139 gcc_version.
get(
"gcc");
144 const bool validate_only =
cmdline.isset(
"validate-goto-binary");
146 if(validate_only ||
cmdline.isset(
"validate-goto-model"))
159 if(
cmdline.isset(
"nondet-static-matching"))
161 log.status() <<
"Adding nondeterministic initialization "
162 "of matching static/global variables"
170 if(
cmdline.isset(
"validate-goto-model"))
176 bool unwind_given=
cmdline.isset(
"unwind");
177 bool unwindset_given=
cmdline.isset(
"unwindset");
178 bool unwindset_file_given=
cmdline.isset(
"unwindset-file");
180 if(unwindset_given && unwindset_file_given)
181 throw "only one of --unwindset and --unwindset-file supported at a "
184 if(unwind_given || unwindset_given || unwindset_file_given)
191 if(unwindset_file_given)
194 cmdline.get_value(
"unwindset-file"),
202 cmdline.get_comma_separated_values(
"unwindset"),
207 bool continue_as_loops=
cmdline.isset(
"continue-as-loops");
208 bool partial_loops =
cmdline.isset(
"partial-loops");
209 bool unwinding_assertions =
cmdline.isset(
"unwinding-assertions") ||
210 (!continue_as_loops && !partial_loops &&
211 !
cmdline.isset(
"no-unwinding-assertions"));
212 if(continue_as_loops)
214 if(unwinding_assertions)
216 throw "unwinding assertions cannot be used with "
217 "--continue-as-loops";
219 else if(partial_loops)
220 throw "partial loops cannot be used with --continue-as-loops";
226 if(unwinding_assertions)
233 else if(partial_loops)
237 else if(continue_as_loops)
243 goto_unwind(
goto_model, unwindset, unwind_strategy);
247 std::string filename =
cmdline.value_opt(
"log").value_or(
"-");
248 bool have_file = filename !=
"-";
257 throw "failed to open file "+filename;
264 std::cout << result <<
'\n';
274 if(
cmdline.isset(
"show-threaded"))
280 for(
const auto &gf_entry :
goto_model.goto_functions.function_map)
282 std::cout <<
"////\n";
283 std::cout <<
"//// Function: " << gf_entry.first <<
'\n';
284 std::cout <<
"////\n\n";
291 std::cout <<
"Is threaded: " << (is_threaded(i_it)?
"True":
"False")
299 if(
cmdline.isset(
"insert-final-assert-false"))
304 cmdline.get_value(
"insert-final-assert-false"),
313 if(
cmdline.isset(
"show-value-sets"))
329 if(
cmdline.isset(
"show-global-may-alias"))
345 if(
cmdline.isset(
"show-local-bitvector-analysis"))
355 for(
const auto &gf_entry :
goto_model.goto_functions.function_map)
358 std::cout <<
">>>>\n";
359 std::cout <<
">>>> " << gf_entry.first <<
'\n';
360 std::cout <<
">>>>\n";
361 local_bitvector_analysis.
output(std::cout, gf_entry.second, ns);
368 if(
cmdline.isset(
"show-local-safe-pointers") ||
369 cmdline.isset(
"show-safe-dereferences"))
376 for(
const auto &gf_entry :
goto_model.goto_functions.function_map)
379 local_safe_pointers(gf_entry.second.body);
380 std::cout <<
">>>>\n";
381 std::cout <<
">>>> " << gf_entry.first <<
'\n';
382 std::cout <<
">>>>\n";
383 if(
cmdline.isset(
"show-local-safe-pointers"))
384 local_safe_pointers.
output(std::cout, gf_entry.second.body, ns);
388 std::cout, gf_entry.second.body, ns);
396 if(
cmdline.isset(
"show-sese-regions"))
403 for(
const auto &gf_entry :
goto_model.goto_functions.function_map)
406 sese_region_analysis(gf_entry.second.body);
407 std::cout <<
">>>>\n";
408 std::cout <<
">>>> " << gf_entry.first <<
'\n';
409 std::cout <<
">>>>\n";
410 sese_region_analysis.
output(std::cout, gf_entry.second.body, ns);
417 if(
cmdline.isset(
"show-custom-bitvector-analysis"))
441 if(
cmdline.isset(
"show-escape-analysis"))
457 if(
cmdline.isset(
"custom-bitvector-analysis"))
478 custom_bitvector_analysis.
check(
486 if(
cmdline.isset(
"show-points-to"))
498 points_to.
output(std::cout);
502 if(
cmdline.isset(
"show-intervals"))
517 if(
cmdline.isset(
"show-call-sequences"))
524 if(
cmdline.isset(
"check-call-sequence"))
531 if(
cmdline.isset(
"list-calls-args"))
540 if(
cmdline.isset(
"show-rw-set"))
564 if(
cmdline.isset(
"show-symbol-table"))
570 if(
cmdline.isset(
"show-reaching-definitions"))
583 if(
cmdline.isset(
"show-dependence-graph"))
597 if(
cmdline.isset(
"count-eloc"))
609 if(
cmdline.isset(
"print-path-lengths"))
615 if(
cmdline.isset(
"print-global-state-size"))
621 if(
cmdline.isset(
"list-symbols"))
627 if(
cmdline.isset(
"show-uninitialized"))
633 if(
cmdline.isset(
"interpreter"))
643 if(
cmdline.isset(
"show-claims") ||
644 cmdline.isset(
"show-properties"))
651 if(
cmdline.isset(
"document-claims-html") ||
652 cmdline.isset(
"document-properties-html"))
658 if(
cmdline.isset(
"document-claims-latex") ||
659 cmdline.isset(
"document-properties-latex"))
665 if(
cmdline.isset(
"show-loops"))
671 if(
cmdline.isset(
"show-natural-loops"))
677 if(
cmdline.isset(
"show-lexical-loops"))
683 if(
cmdline.isset(
"print-internal-representation"))
685 for(
auto const &pair :
goto_model.goto_functions.function_map)
686 for(
auto const &ins : pair.second.body.instructions)
688 if(ins.code().is_not_nil())
690 if(ins.has_condition())
692 log.status() <<
"[guard] " << ins.condition().pretty()
700 cmdline.isset(
"show-goto-functions") ||
701 cmdline.isset(
"list-goto-functions"))
708 if(
cmdline.isset(
"list-undefined-functions"))
715 if(
cmdline.isset(
"show-struct-alignment"))
721 if(
cmdline.isset(
"show-locations"))
729 cmdline.isset(
"dump-c-type-header"))
731 const bool is_cpp=
cmdline.isset(
"dump-cpp");
732 const bool is_header =
cmdline.isset(
"dump-c-type-header");
733 const bool h_libc=!
cmdline.isset(
"no-system-headers");
734 const bool h_all=
cmdline.isset(
"use-all-headers");
735 const bool harness=
cmdline.isset(
"harness");
752 log.error() <<
"failed to write to '" <<
cmdline.args[1] <<
"'";
763 cmdline.get_value(
"dump-c-type-header"),
769 goto_model.goto_functions, h_libc, h_all, harness, ns, out);
782 cmdline.get_value(
"dump-c-type-header"),
788 goto_model.goto_functions, h_libc, h_all, harness, ns, std::cout);
795 if(
cmdline.isset(
"call-graph"))
805 call_graph.
output(std::cout);
810 if(
cmdline.isset(
"reachable-call-graph"))
821 call_graph.
output(std::cout);
826 if(
cmdline.isset(
"show-class-hierarchy"))
848 log.error() <<
"failed to write to " <<
cmdline.args[1] <<
"'";
860 if(
cmdline.isset(
"accelerate"))
869 log.status() <<
"Removing calls to functions without a body"
892 log.error() <<
"Failed to open output file " <<
cmdline.args[1]
905 if(
cmdline.isset(
"drop-unused-functions"))
914 if(
cmdline.isset(
"undefined-function-is-assume-false"))
923 log.status() <<
"Writing GOTO program to '" <<
cmdline.args[1] <<
"'"
931 else if(
cmdline.args.size() < 2)
934 "Invalid number of positional arguments passed",
936 "goto-instrument needs one input and one output file, aside from other "
1008 log.status() <<
"Reading GOTO program from '" <<
cmdline.args[0] <<
"'"
1015 if(!result.has_value())
1030 if(
cmdline.isset(
"no-simplify"))
1039 if(
cmdline.isset(
"model-argc-argv"))
1043 std::list<std::string> argv;
1044 argv.resize(max_argc);
1046 log.status() <<
"Adding up to " << max_argc <<
" command line arguments"
1054 if(
cmdline.isset(
"add-cmd-line-arg"))
1056 const std::list<std::string> &argv =
cmdline.get_values(
"add-cmd-line-arg");
1059 std::stringstream ss;
1061 std::string sep =
"";
1062 for(
auto const &arg : argv)
1064 ss << sep <<
"\"" << arg <<
"\"";
1070 log.status() <<
"Adding " << argc <<
" arguments: " << ss.str()
1078 if(
cmdline.isset(
"remove-function-body"))
1082 cmdline.get_values(
"remove-function-body"),
1086 if(
cmdline.isset(
"remove-function-body-regex"))
1090 cmdline.get_value(
"remove-function-body-regex"),
1098 cmdline.isset(
"reachability-slice") ||
1099 cmdline.isset(
"reachability-slice-fb") ||
1100 cmdline.isset(
"fp-reachability-slice"))
1102 if(
cmdline.isset(
"show-custom-bitvector-analysis") ||
1103 cmdline.isset(
"custom-bitvector-analysis"))
1105 config.ansi_c.defines.push_back(
1114 log.status() <<
"Adding CPROVER library (" <<
config.ansi_c.arch <<
")"
1145 if(
cmdline.isset(
"skip-loops"))
1160 if(
cmdline.isset(
"show-custom-bitvector-analysis") ||
1161 cmdline.isset(
"custom-bitvector-analysis"))
1172 if(
cmdline.isset(
"show-custom-bitvector-analysis") ||
1173 cmdline.isset(
"custom-bitvector-analysis"))
1180 if(
cmdline.isset(
"escape-analysis"))
1201 if(
cmdline.isset(
"loop-contracts-file"))
1203 const auto file_name =
cmdline.get_value(
"loop-contracts-file");
1223 log.warning() <<
"**** WARNING: transformed loops will not be unwound "
1224 <<
"after applying loop contracts. Note that transformed "
1225 <<
"loops require at least unwinding bounds 2 to pass "
1235 "Redundant options detected",
1241 log.status() <<
"Trying to force one backedge per target" <<
messaget::eom;
1246 std::set<irep_idt> to_replace(
1255 "Mutually exclusive options detected",
1265 bool allow_recursive_calls =
1268 std::set<std::string> to_exclude_from_nondet_static(
1269 cmdline.get_values(
"nondet-static-exclude").begin(),
1270 cmdline.get_values(
"nondet-static-exclude").end());
1276 to_enforce.
empty() ? std::optional<irep_idt>{}
1277 : std::optional<irep_idt>{to_enforce.front()},
1278 allow_recursive_calls,
1280 loop_contract_config,
1281 to_exclude_from_nondet_static,
1282 log.get_message_handler());
1289 log.status() <<
"Trying to force one backedge per target" <<
messaget::eom;
1293 std::set<std::string> to_replace(
1297 std::set<std::string> to_enforce(
1301 std::set<std::string> to_exclude_from_nondet_static(
1302 cmdline.get_values(
"nondet-static-exclude").begin(),
1303 cmdline.get_values(
"nondet-static-exclude").end());
1318 if(
cmdline.isset(
"value-set-fi-fp-removal"))
1325 if(
cmdline.isset(
"remove-function-pointers"))
1329 else if(
cmdline.isset(
"remove-const-function-pointers"))
1334 if(
cmdline.isset(
"replace-calls"))
1342 if(
cmdline.isset(
"function-inline"))
1344 std::string function=
cmdline.get_value(
"function-inline");
1347 bool caching=!
cmdline.isset(
"no-caching");
1351 log.status() <<
"Inlining calls of function '" << function <<
"'"
1361 std::string filename =
cmdline.value_opt(
"log").value_or(
"-");
1362 bool have_file = filename !=
"-";
1372 throw "failed to open file "+filename;
1379 std::cout << result <<
'\n';
1384 goto_model.goto_functions.compute_loop_numbers();
1387 if(
cmdline.isset(
"partial-inline"))
1395 goto_model.goto_functions.compute_loop_numbers();
1398 if(
cmdline.isset(
"remove-calls-no-body"))
1400 log.status() <<
"Removing calls to functions without a body"
1407 goto_model.goto_functions.compute_loop_numbers();
1410 if(
cmdline.isset(
"constant-propagator"))
1416 log.warning() <<
"**** WARNING: Constant propagation as performed by "
1417 "goto-instrument is not expected to be sound. Do not use "
1418 "--constant-propagator if soundness is important for your "
1426 if(
cmdline.isset(
"generate-function-body"))
1431 c_object_factory_options);
1434 cmdline.get_value(
"generate-function-body-options"),
1435 object_factory_parameters,
1439 std::regex(
cmdline.get_value(
"generate-function-body")),
1440 *generate_implementation,
1446 if(
cmdline.isset(
"generate-havocing-body"))
1451 c_object_factory_options);
1453 auto options_split =
1455 if(options_split.size() < 2)
1457 "not enough arguments for this option",
"--generate-havocing-body"};
1459 if(options_split.size() == 2)
1462 std::string{
"havoc,"} + options_split.back(),
1463 object_factory_parameters,
1467 std::regex(options_split[0]),
1468 *generate_implementation,
1476 for(
size_t i = 1; i + 1 < options_split.size(); i += 2)
1479 std::string{
"havoc,"} + options_split[i + 1],
1480 object_factory_parameters,
1486 *generate_implementation,
1498 if(
cmdline.isset(
"uninitialized-check"))
1500 log.status() <<
"Adding checks for uninitialized local variables"
1506 if(
cmdline.isset(
"stack-depth"))
1508 log.status() <<
"Adding check for maximum call stack size" <<
messaget::eom;
1517 if(
cmdline.isset(
"nondet-static-exclude"))
1519 log.status() <<
"Adding nondeterministic initialization "
1520 "of static/global variables except for "
1521 "the specified ones."
1523 std::set<std::string> to_exclude(
1524 cmdline.get_values(
"nondet-static-exclude").begin(),
1525 cmdline.get_values(
"nondet-static-exclude").end());
1528 else if(
cmdline.isset(
"nondet-static"))
1530 log.status() <<
"Adding nondeterministic initialization "
1531 "of static/global variables"
1536 if(
cmdline.isset(
"slice-global-inits"))
1540 log.status() <<
"Slicing away initializations of unused global variables"
1545 if(
cmdline.isset(
"string-abstraction"))
1556 if(
cmdline.isset(
"remove-pointers") ||
1557 cmdline.isset(
"race-check") ||
1569 if(
cmdline.isset(
"remove-pointers"))
1576 if(
cmdline.isset(
"race-check"))
1584 std::string mm=
cmdline.get_value(
"mm");
1589 if(
cmdline.isset(
"one-event-per-cycle"))
1591 else if(
cmdline.isset(
"minimum-interference"))
1593 else if(
cmdline.isset(
"read-first"))
1595 else if(
cmdline.isset(
"write-first"))
1597 else if(
cmdline.isset(
"my-events"))
1603 const unsigned max_var=
1606 const unsigned max_po_trans=
1607 cmdline.isset(
"max-po-trans")?
1612 log.status() <<
"Adding weak memory (TSO) Instrumentation"
1618 log.status() <<
"Adding weak memory (PSO) Instrumentation"
1624 log.status() <<
"Adding weak memory (RMO) Instrumentation"
1628 else if(mm==
"power")
1630 log.status() <<
"Adding weak memory (Power) Instrumentation"
1636 log.error() <<
"Unknown weak memory model '" << mm <<
"'"
1643 if(
cmdline.isset(
"force-loop-duplication"))
1645 if(
cmdline.isset(
"no-loop-duplication"))
1656 cmdline.isset(
"no-dependencies"),
1660 !
cmdline.isset(
"no-po-rendering"),
1661 cmdline.isset(
"render-cluster-file"),
1662 cmdline.isset(
"render-cluster-function"),
1664 cmdline.isset(
"hide-internals"),
1666 cmdline.isset(
"ignore-arrays"));
1687 if(
cmdline.isset(
"concurrency"))
1694 if(
cmdline.isset(
"interval-analysis"))
1700 if(
cmdline.isset(
"havoc-loops"))
1706 if(
cmdline.isset(
"k-induction"))
1708 bool base_case=
cmdline.isset(
"base-case");
1709 bool step_case=
cmdline.isset(
"step-case");
1711 if(step_case && base_case)
1712 throw "please specify only one of --step-case and --base-case";
1713 else if(!step_case && !base_case)
1714 throw "please specify one of --step-case and --base-case";
1719 throw "please give k>=1";
1721 log.status() <<
"Instrumenting k-induction for k=" << k <<
", "
1722 << (base_case ?
"base case" :
"step case") <<
messaget::eom;
1727 if(
cmdline.isset(
"function-enter"))
1732 cmdline.get_value(
"function-enter"));
1735 if(
cmdline.isset(
"function-exit"))
1740 cmdline.get_value(
"function-exit"));
1758 goto_model.goto_functions.compute_loop_numbers();
1766 if(
cmdline.isset(
"reachability-slice"))
1784 if(
cmdline.isset(
"fp-reachability-slice"))
1788 log.status() <<
"Performing a function pointer reachability slice"
1792 cmdline.get_comma_separated_values(
"fp-reachability-slice"),
1797 if(
cmdline.isset(
"full-slice"))
1805 log.warning() <<
"**** WARNING: Experimental option --full-slice, "
1806 <<
"analysis results may be unsound. See "
1807 <<
"https://github.com/diffblue/cbmc/issues/260"
1820 if(
cmdline.isset(
"splice-call"))
1823 std::string callercallee=
cmdline.get_value(
"splice-call");
1833 if(
cmdline.isset(
"aggressive-slice"))
1840 log.status() <<
"Slicing away initializations of unused global variables"
1847 if(
cmdline.isset(
"aggressive-slice-call-depth"))
1851 if(
cmdline.isset(
"aggressive-slice-preserve-function"))
1853 cmdline.get_values(
"aggressive-slice-preserve-function"));
1857 cmdline.get_values(
"property");
1859 if(
cmdline.isset(
"aggressive-slice-preserve-functions-containing"))
1861 cmdline.get_values(
"aggressive-slice-preserve-functions-containing");
1864 cmdline.isset(
"aggressive-slice-preserve-all-direct-paths");
1866 aggressive_slicer.
doit();
1880 if(
cmdline.isset(
"ensure-one-backedge-per-target"))
1882 log.status() <<
"Trying to force one backedge per target" <<
messaget::eom;
1902 "Usage: \tPurpose:\n"
1904 " {bgoto-instrument} [{y-?}] [{y-h}] [{y--help}] \t show this help\n"
1905 " {bgoto-instrument} {y--version} \t show version and exit\n"
1906 " {bgoto-instrument} [options] {uin} [{uout}] \t perform analysis or"
1907 " instrumentation\n"
1911 " {y--horn} \t print program as constrained horn clauses\n"
1916 " {y--show-symbol-table} \t show loaded symbol table\n"
1917 " {y--list-symbols} \t list symbols with type information\n"
1920 " {y--show-locations} \t show all source locations\n"
1921 " {y--dot} \t generate CFG graph in DOT format\n"
1922 " {y--print-internal-representation} \t show verbose internal"
1923 " representation of the program\n"
1924 " {y--list-undefined-functions} \t list functions without body\n"
1925 " {y--list-calls-args} \t list all function calls with their arguments\n"
1926 " {y--call-graph} \t show graph of function calls\n"
1927 " {y--reachable-call-graph} \t show graph of function calls potentially"
1928 " reachable from main function\n"
1931 " {y--validate-goto-binary} \t check the well-formedness of the passed in"
1932 " goto binary and then exit\n"
1933 " {y--interpreter} \t do concrete execution\n"
1935 "Data-flow analyses:\n"
1936 " {y--show-struct-alignment} \t show struct members that might be"
1937 " concurrently accessed\n"
1938 " {y--show-threaded} \t show instructions that may be executed by more than"
1940 " {y--show-local-safe-pointers} \t show pointer expressions that are"
1941 " trivially dominated by a not-null check\n"
1942 " {y--show-safe-dereferences} \t show pointer expressions that are"
1943 " trivially dominated by a not-null check *and* used as a dereference"
1945 " {y--show-value-sets} \t show points-to information (using value sets)\n"
1946 " {y--show-global-may-alias} \t show may-alias information over globals\n"
1947 " {y--show-local-bitvector-analysis} \t show procedure-local pointer"
1949 " {y--escape-analysis} \t perform escape analysis\n"
1950 " {y--show-escape-analysis} \t show results of escape analysis\n"
1951 " {y--custom-bitvector-analysis} \t perform configurable bitvector"
1953 " {y--show-custom-bitvector-analysis} \t show results of configurable"
1954 " bitvector analysis\n"
1955 " {y--interval-analysis} \t perform interval analysis\n"
1956 " {y--show-intervals} \t show results of interval analysis\n"
1957 " {y--show-uninitialized} \t show maybe-uninitialized variables\n"
1958 " {y--show-points-to} \t show points-to information\n"
1959 " {y--show-rw-set} \t show read-write sets\n"
1960 " {y--show-call-sequences} \t show function call sequences\n"
1961 " {y--show-reaching-definitions} \t show reaching definitions\n"
1962 " {y--show-dependence-graph} \t show program-dependence graph\n"
1963 " {y--show-sese-regions} \t show single-entry-single-exit regions\n"
1966 " {y--no-assertions} \t ignore user assertions\n"
1969 " {y--stack-depth} {un} \t add check that call stack size of non-inlined"
1970 " functions never exceeds {un}\n"
1971 " {y--race-check} \t add floating-point data race checks\n"
1973 "Semantic transformations:\n"
1975 " {y--isr} {ufunction} \t instruments an interrupt service routine\n"
1976 " {y--mmio} \t instruments memory-mapped I/O\n"
1977 " {y--nondet-static} \t add nondeterministic initialization of variables"
1978 " with static lifetime\n"
1979 " {y--nondet-static-exclude} {ue} \t same as nondet-static except for the"
1980 " variable {ue} (use multiple times if required)\n"
1981 " {y--nondet-static-matching} {ur} \t add nondeterministic initialization"
1982 " of variables with static lifetime matching regex {ur}\n"
1983 " {y--function-enter} {uf}, {y--function-exit} {uf}, {y--branch} {uf} \t"
1984 " instruments a call to {uf} at the beginning, the exit, or a branch point,"
1986 " {y--splice-call} {ucaller},{ucallee} \t prepends a call to {ucallee} in"
1987 " the body of {ucaller}\n"
1988 " {y--check-call-sequence} {useq} \t instruments checks to assert that all"
1989 " call sequences match {useq}\n"
1990 " {y--undefined-function-is-assume-false} \t convert each call to an"
1991 " undefined function to assume(false)\n"
1996 " {y--add-library} \t add models of C library functions\n"
1999 " {y--remove-function-body} {uf} \t remove the implementation of function"
2000 " {uf} (may be repeated)\n"
2001 " {y--remove-function-body-regex} {uregex} \t remove the implementation of"
2002 " functions matching regular expression {uregex}\n"
2006 "Semantics-preserving transformations:\n"
2007 " {y--ensure-one-backedge-per-target} \t transform loop bodies such that"
2008 " there is a single edge back to the loop head\n"
2009 " {y--drop-unused-functions} \t drop functions trivially unreachable from"
2012 " {y--constant-propagator} \t propagate constants and simplify"
2014 " {y--inline} \t perform full inlining\n"
2015 " {y--partial-inline} \t perform partial inlining\n"
2016 " {y--function-inline} {ufunction} \t transitively inline all calls"
2017 " {ufunction} makes\n"
2018 " {y--no-caching} \t disable caching of intermediate results during"
2019 " transitive function inlining\n"
2020 " {y--log} {ufile} \t log in JSON format which code segments were inlined,"
2021 " use with {y--function-inline}\n"
2022 " {y--remove-function-pointers} \t replace function pointers by case"
2023 " statement over function calls\n"
2025 " {y--value-set-fi-fp-removal} \t build flow-insensitive value set and"
2026 " replace function pointers by a case statement over the possible"
2027 " assignments. If the set of possible assignments is empty the function"
2028 " pointer is removed using the standard remove-function-pointers pass.\n"
2030 "Loop information and transformations:\n"
2032 " {y--unwindset-file_<file>} \t read unwindset from file\n"
2033 " {y--partial-loops} \t permit paths with partial loops\n"
2034 " {y--unwinding-assertions} \t generate unwinding assertions"
2035 " (enabled by default)\n"
2036 " {y--no-unwinding-assertions} \t do not generate unwinding assertions\n"
2037 " {y--continue-as-loops} \t add loop for remaining iterations after"
2039 " {y--k-induction} {uk} \t check loops with k-induction\n"
2040 " {y--step-case} \t k-induction: do step-case\n"
2041 " {y--base-case} \t k-induction: do base-case\n"
2042 " {y--havoc-loops} \t over-approximate all loops\n"
2043 " {y--accelerate} \t add loop accelerators\n"
2044 " {y--z3} \t use Z3 when computing loop accelerators\n"
2045 " {y--skip-loops {uloop-ids} \t add gotos to skip selected loops during"
2047 " {y--show-lexical-loops} \t show single-entry-single-back-edge loops\n"
2048 " {y--show-natural-loops} \t show natural loop heads\n"
2050 "Memory model instrumentations:\n"
2056 " {y--full-slice} \t slice away instructions that don't affect assertions\n"
2057 " {y--property} {uid} \t slice with respect to specific property only\n"
2058 " {y--slice-global-inits} \t slice away initializations of unused global"
2060 " {y--aggressive-slice} \t remove bodies of any functions not on the"
2061 " shortest path between the start function and the function containing the"
2062 " property/properties\n"
2063 " {y--aggressive-slice-call-depth} {un} \t used with aggressive-slice,"
2064 " preserves all functions within {un} function calls of the functions on"
2065 " the shortest path\n"
2066 " {y--aggressive-slice-preserve-function} {uf} \t force the aggressive"
2067 " slicer to preserve function {uf}\n"
2068 " {y--aggressive-slice-preserve-functions-containing} {uf} \t force the"
2069 " aggressive slicer to preserve all functions with names containing {uf}\n"
2070 " {y--aggressive-slice-preserve-all-direct-paths} \t force aggressive"
2071 " slicer to preserve all direct paths\n"
2083 "User-interface options:\n"
2085 " {y--xml} \t output files in XML where supported\n"
2086 " {y--xml-ui} \t use XML-formatted output\n"
2087 " {y--json-ui} \t use JSON-formatted output\n"
2088 " {y--verbosity} {u#} \t verbosity level\n"
void accelerate_functions(goto_modelt &goto_model, message_handlert &message_handler, bool use_z3, guard_managert &guard_manager)
void add_failed_symbols(symbol_table_baset &symbol_table)
Create a failed-dereference symbol for all symbols in the given table that need one (i....
void print_struct_alignment_problems(const symbol_table_baset &symbol_table, std::ostream &out)
void cprover_c_library_factory(const std::set< irep_idt > &functions, const symbol_table_baset &symbol_table, symbol_table_baset &dest_symbol_table, message_handlert &message_handler)
#define HELP_ANSI_C_LANGUAGE
void branch(goto_modelt &goto_model, const irep_idt &id)
void parse_c_object_factory_options(const cmdlinet &cmdline, optionst &options)
Parse the c object factory parameters from a given command line.
static void list_calls_and_arguments(const namespacet &ns, const goto_programt &goto_program)
void check_call_sequence(const goto_modelt &goto_model)
void show_call_sequences(const irep_idt &caller, const goto_programt &goto_program)
Memory-mapped I/O Instrumentation for Goto Programs.
void show_class_hierarchy(const class_hierarchyt &hierarchy, ui_message_handlert &message_handler, bool children_only)
Output the class hierarchy.
#define HELP_SHOW_CLASS_HIERARCHY
The aggressive slicer removes the body of all the functions except those on the shortest path,...
std::list< std::string > user_specified_properties
void doit()
Removes the body of all functions except those on the shortest path or functions that are reachable f...
std::list< std::string > name_snippets
void preserve_functions(const std::list< std::string > &function_list)
Adds a list of functions to the set of functions for the aggressive slicer to preserve.
bool preserve_all_direct_paths
virtual void output(const namespacet &ns, const irep_idt &function_id, const goto_programt &goto_program, std::ostream &out) const
Output the abstract states for a single function.
ait supplies three of the four components needed: an abstract interpreter (in this case handling func...
A call graph (https://en.wikipedia.org/wiki/Call_graph) for a GOTO model or GOTO functions collection...
void output_dot(std::ostream &out) const
void output(std::ostream &out) const
static call_grapht create_from_root_function(const goto_modelt &model, const irep_idt &root, bool collect_callsites)
void output_xml(std::ostream &out) const
Non-graph-based representation of the class hierarchy.
void output_dot(std::ostream &) const
Output class hierarchy in Graphviz DOT format.
void apply_loop_contracts(const std::set< std::string > &to_exclude_from_nondet_init={})
Applies loop contract transformations.
void enforce_contracts(const std::set< std::string > &to_enforce, const std::set< std::string > &to_exclude_from_nondet_init={})
Turn requires & ensures into assumptions and assertions for each of the named functions.
void replace_calls(const std::set< std::string > &to_replace)
Replace all calls to each function in the to_replace set with that function's contract.
void check(const goto_modelt &, bool xml, std::ostream &)
void instrument(goto_modelt &)
void get(const std::string &executable)
This is a may analysis (i.e.
static irep_idt entry_point()
Get the identifier of the entry point to a goto model.
void register_languages() override
void help() override
display command line help
void instrument_goto_program()
void do_indirect_call_and_rtti_removal(bool force=false)
bool partial_inlining_done
bool function_pointer_removal_done
void do_partial_inlining()
void do_remove_const_function_pointers_only()
Remove function pointers that can be resolved by analysing const variables (i.e.
int doit() override
invoke main modules
A generic container class for the GOTO intermediate representation of one function.
std::ostream & output(std::ostream &out) const
Output goto-program to given stream.
jsont output_log_json() const
void output_dot(std::ostream &out) const
Thrown when users pass incorrect command line arguments, for example passing no files to analysis or ...
void output(std::ostream &out, const goto_functiont &goto_function, const namespacet &ns) const
A very simple, cheap analysis to determine when dereference operations are trivially guarded by a che...
void output_safe_dereferences(std::ostream &stream, const goto_programt &program, const namespacet &ns)
Output safely dereferenced expressions per instruction in human-readable format.
void output(std::ostream &stream, const goto_programt &program, const namespacet &ns)
Output non-null expressions per instruction in human-readable format.
static unsigned eval_verbosity(const std::string &user_input, const message_levelt default_verbosity, message_handlert &dest)
Parse a (user-)provided string as a verbosity level and set it as the verbosity of dest.
A namespacet is essentially one or two symbol tables bound together, to allow for symbol lookups in t...
bool lookup(const irep_idt &name, const symbolt *&symbol) const override
See documentation for namespace_baset::lookup().
bool is_set(const std::string &option) const
N.B. opts.is_set("foo") does not imply opts.get_bool_option("foo").
void set_option(const std::string &option, const bool value)
ui_message_handlert ui_message_handler
void output(std::ostream &out) const
void output(std::ostream &out, const goto_programt &goto_program, const namespacet &ns) const
Expression to hold a symbol (variable).
typet type
Type of symbol.
irep_idt name
The unique identifier.
void parse_unwind(const std::string &unwind)
void parse_unwindset(const std::list< std::string > &unwindset, abstract_goto_modelt &goto_model, message_handlert &message_handler)
void parse_unwindset_file(const std::string &file_name, abstract_goto_modelt &goto_model, message_handlert &message_handler)
void concurrency(value_setst &value_sets, goto_modelt &goto_model)
Encoding for Threaded Goto Programs.
#define HELP_CONFIG_LIBRARY
#define HELP_REPLACE_CALL
#define HELP_DISABLE_SIDE_EFFECT_CHECK
#define FLAG_REPLACE_CALL
#define FLAG_ENFORCE_CONTRACT
#define HELP_LOOP_CONTRACTS
#define FLAG_LOOP_CONTRACTS
#define HELP_LOOP_CONTRACTS_NO_UNWIND
#define HELP_ENFORCE_CONTRACT
#define HELP_LOOP_CONTRACTS_FILE
#define FLAG_DISABLE_SIDE_EFFECT_CHECK
#define FLAG_LOOP_CONTRACTS_NO_UNWIND
void count_eloc(const goto_modelt &goto_model)
void print_global_state_size(const goto_modelt &goto_model)
void print_path_lengths(const goto_modelt &goto_model)
void list_eloc(const goto_modelt &goto_model)
#define HELP_GOTO_PROGRAM_STATS
void cprover_cpp_library_factory(const std::set< irep_idt > &functions, const symbol_table_baset &symbol_table, symbol_table_baset &dest_symbol_table, message_handlert &message_handler)
static void show_goto_functions(const goto_modelt &goto_model)
Field-insensitive, location-sensitive bitvector analysis.
Field-Sensitive Program Dependence Analysis, Litvak et al., FSE 2010.
#define FLAG_ENFORCE_CONTRACT_REC
#define HELP_ENFORCE_CONTRACT_REC
void document_properties_latex(const goto_modelt &goto_model, std::ostream &out)
void document_properties_html(const goto_modelt &goto_model, std::ostream &out)
#define HELP_DOCUMENT_PROPERTIES
void dot(const goto_modelt &src, std::ostream &out)
Dump Goto-Program as DOT Graph.
void dump_cpp(const goto_functionst &src, const bool use_system_headers, const bool use_all_headers, const bool include_harness, const namespacet &ns, std::ostream &out)
void dump_c(const goto_functionst &src, const bool use_system_headers, const bool use_all_headers, const bool include_harness, const namespacet &ns, std::ostream &out)
void dump_c_type_header(const goto_functionst &src, const bool use_system_headers, const bool use_all_headers, const bool include_harness, const namespacet &ns, const std::string module, std::ostream &out)
bool ensure_one_backedge_per_target(goto_programt::targett &it, goto_programt &goto_program)
Ensure one backedge per target.
Field-insensitive, location-sensitive, over-approximative escape analysis.
Document and give macros for the exit codes of CPROVER binaries.
#define CPROVER_EXIT_CONVERSION_FAILED
Failure to convert / write to another format.
#define CPROVER_EXIT_INTERNAL_ERROR
An error has been encountered during processing the requested analysis.
#define CPROVER_EXIT_USAGE_ERROR
A usage error is returned when the command line is invalid or conflicting.
#define CPROVER_EXIT_SUCCESS
Success indicates the required analysis has been performed without error.
void property_slicer(goto_functionst &goto_functions, const namespacet &ns, const std::list< std::string > &properties, message_handlert &message_handler)
void full_slicer(goto_functionst &goto_functions, const namespacet &ns, const slicing_criteriont &criterion, message_handlert &message_handler)
void function_exit(goto_modelt &goto_model, const irep_idt &id)
void function_enter(goto_modelt &goto_model, const irep_idt &id)
Function Entering and Exiting.
void configure_gcc(const gcc_versiont &gcc_version)
std::unique_ptr< generate_function_bodiest > generate_function_bodies_factory(const std::string &options, const c_object_factory_parameterst &object_factory_parameters, const symbol_tablet &symbol_table, message_handlert &message_handler)
Create the type that actually generates the functions.
void generate_function_bodies(const std::regex &functions_regex, const generate_function_bodiest &generate_function_body, goto_modelt &model, message_handlert &message_handler, bool ignore_no_match)
Generate function bodies with some default behavior: assert-false, assume-false, assert-false-assume-...
#define HELP_REPLACE_FUNCTION_BODY
Field-insensitive, location-sensitive, over-approximative escape analysis.
static void transform_assertions_assumptions(goto_programt &goto_program, bool enable_assertions, bool enable_built_in_assertions, bool enable_assumptions)
Checks for Errors in C and Java Programs.
void goto_check_c(const irep_idt &function_identifier, goto_functionst::goto_functiont &goto_function, const namespacet &ns, const optionst &options, message_handlert &message_handler)
#define PARSE_OPTIONS_GOTO_CHECK(cmdline, options)
void goto_inline(goto_modelt &goto_model, message_handlert &message_handler, bool adjust_function)
Inline every function call into the entry_point() function.
void goto_function_inline(goto_modelt &goto_model, const irep_idt function, message_handlert &message_handler, bool adjust_function, bool caching)
Transitively inline all function calls made from a particular function.
void goto_partial_inline(goto_modelt &goto_model, message_handlert &message_handler, unsigned smallfunc_limit, bool adjust_function)
Inline all function calls to functions either marked as "inlined" or smaller than smallfunc_limit (by...
jsont goto_function_inline_and_log(goto_modelt &goto_model, const irep_idt function, message_handlert &message_handler, bool adjust_function, bool caching)
Function Inlining This gives a number of different interfaces to the function inlining functionality ...
#define forall_goto_program_instructions(it, program)
void remove_pointers(goto_modelt &goto_model, value_setst &value_sets, message_handlert &message_handler)
Remove dereferences in all expressions contained in the program goto_model.
#define HELP_REMOVE_POINTERS
void dfcc(const optionst &options, goto_modelt &goto_model, const irep_idt &harness_id, const std::optional< irep_idt > &to_check, const bool allow_recursive_calls, const std::set< irep_idt > &to_replace, const loop_contract_configt loop_contract_config, const std::set< std::string > &to_exclude_from_nondet_static, message_handlert &message_handler)
Applies function contracts transformation to GOTO model, using the dynamic frame condition checking a...
guard_expr_managert guard_managert
void havoc_loops(goto_modelt &goto_model)
void horn_encoding(const goto_modelt &goto_model, std::ostream &out)
bool insert_final_assert_false(goto_modelt &goto_model, const std::string &function_to_instrument, message_handlert &message_handler)
Transform a goto program by inserting assert(false) at the end of a given function function_to_instru...
Insert final assert false into a function.
#define HELP_INSERT_FINAL_ASSERT_FALSE
void interpreter(const goto_modelt &goto_model, message_handlert &message_handler)
Interpreter for GOTO Programs.
static void interrupt(value_setst &value_sets, const symbol_tablet &symbol_table, const irep_idt &function_id, goto_programt &goto_program, const symbol_exprt &interrupt_handler, const rw_set_baset &isr_rw_set, message_handlert &message_handler)
Interrupt Instrumentation for Goto Programs.
void interval_analysis(goto_modelt &goto_model)
Initialises the abstract interpretation over interval domain and instruments instructions using inter...
Over-approximate Concurrency for Threaded Goto Programs.
void k_induction(goto_modelt &goto_model, bool base_case, bool step_case, unsigned k)
void label_function_pointer_call_sites(goto_modelt &goto_model)
This ensures that call instructions can be only one of two things:
Label function pointer call sites across a goto model.
Compute lexical loops in a goto_function.
void show_lexical_loops(const goto_modelt &goto_model, std::ostream &out)
void link_to_library(goto_modelt &goto_model, message_handlert &message_handler, const std::function< void(const std::set< irep_idt > &, const symbol_tablet &, symbol_tablet &, message_handlert &)> &library)
Complete missing function definitions using the library.
Field-insensitive, location-sensitive bitvector analysis.
Local safe pointer analysis.
void show_loop_ids(ui_message_handlert::uit ui, const goto_modelt &goto_model)
void mm_io(symbol_tablet &symbol_table, goto_functionst &goto_functions, message_handlert &message_handler)
Perform Memory-mapped I/O instrumentation.
static void mmio(value_setst &value_sets, const symbol_tablet &symbol_table, const irep_idt &function_id, goto_programt &goto_program, message_handlert &message_handler)
Memory-mapped I/O Instrumentation for Goto Programs.
bool model_argc_argv(goto_modelt &goto_model, const std::list< std::string > &argv_args, bool model_argv, message_handlert &message_handler)
Set up argv to user-specified values (when model_argv is FALSE) or (when model_argv is TRUE) set up a...
Compute natural loops in a goto_function.
void show_natural_loops(const goto_modelt &goto_model, std::ostream &out)
void nondet_static_matching(goto_modelt &goto_model, const std::string ®ex)
Nondeterministically initializes global scope variables that match the given regex.
static void nondet_static(const namespacet &ns, goto_modelt &goto_model, const irep_idt &fct_name)
Nondeterministically initializes global scope variables in a goto-function.
Nondeterministically initializes global scope variables, except for constants (such as string literal...
void parse_nondet_volatile_options(const cmdlinet &cmdline, optionst &options)
void nondet_volatile(goto_modelt &goto_model, const optionst &options)
Havoc reads from volatile expressions, if enabled in the options.
#define HELP_NONDET_VOLATILE
void parameter_assignments(symbol_table_baset &symbol_table, goto_functionst &goto_functions)
removes returns
Add parameter assignments.
std::string align_center_with_border(const std::string &text)
Utility for displaying help centered messages borderered by "* *".
std::string banner_string(const std::string &front_end, const std::string &version)
Field-sensitive, location-insensitive points-to analysis.
static void race_check(value_setst &value_sets, symbol_table_baset &symbol_table, const irep_idt &function_id, goto_programt &goto_program, w_guardst &w_guards, message_handlert &message_handler)
Race Detection for Threaded Goto Programs.
void reachability_slicer(goto_modelt &goto_model, const bool include_forward_reachability, message_handlert &message_handler)
Perform reachability slicing on goto_model, with respect to the criterion given by all properties.
void function_path_reachability_slicer(goto_modelt &goto_model, const std::list< std::string > &functions_list, message_handlert &message_handler)
Perform reachability slicing on goto_model for selected functions.
#define HELP_FP_REACHABILITY_SLICER
#define HELP_REACHABILITY_SLICER
Range-based reaching definitions analysis (following Field- Sensitive Program Dependence Analysis,...
static bool read_goto_binary(const std::string &filename, symbol_tablet &, goto_functionst &, message_handlert &)
Read a goto binary from a file, but do not update config.
void remove_asm(goto_functionst &goto_functions, symbol_tablet &symbol_table, message_handlert &message_handler)
Replaces inline assembly instructions in the goto program (i.e., instructions of kind OTHER with a co...
bool has_asm(const goto_functionst &goto_functions)
returns true iff the given goto functions use asm instructions
Remove 'asm' statements by compiling them into suitable standard goto program instructions.
Remove calls to functions without a body.
#define HELP_REMOVE_CALLS_NO_BODY
#define HELP_REMOVE_CONST_FUNCTION_POINTERS
void remove_functions(goto_modelt &goto_model, const std::list< std::string > &names, message_handlert &message_handler)
Remove the body of all functions listed in "names" such that an analysis will treat it as a side-effe...
static void remove_functions_regex(goto_modelt &goto_model, const std::regex &pattern, const std::string &pattern_as_str, message_handlert &message_handler)
Remove functions matching a regular expression pattern.
Remove function definition.
void remove_function_pointers(message_handlert &_message_handler, goto_modelt &goto_model, bool only_remove_const_fps)
Remove Indirect Function Calls.
void restore_returns(goto_modelt &goto_model)
restores return statements
void remove_returns(symbol_table_baset &symbol_table, goto_functionst &goto_functions)
removes returns
Replace function returns by assignments to global variables.
void remove_skip(goto_programt &goto_program, goto_programt::targett begin, goto_programt::targett end)
remove unnecessary skip statements
void remove_unused_functions(goto_modelt &goto_model, message_handlert &message_handler)
void remove_virtual_functions(symbol_table_baset &symbol_table, goto_functionst &goto_functions)
Remove virtual function calls from all functions in the specified list and replace them with their mo...
Functions for replacing virtual function call with a static function calls in functions,...
#define HELP_REPLACE_CALLS
void parse_function_pointer_restriction_options_from_cmdline(const cmdlinet &cmdline, optionst &options)
void restrict_function_pointers(message_handlert &message_handler, goto_modelt &goto_model, const optionst &options)
Apply function pointer restrictions to a goto_model.
Given goto functions and a list of function parameters or globals that are function pointers with lis...
#define RESTRICT_FUNCTION_POINTER_OPT
#define RESTRICT_FUNCTION_POINTER_FROM_FILE_OPT
#define HELP_RESTRICT_FUNCTION_POINTER
#define RESTRICT_FUNCTION_POINTER_BY_NAME_OPT
static std::optional< exprt > rewrite_rw_ok(exprt expr, const namespacet &ns)
Rewrite r/w/rw_ok expressions to ones including prophecy variables recording the state.
void rewrite_union(exprt &expr)
We rewrite u.c for unions u into byte_extract(u, 0), and { .c = v } into byte_update(NIL,...
Race Detection for Threaded Goto Programs.
Single-entry, single-exit region analysis.
void label_properties(goto_modelt &goto_model)
Set the properties to check.
#define HELP_SHOW_GOTO_FUNCTIONS
void show_locations(ui_message_handlert::uit ui, const irep_idt function_id, const goto_programt &goto_program)
void show_properties(const namespacet &ns, const irep_idt &identifier, message_handlert &message_handler, ui_message_handlert::uit ui, const goto_programt &goto_program)
#define HELP_SHOW_PROPERTIES
void show_symbol_table(const symbol_table_baset &symbol_table, ui_message_handlert &ui)
void show_symbol_table_brief(const symbol_table_baset &symbol_table, ui_message_handlert &ui)
void show_value_sets(ui_message_handlert::uit ui, const goto_modelt &goto_model, const value_set_analysist &value_set_analysis)
static bool skip_loops(goto_programt &goto_program, const loop_idst &loop_ids, messaget &message)
Skip over selected loops by adding gotos.
void slice_global_inits(goto_modelt &goto_model, message_handlert &message_handler)
Remove initialization of global variables that are not used in any function reachable from the entry ...
Remove initializations of unused global variables.
bool splice_call(goto_functionst &goto_functions, const std::string &callercallee, const symbol_table_baset &symbol_table, message_handlert &message_handler)
Harnessing for goto functions.
#define CHECK_RETURN(CONDITION)
#define PRECONDITION(CONDITION)
static void stack_depth(goto_programt &goto_program, const symbol_exprt &symbol, const std::size_t i_depth, const exprt &max_depth)
unsigned safe_string2unsigned(const std::string &str, int base)
unsigned unsafe_string2unsigned(const std::string &str, int base)
std::size_t safe_string2size_t(const std::string &str, int base)
void string_abstraction(goto_modelt &goto_model, message_handlert &message_handler)
void split_string(const std::string &s, char delim, std::vector< std::string > &result, bool strip, bool remove_empty)
Loop contract configurations.
void thread_exit_instrumentation(goto_programt &goto_program)
void mutex_init_instrumentation(const symbol_tablet &symbol_table, goto_programt &goto_program, typet lock_type)
void list_undefined_functions(const goto_modelt &goto_model, std::ostream &os)
void undefined_function_abort_path(goto_modelt &goto_model)
Handling of functions without body.
#define widen_if_needed(s)
void add_uninitialized_locals_assertions(goto_modelt &goto_model)
void show_uninitialized(const goto_modelt &goto_model, std::ostream &out)
#define HELP_UNINITIALIZED_CHECK
value_set_analysis_templatet< value_set_domain_templatet< value_sett > > value_set_analysist
void value_set_fi_fp_removal(goto_modelt &goto_model, message_handlert &message_handler)
Builds the flow-insensitive value set for all function pointers and replaces function pointers with a...
flow insensitive value set function pointer removal
const char * CBMC_VERSION
void weak_memory(memory_modelt model, value_setst &value_sets, goto_modelt &goto_model, bool SCC, instrumentation_strategyt event_strategy, bool no_cfg_kill, bool no_dependencies, loop_strategyt duplicate_body, unsigned input_max_var, unsigned input_max_po_trans, bool render_po, bool render_file, bool render_function, bool cav11_option, bool hide_internals, message_handlert &message_handler, bool ignore_arrays)
instrumentation_strategyt
static void write_goto_binary(std::ostream &out, const symbol_table_baset &symbol_table, const goto_functionst &goto_functions, irep_serializationt &irepconverter)
Writes a goto program to disc, using goto binary format.
1.15.0