Add enumerative loop invariant synthesizer

Author: qinheping

regression/contracts/loop_invariant_synthesis_01/main.c renamed to regression/contracts/loop_contract_synthesis_01/main.c

@@ -1,6 +1,6 @@
 CORE
 main.c
---synthesize-loop-invariants --apply-loop-contracts
+--synthesize-loop-invariants
 ^EXIT=0$
 ^SIGNAL=0$
 ^\[main\.\d+\] line 10 Check loop invariant before entry: SUCCESS$

regression/contracts/loop_invariant_synthesis_01/test.desc renamed to regression/contracts/loop_contract_synthesis_01/test.desc

@@ -0,0 +1,18 @@
+#define SIZE 80
+
+void main()
+{
+  unsigned len;
+  __CPROVER_assume(len <= SIZE);
+  __CPROVER_assume(len >= 8);
+  char *array = malloc(len);
+  unsigned s = 0;
+
+  for(unsigned i = 0; i < SIZE; ++i)
+  __CPROVER_assigns(i, s)
+  {
+    if(i == len-1)
+      break;
+    s += array[i];
+  }
+}

regression/contracts/loop_contract_synthesis_02/main.c

@@ -0,0 +1,11 @@
+CORE
+main.c
+--pointer-check --synthesize-loop-invariants
+^EXIT=0$
+^SIGNAL=0$
+^\[main.pointer\_dereference.\d+\] .* SUCCESS$
+^VERIFICATION SUCCESSFUL$
+--
+--
+This test shows that loop invariant with form of range predicates can be correctly
+synthesized for programs with only pointer checks but no other assertions.

regression/contracts/loop_contract_synthesis_02/test.desc

@@ -0,0 +1,16 @@
+#define SIZE 80
+
+void main()
+{
+  unsigned long len;
+  __CPROVER_assume(len <= SIZE);
+  __CPROVER_assume(len >= 8);
+  char *array = malloc(len);
+  const char *end = array + len;
+  unsigned s = 0;
+
+  while(array != end)
+  {
+    s += *array++;
+  }
+}

regression/contracts/loop_contract_synthesis_03/main.c

@@ -0,0 +1,12 @@
+CORE
+main.c
+--pointer-check --synthesize-loop-invariants
+^EXIT=0$
+^SIGNAL=0$
+^\[main.pointer\_dereference.\d+\] .* SUCCESS$
+^VERIFICATION SUCCESSFUL$
+--
+--
+This test shows that loop invariant with form of range predicates and same
+object predicates can be correctly synthesized for programs with only pointer
+checks but no other assertions.

regression/contracts/loop_contract_synthesis_03/test.desc

@@ -0,0 +1,17 @@
+#define SIZE 80
+
+void main()
+{
+  unsigned long len;
+  __CPROVER_assume(len <= SIZE);
+  __CPROVER_assume(len >= 8);
+  char *array = malloc(len);
+  unsigned long s = 0;
+
+  unsigned long j = 0;
+  for(unsigned long i = 0; i < len; i++)
+  {
+    s += array[j];
+    j++;
+  }
+}

regression/contracts/loop_contract_synthesis_04/main.c

@@ -0,0 +1,11 @@
+CORE
+main.c
+--pointer-check --synthesize-loop-invariants
+^EXIT=0$
+^SIGNAL=0$
+^\[main.pointer\_dereference.\d+\] .* SUCCESS$
+^VERIFICATION SUCCESSFUL$
+--
+--
+This test shows that the loop-invariant synthesizer can enumerate
+strengthening clauses for invariant-not-preserved violation.

regression/contracts/loop_contract_synthesis_04/test.desc

@@ -383,6 +383,53 @@ void dependence_grapht::add_dep(
   nodes[n_to].in[n_from].add(kind);
 }
 
+bool dependence_grapht::is_flow_dependent(
+  const goto_programt::const_targett &from,
+  const goto_programt::const_targett &to)
+{
+  std::set<node_indext> visited = std::set<node_indext>();
+  const dep_graph_domaint from_domain = static_cast<const dep_graph_domaint &>(
+    *storage->abstract_state_before(from, *domain_factory));
+  const dep_graph_domaint to_domain = static_cast<const dep_graph_domaint &>(
+    *storage->abstract_state_before(to, *domain_factory));
+  return is_flow_dependent(from_domain, to_domain, visited);
+}
+
+bool dependence_grapht::is_flow_dependent(
+  const dep_graph_domaint &from,
+  const dep_graph_domaint &to,
+  std::set<node_indext> &visited)
+{
+  // `to` is control dependent on `from`?
+  for(const auto node : to.get_control_deps())
+  {
+    if(visited.count((*this)[node].get_node_id()))
+      continue;
+
+    visited.insert((*this)[node].get_node_id());
+
+    if(
+      from.get_node_id() == (*this)[node].get_node_id() ||
+      is_flow_dependent(from, (*this)[node], visited))
+      return true;
+  }
+
+  // `to` is data dependent on `from`?
+  for(const auto node : to.get_data_deps())
+  {
+    if(visited.count((*this)[node].get_node_id()))
+      continue;
+
+    visited.insert((*this)[node].get_node_id());
+
+    if(
+      from.get_node_id() == (*this)[node].get_node_id() ||
+      is_flow_dependent(from, (*this)[node], visited))
+      return true;
+  }
+  return false;
+}
+
 void dep_graph_domaint::populate_dep_graph(
   dependence_grapht &dep_graph, goto_programt::const_targett this_loc) const
 {

src/analyses/dependence_graph.cpp

@@ -67,6 +67,7 @@ class dep_graph_domaint:public ai_domain_baset
 {
 public:
   typedef grapht<dep_nodet>::node_indext node_indext;
+  typedef std::set<goto_programt::const_targett> depst;
 
   explicit dep_graph_domaint(node_indext id)
     : has_values(false), node_id(id), has_changed(false)
@@ -167,13 +168,20 @@ class dep_graph_domaint:public ai_domain_baset
   void populate_dep_graph(
     dependence_grapht &, goto_programt::const_targett) const;
 
+  depst get_control_deps() const
+  {
+    return control_deps;
+  }
+  depst get_data_deps() const
+  {
+    return data_deps;
+  }
+
 private:
   tvt has_values;
   node_indext node_id;
   bool has_changed;
 
-  typedef std::set<goto_programt::const_targett> depst;
-
   // Set of locations with control instructions on which the instruction at this
   // location has a control dependency on
   depst control_deps;
@@ -279,7 +287,16 @@ class dependence_grapht:
     return rd;
   }
 
+  /// Decide whether the instruction `to` is flow dependent on `from`.
+  bool is_flow_dependent(
+    const goto_programt::const_targett &from,
+    const goto_programt::const_targett &to);
+
 protected:
+  bool is_flow_dependent(
+    const dep_graph_domaint &from,
+    const dep_graph_domaint &to,
+    std::set<node_indext> &visited);
   friend dep_graph_domain_factoryt;
   friend dep_graph_domaint;
   const namespacet &ns;