Fix extern contract checking on abstract modules #4910
Conversation
There was a problem hiding this comment.
Previously, compiling an abstract module with an {:extern} method using --test-assumptions Externs would cause an assertion failure. This was due to interleaving between the contract checking wrapper generator and the module refinement rewriter.
What is the problem caused by interleaving?
This PR fixes the problem by generating contract checking wrappers for the whole program after resolution is finished, rather than as each module finishes resolution.
Resolution caching is done on a per-module level. Any operation done in internal override void PostResolve(Program program) { is not cached, so we shouldn't have such methods unless they don't relate to a particular module, like RunAllTestsMainMethod which adds a single main method for the whole program.
It seems right to me that this shouldn't be cached as part of resolution. I'd consider it to essentially be part of the compiler, and not something that it would make sense to enable in the IDE, for example. It really is a whole-program transformation, in essence, because it introduces wrappers in one module that are then called (by redirection) from other modules. |
Apply suggestion from @MikaelMayer Co-authored-by: Mikaël Mayer <MikaelMayer@users.noreply.github.com>
The contract checking code creates a resolved wrapper in the abstract module, which is then copied, with resolution information removed, to the refining module, which hasn't yet been resolved. The removal of the resolution information causes the resolver to crash when checking the refining module. That, on its own, could perhaps be fixed in other ways. But even if it was, the contract checking code would then try to create that wrapper again after resolving the refining module. That could be fixed by adding a special case, but that would additionally complicate the code. By running after all modules are revolved, the approach can be straightforward, without complicating special cases that we could easily get wrong. |
Fair, if you do it in
In my experience the term whole-program analysis is used when the analysis of a definition (often a callee, but in this case an imported module) is affected by the usages (often the caller, but in this case an importing module), which I think is not the case here. Case in point: leaving out the refinement related bug, contract-wrapping is already working and it is done one module at a time.
But it should be cached! Everything should be cached. We should design the whole compilation pipeline (by compilation pipeline I mean everything from parsing to code generation) with caching in mind. I'll admit that caching is less important for code generation, but I would still argue that it is better if it is designed so that it could be cached. If code generation can be done for modules independently, then it could also be run in parallel. No need to take action for this now though.
Seems like a general bug not tied to contract-checking
Refinement modules in general collide with meta-programming transformations. Attributes such as They contains code such as if (member.RefinementBase != null) {
// member is inherited from a module where it was already processed
continue;
}to deal with this. That said, those contracts need to be part of refinement, and contract wrapping does not. I think it is indeed easier to do the wrapping transformation after all refinement is done. Could you move the transformation to the compilers/code-generators? It seems there's already a handle |
But it won't do anything unless the option is enabled, which only makes sense when you're compiling.
It processes one module at a time, but it generates calls that go between modules and need to be consistent between them.
That seems reasonable. Part of the process already happens in When it comes to finishing this PR, is moving the code to all run in |
I see. That helps but I'd rather not depend on that.
Yes |
Got it. The latest commit makes that change. Let me know what you think. |
| /// the original members. | ||
| /// | ||
| /// This runs after resolution so that it has access to ghostness | ||
| /// information, attributes and call targets. It runs on the entire |
There was a problem hiding this comment.
The sentence 'it runs on the entire program' doesn't make sense to me.
I think this is a transformation where modules are only affected by modules they import, but not the other way around, so you can do it module by module, which the existing loops indicate. I think you can also cache the results of processing a module, even though we don't need to do that now.
There was a problem hiding this comment.
I guess that comment isn't as relevant as it was before. When running after resolution, there are two possible methods to override, and this was an explanation for why the code overrides the Program version instead of the Module version. After verification, there's only one option, though.
| if (ShouldGenerateWrapper(decl)) { | ||
| membersToWrap.Add((topLevelDecl, decl)); | ||
| /// <param name="program">The program to generate wrappers for and in.</param> | ||
| public override void PostVerification(Program program) { |
There was a problem hiding this comment.
Should
if (Reporter.Options.TestContracts != DafnyOptions.ContractTestingMode.TestedExterns) {
return;
}
on line 270, be moved to the top of the method?
There was a problem hiding this comment.
No. The first two loops should run regardless of that option.
| /// <param name="program">The program to generate wrappers for and in.</param> | ||
| public override void PostVerification(Program program) { | ||
| // Create wrappers | ||
| foreach (var moduleDefinition in program.Modules()) { |
There was a problem hiding this comment.
Sometimes I see program.CompileModules being used and sometimes program.Modules(). Is this difference intentional? They're very similar but one also includes the system module.
There was a problem hiding this comment.
Ah, good catch. I think they should all be program.Modules().
| if (ShouldGenerateWrapper(decl)) { | ||
| membersToWrap.Add((topLevelDecl, decl)); | ||
| /// <param name="program">The program to generate wrappers for and in.</param> | ||
| public override void PostVerification(Program program) { |
There was a problem hiding this comment.
There are three loops in this method that all iterate over modules. Can they be merged into one loop?
There was a problem hiding this comment.
Not without more complex logic that would be easy to get wrong. It needs to ensure that wrappers exist before they're called. The most straightforward way to do that is to construct them all before redirecting calls.
There was a problem hiding this comment.
But the modules returned by .Modules() are already sorted in topological order of the import graph. How would having a single loop be able to get the order wrong?
You can't call a wrapper from a module unless you imported that module, and the imported module has already been processed so its wrappers exist.
There was a problem hiding this comment.
Ah, right! I hadn't realized it was already sorted. So, yes, the first two loops can be merged. I'll do that.
The final loop is checking for whether any extern exists that hasn't been called by a test, and a test could always show up in a later module in the dependency chain, so I think it still needs to run last.
Description
Previously, compiling an abstract module with an
{:extern}method using--test-assumptions Externswould cause an assertion failure. This was due to interleaving between the contract checking wrapper generator and the module refinement rewriter. This PR fixes the problem by generating contract checking wrappers for the whole program after resolution is finished, rather than as each module finishes resolution.Fixes #4845
How has this been tested?
Tested by
contract-wrappers/RefineContract.dfy.By submitting this pull request, I confirm that my contribution is made under the terms of the MIT license.