expr2tc abstract_domain_baset::get_return_lhs(locationt to) const
{
// get predecessor of "to"
to--;
if(to->is_end_function())
return expr2tc();
// must be the function call
assert(to->is_function_call());
const code_function_call2t &code = to_code_function_call2t(to->code);
return code.ret;
}
void
goto_symext::symex_step(reachability_treet & art)
{
assert(!cur_state->call_stack.empty());
const goto_programt::instructiont &instruction = *cur_state->source.pc;
// depth exceeded?
{
if (depth_limit != 0 && cur_state->depth > depth_limit)
cur_state->guard.add(false_expr);
cur_state->depth++;
}
// actually do instruction
switch (instruction.type) {
case SKIP:
case LOCATION:
// really ignore
cur_state->source.pc++;
break;
case END_FUNCTION:
symex_end_of_function();
// Potentially skip to run another function ptr target; if not,
// continue
if (!run_next_function_ptr_target(false))
cur_state->source.pc++;
break;
case GOTO:
{
expr2tc tmp(instruction.guard);
replace_nondet(tmp);
dereference(tmp, false);
replace_dynamic_allocation(tmp);
symex_goto(tmp);
}
break;
case ASSUME:
if (!cur_state->guard.is_false()) {
expr2tc tmp = instruction.guard;
replace_nondet(tmp);
dereference(tmp, false);
replace_dynamic_allocation(tmp);
cur_state->rename(tmp);
do_simplify(tmp);
if (!is_true(tmp)) {
expr2tc tmp2 = tmp;
expr2tc tmp3 = tmp2;
cur_state->guard.guard_expr(tmp2);
assume(tmp2);
// we also add it to the state guard
cur_state->guard.add(tmp3);
}
}
cur_state->source.pc++;
break;
case ASSERT:
if (!cur_state->guard.is_false()) {
if (!no_assertions ||
!cur_state->source.pc->location.user_provided()
|| deadlock_check) {
std::string msg = cur_state->source.pc->location.comment().as_string();
if (msg == "") msg = "assertion";
expr2tc tmp = instruction.guard;
replace_nondet(tmp);
dereference(tmp, false);
replace_dynamic_allocation(tmp);
claim(tmp, msg);
}
}
cur_state->source.pc++;
break;
case RETURN:
if (!cur_state->guard.is_false()) {
expr2tc thecode = instruction.code, assign;
if (make_return_assignment(assign, thecode)) {
goto_symext::symex_assign(assign);
}
symex_return();
}
cur_state->source.pc++;
break;
case ASSIGN:
if (!cur_state->guard.is_false()) {
code_assign2tc deref_code = instruction.code;
// XXX jmorse -- this is not fully symbolic.
if (thrown_obj_map.find(cur_state->source.pc) != thrown_obj_map.end()) {
symbol2tc thrown_obj = thrown_obj_map[cur_state->source.pc];
if (is_pointer_type(deref_code.get()->target.get()->type)
&& !is_pointer_type(thrown_obj.get()->type))
{
expr2tc new_thrown_obj(new address_of2t(thrown_obj.get()->type, thrown_obj));
deref_code.get()->source = new_thrown_obj;
}
else
deref_code.get()->source = thrown_obj;
thrown_obj_map.erase(cur_state->source.pc);
}
replace_nondet(deref_code);
code_assign2t &assign = to_code_assign2t(deref_code);
dereference(assign.target, true);
dereference(assign.source, false);
replace_dynamic_allocation(deref_code);
symex_assign(deref_code);
}
cur_state->source.pc++;
break;
case FUNCTION_CALL:
{
expr2tc deref_code = instruction.code;
replace_nondet(deref_code);
code_function_call2t &call = to_code_function_call2t(deref_code);
if (!is_nil_expr(call.ret)) {
dereference(call.ret, true);
}
replace_dynamic_allocation(deref_code);
for (std::vector<expr2tc>::iterator it = call.operands.begin();
it != call.operands.end(); it++)
if (!is_nil_expr(*it))
dereference(*it, false);
// Always run intrinsics, whether guard is false or not. This is due to the
// unfortunate circumstance where a thread starts with false guard due to
// decision taken in another thread in this trace. In that case the
// terminate intrinsic _has_ to run, or we explode.
if (is_symbol2t(call.function)) {
const irep_idt &id = to_symbol2t(call.function).thename;
if (has_prefix(id.as_string(), "c::__ESBMC")) {
cur_state->source.pc++;
std::string name = id.as_string().substr(3);
run_intrinsic(call, art, name);
return;
} else if (has_prefix(id.as_string(), "cpp::__ESBMC")) {
cur_state->source.pc++;
std::string name = id.as_string().substr(5);
name = name.substr(0, name.find("("));
run_intrinsic(call, art, name);
return;
}
}
// Don't run a function call if the guard is false.
if (!cur_state->guard.is_false()) {
symex_function_call(deref_code);
} else {
cur_state->source.pc++;
}
}
break;
case OTHER:
if (!cur_state->guard.is_false()) {
symex_other();
}
cur_state->source.pc++;
break;
case CATCH:
symex_catch();
break;
case THROW:
if (!cur_state->guard.is_false()) {
if(symex_throw())
cur_state->source.pc++;
} else {
cur_state->source.pc++;
}
break;
case THROW_DECL:
symex_throw_decl();
cur_state->source.pc++;
break;
case THROW_DECL_END:
// When we reach THROW_DECL_END, we must clear any throw_decl
if(stack_catch.size())
{
// Get to the correct try (always the last one)
goto_symex_statet::exceptiont* except=&stack_catch.top();
except->has_throw_decl=false;
except->throw_list_set.clear();
}
cur_state->source.pc++;
break;
default:
std::cerr << "GOTO instruction type " << instruction.type;
std::cerr << " not handled in goto_symext::symex_step" << std::endl;
abort();
}
}
