Function contracts: check loop freeness before instrumentation, skip assignments to locals and prune write set using CFG info.

[remi-delmas-3000]

The first two commits are from this draft PR #6525 which adds a maybe_alive bit to local_bitvector_analysist and is needed by this PR.

This PR adds:

In check_frame_conditions_function:

• a pass that simplifies away GOTO instructions for which the guard is always false
• a check that the program is loop-free before attempting instrumentation
• manual loop unrolling in regression tests that still contained loops and are got rejected because of this new check

For assigns clause checking:

• Assigning to local variables or function parameter variables is always legal so we skip instrumenting these assignments,
• We avoid adding function parameters and local variables to the local write set, except when their address is taken at some point in the program and can later be assigned to indirectly via pointers.
• When generating inclusion checks for assignments, we remove from the local write set targets which are not possibly alive at the ASSIGN instruction that gets instrumented.
• Tests have been simplified by removing function parameters from assigns clauses, and removing function parameters and local variables from test specifications.

The net effect of these changes is a better proof performance because of a reduction in the number of generated assertions and of their size, but otherwise the contract checking functionality remains unchanged.

• Each commit message has a non-empty body, explaining why the change was made.
• Methods or procedures I have added are documented, following the guidelines provided in CODING_STANDARD.md.
• The feature or user visible behaviour I have added or modified has been documented in the User Guide in doc/cprover-manual/
• Regression or unit tests are included, or existing tests cover the modified code (in this case I have detailed which ones those are in the commit message).
• My commit message includes data points confirming performance improvements (if claimed).
• My PR is restricted to a single feature or bugfix.
• [ x] White-space or formatting changes outside the feature-related changed lines are in commits of their own.

[tautschnig]

How does this relate to #6527?

[tautschnig]

Debugging leftover?

[remi-delmas-3000]

fixed

[tautschnig]

s/iriginal/original/

[remi-delmas-3000]

fixed

[tautschnig]

With can_cast_expr you can use

if(auto lhs_symbol = can_cast_expr<symbol_exprt>(lhs))
  return !cfg_info_opt->is_local(lhs_symbol->get_identifier());

[remi-delmas-3000]

lhs_symbol would be a boolean in that case, not the result of the cast ?

[remi-delmas-3000]

fixed

[tautschnig]

Why do you copy these instead of using dirty_analysis when needed?

[remi-delmas-3000]

Removed

[codecov]

Codecov Report

Merging #6533 (f7752cf) into develop (8834dc5) will decrease coverage by 0.00%.
The diff coverage is 93.45%.

@@             Coverage Diff             @@
##           develop    #6533      +/-   ##
===========================================
- Coverage    75.98%   75.98%   -0.01%     
===========================================
  Files         1578     1578              
  Lines       180919   181032     +113     
===========================================
+ Hits        137476   137551      +75     
- Misses       43443    43481      +38     

Impacted Files	Coverage Δ
src/goto-instrument/contracts/assigns.h	100.00% <ø> (ø)
src/goto-instrument/contracts/contracts.h	100.00% <ø> (ø)
src/goto-instrument/contracts/utils.cpp	89.47% <78.57%> (-4.56%)	⬇️
src/goto-instrument/contracts/assigns.cpp	95.83% <90.00%> (-0.60%)	⬇️
src/analyses/goto_check_c.cpp	90.29% <92.30%> (-0.10%)	⬇️
src/goto-instrument/contracts/contracts.cpp	91.13% <98.46%> (-3.99%)	⬇️
src/goto-instrument/contracts/utils.h	100.00% <100.00%> (ø)
src/goto-programs/goto_convert.cpp	92.03% <100.00%> (+0.07%)	⬆️
src/analyses/dirty.h	100.00% <0.00%> (ø)
... and 2 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 4ec7d9b...f7752cf. Read the comment docs.

[feliperodri]

This should really be an enum.

[remi-delmas-3000]

An enum with TRUE and FALSE values ?

[tautschnig]

A 2-value enum, where the "true" and "false" values carry meaningful names.

[remi-delmas-3000]

Fixed.
Following that logic we should change all bool return types to SUCCESS/FAILURE for

• replace_calls,
  -enforce_contracts,
• enforce_contract,
• check_frame_conditions_function,
• apply_function_contract,

[feliperodri]

Suggested change

	// Unless proved non-dirty by the CFG analysis we assume it is dirty.
	if(!cfg_info_opt.has_value())
	return true;
	return cfg_info_opt.value().is_not_local_or_dirty_local(
	target->dead_symbol().get_identifier());
	// Unless proved non-dirty by the CFG analysis we assume it is dirty.
	if(cfg_info_opt.has_value())
	return cfg_info_opt.value().is_not_local_or_dirty_local(
	target->dead_symbol().get_identifier());
	return true;

[remi-delmas-3000]

fixed

[feliperodri]

Suggested change

	// skip instructions marked as disabled for assigns clause checking
	// Skip instructions marked as disabled for assigns clause checking.

[remi-delmas-3000]

fixed

[remi-delmas-3000]

The dependency on local_bitvector_analysist and #6533 was removed

[feliperodri]

Only minor comments left.

[feliperodri]

Suggested change

	void simplify_gotos(goto_programt &goto_program, namespacet &ns)
	{
	for(auto &instruction : goto_program.instructions)
	{
	if(instruction.is_goto())
	{
	const auto &condition = instruction.get_condition();
	const auto &simplified = simplify_expr(condition, ns);
	if(simplified.is_false())
	instruction.turn_into_skip();
	}
	}
	}
	void simplify_gotos(goto_programt &goto_program, namespacet &ns)
	{
	for(auto &instruction : goto_program.instructions)
	if(instruction.is_goto() && simplify_expr(instruction.get_condition(), ns).is_false())
	instruction.turn_into_skip();
	}

[remi-delmas-3000]

fixed

[tautschnig]

As discussed earlier today: could be implemented using if(auto sym_expr = expr_try_dynamic_cast<symbol_exprt>(source_expr))

[remi-delmas-3000]

fixed

[tautschnig]

Will this actually introduce the same check in multiple places? Wouldn't it be sufficient to check this once?

[remi-delmas-3000]

it generates an inclusion check for each possible target of the write set, and each check is specify to the lhs of the instrumented assignment, so no doublons are created here.

[tautschnig]

A 2-value enum, where the "true" and "false" values carry meaningful names.

[tautschnig]

Do you really want an iterator that cannot change (const goto_programt::targett&) or an iterator so that whatever it points to cannot change (goto_programt::const_targett)?

[remi-delmas-3000]

Both! Thanks for the tip

[tautschnig]

Comment from the earlier PR: do you really need such an elaborate analysis, or would looking at is_backwards_goto() for all instructions in goto_program also do the trick?

[tautschnig]

Hmm, that indeed does not imply the existence of a loop. But then, would natural_loopst do the trick here and relieve you of some of the heavy lifting?