CONTRACTS: Front-end extensions for assigns clauses

[remi-delmas-3000]

The first commit tags some JBMC tests as THOROUGH because they seem to exceed resources available for the ubuntu 18.04 target when building this PR

Add new functions to specify assignable targets in assigns clauses:

• add polymorhpic builtin __CPROVER_typed_target
• add builtin __CPROVER_assignable
• add builtin __CPROVER_object_whole
• add builtin __CPROVER_object_from
• add builtin __CPROVER_object_upto
• allow function call expressions as assigns
  clause targets as long as they are one of
  the new built-ins

Using __CPROVER_POINTER_OBJECT in assigns clauses is still allowed for now (needed for loop contracts),
will be deprecated in #7127.

• Each commit message has a non-empty body, explaining why the change was made.
• Methods or procedures I have added are documented, following the guidelines provided in CODING_STANDARD.md.
• The feature or user visible behaviour I have added or modified has been documented in the User Guide in doc/cprover-manual/
• Regression or unit tests are included, or existing tests cover the modified code (in this case I have detailed which ones those are in the commit message).
• [n/a] My commit message includes data points confirming performance improvements (if claimed).
• My PR is restricted to a single feature or bugfix.
• White-space or formatting changes outside the feature-related changed lines are in commits of their own.

[codecov]

Codecov Report

Base: 77.88% // Head: 77.89% // Increases project coverage by +0.00% 🎉

Coverage data is based on head (45c677e) compared to base (6d6319f).
Patch coverage: 86.23% of modified lines in pull request are covered.

Additional details and impacted files

@@           Coverage Diff            @@
##           develop    #7086   +/-   ##
========================================
  Coverage    77.88%   77.89%           
========================================
  Files         1576     1576           
  Lines       181859   181913   +54     
========================================
+ Hits        141648   141699   +51     
- Misses       40211    40214    +3     

Impacted Files	Coverage Δ
src/ansi-c/ansi_c_internal_additions.cpp	90.12% <ø> (ø)
src/ansi-c/c_typecheck_base.h	100.00% <ø> (ø)
src/ansi-c/c_typecheck_expr.cpp	74.15% <81.25%> (-0.05%)	⬇️
src/ansi-c/c_typecheck_code.cpp	77.75% <82.14%> (+0.60%)	⬆️
...o-instrument/contracts/instrument_spec_assigns.cpp	98.77% <85.71%> (-0.59%)	⬇️
src/ansi-c/ansi_c_entry_point.cpp	89.57% <100.00%> (ø)
src/ansi-c/c_typecheck_base.cpp	82.99% <100.00%> (+0.49%)	⬆️
src/linking/remove_internal_symbols.cpp	100.00% <100.00%> (ø)
... and 2 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

[feliperodri]

I'd suggest that future PRs could be break down into smaller commits and maybe you wanna move everything related to frees clauses to the next PR (which would remove the dependency from the other PR and make both of them much cleaner). Apart from that, only small comments. Great improvement!!!

[feliperodri]

Not true, update the description.

[feliperodri]

+1

[feliperodri]

A few more comments but it should be good to go.

[feliperodri]

+1

[feliperodri]

Do we want to inform users about ID_conditional_target_group? Perhaps we could have a more informative message.

[remi-delmas-3000]

The syntax section of the manual defines a conditional target group as :

conditional-target-group ::= (condition ':')? target (',' target)*

How about using conditional target group instead of ID_conditional_target_group to make it more human-readable ?

[feliperodri]

I like it!

[tautschnig]

Just noting that I posted a bunch of comments in #7091 that apply to the second commit of this PR. Apologies for not noticing that I should have reviewed this one first. Will re-review this one once the updates have been made.

[remi-delmas-3000]

@tautschnig the typedef void __CPROVER_assignable_t has been removed as suggested.

[feliperodri]

Only minor comments.

[feliperodri]

LGTM! @tautschnig I think this PR is ready for your final review.

[tautschnig]

s/to //

[remi-delmas-3000]

fixed

[tautschnig]

Perhaps a sentence or two can be added why assigns clauses are useful/required? The above says what they describe, but (naively speaking) life would be easier if one didn't have to write any such clauses.

[remi-delmas-3000]

fixed

[tautschnig]

So why couldn't we do this for functions as well? Conversely, is it a desirable feature to have this difference in semantics of an unspecified assigns clause? Should we perhaps have a keyword auto that's permitted in loop assigns clauses only?

[remi-delmas-3000]

Thinking about it, I think we can do it today for loops because the assigns clause inference, the loop abstraction and the verification of the inferred clause all happen at the same time in the same analysis.

For function contracts we operate either in contract checking or contract replacement mode and we cannot infer check and replace the assigns clause in a single run.

In a later version we could introduce something like '__CPROVER_assigns(auto)` which would mean "when this contract is used to replace some function call, infer the set of memory locations from the code of the function, check that the result is correct in a separate analysis, and use that inferred clause to havoc state at the replacement site"

One way to figure out the side effects of a particular function could be to check it under an empty assigns clause and to turn all reported violations into an assigns clause.

[nwetzler]

+1