Add support to ignore suppress pragma #95
Conversation
gnat2goto/driver/tree_walk.adb
Outdated
| Name_Unsuppress | | ||
| Name_Volatile | | ||
| Name_Volatile_Components => | ||
| -- These pragmas are currently ignored |
There was a problem hiding this comment.
I would need to go through the Appendix but I don't think it is safe to ignore all of these.
There was a problem hiding this comment.
At the very least the elaboration related pragmas can have an impact on the semantics of an Ada program.
|
@xbauch Please see the original issue for a clarification of exactly what is needed. I don't think much of a change is needed. |
|
@martin-cs I went through the documentation, added notes and separeted some cases as unsupported for now. |
| (if Which in Pragma_Assert | Pragma_Loop_Invariant | ||
| then I_Code_Assert else I_Code_Assume); | ||
| (if Which in Pragma_Assume | ||
| then I_Code_Assume else I_Code_Assert); |
There was a problem hiding this comment.
This is OK for now but note the open issue on changing these to function calls rather than direct assert / assume.
| Name_Assert_And_Cut | | ||
| -- Assert and introduce a cut point: the prover can safely forget | ||
| -- evaluations of local variables and only assume the asserted | ||
| -- condition. This could be used in symex (making it concolic) |
There was a problem hiding this comment.
I don't see the link to concolic TBH. Cut points will be handled very differently in this system.
There was a problem hiding this comment.
I thought that concolic execution alternates between symex and concrete steps (selecting one evaluation) from which another symex is started. After cut point we continue with only those evaluation satisfying the assertion. It sounds similar to me.
There was a problem hiding this comment.
It's an interesting thought. In this context, cut points are meant in the VC generation / Floyd-Hoare style verification sense. In terms of symbolic execution this would be like throwing away the symbolic environment (havocing / non-det-ing all variables) and replacing the path condition with just the assertion. It is an over-approximation step but it is the key thing that makes Floyd-Hoare style verification scalable.
| Name_Refined_Depends => | ||
| -- We are effectively ignoring the refinement at this point | ||
| -- Using it would (probably) require modification to CBMC |
There was a problem hiding this comment.
These should be handled as a "recognised but unsupported pragma" rather than being ignored.
There was a problem hiding this comment.
Ok, but we won't be able to run gnat2goto on pretty much any Spark code.
There was a problem hiding this comment.
Really? Unless the pragma is used for something else, the refinement things that old-SPARK used to do weren't that commonly used.
There was a problem hiding this comment.
Well at least some of the repositories we're considering to for integration testing that use Spark use refining, but maybe not all of them.
There was a problem hiding this comment.
Thanks for the head's up; let's solve that problem when we come to it. My understanding was that pragma refine* was a SPARK 2014 construct, rather than an old-SPARK construct and I think much of the code we have planned for integration testing is old-SPARK.
gnat2goto/driver/tree_walk.adb
Outdated
| when Name_Postcondition => | ||
| -- Postcondition will eventually also be translated into | ||
| -- assertions but they should hold elsewhere from where they are | ||
| -- defined and they refer to 'Result variables |
There was a problem hiding this comment.
Fair point. I'd rather this was next to the entry for precondition as the handling for them will be similar.
There was a problem hiding this comment.
Will it? I though we could deal with precondition as with any other assertion.
There was a problem hiding this comment.
... they should eventually become a function call, which we may want to translate into just an assertion, or something else.
The way SPARK uses pre and post conditions is that they are a check (a CPROVER style assert), a cut (as above) and an assume (CPROVER style). Preconditions are assert in the caller, and assume in the callee, postconditions are assert in the callee and assumer in the caller. This allows modular decomposition of the verification process.
Although CPROVER has some support for this kind of thing, we won't be using it by default. So, treat pre and post together and they will become function calls which may then just become asserts, or something more complex.
gnat2goto/driver/tree_walk.adb
Outdated
| Name_Volatile_Components => | ||
| -- For a volatile object all reads and updates of the object as a | ||
| -- whole are performed directly to memory. It changes the | ||
| -- semantics wrt to thread interleavings. |
There was a problem hiding this comment.
( Comment not action ) It is also very important to recognise volatile variables during symbolic execution as they are effectively a different variable each time they are accessed.
There was a problem hiding this comment.
Even in sequential execution? Do we account for an external system to modify volatile variables (in Ada)?
There was a problem hiding this comment.
Yes. Hardware, inter-process shared memory, DMA, etc.
|
@xbauch Thank you for going above and beyond in classifying the pragmas and giving appropriate handling for each. I have a few changes that I would like to these; mostly of the form "Ignoring this is probably the thing to do but at the moment I would like to be warned if these are used". |
|
@martin-cs I changed the wording and re-classified some of the pragmas as requested in the comments. I left the changes in a separate commit (easier reviewing), to be squashed once approved. |
gnat2goto/driver/tree_walk.adb
Outdated
| "Unsupported pragma: Volatile"); | ||
| when Name_Attach_Handler => | ||
| -- The expression in the Attach_Handler pragma as evaluated at | ||
| -- object creation time specifies an interrupt. s part of the |
gnat2goto/driver/tree_walk.adb
Outdated
| -- initialization of that object, if the Attach_Handler pragma is | ||
| -- specified, the handler procedure is attached to the specified | ||
| -- interrupt. A check is made that the corresponding interrupt is | ||
| -- not reserved. We do nut support that check yet. |
gnat2goto/driver/tree_walk.adb
Outdated
| CEE := Expressions (Component_Expression); | ||
| Scope_Size := List_Length (CEE); | ||
| else | ||
| Report_Unhandled_Node_Empty (N, "Do_Pragma_Suppress", |
There was a problem hiding this comment.
Message should be "Do_Pragma_Refine" ?
There was a problem hiding this comment.
Many thanks @xbauch for the abundant comments on the pragma types. Some minor typos I've nitpicked on.
There were a few internal sections (Handle_Arg) seem a bit voodoo - I can see how these were handled in the pragma assert, not sure of the differences in the suppress and refine implementations or the rationale.
Maybe a few comments on such in the future? Might cut down on review time.
Regardless, I don't want to get in the way of what's a great body of work, although some sections (as mentioned above) I'm uncertain of without further digging.
|
|
||
| begin | ||
| Iterate_Args (N_Orig); | ||
| if Scope_Size >= 1 |
There was a problem hiding this comment.
this is essentially equivalent to the use of "if 1" (always true) ?
I guess a scope of size 0 does not make sense.
Basically into four categories: 1) supported 2) future support 3) ignored -- no semantic effect 4) not supported
|
@sonodtt thanks for finding the types and pointing to the lack of documentation, I've added a bit about iterating over pragma parameters. |
Very initial PR at this stage (in terms of full pragma coverage); I think most of those pragmas will be ignored for some time. Pre/post-condition should be implemented if we want to compare to Spark.