cbmc/havoc__assigns__clause__targets_8cpp_source.html

 /*******************************************************************\


 Module: Havoc multiple and possibly dependent targets simultaneously


 Author: Remi Delmas, delmasrd@amazon.com


 \*******************************************************************/


 #include "havoc_assigns_clause_targets.h"


 #include <util/c_types.h>

 #include <util/message.h>

 #include <util/pointer_expr.h>

 #include <util/std_code.h>


 #include "instrument_spec_assigns.h"

 #include "utils.h"


 void havoc_assigns_clause_targetst::get_instructions(goto_programt &dest)

 {

   // snapshotting instructions and well-definedness checks

   goto_programt snapshot_program;


   // add static locals called touched by the replaced function

   track_static_locals(snapshot_program);


   // add spec targets

   for(const auto &target : targets)

     track_spec_target(target, snapshot_program);


   // generate havocking instructions for all tracked CARs

   goto_programt havoc_program;

   for(const auto &pair : from_spec_assigns)

     havoc_if_valid(pair.second, havoc_program);


   for(const auto &pair : from_stack_alloc)

     havoc_if_valid(pair.second, havoc_program);


   for(const auto &car : from_heap_alloc)

     havoc_if_valid(car, havoc_program);


   for(const auto &pair : from_static_local)

   {

     havoc_static_local(pair.second, havoc_program);

   }


   // append to dest

   dest.destructive_append(snapshot_program);

   dest.destructive_append(havoc_program);

 }


 void havoc_assigns_clause_targetst::havoc_if_valid(

   car_exprt car,

   goto_programt &dest)

 {

   const irep_idt &tracking_comment =

     make_assigns_clause_replacement_tracking_comment(

       car.target(), function_id, ns);


   source_locationt source_location_no_checks(source_location);

   add_pragma_disable_pointer_checks(source_location_no_checks);


   goto_programt skip_program;

   const auto skip_target =

     skip_program.add(goto_programt::make_skip(source_location_no_checks));


   dest.add(goto_programt::make_goto(

     skip_target, boolean_negate(car.valid_var()), source_location_no_checks));


   if(car.havoc_method == car_havoc_methodt::HAVOC_OBJECT)

   {

     // OTHER __CPROVER_havoc_object(target_snapshot_var)

     codet code(ID_havoc_object, {car.lower_bound_var()});

     source_locationt annotated_location = source_location;

     annotated_location.set_comment(tracking_comment);

     dest.add(goto_programt::make_other(code, annotated_location));

   }

   else if(car.havoc_method == car_havoc_methodt::HAVOC_SLICE)

   {

     // This is a slice target. We use goto convert's do_havoc_slice()

     // code generation, provided by cleanert.

     cleanert cleaner(st, log.get_message_handler());

     const auto &mode = st.lookup_ref(function_id).mode;

     const auto &funcall = to_side_effect_expr_function_call(car.target());

     const auto &function = to_symbol_expr(funcall.function());

     exprt::operandst arguments;

     arguments.push_back(car.lower_bound_var());

     arguments.push_back(car.target_size());

     cleaner.do_havoc_slice(function, arguments, dest, mode);

   }

   else if(car.havoc_method == car_havoc_methodt::NONDET_ASSIGN)

   {

     // a target where the size is derived from the type of the target

     // ASSIGN *(target.type() *)__car_lb = nondet(car.target().type())

     const auto &target_type = car.target().type();

     side_effect_expr_nondett nondet(target_type, source_location);

     source_locationt annotated_location = source_location;

     annotated_location.set_comment(tracking_comment);

     dest.add(goto_programt::make_assignment(

       dereference_exprt{typecast_exprt::conditional_cast(

         car.lower_bound_var(), pointer_type(target_type))},

       nondet,

       annotated_location));

   }

   else

   {

     UNREACHABLE;

   }


   dest.destructive_append(skip_program);


   dest.add(

     goto_programt::make_dead(car.valid_var(), source_location_no_checks));


   dest.add(

     goto_programt::make_dead(car.lower_bound_var(), source_location_no_checks));


   dest.add(

     goto_programt::make_dead(car.upper_bound_var(), source_location_no_checks));

 }


 void havoc_assigns_clause_targetst::havoc_static_local(

   car_exprt car,

   goto_programt &dest)

 {

   // We havoc the target expression directly for local statics

   // instead of the __car_lb pointer because we know statics never die

   // and cannot be involved in in dependencies

   // since we cannot talk about them in contracts.

   const irep_idt &tracking_comment =

     make_assigns_clause_replacement_tracking_comment(

       car.target(), function_id, ns);


   source_locationt source_location_no_checks(source_location);

   add_pragma_disable_pointer_checks(source_location_no_checks);


   goto_programt skip_program;

   const auto skip_target =

     skip_program.add(goto_programt::make_skip(source_location_no_checks));


   dest.add(goto_programt::make_goto(

     skip_target, boolean_negate(car.valid_var()), source_location_no_checks));


   const auto &target_type = car.target().type();

   side_effect_expr_nondett nondet(target_type, source_location);

   source_locationt annotated_location = source_location;

   annotated_location.set_comment(tracking_comment);

   add_propagate_static_local_pragma(annotated_location);

   dest.add(

     goto_programt::make_assignment(car.target(), nondet, annotated_location));


   dest.destructive_append(skip_program);


   dest.add(

     goto_programt::make_dead(car.valid_var(), source_location_no_checks));


   dest.add(

     goto_programt::make_dead(car.lower_bound_var(), source_location_no_checks));


   dest.add(

     goto_programt::make_dead(car.upper_bound_var(), source_location_no_checks));

 }

pointer_type
pointer_typet pointer_type(const typet &subtype)
Definition: c_types.cpp:235

c_types.h

car_exprt
Class that represents a normalized conditional address range, with:
Definition: instrument_spec_assigns.h:74

car_exprt::havoc_method
const car_havoc_methodt havoc_method
Method to use to havod the target.
Definition: instrument_spec_assigns.h:101

car_exprt::target_size
const exprt & target_size() const
Size of the target in bytes.
Definition: instrument_spec_assigns.h:122

car_exprt::upper_bound_var
const symbol_exprt & upper_bound_var() const
Identifier of the upper address bound snapshot variable.
Definition: instrument_spec_assigns.h:140

car_exprt::valid_var
const symbol_exprt & valid_var() const
Identifier of the validity snapshot variable.
Definition: instrument_spec_assigns.h:128

car_exprt::target
const exprt & target() const
The target expression.
Definition: instrument_spec_assigns.h:110

car_exprt::lower_bound_var
const symbol_exprt & lower_bound_var() const
Identifier of the lower address bound snapshot variable.
Definition: instrument_spec_assigns.h:134

cleanert
Class that allows to clean expressions of side effects and to generate havoc_slice expressions.
Definition: utils.h:37

cleanert::do_havoc_slice
void do_havoc_slice(const symbol_exprt &function, const exprt::operandst &arguments, goto_programt &dest, const irep_idt &mode)
Definition: utils.h:54

codet
Data structure for representing an arbitrary statement in a program.
Definition: std_code_base.h:29

dereference_exprt
Operator to dereference a pointer.
Definition: pointer_expr.h:834

dstringt
dstringt has one field, an unsigned integer no which is an index into a static table of strings.
Definition: dstring.h:38

exprt::operandst
std::vector< exprt > operandst
Definition: expr.h:58

exprt::type
typet & type()
Return the type of the expression.
Definition: expr.h:84

goto_programt
A generic container class for the GOTO intermediate representation of one function.
Definition: goto_program.h:73

goto_programt::make_dead
static instructiont make_dead(const symbol_exprt &symbol, const source_locationt &l=source_locationt::nil())
Definition: goto_program.h:971

goto_programt::destructive_append
void destructive_append(goto_programt &p)
Appends the given program p to *this. p is destroyed.
Definition: goto_program.h:722

goto_programt::make_assignment
static instructiont make_assignment(const code_assignt &_code, const source_locationt &l=source_locationt::nil())
Create an assignment instruction.
Definition: goto_program.h:1065

goto_programt::make_skip
static instructiont make_skip(const source_locationt &l=source_locationt::nil())
Definition: goto_program.h:891

goto_programt::make_other
static instructiont make_other(const goto_instruction_codet &_code, const source_locationt &l=source_locationt::nil())
Definition: goto_program.h:957

goto_programt::add
targett add(instructiont &&instruction)
Adds a given instruction at the end.
Definition: goto_program.h:739

goto_programt::make_goto
static instructiont make_goto(targett _target, const source_locationt &l=source_locationt::nil())
Definition: goto_program.h:1039

havoc_assigns_clause_targetst::targets
const std::vector< exprt > & targets
Definition: havoc_assigns_clause_targets.h:120

havoc_assigns_clause_targetst::havoc_if_valid
void havoc_if_valid(car_exprt car, goto_programt &dest)
Generates instructions to conditionally havoc the given conditional address range expression car,...
Definition: havoc_assigns_clause_targets.cpp:55

havoc_assigns_clause_targetst::get_instructions
void get_instructions(goto_programt &dest)
Generates the assigns clause replacement instructions in dest.
Definition: havoc_assigns_clause_targets.cpp:22

havoc_assigns_clause_targetst::havoc_static_local
void havoc_static_local(car_exprt car, goto_programt &dest)
Havoc a static local expression.
Definition: havoc_assigns_clause_targets.cpp:125

havoc_assigns_clause_targetst::source_location
const source_locationt & source_location
Definition: havoc_assigns_clause_targets.h:121

instrument_spec_assignst::track_spec_target
void track_spec_target(const exprt &expr, goto_programt &dest)
Track an assigns clause target and generate snaphsot instructions and well-definedness assertions in ...
Definition: instrument_spec_assigns.cpp:92

instrument_spec_assignst::from_stack_alloc
symbol_exprt_to_car_mapt from_stack_alloc
Map from DECL symbols to corresponding conditional address ranges.
Definition: instrument_spec_assigns.h:611

instrument_spec_assignst::from_spec_assigns
cond_target_exprt_to_car_mapt from_spec_assigns
Map from conditional target expressions of assigns clauses to corresponding conditional address range...
Definition: instrument_spec_assigns.h:602

instrument_spec_assignst::st
symbol_table_baset & st
Program symbol table.
Definition: instrument_spec_assigns.h:483

instrument_spec_assignst::from_static_local
symbol_exprt_to_car_mapt from_static_local
Map to from detected or propagated static local symbols to corresponding conditional address ranges.
Definition: instrument_spec_assigns.h:626

instrument_spec_assignst::mode
const irep_idt & mode
Language mode.
Definition: instrument_spec_assigns.h:492

instrument_spec_assignst::from_heap_alloc
car_expr_listt from_heap_alloc
Definition: instrument_spec_assigns.h:620

instrument_spec_assignst::track_static_locals
void track_static_locals(goto_programt &dest)
Searches the goto instructions reachable from the start to the end of the instrumented function's ins...
Definition: instrument_spec_assigns.cpp:165

instrument_spec_assignst::log
messaget log
Logger.
Definition: instrument_spec_assigns.h:489

instrument_spec_assignst::ns
const namespacet ns
Program namespace.
Definition: instrument_spec_assigns.h:486

instrument_spec_assignst::function_id
const irep_idt & function_id
Name of the instrumented function.
Definition: instrument_spec_assigns.h:474

messaget::get_message_handler
message_handlert & get_message_handler()
Definition: message.h:183

side_effect_expr_nondett
A side_effect_exprt that returns a non-deterministically chosen value.
Definition: std_code.h:1520

source_locationt
Definition: source_location.h:20

source_locationt::set_comment
void set_comment(const irep_idt &comment)
Definition: source_location.h:150

symbol_table_baset::lookup_ref
const symbolt & lookup_ref(const irep_idt &name) const
Find a symbol in the symbol table for read-only access.
Definition: symbol_table_base.h:105

symbolt::mode
irep_idt mode
Language mode.
Definition: symbol.h:49

typecast_exprt::conditional_cast
static exprt conditional_cast(const exprt &expr, const typet &type)
Definition: std_expr.h:2076

boolean_negate
exprt boolean_negate(const exprt &src)
negate a Boolean expression, possibly removing a not_exprt, and swapping false and true
Definition: expr_util.cpp:103

havoc_assigns_clause_targets.h
Havoc function assigns clauses.

add_pragma_disable_pointer_checks
void add_pragma_disable_pointer_checks(source_locationt &location)
Adds a pragma on a source location disable all pointer checks.
Definition: instrument_spec_assigns.cpp:54

add_propagate_static_local_pragma
void add_propagate_static_local_pragma(source_locationt &source_location)
Sets a pragma to mark assignments to static local variables that need to be propagated upwards in the...
Definition: instrument_spec_assigns.cpp:45

instrument_spec_assigns.h
Specify write set in function contracts.

car_havoc_methodt::NONDET_ASSIGN
@ NONDET_ASSIGN

car_havoc_methodt::HAVOC_OBJECT
@ HAVOC_OBJECT

car_havoc_methodt::HAVOC_SLICE
@ HAVOC_SLICE

pointer_expr.h
API to expression classes for Pointers.

UNREACHABLE
#define UNREACHABLE
This should be used to mark dead code.
Definition: invariant.h:525

message.h

std_code.h

to_side_effect_expr_function_call
side_effect_expr_function_callt & to_side_effect_expr_function_call(exprt &expr)
Definition: std_code.h:1739

to_symbol_expr
const symbol_exprt & to_symbol_expr(const exprt &expr)
Cast an exprt to a symbol_exprt.
Definition: std_expr.h:272

make_assigns_clause_replacement_tracking_comment
irep_idt make_assigns_clause_replacement_tracking_comment(const exprt &target, const irep_idt &function_id, const namespacet &ns)
Returns an irep_idt that essentially says that target was assigned by the contract of function_id.
Definition: utils.cpp:329

utils.h