CBMC
bmc_util.h
Go to the documentation of this file.
1 /*******************************************************************\
2 
3 Module: Bounded Model Checking Utilities
4 
5 Author: Daniel Kroening, Peter Schrammel
6 
7 \*******************************************************************/
8 
11 
12 #ifndef CPROVER_GOTO_CHECKER_BMC_UTIL_H
13 #define CPROVER_GOTO_CHECKER_BMC_UTIL_H
14 
15 #include <chrono>
16 #include <memory>
17 
18 #include <goto-symex/build_goto_trace.h>
19 
20 #include <goto-instrument/unwindset.h>
21 
22 #include "incremental_goto_checker.h"
23 #include "properties.h"
24 
25 class decision_proceduret;
26 class goto_symex_property_decidert;
27 class goto_tracet;
28 class memory_model_baset;
29 class message_handlert;
30 class namespacet;
31 class optionst;
32 class symex_bmct;
33 class symex_target_equationt;
34 struct trace_optionst;
35 class ui_message_handlert;
36 
37 void convert_symex_target_equation(
38  symex_target_equationt &equation,
39  decision_proceduret &decision_procedure,
40  message_handlert &message_handler);
41 
44 ssa_step_predicatet
45 ssa_step_matches_failing_property(const irep_idt &property_id);
46 
48 void message_building_error_trace(messaget &);
49 
50 void build_error_trace(
51  goto_tracet &,
52  const namespacet &,
53  const symex_target_equationt &,
54  const decision_proceduret &,
55  ui_message_handlert &);
56 
57 void output_error_trace(
58  const goto_tracet &,
59  const namespacet &,
60  const trace_optionst &,
61  ui_message_handlert &);
62 
63 void output_graphml(const goto_tracet &, const namespacet &, const optionst &);
64 void output_graphml(
65  const symex_target_equationt &,
66  const namespacet &,
67  const optionst &);
68 
69 std::unique_ptr<memory_model_baset>
70 get_memory_model(const optionst &options, const namespacet &);
71 
72 void setup_symex(
73  symex_bmct &,
74  const namespacet &,
75  const optionst &,
76  ui_message_handlert &);
77 
78 void slice(
79  symex_bmct &,
80  symex_target_equationt &symex_target_equation,
81  const namespacet &,
82  const optionst &,
83  ui_message_handlert &);
84 
89 void postprocess_equation(
90  symex_bmct &symex,
91  symex_target_equationt &equation,
92  const optionst &options,
93  const namespacet &ns,
94  ui_message_handlert &ui_message_handler);
95 
103 void output_coverage_report(
104  const std::string &cov_out,
105  const abstract_goto_modelt &goto_model,
106  const symex_bmct &symex,
107  ui_message_handlert &ui_message_handler);
108 
115 void update_properties_status_from_symex_target_equation(
116  propertiest &properties,
117  std::unordered_set<irep_idt> &updated_properties,
118  const symex_target_equationt &equation);
119 
126 void update_status_of_not_checked_properties(
127  propertiest &properties,
128  std::unordered_set<irep_idt> &updated_properties);
129 
136 void update_status_of_unknown_properties(
137  propertiest &properties,
138  std::unordered_set<irep_idt> &updated_properties);
139 
149 std::chrono::duration<double> prepare_property_decider(
150  propertiest &properties,
151  symex_target_equationt &equation,
152  goto_symex_property_decidert &property_decider,
153  ui_message_handlert &ui_message_handler);
154 
165 void run_property_decider(
166  incremental_goto_checkert::resultt &result,
167  propertiest &properties,
168  goto_symex_property_decidert &property_decider,
169  ui_message_handlert &ui_message_handler,
170  std::chrono::duration<double> solver_runtime,
171  bool set_pass = true);
172 
173 // clang-format off
174 #define OPT_BMC \
175  "(program-only)" \
176  "(show-byte-ops)" \
177  "(show-vcc)" \
178  "(show-goto-symex-steps)" \
179  "(show-points-to-sets)" \
180  "(slice-formula)" \
181  "(unwinding-assertions)" \
182  "(no-unwinding-assertions)" \
183  "(no-self-loops-to-assumptions)" \
184  "(partial-loops)" \
185  "(paths):" \
186  "(show-symex-strategies)" \
187  "(depth):" \
188  "(max-field-sensitivity-array-size):" \
189  "(no-array-field-sensitivity)" \
190  "(graphml-witness):" \
191  "(symex-complexity-limit):" \
192  "(symex-complexity-failed-child-loops-limit):" \
193  "(incremental-loop):" \
194  "(unwind-min):" \
195  "(unwind-max):" \
196  "(ignore-properties-before-unwind-min)" \
197  "(symex-cache-dereferences)" \
198  OPT_UNWINDSET \
199 
200 #define HELP_BMC \
201  " --paths [strategy] explore paths one at a time\n" \
202  " --show-symex-strategies list strategies for use with --paths\n" \
203  " --show-goto-symex-steps show which steps symex travels, includes\n" \
204  " diagnostic information\n" \
205  " --show-points-to-sets show points-to sets for\n" \
206  " pointer dereference. Requires --json-ui.\n" \
207  " --program-only only show program expression\n" \
208  " --show-byte-ops show all byte extracts and updates\n" \
209  " --depth nr limit search depth\n" \
210  " --max-field-sensitivity-array-size M\n" \
211  " maximum size M of arrays for which field\n" \
212  " sensitivity will be applied to array,\n" \
213  " the default is 64\n" \
214  " --no-array-field-sensitivity\n" \
215  " deactivate field sensitivity for arrays, " \
216  "this is\n" \
217  " equivalent to setting the maximum field \n" \
218  " sensitivity size for arrays to 0\n" \
219  HELP_UNWINDSET \
220  " --incremental-loop L check properties after each unwinding\n" \
221  " of loop L\n" \
222  " (use --show-loops to get the loop IDs)\n" \
223  " --unwind-min nr start incremental-loop after nr unwindings\n" \
224  " but before solving that iteration. If for\n" \
225  " example it is 1, then the loop will be\n" \
226  " unwound once, and immediately checked.\n" \
227  " Note: this means for min-unwind 1 or\n"\
228  " 0 all properties are checked.\n" \
229  " --unwind-max nr stop incremental-loop after nr unwindings\n" \
230  " --ignore-properties-before-unwind-min\n" \
231  " do not check properties before unwind-min\n" \
232  " when using incremental-loop\n" \
233  " --show-vcc show the verification conditions\n" \
234  " --slice-formula remove assignments unrelated to property\n" \
235  " --unwinding-assertions generate unwinding assertions (cannot be\n" \
236  " used with --cover)\n" \
237  " --partial-loops permit paths with partial loops\n" \
238  " --no-self-loops-to-assumptions\n" \
239  " do not simplify while(1){} to assume(0)\n" \
240  " --symex-complexity-limit N how complex (N) a path can become before\n" \
241  " symex abandons it. Currently uses guard\n" \
242  " size to calculate complexity. \n" \
243  " --symex-complexity-failed-child-loops-limit N\n" \
244  " how many child branches (N) in an\n" \
245  " iteration are allowed to fail due to\n" \
246  " complexity violations before the loop\n" \
247  " gets blacklisted\n" \
248  " --graphml-witness filename write the witness in GraphML format to filename\n" /* NOLINT(*) */ \
249  " --symex-cache-dereferences enable caching of repeated dereferences" \
250 // clang-format on
251 
252 #endif // CPROVER_GOTO_CHECKER_BMC_UTIL_H
messaget
Class that provides messages with a built-in verbosity 'level'.
Definition: message.h:154
output_coverage_report
void output_coverage_report(const std::string &cov_out, const abstract_goto_modelt &goto_model, const symex_bmct &symex, ui_message_handlert &ui_message_handler)
Output a coverage report as generated by symex_coveraget if cov_out is non-empty.
Definition: bmc_util.cpp:307
dstringt
dstringt has one field, an unsigned integer no which is an index into a static table of strings.
Definition: dstring.h:36
ssa_step_matches_failing_property
ssa_step_predicatet ssa_step_matches_failing_property(const irep_idt &property_id)
Returns a function that checks whether an SSA step is an assertion with property_id.
Definition: bmc_util.cpp:55
convert_symex_target_equation
void convert_symex_target_equation(symex_target_equationt &equation, decision_proceduret &decision_procedure, message_handlert &message_handler)
Definition: bmc_util.cpp:151
slice
void slice(symex_bmct &, symex_target_equationt &symex_target_equation, const namespacet &, const optionst &, ui_message_handlert &)
Definition: bmc_util.cpp:199
ui_message_handlert
Definition: ui_message.h:21
ssa_step_predicatet
std::function< bool(symex_target_equationt::SSA_stepst::const_iterator, const decision_proceduret &)> ssa_step_predicatet
Definition: build_goto_trace.h:48
incremental_goto_checkert::resultt
Definition: incremental_goto_checker.h:42
optionst
Definition: options.h:22
decision_proceduret
Definition: decision_procedure.h:20
propertiest
std::map< irep_idt, property_infot > propertiest
A map of property IDs to property infos.
Definition: properties.h:76
build_error_trace
void build_error_trace(goto_tracet &, const namespacet &, const symex_target_equationt &, const decision_proceduret &, ui_message_handlert &)
Definition: bmc_util.cpp:41
incremental_goto_checker.h
memory_model_baset
Definition: memory_model.h:17
namespacet
A namespacet is essentially one or two symbol tables bound together, to allow for symbol lookups in t...
Definition: namespace.h:90
update_status_of_unknown_properties
void update_status_of_unknown_properties(propertiest &properties, std::unordered_set< irep_idt > &updated_properties)
Sets the property status of UNKNOWN properties to PASS.
Definition: bmc_util.cpp:291
message_building_error_trace
void message_building_error_trace(messaget &)
Outputs a message that an error trace is being built.
Definition: bmc_util.cpp:36
output_error_trace
void output_error_trace(const goto_tracet &, const namespacet &, const trace_optionst &, ui_message_handlert &)
Definition: bmc_util.cpp:65
message_handlert
Definition: message.h:27
setup_symex
void setup_symex(symex_bmct &, const namespacet &, const optionst &, ui_message_handlert &)
Definition: bmc_util.cpp:179
update_properties_status_from_symex_target_equation
void update_properties_status_from_symex_target_equation(propertiest &properties, std::unordered_set< irep_idt > &updated_properties, const symex_target_equationt &equation)
Sets property status to PASS for properties whose conditions are constant true in the equation.
Definition: bmc_util.cpp:239
symex_target_equationt
Inheriting the interface of symex_targett this class represents the SSA form of the input program as ...
Definition: symex_target_equation.h:33
trace_optionst
Options for printing the trace using show_goto_trace.
Definition: goto_trace.h:218
build_goto_trace.h
goto_tracet
Trace of a GOTO program.
Definition: goto_trace.h:174
goto_symex_property_decidert
Provides management of goal variables that encode properties.
Definition: goto_symex_property_decider.h:23
abstract_goto_modelt
Abstract interface to eager or lazy GOTO models.
Definition: abstract_goto_model.h:20
symex_bmct
Definition: symex_bmc.h:23
update_status_of_not_checked_properties
void update_status_of_not_checked_properties(propertiest &properties, std::unordered_set< irep_idt > &updated_properties)
Sets the property status of NOT_CHECKED properties to PASS.
Definition: bmc_util.cpp:275
prepare_property_decider
std::chrono::duration< double > prepare_property_decider(propertiest &properties, symex_target_equationt &equation, goto_symex_property_decidert &property_decider, ui_message_handlert &ui_message_handler)
Converts the equation and sets up the property decider, but does not call solve.
Definition: bmc_util.cpp:358
properties.h
unwindset.h
get_memory_model
std::unique_ptr< memory_model_baset > get_memory_model(const optionst &options, const namespacet &)
Definition: bmc_util.cpp:163
output_graphml
void output_graphml(const goto_tracet &, const namespacet &, const optionst &)
outputs an error witness in graphml format
Definition: bmc_util.cpp:108
postprocess_equation
void postprocess_equation(symex_bmct &symex, symex_target_equationt &equation, const optionst &options, const namespacet &ns, ui_message_handlert &ui_message_handler)
Post process the equation.
Definition: bmc_util.cpp:323
ui_message_handlert::message_handler
message_handlert * message_handler
Definition: ui_message.h:49
run_property_decider
void run_property_decider(incremental_goto_checkert::resultt &result, propertiest &properties, goto_symex_property_decidert &property_decider, ui_message_handlert &ui_message_handler, std::chrono::duration< double > solver_runtime, bool set_pass=true)
Runs the property decider to solve the equation.
Definition: bmc_util.cpp:382