Replace asserts and throws under goto-symex #6
Conversation
src/goto-symex/slice_by_trace.cpp
Outdated
| @@ -94,7 +101,7 @@ void symex_slice_by_tracet::slice_by_trace( | |||
| } | |||
| else if(!(g_copy.id()==ID_constant)) | |||
| { | |||
| throw "guards should only be and, symbol, constant, or `not'"; | |||
| UNHANDLED_CASE; | |||
There was a problem hiding this comment.
Some rationale for the changes: This is just for documentation purposes, the INVARIANT above should have crashed it anyway if it's something different.
| @@ -313,8 +307,7 @@ void goto_symext::symex_printf( | |||
| statet &state, | |||
| const exprt &rhs) | |||
| { | |||
| if(rhs.operands().empty()) | |||
| throw "printf expected to have at least one operand"; | |||
There was a problem hiding this comment.
I have made the judgement call to drop what I consider to be redundant error messages, in the cases where the PRECONDITION assertion itself (within the context) seems self evident.
| #endif | ||
| } | ||
| else | ||
| throw "unknown macro: "+id2string(identifier); |
There was a problem hiding this comment.
Here, I consider the whole
if (something)
{
...some computation...
} else {
throw exception
}
to just have the general form:
assert (something)
... do the useful computation ...
so I have rearranged it appropriately.
There was a problem hiding this comment.
That's assuming that (something) is error checked elsewhere, and that its not being provided from user code....
src/goto-symex/symex_dead.cpp
Outdated
| throw "dead expects symbol as first operand"; | ||
|
|
||
| PRECONDITION(code.operands().size()!=1); | ||
| PRECONDITION(code.op0().id()!=ID_symbol); |
There was a problem hiding this comment.
I don't know why there's this preceding space, and also the preconditions are wrong.
Something that is of the form
if (not something)
throw exception
should have the form
assert (something);
| assignment.rhs().type(), ns)) | ||
| throw | ||
| "goto_symext::return_assignment type mismatch at "+ | ||
| instruction.source_location.as_string()+":\n"+ |
There was a problem hiding this comment.
Here I made the judgement call that the error message, especially within the context, was too chatty. I replaced it with an INVARIANT which keeps part of the message, but drops the extraneous information (at least for the usual case)
There was a problem hiding this comment.
or to put in in another way, I have a severe dislike for an error message in an invariant that prints two expressions.pretty()
There was a problem hiding this comment.
a) - Are we sure this is not a user level error?
b) Imagine you made a modification to CBMC and hit this new INVARIANT - how would you go about debugging it? What types mismatch?
| } | ||
|
|
||
| POSTCONDITION(!frame.return_value.is_not_nil()); |
There was a problem hiding this comment.
Replaced the throw "return with unexpected value" with just a POSTCONDITION. I think it's cleaner this way, and more self evident what it does, while not altering the semantics of the code.
src/goto-symex/symex_goto.cpp
Outdated
| if(instruction.targets.size()!=1) | ||
| throw "no support for non-deterministic gotos"; | ||
| DATA_INVARIANT( | ||
| instruction.targets.size()!=1, "no support for non-deterministic gotos"); |
There was a problem hiding this comment.
Again, this hasn't been inverted properly, should be instruction.targets.size() == 1
src/goto-symex/build_goto_trace.cpp
Outdated
| @@ -222,7 +222,7 @@ void build_goto_trace( | |||
| else if(it->is_atomic_end() && current_time<0) | |||
| current_time*=-1; | |||
|
|
|||
| assert(current_time>=0); | |||
| PRECONDITION(current_time>=0); | |||
There was a problem hiding this comment.
This isn't a precondition, this is an invariant that's supposed to be maintained by the current code block.
(Again, difference - Precondition failure is meant to indicate that the function was used incorrectly, whereas most other invariant failures are meant to indicate that the function itself is broken).
| @@ -51,8 +51,7 @@ void goto_symex_statet::level0t::operator()( | |||
|
|
|||
| const symbolt *s; | |||
| const bool found_l0 = !ns.lookup(obj_identifier, s); | |||
| DATA_INVARIANT( | |||
| found_l0, "level0: failed to find " + id2string(obj_identifier)); | |||
| INVARIANT(found_l0, "level0: failed to find " + id2string(obj_identifier)); | |||
There was a problem hiding this comment.
Nice catch, this indeed doesn't seem to meet the definition of DATA_INVARIANT
src/goto-symex/goto_symex_state.cpp
Outdated
| DATA_INVARIANT( | ||
| expr.type().id() == ID_pointer, | ||
| "type of address_of should be ID_pointer"); | ||
| PRECONDITION(expr.type().id() == ID_pointer); |
There was a problem hiding this comment.
This should probably be the first thing that's being checked in this block?
src/goto-symex/goto_symex_state.cpp
Outdated
| @@ -495,12 +493,9 @@ void goto_symex_statet::rename( | |||
| } | |||
| else if(expr.id()==ID_address_of) | |||
| { | |||
| DATA_INVARIANT( | |||
| expr.operands().size() == 1, "address_of should have a single operand"); | |||
| PRECONDITION(expr.operands().size() == 1); | |||
There was a problem hiding this comment.
No, this should be a DATA_INVARIANT.
src/goto-symex/postcondition.cpp
Outdated
| @@ -76,20 +76,19 @@ bool postconditiont::is_used_address_of( | |||
| } | |||
| else if(expr.id()==ID_index) | |||
| { | |||
| assert(expr.operands().size()==2); | |||
|
|
|||
| PRECONDITION(expr.operands().size() == 2); | |||
src/goto-symex/symex_main.cpp
Outdated
| PRECONDITION(expr.operands().size()==2); | ||
| PRECONDITION(expr.op0().id()==ID_symbol); | ||
| PRECONDITION(expr.operands().size() == 2); | ||
| PRECONDITION(expr.op0().id() == ID_symbol); |
There was a problem hiding this comment.
Also DATA_INVARIANT
src/goto-symex/symex_other.cpp
Outdated
| DATA_INVARIANT( | ||
| code.operands().size() == 2, | ||
| "array_copy/array_replace takes two operands"); | ||
| PRECONDITION(code.operands().size() == 2); |
src/goto-symex/symex_other.cpp
Outdated
| @@ -187,7 +185,7 @@ void goto_symext::symex_other( | |||
| // process_array_expr) | |||
| // 3. use the type of the resulting array to construct an array_of | |||
| // expression | |||
| DATA_INVARIANT(code.operands().size() == 2, "array_set takes two operands"); | |||
| PRECONDITION(code.operands().size() == 2); | |||
src/goto-symex/symex_other.cpp
Outdated
| DATA_INVARIANT( | ||
| code.operands().size() == 3, | ||
| "array_equal expected to take three arguments"); | ||
| PRECONDITION(code.operands().size() == 3); |
There was a problem hiding this comment.
DATA_INVARIANT (probably)
src/goto-symex/symex_other.cpp
Outdated
| @@ -266,8 +262,7 @@ void goto_symext::symex_other( | |||
| } | |||
| else if(statement==ID_havoc_object) | |||
| { | |||
| DATA_INVARIANT(code.operands().size()==1, | |||
| "havoc_object must have one operand"); | |||
| PRECONDITION(code.operands().size()==1); | |||
| @@ -234,8 +229,7 @@ void goto_symext::symex_gcc_builtin_va_arg_next( | |||
| const exprt &lhs, | |||
| const side_effect_exprt &code) | |||
| { | |||
| if(code.operands().size()!=1) | |||
| throw "va_arg_next expected to have one operand"; | |||
| PRECONDITION(code.operands().size() != 1); | |||
There was a problem hiding this comment.
Yes, you are right, I don't know why this wasn't changed.
NlightNFotis
force-pushed
the
custom_exception
branch
from
a6bce43 to
c7fb551
Compare
src/goto-symex/symex_decl.cpp
Outdated
| // two-operand decl not supported here | ||
| // we handle the decl with only one operand | ||
| PRECONDITION(code.operands().size()==1); | ||
| PRECONDITION(code.op0().id()!=ID_symbol); |
There was a problem hiding this comment.
Yeah, as John says - formatting for both PRECONDITIONS. Could consider these as DATA_INVARIANTS instead too?
There was a problem hiding this comment.
I wasn't actually commenting on the formatting (although I do agree with Chris).
I was suggesting that I think it should be '==' instead of '!='.
There was a problem hiding this comment.
Argh - yes, good catch John.
There was a problem hiding this comment.
Yes, these were left in by mistake. This was part of a change I had done while I was quickly prototyping some changes during a discussion with Hannes, and forgot to properly go back and re-edit them.
There was a problem hiding this comment.
It's the same thing as with the commented out code below.
| g_copy.id() == ID_not || | ||
| g_copy.id() == ID_and || | ||
| g_copy.id() == ID_constant, | ||
| "guards should only be and, symbol, constant, or `not'"); |
There was a problem hiding this comment.
Previously, this was throwing an exception for ID_and (but the comment suggested that guards can be and). Is this a deliberate change?
There was a problem hiding this comment.
@johnnonweiler No it wasn't (https://github.com/diffblue/cbmc/blob/develop/src/goto-symex/slice_by_trace.cpp#L95). What that did is that it checked if the expression's type is ID_symbol or ID_not which was handled in the first if consequent statement, then it checked if the expression's type is ID_and, which was handled in the second consequent statement (else if (g_copy.id()==ID_and)...) and last it was throwing an exception if the expression's type was anything but a constant (else if (!(g_copy.id()==ID_constant)) - based on the idea that it had checked for the other meaningful types and handled them, and left the constant case unhandled but crashed on anything else).
This INVARIANT does the same thing, just earlier, while it also drops the unneeded exception now.
There was a problem hiding this comment.
Sorry @NlightNFotis - I got confused by GitHub hiding a couple of lines in the diff!
src/goto-symex/symex_assign.cpp
Outdated
| @@ -55,8 +55,9 @@ void goto_symext::symex_assign( | |||
| symex_allocate(state, lhs, side_effect_expr); | |||
| else if(statement==ID_printf) | |||
| { | |||
| if(lhs.is_not_nil()) | |||
| throw "printf: unexpected assignment"; | |||
| PRECONDITION(!lhs.is_not_nil()); | |||
There was a problem hiding this comment.
Could this be lhs.is_nil() (instead of the double negative)?
There was a problem hiding this comment.
Agree with John here - don't like the double negative.
src/goto-symex/symex_assign.cpp
Outdated
| throw "printf: unexpected assignment"; | ||
| PRECONDITION(!lhs.is_not_nil()); | ||
| // if(lhs.is_not_nil()) | ||
| // throw "printf: unexpected assignment"; |
There was a problem hiding this comment.
Why include this commented out code?
There was a problem hiding this comment.
Yep, this code should be removed, not commented.
There was a problem hiding this comment.
Yes, again, as stated before, this was part of some quick prototyping during a discussion with Hannes, that somehow manged to creep in.
src/goto-symex/build_goto_trace.cpp
Outdated
| @@ -92,7 +92,7 @@ exprt build_full_lhs_rec( | |||
| id==ID_byte_extract_big_endian) | |||
| { | |||
| exprt tmp=src_original; | |||
| assert(tmp.operands().size()==2); | |||
| PRECONDITION(tmp.operands().size() == 2); | |||
There was a problem hiding this comment.
Minor nit: Why not move the PRECONDITION to be the first line in the block?
There was a problem hiding this comment.
Should this be a DATA_INVARIANT ?
| @@ -222,7 +222,7 @@ void build_goto_trace( | |||
| else if(it->is_atomic_end() && current_time<0) | |||
| current_time*=-1; | |||
|
|
|||
| assert(current_time>=0); | |||
| INVARIANT(current_time>=0, "time keeping inconsistency"); | |||
There was a problem hiding this comment.
Again, isn't this a DATA_INVARIANT?
There was a problem hiding this comment.
No. This is what the DATA_INVARIANT's documentation says:
// This condition should be used to document that assumptions that are
// made on goto_functions, goto_programs, exprts, etc. being well formed.
// "The data structure is corrupt or malformed"
To my understanding this is to assert properties of fundamental data structures representing the program under analysis. In this case current_time is a local variable that is only required to be consistent during the execution of the function.
There was a problem hiding this comment.
Seems reasonable, thanks.
src/goto-symex/goto_symex_state.cpp
Outdated
| @@ -187,8 +186,7 @@ bool goto_symex_statet::constant_propagation_reference(const exprt &expr) const | |||
| } | |||
| else if(expr.id()==ID_member) | |||
| { | |||
| if(expr.operands().size()!=1) | |||
| throw "member expects one operand"; | |||
| PRECONDITION(expr.operands().size() == 1); | |||
There was a problem hiding this comment.
By definition this falls between multiple categories of the invariant checks (it falls both under DATA_INVARIANT because it checks fundamental data structures like an exprt in this case, but it also falls under the PRECONDITION case, in that it's asserting whether an argument of the function is correct and the rest of the computation can be sound based on that assertion.
But I can certainly change it to the DATA_INVARIANT in case it makes things a little bit cleaner.
src/goto-symex/goto_symex_state.cpp
Outdated
| @@ -495,12 +493,10 @@ void goto_symex_statet::rename( | |||
| } | |||
| else if(expr.id()==ID_address_of) | |||
| { | |||
| PRECONDITION(expr.type().id() == ID_pointer); | |||
There was a problem hiding this comment.
Isn't this DATA_INVARIANT?
There was a problem hiding this comment.
Same thing as above really, but I can change it to make it clearer.
src/goto-symex/goto_symex_state.cpp
Outdated
| DATA_INVARIANT( | ||
| expr.operands().size() == 1, "address_of should have a single operand"); | ||
| expr.operands().size() == 1, "address_of should have a single operand"); |
There was a problem hiding this comment.
Unnecessary (and incorrect) indentation change.
| DATA_INVARIANT(code.operands().size()==1, | ||
| "havoc_object must have one operand"); | ||
| DATA_INVARIANT( | ||
| code.operands().size() == 1, |
There was a problem hiding this comment.
Again, original message was better...
| if(state.atomic_section_id!=0) | ||
| throw "start_thread in atomic section detected"; | ||
| INVARIANT(state.atomic_section_id==0, | ||
| "start_thread in atomic section detected"); |
There was a problem hiding this comment.
This could be a PRE_CONDITION, maybe?
There was a problem hiding this comment.
The message might be better phrased as something like "start_thread not supported in atomic section" ?
There was a problem hiding this comment.
While I agree with you, I find the message to be useful (in that it contains information that can't be transmitted through the condition checked easily), and making this a PRECONDITION would require the message to be killed. I don't believe this to be a good idea, this is why I kept it as an INVARIANT.
However, I can change this if there are strong feelings about it.
There was a problem hiding this comment.
INVARIANT descriptions should describe what condition we expect to be holding, not what error condition they are detecting - I think the description should be updated.
| @@ -10,6 +10,11 @@ Author: Fotis Koutoulakis, [email protected] | |||
| #define CPROVER_UTIL_EXCEPTION_UTILS_H | |||
|
|
|||
| #include <string> | |||
| #include <sstream> | |||
|
|
|||
| #include <goto-symex/symex_target_equation.h> | |||
There was a problem hiding this comment.
I think this is wrong. This means that 'src/util' now has a dependency on 'goto-symex' which I think is wrong. I also don't see why equation_conversion_exceptiont has been moved into this file, since it's so specific to symex....
| @@ -1,47 +0,0 @@ | |||
| /*******************************************************************\ | |||
There was a problem hiding this comment.
I don't see why this was removed! (see also my comments where this exception class was moved to....)
| @@ -38,4 +43,31 @@ class invalid_user_input_exceptiont | |||
| } | |||
| }; | |||
|
|
|||
|
|
|||
| class equation_conversion_exceptiont : public std::runtime_error | |||
There was a problem hiding this comment.
If the intent of moving this exception class into this file was to make it part of the new exception class hierachy, then this class should be inheriting from something other than std::runtime_error...... I whole heartedly agree that this class should move into the new hierachy, but it shouldn't be in this util directory. It should stay in it's original file but just inherit from a suitable class in the new hierachy.
There was a problem hiding this comment.
There's no hierarchy yet, and thinking about how to model one I think it's trickier than it looks to just design one on the spot. I will just revert this commit and note it down as one of the improvements I want to take a look at further down the line.
NlightNFotis
force-pushed
the
custom_exception
branch
from
c7fb551 to
09c7495
Compare
src/goto-symex/symex_decl.cpp
Outdated
| PRECONDITION(code.operands().size()==1); | ||
| PRECONDITION(code.op0().id()!=ID_symbol); | ||
| PRECONDITION(code.operands().size() == 1); | ||
| PRECONDITION(code.op0().id() == ID_symbol); |
There was a problem hiding this comment.
Why has this PRECONDITION changed from != to == ? I don't see why this patch hunk is here as apart from that operator changing, it's just whitespace formatting changing, which is not related to this pr.
There was a problem hiding this comment.
The original code for this was:
if(code.op0().id()!=ID_symbol)
throw "decl expects symbol as first operand";
When we turn these if conditions into PRECONDITIONs, we are changing from checking if something shouldn't happen, to checking that the opposite should always happen. I hadn't made the reversal of the condition properly in one of the previous commits, and this compensates for that.
src/goto-symex/symex_goto.cpp
Outdated
| PRECONDITION(state.atomic_section_id == goto_state.atomic_section_id); | ||
| INVARIANT( | ||
| state.atomic_section_id == goto_state.atomic_section_id, | ||
| "atomic sections differ across branches"); |
There was a problem hiding this comment.
The description here is not quite right - the invariant is more a statement that "atomic section should be the same across branches". The description is a description of what invariant we are expecting to hold, not a description of what has gone wrong.
| @@ -222,7 +222,7 @@ void build_goto_trace( | |||
| else if(it->is_atomic_end() && current_time<0) | |||
| current_time*=-1; | |||
|
|
|||
| assert(current_time>=0); | |||
| INVARIANT(current_time>=0, "time keeping inconsistency"); | |||
There was a problem hiding this comment.
Seems reasonable, thanks.
| assert(dest.operands().size()==1); | ||
| DATA_INVARIANT( | ||
| dest.operands().size() == 1, | ||
| "address_of expression expected to have one operand at this point"); |
There was a problem hiding this comment.
"at this point" isn't needed - keep them tight.
| assert(dest.operands().size()==1); | ||
| DATA_INVARIANT( | ||
| dest.operands().size() == 1, | ||
| "dereference expression expected to have one operand at this point"); | ||
|
|
There was a problem hiding this comment.
"at this point" isn't needed
src/goto-symex/slice_by_trace.cpp
Outdated
| DATA_INVARIANT( | ||
| g_copy.id() == ID_symbol || g_copy.id() == ID_not || | ||
| g_copy.id() == ID_and || g_copy.id() == ID_constant, | ||
| "guards should only be and, symbol, constant, or `not'"); |
There was a problem hiding this comment.
Either put quote marks around all the items, or none - at the moment you only put quote marks around 'not'
There was a problem hiding this comment.
Ahh, I don't. It was like this, and because I've seen this pattern* in a couple of places around cbmc, I'm assuming it is by design. I can change it if you want though.
*: The pattern being something like this always:
``something'`
| throw "trace uses symbol not in alphabet: "+event; | ||
| PRECONDITION(!alphabet.empty()); | ||
| INVARIANT((alphabet.count(event) != 0) == alphabet_parity, | ||
| "trace uses symbol not in alphabet: " + event); |
There was a problem hiding this comment.
Description should describe what is being asserted.... "trace symbol must be in alphabet"
src/goto-symex/symex_dereference.cpp
Outdated
| @@ -155,6 +155,9 @@ exprt goto_symext::address_arithmetic( | |||
| } | |||
| else if(expr.id()==ID_dereference) | |||
| { | |||
| DATA_INVARIANT( | |||
| expr.operands().size() == 1, | |||
| "dereference expression expected to have one operand"); | |||
| exprt value=code.op0(); | ||
| PRECONDITION( | ||
| code.operands().size() == 1 || | ||
| frame.return_value.is_nil()); |
There was a problem hiding this comment.
@chrisr-diffblue The indentation errors were very weird this time around, because the last commit was explicitly passing git-clang-format on HEAD. It appeared that what you saw was new lines that had been indented with TAB rather than spaces, and git-clang-format was (and still is) okay with it. I have changed it manually to spaces to see if it makes it better.
src/goto-symex/slice_by_trace.cpp
Outdated
| DATA_INVARIANT( | ||
| g_copy.id() == ID_symbol || g_copy.id() == ID_not || | ||
| g_copy.id() == ID_and || g_copy.id() == ID_constant, | ||
| "guards should only be and, symbol, constant, or `not'"); |
There was a problem hiding this comment.
Ahh, I don't. It was like this, and because I've seen this pattern* in a couple of places around cbmc, I'm assuming it is by design. I can change it if you want though.
*: The pattern being something like this always:
``something'`
src/goto-symex/symex_decl.cpp
Outdated
| PRECONDITION(code.operands().size()==1); | ||
| PRECONDITION(code.op0().id()!=ID_symbol); | ||
| PRECONDITION(code.operands().size() == 1); | ||
| PRECONDITION(code.op0().id() == ID_symbol); |
There was a problem hiding this comment.
The original code for this was:
if(code.op0().id()!=ID_symbol)
throw "decl expects symbol as first operand";
When we turn these if conditions into PRECONDITIONs, we are changing from checking if something shouldn't happen, to checking that the opposite should always happen. I hadn't made the reversal of the condition properly in one of the previous commits, and this compensates for that.
| if(state.atomic_section_id!=0) | ||
| throw "start_thread in atomic section detected"; | ||
| INVARIANT(state.atomic_section_id==0, | ||
| "start_thread in atomic section detected"); |
There was a problem hiding this comment.
INVARIANT descriptions should describe what condition we expect to be holding, not what error condition they are detecting - I think the description should be updated.
NlightNFotis
force-pushed
the
custom_exception
branch
from
aba3fe5 to
f2a7a37
Compare
No description provided.