Add local-safe-pointers analysis

This approaches the safe-pointers problem from the opposite direction compared to local-
bitvector-analysis -- local-bitvector tries to establish a pointer is safe because it
definitely points to known object, whereas local-safe-pointers tries to establish a
particular usage is certainly safe because it is trivially dominated by a not-null test,
which at present means a conditional GOTO or an ASSUME.

Author: smowton

regression/goto-instrument/safe-dereferences/main.c

@@ -0,0 +1,71 @@
+static void noop() { }
+
+int main(int argc, char **argv) {
+
+  int x;
+
+  // Should work (guarded by assume):
+  int *ptr1 = &x;
+  __CPROVER_assume(ptr1 != 0);
+  int deref1 = *ptr1;
+
+  // Should work (guarded by else):
+  int *ptr2 = &x;
+  if(ptr2 == 0)
+  {
+  }
+  else
+  {
+    int deref2 = *ptr2;
+  }
+
+  // Should work (guarded by if):
+  int *ptr3 = &x;
+  if(ptr3 != 0)
+  {
+    int deref3 = *ptr3;
+  }
+
+  // Shouldn't work yet despite being safe (guarded by backward goto):
+  int *ptr4 = &x;
+  goto check;
+
+deref:
+  int deref4 = *ptr4;
+  goto end_test4;
+
+check:
+  __CPROVER_assume(ptr4 != 0);
+  goto deref;
+
+end_test4:
+
+  // Shouldn't work yet despite being safe (guarded by confluence):
+  int *ptr5 = &x;
+  if(argc == 5)
+    __CPROVER_assume(ptr5 != 0);
+  else
+    __CPROVER_assume(ptr5 != 0);
+  int deref5 = *ptr5;
+
+  // Shouldn't work (unsafe as only guarded on one branch):
+  int *ptr6 = &x;
+  if(argc == 6)
+    __CPROVER_assume(ptr6 != 0);
+  else
+  {
+  }
+  int deref6 = *ptr6;
+
+  // Shouldn't work due to suspicion *ptr6 might alter ptr7:
+  int *ptr7 = &x;
+    __CPROVER_assume(ptr7 != 0);
+  ptr6 = 0;
+  int deref7 = *ptr7;
+
+  // Shouldn't work due to suspicion noop() call might alter ptr8:
+  int *ptr8 = &x;
+    __CPROVER_assume(ptr8 != 0);
+  noop();
+  int deref8 = *ptr8;
+}

regression/goto-instrument/safe-dereferences/test.desc

@@ -0,0 +1,14 @@
+CORE
+main.c
+--show-safe-dereferences
+^EXIT=0$
+^SIGNAL=0$
+Safe \(known-not-null\) dereferences: \{main::[0-9]+::ptr1\}
+Safe \(known-not-null\) dereferences: \{main::[0-9]+::ptr2\}
+Safe \(known-not-null\) dereferences: \{main::[0-9]+::ptr3\}
+--
+Safe \(known-not-null\) dereferences: \{main::[0-9]+::ptr[4-8]\}
+^warning: ignoring
+--
+See comments in main.c for details about what each ptr variable is testing, and why they
+should or shouldn't be seen as safe accesses.

src/analyses/Makefile

@@ -20,6 +20,7 @@ SRC = ai.cpp \
       local_bitvector_analysis.cpp \
       local_cfg.cpp \
       local_may_alias.cpp \
+      local_safe_pointers.cpp \
       locals.cpp \
       natural_loops.cpp \
       reaching_definitions.cpp \

src/analyses/local_safe_pointers.cpp

@@ -0,0 +1,238 @@
+/*******************************************************************\
+
+Module: Local safe pointer analysis
+
+Author: Diffblue Ltd
+
+\*******************************************************************/
+
+/// \file
+/// Local safe pointer analysis
+
+#include "local_safe_pointers.h"
+
+#include <util/expr_iterator.h>
+#include <util/format_expr.h>
+
+/// If `expr` is of the form `x != nullptr`, return x. Otherwise return null
+static const exprt *get_null_checked_expr(const exprt &expr)
+{
+  if(expr.id() == ID_notequal)
+  {
+    const exprt *op0 = &expr.op0(), *op1 = &expr.op1();
+    if(op0->type().id() == ID_pointer &&
+       *op0 == null_pointer_exprt(to_pointer_type(op0->type())))
+    {
+      std::swap(op0, op1);
+    }
+
+    if(op1->type().id() == ID_pointer &&
+       *op1 == null_pointer_exprt(to_pointer_type(op1->type())))
+    {
+      while(op0->id() == ID_typecast)
+        op0 = &op0->op0();
+      return op0;
+    }
+  }
+
+  return nullptr;
+}
+
+/// Return structure for `get_conditional_checked_expr`
+struct goto_null_checkt
+{
+  /// If true, the given GOTO tests that a pointer expression is non-null on the
+  /// taken branch; otherwise, on the not-taken branch.
+  bool checked_when_taken;
+
+  /// Null-tested pointer expression
+  exprt checked_expr;
+};
+
+/// Check if a GOTO guard expression tests if a pointer is null
+/// \param goto_guard: expression to check
+/// \return a `goto_null_checkt` indicating what expression is tested and
+///   whether the check applies on the taken or not-taken branch, or an empty
+///   optionalt if this isn't a null check.
+static optionalt<goto_null_checkt>
+get_conditional_checked_expr(const exprt &goto_guard)
+{
+  exprt normalized_guard = goto_guard;
+  bool checked_when_taken = true;
+  while(normalized_guard.id() == ID_not || normalized_guard.id() == ID_equal)
+  {
+    if(normalized_guard.id() == ID_not)
+      normalized_guard = normalized_guard.op0();
+    else
+      normalized_guard.id(ID_notequal);
+    checked_when_taken = !checked_when_taken;
+  }
+
+  const exprt *checked_expr = get_null_checked_expr(normalized_guard);
+  if(!checked_expr)
+    return {};
+  else
+    return goto_null_checkt { checked_when_taken, *checked_expr };
+}
+
+/// Compute safe dereference expressions for a given GOTO program. This
+/// populates `non_null_expressions` mapping instruction location numbers
+/// onto a set of expressions that are known to be non-null BEFORE that
+/// instruction is executed.
+/// \param goto_program: program to analyse
+void local_safe_pointerst::operator()(const goto_programt &goto_program)
+{
+  std::set<exprt> checked_expressions;
+
+  for(const auto &instruction : goto_program.instructions)
+  {
+    // Handle control-flow convergence pessimistically:
+    if(instruction.incoming_edges.size() > 1)
+      checked_expressions.clear();
+    // Retrieve working set for forward GOTOs:
+    else if(instruction.is_target())
+      checked_expressions = non_null_expressions[instruction.location_number];
+
+    // Save the working set at this program point:
+    if(!checked_expressions.empty())
+      non_null_expressions[instruction.location_number] = checked_expressions;
+
+    switch(instruction.type)
+    {
+    // Instruction types that definitely don't write anything, and therefore
+    // can't store a null pointer:
+    case DECL:
+    case DEAD:
+    case ASSERT:
+    case SKIP:
+    case LOCATION:
+    case RETURN:
+    case THROW:
+    case CATCH:
+      break;
+
+    // Possible checks:
+    case ASSUME:
+      {
+        const exprt *checked_expr;
+        if((checked_expr = get_null_checked_expr(instruction.guard)) != nullptr)
+        {
+          checked_expressions.insert(*checked_expr);
+        }
+        break;
+      }
+
+    case GOTO:
+      if(!instruction.is_backwards_goto())
+      {
+        if(auto conditional_check =
+           get_conditional_checked_expr(instruction.guard))
+        {
+          auto &taken_checked_expressions =
+            non_null_expressions[instruction.get_target()->location_number];
+          taken_checked_expressions = checked_expressions;
+
+          if(conditional_check->checked_when_taken)
+            taken_checked_expressions.insert(conditional_check->checked_expr);
+          else
+            checked_expressions.insert(conditional_check->checked_expr);
+
+          break;
+        }
+        // Otherwise fall through to...
+      }
+
+    default:
+      // Pessimistically assume all other instructions might overwrite any
+      // pointer with a possibly-null value.
+      checked_expressions.clear();
+      break;
+    }
+  }
+}
+
+/// Output non-null expressions per instruction in human-readable format
+/// \param out: stream to write output to
+/// \param goto_program: GOTO program analysed (the same one passed to
+///   operator())
+/// \param ns: global namespace
+void local_safe_pointerst::output(
+  std::ostream &out, const goto_programt &goto_program, const namespacet &ns)
+{
+  forall_goto_program_instructions(i_it, goto_program)
+  {
+    out << "**** " << i_it->location_number << " "
+        << i_it->source_location << "\n";
+
+    out << "Non-null expressions: ";
+
+    auto findit = non_null_expressions.find(i_it->location_number);
+    if(findit == non_null_expressions.end())
+      out << "{}";
+    else
+    {
+      out << "{";
+      bool first = true;
+      for(const exprt &expr : findit->second)
+      {
+        if(!first)
+          out << ", ";
+        first = true;
+        format_rec(out, expr);
+      }
+      out << "}";
+    }
+
+    out << '\n';
+    goto_program.output_instruction(ns, "", out, *i_it);
+    out << '\n';
+  }
+}
+
+/// Output safely dereferenced expressions  per instruction in human-readable
+///   format. For example, if we have an instruction `ASSUME x->y->z == a->b`
+///   and we know expressions `x->y`, `a` and `other` are not null prior to it,
+///   this will print `{x->y, a}`, the intersection of the `dereference_exprt`s
+///   used here and the known-not-null expressions.
+/// \param out: stream to write output to
+/// \param goto_program: GOTO program analysed (the same one passed to
+///   operator())
+/// \param ns: global namespace
+void local_safe_pointerst::output_safe_dereferences(
+  std::ostream &out, const goto_programt &goto_program, const namespacet &ns)
+{
+  forall_goto_program_instructions(i_it, goto_program)
+  {
+    out << "**** " << i_it->location_number << " "
+        << i_it->source_location << "\n";
+
+    out << "Safe (known-not-null) dereferences: ";
+
+    auto findit = non_null_expressions.find(i_it->location_number);
+    if(findit == non_null_expressions.end())
+      out << "{}";
+    else
+    {
+      out << "{";
+      bool first = true;
+      for(auto subexpr_it = i_it->code.depth_begin(),
+            subexpr_end = i_it->code.depth_end();
+          subexpr_it != subexpr_end;
+          ++subexpr_it)
+      {
+        if(subexpr_it->id() == ID_dereference)
+        {
+          if(!first)
+            out << ", ";
+          first = true;
+          format_rec(out, subexpr_it->op0());
+        }
+      }
+      out << "}";
+    }
+
+    out << '\n';
+    goto_program.output_instruction(ns, "", out, *i_it);
+    out << '\n';
+  }
+}

src/analyses/local_safe_pointers.h

@@ -0,0 +1,57 @@
+/*******************************************************************\
+
+Module: Local safe pointer analysis
+
+Author: Diffblue Ltd
+
+\*******************************************************************/
+
+/// \file
+/// Local safe pointer analysis
+
+#ifndef CPROVER_ANALYSES_LOCAL_SAFE_POINTERS_H
+#define CPROVER_ANALYSES_LOCAL_SAFE_POINTERS_H
+
+#include <goto-programs/goto_program.h>
+#include <util/std_expr.h>
+
+/// A very simple, cheap analysis to determine when dereference operations are
+/// trivially guarded by a check against a null pointer access.
+/// In the interests of a very cheap analysis we only search for very local
+/// guards -- at the moment only `if(x != null) { *x }`
+/// and `assume(x != null); *x` are handled. Control-flow convergence and
+/// possibly-alising operations are handled pessimistically.
+class local_safe_pointerst
+{
+  std::map<unsigned, std::set<exprt>> non_null_expressions;
+
+ public:
+  void operator()(const goto_programt &goto_program);
+
+  bool is_non_null_at_program_point(
+    const exprt &expr, goto_programt::const_targett program_point)
+  {
+    auto findit = non_null_expressions.find(program_point->location_number);
+    if(findit == non_null_expressions.end())
+      return false;
+    const exprt *tocheck = &expr;
+    while(tocheck->id() == ID_typecast)
+      tocheck = &tocheck->op0();
+    return findit->second.count(*tocheck) != 0;
+  }
+
+  bool is_safe_dereference(
+    const dereference_exprt &deref,
+    goto_programt::const_targett program_point)
+  {
+    return is_non_null_at_program_point(deref.op0(), program_point);
+  }
+
+  void output(
+    std::ostream &stream, const goto_programt &program, const namespacet &ns);
+
+  void output_safe_dereferences(
+    std::ostream &stream, const goto_programt &program, const namespacet &ns);
+};
+
+#endif // CPROVER_ANALYSES_LOCAL_SAFE_POINTERS_H