Make DFCC is_dead_object_update less restrictive

[tautschnig]

GOTO programs are free to use different ways to assign to __CPROVER_dead_object. Any such assignment that does not match the expected pattern can then safely be ignored.

• Each commit message has a non-empty body, explaining why the change was made.
• n/a Methods or procedures I have added are documented, following the guidelines provided in CODING_STANDARD.md.
• n/a The feature or user visible behaviour I have added or modified has been documented in the User Guide in doc/cprover-manual/
• Regression or unit tests are included, or existing tests cover the modified code (in this case I have detailed which ones those are in the commit message).
• n/a My commit message includes data points confirming performance improvements (if claimed).
• My PR is restricted to a single feature or bugfix.
• n/a White-space or formatting changes outside the feature-related changed lines are in commits of their own.

[tautschnig]

@remi-delmas-3000 Why are we tracking __CPROVER_dead_object assignments rather than just using DEAD statements?

[remi-delmas-3000]

@remi-delmas-3000 Why are we tracking __CPROVER_dead_object assignments rather than just using DEAD statements?

The use of __builtin_alloca for dynamic stack allocation, for instance, produces these __CPROVER_dead_object updates instead of DEAD instructions.

From the point of view of frame condition checking, not failing on an assignment to a dead object is unsound, so instead of having a soundness hole in the contracts instrumentation and defaulting to the underlying CBMC checks for such cases, I chose to error out when instrumenting any assignment to __CPROVER_dead_object that does not match the only pattern I knew when designing the instrumentation. This would mean that there is potentially another way to create stack objects that I don't know about, and I would need to at least take a look and make sure it is handled properly.

[tautschnig]

Ah, thank you for explaining why looking at DEAD wouldn't be sufficient. With the proposed change we'd still be picking up all the updates produced by the C front-end, but won't fail on what Kani intends to produce.

[remi-delmas-3000]

but won't fail on what Kani intends to produce.
How about abstracting away the details and introducing a __CPROVER_object_dead(ptr) function to signal an object's death instead of directly manipulating the __CPROVER_dead_object variable ?

[tautschnig]

How about abstracting away the details and introducing a __CPROVER_object_dead(ptr) function to signal an object's death instead of directly manipulating the __CPROVER_dead_object variable ?

We could indeed encapsulate this in a (library) function, but either way it will remain an implementation detail of the C front-end. Eventually Kani will create its own tracking variable for Rust checks. Either way, I think this is out of scope for this PR?