Update VCLLVM (now Pallas) to LLVM 17, update to newest VerCors version, and convert more instructions to COL

[superaxander]

Summary

This PR updates VCLLVM to LLVM 17 and updates it to work with the current VerCors. Additionally more instructions converted into COL, there is support for loops, pointers, structs, and more. This also includes changes to the C and PVL frontends for pointers and ByValueClass encoding. (i.e. structs)

Detailed list of changes

General

• Ignore a quantifier in SimplifyNestedQuantifiers if it contains a non-inline trigger (it was erroneously rewriting a generated trigger)
• Make the ParBlockEncoder treat a unary minus as a constant operator (this was needed for one of the HaliVer examples to verify)
• Update to silicon commit viperproject/silicon@2030e3e to improve verification performance for quantified heap chunks (PR: Consolidating quantified field and predicate chunks viperproject/silicon#860)
• Add clang-format to the commit hooks to format the C++ code before every commit

Pallas

• Rename VCLLVM to Pallas
• Update Pallas to LLVM 17 from LLVM 15
• Switch from Pallas as a standalone application to a plugin that can be loaded by the LLVM framework
• Add support for more LLVM-IR instructions
  • AllocA (allocating variables on the stack eliminating the need for the mem2reg pass before verification)
  • GetElementPtr (indexing structs arrays and vectors, currently only with statically known offsets)
  • Load/Store (loading and storing values behind pointers)
  • SExt, ZExt, Trunc (since we only deal with mathematical integers these are translated as no-ops for now)
• Add support for more LLVM-IR types
  • Structs
  • Pointers (including some very basic function pointer support)
  • Arrays/Vectors (these are currently treated as the same)
• Add support for more LLVM-IR elements:
  • Global variables
  • Loops (Branch instructions are transformed into ifs + goto and then the goto's are replaced with actual (while) loops. This uses LLVM's loop analyses to find the header and body of the loop)
  • More constant types
  • Implicit pointer casts (based on C support described below, but with automatic type inference since LLVM omits pointer types)
• Pass in debug locations from the LLVM-IR to VerCors so that error locations in the original source files can be pointed out

C (changes superceding #1172 and #1227)

• Change permission syntax such that it always takes a pointer except when unfolding a struct permission
  • Permission to write a field f of struct value a becomes Perm(&a.f, write) instead of Perm(a.f, write)
  • Permission to write all fields of a struct value a becomes Perm(a, write) (or if a is a pointer to a struct you'd have Perm(a, write) ** Perm(*a, write))
• Replace struct encoding with a new one based on ADTs (called ByValueClass in the code) containing pointers (related: Encoding structs (and pointers to structs) #1194, Split Class into ByReferenceClass and ByValueClass #1227)
  • Allow casting pointers to structs to pointers to their first element (possibly multiple layers deep), also allow casting these pointers back up
  • Allow passing around void pointers to have pointers that might not always point to the same type
  • Allow getting a pointer to a struct field
  • Ensure struct values are always treated as values instead of references (this was already true in most cases but could not be guaranteed because unrelated passes were allowed to treat the struct as a Java/PVL class)
• Enable getting the address of local and global variables (related: Allow the use of pointers to things that are not a reference type #1172)
  • Variables that have their address taken are automatically upgraded to pointer types
  • Currently no automatic permission annotations are generated for local variables so this may be confusing if you have a local variable that you need to declare access for in a loop invariant. (however in every case where this would occur you would not have been able to verify the program previously because of the address-of operator) Generating permission would likely be feasible
• Add a new pointer type that can never be null (also replaces some of the changes in Encode that malloc may return NULL in C (weaken postcondition) #1239)
• Improve some of the names (which used to be unknownN in the resulting viper file to help with debugging
• Remove Viper field access from triggers where DerefPointer or PointerSubscript are the top-level expression (this is generally better for verification performance)

PVL

• Add the * and & operators to PVL to work with pointer values (which could also already be used through the pointer<T> ADT)
• Add VerCors option --contract-import-file which allows importing method contracts and types from a PVL file which will replace the function signature/contract of the LLVM function with the same name (this will likely be removed later once Robert's specification stuff gets merged in but is necessary now to test the LLVM frontend)

To do:

• Update the wiki

[pieter-bos]

Hey nice work, just a quick general comment while you work on this: I've realized that we're starting to do too much logic in the Lang{_}ToCol passes (i.e. the "unskippable" part), things should be in the transformation stage. The solution is to just adopt more nodes into the "core" of col: I think all reasonable language features should live there, so col-core is a ~superset of all our input languages. I don't mind duplicates (so by all means make a col equivalent of LLVM nodes so the initial translation is simple), but I'd encourage you to think about language features we should add into col.

[superaxander]

Hey nice work, just a quick general comment while you work on this: I've realized that we're starting to do too much logic in the Lang{_}ToCol passes (i.e. the "unskippable" part), things should be in the transformation stage. The solution is to just adopt more nodes into the "core" of col: I think all reasonable language features should live there, so col-core is a ~superset of all our input languages. I don't mind duplicates (so by all means make a col equivalent of LLVM nodes so the initial translation is simple), but I'd encourage you to think about language features we should add into col.

Yeah that makes sense I've so far not touched any of the transformation stuff so I don't quite know what goes in rewrite/, resolve/, etc. But indeed I already felt like some of the things I'm adding will be relevant more broadly.

[superaxander]

My current plan is to remove the changes from #1172 such that this can be merged without affecting any other parts of the code. I had some issues with the new Ubuntu 24.02 image (which I'm using to get LLVM-17) but the last few runs seem to have worked instead of being suddenly cancelled.

[superaxander]

Marking this as ready for review since I basically just want to add some tests now before merging this

[bobismijnnaam]

There you go! Good work!