cbmc/symex__bmc_8cpp_source.html

 /*******************************************************************\


 Module: Bounded Model Checking for ANSI-C


 Author: Daniel Kroening, kroening@kroening.com


 \*******************************************************************/


 #include "symex_bmc.h"


 #include <limits>


 #include <util/simplify_expr.h>

 #include <util/source_location.h>


 #include <goto-instrument/unwindset.h>


 symex_bmct::symex_bmct(

   message_handlert &mh,

   const symbol_tablet &outer_symbol_table,

   symex_target_equationt &_target,

   const optionst &options,

   path_storaget &path_storage,

   guard_managert &guard_manager,

   unwindsett &unwindset)

   : goto_symext(

       mh,

       outer_symbol_table,

       _target,

       options,

       path_storage,

       guard_manager),

     record_coverage(!options.get_option("symex-coverage-report").empty()),

     unwindset(unwindset),

     symex_coverage(ns)

 {

 }


 void symex_bmct::symex_step(

   const get_goto_functiont &get_goto_function,

   statet &state)

 {

   const source_locationt &source_location = state.source.pc->source_location();


   if(!source_location.is_nil() && last_source_location != source_location)

   {

     log.debug() << "BMC at " << source_location.as_string() << " (depth "

                 << state.depth << ')' << log.eom;


     last_source_location = source_location;

   }


   const goto_programt::const_targett cur_pc = state.source.pc;

   const guardt cur_guard = state.guard;


   if(

     !state.guard.is_false() && state.source.pc->is_assume() &&

     simplify_expr(state.source.pc->condition(), ns).is_false())

   {

     log.statistics() << "aborting path on assume(false) at "

                      << state.source.pc->source_location() << " thread "

                      << state.source.thread_nr;


     const irep_idt &c = state.source.pc->source_location().get_comment();

     if(!c.empty())

       log.statistics() << ": " << c;


     log.statistics() << log.eom;

   }


   goto_symext::symex_step(get_goto_function, state);


   if(

     record_coverage &&

     // avoid an invalid iterator in state.source.pc

     (!cur_pc->is_end_function() ||

      state.source.function_id != goto_functionst::entry_point()))

   {

     // forward goto will effectively be covered via phi function,

     // which does not invoke symex_step; as symex_step is called

     // before merge_gotos, also state.guard will be false (we have

     // taken an impossible transition); thus we synthesize a

     // transition from the goto instruction to its target to make

     // sure the goto is considered covered

     if(

       cur_pc->is_goto() && cur_pc->get_target() != state.source.pc &&

       cur_pc->condition().is_true())

       symex_coverage.covered(cur_pc, cur_pc->get_target());

     else if(!state.guard.is_false())

       symex_coverage.covered(cur_pc, state.source.pc);

   }

 }


 void symex_bmct::merge_goto(

   const symex_targett::sourcet &prev_source,

   goto_statet &&goto_state,

   statet &state)

 {

   const goto_programt::const_targett prev_pc = prev_source.pc;

   const guardt prev_guard = goto_state.guard;


   goto_symext::merge_goto(prev_source, std::move(goto_state), state);


   PRECONDITION(prev_pc->is_goto());

   if(

     record_coverage &&

     // could the branch possibly be taken?

     !prev_guard.is_false() && !state.guard.is_false() &&

     // branches only, no single-successor goto

     !prev_pc->condition().is_true())

     symex_coverage.covered(prev_pc, state.source.pc);

 }


 bool symex_bmct::should_stop_unwind(

   const symex_targett::sourcet &source,

   const call_stackt &context,

   unsigned unwind)

 {

   const irep_idt id = goto_programt::loop_id(source.function_id, *source.pc);


   tvt abort_unwind_decision;

   unsigned this_loop_limit = std::numeric_limits<unsigned>::max();


   for(auto handler : loop_unwind_handlers)

   {

     abort_unwind_decision =

       handler(context, source.pc->loop_number, unwind, this_loop_limit);

     if(abort_unwind_decision.is_known())

       break;

   }


   // If no handler gave an opinion, use standard command-line --unwindset

   // / --unwind options to decide:

   if(abort_unwind_decision.is_unknown())

   {

     auto limit = unwindset.get_limit(id, source.thread_nr);


     if(!limit.has_value())

       abort_unwind_decision = tvt(false);

     else

       abort_unwind_decision = tvt(unwind >= *limit);

   }


   INVARIANT(

     abort_unwind_decision.is_known(), "unwind decision should be taken by now");

   bool abort = abort_unwind_decision.is_true();


   log.statistics() << (abort ? "Not unwinding" : "Unwinding") << " loop " << id

                    << " iteration " << unwind;


   if(this_loop_limit != std::numeric_limits<unsigned>::max())

     log.statistics() << " (" << this_loop_limit << " max)";


   log.statistics() << " " << source.pc->source_location() << " thread "

                    << source.thread_nr << log.eom;


   return abort;

 }


 bool symex_bmct::get_unwind_recursion(

   const irep_idt &id,

   unsigned thread_nr,

   unsigned unwind)

 {

   tvt abort_unwind_decision;

   unsigned this_loop_limit = std::numeric_limits<unsigned>::max();


   for(auto handler : recursion_unwind_handlers)

   {

     abort_unwind_decision = handler(id, unwind, this_loop_limit);

     if(abort_unwind_decision.is_known())

       break;

   }


   // If no handler gave an opinion, use standard command-line --unwindset

   // / --unwind options to decide:

   if(abort_unwind_decision.is_unknown())

   {

     auto limit = unwindset.get_limit(id, thread_nr);


     if(!limit.has_value())

       abort_unwind_decision = tvt(false);

     else

       abort_unwind_decision = tvt(unwind > *limit);

   }


   INVARIANT(

     abort_unwind_decision.is_known(), "unwind decision should be taken by now");

   bool abort = abort_unwind_decision.is_true();


   if(unwind > 0 || abort)

   {

     const symbolt &symbol = ns.lookup(id);


     log.statistics() << (abort ? "Not unwinding" : "Unwinding") << " recursion "

                      << symbol.display_name() << " iteration " << unwind;


     if(this_loop_limit != std::numeric_limits<unsigned>::max())

       log.statistics() << " (" << this_loop_limit << " max)";


     log.statistics() << log.eom;

   }


   return abort;

 }

call_stackt
Definition: call_stack.h:15

dstringt
dstringt has one field, an unsigned integer no which is an index into a static table of strings.
Definition: dstring.h:38

dstringt::empty
bool empty() const
Definition: dstring.h:89

exprt::is_false
bool is_false() const
Return whether the expression is a constant representing false.
Definition: expr.cpp:34

goto_functionst::entry_point
static irep_idt entry_point()
Get the identifier of the entry point to a goto model.
Definition: goto_functions.h:97

goto_programt::loop_id
static irep_idt loop_id(const irep_idt &function_id, const instructiont &instruction)
Human-readable loop name.
Definition: goto_program.h:792

goto_programt::const_targett
instructionst::const_iterator const_targett
Definition: goto_program.h:615

goto_statet
Container for data that varies per program point, e.g.
Definition: goto_state.h:32

goto_statet::guard
guardt guard
Definition: goto_state.h:58

goto_statet::depth
unsigned depth
Distance from entry.
Definition: goto_state.h:35

goto_symex_statet
Central data structure: state.
Definition: goto_symex_state.h:43

goto_symex_statet::source
symex_targett::sourcet source
Definition: goto_symex_state.h:62

goto_symext
The main class for the forward symbolic simulator.
Definition: goto_symex.h:37

goto_symext::get_goto_function
static get_goto_functiont get_goto_function(abstract_goto_modelt &goto_model)
Return a function to get/load a goto function from the given goto model Create a default delegate to ...
Definition: symex_main.cpp:492

goto_symext::symex_step
virtual void symex_step(const get_goto_functiont &get_goto_function, statet &state)
Called for each step in the symbolic execution This calls print_symex_step to print symex's current i...
Definition: symex_main.cpp:591

goto_symext::ns
namespacet ns
Initialized just before symbolic execution begins, to point to both outer_symbol_table and the symbol...
Definition: goto_symex.h:258

goto_symext::merge_goto
virtual void merge_goto(const symex_targett::sourcet &source, goto_statet &&goto_state, statet &state)
Merge a single branch, the symbolic state of which is held in goto_state, into the current overall sy...
Definition: symex_goto.cpp:678

goto_symext::get_goto_functiont
std::function< const goto_functionst::goto_functiont &(const irep_idt &)> get_goto_functiont
The type of delegate functions that retrieve a goto_functiont for a particular function identifier.
Definition: goto_symex.h:93

goto_symext::log
messaget log
The messaget to write log messages to.
Definition: goto_symex.h:278

guard_exprt
Definition: guard_expr.h:24

guard_exprt::is_false
bool is_false() const
Definition: guard_expr.h:65

irept::is_nil
bool is_nil() const
Definition: irep.h:368

message_handlert
Definition: message.h:27

messaget::statistics
mstreamt & statistics() const
Definition: message.h:411

messaget::debug
mstreamt & debug() const
Definition: message.h:421

messaget::eom
static eomt eom
Definition: message.h:289

namespacet::lookup
bool lookup(const irep_idt &name, const symbolt *&symbol) const override
See documentation for namespace_baset::lookup().
Definition: namespace.cpp:148

optionst
Definition: options.h:23

path_storaget
Storage for symbolic execution paths to be resumed later.
Definition: path_storage.h:38

source_locationt
Definition: source_location.h:20

source_locationt::as_string
std::string as_string() const
Definition: source_location.h:26

symbol_tablet
The symbol table.
Definition: symbol_table.h:14

symbolt
Symbol table entry.
Definition: symbol.h:28

symbolt::display_name
const irep_idt & display_name() const
Return language specific display name if present.
Definition: symbol.h:55

symex_bmct::symex_coverage
symex_coveraget symex_coverage
Definition: symex_bmc.h:112

symex_bmct::get_unwind_recursion
bool get_unwind_recursion(const irep_idt &identifier, unsigned thread_nr, unsigned unwind) override
Definition: symex_bmc.cpp:164

symex_bmct::loop_unwind_handlers
std::vector< loop_unwind_handlert > loop_unwind_handlers
Callbacks that may provide an unwind/do-not-unwind decision for a loop.
Definition: symex_bmc.h:88

symex_bmct::unwindset
unwindsett & unwindset
Definition: symex_bmc.h:84

symex_bmct::merge_goto
void merge_goto(const symex_targett::sourcet &source, goto_statet &&goto_state, statet &state) override
Merge a single branch, the symbolic state of which is held in goto_state, into the current overall sy...
Definition: symex_bmc.cpp:98

symex_bmct::last_source_location
source_locationt last_source_location
Definition: symex_bmc.h:36

symex_bmct::recursion_unwind_handlers
std::vector< recursion_unwind_handlert > recursion_unwind_handlers
Callbacks that may provide an unwind/do-not-unwind decision for a recursive call.
Definition: symex_bmc.h:92

symex_bmct::symex_bmct
symex_bmct(message_handlert &mh, const symbol_tablet &outer_symbol_table, symex_target_equationt &_target, const optionst &options, path_storaget &path_storage, guard_managert &guard_manager, unwindsett &unwindset)
Definition: symex_bmc.cpp:21

symex_bmct::symex_step
void symex_step(const get_goto_functiont &get_goto_function, statet &state) override
show progress
Definition: symex_bmc.cpp:43

symex_bmct::should_stop_unwind
bool should_stop_unwind(const symex_targett::sourcet &source, const call_stackt &context, unsigned unwind) override
Determine whether to unwind a loop.
Definition: symex_bmc.cpp:118

symex_bmct::record_coverage
const bool record_coverage
Definition: symex_bmc.h:82

symex_coveraget::covered
void covered(goto_programt::const_targett from, goto_programt::const_targett to)
Definition: symex_coverage.h:36

symex_target_equationt
Inheriting the interface of symex_targett this class represents the SSA form of the input program as ...
Definition: symex_target_equation.h:34

tvt
Definition: threeval.h:20

tvt::is_known
bool is_known() const
Definition: threeval.h:28

tvt::is_unknown
bool is_unknown() const
Definition: threeval.h:27

tvt::is_true
bool is_true() const
Definition: threeval.h:25

unwindsett
Definition: unwindset.h:26

unwindsett::get_limit
std::optional< unsigned > get_limit(const irep_idt &loop, unsigned thread_id) const
Definition: unwindset.cpp:191

simplify_expr
exprt simplify_expr(exprt src, const namespacet &ns)
Definition: simplify_expr.cpp:3243

simplify_expr.h

source_location.h

PRECONDITION
#define PRECONDITION(CONDITION)
Definition: invariant.h:463

abort
void abort(void)
Definition: stdlib.c:128

guard_expr_managert
This is unused by this implementation of guards, but can be used by other implementations of the same...
Definition: guard_expr.h:20

symex_targett::sourcet
Identifies source in the context of symbolic execution.
Definition: symex_target.h:37

symex_targett::sourcet::thread_nr
unsigned thread_nr
Definition: symex_target.h:38

symex_targett::sourcet::pc
goto_programt::const_targett pc
Definition: symex_target.h:42

symex_targett::sourcet::function_id
irep_idt function_id
Definition: symex_target.h:39

symex_bmc.h
Bounded Model Checking for ANSI-C.

unwindset.h
Loop unwinding.

validation_modet::INVARIANT
@ INVARIANT