void BlockSummary::GetAssumedBits(BlockMemory *mcfg, PPoint end_point,
Vector<AssumeInfo> *assume_list)
{
BlockId *id = mcfg->GetId();
BlockCFG *cfg = mcfg->GetCFG();
BlockSummary *sum = GetBlockSummary(id);
const Vector<Bit*> *assumes = sum->GetAssumes();
size_t assume_count = VectorSize<Bit*>(assumes);
// pull in assumptions from the summary for mcfg. in some cases these
// assumptions won't be useful, e.g. describing the state at exit
// for functions. for now we're just adding all of them though. TODO: fix.
for (size_t ind = 0; ind < assume_count; ind++) {
Bit *bit = assumes->At(ind);
bit->IncRef(assume_list);
AssumeInfo info;
info.bit = bit;
assume_list->PushBack(info);
}
sum->DecRef();
Vector<BlockCFG*> *annot_list = BodyAnnotCache.Lookup(id->Function());
// add assumes at function entry for any preconditions.
if (id->Kind() == B_Function) {
for (size_t ind = 0; annot_list && ind < annot_list->Size(); ind++) {
BlockCFG *annot_cfg = annot_list->At(ind);
if (annot_cfg->GetAnnotationKind() != AK_Precondition &&
annot_cfg->GetAnnotationKind() != AK_PreconditionAssume)
continue;
Bit *bit = BlockMemory::GetAnnotationBit(annot_cfg);
if (!bit) continue;
annot_cfg->IncRef(assume_list);
bit->IncRef(assume_list);
AssumeInfo info;
info.annot = annot_cfg;
info.bit = bit;
assume_list->PushBack(info);
}
}
// add assumptions from points within the block.
for (size_t pind = 0; pind < cfg->GetPointAnnotationCount(); pind++) {
PointAnnotation pann = cfg->GetPointAnnotation(pind);
if (end_point && pann.point >= end_point)
continue;
BlockCFG *annot_cfg = GetAnnotationCFG(pann.annot);
if (!annot_cfg) continue;
Assert(annot_cfg->GetAnnotationKind() != AK_AssertRuntime);
if (Bit *bit = BlockMemory::GetAnnotationBit(annot_cfg)) {
// get the annotation bit in terms of block entry.
Bit *point_bit = NULL;
mcfg->TranslateBit(TRK_Point, pann.point, bit, &point_bit);
point_bit->MoveRef(&point_bit, assume_list);
annot_cfg->IncRef(assume_list);
AssumeInfo info;
info.annot = annot_cfg;
info.point = pann.point;
info.bit = point_bit;
assume_list->PushBack(info);
}
annot_cfg->DecRef();
}
// add assumptions from annotation edges within the block, invariants
// on values accessed by the block, and from the summaries of any callees.
for (size_t eind = 0; eind < cfg->GetEdgeCount(); eind++) {
PEdge *edge = cfg->GetEdge(eind);
PPoint point = edge->GetSource();
if (end_point && point >= end_point)
continue;
InvariantAssumeVisitor visitor(mcfg, point, assume_list);
edge->DoVisit(&visitor);
if (PEdgeAnnotation *nedge = edge->IfAnnotation()) {
// add an assumption for this annotation.
BlockCFG *annot_cfg = GetAnnotationCFG(nedge->GetAnnotationId());
if (!annot_cfg) continue;
Bit *bit = BlockMemory::GetAnnotationBit(annot_cfg);
// don't incorporate AssertRuntimes, these are not assumed.
if (bit && annot_cfg->GetAnnotationKind() != AK_AssertRuntime) {
// get the annotation bit in terms of block entry.
Bit *point_bit = NULL;
mcfg->TranslateBit(TRK_Point, point, bit, &point_bit);
point_bit->MoveRef(&point_bit, assume_list);
annot_cfg->IncRef(assume_list);
AssumeInfo info;
info.annot = annot_cfg;
info.point = point;
info.bit = point_bit;
assume_list->PushBack(info);
}
annot_cfg->DecRef();
}
if (BlockId *callee = edge->GetDirectCallee()) {
GetCallAssumedBits(mcfg, edge, callee, false, assume_list);
callee->DecRef();
}
else if (edge->IsCall()) {
// add conditional assumes for the indirect targets of the call.
// this is most useful for baked information and annotations, where
// we sometimes need to attach information at indirect calls.
CallEdgeSet *callees = CalleeCache.Lookup(id->BaseVar());
size_t old_count = assume_list->Size();
if (callees) {
for (size_t cind = 0; cind < callees->GetEdgeCount(); cind++) {
const CallEdge &cedge = callees->GetEdge(cind);
if (cedge.where.id == id && cedge.where.point == point) {
cedge.callee->IncRef();
BlockId *callee = BlockId::Make(B_Function, cedge.callee);
GetCallAssumedBits(mcfg, edge, callee, true, assume_list);
callee->DecRef();
}
}
}
if (assume_list->Size() != old_count) {
// we managed to do something at this indirect call site.
// add another assumption restricting the possible callees to
// only those identified by our callgraph.
GuardExpVector receiver_list;
mcfg->TranslateReceiver(point, &receiver_list);
for (size_t rind = 0; rind < receiver_list.Size(); rind++) {
const GuardExp &gs = receiver_list[rind];
gs.guard->IncRef();
// make a bit: !when || rcv == callee0 || rcv == callee1 || ...
Bit *extra_bit = Bit::MakeNot(gs.guard);
for (size_t cind = 0; cind < callees->GetEdgeCount(); cind++) {
const CallEdge &cedge = callees->GetEdge(cind);
if (cedge.where.id == id && cedge.where.point == point) {
Variable *callee_var = cedge.callee;
callee_var->IncRef();
Exp *callee_exp = Exp::MakeVar(callee_var);
gs.exp->IncRef();
Bit *equal = Exp::MakeCompareBit(B_Equal, callee_exp, gs.exp);
extra_bit = Bit::MakeOr(extra_bit, equal);
}
}
extra_bit->MoveRef(NULL, assume_list);
AssumeInfo info;
info.bit = extra_bit;
assume_list->PushBack(info);
}
}
CalleeCache.Release(id->BaseVar());
}
}
BodyAnnotCache.Release(id->Function());
// add assumptions from heap invariants describing values mentioned
// in added assumptions. we could keep doing this transitively but don't,
// to ensure termination.
size_t count = assume_list->Size();
for (size_t ind = 0; ind < count; ind++) {
InvariantAssumeVisitor visitor(NULL, 0, assume_list);
assume_list->At(ind).bit->DoVisit(&visitor);
}
CombineAssumeList(assume_list);
}
bool CheckSingleHeapWrite(CheckerState *state, CheckerFrame *frame,
CheckerFrame *heap_frame, WhereInvariant *invariant,
const HeapWriteInfo &write)
{
Assert(invariant);
if (checker_verbose.IsSpecified())
logout << "CHECK: " << frame
<< ": Checking single heap write: " << write.mcfg->GetId()
<< ": " << write.lval << endl;
if (frame->Memory()->GetId()->Kind() == B_Initializer) {
// rule out cases where another function executed before a static
// initializer. TODO: this case can occur in C++ constructors and the
// functions they call, should revisit this behavior.
if (write.mcfg->GetId()->Kind() != B_Initializer) {
if (checker_verbose.IsSpecified())
logout << "CHECK: " << frame
<< ": Write is not in a static initializer" << endl;
return false;
}
}
CheckerFrame *write_frame = state->MakeFrame(write.mcfg->GetId());
Assert(write_frame && write_frame->Memory() == write.mcfg);
PPoint exit_point = write.mcfg->GetCFG()->GetExitPoint();
write_frame->AssertPointGuard(exit_point, true);
// assert the lvalue is actually updated within this frame. these bits
// are never explicitly popped, they get dropped when the frame is deleted.
for (size_t ind = 0; ind < write.exclude.Size(); ind++) {
Bit *bit = write.exclude[ind];
bit->IncRef();
Bit *not_bit = Bit::MakeNot(bit);
write_frame->PushAssumedBit(not_bit);
not_bit->DecRef();
}
// connect the heap read and write frames.
write_frame->ConnectHeapRead(heap_frame);
// for type invariants, try to reconstruct the CSU exp for the write frame.
Exp *write_csu = NULL;
Exp *base_csu = NULL;
if (invariant->GetCSU()) {
write_csu = invariant->GetWriteCSU(write.lval);
if (write_csu == NULL) {
CheckerPropagate propagate(write_frame, exit_point, false);
state->m_stack.PushBack(&propagate);
state->SetReport(RK_UnknownCSU);
return true;
}
// OK if we couldn't figure out the point-relative CSU, will just be
// a more confusing UI message.
base_csu = invariant->GetWriteCSU(write.base_lval);
}
// get the safe bits for the write frame.
Bit *write_safe_bit;
GuardBitVector write_safe_list;
invariant->GetHeapBits(write_frame, write_csu, base_csu,
&write_safe_bit, &write_safe_list);
if (CheckFrameList(state, write_frame, exit_point, true, true,
write_safe_bit, write_safe_list)) {
write_safe_bit->DecRef();
return true;
}
write_safe_bit->DecRef();
write_frame->DisconnectHeapRead(heap_frame);
state->DeleteFrame(write_frame);
return false;
}
void Visit(Exp *exp)
{
if (ExpFld *nexp = exp->IfFld()) {
// pick up any type invariants from the host type.
String *csu_name = nexp->GetField()->GetCSUType()->GetCSUName();
Vector<BlockCFG*> *annot_list = CompAnnotCache.Lookup(csu_name);
for (size_t ind = 0; annot_list && ind < annot_list->Size(); ind++) {
BlockCFG *annot_cfg = annot_list->At(ind);
Assert(annot_cfg->GetAnnotationKind() == AK_Invariant ||
annot_cfg->GetAnnotationKind() == AK_InvariantAssume);
BlockId *id = annot_cfg->GetId();
Bit *bit = BlockMemory::GetAnnotationBit(annot_cfg);
if (!bit) continue;
// get the *this expression. we'll replace this with the actual CSU
// lvalue to get the assumed bit.
id->IncRef();
Variable *this_var = Variable::Make(id, VK_This, NULL, 0, NULL);
Exp *this_exp = Exp::MakeVar(this_var);
Exp *this_drf = Exp::MakeDrf(this_exp);
Exp *target = nexp->GetTarget();
GuardExpVector lval_res;
if (mcfg) {
mcfg->TranslateExp(TRK_Point, point, target, &lval_res);
}
else {
target->IncRef();
lval_res.PushBack(GuardExp(target, Bit::MakeConstant(true)));
}
for (size_t lind = 0; lind < lval_res.Size(); lind++) {
// ignore the guard component of the result here. this means that
// accessing a field of a value means related invariants hold for
// the value along all paths. which is normally right, except when
// the value is the result of a cast, and could have a different type
// along other paths. TODO: sort this out.
const GuardExp &gs = lval_res[lind];
Bit *new_bit = BitReplaceExp(bit, this_drf, gs.exp);
new_bit->MoveRef(NULL, assume_list);
annot_cfg->IncRef(assume_list);
AssumeInfo info;
info.annot = annot_cfg;
info.point = 0;
info.bit = new_bit;
assume_list->PushBack(info);
}
this_drf->DecRef();
}
CompAnnotCache.Release(csu_name);
}
if (ExpVar *nexp = exp->IfVar()) {
if (nexp->GetVariable()->Kind() == VK_Glob) {
String *var_name = nexp->GetVariable()->GetName();
Vector<BlockCFG*> *annot_list = InitAnnotCache.Lookup(var_name);
for (size_t ind = 0; annot_list && ind < annot_list->Size(); ind++) {
BlockCFG *annot_cfg = annot_list->At(ind);
Assert(annot_cfg->GetAnnotationKind() == AK_Invariant ||
annot_cfg->GetAnnotationKind() == AK_InvariantAssume);
Bit *bit = BlockMemory::GetAnnotationBit(annot_cfg);
if (!bit) continue;
bit->IncRef(assume_list);
annot_cfg->IncRef(assume_list);
AssumeInfo info;
info.annot = annot_cfg;
info.point = 0;
info.bit = bit;
assume_list->PushBack(info);
}
InitAnnotCache.Release(var_name);
}
}
}