cbmc-doc/html/symex__bmc_8cpp_source.html

/*******************************************************************\


Module: Bounded Model Checking for ANSI-C


Author: Daniel Kroening, kroening@kroening.com


\*******************************************************************/


#include "symex_bmc.h"


#include <util/simplify_expr.h>

#include <util/source_location.h>


#include <goto-programs/unwindset.h>


#include <linking/static_lifetime_init.h>


#include <limits>


symex_bmct::symex_bmct(

  message_handlert &mh,

  const symbol_tablet &outer_symbol_table,

  symex_target_equationt &_target,

  const optionst &options,

  path_storaget &path_storage,

  guard_managert &guard_manager,

  unwindsett &unwindset)

  : goto_symext(

      mh,

      outer_symbol_table,

      _target,

      options,

      path_storage,

      guard_manager),

    last_source_location(source_locationt::nil()),

    record_coverage(!options.get_option("symex-coverage-report").empty()),

    unwindset(unwindset),

    symex_coverage(ns)

{

  const symbolt *init_symbol = outer_symbol_table.lookup(INITIALIZE_FUNCTION);

  if(init_symbol)

    language_mode = init_symbol->mode;


  messaget msg{mh};

  msg.status() << "Starting Bounded Model Checking" << messaget::eom;

}


void symex_bmct::symex_step(

  const get_goto_functiont &get_goto_function,

  statet &state)

{

  const source_locationt &source_location = state.source.pc->source_location();


  if(!source_location.is_nil() && last_source_location != source_location)

  {

    log.debug() << "BMC at " << source_location.as_string() << " (depth "

                << state.depth << ')' << log.eom;


    last_source_location = source_location;

  }


  const goto_programt::const_targett cur_pc = state.source.pc;

  const guardt cur_guard = state.guard;


  if(

    !state.guard.is_false() && state.source.pc->is_assume() &&

    simplify_expr(state.source.pc->condition(), ns) == false)

  {

    log.statistics() << "aborting path on assume(false) at "

                     << state.source.pc->source_location() << " thread "

                     << state.source.thread_nr;


    const irep_idt &c = state.source.pc->source_location().get_comment();

    if(!c.empty())

      log.statistics() << ": " << c;


    log.statistics() << log.eom;

  }


  goto_symext::symex_step(get_goto_function, state);


  if(

    record_coverage &&

    // avoid an invalid iterator in state.source.pc

    (!cur_pc->is_end_function() ||

     state.source.function_id != goto_functionst::entry_point()))

  {

    // forward goto will effectively be covered via phi function,

    // which does not invoke symex_step; as symex_step is called

    // before merge_gotos, also state.guard will be false (we have

    // taken an impossible transition); thus we synthesize a

    // transition from the goto instruction to its target to make

    // sure the goto is considered covered

    if(

      cur_pc->is_goto() && cur_pc->get_target() != state.source.pc &&

      cur_pc->condition() == true)

      symex_coverage.covered(cur_pc, cur_pc->get_target());

    else if(!state.guard.is_false())

      symex_coverage.covered(cur_pc, state.source.pc);

  }

}


void symex_bmct::merge_goto(

  const symex_targett::sourcet &prev_source,

  goto_statet &&goto_state,

  statet &state)

{

  const goto_programt::const_targett prev_pc = prev_source.pc;

  const guardt prev_guard = goto_state.guard;


  goto_symext::merge_goto(prev_source, std::move(goto_state), state);


  PRECONDITION(prev_pc->is_goto());

  if(

    record_coverage &&

    // could the branch possibly be taken?

    !prev_guard.is_false() && !state.guard.is_false() &&

    // branches only, no single-successor goto

    prev_pc->condition() != true)

    symex_coverage.covered(prev_pc, state.source.pc);

}


bool symex_bmct::should_stop_unwind(

  const symex_targett::sourcet &source,

  const call_stackt &context,

  unsigned unwind)

{

  const irep_idt id = goto_programt::loop_id(source.function_id, *source.pc);


  tvt abort_unwind_decision;

  unsigned this_loop_limit = std::numeric_limits<unsigned>::max();


  for(auto handler : loop_unwind_handlers)

  {

    abort_unwind_decision =

      handler(context, source.pc->loop_number, unwind, this_loop_limit);

    if(abort_unwind_decision.is_known())

      break;

  }


  // If no handler gave an opinion, use standard command-line --unwindset

  // / --unwind options to decide:

  if(abort_unwind_decision.is_unknown())

  {

    auto limit = unwindset.get_limit(id, source.thread_nr);


    if(!limit.has_value())

      abort_unwind_decision = tvt(false);

    else

      abort_unwind_decision = tvt(unwind >= *limit);

  }


  INVARIANT(

    abort_unwind_decision.is_known(), "unwind decision should be taken by now");

  bool abort = abort_unwind_decision.is_true();


  log.statistics() << (abort ? "Not unwinding" : "Unwinding") << " loop " << id

                   << " iteration " << unwind;


  if(this_loop_limit != std::numeric_limits<unsigned>::max())

    log.statistics() << " (" << this_loop_limit << " max)";


  log.statistics() << " " << source.pc->source_location() << " thread "

                   << source.thread_nr << log.eom;


  return abort;

}


bool symex_bmct::get_unwind_recursion(

  const irep_idt &id,

  unsigned thread_nr,

  unsigned unwind)

{

  tvt abort_unwind_decision;

  unsigned this_loop_limit = std::numeric_limits<unsigned>::max();


  for(auto handler : recursion_unwind_handlers)

  {

    abort_unwind_decision = handler(id, unwind, this_loop_limit);

    if(abort_unwind_decision.is_known())

      break;

  }


  // If no handler gave an opinion, use standard command-line --unwindset

  // / --unwind options to decide:

  if(abort_unwind_decision.is_unknown())

  {

    auto limit = unwindset.get_limit(id, thread_nr);


    if(!limit.has_value())

      abort_unwind_decision = tvt(false);

    else

      abort_unwind_decision = tvt(unwind > *limit);

  }


  INVARIANT(

    abort_unwind_decision.is_known(), "unwind decision should be taken by now");

  bool abort = abort_unwind_decision.is_true();


  if(unwind > 0 || abort)

  {

    const symbolt &symbol = ns.lookup(id);


    log.statistics() << (abort ? "Not unwinding" : "Unwinding") << " recursion "

                     << symbol.display_name() << " iteration " << unwind;


    if(this_loop_limit != std::numeric_limits<unsigned>::max())

      log.statistics() << " (" << this_loop_limit << " max)";


    log.statistics() << log.eom;

  }


  return abort;

}


call_stackt
Definition call_stack.h:15

dstringt::empty
bool empty() const
Definition dstring.h:89

goto_functionst::entry_point
static irep_idt entry_point()
Get the identifier of the entry point to a goto model.
Definition goto_functions.h:97

goto_programt::loop_id
static irep_idt loop_id(const irep_idt &function_id, const instructiont &instruction)
Human-readable loop name.
Definition goto_program.h:791

goto_programt::const_targett
instructionst::const_iterator const_targett
Definition goto_program.h:614

goto_statet
Container for data that varies per program point, e.g.
Definition goto_state.h:32

goto_statet::guard
guardt guard
Definition goto_state.h:58

goto_statet::depth
unsigned depth
Distance from entry.
Definition goto_state.h:35

goto_symex_statet::source
symex_targett::sourcet source
Definition goto_symex_state.h:62

goto_symext::statet
goto_symex_statet statet
A type abbreviation for goto_symex_statet.
Definition goto_symex.h:41

goto_symext::outer_symbol_table
const symbol_table_baset & outer_symbol_table
The symbol table associated with the goto-program being executed.
Definition goto_symex.h:247

goto_symext::language_mode
irep_idt language_mode
language_mode: ID_java, ID_C or another language identifier if we know the source language in use,...
Definition goto_symex.h:240

goto_symext::get_goto_function
static get_goto_functiont get_goto_function(abstract_goto_modelt &goto_model)
Return a function to get/load a goto function from the given goto model Create a default delegate to ...
Definition symex_main.cpp:493

goto_symext::symex_step
virtual void symex_step(const get_goto_functiont &get_goto_function, statet &state)
Called for each step in the symbolic execution This calls print_symex_step to print symex's current i...
Definition symex_main.cpp:592

goto_symext::path_storage
path_storaget & path_storage
Symbolic execution paths to be resumed later.
Definition goto_symex.h:808

goto_symext::guard_manager
guard_managert & guard_manager
Used to create guards.
Definition goto_symex.h:261

goto_symext::goto_symext
goto_symext(message_handlert &mh, const symbol_table_baset &outer_symbol_table, symex_target_equationt &_target, const optionst &options, path_storaget &path_storage, guard_managert &guard_manager)
Construct a goto_symext to execute a particular program.
Definition goto_symex.h:52

goto_symext::ns
namespacet ns
Initialized just before symbolic execution begins, to point to both outer_symbol_table and the symbol...
Definition goto_symex.h:256

goto_symext::merge_goto
virtual void merge_goto(const symex_targett::sourcet &source, goto_statet &&goto_state, statet &state)
Merge a single branch, the symbolic state of which is held in goto_state, into the current overall sy...
Definition symex_goto.cpp:516

goto_symext::get_goto_functiont
std::function< const goto_functionst::goto_functiont &(const irep_idt &)> get_goto_functiont
The type of delegate functions that retrieve a goto_functiont for a particular function identifier.
Definition goto_symex.h:94

goto_symext::log
messaget log
The messaget to write log messages to.
Definition goto_symex.h:276

guard_exprt::is_false
bool is_false() const
Definition guard_expr.h:65

irept::is_nil
bool is_nil() const
Definition irep.h:368

message_handlert
Definition message.h:27

messaget
Class that provides messages with a built-in verbosity 'level'.
Definition message.h:154

messaget::eom
static eomt eom
Definition message.h:289

messaget::status
mstreamt & status() const
Definition message.h:406

optionst
Definition options.h:23

path_storaget
Storage for symbolic execution paths to be resumed later.
Definition path_storage.h:38

source_locationt
Definition source_location.h:20

source_locationt::as_string
std::string as_string() const
Definition source_location.h:26

symbol_tablet
The symbol table.
Definition symbol_table.h:14

symbolt
Symbol table entry.
Definition symbol.h:28

symbolt::display_name
const irep_idt & display_name() const
Return language specific display name if present.
Definition symbol.h:55

symex_bmct::symex_coverage
symex_coveraget symex_coverage
Definition symex_bmc.h:112

symex_bmct::get_unwind_recursion
bool get_unwind_recursion(const irep_idt &identifier, unsigned thread_nr, unsigned unwind) override
Definition symex_bmc.cpp:173

symex_bmct::loop_unwind_handlers
std::vector< loop_unwind_handlert > loop_unwind_handlers
Callbacks that may provide an unwind/do-not-unwind decision for a loop.
Definition symex_bmc.h:88

symex_bmct::unwindset
unwindsett & unwindset
Definition symex_bmc.h:85

symex_bmct::merge_goto
void merge_goto(const symex_targett::sourcet &source, goto_statet &&goto_state, statet &state) override
Merge a single branch, the symbolic state of which is held in goto_state, into the current overall sy...
Definition symex_bmc.cpp:107

symex_bmct::last_source_location
source_locationt last_source_location
Definition symex_bmc.h:36

symex_bmct::recursion_unwind_handlers
std::vector< recursion_unwind_handlert > recursion_unwind_handlers
Callbacks that may provide an unwind/do-not-unwind decision for a recursive call.
Definition symex_bmc.h:92

symex_bmct::symex_bmct
symex_bmct(message_handlert &mh, const symbol_tablet &outer_symbol_table, symex_target_equationt &_target, const optionst &options, path_storaget &path_storage, guard_managert &guard_manager, unwindsett &unwindset)
Definition symex_bmc.cpp:23

symex_bmct::symex_step
void symex_step(const get_goto_functiont &get_goto_function, statet &state) override
show progress
Definition symex_bmc.cpp:52

symex_bmct::should_stop_unwind
bool should_stop_unwind(const symex_targett::sourcet &source, const call_stackt &context, unsigned unwind) override
Determine whether to unwind a loop.
Definition symex_bmc.cpp:127

symex_bmct::record_coverage
const bool record_coverage
Definition symex_bmc.h:82

symex_target_equationt
Inheriting the interface of symex_targett this class represents the SSA form of the input program as ...
Definition symex_target_equation.h:34

tvt
Definition threeval.h:20

tvt::is_known
bool is_known() const
Definition threeval.h:28

tvt::is_unknown
bool is_unknown() const
Definition threeval.h:27

tvt::is_true
bool is_true() const
Definition threeval.h:25

unwindsett
Definition unwindset.h:26

guard_managert
guard_expr_managert guard_managert
Definition guard.h:28

guardt
guard_exprt guardt
Definition guard.h:29

init_symbol
static std::unordered_set< irep_idt > init_symbol(const symbolt &sym, code_blockt &code_block, symbol_table_baset &symbol_table, const source_locationt &source_location, bool assume_init_pointers_not_null, const java_object_factory_parameterst &object_factory_parameters, const select_pointer_typet &pointer_type_selector, bool string_refinement_enabled, message_handlert &message_handler)
Definition java_entry_point.cpp:108

simplify_expr
exprt simplify_expr(exprt src, const namespacet &ns)
Definition simplify_expr.cpp:3374

simplify_expr.h

source_location.h

PRECONDITION
#define PRECONDITION(CONDITION)
Definition invariant.h:463

INVARIANT
#define INVARIANT(CONDITION, REASON)
This macro uses the wrapper function 'invariant_violated_string'.
Definition invariant.h:423

static_lifetime_init.h

INITIALIZE_FUNCTION
#define INITIALIZE_FUNCTION
Definition static_lifetime_init.h:24

symex_targett::sourcet
Identifies source in the context of symbolic execution.
Definition symex_target.h:37

symex_targett::sourcet::thread_nr
unsigned thread_nr
Definition symex_target.h:38

symex_targett::sourcet::pc
goto_programt::const_targett pc
Definition symex_target.h:42

symex_targett::sourcet::function_id
irep_idt function_id
Definition symex_target.h:39

symex_bmc.h
Bounded Model Checking for ANSI-C.

unwindset.h
Loop unwinding.

irep_idt
dstringt irep_idt
Definition verification_result.h:16