-
Notifications
You must be signed in to change notification settings - Fork 100
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Advise on verifying state machines with kani #3016
Comments
Hi @LizardWizzard. Thanks for trying out Kani! Vectors can indeed choke Kani's solver. The general strategies I use to address performance issues are:
Is it possible to share the code? We may be able to suggest workarounds or identify improvements we can make to Kani/CBMC. |
Thanks for your response @zhassan-aws!
Yep, I'm currently in progress of moving everything to arrayvec based collections hoping that it'll make things better, once I finish I'll post an update here with a repo. Sadly full state machine definition is quite large, all code that can be reached by the harness is above 1k loc (with handrolled fixed size array based collections even more), so maybe thats just too big for kani to chew at once, though I'm ok if the process can eventually succeed even if it takes very long time |
You can pass:
to dump a statistics log from CBMC. I'm not sure how reliable/helpul it is at the moment though. |
I finished transition to arrayvec based maps and sets, however that only lead to cbmc crash caused by internal invariant violation. Here is the error I've got:
Failure happened after 11 minutes and ~65G memory used by cbmc. The exact commit this is happened on: LizardWizzard/accord-playground@327cc59 Command I used to run kani:
Kani version is Worth noting that at this point code doesnt pass unit tests with known error. So I'd expect kani to report that. Cbmc generated a coredump, though it is truncated because heap size was huge at the moment of failure. Is there a way kani can use custom cbmc binary? I can try to build cbmc with debug symbols so backtrace is more helpful I'd appreciate any help/advice on how to move this forward |
I suspect the crash is resulting from some overflow as indicated by the extremely high memory usage. I doubt CBMC is able to produce any meaningful result with such high memory usage. Thanks for sending the code. I'll take a look at it and see if anything can be done. |
Hi! Thank you for developing such a great tool!
This is not a request for particular feature. I tried to find a place where to ask questions on kani and I didnt find either of zulip/discord/gh discussions set up so I'm asking here.
I'm trying to verify a protocol which is represented by a number of instances of one state machine. I believe my problem is that the state of this state machine includes collections such as hashmaps, sets and vectors which make verification using kani quite complicated. I was able to move forward past initial struggles by replacing all hash based structures by their emulation on vectors (most of it is based on vector_map crate from one of your examples). I still get poor verification performance (understandably). Loop unwinding can take really long time (I got up to an hour) and even when it succeeds cmbc fails with out of memory error. Judging by logs most of the unwinding takes place on some vector internals (std alloc, raw vec, std ptr, etc). From what I can see unwinding process doesnt make any benefits from setting
-j
argument. I tried to tweak unwinding strategy and I couldnt find a sweet spot. Either it fails with an error that harness reached an iteration that was not reached during unwinding or unwinding takes long time with a following cbmc OOM.What would be the best way to proceed? Is there a way I could replace Vec from std with a stub? In the blog post about stubbing I see only particular functions being replaced and in general I'm not sure what can be the shape of contract that can replace an entire vec. Would be interested in any advice on moving this forward. Thanks in advance!
Worth noting I dont have any relevant unsafe code so if disabling some safety related verification targets can help that would be good. Idea I have now is to replace vectors with fixed size array of
Option<T>
so it doesnt have to go deep into most of alloc/ptr internals. Not sure if it is a good idea, but thats what I have leftThe text was updated successfully, but these errors were encountered: