Implemented parsing and type checking for loop variants

Author: Long Pham

regression/contracts/invar_check_break_pass/main.c

@@ -7,6 +7,7 @@ int main()
 
   while(r > 0)
     __CPROVER_loop_invariant(r >= 0)
+    __CPROVER_decreases(r)
     {
       --r;
       if(r <= 1)

regression/contracts/invar_check_continue/main.c

@@ -7,6 +7,7 @@ int main()
 
   while(r > 0)
     __CPROVER_loop_invariant(r >= 0)
+    __CPROVER_decreases(r)
     {
       --r;
       if(r < 5)

regression/contracts/invar_check_multiple_loops/main.c

@@ -7,11 +7,13 @@ int main()
 
   for(r = 0; r < n; ++r)
     __CPROVER_loop_invariant(0 <= r && r <= n && x == y + r)
+    __CPROVER_decreases(n - r)
     {
       x++;
     }
   while(r > 0)
     __CPROVER_loop_invariant(r >= 0 && x == y + n + (n - r))
+    __CPROVER_decreases(r)
     {
       y--;
       r--;

regression/contracts/invar_check_nested_loops/main.c

@@ -7,12 +7,14 @@ int main()
 
   for(int i = 0; i < n; ++i)
     __CPROVER_loop_invariant(i <= n && s == i)
+    __CPROVER_decreases(n - i)
     {
       int a, b;
       __CPROVER_assume(b >= 0 && a == b);
 
       while(a > 0)
         __CPROVER_loop_invariant(a >= 0 && s == i + (b - a))
+        __CPROVER_decreases(a)
         {
           s++;
           a--;

regression/contracts/invar_check_pointer_modifies-01/main.c

@@ -9,6 +9,7 @@ void main()
   unsigned i;
   while(i > 0)
     __CPROVER_loop_invariant(*data == 42)
+    __CPROVER_decreases(i)
     {
       *data = 42;
       i--;

regression/contracts/invar_check_pointer_modifies-02/main.c

@@ -11,6 +11,7 @@ void main()
   unsigned i;
   while(i > 0)
     __CPROVER_loop_invariant(*data == 42)
+    __CPROVER_decreases(i)
     {
       *data = 42;
       i--;

regression/contracts/invar_check_sufficiency/main.c

@@ -7,6 +7,7 @@ int main()
 
   while(r > 0)
     __CPROVER_loop_invariant(r >= 0)
+    __CPROVER_decreases(r)
     {
       --r;
     }

regression/contracts/invar_loop_constant_no_modify/main.c

@@ -7,6 +7,7 @@ int main()
   __CPROVER_assume(r >= 0);
   while(r > 0)
     __CPROVER_loop_invariant(r >= 0)
+    __CPROVER_decreases(r)
     {
       r--;
     }

regression/contracts/invar_loop_constant_pass/main.c

@@ -6,6 +6,7 @@ int main()
   __CPROVER_assume(r >= 0);
   while(r > 0)
     __CPROVER_loop_invariant(r >= 0 && s == 1)
+    __CPROVER_decreases(r)
     {
       s = 1;
       r--;

regression/contracts/invariant_side_effects/main.c

@@ -8,6 +8,7 @@ int main()
   *a = 0;
   while(*a < N)
     __CPROVER_loop_invariant((0 <= *a) && (*a <= N))
+    __CPROVER_decreases(N - *a)
     {
       ++(*a);
     }

regression/contracts/variant_parsing_fail/main.c

@@ -0,0 +1,13 @@
+int main() 
+{
+  int i = 0; 
+  int N = 10;
+  while (i != N)
+    __CPROVER_loop_invariant(1 == 1)
+    __CPROVER__decreases(N - i)
+  {
+    i++;
+  }
+
+  return 0; 
+}

regression/contracts/variant_parsing_fail/test.desc

@@ -0,0 +1,13 @@
+CORE
+main.c
+--enforce-all-contracts
+^main.c: In function 'main':$
+^main.c:8:1: error: syntax error before '{'$
+^.*{$
+^PARSING ERROR$
+^EXIT=1$
+^SIGNAL=0$
+--
+--
+This test fails because it has two understores (instead of just one)
+between CPROVER and loop. This is a parsing error.  

regression/contracts/variant_typechecking_fail/main.c

@@ -0,0 +1,14 @@
+
+int main()
+{
+  int i = 0; 
+  int N = 10;
+  while (i != N)
+    __CPROVER_loop_invariant(1 == 1)
+    __CPROVER_decreases("This is a string")
+  {
+    i++;
+  }
+
+  return 0;
+}

regression/contracts/variant_typechecking_fail/test.desc

@@ -0,0 +1,14 @@
+CORE
+main.c
+--enforce-all-contracts
+^main.c: In function 'main':$
+^main.c:8:1: error: in expression '"This is a string"':$
+^conversion from 'char \[17l\]' to 'integer': implicit conversion not permitted
+^.*__CPROVER_decreases\("This is a string"\)
+^CONVERSION ERROR$
+^EXIT=1$
+^SIGNAL=0$
+--
+--
+This test fails because a loop variant is a string, and it cannot be
+cast to an integer. Hence, type checing of the loop variant fails. 

src/ansi-c/c_typecheck_base.h

@@ -16,6 +16,7 @@ Author: Daniel Kroening, [email protected]
 #include <util/std_code.h>
 #include <util/symbol_table.h>
 #include <util/typecheck.h>
+#include <util/mathematical_types.h>
 
 #include "designator.h"
 
@@ -120,6 +121,16 @@ class c_typecheck_baset:
     implicit_typecast(expr, bool_typet());
   }
 
+  // This function is necessary for the implementation of loop variants. 
+  // We want to cast loop variants to integers. The class integer_typet from
+  // mathmatical_types.h represents an unbounded integer type. Ideally, 
+  // we want to use a bounded integer type (as opposed to an unbounded integer
+  // type) for loop variants. 
+  virtual void implicit_typecast_int(exprt &expr)
+  {
+    implicit_typecast(expr, integer_typet());
+  }
+
   // code
   virtual void start_typecheck_code();
   virtual void typecheck_code(codet &code);

src/ansi-c/c_typecheck_code.cpp

@@ -485,6 +485,7 @@ void c_typecheck_baset::typecheck_for(codet &code)
   }
 
   typecheck_spec_expr(code, ID_C_spec_loop_invariant);
+  typecheck_spec_expr(code, ID_C_spec_loop_variant);
 }
 
 void c_typecheck_baset::typecheck_label(code_labelt &code)
@@ -773,6 +774,7 @@ void c_typecheck_baset::typecheck_while(code_whilet &code)
   continue_is_allowed=old_continue_is_allowed;
 
   typecheck_spec_expr(code, ID_C_spec_loop_invariant);
+  typecheck_spec_expr(code, ID_C_spec_loop_variant);
 }
 
 void c_typecheck_baset::typecheck_dowhile(code_dowhilet &code)
@@ -806,6 +808,7 @@ void c_typecheck_baset::typecheck_dowhile(code_dowhilet &code)
   continue_is_allowed=old_continue_is_allowed;
 
   typecheck_spec_expr(code, ID_C_spec_loop_invariant);
+  typecheck_spec_expr(code, ID_C_spec_loop_variant);
 }
 
 void c_typecheck_baset::typecheck_spec_expr(codet &code, const irep_idt &spec)
@@ -815,6 +818,11 @@ void c_typecheck_baset::typecheck_spec_expr(codet &code, const irep_idt &spec)
     exprt &constraint = static_cast<exprt &>(code.add(spec));
 
     typecheck_expr(constraint);
-    implicit_typecast_bool(constraint);
+    if (spec == ID_C_spec_loop_invariant) {
+      implicit_typecast_bool(constraint);
+    }
+    else if (spec == ID_C_spec_loop_variant) {
+      implicit_typecast_int(constraint);
+    }
   }
 }

src/ansi-c/c_typecheck_expr.cpp

@@ -51,7 +51,7 @@ void c_typecheck_baset::typecheck_expr(exprt &expr)
     return;
   }
 
-  // fist do sub-nodes
+  // first do sub-nodes
   typecheck_expr_operands(expr);
 
   // now do case-split

src/ansi-c/parser.y

@@ -203,6 +203,7 @@ extern char *yyansi_ctext;
 %token TOK_CPROVER_FINALLY "__CPROVER_finally"
 %token TOK_CPROVER_ID  "__CPROVER_ID"
 %token TOK_CPROVER_LOOP_INVARIANT  "__CPROVER_loop_invariant"
+%token TOK_CPROVER_LOOP_VARIANT "__CPROVER_decreases"
 %token TOK_CPROVER_REQUIRES  "__CPROVER_requires"
 %token TOK_CPROVER_ENSURES  "__CPROVER_ensures"
 %token TOK_CPROVER_ASSIGNS "__CPROVER_assigns"
@@ -497,6 +498,13 @@ loop_invariant_opt:
         { $$=$3; }
         ;
 
+loop_variant_opt:
+        /* nothing */
+        { init($$); parser_stack($$).make_nil(); }
+        | TOK_CPROVER_LOOP_VARIANT '(' ACSL_binding_expression ')'
+        { $$=$3; }
+        ;
+
 statement_expression: '(' compound_statement ')'
         { 
           $$=$1;
@@ -2418,24 +2426,31 @@ declaration_or_expression_statement:
 
 iteration_statement:
         TOK_WHILE '(' comma_expression_opt ')'
-          loop_invariant_opt statement
+          loop_invariant_opt loop_variant_opt 
+          statement
         {
           $$=$1;
           statement($$, ID_while);
-          parser_stack($$).add_to_operands(std::move(parser_stack($3)), std::move(parser_stack($6)));
+          parser_stack($$).add_to_operands(std::move(parser_stack($3)), std::move(parser_stack($7)));
 
           if(parser_stack($5).is_not_nil())
             parser_stack($$).add(ID_C_spec_loop_invariant).swap(parser_stack($5));
+
+          if(parser_stack($6).is_not_nil())
+            parser_stack($$).add(ID_C_spec_loop_variant).swap(parser_stack($6));
         }
         | TOK_DO statement TOK_WHILE '(' comma_expression ')'
-          loop_invariant_opt ';'
+          loop_invariant_opt loop_variant_opt ';'
         {
           $$=$1;
           statement($$, ID_dowhile);
           parser_stack($$).add_to_operands(std::move(parser_stack($5)), std::move(parser_stack($2)));
 
           if(parser_stack($7).is_not_nil())
             parser_stack($$).add(ID_C_spec_loop_invariant).swap(parser_stack($7));
+
+          if(parser_stack($8).is_not_nil())
+            parser_stack($$).add(ID_C_spec_loop_variant).swap(parser_stack($8));
         }
         | TOK_FOR
           {
@@ -2449,7 +2464,7 @@ iteration_statement:
           '(' declaration_or_expression_statement
               comma_expression_opt ';'
               comma_expression_opt ')'
-              loop_invariant_opt
+              loop_invariant_opt loop_variant_opt
           statement
         {
           $$=$1;
@@ -2458,11 +2473,14 @@ iteration_statement:
           mto($$, $4);
           mto($$, $5);
           mto($$, $7);
-          mto($$, $10);
+          mto($$, $11);
 
           if(parser_stack($9).is_not_nil())
             parser_stack($$).add(ID_C_spec_loop_invariant).swap(parser_stack($9));
 
+          if(parser_stack($10).is_not_nil())
+            parser_stack($$).add(ID_C_spec_loop_variant).swap(parser_stack($10));
+
           if(PARSER.for_has_scope)
             PARSER.pop_scope(); // remove the C99 for-scope
         }

src/ansi-c/scanner.l

@@ -1281,6 +1281,7 @@ __decltype          { if(PARSER.cpp98 &&
 {CPROVER_PREFIX}"finally"      { loc(); return TOK_CPROVER_FINALLY; }
 {CPROVER_PREFIX}"ID"           { loc(); return TOK_CPROVER_ID; }
 {CPROVER_PREFIX}"loop_invariant" { loc(); return TOK_CPROVER_LOOP_INVARIANT; }
+{CPROVER_PREFIX}"decreases" { loc(); return TOK_CPROVER_LOOP_VARIANT; }
 {CPROVER_PREFIX}"requires"     { loc(); return TOK_CPROVER_REQUIRES; }
 {CPROVER_PREFIX}"ensures"      { loc(); return TOK_CPROVER_ENSURES; }
 {CPROVER_PREFIX}"assigns"      { loc(); return TOK_CPROVER_ASSIGNS; }

src/goto-instrument/loop_utils.cpp

@@ -116,6 +116,7 @@ void get_modifies_lhs(
     const pointer_arithmetict ptr(to_dereference_expr(lhs).pointer());
     for(const auto &mod : local_may_alias.get(t, ptr.pointer))
     {
+      if(mod.id() == ID_unknown) continue;
       if(ptr.offset.is_nil())
         modifies.insert(dereference_exprt{mod});
       else

src/util/irep_ids.def

@@ -572,6 +572,7 @@ IREP_ID_ONE(is_weak)
 IREP_ID_ONE(used)
 IREP_ID_ONE(is_used)
 IREP_ID_TWO(C_spec_loop_invariant, #spec_loop_invariant)
+IREP_ID_TWO(C_spec_loop_variant, #spec_loop_variant)
 IREP_ID_TWO(C_spec_requires, #spec_requires)
 IREP_ID_TWO(C_spec_ensures, #spec_ensures)
 IREP_ID_TWO(C_spec_assigns, #spec_assigns)