Skip function parameters and auxiliary variables when checking assigns clauses and check loop-freeness

[remi-delmas-3000]

This PR skips some unnecessary instrumentation when checking assigns clauses.

Skipping function parameters

Assignments to variables storing function parameters, as given by symbolt::is_parameter are always legal so we detect them and skip their instrumentation. We do however still add their CARs to the function's write set since they may be aliased and their addresses passed to sub-function calls.

Skipping auxiliary variables

Auxiliary variables, as given by symbolt::is_auxiliary are introduced by the goto compiler to decompose expressions in subexpressions, to store return values for function calls, etc. are only assigned once, cannot have aliases and are really just names for expressions. So we do not add them to the write set anymore, and we skip their assignments in the instrumentation.

Checking loop freeness

We add a check for loop-freeness of the goto-program before attempting a function's assigns clause instrumentation. The assigns clause instrumentation is not sound in the presence of loops, and we did not check this condition before.
To detect loops we compute strongly connected components of the function's control flow graph and detect components that have a cardinality strictly greater than 1.

• Each commit message has a non-empty body, explaining why the change was made.
• Methods or procedures I have added are documented, following the guidelines provided in CODING_STANDARD.md.
• The feature or user visible behaviour I have added or modified has been documented in the User Guide in doc/cprover-manual/
• Regression or unit tests are included, or existing tests cover the modified code (in this case I have detailed which ones those are in the commit message).
• My commit message includes data points confirming performance improvements (if claimed).
• My PR is restricted to a single feature or bugfix.
• White-space or formatting changes outside the feature-related changed lines are in commits of their own.

[codecov]

Codecov Report

Merging #6527 (bbe628b) into develop (5f33908) will increase coverage by 0.00%.
The diff coverage is 90.12%.

@@           Coverage Diff            @@
##           develop    #6527   +/-   ##
========================================
  Coverage    75.98%   75.98%           
========================================
  Files         1578     1578           
  Lines       180910   180976   +66     
========================================
+ Hits        137467   137522   +55     
- Misses       43443    43454   +11     

Impacted Files	Coverage Δ
src/goto-instrument/contracts/contracts.h	100.00% <ø> (ø)
src/goto-instrument/contracts/utils.h	100.00% <ø> (ø)
src/goto-instrument/contracts/utils.cpp	89.83% <84.31%> (-4.20%)	⬇️
src/goto-instrument/contracts/contracts.cpp	94.72% <100.00%> (-0.33%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update eeddb3f...bbe628b. Read the comment docs.

[feliperodri]

Why remove this loop?

[remi-delmas-3000]

This PR adds a loop freeness check before running the instrumentation, so the loop needs to be eliminated to satisfy this loop-freeness check.
This manual unrolling of loops is just a quick and dirty fix. A better solution would be to modify chain.sh add a pass of loop unrolling or loop contracts instrumentation.

[feliperodri]

Nice!

[feliperodri]

Only a couple of code suggestions.

[feliperodri]

This check is no longer necessary, you can remove it. It checks whether there is malloc within loops, but we assume contract instrumentation happens after all loops have been unrolled.

[feliperodri]

Suggested change

	optionalt<symbol_exprt> sym = {};
	// extract symbol
	if(instruction_it->is_assign())
	{
	const auto &lhs = instruction_it->assign_lhs();
	if(can_cast_expr<symbol_exprt>(lhs))
	sym = to_symbol_expr(lhs);
	}
	// check condition
	if(sym.has_value())
	return ns.lookup(sym.value().get_identifier()).is_parameter;
	return false;
	if(instruction_it->is_assign() && can_cast_expr<symbol_exprt>(instruction_it->assign_lhs()))
	{
	// Extract symbol from lhs
	auto lhs_sym = to_symbol_expr(instruction_it->assign_lhs());
	// Check whether is parameter
	if(lhs_sym.has_value())
	return ns.lookup(lhs_sym.value().get_identifier()).is_parameter;
	}
	return false;

[tautschnig]

On top of what Felipe suggested: there's no need for the optionalt anymore.

[feliperodri]

Suggested change

	bool is_auxiliary_decl_dead_or_assign(
	const goto_programt::targett &instruction_it,
	namespacet &ns)
	{
	optionalt<symbol_exprt> sym = {};
	// extract symbol
	if(instruction_it->is_decl())
	sym = instruction_it->decl_symbol();
	else if(instruction_it->is_dead())
	sym = instruction_it->dead_symbol();
	else if(instruction_it->is_assign())
	{
	const auto &lhs = instruction_it->assign_lhs();
	if(can_cast_expr<symbol_exprt>(lhs))
	sym = to_symbol_expr(lhs);
	}
	// check condition
	if(sym.has_value())
	return ns.lookup(sym.value().get_identifier()).is_auxiliary;
	return false;
	}
	bool is_auxiliary_decl_dead_or_assign(
	const goto_programt::targett &instruction_it,
	namespacet &ns)
	{
	// Extract symbol
	optionalt<symbol_exprt> sym = {};
	if(instruction_it->is_assign() && can_cast_expr<symbol_exprt>(instruction_it->assign_lhs()))
	sym = to_symbol_expr(instruction_it->assign_lhs());
	else if(instruction_it->is_decl())
	sym = instruction_it->decl_symbol();
	else if(instruction_it->is_dead())
	sym = instruction_it->dead_symbol();
	else
	return false;
	// Check whether is auxiliary
	return ns.lookup(sym.value().get_identifier()).is_auxiliary;
	}

[feliperodri]

Suggested change

	void simplify_gotos(goto_programt &goto_program, namespacet &ns)
	{
	for(auto &instruction : goto_program.instructions)
	{
	if(instruction.is_goto())
	{
	const auto &condition = instruction.get_condition();
	const auto &simplified = simplify_expr(condition, ns);
	if(simplified.is_false())
	instruction.turn_into_skip();
	}
	}
	}
	void simplify_gotos(goto_programt &goto_program, namespacet &ns)
	{
	for(auto &it : goto_program.instructions)
	if(it.is_goto() && simplify_expr(it.get_condition(), ns).is_false())
	it.turn_into_skip();
	}

[feliperodri]

We could add a regression test to explore these paths.

[tautschnig]

If we see a need to comment on the Boolean value then it may be better to introduce an enum that has informative values. If we always pass constant values, then it might be even better to use a template parameter.

[tautschnig]

Why is this being changed as part of this PR?

[tautschnig]

You wouldn't have quite as elaborate error messages, but wouldn't a simple test of all instructions for is_backwards_goto() do the trick?

[remi-delmas-3000]

superseded by #6533