cbmc/symex__function__call_8cpp_source.html

/*******************************************************************\


Module: Symbolic Execution of ANSI-C


Author: Daniel Kroening, kroening@kroening.com


\*******************************************************************/


#include "goto_symex.h"


#include <util/arith_tools.h>

#include <util/byte_operators.h>

#include <util/c_types.h>

#include <util/exception_utils.h>

#include <util/fresh_symbol.h>

#include <util/invariant.h>

#include <util/range.h>

#include <util/std_code.h>


#include "expr_skeleton.h"

#include "path_storage.h"

#include "symex_assign.h"


bool goto_symext::get_unwind_recursion(const irep_idt &, unsigned, unsigned)

{

  return false;

}

bool goto_symext::get_unwind_recursion(const irep_idt &, unsigned, unsigned) {…}


void goto_symext::parameter_assignments(

  const irep_idt &function_identifier,

  const goto_functionst::goto_functiont &goto_function,

  statet &state,

  const exprt::operandst &arguments)

{

  // iterates over the arguments

  exprt::operandst::const_iterator it1=arguments.begin();


  // iterates over the types of the parameters

  for(const auto &identifier : goto_function.parameter_identifiers)

  {

    INVARIANT(

      !identifier.empty(), "function parameter must have an identifier");

    state.call_stack().top().parameter_names.push_back(identifier);


    const symbolt &symbol=ns.lookup(identifier);

    symbol_exprt lhs=symbol.symbol_expr();


    // this is the type that the n-th argument should have

    const typet &parameter_type = symbol.type;


    exprt rhs;


    // if you run out of actual arguments there was a mismatch

    if(it1==arguments.end())

    {

      log.warning() << state.source.pc->source_location().as_string()

                    << ": "

                       "call to '"

                    << id2string(function_identifier)

                    << "': "

                       "not enough arguments, inserting non-deterministic value"

                    << log.eom;


      rhs = side_effect_expr_nondett(

        parameter_type, state.source.pc->source_location());

    }

    else

      rhs=*it1;


    if(rhs.is_nil())

    {

      // 'nil' argument doesn't get assigned

    }

    else

    {

      // It should be the same exact type.

      if(parameter_type != rhs.type())

      {

        const typet &rhs_type = rhs.type();


        // But we are willing to do some limited conversion.

        // This is highly dubious, obviously.

        // clang-format off

        if(

          (parameter_type.id() == ID_signedbv ||

           parameter_type.id() == ID_unsignedbv ||

           parameter_type.id() == ID_c_enum_tag ||

           parameter_type.id() == ID_bool ||

           parameter_type.id() == ID_pointer ||

           parameter_type.id() == ID_union ||

           parameter_type.id() == ID_union_tag) &&

          (rhs_type.id() == ID_signedbv ||

           rhs_type.id() == ID_unsignedbv ||

           rhs_type.id() == ID_c_bit_field ||

           rhs_type.id() == ID_c_enum_tag ||

           rhs_type.id() == ID_bool ||

           rhs_type.id() == ID_pointer ||

           rhs_type.id() == ID_union ||

           rhs_type.id() == ID_union_tag))

        // clang-format on

        {

          rhs = make_byte_extract(

            rhs, from_integer(0, c_index_type()), parameter_type);

        }

        else

        {

          std::ostringstream error;

          error << state.source.pc->source_location().as_string() << ": "

                << "function call: parameter \"" << identifier

                << "\" type mismatch:\ngot " << rhs.type().pretty()

                << "\nexpected " << parameter_type.pretty();

          throw unsupported_operation_exceptiont(error.str());

        }

      }


      assignment_typet assignment_type;


      // We hide if we are in a hidden function.

      if(state.call_stack().top().hidden_function)

        assignment_type =

          symex_targett::assignment_typet::HIDDEN_ACTUAL_PARAMETER;

      else

        assignment_type =

          symex_targett::assignment_typet::VISIBLE_ACTUAL_PARAMETER;


      lhs = to_symbol_expr(clean_expr(std::move(lhs), state, true));

      rhs = clean_expr(std::move(rhs), state, false);


      exprt::operandst lhs_conditions;

      symex_assignt{

        shadow_memory, state, assignment_type, ns, symex_config, target}

        .assign_rec(lhs, expr_skeletont{}, rhs, lhs_conditions);

    }


    if(it1!=arguments.end())

      it1++;

  }


  if(to_code_type(ns.lookup(function_identifier).type).has_ellipsis())

  {

    // These are va_arg arguments; their types may differ from call to call

    for(; it1 != arguments.end(); it1++)

    {

      symbolt &va_arg = get_fresh_aux_symbol(

        it1->type(),

        id2string(function_identifier),

        "va_arg",

        state.source.pc->source_location(),

        ns.lookup(function_identifier).mode,

        state.symbol_table);

      va_arg.is_parameter = true;


      state.call_stack().top().parameter_names.push_back(va_arg.name);


      symex_assign(state, va_arg.symbol_expr(), *it1);

    }

  }

  else if(it1!=arguments.end())

  {

    // we got too many arguments, but we will just ignore them

  }

}

void goto_symext::parameter_assignments( {…}


void goto_symext::symex_function_call(

  const get_goto_functiont &get_goto_function,

  statet &state,

  const goto_programt::instructiont &instruction)

{

  const exprt &function = instruction.call_function();


  // If at some point symex_function_call can support more

  // expression ids(), like ID_Dereference, please expand the

  // precondition appropriately.

  PRECONDITION(function.id() == ID_symbol);


  symex_function_call_symbol(

    get_goto_function,

    state,

    instruction.call_lhs(),

    to_symbol_expr(instruction.call_function()),

    instruction.call_arguments());

}

void goto_symext::symex_function_call( {…}


void goto_symext::symex_function_call_symbol(

  const get_goto_functiont &get_goto_function,

  statet &state,

  const exprt &lhs,

  const symbol_exprt &function,

  const exprt::operandst &arguments)

{

  exprt cleaned_lhs;


  if(lhs.is_nil())

    cleaned_lhs = lhs;

  else

    cleaned_lhs = clean_expr(lhs, state, true);


  // no need to clean the function, which is a symbol only


  exprt::operandst cleaned_arguments;


  for(auto &argument : arguments)

    cleaned_arguments.push_back(clean_expr(argument, state, false));


  target.location(state.guard.as_expr(), state.source);


  PRECONDITION(function.id() == ID_symbol);

  const irep_idt &identifier = to_symbol_expr(function).get_identifier();


  if(identifier == CPROVER_PREFIX SHADOW_MEMORY_GET_FIELD)

  {

    shadow_memory.symex_get_field(state, cleaned_lhs, cleaned_arguments);

    symex_transition(state);

  }

  else if(identifier == CPROVER_PREFIX SHADOW_MEMORY_SET_FIELD)

  {

    shadow_memory.symex_set_field(state, cleaned_arguments);

    symex_transition(state);

  }

  else

  {

    symex_function_call_post_clean(

      get_goto_function, state, cleaned_lhs, function, cleaned_arguments);

  }

}

void goto_symext::symex_function_call_symbol( {…}


void goto_symext::symex_function_call_post_clean(

  const get_goto_functiont &get_goto_function,

  statet &state,

  const exprt &cleaned_lhs,

  const symbol_exprt &function,

  const exprt::operandst &cleaned_arguments)

{

  const irep_idt &identifier = function.get_identifier();


  const goto_functionst::goto_functiont &goto_function =

    get_goto_function(identifier);


  path_storage.dirty.populate_dirty_for_function(identifier, goto_function);


  auto emplace_safe_pointers_result =

    path_storage.safe_pointers.emplace(identifier, local_safe_pointerst{});

  if(emplace_safe_pointers_result.second)

    emplace_safe_pointers_result.first->second(goto_function.body);


  const bool stop_recursing = get_unwind_recursion(

    identifier,

    state.source.thread_nr,

    state.call_stack().top().loop_iterations[identifier].count);


  // see if it's too much

  if(stop_recursing)

  {

    if(symex_config.unwinding_assertions)

    {

      vcc(

        false_exprt(),

        id2string(identifier) + ".recursion",

        "recursion unwinding assertion",

        state);

    }

    if(!symex_config.partial_loops)

    {

      // Rule out this path:

      symex_assume_l2(state, false_exprt());

    }


    symex_transition(state);

    return;

  }


  // read the arguments -- before the locality renaming

  const std::vector<renamedt<exprt, L2>> renamed_arguments =

    make_range(cleaned_arguments).map([&](const exprt &a) {

      return state.rename(a, ns);

    });


  // we hide the call if the caller and callee are both hidden

  const bool hidden =

    state.call_stack().top().hidden_function && goto_function.is_hidden();


  // record the call

  target.function_call(

    state.guard.as_expr(), identifier, renamed_arguments, state.source, hidden);


  if(!goto_function.body_available())

  {

    // create a fatal assertion

    if(symex_config.unwinding_assertions)

    {

      const auto &symbol = ns.lookup(identifier);

      const std::string property_id =

        id2string(state.source.pc->source_location().get_function()) +

        ".no-body." + id2string(identifier);

      vcc(

        false_exprt(),

        property_id,

        "no body for callee " + id2string(symbol.display_name()),

        state);

    }


    // record the return

    target.function_return(

      state.guard.as_expr(), identifier, state.source, hidden);


    if(cleaned_lhs.is_not_nil())

    {

      const auto rhs = side_effect_expr_nondett(

        cleaned_lhs.type(), state.source.pc->source_location());

      symex_assign(state, cleaned_lhs, rhs);

    }


    symex_transition(state);

    return;

  }


  // produce a new frame

  PRECONDITION(!state.call_stack().empty());

  framet &frame = state.call_stack().new_frame(state.source, state.guard);


  // Only enable loop analysis when complexity is enabled.

  if(symex_config.complexity_limits_active)

  {

    // Analyzes loops if required.

    path_storage.add_function_loops(identifier, goto_function.body);

    frame.loops_info = path_storage.get_loop_analysis(identifier);

  }


  // preserve locality of local variables

  locality(identifier, state, goto_function);


  // assign actuals to formal parameters

  parameter_assignments(identifier, goto_function, state, cleaned_arguments);


  frame.call_lhs = cleaned_lhs;

  frame.end_of_function = --goto_function.body.instructions.end();

  frame.function_identifier=identifier;

  frame.hidden_function = goto_function.is_hidden();


  // set up the 'return value symbol' when needed

  if(frame.call_lhs.is_not_nil())

  {

    irep_idt return_value_symbol_identifier =

      "goto_symex::return_value::" + id2string(identifier);


    if(!state.symbol_table.has_symbol(return_value_symbol_identifier))

    {

      const symbolt &function_symbol = ns.lookup(identifier);

      auxiliary_symbolt

        new_symbol; // these are thread-local and have dynamic lifetime

      new_symbol.base_name = "return_value";

      new_symbol.name = return_value_symbol_identifier;

      new_symbol.type = to_code_type(function_symbol.type).return_type();

      new_symbol.mode = function_symbol.mode;

      state.symbol_table.add(new_symbol);

    }


    frame.return_value_symbol =

      ns.lookup(return_value_symbol_identifier).symbol_expr();

  }


  const framet &p_frame = state.call_stack().previous_frame();

  for(const auto &pair : p_frame.loop_iterations)

  {

    if(pair.second.is_recursion)

      frame.loop_iterations.insert(pair);

  }


  // increase unwinding counter

  frame.loop_iterations[identifier].is_recursion=true;

  frame.loop_iterations[identifier].count++;


  state.source.function_id = identifier;

  symex_transition(state, goto_function.body.instructions.begin(), false);

}

void goto_symext::symex_function_call_post_clean( {…}


static void pop_frame(

  goto_symext::statet &state,

  const path_storaget &path_storage,

  bool doing_path_exploration)

{

  PRECONDITION(!state.call_stack().empty());


  const framet &frame = state.call_stack().top();


  // restore program counter

  symex_transition(state, frame.calling_location.pc, false);

  state.source.function_id = frame.calling_location.function_id;


  // restore L1 renaming

  state.level1.restore_from(frame.old_level1);


  // If the program is multi-threaded then the state guard is used to

  // accumulate assumptions (in symex_assume_l2) and must be left alone.

  // If however it is single-threaded then we should restore the guard, as the

  // guard coming out of the function may be more complex (e.g. if the callee

  // was { if(x) while(true) { } } then the guard may still be `!x`),

  // but at this point all control-flow paths have either converged or been

  // proven unviable, so we can stop specifying the callee's constraints when

  // we generate an assumption or VCC.


  // If we're doing path exploration then we do tail-duplication, and we

  // actually *are* in a more-restricted context than we were when the

  // function began.

  if(state.threads.size() == 1 && !doing_path_exploration)

  {

    state.guard = frame.guard_at_function_start;

  }


  for(const irep_idt &l1_o_id : frame.local_objects)

  {

    const auto l2_entry_opt = state.get_level2().current_names.find(l1_o_id);


    if(

      l2_entry_opt.has_value() &&

      (state.threads.size() == 1 ||

       !path_storage.dirty(l2_entry_opt->get().first.get_object_name())))

    {

      state.drop_existing_l1_name(l1_o_id);

    }

  }


  state.call_stack().pop();

}

static void pop_frame( {…}


void goto_symext::symex_end_of_function(statet &state)

{

  PRECONDITION(!state.call_stack().empty());


  const bool hidden = state.call_stack().top().hidden_function;


  // first record the return

  target.function_return(

    state.guard.as_expr(), state.source.function_id, state.source, hidden);


  // before we drop the frame, remember the call LHS

  // and the return value symbol, if any

  auto call_lhs = state.call_stack().top().call_lhs;

  auto return_value_symbol = state.call_stack().top().return_value_symbol;


  // now get rid of the frame

  pop_frame(state, path_storage, symex_config.doing_path_exploration);


  // after dropping the frame, assign the return value, if any

  if(state.reachable && call_lhs.is_not_nil())

  {

    DATA_INVARIANT(

      return_value_symbol.has_value(),

      "must have return value symbol when assigning call lhs");

    // the type of the call lhs and the return type might not match

    auto casted_return_value = typecast_exprt::conditional_cast(

      return_value_symbol.value(), call_lhs.type());

    symex_assign(state, call_lhs, casted_return_value);

  }

}

void goto_symext::symex_end_of_function(statet &state) {…}


void goto_symext::locality(

  const irep_idt &function_identifier,

  goto_symext::statet &state,

  const goto_functionst::goto_functiont &goto_function)

{

  unsigned &frame_nr=

    state.threads[state.source.thread_nr].function_frame[function_identifier];

  frame_nr++;


  for(const auto &param : goto_function.parameter_identifiers)

  {

    const ssa_exprt &renamed_param = state.add_object(

      ns.lookup(param).symbol_expr(),

      [this, &frame_nr](const irep_idt &l0_name) {

        return path_storage.get_unique_l1_index(l0_name, frame_nr);

      },

      ns);


    // Allocate shadow memory for parameters.

    // They are like local variables.

    shadow_memory.symex_field_local_init(state, renamed_param);

  }

}

void goto_symext::locality( {…}

from_integer
constant_exprt from_integer(const mp_integer &int_value, const typet &type)
Definition arith_tools.cpp:99

arith_tools.h

make_byte_extract
byte_extract_exprt make_byte_extract(const exprt &_op, const exprt &_offset, const typet &_type)
Construct a byte_extract_exprt with endianness and byte width matching the current configuration.
Definition byte_operators.cpp:48

byte_operators.h
Expression classes for byte-level operators.

c_index_type
bitvector_typet c_index_type()
Definition c_types.cpp:16

c_types.h

ait
ait supplies three of the four components needed: an abstract interpreter (in this case handling func...
Definition ai.h:562

auxiliary_symbolt
Internally generated symbol table entryThis is a symbol generated as part of translation to or modifi...
Definition symbol.h:153

call_stackt::pop
void pop()
Definition call_stack.h:36

call_stackt::top
framet & top()
Definition call_stack.h:17

call_stackt::new_frame
framet & new_frame(symex_targett::sourcet calling_location, const guardt &guard)
Definition call_stack.h:30

call_stackt::previous_frame
const framet & previous_frame()
Definition call_stack.h:42

dstringt
dstringt has one field, an unsigned integer no which is an index into a static table of strings.
Definition dstring.h:38

expr_skeletont
Expression in which some part is missing and can be substituted for another expression.
Definition expr_skeleton.h:26

exprt
Base class for all expressions.
Definition expr.h:56

exprt::operandst
std::vector< exprt > operandst
Definition expr.h:58

exprt::type
typet & type()
Return the type of the expression.
Definition expr.h:84

false_exprt
The Boolean constant false.
Definition std_expr.h:3199

framet
Stack frames – these are used for function calls and for exceptions.
Definition solver_types.h:41

framet::guard_at_function_start
guardt guard_at_function_start
Definition frame.h:36

framet::return_value_symbol
std::optional< symbol_exprt > return_value_symbol
Definition frame.h:39

framet::call_lhs
exprt call_lhs
Definition frame.h:38

framet::calling_location
symex_targett::sourcet calling_location
Definition frame.h:34

framet::loop_iterations
std::unordered_map< irep_idt, loop_infot > loop_iterations
Definition frame.h:77

framet::hidden_function
bool hidden_function
Definition frame.h:40

framet::parameter_names
std::vector< irep_idt > parameter_names
Definition frame.h:35

framet::old_level1
symex_level1t old_level1
Definition frame.h:42

framet::end_of_function
goto_programt::const_targett end_of_function
Definition frame.h:37

framet::local_objects
std::set< irep_idt > local_objects
Definition frame.h:44

framet::function_identifier
irep_idt function_identifier
Definition frame.h:28

framet::loops_info
std::shared_ptr< lexical_loopst > loops_info
Definition frame.h:74

goto_functionst::goto_functiont
::goto_functiont goto_functiont
Definition goto_functions.h:27

goto_programt::instructiont
This class represents an instruction in the GOTO intermediate representation.
Definition goto_program.h:181

goto_programt::instructiont::call_lhs
const exprt & call_lhs() const
Get the lhs of a FUNCTION_CALL (may be nil)
Definition goto_program.h:286

goto_programt::instructiont::call_arguments
const exprt::operandst & call_arguments() const
Get the arguments of a FUNCTION_CALL.
Definition goto_program.h:300

goto_programt::instructiont::call_function
const exprt & call_function() const
Get the function that is called for FUNCTION_CALL.
Definition goto_program.h:272

goto_statet::guard
guardt guard
Definition goto_state.h:58

goto_statet::reachable
bool reachable
Is this code reachable? If not we can take shortcuts such as not entering function calls,...
Definition goto_state.h:62

goto_statet::get_level2
const symex_level2t & get_level2() const
Definition goto_state.h:45

goto_symex_statet
Central data structure: state.
Definition goto_symex_state.h:43

goto_symex_statet::add_object
ssa_exprt add_object(const symbol_exprt &expr, std::function< std::size_t(const irep_idt &)> index_generator, const namespacet &ns)
Instantiate the object expr.
Definition goto_symex_state.cpp:823

goto_symex_statet::call_stack
call_stackt & call_stack()
Definition goto_symex_state.h:147

goto_symex_statet::level1
symex_level1t level1
Definition goto_symex_state.h:73

goto_symex_statet::rename
renamedt< exprt, level > rename(exprt expr, const namespacet &ns)
Rewrites symbol expressions in exprt, applying a suffix to each symbol reflecting its most recent ver...
Definition goto_symex_state.cpp:171

goto_symex_statet::symbol_table
symbol_tablet symbol_table
contains symbols that are minted during symbolic execution, such as dynamically created objects etc.
Definition goto_symex_state.h:67

goto_symex_statet::source
symex_targett::sourcet source
Definition goto_symex_state.h:62

goto_symex_statet::threads
std::vector< threadt > threads
Definition goto_symex_state.h:199

goto_symex_statet::drop_existing_l1_name
void drop_existing_l1_name(const irep_idt &l1_identifier)
Drops an L1 name from the local L2 map.
Definition goto_symex_state.h:233

goto_symext::symex_function_call_symbol
virtual void symex_function_call_symbol(const get_goto_functiont &get_goto_function, statet &state, const exprt &lhs, const symbol_exprt &function, const exprt::operandst &arguments)
Symbolic execution of a call to a function call.
Definition symex_function_call.cpp:187

goto_symext::get_goto_function
static get_goto_functiont get_goto_function(abstract_goto_modelt &goto_model)
Return a function to get/load a goto function from the given goto model Create a default delegate to ...
Definition symex_main.cpp:492

goto_symext::path_storage
path_storaget & path_storage
Symbolic execution paths to be resumed later.
Definition goto_symex.h:810

goto_symext::target
symex_target_equationt & target
The equation that this execution is building up.
Definition goto_symex.h:266

goto_symext::get_unwind_recursion
virtual bool get_unwind_recursion(const irep_idt &identifier, unsigned thread_nr, unsigned unwind)
Definition symex_function_call.cpp:27

goto_symext::clean_expr
exprt clean_expr(exprt expr, statet &state, bool write)
Clean up an expression.
Definition symex_clean_expr.cpp:236

goto_symext::shadow_memory
shadow_memoryt shadow_memory
Shadow memory instrumentation API.
Definition goto_symex.h:839

goto_symext::parameter_assignments
void parameter_assignments(const irep_idt &function_identifier, const goto_functionst::goto_functiont &goto_function, statet &state, const exprt::operandst &arguments)
Iterates over arguments and assigns them to the parameters, which are symbols whose name and type are...
Definition symex_function_call.cpp:32

goto_symext::ns
namespacet ns
Initialized just before symbolic execution begins, to point to both outer_symbol_table and the symbol...
Definition goto_symex.h:258

goto_symext::vcc
virtual void vcc(const exprt &cond, const irep_idt &property_id, const std::string &msg, statet &state)
Symbolically execute a verification condition (assertion).
Definition symex_main.cpp:180

goto_symext::symex_end_of_function
virtual void symex_end_of_function(statet &)
Symbolically execute a END_FUNCTION instruction.
Definition symex_function_call.cpp:431

goto_symext::symex_assign
void symex_assign(statet &state, const exprt &lhs, const exprt &rhs)
Symbolically execute an ASSIGN instruction or simulate such an execution for a synthetic assignment.
Definition goto_symex.cpp:38

goto_symext::get_goto_functiont
std::function< const goto_functionst::goto_functiont &(const irep_idt &)> get_goto_functiont
The type of delegate functions that retrieve a goto_functiont for a particular function identifier.
Definition goto_symex.h:93

goto_symext::symex_function_call_post_clean
virtual void symex_function_call_post_clean(const get_goto_functiont &get_goto_function, statet &state, const exprt &cleaned_lhs, const symbol_exprt &function, const exprt::operandst &cleaned_arguments)
Symbolic execution of a function call by inlining.
Definition symex_function_call.cpp:230

goto_symext::log
messaget log
The messaget to write log messages to.
Definition goto_symex.h:278

goto_symext::symex_config
const symex_configt symex_config
The configuration to use for this symbolic execution.
Definition goto_symex.h:185

goto_symext::symex_assume_l2
void symex_assume_l2(statet &, const exprt &cond)
Definition symex_main.cpp:219

goto_symext::locality
virtual void locality(const irep_idt &function_identifier, goto_symext::statet &state, const goto_functionst::goto_functiont &goto_function)
Preserves locality of parameters of a given function by applying L1 renaming to them.
Definition symex_function_call.cpp:462

goto_symext::symex_function_call
virtual void symex_function_call(const get_goto_functiont &get_goto_function, statet &state, const goto_programt::instructiont &instruction)
Symbolically execute a FUNCTION_CALL instruction.
Definition symex_function_call.cpp:167

guard_exprt::as_expr
exprt as_expr() const
Definition guard_expr.h:46

incremental_dirtyt::populate_dirty_for_function
void populate_dirty_for_function(const irep_idt &id, const goto_functionst::goto_functiont &function)
Analyse the given function with dirtyt if it hasn't been seen before.
Definition dirty.cpp:112

irept::pretty
std::string pretty(unsigned indent=0, unsigned max_indent=0) const
Definition irep.cpp:482

irept::is_not_nil
bool is_not_nil() const
Definition irep.h:372

irept::id
const irep_idt & id() const
Definition irep.h:388

irept::is_nil
bool is_nil() const
Definition irep.h:368

local_safe_pointerst
A very simple, cheap analysis to determine when dereference operations are trivially guarded by a che...
Definition local_safe_pointers.h:28

messaget::warning
mstreamt & warning() const
Definition message.h:396

messaget::eom
static eomt eom
Definition message.h:289

namespacet::lookup
bool lookup(const irep_idt &name, const symbolt *&symbol) const override
See documentation for namespace_baset::lookup().
Definition namespace.cpp:134

path_storaget
Storage for symbolic execution paths to be resumed later.
Definition path_storage.h:38

path_storaget::dirty
incremental_dirtyt dirty
Local variables are considered 'dirty' if they've had an address taken and therefore may be referred ...
Definition path_storage.h:116

path_storaget::get_unique_l1_index
std::size_t get_unique_l1_index(const irep_idt &id, std::size_t minimum_index)
Provide a unique L1 index for a given id, starting from minimum_index.
Definition path_storage.h:104

path_storaget::get_loop_analysis
std::shared_ptr< lexical_loopst > get_loop_analysis(const irep_idt &function_id)
Definition path_storage.h:131

path_storaget::safe_pointers
std::unordered_map< irep_idt, local_safe_pointerst > safe_pointers
Map function identifiers to local_safe_pointerst instances.
Definition path_storage.h:100

path_storaget::add_function_loops
void add_function_loops(const irep_idt &identifier, const goto_programt &body)
Generates a loop analysis for the instructions in goto_programt and keys it against function ID.
Definition path_storage.h:120

shadow_memoryt::symex_get_field
void symex_get_field(goto_symex_statet &state, const exprt &lhs, const exprt::operandst &arguments)
Symbolically executes a __CPROVER_get_field call.
Definition shadow_memory.cpp:194

shadow_memoryt::symex_field_local_init
void symex_field_local_init(goto_symex_statet &state, const ssa_exprt &expr)
Initialize local-scope shadow memory for local variables and parameters.
Definition shadow_memory.cpp:406

shadow_memoryt::symex_set_field
void symex_set_field(goto_symex_statet &state, const exprt::operandst &arguments)
Symbolically executes a __CPROVER_set_field call.
Definition shadow_memory.cpp:91

side_effect_expr_nondett
A side_effect_exprt that returns a non-deterministically chosen value.
Definition std_code.h:1520

ssa_exprt
Expression providing an SSA-renamed symbol of expressions.
Definition ssa_expr.h:17

symbol_exprt
Expression to hold a symbol (variable)
Definition std_expr.h:131

symbol_exprt::get_identifier
const irep_idt & get_identifier() const
Definition std_expr.h:160

symbol_table_baset::has_symbol
bool has_symbol(const irep_idt &name) const
Check whether a symbol exists in the symbol table.
Definition symbol_table_base.h:88

symbol_table_baset::add
bool add(const symbolt &symbol)
Add a new symbol to the symbol table.
Definition symbol_table_base.cpp:18

symbolt
Symbol table entry.
Definition symbol.h:28

symbolt::symbol_expr
class symbol_exprt symbol_expr() const
Produces a symbol_exprt for a symbol.
Definition symbol.cpp:121

symbolt::type
typet type
Type of symbol.
Definition symbol.h:31

symbolt::name
irep_idt name
The unique identifier.
Definition symbol.h:40

symbolt::base_name
irep_idt irep_idt base_name
Name of module the symbol belongs to.
Definition symbol.h:46

symbolt::mode
irep_idt mode
Language mode.
Definition symbol.h:49

symex_assignt
Functor for symex assignment.
Definition symex_assign.h:28

symex_target_equationt::function_return
virtual void function_return(const exprt &guard, const irep_idt &function_id, const sourcet &source, bool hidden)
Record return from a function.
Definition symex_target_equation.cpp:200

symex_target_equationt::location
virtual void location(const exprt &guard, const sourcet &source)
Record a location.
Definition symex_target_equation.cpp:169

symex_target_equationt::function_call
virtual void function_call(const exprt &guard, const irep_idt &function_id, const std::vector< renamedt< exprt, L2 > > &ssa_function_arguments, const sourcet &source, bool hidden)
Record a function call.
Definition symex_target_equation.cpp:181

symex_targett::assignment_typet
assignment_typet
Definition symex_target.h:69

symex_targett::assignment_typet::VISIBLE_ACTUAL_PARAMETER
@ VISIBLE_ACTUAL_PARAMETER

symex_targett::assignment_typet::HIDDEN_ACTUAL_PARAMETER
@ HIDDEN_ACTUAL_PARAMETER

typecast_exprt::conditional_cast
static exprt conditional_cast(const exprt &expr, const typet &type)
Definition std_expr.h:2081

typet
The type of an expression, extends irept.
Definition type.h:29

unsupported_operation_exceptiont
Thrown when we encounter an instruction, parameters to an instruction etc.
Definition exception_utils.h:145

CPROVER_PREFIX
#define CPROVER_PREFIX
Definition cprover_prefix.h:14

exception_utils.h

expr_skeleton.h
Expression skeleton.

get_fresh_aux_symbol
symbolt & get_fresh_aux_symbol(const typet &type, const std::string &name_prefix, const std::string &basename_prefix, const source_locationt &source_location, const irep_idt &symbol_mode, const namespacet &ns, symbol_table_baset &symbol_table)
Installs a fresh-named symbol with respect to the given namespace ns with the requested name pattern ...
Definition fresh_symbol.cpp:32

fresh_symbol.h
Fresh auxiliary symbol creation.

goto_symex.h
Symbolic Execution.

symex_transition
void symex_transition(goto_symext::statet &state)
Transition to the next instruction, which increments the internal program counter and initializes the...
Definition symex_main.cpp:144

id2string
const std::string & id2string(const irep_idt &d)
Definition irep.h:44

path_storage.h
Storage of symbolic execution paths to resume.

range.h
Ranges: pair of begin and end iterators, which can be initialized from containers,...

make_range
ranget< iteratort > make_range(iteratort begin, iteratort end)
Definition range.h:522

return_value_symbol
symbol_exprt return_value_symbol(const irep_idt &identifier, const namespacet &ns)
produces the symbol that is used to store the return value of the function with the given identifier
Definition remove_returns.cpp:413

SHADOW_MEMORY_SET_FIELD
#define SHADOW_MEMORY_SET_FIELD
Definition shadow_memory.h:25

SHADOW_MEMORY_GET_FIELD
#define SHADOW_MEMORY_GET_FIELD
Definition shadow_memory.h:24

invariant.h

DATA_INVARIANT
#define DATA_INVARIANT(CONDITION, REASON)
This condition should be used to document that assumptions that are made on goto_functions,...
Definition invariant.h:534

PRECONDITION
#define PRECONDITION(CONDITION)
Definition invariant.h:463

INVARIANT
#define INVARIANT(CONDITION, REASON)
This macro uses the wrapper function 'invariant_violated_string'.
Definition invariant.h:423

std_code.h

to_symbol_expr
const symbol_exprt & to_symbol_expr(const exprt &expr)
Cast an exprt to a symbol_exprt.
Definition std_expr.h:272

to_code_type
const code_typet & to_code_type(const typet &type)
Cast a typet to a code_typet.
Definition std_types.h:788

symex_level1t::restore_from
void restore_from(const symex_level1t &other)
Insert the content of other into this renaming.
Definition renaming_level.cpp:110

symex_targett::sourcet::thread_nr
unsigned thread_nr
Definition symex_target.h:38

symex_targett::sourcet::pc
goto_programt::const_targett pc
Definition symex_target.h:42

symex_targett::sourcet::function_id
irep_idt function_id
Definition symex_target.h:39

symex_assign.h
Symbolic Execution of assignments.

pop_frame
static void pop_frame(goto_symext::statet &state, const path_storaget &path_storage, bool doing_path_exploration)
pop one call frame
Definition symex_function_call.cpp:381