cbmc-documentation/ai_8h_source.html

/*******************************************************************\


Module: Abstract Interpretation


Author: Daniel Kroening, kroening@kroening.com


\*******************************************************************/


#ifndef CPROVER_ANALYSES_AI_H

#define CPROVER_ANALYSES_AI_H


#include <iosfwd>

#include <memory>


#include <util/deprecate.h>

#include <util/json.h>

#include <util/make_unique.h>

#include <util/message.h>

#include <util/xml.h>


#include <goto-programs/goto_model.h>


#include "ai_domain.h"

#include "ai_history.h"

#include "ai_storage.h"

#include "is_threaded.h"


class ai_baset

{

public:

  typedef ai_domain_baset statet;

  typedef ai_storage_baset::cstate_ptrt cstate_ptrt;

  typedef ai_history_baset::trace_ptrt trace_ptrt;

  typedef ai_history_baset::trace_sett trace_sett;

  typedef ai_storage_baset::ctrace_set_ptrt ctrace_set_ptrt;

  typedef goto_programt::const_targett locationt;


  ai_baset(

    std::unique_ptr<ai_history_factory_baset> &&hf,

    std::unique_ptr<ai_domain_factory_baset> &&df,

    std::unique_ptr<ai_storage_baset> &&st,

    message_handlert &mh)

    : history_factory(std::move(hf)),

      domain_factory(std::move(df)),

      storage(std::move(st)),

      message_handler(mh)

  {

  }


  virtual ~ai_baset()

  {

  }


  void operator()(

    const irep_idt &function_id,

    const goto_programt &goto_program,

    const namespacet &ns)

  {

    goto_functionst goto_functions;

    initialize(function_id, goto_program);

    trace_ptrt p = entry_state(goto_program);

    fixedpoint(p, function_id, goto_program, goto_functions, ns);

    finalize();

  }


  void operator()(

    const goto_functionst &goto_functions,

    const namespacet &ns)

  {

    initialize(goto_functions);

    trace_ptrt p = entry_state(goto_functions);

    fixedpoint(p, goto_functions, ns);

    finalize();

  }


  void operator()(const abstract_goto_modelt &goto_model)

  {

    const namespacet ns(goto_model.get_symbol_table());

    initialize(goto_model.get_goto_functions());

    trace_ptrt p = entry_state(goto_model.get_goto_functions());

    fixedpoint(p, goto_model.get_goto_functions(), ns);

    finalize();

  }


  void operator()(

    const irep_idt &function_id,

    const goto_functionst::goto_functiont &goto_function,

    const namespacet &ns)

  {

    goto_functionst goto_functions;

    initialize(function_id, goto_function);

    trace_ptrt p = entry_state(goto_function.body);

    fixedpoint(p, function_id, goto_function.body, goto_functions, ns);

    finalize();

  }


  virtual ctrace_set_ptrt abstract_traces_before(locationt l) const

  {

    return storage->abstract_traces_before(l);

  }


  virtual ctrace_set_ptrt abstract_traces_after(locationt l) const

  {

    INVARIANT(!l->is_end_function(), "No state after the last instruction");

    return storage->abstract_traces_before(std::next(l));

  }


  virtual cstate_ptrt abstract_state_before(locationt l) const

  {

    return storage->abstract_state_before(l, *domain_factory);

  }


  virtual cstate_ptrt abstract_state_after(locationt l) const

  {

    INVARIANT(!l->is_end_function(), "No state after the last instruction");

    return abstract_state_before(std::next(l));

  }


  virtual cstate_ptrt abstract_state_before(const trace_ptrt &p) const

  {

    return storage->abstract_state_before(p, *domain_factory);

  }


  virtual cstate_ptrt abstract_state_after(const trace_ptrt &p) const

  {

    locationt l = p->current_location();

    INVARIANT(!l->is_end_function(), "No state after the last instruction");


    locationt n = std::next(l);


    auto step_return = p->step(

      n,

      *(storage->abstract_traces_before(n)),

      ai_history_baset::no_caller_history);

    // Caller history not needed as this is a local step


    return storage->abstract_state_before(step_return.second, *domain_factory);

  }


  virtual void clear()

  {

    storage->clear();

  }


  virtual void output(

    const namespacet &ns,

    const irep_idt &function_id,

    const goto_programt &goto_program,

    std::ostream &out) const;


  virtual void output(

    const namespacet &ns,

    const goto_functionst &goto_functions,

    std::ostream &out) const;


  void output(

    const goto_modelt &goto_model,

    std::ostream &out) const

  {

    const namespacet ns(goto_model.symbol_table);

    output(ns, goto_model.goto_functions, out);

  }


  void output(

    const namespacet &ns,

    const goto_functionst::goto_functiont &goto_function,

    std::ostream &out) const

  {

    output(ns, irep_idt(), goto_function.body, out);

  }


  virtual jsont output_json(

    const namespacet &ns,

    const goto_functionst &goto_functions) const;


  jsont output_json(

    const goto_modelt &goto_model) const

  {

    const namespacet ns(goto_model.symbol_table);

    return output_json(ns, goto_model.goto_functions);

  }


  jsont output_json(

    const namespacet &ns,

    const goto_programt &goto_program) const

  {

    return output_json(ns, irep_idt(), goto_program);

  }


  jsont output_json(

    const namespacet &ns,

    const goto_functionst::goto_functiont &goto_function) const

  {

    return output_json(ns, irep_idt(), goto_function.body);

  }


  virtual xmlt output_xml(

    const namespacet &ns,

    const goto_functionst &goto_functions) const;


  xmlt output_xml(

    const goto_modelt &goto_model) const

  {

    const namespacet ns(goto_model.symbol_table);

    return output_xml(ns, goto_model.goto_functions);

  }


  xmlt output_xml(

    const namespacet &ns,

    const goto_programt &goto_program) const

  {

    return output_xml(ns, irep_idt(), goto_program);

  }


  xmlt output_xml(

    const namespacet &ns,

    const goto_functionst::goto_functiont &goto_function) const

  {

    return output_xml(ns, irep_idt(), goto_function.body);

  }


protected:

  virtual void

  initialize(const irep_idt &function_id, const goto_programt &goto_program);


  virtual void initialize(

    const irep_idt &function_id,

    const goto_functionst::goto_functiont &goto_function);


  virtual void initialize(const goto_functionst &goto_functions);


  virtual void finalize();


  trace_ptrt entry_state(const goto_programt &goto_program);


  trace_ptrt entry_state(const goto_functionst &goto_functions);


  virtual jsont output_json(

    const namespacet &ns,

    const irep_idt &function_id,

    const goto_programt &goto_program) const;


  virtual xmlt output_xml(

    const namespacet &ns,

    const irep_idt &function_id,

    const goto_programt &goto_program) const;


  typedef trace_sett working_sett;


  trace_ptrt get_next(working_sett &working_set);


  void put_in_working_set(working_sett &working_set, trace_ptrt t)

  {

    working_set.insert(t);

  }


  virtual bool fixedpoint(

    trace_ptrt starting_trace,

    const irep_idt &function_id,

    const goto_programt &goto_program,

    const goto_functionst &goto_functions,

    const namespacet &ns);


  virtual void fixedpoint(

    trace_ptrt starting_trace,

    const goto_functionst &goto_functions,

    const namespacet &ns);


  virtual bool visit(

    const irep_idt &function_id,

    trace_ptrt p,

    working_sett &working_set,

    const goto_programt &goto_program,

    const goto_functionst &goto_functions,

    const namespacet &ns);


  // function calls and return are special cases

  // different kinds of analysis handle these differently so these are virtual

  // visit_function_call handles which function(s) to call,

  // while visit_edge_function_call handles a single call

  virtual bool visit_function_call(

    const irep_idt &function_id,

    trace_ptrt p_call,

    working_sett &working_set,

    const goto_programt &goto_program,

    const goto_functionst &goto_functions,

    const namespacet &ns);


  virtual bool visit_end_function(

    const irep_idt &function_id,

    trace_ptrt p,

    working_sett &working_set,

    const goto_programt &goto_program,

    const goto_functionst &goto_functions,

    const namespacet &ns);


  // The most basic step, computing one edge / transformer application.

  bool visit_edge(

    const irep_idt &function_id,

    trace_ptrt p,

    const irep_idt &to_function_id,

    locationt to_l,

    trace_ptrt caller_history,

    const namespacet &ns,

    working_sett &working_set);


  virtual bool visit_edge_function_call(

    const irep_idt &calling_function_id,

    trace_ptrt p_call,

    locationt l_return,

    const irep_idt &callee_function_id,

    working_sett &working_set,

    const goto_programt &callee,

    const goto_functionst &goto_functions,

    const namespacet &ns);


  std::unique_ptr<ai_history_factory_baset> history_factory;


  std::unique_ptr<ai_domain_factory_baset> domain_factory;


  virtual bool merge(const statet &src, trace_ptrt from, trace_ptrt to)

  {

    statet &dest = get_state(to);

    return domain_factory->merge(dest, src, from, to);

  }


  virtual std::unique_ptr<statet> make_temporary_state(const statet &s)

  {

    return domain_factory->copy(s);

  }


  // Domain and history storage

  std::unique_ptr<ai_storage_baset> storage;


  virtual statet &get_state(trace_ptrt p)

  {

    return storage->get_state(p, *domain_factory);

  }


  // Logging

  message_handlert &message_handler;

};


// Perform interprocedural analysis by simply recursing in the interpreter

// This can lead to a call stack overflow if the domain has a large height

class ai_recursive_interproceduralt : public ai_baset

{

public:

  ai_recursive_interproceduralt(

    std::unique_ptr<ai_history_factory_baset> &&hf,

    std::unique_ptr<ai_domain_factory_baset> &&df,

    std::unique_ptr<ai_storage_baset> &&st,

    message_handlert &mh)

    : ai_baset(std::move(hf), std::move(df), std::move(st), mh)

  {

  }


protected:

  // Override the function that handles a single function call edge

  bool visit_edge_function_call(

    const irep_idt &calling_function_id,

    trace_ptrt p_call,

    locationt l_return,

    const irep_idt &callee_function_id,

    working_sett &working_set,

    const goto_programt &callee,

    const goto_functionst &goto_functions,

    const namespacet &ns) override;

};


template <typename domainT>

class ait : public ai_recursive_interproceduralt

{

public:

  // constructor

  ait()

    : ai_recursive_interproceduralt(

        util_make_unique<

          ai_history_factory_default_constructort<ahistoricalt>>(),

        util_make_unique<ai_domain_factory_default_constructort<domainT>>(),

        util_make_unique<location_sensitive_storaget>(),

        no_logging)

  {

  }


  explicit ait(std::unique_ptr<ai_domain_factory_baset> &&df)

    : ai_recursive_interproceduralt(

        util_make_unique<

          ai_history_factory_default_constructort<ahistoricalt>>(),

        std::move(df),

        util_make_unique<location_sensitive_storaget>(),

        no_logging)

  {

  }


  typedef goto_programt::const_targett locationt;


  // The older interface for non-modifying access

  // Not recommended as it will throw an exception if a location has not

  // been reached in an analysis and there is no (other) way of telling

  // if a location has been reached.

  DEPRECATED(SINCE(2019, 08, 01, "use abstract_state_{before,after} instead"))

  const domainT &operator[](locationt l) const

  {

    auto p = storage->abstract_state_before(l, *domain_factory);


    if(p.use_count() == 1)

    {

      // Would be unsafe to return the dereferenced object

      throw std::out_of_range("failed to find state");

    }


    return static_cast<const domainT &>(*p);

  }


protected:

  // Support the legacy get_state interface which is needed for a few domains

  // This is one of the few users of the legacy get_state(locationt) method

  // in location_sensitive_storaget.

  DEPRECATED(SINCE(2019, 08, 01, "use get_state(trace_ptrt p) instead"))

  virtual statet &get_state(locationt l)

  {

    auto &s = dynamic_cast<location_sensitive_storaget &>(*storage);

    return s.get_state(l, *domain_factory);

  }


  using ai_baset::get_state;


private:

  void dummy(const domainT &s) { const statet &x=s; (void)x; }


  // To keep the old constructor interface we disable logging

  null_message_handlert no_logging;

};


template<typename domainT>

class concurrency_aware_ait:public ait<domainT>

{

public:

  using statet = typename ait<domainT>::statet;

  using locationt = typename statet::locationt;


  // constructor

  concurrency_aware_ait():ait<domainT>()

  {

  }

  explicit concurrency_aware_ait(std::unique_ptr<ai_domain_factory_baset> &&df)

    : ait<domainT>(std::move(df))

  {

  }


  virtual bool merge_shared(

    const statet &src,

    locationt from,

    locationt to,

    const namespacet &ns)

  {

    statet &dest=this->get_state(to);

    return static_cast<domainT &>(dest).merge_shared(

      static_cast<const domainT &>(src), from, to, ns);

  }


protected:

  using working_sett = ai_baset::working_sett;


  void fixedpoint(

    ai_baset::trace_ptrt start_trace,

    const goto_functionst &goto_functions,

    const namespacet &ns) override

  {

    ai_baset::fixedpoint(start_trace, goto_functions, ns);


    is_threadedt is_threaded(goto_functions);


    // construct an initial shared state collecting the results of all

    // functions

    goto_programt tmp;

    tmp.add_instruction();

    goto_programt::const_targett sh_target = tmp.instructions.begin();

    ai_baset::trace_ptrt target_hist =

      ai_baset::history_factory->epoch(sh_target);

    statet &shared_state = ait<domainT>::get_state(sh_target);


    struct wl_entryt

    {

      wl_entryt(

        const irep_idt &_function_id,

        const goto_programt &_goto_program,

        locationt _location)

        : function_id(_function_id),

          goto_program(&_goto_program),

          location(_location)

      {

      }


      irep_idt function_id;

      const goto_programt *goto_program;

      locationt location;

    };


    typedef std::list<wl_entryt> thread_wlt;

    thread_wlt thread_wl;


    for(const auto &gf_entry : goto_functions.function_map)

    {

      forall_goto_program_instructions(t_it, gf_entry.second.body)

      {

        if(is_threaded(t_it))

        {

          thread_wl.push_back(

            wl_entryt(gf_entry.first, gf_entry.second.body, t_it));


          goto_programt::const_targett l_end =

            gf_entry.second.body.instructions.end();

          --l_end;


          merge_shared(shared_state, l_end, sh_target, ns);

        }

      }

    }


    // now feed in the shared state into all concurrently executing

    // functions, and iterate until the shared state stabilizes

    bool new_shared = true;

    while(new_shared)

    {

      new_shared = false;


      for(const auto &wl_entry : thread_wl)

      {

        working_sett working_set;

        ai_baset::trace_ptrt t(

          ai_baset::history_factory->epoch(wl_entry.location));

        ai_baset::put_in_working_set(working_set, t);


        statet &begin_state = ait<domainT>::get_state(wl_entry.location);

        ait<domainT>::merge(begin_state, target_hist, t);


        while(!working_set.empty())

        {

          ai_baset::trace_ptrt p = ai_baset::get_next(working_set);

          goto_programt::const_targett l = p->current_location();


          ai_baset::visit(

            wl_entry.function_id,

            p,

            working_set,

            *(wl_entry.goto_program),

            goto_functions,

            ns);


          // the underlying domain must make sure that the final state

          // carries all possible values; otherwise we would need to

          // merge over each and every state

          if(l->is_end_function())

            new_shared |= merge_shared(shared_state, l, sh_target, ns);

        }

      }

    }

  }

};


#endif // CPROVER_ANALYSES_AI_H