label_properties: do not rely on source_locationt's get_function() #4131
Conversation
tautschnig
requested review from
cesaro,
chrisr-diffblue,
cristina-david,
danpoe,
hannes-steffenhagen-diffblue,
kroening,
martin-cs,
peterschrammel,
pkesseli and
smowton
as code owners
There was a problem hiding this comment.
✔️
Passed Diffblue compatibility checks (cbmc commit: 2ff8e7a).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/100224366
|
I think that there are two cases to consider:
A problem with |
|
Another issue is file-local functions. Say multiple instances of some static function. They all have the same |
|
I'm pretty much open to what the property IDs look like. It's convenient if they are somehow related to the function that contains the assertion, but I wouldn't complain if they were just a sequence number or a hash in order to limit their length. |
|
Closing this as having unresolved status on whether it is the right thing to do as well as being untouched for a couple of years. Please reopen if you believe this is erroneous and can update with a path towards a correct answer. |
|
Reopening since we still very much want something like this. |
tautschnig
changed the title
tautschnig
force-pushed
the
properties-get_function
branch
from
2ff8e7a to
25bd89d
Compare
tautschnig
requested review from
romainbrenguier and
chris-ryder
as code owners
|
Rebased, but various regression test failures need to be debugged. |
tautschnig
force-pushed
the
properties-get_function
branch
from
bdf278b to
d774afe
Compare
tautschnig
force-pushed
the
properties-get_function
branch
from
d774afe to
cb8c5f3
Compare
| @@ -1,7 +1,7 @@ | |||
| CORE | |||
| main.c | |||
| --dfcc main --enforce-contract foo _ --malloc-may-fail --malloc-fail-null | |||
| ^\[foo.assigns.\d+\] line 19 Check that a\[\(signed long (long )?int\)i\] is assignable: SUCCESS$ | |||
| ^\[foo_wrapped_for_contract_checking.assigns.\d+\] line 19 Check that a\[\(signed long (long )?int\)i\] is assignable: SUCCESS$ | |||
There was a problem hiding this comment.
For contracts, we should not refer to the wrapper function, but to the original function (i.e., foo). The user should identify the assignment in the original function that violates the assigns clause. We might want to keep the change from this PR, but fix this in our instrumentation. (cc. @remi-delmas-3000 )
There was a problem hiding this comment.
Yes let's keep it like this in this PR, I'll fix generated locations in contracts in a different PR
There was a problem hiding this comment.
One way to fix this (but I might be missing something) is to rename the original function instead?!
|
I don't understand how deprecating get/set_function solves the problems we currently have ? Is it by forcing us developers in each different context to think harder about where to get a meaningful function ID from ? (instead of reaching for the method that sounds like it gives us what we want). How about adding a section in the developer manual with high level guidance on properties/locations things should be presented to the user, at least in cases mentioned above (preconditions/postconditions, in the presence of inlining, in the presence of name mangling, when inserting generic checks, etc.). |
Yes. That current function produces an arbitrary string that might be good enough for presenting information to a (human) user, but even then could be confusing (think: inlining). Using it to solve other problems in the code base will almost always be wrong, and when it's (seemingly) the only option we have then we might have to build new means for solving the problem.
If we end up retaining |
tautschnig
force-pushed
the
properties-get_function
branch
2 times, most recently
from
7b50599 to
1a0fe1b
Compare
There was a problem hiding this comment.
When checking a function contract on function foo, we rename foo to foo_wrapped_for_contract_checking or __CPROVER_contracts_original_foo in the GOTO functions map but source locations for all instructions keep the foo function attribute.
The original foo function becomes the verification wrapper which is good because pre/post conditions are labelled with foo.
We wanted the mangling to remain transparent to the user and wanted the original funciton id to be used in both wrapper function and original function assertions, but with this change the mangled function name gets exposed in the property id.
Right now apart from doing a specific pass to fix the property_ids afterwards I don't see how to achieve the desired output.
| @@ -1,7 +1,7 @@ | |||
| CORE | |||
| main.c | |||
| --dfcc main --enforce-contract foo _ --malloc-may-fail --malloc-fail-null | |||
| ^\[foo.assigns.\d+\] line 19 Check that a\[\(signed long (long )?int\)i\] is assignable: SUCCESS$ | |||
| ^\[foo_wrapped_for_contract_checking.assigns.\d+\] line 19 Check that a\[\(signed long (long )?int\)i\] is assignable: SUCCESS$ | |||
There was a problem hiding this comment.
Yes let's keep it like this in this PR, I'll fix generated locations in contracts in a different PR
| @@ -45,11 +45,10 @@ void show_properties( | |||
| /// \param property: irep_idt that identifies property | |||
There was a problem hiding this comment.
is this the property class (e.g. assert, assigns, precondition, etc.) ?
There was a problem hiding this comment.
No, this is the full property identifier (a unique key).
src/goto-programs/show_properties.h
Outdated
| @@ -45,11 +45,10 @@ void show_properties( | |||
| /// \param property: irep_idt that identifies property | |||
| /// \param goto_functions: program in which to search for | |||
| /// the property | |||
| /// \return optional<source_locationt> the location of the | |||
| /// \return A pair of function identifier and source location of the | |||
There was a problem hiding this comment.
Suggestion: "A pair of function identifier and source location, where the function identifier is that of the GOTO function that contains the ASSERT instructions matching the property, and the source location is that of the ASSERT instruction matching the property. The function identifier and source location's function attribute are not necessarily equal."
There was a problem hiding this comment.
Thank you, I've updated this comment.
There was a problem hiding this comment.
Maybe we should distinguish between GOTO function and "source function"? What you would like to see in the property names is the source function whereas get_function returns the GOTO function (and is required to return the GOTO function in some places in the code). Source function would then always track the original C function a goto statement is associated with/has been derived from.
feliperodri
removed
aws
Well, but that "source function" is not necessarily unique (just consider static (file-local) functions). So it can't trivially be used as the prefix of property identifiers. |
tautschnig
force-pushed
the
properties-get_function
branch
from
1a0fe1b to
fc24af0
Compare
tautschnig
force-pushed
the
properties-get_function
branch
from
fc24af0 to
3e8d1d5
Compare
A source location is a place in a text file, and the function information stored in there need not coincide with the name we use in the goto model. In this vein, label_properties should use the actual function name so that properties in different instantiations of a function (as may happen when linking static functions) get unique names.
tautschnig
force-pushed
the
properties-get_function
branch
from
3e8d1d5 to
4dc81d5
Compare
A source location is a place in a text file, and the function information stored
in there need not coincide with the name we use in the goto model.
Part 1: label_properties should use the actual function name so that properties
in different instantiations of a function (as may happen when linking static
functions) get unique names.
This is in parts an RFC: it may actually be the right thing to use
source_locationt::get_functionfor this purpose and no change should be made.