Source: from_compute.ml (p.frama-c.28.0.doc.src.frama-c-from.core)

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669(**************************************************************************) (* *) (* This file is part of Frama-C. *) (* *) (* Copyright (C) 2007-2023 *) (* CEA (Commissariat à l'énergie atomique et aux énergies *) (* alternatives) *) (* *) (* you can redistribute it and/or modify it under the terms of the GNU *) (* Lesser General Public License as published by the Free Software *) (* Foundation, version 2.1. *) (* *) (* It is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *) (* GNU Lesser General Public License for more details. *) (* *) (* See the GNU Lesser General Public License version 2.1 *) (* for more details (enclosed in the file licenses/LGPLv2.1). *) (* *) (**************************************************************************) open Cil_types open Cil open Cil_datatype open Abstract_interp open Locations exception Call_did_not_take_place module Record_From_Callbacks = Hook.Build (struct type t = (Kernel_function.t Stack.t) * Function_Froms.Memory.t Stmt.Hashtbl.t * (Kernel_function.t * Function_Froms.Memory.t) list Stmt.Hashtbl.t end) module type To_Use = sig val get_from_call : kernel_function -> stmt -> Function_Froms.t val stmt_request : stmt -> Eva.Results.request val keep_base : kernel_function -> Base.t -> bool val cleanup_and_save : kernel_function -> Function_Froms.t -> Function_Froms.t end let compute_using_prototype_for_state state kf assigns = let varinfo = Kernel_function.get_vi kf in let return_deps,deps = match assigns with | WritesAny -> From_parameters.warning "@[no assigns clauses@ for function %a.@]@ \ Results will be imprecise." Kernel_function.pretty kf; Function_Froms.Memory.(top_return, top) | Writes assigns -> let (rt_typ,_,_,_) = splitFunctionTypeVI varinfo in let input_zone out ins = (* Technically out is unused, but there is a signature problem *) Eva.Logic_inout.assigns_inputs_to_zone state (Writes [out, ins]) in let treat_assign acc (out, ins) = let output = Eva.Logic_inout.assigns_tlval_to_zones state Write out.it_content in match output with | None -> From_parameters.result ~once:true ~current:true "Unable to extract assigns in %a" Kernel_function.pretty kf; acc | Some output -> let input_zone = input_zone out ins in (* assign clauses do not let us specify address dependencies for now, so we assume it is all data dependencies *) let input_deps = Function_Froms.Deps.from_data_deps input_zone in (* Weak update of the over-approximation of the zones assigned *) let acc = Function_Froms.Memory.add_binding ~exact:false acc output.over input_deps in (* Now, perform a strong update on the zones that are guaranteed to be assigned (under-approximation) AND that do not depend on themselves. Note: here we remove an overapproximation from an underapproximation to get an underapproximation, which is not the usual direction. It works here because diff on non-top zones is an exact operation. *) let sure_out_zone = Zone.(if equal top input_zone then bottom else diff output.under input_zone) in let acc = Function_Froms.Memory.add_binding ~exact:true acc sure_out_zone input_deps in acc in let treat_ret_assign acc (out, from) = let zone_from = input_zone out from in (* assign clauses do not let us specify address dependencies for now, so we assume it is all data dependencies *) let inputs_deps = Function_Froms.Deps.from_data_deps zone_from in try let coffs = Logic_to_c.loc_to_offset out.it_content in List.fold_left (fun acc coff -> let (base,width) = bitsOffset rt_typ coff in let size = Int_Base.inject (Int.of_int width) in Function_Froms.Memory.(add_to_return ~start:base ~size ~m:acc inputs_deps) ) acc coffs with Logic_to_c.No_conversion | SizeOfError _ -> From_parameters.result ~once:true ~current:true "Unable to extract a proper offset. \ Using FROM for the whole \\result"; let size = Bit_utils.sizeof rt_typ in Function_Froms.(Memory.add_to_return ~size ~m:acc inputs_deps) in let return_assigns, other_assigns = List.fold_left (fun (ra,oa) (loc,_ as a) -> if Logic_utils.is_result loc.it_content then a::ra,oa else ra,a::oa) ([],[]) assigns in let return_assigns = match return_assigns with | [] when Cil.isVoidType rt_typ -> Function_Froms.Memory.default_return | [] -> (* \from unspecified. *) let size = Bit_utils.sizeof rt_typ in Function_Froms.Memory.top_return_size size | _ -> List.fold_left treat_ret_assign Function_Froms.Memory.default_return return_assigns in return_assigns, List.fold_left treat_assign Function_Froms.Memory.empty other_assigns in { deps_return = return_deps; Function_Froms.deps_table = deps } module ZoneStmtMap = struct include Hptmap.Make(Stmt_Id)(Zone)(Hptmap.Comp_unused) (struct let v = [[]] end) (struct let l = [Ast.self] end) let join = let decide _k z1 z2 = Zone.join z1 z2 in join ~cache:(Hptmap_sig.PersistentCache "From_compute.ZoneStmtMap.join") ~symmetric:true ~idempotent:true ~decide end module Make (To_Use: To_Use) = struct type t' = { additional_deps_table : ZoneStmtMap.t; (** Additional control dependencies to add to all modified variables, coming from the control statements encountered so far (If, Switch). The statement information is used to remove the dependencies that are no longer useful, when we reach a statement that post-dominates the statement that gave rise to the dependency. *) additional_deps : Zone.t; (** Union of the sets in {!additional_deps_table} *) deps_table : Function_Froms.Memory.t (** dependency table *) } let call_stack : kernel_function Stack.t = Stack.create () (** Stack of function being processed *) (** Recreate the [additional_deps] field from [additional_deps_table] *) let rebuild_additional_deps map = ZoneStmtMap.fold (fun _ z accz -> Zone.join z accz) map Zone.bottom (** given a [Function_Froms.Deps.t], apply [f] on both components and merge the result: depending directly on an indirect dependency -> indirect, depending indirectly on a direct dependency -> indirect *) let merge_deps f deps = let open Function_Froms.Deps in let ind = f deps.indirect in let data = f deps.data in let ind = Zone.join data.indirect (to_zone ind) in let data = data.data in { data = data; indirect = ind } (** Bind all the variables of [b] to [Assigned \from \nothing]. This function is always called on local variables. We do *not* want to bind a local variable [v] to Unassigned, as otherwise we could get some dependencies that refer to [v] (when [v] is not guaranteed to be always assigned, or for padding in local structs), and that would need to be removed when v goes out of scope. Moreover, semantically, [v] *is* assigned (albeit to "uninitialized", which represents an indefinite part of the stack). We do not attempts to track this "uninitialized" information in From, as this is redundant with the work done by Value -- hence the use of [\nothing].*) let bind_locals m b = let aux_local acc vi = Cil.CurrentLoc.set vi.vdecl; (* Consider that local are initialized to a constant value *) Function_Froms.Memory.bind_var vi Function_Froms.Deps.bottom acc in let loc = Cil.CurrentLoc.get () in let r = List.fold_left aux_local m b.blocals in Cil.CurrentLoc.set loc; r let unbind_locals m b = let aux_local acc vi = Function_Froms.Memory.unbind_var vi acc in List.fold_left aux_local m b.blocals let find stmt deps_tbl expr = let request = To_Use.stmt_request stmt in let pre_trans = Eva.Results.expr_dependencies expr request in merge_deps (fun d -> Function_Froms.Memory.find_precise deps_tbl d) pre_trans let lval_to_zone_with_deps stmt lv = let request = To_Use.stmt_request stmt in Eva.Results.lval_deps lv request let lval_to_precise_loc_with_deps stmt ~for_writing lv = let request = To_Use.stmt_request stmt in let deps = Eva.Results.address_deps lv request in let address = Eva.Results.eval_address ~for_writing lv request in let loc = Eva.Results.as_precise_loc address and exact = Eva.Results.(is_singleton address || is_bottom address) in deps, loc, exact let empty_from = { additional_deps_table = ZoneStmtMap.empty; additional_deps = Zone.bottom; deps_table = Function_Froms.Memory.empty } let bottom_from = { additional_deps_table = ZoneStmtMap.empty; additional_deps = Zone.bottom; deps_table = Function_Froms.Memory.bottom } module Computer = struct type t = t' let bottom = bottom_from;; let callwise_states_with_formals = Stmt.Hashtbl.create 7 let substitute call_site_froms extra_loc deps = let subst_deps = Function_Froms.Memory.substitute call_site_froms deps in Function_Froms.Deps.add_indirect_dep subst_deps extra_loc let display_one_from fmt v = Function_Froms.Memory.pretty fmt v.deps_table; Format.fprintf fmt "Additional Variable Map : %a@\n" ZoneStmtMap.pretty v.additional_deps_table; Format.fprintf fmt "Additional Variable Map Set : %a@\n" Zone.pretty v.additional_deps let pretty fmt (v: t) = display_one_from fmt v let transfer_conditional_exp s exp state = let additional = find s state.deps_table exp in let additional = Function_Froms.Deps.to_zone additional in {state with additional_deps_table = ZoneStmtMap.add s additional state.additional_deps_table; additional_deps = Zone.join additional state.additional_deps } let join_and_is_included new_ old = let additional_map, additional_zone, included = let mold = old.additional_deps_table in let mnew = new_.additional_deps_table in let zold = old.additional_deps in let m = ZoneStmtMap.join mnew mold in if ZoneStmtMap.equal m mold then mold, zold, true else let new_z = Zone.join old.additional_deps new_.additional_deps in m, new_z, false in let map = Function_Froms.Memory.join new_.deps_table old.deps_table in let included' = Function_Froms.Memory.is_included new_.deps_table old.deps_table in { deps_table = map; additional_deps_table = additional_map; additional_deps = additional_zone; }, included && included' let join old new_ = fst (join_and_is_included old new_) let is_included old new_ = snd (join_and_is_included old new_) (** Handle an assignment [lv = ...], the dependencies of the right-hand side being stored in [deps_right]. [init] is true for a local initialization, in which case the left location is not reduced to its valid part for a writing, in order to keep the const local variables. *) let transfer_assign stmt ~init lv deps_right state = (* The assigned location is [loc], whose address is computed from [deps]. *) let deps, loc, exact = lval_to_precise_loc_with_deps stmt ~for_writing:(not init) lv in let deps_of_deps = Function_Froms.Memory.find state.deps_table deps in let all_indirect = Zone.join state.additional_deps deps_of_deps in let deps = Function_Froms.Deps.add_indirect_dep deps_right all_indirect in let access = if init then Read else Write in { state with deps_table = Function_Froms.Memory.add_binding_precise_loc ~exact access state.deps_table loc deps } let transfer_call stmt dest f args _loc state = Db.yield (); let request = To_Use.stmt_request stmt in let called_vinfos = Eva.Results.(eval_callee f request |> default []) in let f_deps = Eva.Results.expr_deps f request in (* dependencies for the evaluation of [f] *) let f_deps = Function_Froms.Memory.find state.deps_table f_deps in let additional_deps = Zone.join state.additional_deps f_deps in let args_froms = List.map (fun arg -> (* TODO : dependencies on subfields for structs *) find stmt state.deps_table arg) args in let states_with_formals = ref [] in let do_on kf = let called_vinfo = Kernel_function.get_vi kf in if Ast_info.is_frama_c_builtin called_vinfo.vname then state else let froms_call = To_Use.get_from_call kf stmt in let froms_call_table = froms_call.Function_Froms.deps_table in if Function_Froms.Memory.is_bottom froms_call_table then bottom_from else let formal_args = Kernel_function.get_formals kf in let state_with_formals = ref state.deps_table in begin try List.iter2 (fun vi from -> state_with_formals := Function_Froms.Memory.bind_var vi from !state_with_formals; ) formal_args args_froms; with Invalid_argument _ -> From_parameters.warning ~once:true ~current:true "variadic call detected. Using only %d argument(s)." (min (List.length formal_args) (List.length args_froms)) end; if not (Record_From_Callbacks.is_empty ()) then states_with_formals := (kf, !state_with_formals) :: !states_with_formals; let subst_before_call = substitute !state_with_formals additional_deps in (* From state just after the call, but before the result assignment *) let deps_after_call = let before_call = state.deps_table in let open Function_Froms in let subst d = DepsOrUnassigned.subst subst_before_call d in let call_substituted = Memory.map subst froms_call_table in Memory.compose call_substituted before_call in let state = {state with deps_table = deps_after_call } in (* Treatement for the possible assignment of the call result *) match dest with | None -> state | Some lv -> let return_from = froms_call.Function_Froms.deps_return in let deps_ret = subst_before_call return_from in let init = Cil.is_mutable_or_initialized lv in transfer_assign stmt ~init lv deps_ret state in let f acc f = let p = do_on f in match acc with | None -> Some p | Some acc_memory -> Some {state with deps_table = Function_Froms.Memory.join p.deps_table acc_memory.deps_table} in let result = try (match List.fold_left f None called_vinfos with | None -> state | Some s -> s); with Call_did_not_take_place -> state in if not (Record_From_Callbacks.is_empty ()) then Stmt.Hashtbl.replace callwise_states_with_formals stmt !states_with_formals; result let transfer_instr stmt (i: instr) (state: t) = Db.yield (); match i with | Set (lv, exp, _) -> let comp_vars = find stmt state.deps_table exp in let init = Cil.is_mutable_or_initialized lv in transfer_assign stmt ~init lv comp_vars state | Local_init(v, AssignInit i, _) -> let rec aux lv i acc = let doinit o i _ state = aux (Cil.addOffsetLval o lv) i state in match i with | SingleInit e -> let comp_vars = find stmt acc.deps_table e in transfer_assign stmt ~init:true lv comp_vars acc | CompoundInit (ct, initl) -> (* To avoid a performance issue, do not fold implicit initializers of scalar or large arrays. We still use implicit initializers for small struct arrays, as this may be more precise in case of padding bits. The 100 limit is arbitrary. *) let implicit = not (Cil.isArrayType ct && (Cil.isArithmeticOrPointerType (Cil.typeOf_array_elem ct) || Ast_info.array_size ct > (Integer.of_int 100))) in let r = Cil.foldLeftCompound ~implicit ~doinit ~ct ~initl ~acc in if implicit then r else (* If implicit zero-initializers have been skipped, also mark the entire array as initialized from no dependency (nothing is read by the implicit zero-initializers). *) transfer_assign stmt ~init:true lv Function_Froms.Deps.bottom r in aux (Cil.var v) i state | Call (lvaloption,funcexp,argl,loc) -> transfer_call stmt lvaloption funcexp argl loc state | Local_init (v, ConsInit(f, args, kind), loc) -> Cil.treat_constructor_as_func (transfer_call stmt) v f args kind loc state | Asm _ | Code_annot _ | Skip _ -> state let transfer_guard s e d = let request = To_Use.stmt_request s in let interpreted_e = Eva.Results.(eval_exp e request |> as_cvalue) in let t1 = unrollType (typeOf e) in let do_then, do_else = if isIntegralType t1 || isPointerType t1 then Cvalue.V.contains_non_zero interpreted_e, Cvalue.V.contains_zero interpreted_e else true, true (* TODO: a float condition is true iff != 0.0 *) in (if do_then then d else bottom), (if do_else then d else bottom) ;; (* Eliminate additional variables originating from a control-flow branching statement closing at [s]. *) let eliminate_additional s data = let kf = Stack.top call_stack in let map = data.additional_deps_table in let map' = ZoneStmtMap.fold (fun k _v acc_map -> if !Db.Postdominators.is_postdominator kf ~opening:k ~closing:s then ZoneStmtMap.remove k acc_map else acc_map ) map map in if not (map == map') then { data with additional_deps_table = map'; additional_deps = rebuild_additional_deps map'; } else data let transfer_stmt s data = let data = eliminate_additional s data in let map_on_all_succs new_data = List.map (fun x -> (x,new_data)) s.succs in match s.skind with | Instr i -> map_on_all_succs (transfer_instr s i data) | If(exp,_,_,_) -> let data = transfer_conditional_exp s exp data in Dataflows.transfer_if_from_guard transfer_guard s data | Switch(exp,_,_,_) -> let data = transfer_conditional_exp s exp data in Dataflows.transfer_switch_from_guard transfer_guard s data | Return _ | Throw _ -> [] | UnspecifiedSequence _ | Loop _ | Block _ | Goto _ | Break _ | Continue _ | TryExcept _ | TryFinally _ | TryCatch _ -> map_on_all_succs data ;; (* Filter out unreachable values. *) let transfer_stmt s d = if Eva.Results.is_reachable s && not (Function_Froms.Memory.is_bottom d.deps_table) then transfer_stmt s d else [] let doEdge s succ d = if Eva.Results.is_reachable succ then let dt = d.deps_table in let opened = Kernel_function.blocks_opened_by_edge s succ in let closed = Kernel_function.blocks_closed_by_edge s succ in let dt = List.fold_left bind_locals dt opened in let dt = List.fold_left unbind_locals dt closed in { d with deps_table = dt } else bottom_from (* Filter the outgoing data using doEdge. *) let transfer_stmt s d = let ds = transfer_stmt s d in List.map (fun (succ, d) -> (succ, doEdge s succ d)) ds ;; end (* Remove all local variables and formals from table *) let externalize return kf state = let deps_return = (match return.skind with | Return (Some ({enode = Lval v}),_) -> let zone = lval_to_zone_with_deps return v in let deps = Function_Froms.Memory.find_precise state.deps_table zone in let size = Bit_utils.sizeof (Cil.typeOfLval v) in Function_Froms.(Memory.add_to_return ~size deps) | Return (None,_) -> Function_Froms.Memory.default_return | _ -> assert false) in let accept = To_Use.keep_base kf in let deps_table = Function_Froms.Memory.filter_base accept state.deps_table in { deps_return = deps_return; Function_Froms.deps_table = deps_table } let compute_using_cfg kf = match kf.fundec with | Declaration _ -> assert false | Definition (f,_) -> if not (Eva.Analysis.save_results kf) then Function_Froms.top else try Stack.iter (fun g -> if kf == g then raise Exit) call_stack; Stack.push kf call_stack; let state = { empty_from with deps_table = bind_locals empty_from.deps_table f.sbody } in let module Fenv = (val Dataflows.function_env kf: Dataflows.FUNCTION_ENV) in let module Dataflow_arg = struct include Computer let init = [(Kernel_function.find_first_stmt kf, state)] end in let module Compute = Dataflows.Simple_forward(Fenv)(Dataflow_arg) in let ret_id = Kernel_function.find_return kf in if not (Record_From_Callbacks.is_empty ()) then begin From_parameters.feedback "Now calling From callbacks"; let states = Stmt.Hashtbl.create Fenv.nb_stmts in Compute.iter_on_result (fun k record -> Stmt.Hashtbl.add states k record.deps_table); Record_From_Callbacks.apply (call_stack, states, Dataflow_arg.callwise_states_with_formals) end; let _poped = Stack.pop call_stack in let last_from = try if Eva.Results.is_reachable ret_id then externalize ret_id kf Compute.before.(Fenv.to_ordered ret_id) else raise Not_found with Not_found -> begin From_parameters.result "Non-terminating function %a (no dependencies)" Kernel_function.pretty kf; { Function_Froms.deps_return = Function_Froms.Memory.default_return; deps_table = Function_Froms.Memory.bottom } end in last_from with Exit (* Recursive call *) -> { Function_Froms.deps_return = Function_Froms.Memory.default_return; deps_table = Function_Froms.Memory.empty } let compute_using_prototype kf = let state = Eva.Results.(at_start_of kf |> get_cvalue_model) in let behaviors = Eva.Logic_inout.valid_behaviors kf state in let assigns = Ast_info.merge_assigns behaviors in compute_using_prototype_for_state state kf assigns let compute_and_return kf = let call_site_loc = CurrentLoc.get () in From_parameters.feedback "Computing for function %a%s" Kernel_function.pretty kf (let s = ref "" in Stack.iter (fun kf -> s := !s^" <-"^(Format.asprintf "%a" Kernel_function.pretty kf)) call_stack; !s); Db.yield (); let result = if Eva.Analysis.use_spec_instead_of_definition kf then compute_using_prototype kf else compute_using_cfg kf in let result = To_Use.cleanup_and_save kf result in From_parameters.feedback "Done for function %a" Kernel_function.pretty kf; Db.yield (); CurrentLoc.set call_site_loc; result let compute kf = Eva.Analysis.compute (); ignore (compute_and_return kf) end (* Local Variables: compile-command: "make -C ../../.." End: *)