Add a __CPROVER_postcondition builtin #4921
Conversation
angelhof
requested review from
kroening,
peterschrammel,
pkesseli,
smowton and
tautschnig
as code owners
|
Please add a regression test exercising the new code. There actually don't appear to be any exercising |
@smowton Thanks, I will add a regression test for both. On a different note, why is CPP-LINT in travis complaining only for the newly added line and not for the ones above that use |
|
I think CPP-LINT in travis only checks newly added lines. This is so that things can be slowly fixed as we go, rather than having to fix them all at once so that we can see if we add any new ones. |
Thanks. Shouldn't this check in cpplint.py only check for uses of |
|
@tautschnig, you wrote that check in cpplint.py (last October), can you help @angelhof? |
|
Here's the check: https://github.com/diffblue/cbmc/blob/develop/scripts/cpplint.py#L4607 I would suggest simply whitelisting paths beginning with |
Wouldn't something like |
|
That precise regex would misfire for |
|
@smowton I don't have any preference between the two. I could implement any of them in a separate PR. Is this PR blocked until the lint check succeeds? |
|
Yes without administrative intervention. I'd recommend making the change as a second commit in this PR. |
angelhof
force-pushed
the
cprover-postcondition
branch
from
6ad9a09 to
44197bb
Compare
Codecov Report
@@ Coverage Diff @@
## develop #4921 +/- ##
===========================================
+ Coverage 69.27% 69.28% +<.01%
===========================================
Files 1307 1307
Lines 108145 108148 +3
===========================================
+ Hits 74918 74926 +8
+ Misses 33227 33222 -5
Continue to review full report at Codecov.
|
|
Could someone review this? |
There was a problem hiding this comment.
This PR failed Diffblue compatibility checks (cbmc commit: 44197bb).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/120852254
Status will be re-evaluated on next push.
Common spurious failures include: the cbmc commit has disappeared in the mean time (e.g. in a force-push); the author is not in the list of contributors (e.g. first-time contributors); compatibility was already broken by an earlier merge.
|
@peterschrammel could you review this? |
|
@peterschrammel @thk123 could you review this PR? |
| @@ -2,6 +2,7 @@ void __CPROVER_assume(__CPROVER_bool assumption); | |||
| void __VERIFIER_assume(__CPROVER_bool assumption); | |||
| void __CPROVER_assert(__CPROVER_bool assertion, const char *description); | |||
| void __CPROVER_precondition(__CPROVER_bool precondition, const char *description); | |||
| void __CPROVER_postcondition(__CPROVER_bool assertion, const char *description); | |||
There was a problem hiding this comment.
Random place for a comment: I think this strictly requires documentation. When should users make use of this? I note that the commit message doesn't have a body either, so it's really hard to see when that should be used.
There was a problem hiding this comment.
Thanks. Where is a good place to add documentation for this?
There was a problem hiding this comment.
As discussed elsewhere: doc/cprover-manual/cbmc-assertions.md is likely the best place for this. @kroening Would you be able to contribute some documentation of __CPROVER_precondition, which AFAIK never got documented?
There was a problem hiding this comment.
I would structure this differently.
__CPROVER_precondition was introduced as a means to add preconditions to library functions, i.e., it was never meant to be used by anyone but CBMC developers.
The new feature, which is contract checking, is a different use-case, and externalises this to users of CBMC. My experience is that users like manuals that are structured by use-case. Thus, I would suggest to add a new chapter, say titled "Modular Verification using Code Contracts", or the like, to discuss this use-case separately.
There was a problem hiding this comment.
[...] never meant to be used by anyone but CBMC developers.
While this is a good intention, I don't think it will remain as constrained if people find it useful in other places as well. Anything that can be used will be used at some point...
The added builtin function, is transformed into an assert (like __CPROVER_precondition) by the goto-cc pass. The reason why it was added, is to allow an analysis on the AST to extract the postconditions from function bodies, to extend their function contracts.
angelhof
force-pushed
the
cprover-postcondition
branch
from
44197bb to
59ab9e9
Compare
There was a problem hiding this comment.
This PR failed Diffblue compatibility checks (cbmc commit: 59ab9e9).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/122362598
Status will be re-evaluated on next push.
Common spurious failures include: the cbmc commit has disappeared in the mean time (e.g. in a force-push); the author is not in the list of contributors (e.g. first-time contributors); compatibility was already broken by an earlier merge.
angelhof
force-pushed
the
cprover-postcondition
branch
from
59ab9e9 to
f4a6f43
Compare
|
The lint error is fixed in #5000. |
angelhof
force-pushed
the
cprover-postcondition
branch
from
8746b52 to
3811798
Compare
angelhof
force-pushed
the
cprover-postcondition
branch
from
3811798 to
119ce60
Compare
There was a problem hiding this comment.
This PR failed Diffblue compatibility checks (cbmc commit: 119ce60).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/122640419
Status will be re-evaluated on next push.
Common spurious failures include: the cbmc commit has disappeared in the mean time (e.g. in a force-push); the author is not in the list of contributors (e.g. first-time contributors); compatibility was already broken by an earlier merge.
Add a builtin __CPROVER_postcondition builtin function that internally becomes an assert (like __CPROVER_precondition).
This will be used (by a later PR) to turn function preconditions, and postconditions to code contracts.