exprt interval_domaint::make_expression(const symbol_exprt &src) const
{
if(is_int(src.type()))
{
int_mapt::const_iterator i_it=int_map.find(src.get_identifier());
if(i_it==int_map.end()) return true_exprt();
const integer_intervalt &interval=i_it->second;
if(interval.is_top()) return true_exprt();
if(interval.is_bottom()) return false_exprt();
exprt::operandst conjuncts;
if(interval.upper_set)
{
exprt tmp=from_integer(interval.upper, src.type());
conjuncts.push_back(binary_relation_exprt(src, ID_le, tmp));
}
if(interval.lower_set)
{
exprt tmp=from_integer(interval.lower, src.type());
conjuncts.push_back(binary_relation_exprt(tmp, ID_le, src));
}
return conjunction(conjuncts);
}
else if(is_float(src.type()))
{
float_mapt::const_iterator i_it=float_map.find(src.get_identifier());
if(i_it==float_map.end()) return true_exprt();
const ieee_float_intervalt &interval=i_it->second;
if(interval.is_top()) return true_exprt();
if(interval.is_bottom()) return false_exprt();
exprt::operandst conjuncts;
if(interval.upper_set)
{
exprt tmp=interval.upper.to_expr();
conjuncts.push_back(binary_relation_exprt(src, ID_le, tmp));
}
if(interval.lower_set)
{
exprt tmp=interval.lower.to_expr();
conjuncts.push_back(binary_relation_exprt(tmp, ID_le, src));
}
return conjunction(conjuncts);
}
else
return true_exprt();
}
exprt ranking_synthesis_qbf_bitwiset::instantiate_projections(void)
{
std::pair<exprt,exprt> dlt = duplicate(ite_template(), bitwise_width);
if(bitwise_width<=1)
{
dlt.second.negate();
return binary_relation_exprt(dlt.second, ID_and, dlt.first);
}
else
return binary_relation_exprt(dlt.second, ID_lt, dlt.first);
}
exprt string_constraint_generatort::add_axioms_for_last_index_of(
const string_exprt &str, const exprt &c, const exprt &from_index)
{
const refined_string_typet &ref_type=to_refined_string_type(str.type());
const typet &index_type=ref_type.get_index_type();
symbol_exprt index=fresh_exist_index("last_index_of", index_type);
symbol_exprt contains=fresh_boolean("contains_in_last_index_of");
// We add axioms:
// a1 : -1 <= i <= from_index
// a2 : (i=-1 <=> !contains)
// a3 : (contains => i <= from_index &&s[i]=c)
// a4 : forall n. i+1 <= n < from_index +1 &&contains => s[n]!=c
// a5 : forall m. 0 <= m < from_index +1 &&!contains => s[m]!=c
exprt index1=from_integer(1, index_type);
exprt minus1=from_integer(-1, index_type);
exprt from_index_plus_one=plus_exprt(from_index, index1);
and_exprt a1(
binary_relation_exprt(index, ID_ge, minus1),
binary_relation_exprt(index, ID_lt, from_index_plus_one));
axioms.push_back(a1);
equal_exprt a2(not_exprt(contains), equal_exprt(index, minus1));
axioms.push_back(a2);
implies_exprt a3(
contains,
and_exprt(
binary_relation_exprt(from_index, ID_ge, index),
equal_exprt(str[index], c)));
axioms.push_back(a3);
symbol_exprt n=fresh_univ_index("QA_last_index_of", index_type);
string_constraintt a4(
n,
plus_exprt(index, index1),
from_index_plus_one,
contains,
not_exprt(equal_exprt(str[n], c)));
axioms.push_back(a4);
symbol_exprt m=fresh_univ_index("QA_last_index_of", index_type);
string_constraintt a5(
m,
from_index_plus_one,
not_exprt(contains),
not_exprt(equal_exprt(str[m], c)));
axioms.push_back(a5);
return index;
}
/// add axioms corresponding to the String.equalsIgnoreCase java function
/// \par parameters: function application with two string arguments
/// \return a Boolean expression
exprt string_constraint_generatort::add_axioms_for_equals_ignore_case(
const function_application_exprt &f)
{
assert(f.type()==bool_typet() || f.type().id()==ID_c_bool);
symbol_exprt eq=fresh_boolean("equal_ignore_case");
typecast_exprt tc_eq(eq, f.type());
string_exprt s1=add_axioms_for_string_expr(args(f, 2)[0]);
string_exprt s2=add_axioms_for_string_expr(args(f, 2)[1]);
typet char_type=to_refined_string_type(s1.type()).get_char_type();
exprt char_a=constant_char('a', char_type);
exprt char_A=constant_char('A', char_type);
exprt char_Z=constant_char('Z', char_type);
typet index_type=s1.length().type();
// We add axioms:
// a1 : eq => |s1|=|s2|
// a2 : forall qvar, 0<=qvar<|s1|,
// eq => char_equal_ignore_case(s1[qvar],s2[qvar]);
// a3 : !eq => |s1|!=s2 || (0 <=witness<|s1| &&!char_equal_ignore_case)
implies_exprt a1(eq, s1.axiom_for_has_same_length_as(s2));
axioms.push_back(a1);
symbol_exprt qvar=fresh_univ_index("QA_equal_ignore_case", index_type);
exprt constr2=character_equals_ignore_case(
s1[qvar], s2[qvar], char_a, char_A, char_Z);
string_constraintt a2(qvar, s1.length(), eq, constr2);
axioms.push_back(a2);
symbol_exprt witness=fresh_exist_index(
"witness_unequal_ignore_case", index_type);
exprt zero=from_integer(0, witness.type());
and_exprt bound_witness(
binary_relation_exprt(witness, ID_lt, s1.length()),
binary_relation_exprt(witness, ID_ge, zero));
exprt witness_eq=character_equals_ignore_case(
s1[witness], s2[witness], char_a, char_A, char_Z);
not_exprt witness_diff(witness_eq);
implies_exprt a3(
not_exprt(eq),
or_exprt(
notequal_exprt(s1.length(), s2.length()),
and_exprt(bound_witness, witness_diff)));
axioms.push_back(a3);
return tc_eq;
}
exprt string_constraint_generatort::add_axioms_for_last_index_of_string(
const string_exprt &str,
const string_exprt &substring,
const exprt &from_index)
{
const typet &index_type=str.length().type();
symbol_exprt offset=fresh_exist_index("index_of", index_type);
symbol_exprt contains=fresh_boolean("contains_substring");
// We add axioms:
// a1 : contains => |substring| >= length &&offset <= from_index
// a2 : !contains => offset=-1
// a3 : forall 0 <= witness<substring.length,
// contains => str[witness+offset]=substring[witness]
implies_exprt a1(
contains,
and_exprt(
str.axiom_for_is_longer_than(plus_exprt(substring.length(), offset)),
binary_relation_exprt(offset, ID_le, from_index)));
axioms.push_back(a1);
implies_exprt a2(
not_exprt(contains),
equal_exprt(offset, from_integer(-1, index_type)));
axioms.push_back(a2);
symbol_exprt qvar=fresh_univ_index("QA_index_of_string", index_type);
equal_exprt constr3(str[plus_exprt(qvar, offset)], substring[qvar]);
string_constraintt a3(qvar, substring.length(), contains, constr3);
axioms.push_back(a3);
return offset;
}
exprt string_constraint_generatort::add_axioms_for_index_of(
const string_exprt &str, const exprt &c, const exprt &from_index)
{
const typet &index_type=str.length().type();
symbol_exprt index=fresh_exist_index("index_of", index_type);
symbol_exprt contains=fresh_boolean("contains_in_index_of");
// We add axioms:
// a1 : -1 <= index<|str|
// a2 : !contains <=> index=-1
// a3 : contains => from_index<=index&&str[index]=c
// a4 : forall n, from_index<=n<index. contains => str[n]!=c
// a5 : forall m, from_index<=n<|str|. !contains => str[m]!=c
exprt minus1=from_integer(-1, index_type);
and_exprt a1(
binary_relation_exprt(index, ID_ge, minus1),
binary_relation_exprt(index, ID_lt, str.length()));
axioms.push_back(a1);
equal_exprt a2(not_exprt(contains), equal_exprt(index, minus1));
axioms.push_back(a2);
implies_exprt a3(
contains,
and_exprt(
binary_relation_exprt(from_index, ID_le, index),
equal_exprt(str[index], c)));
axioms.push_back(a3);
symbol_exprt n=fresh_univ_index("QA_index_of", index_type);
string_constraintt a4(
n, from_index, index, contains, not_exprt(equal_exprt(str[n], c)));
axioms.push_back(a4);
symbol_exprt m=fresh_univ_index("QA_index_of", index_type);
string_constraintt a5(
m,
from_index,
str.length(),
not_exprt(contains),
not_exprt(equal_exprt(str[m], c)));
axioms.push_back(a5);
return index;
}
/// returns an expression which is true when the two given characters are equal
/// when ignoring case for ASCII
/// \par parameters: two character expressions and constant character
/// expressions
/// representing 'a', 'A' and 'Z'
/// \return a expression of Boolean type
exprt string_constraint_generatort::character_equals_ignore_case(
exprt char1, exprt char2, exprt char_a, exprt char_A, exprt char_Z)
{
and_exprt is_upper_case_1(
binary_relation_exprt(char_A, ID_le, char1),
binary_relation_exprt(char1, ID_le, char_Z));
and_exprt is_upper_case_2(
binary_relation_exprt(char_A, ID_le, char2),
binary_relation_exprt(char2, ID_le, char_Z));
// Three possibilities:
// p1 : char1=char2
// p2 : (is_up1&&'a'-'A'+char1=char2)
// p3 : (is_up2&&'a'-'A'+char2=char1)
equal_exprt p1(char1, char2);
minus_exprt diff=minus_exprt(char_a, char_A);
and_exprt p2(is_upper_case_1, equal_exprt(plus_exprt(diff, char1), char2));
and_exprt p3(is_upper_case_2, equal_exprt(plus_exprt(diff, char2), char1));
return or_exprt(or_exprt(p1, p2), p3);
}
/// add axioms stating that the result is true exactly when the strings
/// represented by the arguments are equal
/// \par parameters: function application with two string arguments
/// \return a expression of Boolean type
exprt string_constraint_generatort::add_axioms_for_equals(
const function_application_exprt &f)
{
assert(f.type()==bool_typet() || f.type().id()==ID_c_bool);
symbol_exprt eq=fresh_boolean("equal");
typecast_exprt tc_eq(eq, f.type());
string_exprt s1=add_axioms_for_string_expr(args(f, 2)[0]);
string_exprt s2=add_axioms_for_string_expr(args(f, 2)[1]);
typet index_type=s1.length().type();
// We want to write:
// eq <=> (s1.length=s2.length &&forall i<s1.length. s1[i]=s2[i])
// We add axioms:
// a1 : eq => s1.length=s2.length
// a2 : forall i<s1.length. eq => s1[i]=s2[i]
// a3 : !eq => s1.length!=s2.length
// || (witness<s1.length &&s1[witness]!=s2[witness])
implies_exprt a1(eq, s1.axiom_for_has_same_length_as(s2));
axioms.push_back(a1);
symbol_exprt qvar=fresh_univ_index("QA_equal", index_type);
string_constraintt a2(qvar, s1.length(), eq, equal_exprt(s1[qvar], s2[qvar]));
axioms.push_back(a2);
symbol_exprt witness=fresh_exist_index("witness_unequal", index_type);
exprt zero=from_integer(0, index_type);
and_exprt bound_witness(
binary_relation_exprt(witness, ID_lt, s1.length()),
binary_relation_exprt(witness, ID_ge, zero));
and_exprt witnessing(bound_witness, notequal_exprt(s1[witness], s2[witness]));
implies_exprt a3(
not_exprt(eq),
or_exprt(notequal_exprt(s1.length(), s2.length()), witnessing));
axioms.push_back(a3);
return tc_eq;
}
void string_instrumentationt::do_snprintf(
goto_programt &dest,
goto_programt::targett target,
code_function_callt &call)
{
const code_function_callt::argumentst &arguments=call.arguments();
if(arguments.size()<3)
{
error().source_location=target->source_location;
error() << "snprintf expected to have three or more arguments"
<< eom;
throw 0;
}
goto_programt tmp;
goto_programt::targett assertion=tmp.add_instruction();
assertion->source_location=target->source_location;
assertion->source_location.set_property_class("string");
assertion->source_location.set_comment("snprintf buffer overflow");
exprt bufsize=buffer_size(arguments[0]);
assertion->make_assertion(
binary_relation_exprt(bufsize, ID_ge, arguments[1]));
do_format_string_read(tmp, target, arguments, 2, 3, "snprintf");
if(call.lhs().is_not_nil())
{
goto_programt::targett return_assignment=tmp.add_instruction(ASSIGN);
return_assignment->source_location=target->source_location;
exprt rhs=side_effect_expr_nondett(call.lhs().type());
rhs.add_source_location()=target->source_location;
return_assignment->code=code_assignt(call.lhs(), rhs);
}
target->make_skip();
dest.insert_before_swap(target, tmp);
}
bool ranking_synthesis_seneschalt::extract_ranking_relation(exprt &rf)
{
exprt function = rf;
replace_mapt post_replace_map;
for(bodyt::variable_mapt::const_iterator it=body.variable_map.begin();
it!=body.variable_map.end();
it++)
{
if(used_variables.find(it->first)==used_variables.end())
continue;
exprt postsym=symbol_exprt(it->first, ns.lookup(it->first).type);
exprt presym=symbol_exprt(it->second, ns.lookup(it->second).type);
post_replace_map[presym] = postsym;
}
for(intermediate_statet::const_iterator it=intermediate_state.begin();
it!=intermediate_state.end();
it++)
{
const exprt e=symbol_exprt(*it);
// Get rid of SSA-numbers
const std::string &str = id2string(*it);
exprt ne=e;
ne.set("identifier", str.substr(0, str.find('#')));
ne.type()=ns.lookup(ne.get("identifier")).type;
}
simplify(function, ns);
exprt post_function = function;
replace_expr(post_replace_map, post_function);
rank_relation = binary_relation_exprt(post_function, "<", function);
return true;
}
bool strategy_solver_binsearch3t::iterate(invariantt &_inv)
{
tpolyhedra_domaint::templ_valuet &inv=
static_cast<tpolyhedra_domaint::templ_valuet &>(_inv);
bool improved=false;
solver.new_context(); // for improvement check
exprt inv_expr=tpolyhedra_domain.to_pre_constraints(inv);
#if 0
debug() << "improvement check: " << eom;
debug() << "pre-inv: " << from_expr(ns, "", inv_expr) << eom;
#endif
solver << inv_expr;
exprt::operandst strategy_cond_exprs;
tpolyhedra_domain.make_not_post_constraints(
inv, strategy_cond_exprs, strategy_value_exprs);
strategy_cond_literals.resize(strategy_cond_exprs.size());
#if 0
debug() << "post-inv: ";
#endif
for(std::size_t i=0; i<strategy_cond_exprs.size(); i++)
{
#if 0
debug() << (i>0 ? " || " : "") << from_expr(ns, "", strategy_cond_exprs[i]);
#endif
strategy_cond_literals[i]=solver.convert(strategy_cond_exprs[i]);
strategy_cond_exprs[i]=literal_exprt(strategy_cond_literals[i]);
}
debug() << eom;
solver << disjunction(strategy_cond_exprs);
#if 0
debug() << "solve(): ";
#endif
std::set<tpolyhedra_domaint::rowt> improve_rows;
std::map<tpolyhedra_domaint::rowt, symbol_exprt> symb_values;
std::map<tpolyhedra_domaint::rowt, constant_exprt> lower_values;
exprt::operandst blocking_constraint;
bool improved_from_neginf=false;
while(solver()==decision_proceduret::D_SATISFIABLE) // improvement check
{
#if 0
debug() << "SAT" << eom;
#endif
improved=true;
std::size_t row=0;
for(; row<strategy_cond_literals.size(); row++)
{
if(solver.l_get(strategy_cond_literals[row]).is_true())
{
#if 1
debug() << "improve row " << row << eom;
#endif
improve_rows.insert(row);
symb_values[row]=tpolyhedra_domain.get_row_symb_value(row);
lower_values[row]=
simplify_const(solver.get(strategy_value_exprs[row]));
blocking_constraint.push_back(
literal_exprt(!strategy_cond_literals[row]));
if(tpolyhedra_domain.is_row_value_neginf(
tpolyhedra_domain.get_row_value(row, inv)))
improved_from_neginf=true;
}
}
solver << conjunction(blocking_constraint);
}
solver.pop_context(); // improvement check
if(!improved) // done
{
#if 0
debug() << "UNSAT" << eom;
#endif
return improved;
}
// symbolic value system
exprt pre_inv_expr=
tpolyhedra_domain.to_symb_pre_constraints(inv, improve_rows);
exprt post_inv_expr=
tpolyhedra_domain.to_symb_post_constraints(improve_rows);
assert(lower_values.size()>=1);
std::map<tpolyhedra_domaint::rowt, symbol_exprt>::iterator
it=symb_values.begin();
exprt _lower=lower_values[it->first];
#if 1
debug() << "update row " << it->first << ": "
<< from_expr(ns, "", lower_values[it->first]) << eom;
#endif
tpolyhedra_domain.set_row_value(it->first, lower_values[it->first], inv);
exprt _upper=
tpolyhedra_domain.get_max_row_value(it->first);
exprt sum=it->second;
for(++it; it!=symb_values.end(); ++it)
{
sum=plus_exprt(sum, it->second);
_upper=plus_exprt(_upper, tpolyhedra_domain.get_max_row_value(it->first));
_lower=plus_exprt(_lower, lower_values[it->first]);
#if 1
debug() << "update row " << it->first << ": "
<< from_expr(ns, "", lower_values[it->first]) << eom;
#endif
tpolyhedra_domain.set_row_value(it->first, lower_values[it->first], inv);
}
// do not solve system if we have just reached a new loop
// (the system will be very large!)
if(improved_from_neginf)
return improved;
solver.new_context(); // symbolic value system
solver << pre_inv_expr;
solver << post_inv_expr;
#if 1
debug() << "symbolic value system: " << eom;
debug() << "pre-inv: " << from_expr(ns, "", pre_inv_expr) << eom;
debug() << "post-inv: " << from_expr(ns, "", post_inv_expr) << eom;
#endif
extend_expr_types(sum);
extend_expr_types(_upper);
extend_expr_types(_lower);
tpolyhedra_domaint::row_valuet upper=simplify_const(_upper);
tpolyhedra_domaint::row_valuet lower=simplify_const(_lower);
assert(sum.type()==upper.type());
assert(sum.type()==lower.type());
symbol_exprt sum_bound(
SUM_BOUND_VAR+i2string(sum_bound_counter++),
sum.type());
solver << equal_exprt(sum_bound, sum);
#if 1
debug() << from_expr(ns, "", equal_exprt(sum_bound, sum)) << eom;
#endif
while(tpolyhedra_domain.less_than(lower, upper))
{
tpolyhedra_domaint::row_valuet middle=
tpolyhedra_domain.between(lower, upper);
if(!tpolyhedra_domain.less_than(lower, middle))
middle=upper;
// row_symb_value >= middle
assert(sum_bound.type()==middle.type());
exprt c=binary_relation_exprt(sum_bound, ID_ge, middle);
#if 1
debug() << "upper: " << from_expr(ns, "", upper) << eom;
debug() << "middle: " << from_expr(ns, "", middle) << eom;
debug() << "lower: " << from_expr(ns, "", lower) << eom;
#endif
solver.new_context(); // binary search iteration
#if 1
debug() << "constraint: " << from_expr(ns, "", c) << eom;
#endif
solver << c;
if(solver()==decision_proceduret::D_SATISFIABLE)
{
#if 0
debug() << "SAT" << eom;
#endif
lower=middle;
for(const auto &sv : symb_values)
{
#if 1
debug() << "update row " << sv.first << " "
<< from_expr(ns, "", sv.second) << ": ";
#endif
constant_exprt lower_row=
simplify_const(solver.get(sv.second));
#if 1
debug() << from_expr(ns, "", lower_row) << eom;
#endif
tpolyhedra_domain.set_row_value(sv.first, lower_row, inv);
}
}
else
{
#if 0
debug() << "UNSAT" << eom;
#endif
if(!tpolyhedra_domain.less_than(middle, upper))
middle=lower;
upper=middle;
}
solver.pop_context(); // binary search iteration
}
solver.pop_context(); // symbolic value system
return improved;
}
bool disjunctive_polynomial_accelerationt::accelerate(
path_acceleratort &accelerator) {
std::map<exprt, polynomialt> polynomials;
scratch_programt program(symbol_table);
accelerator.clear();
#ifdef DEBUG
std::cout << "Polynomial accelerating program:" << std::endl;
for (goto_programt::instructionst::iterator it = goto_program.instructions.begin();
it != goto_program.instructions.end();
++it) {
if (loop.find(it) != loop.end()) {
goto_program.output_instruction(ns, "scratch", std::cout, it);
}
}
std::cout << "Modified:" << std::endl;
for (expr_sett::iterator it = modified.begin();
it != modified.end();
++it) {
std::cout << expr2c(*it, ns) << std::endl;
}
#endif
if (loop_counter.is_nil()) {
symbolt loop_sym = utils.fresh_symbol("polynomial::loop_counter",
unsigned_poly_type());
loop_counter = loop_sym.symbol_expr();
}
patht &path = accelerator.path;
path.clear();
if (!find_path(path)) {
// No more paths!
return false;
}
#if 0
for (expr_sett::iterator it = modified.begin();
it != modified.end();
++it) {
polynomialt poly;
exprt target = *it;
if (it->type().id() == ID_bool) {
// Hack: don't try to accelerate booleans.
continue;
}
if (target.id() == ID_index ||
target.id() == ID_dereference) {
// We'll handle this later.
continue;
}
if (fit_polynomial(target, poly, path)) {
std::map<exprt, polynomialt> this_poly;
this_poly[target] = poly;
if (utils.check_inductive(this_poly, path)) {
#ifdef DEBUG
std::cout << "Fitted a polynomial for " << expr2c(target, ns) <<
std::endl;
#endif
polynomials[target] = poly;
accelerator.changed_vars.insert(target);
break;
}
}
}
if (polynomials.empty()) {
return false;
}
#endif
// Fit polynomials for the other variables.
expr_sett dirty;
utils.find_modified(accelerator.path, dirty);
polynomial_acceleratort path_acceleration(symbol_table, goto_functions,
loop_counter);
goto_programt::instructionst assigns;
for (patht::iterator it = accelerator.path.begin();
it != accelerator.path.end();
++it) {
if (it->loc->is_assign() || it->loc->is_decl()) {
assigns.push_back(*(it->loc));
}
}
for (expr_sett::iterator it = dirty.begin();
it != dirty.end();
++it) {
#ifdef DEBUG
std::cout << "Trying to accelerate " << expr2c(*it, ns) << std::endl;
#endif
if (it->type().id() == ID_bool) {
// Hack: don't try to accelerate booleans.
accelerator.dirty_vars.insert(*it);
#ifdef DEBUG
std::cout << "Ignoring boolean" << std::endl;
#endif
continue;
}
if (it->id() == ID_index ||
it->id() == ID_dereference) {
#ifdef DEBUG
std::cout << "Ignoring array reference" << std::endl;
#endif
continue;
}
if (accelerator.changed_vars.find(*it) != accelerator.changed_vars.end()) {
// We've accelerated variable this already.
#ifdef DEBUG
std::cout << "We've accelerated it already" << std::endl;
#endif
continue;
}
// Hack: ignore variables that depend on array values..
exprt array_rhs;
if (depends_on_array(*it, array_rhs)) {
#ifdef DEBUG
std::cout << "Ignoring because it depends on an array" << std::endl;
#endif
continue;
}
polynomialt poly;
exprt target(*it);
if (path_acceleration.fit_polynomial(assigns, target, poly)) {
std::map<exprt, polynomialt> this_poly;
this_poly[target] = poly;
if (utils.check_inductive(this_poly, accelerator.path)) {
polynomials[target] = poly;
accelerator.changed_vars.insert(target);
continue;
}
}
#ifdef DEBUG
std::cout << "Failed to accelerate " << expr2c(*it, ns) << std::endl;
#endif
// We weren't able to accelerate this target...
accelerator.dirty_vars.insert(target);
}
/*
if (!utils.check_inductive(polynomials, assigns)) {
// They're not inductive :-(
return false;
}
*/
substitutiont stashed;
utils.stash_polynomials(program, polynomials, stashed, path);
exprt guard;
bool path_is_monotone;
try {
path_is_monotone = utils.do_assumptions(polynomials, path, guard);
} catch (std::string s) {
// Couldn't do WP.
std::cout << "Assumptions error: " << s << std::endl;
return false;
}
exprt pre_guard(guard);
for (std::map<exprt, polynomialt>::iterator it = polynomials.begin();
it != polynomials.end();
++it) {
replace_expr(it->first, it->second.to_expr(), guard);
}
if (path_is_monotone) {
// OK cool -- the path is monotone, so we can just assume the condition for
// the last iteration.
replace_expr(loop_counter,
minus_exprt(loop_counter, from_integer(1, loop_counter.type())),
guard);
} else {
// The path is not monotone, so we need to introduce a quantifier to ensure
// that the condition held for all 0 <= k < n.
symbolt k_sym = utils.fresh_symbol("polynomial::k", unsigned_poly_type());
exprt k = k_sym.symbol_expr();
exprt k_bound = and_exprt(binary_relation_exprt(from_integer(0, k.type()), "<=", k),
binary_relation_exprt(k, "<", loop_counter));
replace_expr(loop_counter, k, guard);
simplify(guard, ns);
implies_exprt implies(k_bound, guard);
exprt forall(ID_forall);
forall.type() = bool_typet();
forall.copy_to_operands(k);
forall.copy_to_operands(implies);
guard = forall;
}
// All our conditions are met -- we can finally build the accelerator!
// It is of the form:
//
// loop_counter = *;
// target1 = polynomial1;
// target2 = polynomial2;
// ...
// assume(guard);
// assume(no overflows in previous code);
program.add_instruction(ASSUME)->guard = pre_guard;
program.assign(loop_counter, side_effect_expr_nondett(loop_counter.type()));
for (std::map<exprt, polynomialt>::iterator it = polynomials.begin();
it != polynomials.end();
++it) {
program.assign(it->first, it->second.to_expr());
accelerator.changed_vars.insert(it->first);
}
// Add in any array assignments we can do now.
if (!utils.do_arrays(assigns, polynomials, loop_counter, stashed, program)) {
// We couldn't model some of the array assignments with polynomials...
// Unfortunately that means we just have to bail out.
return false;
}
program.add_instruction(ASSUME)->guard = guard;
program.fix_types();
if (path_is_monotone) {
utils.ensure_no_overflows(program);
}
accelerator.pure_accelerator.instructions.swap(program.instructions);
return true;
}
bool disjunctive_polynomial_accelerationt::fit_polynomial(
exprt &var,
polynomialt &polynomial,
patht &path) {
// These are the variables that var depends on with respect to the body.
std::vector<expr_listt> parameters;
std::set<std::pair<expr_listt, exprt> > coefficients;
expr_listt exprs;
scratch_programt program(symbol_table);
expr_sett influence;
cone_of_influence(var, influence);
#ifdef DEBUG
std::cout << "Fitting a polynomial for " << expr2c(var, ns) << ", which depends on:"
<< std::endl;
for (expr_sett::iterator it = influence.begin();
it != influence.end();
++it) {
std::cout << expr2c(*it, ns) << std::endl;
}
#endif
for (expr_sett::iterator it = influence.begin();
it != influence.end();
++it) {
if (it->id() == ID_index ||
it->id() == ID_dereference) {
// Hack: don't accelerate anything that depends on an array
// yet...
return false;
}
exprs.clear();
exprs.push_back(*it);
parameters.push_back(exprs);
exprs.push_back(loop_counter);
parameters.push_back(exprs);
}
// N
exprs.clear();
exprs.push_back(loop_counter);
parameters.push_back(exprs);
// N^2
exprs.push_back(loop_counter);
parameters.push_back(exprs);
// Constant
exprs.clear();
parameters.push_back(exprs);
for (std::vector<expr_listt>::iterator it = parameters.begin();
it != parameters.end();
++it) {
symbolt coeff = utils.fresh_symbol("polynomial::coeff", signed_poly_type());
coefficients.insert(make_pair(*it, coeff.symbol_expr()));
// XXX HACK HACK HACK
// I'm just constraining these coefficients to prevent overflows messing things
// up later... Should really do this properly somehow.
program.assume(binary_relation_exprt(from_integer(-(1 << 10), signed_poly_type()),
"<", coeff.symbol_expr()));
program.assume(binary_relation_exprt(coeff.symbol_expr(), "<",
from_integer(1 << 10, signed_poly_type())));
}
// Build a set of values for all the parameters that allow us to fit a
// unique polynomial.
std::map<exprt, exprt> ivals1;
std::map<exprt, exprt> ivals2;
std::map<exprt, exprt> ivals3;
for (expr_sett::iterator it = influence.begin();
it != influence.end();
++it) {
symbolt ival1 = utils.fresh_symbol("polynomial::init",
it->type());
symbolt ival2 = utils.fresh_symbol("polynomial::init",
it->type());
symbolt ival3 = utils.fresh_symbol("polynomial::init",
it->type());
program.assume(binary_relation_exprt(ival1.symbol_expr(), "<",
ival2.symbol_expr()));
program.assume(binary_relation_exprt(ival2.symbol_expr(), "<",
ival3.symbol_expr()));
#if 0
if (it->type() == signedbv_typet()) {
program.assume(binary_relation_exprt(ival1.symbol_expr(), ">",
from_integer(-100, it->type())));
}
program.assume(binary_relation_exprt(ival1.symbol_expr(), "<",
from_integer(100, it->type())));
if (it->type() == signedbv_typet()) {
program.assume(binary_relation_exprt(ival2.symbol_expr(), ">",
from_integer(-100, it->type())));
}
program.assume(binary_relation_exprt(ival2.symbol_expr(), "<",
from_integer(100, it->type())));
if (it->type() == signedbv_typet()) {
program.assume(binary_relation_exprt(ival3.symbol_expr(), ">",
from_integer(-100, it->type())));
}
program.assume(binary_relation_exprt(ival3.symbol_expr(), "<",
from_integer(100, it->type())));
#endif
ivals1[*it] = ival1.symbol_expr();
ivals2[*it] = ival2.symbol_expr();
ivals3[*it] = ival3.symbol_expr();
//ivals1[*it] = from_integer(1, it->type());
}
std::map<exprt, exprt> values;
for (expr_sett::iterator it = influence.begin();
it != influence.end();
++it) {
values[*it] = ivals1[*it];
}
// Start building the program. Begin by decl'ing each of the
// master distinguishers.
for (std::list<exprt>::iterator it = distinguishers.begin();
it != distinguishers.end();
++it) {
program.add_instruction(DECL)->code = code_declt(*it);
}
// Now assume our polynomial fits at each of our sample points.
assert_for_values(program, values, coefficients, 1, fixed, var);
for (int n = 0; n <= 1; n++) {
for (expr_sett::iterator it = influence.begin();
it != influence.end();
++it) {
values[*it] = ivals2[*it];
assert_for_values(program, values, coefficients, n, fixed, var);
values[*it] = ivals3[*it];
assert_for_values(program, values, coefficients, n, fixed, var);
values[*it] = ivals1[*it];
}
}
for (expr_sett::iterator it = influence.begin();
it != influence.end();
++it) {
values[*it] = ivals3[*it];
}
assert_for_values(program, values, coefficients, 0, fixed, var);
assert_for_values(program, values, coefficients, 1, fixed, var);
assert_for_values(program, values, coefficients, 2, fixed, var);
// Let's make sure that we get a path we have not seen before.
for (std::list<distinguish_valuest>::iterator it = accelerated_paths.begin();
it != accelerated_paths.end();
++it) {
exprt new_path = false_exprt();
for (distinguish_valuest::iterator jt = it->begin();
jt != it->end();
++jt) {
exprt distinguisher = jt->first;
bool taken = jt->second;
if (taken) {
not_exprt negated(distinguisher);
distinguisher.swap(negated);
}
or_exprt disjunct(new_path, distinguisher);
new_path.swap(disjunct);
}
program.assume(new_path);
}
utils.ensure_no_overflows(program);
// Now do an ASSERT(false) to grab a counterexample
program.add_instruction(ASSERT)->guard = false_exprt();
// If the path is satisfiable, we've fitted a polynomial. Extract the
// relevant coefficients and return the expression.
try {
if (program.check_sat()) {
#ifdef DEBUG
std::cout << "Found a polynomial" << std::endl;
#endif
utils.extract_polynomial(program, coefficients, polynomial);
build_path(program, path);
record_path(program);
return true;
}
} catch (std::string s) {
std::cout << "Error in fitting polynomial SAT check: " << s << std::endl;
} catch (const char *s) {
std::cout << "Error in fitting polynomial SAT check: " << s << std::endl;
}
return false;
}
void goto_convertt::do_java_new_array(
const exprt &lhs,
const side_effect_exprt &rhs,
goto_programt &dest)
{
if(lhs.is_nil())
throw "do_java_new_array without lhs is yet to be implemented";
source_locationt location=rhs.source_location();
assert(rhs.operands().size()>=1); // one per dimension
if(rhs.type().id()!=ID_pointer)
throw "do_java_new_array returns pointer";
typet object_type=rhs.type().subtype();
// build size expression
exprt object_size=size_of_expr(object_type, ns);
if(object_size.is_nil())
throw "do_java_new_array got nil object_size";
// we produce a malloc side-effect, which stays
side_effect_exprt malloc_expr(ID_malloc);
malloc_expr.copy_to_operands(object_size);
malloc_expr.type()=pointer_typet(object_type);
goto_programt::targett t_n=dest.add_instruction(ASSIGN);
t_n->code=code_assignt(lhs, malloc_expr);
t_n->source_location=location;
// multi-dimensional?
assert(ns.follow(object_type).id()==ID_struct);
const struct_typet &struct_type=to_struct_type(ns.follow(object_type));
assert(struct_type.components().size()==3);
// if it's an array, we need to set the length field
dereference_exprt deref(lhs, object_type);
member_exprt length(deref, struct_type.components()[1].get_name(), struct_type.components()[1].type());
goto_programt::targett t_s=dest.add_instruction(ASSIGN);
t_s->code=code_assignt(length, rhs.op0());
t_s->source_location=location;
// we also need to allocate space for the data
member_exprt data(deref, struct_type.components()[2].get_name(), struct_type.components()[2].type());
side_effect_exprt data_cpp_new_expr(ID_cpp_new_array, data.type());
data_cpp_new_expr.set(ID_size, rhs.op0());
goto_programt::targett t_p=dest.add_instruction(ASSIGN);
t_p->code=code_assignt(data, data_cpp_new_expr);
t_p->source_location=location;
// zero-initialize the data
exprt zero_element=gen_zero(data.type().subtype());
codet array_set(ID_array_set);
array_set.copy_to_operands(data, zero_element);
goto_programt::targett t_d=dest.add_instruction(OTHER);
t_d->code=array_set;
t_d->source_location=location;
if(rhs.operands().size()>=2)
{
// produce
// for(int i=0; i<size; i++) tmp[i]=java_new(dim-1);
// This will be converted recursively.
goto_programt tmp;
symbol_exprt tmp_i=
new_tmp_symbol(index_type(), "index", tmp, location).symbol_expr();
code_fort for_loop;
side_effect_exprt sub_java_new=rhs;
sub_java_new.operands().erase(sub_java_new.operands().begin());
side_effect_exprt inc(ID_assign);
inc.operands().resize(2);
inc.op0()=tmp_i;
inc.op1()=plus_exprt(tmp_i, gen_one(tmp_i.type()));
dereference_exprt deref_expr(plus_exprt(data, tmp_i), data.type().subtype());
for_loop.init()=code_assignt(tmp_i, gen_zero(tmp_i.type()));
for_loop.cond()=binary_relation_exprt(tmp_i, ID_lt, rhs.op0());
for_loop.iter()=inc;
for_loop.body()=code_skipt();
for_loop.body()=code_assignt(deref_expr, sub_java_new);
convert(for_loop, tmp);
dest.destructive_append(tmp);
}
}
void string_instrumentationt::do_strerror(
goto_programt &dest,
goto_programt::targett it,
code_function_callt &call)
{
if(call.lhs().is_nil())
{
it->make_skip();
return;
}
irep_idt identifier_buf="__strerror_buffer";
irep_idt identifier_size="__strerror_buffer_size";
if(symbol_table.symbols.find(identifier_buf)==symbol_table.symbols.end())
{
symbolt new_symbol_size;
new_symbol_size.base_name="__strerror_buffer_size";
new_symbol_size.pretty_name=new_symbol_size.base_name;
new_symbol_size.name=identifier_size;
new_symbol_size.mode=ID_C;
new_symbol_size.type=size_type();
new_symbol_size.is_state_var=true;
new_symbol_size.is_lvalue=true;
new_symbol_size.is_static_lifetime=true;
array_typet type;
type.subtype()=char_type();
type.size()=new_symbol_size.symbol_expr();
symbolt new_symbol_buf;
new_symbol_buf.mode=ID_C;
new_symbol_buf.type=type;
new_symbol_buf.is_state_var=true;
new_symbol_buf.is_lvalue=true;
new_symbol_buf.is_static_lifetime=true;
new_symbol_buf.base_name="__strerror_buffer";
new_symbol_buf.pretty_name=new_symbol_buf.base_name;
new_symbol_buf.name=new_symbol_buf.base_name;
symbol_table.move(new_symbol_buf);
symbol_table.move(new_symbol_size);
}
const symbolt &symbol_size=ns.lookup(identifier_size);
const symbolt &symbol_buf=ns.lookup(identifier_buf);
goto_programt tmp;
{
goto_programt::targett assignment1=tmp.add_instruction(ASSIGN);
exprt nondet_size=side_effect_expr_nondett(size_type());
assignment1->code=code_assignt(symbol_size.symbol_expr(), nondet_size);
assignment1->source_location=it->source_location;
goto_programt::targett assumption1=tmp.add_instruction();
assumption1->make_assumption(
binary_relation_exprt(
symbol_size.symbol_expr(),
ID_notequal,
from_integer(0, symbol_size.type)));
assumption1->source_location=it->source_location;
}
// return a pointer to some magic buffer
index_exprt index(
symbol_buf.symbol_expr(),
from_integer(0, index_type()),
char_type());
address_of_exprt ptr(index);
// make that zero-terminated
{
goto_programt::targett assignment2=tmp.add_instruction(ASSIGN);
assignment2->code=code_assignt(is_zero_string(ptr, true), true_exprt());
assignment2->source_location=it->source_location;
}
// assign address
{
goto_programt::targett assignment3=tmp.add_instruction(ASSIGN);
exprt rhs=ptr;
make_type(rhs, call.lhs().type());
assignment3->code=code_assignt(call.lhs(), rhs);
assignment3->source_location=it->source_location;
}
it->make_skip();
dest.insert_before_swap(it, tmp);
}
codet java_bytecode_convertt::convert_instructions(
const instructionst &instructions,
const code_typet &method_type)
{
// Run a worklist algorithm, assuming that the bytecode has not
// been tampered with. See "Leroy, X. (2003). Java bytecode
// verification: algorithms and formalizations. Journal of Automated
// Reasoning, 30(3-4), 235-269." for a more complete treatment.
// first pass: get targets and map addresses to instructions
struct converted_instructiont
{
converted_instructiont(
const instructionst::const_iterator &it,
const codet &_code):source(it), code(_code), done(false)
{
}
instructionst::const_iterator source;
std::list<unsigned> successors;
std::set<unsigned> predecessors;
codet code;
stackt stack;
bool done;
};
typedef std::map<unsigned, converted_instructiont> address_mapt;
address_mapt address_map;
std::set<unsigned> targets;
for(instructionst::const_iterator
i_it=instructions.begin();
i_it!=instructions.end();
i_it++)
{
std::pair<address_mapt::iterator, bool> a_entry=
address_map.insert(std::make_pair(
i_it->address,
converted_instructiont(i_it, code_skipt())));
assert(a_entry.second);
// addresses are strictly increasing, hence we must have inserted
// a new maximal key
assert(a_entry.first==--address_map.end());
if(i_it->statement!="goto" &&
i_it->statement!="return" &&
!(i_it->statement==patternt("?return")) &&
i_it->statement!="athrow")
{
instructionst::const_iterator next=i_it;
if(++next!=instructions.end())
a_entry.first->second.successors.push_back(next->address);
}
if(i_it->statement=="goto" ||
i_it->statement==patternt("if_?cmp??") ||
i_it->statement==patternt("if??") ||
i_it->statement=="ifnonnull" ||
i_it->statement=="ifnull")
{
assert(!i_it->args.empty());
const unsigned target=safe_string2unsigned(
id2string(to_constant_expr(i_it->args[0]).get_value()));
targets.insert(target);
a_entry.first->second.successors.push_back(target);
}
else if(i_it->statement=="tableswitch" ||
i_it->statement=="lookupswitch")
{
bool is_label=true;
for(instructiont::argst::const_iterator
a_it=i_it->args.begin();
a_it!=i_it->args.end();
a_it++, is_label=!is_label)
{
if(is_label)
{
const unsigned target=safe_string2unsigned(
id2string(to_constant_expr(*a_it).get_value()));
targets.insert(target);
a_entry.first->second.successors.push_back(target);
}
}
}
}
for(address_mapt::iterator
it=address_map.begin();
it!=address_map.end();
++it)
{
for(unsigned s : it->second.successors)
{
address_mapt::iterator a_it=address_map.find(s);
assert(a_it!=address_map.end());
a_it->second.predecessors.insert(it->first);
}
}
std::set<unsigned> working_set;
if(!instructions.empty())
working_set.insert(instructions.front().address);
while(!working_set.empty())
{
std::set<unsigned>::iterator cur=working_set.begin();
address_mapt::iterator a_it=address_map.find(*cur);
assert(a_it!=address_map.end());
working_set.erase(cur);
if(a_it->second.done) continue;
working_set.insert(a_it->second.successors.begin(),
a_it->second.successors.end());
instructionst::const_iterator i_it=a_it->second.source;
stack.swap(a_it->second.stack);
a_it->second.stack.clear();
codet &c=a_it->second.code;
assert(stack.empty() ||
a_it->second.predecessors.size()<=1 ||
has_prefix(stack.front().get_string(ID_C_base_name),
"$stack"));
irep_idt statement=i_it->statement;
exprt arg0=i_it->args.size()>=1?i_it->args[0]:nil_exprt();
exprt arg1=i_it->args.size()>=2?i_it->args[1]:nil_exprt();
const bytecode_infot &bytecode_info=get_bytecode_info(statement);
// deal with _idx suffixes
if(statement.size()>=2 &&
statement[statement.size()-2]=='_' &&
isdigit(statement[statement.size()-1]))
{
arg0=constant_exprt(
std::string(id2string(statement), statement.size()-1, 1),
integer_typet());
statement=std::string(id2string(statement), 0, statement.size()-2);
}
exprt::operandst op=pop(bytecode_info.pop);
exprt::operandst results;
results.resize(bytecode_info.push, nil_exprt());
if(statement=="aconst_null")
{
assert(results.size()==1);
results[0]=gen_zero(java_reference_type(void_typet()));
}
else if(statement=="athrow")
{
assert(op.size()==1 && results.size()==1);
side_effect_expr_throwt throw_expr;
throw_expr.add_source_location()=i_it->source_location;
throw_expr.copy_to_operands(op[0]);
c=code_expressiont(throw_expr);
results[0]=op[0];
}
else if(statement=="checkcast")
{
// checkcast throws an exception in case a cast of object
// on stack to given type fails.
// The stack isn't modified.
assert(op.size()==1 && results.size()==1);
results[0]=op[0];
}
else if(statement=="invokedynamic")
{
// not used in Java
code_typet &code_type=to_code_type(arg0.type());
const code_typet::parameterst ¶meters(code_type.parameters());
pop(parameters.size());
const typet &return_type=code_type.return_type();
if(return_type.id()!=ID_empty)
{
results.resize(1);
results[0]=nil_exprt();
}
}
else if(statement=="invokeinterface" ||
statement=="invokespecial" ||
statement=="invokevirtual" ||
statement=="invokestatic")
{
const bool use_this(statement != "invokestatic");
const bool is_virtual(
statement == "invokevirtual" || statement == "invokeinterface");
code_typet &code_type=to_code_type(arg0.type());
code_typet::parameterst ¶meters(code_type.parameters());
if(use_this)
{
if(parameters.empty() || !parameters[0].get_this())
{
const empty_typet empty;
pointer_typet object_ref_type(empty);
code_typet::parametert this_p(object_ref_type);
this_p.set_this();
this_p.set_base_name("this");
parameters.insert(parameters.begin(), this_p);
}
}
code_function_callt call;
call.add_source_location()=i_it->source_location;
call.arguments() = pop(parameters.size());
// double-check a bit
if(use_this)
{
const exprt &this_arg=call.arguments().front();
assert(this_arg.type().id()==ID_pointer);
}
// do some type adjustment for the arguments,
// as Java promotes arguments
for(unsigned i=0; i<parameters.size(); i++)
{
const typet &type=parameters[i].type();
if(type==java_boolean_type() ||
type==java_char_type() ||
type==java_byte_type() ||
type==java_short_type())
{
assert(i<call.arguments().size());
call.arguments()[i].make_typecast(type);
}
}
// do some type adjustment for return values
const typet &return_type=code_type.return_type();
if(return_type.id()!=ID_empty)
{
// return types are promoted in Java
call.lhs()=tmp_variable("return", return_type);
exprt promoted=java_bytecode_promotion(call.lhs());
results.resize(1);
results[0]=promoted;
}
assert(arg0.id()==ID_virtual_function);
// does the function symbol exist?
irep_idt id=arg0.get(ID_identifier);
if(symbol_table.symbols.find(id)==symbol_table.symbols.end())
{
// no, create stub
symbolt symbol;
symbol.name=id;
symbol.base_name=arg0.get(ID_C_base_name);
symbol.type=arg0.type();
symbol.value.make_nil();
symbol.mode=ID_java;
symbol_table.add(symbol);
}
if(is_virtual)
{
// dynamic binding
assert(use_this);
assert(!call.arguments().empty());
call.function()=arg0;
}
else
{
// static binding
/*if(id == "java::java.lang.String.charAt:(I)C")
call.function()=symbol_exprt("java::__CPROVER_uninterpreted_char_at", arg0.type());
else*/
call.function()=symbol_exprt(arg0.get(ID_identifier), arg0.type());
}
call.function().add_source_location()=i_it->source_location;
c = call;
}
else if(statement=="return")
{
assert(op.empty() && results.empty());
c=code_returnt();
}
else if(statement==patternt("?return"))
{
// Return types are promoted in java, so this might need
// conversion.
assert(op.size()==1 && results.empty());
exprt r=op[0];
if(r.type()!=method_return_type) r=typecast_exprt(r, method_return_type);
c=code_returnt(r);
}
else if(statement==patternt("?astore"))
{
assert(op.size()==3 && results.empty());
char type_char=statement[0];
exprt pointer=
typecast_exprt(op[0], java_array_type(type_char));
const dereference_exprt deref(pointer, pointer.type().subtype());
const member_exprt data_ptr(
deref, "data", pointer_typet(java_type_from_char(type_char)));
plus_exprt data_plus_offset(data_ptr, op[1], data_ptr.type());
typet element_type=data_ptr.type().subtype();
const dereference_exprt element(data_plus_offset, element_type);
c=code_assignt(element, op[2]);
}
else if(statement==patternt("?store"))
{
// store value into some local variable
assert(op.size()==1 && results.empty());
exprt var=variable(arg0, statement[0]);
const bool is_array('a' == statement[0]);
if(is_array)
var.type()=op[0].type();
c=code_assignt(var, op[0]);
}
else if(statement==patternt("?aload"))
{
assert(op.size() == 2 && results.size() == 1);
char type_char=statement[0];
exprt pointer=
typecast_exprt(op[0], java_array_type(type_char));
const dereference_exprt deref(pointer, pointer.type().subtype());
const member_exprt data_ptr(
deref, "data", pointer_typet(java_type_from_char(type_char)));
plus_exprt data_plus_offset(data_ptr, op[1], data_ptr.type());
typet element_type=data_ptr.type().subtype();
dereference_exprt element(data_plus_offset, element_type);
results[0]=java_bytecode_promotion(element);
}
else if(statement==patternt("?load"))
{
// load a value from a local variable
results[0]=variable(arg0, statement[0]);
}
else if(statement=="ldc" || statement=="ldc_w" ||
statement=="ldc2" || statement=="ldc2_w")
{
assert(op.empty() && results.size()==1);
// 1) Pushing a String causes a reference to a java.lang.String object
// to be constructed and pushed onto the operand stack.
// 2) Pushing an int or a float causes a primitive value to be pushed
// onto the stack.
// 3) Pushing a Class constant causes a reference to a java.lang.Class
// to be pushed onto the operand stack
if(arg0.id()==ID_java_string_literal)
{
// these need to be references to java.lang.String
results[0]=arg0;
symbol_typet string_type("java::java.lang.String");
results[0].type()=pointer_typet(string_type);
}
else if(arg0.id()==ID_type)
{
irep_idt class_id=arg0.type().get(ID_identifier);
symbol_typet java_lang_Class("java::java.lang.Class");
symbol_exprt symbol_expr(id2string(class_id)+"@class_model", java_lang_Class);
address_of_exprt address_of_expr(symbol_expr);
results[0]=address_of_expr;
}
else if(arg0.id()==ID_constant)
{
results[0]=arg0;
}
else
{
error() << "unexpected ldc argument" << eom;
throw 0;
}
}
else if(statement=="goto" || statement=="goto_w")
{
assert(op.empty() && results.empty());
irep_idt number=to_constant_expr(arg0).get_value();
code_gotot code_goto(label(number));
c=code_goto;
}
else if(statement=="iconst_m1")
{
assert(results.size()==1);
results[0]=from_integer(-1, java_int_type());
}
else if(statement==patternt("?const"))
{
assert(results.size() == 1);
const char type_char=statement[0];
const bool is_double('d' == type_char);
const bool is_float('f' == type_char);
if(is_double || is_float)
{
const ieee_float_spect spec(
is_float ?
ieee_float_spect::single_precision() :
ieee_float_spect::double_precision());
ieee_floatt value(spec);
const typet &arg_type(arg0.type());
if(ID_integer == arg_type.id())
value.from_integer(arg0.get_int(ID_value));
else
value.from_expr(to_constant_expr(arg0));
results[0] = value.to_expr();
}
else
{
const unsigned int value(arg0.get_unsigned_int(ID_value));
const typet type=java_type_from_char(statement[0]);
results[0] = as_number(value, type);
}
}
else if(statement==patternt("?ipush"))
{
assert(results.size()==1);
results[0]=typecast_exprt(arg0, java_int_type());
}
else if(statement==patternt("if_?cmp??"))
{
irep_idt number=to_constant_expr(arg0).get_value();
assert(op.size()==2 && results.empty());
code_ifthenelset code_branch;
const irep_idt cmp_op=get_if_cmp_operator(statement);
binary_relation_exprt condition(op[0], cmp_op, op[1]);
cast_if_necessary(condition);
code_branch.cond()=condition;
code_branch.then_case()=code_gotot(label(number));
code_branch.then_case().add_source_location()=i_it->source_location;
code_branch.add_source_location()=i_it->source_location;
c=code_branch;
}
else if(statement==patternt("if??"))
{
const irep_idt id=
statement=="ifeq"?ID_equal:
statement=="ifne"?ID_notequal:
statement=="iflt"?ID_lt:
statement=="ifge"?ID_ge:
statement=="ifgt"?ID_gt:
statement=="ifle"?ID_le:
(assert(false), "");
irep_idt number=to_constant_expr(arg0).get_value();
assert(op.size()==1 && results.empty());
code_ifthenelset code_branch;
code_branch.cond()=binary_relation_exprt(op[0], id, gen_zero(op[0].type()));
code_branch.cond().add_source_location()=i_it->source_location;
code_branch.then_case()=code_gotot(label(number));
code_branch.then_case().add_source_location()=i_it->source_location;
code_branch.add_source_location()=i_it->source_location;
c=code_branch;
}
else if(statement==patternt("ifnonnull"))
{
irep_idt number=to_constant_expr(arg0).get_value();
assert(op.size()==1 && results.empty());
code_ifthenelset code_branch;
const typecast_exprt lhs(op[0], pointer_typet());
const exprt rhs(gen_zero(lhs.type()));
code_branch.cond()=binary_relation_exprt(lhs, ID_notequal, rhs);
code_branch.then_case()=code_gotot(label(number));
code_branch.then_case().add_source_location()=i_it->source_location;
code_branch.add_source_location()=i_it->source_location;
c=code_branch;
}
else if(statement==patternt("ifnull"))
{
assert(op.size()==1 && results.empty());
irep_idt number=to_constant_expr(arg0).get_value();
code_ifthenelset code_branch;
const typecast_exprt lhs(op[0], pointer_typet(empty_typet()));
const exprt rhs(gen_zero(lhs.type()));
code_branch.cond()=binary_relation_exprt(lhs, ID_equal, rhs);
code_branch.then_case()=code_gotot(label(number));
code_branch.then_case().add_source_location()=i_it->source_location;
code_branch.add_source_location()=i_it->source_location;
c=code_branch;
}
else if(statement=="iinc")
{
code_assignt code_assign;
code_assign.lhs()=variable(arg0, 'i');
code_assign.rhs()=plus_exprt(
variable(arg0, 'i'),
typecast_exprt(arg1, java_int_type()));
c=code_assign;
}
else if(statement==patternt("?xor"))
{
assert(op.size()==2 && results.size()==1);
results[0]=bitxor_exprt(op[0], op[1]);
}
else if(statement==patternt("?or"))
{
assert(op.size()==2 && results.size()==1);
results[0]=bitor_exprt(op[0], op[1]);
}
else if(statement==patternt("?and"))
{
assert(op.size()==2 && results.size()==1);
results[0]=bitand_exprt(op[0], op[1]);
}
else if(statement==patternt("?shl"))
{
assert(op.size()==2 && results.size()==1);
results[0]=shl_exprt(op[0], op[1]);
}
else if(statement==patternt("?shr"))
{
assert(op.size()==2 && results.size()==1);
results[0]=ashr_exprt(op[0], op[1]);
}
else if(statement==patternt("?ushr"))
{
assert(op.size()==2 && results.size()==1);
const typet type(java_type_from_char(statement[0]));
const unsigned int width(type.get_unsigned_int(ID_width));
typet target=unsigned_long_int_type();
target.set(ID_width, width);
const typecast_exprt lhs(op[0], target);
const typecast_exprt rhs(op[1], target);
results[0]=lshr_exprt(lhs, rhs);
}
else if(statement==patternt("?add"))
{
assert(op.size()==2 && results.size()==1);
results[0]=plus_exprt(op[0], op[1]);
}
else if(statement==patternt("?sub"))
{
assert(op.size()==2 && results.size()==1);
results[0]=minus_exprt(op[0], op[1]);
}
else if(statement==patternt("?div"))
{
assert(op.size()==2 && results.size()==1);
results[0]=div_exprt(op[0], op[1]);
}
else if(statement==patternt("?mul"))
{
assert(op.size()==2 && results.size()==1);
results[0]=mult_exprt(op[0], op[1]);
}
else if(statement==patternt("?neg"))
{
assert(op.size()==1 && results.size()==1);
results[0]=unary_minus_exprt(op[0], op[0].type());
}
else if(statement==patternt("?rem"))
{
assert(op.size()==2 && results.size()==1);
if(statement=="frem" || statement=="drem")
results[0]=rem_exprt(op[0], op[1]);
else
results[0]=mod_exprt(op[0], op[1]);
}
else if(statement==patternt("?cmp"))
{
assert(op.size() == 2 && results.size() == 1);
// The integer result on the stack is:
// 0 if op[0] equals op[1]
// -1 if op[0] is less than op[1]
// 1 if op[0] is greater than op[1]
const typet t=java_int_type();
results[0]=
if_exprt(binary_relation_exprt(op[0], ID_equal, op[1]), gen_zero(t),
if_exprt(binary_relation_exprt(op[0], ID_gt, op[1]), from_integer(1, t),
from_integer(-1, t)));
}
else if(statement==patternt("?cmp?"))
{
assert(op.size()==2 && results.size()==1);
const floatbv_typet type(to_floatbv_type(java_type_from_char(statement[0])));
const ieee_float_spect spec(type);
const ieee_floatt nan(ieee_floatt::NaN(spec));
const constant_exprt nan_expr(nan.to_expr());
const int nan_value(statement[4] == 'l' ? -1 : 1);
const typet result_type(java_int_type());
const exprt nan_result(from_integer(nan_value, result_type));
// (value1 == NaN || value2 == NaN) ? nan_value : value1 < value2 ? -1 : value2 < value1 1 ? 1 : 0;
// (value1 == NaN || value2 == NaN) ? nan_value : value1 == value2 ? 0 : value1 < value2 -1 ? 1 : 0;
results[0]=
if_exprt(or_exprt(ieee_float_equal_exprt(nan_expr, op[0]), ieee_float_equal_exprt(nan_expr, op[1])), nan_result,
if_exprt(ieee_float_equal_exprt(op[0], op[1]), gen_zero(result_type),
if_exprt(binary_relation_exprt(op[0], ID_lt, op[1]), from_integer(-1, result_type), from_integer(1, result_type))));
}
else if(statement==patternt("?cmpl"))
{
assert(op.size()==2 && results.size()==1);
results[0]=binary_relation_exprt(op[0], ID_lt, op[1]);
}
else if(statement=="dup")
{
assert(op.size()==1 && results.size()==2);
results[0]=results[1]=op[0];
}
else if(statement=="dup_x1")
{
assert(op.size()==2 && results.size()==3);
results[0]=op[1];
results[1]=op[0];
results[2]=op[1];
}
else if(statement=="dup_x2")
{
assert(op.size()==3 && results.size()==4);
results[0]=op[2];
results[1]=op[0];
results[2]=op[1];
results[3]=op[2];
}
// dup2* behaviour depends on the size of the operands on the
// stack
else if(statement=="dup2")
{
assert(!stack.empty() && results.empty());
if(stack.back().type().get_unsigned_int(ID_width)==32)
op=pop(2);
else
op=pop(1);
results.insert(results.end(), op.begin(), op.end());
results.insert(results.end(), op.begin(), op.end());
}
else if(statement=="dup2_x1")
{
assert(!stack.empty() && results.empty());
if(stack.back().type().get_unsigned_int(ID_width)==32)
op=pop(3);
else
op=pop(2);
results.insert(results.end(), op.begin()+1, op.end());
results.insert(results.end(), op.begin(), op.end());
}
else if(statement=="dup2_x2")
{
assert(!stack.empty() && results.empty());
if(stack.back().type().get_unsigned_int(ID_width)==32)
op=pop(2);
else
op=pop(1);
assert(!stack.empty());
exprt::operandst op2;
if(stack.back().type().get_unsigned_int(ID_width)==32)
op2=pop(2);
else
op2=pop(1);
results.insert(results.end(), op.begin(), op.end());
results.insert(results.end(), op2.begin(), op2.end());
results.insert(results.end(), op.begin(), op.end());
}
else if(statement=="dconst")
{
assert(op.empty() && results.size()==1);
}
else if(statement=="fconst")
{
assert(op.empty() && results.size()==1);
}
else if(statement=="getfield")
{
assert(op.size()==1 && results.size()==1);
results[0]=to_member(op[0], arg0);
}
else if(statement=="getstatic")
{
assert(op.empty() && results.size()==1);
symbol_exprt symbol_expr(arg0.type());
symbol_expr.set_identifier(arg0.get_string(ID_class)+"."+arg0.get_string(ID_component_name));
results[0]=symbol_expr;
}
else if(statement=="putfield")
{
assert(op.size()==2 && results.size()==0);
c = code_assignt(to_member(op[0], arg0), op[1]);
}
else if(statement=="putstatic")
{
assert(op.size()==1 && results.empty());
symbol_exprt symbol_expr(arg0.type());
symbol_expr.set_identifier(arg0.get_string(ID_class)+"."+arg0.get_string(ID_component_name));
c=code_assignt(symbol_expr, op[0]);
}
else if(statement==patternt("?2?")) // i2c etc.
{
assert(op.size()==1 && results.size()==1);
results[0]=typecast_exprt(op[0], java_type_from_char(statement[2]));
}
else if(statement=="new")
{
// use temporary since the stack symbol might get duplicated
assert(op.empty() && results.size()==1);
const pointer_typet ref_type(arg0.type());
exprt java_new_expr=side_effect_exprt(ID_java_new, ref_type);
if(!i_it->source_location.get_line().empty())
java_new_expr.add_source_location()=i_it->source_location;
const exprt tmp=tmp_variable("new", ref_type);
c=code_assignt(tmp, java_new_expr);
results[0]=tmp;
}
else if(statement=="newarray" ||
statement=="anewarray")
{
// the op is the array size
assert(op.size()==1 && results.size()==1);
char element_type;
if(statement=="newarray")
{
irep_idt id=arg0.type().id();
if(id==ID_bool)
element_type='z';
else if(id==ID_char)
element_type='c';
else if(id==ID_float)
element_type='f';
else if(id==ID_double)
element_type='d';
else if(id==ID_byte)
element_type='b';
else if(id==ID_short)
element_type='s';
else if(id==ID_int)
element_type='i';
else if(id==ID_long)
element_type='j';
else
element_type='?';
}
else
element_type='a';
const pointer_typet ref_type=java_array_type(element_type);
side_effect_exprt java_new_array(ID_java_new_array, ref_type);
java_new_array.copy_to_operands(op[0]);
if(!i_it->source_location.get_line().empty())
java_new_array.add_source_location()=i_it->source_location;
const exprt tmp=tmp_variable("newarray", ref_type);
c=code_assignt(tmp, java_new_array);
results[0]=tmp;
}
else if(statement=="multianewarray")
{
// The first argument is the type, the second argument is the dimension.
// The size of each dimension is on the stack.
irep_idt number=to_constant_expr(arg1).get_value();
unsigned dimension=safe_c_str2unsigned(number.c_str());
op=pop(dimension);
assert(results.size()==1);
// arg0.type()
const pointer_typet ref_type=java_array_type('a');
side_effect_exprt java_new_array(ID_java_new_array, ref_type);
java_new_array.operands()=op;
if(!i_it->source_location.get_line().empty())
java_new_array.add_source_location()=i_it->source_location;
const exprt tmp=tmp_variable("newarray", ref_type);
c=code_assignt(tmp, java_new_array);
results[0]=tmp;
}
else if(statement=="arraylength")
{
assert(op.size()==1 && results.size()==1);
exprt pointer=
typecast_exprt(op[0], java_array_type(statement[0]));
const dereference_exprt array(pointer, pointer.type().subtype());
assert(pointer.type().subtype().id()==ID_symbol);
const member_exprt length(array, "length", java_int_type());
results[0]=length;
}
else if(statement=="tableswitch" ||
statement=="lookupswitch")
{
assert(op.size()==1 && results.size()==0);
// we turn into switch-case
code_switcht code_switch;
code_switch.add_source_location()=i_it->source_location;
code_switch.value()=op[0];
code_blockt code_block;
code_block.add_source_location()=i_it->source_location;
bool is_label=true;
for(instructiont::argst::const_iterator
a_it=i_it->args.begin();
a_it!=i_it->args.end();
a_it++, is_label=!is_label)
{
if(is_label)
{
code_switch_caset code_case;
code_case.add_source_location()=i_it->source_location;
irep_idt number=to_constant_expr(*a_it).get_value();
code_case.code()=code_gotot(label(number));
code_case.code().add_source_location()=i_it->source_location;
if(a_it==i_it->args.begin())
code_case.set_default();
else
{
instructiont::argst::const_iterator prev=a_it;
prev--;
code_case.case_op()=typecast_exprt(*prev, op[0].type());
code_case.case_op().add_source_location()=i_it->source_location;
}
code_block.add(code_case);
}
}
code_switch.body()=code_block;
c=code_switch;
}
else if(statement=="pop" || statement=="pop2")
{
// these are skips
c=code_skipt();
// pop2 removes two single-word items from the stack (e.g. two
// integers, or an integer and an object reference) or one
// two-word item (i.e. a double or a long).
// http://cs.au.dk/~mis/dOvs/jvmspec/ref-pop2.html
if(statement=="pop2" &&
op[0].type().get_unsigned_int(ID_width)==32)
pop(1);
}
else if(statement=="instanceof")
{
assert(op.size()==1 && results.size()==1);
results[0]=
binary_predicate_exprt(op[0], "java_instanceof", arg0);
}
else
{
c=codet(statement);
c.operands()=op;
}
if(!i_it->source_location.get_line().empty())
c.add_source_location()=i_it->source_location;
push(results);
a_it->second.done=true;
for(std::list<unsigned>::iterator
it=a_it->second.successors.begin();
it!=a_it->second.successors.end();
++it)
{
address_mapt::iterator a_it2=address_map.find(*it);
assert(a_it2!=address_map.end());
if(!stack.empty() && a_it2->second.predecessors.size()>1)
{
// copy into temporaries
code_blockt more_code;
// introduce temporaries when successor is seen for the first
// time
if(a_it2->second.stack.empty())
{
for(stackt::iterator s_it=stack.begin();
s_it!=stack.end();
++s_it)
{
symbol_exprt lhs=tmp_variable("$stack", s_it->type());
code_assignt a(lhs, *s_it);
more_code.copy_to_operands(a);
s_it->swap(lhs);
}
}
else
{
assert(a_it2->second.stack.size()==stack.size());
stackt::const_iterator os_it=a_it2->second.stack.begin();
for(stackt::iterator s_it=stack.begin();
s_it!=stack.end();
++s_it)
{
assert(has_prefix(os_it->get_string(ID_C_base_name),
"$stack"));
symbol_exprt lhs=to_symbol_expr(*os_it);
code_assignt a(lhs, *s_it);
more_code.copy_to_operands(a);
s_it->swap(lhs);
++os_it;
}
}
if(results.empty())
{
more_code.copy_to_operands(c);
c.swap(more_code);
}
else
{
c.make_block();
forall_operands(o_it, more_code)
c.copy_to_operands(*o_it);
}
}
a_it2->second.stack=stack;
}
}
// TODO: add exception handlers from exception table
// review successor computation of athrow!
code_blockt code;
// temporaries
for(const auto & var : tmp_vars)
{
code.add(code_declt(var));
}
for(const auto & it : address_map)
{
const unsigned address=it.first;
assert(it.first==it.second.source->address);
const codet &c=it.second.code;
if(targets.find(address)!=targets.end())
code.add(code_labelt(label(i2string(address)), c));
else if(c.get_statement()!=ID_skip)
code.add(c);
}
return code;
}
/// add axioms corresponding to the String.compareTo java function
/// \par parameters: function application with two string arguments
/// \return a integer expression
exprt string_constraint_generatort::add_axioms_for_compare_to(
const function_application_exprt &f)
{
string_exprt s1=add_axioms_for_string_expr(args(f, 2)[0]);
string_exprt s2=add_axioms_for_string_expr(args(f, 2)[1]);
const typet &return_type=f.type();
symbol_exprt res=fresh_symbol("compare_to", return_type);
typet index_type=s1.length().type();
// In the lexicographic comparison, x is the first point where the two
// strings differ.
// We add axioms:
// a1 : res==0 => |s1|=|s2|
// a2 : forall i<|s1|. s1[i]==s2[i]
// a3 : exists x.
// res!=0 ==> x> 0 &&
// ((|s1| <= |s2| &&x<|s1|) || (|s1| >= |s2| &&x<|s2|)
// &&res=s1[x]-s2[x] )
// || cond2:
// (|s1|<|s2| &&x=|s1|) || (|s1| > |s2| &&x=|s2|) &&res=|s1|-|s2|)
// a4 : forall i<x. res!=0 => s1[i]=s2[i]
assert(return_type.id()==ID_signedbv);
equal_exprt res_null=equal_exprt(res, from_integer(0, return_type));
implies_exprt a1(res_null, s1.axiom_for_has_same_length_as(s2));
axioms.push_back(a1);
symbol_exprt i=fresh_univ_index("QA_compare_to", index_type);
string_constraintt a2(i, s1.length(), res_null, equal_exprt(s1[i], s2[i]));
axioms.push_back(a2);
symbol_exprt x=fresh_exist_index("index_compare_to", index_type);
equal_exprt ret_char_diff(
res,
minus_exprt(
typecast_exprt(s1[x], return_type),
typecast_exprt(s2[x], return_type)));
equal_exprt ret_length_diff(
res,
minus_exprt(
typecast_exprt(s1.length(), return_type),
typecast_exprt(s2.length(), return_type)));
or_exprt guard1(
and_exprt(s1.axiom_for_is_shorter_than(s2),
s1.axiom_for_is_strictly_longer_than(x)),
and_exprt(s1.axiom_for_is_longer_than(s2),
s2.axiom_for_is_strictly_longer_than(x)));
and_exprt cond1(ret_char_diff, guard1);
or_exprt guard2(
and_exprt(s2.axiom_for_is_strictly_longer_than(s1),
s1.axiom_for_has_length(x)),
and_exprt(s1.axiom_for_is_strictly_longer_than(s2),
s2.axiom_for_has_length(x)));
and_exprt cond2(ret_length_diff, guard2);
implies_exprt a3(
not_exprt(res_null),
and_exprt(
binary_relation_exprt(x, ID_ge, from_integer(0, return_type)),
or_exprt(cond1, cond2)));
axioms.push_back(a3);
string_constraintt a4(i, x, not_exprt(res_null), equal_exprt(s1[i], s2[i]));
axioms.push_back(a4);
return res;
}
void string_instrumentationt::invalidate_buffer(
goto_programt &dest,
goto_programt::const_targett target,
const exprt &buffer,
const typet &buf_type,
const mp_integer &limit)
{
irep_idt cntr_id="string_instrumentation::$counter";
if(context.symbols.find(cntr_id)==context.symbols.end())
{
symbolt new_symbol;
new_symbol.base_name="$counter";
new_symbol.pretty_name=new_symbol.base_name;
new_symbol.name=cntr_id;
new_symbol.mode="C";
new_symbol.type=uint_type();
new_symbol.is_statevar=true;
new_symbol.lvalue=true;
new_symbol.static_lifetime=true;
context.move(new_symbol);
}
const symbolt &cntr_sym=ns.lookup(cntr_id);
// create a loop that runs over the buffer
// and invalidates every element
goto_programt::targett init=dest.add_instruction(ASSIGN);
init->location=target->location;
init->code=code_assignt(symbol_expr(cntr_sym), gen_zero(cntr_sym.type));
goto_programt::targett check=dest.add_instruction();
check->location=target->location;
goto_programt::targett invalidate=dest.add_instruction(ASSIGN);
invalidate->location=target->location;
goto_programt::targett increment=dest.add_instruction(ASSIGN);
increment->location=target->location;
exprt plus("+", uint_type());
plus.copy_to_operands(symbol_expr(cntr_sym));
plus.copy_to_operands(gen_one(uint_type()));
increment->code=code_assignt(symbol_expr(cntr_sym), plus);
goto_programt::targett back=dest.add_instruction();
back->location=target->location;
back->make_goto(check);
back->guard=true_exprt();
goto_programt::targett exit=dest.add_instruction();
exit->location=target->location;
exit->make_skip();
exprt cnt_bs, bufp;
if(buf_type.id()=="pointer")
bufp = buffer;
else
{
index_exprt index;
index.array()=buffer;
index.index()=gen_zero(uint_type());
index.type()=buf_type.subtype();
bufp = address_of_exprt(index);
}
exprt deref("dereference", buf_type.subtype());
exprt b_plus_i("+", bufp.type());
b_plus_i.copy_to_operands(bufp);
b_plus_i.copy_to_operands(symbol_expr(cntr_sym));
deref.copy_to_operands(b_plus_i);
check->make_goto(exit);
if(limit==0)
check->guard=
binary_relation_exprt(symbol_expr(cntr_sym), ">=",
buffer_size(bufp));
else
check->guard=
binary_relation_exprt(symbol_expr(cntr_sym), ">",
from_integer(limit, uint_type()));
exprt nondet=side_effect_expr_nondett(buf_type.subtype());
invalidate->code=code_assignt(deref, nondet);
}
void string_instrumentationt::do_format_string_write(
goto_programt &dest,
goto_programt::const_targett target,
const code_function_callt::argumentst &arguments,
unsigned format_string_inx,
unsigned argument_start_inx,
const std::string &function_name)
{
const exprt &format_arg = arguments[format_string_inx];
if(format_arg.id()=="address_of" &&
format_arg.op0().id()=="index" &&
format_arg.op0().op0().id()==ID_string_constant) // constant format
{
format_token_listt token_list;
parse_format_string(format_arg.op0().op0(), token_list);
unsigned args=0;
for(format_token_listt::const_iterator it=token_list.begin();
it!=token_list.end();
it++)
{
if(find(it->flags.begin(), it->flags.end(), format_tokent::ASTERISK)!=
it->flags.end())
continue; // asterisk means `ignore this'
switch(it->type)
{
case format_tokent::STRING:
{
const exprt &argument=arguments[argument_start_inx+args];
const typet &arg_type=ns.follow(argument.type());
goto_programt::targett assertion=dest.add_instruction();
assertion->location=target->location;
assertion->location.set("property", "string");
std::string comment("format string buffer overflow in ");
comment += function_name;
assertion->location.set("comment", comment);
if(it->field_width!=0)
{
exprt fwidth = from_integer(it->field_width, uint_type());
exprt fw_1("+", uint_type());
exprt one = gen_one(uint_type());
fw_1.move_to_operands(fwidth);
fw_1.move_to_operands(one); // +1 for 0-char
exprt fw_lt_bs;
if(arg_type.id()=="pointer")
fw_lt_bs=binary_relation_exprt(fw_1, "<=", buffer_size(argument));
else
{
index_exprt index;
index.array()=argument;
index.index()=gen_zero(uint_type());
address_of_exprt aof(index);
fw_lt_bs=binary_relation_exprt(fw_1, "<=", buffer_size(aof));
}
assertion->make_assertion(fw_lt_bs);
}
else
{
// this is a possible overflow.
assertion->make_assertion(false_exprt());
}
// now kill the contents
invalidate_buffer(dest, target, argument, arg_type, it->field_width);
args++;
break;
}
case format_tokent::TEXT:
case format_tokent::UNKNOWN:
{
// nothing
break;
}
default: // everything else
{
const exprt &argument=arguments[argument_start_inx+args];
const typet &arg_type=ns.follow(argument.type());
goto_programt::targett assignment=dest.add_instruction(ASSIGN);
assignment->location=target->location;
exprt lhs("dereference", arg_type.subtype());
lhs.copy_to_operands(argument);
exprt rhs=side_effect_expr_nondett(lhs.type());
rhs.location()=target->location;
assignment->code=code_assignt(lhs, rhs);
args++;
break;
}
}
}
}
else // non-const format string
{
for(unsigned i=argument_start_inx; i<arguments.size(); i++)
{
const typet &arg_type=ns.follow(arguments[i].type());
// Note: is_string_type() is a `good guess' here. Actually
// any of the pointers could point into an array. But it
// would suck if we had to invalidate all variables.
// Luckily this case isn't needed too often.
if(is_string_type(arg_type))
{
goto_programt::targett assertion=dest.add_instruction();
assertion->location=target->location;
assertion->location.set("property", "string");
std::string comment("format string buffer overflow in ");
comment += function_name;
assertion->location.set("comment", comment);
// as we don't know any field width for the %s that
// should be here during runtime, we just report a
// possibly false positive
assertion->make_assertion(false_exprt());
invalidate_buffer(dest, target, arguments[i], arg_type, 0);
}
else
{
goto_programt::targett assignment = dest.add_instruction(ASSIGN);
assignment->location=target->location;
exprt lhs("dereference", arg_type.subtype());
lhs.copy_to_operands(arguments[i]);
exprt rhs=side_effect_expr_nondett(lhs.type());
rhs.location()=target->location;
assignment->code=code_assignt(lhs, rhs);
}
}
}
}
void string_instrumentationt::do_strerror(
goto_programt &dest,
goto_programt::targett it,
code_function_callt &call)
{
if(call.lhs().is_nil())
{
it->make_skip();
return;
}
irep_idt identifier_buf="c::__strerror_buffer";
irep_idt identifier_size="c::__strerror_buffer_size";
if(context.symbols.find(identifier_buf)==context.symbols.end())
{
symbolt new_symbol_size;
new_symbol_size.base_name="__strerror_buffer_size";
new_symbol_size.pretty_name=new_symbol_size.base_name;
new_symbol_size.name=identifier_size;
new_symbol_size.mode="C";
new_symbol_size.type=uint_type();
new_symbol_size.is_statevar=true;
new_symbol_size.lvalue=true;
new_symbol_size.static_lifetime=true;
array_typet type;
type.subtype()=char_type();
type.size()=symbol_expr(new_symbol_size);
symbolt new_symbol_buf;
new_symbol_buf.mode="C";
new_symbol_buf.type=type;
new_symbol_buf.is_statevar=true;
new_symbol_buf.lvalue=true;
new_symbol_buf.static_lifetime=true;
new_symbol_buf.base_name="__strerror_buffer";
new_symbol_buf.pretty_name=new_symbol_buf.base_name;
new_symbol_buf.name="c::"+id2string(new_symbol_buf.base_name);
context.move(new_symbol_buf);
context.move(new_symbol_size);
}
const symbolt &symbol_size=ns.lookup(identifier_size);
const symbolt &symbol_buf=ns.lookup(identifier_buf);
goto_programt tmp;
{
goto_programt::targett assignment1=tmp.add_instruction(ASSIGN);
exprt nondet_size=side_effect_expr_nondett(uint_type());
assignment1->code=code_assignt(symbol_expr(symbol_size), nondet_size);
assignment1->location=it->location;
goto_programt::targett assumption1=tmp.add_instruction();
assumption1->make_assumption(binary_relation_exprt(
symbol_expr(symbol_size), "notequal",
gen_zero(symbol_size.type)));
assumption1->location=it->location;
}
// return a pointer to some magic buffer
exprt index=exprt("index", char_type());
index.copy_to_operands(symbol_expr(symbol_buf), gen_zero(uint_type()));
exprt ptr=exprt("address_of", pointer_typet());
ptr.type().subtype()=char_type();
ptr.copy_to_operands(index);
// make that zero-terminated
{
goto_programt::targett assignment2=tmp.add_instruction(ASSIGN);
assignment2->code=code_assignt(is_zero_string(ptr, true), true_exprt());
assignment2->location=it->location;
}
// assign address
{
goto_programt::targett assignment3=tmp.add_instruction(ASSIGN);
exprt rhs=ptr;
make_type(rhs, call.lhs().type());
assignment3->code=code_assignt(call.lhs(), rhs);
assignment3->location=it->location;
}
it->make_skip();
dest.insert_before_swap(it, tmp);
}
bool polynomial_acceleratort::accelerate(patht &loop,
path_acceleratort &accelerator) {
goto_programt::instructionst body;
accelerator.clear();
for (patht::iterator it = loop.begin();
it != loop.end();
++it) {
body.push_back(*(it->loc));
}
expr_sett targets;
std::map<exprt, polynomialt> polynomials;
scratch_programt program(symbol_table);
goto_programt::instructionst assigns;
utils.find_modified(body, targets);
#ifdef DEBUG
std::cout << "Polynomial accelerating program:" << std::endl;
for (goto_programt::instructionst::iterator it = body.begin();
it != body.end();
++it) {
program.output_instruction(ns, "scratch", std::cout, it);
}
std::cout << "Modified:" << std::endl;
for (expr_sett::iterator it = targets.begin();
it != targets.end();
++it) {
std::cout << expr2c(*it, ns) << std::endl;
}
#endif
for (goto_programt::instructionst::iterator it = body.begin();
it != body.end();
++it) {
if (it->is_assign() || it->is_decl()) {
assigns.push_back(*it);
}
}
if (loop_counter.is_nil()) {
symbolt loop_sym = utils.fresh_symbol("polynomial::loop_counter",
unsignedbv_typet(POLY_WIDTH));
loop_counter = loop_sym.symbol_expr();
}
for (expr_sett::iterator it = targets.begin();
it != targets.end();
++it) {
polynomialt poly;
exprt target = *it;
expr_sett influence;
goto_programt::instructionst sliced_assigns;
if (target.type() == bool_typet()) {
// Hack: don't accelerate booleans.
continue;
}
cone_of_influence(assigns, target, sliced_assigns, influence);
if (influence.find(target) == influence.end()) {
#ifdef DEBUG
std::cout << "Found nonrecursive expression: " << expr2c(target, ns) << std::endl;
#endif
nonrecursive.insert(target);
continue;
}
if (target.id() == ID_index ||
target.id() == ID_dereference) {
// We can't accelerate a recursive indirect access...
accelerator.dirty_vars.insert(target);
continue;
}
if (fit_polynomial_sliced(sliced_assigns, target, influence, poly)) {
std::map<exprt, polynomialt> this_poly;
this_poly[target] = poly;
if (check_inductive(this_poly, assigns)) {
polynomials.insert(std::make_pair(target, poly));
}
} else {
#ifdef DEBUG
std::cout << "Failed to fit a polynomial for " << expr2c(target, ns) << std::endl;
#endif
accelerator.dirty_vars.insert(*it);
}
}
if (polynomials.empty()) {
//return false;
}
/*
if (!utils.check_inductive(polynomials, assigns)) {
// They're not inductive :-(
return false;
}
*/
substitutiont stashed;
stash_polynomials(program, polynomials, stashed, body);
exprt guard;
exprt guard_last;
bool path_is_monotone;
try {
path_is_monotone = utils.do_assumptions(polynomials, loop, guard);
} catch (std::string s) {
// Couldn't do WP.
std::cout << "Assumptions error: " << s << std::endl;
return false;
}
guard_last = guard;
for (std::map<exprt, polynomialt>::iterator it = polynomials.begin();
it != polynomials.end();
++it) {
replace_expr(it->first, it->second.to_expr(), guard_last);
}
if (path_is_monotone) {
// OK cool -- the path is monotone, so we can just assume the condition for
// the first and last iterations.
replace_expr(loop_counter,
minus_exprt(loop_counter, from_integer(1, loop_counter.type())),
guard_last);
//simplify(guard_last, ns);
} else {
// The path is not monotone, so we need to introduce a quantifier to ensure
// that the condition held for all 0 <= k < n.
symbolt k_sym = utils.fresh_symbol("polynomial::k", unsignedbv_typet(POLY_WIDTH));
exprt k = k_sym.symbol_expr();
exprt k_bound = and_exprt(binary_relation_exprt(from_integer(0, k.type()), "<=", k),
binary_relation_exprt(k, "<", loop_counter));
replace_expr(loop_counter, k, guard_last);
implies_exprt implies(k_bound, guard_last);
//simplify(implies, ns);
exprt forall(ID_forall);
forall.type() = bool_typet();
forall.copy_to_operands(k);
forall.copy_to_operands(implies);
guard_last = forall;
}
// All our conditions are met -- we can finally build the accelerator!
// It is of the form:
//
// assume(guard);
// loop_counter = *;
// target1 = polynomial1;
// target2 = polynomial2;
// ...
// assume(guard);
// assume(no overflows in previous code);
program.add_instruction(ASSUME)->guard = guard;
program.assign(loop_counter, side_effect_expr_nondett(loop_counter.type()));
for (std::map<exprt, polynomialt>::iterator it = polynomials.begin();
it != polynomials.end();
++it) {
program.assign(it->first, it->second.to_expr());
}
// Add in any array assignments we can do now.
if (!utils.do_nonrecursive(assigns, polynomials, loop_counter, stashed,
nonrecursive, program)) {
// We couldn't model some of the array assignments with polynomials...
// Unfortunately that means we just have to bail out.
#ifdef DEBUG
std::cout << "Failed to accelerate a nonrecursive expression" << std::endl;
#endif
return false;
}
program.add_instruction(ASSUME)->guard = guard_last;
program.fix_types();
if (path_is_monotone) {
utils.ensure_no_overflows(program);
}
accelerator.pure_accelerator.instructions.swap(program.instructions);
return true;
}
exprt ranking_synthesis_satt::instantiate(void)
{
find_largest_constant(body.body_relation);
binary_relation_exprt toplevel_and("and");
toplevel_and.lhs() = body.body_relation; // that's R(x,x')
exprt function;
replace_mapt pre_replace_map;
bool first=true;
for(bodyt::variable_mapt::const_iterator it=body.variable_map.begin();
it!=body.variable_map.end();
it++)
{
if(used_variables.find(it->first)==used_variables.end())
continue;
exprt var=symbol_exprt(it->first, ns.lookup(it->first).type);
pre_replace_map[var] = // save the corresponding pre-var
symbol_exprt(it->second, ns.lookup(it->second).type);
adjust_type(var.type());
const typet type=var.type();
exprt coef=coefficient(var);
unsigned width=safe_width(var, ns);
assert(width!=0);
exprt term("*", typet(""));
term.copy_to_operands(coef, var);
if(first)
{
function=term;
first=false;
}
else
{
// cast_up(function, term);
exprt t("+", typet(""));
t.move_to_operands(function, term);
function = t;
}
}
if(first) // non of the interesting variables was used - bail out!
{
debug("Completely non-deterministic template; "
"this loop does not terminate.");
return false_exprt();
}
// if(!largest_constant.is_zero())
// {
// // add the largest constant
// symbol_exprt lc_sym("termination::LC", largest_constant.type());
// exprt lc=largest_constant;
// exprt lcc=coefficient(lc_sym);
//// cast_up(lc, lcc);
// exprt m("*", typet(""));
// m.move_to_operands(lcc, lc);
//
//// cast_up(function, m);
// exprt t("+", typet(""));
// t.move_to_operands(function, m);
// function = t;
// }
// add a constant term
symbol_exprt const_sym("termination::constant", signedbv_typet(2));
exprt cc=coefficient(const_sym);
// cast_up(function, cc);
exprt t2("+", typet(""));
t2.move_to_operands(function, cc);
function=t2;
contextt context;
ansi_c_parse_treet pt;
rankfunction_typecheckt typecheck(pt, context, ns, *message_handler);
try
{
typecheck.typecheck_expr(function);
}
catch (...)
{
throw "TC ERROR";
}
exprt pre_function = function;
replace_expr(pre_replace_map, pre_function);
// save the relation for later
rank_relation = binary_relation_exprt(function, "<", pre_function);
// base_type(rank_relation, ns);
toplevel_and.rhs()=not_exprt(rank_relation);
return toplevel_and;
}