Cleanup of asserts and throws under the goto-symex directory

[NlightNFotis]

This PR is similar in spirit to #2703 but it targets the goto-symex/ directory.

[tautschnig]

Essentially the same comments as I've put on other PRs related to the assert cleanup: let's please use APIs and thereby lift invariants as much as possible.

[tautschnig]

Let's please use to_byte_extract_expr, and use byte_extract_exprt's API. Otherwise we duplicate consistency checks across the code base and risk getting out-of-sync.

[tautschnig]

Let's use to_member_expr: return constant_propagation_reference(to_member_expr(expr).compound();

[tautschnig]

Please use to_index_expr and use its API below.

[tautschnig]

Please use return is_used_address_of(to_member_expr(expr).compound(), identifier);

[tautschnig]

Please use return is_used(to_dereference_expr(expr).pointer(), identifier);

[tautschnig]

See above: use to_address_of_expr etc - I'll stop putting the same comments, it applies several times below.

[tautschnig]

I believe this should be true by design.

[NlightNFotis]

Still, isn't it a good idea to leave it there, even if only for documentation purposes?

[tautschnig]

Not a big deal, but I think if we were to go down that route we'd have, e.g., any use of an index_exprt prefixed by expr.id() == ID_index.

[tautschnig]

True by virtue of it being a typecast_exprt

[tautschnig]

True for all index_exprt

[tautschnig]

Use to_typecast_expr

[NlightNFotis]

@tautschnig I have implemented most of the changes you suggested. I found them to be very good suggestions. Just two observations: Don't review it yet, I need to go through the whole PR and see where else I could apply the casts with the integrated checks, and also, for some of the superfluous PRECONDITIONs, aren't they okay, even if only for documentation purposes (iirc they are not built into the release builds, so no performance overhead for a user)

[NlightNFotis]

As a general update on this, I'm happy with the changes thus far. It's failing CI on some JBMC regression tests, which are expecting some particular output string to be present, alone, in one line. The exception added here makes the particular errors to be multiline, so the tests are failing. I'm going to fix the tests, but first I'm waiting for #2996 to go in, as it contains some exception classes that I think are more appropriate in a couple of cases. Once that goes in, I'm going to rebase, see the behaviour of the tests, and then I'm going to fix the tests that need fixing based on the error messages coming out of the improved exception classes.

[tautschnig]

I think this should just be removed, as should the DATA_INVARIANT below. We don't even care whether the type of the expression is a pointer, and the subsequent invariant should be replaced by a use of to_address_of_expr

[tautschnig]

Should be to_index_expr

[tautschnig]

to_member_expr

[tautschnig]

to_dereference_expr

[tautschnig]

to_address_of_expr

[tautschnig]

to_dereference_expr

[tautschnig]

to_dereference_expr

[tautschnig]

Should be an exception as one can craft programs exhibiting this.

[tautschnig]

to_quantifier_expr

[tautschnig]

Should be an exception as you can write input programs doing so.

[NlightNFotis]

@tautschnig Hi Michael, I have addressed all the comments in your review, aside from one.

You have suggested to remove some code, after advising with either Matthias or Daniel. It's not easy for me to get hold of either of them now, so I suggest we leave this for a later cleanup (I have already marked it on my todo, so it's not lost, however if you believe that it should be done now, I will see what I can do, I just thought it could be a good idea to not get hung up on this now since this work is relatively high priority).

I want a little bit of advising on a different part of the PR however. In goto_symex_state.cpp:514 there's a DATA_INVARIANT that seems suspiciously general. I thought it a good idea to move it to the transfer functions (to_if_expr), but in doing so some of the tests get broken. This happens because all the tests that use our internal malloc get to code that looks like this:

__CPROVER_deallocated =
    (malloc_res == __CPROVER_deallocated) ? 0 : __CPROVER_deallocated;

where __CPROVER_deallocated is declared as a pointer in a different file. (For a live example of this take a look here. In this case __CPROVER_deallocated's type is a symbol whereas the 0 is a constant, hence the DATA_INVARIANT failing in multiple of the tests. This seems to me that the promotion is not being handled correctly (I have also checked with the C standard n1124 and that should be typechecking, but on the condition that both the consequent and the alternative expressions are of the same type (in this case 6.5.15-3 indicates that it should typecheck on the condition that one operand is a pointer and the other is a null pointer constant).

This made me instinctively want to go and modify the parser, to do automatic implicit typecasts when it parses a conditional expression, however most of what I have tried seems to be convoluted, and most likely wrong (couldn't get them to work). Do you have any particular input on that, or maybe some pointers on what should change? If it's elaborate work, I'm happy to do it as part of a different PR and get this in as it is now if you think it's good as a cleanup PR, I just thought that moving the invariant to the transfer functions is a good piece of work in line with us not duplicating checks.

[tautschnig]

[...] In goto_symex_state.cpp:514 there's a DATA_INVARIANT that seems suspiciously general. I thought it a good idea to move it to the transfer functions (to_if_expr), but in doing so some of the tests get broken. [...]

This sound like a very good idea, and we should dig deeper. Would you mind creating an fresh PR doing just this (CI will fail, of course). Let's then you and I debug this - it seems that symbol types aren't uniformly expanded.

[allredj]

Passed Diffblue compatibility checks (cbmc commit: 8558c57).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/85748730