cbmc/dependence__graph_8cpp_source.html

/*******************************************************************\


Module: Field-Sensitive Program Dependence Analysis, Litvak et al.,

        FSE 2010


Author: Michael Tautschnig


Date: August 2013


\*******************************************************************/


#include "dependence_graph.h"


#include <util/container_utils.h>

#include <util/json_irep.h>


#include "goto_rw.h"


bool dep_graph_domaint::merge(

  const dep_graph_domaint &src,

  trace_ptrt,

  trace_ptrt)

{

  // An abstract state at location `to` may be non-bottom even if

  // `merge(..., `to`) has not been called so far. This is due to the special

  // handling of function entry edges (see transform()).

  bool changed = is_bottom() || has_changed;


  // For computing the data dependencies, we would not need a fixpoint

  // computation. The data dependencies at a location are computed from the

  // result of the reaching definitions analysis at that location

  // (in data_dependencies()). Thus, we only need to set the data dependencies

  // part of an abstract state at a certain location once.

  if(changed && data_deps.empty())

  {

    data_deps = src.data_deps;

    has_values = tvt::unknown();

  }


  changed |= util_inplace_set_union(control_deps, src.control_deps);

  changed |=

    util_inplace_set_union(control_dep_candidates, src.control_dep_candidates);


  has_changed = false;


  return changed;

}


void dep_graph_domaint::control_dependencies(

  const irep_idt &function_id,

  goto_programt::const_targett from,

  goto_programt::const_targett to,

  dependence_grapht &dep_graph)

{

  // Better Slicing of Programs with Jumps and Switches

  // Kumar and Horwitz, FASE'02:

  // "Node N is control dependent on node M iff N postdominates, in

  // the CFG, one but not all of M's CFG successors."

  //

  // The "successor" above refers to an immediate successor of M.

  //

  // When computing the control dependencies of a node N (i.e., "to"

  // being N), candidates for M are all control statements (gotos or

  // assumes) from which there is a path in the CFG to N.


  // Add new candidates


  if(from->is_goto() || from->is_assume())

    control_dep_candidates.insert(from);

  else if(from->is_end_function())

  {

    control_dep_candidates.clear();

    return;

  }


  if(control_dep_candidates.empty())

    return;


  // Get postdominators


  const irep_idt id = function_id;

  const cfg_post_dominatorst &pd=dep_graph.cfg_post_dominators().at(id);


  // Check all candidates


  for(const auto &control_dep_candidate : control_dep_candidates)

  {

    // check all CFG successors of M

    // special case: assumptions also introduce a control dependency

    bool post_dom_all = !control_dep_candidate->is_assume();

    bool post_dom_one=false;


    // we could hard-code assume and goto handling here to improve

    // performance

    const cfg_post_dominatorst::cfgt::nodet &m =

      pd.get_node(control_dep_candidate);


    // successors of M

    for(const auto &edge : m.out)

    {

      // Could use pd.dominates(to, control_dep_candidate) but this would impose

      // another dominator node lookup per call to this function, which is too

      // expensive.

      const cfg_post_dominatorst::cfgt::nodet &m_s=

        pd.cfg[edge.first];


      if(m_s.dominators.find(to)!=m_s.dominators.end())

        post_dom_one=true;

      else

        post_dom_all=false;

    }


    if(post_dom_all || !post_dom_one)

    {

      control_deps.erase(control_dep_candidate);

    }

    else

    {

      control_deps.insert(control_dep_candidate);

    }

  }

}


static bool may_be_def_use_pair(

  const range_spect &w_start,

  const range_spect &w_end,

  const range_spect &r_start,

  const range_spect &r_end)

{

  PRECONDITION(w_start >= range_spect{0});

  PRECONDITION(r_start >= range_spect{0});


  if(

    (!w_end.is_unknown() && w_end <= r_start) || // we < rs

    (!r_end.is_unknown() && w_start >= r_end))   // re < we

  {

    return false;

  }

  else if(w_start >= r_start) // rs <= ws < we,re

    return true;

  else if(

    w_end.is_unknown() ||

    (!r_end.is_unknown() && w_end > r_start)) // ws <= rs < we,re

  {

    return true;

  }

  else

    return false;

}


void dep_graph_domaint::data_dependencies(

  goto_programt::const_targett,

  const irep_idt &function_to,

  goto_programt::const_targett to,

  dependence_grapht &dep_graph,

  const namespacet &ns)

{

  // data dependencies using def-use pairs

  data_deps.clear();


  // TODO use (future) reaching-definitions-dereferencing rw_set

  value_setst &value_sets=

    dep_graph.reaching_definitions().get_value_sets();

  rw_range_set_value_sett rw_set(ns, value_sets, message_handler);

  goto_rw(function_to, to, rw_set);


  for(const auto &read_object_entry : rw_set.get_r_set())

  {

    const range_domaint &r_ranges = rw_set.get_ranges(read_object_entry.second);

    const rd_range_domaint::ranges_at_loct &w_ranges =

      dep_graph.reaching_definitions()[to].get(read_object_entry.first);


    for(const auto &w_range : w_ranges)

    {

      bool found=false;

      for(const auto &wr : w_range.second)

      {

        for(const auto &r_range : r_ranges)

        {

          if(!found &&

             may_be_def_use_pair(wr.first, wr.second,

                                 r_range.first, r_range.second))

          {

            // found a def-use pair

            data_deps.insert(w_range.first);

            found=true;

          }

        }

      }

    }


    dep_graph.reaching_definitions()[to].clear_cache(read_object_entry.first);

  }


  if(to->is_set_return_value())

  {

    auto entry = dep_graph.end_function_map.find(function_to);

    CHECK_RETURN(entry != dep_graph.end_function_map.end());


    goto_programt::const_targett end_function = entry->second;


    dep_graph_domaint *s =

      dynamic_cast<dep_graph_domaint *>(&(dep_graph.get_state(end_function)));

    CHECK_RETURN(s != nullptr);


    if(s->is_bottom())

      s->has_values = tvt::unknown();


    if(s->data_deps.insert(to).second)

      s->has_changed = true;

  }

}


void dep_graph_domaint::transform(

  const irep_idt &function_from,

  trace_ptrt trace_from,

  const irep_idt &function_to,

  trace_ptrt trace_to,

  ai_baset &ai,

  const namespacet &ns)

{

  locationt from{trace_from->current_location()};

  locationt to{trace_to->current_location()};


  dependence_grapht *dep_graph=dynamic_cast<dependence_grapht*>(&ai);

  CHECK_RETURN(dep_graph != nullptr);


  // We do not propagate control dependencies on function calls, i.e., only the

  // entry point of a function should have a control dependency on the call

  depst filtered_control_deps;

  std::copy_if(

    control_deps.begin(),

    control_deps.end(),

    std::inserter(filtered_control_deps, filtered_control_deps.end()),

    [](goto_programt::const_targett dep) { return !dep->is_function_call(); });

  control_deps = std::move(filtered_control_deps);


  // propagate control dependencies across function calls

  if(from->is_function_call() && function_from != function_to)

  {

    // edge to function entry point

    const goto_programt::const_targett next = std::next(from);


    dep_graph_domaint *s =

      dynamic_cast<dep_graph_domaint *>(&(dep_graph->get_state(next)));

    CHECK_RETURN(s != nullptr);


    if(s->is_bottom())

    {

      s->has_values = tvt::unknown();

      s->has_changed = true;

    }


    s->has_changed |= util_inplace_set_union(s->control_deps, control_deps);

    s->has_changed |=

      util_inplace_set_union(s->control_dep_candidates, control_dep_candidates);


    control_deps.clear();

    control_deps.insert(from);


    control_dep_candidates.clear();

  }

  else

    control_dependencies(function_from, from, to, *dep_graph);


  data_dependencies(from, function_to, to, *dep_graph, ns);

}


void dep_graph_domaint::output(

  std::ostream &out,

  const ai_baset &,

  const namespacet &) const

{

  if(!control_deps.empty())

  {

    out << "Control dependencies: ";

    for(depst::const_iterator

        it=control_deps.begin();

        it!=control_deps.end();

        ++it)

    {

      if(it!=control_deps.begin())

        out << ",";

      out << (*it)->location_number;

    }

    out << '\n';

  }


  if(!data_deps.empty())

  {

    out << "Data dependencies: ";

    for(depst::const_iterator

        it=data_deps.begin();

        it!=data_deps.end();

        ++it)

    {

      if(it!=data_deps.begin())

        out << ",";

      out << (*it)->location_number;

    }

    out << '\n';

  }

}


jsont dep_graph_domaint::output_json(

  const ai_baset &,

  const namespacet &) const

{

  json_arrayt graph;


  for(const auto &cd : control_deps)

  {

    json_objectt link{

      {"locationNumber", json_numbert(std::to_string(cd->location_number))},

      {"sourceLocation", json(cd->source_location())},

      {"type", json_stringt("control")}};

    graph.push_back(std::move(link));

  }


  for(const auto &dd : data_deps)

  {

    json_objectt link{

      {"locationNumber", json_numbert(std::to_string(dd->location_number))},

      {"sourceLocation", json(dd->source_location())},

      {"type", json_stringt("data")}};

    graph.push_back(std::move(link));

  }


  return std::move(graph);

}


class dep_graph_domain_factoryt : public ai_domain_factoryt<dep_graph_domaint>

{

public:


  dep_graph_domain_factoryt(

    dependence_grapht &_dg,

    message_handlert &message_handler)

    : dg(_dg), message_handler(message_handler)

  {

  }


  std::unique_ptr<statet> make(locationt l) const override

  {

    auto node_id = dg.add_node();

    dg.nodes[node_id].PC = l;

    auto p = std::make_unique<dep_graph_domaint>(node_id, message_handler);

    CHECK_RETURN(p->is_bottom());


    return std::unique_ptr<statet>(p.release());

  }


private:

  dependence_grapht &dg;

  message_handlert &message_handler;

};


dependence_grapht::dependence_grapht(

  const namespacet &_ns,

  message_handlert &message_handler)

  : ait<dep_graph_domaint>(

      std::make_unique<dep_graph_domain_factoryt>(*this, message_handler)),

    ns(_ns),

    rd(ns, message_handler)

{

}


void dependence_grapht::add_dep(

  dep_edget::kindt kind,

  goto_programt::const_targett from,

  goto_programt::const_targett to)

{

  const node_indext n_from = (*this)[from].get_node_id();

  CHECK_RETURN(n_from < size());

  const node_indext n_to = (*this)[to].get_node_id();

  CHECK_RETURN(n_to < size());


  // add_edge is redundant as the subsequent operations also insert

  // entries into the edge maps (implicitly)

  // add_edge(n_from, n_to);

  nodes[n_from].out[n_to].add(kind);

  nodes[n_to].in[n_from].add(kind);

}


void dep_graph_domaint::populate_dep_graph(

  dependence_grapht &dep_graph, goto_programt::const_targett this_loc) const

{

  for(const auto &c_dep : control_deps)

    dep_graph.add_dep(dep_edget::kindt::CTRL, c_dep, this_loc);


  for(const auto &d_dep : data_deps)

    dep_graph.add_dep(dep_edget::kindt::DATA, d_dep, this_loc);

}


ai_baset
This is the basic interface of the abstract interpreter with default implementations of the core func...
Definition ai.h:117

ai_baset::clear
virtual void clear()
Reset the abstract state.
Definition ai.h:265

ai_domain_baset::trace_ptrt
ai_history_baset::trace_ptrt trace_ptrt
Definition ai_domain.h:73

ai_domain_baset::locationt
goto_programt::const_targett locationt
Definition ai_domain.h:72

ai_domain_factoryt
Definition ai_domain.h:200

ai_domain_factoryt< dep_graph_domaint >::locationt
ai_domain_factory_baset::locationt locationt
Definition ai_domain.h:203

ait
ait supplies three of the four components needed: an abstract interpreter (in this case handling func...
Definition ai.h:562

ait::get_state
virtual statet & get_state(locationt l)
Definition ai.h:611

ait< dep_graph_domaint >::ait
ait()
Definition ai.h:565

dep_edget::kindt
kindt
Definition dependence_graph.h:30

dep_edget::kindt::CTRL
@ CTRL

dep_edget::kindt::DATA
@ DATA

dep_graph_domain_factoryt
This ensures that all domains are constructed with the node ID that links them to the graph part of t...
Definition dependence_graph.cpp:342

dep_graph_domain_factoryt::dg
dependence_grapht & dg
Definition dependence_graph.cpp:362

dep_graph_domain_factoryt::make
std::unique_ptr< statet > make(locationt l) const override
Definition dependence_graph.cpp:351

dep_graph_domain_factoryt::dep_graph_domain_factoryt
dep_graph_domain_factoryt(dependence_grapht &_dg, message_handlert &message_handler)
Definition dependence_graph.cpp:344

dep_graph_domain_factoryt::message_handler
message_handlert & message_handler
Definition dependence_graph.cpp:363

dep_graph_domaint
Definition dependence_graph.h:67

dep_graph_domaint::has_values
tvt has_values
Definition dependence_graph.h:174

dep_graph_domaint::control_dependencies
void control_dependencies(const irep_idt &function_id, goto_programt::const_targett from, goto_programt::const_targett to, dependence_grapht &dep_graph)
Definition dependence_graph.cpp:52

dep_graph_domaint::depst
std::set< goto_programt::const_targett, goto_programt::target_less_than > depst
Definition dependence_graph.h:180

dep_graph_domaint::data_deps
depst data_deps
Definition dependence_graph.h:193

dep_graph_domaint::merge
bool merge(const dep_graph_domaint &src, trace_ptrt from, trace_ptrt to)
Definition dependence_graph.cpp:22

dep_graph_domaint::is_bottom
bool is_bottom() const final override
Definition dependence_graph.h:150

dep_graph_domaint::has_changed
bool has_changed
Definition dependence_graph.h:176

dep_graph_domaint::control_deps
depst control_deps
Definition dependence_graph.h:184

dep_graph_domaint::populate_dep_graph
void populate_dep_graph(dependence_grapht &, goto_programt::const_targett) const
Definition dependence_graph.cpp:393

dep_graph_domaint::output_json
jsont output_json(const ai_baset &ai, const namespacet &ns) const override
Outputs the current value of the domain.
Definition dependence_graph.cpp:311

dep_graph_domaint::transform
void transform(const irep_idt &function_from, trace_ptrt trace_from, const irep_idt &function_to, trace_ptrt trace_to, ai_baset &ai, const namespacet &ns) final override
how function calls are treated: a) there is an edge from each call site to the function head b) there...
Definition dependence_graph.cpp:217

dep_graph_domaint::control_dep_candidates
depst control_dep_candidates
Definition dependence_graph.h:189

dep_graph_domaint::data_dependencies
void data_dependencies(goto_programt::const_targett from, const irep_idt &function_to, goto_programt::const_targett to, dependence_grapht &dep_graph, const namespacet &ns)
Definition dependence_graph.cpp:154

dep_graph_domaint::output
void output(std::ostream &out, const ai_baset &ai, const namespacet &ns) const final override
Definition dependence_graph.cpp:272

dep_graph_domaint::message_handler
message_handlert & message_handler
Definition dependence_graph.h:195

dependence_grapht
Definition dependence_graph.h:221

dependence_grapht::add_dep
void add_dep(dep_edget::kindt kind, goto_programt::const_targett from, goto_programt::const_targett to)
Definition dependence_graph.cpp:376

dependence_grapht::dependence_grapht
dependence_grapht(const namespacet &_ns, message_handlert &)
Definition dependence_graph.cpp:366

dstringt
dstringt has one field, an unsigned integer no which is an index into a static table of strings.
Definition dstring.h:38

goto_programt::const_targett
instructionst::const_iterator const_targett
Definition goto_program.h:614

grapht::nodes
nodest nodes
Definition graph.h:176

grapht< dep_nodet >::node_indext
nodet::node_indext node_indext
Definition graph.h:173

grapht::add_node
node_indext add_node(arguments &&... values)
Definition graph.h:180

grapht< dep_nodet >::size
std::size_t size() const
Definition graph.h:212

json_arrayt
Definition json.h:165

json_arrayt::push_back
jsont & push_back(const jsont &json)
Definition json.h:212

json_numbert
Definition json.h:289

json_objectt
Definition json.h:298

json_stringt
Definition json.h:270

jsont
Definition json.h:27

message_handlert
Definition message.h:27

namespacet
A namespacet is essentially one or two symbol tables bound together, to allow for symbol lookups in t...
Definition namespace.h:91

range_domaint
Definition goto_rw.h:175

range_spect
Data type to describe upper and lower bounds of the range of bits that a read or write access may aff...
Definition goto_rw.h:61

rd_range_domaint::ranges_at_loct
std::map< locationt, rangest, goto_programt::target_less_than > ranges_at_loct
Definition reaching_definitions.h:253

rw_range_set_value_sett
Definition goto_rw.h:365

tvt::unknown
static tvt unknown()
Definition threeval.h:33

value_setst
Definition value_sets.h:22

container_utils.h

util_inplace_set_union
bool util_inplace_set_union(std::set< T, Compare, Alloc > &target, const std::set< T, Compare, Alloc > &source)
Compute union of two sets.
Definition container_utils.h:28

may_be_def_use_pair
static bool may_be_def_use_pair(const range_spect &w_start, const range_spect &w_end, const range_spect &r_start, const range_spect &r_end)
Definition dependence_graph.cpp:127

dependence_graph.h
Field-Sensitive Program Dependence Analysis, Litvak et al., FSE 2010.

goto_rw
static void goto_rw(const irep_idt &function, goto_programt::const_targett target, const exprt &lhs, const exprt &function_expr, const exprt::operandst &arguments, rw_range_sett &rw_set)
Definition goto_rw.cpp:845

goto_rw.h

json_irep.h
Util.

std
STL namespace.

json
static void json(json_objectT &result, const irep_idt &property_id, const property_infot &property_info)
Definition properties.cpp:120

CHECK_RETURN
#define CHECK_RETURN(CONDITION)
Definition invariant.h:495

PRECONDITION
#define PRECONDITION(CONDITION)
Definition invariant.h:463