cbmc/local__may__alias_8cpp_source.html

 /*******************************************************************\


 Module: Field-insensitive, location-sensitive may-alias analysis


 Author: Daniel Kroening, kroening@kroening.com


 \*******************************************************************/


 #include "local_may_alias.h"


 #include <iterator>

 #include <algorithm>


 #include <util/arith_tools.h>

 #include <util/pointer_expr.h>

 #include <util/std_code.h>


 #include <util/c_types.h>

 #include <langapi/language_util.h>


 bool local_may_aliast::loc_infot::merge(const loc_infot &src)

 {

   bool changed=false;


   // do union; this should be amortized linear

   for(std::size_t i=0; i<src.aliases.size(); i++)

   {

     std::size_t root=src.aliases.find(i);


     if(!aliases.same_set(i, root))

     {

       aliases.make_union(i, root);

       changed=true;

     }

   }


   return changed;

 }


 void local_may_aliast::assign_lhs(

   const exprt &lhs,

   const exprt &rhs,

   const loc_infot &loc_info_src,

   loc_infot &loc_info_dest)

 {

   if(lhs.id()==ID_symbol)

   {

     if(lhs.type().id()==ID_pointer)

     {

       unsigned dest_pointer=objects.number(lhs);


       // isolate the lhs pointer

       loc_info_dest.aliases.isolate(dest_pointer);


       object_sett rhs_set;

       get_rec(rhs_set, rhs, loc_info_src);


       // make these all aliases

       for(object_sett::const_iterator

           p_it=rhs_set.begin();

           p_it!=rhs_set.end();

           p_it++)

       {

         loc_info_dest.aliases.make_union(dest_pointer, *p_it);

       }

     }

   }

   else if(lhs.id()==ID_dereference)

   {

     // this might invalidate all pointers that are

     // a) local and dirty

     // b) global

     if(lhs.type().id()==ID_pointer)

     {

       for(std::size_t i=0; i<objects.size(); i++)

       {

         if(objects[i].id()==ID_symbol)

         {

           const irep_idt &identifier=

             to_symbol_expr(objects[i]).get_identifier();


           if(dirty(identifier) || !locals.is_local(identifier))

           {

             loc_info_dest.aliases.isolate(i);

             loc_info_dest.aliases.make_union(i, unknown_object);

           }

         }

       }

     }

   }

   else if(lhs.id()==ID_index)

   {

     assign_lhs(to_index_expr(lhs).array(), rhs, loc_info_src, loc_info_dest);

   }

   else if(lhs.id()==ID_member)

   {

     assign_lhs(

       to_member_expr(lhs).struct_op(), rhs, loc_info_src, loc_info_dest);

   }

   else if(lhs.id()==ID_typecast)

   {

     assign_lhs(to_typecast_expr(lhs).op(), rhs, loc_info_src, loc_info_dest);

   }

   else if(lhs.id()==ID_if)

   {

     assign_lhs(to_if_expr(lhs).true_case(), rhs, loc_info_src, loc_info_dest);

     assign_lhs(to_if_expr(lhs).false_case(), rhs, loc_info_src, loc_info_dest);

   }

 }


 std::set<exprt> local_may_aliast::get(

   const goto_programt::const_targett t,

   const exprt &rhs) const

 {

   local_cfgt::loc_mapt::const_iterator loc_it=cfg.loc_map.find(t);

   CHECK_RETURN(loc_it != cfg.loc_map.end());


   const loc_infot &loc_info_src=loc_infos[loc_it->second];


   object_sett result_tmp;

   get_rec(result_tmp, rhs, loc_info_src);


   std::set<exprt> result;


   for(object_sett::const_iterator

       it=result_tmp.begin();

       it!=result_tmp.end();

       it++)

   {

     result.insert(objects[*it]);

   }


   return result;

 }


 bool local_may_aliast::aliases(

   const goto_programt::const_targett t,

   const exprt &src1, const exprt &src2) const

 {

   local_cfgt::loc_mapt::const_iterator loc_it=cfg.loc_map.find(t);

   CHECK_RETURN(loc_it != cfg.loc_map.end());


   const loc_infot &loc_info_src=loc_infos[loc_it->second];


   object_sett tmp1, tmp2;

   get_rec(tmp1, src1, loc_info_src);

   get_rec(tmp2, src2, loc_info_src);


   if(tmp1.find(unknown_object)!=tmp1.end() ||

      tmp2.find(unknown_object)!=tmp2.end())

     return true;


   std::list<unsigned> result;


   std::set_intersection(

     tmp1.begin(), tmp1.end(),

     tmp2.begin(), tmp2.end(),

     std::back_inserter(result));


   return !result.empty();

 }


 void local_may_aliast::get_rec(

   object_sett &dest,

   const exprt &rhs,

   const loc_infot &loc_info_src) const

 {

   if(rhs.is_constant())

   {

     if(rhs.is_zero())

       dest.insert(objects.number(exprt(ID_null_object)));

     else

       dest.insert(objects.number(exprt(ID_integer_address_object)));

   }

   else if(rhs.id()==ID_symbol)

   {

     if(rhs.type().id()==ID_pointer)

     {

       unsigned src_pointer=objects.number(rhs);


       dest.insert(src_pointer);


       for(std::size_t i=0; i<loc_info_src.aliases.size(); i++)

         if(loc_info_src.aliases.same_set(src_pointer, i))

           dest.insert(i);

     }

     else

       dest.insert(unknown_object);

   }

   else if(rhs.id()==ID_if)

   {

     get_rec(dest, to_if_expr(rhs).false_case(), loc_info_src);

     get_rec(dest, to_if_expr(rhs).true_case(), loc_info_src);

   }

   else if(rhs.id()==ID_address_of)

   {

     const exprt &object=to_address_of_expr(rhs).object();


     if(object.id()==ID_symbol)

     {

       unsigned object_nr=objects.number(rhs);

       dest.insert(object_nr);


       for(std::size_t i=0; i<loc_info_src.aliases.size(); i++)

         if(loc_info_src.aliases.same_set(object_nr, i))

           dest.insert(i);

     }

     else if(object.id()==ID_index)

     {

       const index_exprt &index_expr=to_index_expr(object);

       if(index_expr.array().id()==ID_symbol)

       {

         index_exprt tmp1=index_expr;

         tmp1.index() = from_integer(0, c_index_type());

         address_of_exprt tmp2(tmp1);

         unsigned object_nr=objects.number(tmp2);

         dest.insert(object_nr);


         for(std::size_t i=0; i<loc_info_src.aliases.size(); i++)

           if(loc_info_src.aliases.same_set(object_nr, i))

             dest.insert(i);

       }

       else if(index_expr.array().id()==ID_string_constant)

       {

         index_exprt tmp1=index_expr;

         tmp1.index() = from_integer(0, c_index_type());

         address_of_exprt tmp2(tmp1);

         unsigned object_nr=objects.number(tmp2);

         dest.insert(object_nr);


         for(std::size_t i=0; i<loc_info_src.aliases.size(); i++)

           if(loc_info_src.aliases.same_set(object_nr, i))

             dest.insert(i);

       }

       else

         dest.insert(unknown_object);

     }

     else

       dest.insert(unknown_object);

   }

   else if(rhs.id()==ID_typecast)

   {

     get_rec(dest, to_typecast_expr(rhs).op(), loc_info_src);

   }

   else if(rhs.id()==ID_plus)

   {

     const auto &plus_expr = to_plus_expr(rhs);


     if(plus_expr.operands().size() >= 3)

     {

       DATA_INVARIANT(

         plus_expr.op0().type().id() == ID_pointer,

         "pointer in pointer-typed sum must be op0");

       get_rec(dest, plus_expr.op0(), loc_info_src);

     }

     else if(plus_expr.operands().size() == 2)

     {

       // one must be pointer, one an integer

       if(plus_expr.op0().type().id() == ID_pointer)

       {

         get_rec(dest, plus_expr.op0(), loc_info_src);

       }

       else if(plus_expr.op1().type().id() == ID_pointer)

       {

         get_rec(dest, plus_expr.op1(), loc_info_src);

       }

       else

         dest.insert(unknown_object);

     }

     else

       dest.insert(unknown_object);

   }

   else if(rhs.id()==ID_minus)

   {

     const auto &op0 = to_minus_expr(rhs).op0();


     if(op0.type().id() == ID_pointer)

     {

       get_rec(dest, op0, loc_info_src);

     }

     else

       dest.insert(unknown_object);

   }

   else if(rhs.id()==ID_member)

   {

     dest.insert(unknown_object);

   }

   else if(rhs.id()==ID_index)

   {

     dest.insert(unknown_object);

   }

   else if(rhs.id()==ID_dereference)

   {

     dest.insert(unknown_object);

   }

   else if(rhs.id()==ID_side_effect)

   {

     const side_effect_exprt &side_effect_expr=to_side_effect_expr(rhs);

     const irep_idt &statement=side_effect_expr.get_statement();


     if(statement==ID_allocate)

     {

       dest.insert(objects.number(exprt(ID_dynamic_object)));

     }

     else

       dest.insert(unknown_object);

   }

   else if(rhs.is_nil())

   {

     // this means 'empty'

   }

   else

     dest.insert(unknown_object);

 }


 void local_may_aliast::build(const goto_functiont &goto_function)

 {

   if(cfg.nodes.empty())

     return;


   work_queuet work_queue;


   // put all nodes into work queue

   for(local_cfgt::node_nrt n=0; n<cfg.nodes.size(); n++)

     work_queue.push(n);


   unknown_object=objects.number(exprt(ID_unknown));


   loc_infos.resize(cfg.nodes.size());


   (void)goto_function; // unused parameter

 #if 0

   // feed in sufficiently bad defaults

   for(code_typet::parameterst::const_iterator

       it=goto_function.type.parameters().begin();

       it!=goto_function.type.parameters().end();

       it++)

   {

     const irep_idt &identifier=it->get_identifier();

     if(is_tracked(identifier))

       loc_infos[0].points_to[objects.number(identifier)].objects.insert(

         unknown_object);

   }

 #endif


 #if 0

   for(localst::locals_mapt::const_iterator

       l_it=locals.locals_map.begin();

       l_it!=locals.locals_map.end();

       l_it++)

   {

     if(is_tracked(l_it->first))

       loc_infos[0].aliases.make_union(

         objects.number(l_it->second), unknown_object);

   }

 #endif


   while(!work_queue.empty())

   {

     local_cfgt::node_nrt loc_nr=work_queue.top();

     const local_cfgt::nodet &node=cfg.nodes[loc_nr];

     const goto_programt::instructiont &instruction=*node.t;

     work_queue.pop();


     const loc_infot &loc_info_src=loc_infos[loc_nr];

     loc_infot loc_info_dest=loc_infos[loc_nr];


     switch(instruction.type())

     {

     case ASSIGN:

     {

       assign_lhs(

         instruction.assign_lhs(),

         instruction.assign_rhs(),

         loc_info_src,

         loc_info_dest);

       break;

     }


     case DECL:

       assign_lhs(

         instruction.decl_symbol(), nil_exprt(), loc_info_src, loc_info_dest);

       break;


     case DEAD:

       assign_lhs(

         instruction.dead_symbol(), nil_exprt(), loc_info_src, loc_info_dest);

       break;


     case FUNCTION_CALL:

     {

       const auto &lhs = instruction.call_lhs();

       if(lhs.is_not_nil())

         assign_lhs(lhs, nil_exprt(), loc_info_src, loc_info_dest);


       // this might invalidate all pointers that are

       // a) local and dirty

       // b) global

       for(std::size_t i = 0; i < objects.size(); i++)

       {

         if(objects[i].id() == ID_symbol)

         {

           const irep_idt &identifier =

             to_symbol_expr(objects[i]).get_identifier();


           if(dirty(identifier) || !locals.is_local(identifier))

           {

             loc_info_dest.aliases.isolate(i);

             loc_info_dest.aliases.make_union(i, unknown_object);

           }

         }

       }

       break;

     }


     case CATCH:

     case THROW:

       DATA_INVARIANT(false, "Exceptions must be removed before analysis");

       break;

     case SET_RETURN_VALUE:

 #if 0

       DATA_INVARIANT(false, "SET_RETURN_VALUE must be removed before analysis");

 #endif

       break;

     case GOTO:         // Ignoring the guard is a valid over-approximation

     case START_THREAD: // Require a concurrent analysis at higher level

     case END_THREAD:   // Require a concurrent analysis at higher level

     case ATOMIC_BEGIN: // Ignoring is a valid over-approximation

     case ATOMIC_END:   // Ignoring is a valid over-approximation

     case LOCATION:     // No action required

     case SKIP:         // No action required

     case END_FUNCTION: // No action required

     case ASSERT:       // No action required

     case ASSUME:       // Ignoring is a valid over-approximation

       break;

     case OTHER:

 #if 0

       DATA_INVARIANT(

         false, "Unclear what is a safe over-approximation of OTHER");

 #endif

       break;

     case INCOMPLETE_GOTO:

     case NO_INSTRUCTION_TYPE:

       DATA_INVARIANT(false, "Only complete instructions can be analyzed");

       break;

     }


     for(local_cfgt::successorst::const_iterator

         it=node.successors.begin();

         it!=node.successors.end();

         it++)

     {

       if(loc_infos[*it].merge(loc_info_dest))

         work_queue.push(*it);

     }

   }

 }


 void local_may_aliast::output(

   std::ostream &out,

   const goto_functiont &goto_function,

   const namespacet &ns) const

 {

   unsigned l=0;


   for(const auto &instruction : goto_function.body.instructions)

   {

     out << "**** " << instruction.source_location() << "\n";


     const loc_infot &loc_info=loc_infos[l];


     for(std::size_t i=0; i<loc_info.aliases.size(); i++)

     {

       if(loc_info.aliases.count(i)!=1 &&

          loc_info.aliases.find(i)==i) // root?

       {

         out << '{';

         for(std::size_t j=0; j<loc_info.aliases.size(); j++)

           if(loc_info.aliases.find(j)==i)

           {

             INVARIANT(j < objects.size(), "invalid object index");

             irep_idt identifier;

             if(objects[j].id() == ID_symbol)

               identifier = to_symbol_expr(objects[j]).get_identifier();

             out << ' ' << from_expr(ns, identifier, objects[j]);

           }


         out << " }";

         out << "\n";

       }

     }


     out << "\n";

     instruction.output(out);

     out << "\n";


     l++;

   }

 }

from_integer
constant_exprt from_integer(const mp_integer &int_value, const typet &type)
Definition: arith_tools.cpp:100

arith_tools.h

c_index_type
bitvector_typet c_index_type()
Definition: c_types.cpp:16

c_types.h

address_of_exprt
Operator to return the address of an object.
Definition: pointer_expr.h:540

address_of_exprt::object
exprt & object()
Definition: pointer_expr.h:549

binary_exprt::op0
exprt & op0()
Definition: expr.h:133

dstringt
dstringt has one field, an unsigned integer no which is an index into a static table of strings.
Definition: dstring.h:38

exprt
Base class for all expressions.
Definition: expr.h:56

exprt::is_zero
bool is_zero() const
Return whether the expression is a constant representing 0.
Definition: expr.cpp:47

exprt::type
typet & type()
Return the type of the expression.
Definition: expr.h:84

exprt::is_constant
bool is_constant() const
Return whether the expression is a constant.
Definition: expr.h:212

goto_functiont
A goto function, consisting of function body (see body) and parameter identifiers (see parameter_iden...
Definition: goto_function.h:24

goto_functiont::body
goto_programt body
Definition: goto_function.h:26

goto_programt::instructiont
This class represents an instruction in the GOTO intermediate representation.
Definition: goto_program.h:181

goto_programt::instructiont::call_lhs
const exprt & call_lhs() const
Get the lhs of a FUNCTION_CALL (may be nil)
Definition: goto_program.h:286

goto_programt::instructiont::assign_rhs
const exprt & assign_rhs() const
Get the rhs of the assignment for ASSIGN.
Definition: goto_program.h:214

goto_programt::instructiont::dead_symbol
const symbol_exprt & dead_symbol() const
Get the symbol for DEAD.
Definition: goto_program.h:244

goto_programt::instructiont::decl_symbol
const symbol_exprt & decl_symbol() const
Get the declared symbol for DECL.
Definition: goto_program.h:228

goto_programt::instructiont::assign_lhs
const exprt & assign_lhs() const
Get the lhs of the assignment for ASSIGN.
Definition: goto_program.h:200

goto_programt::instructiont::type
goto_program_instruction_typet type() const
What kind of instruction?
Definition: goto_program.h:344

goto_programt::instructions
instructionst instructions
The list of instructions in the goto program.
Definition: goto_program.h:622

goto_programt::const_targett
instructionst::const_iterator const_targett
Definition: goto_program.h:615

index_exprt
Array index operator.
Definition: std_expr.h:1465

index_exprt::array
exprt & array()
Definition: std_expr.h:1495

index_exprt::index
exprt & index()
Definition: std_expr.h:1505

irept::id
const irep_idt & id() const
Definition: irep.h:388

irept::is_nil
bool is_nil() const
Definition: irep.h:368

local_cfgt::nodet
Definition: local_cfg.h:26

local_cfgt::nodet::t
goto_programt::const_targett t
Definition: local_cfg.h:28

local_cfgt::nodet::successors
successorst successors
Definition: local_cfg.h:29

local_cfgt::nodes
nodest nodes
Definition: local_cfg.h:38

local_cfgt::node_nrt
std::size_t node_nrt
Definition: local_cfg.h:22

local_cfgt::loc_map
loc_mapt loc_map
Definition: local_cfg.h:35

local_may_aliast::loc_infot
Definition: local_may_alias.h:68

local_may_aliast::loc_infot::aliases
alias_sett aliases
Definition: local_may_alias.h:70

local_may_aliast::loc_infot::merge
bool merge(const loc_infot &src)
Definition: local_may_alias.cpp:25

local_may_aliast::locals
localst locals
Definition: local_may_alias.h:44

local_may_aliast::output
void output(std::ostream &out, const goto_functiont &goto_function, const namespacet &ns) const
Definition: local_may_alias.cpp:463

local_may_aliast::assign_lhs
void assign_lhs(const exprt &lhs, const exprt &rhs, const loc_infot &loc_info_src, loc_infot &loc_info_dest)
Definition: local_may_alias.cpp:44

local_may_aliast::build
void build(const goto_functiont &goto_function)
Definition: local_may_alias.cpp:320

local_may_aliast::unknown_object
unsigned unknown_object
Definition: local_may_alias.h:91

local_may_aliast::dirty
dirtyt dirty
Definition: local_may_alias.h:43

local_may_aliast::objects
numberingt< exprt, irep_hash > objects
Definition: local_may_alias.h:62

local_may_aliast::get
std::set< exprt > get(const goto_programt::const_targett t, const exprt &src) const
Definition: local_may_alias.cpp:115

local_may_aliast::get_rec
void get_rec(object_sett &dest, const exprt &rhs, const loc_infot &loc_info_src) const
Definition: local_may_alias.cpp:167

local_may_aliast::cfg
local_cfgt cfg
Definition: local_may_alias.h:45

local_may_aliast::work_queuet
std::stack< local_cfgt::node_nrt > work_queuet
Definition: local_may_alias.h:60

local_may_aliast::loc_infos
loc_infost loc_infos
Definition: local_may_alias.h:76

local_may_aliast::aliases
bool aliases(const goto_programt::const_targett t, const exprt &src1, const exprt &src2) const
Definition: local_may_alias.cpp:140

local_may_aliast::object_sett
std::set< unsigned > object_sett
Definition: local_may_alias.h:84

localst::is_local
bool is_local(const irep_idt &identifier) const
Definition: locals.h:37

namespacet
A namespacet is essentially one or two symbol tables bound together, to allow for symbol lookups in t...
Definition: namespace.h:94

nil_exprt
The NIL expression.
Definition: std_expr.h:3081

numberingt::number
number_type number(const key_type &a)
Definition: numbering.h:37

numberingt::size
size_type size() const
Definition: numbering.h:66

side_effect_exprt
An expression containing a side effect.
Definition: std_code.h:1450

side_effect_exprt::get_statement
const irep_idt & get_statement() const
Definition: std_code.h:1472

symbol_exprt::get_identifier
const irep_idt & get_identifier() const
Definition: std_expr.h:160

unsigned_union_find::size
size_type size() const
Definition: union_find.h:97

unsigned_union_find::find
size_type find(size_type a) const
Definition: union_find.cpp:141

unsigned_union_find::count
size_type count(size_type a) const
Definition: union_find.h:103

unsigned_union_find::make_union
void make_union(size_type a, size_type b)
Definition: union_find.cpp:13

unsigned_union_find::same_set
bool same_set(size_type a, size_type b) const
Definition: union_find.h:91

unsigned_union_find::isolate
void isolate(size_type a)
Definition: union_find.cpp:41

coverage_criteriont::LOCATION
@ LOCATION

coverage_criteriont::ASSUME
@ ASSUME

FUNCTION_CALL
@ FUNCTION_CALL
Definition: goto_program.h:49

ATOMIC_END
@ ATOMIC_END
Definition: goto_program.h:44

DEAD
@ DEAD
Definition: goto_program.h:48

END_FUNCTION
@ END_FUNCTION
Definition: goto_program.h:42

ASSIGN
@ ASSIGN
Definition: goto_program.h:46

ASSERT
@ ASSERT
Definition: goto_program.h:36

SET_RETURN_VALUE
@ SET_RETURN_VALUE
Definition: goto_program.h:45

ATOMIC_BEGIN
@ ATOMIC_BEGIN
Definition: goto_program.h:43

CATCH
@ CATCH
Definition: goto_program.h:51

END_THREAD
@ END_THREAD
Definition: goto_program.h:40

SKIP
@ SKIP
Definition: goto_program.h:38

NO_INSTRUCTION_TYPE
@ NO_INSTRUCTION_TYPE
Definition: goto_program.h:33

START_THREAD
@ START_THREAD
Definition: goto_program.h:39

THROW
@ THROW
Definition: goto_program.h:50

DECL
@ DECL
Definition: goto_program.h:47

OTHER
@ OTHER
Definition: goto_program.h:37

GOTO
@ GOTO
Definition: goto_program.h:34

INCOMPLETE_GOTO
@ INCOMPLETE_GOTO
Definition: goto_program.h:52

from_expr
std::string from_expr(const namespacet &ns, const irep_idt &identifier, const exprt &expr)
Definition: language_util.cpp:39

language_util.h

local_may_alias.h
Field-insensitive, location-sensitive may-alias analysis.

pointer_expr.h
API to expression classes for Pointers.

to_address_of_expr
const address_of_exprt & to_address_of_expr(const exprt &expr)
Cast an exprt to an address_of_exprt.
Definition: pointer_expr.h:577

CHECK_RETURN
#define CHECK_RETURN(CONDITION)
Definition: invariant.h:495

DATA_INVARIANT
#define DATA_INVARIANT(CONDITION, REASON)
This condition should be used to document that assumptions that are made on goto_functions,...
Definition: invariant.h:534

std_code.h

to_side_effect_expr
side_effect_exprt & to_side_effect_expr(exprt &expr)
Definition: std_code.h:1506

to_if_expr
const if_exprt & to_if_expr(const exprt &expr)
Cast an exprt to an if_exprt.
Definition: std_expr.h:2450

to_symbol_expr
const symbol_exprt & to_symbol_expr(const exprt &expr)
Cast an exprt to a symbol_exprt.
Definition: std_expr.h:272

to_typecast_expr
const typecast_exprt & to_typecast_expr(const exprt &expr)
Cast an exprt to a typecast_exprt.
Definition: std_expr.h:2102

to_minus_expr
const minus_exprt & to_minus_expr(const exprt &expr)
Cast an exprt to a minus_exprt.
Definition: std_expr.h:1086

to_plus_expr
const plus_exprt & to_plus_expr(const exprt &expr)
Cast an exprt to a plus_exprt.
Definition: std_expr.h:1041

to_member_expr
const member_exprt & to_member_expr(const exprt &expr)
Cast an exprt to a member_exprt.
Definition: std_expr.h:2936

to_index_expr
const index_exprt & to_index_expr(const exprt &expr)
Cast an exprt to an index_exprt.
Definition: std_expr.h:1533

merge
void merge(string_constraintst &result, string_constraintst other)
Merge two sets of constraints by appending to the first one.
Definition: string_constraint_generator_main.cpp:101

validation_modet::INVARIANT
@ INVARIANT