goto instrumentation for decreases clauses on loops

[LongPham7]

This pull request contains the full-fledged implementation of one-dimensional loop variants (also known as ranking functions). A loop variant is an integer expression (i) that is bounded below and (ii) strictly decreases after each iteration of a loop. We use loop variants to prove termination of loops.

A loop variant in C is converted to the following statements in the GOTO language:

1. Declarations of two temporary variables
2. Assign a loop variant to the first temporary variable at the "beginning" of a loop body
3. Assign a loop variant to the second temporary variable at the "end" of a loop body
4. Assert that the second temporary variable < first temporary variable
5. Discard the two temporary variables by the "dead" statements in the GOTO language.

• Each commit message has a non-empty body, explaining why the change was made.
• Methods or procedures I have added are documented, following the guidelines provided in CODING_STANDARD.md.
• The feature or user visible behaviour I have added or modified has been documented in the User Guide in doc/cprover-manual/
• Regression or unit tests are included, or existing tests cover the modified code (in this case I have detailed which ones those are in the commit message).
• My commit message includes data points confirming performance improvements (if claimed).
• My PR is restricted to a single feature or bugfix.
• White-space or formatting changes outside the feature-related changed lines are in commits of their own.

[codecov]

Codecov Report

Merging #6197 (fa9bb89) into develop (0002950) will increase coverage by 7.50%.
The diff coverage is n/a.

❗ Current head fa9bb89 differs from pull request most recent head 00608b6. Consider uploading reports for the commit 00608b6 to get more accurate results

@@             Coverage Diff             @@
##           develop    #6197      +/-   ##
===========================================
+ Coverage    67.40%   74.91%   +7.50%     
===========================================
  Files         1157     1456     +299     
  Lines        95236   161233   +65997     
===========================================
+ Hits         64197   120792   +56595     
- Misses       31039    40441    +9402     

Flag	Coverage Δ
cproversmt2	?
regression	?
unit	?

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
src/util/string_container.cpp	52.94% <0.00%> (-47.06%)	⬇️
src/solvers/prop/prop.cpp	42.85% <0.00%> (-41.76%)	⬇️
src/solvers/flattening/boolbv_member.cpp	53.65% <0.00%> (-38.65%)	⬇️
src/cpp/cpp_storage_spec.cpp	65.00% <0.00%> (-35.00%)	⬇️
src/util/cmdline.h	66.66% <0.00%> (-33.34%)	⬇️
src/solvers/strings/array_pool.h	66.66% <0.00%> (-33.34%)	⬇️
src/solvers/strings/string_refinement.h	66.66% <0.00%> (-33.34%)	⬇️
...rs/strings/string_concatenation_builtin_function.h	0.00% <0.00%> (-33.34%)	⬇️
src/cbmc/c_test_input_generator.cpp	60.00% <0.00%> (-30.33%)	⬇️
src/ansi-c/c_typecheck_base.cpp	54.39% <0.00%> (-26.51%)	⬇️
... and 1435 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update a7d4c3d...00608b6. Read the comment docs.

[SaswatPadhi]

Some initial comments below, and could you please:

• fix the formatting issues? (see the build failures for details)
• change the message Compare the old and new variant values to Check that loop variant monotonically decreases?

[martin-cs]

Looks good apart from the things flagged.

[martin-cs]

@tautschnig is this use of goto_convert fitting with how and when / where it is supposed to be used?

[SaswatPadhi]

Couple of minor comments, but otherwise LGTM! Thanks for all the work!

[feliperodri]

Thank you for tackling all comments!

[kroening]

"monotonicity" is perhaps not the right word. It might not be an intuitive description for a broader audience, and being pedantic, you need strict monotonicity to get termination.
How about "ranking function decreases"?

[SaswatPadhi]

I think "ranking function" might also sound unfamiliar, plus we haven't used ranking function elsewhere (the annotation just reads __CPROVER_decreases).

How about simply, "Check decreases clause on loop iteration"?

[LongPham7]

Thanks a lot for both of your suggestions. I will change the comment to "Check decreases clause on loop iteration".

[kroening]

What should happen when there are multiple __CPROVER_decreases clauses for one loop?
You could make that a lexicographic ranking function.

[SaswatPadhi]

What should happen when there are multiple __CPROVER_decreases clauses for one loop?
You could make that a lexicographic ranking function.

Yes, this is a good point. Currently we don't allow multiple invariant and decreases annotations, but my proposal was also to treat multiple decreases clause annotations as tuples that would be compared lexicographically.