Initial reworking of code contracts [depends-on: #3769, blocks: #2677] #2676
Conversation
qaphla
requested review from
chrisr-diffblue,
kroening,
martin-cs,
peterschrammel,
smowton and
tautschnig
as code owners
There was a problem hiding this comment.
This PR failed Diffblue compatibility checks (cbmc commit: 10e55d8).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/80887591
Status will be re-evaluated on next push.
Please contact @peterschrammel, @thk123, or @allredj for support.
Common spurious failures:
- the cbmc commit has disappeared in the mean time (e.g. in a force-push)
- the author is not in the list of contributors (e.g. first-time contributors).
| if(cmdline.isset("check-code-contracts")) | ||
| { | ||
| status() << "Checking Code Contracts" << eom; | ||
| check_code_contracts(goto_model); | ||
| } | ||
|
|
There was a problem hiding this comment.
Some comment for the "apply-code-contracts" case would be helpful -- it's now easy to be confused between apply-code-contracts and check-code-contracts
src/goto-instrument/loop_utils.cpp
Outdated
| @@ -107,3 +108,41 @@ void get_modifies( | |||
| } | |||
| } | |||
| } | |||
|
|
|||
| // TODO handle aliasing at all | |||
| void get_uses( | |||
There was a problem hiding this comment.
I would rename this to something more verbose, say "get_used_symbols", and also comment that you do include symbols whose address is taken.
src/goto-instrument/loop_utils.cpp
Outdated
| const local_may_aliast &local_may_alias, | ||
| const loopt &loop, | ||
| usest &uses) | ||
| { |
There was a problem hiding this comment.
Also, C++ now has rvalue references, which implies that large data structures can be returned without copy. I'd consider returning directly here.
src/goto-instrument/loop_utils.h
Outdated
| @@ -17,13 +17,19 @@ Author: Daniel Kroening, [email protected] | |||
| class local_may_aliast; | |||
|
|
|||
| typedef std::set<exprt> modifiest; | |||
| typedef std::set<exprt> usest; | |||
| typedef const natural_loops_mutablet::natural_loopt loopt; | |||
.gitignore
Outdated
| @@ -19,6 +19,8 @@ src/.settings/* | |||
| # Visual Studio | |||
| Debug/* | |||
| Release/* | |||
| #vi(m) | |||
| *.swp | |||
|
|
|||
There was a problem hiding this comment.
In the future I think this kind of thing would be better as an independent PR.
| @@ -33,7 +33,7 @@ void foo(bar *x) | |||
| __CPROVER_requires(__CPROVER_VALID_MEM(x, sizeof(bar))) | |||
| { | |||
| x->x += 1; | |||
| return | |||
| return; | |||
There was a problem hiding this comment.
I'm a little concerned about why this wasn't caught earlier. Were these tests just not run?
There was a problem hiding this comment.
This was a test that was introduced as KNOWNBUG (and presumably copied poorly from the original piece of code that inspired it).
src/goto-instrument/loop_utils.cpp
Outdated
| @@ -107,3 +108,41 @@ void get_modifies( | |||
| } | |||
| } | |||
| } | |||
|
|
|||
| // TODO handle aliasing at all | |||
There was a problem hiding this comment.
:-\ This makes me a little nervous...
There was a problem hiding this comment.
I'm working on removing this --- this function was introduced very briefly before it was removed and I thought that it hadn't made it into any of the pull requests. Next revision shouldn't have it (or any of the problems that came with it being very temporary).
src/goto-instrument/loop_utils.cpp
Outdated
| { | ||
| if((*it).id()==ID_symbol) | ||
| { | ||
| uses.insert(*it); |
There was a problem hiding this comment.
Would goto_rw be useful here?
There was a problem hiding this comment.
See #2677 for a replacement of the local_may_alias analysis used in this version with goto_rw.
The previous implementation of code-contracts has a single flag --apply-code-contracts, which created checks to verify that the contracts are satisfied and also used the contracts to abstract out the portions of code which had contracts provided. This commit splits that process into two parts, one of which only uses the contracts, without checking that they hold (--apply-code-contracts) and the other of which (incomplete as of this commit) both checks and applies, in a similar manner to the existing method. While it is clear that applying contracts without checking them is unsound, it is nevertheless useful in verifying large pieces of software in a modular fashion. If we verify a function to satisfy its specification from an arbitrary environment, then we can avoid needing to check that function again by using --apply-code-contracts.
This commit completes the work started in the previous commit by revising the existing contract-handling code into the new pass --check-code-contracts, which first applies all contracts and then checks them. By applying the contracts before checking begins, this checks the relative correctness of each function/loop with respect to the functions called by/loops contained in it. Since there can be no infinite sequence of nested functions/loops, these relative correctness results together imply the correctness of the overall program. We take this approach rather than checking entirely without using contracts because it allows significant reuse of results --- a function that is called many times only needs to be checked once, and all of its invocations will be abstracted out by the contract application.
Several functions from the old implementation of code-contracts that were made dead by the previous commits are removed by this commit. Additionally, some variables which were formerly in use are no longer needed, and so are removed.
|
Apologies for bugging about the difference between "applying" and "checking" code contracts: How about "assume-code-contracts" -- this would make the difference clearer? |
There was a problem hiding this comment.
This PR failed Diffblue compatibility checks (cbmc commit: 9d249ba).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/81044800
Status will be re-evaluated on next push.
Please contact @peterschrammel, @thk123, or @allredj for support.
Common spurious failures:
- the cbmc commit has disappeared in the mean time (e.g. in a force-push)
- the author is not in the list of contributors (e.g. first-time contributors).
There was a problem hiding this comment.
This PR failed Diffblue compatibility checks (cbmc commit: c3c6b8b).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/81048563
Status will be re-evaluated on next push.
Please contact @peterschrammel, @thk123, or @allredj for support.
Common spurious failures:
- the cbmc commit has disappeared in the mean time (e.g. in a force-push)
- the author is not in the list of contributors (e.g. first-time contributors).
|
Would you suggest having assume/check as the pair, or assume/assert as a more closely matched pair? |
|
assume/assert will likely be the most familiar choice for existing users! |
tautschnig
changed the title
tautschnig
changed the title
|
Closing due to age (no further comment on PR content), please reopen with rebase on develop if you intent to continue this work. |
The primary function of this change is to split the --apply-code-contracts pass into two separate passes, one of which uses (without checking) the contracts, and one of which checks and applies the contracts together. More details can be seen in the commit messages.
One key note from the commit messages:
While it is clear that applying contracts without checking them
is unsound, it is nevertheless useful in verifying large pieces
of software in a modular fashion. If we verify a function to
satisfy its specification from an arbitrary environment, then
we can avoid needing to check that function again by using
--apply-code-contracts.