Function type consistency between goto programs and symbol table #3127
Conversation
A simple iteration over goto-functions to check that it's base type is the same as the one stored in the symbol table.
xbauch
requested review from
kroening,
peterschrammel,
pkesseli,
smowton and
tautschnig
as code owners
src/goto-programs/goto_model.h
Outdated
| if(!base_type_eq( | ||
| it->second.type, symbol_table.lookup_ref(it->first).type, ns)) | ||
| { | ||
| msg.error() << "error" << messaget::eom; |
There was a problem hiding this comment.
Yes, a better error message here would be good.
src/cbmc/cbmc_parse_options.cpp
Outdated
| @@ -515,6 +515,10 @@ int cbmc_parse_optionst::doit() | |||
| if(get_goto_program_ret!=-1) | |||
| return get_goto_program_ret; | |||
|
|
|||
| INVARIANT( | |||
| !goto_model.check_internal_invariants(*this), | |||
There was a problem hiding this comment.
I find these a little bit confusing in design, both here and in #3118. Do you think it would be better if check_internal_invariants returned true by default, as the all is good case, and false otherwise? This invariant would also look cleaner as well, as it would just read as the internal invariants of the goto model should always hold, which this is what the invariant will check by essence of it returning true and not if this doesn't return false, then the internal invariants hold. Like, it's the double negative both in the condition here, and the return values of check_internal_invariants that's slightly confusing, as it's inverse logic to what's expected. But that's just me, certainly not required.
There was a problem hiding this comment.
@smowton Within this PR, yes. But we are preparing a larger collection of checks and not all of them target consistency.
There was a problem hiding this comment.
@NlightNFotis it was my understanding that we prefer returning true when things fail. It can of course be negated.
There was a problem hiding this comment.
@NlightNFotis My understanding is that linux programs return 0 to indicate no error and a non-zero integer to represent some kind of error. C programs copy this and return 0 to indicate no error. We follow this by returning false to indicate no error and true to indicate error. I find it confusing too.
There was a problem hiding this comment.
Yeah most functions return true on error and false on success. Let's stick with this convention for consistency for now.
src/goto-programs/goto_model.h
Outdated
| if(!base_type_eq( | ||
| it->second.type, symbol_table.lookup_ref(it->first).type, ns)) | ||
| { | ||
| msg.error() << "error" << messaget::eom; |
There was a problem hiding this comment.
Yes, a better error message here would be good.
src/cbmc/cbmc_parse_options.cpp
Outdated
| @@ -515,6 +515,10 @@ int cbmc_parse_optionst::doit() | |||
| if(get_goto_program_ret!=-1) | |||
| return get_goto_program_ret; | |||
|
|
|||
| INVARIANT( | |||
| !goto_model.check_internal_invariants(*this), | |||
There was a problem hiding this comment.
I find these a little bit confusing in design, both here and in #3118. Do you think it would be better if check_internal_invariants returned true by default, as the all is good case, and false otherwise? This invariant would also look cleaner as well, as it would just read as the internal invariants of the goto model should always hold, which this is what the invariant will check by essence of it returning true and not if this doesn't return false, then the internal invariants hold. Like, it's the double negative both in the condition here, and the return values of check_internal_invariants that's slightly confusing, as it's inverse logic to what's expected. But that's just me, certainly not required.
There was a problem hiding this comment.
Passed Diffblue compatibility checks (cbmc commit: 8558e89).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/87310747
Now reports the id of violating function and the two inconsistent types.
There was a problem hiding this comment.
Passed Diffblue compatibility checks (cbmc commit: 150cf46).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/87323737
src/cbmc/cbmc_parse_options.cpp
Outdated
| @@ -515,6 +515,10 @@ int cbmc_parse_optionst::doit() | |||
| if(get_goto_program_ret!=-1) | |||
| return get_goto_program_ret; | |||
|
|
|||
| INVARIANT( | |||
| !goto_model.check_internal_invariants(*this), | |||
There was a problem hiding this comment.
Yeah most functions return true on error and false on success. Let's stick with this convention for consistency for now.
src/goto-programs/goto_model.h
Outdated
| namespacet ns(symbol_table); | ||
| forall_goto_functions(it, goto_functions) | ||
| { | ||
| if(!base_type_eq( |
There was a problem hiding this comment.
Could use the DATA_CHECK macros.
Using DATA_CHECK instead of calling error handling directly.
There was a problem hiding this comment.
Passed Diffblue compatibility checks (cbmc commit: 43052d5).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/87497802
xbauch
force-pushed
the
program_table_type_consistency
branch
from
408c810 to
7ceafcc
Compare
Builds a goto model with one function and checks that: 1) with the right type in the table the validation succeeds, 2) with the wrong type the validation fails.
xbauch
force-pushed
the
program_table_type_consistency
branch
from
7ceafcc to
00357ff
Compare
There was a problem hiding this comment.
Passed Diffblue compatibility checks (cbmc commit: 00357ff).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/87657183
| /// goto programs, expressions, instructions, etc. Based on the value of the | ||
| /// variable vm (the validation mode), it either uses DATA_INVARIANT() to check | ||
| /// those conditions, or throws an exception when a condition does not hold. | ||
| #define DATA_CHECK(condition, message) \ |
There was a problem hiding this comment.
I'm unclear why we want this. Either something is an invariant or it isn't, I don't see the value in having a single construct for both cases.
|
Moved to #3118. |
A simple iteration over goto-functions to check that it's base type is the same
as the one stored in the symbol table.