Implemented parsing and type checking for loop variants

Author: Long Pham

regression/contracts/invar_check_break_pass/main.c

@@ -6,7 +6,10 @@ int main()
   __CPROVER_assume(r >= 0);
 
   while(r > 0)
+    // clang-format off
     __CPROVER_loop_invariant(r >= 0)
+    __CPROVER_decreases(r)
+    // clang-format on
     {
       --r;
       if(r <= 1)

regression/contracts/invar_check_continue/main.c

@@ -6,7 +6,10 @@ int main()
   __CPROVER_assume(r >= 0);
 
   while(r > 0)
+    // clang-format off
     __CPROVER_loop_invariant(r >= 0)
+    __CPROVER_decreases(r)
+    // clang-format on
     {
       --r;
       if(r < 5)

regression/contracts/invar_check_large/main.c

@@ -22,9 +22,9 @@ int main()
   int l = 0;
   int r = 1;
   while(h > l)
+    // clang-format off
     __CPROVER_loop_invariant(
       // Turn off `clang-format` because it breaks the `==>` operator.
-      /* clang-format off */
       h >= l &&
       0 <= l && l < 5 &&
       0 <= h && h < 5 &&
@@ -44,8 +44,9 @@ int main()
       (2 > h ==> arr2 >= pivot) &&
       (3 > h ==> arr3 >= pivot) &&
       (4 > h ==> arr4 >= pivot)
-      /* clang-format on */
     )
+    __CPROVER_decreases(h - l)
+    // clang-format on
     {
       if(*(arr[h]) <= pivot && *(arr[l]) >= pivot)
       {

regression/contracts/invar_check_multiple_loops/main.c

@@ -6,12 +6,18 @@ int main()
   __CPROVER_assume(n > 0 && x == y);
 
   for(r = 0; r < n; ++r)
+    // clang-format off
     __CPROVER_loop_invariant(0 <= r && r <= n && x == y + r)
+    __CPROVER_decreases(n - r)
+    // clang-format on
     {
       x++;
     }
   while(r > 0)
+    // clang-format off
     __CPROVER_loop_invariant(r >= 0 && x == y + n + (n - r))
+    __CPROVER_decreases(r)
+    // clang-format on
     {
       y--;
       r--;

regression/contracts/invar_check_nested_loops/main.c

@@ -6,13 +6,19 @@ int main()
   __CPROVER_assume(n >= 0);
 
   for(int i = 0; i < n; ++i)
+    // clang-format off
     __CPROVER_loop_invariant(i <= n && s == i)
+    __CPROVER_decreases(n - i)
+    // clang-format on
     {
       int a, b;
       __CPROVER_assume(b >= 0 && a == b);
 
       while(a > 0)
+        // clang-format off
         __CPROVER_loop_invariant(a >= 0 && s == i + (b - a))
+        __CPROVER_decreases(a)
+        // clang-format on
         {
           s++;
           a--;

regression/contracts/invar_check_pointer_modifies-01/main.c

@@ -8,7 +8,10 @@ void main()
 
   unsigned i;
   while(i > 0)
+    // clang-format off
     __CPROVER_loop_invariant(*data == 42)
+    __CPROVER_decreases(i)
+    // clang-format on
     {
       *data = 42;
       i--;

regression/contracts/invar_check_pointer_modifies-02/main.c

@@ -10,7 +10,10 @@ void main()
 
   unsigned i;
   while(i > 0)
+    // clang-format off
     __CPROVER_loop_invariant(*data == 42)
+    __CPROVER_decreases(i)
+    // clang-format on
     {
       *data = 42;
       i--;

regression/contracts/invar_check_sufficiency/main.c

@@ -6,7 +6,10 @@ int main()
   __CPROVER_assume(r >= 0);
 
   while(r > 0)
+    // clang-format off
     __CPROVER_loop_invariant(r >= 0)
+    __CPROVER_decreases(r)
+    // clang-format on
     {
       --r;
     }

regression/contracts/invar_loop_constant_no_modify/main.c

@@ -6,7 +6,10 @@ int main()
   int s = 1;
   __CPROVER_assume(r >= 0);
   while(r > 0)
+    // clang-format off
     __CPROVER_loop_invariant(r >= 0)
+    __CPROVER_decreases(r)
+    // clang-format on
     {
       r--;
     }

regression/contracts/invar_loop_constant_pass/main.c

@@ -5,7 +5,10 @@ int main()
   int r, s = 1;
   __CPROVER_assume(r >= 0);
   while(r > 0)
+    // clang-format off
     __CPROVER_loop_invariant(r >= 0 && s == 1)
+    __CPROVER_decreases(r)
+    // clang-format on
     {
       s = 1;
       r--;

regression/contracts/invariant_side_effects/main.c

@@ -7,7 +7,10 @@ int main()
 
   *a = 0;
   while(*a < N)
+    // clang-format off
     __CPROVER_loop_invariant((0 <= *a) && (*a <= N))
+    __CPROVER_decreases(N - *a)
+    // clang-format on
     {
       ++(*a);
     }

regression/contracts/variant_parsing_statement_fail/main.c

@@ -0,0 +1,16 @@
+
+int main()
+{
+  int i = 0;
+  int N = 10;
+  while(i != N)
+    // clang-format off
+    __CPROVER_loop_invariant(0 <= i && i <= N) 
+    __CPROVER_decreases(int x = 0)
+    // clang-format on
+    {
+      i++;
+    }
+
+  return 0;
+}

regression/contracts/variant_parsing_statement_fail/test.desc

@@ -0,0 +1,13 @@
+CORE
+main.c
+--enforce-all-contracts
+activate-multi-line-match
+^main.c.*error: syntax error before 'int'\n.*__CPROVER_decreases\(int x = 0\)$
+^PARSING ERROR$
+^EXIT=(1|64)$
+^SIGNAL=0$
+--
+--
+This test fails because the loop variant is a statement (more precisely, 
+an assignment) rather than an expression (more precisely, an ACSL binding
+expression).

regression/contracts/variant_parsing_tuple_fail/main.c

@@ -0,0 +1,15 @@
+int main()
+{
+  int i = 0;
+  int N = 10;
+  while(i != N)
+    // clang-format off
+    __CPROVER_loop_invariant(0 <= i && i <= N)
+    __CPROVER_decreases(N - i, 42)
+    // clang-format on
+    {
+      i++;
+    }
+
+  return 0;
+}

regression/contracts/variant_parsing_tuple_fail/test.desc

@@ -0,0 +1,13 @@
+CORE
+main.c
+--enforce-all-contracts
+activate-multi-line-match
+^main.c.*error: syntax error before ','\n.*__CPROVER_decreases\(N - i, 42\)$
+^PARSING ERROR$
+^EXIT=(1|64)$
+^SIGNAL=0$
+--
+--
+This test fails because the loop variant has two arguments instead of just one.
+Currently, we only support loop variants of single arguments - we do not
+support loop variants of tuples (yet). 

src/ansi-c/c_typecheck_base.h

@@ -144,7 +144,8 @@ class c_typecheck_baset:
   virtual void typecheck_while(code_whilet &code);
   virtual void typecheck_dowhile(code_dowhilet &code);
   virtual void typecheck_start_thread(codet &code);
-  virtual void typecheck_spec_expr(codet &code, const irep_idt &spec);
+  virtual void typecheck_spec_loop_invariant(codet &code);
+  virtual void typecheck_spec_decreases(codet &code);
 
   bool break_is_allowed;
   bool continue_is_allowed;

src/ansi-c/c_typecheck_code.cpp

@@ -484,7 +484,8 @@ void c_typecheck_baset::typecheck_for(codet &code)
     typecheck_code(code); // recursive call
   }
 
-  typecheck_spec_expr(code, ID_C_spec_loop_invariant);
+  typecheck_spec_loop_invariant(code);
+  typecheck_spec_decreases(code);
 }
 
 void c_typecheck_baset::typecheck_label(code_labelt &code)
@@ -772,7 +773,8 @@ void c_typecheck_baset::typecheck_while(code_whilet &code)
   break_is_allowed=old_break_is_allowed;
   continue_is_allowed=old_continue_is_allowed;
 
-  typecheck_spec_expr(code, ID_C_spec_loop_invariant);
+  typecheck_spec_loop_invariant(code);
+  typecheck_spec_decreases(code);
 }
 
 void c_typecheck_baset::typecheck_dowhile(code_dowhilet &code)
@@ -805,16 +807,28 @@ void c_typecheck_baset::typecheck_dowhile(code_dowhilet &code)
   break_is_allowed=old_break_is_allowed;
   continue_is_allowed=old_continue_is_allowed;
 
-  typecheck_spec_expr(code, ID_C_spec_loop_invariant);
+  typecheck_spec_loop_invariant(code);
+  typecheck_spec_decreases(code);
 }
 
-void c_typecheck_baset::typecheck_spec_expr(codet &code, const irep_idt &spec)
+void c_typecheck_baset::typecheck_spec_loop_invariant(codet &code)
 {
-  if(code.find(spec).is_not_nil())
+  if(code.find(ID_C_spec_loop_invariant).is_not_nil())
   {
-    exprt &constraint = static_cast<exprt &>(code.add(spec));
+    exprt &invariant = static_cast<exprt &>(code.add(ID_C_spec_loop_invariant));
 
-    typecheck_expr(constraint);
-    implicit_typecast_bool(constraint);
+    typecheck_expr(invariant);
+    implicit_typecast_bool(invariant);
+  }
+}
+
+void c_typecheck_baset::typecheck_spec_decreases(codet &code)
+{
+  if(code.find(ID_C_spec_decreases).is_not_nil())
+  {
+    exprt &variant = static_cast<exprt &>(code.add(ID_C_spec_decreases));
+
+    typecheck_expr(variant);
+    implicit_typecast_arithmetic(variant);
   }
 }

src/ansi-c/c_typecheck_expr.cpp

@@ -51,7 +51,7 @@ void c_typecheck_baset::typecheck_expr(exprt &expr)
     return;
   }
 
-  // fist do sub-nodes
+  // first do sub-nodes
   typecheck_expr_operands(expr);
 
   // now do case-split