Chalice: Only show the "first" smoke warning, as once the prover is able to show false, all follwoing attempts will always succeed. However, smoke warnings on different paths through a method are still all reported.

Also, the places where to insert "assert false" are chosen more carefully (essentially always all statements that inhale something).
Update test reference outputs accordingly.

28 files changed, 215 insertions, 91 deletions

diff --git a/Chalice/src/SmokeTest.scala b/Chalice/src/SmokeTest.scala
index 9e141e31..bf2622ce 100644
--- a/Chalice/src/SmokeTest.scala
+++ b/Chalice/src/SmokeTest.scala
@@ -13,8 +13,24 @@ import scala.util.parsing.input.NoPosition
  */

 object SmokeTest {

 

-  /** Map from error message ID's to their position and error message */

-  private var errorMessages: scala.collection.SortedMap[Int, (Position, String)] = scala.collection.SortedMap()

+  /** SmokeAssert is used to keep track of the position and real error message

+   *  associated with a certain assert statement. Also, we build a DAG of

+   *  SmokeAssert that essentially corresponds to the control flow graph (the

+   *  member prev is used to record the in-edges of every SmokeAssert). This

+   *  graph is then used to omit certain warnings (e.g., if the precondition is

+   *  already false, we do not need to report that the method end cannot be

+   *  reached, too).

+   */

+  case class SmokeAssert(id: Int, pos: Position, msg: String, prev: Set[SmokeAssert], chaliceAssert: Assert) {

+    var warning: Boolean = false // did this "assert false" generate a warning? (i.e. did it not generate a Boogie error?)

+  }

+  /** Serves as a sentinel for the first assert (which should always cause a

+   *  warning, thus SmokeAssertSentinel.warning = false

+   */

+  object SmokeAssertSentinel extends SmokeAssert(-1, NoPosition, "", Set(), null)

+

+  /** Map from error message ID's to their SmokeAssert object */

+  private var smokeAssertions: Map[Int,SmokeAssert] = Map()

   private var count: Int = 0 // current error message id

   

   /** Process the output of Boogie and generate the correct warnings from smoke testing */

@@ -30,26 +46,38 @@ object SmokeTest {
       case SummaryPattern(verified, errors) => outcome = Some((verified.toInt,errors.toInt))

       case _ => verificationResult += s + "\n"

     }

-    val smokeTestAssertions = errorMessages.size

-    val smokeTestWarnings = smokeTestAssertions - smokeErrors.size

     

+    // check which smoke assertions failed

+    for ((errNr, s@SmokeAssert(_, pos, msg, prev, _)) <- smokeAssertions) yield {

+      s.warning = !smokeErrors.contains(errNr)

+    }

+    

+    var smokeTestWarnings = 0

     val smokeResult = {

       var t = "";

-      for ((errNr, (pos, msg)) <- errorMessages) yield {

-        if (!smokeErrors.contains(errNr)) {

-          t += "  " + pos + ": " + msg + "\n"

+      for (s@SmokeAssert(_, pos, msg, prev, _) <- smokeAssertions.values.toList.sortWith((a,b) => a.pos < b.pos)) yield {

+        if (s.warning) {

+          if (s.prev.exists(a => !a.warning)) { // omit warning if all ancestors created a warning

+            t += "  " + pos + ": " + msg + "\n"

+            smokeTestWarnings += 1

+          }

         }

       }

       t

     }

     

-    verificationResult +

-    smokeResult + (if (smokeResult != "") "\n" else "") +

-    (outcome match {

+    var realErrors = -1

+    val status = (outcome match {

       case None => ""

       case Some((verified,errors)) =>

-        "Boogie program verifier finished with " + (errors-smokeErrors.size) + " errors and " + smokeTestWarnings + " smoke test warnings."

+        realErrors = errors-smokeErrors.size

+        "Boogie program verifier finished with " + realErrors + " errors and " + smokeTestWarnings + " smoke test warnings."

     })

+    

+    verificationResult +

+    (if (realErrors > 0) "The program did not fully verify; the smoke warnings might be misleading if contradictions are introduced by failing proof attempts of the verification.\n" else "") + 

+    smokeResult + (if (smokeResult != "") "\n" else "") +

+    status

   }

   

   /** Add smoke assertions for to a program. */

@@ -74,61 +102,108 @@ object SmokeTest {
   

   /** Add smoke assertions for a method (if necessary). */

   private def smokeMethod(method: Method) = {

-    var newbody = smokeStmt(method.body)

-    val preassert = smokeAssert(method.pos, "Precondition of method " + method.Id + " is equivalent to false.")

-    val postassert = smokeAssert(method.pos, "The end of method " + method.Id + " is unreachable.")

-    newbody = preassert :: newbody ::: postassert :: Nil

+    val preassert = initSmokeAssert(method.pos, "Precondition of method " + method.Id + " is equivalent to false.")

+    var (newbody, bodyout) = smokeStmt(method.body, Set(preassert))

+    val postassert = initSmokeAssert(method.pos, "The end of method " + method.Id + " is unreachable.", bodyout)

+    newbody = preassert.chaliceAssert :: newbody ::: postassert.chaliceAssert :: Nil

     Method(method.id, method.ins, method.outs, method.spec, newbody)

   }

   

   /** Add smoke assertions for multiple statements (if necessary). */

-  private def smokeStmt(stmts: List[Statement]): List[Statement] = {

-    (for (s <- stmts) yield copyPosition(s, smokeStmt(s))).flatten

+  private def smokeStmt(stmts: List[Statement], in: Set[SmokeAssert]): (List[Statement], Set[SmokeAssert]) = {

+    var tmp = in

+    val newstmts = (for (s <- stmts) yield {

+      val (sstmts, sout) = smokeStmt(s, tmp)

+      tmp = sout

+      copyPosition(s, sstmts)

+    }).flatten

+    (newstmts, tmp)

   }

   

   /** Add smoke assertions for a statement (if necessary). */

-  private def smokeStmt(stmt: Statement): List[Statement] = {

-    stmt match {

-      case Assume(_) => stmt :: smokeAssert(stmt.pos, "Assumption might introduce a contradiction.") :: Nil

-      case BlockStmt(ss) => smokeStmt(ss)

+  private def smokeStmt(stmt: Statement, in: Set[SmokeAssert]): (List[Statement], Set[SmokeAssert]) = {

+    var out = in

+    val result = stmt match {

+      // composite statements

+      case BlockStmt(ss) =>

+        val (smokestmts, blocksmoke) = smokeStmt(ss, in)

+        out = blocksmoke

+        smokestmts

       case ifs@IfStmt(guard, BlockStmt(then), els) =>

-        val newthen = smokeStmt(then) ::: smokeAssert(ifs.pos, "The end of the if-branch is unreachable.") :: Nil

+        val thensmoke = initSmokeAssert(ifs.pos, "The begging of the if-branch is unreachable.", in)

+        val (thensmokestmts, thenout) = smokeStmt(then, Set(thensmoke))

+        out = thenout

+        val newthen = thensmoke.chaliceAssert :: thensmokestmts

         val newelse = els match {

-          case None => None

-          case Some(s) => Some(BlockStmt(smokeStmt(s) ::: smokeAssert(ifs.pos, "The end of the else-branch is unreachable.") :: Nil))

+          case None =>

+            out ++= in

+            None

+          case Some(s) =>

+            val elsesmoke = initSmokeAssert(ifs.pos, "The begging of the else-branch is unreachable.", in)

+            val (blocksmokestmts, blockout) = smokeStmt(s, Set(elsesmoke))

+            out ++= blockout

+            Some(BlockStmt(elsesmoke.chaliceAssert :: blocksmokestmts))

         }

         IfStmt(guard, BlockStmt(newthen), newelse) :: Nil

       case WhileStmt(guard, oldInvs, newInvs, lkch, BlockStmt(body)) =>

-        val newbody = smokeStmt(body) ::: smokeAssert(stmt.pos, "The end of the while-body is unreachable.") :: Nil

-        WhileStmt(guard, oldInvs, newInvs, lkch, BlockStmt(newbody)) :: Nil

+        val whilesmoke = initSmokeAssert(stmt.pos, "The begging of the while-body is unreachable.", in)

+        val (whilesmokestmts, whileout) = smokeStmt(body, Set(whilesmoke))

+        val whileaftersmoke = initSmokeAssert(stmt.pos, "The statements after the while-loop are unreachable.", in)

+        val whileendsmoke = initSmokeAssert(stmt.pos, "The end of the while-loop is unreachable.", whileout)

+        out = Set(whileaftersmoke)

+        val newbody = whilesmoke.chaliceAssert :: whilesmokestmts ::: whileendsmoke.chaliceAssert :: Nil

+        WhileStmt(guard, oldInvs, newInvs, lkch, BlockStmt(newbody)) :: whileaftersmoke.chaliceAssert :: Nil

       case Lock(obj, BlockStmt(body), rdLock) =>

-        Lock(obj, BlockStmt(smokeStmt(body)), rdLock) :: Nil

-      case _: RefinementBlock => stmt :: Nil

+        val locksmoke = initSmokeAssert(stmt.pos, "The begging of the lock-block is unreachable.", in)

+        val (blocksmokestmts, blockout) = smokeStmt(body, Set(locksmoke))

+        out = blockout

+        Lock(obj, BlockStmt(locksmoke.chaliceAssert :: blocksmokestmts), rdLock) :: Nil

+      case _: RefinementBlock =>

+        // TODO

+        stmt :: Nil

+      

+      // assumption

+      case Assume(_) =>

+        val assumeSmoke = initSmokeAssert(stmt.pos, "Assumption introduces a contradiction.", in)

+        out = Set(assumeSmoke)

+        stmt :: assumeSmoke.chaliceAssert :: Nil

       

+      // simple statements that inhale something

+      case Unfold(_) => val (stmts, sout) = smokeSimpleStmt(stmt, in, "unfold"); out = sout; stmts

+      case JoinAsync(_, _) => val (stmts, sout) = smokeSimpleStmt(stmt, in, "join"); out = sout; stmts

+      case _: Call => val (stmts, sout) = smokeSimpleStmt(stmt, in, "method call"); out = sout; stmts

+      case _: SpecStmt => val (stmts, sout) = smokeSimpleStmt(stmt, in, "specification"); out = sout; stmts

+      case Receive(_, _, _) => val (stmts, sout) = smokeSimpleStmt(stmt, in, "receive"); out = sout; stmts

+      case Acquire(_) => val (stmts, sout) = smokeSimpleStmt(stmt, in, "acquire"); out = sout; stmts

+      case RdAcquire(_) => val (stmts, sout) = smokeSimpleStmt(stmt, in, "rd acquire"); out = sout; stmts

+      

+      // any other simple statements

       case Assert(_) => stmt :: Nil

       case Assign(_, _) => stmt :: Nil

       case FieldUpdate(_, _) => stmt :: Nil

       case _: LocalVar => stmt :: Nil

-      case _: SpecStmt => stmt :: Nil

-      case _: Call => stmt :: Nil

       case Install(_, _, _) => stmt :: Nil

       case Share(_, _, _) => stmt :: Nil

       case Unshare(_) => stmt :: Nil

-      case Acquire(_) => stmt :: Nil

       case Release(_) => stmt :: Nil

-      case RdAcquire(_) => stmt :: Nil

       case RdRelease(_) => stmt :: Nil

       case Downgrade(_) => stmt :: Nil

       case Free(_) => stmt :: Nil

       case Fold(_) => stmt :: Nil

-      case Unfold(_) => stmt :: Nil

       case CallAsync(_, _, _, _, _) => stmt :: Nil

-      case JoinAsync(_, _) => stmt :: Nil

       case Send(_, _) => stmt :: Nil

-      case Receive(_, _, _) => stmt :: Nil

       case _: Signal => stmt :: Nil

       case _: Wait => stmt :: Nil

     }

+    (result, out)

+  }

+  

+  /** Helper method to add a smoke assertion after a simple (non-compound)

+   *  statement.

+   */

+  def smokeSimpleStmt(stmt: Statement, in: Set[SmokeAssert], msg: String): (List[Statement], Set[SmokeAssert]) = {

+    val smoke = initSmokeAssert(stmt.pos, "The statements after the " + msg + " statement are unreachable.", in)

+    (stmt :: smoke.chaliceAssert :: Nil, Set(smoke))

   }

   

   /** Generate an "assert false" with a certain position and a certain error

@@ -137,13 +212,17 @@ object SmokeTest {
    *  not generate warnings for all failing assertions (even if the command

    *  line switch /subsumption:0 is used).

    */

-  private def smokeAssert(pos: Position, error: String) = {

+  def initSmokeAssert(pos: Position, error: String): SmokeAssert = initSmokeAssert(pos, error, Set(SmokeAssertSentinel))

+  def initSmokeAssert(pos: Position, error: String, prev: Set[SmokeAssert]): SmokeAssert = {

     count += 1

-    errorMessages += count -> (pos, error)

-    val assert = Assert(Neq(IntLiteral(1), IntLiteral(1)))

+    val i = IntLiteral(1); i.typ = IntClass

+    val n = Neq(i, i); n.typ = BoolClass

+    val assert = Assert(n)

     assert.smokeErrorNr = Some(count)

     assert.pos = pos

-    assert

+    val sm = SmokeAssert(count, pos, error, prev, assert)

+    smokeAssertions += count -> sm

+    sm

   }

   

   /** Copy the position of an old AST node to a new node (if not already

diff --git a/Chalice/tests/examples/AssociationList.output.txt b/Chalice/tests/examples/AssociationList.output.txt
index ce20ed93..bfff3c60 100644
--- a/Chalice/tests/examples/AssociationList.output.txt
+++ b/Chalice/tests/examples/AssociationList.output.txt
@@ -3,11 +3,8 @@ Verification of AssociationList.chalice using parameters=""
   19.3: The postcondition at 21.13 might not hold. Insufficient fraction at 21.13 for mu.
   64.9: Method execution before loop might lock/unlock more than allowed by lockchange clause of loop.
 
-  75.11: The end of the if-branch is unreachable.
-  79.13: The end of the if-branch is unreachable.
-  79.13: The end of the else-branch is unreachable.
-  75.11: The end of the else-branch is unreachable.
-  64.9: The end of the while-body is unreachable.
-  60.7: The end of the else-branch is unreachable.
+The program did not fully verify; the smoke warnings might be misleading if contradictions are introduced by failing proof attempts of the verification.
+  64.9: The begging of the while-body is unreachable.
+  64.9: The statements after the while-loop are unreachable.
 
-Boogie program verifier finished with 2 errors and 6 smoke test warnings.

+Boogie program verifier finished with 2 errors and 2 smoke test warnings.

diff --git a/Chalice/tests/examples/CopyLessMessagePassing-with-ack.output.txt b/Chalice/tests/examples/CopyLessMessagePassing-with-ack.output.txt
index 6ea31348..b47290ea 100644
--- a/Chalice/tests/examples/CopyLessMessagePassing-with-ack.output.txt
+++ b/Chalice/tests/examples/CopyLessMessagePassing-with-ack.output.txt
@@ -1,11 +1,8 @@
 Verification of CopyLessMessagePassing-with-ack.chalice using parameters="" 

 

 
-  48.22: Assumption might introduce a contradiction.
-  48.7: The end of the if-branch is unreachable.
-  69.22: Assumption might introduce a contradiction.
-  69.7: The end of the if-branch is unreachable.
-  72.21: Assumption might introduce a contradiction.
-  72.5: The end of the if-branch is unreachable.
+  48.22: Assumption introduces a contradiction.
+  69.22: Assumption introduces a contradiction.
+  72.21: Assumption introduces a contradiction.
 
-Boogie program verifier finished with 0 errors and 6 smoke test warnings.

+Boogie program verifier finished with 0 errors and 3 smoke test warnings.

diff --git a/Chalice/tests/examples/CopyLessMessagePassing-with-ack2.output.txt b/Chalice/tests/examples/CopyLessMessagePassing-with-ack2.output.txt
index 7f53cfb3..42a63bf1 100644
--- a/Chalice/tests/examples/CopyLessMessagePassing-with-ack2.output.txt
+++ b/Chalice/tests/examples/CopyLessMessagePassing-with-ack2.output.txt
@@ -1,9 +1,7 @@
 Verification of CopyLessMessagePassing-with-ack2.chalice using parameters="" 

 

 
-  50.23: Assumption might introduce a contradiction.
-  50.7: The end of the if-branch is unreachable.
-  65.27: Assumption might introduce a contradiction.
-  65.7: The end of the if-branch is unreachable.
+  50.23: Assumption introduces a contradiction.
+  65.27: Assumption introduces a contradiction.
 
-Boogie program verifier finished with 0 errors and 4 smoke test warnings.

+Boogie program verifier finished with 0 errors and 2 smoke test warnings.

diff --git a/Chalice/tests/examples/LoopLockChange.output.txt b/Chalice/tests/examples/LoopLockChange.output.txt
index 50b446ec..19e84f93 100644
--- a/Chalice/tests/examples/LoopLockChange.output.txt
+++ b/Chalice/tests/examples/LoopLockChange.output.txt
@@ -4,9 +4,9 @@ Verification of LoopLockChange.chalice using parameters=""
   35.5: The loop might lock/unlock more than the lockchange clause allows.
   65.5: The loop might lock/unlock more than the lockchange clause allows.
 
-  10.5: The end of the while-body is unreachable.
-  3.3: The end of method Test0 is unreachable.
-  75.5: Assumption might introduce a contradiction.
-  59.3: The end of method Test4 is unreachable.
+The program did not fully verify; the smoke warnings might be misleading if contradictions are introduced by failing proof attempts of the verification.
+  10.5: The begging of the while-body is unreachable.
+  10.5: The statements after the while-loop are unreachable.
+  75.5: Assumption introduces a contradiction.
 
-Boogie program verifier finished with 3 errors and 4 smoke test warnings.

+Boogie program verifier finished with 3 errors and 3 smoke test warnings.

diff --git a/Chalice/tests/examples/PetersonsAlgorithm.output.txt b/Chalice/tests/examples/PetersonsAlgorithm.output.txt
index 185dc8e1..eddb4927 100644
--- a/Chalice/tests/examples/PetersonsAlgorithm.output.txt
+++ b/Chalice/tests/examples/PetersonsAlgorithm.output.txt
@@ -1,8 +1,8 @@
 Verification of PetersonsAlgorithm.chalice using parameters="" 

 

 
-  15.3: The end of method Main is unreachable.
-  30.3: The end of method Process0 is unreachable.
-  55.3: The end of method Process1 is unreachable.
+  23.5: The statements after the while-loop are unreachable.
+  34.5: The statements after the while-loop are unreachable.
+  59.5: The statements after the while-loop are unreachable.
 
 Boogie program verifier finished with 0 errors and 3 smoke test warnings.

diff --git a/Chalice/tests/examples/ProdConsChannel.output.txt b/Chalice/tests/examples/ProdConsChannel.output.txt
index fc436ea7..167898fb 100644
--- a/Chalice/tests/examples/ProdConsChannel.output.txt
+++ b/Chalice/tests/examples/ProdConsChannel.output.txt
@@ -5,6 +5,7 @@ Verification of ProdConsChannel.chalice using parameters=""
   85.20: Location might not be readable.
   123.7: Assertion might not hold. The expression at 123.14 might not evaluate to true.
 
-  80.5: The end of the while-body is unreachable.
+The program did not fully verify; the smoke warnings might be misleading if contradictions are introduced by failing proof attempts of the verification.
+  80.5: The end of the while-loop is unreachable.
 
 Boogie program verifier finished with 4 errors and 1 smoke test warnings.

diff --git a/Chalice/tests/examples/SmokeTestTest.chalice b/Chalice/tests/examples/SmokeTestTest.chalice
index e5384955..2f32625e 100644
--- a/Chalice/tests/examples/SmokeTestTest.chalice
+++ b/Chalice/tests/examples/SmokeTestTest.chalice
@@ -1,4 +1,3 @@
-// chalice-parameter=-smoke

 // This file is meant as a test for Chalice's smoke testing feature (command line switch -smoke)

 class Cell {

   var f: int;

@@ -77,4 +76,37 @@ class Cell {
       this.f := 1; // SMOKE: unreachable

     }

   }

+  

+  function f1(): int

+    requires false // SMOKE: precondition is false

+  { 1 }

+  

+  method a11()

+  {

+    var i: int := 0

+    if (false) {

+      // SMOKE: unreachable

+    } else {

+      if (true) { assume false } // SMOKE: introduces contradiction

+      else { assume i == 1 } // SMOKE: introduces contradiction

+    }

+  }

+  

+  method a12()

+  {

+    assume false // SMOKE: introduces contradiction

+    while (false) {

+    

+    }

+  }

+  

+  method a13()

+    ensures false // ERROR: cannot prove false

+  {

+  }

+  

+  method a14()

+  {

+    call a13(); // SMOKE: statements afterwards not reachable anymore

+  }

 }

diff --git a/Chalice/tests/examples/SmokeTestTest.output.txt b/Chalice/tests/examples/SmokeTestTest.output.txt
index 2bfce65f..0d7985d6 100644
--- a/Chalice/tests/examples/SmokeTestTest.output.txt
+++ b/Chalice/tests/examples/SmokeTestTest.output.txt
@@ -1,15 +1,19 @@
-Verification of SmokeTestTest.chalice using parameters="-smoke" 

+Verification of SmokeTestTest.chalice using parameters="" 

 

+  103.3: The postcondition at 104.13 might not hold. The expression at 104.13 might not evaluate to true.
 
-  6.3: Precondition of method a1 is equivalent to false.
-  6.3: The end of method a1 is unreachable.
-  10.3: Precondition of method a2 is equivalent to false.
-  10.3: The end of method a2 is unreachable.
-  25.5: The end of the if-branch is unreachable.
-  41.5: The end of the if-branch is unreachable.
-  51.5: Assumption might introduce a contradiction.
-  48.3: The end of method a7 is unreachable.
-  54.3: The end of method a8 is unreachable.
-  74.5: The end of the else-branch is unreachable.
+The program did not fully verify; the smoke warnings might be misleading if contradictions are introduced by failing proof attempts of the verification.
+  5.3: Precondition of method a1 is equivalent to false.
+  9.3: Precondition of method a2 is equivalent to false.
+  24.5: The begging of the if-branch is unreachable.
+  40.5: The begging of the if-branch is unreachable.
+  50.5: Assumption introduces a contradiction.
+  56.5: The statements after the while-loop are unreachable.
+  73.5: The begging of the else-branch is unreachable.
+  87.5: The begging of the if-branch is unreachable.
+  90.7: The begging of the else-branch is unreachable.
+  90.19: Assumption introduces a contradiction.
+  97.5: Assumption introduces a contradiction.
+  110.5: The statements after the method call statement are unreachable.
 
-Boogie program verifier finished with 0 errors and 10 smoke test warnings.

+Boogie program verifier finished with 1 errors and 12 smoke test warnings.

diff --git a/Chalice/tests/examples/UnboundedThreads.output.txt b/Chalice/tests/examples/UnboundedThreads.output.txt
index ccb4e93c..bd34d380 100644
--- a/Chalice/tests/examples/UnboundedThreads.output.txt
+++ b/Chalice/tests/examples/UnboundedThreads.output.txt
@@ -2,4 +2,5 @@ Verification of UnboundedThreads.chalice using parameters=""
 

   40.17: The loop invariant at 40.17 might not be preserved by the loop. Insufficient epsilons at 40.27  for C.f.
 
+The program did not fully verify; the smoke warnings might be misleading if contradictions are introduced by failing proof attempts of the verification.
 Boogie program verifier finished with 1 errors and 0 smoke test warnings.

diff --git a/Chalice/tests/examples/cell-defaults.output.txt b/Chalice/tests/examples/cell-defaults.output.txt
index 31b4223f..138a5717 100644
--- a/Chalice/tests/examples/cell-defaults.output.txt
+++ b/Chalice/tests/examples/cell-defaults.output.txt
@@ -4,6 +4,7 @@ Verification of cell-defaults.chalice using parameters="-defaults -autoFold -aut
   103.5: The heap of the callee might not be strictly smaller than the heap of the caller.
   132.5: Assertion might not hold. Insufficient fraction at 132.12 for Cell.valid.
 
+The program did not fully verify; the smoke warnings might be misleading if contradictions are introduced by failing proof attempts of the verification.
   125.3: The end of method main2 is unreachable.
 
 Boogie program verifier finished with 3 errors and 1 smoke test warnings.

diff --git a/Chalice/tests/examples/cell.output.txt b/Chalice/tests/examples/cell.output.txt
index 075cbcf5..b5ba1586 100644
--- a/Chalice/tests/examples/cell.output.txt
+++ b/Chalice/tests/examples/cell.output.txt
@@ -2,6 +2,7 @@ Verification of cell.chalice using parameters=""
 

   142.5: Assertion might not hold. Insufficient fraction at 142.12 for Cell.valid.
 
+The program did not fully verify; the smoke warnings might be misleading if contradictions are introduced by failing proof attempts of the verification.
   135.3: The end of method main2 is unreachable.
 
 Boogie program verifier finished with 1 errors and 1 smoke test warnings.

diff --git a/Chalice/tests/examples/counter.output.txt b/Chalice/tests/examples/counter.output.txt
index 69f93f12..1d5be0ea 100644
--- a/Chalice/tests/examples/counter.output.txt
+++ b/Chalice/tests/examples/counter.output.txt
@@ -7,10 +7,11 @@ Verification of counter.chalice using parameters=""
   136.7: The mu field of the target of the acquire statement might not be above waitlevel.
   145.5: The target of the release statement might not be locked by the current thread.
 
+The program did not fully verify; the smoke warnings might be misleading if contradictions are introduced by failing proof attempts of the verification.
   62.3: The end of method main4 is unreachable.
   116.3: The end of method nestedBad0 is unreachable.
-  124.3: The end of method nestedBad1 is unreachable.
-  132.3: The end of method nestedBad2 is unreachable.
+  128.7: The statements after the acquire statement are unreachable.
+  136.7: The begging of the lock-block is unreachable.
   141.3: The end of method nestedBad3 is unreachable.
 
 Boogie program verifier finished with 6 errors and 5 smoke test warnings.

diff --git a/Chalice/tests/examples/dining-philosophers.output.txt b/Chalice/tests/examples/dining-philosophers.output.txt
index 9d17fd1f..bd1bd4a0 100644
--- a/Chalice/tests/examples/dining-philosophers.output.txt
+++ b/Chalice/tests/examples/dining-philosophers.output.txt
@@ -1,6 +1,6 @@
 Verification of dining-philosophers.chalice using parameters="" 

 

 
-  16.3: The end of method run is unreachable.
+  24.5: The statements after the while-loop are unreachable.
 
 Boogie program verifier finished with 0 errors and 1 smoke test warnings.

diff --git a/Chalice/tests/examples/linkedlist.output.txt b/Chalice/tests/examples/linkedlist.output.txt
index ce5b5844..468e5921 100644
--- a/Chalice/tests/examples/linkedlist.output.txt
+++ b/Chalice/tests/examples/linkedlist.output.txt
@@ -2,4 +2,5 @@ Verification of linkedlist.chalice using parameters=""
 

   49.39: Precondition at 47.14 might not hold. The expression at 47.31 might not evaluate to true.
 
+The program did not fully verify; the smoke warnings might be misleading if contradictions are introduced by failing proof attempts of the verification.
 Boogie program verifier finished with 1 errors and 0 smoke test warnings.

diff --git a/Chalice/tests/examples/producer-consumer.output.txt b/Chalice/tests/examples/producer-consumer.output.txt
index 9d408b7d..55f4bf3c 100644
--- a/Chalice/tests/examples/producer-consumer.output.txt
+++ b/Chalice/tests/examples/producer-consumer.output.txt
@@ -1,7 +1,7 @@
 Verification of producer-consumer.chalice using parameters="" 

 

 
-  36.3: The end of method run is unreachable.
-  77.3: The end of method run is unreachable.
+  42.5: The statements after the while-loop are unreachable.
+  81.5: The statements after the while-loop are unreachable.
 
 Boogie program verifier finished with 0 errors and 2 smoke test warnings.

diff --git a/Chalice/tests/examples/prog1.output.txt b/Chalice/tests/examples/prog1.output.txt
index 3b80f8a8..630ecdfa 100644
--- a/Chalice/tests/examples/prog1.output.txt
+++ b/Chalice/tests/examples/prog1.output.txt
@@ -8,6 +8,7 @@ Verification of prog1.chalice using parameters=""
   76.5: The target of the unshare statement might not be shared.
   84.5: The target of the unshare statement might not be shared.
 
+The program did not fully verify; the smoke warnings might be misleading if contradictions are introduced by failing proof attempts of the verification.
   7.3: The end of method seq0 is unreachable.
   21.3: The end of method seq3 is unreachable.
   28.3: The end of method main0 is unreachable.
diff --git a/Chalice/tests/examples/prog2.output.txt b/Chalice/tests/examples/prog2.output.txt
index 3d08e54c..b9d88bbe 100644
--- a/Chalice/tests/examples/prog2.output.txt
+++ b/Chalice/tests/examples/prog2.output.txt
@@ -5,8 +5,9 @@ Verification of prog2.chalice using parameters=""
   73.5: Const variable can be assigned to only once.
   78.5: Assertion might not hold. The expression at 78.12 might not evaluate to true.
 
+The program did not fully verify; the smoke warnings might be misleading if contradictions are introduced by failing proof attempts of the verification.
   20.3: The end of method Caller1 is unreachable.
-  35.3: The end of method Caller2 is unreachable.
+  39.5: The statements after the method call statement are unreachable.
   70.3: The end of method M2 is unreachable.
 
 Boogie program verifier finished with 4 errors and 3 smoke test warnings.

diff --git a/Chalice/tests/examples/prog3.output.txt b/Chalice/tests/examples/prog3.output.txt
index 729d78fe..18d05658 100644
--- a/Chalice/tests/examples/prog3.output.txt
+++ b/Chalice/tests/examples/prog3.output.txt
@@ -5,6 +5,7 @@ Verification of prog3.chalice using parameters=""
   191.5: The precondition at 182.14 might not hold. Insufficient epsilons at 182.14  for ReadSharing.x.
   202.3: The postcondition at 204.13 might not hold. Insufficient epsilons at 204.13  for ReadSharing.x.
 
-  187.3: The end of method Divulge is unreachable.
+The program did not fully verify; the smoke warnings might be misleading if contradictions are introduced by failing proof attempts of the verification.
+  191.5: The statements after the method call statement are unreachable.
 
 Boogie program verifier finished with 4 errors and 1 smoke test warnings.

diff --git a/Chalice/tests/examples/prog4.output.txt b/Chalice/tests/examples/prog4.output.txt
index db9af8c2..9415df7c 100644
--- a/Chalice/tests/examples/prog4.output.txt
+++ b/Chalice/tests/examples/prog4.output.txt
@@ -8,6 +8,7 @@ Verification of prog4.chalice using parameters=""
   34.5: The target of the release statement might not be locked by the current thread.
   34.5: Release might fail because the current thread might hold the read lock.
 
+The program did not fully verify; the smoke warnings might be misleading if contradictions are introduced by failing proof attempts of the verification.
   2.3: The end of method M is unreachable.
 
 Boogie program verifier finished with 7 errors and 1 smoke test warnings.

diff --git a/Chalice/tests/examples/quantifiers.output.txt b/Chalice/tests/examples/quantifiers.output.txt
index 2f325c42..4abb22e1 100644
--- a/Chalice/tests/examples/quantifiers.output.txt
+++ b/Chalice/tests/examples/quantifiers.output.txt
@@ -2,4 +2,5 @@ Verification of quantifiers.chalice using parameters=""
 

   57.29: The heap of the callee might not be strictly smaller than the heap of the caller.
 
+The program did not fully verify; the smoke warnings might be misleading if contradictions are introduced by failing proof attempts of the verification.
 Boogie program verifier finished with 1 errors and 0 smoke test warnings.

diff --git a/Chalice/tests/permission-model/basic.output.txt b/Chalice/tests/permission-model/basic.output.txt
index 02e7acb7..acbef565 100644
--- a/Chalice/tests/permission-model/basic.output.txt
+++ b/Chalice/tests/permission-model/basic.output.txt
@@ -5,4 +5,5 @@ Verification of basic.chalice using parameters=""
   97.3: The postcondition at 99.13 might not hold. Insufficient fraction at 99.13 for Cell.x.
   148.3: The postcondition at 150.13 might not hold. Insufficient fraction at 150.13 for Cell.x.
 
+The program did not fully verify; the smoke warnings might be misleading if contradictions are introduced by failing proof attempts of the verification.
 Boogie program verifier finished with 4 errors and 0 smoke test warnings.

diff --git a/Chalice/tests/permission-model/channels.output.txt b/Chalice/tests/permission-model/channels.output.txt
index 159e0ee6..f588bc0a 100644
--- a/Chalice/tests/permission-model/channels.output.txt
+++ b/Chalice/tests/permission-model/channels.output.txt
@@ -3,4 +3,5 @@ Verification of channels.chalice using parameters=""
   8.5: The where clause at 44.24 might not hold. Insufficient fraction at 44.24 for C.f.
   18.3: The postcondition at 20.13 might not hold. Insufficient fraction at 20.13 for C.f.
 
+The program did not fully verify; the smoke warnings might be misleading if contradictions are introduced by failing proof attempts of the verification.
 Boogie program verifier finished with 2 errors and 0 smoke test warnings.

diff --git a/Chalice/tests/permission-model/locks.output.txt b/Chalice/tests/permission-model/locks.output.txt
index 3492e807..b6ea8f80 100644
--- a/Chalice/tests/permission-model/locks.output.txt
+++ b/Chalice/tests/permission-model/locks.output.txt
@@ -11,9 +11,10 @@ Verification of locks.chalice using parameters=""
   111.5: Monitor invariant might hot hold. Insufficient fraction at 64.13 for Cell2.x.
   136.10: Location might not be readable.
 
+The program did not fully verify; the smoke warnings might be misleading if contradictions are introduced by failing proof attempts of the verification.
   66.3: The end of method a1 is unreachable.
   76.3: The end of method a2 is unreachable.
   86.3: The end of method a3 is unreachable.
-  126.3: The end of method a6 is unreachable.
+  138.5: The statements after the acquire statement are unreachable.
 
 Boogie program verifier finished with 10 errors and 4 smoke test warnings.

diff --git a/Chalice/tests/permission-model/peculiar.output.txt b/Chalice/tests/permission-model/peculiar.output.txt
index 68d4b092..e2e6ec90 100644
--- a/Chalice/tests/permission-model/peculiar.output.txt
+++ b/Chalice/tests/permission-model/peculiar.output.txt
@@ -2,6 +2,7 @@ Verification of peculiar.chalice using parameters=""
 

   35.5: Assertion might not hold. Insufficient fraction at 35.12 for Cell.x.
 
+The program did not fully verify; the smoke warnings might be misleading if contradictions are introduced by failing proof attempts of the verification.
   30.3: The end of method t4 is unreachable.
 
 Boogie program verifier finished with 1 errors and 1 smoke test warnings.

diff --git a/Chalice/tests/permission-model/permission_arithmetic.output.txt b/Chalice/tests/permission-model/permission_arithmetic.output.txt
index d57e0939..f5c02b3d 100644
--- a/Chalice/tests/permission-model/permission_arithmetic.output.txt
+++ b/Chalice/tests/permission-model/permission_arithmetic.output.txt
@@ -12,11 +12,11 @@ Verification of permission_arithmetic.chalice using parameters=""
   205.10: Location might not be readable.
   220.10: Location might not be readable.
 
+The program did not fully verify; the smoke warnings might be misleading if contradictions are introduced by failing proof attempts of the verification.
   18.3: Precondition of method a2 is equivalent to false.
-  18.3: The end of method a2 is unreachable.
   24.3: The end of method a3 is unreachable.
-  39.3: The end of method a6 is unreachable.
+  42.5: The statements after the method call statement are unreachable.
   200.3: The end of method a28 is unreachable.
   215.3: The end of method a28b is unreachable.
 
-Boogie program verifier finished with 11 errors and 6 smoke test warnings.

+Boogie program verifier finished with 11 errors and 5 smoke test warnings.

diff --git a/Chalice/tests/permission-model/predicates.output.txt b/Chalice/tests/permission-model/predicates.output.txt
index 8b9d8abe..5c0d0455 100644
--- a/Chalice/tests/permission-model/predicates.output.txt
+++ b/Chalice/tests/permission-model/predicates.output.txt
@@ -4,6 +4,7 @@ Verification of predicates.chalice using parameters=""
   55.5: Fold might fail because the definition of Cell.read1 does not hold. Insufficient fraction at 8.21 for Cell.x.
   66.3: The postcondition at 68.13 might not hold. Insufficient fraction at 68.13 for Cell.x.
 
+The program did not fully verify; the smoke warnings might be misleading if contradictions are introduced by failing proof attempts of the verification.
   28.3: The end of method b3 is unreachable.
   49.3: The end of method b5 is unreachable.
 
diff --git a/Chalice/tests/permission-model/sequences.output.txt b/Chalice/tests/permission-model/sequences.output.txt
index f557b8c7..2cb8d25d 100644
--- a/Chalice/tests/permission-model/sequences.output.txt
+++ b/Chalice/tests/permission-model/sequences.output.txt
@@ -3,4 +3,5 @@ Verification of sequences.chalice using parameters=""
   36.3: The postcondition at 41.13 might not hold. Insufficient permission at 41.13 for A.f
   60.3: The postcondition at 65.13 might not hold. Insufficient permission at 65.13 for A.f
 
+The program did not fully verify; the smoke warnings might be misleading if contradictions are introduced by failing proof attempts of the verification.
 Boogie program verifier finished with 2 errors and 0 smoke test warnings.