| 1 | #ifndef _MEM_
|
|---|
| 2 | #define _MEM_
|
|---|
| 3 | #include <civlc.cvh>
|
|---|
| 4 | #pragma CIVL ACSL
|
|---|
| 5 | /* A mem object is an immutable value representing a set of memory
|
|---|
| 6 | locations. The mem library provides the $mem type and a set of
|
|---|
| 7 | operations on mem objects.
|
|---|
| 8 |
|
|---|
| 9 | In CIVL-C, each process has, as part of its state, a "read stack"
|
|---|
| 10 | and a "write stack". Each stack consists of mutable stack entries.
|
|---|
| 11 | Each stack entry has a mem field, which is updated automatically each
|
|---|
| 12 | time the process performs a read or write. When the process reads
|
|---|
| 13 | memory location l, every entry on the read stack is updated with
|
|---|
| 14 | new mem values that are obtained by adding l to the old values.
|
|---|
| 15 | Similarly, when a process writes l, every entry on the write stack
|
|---|
| 16 | is so updated.
|
|---|
| 17 |
|
|---|
| 18 | New entries can be pushed onto the stacks using functions provided
|
|---|
| 19 | here. Similarly, each stack can be popped and the final mem value
|
|---|
| 20 | of the popped entry can be retrieved. These functions are useful
|
|---|
| 21 | for many things, such as checking for data races in multi-threaded
|
|---|
| 22 | programs.
|
|---|
| 23 |
|
|---|
| 24 | Note that $mem values can be created by casting a pointer expression
|
|---|
| 25 | to $mem. Examples:
|
|---|
| 26 |
|
|---|
| 27 | int x;
|
|---|
| 28 | $mem m1 = ($mem)&x;
|
|---|
| 29 | int a[10];
|
|---|
| 30 | $mem m2 = ($mem)&a[0]; // just the bits of "a[0]"
|
|---|
| 31 | $mem m3 = ($mem)&a; // all locations in a: a[0..9]
|
|---|
| 32 | $mem m4 = ($mem)a[0..9];
|
|---|
| 33 | $mem_equals(m3, m4); // true
|
|---|
| 34 | */
|
|---|
| 35 |
|
|---|
| 36 | /* **************** Functions to create $mem objects **************** */
|
|---|
| 37 |
|
|---|
| 38 | /* Pushes a new entry onto the write stack of the calling process.
|
|---|
| 39 | The mem field of the new entry will be the empty mem. */
|
|---|
| 40 | /*@ depends_on \nothing;
|
|---|
| 41 | @ executes_when \true;
|
|---|
| 42 | @*/
|
|---|
| 43 | $system void $write_set_push();
|
|---|
| 44 |
|
|---|
| 45 | /* Pops the top entry from the calling process' write stack. The mem
|
|---|
| 46 | field of that entry is returned. Behavior is undefined if the write
|
|---|
| 47 | stack is empty. */
|
|---|
| 48 | /*@ depends_on \nothing;
|
|---|
| 49 | @ executes_when \true;
|
|---|
| 50 | @*/
|
|---|
| 51 | $system $mem $write_set_pop();
|
|---|
| 52 |
|
|---|
| 53 | /* Returns the mem field of the top entry of the write stack of the
|
|---|
| 54 | calling process. */
|
|---|
| 55 | /*@ depends_on \nothing;
|
|---|
| 56 | @ executes_when \true;
|
|---|
| 57 | @*/
|
|---|
| 58 | $state_f $system $mem $write_set_peek();
|
|---|
| 59 |
|
|---|
| 60 | /* Pushes a new entry onto the read stack of the calling process.
|
|---|
| 61 | The mem field of the new entry will be the empty mem. */
|
|---|
| 62 | /*@ depends_on \nothing;
|
|---|
| 63 | @ executes_when \true;
|
|---|
| 64 | @*/
|
|---|
| 65 | $system void $read_set_push();
|
|---|
| 66 |
|
|---|
| 67 | /* Pops the top entry from the calling process' read stack. The mem
|
|---|
| 68 | field of that entry is returned. Behavior is undefined if the read
|
|---|
| 69 | stack is empty. */
|
|---|
| 70 | /*@ depends_on \nothing;
|
|---|
| 71 | @ executes_when \true;
|
|---|
| 72 | @*/
|
|---|
| 73 | $system $mem $read_set_pop();
|
|---|
| 74 |
|
|---|
| 75 | /* Returns the mem field of the top entry of the read stack of the
|
|---|
| 76 | calling process. */
|
|---|
| 77 | /*@ depends_on \nothing;
|
|---|
| 78 | @ executes_when \true;
|
|---|
| 79 | @*/
|
|---|
| 80 | $state_f $system $mem $read_set_peek();
|
|---|
| 81 |
|
|---|
| 82 | /* Returns the empty mem object. */
|
|---|
| 83 | /*@ depends_on \nothing;
|
|---|
| 84 | @ executes_when \true;
|
|---|
| 85 | @*/
|
|---|
| 86 | $atomic_f $system $mem $mem_empty();
|
|---|
| 87 |
|
|---|
| 88 | /* A predicate that holds iff the two mem values represent the same set of
|
|---|
| 89 | memory locations. */
|
|---|
| 90 | /*@ depends_on \nothing;
|
|---|
| 91 | @ executes_when \true;
|
|---|
| 92 | @*/
|
|---|
| 93 | $atomic_f $system _Bool $mem_equals($mem m0, $mem m1);
|
|---|
| 94 |
|
|---|
| 95 | /* A predicate that holds iff the set of memory location represented
|
|---|
| 96 | by "super" contains the set of memory locations represented by
|
|---|
| 97 | "sub". */
|
|---|
| 98 | /*@ depends_on \nothing;
|
|---|
| 99 | @ executes_when \true;
|
|---|
| 100 | @*/
|
|---|
| 101 | $atomic_f $system _Bool $mem_contains($mem super, $mem sub);
|
|---|
| 102 |
|
|---|
| 103 | /* Tests if two $mem objects have no overlap. Returns the condition that is
|
|---|
| 104 | true iff the two $mem objects have no overlap.
|
|---|
| 105 |
|
|---|
| 106 | If the returned condition cannot be proved valid at the state where a call
|
|---|
| 107 | to this function returns, the two output arguments: "out0" and "out1" will
|
|---|
| 108 | be assigned two $mem type values which is a pair of memory locations that
|
|---|
| 109 | have overlap.
|
|---|
| 110 | */
|
|---|
| 111 | /*@ depends_on \write(out0, out1);
|
|---|
| 112 | @ executes_when \true;
|
|---|
| 113 | @*/
|
|---|
| 114 | $atomic_f $system _Bool $mem_no_intersect($mem m0, $mem m1,
|
|---|
| 115 | $mem *out0, $mem *out1);
|
|---|
| 116 |
|
|---|
| 117 | /* Returns the mem object which represents the set of memory locations
|
|---|
| 118 | which is the union of the set of locations represented by mem0 and
|
|---|
| 119 | the set of locations represented by mem1. */
|
|---|
| 120 | /*@ depends_on \nothing;
|
|---|
| 121 | @ executes_when \true;
|
|---|
| 122 | @*/
|
|---|
| 123 | $atomic_f $system $mem $mem_union($mem mem0, $mem mem1);
|
|---|
| 124 |
|
|---|
| 125 | /* Returns a mem object which represents a set of memory locations
|
|---|
| 126 | that contains the union of the set of locations represented by mem0
|
|---|
| 127 | and the set of locations represented by mem1. The over-approximation
|
|---|
| 128 | to the union is obtained by some appropriate "widening" operator
|
|---|
| 129 | that is used to force convergence of an analysis. */
|
|---|
| 130 | /*@ depends_on \nothing;
|
|---|
| 131 | @ executes_when \true;
|
|---|
| 132 | @*/
|
|---|
| 133 | $atomic_f $system $mem $mem_union_widening($mem, $mem);
|
|---|
| 134 |
|
|---|
| 135 |
|
|---|
| 136 | // TODO: POR contract for the following two functions are incorrect
|
|---|
| 137 | // one must be able to express the set of memory locations in the $mem object in POR
|
|---|
| 138 | // contract
|
|---|
| 139 |
|
|---|
| 140 | /* Havocs (assigns arbitrary values to) all memory locations in the
|
|---|
| 141 | set represented by m. */
|
|---|
| 142 | /*@ depends_on \nothing;
|
|---|
| 143 | @ executes_when \true;
|
|---|
| 144 | @*/
|
|---|
| 145 | $atomic_f $system void $mem_havoc($mem m);
|
|---|
| 146 |
|
|---|
| 147 | /* Returns a mem object which represents a set of memory locations
|
|---|
| 148 | which contains the set of memory locations represented by m.
|
|---|
| 149 | The set returned is an over-approximation of m. It has been
|
|---|
| 150 | suitably "widened" to obtain convergence. */
|
|---|
| 151 | /*@ depends_on \nothing;
|
|---|
| 152 | @ executes_when \true;
|
|---|
| 153 | @*/
|
|---|
| 154 | $atomic_f $system $mem $mem_unary_widening($mem m);
|
|---|
| 155 |
|
|---|
| 156 | /* Assigns (in the current state) each memory location l in m, the value
|
|---|
| 157 | that l holds in state s. This assumes that there is a close
|
|---|
| 158 | correspondence between the current state and state s, so that a
|
|---|
| 159 | mapping between the locations in the two states can be established. */
|
|---|
| 160 | /*@ depends_on \nothing; // \access($mem_to_pointers($mem m))
|
|---|
| 161 | @ executes_when \true;
|
|---|
| 162 | @*/
|
|---|
| 163 | $atomic_f $system void $mem_assign_from($state s, $mem m);
|
|---|
| 164 |
|
|---|
| 165 | #endif
|
|---|
