diffblue.github.io/cbmc/havoc__assigns__clause__targets_8cpp_source.html

/*******************************************************************\


Module: Havoc multiple and possibly dependent targets simultaneously


Author: Remi Delmas, [email protected]


\*******************************************************************/


#include "havoc_assigns_clause_targets.h"


#include <util/c_types.h>

#include <util/message.h>

#include <util/pointer_expr.h>

#include <util/std_code.h>


#include "instrument_spec_assigns.h"

#include "utils.h"


void havoc_assigns_clause_targetst::get_instructions(goto_programt &dest)

{

  // snapshotting instructions and well-definedness checks

  goto_programt snapshot_program;


  // add static locals called touched by the replaced function

  track_static_locals(snapshot_program);


  // add spec targets

  for(const auto &target : targets)

    track_spec_target(target, snapshot_program);


  // generate havocking instructions for all tracked CARs

  goto_programt havoc_program;

  for(const auto &pair : from_spec_assigns)

    havoc_if_valid(pair.second, havoc_program);


  for(const auto &pair : from_stack_alloc)

    havoc_if_valid(pair.second, havoc_program);


  for(const auto &car : from_heap_alloc)

    havoc_if_valid(car, havoc_program);


  for(const auto &pair : from_static_local)

  {

    havoc_static_local(pair.second, havoc_program);

  }


  // append to dest

  dest.destructive_append(snapshot_program);

  dest.destructive_append(havoc_program);

}


void havoc_assigns_clause_targetst::havoc_if_valid(

  car_exprt car,

  goto_programt &dest)

{

  const irep_idt &tracking_comment =

    make_assigns_clause_replacement_tracking_comment(

      car.target(), function_id, ns);


  source_locationt source_location_no_checks(source_location);

  add_pragma_disable_pointer_checks(source_location_no_checks);


  goto_programt skip_program;

  const auto skip_target =

    skip_program.add(goto_programt::make_skip(source_location_no_checks));


  dest.add(goto_programt::make_goto(

    skip_target, boolean_negate(car.valid_var()), source_location_no_checks));


  if(car.havoc_method == car_havoc_methodt::HAVOC_OBJECT)

  {

    // OTHER __CPROVER_havoc_object(target_snapshot_var)

    codet code(ID_havoc_object, {car.lower_bound_var()});

    source_locationt annotated_location = source_location;

    annotated_location.set_comment(tracking_comment);

    dest.add(goto_programt::make_other(code, annotated_location));

  }

  else if(car.havoc_method == car_havoc_methodt::HAVOC_SLICE)

  {

    // This is a slice target. We use goto convert's do_havoc_slice()

    // code generation, provided by cleanert.

    cleanert cleaner(st, log.get_message_handler());

    const auto &mode = st.lookup_ref(function_id).mode;

    const auto &funcall = to_side_effect_expr_function_call(car.target());

    const auto &function = to_symbol_expr(funcall.function());

    exprt::operandst arguments;

    arguments.push_back(car.lower_bound_var());

    arguments.push_back(car.target_size());

    cleaner.do_havoc_slice(function, arguments, dest, mode);

  }

  else if(car.havoc_method == car_havoc_methodt::NONDET_ASSIGN)

  {

    // a target where the size is derived from the type of the target

    // ASSIGN *(target.type() *)__car_lb = nondet(car.target().type())

    const auto &target_type = car.target().type();

    side_effect_expr_nondett nondet(target_type, source_location);

    source_locationt annotated_location = source_location;

    annotated_location.set_comment(tracking_comment);

    dest.add(goto_programt::make_assignment(

      dereference_exprt{typecast_exprt::conditional_cast(

        car.lower_bound_var(), pointer_type(target_type))},

      nondet,

      annotated_location));

  }

  else

  {

    UNREACHABLE;

  }


  dest.destructive_append(skip_program);


  dest.add(

    goto_programt::make_dead(car.valid_var(), source_location_no_checks));


  dest.add(

    goto_programt::make_dead(car.lower_bound_var(), source_location_no_checks));


  dest.add(

    goto_programt::make_dead(car.upper_bound_var(), source_location_no_checks));

}


void havoc_assigns_clause_targetst::havoc_static_local(

  car_exprt car,

  goto_programt &dest)

{

  // We havoc the target expression directly for local statics

  // instead of the __car_lb pointer because we know statics never die

  // and cannot be involved in in dependencies

  // since we cannot talk about them in contracts.

  const irep_idt &tracking_comment =

    make_assigns_clause_replacement_tracking_comment(

      car.target(), function_id, ns);


  source_locationt source_location_no_checks(source_location);

  add_pragma_disable_pointer_checks(source_location_no_checks);


  goto_programt skip_program;

  const auto skip_target =

    skip_program.add(goto_programt::make_skip(source_location_no_checks));


  dest.add(goto_programt::make_goto(

    skip_target, boolean_negate(car.valid_var()), source_location_no_checks));


  const auto &target_type = car.target().type();

  side_effect_expr_nondett nondet(target_type, source_location);

  source_locationt annotated_location = source_location;

  annotated_location.set_comment(tracking_comment);

  add_propagate_static_local_pragma(annotated_location);

  dest.add(

    goto_programt::make_assignment(car.target(), nondet, annotated_location));


  dest.destructive_append(skip_program);


  dest.add(

    goto_programt::make_dead(car.valid_var(), source_location_no_checks));


  dest.add(

    goto_programt::make_dead(car.lower_bound_var(), source_location_no_checks));


  dest.add(

    goto_programt::make_dead(car.upper_bound_var(), source_location_no_checks));

}


pointer_type
pointer_typet pointer_type(const typet &subtype)
Definition c_types.cpp:235

c_types.h

ait
ait supplies three of the four components needed: an abstract interpreter (in this case handling func...
Definition ai.h:562

car_exprt
Class that represents a normalized conditional address range, with:
Definition instrument_spec_assigns.h:74

cleanert
Class that allows to clean expressions of side effects and to generate havoc_slice expressions.
Definition utils.h:37

cleanert::do_havoc_slice
void do_havoc_slice(const symbol_exprt &function, const exprt::operandst &arguments, goto_programt &dest, const irep_idt &mode)
Definition utils.h:54

codet
Data structure for representing an arbitrary statement in a program.
Definition std_code_base.h:29

dereference_exprt
Operator to dereference a pointer.
Definition pointer_expr.h:834

dstringt
dstringt has one field, an unsigned integer no which is an index into a static table of strings.
Definition dstring.h:38

exprt::operandst
std::vector< exprt > operandst
Definition expr.h:58

goto_programt
A generic container class for the GOTO intermediate representation of one function.
Definition goto_program.h:72

goto_programt::make_dead
static instructiont make_dead(const symbol_exprt &symbol, const source_locationt &l=source_locationt::nil())
Definition goto_program.h:970

goto_programt::destructive_append
void destructive_append(goto_programt &p)
Appends the given program p to *this. p is destroyed.
Definition goto_program.h:721

goto_programt::make_assignment
static instructiont make_assignment(const code_assignt &_code, const source_locationt &l=source_locationt::nil())
Create an assignment instruction.
Definition goto_program.h:1064

goto_programt::make_skip
static instructiont make_skip(const source_locationt &l=source_locationt::nil())
Definition goto_program.h:890

goto_programt::make_other
static instructiont make_other(const goto_instruction_codet &_code, const source_locationt &l=source_locationt::nil())
Definition goto_program.h:956

goto_programt::add
targett add(instructiont &&instruction)
Adds a given instruction at the end.
Definition goto_program.h:738

goto_programt::make_goto
static instructiont make_goto(targett _target, const source_locationt &l=source_locationt::nil())
Definition goto_program.h:1038

havoc_assigns_clause_targetst::targets
const std::vector< exprt > & targets
Definition havoc_assigns_clause_targets.h:120

havoc_assigns_clause_targetst::havoc_if_valid
void havoc_if_valid(car_exprt car, goto_programt &dest)
Generates instructions to conditionally havoc the given conditional address range expression car,...
Definition havoc_assigns_clause_targets.cpp:55

havoc_assigns_clause_targetst::get_instructions
void get_instructions(goto_programt &dest)
Generates the assigns clause replacement instructions in dest.
Definition havoc_assigns_clause_targets.cpp:22

havoc_assigns_clause_targetst::havoc_static_local
void havoc_static_local(car_exprt car, goto_programt &dest)
Havoc a static local expression.
Definition havoc_assigns_clause_targets.cpp:125

havoc_assigns_clause_targetst::source_location
const source_locationt & source_location
Definition havoc_assigns_clause_targets.h:121

instrument_spec_assignst::track_spec_target
void track_spec_target(const exprt &expr, goto_programt &dest)
Track an assigns clause target and generate snaphsot instructions and well-definedness assertions in ...
Definition instrument_spec_assigns.cpp:92

instrument_spec_assignst::from_stack_alloc
symbol_exprt_to_car_mapt from_stack_alloc
Map from DECL symbols to corresponding conditional address ranges.
Definition instrument_spec_assigns.h:611

instrument_spec_assignst::from_spec_assigns
cond_target_exprt_to_car_mapt from_spec_assigns
Map from conditional target expressions of assigns clauses to corresponding conditional address range...
Definition instrument_spec_assigns.h:602

instrument_spec_assignst::st
symbol_table_baset & st
Program symbol table.
Definition instrument_spec_assigns.h:483

instrument_spec_assignst::from_static_local
symbol_exprt_to_car_mapt from_static_local
Map to from detected or propagated static local symbols to corresponding conditional address ranges.
Definition instrument_spec_assigns.h:626

instrument_spec_assignst::mode
const irep_idt & mode
Language mode.
Definition instrument_spec_assigns.h:492

instrument_spec_assignst::from_heap_alloc
car_expr_listt from_heap_alloc
Definition instrument_spec_assigns.h:620

instrument_spec_assignst::track_static_locals
void track_static_locals(goto_programt &dest)
Searches the goto instructions reachable from the start to the end of the instrumented function's ins...
Definition instrument_spec_assigns.cpp:165

instrument_spec_assignst::log
messaget log
Logger.
Definition instrument_spec_assigns.h:489

instrument_spec_assignst::ns
const namespacet ns
Program namespace.
Definition instrument_spec_assigns.h:486

instrument_spec_assignst::function_id
const irep_idt & function_id
Name of the instrumented function.
Definition instrument_spec_assigns.h:474

messaget::get_message_handler
message_handlert & get_message_handler()
Definition message.h:183

side_effect_expr_nondett
A side_effect_exprt that returns a non-deterministically chosen value.
Definition std_code.h:1520

source_locationt
Definition source_location.h:20

symbol_table_baset::lookup_ref
const symbolt & lookup_ref(const irep_idt &name) const
Find a symbol in the symbol table for read-only access.
Definition symbol_table_base.h:105

typecast_exprt::conditional_cast
static exprt conditional_cast(const exprt &expr, const typet &type)
Definition std_expr.h:2081

boolean_negate
exprt boolean_negate(const exprt &src)
negate a Boolean expression, possibly removing a not_exprt, and swapping false and true
Definition expr_util.cpp:103

havoc_assigns_clause_targets.h
Havoc function assigns clauses.

add_pragma_disable_pointer_checks
void add_pragma_disable_pointer_checks(source_locationt &location)
Adds a pragma on a source location disable all pointer checks.
Definition instrument_spec_assigns.cpp:54

add_propagate_static_local_pragma
void add_propagate_static_local_pragma(source_locationt &source_location)
Sets a pragma to mark assignments to static local variables that need to be propagated upwards in the...
Definition instrument_spec_assigns.cpp:45

instrument_spec_assigns.h
Specify write set in function contracts.

car_havoc_methodt::NONDET_ASSIGN
@ NONDET_ASSIGN

car_havoc_methodt::HAVOC_OBJECT
@ HAVOC_OBJECT

car_havoc_methodt::HAVOC_SLICE
@ HAVOC_SLICE

pointer_expr.h
API to expression classes for Pointers.

UNREACHABLE
#define UNREACHABLE
This should be used to mark dead code.
Definition invariant.h:525

message.h

std_code.h

to_side_effect_expr_function_call
side_effect_expr_function_callt & to_side_effect_expr_function_call(exprt &expr)
Definition std_code.h:1739

to_symbol_expr
const symbol_exprt & to_symbol_expr(const exprt &expr)
Cast an exprt to a symbol_exprt.
Definition std_expr.h:272

make_assigns_clause_replacement_tracking_comment
irep_idt make_assigns_clause_replacement_tracking_comment(const exprt &target, const irep_idt &function_id, const namespacet &ns)
Returns an irep_idt that essentially says that target was assigned by the contract of function_id.
Definition utils.cpp:329

utils.h