cbmc/goto__symex__state_8h_source.html

/*******************************************************************\


Module: Symbolic Execution


Author: Daniel Kroening, kroening@kroening.com


\*******************************************************************/


#ifndef CPROVER_GOTO_SYMEX_GOTO_SYMEX_STATE_H

#define CPROVER_GOTO_SYMEX_GOTO_SYMEX_STATE_H


#include <util/invariant.h>

#include <util/ssa_expr.h>

#include <util/std_expr.h>

#include <util/symbol_table.h>


#include <analyses/guard.h>


#include "call_stack.h"

#include "field_sensitivity.h"

#include "goto_state.h"

#include "renaming_level.h"

#include "shadow_memory_state.h"


#include <functional>


class incremental_dirtyt;

class symex_target_equationt;


class goto_symex_statet final : public goto_statet

{

public:

  goto_symex_statet(

    const symex_targett::sourcet &,

    std::size_t max_field_sensitive_array_size,

    bool should_simplify,

    guard_managert &manager,

    std::function<std::size_t(const irep_idt &)> fresh_l2_name_provider);

  ~goto_symex_statet();


  explicit goto_symex_statet(

    const goto_symex_statet &other,

    symex_target_equationt *const target)

    : goto_symex_statet(other) // NOLINT

  {

    symex_target = target;

  }

  explicit goto_symex_statet( {…}


  symex_targett::sourcet source;


  symbol_tablet symbol_table;


  // Manager is required to be able to resize the thread vector

  guard_managert &guard_manager;

  symex_target_equationt *symex_target;


  symex_level1t level1;


  template <levelt level = L2>

  [[nodiscard]] renamedt<exprt, level> rename(exprt expr, const namespacet &ns);


  template <levelt level>

  [[nodiscard]] renamedt<ssa_exprt, level>

  rename_ssa(ssa_exprt ssa, const namespacet &ns);


  template <levelt level = L2>

  void rename(typet &type, const irep_idt &l1_identifier, const namespacet &ns);


  [[nodiscard]] exprt l2_rename_rvalues(exprt lvalue, const namespacet &ns);


  [[nodiscard]] renamedt<ssa_exprt, L2> assignment(

    ssa_exprt lhs,    // L0/L1

    const exprt &rhs, // L2

    const namespacet &ns,

    bool rhs_is_simplified,

    bool record_value,

    bool allow_pointer_unsoundness = false);


  field_sensitivityt field_sensitivity;


  shadow_memory_statet shadow_memory;


protected:

  template <levelt>

  void rename_address(exprt &expr, const namespacet &ns);


  template <levelt level>

  [[nodiscard]] renamedt<ssa_exprt, level>

  set_indices(ssa_exprt expr, const namespacet &ns);


  // this maps L1 names to (L2) types

  typedef std::unordered_map<irep_idt, typet> l1_typest;

  l1_typest l1_types;


public:

  // guards


  static irep_idt guard_identifier()

  {

    static irep_idt id = "goto_symex::\\guard";

    return id;

  }

  static irep_idt guard_identifier() {…}


  call_stackt &call_stack()

  {

    PRECONDITION(source.thread_nr < threads.size());

    return threads[source.thread_nr].call_stack;

  }

  call_stackt &call_stack() {…}


  const call_stackt &call_stack() const

  {

    PRECONDITION(source.thread_nr < threads.size());

    return threads[source.thread_nr].call_stack;

  }

  const call_stackt &call_stack() const {…}


  ssa_exprt add_object(

    const symbol_exprt &expr,

    std::function<std::size_t(const irep_idt &)> index_generator,

    const namespacet &ns);


  ssa_exprt declare(ssa_exprt ssa, const namespacet &ns);


  void print_backtrace(std::ostream &) const;


  // threads

  typedef std::pair<unsigned, std::list<guardt> > a_s_r_entryt;

  typedef std::list<guardt> a_s_w_entryt;

  std::unordered_map<ssa_exprt, a_s_r_entryt, irep_hash> read_in_atomic_section;

  std::unordered_map<ssa_exprt, a_s_w_entryt, irep_hash>

    written_in_atomic_section;


  struct threadt

  {

    goto_programt::const_targett pc;

    irep_idt function_id;

    guardt guard;

    call_stackt call_stack;

    std::map<irep_idt, unsigned> function_frame;

    unsigned atomic_section_id = 0;


    explicit threadt(guard_managert &guard_manager)

      : guard(true_exprt(), guard_manager)

    {

    }

    explicit threadt(guard_managert &guard_manager) {…}

  };

  struct threadt {…};


  std::vector<threadt> threads;


  enum class write_is_shared_resultt

  {

    NOT_SHARED,

    IN_ATOMIC_SECTION,

    SHARED

  };

  enum class write_is_shared_resultt {…};


  bool l2_thread_read_encoding(ssa_exprt &expr, const namespacet &ns);

  bool l2_thread_write_encoding(const ssa_exprt &expr, const namespacet &ns);

  write_is_shared_resultt

  write_is_shared(const ssa_exprt &expr, const namespacet &ns) const;


  std::stack<bool> record_events;


  const incremental_dirtyt *dirty = nullptr;


  goto_programt::const_targett saved_target;


  bool has_saved_jump_target;


  bool has_saved_next_instruction;


  bool run_validation_checks;


  unsigned total_vccs = 0;

  unsigned remaining_vccs = 0;


  void drop_existing_l1_name(const irep_idt &l1_identifier)

  {

    level2.current_names.erase(l1_identifier);

  }

  void drop_existing_l1_name(const irep_idt &l1_identifier) {…}


  void drop_l1_name(const irep_idt &l1_identifier)

  {

    level2.current_names.erase_if_exists(l1_identifier);

  }

  void drop_l1_name(const irep_idt &l1_identifier) {…}


  std::function<std::size_t(const irep_idt &)> get_l2_name_provider() const

  {

    return fresh_l2_name_provider;

  }

  std::function<std::size_t(const irep_idt &)> get_l2_name_provider() const {…}


  static bool is_read_only_object(const exprt &lvalue)

  {

    // Note ID_constant can occur due to a partial write to a string constant,

    // (i.e. something like byte_extract int from "hello" offset 2), which

    // simplifies to a plain constant.

    return lvalue.id() == ID_string_constant || lvalue.id() == ID_null_object ||

           lvalue.id() == "zero_string" || lvalue.id() == "is_zero_string" ||

           lvalue.id() == "zero_string_length" || lvalue.is_constant() ||

           lvalue.id() == ID_array;

  }

  static bool is_read_only_object(const exprt &lvalue) {…}


private:

  std::function<std::size_t(const irep_idt &)> fresh_l2_name_provider;


  goto_symex_statet(const goto_symex_statet &other) = default;

};

class goto_symex_statet final : public goto_statet {…};


#endif // CPROVER_GOTO_SYMEX_GOTO_SYMEX_STATE_H

call_stack.h

ait
ait supplies three of the four components needed: an abstract interpreter (in this case handling func...
Definition ai.h:562

call_stackt
Definition call_stack.h:15

dstringt
dstringt has one field, an unsigned integer no which is an index into a static table of strings.
Definition dstring.h:38

exprt
Base class for all expressions.
Definition expr.h:56

field_sensitivityt
Control granularity of object accesses.
Definition field_sensitivity.h:117

goto_programt::const_targett
instructionst::const_iterator const_targett
Definition goto_program.h:614

goto_statet
Container for data that varies per program point, e.g.
Definition goto_state.h:32

goto_statet::level2
symex_level2t level2
Definition goto_state.h:38

goto_symex_statet
Central data structure: state.
Definition goto_symex_state.h:42

goto_symex_statet::declare
ssa_exprt declare(ssa_exprt ssa, const namespacet &ns)
Add invalid (or a failed symbol) to the value_set if ssa is a pointer, ensure that level2 index of sy...
Definition goto_symex_state.cpp:848

goto_symex_statet::call_stack
const call_stackt & call_stack() const
Definition goto_symex_state.h:152

goto_symex_statet::saved_target
goto_programt::const_targett saved_target
Definition goto_symex_state.h:216

goto_symex_statet::add_object
ssa_exprt add_object(const symbol_exprt &expr, std::function< std::size_t(const irep_idt &)> index_generator, const namespacet &ns)
Instantiate the object expr.
Definition goto_symex_state.cpp:823

goto_symex_statet::call_stack
call_stackt & call_stack()
Definition goto_symex_state.h:146

goto_symex_statet::a_s_r_entryt
std::pair< unsigned, std::list< guardt > > a_s_r_entryt
Definition goto_symex_state.h:178

goto_symex_statet::record_events
std::stack< bool > record_events
Definition goto_symex_state.h:212

goto_symex_statet::l2_thread_write_encoding
bool l2_thread_write_encoding(const ssa_exprt &expr, const namespacet &ns)
thread encoding
Definition goto_symex_state.cpp:550

goto_symex_statet::goto_symex_statet
goto_symex_statet(const goto_symex_statet &other, symex_target_equationt *const target)
Fake "copy constructor" that initializes the symex_target member.
Definition goto_symex_state.h:53

goto_symex_statet::total_vccs
unsigned total_vccs
Definition goto_symex_state.h:228

goto_symex_statet::get_l2_name_provider
std::function< std::size_t(const irep_idt &)> get_l2_name_provider() const
Definition goto_symex_state.h:243

goto_symex_statet::l2_rename_rvalues
exprt l2_rename_rvalues(exprt lvalue, const namespacet &ns)
Definition goto_symex_state.cpp:313

goto_symex_statet::shadow_memory
shadow_memory_statet shadow_memory
Definition goto_symex_state.h:123

goto_symex_statet::guard_identifier
static irep_idt guard_identifier()
Definition goto_symex_state.h:140

goto_symex_statet::dirty
const incremental_dirtyt * dirty
Definition goto_symex_state.h:214

goto_symex_statet::read_in_atomic_section
std::unordered_map< ssa_exprt, a_s_r_entryt, irep_hash > read_in_atomic_section
Definition goto_symex_state.h:180

goto_symex_statet::write_is_shared_resultt
write_is_shared_resultt
Definition goto_symex_state.h:201

goto_symex_statet::write_is_shared_resultt::NOT_SHARED
@ NOT_SHARED

goto_symex_statet::write_is_shared_resultt::SHARED
@ SHARED

goto_symex_statet::write_is_shared_resultt::IN_ATOMIC_SECTION
@ IN_ATOMIC_SECTION

goto_symex_statet::written_in_atomic_section
std::unordered_map< ssa_exprt, a_s_w_entryt, irep_hash > written_in_atomic_section
Definition goto_symex_state.h:182

goto_symex_statet::level1
symex_level1t level1
Definition goto_symex_state.h:72

goto_symex_statet::rename_address
void rename_address(exprt &expr, const namespacet &ns)
Definition goto_symex_state.cpp:579

goto_symex_statet::assignment
renamedt< ssa_exprt, L2 > assignment(ssa_exprt lhs, const exprt &rhs, const namespacet &ns, bool rhs_is_simplified, bool record_value, bool allow_pointer_unsoundness=false)
Definition goto_symex_state.cpp:73

goto_symex_statet::guard_manager
guard_managert & guard_manager
Definition goto_symex_state.h:69

goto_symex_statet::l2_thread_read_encoding
bool l2_thread_read_encoding(ssa_exprt &expr, const namespacet &ns)
thread encoding
Definition goto_symex_state.cpp:384

goto_symex_statet::print_backtrace
void print_backtrace(std::ostream &) const
Dumps the current state of symex, printing the function name and location number for each stack frame...
Definition goto_symex_state.cpp:802

goto_symex_statet::rename
renamedt< exprt, level > rename(exprt expr, const namespacet &ns)
Rewrites symbol expressions in exprt, applying a suffix to each symbol reflecting its most recent ver...
Definition goto_symex_state.cpp:171

goto_symex_statet::symex_target
symex_target_equationt * symex_target
Definition goto_symex_state.h:70

goto_symex_statet::l1_typest
std::unordered_map< irep_idt, typet > l1_typest
Definition goto_symex_state.h:135

goto_symex_statet::symbol_table
symbol_tablet symbol_table
contains symbols that are minted during symbolic execution, such as dynamically created objects etc.
Definition goto_symex_state.h:66

goto_symex_statet::a_s_w_entryt
std::list< guardt > a_s_w_entryt
Definition goto_symex_state.h:179

goto_symex_statet::drop_l1_name
void drop_l1_name(const irep_idt &l1_identifier)
Drops an L1 name from the local L2 map.
Definition goto_symex_state.h:238

goto_symex_statet::is_read_only_object
static bool is_read_only_object(const exprt &lvalue)
Returns true if lvalue is a read-only object, such as the null object.
Definition goto_symex_state.h:249

goto_symex_statet::remaining_vccs
unsigned remaining_vccs
Definition goto_symex_state.h:229

goto_symex_statet::l1_types
l1_typest l1_types
Definition goto_symex_state.h:136

goto_symex_statet::field_sensitivity
field_sensitivityt field_sensitivity
Definition goto_symex_state.h:121

goto_symex_statet::write_is_shared
write_is_shared_resultt write_is_shared(const ssa_exprt &expr, const namespacet &ns) const
Definition goto_symex_state.cpp:522

goto_symex_statet::source
symex_targett::sourcet source
Definition goto_symex_state.h:61

goto_symex_statet::has_saved_jump_target
bool has_saved_jump_target
This state is saved, with the PC pointing to the target of a GOTO.
Definition goto_symex_state.h:219

goto_symex_statet::rename_ssa
renamedt< ssa_exprt, level > rename_ssa(ssa_exprt ssa, const namespacet &ns)
Version of rename which is specialized for SSA exprt.
Definition goto_symex_state.cpp:152

goto_symex_statet::set_indices
renamedt< ssa_exprt, level > set_indices(ssa_exprt expr, const namespacet &ns)
Update values up to level.

goto_symex_statet::goto_symex_statet
goto_symex_statet(const goto_symex_statet &other)=default
Dangerous, do not use.

goto_symex_statet::~goto_symex_statet
~goto_symex_statet()

goto_symex_statet::run_validation_checks
bool run_validation_checks
Should the additional validation checks be run?
Definition goto_symex_state.h:226

goto_symex_statet::threads
std::vector< threadt > threads
Definition goto_symex_state.h:198

goto_symex_statet::fresh_l2_name_provider
std::function< std::size_t(const irep_idt &)> fresh_l2_name_provider
Definition goto_symex_state.h:261

goto_symex_statet::has_saved_next_instruction
bool has_saved_next_instruction
This state is saved, with the PC pointing to the next instruction of a GOTO.
Definition goto_symex_state.h:223

goto_symex_statet::drop_existing_l1_name
void drop_existing_l1_name(const irep_idt &l1_identifier)
Drops an L1 name from the local L2 map.
Definition goto_symex_state.h:232

guard_exprt
Definition guard_expr.h:24

incremental_dirtyt
Wrapper for dirtyt that permits incremental population, ensuring each function is analysed exactly on...
Definition dirty.h:118

namespacet
A namespacet is essentially one or two symbol tables bound together, to allow for symbol lookups in t...
Definition namespace.h:91

shadow_memory_statet
The state maintained by the shadow memory instrumentation during symbolic execution.
Definition shadow_memory_state.h:26

sharing_mapt::erase_if_exists
void erase_if_exists(const key_type &k)
Erase element if it exists.
Definition sharing_map.h:274

sharing_mapt::erase
void erase(const key_type &k)
Erase element, element must exist in map.
Definition sharing_map.h:1203

ssa_exprt
Expression providing an SSA-renamed symbol of expressions.
Definition ssa_expr.h:17

symbol_exprt
Expression to hold a symbol (variable)
Definition std_expr.h:131

symbol_tablet
The symbol table.
Definition symbol_table.h:14

symex_target_equationt
Inheriting the interface of symex_targett this class represents the SSA form of the input program as ...
Definition symex_target_equation.h:34

true_exprt
The Boolean constant true.
Definition std_expr.h:3190

typet
The type of an expression, extends irept.
Definition type.h:29

field_sensitivity.h

goto_state.h
goto_statet class definition

guard.h
Guard Data Structure.

renaming_level.h
Renaming levels.

shadow_memory_state.h
Symex Shadow Memory Instrumentation State.

invariant.h

PRECONDITION
#define PRECONDITION(CONDITION)
Definition invariant.h:463

ssa_expr.h

std_expr.h
API to expression classes.

goto_symex_statet::threadt
Definition goto_symex_state.h:185

goto_symex_statet::threadt::call_stack
call_stackt call_stack
Definition goto_symex_state.h:189

goto_symex_statet::threadt::threadt
threadt(guard_managert &guard_manager)
Definition goto_symex_state.h:192

goto_symex_statet::threadt::atomic_section_id
unsigned atomic_section_id
Definition goto_symex_state.h:191

goto_symex_statet::threadt::function_frame
std::map< irep_idt, unsigned > function_frame
Definition goto_symex_state.h:190

goto_symex_statet::threadt::function_id
irep_idt function_id
Definition goto_symex_state.h:187

goto_symex_statet::threadt::pc
goto_programt::const_targett pc
Definition goto_symex_state.h:186

goto_symex_statet::threadt::guard
guardt guard
Definition goto_symex_state.h:188

guard_expr_managert
This is unused by this implementation of guards, but can be used by other implementations of the same...
Definition guard_expr.h:20

symex_level1t
Functor to set the level 1 renaming of SSA expressions.
Definition renaming_level.h:40

symex_level2t::current_names
symex_renaming_levelt current_names
Definition renaming_level.h:70

symex_targett::sourcet
Identifies source in the context of symbolic execution.
Definition symex_target.h:37

symex_targett::sourcet::thread_nr
unsigned thread_nr
Definition symex_target.h:38

symbol_table.h
Author: Diffblue Ltd.