Load memory snapshot into cbmc #3755
Conversation
danpoe
requested review from
chrisr-diffblue,
kroening,
peterschrammel,
pkesseli,
smowton and
tautschnig
as code owners
|
Sure this can't be done by building a harness, in goto-instrument? The symbolic execution engine appears to be the wrong place for that. |
|
@kroening There was a discussion about this with @tautschnig on the respective Slack channel. If we just want to model check a single function (and its callees) in a specific context it would be possible via a harness. But if we want to be able to model check a program starting from a concrete snapshot theoretically until the end of the program this seems hard to do that way. For that we will also need to initialize the symex call stack from a concrete call stack snapshot in order to be able to return from functions that have been called during the concrete execution. I'm not sure if it's possible to build a harness that can do that. |
This adds const iterators to iterate over the internal_symbols map of the symbol table. So far, only non-const iterators existed.
… location This adds a feature to load a concrete memory snapshot (represented as a JSON symbol table) into cbmc to initialize goto symex with, and then start symex from a given program location. The path to the snapshot must be passed to --memory-snapshot and the initial program location must be specified via --initial-location. This is a basic first version that only supports the initialisation of global variables. Moreover, the concrete memory snapshot does not contain a representation of the stack of the program, hence symex must stop when it reaches the end of the function in which it was started (but it can go into callees and return from them).
This adds several regression tests for the feature of initialising goto symex with a concrete JSON memory snapshot, and start symex from a given program location.
danpoe
force-pushed
the
feature/start-bmc-from-memory-snapshot
branch
from
722c6ca to
f051a4e
Compare
|
For stack snapshotting, would it be best to create a GOTO program with specialisations of the functions on the stack? For example I would add a prefix that declares and sets local variable values, then jumps to the point where the snapshot was taken (subsequent execution will use the real GOTO program) That way the snapshot isn't tied into symex, but rather is a general concept that can be subject to any GOTO program analysis / transformation. |
|
@smowton Yes, I think that would work. Basically we'd add a boolean variable @tautschnig Would you be ok too with doing the memory snapshot loading via instrumentation? |
|
@tautschnig No problem, I think we have resolved this in a Slack conversation back then anyways. So the plan is to move this into the goto-harness tool that @hannes-steffenhagen-diffblue and @NlightNFotis have been working on and do it via instrumentation. |
|
@danpoe Yes, going via |
|
Closed in favor of #4150. |
This is a basic first version of loading a concrete memory snapshot (represented as a JSON symbol table) to initialize goto symex with, and then start symex from a given program location.
This is done in goto symex (as opposed to generating a goto program harness) as this will allow to potentially make the stack part of the snapshot in the future, which would allow to return from functions that have been called during the concrete execution.