cbmc/object__tracking_8cpp_source.html

 // Author: Diffblue Ltd.


 #include "object_tracking.h"


 #include <util/arith_tools.h>

 #include <util/c_types.h>

 #include <util/pointer_offset_size.h>

 #include <util/pointer_predicates.h>

 #include <util/std_code.h>

 #include <util/std_expr.h>

 #include <util/string_constant.h>


 exprt make_invalid_pointer_expr()

 {

   return constant_exprt(ID_invalid, pointer_type(void_type()));

 }


 exprt find_object_base_expression(const address_of_exprt &address_of)

 {

   auto current = std::ref(address_of.object());

   while(

     !(can_cast_expr<symbol_exprt>(current) ||

       can_cast_expr<constant_exprt>(current) ||

       can_cast_expr<string_constantt>(current) ||

       can_cast_expr<code_labelt>(current)))

   {

     if(const auto index = expr_try_dynamic_cast<index_exprt>(current.get()))

     {

       // For the case `my_array[bar]` the base expression is `my_array`.

       current = index->array();

       continue;

     }

     if(const auto member = expr_try_dynamic_cast<member_exprt>(current.get()))

     {

       // For the case `my_struct.field_name` the base expression is `my_struct`.

       current = member->compound();

       continue;

     }

     INVARIANT(

       false,

       "Unable to find base object of expression: " +

         current.get().pretty(1, 0));

   }

   return current.get();

 }


 static decision_procedure_objectt make_null_object()

 {

   decision_procedure_objectt null_object;

   null_object.unique_id = 0;

   null_object.base_expression = null_pointer_exprt{pointer_type(void_type())};

   null_object.size = from_integer(0, size_type());

   null_object.is_dynamic = false;

   return null_object;

 }


 static decision_procedure_objectt make_invalid_pointer_object()

 {

   decision_procedure_objectt invalid_pointer_object;

   // Using unique_id = 1, so 0 is the NULL object, 1 is the invalid object and

   // other valid objects have unique_id > 1.

   invalid_pointer_object.unique_id = 1;

   invalid_pointer_object.base_expression = make_invalid_pointer_expr();

   invalid_pointer_object.size = from_integer(0, size_type());

   invalid_pointer_object.is_dynamic = false;

   return invalid_pointer_object;

 }


 smt_object_mapt initial_smt_object_map()

 {

   smt_object_mapt object_map;

   decision_procedure_objectt null_object = make_null_object();

   exprt null_object_base = null_object.base_expression;

   object_map.emplace(std::move(null_object_base), std::move(null_object));

   decision_procedure_objectt invalid_pointer_object =

     make_invalid_pointer_object();

   exprt invalid_pointer_object_base = invalid_pointer_object.base_expression;

   object_map.emplace(

     std::move(invalid_pointer_object_base), std::move(invalid_pointer_object));

   return object_map;

 }


 static bool is_dynamic(const exprt &object)

 {

   // This check corresponds to the symbols created in

   // `goto_symext::symex_allocate`, which implements the `__CPROVER_allocate`

   // intrinsic function used by the standard library models.

   const bool dynamic_type = object.type().get_bool(ID_C_dynamic);

   if(dynamic_type)

     return true;

   const auto symbol = expr_try_dynamic_cast<symbol_exprt>(object);

   bool symbol_is_dynamic =

     symbol && symbol->get_identifier().starts_with(SYMEX_DYNAMIC_PREFIX);

   return symbol_is_dynamic;

 }


 void track_expression_objects(

   const exprt &expression,

   const namespacet &ns,

   smt_object_mapt &object_map)

 {

   find_object_base_expressions(

     expression, [&](const exprt &object_base) -> void {

       const auto find_result = object_map.find(object_base);

       if(find_result != object_map.cend())

         return;

       const auto size = size_of_expr(object_base.type(), ns);

       INVARIANT(size, "Objects are expected to have well defined size");

       decision_procedure_objectt object;

       object.base_expression = object_base;

       object.unique_id = object_map.size();

       object.size = *size;

       object.is_dynamic = is_dynamic(object_base);

       object_map.emplace_hint(find_result, object_base, std::move(object));

     });

 }


 bool objects_are_already_tracked(

   const exprt &expression,

   const smt_object_mapt &object_map)

 {

   bool all_objects_tracked = true;

   find_object_base_expressions(

     expression, [&](const exprt &object_base) -> void {

       const auto find_result = object_map.find(object_base);

       if(find_result != object_map.cend())

         return;

       all_objects_tracked = false;

     });

   return all_objects_tracked;

 }

from_integer
constant_exprt from_integer(const mp_integer &int_value, const typet &type)
Definition: arith_tools.cpp:100

arith_tools.h

void_type
empty_typet void_type()
Definition: c_types.cpp:245

pointer_type
pointer_typet pointer_type(const typet &subtype)
Definition: c_types.cpp:235

c_types.h

address_of_exprt
Operator to return the address of an object.
Definition: pointer_expr.h:540

address_of_exprt::object
exprt & object()
Definition: pointer_expr.h:549

constant_exprt
A constant literal expression.
Definition: std_expr.h:2987

exprt
Base class for all expressions.
Definition: expr.h:56

exprt::type
typet & type()
Return the type of the expression.
Definition: expr.h:84

irept::find
const irept & find(const irep_idt &name) const
Definition: irep.cpp:93

namespacet
A namespacet is essentially one or two symbol tables bound together, to allow for symbol lookups in t...
Definition: namespace.h:94

null_pointer_exprt
The null pointer constant.
Definition: pointer_expr.h:909

make_invalid_pointer_expr
exprt make_invalid_pointer_expr()
Create the invalid pointer constant.
Definition: object_tracking.cpp:13

find_object_base_expression
exprt find_object_base_expression(const address_of_exprt &address_of)
The model of addresses we use consists of a unique object identifier and an offset.
Definition: object_tracking.cpp:18

track_expression_objects
void track_expression_objects(const exprt &expression, const namespacet &ns, smt_object_mapt &object_map)
Finds all the object expressions in the given expression and adds them to the object map for cases wh...
Definition: object_tracking.cpp:99

objects_are_already_tracked
bool objects_are_already_tracked(const exprt &expression, const smt_object_mapt &object_map)
Finds whether all base object expressions in the given expression are already tracked in the given ob...
Definition: object_tracking.cpp:120

make_invalid_pointer_object
static decision_procedure_objectt make_invalid_pointer_object()
Definition: object_tracking.cpp:57

initial_smt_object_map
smt_object_mapt initial_smt_object_map()
Constructs an initial object map containing the null object.
Definition: object_tracking.cpp:69

make_null_object
static decision_procedure_objectt make_null_object()
Definition: object_tracking.cpp:47

is_dynamic
static bool is_dynamic(const exprt &object)
This function returns true for heap allocated objects or false for stack allocated objects.
Definition: object_tracking.cpp:85

object_tracking.h
Data structures and algorithms used by smt2_incremental_decision_proceduret to track data about the o...

find_object_base_expressions
void find_object_base_expressions(const exprt &expression, const output_object_functiont &output_object)
Arbitrary expressions passed to the decision procedure may have multiple address of operations as its...
Definition: object_tracking.h:76

smt_object_mapt
std::unordered_map< exprt, decision_procedure_objectt, irep_hash > smt_object_mapt
Mapping from an object's base expression to the set of information about it which we track.
Definition: object_tracking.h:91

size_of_expr
std::optional< exprt > size_of_expr(const typet &type, const namespacet &ns)
Definition: pointer_offset_size.cpp:287

pointer_offset_size.h
Pointer Logic.

null_object
exprt null_object(const exprt &pointer)
Definition: pointer_predicates.cpp:59

pointer_predicates.h
Various predicates over pointers in programs.

SYMEX_DYNAMIC_PREFIX
#define SYMEX_DYNAMIC_PREFIX
Definition: pointer_predicates.h:17

INVARIANT
#define INVARIANT(CONDITION, REASON)
This macro uses the wrapper function 'invariant_violated_string'.
Definition: invariant.h:423

std_code.h

can_cast_expr< code_labelt >
bool can_cast_expr< code_labelt >(const exprt &base)
Definition: std_code.h:994

std_expr.h
API to expression classes.

can_cast_expr< constant_exprt >
bool can_cast_expr< constant_exprt >(const exprt &base)
Definition: std_expr.h:3021

can_cast_expr< symbol_exprt >
bool can_cast_expr< symbol_exprt >(const exprt &base)
Definition: std_expr.h:256

string_constant.h

can_cast_expr< string_constantt >
bool can_cast_expr< string_constantt >(const exprt &base)
Definition: string_constant.h:50

decision_procedure_objectt
Information the decision procedure holds about each object.
Definition: object_tracking.h:41

decision_procedure_objectt::base_expression
exprt base_expression
The expression for the root of the object.
Definition: object_tracking.h:44

decision_procedure_objectt::is_dynamic
bool is_dynamic
This is true for heap allocated objects and false for stack allocated.
Definition: object_tracking.h:50

decision_procedure_objectt::unique_id
std::size_t unique_id
Number which uniquely identifies this particular object.
Definition: object_tracking.h:46

decision_procedure_objectt::size
exprt size
Expression which evaluates to the size of the object in bytes.
Definition: object_tracking.h:48

size_type
#define size_type
Definition: unistd.c:347