Abort after failing C assert

[tautschnig]

The C standard specifies behaviour of the "assert" macro as resulting in
an abort when the condition does not evaluate to true. Implement this
behaviour by inserting assume(0) after assert(0).

Fixes: #5505

• Each commit message has a non-empty body, explaining why the change was made.
• n/a Methods or procedures I have added are documented, following the guidelines provided in CODING_STANDARD.md.
• The feature or user visible behaviour I have added or modified has been documented in the User Guide in doc/cprover-manual/
• Regression or unit tests are included, or existing tests cover the modified code (in this case I have detailed which ones those are in the commit message).
• n/a My commit message includes data points confirming performance improvements (if claimed).
• My PR is restricted to a single feature or bugfix.
• n/a White-space or formatting changes outside the feature-related changed lines are in commits of their own.

[codecov]

Codecov Report

Merging #5866 (9940fd9) into develop (e021eef) will decrease coverage by 2.43%.
The diff coverage is 62.50%.

❗ Current head 9940fd9 differs from pull request most recent head 76491eb. Consider uploading reports for the commit 76491eb to get more accurate results

@@             Coverage Diff             @@
##           develop    #5866      +/-   ##
===========================================
- Coverage    76.74%   74.30%   -2.44%     
===========================================
  Files         1579     1447     -132     
  Lines       182171   157796   -24375     
===========================================
- Hits        139802   117257   -22545     
+ Misses       42369    40539    -1830     

Impacted Files	Coverage Δ
src/goto-programs/builtin_functions.cpp	55.32% <55.55%> (-1.55%)	⬇️
src/goto-instrument/goto_program2code.cpp	69.15% <71.42%> (+0.37%)	⬆️
unit/unit_tests.cpp	0.00% <0.00%> (-100.00%)	⬇️
src/goto-checker/goto_verifier.h	0.00% <0.00%> (-100.00%)	⬇️
src/goto-cc/linker_script_merge.h	0.00% <0.00%> (-100.00%)	⬇️
src/goto-instrument/wmm/shared_buffers.h	0.00% <0.00%> (-95.46%)	⬇️
src/goto-instrument/document_properties.cpp	0.00% <0.00%> (-89.35%)	⬇️
src/goto-instrument/uninitialized.cpp	0.00% <0.00%> (-87.76%)	⬇️
src/goto-programs/link_goto_model.cpp	0.00% <0.00%> (-85.51%)	⬇️
src/analyses/uninitialized_domain.cpp	0.00% <0.00%> (-81.09%)	⬇️
... and 1310 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update e08c77d...76491eb. Read the comment docs.

[peterschrammel]

I think this requires a thorough documentation review since __CPROVER_assert is now the default way to specify non-aborting properties. Some downstream CBMC users might not operate with abort-semantics in mind.

Side note: JBMC does something similar (in one of its modes)

cbmc/jbmc/src/java_bytecode/java_bytecode_convert_method.cpp

Lines 2444 to 2446 in f4edb72

	// we translate athrow into
	// ASSERT false;
	// ASSUME false:

[peterschrammel]

❓ Do we need a convenienve overload without the comment argument since __CPROVER_assert is now the default way to specify non-aborting properties?

[hannes-steffenhagen-diffblue]

Sounds like a good idea to me

[hannes-steffenhagen-diffblue]

IMHO this sounds like the right way to go forward with this. I do also agree with @peterschrammel though that this requires us going through documentation and making sure we don't say anything wrong now, and for the other I think this should result in a major version bump.

[TGWDB]

Have we lost something useful and helpful here by not showing any detail of the assertion that failed? (I realise the empty messages may contribute to this, but with the comment of @peterschrammel above perhaps we should consider having the same behaviour in our override?)

[martin-cs]

+1 these should give a message...

[martin-cs]

We are doing a similar assert/assume thing for Ada.

As regards updating -- this always used to be how assert() worked. I guess it must have been removed at some point? There were a few years where there was ... ambiguity over the semantics of assert.

[martin-cs]

A good and useful thing to do. I won't block this but I do agree with others that this needs to be clearly communicated (or, at least, "If you want a non-terminating check, use __CPROVER_assert()").

One thought : it feels like assert should be implementable in the C library (possibly with a macro to copy the expression into the string so that we don't have the problem with loss of messages that @TGWDB flagged). I am generally in favour of modelling going in the library in C where possible.

[SaswatPadhi]

I have one small comment that I had mentioned to @tautschnig this morning:

The semantics for ASSUME statement currently is stated (in src/goto-programs/goto_program.h) as:

This thread of execution waits for guard to evaluate to true.
Assume does not "retro-actively" affect the thread or any ASSERTs.

This means, if the guard evaluates to false, it would keep waiting forever as opposed to aborting (as mandated by C assert semantics).

It seems to me that THROW might be the closest we have to an aborting goto primitive, but I'm not sure.

[martin-cs]

@SaswatPadhi This is a sensible and a valid concern but I think that assume is the right thing to do. Our (informal) model of execution has nothing happen after termination, so in the single threaded case, an abrupt termination and an infinite loop are indistinguishable. The multi-threaded case is a little more complex and I haven't worked on it so I am probably not the best person to ask but I don't think we have a way of distinguishing a "hung" thread from one that terminates early, so, again, this is not an issue.

THROWand CATCH... TBH their semantics are even less clear to me. I think the clearest explanation is the code that removes them. This is different for C++ and Java. In practice they are removed early on so I don't think we should be introducing them, esp. in things like C that don't have an exception model at all.

[tautschnig]

Marking do-not-merge as this likely wants a major-version bump. Otherwise it should be ready for (re-)review.

[esteffin]

We are considering to include this PR into version 6.

However we should make sure that we do add the documentation specifying that assert is blocking as opposed to __CPROVER_assert that is not.

[tautschnig]

This is a major undertaking with limited added value. Users could choose to add their own assert macro that exhibits this behaviour. Closing as we are unlikely to find time to work on this anytime soon.