Handle more formulas than just equations in string solver #5016
Conversation
romainbrenguier
requested review from
martin-cs and
peterschrammel
as code owners
romainbrenguier
force-pushed
the
enhance/solver-equations
branch
8 times, most recently
from
e8e3a4e to
10418f6
Compare
Codecov Report
@@ Coverage Diff @@
## develop #5016 +/- ##
===========================================
+ Coverage 69.48% 69.52% +0.04%
===========================================
Files 1310 1311 +1
Lines 108813 108955 +142
===========================================
+ Hits 75609 75755 +146
+ Misses 33204 33200 -4
Continue to review full report at Codecov.
|
There was a problem hiding this comment.
✔️
Passed Diffblue compatibility checks (cbmc commit: 10418f6).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/123485329
| @@ -188,16 +188,20 @@ class string_dependenciest | |||
| /// If the string builtin_function is not a supported one, mark all the string | |||
| /// arguments as depending on an unknown builtin_function. | |||
| /// \param dependencies: graph to which we add the node | |||
| /// \param equation: an equation whose right hand side is possibly a call to a | |||
There was a problem hiding this comment.
The function description needs updating. It still mentions the rhs.
| /// builtin functions | ||
| /// \return an expression in which function applications have been replaced | ||
| /// by symbols corresponding to the `return_value` field of the associated | ||
| /// builtin function. |
There was a problem hiding this comment.
🚫 Missing: Document that the function returns empty when there is no substitution.
| for(const auto &eq : equations) | ||
| { | ||
| if(auto equal_expr = expr_try_dynamic_cast<equal_exprt>(eq)) | ||
| equalities.push_back(*equal_expr); |
There was a problem hiding this comment.
Not sure I understand. Why do equalities that don't appear as top-level equal_exprts not need to be added to the vector of equalities? 🐎
There was a problem hiding this comment.
If they don't appear at the top then we can't be sure they always hold, for instance if we have g1 => (s1 == s2), we cannot be sure s1 and s2 will be equal in the end and we have to keep them as separate symbols (instead of replacing occurences of s1 by s2).
| equations.push_back(eq_expr); | ||
| } | ||
| if(!value) | ||
| equations.push_back(not_exprt{expr}); |
There was a problem hiding this comment.
Is that to compensate for 🐎 ?
There was a problem hiding this comment.
not really, it's more like the opposite: because we introduce things that may not be equal_exprt in equations they need to be filtered out in the previous commit
Since the argument is a unique_ptr, it cannot be copied so having the function take the argument by copy means that it has to be moved at the function call, which makes clear from there that the argument is moved and shouldn't be used afterwards.
The add_node function was only handling expressions of the form: `lhs = builtin_function(args)` We make it handle more general expressions and look recursively for functions to replace, for instance `(lhs == a) && (builtin_function(b) == builtin_function(c))` would be replaced by `(lhs == a) && (string_builtin_return1 == string_builtin_return2)`.
This makes the function more generic
This make it handle the cases where the function application is not directly the right hand side of the equation but may be deeper inside the expression.
EXplicit that it is not modified by the function.
Accept formulas that are not equations as input. This is to make the solver more robust to different kind of formulas. In particular, formulas of the form `guard1 => result = some_string_builin_function(s)` should be accepted.
Even if they are not equations, they may contain formulas talking about char arrays and other expressions which require special handling by the solver.
This tests the solver directly on a set of desired formula instead of through symex as would a regression test. This can be easier to debug when trying to track a bug or add an new feature, as the correspondence with the string solver code would be easier to see.
romainbrenguier
force-pushed
the
enhance/solver-equations
branch
from
10418f6 to
462d355
Compare
There was a problem hiding this comment.
✔️
Passed Diffblue compatibility checks (cbmc commit: 462d355).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/123848151
Previously the string-solver was restricting builtin-functions to be the left-hand-side of an equations, so formulas like
g1 => c = char_at(string, 10)would be forbidden.This removes this restriction by replacing these function applications by symbols.
The array_to_length and pointer_to_array associations should still only appear on lhs of an equations. Char array equalities should also only appear as an equation.
The changes are tested with unit tests as the current symex is not producing the kind of formulas which were not handled.
The motivation for this feature is that I have seen this kind of equations appear while experimenting with BDD guards #4765