-
Notifications
You must be signed in to change notification settings - Fork 22
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Introduce JML aliases of frame conditions for better tool compatibility #3365
Conversation
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #3365 +/- ##
============================================
- Coverage 38.03% 37.87% -0.16%
- Complexity 17084 17085 +1
============================================
Files 2099 2086 -13
Lines 127194 127537 +343
Branches 21368 21475 +107
============================================
- Hits 48375 48305 -70
- Misses 72856 73309 +453
+ Partials 5963 5923 -40 ☔ View full report in Codecov by Sentry. |
I tried the following example:
In the KeY-2.12.2 (2023-11-10) release: this file can't be loaded:
In the PR: the file can be loaded and you are correctly returned to the main interface. However, the proof doesn't work, it looks like the annotation is just skipped. Besides, it's not in bold as you can see in the screenshot, so I guess you need to add something else for the alias to work. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
First of all, I think it is a good idea to be able to parse these keywords. However, I am not sure if we want to allow these as aliases (at least not without a warning). Intuitively, modified
(is changed by the loop/method) and modifiable
(may be changed) have slightly different semantics. Since KeY uses the latter, I am not sure if it is a good idea to allow these aliases.
The original JML reference manual is old and outdated; as far as I can see, there is no framing clause for loops at all. The new one is still unfinished (and will take a while), I could not find a conclusion on the allowed keywords for framing clauses (neither in the PDF nor in the discussion on GitHub). I think that we should come up with our own consistent concept here. My suggestion would be:
- framing clauses for methods:
assignable
,modifiable
,writable
assigns
,modifies
,writes
(*)- I would not support
assigning
etc.
- framing clauses for loops:
- all of the above
- all of the above with additional
loop_
prefixes (although personally I prefer the variants without prefix)
For (*) and the variants with prefix, there should be a warning, since KeY uses modifiable/assignable semantics. Actually, one could argue that there is even a subtle difference between those two (as far as I remember also mentioned in the KeY book in a gray box). However, that would probably go too far ...
Btw.: The clauses still need to be translated to logic, I think this has to be done somewhere in JMLSpecFactory/TextualJMLSpecCase.
Btw.: The support of syntax highlighting in the SourceView panel (screenshot above) is completely independent, as it is done by a handwritten highlighter and has its own list of supported keywords. Not ideal, but very difficult to do better ... |
Since the reason for the failed proof attempt in #3362 was the missing framing clause, it would probably make sense to show a warning if no framing clause is present (default is |
Or take the method's assignable clause as a default like a number of
other tools do. It is a good default.
|
… 'loop_modifies' and 'loop_writes' from OpenJML as JML aliases
59895a8
to
097abe3
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, apart from some minor comments, I think that the changes are good. One thing I noticed though: Could it be the case that the performance of the parser dropped? It seems that loading the examples takes longer now (I did not measure, just some impression).
In addition, I put the PR onto the discussion list for our developer meetings (KaKeY), since I am not sure if moving towards "modifiable" is a good idea after having "assignable" basically as default for such a long time (even if it is only in code for now). Maybe we should discuss if everybody is ok with that.
.../src/test/java/de/uka/ilkd/key/symbolic_execution/testcase/TestTruthValueEvaluationUtil.java
Show resolved
Hide resolved
key.core/src/main/java/de/uka/ilkd/key/speclang/njml/JmlTermFactory.java
Outdated
Show resolved
Hide resolved
key.core/src/main/java/de/uka/ilkd/key/speclang/njml/Translator.java
Outdated
Show resolved
Hide resolved
key.core/src/main/java/de/uka/ilkd/key/speclang/njml/Translator.java
Outdated
Show resolved
Hide resolved
key.core/src/main/java/de/uka/ilkd/key/speclang/jml/translation/JMLSpecFactory.java
Outdated
Show resolved
Hide resolved
# Conflicts: # key.core/src/main/java/de/uka/ilkd/key/rule/AbstractLoopInvariantRule.java # key.core/src/main/java/de/uka/ilkd/key/rule/AuxiliaryContractBuilders.java # key.core/src/main/java/de/uka/ilkd/key/rule/WhileInvariantRule.java # key.core/src/main/java/de/uka/ilkd/key/rule/metaconstruct/CreateFrameCond.java # key.core/src/main/java/de/uka/ilkd/key/rule/metaconstruct/IntroAtPreDefsOp.java # key.core/src/main/java/de/uka/ilkd/key/speclang/ContractFactory.java # key.core/src/main/java/de/uka/ilkd/key/speclang/FunctionalOperationContractImpl.java # key.core/src/main/java/de/uka/ilkd/key/speclang/WellDefinednessCheck.java # key.core/src/main/java/de/uka/ilkd/key/speclang/jml/translation/JMLSpecFactory.java
# Conflicts: # key.core/src/main/java/de/uka/ilkd/key/speclang/jml/pretranslation/TextualJMLMergePointDecl.java # key.core/src/main/java/de/uka/ilkd/key/speclang/jml/translation/JMLSpecFactory.java
# Conflicts: # key.core.symbolic_execution/src/test/resources/testcase/set/blockContractModifiableEverything/test/BlockContractModifiableEverything.proof # key.core.symbolic_execution/src/test/resources/testcase/set/blockContractModifiableLocationNotRequested/test/BlockContractModifiableLocationNotRequested.proof # key.core.symbolic_execution/src/test/resources/testcase/set/blockContractModifiableRequestedLocation/test/BlockContractModifiableRequestedLocation.proof # key.core.symbolic_execution/src/test/resources/testcase/set/truthValueExceptionalModifiableNothingTest/test/ExceptionalModifiableNothingTest.proof # key.core.symbolic_execution/src/test/resources/testcase/set/truthValueExceptionalModifiableNothingTest/test/ExceptionalModifiableNothingTest_OSS.proof # key.core.symbolic_execution/src/test/resources/testcase/slicing/blockContractModifiableEverything/BlockContractModifiableEverything.proof # key.core.symbolic_execution/src/test/resources/testcase/slicing/blockContractModifiableLocationNotRequested/BlockContractModifiableLocationNotRequested.proof # key.core.symbolic_execution/src/test/resources/testcase/slicing/blockContractModifiableRequestedLocation/BlockContractModifiableRequestedLocation.proof # key.core.symbolic_execution/src/test/resources/testcase/slicing/methodContractModifiableEverything/MethodContractModifiableExample.proof # key.core.symbolic_execution/src/test/resources/testcase/slicing/methodContractModifiableLocationNotRequested/MethodContractModifiableLocationNotRequested.proof # key.core.symbolic_execution/src/test/resources/testcase/slicing/methodContractModifiableRequestedLocation/MethodContractModifiableRequestedLocation.proof
# Conflicts: # key.core/src/main/java/de/uka/ilkd/key/proof/init/AbstractOperationPO.java # key.core/src/main/java/de/uka/ilkd/key/proof/init/FunctionalBlockContractPO.java # key.core/src/main/java/de/uka/ilkd/key/proof/init/FunctionalOperationContractPO.java # key.core/src/main/java/de/uka/ilkd/key/proof/mgt/SpecificationRepository.java # key.core/src/main/java/de/uka/ilkd/key/speclang/AbstractAuxiliaryContractImpl.java # key.core/src/main/java/de/uka/ilkd/key/speclang/AuxiliaryContract.java # key.core/src/main/java/de/uka/ilkd/key/speclang/ContractAxiom.java # key.core/src/main/java/de/uka/ilkd/key/speclang/ContractFactory.java # key.core/src/main/java/de/uka/ilkd/key/speclang/FunctionalOperationContractImpl.java # key.core/src/main/java/de/uka/ilkd/key/speclang/MethodWellDefinedness.java # key.core/src/main/java/de/uka/ilkd/key/speclang/OperationContract.java # key.core/src/main/java/de/uka/ilkd/key/speclang/PartialInvAxiom.java # key.core/src/main/java/de/uka/ilkd/key/speclang/jml/translation/JMLSpecFactory.java
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, I think having support for more framing keywords (also with the warning about possibly unintended semantics) is beneficial.
Also, thanks for removing ambiguities from the variable names, where mod
stood for either modifier
or modality
or modifiable
;-)
This pull request allows handling various aliases for frame conditions within method/block/loop contracts and loop specifications. These aliases cover the ones which are used in various other verification tools with contracts for Java-like programs, e.g., Krakatoa, OpenJML, Dafny, ACSL++, or CorC.
In particular, the following aliases are henceforth supported for frame conditions in method, block, and loop contracts as well as loop specifications:
assignable
,assigns
,assigning
,modifiable
,modifies
,modifying
,writable
,writes
,writing
.Upon usage of the italic versions, we throw a warning in order to distinguish expected semantics, e.g., from runtime verification, as KeY does static analysis, but (other than potentially seeing a warning) these versions are supported in the same way as the other aliases.
For loop specifications, we also support the respective aliases with the prefix
loop_
.During discussions on this pull request, it was noted that the semantics implemented within KeY might be better captured by
modifiable
, but for legacy reasons, we do not move away from (also) usingassignable
.Related Issue
This pull request addresses #3362.
Intended Change
This pull request introduces the aliases for frame conditions which are shown above. Thereby, it increases compatibility with further tools using JML, JML variants, or JML-alikes, such as Krakatoa, OpenJML, Dafny, or ACSL++.
Type of pull request
Ensuring quality
Additional information and contact(s)
Some of the changes are results from work at the HacKeYthon together with @unp1.
The contributions within this pull request are licensed under GPLv2 (only) for inclusion in KeY.