CONTRACTS: Add doxygen doc for DFCC

User doc and developer doc now live
in doxygen land.

Author: Remi Delmas

doc/cprover-manual/contracts-requires-and-ensures.md

@@ -772,6 +772,7 @@ WARN_LOGFILE           =
 # Note: If this tag is empty the current directory is searched.
 
 INPUT                  = . ../doc ../jbmc/src ../unit/testing-utils ../jbmc/unit/java-testing-utils
+INPUT += ansi-c/library/cprover_contracts.c
 
 # This tag can be used to specify the character encoding of the source files
 # that doxygen parses. Internally doxygen uses the UTF-8 encoding. Doxygen uses

src/doxyfile

@@ -1,6 +1,4 @@
-[CPROVER Manual TOC](../)
-
-# Contracts
+# Code Contracts in CBMC {#contracts-mainpage}
 
 Code contracts in CBMC provide way to safely abstract parts of a program,
 typically in order to accelerate the verification process.
@@ -14,10 +12,8 @@ notes [Contract-based
 Design](https://www.georgefairbanks.com/york-university-contract-based-design-2021)
 by George Fairbanks.
 
-CBMC currently supports contracts on functions and loops:
-
-- [Function Contracts](../contracts/functions/)
-- [Loop Contracts](../contracts/loops/)
-
 For extra steps required to compositionally reason about file-local functions
-[see](static-functions/).
+[please consult this link](todo-link-to-cprover-manual-static-functions).
+
+- @subpage contracts-user
+- @subpage contracts-dev

doc/cprover-manual/contracts.md renamed to src/goto-instrument/contracts/doc/contracts.md

@@ -0,0 +1,48 @@
+# Code Contracts Software Architecture {#contracts-dev-arch}
+
+Back to @ref contracts-dev
+
+@tableofcontents
+
+## Architecture Overview
+
+The code implementing @ref contracts-dev-spec is found in @ref dfcc-module
+
+We go over each class and explain how it works in relation to others.
+
+The @ref dfcct class is the main entry point into the transformation.
+
+The method @ref dfcct#transform_goto_model first separates the functions of the goto model in different groups (functions to instrument, pure contract symbols from which to generate code, functions to check against contracts, functions to replace with contracts) and applies the transformation
+to the whole goto model, by scheduling the translation passes
+described in @ref contracts-dev-spec :
+
+1. @ref contracts-dev-spec-codegen is applied to all contracts to check or replace;
+2. @ref contracts-dev-spec-dfcc is applied to all library or user-defined goto functions;
+3. @ref contracts-dev-spec-harness is applied to the harness function;
+4. @ref contracts-dev-spec-contract-checking is applied to the function to be checked against a contract;
+5. @ref contracts-dev-spec-contract-replacement is applied to each function to be replaced by a contract;
+
+Each of these translation passes is implemented in a specific class:
+
+ Class                           | Specification
+ :-------------------------------|:---------------------------------------
+ @ref dfcc_instrumentt           | Implements @ref contracts-dev-spec-dfcc for @ref goto_functiont, @ref goto_programt, or subsequences of instructions of @ref goto_programt
+ @ref dfcc_is_fresht             | Implements @ref contracts-dev-spec-is-fresh
+ @ref dfcc_is_freeablet          | Implements @ref contracts-dev-spec-is-freeable
+ @ref dfcc_spec_functionst       | Implements @ref contracts-dev-spec-spec-rewriting
+ @ref dfcc_dsl_wrapper_programt  | Implements @ref contracts-dev-spec-contract-checking for DSL-style contracts
+ ^                               | Implements @ref contracts-dev-spec-contract-replacement for DSL-style contracts
+ @ref dfcc_dsl_contract_handlert | Implements @ref contracts-dev-spec-codegen for DSL-style contracts
+ ^                               | Implements the interface @ref dfcc_contract_handlert for DSL-style contract by delegating operations to @ref dfcc_dsl_wrapper_programt
+ @ref dfcc_swap_and_wrapt        | Implements @ref contracts-dev-spec-contract-checking by delegating basic operations to @ref dfcc_contract_handlert
+ ^                               | Implements @ref contracts-dev-spec-contract-replacement by delegating basic operations to @ref dfcc_contract_handlert
+ ^                               | Implements @ref contracts-dev-spec-contract-checking-rec by delegating basic operations to @ref dfcc_contract_handlert
+
+The following classes contain utility methods:
+- @ref dfcc_utilst : Provides basic utility methods to the other classes such as
+  locating a function symbol, adding a parameter to a function symbol, cloning
+  or renaming a function symbol, creating fresh symbols, inlining a function
+  body, etc.
+- @ref dfcc_libraryt : Provides a C++ interface to access C library functions
+  defined in @ref cprover_contracts.c. Using this class it is possible to load
+  the library symbols and post-process them with loop unrolling or inlining, etc.

src/goto-instrument/contracts/doc/developer/contracts-dev-arch.md

@@ -0,0 +1,143 @@
+# Generating GOTO Functions From Contract Clauses {#contracts-dev-spec-codegen}
+
+Back to top @ref contracts-dev-spec
+
+@tableofcontents
+
+## Translating Assigns Clauses to GOTO Functions {#contracts-dev-spec-codegen-assigns}
+
+
+Let's consider a contract `foo` (with corresponding pure contract
+`contract::foo`) with a `__CPROVER_assigns(A)` clause.
+
+```c
+ret_t foo(foo-parameters) __CPROVER_assigns(A);
+```
+We know the elements of A only depend on `foo-parameters` and global variables.
+
+A new GOTO function with the following signature is generated:
+
+```c
+void contract::foo::assigns(foo-parameters);
+```
+
+The body of the function generated from the elements of A as follows:
+- For each target `cond: target` where the target is an lvalue expression:
+    ```c
+    DECL __cond: bool;
+    ASSIGN __cond = <result of goto_convert(cond)>;
+    IF !__cond GOTO SKIP_TARGET;
+    CALL __CPROVER_assignable(&target, sizeof(target), has_ptr_type(target));
+    SKIP_TARGET: SKIP;
+    DEAD __cond;
+    ```
+    where `has_ptr_type(target)` returns true if the target has a pointer-type;
+- For each target `cond: f(parameters)`, where `f` is a void-typed function:
+    ```c
+    DECL __cond: bool;
+    ASSIGN __cond = <result of goto_convert(cond)>;
+    IF !__cond GOTO SKIP_TARGET;
+    CALL f(parameters);
+    SKIP_TARGET: SKIP;
+    DEAD __cond;
+    ```
+
+Remark: The condition expressions needs to be goto_converted during translation
+since they come directly from the front-end and are allowed to contain function
+calls.
+
+The rewriting pass @ref contracts-dev-spec-spec-rewriting-assigns is applied
+to transform the function into a function that accepts two
+write set parameters: The first one is the write set that gets populated with
+assignable locations specified by the function, the second is a write set that
+is used by the function to check its side effects.
+
+```c
+void contract::foo::assigns(
+
+  // function parameters
+  foo-parameters,
+
+  // write set to populate with new targets
+  __CPROVER_contracts_write_set_ptr_t __write_set_to_fill,
+
+  // write set against which to check itself for unwanted side effects
+  __CPROVER_contracts_write_set_ptr_t __write_set_to_check);
+```
+
+The rewriting step @ref contracts-dev-spec-spec-rewriting-havoc is also applied
+to the function in order to generate a havoc function that can be used to model
+contract replacement:
+
+```c
+void contract::foo::havoc(__CPROVER_contracts_write_set_ptr_t __write_set_to_havoc);
+```
+
+## Translating Frees Clauses to GOTO Functions {#contracts-dev-spec-codegen-frees}
+
+Let's consider a contract `foo` (with corresponding pure contract
+`contract::foo`) with a `__CPROVER_frees(F)` clause.
+
+```c
+ret_t foo(foo-parameters) __CPROVER_frees(F);
+```
+We know the elements of F only depend on `foo-parameters` and global variables.
+
+A new GOTO function with the following signature is generated:
+
+```c
+void contract::foo::frees(foo-parameters);
+```
+
+The body of the function generated from the elements of F as follows:
+- For each element of the form  `cond: expr` where `expr` is a pointer-typed
+  expression:
+    ```c
+    DECL __cond: bool;
+    ASSIGN __cond = <result of goto_convert(cond)>;
+    IF !__cond GOTO SKIP_TARGET;
+    CALL __CPROVER_freeable(expr);
+    SKIP_TARGET: SKIP;
+    DEAD __cond;
+    ```
+- For each target of the form `cond: f(params)` where `f` is a void-typed
+  function:
+    ```c
+    DECL __cond: bool;
+    ASSIGN __cond = <result of goto_convert(cond)>;
+    IF !__cond GOTO SKIP_TARGET;
+    CALL f(params);
+    SKIP_TARGET: SKIP;
+    DEAD __cond;
+    ```
+
+Remark: The condition expressions needs to be goto_converted during translation
+since they come directly from the front-end and are allowed to contain function
+calls.
+
+The resulting function is declarative, in the sense that it describes the
+contents of the frees clause but does not have any runtime effects.
+
+The rewriting pass @ref contracts-dev-spec-spec-rewriting-frees is applied
+to transform the function into a function that accepts two
+write set parameters: The first one is the write set that gets populated with
+freeable pointers specified by the function, the second is a write set that is
+used by the function to check its side effects.
+
+```c
+void contract::foo::frees(
+
+  // function parameters
+  foo-parameters,
+
+  // write set to populate with new targets
+  __CPROVER_contracts_write_set_ptr_t __write_set_to_fill,
+
+  // write set against which to check itself for unwanted side effects
+  __CPROVER_contracts_write_set_ptr_t __write_set_to_check);
+```
+
+---
+ Prev | Next
+:-----|:------
+ @ref contracts-dev-spec-transfo-params | @ref contracts-dev-spec-spec-rewriting