Abort after failing C assert

tautschnig · tautschnig · commit f75988ef248d · 2021-02-25T08:51:02.000Z
The C standard specifies behaviour of the "assert" macro as resulting in
an abort when the condition does not evaluate to true. Implement this
behaviour by inserting assume(0) after assert(0).
diff --git a/regression/cbmc-incr-oneloop/multiple-asserts/test.c b/regression/cbmc-incr-oneloop/multiple-asserts/test.c
@@ -2,8 +2,8 @@ int main()
 {
   for(int i = 0; i < 10; ++i)
   {
-    assert(i != 5);
-    assert(i != 8);
+    __CPROVER_assert(i != 5, "");
+    __CPROVER_assert(i != 8, "");
   }
   return 0;
 }
diff --git a/regression/cbmc/Quantifiers-not-exists/fixed.c b/regression/cbmc/Quantifiers-not-exists/fixed.c
@@ -10,33 +10,38 @@ int main()
   // NOLINTNEXTLINE(whitespace/line_length)
   __CPROVER_assume(!__CPROVER_exists { int i; (i>=0 && i<2) && (__CPROVER_exists{int j; (j>=0 && j<2) && a[i][j]<=10}) });
 
-  assert(0);
+  __CPROVER_assert(0, "");
 
   // NOLINTNEXTLINE(whitespace/line_length)
   __CPROVER_assume(__CPROVER_forall { int i; (i>=0 && i<2) ==> (!__CPROVER_exists{int j; (j>=0 && j<2) && b[i][j]>=1 && b[i][j]<=10}) });
 
-  assert(0);
+  __CPROVER_assert(0, "");
 
   // NOLINTNEXTLINE(whitespace/line_length)
   __CPROVER_assume(!__CPROVER_exists { int i; (i>=0 && i<2) && (!__CPROVER_exists{int j; (j>=0 && j<2) && (c[i][j]==0 || c[i][j]<=10)}) });
 
-  assert(0);
+  __CPROVER_assert(0, "");
 
   // NOLINTNEXTLINE(whitespace/line_length)
   __CPROVER_assume(!__CPROVER_exists { int i; (i>=0 && i<2) && (__CPROVER_forall{int j; (j>=0 && j<2) ==> d[i][j]>=1 && d[i][j]<=10}) });
   // clang-format on
 
-  assert(0);
+  __CPROVER_assert(0, "");
 
-  assert(a[0][0] > 10);
+  __CPROVER_assert(a[0][0] > 10, "");
 
-  assert((b[0][0] < 1 || b[0][0] > 10) && (b[0][1] < 1 || b[0][1] > 10));
-  assert((b[1][0] < 1 || b[1][0] > 10) && (b[1][1] < 1 || b[1][1] > 10));
+  __CPROVER_assert(
+    (b[0][0] < 1 || b[0][0] > 10) && (b[0][1] < 1 || b[0][1] > 10), "");
+  __CPROVER_assert(
+    (b[1][0] < 1 || b[1][0] > 10) && (b[1][1] < 1 || b[1][1] > 10), "");
 
-  assert(c[0][0] == 0 || c[0][1] == 0 || c[1][0] <= 10 || c[1][1] <= 10);
+  __CPROVER_assert(
+    c[0][0] == 0 || c[0][1] == 0 || c[1][0] <= 10 || c[1][1] <= 10, "");
 
-  assert(((d[0][0] < 1 || d[0][0] > 10) || (d[0][1] < 1 || d[0][1] > 10)));
-  assert(((d[1][0] < 1 || d[1][0] > 10) || (d[1][1] < 1 || d[1][1] > 10)));
+  __CPROVER_assert(
+    ((d[0][0] < 1 || d[0][0] > 10) || (d[0][1] < 1 || d[0][1] > 10)), "");
+  __CPROVER_assert(
+    ((d[1][0] < 1 || d[1][0] > 10) || (d[1][1] < 1 || d[1][1] > 10)), "");
 
   return 0;
 }
diff --git a/regression/cbmc/Quantifiers-not-exists/fixed.desc b/regression/cbmc/Quantifiers-not-exists/fixed.desc
@@ -2,12 +2,12 @@ CORE
 fixed.c
 
 ^\*\* Results:$
-^\[main.assertion.5\] line 31 assertion a\[.*\]\[.*\] > 10: SUCCESS$
-^\[main.assertion.6\] line 33 assertion tmp_if_expr\$\d+: SUCCESS$
-^\[main.assertion.7\] line 34 assertion tmp_if_expr\$\d+: SUCCESS$
-^\[main.assertion.8\] line 36 assertion tmp_if_expr\$\d+: SUCCESS$
-^\[main.assertion.9\] line 38 assertion tmp_if_expr\$\d+: SUCCESS$
-^\[main.assertion.10\] line 39 assertion tmp_if_expr\$\d+: SUCCESS$
+^\[main.assertion.5\] line 31 assertion: SUCCESS$
+^\[main.assertion.6\] line 33 assertion: SUCCESS$
+^\[main.assertion.7\] line 35 assertion: SUCCESS$
+^\[main.assertion.8\] line 38 assertion: SUCCESS$
+^\[main.assertion.9\] line 41 assertion: SUCCESS$
+^\[main.assertion.10\] line 43 assertion: SUCCESS$
 ^\*\* 4 of 10 failed
 ^VERIFICATION FAILED$
 ^EXIT=10$
diff --git a/regression/goto-harness/do-not-use-nondet-for-selecting-pointers-to-treat-as-equal/test.c b/regression/goto-harness/do-not-use-nondet-for-selecting-pointers-to-treat-as-equal/test.c
@@ -1,8 +1,8 @@
 void test(int *x, int *y)
 {
-  assert(x);
-  assert(y);
-  assert(x == y);
-  assert(x != y);
-  assert(*x == *y);
+  __CPROVER_assert(x, "");
+  __CPROVER_assert(y, "");
+  __CPROVER_assert(x == y, "");
+  __CPROVER_assert(x != y, "");
+  __CPROVER_assert(*x == *y, "");
 }
diff --git a/regression/goto-harness/do-not-use-nondet-for-selecting-pointers-to-treat-as-equal/test.desc b/regression/goto-harness/do-not-use-nondet-for-selecting-pointers-to-treat-as-equal/test.desc
@@ -2,11 +2,11 @@ CORE
 test.c
 --function test --harness-type call-function --treat-pointers-equal x,y --treat-pointers-equal-maybe
 should_make_equal
-\[test.assertion.1\] line 3 assertion x: SUCCESS
-\[test.assertion.2\] line 4 assertion y: SUCCESS
-\[test.assertion.3\] line 5 assertion x == y: FAILURE
-\[test.assertion.4\] line 6 assertion x != y: FAILURE
-\[test.assertion.5\] line 7 assertion \*x == \*y: FAILURE
+\[test.assertion.1\] line 3 assertion: SUCCESS
+\[test.assertion.2\] line 4 assertion: SUCCESS
+\[test.assertion.3\] line 5 assertion: FAILURE
+\[test.assertion.4\] line 6 assertion: FAILURE
+\[test.assertion.5\] line 7 assertion: FAILURE
 ^EXIT=10$
 ^SIGNAL=0$
 --
diff --git a/src/goto-programs/builtin_functions.cpp b/src/goto-programs/builtin_functions.cpp
@@ -760,6 +760,12 @@ void goto_convertt::do_function_call_symbol(
       error() << identifier << " expected not to have LHS" << eom;
       throw 0;
     }
+
+    // The C standard mandates that a failing assertion causes execution to
+    // abort:
+    dest.add(goto_programt::make_assumption(
+      typecast_exprt::conditional_cast(arguments.front(), bool_typet()),
+      function.source_location()));
   }
   else if(identifier == CPROVER_PREFIX "enum_is_in_range")
   {
@@ -1004,6 +1010,11 @@ void goto_convertt::do_function_call_symbol(
     t->source_location.set_property_class(ID_assertion);
     t->source_location.set_comment(description);
     // we ignore any LHS
+
+    // The C standard mandates that a failing assertion causes execution to
+    // abort:
+    dest.add(goto_programt::make_assumption(
+      false_exprt(), function.source_location()));
   }
   else if(identifier=="__assert_rtn" ||
           identifier=="__assert")
@@ -1042,6 +1053,11 @@ void goto_convertt::do_function_call_symbol(
     t->source_location.set_property_class(ID_assertion);
     t->source_location.set_comment(description);
     // we ignore any LHS
+
+    // The C standard mandates that a failing assertion causes execution to
+    // abort:
+    dest.add(goto_programt::make_assumption(
+      false_exprt(), function.source_location()));
   }
   else if(identifier=="__assert_func")
   {
@@ -1076,6 +1092,11 @@ void goto_convertt::do_function_call_symbol(
     t->source_location.set_property_class(ID_assertion);
     t->source_location.set_comment(description);
     // we ignore any LHS
+
+    // The C standard mandates that a failing assertion causes execution to
+    // abort:
+    dest.add(goto_programt::make_assumption(
+      false_exprt(), function.source_location()));
   }
   else if(identifier==CPROVER_PREFIX "fence")
   {

Original file line number	Diff line number	Diff line change
`@@ -2,8 +2,8 @@ int main()`
`2`	`2`	`{`
`3`	`3`	`for(int i = 0; i < 10; ++i)`
`4`	`4`	`{`
`5`		`- assert(i != 5);`
`6`		`- assert(i != 8);`
	`5`	`+ __CPROVER_assert(i != 5, "");`
	`6`	`+ __CPROVER_assert(i != 8, "");`
`7`	`7`	`}`
`8`	`8`	`return 0;`
`9`	`9`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,8 +1,8 @@`
`1`	`1`	`void test(int x, int y)`
`2`	`2`	`{`
`3`		`- assert(x);`
`4`		`- assert(y);`
`5`		`- assert(x == y);`
`6`		`- assert(x != y);`
`7`		`- assert(x == y);`
	`3`	`+ __CPROVER_assert(x, "");`
	`4`	`+ __CPROVER_assert(y, "");`
	`5`	`+ __CPROVER_assert(x == y, "");`
	`6`	`+ __CPROVER_assert(x != y, "");`
	`7`	`+ __CPROVER_assert(x == y, "");`
`8`	`8`	`}`