CONTRACTS: functions to compute root objects

Remi Delmas · qinheping · commit 8fa0c36cb472 · 2023-04-06T10:51:45.000-05:00
Alternative implementation of `root_object`
supporting ternary operators in assignment or call
LHS expressions, and object slice expressions in
assigns clause targets.
diff --git a/src/goto-instrument/Makefile b/src/goto-instrument/Makefile
@@ -21,6 +21,7 @@ SRC = accelerate/accelerate.cpp \
       contracts/dynamic-frames/dfcc_loop_nesting_graph.cpp \
       contracts/dynamic-frames/dfcc_contract_mode.cpp \
       contracts/dynamic-frames/dfcc_loop_contract_mode.cpp \
+      contracts/dynamic-frames/dfcc_root_object.cpp \
       contracts/dynamic-frames/dfcc_library.cpp \
       contracts/dynamic-frames/dfcc_is_cprover_symbol.cpp \
       contracts/dynamic-frames/dfcc_is_fresh.cpp \
diff --git a/src/goto-instrument/contracts/dynamic-frames/dfcc_root_object.cpp b/src/goto-instrument/contracts/dynamic-frames/dfcc_root_object.cpp
@@ -0,0 +1,188 @@
+/*******************************************************************\
+
+Module: Dynamic frame condition checking
+
+Author: Remi Delmas, delmasrd@amazon.com
+
+Date: March 2023
+
+\*******************************************************************/
+
+#include "dfcc_root_object.h"
+
+#include <util/byte_operators.h>
+#include <util/cprover_prefix.h>
+#include <util/expr.h>
+#include <util/expr_util.h>
+#include <util/message.h>
+#include <util/namespace.h>
+#include <util/pointer_expr.h>
+#include <util/std_code.h>
+
+#include <goto-programs/pointer_arithmetic.h>
+
+#include <langapi/language_util.h>
+
+/// Recursively computes a set of root object expressions for \p expr.
+static void root_objects_rec(
+  const exprt &expr,
+  const namespacet &ns,
+  messaget log,
+  std::unordered_set<exprt, irep_hash> &dest)
+{
+  if(expr.id() == ID_symbol)
+  {
+    dest.insert(expr);
+  }
+  else if(expr.id() == ID_index)
+  {
+    root_objects_rec(to_index_expr(expr).array(), ns, log, dest);
+  }
+  else if(expr.id() == ID_member)
+  {
+    const typet &type = to_member_expr(expr).struct_op().type();
+    if(
+      type.id() == ID_struct || type.id() == ID_struct_tag ||
+      type.id() == ID_union || type.id() == ID_union_tag)
+    {
+      root_objects_rec(to_member_expr(expr).compound(), ns, log, dest);
+    }
+    else
+    {
+      throw unsupported_operation_exceptiont(
+        "unexpected assignment to member of '" + type.id_string() + "'");
+    }
+  }
+  else if(expr.id() == ID_if)
+  {
+    root_objects_rec(to_if_expr(expr).true_case(), ns, log, dest);
+    root_objects_rec(to_if_expr(expr).false_case(), ns, log, dest);
+  }
+  else if(expr.id() == ID_typecast)
+  {
+    root_objects_rec(to_typecast_expr(expr).op(), ns, log, dest);
+  }
+  else if(
+    expr.id() == ID_byte_extract_little_endian ||
+    expr.id() == ID_byte_extract_big_endian)
+  {
+    root_objects_rec(to_byte_extract_expr(expr).op(), ns, log, dest);
+  }
+  else if(expr.id() == ID_complex_real)
+  {
+    root_objects_rec(to_complex_real_expr(expr).op(), ns, log, dest);
+  }
+  else if(expr.id() == ID_complex_imag)
+  {
+    root_objects_rec(to_complex_imag_expr(expr).op(), ns, log, dest);
+  }
+  else if(
+    const auto &deref =
+      expr_try_dynamic_cast<dereference_exprt>(skip_typecast(expr)))
+  {
+    // normalise the dereferenced pointer into `pointer + offset`, extract
+    // pointer expression and try some simplifications
+    const exprt &pointer = pointer_arithmetict(deref->pointer()).pointer;
+    const source_locationt source_location = expr.source_location();
+    if(const auto &if_expr = expr_try_dynamic_cast<if_exprt>(pointer))
+    {
+      // split on disjunctions
+      // *(c ? true_case : false_case) => rec(*true_case); rec(*false_case)
+      dereference_exprt if_true(if_expr->true_case());
+      if_true.add_source_location() = source_location;
+      root_objects_rec(if_true, ns, log, dest);
+      dereference_exprt if_false(if_expr->false_case());
+      if_false.add_source_location() = source_location;
+      root_objects_rec(if_false, ns, log, dest);
+    }
+    else if(
+      const auto &address_of_expr =
+        expr_try_dynamic_cast<address_of_exprt>(pointer))
+    {
+      const exprt &object = skip_typecast(address_of_expr->object());
+      if(const auto &index = expr_try_dynamic_cast<index_exprt>(object))
+      {
+        // *(&arr[idx]) => rec(arr)
+        const exprt &arr = index->array();
+        if(arr.type().id() == ID_array)
+        {
+          root_objects_rec(arr, ns, log, dest);
+        }
+      }
+      else
+      {
+        // *(&object) => rec(object)
+        root_objects_rec(object, ns, log, dest);
+      }
+    }
+    else
+    {
+      // simplify *(pointer + offset) to *pointer
+      dereference_exprt base_pointer(pointer);
+      base_pointer.add_source_location() = source_location;
+      dest.insert(base_pointer);
+    }
+  }
+  else
+  {
+    // Stop here for anything else.
+    dest.insert(expr);
+  }
+}
+
+std::unordered_set<exprt, irep_hash> dfcc_assignment_lhs_root_objects(
+  const exprt &lhs,
+  const namespacet &ns,
+  messaget &log)
+{
+  std::unordered_set<exprt, irep_hash> result;
+  root_objects_rec(lhs, ns, log, result);
+  return result;
+}
+
+/// Translates object slice expressions found in assigns clause targets to
+/// dereference expressions so that root objects can be computed.
+static exprt slice_op_to_deref(const exprt &expr)
+{
+  if(can_cast_expr<side_effect_expr_function_callt>(expr))
+  {
+    auto function_call_expr = to_side_effect_expr_function_call(expr);
+    auto function_expr = function_call_expr.function();
+    INVARIANT(
+      function_expr.id() == ID_symbol,
+      "no function pointer calls in loop assigns clause targets");
+    auto function_id = to_symbol_expr(function_expr).get_identifier();
+    INVARIANT(
+      function_id == CPROVER_PREFIX "assignable" ||
+        function_id == CPROVER_PREFIX "object_whole" ||
+        function_id == CPROVER_PREFIX "object_from" ||
+        function_id == CPROVER_PREFIX "object_upto",
+      "can only handle built-in function calls in assigns clause targets");
+    return dereference_exprt(
+      skip_typecast(function_call_expr.arguments().at(0)));
+  }
+  else
+  {
+    return expr;
+  }
+}
+
+std::unordered_set<exprt, irep_hash> dfcc_assigns_target_root_objects(
+  const exprt &expr,
+  const namespacet &ns,
+  messaget &log)
+{
+  return dfcc_assignment_lhs_root_objects(slice_op_to_deref(expr), ns, log);
+}
+
+exprt dfcc_assigns_target_single_root_object(
+  const exprt &expr,
+  const namespacet &ns,
+  messaget &log)
+{
+  auto root_objects = dfcc_assigns_target_root_objects(expr, ns, log);
+  PRECONDITION_WITH_DIAGNOSTICS(
+    root_objects.size() == 1,
+    "Expecting single root object for assigns clause target");
+  return *root_objects.begin();
+}
diff --git a/src/goto-instrument/contracts/dynamic-frames/dfcc_root_object.h b/src/goto-instrument/contracts/dynamic-frames/dfcc_root_object.h
@@ -0,0 +1,47 @@
+/*******************************************************************\
+
+Module: Dynamic frame condition checking
+
+Author: Remi Delmas, delmasrd@amazon.com
+
+Date: March 2023
+
+\*******************************************************************/
+
+/// \file
+/// Utility functions that compute root object expressions for assigns clause
+/// targets and LHS expressions.
+
+#ifndef CPROVER_GOTO_INSTRUMENT_CONTRACTS_DYNAMIC_FRAMES_DFCC_ROOT_OBJECT_H
+#define CPROVER_GOTO_INSTRUMENT_CONTRACTS_DYNAMIC_FRAMES_DFCC_ROOT_OBJECT_H
+
+#include <util/irep.h>
+
+#include <unordered_set>
+
+class exprt;
+class namespacet;
+class messaget;
+
+/// Computes a set of root object expressions for an assignment left hand side
+/// expression.
+std::unordered_set<exprt, irep_hash> dfcc_assignment_lhs_root_objects(
+  const exprt &lhs,
+  const namespacet &ns,
+  messaget &log);
+
+/// Computes a set of root object expressions for an assigns clause target
+/// expression that may contain disjunctions.
+std::unordered_set<exprt, irep_hash> dfcc_assigns_target_root_objects(
+  const exprt &expr,
+  const namespacet &ns,
+  messaget &log);
+
+/// Computes a single root object expressions for an assigns clause target that
+/// is expected not to contain disjunctions. Fails if the expression contains
+/// disjunctions.
+exprt dfcc_assigns_target_single_root_object(
+  const exprt &expr,
+  const namespacet &ns,
+  messaget &log);
+#endif
