition message.h:27
messaget
Class that provides messages with a built-in verbosity 'level'.
Definition message.h:154
messaget::eom
static eomt eom
Definition message.h:289
namespacet
A namespacet is essentially one or two symbol tables bound together, to allow for symbol lookups in t...
Definition namespace.h:91
optionst::get_bool_option
bool get_bool_option(const std::string &option) const
Definition options.cpp:44
optionst::get_option
const std::string get_option(const std::string &option) const
Definition options.cpp:67
symex_bmct
Definition symex_bmc.h:24
symex_bmct::output_coverage_report
bool output_coverage_report(const goto_functionst &goto_functions, const std::string &path) const
Definition symex_bmc.h:75
symex_target_equationt
Inheriting the interface of symex_targett this class represents the SSA form of the input program as ...
Definition symex_target_equation.h:34
symex_target_equationt::SSA_steps
SSA_stepst SSA_steps
Definition symex_target_equation.h:251
symex_target_equationt::convert
void convert(decision_proceduret &decision_procedure)
Interface method to initiate the conversion into a decision procedure format.
Definition symex_target_equation.cpp:347
symex_target_equationt::has_threads
bool has_threads() const
Definition symex_target_equation.h:271
ui_message_handlert
Definition ui_message.h:22
ui_message_handlert::get_ui
virtual uit get_ui() const
Definition ui_message.h:33
ui_message_handlert::uit::JSON_UI
@ JSON_UI
ui_message_handlert::uit::XML_UI
@ XML_UI
ui_message_handlert::uit::PLAIN
@ PLAIN
ui_message_handlert::get_json_stream
virtual json_stream_arrayt & get_json_stream()
Definition ui_message.h:40
xmlt
Definition xml.h:21
decision_procedure.h
Decision Procedure Interface.
goto_symex_property_decider.h
Property Decider for Goto-Symex.
show_goto_trace
void show_goto_trace(messaget::mstreamt &out, const namespacet &ns, const goto_tracet &goto_trace, const trace_optionst &options)
Output the trace on the given stream out.
Definition goto_trace.cpp:786
write_graphml
bool write_graphml(const graphmlt &src, std::ostream &os)
Definition graphml.cpp:203
graphml_witness.h
Witnesses for Traces and Proofs.
json_goto_trace.h
Traces of GOTO Programs.
json_stream.h
log
double log(double x)
Definition math.c:2449
memory_model_pso.h
Memory models for partial order concurrency.
is_property_to_check
bool is_property_to_check(property_statust status)
Return true if the status is NOT_CHECKED or UNKNOWN.
Definition properties.cpp:175
xml
xmlt xml(const irep_idt &property_id, const property_infot &property_info)
Definition properties.cpp:110
property_statust
property_statust
The status of a property.
Definition properties.h:26
property_statust::UNKNOWN
@ UNKNOWN
The checker was unable to determine the status of the property.
property_statust::PASS
@ PASS
The property was not violated.
property_statust::FAIL
@ FAIL
The property was violated.
property_statust::NOT_CHECKED
@ NOT_CHECKED
The property was not checked (also used for initialization)
propertiest
std::map< irep_idt, property_infot > propertiest
A map of property IDs to property infos.
Definition properties.h:76
simple_slice
void simple_slice(symex_target_equationt &equation)
Definition slice.cpp:234
slice.h
Slicer for symex traces.
CHECK_RETURN
#define CHECK_RETURN(CONDITION)
Definition invariant.h:495
incremental_goto_checkert::resultt
Definition incremental_goto_checker.h:43
incremental_goto_checkert::resultt::updated_properties
std::unordered_set< irep_idt > updated_properties
Changed properties since the last call to incremental_goto_checkert::operator()
Definition incremental_goto_checker.h:61
incremental_goto_checkert::resultt::progresst::FOUND_FAIL
@ FOUND_FAIL
The goto checker may be able to find another FAILed property if operator() is called again.
incremental_goto_checkert::resultt::progress
progresst progress
Definition incremental_goto_checker.h:54
property_infot
Definition properties.h:59
property_infot::pc
goto_programt::const_targett pc
A pointer to the corresponding goto instruction.
Definition properties.h:66
trace_optionst
Options for printing the trace using show_goto_trace.
Definition goto_trace.h:221
symex_bmc.h
Bounded Model Checking for ANSI-C.
symex_target_equation.h
Generate Equation using Symbolic Execution.
ui_message.h
validation_modet::INVARIANT
@ INVARIANT
xml_goto_trace.h
Traces of GOTO Programs.