Fix local static variables detection in assigns clauses

[remi-delmas-3000]

Function contracts instrumentation:

1. Use the call graph of the function to detect local static variables declared in the functions it calls.

Other changes:

1. subfunction call inlining was moved from code_contractst::check_frame_conditions to code_contractst::check_frame_conditions_function.
2. Recursive functions are now detected during inlining and cause an INVARIANT violation
3. Function pointers are now detected during call graph construction and cause a PRECONDITION violation

• Each commit message has a non-empty body, explaining why the change was made.
• Methods or procedures I have added are documented, following the guidelines provided in CODING_STANDARD.md.
• The feature or user visible behaviour I have added or modified has been documented in the User Guide in doc/cprover-manual/
• Regression or unit tests are included, or existing tests cover the modified code (in this case I have detailed which ones those are in the commit message).
• My commit message includes data points confirming performance improvements (if claimed).
• My PR is restricted to a single feature or bugfix.
• White-space or formatting changes outside the feature-related changed lines are in commits of their own.

[SaswatPadhi]

Wouldn't this create CARs for ALL static local variables, like beyond the current function on which contracts are checked and its subfunction calls?

It might have a significant perf impact if lots of unrelated functions also introduce static local variables, because we'll add their CARs unnecessarily to the write set and check every assignment against them.

[SaswatPadhi]

It might be worth fixing the inlining routine instead. Inlined static locals should just behave as static locals within the caller. It seems weird and inconsistent to have the function body inlined into a caller but be mutating a static local that's tagged with a different function name.

[remi-delmas-3000]

Indeed.
Since all sub-function calls are inlined for contract checking, a better solution would be to detect static locals used in the body of the function under analysis rather than at the symbol table level.

[remi-delmas-3000]

Updated to a better solution is to detect static locals used in the body of the function under analysis rather than at the symbol table level.

[codecov]

Codecov Report

Merging #6447 (59d15d6) into develop (c13e416) will decrease coverage by 0.02%.
The diff coverage is 100.00%.

❗ Current head 59d15d6 differs from pull request most recent head 5fb8ee5. Consider uploading reports for the commit 5fb8ee5 to get more accurate results

@@             Coverage Diff             @@
##           develop    #6447      +/-   ##
===========================================
- Coverage    76.04%   76.01%   -0.03%     
===========================================
  Files         1546     1527      -19     
  Lines       165543   164487    -1056     
===========================================
- Hits        125885   125035     -850     
+ Misses       39658    39452     -206     

Impacted Files	Coverage Δ
src/goto-instrument/contracts/contracts.h	100.00% <ø> (ø)
src/goto-instrument/contracts/contracts.cpp	96.27% <100.00%> (-0.83%)	⬇️
...rc/solvers/smt2_incremental/smt_solver_process.cpp	25.00% <0.00%> (-49.08%)	⬇️
src/solvers/smt2_incremental/smt_solver_process.h	66.66% <0.00%> (-33.34%)	⬇️
src/util/pointer_predicates.cpp	71.60% <0.00%> (-21.95%)	⬇️
unit/solvers/smt2/smt2irep.cpp	83.09% <0.00%> (-16.91%)	⬇️
...ncremental/smt2_incremental_decision_procedure.cpp	78.43% <0.00%> (-11.26%)	⬇️
src/util/piped_process.cpp	76.92% <0.00%> (-3.85%)	⬇️
src/goto-symex/symex_function_call.cpp	93.18% <0.00%> (-2.28%)	⬇️
src/goto-symex/ssa_step.cpp	79.31% <0.00%> (-2.07%)	⬇️
... and 69 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 40fd86b...5fb8ee5. Read the comment docs.

[feliperodri]

Only minor requests.

[feliperodri]

Why do we need --pointer-primitive-check here?

[feliperodri]

?

[tautschnig]

Why is there an underscore here (after bar)?

[remi-delmas-3000]

this underscore separates two groups of options , the first group is passed to goto-instrument to perform the contract instrumentation, and the second set is passed to cbmc to analyse the instrumented contracts.

[feliperodri]

Almost there.

[feliperodri]

LGTM modulo a few minor comments.

[feliperodri]

?

[feliperodri]

Suggested change

	/// \brief Finds symbols declared with a static lifetime in the given
	/// `root_function` or one of the functions it calls,
	/// and adds them to the given `assigns`.
	///
	/// @param functions all functions of the goto_model
	/// @param root_function the root function under which to search statics
	/// @param assigns assigns clause where search results are added
	///
	/// A symbol is considered a static local symbol iff:
	/// - it has a static lifetime annotation
	/// - its source location has a non-empty function attribute
	/// - this function attribute is found in the call graph of the root_function
	/// \brief Finds symbols declared with a static lifetime in the given
	/// `root_function` or one of the functions it calls,
	/// and adds them to the given `assigns`.
	///
	/// @param functions All functions of the `goto_model`.
	/// @param root_function The root function under which to search statics.
	/// @param assigns Assigns clause where search results are added.
	///
	/// A symbol is considered a static local symbol iff:
	/// - it has a static lifetime annotation;
	/// - its source location has a non-empty function attribute;
	/// - this function attribute is found in the call graph of the `root_function`.

[remi-delmas-3000]

We are now collecting symbols from the symbol table that have a static lifetime and are declare in functions occurring in the call graph of the function under analysis

[tautschnig]

Why is there an underscore here (after bar)?

[tautschnig]

Random place for comment: the commit message ...

1. Could make clear that this is about code contracts;
2. Should likely have the "A symbol is ..." all moved into the body of the message;
3. Should likely talk about "called functions" instead of "subfunctions."

[tautschnig]

Much like the commit message: I don't think "subfunctions" is the right terminology.

[tautschnig]

I think the comment could be more useful if it explained why full inlining was necessary. (Also, will this work with recursive functions?)

[remi-delmas-3000]

the reason behind inlining is that in the function f we are instrumenting , a same function g can be called in several locations under different write sets.
Without inlining, for each call site we would have to create a copy of g and instrument for the write set specific to this call site.
Inlining allows us to avoid having to duplicate g and instrument it specifically.

As for inlining recursive functions, I'll implement a check to detect them and error out during inlining

[tautschnig]

What about function pointers?

[remi-delmas-3000]

we suppose function pointers have been removed/restricted before this instrumentation phase so that all possible target functions would appear explicitly in the call graph

[tautschnig]

Hmm, we should really include a PRECONDITION in call_graph.cpp's forall_callsites to replace if(function_expr.id()==ID_symbol) by PRECONDITION_WITH_DIAGNOSTICS(function_expr.id() == ID_symbol, "call graph computation requires function pointer removal");.

[remi-delmas-3000]

PRECONDITION added in call_graph.cpp.

Should we also modify goto_function_inline to warn on unresolved function pointers ?

[tautschnig]

Yes, we should either warn or fail with a PRECONDITION.

[SaswatPadhi]

Some minor comments:

[SaswatPadhi]

LGTM 🎉

[SaswatPadhi]

[nit] missing newline

[feliperodri]

+1

[feliperodri]

@chrisr-diffblue @martin-cs @peterschrammel could you review this PR? It's missing code owner approval.

[SaswatPadhi]

Couple of minor nitpicks but nothing that would block the merge.

[SaswatPadhi]

[nit] this should go above langapi include(s).

[remi-delmas-3000]

fixed

[SaswatPadhi]

Redundant return

[remi-delmas-3000]

fixed

[peterschrammel]

Nothing blocking, just a few remarks for future work:
That's quite a lot in a single commit. It could have been split into a series of commits:

• introduce decorator
• add new tests
• add static local detection
• other changes 1
• other changes 2
• other changes 3
• activate/modify tests (separately or with the corresponding commit that makes the test pass)

each of which with a 'why' description in the commit body to make the intent of the PR clearer and easier and faster to review.

[peterschrammel]

This is file is getting way to large. Consider refactoring/splitting in future.