Constant propagate string-solver function results

[JohnDumbell]

Allows constant propagation to work on a range of general string operations.

• Each commit message has a non-empty body, explaining why the change was made.
• Methods or procedures I have added are documented, following the guidelines provided in CODING_STANDARD.md.
• The feature or user visible behaviour I have added or modified has been documented in the User Guide in doc/cprover-manual/
• Regression or unit tests are included, or existing tests cover the modified code (in this case I have detailed which ones those are in the commit message).
• My commit message includes data points confirming performance improvements (if claimed).
• My PR is restricted to a single feature or bugfix.
• White-space or formatting changes outside the feature-related changed lines are in commits of their own.

[smowton]

Justify 33

[smowton]

get(ID_value) -> to_constant_expr(...).get_value()

[smowton]

Don't parse directly, use numeric_cast_v (

cbmc/src/util/arith_tools.h

Line 149 in 7bbef4a

Target numeric_cast_v(const constant_exprt &arg)

)

[smowton]

Don't set value, use from_integer (

cbmc/src/util/arith_tools.h

Line 160 in 7bbef4a

constant_exprt from_integer(const mp_integer &int_value, const typet &type);

)

[smowton]

Line break after }

[smowton]

Similarly this use of starting-index

[smowton]

Use arith-tools

[smowton]

Use arith-tools

[smowton]

Wrong comment

[smowton]

Given you check the sizes are equal, so this is not a prefix check, surely this is just first_value == second_value

[smowton]

Also, tests: these currently only look at the cases where you do expect a change. Make sure to exercise the cases where there should not be a simplification / constant propagation, and to exercise optional arguments like the starting-index for String.find / findLast

[danpoe]

The tests should also check that constant propagation computes the right result in addition to that there are 0 remaining VCCs after symex.

[danpoe]

Should be it = operands.erase(it)

[JohnDumbell]

Don't think it makes a difference the way I'm using it here though?

[danpoe]

It might work though according to the documentation it becomes invalid when calling erase(it). So I'd say it's safer to use the returned iterator.

[smowton]

+1, it's just luck that it works here based on how std::vector's iterators happen to work (i.e. being pointers to the data array, and the array not usually being reallocated on an erase). How about

auto expr_is_space = [](const exprt &e)
{
  const auto &constant_value = to_constant_expr(*it);
  return numeric_cast_v<int>(constant_value) <= ' ';
}

while(!operands.empty() && expr_is_space(operands.front()))
  operands.erase(operands.begin());
while(!operands.empty() && expr_is_space(operands.back()))
  operands.erase(operands.rbegin().base());

[danpoe]

Thinking about it the current implementation has n^2 worst case runtime due to the repeated shifting of the vector when erasing elements at the beginning. It might be better to use find_if() to get iterators to the first and last non-space characters, and then copy that segment to a new vector (instead of making a copy of the original vector and then modifying it).

[JohnDumbell]

Sure, modified.

[danpoe]

We should remove whitespace characters other than space as well. Also a space is 20 in hex not in decimal.

[danpoe]

The erase(it.base()) invalidates the iterator it.

[danpoe]

propogate -> propagate

[danpoe]

proagate -> propagate

[danpoe]

Can use try_evaluate_constant() instead which does the lookup in the propagation map and returns an optional constant_exprt.

[danpoe]

Since --show-vcc is used, the test only prints the VCCs and checks that we have 0 remaining VCCs after symex. We also need to check though that constant propagation does compute the correct result. We should leave off --show-vcc and check that verification succeeded. (also for the other tests)

Also we should check the negative cases, i.e. here if a string doesn't contain another string.

[JohnDumbell]

Applied all comments and added more tests.

[smowton]

Main comment: the tests for negative cases shouldn't just be positive cases with a ! at the start, they should test cases where we give a proper negative response, such as equalsIgnoreCase("abc", "ADC"), for as many different reasons as our code has reasons to reject the comparison (searched-for string too short and contains a mismatch seem like the obvious ones). The goal is to make sure it doesn't accidentally fire every time. Where there are optional index restrictions as for String.compareTo make sure there are cases where the restriction is the reason for it not to work -- e.g. String.lastIndexOf("abc", "abc") == 0 but String.lastIndexOf("abc", "abc", 1) == -1

[smowton]

This doesn't really test anything more than contains, except that operator! is working -- instead I think you should test some cases where contains should return false. assert !str.contains("fgh"), assert !str.contains("abcdef"), and so on -- things that should evaluate to false for different reasons.

[smowton]

As a non-noprop case I expect these should be decided by the simplifier

[JohnDumbell]

These cases usually resolve in a VCC but with a directly false guard somewhere. Might be to do with building a trace? Always been like this when I've tested and just assumed that's how things were.

[smowton]

As above, test some real negatives, not just verification success vs. failure

[smowton]

Should be decided

[smowton]

Careful, Java chars are 16-bit. It's fine if we only treat ASCII for now, but we should decline to const-prop when we're dealing with e.g. strings of Greek letters, which do have case-change semantics but aren't handled by 8-bit islower etc

[JohnDumbell]

Fair point!

[smowton]

Honestly these are 16-bit ints as far as CBMC is concerned, I'd use from_integer rather than hope you get the expected formatting for constant_exprt's value member

[smowton]

Like this for example:

cbmc/src/solvers/strings/string_constraint_generator_code_points.cpp

Line 40 in 73e410a

exprt hexD800 = from_integer(0xD800, type);

[smowton]

I'm still surprised you're looking for the ID of the expression not the type or the signature of the called function, though. What's going on there, why couldn't a symbol_exprt get passed to the other overload?

[JohnDumbell]

Never did in any of my testing, but yes, it's fragile. I've changed it to check for the signature instead, which is also fragile, just in different ways.

I'll get around to adding the other overload if I have time.

[smowton]

+1, it's just luck that it works here based on how std::vector's iterators happen to work (i.e. being pointers to the data array, and the array not usually being reallocated on an erase). How about

auto expr_is_space = [](const exprt &e)
{
  const auto &constant_value = to_constant_expr(*it);
  return numeric_cast_v<int>(constant_value) <= ' ';
}

while(!operands.empty() && expr_is_space(operands.front()))
  operands.erase(operands.begin());
while(!operands.empty() && expr_is_space(operands.back()))
  operands.erase(operands.rbegin().base());

[smowton]

Again, watch out that you're restricting to ASCII here and refuse to const-prop anything outside that range, since we don't have a C++ widget with the same case semantics as Character.toUpperCase

[romainbrenguier]

I only reviewed until Add String.lastIndexOf(...) but some of the comments could apply to the following commits as well

[romainbrenguier]

use std::find_if

[romainbrenguier]

use curly braces {}

[JohnDumbell]

Where would those go? (And curious about why)

[romainbrenguier]

const array_typet new_char_array_type{char_type, new_char_array_length};
it's the preferred way of constructing an object, here are some reasons why https://stackoverflow.com/questions/18222926/why-is-list-initialization-using-curly-braces-better-than-the-alternatives

[romainbrenguier]

use std::find_if

[romainbrenguier]

can this be marked const or even static? 🌵

[romainbrenguier]

🚫 should use numeric_cast_v<unsigned char> or if unavailable narrow

[romainbrenguier]

why hex_value? this is actually an exprt

[romainbrenguier]

Use ternary if to define starting_offset and make it const. Avoid using auto when the type is not explicit.

[romainbrenguier]

should return -1 in the other case no? 🍊

[JohnDumbell]

Would think so, but no, the other case works fine without it. Assume it's notched along +1 due to the way the reverse iterator works.

Edit: Yeah, something's off with the way the reverse iterator works in this instance, swapped it to use find_end instead.

[romainbrenguier]

🍊

[romainbrenguier]

🚫 check the type of the arguments instead

[smowton]

I don't think this should block, either one achieves what's needed

[romainbrenguier]

that's java specific code in symex

[smowton]

Doh, right, sure. Use the types, as Romain said.

[romainbrenguier]

replace(char, char)

[romainbrenguier]

⛏️ missing new line

[romainbrenguier]

const or can be inlined in the next expression

[romainbrenguier]

numeric_cast_v if possible otherwise use narrow, but actually the next operation doesn't require a char and could directly be done on an mp_integer

[romainbrenguier]

⛏️ inline below

[romainbrenguier]

⛏️ used only once, can be inlined below

[romainbrenguier]

🚫 this seems wrong, if there is no character which is not a whitespace, then the result should be empty

[smowton]

This actually is producing an empty string, but it's not obvious (end_iter must have traversed the whole string too, and so equals operands.begin()). Suggest instead do

exprt::operandst new_operands;
if(start_iter != operands.end())
  new_operands = exprt::operandst{start_iter, end_iter.base()};

[JohnDumbell]

Added more tests, added in both character/string replace, did general clean-up pass. If you want any more tests please just list the specific ones.

[codecov-io]

Codecov Report

Merging #5129 into develop will decrease coverage by 0.01%.
The diff coverage is 100%.

@@             Coverage Diff             @@
##           develop    #5129      +/-   ##
===========================================
- Coverage    67.03%   67.01%   -0.02%     
===========================================
  Files         1149     1147       -2     
  Lines        94030    94042      +12     
===========================================
- Hits         63033    63025       -8     
- Misses       30997    31017      +20

Flag	Coverage Δ
#cproversmt2	42.59% <0%> (-0.12%)	⬇️
#regression	63.51% <100%> (-0.01%)	⬇️
#unit	31.89% <2.25%> (-0.07%)	⬇️

Impacted Files	Coverage Δ
src/goto-symex/goto_symex.h	92.3% <ø> (ø)	⬆️
src/util/simplify_expr.cpp	87.52% <100%> (+0.7%)	⬆️
src/goto-symex/goto_symex.cpp	99.71% <100%> (+0.07%)	⬆️
src/goto-instrument/cover_instrument_other.cpp	63.63% <0%> (-32.2%)	⬇️
...rs/strings/string_constraint_generator_testing.cpp	91.86% <0%> (-8.14%)	⬇️
...bmc/src/java_bytecode/java_static_initializers.cpp	99.11% <0%> (-0.89%)	⬇️
src/solvers/strings/string_refinement.cpp	87.84% <0%> (-0.69%)	⬇️
...lvers/strings/string_constraint_generator_main.cpp	83.33% <0%> (-0.58%)	⬇️
src/goto-symex/symex_goto.cpp	96.1% <0%> (-0.45%)	⬇️
src/util/std_expr.h	89% <0%> (-0.23%)	⬇️
... and 26 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 633d67a...bdde675. Read the comment docs.

[allredj]

✔️
Passed Diffblue compatibility checks (cbmc commit: 2fe2434).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/130009103

[smowton]

Non-blocking suggestions

[smowton]

Might want to note why this one doesn't work, either here or in a comment in the java file

[smowton]

Duplicate of replace

[JohnDumbell]

One takes 2 characters, other takes 2 strings.

[smowton]

Larger and Smaller names the wrong way around here

[smowton]

Again mention the missing support, either here or inline in the java file

[smowton]

Surprising! Pi should be affected by the real JDK method; is our models lib wrong here?

[romainbrenguier]

the builtin upper_case and lower_case are only correct for a (small) subset of unicode (I think ascii and latin-1 supplement) so this is incorrect but expected. It sould be marked as knownbug.

[smowton]

Main ways, or ways? Is there a third unusual one?

[smowton]

INVARIANT that the types are as you expect (String, String by the sounds of it)

[smowton]

This actually is producing an empty string, but it's not obvious (end_iter must have traversed the whole string too, and so equals operands.begin()). Suggest instead do

exprt::operandst new_operands;
if(start_iter != operands.end())
  new_operands = exprt::operandst{start_iter, end_iter.base()};

[smowton]

"If our entire string is empty" -> "If the entire string is whitespace"

[smowton]

"first match you find" -> "always found at the first searched position"?

[JohnDumbell]

@romainbrenguier Mind having another look and seeing if you're blocking issue is dealt with?

[romainbrenguier]

Add a precondition for f_type.domain().size() == 2

[romainbrenguier]

"to"?

[romainbrenguier]

the builtin upper_case and lower_case are only correct for a (small) subset of unicode (I think ascii and latin-1 supplement) so this is incorrect but expected. It sould be marked as knownbug.

[romainbrenguier]

precondition

[romainbrenguier]

precondition

[romainbrenguier]

🌵

blocking comments addressed

[allredj]

✔️
Passed Diffblue compatibility checks (cbmc commit: b5d8053).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/130056711

[allredj]

✔️
Passed Diffblue compatibility checks (cbmc commit: bdde675).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/130408178

[allredj]

✔️
Passed Diffblue compatibility checks (cbmc commit: db1f844).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/130783671