CONTRACTS: Dynamic frame condition checking

[remi-delmas-3000]

Replaces #6887

Fixes #7197
Fixes #7198
Fixes #7206

• Each commit message has a non-empty body, explaining why the change was made.
• Methods or procedures I have added are documented, following the guidelines provided in CODING_STANDARD.md.
• The feature or user visible behaviour I have added or modified has been documented in the User Guide in doc/cprover-manual/
• Regression or unit tests are included, or existing tests cover the modified code (in this case I have detailed which ones those are in the commit message).
• My commit message includes data points confirming performance improvements (if claimed).
• My PR is restricted to a single feature or bugfix.
• White-space or formatting changes outside the feature-related changed lines are in commits of their own.

Implement the functionality described below.

Tests adapted from the existing contracts implementation by @nwetzler

Motivation

This new function contracts implementation uses a dynamic method for checking assigns and frees clauses:

• it allows parametric assigns clauses and frees clauses in the contracts language;
• it allows function calls in pre- and post-conditions and checks the absence of side-effects;
• the checking method is dynamic and does not require inlining the program or unwinding loops a priori;
• the checking method is compatible with deferred resolution of function pointers calls during symex;
• the checks are implemented as C library (src/ansi-c/library/cprover_contracts.c), the instrumentation insert calls to the library in the program;
• code duplication for contract checking and contract replacement has been reduced;
• all CPROVER library functions are supported;
• checking contracts on recursive functions is supported (by assuming preconditions and asserting post conditions on the top level call and asserting pre conditions and assuming post conditions on the recursive call)
• the user and developer documentation for the contract system now lives in doxygen

Limitations

• loop contracts are not yet ported to the new framework;
• deferred function pointer resolution is not yet implemented, user-specified function pointer restriction is still required;
• havocing during contract replacement still relies on pointer snapshots known to affect performance;
• more work is performed by symbolic execution which can be felt on runtime;
• source locations for the instrumented code are still very partial and messy;

Dynamic frame condition checking (DFCC) for function contracts

Let’s call f_top​ the top-level function against which the contract is being checked.

We assume f_top​ is itself called from a harness function, which may call other functions besides f_top​.

Let’s consider a function f that is either f_top​ or one of the functions called (directly or indirectly) by f_top​. The goal is to verify that f writes only to memory locations that are part of the frame of the call to f_top but allowed by the contract or that were allocated after entering f_top​ and are hence not part of the frame of the call. To do that, we add ghost code to the program to build representations the following sets of memory locations as the program runs:

• (contract_assigns, contract_frees, allocated, deallocated)
  where:
• contract_assigns is the set of memory locations specified in the assigns clause of the contract being checked
• contract_frees is the set of pointers specified in the frees clause of the contract being checked
• allocated is the set objects identifiers allocated on the stack or the heap since entering f_top​
• deallocated is the set of heap objects identifiers deallocated since entering f_top​ (allows verification that an object was freed as a post-condition of the contract)

The instrumentation transforms all user-defined goto functions and library functions:

ret_t f(<parameters>);

Into functions accepting an extra parameter that is a pointer to a dynamic representation of the sets introduced above:

ret_t f(<parameters>,  __CPROVER_contracts_write_set_ptr_t write_set);

Function bodies is instrumented so that

• when the write_set pointer is NULL no checks are performed,
• when it is not NULL the following checks are performed
  • Assignments LHS are checked for inclusion in contract_assigns or allocated,
  • DECL objects are recorded in allocated
  • Dynamically allocated objects are recorded in allocated
  • DEAD objects or objects assigned to __CPROVER_dead_object are removed from allocated
  • dynamic objects deallocated with __CPROVER_deallocate are checked for inclusion in contract_frees or allocated, and recorded in deallocated (so that if needed we can check in post conditions that the function indeed deallocated the expected memory).
  • The current write set is propagated to all functions calls or function pointer calls.

Since the write set is dynamically updated, a same function called at different call sites can see a different write set.

Write sets are initialised from contracts descriptions and injected in function calls that are checked against contracts, or used to perform inclusion checks against write sets obtained from callers for functions that are replaced by a contract.

---

[codecov]

Codecov Report

Base: 78.03% // Head: 78.22% // Increases project coverage by +0.18% 🎉

Coverage data is based on head (1a0022c) compared to base (21e3260).
Patch has no changes to coverable lines.

❗ Current head 1a0022c differs from pull request most recent head e22a788. Consider uploading reports for the commit e22a788 to get more accurate results

Additional details and impacted files

@@             Coverage Diff             @@
##           develop    #7242      +/-   ##
===========================================
+ Coverage    78.03%   78.22%   +0.18%     
===========================================
  Files         1624     1642      +18     
  Lines       187405   189688    +2283     
===========================================
+ Hits        146249   148388    +2139     
- Misses       41156    41300     +144     

Impacted Files	Coverage Δ
src/goto-instrument/contracts/contracts.cpp	95.03% <0.00%> (-0.04%)	⬇️
src/ansi-c/c_expr.h	100.00% <0.00%> (ø)
src/analyses/dirty.h	100.00% <0.00%> (ø)
src/goto-symex/goto_symex.cpp	98.64% <0.00%> (ø)
src/solvers/flattening/boolbv_width.cpp	73.80% <0.00%> (ø)
src/goto-instrument/contracts/contracts.h	100.00% <0.00%> (ø)
...rc/goto-instrument/goto_instrument_parse_options.h	100.00% <0.00%> (ø)
...ntracts/dynamic-frames/dfcc_contract_functions.cpp	83.79% <0.00%> (ø)
...instrument/contracts/dynamic-frames/dfcc_utils.cpp	95.70% <0.00%> (ø)
...ent/contracts/dynamic-frames/dfcc_spec_functions.h	100.00% <0.00%> (ø)
... and 31 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

[tautschnig]

Why are we duplicating all (?) the existing contracts tests? I am wondering about:

1. How are we going to address the maintenance burden caused by duplicated code? If we absolutely need new test specifications, then we could just refer to the source files in the other directory.
2. Apart from the different command-line option (which could be addressed by a test profile/makefile rule), if the output is different in some way (which would justify the need for different test specifications) then what's the user story here?

[tautschnig]

Why are we duplicating all (?) the existing contracts tests? I am wondering about:

1. How are we going to address the maintenance burden caused by duplicated code? If we absolutely need new test specifications, then we could just refer to the source files in the other directory.

2. Apart from the different command-line option (which could be addressed by a test profile/makefile rule), if the output is different in some way (which would justify the need for different test specifications) then what's the user story here?

Follow-up comment as discussed out-of-band: we might merge this PR as-is, and then clean up afterwards, with the help of a script to be written.

[tautschnig]

Just a first set of comments, I'll review the remaining parts in my next available time slot.

[tautschnig]

Note to self: we should fix the API of dirtyt: I have no idea why we chose goto_functiont as the most appropriate granularity, agoto_programt should do.

[tautschnig]

Done in #7244 .

[tautschnig]

Will continue my next review from here.

[tautschnig]

Next review will continue from here.

[tautschnig]

Done with a first round of reviewing.

[tautschnig]

Some new comments, but also I noticed that a number of my earlier comments apparently still need addressing/haven't had a response. Perhaps GitHub was just hiding them?

[tautschnig]

Why is disabling these checks the right thing to do?

[remi-delmas-3000]

the other assertions in the body entail these checks.

[tautschnig]

How about doing the initialisation in one step (_CPROVER_contracts_car_t car = {.is_writeable = ptr != 0, .size = size, .lb = ptr, .ub = (char *)ptr + size};)?

[nwetzler]

This looks great. I love the new developer documentation and user documentation. I now have a much clearer picture of how this replaces the older contract instrumentation, and I feel like I might have a chance of supporting it in the future. The code looks really clean and I'm excited to use it.

Review comments are mostly focused on typos and documentation stuff. I tried to make suggestions where possible.

Cheers.

[nwetzler]

Do we need --enforce-contract-rec in this PR? If so, why? I might have expected these to be two separate PRs.

[remi-delmas-3000]

doable but pulling out support for recursive functions from this PR would take me quite some time again

[nwetzler]

Minor nitpick, but is there a reason we can't have a 2 character longer name and get transform-params instead of transfo-params?

[jimgrundy]

+1

[remi-delmas-3000]

fixed

[nwetzler]

Same as above.

[remi-delmas-3000]

fixed

[tautschnig]

Approving as the remaining discussion points are about aesthetics.

[feliperodri]

I couldn't find any blockers, but it'd be nice to maintain the previous git history (list of commits).