Skip to content

v1.0
Compare
Choose a tag to compare
@RyanGlScott RyanGlScott released this 27 Jun 14:07
· 521 commits to master since this release
v1.0
f64fbe4

New Features

  • SAW now implements Heapster, which allows extracting functional specifications of memory-safe C programs to Coq. There is now a family of experimental heapster_* commands that support this. For more information, refer to the Heapster README.

  • New commands enable_what4_eval and disable_what4_eval to enable or disable What4 translation for SAWCore expressions during Crucible symbolic execution.

  • New command llvm_alloc_sym_init like llvm_alloc, but assume that the allocation is initialized with symbolic bytes. New commands disable_alloc_sym_init_check and enable_alloc_sym_init_check to disable or enable the allocation initialization check associated with llvm_alloc_sym_init during override application.

  • New command set_crucible_timeout to set the timeout for the SMT solver during the LLVM and X86 Crucible symbolic execution. This is used for path-sat checks, and sat checks when applying overrides.

  • New command w4_unint_z3_using like w4_unint_z3, but use the given Z3 tactic.

  • A new llvm_points_to_bitfield command has been introduced, providing a version of llvm_points_to that is specifically tailored for structs containing bitfields. In order to use llvm_points_to_bitfield, one must also use the new enable_lax_loads_and_stores command, which relaxes some of Crucible's assumptions about reading from uninitialized memory. (This command also comes with a corresponding disable_lax_loads_and_stores command.) For more details on how each of these commands should be used, consult the "Bitfields" section of the SAW manual.

  • A new llvm_cast_pointer function has been added that allows users to directly specify that a pointer should be treated as pointing to a particular type. This mainly affects the results of subsequent llvm_field and llvm_elem calls. This is especially useful for dealing with C union types, as the type information provided by LLVM is imprecise in these cases.

  • A new llvm_union function has been added that uses debug information to allow users to select fields from union types by name. This automates the process of manually applying llvm_cast_pointer with the type of the selected union field. Just as with llvm_field, debug symbols are required for llvm_union to work correctly.

  • A new highly experimental llvm_verify_fixpoint_x86 function that allows partial correctness verification of loops using loop invariants instead of full symbolic unrolling. Only certain very simple styles of loops can currently be accommodated, and the user is required to provide a term that describes how the live variables in the loop evolve over an iteration.

  • A new experimental facility for "tagging" proof obligations in specifications and later using those tags to make decisions in proof tactics. See the new llvm_setup_with_tag, goal_has_tags, and goal_has_some_tag commands.

  • A new experimental option (toggled via enable_single_override_special_case and disable_single_override_special_case) which changes the handling for cases where an overriden function has only one override that could possibly apply. When the special case handling is enabled, preconditions for the override are asserted separately, maintaining their individual metadata instead of being combined into a single precondition for the entire override. This may be advantageous if proving the individual goals is easier than the conjunction of all of them, or if different tactics are needed for different subgoals. Currently, this option only applies to LLVM verifications.

  • Experimental interactive features. Using the new subshell and proof_subshell commands, a user can regain a command-line interface in the middle of a running script for experimentation and exploration purposes. In addition callcc and checkpoint allow the user to have more flexibility with restoring prior states and executing the remaining context of a proof in such an interactive session.

  • A new experimental llvm_verify_x86_with_invariant command that allows verification certain kinds of simple loops by using a user-provided loop invariant.

  • Add a cvc5 family of proof scripts that use the CVC5 SMT solver. (Note that the sbv_cvc5 and sbv_unint_cvc5 are non-functional on Windows at this time due to a downstream issue with CVC5 1.0.4 and earlier.)

  • Add experimental support for verifying Rust programs. For more information, see the mir_* commands documented in the SAW manual.

Changes

  • A significant overhaul of the SAW proof and tactics system. Under the hood, tactics now manipulate sequents instead of just propositions. This allows more the user to specify more precise goal rearrangements, and provides a much nicer interface for proof exploration (especially with the new proof_subshell). There are a variety of new tactics that provide the user with control over proof steps that is similar to that found in an interactive theorem prover. Proofs that do not make use of the new experimental tactics should see no substantive changes, so this is expected to be a highly backward-compatible change.

  • The experimental and rarely-used goal_assume tactic has been removed. The use case it was targeting is better solved via sequents.

  • Support LLVM versions up to 16.

Bug fixes

Assets 18
Loading