Fix empty PVL enums causing verification failure #1248
base: dev
Conversation
The PVL grammar (but not other front-ends) allows writing enumerations with no constants:

```
enum Empty { }
```

However, the toIntRange axiom that the `EnumToDomain` pass encodes for such an enum doesn't obviously hold, which causes verification to fail. For instance:

```
axiom (\forall Empty i; 0 <= {: empty1(i) :} && empty1(i) < 0);
```

This change makes it so that this axiom is omitted for empty enums.
This is a decent hotfix. The only thing I'm wondering about is whether it should actually be stronger, i.e. if you have an instance of EmptyEnum you should be able to prove false:
I'm not sure how to encode that without viper/z3 picking up this fact without even mentioning
Actually, you can also assign
Would you mind trying this change out? It's especially important that it doesn't make (false) asserts in unrelated methods suddenly pass, but with the null check in place that should be fine.
Thanks for taking a look! It looks like the fact that enums can be null is encoded as an
Indeed it would be nice if VerCors could prove no instances of
With the suggested change, a number of tests break (both Java and PVL). If I try to verify the program from above, the axiom becomes:
I get:
I can find
You can still refer to another type (i.e.
That warning comes from the decreases clauses on these functions. Recently those were changed to no longer count as preconditions for this check, but we haven't changed to that Viper version yet; it's fine to ignore those warnings for now.
Also adds a test that a snippet like the above should verify.
Front-ends are unchanged; for example, the Java frontend still rejects empty enums.
Pre-fix crash log for reference
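To make the problem this PR describes concrete, the following is an added toy model of the encoding, not VerCors code: it emits a Viper-style domain for an enum (one nullary function per constant, a `toInt` function, one axiom pinning each constant's integer, and the `toIntRange` axiom) and then brute-forces whether those axioms admit a finite model. The names `toInt_<Enum>`, `<Enum>_<CONST>` and `toIntRange_<Enum>` and the Viper-like surface syntax are assumptions for illustration; the real `EnumToDomain` pass is written in Scala and names and phrases things differently. The check is the point of the example: SMT sorts are never empty, so for `enum Empty { }` the pre-fix axiom `0 <= toInt(i) && toInt(i) < 0` has no model at all, which makes every assertion in the program vacuously provable, exactly the "(false) asserts in unrelated methods suddenly pass" worry raised in the thread. Omitting the axiom for an empty enum restores a consistent domain.

```python
# Added example, not VerCors code: a toy model of the EnumToDomain encoding
# discussed in this PR. toInt_<Enum>, <Enum>_<CONST> and toIntRange_<Enum> are
# assumed names; the real pass (Scala) differs in detail.
from dataclasses import dataclass, field
from itertools import product


@dataclass
class EnumDecl:
    name: str
    constants: list = field(default_factory=list)


def encode_enum(e: EnumDecl, omit_range_axiom_when_empty: bool = True) -> str:
    """Emit a Viper-style domain for e. With the fix (the default) the toIntRange
    axiom is dropped when the enum has no constants; pass
    omit_range_axiom_when_empty=False to see the pre-fix output."""
    n = len(e.constants)
    f = f"toInt_{e.name}"
    out = [f"domain {e.name} {{"]
    for c in e.constants:
        out.append(f"  function {e.name}_{c}(): {e.name}")
    out.append(f"  function {f}(v: {e.name}): Int")
    for k, c in enumerate(e.constants):
        out.append(f"  axiom toInt_{e.name}_{c} {{ {f}({e.name}_{c}()) == {k} }}")
    if n > 0 or not omit_range_axiom_when_empty:
        # For n == 0 this reads "0 <= toInt(i) && toInt(i) < 0": false for every i.
        out.append(f"  axiom toIntRange_{e.name} {{ forall i: {e.name} :: "
                   f"0 <= {f}(i) && {f}(i) < {n} }}")
    out.append("}")
    return "\n".join(out)


def has_finite_model(e: EnumDecl, carrier_size: int = 1,
                     omit_range_axiom_when_empty: bool = True) -> bool:
    """Brute-force consistency check of the same axioms over a finite carrier.
    SMT sorts are never empty, so the domain has at least one element even when
    the enum has no constants. Returns True iff some interpretation of the
    constants and of toInt satisfies every emitted axiom. An inconsistent domain
    is the dangerous case: every assertion, including `assert false` in an
    unrelated method, becomes vacuously provable."""
    if carrier_size < 1:
        raise ValueError("SMT sorts are non-empty: carrier_size must be >= 1")
    n = len(e.constants)
    carrier = range(carrier_size)
    emit_range = n > 0 or not omit_range_axiom_when_empty
    # toInt values are searched in a small window around [0, n). It contains every
    # value the range axiom allows, and is non-empty when that axiom is absent, so
    # a model is found whenever one exists under these axioms.
    int_window = range(-1, n + 1)
    for elems in product(carrier, repeat=n):
        const_of = dict(zip(e.constants, elems))      # constant -> carrier element
        for ints in product(int_window, repeat=carrier_size):
            to_int = dict(zip(carrier, ints))           # carrier element -> Int
            pinned = all(to_int[const_of[c]] == k for k, c in enumerate(e.constants))
            in_range = (not emit_range) or all(0 <= v < n for v in to_int.values())
            if pinned and in_range:
                return True
    return False


if __name__ == "__main__":
    empty = EnumDecl("Empty")                      # the PVL `enum Empty { }` from the PR
    color = EnumDecl("Color", ["RED", "GREEN"])    # constructed non-empty enum
    print(encode_enum(empty, omit_range_axiom_when_empty=False))  # pre-fix: axiom with `< 0`
    print(encode_enum(empty))                                     # post-fix: no range axiom
    print(encode_enum(color))
    print("pre-fix Empty consistent:",
          has_finite_model(empty, omit_range_axiom_when_empty=False))
    print("post-fix Empty consistent:", has_finite_model(empty))
    print("Color with 1 vs 2 carrier elements:",
          has_finite_model(color, 1), has_finite_model(color, 2))
```

The non-empty case doubles as a sanity check on the search: `Color` has no model over a one-element carrier, because the pinning axioms force `toInt(RED) == 0` and `toInt(GREEN) == 1` onto the same element, and gains one as soon as the carrier has two elements. A real SMT solver does the same reasoning over unbounded sorts, which is why the empty-enum axiom, not some oversized carrier, is what breaks verification.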