Symex: restore guards on function exit

Executing a function may have a cumulative effect on the state guard. For example, if the
callee contained ASSUME statements that rendered one or more control-flow options unviable
then the guard might still embody that restriction (i.e. for if(x) ASSUME(false) the guard might
still be `!x`). However, on function return we know that all control-flow paths have converged
or been shown to be unviable, so we can restore the simpler guard as it was when we entered
the callee function.

Exceptions:
(a) if the guard is false it would be correct but inefficient to restore it; keep it false until
    we find a convergeance with another viable path
(b) if we're doing path-sensitive symex then we do tail duplication, and there are no control-flow
    convergeances. Keep the guard as-was.
(c) if we're executing a multi-threaded program then symex_assume_l2 uses the guard to accumulate
    assumptions, which we must not discard.

In truth this optimisation is applicable whenever a block postdominates another, but function
structure gives us a cheap way to establish postdominance without analysis (in the absence of
setjmp/longjmp at least)

Author: smowton

regression/cbmc/residual-guards-1/test.c

@@ -0,0 +1,19 @@
+void g()
+{
+  g();
+}
+
+void f(int y)
+{
+  if(y == 5)
+  {
+    g();
+    y = 10;
+  }
+}
+
+int main(int argc, char **argv)
+{
+  f(argc);
+  assert(argc == 1);
+}

regression/cbmc/residual-guards-1/test.desc

@@ -0,0 +1,14 @@
+CORE paths-lifo-expected-failure
+test.c
+--show-vcc --unwind 10
+^\{1\} main::argc!0@1#1 = 1$
+^EXIT=0$
+^SIGNAL=0$
+--
+^\{-[0-9]+\} f::y!0@1#[0-9]+ = 10$
+--
+This checks that the assertion, argc == 1, is unguarded (i.e. is not of the form 
+'guard => condition'). Such a guard is redundant, but could be added before goto-symex
+made sure to restore guards to their state at function entry.
+We also check that no VCC is created for the unreachable code 'y = 10;'
+--paths mode is excluded as it currently always accrues large guards as it proceeds through execution

regression/cbmc/residual-guards-1/test_execution.desc

@@ -0,0 +1,11 @@
+CORE
+test.c
+--unwind 10
+^\[main\.assertion\.[0-9]+\] line [0-9]+ assertion argc == 1: FAILURE$
+^VERIFICATION FAILED$
+^EXIT=10$
+^SIGNAL=0$
+--
+--
+The main test is in test.desc; this just checks that the test is executable and
+the assertion fails as expected.

regression/cbmc/residual-guards-2/test.c

@@ -0,0 +1,16 @@
+void f(int y)
+{
+  if(y == 5)
+  {
+    for(int i = 0; i < 20; ++i)
+    {
+    }
+    y = 10;
+  }
+}
+
+int main(int argc, char **argv)
+{
+  f(argc);
+  assert(argc == 1);
+}

regression/cbmc/residual-guards-2/test.desc

@@ -0,0 +1,12 @@
+CORE paths-lifo-expected-failure
+test.c
+--show-vcc --unwind 10
+^\{1\} main::argc!0@1#1 = 1$
+^EXIT=0$
+^SIGNAL=0$
+--
+--
+This checks that the assertion, argc == 1, is unguarded (i.e. is not of the form 
+'guard => condition'). Such a guard is redundant, but could be added before goto-symex
+made sure to restore guards to their state at function entry.
+--paths mode is excluded as it currently always accrues large guards as it proceeds through execution

regression/cbmc/residual-guards-2/test_execution.desc

@@ -0,0 +1,11 @@
+CORE
+test.c
+--unwind 10
+^\[main\.assertion\.[0-9]+\] line [0-9]+ assertion argc == 1: FAILURE$
+^VERIFICATION FAILED$
+^EXIT=10$
+^SIGNAL=0$
+--
+--
+The main test is in test.desc; this just checks that the test is executable and
+the assertion fails as expected.

regression/cbmc/residual-guards-2/unreachable-code.desc

@@ -0,0 +1,9 @@
+FUTURE
+test.c
+--show-vcc --unwind 10
+^EXIT=0$
+^SIGNAL=0$
+--
+^\{-[0-9]+\} f::y!0@1#[0-9]+ = 10$
+--
+We also check that no VCC is created for the unreachable code 'y = 10;'

regression/cbmc/residual-guards-3/test.c

@@ -0,0 +1,19 @@
+void g(int x)
+{
+  return g(x + 1);
+}
+
+void f(int y)
+{
+  if(y == 5)
+  {
+    g(1);
+    y = 10;
+  }
+}
+
+int main(int argc, char **argv)
+{
+  f(argc);
+  assert(argc == 1);
+}

regression/cbmc/residual-guards-3/test.desc

@@ -0,0 +1,14 @@
+CORE paths-lifo-expected-failure
+test.c
+--show-vcc --depth 1000
+^\{1\} main::argc!0@1#1 = 1$
+^EXIT=0$
+^SIGNAL=0$
+--
+^\{-[0-9]+\} f::y!0@1#[0-9]+ = 10$
+--
+This checks that the assertion, argc == 1, is unguarded (i.e. is not of the form 
+'guard => condition'). Such a guard is redundant, but could be added before goto-symex
+made sure to restore guards to their state at function entry.
+We also check that no VCC is created for the unreachable code 'y = 10;'
+--paths mode is excluded as it currently always accrues large guards as it proceeds through execution

regression/cbmc/residual-guards-3/test_execution.desc

@@ -0,0 +1,11 @@
+CORE
+test.c
+--depth 1000
+^\[main\.assertion\.[0-9]+\] line [0-9]+ assertion argc == 1: FAILURE$
+^VERIFICATION FAILED$
+^EXIT=10$
+^SIGNAL=0$
+--
+--
+The main test is in test.desc; this just checks that the test is executable and
+the assertion fails as expected.