Tests to check inconsistent assumptions involving __CPROVER_r_ok #5321
Conversation
danpoe
force-pushed
the
tests/pointer-primitives
branch
from
85de939 to
fa60778
Compare
There was a problem hiding this comment.
Looks good - some general comments, also I note these are only for r_ok, we presumably need them for the other primitives.
Overall comments:
- Do we need to test the local and global pointer every time? Produces a lot of duplication, do they end up looking very different in the formulas?
- Should we be testing pointers to memory mallocd with > size of the object (e.g. arrays)
- Should we be testing pointers to statically allocated arrays
- Should we best testing pointers that are passed in from another function
Also, this is a lot of quite specific tests. I'd be tempted to move them out of regression/cbmc (perhaps into a folder called cprover-primitives, or perhaps tag them as THROUGH when they are enabled
| -- | ||
| ^warning: ignoring | ||
| -- | ||
| Tests that an inconsistent assumption involving a pointer to an out of scope |
There was a problem hiding this comment.
Though an explanation of why FUTURE (and link to relevant ticket) would be good
There was a problem hiding this comment.
I think the test and the test description already provide this explanation. The FUTURE just indicates that the test does not currently pass.
regression/cbmc/r_w_ok_inconsistent_dead/test-global-no-cp.desc
Outdated
Show resolved
Hide resolved
| @@ -0,0 +1,10 @@ | |||
| FUTURE | |||
| main.c | |||
| --function test_global_pointer --pointer-check --no-simplify --no-propagation | |||
There was a problem hiding this comment.
❓ Could we include somewhere an explanation why the no-propagation flag is needed to be tested separately?
There was a problem hiding this comment.
Do you think I should add an explanation to every .desc file? Basically we want to test with --no-simplify --no-propagation (which turns off expression simplification and constant propagation) and without those two, so as to check that both the constraint encoding and the simplification/constant propagation work correctly.
| @@ -0,0 +1,11 @@ | |||
| KNOWNBUG | |||
There was a problem hiding this comment.
Why is this knownbug rather than future?
There was a problem hiding this comment.
This particular test made cbmc crash. I'll add a comment to say that, and will add a simpler test too that shows the same bug.
regression/cbmc/r_w_ok_inconsistent_valid/test-global-no-cp.desc
Outdated
Show resolved
Hide resolved
| __CPROVER_assume(p1 != NULL); | ||
|
|
||
| __CPROVER_assume( | ||
| !__CPROVER_r_ok(p1, 1) || |
There was a problem hiding this comment.
I'd highlight the negation here with a comment explaining the purpose
There was a problem hiding this comment.
Ehh only if you think worth it - it is of course also explained in the description
| } | ||
|
|
||
| __CPROVER_assume(__CPROVER_r_ok(p, 1)); | ||
| assert(0); // fails |
There was a problem hiding this comment.
What does "fails" mean. Do you really mean unreachable?
There was a problem hiding this comment.
It means that the assertion fails, i.e. is reachable.
| @@ -0,0 +1,10 @@ | |||
| FUTURE | |||
There was a problem hiding this comment.
Tests that currently don't pass but are not bugs are marked as FUTURE. This is typically used for tests for unimplemented features. Here the test doesn't pass due to the overapproximate behaviour of __CPROVER_r_ok(). If it will be made more pecise in the future it should pass.
danpoe
force-pushed
the
tests/pointer-primitives
branch
from
fa60778 to
f514175
Compare
|
@thk123 Indeed the separate tests for global and local pointers were unnecessary. The intention was to account for differences in the result of the local bitvector analysis but it gives the same result for both cases. |
danpoe
force-pushed
the
tests/pointer-primitives
branch
3 times, most recently
from
f0527ae to
b34b155
Compare
|
@thk123 I've now put the tests in a new directory Regarding your points (2) and (3) above, we don't necessarily need to separately test these cases as the behaviour is exactly the same for malloced objects of size 1 or > 1 and for static objects of size 1 or size > 1 (i.e. statically allocated arrays). Also the behaviour will be the same for pointers passed into functions. |
danpoe
force-pushed
the
tests/pointer-primitives
branch
from
b34b155 to
e9b5146
Compare
There was a problem hiding this comment.
Probably what CI is telling you, but your new folder will need a Makefile and CMakeLists.txt to tell it how to behave. (A short README.md explaining the purpose of the folder would be appreciated, but not required).
Do you think I should add an explanation to every .desc file? Basically we want to test with --no-simplify --no-propagation (which turns off expression simplification and constant propagation) and without those two, so as to check that both the constraint encoding and the simplification/constant propagation work correctly.
Frankly yes - since no way to know what test will be opened, best to put it in all of them. Should of course just be the same sentence copy-pasted!
Anyways, thanks for the tweaks, blocking comments addressed - though would appreciate raising and referencing bugs for the crashes to be sure we turn the tests back on when they're fixed. Just need to add the Make stuff to the folder and we should be good.
regression/cbmc/r_w_ok_bug/test.desc
Outdated
| -- | ||
| ^warning: ignoring | ||
| -- | ||
| Crashes during the flattening |
There was a problem hiding this comment.
This is pretty bad! I guess we should raise a bug?
There was a problem hiding this comment.
We should raise a bug/cbmc issue for this and mention it in the .desc
There was a problem hiding this comment.
Issue recorded as #5328, and added the number to the .desc file.
|
|
||
| void main() | ||
| { | ||
| // pointer with object bits = 123 and offset = 123 |
There was a problem hiding this comment.
Thanks for the improvement - as the reader, I'm still left with the question of why you're constructing such a pointer. I think this would still be improved with a comment as to why this is an interesting pointer. Is it because it tricks cbmc into thinking it is valid?
There was a problem hiding this comment.
Yes, it's a pointer that doesn't point to valid memory but isn't special in any other way. Added a description.
| char *p1 = &c1; | ||
|
|
||
| assert(!__CPROVER_r_ok(p1, 2)); | ||
| assert(!__CPROVER_r_ok(p1 - 1, 1)); | ||
| assert(!__CPROVER_r_ok(p1 + 1, 1)); | ||
|
|
||
| char *p2 = &c2; | ||
|
|
||
| assert(!__CPROVER_r_ok(p2, 2)); | ||
| assert(!__CPROVER_r_ok(p2 - 1, 1)); | ||
| assert(!__CPROVER_r_ok(p2 + 1, 1)); | ||
|
|
||
| char *p3 = malloc(1); | ||
|
|
||
| assert(!__CPROVER_r_ok(p3, 2)); | ||
| assert(!__CPROVER_r_ok(p3 - 1, 1)); | ||
| assert(!__CPROVER_r_ok(p3 + 1, 1)); |
danpoe
force-pushed
the
tests/pointer-primitives
branch
2 times, most recently
from
09be997 to
f6a0800
Compare
…VER_r_ok() Adds tests to check that inconsistent assumptions involving __CPROVER_r_ok() can be detected by checking if a subsequent assert(0) fails.
danpoe
force-pushed
the
tests/pointer-primitives
branch
from
f6a0800 to
b1be232
Compare
Uh oh!
There was an error while loading. Please reload this page.