CBMC
goto_symex.h
Go to the documentation of this file.
1 /*******************************************************************\
2 
3 Module: Symbolic Execution
4 
5 Author: Daniel Kroening, kroening@kroening.com
6 
7 \*******************************************************************/
8 
11 
12 #ifndef CPROVER_GOTO_SYMEX_GOTO_SYMEX_H
13 #define CPROVER_GOTO_SYMEX_GOTO_SYMEX_H
14 
15 #include <util/message.h>
16 
17 #include "complexity_limiter.h"
18 #include "symex_config.h"
19 
20 class address_of_exprt;
21 class code_function_callt;
22 class function_application_exprt;
23 class goto_symex_statet;
24 class path_storaget;
25 class side_effect_exprt;
26 class symex_assignt;
27 class typet;
28 
34 class goto_symext
35 {
36 public:
38  typedef goto_symex_statet statet;
39 
49  goto_symext(
50  message_handlert &mh,
51  const symbol_tablet &outer_symbol_table,
52  symex_target_equationt &_target,
53  const optionst &options,
54  path_storaget &path_storage,
55  guard_managert &guard_manager)
56  : should_pause_symex(false),
57  symex_config(options),
58  outer_symbol_table(outer_symbol_table),
59  ns(outer_symbol_table),
60  guard_manager(guard_manager),
61  target(_target),
62  atomic_section_counter(0),
63  log(mh),
64  path_storage(path_storage),
65  path_segment_vccs(0),
66  _total_vccs(std::numeric_limits<unsigned>::max()),
67  _remaining_vccs(std::numeric_limits<unsigned>::max()),
68  complexity_module(mh, options)
69  {
70  }
71 
73  virtual ~goto_symext() = default;
74 
80  typedef
81  std::function<const goto_functionst::goto_functiont &(const irep_idt &)>
82  get_goto_functiont;
83 
91  static get_goto_functiont get_goto_function(abstract_goto_modelt &goto_model);
92 
103  virtual void symex_from_entry_point_of(
104  const get_goto_functiont &get_goto_function,
105  symbol_tablet &new_symbol_table);
106 
108  virtual void initialize_path_storage_from_entry_point_of(
109  const get_goto_functiont &get_goto_function,
110  symbol_tablet &new_symbol_table);
111 
122  virtual void resume_symex_from_saved_state(
123  const get_goto_functiont &get_goto_function,
124  const statet &saved_state,
125  symex_target_equationt *saved_equation,
126  symbol_tablet &new_symbol_table);
127 
140  virtual void symex_with_state(
141  statet &state,
142  const get_goto_functiont &get_goto_functions,
143  symbol_tablet &new_symbol_table);
144 
152  bool should_pause_symex;
153 
156  bool ignore_assertions = false;
157 
166  virtual bool check_break(const irep_idt &loop_id, unsigned unwind);
167 
168 protected:
170  const symex_configt symex_config;
171 
176  std::unique_ptr<statet>
177  initialize_entry_point_state(const get_goto_functiont &get_goto_function);
178 
184  void symex_threaded_step(
185  statet &state,
186  const get_goto_functiont &get_goto_function);
187 
195  virtual void
196  symex_step(const get_goto_functiont &get_goto_function, statet &state);
197 
206  void execute_next_instruction(
207  const get_goto_functiont &get_goto_function,
208  statet &state);
209 
213  void kill_instruction_local_symbols(statet &state);
214 
217  void print_symex_step(statet &state);
218 
219  messaget::mstreamt &
220  print_callstack_entry(const symex_targett::sourcet &target);
221 
222 public:
223 
226  irep_idt language_mode;
227 
228 protected:
234  const symbol_tablet &outer_symbol_table;
235 
243  namespacet ns;
244 
248  guard_managert &guard_manager;
249 
251  symex_target_equationt &target;
252 
255  unsigned atomic_section_counter;
256 
260  std::vector<symbol_exprt> instruction_local_symbols;
261 
263  mutable messaget log;
264 
265  friend class symex_dereference_statet;
266 
276  exprt clean_expr(exprt expr, statet &state, bool write);
277 
278  void trigger_auto_object(const exprt &, statet &);
279  void initialize_auto_object(const exprt &, statet &);
280 
285  void process_array_expr(statet &, exprt &);
286  exprt make_auto_object(const typet &, statet &);
287  virtual void dereference(exprt &, statet &, bool write);
288 
289  symbol_exprt cache_dereference(exprt &dereference_result, statet &state);
290  void dereference_rec(
291  exprt &expr,
292  statet &state,
293  bool write,
294  bool is_in_quantifier);
295  exprt address_arithmetic(
296  const exprt &,
297  statet &,
298  bool keep_array);
299 
302  virtual void symex_goto(statet &state);
305  void symex_unreachable_goto(statet &state);
309  void symex_set_return_value(statet &state, const exprt &return_value);
312  virtual void symex_start_thread(statet &state);
315  virtual void symex_atomic_begin(statet &state);
318  virtual void symex_atomic_end(statet &state);
321  virtual void symex_decl(statet &state);
326  virtual void symex_decl(statet &state, const symbol_exprt &expr);
329  virtual void symex_dead(statet &state);
333  void symex_dead(statet &state, const symbol_exprt &symbol_expr);
336  virtual void symex_other(statet &state);
337 
338  void symex_assert(const goto_programt::instructiont &, statet &);
339 
349  void apply_goto_condition(
350  goto_symex_statet &current_state,
351  goto_statet &jump_taken_state,
352  goto_statet &jump_not_taken_state,
353  const exprt &original_guard,
354  const exprt &new_guard,
355  const namespacet &ns);
356 
372  void try_filter_value_sets(
373  goto_symex_statet &state,
374  exprt condition,
375  const value_sett &original_value_set,
376  value_sett *jump_taken_value_set,
377  value_sett *jump_not_taken_value_set,
378  const namespacet &ns);
379 
380  virtual void vcc(
381  const exprt &,
382  const std::string &msg,
383  statet &);
384 
389  virtual void symex_assume(statet &state, const exprt &cond);
390  void symex_assume_l2(statet &, const exprt &cond);
391 
396  void merge_gotos(statet &state);
397 
404  virtual void merge_goto(
405  const symex_targett::sourcet &source,
406  goto_statet &&goto_state,
407  statet &state);
408 
412  void phi_function(const goto_statet &goto_state, statet &dest_state);
413 
419  virtual bool should_stop_unwind(
420  const symex_targett::sourcet &source,
421  const call_stackt &context,
422  unsigned unwind);
423 
424  virtual void loop_bound_exceeded(statet &state, const exprt &guard);
425 
428  virtual void no_body(const irep_idt &identifier)
429  {
430  }
431 
439  virtual void symex_function_call(
440  const get_goto_functiont &get_goto_function,
441  statet &state,
442  const goto_programt::instructiont &instruction);
443 
446  virtual void symex_end_of_function(statet &);
447 
455  virtual void symex_function_call_symbol(
456  const get_goto_functiont &get_goto_function,
457  statet &state,
458  const exprt &lhs,
459  const symbol_exprt &function,
460  const exprt::operandst &arguments);
461 
474  virtual void symex_function_call_post_clean(
475  const get_goto_functiont &get_goto_function,
476  statet &state,
477  const exprt &cleaned_lhs,
478  const symbol_exprt &function,
479  const exprt::operandst &cleaned_arguments);
480 
481  virtual bool get_unwind_recursion(
482  const irep_idt &identifier,
483  unsigned thread_nr,
484  unsigned unwind);
485 
492  void parameter_assignments(
493  const irep_idt &function_identifier,
494  const goto_functionst::goto_functiont &goto_function,
495  statet &state,
496  const exprt::operandst &arguments);
497 
498  // exceptions
501  void symex_throw(statet &state);
504  void symex_catch(statet &state);
505 
506  virtual void do_simplify(exprt &expr);
507 
513  void symex_assign(statet &state, const exprt &lhs, const exprt &rhs);
514 
523  bool constant_propagate_assignment_with_side_effects(
524  statet &state,
525  symex_assignt &symex_assign,
526  const exprt &lhs,
527  const exprt &rhs);
528 
535  void constant_propagate_empty_string(
536  statet &state,
537  symex_assignt &symex_assign,
538  const function_application_exprt &f_l1);
539 
548  bool constant_propagate_string_concat(
549  statet &state,
550  symex_assignt &symex_assign,
551  const function_application_exprt &f_l1);
552 
561  bool constant_propagate_string_substring(
562  statet &state,
563  symex_assignt &symex_assign,
564  const function_application_exprt &f_l1);
565 
574  bool constant_propagate_integer_to_string(
575  statet &state,
576  symex_assignt &symex_assign,
577  const function_application_exprt &f_l1);
578 
587  bool constant_propagate_delete_char_at(
588  statet &state,
589  symex_assignt &symex_assign,
590  const function_application_exprt &f_l1);
591 
600  bool constant_propagate_delete(
601  statet &state,
602  symex_assignt &symex_assign,
603  const function_application_exprt &f_l1);
604 
618  bool constant_propagate_set_length(
619  statet &state,
620  symex_assignt &symex_assign,
621  const function_application_exprt &f_l1);
622 
631  bool constant_propagate_set_char_at(
632  statet &state,
633  symex_assignt &symex_assign,
634  const function_application_exprt &f_l1);
635 
637  bool constant_propagate_trim(
638  statet &state,
639  symex_assignt &symex_assign,
640  const function_application_exprt &f_l1);
641 
643  bool constant_propagate_case_change(
644  statet &state,
645  symex_assignt &symex_assign,
646  const function_application_exprt &f_l1,
647  bool to_upper);
648 
650  bool constant_propagate_replace(
651  statet &state,
652  symex_assignt &symex_assign,
653  const function_application_exprt &f_l1);
654 
675  void assign_string_constant(
676  statet &state,
677  symex_assignt &symex_assign,
678  const ssa_exprt &length,
679  const constant_exprt &new_length,
680  const ssa_exprt &char_array,
681  const array_exprt &new_char_array);
682 
691  const symbolt &get_new_string_data_symbol(
692  statet &state,
693  symex_assignt &symex_assign,
694  const std::string &aux_symbol_name,
695  const ssa_exprt &char_array,
696  const array_exprt &new_char_array);
697 
708  void associate_array_to_pointer(
709  statet &state,
710  symex_assignt &symex_assign,
711  const array_exprt &new_char_array,
712  const address_of_exprt &string_data);
713 
714  optionalt<std::reference_wrapper<const array_exprt>>
715  try_evaluate_constant_string(const statet &state, const exprt &content);
716 
717  // clang-format off
718  static optionalt<std::reference_wrapper<const constant_exprt>>
719  try_evaluate_constant(
720  const statet &state,
721  const exprt &expr);
722  // clang-format on
723 
724  // havocs the given object
725  void havoc_rec(statet &state, const guardt &guard, const exprt &dest);
726 
727  typedef symex_targett::assignment_typet assignment_typet;
728 
734  void lift_lets(statet &, exprt &);
735 
740  void lift_let(statet &state, const let_exprt &let_expr);
741 
742  virtual void
743  symex_va_start(statet &, const exprt &lhs, const side_effect_exprt &);
744 
750  virtual void symex_allocate(
751  statet &state,
752  const exprt &lhs,
753  const side_effect_exprt &code);
757  virtual void symex_cpp_delete(statet &state, const codet &code);
763  virtual void
764  symex_cpp_new(statet &state, const exprt &lhs, const side_effect_exprt &code);
765 
769  virtual void symex_printf(statet &state, const exprt &rhs);
773  virtual void symex_input(statet &state, const codet &code);
777  virtual void symex_output(statet &state, const codet &code);
778 
780  static unsigned dynamic_counter;
781 
782  void rewrite_quantifiers(exprt &, statet &);
783 
788  path_storaget &path_storage;
789 
790 public:
800  std::size_t path_segment_vccs;
801 
802 protected:
810 
811  unsigned _total_vccs, _remaining_vccs;
813 
814  complexity_limitert complexity_module;
815 
816 public:
817  unsigned get_total_vccs() const
818  {
819  INVARIANT(
820  _total_vccs != std::numeric_limits<unsigned>::max(),
821  "symex_threaded_step should have been executed at least once before "
822  "attempting to read total_vccs");
823  return _total_vccs;
824  }
825 
826  unsigned get_remaining_vccs() const
827  {
828  INVARIANT(
829  _remaining_vccs != std::numeric_limits<unsigned>::max(),
830  "symex_threaded_step should have been executed at least once before "
831  "attempting to read remaining_vccs");
832  return _remaining_vccs;
833  }
834 
835  void validate(const validation_modet vm) const
836  {
837  target.validate(ns, vm);
838  }
839 };
840 
847 void symex_transition(goto_symext::statet &state);
848 
849 void symex_transition(
850  goto_symext::statet &,
851  goto_programt::const_targett to,
852  bool is_backwards_goto);
853 
864 renamedt<exprt, L2> try_evaluate_pointer_comparisons(
865  renamedt<exprt, L2> condition,
866  const value_sett &value_set,
867  const irep_idt &language_mode,
868  const namespacet &ns);
869 
870 #endif // CPROVER_GOTO_SYMEX_GOTO_SYMEX_H
messaget
Class that provides messages with a built-in verbosity 'level'.
Definition: message.h:154
goto_symext::symex_with_state
virtual void symex_with_state(statet &state, const get_goto_functiont &get_goto_functions, symbol_tablet &new_symbol_table)
Symbolically execute the entire program starting from entry point.
Definition: symex_main.cpp:324
guard_exprt
Definition: guard_expr.h:23
goto_symext::clean_expr
exprt clean_expr(exprt expr, statet &state, bool write)
Clean up an expression.
Definition: symex_clean_expr.cpp:227
dstringt
dstringt has one field, an unsigned integer no which is an index into a static table of strings.
Definition: dstring.h:36
symex_targett::assignment_typet
assignment_typet
Definition: symex_target.h:68
goto_symext::cache_dereference
symbol_exprt cache_dereference(exprt &dereference_result, statet &state)
Definition: symex_dereference.cpp:197
goto_symext::symex_step
virtual void symex_step(const get_goto_functiont &get_goto_function, statet &state)
Called for each step in the symbolic execution This calls print_symex_step to print symex's current i...
Definition: symex_main.cpp:592
symbol_tablet
The symbol table.
Definition: symbol_table.h:13
goto_symext::symex_assume_l2
void symex_assume_l2(statet &, const exprt &cond)
Definition: symex_main.cpp:220
symex_dereference_statet::state
goto_symext::statet & state
Definition: symex_dereference_state.h:34
goto_symext::instruction_local_symbols
std::vector< symbol_exprt > instruction_local_symbols
Variables that should be killed at the end of the current symex_step invocation.
Definition: goto_symex.h:260
goto_symext::symex_unreachable_goto
void symex_unreachable_goto(statet &state)
Symbolically execute a GOTO instruction in the context of unreachable code.
Definition: symex_goto.cpp:544
symex_configt
Configuration used for a symbolic execution.
Definition: symex_config.h:16
goto_symext::kill_instruction_local_symbols
void kill_instruction_local_symbols(statet &state)
Kills any variables in instruction_local_symbols (these are currently always let-bound variables defi...
Definition: symex_main.cpp:745
goto_symext::dynamic_counter
static unsigned dynamic_counter
A monotonically increasing index for each created dynamic object.
Definition: goto_symex.h:780
goto_symext::try_filter_value_sets
void try_filter_value_sets(goto_symex_statet &state, exprt condition, const value_sett &original_value_set, value_sett *jump_taken_value_set, value_sett *jump_not_taken_value_set, const namespacet &ns)
Try to filter value sets based on whether possible values of a pointer-typed symbol make the conditio...
Definition: symex_main.cpp:781
optionst
Definition: options.h:22
goto_symext::try_evaluate_constant_string
optionalt< std::reference_wrapper< const array_exprt > > try_evaluate_constant_string(const statet &state, const exprt &content)
Definition: goto_symex.cpp:345
typet
The type of an expression, extends irept.
Definition: type.h:28
goto_symext::address_arithmetic
exprt address_arithmetic(const exprt &, statet &, bool keep_array)
Transforms an lvalue expression by replacing any dereference operations it contains with explicit ref...
Definition: symex_dereference.cpp:43
goto_symext::symex_printf
virtual void symex_printf(statet &state, const exprt &rhs)
Symbolically execute an OTHER instruction that does a CPP printf
Definition: symex_builtin_functions.cpp:369
goto_symext::constant_propagate_case_change
bool constant_propagate_case_change(statet &state, symex_assignt &symex_assign, const function_application_exprt &f_l1, bool to_upper)
Attempt to constant propagate case changes, both upper and lower.
Definition: goto_symex.cpp:947
goto_symext::constant_propagate_delete
bool constant_propagate_delete(statet &state, symex_assignt &symex_assign, const function_application_exprt &f_l1)
Attempt to constant propagate deleting a substring from a string.
Definition: goto_symex.cpp:702
goto_symext::target
symex_target_equationt & target
The equation that this execution is building up.
Definition: goto_symex.h:251
goto_symext::resume_symex_from_saved_state
virtual void resume_symex_from_saved_state(const get_goto_functiont &get_goto_function, const statet &saved_state, symex_target_equationt *saved_equation, symbol_tablet &new_symbol_table)
Performs symbolic execution using a state and equation that have already been used to symbolically ex...
Definition: symex_main.cpp:381
path_storaget
Storage for symbolic execution paths to be resumed later.
Definition: path_storage.h:37
goto_symext::path_storage
path_storaget & path_storage
Symbolic execution paths to be resumed later.
Definition: goto_symex.h:788
goto_symex_statet
Central data structure: state.
Definition: goto_symex_state.h:41
goto_symext::constant_propagate_trim
bool constant_propagate_trim(statet &state, symex_assignt &symex_assign, const function_application_exprt &f_l1)
Attempt to constant propagate trim operations.
Definition: goto_symex.cpp:1117
goto_symext::ignore_assertions
bool ignore_assertions
If this flag is set to true then assertions will be temporarily ignored by the symbolic executions.
Definition: goto_symex.h:156
goto_symext::guard_manager
guard_managert & guard_manager
Used to create guards.
Definition: goto_symex.h:248
goto_symext::constant_propagate_set_char_at
bool constant_propagate_set_char_at(statet &state, symex_assignt &symex_assign, const function_application_exprt &f_l1)
Attempt to constant propagate setting the char at the given index.
Definition: goto_symex.cpp:877
goto_symext::symex_function_call_post_clean
virtual void symex_function_call_post_clean(const get_goto_functiont &get_goto_function, statet &state, const exprt &cleaned_lhs, const symbol_exprt &function, const exprt::operandst &cleaned_arguments)
Symbolic execution of a function call by inlining.
Definition: symex_function_call.cpp:221
goto_symext::symex_cpp_new
virtual void symex_cpp_new(statet &state, const exprt &lhs, const side_effect_exprt &code)
Handles side effects of type 'new' for C++ and 'new array' for C++ and Java language modes.
Definition: symex_builtin_functions.cpp:468
goto_symext::get_new_string_data_symbol
const symbolt & get_new_string_data_symbol(statet &state, symex_assignt &symex_assign, const std::string &aux_symbol_name, const ssa_exprt &char_array, const array_exprt &new_char_array)
Installs a new symbol in the symbol table to represent the given character array, and assigns the cha...
Definition: goto_symex.cpp:281
goto_symext::initialize_path_storage_from_entry_point_of
virtual void initialize_path_storage_from_entry_point_of(const get_goto_functiont &get_goto_function, symbol_tablet &new_symbol_table)
Puts the initial state of the entry point function into the path storage.
Definition: symex_main.cpp:479
goto_symext::statet
goto_symex_statet statet
A type abbreviation for goto_symex_statet.
Definition: goto_symex.h:38
value_sett
State type in value_set_domaint, used in value-set analysis and goto-symex.
Definition: value_set.h:42
exprt
Base class for all expressions.
Definition: expr.h:55
goto_symext::merge_gotos
void merge_gotos(statet &state)
Merge all branches joining at the current program point.
Definition: symex_goto.cpp:623
goto_symext::constant_propagate_delete_char_at
bool constant_propagate_delete_char_at(statet &state, symex_assignt &symex_assign, const function_application_exprt &f_l1)
Attempt to constant propagate deleting a character from a string.
Definition: goto_symex.cpp:629
goto_symext::lift_let
void lift_let(statet &state, const let_exprt &let_expr)
Execute a single let expression, which should not have any nested let expressions (use lift_lets inst...
Definition: symex_clean_expr.cpp:179
symex_assignt
Functor for symex assignment.
Definition: symex_assign.h:25
goto_symext::symex_dead
virtual void symex_dead(statet &state)
Symbolically execute a DEAD instruction.
Definition: symex_dead.cpp:16
goto_symext::symex_catch
void symex_catch(statet &state)
Symbolically execute a CATCH instruction.
Definition: symex_catch.cpp:14
goto_symext::trigger_auto_object
void trigger_auto_object(const exprt &, statet &)
Definition: auto_objects.cpp:77
symbol_exprt
Expression to hold a symbol (variable)
Definition: std_expr.h:112
call_stackt
Definition: call_stack.h:14
goto_symext::complexity_module
complexity_limitert complexity_module
Definition: goto_symex.h:814
goto_symext::symex_throw
void symex_throw(statet &state)
Symbolically execute a THROW instruction.
Definition: symex_throw.cpp:14
goto_symext::initialize_entry_point_state
std::unique_ptr< statet > initialize_entry_point_state(const get_goto_functiont &get_goto_function)
Initialize the symbolic execution and the given state with the beginning of the entry point function.
Definition: symex_main.cpp:403
goto_symext::should_stop_unwind
virtual bool should_stop_unwind(const symex_targett::sourcet &source, const call_stackt &context, unsigned unwind)
Determine whether to unwind a loop.
Definition: symex_goto.cpp:955
goto_symext::get_unwind_recursion
virtual bool get_unwind_recursion(const irep_idt &identifier, unsigned thread_nr, unsigned unwind)
Definition: symex_function_call.cpp:35
goto_symext::assign_string_constant
void assign_string_constant(statet &state, symex_assignt &symex_assign, const ssa_exprt &length, const constant_exprt &new_length, const ssa_exprt &char_array, const array_exprt &new_char_array)
Assign constant string length and string data given by a char array to given ssa variables.
Definition: goto_symex.cpp:237
goto_symext::path_segment_vccs
std::size_t path_segment_vccs
Number of VCCs generated during the run of this goto_symext object.
Definition: goto_symex.h:800
goto_symext::log
messaget log
The messaget to write log messages to.
Definition: goto_symex.h:263
ssa_exprt
Expression providing an SSA-renamed symbol of expressions.
Definition: ssa_expr.h:16
namespacet
A namespacet is essentially one or two symbol tables bound together, to allow for symbol lookups in t...
Definition: namespace.h:90
guard_expr_managert
This is unused by this implementation of guards, but can be used by other implementations of the same...
Definition: guard_expr.h:19
code_function_callt
goto_instruction_codet representation of a function call statement.
Definition: goto_instruction_code.h:271
goto_symext::symex_atomic_end
virtual void symex_atomic_end(statet &state)
Symbolically execute an ATOMIC_END instruction.
Definition: symex_atomic_section.cpp:36
goto_symext::associate_array_to_pointer
void associate_array_to_pointer(statet &state, symex_assignt &symex_assign, const array_exprt &new_char_array, const address_of_exprt &string_data)
Generate array to pointer association primitive.
Definition: goto_symex.cpp:317
goto_symext::parameter_assignments
void parameter_assignments(const irep_idt &function_identifier, const goto_functionst::goto_functiont &goto_function, statet &state, const exprt::operandst &arguments)
Iterates over arguments and assigns them to the parameters, which are symbols whose name and type are...
Definition: symex_function_call.cpp:40
goto_symext::merge_goto
virtual void merge_goto(const symex_targett::sourcet &source, goto_statet &&goto_state, statet &state)
Merge a single branch, the symbolic state of which is held in goto_state, into the current overall sy...
Definition: symex_goto.cpp:678
goto_symext::constant_propagate_string_concat
bool constant_propagate_string_concat(statet &state, symex_assignt &symex_assign, const function_application_exprt &f_l1)
Attempt to constant propagate string concatenation.
Definition: goto_symex.cpp:413
goto_symext::constant_propagate_integer_to_string
bool constant_propagate_integer_to_string(statet &state, symex_assignt &symex_assign, const function_application_exprt &f_l1)
Attempt to constant propagate converting an integer to a string.
Definition: goto_symex.cpp:550
goto_symext::outer_symbol_table
const symbol_tablet & outer_symbol_table
The symbol table associated with the goto-program being executed.
Definition: goto_symex.h:234
goto_symext::process_array_expr
void process_array_expr(statet &, exprt &)
Given an expression, find the root object and the offset into it.
Definition: symex_clean_expr.cpp:130
goto_symext::dereference
virtual void dereference(exprt &, statet &, bool write)
Replace all dereference operations within expr with explicit references to the objects they may refer...
Definition: symex_dereference.cpp:475
goto_symext::symex_goto
virtual void symex_goto(statet &state)
Symbolically execute a GOTO instruction.
Definition: symex_goto.cpp:230
goto_symext::symex_function_call_symbol
virtual void symex_function_call_symbol(const get_goto_functiont &get_goto_function, statet &state, const exprt &lhs, const symbol_exprt &function, const exprt::operandst &arguments)
Symbolic execution of a call to a function call.
Definition: symex_function_call.cpp:194
goto_symext::symex_cpp_delete
virtual void symex_cpp_delete(statet &state, const codet &code)
Symbolically execute an OTHER instruction that does a CPP delete
Definition: symex_builtin_functions.cpp:531
goto_symext::constant_propagate_empty_string
void constant_propagate_empty_string(statet &state, symex_assignt &symex_assign, const function_application_exprt &f_l1)
Create an empty string constant.
Definition: goto_symex.cpp:385
goto_symext::constant_propagate_string_substring
bool constant_propagate_string_substring(statet &state, symex_assignt &symex_assign, const function_application_exprt &f_l1)
Attempt to constant propagate getting a substring of a string.
Definition: goto_symex.cpp:463
goto_symext::symex_decl
virtual void symex_decl(statet &state)
Symbolically execute a DECL instruction.
Definition: symex_decl.cpp:18
goto_symext::_remaining_vccs
unsigned _remaining_vccs
Definition: goto_symex.h:811
goto_symext::constant_propagate_set_length
bool constant_propagate_set_length(statet &state, symex_assignt &symex_assign, const function_application_exprt &f_l1)
Attempt to constant propagate setting the length of a string.
Definition: goto_symex.cpp:796
goto_symext::symex_allocate
virtual void symex_allocate(statet &state, const exprt &lhs, const side_effect_exprt &code)
Symbolically execute an assignment instruction that has an allocate on the right hand side.
Definition: symex_builtin_functions.cpp:49
goto_symext::initialize_auto_object
void initialize_auto_object(const exprt &, statet &)
Definition: auto_objects.cpp:38
goto_symext::symex_va_start
virtual void symex_va_start(statet &, const exprt &lhs, const side_effect_exprt &)
Definition: symex_builtin_functions.cpp:249
goto_symext::symex_from_entry_point_of
virtual void symex_from_entry_point_of(const get_goto_functiont &get_goto_function, symbol_tablet &new_symbol_table)
Symbolically execute the entire program starting from entry point.
Definition: symex_main.cpp:470
goto_symext::validate
void validate(const validation_modet vm) const
Definition: goto_symex.h:835
goto_symext::dereference_rec
void dereference_rec(exprt &expr, statet &state, bool write, bool is_in_quantifier)
If expr is a dereference_exprt, replace it with explicit references to the objects it may point to.
Definition: symex_dereference.cpp:257
symex_dereference_statet::ns
const namespacet & ns
Definition: symex_dereference_state.h:35
goto_symext
The main class for the forward symbolic simulator.
Definition: goto_symex.h:34
symex_dereference_statet
Callback object that goto_symext::dereference_rec provides to value_set_dereferencet to provide value...
Definition: symex_dereference_state.h:24
goto_symext::phi_function
void phi_function(const goto_statet &goto_state, statet &dest_state)
Merge the SSA assignments from goto_state into dest_state.
Definition: symex_goto.cpp:859
goto_symext::symex_input
virtual void symex_input(statet &state, const codet &code)
Symbolically execute an OTHER instruction that does a CPP input.
Definition: symex_builtin_functions.cpp:424
goto_symext::symex_end_of_function
virtual void symex_end_of_function(statet &)
Symbolically execute a END_FUNCTION instruction.
Definition: symex_function_call.cpp:424
function_application_exprt
Application of (mathematical) function.
Definition: mathematical_expr.h:196
goto_symext::make_auto_object
exprt make_auto_object(const typet &, statet &)
Definition: auto_objects.cpp:20
goto_symext::goto_symext
goto_symext(message_handlert &mh, const symbol_tablet &outer_symbol_table, symex_target_equationt &_target, const optionst &options, path_storaget &path_storage, guard_managert &guard_manager)
Construct a goto_symext to execute a particular program.
Definition: goto_symex.h:49
validation_modet
validation_modet
Definition: validation_mode.h:12
message_handlert
Definition: message.h:27
exprt::operandst
std::vector< exprt > operandst
Definition: expr.h:58
optionalt
nonstd::optional< T > optionalt
Definition: optional.h:35
goto_symext::do_simplify
virtual void do_simplify(exprt &expr)
Definition: goto_symex.cpp:34
goto_symext::symex_threaded_step
void symex_threaded_step(statet &state, const get_goto_functiont &get_goto_function)
Invokes symex_step and verifies whether additional threads can be executed.
Definition: symex_main.cpp:300
goto_symext::symex_function_call
virtual void symex_function_call(const get_goto_functiont &get_goto_function, statet &state, const goto_programt::instructiont &instruction)
Symbolically execute a FUNCTION_CALL instruction.
Definition: symex_function_call.cpp:174
goto_statet
Container for data that varies per program point, e.g.
Definition: goto_state.h:31
symex_transition
void symex_transition(goto_symext::statet &state)
Transition to the next instruction, which increments the internal program counter and initializes the...
Definition: symex_main.cpp:148
symex_target_equationt
Inheriting the interface of symex_targett this class represents the SSA form of the input program as ...
Definition: symex_target_equation.h:33
goto_functionst::goto_functiont
::goto_functiont goto_functiont
Definition: goto_functions.h:27
goto_symext::havoc_rec
void havoc_rec(statet &state, const guardt &guard, const exprt &dest)
Definition: symex_other.cpp:20
goto_symext::ns
namespacet ns
Initialized just before symbolic execution begins, to point to both outer_symbol_table and the symbol...
Definition: goto_symex.h:243
goto_symext::~goto_symext
virtual ~goto_symext()=default
A virtual destructor allowing derived classes to be cleaned up correctly.
try_evaluate_pointer_comparisons
renamedt< exprt, L2 > try_evaluate_pointer_comparisons(renamedt< exprt, L2 > condition, const value_sett &value_set, const irep_idt &language_mode, const namespacet &ns)
Try to evaluate pointer comparisons where they can be trivially determined using the value-set.
Definition: symex_goto.cpp:214
goto_symext::check_break
virtual bool check_break(const irep_idt &loop_id, unsigned unwind)
Defines condition for interrupting symbolic execution for a specific loop.
Definition: symex_goto.cpp:617
goto_symext::language_mode
irep_idt language_mode
language_mode: ID_java, ID_C or another language identifier if we know the source language in use,...
Definition: goto_symex.h:226
goto_symext::execute_next_instruction
void execute_next_instruction(const get_goto_functiont &get_goto_function, statet &state)
Executes the instruction state.source.pc Case-switches over the type of the instruction being execute...
Definition: symex_main.cpp:602
goto_symext::atomic_section_counter
unsigned atomic_section_counter
A monotonically increasing index for each encountered ATOMIC_BEGIN instruction.
Definition: goto_symex.h:255
symbolt
Symbol table entry.
Definition: symbol.h:27
goto_symext::assignment_typet
symex_targett::assignment_typet assignment_typet
Definition: goto_symex.h:727
goto_symext::symex_assume
virtual void symex_assume(statet &state, const exprt &cond)
Symbolically execute an ASSUME instruction or simulate such an execution for a synthetic assumption.
Definition: symex_main.cpp:200
goto_symext::vcc
virtual void vcc(const exprt &, const std::string &msg, statet &)
Definition: symex_main.cpp:183
goto_symext::get_goto_function
static get_goto_functiont get_goto_function(abstract_goto_modelt &goto_model)
Return a function to get/load a goto function from the given goto model Create a default delegate to ...
Definition: symex_main.cpp:493
goto_symext::lift_lets
void lift_lets(statet &, exprt &)
Execute any let expressions in expr using symex_assignt::assign_symbol.
Definition: symex_clean_expr.cpp:198
symex_target_equationt::validate
void validate(const namespacet &ns, const validation_modet vm) const
Definition: symex_target_equation.h:278
goto_symext::_total_vccs
unsigned _total_vccs
Definition: goto_symex.h:811
goto_symext::symex_config
const symex_configt symex_config
The configuration to use for this symbolic execution.
Definition: goto_symex.h:170
goto_symext::constant_propagate_assignment_with_side_effects
bool constant_propagate_assignment_with_side_effects(statet &state, symex_assignt &symex_assign, const exprt &lhs, const exprt &rhs)
Attempt to constant propagate side effects of the assignment (if any)
Definition: goto_symex.cpp:163
goto_symext::print_callstack_entry
messaget::mstreamt & print_callstack_entry(const symex_targett::sourcet &target)
Definition: symex_main.cpp:502
goto_symext::get_goto_functiont
std::function< const goto_functionst::goto_functiont &(const irep_idt &)> get_goto_functiont
The type of delegate functions that retrieve a goto_functiont for a particular function identifier.
Definition: goto_symex.h:82
messaget::mstreamt
Definition: message.h:223
goto_programt::const_targett
instructionst::const_iterator const_targett
Definition: goto_program.h:587
goto_symext::loop_bound_exceeded
virtual void loop_bound_exceeded(statet &state, const exprt &guard)
Definition: symex_goto.cpp:926
complexity_limiter.h
goto_symext::try_evaluate_constant
static optionalt< std::reference_wrapper< const constant_exprt > > try_evaluate_constant(const statet &state, const exprt &expr)
Definition: goto_symex.cpp:366
abstract_goto_modelt
Abstract interface to eager or lazy GOTO models.
Definition: abstract_goto_model.h:20
symex_targett::sourcet
Identifies source in the context of symbolic execution.
Definition: symex_target.h:36
goto_symext::symex_atomic_begin
virtual void symex_atomic_begin(statet &state)
Symbolically execute an ATOMIC_BEGIN instruction.
Definition: symex_atomic_section.cpp:16
goto_symext::apply_goto_condition
void apply_goto_condition(goto_symex_statet &current_state, goto_statet &jump_taken_state, goto_statet &jump_not_taken_state, const exprt &original_guard, const exprt &new_guard, const namespacet &ns)
Propagate constants and points-to information implied by a GOTO condition.
Definition: symex_goto.cpp:30
goto_symext::no_body
virtual void no_body(const irep_idt &identifier)
Log a warning that a function has no body.
Definition: goto_symex.h:428
address_of_exprt
Operator to return the address of an object.
Definition: pointer_expr.h:370
complexity_limitert
Symex complexity module.
Definition: complexity_limiter.h:46
goto_symext::symex_set_return_value
void symex_set_return_value(statet &state, const exprt &return_value)
Symbolically execute a SET_RETURN_VALUE instruction.
Definition: symex_set_return_value.cpp:14
goto_symext::get_total_vccs
unsigned get_total_vccs() const
Definition: goto_symex.h:817
message.h
constant_exprt
A constant literal expression.
Definition: std_expr.h:2941
goto_symext::print_symex_step
void print_symex_step(statet &state)
Prints the route of symex as it walks through the code.
Definition: symex_main.cpp:510
goto_symext::symex_assert
void symex_assert(const goto_programt::instructiont &, statet &)
Definition: symex_main.cpp:155
goto_symext::constant_propagate_replace
bool constant_propagate_replace(statet &state, symex_assignt &symex_assign, const function_application_exprt &f_l1)
Attempt to constant proagate character replacement.
Definition: goto_symex.cpp:1009
goto_programt::instructiont
This class represents an instruction in the GOTO intermediate representation.
Definition: goto_program.h:180
goto_symext::symex_assign
void symex_assign(statet &state, const exprt &lhs, const exprt &rhs)
Symbolically execute an ASSIGN instruction or simulate such an execution for a synthetic assignment.
Definition: goto_symex.cpp:40
goto_symext::rewrite_quantifiers
void rewrite_quantifiers(exprt &, statet &)
Definition: symex_main.cpp:252
array_exprt
Array constructor from list of elements.
Definition: std_expr.h:1562
goto_symext::symex_other
virtual void symex_other(statet &state)
Symbolically execute an OTHER instruction.
Definition: symex_other.cpp:75
goto_symext::symex_start_thread
virtual void symex_start_thread(statet &state)
Symbolically execute a START_THREAD instruction.
Definition: symex_start_thread.cpp:21
goto_symext::symex_output
virtual void symex_output(statet &state, const codet &code)
Symbolically execute an OTHER instruction that does a CPP output.
Definition: symex_builtin_functions.cpp:446
renamedt
Wrapper for expressions or types which have been renamed up to a given level.
Definition: renamed.h:32
let_exprt
A let expression.
Definition: std_expr.h:3141
side_effect_exprt
An expression containing a side effect.
Definition: std_code.h:1449
statet
unsigned int statet
Definition: trace_automaton.h:24
validation_modet::INVARIANT
@ INVARIANT
symex_config.h
goto_symext::get_remaining_vccs
unsigned get_remaining_vccs() const
Definition: goto_symex.h:826
goto_symext::should_pause_symex
bool should_pause_symex
Set when states are pushed onto the workqueue If this flag is set at the end of a symbolic execution ...
Definition: goto_symex.h:152
codet
Data structure for representing an arbitrary statement in a program.
Definition: std_code_base.h:28