CBMC
string_refinement.cpp
Go to the documentation of this file.
1 /*******************************************************************\
2 
3 Module: String support via creating string constraints and progressively
4  instantiating the universal constraints as needed.
5  The procedure is described in the PASS paper at HVC'13:
6  "PASS: String Solving with Parameterized Array and Interval Automaton"
7  by Guodong Li and Indradeep Ghosh.
8 
9 Author: Alberto Griggio, alberto.griggio@gmail.com
10 
11 \*******************************************************************/
12 
19 
20 #include "string_refinement.h"
21 
22 #include <solvers/sat/satcheck.h>
23 #include <stack>
24 #include <unordered_set>
25 
26 #include <util/expr_iterator.h>
27 #include <util/expr_util.h>
28 #include <util/format_type.h>
29 #include <util/magic.h>
30 #include <util/range.h>
31 #include <util/simplify_expr.h>
32 
33 #include "equation_symbol_mapping.h"
34 #include "string_constraint_instantiation.h"
35 #include "string_dependencies.h"
36 #include "string_refinement_invariant.h"
37 
38 static bool is_valid_string_constraint(
39  messaget::mstreamt &stream,
40  const namespacet &ns,
41  const string_constraintt &constraint);
42 
43 static optionalt<exprt> find_counter_example(
44  const namespacet &ns,
45  const exprt &axiom,
46  const symbol_exprt &var,
47  message_handlert &message_handler);
48 
65 static std::pair<bool, std::vector<exprt>> check_axioms(
66  const string_axiomst &axioms,
67  string_constraint_generatort &generator,
68  const std::function<exprt(const exprt &)> &get,
69  messaget::mstreamt &stream,
70  const namespacet &ns,
71  bool use_counter_example,
72  const union_find_replacet &symbol_resolve,
73  const std::unordered_map<string_not_contains_constraintt, symbol_exprt>
74  &not_contain_witnesses);
75 
76 static void initial_index_set(
77  index_set_pairt &index_set,
78  const namespacet &ns,
79  const string_constraintt &axiom);
80 
81 static void initial_index_set(
82  index_set_pairt &index_set,
83  const namespacet &ns,
84  const string_not_contains_constraintt &axiom);
85 
86 static void initial_index_set(
87  index_set_pairt &index_set,
88  const namespacet &ns,
89  const string_axiomst &axioms);
90 
91 exprt simplify_sum(const exprt &f);
92 
93 static void update_index_set(
94  index_set_pairt &index_set,
95  const namespacet &ns,
96  const std::vector<exprt> &current_constraints);
97 
98 static void update_index_set(
99  index_set_pairt &index_set,
100  const namespacet &ns,
101  const exprt &formula);
102 
103 static std::vector<exprt> instantiate(
104  const string_not_contains_constraintt &axiom,
105  const index_set_pairt &index_set,
106  const std::unordered_map<string_not_contains_constraintt, symbol_exprt>
107  &witnesses);
108 
109 static optionalt<exprt> get_array(
110  const std::function<exprt(const exprt &)> &super_get,
111  const namespacet &ns,
112  messaget::mstreamt &stream,
113  const array_string_exprt &arr,
114  const array_poolt &array_pool);
115 
116 static optionalt<exprt> substitute_array_access(
117  const index_exprt &index_expr,
118  symbol_generatort &symbol_generator,
119  const bool left_propagate);
120 
128 template <typename T>
129 static std::vector<T>
130 fill_in_map_as_vector(const std::map<std::size_t, T> &index_value)
131 {
132  std::vector<T> result;
133  if(!index_value.empty())
134  {
135  result.resize(index_value.rbegin()->first + 1);
136  for(auto it = index_value.rbegin(); it != index_value.rend(); ++it)
137  {
138  const std::size_t index = it->first;
139  const T &value = it->second;
140  const auto next = std::next(it);
141  const std::size_t leftmost_index_to_pad =
142  next != index_value.rend() ? next->first + 1 : 0;
143  for(std::size_t j = leftmost_index_to_pad; j <= index; j++)
144  result[j] = value;
145  }
146  }
147  return result;
148 }
149 
150 static bool validate(const string_refinementt::infot &info)
151 {
152  PRECONDITION(info.ns);
153  PRECONDITION(info.prop);
154  return true;
155 }
156 
157 string_refinementt::string_refinementt(const infot &info, bool)
158  : supert(info),
159  config_(info),
160  loop_bound_(info.refinement_bound),
161  generator(*info.ns, *info.message_handler)
162 {
163 }
164 
165 string_refinementt::string_refinementt(const infot &info)
166  : string_refinementt(info, validate(info))
167 {
168 }
169 
171 static void
172 display_index_set(messaget::mstreamt &stream, const index_set_pairt &index_set)
173 {
174  std::size_t count = 0;
175  std::size_t count_current = 0;
176  for(const auto &i : index_set.cumulative)
177  {
178  const exprt &s = i.first;
179  stream << "IS(" << format(s) << ")=={" << messaget::eom;
180 
181  for(const auto &j : i.second)
182  {
183  const auto it = index_set.current.find(i.first);
184  if(
185  it != index_set.current.end() && it->second.find(j) != it->second.end())
186  {
187  count_current++;
188  stream << "**";
189  }
190  stream << " " << format(j) << ";" << messaget::eom;
191  count++;
192  }
193  stream << "}" << messaget::eom;
194  }
195  stream << count << " elements in index set (" << count_current
196  << " newly added)" << messaget::eom;
197 }
198 
220 static std::vector<exprt> generate_instantiations(
221  const index_set_pairt &index_set,
222  const string_axiomst &axioms,
223  const std::unordered_map<string_not_contains_constraintt, symbol_exprt>
224  &not_contain_witnesses)
225 {
226  std::vector<exprt> lemmas;
227  for(const auto &i : index_set.current)
228  {
229  for(const auto &univ_axiom : axioms.universal)
230  {
231  for(const auto &j : i.second)
232  lemmas.push_back(instantiate(univ_axiom, i.first, j));
233  }
234  }
235  for(const auto &nc_axiom : axioms.not_contains)
236  {
237  for(const auto &instance :
238  instantiate(nc_axiom, index_set, not_contain_witnesses))
239  lemmas.push_back(instance);
240  }
241  return lemmas;
242 }
243 
247 static void make_char_array_pointer_associations(
248  string_constraint_generatort &generator,
249  exprt &expr)
250 {
251  if(const auto equal_expr = expr_try_dynamic_cast<equal_exprt>(expr))
252  {
253  if(
254  const auto fun_app = expr_try_dynamic_cast<function_application_exprt>(
255  as_const(equal_expr->rhs())))
256  {
257  const auto new_equation =
258  generator.make_array_pointer_association(equal_expr->lhs(), *fun_app);
259  if(new_equation)
260  {
261  expr =
262  equal_exprt{from_integer(true, new_equation->type()), *new_equation};
263  }
264  }
265  }
266 }
267 
272 static exprt
273 replace_expr_copy(const union_find_replacet &symbol_resolve, exprt expr)
274 {
275  symbol_resolve.replace_expr(expr);
276  return expr;
277 }
278 
283 void string_refinementt::set_to(const exprt &expr, bool value)
284 {
285  PRECONDITION(expr.type().id() == ID_bool);
286  PRECONDITION(equality_propagation);
287  if(!value)
288  equations.push_back(not_exprt{expr});
289  else
290  equations.push_back(expr);
291 }
292 
301 static void add_equations_for_symbol_resolution(
302  union_find_replacet &symbol_solver,
303  const std::vector<exprt> &equations,
304  const namespacet &ns,
305  messaget::mstreamt &stream)
306 {
307  const std::string log_message =
308  "WARNING string_refinement.cpp generate_symbol_resolution_from_equations:";
309  auto equalities = make_range(equations).filter(
310  [&](const exprt &e) { return can_cast_expr<equal_exprt>(e); });
311  for(const exprt &e : equalities)
312  {
313  const equal_exprt &eq = to_equal_expr(e);
314  const exprt &lhs = to_equal_expr(eq).lhs();
315  const exprt &rhs = to_equal_expr(eq).rhs();
316  if(lhs.id() != ID_symbol)
317  {
318  stream << log_message << "non symbol lhs: " << format(lhs)
319  << " with rhs: " << format(rhs) << messaget::eom;
320  continue;
321  }
322 
323  if(lhs.type() != rhs.type())
324  {
325  stream << log_message << "non equal types lhs: " << format(lhs)
326  << "\n####################### rhs: " << format(rhs)
327  << messaget::eom;
328  continue;
329  }
330 
331  if(is_char_pointer_type(rhs.type()))
332  {
333  symbol_solver.make_union(lhs, simplify_expr(rhs, ns));
334  }
335  else if(rhs.id() == ID_function_application)
336  {
337  // function applications can be ignored because they will be replaced
338  // in the convert_function_application step of dec_solve
339  }
340  else if(
341  lhs.type().id() != ID_pointer && has_char_pointer_subtype(lhs.type(), ns))
342  {
343  if(rhs.type().id() == ID_struct || rhs.type().id() == ID_struct_tag)
344  {
345  const struct_typet &struct_type = to_struct_type(ns.follow(rhs.type()));
346  for(const auto &comp : struct_type.components())
347  {
348  if(is_char_pointer_type(comp.type()))
349  {
350  const member_exprt lhs_data(lhs, comp.get_name(), comp.type());
351  const exprt rhs_data = simplify_expr(
352  member_exprt(rhs, comp.get_name(), comp.type()), ns);
353  symbol_solver.make_union(lhs_data, rhs_data);
354  }
355  }
356  }
357  else
358  {
359  stream << log_message << "non struct with char pointer subexpr "
360  << format(rhs) << "\n * of type " << format(rhs.type())
361  << messaget::eom;
362  }
363  }
364  }
365 }
366 
373 static std::vector<exprt>
374 extract_strings_from_lhs(const exprt &lhs, const namespacet &ns)
375 {
376  std::vector<exprt> result;
377  if(lhs.type() == string_typet())
378  result.push_back(lhs);
379  else if(lhs.type().id() == ID_struct || lhs.type().id() == ID_struct_tag)
380  {
381  const struct_typet &struct_type = to_struct_type(ns.follow(lhs.type()));
382  for(const auto &comp : struct_type.components())
383  {
384  const std::vector<exprt> strings_in_comp = extract_strings_from_lhs(
385  member_exprt(lhs, comp.get_name(), comp.type()), ns);
386  result.insert(
387  result.end(), strings_in_comp.begin(), strings_in_comp.end());
388  }
389  }
390  return result;
391 }
392 
398 static std::vector<exprt>
399 extract_strings(const exprt &expr, const namespacet &ns)
400 {
401  std::vector<exprt> result;
402  for(auto it = expr.depth_begin(); it != expr.depth_end();)
403  {
404  if(it->type() == string_typet() && it->id() != ID_if)
405  {
406  result.push_back(*it);
407  it.next_sibling_or_parent();
408  }
409  else if(it->id() == ID_symbol)
410  {
411  for(const exprt &e : extract_strings_from_lhs(*it, ns))
412  result.push_back(e);
413  it.next_sibling_or_parent();
414  }
415  else
416  ++it;
417  }
418  return result;
419 }
420 
427 static void add_string_equation_to_symbol_resolution(
428  const equal_exprt &eq,
429  union_find_replacet &symbol_resolve,
430  const namespacet &ns)
431 {
432  if(eq.rhs().type() == string_typet())
433  {
434  symbol_resolve.make_union(eq.lhs(), simplify_expr(eq.rhs(), ns));
435  }
436  else if(has_subtype(eq.lhs().type(), ID_string, ns))
437  {
438  if(
439  eq.rhs().type().id() == ID_struct ||
440  eq.rhs().type().id() == ID_struct_tag)
441  {
442  const struct_typet &struct_type =
443  to_struct_type(ns.follow(eq.rhs().type()));
444  for(const auto &comp : struct_type.components())
445  {
446  const member_exprt lhs_data(eq.lhs(), comp.get_name(), comp.type());
447  const exprt rhs_data = simplify_expr(
448  member_exprt(eq.rhs(), comp.get_name(), comp.type()), ns);
449  add_string_equation_to_symbol_resolution(
450  equal_exprt(lhs_data, rhs_data), symbol_resolve, ns);
451  }
452  }
453  }
454 }
455 
463 union_find_replacet string_identifiers_resolution_from_equations(
464  const std::vector<equal_exprt> &equations,
465  const namespacet &ns,
466  messaget::mstreamt &stream)
467 {
468  const std::string log_message =
469  "WARNING string_refinement.cpp "
470  "string_identifiers_resolution_from_equations:";
471 
472  equation_symbol_mappingt equation_map;
473 
474  // Indexes of equations that need to be added to the result
475  std::unordered_set<size_t> required_equations;
476  std::stack<size_t> equations_to_treat;
477 
478  for(std::size_t i = 0; i < equations.size(); ++i)
479  {
480  const equal_exprt &eq = equations[i];
481  if(eq.rhs().id() == ID_function_application)
482  {
483  if(required_equations.insert(i).second)
484  equations_to_treat.push(i);
485 
486  std::vector<exprt> rhs_strings = extract_strings(eq.rhs(), ns);
487  for(const auto &expr : rhs_strings)
488  equation_map.add(i, expr);
489  }
490  else if(
491  eq.lhs().type().id() != ID_pointer &&
492  has_subtype(eq.lhs().type(), ID_string, ns))
493  {
494  std::vector<exprt> lhs_strings = extract_strings_from_lhs(eq.lhs(), ns);
495 
496  for(const auto &expr : lhs_strings)
497  equation_map.add(i, expr);
498 
499  if(lhs_strings.empty())
500  {
501  stream << log_message << "non struct with string subtype "
502  << format(eq.lhs()) << "\n * of type "
503  << format(eq.lhs().type()) << messaget::eom;
504  }
505 
506  for(const exprt &expr : extract_strings(eq.rhs(), ns))
507  equation_map.add(i, expr);
508  }
509  }
510 
511  // transitively add all equations which depend on the equations to treat
512  while(!equations_to_treat.empty())
513  {
514  const std::size_t i = equations_to_treat.top();
515  equations_to_treat.pop();
516  for(const exprt &string : equation_map.find_expressions(i))
517  {
518  for(const std::size_t j : equation_map.find_equations(string))
519  {
520  if(required_equations.insert(j).second)
521  equations_to_treat.push(j);
522  }
523  }
524  }
525 
526  union_find_replacet result;
527  for(const std::size_t i : required_equations)
528  add_string_equation_to_symbol_resolution(equations[i], result, ns);
529 
530  return result;
531 }
532 
533 #ifdef DEBUG
534 static void
536 output_equations(std::ostream &output, const std::vector<exprt> &equations)
537 {
538  for(std::size_t i = 0; i < equations.size(); ++i)
539  output << " [" << i << "] " << format(equations[i]) << std::endl;
540 }
541 #endif
542 
553 // NOLINTNEXTLINE
556 // NOLINTNEXTLINE
561 // NOLINTNEXTLINE
607 decision_proceduret::resultt string_refinementt::dec_solve()
608 {
609 #ifdef DEBUG
610  log.debug() << "dec_solve: Initial set of equations" << messaget::eom;
611  output_equations(log.debug(), equations);
612 #endif
613 
614  log.debug() << "dec_solve: Build symbol solver from equations"
615  << messaget::eom;
616  // symbol_resolve is used by get and is kept between calls to dec_solve,
617  // that's why we use a class member here
618  add_equations_for_symbol_resolution(
619  symbol_resolve, equations, ns, log.debug());
620 #ifdef DEBUG
621  log.debug() << "symbol resolve:" << messaget::eom;
622  for(const auto &pair : symbol_resolve.to_vector())
623  log.debug() << format(pair.first) << " --> " << format(pair.second)
624  << messaget::eom;
625 #endif
626 
627  const union_find_replacet string_id_symbol_resolve =
628  string_identifiers_resolution_from_equations(
629  [&] {
630  std::vector<equal_exprt> equalities;
631  for(const auto &eq : equations)
632  {
633  if(auto equal_expr = expr_try_dynamic_cast<equal_exprt>(eq))
634  equalities.push_back(*equal_expr);
635  }
636  return equalities;
637  }(),
638  ns,
639  log.debug());
640 #ifdef DEBUG
641  log.debug() << "symbol resolve string:" << messaget::eom;
642  for(const auto &pair : string_id_symbol_resolve.to_vector())
643  {
644  log.debug() << format(pair.first) << " --> " << format(pair.second)
645  << messaget::eom;
646  }
647 #endif
648 
649  log.debug() << "dec_solve: Replacing string ids and simplifying arguments"
650  " in function applications"
651  << messaget::eom;
652  for(exprt &expr : equations)
653  {
654  auto it = expr.depth_begin();
655  while(it != expr.depth_end())
656  {
657  if(can_cast_expr<function_application_exprt>(*it))
658  {
659  // Simplification is required because the array pool may not realize
660  // that an expression like
661  // `(unsignedbv[16]*)((signedbv[8]*)&constarray[0] + 0)` is the
662  // same pointer as `&constarray[0]
663  simplify(it.mutate(), ns);
664  string_id_symbol_resolve.replace_expr(it.mutate());
665  it.next_sibling_or_parent();
666  }
667  else
668  ++it;
669  }
670  }
671 
672  // Constraints start clear at each `dec_solve` call.
673  string_constraintst constraints;
674  for(auto &expr : equations)
675  make_char_array_pointer_associations(generator, expr);
676 
677 #ifdef DEBUG
678  output_equations(log.debug(), equations);
679 #endif
680 
681  log.debug() << "dec_solve: compute dependency graph and remove function "
682  << "applications captured by the dependencies:" << messaget::eom;
683  std::vector<exprt> local_equations;
684  for(const exprt &eq : equations)
685  {
686  // Ensures that arrays that are equal, are associated to the same nodes
687  // in the graph.
688  const exprt eq_with_char_array_replaced_with_representative_elements =
689  replace_expr_copy(symbol_resolve, eq);
690  const optionalt<exprt> new_equation = add_node(
691  dependencies,
692  eq_with_char_array_replaced_with_representative_elements,
693  generator.array_pool,
694  generator.fresh_symbol);
695  if(new_equation)
696  local_equations.push_back(*new_equation);
697  else
698  local_equations.push_back(eq);
699  }
700  equations.clear();
701 
702 #ifdef DEBUG
703  dependencies.output_dot(log.debug());
704 #endif
705 
706  log.debug() << "dec_solve: add constraints" << messaget::eom;
707  merge(
708  constraints,
709  dependencies.add_constraints(generator, log.get_message_handler()));
710 
711 #ifdef DEBUG
712  output_equations(log.debug(), equations);
713 #endif
714 
715 #ifdef DEBUG
716  log.debug() << "dec_solve: arrays_of_pointers:" << messaget::eom;
717  for(auto pair : generator.array_pool.get_arrays_of_pointers())
718  {
719  log.debug() << " * " << format(pair.first) << "\t--> "
720  << format(pair.second) << " : " << format(pair.second.type())
721  << messaget::eom;
722  }
723 #endif
724 
725  for(const auto &eq : local_equations)
726  {
727 #ifdef DEBUG
728  log.debug() << "dec_solve: set_to " << format(eq) << messaget::eom;
729 #endif
730  supert::set_to(eq, true);
731  }
732 
733  std::transform(
734  constraints.universal.begin(),
735  constraints.universal.end(),
736  std::back_inserter(axioms.universal),
737  [&](string_constraintt constraint) {
738  constraint.replace_expr(symbol_resolve);
739  DATA_INVARIANT(
740  is_valid_string_constraint(log.error(), ns, constraint),
741  string_refinement_invariantt(
742  "string constraints satisfy their invariant"));
743  return constraint;
744  });
745 
746  std::transform(
747  constraints.not_contains.begin(),
748  constraints.not_contains.end(),
749  std::back_inserter(axioms.not_contains),
750  [&](string_not_contains_constraintt axiom) {
751  replace(symbol_resolve, axiom);
752  return axiom;
753  });
754 
755  // Used to store information about witnesses for not_contains constraints
756  std::unordered_map<string_not_contains_constraintt, symbol_exprt>
757  not_contain_witnesses;
758  for(const auto &nc_axiom : axioms.not_contains)
759  {
760  const auto &witness_type = [&] {
761  const auto &rtype = to_array_type(nc_axiom.s0.type());
762  const typet &index_type = rtype.size().type();
763  return array_typet(index_type, infinity_exprt(index_type));
764  }();
765  not_contain_witnesses.emplace(
766  nc_axiom, generator.fresh_symbol("not_contains_witness", witness_type));
767  }
768 
769  for(const exprt &lemma : constraints.existential)
770  {
771  add_lemma(substitute_array_access(lemma, generator.fresh_symbol, true));
772  }
773 
774  // All generated strings should have non-negative length
775  for(const auto &pair : generator.array_pool.created_strings())
776  {
777  exprt length = generator.array_pool.get_or_create_length(pair.first);
778  add_lemma(
779  binary_relation_exprt{length, ID_ge, from_integer(0, length.type())});
780  }
781 
782  // Initial try without index set
783  const auto get = [this](const exprt &expr) { return this->get(expr); };
784  dependencies.clean_cache();
785  const decision_proceduret::resultt initial_result = supert::dec_solve();
786  if(initial_result == resultt::D_SATISFIABLE)
787  {
788  bool satisfied;
789  std::vector<exprt> counter_examples;
790  std::tie(satisfied, counter_examples) = check_axioms(
791  axioms,
792  generator,
793  get,
794  log.debug(),
795  ns,
796  config_.use_counter_example,
797  symbol_resolve,
798  not_contain_witnesses);
799  if(satisfied)
800  {
801  log.debug() << "check_SAT: the model is correct" << messaget::eom;
802  return resultt::D_SATISFIABLE;
803  }
804  log.debug() << "check_SAT: got SAT but the model is not correct"
805  << messaget::eom;
806  }
807  else
808  {
809  log.debug() << "check_SAT: got UNSAT or ERROR" << messaget::eom;
810  return initial_result;
811  }
812 
813  initial_index_set(index_sets, ns, axioms);
814  update_index_set(index_sets, ns, current_constraints);
815  current_constraints.clear();
816  const auto initial_instances =
817  generate_instantiations(index_sets, axioms, not_contain_witnesses);
818  for(const auto &instance : initial_instances)
819  {
820  add_lemma(substitute_array_access(instance, generator.fresh_symbol, true));
821  }
822 
823  while((loop_bound_--) > 0)
824  {
825  dependencies.clean_cache();
826  const decision_proceduret::resultt refined_result = supert::dec_solve();
827 
828  if(refined_result == resultt::D_SATISFIABLE)
829  {
830  bool satisfied;
831  std::vector<exprt> counter_examples;
832  std::tie(satisfied, counter_examples) = check_axioms(
833  axioms,
834  generator,
835  get,
836  log.debug(),
837  ns,
838  config_.use_counter_example,
839  symbol_resolve,
840  not_contain_witnesses);
841  if(satisfied)
842  {
843  log.debug() << "check_SAT: the model is correct" << messaget::eom;
844  return resultt::D_SATISFIABLE;
845  }
846 
847  log.debug()
848  << "check_SAT: got SAT but the model is not correct, refining..."
849  << messaget::eom;
850 
851  // Since the model is not correct although we got SAT, we need to refine
852  // the property we are checking by adding more indices to the index set,
853  // and instantiating universal formulas with this indices.
854  // We will then relaunch the solver with these added lemmas.
855  index_sets.current.clear();
856  update_index_set(index_sets, ns, current_constraints);
857 
858  display_index_set(log.debug(), index_sets);
859 
860  if(index_sets.current.empty())
861  {
862  if(axioms.not_contains.empty())
863  {
864  log.error() << "dec_solve: current index set is empty, "
865  << "this should not happen" << messaget::eom;
866  return resultt::D_ERROR;
867  }
868  else
869  {
870  log.debug() << "dec_solve: current index set is empty, "
871  << "adding counter examples" << messaget::eom;
872  for(const auto &counter : counter_examples)
873  add_lemma(counter);
874  }
875  }
876  current_constraints.clear();
877  const auto instances =
878  generate_instantiations(index_sets, axioms, not_contain_witnesses);
879  for(const auto &instance : instances)
880  add_lemma(
881  substitute_array_access(instance, generator.fresh_symbol, true));
882  }
883  else
884  {
885  log.debug() << "check_SAT: default return "
886  << static_cast<int>(refined_result) << messaget::eom;
887  return refined_result;
888  }
889  }
890  log.debug() << "string_refinementt::dec_solve reached the maximum number"
891  << "of steps allowed" << messaget::eom;
892  return resultt::D_ERROR;
893 }
898 void string_refinementt::add_lemma(
899  const exprt &lemma,
900  const bool simplify_lemma)
901 {
902  if(!seen_instances.insert(lemma).second)
903  return;
904 
905  current_constraints.push_back(lemma);
906 
907  exprt simple_lemma = lemma;
908  if(simplify_lemma)
909  {
910  simplify(simple_lemma, ns);
911  }
912 
913  if(simple_lemma.is_true())
914  {
915 #if 0
916  log.debug() << "string_refinementt::add_lemma : tautology" << messaget::eom;
917 #endif
918  return;
919  }
920 
921  symbol_resolve.replace_expr(simple_lemma);
922 
923  // Replace empty arrays with array_of expression because the solver cannot
924  // handle empty arrays.
925  for(auto it = simple_lemma.depth_begin(); it != simple_lemma.depth_end();)
926  {
927  if(it->id() == ID_array && it->operands().empty())
928  {
929  it.mutate() = array_of_exprt(
930  from_integer(
931  CHARACTER_FOR_UNKNOWN, to_array_type(it->type()).subtype()),
932  to_array_type(it->type()));
933  it.next_sibling_or_parent();
934  }
935  else
936  ++it;
937  }
938 
939  log.debug() << "adding lemma " << format(simple_lemma) << messaget::eom;
940 
941  prop.l_set_to_true(convert(simple_lemma));
942 }
943 
958 static optionalt<exprt> get_valid_array_size(
959  const std::function<exprt(const exprt &)> &super_get,
960  const namespacet &ns,
961  messaget::mstreamt &stream,
962  const array_string_exprt &arr,
963  const array_poolt &array_pool)
964 {
965  const auto &size_from_pool = array_pool.get_length_if_exists(arr);
966  exprt size_val;
967  if(size_from_pool.has_value())
968  {
969  const exprt size = size_from_pool.value();
970  size_val = simplify_expr(super_get(size), ns);
971  if(size_val.id() != ID_constant)
972  {
973  stream << "(sr::get_valid_array_size) string of unknown size: "
974  << format(size_val) << messaget::eom;
975  return {};
976  }
977  }
978  else if(to_array_type(arr.type()).size().id() == ID_constant)
979  size_val = simplify_expr(to_array_type(arr.type()).size(), ns);
980  else
981  return {};
982 
983  auto n_opt = numeric_cast<std::size_t>(size_val);
984  if(!n_opt)
985  {
986  stream << "(sr::get_valid_array_size) size is not valid" << messaget::eom;
987  return {};
988  }
989 
990  return size_val;
991 }
992 
1002 static optionalt<exprt> get_array(
1003  const std::function<exprt(const exprt &)> &super_get,
1004  const namespacet &ns,
1005  messaget::mstreamt &stream,
1006  const array_string_exprt &arr,
1007  const array_poolt &array_pool)
1008 {
1009  const auto size =
1010  get_valid_array_size(super_get, ns, stream, arr, array_pool);
1011  if(!size.has_value())
1012  {
1013  return {};
1014  }
1015 
1016  const size_t n = numeric_cast<std::size_t>(size.value()).value();
1017 
1018  if(n > MAX_CONCRETE_STRING_SIZE)
1019  {
1020  stream << "(sr::get_valid_array_size) long string (size "
1021  << " = " << n << ") " << format(arr) << messaget::eom;
1022  stream << "(sr::get_valid_array_size) consider reducing "
1023  "max-nondet-string-length so "
1024  "that no string exceeds "
1025  << MAX_CONCRETE_STRING_SIZE
1026  << " in length and "
1027  "make sure all functions returning strings are loaded"
1028  << messaget::eom;
1029  stream << "(sr::get_valid_array_size) this can also happen on invalid "
1030  "object access"
1031  << messaget::eom;
1032  return nil_exprt();
1033  }
1034 
1035  const exprt arr_val = simplify_expr(super_get(arr), ns);
1036  const typet char_type = to_array_type(arr.type()).subtype();
1037  const typet &index_type = size.value().type();
1038 
1039  if(
1040  const auto &array = interval_sparse_arrayt::of_expr(
1041  arr_val, from_integer(CHARACTER_FOR_UNKNOWN, char_type)))
1042  return array->concretize(n, index_type);
1043  return {};
1044 }
1045 
1050 static std::string string_of_array(const array_exprt &arr)
1051 {
1052  if(arr.type().id() != ID_array)
1053  return std::string("");
1054 
1055  exprt size_expr = to_array_type(arr.type()).size();
1056  auto n = numeric_cast_v<std::size_t>(to_constant_expr(size_expr));
1057  return utf16_constant_array_to_java(arr, n);
1058 }
1059 
1068 static exprt get_char_array_and_concretize(
1069  const std::function<exprt(const exprt &)> &super_get,
1070  const namespacet &ns,
1071  messaget::mstreamt &stream,
1072  const array_string_exprt &arr,
1073  array_poolt &array_pool)
1074 {
1075  stream << "- " << format(arr) << ":\n";
1076  stream << std::string(4, ' ') << "- type: " << format(arr.type())
1077  << messaget::eom;
1078  const auto arr_model_opt = get_array(super_get, ns, stream, arr, array_pool);
1079  if(arr_model_opt)
1080  {
1081  stream << std::string(4, ' ') << "- char_array: " << format(*arr_model_opt)
1082  << '\n';
1083  stream << std::string(4, ' ')
1084  << "- type : " << format(arr_model_opt->type()) << messaget::eom;
1085  const exprt simple = simplify_expr(*arr_model_opt, ns);
1086  stream << std::string(4, ' ')
1087  << "- simplified_char_array: " << format(simple) << messaget::eom;
1088  if(
1089  const auto concretized_array = get_array(
1090  super_get, ns, stream, to_array_string_expr(simple), array_pool))
1091  {
1092  stream << std::string(4, ' ')
1093  << "- concretized_char_array: " << format(*concretized_array)
1094  << messaget::eom;
1095 
1096  if(
1097  const auto array_expr =
1098  expr_try_dynamic_cast<array_exprt>(*concretized_array))
1099  {
1100  stream << std::string(4, ' ') << "- as_string: \""
1101  << string_of_array(*array_expr) << "\"\n";
1102  }
1103  else
1104  stream << std::string(2, ' ') << "- warning: not an array"
1105  << messaget::eom;
1106  return *concretized_array;
1107  }
1108  return simple;
1109  }
1110  stream << std::string(4, ' ') << "- incomplete model" << messaget::eom;
1111  return arr;
1112 }
1113 
1116 void debug_model(
1117  const string_constraint_generatort &generator,
1118  messaget::mstreamt &stream,
1119  const namespacet &ns,
1120  const std::function<exprt(const exprt &)> &super_get,
1121  const std::vector<symbol_exprt> &symbols,
1122  array_poolt &array_pool)
1123 {
1124  stream << "debug_model:" << '\n';
1125  for(const auto &pointer_array : generator.array_pool.get_arrays_of_pointers())
1126  {
1127  const auto arr = pointer_array.second;
1128  const exprt model =
1129  get_char_array_and_concretize(super_get, ns, stream, arr, array_pool);
1130 
1131  stream << "- " << format(arr) << ":\n"
1132  << " - pointer: " << format(pointer_array.first) << "\n"
1133  << " - model: " << format(model) << messaget::eom;
1134  }
1135 
1136  for(const auto &symbol : symbols)
1137  {
1138  stream << " - " << symbol.get_identifier() << ": "
1139  << format(super_get(symbol)) << '\n';
1140  }
1141  stream << messaget::eom;
1142 }
1143 
1156 static exprt substitute_array_access(
1157  const with_exprt &expr,
1158  const exprt &index,
1159  const bool left_propagate)
1160 {
1161  return left_propagate ? interval_sparse_arrayt(expr).to_if_expression(index)
1162  : sparse_arrayt::to_if_expression(expr, index);
1163 }
1164 
1171 static exprt substitute_array_access(
1172  const array_exprt &array_expr,
1173  const exprt &index,
1174  symbol_generatort &symbol_generator)
1175 {
1176  const typet &char_type = array_expr.type().element_type();
1177  const exprt default_val = symbol_generator("out_of_bound_access", char_type);
1178  const interval_sparse_arrayt sparse_array(array_expr, default_val);
1179  return sparse_array.to_if_expression(index);
1180 }
1181 
1182 static exprt substitute_array_access(
1183  const if_exprt &if_expr,
1184  const exprt &index,
1185  symbol_generatort &symbol_generator,
1186  const bool left_propagate)
1187 {
1188  exprt true_index = index_exprt(if_expr.true_case(), index);
1189  exprt false_index = index_exprt(if_expr.false_case(), index);
1190 
1191  // Substitute recursively in branches of conditional expressions
1192  optionalt<exprt> substituted_true_case =
1193  substitute_array_access(true_index, symbol_generator, left_propagate);
1194  optionalt<exprt> substituted_false_case =
1195  substitute_array_access(false_index, symbol_generator, left_propagate);
1196 
1197  return if_exprt(
1198  if_expr.cond(),
1199  substituted_true_case ? *substituted_true_case : true_index,
1200  substituted_false_case ? *substituted_false_case : false_index);
1201 }
1202 
1203 static optionalt<exprt> substitute_array_access(
1204  const index_exprt &index_expr,
1205  symbol_generatort &symbol_generator,
1206  const bool left_propagate)
1207 {
1208  const exprt &array = index_expr.array();
1209  if(auto array_of = expr_try_dynamic_cast<array_of_exprt>(array))
1210  return array_of->op();
1211  if(auto array_with = expr_try_dynamic_cast<with_exprt>(array))
1212  return substitute_array_access(
1213  *array_with, index_expr.index(), left_propagate);
1214  if(auto array_expr = expr_try_dynamic_cast<array_exprt>(array))
1215  return substitute_array_access(
1216  *array_expr, index_expr.index(), symbol_generator);
1217  if(auto if_expr = expr_try_dynamic_cast<if_exprt>(array))
1218  return substitute_array_access(
1219  *if_expr, index_expr.index(), symbol_generator, left_propagate);
1220 
1221  INVARIANT(
1222  array.is_nil() || array.id() == ID_symbol || array.id() == ID_nondet_symbol,
1223  std::string(
1224  "in case the array is unknown, it should be a symbol or nil, id: ") +
1225  id2string(array.id()));
1226  return {};
1227 }
1228 
1232 static void substitute_array_access_in_place(
1233  exprt &expr,
1234  symbol_generatort &symbol_generator,
1235  const bool left_propagate)
1236 {
1237  // Recurse down structure and modify on the way.
1238  for(auto it = expr.depth_begin(), itend = expr.depth_end(); it != itend; ++it)
1239  {
1240  if(const auto index_expr = expr_try_dynamic_cast<index_exprt>(*it))
1241  {
1242  optionalt<exprt> result =
1243  substitute_array_access(*index_expr, symbol_generator, left_propagate);
1244 
1245  // Only perform a write when we have something changed.
1246  if(result)
1247  it.mutate() = *result;
1248  }
1249  }
1250 }
1251 
1271 exprt substitute_array_access(
1272  exprt expr,
1273  symbol_generatort &symbol_generator,
1274  const bool left_propagate)
1275 {
1276  substitute_array_access_in_place(expr, symbol_generator, left_propagate);
1277  return expr;
1278 }
1279 
1290 static exprt negation_of_not_contains_constraint(
1291  const string_not_contains_constraintt &constraint,
1292  const symbol_exprt &univ_var,
1293  const std::function<exprt(const exprt &)> &get)
1294 {
1295  // If the for all is vacuously true, the negation is false.
1296  const auto lbe = numeric_cast_v<mp_integer>(
1297  to_constant_expr(get(constraint.exists_lower_bound)));
1298  const auto ube = numeric_cast_v<mp_integer>(
1299  to_constant_expr(get(constraint.exists_upper_bound)));
1300  const auto univ_bounds = and_exprt(
1301  binary_relation_exprt(get(constraint.univ_lower_bound), ID_le, univ_var),
1302  binary_relation_exprt(get(constraint.univ_upper_bound), ID_gt, univ_var));
1303 
1304  // The negated existential becomes an universal, and this is the unrolling of
1305  // that universal quantifier.
1306  // Ff the upper bound is smaller than the lower bound (specifically, it might
1307  // actually be negative as it is initially unconstrained) then there is
1308  // nothing to do (and the reserve call would fail).
1309  if(ube < lbe)
1310  return and_exprt(univ_bounds, get(constraint.premise));
1311 
1312  std::vector<exprt> conjuncts;
1313  conjuncts.reserve(numeric_cast_v<std::size_t>(ube - lbe));
1314  for(mp_integer i = lbe; i < ube; ++i)
1315  {
1316  const constant_exprt i_expr = from_integer(i, univ_var.type());
1317  const exprt s0_char =
1318  get(index_exprt(constraint.s0, plus_exprt(univ_var, i_expr)));
1319  const exprt s1_char = get(index_exprt(constraint.s1, i_expr));
1320  conjuncts.push_back(equal_exprt(s0_char, s1_char));
1321  }
1322  const exprt equal_strings = conjunction(conjuncts);
1323  return and_exprt(univ_bounds, get(constraint.premise), equal_strings);
1324 }
1325 
1330 template <typename T>
1331 static void debug_check_axioms_step(
1332  messaget::mstreamt &stream,
1333  const T &axiom,
1334  const T &axiom_in_model,
1335  const exprt &negaxiom,
1336  const exprt &with_concretized_arrays)
1337 {
1338  stream << std::string(4, ' ') << "- axiom:\n" << std::string(6, ' ');
1339  stream << to_string(axiom);
1340  stream << '\n'
1341  << std::string(4, ' ') << "- axiom_in_model:\n"
1342  << std::string(6, ' ');
1343  stream << to_string(axiom_in_model) << '\n'
1344  << std::string(4, ' ') << "- negated_axiom:\n"
1345  << std::string(6, ' ') << format(negaxiom) << '\n';
1346  stream << std::string(4, ' ') << "- negated_axiom_with_concretized_arrays:\n"
1347  << std::string(6, ' ') << format(with_concretized_arrays) << '\n';
1348 }
1349 
1351 static std::pair<bool, std::vector<exprt>> check_axioms(
1352  const string_axiomst &axioms,
1353  string_constraint_generatort &generator,
1354  const std::function<exprt(const exprt &)> &get,
1355  messaget::mstreamt &stream,
1356  const namespacet &ns,
1357  bool use_counter_example,
1358  const union_find_replacet &symbol_resolve,
1359  const std::unordered_map<string_not_contains_constraintt, symbol_exprt>
1360  &not_contain_witnesses)
1361 {
1362  stream << "string_refinementt::check_axioms:" << messaget::eom;
1363 
1364  stream << "symbol_resolve:" << messaget::eom;
1365  auto pairs = symbol_resolve.to_vector();
1366  for(const auto &pair : pairs)
1367  stream << " - " << format(pair.first) << " --> " << format(pair.second)
1368  << messaget::eom;
1369 
1370 #ifdef DEBUG
1371  debug_model(
1372  generator,
1373  stream,
1374  ns,
1375  get,
1376  generator.fresh_symbol.created_symbols,
1377  generator.array_pool);
1378 #endif
1379 
1380  // Maps from indexes of violated universal axiom to a witness of violation
1381  std::map<size_t, exprt> violated;
1382 
1383  stream << "string_refinement::check_axioms: " << axioms.universal.size()
1384  << " universal axioms:" << messaget::eom;
1385  for(size_t i = 0; i < axioms.universal.size(); i++)
1386  {
1387  const string_constraintt &axiom = axioms.universal[i];
1388  const string_constraintt axiom_in_model(
1389  axiom.univ_var,
1390  get(axiom.lower_bound),
1391  get(axiom.upper_bound),
1392  get(axiom.body),
1393  stream.message.get_message_handler());
1394 
1395  exprt negaxiom = axiom_in_model.negation();
1396  negaxiom = simplify_expr(negaxiom, ns);
1397 
1398  stream << std::string(2, ' ') << i << ".\n";
1399  const exprt with_concretized_arrays =
1400  substitute_array_access(negaxiom, generator.fresh_symbol, true);
1401  debug_check_axioms_step(
1402  stream, axiom, axiom_in_model, negaxiom, with_concretized_arrays);
1403 
1404  if(
1405  const auto &witness = find_counter_example(
1406  ns,
1407  with_concretized_arrays,
1408  axiom.univ_var,
1409  stream.message.get_message_handler()))
1410  {
1411  stream << std::string(4, ' ')
1412  << "- violated_for: " << format(axiom.univ_var) << "="
1413  << format(*witness) << messaget::eom;
1414  violated[i] = *witness;
1415  }
1416  else
1417  stream << std::string(4, ' ') << "- correct" << messaget::eom;
1418  }
1419 
1420  // Maps from indexes of violated not_contains axiom to a witness of violation
1421  std::map<std::size_t, exprt> violated_not_contains;
1422 
1423  stream << "there are " << axioms.not_contains.size() << " not_contains axioms"
1424  << messaget::eom;
1425  for(std::size_t i = 0; i < axioms.not_contains.size(); i++)
1426  {
1427  const string_not_contains_constraintt &nc_axiom = axioms.not_contains[i];
1428  const symbol_exprt univ_var = generator.fresh_symbol(
1429  "not_contains_univ_var", nc_axiom.s0.length_type());
1430  const exprt negated_axiom = negation_of_not_contains_constraint(
1431  nc_axiom, univ_var, [&](const exprt &expr) {
1432  return simplify_expr(get(expr), ns);
1433  });
1434 
1435  stream << std::string(2, ' ') << i << ".\n";
1436  debug_check_axioms_step(
1437  stream, nc_axiom, nc_axiom, negated_axiom, negated_axiom);
1438 
1439  if(
1440  const auto witness = find_counter_example(
1441  ns, negated_axiom, univ_var, stream.message.get_message_handler()))
1442  {
1443  stream << std::string(4, ' ')
1444  << "- violated_for: " << univ_var.get_identifier() << "="
1445  << format(*witness) << messaget::eom;
1446  violated_not_contains[i] = *witness;
1447  }
1448  }
1449 
1450  if(violated.empty() && violated_not_contains.empty())
1451  {
1452  stream << "no violated property" << messaget::eom;
1453  return {true, std::vector<exprt>()};
1454  }
1455  else
1456  {
1457  stream << violated.size() << " universal string axioms can be violated"
1458  << messaget::eom;
1459  stream << violated_not_contains.size()
1460  << " not_contains string axioms can be violated" << messaget::eom;
1461 
1462  if(use_counter_example)
1463  {
1464  std::vector<exprt> lemmas;
1465 
1466  for(const auto &v : violated)
1467  {
1468  const exprt &val = v.second;
1469  const string_constraintt &axiom = axioms.universal[v.first];
1470 
1471  exprt instance(axiom.body);
1472  replace_expr(axiom.univ_var, val, instance);
1473  // We are not sure the index set contains only positive numbers
1474  and_exprt bounds(
1475  axiom.univ_within_bounds(),
1476  binary_relation_exprt(from_integer(0, val.type()), ID_le, val));
1477  replace_expr(axiom.univ_var, val, bounds);
1478  const implies_exprt counter(bounds, instance);
1479  lemmas.push_back(counter);
1480  }
1481 
1482  for(const auto &v : violated_not_contains)
1483  {
1484  const exprt &val = v.second;
1485  const string_not_contains_constraintt &axiom =
1486  axioms.not_contains[v.first];
1487 
1488  const exprt func_val =
1489  index_exprt(not_contain_witnesses.at(axiom), val);
1490  const exprt comp_val = simplify_sum(plus_exprt(val, func_val));
1491 
1492  std::set<std::pair<exprt, exprt>> indices;
1493  indices.insert(std::pair<exprt, exprt>(comp_val, func_val));
1494  const exprt counter =
1495  ::instantiate_not_contains(axiom, indices, not_contain_witnesses)[0];
1496  lemmas.push_back(counter);
1497  }
1498  return {false, lemmas};
1499  }
1500  }
1501  return {false, std::vector<exprt>()};
1502 }
1503 
1506 exprt simplify_sum(const exprt &f)
1507 {
1508  return linear_functiont{f}.to_expr();
1509 }
1510 
1516 static void initial_index_set(
1517  index_set_pairt &index_set,
1518  const namespacet &ns,
1519  const string_axiomst &axioms)
1520 {
1521  for(const auto &axiom : axioms.universal)
1522  initial_index_set(index_set, ns, axiom);
1523  for(const auto &axiom : axioms.not_contains)
1524  initial_index_set(index_set, ns, axiom);
1525 }
1526 
1531 static void update_index_set(
1532  index_set_pairt &index_set,
1533  const namespacet &ns,
1534  const std::vector<exprt> &current_constraints)
1535 {
1536  for(const auto &axiom : current_constraints)
1537  update_index_set(index_set, ns, axiom);
1538 }
1539 
1546 static void get_sub_arrays(const exprt &array_expr, std::vector<exprt> &accu)
1547 {
1548  if(array_expr.id() == ID_if)
1549  {
1550  get_sub_arrays(to_if_expr(array_expr).true_case(), accu);
1551  get_sub_arrays(to_if_expr(array_expr).false_case(), accu);
1552  }
1553  else
1554  {
1555  if(array_expr.type().id() == ID_array)
1556  {
1557  // TODO: check_that it does not contain any sub_array
1558  accu.push_back(array_expr);
1559  }
1560  else
1561  {
1562  for(const auto &operand : array_expr.operands())
1563  get_sub_arrays(operand, accu);
1564  }
1565  }
1566 }
1567 
1573 static void add_to_index_set(
1574  index_set_pairt &index_set,
1575  const namespacet &ns,
1576  const exprt &s,
1577  exprt i)
1578 {
1579  simplify(i, ns);
1580  const bool is_size_t = numeric_cast<std::size_t>(i).has_value();
1581  if(i.id() != ID_constant || is_size_t)
1582  {
1583  std::vector<exprt> sub_arrays;
1584  get_sub_arrays(s, sub_arrays);
1585  for(const auto &sub : sub_arrays)
1586  if(index_set.cumulative[sub].insert(i).second)
1587  index_set.current[sub].insert(i);
1588  }
1589 }
1590 
1606 static void initial_index_set(
1607  index_set_pairt &index_set,
1608  const namespacet &ns,
1609  const exprt &qvar,
1610  const exprt &upper_bound,
1611  const exprt &s,
1612  const exprt &i)
1613 {
1614  PRECONDITION(
1615  s.id() == ID_symbol || s.id() == ID_nondet_symbol || s.id() == ID_array ||
1616  s.id() == ID_if);
1617  if(s.id() == ID_array)
1618  {
1619  for(std::size_t j = 0; j < s.operands().size(); ++j)
1620  add_to_index_set(index_set, ns, s, from_integer(j, i.type()));
1621  return;
1622  }
1623  if(auto ite = expr_try_dynamic_cast<if_exprt>(s))
1624  {
1625  initial_index_set(index_set, ns, qvar, upper_bound, ite->true_case(), i);
1626  initial_index_set(index_set, ns, qvar, upper_bound, ite->false_case(), i);
1627  return;
1628  }
1629  const minus_exprt u_minus_1(upper_bound, from_integer(1, upper_bound.type()));
1630  exprt i_copy = i;
1631  replace_expr(qvar, u_minus_1, i_copy);
1632  add_to_index_set(index_set, ns, s, i_copy);
1633 }
1634 
1635 static void initial_index_set(
1636  index_set_pairt &index_set,
1637  const namespacet &ns,
1638  const string_constraintt &axiom)
1639 {
1640  const symbol_exprt &qvar = axiom.univ_var;
1641  const auto &bound = axiom.upper_bound;
1642  auto it = axiom.body.depth_begin();
1643  const auto end = axiom.body.depth_end();
1644  while(it != end)
1645  {
1646  if(it->id() == ID_index && is_char_type(it->type()))
1647  {
1648  const auto &index_expr = to_index_expr(*it);
1649  const auto &s = index_expr.array();
1650  initial_index_set(index_set, ns, qvar, bound, s, index_expr.index());
1651  it.next_sibling_or_parent();
1652  }
1653  else
1654  ++it;
1655  }
1656 }
1657 
1658 static void initial_index_set(
1659  index_set_pairt &index_set,
1660  const namespacet &ns,
1661  const string_not_contains_constraintt &axiom)
1662 {
1663  auto it = axiom.premise.depth_begin();
1664  const auto end = axiom.premise.depth_end();
1665  while(it != end)
1666  {
1667  if(it->id() == ID_index && is_char_type(it->type()))
1668  {
1669  const exprt &s = to_index_expr(*it).array();
1670  const exprt &i = to_index_expr(*it).index();
1671 
1672  // cur is of the form s[i] and no quantified variable appears in i
1673  add_to_index_set(index_set, ns, s, i);
1674 
1675  it.next_sibling_or_parent();
1676  }
1677  else
1678  ++it;
1679  }
1680 
1681  const minus_exprt kminus1(
1682  axiom.exists_upper_bound, from_integer(1, axiom.exists_upper_bound.type()));
1683  add_to_index_set(index_set, ns, axiom.s1.content(), kminus1);
1684 }
1685 
1690 static void update_index_set(
1691  index_set_pairt &index_set,
1692  const namespacet &ns,
1693  const exprt &formula)
1694 {
1695  std::list<exprt> to_process;
1696  to_process.push_back(formula);
1697 
1698  while(!to_process.empty())
1699  {
1700  exprt cur = to_process.back();
1701  to_process.pop_back();
1702  if(cur.id() == ID_index && is_char_type(cur.type()))
1703  {
1704  const exprt &s = to_index_expr(cur).array();
1705  const exprt &i = to_index_expr(cur).index();
1706  DATA_INVARIANT(
1707  s.type().id() == ID_array,
1708  string_refinement_invariantt("index expressions must index on arrays"));
1709  exprt simplified = simplify_sum(i);
1710  if(s.id() != ID_array) // do not update index set of constant arrays
1711  add_to_index_set(index_set, ns, s, simplified);
1712  }
1713  else
1714  {
1715  forall_operands(it, cur)
1716  to_process.push_back(*it);
1717  }
1718  }
1719 }
1720 
1739 static std::vector<exprt> instantiate(
1740  const string_not_contains_constraintt &axiom,
1741  const index_set_pairt &index_set,
1742  const std::unordered_map<string_not_contains_constraintt, symbol_exprt>
1743  &witnesses)
1744 {
1745  const array_string_exprt &s0 = axiom.s0;
1746  const array_string_exprt &s1 = axiom.s1;
1747 
1748  const auto &index_set0 = index_set.cumulative.find(s0.content());
1749  const auto &index_set1 = index_set.cumulative.find(s1.content());
1750  const auto &current_index_set0 = index_set.current.find(s0.content());
1751  const auto &current_index_set1 = index_set.current.find(s1.content());
1752 
1753  if(
1754  index_set0 != index_set.cumulative.end() &&
1755  index_set1 != index_set.cumulative.end() &&
1756  current_index_set0 != index_set.current.end() &&
1757  current_index_set1 != index_set.current.end())
1758  {
1759  typedef std::pair<exprt, exprt> expr_pairt;
1760  std::set<expr_pairt> index_pairs;
1761 
1762  for(const auto &ic0 : current_index_set0->second)
1763  for(const auto &i1 : index_set1->second)
1764  index_pairs.insert(expr_pairt(ic0, i1));
1765  for(const auto &ic1 : current_index_set1->second)
1766  for(const auto &i0 : index_set0->second)
1767  index_pairs.insert(expr_pairt(i0, ic1));
1768 
1769  return ::instantiate_not_contains(axiom, index_pairs, witnesses);
1770  }
1771  return {};
1772 }
1773 
1781 exprt substitute_array_lists(exprt expr, size_t string_max_length)
1782 {
1783  for(auto &operand : expr.operands())
1784  operand = substitute_array_lists(operand, string_max_length);
1785 
1786  if(expr.id() == ID_array_list)
1787  {
1788  DATA_INVARIANT(
1789  expr.operands().size() >= 2,
1790  string_refinement_invariantt("array-lists must have at least two "
1791  "operands"));
1792  const typet &char_type = expr.operands()[1].type();
1793  array_typet arr_type(char_type, infinity_exprt(char_type));
1794  exprt ret_expr = array_of_exprt(from_integer(0, char_type), arr_type);
1795 
1796  for(size_t i = 0; i < expr.operands().size(); i += 2)
1797  {
1798  const exprt &index = expr.operands()[i];
1799  const exprt &value = expr.operands()[i + 1];
1800  const auto index_value = numeric_cast<std::size_t>(index);
1801  if(
1802  !index.is_constant() ||
1803  (index_value && *index_value < string_max_length))
1804  ret_expr = with_exprt(ret_expr, index, value);
1805  }
1806  return ret_expr;
1807  }
1808 
1809  return expr;
1810 }
1811 
1819 exprt string_refinementt::get(const exprt &expr) const
1820 {
1821  const auto super_get = [this](const exprt &expr) {
1822  return supert::get(expr);
1823  };
1824  exprt ecopy(expr);
1825  (void)symbol_resolve.replace_expr(ecopy);
1826 
1827  // Special treatment for index expressions
1828  const auto &index_expr = expr_try_dynamic_cast<index_exprt>(ecopy);
1829  if(index_expr && is_char_type(index_expr->type()))
1830  {
1831  std::reference_wrapper<const exprt> current(index_expr->array());
1832  while(current.get().id() == ID_if)
1833  {
1834  const auto &if_expr = expr_dynamic_cast<if_exprt>(current.get());
1835  const exprt cond = get(if_expr.cond());
1836  if(cond.is_true())
1837  current = std::cref(if_expr.true_case());
1838  else if(cond.is_false())
1839  current = std::cref(if_expr.false_case());
1840  else
1841  UNREACHABLE;
1842  }
1843  const auto array = supert::get(current.get());
1844  const auto index = get(index_expr->index());
1845 
1846  // If the underlying solver does not know about the existence of an array,
1847  // it can return nil, which cannot be used in the expression returned here.
1848  if(array.is_nil())
1849  return index_exprt(current, index);
1850 
1851  const exprt unknown =
1852  from_integer(CHARACTER_FOR_UNKNOWN, index_expr->type());
1853  if(
1854  const auto sparse_array = interval_sparse_arrayt::of_expr(array, unknown))
1855  {
1856  if(const auto index_value = numeric_cast<std::size_t>(index))
1857  return sparse_array->at(*index_value);
1858  return sparse_array->to_if_expression(index);
1859  }
1860 
1861  INVARIANT(array.id() == ID_symbol || array.id() == ID_nondet_symbol,
1862  "Apart from symbols, array valuations can be interpreted as "
1863  "sparse arrays. Array model : " + array.pretty());
1864  return index_exprt(array, index);
1865  }
1866 
1867  if(is_char_array_type(ecopy.type(), ns))
1868  {
1869  array_string_exprt &arr = to_array_string_expr(ecopy);
1870 
1871  if(
1872  const auto from_dependencies =
1873  dependencies.eval(arr, [&](const exprt &expr) { return get(expr); }))
1874  return *from_dependencies;
1875 
1876  if(
1877  const auto arr_model_opt =
1878  get_array(super_get, ns, log.debug(), arr, generator.array_pool))
1879  return *arr_model_opt;
1880 
1881  if(
1882  const auto &length_from_pool =
1883  generator.array_pool.get_length_if_exists(arr))
1884  {
1885  const exprt length = super_get(length_from_pool.value());
1886 
1887  if(const auto n = numeric_cast<std::size_t>(length))
1888  {
1889  const interval_sparse_arrayt sparse_array(from_integer(
1890  CHARACTER_FOR_UNKNOWN, to_array_type(arr.type()).element_type()));
1891  return sparse_array.concretize(*n, length.type());
1892  }
1893  }
1894  return arr;
1895  }
1896  return supert::get(ecopy);
1897 }
1898 
1908 static optionalt<exprt> find_counter_example(
1909  const namespacet &ns,
1910  const exprt &axiom,
1911  const symbol_exprt &var,
1912  message_handlert &message_handler)
1913 {
1914  satcheck_no_simplifiert sat_check(message_handler);
1915  bv_pointerst solver(ns, sat_check, message_handler);
1916  solver << axiom;
1917 
1918  if(solver() == decision_proceduret::resultt::D_SATISFIABLE)
1919  return solver.get(var);
1920  else
1921  return {};
1922 }
1923 
1925 typedef std::map<exprt, std::vector<exprt>> array_index_mapt;
1926 
1928 static array_index_mapt gather_indices(const exprt &expr)
1929 {
1930  array_index_mapt indices;
1931  // clang-format off
1932  std::for_each(
1933  expr.depth_begin(),
1934  expr.depth_end(),
1935  [&](const exprt &expr)
1936  {
1937  const auto index_expr = expr_try_dynamic_cast<const index_exprt>(expr);
1938  if(index_expr)
1939  indices[index_expr->array()].push_back(index_expr->index());
1940  });
1941  // clang-format on
1942  return indices;
1943 }
1944 
1950 static bool
1951 is_linear_arithmetic_expr(const exprt &expr, const symbol_exprt &var)
1952 {
1953  for(auto it = expr.depth_begin(); it != expr.depth_end();)
1954  {
1955  if(
1956  it->id() != ID_plus && it->id() != ID_minus &&
1957  it->id() != ID_unary_minus && *it != var)
1958  {
1959  if(std::find(it->depth_begin(), it->depth_end(), var) != it->depth_end())
1960  return false;
1961  else
1962  it.next_sibling_or_parent();
1963  }
1964  else
1965  ++it;
1966  }
1967  return true;
1968 }
1969 
1977 static bool universal_only_in_index(const string_constraintt &constr)
1978 {
1979  for(auto it = constr.body.depth_begin(); it != constr.body.depth_end();)
1980  {
1981  if(*it == constr.univ_var)
1982  return false;
1983  if(it->id() == ID_index)
1984  it.next_sibling_or_parent();
1985  else
1986  ++it;
1987  }
1988  return true;
1989 }
1990 
1997 static bool is_valid_string_constraint(
1998  messaget::mstreamt &stream,
1999  const namespacet &ns,
2000  const string_constraintt &constraint)
2001 {
2002  const array_index_mapt body_indices = gather_indices(constraint.body);
2003  // Must validate for each string. Note that we have an invariant that the
2004  // second value in the pair is non-empty.
2005  for(const auto &pair : body_indices)
2006  {
2007  // Condition 1: All indices of the same string must be the of the same form
2008  const exprt rep = pair.second.back();
2009  for(size_t j = 0; j < pair.second.size() - 1; j++)
2010  {
2011  const exprt i = pair.second[j];
2012  const equal_exprt equals(rep, i);
2013  const exprt result = simplify_expr(equals, ns);
2014  if(result.is_false())
2015  {
2016  stream << "Indices not equal: " << to_string(constraint)
2017  << ", str: " << format(pair.first) << messaget::eom;
2018  return false;
2019  }
2020  }
2021 
2022  // Condition 2: f must be linear in the quantified variable
2023  if(!is_linear_arithmetic_expr(rep, constraint.univ_var))
2024  {
2025  stream << "f is not linear: " << to_string(constraint)
2026  << ", str: " << format(pair.first) << messaget::eom;
2027  return false;
2028  }
2029 
2030  // Condition 3: the quantified variable can only occur in indices in the
2031  // body
2032  if(!universal_only_in_index(constraint))
2033  {
2034  stream << "Universal variable outside of index:" << to_string(constraint)
2035  << messaget::eom;
2036  return false;
2037  }
2038  }
2039 
2040  return true;
2041 }
string_refinementt::loop_bound_
std::size_t loop_bound_
Definition: string_refinement.h:97
with_exprt
Operator to update elements in structs and arrays.
Definition: std_expr.h:2423
string_axiomst::universal
std::vector< string_constraintt > universal
Definition: string_refinement_util.h:67
UNREACHABLE
#define UNREACHABLE
This should be used to mark dead code.
Definition: invariant.h:503
struct_union_typet::components
const componentst & components() const
Definition: std_types.h:147
array_poolt::created_strings
const std::unordered_map< array_string_exprt, exprt, irep_hash > & created_strings() const
Return a map mapping all array_string_exprt of the array_pool to their length.
Definition: array_pool.cpp:179
format
static format_containert< T > format(const T &o)
Definition: format.h:37
prop_conv_solvert::equality_propagation
bool equality_propagation
Definition: prop_conv_solver.h:75
extract_strings
static std::vector< exprt > extract_strings(const exprt &expr, const namespacet &ns)
Definition: string_refinement.cpp:399
check_axioms
static std::pair< bool, std::vector< exprt > > check_axioms(const string_axiomst &axioms, string_constraint_generatort &generator, const std::function< exprt(const exprt &)> &get, messaget::mstreamt &stream, const namespacet &ns, bool use_counter_example, const union_find_replacet &symbol_resolve, const std::unordered_map< string_not_contains_constraintt, symbol_exprt > &not_contain_witnesses)
Check axioms takes the model given by the underlying solver and answers whether it satisfies the stri...
Definition: string_refinement.cpp:1351
string_refinementt::generator
string_constraint_generatort generator
Definition: string_refinement.h:98
array_string_exprt::length_type
const typet & length_type() const
Definition: string_expr.h:69
array_poolt::get_arrays_of_pointers
const std::unordered_map< exprt, array_string_exprt, irep_hash > & get_arrays_of_pointers() const
Definition: array_pool.h:50
mp_integer
BigInt mp_integer
Definition: smt_terms.h:17
conjunction
exprt conjunction(const exprt::operandst &op)
1) generates a conjunction for two or more operands 2) for one operand, returns the operand 3) return...
Definition: std_expr.cpp:62
binary_exprt::rhs
exprt & rhs()
Definition: std_expr.h:623
union_find_replacet::to_vector
std::vector< std::pair< exprt, exprt > > to_vector() const
Definition: union_find_replace.cpp:46
exprt::depth_end
depth_iteratort depth_end()
Definition: expr.cpp:267
fill_in_map_as_vector
static std::vector< T > fill_in_map_as_vector(const std::map< std::size_t, T > &index_value)
Convert index-value map to a vector of values.
Definition: string_refinement.cpp:130
generate_instantiations
static std::vector< exprt > generate_instantiations(const index_set_pairt &index_set, const string_axiomst &axioms, const std::unordered_map< string_not_contains_constraintt, symbol_exprt > &not_contain_witnesses)
Instantiation of all constraints.
Definition: string_refinement.cpp:220
to_struct_type
const struct_typet & to_struct_type(const typet &type)
Cast a typet to a struct_typet.
Definition: std_types.h:308
arrayst::log
messaget log
Definition: arrays.h:57
instantiate_not_contains
std::vector< exprt > instantiate_not_contains(const string_not_contains_constraintt &axiom, const std::set< std::pair< exprt, exprt >> &index_pairs, const std::unordered_map< string_not_contains_constraintt, symbol_exprt > &witnesses)
get_valid_array_size
static optionalt< exprt > get_valid_array_size(const std::function< exprt(const exprt &)> &super_get, const namespacet &ns, messaget::mstreamt &stream, const array_string_exprt &arr, const array_poolt &array_pool)
Get a model of the size of the input string.
Definition: string_refinement.cpp:958
string_not_contains_constraintt::univ_upper_bound
exprt univ_upper_bound
Definition: string_constraint.h:129
typet
The type of an expression, extends irept.
Definition: type.h:28
negation_of_not_contains_constraint
static exprt negation_of_not_contains_constraint(const string_not_contains_constraintt &constraint, const symbol_exprt &univ_var, const std::function< exprt(const exprt &)> &get)
Negates the constraint to be fed to a solver.
Definition: string_refinement.cpp:1290
debug_check_axioms_step
static void debug_check_axioms_step(messaget::mstreamt &stream, const T &axiom, const T &axiom_in_model, const exprt &negaxiom, const exprt &with_concretized_arrays)
Debugging function which outputs the different steps an axiom goes through to be checked in check axi...
Definition: string_refinement.cpp:1331
equation_symbol_mapping.h
transform
static abstract_object_pointert transform(const exprt &expr, const std::vector< abstract_object_pointert > &operands, const abstract_environmentt &environment, const namespacet &ns)
Definition: abstract_value_object.cpp:159
display_index_set
static void display_index_set(messaget::mstreamt &stream, const index_set_pairt &index_set)
Write index set to the given stream, use for debugging.
Definition: string_refinement.cpp:172
to_index_expr
const index_exprt & to_index_expr(const exprt &expr)
Cast an exprt to an index_exprt.
Definition: std_expr.h:1478
to_if_expr
const if_exprt & to_if_expr(const exprt &expr)
Cast an exprt to an if_exprt.
Definition: std_expr.h:2403
array_poolt
Correspondance between arrays and pointers string representations.
Definition: array_pool.h:41
boolbvt::set_to
void set_to(const exprt &expr, bool value) override
For a Boolean expression expr, add the constraint 'expr' if value is true, otherwise add 'not expr'.
Definition: boolbv.cpp:508
string_refinementt::current_constraints
std::vector< exprt > current_constraints
Definition: string_refinement.h:106
string_constraintt
Definition: string_constraint.h:55
if_exprt
The trinary if-then-else operator.
Definition: std_expr.h:2322
is_char_type
bool is_char_type(const typet &type)
For now, any unsigned bitvector type of width smaller or equal to 16 is considered a character.
Definition: string_refinement_util.cpp:22
index_set_pairt
Definition: string_refinement_util.h:59
interval_sparse_arrayt
Represents arrays by the indexes up to which the value remains the same.
Definition: string_refinement_util.h:98
string_constraint_generatort::fresh_symbol
symbol_generatort fresh_symbol
Definition: string_constraint_generator.h:61
interval_sparse_arrayt::to_if_expression
exprt to_if_expression(const exprt &index) const
Definition: string_refinement_util.cpp:105
union_find_replacet::replace_expr
bool replace_expr(exprt &expr) const
Replace subexpressions of expr by the representative element of the set they belong to.
Definition: union_find_replace.cpp:28
and_exprt
Boolean AND.
Definition: std_expr.h:2070
string_dependenciest::add_constraints
string_constraintst add_constraints(string_constraint_generatort &generatort, message_handlert &message_handler)
For all builtin call on which a test (or an unsupported buitin) result depends, add the corresponding...
Definition: string_dependencies.cpp:348
s1
int8_t s1
Definition: bytecode_info.h:59
array_poolt::get_or_create_length
exprt get_or_create_length(const array_string_exprt &s)
Get the length of an array_string_exprt from the array_pool.
Definition: array_pool.cpp:26
string_refinement_invariant.h
MAX_CONCRETE_STRING_SIZE
const std::size_t MAX_CONCRETE_STRING_SIZE
Definition: magic.h:14
plus_exprt
The plus expression Associativity is not specified.
Definition: std_expr.h:946
exprt
Base class for all expressions.
Definition: expr.h:55
binary_exprt::lhs
exprt & lhs()
Definition: std_expr.h:613
propt::l_set_to_true
void l_set_to_true(literalt a)
Definition: prop.h:50
string_constraintst
Collection of constraints of different types: existential formulas, universal formulas,...
Definition: string_constraint_generator.h:38
array_string_exprt::content
exprt & content()
Definition: string_expr.h:74
interval_sparse_arrayt::of_expr
static optionalt< interval_sparse_arrayt > of_expr(const exprt &expr, const exprt &extra_value)
If the expression is an array_exprt or a with_exprt uses the appropriate constructor,...
Definition: string_refinement_util.cpp:158
get_sub_arrays
static void get_sub_arrays(const exprt &array_expr, std::vector< exprt > &accu)
An expression representing an array of characters can be in the form of an if expression for instance...
Definition: string_refinement.cpp:1546
to_string
std::string to_string(const string_not_contains_constraintt &expr)
Used for debug printing.
Definition: string_constraint.cpp:58
messaget::eom
static eomt eom
Definition: message.h:297
linear_functiont
Canonical representation of linear function, for instance, expression $x + x - y + 5 - 3$ would given...
Definition: string_constraint_instantiation.h:51
exprt::is_true
bool is_true() const
Return whether the expression is a constant representing true.
Definition: expr.cpp:34
string_refinementt::index_sets
index_set_pairt index_sets
Definition: string_refinement.h:111
string_not_contains_constraintt::exists_upper_bound
exprt exists_upper_bound
Definition: string_constraint.h:132
symbol_exprt
Expression to hold a symbol (variable)
Definition: std_expr.h:112
make_char_array_pointer_associations
static void make_char_array_pointer_associations(string_constraint_generatort &generator, exprt &expr)
If expr is an equation whose right-hand-side is a associate_array_to_pointer call,...
Definition: string_refinement.cpp:247
string_axiomst
Definition: string_refinement_util.h:65
index_type
bitvector_typet index_type()
Definition: c_types.cpp:22
string_dependencies.h
equal_exprt
Equality.
Definition: std_expr.h:1305
magic.h
Magic numbers used throughout the codebase.
utf16_constant_array_to_java
std::string utf16_constant_array_to_java(const array_exprt &arr, std::size_t length)
Construct a string from a constant array.
Definition: string_refinement_util.cpp:54
string_constraintt::univ_var
symbol_exprt univ_var
Definition: string_constraint.h:60
string_constraint_generatort::array_pool
array_poolt array_pool
Definition: string_constraint_generator.h:63
string_not_contains_constraintt::premise
exprt premise
Definition: string_constraint.h:130
can_cast_expr< equal_exprt >
bool can_cast_expr< equal_exprt >(const exprt &base)
Definition: std_expr.h:1331
infinity_exprt
An expression denoting infinity.
Definition: std_expr.h:3041
if_exprt::false_case
exprt & false_case()
Definition: std_expr.h:2360
sparse_arrayt::to_if_expression
static exprt to_if_expression(const with_exprt &expr, const exprt &index)
Creates an if_expr corresponding to the result of accessing the array at the given index.
Definition: string_refinement_util.cpp:84
string_constraint_generatort
Definition: string_constraint_generator.h:47
exprt::is_false
bool is_false() const
Return whether the expression is a constant representing false.
Definition: expr.cpp:43
initial_index_set
static void initial_index_set(index_set_pairt &index_set, const namespacet &ns, const string_constraintt &axiom)
Definition: string_refinement.cpp:1635
merge
void merge(string_constraintst &result, string_constraintst other)
Merge two sets of constraints by appending to the first one.
Definition: string_constraint_generator_main.cpp:101
string_constraintt::upper_bound
exprt upper_bound
Definition: string_constraint.h:62
string_constraintt::array_index_mapt
std::map< exprt, std::vector< exprt > > array_index_mapt
Definition: string_refinement.cpp:1925
instantiate
static std::vector< exprt > instantiate(const string_not_contains_constraintt &axiom, const index_set_pairt &index_set, const std::unordered_map< string_not_contains_constraintt, symbol_exprt > &witnesses)
Instantiates a quantified formula representing not_contains by substituting the quantifiers and gener...
Definition: string_refinement.cpp:1739
string_constraintt::body
exprt body
Definition: string_constraint.h:63
decision_proceduret::resultt::D_SATISFIABLE
@ D_SATISFIABLE
string_constraintt::lower_bound
exprt lower_bound
Definition: string_constraint.h:61
array_typet::size
const exprt & size() const
Definition: std_types.h:800
namespacet
A namespacet is essentially one or two symbol tables bound together, to allow for symbol lookups in t...
Definition: namespace.h:90
exprt::type
typet & type()
Return the type of the expression.
Definition: expr.h:84
array_exprt::type
const array_typet & type() const
Definition: std_expr.h:1570
symbol_generatort
Generation of fresh symbols of a given type.
Definition: array_pool.h:21
validate
static bool validate(const string_refinementt::infot &info)
Definition: string_refinement.cpp:150
is_char_pointer_type
bool is_char_pointer_type(const typet &type)
For now, any unsigned bitvector type is considered a character.
Definition: string_refinement_util.cpp:36
bv_refinementt::dec_solve
decision_proceduret::resultt dec_solve() override
Run the decision procedure to solve the problem.
Definition: bv_refinement_loop.cpp:24
add_node
optionalt< exprt > add_node(string_dependenciest &dependencies, const exprt &expr, array_poolt &array_pool, symbol_generatort &fresh_symbol)
When a sub-expression of expr is a builtin_function, add a "string_builtin_function" node to the grap...
Definition: string_dependencies.cpp:198
as_const
const T & as_const(T &value)
Return a reference to the same object but ensures the type is const.
Definition: as_const.h:14
messaget::error
mstreamt & error() const
Definition: message.h:399
string_dependenciest::clean_cache
void clean_cache()
Clean the cache used by eval
Definition: string_dependencies.cpp:191
find_counter_example
static optionalt< exprt > find_counter_example(const namespacet &ns, const exprt &axiom, const symbol_exprt &var, message_handlert &message_handler)
Creates a solver with axiom as the only formula added and runs it.
Definition: string_refinement.cpp:1908
DATA_INVARIANT
#define DATA_INVARIANT(CONDITION, REASON)
This condition should be used to document that assumptions that are made on goto_functions,...
Definition: invariant.h:510
CHARACTER_FOR_UNKNOWN
#define CHARACTER_FOR_UNKNOWN
Module: String solver Author: Diffblue Ltd.
Definition: string_builtin_function.h:15
id2string
const std::string & id2string(const irep_idt &d)
Definition: irep.h:47
debug_model
void debug_model(const string_constraint_generatort &generator, messaget::mstreamt &stream, const namespacet &ns, const std::function< exprt(const exprt &)> &super_get, const std::vector< symbol_exprt > &symbols, array_poolt &array_pool)
Display part of the current model by mapping the variables created by the solver to constant expressi...
Definition: string_refinement.cpp:1116
substitute_array_lists
exprt substitute_array_lists(exprt expr, size_t string_max_length)
Replace array-lists by 'with' expressions.
Definition: string_refinement.cpp:1781
forall_operands
#define forall_operands(it, expr)
Definition: expr.h:20
string_of_array
static std::string string_of_array(const array_exprt &arr)
convert the content of a string to a more readable representation.
Definition: string_refinement.cpp:1050
string_refinementt::get
exprt get(const exprt &expr) const override
Evaluates the given expression in the valuation found by string_refinementt::dec_solve.
Definition: string_refinement.cpp:1819
string_dependenciest::eval
optionalt< exprt > eval(const array_string_exprt &s, const std::function< exprt(const exprt &)> &get_value) const
Attempt to evaluate the given string from the dependencies and valuation of strings on which it depen...
Definition: string_dependencies.cpp:169
string_not_contains_constraintt::exists_lower_bound
exprt exists_lower_bound
Definition: string_constraint.h:131
PRECONDITION
#define PRECONDITION(CONDITION)
Definition: invariant.h:463
symbol_exprt::get_identifier
const irep_idt & get_identifier() const
Definition: std_expr.h:142
has_subtype
bool has_subtype(const typet &type, const std::function< bool(const typet &)> &pred, const namespacet &ns)
returns true if any of the contained types satisfies pred
Definition: expr_util.cpp:153
arrayst::ns
const namespacet & ns
Definition: arrays.h:56
string_dependenciest::output_dot
void output_dot(std::ostream &stream) const
Definition: string_dependencies.cpp:323
nil_exprt
The NIL expression.
Definition: std_expr.h:3025
array_of_exprt
Array constructor from single element.
Definition: std_expr.h:1497
bv_refinementt::infot::prop
propt * prop
Definition: bv_refinement.h:36
string_identifiers_resolution_from_equations
union_find_replacet string_identifiers_resolution_from_equations(const std::vector< equal_exprt > &equations, const namespacet &ns, messaget::mstreamt &stream)
Symbol resolution for expressions of type string typet.
Definition: string_refinement.cpp:463
get_array
static optionalt< exprt > get_array(const std::function< exprt(const exprt &)> &super_get, const namespacet &ns, messaget::mstreamt &stream, const array_string_exprt &arr, const array_poolt &array_pool)
Get a model of an array and put it in a certain form.
Definition: string_refinement.cpp:1002
string_constraintt::is_valid_string_constraint
static bool is_valid_string_constraint(messaget::mstreamt &stream, const namespacet &ns, const string_constraintt &constraint)
Checks the data invariant for string_constraintt.
Definition: string_refinement.cpp:1997
simplify
bool simplify(exprt &expr, const namespacet &ns)
Definition: simplify_expr.cpp:2926
simplify_expr
exprt simplify_expr(exprt src, const namespacet &ns)
Definition: simplify_expr.cpp:2931
is_char_array_type
bool is_char_array_type(const typet &type, const namespacet &ns)
Distinguish char array from other types.
Definition: string_refinement_util.cpp:28
index_exprt::index
exprt & index()
Definition: std_expr.h:1450
index_exprt::array
exprt & array()
Definition: std_expr.h:1440
bv_pointerst
Definition: bv_pointers.h:18
decision_proceduret::resultt::D_ERROR
@ D_ERROR
irept::is_nil
bool is_nil() const
Definition: irep.h:376
irept::id
const irep_idt & id() const
Definition: irep.h:396
message_handlert
Definition: message.h:27
substitute_array_access_in_place
static void substitute_array_access_in_place(exprt &expr, symbol_generatort &symbol_generator, const bool left_propagate)
Auxiliary function for substitute_array_access Performs the same operation but modifies the argument ...
Definition: string_refinement.cpp:1232
range.h
string_refinementt::axioms
string_axiomst axioms
Definition: string_refinement.h:103
equation_symbol_mappingt::add
void add(const std::size_t i, const exprt &expr)
Record the fact that equation i contains expression expr
Definition: equation_symbol_mapping.cpp:11
string_refinement.h
update_index_set
static void update_index_set(index_set_pairt &index_set, const namespacet &ns, const std::vector< exprt > &current_constraints)
Add to the index set all the indices that appear in the formulas.
Definition: string_refinement.cpp:1531
equation_symbol_mappingt
Maps equation to expressions contained in them and conversely expressions to equations that contain t...
Definition: equation_symbol_mapping.h:21
add_to_index_set
static void add_to_index_set(index_set_pairt &index_set, const namespacet &ns, const exprt &s, exprt i)
Add i to the index set all the indices that appear in the formula.
Definition: string_refinement.cpp:1573
to_array_string_expr
array_string_exprt & to_array_string_expr(exprt &expr)
Definition: string_expr.h:95
string_constraint_generatort::make_array_pointer_association
optionalt< exprt > make_array_pointer_association(const exprt &return_code, const function_application_exprt &expr)
Associate array to pointer, and array to length.
Definition: string_constraint_generator_main.cpp:195
optionalt
nonstd::optional< T > optionalt
Definition: optional.h:35
bv_refinementt
Definition: bv_refinement.h:19
string_refinementt::symbol_resolve
union_find_replacet symbol_resolve
Definition: string_refinement.h:112
prop_conv_solvert::convert
literalt convert(const exprt &expr) override
Convert a Boolean expression and return the corresponding literal.
Definition: prop_conv_solver.cpp:156
decision_proceduret::resultt
resultt
Result of running the decision procedure.
Definition: decision_procedure.h:43
minus_exprt
Binary minus.
Definition: std_expr.h:1005
union_find_replacet::make_union
exprt make_union(const exprt &a, const exprt &b)
Merge the set containing a and the set containing b.
Definition: union_find_replace.cpp:15
messaget::mstreamt::message
messaget & message
Definition: message.h:246
string_constraintt::negation
exprt negation() const
Definition: string_constraint.h:101
string_refinementt::dec_solve
decision_proceduret::resultt dec_solve() override
Main decision procedure of the solver.
Definition: string_refinement.cpp:607
string_refinementt::dependencies
string_dependenciest dependencies
Definition: string_refinement.h:116
char_type
bitvector_typet char_type()
Definition: c_types.cpp:124
simplify_expr.h
string_not_contains_constraintt::univ_lower_bound
exprt univ_lower_bound
Definition: string_constraint.h:128
member_exprt
Extract member of struct or union.
Definition: std_expr.h:2793
expr_util.h
Deprecated expression utility functions.
satcheck.h
string_constraintt::univ_within_bounds
exprt univ_within_bounds() const
Definition: string_constraint.h:87
messaget::get_message_handler
message_handlert & get_message_handler()
Definition: message.h:184
string_refinementt
Definition: string_refinement.h:64
add_equations_for_symbol_resolution
static void add_equations_for_symbol_resolution(union_find_replacet &symbol_solver, const std::vector< exprt > &equations, const namespacet &ns, messaget::mstreamt &stream)
Add association for each char pointer in the equation.
Definition: string_refinement.cpp:301
interval_sparse_arrayt::concretize
array_exprt concretize(std::size_t size, const typet &index_type) const
Convert to an array representation, ignores elements at index >= size.
Definition: string_refinement_util.cpp:176
struct_typet
Structure type, corresponds to C style structs.
Definition: std_types.h:230
array_typet
Arrays with given size.
Definition: std_types.h:762
expr_iterator.h
string_constraintt::universal_only_in_index
static bool universal_only_in_index(const string_constraintt &constr)
The universally quantified variable is only allowed to occur in index expressions in the body of a st...
Definition: string_refinement.cpp:1977
if_exprt::true_case
exprt & true_case()
Definition: std_expr.h:2350
replace_expr_copy
static exprt replace_expr_copy(const union_find_replacet &symbol_resolve, exprt expr)
Substitute sub-expressions in equation by representative elements of symbol_resolve whenever possible...
Definition: string_refinement.cpp:273
namespace_baset::follow
const typet & follow(const typet &) const
Resolve type symbol to the type it points to.
Definition: namespace.cpp:49
can_cast_expr< function_application_exprt >
bool can_cast_expr< function_application_exprt >(const exprt &base)
Definition: mathematical_expr.h:230
union_find_replacet
Similar interface to union-find for expressions, with a function for replacing sub-expressions by the...
Definition: union_find_replace.h:16
exprt::depth_begin
depth_iteratort depth_begin()
Definition: expr.cpp:265
replace_expr
bool replace_expr(const exprt &what, const exprt &by, exprt &dest)
Definition: replace_expr.cpp:12
from_integer
constant_exprt from_integer(const mp_integer &int_value, const typet &type)
Definition: arith_tools.cpp:100
string_refinementt::instantiate_not_contains
std::vector< exprt > instantiate_not_contains(const string_not_contains_constraintt &axiom, const std::set< std::pair< exprt, exprt >> &index_pairs, const std::unordered_map< string_not_contains_constraintt, symbol_exprt > &witnesses)
Instantiates a quantified formula representing not_contains by substituting the quantifiers and gener...
Definition: string_constraint_instantiation.cpp:201
string_refinement_invariantt
#define string_refinement_invariantt(reason)
Definition: string_refinement_invariant.h:12
array_poolt::get_length_if_exists
optionalt< exprt > get_length_if_exists(const array_string_exprt &s) const
As opposed to get_length(), do not create a new symbol if the length of the array_string_exprt does n...
Definition: array_pool.cpp:48
solver
int solver(std::istream &in)
Definition: smt2_solver.cpp:407
has_char_pointer_subtype
bool has_char_pointer_subtype(const typet &type, const namespacet &ns)
Definition: string_refinement_util.cpp:42
exprt::is_constant
bool is_constant() const
Return whether the expression is a constant.
Definition: expr.cpp:27
if_exprt::cond
exprt & cond()
Definition: std_expr.h:2340
string_typet
String type.
Definition: std_types.h:912
string_constraint_instantiation.h
binary_relation_exprt
A base class for relations, i.e., binary predicates whose two operands have the same type.
Definition: std_expr.h:706
simplify_sum
exprt simplify_sum(const exprt &f)
Definition: string_refinement.cpp:1506
to_array_type
const array_typet & to_array_type(const typet &type)
Cast a typet to an array_typet.
Definition: std_types.h:844
to_equal_expr
const equal_exprt & to_equal_expr(const exprt &expr)
Cast an exprt to an equal_exprt.
Definition: std_expr.h:1347
extract_strings_from_lhs
static std::vector< exprt > extract_strings_from_lhs(const exprt &lhs, const namespacet &ns)
This is meant to be used on the lhs of an equation with string subtype.
Definition: string_refinement.cpp:374
string_not_contains_constraintt::s0
array_string_exprt s0
Definition: string_constraint.h:133
substitute_array_access
static optionalt< exprt > substitute_array_access(const index_exprt &index_expr, symbol_generatort &symbol_generator, const bool left_propagate)
Definition: string_refinement.cpp:1203
type_with_subtypet::subtype
const typet & subtype() const
Definition: type.h:172
index_set_pairt::current
std::map< exprt, std::set< exprt > > current
Definition: string_refinement_util.h:62
equation_symbol_mappingt::find_expressions
std::vector< exprt > find_expressions(const std::size_t i)
Definition: equation_symbol_mapping.cpp:18
messaget::mstreamt
Definition: message.h:223
string_refinementt::equations
std::vector< exprt > equations
Definition: string_refinement.h:114
string_constraintst::not_contains
std::vector< string_not_contains_constraintt > not_contains
Definition: string_constraint_generator.h:42
implies_exprt
Boolean implication.
Definition: std_expr.h:2133
string_refinementt::add_lemma
void add_lemma(const exprt &lemma, bool simplify_lemma=true)
Add the given lemma to the solver.
Definition: string_refinement.cpp:898
string_not_contains_constraintt
Constraints to encode non containement of strings.
Definition: string_constraint.h:126
index_set_pairt::cumulative
std::map< exprt, std::set< exprt > > cumulative
Definition: string_refinement_util.h:61
string_constraintt::is_linear_arithmetic_expr
static bool is_linear_arithmetic_expr(const exprt &expr, const symbol_exprt &var)
Definition: string_refinement.cpp:1951
string_refinementt::infot
string_refinementt constructor arguments
Definition: string_refinement.h:75
exprt::operands
operandst & operands()
Definition: expr.h:94
messaget::debug
mstreamt & debug() const
Definition: message.h:429
string_refinementt::config_
const configt config_
Definition: string_refinement.h:96
string_constraintt::gather_indices
static array_index_mapt gather_indices(const exprt &expr)
Definition: string_refinement.cpp:1928
string_refinementt::set_to
void set_to(const exprt &expr, bool value) override
Record the constraints to ensure that the expression is true when the boolean is true and false other...
Definition: string_refinement.cpp:283
index_exprt
Array index operator.
Definition: std_expr.h:1409
INVARIANT
#define INVARIANT(CONDITION, REASON)
This macro uses the wrapper function 'invariant_violated_string'.
Definition: invariant.h:423
string_not_contains_constraintt::s1
array_string_exprt s1
Definition: string_constraint.h:134
bv_refinementt::infot::ns
const namespacet * ns
Definition: bv_refinement.h:35
constant_exprt
A constant literal expression.
Definition: std_expr.h:2941
string_refinementt::configt::use_counter_example
bool use_counter_example
Definition: string_refinement.h:70
string_refinementt::string_refinementt
string_refinementt(const infot &)
Definition: string_refinement.cpp:165
equation_symbol_mappingt::find_equations
std::vector< std::size_t > find_equations(const exprt &expr)
Definition: equation_symbol_mapping.cpp:24
array_exprt
Array constructor from list of elements.
Definition: std_expr.h:1562
add_string_equation_to_symbol_resolution
static void add_string_equation_to_symbol_resolution(const equal_exprt &eq, union_find_replacet &symbol_resolve, const namespacet &ns)
Given an equation on strings, mark these strings as belonging to the same set in the symbol_resolve s...
Definition: string_refinement.cpp:427
make_range
ranget< iteratort > make_range(iteratort begin, iteratort end)
Definition: range.h:524
string_axiomst::not_contains
std::vector< string_not_contains_constraintt > not_contains
Definition: string_refinement_util.h:68
format_type.h
array_string_exprt
Definition: string_expr.h:66
boolbvt::get
exprt get(const exprt &expr) const override
Return expr with variables replaced by values from satisfying assignment if available.
Definition: boolbv_get.cpp:21
get_char_array_and_concretize
static exprt get_char_array_and_concretize(const std::function< exprt(const exprt &)> &super_get, const namespacet &ns, messaget::mstreamt &stream, const array_string_exprt &arr, array_poolt &array_pool)
Debugging function which finds the valuation of the given array in super_get and concretize unknown c...
Definition: string_refinement.cpp:1068
string_refinementt::seen_instances
std::set< exprt > seen_instances
Definition: string_refinement.h:101
validation_modet::INVARIANT
@ INVARIANT
prop_conv_solvert::prop
propt & prop
Definition: prop_conv_solver.h:130
array_typet::element_type
const typet & element_type() const
The type of the elements of the array.
Definition: std_types.h:785
string_constraintst::existential
std::vector< exprt > existential
Definition: string_constraint_generator.h:40
not_exprt
Boolean negation.
Definition: std_expr.h:2277
to_constant_expr
const constant_exprt & to_constant_expr(const exprt &expr)
Cast an exprt to a constant_exprt.
Definition: std_expr.h:2992
string_constraintst::universal
std::vector< string_constraintt > universal
Definition: string_constraint_generator.h:41