Support witnesses with ghost variables

[schuessf]

This PR adds support for the validation of witnesses that contain ghost variables. Namely the entry-types (that are not official yet) in YAML-witnesses ghost_variable and ghost_update can now be handled in the validation. The validation of those entry-types works in a similar fashion to the existing entry-type invariant: We translate them to ACSL, s.t. the entries instrumented are in our Boogie-Code. This instrumentation uses ghost code in ACSL that is now supported (see #649).

[bahnwaerter]

Thanks @schuessf for your great work. Your changes look good to me. However, make sure that new files always contain a license header.

[schuessf]

Needs to be revised (after SV-COMP), because the format for YAML witnesses has changed and we also use a different parser.

[maul-esel]

Thanks for adding this support. I've looked through the changes and marked some points that could be improved or clarified.

[maul-esel]

This seems similar but slightly different from the case GhostVariable.NAME code above. What is the reason to have both? Does it have to do with different versions of the format?

[schuessf]

Yes, exactly, this function is used for the format version 2.1 (therefore this function is called in the case "ghost_instrumentation"), while the one above is used for version 0.1. The slight difference is variable vs. name as field name for the name of the ghost variable.

[maul-esel]

See above: It seems like a lot of effort just to keep supporting a draft format version proposed in a workshop talk. If we update our artifact repo for the workshop to point to the ULTIMATE version where this format is supported, I think we can safely abandon the old format going forward.

[schuessf]

Since the format was now adapted and Goblint also supports the new format, I removed ghost variables in version 0.1.

[bahnwaerter]

An important note: The current implementation does not follow the intended witness schema for ghost variables. The following things are different and should be changed in my opinion (in order to remain backwards compatible with the original style of the schema):

• ghost_variables and ghost_updates are not put under content (like the invariant_set entry type does).
• Expressions of ghost_variables and ghost_updates are not represented correctly. They are composed of a value and format field instead of directly assigning the value to the expression field.

[bahnwaerter]

Looks great! Now the implementation follows our final correctness witness schema with ghosts.

[maul-esel]

Looks good! I only left some minor comments.

[maul-esel]

question: what are these declarations? how are they related to the declaration added after the loop? should all of them be global?

[schuessf]

Previously res itself contained the declarations. This was however changed, this loop can be removed.

[maul-esel]

Can the initialization require declarations of other variables? e.g. auxvars? (though they should probably not be global)

[schuessf]

Currently this is not possible, since we (luckily) restricted the ghost updates, s.t. they can only have a primitive type and their initial value can only be a constant expression. If we wanted to be less restrictive, we probably need to adapt this anway (as it seems, we cannot add aux-vars or local declarations to the init-procedure here).

[maul-esel]

I think we said in the schema that the expression may be any expression over global variables, right @bahnwaerter?

[maul-esel]

(side-effect-free and without undefined behaviour, of course)

[schuessf]

The only variables allowed in this expression are the global variables of the program.
The expression is evaluated after global variables declared in the program are initialized.

Okay, I see, then there might be aux-vars involved, e.g. if a ghost variable is initialized by a read of a global array.
But in that case the second sentence is problematic. Currently we initialize the ghost variables (in ULTIMATE.init) before the program. To match the specification, we would need to initialize the ghost variables at the very end, i.e., between dispatching the actual program, but before calling PostProcessor (where the ULTIMATE.init procedure is actually build).
I tried to implement this in f6123d9, but I am not sure, if this is a nice solution...

[maul-esel]

We should look into this and see if CfgBuilder can be modified to support this; perhaps next week.

It's not a blocker for the merge though.

[schuessf]

This PR has canged the behaiour for location invariants, they are now added inside an atomic-block. Therefore some witness-tests (e.g. this) fail now with an AssertionError: Atomic section must begin with ICFG location.

@maul-esel Since you worked recently on atomic blocks, why is this the case?

[maul-esel]

The problem seems to be an atomic block in dead code, due to a wrong instrumentation of invariants pointing to labels. The instrumented Boogie program contains the following code:

    ...
    #res := 0;
    return;
    atomic {
        assert false;
    }
  ERROR:
    assert { :reach "ERROR_FUNCTION","reach_error" } false;
    ...

The witness specifies the invariant false at the location for the label. I don't know if we have definitively fixed the semantics for location invariants at labels, but I would expect them to hold whenever one jumps to the label. I've committed a fix for these cases, have a look if you agree.

[maul-esel]

Incidentally, to add regression tests for these kinds of bugs (the instrumentation was wrong, even if the atomic wouldn't have caused it to crash) we would need to support tests where we expect a witness to be rejected. We should add that in the future (maybe we can base it on our planned experiments comparing with other validators).