Adds documentation about function contracts

Signed-off-by: Felipe R. Monteiro <[email protected]>

Author: feliperodri

doc/cprover-manual/assigns-clause.md

@@ -1,6 +1,10 @@
-# CBMC Assigns Clause
+# Assigns Clause
 
-## Introduction
+### Definition
+
+```c
+void __CPROVER_assigns(...)
+```
 
 The _assigns_ clause allows the user to specify a list of memory
 locations which may be written within a particular scope. While an assigns
@@ -9,52 +13,12 @@ semantics, this design is based on the former. This means that memory not
 captured by the assigns clause must not be written within the given scope, even
 if the value(s) therein are not modified.
 
+### Parameters
+
 Assigns clauses currently support simple variable types and their pointers,
 structs, and arrays.  Recursive pointer structures are left to future work,
 as their support would require changes to CBMC's memory model.
 
-
-## Syntax
-A special construct is introduced to specify assigns clauses. Its syntax is
-defined as follows.
-
-```
- <assigns_clause> := __CPROVER_assigns ( <target_list> )
-```
-```
- <target_list> := __CPROVER_nothing
-                | <target>
-                | <target_list> , <target>
-```
-```
- <target> := <deref_target>
-           | <target> [ array_index ]
-           | <target> [ array_range ]
-
- <array_index> := <identifier> | <integer>
- <array_range> := <array_index> , <array_index>
-```
-```
- <deref_target> := <member_target>
-                 | * <deref_target>
-```
-```
- <member_target> := <primary_target>
-                  | <member_target> . <member_name>
-                  | <member_target> -> <member_name>
-```
-```
- <primary_target> := <identifier>
-                  | ( <target> )
-```
-
-The assigns clause identifies a list of targets, which may be an identifier
-(e.g. `x`), a member of a struct (e.g. `myStruct.someMember` or
-`myStructPtr->otherMember`), a dereferenced pointer (e.g. `*myPtr`), or an
-array range (e.g. `myArr[5, lastIdx]`).  The `<assigns_clause>` states that only
-memory identified in the target list may be written within the function, as
-described in the next section.
-
 For example, consider the following declarations.
 
 ```c
@@ -76,7 +40,7 @@ clause attached to this definition states that most of the arguments
 can be assigned. However, `myInt2`, `myPair->x`, and the first four
 elements of `myArr` should not be assigned in the body of `foo`.
 
-## Semantics
+### Semantics
 The semantics of an assigns clause *c* of some function *f* can
 be understood in two contexts.  First, one may consider how the expressions in
 *c* are treated when a call to *f* is replaced by its contract specification,
@@ -106,7 +70,7 @@ in a call to function *f* be denoted *args*<sub>*f*</sub>[k] (an identifying
 index may be added to distinguish a *particular* call to *f*, but for simplicity
 it is omitted here).
 
-## Replacement
+#### Replacement
 Assuming an assigns clause *c* is a sound characterization of
 the behavior of the function *f*, a call to *f* may be replaced a series of
 non-deterministic assignments. For each expression *e* &#8712;
@@ -145,7 +109,7 @@ void bar()
 }
 ```
 
-## Enforcement
+#### Enforcement
 In order to determine whether an assigns clause *c* is a
 sound characterization of the behavior of a function *f*, the body of the
 function is instrumented with assertion statements before each statement which

doc/cprover-manual/function-contracts.md

@@ -0,0 +1,140 @@
+# Function Contracts
+
+CBMC offers support for function contracts, which includes three basic
+clauses: _requires_, _ensures_, and _assigns_. These clauses
+accept either symbols or Boolean predicates that formally describe the
+specification of a function, but they might need more expressive constructs to
+fully specify these operations. Therefore, CBMC also provides a series of
+built-in constructus to be used with functions contracts (e.g., _history
+variables_, _quantifiers_, and _memory predicates_).
+
+To learn more about contracts, take a look at the chapter [Design by Contract](http://se.inf.ethz.ch/~meyer/publications/old/dbc_chapter.pdf) from the book Object-Oriented Software Construction by Bertrand Meyer or check it out the notes [Contract-based Design](https://www.georgefairbanks.com/york-university-contract-based-design-2021) by George Fairbanks.
+
+## Overview
+
+Take a look at the example below.
+
+```c
+#include <stdlib.h>
+#include <stdint.h>
+
+#define SUCCESS 0
+#define FAILURE -1
+
+int sum(uint32_t* a, uint32_t* b, uint32_t* out)
+{
+    const uint64_t result = ((uint64_t) *a) + ((uint64_t) *b);
+    if (result > UINT32_MAX) return FAILURE;
+    *out = (uint32_t) result;
+    return SUCCESS;
+}
+
+int foo()
+{
+	uint32_t* a = malloc(sizeof(*a));
+	uint32_t* b = malloc(sizeof(*a));
+	uint32_t out;
+	int rval = sum(a, b, &out);
+	if (rval == SUCCESS) 
+		return out;
+	return rval;
+}
+```
+
+Function `sum` writes the sum of `a` and `b` to `out`, and returns `SUCCESS`; unless there is overflows, in which case it returns `FAILURE`. Let's write a function contract for this function.
+
+A function contract has three parts:
+
+- **Precondition** - describes what the function requires of the arguments supplied by the caller and global variables;
+- **Postcondition** - describes the effects of the function;
+- **Writable Set** - describes the set of locations outside the function that might be written to;
+
+In our example, the developer may require from the caller to properly allocate all
+arguments, thus, pointers must be valid. We can specify the preconditions of a function using `__CPROVER_requires` (see [Requires \& Ensures Clauses](requires-and-ensures-clauses.md) Section for details) and we can specify an allocated object using a predicate called `__CPROVER_is_fresh` (see [Memory Predicate]() Section for details). Thus, for the `sum` function, the set of preconditions are
+
+```c
+/* Precondition */
+__CPROVER_requires(__CPROVER_is_fresh(a, sizeof(*a)))
+__CPROVER_requires(__CPROVER_is_fresh(b, sizeof(*b)))
+__CPROVER_requires(__CPROVER_is_fresh(out, sizeof(*out)))
+```
+
+We can use `__CPROVER_ensures` to specify postconditions (see [Requires \& Ensures Clauses](requires-and-ensures-clauses.md) Section for details).
+In our example, developers can use the built-in construct
+`__CPROVER_return_value`, which represents the return value of a function. As
+postconditions, one may list possible return values (in this
+case, either `SUCCESS` or `FAILURE`) as well as describe the main property of
+this function: if the function returns `SUCCESS`, then `*out` stores the
+result of `*a + *b`.
+We can also check that the value in `out` will be preserved in case of failure by using `__CPROVER_old`, which refers to the value of a given object in the pre-state of a function (see [History Varaibles]() Section for details). Thus, for the `sum` function, the set of postconditions are
+
+
+```c
+/* Postconditions */
+__CPROVER_ensures(__CPROVER_return_value == SUCCESS || __CPROVER_return_value == FAILURE)
+__CPROVER_ensures((__CPROVER_return_value == SUCCESS) ==> (*out == (*a + *b)))
+__CPROVER_ensures((__CPROVER_return_value == SUCCESS) ==> (*out == __CPROVER_old(*out)))
+```
+
+Finally, the _assigns_ clause allows developers to define a frame condition (see [Assigns Clauses](assigns-clause.md) Section for details).
+in general, be interpreted with either _writes_ or _modifies_ semantics, this
+design is based on the former. This means that memory not specified by the
+assigns clause must not be written within the given function scope, even if the
+value(s) therein are not modified. In our example, since we only expect
+that the value pointed by `out` may be modified, we annotate the function using
+`__CPROVER_assigns(*out)`.
+
+```c
+/* Writable Set */
+__CPROVER_assigns(*out)
+```
+
+Here is the whole function with its contract.
+
+```c
+int sum(uint32_t* a, uint32_t* b, uint32_t* out)
+/* Precondition */
+__CPROVER_requires(__CPROVER_is_fresh(a, sizeof(*a)))
+__CPROVER_requires(__CPROVER_is_fresh(b, sizeof(*b)))
+__CPROVER_requires(__CPROVER_is_fresh(out, sizeof(*out)))
+/* Postconditions */
+__CPROVER_ensures(__CPROVER_return_value == SUCCESS || __CPROVER_return_value == FAILURE)
+__CPROVER_ensures((__CPROVER_return_value == SUCCESS) ==> (*out == (*a + *b)))
+__CPROVER_ensures((__CPROVER_return_value == SUCCESS) ==> (*out == __CPROVER_old(*out)))
+/* Writable Set */
+__CPROVER_assigns(*out)
+{
+    const uint64_t result = ((uint64_t) *a) + ((uint64_t) *b);
+    if (result > UINT32_MAX) return FAILURE;
+    *out = (uint32_t) result;
+    return SUCCESS;
+}
+```
+
+First, we have to prove the function contract is correct.
+
+```shell
+   goto-cc -o main.goto *.c
+   goto-instrument --enforce-contract sum main.goto main-checking-contracts.goto
+   cbmc main-checking-contracts.goto
+```
+
+The first command just compiles the GOTO program as usual, the second command instruments the code to check the function contract, and the third one runs CBMC to do the checking.
+
+Now that we proved the function contract is correct, we can use the function contract in place of the function implementation wherever the function is called.
+
+```shell
+   goto-cc -o main.goto *.c
+   goto-instrument --replace-contract sum main.goto main-using-contracts.goto
+   cbmc main-using-contracts.goto
+```
+
+The first command just compiles the goto program as usual, the second command instruments the code to use the function contract in place of the function implementation wherever is invoked, and the third one runs CBMC to check the program using contracts.
+
+## Additional Resources
+
+- [Requires \& Ensures Clauses](requires-and-ensures-clauses.md)
+- [Assigns Clauses](assigns-clause.md)
+- [Memory Predicates](memory-predicates.md)
+- [History Variables](history-variables.md)
+- [Quantifiers](quantifiers.md)

doc/cprover-manual/history-variables.md

@@ -0,0 +1,19 @@
+# Historic variables
+
+### Denfinition
+
+`__CPROVER_old()` refers to the value of a given object
+in the pre-state of a function within the _ensures_ clause. It only supports
+scalars, structs and pointers.
+
+```c
+int add_overflow(uint32_t a, uint32_t b, uint32_t* out)
+/* ... */
+__CPROVER_ensures((__CPROVER_return_value == FAILURE) ==> (*out == __CPROVER_old(*out)))
+/* ... */
+{
+    /* ... */
+}
+```
+
+### Semantics

doc/cprover-manual/memory-predicates.md

@@ -0,0 +1,54 @@
+# Memory Predicates
+
+
+### Definition
+`__CPROVER_is_fresh` specifies freshly allocated objects.
+This allows us to use function contracts without wrapping the function around
+harnesses to perform allocations (e.g., using malloc). Let's improve our first
+example `add_overflow`. Instead of simply requesting `out != NULL`, we can
+specify a fresh allocated object.
+
+```c
+int add_overflow(uint32_t a, uint32_t b, uint32_t* out)
+__CPROVER_requires(__CPROVER_is_fresh(out))
+__CPROVER_ensures(__CPROVER_return_value == SUCCESS || __CPROVER_return_value == FAILURE)
+__CPROVER_ensures((__CPROVER_return_value == SUCCESS) ==> (*out == (a + b)))
+{
+    /* ... */
+}
+```
+
+### Parameters
+
+### Semantics
+
+**Enforcement.** It creates an infinite map that records the allocated elements
+in _requires_ clauses and a function for each type used in a function contract
+that returns an object or array of that type.  For _ensures_ clauses, it ensures
+that an object is *fresh* (e.g., not previously allocated).
+
+```c
+     /* Declarations */
+     static uint8_t __<fn_name>_memory_map[__CPROVER_constant_infinity_uint];
+     
+     /* For each referenced type */
+     static bool __<fn_name>_<type>_requires_is_fresh(<type> *elem, size_t size);
+     static bool __<fn_name>_<type>_ensures_is_fresh(<type> *elem, size_t size);
+```
+
+**Replacement.** CBMC needs to create dual declarations.  For the _requires_
+clauses, CBMC needs to check that all objects mapped to *fresh* objects are
+distinct.  For the _ensures_ clauses, if an object is *fresh*, we need to create
+a new object to represent it.  
+
+```c
+     /* Declarations (per call) */
+     static uint8_t <fn_name>_memory_map[__CPROVER_constant_infinity_uint];
+
+     /* For each referenced type */
+     static bool __call_<fn_name>_<type>_requires_is_fresh(<type> *elem, size_t size);
+     static bool __call_<fn_name>_<type>_ensures_is_fresh(<type> *elem, size_t size);
+```
+
+Note that for a given context, we may have multiple calls to the same function,
+so we have to be sure to create unique identifiers for the declarations.

doc/cprover-manual/quantifiers.md

@@ -0,0 +1,40 @@
+# Quantifiers
+
+### Definition
+
+`__CPROVER_forall{}` and `__CPROVER_exists{}` are both supported in function-contracts context.
+
+```
+__CPROVER_forall { *type identifier* : range; *expression* }
+__CPROVER_exists { *type identifier* : range; *expression* }
+```
+
+
+### Semantics
+
+These expressions support quantification in CBMC.  They have meaning both for
+bounded and unbounded verification by virtue of the range predicate, which
+defines minimum and maximum values for quantification.  These can be arbitrarily
+small and large, within the limits of the C type that is quantified over.
+
+```c
+int foo(int *arr, int len)
+  /* ... */
+  __CPROVER_ensures(__CPROVER_forall {
+    int i;
+    (0 <= i && i < len) ==> arr[i] == i
+  })
+{
+  /* ... */
+}
+
+int bar(int *arr, int len)
+  __CPROVER_requires(__CPROVER_exists {
+    int i;
+    (0 <= i && i < len) && arr[i] == 1
+  })
+  /* ... */
+{
+  /* ... */
+}
+```