String support via creating string constraints and progressively instantiating the universal constraints as needed. More...
#include "string_refinement.h"#include <solvers/sat/satcheck.h>#include <stack>#include <unordered_set>#include <util/expr_iterator.h>#include <util/expr_util.h>#include <util/format_type.h>#include <util/magic.h>#include <util/range.h>#include <util/simplify_expr.h>#include "equation_symbol_mapping.h"#include "string_constraint_instantiation.h"#include "string_dependencies.h"#include "string_refinement_invariant.h"Go to the source code of this file.
axiom as the only formula added and runs it. not_contains by substituting the quantifiers and generating axioms. expr is an equation whose right-hand-side is a associate_array_to_pointer call, add the correspondence and replace the call by an expression representing its result. symbol_resolve whenever possible. symbol_resolve structure. super_get and concretize unknown characters. arr[index], where: arr := {12, 24, 48} the constructed expression will be: index==0 ? 12 : index==1 ? 24 : 48 Avoids repetition so arr := {12, 12, 24, 48} will give index<=1 ? 12 : index==1 ? 24 : 48 cond?array1:(cond2:array2:array3). i to the index set all the indices that appear in the formula. String support via creating string constraints and progressively instantiating the universal constraints as needed.
The procedure is described in the PASS paper at HVC'13: "PASS: String Solving with Parameterized Array and Interval Automaton" by Guodong Li and Indradeep Ghosh.
Definition in file string_refinement.cpp.
Add association for each char pointer in the equation.
Definition at line 300 of file string_refinement.cpp.
Given an equation on strings, mark these strings as belonging to the same set in the symbol_resolve structure.
The lhs and rhs of the equation, should have string type or be struct with string members.
Definition at line 432 of file string_refinement.cpp.
Add i to the index set all the indices that appear in the formula.
Definition at line 1584 of file string_refinement.cpp.
Check axioms takes the model given by the underlying solver and answers whether it satisfies the string constraints.
For each string_constraint a:
a is an existential formula b;b by their values found in get;b is simplified and array accesses are replaced by expressions without arrays;b to a fresh solver;b is found, this means the constraint a is satisfied by the valuation given by get. true if the current model satisfies all the axioms, false otherwise with a list of lemmas which are obtained by instantiating constraints at indexes given by counter-examples.Definition at line 1362 of file string_refinement.cpp.
Debugging function which outputs the different steps an axiom goes through to be checked in check axioms.
Definition at line 1342 of file string_refinement.cpp.
Display part of the current model by mapping the variables created by the solver to constant expressions given by the current model.
Definition at line 1127 of file string_refinement.cpp.
Write index set to the given stream, use for debugging.
Definition at line 172 of file string_refinement.cpp.
e.x if e is a symbol subexpression with a field x of type string Definition at line 404 of file string_refinement.cpp.
This is meant to be used on the lhs of an equation with string subtype.
Definition at line 376 of file string_refinement.cpp.
Convert index-value map to a vector of values.
If a value for an index is not defined, set it to the value referenced by the next higher index. The length of the resulting vector is the key of the map's last element + 1
Definition at line 130 of file string_refinement.cpp.
Creates a solver with axiom as the only formula added and runs it.
If it is SAT, then true is returned and the given evaluation of var is stored in witness. If UNSAT, then what witness is is undefined.
Definition at line 1919 of file string_refinement.cpp.
Instantiation of all constraints.
The string refinement decision procedure works with two types of quantified axioms, which are of the form \(\forall x.\ P(x)\) (string_constraintt ) or of the form \(\forall x. P(x) \Rightarrow \exists y .s_0[x+y] \ne s_1[y] \) (string_not_contains_constraintt ). They are instantiated in a way which depends on their form:
str appears in P indexed by some f(x) and val is in the index set of str we find y such that f(y)=val and add lemma P(y). (See instantiate(messaget::mstreamt&, const string_constraintt&,
const exprt &, const exprt&) for details.)s_0 and s_1. (See instantiate(const string_not_contains_constraintt&,
const index_set_pairt&,
const std::map<string_not_contains_constraintt, symbol_exprt>&) for details.) Definition at line 220 of file string_refinement.cpp.
Get a model of an array and put it in a certain form.
If the model is incomplete or if it is too big, return no value.
Definition at line 1012 of file string_refinement.cpp.
Debugging function which finds the valuation of the given array in super_get and concretize unknown characters.
arr in the model Definition at line 1078 of file string_refinement.cpp.
An expression representing an array of characters can be in the form of an if expression for instance cond?array1:(cond2:array2:array3).
We return all the array expressions contained in array_expr.
Definition at line 1557 of file string_refinement.cpp.
Get a model of the size of the input string.
First ask the solver for a size value. If the solver has no value, get the size directly from the type. This is the case for string literals that are not part of the decision procedure (e.g. literals in return values). If the size value is not a constant or not a valid integer (size_t), return no value.
Definition at line 968 of file string_refinement.cpp.
Given an array access of the form s[i] assumed to be part of a formula \( \forall q < u. charconstraint \), initialize the index set of s so that:
Definition at line 1617 of file string_refinement.cpp.
Add to the index set all the indices that appear in the formulas and the upper bound minus one.
Definition at line 1527 of file string_refinement.cpp.
Definition at line 1646 of file string_refinement.cpp.
Definition at line 1669 of file string_refinement.cpp.
Instantiates a quantified formula representing not_contains by substituting the quantifiers and generating axioms.
For a formula of the form \(\phi = \forall x. P(x) \Rightarrow Q(x, f(x))\) let \(instantiate\_not\_contains(\phi) = ( (f(t) = u) \land
P(t) ) \Rightarrow Q(t, u)\). Then \(\forall x.\ P(x) \Rightarrow Q(x, f(x)) \models \) Axioms of the form \(\forall x. P(x) \Rightarrow \exists y .Q(x, y) \) can be transformed into the the equisatisfiable formula \(\forall x. P(x) \Rightarrow Q(x, f(x))\) for a new function symbol f. Hence, after transforming axioms of the second type and by the above lemmas, we can create quantifier free formulas that are entailed by a (transformed) axiom.
axiom's witnesses for non-containment Definition at line 1750 of file string_refinement.cpp.
If expr is an equation whose right-hand-side is a associate_array_to_pointer call, add the correspondence and replace the call by an expression representing its result.
Definition at line 247 of file string_refinement.cpp.
Negates the constraint to be fed to a solver.
The intended usage is to find an assignment of the universal variable that would violate the axiom. To avoid false positives, the symbols other than the universal variable should have been replaced by their valuation in the current model.
Definition at line 1301 of file string_refinement.cpp.
Substitute sub-expressions in equation by representative elements of symbol_resolve whenever possible.
Similar to symbol_resolve.replace_expr but doesn't mutate the expression and returns the transformed expression instead.
Definition at line 273 of file string_refinement.cpp.
Definition at line 1517 of file string_refinement.cpp.
Symbol resolution for expressions of type string typet.
We record equality between these expressions in the output if one of the function calls depends on them.
Definition at line 470 of file string_refinement.cpp.
convert the content of a string to a more readable representation.
This should only be used for debugging.
Definition at line 1060 of file string_refinement.cpp.
Create an equivalent expression where array accesses are replaced by 'if' expressions: for instance in array access arr[index], where: arr := {12, 24, 48} the constructed expression will be: index==0 ? 12 : index==1 ? 24 : 48 Avoids repetition so arr := {12, 12, 24, 48} will give index<=1 ? 12 : index==1 ? 24 : 48
Definition at line 1182 of file string_refinement.cpp.
Definition at line 1193 of file string_refinement.cpp.
Definition at line 1214 of file string_refinement.cpp.
Create a new expression where 'with' expressions on arrays are replaced by 'if' expressions.
e.g. for an array access arr[index], where: arr := array_of(12) with {0:=24} with {2:=42} the constructed expression will be: index==0 ? 24 : index==2 ? 42 : 12
array_of expression. The function checks that the expression is of the form with_expr(with_expr(...(array_of(...))). This is the form in which array valuations coming from the underlying solver are given. index<=0 ? 24 : index<=2 ? 42 : 12 Definition at line 1167 of file string_refinement.cpp.
Create an equivalent expression where array accesses and 'with' expressions are replaced by 'if' expressions, in particular:
arr[index], where: arr := {12, 24, 48} the constructed expression will be: index==0 ? 12 : index==1 ? 24 : 48arr[index], where: arr := array_of(12) with {0:=24} with {2:=42} the constructed expression will be: index==0 ? 24 : index==2 ? 42 : 12(g1?arr1:arr2)[x] where arr1 := {12} and arr2 := {34}, the constructed expression will be: g1 ? 12 : 34{ }[x] returns a fresh symbol, this corresponds to a non-deterministic result Note that if left_propagate is set to true, the with case will result in something like: index <= 0 ? 24 : index <= 2 ? 42 : 12 Definition at line 1282 of file string_refinement.cpp.
Auxiliary function for substitute_array_access Performs the same operation but modifies the argument instead of returning the resulting expression.
Definition at line 1243 of file string_refinement.cpp.
Replace array-lists by 'with' expressions.
For instance array-list [ 0 , x , 1 , y ] is replaced by ARRAYOF(0) WITH [0:=x] WITH [1:=y]. Indexes exceeding the maximal string length are ignored.
Definition at line 1792 of file string_refinement.cpp.
Add to the index set all the indices that appear in the formula.
Definition at line 1701 of file string_refinement.cpp.
Add to the index set all the indices that appear in the formulas.
Definition at line 1542 of file string_refinement.cpp.
Definition at line 150 of file string_refinement.cpp.