Merge pull request diffblue#1612 from reuk/reuk/more-iterator-fixes

Iterator comparison and memory bug fixes

Author: tautschnig

.travis.yml

@@ -65,7 +65,9 @@ jobs:
       before_install:
         - mkdir bin ; ln -s /usr/bin/gcc-5 bin/gcc
       # env: COMPILER=g++-5 SAN_FLAGS="-fsanitize=undefined -fno-sanitize-recover -fno-omit-frame-pointer"
-      env: COMPILER="ccache g++-5"
+      env:
+        - COMPILER="ccache g++-5"
+        - EXTRA_CXXFLAGS="-D_GLIBCXX_DEBUG"
 
     # OS X using g++
     - stage: Test different OS/CXX/Flags

regression/cbmc-cover/built-ins7/test.desc

@@ -1,4 +1,4 @@
-CORE
+KNOWNBUG
 main.c
 --cover mcdc --unwind 5
 ^EXIT=0$
@@ -7,3 +7,6 @@ main.c
 --
 ^warning: ignoring
 ^\[.*<builtin-library-
+--
+Knownbug added because this test triggers an invariant in cover.cpp
+See #1622 for details

regression/cbmc-cover/mcdc1/test.desc

@@ -1,4 +1,4 @@
-CORE
+KNOWNBUG
 main.c
 --cover mcdc
 ^EXIT=0$
@@ -12,3 +12,6 @@ main.c
 ^\*\* .* of .* covered \(100.0%\)$
 --
 ^warning: ignoring
+--
+Knownbug added because this test triggers an invariant in cover.cpp
+See #1622 for details

regression/cbmc-cover/mcdc10/test.desc

@@ -1,4 +1,4 @@
-CORE
+KNOWNBUG
 main.c
 --cover mcdc
 ^EXIT=0$
@@ -10,3 +10,6 @@ main.c
 ^\*\* .* of .* covered \(100.0%\)$
 --
 ^warning: ignoring
+--
+Knownbug added because this test triggers an invariant in cover.cpp
+See #1622 for details

regression/cbmc-cover/mcdc11/test.desc

@@ -1,4 +1,4 @@
-CORE
+KNOWNBUG
 main.c
 --cover mcdc
 ^EXIT=0$
@@ -12,3 +12,6 @@ main.c
 ^\*\* .* of .* covered \(100.0%\)$
 --
 ^warning: ignoring
+--
+Knownbug added because this test triggers an invariant in cover.cpp
+See #1622 for details

regression/cbmc-cover/mcdc12/test.desc

@@ -1,4 +1,4 @@
-CORE
+KNOWNBUG
 main.c
 --cover mcdc
 ^EXIT=0$
@@ -15,3 +15,6 @@ main.c
 ^\*\* .* of .* covered \(100.0%\)$
 --
 ^warning: ignoring
+--
+Knownbug added because this test triggers an invariant in cover.cpp
+See #1622 for details

regression/cbmc-cover/mcdc13/test.desc

@@ -1,4 +1,4 @@
-CORE
+KNOWNBUG
 main.c
 --cover mcdc
 ^EXIT=0$
@@ -10,3 +10,6 @@ main.c
 ^\*\* .* of .* covered \(100.0%\)$
 --
 ^warning: ignoring
+--
+Knownbug added because this test triggers an invariant in cover.cpp
+See #1622 for details

regression/cbmc-cover/mcdc14/test.desc

@@ -1,4 +1,4 @@
-CORE
+KNOWNBUG
 main.c
 --cover mcdc
 ^EXIT=0$
@@ -8,3 +8,6 @@ main.c
 ^\*\* .* of .* covered \(100.0%\)$
 --
 ^warning: ignoring
+--
+Knownbug added because this test triggers an invariant in cover.cpp
+See #1622 for details

regression/cbmc-cover/mcdc2/test.desc

@@ -1,4 +1,4 @@
-CORE
+KNOWNBUG
 main.c
 --cover mcdc
 ^EXIT=0$
@@ -10,3 +10,6 @@ main.c
 ^\*\* .* of .* covered \(100.0%\)$
 --
 ^warning: ignoring
+--
+Knownbug added because this test triggers an invariant in cover.cpp
+See #1622 for details

regression/cbmc-cover/mcdc3/test.desc

@@ -1,4 +1,4 @@
-CORE
+KNOWNBUG
 main.c
 --cover mcdc
 ^EXIT=0$
@@ -9,3 +9,6 @@ main.c
 ^\*\* .* of .* covered \(100.0%\)$
 --
 ^warning: ignoring
+--
+Knownbug added because this test triggers an invariant in cover.cpp
+See #1622 for details

regression/cbmc-cover/mcdc4/test.desc

@@ -1,4 +1,4 @@
-CORE
+KNOWNBUG
 main.c
 --cover mcdc
 ^EXIT=0$
@@ -11,3 +11,6 @@ main.c
 ^\*\* .* of .* covered \(100.0%\)$
 --
 ^warning: ignoring
+--
+Knownbug added because this test triggers an invariant in cover.cpp
+See #1622 for details

regression/cbmc-cover/mcdc5/test.desc

@@ -1,4 +1,4 @@
-CORE
+KNOWNBUG
 main.c
 --cover mcdc
 ^EXIT=0$
@@ -11,3 +11,6 @@ main.c
 ^\*\* .* of .* covered \(100.0%\)$
 --
 ^warning: ignoring
+--
+Knownbug added because this test triggers an invariant in cover.cpp
+See #1622 for details

regression/cbmc-cover/mcdc6/test.desc

@@ -1,4 +1,4 @@
-CORE
+KNOWNBUG
 main.c
 --cover mcdc
 ^EXIT=0$
@@ -8,3 +8,6 @@ main.c
 ^\*\* .* of .* covered \(100.0%\)$
 --
 ^warning: ignoring
+--
+Knownbug added because this test triggers an invariant in cover.cpp
+See #1622 for details

regression/cbmc-cover/mcdc7/test.desc

@@ -1,4 +1,4 @@
-CORE
+KNOWNBUG
 main.c
 --cover mcdc
 ^EXIT=0$
@@ -10,3 +10,6 @@ main.c
 ^\*\* .* of .* covered \(100.0%\)$
 --
 ^warning: ignoring
+--
+Knownbug added because this test triggers an invariant in cover.cpp
+See #1622 for details

regression/cbmc-cover/mcdc8/test.desc

@@ -1,4 +1,4 @@
-CORE
+KNOWNBUG
 main.c
 --cover mcdc
 ^EXIT=0$
@@ -10,3 +10,6 @@ main.c
 ^\*\* .* of .* covered \(100.0%\)$
 --
 ^warning: ignoring
+--
+Knownbug added because this test triggers an invariant in cover.cpp
+See #1622 for details

regression/cbmc-cover/mcdc9/test.desc

@@ -1,4 +1,4 @@
-CORE
+KNOWNBUG
 main.c
 --cover mcdc
 ^EXIT=0$
@@ -11,3 +11,6 @@ main.c
 ^\*\* .* of .* covered \(100.0%\)$
 --
 ^warning: ignoring
+--
+Knownbug added because this test triggers an invariant in cover.cpp
+See #1622 for details

src/analyses/ai.cpp

@@ -365,7 +365,8 @@ bool ai_baset::visit(
       // initialize state, if necessary
       get_state(to_l);
 
-      new_values.transform(l, to_l, *this, ns);
+      new_values.transform(
+        l, to_l, *this, ns, ai_domain_baset::edge_typet::FUNCTION_LOCAL);
 
       if(merge(new_values, l, to_l))
         have_new_values=true;
@@ -398,7 +399,8 @@ bool ai_baset::do_function_call(
   {
     // if we don't have a body, we just do an edige call -> return
     std::unique_ptr<statet> tmp_state(make_temporary_state(get_state(l_call)));
-    tmp_state->transform(l_call, l_return, *this, ns);
+    tmp_state->transform(
+      l_call, l_return, *this, ns, ai_domain_baset::edge_typet::FUNCTION_LOCAL);
 
     return merge(*tmp_state, l_call, l_return);
   }
@@ -415,7 +417,8 @@ bool ai_baset::do_function_call(
 
     // do the edge from the call site to the beginning of the function
     std::unique_ptr<statet> tmp_state(make_temporary_state(get_state(l_call)));
-    tmp_state->transform(l_call, l_begin, *this, ns);
+    tmp_state->transform(
+      l_call, l_begin, *this, ns, ai_domain_baset::edge_typet::CALL);
 
     bool new_data=false;
 
@@ -442,7 +445,8 @@ bool ai_baset::do_function_call(
       return false; // function exit point not reachable
 
     std::unique_ptr<statet> tmp_state(make_temporary_state(end_state));
-    tmp_state->transform(l_end, l_return, *this, ns);
+    tmp_state->transform(
+      l_end, l_return, *this, ns, ai_domain_baset::edge_typet::RETURN);
 
     // Propagate those
     return merge(*tmp_state, l_end, l_return);

src/analyses/ai.h

@@ -31,6 +31,13 @@ class ai_baset;
 class ai_domain_baset
 {
 public:
+  enum class edge_typet
+  {
+    FUNCTION_LOCAL,
+    CALL,
+    RETURN,
+  };
+
   // The constructor is expected to produce 'false'
   // or 'bottom'
   ai_domain_baset()
@@ -53,7 +60,8 @@ class ai_domain_baset
     locationt from,
     locationt to,
     ai_baset &ai,
-    const namespacet &ns)=0;
+    const namespacet &ns,
+    edge_typet edge_type) = 0;
 
   virtual void output(
     std::ostream &out,
@@ -401,7 +409,9 @@ class ait:public ai_baset
   }
 
 protected:
-  typedef std::unordered_map<locationt, domainT, const_target_hash> state_mapt;
+  typedef std::
+    unordered_map<locationt, domainT, const_target_hash, pointee_address_equalt>
+      state_mapt;
   state_mapt state_map;
 
   // this one creates states, if need be

src/analyses/constant_propagator.cpp

@@ -45,7 +45,8 @@ void constant_propagator_domaint::transform(
   locationt from,
   locationt to,
   ai_baset &ai,
-  const namespacet &ns)
+  const namespacet &ns,
+  ai_domain_baset::edge_typet edge_type)
 {
 #ifdef DEBUG
   std::cout << "Transform from/to:\n";
@@ -129,7 +130,7 @@ void constant_propagator_domaint::transform(
       const symbol_exprt &symbol_expr=to_symbol_expr(function);
       const irep_idt id=symbol_expr.get_identifier();
 
-      if(to==next)
+      if(edge_type == ai_domain_baset::edge_typet::FUNCTION_LOCAL)
       {
         if(id==CPROVER_PREFIX "set_must" ||
            id==CPROVER_PREFIX "get_must" ||

src/analyses/constant_propagator.h

@@ -25,7 +25,8 @@ class constant_propagator_domaint:public ai_domain_baset
     locationt from,
     locationt to,
     ai_baset &ai_base,
-    const namespacet &ns) final override;
+    const namespacet &ns,
+    ai_domain_baset::edge_typet edge_type) final override;
 
   virtual void output(
     std::ostream &out,

src/analyses/custom_bitvector_analysis.cpp

@@ -269,7 +269,8 @@ void custom_bitvector_domaint::transform(
   locationt from,
   locationt to,
   ai_baset &ai,
-  const namespacet &ns)
+  const namespacet &ns,
+  ai_domain_baset::edge_typet edge_type)
 {
   // upcast of ai
   custom_bitvector_analysist &cba=
@@ -395,11 +396,8 @@ void custom_bitvector_domaint::transform(
         }
         else
         {
-          goto_programt::const_targett next=from;
-          ++next;
-
           // only if there is an actual call, i.e., we have a body
-          if(next!=to)
+          if(edge_type != ai_domain_baset::edge_typet::FUNCTION_LOCAL)
           {
             const code_typet &code_type=
               to_code_type(ns.lookup(identifier).type);

src/analyses/custom_bitvector_analysis.h

@@ -27,7 +27,8 @@ class custom_bitvector_domaint:public ai_domain_baset
     locationt from,
     locationt to,
     ai_baset &ai,
-    const namespacet &ns) final override;
+    const namespacet &ns,
+    ai_domain_baset::edge_typet edge_type) final override;
 
   void output(
     std::ostream &out,

src/analyses/dependence_graph.cpp

@@ -187,18 +187,18 @@ void dep_graph_domaint::transform(
   goto_programt::const_targett from,
   goto_programt::const_targett to,
   ai_baset &ai,
-  const namespacet &ns)
+  const namespacet &ns,
+  ai_domain_baset::edge_typet edge_type)
 {
   dependence_grapht *dep_graph=dynamic_cast<dependence_grapht*>(&ai);
   assert(dep_graph!=nullptr);
 
   // propagate control dependencies across function calls
   if(from->is_function_call())
   {
-    goto_programt::const_targett next=from;
-    ++next;
+    const goto_programt::const_targett next = std::next(from);
 
-    if(next==to)
+    if(edge_type == ai_domain_baset::edge_typet::FUNCTION_LOCAL)
     {
       control_dependencies(from, to, *dep_graph);
     }

src/analyses/dependence_graph.h

@@ -83,7 +83,8 @@ class dep_graph_domaint:public ai_domain_baset
     goto_programt::const_targett from,
     goto_programt::const_targett to,
     ai_baset &ai,
-    const namespacet &ns) final override;
+    const namespacet &ns,
+    ai_domain_baset::edge_typet edge_type) final override;
 
   void output(
     std::ostream &out,

src/analyses/escape_analysis.cpp

@@ -165,7 +165,8 @@ void escape_domaint::transform(
   locationt from,
   locationt to,
   ai_baset &ai,
-  const namespacet &ns)
+  const namespacet &ns,
+  ai_domain_baset::edge_typet /*edge_type*/)
 {
   if(has_values.is_false())
     return;

src/analyses/escape_analysis.h

@@ -32,7 +32,8 @@ class escape_domaint:public ai_domain_baset
     locationt from,
     locationt to,
     ai_baset &ai,
-    const namespacet &ns) final override;
+    const namespacet &ns,
+    ai_domain_baset::edge_typet edge_type) final override;
 
   void output(
     std::ostream &out,