static int LuaOnSignal(lua_State *pState, CYDWEEventData &eventData, bool ignore_error, luabind::object const& func)
{
lua_stack_guard tmp_guard(pState);
TranslateEventDataToLuaTable(pState, eventData);
luabind::object event_data(luabind::from_stack(pState, -1));
if (ignore_error)
{
try {
return luabind::call_function<int>(func, event_data);
}
catch (...) {
}
}
else
{
try {
return luabind::call_function<int>(func, event_data);
}
catch (luabind::error const& e) {
LOGGING_ERROR(lg) << "exception: \"" << e.what() << "\" " << lua_tostring(e.state(), -1);
}
catch (std::exception const& e) {
LOGGING_ERROR(lg) << "exception: \"" << e.what() << "\"";
}
catch (...) {
LOGGING_ERROR(lg) << "unknown exception";
}
}
return -1;
}
bool value_set_dereferencet::memory_model_conversion(
exprt &value,
const typet &to_type,
const guardt &guard,
const exprt &offset)
{
// only doing type conversion
// just do the typecast
value.make_typecast(to_type);
// also assert that offset is zero
if(options.get_bool_option("pointer-check"))
{
equal_exprt offset_not_zero(offset, from_integer(0, offset.type()));
offset_not_zero.make_not();
guardt tmp_guard(guard);
tmp_guard.add(offset_not_zero);
dereference_callback.dereference_failure(
"word bounds",
"offset not zero", tmp_guard);
}
return true;
}
void value_set_dereferencet::invalid_pointer(
const exprt &pointer,
const guardt &guard)
{
if(!options.get_bool_option("pointer-check"))
return;
// constraint that it actually is an invalid pointer
guardt tmp_guard(guard);
tmp_guard.add(::invalid_pointer(pointer));
dereference_callback.dereference_failure(
"pointer dereference",
"invalid pointer",
tmp_guard);
}
bool value_set_dereferencet::memory_model_bytes(
exprt &value,
const typet &to_type,
const guardt &guard,
const exprt &offset)
{
const typet from_type=value.type();
// We simply refuse to convert to/from code.
if(from_type.id()==ID_code || to_type.id()==ID_code)
return false;
// We won't do this without a commitment to an endianness.
if(config.ansi_c.endianness==configt::ansi_ct::endiannesst::NO_ENDIANNESS)
return false;
// But everything else we will try!
// We just rely on byte_extract to do the job!
exprt result;
// See if we have an array of bytes already,
// and we want something byte-sized.
if(ns.follow(from_type).id()==ID_array &&
pointer_offset_size(ns.follow(from_type).subtype(), ns)==1 &&
pointer_offset_size(to_type, ns)==1 &&
is_a_bv_type(ns.follow(from_type).subtype()) &&
is_a_bv_type(to_type))
{
// yes, can use 'index'
result=index_exprt(value, offset, ns.follow(from_type).subtype());
// possibly need to convert
if(!base_type_eq(result.type(), to_type, ns))
result.make_typecast(to_type);
}
else
{
// no, use 'byte_extract'
result=exprt(byte_extract_id(), to_type);
result.copy_to_operands(value, offset);
}
value=result;
// are we within the bounds?
if(options.get_bool_option("pointer-check"))
{
// upper bound
{
exprt from_width=size_of_expr(from_type, ns);
INVARIANT(
from_width.is_not_nil(),
"unknown or invalid type size:\n"+from_type.pretty());
exprt to_width=
to_type.id()==ID_empty?
from_integer(0, size_type()):size_of_expr(to_type, ns);
INVARIANT(
to_width.is_not_nil(),
"unknown or invalid type size:\n"+to_type.pretty());
INVARIANT(
from_width.type()==to_width.type(),
"type mismatch on result of size_of_expr");
minus_exprt bound(from_width, to_width);
if(bound.type()!=offset.type())
bound.make_typecast(offset.type());
binary_relation_exprt
offset_upper_bound(offset, ID_gt, bound);
guardt tmp_guard(guard);
tmp_guard.add(offset_upper_bound);
dereference_callback.dereference_failure(
"pointer dereference",
"object upper bound", tmp_guard);
}
// lower bound is easy
if(!offset.is_zero())
{
binary_relation_exprt
offset_lower_bound(
offset, ID_lt, from_integer(0, offset.type()));
guardt tmp_guard(guard);
tmp_guard.add(offset_lower_bound);
dereference_callback.dereference_failure(
"pointer dereference",
"object lower bound", tmp_guard);
}
}
return true;
}
void value_set_dereferencet::bounds_check(
const index_exprt &expr,
const guardt &guard)
{
if(!options.get_bool_option("pointer-check"))
return;
if(!options.get_bool_option("bounds-check"))
return;
const typet &array_type=ns.follow(expr.op0().type());
if(array_type.id()!=ID_array)
throw "bounds check expected array type";
std::string name=array_name(ns, expr.array());
{
mp_integer i;
if(!to_integer(expr.index(), i) &&
i>=0)
{
}
else
{
exprt zero=from_integer(0, expr.index().type());
if(zero.is_nil())
throw "no zero constant of index type "+
expr.index().type().pretty();
binary_relation_exprt
inequality(expr.index(), ID_lt, zero);
guardt tmp_guard(guard);
tmp_guard.add(inequality);
dereference_callback.dereference_failure(
"array bounds",
name+" lower bound", tmp_guard);
}
}
const exprt &size_expr=
to_array_type(array_type).size();
if(size_expr.id()==ID_infinity)
{
}
else if(size_expr.is_zero() && expr.array().id()==ID_member)
{
// this is a variable-sized struct field
}
else
{
if(size_expr.is_nil())
throw "index array operand of wrong type";
binary_relation_exprt inequality(expr.index(), ID_ge, size_expr);
if(c_implicit_typecast(
inequality.op0(),
inequality.op1().type(),
ns))
throw "index address of wrong type";
guardt tmp_guard(guard);
tmp_guard.add(inequality);
dereference_callback.dereference_failure(
"array bounds",
name+" upper bound", tmp_guard);
}
}
value_set_dereferencet::valuet value_set_dereferencet::build_reference_to(
const exprt &what,
const modet mode,
const exprt &pointer_expr,
const guardt &guard)
{
const typet &dereference_type=
ns.follow(pointer_expr.type()).subtype();
if(what.id()==ID_unknown ||
what.id()==ID_invalid)
{
invalid_pointer(pointer_expr, guard);
return valuet();
}
if(what.id()!=ID_object_descriptor)
throw "unknown points-to: "+what.id_string();
const object_descriptor_exprt &o=to_object_descriptor_expr(what);
const exprt &root_object=o.root_object();
const exprt &object=o.object();
#if 0
std::cout << "O: " << from_expr(ns, "", root_object) << '\n';
#endif
valuet result;
if(root_object.id()=="NULL-object")
{
if(options.get_bool_option("pointer-check"))
{
guardt tmp_guard(guard);
if(o.offset().is_zero())
{
tmp_guard.add(null_pointer(pointer_expr));
dereference_callback.dereference_failure(
"pointer dereference",
"NULL pointer", tmp_guard);
}
else
{
tmp_guard.add(null_object(pointer_expr));
dereference_callback.dereference_failure(
"pointer dereference",
"NULL plus offset pointer", tmp_guard);
}
}
}
else if(root_object.id()==ID_dynamic_object)
{
// const dynamic_object_exprt &dynamic_object=
// to_dynamic_object_expr(root_object);
// the object produced by malloc
exprt malloc_object=
ns.lookup(CPROVER_PREFIX "malloc_object").symbol_expr();
exprt is_malloc_object=same_object(pointer_expr, malloc_object);
// constraint that it actually is a dynamic object
exprt dynamic_object_expr(ID_dynamic_object, bool_typet());
dynamic_object_expr.copy_to_operands(pointer_expr);
// this is also our guard
result.pointer_guard=dynamic_object_expr;
// can't remove here, turn into *p
result.value=dereference_exprt(pointer_expr, dereference_type);
if(options.get_bool_option("pointer-check"))
{
// if(!dynamic_object.valid().is_true())
{
// check if it is still alive
guardt tmp_guard(guard);
tmp_guard.add(deallocated(pointer_expr, ns));
dereference_callback.dereference_failure(
"pointer dereference",
"dynamic object deallocated",
tmp_guard);
}
if(options.get_bool_option("bounds-check"))
{
if(!o.offset().is_zero())
{
// check lower bound
guardt tmp_guard(guard);
tmp_guard.add(is_malloc_object);
tmp_guard.add(
dynamic_object_lower_bound(
pointer_expr,
ns,
nil_exprt()));
dereference_callback.dereference_failure(
"pointer dereference",
"dynamic object lower bound", tmp_guard);
}
{
// check upper bound
// we check SAME_OBJECT(__CPROVER_malloc_object, p) &&
// POINTER_OFFSET(p)+size>__CPROVER_malloc_size
guardt tmp_guard(guard);
tmp_guard.add(is_malloc_object);
tmp_guard.add(
dynamic_object_upper_bound(
pointer_expr,
dereference_type,
ns,
size_of_expr(dereference_type, ns)));
dereference_callback.dereference_failure(
"pointer dereference",
"dynamic object upper bound", tmp_guard);
}
}
}
}
else if(root_object.id()==ID_integer_address)
{
// This is stuff like *((char *)5).
// This is turned into an access to __CPROVER_memory[...].
if(language_mode==ID_java)
{
result.value=nil_exprt();
return result;
}
const symbolt &memory_symbol=ns.lookup(CPROVER_PREFIX "memory");
exprt symbol_expr=symbol_exprt(memory_symbol.name, memory_symbol.type);
if(base_type_eq(
ns.follow(memory_symbol.type).subtype(),
dereference_type, ns))
{
// Types match already, what a coincidence!
// We can use an index expression.
exprt index_expr=index_exprt(symbol_expr, pointer_offset(pointer_expr));
index_expr.type()=ns.follow(memory_symbol.type).subtype();
result.value=index_expr;
}
else if(dereference_type_compare(
ns.follow(memory_symbol.type).subtype(),
dereference_type))
{
exprt index_expr=index_exprt(symbol_expr, pointer_offset(pointer_expr));
index_expr.type()=ns.follow(memory_symbol.type).subtype();
result.value=typecast_exprt(index_expr, dereference_type);
}
else
{
// We need to use byte_extract.
// Won't do this without a commitment to an endianness.
if(config.ansi_c.endianness==configt::ansi_ct::endiannesst::NO_ENDIANNESS)
{
}
else
{
exprt byte_extract(byte_extract_id(), dereference_type);
byte_extract.copy_to_operands(
symbol_expr, pointer_offset(pointer_expr));
result.value=byte_extract;
}
}
}
else
{
// something generic -- really has to be a symbol
address_of_exprt object_pointer(object);
if(o.offset().is_zero())
{
equal_exprt equality(pointer_expr, object_pointer);
if(ns.follow(equality.lhs().type())!=ns.follow(equality.rhs().type()))
equality.lhs().make_typecast(equality.rhs().type());
result.pointer_guard=equality;
}
else
{
result.pointer_guard=same_object(pointer_expr, object_pointer);
}
guardt tmp_guard(guard);
tmp_guard.add(result.pointer_guard);
valid_check(object, tmp_guard, mode);
const typet &object_type=ns.follow(object.type());
const exprt &root_object=o.root_object();
const typet &root_object_type=ns.follow(root_object.type());
exprt root_object_subexpression=root_object;
if(dereference_type_compare(object_type, dereference_type) &&
o.offset().is_zero())
{
// The simplest case: types match, and offset is zero!
// This is great, we are almost done.
result.value=object;
if(object_type!=ns.follow(dereference_type))
result.value.make_typecast(dereference_type);
}
else if(root_object_type.id()==ID_array &&
dereference_type_compare(
root_object_type.subtype(),
dereference_type))
{
// We have an array with a subtype that matches
// the dereferencing type.
// We will require well-alignedness!
exprt offset;
// this should work as the object is essentially the root object
if(o.offset().is_constant())
offset=o.offset();
else
offset=pointer_offset(pointer_expr);
exprt adjusted_offset;
// are we doing a byte?
mp_integer element_size=
dereference_type.id()==ID_empty?
pointer_offset_size(char_type(), ns):
pointer_offset_size(dereference_type, ns);
if(element_size==1)
{
// no need to adjust offset
adjusted_offset=offset;
}
else if(element_size<=0)
{
throw "unknown or invalid type size of:\n"+dereference_type.pretty();
}
else
{
exprt element_size_expr=
from_integer(element_size, offset.type());
adjusted_offset=binary_exprt(
offset, ID_div, element_size_expr, offset.type());
// TODO: need to assert well-alignedness
}
index_exprt index_expr=
index_exprt(root_object, adjusted_offset, root_object_type.subtype());
bounds_check(index_expr, tmp_guard);
result.value=index_expr;
if(ns.follow(result.value.type())!=ns.follow(dereference_type))
result.value.make_typecast(dereference_type);
}
else if(get_subexpression_at_offset(
root_object_subexpression,
o.offset(),
dereference_type,
ns))
{
// Successfully found a member, array index, or combination thereof
// that matches the desired type and offset:
result.value=root_object_subexpression;
}
else
{
// we extract something from the root object
result.value=o.root_object();
// this is relative to the root object
const exprt offset=pointer_offset(pointer_expr);
if(memory_model(result.value, dereference_type, tmp_guard, offset))
{
// ok, done
}
else
{
if(options.get_bool_option("pointer-check"))
{
std::string msg="memory model not applicable (got `";
msg+=from_type(ns, "", result.value.type());
msg+="', expected `";
msg+=from_type(ns, "", dereference_type);
msg+="')";
dereference_callback.dereference_failure(
"pointer dereference",
msg, tmp_guard);
}
return valuet(); // give up, no way that this is ok
}
}
}
return result;
}
