Testsuite/arrays

[xbauch]

Building on #79 (thus only the last commit is new) this fixes the arrays test to the point that CBMC parses it. The symex takes a lot of time though.

[sonodtt]

Approved with remarks. - update: blocked -

[sonodtt]

I don't see any use of Alloc_Symbol.Value (so no body?) - or further use of Alloc_Symbol.
Just flagging this.
Not enough gnat2goto experience to say if this is likely a problem going forward.

[xbauch]

Here CBMC was complaining that __new__array is not in the symbol table, but it only needed declaration: the definition is in the builtin functions. So I thought the body would be ignored anyway.

[sonodtt]

FYI. Mostly for future stuff. No big deal - but I get this on the cbmc side:
"**** WARNING: no body for function __new_array"
I think an empty body will do? (this will pass the goto-program validation) - what happens is that if a function is declared but not called (no fn pointer taken etc), then it would not go into the goto-program function_map (nb I havent' verified symbol-table but I think this points to same behaviour). When it is used in any fashion (not just called, e.g. function address is taken to initialise a fn pointer) - then an empty body gets created even when there is only a declaration visible in the sourcecode.
Just a FYI for context - of behaviour that I came across in goto-program validation. So empty body should suffice (fingers crossed).
I'd say this can be fixed later - it is just a warning. ( /opinion )

[xbauch]

Empty body might do, but I'm not sure how to create one in gnat2goto. Make_Nil results in the same warning and New_Irep (I_Code_Block) breaks CBMC.

[sonodtt]

Ok. Thanks for extra effort + info - will look into it as part of the array epic.

[sonodtt]

Have not seen use of aligned name parameters elsewhere - and surprised this passes the compiler?
If it passes, fine, but there's no precedent for this code style.
Nitpick.

[xbauch]

Not sure, but GPS provides this layout as a part of it's auto-completion. I mostly like it, but it can get very verbose sometimes.

[chrisr-diffblue]

I've seen this code style in other parts of GNAT.

[sonodtt]

Lhs_fun_call is set to the LHS of the returned duplicator function. Not sure why it needs that on top of the function return value (?) It's all a bit voodoo...

[xbauch]

I though about it a bit, and it sort of makes sense, i.e. to require function calls to have left-hand sides. Even if a function has a return value, if we didn't store it in the lhs, it would get lost.

[sonodtt]

Hmm. You're saying as a temporary. I think this could therefore be implicit in the make_code_function_call bla bla function.
The return value would be assigned at the call location - or the function can be called for its side effects (temporary not needed).
But nevermind. If that's how it is - that's how it is.

[xbauch]

I find it unfortunate that the relevant Irep does not require the lhs given that CBMC will fail. I'm not sure if make-function-call is the only place a function can be created, but yes: you are right.

[NlightNFotis]

What is q here?

[xbauch]

It's probably an emacs thing.

[sonodtt]

PR will require additional work to fix the non-terminating loop unrolling in goto-symex. This is WIP by @sonodtt.

[sonodtt]

PR will require additional work to investigate and fix issue w.r. to error
"raised CONSTRAINT_ERROR : Symbol_Table_Info.Symbol_Maps.Insert: attempt to insert key already in map"
Minimal reproduction: define an array of int and also an array of floats.
Investigation WIP by @sonodtt - as part of the general 'fix array stuff' https://diffblue.atlassian.net/browse/ADA-223

[xbauch]

Now builds on #91 --> only review the last two commits.

[hannes-steffenhagen-diffblue]

This needs a lot of cleanup before being merged, i.e. removing "note" type comments, removing unrelated changes, removing commented out code and getting changes into a logical order.

[hannes-steffenhagen-diffblue]

This appears to be unrelated to arrays?

[xbauch]

Removed.

[hannes-steffenhagen-diffblue]

why is commented out code being added here?

[xbauch]

Sorry, removed.

[hannes-steffenhagen-diffblue]

Probably shouldn't be a magic number, but for now we're probably alright in most circumstances. I can think of a few ways to make this more robust, but none of them are particularly nice. I'd just keep a reminder comment in here for now pointing out that this is an assumption, and moreover one that doesn't necessarily hold for target platforms...

[hannes-steffenhagen-diffblue]

Commented out code?

[xbauch]

Removed.

[hannes-steffenhagen-diffblue]

Commented out code?

[xbauch]

Well there were two versions and we wanted to get opinions as to which would be better. I removed the less generic version.

[hannes-steffenhagen-diffblue]

Commented out code?

[xbauch]

Removed.

[hannes-steffenhagen-diffblue]

No, this should probably go into driver.adb or something. I don't think it makes sense to do this once per compilation unit.

[xbauch]

Moved.

[hannes-steffenhagen-diffblue]

Why 32 if we hardcoded size_t to 64 bits?

[xbauch]

Changed.

[hannes-steffenhagen-diffblue]

What does this fail with?

[xbauch]

Somewhere in symex flattening. #108

[xbauch]

@hannes-steffenhagen-diffblue I split it a bit more meaningfully (the last 7 commits belong here).

[xbauch]

@sonodtt and @hannes-steffenhagen-diffblue this is now ready for another set of review. I've only added the malloc size fix and a failing test.

[sonodtt]

Nitpick. Rename to Arr3 and Actual3? (or just Arr and Actual)

[xbauch]

Done.

[sonodtt]

I'm not sure we should be removing the body of the old array tests, which documents what was intended to pass as a minimal based on expected state of gnat2goto.
Sure, it fails, in multiple locations, atm. But we can keep it around as a failing test?
You'll need a test that passes - which you have now have so I'd suggest naming the new test e.g. "write_to_array_element.adb"

[sonodtt]

Approved - subject to consensus on tests.

[chrisr-diffblue]

I agree with @sonodtt - we shouldn't be removing tests which currently fail. A better approach would be to split the tests into several parts, then XFAIL the ones that currently fail.

[sonodtt]

If we preserve this line (I'm in favour), then lowercase (and remove 'new')?

[xbauch]

Done.

[hannes-steffenhagen-diffblue]

This is dealing with the main problem we've been having

[hannes-steffenhagen-diffblue]

I've been wondering - isn't this basically just memcpy? We do model that, for instance a C-program like this:

#include <string.h>
#include <assert.h>
#include <stdlib.h>

int main(void) {
  const int array_size = 10;
  int *arr = malloc(sizeof(int) * array_size);
  int *arr_copy = malloc(sizeof(int) * array_size);
  for(int i = 0; i < array_size; ++i) {
    arr[i] = i;
  }
  memcpy(arr_copy, arr, sizeof(int)*array_size);
  for(int i = 0; i < array_size; ++i) {
    assert(arr_copy[i] == i);
  }
}

can be verified just fine. I understand you were having troubles with this function, so maybe that can be mitigated this way? (i.e. you should be able to just call it the same way you deal with malloc)

[xbauch]

will try, ta.

[hannes-steffenhagen-diffblue]

Is this the bit that's triggering your problems with array_copy on the assign/read task? What if you leave it off, i.e. leave Actual7 uninitialized like this: Actual7 : Arr7;?

[xbauch]

It helped a bit, ta.

[xbauch]

@chrisr-diffblue I've reverted the removal of the original test, adding a new, passing one.