Remove hard-coded checked declarations from 3C regression tests. #576
Conversation
|
This PR changes most of our regression tests in a significant way. To facilitate review of this issue, could we please extend the description with:
Thanks for your attention and submission, I know there have been some recent PRs that we wish had been reviewed more thoroughly. |
Maybe it will be easier to follow if I reply to your questions individually rather than have you look for the answers in a revised description?
"There is a risk that in the future, the hard-coded declarations of system elements (functions, types, etc.) in our tests' code conflict with the Checked C system headers or cause other problems because they are incorrect in a particular environment."
Indeed, the main issues are described in the commit messages, but perhaps not as clearly as you are looking for. I'll describe them again here.
The tests pass, and if I re-run my script that searches for declarations of system elements in our tests, I see that all of the remaining matches are false positives (because the script uses crude text matching heuristics). But the more important thing is our level of confidence that the original matches were replaced correctly by the script. Update 2021-05-18: I originally interpreted your comment as "the actions that you took", i.e., "the checks that you performed", but based on our discussion in #590 (comment), I assume you mean an actual run of the GitHub workflow. I've started a workflow run.
I did generate this as part of my process, so I'll post it, although it's unclear to me exactly how you plan to use it in review.
In the revised PR as of 2021-05-18, the generated tests are now handled separately in the first commit. (I've deleted the explanation of the previous approach; it's available in the edit history of this comment.)
The high-level goal is to establish whatever level of confidence we want that (1) none of the commits make unintended and harmful behavior changes to the tests and (2) this PR has completely solved the original problem, i.e., no declarations of system elements remain in the tests. I'm proposing that we can trust my scripts with respect to (2) and the two commits marked "Automated and should not affect the behavior of the tests"; part of the work would be to form your own opinion of the validity of this methodology. Beyond that, the appropriate review would depend on the nature of each commit. For example, you could verify that the renaming of intentionally nonstandard declarations was done correctly and the deviations of the remaining declarations from the standard look unimportant. Of course, without thorough knowledge of how every test interacts with 3C, it's hard to be completely certain of (1), so we have to make a judgment call of what level of confidence is appropriate before accepting this PR and moving on. I suspect that I've already gone well beyond the level that Mike would want in the context of our other priorities, but this is another issue on which you would form your own opinion.
You're right that I'm asking for review to be consistently taken seriously, even if it is after the fact because of a deadline. A separate issue I see is that for several of my PRs, you have asked me to write out a lot of explanation where other reviewers might have studied the PR and figured out the intent by themselves, even if the level of review ultimately achieved is the same in both cases. But I'm willing to write the explanation as long as we believe it's a reasonable use of my work time. |
declarations, and run it to update the generated tests. In contrast to my approach in the previous revision of the PR, we have to manually verify that there's no behavior change in the change to testgenerator, but that shouldn't be too hard, and Kyle and Mike suggested that they would find this approach easier to understand.
Hope this doesn't affect the validity of the tests.
script recognizes it. :/
Automated and should not affect the behavior of the tests.
This change was automated, but we need to review it to reassure ourselves that it doesn't affect the validity of the tests.
Automated and should not affect the behavior of the tests.
- Remove `#include <stddef.h>` from files that no longer directly reference `size_t`. - Order of `#include`s, etc.
headers. %clang_cc1 expands to a command line containing -nostdsysteminc, which turns off the use of the system headers. Hope this doesn't affect the validity of the tests. We'll probably end up doing this to all the 3C regression tests as part of #346, but for now, minimize the number of tests we have to think about.
mattmccutchen-cci
force-pushed
the
regtests-checked-decls
branch
from
5c83813 to
aa138e8
Compare
|
I've updated this PR after #590 and updated my previous comment about the PR. Kyle, I think it is ready for you to review again, modulo your desire to see the results of the workflow run (as opposed to just running the regression tests locally). |
|
The main update of extern functions in tests looks great. There were some high-level decisions made with exceptional tests that are probably fine but do potentially change test behavior. I'm unqualified to understand the subtleties myself and would like either a brief explanation of why it should be OK, or for someone else to look at it. from commit 5ee5a81 "Rename references that weren't intended to be to standard declarations." from commit 5a862a9 "Standardize checked declarations." also from 5ee5a81 above from aa138e8 " Replace %clang_cc1 with %clang in two tests that need the system headers." |
Good!
I went ahead and tried to answer your specific questions below. But indeed, at some point, it may be more efficient for someone else to take over the review of the PR if you aren't confident in approving it.
John or Mike may answer these specific cases anyway, but I think it's worth me trying again to state the general idea behind this decision (which I failed to articulate completely earlier). There are two potential problems with the declarations of system elements used in a test:
For any given test, we may not know for sure whether (1) or (2) is a bigger risk. (Both may be low, but we should still make the best decision we can.) Using local versions as you suggest would avoid (2) but expose us to (1). For the
Since
As I mentioned in the commit message, we eventually want to make a decision about this |
|
Great. Since you took the time to understand the purpose of the tests with gmtime and ulong, please leave a brief comment about them in the code (unless I missed an existing one). For The only question left I can see is regarding |
Let me wait for John's review of the main standardization, and maybe he will have an opinion on these cases too that will lead me to implement something different.
Since we're not in a great hurry, I propose that we just have the full discussion of the |
This requires replacing `%clang_cc1 -verify` with `%clang -Xclang -verify` in the tests that use it. This is one part of the RUN command cleanup that we've wanted to do for a while in #346, and now it is blocking part of #576. This is because the single behavior difference we know of between %clang_cc1 and %clang (other than the need for `-Xclang`) is that %clang_cc1 turns off the system headers, and we want two of our tests that currently use %clang_cc1 to be able to get checked declarations from the system headers. As recently as dac3f97 (August 2020), all of the tests that used %clang_cc1 used -verify. Since then, a few tests have been added that use %clang_cc1 and not -verify. This lends support to my theory that the only reason we used %clang_cc1 was that we were unaware that -verify could be used with %clang via -Xclang, and some subsequently added tests copied the use of %clang_cc1 only because the authors didn't know any better. Thus, I believe that the risk of the migration affecting the validity of the tests (e.g., causing them to falsely pass) is low.
Submitted #596. We can proceed with this PR once #596 is resolved and John reviews the standardization issues in this PR. |
There was a problem hiding this comment.
from commit 5a862a9 "Standardize checked declarations."
printf becomes _Unchecked, strlen loses _Unchecked (and restrict): Why would this not effect tests? Why not redefine a local version as done above?
@john-h-kastner or @mwhicks1, could you weigh in on this specifically? The commit is long but it's just printf/strlen repeated, prepping them for their sysheader version. Would this change the tests too much?
Adding and removing _Unchecked should be entirely inconsequential. As far as I'm aware the only place we look at _Checked and _Unchecked annotations is in CheckedRegions.cpp. Examining that file, we look for blocks that are written with an explicit _Checked, but explicit _Unchecked annotations are treated almost the same as a blocks without checked specifiers. For example, here, _Unchecked and un-annotated blocks are equivalent.
checkedc-clang/clang/lib/3C/CheckedRegions.cpp
Lines 122 to 135 in 81cbd4c
In markChecked they're treated a little differently so that we won't accidentally add a _Checked block around an existing _Unchecked block (this strikes me as something we could improve if we get around to working on -addcr again). This isn't relevant the referenced commit because it only changes external function prototypes where we'd never want to add a _Checked region.
checkedc-clang/clang/lib/3C/CheckedRegions.cpp
Lines 424 to 433 in 81cbd4c
The final possible issue is statistics collection. Making the change means these tests will report one fewer unchecked regions. That part of the statistics collection code didn't exist when these tests were written, and none of them are evaluated based on the statistics output.
The restrict are slightly more likely to matter. Any type qualifier on a variable that might be rewritten is relevant, but these functions are never defined, so they shouldn't be rewritten, and preserving qualifiers should never come into play. Also, rewriting with restrict qualifiers is explicitly tested in qualifiers.c
In all, I think the changes are acceptable.
This requires replacing `%clang_cc1 -verify` with `%clang -Xclang -verify` in the tests that use it. This is one part of the RUN command cleanup that we've wanted to do for a while in #346, and now it is blocking part of #576. This is because the single behavior difference we know of between %clang_cc1 and %clang (other than the need for `-Xclang`) is that %clang_cc1 turns off the system headers, and we want two of our tests that currently use %clang_cc1 to be able to get checked declarations from the system headers. As recently as dac3f97 (August 2020), all of the tests that used %clang_cc1 used -verify. Since then, a few tests have been added that use %clang_cc1 and not -verify. This lends support to my theory that the only reason we used %clang_cc1 was that we were unaware that -verify could be used with %clang via -Xclang, and some subsequently added tests copied the use of %clang_cc1 only because the authors didn't know any better. Thus, I believe that the risk of the migration affecting the validity of the tests (e.g., causing them to falsely pass) is low.
5ee5a81. As requested by Kyle in code review.
|
Thanks John and Kyle. I've added comments about the elements I renamed as Kyle previously requested, so I think this PR is ready to go now. Note: When I squash-merge the PR, GitHub defaults to setting the squash commit message to the concatenation of the individual commit messages. I think that's a bit hard to read and more distracting than useful on the whole, so I'm clearing out that part of the message. I believe that anyone who wants the details will be better served by reading this PR thread. |
Fixes #560. As usual, I've broken the change into a sequence of commits to ease review.