Add support for nested quantifiers in function contracts

This adds support for nested quantifiers in funtion contracts.
We recusrively handle quantifiers that are nested within other
quantifiers or within and/or/implies statements.

Author: ArenBabikian

regression/contracts/quantifiers-nested-01/main.c

@@ -0,0 +1,24 @@
+// clang-format off
+int f1(int *arr) __CPROVER_ensures(__CPROVER_forall {
+  int i;
+  __CPROVER_forall
+  {
+    int j;
+    (0 <= i && i < 10 && i <= j && j < 10) ==> arr[i] <= arr[j]
+  }
+})
+// clang-format on
+{
+  for(int i = 0; i < 10; i++)
+  {
+    arr[i] = i;
+  }
+
+  return 0;
+}
+
+int main()
+{
+  int arr[10];
+  f1(arr);
+}

regression/contracts/quantifiers-nested-01/test.desc

@@ -0,0 +1,11 @@
+CORE
+main.c
+--enforce-all-contracts
+^EXIT=0$
+^SIGNAL=0$
+^VERIFICATION SUCCESSFUL$
+--
+--
+Verification:
+This test case checks the handling of a forall expression
+nested within another forall expression.

regression/contracts/quantifiers-nested-02/main.c

@@ -0,0 +1,19 @@
+// clang-format off
+int f1(int *arr) __CPROVER_requires(__CPROVER_forall {
+  int i;
+  0 <= i && i < 9 ==> __CPROVER_forall
+  {
+    int j;
+    (i <= j && j < 10) ==> arr[i] <= arr[j]
+  }
+}) __CPROVER_ensures(__CPROVER_return_value == 0)
+// clang-format on
+{
+  return 0;
+}
+
+int main()
+{
+  int arr[10] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9};
+  f1(arr);
+}

regression/contracts/quantifiers-nested-02/test.desc

@@ -0,0 +1,11 @@
+CORE
+main.c
+--replace-all-calls-with-contracts
+^EXIT=0$
+^SIGNAL=0$
+^VERIFICATION SUCCESSFUL$
+--
+--
+Verification:
+This test case checks the handling of a forall expression
+nested within an implication.

regression/contracts/quantifiers-nested-03/main.c

@@ -0,0 +1,19 @@
+int f1(int *arr)
+  __CPROVER_ensures(__CPROVER_return_value == 0 && __CPROVER_exists {
+    int i;
+    (0 <= i && i < 10) && arr[i] == i
+  })
+{
+  for(int i = 0; i < 10; i++)
+  {
+    arr[i] = i;
+  }
+
+  return 0;
+}
+
+int main()
+{
+  int arr[10];
+  f1(arr);
+}

regression/contracts/quantifiers-nested-03/test.desc

@@ -0,0 +1,11 @@
+CORE
+main.c
+--enforce-all-contracts
+^EXIT=0$
+^SIGNAL=0$
+^VERIFICATION SUCCESSFUL$
+--
+--
+Verification:
+This test case checks the handling of an exists expression
+nested within a conjunction.

regression/contracts/quantifiers-nested-04/main.c

@@ -0,0 +1,21 @@
+// clang-format off
+int f1(int *arr) __CPROVER_requires(
+  __CPROVER_forall {
+    int i;
+    (0 <= i && i < 10) ==> arr[i] == 0
+  } ||
+  arr[9] == -1 ||
+  __CPROVER_exists {
+    int i;
+    (0 <= i && i < 10) && arr[i] == i
+  }) __CPROVER_ensures(__CPROVER_return_value == 0)
+// clang-format on
+{
+  return 0;
+}
+
+int main()
+{
+  int arr[10] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9};
+  f1(arr);
+}

regression/contracts/quantifiers-nested-04/test.desc

@@ -0,0 +1,11 @@
+CORE
+main.c
+--replace-all-calls-with-contracts
+^EXIT=0$
+^SIGNAL=0$
+^VERIFICATION SUCCESSFUL$
+--
+--
+Verification:
+This test case checks the handling of both a forall expression
+and an exists expression nested within a disjunction.

regression/contracts/quantifiers-nested-05/main.c

@@ -0,0 +1,15 @@
+// clang-format off
+int f1(int *arr) __CPROVER_requires(!__CPROVER_forall {
+    int i;
+    (0 <= i && i < 10) ==> arr[i] == 0
+  }) __CPROVER_ensures(__CPROVER_return_value == 0)
+// clang-format on
+{
+  return 0;
+}
+
+int main()
+{
+  int arr[10] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9};
+  f1(arr);
+}

regression/contracts/quantifiers-nested-05/test.desc

@@ -0,0 +1,11 @@
+CORE
+main.c
+--replace-all-calls-with-contracts
+^EXIT=0$
+^SIGNAL=0$
+^VERIFICATION SUCCESSFUL$
+--
+--
+Verification:
+This test case checks the handling of a forall expression
+nested within a negation.

regression/contracts/quantifiers-nested-06/main.c

@@ -0,0 +1,27 @@
+// clang-format off
+int f1(int *arr) __CPROVER_requires(
+  (__CPROVER_forall {
+    int i;
+    (0 <= i && i < 10) ==> arr[i] == 0
+  } ? __CPROVER_exists {
+    int i;
+    (0 <= i && i < 10) ==> arr[i] == 0
+  } : 1 == 0) &&
+  (__CPROVER_forall {
+    int i;
+    (0 <= i && i < 10) ==> arr[i] == i
+  } ? 1 == 0 :
+    __CPROVER_forall {
+      int i;
+      (0 <= i && i < 10) ==> arr[i] == 0
+  })) __CPROVER_ensures(__CPROVER_return_value == 0)
+// clang-format on
+{
+  return 0;
+}
+
+int main()
+{
+  int arr[10] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
+  f1(arr);
+}

regression/contracts/quantifiers-nested-06/test.desc

@@ -0,0 +1,11 @@
+CORE
+main.c
+--replace-all-calls-with-contracts
+^EXIT=0$
+^SIGNAL=0$
+^VERIFICATION SUCCESSFUL$
+--
+--
+Verification:
+This test case checks the handling of forall and exists expressions
+nested within ternary ITE expressions (condition ? true : false).

src/goto-instrument/code_contracts.cpp

@@ -26,6 +26,7 @@ Date: February 2016
 #include <util/expr_util.h>
 #include <util/format_type.h>
 #include <util/fresh_symbol.h>
+#include <util/mathematical_expr.h>
 #include <util/mathematical_types.h>
 #include <util/message.h>
 #include <util/pointer_offset_size.h>
@@ -149,7 +150,7 @@ static void check_apply_invariants(
 
   // change the back edge into assume(false) or assume(guard)
   loop_end->targets.clear();
-  loop_end->type=ASSUME;
+  loop_end->type = ASSUME;
   if(loop_head->is_goto())
     loop_end->set_condition(false_exprt());
   else
@@ -168,23 +169,56 @@ void code_contractst::add_quantified_variable(
   replace_symbolt &replace,
   irep_idt mode)
 {
-  // If the expression is a quantified expression, this function adds
-  // the quantified variable to the symbol table and to the expression map
-
-  // TODO Currently only works if the contract contains only a single
-  // quantified formula
-  // i.e. (1) the top-level element is a quantifier formula
-  // and (2) there are no inner quantifier formulae
-  // This TODO is handled in PR #5968
-
-  if(expression.id() == ID_exists || expression.id() == ID_forall)
+  if(expression.id() == ID_not || expression.id() == ID_typecast)
+  {
+    // For unary connectives, recursively check for
+    // nested quantified formulae in the term
+    unary_exprt unary_expression = to_unary_expr(expression);
+    exprt term = unary_expression.operands().at(0);
+    add_quantified_variable(term, replace, mode);
+  }
+  if(expression.id() == ID_notequal || expression.id() == ID_implies)
+  {
+    // For binary connectives, recursively check for
+    // nested quantified formulae in the left and right terms
+    binary_exprt binary_expression = to_binary_expr(expression);
+    exprt left = binary_expression.operands().at(0);
+    add_quantified_variable(left, replace, mode);
+    exprt right = binary_expression.operands().at(1);
+    add_quantified_variable(right, replace, mode);
+  }
+  if(expression.id() == ID_if)
+  {
+    // For ternary connectives, recursively check for
+    // nested quantified formulae in all three terms
+    if_exprt if_expression = to_if_expr(expression);
+    exprt condition = if_expression.operands().at(0);
+    add_quantified_variable(condition, replace, mode);
+    exprt first = if_expression.operands().at(1);
+    add_quantified_variable(first, replace, mode);
+    exprt second = if_expression.operands().at(2);
+    add_quantified_variable(second, replace, mode);
+  }
+  if(expression.id() == ID_and || expression.id() == ID_or)
+  {
+    // For multi-ary connectives, recursively check for
+    // nested quantified formulae in all terms
+    multi_ary_exprt multi_ary_expression = to_multi_ary_expr(expression);
+    for(auto operand : multi_ary_expression.operands())
+    {
+      add_quantified_variable(operand, replace, mode);
+    }
+  }
+  else if(expression.id() == ID_exists || expression.id() == ID_forall)
   {
-    // get quantified symbol
-    exprt tuple = expression.operands().front();
-    exprt quantified_variable = tuple.operands().front();
+    // When a quantifier expression is found,
+    // 1. get quantified symbol
+    quantifier_exprt quantifier_expression = to_quantifier_expr(expression);
+    exprt tuple = quantifier_expression.operands().at(0);
+    exprt quantified_variable = tuple.operands().at(0);
     symbol_exprt quantified_symbol = to_symbol_expr(quantified_variable);
 
-    // create fresh symbol
+    // 2. create fresh symbol
     symbolt new_symbol = get_fresh_aux_symbol(
       quantified_symbol.type(),
       id2string(quantified_symbol.get_identifier()),
@@ -193,10 +227,14 @@ void code_contractst::add_quantified_variable(
       mode,
       symbol_table);
 
-    // add created fresh symbol to expression map
+    // 3. add created fresh symbol to expression map
     symbol_exprt q(
       quantified_symbol.get_identifier(), quantified_symbol.type());
     replace.insert(q, new_symbol.symbol_expr());
+
+    // 4. recursively check for nested quantified formulae
+    exprt quantified_expression = quantifier_expression.operands().at(1);
+    add_quantified_variable(quantified_expression, replace, mode);
   }
 }
 
@@ -267,7 +305,7 @@ bool code_contractst::apply_function_contract(
   }
 
   // Replace formal parameters
-  code_function_callt::argumentst::const_iterator a_it=
+  code_function_callt::argumentst::const_iterator a_it =
     call.arguments().begin();
   for(code_typet::parameterst::const_iterator p_it = type.parameters().begin();
       p_it != type.parameters().end() && a_it != call.arguments().end();
@@ -482,38 +520,38 @@ void code_contractst::instrument_call_statement(
 
     return;
   }
-    else // Called function has assigns clause
+  else // Called function has assigns clause
+  {
+    replace_symbolt replace;
+    // Replace formal parameters
+    code_function_callt::argumentst::const_iterator a_it =
+      call.arguments().begin();
+    for(code_typet::parameterst::const_iterator p_it =
+          called_type.parameters().begin();
+        p_it != called_type.parameters().end() &&
+        a_it != call.arguments().end();
+        ++p_it, ++a_it)
     {
-      replace_symbolt replace;
-      // Replace formal parameters
-      code_function_callt::argumentst::const_iterator a_it =
-        call.arguments().begin();
-      for(code_typet::parameterst::const_iterator p_it =
-            called_type.parameters().begin();
-          p_it != called_type.parameters().end() &&
-          a_it != call.arguments().end();
-          ++p_it, ++a_it)
+      if(!p_it->get_identifier().empty())
       {
-        if(!p_it->get_identifier().empty())
-        {
-          symbol_exprt p(p_it->get_identifier(), p_it->type());
-          replace.insert(p, *a_it);
-        }
+        symbol_exprt p(p_it->get_identifier(), p_it->type());
+        replace.insert(p, *a_it);
       }
-
-      replace(called_assigns);
-
-      // check compatibility of assigns clause with the called function
-      assigns_clauset called_assigns_clause(
-        called_assigns, *this, function_id, log);
-      exprt compatible =
-        assigns_clause.compatible_expression(called_assigns_clause);
-      goto_programt alias_assertion;
-      alias_assertion.add(goto_programt::make_assertion(
-        compatible, instruction_iterator->source_location));
-      program.insert_before_swap(instruction_iterator, alias_assertion);
-      ++instruction_iterator;
     }
+
+    replace(called_assigns);
+
+    // check compatibility of assigns clause with the called function
+    assigns_clauset called_assigns_clause(
+      called_assigns, *this, function_id, log);
+    exprt compatible =
+      assigns_clause.compatible_expression(called_assigns_clause);
+    goto_programt alias_assertion;
+    alias_assertion.add(goto_programt::make_assertion(
+      compatible, instruction_iterator->source_location));
+    program.insert_before_swap(instruction_iterator, alias_assertion);
+    ++instruction_iterator;
+  }
 }
 
 bool code_contractst::check_for_looped_mallocs(const goto_programt &program)
@@ -787,7 +825,7 @@ void code_contractst::add_contract_check(
                        .symbol_expr();
     check.add(goto_programt::make_decl(r, skip->source_location));
 
-    call.lhs()=r;
+    call.lhs() = r;
     return_stmt = code_returnt(r);
 
     symbol_exprt ret_val(CPROVER_PREFIX "return_value", call.lhs().type());