Beispiel #1
0
void BlockSummary::GetAssumedBits(BlockMemory *mcfg, PPoint end_point,
                                  Vector<AssumeInfo> *assume_list)
{
  BlockId *id = mcfg->GetId();
  BlockCFG *cfg = mcfg->GetCFG();

  BlockSummary *sum = GetBlockSummary(id);

  const Vector<Bit*> *assumes = sum->GetAssumes();
  size_t assume_count = VectorSize<Bit*>(assumes);

  // pull in assumptions from the summary for mcfg. in some cases these
  // assumptions won't be useful, e.g. describing the state at exit
  // for functions. for now we're just adding all of them though. TODO: fix.
  for (size_t ind = 0; ind < assume_count; ind++) {
    Bit *bit = assumes->At(ind);
    bit->IncRef(assume_list);

    AssumeInfo info;
    info.bit = bit;
    assume_list->PushBack(info);
  }

  sum->DecRef();

  Vector<BlockCFG*> *annot_list = BodyAnnotCache.Lookup(id->Function());

  // add assumes at function entry for any preconditions.

  if (id->Kind() == B_Function) {
    for (size_t ind = 0; annot_list && ind < annot_list->Size(); ind++) {
      BlockCFG *annot_cfg = annot_list->At(ind);

      if (annot_cfg->GetAnnotationKind() != AK_Precondition &&
          annot_cfg->GetAnnotationKind() != AK_PreconditionAssume)
        continue;

      Bit *bit = BlockMemory::GetAnnotationBit(annot_cfg);
      if (!bit) continue;

      annot_cfg->IncRef(assume_list);
      bit->IncRef(assume_list);

      AssumeInfo info;
      info.annot = annot_cfg;
      info.bit = bit;
      assume_list->PushBack(info);
    }
  }

  // add assumptions from points within the block.

  for (size_t pind = 0; pind < cfg->GetPointAnnotationCount(); pind++) {
    PointAnnotation pann = cfg->GetPointAnnotation(pind);
    if (end_point && pann.point >= end_point)
      continue;

    BlockCFG *annot_cfg = GetAnnotationCFG(pann.annot);
    if (!annot_cfg) continue;

    Assert(annot_cfg->GetAnnotationKind() != AK_AssertRuntime);

    if (Bit *bit = BlockMemory::GetAnnotationBit(annot_cfg)) {
      // get the annotation bit in terms of block entry.
      Bit *point_bit = NULL;
      mcfg->TranslateBit(TRK_Point, pann.point, bit, &point_bit);
      point_bit->MoveRef(&point_bit, assume_list);

      annot_cfg->IncRef(assume_list);

      AssumeInfo info;
      info.annot = annot_cfg;
      info.point = pann.point;
      info.bit = point_bit;
      assume_list->PushBack(info);
    }

    annot_cfg->DecRef();
  }

  // add assumptions from annotation edges within the block, invariants
  // on values accessed by the block, and from the summaries of any callees.

  for (size_t eind = 0; eind < cfg->GetEdgeCount(); eind++) {
    PEdge *edge = cfg->GetEdge(eind);
    PPoint point = edge->GetSource();

    if (end_point && point >= end_point)
      continue;

    InvariantAssumeVisitor visitor(mcfg, point, assume_list);
    edge->DoVisit(&visitor);

    if (PEdgeAnnotation *nedge = edge->IfAnnotation()) {
      // add an assumption for this annotation.
      BlockCFG *annot_cfg = GetAnnotationCFG(nedge->GetAnnotationId());
      if (!annot_cfg) continue;

      Bit *bit = BlockMemory::GetAnnotationBit(annot_cfg);

      // don't incorporate AssertRuntimes, these are not assumed.
      if (bit && annot_cfg->GetAnnotationKind() != AK_AssertRuntime) {
        // get the annotation bit in terms of block entry.
        Bit *point_bit = NULL;
        mcfg->TranslateBit(TRK_Point, point, bit, &point_bit);
        point_bit->MoveRef(&point_bit, assume_list);

        annot_cfg->IncRef(assume_list);

        AssumeInfo info;
        info.annot = annot_cfg;
        info.point = point;
        info.bit = point_bit;
        assume_list->PushBack(info);
      }

      annot_cfg->DecRef();
    }

    if (BlockId *callee = edge->GetDirectCallee()) {
      GetCallAssumedBits(mcfg, edge, callee, false, assume_list);
      callee->DecRef();
    }
    else if (edge->IsCall()) {
      // add conditional assumes for the indirect targets of the call.
      // this is most useful for baked information and annotations, where
      // we sometimes need to attach information at indirect calls.

      CallEdgeSet *callees = CalleeCache.Lookup(id->BaseVar());
      size_t old_count = assume_list->Size();

      if (callees) {
        for (size_t cind = 0; cind < callees->GetEdgeCount(); cind++) {
          const CallEdge &cedge = callees->GetEdge(cind);
          if (cedge.where.id == id && cedge.where.point == point) {
            cedge.callee->IncRef();
            BlockId *callee = BlockId::Make(B_Function, cedge.callee);

            GetCallAssumedBits(mcfg, edge, callee, true, assume_list);
            callee->DecRef();
          }
        }
      }

      if (assume_list->Size() != old_count) {
        // we managed to do something at this indirect call site.
        // add another assumption restricting the possible callees to
        // only those identified by our callgraph.

        GuardExpVector receiver_list;
        mcfg->TranslateReceiver(point, &receiver_list);

        for (size_t rind = 0; rind < receiver_list.Size(); rind++) {
          const GuardExp &gs = receiver_list[rind];
          gs.guard->IncRef();

          // make a bit: !when || rcv == callee0 || rcv == callee1 || ...
          Bit *extra_bit = Bit::MakeNot(gs.guard);

          for (size_t cind = 0; cind < callees->GetEdgeCount(); cind++) {
            const CallEdge &cedge = callees->GetEdge(cind);
            if (cedge.where.id == id && cedge.where.point == point) {
              Variable *callee_var = cedge.callee;
              callee_var->IncRef();
              Exp *callee_exp = Exp::MakeVar(callee_var);

              gs.exp->IncRef();
              Bit *equal = Exp::MakeCompareBit(B_Equal, callee_exp, gs.exp);

              extra_bit = Bit::MakeOr(extra_bit, equal);
            }
          }

          extra_bit->MoveRef(NULL, assume_list);

          AssumeInfo info;
          info.bit = extra_bit;
          assume_list->PushBack(info);
        }
      }

      CalleeCache.Release(id->BaseVar());
    }
  }

  BodyAnnotCache.Release(id->Function());

  // add assumptions from heap invariants describing values mentioned
  // in added assumptions. we could keep doing this transitively but don't,
  // to ensure termination.
  size_t count = assume_list->Size();
  for (size_t ind = 0; ind < count; ind++) {
    InvariantAssumeVisitor visitor(NULL, 0, assume_list);
    assume_list->At(ind).bit->DoVisit(&visitor);
  }

  CombineAssumeList(assume_list);
}
Beispiel #2
0
bool CheckSingleHeapWrite(CheckerState *state, CheckerFrame *frame,
                          CheckerFrame *heap_frame, WhereInvariant *invariant,
                          const HeapWriteInfo &write)
{
  Assert(invariant);

  if (checker_verbose.IsSpecified())
    logout << "CHECK: " << frame
           << ": Checking single heap write: " << write.mcfg->GetId()
           << ": " << write.lval << endl;

  if (frame->Memory()->GetId()->Kind() == B_Initializer) {
    // rule out cases where another function executed before a static
    // initializer. TODO: this case can occur in C++ constructors and the
    // functions they call, should revisit this behavior.
    if (write.mcfg->GetId()->Kind() != B_Initializer) {
      if (checker_verbose.IsSpecified())
        logout << "CHECK: " << frame
               << ": Write is not in a static initializer" << endl;

      return false;
    }
  }

  CheckerFrame *write_frame = state->MakeFrame(write.mcfg->GetId());
  Assert(write_frame && write_frame->Memory() == write.mcfg);

  PPoint exit_point = write.mcfg->GetCFG()->GetExitPoint();
  write_frame->AssertPointGuard(exit_point, true);

  // assert the lvalue is actually updated within this frame. these bits
  // are never explicitly popped, they get dropped when the frame is deleted.
  for (size_t ind = 0; ind < write.exclude.Size(); ind++) {
    Bit *bit = write.exclude[ind];

    bit->IncRef();
    Bit *not_bit = Bit::MakeNot(bit);

    write_frame->PushAssumedBit(not_bit);
    not_bit->DecRef();
  }

  // connect the heap read and write frames.
  write_frame->ConnectHeapRead(heap_frame);

  // for type invariants, try to reconstruct the CSU exp for the write frame.
  Exp *write_csu = NULL;
  Exp *base_csu = NULL;
  if (invariant->GetCSU()) {
    write_csu = invariant->GetWriteCSU(write.lval);
    if (write_csu == NULL) {
      CheckerPropagate propagate(write_frame, exit_point, false);
      state->m_stack.PushBack(&propagate);

      state->SetReport(RK_UnknownCSU);
      return true;
    }

    // OK if we couldn't figure out the point-relative CSU, will just be
    // a more confusing UI message.
    base_csu = invariant->GetWriteCSU(write.base_lval);
  }

  // get the safe bits for the write frame.
  Bit *write_safe_bit;
  GuardBitVector write_safe_list;
  invariant->GetHeapBits(write_frame, write_csu, base_csu,
                         &write_safe_bit, &write_safe_list);

  if (CheckFrameList(state, write_frame, exit_point, true, true,
                     write_safe_bit, write_safe_list)) {
    write_safe_bit->DecRef();
    return true;
  }

  write_safe_bit->DecRef();
  write_frame->DisconnectHeapRead(heap_frame);
  state->DeleteFrame(write_frame);

  return false;
}
Beispiel #3
0
  void Visit(Exp *exp)
  {
    if (ExpFld *nexp = exp->IfFld()) {
      // pick up any type invariants from the host type.
      String *csu_name = nexp->GetField()->GetCSUType()->GetCSUName();
      Vector<BlockCFG*> *annot_list = CompAnnotCache.Lookup(csu_name);

      for (size_t ind = 0; annot_list && ind < annot_list->Size(); ind++) {
        BlockCFG *annot_cfg = annot_list->At(ind);
        Assert(annot_cfg->GetAnnotationKind() == AK_Invariant ||
               annot_cfg->GetAnnotationKind() == AK_InvariantAssume);
        BlockId *id = annot_cfg->GetId();

        Bit *bit = BlockMemory::GetAnnotationBit(annot_cfg);
        if (!bit) continue;

        // get the *this expression. we'll replace this with the actual CSU
        // lvalue to get the assumed bit.
        id->IncRef();
        Variable *this_var = Variable::Make(id, VK_This, NULL, 0, NULL);
        Exp *this_exp = Exp::MakeVar(this_var);
        Exp *this_drf = Exp::MakeDrf(this_exp);
        Exp *target = nexp->GetTarget();

        GuardExpVector lval_res;
        if (mcfg) {
          mcfg->TranslateExp(TRK_Point, point, target, &lval_res);
        }
        else {
          target->IncRef();
          lval_res.PushBack(GuardExp(target, Bit::MakeConstant(true)));
        }

        for (size_t lind = 0; lind < lval_res.Size(); lind++) {
          // ignore the guard component of the result here. this means that
          // accessing a field of a value means related invariants hold for
          // the value along all paths. which is normally right, except when
          // the value is the result of a cast, and could have a different type
          // along other paths. TODO: sort this out.
          const GuardExp &gs = lval_res[lind];
          Bit *new_bit = BitReplaceExp(bit, this_drf, gs.exp);

          new_bit->MoveRef(NULL, assume_list);
          annot_cfg->IncRef(assume_list);

          AssumeInfo info;
          info.annot = annot_cfg;
          info.point = 0;
          info.bit = new_bit;
          assume_list->PushBack(info);
        }

        this_drf->DecRef();
      }

      CompAnnotCache.Release(csu_name);
    }

    if (ExpVar *nexp = exp->IfVar()) {
      if (nexp->GetVariable()->Kind() == VK_Glob) {
        String *var_name = nexp->GetVariable()->GetName();
        Vector<BlockCFG*> *annot_list = InitAnnotCache.Lookup(var_name);

        for (size_t ind = 0; annot_list && ind < annot_list->Size(); ind++) {
          BlockCFG *annot_cfg = annot_list->At(ind);
          Assert(annot_cfg->GetAnnotationKind() == AK_Invariant ||
                 annot_cfg->GetAnnotationKind() == AK_InvariantAssume);

          Bit *bit = BlockMemory::GetAnnotationBit(annot_cfg);
          if (!bit) continue;

          bit->IncRef(assume_list);
          annot_cfg->IncRef(assume_list);

          AssumeInfo info;
          info.annot = annot_cfg;
          info.point = 0;
          info.bit = bit;
          assume_list->PushBack(info);
        }

        InitAnnotCache.Release(var_name);
      }
    }
  }