Multidimensional decreases clauses

[LongPham7]

This pull request is about the implementation of "multidimensional" decreases clauses. "One-dimensional" decreases clauses are already supported by the existing version of CBMC. We extend one-dimensional decreases clauses to multidimensional ones by admitting tuples of integer-typed functions. The syntax of a multidimensional decrease clause is __CPROVER_decreases(f1, ..., fn). We use the lexicographic order to compare two tuples.

• Each commit message has a non-empty body, explaining why the change was made.
• Methods or procedures I have added are documented, following the guidelines provided in CODING_STANDARD.md.
• The feature or user visible behaviour I have added or modified has been documented in the User Guide in doc/cprover-manual/
• Regression or unit tests are included, or existing tests cover the modified code (in this case I have detailed which ones those are in the commit message).
• My commit message includes data points confirming performance improvements (if claimed).
• My PR is restricted to a single feature or bugfix.
• White-space or formatting changes outside the feature-related changed lines are in commits of their own.

[codecov]

Codecov Report

Merging #6236 (36f661e) into develop (0002950) will increase coverage by 8.77%.
The diff coverage is n/a.

@@             Coverage Diff             @@
##           develop    #6236      +/-   ##
===========================================
+ Coverage    67.40%   76.18%   +8.77%     
===========================================
  Files         1157     1478     +321     
  Lines        95236   161669   +66433     
===========================================
+ Hits         64197   123165   +58968     
- Misses       31039    38504    +7465     

Flag	Coverage Δ
cproversmt2	?
regression	?
unit	?

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
src/util/string_container.cpp	52.94% <0.00%> (-47.06%)	⬇️
src/solvers/prop/prop.cpp	42.85% <0.00%> (-41.76%)	⬇️
src/solvers/flattening/boolbv_member.cpp	53.65% <0.00%> (-38.65%)	⬇️
src/cpp/cpp_storage_spec.cpp	65.00% <0.00%> (-35.00%)	⬇️
src/util/cmdline.h	66.66% <0.00%> (-33.34%)	⬇️
src/solvers/strings/array_pool.h	66.66% <0.00%> (-33.34%)	⬇️
src/solvers/strings/string_refinement.h	66.66% <0.00%> (-33.34%)	⬇️
...rs/strings/string_concatenation_builtin_function.h	0.00% <0.00%> (-33.34%)	⬇️
src/cbmc/c_test_input_generator.cpp	60.00% <0.00%> (-30.33%)	⬇️
src/analyses/local_cfg.h	75.00% <0.00%> (-25.00%)	⬇️
... and 1458 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 03213c1...36f661e. Read the comment docs.

[martin-cs]

Looks good apart from the code placement issue flagged.

[SaswatPadhi]

Some general comments:

• Please remove activate-multi-line-match from .desc files that don't need multi-line regex matching
• Please only check regexes specific to the functionality you want to test (i.e. decreases clauses), because the other assertions (and especially their count, like ^.*0 of 5 failed \(1 iterations\)$) may change in future if we introduce additional default checks.

[SaswatPadhi]

Nice! :) These test.desc files are very well written.

[feliperodri]

Shouldn't we support multiple decreases clauses in the future?

[SaswatPadhi]

It's unclear as of now.

__CPROVER_decreases is unlike the other contracts. You can arbitrarily reorder multiple ENSURES, REQUIRES, ASSIGNS, LOOP_INVARIANT clauses, but the order of expressions matters for DECREASES clauses. They are not a conjunction (or a set), but an ordered tuple.

Moreover,

__CPROVER_decreases(X)
__CPROVER_decreases(Y)

reads as "both" X and Y monotonically decrease at each iteration, but for termination we simply need either one to monotonically decrease, and this sort of annotation would just be confusing.

[kroening]

I would separate the creation of the equalities and the forming of the conjunction. In particular, we have a conjunction(...) helper, which takes exprt::operandst as argument.

[LongPham7]

If we use conjunction(...) to create conjunctions of equalities of all necessary lengths (i.e. from 1 up to the size of the multidimensional decreases clause), I believe it will take quadratic time in total. Of course, the size of multidimensional decreases clauses is usually small. So the algorithmic performance should not be a concern. Nonetheless, I think it is better to simply traverse the vector and incrementally build conjunctions of equalities, which will take linear time.

[feliperodri]

Are there any guarantees that this cast is safe? Take a look at this comment #5403 (comment).

[SaswatPadhi]

Good catch. As suggested on the other thread, we should create "safe" accessors at some point.

However, currently, this issue also applies to invariant contracts, so may be we can table this change for a separate future PR and fix both together?

[LongPham7]

Thanks for the link. For now, I will just leave it as it is. When someone cleans up the code for loop invariants, then we will also clean the code for decreases clauses.

[SaswatPadhi]

Thanks for all the changes!

LGTM with a couple of nitpicks:

[feliperodri]

Thank you for implementing all comments!

[feliperodri]

Kudos for your bar-raising test descriptions! @LongPham7