Extend and cleanup usability of __CPROVER_{r,w}_ok#4485
Extend and cleanup usability of __CPROVER_{r,w}_ok#4485tautschnig merged 3 commits intodiffblue:developfrom
Conversation
tautschnig
requested review from
chrisr-diffblue,
danpoe,
martin-cs,
owen-mc-diffblue,
peterschrammel,
smowton and
thk123
as code owners
tautschnig
force-pushed
the
cprover-rw-ok
branch
from
c4b19af to
b44e86a
Compare
|
You might want to add a test where "r_ok" should pass, but "w_ok" should fail. Something like |
Thank you very much for the suggestion - I have added such a test, but marked it as |
tautschnig
force-pushed
the
cprover-rw-ok
branch
from
fceca1f to
7f8f20e
Compare
allredj
left a comment
allredj
left a comment
There was a problem hiding this comment.
This PR failed Diffblue compatibility checks (cbmc commit: 7f8f20e).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/107129865
Status will be re-evaluated on next push.
Common spurious failures include: the cbmc commit has disappeared in the mean time (e.g. in a force-push); the author is not in the list of contributors (e.g. first-time contributors); compatibility was already broken by an earlier merge.
| assert(__CPROVER_r_ok(arbitrary_size, n)); | ||
| assert(__CPROVER_w_ok(arbitrary_size, n)); | ||
|
|
||
| assert(__CPROVER_r_ok(arbitrary_size, n + 1)); |
There was a problem hiding this comment.
Without --pointer-check any use of __CPROVER_{r,w}_ok is now a no-op (and is now also documented as such), but with --pointer-check this fails as expected (there are two regression tests using the same main.c file included).
There was a problem hiding this comment.
Is this what we want? I would find it more intuitive if these were independent.
There was a problem hiding this comment.
It does make the implementation a lot easier, and also removes a need for documentation, so that seems much better. The only cost is that we will unconditionally need to run the local alias analysis.
There was a problem hiding this comment.
Ok, this will require #4471 to be merged first. And another bug left to be debugged.
There was a problem hiding this comment.
Hmm, actually there is more to it than just #4471, we also seem to be messing up ID_this elsewhere.
There was a problem hiding this comment.
If the cost of the local alias analysis is a concern, there could be a quick scan for the predicate in the function; but so far, that analysis has not been cause for concern.
There was a problem hiding this comment.
Agreed, I just need to fix bugs in the C++ and Java front-ends first as the local alias analysis needs to succeed in doing symbol-table lookups...
tautschnig
changed the title
tautschnig
changed the title
tautschnig
force-pushed
the
cprover-rw-ok
branch
from
7f8f20e to
369495c
Compare
Ensure Java stubbing names parameters [blocks: #4485]
tautschnig
changed the title
We did not have an explicit test of __CPROVER_{r,w}_ok, only implicit
ones as we use these predicates in our model of the C library. While
preparing a test it became apparent that the predicates are only
evaluated when --pointer-check is set. This caused surprising behaviour
as a negated predicate would result in failing assertions. Instead, make
sure the expression is always evaluated, independent of --pointer-check.
This requires always performing a local alias analysis, even when no
pointer checks are enabled.
tautschnig
force-pushed
the
cprover-rw-ok
branch
from
369495c to
1a8b834
Compare
tautschnig
requested review from
NathanJPhillips,
cesaro and
cristina-david
as code owners
tautschnig
assigned
smowton,
peterschrammel,
martin-cs and
chrisr-diffblue and unassigned
tautschnig
src/analyses/goto_check.cpp
Outdated
| // the LHS might invalidate any assertion | ||
| invalidate(code_assign.lhs()); | ||
|
|
||
| if(has_subexpr(i.code.op1(), [](const exprt &expr) { |
There was a problem hiding this comment.
i.code.op1 -> code_assign.rhs
src/analyses/goto_check.cpp
Outdated
| { | ||
| auto rw_ok_cond = rw_ok_check(i.code.op1()); | ||
| if(rw_ok_cond.has_value()) | ||
| i.code.op1() = *rw_ok_cond; |
There was a problem hiding this comment.
Hang on, so if any subexpr was an r_ok or w_ok then you overwrite the whole RHS? That seems surprising, what's the rationale for blowing away arbitrary AST nodes here?
There was a problem hiding this comment.
No, rw_ok_check will take care of only replacing parts of the RHS.
tautschnig
force-pushed
the
cprover-rw-ok
branch
from
1a8b834 to
d7dc902
Compare
allredj
left a comment
allredj
left a comment
There was a problem hiding this comment.
This PR failed Diffblue compatibility checks (cbmc commit: 1a8b834).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/107785716
Status will be re-evaluated on next push.
Common spurious failures include: the cbmc commit has disappeared in the mean time (e.g. in a force-push); the author is not in the list of contributors (e.g. first-time contributors); compatibility was already broken by an earlier merge.
src/analyses/goto_check.cpp
Outdated
| return expr.id() == ID_r_ok || expr.id() == ID_w_ok; | ||
| })) | ||
| { | ||
| auto rw_ok_cond = rw_ok_check(i.code.op0()); |
There was a problem hiding this comment.
to_code_return(code).return_value()
There was a problem hiding this comment.
Oops, thank you for keeping me from being lazy.
We previously only evaluated __CPROVER_{r,w}_ok in assertions (without
telling anyone that was the case). Instead, evaluate it in all contexts
where it might reasonably appear.
We do not currently have a good way of distinguishing lvalues from rvalues, and thus actually treat __CPROVER_w_ok and __CPROVER_r_ok the same. The test shows that this shouldn't always be done.
tautschnig
force-pushed
the
cprover-rw-ok
branch
from
d7dc902 to
7ecf1f6
Compare
allredj
left a comment
allredj
left a comment
There was a problem hiding this comment.
This PR failed Diffblue compatibility checks (cbmc commit: d7dc902).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/107793523
Status will be re-evaluated on next push.
Common spurious failures include: the cbmc commit has disappeared in the mean time (e.g. in a force-push); the author is not in the list of contributors (e.g. first-time contributors); compatibility was already broken by an earlier merge.
allredj
left a comment
allredj
left a comment
There was a problem hiding this comment.
✔️
Passed Diffblue compatibility checks (cbmc commit: 7ecf1f6).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/107802062
8 participants
__CPROVER_r_okand__CPROVER_w_okhad surprising behaviour that wasn't documented. Make the behaviour less surprising and document it.