[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [csmith-dev] Generating ACSL \assigns clauses with programs

To: John Regehr <regehr@cs.utah.edu>, "csmith-dev@flux.utah.edu" <csmith-dev@flux.utah.edu>
Subject: Re: [csmith-dev] Generating ACSL \assigns clauses with programs
From: Xuejun Yang <xuyang@microsoft.com>
Date: Sat, 7 Nov 2015 01:14:17 +0000
Accept-language: en-US
Authentication-results: spf=none (sender IP is ) smtp.mailfrom=xuyang@microsoft.com;
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=zxVW/2Yp91imJ3FkZZMvgiRJ7jYdoeF2F8XHlZmoyKg=; b=ojpcu9Jl4E0mbwGK2qZus9unh3UOe236CdRI04Pqom8pJHBvcuzHDyn233EF9mYSnzpKi5iHD2b+qxq38Jq/UhV93UXkBlrOVh/gn/J3IUl8KfTvYEFvmzZO0wbHXvDLkXWgk4XdgTSKzq/RuMILMD2MtHvRGBZ9I/8fY2iEUsY=
In-reply-to: <563D29EC.2040305@cs.utah.edu>
List-archive: </listarchives/csmith-dev>
List-help: <mailto:csmith-dev-request@flux.utah.edu?subject=help>
List-id: Csmith Development Mailing List <csmith-dev.flux.utah.edu>
List-post: <mailto:csmith-dev@flux.utah.edu>
List-subscribe: <http://www.flux.utah.edu/mailman/listinfo/csmith-dev>, <mailto:csmith-dev-request@flux.utah.edu?subject=subscribe>
List-unsubscribe: <http://www.flux.utah.edu/mailman/options/csmith-dev>, <mailto:csmith-dev-request@flux.utah.edu?subject=unsubscribe>
References: <1446826375.2068.11.camel@sqc-linux-scd.fokus.fraunhofer.de> <563D29EC.2040305@cs.utah.edu>
Spamdiagnosticmetadata: NSPM
Spamdiagnosticoutput: 1:23
Thread-index: AQHRGK6IeYef0Q/JtUOjglT3Ee28wJ6Pk/8AgAAqn1A=
Thread-topic: [csmith-dev] Generating ACSL \assigns clauses with programs

Hi Robert,

Take a look of FactMgr::map_stm_effect. I think it has the info you needed.

Csmith performs path-sensitive inter-procedural analysis. It is realized with the following steps:

1) Caller (foo) to callee (bar) handover, where foo passes the knowledge, e.g., y is pointing to x, to bar;
2) Effect analysis in bar;
3) Callee (bar) to caller (foo) handover, where bar tells foo that x is modified.

For details, check FunctionInvocationUser::revisit.

-Xuejun

-----Original Message-----
From: csmith-dev-bounces@flux.utah.edu [mailto:csmith-dev-bounces@flux.utah.edu] On Behalf Of John Regehr
Sent: Friday, November 6, 2015 2:30 PM
To: csmith-dev@flux.utah.edu
Subject: Re: [csmith-dev] Generating ACSL \assigns clauses with programs

Hi Robert, this is cool!  I hope we can help Csmith do what you want.

Although it seems like perhaps a weird way to do it, one idea you should keep in mind is instrumenting the program to record dynamic pointer behaviors, running it, and then using that information to create annotations.  This would give you some insulation against imprecisions in Csmith's analyses for example.  Also, by giving you an underapproximation instead of an overapproximation it would let you test Frama-C in the opposite direction.

John

On 11/6/15 5:12 PM, Robert Clausecker wrote:
> Greeting from Berlin!
>
> I'm a student working for the Fraunhofer FOKUS research institute. I 
> currently work on a project where I want to use csmith to generate 
> test cases for the C static-analysis framework Frama C, specifically 
> the WP plugin. For this purpose, I want to expand csmith to generate 
> ACSL [1] annotations for the functions it generates. One of the 
> annotations I want to generate are \assigns clauses that specify what 
> objects a function assigns to. Generating these clauses has proven to 
> be somewhat
> tricky: while csmith keeps record of what objects a function modifies, 
> I haven't found a way to find out the expression through which this 
> modification is being performed. For example, if csmith generated 
> these two functions:
>
>      int z;
>
>      void foo()
>      {
>          int x;
>
>          bar(&x);
>      }
>
>      void bar(int *y)
>      {
>          y = 0;
>          z = 0;
>      }
>
> it would report that bar() modified x, but the identifier x is not in 
> scope in bar. Is there an easy way to find out what objects a function 
> mutates on its own, i.e. without the context of how it is called? For 
> example, for bar() I would like to receive information of the form 
> "bar mutates z and *y," specifically without making assumptions about 
> the place y points to.
>
> I tried to work myself through the csmith source code, but I am a bit 
> overwhelmed and was so far not able to find the information I need.
>
> Thank you for your help,
> Your sincerely,
> Robert Clausecker
>
> [1]: https://en.wikipedia.org/wiki/ANSI/ISO_C_Specification_Language
>

Follow-Ups:
- Re: [csmith-dev] Generating ACSL \assigns clauses with programs
  - From: Robert Clausecker <robert.clausecker@fokus.fraunhofer.de>

References:
- [csmith-dev] Generating ACSL \assigns clauses with programs
  - From: Robert Clausecker <robert.clausecker@fokus.fraunhofer.de>
- Re: [csmith-dev] Generating ACSL \assigns clauses with programs
  - From: John Regehr <regehr@cs.utah.edu>

Prev by Date: Re: [csmith-dev] Generating ACSL \assigns clauses with programs
Next by Date: Re: [csmith-dev] Generating ACSL \assigns clauses with programs
Previous by thread: Re: [csmith-dev] Generating ACSL \assigns clauses with programs
Next by thread: Re: [csmith-dev] Generating ACSL \assigns clauses with programs
Index(es):
- Date
- Thread