Fix segfault in k-induction step case with nested loops

[tautschnig]

The original code assumed loop_head->condition() always contained the loop guard, but in nested loop scenarios, the loop structure can vary. The backedge might contain the condition instead, or the loop might be unconditional.

Also, when processing nested loops, modifying the outer loop's goto-program could invalidate iterators pointing to the inner loop, causing memory access violations.

Co-authored-by: Kiro autonomous agent

Fixes: #5357

• Each commit message has a non-empty body, explaining why the change was made.
• n/a Methods or procedures I have added are documented, following the guidelines provided in CODING_STANDARD.md.
• n/a The feature or user visible behaviour I have added or modified has been documented in the User Guide in doc/cprover-manual/
• Regression or unit tests are included, or existing tests cover the modified code (in this case I have detailed which ones those are in the commit message).
• n/a My commit message includes data points confirming performance improvements (if claimed).
• My PR is restricted to a single feature or bugfix.
• n/a White-space or formatting changes outside the feature-related changed lines are in commits of their own.

[Copilot]

Pull request overview

Fixes a segmentation fault in k-induction instrumentation when handling nested loops by making loop-guard detection more robust and avoiding iterator invalidation during loop processing.

Changes:

• Added find_loop_guard to derive the loop guard from either the backedge or the loop-head exit goto (and handle unconditional loops).
• Changed loop traversal to only instrument outermost loops to avoid invalidating nested-loop iterators.
• Added a regression test covering nested loops.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File	Description
src/goto-instrument/k_induction.cpp	Robustly locate loop guards and avoid processing nested loops directly to prevent segfaults
regression/k-induction/nested-loops/test.desc	New regression test expectations for nested-loop k-induction instrumentation
regression/k-induction/nested-loops/main.c	New nested-loop reproducer for the prior segfault

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Even if you only process outermost loops, calling process_loop() mutates the underlying goto-program and can invalidate goto_programt::targett iterators stored inside natural_loops.loop_map. This loop continues iterating over natural_loops.loop_map after the first mutation, which can still lead to use-after-invalidation/segfaults when accessing subsequent loop_head / other_head entries. A safer approach is to first compute a stable worklist (e.g., store location_numbers of outermost loop heads), and then, for each item, re-find the current targett in the mutated program (or recompute natural loops after each transformation) before calling process_loop.

[Copilot]

The nested-loop detection is O(N²) over natural_loops.loop_map. On functions with many loops this can become noticeably expensive. Consider building a single pass parent/containment relation (e.g., sort loops by size and assign parents, or precompute a map from loop-head to smallest enclosing loop) to avoid repeatedly scanning the full loop map.

[Copilot]

loop_exit is being used as a sentinel value for 'no backedge found'. This makes the control flow harder to reason about (and couples two unrelated concepts). Consider using an explicit bool found_backedge or an optional-like pattern to represent 'found vs not found', then only read backedge->condition() when a backedge was actually found.

Suggested change

	goto_programt::targett backedge = loop_exit;
	for(const auto &t : loop)
	{
	if(t->is_backwards_goto() && t->get_target() == loop_head)
	{
	backedge = t;
	break;
	}
	}
	if(backedge != loop_exit && !backedge->condition().is_true())
	goto_programt::targett backedge;
	bool found_backedge = false;
	for(const auto &t : loop)
	{
	if(t->is_backwards_goto() && t->get_target() == loop_head)
	{
	backedge = t;
	found_backedge = true;
	break;
	}
	}
	if(found_backedge && !backedge->condition().is_true())

[codecov]

Codecov Report

❌ Patch coverage is 90.47619% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 80.01%. Comparing base (b191cc1) to head (576cba3).

Files with missing lines	Patch %	Lines
src/goto-instrument/k_induction.cpp	90.47%	2 Missing ⚠️

Additional details and impacted files

@@           Coverage Diff            @@
##           develop    #8803   +/-   ##
========================================
  Coverage    80.01%   80.01%           
========================================
  Files         1700     1700           
  Lines       188345   188360   +15     
  Branches        73       73           
========================================
+ Hits        150696   150711   +15     
  Misses       37649    37649           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.