Fix-up to nondet-static option [TG-4365]

[majakusber]

This PR makes nondet-static option behave in a bit cleaner way:

• we only nondet-initialize custom static fields (before we would also nondet-initialize our variables such inflight_exception etc),
• we replace the original line of CPROVER_init that set the value of a static variable with a line that nondet-initializes it (before we would add the new line after the original assignment).

[majakusber]

Test-gen pointer bump: https://github.com/diffblue/test-gen/pull/2112

[tautschnig]

Please review whether adding a flag (and in particular one that doesn't seem to be widely used) to symbolt is the right design choice. If yes, more changes are required as indicated below.

[tautschnig]

This new field needs to be serialised and de-serialiased when writing/reading goto binaries. Also text output needs to be updated.

[peterschrammel]

Why not just is_nondet_init (or some more grammatically correct name)? (The static information is already in is_static_lifetime if needed).

[tautschnig]

Why take a copy?

[majakusber]

In case the instruction will be overriden, I need some info from the original instruction as it's being overriden (and without making a copy it gets into a loop). I could also make a copy of it only at point when I actually need it.

[tautschnig]

This line should just be removed?

[majakusber]

Yes, it definitely should have been.

[peterschrammel]

PR seems incomplete at the moment.

[peterschrammel]

The commit message could be more informative (e.g. Add is_static_nondet_init to symbol)

[peterschrammel]

Could this replace the __CPROVER prefix check above? (These variables should all have static lifetime anyway?)

[peterschrammel]

Why not just is_nondet_init (or some more grammatically correct name)? (The static information is already in is_static_lifetime if needed).

[majakusber]

From design point of view - we discussed this design with Peter, and it sounded like the cleanest solution. Although CI shows that this breaks how nondet-static works for C. So option (1) would be to keep the new field and correctly set it for fields in Java (this seems easy) and in C (this does not seem that easy as symbols are being created at many places and it's not obvious which ones are user/private). On the other hand, it seems that in C nondet-static was working correctly before the changes so option (2) would be to only fix how it works for Java by adding additional cases in nondet-static.cpp, namely if it's @inflight_exception or ..::clinit_already_run or java.String.Literal (all these are anyway used in Java only?) do not nondet-initialize it. The advantage of option (2) is that it won't break anything that is already working.

[majakusber]

@tautschnig @peterschrammel Here is my branch with option (2) implemented: develop...svorenova:fixup-nondet-static-2

[peterschrammel]

svorenova:fixup-nondet-static-2 is not an option.

[peterschrammel]

Looking at it again, I think using an ID_C comment is more appropriate. This is done similarly in comparable situations such as constant and initialization_required.

[smowton]

I'd say almost certainly rather than make a new symbol flag, either maintain the information you need (presumably a set of symbol IDs to reinit) elsewhere, or perhaps tag the symbol using a comment on its type, as e.g. already done to record a method's defining class, here: https://github.com/diffblue/cbmc/blob/develop/jbmc/src/java_bytecode/java_bytecode_convert_method.cpp#L448)

That strategy isn't clean by any stretch of the imagination, but it does at least preserve the serialized (GBF) format and thus only impacts code that uses the new information.

[smowton]

I wouldn't, this will break GBF compatibility across this change, for example

[smowton]

(The long-term plan is for symbols to have an additional attributes irep for this sort of thing)

[majakusber]

I've re-implemented this using a new comment. Let me know what you think.

[smowton]

Presumably also check for ID_C_constant?

[majakusber]

Constants are checked below, using is_constant_or_has_constant_components

[smowton]

Better! I liked your suggestion of replacing clinit methods though rather than returning all this stuff to __CPROVER_initialize, did that plan not go anywhere?

[majakusber]

@smowton Yes, that change will follow in a separate PR. This PR only cleans up nondet-static a bit but we would still call static initializer. The following PR will make sure that even in the static initializer wrapper we only nondet initialize variables.

[smowton]

@peterschrammel @tautschnig maybe you can think of a better name for "this is internal state, nondet-static shouldn't trash it"?

[smowton]

Braces around multi-line if

[smowton]

Maybe ID_C_is_internal_state? Contrasting user static variables? No strong opinion though.

[allredj]

This PR failed Diffblue compatibility checks (cbmc commit: ec4d5cd).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/80742567
Status will be re-evaluated on next push.
Please contact @peterschrammel, @thk123, or @allredj for support.

Common spurious failures:

• the cbmc commit has disappeared in the mean time (e.g. in a force-push)
• the author is not in the list of contributors (e.g. first-time contributors).

[allredj]

Passed Diffblue compatibility checks (cbmc commit: f0dc854).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/80752951

[martin-cs]

I don't want to say #751 BUT ... what is the correct way of marking that a variable is "internal only" and what should that mean for different transformations?

[martin-cs]

If we are going to switch from marking internal / CPROVER generated variables by a CPROVER_PREFIX and instead use this new comment attribute, please could we do it across the whole code-base as I doubt that nondet-static is the only place that makes this distinction.

Also, "change how we mark internal variables" is a bigger change that should be in a PR marked "Fix-up nondet-static".

[tautschnig]

While I agree with what Martin said (that we should reconsider various __CPROVER_ prefixed symbols): 1) for several of them the main purpose of the prefix is disambiguation (avoid conflicts with user-provided symbols; 2) let's not ask for huge extra work going well beyond the purpose of the PR (this is happening in several PRs and often stalls progress) - create an issue so that it isn't forgotten instead.

[martin-cs]

OK; I'm just want to avoid a proliferation of undocumented, slightly disjoint conventions for what are "internal" variables.

[martin-cs]

Terminological nit-picking but ... what is a proprietary variable in an open source system?

[tautschnig]

I like this approach. I think there are various details that can (and likely should) be improved as noted by the reviewers, but they should all be reasonably easy to address.

[tautschnig]

A bit of nit-picking: "allowed" - who sets those rules? Do I get jailed if I do a nondet-init? :-) More seriously: The commit message, which is the only documentation here, provides examples, but doesn't really set out the rules. Effectively the commit message will need to set out the semantics.

[peterschrammel]

Do I get jailed if I do a nondet-init?

You get punished with false alarms.

[majakusber]

I'll leave out the allowed to make it clear - just no nondet-init, period, don't even try :) I will also amend the commit message in lines with my last message - marking internal variables that are not CPROVER variables, language specific internal variables.

[tautschnig]

While I agree with what Martin said (that we should reconsider various __CPROVER_ prefixed symbols): 1) for several of them the main purpose of the prefix is disambiguation (avoid conflicts with user-provided symbols; 2) let's not ask for huge extra work going well beyond the purpose of the PR (this is happening in several PRs and often stalls progress) - create an issue so that it isn't forgotten instead.

[peterschrammel]

replacing clinit methods though rather than returning all this stuff to __CPROVER_initialize, did that plan not go anywhere?

@smowton, the second part of the static nondet fixes are in #2658.
The third part will then de-duplicate the static initialisations that Java does in two different places.

[peterschrammel]

better name for "this is internal state

The naming is more explicit on purpose because there might not only be 'internal' variables that must not be nondet-initialised. But I'm also fine with calling it differently.

(since when does Github post when you press Enter... grrrrr)

[majakusber]

As Peter mentioned the new comment is supposed to identify variables beyond _CPROVER variables that we do not want to nondet-initialize - for example @inflight_excpetion is not a CPROVER variable and it probably shouldn't be (it's only used in Java?). Now that I think about it, it makes sense to leave the check for CPROVER variables in nondet-static and really consider the new comment as a mean to mark things in the grey zone between core CPROVER variables and user defined variables such as language specific internal variables. Would you agree?

[majakusber]

I now pushed the changes along the lines of my previous comment. These should be reflecting all the comments.

I also changed how the last commit works as I learned about make_skip(), remove_skip(goto_programt) yesterday ;)

[martin-cs]

On Fri, 2018-08-03 at 00:28 -0700, svorenova wrote: As Peter mentioned the new comment is supposed to identify variables beyond _CPROVER variables that we do not want to nondet-initialize - for example ***@***.***_excpetion` is not a CPROVER variable and it probably shouldn't be (it's only used in Java?).

Rounding mode is already a language specific CPROVER variable. I don't know what the inflight exception does but if it's part of the model that CPROVER constructs of how the program works, then maybe it should be.

Now that I think about it, it makes sense to leave the check for CPROVER variables in nondet-static and really consider the new comment as a mean to mark things in the grey zone between core CPROVER variables and user defined variables such as language specific internal variables. Would you agree?

That's part of why I asked the question. I think the behaviour for CPROVER variables should stay unchanged. I can see a case for adding an extra if statement checking for an ID_C_block_nondet_static if you want additional options of blocking which global variables get non- det'd (although, is it better as an argument to nondet static?). This would be making clear that this is just a flag for that one piece of functionality and not about a general treatment of "internal" variables. Ofcourse, if you want something that marks a global variable as "internal" (apart from CPROVER prefixes) and affects multiple subsystems, then that is a different issue and should be addressed differently. But I don't think that is the case here?

[martin-cs]

Thanks for the changes; LGTM now.

[majakusber]

I had to revert the last commit, make_skip, remove_skip was misbehaving. @martin-cs That's right, the comment should only affect nondet-static.

[majakusber]

@martin-cs By language specific variable I meant a variable that only exists for particular languages, not necessarily all that we support, such as inflight_exception which in Java determines whether there is an uncaught exception at any given time. I didn't mean that their value is dependent on the chosen language.

[martin-cs]

On Fri, 2018-08-03 at 03:48 -0700, svorenova wrote: @martin-cs By language specific variable I meant a variable that only exists for particular languages, not necessarily all that we support, such as inflight_exception which in Java determines whether there is an uncaught exception at any given time. I didn't mean that their value is dependent on the chosen language.

Yes; language specific variables can be and do have CPROVER prefixes.

[allredj]

Passed Diffblue compatibility checks (cbmc commit: daff1d1).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/80862172