-
Notifications
You must be signed in to change notification settings - Fork 62
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support ghost values in all language backends #1958
Conversation
c6ca304
to
4232a42
Compare
* `llvm_declare_ghost_state : String -> TopLevel Ghost` | ||
* `declare_ghost_state : String -> TopLevel Ghost` | ||
|
||
Ghost state variables do not initially have any particluar type, and can | ||
store data of any type. Given an existing ghost variable the following | ||
function can be used to specify its value: | ||
functions can be used to specify its value: | ||
|
||
* `llvm_ghost_value : Ghost -> Term -> LLVMSetup ()` | ||
* `jvm_ghost_value : Ghost -> Term -> JVMSetup ()` | ||
* `mir_ghost_value : Ghost -> Term -> MIRSetup ()` | ||
|
||
Currently, this function can only be used for LLVM verification, though | ||
that will likely be generalized in the future. It can be used in either | ||
the pre state or the post state, to specify the value of ghost state | ||
either before or after the execution of the function, respectively. | ||
These can be used in either the pre state or the post state, to specify the | ||
value of ghost state either before or after the execution of the function, | ||
respectively. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Documentation-related changes involving ghost state.
@@ -0,0 +1,28 @@ | |||
enable_experimental; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A test case involving ghost state in the SAW MIR backend.
@qsctr discovered that SAW will panic when it attempts to combine MIR ghost state with symbolic branching. Here is a small example which triggers the issue: // Meant to be overridden
pub fn f(_x: u32) {}
pub fn g(b: bool) {
if b {
f(27)
} else {
f(42)
}
}
The reason that this does not happen in the LLVM backend is because we add the saw-script/src/SAWScript/Crucible/LLVM/MethodSpecIR.hs Lines 254 to 259 in 0202016
We need to do something similar for the JVM and MIR backends. |
The issue in #1958 (comment) is fixed as of 276a54b. |
We want to be able to declare ghost state in all SAW language backends, so we now use a more general `declare_ghost_state` name for the command to reflect this. The old `llvm_declare_ghost_state` command is now a legacy command whose use is discouraged in favor of `declare_ghost_state`. This is one part of an eventual fix for #1929.
This patch: * Factors out the machinery needed to track ghost state into the `SAWScript.Crucible.Common.Override` and `SAWScript.Builtins` modules. Nothing about ghost state is specific to any language backend, so it deserves to live in a non-LLVM–specific location. * Adds `jvm_ghost_value` and `mir_ghost_value` commands, which behave exactly like the LLVM backend's `llvm_ghost_value` command does, but for the JVM and MIR backends, respectively. * Adds a `test_mir_ghost` test case in SAWScript and the remote API to ensure that everything works as expected. Fixes #1929.
This is not entirely straightforward to do for the JVM backend, as the `jvmSimContext` function (`crucible-jvm`'s API function for constructing a `SimContext`) does not support adding additional intrinsic types, including the intrinsic type needed to support SAW ghost state. For the time being, I have simply inlined the implementation of `jvmSimContext` as needed, and I have opened GaloisInc/crucible#1128 as a reminder to generalize `jvmSimContext` upstream.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good, thanks. It's a bit unfortunate that we have to duplicate some more code across the 3 backends, hopefully one day that can be addressed with a solution to #379.
This patch:
SAWScript.Crucible.Common.Override
andSAWScript.Builtins
modules. Nothing about ghost state is specific to any language backend, so it deserves to live in a non-LLVM–specific location.jvm_ghost_value
andmir_ghost_value
commands, which behave exactly like the LLVM backend'sllvm_ghost_value
command does, but for the JVM and MIR backends, respectively.test_mir_ghost
test case in SAWScript and the remote API to ensure that everything works as expected.Fixes #1929.