cbmc/dfcc__lift__memory__predicates_8cpp_source.html

/*******************************************************************\


Module: Dynamic frame condition checking for function contracts


Author: Remi Delmas, delmasrd@amazon.com

Date: August 2022


\*******************************************************************/


// TODO when scanning the goto functions to detect pointer predicates,

// replace pointer equality p == q with __CPROVER_pointer_equals(p,q)

// in all user-defined memory predicates.


#include "dfcc_lift_memory_predicates.h"


#include <util/cprover_prefix.h>

#include <util/format_expr.h>

#include <util/graph.h>

#include <util/pointer_expr.h>

#include <util/replace_symbol.h>

#include <util/symbol.h>


#include <goto-programs/goto_model.h>


#include "dfcc_instrument.h"

#include "dfcc_library.h"

#include "dfcc_utils.h"


dfcc_lift_memory_predicatest::dfcc_lift_memory_predicatest(

  goto_modelt &goto_model,

  dfcc_libraryt &library,

  dfcc_instrumentt &instrument,

  message_handlert &message_handler)

  : goto_model(goto_model),

    library(library),

    instrument(instrument),

    log(message_handler)

{

}

dfcc_lift_memory_predicatest::dfcc_lift_memory_predicatest( {…}


bool dfcc_lift_memory_predicatest::is_lifted_function(

  const irep_idt &function_id)

{

  return lifted_parameters.find(function_id) != lifted_parameters.end();

}

bool dfcc_lift_memory_predicatest::is_lifted_function( {…}


static bool is_core_memory_predicate(const irep_idt &function_id)

{

  return (function_id == CPROVER_PREFIX "pointer_equals") ||

         (function_id == CPROVER_PREFIX "is_fresh") ||

         (function_id == CPROVER_PREFIX "pointer_in_range_dfcc") ||

         (function_id == CPROVER_PREFIX "obeys_contract");

}

static bool is_core_memory_predicate(const irep_idt &function_id) {…}


bool dfcc_lift_memory_predicatest::calls_memory_predicates(

  const goto_programt &goto_program,

  const std::set<irep_idt> &predicates)

{

  for(const auto &instruction : goto_program.instructions)

  {

    if(

      instruction.is_function_call() &&

      instruction.call_function().id() == ID_symbol)

    {

      const auto &callee_id =

        to_symbol_expr(instruction.call_function()).get_identifier();


      if(

        is_core_memory_predicate(callee_id) ||

        predicates.find(callee_id) != predicates.end())

      {

        return true;

      }

    }

  }

  return false;

}

bool dfcc_lift_memory_predicatest::calls_memory_predicates( {…}


std::set<irep_idt> dfcc_lift_memory_predicatest::lift_predicates(

  std::set<irep_idt> &discovered_function_pointer_contracts)

{

  std::set<irep_idt> candidates;

  for(const auto &pair : goto_model.symbol_table)

  {

    if(

      pair.second.type.id() == ID_code &&

      !instrument.do_not_instrument(pair.first))

    {

      const auto &iter =

        goto_model.goto_functions.function_map.find(pair.first);

      if(

        iter != goto_model.goto_functions.function_map.end() &&

        iter->second.body_available())

      {

        candidates.insert(pair.first);

      }

    }

  }


  std::set<irep_idt> predicates;


  // iterate until no new predicate is found

  bool new_predicates_found = true;

  while(new_predicates_found)

  {

    new_predicates_found = false;

    for(const auto &function_id : candidates)

    {

      if(

        predicates.find(function_id) == predicates.end() &&

        calls_memory_predicates(

          goto_model.goto_functions.function_map[function_id].body, predicates))

      {

        predicates.insert(function_id);

        new_predicates_found = true;

      }

    }

  }


  if(predicates.empty())

    return predicates;


  // some predicates were found, build dependency graph

  struct dep_graph_nodet : public graph_nodet<empty_edget>

  {

    const irep_idt &function_id;

    explicit dep_graph_nodet(const irep_idt &function_id)

      : function_id(function_id)

    {

    }

  };


  grapht<dep_graph_nodet> dep_graph;


  // inverse mapping from names to dep_graph_nodet identifiers

  std::map<irep_idt, std::size_t> id_to_node_map;

  // create all nodes

  for(auto &predicate : predicates)

  {

    id_to_node_map.insert({predicate, dep_graph.add_node(predicate)});

  }


  // create all edges

  for(auto &caller : predicates)

  {

    const auto caller_id = id_to_node_map[caller];

    for(const auto &instruction :

        goto_model.goto_functions.function_map[caller].body.instructions)

    {

      if(

        instruction.is_function_call() &&

        instruction.call_function().id() == ID_symbol)

      {

        const auto &callee =

          to_symbol_expr(instruction.call_function()).get_identifier();

        if(predicates.find(callee) != predicates.end())

        {

          log.conditional_output(log.debug(), [&](messaget::mstreamt &mstream) {

            mstream << "Memory predicate dependency " << caller << " -> "

                    << callee << messaget::eom;

          });

          const auto callee_id = id_to_node_map[callee];

          if(callee != caller) // do not add edges for self-recursive functions

            dep_graph.add_edge(callee_id, caller_id);

        }

      }

    }

  }


  // lift in dependency order

  auto sorted = dep_graph.topsort();

  PRECONDITION_WITH_DIAGNOSTICS(

    !sorted.empty(),

    "could not determine instrumentation order for memory predicates, most "

    "likely due to mutual recursion");

  for(const auto &idx : sorted)

  {

    lift_predicate(

      dep_graph[idx].function_id, discovered_function_pointer_contracts);

  }


  return predicates;

}

std::set<irep_idt> dfcc_lift_memory_predicatest::lift_predicates( {…}


// returns an optional rank


static std::optional<std::size_t> is_param_expr(

  const exprt &expr,

  const std::map<irep_idt, std::size_t> &parameter_rank)

{

  if(expr.id() == ID_typecast)

  {

    // ignore typecasts

    return is_param_expr(to_typecast_expr(expr).op(), parameter_rank);

  }

  else if(expr.id() == ID_symbol)

  {

    const irep_idt &ident = to_symbol_expr(expr).get_identifier();

    const auto found = parameter_rank.find(ident);

    if(found != parameter_rank.end())

    {

      return {found->second};

    }

    else

    {

      return {};

    }

  }

  else

  {

    // bail on anything else

    return {};

  }

}

static std::optional<std::size_t> is_param_expr( {…}


void dfcc_lift_memory_predicatest::collect_parameters_to_lift(

  const irep_idt &function_id)

{

  const symbolt &function_symbol =

    dfcc_utilst::get_function_symbol(goto_model.symbol_table, function_id);

  // map of parameter name to its rank in the signature

  std::map<irep_idt, std::size_t> parameter_rank;

  const auto &parameters = to_code_type(function_symbol.type).parameters();

  for(std::size_t rank = 0; rank < parameters.size(); rank++)

  {

    parameter_rank[parameters[rank].get_identifier()] = rank;

  }

  const goto_programt &body =

    goto_model.goto_functions.function_map[function_id].body;

  for(const auto &it : body.instructions)

  {

    // for all function calls, if a parameter of function_id is passed

    // in a lifted position, add its rank to the set of lifted parameters

    if(it.is_function_call() && it.call_function().id() == ID_symbol)

    {

      const irep_idt &callee_id =

        to_symbol_expr(it.call_function()).get_identifier();

      if(callee_id == CPROVER_PREFIX "pointer_equals")

      {

        auto opt_rank = is_param_expr(it.call_arguments()[0], parameter_rank);

        if(opt_rank.has_value())

        {

          lifted_parameters[function_id].insert(opt_rank.value());

        }

      }

      else if(callee_id == CPROVER_PREFIX "is_fresh")

      {

        auto opt_rank = is_param_expr(it.call_arguments()[0], parameter_rank);

        if(opt_rank.has_value())

        {

          lifted_parameters[function_id].insert(opt_rank.value());

        }

      }

      else if(callee_id == CPROVER_PREFIX "pointer_in_range_dfcc")

      {

        auto opt_rank = is_param_expr(it.call_arguments()[1], parameter_rank);

        if(opt_rank.has_value())

        {

          lifted_parameters[function_id].insert(opt_rank.value());

        }

      }

      else if(callee_id == CPROVER_PREFIX "obeys_contract")

      {

        auto opt_rank = is_param_expr(it.call_arguments()[0], parameter_rank);

        if(opt_rank.has_value())

        {

          lifted_parameters[function_id].insert(opt_rank.value());

        }

      }

      else if(is_lifted_function(callee_id))

      {

        // search wether a parameter of function_id is passed to a lifted

        // parameter of callee_id

        for(const std::size_t callee_rank : lifted_parameters[callee_id])

        {

          auto opt_rank =

            is_param_expr(it.call_arguments()[callee_rank], parameter_rank);

          if(opt_rank.has_value())

          {

            lifted_parameters[function_id].insert(opt_rank.value());

          }

        }

      }

    }

  }

}

void dfcc_lift_memory_predicatest::collect_parameters_to_lift( {…}


void dfcc_lift_memory_predicatest::add_pointer_type(

  const irep_idt &function_id,

  const std::size_t parameter_rank,

  replace_symbolt &replace_lifted_param)

{

  symbolt &function_symbol =

    dfcc_utilst::get_function_symbol(goto_model.symbol_table, function_id);

  code_typet &code_type = to_code_type(function_symbol.type);

  auto &parameters = code_type.parameters();

  auto &parameter_id = parameters[parameter_rank].get_identifier();

  auto entry = goto_model.symbol_table.symbols.find(parameter_id);

  log.conditional_output(log.debug(), [&](messaget::mstreamt &mstream) {

    mstream << "adding pointer type to " << function_id << " " << parameter_id

            << messaget::eom;

  });

  const symbolt &old_symbol = entry->second;

  const auto &old_symbol_expr = old_symbol.symbol_expr();

  // create new parameter symbol, same everything except type

  symbolt new_symbol(

    old_symbol.name, pointer_type(old_symbol.type), old_symbol.mode);

  new_symbol.base_name = old_symbol.base_name;

  new_symbol.location = old_symbol.location;

  new_symbol.module = old_symbol.module;

  new_symbol.is_lvalue = old_symbol.is_lvalue;

  new_symbol.is_state_var = old_symbol.is_state_var;

  new_symbol.is_thread_local = old_symbol.is_thread_local;

  new_symbol.is_file_local = old_symbol.is_file_local;

  new_symbol.is_auxiliary = old_symbol.is_auxiliary;

  new_symbol.is_parameter = old_symbol.is_parameter;

  goto_model.symbol_table.erase(entry);

  std::pair<symbolt &, bool> res =

    goto_model.symbol_table.insert(std::move(new_symbol));

  CHECK_RETURN(res.second);

  replace_lifted_param.insert(

    old_symbol_expr, dereference_exprt(res.first.symbol_expr()));

  code_typet::parametert parameter(res.first.type);

  parameter.set_base_name(res.first.base_name);

  parameter.set_identifier(res.first.name);

  parameters[parameter_rank] = parameter;

}

void dfcc_lift_memory_predicatest::add_pointer_type( {…}


void dfcc_lift_memory_predicatest::lift_parameters_and_update_body(

  const irep_idt &function_id,

  std::set<irep_idt> &discovered_function_pointer_contracts)

{

  replace_symbolt replace_lifted_params;

  // add pointer types to all parameters that require it

  for(const auto rank : lifted_parameters[function_id])

  {

    add_pointer_type(function_id, rank, replace_lifted_params);

  }

  auto &body = goto_model.goto_functions.function_map[function_id].body;

  // update the function body

  for(auto &instruction : body.instructions)

  {

    // rewrite all occurrences of lifted parameters

    instruction.transform([&replace_lifted_params](exprt expr) {

      const bool changed = !replace_lifted_params.replace(expr);

      return changed ? std::optional<exprt>{expr} : std::nullopt;

    });


    // add address-of to all arguments expressions passed in lifted position to

    // another memory predicate

    if(

      instruction.is_function_call() &&

      instruction.call_function().id() == ID_symbol)

    {

      // add address-of to arguments that are passed in lifted position

      auto &callee_id =

        to_symbol_expr(instruction.call_function()).get_identifier();

      if(is_lifted_function(callee_id))

      {

        for(const auto &rank : lifted_parameters[callee_id])

        {

          const auto arg = instruction.call_arguments()[rank];

          log.conditional_output(log.debug(), [&](messaget::mstreamt &mstream) {

            mstream << "Adding address_of to call " << callee_id

                    << ", argument " << format(arg) << messaget::eom;

          });

          instruction.call_arguments()[rank] = address_of_exprt(arg);

        }

      }

    }

  }

}

void dfcc_lift_memory_predicatest::lift_parameters_and_update_body( {…}


void dfcc_lift_memory_predicatest::lift_predicate(

  const irep_idt &function_id,

  std::set<irep_idt> &discovered_function_pointer_contracts)

{

  // when this function_id gets processed, any memory predicate it calls has

  // already been processed (except itself if it is recursive);


  log.status() << "Instrumenting memory predicate '" << function_id << "'"

               << messaget::eom;


  // first step: identify which parameters are passed directly to core

  // predicates of lifted positions in user-defined memory predicates and mark

  // them as lifted

  collect_parameters_to_lift(function_id);

  lift_parameters_and_update_body(

    function_id, discovered_function_pointer_contracts);


  log.conditional_output(log.debug(), [&](messaget::mstreamt &mstream) {

    mstream << "Ranks of lifted parameters for " << function_id << ": ";

    for(const auto rank : lifted_parameters[function_id])

      mstream << rank << ", ";

    mstream << messaget::eom;

  });


  // instrument the function for side effects: adds the write_set parameter,

  // adds checks for side effects, maps core predicates to their implementation.

  instrument.instrument_function(

    function_id,

    loop_contract_configt{false},

    discovered_function_pointer_contracts);

}

void dfcc_lift_memory_predicatest::lift_predicate( {…}


void dfcc_lift_memory_predicatest::fix_calls(goto_programt &program)

{

  fix_calls(program, program.instructions.begin(), program.instructions.end());

}

void dfcc_lift_memory_predicatest::fix_calls(goto_programt &program) {…}


void dfcc_lift_memory_predicatest::fix_calls(

  goto_programt &program,

  goto_programt::targett first_instruction,

  const goto_programt::targett &last_instruction)

{

  for(auto target = first_instruction; target != last_instruction; target++)

  {

    if(target->is_function_call())

    {

      const auto &function = target->call_function();


      if(function.id() == ID_symbol)

      {

        const irep_idt &fun_name = to_symbol_expr(function).get_identifier();


        if(is_lifted_function(fun_name))

        {

          // add address-of on all lifted argumnents

          for(const auto rank : lifted_parameters[fun_name])

          {

            target->call_arguments()[rank] =

              address_of_exprt(target->call_arguments()[rank]);

          }

        }

      }

    }

  }

}

void dfcc_lift_memory_predicatest::fix_calls( {…}

pointer_type
pointer_typet pointer_type(const typet &subtype)
Definition c_types.cpp:235

address_of_exprt
Operator to return the address of an object.
Definition pointer_expr.h:540

ait
ait supplies three of the four components needed: an abstract interpreter (in this case handling func...
Definition ai.h:562

code_typet::parametert
Definition std_types.h:600

code_typet
Base type of functions.
Definition std_types.h:583

dereference_exprt
Operator to dereference a pointer.
Definition pointer_expr.h:834

dfcc_instrumentt
This class instruments GOTO functions or instruction sequences for frame condition checking and loop ...
Definition dfcc_instrument.h:44

dfcc_instrumentt::instrument_function
void instrument_function(const irep_idt &function_id, const loop_contract_configt &loop_contract_config, std::set< irep_idt > &function_pointer_contracts)
Instruments a GOTO function by adding an extra write set parameter and instrumenting its body instruc...
Definition dfcc_instrument.cpp:318

dfcc_instrumentt::do_not_instrument
bool do_not_instrument(const irep_idt &id) const
True iff the symbol must not be instrumented because it is an internal symbol or a CPROVER symbol.
Definition dfcc_instrument.cpp:233

dfcc_libraryt
Class interface to library types and functions defined in cprover_contracts.c.
Definition dfcc_library.h:164

dfcc_lift_memory_predicatest::instrument
dfcc_instrumentt & instrument
Definition dfcc_lift_memory_predicates.h:71

dfcc_lift_memory_predicatest::fix_calls
void fix_calls(goto_programt &program)
Fixes calls to user-defined memory predicates in the given program, by adding an address-of to argume...
Definition dfcc_lift_memory_predicates.cpp:407

dfcc_lift_memory_predicatest::goto_model
goto_modelt & goto_model
Definition dfcc_lift_memory_predicates.h:69

dfcc_lift_memory_predicatest::collect_parameters_to_lift
void collect_parameters_to_lift(const irep_idt &function_id)
Computes the subset of function parameters of function_id that are passed directly to core predicates...
Definition dfcc_lift_memory_predicates.cpp:217

dfcc_lift_memory_predicatest::lift_predicate
void lift_predicate(const irep_idt &function_id, std::set< irep_idt > &discovered_function_pointer_contracts)
Definition dfcc_lift_memory_predicates.cpp:375

dfcc_lift_memory_predicatest::log
messaget log
Definition dfcc_lift_memory_predicates.h:72

dfcc_lift_memory_predicatest::add_pointer_type
void add_pointer_type(const irep_idt &function_id, const std::size_t parameter_rank, replace_symbolt &replace_lifted_param)
adds a pointer_type to the parameter of a function
Definition dfcc_lift_memory_predicates.cpp:289

dfcc_lift_memory_predicatest::dfcc_lift_memory_predicatest
dfcc_lift_memory_predicatest(goto_modelt &goto_model, dfcc_libraryt &library, dfcc_instrumentt &instrument, message_handlert &message_handler)
Definition dfcc_lift_memory_predicates.cpp:29

dfcc_lift_memory_predicatest::lifted_parameters
std::map< irep_idt, std::set< std::size_t > > lifted_parameters
Definition dfcc_lift_memory_predicates.h:74

dfcc_lift_memory_predicatest::lift_parameters_and_update_body
void lift_parameters_and_update_body(const irep_idt &function_id, std::set< irep_idt > &discovered_function_pointer_contracts)
Definition dfcc_lift_memory_predicates.cpp:330

dfcc_lift_memory_predicatest::calls_memory_predicates
bool calls_memory_predicates(const goto_programt &goto_program, const std::set< irep_idt > &predicates)
Returns true iff goto_program calls core memory predicates.
Definition dfcc_lift_memory_predicates.cpp:57

dfcc_lift_memory_predicatest::is_lifted_function
bool is_lifted_function(const irep_idt &function_id)
True if a function at least had one of its parameters lifted.
Definition dfcc_lift_memory_predicates.cpp:42

dfcc_lift_memory_predicatest::lift_predicates
std::set< irep_idt > lift_predicates(std::set< irep_idt > &discovered_function_pointer_contracts)
Collects and lifts all user-defined memory predicates.
Definition dfcc_lift_memory_predicates.cpp:81

dstringt
dstringt has one field, an unsigned integer no which is an index into a static table of strings.
Definition dstring.h:38

exprt
Base class for all expressions.
Definition expr.h:56

goto_functionst::function_map
function_mapt function_map
Definition goto_functions.h:29

goto_modelt
Definition goto_model.h:27

goto_modelt::symbol_table
symbol_tablet symbol_table
Symbol table.
Definition goto_model.h:31

goto_modelt::goto_functions
goto_functionst goto_functions
GOTO functions.
Definition goto_model.h:34

goto_programt
A generic container class for the GOTO intermediate representation of one function.
Definition goto_program.h:73

goto_programt::instructions
instructionst instructions
The list of instructions in the goto program.
Definition goto_program.h:622

goto_programt::targett
instructionst::iterator targett
Definition goto_program.h:614

graph_nodet
This class represents a node in a directed graph.
Definition graph.h:35

irept::id
const irep_idt & id() const
Definition irep.h:388

message_handlert
Definition message.h:27

messaget::mstreamt
Definition message.h:216

messaget::debug
mstreamt & debug() const
Definition message.h:421

messaget::conditional_output
void conditional_output(mstreamt &mstream, const std::function< void(mstreamt &)> &output_generator) const
Generate output to message_stream using output_generator if the configured verbosity is at least as h...
Definition message.cpp:139

messaget::eom
static eomt eom
Definition message.h:289

messaget::status
mstreamt & status() const
Definition message.h:406

replace_symbolt
Replace a symbol expression by a given expression.
Definition replace_symbol.h:28

symbol_table_baset::symbols
const symbolst & symbols
Read-only field, used to look up symbols given their names.
Definition symbol_table_base.h:31

symbol_tablet::erase
virtual void erase(const symbolst::const_iterator &entry) override
Remove a symbol from the symbol table.
Definition symbol_table.cpp:90

symbol_tablet::insert
virtual std::pair< symbolt &, bool > insert(symbolt symbol) override
Author: Diffblue Ltd.
Definition symbol_table.cpp:17

symbolt
Symbol table entry.
Definition symbol.h:28

symbolt::is_auxiliary
bool is_auxiliary
Definition symbol.h:77

symbolt::is_file_local
bool is_file_local
Definition symbol.h:73

symbolt::is_parameter
bool is_parameter
Definition symbol.h:76

symbolt::is_thread_local
bool is_thread_local
Definition symbol.h:71

symbolt::location
source_locationt location
Source code location of definition of symbol.
Definition symbol.h:37

symbolt::is_state_var
bool is_state_var
Definition symbol.h:66

symbolt::symbol_expr
class symbol_exprt symbol_expr() const
Produces a symbol_exprt for a symbol.
Definition symbol.cpp:121

symbolt::type
typet type
Type of symbol.
Definition symbol.h:31

symbolt::name
irep_idt name
The unique identifier.
Definition symbol.h:40

symbolt::base_name
irep_idt irep_idt base_name
Name of module the symbol belongs to.
Definition symbol.h:46

symbolt::is_lvalue
bool is_lvalue
Definition symbol.h:72

symbolt::mode
irep_idt mode
Language mode.
Definition symbol.h:49

cprover_prefix.h

CPROVER_PREFIX
#define CPROVER_PREFIX
Definition cprover_prefix.h:14

dfcc_instrument.h
Add instrumentation to a goto program to perform frame condition checks.

dfcc_library.h
Dynamic frame condition checking library loading.

is_core_memory_predicate
static bool is_core_memory_predicate(const irep_idt &function_id)
True iff function_id is a core memory predicate.
Definition dfcc_lift_memory_predicates.cpp:49

is_param_expr
static std::optional< std::size_t > is_param_expr(const exprt &expr, const std::map< irep_idt, std::size_t > &parameter_rank)
Definition dfcc_lift_memory_predicates.cpp:188

dfcc_lift_memory_predicates.h
Collects all user-defined predicates that call functions is_fresh, pointer_in_range,...

dfcc_utils.h
Dynamic frame condition checking utility functions.

format
static format_containert< T > format(const T &o)
Definition format.h:37

format_expr.h

goto_model.h
Symbol Table + CFG.

graph.h
A Template Class for Graphs.

log
double log(double x)
Definition math.c:2449

pointer_expr.h
API to expression classes for Pointers.

replace_symbol.h

PRECONDITION_WITH_DIAGNOSTICS
#define PRECONDITION_WITH_DIAGNOSTICS(CONDITION,...)
Definition invariant.h:464

CHECK_RETURN
#define CHECK_RETURN(CONDITION)
Definition invariant.h:495

to_typecast_expr
const typecast_exprt & to_typecast_expr(const exprt &expr)
Cast an exprt to a typecast_exprt.
Definition std_expr.h:2107

to_symbol_expr
const symbol_exprt & to_symbol_expr(const exprt &expr)
Cast an exprt to a symbol_exprt.
Definition std_expr.h:272

to_code_type
const code_typet & to_code_type(const typet &type)
Cast a typet to a code_typet.
Definition std_types.h:788

dfcc_utilst::get_function_symbol
static symbolt & get_function_symbol(symbol_table_baset &, const irep_idt &function_id)
Returns the symbolt for function_id.
Definition dfcc_utils.cpp:72

loop_contract_configt
Loop contract configurations.
Definition loop_contract_config.h:19

symbol.h
Symbol table entry.