Merge pull request #7313 from thomasspriggs/tas/dynamic_object

Add support for `__CPROVER_DYNAMIC_OBJECT` to incremental SMT decision procedure

Author: thomasspriggs

regression/cbmc-incr-smt2/dynamic-memory/assert_dynamic.c

@@ -0,0 +1,17 @@
+#include <assert.h>
+#include <stdbool.h>
+#include <stdlib.h>
+
+bool nondet_bool();
+
+void main()
+{
+  char local;
+  void *pointer = &local;
+  const bool make_dynamic = nondet_bool();
+  if(make_dynamic)
+  {
+    pointer = malloc(1);
+  }
+  assert(__CPROVER_DYNAMIC_OBJECT(pointer));
+}

regression/cbmc-incr-smt2/dynamic-memory/assert_dynamic.desc

@@ -0,0 +1,11 @@
+CORE
+assert_dynamic.c
+--trace
+Passing problem to incremental SMT2 solving
+line 16 assertion __CPROVER_DYNAMIC_OBJECT\(pointer\)\: FAILURE
+make_dynamic\=FALSE
+^EXIT=10$
+^SIGNAL=0$
+--
+make_dynamic\=TRUE
+--

regression/cbmc-incr-smt2/dynamic-memory/assert_not_dynamic.c

@@ -0,0 +1,17 @@
+#include <assert.h>
+#include <stdbool.h>
+#include <stdlib.h>
+
+bool nondet_bool();
+
+void main()
+{
+  char local;
+  void *pointer = &local;
+  const bool make_dynamic = nondet_bool();
+  if(make_dynamic)
+  {
+    pointer = malloc(1);
+  }
+  assert(!__CPROVER_DYNAMIC_OBJECT(pointer));
+}

regression/cbmc-incr-smt2/dynamic-memory/assert_not_dynamic.desc

@@ -0,0 +1,11 @@
+CORE
+assert_not_dynamic.c
+--trace
+Passing problem to incremental SMT2 solving
+line 16 assertion \!__CPROVER_DYNAMIC_OBJECT\(pointer\)\: FAILURE
+make_dynamic\=TRUE
+^EXIT=10$
+^SIGNAL=0$
+--
+make_dynamic\=FALSE
+--

regression/cbmc-incr-smt2/dynamic-memory/valid.c

@@ -0,0 +1,17 @@
+#include <assert.h>
+#include <stdbool.h>
+#include <stdlib.h>
+
+bool nondet_bool();
+
+void main()
+{
+  char local;
+  void *pointer = &local;
+  const bool make_dynamic = nondet_bool();
+  if(make_dynamic)
+  {
+    pointer = malloc(1);
+  }
+  assert(make_dynamic || !__CPROVER_DYNAMIC_OBJECT(pointer));
+}

regression/cbmc-incr-smt2/dynamic-memory/valid.desc

@@ -0,0 +1,10 @@
+CORE
+valid.c
+--trace
+Passing problem to incremental SMT2 solving
+line 16 assertion make_dynamic \|\| \!__CPROVER_DYNAMIC_OBJECT\(pointer\)\: SUCCESS
+VERIFICATION SUCCESSFUL
+^EXIT=0$
+^SIGNAL=0$
+--
+--

src/solvers/Makefile

@@ -203,6 +203,7 @@ SRC = $(BOOLEFORCE_SRC) \
       smt2_incremental/convert_expr_to_smt.cpp \
       smt2_incremental/object_tracking.cpp \
       smt2_incremental/type_size_mapping.cpp \
+      smt2_incremental/smt_is_dynamic_object.cpp \
       smt2_incremental/smt_object_size.cpp \
       smt2_incremental/smt_response_validation.cpp \
       smt2_incremental/smt_solver_process.cpp \

src/solvers/smt2_incremental/convert_expr_to_smt.cpp

@@ -1042,11 +1042,18 @@ static smt_termt convert_expr_to_smt(
 
 static smt_termt convert_expr_to_smt(
   const is_dynamic_object_exprt &is_dynamic_object,
-  const sub_expression_mapt &converted)
+  const sub_expression_mapt &converted,
+  const smt_is_dynamic_objectt::make_applicationt &apply_is_dynamic_object)
 {
-  UNIMPLEMENTED_FEATURE(
-    "Generation of SMT formula for is dynamic object expression: " +
-    is_dynamic_object.pretty());
+  const smt_termt &pointer = converted.at(is_dynamic_object.address());
+  const auto pointer_sort = pointer.get_sort().cast<smt_bit_vector_sortt>();
+  INVARIANT(
+    pointer_sort, "Pointers should be encoded as bit vector sorted terms.");
+  const std::size_t pointer_width = pointer_sort->bit_width();
+  return apply_is_dynamic_object(
+    std::vector<smt_termt>{smt_bit_vector_theoryt::extract(
+      pointer_width - 1,
+      pointer_width - config.bv_encoding.object_bits)(pointer)});
 }
 
 static smt_termt convert_expr_to_smt(
@@ -1458,7 +1465,8 @@ static smt_termt dispatch_expr_to_smt_conversion(
   const sub_expression_mapt &converted,
   const smt_object_mapt &object_map,
   const type_size_mapt &pointer_sizes,
-  const smt_object_sizet::make_applicationt &call_object_size)
+  const smt_object_sizet::make_applicationt &call_object_size,
+  const smt_is_dynamic_objectt::make_applicationt &apply_is_dynamic_object)
 {
   if(const auto symbol = expr_try_dynamic_cast<symbol_exprt>(expr))
   {
@@ -1660,7 +1668,8 @@ static smt_termt dispatch_expr_to_smt_conversion(
     const auto is_dynamic_object =
       expr_try_dynamic_cast<is_dynamic_object_exprt>(expr))
   {
-    return convert_expr_to_smt(*is_dynamic_object, converted);
+    return convert_expr_to_smt(
+      *is_dynamic_object, converted, apply_is_dynamic_object);
   }
   if(
     const auto is_invalid_pointer =
@@ -1837,7 +1846,8 @@ smt_termt convert_expr_to_smt(
   const exprt &expr,
   const smt_object_mapt &object_map,
   const type_size_mapt &pointer_sizes,
-  const smt_object_sizet::make_applicationt &object_size)
+  const smt_object_sizet::make_applicationt &object_size,
+  const smt_is_dynamic_objectt::make_applicationt &is_dynamic_object)
 {
 #ifndef CPROVER_INVARIANT_DO_NOT_CHECK
   static bool in_conversion = false;
@@ -1856,7 +1866,12 @@ smt_termt convert_expr_to_smt(
     if(find_result != sub_expression_map.cend())
       return;
     smt_termt term = dispatch_expr_to_smt_conversion(
-      expr, sub_expression_map, object_map, pointer_sizes, object_size);
+      expr,
+      sub_expression_map,
+      object_map,
+      pointer_sizes,
+      object_size,
+      is_dynamic_object);
     sub_expression_map.emplace_hint(find_result, expr, std::move(term));
   });
   return std::move(sub_expression_map.at(lowered_expr));

src/solvers/smt2_incremental/convert_expr_to_smt.h

@@ -6,6 +6,7 @@
 #include <solvers/smt2_incremental/ast/smt_sorts.h>
 #include <solvers/smt2_incremental/ast/smt_terms.h>
 #include <solvers/smt2_incremental/object_tracking.h>
+#include <solvers/smt2_incremental/smt_is_dynamic_object.h>
 #include <solvers/smt2_incremental/smt_object_size.h>
 #include <solvers/smt2_incremental/type_size_mapping.h>
 
@@ -27,6 +28,7 @@ smt_termt convert_expr_to_smt(
   const exprt &expression,
   const smt_object_mapt &object_map,
   const type_size_mapt &pointer_sizes,
-  const smt_object_sizet::make_applicationt &object_size);
+  const smt_object_sizet::make_applicationt &object_size,
+  const smt_is_dynamic_objectt::make_applicationt &is_dynamic_object);
 
 #endif // CPROVER_SOLVERS_SMT2_INCREMENTAL_CONVERT_EXPR_TO_SMT_H

src/solvers/smt2_incremental/object_tracking.cpp

@@ -5,6 +5,8 @@
 #include <util/arith_tools.h>
 #include <util/c_types.h>
 #include <util/pointer_offset_size.h>
+#include <util/pointer_predicates.h>
+#include <util/prefix.h>
 #include <util/std_code.h>
 #include <util/std_expr.h>
 #include <util/string_constant.h>
@@ -49,6 +51,7 @@ static decision_procedure_objectt make_null_object()
   null_object.unique_id = 0;
   null_object.base_expression = null_pointer_exprt{pointer_type(void_type())};
   null_object.size = from_integer(0, size_type());
+  null_object.is_dynamic = false;
   return null_object;
 }
 
@@ -60,6 +63,7 @@ static decision_procedure_objectt make_invalid_pointer_object()
   invalid_pointer_object.unique_id = 1;
   invalid_pointer_object.base_expression = make_invalid_pointer_expr();
   invalid_pointer_object.size = from_integer(0, size_type());
+  invalid_pointer_object.is_dynamic = false;
   return invalid_pointer_object;
 }
 
@@ -77,6 +81,23 @@ smt_object_mapt initial_smt_object_map()
   return object_map;
 }
 
+/// This function returns true for heap allocated objects or false for stack
+/// allocated objects.
+static bool is_dynamic(const exprt &object)
+{
+  // This check corresponds to the symbols created in
+  // `goto_symext::symex_allocate`, which implements the `__CPROVER_allocate`
+  // intrinsic function used by the standard library models.
+  const bool dynamic_type = object.type().get_bool(ID_C_dynamic);
+  if(dynamic_type)
+    return true;
+  const auto symbol = expr_try_dynamic_cast<symbol_exprt>(object);
+  bool symbol_is_dynamic =
+    symbol &&
+    has_prefix(id2string(symbol->get_identifier()), SYMEX_DYNAMIC_PREFIX);
+  return symbol_is_dynamic;
+}
+
 void track_expression_objects(
   const exprt &expression,
   const namespacet &ns,
@@ -93,6 +114,7 @@ void track_expression_objects(
       object.base_expression = object_base;
       object.unique_id = object_map.size();
       object.size = *size;
+      object.is_dynamic = is_dynamic(object_base);
       object_map.emplace_hint(find_result, object_base, std::move(object));
     });
 }