Warnings and Dead Code Handling for noreturn

[just-max]

Resolves #501.

Changes:

• on return of a function, warn if the function is marked noreturn,
• after call of a function, raise Deadcode if the option sem.noreturn.dead_code is enabled.

Added an Other variant to undefined_behavior for the message category, but could also just as well be category Unknown.

---

However, from what I can tell there's an issue here with how CIL handles noreturn. Here are the CFGs generated for the following function, once marked with noreturn and once unmarked:

void without_noreturn(int x) {
  if (x)
    abort();
}

noreturn void with_noreturn(int x) {
  if (x)
    abort();
}

CFG for without_noreturn

CFG for with_noreturn

My guess is that reaching the end of a noreturn function is undefined behaviour, so CIL is allowed to do this.

[just-max]

We found the problem to be that the CFG construction in Goblint checks the number of (real) successors of an If statement. In the case of two successors, these would typically be the first statements of the true and of the false blocks. If there is only one successor, Goblint assumes it to be the successor in both branches. That's an assumption that doesn't hold if there is no else block and nothing after the if statement in the function. This is the case in a noreturn function processed in CIL, which is why the CFG ends up having the Neg edge to the successor in the true block (abort(), in this case).

We decided to add an option in CIL so that functions that fall through (can reach the end of the body), yet don't contain return statements, always get a return statement added by CIL—even those marked noreturn, which was previously not the case. PR for CIL incoming.

[just-max]

still depends on goblint/cil#129, otherwise ready to merge

[michael-schwarz]

I merged the CIL PR. Could you update the pin in the opam files so we can see if the CI is happy then?

[just-max]

should be ready now

[michael-schwarz]

LGTM, thank you!