CBMC
Loading...
Searching...
No Matches
bmc_util.h
Go to the documentation of this file.
1/*******************************************************************\
2
3Module: Bounded Model Checking Utilities
4
5Author: Daniel Kroening, Peter Schrammel
6
7\*******************************************************************/
8
11
12#ifndef CPROVER_GOTO_CHECKER_BMC_UTIL_H
13#define CPROVER_GOTO_CHECKER_BMC_UTIL_H
14
15#include <goto-programs/unwindset.h>
16
17#include <goto-symex/build_goto_trace.h>
18
19#include "incremental_goto_checker.h"
20#include "properties.h"
21
22#include <chrono> // IWYU pragma: keep
23#include <memory>
24
25class decision_proceduret;
26class goto_symex_property_decidert;
27class goto_tracet;
28class memory_model_baset;
29class message_handlert;
30class namespacet;
31class optionst;
32class symex_bmct;
33class symex_target_equationt;
34struct trace_optionst;
35class ui_message_handlert;
36
37void convert_symex_target_equation(
38 symex_target_equationt &equation,
39 decision_proceduret &decision_procedure,
40 message_handlert &message_handler);
41
44ssa_step_predicatet
45ssa_step_matches_failing_property(const irep_idt &property_id);
46
48void message_building_error_trace(messaget &);
49
50void build_error_trace(
51 goto_tracet &,
52 const namespacet &,
53 const symex_target_equationt &,
54 const decision_proceduret &,
55 ui_message_handlert &);
56
57void output_error_trace(
58 const goto_tracet &,
59 const namespacet &,
60 const trace_optionst &,
61 ui_message_handlert &);
62
63void output_graphml(const goto_tracet &, const namespacet &, const optionst &);
64void output_graphml(
65 const symex_target_equationt &,
66 const namespacet &,
67 const optionst &);
68
69std::unique_ptr<memory_model_baset>
70get_memory_model(const optionst &options, const namespacet &);
71
72void slice(
73 symex_bmct &,
74 symex_target_equationt &symex_target_equation,
75 const namespacet &,
76 const optionst &,
77 ui_message_handlert &);
78
83void postprocess_equation(
84 symex_bmct &symex,
85 symex_target_equationt &equation,
86 const optionst &options,
87 const namespacet &ns,
88 ui_message_handlert &ui_message_handler);
89
97void output_coverage_report(
98 const std::string &cov_out,
99 const abstract_goto_modelt &goto_model,
100 const symex_bmct &symex,
101 ui_message_handlert &ui_message_handler);
102
109void update_properties_status_from_symex_target_equation(
110 propertiest &properties,
111 std::unordered_set<irep_idt> &updated_properties,
112 const symex_target_equationt &equation);
113
120void update_status_of_not_checked_properties(
121 propertiest &properties,
122 std::unordered_set<irep_idt> &updated_properties);
123
130void update_status_of_unknown_properties(
131 propertiest &properties,
132 std::unordered_set<irep_idt> &updated_properties);
133
143std::chrono::duration<double> prepare_property_decider(
144 propertiest &properties,
145 symex_target_equationt &equation,
146 goto_symex_property_decidert &property_decider,
147 ui_message_handlert &ui_message_handler);
148
159void run_property_decider(
160 incremental_goto_checkert::resultt &result,
161 propertiest &properties,
162 goto_symex_property_decidert &property_decider,
163 ui_message_handlert &ui_message_handler,
164 std::chrono::duration<double> solver_runtime,
165 bool set_pass = true);
166
167#define OPT_BMC \
168 "(program-only)" \
169 "(show-byte-ops)" \
170 "(show-vcc)" \
171 "(show-goto-symex-steps)" \
172 "(show-points-to-sets)" \
173 "(slice-formula)" \
174 "(unwinding-assertions)" \
175 "(no-unwinding-assertions)" \
176 "(no-self-loops-to-assumptions)" \
177 "(partial-loops)" \
178 "(paths):" \
179 "(show-symex-strategies)" \
180 "(depth):" \
181 "(max-field-sensitivity-array-size):" \
182 "(no-array-field-sensitivity)" \
183 "(graphml-witness):" \
184 "(symex-complexity-limit):" \
185 "(symex-complexity-failed-child-loops-limit):" \
186 "(incremental-loop):" \
187 "(unwind-min):" \
188 "(unwind-max):" \
189 "(ignore-properties-before-unwind-min)" \
190 "(symex-cache-dereferences)" OPT_UNWINDSET
191
192#define HELP_BMC \
193 " {y--paths} [strategy] \t explore paths one at a time\n" \
194 " {y--show-symex-strategies} \t list strategies for use with {y--paths}\n" \
195 " {y--show-goto-symex-steps} \t show which steps symex travels, includes " \
196 "diagnostic information\n" \
197 " {y--show-points-to-sets} \t show points-to sets for pointer dereference. " \
198 "Requires {y--json-ui}.\n" \
199 " {y--program-only} \t only show program expression\n" \
200 " {y--show-byte-ops} \t show all byte extracts and updates\n" \
201 " {y--depth} {unr} \t limit search depth\n" \
202 " {y--max-field-sensitivity-array-size} {uM} \t " \
203 "maximum size {uM} of arrays for which field sensitivity will be " \
204 "applied to array, the default is 64\n" \
205 " {y--no-array-field-sensitivity} \t " \
206 "deactivate field sensitivity for arrays, this is equivalent to setting " \
207 "the maximum field sensitivity size for arrays to 0\n" HELP_UNWINDSET \
208 " {y--incremental-loop} {uL} \t " \
209 "check properties after each unwinding of loop {uL} (use {y--show-loops} " \
210 "to get the loop IDs)\n" \
211 " {y--unwind-min} {unr} \t " \
212 "start incremental-loop after {unr} unwindings but before solving that " \
213 "iteration. If for example it is 1, then the loop will be unwound once, " \
214 "and immediately checked. Note: this means for {y--unwind-min} 1 or 0 all " \
215 "properties are checked.\n" \
216 " {y--unwind-max} {unr} \t stop incremental-loop after {unr} unwindings\n" \
217 " {y--ignore-properties-before-unwind-min} \t " \
218 "do not check properties before unwind-min when using " \
219 "{y--incremental-loop}\n" \
220 " {y--show-vcc} \t show the verification conditions\n" \
221 " {y--slice-formula} \t remove assignments unrelated to property\n" \
222 " {y--unwinding-assertions} \t generate unwinding assertions (cannot be " \
223 "used with {y--cover})\n" \
224 " {y--partial-loops} \t permit paths with partial loops\n" \
225 " {y--no-self-loops-to-assumptions} \t do not simplify while(1){ {}} to " \
226 "assume(0)\n" \
227 " {y--symex-complexity-limit} {uN} \t " \
228 "how complex ({uN}) a path can become before symex abandons it. Currently " \
229 "uses guard size to calculate complexity.\n" \
230 " {y--symex-complexity-failed-child-loops-limit} {uN} \t " \
231 "how many child branches ({uN}) in an iteration are allowed to fail due to " \
232 "complexity violations before the loop gets blacklisted\n" \
233 " {y--graphml-witness} {ufilename} \t write the witness in GraphML format " \
234 "to {ufilename}\n" \
235 " {y--symex-cache-dereferences} \t enable caching of repeated " \
236 "dereferences\n"
237
238#endif // CPROVER_GOTO_CHECKER_BMC_UTIL_H
run_property_decider
void run_property_decider(incremental_goto_checkert::resultt &result, propertiest &properties, goto_symex_property_decidert &property_decider, ui_message_handlert &ui_message_handler, std::chrono::duration< double > solver_runtime, bool set_pass=true)
Runs the property decider to solve the equation.
Definition bmc_util.cpp:359
slice
void slice(symex_bmct &, symex_target_equationt &symex_target_equation, const namespacet &, const optionst &, ui_message_handlert &)
Definition bmc_util.cpp:175
output_coverage_report
void output_coverage_report(const std::string &cov_out, const abstract_goto_modelt &goto_model, const symex_bmct &symex, ui_message_handlert &ui_message_handler)
Output a coverage report as generated by symex_coveraget if cov_out is non-empty.
Definition bmc_util.cpp:283
prepare_property_decider
std::chrono::duration< double > prepare_property_decider(propertiest &properties, symex_target_equationt &equation, goto_symex_property_decidert &property_decider, ui_message_handlert &ui_message_handler)
Converts the equation and sets up the property decider, but does not call solve.
Definition bmc_util.cpp:335
update_status_of_unknown_properties
void update_status_of_unknown_properties(propertiest &properties, std::unordered_set< irep_idt > &updated_properties)
Sets the property status of UNKNOWN properties to PASS.
Definition bmc_util.cpp:267
output_graphml
void output_graphml(const goto_tracet &, const namespacet &, const optionst &)
outputs an error witness in graphml format
Definition bmc_util.cpp:104
update_properties_status_from_symex_target_equation
void update_properties_status_from_symex_target_equation(propertiest &properties, std::unordered_set< irep_idt > &updated_properties, const symex_target_equationt &equation)
Sets property status to PASS for properties whose conditions are constant true in the equation.
Definition bmc_util.cpp:215
output_error_trace
void output_error_trace(const goto_tracet &, const namespacet &, const trace_optionst &, ui_message_handlert &)
Definition bmc_util.cpp:61
message_building_error_trace
void message_building_error_trace(messaget &)
Outputs a message that an error trace is being built.
Definition bmc_util.cpp:32
update_status_of_not_checked_properties
void update_status_of_not_checked_properties(propertiest &properties, std::unordered_set< irep_idt > &updated_properties)
Sets the property status of NOT_CHECKED properties to PASS.
Definition bmc_util.cpp:251
ssa_step_matches_failing_property
ssa_step_predicatet ssa_step_matches_failing_property(const irep_idt &property_id)
Returns a function that checks whether an SSA step is an assertion with property_id.
Definition bmc_util.cpp:51
get_memory_model
std::unique_ptr< memory_model_baset > get_memory_model(const optionst &options, const namespacet &)
Definition bmc_util.cpp:159
convert_symex_target_equation
void convert_symex_target_equation(symex_target_equationt &equation, decision_proceduret &decision_procedure, message_handlert &message_handler)
Definition bmc_util.cpp:147
postprocess_equation
void postprocess_equation(symex_bmct &symex, symex_target_equationt &equation, const optionst &options, const namespacet &ns, ui_message_handlert &ui_message_handler)
Post process the equation.
Definition bmc_util.cpp:299
build_error_trace
void build_error_trace(goto_tracet &, const namespacet &, const symex_target_equationt &, const decision_proceduret &, ui_message_handlert &)
Definition bmc_util.cpp:37
build_goto_trace.h
Traces of GOTO Programs.
ssa_step_predicatet
std::function< bool(symex_target_equationt::SSA_stepst::const_iterator, const decision_proceduret &)> ssa_step_predicatet
Definition build_goto_trace.h:48
abstract_goto_modelt
Abstract interface to eager or lazy GOTO models.
Definition abstract_goto_model.h:22
ait
ait supplies three of the four components needed: an abstract interpreter (in this case handling func...
Definition ai.h:562
decision_proceduret
An interface for a decision procedure for satisfiability problems.
Definition decision_procedure.h:22
dstringt
dstringt has one field, an unsigned integer no which is an index into a static table of strings.
Definition dstring.h:38
goto_symex_property_decidert
Provides management of goal variables that encode properties.
Definition goto_symex_property_decider.h:24
goto_tracet
Trace of a GOTO program.
Definition goto_trace.h:177
memory_model_baset
Definition memory_model.h:18
message_handlert
Definition message.h:27
messaget
Class that provides messages with a built-in verbosity 'level'.
Definition message.h:154
namespacet
A namespacet is essentially one or two symbol tables bound together, to allow for symbol lookups in t...
Definition namespace.h:91
symex_bmct
Definition symex_bmc.h:24
symex_target_equationt
Inheriting the interface of symex_targett this class represents the SSA form of the input program as ...
Definition symex_target_equation.h:34
ui_message_handlert
Definition ui_message.h:22
ui_message_handlert::message_handler
message_handlert * message_handler
Definition ui_message.h:49
incremental_goto_checker.h
Incremental Goto Checker Interface.
properties.h
Properties.
propertiest
std::map< irep_idt, property_infot > propertiest
A map of property IDs to property infos.
Definition properties.h:76
incremental_goto_checkert::resultt
Definition incremental_goto_checker.h:43
trace_optionst
Options for printing the trace using show_goto_trace.
Definition goto_trace.h:221
unwindset.h
Loop unwinding.