cbmc/local__may__alias_8cpp_source.html

/*******************************************************************\


Module: Field-insensitive, location-sensitive may-alias analysis


Author: Daniel Kroening, kroening@kroening.com


\*******************************************************************/


#include "local_may_alias.h"


#include <iterator>

#include <algorithm>


#include <util/arith_tools.h>

#include <util/pointer_expr.h>

#include <util/std_code.h>


#include <util/c_types.h>

#include <langapi/language_util.h>


bool local_may_aliast::loc_infot::merge(const loc_infot &src)

{

  bool changed=false;


  // do union; this should be amortized linear

  for(std::size_t i=0; i<src.aliases.size(); i++)

  {

    std::size_t root=src.aliases.find(i);


    if(!aliases.same_set(i, root))

    {

      aliases.make_union(i, root);

      changed=true;

    }

  }


  return changed;

}


void local_may_aliast::assign_lhs(

  const exprt &lhs,

  const exprt &rhs,

  const loc_infot &loc_info_src,

  loc_infot &loc_info_dest)

{

  if(lhs.id()==ID_symbol)

  {

    if(lhs.type().id()==ID_pointer)

    {

      unsigned dest_pointer=objects.number(lhs);


      // isolate the lhs pointer

      loc_info_dest.aliases.isolate(dest_pointer);


      object_sett rhs_set;

      get_rec(rhs_set, rhs, loc_info_src);


      // make these all aliases

      for(object_sett::const_iterator

          p_it=rhs_set.begin();

          p_it!=rhs_set.end();

          p_it++)

      {

        loc_info_dest.aliases.make_union(dest_pointer, *p_it);

      }

    }

  }

  else if(lhs.id()==ID_dereference)

  {

    // this might invalidate all pointers that are

    // a) local and dirty

    // b) global

    if(lhs.type().id()==ID_pointer)

    {

      for(std::size_t i=0; i<objects.size(); i++)

      {

        if(objects[i].id()==ID_symbol)

        {

          const irep_idt &identifier = to_symbol_expr(objects[i]).identifier();


          if(dirty(identifier) || !locals.is_local(identifier))

          {

            loc_info_dest.aliases.isolate(i);

            loc_info_dest.aliases.make_union(i, unknown_object);

          }

        }

      }

    }

  }

  else if(lhs.id()==ID_index)

  {

    assign_lhs(to_index_expr(lhs).array(), rhs, loc_info_src, loc_info_dest);

  }

  else if(lhs.id()==ID_member)

  {

    assign_lhs(

      to_member_expr(lhs).struct_op(), rhs, loc_info_src, loc_info_dest);

  }

  else if(lhs.id()==ID_typecast)

  {

    assign_lhs(to_typecast_expr(lhs).op(), rhs, loc_info_src, loc_info_dest);

  }

  else if(lhs.id()==ID_if)

  {

    assign_lhs(to_if_expr(lhs).true_case(), rhs, loc_info_src, loc_info_dest);

    assign_lhs(to_if_expr(lhs).false_case(), rhs, loc_info_src, loc_info_dest);

  }

}


std::set<exprt> local_may_aliast::get(

  const goto_programt::const_targett t,

  const exprt &rhs) const

{

  local_cfgt::loc_mapt::const_iterator loc_it=cfg.loc_map.find(t);

  CHECK_RETURN(loc_it != cfg.loc_map.end());


  const loc_infot &loc_info_src=loc_infos[loc_it->second];


  object_sett result_tmp;

  get_rec(result_tmp, rhs, loc_info_src);


  std::set<exprt> result;


  for(object_sett::const_iterator

      it=result_tmp.begin();

      it!=result_tmp.end();

      it++)

  {

    result.insert(objects[*it]);

  }


  return result;

}


bool local_may_aliast::aliases(

  const goto_programt::const_targett t,

  const exprt &src1, const exprt &src2) const

{

  local_cfgt::loc_mapt::const_iterator loc_it=cfg.loc_map.find(t);

  CHECK_RETURN(loc_it != cfg.loc_map.end());


  const loc_infot &loc_info_src=loc_infos[loc_it->second];


  object_sett tmp1, tmp2;

  get_rec(tmp1, src1, loc_info_src);

  get_rec(tmp2, src2, loc_info_src);


  if(tmp1.find(unknown_object)!=tmp1.end() ||

     tmp2.find(unknown_object)!=tmp2.end())

    return true;


  std::list<unsigned> result;


  std::set_intersection(

    tmp1.begin(), tmp1.end(),

    tmp2.begin(), tmp2.end(),

    std::back_inserter(result));


  return !result.empty();

}


void local_may_aliast::get_rec(

  object_sett &dest,

  const exprt &rhs,

  const loc_infot &loc_info_src) const

{

  if(rhs.is_constant())

  {

    if(rhs == 0)

      dest.insert(objects.number(exprt(ID_null_object)));

    else

      dest.insert(objects.number(exprt(ID_integer_address_object)));

  }

  else if(rhs.id()==ID_symbol)

  {

    if(rhs.type().id()==ID_pointer)

    {

      unsigned src_pointer=objects.number(rhs);


      dest.insert(src_pointer);


      for(std::size_t i=0; i<loc_info_src.aliases.size(); i++)

        if(loc_info_src.aliases.same_set(src_pointer, i))

          dest.insert(i);

    }

    else

      dest.insert(unknown_object);

  }

  else if(rhs.id()==ID_if)

  {

    get_rec(dest, to_if_expr(rhs).false_case(), loc_info_src);

    get_rec(dest, to_if_expr(rhs).true_case(), loc_info_src);

  }

  else if(rhs.id()==ID_address_of)

  {

    const exprt &object=to_address_of_expr(rhs).object();


    if(object.id()==ID_symbol)

    {

      unsigned object_nr=objects.number(rhs);

      dest.insert(object_nr);


      for(std::size_t i=0; i<loc_info_src.aliases.size(); i++)

        if(loc_info_src.aliases.same_set(object_nr, i))

          dest.insert(i);

    }

    else if(object.id()==ID_index)

    {

      const index_exprt &index_expr=to_index_expr(object);

      if(index_expr.array().id()==ID_symbol)

      {

        index_exprt tmp1=index_expr;

        tmp1.index() = from_integer(0, c_index_type());

        address_of_exprt tmp2(tmp1);

        unsigned object_nr=objects.number(tmp2);

        dest.insert(object_nr);


        for(std::size_t i=0; i<loc_info_src.aliases.size(); i++)

          if(loc_info_src.aliases.same_set(object_nr, i))

            dest.insert(i);

      }

      else if(index_expr.array().id()==ID_string_constant)

      {

        index_exprt tmp1=index_expr;

        tmp1.index() = from_integer(0, c_index_type());

        address_of_exprt tmp2(tmp1);

        unsigned object_nr=objects.number(tmp2);

        dest.insert(object_nr);


        for(std::size_t i=0; i<loc_info_src.aliases.size(); i++)

          if(loc_info_src.aliases.same_set(object_nr, i))

            dest.insert(i);

      }

      else

        dest.insert(unknown_object);

    }

    else

      dest.insert(unknown_object);

  }

  else if(rhs.id()==ID_typecast)

  {

    get_rec(dest, to_typecast_expr(rhs).op(), loc_info_src);

  }

  else if(rhs.id()==ID_plus)

  {

    const auto &plus_expr = to_plus_expr(rhs);


    if(plus_expr.operands().size() >= 3)

    {

      DATA_INVARIANT(

        plus_expr.op0().type().id() == ID_pointer,

        "pointer in pointer-typed sum must be op0");

      get_rec(dest, plus_expr.op0(), loc_info_src);

    }

    else if(plus_expr.operands().size() == 2)

    {

      // one must be pointer, one an integer

      if(plus_expr.op0().type().id() == ID_pointer)

      {

        get_rec(dest, plus_expr.op0(), loc_info_src);

      }

      else if(plus_expr.op1().type().id() == ID_pointer)

      {

        get_rec(dest, plus_expr.op1(), loc_info_src);

      }

      else

        dest.insert(unknown_object);

    }

    else

      dest.insert(unknown_object);

  }

  else if(rhs.id()==ID_minus)

  {

    const auto &op0 = to_minus_expr(rhs).op0();


    if(op0.type().id() == ID_pointer)

    {

      get_rec(dest, op0, loc_info_src);

    }

    else

      dest.insert(unknown_object);

  }

  else if(rhs.id()==ID_member)

  {

    dest.insert(unknown_object);

  }

  else if(rhs.id()==ID_index)

  {

    dest.insert(unknown_object);

  }

  else if(rhs.id()==ID_dereference)

  {

    dest.insert(unknown_object);

  }

  else if(rhs.id()==ID_side_effect)

  {

    const side_effect_exprt &side_effect_expr=to_side_effect_expr(rhs);

    const irep_idt &statement=side_effect_expr.get_statement();


    if(statement==ID_allocate)

    {

      dest.insert(objects.number(exprt(ID_dynamic_object)));

    }

    else

      dest.insert(unknown_object);

  }

  else if(rhs.is_nil())

  {

    // this means 'empty'

  }

  else

    dest.insert(unknown_object);

}


void local_may_aliast::build(const goto_functiont &goto_function)

{

  if(cfg.nodes.empty())

    return;


  work_queuet work_queue;


  // put all nodes into work queue

  for(local_cfgt::node_nrt n=0; n<cfg.nodes.size(); n++)

    work_queue.push(n);


  unknown_object=objects.number(exprt(ID_unknown));


  loc_infos.resize(cfg.nodes.size());


  (void)goto_function; // unused parameter

#if 0

  // feed in sufficiently bad defaults

  for(code_typet::parameterst::const_iterator

      it=goto_function.type.parameters().begin();

      it!=goto_function.type.parameters().end();

      it++)

  {

    const irep_idt &identifier=it->get_identifier();

    if(is_tracked(identifier))

      loc_infos[0].points_to[objects.number(identifier)].objects.insert(

        unknown_object);

  }

#endif


#if 0

  for(localst::locals_mapt::const_iterator

      l_it=locals.locals_map.begin();

      l_it!=locals.locals_map.end();

      l_it++)

  {

    if(is_tracked(l_it->first))

      loc_infos[0].aliases.make_union(

        objects.number(l_it->second), unknown_object);

  }

#endif


  while(!work_queue.empty())

  {

    local_cfgt::node_nrt loc_nr=work_queue.top();

    const local_cfgt::nodet &node=cfg.nodes[loc_nr];

    const goto_programt::instructiont &instruction=*node.t;

    work_queue.pop();


    const loc_infot &loc_info_src=loc_infos[loc_nr];

    loc_infot loc_info_dest=loc_infos[loc_nr];


    switch(instruction.type())

    {

    case ASSIGN:

    {

      assign_lhs(

        instruction.assign_lhs(),

        instruction.assign_rhs(),

        loc_info_src,

        loc_info_dest);

      break;

    }


    case DECL:

      assign_lhs(

        instruction.decl_symbol(), nil_exprt(), loc_info_src, loc_info_dest);

      break;


    case DEAD:

      assign_lhs(

        instruction.dead_symbol(), nil_exprt(), loc_info_src, loc_info_dest);

      break;


    case FUNCTION_CALL:

    {

      const auto &lhs = instruction.call_lhs();

      if(lhs.is_not_nil())

        assign_lhs(lhs, nil_exprt(), loc_info_src, loc_info_dest);


      // this might invalidate all pointers that are

      // a) local and dirty

      // b) global

      for(std::size_t i = 0; i < objects.size(); i++)

      {

        if(objects[i].id() == ID_symbol)

        {

          const irep_idt &identifier = to_symbol_expr(objects[i]).identifier();


          if(dirty(identifier) || !locals.is_local(identifier))

          {

            loc_info_dest.aliases.isolate(i);

            loc_info_dest.aliases.make_union(i, unknown_object);

          }

        }

      }

      break;

    }


    case CATCH:

    case THROW:

      DATA_INVARIANT(false, "Exceptions must be removed before analysis");

      break;

    case SET_RETURN_VALUE:

#if 0

      DATA_INVARIANT(false, "SET_RETURN_VALUE must be removed before analysis");

#endif

      break;

    case GOTO:         // Ignoring the guard is a valid over-approximation

    case START_THREAD: // Require a concurrent analysis at higher level

    case END_THREAD:   // Require a concurrent analysis at higher level

    case ATOMIC_BEGIN: // Ignoring is a valid over-approximation

    case ATOMIC_END:   // Ignoring is a valid over-approximation

    case LOCATION:     // No action required

    case SKIP:         // No action required

    case END_FUNCTION: // No action required

    case ASSERT:       // No action required

    case ASSUME:       // Ignoring is a valid over-approximation

      break;

    case OTHER:

#if 0

      DATA_INVARIANT(

        false, "Unclear what is a safe over-approximation of OTHER");

#endif

      break;

    case INCOMPLETE_GOTO:

    case NO_INSTRUCTION_TYPE:

      DATA_INVARIANT(false, "Only complete instructions can be analyzed");

      break;

    }


    for(local_cfgt::successorst::const_iterator

        it=node.successors.begin();

        it!=node.successors.end();

        it++)

    {

      if(loc_infos[*it].merge(loc_info_dest))

        work_queue.push(*it);

    }

  }

}


void local_may_aliast::output(

  std::ostream &out,

  const goto_functiont &goto_function,

  const namespacet &ns) const

{

  unsigned l=0;


  for(const auto &instruction : goto_function.body.instructions)

  {

    out << "**** " << instruction.source_location() << "\n";


    const loc_infot &loc_info=loc_infos[l];


    for(std::size_t i=0; i<loc_info.aliases.size(); i++)

    {

      if(loc_info.aliases.count(i)!=1 &&

         loc_info.aliases.find(i)==i) // root?

      {

        out << '{';

        for(std::size_t j=0; j<loc_info.aliases.size(); j++)

          if(loc_info.aliases.find(j)==i)

          {

            INVARIANT(j < objects.size(), "invalid object index");

            irep_idt identifier;

            if(objects[j].id() == ID_symbol)

              identifier = to_symbol_expr(objects[j]).identifier();

            out << ' ' << from_expr(ns, identifier, objects[j]);

          }


        out << " }";

        out << "\n";

      }

    }


    out << "\n";

    instruction.output(out);

    out << "\n";


    l++;

  }

}


from_integer
constant_exprt from_integer(const mp_integer &int_value, const typet &type)
Definition arith_tools.cpp:100

arith_tools.h

c_index_type
bitvector_typet c_index_type()
Definition c_types.cpp:16

c_types.h

address_of_exprt
Operator to return the address of an object.
Definition pointer_expr.h:540

ait
ait supplies three of the four components needed: an abstract interpreter (in this case handling func...
Definition ai.h:566

dstringt
dstringt has one field, an unsigned integer no which is an index into a static table of strings.
Definition dstring.h:38

exprt
Base class for all expressions.
Definition expr.h:57

exprt::is_constant
bool is_constant() const
Return whether the expression is a constant.
Definition expr.h:213

exprt::type
typet & type()
Return the type of the expression.
Definition expr.h:85

goto_functiont
A goto function, consisting of function body (see body) and parameter identifiers (see parameter_iden...
Definition goto_function.h:24

goto_functiont::body
goto_programt body
Definition goto_function.h:26

goto_programt::instructiont
This class represents an instruction in the GOTO intermediate representation.
Definition goto_program.h:180

goto_programt::instructiont::dead_symbol
const symbol_exprt & dead_symbol() const
Get the symbol for DEAD.
Definition goto_program.h:243

goto_programt::instructiont::call_lhs
const exprt & call_lhs() const
Get the lhs of a FUNCTION_CALL (may be nil)
Definition goto_program.h:285

goto_programt::instructiont::decl_symbol
const symbol_exprt & decl_symbol() const
Get the declared symbol for DECL.
Definition goto_program.h:227

goto_programt::instructiont::assign_lhs
const exprt & assign_lhs() const
Get the lhs of the assignment for ASSIGN.
Definition goto_program.h:199

goto_programt::instructiont::assign_rhs
const exprt & assign_rhs() const
Get the rhs of the assignment for ASSIGN.
Definition goto_program.h:213

goto_programt::instructiont::type
goto_program_instruction_typet type() const
What kind of instruction?
Definition goto_program.h:343

goto_programt::instructions
instructionst instructions
The list of instructions in the goto program.
Definition goto_program.h:621

goto_programt::const_targett
instructionst::const_iterator const_targett
Definition goto_program.h:614

index_exprt
Array index operator.
Definition std_expr.h:1431

irept::id
const irep_idt & id() const
Definition irep.h:388

irept::is_nil
bool is_nil() const
Definition irep.h:368

local_cfgt::nodet
Definition local_cfg.h:26

local_cfgt::nodet::t
goto_programt::const_targett t
Definition local_cfg.h:28

local_cfgt::nodet::successors
successorst successors
Definition local_cfg.h:29

local_cfgt::nodes
nodest nodes
Definition local_cfg.h:38

local_cfgt::node_nrt
std::size_t node_nrt
Definition local_cfg.h:22

local_cfgt::loc_map
loc_mapt loc_map
Definition local_cfg.h:35

local_may_aliast::loc_infot
Definition local_may_alias.h:68

local_may_aliast::loc_infot::aliases
alias_sett aliases
Definition local_may_alias.h:70

local_may_aliast::loc_infot::merge
bool merge(const loc_infot &src)
Definition local_may_alias.cpp:25

local_may_aliast::locals
localst locals
Definition local_may_alias.h:44

local_may_aliast::output
void output(std::ostream &out, const goto_functiont &goto_function, const namespacet &ns) const
Definition local_may_alias.cpp:461

local_may_aliast::assign_lhs
void assign_lhs(const exprt &lhs, const exprt &rhs, const loc_infot &loc_info_src, loc_infot &loc_info_dest)
Definition local_may_alias.cpp:44

local_may_aliast::build
void build(const goto_functiont &goto_function)
Definition local_may_alias.cpp:319

local_may_aliast::unknown_object
unsigned unknown_object
Definition local_may_alias.h:91

local_may_aliast::dirty
dirtyt dirty
Definition local_may_alias.h:43

local_may_aliast::objects
numberingt< exprt, irep_hash > objects
Definition local_may_alias.h:62

local_may_aliast::get
std::set< exprt > get(const goto_programt::const_targett t, const exprt &src) const
Definition local_may_alias.cpp:114

local_may_aliast::get_rec
void get_rec(object_sett &dest, const exprt &rhs, const loc_infot &loc_info_src) const
Definition local_may_alias.cpp:166

local_may_aliast::cfg
local_cfgt cfg
Definition local_may_alias.h:45

local_may_aliast::work_queuet
std::stack< local_cfgt::node_nrt > work_queuet
Definition local_may_alias.h:60

local_may_aliast::loc_infos
loc_infost loc_infos
Definition local_may_alias.h:76

local_may_aliast::aliases
bool aliases(const goto_programt::const_targett t, const exprt &src1, const exprt &src2) const
Definition local_may_alias.cpp:139

local_may_aliast::object_sett
std::set< unsigned > object_sett
Definition local_may_alias.h:84

localst::is_local
bool is_local(const irep_idt &identifier) const
Definition locals.h:37

namespacet
A namespacet is essentially one or two symbol tables bound together, to allow for symbol lookups in t...
Definition namespace.h:91

nil_exprt
The NIL expression.
Definition std_expr.h:3144

numberingt::number
number_type number(const key_type &a)
Definition numbering.h:37

numberingt::size
size_type size() const
Definition numbering.h:66

side_effect_exprt
An expression containing a side effect.
Definition std_code.h:1450

unsigned_union_find::size
size_type size() const
Definition union_find.h:97

unsigned_union_find::find
size_type find(size_type a) const
Definition union_find.cpp:141

unsigned_union_find::make_union
void make_union(size_type a, size_type b)
Definition union_find.cpp:13

unsigned_union_find::same_set
bool same_set(size_type a, size_type b) const
Definition union_find.h:91

FUNCTION_CALL
@ FUNCTION_CALL
Definition goto_program.h:48

ATOMIC_END
@ ATOMIC_END
Definition goto_program.h:43

DEAD
@ DEAD
Definition goto_program.h:47

LOCATION
@ LOCATION
Definition goto_program.h:40

END_FUNCTION
@ END_FUNCTION
Definition goto_program.h:41

ASSIGN
@ ASSIGN
Definition goto_program.h:45

ASSERT
@ ASSERT
Definition goto_program.h:35

SET_RETURN_VALUE
@ SET_RETURN_VALUE
Definition goto_program.h:44

ATOMIC_BEGIN
@ ATOMIC_BEGIN
Definition goto_program.h:42

CATCH
@ CATCH
Definition goto_program.h:50

END_THREAD
@ END_THREAD
Definition goto_program.h:39

SKIP
@ SKIP
Definition goto_program.h:37

NO_INSTRUCTION_TYPE
@ NO_INSTRUCTION_TYPE
Definition goto_program.h:32

START_THREAD
@ START_THREAD
Definition goto_program.h:38

THROW
@ THROW
Definition goto_program.h:49

DECL
@ DECL
Definition goto_program.h:46

OTHER
@ OTHER
Definition goto_program.h:36

GOTO
@ GOTO
Definition goto_program.h:33

INCOMPLETE_GOTO
@ INCOMPLETE_GOTO
Definition goto_program.h:51

ASSUME
@ ASSUME
Definition goto_program.h:34

from_expr
std::string from_expr(const namespacet &ns, const irep_idt &identifier, const exprt &expr)
Definition language_util.cpp:39

language_util.h

local_may_alias.h
Field-insensitive, location-sensitive may-alias analysis.

pointer_expr.h
API to expression classes for Pointers.

to_address_of_expr
const address_of_exprt & to_address_of_expr(const exprt &expr)
Cast an exprt to an address_of_exprt.
Definition pointer_expr.h:577

CHECK_RETURN
#define CHECK_RETURN(CONDITION)
Definition invariant.h:495

DATA_INVARIANT
#define DATA_INVARIANT(CONDITION, REASON)
This condition should be used to document that assumptions that are made on goto_functions,...
Definition invariant.h:534

INVARIANT
#define INVARIANT(CONDITION, REASON)
This macro uses the wrapper function 'invariant_violated_string'.
Definition invariant.h:423

std_code.h

to_side_effect_expr
side_effect_exprt & to_side_effect_expr(exprt &expr)
Definition std_code.h:1506

to_index_expr
const index_exprt & to_index_expr(const exprt &expr)
Cast an exprt to an index_exprt.
Definition std_expr.h:1494

to_typecast_expr
const typecast_exprt & to_typecast_expr(const exprt &expr)
Cast an exprt to a typecast_exprt.
Definition std_expr.h:2024

to_plus_expr
const plus_exprt & to_plus_expr(const exprt &expr)
Cast an exprt to a plus_exprt.
Definition std_expr.h:1045

to_if_expr
const if_exprt & to_if_expr(const exprt &expr)
Cast an exprt to an if_exprt.
Definition std_expr.h:2501

to_member_expr
const member_exprt & to_member_expr(const exprt &expr)
Cast an exprt to a member_exprt.
Definition std_expr.h:2953

to_minus_expr
const minus_exprt & to_minus_expr(const exprt &expr)
Cast an exprt to a minus_exprt.
Definition std_expr.h:1085

to_symbol_expr
const symbol_exprt & to_symbol_expr(const exprt &expr)
Cast an exprt to a symbol_exprt.
Definition std_expr.h:221

merge
void merge(string_constraintst &result, string_constraintst other)
Merge two sets of constraints by appending to the first one.
Definition string_constraint_generator_main.cpp:101