symex__clean__expr_8cpp_source.html

 /*******************************************************************\


 Module: Symbolic Execution of ANSI-C


 Author: Daniel Kroening, kroening@kroening.com


 \*******************************************************************/


 #include "goto_symex.h"


 #include <util/arith_tools.h>

 #include <util/byte_operators.h>

 #include <util/c_types.h>

 #include <util/expr_iterator.h>

 #include <util/pointer_offset_size.h>

 #include <util/simplify_expr.h>


 #include "expr_skeleton.h"

 #include "path_storage.h"

 #include "symex_assign.h"

 #include "symex_dereference_state.h"


 #include <pointer-analysis/value_set_dereference.h>


 static void

 process_array_expr(exprt &expr, bool do_simplify, const namespacet &ns)

 {

   // This may change the type of the expression!


   if(expr.id()==ID_if)

   {

     if_exprt &if_expr=to_if_expr(expr);

     process_array_expr(if_expr.true_case(), do_simplify, ns);

     process_array_expr(if_expr.false_case(), do_simplify, ns);


     if(if_expr.true_case() != if_expr.false_case())

     {

       byte_extract_exprt be = make_byte_extract(

         if_expr.false_case(),

         from_integer(0, c_index_type()),

         if_expr.true_case().type());


       if_expr.false_case().swap(be);

     }


     if_expr.type()=if_expr.true_case().type();

   }

   else if(expr.id()==ID_address_of)

   {

     // strip

     exprt tmp = to_address_of_expr(expr).object();

     expr.swap(tmp);

     process_array_expr(expr, do_simplify, ns);

   }

   else if(

     is_ssa_expr(expr) && to_ssa_expr(expr).get_original_expr().id() == ID_index)

   {

     const ssa_exprt &ssa=to_ssa_expr(expr);

     const index_exprt &index_expr=to_index_expr(ssa.get_original_expr());

     exprt tmp=index_expr.array();

     expr.swap(tmp);


     process_array_expr(expr, do_simplify, ns);

   }

   else if(expr.id() != ID_symbol)

   {

     object_descriptor_exprt ode;

     ode.build(expr, ns);


     expr = ode.root_object();


     // If we arrive at a void-typed object (typically the result of failing to

     // dereference a void* pointer) there is nothing else to be done - it has

     // void-type and the caller needs to handle this case gracefully.

     if(expr.type().id() == ID_empty)

       return;


     if(!ode.offset().is_zero())

     {

       if(expr.type().id() != ID_array)

       {

         auto array_size = size_of_expr(expr.type(), ns);

         CHECK_RETURN(array_size.has_value());

         if(do_simplify)

           simplify(array_size.value(), ns);

         expr = make_byte_extract(

           expr,

           from_integer(0, c_index_type()),

           array_typet(char_type(), array_size.value()));

       }


       // given an array type T[N], i.e., an array of N elements of type T, and a

       // byte offset B, compute the array offset B/sizeof(T) and build a new

       // type T[N-(B/sizeof(T))]

       const array_typet &prev_array_type = to_array_type(expr.type());

       const typet &array_size_type = prev_array_type.size().type();

       const typet &subtype = prev_array_type.element_type();


       exprt new_offset =

         typecast_exprt::conditional_cast(ode.offset(), array_size_type);

       auto subtype_size_opt = size_of_expr(subtype, ns);

       CHECK_RETURN(subtype_size_opt.has_value());

       exprt subtype_size = typecast_exprt::conditional_cast(

         subtype_size_opt.value(), array_size_type);

       new_offset = div_exprt(new_offset, subtype_size);

       minus_exprt subtraction{prev_array_type.size(), new_offset};

       if_exprt new_size{

         binary_predicate_exprt{

           subtraction, ID_ge, from_integer(0, subtraction.type())},

         subtraction,

         from_integer(0, subtraction.type())};

       if(do_simplify)

         simplify(new_size, ns);


       array_typet new_array_type(subtype, new_size);


       expr = make_byte_extract(expr, ode.offset(), new_array_type);

     }

   }

 }


 void goto_symext::process_array_expr(statet &state, exprt &expr)

 {

   symex_dereference_statet symex_dereference_state(state, ns);


   value_set_dereferencet dereference(

     ns,

     state.symbol_table,

     symex_dereference_state,

     language_mode,

     false,

     log.get_message_handler());


   expr = dereference.dereference(expr, symex_config.show_points_to_sets);

   lift_lets(state, expr);


   ::process_array_expr(expr, symex_config.simplify_opt, ns);

 }


 static void adjust_byte_extract_rec(exprt &expr, const namespacet &ns)

 {

   Forall_operands(it, expr)

     adjust_byte_extract_rec(*it, ns);


   if(expr.id()==ID_byte_extract_big_endian ||

      expr.id()==ID_byte_extract_little_endian)

   {

     byte_extract_exprt &be=to_byte_extract_expr(expr);

     if(be.op().id()==ID_symbol &&

        to_ssa_expr(be.op()).get_original_expr().get_bool(ID_C_invalid_object))

       return;


     object_descriptor_exprt ode;

     ode.build(expr, ns);


     be.op()=ode.root_object();

     be.offset()=ode.offset();

   }

 }


 static void

 replace_nondet(exprt &expr, symex_nondet_generatort &build_symex_nondet)

 {

   if(expr.id() == ID_side_effect && expr.get(ID_statement) == ID_nondet)

   {

     expr = build_symex_nondet(expr.type(), expr.source_location());

   }

   else

   {

     Forall_operands(it, expr)

       replace_nondet(*it, build_symex_nondet);

   }

 }


 void goto_symext::lift_let(statet &state, const let_exprt &let_expr)

 {

   exprt let_value = clean_expr(let_expr.value(), state, false);

   let_value = state.rename(std::move(let_value), ns).get();

   do_simplify(let_value);


   exprt::operandst value_assignment_guard;

   symex_assignt{

     shadow_memory,

     state,

     symex_targett::assignment_typet::HIDDEN,

     ns,

     symex_config,

     target}

     .assign_symbol(

       to_ssa_expr(state.rename<L1>(let_expr.symbol(), ns).get()),

       expr_skeletont{},

       let_value,

       value_assignment_guard);


   // Schedule the bound variable to be cleaned up at the end of symex_step:

   instruction_local_symbols.push_back(let_expr.symbol());

 }


 void goto_symext::lift_lets(statet &state, exprt &rhs)

 {

   for(auto it = rhs.depth_begin(), itend = rhs.depth_end(); it != itend;)

   {

     if(it->id() == ID_let)

     {

       // Visit post-order, so more-local definitions are made before usage:

       exprt &replaced_expr = it.mutate();

       let_exprt &replaced_let = to_let_expr(replaced_expr);

       lift_lets(state, replaced_let.value());

       lift_lets(state, replaced_let.where());


       lift_let(state, replaced_let);

       replaced_expr = replaced_let.where();


       it.next_sibling_or_parent();

     }

     else if(can_cast_expr<binding_exprt>(*it))

     {

       // expressions within exists/forall may depend on bound variables, we

       // cannot safely lift let expressions out of those, just skip

       it.next_sibling_or_parent();

     }

     else

       ++it;

   }

 }


 [[nodiscard]] exprt

 goto_symext::clean_expr(exprt expr, statet &state, const bool write)

 {

   replace_nondet(expr, path_storage.build_symex_nondet);

   dereference(expr, state, write);

   lift_lets(state, expr);


   // make sure all remaining byte extract operations use the root

   // object to avoid nesting of with/update and byte_update when on

   // lhs

   if(write)

     adjust_byte_extract_rec(expr, ns);

   return expr;

 }

from_integer
constant_exprt from_integer(const mp_integer &int_value, const typet &type)
Definition: arith_tools.cpp:100

arith_tools.h

make_byte_extract
byte_extract_exprt make_byte_extract(const exprt &_op, const exprt &_offset, const typet &_type)
Construct a byte_extract_exprt with endianness and byte width matching the current configuration.
Definition: byte_operators.cpp:48

byte_operators.h
Expression classes for byte-level operators.

to_byte_extract_expr
const byte_extract_exprt & to_byte_extract_expr(const exprt &expr)
Definition: byte_operators.h:70

char_type
bitvector_typet char_type()
Definition: c_types.cpp:106

c_index_type
bitvector_typet c_index_type()
Definition: c_types.cpp:16

c_types.h

address_of_exprt::object
exprt & object()
Definition: pointer_expr.h:549

array_typet
Arrays with given size.
Definition: std_types.h:807

array_typet::element_type
const typet & element_type() const
The type of the elements of the array.
Definition: std_types.h:827

array_typet::size
const exprt & size() const
Definition: std_types.h:840

binary_predicate_exprt
A base class for expressions that are predicates, i.e., Boolean-typed, and that take exactly two argu...
Definition: std_expr.h:731

byte_extract_exprt
Expression of type type extracted from some object op starting at position offset (given in number of...
Definition: byte_operators.h:29

byte_extract_exprt::op
exprt & op()
Definition: byte_operators.h:46

byte_extract_exprt::offset
exprt & offset()
Definition: byte_operators.h:47

div_exprt
Division.
Definition: std_expr.h:1152

expr_skeletont
Expression in which some part is missing and can be substituted for another expression.
Definition: expr_skeleton.h:26

exprt
Base class for all expressions.
Definition: expr.h:56

exprt::operandst
std::vector< exprt > operandst
Definition: expr.h:58

exprt::depth_end
depth_iteratort depth_end()
Definition: expr.cpp:249

exprt::depth_begin
depth_iteratort depth_begin()
Definition: expr.cpp:247

exprt::source_location
const source_locationt & source_location() const
Definition: expr.h:231

exprt::is_zero
bool is_zero() const
Return whether the expression is a constant representing 0.
Definition: expr.cpp:47

exprt::type
typet & type()
Return the type of the expression.
Definition: expr.h:84

goto_symex_statet
Central data structure: state.
Definition: goto_symex_state.h:43

goto_symex_statet::rename
renamedt< exprt, level > rename(exprt expr, const namespacet &ns)
Rewrites symbol expressions in exprt, applying a suffix to each symbol reflecting its most recent ver...
Definition: goto_symex_state.cpp:171

goto_symex_statet::symbol_table
symbol_tablet symbol_table
contains symbols that are minted during symbolic execution, such as dynamically created objects etc.
Definition: goto_symex_state.h:67

goto_symext::language_mode
irep_idt language_mode
language_mode: ID_java, ID_C or another language identifier if we know the source language in use,...
Definition: goto_symex.h:241

goto_symext::lift_let
void lift_let(statet &state, const let_exprt &let_expr)
Execute a single let expression, which should not have any nested let expressions (use lift_lets inst...
Definition: symex_clean_expr.cpp:183

goto_symext::path_storage
path_storaget & path_storage
Symbolic execution paths to be resumed later.
Definition: goto_symex.h:816

goto_symext::target
symex_target_equationt & target
The equation that this execution is building up.
Definition: goto_symex.h:266

goto_symext::clean_expr
exprt clean_expr(exprt expr, statet &state, bool write)
Clean up an expression.
Definition: symex_clean_expr.cpp:236

goto_symext::shadow_memory
shadow_memoryt shadow_memory
Shadow memory instrumentation API.
Definition: goto_symex.h:845

goto_symext::ns
namespacet ns
Initialized just before symbolic execution begins, to point to both outer_symbol_table and the symbol...
Definition: goto_symex.h:258

goto_symext::lift_lets
void lift_lets(statet &, exprt &)
Execute any let expressions in expr using symex_assignt::assign_symbol.
Definition: symex_clean_expr.cpp:207

goto_symext::do_simplify
virtual void do_simplify(exprt &expr)
Definition: goto_symex.cpp:32

goto_symext::log
messaget log
The messaget to write log messages to.
Definition: goto_symex.h:278

goto_symext::symex_config
const symex_configt symex_config
The configuration to use for this symbolic execution.
Definition: goto_symex.h:185

goto_symext::dereference
virtual void dereference(exprt &, statet &, bool write)
Replace all dereference operations within expr with explicit references to the objects they may refer...
Definition: symex_dereference.cpp:484

goto_symext::instruction_local_symbols
std::vector< symbol_exprt > instruction_local_symbols
Variables that should be killed at the end of the current symex_step invocation.
Definition: goto_symex.h:275

goto_symext::process_array_expr
void process_array_expr(statet &, exprt &)
Given an expression, find the root object and the offset into it.
Definition: symex_clean_expr.cpp:129

if_exprt
The trinary if-then-else operator.
Definition: std_expr.h:2370

if_exprt::true_case
exprt & true_case()
Definition: std_expr.h:2397

if_exprt::false_case
exprt & false_case()
Definition: std_expr.h:2407

index_exprt
Array index operator.
Definition: std_expr.h:1465

index_exprt::array
exprt & array()
Definition: std_expr.h:1495

irept::get_bool
bool get_bool(const irep_idt &name) const
Definition: irep.cpp:57

irept::get
const irep_idt & get(const irep_idt &name) const
Definition: irep.cpp:44

irept::id
const irep_idt & id() const
Definition: irep.h:384

irept::swap
void swap(irept &irep)
Definition: irep.h:430

let_exprt
A let expression.
Definition: std_expr.h:3196

let_exprt::where
exprt & where()
convenience accessor for binding().where()
Definition: std_expr.h:3289

let_exprt::symbol
symbol_exprt & symbol()
convenience accessor for the symbol of a single binding
Definition: std_expr.h:3235

let_exprt::value
exprt & value()
convenience accessor for the value of a single binding
Definition: std_expr.h:3251

messaget::get_message_handler
message_handlert & get_message_handler()
Definition: message.h:184

minus_exprt
Binary minus.
Definition: std_expr.h:1061

namespacet
A namespacet is essentially one or two symbol tables bound together, to allow for symbol lookups in t...
Definition: namespace.h:94

object_descriptor_exprt
Split an expression into a base object and a (byte) offset.
Definition: pointer_expr.h:181

object_descriptor_exprt::offset
exprt & offset()
Definition: pointer_expr.h:223

object_descriptor_exprt::build
void build(const exprt &expr, const namespacet &ns)
Given an expression expr, attempt to find the underlying object it represents by skipping over type c...
Definition: pointer_expr.cpp:108

object_descriptor_exprt::root_object
static const exprt & root_object(const exprt &expr)
Definition: pointer_expr.cpp:180

path_storaget::build_symex_nondet
symex_nondet_generatort build_symex_nondet
Counter for nondet objects, which require unique names.
Definition: path_storage.h:91

ssa_exprt
Expression providing an SSA-renamed symbol of expressions.
Definition: ssa_expr.h:17

ssa_exprt::get_original_expr
const exprt & get_original_expr() const
Definition: ssa_expr.h:33

symex_assignt
Functor for symex assignment.
Definition: symex_assign.h:28

symex_dereference_statet
Callback object that goto_symext::dereference_rec provides to value_set_dereferencet to provide value...
Definition: symex_dereference_state.h:26

symex_nondet_generatort
Functor generating fresh nondet symbols.
Definition: path_storage.h:23

symex_targett::assignment_typet::HIDDEN
@ HIDDEN

typecast_exprt::conditional_cast
static exprt conditional_cast(const exprt &expr, const typet &type)
Definition: std_expr.h:2076

typet
The type of an expression, extends irept.
Definition: type.h:29

value_set_dereferencet
Wrapper for a function dereferencing pointer expressions using a value set.
Definition: value_set_dereference.h:23

Forall_operands
#define Forall_operands(it, expr)
Definition: expr.h:27

expr_iterator.h
Forward depth-first search iterators These iterators' copy operations are expensive,...

expr_skeleton.h
Expression skeleton.

goto_symex.h
Symbolic Execution.

path_storage.h
Storage of symbolic execution paths to resume.

to_address_of_expr
const address_of_exprt & to_address_of_expr(const exprt &expr)
Cast an exprt to an address_of_exprt.
Definition: pointer_expr.h:577

size_of_expr
std::optional< exprt > size_of_expr(const typet &type, const namespacet &ns)
Definition: pointer_offset_size.cpp:287

pointer_offset_size.h
Pointer Logic.

L1
@ L1
Definition: renamed.h:24

simplify
bool simplify(exprt &expr, const namespacet &ns)
Definition: simplify_expr.cpp:3233

simplify_expr.h

CHECK_RETURN
#define CHECK_RETURN(CONDITION)
Definition: invariant.h:495

to_ssa_expr
const ssa_exprt & to_ssa_expr(const exprt &expr)
Cast a generic exprt to an ssa_exprt.
Definition: ssa_expr.h:145

is_ssa_expr
bool is_ssa_expr(const exprt &expr)
Definition: ssa_expr.h:125

to_if_expr
const if_exprt & to_if_expr(const exprt &expr)
Cast an exprt to an if_exprt.
Definition: std_expr.h:2450

to_let_expr
const let_exprt & to_let_expr(const exprt &expr)
Cast an exprt to a let_exprt.
Definition: std_expr.h:3320

can_cast_expr< binding_exprt >
bool can_cast_expr< binding_exprt >(const exprt &base)
Definition: std_expr.h:3150

to_index_expr
const index_exprt & to_index_expr(const exprt &expr)
Cast an exprt to an index_exprt.
Definition: std_expr.h:1533

to_array_type
const array_typet & to_array_type(const typet &type)
Cast a typet to an array_typet.
Definition: std_types.h:888

symex_configt::show_points_to_sets
bool show_points_to_sets
Definition: symex_config.h:49

symex_configt::simplify_opt
bool simplify_opt
Definition: symex_config.h:33

symex_assign.h
Symbolic Execution of assignments.

process_array_expr
static void process_array_expr(exprt &expr, bool do_simplify, const namespacet &ns)
Given an expression, find the root object and the offset into it.
Definition: symex_clean_expr.cpp:33

replace_nondet
static void replace_nondet(exprt &expr, symex_nondet_generatort &build_symex_nondet)
Definition: symex_clean_expr.cpp:170

adjust_byte_extract_rec
static void adjust_byte_extract_rec(exprt &expr, const namespacet &ns)
Rewrite index/member expressions in byte_extract to offset.
Definition: symex_clean_expr.cpp:148

symex_dereference_state.h
Symbolic Execution of ANSI-C.

write
ssize_t write(int fildes, const void *buf, size_t nbyte)
Definition: unistd.c:195

value_set_dereference.h
Pointer Dereferencing.