Conversation
Note that this change should not be pushed for review until the script_fixes_2 change is merged. |
verifier::assume(i.is_ascii_alphabetic()); | ||
} | ||
|
||
for i in a.as_bytes().iter() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you need the .iter()
here? for
does that for you. You can also do all this in one assertion:
verifier::assert!(a.as_bytes().iter().all(char::is_ascii))
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm dropping the .iter() here and in the other place that I used '.as_bytes().iter()' a few lines above.
But I find that this point-free style less readable so I prefer the for loop.
02eea57
to
1749b17
Compare
} | ||
match String::from_utf8(r) { | ||
Ok(r) => r, | ||
Err(_) => reject(), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe this doesn't matter very much, but shouldn't this reject()
be unreachable()
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
reject() is equivalent to assume(false) and so it prevents the verifier from reporting errors involving this path. (In KLEE, it silently halts the current path exploration.)
unreachable() generates an error that is treated as a verification error.
In this case, the function is meant to be generating a legal string so we would not want to report an error.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
But you already assume all the bytes are ascii, is the Err branch still reachable?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, I see.
I am 99.9999% certain that this cannot fail.
But suppose I am wrong, then I would not want to report 'unreachable' because it would be an error in the verification support code not in the code being verified.
It would be good though to get some sort of report that there is a problem in the verification harness.
We should think about this a bit.
I think that this relates to a general problem in verification where you accidentally over-constrain the inputs so that you are not testing inputs that actually matter. In the extreme case (that is surprisingly common), the constraints are contradictory so there are no inputs and the verification is vacuously true.
I have been thinking that we should tackle that using a variation of what hardware engineers do when doing random testing: the System Verilog language lets you gather statistics about how many of the random inputs are in certain ranges - if a given range doesn't have enough values in it, you either need to test more or modify your test.
This would make sense as a proptest extension while for propverify we would just check that each range of interest is satisfiable.
(But exploring this is a problem for the future)
#[cfg_attr(feature = "verifier-crux", crux_test)] | ||
fn bytes() { | ||
let a = verifier::verifier_nondet_bytes(8); | ||
for i in a.iter() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
for i in &a {
will call a.iter()
. Note the &
, otherwise it calls a.into_iter()
which moves a
and you can no longer use it.
} | ||
|
||
// force string to be a legal int | ||
for i in a.as_bytes().into_iter() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Don't need .into_iter()
.
} | ||
|
||
// force string to be a legal int | ||
for i in a.as_bytes().into_iter() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Don't need .into_iter()
.
Sorry this is taking a while to get back to - I wanted to get KLEE up and running with the new cargo-verify frontend before revisiting this. |
This is primarily a test that stubbing out feature tests and implementing posix_memalign fixes the problems we were seeing when trying to use the Regex library. As expected, the Regex library is a major verification bottleneck and you can only use very small, simple regexes. So regexes are still not viable to use at the moment.
I acted on all comments apart from the one about using unreachable instead of reject. Also, I moved the regex tests into demos/bottlenecks/regex since they were more about testing our ability to cope with language/tool features than they were about testing the verification annotations crate. (Since I have fixed everything, I would normally self-approve. But that seems to be disabled.) |
(It wasn't disabled after all - confusing UI) |
Composed of