Detecting deep bugs with CBMC
37 views
Skip to first unread message
martin...@gmail.com
Jun 23, 2021, 7:46:11 AM6/23/21
to CProver Support
Hi all,
I am wondering how CBMC tries to detect deep counter-examples in simple loops.
For example, consider the following program:
_Bool nondet_bool();
int main() {
int x = 0;
while(1) {
if (nondet_bool())
x = x + 1;
assert(x != 1000);
}
}
This requires a thousand iteration of the loop to hit the assertion violation.
I am trying with CBMC 5.32.1.
If I run cbmc with no arguments, it keeps unwinding the loop as it cannot determine the bound in advance.
I found an option --incremental-loop which checks the assertion after every iteration, which seems to correspond to the classical BMC algorithm. This works, but takes some time to get to the 1000th iteration.
Are there any another options that could be used?
I am aware of the paper Under-approximating loops in C programs for fast counterexample detection (https://link.springer.com/article/10.1007/s10703-015-0228-1) and I would like to know if the current CBMC implementation supports that and if yes, how to enable it.
Note that I don't want to manually specify the bound in the command line (using --unwind) as that is not a general solution for situations when the correct bound is not obvious from the code.
Thanks in advance,
Martin
Martin Nyx Brain
Jun 23, 2021, 12:31:43 PM6/23/21
to cprover...@googlegroups.com
On Wed, 2021-06-23 at 02:00 -0700, martin...@gmail.com wrote:
> Hi all,
>
> I am wondering how CBMC tries to detect deep counter-examples in
> simple
> loops.
> For example, consider the following program:
>
> _Bool nondet_bool();
>
> int main() {
> int x = 0;
> while(1) {
> if (nondet_bool())
> x = x + 1;
> assert(x != 1000);
> }
> }
>
> This requires a thousand iteration of the loop to hit the assertion
> violation.
> I am trying with CBMC 5.32.1.
> If I run cbmc with no arguments, it keeps unwinding the loop as it
> cannot
> determine the bound in advance.
Yes. This is somewhat unfortunate but it is expected behaviour.
> Hi all,
>
> I am wondering how CBMC tries to detect deep counter-examples in
> simple
> loops.
> For example, consider the following program:
>
> _Bool nondet_bool();
>
> int main() {
> int x = 0;
> while(1) {
> if (nondet_bool())
> x = x + 1;
> assert(x != 1000);
> }
> }
>
> This requires a thousand iteration of the loop to hit the assertion
> violation.
> I am trying with CBMC 5.32.1.
> If I run cbmc with no arguments, it keeps unwinding the loop as it
> cannot
> determine the bound in advance.
> I found an option --incremental-loop which checks the assertion after
> every
> iteration, which seems to correspond to the classical BMC algorithm.
> This
> works, but takes some time to get to the 1000th iteration.
> Are there any another options that could be used?
much. Fundamentally the issue is that there is no short counter-
example trace.
> I am aware of the paper Under-approximating loops in C programs for
> fast
> counterexample detection
> (https://link.springer.com/article/10.1007/s10703-015-0228-1) and I
> would
> like to know if the current CBMC implementation supports that and if
> yes,
> how to enable it.
quite a while. If you have a look in regression/acceleration,
particularly accelerate.sh, there are examples of use. A few of the
examples seem to have bit-rotted but it looks like the core of the code
still works.
> Note that I don't want to manually specify the bound in the command
> line
> (using --unwind) as that is not a general solution for situations
> when the
> correct bound is not obvious from the code.
Cheers,
- Martin
Reply all
Reply to author
Forward
0 new messages