Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add abstract interface to Invariant #1668

Draft
wants to merge 2 commits into
base: master
Choose a base branch
from
Draft

Add abstract interface to Invariant #1668

wants to merge 2 commits into from

Conversation

sim642
Copy link
Member

@sim642 sim642 commented Jan 31, 2025
edited
Loading

This adds the intended abstract interface to clarify that "Invariants for witnesses" are not just CIL expressions: #1665 (comment).

TODO

  • What to do about precondition loop invariants?
  • Make WitnessUtil.InvariantExp work on Invariant.t instead of exp for full type-safety?

@sim642 sim642 added cleanup Refactoring, clean-up type-safety Type-safety improvements sv-comp SV-COMP (analyses, results), witnesses labels Jan 31, 2025
sim642
sim642 commented Jan 31, 2025
View reviewed changes
src/witness/yamlWitness.ml
(* Collect all start states that may satisfy the invariant of current_c *)
List.iter (fun c ->
let x = R.ask_local (c.node, c.context) ~local:c.state (Queries.EvalInt c_inv) in
let x = R.ask_local (c.node, c.context) ~local:c.state (Queries.EvalInt c_inv) in (* TODO: illegal query *)
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The generation of our proposed precondition loop invariants performs EvalInt queries with witness invariants, assuming they have implicit casts, etc like expressions from the program.
This would no longer be the case with #1665.

So we have to decide what to do here:

  1. If we don't want to pursue precondition loop invariants and keep them, they could be removed, avoiding the issue.
  2. Otherwise, Invariant.t might need to be turned into a pair of CIL expressions (with and without implicit casts) behind the abstraction. This might be desirable in the long run for Linear Two Variable Equality Domain Refining Value Domain #1635, although that uses separate expression construction from invariant anyway.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should keep them, especially if we intend to work with LMU to extend the witness format.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This probably needs some separate discussion if this is still the kind of entry/invariant we want to propose. LMU+Freiburg have recently proposed function contracts as well: https://arxiv.org/abs/2501.12313.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah! At first glance, I think we can basically encode these in the invariants as a conjunction of implications of the form pre_i \implies post_i where pre_i uses these \at(_, Pre) predicates (which would mean we need an ACSL parser, or some hacks such as functions at and a constant Pre).

@sim642 sim642 mentioned this pull request Jan 31, 2025
Open
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@michael-schwarz michael-schwarz michael-schwarz left review comments

Assignees
No one assigned
Labels
cleanup Refactoring, clean-up sv-comp SV-COMP (analyses, results), witnesses type-safety Type-safety improvements
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@sim642 @michael-schwarz