public Preconditions Ldelem(APC pc, Type type, Variable dest, Variable array, Variable index, Preconditions pre)
{
BreakHere(pc, pre);
if (pre != null)
{
var result = new Preconditions();
var ldElemExp = new BoxedExpression.ArrayIndexExpression <Type>(BoxedExpression.Var(array), BoxedExpression.Var(index), type);
var destExp = BoxedExpression.Var(dest);
foreach (var p in pre)
{
if (p != null)
{
result.AddIfNotNull(p.Substitute(destExp, ldElemExp));
}
}
return(result);
}
else
{
return(pre);
}
}
private bool TrySplitBaseWBAndOffset(APC pc, Polynomial<BoxedVariable<Variable>, BoxedExpression> pol, out BoxedExpression basePtr, out BoxedExpression wbPtr, out BoxedExpression offset)
{
var foundAPointer = false;
var offsets = new List<Monomial<BoxedVariable<Variable>>>(pol.Left.Length);
var basePtrVar = default(Variable);
// 1. Fetch the pointer
foreach (var m in pol.Left)
{
BoxedVariable<Variable> tryVar;
Variable v;
if (m.IsVariable(out tryVar) && tryVar.TryUnpackVariable(out v))
{
var type = this.Context.ValueContext.GetType(this.Context.MethodContext.CFG.Post(pc), v);
if(type.IsNormal && (this.DecoderForMetaData.IsUnmanagedPointer(type.Value) || this.DecoderForMetaData.IsReferenceType(type.Value)))
{
basePtrVar = v;
Contract.Assume(foundAPointer == false);
foundAPointer = true;
continue;
}
}
offsets.Add(m);
}
if (!foundAPointer)
{
basePtr = offset = wbPtr = default(BoxedExpression);
return false;
}
// 2. Get the WB
Variable varForWB;
if (!this.Context.ValueContext.TryGetWritableBytes(this.Context.MethodContext.CFG.Post(pc), basePtrVar, out varForWB))
{
basePtr = offset = wbPtr = default(BoxedExpression);
return false;
}
// 3. Construct the offset
Polynomial<BoxedVariable<Variable>, BoxedExpression> tmpPol;
if (!Polynomial<BoxedVariable<Variable>, BoxedExpression>.TryToPolynomialForm(offsets.ToArray(), out tmpPol))
{
throw new AbstractInterpretationException("Impossible case?");
}
Contract.Assert(this.Encoder != null);
basePtr = BoxedExpression.Var(basePtrVar);
wbPtr = BoxedExpression.Var(varForWB);
offset = tmpPol.ToPureExpression(this.Encoder);
return true;
}
public BoxedExpression Variable(object variable)
{
var variableAsBoxedExp = variable as BoxedExpression;
if (variableAsBoxedExp != null)
{
return(variableAsBoxedExp);
}
if (VariableConverter != null)
{
var variableAsBoxedVar = variable as BoxedVariable <Var>;
if (variableAsBoxedVar != null)
{
Var v;
if (variableAsBoxedVar.TryUnpackVariable(out v))
{
return(VariableConverter(v));
}
}
else if (variable is Var)
{
return(VariableConverter((Var)variable));
}
}
return(BoxedExpression.Var(variable));
}
protected override ProofOutcome ValidateInternalSpecific(IFactQuery <BoxedExpression, Variable> query, ContractInferenceManager inferenceManager, IOutputResults output)
{
// Check if expForIndex >= 0
return(query.IsGreaterEqualToZero(this.PC, index));
#if false
// Try to use weakest preconditions
if (result == ProofOutcome.Top)
{
if (CanAssumeLowerBoundPrecondition(output, this.index))
{
result = ProofOutcome.True;
}
else
{
// if we have lb <= i, then we can suggest 0 <= lb
//
foreach (Variable lb in query.LowerBounds(this.PC, index, false))
{
BoxedExpression lbbox = BoxedExpression.Var(lb);
if (CanAssumeLowerBoundPrecondition(output, lbbox))
{
result = ProofOutcome.True;
}
}
}
}
return(result);
#endif
}
private BoxedExpression GenerateTheExists(APC exitPC, BoxedExpression variable, Type arrayType, BoxedExpression array)
{
Contract.Requires(variable != null);
Contract.Requires(array != null);
BoxedExpression newPost = null;
var boundedVariable = BoxedExpression.Var("__j__");
var lowerBound = BoxedExpression.Const(0, this.DecoderForMetaData.System_Int32, this.DecoderForMetaData);
Variable arrayVar, arrayLength;
if (array.TryGetFrameworkVariable(out arrayVar) &&
this.Context.ValueContext.TryGetArrayLength(exitPC, arrayVar, out arrayLength))
{
var upperBound = BoxedExpression.Var(arrayLength, this.Context.ValueContext.VisibleAccessPathListFromPost(exitPC, arrayLength));
// arr[boundedVariable] == variable
var arrayLoad = new BoxedExpression.ArrayIndexExpression <Type>(array, boundedVariable, arrayType);
var eq = BoxedExpression.Binary(BinaryOperator.Ceq, arrayLoad, variable);
newPost = new ExistsIndexedExpression(null, boundedVariable, lowerBound, upperBound, eq);
}
return(newPost);
}
private List <BoxedExpression> GetForAllVisibleOutsideOfTheMethod(
BoxedVariable <Variable> array,
ArraySegmentation <FlatAbstractDomainOfBoolsWithRenaming <BoxedVariable <Variable> >, BoxedVariable <Variable>, BoxedExpression> segmentation)
{
Contract.Requires(array != null);
Contract.Requires(segmentation != null);
var result = new List <BoxedExpression>();
var arrayBE = ReadVariableInPreStateForRequires(this.Context.MethodContext.CFG.EntryAfterRequires, array);
if (arrayBE != null)
{
var boundVar = BoxedExpression.Var("i");
var arrayindex = new BoxedExpression.ArrayIndexExpression <Type>(arrayBE, boundVar, this.DecoderForMetaData.System_Object);
var factory = new BoxedExpressionFactory <Local, Parameter, Method, Field, Property, Event, Type, Attribute, Assembly, Variable>(
boundVar, arrayindex,
(v => ReadVariableInPreStateForRequires(this.Context.MethodContext.CFG.EntryAfterRequires, v)),
this.DecoderForMetaData, null);
var formula = segmentation.To(factory);
if (formula != null)
{
result.AddRange(factory.SplitAnd(formula));
}
}
return(result);
}
protected virtual BoxedExpression Variable(BoxedExpression original, object var, PathElement[] path)
{
Contract.Requires(original != null);
Contract.Requires(original.UnderlyingVariable == var);
if (path != null || this.PathFetcher == null)
{
return(original);
}
else
{
Contract.Assert(this.PathFetcher != null);
var newPath = this.PathFetcher(original.UnderlyingVariable);
return(newPath != null?BoxedExpression.Var(original.UnderlyingVariable, newPath) : null);
}
}
public bool TryCollectWitnesses(out bool mayReturnNull)
{
Trace("Try to collect a witness for the return value");
mayReturnNull = false;
if (this.timeout.HasAlreadyTimeOut)
{
return(false);
}
try
{
this.timeout.Start();
Variable retVar;
if (this.Mdriver.Context.ValueContext.TryResultValue(this.pcCondition, out retVar))
{
var initialState = new Witness(BoxedExpression.Var(retVar));
Visit(this.pcCondition, initialState, 0);
if (this.Found)
{
mayReturnNull = this.Result.State == Witness.Kind.ReturnNull || this.Result.State == Witness.Kind.ReturnNullIndirectly;
return(true);
}
}
}
catch (TimeoutExceptionFixpointComputation)
{
return(false);
}
catch (AccessViolationException)
{
Console.WriteLine("Internal error in CLR: memory is corrupted? -- Continuing as we where simply searching for a witness");
}
finally
{
this.timeout.Stop();
}
return(false);
}
/// <summary>
/// If failIfCannotReplaceVarsWithAccessPaths is true, whenever we cannot convert a variable into an expression, we return null.
/// Otherwise (when failIfCannotReplaceVarsWithAccessPaths is false), then we return the same expression
/// </summary>
public BoxedExpression ReadAt(APC pc, BoxedExpression exp, bool failIfCannotReplaceVarsWithAccessPaths = true, Typ allowReturnValue = default(Typ))
{
Contract.Requires(exp != null);
if (this.boundVariables.Contains(exp))
{
return(exp);
}
if (exp.IsVariable)
{
Variable var;
if (exp.TryGetFrameworkVariable(out var))
{
var accessPath = context.ValueContext.AccessPathList(pc, var, true, true, allowReturnValue);
if (accessPath != null)
{
return(BoxedExpression.Var(var, accessPath));
}
Contract.Assert(accessPath == null, "Just for readibility: we are here if we do not have an access path for the variable");
return(failIfCannotReplaceVarsWithAccessPaths ? null : exp);
}
return(null);
}
BinaryOperator bop;
BoxedExpression left, right;
if (exp.IsBinaryExpression(out bop, out left, out right))
{
Variable leftVar, rightVar;
if (left.TryGetFrameworkVariable(out leftVar) && right.IsConstant)
{
var typeLeft = this.context.ValueContext.GetType(pc, leftVar);
if (typeLeft.IsNormal && IsInterestingBoundFromTheTypeRange(right, typeLeft.Value))
{
var recurse = ReadAt(pc, left, failIfCannotReplaceVarsWithAccessPaths, allowReturnValue);
if (recurse != null)
{
return(BoxedExpression.Binary(bop, recurse, right));
}
}
return(null);
}
if (left.IsConstant && right.TryGetFrameworkVariable(out rightVar))
{
var typeRight = this.context.ValueContext.GetType(pc, rightVar);
if (typeRight.IsNormal && IsInterestingBoundFromTheTypeRange(left, typeRight.Value))
{
var recurse = ReadAt(pc, right, failIfCannotReplaceVarsWithAccessPaths, allowReturnValue);
if (recurse != null)
{
return(BoxedExpression.Binary(bop, left, recurse));
}
}
return(null);
}
var recurseLeft = ReadAt(pc, left, failIfCannotReplaceVarsWithAccessPaths, allowReturnValue);
var recurseRight = ReadAt(pc, right, failIfCannotReplaceVarsWithAccessPaths, allowReturnValue);
if (recurseLeft != null && recurseRight != null)
{
return(BoxedExpression.Binary(bop, recurseLeft, recurseRight));
}
else
{
return(null);
}
}
UnaryOperator uop;
if (exp.IsUnaryExpression(out uop, out left))
{
var recurse = ReadAt(pc, left, failIfCannotReplaceVarsWithAccessPaths, allowReturnValue);
if (recurse != null)
{
return(BoxedExpression.Unary(uop, recurse));
}
return(null);
}
object type;
if (exp.IsIsInstExpression(out left, out type))
{
var recurse = ReadAt(pc, left, failIfCannotReplaceVarsWithAccessPaths, allowReturnValue);
if (recurse != null)
{
return(ClousotExpression <Type> .MakeIsInst((Type)type, recurse));
}
return(null);
}
bool isForAll;
BoxedExpression boundVar, inf, sup, body;
if (exp.IsQuantifiedExpression(out isForAll, out boundVar, out inf, out sup, out body))
{
Contract.Assert(boundVar != null);
Contract.Assert(inf != null);
Contract.Assert(sup != null);
Contract.Assert(body != null);
this.boundVariables.Add(boundVar);
var infRec = ReadAt(pc, inf, failIfCannotReplaceVarsWithAccessPaths, allowReturnValue);
if (infRec != null)
{
var supRec = ReadAt(pc, sup, failIfCannotReplaceVarsWithAccessPaths, allowReturnValue);
if (supRec != null)
{
var bodyRec = ReadAt(pc, body, failIfCannotReplaceVarsWithAccessPaths, allowReturnValue);
if (bodyRec != null)
{
this.boundVariables.Remove(boundVar);
if (isForAll)
{
return(new ForAllIndexedExpression(null, boundVar, infRec, supRec, bodyRec));
}
else
{
return(new ExistsIndexedExpression(null, boundVar, infRec, supRec, bodyRec));
}
}
}
}
return(null);
}
object t;
BoxedExpression array, index;
if (exp.IsArrayIndexExpression(out array, out index, out t) && t is Typ)
{
var arrayRec = ReadAt(pc, array, failIfCannotReplaceVarsWithAccessPaths, allowReturnValue);
if (arrayRec != null)
{
var indexRec = ReadAt(pc, index, failIfCannotReplaceVarsWithAccessPaths, allowReturnValue);
if (indexRec != null)
{
return(new BoxedExpression.ArrayIndexExpression <Typ>(arrayRec, indexRec, (Typ)t));
}
}
}
return(exp);
}
private BoxedExpression ExpressionInPostStateHelper(BoxedExpression exp, bool replaceReturnValue, bool overrideAccessModifiers, bool allowReturnValue, ref Details details)
{
if (exp.IsConstant || exp.IsSizeOf /*|| exp.IsNull*/)
{ // Nothing to do
return(exp);
}
if (exp.IsNull)
{
return(BoxedExpression.Const(null, this.metaDataDecoder.System_Object, this.metaDataDecoder));
}
if (exp.IsVariable)
{
if (exp.IsVariableBoundedInQuantifier)
{
return(exp);
}
// F: this check is there as there may be slack variables form subpolyhedra
Variable var;
if (!exp.TryGetFrameworkVariable(out var))
{
return(null);
}
// We want to replace the return variable with the marker for the return value
if (replaceReturnValue && this.returnVariable.IsValid && var.Equals(this.returnVariable.Value))
{
details.HasVariables = true;
details.HasReturnVariable = true;
return(this.returnExpression);
}
#region First try: Read it in the post-state
var accessPath =
context.ValueContext.VisibleAccessPathListFromPost(context.MethodContext.CFG.NormalExit, var, allowReturnValue);
#if false
// F: change!!!!
// Console.WriteLine("Access paths for sv = {0}", var);
foreach (var ap in context.ValueContext.AccessPaths(context.MethodContext.CFG.NormalExit, var, AccessPathFilter <Method> .FromPostcondition(this.context.MethodContext.CurrentMethod)))
{
// Console.WriteLine(ap);
if (context.ValueContext.PathSuitableInEnsures(context.MethodContext.CFG.NormalExit, ap))
{
// we found our accesspath
accessPath = ap;
break;
}
}
#endif
if (accessPath != null)
{
details.HasVariables = true;
details.HasReturnVariable = accessPath.Head.IsReturnValue;
if (accessPath.Length() == 1 && accessPath.ToString() == "this")
{
details.IsThis = true;
}
if (accessPath.Head.ToString() == "this")
{
details.IsRootedInThis = true;
}
// TODO: check possible bug here: this should be var not exp.UnderlyingVariable
return(BoxedExpression.Var(var, accessPath));
}
#endregion
#region Second try: Read it in the pre-state
accessPath =
// context.ValueContext.VisibleAccessPathListFromPre(context.MethodContext.CFG.EntryAfterRequires, var);
context.ValueContext.AccessPathList(context.MethodContext.CFG.EntryAfterRequires, var, false, false);
if (accessPath != null)
{
details.HasVariables = true;
var type = this.context.ValueContext.GetType(this.context.MethodContext.CFG.NormalExit, var);
if (type.IsNormal)
{
details.HasOldVariable = true;
return(BoxedExpression.Old(BoxedExpression.Var(var, accessPath), type.Value));
}
else
{
return(null);
}
}
#endregion
#region Third try: use the extended refined, if any
if (this.extendedRefiner != null)
{
BoxedExpression refined;
if (this.extendedRefiner.TryRefineExpression(this.context.MethodContext.CFG.NormalExit, var, out refined) &&
refined.IsArrayIndex) // F: it seems we generate some recursive expression which causes a stack overflow. Should investigate!!!!
{
return(ExpressionInPostStateHelper(refined, replaceReturnValue, overrideAccessModifiers, allowReturnValue, ref details));
}
}
#endregion
// giving up
return(null);
}
if (exp.IsUnary)
{
var rec = ExpressionInPostStateHelper(exp.UnaryArgument, replaceReturnValue, overrideAccessModifiers, allowReturnValue, ref details);
if (rec == null)
{
return(null);
}
// Avoid copying the expression (optimization?)
if (rec == exp.UnaryArgument)
{
return(exp);
}
else
{
return(BoxedExpression.Unary(exp.UnaryOp, rec));
}
}
if (exp.IsBinary)
{
if (!exp.BinaryOp.IsComparisonBinaryOperator())
{
details.HasCompoundExp = true;
}
var recLeft = ExpressionInPostStateHelper(exp.BinaryLeft, replaceReturnValue, overrideAccessModifiers, allowReturnValue, ref details);
if (recLeft == null)
{
return(null);
}
var recRight = ExpressionInPostStateHelper(exp.BinaryRight, replaceReturnValue, overrideAccessModifiers, allowReturnValue, ref details);
if (recRight == null)
{
return(null);
}
// Heuristics to rule out trivial expressions arr.Length >= 0 or 0 <= arr.Length or this.Count >= 0 or 0 <= this.Count
int value;
if ((exp.BinaryOp == BinaryOperator.Cge && recLeft.IsArrayLengthOrThisDotCount(context.MethodContext.CFG.NormalExit, this.context, this.metaDataDecoder) && recRight.IsConstantInt(out value) && value == 0)
||
(exp.BinaryOp == BinaryOperator.Cle && recLeft.IsConstantInt(out value) && value == 0 && recRight.IsArrayLengthOrThisDotCount(context.MethodContext.CFG.NormalExit, this.context, this.metaDataDecoder)))
{
return(null);
}
if (recLeft == exp.BinaryLeft && recRight == exp.BinaryRight)
{
return(exp);
}
else
{
return(BoxedExpression.Binary(exp.BinaryOp, recLeft, recRight));
}
}
object t;
BoxedExpression array, index;
if (exp.IsArrayIndexExpression(out array, out index, out t) && t is Typ)
{
// Sanity check. We have a case with post-inference where the array and the index get swapped by the underlying framework
if (array.UnderlyingVariable is Variable)
{
var type = this.context.ValueContext.GetType(context.MethodContext.CFG.NormalExit, (Variable)array.UnderlyingVariable);
if (type.IsNormal && this.metaDataDecoder.IsArray(type.Value))
{
var arrayRef = ExpressionInPostStateHelper(array, replaceReturnValue, overrideAccessModifiers, allowReturnValue, ref details);
if (arrayRef != null)
{
var indexRef = ExpressionInPostStateHelper(index, replaceReturnValue, overrideAccessModifiers, allowReturnValue, ref details);
if (indexRef != null)
{
return(new BoxedExpression.ArrayIndexExpression <Typ>(arrayRef, indexRef, (Typ)t));
}
}
}
}
return(null);
}
// Unreachable?
return(null);
}
private static bool TrySplitBaseWBAndOffset <Local, Parameter, Method, Field, Property, Event, Type, Attribute, Assembly, Expression, Variable, LogOptions>
(
this IMethodDriver <Local, Parameter, Method, Field, Property, Event, Type, Attribute, Assembly, Expression, Variable, LogOptions> mdriver,
APC pc, Polynomial <BoxedVariable <Variable>, BoxedExpression> pol, out BoxedExpression basePtr, out BoxedExpression wbPtr, out BoxedExpression offset
)
where LogOptions : IFrameworkLogOptions
where Type : IEquatable <Type>
where Variable : IEquatable <Variable>
where Expression : IEquatable <Expression>
{
var foundAPointer = false;
var offsets = new List <Monomial <BoxedVariable <Variable> > >(pol.Left.Length);
var basePtrVar = default(Variable);
// 1. Fetch the pointer
foreach (var m in pol.Left)
{
BoxedVariable <Variable> tryVar;
Variable v;
if (m.IsVariable(out tryVar) && tryVar.TryUnpackVariable(out v))
{
var type = mdriver.Context.ValueContext.GetType(mdriver.Context.MethodContext.CFG.Post(pc), v);
if (type.IsNormal && (mdriver.MetaDataDecoder.IsUnmanagedPointer(type.Value) || mdriver.MetaDataDecoder.IsReferenceType(type.Value)))
{
basePtrVar = v;
Contract.Assume(foundAPointer == false);
foundAPointer = true;
continue;
}
}
offsets.Add(m);
}
if (!foundAPointer)
{
basePtr = offset = wbPtr = default(BoxedExpression);
return(false);
}
// 2. Get the WB
Variable varForWB;
if (!mdriver.Context.ValueContext.TryGetWritableBytes(mdriver.Context.MethodContext.CFG.Post(pc), basePtrVar, out varForWB))
{
basePtr = offset = wbPtr = default(BoxedExpression);
return(false);
}
// 3. Construct the offset
Polynomial <BoxedVariable <Variable>, BoxedExpression> tmpPol;
if (!Polynomial <BoxedVariable <Variable>, BoxedExpression> .TryToPolynomialForm(offsets.ToArray(), out tmpPol))
{
throw new AbstractInterpretationException("Impossible case?");
}
basePtr = BoxedExpression.Var(basePtrVar);
wbPtr = BoxedExpression.Var(varForWB);
offset = tmpPol.ToPureExpression(mdriver.BoxedEncoder());
return(true);
}
protected BoxedExpression.BinaryExpressionMethodCall MakeMethodCallExpression(Method method, Variable var, FList <PathElement> accessPath)
{
return(new BoxedExpression.BinaryExpressionMethodCall(/* dummy? */ BinaryOperator.Add,
BoxedExpression.Var(var, accessPath, this.Mdriver.MetaDataDecoder.System_Object), this.Mdriver.MetaDataDecoder.Name(method)));
}
protected bool TryInferNonRelationalProperty(BoxedExpression index, BoxedExpression body,
INumericalAbstractDomain <BoxedVariable <Variable>, BoxedExpression> dom,
out BoxedExpression array, out NonRelationalValueAbstraction <BoxedVariable <Variable>, BoxedExpression> elementsProperty)
{
Contract.Ensures(!Contract.Result <bool>() || Contract.ValueAtReturn(out array) != null);
Contract.Ensures(!Contract.Result <bool>() || Contract.ValueAtReturn(out elementsProperty) != null);
BoxedExpression.ArrayIndexExpression <Type> arrayExp;
if (body.TryFindArrayExp(index, out arrayExp))
{
array = arrayExp.Array;
Contract.Assert(array != null);
var slackVar = new BoxedVariable <Variable>(true);
var slackExp = BoxedExpression.Var(slackVar);
var renamedBody = body.Substitute(arrayExp, slackExp);
var nonTrivial = false;
var symbolicConditions = SymbolicExpressionTracker <BoxedVariable <Variable>, BoxedExpression> .Unknown;
var equalities = SetOfConstraints <BoxedVariable <Variable> > .Unknown;
var disequalities = SetOfConstraints <BoxedVariable <Variable> > .Unknown;
var weakUpperBounds = SetOfConstraints <BoxedVariable <Variable> > .Unknown;
var strictUpperBounds = SetOfConstraints <BoxedVariable <Variable> > .Unknown;
var existential = SetOfConstraints <BoxedVariable <Variable> > .Unknown;
#region Look for an interval
var augmentedDom = dom.TestTrue(renamedBody) as INumericalAbstractDomain <BoxedVariable <Variable>, BoxedExpression>;
var intv = augmentedDom.BoundsFor(slackVar);
if (intv.IsNormal)
{
nonTrivial = true;
}
// TODO: upgrade the non-relational values to disintervals, to avoid those checks
if (intv.IsTop && augmentedDom.CheckIfNonZero(slackExp).IsTrue())
{
intv = DisInterval.For(1);
nonTrivial = true;
}
#endregion
#region Look for equalities
BoxedExpression left, right;
if (renamedBody.IsCheckExp1EqExp2(out left, out right))
{
Variable eq;
// a[i] == v
if (
(left.Equals(slackExp) && right.TryGetFrameworkVariable(out eq))
||
(right.Equals(slackExp) && left.TryGetFrameworkVariable(out eq))
)
{
equalities = new SetOfConstraints <BoxedVariable <Variable> >(ToBoxedVariable(eq));
nonTrivial = true;
}
}
#endregion
if (nonTrivial)
{
elementsProperty = new NonRelationalValueAbstraction <BoxedVariable <Variable>, BoxedExpression>(
intv, symbolicConditions, equalities, disequalities, weakUpperBounds, strictUpperBounds, existential);
return(true);
}
else
{
elementsProperty = default(NonRelationalValueAbstraction <BoxedVariable <Variable>, BoxedExpression>);
return(false);
}
}
array = default(BoxedExpression);
elementsProperty = default(NonRelationalValueAbstraction <BoxedVariable <Variable>, BoxedExpression>);
return(false);
}
public BoxedExpression VariableFor(BoxedVariable <TVar> var)
{
return(BoxedExpression.Var(var));
}
