CONTRACTS: havoc all statics by default

[remi-delmas-3000]

For soundness, automatically havoc all statics as soon as loop or function contracts are checked (same effect as --nondet-static). Variables can still be manually excluded using --nondet-static-exclude.

Havocing is not activated if only --replace-call-with-contract is used in an otherwise classic harness-based proof (we already automatically detect static variables modified by a function and havoc them during replacement).

• Each commit message has a non-empty body, explaining why the change was made.
• Methods or procedures I have added are documented, following the guidelines provided in CODING_STANDARD.md.
• The feature or user visible behaviour I have added or modified has been documented in the User Guide in doc/cprover-manual/
• Regression or unit tests are included, or existing tests cover the modified code (in this case I have detailed which ones those are in the commit message).
• My commit message includes data points confirming performance improvements (if claimed).
• My PR is restricted to a single feature or bugfix.
• White-space or formatting changes outside the feature-related changed lines are in commits of their own.

[codecov]

Codecov Report

Merging #6829 (f2935a3) into develop (3df1868) will increase coverage by 0.74%.
The diff coverage is 84.55%.

@@             Coverage Diff             @@
##           develop    #6829      +/-   ##
===========================================
+ Coverage    77.04%   77.79%   +0.74%     
===========================================
  Files         1594     1567      -27     
  Lines       185287   179719    -5568     
===========================================
- Hits        142763   139809    -2954     
+ Misses       42524    39910    -2614     

Impacted Files	Coverage Δ
src/goto-instrument/contracts/contracts.h	100.00% <ø> (ø)
src/goto-instrument/cover_basic_blocks.h	100.00% <ø> (ø)
src/goto-instrument/nondet_static.cpp	96.92% <ø> (ø)
src/goto-instrument/source_lines.h	100.00% <ø> (ø)
src/goto-programs/show_properties.cpp	64.42% <47.82%> (-5.82%)	⬇️
src/goto-checker/cover_goals_report_util.cpp	90.09% <68.96%> (-8.61%)	⬇️
...ecode/java_virtual_functions/virtual_functions.cpp	100.00% <100.00%> (ø)
src/goto-instrument/contracts/contracts.cpp	94.46% <100.00%> (+0.04%)	⬆️
src/goto-instrument/cover_basic_blocks.cpp	89.09% <100.00%> (-1.68%)	⬇️
src/goto-instrument/cover_instrument_location.cpp	94.73% <100.00%> (ø)
... and 72 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 8699438...f2935a3. Read the comment docs.

[tautschnig]

Approving except for the one debug left-over.

[feliperodri]

LGTM apart from some debug leftovers.

[remi-delmas-3000]

Hi, I answered @feliperodri 's questions and fixed the missing newline, this should be good to go now.

[feliperodri]

@chris-ryder @martin-cs @peterschrammel could you take a look at this PR? It's missing a code owner review.

[peterschrammel]

Having goto_model, symbol_table and goto_functions is redundant.
Either have goto_model or symbol_table+goto_functions. I'd prefer the former.

[peterschrammel]

Ah, ok, I see. You are just using them as shortcuts for the goto_model members. That's fine.

[tautschnig]

But then I wonder: is it really useful to have these at class level?

[peterschrammel]

Yes, might still be confusing that changing one thing has side effects on the other.

[remi-delmas-3000]

Hi! I had to add the goto_model as a class member because the nondet static call I needed to add requires a goto_model. I also think that exploding the goto_model into shortcuts to its members is confusing as it could make you think these members are disconnected in some way. But it also seems like this style of having shortcuts to the symbol table, namespace of function maps like this occurs in several places in the codebase.
Do you want me to do a cleanup pass and remove shortcuts ?

[tautschnig]

Yes, I would suggest that we clean out these particular short cuts. Note that the situation is a bit different from the widespread use of a namespace member for there is no risk of confusion as to whether a namespace is different or the same as the member of another class member. (In other words: the current code raises the question whether .symbol_table is the same as .goto_model.symbol_table or not.)