-
Notifications
You must be signed in to change notification settings - Fork 76
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Relational mutex-meet unsound on ConcurrencySafety-Main #1440
Comments
For
|
At first glance, it seems that for |
In
Thus, this tasks seems to have UB. Interestingly, fixing this does not fix the UB issues. For this to work, one needs to remove the |
This is with just mutex-meet, not the experimental mutex-meet-atomic, so there should be no special handling of SV-COMP atomics. The same behavior should be observable when replacing them with a single normal pthread mutex I think. |
Hmm, the problem seems to indeed be with the handling of atomic. I extracted this from analyzer/tests/regression/29-svcomp/35-atomic.c Lines 1 to 26 in fa62bdd
Everything after As I do not use |
I extracted the problem in the |
Thanks for the minimized test case, it indeed highlights the problem. Turns out it's the same issue as #1407 (comment), but now with soundness consequences. I'll see if a quick fix to change the type would help. |
The remaining task here was also mentioned in #1498, which should be fixed by #1492. Its initialization issue should be fixed in sv-benchmarks (https://gitlab.com/sosy-lab/benchmarking/sv-benchmarks/-/merge_requests/1551), but that is unrelated to our unsoundness here. |
During #1394 I implemented ghost witness generation for relational mutex-meet. The benchmarks revealed unsoundness which is also present on master (2fa4f55) in:
__VERIFIER_atomic_*()
) (Fix unsoundness from relation analysis reading special mutexes as integer variables #1441)__VERIFIER_atomic_*()
) (Fix unsoundness from relation analysis reading special mutexes as integer variables #1441)The unsoundness only reveals itself when activating the Apron analysis unconditionally.
For example
./goblint --conf conf/svcomp.json --set ana.specification ../sv-benchmarks/c/properties/unreach-call.prp ../sv-benchmarks/c/weaver/popl20-more-buffer-mult.wvr.c --set ana.activated[+] apron
has 60/100 lines dead.
Without unconditional apron, it has 1/104 lines dead. Oddly, if loop unrolling is disabled, things are also sound.
The text was updated successfully, but these errors were encountered: