Enforce upper bound on loop count on all instructions in loops #745

Alan-Jowett · 2024-10-18T19:20:07Z

This pull request introduces several significant changes to enhance loop handling and termination checks within the eBPF verifier. Key changes include the addition of a bounded loop count structure, modifications to the control flow graph (CFG) preparation to include termination checks, and updates to various classes and methods to support these new features.

Enhancements to Loop Handling and Termination Checks:

Bounded Loop Count Structure:
- Added struct BoundedLoopCount to src/asm_syntax.hpp to define a limit on loop iterations, preventing infinite loops during verification.
- Implemented std::ostream& operator<<(std::ostream& os, const BoundedLoopCount& a) in src/asm_ostream.cpp for outputting bounded loop counts.
Control Flow Graph (CFG) Preparation:
- Modified prepare_cfg function in src/asm_cfg.cpp to include a check_for_termination parameter, which checks for loop termination by visiting loop heads and inserting loop counters. [1] [2]
Updates to Classes and Methods:
- Updated class ebpf_domain_t in src/crab/ebpf_domain.hpp and src/crab/ebpf_domain.cpp to handle BoundedLoopCount and enforce loop iteration limits. [1] [2]
- Added visit_loop_heads method to class wto_t in src/crab/wto.hpp and src/crab/wto.cpp to iterate over loop heads in the weak topological order (WTO). [1] [2]

Codebase Simplification and Refactoring:

Const Correctness:
- Changed several functions and methods to accept const cfg_t& instead of cfg_t& to ensure immutability where appropriate. [1] [2] [3]
Test Adjustments:
- Updated test cases in src/test/test_verify.cpp to reflect changes in CFG preparation and loop handling. [1] [2]

These changes collectively improve the robustness of the eBPF verifier by ensuring loops are properly bounded and termination is checked, while also enhancing code readability and maintainability.

Summary by CodeRabbit

Release Notes

New Features
- Enhanced loop count determination in reports to improve accuracy.
- Introduced a maximum loop iteration limit to prevent infinite loops.
- Added multiple new test cases to validate loop constructs and termination conditions.
Bug Fixes
- Resolved issues with assertion handling for loop counters, allowing valid assertions instead of failures.
Documentation
- Updated function signatures across various components to enhance clarity and const-correctness.
Refactor
- Streamlined control flow and logic for loop counter initialization and handling within the analysis framework.

coderabbitai · 2024-10-18T19:20:15Z

Walkthrough

The pull request introduces several significant changes across multiple files, primarily focusing on enhancing loop count handling and verification processes. Key updates include modifications to the generate_report function for calculating maximum loop counts, the introduction of a new BoundedLoopCount struct to manage loop iteration limits, and updates to various function signatures to improve const-correctness. Additionally, new test cases have been added to validate loop constructs and termination conditions, ensuring robust testing of the updated functionality.

Changes

File	Change Summary
`src/crab_verifier.cpp`	Updated `generate_report` to iterate through post-invariants for loop counts; removed `max_loop_count` constant; changed `cfg` parameters to const references; updated `prepare_cfg` calls.
`test-data/loop.yaml`	Added multiple test cases for loop constructs, including simple infinite loops and large loop iterations.
`src/asm_syntax.hpp`	Introduced `BoundedLoopCount` struct with a limit constant; updated `AssertionConstraint` to include this struct.
`src/crab/ebpf_domain.cpp`	Added `operator()(const BoundedLoopCount&)` to enforce loop iteration limits; refactored existing operator.
`src/asm_cfg.cpp`	Updated `prepare_cfg` to include a new `check_for_termination` parameter; added methods for loop head processing.
`src/asm_ostream.cpp`	Added overload for `operator<<` for `BoundedLoopCount` type for formatted output.
`src/assertions.cpp`	Modified `AssertExtractor` to handle `IncrementLoopCounter` correctly, returning a valid assertion instead of failing.
`src/crab/cfg.hpp`	Added methods to `basic_block_t` for inserting elements at the front; updated `prepare_cfg` signature.
`src/crab/ebpf_domain.hpp`	Added new method to handle `BoundedLoopCount` in `ebpf_domain_t`.
`src/crab/fwd_analyzer.cpp`	Updated member variable types for const-correctness; simplified loop counter initialization logic.
`src/main/check.cpp`	Updated calls to `prepare_cfg` to include new `check_termination` parameter.
`src/test/test_verify.cpp`	Changed `test_analyze_thread` to accept `const cfg_t*`; updated `prepare_cfg` calls to include new parameter.
`src/crab/fwd_analyzer.hpp`	Updated `run_forward_analyzer` signature for const-correctness.
`src/crab_verifier.hpp`	Changed `run_ebpf_analysis` signature to accept `const cfg_t&`.
`src/crab/wto.hpp`	Added new template method `for_each_loop_head` to process loop heads in `wto_t`.

Possibly related PRs

Cleanup number_t interface and implementation #689: The changes in the main PR involve updates to the generate_report function, which may relate to the handling of numerical types and operations, similar to the introduction of the number_t class in this PR.
Cleanup and modernize ebpf_domain #690: The modifications in the main PR regarding the generate_report function's logic for loop counts may connect with the cleanup and modernization of the ebpf_domain, which also deals with numerical operations.
Use get_if instead of holds_alternative to avoid repetition #703: The changes in the main PR to improve type handling in the generate_report function align with the use of get_if instead of holds_alternative, enhancing type safety in the code.
Cleanup, modernize and silence compiler warnings #704: The focus on improving type safety in the main PR through changes in function signatures and parameter types resonates with the overall goal of modernizing the codebase in this PR.
Use gsl::narrow in ebpf_domain.cpp #709: The introduction of gsl::narrow in the main PR for type safety in arithmetic operations is directly related to the changes made in this PR, which also emphasizes safer type handling.
Use gsl::narrow in asm files #710: The changes in the main PR regarding arithmetic operations and type safety are consistent with the updates made in this PR to enhance type handling in the assembly files.
Log line info when dumping invariants #716: The enhancements to reporting in the main PR may relate to the logging improvements introduced in this PR, which also focuses on better output and error handling.
Reject binary ops where the source is an uninitialized register #740: The stricter type validation introduced in the main PR for binary operations aligns with the changes made in this PR to enhance type safety for pointer comparisons.
Fix off-by-one error in stack access check #755: The modifications in the main PR to improve stack access checks may connect with the changes made in this PR to refine memory access assertions.
Restrict comparisons with pointers to legal operations #758: The focus on enhancing type safety in the main PR through stricter checks aligns with the changes made in this PR regarding pointer comparisons.
Don't permit truncating non-numbers #772: The changes in the main PR to prevent truncating non-numbers relate to the updates made in this PR to ensure that only valid types are permitted in operations.

Suggested reviewers

dthaler
elazarg

Poem

In the land of loops so vast,
A count was set, no longer cast.
With bounds to keep the rabbits safe,
We hop along, no need for strafe.
Through tests we leap, with joy we sing,
For every loop, a bounded spring! 🐇✨

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

Review comments: Directly reply to a review comment made by CodeRabbit. Example:
- I pushed a fix in commit <commit_id>, please review it.
- Generate unit testing code for this file.
- Open a follow-up GitHub issue for this discussion.
Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
- @coderabbitai generate unit testing code for this file.
- @coderabbitai modularize this function.
PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
- @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
- @coderabbitai read src/utils.ts and generate unit testing code.
- @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
- @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

@coderabbitai pause to pause the reviews on a PR.
@coderabbitai resume to resume the paused reviews.
@coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
@coderabbitai full review to do a full review from scratch and review all the files again.
@coderabbitai summary to regenerate the summary of the PR.
@coderabbitai resolve resolve all the CodeRabbit review comments.
@coderabbitai configuration to show the current CodeRabbit configuration for the repository.
@coderabbitai help to get help.

Other keywords and placeholders

Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (`.coderabbit.yaml`)

You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
Please see the configuration documentation for more information.
If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

Visit our Documentation for detailed information on how to use CodeRabbit.
Join our Discord Community to get help, request features, and share feedback.
Follow us on X/Twitter for updates and announcements.

coderabbitai

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE

📥 Commits

Files that changed from the base of the PR and between 715aaf9 and 0bc118d.

📒 Files selected for processing (2)

src/crab_verifier.cpp (1 hunks)
test-data/loop.yaml (1 hunks)

🧰 Additional context used

🔇 Additional comments (6)

test-data/loop.yaml (6)

270-287: LGTM: Accurate infinite loop test case for "less than" condition.

This test case correctly implements an infinite loop scenario using a "less than" condition. The messages accurately indicate that the code after the loop and the exit are unreachable.

288-304: LGTM: Accurate infinite loop test case for "less than or equal" condition.

This test case correctly implements an infinite loop scenario using a "less than or equal" condition. The messages accurately indicate that the code after the loop and the exit are unreachable.

305-322: LGTM: Accurate infinite loop test case for "equal" condition.

This test case correctly implements an infinite loop scenario using an "equal" condition. The messages accurately indicate that the code after the loop and the exit are unreachable.

323-340: LGTM: Accurate infinite loop test case for "greater than" condition.

This test case correctly implements an infinite loop scenario using a "greater than" condition. The messages accurately indicate that the code after the loop and the exit are unreachable.

341-357: LGTM: Accurate infinite loop test case for "greater than or equal" condition.

This test case correctly implements an infinite loop scenario using a "greater than or equal" condition. The messages accurately indicate that the code after the loop and the exit are unreachable.

269-357: Excellent addition of comprehensive infinite loop test cases.

The new test cases significantly enhance the coverage of infinite loop scenarios in the test suite. They provide a consistent and thorough set of examples covering all common comparison operators (<, <=, ==, >, and >=). This comprehensive approach will help ensure that the verifier can accurately detect and handle various types of infinite loops.

Some key points:

All new test cases are designed to be unreachable after the first iteration, which is correct for infinite loops.

The consistent structure across all test cases improves readability and maintainability.

The inclusion of the "termination" option in all test cases ensures that the verifier's termination analysis is being tested.

These additions align well with the PR objective of enhancing loop termination checks and will contribute to improving the overall robustness of the program against infinite loops.

src/crab_verifier.cpp

coveralls · 2024-10-18T19:53:37Z

coverage: 90.58% (+0.04%) from 90.541%
when pulling f44316a on Alan-Jowett:issue744
into 076ae86 on vbpf:main.

coderabbitai

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE

📥 Commits

Files that changed from the base of the PR and between b55897e and 48d0043.

📒 Files selected for processing (1)

src/crab_verifier.cpp (1 hunks)

🧰 Additional context used

src/crab_verifier.cpp

coderabbitai

Actionable comments posted: 2

🧹 Outside diff range comments (2)

test-data/loop.yaml (2)

Line range hint 1-357: Consider cleaning up commented post-conditions

Several test cases contain commented-out post-conditions (marked with #). If these conditions are no longer valid, consider removing them to improve maintainability. If they're intended for future reference, consider documenting them in a more appropriate location.

Line range hint 1-357: Consider adding test cases for complex scenarios

While the current test suite provides excellent coverage for simple infinite loops, consider adding test cases for:

Nested loops with unreachable exits

Loops with multiple exit points where some are unreachable

This would further strengthen the verification of unreachable exit detection.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE

📥 Commits

Files that changed from the base of the PR and between 48d0043 and 56956d1.

📒 Files selected for processing (2)

src/crab_verifier.cpp (1 hunks)
test-data/loop.yaml (2 hunks)

🧰 Additional context used

🔇 Additional comments (2)

test-data/loop.yaml (2)

189-189: LGTM: Appropriate error message for infinite loop detection

The message "Could not prove termination" correctly indicates that the loop incrementing by 2 can never reach the exit condition of r0 == 9.

269-357: LGTM: Comprehensive test coverage for infinite loop detection

The new test cases provide excellent coverage of infinite loop scenarios:

All comparison operators are tested (less than, less than or equal, equal, greater than, greater than or equal)

Each test case clearly demonstrates the infinite loop condition

Error messages are consistent and accurately indicate both the unreachable code point and unreachable exit

This aligns well with the PR objective of enhancing unreachable code detection.

src/crab_verifier.cpp

coderabbitai

Actionable comments posted: 2

🧹 Outside diff range comments (2)

test-data/loop.yaml (2)
Line range hint 1-188: Consider standardizing post-conditions across similar test cases.

The basic loop test cases (while/until with signed/unsigned comparisons) are well-structured, but there are inconsistencies in the post-conditions. For example:

The "while loop, eq" and "until loop, neq" test cases have commented-out post-conditions

Some test cases verify pc[1] values while others don't

Consider standardizing these to maintain consistency and improve test coverage.

Line range hint 189-269: Document the reason for commented-out shift operations.

In the "realistic forward loop" test case, there's a commented-out section:
#    r2 <<= 32; this fails with "11: Upper bound must be at most packet_size (valid_access(r4.offset, width=1) for read)"
#    r2 >>= 32
Consider adding this information to a proper comment section or documentation to help future maintainers understand the limitation.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE

📥 Commits

Files that changed from the base of the PR and between 56956d1 and 0bb1d34.

📒 Files selected for processing (2)

src/crab_verifier.cpp (1 hunks)
test-data/loop.yaml (2 hunks)

🧰 Additional context used

🔇 Additional comments (2)

test-data/loop.yaml (1)
Line range hint 1-357: Test cases effectively validate unreachable exit detection.

The test suite aligns well with the PR objectives by:

Providing comprehensive coverage of unreachable exit scenarios

Including both simple infinite loops and complex terminating cases

Validating error messages for unreachable code

The test cases will effectively verify the changes made to crab_verifier.cpp for detecting unreachable exits.

✅ Verification successful

Let me gather more specific information about the messages in these test cases.

Let me try one more search to specifically look for the unreachable code messages with a different pattern.

Test cases correctly validate unreachable exit detection with appropriate messages

The verification confirms that:

All infinite loop test cases have the "termination" option enabled

Each infinite loop test case correctly includes the expected unreachable code messages:

"Code is unreachable after 1:2"

"Exit is unreachable"

The test cases effectively validate the PR's goal of enhancing unreachable exit detection by providing consistent error messages across different infinite loop scenarios.
🏁 Scripts executed

The following scripts were executed for the analysis:

Script:
#!/bin/bash
# Verify that all test cases have appropriate termination options and messages

# Check if all infinite loop test cases have the termination option
echo "Checking termination options..."
rg -U 'test-case:.*infinite.*\noptions:.*termination' test-data/loop.yaml

# Check if all infinite loop test cases have unreachable exit messages
echo "Checking unreachable exit messages..."
rg -U 'test-case:.*infinite.*\n.*\n.*\n.*\n.*\n.*\n.*\nmessages:.*unreachable' test-data/loop.yaml
Length of output: 756

Script:
#!/bin/bash
# Check the messages section for each infinite loop test case
echo "Checking messages for infinite loop test cases..."
rg -U 'test-case: simple infinite loop.*(?s).*?messages:.*?(\n\n|$)' test-data/loop.yaml

# Also check for any other test cases with unreachable exit messages
echo "Checking all unreachable exit messages..."
rg -U 'messages:.*unreachable.*exit' test-data/loop.yaml
Length of output: 1496

Script:
#!/bin/bash
# Search for unreachable code messages with a more specific pattern
echo "Checking for unreachable code messages..."
rg -U 'messages:.*(\n\s*-.*unreachable.*)+' test-data/loop.yaml

# Also check for Code is unreachable messages
echo "Checking for 'Code is unreachable' messages..."
rg -U 'messages:.*(\n\s*-.*"Code is unreachable.*)+' test-data/loop.yaml
Length of output: 762
src/crab_verifier.cpp (1)
100-105: ⚠️ Potential issue

Use add_unreachable for consistency with similar unreachable code detection

The code correctly checks for unreachable exits by examining if the last post-invariant is in a "bottom" state. However, for consistency with the rest of the codebase, use add_unreachable instead of add_warning when reporting unreachable code conditions.

Apply this change:
     if (last_inv.is_bottom()) {
-        m_db.add_warning(label_t::exit, "Exit is unreachable.");
+        m_db.add_unreachable(label_t::exit, "Exit is unreachable.");
     }
Likely invalid or redundant comment.

test-data/loop.yaml

src/crab_verifier.cpp

coderabbitai

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE

📥 Commits

Files that changed from the base of the PR and between 0bb1d34 and fdca528.

📒 Files selected for processing (2)

src/crab_verifier.cpp (2 hunks)
test-data/loop.yaml (2 hunks)

🧰 Additional context used

📓 Learnings (1)

src/crab_verifier.cpp (1)

Learnt from: Alan-Jowett
PR: vbpf/ebpf-verifier#745
File: src/crab_verifier.cpp:0-0
Timestamp: 2024-10-22T23:23:41.987Z
Learning: In `src/crab_verifier.cpp`, when the exit is unreachable (i.e., when `last_inv.is_bottom()` is true in `generate_report`), use `add_warning` to emit a warning, as this should cause verification to fail. The `add_unreachable` function is intended for unreachable instructions that do not cause verification to fail.

🪛 yamllint

test-data/loop.yaml

[error] 405-405: wrong indentation: expected 2 but found 4

(indentation)

🪛 GitHub Check: validate-yaml

test-data/loop.yaml

[failure] 405-405:
405:5 [indentation] wrong indentation: expected 2 but found 4

[failure] 405-405:
405:5 [indentation] wrong indentation: expected 2 but found 4

🔇 Additional comments (3)

src/crab_verifier.cpp (3)

26-26: LGTM! Well-defined termination bound constant.

The constant is appropriately defined with a reasonable value and consistent type.

103-107: LGTM! Correct implementation of unreachable exit detection.

The implementation properly uses add_warning to fail verification when the exit is unreachable, as intended. The comments clearly explain the purpose of this check.

109-113: LGTM! Proper implementation of termination bound check.

The implementation correctly uses the TERMINATION_BOUND constant to detect potential infinite loops and appropriately fails verification using add_warning.

test-data/loop.yaml

coderabbitai

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE

📥 Commits

Files that changed from the base of the PR and between fdca528 and d22c3cc.

📒 Files selected for processing (1)

test-data/loop.yaml (2 hunks)

🧰 Additional context used

test-data/loop.yaml

coderabbitai

Actionable comments posted: 3

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE

📥 Commits

Files that changed from the base of the PR and between d22c3cc and 03dfb3a.

📒 Files selected for processing (2)

src/crab_verifier.cpp (2 hunks)
test-data/loop.yaml (2 hunks)

🧰 Additional context used

📓 Learnings (2)

src/crab_verifier.cpp (1)

Learnt from: Alan-Jowett
PR: vbpf/ebpf-verifier#745
File: src/crab_verifier.cpp:0-0
Timestamp: 2024-10-22T23:23:41.987Z
Learning: In `src/crab_verifier.cpp`, when the exit is unreachable (i.e., when `last_inv.is_bottom()` is true in `generate_report`), use `add_warning` to emit a warning, as this should cause verification to fail. The `add_unreachable` function is intended for unreachable instructions that do not cause verification to fail.

test-data/loop.yaml (1)

Learnt from: Alan-Jowett
PR: vbpf/ebpf-verifier#745
File: test-data/loop.yaml:377-398
Timestamp: 2024-10-25T19:31:59.214Z
Learning: In `test-data/loop.yaml`, for the test case **"very large loop > 100K iterations"**, additional post conditions like `r0.svalue>0` and `r0.uvalue>0` are not required.

🔇 Additional comments (3)

test-data/loop.yaml (3)

270-357: LGTM! Comprehensive coverage of infinite loop scenarios.

The test cases effectively cover all comparison operators (less than, less than or equal, equal, greater than, greater than or equal) with appropriate initialization values and consistent error messages.

359-375: LGTM! Implementation matches the suggested test case.

377-398: LGTM! Well-documented test case for termination bound.

The test case effectively verifies the verifier's behavior with loops exceeding 100K iterations. The comments clearly explain the expected behavior, and the post conditions are comprehensive.

test-data/loop.yaml

src/crab_verifier.cpp

coderabbitai

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE

📥 Commits

Files that changed from the base of the PR and between 55a50fd and fc1d4dc.

📒 Files selected for processing (2)

src/crab_verifier.cpp (2 hunks)
test-data/loop.yaml (2 hunks)

🧰 Additional context used

📓 Learnings (2)

src/crab_verifier.cpp (2)

Learnt from: elazarg
PR: vbpf/ebpf-verifier#692
File: src/crab/ebpf_domain.cpp:1366-1367
Timestamp: 2024-09-27T00:34:47.474Z
Learning: The project is compiled with C++20.

Learnt from: Alan-Jowett
PR: vbpf/ebpf-verifier#745
File: src/crab_verifier.cpp:0-0
Timestamp: 2024-10-22T23:23:41.987Z
Learning: In `src/crab_verifier.cpp`, when the exit is unreachable (i.e., when `last_inv.is_bottom()` is true in `generate_report`), use `add_warning` to emit a warning, as this should cause verification to fail. The `add_unreachable` function is intended for unreachable instructions that do not cause verification to fail.

test-data/loop.yaml (1)

Learnt from: Alan-Jowett
PR: vbpf/ebpf-verifier#745
File: test-data/loop.yaml:377-398
Timestamp: 2024-10-25T19:31:59.214Z
Learning: In `test-data/loop.yaml`, for the test case **"very large loop > 100K iterations"**, additional post conditions like `r0.svalue>0` and `r0.uvalue>0` are not required.

🔇 Additional comments (6)

test-data/loop.yaml (5)

189-189: LGTM! Clear error message for unprovable termination.

The message clearly indicates that termination cannot be proven when the maximum loop count is unknown.

270-357: LGTM! Comprehensive coverage of infinite loop detection.

The test cases effectively cover all comparison operators (less than, less than or equal, equal, greater than, greater than or equal) and properly verify unreachable code detection. The error messages are consistent and clear.

358-375: LGTM! Good coverage of multiple exit points.

The test case effectively demonstrates that the verifier can detect infinite loops even when multiple exit points are present. The error messages correctly identify unreachable code at both exit points.

376-398: LGTM! Clear demonstration of termination bound limit.

The test case effectively demonstrates that loops exceeding 100,000 iterations are treated as infinite. The comments and post-conditions clearly explain and verify this behavior.

399-416: LGTM! Good coverage of loops with unknown bounds.

The test case effectively demonstrates how the verifier handles loops where the iteration count cannot be determined statically. The post-conditions and error message clearly verify this behavior.
src/crab_verifier.cpp (1)
26-29: 🧹 Nitpick (assertive)

Enhance documentation with rationale for the chosen bound.

The documentation clearly explains the purpose of TERMINATION_BOUND, but consider adding the rationale for choosing 100,000 as the specific threshold value.
 // Maximum number of loop iterations allowed before considering the loop potentially non-terminating.
 // This bound helps detect infinite loops while allowing reasonable finite loops to pass verification.
+// The value 100,000 was chosen as it's large enough to accommodate practical finite loops
+// while being small enough to catch potential infinite loops in a reasonable time.
 const crab::number_t TERMINATION_BOUND = 100000;
Likely invalid or redundant comment.

src/crab_verifier.cpp

elazarg · 2024-10-31T18:53:55Z

I think exit unreachability is not the same as having an infinite loop. It might happen due to failed assertions or bugs, and an infinite loop on one path may still leave the exit reachable through another path.

Detecting termination can be done through updating max_loop_count on each iteration in generate_report, performed immediately after from_inv(bb);:

from_inv(bb);

m_db.max_loop_count = std::max(m_db.max_loop_count, from_inv.get_loop_count_upper_bound());

I think there needn't be any special handling of bottom in this way - if there's an infinite loop, it should be found. We can even point to the specific location(s) (and counter) if needed. This does not cover the case where from_inv becomes bottom due to a bug, but it's not the responsibility of this code anyway.

Unreachable exit should be an error if and only if we do not have an infinite loop.

What do you think?

dthaler · 2024-10-31T20:31:46Z

I think exit unreachability is not the same as having an infinite loop. It might happen due to failed assertions or bugs, and an infinite loop on one path may still leave the exit reachable through another path.

That's what I told Alan offline too.

Detecting termination can be done through updating max_loop_count on each iteration in generate_report, performed immediately after from_inv(bb);:
from_inv(bb);

m_db.max_loop_count = std::max(m_db.max_loop_count, from_inv.get_loop_count_upper_bound());
I think there needn't be any special handling of bottom in this way - if there's an infinite loop, it should be found. We can even point to the specific location(s) (and counter) if needed. This does not cover the case where from_inv becomes bottom due to a bug, but it's not the responsibility of this code anyway.

Unreachable exit should be an error if and only if we do not have an infinite loop.

What do you think?

Sounds good to me.

Alan-Jowett · 2024-10-31T21:47:27Z

Ok, will make this change.

Alan-Jowett · 2024-10-31T21:51:02Z

My thinking was that either exit would have the max loop count propagated to it or it would have exit unreachable.

But I think I see what you are saying about one branch having an infinite loop that never joins with a pass to exit. This could result in a reachable exit and low loop count.

Would it make more sense to scan the post condition for each state to find any with loop count > threshold?

elazarg · 2024-11-01T00:16:30Z

Would it make more sense to scan the post condition for each state to find any with loop count > threshold?

In order to pinpoint the location? Yes, I think that was my original implementation.

elazarg · 2024-11-01T13:06:45Z

Might be simplest to add a special assertion instruction for each increment. Then you have no special termination handling code in generate report. I'm not sure if thats better overall.

coderabbitai

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE

📥 Commits

Reviewing files that changed from the base of the PR and between 9e376d2 and ccbc9d9.

📒 Files selected for processing (2)

src/crab_verifier.cpp (3 hunks)
test-data/loop.yaml (2 hunks)

🧰 Additional context used

📓 Learnings (2)

src/crab_verifier.cpp (1)

Learnt from: elazarg
PR: vbpf/ebpf-verifier#692
File: src/crab/ebpf_domain.cpp:1366-1367
Timestamp: 2024-09-27T00:34:47.474Z
Learning: The project is compiled with C++20.

test-data/loop.yaml (1)

Learnt from: Alan-Jowett
PR: vbpf/ebpf-verifier#745
File: test-data/loop.yaml:377-398
Timestamp: 2024-10-25T19:31:59.214Z
Learning: In `test-data/loop.yaml`, for the test case **"very large loop > 100K iterations"**, additional post conditions like `r0.svalue>0` and `r0.uvalue>0` are not required.

🔇 Additional comments (13)

test-data/loop.yaml (8)

189-189: LGTM! Clear error message for infinite loop detection.

The error message clearly indicates that termination cannot be proven due to an unknown loop count.

269-288: LGTM! Comprehensive test case for infinite loop with less than operator.

The test case effectively demonstrates:

Initialization of r0 to 0
Infinite loop condition r0 < 1
Appropriate error messages for unreachable code and termination

289-306: LGTM! Comprehensive test case for infinite loop with less than or equal operator.

The test case effectively demonstrates:

Initialization of r0 to 0
Infinite loop condition r0 <= 1
Appropriate error messages for unreachable code and termination

307-325: LGTM! Comprehensive test case for infinite loop with equal operator.

The test case effectively demonstrates:

Initialization of r0 to 0
Infinite loop condition r0 == 0
Appropriate error messages for unreachable code and termination

326-344: LGTM! Comprehensive test case for infinite loop with greater than operator.

The test case effectively demonstrates:

Initialization of r0 to 1
Infinite loop condition r0 > 0
Appropriate error messages for unreachable code and termination

345-363: LGTM! Comprehensive test case for infinite loop with greater than or equal operator.

The test case effectively demonstrates:

Initialization of r0 to 1
Infinite loop condition r0 >= 0
Appropriate error messages for unreachable code and termination

364-381: LGTM! Comprehensive test case for infinite loop with multiple exits.

The test case effectively demonstrates:

Multiple exit points that are unreachable
Complex loop conditions creating an infinite cycle
Appropriate error messages for each unreachable code point

382-404: LGTM! Edge case test for loop termination bound.

The test case effectively verifies that loops exceeding 100,000 iterations are treated as infinite loops, aligning with the TERMINATION_BOUND constant in crab_verifier.cpp.

src/crab_verifier.cpp (5)

26-28: Well-documented introduction of TERMINATION_BOUND

The addition of the TERMINATION_BOUND constant with clear comments enhances code readability and understanding. The chosen value seems reasonable for detecting potential infinite loops.

39-39: Proper use of std::optional for max_loop_count_label

Including max_loop_count_label as an std::optional<label_t> allows for precise identification of where the maximum loop count was found, improving the reporting mechanism.

106-115: Efficient computation of maximum loop count

The loop correctly iterates over post_invariants to determine the maximum loop count. This ensures that the verifier accurately identifies loops that may cause non-termination.

119-121: Appropriate handling of unreachable exit

The check for last_inv.is_bottom() and the addition of a warning when the exit is unreachable align with the PR's objective to improve detection of infinite loops. This change appropriately causes verification to fail in cases where termination cannot be proven.

125-134: Clear and informative termination warning messages

The conditional warning messages provide specific information about the maximum loop count exceeding the termination bound or being unknown. This enhances the user's ability to diagnose and address termination issues in the code.

test-data/loop.yaml

coderabbitai

Actionable comments posted: 4

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE

📥 Commits

Reviewing files that changed from the base of the PR and between ccbc9d9 and 6262a17.

📒 Files selected for processing (4)

src/asm_syntax.hpp (1 hunks)
src/crab/ebpf_domain.cpp (1 hunks)
src/crab_verifier.cpp (1 hunks)
test-data/loop.yaml (2 hunks)

🧰 Additional context used

📓 Learnings (1)

test-data/loop.yaml (1)

Learnt from: Alan-Jowett
PR: vbpf/ebpf-verifier#745
File: test-data/loop.yaml:377-398
Timestamp: 2024-10-25T19:31:59.214Z
Learning: In `test-data/loop.yaml`, for the test case **"very large loop > 100K iterations"**, additional post conditions like `r0.svalue>0` and `r0.uvalue>0` are not required.

🔇 Additional comments (9)

test-data/loop.yaml (5)

189-189: LGTM! Error message format is consistent.

The updated error message follows the standard format and correctly indicates that the loop count exceeds the termination bound.

271-358: LGTM! Comprehensive coverage of infinite loop detection.

The test cases effectively cover all comparison operators (less than, less than or equal, equal, greater than, greater than or equal) and properly verify unreachable code detection. The error messages are consistent and clear.

359-375: LGTM! Good coverage of complex infinite loop scenario.

The test case effectively verifies detection of unreachable code in multiple locations within a cyclic control flow. The error messages correctly identify both unreachable points and the termination issue.

377-398: LGTM! Well-documented boundary test case.

The test case effectively verifies the verifier's behavior at the termination limit boundary (100,000 iterations). The comprehensive post-conditions and clear documentation make the test's purpose explicit.

400-416: LGTM! Good coverage of conditional infinite loop.

The test case effectively verifies detection of potentially infinite loops based on input conditions. The post-conditions correctly specify the state when the loop exits.

src/asm_syntax.hpp (1)

400-400: Verify the loop limit's usage across the codebase.

Let's check how this constant is used to ensure it properly handles edge cases and doesn't have unintended consequences.

✅ Verification successful

Let me gather more context about how this limit is actually used in the code.

Let me check the actual implementation in the test case and the error handling to understand how this limit is enforced.

The loop limit constant is correctly implemented and verified

The constant limit = 100000 is properly used as part of the verifier's infinite loop detection mechanism:

Each loop is assigned a counter that starts at 0 (initialize_loop_counter)
The counter is incremented on each iteration (operator()(const IncrementLoopCounter&))
The verifier enforces the limit by checking counter <= 100000
Test cases confirm the behavior:
- Normal loops under the limit pass verification
- The test "very large loop > 100K iterations" properly fails with "Cannot prove termination (Label 0 loop count 100001 <= 100000)"

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check how the loop limit is used and verify error handling

# Find all references to IncrementLoopCounter
echo "=== IncrementLoopCounter usage ==="
rg -l "IncrementLoopCounter"

# Look for specific limit checks
echo -e "\n=== Limit checks ==="
rg "limit.*100000|100000.*limit"

# Find error messages related to loop limits
echo -e "\n=== Error messages ==="
rg -i "loop.*limit|iteration.*limit"

Length of output: 744

Script:

#!/bin/bash
# Check the implementation around the limit
echo "=== Counter implementation ==="
ast-grep --pattern 'class $_ {
  $$$
  IncrementLoopCounter($$$) {
    $$$
  }
  $$$
}'

# Check for any assertions or error handling
echo -e "\n=== Error handling and assertions ==="
rg -A 5 -B 5 "IncrementLoopCounter"

# Look for test cases
echo -e "\n=== Test cases ==="
rg -l "loop.*test|test.*loop" test-data/

Length of output: 5932

Script:

#!/bin/bash
# Check the test case implementation
echo "=== Loop test case ==="
cat test-data/loop.yaml

# Check the loop counter initialization and error handling
echo -e "\n=== Loop counter initialization ==="
rg -A 10 "initialize_loop_counter" src/

# Check the actual counter increment implementation
echo -e "\n=== Counter increment implementation ==="
rg -A 10 "operator.*IncrementLoopCounter.*\{" src/crab/ebpf_domain.cpp

Length of output: 10087

src/crab/ebpf_domain.cpp (3)

2927-2929: LGTM: Loop counter increment logic is correct.

The implementation properly retrieves the loop counter variable for the given label and increments it by 1 using the existing add method.

2936-2937: LGTM: Termination verification is properly implemented.

The code correctly enforces the loop counter bound check with a clear error message. This is essential for detecting potential infinite loops.

2927-2937: Verify the loop counter limit handling across the codebase.

The implementation adds important checks for loop termination, but we should verify that the limit value is consistently defined and handled across the codebase.

Let's verify the usage of loop counter limits:

✅ Verification successful

Let me gather more specific information about the loop counter implementation.

Based on the gathered information, I can now provide a final response:

Loop counter limit implementation is consistently handled across the codebase

The verification shows that:

Loop counter implementation is centralized in variable_t::loop_counter with consistent initialization and increment patterns
A global limit of 100000 is defined in src/asm_syntax.hpp
Termination checks are uniformly implemented using require(this->m_inv, counter <= ins.limit, "Cannot prove termination")
Loop counters are properly initialized to 0 and tracked throughout their lifecycle

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for consistent loop counter limit usage
# Expected: Find all places where loop counter limits are defined/used

# Look for loop counter limit definitions
echo "Searching for loop counter limit definitions..."
rg -A 2 "limit.*=.*[0-9]+" 

# Look for IncrementLoopCounter usage
echo "Searching for IncrementLoopCounter usage..."
ast-grep --pattern 'IncrementLoopCounter { $$$, limit: $_}'

Length of output: 2200

Script:

#!/bin/bash
# Search for loop counter related code and usage patterns

# Look for loop counter related code
echo "Searching for loop counter implementations..."
rg -A 5 "loop_counter" 

# Look for termination or limit checks
echo "Searching for termination checks..."
rg -A 5 "Cannot prove termination"

# Look for variable_t usage with loop counters
echo "Searching for variable_t loop counter usage..."
ast-grep --pattern 'variable_t::loop_counter($_)'

Length of output: 6646

src/crab_verifier.cpp

src/asm_syntax.hpp

src/crab/ebpf_domain.cpp

coderabbitai

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE

📥 Commits

Reviewing files that changed from the base of the PR and between 6262a17 and 054f205.

📒 Files selected for processing (2)

src/asm_syntax.hpp (1 hunks)
src/crab_verifier.cpp (1 hunks)

🔇 Additional comments (2)

src/crab_verifier.cpp (2)

98-99: LGTM! Clear and informative comment.

The comment effectively explains both the what (calculating maximum loop count) and the why (detecting infinite loops and excessive iterations) of the code changes.

100-105: LGTM! Consider verifying the impact on termination checking.

The implementation correctly calculates the maximum loop count by iterating through all post-invariants and skipping bottom (unreachable) states. This aligns well with the PR objectives of improving infinite loop detection.

Let's verify the usage of this loop count in termination checking:

✅ Verification successful

The loop count calculation is correctly integrated with termination checking

The implementation is working as intended:

The max_loop_count is used to track and report program termination bounds
Termination checking is an optional feature enabled via --termination flag
When enabled and verification succeeds, it reports "Program terminates within X loop iterations"
The value is properly propagated through the verification pipeline:
- Calculated in the loop we reviewed
- Stored in verification stats
- Used in the final report

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify how the max_loop_count is used in termination checking
# Look for places where max_loop_count is compared against termination bounds
rg -A 5 "max_loop_count.*TERMINATION_BOUND|TERMINATION_BOUND.*max_loop_count" src/

Length of output: 84

Script:

#!/bin/bash
# Let's try a broader search for max_loop_count usage
rg -A 5 "max_loop_count" src/

# Also search for termination-related checks
rg -A 5 "termination|TERMINATION" src/

# Look for the class/struct definition containing max_loop_count
ast-grep --pattern 'struct $_ {
  $$$
  max_loop_count
  $$$
}'

Length of output: 6786

src/asm_syntax.hpp

Alan-Jowett · 2024-11-02T03:16:14Z

Might be simplest to add a special assertion instruction for each increment. Then you have no special termination handling code in generate report. I'm not sure if thats better overall.

Does the current approach make sense? A require on the instruction seems to make the most sense to me.

elazarg · 2024-11-02T20:07:47Z

Might be simplest to add a special assertion instruction for each increment. Then you have no special termination handling code in generate report. I'm not sure if thats better overall.

Does the current approach make sense? A require on the instruction seems to make the most sense to me.

In principle, require() should only be called from a function that handles an AssertionConstraint (there is currently one violation of this, in Call). The intention is that calculating of the abstract state and checking validity of the abstract states are distinct phases.

src/crab/fwd_analyzer.cpp

test-data/loop.yaml

Alan-Jowett · 2024-11-05T22:22:32Z

Rebased and squashed to a single commit.

coderabbitai

Actionable comments posted: 6

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE

📥 Commits

Reviewing files that changed from the base of the PR and between 5390b2b and 9e3ec85.

📒 Files selected for processing (14)

src/asm_cfg.cpp (1 hunks)
src/asm_ostream.cpp (1 hunks)
src/asm_syntax.hpp (1 hunks)
src/assertions.cpp (1 hunks)
src/crab/cfg.hpp (4 hunks)
src/crab/ebpf_domain.cpp (2 hunks)
src/crab/ebpf_domain.hpp (1 hunks)
src/crab/fwd_analyzer.cpp (4 hunks)
src/crab/fwd_analyzer.hpp (1 hunks)
src/crab_verifier.cpp (7 hunks)
src/crab_verifier.hpp (1 hunks)
src/main/check.cpp (2 hunks)
src/test/test_verify.cpp (2 hunks)
test-data/loop.yaml (2 hunks)

🧰 Additional context used

📓 Learnings (7)

src/assertions.cpp (1)

Learnt from: Alan-Jowett
PR: vbpf/ebpf-verifier#745
File: src/assertions.cpp:44-45
Timestamp: 2024-11-05T20:07:07.356Z
Learning: Labels always contain some value and cannot be empty.

src/crab/cfg.hpp (1)

Learnt from: Alan-Jowett
PR: vbpf/ebpf-verifier#745
File: src/crab/cfg.hpp:451-460
Timestamp: 2024-11-05T20:54:09.276Z
Learning: The `potential_loop_headers()` method in `cfg_t` is only used once per CFG instance, making caching its result unnecessary.

src/crab/ebpf_domain.hpp (1)

Learnt from: Alan-Jowett
PR: vbpf/ebpf-verifier#745
File: src/crab/ebpf_domain.hpp:81-81
Timestamp: 2024-11-05T20:06:15.970Z
Learning: In this codebase, `operator()` method declarations in the `ebpf_domain_t` class typically do not have documentation comments, so adding such comments is unnecessary.

src/crab/fwd_analyzer.cpp (1)

Learnt from: Alan-Jowett
PR: vbpf/ebpf-verifier#745
File: src/crab/fwd_analyzer.hpp:14-14
Timestamp: 2024-11-05T20:59:02.521Z
Learning: When reviewing changes, avoid suggesting documentation additions for pre-existing functions (e.g., `run_forward_analyzer` in `src/crab/fwd_analyzer.hpp`) if they are outside the scope of the current PR.

src/crab/fwd_analyzer.hpp (1)

Learnt from: Alan-Jowett
PR: vbpf/ebpf-verifier#745
File: src/crab/fwd_analyzer.hpp:14-14
Timestamp: 2024-11-05T20:59:02.521Z
Learning: When reviewing changes, avoid suggesting documentation additions for pre-existing functions (e.g., `run_forward_analyzer` in `src/crab/fwd_analyzer.hpp`) if they are outside the scope of the current PR.

src/crab_verifier.hpp (1)

Learnt from: elazarg
PR: vbpf/ebpf-verifier#716
File: src/crab_verifier.cpp:115-115
Timestamp: 2024-10-05T18:27:27.631Z
Learning: In `src/crab_verifier.cpp` and throughout the codebase, it's acceptable to use `const` qualifiers on value parameters to indicate that the parameter is not modified within the function.

test-data/loop.yaml (1)

Learnt from: Alan-Jowett
PR: vbpf/ebpf-verifier#745
File: test-data/loop.yaml:377-398
Timestamp: 2024-10-25T19:31:59.214Z
Learning: In `test-data/loop.yaml`, for the test case **"very large loop > 100K iterations"**, additional post conditions like `r0.svalue>0` and `r0.uvalue>0` are not required.

🪛 cppcheck

src/crab/fwd_analyzer.cpp

[style] 122-122: The function 'run_forward_analyzer' is never used.

(unusedFunction)

🔇 Additional comments (28)

src/crab/fwd_analyzer.hpp (1)

14-14: LGTM! The const-correctness improvement has already been reviewed.

src/crab_verifier.hpp (1)

10-11: LGTM! Good const-correctness improvement.

Making the cfg parameter const is a positive change as it:

Prevents unintended modifications to the cfg object
Makes the function's intent clearer
Aligns with the codebase's conventions for const-correctness

src/crab/fwd_analyzer.cpp (5)

53-53: LGTM! Good const-correctness improvement.

Making _cfg a const reference prevents accidental modifications to the CFG during analysis, which is the correct design choice.

71-71: LGTM! Appropriate parameter type improvement.

Using a const reference for the basic block parameter is correct as it prevents unnecessary copying while ensuring the block cannot be modified.

104-104: LGTM! Constructor signature properly updated.

The constructor parameter change to const reference aligns with the member variable's const-correctness improvement.

119-119: LGTM! Friend function declaration properly updated.

The friend function declaration change maintains const-correctness consistency across the API surface.

133-134: ⚠️ Potential issue

Fix incorrect condition for loop counter initialization.

The condition if (label.to != -1) skips the original labels (where to == -1) and processes the non-deterministic labels, which is the opposite of what's intended according to the comment.

Apply this fix:

-            if (label.to != -1) {
+            if (label.to == -1) {
-                continue;
+                entry_inv.initialize_loop_counter(label);
             }
-            entry_inv.initialize_loop_counter(label);

Likely invalid or redundant comment.

test-data/loop.yaml (6)

189-189: LGTM! Clear error message for loop counter limit.

The updated message clearly indicates that the loop counter exceeds the maximum limit of 100,000 iterations.

270-358: LGTM! Comprehensive coverage of infinite loop detection.

The test cases effectively cover all comparison operators (less than, less than or equal, equal, greater than, greater than or equal) and properly verify:

Unreachable code detection
Loop counter limit validation
Consistent error messages

359-375: LGTM! Well-structured test for multiple exit points.

The test case effectively verifies the verifier's ability to:

Detect multiple unreachable code segments
Track loop counters in complex control flow
Generate appropriate error messages for each unreachable segment

400-417: LGTM! Good test for indeterminate loops.

The test case effectively verifies the verifier's handling of loops where termination cannot be proven due to unknown initial conditions.

419-443: LGTM! Good edge case for backwards jumps.

The test case effectively verifies that the verifier:

Correctly identifies non-loop backwards jumps
Computes the proper post-state
Doesn't incorrectly flag loop-related issues

462-463: 🧹 Nitpick (assertive)

Consider using explicit empty array syntax.

For consistency and clarity, consider using explicit empty array syntax.

-post: []
+post:
+  []

Likely invalid or redundant comment.

src/crab_verifier.cpp (3)

59-59: LGTM! Good improvement to const correctness.

The change to use const cfg_t& instead of cfg_t& in function parameters is a good improvement. This makes it clear that these functions don't modify the CFG and prevents accidental modifications.

Also applies to: 137-137, 165-165, 186-186

223-223: LGTM! Consistent addition of termination checking.

The addition of options.check_termination parameter to both prepare_cfg calls is consistent and aligns with the PR's objective of enforcing loop count limits.

Also applies to: 246-246

98-104: 🧹 Nitpick (assertive)

LGTM! Consider enhancing the comment for clarity.

The loop count calculation logic is well-implemented. Consider expanding the comment to better explain why we're checking all post-invariants:

-        // Gather the upper bound of loop counts from post-invariants.
+        // Calculate the maximum loop count across all post-invariants to detect potential
+        // infinite loops or excessive iterations in any part of the program, not just at
+        // the exit points.

Likely invalid or redundant comment.

src/crab/ebpf_domain.hpp (1)

81-81: LGTM! The new operator method is well-placed and consistent.

The addition of operator()(const BoundedLoopCount&) follows the established pattern of instruction handling in the class and aligns with the PR's objective of enforcing loop iteration limits.

src/main/check.cpp (2)

267-267: Changes look good.

The same parameter addition is correctly applied to the cfg domain.

253-253: LGTM! Verify CLI integration with termination checking.

The addition of ebpf_verifier_options.check_termination parameter to prepare_cfg correctly propagates the termination check flag from CLI to the CFG preparation phase.

Let's verify the CLI integration:

✅ Verification successful

CLI integration for termination checking is properly implemented

The verification shows that:

The termination flag is properly integrated in the CLI via --termination flag in check.cpp
The flag is stored in ebpf_verifier_options_t::check_termination (default: false)
The flag is correctly propagated through:
- CLI parsing in main/check.cpp
- prepare_cfg calls in both crab_verifier.cpp and main/check.cpp
- Used in termination checks in crab/fwd_analyzer.cpp and crab/ebpf_domain.cpp

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify that the termination flag is properly handled in the CLI and propagated to prepare_cfg.

# Test 1: Check if termination flag is properly documented in help
echo "Checking help documentation for termination flag..."
./check --help | grep -A 2 "termination"

# Test 2: Check if termination-related code exists in prepare_cfg
echo "Checking prepare_cfg implementation..."
rg "prepare_cfg.*check.*termination" "src/"

# Test 3: Check for termination-related test cases
echo "Checking test coverage..."
fd -e cpp -e hpp | xargs rg "test.*termination"

Length of output: 1155

Script:

#!/bin/bash
# Let's verify the CLI integration by checking:
# 1. Command line argument parsing
# 2. How the termination flag is passed through

# Check command line parsing
echo "Checking command line argument handling:"
rg -A 5 "struct.*options" src/

# Check where check_termination is defined and used
echo "Checking check_termination usage:"
rg "check_termination" src/

# Check for test files specifically
echo "Checking test files:"
fd -e cpp -e hpp -e c test | xargs rg "termination"

Length of output: 2586

src/asm_syntax.hpp (1)

410-410: LGTM!

The addition of BoundedLoopCount to AssertionConstraint is well-placed and maintains backward compatibility.

src/asm_ostream.cpp (1)

138-140: LGTM! Implementation aligns with PR objectives.

The operator correctly formats the BoundedLoopCount for output, following the file's established patterns. The output format "<loop_counter> < " effectively represents the loop count constraint, which is essential for the PR's goal of enforcing upper bounds on loop iterations.

The previous review comment suggesting documentation is still valid.

src/crab/cfg.hpp (3)

68-79: LGTM! The insert_front methods are well-implemented.

The methods correctly prevent modifications to entry/exit blocks and provide a symmetric front-insertion capability to match the existing back-insertion methods.

173-187: LGTM! The has_backwards_branch method is well-implemented.

The method effectively identifies backwards branches by comparing instruction numbers, with clear comments explaining the logic. The early exit for exit blocks is a good optimization.

654-655: LGTM! The prepare_cfg signature update is well-placed.

The new check_for_termination parameter is appropriately positioned before the optional parameter and aligns with the PR's objective to enhance loop termination verification.

src/test/test_verify.cpp (2)

589-589: LGTM! Good const correctness improvement.

The change from cfg_t* to const cfg_t* better expresses the intent that the function only needs read access to the cfg parameter.

601-601: LGTM! Good const correctness.

The addition of const qualifier to the cfg variables is appropriate as they are passed to a function expecting const parameters.

Also applies to: 609-609

src/crab/ebpf_domain.cpp (1)

2963-2964: 🧹 Nitpick (assertive)

Consider making the counter variable const.

The implementation correctly increments the loop counter, but could be improved by making the counter variable const since it's only used for lookup.

-    const auto counter = variable_t::loop_counter(to_string(ins.name));
+    const auto counter = variable_t::loop_counter(to_string(ins.name));
     this->add(counter, 1);

Likely invalid or redundant comment.

src/asm_cfg.cpp (1)

366-374: Loop counter insertion logic is correctly implemented and well-documented.

The added code correctly inserts IncrementLoopCounter instructions at potential loop entry points when check_for_termination is enabled. The accompanying comments clearly explain the purpose and functionality of enforcing an upper bound on loop iterations.

test-data/loop.yaml

src/asm_syntax.hpp

src/assertions.cpp

src/crab/cfg.hpp

src/crab/ebpf_domain.cpp

src/asm_cfg.cpp

coderabbitai

Actionable comments posted: 5

🧹 Outside diff range comments (1)

src/main/check.cpp (1)

Line range hint 253-269: Consider enhancing output to include loop information.

Since we're now tracking loop counts and termination, consider:

Adding loop-related metrics (e.g., max loop count, number of loops) to the stats output.

Including loop bound annotations in the CFG visualization.

This would provide valuable insights into the program's loop characteristics and make the termination analysis more transparent.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE

📥 Commits

Reviewing files that changed from the base of the PR and between 9e3ec85 and 1f9383c.

📒 Files selected for processing (14)

src/asm_cfg.cpp (1 hunks)
src/asm_ostream.cpp (1 hunks)
src/asm_syntax.hpp (1 hunks)
src/assertions.cpp (1 hunks)
src/crab/cfg.hpp (4 hunks)
src/crab/ebpf_domain.cpp (2 hunks)
src/crab/ebpf_domain.hpp (1 hunks)
src/crab/fwd_analyzer.cpp (4 hunks)
src/crab/fwd_analyzer.hpp (1 hunks)
src/crab_verifier.cpp (7 hunks)
src/crab_verifier.hpp (1 hunks)
src/main/check.cpp (2 hunks)
src/test/test_verify.cpp (2 hunks)
test-data/loop.yaml (2 hunks)

🧰 Additional context used

📓 Learnings (7)

src/asm_syntax.hpp (1)

Learnt from: Alan-Jowett
PR: vbpf/ebpf-verifier#745
File: src/assertions.cpp:50-51
Timestamp: 2024-11-05T22:59:53.296Z
Learning: In `BoundedLoopCount` within `src/asm_syntax.hpp`, the `limit` field is a static constexpr integer and does not need to be set during construction.

src/assertions.cpp (2)

Learnt from: Alan-Jowett
PR: vbpf/ebpf-verifier#745
File: src/assertions.cpp:50-51
Timestamp: 2024-11-05T22:59:53.296Z
Learning: In `BoundedLoopCount` within `src/asm_syntax.hpp`, the `limit` field is a static constexpr integer and does not need to be set during construction.

Learnt from: Alan-Jowett
PR: vbpf/ebpf-verifier#745
File: src/assertions.cpp:44-45
Timestamp: 2024-11-05T20:07:07.356Z
Learning: Labels always contain some value and cannot be empty.

src/crab/ebpf_domain.hpp (1)

Learnt from: Alan-Jowett
PR: vbpf/ebpf-verifier#745
File: src/crab/ebpf_domain.hpp:81-81
Timestamp: 2024-11-05T20:06:15.970Z
Learning: In this codebase, `operator()` method declarations in the `ebpf_domain_t` class typically do not have documentation comments, so adding such comments is unnecessary.

src/crab/fwd_analyzer.cpp (1)

Learnt from: Alan-Jowett
PR: vbpf/ebpf-verifier#745
File: src/crab/fwd_analyzer.hpp:14-14
Timestamp: 2024-11-05T20:59:02.521Z
Learning: When reviewing changes, avoid suggesting documentation additions for pre-existing functions (e.g., `run_forward_analyzer` in `src/crab/fwd_analyzer.hpp`) if they are outside the scope of the current PR.

src/crab/fwd_analyzer.hpp (1)

Learnt from: Alan-Jowett
PR: vbpf/ebpf-verifier#745
File: src/crab/fwd_analyzer.hpp:14-14
Timestamp: 2024-11-05T20:59:02.521Z
Learning: When reviewing changes, avoid suggesting documentation additions for pre-existing functions (e.g., `run_forward_analyzer` in `src/crab/fwd_analyzer.hpp`) if they are outside the scope of the current PR.

src/crab_verifier.hpp (1)

Learnt from: elazarg
PR: vbpf/ebpf-verifier#716
File: src/crab_verifier.cpp:115-115
Timestamp: 2024-10-05T18:27:27.631Z
Learning: In `src/crab_verifier.cpp` and throughout the codebase, it's acceptable to use `const` qualifiers on value parameters to indicate that the parameter is not modified within the function.

test-data/loop.yaml (1)

Learnt from: Alan-Jowett
PR: vbpf/ebpf-verifier#745
File: test-data/loop.yaml:377-398
Timestamp: 2024-10-25T19:31:59.214Z
Learning: In `test-data/loop.yaml`, for the test case **"very large loop > 100K iterations"**, additional post conditions like `r0.svalue>0` and `r0.uvalue>0` are not required.

🪛 cppcheck

src/crab/fwd_analyzer.cpp

[style] 122-122: The function 'run_forward_analyzer' is never used.

(unusedFunction)

🔇 Additional comments (30)

src/crab/fwd_analyzer.hpp (1)

14-14: LGTM! Const-correctness improvement.

The change to use const cfg_t& is appropriate as it prevents unintended modifications to the CFG during analysis while allowing both const and non-const CFG instances to be passed.

Let's verify that this const change is consistently applied across related functions:

✅ Verification successful

Based on the rg results, I can now generate the final response as we have comprehensive information about the usage of cfg_t parameters across the codebase:

Const-correctness is consistently applied across the codebase

The change to use const cfg_t& in run_forward_analyzer aligns perfectly with the codebase's patterns:

All analysis and reporting functions use const cfg_t&
Only transformation functions (like explicate_assertions, annotate_potential_loops) use non-const cfg_t&
The change maintains the established const-correctness convention where CFG is only made mutable when modifications are intended

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify consistent const usage for cfg parameters
# Expected: All related analyzer functions should use const cfg_t&

# Search for function declarations with cfg_t parameter
rg "cfg_t\s*[&]\s*\w+" --type cpp

Length of output: 2866

src/crab_verifier.hpp (1)

10-11: LGTM! Good improvement to const-correctness.

The change to make cfg parameter const is a good improvement that:

Prevents unintended modifications to the CFG during analysis
Makes the function's intent clearer
Aligns with the codebase's conventions for const-correctness

src/crab/fwd_analyzer.cpp (2)

53-53: LGTM: Improved const-correctness

The changes to use const references for the CFG improve const-correctness and prevent unintended modifications to the CFG during analysis.

Also applies to: 71-71

104-104: LGTM: Consistent const-correctness in function signatures

Function signatures have been consistently updated to use const references, maintaining the const-correctness improvements throughout the codebase.

Also applies to: 119-119, 122-122

test-data/loop.yaml (6)

189-189: LGTM! Message update is consistent.

The updated message format "Loop counter is too large (pc[1] < 100000)" clearly indicates the reason for termination failure.

270-358: LGTM! Comprehensive coverage of infinite loop detection.

The test cases effectively cover all comparison operators (less than, less than or equal, equal, greater than, greater than or equal) and properly verify unreachable code detection. The error messages are consistent and clear.

359-375: LGTM! Good test case for complex loop scenarios.

The test case effectively verifies the handling of multiple exit points and unreachable code detection. The messages correctly identify unreachable code segments and loop counter limits.

379-398: LGTM! Good edge case for loop count limits.

The test case effectively verifies the verifier's behavior when dealing with loops that exceed the maximum iteration limit. The post-conditions accurately reflect the expected state.

419-443: LGTM! Good test for backwards jump handling.

The test case effectively verifies that the verifier correctly handles backwards jumps that are not part of loops. The post-conditions accurately reflect the expected register values and program counter state.

445-466: LGTM! Good test for nested infinite loops.

The test case effectively verifies:

Detection of infinite inner loop
Unreachable code after the outer loop increment
Proper handling of loop counter limits

src/crab_verifier.cpp (3)

59-59: LGTM! Good const-correctness improvements.

The changes to make parameters const references improve type safety and align with modern C++ best practices, preventing accidental modifications to the input parameters.

Also applies to: 137-137, 165-165, 186-186

98-104: 🧹 Nitpick (assertive)

LGTM! Consider enhancing the comment for clarity.

The loop count calculation logic is well-implemented. Consider expanding the comment to better explain why we're checking all post-invariants:

-        // Gather the upper bound of loop counts from post-invariants.
+        // Calculate the maximum loop count across all post-invariants to detect potential
+        // infinite loops or excessive iterations in any part of the program, skipping
+        // unreachable (bottom) invariants.

Likely invalid or redundant comment.

223-223: Verify the difference in prepare_cfg calls.

The function is called with different parameter patterns:

Line 223: prepare_cfg(..., false) explicitly passes false
Line 246: prepare_cfg(...) uses the default value

Please verify if this difference is intentional or if the signatures should be consistent.

Also applies to: 246-246

✅ Verification successful

Based on the search results, I can now generate the final response since I have enough information about the prepare_cfg function's definition and usage patterns across the codebase.

The difference in prepare_cfg calls is correct and intentional

The function prepare_cfg is defined with a default parameter must_have_exit = true (visible in src/crab/cfg.hpp). The two different call patterns in the review are both valid:

Line 223 explicitly passes false to override the default value
Line 246 omits the parameter to use the default true value

This is consistent with all other usages across the codebase, where most calls omit the last parameter except when specifically needing to override it.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for all prepare_cfg calls to understand the usage pattern
echo "Searching for prepare_cfg calls..."
rg "prepare_cfg\(" -A 1

# Search for prepare_cfg definition to verify the default parameter
echo "Searching for prepare_cfg definition..."
ast-grep --pattern 'cfg_t prepare_cfg($$$)'

Length of output: 1857

src/crab/ebpf_domain.hpp (1)

81-81: LGTM! The operator declaration is well-placed and follows the established pattern.

The addition of operator()(const BoundedLoopCount&) is consistent with the class's design for handling different instruction types. The const reference parameter aligns with the PR's goal of improving const-correctness.

Let's verify that this operator is properly integrated with the loop counting mechanism:

✅ Verification successful

Based on the results, I can now verify the integration of the BoundedLoopCount operator. The results show:

BoundedLoopCount is well-defined in src/asm_syntax.hpp with a limit of 100000 iterations
The operator implementation in src/crab/ebpf_domain.cpp properly enforces the bound by checking the counter against the limit
The loop counting mechanism is integrated through:
- IncrementLoopCounter instructions added to loop headers
- Loop counter initialization in initialize_loop_counter
- Counter increments handled by operator()(const IncrementLoopCounter&)
- Bound checks performed by operator()(const BoundedLoopCount&)

The operator is properly integrated with the loop counting mechanism and follows the expected pattern.

The implementation correctly enforces loop bounds by:

Initializing counters to 0 at loop entry
Incrementing counters at loop headers
Checking against the defined limit of 100000
Using assertions to fail verification if the limit is exceeded

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the integration of BoundedLoopCount with the loop counting mechanism
# Expected: Find related loop counting logic and assertions

# Look for BoundedLoopCount usage and related loop counting logic
rg -A 5 "BoundedLoopCount" 

# Look for loop counter initialization and increment
rg -A 3 "initialize_loop_counter|IncrementLoopCounter"

# Look for loop-related assertions
rg "assert.*loop.*count"

Length of output: 6338

src/main/check.cpp (2)

253-253: LGTM: Change matches previous review.

The modification to include termination checking in the prepare_cfg call aligns with the PR objectives and previous review feedback.

267-267: LGTM: Change matches previous review.

The modification to include termination checking in the prepare_cfg call aligns with the PR objectives and previous review feedback.

src/asm_syntax.hpp (1)

410-410: LGTM!

The BoundedLoopCount type is properly integrated into the AssertionConstraint variant while maintaining alphabetical ordering.

src/assertions.cpp (1)

50-51: LGTM! Implementation correctly integrates with loop bound verification.

The operator properly returns a BoundedLoopCount assertion for loop counter increments, which integrates with the assertion system to enforce upper bounds on loop iterations. The implementation is minimal but correct, as the limit field is const and doesn't need to be set during construction.

src/asm_cfg.cpp (2)

361-369: LGTM! Well-documented and focused implementation.

The function is well-structured with clear documentation explaining its purpose and behavior. It correctly uses the potential_loop_headers() method to identify loop entry points and inserts counter instructions appropriately.

371-372: LGTM! Parameter addition follows existing pattern.

The new check_for_termination parameter is well-placed and follows the existing pattern of boolean flags for optional behavior.

src/asm_ostream.cpp (1)

138-141: LGTM! Implementation aligns with PR objectives.

The output stream operator for BoundedLoopCount is well-implemented, following the file's established patterns and correctly formatting loop counter constraints for verification purposes.

src/test/test_verify.cpp (3)

589-591: LGTM! Good improvement to const-correctness.

The change to make the cfg parameter const correctly prevents unintended modifications to the configuration during analysis.

601-601: LGTM! Good use of const qualifier.

The const qualifier ensures immutability of the cfg object after preparation.

609-609: LGTM! Consistent with previous changes.

The const qualifier and parameters are applied consistently with the first cfg preparation.

src/crab/ebpf_domain.cpp (2)

1438-1444: LGTM! Well-documented loop bound enforcement.

The implementation correctly enforces an upper bound on loop iterations by checking that the loop counter does not exceed the specified limit. The code is well-documented and follows good practices.

2965-2966: 🧹 Nitpick (assertive)

Consider adding documentation and const correctness.

The implementation correctly increments the loop counter, but could be improved with:

A comment explaining the purpose of this operator
Making the counter variable const since it's only used for lookup

-    const auto counter = variable_t::loop_counter(to_string(ins.name));
-    this->add(counter, 1);
+    // Increments the loop counter associated with the given label
+    const auto counter = variable_t::loop_counter(to_string(ins.name));
+    this->add(counter, 1);

Likely invalid or redundant comment.

src/crab/cfg.hpp (4)

68-80: Implementation of insert_front methods is correct

The added insert_front methods allow insertion at the front of the statement list, with appropriate checks to prevent modifications to entry and exit blocks. The implementation aligns with the existing code structure and maintains code consistency.

173-187: Verify the logic in has_backwards_branch() method

The method aims to detect backward branches by comparing labels of previous blocks. Please ensure that the comparison prev.from >= m_label.from correctly identifies backward edges in all scenarios, especially when multiple blocks may have the same from value or in edge cases of loop constructs.

Consider adding unit tests to validate the behavior with various control-flow graph configurations.

457-468: Efficient implementation of potential_loop_headers()

The potential_loop_headers() method effectively identifies potential loop headers by utilizing the has_backwards_branch() method. Reserving vector capacity optimizes performance, addressing previous suggestions for minor optimizations.

655-656: Ensure all prepare_cfg calls are updated with new parameter

The prepare_cfg function signature has been updated to include check_for_termination before must_have_exit. Please verify that all calls to prepare_cfg across the codebase have been updated to match the new signature, preventing potential compilation errors or unexpected behaviors.

You can run the following script to locate and review all usages of prepare_cfg:

✅ Verification successful

Based on the rg results, I can generate the final response as all calls to prepare_cfg are visible and can be verified.

All prepare_cfg calls are correctly updated with the new parameter

All calls to prepare_cfg across the codebase have been properly updated to include the check_for_termination parameter:

src/crab_verifier.cpp: Two calls using options.check_termination and options->check_termination
src/test/test_verify.cpp: Two calls with explicit true value
src/main/check.cpp: Two calls using ebpf_verifier_options.check_termination

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Find all calls to `prepare_cfg` and check parameter usage.

rg 'prepare_cfg\(' -A 2 -B 2 --type cpp

Length of output: 3518

src/crab/fwd_analyzer.cpp

test-data/loop.yaml

src/asm_syntax.hpp

src/asm_cfg.cpp

src/crab/cfg.hpp

src/asm_cfg.cpp

coderabbitai

Actionable comments posted: 5

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE

📥 Commits

Reviewing files that changed from the base of the PR and between 1f9383c and 1970230.

📒 Files selected for processing (4)

src/asm_cfg.cpp (2 hunks)
src/crab/cfg.hpp (2 hunks)
src/crab/fwd_analyzer.cpp (4 hunks)
test-data/loop.yaml (2 hunks)

🧰 Additional context used

📓 Learnings (2)

src/crab/fwd_analyzer.cpp (1)

Learnt from: Alan-Jowett
PR: vbpf/ebpf-verifier#745
File: src/crab/fwd_analyzer.hpp:14-14
Timestamp: 2024-11-05T20:59:02.521Z
Learning: When reviewing changes, avoid suggesting documentation additions for pre-existing functions (e.g., `run_forward_analyzer` in `src/crab/fwd_analyzer.hpp`) if they are outside the scope of the current PR.

test-data/loop.yaml (1)

Learnt from: Alan-Jowett
PR: vbpf/ebpf-verifier#745
File: test-data/loop.yaml:377-398
Timestamp: 2024-10-25T19:31:59.214Z
Learning: In `test-data/loop.yaml`, for the test case **"very large loop > 100K iterations"**, additional post conditions like `r0.svalue>0` and `r0.uvalue>0` are not required.

🪛 cppcheck

src/crab/fwd_analyzer.cpp

[style] 122-122: The function 'run_forward_analyzer' is never used.

(unusedFunction)

🔇 Additional comments (12)

test-data/loop.yaml (7)

189-189: LGTM! Clear error message for loop counter limit.

The updated message clearly indicates the loop counter limit of 100,000 iterations.

270-358: LGTM! Comprehensive coverage of infinite loop detection.

The test cases effectively cover all comparison operators (less than, less than or equal, equal, greater than, greater than or equal) and properly verify unreachable code detection. The error messages are consistent and clear.

359-375: LGTM! Good test case for complex loop structures.

The test case effectively verifies the handling of multiple exit points and unreachable code detection in complex loop structures.

399-417: LGTM! Good test for indeterminate loop count.

The test case effectively verifies the handling of loops where the iteration count cannot be determined statically.

419-441: LGTM! Good test for backwards jumps.

The test case effectively distinguishes between backwards jumps that form loops and those that don't.

442-464: LGTM! Good test for nested infinite loops.

The test case effectively verifies the handling of nested loops where the inner loop is infinite. The error messages correctly identify both the unreachable code and the loop counter limit violation.

377-398: 🧹 Nitpick (assertive)

Fix comment to match the iteration count.

The comment mentions "1000001 iterations" but uses "1M" in the test case name. Consider using consistent terminology.

-# Note: This test case terminates after 1000001 iterations, but the verifier assumes that the loop is infinite
-# because it is greater than the default limit of 1000000 iterations.
+# Note: This test case terminates after 1M (1,000,001) iterations, but the verifier assumes that the loop is infinite
+# because it is greater than the default limit of 1M (1,000,000) iterations.

⛔ Skipped due to learnings

Learnt from: Alan-Jowett
PR: vbpf/ebpf-verifier#745
File: test-data/loop.yaml:377-398
Timestamp: 2024-10-25T19:31:59.214Z
Learning: In `test-data/loop.yaml`, for the test case **"very large loop > 100K iterations"**, additional post conditions like `r0.svalue>0` and `r0.uvalue>0` are not required.

src/crab/cfg.hpp (1)

627-628: LGTM! Parameter addition looks good.

The addition of the check_for_termination parameter is well-placed and maintains backward compatibility with the existing must_have_exit parameter.

src/crab/fwd_analyzer.cpp (4)

53-53: Improved const-correctness by making _cfg a const reference

Changing _cfg to a const cfg_t& enhances const-correctness and prevents unintended modifications to the configuration graph.

71-71: Const-correctness in function transform_to_post

Using const basic_block_t& bb = _cfg.get_node(label); ensures that bb is not modified within transform_to_post, enhancing const-correctness.

104-104: Constructor update aligns with const-correctness enhancements

Updating the constructor parameter to const cfg_t& cfg maintains consistency with the changes to _cfg, promoting const-correctness.

119-119: Updated run_forward_analyzer function signature for const-correctness

Changing the cfg parameter to const cfg_t& in the run_forward_analyzer function ensures the configuration graph is not modified, enhancing code safety.

test-data/loop.yaml

src/asm_cfg.cpp

coderabbitai

Actionable comments posted: 4

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE

📥 Commits

Reviewing files that changed from the base of the PR and between 1970230 and fdc1047.

📒 Files selected for processing (5)

src/asm_cfg.cpp (2 hunks)
src/crab/fwd_analyzer.cpp (4 hunks)
src/crab/wto.cpp (1 hunks)
src/crab/wto.hpp (1 hunks)
test-data/loop.yaml (2 hunks)

🧰 Additional context used

📓 Learnings (2)

src/crab/fwd_analyzer.cpp (1)

Learnt from: Alan-Jowett
PR: vbpf/ebpf-verifier#745
File: src/crab/fwd_analyzer.hpp:14-14
Timestamp: 2024-11-05T20:59:02.521Z
Learning: When reviewing changes, avoid suggesting documentation additions for pre-existing functions (e.g., `run_forward_analyzer` in `src/crab/fwd_analyzer.hpp`) if they are outside the scope of the current PR.

test-data/loop.yaml (1)

Learnt from: Alan-Jowett
PR: vbpf/ebpf-verifier#745
File: test-data/loop.yaml:377-398
Timestamp: 2024-10-25T19:31:59.214Z
Learning: In `test-data/loop.yaml`, for the test case **"very large loop > 100K iterations"**, additional post conditions like `r0.svalue>0` and `r0.uvalue>0` are not required.

🪛 cppcheck

src/crab/fwd_analyzer.cpp

[style] 122-122: The function 'run_forward_analyzer' is never used.

(unusedFunction)

src/crab/wto.cpp

[style] 297-297: The function 'visit_loop_heads' is never used.

(unusedFunction)

🔇 Additional comments (14)

src/crab/fwd_analyzer.cpp (5)

53-53: LGTM: Good const-correctness improvement

Making _cfg a const reference prevents accidental modifications to the CFG during analysis.

71-73: LGTM: Appropriate const usage

Using a const reference for the basic block parameter is correct as the block is only read, not modified.

Line range hint 104-109: LGTM: Constructor matches member const-correctness

The constructor signature properly reflects the const member variable.

119-119: LGTM: Friend function declaration is consistent

The friend function declaration properly uses const reference, maintaining consistency with other const-correctness improvements.

Line range hint 122-134: Verify loop header identification

The implementation looks correct, but let's verify that all potential loop headers are properly identified.

✅ Verification successful

Based on the results, I can now generate the final response as we have sufficient information about the loop header identification implementation.

Loop header identification implementation is correct and complete

The verification shows a robust implementation where:

Loop headers are properly identified through the WTO (Weak Topological Order) visitor pattern in wto.cpp
Loop counter initialization is consistently implemented across the codebase:
- Counter initialization in ebpf_domain.cpp assigns a starting value of 0
- The initialization is properly invoked for each loop head in fwd_analyzer.cpp
- Loop headers are correctly detected and processed in the WTO traversal

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify that loop headers are correctly identified
# Expected: Find all potential loop headers in the codebase

# Search for loop header identification patterns
echo "Searching for loop header identification patterns..."
rg -A 5 "potential_loop_headers|visit_loop_heads" 

# Search for loop counter initialization
echo "Searching for loop counter initialization..."
rg -A 5 "initialize_loop_counter"

Length of output: 2628

🧰 Tools

🪛 cppcheck

[style] 122-122: The function 'run_forward_analyzer' is never used.

(unusedFunction)

test-data/loop.yaml (7)

189-189: LGTM! Clear error message for loop counter threshold.

The updated message provides better clarity by specifying the exact threshold that determines when a loop is considered too large.

270-358: LGTM! Comprehensive coverage of infinite loop detection.

The test cases effectively cover all comparison operators (less than, less than or equal, equal, greater than, greater than or equal) and properly verify unreachable code detection. The error messages are consistent and clear.

359-375: LGTM! Well-structured test for multiple exit points.

The test case effectively verifies that:

All exit points are correctly identified as unreachable
The loop counter threshold is enforced
Unreachability messages are properly ordered

399-417: LGTM! Good test for potential infinite loops.

The test case effectively verifies that the verifier can:

Identify potentially infinite loops
Correctly capture the uncertainty in the loop count through post-conditions

418-441: LGTM! Good test for non-loop backwards jumps.

The test case effectively verifies that:

The verifier can distinguish between loops and simple backwards jumps
The post-conditions correctly capture the final state
No false positives are generated for loop detection

442-465: LGTM! Comprehensive test for nested loops.

The test case effectively verifies that:

The verifier can handle nested loops
The infinite inner loop is correctly identified
The unreachability messages are properly ordered and include both the loop counter threshold and unreachable code

377-378: 🧹 Nitpick (assertive)

Fix comment to match the iteration count.

The comment mentions "1000001 iterations" but uses "1M" in the test case name. Consider using consistent terminology.

-# Note: This test case terminates after 1000001 iterations, but the verifier assumes that the loop is infinite
-# because it is greater than the default limit of 1000000 iterations.
+# Note: This test case terminates after 1M (1,000,001) iterations, but the verifier assumes that the loop is infinite
+# because it is greater than the default limit of 1M (1,000,000) iterations.

Likely invalid or redundant comment.

src/asm_cfg.cpp (2)

13-13: Inclusion of 'crab/wto.hpp' is appropriate

The inclusion of the header file crab/wto.hpp is necessary for utilizing Weak Topological Ordering (WTO) in loop detection within the control-flow graph. This addition is appropriate and correctly supports the new loop termination functionality.

363-363: Function signature updated appropriately with check_for_termination

The prepare_cfg function signature now includes the check_for_termination parameter, which enhances its capability to conditionally enforce loop termination checks. This modification aligns with the intended functionality and maintains consistency with the existing parameters.

src/crab/wto.hpp

src/crab/fwd_analyzer.cpp

src/crab/wto.cpp

src/asm_cfg.cpp

Signed-off-by: Alan Jowett <[email protected]>

src/asm_cfg.cpp

coderabbitai

Actionable comments posted: 7

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE

📥 Commits

Reviewing files that changed from the base of the PR and between fdc1047 and 9cbeacb.

📒 Files selected for processing (15)

src/asm_cfg.cpp (2 hunks)
src/asm_ostream.cpp (1 hunks)
src/asm_syntax.hpp (1 hunks)
src/assertions.cpp (1 hunks)
src/crab/cfg.hpp (2 hunks)
src/crab/ebpf_domain.cpp (2 hunks)
src/crab/ebpf_domain.hpp (1 hunks)
src/crab/fwd_analyzer.cpp (4 hunks)
src/crab/fwd_analyzer.hpp (1 hunks)
src/crab/wto.hpp (1 hunks)
src/crab_verifier.cpp (7 hunks)
src/crab_verifier.hpp (1 hunks)
src/main/check.cpp (2 hunks)
src/test/test_verify.cpp (2 hunks)
test-data/loop.yaml (2 hunks)

🧰 Additional context used

📓 Learnings (7)

src/asm_syntax.hpp (2)

Learnt from: Alan-Jowett
PR: vbpf/ebpf-verifier#745
File: src/asm_syntax.hpp:400-407
Timestamp: 2024-11-05T23:25:43.733Z
Learning: Cannot make the `name` member of `BoundedLoopCount` const because it breaks the code.

Learnt from: Alan-Jowett
PR: vbpf/ebpf-verifier#745
File: src/assertions.cpp:50-51
Timestamp: 2024-11-05T22:59:53.296Z
Learning: In `BoundedLoopCount` within `src/asm_syntax.hpp`, the `limit` field is a static constexpr integer and does not need to be set during construction.

src/assertions.cpp (2)

Learnt from: Alan-Jowett
PR: vbpf/ebpf-verifier#745
File: src/assertions.cpp:50-51
Timestamp: 2024-11-05T22:59:53.296Z
Learning: In `BoundedLoopCount` within `src/asm_syntax.hpp`, the `limit` field is a static constexpr integer and does not need to be set during construction.

Learnt from: Alan-Jowett
PR: vbpf/ebpf-verifier#745
File: src/assertions.cpp:44-45
Timestamp: 2024-11-05T20:07:07.356Z
Learning: Labels always contain some value and cannot be empty.

src/crab/ebpf_domain.hpp (1)

Learnt from: Alan-Jowett
PR: vbpf/ebpf-verifier#745
File: src/crab/ebpf_domain.hpp:81-81
Timestamp: 2024-11-05T20:06:15.970Z
Learning: In this codebase, `operator()` method declarations in the `ebpf_domain_t` class typically do not have documentation comments, so adding such comments is unnecessary.

src/crab/fwd_analyzer.cpp (1)

Learnt from: Alan-Jowett
PR: vbpf/ebpf-verifier#745
File: src/crab/fwd_analyzer.hpp:14-14
Timestamp: 2024-11-05T20:59:02.521Z
Learning: When reviewing changes, avoid suggesting documentation additions for pre-existing functions (e.g., `run_forward_analyzer` in `src/crab/fwd_analyzer.hpp`) if they are outside the scope of the current PR.

src/crab/fwd_analyzer.hpp (1)

Learnt from: Alan-Jowett
PR: vbpf/ebpf-verifier#745
File: src/crab/fwd_analyzer.hpp:14-14
Timestamp: 2024-11-05T20:59:02.521Z
Learning: When reviewing changes, avoid suggesting documentation additions for pre-existing functions (e.g., `run_forward_analyzer` in `src/crab/fwd_analyzer.hpp`) if they are outside the scope of the current PR.

src/crab_verifier.hpp (1)

Learnt from: elazarg
PR: vbpf/ebpf-verifier#716
File: src/crab_verifier.cpp:115-115
Timestamp: 2024-10-05T18:27:27.631Z
Learning: In `src/crab_verifier.cpp` and throughout the codebase, it's acceptable to use `const` qualifiers on value parameters to indicate that the parameter is not modified within the function.

test-data/loop.yaml (1)

Learnt from: Alan-Jowett
PR: vbpf/ebpf-verifier#745
File: test-data/loop.yaml:377-398
Timestamp: 2024-10-25T19:31:59.214Z
Learning: In `test-data/loop.yaml`, for the test case **"very large loop > 100K iterations"**, additional post conditions like `r0.svalue>0` and `r0.uvalue>0` are not required.

🪛 cppcheck

src/crab/fwd_analyzer.cpp

[style] 122-122: The function 'run_forward_analyzer' is never used.

(unusedFunction)

🔇 Additional comments (24)

src/crab/fwd_analyzer.hpp (1)

14-14: LGTM! Good improvement to const-correctness.

src/crab_verifier.hpp (1)

10-11: LGTM! Good improvement to const-correctness.

The change to make cfg parameter const is a positive improvement that:

Explicitly documents that the function won't modify the CFG
Prevents accidental modifications
Aligns with the codebase's practices for const-correctness

src/crab/fwd_analyzer.cpp (4)

53-53: LGTM! Good const-correctness improvement.

The change from cfg_t& _cfg to const cfg_t& _cfg correctly prevents unintended modifications to the CFG and better expresses the intent that this class only reads from the CFG.

71-73: LGTM! Consistent const-correctness improvements.

The changes to transform_to_post and the constructor properly propagate the const-correctness from the member variable, ensuring consistent usage throughout the class.

Also applies to: 104-108

119-119: LGTM! Friend declaration properly updated.

The friend function declaration and implementation are correctly updated to maintain const-correctness consistency with the class changes.

Also applies to: 122-122

126-129: LGTM! Clear documentation and efficient implementation.

The documentation clearly explains the purpose of loop counter initialization, and the implementation efficiently uses visit_loop_heads to initialize counters for potential loop headers.

Let's verify that loop counters are properly initialized for all potential loop headers:

✅ Verification successful

Let me analyze the loop counter initialization verification by gathering more specific information about its implementation.

Based on the gathered information, I can now generate the final response:

Loop counter initialization is correctly implemented and consistent

The implementation shows a complete and consistent loop counter management system:

Loop heads are properly detected via visit_loop_heads in the WTO (Weak Topological Order)
Each detected loop head gets a counter initialized via initialize_loop_counter
Counter increments are inserted at loop heads through IncrementLoopCounter
The domain properly tracks counter values and enforces bounds

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify that loop counter initialization is consistent with loop detection

# Find all loop-related code
echo "Checking loop detection and counter initialization consistency..."
rg -l "IncrementLoopCounter|initialize_loop_counter|visit_loop_heads" --type cpp

# Look for any potential loop detection patterns
ast-grep --pattern 'for ($$$) { $$$ }' --lang cpp
ast-grep --pattern 'while ($$$) { $$$ }' --lang cpp

Length of output: 50174

Script:

#!/bin/bash
# Check loop counter initialization and related code
echo "=== Loop counter initialization ==="
rg -A 5 "initialize_loop_counter" --type cpp

echo -e "\n=== Loop counter usage ==="
rg -A 5 "IncrementLoopCounter" --type cpp

echo -e "\n=== WTO loop head detection ==="
rg -A 5 "visit_loop_heads" --type cpp

Length of output: 5690

test-data/loop.yaml (6)

189-189: LGTM! Error message updated for consistency.

The error message has been updated to use a consistent format with other loop counter messages.

270-358: LGTM! Comprehensive coverage of infinite loop detection.

The new test cases effectively cover all comparison operators (less than, less than or equal, equal, greater than, greater than or equal) and properly verify unreachable code detection. The error messages are consistent across all cases.

359-375: LGTM! Good test case for complex loop structures.

The test case effectively verifies the handling of multiple exit points and unreachable code detection in more complex loop structures.

419-441: LGTM! Good edge case coverage.

The test case effectively verifies that backwards jumps that don't form loops are handled correctly. The empty messages array confirms that no termination issues are expected.

443-465: LGTM! Good test for nested loop termination.

The test case effectively verifies:

Detection of infinite inner loops
Proper handling of unreachable code after the infinite loop
Consistent error message format for loop counter limits

377-398: 🧹 Nitpick (assertive)

Consider using consistent numeric notation.

The test case uses both "1M" in the title and "1000001" in the code. Consider using consistent notation throughout.

-test-case: very large loop > 1M iterations
+test-case: very large loop > 1,000,000 iterations

⛔ Skipped due to learnings

Learnt from: Alan-Jowett
PR: vbpf/ebpf-verifier#745
File: test-data/loop.yaml:377-398
Timestamp: 2024-10-25T19:31:59.214Z
Learning: In `test-data/loop.yaml`, for the test case **"very large loop > 100K iterations"**, additional post conditions like `r0.svalue>0` and `r0.uvalue>0` are not required.

src/crab_verifier.cpp (3)

59-59: LGTM! Improved const-correctness.

The change to const references for function parameters is a good improvement that:

Prevents accidental modifications
Makes the code's intent clearer
May enable compiler optimizations

Also applies to: 63-63, 137-137, 165-165, 186-186

223-223: LGTM! CFG preparation correctly handles termination checking.

The prepare_cfg calls are properly updated to include termination checking:

Test function (line 223) explicitly disables must_have_exit
Production verification (line 246) uses the default value

Also applies to: 246-246

98-104: 🧹 Nitpick (assertive)

LGTM! Consider enhancing the comment.

The loop count calculation logic is well-implemented. Consider expanding the comment to better explain why we're gathering from all post-invariants:

-        // Gather the upper bound of loop counts from post-invariants.
+        // Calculate the maximum loop count across all post-invariants to detect potential
+        // infinite loops or excessive iterations in any part of the program, skipping
+        // unreachable (bottom) invariants.

Likely invalid or redundant comment.

src/crab/ebpf_domain.hpp (1)

81-81: LGTM! Well-integrated loop bound enforcement operator.

The new operator follows the established pattern in the class and integrates cleanly with the loop bound enforcement mechanism. The const reference parameter maintains const-correctness, which aligns with the PR's optimization goals.

src/main/check.cpp (1)

253-253: LGTM: Consistent addition of termination checking parameter.

The addition of ebpf_verifier_options.check_termination parameter to both prepare_cfg calls is consistent with the PR's objective to enforce loop count bounds. The changes properly integrate with the existing command-line option handling.

Let's verify the prepare_cfg implementation handles the new parameter:

Also applies to: 267-267

✅ Verification successful

The search results show that check_termination is used throughout the codebase, particularly in the forward analyzer and eBPF domain components, but surprisingly the prepare_cfg function definition wasn't found in the first search. Let's try to locate it with a different pattern:

LGTM: The check_termination parameter is properly implemented

The implementation in src/asm_cfg.cpp shows that prepare_cfg correctly handles the check_termination parameter by:

Adding loop counter increment instructions at loop headers when termination checking is enabled
Integrating with the wider termination verification system through IncrementLoopCounter instructions

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify prepare_cfg implementation handles check_termination parameter
# Expected: Find the prepare_cfg definition and verify it uses check_termination

# Search for prepare_cfg definition
ast-grep --pattern 'cfg_t prepare_cfg($_) {
  $$$
}'

# Search for check_termination usage within prepare_cfg
rg -A 5 'check_termination' --type cpp

Length of output: 4958

Script:

#!/bin/bash
# Search for prepare_cfg definition with a more flexible pattern
ast-grep --pattern 'prepare_cfg($$$) {
  $$$
}'

# Also try ripgrep as backup
rg -A 10 '^cfg_t prepare_cfg' --type cpp

Length of output: 1606

src/asm_syntax.hpp (2)

400-407: LGTM! The implementation is clean and well-documented.

The struct follows the established pattern in the codebase, with appropriate documentation explaining its purpose and behavior.

410-410: LGTM! The variant update is correct.

The addition of BoundedLoopCount to AssertionConstraint is properly integrated with the existing constraint types.

src/asm_cfg.cpp (1)

367-372: 🧹 Nitpick (assertive)

Consider caching WTO results for performance.

The WTO computation and loop head traversal could be optimized by caching results when multiple analyses are needed.

Let's verify if WTO is computed multiple times:

src/asm_ostream.cpp (1)

138-141: LGTM! Implementation aligns with PR objectives.

The output stream operator correctly formats the BoundedLoopCount for display, following the established patterns and maintaining const-correctness. The implementation supports the PR's goal of enforcing loop count limits by providing a clear representation of loop counter assertions.

src/crab/cfg.hpp (1)

627-628: LGTM! Parameter ordering is logical.

The addition of check_for_termination parameter before the optional must_have_exit parameter maintains good API design by placing required parameters before optional ones.

src/test/test_verify.cpp (1)

589-591: LGTM! Good improvement to const-correctness.

The change to make cfg parameter const is a good practice as it clearly indicates the function's intent to only read the configuration.

src/crab/ebpf_domain.cpp (1)

2965-2966: 🧹 Nitpick (assertive)

Consider adding documentation and const correctness.

The implementation correctly increments the loop counter, but could be improved with:

A comment explaining the purpose of this operator
Making the counter variable const since it's only used for lookup

-    const auto counter = variable_t::loop_counter(to_string(ins.name));
-    this->add(counter, 1);
+    // Increments the loop counter associated with the given label
+    const auto counter = variable_t::loop_counter(to_string(ins.name));
+    this->add(counter, 1);

Likely invalid or redundant comment.

src/crab/wto.hpp

src/assertions.cpp

src/asm_cfg.cpp

src/crab/cfg.hpp

src/test/test_verify.cpp

src/crab/ebpf_domain.cpp

src/crab/fwd_analyzer.cpp

src/crab/wto.hpp

src/crab/cfg.hpp

Signed-off-by: Alan Jowett <[email protected]>

coderabbitai

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE

📥 Commits

Reviewing files that changed from the base of the PR and between 9cbeacb and f44316a.

📒 Files selected for processing (4)

src/asm_cfg.cpp (2 hunks)
src/crab/cfg.hpp (2 hunks)
src/crab/fwd_analyzer.cpp (4 hunks)
src/crab/wto.hpp (1 hunks)

🧰 Additional context used

📓 Learnings (1)

src/crab/fwd_analyzer.cpp (1)

Learnt from: Alan-Jowett
PR: vbpf/ebpf-verifier#745
File: src/crab/fwd_analyzer.hpp:14-14
Timestamp: 2024-11-05T20:59:02.521Z
Learning: When reviewing changes, avoid suggesting documentation additions for pre-existing functions (e.g., `run_forward_analyzer` in `src/crab/fwd_analyzer.hpp`) if they are outside the scope of the current PR.

🪛 cppcheck

src/crab/fwd_analyzer.cpp

[style] 122-122: The function 'run_forward_analyzer' is never used.

(unusedFunction)

🔇 Additional comments (9)

src/crab/fwd_analyzer.cpp (5)

53-53: LGTM! Good const-correctness improvement.

Making _cfg a const reference prevents accidental modifications to the CFG during analysis, which is the correct design choice.

71-73: LGTM! Appropriate use of const reference.

The change to use a const reference for the basic block parameter is correct as it prevents modification and avoids unnecessary copying.

Line range hint 104-109: LGTM! Constructor signature matches member variable constness.

The constructor correctly takes a const reference to match the const member variable _cfg.

119-119: LGTM! Friend function declaration maintains const-correctness.

The friend function declaration correctly uses const reference, maintaining consistency with the class design.

126-130: LGTM! Well-documented loop counter initialization.

The implementation correctly initializes loop counters for potential loop headers, and the TODO comment appropriately tracks the potential future improvement of making this an instruction.

src/crab/cfg.hpp (1)

622-623: LGTM! Parameter ordering is logical.

The updated signature maintains good parameter ordering by placing the new check_for_termination parameter before the optional must_have_exit parameter.

src/asm_cfg.cpp (3)

13-13: Including the required header for loop detection

The inclusion of #include "crab/wto.hpp" is necessary for utilizing Weak Topological Ordering (WTO) in loop detection.

362-364: Function signature updated appropriately

The addition of the check_for_termination parameter to the prepare_cfg function enhances control over loop termination checks. The parameter placement maintains consistency with existing arguments.

368-376: Correct implementation of loop detection and loop counter insertion

Using WTO to detect loops and inserting IncrementLoopCounter instructions at loop entry points is a sound approach. The detailed comments provide clear insight into the purpose and methodology, improving maintainability.

src/crab/wto.hpp

Alan-Jowett · 2024-11-06T22:08:43Z

Thanks for merging this.

Alan-Jowett changed the title ~~Find highest loop count at any point in the program~~ Check for unreachable exit Oct 18, 2024

coderabbitai bot reviewed Oct 18, 2024

View reviewed changes

src/crab_verifier.cpp Outdated Show resolved Hide resolved

dthaler approved these changes Oct 18, 2024

View reviewed changes

coderabbitai bot reviewed Oct 22, 2024

View reviewed changes

src/crab_verifier.cpp Outdated Show resolved Hide resolved

coderabbitai bot reviewed Oct 22, 2024

View reviewed changes

src/crab_verifier.cpp Outdated Show resolved Hide resolved

Alan-Jowett force-pushed the issue744 branch from 56956d1 to 0bb1d34 Compare October 22, 2024 23:20

coderabbitai bot reviewed Oct 22, 2024

View reviewed changes

test-data/loop.yaml Outdated Show resolved Hide resolved

src/crab_verifier.cpp Outdated Show resolved Hide resolved

coderabbitai bot reviewed Oct 23, 2024

View reviewed changes

test-data/loop.yaml Outdated Show resolved Hide resolved

test-data/loop.yaml Outdated Show resolved Hide resolved

coderabbitai bot reviewed Oct 23, 2024

View reviewed changes

test-data/loop.yaml Outdated Show resolved Hide resolved

Alan-Jowett force-pushed the issue744 branch from d22c3cc to 03dfb3a Compare October 25, 2024 19:30

coderabbitai bot reviewed Oct 25, 2024

View reviewed changes

test-data/loop.yaml Outdated Show resolved Hide resolved

src/crab_verifier.cpp Outdated Show resolved Hide resolved

src/crab_verifier.cpp Outdated Show resolved Hide resolved

Alan-Jowett force-pushed the issue744 branch 2 times, most recently from 55a50fd to fc1d4dc Compare October 26, 2024 18:24

coderabbitai bot reviewed Oct 26, 2024

View reviewed changes

src/crab_verifier.cpp Outdated Show resolved Hide resolved

src/crab_verifier.cpp Outdated Show resolved Hide resolved

Alan-Jowett force-pushed the issue744 branch from a4a10b3 to 9e376d2 Compare October 30, 2024 19:54

coderabbitai bot reviewed Nov 1, 2024

View reviewed changes

test-data/loop.yaml Outdated Show resolved Hide resolved

coderabbitai bot reviewed Nov 1, 2024

View reviewed changes

src/crab_verifier.cpp Outdated Show resolved Hide resolved

src/crab_verifier.cpp Outdated Show resolved Hide resolved

src/asm_syntax.hpp Outdated Show resolved Hide resolved

src/crab/ebpf_domain.cpp Outdated Show resolved Hide resolved

Alan-Jowett changed the title ~~Check for unreachable exit~~ Enforce upper bound on loop count on all instructions in loops Nov 1, 2024

coderabbitai bot reviewed Nov 1, 2024

View reviewed changes

src/asm_syntax.hpp Outdated Show resolved Hide resolved

Alan-Jowett force-pushed the issue744 branch from 054f205 to 799bafc Compare November 1, 2024 22:52

elazarg reviewed Nov 5, 2024

View reviewed changes

src/crab/fwd_analyzer.cpp Outdated Show resolved Hide resolved

elazarg reviewed Nov 5, 2024

View reviewed changes

test-data/loop.yaml Show resolved Hide resolved

Alan-Jowett force-pushed the issue744 branch from 9776bd6 to 9e3ec85 Compare November 5, 2024 22:19

coderabbitai bot reviewed Nov 5, 2024

View reviewed changes

Alan-Jowett force-pushed the issue744 branch from 9e3ec85 to 1f9383c Compare November 5, 2024 22:59

coderabbitai bot reviewed Nov 5, 2024

View reviewed changes

src/crab/fwd_analyzer.cpp Outdated Show resolved Hide resolved

src/crab/fwd_analyzer.cpp Outdated Show resolved Hide resolved

test-data/loop.yaml Show resolved Hide resolved

src/asm_syntax.hpp Show resolved Hide resolved

src/asm_cfg.cpp Outdated Show resolved Hide resolved

elazarg reviewed Nov 6, 2024

View reviewed changes

src/crab/cfg.hpp Outdated Show resolved Hide resolved

Alan-Jowett commented Nov 6, 2024

View reviewed changes

src/asm_cfg.cpp Outdated Show resolved Hide resolved

coderabbitai bot reviewed Nov 6, 2024

View reviewed changes

test-data/loop.yaml Show resolved Hide resolved

src/asm_cfg.cpp Show resolved Hide resolved

src/asm_cfg.cpp Outdated Show resolved Hide resolved

src/asm_cfg.cpp Outdated Show resolved Hide resolved

coderabbitai bot reviewed Nov 6, 2024

View reviewed changes

src/crab/wto.hpp Outdated Show resolved Hide resolved

src/crab/fwd_analyzer.cpp Outdated Show resolved Hide resolved

src/crab/wto.cpp Outdated Show resolved Hide resolved

src/asm_cfg.cpp Outdated Show resolved Hide resolved

Emit warning if maximum number of iterations is reached.

9cbeacb

Signed-off-by: Alan Jowett <[email protected]>

Alan-Jowett force-pushed the issue744 branch from fdc1047 to 9cbeacb Compare November 6, 2024 19:57

Alan-Jowett commented Nov 6, 2024

View reviewed changes

src/asm_cfg.cpp Outdated Show resolved Hide resolved

coderabbitai bot reviewed Nov 6, 2024

View reviewed changes

elazarg reviewed Nov 6, 2024

View reviewed changes

src/crab/fwd_analyzer.cpp Outdated Show resolved Hide resolved

elazarg reviewed Nov 6, 2024

View reviewed changes

src/crab/wto.hpp Outdated Show resolved Hide resolved

elazarg reviewed Nov 6, 2024

View reviewed changes

src/crab/cfg.hpp Outdated Show resolved Hide resolved

elazarg approved these changes Nov 6, 2024

View reviewed changes

PR feedback

f44316a

Signed-off-by: Alan Jowett <[email protected]>

coderabbitai bot reviewed Nov 6, 2024

View reviewed changes

src/crab/wto.hpp Show resolved Hide resolved

elazarg merged commit 7616c29 into vbpf:main Nov 6, 2024
19 checks passed

Alan-Jowett deleted the issue744 branch November 6, 2024 22:08

Alan-Jowett mentioned this pull request Nov 6, 2024

Verifier fails to detect infinite loops on conditional jumps #744

Closed

This was referenced Nov 7, 2024

Simplify configuration options #775

Merged

Make the assertions part of a generalized instruction #779

Merged

Split ebpf_domain_t into domain, transformer, checker #787

Merged

This was referenced Nov 20, 2024

Simplify invariant output #798

Merged

Uniform printing of simplified vs non-simplified #805

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Enforce upper bound on loop count on all instructions in loops #745

Enforce upper bound on loop count on all instructions in loops #745

Alan-Jowett commented Oct 18, 2024 •

edited by coderabbitai bot

Loading

coderabbitai bot commented Oct 18, 2024 •

edited

Loading

Chat

CodeRabbit Commands (Invoked using PR comments)

Other keywords and placeholders

CodeRabbit Configuration File (`.coderabbit.yaml`)

Documentation and Community

coderabbitai bot left a comment

coveralls commented Oct 18, 2024 •

edited

Loading

coderabbitai bot left a comment

coderabbitai bot left a comment

coderabbitai bot left a comment

coderabbitai bot left a comment

coderabbitai bot left a comment

coderabbitai bot left a comment

coderabbitai bot left a comment

elazarg commented Oct 31, 2024

dthaler commented Oct 31, 2024

Alan-Jowett commented Oct 31, 2024

Alan-Jowett commented Oct 31, 2024

elazarg commented Nov 1, 2024

elazarg commented Nov 1, 2024

coderabbitai bot left a comment

coderabbitai bot left a comment

coderabbitai bot left a comment

Alan-Jowett commented Nov 2, 2024

elazarg commented Nov 2, 2024

Alan-Jowett commented Nov 5, 2024

coderabbitai bot left a comment

coderabbitai bot left a comment

coderabbitai bot left a comment

coderabbitai bot left a comment

coderabbitai bot left a comment

coderabbitai bot left a comment

Alan-Jowett commented Nov 6, 2024

Enforce upper bound on loop count on all instructions in loops #745

Enforce upper bound on loop count on all instructions in loops #745

Conversation

Alan-Jowett commented Oct 18, 2024 • edited by coderabbitai bot Loading

Enhancements to Loop Handling and Termination Checks:

Codebase Simplification and Refactoring:

Summary by CodeRabbit

Release Notes

coderabbitai bot commented Oct 18, 2024 • edited Loading

Walkthrough

Changes

Possibly related PRs

Suggested reviewers

Poem

Chat

CodeRabbit Commands (Invoked using PR comments)

Other keywords and placeholders

CodeRabbit Configuration File (.coderabbit.yaml)

Documentation and Community

coderabbitai bot left a comment

Choose a reason for hiding this comment

coveralls commented Oct 18, 2024 • edited Loading

coderabbitai bot left a comment

Choose a reason for hiding this comment

coderabbitai bot left a comment

Choose a reason for hiding this comment

coderabbitai bot left a comment

Choose a reason for hiding this comment

coderabbitai bot left a comment

Choose a reason for hiding this comment

coderabbitai bot left a comment

Choose a reason for hiding this comment

coderabbitai bot left a comment

Choose a reason for hiding this comment

coderabbitai bot left a comment

Choose a reason for hiding this comment

elazarg commented Oct 31, 2024

dthaler commented Oct 31, 2024

Alan-Jowett commented Oct 31, 2024

Alan-Jowett commented Oct 31, 2024

elazarg commented Nov 1, 2024

elazarg commented Nov 1, 2024

coderabbitai bot left a comment

Choose a reason for hiding this comment

coderabbitai bot left a comment

Choose a reason for hiding this comment

coderabbitai bot left a comment

Choose a reason for hiding this comment

Alan-Jowett commented Nov 2, 2024

elazarg commented Nov 2, 2024

Alan-Jowett commented Nov 5, 2024

coderabbitai bot left a comment

Choose a reason for hiding this comment

coderabbitai bot left a comment

Choose a reason for hiding this comment

coderabbitai bot left a comment

Choose a reason for hiding this comment

coderabbitai bot left a comment

Choose a reason for hiding this comment

coderabbitai bot left a comment

Choose a reason for hiding this comment

coderabbitai bot left a comment

Choose a reason for hiding this comment

Alan-Jowett commented Nov 6, 2024

Alan-Jowett commented Oct 18, 2024 •

edited by coderabbitai bot

Loading

coderabbitai bot commented Oct 18, 2024 •

edited

Loading

CodeRabbit Configuration File (`.coderabbit.yaml`)

coveralls commented Oct 18, 2024 •

edited

Loading