Esempio n. 1
0
def verify_bpl_svcomp(args):
  """Verify the Boogie source file using SVCOMP-tuned heuristics."""
  heurTrace = "\n\nHeuristics Info:\n"

  # invoke boogie for floats
  # I have to copy/paste part of verify_bpl
  if args.float:
    args.verifier = 'boogie'
    boogie_command = ["boogie"]
    boogie_command += [args.bpl_file]
    boogie_command += ["/nologo", "/noinfer", "/doModSetAnalysis"]
    boogie_command += ["/timeLimit:%s" % args.time_limit]
    boogie_command += ["/errorLimit:%s" % args.max_violations]
    boogie_command += ["/loopUnroll:%d" % args.unroll]
    if args.bit_precise:
      x = "bopt:" if args.verifier != 'boogie' else ""
      boogie_command += ["/%sproverOpt:OPTIMIZE_FOR_BV=true" % x]
      boogie_command += ["/%sz3opt:smt.relevancy=0" % x]
      boogie_command += ["/%sz3opt:smt.bv.enable_int2bv=true" % x]
      boogie_command += ["/%sboolControlVC" % x]

    if args.verifier_options:
      boogie_command += args.verifier_options.split()

    boogie_output = smack.top.try_command(boogie_command, timeout=args.time_limit)
    boogie_result = smack.top.verification_result(boogie_output)
    write_error_file(args, boogie_result, boogie_output)
    sys.exit(smack.top.results(args)[boogie_result])

  # If pthreads found, perform lock set analysis
  if args.pthread:
    lockpwn_command = ["lockpwn"]
    lockpwn_command += [args.bpl_file]
    lockpwn_command += ["/corral"]
    args.bpl_file = smack.top.temporary_file(os.path.splitext(os.path.basename(args.bpl_file))[0], '.bpl', args)
    lockpwn_command += ["/o:%s" % args.bpl_file]
    lockpwn_output = smack.top.try_command(lockpwn_command);

  corral_command = ["corral"]
  corral_command += [args.bpl_file]
  corral_command += ["/tryCTrace", "/noTraceOnDisk", "/printDataValues:1"]
  corral_command += ["/useProverEvaluate", "/cex:1"]

  with open(args.bpl_file, "r") as f:
    bpl = f.read()

  is_crappy_driver_benchmark(args, bpl)

  if args.pthread:
    if "fib_bench" in bpl or "27_Boop_simple_vf_false-unreach-call" in bpl:
      heurTrace += "Increasing context switch bound for certain pthread benchmarks.\n"
      corral_command += ["/k:30"]
    else:
      corral_command += ["/k:3"]
    if not "qrcu_reader2" in bpl and not "__VERIFIER_atomic_take_write_lock" in bpl and not "fib_bench" in bpl:
      corral_command += ["/cooperative"]
  else:
    corral_command += ["/k:1"]
    if not args.memory_safety or not args.bit_precise:
      corral_command += ["/di"]

  # we are not modeling strcpy
  if args.pthread and "strcpy" in bpl:
    heurTrace += "We are not modeling strcpy - aborting\n"
    if not args.quiet:
      print(heurTrace + "\n")
    sys.exit(smack.top.results(args)['unknown'])

  # Setting good loop unroll bound based on benchmark class
  loopUnrollBar = 8
  staticLoopBound = 65536
  if not args.bit_precise and "ssl3_accept" in bpl and "s__s3__tmp__new_cipher__algorithms" in bpl:
    heurTrace += "ControlFlow benchmark detected. Setting loop unroll bar to 23.\n"
    loopUnrollBar = 23
  elif "s3_srvr.blast.10_false-unreach-call" in bpl or "s3_srvr.blast.15_false-unreach-call" in bpl:
    heurTrace += "ControlFlow benchmark detected. Setting loop unroll bar to 23.\n"
    loopUnrollBar = 23
  elif " node3" in bpl:
    heurTrace += "Sequentialized benchmark detected. Setting loop unroll bar to 100.\n"
    loopUnrollBar = 100
  elif "calculate_output" in bpl:
    heurTrace += "ECA benchmark detected. Setting loop unroll bar to 15.\n"
    loopUnrollBar = 15
  elif "ldv" in bpl:
    if "linux-4.2-rc1.tar.xz-08_1a-drivers--staging--lustre--lustre--llite--llite_lloop.ko-entry_point_false-unreach-call" in bpl:
      heurTrace += "Special LDV benchmark detected. Setting loop unroll bar to 32.\n"
      loopUnrollBar = 32
    else:
      heurTrace += "LDV benchmark detected. Setting loop unroll bar to 13.\n"
      loopUnrollBar = 13
    staticLoopBound = 64
  elif "standard_strcpy_false-valid-deref_ground_true-termination" in bpl or "960521-1_false-valid-free" in bpl or "960521-1_false-valid-deref" in bpl or "lockfree-3.3" in bpl:
    heurTrace += "Memory safety benchmark detected. Setting loop unroll bar to 129.\n"
    loopUnrollBar = 129
  elif "is_relaxed_prefix" in bpl:
    heurTrace += "Benchmark relax_* detected. Setting loop unroll bar to 15.\n"
    loopUnrollBar = 15
  elif "id_o1000_false-unreach-call" in bpl:
    heurTrace += "Recursive benchmark detected. Setting loop unroll bar to 1024.\n"
    loopUnrollBar = 1024
  elif args.memory_safety and "__main(argc:" in bpl:
    heurTrace += "BusyBox memory safety benchmark detected. Setting loop unroll bar to 128.\n"
    loopUnrollBar = 128
  elif args.signed_integer_overflow and "__main(argc:" in bpl:
    heurTrace += "BusyBox overflows benchmark detected. Setting loop unroll bar to 11.\n"
    loopUnrollBar = 11
  elif args.signed_integer_overflow and "jain" in bpl:
    heurTrace += "Infinite loop in overflow benchmark. Setting loop unroll bar to INT_MAX.\n"
    loopUnrollBar = 2**31 - 1

  if not "forall" in bpl:
    heurTrace += "No quantifiers detected. Setting z3 relevancy to 0.\n"
    corral_command += ["/bopt:z3opt:smt.relevancy=0"]

  if args.bit_precise:
    heurTrace += "--bit-precise flag passed - enabling bit vectors mode.\n"
    corral_command += ["/bopt:proverOpt:OPTIMIZE_FOR_BV=true"]
    corral_command += ["/bopt:boolControlVC"]

  time_limit = 880
  command = list(corral_command)
  command += ["/timeLimit:%s" % time_limit]
  command += ["/v:1"]
  command += ["/maxStaticLoopBound:%d" % staticLoopBound]
  command += ["/recursionBound:65536"]
  command += ["/irreducibleLoopUnroll:2"]
  command += ["/trackAllVars"]

  verifier_output = smack.top.try_command(command, timeout=time_limit)
  result = smack.top.verification_result(verifier_output)

  if result == 'error' or result == 'invalid-deref' or result == 'invalid-free' or result == 'invalid-memtrack' or result == 'overflow': #normal inlining
    heurTrace += "Found a bug during normal inlining.\n"

    if not args.quiet:
      error = smack.top.error_trace(verifier_output, args)
      print error

  elif result == 'timeout': #normal inlining
    heurTrace += "Timed out during normal inlining.\n"
    heurTrace += "Determining result based on how far we unrolled.\n"
    # If we managed to unroll more than loopUnrollBar times, then return verified
    # First remove exhausted loop bounds generated during max static loop bound computation
    unrollMax = 0
    if 'Verifying program while tracking' in verifier_output:
      verifier_output = re.sub(re.compile('.*Verifying program while tracking', re.DOTALL),
        'Verifying program while tracking', verifier_output)
      it = re.finditer(r'Exhausted recursion bound of ([1-9]\d*)', verifier_output)
      for match in it:
        if int(match.group(1)) > unrollMax:
          unrollMax = int(match.group(1))
    else:
      heurTrace += "Corral didn't even start verification.\n"
    if unrollMax >= loopUnrollBar:
      heurTrace += "Unrolling made it to a recursion bound of "
      heurTrace += str(unrollMax) + ".\n"
      heurTrace += "Reporting benchmark as 'verified'.\n"
      if args.execute and not args.pthread:
        heurTrace += "Hold on, let's see the execution result.\n"
        execution_result = run_binary(args)
        heurTrace += "Excecution result is " + execution_result + '\n'
        if execution_result != 'true':
          heurTrace += "Oops, execution result says {0}.\n".format(execution_result)
          if not args.quiet:
            print(heurTrace + "\n")
          sys.exit(smack.top.results(args)['unknown'])
      random_test_result = random_test(args, result)
      if random_test_result == 'false' or random_test_result == 'unknown':
        heurTrace += "Oops, random testing says {0}.\n".format(random_test_result)
        if not args.quiet:
          print(heurTrace + "\n")
        sys.exit(smack.top.results(args)['unknown'])
      if not args.quiet:
        print(heurTrace + "\n")
      write_error_file(args, 'verified', verifier_output)
      sys.exit(smack.top.results(args)['verified'])
    else:
      heurTrace += "Only unrolled " + str(unrollMax) + " times.\n"
      heurTrace += "Insufficient unrolls to consider 'verified'.  "
      heurTrace += "Reporting 'timeout'.\n"
      if not args.quiet:
        print(heurTrace + "\n")
        sys.stdout.flush()
      # Sleep for 1000 seconds, so svcomp shows timeout instead of unknown
      time.sleep(1000)
  elif result == 'verified': #normal inlining
    heurTrace += "Normal inlining terminated and found no bugs.\n"
  else: #normal inlining
    heurTrace += "Normal inlining returned 'unknown'.  See errors above.\n"
  if not args.quiet:
    print(heurTrace + "\n")
  write_error_file(args, result, verifier_output)
  sys.exit(smack.top.results(args)[result])
Esempio n. 2
0
def verify_bpl_svcomp(args):
  """Verify the Boogie source file using SVCOMP-tuned heuristics."""
  heurTrace = "\n\nHeuristics Info:\n"

  if args.memory_safety:
    if not (args.only_check_valid_deref or args.only_check_valid_free or args.only_check_memleak):
      heurTrace = "engage valid deference checks.\n"
      args.only_check_valid_deref = True
      args.prop_to_check = 'valid-deref'
      args.bpl_with_all_props = smack.top.temporary_file(os.path.splitext(os.path.basename(args.bpl_file))[0], '.bpl', args)
      copyfile(args.bpl_file, args.bpl_with_all_props)
      smack.top.property_selection(args)
    elif args.only_check_valid_deref:
      heurTrace = "engage valid free checks.\n"
      args.only_check_valid_free = True
      args.prop_to_check = 'valid-free'
      args.only_check_valid_deref = False
      args.bpl_file = smack.top.temporary_file(os.path.splitext(os.path.basename(args.bpl_file))[0], '.bpl', args)
      copyfile(args.bpl_with_all_props, args.bpl_file)
      smack.top.property_selection(args)
    elif args.only_check_valid_free:
      heurTrace = "engage memleak checks.\n"
      args.only_check_memleak = True
      args.prop_to_check = 'memleak'
      args.only_check_valid_free = False
      args.bpl_file = smack.top.temporary_file(os.path.splitext(os.path.basename(args.bpl_file))[0], '.bpl', args)
      copyfile(args.bpl_with_all_props, args.bpl_file)
      smack.top.property_selection(args)

  # invoke boogie for floats
  # I have to copy/paste part of verify_bpl
  if args.float:
    args.verifier = 'boogie'
    boogie_command = ["boogie"]
    boogie_command += [args.bpl_file]
    boogie_command += ["/nologo", "/noinfer", "/doModSetAnalysis"]
    boogie_command += ["/timeLimit:%s" % args.time_limit]
    boogie_command += ["/errorLimit:%s" % args.max_violations]
    boogie_command += ["/loopUnroll:%d" % args.unroll]
    if args.bit_precise:
      x = "bopt:" if args.verifier != 'boogie' else ""
      boogie_command += ["/%sproverOpt:OPTIMIZE_FOR_BV=true" % x]
      boogie_command += ["/%sz3opt:smt.relevancy=0" % x]
      boogie_command += ["/%sz3opt:smt.bv.enable_int2bv=true" % x]
      boogie_command += ["/%sboolControlVC" % x]

    if args.verifier_options:
      boogie_command += args.verifier_options.split()

    boogie_output = smack.top.try_command(boogie_command, timeout=args.time_limit)
    boogie_result = smack.top.verification_result(boogie_output)
    write_error_file(args, boogie_result, boogie_output)
    sys.exit(smack.top.results(args)[boogie_result])

  # If pthreads found, perform lock set analysis
  if args.pthread:
    lockpwn_command = ["lockpwn"]
    lockpwn_command += [args.bpl_file]
    lockpwn_command += ["/corral"]
    args.bpl_file = smack.top.temporary_file(os.path.splitext(os.path.basename(args.bpl_file))[0], '.bpl', args)
    lockpwn_command += ["/o:%s" % args.bpl_file]
    lockpwn_output = smack.top.try_command(lockpwn_command);

  corral_command = ["corral"]
  corral_command += [args.bpl_file]
  corral_command += ["/tryCTrace", "/noTraceOnDisk", "/printDataValues:1"]
  corral_command += ["/useProverEvaluate", "/cex:1"]

  with open(args.bpl_file, "r") as f:
    bpl = f.read()

  is_crappy_driver_benchmark(args, bpl)

  if args.pthread:
    if "fib_bench" in bpl or "27_Boop_simple_vf_false-unreach-call" in bpl:
      heurTrace += "Increasing context switch bound for certain pthread benchmarks.\n"
      corral_command += ["/k:30"]
    else:
      corral_command += ["/k:3"]
    if not "qrcu_reader2" in bpl and not "__VERIFIER_atomic_take_write_lock" in bpl and not "fib_bench" in bpl:
      corral_command += ["/cooperative"]
  else:
    corral_command += ["/k:1"]
    if not (args.memory_safety or args.bit_precise):
      corral_command += ["/di"]

  # we are not modeling strcpy
  if args.pthread and "strcpy" in bpl:
    heurTrace += "We are not modeling strcpy - aborting\n"
    if not args.quiet:
      print(heurTrace + "\n")
    sys.exit(smack.top.results(args)['unknown'])

  # Setting good loop unroll bound based on benchmark class
  loopUnrollBar = 8
  staticLoopBound = 65536
  if not args.bit_precise and "ssl3_accept" in bpl and "s__s3__tmp__new_cipher__algorithms" in bpl:
    heurTrace += "ControlFlow benchmark detected. Setting loop unroll bar to 23.\n"
    loopUnrollBar = 23
  elif "s3_srvr.blast.10_false-unreach-call" in bpl or "s3_srvr.blast.15_false-unreach-call" in bpl:
    heurTrace += "ControlFlow benchmark detected. Setting loop unroll bar to 23.\n"
    loopUnrollBar = 23
  elif "NonTerminationSimple4_false-no-overflow" in bpl:
    heurTrace += "Overflow benchmark detected. Setting loop unroll bar to 1024.\n"
    loopUnrollBar = 1024
  elif " node3" in bpl:
    heurTrace += "Sequentialized benchmark detected. Setting loop unroll bar to 100.\n"
    loopUnrollBar = 100
  elif "calculate_output" in bpl or "psyco" in bpl:
    heurTrace += "ECA benchmark detected. Setting loop unroll bar to 15.\n"
    loopUnrollBar = 15
  elif "ldv" in bpl:
    if "linux-4.2-rc1.tar.xz-08_1a-drivers--staging--lustre--lustre--llite--llite_lloop.ko-entry_point" in bpl or "linux-3.14__complex_emg__linux-usb-dev__drivers-media-usb-hdpvr-hdpvr" in bpl:
      heurTrace += "Special LDV benchmark detected. Setting loop unroll bar to 32.\n"
      loopUnrollBar = 32
    else:
      heurTrace += "LDV benchmark detected. Setting loop unroll bar to 13.\n"
      loopUnrollBar = 13
    staticLoopBound = 64
  elif "standard_strcpy_false-valid-deref_ground_true-termination" in bpl or "960521-1_false-valid-free" in bpl or "960521-1_false-valid-deref" in bpl or "lockfree-3.3" in bpl or "list-ext_false-unreach-call_false-valid-deref" in bpl:
    heurTrace += "Memory safety benchmark detected. Setting loop unroll bar to 129.\n"
    loopUnrollBar = 129
  elif "is_relaxed_prefix" in bpl:
    heurTrace += "Benchmark relax_* detected. Setting loop unroll bar to 15.\n"
    loopUnrollBar = 15
  elif "id_o1000_false-unreach-call" in bpl:
    heurTrace += "Recursive benchmark detected. Setting loop unroll bar to 1024.\n"
    loopUnrollBar = 1024
  elif "n.c24" in bpl or "array_false-unreach-call3" in bpl:
    heurTrace += "Loops benchmark detected. Setting loop unroll bar to 1024.\n"
    loopUnrollBar = 1024
  elif "printf_false-unreach-call" in bpl or "echo_true-no-overflow" in bpl:
    heurTrace += "BusyBox benchmark detected. Setting loop unroll bar to 11.\n"
    loopUnrollBar = 11
  elif args.memory_safety and "__main($i0" in bpl:
    heurTrace += "BusyBox memory safety benchmark detected. Setting loop unroll bar to 4.\n"
    loopUnrollBar = 4
  elif args.signed_integer_overflow and "__main($i0" in bpl:
    heurTrace += "BusyBox overflows benchmark detected. Setting loop unroll bar to 4.\n"
    loopUnrollBar = 4
  elif args.signed_integer_overflow and ("jain" in bpl or "TerminatorRec02" in bpl or "NonTerminationSimple" in bpl):
    heurTrace += "Infinite loop in overflow benchmark. Setting loop unroll bar to INT_MAX.\n"
    loopUnrollBar = 2**31 - 1

  if not "forall" in bpl:
    heurTrace += "No quantifiers detected. Setting z3 relevancy to 0.\n"
    corral_command += ["/bopt:z3opt:smt.relevancy=0"]

  if args.bit_precise:
    heurTrace += "--bit-precise flag passed - enabling bit vectors mode.\n"
    corral_command += ["/bopt:proverOpt:OPTIMIZE_FOR_BV=true"]
    corral_command += ["/bopt:boolControlVC"]
    if not args.bit_precise_pointers:
      corral_command += ["/bopt:z3opt:smt.bv.enable_int2bv=true"]

  if args.memory_safety:
    if args.prop_to_check == 'valid-deref':
      if "memleaks_test12_false-valid-free" in bpl:
        time_limit = 10
      else:
        time_limit = 750
    elif args.prop_to_check == 'valid-free':
      time_limit = 80
    elif args.prop_to_check == 'memleak':
      time_limit = 50
  else:
    time_limit = 880

  command = list(corral_command)
  command += ["/timeLimit:%s" % time_limit]
  command += ["/v:1"]
  command += ["/maxStaticLoopBound:%d" % staticLoopBound]
  command += ["/recursionBound:65536"]
  command += ["/irreducibleLoopUnroll:2"]
  command += ["/trackAllVars"]

  verifier_output = smack.top.try_command(command, timeout=time_limit)
  result = smack.top.verification_result(verifier_output)

  if result == 'error' or result == 'invalid-deref' or result == 'invalid-free' or result == 'invalid-memtrack' or result == 'overflow': #normal inlining
    heurTrace += "Found a bug during normal inlining.\n"

    if not args.quiet:
      error = smack.top.error_trace(verifier_output, args)
      print error
    if args.memory_safety:
      heurTrace += (args.prop_to_check + "has errors\n")
      if args.prop_to_check == 'valid-free':
        if args.valid_deref_check_result != 'verified':
          force_timeout()
      elif args.prop_to_check == 'memleak':
        if args.valid_free_check_result == 'timeout':
          force_timeout()

  elif result == 'timeout': #normal inlining
    heurTrace += "Timed out during normal inlining.\n"
    heurTrace += "Determining result based on how far we unrolled.\n"
    # If we managed to unroll more than loopUnrollBar times, then return verified
    # First remove exhausted loop bounds generated during max static loop bound computation
    unrollMax = 0
    if 'Verifying program while tracking' in verifier_output:
      verifier_output = re.sub(re.compile('.*Verifying program while tracking', re.DOTALL),
        'Verifying program while tracking', verifier_output)
      it = re.finditer(r'Exhausted recursion bound of ([1-9]\d*)', verifier_output)
      for match in it:
        if int(match.group(1)) > unrollMax:
          unrollMax = int(match.group(1))
    else:
      heurTrace += "Corral didn't even start verification.\n"
    if unrollMax >= loopUnrollBar:
      heurTrace += "Unrolling made it to a recursion bound of "
      heurTrace += str(unrollMax) + ".\n"
      heurTrace += "Reporting benchmark as 'verified'.\n"
      if args.execute and not args.pthread:
        heurTrace += "Hold on, let's see the execution result.\n"
        execution_result = run_binary(args)
        heurTrace += "Excecution result is " + execution_result + '\n'
        if execution_result != 'true':
          heurTrace += "Oops, execution result says {0}.\n".format(execution_result)
          if not args.quiet:
            print(heurTrace + "\n")
          sys.exit(smack.top.results(args)['unknown'])
      random_test_result = random_test(args, result)
      if random_test_result == 'false' or random_test_result == 'unknown':
        heurTrace += "Oops, random testing says {0}.\n".format(random_test_result)
        if not args.quiet:
          print(heurTrace + "\n")
        sys.exit(smack.top.results(args)['unknown'])
      if not args.quiet:
        print(heurTrace + "\n")
      if args.memory_safety:
        heurTrace += (args.prop_to_check + "is verified\n")
        if args.prop_to_check == 'valid-deref':
          args.valid_deref_check_result = 'verified'
        elif args.prop_to_check == 'valid-free':
          args.valid_free_check_result = 'verified'
        elif args.prop_to_check == 'memleak':
          if args.valid_deref_check_result == 'timeout':
            force_timeout()
          else:
            sys.exit(smack.top.results(args)[args.valid_deref_check_result])
        verify_bpl_svcomp(args)
      else:
        write_error_file(args, 'verified', verifier_output)
        sys.exit(smack.top.results(args)['verified'])
    else:
      heurTrace += "Only unrolled " + str(unrollMax) + " times.\n"
      heurTrace += "Insufficient unrolls to consider 'verified'.  "
      heurTrace += "Reporting 'timeout'.\n"
      if not args.quiet:
        print(heurTrace + "\n")
        sys.stdout.flush()
      if args.memory_safety:
        heurTrace += (args.prop_to_check + " times out\n")
        if args.prop_to_check == 'valid-deref':
          args.valid_deref_check_result = 'timeout'
          force_timeout()
        elif args.prop_to_check == 'valid-free':
          args.valid_free_check_result = 'timeout'
        elif args.prop_to_check == 'memleak':
          if args.valid_deref_check_result == 'timeout':
            force_timeout()
          else:
            sys.exit(smack.top.results(args)[args.valid_deref_check_result])
        verify_bpl_svcomp(args)
      else:
        # Sleep for 1000 seconds, so svcomp shows timeout instead of unknown
        time.sleep(1000)
  elif result == 'verified': #normal inlining
    heurTrace += "Normal inlining terminated and found no bugs.\n"
  else: #normal inlining
    heurTrace += "Normal inlining returned 'unknown'.  See errors above.\n"
  if not args.quiet:
    print(heurTrace + "\n")
  if args.memory_safety and result == 'verified':
    heurTrace += (args.prop_to_check + " is verified\n")
    if args.prop_to_check == 'valid-deref':
      args.valid_deref_check_result = 'verified'
    elif args.prop_to_check == 'valid-free':
      args.valid_free_check_result = 'verified'
    elif args.prop_to_check == 'memleak':
      if args.valid_deref_check_result == 'timeout':
        force_timeout()
      else:
        sys.exit(smack.top.results(args)[args.valid_deref_check_result])
    verify_bpl_svcomp(args)
  else:
    write_error_file(args, result, verifier_output)
    sys.exit(smack.top.results(args)[result])
Esempio n. 3
0
def refine_init(
        current_abs,
        init_cons_list,
        final_cons,
        initial_discrete_state,
        initial_controller_state,
        plant_sim,
        controller_sim,
        ci,
        pi,
        sampler,
        #plot,
        init_cons,
        original_plant_cons_list,
        MAX_ITER,
        sample_ci,
        pi_ref,
        ci_ref,
        opts):

    i = 1
    while i <= MAX_ITER:
        print('iteration:', i)
        # TODO: temp function ss.init()

        (initial_state_set, final_state_set, is_final) = \
            SS.init(current_abs, init_cons_list, final_cons,
                    initial_discrete_state, initial_controller_state)

        system_params = SystemParams(
            initial_state_set,
            final_state_set,
            is_final,
            plant_sim,
            controller_sim,
            ci,
            pi,
            sampler,
            init_cons,
            final_cons,
            pi_ref,
            ci_ref
            )
        SS.discover(current_abs, system_params)

        opts.plotting.show()

        if not system_params.final_state_set:
            print('did not find any abstract counter example!', file=SYS.stderr)
            return False

        print('analyzing graph...')
        pi_ref.cleanup()
        if ci_ref is not None:
            ci_ref.cleanup()
        # creates a new pi_ref, ci_ref
        (promising_initial_states,
            ci_seq_list,
            pi_seq_list) = current_abs.get_initial_states_from_error_paths(initial_state_set,
                                                                           final_state_set,
                                                                           pi_ref,
                                                                           ci_ref,
                                                                           pi,
                                                                           ci,
                                                                           opts.max_paths)

        # ##!!##logger.debug('promising initial states: {}'.format(promising_initial_states))

        print('begin random testing!')
        #POFF
#         if plot:
#             f2 = plt.figure()
#             f2.suptitle('random testing')

        print(len(promising_initial_states), len(ci_seq_list), len(pi_seq_list))
        #U.pause()
        # TODO: ugly...should it be another function?
        # Read the TODO above the function definition for more details
        (valid_promising_initial_state_list,
            pi_seq_list, ci_seq_list) = SS.filter_invalid_abs_states(
                        promising_initial_states,
                        pi_seq_list,
                        ci_seq_list,
                        current_abs,
                        init_cons)
        print(len(valid_promising_initial_state_list), len(ci_seq_list), len(pi_seq_list))
        #U.pause()
        if valid_promising_initial_state_list == []:
            print('no valid sample found during random testing. STOP', file=SYS.stderr)
            return False
        res = RT.random_test(
            current_abs,
            system_params,
            valid_promising_initial_state_list,
            ci_seq_list,
            pi_seq_list,
            init_cons,
            initial_discrete_state,
            initial_controller_state,
            sample_ci
            )

        opts.plotting.show()

        if res:
            print('Concretized', file=SYS.stderr)
            fp.append_data(opts.op_fname,
                           '{0} Concrete Traces({2}) for: {1} {0}\n'.
                           format('='*20, opts.sys_path, len(res)))
            fp.append_data(opts.op_fname, '{}\n'.format(res))
            return True

        (current_abs, init_cons_list) = SS.refine_init_based(
                current_abs,
                promising_initial_states, # should it not be valid_promising_initial_state_list?
                original_plant_cons_list)#, pi_ref, ci_ref)
        pi_ref.refine()
        if ci_ref is not None:
            ci_ref.refine()
        i += 1
    print('Failed: MAX iterations {} exceeded'.format(MAX_ITER), file=SYS.stderr)
Esempio n. 4
0
def falsify_using_model(
        current_abs,
        init_cons_list,
        final_cons,
        initial_discrete_state,
        initial_controller_state,
        plant_sim,
        controller_sim,
        ci,
        pi,
        sampler,
        #plot,
        init_cons,
        original_plant_cons_list,
        MAX_ITER,
        sample_ci,
        pi_ref,
        ci_ref,
        opts,
        sys_sim,
        sys,
        prop):

    # TODO: temp function ss.init()

    (initial_state_set, final_state_set, is_final) = \
        SS.init(current_abs, init_cons_list, final_cons,
                initial_discrete_state, initial_controller_state)

    system_params = SystemParams(
        initial_state_set,
        final_state_set,
        is_final,
        plant_sim,
        controller_sim,
        ci,
        pi,
        sampler,
        init_cons,
        final_cons,
        pi_ref,
        ci_ref
        )

    SS.discover(current_abs, system_params)

    opts.plotting.show()

    if not system_params.final_state_set:
        print('did not find any abstract counter example!', file=SYS.stderr)
        return False

    print('analyzing graph...')
    # creates a new pi_ref, ci_ref
    (error_paths,
     ci_seq_list,
     pi_seq_list) = current_abs.get_error_paths(initial_state_set,
                                                final_state_set,
                                                pi_ref,
                                                ci_ref,
                                                pi,
                                                ci,
                                                opts.max_paths)
    print('Refining...')
    if opts.refine == 'model-dft':
        import modelrefine as MR
        MR.refine_dft_model_based(current_abs,
                                  error_paths,
                                  pi_seq_list,
                                  system_params,
                                  sys_sim,
                                  opts,
                                  sys,
                                  prop)
    elif opts.refine == 'model-dmt':
        import modelrefine as MR
        MR.refine_dmt_model_based(current_abs,
                                  error_paths,
                                  pi_seq_list,
                                  system_params,
                                  sys_sim,
                                  opts,
                                  sys,
                                  prop)
    elif opts.refine == 'model-dct':
        import modelrefine as MR
        raise NotImplementedError
    elif opts.refine == 'model-rel':
        import modelrefine as MR
        MR.refine_rel_model_based(current_abs,
                                  error_paths,
                                  pi_seq_list,
                                  system_params,
                                  sys_sim,
                                  opts,
                                  sys,
                                  prop)
    else:
        assert(False)

    exit()


    print('begin random testing!')

    print(len(promising_initial_states), len(ci_seq_list), len(pi_seq_list))

    (valid_promising_initial_state_list,
     pi_seq_list, ci_seq_list) = SS.filter_invalid_abs_states(promising_initial_states,
                                                              pi_seq_list,
                                                              ci_seq_list,
                                                              current_abs,
                                                              init_cons)

    print(len(valid_promising_initial_state_list), len(ci_seq_list), len(pi_seq_list))

    if valid_promising_initial_state_list == []:
        print('no valid sample found for random testing. STOP', file=SYS.stderr)
        return False

    res = RT.random_test(
        current_abs,
        system_params,
        valid_promising_initial_state_list,
        ci_seq_list,
        pi_seq_list,
        init_cons,
        initial_discrete_state,
        initial_controller_state,
        sample_ci
        )

    if res:
        print('Concretized', file=SYS.stderr)
        fp.append_data(opts.op_fname,
                       '{0} Concrete Traces({2}) for: {1} {0}\n'.
                       format('='*20, opts.sys_path, len(res)))
        fp.append_data(opts.op_fname, '{}\n'.format(res))
        return True
Esempio n. 5
0
def refine_trace(
        current_abs,
        init_cons_list,
        final_cons,
        initial_discrete_state,
        initial_controller_state,
        plant_sim,
        controller_sim,
        ci,
        pi,
        sampler,
        #plot,
        init_cons,
        original_plant_cons_list):

    (initial_state_set, final_state_set, is_final) = \
        SS.init(current_abs, init_cons_list, final_cons,
                initial_discrete_state, initial_controller_state)

    system_params = SystemParams(
        initial_state_set,
        final_state_set,
        is_final,
        plant_sim,
        controller_sim,
        ci,
        pi,
        sampler,
        init_cons,
        final_cons,
        )

    SS.discover(current_abs, system_params)

    #POFF
#     if plot:
#         plt.autoscale()
#         plt.show()

    while True:

        if not system_params.final_state_set:
            print('did not find any abstract counter example!', file=SYS.stderr)
            return True
        else:
            print('analyzing graph...')
        (promising_initial_states, ci_seq_list) = \
            current_abs.get_initial_states_from_error_paths(initial_state_set, final_state_set)

        # ##!!##logger.debug('promising initial states: {}'.format(promising_initial_states))

        print('begin random testing!')
        #POFF
#         if plot:
#             f2 = plt.figure()
#             f2.suptitle('random testing')


        # TODO: ugly...should it be another function?
        # Read the TODO above the function definition for more details
        valid_promising_initial_state_list = SS.filter_invalid_abs_states(
                promising_initial_states,
                current_abs,
                init_cons)
        if valid_promising_initial_state_list == []:
            print('no valid sample found during random testing. STOP', file=SYS.stderr)
            return True

        done = RT.random_test(
            current_abs,
            system_params,
            valid_promising_initial_state_list,
            ci_seq_list,
            init_cons,
            initial_discrete_state,
            initial_controller_state,
            )
        #POFF
#         if plot:
#             plt.show()
        if done:
            print('Concretized', file=SYS.stderr)
            return True
        current_abs = SS.refine_trace_based(
                current_abs,
                current_abs.compute_error_paths(initial_state_set, final_state_set),
                system_params)
Esempio n. 6
0
def verify_bpl_svcomp(args):
  """Verify the Boogie source file using SVCOMP-tuned heuristics."""
  heurTrace = "\n\nHeuristics Info:\n"

  if args.memory_safety:
    if not (args.only_check_valid_deref or args.only_check_valid_free or args.only_check_memleak):
      heurTrace = "engage valid deference checks.\n"
      args.only_check_valid_deref = True
      args.prop_to_check = 'valid-deref'
      args.bpl_with_all_props = smack.top.temporary_file(os.path.splitext(os.path.basename(args.bpl_file))[0], '.bpl', args)
      copyfile(args.bpl_file, args.bpl_with_all_props)
      smack.top.property_selection(args)
    elif args.only_check_valid_deref:
      heurTrace = "engage valid free checks.\n"
      args.only_check_valid_free = True
      args.prop_to_check = 'valid-free'
      args.only_check_valid_deref = False
      args.bpl_file = smack.top.temporary_file(os.path.splitext(os.path.basename(args.bpl_file))[0], '.bpl', args)
      copyfile(args.bpl_with_all_props, args.bpl_file)
      smack.top.property_selection(args)
    elif args.only_check_valid_free:
      heurTrace = "engage memleak checks.\n"
      args.only_check_memleak = True
      args.prop_to_check = 'memleak'
      args.only_check_valid_free = False
      args.bpl_file = smack.top.temporary_file(os.path.splitext(os.path.basename(args.bpl_file))[0], '.bpl', args)
      copyfile(args.bpl_with_all_props, args.bpl_file)
      smack.top.property_selection(args)
  elif args.only_check_memcleanup:
    heurTrace = "engage memcleanup checks.\n"
    args.only_check_memleak = True
    smack.top.property_selection(args)
    args.only_check_memleak = False

  # If pthreads found, perform lock set analysis
  if args.pthread:
    lockpwn_command = ["lockpwn"]
    lockpwn_command += [args.bpl_file]
    lockpwn_command += ["/corral"]
    args.bpl_file = smack.top.temporary_file(os.path.splitext(os.path.basename(args.bpl_file))[0], '.bpl', args)
    lockpwn_command += ["/o:%s" % args.bpl_file]
    lockpwn_output = smack.top.try_command(lockpwn_command);

  corral_command = ["corral"]
  corral_command += [args.bpl_file]
  corral_command += ["/tryCTrace", "/noTraceOnDisk", "/printDataValues:1"]
  corral_command += ["/useProverEvaluate", "/cex:1"]

  with open(args.bpl_file, "r") as f:
    bpl = f.read()

  with open(args.input_files[0], "r") as f:
    csource = f.read()

  if args.memory_safety:
    is_stack_benchmark(args, csource)
  else:
    if "angleInRadian" in csource:
      if not args.quiet:
        print("Stumbled upon trigonometric function is float benchmark\n")
      sys.exit(smack.top.results(args)['unknown'])
    elif "copysign(1" in csource:
      if not args.quiet:
        print("Stumbled upon tricky float benchmark\n")
      sys.exit(smack.top.results(args)['unknown'])
    is_buggy_driver_benchmark(args, bpl)

  if args.pthread:
    if "fib_bench" in bpl or "27_Boop_simple_vf_false-unreach-call" in bpl or "k < 5;" in csource or "k < 10;" in csource or "k < 20;" in csource:
      heurTrace += "Increasing context switch bound for certain pthread benchmarks.\n"
      corral_command += ["/k:30"]
    else:
      corral_command += ["/k:3"]
    if not "qrcu_reader2" in bpl and not "__VERIFIER_atomic_take_write_lock" in bpl and not "fib_bench" in bpl:
      corral_command += ["/cooperative"]
  else:
    corral_command += ["/k:1"]
    if not (args.memory_safety or args.bit_precise or args.only_check_memcleanup):
      if not ("dll_create" in csource or "sll_create" in csource or "changeMethaneLevel" in csource):
        corral_command += ["/di"]

  # we are not modeling strcpy
  if args.pthread and "strcpy" in bpl:
    heurTrace += "We are not modeling strcpy - aborting\n"
    if not args.quiet:
      print(heurTrace + "\n")
    sys.exit(smack.top.results(args)['unknown'])

  # Setting good loop unroll bound based on benchmark class
  loopUnrollBar = 8
  staticLoopBound = 65536
  if not args.bit_precise and "ssl3_accept" in bpl and "s__s3__tmp__new_cipher__algorithms" in bpl:
    heurTrace += "ControlFlow benchmark detected. Setting loop unroll bar to 23.\n"
    loopUnrollBar = 23
  elif "s3_srvr.blast.10_false-unreach-call" in bpl or "s3_srvr.blast.15_false-unreach-call" in bpl:
    heurTrace += "ControlFlow benchmark detected. Setting loop unroll bar to 23.\n"
    loopUnrollBar = 23
  elif "NonTerminationSimple4_false-no-overflow" in bpl:
    heurTrace += "Overflow benchmark detected. Setting loop unroll bar to 1024.\n"
    loopUnrollBar = 1024
  elif " node3" in bpl:
    heurTrace += "Sequentialized benchmark detected. Setting loop unroll bar to 100.\n"
    loopUnrollBar = 100
  elif "calculate_output" in bpl or "psyco" in bpl:
    heurTrace += "ECA benchmark detected. Setting loop unroll bar to 15.\n"
    loopUnrollBar = 15
  elif "ldv" in bpl:
    if "linux-4.2-rc1.tar.xz-08_1a-drivers--staging--lustre--lustre--llite--llite_lloop.ko-entry_point" in bpl or "linux-3.14__complex_emg__linux-usb-dev__drivers-media-usb-hdpvr-hdpvr" in bpl:
      heurTrace += "Special LDV benchmark detected. Setting loop unroll bar to 32.\n"
      loopUnrollBar = 32
    else:
      heurTrace += "LDV benchmark detected. Setting loop unroll bar to 13.\n"
      loopUnrollBar = 13
    staticLoopBound = 64
  elif "standard_strcpy_false-valid-deref_ground_true-termination" in bpl or "960521-1_false-valid-free" in bpl or "960521-1_false-valid-deref" in bpl or "lockfree-3.3" in bpl or "list-ext_false-unreach-call_false-valid-deref" in bpl:
    heurTrace += "Memory safety benchmark detected. Setting loop unroll bar to 129.\n"
    loopUnrollBar = 129
  elif "is_relaxed_prefix" in bpl:
    heurTrace += "Benchmark relax_* detected. Setting loop unroll bar to 15.\n"
    loopUnrollBar = 15
  elif "id_o1000_false-unreach-call" in bpl:
    heurTrace += "Recursive benchmark detected. Setting loop unroll bar to 1024.\n"
    loopUnrollBar = 1024
  elif "n.c24" in bpl or "array_false-unreach-call3" in bpl:
    heurTrace += "Loops benchmark detected. Setting loop unroll bar to 1024.\n"
    loopUnrollBar = 1024
  elif "printf_false-unreach-call" in bpl or "echo_true-no-overflow" in bpl:
    heurTrace += "BusyBox benchmark detected. Setting loop unroll bar to 11.\n"
    loopUnrollBar = 11
  elif args.memory_safety and "__main($i0" in bpl:
    heurTrace += "BusyBox memory safety benchmark detected. Setting loop unroll bar to 4.\n"
    loopUnrollBar = 4
  elif args.integer_overflow and "__main($i0" in bpl:
    heurTrace += "BusyBox overflows benchmark detected. Setting loop unroll bar to 40.\n"
    loopUnrollBar = 40
  elif args.integer_overflow and ("jain" in bpl or "TerminatorRec02" in bpl or "NonTerminationSimple" in bpl):
    heurTrace += "Infinite loop in overflow benchmark. Setting loop unroll bar to INT_MAX.\n"
    loopUnrollBar = 2**31 - 1
  elif args.integer_overflow and ("(x != 0)" in csource or "(z > 0)" in csource or "(max > 0)" in csource or
                                  "(k < N)" in csource or "partial_sum" in csource):
    heurTrace += "Large overflow benchmark. Setting loop unroll bar to INT_MAX.\n"
    loopUnrollBar = 2**31 - 1
  elif "i>>16" in csource:
    heurTrace += "Large array reach benchmark. Setting loop unroll bar to INT_MAX.\n"
    loopUnrollBar = 2**31 - 1
  elif "whoop_poll_table" in csource:
    heurTrace += "Large concurrency benchmark. Setting loop unroll bar to INT_MAX.\n"
    loopUnrollBar = 2**31 - 1

  if not "forall" in bpl:
    heurTrace += "No quantifiers detected. Setting z3 relevancy to 0.\n"
    corral_command += ["/bopt:z3opt:smt.relevancy=0"]

  if args.bit_precise:
    heurTrace += "--bit-precise flag passed - enabling bit vectors mode.\n"
    corral_command += ["/bopt:proverOpt:OPTIMIZE_FOR_BV=true"]
    corral_command += ["/bopt:boolControlVC"]

  if args.memory_safety:
    if args.prop_to_check == 'valid-deref':
      if "memleaks_test12_false-valid-free" in bpl:
        time_limit = 10
      else:
        time_limit = 750
    elif args.prop_to_check == 'valid-free':
      time_limit = 80
    elif args.prop_to_check == 'memleak':
      time_limit = 50
  else:
    time_limit = 880

  command = list(corral_command)
  command += ["/timeLimit:%s" % time_limit]
  command += ["/v:1"]
  command += ["/maxStaticLoopBound:%d" % staticLoopBound]
  command += ["/recursionBound:65536"]
  command += ["/irreducibleLoopUnroll:12"]
  command += ["/trackAllVars"]

  verifier_output = smack.top.try_command(command, timeout=time_limit)
  result = smack.top.verification_result(verifier_output)

  if result == 'error' or result == 'invalid-deref' or result == 'invalid-free' or result == 'invalid-memtrack' or result == 'overflow': #normal inlining
    heurTrace += "Found a bug during normal inlining.\n"

    if not args.quiet:
      error = smack.top.error_trace(verifier_output, args)
      print error
    if args.memory_safety:
      heurTrace += (args.prop_to_check + "has errors\n")
      if args.prop_to_check == 'valid-free':
        if args.valid_deref_check_result != 'verified':
          force_timeout()
      elif args.prop_to_check == 'memleak':
        if args.valid_free_check_result == 'timeout':
          force_timeout()

  elif result == 'timeout': #normal inlining
    heurTrace += "Timed out during normal inlining.\n"
    heurTrace += "Determining result based on how far we unrolled.\n"
    # If we managed to unroll more than loopUnrollBar times, then return verified
    # First remove exhausted loop bounds generated during max static loop bound computation
    unrollMax = 0
    if 'Verifying program while tracking' in verifier_output:
      verifier_output = re.sub(re.compile('.*Verifying program while tracking', re.DOTALL),
        'Verifying program while tracking', verifier_output)
      it = re.finditer(r'Exhausted recursion bound of ([1-9]\d*)', verifier_output)
      for match in it:
        if int(match.group(1)) > unrollMax:
          unrollMax = int(match.group(1))
    else:
      heurTrace += "Corral didn't even start verification.\n"
    if unrollMax >= loopUnrollBar:
      heurTrace += "Unrolling made it to a recursion bound of "
      heurTrace += str(unrollMax) + ".\n"
      heurTrace += "Reporting benchmark as 'verified'.\n"
      if args.execute and not args.pthread:
        heurTrace += "Hold on, let's see the execution result.\n"
        execution_result = run_binary(args)
        heurTrace += "Excecution result is " + execution_result + '\n'
        if execution_result != 'true':
          heurTrace += "Oops, execution result says {0}.\n".format(execution_result)
          if not args.quiet:
            print(heurTrace + "\n")
          sys.exit(smack.top.results(args)['unknown'])
      random_test_result = random_test(args, result)
      if random_test_result == 'false' or random_test_result == 'unknown':
        heurTrace += "Oops, random testing says {0}.\n".format(random_test_result)
        if not args.quiet:
          print(heurTrace + "\n")
        sys.exit(smack.top.results(args)['unknown'])
      if not args.quiet:
        print(heurTrace + "\n")
      if args.memory_safety:
        heurTrace += (args.prop_to_check + "is verified\n")
        if args.prop_to_check == 'valid-deref':
          args.valid_deref_check_result = 'verified'
        elif args.prop_to_check == 'valid-free':
          args.valid_free_check_result = 'verified'
        elif args.prop_to_check == 'memleak':
          if args.valid_deref_check_result == 'timeout':
            force_timeout()
          else:
            sys.exit(smack.top.results(args)[args.valid_deref_check_result])
        verify_bpl_svcomp(args)
      else:
        write_error_file(args, 'verified', verifier_output)
        sys.exit(smack.top.results(args)['verified'])
    else:
      heurTrace += "Only unrolled " + str(unrollMax) + " times.\n"
      heurTrace += "Insufficient unrolls to consider 'verified'.  "
      heurTrace += "Reporting 'timeout'.\n"
      if not args.quiet:
        print(heurTrace + "\n")
        sys.stdout.flush()
      if args.memory_safety:
        heurTrace += (args.prop_to_check + " times out\n")
        if args.prop_to_check == 'valid-deref':
          args.valid_deref_check_result = 'timeout'
          force_timeout()
        elif args.prop_to_check == 'valid-free':
          args.valid_free_check_result = 'timeout'
        elif args.prop_to_check == 'memleak':
          if args.valid_deref_check_result == 'timeout':
            force_timeout()
          else:
            sys.exit(smack.top.results(args)[args.valid_deref_check_result])
        verify_bpl_svcomp(args)
      else:
        force_timeout()
  elif result == 'verified': #normal inlining
    heurTrace += "Normal inlining terminated and found no bugs.\n"
  else: #normal inlining
    heurTrace += "Normal inlining returned 'unknown'.  See errors above.\n"
  if not args.quiet:
    print(heurTrace + "\n")
  if args.memory_safety and result == 'verified':
    heurTrace += (args.prop_to_check + " is verified\n")
    if args.prop_to_check == 'valid-deref':
      args.valid_deref_check_result = 'verified'
    elif args.prop_to_check == 'valid-free':
      args.valid_free_check_result = 'verified'
    elif args.prop_to_check == 'memleak':
      if args.valid_deref_check_result == 'timeout':
        force_timeout()
      else:
        sys.exit(smack.top.results(args)[args.valid_deref_check_result])
    verify_bpl_svcomp(args)
  else:
    write_error_file(args, result, verifier_output)
    if args.only_check_memcleanup and result == 'invalid-memtrack':
      sys.exit('SMACK found an error: memory cleanup.')
    else:
      sys.exit(smack.top.results(args)[result])