CONTRACTS: Unwind transformed loops after loop contract transformation

[qinheping]

• Each commit message has a non-empty body, explaining why the change was made.
• Methods or procedures I have added are documented, following the guidelines provided in CODING_STANDARD.md.
• n/a The feature or user visible behaviour I have added or modified has been documented in the User Guide in doc/cprover-manual/
• Regression or unit tests are included, or existing tests cover the modified code (in this case I have detailed which ones those are in the commit message).
• n/a My commit message includes data points confirming performance improvements (if claimed).
• My PR is restricted to a single feature or bugfix.
• n/a White-space or formatting changes outside the feature-related changed lines are in commits of their own.

This PR unwinds transformed loops twice after applying loop contracts, so that users don't need to specify loop unwinding bounds for those loops. This PR will fix #7306.

Problem description

Currently, the loop contract transformation will insert a backward jump (https://github.com/diffblue/cbmc/blob/develop/src/goto-instrument/contracts/contracts.cpp#L110) into the result goto program. So after applying loop contracts, there will be loops that execute only one iteration in the place of the original annotated loops, which require users to correctly specify the unwinding bounds for them: either not unwinding them, or unwind them for at least twice. It is an unnecessary usability pain point for users. So backward goto should be avoided during loop contract transformation.

Example

A smaller example to illustrate the problem.

int main()
{
  int i;
  for(i = 0; i < 1; i++)
    __CPROVER_loop_invariant(1 > 1)
    {
      i++;
    }
}

Note that the invariant 1 > 1 is invalid. So that a correct run of CBMC should report loop invariant doesn’t hold before entry of the loop.
Run goto-cc main.c goto-instrument --apply-loop-contracts a.out b.out to apply loop contracts and get the result goto program b.goto. Then with command cbmc b.out (or cbmc --unwind 2 b.out) CBMC will correctly report the failure

[main.1] line 5 Check loop invariant before entry: FAILURE

However, running cbmc --unwind 1 b.out will report no failure.
Running cbmc --unwind 1 --unwinding-assertions b.out will report

[main.unwind.0] line 5 unwinding assertion loop 0: FAILURE

[codecov]

Codecov Report

Base: 78.26% // Head: 78.28% // Increases project coverage by +0.02% 🎉

Coverage data is based on head (aecc7b4) compared to base (557624c).
Patch coverage: 100.00% of modified lines in pull request are covered.

Additional details and impacted files

@@             Coverage Diff             @@
##           develop    #7318      +/-   ##
===========================================
+ Coverage    78.26%   78.28%   +0.02%     
===========================================
  Files         1642     1642              
  Lines       189830   190012     +182     
===========================================
+ Hits        148568   148752     +184     
+ Misses       41262    41260       -2     

Impacted Files	Coverage Δ
src/goto-instrument/contracts/contracts.h	100.00% <ø> (ø)
src/goto-instrument/contracts/contracts.cpp	95.09% <100.00%> (+0.06%)	⬆️
src/solvers/lowering/byte_operators.cpp	92.76% <100.00%> (+0.02%)	⬆️
...c/solvers/smt2_incremental/convert_expr_to_smt.cpp	82.91% <100.00%> (-0.14%)	⬇️
...ncremental/smt2_incremental_decision_procedure.cpp	96.81% <100.00%> (+0.09%)	⬆️
...t/solvers/smt2_incremental/convert_expr_to_smt.cpp	99.69% <100.00%> (-0.02%)	⬇️
...ncremental/smt2_incremental_decision_procedure.cpp	98.75% <100.00%> (+0.65%)	⬆️
src/analyses/lexical_loops.h	100.00% <0.00%> (ø)
... and 3 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.