Bugfix/char array in string solver #3248
Conversation
romainbrenguier
commented
Oct 29, 2018
romainbrenguier
commented
- Each commit message has a non-empty body, explaining why the change was made.
- [na] Methods or procedures I have added are documented, following the guidelines provided in CODING_STANDARD.md.
- Regression or unit tests are included, or existing tests cover the modified code (in this case I have detailed which ones those are in the commit message).
- [na] My commit message includes data points confirming performance improvements (if claimed).
- My PR is restricted to a single feature or bugfix.
- White-space or formatting changes outside the feature-related changed lines are in commits of their own.
romainbrenguier
requested review from
kroening,
martin-cs,
peterschrammel,
pkesseli,
smowton and
tautschnig
as code owners
|
A fix suggests a regression test? |
There was a problem hiding this comment.
I agree with @smowton . It is not obvious what the effect of the bug fix is. It would be nice to have at least one test that is wrong before and right afterwards just to make clear one of the higher-level effects of this.
romainbrenguier
force-pushed
the
bugfix/char-array-in-string-solver
branch
from
14268da to
3129270
Compare
|
@smowton @martin-cs I agree that this PR should have tests, and I tried adding some but couldn't manage to do it in two days of work. The issue appears on another of our tool and I couldn't reproduce with JBMC, (the example uses --cover location which no longer exists in JBMC). Unit tests will be good but I encounter lot of bugs in the different layers of the solvers when the formulas don't come from a goto-program but are hand-written for the unit test. I have a PR that add tests for this fix in another of our repository https://github.com/diffblue/test-gen/pull/2428 |
|
To keep effort reasonable I'd say it's ok if there are regression tests elsewhere. |
romainbrenguier
force-pushed
the
bugfix/char-array-in-string-solver
branch
from
3129270 to
1dc3227
Compare
There was a problem hiding this comment.
🚫
This PR failed Diffblue compatibility checks (cbmc commit: 3129270).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/89619587
Status will be re-evaluated on next push.
Please contact @peterschrammel, @thk123, or @allredj for support.
Common spurious failures:
- the cbmc commit has disappeared in the mean time (e.g. in a force-push)
- the author is not in the list of contributors (e.g. first-time contributors).
The incompatibility may have been introduced by an earlier PR. In that case merging this
PR should be avoided unless it fixes the current incompatibility.
There was a problem hiding this comment.
🚫
This PR failed Diffblue compatibility checks (cbmc commit: 1dc3227).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/89626120
Status will be re-evaluated on next push.
Please contact @peterschrammel, @thk123, or @allredj for support.
Common spurious failures:
- the cbmc commit has disappeared in the mean time (e.g. in a force-push)
- the author is not in the list of contributors (e.g. first-time contributors).
The incompatibility may have been introduced by an earlier PR. In that case merging this
PR should be avoided unless it fixes the current incompatibility.
| @@ -36,7 +36,7 @@ class tt | |||
| } | |||
There was a problem hiding this comment.
⛏️ typo in commit message:
WeThe way it was used was inconsistent.
There was a problem hiding this comment.
First sentence also has some problems.
src/util/refined_string_type.cpp
Outdated
| @@ -21,10 +21,10 @@ Author: Romain Brenguier, romain.brenguier@diffblue.com | |||
| #include "std_expr.h" | |||
|
|
|||
| refined_string_typet::refined_string_typet( | |||
| const typet &index_type, const typet &char_type) | |||
| const typet &index_type, | |||
| const typet &content_type) | |||
There was a problem hiding this comment.
Does content_type need to be a pointer_typet? If so, perhaps make this only except a pointer_typet
| @@ -36,7 +36,7 @@ class tt | |||
| } | |||
There was a problem hiding this comment.
First sentence also has some problems.
romainbrenguier
force-pushed
the
bugfix/char-array-in-string-solver
branch
from
1dc3227 to
cc6e0f9
Compare
romainbrenguier
requested review from
cesaro,
cristina-david and
NathanJPhillips
as code owners
romainbrenguier
force-pushed
the
bugfix/char-array-in-string-solver
branch
from
cc6e0f9 to
959d680
Compare
There was a problem hiding this comment.
✔️
Passed Diffblue compatibility checks (cbmc commit: 959d680).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/89785978
romainbrenguier
force-pushed
the
bugfix/char-array-in-string-solver
branch
from
959d680 to
58e6339
Compare
There was a problem hiding this comment.
✔️
Passed Diffblue compatibility checks (cbmc commit: 58e6339).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/89913124
| /// Similar to `symbol_resolve.replace_expr` but doesn't mutate the expression | ||
| /// and return the transformed expression instead. | ||
| static exprt | ||
| transform_expr(const union_find_replacet &symbol_resolve, exprt expr) |
There was a problem hiding this comment.
exprt-> equal_exprt (in the doc you mention equations)
There was a problem hiding this comment.
That's more or less what I had in mind. However transform_expr sounds like do_something_to_expr. 😄
How about substitute_with_repr?
There was a problem hiding this comment.
I would keep transform as it is used in the standard library for operations without side-effects https://en.cppreference.com/w/cpp/algorithm/transform
There was a problem hiding this comment.
Yeah but in std::transform you give the operation as argument, so the generic name makes sense there. Not here, because the caller doesn't know what the operation is.
There was a problem hiding this comment.
Yes you are right, but instead of having a "substitute" and a "replace" function name (difficult to see which one is which from the name), I suggest to name this one replace_expr_copy (following the _copy pattern of the stl), making it clear that this one creates a new copy of the expression.
| /// Substitute sub-expressions in equation by representative elements of | ||
| /// `symbol_resolve` whenever possible. | ||
| /// Similar to `symbol_resolve.replace_expr` but doesn't mutate the expression | ||
| /// and return the transformed expression instead. |
| dependencies, | ||
| eq_with_char_array_replaced_with_representative_elements, | ||
| generator.array_pool); | ||
| if(!node_added) |
There was a problem hiding this comment.
That's much clearer to me. Thanks!
No functional changes
The data should be kept between calls to dec_solve because the set of equations from the last call are not recorded.
In the string refinement we replace symbols corresponding to arrays of characters by cannonical element to ensure that symbols resolving to the same expression are associated the same node. We should not replace char array in equations that are passed to supert, since the underlying solver should handle pointers and arrays, and string_refinementt should not interfer with it.
We make the second argument be the content type. This is more compatible, and is how it is used at least once in the code base. The way it was used was inconsistent.
romainbrenguier
force-pushed
the
bugfix/char-array-in-string-solver
branch
from
58e6339 to
33b005c
Compare
There was a problem hiding this comment.
✔️
Passed Diffblue compatibility checks (cbmc commit: 33b005c).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/90046786
