cbmc/interval__domain_8cpp_source.html

/*******************************************************************\


Module: Interval Domain


Author: Daniel Kroening, kroening@kroening.com


\*******************************************************************/


#include "interval_domain.h"


#ifdef DEBUG

#include <iostream>

#include <langapi/language_util.h>

#endif


#include <util/simplify_expr.h>

#include <util/std_expr.h>

#include <util/arith_tools.h>


void interval_domaint::output(

  std::ostream &out,

  const ai_baset &,

  const namespacet &) const

{

  if(bottom)

  {

    out << "BOTTOM\n";

    return;

  }


  for(const auto &interval : int_map)

  {

    if(interval.second.is_top())

      continue;

    if(interval.second.lower_set)

      out << interval.second.lower << " <= ";

    out << interval.first;

    if(interval.second.upper_set)

      out << " <= " << interval.second.upper;

    out << "\n";

  }


  for(const auto &interval : float_map)

  {

    if(interval.second.is_top())

      continue;

    if(interval.second.lower_set)

      out << interval.second.lower << " <= ";

    out << interval.first;

    if(interval.second.upper_set)

      out << " <= " << interval.second.upper;

    out << "\n";

  }

}


void interval_domaint::transform(

  const irep_idt &function_from,

  trace_ptrt trace_from,

  const irep_idt &function_to,

  trace_ptrt trace_to,

  ai_baset &ai,

  const namespacet &ns)

{

  locationt from{trace_from->current_location()};

  locationt to{trace_to->current_location()};


  const goto_programt::instructiont &instruction=*from;

  switch(instruction.type())

  {

  case DECL:

    havoc_rec(instruction.decl_symbol());

    break;


  case DEAD:

    havoc_rec(instruction.dead_symbol());

    break;


  case ASSIGN:

    assign(instruction.assign_lhs(), instruction.assign_rhs());

    break;


  case GOTO:

  {

    // Comparing iterators is safe as the target must be within the same list

    // of instructions because this is a GOTO.

    locationt next = from;

    next++;

    if(from->get_target() != next) // If equal then a skip

    {

      if(next == to)

        assume(not_exprt(instruction.condition()), ns);

      else

        assume(instruction.condition(), ns);

    }

    break;

  }


  case ASSUME:

    assume(instruction.condition(), ns);

    break;


  case FUNCTION_CALL:

  {

    const auto &lhs = instruction.call_lhs();

    if(lhs.is_not_nil())

      havoc_rec(lhs);

    break;

  }


  case CATCH:

  case THROW:

    DATA_INVARIANT(false, "Exceptions must be removed before analysis");

    break;

  case SET_RETURN_VALUE:

    DATA_INVARIANT(false, "SET_RETURN_VALUE must be removed before analysis");

    break;

  case ATOMIC_BEGIN: // Ignoring is a valid over-approximation

  case ATOMIC_END:   // Ignoring is a valid over-approximation

  case END_FUNCTION: // No action required

  case START_THREAD: // Require a concurrent analysis at higher level

  case END_THREAD:   // Require a concurrent analysis at higher level

  case ASSERT:       // No action required

  case LOCATION:     // No action required

  case SKIP:         // No action required

    break;

  case OTHER:

#if 0

    DATA_INVARIANT(false, "Unclear what is a safe over-approximation of OTHER");

#endif

    break;

  case INCOMPLETE_GOTO:

  case NO_INSTRUCTION_TYPE:

    DATA_INVARIANT(false, "Only complete instructions can be analyzed");

    break;

  }

}


bool interval_domaint::join(

  const interval_domaint &b)

{

  if(b.bottom)

    return false;

  if(bottom)

  {

    *this=b;

    return true;

  }


  bool result=false;


  for(int_mapt::iterator it=int_map.begin();

      it!=int_map.end(); ) // no it++

  {

    // search for the variable that needs to be merged

    // containers have different size and variable order

    const int_mapt::const_iterator b_it=b.int_map.find(it->first);

    if(b_it==b.int_map.end())

    {

      it=int_map.erase(it);

      result=true;

    }

    else

    {

      integer_intervalt previous=it->second;

      it->second.join(b_it->second);

      if(it->second!=previous)

        result=true;


      it++;

    }

  }


  for(float_mapt::iterator it=float_map.begin();

      it!=float_map.end(); ) // no it++

  {

    const float_mapt::const_iterator b_it=b.float_map.begin();

    if(b_it==b.float_map.end())

    {

      it=float_map.erase(it);

      result=true;

    }

    else

    {

      ieee_float_intervalt previous=it->second;

      it->second.join(b_it->second);

      if(it->second!=previous)

        result=true;


      it++;

    }

  }


  return result;

}


void interval_domaint::assign(const exprt &lhs, const exprt &rhs)

{

  havoc_rec(lhs);

  assume_rec(lhs, ID_equal, rhs);

}


void interval_domaint::havoc_rec(const exprt &lhs)

{

  if(lhs.id()==ID_if)

  {

    havoc_rec(to_if_expr(lhs).true_case());

    havoc_rec(to_if_expr(lhs).false_case());

  }

  else if(lhs.id()==ID_symbol)

  {

    irep_idt identifier=to_symbol_expr(lhs).get_identifier();


    if(is_int(lhs.type()))

      int_map.erase(identifier);

    else if(is_float(lhs.type()))

      float_map.erase(identifier);

  }

  else if(lhs.id()==ID_typecast)

  {

    havoc_rec(to_typecast_expr(lhs).op());

  }

}


void interval_domaint::assume_rec(

  const exprt &lhs, irep_idt id, const exprt &rhs)

{

  if(lhs.id()==ID_typecast)

    return assume_rec(to_typecast_expr(lhs).op(), id, rhs);


  if(rhs.id()==ID_typecast)

    return assume_rec(lhs, id, to_typecast_expr(rhs).op());


  if(id==ID_equal)

  {

    assume_rec(lhs, ID_ge, rhs);

    assume_rec(lhs, ID_le, rhs);

    return;

  }


  if(id==ID_notequal)

    return; // won't do split


  if(id==ID_ge)

    return assume_rec(rhs, ID_le, lhs);


  if(id==ID_gt)

    return assume_rec(rhs, ID_lt, lhs);


  // we now have lhs <  rhs or

  //             lhs <= rhs


  DATA_INVARIANT(id == ID_lt || id == ID_le, "unexpected comparison operator");


#ifdef DEBUG

  std::cout << "assume_rec: "

            << from_expr(lhs) << " " << id << " "

            << from_expr(rhs) << "\n";

  #endif


  if(lhs.id() == ID_symbol && rhs.is_constant())

  {

    irep_idt lhs_identifier=to_symbol_expr(lhs).get_identifier();


    if(is_int(lhs.type()) && is_int(rhs.type()))

    {

      mp_integer tmp = numeric_cast_v<mp_integer>(to_constant_expr(rhs));

      if(id==ID_lt)

        --tmp;

      integer_intervalt &ii=int_map[lhs_identifier];

      ii.make_le_than(tmp);

      if(ii.is_bottom())

        make_bottom();

    }

    else if(is_float(lhs.type()) && is_float(rhs.type()))

    {

      ieee_float_valuet tmp(to_constant_expr(rhs));

      if(id==ID_lt)

        tmp.decrement();

      ieee_float_intervalt &fi=float_map[lhs_identifier];

      fi.make_le_than(tmp);

      if(fi.is_bottom())

        make_bottom();

    }

  }

  else if(lhs.is_constant() && rhs.id() == ID_symbol)

  {

    irep_idt rhs_identifier=to_symbol_expr(rhs).get_identifier();


    if(is_int(lhs.type()) && is_int(rhs.type()))

    {

      mp_integer tmp = numeric_cast_v<mp_integer>(to_constant_expr(lhs));

      if(id==ID_lt)

        ++tmp;

      integer_intervalt &ii=int_map[rhs_identifier];

      ii.make_ge_than(tmp);

      if(ii.is_bottom())

        make_bottom();

    }

    else if(is_float(lhs.type()) && is_float(rhs.type()))

    {

      ieee_float_valuet tmp(to_constant_expr(lhs));

      if(id==ID_lt)

        tmp.increment();

      ieee_float_intervalt &fi=float_map[rhs_identifier];

      fi.make_ge_than(tmp);

      if(fi.is_bottom())

        make_bottom();

    }

  }

  else if(lhs.id()==ID_symbol && rhs.id()==ID_symbol)

  {

    irep_idt lhs_identifier=to_symbol_expr(lhs).get_identifier();

    irep_idt rhs_identifier=to_symbol_expr(rhs).get_identifier();


    if(is_int(lhs.type()) && is_int(rhs.type()))

    {

      integer_intervalt &lhs_i=int_map[lhs_identifier];

      integer_intervalt &rhs_i=int_map[rhs_identifier];

      if(id == ID_lt && !lhs_i.is_less_than(rhs_i))

        lhs_i.make_less_than(rhs_i);

      if(id == ID_le && !lhs_i.is_less_than_eq(rhs_i))

        lhs_i.make_less_than_eq(rhs_i);

    }

    else if(is_float(lhs.type()) && is_float(rhs.type()))

    {

      ieee_float_intervalt &lhs_i=float_map[lhs_identifier];

      ieee_float_intervalt &rhs_i=float_map[rhs_identifier];

      lhs_i.meet(rhs_i);

      rhs_i=lhs_i;

      if(rhs_i.is_bottom())

        make_bottom();

    }

  }

}


void interval_domaint::assume(

  const exprt &cond,

  const namespacet &ns)

{

  assume_rec(simplify_expr(cond, ns), false);

}


void interval_domaint::assume_rec(

  const exprt &cond,

  bool negation)

{

  if(cond.id()==ID_lt || cond.id()==ID_le ||

     cond.id()==ID_gt || cond.id()==ID_ge ||

     cond.id()==ID_equal || cond.id()==ID_notequal)

  {

    const auto &rel = to_binary_relation_expr(cond);


    if(negation) // !x<y  ---> x>=y

    {

      if(rel.id() == ID_lt)

        assume_rec(rel.op0(), ID_ge, rel.op1());

      else if(rel.id() == ID_le)

        assume_rec(rel.op0(), ID_gt, rel.op1());

      else if(rel.id() == ID_gt)

        assume_rec(rel.op0(), ID_le, rel.op1());

      else if(rel.id() == ID_ge)

        assume_rec(rel.op0(), ID_lt, rel.op1());

      else if(rel.id() == ID_equal)

        assume_rec(rel.op0(), ID_notequal, rel.op1());

      else if(rel.id() == ID_notequal)

        assume_rec(rel.op0(), ID_equal, rel.op1());

    }

    else

      assume_rec(rel.op0(), rel.id(), rel.op1());

  }

  else if(cond.id()==ID_not)

  {

    assume_rec(to_not_expr(cond).op(), !negation);

  }

  else if(cond.id()==ID_and)

  {

    if(!negation)

    {

      for(const auto &op : cond.operands())

        assume_rec(op, false);

    }

  }

  else if(cond.id()==ID_or)

  {

    if(negation)

    {

      for(const auto &op : cond.operands())

        assume_rec(op, true);

    }

  }

}


exprt interval_domaint::make_expression(const symbol_exprt &src) const

{

  if(is_int(src.type()))

  {

    int_mapt::const_iterator i_it=int_map.find(src.get_identifier());

    if(i_it==int_map.end())

      return true_exprt();


    const integer_intervalt &interval=i_it->second;

    if(interval.is_top())

      return true_exprt();

    if(interval.is_bottom())

      return false_exprt();


    exprt::operandst conjuncts;


    if(interval.upper_set)

    {

      exprt tmp=from_integer(interval.upper, src.type());

      conjuncts.push_back(binary_relation_exprt(src, ID_le, tmp));

    }


    if(interval.lower_set)

    {

      exprt tmp=from_integer(interval.lower, src.type());

      conjuncts.push_back(binary_relation_exprt(tmp, ID_le, src));

    }


    return conjunction(conjuncts);

  }

  else if(is_float(src.type()))

  {

    float_mapt::const_iterator i_it=float_map.find(src.get_identifier());

    if(i_it==float_map.end())

      return true_exprt();


    const ieee_float_intervalt &interval=i_it->second;

    if(interval.is_top())

      return true_exprt();

    if(interval.is_bottom())

      return false_exprt();


    exprt::operandst conjuncts;


    if(interval.upper_set)

    {

      exprt tmp=interval.upper.to_expr();

      conjuncts.push_back(binary_relation_exprt(src, ID_le, tmp));

    }


    if(interval.lower_set)

    {

      exprt tmp=interval.lower.to_expr();

      conjuncts.push_back(binary_relation_exprt(tmp, ID_le, src));

    }


    return conjunction(conjuncts);

  }

  else

    return true_exprt();

}


/*

 * This implementation is aimed at reducing assertions to true, particularly

 * range checks for arrays and other bounds checks.

 *

 * Rather than work with the various kinds of exprt directly, we use assume,

 * join and is_bottom.  It is sufficient for the use case and avoids duplicating

 * functionality that is in assume anyway.

 *

 * As some expressions (1<=a && a<=2) can be represented exactly as intervals

 * and some can't (a<1 || a>2), the way these operations are used varies

 * depending on the structure of the expression to try to give the best results.

 * For example negating a disjunction makes it easier for assume to handle.

 */


bool interval_domaint::ai_simplify(

  exprt &condition,

  const namespacet &ns) const

{

  bool unchanged=true;

  interval_domaint d(*this);


  // merge intervals to properly handle conjunction

  if(condition.id()==ID_and)              // May be directly representable

  {

    interval_domaint a;

    a.make_top();                         // a is everything

    a.assume(condition, ns);              // Restrict a to an over-approximation

                                          //  of when condition is true

    if(!a.join(d))                        // If d (this) is included in a...

    {                                     // Then the condition is always true

      unchanged=condition.is_true();

      condition = true_exprt();

    }

  }

  else if(condition.id()==ID_symbol)

  {

    // TODO: we have to handle symbol expression

  }

  else                                    // Less likely to be representable

  {

    d.assume(not_exprt(condition), ns);   // Restrict to when condition is false

    if(d.is_bottom())                     // If there there are none...

    {                                     // Then the condition is always true

      unchanged=condition.is_true();

      condition = true_exprt();

    }

  }


  return unchanged;

}


from_integer
constant_exprt from_integer(const mp_integer &int_value, const typet &type)
Definition arith_tools.cpp:99

arith_tools.h

ai_baset
This is the basic interface of the abstract interpreter with default implementations of the core func...
Definition ai.h:117

ai_domain_baset::trace_ptrt
ai_history_baset::trace_ptrt trace_ptrt
Definition ai_domain.h:73

ai_domain_baset::locationt
goto_programt::const_targett locationt
Definition ai_domain.h:72

ait
ait supplies three of the four components needed: an abstract interpreter (in this case handling func...
Definition ai.h:562

binary_relation_exprt
A base class for relations, i.e., binary predicates whose two operands have the same type.
Definition std_expr.h:762

dstringt
dstringt has one field, an unsigned integer no which is an index into a static table of strings.
Definition dstring.h:38

exprt
Base class for all expressions.
Definition expr.h:56

exprt::operandst
std::vector< exprt > operandst
Definition expr.h:58

exprt::is_true
bool is_true() const
Return whether the expression is a constant representing true.
Definition expr.cpp:27

exprt::is_constant
bool is_constant() const
Return whether the expression is a constant.
Definition expr.h:212

exprt::type
typet & type()
Return the type of the expression.
Definition expr.h:84

exprt::operands
operandst & operands()
Definition expr.h:94

false_exprt
The Boolean constant false.
Definition std_expr.h:3199

goto_programt::instructiont
This class represents an instruction in the GOTO intermediate representation.
Definition goto_program.h:181

goto_programt::instructiont::dead_symbol
const symbol_exprt & dead_symbol() const
Get the symbol for DEAD.
Definition goto_program.h:244

goto_programt::instructiont::call_lhs
const exprt & call_lhs() const
Get the lhs of a FUNCTION_CALL (may be nil)
Definition goto_program.h:286

goto_programt::instructiont::decl_symbol
const symbol_exprt & decl_symbol() const
Get the declared symbol for DECL.
Definition goto_program.h:228

goto_programt::instructiont::assign_lhs
const exprt & assign_lhs() const
Get the lhs of the assignment for ASSIGN.
Definition goto_program.h:200

goto_programt::instructiont::assign_rhs
const exprt & assign_rhs() const
Get the rhs of the assignment for ASSIGN.
Definition goto_program.h:214

goto_programt::instructiont::condition
const exprt & condition() const
Get the condition of gotos, assume, assert.
Definition goto_program.h:366

goto_programt::instructiont::type
goto_program_instruction_typet type() const
What kind of instruction?
Definition goto_program.h:344

ieee_float_valuet
An IEEE 754 floating-point value, including specificiation.
Definition ieee_float.h:117

interval_domaint
Definition interval_domain.h:24

interval_domaint::assign
void assign(const exprt &lhs, const exprt &rhs)
Definition interval_domain.cpp:211

interval_domaint::is_int
static bool is_int(const typet &src)
Definition interval_domain.h:92

interval_domaint::output
void output(std::ostream &out, const ai_baset &ai, const namespacet &ns) const override
Definition interval_domain.cpp:23

interval_domaint::is_bottom
bool is_bottom() const override final
Definition interval_domain.h:72

interval_domaint::make_bottom
void make_bottom() final override
no states
Definition interval_domain.h:57

interval_domaint::float_map
float_mapt float_map
Definition interval_domain.h:113

interval_domaint::int_map
int_mapt int_map
Definition interval_domain.h:112

interval_domaint::assume_rec
void assume_rec(const exprt &, bool negation=false)
Definition interval_domain.cpp:358

interval_domaint::join
bool join(const interval_domaint &b)
Sets *this to the mathematical join between the two domains.
Definition interval_domain.cpp:153

interval_domaint::transform
void transform(const irep_idt &function_from, trace_ptrt trace_from, const irep_idt &function_to, trace_ptrt trace_to, ai_baset &ai, const namespacet &ns) final override
how function calls are treated: a) there is an edge from each call site to the function head b) there...
Definition interval_domain.cpp:59

interval_domaint::make_expression
exprt make_expression(const symbol_exprt &) const
Definition interval_domain.cpp:408

interval_domaint::bottom
bool bottom
Definition interval_domain.h:107

interval_domaint::havoc_rec
void havoc_rec(const exprt &)
Definition interval_domain.cpp:217

interval_domaint::assume
void assume(const exprt &, const namespacet &)
Definition interval_domain.cpp:351

interval_domaint::ai_simplify
virtual bool ai_simplify(exprt &condition, const namespacet &ns) const override
Uses the abstract state to simplify a given expression using context- specific information.
Definition interval_domain.cpp:488

interval_domaint::is_float
static bool is_float(const typet &src)
Definition interval_domain.h:97

interval_templatet
Definition interval_template.h:20

interval_templatet::make_le_than
void make_le_than(const T &v)
Definition interval_template.h:77

interval_templatet::join
void join(const interval_templatet< T > &i)
Definition interval_template.h:106

interval_templatet::make_ge_than
void make_ge_than(const T &v)
Definition interval_template.h:91

interval_templatet::is_bottom
bool is_bottom() const
Definition interval_template.h:61

irept::id
const irep_idt & id() const
Definition irep.h:388

namespacet
A namespacet is essentially one or two symbol tables bound together, to allow for symbol lookups in t...
Definition namespace.h:91

not_exprt
Boolean negation.
Definition std_expr.h:2454

symbol_exprt
Expression to hold a symbol (variable)
Definition std_expr.h:131

symbol_exprt::get_identifier
const irep_idt & get_identifier() const
Definition std_expr.h:160

true_exprt
The Boolean constant true.
Definition std_expr.h:3190

FUNCTION_CALL
@ FUNCTION_CALL
Definition goto_program.h:49

ATOMIC_END
@ ATOMIC_END
Definition goto_program.h:44

DEAD
@ DEAD
Definition goto_program.h:48

LOCATION
@ LOCATION
Definition goto_program.h:41

END_FUNCTION
@ END_FUNCTION
Definition goto_program.h:42

ASSIGN
@ ASSIGN
Definition goto_program.h:46

ASSERT
@ ASSERT
Definition goto_program.h:36

SET_RETURN_VALUE
@ SET_RETURN_VALUE
Definition goto_program.h:45

ATOMIC_BEGIN
@ ATOMIC_BEGIN
Definition goto_program.h:43

CATCH
@ CATCH
Definition goto_program.h:51

END_THREAD
@ END_THREAD
Definition goto_program.h:40

SKIP
@ SKIP
Definition goto_program.h:38

NO_INSTRUCTION_TYPE
@ NO_INSTRUCTION_TYPE
Definition goto_program.h:33

START_THREAD
@ START_THREAD
Definition goto_program.h:39

THROW
@ THROW
Definition goto_program.h:50

DECL
@ DECL
Definition goto_program.h:47

OTHER
@ OTHER
Definition goto_program.h:37

GOTO
@ GOTO
Definition goto_program.h:34

INCOMPLETE_GOTO
@ INCOMPLETE_GOTO
Definition goto_program.h:52

ASSUME
@ ASSUME
Definition goto_program.h:35

interval_domain.h
Interval Domain.

from_expr
std::string from_expr(const namespacet &ns, const irep_idt &identifier, const exprt &expr)
Definition language_util.cpp:39

language_util.h

simplify_expr
exprt simplify_expr(exprt src, const namespacet &ns)
Definition simplify_expr.cpp:3246

simplify_expr.h

DATA_INVARIANT
#define DATA_INVARIANT(CONDITION, REASON)
This condition should be used to document that assumptions that are made on goto_functions,...
Definition invariant.h:534

conjunction
exprt conjunction(const exprt::operandst &op)
1) generates a conjunction for two or more operands 2) for one operand, returns the operand 3) return...
Definition std_expr.cpp:83

std_expr.h
API to expression classes.

to_binary_relation_expr
const binary_relation_exprt & to_binary_relation_expr(const exprt &expr)
Cast an exprt to a binary_relation_exprt.
Definition std_expr.h:895

to_typecast_expr
const typecast_exprt & to_typecast_expr(const exprt &expr)
Cast an exprt to a typecast_exprt.
Definition std_expr.h:2107

to_if_expr
const if_exprt & to_if_expr(const exprt &expr)
Cast an exprt to an if_exprt.
Definition std_expr.h:2577

to_constant_expr
const constant_exprt & to_constant_expr(const exprt &expr)
Cast an exprt to a constant_exprt.
Definition std_expr.h:3172

to_not_expr
const not_exprt & to_not_expr(const exprt &expr)
Cast an exprt to an not_exprt.
Definition std_expr.h:2479

to_symbol_expr
const symbol_exprt & to_symbol_expr(const exprt &expr)
Cast an exprt to a symbol_exprt.
Definition std_expr.h:272

interval
Definition wcwidth.c:64

interval::first
int first
Definition wcwidth.c:65