cbmc/complexity__limiter_8cpp_source.html

 /*******************************************************************\


 Module: Symbolic Execution


 Author: John Dumbell


 \*******************************************************************/


 #include "complexity_limiter.h"


 #include <util/options.h>


 #include "goto_symex_state.h"


 #include <cmath>


 complexity_limitert::complexity_limitert(

   message_handlert &message_handler,

   const optionst &options)

   : log(message_handler)

 {

   std::size_t limit = options.get_signed_int_option("symex-complexity-limit");

   if((complexity_active = limit > 0))

   {

     // This gives a curve that allows low limits to be rightly restrictive,

     // while larger numbers are very large.

     max_complexity = static_cast<std::size_t>((limit * limit) * 25);


     const std::size_t failed_child_loops_limit = options.get_signed_int_option(

       "symex-complexity-failed-child-loops-limit");

     const std::size_t unwind = options.get_signed_int_option("unwind");


     // If we have complexity enabled, try to work out a failed_children_limit.

     // In order of priority:

     //  * explicit limit

     //  * inferred limit from unwind

     //  * best limit we can apply with very little information.

     if(failed_child_loops_limit > 0)

       max_loops_complexity = failed_child_loops_limit;

     else if(unwind > 0)

       max_loops_complexity = std::max(static_cast<int>(floor(unwind / 3)), 1);

     else

       max_loops_complexity = limit;

   }

 }


 framet::active_loop_infot *

 complexity_limitert::get_current_active_loop(call_stackt &current_call_stack)

 {

   for(auto frame_iter = current_call_stack.rbegin();

       frame_iter != current_call_stack.rend();

       ++frame_iter)

   {

     // As we're walking bottom-up, the first frame we find with active loops

     // is our closest active one.

     if(!frame_iter->active_loops.empty())

     {

       return &frame_iter->active_loops.back();

     }

   }


   return {};

 }


 bool complexity_limitert::in_blacklisted_loop(

   const call_stackt &current_call_stack,

   const goto_programt::const_targett &instr)

 {

   for(auto frame_iter = current_call_stack.rbegin();

       frame_iter != current_call_stack.rend();

       ++frame_iter)

   {

     for(auto &loop_iter : frame_iter->active_loops)

     {

       for(auto &blacklisted_loop : loop_iter.blacklisted_loops)

       {

         if(blacklisted_loop.get().contains(instr))

         {

           return true;

         }

       }

     }

   }


   return false;

 }


 bool complexity_limitert::are_loop_children_too_complicated(

   call_stackt &current_call_stack)

 {

   std::size_t sum_complexity = 0;


   // This will walk all currently active loops, from inner-most to outer-most,

   // and sum the times their branches have failed.

   //

   // If we find that this sum is higher than our max_loops_complexity we take

   // note of the loop that happens in and then cause every parent still

   // executing that loop to blacklist it.

   //

   // This acts as a context-sensitive loop cancel, so if we've got unwind 20

   // and find out at the 3rd iteration a particular nested loop is too

   // complicated, we make sure we don't execute it the other 17 times. But as

   // soon as we're running the loop again via a different context it gets a

   // chance to redeem itself.

   lexical_loopst::loopt *loop_to_blacklist = nullptr;

   for(auto frame_iter = current_call_stack.rbegin();

       frame_iter != current_call_stack.rend();

       ++frame_iter)

   {

     for(auto it = frame_iter->active_loops.rbegin();

         it != frame_iter->active_loops.rend();

         it++)

     {

       auto &loop_info = *it;


       // Because we're walking in reverse this will only be non-empty for

       // parents of the loop that's been blacklisted. We then add that to their

       // internal lists of blacklisted children.

       if(loop_to_blacklist)

       {

         loop_info.blacklisted_loops.emplace_back(*loop_to_blacklist);

       }

       else

       {

         sum_complexity += loop_info.children_too_complex;

         if(sum_complexity > max_loops_complexity)

         {

           loop_to_blacklist = &loop_info.loop;

         }

       }

     }

   }


   return !loop_to_blacklist;

 }


 complexity_violationt

 complexity_limitert::check_complexity(goto_symex_statet &state)

 {

   if(!complexity_limits_active() || !state.reachable)

     return complexity_violationt::NONE;


   std::size_t complexity =

     bounded_expr_size(state.guard.as_expr(), max_complexity);

   if(complexity == 1)

     return complexity_violationt::NONE;


   auto &current_call_stack = state.call_stack();


   // Check if this branch is too complicated to continue.

   auto active_loop = get_current_active_loop(current_call_stack);

   if(complexity >= max_complexity)

   {

     // If we're too complex, add a counter to the current loop we're in and

     // check if we've violated child-loop complexity limits.

     if(active_loop != nullptr)

     {

       active_loop->children_too_complex++;


       // If we're considered too complex, cancel branch.

       if(are_loop_children_too_complicated(current_call_stack))

       {

         log.warning()

           << "[symex-complexity] Loop operations considered too complex"

           << (state.source.pc->source_location().is_not_nil()

                 ? " at: " + state.source.pc->source_location().as_string()

                 : ", location number: " +

                     std::to_string(state.source.pc->location_number) + ".")

           << messaget::eom;


         return complexity_violationt::LOOP;

       }

     }


     log.warning() << "[symex-complexity] Branch considered too complex"

                   << (state.source.pc->source_location().is_not_nil()

                         ? " at: " +

                             state.source.pc->source_location().as_string()

                         : ", location number: " +

                             std::to_string(state.source.pc->location_number) +

                             ".")

                   << messaget::eom;


     // Then kill this branch.

     return complexity_violationt::BRANCH;

   }


   // If we're not in any loop, return with no violation.

   if(!active_loop)

     return complexity_violationt::NONE;


   // Check if we've entered a loop that has been previously black-listed, and

   // if so then cancel before we go any further.

   if(in_blacklisted_loop(current_call_stack, state.source.pc))

   {

     log.warning() << "[symex-complexity] Trying to enter blacklisted loop"

                   << (state.source.pc->source_location().is_not_nil()

                         ? " at: " +

                             state.source.pc->source_location().as_string()

                         : ", location number: " +

                             std::to_string(state.source.pc->location_number) +

                             ".")

                   << messaget::eom;


     return complexity_violationt::LOOP;

   }


   return complexity_violationt::NONE;

 }


 void complexity_limitert::run_transformations(

   complexity_violationt complexity_violation,

   goto_symex_statet &current_state)

 {

   if(violation_transformations.empty())

     default_transformation.transform(complexity_violation, current_state);

   else

     for(auto transform_lambda : violation_transformations)

       transform_lambda.transform(complexity_violation, current_state);

 }


 static std::size_t

 bounded_expr_size(const exprt &expr, std::size_t count, std::size_t limit)

 {

   const auto &ops = expr.operands();

   count += ops.size();

   for(const auto &op : ops)

   {

     if(count >= limit)

     {

       return count;

     }

     count = bounded_expr_size(op, count, limit);

   }

   return count;

 }


 std::size_t

 complexity_limitert::bounded_expr_size(const exprt &expr, std::size_t limit)

 {

   return ::bounded_expr_size(expr, 1, limit);

 }

call_stackt
Definition: call_stack.h:15

complexity_limitert::complexity_limitert
complexity_limitert(message_handlert &logger, const optionst &options)
Definition: complexity_limiter.cpp:17

complexity_limitert::check_complexity
complexity_violationt check_complexity(goto_symex_statet &state)
Checks the passed-in state to see if its become too complex for us to deal with, and if so set its gu...
Definition: complexity_limiter.cpp:138

complexity_limitert::complexity_limits_active
bool complexity_limits_active()
Is the complexity module active?
Definition: complexity_limiter.h:55

complexity_limitert::bounded_expr_size
static std::size_t bounded_expr_size(const exprt &expr, std::size_t limit)
Amount of nodes in expr approximately bounded by limit.
Definition: complexity_limiter.cpp:243

complexity_limitert::complexity_active
bool complexity_active
Is the complexity module active, usually coincides with a max_complexity value above 0.
Definition: complexity_limiter.h:84

complexity_limitert::in_blacklisted_loop
static bool in_blacklisted_loop(const call_stackt &current_call_stack, const goto_programt::const_targett &instr)
Checks whether we're in a loop that is currently considered blacklisted, and shouldn't be executed.
Definition: complexity_limiter.cpp:65

complexity_limitert::max_complexity
std::size_t max_complexity
The max complexity rating that a branch can be before it's abandoned.
Definition: complexity_limiter.h:97

complexity_limitert::violation_transformations
std::vector< symex_complexity_limit_exceeded_actiont > violation_transformations
Functions called when the heuristic has been violated.
Definition: complexity_limiter.h:89

complexity_limitert::max_loops_complexity
std::size_t max_loops_complexity
The amount of branches that can fail within the scope of a loops execution before the entire loop is ...
Definition: complexity_limiter.h:101

complexity_limitert::get_current_active_loop
static framet::active_loop_infot * get_current_active_loop(call_stackt &current_call_stack)
Returns inner-most currently active loop.
Definition: complexity_limiter.cpp:48

complexity_limitert::log
messaget log
Definition: complexity_limiter.h:80

complexity_limitert::default_transformation
symex_complexity_limit_exceeded_actiont default_transformation
Default heuristic transformation. Sets state as unreachable.
Definition: complexity_limiter.h:92

complexity_limitert::run_transformations
void run_transformations(complexity_violationt complexity_violation, goto_symex_statet &current_state)
Runs a suite of transformations on the state and symex executable, performing whatever transformation...
Definition: complexity_limiter.cpp:211

complexity_limitert::are_loop_children_too_complicated
bool are_loop_children_too_complicated(call_stackt &current_call_stack)
Checks whether the current loop execution stack has violated max_loops_complexity.
Definition: complexity_limiter.cpp:88

exprt
Base class for all expressions.
Definition: expr.h:56

exprt::operands
operandst & operands()
Definition: expr.h:94

framet::active_loop_infot
Definition: frame.h:57

goto_programt::const_targett
instructionst::const_iterator const_targett
Definition: goto_program.h:615

goto_statet::guard
guardt guard
Definition: goto_state.h:58

goto_statet::reachable
bool reachable
Is this code reachable? If not we can take shortcuts such as not entering function calls,...
Definition: goto_state.h:62

goto_symex_statet
Central data structure: state.
Definition: goto_symex_state.h:43

goto_symex_statet::call_stack
call_stackt & call_stack()
Definition: goto_symex_state.h:147

goto_symex_statet::source
symex_targett::sourcet source
Definition: goto_symex_state.h:62

guard_exprt::as_expr
exprt as_expr() const
Definition: guard_expr.h:46

loop_templatet
A loop, specified as a set of instructions.
Definition: loop_analysis.h:24

message_handlert
Definition: message.h:27

messaget::warning
mstreamt & warning() const
Definition: message.h:396

messaget::eom
static eomt eom
Definition: message.h:289

optionst
Definition: options.h:23

optionst::get_signed_int_option
signed int get_signed_int_option(const std::string &option) const
Definition: options.cpp:50

symex_complexity_limit_exceeded_actiont::transform
virtual void transform(const complexity_violationt heuristic_result, goto_symex_statet &current_state)
Definition: symex_complexity_limit_exceeded_action.h:14

bounded_expr_size
static std::size_t bounded_expr_size(const exprt &expr, std::size_t count, std::size_t limit)
Amount of nodes expr contains, with a bound on how far to search.
Definition: complexity_limiter.cpp:227

complexity_limiter.h
Symbolic Execution.

complexity_violationt
complexity_violationt
What sort of symex-complexity violation has taken place.
Definition: complexity_violation.h:18

complexity_violationt::BRANCH
@ BRANCH

complexity_violationt::LOOP
@ LOOP

complexity_violationt::NONE
@ NONE

goto_symex_state.h
Symbolic Execution.

floor
double floor(double x)
Definition: math.c:1451

log
double log(double x)
Definition: math.c:2776

options.h
Options.

to_string
std::string to_string(const string_not_contains_constraintt &expr)
Used for debug printing.
Definition: string_constraint.cpp:58

symex_targett::sourcet::pc
goto_programt::const_targett pc
Definition: symex_target.h:42