Insert final assert false pass

[nchong-at-aws]

A goto-instrument pass that adds assert(false) to the end of a function body---usually expected to be the test harness. If verification still passes then this might indicate inconsistent assumptions. Useful as an automatic check for vacuous proofs.

• Each commit message has a non-empty body, explaining why the change was made.
• Methods or procedures I have added are documented, following the guidelines provided in CODING_STANDARD.md.
• The feature or user visible behaviour I have added or modified has been documented in the User Guide in doc/cprover-manual/
• Regression or unit tests are included, or existing tests cover the modified code (in this case I have detailed which ones those are in the commit message).
• My commit message includes data points confirming performance improvements (if claimed).
• My PR is restricted to a single feature or bugfix.
• White-space or formatting changes outside the feature-related changed lines are in commits of their own.

[karkhaz]

Thank you for this instrumentation pass, it will be very useful!

Apart from the comments, please could you have a go at writing a regression test? You already wrote a few small programs while creating this patch, it should be reasonably easy to adapt them to a test somewhere under the regression/ directory.

[kroening]

@nchong-at-aws The way people usually check whether there are inconsistent assumptions is using --cover location. Is that good for your use-case?

[karkhaz]

@kroening many of our proofs don't have 100% coverage, for various valid reasons. If using --cover, we would need to check for sudden drops in coverage, rather than checking for less-than-100%. That implies that we need to save the state of the previous coverage check.

@nchong-at-aws's patch is thus very useful because it provides a stateless way of alerting on inconsistent assumptions.

This check is also much simpler and much more black-or-white. There can be nuanced reasons for less-than-100% coverage. But it is certainly a bad sign if code instrumented with this pass successfully verifies, no doubt about it.

[smowton]

No further comments besides @karkhaz's. From a UI perspective, would --assert-function-does-not-terminate make more sense, since that's what we're actually introducing?

[nchong-at-aws]

@kroening Yes, cover is useful for seeing this problem too. This check is another way to sanity check a result.

[allredj]

⚠️
This PR failed Diffblue compatibility checks (cbmc commit: 11c2f8a).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/123517019
Status will be re-evaluated on next push.
Common spurious failures include: the cbmc commit has disappeared in the mean time (e.g. in a force-push); the author is not in the list of contributors (e.g. first-time contributors); compatibility was already broken by an earlier merge.

[nchong-at-aws]

@allredj I think this could be because I'm a first time contributor?

[kroening]

This is now getting ready to merge -- may I suggest that you squash the commits into one.

[allredj]

@nchong-at-aws Very probably. You can ignore the message.

[smowton]

@nchong-at-aws looks like this is good to go, please squash commits

[codecov-io]

Codecov Report

Merging #4985 into develop will decrease coverage by 0.23%.
The diff coverage is 88.88%.

@@             Coverage Diff             @@
##           develop    #4985      +/-   ##
===========================================
- Coverage    69.48%   69.24%   -0.24%     
===========================================
  Files         1310     1311       +1     
  Lines       108813   108471     -342     
===========================================
- Hits         75609    75112     -497     
- Misses       33204    33359     +155

Impacted Files	Coverage Δ
...rc/goto-instrument/goto_instrument_parse_options.h	100% <ø> (ø)	⬆️
src/goto-instrument/insert_final_assert_false.h	100% <100%> (ø)
.../goto-instrument/goto_instrument_parse_options.cpp	56.66% <100%> (+0.39%)	⬆️
src/goto-instrument/insert_final_assert_false.cpp	81.81% <81.81%> (ø)
unit/testing-utils/require_expr.cpp	0% <0%> (-34.38%)	⬇️
src/solvers/prop/bdd_expr.cpp	60.97% <0%> (-29.57%)	⬇️
...bytecode_convert_method/convert_invoke_dynamic.cpp	76.44% <0%> (-23.08%)	⬇️
src/solvers/bdd/bdd_miniBDD.h	84.61% <0%> (-15.39%)	⬇️
src/solvers/bdd/miniBDD/miniBDD.inc	93.47% <0%> (-6.53%)	⬇️
...nit/java-testing-utils/require_goto_statements.cpp	92.61% <0%> (-6.05%)	⬇️
... and 83 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 3e42990...639ef81. Read the comment docs.

[allredj]

⚠️
This PR failed Diffblue compatibility checks (cbmc commit: 639ef81).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/123735093
Status will be re-evaluated on next push.
Common spurious failures include: the cbmc commit has disappeared in the mean time (e.g. in a force-push); the author is not in the list of contributors (e.g. first-time contributors); compatibility was already broken by an earlier merge.