/// Picks the C type of an enum *constant* whose value range is
/// [min_value, max_value]. Unlike the underlying type of the enum itself,
/// packing plays no role here.
/// \param min_value: smallest constant of the enum
/// \param max_value: largest constant of the enum
/// \return signed int under the Visual Studio flavour; otherwise the first
///   type, in the order int, unsigned int, unsigned long, unsigned long long,
///   long, long long, that holds the whole range
typet c_typecheck_baset::enum_constant_type(
  const mp_integer &min_value,
  const mp_integer &max_value) const
{
  if(config.ansi_c.mode==configt::ansi_ct::flavourt::VISUAL_STUDIO)
    return signed_int_type();

  // enum constants are at least 'int', but may be made larger.
  // 'Packing' has no influence.
  mp_integer int_half=mp_integer(1)<<(config.ansi_c.int_width-1);
  mp_integer int_full=mp_integer(1)<<config.ansi_c.int_width;
  mp_integer long_half=mp_integer(1)<<(config.ansi_c.long_int_width-1);
  mp_integer long_full=mp_integer(1)<<config.ansi_c.long_int_width;
  mp_integer long_long_full=mp_integer(1)<<config.ansi_c.long_long_int_width;

  const bool non_negative=min_value>=0;

  // signed int first; then the unsigned types in increasing size, and only
  // then signed long -- i.e. an unsigned type is preferred wherever it fits
  if(max_value<int_half && min_value>=-int_half)
    return signed_int_type();

  if(non_negative && max_value<int_full)
    return unsigned_int_type();

  if(non_negative && max_value<long_full)
    return unsigned_long_int_type();

  if(non_negative && max_value<long_long_full)
    return unsigned_long_long_int_type();

  if(max_value<long_half && min_value>=-long_half)
    return signed_long_int_type();

  return signed_long_long_int_type();
}
/// Picks the underlying integer type of an enum whose constants lie in
/// [min_value, max_value].
/// \param min_value: smallest constant of the enum
/// \param max_value: largest constant of the enum
/// \param is_packed: whether the enum is packed; only then are char and
///   short considered
/// \return signed int under the Visual Studio flavour; otherwise the
///   smallest admissible signed type if min_value is negative, else the
///   smallest admissible unsigned type
typet c_typecheck_baset::enum_underlying_type(
  const mp_integer &min_value,
  const mp_integer &max_value,
  bool is_packed) const
{
  if(config.ansi_c.mode==configt::ansi_ct::flavourt::VISUAL_STUDIO)
    return signed_int_type();

  // does [min_value, max_value] fit a two's-complement type of `width` bits?
  auto fits_signed=[&](std::size_t width) -> bool
  {
    mp_integer half=mp_integer(1)<<(width-1);
    return max_value<half && min_value>=-half;
  };

  // does max_value fit an unsigned type of `width` bits?
  // (only consulted once min_value>=0 is known)
  auto fits_unsigned=[&](std::size_t width) -> bool
  {
    return max_value<(mp_integer(1)<<width);
  };

  if(min_value<0)
  {
    // We'll want a signed type.
    if(is_packed)
    {
      // If packed, there are smaller options.
      if(fits_signed(config.ansi_c.char_width))
        return signed_char_type();
      if(fits_signed(config.ansi_c.short_int_width))
        return signed_short_int_type();
    }

    if(fits_signed(config.ansi_c.int_width))
      return signed_int_type();
    if(fits_signed(config.ansi_c.long_int_width))
      return signed_long_int_type();
    return signed_long_long_int_type();
  }

  // We'll want an unsigned type.
  if(is_packed)
  {
    // If packed, there are smaller options.
    if(fits_unsigned(config.ansi_c.char_width))
      return unsigned_char_type();
    if(fits_unsigned(config.ansi_c.short_int_width))
      return unsigned_short_int_type();
  }

  if(fits_unsigned(config.ansi_c.int_width))
    return unsigned_int_type();
  if(fits_unsigned(config.ansi_c.long_int_width))
    return unsigned_long_int_type();
  return unsigned_long_long_int_type();
}
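/// The C `size_t` type for the configured target: the unsigned integer type
/// whose width equals the pointer width.
/// \return unsigned int, unsigned long int or unsigned long long int,
///   whichever matches config.ansi_c.pointer_width (checked in that order)
typet size_type()
{
  // The size type varies. This is unsigned int on some systems,
  // and unsigned long int on others,
  // and unsigned long long on say Windows 64.
  if(config.ansi_c.pointer_width==config.ansi_c.int_width)
    return unsigned_int_type();
  else if(config.ansi_c.pointer_width==config.ansi_c.long_int_width)
    return unsigned_long_int_type();
  else if(config.ansi_c.pointer_width==config.ansi_c.long_long_int_width)
    return unsigned_long_long_int_type();

  // No configured integer type has the pointer width. Falling off the end
  // of a non-void function is undefined behaviour once NDEBUG removes the
  // assert, so fail loudly in debug builds and otherwise return the widest
  // unsigned type rather than garbage.
  assert(false);
  return unsigned_long_long_int_type();
}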
/// Applies the arithmetic conversion for the given C type class to expr:
/// arrays decay to pointers under PTR, and the integer, floating-point and
/// mathematical classes are cast to their corresponding type. COMPLEX and
/// unknown classes leave expr untouched, as do the sub-int integer classes
/// (which the caller is expected to have promoted already).
/// \param expr: expression to convert in place
/// \param c_type: target type class
void c_typecastt::implicit_typecast_arithmetic(
  exprt &expr,
  c_typet c_type)
{
  const typet &expr_type=ns.follow(expr.type());
  typet new_type;

  switch(c_type)
  {
  case PTR:
    // only arrays decay; any other expression is left as it is
    if(expr_type.id()!=ID_array)
      return;
    new_type.id(ID_pointer);
    new_type.subtype()=expr_type.subtype();
    break;

  case BOOL:
  case CHAR:
  case UCHAR:
  case SHORT:
  case USHORT:
    assert(false); // should always be promoted to int
    // falls through to INT when the assert is compiled out

  case INT:
    new_type=signed_int_type();
    break;

  case UINT:
    new_type=unsigned_int_type();
    break;

  case LONG:
    new_type=signed_long_int_type();
    break;

  case ULONG:
    new_type=unsigned_long_int_type();
    break;

  case LONGLONG:
    new_type=signed_long_long_int_type();
    break;

  case ULONGLONG:
    new_type=unsigned_long_long_int_type();
    break;

  case SINGLE:
    new_type=float_type();
    break;

  case DOUBLE:
    new_type=double_type();
    break;

  case LONGDOUBLE:
    new_type=long_double_type();
    break;

  case FLOAT128:
    new_type=ieee_float_spect::quadruple_precision().to_type();
    break;

  case RATIONAL:
    new_type=rational_typet();
    break;

  case REAL:
    new_type=real_typet();
    break;

  case INTEGER:
    new_type=integer_typet();
    break;

  case COMPLEX:
  default:
    return; // do nothing
  }

  if(new_type!=expr_type)
    do_typecast(expr, new_type);
}
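/// Formats one conversion specification (the part after a '%') and writes
/// the result to out. Reads the flag, width and precision characters via
/// next(), then consumes one operand from next_operand for each conversion
/// that takes one; a conversion with no operand left prints nothing, and an
/// unknown conversion character is echoed as "%<ch>".
/// \param out: stream the formatted text is written to
void printf_formattert::process_format(std::ostream &out)
{
  format_constantt format_constant;
  format_constant.precision=6;
  format_constant.min_width=0;
  format_constant.zero_padding=false;

  char ch=next();

  if(ch=='0') // leading zeros
  {
    format_constant.zero_padding=true;
    ch=next();
  }

  // isdigit() is only defined for EOF and values representable as
  // unsigned char; a plain char with the high bit set (non-ASCII byte in
  // the format string) would be passed as a negative int, which is
  // undefined behaviour, hence the casts below.
  while(isdigit(static_cast<unsigned char>(ch))) // width
  {
    format_constant.min_width*=10;
    format_constant.min_width+=ch-'0';
    ch=next();
  }

  if(ch=='.') // precision
  {
    format_constant.precision=0;
    ch=next();

    while(isdigit(static_cast<unsigned char>(ch)))
    {
      format_constant.precision*=10;
      format_constant.precision+=ch-'0';
      ch=next();
    }
  }

  switch(ch)
  {
  case '%':
    out << ch;
    break;

  case 'e':
  case 'E':
    format_constant.style=format_spect::stylet::SCIENTIFIC;
    if(next_operand==operands.end())
      break;
    out << format_constant(
      make_type(*(next_operand++), double_type()));
    break;

  case 'f':
  case 'F':
    format_constant.style=format_spect::stylet::DECIMAL;
    if(next_operand==operands.end())
      break;
    out << format_constant(
      make_type(*(next_operand++), double_type()));
    break;

  case 'g':
  case 'G':
    format_constant.style=format_spect::stylet::AUTOMATIC;
    // %g treats a precision of 0 as 1
    if(format_constant.precision==0)
      format_constant.precision=1;
    if(next_operand==operands.end())
      break;
    out << format_constant(
      make_type(*(next_operand++), double_type()));
    break;

  case 's':
    {
      if(next_operand==operands.end())
        break;
      // this is the address of a string; only a literal of the form
      // &"..."[i] is printed, anything else is silently dropped
      const exprt &op=*(next_operand++);
      if(op.id()==ID_address_of &&
         op.operands().size()==1 &&
         op.op0().id()==ID_index &&
         op.op0().operands().size()==2 &&
         op.op0().op0().id()==ID_string_constant)
        out << format_constant(op.op0().op0());
    }
    break;

  case 'd':
    if(next_operand==operands.end())
      break;
    out << format_constant(
      make_type(*(next_operand++), signed_int_type()));
    break;

  case 'D':
    if(next_operand==operands.end())
      break;
    out << format_constant(
      make_type(*(next_operand++), signed_long_int_type()));
    break;

  case 'u':
    if(next_operand==operands.end())
      break;
    out << format_constant(
      make_type(*(next_operand++), unsigned_int_type()));
    break;

  case 'U':
    if(next_operand==operands.end())
      break;
    out << format_constant(
      make_type(*(next_operand++), unsigned_long_int_type()));
    break;

  default:
    out << '%' << ch;
  }
}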
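/// Adds an assertion instruction labelled "format string buffer overflow in
/// <function_name>" at target's location and returns it. The caller still
/// has to set the guard via make_assertion().
static goto_programt::targett add_format_overflow_assertion(
  goto_programt &dest,
  goto_programt::const_targett target,
  const std::string &function_name)
{
  goto_programt::targett assertion=dest.add_instruction();
  assertion->location=target->location;
  assertion->location.set("property", "string");
  std::string comment("format string buffer overflow in ");
  comment += function_name;
  assertion->location.set("comment", comment);
  return assertion;
}

/// Adds `*pointer = nondet` at target's location, modelling a write of an
/// unknown value through an output argument. pointer_type must be the
/// followed type of pointer; its subtype is the type of the written object.
static void add_nondet_write(
  goto_programt &dest,
  goto_programt::const_targett target,
  const exprt &pointer,
  const typet &pointer_type)
{
  goto_programt::targett assignment=dest.add_instruction(ASSIGN);
  assignment->location=target->location;

  exprt lhs(ID_dereference, pointer_type.subtype());
  lhs.copy_to_operands(pointer);

  exprt rhs=side_effect_expr_nondett(lhs.type());
  rhs.location()=target->location;

  assignment->code=code_assignt(lhs, rhs);
}

/// Instruments a call to a scanf-like function, i.e. one that *writes*
/// through its arguments according to a format string: for every %s an
/// overflow assertion is added and the target buffer is invalidated, for
/// every other conversion the pointed-to object is set to nondet.
/// \param dest: program the instrumentation is appended to
/// \param target: call instruction whose location is reused
/// \param arguments: arguments of the call
/// \param format_string_inx: index of the format string in arguments
/// \param argument_start_inx: index of the first conversion argument
/// \param function_name: name used in the assertion comment
void string_instrumentationt::do_format_string_write(
  goto_programt &dest,
  goto_programt::const_targett target,
  const code_function_callt::argumentst &arguments,
  unsigned format_string_inx,
  unsigned argument_start_inx,
  const std::string &function_name)
{
  const exprt &format_arg = arguments[format_string_inx];

  // constant format string, i.e. &"..."[i]
  if(format_arg.id()==ID_address_of &&
     format_arg.operands().size()==1 &&
     format_arg.op0().id()==ID_index &&
     format_arg.op0().operands().size()==2 &&
     format_arg.op0().op0().id()==ID_string_constant)
  {
    format_token_listt token_list;
    parse_format_string(format_arg.op0().op0(), token_list);

    unsigned args=0; // conversions consumed so far

    for(format_token_listt::const_iterator it=token_list.begin();
        it!=token_list.end();
        ++it)
    {
      if(find(it->flags.begin(), it->flags.end(), format_tokent::ASTERISK)!=
         it->flags.end())
        continue; // asterisk means `ignore this'

      if(it->type==format_tokent::TEXT || it->type==format_tokent::UNKNOWN)
        continue; // nothing is written for literal text

      // Every remaining token consumes one argument. A format string with
      // more conversions than supplied arguments would otherwise index
      // past the end of `arguments`; stop instrumenting at that point.
      const std::size_t arg_inx=
        static_cast<std::size_t>(argument_start_inx)+args;

      if(arg_inx>=arguments.size())
        break;

      const exprt &argument=arguments[arg_inx];
      const typet &arg_type=ns.follow(argument.type());

      if(it->type==format_tokent::STRING)
      {
        goto_programt::targett assertion=
          add_format_overflow_assertion(dest, target, function_name);

        if(it->field_width!=0)
        {
          // field width + 1 (for the terminating 0-char) must fit the buffer
          exprt fwidth = from_integer(it->field_width, unsigned_int_type());
          exprt fw_1(ID_plus, unsigned_int_type());
          exprt one = gen_one(unsigned_int_type());
          fw_1.move_to_operands(fwidth);
          fw_1.move_to_operands(one); // +1 for 0-char

          exprt fw_lt_bs;

          if(arg_type.id()==ID_pointer)
            fw_lt_bs=binary_relation_exprt(fw_1, ID_le, buffer_size(argument));
          else
          {
            // array argument: take the address of its first element
            index_exprt index;
            index.array()=argument;
            index.index()=gen_zero(unsigned_int_type());
            address_of_exprt aof(index);
            fw_lt_bs=binary_relation_exprt(fw_1, ID_le, buffer_size(aof));
          }

          assertion->make_assertion(fw_lt_bs);
        }
        else
        {
          // no field width: the write is unbounded, so this is a possible
          // overflow and is reported unconditionally
          assertion->make_assertion(false_exprt());
        }

        // now kill the contents
        invalidate_buffer(dest, target, argument, arg_type, it->field_width);
      }
      else
      {
        // everything else: the pointed-to object receives a nondet value.
        // NOTE(review): this assumes the argument is a pointer; for a
        // non-pointer argument subtype() is nil -- confirm with callers.
        add_nondet_write(dest, target, argument, arg_type);
      }

      args++;
    }
  }
  else // non-const format string
  {
    for(std::size_t i=argument_start_inx; i<arguments.size(); i++)
    {
      const typet &arg_type=ns.follow(arguments[i].type());

      // Note: is_string_type() is a `good guess' here. Actually
      // any of the pointers could point into an array. But it
      // would suck if we had to invalidate all variables.
      // Luckily this case isn't needed too often.
      if(is_string_type(arg_type))
      {
        goto_programt::targett assertion=
          add_format_overflow_assertion(dest, target, function_name);

        // as we don't know any field width for the %s that
        // should be here during runtime, we just report a
        // possibly false positive
        assertion->make_assertion(false_exprt());

        invalidate_buffer(dest, target, arguments[i], arg_type, 0);
      }
      else
      {
        add_nondet_write(dest, target, arguments[i], arg_type);
      }
    }
  }
}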
/// Appends a loop to dest that overwrites every element of buffer with a
/// nondet value. Uses a single static symbol
/// "string_instrumentation::$counter" (created on first use) as the loop
/// counter, so the emitted loops share one counter variable.
/// \param dest: program the loop is appended to
/// \param target: instruction whose location is copied onto the new ones
/// \param buffer: pointer to the buffer, or the array itself
/// \param buf_type: followed type of buffer (pointer or array)
/// \param limit: 0 means "up to buffer_size(buffer)"; any other value makes
///   the loop cover indices 0..limit inclusive
void string_instrumentationt::invalidate_buffer(
  goto_programt &dest,
  goto_programt::const_targett target,
  const exprt &buffer,
  const typet &buf_type,
  const mp_integer &limit)
{
  irep_idt cntr_id="string_instrumentation::$counter";

  // the counter is created once and then reused by every call
  if(symbol_table.symbols.find(cntr_id)==symbol_table.symbols.end())
  {
    symbolt new_symbol;
    new_symbol.base_name="$counter";
    new_symbol.pretty_name=new_symbol.base_name;
    new_symbol.name=cntr_id;
    new_symbol.mode=ID_C;
    new_symbol.type=size_type();
    new_symbol.is_state_var=true;
    new_symbol.is_lvalue=true;
    new_symbol.is_static_lifetime=true;

    symbol_table.move(new_symbol);
  }

  const symbolt &cntr_sym=ns.lookup(cntr_id);

  // create a loop that runs over the buffer
  // and invalidates every element
  //
  // The instructions are appended in program order:
  //   init:       counter = 0
  //   check:      if(<exit condition>) goto exit
  //   invalidate: *(buffer + counter) = nondet
  //   increment:  counter = counter + 1
  //   back:       goto check
  //   exit:       skip
  goto_programt::targett init=dest.add_instruction(ASSIGN);
  init->location=target->location;
  init->code=code_assignt(cntr_sym.symbol_expr(), gen_zero(cntr_sym.type));

  goto_programt::targett check=dest.add_instruction();
  check->location=target->location;

  goto_programt::targett invalidate=dest.add_instruction(ASSIGN);
  invalidate->location=target->location;

  goto_programt::targett increment=dest.add_instruction(ASSIGN);
  increment->location=target->location;

  // NOTE(review): the counter has type size_type() but the increment and
  // the limit below are built with unsigned_int_type(); confirm the
  // mismatch is harmless for the consumers of this program.
  exprt plus(ID_plus, unsigned_int_type());
  plus.copy_to_operands(cntr_sym.symbol_expr());
  plus.copy_to_operands(gen_one(unsigned_int_type()));

  increment->code=code_assignt(cntr_sym.symbol_expr(), plus);

  goto_programt::targett back=dest.add_instruction();
  back->location=target->location;
  back->make_goto(check);
  back->guard=true_exprt();

  goto_programt::targett exit=dest.add_instruction();
  exit->location=target->location;
  exit->make_skip();

  // cnt_bs is never used
  exprt cnt_bs, bufp;

  // bufp is always a pointer to the first element: the argument itself
  // for a pointer, &buffer[0] for an array
  if(buf_type.id()==ID_pointer)
    bufp = buffer;
  else
  {
    index_exprt index;
    index.array()=buffer;
    index.index()=gen_zero(index_type());
    index.type()=buf_type.subtype();
    bufp = address_of_exprt(index);
  }

  // *(bufp + counter)
  exprt deref(ID_dereference, buf_type.subtype());
  exprt b_plus_i(ID_plus, bufp.type());
  b_plus_i.copy_to_operands(bufp);
  b_plus_i.copy_to_operands(cntr_sym.symbol_expr());
  deref.copy_to_operands(b_plus_i);

  // leave the loop once the counter reaches the buffer size (limit==0)
  // or exceeds the given limit, i.e. indices 0..limit are written
  check->make_goto(exit);
  if(limit==0)
    check->guard=
      binary_relation_exprt(cntr_sym.symbol_expr(), ID_ge, buffer_size(bufp));
  else
    check->guard=
      binary_relation_exprt(cntr_sym.symbol_expr(), ID_gt, from_integer(limit, unsigned_int_type()));

  exprt nondet=side_effect_expr_nondett(buf_type.subtype());
  invalidate->code=code_assignt(deref, nondet);
}
/// Typechecks a C type in place: first normalises it via
/// ansi_c_convert_typet, then dispatches on the type id to the specific
/// typecheck_*_type routine. Handles ID_already_typechecked by unwrapping
/// the inner type while keeping qualifiers, packing, alignment and typedef
/// information, and resolves gcc's __attribute__((mode(...))) to a concrete
/// integer, float, vector or complex type.
/// \param type: type to check and rewrite
/// \throws int (0) via error() for a mode attribute on an unsuitable type
///   and for `restrict` on a non-pointer, non-array type
void c_typecheck_baset::typecheck_type(typet &type)
{
  // we first convert, and then check
  {
    ansi_c_convert_typet ansi_c_convert_type(get_message_handler());
    ansi_c_convert_type.read(type);
    ansi_c_convert_type.write(type);
  }

  if(type.id()==ID_already_typechecked)
  {
    // need to preserve any qualifiers
    c_qualifierst c_qualifiers(type);
    c_qualifiers+=c_qualifierst(type.subtype());
    bool packed=type.get_bool(ID_C_packed);
    exprt alignment=static_cast<const exprt &>(type.find(ID_C_alignment));
    irept _typedef=type.find(ID_C_typedef);

    // unwrap, then re-attach what was saved above
    type=type.subtype();

    c_qualifiers.write(type);
    if(packed)
      type.set(ID_C_packed, true);
    if(alignment.is_not_nil())
      type.add(ID_C_alignment, alignment);
    if(_typedef.is_not_nil())
      type.add(ID_C_typedef, _typedef);

    return; // done
  }

  // do we have alignment?
  if(type.find(ID_C_alignment).is_not_nil())
  {
    exprt &alignment=static_cast<exprt &>(type.add(ID_C_alignment));
    // ID_default stands for "no explicit alignment expression"
    if(alignment.id()!=ID_default)
    {
      typecheck_expr(alignment);
      make_constant(alignment);
    }
  }

  if(type.id()==ID_code)
    typecheck_code_type(to_code_type(type));
  else if(type.id()==ID_array)
    typecheck_array_type(to_array_type(type));
  else if(type.id()==ID_pointer)
    typecheck_type(type.subtype());
  else if(type.id()==ID_struct ||
          type.id()==ID_union)
    typecheck_compound_type(to_struct_union_type(type));
  else if(type.id()==ID_c_enum)
    typecheck_c_enum_type(type);
  else if(type.id()==ID_c_enum_tag)
    typecheck_c_enum_tag_type(to_c_enum_tag_type(type));
  else if(type.id()==ID_c_bit_field)
    typecheck_c_bit_field_type(to_c_bit_field_type(type));
  else if(type.id()==ID_typeof)
    typecheck_typeof_type(type);
  else if(type.id()==ID_symbol)
    typecheck_symbol_type(type);
  else if(type.id()==ID_vector)
    typecheck_vector_type(to_vector_type(type));
  else if(type.id()==ID_custom_unsignedbv ||
          type.id()==ID_custom_signedbv ||
          type.id()==ID_custom_floatbv ||
          type.id()==ID_custom_fixedbv)
    typecheck_custom_type(type);
  else if(type.id()==ID_gcc_attribute_mode)
  {
    // get that mode
    irep_idt mode=type.get(ID_size);

    // A list of all modes is at
    // http://www.delorie.com/gnu/docs/gcc/gccint_53.html

    typecheck_type(type.subtype());

    typet underlying_type=type.subtype();

    // gcc allows this, but clang doesn't; it's a compiler hint only,
    // but we'll try to interpret it the GCC way
    // (the enum's own integer type is used to decide the signedness;
    // type.subtype() itself remains the enum tag)
    if(underlying_type.id()==ID_c_enum_tag)
    {
      underlying_type=
        follow_tag(to_c_enum_tag_type(underlying_type)).subtype();

      assert(underlying_type.id()==ID_signedbv ||
             underlying_type.id()==ID_unsignedbv);
    }

    if(underlying_type.id()==ID_signedbv ||
       underlying_type.id()==ID_unsignedbv)
    {
      bool is_signed=underlying_type.id()==ID_signedbv;

      typet result;

      if(mode=="__QI__") // 8 bits
        result=is_signed?signed_char_type():unsigned_char_type();
      else if(mode=="__byte__") // 8 bits
        result=is_signed?signed_char_type():unsigned_char_type();
      else if(mode=="__HI__") // 16 bits
        result=is_signed?signed_short_int_type():unsigned_short_int_type();
      else if(mode=="__SI__") // 32 bits
        result=is_signed?signed_int_type():unsigned_int_type();
      else if(mode=="__word__") // long int, we think
        result=is_signed?signed_long_int_type():unsigned_long_int_type();
      else if(mode=="__pointer__") // we think this is size_t/ssize_t
        result=is_signed?signed_size_type():size_type();
      else if(mode=="__DI__") // 64 bits
      {
        // pick whichever of long / long long is 64 bits on this target
        if(config.ansi_c.long_int_width==64)
          result=is_signed?signed_long_int_type():unsigned_long_int_type();
        else
        {
          assert(config.ansi_c.long_long_int_width==64);
          result=
            is_signed?signed_long_long_int_type():unsigned_long_long_int_type();
        }
      }
      else if(mode=="__TI__") // 128 bits
        result=is_signed?gcc_signed_int128_type():gcc_unsigned_int128_type();
      else if(mode=="__V2SI__") // vector of 2 ints, deprecated by gcc
        result=
          vector_typet(
            is_signed?signed_int_type():unsigned_int_type(),
            from_integer(2, size_type()));
      else if(mode=="__V4SI__") // vector of 4 ints, deprecated by gcc
        result=
          vector_typet(
            is_signed?signed_int_type():unsigned_int_type(),
            from_integer(4, size_type()));
      else // give up, just use subtype
        result=type.subtype();

      // save the location
      result.add_source_location()=type.source_location();

      // for an enum, the mode also rewrites the enum's underlying type
      // in the symbol table, not just this use of it
      if(type.subtype().id()==ID_c_enum_tag)
      {
        const irep_idt &tag_name=
          to_c_enum_tag_type(type.subtype()).get_identifier();
        symbol_tablet::symbolst::iterator entry=
          symbol_table.symbols.find(tag_name);
        assert(entry!=symbol_table.symbols.end());
        entry->second.type.subtype()=result;
      }

      type=result;
    }
    else if(underlying_type.id()==ID_floatbv)
    {
      typet result;

      if(mode=="__SF__") // 32 bits
        result=float_type();
      else if(mode=="__DF__") // 64 bits
        result=double_type();
      else if(mode=="__TF__") // 128 bits
        result=gcc_float128_type();
      else if(mode=="__V2SF__") // vector of 2 floats, deprecated by gcc
        result=vector_typet(float_type(), from_integer(2, size_type()));
      else if(mode=="__V2DF__") // vector of 2 doubles, deprecated by gcc
        result=vector_typet(double_type(), from_integer(2, size_type()));
      else if(mode=="__V4SF__") // vector of 4 floats, deprecated by gcc
        result=vector_typet(float_type(), from_integer(4, size_type()));
      else if(mode=="__V4DF__") // vector of 4 doubles, deprecated by gcc
        result=vector_typet(double_type(), from_integer(4, size_type()));
      else // give up, just use subtype
        result=type.subtype();

      // save the location
      result.add_source_location()=type.source_location();

      type=result;
    }
    else if(underlying_type.id()==ID_complex)
    {
      // gcc allows this, but clang doesn't -- see enums above
      typet result;

      // the mode names the component type; the complex wrapper is re-added
      if(mode=="__SC__") // 32 bits
        result=float_type();
      else if(mode=="__DC__") // 64 bits
        result=double_type();
      else if(mode=="__TC__") // 128 bits
        result=gcc_float128_type();
      else // give up, just use subtype
        result=type.subtype();

      // save the location
      result.add_source_location()=type.source_location();

      type=complex_typet(result);
    }
    else
    {
      error().source_location=type.source_location();
      error() << "attribute mode `" << mode
              << "' applied to inappropriate type `"
              << to_string(type) << "'" << eom;
      throw 0;
    }
  }

  // do a mild bit of rule checking
  if(type.get_bool(ID_C_restricted) &&
     type.id()!=ID_pointer &&
     type.id()!=ID_array)
  {
    error().source_location=type.source_location();
    error() << "only a pointer can be 'restrict'" << eom;
    throw 0;
  }
}
/// The integer type CEGIS uses when nothing more specific is prescribed.
/// \return plain unsigned int for the configured target
typet cegis_default_integer_type()
{
  typet result=unsigned_int_type();
  return result;
}
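/// Maps a parsed printf/scanf conversion token to the C type of the
/// corresponding argument, following C99 7.19.6.1: the length modifier
/// `hh` selects (unsigned) char, `h` (unsigned) short, `l` (unsigned) long
/// and `ll` (unsigned) long long. (Previously `h` and `hh` were swapped,
/// which made the instrumentation model %hd as a char and %hhd as a short.)
/// \param token: the conversion to classify
/// \return the argument type, or nil_typet() for tokens that take none
typet get_type(const format_tokent &token)
{
  switch(token.type)
  {
  case format_tokent::INT:
    {
      // anything other than a signed decimal conversion is unsigned
      const bool is_signed=token.representation==format_tokent::SIGNED_DEC;

      switch(token.length_modifier)
      {
      case format_tokent::LEN_hh: // char
        return is_signed?signed_char_type():unsigned_char_type();

      case format_tokent::LEN_h: // short
        return is_signed?signed_short_int_type():unsigned_short_int_type();

      case format_tokent::LEN_l: // long
        return is_signed?signed_long_int_type():unsigned_long_int_type();

      case format_tokent::LEN_ll: // long long
        return is_signed?signed_long_long_int_type():
                         unsigned_long_long_int_type();

      default: // no (or unsupported) modifier: int
        return is_signed?signed_int_type():unsigned_int_type();
      }
    }

  case format_tokent::FLOAT:
    switch(token.length_modifier)
    {
    case format_tokent::LEN_l:
      return double_type();
    case format_tokent::LEN_L:
      return long_double_type();
    default:
      return float_type();
    }

  case format_tokent::CHAR:
    switch(token.length_modifier)
    {
    case format_tokent::LEN_l:
      return wchar_t_type();
    default:
      return char_type();
    }

  case format_tokent::POINTER:
    return pointer_type(void_type());

  case format_tokent::STRING:
    // the size of the string argument is unknown here, hence nil size
    switch(token.length_modifier)
    {
    case format_tokent::LEN_l:
      return array_typet(wchar_t_type(), nil_exprt());
    default:
      return array_typet(char_type(), nil_exprt());
    }

  default:
    return nil_typet();
  }
}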