Instrument strchr to use the string refinement solver

[xbauch]

Reusing and extending the Java-based indexOf. The string refinement assumes that certain associations are made between the char-pointer input, (some) array string (, and it's length). There are also assumption about exactly what kinds of expressions can be passed to the string solver representing string. We added some special handling for byte-extract expressions and string-constants. These modification should not change the java part.

strchr choice is just for demonstration, the intent is to implement all/most of the string.h functions.

• Each commit message has a non-empty body, explaining why the change was made.
• Methods or procedures I have added are documented, following the guidelines provided in CODING_STANDARD.md.
• The feature or user visible behaviour I have added or modified has been documented in the User Guide in doc/cprover-manual/
• Regression or unit tests are included, or existing tests cover the modified code (in this case I have detailed which ones those are in the commit message).
• My commit message includes data points confirming performance improvements (if claimed).
• My PR is restricted to a single feature or bugfix.
• White-space or formatting changes outside the feature-related changed lines are in commits of their own.

[hannes-steffenhagen-diffblue]

There should be a test for the case when a character can’t be found as well, e.g. in this case 't' may or may not be found depending on i.

[thk123]

Note, this currently fails CI on Travis on the following test:

Running string-refinement-strchr2/test.desc  [FAILED]

Specifically fails to find:

^\[main.assertion.\d+\] line \d+ assertion first_o != NULL: SUCCESS$

Instead:

[main.assertion.1] line 10 assertion first_o != ((void *)0): SUCCESS

I guess different platform, different way of printing null?

[thk123]

Neat! I have a number of suggestions of ways we can make the quite dense string solver code a bit more readable, happy to help with applying them.

I would like to see the coverage report as there ends up being lots of new code, and I don't really know when it would be triggered, so would be good to check we're testing it all. Hopefully will just appear, but maybe needs a rebase?

[thk123]

🚫 Magic number here should have some explanation

[romainbrenguier]

documentation of the function needs to be updated, and does it make sense to have signed characters?

[hannes-steffenhagen-diffblue]

@romainbrenguier char is allowed to be either signed or unsigned in C.

[xbauch]

Turns out the magic is not needed at all.

[thk123]

❔ how come this is a precondition? Seems like should be documented at least

[thk123]

❓ Unreachable? You've just asserted this isn't true

[thk123]

❓ What's "maybe" about this? Would returning an optional make sense here?

[xbauch]

Well it always returns some expr. But it acts as identity for expressions that are not byte-extract.

[thk123]

❓ What's the purpose of this lambda...

[hannes-steffenhagen-diffblue]

I am fairly sure there isn’t one. Probably happened by accident during a refactor.

[thk123]

❓ Don't you have a function that does this?

[thk123]

⛏️ naming variables in the header (particularly ones where the type tells you nothing) helps users of the function to figure out what they should be passing in

[thk123]

⛏️ etc. in the commit message is less than ideal, perhaps it should be multiple commits, but should almost certainly list all the changes

[thk123]

hard coded string seems like a bad idea, is it defined anywhere?

[thk123]

🚫 Please add why you need to do this (particularly in light of the comment yesterday about perf cost of byte_extract

[romainbrenguier]

that doesn't seem correct, the length could be assigned twice with different value, while it only has to be equal to one of these depending on the condition

[romainbrenguier]

documentation of the function needs to be updated, and does it make sense to have signed characters?

[majakusber]

Codecov Report

Merging #5200 into develop will increase coverage by 0.07%.
The diff coverage is n/a.

@@             Coverage Diff             @@
##           develop    #5200      +/-   ##
===========================================
+ Coverage    67.43%   67.51%   +0.07%     
===========================================
  Files         1157     1157              
  Lines        95354    95536     +182     
===========================================
+ Hits         64306    64504     +198     
+ Misses       31048    31032      -16     

Flag	Coverage Δ
#cproversmt2	42.55% <2.97%> (-0.13%)	⬇️
#regression	64.05% <87.12%> (+0.09%)	⬆️
#unit	31.90% <13.36%> (-0.05%)	⬇️

Impacted Files	Coverage Δ
src/goto-programs/string_instrumentation.cpp	28.49% <0.00%> (+28.49%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update cccdfd9...0879ad0. Read the comment docs.

[thk123]

Looks like two big areas not currently exercised:

1. maybe_byte_extract_expr never gets a non-zero offset (here)
2. Any of the new code for string_instrumentationt::do_strchr (here)

Not sure exactly what they'd require (possibly the 2nd one is just the code isn't needed?)

[martin-cs]

I'm not the expert on the string solver so perhaps it is not my place to say but this doesn't feel like a particularly good design for supporting a large number of string functions. My experience suggests that you want a minimal number of (ideally orthogonal) primitives that are supported by the solver and the rest of the complexity and modelling can be in the library models. That is a lot easier to edit, test (given an executable form of the primitives), understand and modify.

[martin-cs]

Maybe I am getting mixed up but I thought the "string-abstraction" options did something very different? Maybe that was in goto-instrument.

[romainbrenguier]

@martin-cs

I'm not the expert on the string solver so perhaps it is not my place to say but this doesn't feel like a particularly good design for supporting a large number of string functions. My experience suggests that you want a minimal number of (ideally orthogonal) primitives that are supported by the solver and the rest of the complexity and modelling can be in the library models. That is a lot easier to edit, test (given an executable form of the primitives), understand and modify.

Yes, I agree it would be better to avoid adding new primitives but rather reuse the existing ones and use models to deal with the differences between languages.

[thk123]

When trying this branch out, I noticed the following example on this branch causes an invariant to be hit:

#include <assert.h>
#include <string.h>

void testFunction() {
  int size;
  __CPROVER_assume(size >= 10 && size <= 100);
  char *str = malloc(sizeof(char) * size);
  for(int i = 0; i < size-1; ++i)
  {
    char nondet_char;
    str[i] = nondet_char;
  }
  str[size - 1] = '\0';

  char* result = strchr(str, 'z');
  assert(result - str != 15);
}

[xbauch]

@martin-cs and @romainbrenguier there's a draft PR (#5239) which implements strchr by modelling the functionality inside string.h library and then instrumenting it to call the index-of directly. Have a look if you think that approach would be preferable to separating Java and C implementation. Note that there are some incompatible assumptions about types of things (array-size-type, char-type, etc.) between Java and C, so some changes to the originally java-only primitives are necessary.