CBMC
local_bitvector_analysis.cpp
Go to the documentation of this file.
1 /*******************************************************************\
2 
3 Module: Field-insensitive, location-sensitive may-alias analysis
4 
5 Author: Daniel Kroening, kroening@kroening.com
6 
7 \*******************************************************************/
8 
11 
12 #include "local_bitvector_analysis.h"
13 
14 #include <util/namespace.h>
15 #include <util/pointer_expr.h>
16 #include <util/std_code.h>
17 #include <util/symbol.h>
18 
19 #include <algorithm>
20 
21 void local_bitvector_analysist::flagst::print(std::ostream &out) const
22 {
23  if(is_unknown())
24  out << "+unknown";
25  if(is_uninitialized())
26  out << "+uninitialized";
27  if(is_uses_offset())
28  out << "+uses_offset";
29  if(is_dynamic_local())
30  out << "+dynamic_local";
31  if(is_dynamic_heap())
32  out << "+dynamic_heap";
33  if(is_null())
34  out << "+null";
35  if(is_static_lifetime())
36  out << "+static_lifetime";
37  if(is_integer_address())
38  out << "+integer_address";
39 }
40 
41 bool local_bitvector_analysist::merge(points_tot &a, points_tot &b)
42 {
43  bool result=false;
44 
45  std::size_t max_index=
46  std::max(a.size(), b.size());
47 
48  for(std::size_t i=0; i<max_index; i++)
49  result |= a[i].merge(b[i]);
50 
51  return result;
52 }
53 
55 bool local_bitvector_analysist::is_tracked(const irep_idt &identifier)
56 {
57  localst::locals_sett::const_iterator it = locals.locals.find(identifier);
58  return it != locals.locals.end() && ns.lookup(*it).type.id() == ID_pointer &&
59  !dirty(identifier);
60 }
61 
62 void local_bitvector_analysist::assign_lhs(
63  const exprt &lhs,
64  const exprt &rhs,
65  points_tot &loc_info_src,
66  points_tot &loc_info_dest)
67 {
68  if(lhs.id()==ID_symbol)
69  {
70  const irep_idt &identifier=to_symbol_expr(lhs).get_identifier();
71 
72  if(is_tracked(identifier))
73  {
74  const auto dest_pointer = pointers.number(identifier);
75  flagst rhs_flags=get_rec(rhs, loc_info_src);
76  loc_info_dest[dest_pointer]=rhs_flags;
77  }
78  }
79  else if(lhs.id()==ID_dereference)
80  {
81  }
82  else if(lhs.id()==ID_index)
83  {
84  assign_lhs(to_index_expr(lhs).array(), rhs, loc_info_src, loc_info_dest);
85  }
86  else if(lhs.id()==ID_member)
87  {
88  assign_lhs(
89  to_member_expr(lhs).struct_op(), rhs, loc_info_src, loc_info_dest);
90  }
91  else if(lhs.id()==ID_typecast)
92  {
93  assign_lhs(to_typecast_expr(lhs).op(), rhs, loc_info_src, loc_info_dest);
94  }
95  else if(lhs.id()==ID_if)
96  {
97  assign_lhs(to_if_expr(lhs).true_case(), rhs, loc_info_src, loc_info_dest);
98  assign_lhs(to_if_expr(lhs).false_case(), rhs, loc_info_src, loc_info_dest);
99  }
100 }
101 
102 local_bitvector_analysist::flagst local_bitvector_analysist::get(
103  const goto_programt::const_targett t,
104  const exprt &rhs)
105 {
106  local_cfgt::loc_mapt::const_iterator loc_it=cfg.loc_map.find(t);
107  CHECK_RETURN(loc_it != cfg.loc_map.end());
108 
109  return get_rec(rhs, loc_infos[loc_it->second]);
110 }
111 
112 local_bitvector_analysist::flagst local_bitvector_analysist::get_rec(
113  const exprt &rhs,
114  points_tot &loc_info_src)
115 {
116  if(rhs.is_constant())
117  {
118  if(rhs.is_zero())
119  return flagst::mk_null();
120  else
121  return flagst::mk_integer_address();
122  }
123  else if(rhs.id()==ID_symbol)
124  {
125  const irep_idt &identifier=to_symbol_expr(rhs).get_identifier();
126  if(is_tracked(identifier))
127  {
128  const auto src_pointer = pointers.number(identifier);
129  return loc_info_src[src_pointer];
130  }
131  else
132  return flagst::mk_unknown();
133  }
134  else if(rhs.id()==ID_address_of)
135  {
136  const exprt &object=to_address_of_expr(rhs).object();
137 
138  if(object.id()==ID_symbol)
139  {
140  if(locals.is_local(to_symbol_expr(object).get_identifier()))
141  return flagst::mk_dynamic_local();
142  else
143  return flagst::mk_static_lifetime();
144  }
145  else if(object.id()==ID_index)
146  {
147  const index_exprt &index_expr=to_index_expr(object);
148  if(index_expr.array().id()==ID_symbol)
149  {
150  if(locals.is_local(
151  to_symbol_expr(index_expr.array()).get_identifier()))
152  return flagst::mk_dynamic_local() | flagst::mk_uses_offset();
153  else
154  return flagst::mk_static_lifetime() | flagst::mk_uses_offset();
155  }
156  else
157  return flagst::mk_unknown();
158  }
159  else
160  return flagst::mk_unknown();
161  }
162  else if(rhs.id()==ID_typecast)
163  {
164  return get_rec(to_typecast_expr(rhs).op(), loc_info_src);
165  }
166  else if(rhs.id()==ID_uninitialized)
167  {
168  return flagst::mk_uninitialized();
169  }
170  else if(rhs.id()==ID_plus)
171  {
172  const auto &plus_expr = to_plus_expr(rhs);
173 
174  if(plus_expr.operands().size() >= 3)
175  {
176  DATA_INVARIANT(
177  plus_expr.op0().type().id() == ID_pointer,
178  "pointer in pointer-typed sum must be op0");
179  return get_rec(plus_expr.op0(), loc_info_src) | flagst::mk_uses_offset();
180  }
181  else if(plus_expr.operands().size() == 2)
182  {
183  // one must be pointer, one an integer
184  if(plus_expr.op0().type().id() == ID_pointer)
185  {
186  return get_rec(plus_expr.op0(), loc_info_src) |
187  flagst::mk_uses_offset();
188  }
189  else if(plus_expr.op1().type().id() == ID_pointer)
190  {
191  return get_rec(plus_expr.op1(), loc_info_src) |
192  flagst::mk_uses_offset();
193  }
194  else
195  return flagst::mk_unknown();
196  }
197  else
198  return flagst::mk_unknown();
199  }
200  else if(rhs.id()==ID_minus)
201  {
202  const auto &op0 = to_minus_expr(rhs).op0();
203 
204  if(op0.type().id() == ID_pointer)
205  {
206  return get_rec(op0, loc_info_src) | flagst::mk_uses_offset();
207  }
208  else
209  return flagst::mk_unknown();
210  }
211  else if(rhs.id()==ID_member)
212  {
213  return flagst::mk_unknown();
214  }
215  else if(rhs.id()==ID_index)
216  {
217  return flagst::mk_unknown();
218  }
219  else if(rhs.id()==ID_dereference)
220  {
221  return flagst::mk_unknown();
222  }
223  else if(rhs.id()==ID_side_effect)
224  {
225  const side_effect_exprt &side_effect_expr=to_side_effect_expr(rhs);
226  const irep_idt &statement=side_effect_expr.get_statement();
227 
228  if(statement==ID_allocate)
229  return flagst::mk_dynamic_heap();
230  else
231  return flagst::mk_unknown();
232  }
233  else
234  return flagst::mk_unknown();
235 }
236 
237 void local_bitvector_analysist::build()
238 {
239  if(cfg.nodes.empty())
240  return;
241 
242  std::set<local_cfgt::node_nrt> work_queue;
243  work_queue.insert(0);
244 
245  loc_infos.resize(cfg.nodes.size());
246 
247  // Gather the objects we track, and
248  // feed in sufficiently bad defaults for their value
249  // in the entry location.
250  for(const auto &local : locals.locals)
251  {
252  if(is_tracked(local))
253  loc_infos[0][pointers.number(local)] = flagst::mk_unknown();
254  }
255 
256  while(!work_queue.empty())
257  {
258  const auto loc_nr = *work_queue.begin();
259  const local_cfgt::nodet &node=cfg.nodes[loc_nr];
260  const goto_programt::instructiont &instruction=*node.t;
261  work_queue.erase(work_queue.begin());
262 
263  auto &loc_info_src=loc_infos[loc_nr];
264  auto loc_info_dest=loc_infos[loc_nr];
265 
266  switch(instruction.type())
267  {
268  case ASSIGN:
269  assign_lhs(
270  instruction.assign_lhs(),
271  instruction.assign_rhs(),
272  loc_info_src,
273  loc_info_dest);
274  break;
275 
276  case DECL:
277  assign_lhs(
278  instruction.decl_symbol(),
279  exprt(ID_uninitialized),
280  loc_info_src,
281  loc_info_dest);
282  break;
283 
284  case DEAD:
285  assign_lhs(
286  instruction.dead_symbol(),
287  exprt(ID_uninitialized),
288  loc_info_src,
289  loc_info_dest);
290  break;
291 
292  case FUNCTION_CALL:
293  {
294  const auto &lhs = instruction.call_lhs();
295  if(lhs.is_not_nil())
296  assign_lhs(lhs, nil_exprt(), loc_info_src, loc_info_dest);
297  break;
298  }
299 
300  case CATCH:
301  case THROW:
302 #if 0
303  DATA_INVARIANT(false, "Exceptions must be removed before analysis");
304  break;
305 #endif
306  case SET_RETURN_VALUE:
307 #if 0
308  DATA_INVARIANT(false, "SET_RETURN_VALUE must be removed before analysis");
309  break;
310 #endif
311  case ATOMIC_BEGIN: // Ignoring is a valid over-approximation
312  case ATOMIC_END: // Ignoring is a valid over-approximation
313  case LOCATION: // No action required
314  case START_THREAD: // Require a concurrent analysis at higher level
315  case END_THREAD: // Require a concurrent analysis at higher level
316  case SKIP: // No action required
317  case ASSERT: // No action required
318  case ASSUME: // Ignoring is a valid over-approximation
319  case GOTO: // Ignoring the guard is a valid over-approximation
320  case END_FUNCTION: // No action required
321  break;
322  case OTHER:
323 #if 0
324  DATA_INVARIANT(
325  false, "Unclear what is a safe over-approximation of OTHER");
326 #endif
327  break;
328  case INCOMPLETE_GOTO:
329  case NO_INSTRUCTION_TYPE:
330  DATA_INVARIANT(false, "Only complete instructions can be analyzed");
331  break;
332  }
333 
334  for(const auto &succ : node.successors)
335  {
336  INVARIANT(succ < loc_infos.size(), "successor outside function");
337  if(merge(loc_infos[succ], (loc_info_dest)))
338  work_queue.insert(succ);
339  }
340  }
341 }
342 
343 void local_bitvector_analysist::output(
344  std::ostream &out,
345  const goto_functiont &goto_function,
346  const namespacet &ns) const
347 {
348  std::size_t l = 0;
349 
350  for(const auto &instruction : goto_function.body.instructions)
351  {
352  out << "**** " << instruction.source_location() << "\n";
353 
354  const auto &loc_info=loc_infos[l];
355 
356  for(points_tot::const_iterator
357  p_it=loc_info.begin();
358  p_it!=loc_info.end();
359  p_it++)
360  {
361  out << " " << pointers[p_it-loc_info.begin()]
362  << ": "
363  << *p_it
364  << "\n";
365  }
366 
367  out << "\n";
368  instruction.output(out);
369  out << "\n";
370 
371  l++;
372  }
373 }
address_of_exprt::object
exprt & object()
Definition: pointer_expr.h:549
binary_exprt::op0
exprt & op0()
Definition: expr.h:133
dstringt
dstringt has one field, an unsigned integer no which is an index into a static table of strings.
Definition: dstring.h:38
expanding_vectort
Definition: expanding_vector.h:17
expanding_vectort::size
size_type size() const
Definition: expanding_vector.h:46
expanding_vectort::const_iterator
data_typet::const_iterator const_iterator
Definition: expanding_vector.h:27
exprt
Base class for all expressions.
Definition: expr.h:56
exprt::is_zero
bool is_zero() const
Return whether the expression is a constant representing 0.
Definition: expr.cpp:47
exprt::is_constant
bool is_constant() const
Return whether the expression is a constant.
Definition: expr.h:212
goto_functiont
A goto function, consisting of function body (see body) and parameter identifiers (see parameter_iden...
Definition: goto_function.h:24
goto_functiont::body
goto_programt body
Definition: goto_function.h:26
goto_programt::instructiont
This class represents an instruction in the GOTO intermediate representation.
Definition: goto_program.h:181
goto_programt::instructiont::call_lhs
const exprt & call_lhs() const
Get the lhs of a FUNCTION_CALL (may be nil)
Definition: goto_program.h:286
goto_programt::instructiont::assign_rhs
const exprt & assign_rhs() const
Get the rhs of the assignment for ASSIGN.
Definition: goto_program.h:214
goto_programt::instructiont::dead_symbol
const symbol_exprt & dead_symbol() const
Get the symbol for DEAD.
Definition: goto_program.h:244
goto_programt::instructiont::decl_symbol
const symbol_exprt & decl_symbol() const
Get the declared symbol for DECL.
Definition: goto_program.h:228
goto_programt::instructiont::assign_lhs
const exprt & assign_lhs() const
Get the lhs of the assignment for ASSIGN.
Definition: goto_program.h:200
goto_programt::instructiont::type
goto_program_instruction_typet type() const
What kind of instruction?
Definition: goto_program.h:344
goto_programt::instructions
instructionst instructions
The list of instructions in the goto program.
Definition: goto_program.h:622
goto_programt::const_targett
instructionst::const_iterator const_targett
Definition: goto_program.h:615
index_exprt
Array index operator.
Definition: std_expr.h:1470
index_exprt::array
exprt & array()
Definition: std_expr.h:1500
irept::id
const irep_idt & id() const
Definition: irep.h:388
local_bitvector_analysist::loc_infos
loc_infost loc_infos
Definition: local_bitvector_analysis.h:192
local_bitvector_analysist::dirty
dirtyt dirty
Definition: local_bitvector_analysis.h:43
local_bitvector_analysist::locals
localst locals
Definition: local_bitvector_analysis.h:44
local_bitvector_analysist::ns
const namespacet & ns
Definition: local_bitvector_analysis.h:180
local_bitvector_analysist::merge
static bool merge(points_tot &a, points_tot &b)
Definition: local_bitvector_analysis.cpp:41
local_bitvector_analysist::build
void build()
Definition: local_bitvector_analysis.cpp:237
local_bitvector_analysist::get
flagst get(const goto_programt::const_targett t, const exprt &src)
Definition: local_bitvector_analysis.cpp:102
local_bitvector_analysist::output
void output(std::ostream &out, const goto_functiont &goto_function, const namespacet &ns) const
Definition: local_bitvector_analysis.cpp:343
local_bitvector_analysist::get_rec
flagst get_rec(const exprt &rhs, points_tot &loc_info_src)
Definition: local_bitvector_analysis.cpp:112
local_bitvector_analysist::assign_lhs
void assign_lhs(const exprt &lhs, const exprt &rhs, points_tot &loc_info_src, points_tot &loc_info_dest)
Definition: local_bitvector_analysis.cpp:62
local_bitvector_analysist::is_tracked
bool is_tracked(const irep_idt &identifier)
Definition: local_bitvector_analysis.cpp:55
local_bitvector_analysist::pointers
numberingt< irep_idt > pointers
Definition: local_bitvector_analysis.h:183
local_bitvector_analysist::cfg
local_cfgt cfg
Definition: local_bitvector_analysis.h:45
local_cfgt::nodet
Definition: local_cfg.h:26
local_cfgt::nodet::t
goto_programt::const_targett t
Definition: local_cfg.h:28
local_cfgt::nodet::successors
successorst successors
Definition: local_cfg.h:29
local_cfgt::nodes
nodest nodes
Definition: local_cfg.h:38
local_cfgt::loc_map
loc_mapt loc_map
Definition: local_cfg.h:35
localst::is_local
bool is_local(const irep_idt &identifier) const
Definition: locals.h:37
localst::locals
locals_sett locals
Definition: locals.h:43
namespacet
A namespacet is essentially one or two symbol tables bound together, to allow for symbol lookups in t...
Definition: namespace.h:94
namespacet::lookup
bool lookup(const irep_idt &name, const symbolt *&symbol) const override
See documentation for namespace_baset::lookup().
Definition: namespace.cpp:148
nil_exprt
The NIL expression.
Definition: std_expr.h:3086
numberingt::number
number_type number(const key_type &a)
Definition: numbering.h:37
side_effect_exprt
An expression containing a side effect.
Definition: std_code.h:1450
side_effect_exprt::get_statement
const irep_idt & get_statement() const
Definition: std_code.h:1472
symbol_exprt::get_identifier
const irep_idt & get_identifier() const
Definition: std_expr.h:160
FUNCTION_CALL
@ FUNCTION_CALL
Definition: goto_program.h:49
ATOMIC_END
@ ATOMIC_END
Definition: goto_program.h:44
DEAD
@ DEAD
Definition: goto_program.h:48
END_FUNCTION
@ END_FUNCTION
Definition: goto_program.h:42
ASSIGN
@ ASSIGN
Definition: goto_program.h:46
ASSERT
@ ASSERT
Definition: goto_program.h:36
SET_RETURN_VALUE
@ SET_RETURN_VALUE
Definition: goto_program.h:45
ATOMIC_BEGIN
@ ATOMIC_BEGIN
Definition: goto_program.h:43
CATCH
@ CATCH
Definition: goto_program.h:51
END_THREAD
@ END_THREAD
Definition: goto_program.h:40
SKIP
@ SKIP
Definition: goto_program.h:38
NO_INSTRUCTION_TYPE
@ NO_INSTRUCTION_TYPE
Definition: goto_program.h:33
START_THREAD
@ START_THREAD
Definition: goto_program.h:39
THROW
@ THROW
Definition: goto_program.h:50
DECL
@ DECL
Definition: goto_program.h:47
OTHER
@ OTHER
Definition: goto_program.h:37
GOTO
@ GOTO
Definition: goto_program.h:34
INCOMPLETE_GOTO
@ INCOMPLETE_GOTO
Definition: goto_program.h:52
local_bitvector_analysis.h
Field-insensitive, location-sensitive bitvector analysis.
pointer_expr.h
API to expression classes for Pointers.
to_address_of_expr
const address_of_exprt & to_address_of_expr(const exprt &expr)
Cast an exprt to an address_of_exprt.
Definition: pointer_expr.h:577
CHECK_RETURN
#define CHECK_RETURN(CONDITION)
Definition: invariant.h:495
DATA_INVARIANT
#define DATA_INVARIANT(CONDITION, REASON)
This condition should be used to document that assumptions that are made on goto_functions,...
Definition: invariant.h:534
std_code.h
to_side_effect_expr
side_effect_exprt & to_side_effect_expr(exprt &expr)
Definition: std_code.h:1506
to_if_expr
const if_exprt & to_if_expr(const exprt &expr)
Cast an exprt to an if_exprt.
Definition: std_expr.h:2455
to_symbol_expr
const symbol_exprt & to_symbol_expr(const exprt &expr)
Cast an exprt to a symbol_exprt.
Definition: std_expr.h:272
to_typecast_expr
const typecast_exprt & to_typecast_expr(const exprt &expr)
Cast an exprt to a typecast_exprt.
Definition: std_expr.h:2107
to_minus_expr
const minus_exprt & to_minus_expr(const exprt &expr)
Cast an exprt to a minus_exprt.
Definition: std_expr.h:1086
to_plus_expr
const plus_exprt & to_plus_expr(const exprt &expr)
Cast an exprt to a plus_exprt.
Definition: std_expr.h:1041
to_member_expr
const member_exprt & to_member_expr(const exprt &expr)
Cast an exprt to a member_exprt.
Definition: std_expr.h:2941
to_index_expr
const index_exprt & to_index_expr(const exprt &expr)
Cast an exprt to an index_exprt.
Definition: std_expr.h:1538
local_bitvector_analysist::flagst
Definition: local_bitvector_analysis.h:49
local_bitvector_analysist::flagst::mk_uses_offset
static flagst mk_uses_offset()
Definition: local_bitvector_analysis.h:105
local_bitvector_analysist::flagst::mk_integer_address
static flagst mk_integer_address()
Definition: local_bitvector_analysis.h:155
local_bitvector_analysist::flagst::mk_dynamic_heap
static flagst mk_dynamic_heap()
Definition: local_bitvector_analysis.h:125
local_bitvector_analysist::flagst::mk_static_lifetime
static flagst mk_static_lifetime()
Definition: local_bitvector_analysis.h:145
local_bitvector_analysist::flagst::mk_unknown
static flagst mk_unknown()
Definition: local_bitvector_analysis.h:85
local_bitvector_analysist::flagst::mk_dynamic_local
static flagst mk_dynamic_local()
Definition: local_bitvector_analysis.h:115
local_bitvector_analysist::flagst::is_static_lifetime
bool is_static_lifetime() const
Definition: local_bitvector_analysis.h:150
local_bitvector_analysist::flagst::is_dynamic_local
bool is_dynamic_local() const
Definition: local_bitvector_analysis.h:120
local_bitvector_analysist::flagst::print
void print(std::ostream &) const
Definition: local_bitvector_analysis.cpp:21
local_bitvector_analysist::flagst::is_dynamic_heap
bool is_dynamic_heap() const
Definition: local_bitvector_analysis.h:130
local_bitvector_analysist::flagst::mk_null
static flagst mk_null()
Definition: local_bitvector_analysis.h:135
local_bitvector_analysist::flagst::is_uses_offset
bool is_uses_offset() const
Definition: local_bitvector_analysis.h:110
local_bitvector_analysist::flagst::is_uninitialized
bool is_uninitialized() const
Definition: local_bitvector_analysis.h:100
local_bitvector_analysist::flagst::is_integer_address
bool is_integer_address() const
Definition: local_bitvector_analysis.h:160
local_bitvector_analysist::flagst::mk_uninitialized
static flagst mk_uninitialized()
Definition: local_bitvector_analysis.h:95
local_bitvector_analysist::flagst::is_null
bool is_null() const
Definition: local_bitvector_analysis.h:140
local_bitvector_analysist::flagst::is_unknown
bool is_unknown() const
Definition: local_bitvector_analysis.h:90
symbol.h
Symbol table entry.
validation_modet::INVARIANT
@ INVARIANT