Goto programs validation

[sonodtt]

• Each commit message has a non-empty body, explaining why the change was made.
• Methods or procedures I have added are documented, following the guidelines provided in CODING_STANDARD.md.
• Regression or unit tests are included, or existing tests cover the modified code (in this case I have detailed which ones those are in the commit message).
• My commit message includes data points confirming performance improvements (if claimed).
• My PR is restricted to a single feature or bugfix.
• White-space or formatting changes outside the feature-related changed lines are in commits of their own.

---

2019-03-01
NB Will squash prior to merge.
Fairly major changes after review by Kroening.

1. check for entry-point now disabled
2. checks for presence of sourcelocation and code.sourcelocation now disabled.
3. goto_modelt::validate now has default values for validation_mode and goto_model_validation_options

---

2019-02-27
There will be a follow up PR to this to re-enable the checks for an entry-point ("validate_goto_modelt::entry_point_exists()")
This is temporarily disabled as some (<6) regression tests have no entry point, and in some
cases this is intentional (e.g. testing json-ui warnings)

---

2018-12-21
The first two commits are not new. Changes to reviews have been put into separate commits - but the last commit is the most consequential as it deals with @daniel.poetzl’s request for a change of location and I break the source location tests out into a new unit test file.

• Relevant to this PR (the bigger picture) are also the remarks on
#751 & more recently on #3188
These are not addressed directly here as such, but I am flagging these as context/reminders for reviewers/ going forward.
In particular:
#3188 (comment)
There are several (hopefully nested but maybe not) ideas of what a "valid" goto-program is that are implicitly assumed by different parts of the code. Part of the point of all of this validity checking was to map out, clarify and correct these. Parts of the code assume that there are no RETURN instructions, parts assume that there are and things like the last instruction (apart from END_INSTRUCTION) should be return. I was asking how your validity checks will cope with this. It seems there are two options:

• The caller specifies which kind of goto-program they want to check for.
• The check reports some auxiliary flags and the caller then checks these separately.

@peterschrammel added:
There are several kinds of Goto program that (should) form a subset chain.
The transformations in process_Goto_program() go through this chain in several feature reduction passes.
Certain analyses may require a specific kind of Goto program.
So, 'valid' depends on the stage of processing. We should make this explicit.

[xbauch]

Please fill the comment (also below).

[sonodtt]

Done. Thanks!

[xbauch]

Is the semicolon necessary?

[sonodtt]

erm..nope! Well spotted.

[martin-cs]

Right direction but not finished yet.

[martin-cs]

??? Why not just use ID_address_of directly?

[sonodtt]

Done.

[martin-cs]

Does this work for pre-linking goto-programs?

[sonodtt]

@martin-cs
That got us thinking... and I rewrote the following check (which now has the comments below)
/// Check that goto-programs that have a body end with an END_FUNCTION
/// instruction.
///
/// NB functions that are only declared, and not used will not appear in the
/// function map. Functions that are declared only and used to e.g.
/// initialise a function pointer will have no body.
void check_last_instruction();

[karkhaz]

@tautschnig suggested that I chime in here: instructionts have a source_location and also a code->source_location(), but these are often inconsistent (sometimes one of them is nil). I'm wondering whether it should be an invariant that those two fields are always identical. I've been using the below code in various places, but it would be nice if there were a consistency check for this sort of thing:

const source_locationt &sloc_of(const goto_programt::const_targett &ins) const
  {
    return ins->code.source_location().is_not_nil()
             ? ins->code.source_location()
             : ins->source_location;
  }

  source_locationt &sloc_of(const goto_programt::const_targett &ins)
  {
    return const_cast<source_locationt &>(
      static_cast<const dispatch_loop_detectort &>(*this).sloc_of(ins));
  }

  const source_locationt &sloc_of(const goto_programt::instructiont &ins) const
  {
    return ins.code.source_location().is_not_nil() ? ins.code.source_location()
                                                   : ins.source_location;
  }

  source_locationt &sloc_of(const goto_programt::instructiont &ins)
  {
    return const_cast<source_locationt &>(
      static_cast<const dispatch_loop_detectort &>(*this).sloc_of(ins));
  }

[sonodtt]

@karkhaz Many thanks for bringing this up. A check is now in place - not currently active as the code needs patching to ensure both locations are set. I'll raise an issue for that.

[allredj]

✔️
Passed Diffblue compatibility checks (cbmc commit: 1fb1129).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/102487466

[kroening]

Given how often that all_true option is used, simply make that the default?

[kroening]

Same for INVARIANT?

[sonodtt]

Done. Also for INVARIANT.

[kroening]

Remove the comma

[kroening]

Note that not every instruction has a code member, so this will fail.

[sonodtt]

Action taken (after team chat). In commit message (reproduced here in case it helps):

Removed previously disabled checks :
Not every instruction has a code member - so removed checks that both
instruction sourcelocation and code sourcelocation are set and identical
Remove also remaining check that every instruction have a non-nil
sourcelocation as this would have to be optional (if enabled fails
many regression tests). This also simplifies considerably the overall
validation pass (removes much passing around of the options structure).

[kroening]

Please note #4266 on the return type.

[sonodtt]

removed in validate_goto_model.cpp

    DATA_CHECK(
      vm,
      goto_function.type.return_type().id() == ID_empty,
      "functions must have empty return type");

[kroening]

Use instr.get_function_call().

[sonodtt]

Done.

[kroening]

Same here

[sonodtt]

Done.

[kroening]

Same here

[sonodtt]

Done.

[kroening]

instructiont::make_end_function is deprecated -- use goto_programt::make_end_function

[sonodtt]

Done.

[kroening]

The source_locationt ireps don't have an ID.

[sonodtt]

Done.

[kroening]

Same here

[sonodtt]

Done.

[allredj]

✔️
Passed Diffblue compatibility checks (cbmc commit: 6ba2cf4).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/102836757

[martin-cs]

As a start this is reasonable but there are many invariants it doesn't check (whether variables follow the DECL - use - DEAD cycle, scoping of variables, whether exprt's are well formed, etc.). I presume these will be in follow-up patches.

[martin-cs]

If this is intended to be comprehensive right now, it should also check for vector and complex. If this is intended to be a general framework then it's not super urgent.

[chrisr-diffblue]

Its a general framework right now - everyone is invited to fill in the additional checks :-)