This is the basic interface of the abstract interpreter with default implementations of the core functionality.
More...
#include <ai.h>
+ Inheritance diagram for ai_baset:
+ Collaboration diagram for ai_baset:
Run abstract interpretation on a single function.
Run abstract interpretation on a whole program.
Run abstract interpretation on a whole program.
Run abstract interpretation on a single function.
Returns all of the histories that have reached the start of the instruction.
Returns all of the histories that have reached the end of the instruction.
Get a copy of the abstract state before the given instruction, without needing to know what kind of domain or history is used.
Get a copy of the abstract state after the given instruction, without needing to know what kind of domain or history is used.
The same interfaces but with histories.
Reset the abstract state.
Output the abstract states for a single function.
Output the abstract states for a single function as JSON.
Output the abstract states for a single function as XML.
Output the abstract states for a whole program.
Output the abstract states for a whole program.
Output the abstract states for a function.
Output the abstract states for the whole program as JSON.
Output the abstract states for a whole program as JSON.
Output the abstract states for a single function as JSON.
Output the abstract states for a single function as JSON.
Output the abstract states for the whole program as XML.
Output the abstract states for the whole program as XML.
Output the abstract states for a single function as XML.
Output the abstract states for a single function as XML.
The work queue, sorted using the history's ordering operator.
Protected Member Functions
Initialize all the abstract states for a single function.
Initialize all the abstract states for a single function.
Initialize all the abstract states for a whole program.
Override this to add a cleanup or post-processing step after fixedpoint has run.
Set the abstract state of the entry location of a single function to the entry state required by the analysis.
Set the abstract state of the entry location of a whole program to the entry state required by the analysis.
Get the next location from the work queue.
Run the fixedpoint algorithm until it reaches a fixed point.
Perform one step of abstract interpretation from trace t Depending on the instruction type it may compute a number of "edges" or applications of the abstract transformer.
Merge the state src, flowing from tracet from to tracet to, into the state currently stored for tracet to.
Make a copy of a state.
Get the state for the given history, creating it with the factory if it doesn't exist.
For creating history objects.
For creating domain objects.
Detailed Description
This is the basic interface of the abstract interpreter with default implementations of the core functionality.
Users of abstract interpreters should use the interface given by this class. It breaks into three categories:
- Running an analysis, via operator()(const irep_idt&,const goto_programt&, const namespacet&), ai_baset::operator()(const goto_functionst&,const namespacet&) and ai_baset::operator()(const abstract_goto_modelt&)
- Accessing the results of an analysis, by looking up the history objects for a given location
l using ai_baset::abstract_traces_before(locationt)const or the domains using ai_baset::abstract_state_before(locationt)const
- Outputting the results of the analysis; see ai_baset::output(const namespacet&, const irep_idt&,
const goto_programt&, std::ostream&)const et cetera.
Where possible, uses should be agnostic of the particular configuration of the abstract interpreter. The "tasks" that goto-analyze uses are good examples of how to do this.
From a development point of view, there are several directions in which this can be extended by inheriting from ai_baset or one of its children:
A. To change how single edges are computed ait::visit_edge and ait::visit_edge_function_call ai_recursive_interproceduralt uses this to recurse to evaluate function calls rather than approximating them as ai_baset does.
B. To change how individual instructions are handled ait::visit() and related functions.
C. To change the way that the fixed point is computed ait::fixedpoint() concurrency_aware_ait does this to compute a fixed point over threads.
D. For pre-analysis initialization ait::initialize(const irep_idt&, const goto_programt&), ait::initialize(const irep_idt&,
const goto_functionst::goto_functiont&) and ait::initialize(const goto_functionst&),
E. For post-analysis cleanup ait::finalize(),
Historically, uses of abstract interpretation inherited from ait<domainT> and added the necessary functionality. This works (although care must be taken to respect the APIs of the various components – there are some hacks to support older analyses that didn't) but is discouraged in favour of having an object for the abstract interpreter and using its public API.
Definition at line 116 of file ai.h.
Member Typedef Documentation
◆ cstate_ptrt
Definition at line 120 of file ai.h.
◆ ctrace_set_ptrt
Definition at line 123 of file ai.h.
◆ locationt
Definition at line 124 of file ai.h.
◆ statet
Definition at line 119 of file ai.h.
◆ trace_ptrt
Definition at line 121 of file ai.h.
◆ trace_sett
Definition at line 122 of file ai.h.
◆ working_sett
The work queue, sorted using the history's ordering operator.
Definition at line 418 of file ai.h.
Constructor & Destructor Documentation
◆ ai_baset()
Definition at line 126 of file ai.h.
◆ ~ai_baset()
Definition at line 138 of file ai.h.
Member Function Documentation
◆ abstract_state_after() [1/2]
Definition at line 252 of file ai.h.
◆ abstract_state_after() [2/2]
Get a copy of the abstract state after the given instruction, without needing to know what kind of domain or history is used.
Note: intended for users of the abstract interpreter; derived classes should use get_state to access the actual underlying state.
- Parameters
-
l The location before which we want the abstract state
- Returns
- The abstract state after
l. We return a pointer to a copy as the method should be const and there are some non-trivial cases including merging abstract states, etc.
PRECONDITION(l is dereferenceable && std::next(l) is dereferenceable) Check relies on a DATA_INVARIANT of goto_programs
Definition at line 238 of file ai.h.
◆ abstract_state_before() [1/2]
The same interfaces but with histories.
Definition at line 247 of file ai.h.
◆ abstract_state_before() [2/2]
Get a copy of the abstract state before the given instruction, without needing to know what kind of domain or history is used.
Note: intended for users of the abstract interpreter; derived classes should use get_state to access the actual underlying state. PRECONDITION(l is dereferenceable)
- Parameters
-
l The location before which we want the abstract state
- Returns
- The abstract state before
l. We return a pointer to a copy as the method should be const and there are some non-trivial cases including merging abstract states, etc.
Definition at line 225 of file ai.h.
◆ abstract_traces_after()
◆ abstract_traces_before()
Returns all of the histories that have reached the start of the instruction.
PRECONDITION(l is dereferenceable)
- Parameters
-
l The location before which we want the set of histories
- Returns
- The set of histories before
l.
Definition at line 198 of file ai.h.
◆ clear()
Reset the abstract state.
Definition at line 269 of file ai.h.
◆ entry_state() [1/2]
Set the abstract state of the entry location of a whole program to the entry state required by the analysis.
Definition at line 165 of file ai.cpp.
◆ entry_state() [2/2]
Set the abstract state of the entry location of a single function to the entry state required by the analysis.
Definition at line 179 of file ai.cpp.
◆ finalize()
void ai_baset::finalize
(
)
protectedvirtual
◆ fixedpoint() [1/2]
◆ fixedpoint() [2/2]
Run the fixedpoint algorithm until it reaches a fixed point.
- Returns
- True if we found something new
Definition at line 232 of file ai.cpp.
◆ get_next()
Get the next location from the work queue.
Definition at line 214 of file ai.cpp.
◆ get_state()
Get the state for the given history, creating it with the factory if it doesn't exist.
Reimplemented in ait< domainT >, ait< constant_propagator_domaint >, ait< custom_bitvector_domaint >, ait< dep_graph_domaint >, ait< escape_domaint >, ait< global_may_alias_domaint >, ait< invariant_set_domaint >, ait< rd_range_domaint >, ait< uninitialized_domaint >, ait< VSDT >, and variable_sensitivity_dependence_grapht.
Definition at line 519 of file ai.h.
◆ initialize() [1/3]
◆ initialize() [2/3]
Initialize all the abstract states for a single function.
Definition at line 190 of file ai.cpp.
◆ initialize() [3/3]
◆ make_temporary_state()
Make a copy of a state.
Definition at line 509 of file ai.h.
◆ merge()
Merge the state src, flowing from tracet from to tracet to, into the state currently stored for tracet to.
Definition at line 502 of file ai.h.
◆ operator()() [1/4]
Run abstract interpretation on a whole program.
Definition at line 169 of file ai.h.
◆ operator()() [2/4]
Run abstract interpretation on a whole program.
Definition at line 157 of file ai.h.
◆ operator()() [3/4]
Run abstract interpretation on a single function.
Definition at line 180 of file ai.h.
◆ operator()() [4/4]
Run abstract interpretation on a single function.
Definition at line 143 of file ai.h.
◆ output() [1/4]
std::ostream &
out
)
const
inline
Output the abstract states for a whole program.
Definition at line 315 of file ai.h.
◆ output() [2/4]
std::ostream &
out
)
const
virtual
Output the abstract states for a whole program.
Definition at line 20 of file ai.cpp.
◆ output() [3/4]
std::ostream &
out
)
const
inline
Output the abstract states for a function.
Definition at line 324 of file ai.h.
◆ output() [4/4]
std::ostream &
out
)
const
virtual
Output the abstract states for a single function.
- Parameters
-
ns The namespace
function_id The identifier used to find a symbol to identify the goto_program's source language
goto_program The goto program
out The ostream to direct output to
Definition at line 39 of file ai.cpp.
◆ output_json() [1/5]
Output the abstract states for a whole program as JSON.
Definition at line 338 of file ai.h.
◆ output_json() [2/5]
Output the abstract states for the whole program as JSON.
Definition at line 61 of file ai.cpp.
◆ output_json() [3/5]
Output the abstract states for a single function as JSON.
Definition at line 354 of file ai.h.
◆ output_json() [4/5]
Output the abstract states for a single function as JSON.
Definition at line 346 of file ai.h.
◆ output_json() [5/5]
Output the abstract states for a single function as JSON.
- Parameters
-
ns The namespace
goto_program The goto program
function_id The identifier used to find a symbol to identify the source language
- Returns
- The JSON object
Definition at line 83 of file ai.cpp.
◆ output_xml() [1/5]
Output the abstract states for the whole program as XML.
Definition at line 367 of file ai.h.
◆ output_xml() [2/5]
Output the abstract states for the whole program as XML.
Definition at line 110 of file ai.cpp.
◆ output_xml() [3/5]
Output the abstract states for a single function as XML.
Definition at line 383 of file ai.h.
◆ output_xml() [4/5]
Output the abstract states for a single function as XML.
Definition at line 375 of file ai.h.
◆ output_xml() [5/5]
Output the abstract states for a single function as XML.
- Parameters
-
ns The namespace
goto_program The goto program
function_id The identifier used to find a symbol to identify the source language
- Returns
- The XML object
Definition at line 136 of file ai.cpp.
◆ put_in_working_set()
Definition at line 423 of file ai.h.
◆ visit()
Perform one step of abstract interpretation from trace t Depending on the instruction type it may compute a number of "edges" or applications of the abstract transformer.
- Returns
- True if the state was changed
Definition at line 270 of file ai.cpp.
◆ visit_edge()
◆ visit_edge_function_call()
◆ visit_end_function()
◆ visit_function_call()
Member Data Documentation
◆ domain_factory
For creating domain objects.
Definition at line 498 of file ai.h.
◆ history_factory
For creating history objects.
Definition at line 495 of file ai.h.
◆ message_handler
Definition at line 525 of file ai.h.
◆ storage
Definition at line 515 of file ai.h.
The documentation for this class was generated from the following files:
- /home/runner/work/cbmc/cbmc/src/analyses/ai.h
- /home/runner/work/cbmc/cbmc/src/analyses/ai.cpp