Closed Baltoli closed 7 years ago
When all of these examples are properly checked by the model checking tool, it will be at least as powerful as the specialised checking developed in the initial phase.
It will also be important to track regressions in these examples, as they serve as useful litmus tests for the correctness of the algorithm.
Currently I think all the failing examples are caused by incorrect analysis of the branching from lock_acquire
, and should be fixed by introducing some kind of constraint system.
Updating to the generative model checking algorithm fixes rel_before_indirect
. The extension to return constraints remains the fix for mult_acq
and one_acq
.
Updating to include the return value constraint mechanism. This no longer exhibits such catastrophic exponential behaviour, and allows every test case to be checked correctly.
These are still passing after introducing parallelism and early exit to the checker.
This issue tracks the status of the model checking algorithm with respect to the examples developed to demonstrate the
acq_rel
automaton.basic
: correctly identified as safebasic_indirect
: correctly identified as safemore_usage
: correctly identified as unsafemult_acq
: correctly identified as unsafemult_rel
: correctly identified as unsafeno_acq_rel
: correctly identified as unsafeno_acq
: correctly identified as unsafeno_rel
: correctly identified as unsafeone_acq
: correctly identified as unsafeother
: correctly identified as unsaferel_before_indirect
: correctly identified as unsaferel_before
: correctly identified as unsafeaddress
: incorrectly identified as safe, but this is down tomem2reg
being cleverer than me and removing the store / load.wrong
: correctly identified as unsafe