JBMC: enable model and SSA equation verification #3747
Conversation
This had used a typeless symbol expression for ages without us noticing.
This invokes validation using the same arguments as CBMC.
This mirrors existing support in goto_modelt.
smowton
requested review from
cesaro,
cristina-david,
kroening,
NathanJPhillips,
peterschrammel,
pkesseli,
tautschnig and
thk123
as code owners
smowton
changed the title
src/util/symbol.cpp
Outdated
| // "method") | ||
| if( | ||
| !has_suffix(id2string(name), id2string(base_name)) && | ||
| mode != ID_java) |
There was a problem hiding this comment.
I believe @chrisr-diffblue was also looking into this as there are also cases in C where this doesn't hold. Is this correct?
There was a problem hiding this comment.
Yes, I'm looking into other cases - just hadn't got as far as java yet, so Chris has saved me some work here :-)
| @@ -170,7 +170,8 @@ void java_simple_method_stubst::create_method_stub(symbolt &symbol) | |||
| symbol_table); | |||
| const symbol_exprt &init_symbol_expression = init_symbol.symbol_expr(); | |||
| code_assignt get_argument( | |||
| init_symbol_expression, symbol_exprt(this_argument.get_identifier())); | |||
| init_symbol_expression, | |||
| symbol_exprt(this_argument.get_identifier(), this_type)); | |||
There was a problem hiding this comment.
We should really remove the single-argument constructor.
There was a problem hiding this comment.
In another PR, sure
There was a problem hiding this comment.
Sure, that was not meant as a request for work.
| const validation_modet vm = validation_modet::INVARIANT) | ||
| { | ||
| check(code, vm); | ||
|
|
||
| DATA_CHECK( | ||
| vm, | ||
| code.op0().type() == code.op1().type(), | ||
| base_type_eq(code.op0().type(), code.op1().type(), ns), |
There was a problem hiding this comment.
To be debated with @kroening as this appears to work against the effort going on in other PRs.
There was a problem hiding this comment.
Fair enough if we want the strict same-level-of-indirection condition in the future, but we certainly don't even try to do that at present.
There was a problem hiding this comment.
Can this commit be dropped from the PR? I understand that this would mean it doesn't work for Java at the moment, but then we can get all the other improvements in the meantime.
There was a problem hiding this comment.
Well, my intent was to use this as the means of testing the other improvements, by showing particular programs begin to satisfy this constraint when the fixes are applied, so I'd much prefer to have this statement of our current intended guarantee available, then we can chase after a future attempted standard later?
| @@ -966,6 +966,8 @@ void symex_target_equationt::SSA_stept::validate( | |||
| validate_full_expr(ssa_lhs, ns, vm); | |||
| validate_full_expr(ssa_full_lhs, ns, vm); | |||
| validate_full_expr(original_full_lhs, ns, vm); | |||
| if(type == goto_trace_stept::typet::DECL) | |||
| break; | |||
There was a problem hiding this comment.
In this case I'd prefer some copy&paste and just completely separate the ASSIGNMENT and DECL cases.
smowton
force-pushed
the
smowton/feature/jbmc-validation
branch
from
88c3751 to
6db4c22
Compare
There was a problem hiding this comment.
Not going to comment on the base_type_eq debate, but I'm happy for this to go in as it is. I'll leave the final say on base_type_eq to @tautschnig and @kroening
|
@tautschnig spoke with @kroening just now, who said he's happy to go for |
|
@smowton Maybe then do a clean revert of the commit that switched from |
They use a different pattern to that expected for C programs, and changing that will have some impact. For now let's make validation practically usable without making a change with potentially widespread impact.
This reverts commit caae4ce. Reverting because we can't currently meet either the weak (base_type_eq) or the strong (==) consistency requirement. Let's target the weak one first.
smowton
force-pushed
the
smowton/feature/jbmc-validation
branch
from
6db4c22 to
6274264
Compare
|
@tautschnig done |
DECL clauses do not give an RHS, so comparing its type against the LHS is meaningless (and always fails).
The expr version expects two like-structured expressions and validates subexpressions pairwise, which is not the expected situation for VCCs.
Adding an include in a prior commit --> I must sort the other ones, apparently :)
smowton
force-pushed
the
smowton/feature/jbmc-validation
branch
from
32bf0cf to
4232b15
Compare
There was a problem hiding this comment.
✔️
Passed Diffblue compatibility checks (cbmc commit: 4232b15).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/97290653
| // Exception: Java symbols' base names do not have type signatures | ||
| // (for example, they can have name "someclass.method:(II)V" and base name | ||
| // "method") | ||
| if(!has_suffix(id2string(name), id2string(base_name)) && mode != ID_java) |
There was a problem hiding this comment.
Can we check that method is between . and : instead?
There was a problem hiding this comment.
It also differs for field symbols, and generics, and... I'd like to leave (a) setting a convention and (b) enforcing it for a different PR!
This enables validation of the GOTO model and SSA equations in all JBMC regression tests, making the minimal modifications such that they work:
base_type_eq, not exact equalityI package these together here because this enables all these small fixes to be checked throughout the whole regression test suite, but if people prefer they can be split apart. Naturally, recommend reviewing commit by commit.