pthread_cond_wait may return spuriously

The man page states: "In general, whenever a condition wait returns, the thread
has to re-evaluate the predicate associated with the condition wait to determine
whether it can safely proceed, should wait again, or should declare a timeout. A
return from the wait does not imply that the associated predicate is either true
or false."

The regression test is based on
pthread-divine/condvar_spurious_wakeup_false-unreach-call.c from SV-COMP.

Author: tautschnig

regression/cbmc-library/pthread_cond_wait-01/main.c

@@ -1,9 +1,32 @@
 #include <assert.h>
-#include <pthread_lib.h>
+#include <pthread.h>
+
+pthread_mutex_t lock;
+pthread_cond_t cond;
+
+// only accessed in critical section guarded by mutex, so there is no need to
+// make this variable atomic or volatile
+int x;
+
+void *thread(void *arg)
+{
+  (void)arg;
+  pthread_mutex_lock(&lock);
+  pthread_cond_wait(&cond, &lock);
+  // may fail: pthread_cond_wait can be waken up spuriously (see man
+  // pthread_cond_wait)
+  assert(x == 1);
+  pthread_mutex_unlock(&lock);
+  return NULL;
+}
 
 int main()
 {
-  pthread_cond_wait();
-  assert(0);
-  return 0;
+  pthread_t t;
+  pthread_mutex_init(&lock, 0);
+  pthread_cond_init(&cond, 0);
+  pthread_create(&t, NULL, thread, NULL);
+  x = 1;
+  pthread_cond_broadcast(&cond);
+  pthread_join(t, NULL);
 }

regression/cbmc-library/pthread_cond_wait-01/test.desc

@@ -1,8 +1,9 @@
-KNOWNBUG pthread
+CORE pthread
 main.c
---pointer-check --bounds-check
-^EXIT=0$
+--bounds-check
+^EXIT=10$
 ^SIGNAL=0$
-^VERIFICATION SUCCESSFUL$
+^\*\* 1 of 2 failed
+^VERIFICATION FAILED$
 --
 ^warning: ignoring

src/ansi-c/library/pthread_lib.c

@@ -636,8 +636,8 @@ inline int pthread_cond_wait(
   #endif
 
   __CPROVER_atomic_begin();
-  __CPROVER_assume(*((unsigned *)cond));
-  (*((unsigned *)cond))--;
+  if(*((unsigned *)cond))
+    (*((unsigned *)cond))--;
   __CPROVER_atomic_end();
 
   return 0; // we never fail