Skip to content

Conversation

@tautschnig
Copy link
Collaborator

Move try_evaluate_pointer_comparison to a simplifier that can eventually support more cases than just equalities in GOTO conditions. The initial change does not alter behaviour (except that previously try_evaluate_pointer_comparison was even used when simplification was disabled).

A side-effect is that we can also clean up renamedt.

  • Each commit message has a non-empty body, explaining why the change was made.
  • Methods or procedures I have added are documented, following the guidelines provided in CODING_STANDARD.md.
  • n/a The feature or user visible behaviour I have added or modified has been documented in the User Guide in doc/cprover-manual/
  • Regression or unit tests are included, or existing tests cover the modified code (in this case I have detailed which ones those are in the commit message).
  • n/a My commit message includes data points confirming performance improvements (if claimed).
  • My PR is restricted to a single feature or bugfix.
  • n/a White-space or formatting changes outside the feature-related changed lines are in commits of their own.

@codecov
Copy link

codecov bot commented May 27, 2025

Codecov Report

Attention: Patch coverage is 97.54386% with 7 lines in your changes missing coverage. Please review.

Project coverage is 80.37%. Comparing base (c9653bd) to head (803954a).
Report is 13 commits behind head on develop.

Files with missing lines Patch % Lines
src/goto-symex/simplify_expr_with_value_set.cpp 98.55% 2 Missing ⚠️
src/goto-symex/symex_clean_expr.cpp 77.77% 2 Missing ⚠️
src/goto-symex/symex_dereference.cpp 75.00% 1 Missing ⚠️
src/goto-symex/symex_other.cpp 66.66% 1 Missing ⚠️
unit/goto-symex/symex_assign.cpp 75.00% 1 Missing ⚠️
Additional details and impacted files
@@           Coverage Diff            @@
##           develop    #8642   +/-   ##
========================================
  Coverage    80.36%   80.37%           
========================================
  Files         1686     1688    +2     
  Lines       206981   207064   +83     
  Branches        73       73           
========================================
+ Hits        166340   166421   +81     
- Misses       40641    40643    +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Copy link
Collaborator

@feliperodri feliperodri left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't have any meaningful comment on the simplification at the symbolic execution level and all the changes LGTM. It's mostly creating simplify_expr_with_value_set with additional clean ups and maintaining the behaviour.

Comment on lines +221 to +224
// all pointed-to objects on the left-hand side are different from any of
// the pointed-to objects on the right-hand side
return expr.id() == ID_equal ? changed(static_cast<exprt>(false_exprt{}))
: changed(static_cast<exprt>(true_exprt{}));
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If pointed-to objects are the same for LHS and RHS but for each object we have statically different symbolic offsets then we could conclude that the comparison is still always false ?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I meant to say this still seems to rely only on object information, not really using offset info to the fullest ? but this might already be done somewhere else.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note this is simplify_inequality_pointer_object, which really is for POINTER_OBJECT(x) == POINTER_OBJECT(y) comparisons. There is try_evaluate_pointer_comparison where the above suggestions, however, might apply.

Copy link
Collaborator

@remi-delmas-3000 remi-delmas-3000 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The simplifier class could be improved with some more doc explaining how knowledge of the symbolic offsets for pointers are used to simplify pointer comparisons

Move `try_evaluate_pointer_comparison` to a simplifier that can
eventually support more cases than just equalities in GOTO conditions.
The initial change does not alter behaviour (except that previously
`try_evaluate_pointer_comparison` was even used when simplification was
disabled).

A side-effect is that we can also clean up renamedt.
value-set based simplifications may be helpful well outside just GOTO
conditions.
When all candidates in the value set have the same offset we can replace
a pointer_offset expression by the offset value found in the value set.
The value set can help us infer that, e.g., a particular pointer cannot
be among the ones assigned to __CPROVER_dead_object, whereby we can
simplify R_OK/W_OK expressions.
@tautschnig tautschnig merged commit eef9677 into diffblue:develop Jun 20, 2025
57 of 58 checks passed
@tautschnig tautschnig deleted the simp-value-set branch June 20, 2025 22:12
tautschnig added a commit to tautschnig/cbmc that referenced this pull request Jun 25, 2025
This release adds aarch64 va_list support (via diffblue#8572), which makes all
tests pass on aarch64 Linux. We reworked expression simplification
during symbolic execution (via diffblue#8642, diffblue#8647, diffblue#8627) to produce smaller
and quicker-to-solve formulae for scenarios seen by our users.
@tautschnig tautschnig mentioned this pull request Jun 25, 2025
4 tasks
tautschnig added a commit to tautschnig/cbmc that referenced this pull request Jun 25, 2025
This release adds aarch64 va_list support (via diffblue#8572), which makes all
tests pass on aarch64 Linux. We reworked expression simplification
during symbolic execution (via diffblue#8642, diffblue#8647, diffblue#8627) to produce smaller
and quicker-to-solve formulae for scenarios seen by our users.
tautschnig added a commit to tautschnig/cbmc that referenced this pull request Jun 25, 2025
This release adds aarch64 va_list support (via diffblue#8572), which makes all
tests pass on aarch64 Linux. We reworked expression simplification
during symbolic execution (via diffblue#8642, diffblue#8647, diffblue#8627) to produce smaller
and quicker-to-solve formulae for scenarios seen by our users.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants