void string_instrumentationt::do_strtok(
goto_programt &dest,
goto_programt::targett target,
code_function_callt &call)
{
const code_function_callt::argumentst &arguments=call.arguments();
if(arguments.size()!=2)
{
err_location(target->location);
throw "strtok expected to have two arguments";
}
goto_programt tmp;
goto_programt::targett assertion0=tmp.add_instruction();
assertion0->make_assertion(is_zero_string(arguments[0]));
assertion0->location=target->location;
assertion0->location.set("property", "string");
assertion0->location.set("comment", "zero-termination of 1st string argument of strtok");
goto_programt::targett assertion1=tmp.add_instruction();
assertion1->make_assertion(is_zero_string(arguments[1]));
assertion1->location=target->location;
assertion1->location.set("property", "string");
assertion1->location.set("comment", "zero-termination of 2nd string argument of strtok");
target->make_skip();
dest.insert_before_swap(target, tmp);
}
void string_instrumentationt::do_strstr(
goto_programt &dest,
goto_programt::targett target,
code_function_callt &call)
{
const code_function_callt::argumentst &arguments=call.arguments();
if(arguments.size()!=2)
{
error().source_location=target->source_location;
error() << "strstr expected to have two arguments" << eom;
throw 0;
}
goto_programt tmp;
goto_programt::targett assertion0=tmp.add_instruction();
assertion0->make_assertion(is_zero_string(arguments[0]));
assertion0->source_location=target->source_location;
assertion0->source_location.set_property_class("string");
assertion0->source_location.set_comment("zero-termination of 1st string argument of strstr");
goto_programt::targett assertion1=tmp.add_instruction();
assertion1->make_assertion(is_zero_string(arguments[1]));
assertion1->source_location=target->source_location;
assertion1->source_location.set_property_class("string");
assertion1->source_location.set_comment("zero-termination of 2nd string argument of strstr");
target->make_skip();
dest.insert_before_swap(target, tmp);
}
void string_instrumentationt::do_strerror(
goto_programt &dest,
goto_programt::targett it,
code_function_callt &call)
{
if(call.lhs().is_nil())
{
it->make_skip();
return;
}
irep_idt identifier_buf="c::__strerror_buffer";
irep_idt identifier_size="c::__strerror_buffer_size";
if(context.symbols.find(identifier_buf)==context.symbols.end())
{
symbolt new_symbol_size;
new_symbol_size.base_name="__strerror_buffer_size";
new_symbol_size.pretty_name=new_symbol_size.base_name;
new_symbol_size.name=identifier_size;
new_symbol_size.mode="C";
new_symbol_size.type=uint_type();
new_symbol_size.is_statevar=true;
new_symbol_size.lvalue=true;
new_symbol_size.static_lifetime=true;
array_typet type;
type.subtype()=char_type();
type.size()=symbol_expr(new_symbol_size);
symbolt new_symbol_buf;
new_symbol_buf.mode="C";
new_symbol_buf.type=type;
new_symbol_buf.is_statevar=true;
new_symbol_buf.lvalue=true;
new_symbol_buf.static_lifetime=true;
new_symbol_buf.base_name="__strerror_buffer";
new_symbol_buf.pretty_name=new_symbol_buf.base_name;
new_symbol_buf.name="c::"+id2string(new_symbol_buf.base_name);
context.move(new_symbol_buf);
context.move(new_symbol_size);
}
const symbolt &symbol_size=ns.lookup(identifier_size);
const symbolt &symbol_buf=ns.lookup(identifier_buf);
goto_programt tmp;
{
goto_programt::targett assignment1=tmp.add_instruction(ASSIGN);
exprt nondet_size=side_effect_expr_nondett(uint_type());
assignment1->code=code_assignt(symbol_expr(symbol_size), nondet_size);
assignment1->location=it->location;
goto_programt::targett assumption1=tmp.add_instruction();
assumption1->make_assumption(binary_relation_exprt(
symbol_expr(symbol_size), "notequal",
gen_zero(symbol_size.type)));
assumption1->location=it->location;
}
// return a pointer to some magic buffer
exprt index=exprt("index", char_type());
index.copy_to_operands(symbol_expr(symbol_buf), gen_zero(uint_type()));
exprt ptr=exprt("address_of", pointer_typet());
ptr.type().subtype()=char_type();
ptr.copy_to_operands(index);
// make that zero-terminated
{
goto_programt::targett assignment2=tmp.add_instruction(ASSIGN);
assignment2->code=code_assignt(is_zero_string(ptr, true), true_exprt());
assignment2->location=it->location;
}
// assign address
{
goto_programt::targett assignment3=tmp.add_instruction(ASSIGN);
exprt rhs=ptr;
make_type(rhs, call.lhs().type());
assignment3->code=code_assignt(call.lhs(), rhs);
assignment3->location=it->location;
}
it->make_skip();
dest.insert_before_swap(it, tmp);
}
void string_instrumentationt::do_format_string_read(
goto_programt &dest,
goto_programt::const_targett target,
const code_function_callt::argumentst &arguments,
unsigned format_string_inx,
unsigned argument_start_inx,
const std::string &function_name)
{
const exprt &format_arg = arguments[format_string_inx];
if(format_arg.id()=="address_of" &&
format_arg.op0().id()=="index" &&
format_arg.op0().op0().id()==ID_string_constant)
{
format_token_listt token_list;
parse_format_string(format_arg.op0().op0(), token_list);
unsigned args=0;
for(format_token_listt::const_iterator it=token_list.begin();
it!=token_list.end();
it++)
{
if(it->type==format_tokent::STRING)
{
const exprt &arg = arguments[argument_start_inx+args];
const typet &arg_type = ns.follow(arg.type());
if(arg.id()!=ID_string_constant) // we don't need to check constants
{
goto_programt::targett assertion=dest.add_instruction();
assertion->location=target->location;
assertion->location.set("property", "string");
std::string comment("zero-termination of string argument of ");
comment += function_name;
assertion->location.set("comment", comment);
exprt temp(arg);
if(arg_type.id()!="pointer")
{
index_exprt index;
index.array()=temp;
index.index()=gen_zero(uint_type());
index.type()=arg_type.subtype();
temp=address_of_exprt(index);
}
assertion->make_assertion(is_zero_string(temp));
}
}
if(it->type!=format_tokent::TEXT &&
it->type!=format_tokent::UNKNOWN) args++;
if(find(it->flags.begin(), it->flags.end(), format_tokent::ASTERISK)!=
it->flags.end())
args++; // just eat the additional argument
}
}
else // non-const format string
{
goto_programt::targett format_ass=dest.add_instruction();
format_ass->make_assertion(is_zero_string(arguments[1]));
format_ass->location=target->location;
format_ass->location.set("property", "string");
std::string comment("zero-termination of format string of ");
comment += function_name;
format_ass->location.set("comment", comment);
for(unsigned i=2; i<arguments.size(); i++)
{
const exprt &arg = arguments[i];
const typet &arg_type=ns.follow(arguments[i].type());
if(arguments[i].id()!=ID_string_constant &&
is_string_type(arg_type))
{
goto_programt::targett assertion=dest.add_instruction();
assertion->location=target->location;
assertion->location.set("property", "string");
std::string comment("zero-termination of string argument of ");
comment += function_name;
assertion->location.set("comment", comment);
exprt temp(arg);
if(arg_type.id()!="pointer")
{
index_exprt index;
index.array()=temp;
index.index()=gen_zero(uint_type());
index.type()=arg_type.subtype();
temp=address_of_exprt(index);
}
assertion->make_assertion(is_zero_string(temp));
}
}
}
}
void string_instrumentationt::do_strerror(
goto_programt &dest,
goto_programt::targett it,
code_function_callt &call)
{
if(call.lhs().is_nil())
{
it->make_skip();
return;
}
irep_idt identifier_buf="__strerror_buffer";
irep_idt identifier_size="__strerror_buffer_size";
if(symbol_table.symbols.find(identifier_buf)==symbol_table.symbols.end())
{
symbolt new_symbol_size;
new_symbol_size.base_name="__strerror_buffer_size";
new_symbol_size.pretty_name=new_symbol_size.base_name;
new_symbol_size.name=identifier_size;
new_symbol_size.mode=ID_C;
new_symbol_size.type=size_type();
new_symbol_size.is_state_var=true;
new_symbol_size.is_lvalue=true;
new_symbol_size.is_static_lifetime=true;
array_typet type;
type.subtype()=char_type();
type.size()=new_symbol_size.symbol_expr();
symbolt new_symbol_buf;
new_symbol_buf.mode=ID_C;
new_symbol_buf.type=type;
new_symbol_buf.is_state_var=true;
new_symbol_buf.is_lvalue=true;
new_symbol_buf.is_static_lifetime=true;
new_symbol_buf.base_name="__strerror_buffer";
new_symbol_buf.pretty_name=new_symbol_buf.base_name;
new_symbol_buf.name=new_symbol_buf.base_name;
symbol_table.move(new_symbol_buf);
symbol_table.move(new_symbol_size);
}
const symbolt &symbol_size=ns.lookup(identifier_size);
const symbolt &symbol_buf=ns.lookup(identifier_buf);
goto_programt tmp;
{
goto_programt::targett assignment1=tmp.add_instruction(ASSIGN);
exprt nondet_size=side_effect_expr_nondett(size_type());
assignment1->code=code_assignt(symbol_size.symbol_expr(), nondet_size);
assignment1->source_location=it->source_location;
goto_programt::targett assumption1=tmp.add_instruction();
assumption1->make_assumption(
binary_relation_exprt(
symbol_size.symbol_expr(),
ID_notequal,
from_integer(0, symbol_size.type)));
assumption1->source_location=it->source_location;
}
// return a pointer to some magic buffer
index_exprt index(
symbol_buf.symbol_expr(),
from_integer(0, index_type()),
char_type());
address_of_exprt ptr(index);
// make that zero-terminated
{
goto_programt::targett assignment2=tmp.add_instruction(ASSIGN);
assignment2->code=code_assignt(is_zero_string(ptr, true), true_exprt());
assignment2->source_location=it->source_location;
}
// assign address
{
goto_programt::targett assignment3=tmp.add_instruction(ASSIGN);
exprt rhs=ptr;
make_type(rhs, call.lhs().type());
assignment3->code=code_assignt(call.lhs(), rhs);
assignment3->source_location=it->source_location;
}
it->make_skip();
dest.insert_before_swap(it, tmp);
}
