Cover failed assertions #5636
Cover failed assertions #5636
Conversation
These were previously duplicated between 3 different executables.
hannes-steffenhagen-diffblue
requested review from
chrisr-diffblue,
kroening,
martin-cs,
peterschrammel,
smowton and
tautschnig
as code owners
| } | ||
| else | ||
| { | ||
| i_it->turn_into_skip(); |
There was a problem hiding this comment.
Btw we have to skip them rather than just leaving them be because otherwise cbmc would consider these assertions coverage goals.
There was a problem hiding this comment.
Why not make --no-assertions (aka turn-assertions-into-skips) useable with --cover then (as @martin-cs suggests)? That would make the behaviour more transparent to the user.
This adds an option `--cover-failed-assertions` that prevents the default behaviour of coverage stopping at failed assertions by turning assertions into skips rather than assumes (which is the default behaviour for coverage criteria other than `assertion`, which behaves the same with or without the flag).
hannes-steffenhagen-diffblue
force-pushed
the
feature/cover-failed-assertions
branch
from
d0d6748 to
a442dbb
Compare
| proceeds the same as in all-properties mode. Coverage solving is implemented by | ||
| `bmc_covert`, but is structurally practically identical to | ||
| equation solver; In cases where this behaviour is undesirable you can pass the | ||
| `--cover-failed-assertions` which makes coverage checking continue even for |
There was a problem hiding this comment.
BTW shouldn’t this file be under doc rather than src? I don’t really understand our documentation structure...
There was a problem hiding this comment.
The READMEs which are in each module are pulled into here: http://cprover.diffblue.com/folder-walkthrough.html (click on cbmc, for example).
We decided to keep them in the source folders so that they are as close as possible to the code.
Codecov Report
@@ Coverage Diff @@
## develop #5636 +/- ##
========================================
Coverage 69.35% 69.35%
========================================
Files 1241 1241
Lines 100596 100601 +5
========================================
+ Hits 69771 69776 +5
Misses 30825 30825
Flags with carried forward coverage won't be shown. Click here to find out more.
Continue to review full report at Codecov.
|
There was a problem hiding this comment.
Approve because the refactor is good. I would prefer if the new option could be added in to the argument for --cover and I would prefer it even more if we could make assertion transformation orthogonal to and preceeding coverage assertions or at least have a conversation about it but I also realise that you need to get stuff done so approve.
| " --cover CC create test-suite with coverage criterion CC\n" | ||
| #define OPT_COVER \ | ||
| "(cover):" \ | ||
| "(cover-failed-assertions)" |
There was a problem hiding this comment.
Is it possible to have this as an argument to --cover?
src/goto-instrument/cover.h
Outdated
| @@ -22,6 +22,10 @@ class message_handlert; | |||
| class cmdlinet; | |||
| class optionst; | |||
|
|
|||
| #define OPT_COVER "(cover):" | |||
There was a problem hiding this comment.
Thank you for this refactoring. Finding an removing unnecessary and redundant repetition is always good.
| There is one further BMC mode that differs more fundamentally: when `--cover` is | ||
| passed, assertions in the program text are converted into assumptions (these | ||
| There is one further BMC mode that differs more fundamentally: when `--cover` | ||
| is passed, assertions in the program text are converted into assumptions (these |
There was a problem hiding this comment.
I don't want to open a massive can of worms here but ... why is this the default? Is this actually useful? Given that there are options for --no-assertions, --no-assumptions and --assert-to-assume (whether they work or even do anything at all ... is an open question) could we make the transformation of assertions and assumptions orthogonal to --cover. It feels like this should be possible and even desirable...
There was a problem hiding this comment.
@martin-cs I think this is the default because whoever wrote this had the expectation that programs should stop at failed assertions. I suppose we could change it, but I’m always a bit wary about changing defaults.
There was a problem hiding this comment.
@martin-cs FWIW because cover treats each failed goal as something relating to coverage right now we have to do something with asserts. That said, I think the alternative (just making cover cleverer about how it counts coverage) would be more desirable.
I'd consider that as something we can take a look at in terms of future work though.
There was a problem hiding this comment.
Yes, if you are doing a naive count then, I see the need to do something with pre-existing assertions or otherwise true assertions (generally a good thing) will count against your coverage. Smarter counting would certainly be one way to address this.
It feels to me that making the "doing something about asserts" independent might be a desirable option as well. I can see use-cases for converting to SKIP, to ASSUME and leaving as they are.
Then again, I am not a user of this code at the moment and do not have time to work on it so my views maybe not so important.
The tests are failing when the `--paths` flag is set. This is because we understand that the paths code hasn't been exercised thoroughly, and as a result this behaviour may or may not indicate a potential issue - we need to investigate this at a later point.
| @@ -34,6 +34,9 @@ | |||
| ['unknown-argument-suggestion', 'test.desc'], | |||
| # this one produces XML intermingled with main XML output when used with --xml-ui | |||
| ['graphml_witness2', 'test.desc'], | |||
| # these are producing coverage goals which aren't including in the schema | |||
| } | ||
| else | ||
| { | ||
| i_it->turn_into_skip(); |
There was a problem hiding this comment.
Why not make --no-assertions (aka turn-assertions-into-skips) useable with --cover then (as @martin-cs suggests)? That would make the behaviour more transparent to the user.
|
@peterschrammel That said, maybe the better solution would be to make sure cover only checks cover-added assertions for coverage metrics instead of this skip-workaround... |
|
...unless you use |
|
I don’t think the behaviour is any different for It’s just that (only) removing user assertions is actually what we want for |
There was a problem hiding this comment.
Seems reasonable. If it was up to me, I would squash the commits fixing the tests back into the commit where they were added. This is because it could make use of git bisect easier, if we ever need to use it. Please fix the spelling error noted by Peter before this is merged.
src/cbmc/cbmc_parse_options.h
Outdated
| @@ -73,8 +75,9 @@ class optionst; | |||
| "(property):(stop-on-fail)(trace)" \ | |||
| "(error-label):(verbosity):(no-library)" \ | |||
| "(nondet-static)" \ | |||
| "(version)" \ | |||
| "(cover):(symex-coverage-report):" \ | |||
| "(version)" \ | |||
There was a problem hiding this comment.
❔ Is this additional spacing accidental?
| ^EXIT=0$ | ||
| ^SIGNAL=0$ | ||
| -- | ||
| ^warning: ignoring |
There was a problem hiding this comment.
⛏️ It would be nice to have a comment in each of .desc files explaining what the test is intended to test. Even something pretty short could make this a while lot easier to maintain.
| #define HELP_COVER \ | ||
| " --cover CC create test-suite with coverage criterion " \ | ||
| "CC\n" \ | ||
| " --cover-failed-assertions do not stop coverage checking at failed " \ |
There was a problem hiding this comment.
⛏️ Because of the preceding refactor, this option now applies to jdiff and goto-diff as well as cbmc. This means that we should probably test that it works with those entry points.
| " --cover CC create test-suite with coverage criterion CC\n" | ||
| #define OPT_COVER \ | ||
| "(cover):" \ | ||
| "(cover-failed-assertions)" |
There was a problem hiding this comment.
⛏️ If we keep this as a separate option from --cover then we should check that --cover-failed-assertions is not passed without --cover and exit with a suitable error message in the case of that particular invalid usage.
There was a problem hiding this comment.
I understand that this needs a quick fix. But I don't think that the current solution will be the last. The options around goto check assertions, user assertions, cover, the various -no-X options, etc need to be made consistent so that they can be used in a clearly understandable and orthogonal way without subtle side effects.
|
I realise this is easy for me to say as 1. it's not me doing the work and 2. it's not me in need of the urgent fix but... +1 agree with @peterschrammel . This has been a mess for too long. I will leave it up to others (those that 1 and 2 apply to) to decide how this PR should relate to that work. |
This adds an option
--cover-failed-assertionsthat prevents thedefault behaviour of coverage stopping at failed assertions by turning
assertions into skips rather than assumes (which is the default
behaviour for coverage criteria other than
assertion, which behavesthe same with or without the flag).
This is one way to address #5543