-
Notifications
You must be signed in to change notification settings - Fork 662
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
multiple anomalies in coqchk on CompCert #3026
Comments
Comment author: @xavierleroy I have been trying for several years to run "coqchk" on CompCert, for additional confidence. Below is the current status of my experiments, using the latest Coq release (8.4pl2) and the latest CompCert release (1.13). There are still multiple "anomalies" and several definitions where coqchk just loops or takes forever. The existence of coqchk is an argument in favor of Coq for people who really care about high-assurance software. I would therefore very much appreciate that you make it work properly. How to reproduce: wget http://compcert.inria.fr/release/compcert-1.13.tgz Edit the "check-proof:" entry at end of ./Makefile to add or remove -admit options as described below. Then run "make check-proof". 1- Without any "-admit": loops or takes forever on 2- With "-admit Integers": loops or takes forever on 3- With "-admit Integers -admit Floats": fails on 4- With "-admit Integers -admit Floats -admit AST": fails on 5- With "-admit Integers -admit Floats -admit AST -admit Asm": fails on 6- With "-admit Integers -admit Floats -admit AST -admit Asm -admit Mach": fails on 7- With "-admit Integers -admit Floats -admit AST -admit Asm -admit Mach -admit UnionFind": success! at last! |
Comment author: @letouzey Hi Xavier I've started looking at these issues
3,4,5) Cf #2588 indeed (and maybe #2933). I'm no expert in universes, I'll see with Bruno and/or Hugo.
Best, |
Comment author: @letouzey Created attachment 400 Patch for branch 8.4
|
Comment author: @letouzey Bruno, what do you think of this patch about conversion ? |
Comment author: @letouzey Created attachment 401
|
Comment author: @letouzey Concerning 6) (the NotConvertible in UnionFind), here is a minimal test-case: Module Type FOO. Parameter t : Type. End FOO.
Module Type BAR. Parameter t : Type. End BAR.
Module M (X : BAR) : FOO with Definition t := X.t.
Definition t := X.t.
End M. It seems the universe constraints are simply not loaded by coqchk when inside a functor, see my second patch that appears to solve this... I wonder whether we should also add constraints appearing in module_type_body and in constant_body ? One more time, I'll try to have feedback about this patch before inclusion... Pierre |
Comment author: @maximedenes This patch doesn't seem necessary today (constraints carried by fields of a module are included in the ones of the module itself). The minimal example extracted from UnionFind goes through since 8.4 pl4, probably due to Enrico's fix of #3243. |
Comment author: @Zimmi48 From what I read here https://github.com/AbsInt/CompCert/blob/0b4bcebe701b9cf8756f583768831ad48a7cc79e/Makefile#L280-L285, coqchk still has issues with CompCert. Can this bug be updated to reflect the current limitations? |
From what I understand from the problems encountered in CompCert, the file |
It is not just that the checker doesn't implement it. It is also that it should do something special when defunctorialization removes opacity (of a parameter). |
What's the status of this bug report? I know that I fixed the bug due to |
Let me correct myself: the
|
Right. According to my notes there are two problems remaining: Integers.Int.Z_mod_modulus_range takes forever to check |
@ppedrot When we discussed this at POPL, we thought about making the checker treat fields opacified by module signatures as |
@maximedenes I had a look at that yesterday, and it is actually way harder to do this properly than I originally thought. For instance there is no way to distinguish the use of a constant as an instance of a functor argument or as a standard global variable, which might result in fancy conversion checks. |
@SkySkimmer @maximedenes How far are we from solving this bug since the merge of the checker code base? |
I don't understand what the status of the bug is, there seem to be several separate bugs involved (anomalies as the title says but also perf issues from functor unfolding?) |
You mean something like Definition big := 2.
Module Type T. Parameter x : nat. End T.
Module F(A:T).
Definition one : big = 2 := eq_refl.
Definition two : A.x = A.x := eq_refl.
End F.
Module A. Definition x := big. End A.
Module M := F A. (* when checking M we need to unfold the "big" in "one" but not the one in "two" *) |
@SkySkimmer indeed. |
There might still be issues with the checker and with tactics, but the original problem motivating this PR is gone. Closing then. For the record: to make CompCert go through the checker, a few calls to |
… (part 1 of coq#3026) As shown by Compcert's Integers.v, typechecking functor applications after expansion may be delicate, since concrete module params may bring new possible reductions, and conversion test may become dramatically slow. To avoid this, we restore a minimal conversion oracle, and declare all constants in module params to have a low priority for expansion during conversion test.
… (part 1 of coq#3026) As shown by Compcert's Integers.v, typechecking functor applications after expansion may be delicate, since concrete module params may bring new possible reductions, and conversion test may become dramatically slow. To avoid this, we restore a minimal conversion oracle, and declare all constants in module params to have a low priority for expansion during conversion test.
Should we also add constraints in check_module_type ? In check_constant_declaration ? Cf commit r11348 fixing bug coq#1927
Note: the issue was created automatically with bugzilla2github tool
Original bug ID: BZ#3026
From: @xavierleroy
Reported version: 8.4
CC: @barras, @pirbo, @letouzey
Depends on: BZ#2588, BZ#2933
See also: BZ#3243
The text was updated successfully, but these errors were encountered: