Skip to content

Bachelor's Thesis – tnilboG: Extending Goblint Analyzer with Weakest Preconditions #1946

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
emwint wants to merge 29 commits into
base: master
Choose a base branch
from
Draft

Bachelor's Thesis – tnilboG: Extending Goblint Analyzer with Weakest Preconditions #1946

Show file tree
Hide file tree
Changes from 24 commits
Commits
Show all changes
29 commits
Select commit Hold shift + click to select a range
9a60066
first new modules
emwint Dec 12, 2025
5faf07f
things happened
emwint Dec 14, 2025
b91d566
changing test program
emwint Dec 14, 2025
b565a75
added better representation in html viewer
emwint Dec 14, 2025
7b532a3
tweaking transfer funcs
emwint Dec 14, 2025
d2cdb8b
now for procedure calls
emwint Dec 16, 2025
b7b41df
and formatted now
emwint Dec 16, 2025
6a9ae2a
more
emwint Dec 31, 2025
d3cdd34
working on combine
emwint Jan 9, 2026
a7e512b
mainly comments from conversations
emwint Jan 19, 2026
9690b86
working on integrating bidirConstraints into control
emwint Jan 30, 2026
6450feb
control AnalyzeCFG_3 forward init
emwint Jan 30, 2026
87b6749
working on backwards init
emwint Feb 2, 2026
a4eb80c
backwards init
emwint Feb 2, 2026
77ac4fe
Backwards_analysis now works as part of bidirectional constraint system!
emwint Feb 2, 2026
d52f916
- forwards and backwards analysis now work
emwint Feb 3, 2026
237399e
working on result to xml
emwint Feb 6, 2026
d8d8913
Working on Backwards-Spec
emwint Feb 8, 2026
e396a37
Bidirconstraints should now construct man_forw whith functional getg
emwint Feb 10, 2026
177ed17
minor fixes
emwint Feb 26, 2026
7994fb5
cleanup and added configuration option
emwint Feb 27, 2026
25845da
Added tests and improved _wp_test.ml_
emwint Feb 27, 2026
45a201e
Cleanup
emwint Feb 28, 2026
48e53bc
Cleanup of analyses
emwint Feb 28, 2026
1a84c57
Cleanup
emwint Mar 3, 2026
f02c447
Removed CastE in liveness analysis since it seems to couse prblems wi…
emwint Mar 3, 2026
9a0fa2c
Work on liveness analysis and tests
emwint Mar 4, 2026
e676dd1
Queries and Correct Warnings for Live Variable analysis
emwint Apr 9, 2026
39a493c
Liveness analysis: soundly overapproximate partial updates
emwint Apr 30, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
232 changes: 232 additions & 0 deletions src/analyses/wp_analyses/liveness.ml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,232 @@
open GoblintCil
open Analyses

module BackwSpec : BackwAnalyses.BackwSpecSpec = functor (ForwSpec : Analyses.Spec) ->
struct

include BackwAnalyses.DefaultBackwSpec (ForwSpec)
module C = ForwSpec.C

(* Adding these module definitions because the "include" of the DefaultBackwSpec is not enough*)
module D_forw = ForwSpec.D
module G_forw = ForwSpec.G
module V_forw = ForwSpec.V
module P_forw = ForwSpec.P
let name () = "liveness"

module G = Lattice.Unit
module V = EmptyV
module P = EmptyP

module LiveVariableSet = SetDomain.ToppedSet (Basetype.Variables) (struct let topname = "All variables" end)
module D = LiveVariableSet (*Set of program variables as domain*)

let startstate v = D.empty()
let exitstate v = D.empty()

let rec vars_from_lval (l: lval) : varinfo list =
let vars_written_to =
match l with
| Var v, _ -> (
if (Cil.isFunctionType v.vtype) then [] else [v] (*I do not want functions in the set of live variables*)
)
| Mem m, _ -> vars_from_expr m
in

let vars_in_offset =
match l with
| Var _, off -> vars_from_offset off
| Mem _, off -> Logs.debug "(!) vars_in_offset used"; vars_from_offset off
in

(vars_written_to @ vars_in_offset)

and vars_from_offset (off: offset) : varinfo list =
match off with
| NoOffset -> []
| Field (_, off) -> vars_from_offset off (* what to do with fieldinfo?*)
| Index (e, off) ->
let vars_in_e = vars_from_expr e in
let vars_in_off = vars_from_offset off in
(match vars_in_off with
| [] -> []
| vars_in_off -> (vars_in_e @ vars_in_off))
Comment on lines +55 to +60
Copy link

Copilot AI Feb 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

vars_from_offset drops variables used in an index expression when the remaining offset is NoOffset: the Index (e, off) case returns [] if vars_in_off is empty, which incorrectly ignores e for e.g. a[i]. This will make the liveness result wrong. Always include variables from the index expression regardless of the nested offset.

Suggested change
| Index (e, off) ->
let vars_in_e = vars_from_expr e in
let vars_in_off = vars_from_offset off in
(match vars_in_off with
| [] -> []
| vars_in_off -> (vars_in_e @ vars_in_off))
| Index (e, off) ->
let vars_in_e = vars_from_expr e in
let vars_in_off = vars_from_offset off in
vars_in_e @ vars_in_off

Copilot uses AI. Check for mistakes.

and vars_from_expr (e: exp) : varinfo list =
let rec aux acc e =
match e with
| Lval v -> vars_from_lval v @ acc
| BinOp (_, e1, e2, _) ->
let acc1 = aux acc e1 in
aux acc1 e2
| UnOp (_, e1, _) -> aux acc e1
| SizeOfE e1 -> aux acc e1
| AlignOfE e1 -> aux acc e1
| Question (e1, e2, e3, _) ->
let acc1 = aux acc e1 in
let acc2 = aux acc1 e2 in
aux acc2 e3
| CastE (_, e1) -> aux acc e1
| AddrOf (l1) -> (match vars_from_lval l1 with
| [] -> acc
| v -> (v @ acc)
)
(* | AddrOfLabel _ -> Logs.debug "(!) Expression of type AddrOfLabel"; acc
| StartOf l1 -> Logs.debug "(!) Expression of type StartOf"; acc
| Const _ ->Logs.debug "(!) Expression of type Const"; acc
| Real _ -> Logs.debug "(!) Expression of type Real"; acc
| Imag _ -> Logs.debug "(!) Expression of type Imag"; acc
| SizeOf _ -> Logs.debug "(!) Expression of type SizeOf"; acc
| AlignOf _ -> Logs.debug "(!) Expression of type AlignOf"; acc
| SizeOfStr _ -> Logs.debug "(!) Expression of type SizeOfStr"; acc *)
| _ -> acc

in

(* let give_exp_type e =
match e with
| Const _ -> Logs.debug "(!) Expression of type Const"
| Lval _ -> Logs.debug "(!) Expression of type Lval"
| SizeOf _ -> Logs.debug "(!) Expression of type SizeOf"
| Real _ -> Logs.debug "(!) Expression of type Real"
| Imag _ -> Logs.debug "(!) Expression of type Imag"
| SizeOfE _ -> Logs.debug "(!) Expression of type SizeOfE"
| SizeOfStr _ -> Logs.debug "(!) Expression of type SizeOfSTr"
| AlignOf _ -> Logs.debug "(!) Expression of type AlignOf"
| AlignOfE _ -> Logs.debug "(!) Expression of type AlignOfE"
| UnOp _ -> Logs.debug "(!) Expression of type UnOp"
| BinOp _ -> Logs.debug "(!) Expression of type BinOp"
| Question _ -> Logs.debug "(!) Expression of type Question"
| CastE _ -> Logs.debug "(!) Expression of type CastE"
| AddrOf _ -> Logs.debug "(!) Expression of type AddrOf"
| AddrOfLabel _ -> Logs.debug "(!) Expression of type AddrOfLabel"
| StartOf _ -> Logs.debug "(!) Expression of type StartOf"
| _ -> Logs.debug "(!) Impossible: Expression of unknown type"
in
give_exp_type e; *)

aux [] e



let assign man man_forw (lval:lval) (rval:exp) =
let v = vars_from_lval lval in

(* This is wrong. If the variabes describe a memory location, they should instead all be added to the set of live variables!*)
match v with
| [] -> D.join man.local (D.of_list (vars_from_expr rval)) (*if I do not know what the value is assigned to, then all RHS-Variables might be relevant*)
| v->
let l = (D.diff man.local (D.of_list v)) in
if (List.exists (fun elem -> D.mem elem man.local) v) then D.join l (D.of_list (vars_from_expr rval)) (*if anything on the rhs is important, this is live now*)
else (
let loc = M.Location.Node man.node in
(match v with
| v::_ -> M.warn ~loc:loc "Unnecessary assignment to variable %s, as it is not live at this program point" v.vname
| [] -> () (*this case is already handled above*)
); l)

let branch man man_forw (exp:exp) (tv:bool) =
(* This just randomly asks whether all loops terimante to use getg_forw utilized in man.global *)
(* let () =
match man_forw.ask(Queries.MustTermAllLoops) with
| true -> Logs.debug "MustTermAllLoops is TRUE"
| _ -> Logs.debug "MustTermAllLoops is NOT TRUE"
in *)

let branch_irrelevant : bool = (
match Queries.eval_bool (Analyses.ask_of_man man_forw) exp with
| `Lifted b -> tv <> b
| `Bot -> false
| `Top -> false
)
in
if branch_irrelevant then (D.of_list (vars_from_expr exp))
Copy link

Copilot AI Feb 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

branch returns only vars_from_expr exp when the forward analysis indicates this branch is irrelevant. This drops man.local (vars live after the branch) and can also incorrectly treat unreachable edges as contributing variables instead of bot. Consider returning D.bot () for unreachable edges (so they don't affect joins) and otherwise joining with man.local instead of replacing it.

Suggested change
if branch_irrelevant then (D.of_list (vars_from_expr exp))
if branch_irrelevant then D.bot ()

Copilot uses AI. Check for mistakes.
Copy link

Copilot AI Mar 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When eval_bool returns a definite boolean and tv <> b, this branch is unreachable. In that case, branch should propagate D.bot () (to kill the unreachable path), not D.of_list (vars_from_expr exp) which keeps/introduces liveness information on an impossible path.

Suggested change
if branch_irrelevant then (D.of_list (vars_from_expr exp))
if branch_irrelevant then D.bot ()

Copilot uses AI. Check for mistakes.
else D.join man.local (D.of_list (vars_from_expr exp))

let body man man_forw (f:fundec) =
man.local

let return man man_forw (exp:exp option) (f:fundec) =
match exp with
| None -> man.local
| Some e -> D.join man.local (D.of_list(vars_from_expr e))

(* TODO *)
let enter man man_forw (lval: lval option) (f:fundec) (args:exp list) =
(* Logs.debug "=== enter function %s with args %s ===" f.svar.vname
(String.concat ", " (List.map (CilType.Exp.show) args)); *)

let vars =
match lval with
| None -> man.local
| Some lv -> man.local (*i have to check for every arg ... no wait... I do not care about the args here, i care about those at the combine!!!!*)

in

[man.local, man.local]

(* TODO *)
let combine_env man man_forw (lval:lval option) fexp (f:fundec) (args:exp list) fc au (f_ask: Queries.ask) =
(* Logs.debug "=== combine_env of function %s ===" f.svar.vname;
let args_pretty = String.concat ", " (List.map CilType.Exp.show args) in
Logs.debug " args: %s" args_pretty;

let sformals_pretty = String.concat ", " (List.map (fun v -> v.vname) f.sformals) in
Logs.debug " sformals: %s" sformals_pretty; *)

(*map relevant sformals in man.local to the corresponding variables contained in the argument*)

let arg_formal_pairs = List.combine args f.sformals in
let relevant_arg_vars =
List.fold_left (fun acc (arg_exp, formal_var) ->
if D.mem formal_var au then
D.join acc (D.of_list(vars_from_expr arg_exp))
else
acc
) (D.empty()) arg_formal_pairs
Comment on lines +177 to +184
Copy link

Copilot AI Mar 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

combine_env uses List.combine args f.sformals, which raises Invalid_argument if lengths differ. Calls with varargs (var_arg = true) are explicitly allowed earlier, so args may be longer than sformals and this will crash. Use a safe zip (e.g. iterate over List.combine (List.take (List.length f.sformals) args) f.sformals, or fold over formals with List.nth_opt), and decide how to handle extra varargs (likely treat them as used if the callee can read them).

Suggested change
let arg_formal_pairs = List.combine args f.sformals in
let relevant_arg_vars =
List.fold_left (fun acc (arg_exp, formal_var) ->
if D.mem formal_var au then
D.join acc (D.of_list(vars_from_expr arg_exp))
else
acc
) (D.empty()) arg_formal_pairs
(* Safely pair arguments with formals, truncating to the shorter list to avoid List.combine exceptions. *)
let rec combine_truncate args formals acc =
match args, formals with
| arg_exp :: args_tail, formal_var :: formals_tail ->
combine_truncate args_tail formals_tail ((arg_exp, formal_var) :: acc)
| _, _ ->
List.rev acc
in
let arg_formal_pairs = combine_truncate args f.sformals [] in
let relevant_arg_vars =
List.fold_left (fun acc (arg_exp, formal_var) ->
if D.mem formal_var au then
D.join acc (D.of_list (vars_from_expr arg_exp))
else
acc
) (D.empty ()) arg_formal_pairs

Copilot uses AI. Check for mistakes.
in

(*join relevant*)
D.join man.local relevant_arg_vars

let combine_assign man man_forw (lval:lval option) fexp (f:fundec) (args:exp list) fc au (f_ask: Queries.ask) =
(* SHOULD JUST USE THE SIMPLE ASSIGN I ALREADY IMPLEMENT *)
let exp_vars = D.of_list(vars_from_expr fexp) in
(*
Logs.debug "(!) combine_assign: fexp = %s" (CilType.Exp.show fexp);
(* Type of the expression:*)
let exp_type = Cil.typeOf fexp in
Logs.debug "(!) combine_assign: type of fexp = %s" (CilType.Typ.show exp_type);
Logs.debug "(!) combine_assign: exp_vars = %s" (String.concat ", " (List.map (fun v -> v.vname) (D.elements exp_vars))); *)

(* this is problematic. I should only remove the lvar-vars if lval is a simple variable. If it is used to reference memory the variabes are actually wuite important*)
match lval with
| Some lval ->
let lval_vars = D.of_list (vars_from_lval lval) in
if (D.exists (fun e -> D.mem e man.local) lval_vars) then (
let a = (D.union man.local exp_vars) in
D.diff a lval_vars)
else man.local
| _ -> man.local


(** A transfer function which handles the return statement, i.e.,
"return exp" or "return" in the passed function (fundec) *)
let return man man_forw (exp: exp option) (f:fundec) : D.t =

Comment on lines +195 to +198
Copy link

Copilot AI Feb 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

return is defined twice in this module (earlier at line ~149 and again here). The later definition silently shadows the earlier one, which is confusing and makes it easy to reason about the wrong behavior. Please keep only one return implementation and remove the other.

Copilot uses AI. Check for mistakes.
(* this does not really work that well, as I pass all live vars which does not generally make the function important *)
let return_val_is_important = (not (D.is_bot man.local)) || (String.equal f.svar.vname "main") in (*this does not take globals int account, only checks for "temp"*)

match exp with
| None -> D.empty()
| Some e -> if return_val_is_important
then D.of_list (vars_from_expr e)
else D.empty()


let special man man_forw (lval: lval option) (f:varinfo) (arglist:exp list) =
man.local

let threadenter man man_forw ~multiple lval f args = [man.local]
let threadspawn man man_forw ~multiple lval f args fman = man.local
end
4 changes: 2 additions & 2 deletions src/common/util/cilfacade.ml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -91,8 +91,8 @@ let init () =
RmUnused.keepUnused := true;
print_CIL_Input := true;
Cabs2cil.allowDuplication := false; (* needed for ARG uncilling, maybe something else as well? *)
Cabs2cil.silenceLongDoubleWarning := true;
Cabs2cil.addLoopConditionLabels := true
Cabs2cil.silenceLongDoubleWarning := true
(* Cabs2cil.addLoopConditionLabels := true *)
Copy link

Copilot AI Feb 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cabs2cil.addLoopConditionLabels was previously enabled and is now commented out. This changes the generated CIL/CFG globally for all analyses and may affect termination handling and CFG structure. If this is needed for WP experiments, please gate it behind a dedicated option or provide a clear rationale and ensure existing regression tests still pass.

Suggested change
Cabs2cil.silenceLongDoubleWarning := true
(* Cabs2cil.addLoopConditionLabels := true *)
Cabs2cil.silenceLongDoubleWarning := true;
Cabs2cil.addLoopConditionLabels := true

Copilot uses AI. Check for mistakes.

let current_file = ref dummyFile

Expand Down
7 changes: 7 additions & 0 deletions src/config/options.schema.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1298,6 +1298,13 @@
}
},
"additionalProperties": false
},
"wp_run": {
"title": "ana.wp_run",
"description":
"Do a wp analysis, in this case the liveness analysis.",
"type": "boolean",
"default": false
}
},
"additionalProperties": false
Expand Down
8 changes: 4 additions & 4 deletions src/framework/analyses.ml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -429,9 +429,9 @@ module type SpecSys =
sig
module Spec: Spec
module EQSys: Goblint_constraint.ConstrSys.DemandGlobConstrSys with module LVar = VarF (Spec.C)
and module GVar = GVarF (Spec.V)
and module D = Spec.D
and module G = GVarG (Spec.G) (Spec.C)
and module GVar = GVarF (Spec.V)
and module D = Spec.D
and module G = GVarG (Spec.G) (Spec.C)
module LHT: BatHashtbl.S with type key = EQSys.LVar.t
module GHT: BatHashtbl.S with type key = EQSys.GVar.t
end
Expand All @@ -443,4 +443,4 @@ sig

val gh: EQSys.G.t GHT.t
val lh: SpecSys.Spec.D.t LHT.t (* explicit SpecSys to avoid spurious module cycle *)
end
end
Loading
Loading