Java: make null-pointer and similar checks fatal #2191
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
smowton
requested review from
cesaro,
chrisr-diffblue,
kroening,
martin-cs,
mgudemann,
peterschrammel,
tautschnig and
thk123
as code owners
|
This will need a test-gen bump once test-gen#1794 is in. |
tautschnig
reviewed
May 17, 2018
| /// \param loc: original source location | ||
| /// \param comment: human-readable assertion description | ||
| /// \param property_class: assertion property class | ||
| static source_locationt with_assertion_description( |
There was a problem hiding this comment.
Possibly useful, but please make this more generally available. On quick inspection almost every place that git grep -n set_comment highlights could benefit from this.
There was a problem hiding this comment.
I don't think that makes the code more readable.
src/util/assert_or_die.h
Outdated
|
|
||
| #include "std_code.h" | ||
|
|
||
| codet create_assert_or_die(const exprt &condition, const source_locationt &loc); |
There was a problem hiding this comment.
- I think
expr_utilorstd_codeare perfectly good places to put this, no need for a new file. - Be specific about the return type. There is no need to hide the fact that it returns a
code_blockt. - I'm not sure I like the name. How about
aborting_assert?
smowton
force-pushed
the
smowton/feature/java-fatal-assertions
branch
from
95a99fc to
730d9d4
Compare
|
@tautschnig @peterschrammel changes applied, please re-review. |
smowton
force-pushed
the
smowton/feature/java-fatal-assertions
branch
from
730d9d4 to
4ece6fd
Compare
tautschnig
approved these changes
May 17, 2018
| result.copy_to_operands(code_assertt(condition)); | ||
| result.copy_to_operands(code_assumet(condition)); | ||
| for(auto &op : result.operands()) | ||
| op.add_source_location() = loc; |
There was a problem hiding this comment.
How about:
code_blockt result;
result.add(code_assertt(condition), loc);
result.add(code_assumet(condition), loc);
or (leaving the loop intact)
code_blockt result({code_assertt(condition), code_assumet(condition)});
martin-cs
approved these changes
May 17, 2018
|
This has exposed some probably unrelated test failures. To investigate. |
smowton
force-pushed
the
smowton/feature/java-fatal-assertions
branch
from
4ece6fd to
598b3d7
Compare
|
The problem was another fragile string solver test that required some luck to test; it was failing because the md5sum of the binary changed / moon wasn't aligned with Saturn, rather than due to the actual change introduced here.. I've hardened the test, hopefully now this will pass CI. |
peterschrammel
approved these changes
May 18, 2018
smowton
force-pushed
the
smowton/feature/java-fatal-assertions
branch
from
0285250 to
c2fc85e
Compare
These previously used code_assertt, which asserts but then continues -- this changes them to use assert(condition); assume(condition), which ensures subsequent code is not executed in conditions which are in practice impossible. With --java-throw-runtime-exceptions this is irrelevant, as a real exception is raised and the conditional GOTO guarding the throw has the same effect as the assume.
This test previously checked that the *sum* of the arguments' sizes didn't exceed some critical bound, but this didn't exclude the case where one of them is just within bounds (but still long enough to cause a memout when we try to concretise it) and the other just long enough to push the sum over the boundary. Instead we'll check that one or the other is very long, and the other one acceptably short.
smowton
force-pushed
the
smowton/feature/java-fatal-assertions
branch
from
c2fc85e to
48e5b25
Compare
|
BTW, related to this, I would be strongly in favour of making --java-throw-runtime-exceptions the default for jbmc. The Java semantics is very clear on these, this isn't the same situation as in C. There can be a --java-runtime-exceptions-block or the like. |
kroening
approved these changes
May 20, 2018
|
@kroening as a prereq to --java-throw-runtime-exceptions we need to get a lot better at modelling control flow, otherwise a lot of implausible exceptional flows blur symex's certainty about the state of the world and the formula grows remarkably. |
|
@smowton, could using https://github.com/diffblue/cbmc/blob/develop/src/analyses/goto_check.cpp#L1478 improve the situation (at least for NPEs)? |
NathanJPhillips
pushed a commit
to NathanJPhillips/cbmc
that referenced
this pull request
Aug 22, 2018
31ef182 Merge pull request diffblue#2208 from diffblue/cleanout-goto-programs 0e84d3e Merge pull request diffblue#2195 from smowton/smowton/feature/smarter-reachability-slicer c801126 Merge pull request diffblue#2209 from diffblue/travis-no-osx-g++ 3487bf7 Reachability slicer: mark reachable code more precisely 85e8451 Merge pull request diffblue#2066 from tautschnig/bv-endianness 5e5eafb Merge pull request diffblue#2191 from smowton/smowton/feature/java-fatal-assertions 8a68ab8 remove g++ build on OS X; this is identical to the clang++ build 48e5b25 Amend faulty long-string test 3f718ba Java: make null-pointer and similar checks fatal 821eb1d remove basic_blocks and goto_program_irep d87c2db Merge pull request diffblue#2203 from diffblue/typed-lookup d77dea3 strongly type the lookup() methods in namespacet 2382f27 Merge pull request diffblue#2193 from martin-cs/feature/correct-instruction-documentation c314272 Merge pull request diffblue#2181 from diffblue/format-expr-constants 514a0a5 Merge pull request diffblue#2167 from diffblue/parse_unwindset_options 0102452 move escape(s) to string_utils f1b6174 use unwindsett in goto-instrument dcc907a introduce unwindsett for unwinding limits 10aeae8 format_expr now does index, c_bool constants, string constants 92b92d6 Correct the documentation of ASSERT : it does not alter control flow. a11add8 Expand the documentation of the goto-program instructions. a06503b Merge pull request diffblue#2197 from tautschnig/fix-help 05e4bc3 Remove stray whitespace previously demanded by clang-format 3261f4d Fix help output of --generate-function-body-options 7c67b23 Merge pull request diffblue#2110 from tautschnig/type-mismatch-exception 18fb262 Merge pull request diffblue#2025 from tautschnig/stack-depth-fix 9191b6a Merge pull request diffblue#2199 from tautschnig/simplifier-typing f99e631 Merge pull request diffblue#2198 from tautschnig/fix-test-desc 1a79a11 stack depth instrumentation: __CPROVER_initialize may be empty a7690ba Merge pull request diffblue#2185 from smowton/smowton/fix/tolerate-ts18661-types fc02e8f Restore returns before writing the simplified binary 49333eb Make restore_returns handle simplified programs 46f7987 Fix perl regular expressioons in regression test descriptions 9fe432b Merge pull request diffblue#1899 from danpoe/sharing-map-catch-unit-tests 9cc6aae Merge pull request diffblue#2081 from hannes-steffenhagen-diffblue/floating_point_simplificiation da19abe Tolerate TS 18661 (_Float32 et al) types a055454 Try all rounding modes when domain is unknown 5f7bc15 Add float support to constant propagator domain 3dc2244 Move adjust_float_expressions to goto-programs 06d8bea Merge pull request diffblue#2187 from diffblue/move-convert-nondet 6d8c3fa Merge pull request diffblue#2189 from thk123/bugfix/json-parser-restart 2ad157f Merge pull request diffblue#2186 from smowton/smowton/fix/call-graph-uninit-field cd54ad7 Corrected state persistence in the json parser 4447be0 Fix uninitialised collect_callsites field in call_grapht ead0aa3 Merge pull request diffblue#2188 from smowton/smowton/fix/init-string-types-without-refine-strings 57988fc Fix String type initialisation when --refine-strings is not active 6a76aff Move convert_nondet to java_bytecode ac6eb21 Merge pull request diffblue#1858 from danpoe/dependence-graph-fix 10b8b09 Merge pull request diffblue#2011 from thomasspriggs/final_classes a154593 Merge pull request diffblue#2087 from danpoe/feature/small-map 7002909 More dependence graph tests 66263ea Make dependence graph merge() return true when abstract state changes 3aa6dca Control dependency computation fix a408423 Simplified state merging in the dependence graph 0315816 Merge pull request diffblue#2180 from thomasspriggs/json_id2string 8941567 Merge pull request diffblue#2124 from smowton/smowton/feature/fallback-function-provider cd04e70 JBMC: use simple method stubbing pass a6b2cda Add Java simple method stubbing pass ec1127c Lazy goto model: hook for driver program to replace or stub functions b6a4382 Remove `id2string` from inside calls to the `json_stringt` constructor. b673ebb Add storage of final modifier status of java classes in `java_class_typet`. a2ad909 Small map 808dade Provide suitable diagnostics for equality-without-matching-types 89cf6fe Throw appropriate exceptions when converting constraints 2ae66c2 Produce a proper error message when catching a std::runtime_error at top level e7b3ade Workaround for Visual Studio loss of CV qualifier bug 1f661f5 Move sharing map and sharing node unit tests to util 47463a3 Use std::size_t instead of unsigned in the sharing map 3e22217 Sharing map documentation e54f740 Fix sharing map compiler warnings bcc489c Move sharing map unit tests to catch 34114b8 Use a specialised endianness map for flattening git-subtree-dir: cbmc git-subtree-split: 31ef182
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
These previously used code_assertt, which asserts but then continues -- this
changes them to use assert(condition); assume(condition), which ensures subsequent
code is not executed in conditions which are in practice impossible.
With --java-throw-runtime-exceptions this is irrelevant, as a real exception is raised
and the conditional GOTO guarding the throw has the same effect as the assume.