CONTRACTS: at most one predicate occurence per pointer

Ensures that at most one pointer predicate is positively
asserted/assumed per pointer.
 Before, `is_fresh(p, n) && is_fresh(p, n)` would
fail in assertion contexts as expected but pass in
assumption contexts by allocating twice.

Author: Remi Delmas

Diff for: regression/contracts-dfcc/test_pointer_pred_unique_enforce_fail/main.c

@@ -0,0 +1,66 @@
+int nondet_int();
+void foo(
+  int *in,
+  int *in1,
+  int *in2,
+  int *in3,
+  int *in4,
+  int *in5,
+  int *in6,
+  int **out1,
+  int **out2,
+  int **out3,
+  int **out4,
+  int **out5,
+  int **out6)
+  // clang-format off
+__CPROVER_requires(__CPROVER_is_fresh(in, sizeof(int)))
+__CPROVER_requires(__CPROVER_is_fresh(in1, sizeof(int)) && __CPROVER_pointer_in_range_dfcc(in, in1, in))
+__CPROVER_requires(__CPROVER_pointer_in_range_dfcc(in, in2, in) && __CPROVER_is_fresh(in2, sizeof(int)))
+__CPROVER_requires(__CPROVER_is_fresh(in3, sizeof(int)) && __CPROVER_pointer_equals(in3, in))
+__CPROVER_requires(__CPROVER_pointer_equals(in4, in) && __CPROVER_is_fresh(in4, sizeof(int)))
+__CPROVER_requires(__CPROVER_pointer_in_range_dfcc(in, in5, in) && __CPROVER_pointer_equals(in5, in))
+__CPROVER_requires(__CPROVER_pointer_equals(in6, in) && __CPROVER_pointer_in_range_dfcc(in, in6, in))
+__CPROVER_requires(__CPROVER_is_fresh(out1, sizeof(int *)))
+__CPROVER_requires(__CPROVER_is_fresh(out2, sizeof(int *)))
+__CPROVER_requires(__CPROVER_is_fresh(out3, sizeof(int *)))
+__CPROVER_requires(__CPROVER_is_fresh(out4, sizeof(int *)))
+__CPROVER_requires(__CPROVER_is_fresh(out5, sizeof(int *)))
+__CPROVER_requires(__CPROVER_is_fresh(out6, sizeof(int *)))
+__CPROVER_assigns(*out1, *out2, *out3, *out4, *out5, *out6)
+__CPROVER_ensures(__CPROVER_is_fresh(*out1, sizeof(int)) && __CPROVER_pointer_in_range_dfcc(in, *out1, in))
+__CPROVER_ensures(__CPROVER_pointer_in_range_dfcc(in, *out2, in) && __CPROVER_is_fresh(*out2, sizeof(int)))
+__CPROVER_ensures(__CPROVER_is_fresh(*out3, sizeof(int)) && __CPROVER_pointer_equals(*out3, in))
+__CPROVER_ensures(__CPROVER_pointer_equals(*out4, in) && __CPROVER_is_fresh(*out4, sizeof(int)))
+__CPROVER_ensures(__CPROVER_pointer_in_range_dfcc(in, *out5, in) && __CPROVER_pointer_equals(*out5, in))
+__CPROVER_ensures(__CPROVER_pointer_equals(*out6, in) && __CPROVER_pointer_in_range_dfcc(in, *out6, in))
+// clang-format on
+{
+  int *tmp1 = malloc(sizeof(int));
+  __CPROVER_assume(tmp1);
+  *out1 = nondet_int() ? tmp1 : in;
+
+  int *tmp2 = malloc(sizeof(int));
+  __CPROVER_assume(tmp2);
+  *out2 = nondet_int() ? tmp2 : in;
+
+  int *tmp3 = malloc(sizeof(int));
+  __CPROVER_assume(tmp3);
+  *out3 = nondet_int() ? tmp3 : in;
+
+  int *tmp4 = malloc(sizeof(int));
+  __CPROVER_assume(tmp4);
+  *out4 = nondet_int() ? tmp4 : in;
+
+  *out5 = in;
+
+  *out6 = in;
+}
+
+int main()
+{
+  int *in, *in1, *in2, *in3, *in4, *in5, *in6;
+  int **out1, **out2, **out3, **out4, **out5, **out6;
+  foo(in, in1, in2, in3, in4, in5, in6, out1, out2, out3, out4, out5, out6);
+  return 0;
+}

Diff for: regression/contracts-dfcc/test_pointer_pred_unique_enforce_fail/test.desc

@@ -0,0 +1,19 @@
+CORE dfcc-only
+main.c
+--dfcc main --enforce-contract foo _ --arrays-uf-always --slice-formula
+^\[__CPROVER_contracts_is_fresh.assertion.\d+] line \d+ __CPROVER_is_fresh does not conflict with other pointer predicate in assume context: FAILURE$
+^\[__CPROVER_contracts_is_fresh.assertion.\d+] line \d+ __CPROVER_is_fresh does not conflict with other pointer predicate in assert context: FAILURE$
+^\[__CPROVER_contracts_pointer_equals.assertion.\d+] line \d+ __CPROVER_pointer_equals does not conflict with other pointer predicate in assume context: FAILURE$
+^\[__CPROVER_contracts_pointer_equals.assertion.\d+] line \d+ __CPROVER_pointer_equals does not conflict with other pointer predicate in assert context: FAILURE$
+^\[__CPROVER_contracts_pointer_in_range_dfcc.assertion.\d+] line \d+ __CPROVER_pointer_in_range_dfcc does not conflict with other pointer predicate in assume context: FAILURE$
+^\[__CPROVER_contracts_pointer_in_range_dfcc.assertion.\d+] line \d+ __CPROVER_pointer_in_range_dfcc does not conflict with other predicate in assert context: FAILURE$
+^EXIT=10$
+^SIGNAL=0$
+^VERIFICATION FAILED$
+--
+--
+Tests that the analysis fails when a same pointer is the target of multiple
+pointer predicates at the same time.
+
+We test all 6 pairwise combinations of is_fresh, poitner_equals,
+pointer_in_range_dfcc in mode assume-requires/assert-ensures.

Diff for: regression/contracts-dfcc/test_pointer_pred_unique_enforce_pass/main.c

@@ -0,0 +1,61 @@
+int nondet_int();
+void foo(
+  int *in,
+  int *in1,
+  int *in2,
+  int *in3,
+  int *in4,
+  int *in5,
+  int *in6,
+  int **out1,
+  int **out2,
+  int **out3,
+  int **out4,
+  int **out5,
+  int **out6)
+  // clang-format off
+__CPROVER_requires(__CPROVER_is_fresh(in, sizeof(int)))
+__CPROVER_requires(__CPROVER_is_fresh(in1, sizeof(int)) || __CPROVER_pointer_in_range_dfcc(in, in1, in))
+__CPROVER_requires(__CPROVER_pointer_in_range_dfcc(in, in2, in) || __CPROVER_is_fresh(in2, sizeof(int)))
+__CPROVER_requires(__CPROVER_is_fresh(in3, sizeof(int)) || __CPROVER_pointer_equals(in3, in))
+__CPROVER_requires(__CPROVER_pointer_equals(in4, in) || __CPROVER_is_fresh(in4, sizeof(int)))
+__CPROVER_requires(__CPROVER_pointer_in_range_dfcc(in, in5, in) || __CPROVER_pointer_equals(in5, in))
+__CPROVER_requires(__CPROVER_pointer_equals(in6, in) || __CPROVER_pointer_in_range_dfcc(in, in6, in))
+__CPROVER_requires(__CPROVER_is_fresh(out1, sizeof(int *)))
+__CPROVER_requires(__CPROVER_is_fresh(out2, sizeof(int *)))
+__CPROVER_requires(__CPROVER_is_fresh(out3, sizeof(int *)))
+__CPROVER_requires(__CPROVER_is_fresh(out4, sizeof(int *)))
+__CPROVER_requires(__CPROVER_is_fresh(out5, sizeof(int *)))
+__CPROVER_requires(__CPROVER_is_fresh(out6, sizeof(int *)))
+__CPROVER_assigns(*out1, *out2, *out3, *out4, *out5, *out6)
+__CPROVER_ensures(__CPROVER_is_fresh(*out1, sizeof(int)) || __CPROVER_pointer_in_range_dfcc(in, *out1, in))
+__CPROVER_ensures(__CPROVER_pointer_in_range_dfcc(in, *out2, in) || __CPROVER_is_fresh(*out2, sizeof(int)))
+__CPROVER_ensures(__CPROVER_is_fresh(*out3, sizeof(int)) || __CPROVER_pointer_equals(*out3, in))
+__CPROVER_ensures(__CPROVER_pointer_equals(*out4, in) || __CPROVER_is_fresh(*out4, sizeof(int)))
+__CPROVER_ensures(__CPROVER_pointer_in_range_dfcc(in, *out5, in) || __CPROVER_pointer_equals(*out5, in))
+__CPROVER_ensures(__CPROVER_pointer_equals(*out6, in) || __CPROVER_pointer_in_range_dfcc(in, *out6, in))
+// clang-format on
+{
+  int *tmp1 = malloc(sizeof(int));
+  __CPROVER_assume(tmp1);
+  *out1 = nondet_int() ? tmp1 : in;
+  int *tmp2 = malloc(sizeof(int));
+  __CPROVER_assume(tmp2);
+  *out2 = nondet_int() ? tmp2 : in;
+  int *tmp3 = malloc(sizeof(int));
+  __CPROVER_assume(tmp3);
+  *out3 = nondet_int() ? tmp3 : in;
+  int *tmp4 = malloc(sizeof(int));
+  __CPROVER_assume(tmp4);
+  *out4 = nondet_int() ? tmp4 : in;
+  *out5 = in;
+  *out6 = in;
+}
+
+int main()
+{
+  int *in, *in1, *in2, *in3, *in4, *in5, *in6;
+  int **out1, **out2, **out3, **out4, **out5, **out6;
+  foo(in, in1, in2, in3, in4, in5, in6, out1, out2, out3, out4, out5, out6);
+  return 0;
+}

Diff for: regression/contracts-dfcc/test_pointer_pred_unique_enforce_pass/test.desc

@@ -0,0 +1,19 @@
+CORE dfcc-only
+main.c
+--dfcc main --enforce-contract foo _ --arrays-uf-always --slice-formula
+^\[__CPROVER_contracts_is_fresh.assertion.\d+\] line \d+ __CPROVER_is_fresh does not conflict with other pointer predicate in assume context: SUCCESS$
+^\[__CPROVER_contracts_is_fresh.assertion.\d+\] line \d+ __CPROVER_is_fresh does not conflict with other pointer predicate in assert context: SUCCESS$
+^\[__CPROVER_contracts_pointer_equals.assertion.\d+\] line \d+ __CPROVER_pointer_equals does not conflict with other pointer predicate in assume context: SUCCESS$
+^\[__CPROVER_contracts_pointer_equals.assertion.\d+\] line \d+ __CPROVER_pointer_equals does not conflict with other pointer predicate in assert context: SUCCESS$
+^\[__CPROVER_contracts_pointer_in_range_dfcc.assertion.\d+\] line \d+ __CPROVER_pointer_in_range_dfcc does not conflict with other pointer predicate in assume context: SUCCESS$
+^\[__CPROVER_contracts_pointer_in_range_dfcc.assertion.\d+\] line \d+ __CPROVER_pointer_in_range_dfcc does not conflict with other predicate in assert context: SUCCESS$
+^EXIT=0$
+^SIGNAL=0$
+^VERIFICATION SUCCESSFUL$
+--
+--
+Tests that a same pointer can be the target of multiple pointer predicates as
+long as they do not apply at the same time.
+
+We test all 6 pairwise combinations of is_fresh, poitner_equals,
+pointer_in_range_dfcc in mode assume-requires/assert-ensures.

Diff for: regression/contracts-dfcc/test_pointer_pred_unique_replace_fail/main.c

@@ -0,0 +1,89 @@
+int nondet_int();
+void foo(
+  int *in,
+  int *in1,
+  int *in2,
+  int *in3,
+  int *in4,
+  int *in5,
+  int *in6,
+  int **out1,
+  int **out2,
+  int **out3,
+  int **out4,
+  int **out5,
+  int **out6)
+  // clang-format off
+__CPROVER_requires(__CPROVER_is_fresh(in, sizeof(int)))
+__CPROVER_requires(__CPROVER_is_fresh(in1, sizeof(int)) && __CPROVER_pointer_in_range_dfcc(in, in1, in))
+__CPROVER_requires(__CPROVER_pointer_in_range_dfcc(in, in2, in) && __CPROVER_is_fresh(in2, sizeof(int)))
+__CPROVER_requires(__CPROVER_is_fresh(in3, sizeof(int)) && __CPROVER_pointer_equals(in3, in))
+__CPROVER_requires(__CPROVER_pointer_equals(in4, in) && __CPROVER_is_fresh(in4, sizeof(int)))
+__CPROVER_requires(__CPROVER_pointer_in_range_dfcc(in, in5, in) && __CPROVER_pointer_equals(in5, in))
+__CPROVER_requires(__CPROVER_pointer_equals(in6, in) && __CPROVER_pointer_in_range_dfcc(in, in6, in))
+__CPROVER_requires(__CPROVER_is_fresh(out1, sizeof(int *)))
+__CPROVER_requires(__CPROVER_is_fresh(out2, sizeof(int *)))
+__CPROVER_requires(__CPROVER_is_fresh(out3, sizeof(int *)))
+__CPROVER_requires(__CPROVER_is_fresh(out4, sizeof(int *)))
+__CPROVER_requires(__CPROVER_is_fresh(out5, sizeof(int *)))
+__CPROVER_requires(__CPROVER_is_fresh(out6, sizeof(int *)))
+__CPROVER_assigns(*out1, *out2, *out3, *out4, *out5, *out6)
+__CPROVER_ensures(__CPROVER_is_fresh(*out1, sizeof(int)) && __CPROVER_pointer_in_range_dfcc(in, *out1, in))
+__CPROVER_ensures(__CPROVER_pointer_in_range_dfcc(in, *out2, in) && __CPROVER_is_fresh(*out2, sizeof(int)))
+__CPROVER_ensures(__CPROVER_is_fresh(*out3, sizeof(int)) && __CPROVER_pointer_equals(*out3, in))
+__CPROVER_ensures(__CPROVER_pointer_equals(*out4, in) && __CPROVER_is_fresh(*out4, sizeof(int)))
+__CPROVER_ensures(__CPROVER_pointer_in_range_dfcc(in, *out5, in) && __CPROVER_pointer_equals(*out5, in))
+__CPROVER_ensures(__CPROVER_pointer_equals(*out6, in) && __CPROVER_pointer_in_range_dfcc(in, *out6, in))
+// clang-format on
+{
+  int *tmp1 = malloc(sizeof(int));
+  __CPROVER_assume(tmp1);
+  *out1 = nondet_int() ? tmp1 : in;
+
+  int *tmp2 = malloc(sizeof(int));
+  __CPROVER_assume(tmp2);
+  *out2 = nondet_int() ? tmp2 : in;
+
+  int *tmp3 = malloc(sizeof(int));
+  __CPROVER_assume(tmp3);
+  *out3 = nondet_int() ? tmp3 : in;
+
+  int *tmp4 = malloc(sizeof(int));
+  __CPROVER_assume(tmp4);
+  *out4 = nondet_int() ? tmp4 : in;
+
+  *out5 = in;
+
+  *out6 = in;
+}
+
+void bar()
+  // clang-format off
+__CPROVER_requires(1)
+__CPROVER_assigns()
+__CPROVER_ensures(1)
+// clang-format on
+{
+  int in, in1, in2, in3, in4, in5, in6;
+  int *out1, *out2, *out3, *out4, *out5, *out6;
+  foo(
+    &in,
+    nondet_bool() ? &in : &in1,
+    nondet_bool() ? &in : &in2,
+    nondet_bool() ? &in : &in3,
+    nondet_bool() ? &in : &in4,
+    &in,
+    &in,
+    &out1,
+    &out2,
+    &out3,
+    &out4,
+    &out5,
+    &out6);
+}
+
+int main()
+{
+  bar();
+  return 0;
+}

Diff for: regression/contracts-dfcc/test_pointer_pred_unique_replace_fail/test.desc

@@ -0,0 +1,19 @@
+CORE dfcc-only
+main.c
+--dfcc main --replace-call-with-contract foo _ --arrays-uf-always --slice-formula
+^\[__CPROVER_contracts_is_fresh.assertion.\d+] line \d+ __CPROVER_is_fresh does not conflict with other pointer predicate in assume context: FAILURE$
+^\[__CPROVER_contracts_is_fresh.assertion.\d+] line \d+ __CPROVER_is_fresh does not conflict with other pointer predicate in assert context: FAILURE$
+^\[__CPROVER_contracts_pointer_equals.assertion.\d+] line \d+ __CPROVER_pointer_equals does not conflict with other pointer predicate in assume context: FAILURE$
+^\[__CPROVER_contracts_pointer_equals.assertion.\d+] line \d+ __CPROVER_pointer_equals does not conflict with other pointer predicate in assert context: FAILURE$
+^\[__CPROVER_contracts_pointer_in_range_dfcc.assertion.\d+] line \d+ __CPROVER_pointer_in_range_dfcc does not conflict with other pointer predicate in assume context: FAILURE$
+^\[__CPROVER_contracts_pointer_in_range_dfcc.assertion.\d+] line \d+ __CPROVER_pointer_in_range_dfcc does not conflict with other predicate in assert context: FAILURE$
+^EXIT=10$
+^SIGNAL=0$
+^VERIFICATION FAILED$
+--
+--
+Tests that the analysis fails when a same pointer is the target of multiple
+pointer predicates at the same time.
+
+We test all 6 pairwise combinations of is_fresh, poitner_equals,
+pointer_in_range_dfcc in mode assume-requires/assert-ensures.

Diff for: regression/contracts-dfcc/test_pointer_pred_unique_replace_pass/main.c

@@ -0,0 +1,84 @@
+int nondet_int();
+void foo(
+  int *in,
+  int *in1,
+  int *in2,
+  int *in3,
+  int *in4,
+  int *in5,
+  int *in6,
+  int **out1,
+  int **out2,
+  int **out3,
+  int **out4,
+  int **out5,
+  int **out6)
+  // clang-format off
+__CPROVER_requires(__CPROVER_is_fresh(in, sizeof(int)))
+__CPROVER_requires(__CPROVER_is_fresh(in1, sizeof(int)) || __CPROVER_pointer_in_range_dfcc(in, in1, in))
+__CPROVER_requires(__CPROVER_pointer_in_range_dfcc(in, in2, in) || __CPROVER_is_fresh(in2, sizeof(int)))
+__CPROVER_requires(__CPROVER_is_fresh(in3, sizeof(int)) || __CPROVER_pointer_equals(in3, in))
+__CPROVER_requires(__CPROVER_pointer_equals(in4, in) || __CPROVER_is_fresh(in4, sizeof(int)))
+__CPROVER_requires(__CPROVER_pointer_in_range_dfcc(in, in5, in) || __CPROVER_pointer_equals(in5, in))
+__CPROVER_requires(__CPROVER_pointer_equals(in6, in) || __CPROVER_pointer_in_range_dfcc(in, in6, in))
+__CPROVER_requires(__CPROVER_is_fresh(out1, sizeof(int *)))
+__CPROVER_requires(__CPROVER_is_fresh(out2, sizeof(int *)))
+__CPROVER_requires(__CPROVER_is_fresh(out3, sizeof(int *)))
+__CPROVER_requires(__CPROVER_is_fresh(out4, sizeof(int *)))
+__CPROVER_requires(__CPROVER_is_fresh(out5, sizeof(int *)))
+__CPROVER_requires(__CPROVER_is_fresh(out6, sizeof(int *)))
+__CPROVER_assigns(*out1, *out2, *out3, *out4, *out5, *out6)
+__CPROVER_ensures(__CPROVER_is_fresh(*out1, sizeof(int)) || __CPROVER_pointer_in_range_dfcc(in, *out1, in))
+__CPROVER_ensures(__CPROVER_pointer_in_range_dfcc(in, *out2, in) || __CPROVER_is_fresh(*out2, sizeof(int)))
+__CPROVER_ensures(__CPROVER_is_fresh(*out3, sizeof(int)) || __CPROVER_pointer_equals(*out3, in))
+__CPROVER_ensures(__CPROVER_pointer_equals(*out4, in) || __CPROVER_is_fresh(*out4, sizeof(int)))
+__CPROVER_ensures(__CPROVER_pointer_in_range_dfcc(in, *out5, in) || __CPROVER_pointer_equals(*out5, in))
+__CPROVER_ensures(__CPROVER_pointer_equals(*out6, in) || __CPROVER_pointer_in_range_dfcc(in, *out6, in))
+// clang-format on
+{
+  int *tmp1 = malloc(sizeof(int));
+  __CPROVER_assume(tmp1);
+  *out1 = nondet_int() ? tmp1 : in;
+  int *tmp2 = malloc(sizeof(int));
+  __CPROVER_assume(tmp2);
+  *out2 = nondet_int() ? tmp2 : in;
+  int *tmp3 = malloc(sizeof(int));
+  __CPROVER_assume(tmp3);
+  *out3 = nondet_int() ? tmp3 : in;
+  int *tmp4 = malloc(sizeof(int));
+  __CPROVER_assume(tmp4);
+  *out4 = nondet_int() ? tmp4 : in;
+  *out5 = in;
+  *out6 = in;
+}
+
+void bar()
+  // clang-format off
+__CPROVER_requires(1)
+__CPROVER_assigns()
+__CPROVER_ensures(1)
+// clang-format on
+{
+  int in, in1, in2, in3, in4, in5, in6;
+  int *out1, *out2, *out3, *out4, *out5, *out6;
+  foo(
+    &in,
+    nondet_bool() ? &in : &in1,
+    nondet_bool() ? &in : &in2,
+    nondet_bool() ? &in : &in3,
+    nondet_bool() ? &in : &in4,
+    &in,
+    &in,
+    &out1,
+    &out2,
+    &out3,
+    &out4,
+    &out5,
+    &out6);
+}
+
+int main()
+{
+  bar();
+  return 0;
+}

Diff for: regression/contracts-dfcc/test_pointer_pred_unique_replace_pass/test.desc

@@ -0,0 +1,19 @@
+CORE dfcc-only
+main.c
+--dfcc main --replace-call-with-contract foo _ --arrays-uf-always --slice-formula
+^\[__CPROVER_contracts_is_fresh.assertion.\d+\] line \d+ __CPROVER_is_fresh does not conflict with other pointer predicate in assume context: SUCCESS$
+^\[__CPROVER_contracts_is_fresh.assertion.\d+\] line \d+ __CPROVER_is_fresh does not conflict with other pointer predicate in assert context: SUCCESS$
+^\[__CPROVER_contracts_pointer_equals.assertion.\d+\] line \d+ __CPROVER_pointer_equals does not conflict with other pointer predicate in assume context: SUCCESS$
+^\[__CPROVER_contracts_pointer_equals.assertion.\d+\] line \d+ __CPROVER_pointer_equals does not conflict with other pointer predicate in assert context: SUCCESS$
+^\[__CPROVER_contracts_pointer_in_range_dfcc.assertion.\d+\] line \d+ __CPROVER_pointer_in_range_dfcc does not conflict with other pointer predicate in assume context: SUCCESS$
+^\[__CPROVER_contracts_pointer_in_range_dfcc.assertion.\d+\] line \d+ __CPROVER_pointer_in_range_dfcc does not conflict with other predicate in assert context: SUCCESS$
+^EXIT=0$
+^SIGNAL=0$
+^VERIFICATION SUCCESSFUL$
+--
+--
+Tests that a same pointer can be the target of multiple pointer predicates as
+long as they do not apply at the same time.
+
+Tests all 6 pairwise combinations of is_fresh, pointer_equals,
+pointer_in_range_dfcc in mode assert-requires/assume-ensures.