Re: [llvm-dev] [GSoC 2018] Integrate with Z3 SMT solver to reduce false positives.

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Re: [llvm-dev] [GSoC 2018] Integrate with Z3 SMT solver to reduce false positives.

Louis Dionne via cfe-dev
Hi Brenda,

Great that you are interested in the project! 
I’m reposting this to cfe-dev as Clang development is discussed there (please direct all future email to that list).

As to your question, I think I have answered it in the following email: http://lists.llvm.org/pipermail/cfe-dev/2018-March/057067.html
(yes, lack of easily searchable/browsable archives is a problem..)

Regards,
George

On Mar 14, 2018, at 6:37 PM, Brenda So via llvm-dev <[hidden email]> wrote:

Hi all,

I am a fourth year EE bachelors student who is very interested in compilers. I have taken the only compilers course offered in my school and did an independent study with my CS professor. Although I'll begin to work in a couple of months, I definitely want to pursue my interest in compiler design and optimization as a PhD in the future. I am very interested in the z3 SMT solver project detailed on the LLVM website and have been doing some research about it. 

From what I understand, the current analyzer traces the program, and at each branch, it branches out into the true branch and the false branch. The true and false branch causes certain constraints on the values. If the conditions on the branch causes a constraint to be unsatisfiable, the path is considered to be infeasible. traces the program, and at each branch, it branches out into the true branch and the false branch. The true and false branch causes certain constraints on the values. If the conditions on the branch causes a constraint to be unsatisfiable, the path is considered to be infeasible. In that case, z3 would be useful in proving whether a branch is definitely true or false (i.e. whether the constraints are satisfiable), thus preventing exponential blowup of the analysis. 

However, when I was looking through the github version of LLVM, it seems like z3 is already incorporated: 

I guess my question is, what would the project contribute on top of the z3 manager that is currently implemented for LLVM?

Thanks!
Brenda
_______________________________________________
LLVM Developers mailing list
[hidden email]
http://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev


_______________________________________________
cfe-dev mailing list
[hidden email]
http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
Reply | Threaded
Open this post in threaded view
|

Re: [llvm-dev] [GSoC 2018] Integrate with Z3 SMT solver to reduce false positives.

Louis Dionne via cfe-dev
Hi George,

Thanks for the references, after watching them and a few more videos, I sort of have a high level idea on how z3 will be useful for the static analyzer:

1. For all the feasible paths reported by the bug reporter, initiate z3 solver.
2. Use the ProgramState to add constraints to the z3 solver as we step through the path
3. If at any point the z3 solver returns false (i.e. the constraints cannot be satisfied), the path is infeasible and hence should be flagged as a false positive.

The above procedure is assuming that the bug reporter returns feasible paths, but I am actually still confused about what the bug reporter reports. Does it report bugs? infeasible paths or feasible paths of the program? I am also wondering how the bug reporter and constraint manager interact with each other.

Moreover, on the project description, it says that z3 is useful in "complicated branches that the constraint manager cannot reason about". From the bug reports, or other objects in the static analyzer, how would I know whether the constraint manager can/cannot reason about?

Thanks for all your help and I look forward to hear from you,
Brenda


On Fri, Mar 16, 2018 at 8:52 PM, Brenda So <[hidden email]> wrote:
Hi George,

Thanks for the references, after watching them and a few more videos, I sort of have a high level idea on how z3 will be useful for the static analyzer:

1. For all the feasible paths reported by the bug reporter, initiate z3 solver.
2. Use the ProgramState to add constraints to the z3 solver as we step through the path
3. If at any point the z3 solver returns false (i.e. the constraints cannot be satisfied), the path is infeasible and hence should be flagged as a false positive.

The above procedure is assuming that the bug reporter returns feasible paths, but I am actually still confused about what the bug reporter reports. Does it report bugs? infeasible paths or feasible paths of the program? I am also wondering how the bug reporter and constraint manager interact with each other.

Moreover, on the project description, it says that z3 is useful in "complicated branches that the constraint manager cannot reason about". From the bug reports, or other objects in the static analyzer, how would I know whether the constraint manager can/cannot reason about?

Thanks for all your help and I look forward to hear from you,
Brenda


On Wed, Mar 14, 2018 at 10:16 PM, George Karpenkov <[hidden email]> wrote:
Hi Brenda,

Great that you are interested in the project! 
I’m reposting this to cfe-dev as Clang development is discussed there (please direct all future email to that list).

As to your question, I think I have answered it in the following email: http://lists.llvm.org/pipermail/cfe-dev/2018-March/057067.html
(yes, lack of easily searchable/browsable archives is a problem..)

Regards,
George

On Mar 14, 2018, at 6:37 PM, Brenda So via llvm-dev <[hidden email]> wrote:

Hi all,

I am a fourth year EE bachelors student who is very interested in compilers. I have taken the only compilers course offered in my school and did an independent study with my CS professor. Although I'll begin to work in a couple of months, I definitely want to pursue my interest in compiler design and optimization as a PhD in the future. I am very interested in the z3 SMT solver project detailed on the LLVM website and have been doing some research about it. 

From what I understand, the current analyzer traces the program, and at each branch, it branches out into the true branch and the false branch. The true and false branch causes certain constraints on the values. If the conditions on the branch causes a constraint to be unsatisfiable, the path is considered to be infeasible. traces the program, and at each branch, it branches out into the true branch and the false branch. The true and false branch causes certain constraints on the values. If the conditions on the branch causes a constraint to be unsatisfiable, the path is considered to be infeasible. In that case, z3 would be useful in proving whether a branch is definitely true or false (i.e. whether the constraints are satisfiable), thus preventing exponential blowup of the analysis. 

However, when I was looking through the github version of LLVM, it seems like z3 is already incorporated: 

I guess my question is, what would the project contribute on top of the z3 manager that is currently implemented for LLVM?

Thanks!
Brenda
_______________________________________________
LLVM Developers mailing list
[hidden email]
http://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev




_______________________________________________
cfe-dev mailing list
[hidden email]
http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev