From ecd057376de847d40e1e29e2bf33e95eae3f835f Mon Sep 17 00:00:00 2001
From: Martin Quinson
Date: Tue, 9 Aug 2022 01:17:39 +0200
Subject: [PATCH] Don't test statequality: it's ~15h w/o DPOR and hard to optimize
---
 examples/cpp/CMakeLists.txt | 16 +++++----
 .../s4u-mc-failing-assert-statequality.tesh | 2 +-
 src/mc/compare.cpp | 34 ++++++++++++++++++-
 3 files changed, 44 insertions(+), 8 deletions(-)
diff --git a/examples/cpp/CMakeLists.txt b/examples/cpp/CMakeLists.txt
index 4e13fab9ee..1e4132106e 100644
--- a/examples/cpp/CMakeLists.txt
+++ b/examples/cpp/CMakeLists.txt
@@ -216,12 +216,16 @@ endforeach()
 # Test non-DPOR reductions on a given MC test
 foreach(example mc-failing-assert)
 if(SIMGRID_HAVE_MC)
- ADD_TESH(s4u-${example}-statequality --setenv bindir=${CMAKE_CURRENT_BINARY_DIR}/${example}
- --setenv libdir=${CMAKE_BINARY_DIR}/lib
- --setenv platfdir=${CMAKE_HOME_DIRECTORY}/examples/platforms
- --setenv srcdir=${CMAKE_CURRENT_SOURCE_DIR}/${example}
- --cd ${CMAKE_CURRENT_SOURCE_DIR}/${example}
- ${CMAKE_HOME_DIRECTORY}/examples/cpp/${example}/s4u-${example}-statequality.tesh)
+# State equality is not tested because it would take about 15 hours to run that test on my machine.
+# We should first optimize mmalloc_heap_differ() which takes ~4sec for each pair to compare (maybe {175 x 174/ 2} pairs here)
+# See the comment on mmalloc_heap_differ() in compare.cpp for more info on why it's hard to optimize.
+#
+# ADD_TESH(s4u-${example}-statequality --setenv bindir=${CMAKE_CURRENT_BINARY_DIR}/${example}
+# --setenv libdir=${CMAKE_BINARY_DIR}/lib
+# --setenv platfdir=${CMAKE_HOME_DIRECTORY}/examples/platforms
+# --setenv srcdir=${CMAKE_CURRENT_SOURCE_DIR}/${example}
+# --cd ${CMAKE_CURRENT_SOURCE_DIR}/${example}
+# ${CMAKE_HOME_DIRECTORY}/examples/cpp/${example}/s4u-${example}-statequality.tesh)
 ADD_TESH(s4u-${example}-nodpor --setenv bindir=${CMAKE_CURRENT_BINARY_DIR}/${example}
 --setenv libdir=${CMAKE_BINARY_DIR}/lib
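Review bot: Commenting out the `ADD_TESH(s4u-${example}-statequality ...)` call in examples/cpp/CMakeLists.txt leaves the state-equality comparison without a test in this `foreach`, as far as the hunk shows, while the comment this same patch adds to compare.cpp says the soundness of the liveness checker depends on that comparison. The new CMake comment gives the reason but no condition for turning the test back on; I would add a line such as `# TODO: re-enable once mmalloc_heap_differ() is fast enough, or replace with a smaller state-equality scenario` so the coverage gap stays visible. The cost figures also disagree between the two comments (`~4sec` here, `about 5 seconds` in compare.cpp) and should be aligned. The enclosing `foreach`/`if` block continues past the end of the hunk.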
diff --git a/examples/cpp/mc-failing-assert/s4u-mc-failing-assert-statequality.tesh b/examples/cpp/mc-failing-assert/s4u-mc-failing-assert-statequality.tesh
index 5489a1e182..97c8085422 100644
--- a/examples/cpp/mc-failing-assert/s4u-mc-failing-assert-statequality.tesh
+++ b/examples/cpp/mc-failing-assert/s4u-mc-failing-assert-statequality.tesh
@@ -2,7 +2,7 @@
 ! expect return 1
 ! timeout 300
-$ ${bindir:=.}/../../../bin/simgrid-mc --cfg=model-check/visited:20 -- ${bindir:=.}/s4u-mc-failing-assert ${platfdir}/small_platform.xml --log=root.thresh:critical
+$ ${bindir:=.}/../../../bin/simgrid-mc --cfg=model-check/visited:10000 -- ${bindir:=.}/s4u-mc-failing-assert ${platfdir}/small_platform.xml --log=root.thresh:critical
 > [0.000000] [xbt_cfg/INFO] Configuration change: Set 'model-check/visited' to '20'
 > [0.000000] [mc_dfs/INFO] Start a DFS exploration. Reduction is: dpor.
 > [0.000000] [mc_ModelChecker/INFO] **************************
diff --git a/src/mc/compare.cpp b/src/mc/compare.cpp
index 8acb0dd135..849059b214 100644
--- a/src/mc/compare.cpp
+++ b/src/mc/compare.cpp
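Review bot: In s4u-mc-failing-assert-statequality.tesh the expected-output line directly below the changed command is left as context and still reads `Set 'model-check/visited' to '20'`, although the command now passes `--cfg=model-check/visited:10000`. If that line is still printed, the test will fail on the mismatch when it is run again; the expectation should become `> [0.000000] [xbt_cfg/INFO] Configuration change: Set 'model-check/visited' to '10000'`. The unchanged `! timeout 300` also does not fit the run time of about 15 hours quoted in the CMake comment. Because the CMake hunk of this patch disables the test, nothing will flag either stale value until someone re-enables it.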
@@ -201,6 +201,37 @@ static bool heap_area_differ(const RemoteProcess& process, StateComparator& stat
 const Snapshot& snapshot1, const Snapshot& snapshot2, HeapLocationPairs* previous, Type* type, int pointer_level);
+/* Compares the content of each heap fragment between the two states, at the bit level.
+ *
+ * This operation is costly (about 5 seconds per snapshots' pair to compare on a small program),
+ * but hard to optimize because our algorithm is too hackish.
+ *
+ * Going at bit level can trigger syntaxtic differences on states that are semantically equivalent.
+ *
+ * Padding bytes constitute the first source of such syntaxtic difference: Any malloced memory contains spaces that
+ * are not used to enforce the memory alignment constraints of the CPU. So, cruft of irrelevant changes could get
+ * added on these bits. But this case is handled properly, as any memory block is zeroed by mmalloc before being handled
+ * back, not only for calloc but also for malloc. So the memory interstices due to padding bytes are properly zeroed.
+ *
+ * Another source of such change comes from the order of mallocs, that may well change from one execution path to
+ * another. This will change the malloc fragment in which the data is stored and the pointer values (syntaxtic
+ * difference) while the semantic of the state remains the same.
+ *
+ * To fix this, this code relies on a hugly hack. When we see a difference during the bit-level comparison,
+ * we first check if it could be explained by a pointer-to-block difference. Ie, if when interpreting the memory
+ * area containing that difference as a pointer, I get the pointer to a valid fragment in the heap (in both snapshots).
+ *
+ * This is why we cannot pre-compute a bit-level hash of the heap content: we discover the pointers to other memory
+ * fragment when a difference is found during the bit-level exploration. Fixing this would require to save typing
+ * information about the memory fragments, which is something that could be done with https://github.com/tudasc/TypeART
+ * This would give us all pointers in the mallocated memory, allowing the graph traversal needed to precompute the hash.
+ *
+ * Using a hash without paying attention to malloc fragment reordering would lead to false negatives:
+ * semantically equivalent states would be detected as [syntaxically] different. It's of no importance for the
+ * state-equality reduction (we would re-explore semantically equivalent states), but it would endanger the soundness
+ * of the liveness model-checker, as state-equality is used to detect the loops that constitute the accepting states of
+ * the verified property. So we could miss counter-examples to the verified property. Not good. Not good at all.
+ */
 static bool mmalloc_heap_differ(const RemoteProcess& process, StateComparator& state, const Snapshot& snapshot1, const Snapshot& snapshot2) {
@@ -1247,9 +1278,10 @@ bool Snapshot::operator==(const Snapshot& other)
 }
 }
+ XBT_VERB(" Compare heap...");
 /* Compare heap */
 if (mmalloc_heap_differ(process, state_comparator, *this, other)) {
- XBT_VERB("(%ld - %ld) Different heap (mmalloc_compare)", this->num_state_, other.num_state_);
+ XBT_VERB("(%ld - %ld) Different heap (mmalloc_heap_differ)", this->num_state_, other.num_state_);
 return false;
 }
-- 2.20.1
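Review bot: The new comment above `mmalloc_heap_differ()` covers only one direction of error (equivalent states reported as different) and does not say whether the pointer-to-block check can err the other way. The open case is a differing non-pointer word that happens to decode to a valid heap fragment in both snapshots, which might let two different states compare equal. Since the same comment says liveness soundness rests on this comparison, one sentence stating whether that case is excluded, and by what, would be worth adding; I cannot tell from this hunk because the function body lies outside it. Wording fixes while editing: `syntaxtic`/`syntaxically` should be `syntactic`/`syntactically`, `hugly` should be `ugly`, `handled back` should be `handed back`, and the TypeART sentence lacks its final period.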
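Review bot: The added `XBT_VERB(" Compare heap...");` in the second compare.cpp hunk carries no state numbers, unlike the "Different heap" message a few lines below, so in a verbose log of many pair comparisons it cannot be matched to a pair. `XBT_VERB("(%ld - %ld) Compare heap...", this->num_state_, other.num_state_);` would keep the two messages consistent. The `/* Compare heap */` comment that follows now repeats the log text and could be dropped. `Snapshot::operator==` starts and ends outside this hunk.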