Cleanup regression tests for quantified contracts

Author: SaswatPadhi

regression/contracts/quantifiers-exists-both-01/main.c

@@ -1,11 +1,13 @@
 // clang-format off
-int f1(int *arr) __CPROVER_requires(__CPROVER_exists {
-  int i;
-  (0 <= i && i < 8) ==> arr[i] == 0
-}) __CPROVER_ensures(__CPROVER_exists {
-  int i;
-  (0 <= i && i < 8) ==> arr[i] == 0
-})
+int f1(int *arr)
+  __CPROVER_requires(__CPROVER_exists {
+    int i;
+    (0 <= i && i < 8) && arr[i] == 0
+  })
+  __CPROVER_ensures(__CPROVER_exists {
+    int i;
+    (0 <= i && i < 8) && arr[i] == 0
+  })
 // clang-format on
 {
   return 0;

regression/contracts/quantifiers-exists-both-01/test.desc

@@ -3,11 +3,14 @@ main.c
 --enforce-all-contracts
 ^EXIT=0$
 ^SIGNAL=0$
+^\[1\] assertion: SUCCESS$
 ^VERIFICATION SUCCESSFUL$
 --
+^warning: ignoring
 --
-The purpose of this test is to ensure that we can safely use __CPROVER_exists
-in a negative context (which is currently not always the case). By using the
---enforce-all-contracts flag, this test assumes the statement in 
-__CPROVER_requires, then asserts the same statement (in __CPROVER_ensures),
-thus, verification should be successful.
+The purpose of this test is to ensure that we can safely use __CPROVER_exists within both
+positive and negative contexts (ENSURES and REQUIRES clauses).
+
+With the SAT backend existential quantifiers in a positive context,
+e.g., the ENSURES clause being enforced in this case,
+are supported only if the quantifier is bound to a constant range.

regression/contracts/quantifiers-exists-both-02/main.c

@@ -1,18 +1,42 @@
+#include <stdlib.h>
+
+#define MAX_LEN 8
+
 // clang-format off
-int f1(int *arr, int *len) __CPROVER_requires(__CPROVER_exists {
-  int i;
-  (0 <= i && i < len) ==> arr[i] == 0
-}) __CPROVER_ensures(__CPROVER_exists {
-  int i;
-  (0 <= i && i < len) ==> arr[i] == 0
-})
+int f1(int *arr, int len)
+  __CPROVER_requires(
+    len > 0 ==> __CPROVER_exists {
+      int i;
+      // constant bounds for explicit unrolling with SAT backend
+      (0 <= i && i < MAX_LEN) && (
+        // actual symbolic bound for `i`
+        i < len && arr[i] == 0
+      )
+    }
+  )
+  __CPROVER_ensures(
+    len > 0 ==> __CPROVER_exists {
+      int i;
+      // constant bounds for explicit unrolling with SAT backend
+      (0 <= i && i < MAX_LEN) && (
+        // actual symbolic bound for `i`
+        i < len && arr[i] == 0
+      )
+    }
+  )
 // clang-format on
 {
   return 0;
 }
 
 int main()
 {
-  int len, arr[8];
+  int len;
+  __CPROVER_assume(0 <= len && len <= MAX_LEN);
+
+  int *arr = malloc(len);
+  if(len > 0)
+    arr[0] = 0;
+
   f1(arr, len);
 }

regression/contracts/quantifiers-exists-both-02/test.desc

@@ -1,19 +1,16 @@
-KNOWNBUG
+CORE
 main.c
---enforce-all-contracts
+--replace-all-calls-with-contracts
 ^EXIT=0$
 ^SIGNAL=0$
+^\[1\] assertion: SUCCESS$
 ^VERIFICATION SUCCESSFUL$
 --
+^warning: ignoring
 --
-The purpose of this test is to ensure that we can safely use __CPROVER_exists
-in a negative context (which is currently not always the case). By using the
---enforce-all-contracts flag, this test assumes the statement in 
-__CPROVER_requires, then asserts the same statement (in __CPROVER_ensures),
-thus, verification should be successful.
+The purpose of this test is to ensure that we can safely use __CPROVER_exists within both
+positive and negative contexts (ENSURES and REQUIRES clauses).
 
-Known bug:
-The current implementation cannot handle a structure such as
-__CPROVER_assume(__CPROVER_exists(int i; pred(i))), where i is
-not explicitly bounded to a predefined range (i.e. if at least
-one of its bound is only declared and not defined).
+With the SAT backend existential quantifiers in a positive context,
+e.g., the REQUIRES clause being replaced in this case,
+are supported only if the quantifier is bound to a constant range.

regression/contracts/quantifiers-exists-ensures-01/main.c

@@ -3,7 +3,7 @@ int f1(int *arr)
   __CPROVER_assigns(*arr)
   __CPROVER_ensures(__CPROVER_exists {
     int i;
-    (0 <= i && i < 10) ==> arr[i] == i
+    (0 <= i && i < 10) && arr[i] == i
   })
 // clang-format on
 {
@@ -15,8 +15,26 @@ int f1(int *arr)
   return 0;
 }
 
+// clang-format off
+int f2(int *arr)
+  __CPROVER_assigns(*arr)
+  __CPROVER_ensures(__CPROVER_exists {
+    int i;
+    (0 <= i && i < 10) && arr[i] != 0
+  })
+// clang-format on
+{
+  for(int i = 0; i < 10; i++)
+  {
+    arr[i] = 0;
+  }
+
+  return 0;
+}
+
 int main()
 {
   int arr[10];
+  f2(arr);
   f1(arr);
 }

regression/contracts/quantifiers-exists-ensures-01/test.desc

@@ -1,12 +1,15 @@
 CORE
 main.c
 --enforce-all-contracts
-^EXIT=0$
+^EXIT=10$
 ^SIGNAL=0$
-^VERIFICATION SUCCESSFUL$
+^VERIFICATION FAILED$
 --
+^warning: ignoring
 --
 The purpose of this test is to ensure that we can safely use __CPROVER_exists
-in __CPROVER_ensures clauses. By using the --enforce-all-contracts flag, 
-goto-instrument will transform the __CPROVER_ensures clauses into an
-assertion and the verification remains sound when using __CPROVER_exists.
+within positive contexts (enforced ENSURES clauses).
+
+With the SAT backend existential quantifiers in a positive context,
+e.g., the ENSURES clause being enforced in this case,
+are supported only if the quantifier is bound to a constant range.

regression/contracts/quantifiers-exists-ensures-02/main.c

@@ -1,20 +1,41 @@
+#include <assert.h>
+#include <stdbool.h>
+#include <stdlib.h>
+
+#define MAX_LEN 128
+
 // clang-format off
-int f1(int *arr) __CPROVER_ensures(__CPROVER_exists {
-  int i;
-  (0 <= i && i < 10) ==> arr[i] != 0
-})
+int f1(int *arr, int len)
+  __CPROVER_ensures(
+    len > 0 ==> __CPROVER_exists {
+      int i;
+      // test replacement with symbolic bound
+      (0 <= i && i < len) && arr[i] == 0
+    }
+  )
 // clang-format on
 {
-  for(int i = 0; i < 10; i++)
-  {
-    arr[i] = 0;
-  }
-
+  // we are only checking for contract replacement
   return 0;
 }
 
 int main()
 {
-  int arr[10];
-  f1(arr);
+  int len;
+  __CPROVER_assume(0 <= len && len <= MAX_LEN);
+
+  int *arr = malloc(len * sizeof(int));
+
+  f1(arr, len);
+
+  bool found_zero = false;
+  for(int i = 0; i <= MAX_LEN; i++)
+  {
+    if(i < len)
+      found_zero |= (arr[i] == 0);
+  }
+
+  // clang-format off
+  assert(len > 0 ==> found_zero);
+  // clang-format on
 }

regression/contracts/quantifiers-exists-ensures-02/test.desc

@@ -1,19 +1,14 @@
 CORE
 main.c
---enforce-all-contracts
-^EXIT=10$
+--replace-all-calls-with-contracts
+^EXIT=0$
 ^SIGNAL=0$
-^VERIFICATION FAILED$
+^\[main.assertion.1\] line .* assertion len > 0 ==> found_zero: SUCCESS$
+^VERIFICATION SUCCESSFUL$
 --
+^warning: ignoring
 --
 The purpose of this test is to ensure that we can safely use __CPROVER_exists
-in __CPROVER_ensures clauses. By using the --enforce-all-contracts flag, 
-goto-instrument will transform the __CPROVER_ensures clauses into an
-assertion and the verification remains sound when using __CPROVER_exists.
+within negative contexts (replaced ENSURES clauses).
 
-Known Bug:
-We expect verification to fail because arr[i] is always equal to 0 for
-[0 <= i < 10]. In fact, we expect the (0 <= i && i < 10) statement to act as a
-range for i. However, in the current implementation of quantifier handling,
-the (0 <= i && i < 10) statement is not interpreted as an explicit range, but
-instead, as part of a logic formula, which causes verification to succeed.
+This is fully supported (without requiring full unrolling) with the SAT backend.

regression/contracts/quantifiers-exists-requires-01/main.c

@@ -1,15 +1,39 @@
+#include <stdbool.h>
+#include <stdlib.h>
+
+#define MAX_LEN 64
+
 // clang-format off
-int f1(int *arr) __CPROVER_requires(__CPROVER_exists {
-  int i;
-  (0 <= i && i < 10) ==> arr[i] == 4
-}) __CPROVER_ensures(__CPROVER_return_value == 0)
+bool f1(int *arr, int len)
+  __CPROVER_requires(
+    len > 0 ==> __CPROVER_exists {
+      int i;
+      // test enforcement with symbolic bound
+      (0 <= i && i < len) && arr[i] == 4
+    }
+  )
+  __CPROVER_ensures(
+    __CPROVER_return_value == true
+  )
 // clang-format on
 {
-  return 0;
+  bool found_four = false;
+  for(int i = 0; i <= MAX_LEN; i++)
+  {
+    if(i < len)
+      found_four |= (arr[i] == 4);
+  }
+
+  // clang-format off
+  return (len > 0 ==> found_four);
+  // clang-format on
 }
 
 int main()
 {
-  int arr[10] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9};
-  f1(arr);
+  int len;
+  __CPROVER_assume(0 <= len && len <= MAX_LEN);
+
+  int *arr = malloc(len * sizeof(int));
+  f1(arr, len);
 }

regression/contracts/quantifiers-exists-requires-01/test.desc

@@ -1,12 +1,14 @@
 CORE
 main.c
---replace-all-calls-with-contracts
+--enforce-all-contracts
 ^EXIT=0$
 ^SIGNAL=0$
+^\[1\] assertion: SUCCESS$
 ^VERIFICATION SUCCESSFUL$
 --
+^warning: ignoring
 --
 The purpose of this test is to ensure that we can safely use __CPROVER_exists
-in __CPROVER_requires clauses. By using the --replace-all-calls-with-contracts
-flag, goto-instrument will transform the __CPROVER_requires clauses into an
-assertion and the verification remains sound when using __CPROVER_exists.
+within both negative contexts (enforced REQUIRES clauses).
+
+This is fully supported (without requiring full unrolling) with the SAT backend.