Generating XCFA instead of CFA and some other changes #22
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Handles trivial uses of pointers both in global and local scope.
after adding stub (unsound) implementations to simple memory model so intrinsics do not break the naive simple memory model (see #24 ) |
|
Also resolves #17 |
added 15 commits
August 12, 2020 18:19
added 6 commits
August 31, 2020 11:14
Functions that weren't defined were generated a simple CFA or calls were dropped entirely. When multiple inputs are present, some XCFA, Gazer must not drop these calls. CallGraph check for recursion is disabled.
ghost
Provide annotations via a horrible function definition AnnotateSpecialFunctions must use weak reference for it's definition... getline does not work as expected when using the same source for Windows and Linux. Remove unnecessary prints
AnnotationSpecialFunction uses a horrible function reference to get a list of annotations for a specific functions. Rte tests are stable
ghost
reviewed
Sep 3, 2020
| @@ -70,8 +70,8 @@ endif() | |||
| set(GAZER_CLANG_TEST_COMPILER "clang" CACHE STRING "Clang compiler path for functional tests") | |||
|
|
|||
| add_custom_target(check-functional | |||
| COMMAND GAZER_TOOLS_DIR=${CMAKE_BINARY_DIR}/tools lit -v --timeout=60 ${CMAKE_CURRENT_LIST_DIR}/test | |||
There was a problem hiding this comment.
Removing --timeout is not needed. However, psutil python package (pip3 install psutil) is required then.
ghost
reviewed
Sep 3, 2020
| @@ -32,7 +35,7 @@ set(SOURCE_FILES | |||
| Automaton/ExtensionPoints.cpp | |||
| Automaton/ValueOrMemoryObject.cpp | |||
| Analysis/PDG.cpp | |||
| ) | |||
| Memory/SimpleMemoryModel.cpp) | |||
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is a draft PR for possible contributions to the upstream Gazer project.
The point is not to directly merge or cherry-pick from here, rather select features that can be (with some extra work) integrated upstream.
The commits add some features for me to work with. This breaks normal functionality like gazer-bmc, even gazer-theta!, but I can fix these up (in my spare time?) if you'd like to accept some of these contributions.
The changes/features right now:
A bit more precisely:
NOT CLEAN COMMITS: Loops to recursion transformation at the CFA level is disabled (this is useful for non-gazer-bmc). For gazer-theta there is currently an undoing transformation (which does more right now, so I couldn't remove it), which looks as a maintenance overhead.
Note that some codes are disabled which are related to using loops, but I guess disabling the loop registration is enough (because there will be no loops detected to transform to a separate CFA).
This way there is a one-to-one mapping between LLVM functions and CFAs.
EDIT: I don't know whether Phi nodes are handled in this skipped step. (If yes, it would mean unlinked variables along loop exits maybe?) It looks suspicious, but the functional tests did not show anything scary...
NOT CLEAN: XCFA generation seems pretty well working right now (only minor hacks), so creating a common base for CFA generation and XCFA generation can be designed from the changes (What did change, what did not change).
Call transition stmt was added, also some syntax changed (high-level syntax, because of how multiple functions are supported)
NOT CLEAN: Tracing is currently disabled, so most functional tests run well (if used with xcfa-cli instead of cfa-cli on Theta side; with the latest changes in branch https://github.com/ftsrg/theta/xcfa-partial-order ).
RELATIVELY CLEAN Also, I plan to add global variables (or rather, add a storage of regular global vars to AutomataSystem). This seems like a different layer than MemoryModels, but I am not so sure about the implementation...
EDIT:
I will be trying to implement a memory model that handles this. In the future, it would be awesome if this could be composed with another memory model (e.g. try with noaliasing memorymodel, when it would not be sound, work with flat mapping, etc.)
It seems that this problem is closely coupled with how arrays will be handled, so this will probably be related to handling arrays in Theta. I know there are on-going efforts for this, but I don't know how my work will be part of the big picture...
RELATIVELY CLEAN COMMITS: (from the above point) I've implemented a simple memory model, which seems to work for XCFAs. For global variables, it is out-of-scope in the viewpoint of gazer-bmc (as it rolls with its MemSSA instead of what I use) and Theta CFA (not XCFA).
The AutomataSystem contains global variables, I've tested with some of the functional tests.
POC (clean commits, but not configurable as of now): Generate optimizable implementation from known functions. The point would be some intrinsics like llvm.memcpy, for known domain-specific API. There could be overlapping with: gazer.SpecialFunctions gazer.Checks and llvm., but:
call GetFixPointer()->GetFixPointer_varchange could not be implemented. This is because lowering to CFA level probably does not want a pointer returning function. Also, there are a lot of optimizations around pointers, which we could surely use.Demo for non-reentrant mutex usage checks: Enter.* and Exit.* functions are swapped with a global variable check. Also, initialization takes place at the start of main, and usage is checked at the end of the program (just before returning).
(Not entirely functional) A whole demo for using generated XCFAs and calling across them with C calls through declared, but undefined functions. Also contains a small driver which runs Gazer's core through all of the files in the given directory.
Please feel free to add some comments on what would make a good contribution. I'd like to emphasize that the changes in the commits contain only temporary solutions, but looking at them seems like a good way to see what changes would be needed.
Lit output:
Note that some are failing because they are unsupported (and reach an assertion fail in Gazer), some fail because Theta xcfa backend (which does not follow havoc'd variables, because it cannot handle predicate abstractions as of now).
Resolves #17