Field-sensitive level-2 SSA renaming

- Currently for structs only, extension to arrays pending

Author: tautschnig

regression/cbmc/Struct_Propagation1/main.c

@@ -0,0 +1,34 @@
+struct S
+{
+  int v;
+  struct Inner
+  {
+    int x;
+  } inner;
+};
+
+struct S works;
+
+int main()
+{
+  struct S fails;
+
+  works.v=2;
+  fails.v=2;
+
+  while(works.v>0)
+    --(works.v);
+
+  while(fails.v>0)
+    --(fails.v);
+
+  __CPROVER_assert(works.inner.x==0, "");
+
+  _Bool b;
+  if(b)
+  {
+    struct S s={ 42, { 42 } };
+  }
+
+  return 0;
+}

regression/cbmc/Struct_Propagation1/test.desc

@@ -0,0 +1,9 @@
+CORE
+main.c
+--unwind 5
+^EXIT=0$
+^SIGNAL=0$
+^VERIFICATION SUCCESSFUL$
+\(Starting CEGAR Loop\|VCC(s), 0 remaining after simplification$\)
+--
+^warning: ignoring

src/goto-symex/Makefile

@@ -8,7 +8,7 @@ SRC = symex_target.cpp symex_target_equation.cpp goto_symex.cpp \
       symex_catch.cpp symex_start_thread.cpp symex_assign.cpp \
       symex_throw.cpp symex_atomic_section.cpp memory_model.cpp \
       memory_model_sc.cpp partial_order_concurrency.cpp \
-      memory_model_tso.cpp memory_model_pso.cpp substitute.cpp
+      memory_model_tso.cpp memory_model_pso.cpp substitute.cpp field_sensitivity.cpp
 
 INCLUDES= -I ..
 

src/goto-symex/field_sensitivity.cpp

@@ -0,0 +1,254 @@
+/*******************************************************************\
+
+Module: Field-sensitive SSA
+
+Author: Michael Tautschnig, [email protected]
+
+\*******************************************************************/
+
+#include <util/simplify_expr.h>
+#include <util/std_expr.h>
+
+#include "symex_target.h"
+#include "goto_symex_state.h"
+
+#include "field_sensitivity.h"
+
+/*******************************************************************\
+
+Function: field_sensitivityt::operator()
+
+  Inputs:
+
+ Outputs:
+
+ Purpose:
+
+\*******************************************************************/
+
+void field_sensitivityt::operator()(
+  const namespacet &ns,
+  exprt &expr,
+  bool write) const
+{
+#if 1
+  if(expr.id()!=ID_address_of)
+    Forall_operands(it, expr)
+      operator()(ns, *it, write);
+
+  if(expr.id()==ID_symbol &&
+     expr.get_bool(ID_C_SSA_symbol) &&
+     !write)
+  {
+    ssa_exprt ssa=to_ssa_expr(expr);
+    get_fields(ns, ssa, expr);
+  }
+  else if(!write &&
+          expr.id()==ID_member &&
+          to_member_expr(expr).struct_op().id()==ID_struct)
+  {
+    simplify(expr, ns);
+  }
+  else if(write && expr.id()==ID_member)
+  {
+    member_exprt &member=to_member_expr(expr);
+
+    if(member.struct_op().id()==ID_symbol &&
+       member.struct_op().get_bool(ID_C_SSA_symbol) &&
+       ns.follow(member.struct_op().type()).id()==ID_struct)
+    {
+      ssa_exprt tmp=to_ssa_expr(member.struct_op());
+
+      member.struct_op()=tmp.get_original_expr();
+
+      tmp.type()=member.type();
+      tmp.set(ID_expression, member);
+      tmp.update_identifier();
+
+      expr.swap(tmp);
+    }
+  }
+#endif
+}
+
+/*******************************************************************\
+
+Function: field_sensitivityt::get_fields
+
+  Inputs:
+
+ Outputs:
+
+ Purpose:
+
+\*******************************************************************/
+
+void field_sensitivityt::get_fields(
+  const namespacet &ns,
+  const ssa_exprt &ssa_expr,
+  exprt &dest) const
+{
+#if 1
+  if(ns.follow(ssa_expr.type()).id()==ID_struct)
+  {
+    const exprt &struct_op=ssa_expr.get_original_expr();
+
+    const struct_typet &type=
+      to_struct_type(ns.follow(ssa_expr.type()));
+
+    const struct_union_typet::componentst &components=
+      type.components();
+
+    dest=struct_exprt(ssa_expr.type());
+    dest.reserve_operands(components.size());
+
+    for(struct_union_typet::componentst::const_iterator
+        it=components.begin();
+        it!=components.end();
+        ++it)
+    {
+      member_exprt member(struct_op, it->get_name(), it->type());
+
+      ssa_exprt tmp=ssa_expr;
+
+      tmp.type()=member.type();
+      tmp.set(ID_expression, member);
+      tmp.update_identifier();
+
+      exprt tmp_dest;
+      get_fields(ns, tmp, tmp_dest);
+      dest.copy_to_operands(tmp_dest);
+    }
+  }
+  else
+#endif
+    dest=ssa_expr;
+}
+
+/*******************************************************************\
+
+Function: field_sensitivityt::field_assignments
+
+  Inputs:
+
+ Outputs:
+
+ Purpose:
+
+\*******************************************************************/
+
+void field_sensitivityt::field_assignments(
+  const namespacet &ns,
+  goto_symex_statet &state,
+  symex_targett &target,
+  const exprt &lhs) const
+{
+  exprt lhs_fs=lhs;
+  operator()(ns, lhs_fs, false);
+
+  field_assignments_rec(ns, state, target, lhs_fs, lhs);
+}
+
+/*******************************************************************\
+
+Function: field_sensitivityt::field_assignments_rec
+
+  Inputs:
+
+ Outputs:
+
+ Purpose:
+
+\*******************************************************************/
+
+void field_sensitivityt::field_assignments_rec(
+  const namespacet &ns,
+  goto_symex_statet &state,
+  symex_targett &target,
+  const exprt &lhs_fs,
+  const exprt &lhs) const
+{
+  if(lhs==lhs_fs)
+    return;
+  else if(lhs_fs.id()==ID_symbol &&
+          lhs_fs.get_bool(ID_C_SSA_symbol))
+  {
+    exprt ssa_rhs=lhs;
+
+    state.rename(ssa_rhs, ns);
+    simplify(ssa_rhs, ns);
+
+    ssa_exprt ssa_lhs=to_ssa_expr(lhs_fs);
+    state.assignment(ssa_lhs, ssa_rhs, ns, true);
+
+    // do the assignment
+    target.assignment(
+      state.guard.as_expr(),
+      ssa_lhs,
+      ssa_lhs, ssa_lhs.get_original_expr(),
+      ssa_rhs,
+      state.source,
+      symex_targett::STATE);
+  }
+  else if(ns.follow(lhs.type()).id()==ID_struct)
+  {
+    const struct_typet &type=
+      to_struct_type(ns.follow(lhs.type()));
+
+    const struct_union_typet::componentst &components=
+      type.components();
+
+    assert(components.empty() ||
+           (lhs_fs.has_operands() &&
+            lhs_fs.operands().size()==components.size()));
+
+    unsigned number=0;
+    for(struct_union_typet::componentst::const_iterator
+        it=components.begin();
+        it!=components.end();
+        ++it, ++number)
+    {
+      member_exprt member_rhs(lhs, it->get_name(), it->type());
+      exprt member_lhs=lhs_fs.operands()[number];
+
+      field_assignments_rec(ns, state, target, member_lhs, member_rhs);
+    }
+  }
+  else if(lhs_fs.has_operands())
+  {
+    assert(lhs.has_operands() &&
+           lhs_fs.operands().size()==lhs.operands().size());
+
+    exprt::operandst::const_iterator fs_it=lhs_fs.operands().begin();
+    for(exprt::operandst::const_iterator it=lhs.operands().begin();
+        it!=lhs.operands().end();
+        ++it, ++fs_it)
+      field_assignments_rec(ns, state, target, *fs_it, *it);
+  }
+  else
+  {
+    assert(false);
+  }
+}
+
+/*******************************************************************\
+
+Function: field_sensitivityt::is_indivisible
+
+  Inputs:
+
+ Outputs:
+
+ Purpose:
+
+\*******************************************************************/
+
+bool field_sensitivityt::is_indivisible(
+  const namespacet &ns,
+  const ssa_exprt &expr) const
+{
+  exprt tmp;
+  get_fields(ns, expr, tmp);
+
+  return expr==tmp;
+}

src/goto-symex/field_sensitivity.h

@@ -0,0 +1,52 @@
+/*******************************************************************\
+
+Module: Field-sensitive SSA
+
+Author: Michael Tautschnig, [email protected]
+
+\*******************************************************************/
+
+#ifndef CPROVER_FIELD_SENSITIVITY_H
+#define CPROVER_FIELD_SENSITIVITY_H
+
+class exprt;
+class ssa_exprt;
+class namespacet;
+class goto_symex_statet;
+class symex_targett;
+
+/*! \brief Control granularity of object accesses
+*/
+class field_sensitivityt
+{
+public:
+  void operator()(
+    const namespacet &ns,
+    exprt &expr,
+    bool write) const;
+
+  void get_fields(
+    const namespacet &ns,
+    const ssa_exprt &ssa_expr,
+    exprt &dest) const;
+
+  void field_assignments(
+    const namespacet &ns,
+    goto_symex_statet &state,
+    symex_targett &target,
+    const exprt &lhs) const;
+
+  bool is_indivisible(
+    const namespacet &ns,
+    const ssa_exprt &expr) const;
+
+private:
+  void field_assignments_rec(
+    const namespacet &ns,
+    goto_symex_statet &state,
+    symex_targett &target,
+    const exprt &lhs_fs,
+    const exprt &lhs) const;
+};
+
+#endif

src/goto-symex/goto_symex_state.cpp

@@ -639,6 +639,10 @@ bool goto_symex_statet::l2_thread_read_encoding(
       !dirty->is_dirty(obj_identifier)))
     return false;
 
+  // is it an indivisible object being accessed?
+  if(!field_sensitivity.is_indivisible(ns, expr))
+    return false;
+
   ssa_exprt ssa_l1=expr;
   ssa_l1.remove_level_2();
   const irep_idt &l1_identifier=ssa_l1.get_identifier();
@@ -793,6 +797,10 @@ bool goto_symex_statet::l2_thread_write_encoding(
      (!ns.lookup(obj_identifier).is_shared() &&
       !dirty->is_dirty(obj_identifier)))
     return false; // not shared
+
+  // is it an indivisible object being accessed?
+  if(!field_sensitivity.is_indivisible(ns, expr))
+    return false;
 
   // see whether we are within an atomic section
   if(atomic_section_id!=0)

src/goto-symex/goto_symex_state.h

@@ -20,6 +20,7 @@ Author: Daniel Kroening, [email protected]
 #include <goto-programs/goto_functions.h>
 
 #include "symex_target.h"
+#include "field_sensitivity.h"
 
 class dirtyt;
 
@@ -345,6 +346,7 @@ class goto_symex_statet
   std::set<unsigned> cex_graph_nodes;
   bool cex_started;
   const dirtyt * dirty;
+  field_sensitivityt field_sensitivity;
 };
 
 #endif