lucasccordeiro opened 6 years ago
The way I have debugged these in the past is inserting lots of assert statements to figure out which is the last one that CBMC can reach.
(Well, you could actually use `--cover` these days, I guess.)
@tautschnig: CBMC claims that this benchmark is correct for k=1 (i.e., the unwinding assertion holds). However, if I include an `assert(0);` after `ldv_assume_label:`, then CBMC detects that and also claims that the unwinding assertion does not hold.
```c
/* CIL-generated helper from the benchmark: when the assumption does not hold,
   control enters a self-loop on ldv_assume_label (never returns). */
void ldv_assume(int expression )
{
{
if (expression == 0) {
ldv_assume_label: ;
goto ldv_assume_label;
} else {
}
return;
}
}
```
I think the unwinding assertion should fail for this particular program (at least for k=1). However, I'm still unable to figure out the root cause of this problem.
Have you already analysed it before?
CBMC transforms `label: goto label;` into `assume(0)` (unless disabled via the option that @peterschrammel introduced to ensure soundness on the termination benchmarks). Thus the question is: is `expression == 0` necessarily true at that point?
Here are the results of my investigation:
For a low unwind constant CBMC terminates with TRUE; for larger constants (e.g. 40) it times out (15min). Putting `__VERIFIER_assert` calls into the benchmark showed that CBMC can reach them, except those after calls to
```c
/* CIL-generated helper from the benchmark: unconditional self-loop,
   i.e. control never proceeds past a call to ldv_stop(). */
void ldv_stop(void)
{
{
ldv_stop_label: ;
goto ldv_stop_label;
}
}
```
```sh
./cbmc --graphml-witness witness.graphml --64 --propertyfile ../../sv-benchmarks/c/Systems_DeviceDriversLinux64_ReachSafety.prp ../../sv-benchmarks/c/ldv-linux-4.0-rc1-mav/linux-4.0-rc1---drivers--usb--misc--legousbtower.ko_false-unreach-call.cil.c
```