Preparation to make goto-analyzer work with the goto_verifiert framework #4703
Conversation
hannes-steffenhagen-diffblue
requested review from
chrisr-diffblue,
danpoe,
martin-cs,
owen-mc-diffblue,
peterschrammel,
smowton and
thk123
as code owners
| auto &property_status = property.second.status; | ||
| auto const &property_location = property.second.pc; | ||
| auto condition = property_location->get_condition(); | ||
| auto const predecessor = ai.abstract_state_before(property_location); |
There was a problem hiding this comment.
It is not obvious to me why we want to evaluate the condition in the preceding state, rather than the current one? Is it possible that evaluating the property will change the value of the condition?
There was a problem hiding this comment.
✔️
Passed Diffblue compatibility checks (cbmc commit: 4b0eb7f).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/113100556
hannes-steffenhagen-diffblue
force-pushed
the
feature/goto-analyzer-usability
branch
from
4b0eb7f to
fadb25a
Compare
There was a problem hiding this comment.
✔️
Passed Diffblue compatibility checks (cbmc commit: fadb25a).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/113111770
| } | ||
| else if(condition.is_false()) | ||
| { | ||
| property_status = property_statust::FAIL; |
There was a problem hiding this comment.
Is this a definite fail? If not, then it should be UNKNOWN.
There was a problem hiding this comment.
Yes, if a condition is false that means that using domain information it could be simplified to false, i.e. definite fail.
| } | ||
| else | ||
| { | ||
| property_status = property_statust::UNKNOWN; |
There was a problem hiding this comment.
How can this happen? If the location is never assigned a value then it should be NOT_REACHED.
There was a problem hiding this comment.
This means the condition could not be simplified to true or false using domain information (so it's neither definite fail or success) and the domain state at the location is not bottom so the location is reachable (edit: or rather, potentially reachable), therefore it is unknown.
There was a problem hiding this comment.
It would be helpful to have this commentary on the various states in the code as well, and not just in the PR :-)
There was a problem hiding this comment.
I added some comments explaining what was going on
src/goto-analyzer/static_verifier.h
Outdated
| @@ -9,6 +9,8 @@ Author: Martin Brain, [email protected] | |||
| #ifndef CPROVER_GOTO_ANALYZER_STATIC_VERIFIER_H | |||
| #define CPROVER_GOTO_ANALYZER_STATIC_VERIFIER_H | |||
|
|
|||
| #include <goto-checker/properties.h> | |||
| #include <goto-programs/abstract_goto_model.h> | |||
There was a problem hiding this comment.
Wouldn't a forward declaration be sufficient?
There was a problem hiding this comment.
Do you mean just for abstract_goto_modelt?
| const ai_baset &ai, | ||
| propertiest &properties) | ||
| { | ||
| auto const ns = namespacet{abstract_goto_model.get_symbol_table()}; |
There was a problem hiding this comment.
I have complained about this before and I'll keep doing so: why is the above better than const namespacet ns{abstract_goto_model.get_symbol_table()};? To me it seems that would be shorter and avoid any doubt about 1) the type of the object and 2) whether some operator= is being invoked or not. And if "consistency" is part of the rationale: in fact the above is the only case of auto that's not in violation of our current coding guidelines...
I keep going after this, because I'm worried that we will at some point arrive at write-only code. Explicitly spelling out types may seem like a nuisance to the person writing the code, but they are really helpful to any reader. In the code below, I actually have no idea what the types of property_status or predecessor are. Alas I'm actually unable to judge whether (not) using references is the right thing.
There was a problem hiding this comment.
I have to say I share the concerns of @tautschnig too, though he's put them more eloquently than I probably would have done. I'm not a huge fan of auto in anything other than very trivial contexts.
There was a problem hiding this comment.
I don't omit the types here because I don't care about readability, but rather because in my opinion they're not very useful for readability; I did another scan over the code and tried to clarify as much a possible, adding types where I thought they're useful. I kept the auto in the for loop and for property_status - the former because it'd otherwise just be propertiest::value_type which IMHO doesn't really add much useful information, and the latter because the type would be property_statust which again doesn't really communicate anything over the variable name.
(Side note: operator= is never involved in initialisation)
hannes-steffenhagen-diffblue
force-pushed
the
feature/goto-analyzer-usability
branch
2 times, most recently
from
da3dd1d to
80daeef
Compare
| @@ -23,4 +25,9 @@ bool static_verifier( | |||
| message_handlert &, | |||
| std::ostream &); | |||
|
|
|||
| void static_verifier( | |||
There was a problem hiding this comment.
This should be documented. And it's a bit confusing to use a noun for a function which is returning void. (for me "verifier" here should imply you return an object which has a verify method)
There was a problem hiding this comment.
This is doing more or less the same thing as the other static_verifier function that already is in this file, the only difference is that it writes the result to the propertiest passed in rather than writing them to stdout or to a file.
The "return" value here is the properties parameter (it's an in/out parameter, we read some information from each property and write its verification status back to it)
hannes-steffenhagen-diffblue
force-pushed
the
feature/goto-analyzer-usability
branch
from
80daeef to
17d4503
Compare
|
@hannes-steffenhagen-diffblue Please rebase now that #4729 is in to make CI happy. |
There is no need to restrict it to goto_modelt, this makes it easier to use in some contexts.
This will make it easier to use with static_verifiert going forward.
hannes-steffenhagen-diffblue
force-pushed
the
feature/goto-analyzer-usability
branch
from
17d4503 to
0f4a362
Compare
Codecov Report
@@ Coverage Diff @@
## develop #4703 +/- ##
==========================================
Coverage ? 68.44%
==========================================
Files ? 1270
Lines ? 104817
Branches ? 0
==========================================
Hits ? 71744
Misses ? 33073
Partials ? 0
Continue to review full report at Codecov.
|
There was a problem hiding this comment.
✔️
Passed Diffblue compatibility checks (cbmc commit: 0f4a362).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/114085606
abstract_goto_modeltrather thangoto_modeltstatic_verifierthat works withabstract_goto_modeltandpropertiestThis will (eventually) allow us to use the goto-checker stuff in
goto-analyzer, which will be useful to make reporting of results and things like that more consistent with the rest of CPROVER.