Skip to content

Add support for function contracts in cprover_bindings.#1302

Merged
monal merged 29 commits intomodel-checking:features/function-contractsfrom
monal:main
Jul 15, 2022
Merged

Add support for function contracts in cprover_bindings.#1302
monal merged 29 commits intomodel-checking:features/function-contractsfrom
monal:main

Conversation

@monal
Copy link

@monal monal commented Jun 23, 2022

Description of changes:

Implement CodeWithContract type in cprover_bindings to generate Ireps of type Code but with additional fields for handling function contracts. Adds the #spec_requires and #spec_ensures clauses to the Irep.

Call-outs:

Added a new type Spec with field clauses:Vec<Expr> to store a list of boolean expressions that would serve as pre (or post) conditions on the function. This allows us to handle required #[PartialEq] trait for the clauses.

Testing:

  • How is this change tested?
    By running kani regression tests. As I haven't added the #[kani::requires] and #[kani::ensures] macros on the Rust side yet, it is not straightforward to add additional test cases right now.

  • Is this a refactor change?
    No.

Checklist

  • Each commit message has a non-empty body, explaining why the change was made
  • Methods or procedures are documented
  • Regression or unit tests are included, or existing tests cover the modified code
  • My PR is restricted to a single feature or bugfix

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 and MIT licenses.

@monal monal requested a review from a team as a code owner June 23, 2022 23:06
@celinval
Copy link
Contributor

celinval commented Jun 23, 2022

Can you push this to a feature branch for now?

@tedinski
Copy link
Contributor

tedinski commented Jun 23, 2022

Can you push this to a feature branch for now?

I thought this was a mergeable unit, or nearly so, so I requested the PR.

I could see merging this as-is, or possibly with a unit test for the irep generation added. We don't yet have many (any?) unit tests for cprover_bindings, so this might be the first, but we do actually want to get tests against this crate and have to start somewhere. :)

@celinval
Copy link
Contributor

celinval commented Jun 24, 2022

We already have unit tests in this crate. It would be great if we can add some food this code.

I would also suggest we tag the new functions with allow_dead with a link to the issue we're trying to solve.

@monal monal marked this pull request as draft June 27, 2022 16:23
@tautschnig
Copy link
Member

tautschnig commented Jun 30, 2022

I note that as of moments ago diffblue/cbmc#6799 is merged, which means that function contracts now live in symbols of their own.

@monal
Copy link
Author

monal commented Jun 30, 2022

Thanks for linking the PR, @tautschnig! I will update my code accordingly.

@monal monal self-assigned this Jul 5, 2022
@monal monal changed the title Add CodeWithContract type to cprover_bindings for supporting function contracts. Add support for function contracts in cprover_bindings. Jul 6, 2022
@monal
Copy link
Author

monal commented Jul 6, 2022

Summary of changes:

  1. Add contract constructor to Symbol to create new symbols for function contracts.

  2. Store the contract information (preconditions, postconditions, assigns, etc.) in the value field of the symbol (on the goto-program side). Hence, add Contract(Contract) to ExprValue.
    During Irep generation, the contract's preconditions and postconditions are added to the type field under #spec_requires and #spec_ensures respectively.

  3. Add LambdaExpression and Tuple to Expr. They are mathematical expressions (Expressions that do not exist immediately in C) but adding them to Expr seems to be the best option right now. We can create a separate MathematicalExpr in the future, if needed.

    • The clauses in #spec_ensures(..) and #spec_requires(..) are wrapped in a lambda expression (using the as_lambda_expression method) to make sure that the contract symbol is self-contained and has a copy of the functions’ parameters. (Refer: CONTRACTS: store contracts in dedicated symbols diffblue/cbmc#6799).
    • The bound variables in a lambda expression are stored as a Tuple.

  4. Add MathematicalFunction to Type to store the type signature of lambda expressions.

danielsn
danielsn reviewed Jul 6, 2022
View reviewed changes
zhassan-aws
zhassan-aws reviewed Jul 6, 2022
View reviewed changes
cprover_bindings/src/goto_program/typ.rs Outdated
Copy link
Contributor

@zhassan-aws zhassan-aws Jul 6, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this need to be an enum?

Copy link
Author

@monal monal Jul 8, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Made it an enum to support different types of contracts. Like LoopContract(...) in the future. Is there an alternative way to do this?

Monal Narasimhamurthy added 18 commits July 8, 2022 12:20
@monal
Add type for "spec_ensures" and "spec_requires" clauses to support fu…
5cea135 
…nction contracts
@monal
Add transfomer code for code_with_contract; Fix comments; Minor imple…
899b300 
…mentation fixes
@monal
Revert "Add transfomer code for code_with_contract; Fix comments; Min…
f424956 
…or implementation fixes"

This reverts commit f4afc1555a8acfb83977de17047a2609b53b7584.
@monal
Revert "Add type for "spec_ensures" and "spec_requires" clauses to su…
0f0212e 
…pport function contracts"

This reverts commit f7171f8134df25bb78891bd0da036e7dbc304165.
@monal
Move function contract to Symbol
d3ebe3b
@monal
Revert "Move function contract to Symbol"
1eeba2b 
This reverts commit ffd3ad20efadee99b82ded5d774fc6e358bbb341.
@monal
Add contract to SymbolValues
7a4a96d
@monal
Update SymbolValues::Contract to have expressions
6d04ada
@monal
Add Contract type; Add Lambda and Tuple to Expr
60eb6b8
@monal
WIP: Add LambdaExpression and Tuple to Expr; Add MathematicalFunction…
363ada5 
… to Type; Generate Ireps
@monal
Update comment to explain pretty_name in contract symbol.
ecbf2cb
@monal
Change type to slice
e61041a
@monal
Remove variables from FunctionContract type
94cc0d5
@monal
Add type checking to the lambda_expression constructor
d00853a
@monal
Change variables field in lambda expression to variables_tuple to avo…
12f381a 
…id misreading the type
@monal
Remove type annotations
d732dd4
@monal
Remove LambdaExpression and Tuple
aeb5550
@monal
Remove FunctionContract type
42e9f8e
@monal monal marked this pull request as ready for review July 8, 2022 19:53
@monal
Copy link
Author

monal commented Jul 8, 2022

  • Removed LambdaExpression and Tuple from Expr. Generating them at the Irep level now.
  • Added a module for Contract and introduced Spec to represent contract clauses.
  • Cleaned up whitespaces; added comments.

@monal monal requested a review from a team July 8, 2022 20:51
zhassan-aws
zhassan-aws approved these changes Jul 8, 2022
View reviewed changes
Copy link
Contributor

@zhassan-aws zhassan-aws left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thanks!

@monal monal changed the base branch from main to features/function-contracts July 12, 2022 18:30
danielsn
danielsn reviewed Jul 12, 2022
View reviewed changes
cprover_bindings/src/goto_program/contract.rs Outdated
Copy link
Contributor

@danielsn danielsn Jul 12, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

File comment to explain what contracts are and link to documentation

Copy link
Author

@monal monal Jul 12, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added comment + CBMC documentation link.

cprover_bindings/src/goto_program/symbol.rs Outdated
Copy link
Contributor

@danielsn danielsn Jul 12, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't this be the pretty name of the function? (We might have discussed this already)

Copy link
Author

@monal monal Jul 12, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On the CBMC side, the pretty_name is still the name of the function and not the name of the contract. Should I set it to the contract's name instead?

cprover_bindings/src/irep/to_irep.rs
id: IrepId::Lambda,
sub: vec![
tuple_irep(binding_variables, mm)
// For binding expressions (quantifies, let, lambda), the type of the `tuple_exprt` is set to just its ID in CBMC.
Copy link
Contributor

@danielsn danielsn Jul 12, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are there other cases where this is different?

Copy link
Author

@monal monal Jul 12, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The tuple_exprt has a constructor with a type argument. So, in CBMC, we can construct tuples with a specific type (and not just the ID). The binding_exprt that sits on top of a tuple_exprt always sets the type to be the ID.

@monal monal merged commit 751ad18 into model-checking:features/function-contracts Jul 15, 2022
zhassan-aws pushed a commit to zhassan-aws/kani that referenced this pull request May 26, 2023
@monal @zhassan-aws
Add support for function contracts in cprover_bindings. (model-checki…
61e33ea 
…ng#1302)

* Add type for "spec_ensures" and "spec_requires" clauses to support function contracts

* Add transfomer code for code_with_contract; Fix comments; Minor implementation fixes

* Revert "Add transfomer code for code_with_contract; Fix comments; Minor implementation fixes"

This reverts commit f4afc1555a8acfb83977de17047a2609b53b7584.

* Revert "Add type for "spec_ensures" and "spec_requires" clauses to support function contracts"

This reverts commit f7171f8134df25bb78891bd0da036e7dbc304165.

* Move function contract to Symbol

* Revert "Move function contract to Symbol"

This reverts commit ffd3ad20efadee99b82ded5d774fc6e358bbb341.

* Add contract to SymbolValues

* Update SymbolValues::Contract to have expressions

* Add Contract type; Add Lambda and Tuple to Expr

* WIP: Add LambdaExpression and Tuple to Expr; Add MathematicalFunction to Type; Generate Ireps

* Update comment to explain pretty_name in contract symbol.

* Change type to slice

* Remove variables from FunctionContract type

* Add type checking to the lambda_expression constructor

* Change variables field in lambda expression to variables_tuple to avoid misreading the type

* Remove type annotations

* Remove LambdaExpression and Tuple

* Remove FunctionContract type

* Remove contracts

* WIP:Move contracts to a separate module; Add spec to handle Irep generation for contracts.

* WIP: Update spec to include location; Add comments

* WIP: Add comments

* WIP: Add location to spec

* WIP: remove whitespace

* WIP: Remove whitespace

* Add file comment

* Change Spec to always have Location

* format

Co-authored-by: Monal Narasimhamurthy <monaln@amazon.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tautschnig tautschnig Awaiting requested review from tautschnig

2 more reviewers

@danielsn danielsn danielsn left review comments

@zhassan-aws zhassan-aws zhassan-aws approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@monal monal

Labels

None yet

Projects

No open projects
Kani v0.6
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@monal @celinval @tedinski @tautschnig @danielsn @zhassan-aws