cbmc/remove__instanceof_8cpp_source.html

/*******************************************************************\


Module: Remove Instance-of Operators


Author: Chris Smowton, chris.smowton@diffblue.com


\*******************************************************************/


#include "remove_instanceof.h"


#include <goto-programs/class_hierarchy.h>

#include <goto-programs/class_identifier.h>

#include <goto-programs/goto_model.h>


#include <java_bytecode/java_types.h>


#include <util/arith_tools.h>


class remove_instanceoft

{

public:


  remove_instanceoft(

    symbol_table_baset &symbol_table,

    const class_hierarchyt &class_hierarchy,

    message_handlert &message_handler)

    : symbol_table(symbol_table),

      class_hierarchy(class_hierarchy),

      ns(symbol_table),

      message_handler(message_handler)

  {

  }


  // Lower instanceof for a single function

  bool lower_instanceof(const irep_idt &function_identifier, goto_programt &);


  // Lower instanceof for a single instruction

  bool lower_instanceof(

    const irep_idt &function_identifier,

    goto_programt &,

    goto_programt::targett);


protected:

  symbol_table_baset &symbol_table;

  const class_hierarchyt &class_hierarchy;

  namespacet ns;

  message_handlert &message_handler;


  bool lower_instanceof(

    const irep_idt &function_identifier,

    exprt &,

    goto_programt &,

    goto_programt::targett);

};


static exprt subtype_expr(

  const exprt &classid_field,

  const irep_idt &target_type,

  const class_hierarchyt &class_hierarchy)

{

  std::vector<irep_idt> children =

    class_hierarchy.get_children_trans(target_type);

  children.push_back(target_type);

  // Sort alphabetically to make order of generated disjuncts

  // independent of class loading order

  std::sort(

    children.begin(), children.end(), [](const irep_idt &a, const irep_idt &b) {

      return a.compare(b) < 0;

    });


  exprt::operandst or_ops;

  for(const auto &class_name : children)

  {

    constant_exprt class_expr(class_name, string_typet());

    equal_exprt test(classid_field, class_expr);

    or_ops.push_back(test);

  }


  return disjunction(or_ops);

}


bool remove_instanceoft::lower_instanceof(

  const irep_idt &function_identifier,

  exprt &expr,

  goto_programt &goto_program,

  goto_programt::targett this_inst)

{

  if(expr.id()!=ID_java_instanceof)

  {

    bool changed = false;

    Forall_operands(it, expr)

      changed |=

        lower_instanceof(function_identifier, *it, goto_program, this_inst);

    return changed;

  }


  INVARIANT(

    expr.operands().size()==2,

    "java_instanceof should have two operands");


  const exprt &check_ptr = to_binary_expr(expr).op0();

  INVARIANT(

    check_ptr.type().id()==ID_pointer,

    "instanceof first operand should be a pointer");


  const exprt &target_arg = to_binary_expr(expr).op1();

  INVARIANT(

    target_arg.id()==ID_type,

    "instanceof second operand should be a type");


  INVARIANT(

    target_arg.type().id() == ID_struct_tag,

    "instanceof second operand should have a simple type");


  const auto &target_type = to_struct_tag_type(target_arg.type());


  const auto underlying_type_and_dimension =

    java_array_dimension_and_element_type(target_type);


  bool target_type_is_reference_array =

    underlying_type_and_dimension.second >= 1 &&

    can_cast_type<java_reference_typet>(underlying_type_and_dimension.first);


  // If we're casting to a reference array type, check

  //   @class_identifier == "java::array[reference]" &&

  //   @array_dimension == target_array_dimension &&

  //   @array_element_type (subtype of) target_array_element_type

  // Otherwise just check

  //   @class_identifier (subtype of) target_type


  // Exception: when the target type is Object, nothing needs checking; when

  // it is Object[], Object[][] etc, then we check that

  // @array_dimension >= target_array_dimension (because

  // String[][] (subtype of) Object[] for example) and don't check the element

  // type.


  // All tests are made directly against a pointer to the object whose type is

  // queried. By operating directly on a pointer rather than using a temporary

  // (x->@clsid == "A" rather than id = x->@clsid; id == "A") we enable symex's

  // value-set filtering to discard no-longer-viable candidates for "x" (in the

  // case where 'x' is a symbol, not a general expression like x->y->@clsid).

  // This means there are more clean dereference operations (ones where there

  // is no possibility of reading a null, invalid or incorrectly-typed object),

  // and less pessimistic aliasing assumptions possibly causing goto-symex to

  // explore in-fact-unreachable paths.


  // In all cases require the input pointer is not null for any cast to succeed:


  std::vector<exprt> test_conjuncts;

  test_conjuncts.push_back(notequal_exprt(

    check_ptr, null_pointer_exprt(to_pointer_type(check_ptr.type()))));


  auto jlo = to_struct_tag_type(java_lang_object_type().subtype());


  exprt object_class_identifier_field =

    get_class_identifier_field(check_ptr, jlo, ns);


  if(target_type_is_reference_array)

  {

    const auto &underlying_type = to_struct_tag_type(

      to_pointer_type(underlying_type_and_dimension.first).base_type());


    test_conjuncts.push_back(equal_exprt(

      object_class_identifier_field,

      constant_exprt(JAVA_REFERENCE_ARRAY_CLASSID, string_typet())));


    exprt object_array_dimension = get_array_dimension_field(check_ptr);

    constant_exprt target_array_dimension = from_integer(

      underlying_type_and_dimension.second, object_array_dimension.type());


    if(underlying_type == jlo)

    {

      test_conjuncts.push_back(binary_relation_exprt(

        object_array_dimension, ID_ge, target_array_dimension));

    }

    else

    {

      test_conjuncts.push_back(

        equal_exprt(object_array_dimension, target_array_dimension));

      test_conjuncts.push_back(subtype_expr(

        get_array_element_type_field(check_ptr),

        underlying_type.get_identifier(),

        class_hierarchy));

    }

  }

  else if(target_type != jlo)

  {

    test_conjuncts.push_back(subtype_expr(

      get_class_identifier_field(check_ptr, jlo, ns),

      target_type.get_identifier(),

      class_hierarchy));

  }


  expr = conjunction(test_conjuncts);


  return true;

}


static bool contains_instanceof(const exprt &e)

{

  if(e.id() == ID_java_instanceof)

    return true;


  for(const exprt &subexpr : e.operands())

  {

    if(contains_instanceof(subexpr))

      return true;

  }


  return false;

}


bool remove_instanceoft::lower_instanceof(

  const irep_idt &function_identifier,

  goto_programt &goto_program,

  goto_programt::targett target)

{

  bool changed;


  if(

    target->is_target() &&

    (contains_instanceof(target->code()) ||

     (target->has_condition() && contains_instanceof(target->condition()))))

  {

    // If this is a branch target, add a skip beforehand so we can splice new

    // GOTO programs before the target instruction without inserting into the

    // wrong basic block.

    goto_program.insert_before_swap(target);

    target->turn_into_skip();

    // Actually alter the now-moved instruction:

    ++target;

  }


  changed = lower_instanceof(

    function_identifier, target->code_nonconst(), goto_program, target);

  changed |=

    (target->has_condition() ? lower_instanceof(

                                 function_identifier,

                                 target->condition_nonconst(),

                                 goto_program,

                                 target)

                             : false);

  return changed;

}


bool remove_instanceoft::lower_instanceof(

  const irep_idt &function_identifier,

  goto_programt &goto_program)

{

  bool changed=false;

  for(goto_programt::instructionst::iterator target=

      goto_program.instructions.begin();

    target!=goto_program.instructions.end();

    ++target)

  {

    changed =

      lower_instanceof(function_identifier, goto_program, target) || changed;

  }

  if(!changed)

    return false;

  goto_program.update();

  return true;

}


void remove_instanceof(

  const irep_idt &function_identifier,

  goto_programt::targett target,

  goto_programt &goto_program,

  symbol_table_baset &symbol_table,

  const class_hierarchyt &class_hierarchy,

  message_handlert &message_handler)

{

  remove_instanceoft rem(symbol_table, class_hierarchy, message_handler);

  rem.lower_instanceof(function_identifier, goto_program, target);

}


void remove_instanceof(

  const irep_idt &function_identifier,

  goto_functionst::goto_functiont &function,

  symbol_table_baset &symbol_table,

  const class_hierarchyt &class_hierarchy,

  message_handlert &message_handler)

{

  remove_instanceoft rem(symbol_table, class_hierarchy, message_handler);

  rem.lower_instanceof(function_identifier, function.body);

}


void remove_instanceof(

  goto_functionst &goto_functions,

  symbol_table_baset &symbol_table,

  const class_hierarchyt &class_hierarchy,

  message_handlert &message_handler)

{

  remove_instanceoft rem(symbol_table, class_hierarchy, message_handler);

  bool changed=false;

  for(auto &f : goto_functions.function_map)

    changed = rem.lower_instanceof(f.first, f.second.body) || changed;

  if(changed)

    goto_functions.compute_location_numbers();

}


void remove_instanceof(

  goto_modelt &goto_model,

  const class_hierarchyt &class_hierarchy,

  message_handlert &message_handler)

{

  remove_instanceof(

    goto_model.goto_functions,

    goto_model.symbol_table,

    class_hierarchy,

    message_handler);

}


from_integer
constant_exprt from_integer(const mp_integer &int_value, const typet &type)
Definition arith_tools.cpp:99

arith_tools.h

class_hierarchy.h
Class Hierarchy.

get_class_identifier_field
exprt get_class_identifier_field(const exprt &this_expr_in, const struct_tag_typet &suggested_type, const namespacet &ns)
Definition class_identifier.cpp:57

class_identifier.h
Extract class identifier.

ait
ait supplies three of the four components needed: an abstract interpreter (in this case handling func...
Definition ai.h:562

binary_relation_exprt
A base class for relations, i.e., binary predicates whose two operands have the same type.
Definition std_expr.h:762

class_hierarchyt
Non-graph-based representation of the class hierarchy.
Definition class_hierarchy.h:41

class_hierarchyt::get_children_trans
idst get_children_trans(const irep_idt &id) const
Definition class_hierarchy.h:66

constant_exprt
A constant literal expression.
Definition std_expr.h:3118

dstringt
dstringt has one field, an unsigned integer no which is an index into a static table of strings.
Definition dstring.h:38

equal_exprt
Equality.
Definition std_expr.h:1366

exprt
Base class for all expressions.
Definition expr.h:56

exprt::operandst
std::vector< exprt > operandst
Definition expr.h:58

exprt::operands
operandst & operands()
Definition expr.h:94

goto_functionst
A collection of goto functions.
Definition goto_functions.h:25

goto_functionst::function_map
function_mapt function_map
Definition goto_functions.h:29

goto_functionst::goto_functiont
::goto_functiont goto_functiont
Definition goto_functions.h:27

goto_functionst::compute_location_numbers
void compute_location_numbers()
Definition goto_functions.cpp:21

goto_modelt
Definition goto_model.h:27

goto_modelt::symbol_table
symbol_tablet symbol_table
Symbol table.
Definition goto_model.h:31

goto_modelt::goto_functions
goto_functionst goto_functions
GOTO functions.
Definition goto_model.h:34

goto_programt
A generic container class for the GOTO intermediate representation of one function.
Definition goto_program.h:72

goto_programt::instructions
instructionst instructions
The list of instructions in the goto program.
Definition goto_program.h:621

goto_programt::update
void update()
Update all indices.
Definition goto_program.cpp:619

goto_programt::insert_before_swap
void insert_before_swap(targett target)
Insertion that preserves jumps to "target".
Definition goto_program.h:642

goto_programt::targett
instructionst::iterator targett
Definition goto_program.h:613

irept::id
const irep_idt & id() const
Definition irep.h:388

message_handlert
Definition message.h:27

namespacet
A namespacet is essentially one or two symbol tables bound together, to allow for symbol lookups in t...
Definition namespace.h:91

notequal_exprt
Disequality.
Definition std_expr.h:1425

null_pointer_exprt
The null pointer constant.
Definition pointer_expr.h:909

remove_instanceoft
Definition remove_instanceof.cpp:23

remove_instanceoft::lower_instanceof
bool lower_instanceof(const irep_idt &function_identifier, goto_programt &)
Replace every instanceof in the passed function body with an explicit class-identifier test.
Definition remove_instanceof.cpp:278

remove_instanceoft::message_handler
message_handlert & message_handler
Definition remove_instanceof.cpp:49

remove_instanceoft::remove_instanceoft
remove_instanceoft(symbol_table_baset &symbol_table, const class_hierarchyt &class_hierarchy, message_handlert &message_handler)
Definition remove_instanceof.cpp:25

remove_instanceoft::class_hierarchy
const class_hierarchyt & class_hierarchy
Definition remove_instanceof.cpp:47

remove_instanceoft::symbol_table
symbol_table_baset & symbol_table
Definition remove_instanceof.cpp:46

remove_instanceoft::ns
namespacet ns
Definition remove_instanceof.cpp:48

string_typet
String type.
Definition std_types.h:966

symbol_table_baset
The symbol table base class interface.
Definition symbol_table_base.h:23

Forall_operands
#define Forall_operands(it, expr)
Definition expr.h:27

goto_model.h
Symbol Table + CFG.

java_array_dimension_and_element_type
std::pair< typet, std::size_t > java_array_dimension_and_element_type(const struct_tag_typet &type)
Returns the underlying element type and array dimensionality of Java struct type.
Definition java_types.cpp:189

get_array_element_type_field
exprt get_array_element_type_field(const exprt &pointer)
Definition java_types.cpp:218

get_array_dimension_field
exprt get_array_dimension_field(const exprt &pointer)
Definition java_types.cpp:206

java_lang_object_type
java_reference_typet java_lang_object_type()
Definition java_types.cpp:98

java_types.h

JAVA_REFERENCE_ARRAY_CLASSID
#define JAVA_REFERENCE_ARRAY_CLASSID
Definition java_types.h:655

can_cast_type< java_reference_typet >
bool can_cast_type< java_reference_typet >(const typet &type)
Definition java_types.h:623

to_pointer_type
const pointer_typet & to_pointer_type(const typet &type)
Cast a typet to a pointer_typet.
Definition pointer_expr.h:93

subtype_expr
static exprt subtype_expr(const exprt &classid_field, const irep_idt &target_type, const class_hierarchyt &class_hierarchy)
Produce an expression of the form classid_field == "A" || classid_field == "B" || ....
Definition remove_instanceof.cpp:67

contains_instanceof
static bool contains_instanceof(const exprt &e)
Definition remove_instanceof.cpp:218

remove_instanceof
void remove_instanceof(const irep_idt &function_identifier, goto_programt::targett target, goto_programt &goto_program, symbol_table_baset &symbol_table, const class_hierarchyt &class_hierarchy, message_handlert &message_handler)
Replace an instanceof in the expression or guard of the passed instruction of the given function body...
Definition remove_instanceof.cpp:306

remove_instanceof.h
Remove Instance-of Operators.

INVARIANT
#define INVARIANT(CONDITION, REASON)
This macro uses the wrapper function 'invariant_violated_string'.
Definition invariant.h:423

disjunction
exprt disjunction(const exprt::operandst &op)
1) generates a disjunction for two or more operands 2) for one operand, returns the operand 3) return...
Definition std_expr.cpp:71

conjunction
exprt conjunction(exprt a, exprt b)
Conjunction of two expressions.
Definition std_expr.cpp:83

to_binary_expr
const binary_exprt & to_binary_expr(const exprt &expr)
Cast an exprt to a binary_exprt.
Definition std_expr.h:715

to_struct_tag_type
const struct_tag_typet & to_struct_tag_type(const typet &type)
Cast a typet to a struct_tag_typet.
Definition std_types.h:518