Combining mathsat, tuple-sym-flattener and smt-symex-guard gives false true #1771
Comments
Hi @Novak756, The flag Do you have some specific reason why you want to use it?

Not necessarily, it's not urgent, just something I noticed.

@Novak756 with flags

Strange... the flags are correct, but my output for

and for

@Novak756: It would be great to check the git commit you're in.

I just rebuilt on the latest commit (7736aca) and it's still there for me.

The current master can output the failure in bug.c. But the log here is different. You can also check if the uploaded program is the same as your local file.

Yes, that seems to be the same log I'm getting (see above). I checked against fresh downloads of the files I uploaded.
Hi, in case it helps with finding the issue, I found (somewhat) smaller cases for unsoundness (no error even though the error is reachable):

```c
extern void __VERIFIER_error();
extern char __VERIFIER_nondet_char();
extern int __VERIFIER_nondet_int();
extern unsigned long __VERIFIER_nondet_ulong();

/* Identity helper; the unused local is part of the reduced test case. */
long id(long e) {
    char f = 0;
    return e;
}

int main()
{
    int b = __VERIFIER_nondet_int();
    long h = 1;
    char d = __VERIFIER_nondet_char();
    if (d == 0)
        b = 1;
    long i[16];
    long *array = i;
    /* Each element is nondeterministic & 1, so i[0] == 0 is reachable. */
    for (int e = 0; e < 16; e++) {
        unsigned int g = (unsigned int)__VERIFIER_nondet_ulong();
        array[e] = id(h & g);
    }
    if ((int)i[0] == 0) {
        __VERIFIER_error();
        ;
    }
}
```

and imprecision (claiming div-by-zero error which is clearly not possible as the helper checks right before):

```c
extern int __VERIFIER_nondet_int();

/* Guards against a zero divisor before dividing. */
int div_zero_helper(int f) {
    if (f == 0)
        return 0;
    return __VERIFIER_nondet_int() / f;
}

int main() {
    int d = __VERIFIER_nondet_int();
    long h[4];
    long *a = h;
    for (int b = 0; b < 4; b++) {
        d = h[3];
        a[b] = div_zero_helper((short)d);
    }
}
```

These are triggered when running with
Hi again, this seems to be a rather specific issue:

running

esbmc --mathsat --tuple-sym-flattener --smt-during-symex --smt-symex-guard

on bug.c, esbmc returns VERIFICATION SUCCESSFUL. The correct result should be VERIFICATION FAILED, which is also found when using a different backend solver or when running without --tuple-sym-flattener. It also finds the bug after removing unnecessary array initialisations (see bug_noArray.c in the zip).

Versions:
ESBMC: Built from commit 3462e18
MATHSAT: MathSAT5 version 5.6.10 (9293adc746be) (latest release)

I'll recheck on the latest mathsat release once the build has finished.

PS: Sorry for the large WE but it has been difficult to downsize while maintaining the bug (or without running into high runtimes).
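As an added check, not part of this issue or of ESBMC itself: a small POSIX shell harness that runs one file under the three configurations compared in this report (the full flag set, the same set without --tuple-sym-flattener, and the same set with ESBMC's default solver instead of --mathsat) and flags any disagreement between the verdicts. It assumes esbmc is on PATH and that the result line reads VERIFICATION SUCCESSFUL or VERIFICATION FAILED.

```shell
#!/bin/sh
# Differential soundness check across ESBMC configurations (added example).

# Map ESBMC's textual output to a short verdict token.
verdict() {
    case "$1" in
        *"VERIFICATION FAILED"*)     echo FAILED ;;
        *"VERIFICATION SUCCESSFUL"*) echo SUCCESSFUL ;;
        *)                           echo OTHER ;;   # timeout, crash, unknown
    esac
}

# Succeed (return 0) only if every verdict passed as an argument is identical.
all_agree() {
    first="$1"
    for v in "$@"; do
        [ "$v" = "$first" ] || return 1
    done
    return 0
}

# Run esbmc (assumed on PATH) with the given flags and print only the verdict.
run_cfg() {
    file="$1"; shift
    out=$(esbmc "$file" "$@" 2>&1)
    verdict "$out"
}

# Compare the configurations discussed in the report; return 1 on disagreement.
differential() {
    file="$1"
    v_full=$(run_cfg "$file" --mathsat --tuple-sym-flattener --smt-during-symex --smt-symex-guard)
    v_noflat=$(run_cfg "$file" --mathsat --smt-during-symex --smt-symex-guard)
    v_default=$(run_cfg "$file" --tuple-sym-flattener --smt-during-symex --smt-symex-guard)
    printf '%s: full=%s no-flattener=%s default-solver=%s\n' \
        "$file" "$v_full" "$v_noflat" "$v_default"
    if all_agree "$v_full" "$v_noflat" "$v_default"; then
        echo "verdicts agree"
    else
        echo "VERDICTS DISAGREE: possible unsound configuration"
        return 1
    fi
}

# Usage: sh diff_esbmc.sh bug.c
if [ $# -ge 1 ]; then
    differential "$1"
fi
```

A disagreement between configurations is not itself proof of which one is wrong; it marks the case for manual inspection, as done in this issue.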