introduce 'fatal assertions'

This introduces a variant of ASSERT instructions that are fatal when they
are refuted.  Execution paths through fatal assertions that are refuted are
undefined.  Assertions that (otherwise) pass and that are reachable from a
refuted fatal assertion are now reported as UNKNOWN.

The motivating use-case for fatal assertions is undefined behavior in
languages such as C/C++ or Rust.

Noi attempt is made to modify the outcome of ASSERT instructions that are
refuted owing to a trace through a refuted fatal assertion.  The computation
of the trace is not robust enough.

Author: kroening

regression/cbmc-incr-smt2/bitvector-flag-tests/div_by_zero.desc

@@ -2,7 +2,7 @@ CORE
 div_by_zero.c
 --div-by-zero-check --trace
 \[main\.division-by-zero\.1\] line \d division by zero in x / y: FAILURE
-\[main\.division-by-zero\.2\] line \d+ division by zero in x / z: SUCCESS
+\[main\.division-by-zero\.2\] line \d+ division by zero in x / z: UNKNOWN
 y=0
 ^VERIFICATION FAILED$
 ^EXIT=10$

regression/cbmc/Division3/main.c

@@ -0,0 +1,18 @@
+_Bool nondet_bool();
+
+void main()
+{
+  __CPROVER_assert(0, "non-fatal assertion");
+
+  if(nondet_bool())
+  {
+    int divisor = nondet_bool() ? 2 : 0;
+
+    // possible division by zero
+    int result = 10 / divisor;
+
+    __CPROVER_assert(divisor == 2 || divisor == 0, "divisor value");
+  }
+  else
+    __CPROVER_assert(0, "independent assertion");
+}

regression/cbmc/Division3/test.desc

@@ -0,0 +1,13 @@
+CORE
+main.c
+
+^EXIT=10$
+^SIGNAL=0$
+^\[main\.assertion\.1\] line 5 non-fatal assertion: FAILURE$
+^\[main\.division-by-zero\.1\] line 12 division by zero in 10 / divisor: FAILURE$
+^\[main\.assertion\.2\] line 14 divisor value: UNKNOWN$
+^\[main\.assertion\.3\] line 17 independent assertion: FAILURE$
+^\*\* 3 of 4 failed
+^VERIFICATION FAILED$
+--
+^warning: ignoring

regression/cbmc/pragma_cprover_enable_all/test.desc

@@ -8,22 +8,22 @@ main.c
 ^\[main\.float-division-by-zero\.\d+\] line 87 floating-point division by zero in x / den: FAILURE
 ^\[main\.overflow\.\d+\] line 87 arithmetic overflow on floating-point division in x / den: FAILURE
 ^\[main\.division-by-zero\.\d+\] line 88 division by zero in 10 / 0: FAILURE$
-^\[main\.enum-range-check\.\d+\] line 89 enum range check in \(ABC\)10: FAILURE
-^\[main\.overflow\.\d+\] line 90 arithmetic overflow on signed (to unsigned )?type conversion in \(char\)\(\(signed int\)i \+ 1\): FAILURE
-^\[main\.overflow\.\d+\] line 91 arithmetic overflow on signed \+ in k \+ 1: FAILURE
+^\[main\.enum-range-check\.\d+\] line 89 enum range check in \(ABC\)10: UNKNOWN$
+^\[main\.overflow\.\d+\] line 90 arithmetic overflow on signed (to unsigned )?type conversion in \(char\)\(\(signed int\)i \+ 1\): UNKNOWN$
+^\[main\.overflow\.\d+\] line 91 arithmetic overflow on signed \+ in k \+ 1: UNKNOWN$
 ^VERIFICATION FAILED$
 ^EXIT=10$
 ^SIGNAL=0$
 --
-^\[main\.pointer_primitives\.\d+\] line 41 pointer invalid in R_OK\(q, \(unsigned (long (long )?)?int\)1\): FAILURE$
-^\[main\.pointer_primitives\.\d+\] line 41 pointer outside object bounds in R_OK\(q, \(unsigned (long (long )?)?int\)1\): FAILURE$
-^\[main\.pointer_arithmetic\.\d+\] line 42 pointer arithmetic: pointer outside object bounds in p \+ .*2000000000000(l|ll): FAILURE
-^\[main\.NaN\.\d+\] line 48 NaN on / in x / den: FAILURE
-^\[main\.float-division-by-zero\.\d+\] line 49 floating-point division by zero in x / den: FAILURE
-^\[main\.overflow\.\d+\] line 48 arithmetic overflow on floating-point division in x / den: FAILURE
-^\[main\.division-by-zero\.\d+\] line 48 division by zero in 10 / 0: FAILURE$
-^\[main\.enum-range-check\.\d+\] line 49 enum range check in \(ABC\)10: FAILURE
-^\[main\.overflow\.\d+\] line 50 arithmetic overflow on signed type conversion in \(char\)\(signed int\)i \+ 1\): FAILURE
-^\[main\.overflow\.\d+\] line 51 arithmetic overflow on signed \+ in k \+ 1: FAILURE
+^\[main\.pointer_primitives\.\d+\] line 41 pointer invalid in R_OK\(q, \(unsigned (long (long )?)?int\)1\):
+^\[main\.pointer_primitives\.\d+\] line 41 pointer outside object bounds in R_OK\(q, \(unsigned (long (long )?)?int\)1\):
+^\[main\.pointer_arithmetic\.\d+\] line 42 pointer arithmetic: pointer outside object bounds in p \+ .*2000000000000(l|ll):
+^\[main\.NaN\.\d+\] line 48 NaN on / in x / den:
+^\[main\.float-division-by-zero\.\d+\] line 49 floating-point division by zero in x / den:
+^\[main\.overflow\.\d+\] line 48 arithmetic overflow on floating-point division in x / den:
+^\[main\.division-by-zero\.\d+\] line 48 division by zero in 10 / 0:
+^\[main\.enum-range-check\.\d+\] line 49 enum range check in \(ABC\)10:
+^\[main\.overflow\.\d+\] line 50 arithmetic overflow on signed type conversion in \(char\)\(signed int\)i \+ 1\):
+^\[main\.overflow\.\d+\] line 51 arithmetic overflow on signed \+ in k \+ 1:
 --
 This test uses all possible named-checks to maximize coverage.

regression/symtab2gb/multiple_symtabs/test.desc

@@ -7,4 +7,3 @@ user.json_symtab library.json_symtab
 ^\[2\] file library.adb line \d+ assertion: FAILURE$
 ^VERIFICATION FAILED$
 --
-error

regression/symtab2gb/single_symtab/test.desc

@@ -7,4 +7,3 @@ entry_point.json_symtab
 ^\[2\] file entry_point.adb line \d+ assertion: SUCCESS$
 ^VERIFICATION FAILED$
 --
-error

src/ansi-c/goto_check_c.cpp

@@ -1752,6 +1752,9 @@ void goto_check_ct::add_guarded_property(
     }
     else
     {
+      if(property_class == "division-by-zero")
+        annotated_location.property_fatal(true);
+
       new_code.add(goto_programt::make_assertion(
         std::move(guarded_expr), annotated_location));
     }

src/goto-checker/Makefile

@@ -1,11 +1,12 @@
 SRC = bmc_util.cpp \
       counterexample_beautification.cpp \
       cover_goals_report_util.cpp \
-      incremental_goto_checker.cpp \
+      fatal_assertions.cpp \
       goto_symex_fault_localizer.cpp \
       goto_symex_property_decider.cpp \
       goto_trace_storage.cpp \
       goto_verifier.cpp \
+      incremental_goto_checker.cpp \
       multi_path_symex_checker.cpp \
       multi_path_symex_only_checker.cpp \
       properties.cpp \

src/goto-checker/all_properties_verifier_with_trace_storage.h

@@ -12,10 +12,10 @@ Author: Daniel Kroening, Peter Schrammel
 #ifndef CPROVER_GOTO_CHECKER_ALL_PROPERTIES_VERIFIER_WITH_TRACE_STORAGE_H
 #define CPROVER_GOTO_CHECKER_ALL_PROPERTIES_VERIFIER_WITH_TRACE_STORAGE_H
 
-#include "goto_verifier.h"
-
 #include "bmc_util.h"
+#include "fatal_assertions.h"
 #include "goto_trace_storage.h"
+#include "goto_verifier.h"
 #include "incremental_goto_checker.h"
 #include "properties.h"
 #include "report_util.h"
@@ -62,6 +62,9 @@ class all_properties_verifier_with_trace_storaget : public goto_verifiert
       ++iterations;
     }
 
+    propagate_fatal_assertions(
+      properties, traces, goto_model.get_goto_functions());
+
     return determine_result(properties);
   }
 

src/goto-checker/fatal_assertions.cpp

@@ -0,0 +1,219 @@
+/*******************************************************************\
+
+Module: Fatal Assertions
+
+Author: Daniel Kroening, [email protected]
+
+\*******************************************************************/
+
+/// \file
+/// Fatal Assertions
+
+#include "fatal_assertions.h"
+
+#include <util/irep_hash.h>
+
+#include <goto-programs/goto_functions.h>
+
+#include "goto_trace_storage.h"
+
+#include <stack>
+#include <unordered_set>
+
+struct function_loc_pairt
+{
+  using function_itt = goto_functionst::function_mapt::const_iterator;
+  function_loc_pairt(
+    function_itt __function_it,
+    goto_programt::const_targett __target)
+    : function_it(__function_it), target(__target)
+  {
+  }
+  function_itt function_it;
+  goto_programt::const_targett target;
+  bool operator==(const function_loc_pairt &other) const
+  {
+    return function_it->first == other.function_it->first &&
+           target == other.target;
+  }
+};
+
+struct function_itt_hasht
+{
+  using function_itt = goto_functionst::function_mapt::const_iterator;
+  std::size_t operator()(const function_itt &function_it) const
+  {
+    return function_it->first.hash();
+  }
+};
+
+struct function_loc_pair_hasht
+{
+  std::size_t operator()(const function_loc_pairt &p) const
+  {
+    auto h1 = p.function_it->first.hash();
+    auto h2 = const_target_hash{}(p.target);
+    return hash_combine(h1, h2);
+  }
+};
+
+using loc_sett =
+  std::unordered_set<function_loc_pairt, function_loc_pair_hasht>;
+
+static loc_sett
+reachable_fixpoint(const loc_sett &locs, const goto_functionst &goto_functions)
+{
+  // frontier set
+  std::stack<function_loc_pairt> working;
+
+  for(auto loc : locs)
+    working.push(loc);
+
+  loc_sett fixpoint;
+
+  while(!working.empty())
+  {
+    auto loc = working.top();
+    working.pop();
+
+    auto insertion_result = fixpoint.insert(loc);
+    if(!insertion_result.second)
+      continue; // seen already
+
+    if(loc.target->is_function_call())
+    {
+      // get the callee
+      auto &function = loc.target->call_function();
+      if(function.id() == ID_symbol)
+      {
+        // add the callee to the working set
+        auto &function_identifier = to_symbol_expr(function).get_identifier();
+        auto function_iterator =
+          goto_functions.function_map.find(function_identifier);
+        CHECK_RETURN(function_iterator != goto_functions.function_map.end());
+        working.emplace(
+          function_iterator,
+          function_iterator->second.body.instructions.begin());
+      }
+
+      // add the next location to the working set
+      working.emplace(loc.function_it, std::next(loc.target));
+    }
+    else
+    {
+      auto &body = loc.function_it->second.body;
+
+      for(auto successor : body.get_successors(loc.target))
+        working.emplace(loc.function_it, successor);
+    }
+  }
+
+  return fixpoint;
+}
+
+/// Proven assertions after refuted fatal assertions
+/// are marked as UNKNOWN.
+void propagate_fatal_to_proven(
+  propertiest &properties,
+  const goto_functionst &goto_functions)
+{
+  // Iterate to find refuted fatal assertions. Anything reachalble
+  // from there is a 'fatal loc'.
+  loc_sett fatal_locs;
+
+  for(auto function_it = goto_functions.function_map.begin();
+      function_it != goto_functions.function_map.end();
+      function_it++)
+  {
+    auto &body = function_it->second.body;
+    for(auto target = body.instructions.begin();
+        target != body.instructions.end();
+        target++)
+    {
+      if(target->is_assert() && target->source_location().property_fatal())
+      {
+        auto id = target->source_location().get_property_id();
+        auto property = properties.find(id);
+        CHECK_RETURN(property != properties.end());
+
+        // Status?
+        if(property->second.status == property_statust::FAIL)
+        {
+          fatal_locs.emplace(function_it, target);
+        }
+      }
+    }
+  }
+
+  // Saturate fixpoint.
+  auto fixpoint = reachable_fixpoint(fatal_locs, goto_functions);
+
+  // Now mark PASS assertions as UNKNOWN.
+  for(auto &loc : fixpoint)
+  {
+    if(loc.target->is_assert())
+    {
+      auto id = loc.target->source_location().get_property_id();
+      auto property = properties.find(id);
+      CHECK_RETURN(property != properties.end());
+
+      // Status?
+      if(property->second.status == property_statust::PASS)
+      {
+        property->second.status = property_statust::UNKNOWN;
+      }
+    }
+  }
+}
+
+bool passes_through_refuted_fatal(
+  goto_programt::const_targett assertion,
+  const goto_tracet &trace,
+  const propertiest &properties)
+{
+  for(auto &step : trace.steps)
+  {
+    // Ignore the assertion itself.
+    if(step.pc->location_number == assertion->location_number)
+      continue;
+
+    if(
+      step.is_assert() && step.pc->source_location().property_fatal() &&
+      step.cond_value == false)
+    {
+      return true;
+    }
+  }
+
+  return false;
+}
+
+/// Refuted assertions are marked as UNKNOWN iff their
+/// counterexample passes through a non-proven fatal assertion.
+void propagate_fatal_to_refuted(
+  propertiest &properties,
+  const goto_trace_storaget &goto_trace_storage)
+{
+  for(auto &property : properties)
+  {
+    // Status?
+    if(property.second.status == property_statust::FAIL)
+    {
+      auto &trace = goto_trace_storage[property.first];
+      if(passes_through_refuted_fatal(property.second.pc, trace, properties))
+      {
+        // mark as 'UNKNOWN'
+        property.second.status = property_statust::UNKNOWN;
+      }
+    }
+  }
+}
+
+void propagate_fatal_assertions(
+  propertiest &properties,
+  const goto_trace_storaget &goto_trace_storage,
+  const goto_functionst &goto_functions)
+{
+  propagate_fatal_to_proven(properties, goto_functions);
+  propagate_fatal_to_refuted(properties, goto_trace_storage);
+}

src/goto-checker/fatal_assertions.h

@@ -0,0 +1,30 @@
+/*******************************************************************\
+
+Module: Fatal Assertions
+
+Author: Daniel Kroening, [email protected]
+
+\*******************************************************************/
+
+/// \file
+/// Fatal Assertions
+
+#ifndef CPROVER_GOTO_CHECKER_FATAL_ASSERTIONS_H
+#define CPROVER_GOTO_CHECKER_FATAL_ASSERTIONS_H
+
+#include "properties.h"
+
+class goto_functionst;
+class goto_trace_storaget;
+
+/// This has two effects.
+/// 1. Proven assertions after refuted fatal assertions
+///    are marked as UNKNOWN.
+/// 2. Refuted assertions are marked as UNKNOWN iff their
+///    counterexample trace passes through a non-proven fatal assertion.
+void propagate_fatal_assertions(
+  propertiest &,
+  const goto_trace_storaget &,
+  const goto_functionst &);
+
+#endif // CPROVER_GOTO_CHECKER_FATAL_ASSERTIONS_H

src/util/irep_ids.def

@@ -26,6 +26,7 @@ IREP_ID_ONE(line)
 IREP_ID_ONE(column)
 IREP_ID_ONE(comment)
 IREP_ID_ONE(property_class)
+IREP_ID_ONE(property_fatal)
 IREP_ID_ONE(property_id)
 IREP_ID_ONE(function)
 IREP_ID_ONE(mathematical_function)