Support for symbolic strings #88
Conversation
|
Note that this change should not be pushed for review until the script_fixes_2 change is merged. |
| verifier::assume(i.is_ascii_alphabetic()); | ||
| } | ||
|
|
||
| for i in a.as_bytes().iter() { |
There was a problem hiding this comment.
Do you need the .iter() here? for does that for you. You can also do all this in one assertion:
verifier::assert!(a.as_bytes().iter().all(char::is_ascii))
There was a problem hiding this comment.
I'm dropping the .iter() here and in the other place that I used '.as_bytes().iter()' a few lines above.
But I find that this point-free style less readable so I prefer the for loop.
alastairreid
force-pushed
the
strings
branch
from
02eea57
to
1749b17
Compare
| } | ||
| match String::from_utf8(r) { | ||
| Ok(r) => r, | ||
| Err(_) => reject(), |
There was a problem hiding this comment.
Maybe this doesn't matter very much, but shouldn't this reject() be unreachable()?
There was a problem hiding this comment.
reject() is equivalent to assume(false) and so it prevents the verifier from reporting errors involving this path. (In KLEE, it silently halts the current path exploration.)
unreachable() generates an error that is treated as a verification error.
In this case, the function is meant to be generating a legal string so we would not want to report an error.
There was a problem hiding this comment.
But you already assume all the bytes are ascii, is the Err branch still reachable?
There was a problem hiding this comment.
Ah, I see.
I am 99.9999% certain that this cannot fail.
But suppose I am wrong, then I would not want to report 'unreachable' because it would be an error in the verification support code not in the code being verified.
It would be good though to get some sort of report that there is a problem in the verification harness.
We should think about this a bit.
I think that this relates to a general problem in verification where you accidentally over-constrain the inputs so that you are not testing inputs that actually matter. In the extreme case (that is surprisingly common), the constraints are contradictory so there are no inputs and the verification is vacuously true.
I have been thinking that we should tackle that using a variation of what hardware engineers do when doing random testing: the System Verilog language lets you gather statistics about how many of the random inputs are in certain ranges - if a given range doesn't have enough values in it, you either need to test more or modify your test.
This would make sense as a proptest extension while for propverify we would just check that each range of interest is satisfiable.
(But exploring this is a problem for the future)
| #[cfg_attr(feature = "verifier-crux", crux_test)] | ||
| fn bytes() { | ||
| let a = verifier::verifier_nondet_bytes(8); | ||
| for i in a.iter() { |
There was a problem hiding this comment.
for i in &a { will call a.iter(). Note the &, otherwise it calls a.into_iter() which moves a and you can no longer use it.
| } | ||
|
|
||
| // force string to be a legal int | ||
| for i in a.as_bytes().into_iter() { |
| } | ||
|
|
||
| // force string to be a legal int | ||
| for i in a.as_bytes().into_iter() { |
|
Sorry this is taking a while to get back to - I wanted to get KLEE up and running with the new cargo-verify frontend before revisiting this. |
This is primarily a test that stubbing out feature tests and implementing posix_memalign fixes the problems we were seeing when trying to use the Regex library. As expected, the Regex library is a major verification bottleneck and you can only use very small, simple regexes. So regexes are still not viable to use at the moment.
|
I acted on all comments apart from the one about using unreachable instead of reject. Also, I moved the regex tests into demos/bottlenecks/regex since they were more about testing our ability to cope with language/tool features than they were about testing the verification annotations crate. (Since I have fixed everything, I would normally self-approve. But that seems to be disabled.) |
|
(It wasn't disabled after all - confusing UI) |
Composed of