module T = Types module V = Values open Scalars module E = Expressions open Errors module C = Contexts module Subst = Substitute module A = CfimAst module L = Logging open TypesUtils open ValuesUtils module Inv = Invariants module S = Synthesis open Utils open InterpreterUtils open InterpreterProjectors open InterpreterBorrows open InterpreterExpansion (* TODO: check that the value types are correct when evaluating *) (* TODO: for debugging purposes, we might want to put use eval_ctx everywhere (rather than only env) *) (* TODO: it would be good to find a "core", which implements the rules (like "end_borrow") and on top of which we build more complex functions which chose in which order to apply the rules, etc. This way we would make very explicit where we need to insert sanity checks, what the preconditions are, where invariants might be broken, etc. *) (* TODO: intensively test with PLT-redex *) (* TODO: remove the config parameters when they are useless *) (** TODO: change the name *) type eval_error = Panic type 'a eval_result = ('a, eval_error) result (** Paths *) (** When we fail reading from or writing to a path, it might be because we need to update the environment by ending borrows, expanding symbolic values, etc. The following type is used to convey this information. TODO: compare with borrow_lres? *) type path_fail_kind = | FailSharedLoan of V.BorrowId.Set.t (** Failure because we couldn't go inside a shared loan *) | FailMutLoan of V.BorrowId.id (** Failure because we couldn't go inside a mutable loan *) | FailInactivatedMutBorrow of V.BorrowId.id (** Failure because we couldn't go inside an inactivated mutable borrow (which should get activated) *) | FailSymbolic of (E.projection_elem * V.symbolic_proj_comp) (** Failure because we need to enter a symbolic value (and thus need to expand it) *) (* TODO: Remove the parentheses *) | FailBottom of (int * E.projection_elem * T.ety) (** Failure because we need to enter an any value - we can expand Bottom values if they are left values. We return the number of elements which were remaining in the path when we reached the error - this allows to properly update the Bottom value, if needs be. *) | FailBorrow of V.borrow_content (** We got stuck because we couldn't enter a borrow *) (** Result of evaluating a path (reading from a path/writing to a path) Note that when we fail, we return information used to update the environment, as well as the *) type 'a path_access_result = ('a, path_fail_kind) result (** The result of reading from/writing to a place *) type updated_read_value = { read : V.typed_value; updated : V.typed_value } type projection_access = { enter_shared_loans : bool; enter_mut_borrows : bool; lookup_shared_borrows : bool; } (** Generic function to access (read/write) the value at the end of a projection. We return the (eventually) updated value, the value we read at the end of the place and the (eventually) updated environment. TODO: use exceptions? *) let rec access_projection (access : projection_access) (ctx : C.eval_ctx) (* Function to (eventually) update the value we find *) (update : V.typed_value -> V.typed_value) (p : E.projection) (v : V.typed_value) : (C.eval_ctx * updated_read_value) path_access_result = (* For looking up/updating shared loans *) let ek : exploration_kind = { enter_shared_loans = true; enter_mut_borrows = true; enter_abs = true } in match p with | [] -> let nv = update v in (* Type checking *) if nv.ty <> v.ty then ( L.log#lerror (lazy ("Not the same type:\n- nv.ty: " ^ T.show_ety nv.ty ^ "\n- v.ty: " ^ T.show_ety v.ty)); failwith "Assertion failed: new value doesn't have the same type as its \ destination"); Ok (ctx, { read = v; updated = nv }) | pe :: p' -> ( (* Match on the projection element and the value *) match (pe, v.V.value, v.V.ty) with (* Field projection - ADTs *) | ( Field (ProjAdt (def_id, opt_variant_id), field_id), V.Adt adt, T.Adt (T.AdtId def_id', _, _) ) -> ( assert (def_id = def_id'); (* Check that the projection is consistent with the current value *) (match (opt_variant_id, adt.variant_id) with | None, None -> () | Some vid, Some vid' -> if vid <> vid' then failwith "Unreachable" | _ -> failwith "Unreachable"); (* Actually project *) let fv = T.FieldId.nth adt.field_values field_id in match access_projection access ctx update p' fv with | Error err -> Error err | Ok (ctx, res) -> (* Update the field value *) let nvalues = T.FieldId.update_nth adt.field_values field_id res.updated in let nadt = V.Adt { adt with V.field_values = nvalues } in let updated = { v with value = nadt } in Ok (ctx, { res with updated })) (* Tuples *) | Field (ProjTuple arity, field_id), V.Adt adt, T.Adt (T.Tuple, _, _) -> ( assert (arity = List.length adt.field_values); let fv = T.FieldId.nth adt.field_values field_id in (* Project *) match access_projection access ctx update p' fv with | Error err -> Error err | Ok (ctx, res) -> (* Update the field value *) let nvalues = T.FieldId.update_nth adt.field_values field_id res.updated in let ntuple = V.Adt { adt with field_values = nvalues } in let updated = { v with value = ntuple } in Ok (ctx, { res with updated }) (* If we reach Bottom, it may mean we need to expand an uninitialized * enumeration value *)) | Field (ProjAdt (_, _), _), V.Bottom, _ -> Error (FailBottom (1 + List.length p', pe, v.ty)) | Field (ProjTuple _, _), V.Bottom, _ -> Error (FailBottom (1 + List.length p', pe, v.ty)) (* Symbolic value: needs to be expanded *) | _, Symbolic sp, _ -> (* Expand the symbolic value *) Error (FailSymbolic (pe, sp)) (* Box dereferencement *) | ( DerefBox, Adt { variant_id = None; field_values = [ bv ] }, T.Adt (T.Assumed T.Box, _, _) ) -> ( (* We allow moving inside of boxes. In practice, this kind of * manipulations should happen only inside unsage code, so * it shouldn't happen due to user code, and we leverage it * when implementing box dereferencement for the concrete * interpreter *) match access_projection access ctx update p' bv with | Error err -> Error err | Ok (ctx, res) -> let nv = { v with value = V.Adt { variant_id = None; field_values = [ res.updated ] }; } in Ok (ctx, { res with updated = nv })) (* Borrows *) | Deref, V.Borrow bc, _ -> ( match bc with | V.SharedBorrow bid -> (* Lookup the loan content, and explore from there *) if access.lookup_shared_borrows then match lookup_loan ek bid ctx with | _, Concrete (V.MutLoan _) -> failwith "Expected a shared loan" | _, Concrete (V.SharedLoan (bids, sv)) -> ( (* Explore the shared value *) match access_projection access ctx update p' sv with | Error err -> Error err | Ok (ctx, res) -> (* Update the shared loan with the new value returned by [access_projection] *) let ctx = update_loan ek bid (V.SharedLoan (bids, res.updated)) ctx in (* Return - note that we don't need to update the borrow itself *) Ok (ctx, { res with updated = v })) | ( _, Abstract ( V.AMutLoan (_, _) | V.AEndedMutLoan { given_back = _; child = _ } | V.AEndedSharedLoan (_, _) | V.AIgnoredMutLoan (_, _) | V.AEndedIgnoredMutLoan { given_back = _; child = _ } | V.AIgnoredSharedLoan _ ) ) -> failwith "Expected a shared (abstraction) loan" | _, Abstract (V.ASharedLoan (bids, sv, _av)) -> ( (* Explore the shared value *) match access_projection access ctx update p' sv with | Error err -> Error err | Ok (ctx, res) -> (* Relookup the child avalue *) let av = match lookup_loan ek bid ctx with | _, Abstract (V.ASharedLoan (_, _, av)) -> av | _ -> failwith "Unexpected" in (* Update the shared loan with the new value returned by [access_projection] *) let ctx = update_aloan ek bid (V.ASharedLoan (bids, res.updated, av)) ctx in (* Return - note that we don't need to update the borrow itself *) Ok (ctx, { res with updated = v })) else Error (FailBorrow bc) | V.InactivatedMutBorrow bid -> Error (FailInactivatedMutBorrow bid) | V.MutBorrow (bid, bv) -> if access.enter_mut_borrows then match access_projection access ctx update p' bv with | Error err -> Error err | Ok (ctx, res) -> let nv = { v with value = V.Borrow (V.MutBorrow (bid, res.updated)); } in Ok (ctx, { res with updated = nv }) else Error (FailBorrow bc)) | _, V.Loan lc, _ -> ( match lc with | V.MutLoan bid -> Error (FailMutLoan bid) | V.SharedLoan (bids, sv) -> (* If we can enter shared loan, we ignore the loan. Pay attention to the fact that we need to reexplore the *whole* place (i.e, we mustn't ignore the current projection element *) if access.enter_shared_loans then match access_projection access ctx update (pe :: p') sv with | Error err -> Error err | Ok (ctx, res) -> let nv = { v with value = V.Loan (V.SharedLoan (bids, res.updated)); } in Ok (ctx, { res with updated = nv }) else Error (FailSharedLoan bids)) | (_, (V.Concrete _ | V.Adt _ | V.Bottom | V.Borrow _), _) as r -> let pe, v, ty = r in let pe = "- pe: " ^ E.show_projection_elem pe in let v = "- v:\n" ^ V.show_value v in let ty = "- ty:\n" ^ T.show_ety ty in L.log#serror ("Inconsistent projection:\n" ^ pe ^ "\n" ^ v ^ "\n" ^ ty); failwith "Inconsistent projection") (** Generic function to access (read/write) the value at a given place. We return the value we read at the place and the (eventually) updated environment, if we managed to access the place, or the precise reason why we failed. *) let access_place (access : projection_access) (* Function to (eventually) update the value we find *) (update : V.typed_value -> V.typed_value) (p : E.place) (ctx : C.eval_ctx) : (C.eval_ctx * V.typed_value) path_access_result = (* Lookup the variable's value *) let value = C.ctx_lookup_var_value ctx p.var_id in (* Apply the projection *) match access_projection access ctx update p.projection value with | Error err -> Error err | Ok (ctx, res) -> (* Update the value *) let ctx = C.ctx_update_var_value ctx p.var_id res.updated in (* Return *) Ok (ctx, res.read) type access_kind = | Read (** We can go inside borrows and loans *) | Write (** Don't enter shared borrows or shared loans *) | Move (** Don't enter borrows or loans *) let access_kind_to_projection_access (access : access_kind) : projection_access = match access with | Read -> { enter_shared_loans = true; enter_mut_borrows = true; lookup_shared_borrows = true; } | Write -> { enter_shared_loans = false; enter_mut_borrows = true; lookup_shared_borrows = false; } | Move -> { enter_shared_loans = false; enter_mut_borrows = false; lookup_shared_borrows = false; } (** Read the value at a given place *) let read_place (config : C.config) (access : access_kind) (p : E.place) (ctx : C.eval_ctx) : V.typed_value path_access_result = let access = access_kind_to_projection_access access in (* The update function is the identity *) let update v = v in match access_place access update p ctx with | Error err -> Error err | Ok (ctx1, read_value) -> (* Note that we ignore the new environment: it should be the same as the original one. *) if config.check_invariants then if ctx1 <> ctx then ( let msg = "Unexpected environment update:\nNew environment:\n" ^ C.show_env ctx1.env ^ "\n\nOld environment:\n" ^ C.show_env ctx.env in L.log#serror msg; failwith "Unexpected environment update"); Ok read_value let read_place_unwrap (config : C.config) (access : access_kind) (p : E.place) (ctx : C.eval_ctx) : V.typed_value = match read_place config access p ctx with | Error _ -> failwith "Unreachable" | Ok v -> v (** Update the value at a given place *) let write_place (_config : C.config) (access : access_kind) (p : E.place) (nv : V.typed_value) (ctx : C.eval_ctx) : C.eval_ctx path_access_result = let access = access_kind_to_projection_access access in (* The update function substitutes the value with the new value *) let update _ = nv in match access_place access update p ctx with | Error err -> Error err | Ok (ctx, _) -> (* We ignore the read value *) Ok ctx let write_place_unwrap (config : C.config) (access : access_kind) (p : E.place) (nv : V.typed_value) (ctx : C.eval_ctx) : C.eval_ctx = match write_place config access p nv ctx with | Error _ -> failwith "Unreachable" | Ok ctx -> ctx (** Compute an expanded ADT bottom value *) let compute_expanded_bottom_adt_value (tyctx : T.type_def list) (def_id : T.TypeDefId.id) (opt_variant_id : T.VariantId.id option) (regions : T.erased_region list) (types : T.ety list) : V.typed_value = (* Lookup the definition and check if it is an enumeration - it should be an enumeration if and only if the projection element is a field projection with *some* variant id. Retrieve the list of fields at the same time. *) let def = T.TypeDefId.nth tyctx def_id in assert (List.length regions = List.length def.T.region_params); (* Compute the field types *) let field_types = Subst.type_def_get_instantiated_field_etypes def opt_variant_id types in (* Initialize the expanded value *) let fields = List.map (fun ty : V.typed_value -> ({ V.value = V.Bottom; ty } : V.typed_value)) field_types in let av = V.Adt { variant_id = opt_variant_id; field_values = fields } in let ty = T.Adt (T.AdtId def_id, regions, types) in { V.value = av; V.ty } (** Compute an expanded tuple bottom value *) let compute_expanded_bottom_tuple_value (field_types : T.ety list) : V.typed_value = (* Generate the field values *) let fields = List.map (fun ty : V.typed_value -> { V.value = Bottom; ty }) field_types in let v = V.Adt { variant_id = None; field_values = fields } in let ty = T.Adt (T.Tuple, [], field_types) in { V.value = v; V.ty } (** Auxiliary helper to expand [Bottom] values. During compilation, rustc desaggregates the ADT initializations. The consequence is that the following rust code: ``` let x = Cons a b; ``` Looks like this in MIR: ``` (x as Cons).0 = a; (x as Cons).1 = b; set_discriminant(x, 0); // If `Cons` is the variant of index 0 ``` The consequence is that we may sometimes need to write fields to values which are currently [Bottom]. When doing this, we first expand the value to, say, [Cons Bottom Bottom] (note that field projection contains information about which variant we should project to, which is why we *can* set the variant index when writing one of its fields). *) let expand_bottom_value_from_projection (config : C.config) (access : access_kind) (p : E.place) (remaining_pes : int) (pe : E.projection_elem) (ty : T.ety) (ctx : C.eval_ctx) : C.eval_ctx = (* Debugging *) L.log#ldebug (lazy ("expand_bottom_value_from_projection:\n" ^ "pe: " ^ E.show_projection_elem pe ^ "\n" ^ "ty: " ^ T.show_ety ty)); (* Prepare the update: we need to take the proper prefix of the place during whose evaluation we got stuck *) let projection' = fst (Utilities.list_split_at p.projection (List.length p.projection - remaining_pes)) in let p' = { p with projection = projection' } in (* Compute the expanded value. The type of the [Bottom] value should be a tuple or an ADT. Note that the projection element we got stuck at should be a field projection, and gives the variant id if the [Bottom] value is an enumeration value. Also, the expanded value should be the proper ADT variant or a tuple with the proper arity, with all the fields initialized to [Bottom] *) let nv = match (pe, ty) with (* "Regular" ADTs *) | ( Field (ProjAdt (def_id, opt_variant_id), _), T.Adt (T.AdtId def_id', regions, types) ) -> assert (def_id = def_id'); compute_expanded_bottom_adt_value ctx.type_context.type_defs def_id opt_variant_id regions types (* Tuples *) | Field (ProjTuple arity, _), T.Adt (T.Tuple, [], tys) -> assert (arity = List.length tys); (* Generate the field values *) compute_expanded_bottom_tuple_value tys | _ -> failwith ("Unreachable: " ^ E.show_projection_elem pe ^ ", " ^ T.show_ety ty) in (* Update the context by inserting the expanded value at the proper place *) match write_place config access p' nv ctx with | Ok ctx -> ctx | Error _ -> failwith "Unreachable" (** Update the environment to be able to read a place. When reading a place, we may be stuck along the way because some value is borrowed, we reach a symbolic value, etc. In this situation [read_place] fails while returning precise information about the failure. This function uses this information to update the environment (by ending borrows, expanding symbolic values) until we manage to fully read the place. *) let rec update_ctx_along_read_place (config : C.config) (access : access_kind) (p : E.place) (ctx : C.eval_ctx) : C.eval_ctx = (* Attempt to read the place: if it fails, update the environment and retry *) match read_place config access p ctx with | Ok _ -> ctx | Error err -> let ctx = match err with | FailSharedLoan bids -> end_outer_borrows config bids ctx | FailMutLoan bid -> end_outer_borrow config bid ctx | FailInactivatedMutBorrow bid -> activate_inactivated_mut_borrow config Outer bid ctx | FailSymbolic (pe, sp) -> (* Expand the symbolic value *) expand_symbolic_value_no_branching config pe sp ctx | FailBottom (_, _, _) -> (* We can't expand [Bottom] values while reading them *) failwith "Found [Bottom] while reading a place" | FailBorrow _ -> failwith "Could not read a borrow" in update_ctx_along_read_place config access p ctx (** Update the environment to be able to write to a place. See [update_env_alond_read_place]. *) let rec update_ctx_along_write_place (config : C.config) (access : access_kind) (p : E.place) (ctx : C.eval_ctx) : C.eval_ctx = (* Attempt to *read* (yes, "read": we check the access to the place, and write to it later) the place: if it fails, update the environment and retry *) match read_place config access p ctx with | Ok _ -> ctx | Error err -> let ctx = match err with | FailSharedLoan bids -> end_outer_borrows config bids ctx | FailMutLoan bid -> end_outer_borrow config bid ctx | FailInactivatedMutBorrow bid -> activate_inactivated_mut_borrow config Outer bid ctx | FailSymbolic (pe, sp) -> (* Expand the symbolic value *) expand_symbolic_value_no_branching config pe sp ctx | FailBottom (remaining_pes, pe, ty) -> (* Expand the [Bottom] value *) expand_bottom_value_from_projection config access p remaining_pes pe ty ctx | FailBorrow _ -> failwith "Could not write to a borrow" in update_ctx_along_write_place config access p ctx exception UpdateCtx of C.eval_ctx (** Small utility used to break control-flow *) (** End the loans at a given place: read the value, if it contains a loan, end this loan, repeat. This is used when reading, borrowing, writing to a value. We typically first call [update_ctx_along_read_place] or [update_ctx_along_write_place] to get access to the value, then call this function to "prepare" the value: when moving values, we can't move a value which contains loans and thus need to end them, etc. *) let rec end_loans_at_place (config : C.config) (access : access_kind) (p : E.place) (ctx : C.eval_ctx) : C.eval_ctx = (* Iterator to explore a value and update the context whenever we find * loans. * We use exceptions to make it handy: whenever we update the * context, we raise an exception wrapping the updated context. * *) let obj = object inherit [_] V.iter_typed_value as super method! visit_borrow_content env bc = match bc with | V.SharedBorrow _ | V.MutBorrow (_, _) -> (* Nothing special to do *) super#visit_borrow_content env bc | V.InactivatedMutBorrow bid -> (* We need to activate inactivated borrows *) let ctx = activate_inactivated_mut_borrow config Inner bid ctx in raise (UpdateCtx ctx) method! visit_loan_content env lc = match lc with | V.SharedLoan (bids, v) -> ( (* End the loans if we need a modification access, otherwise dive into the shared value *) match access with | Read -> super#visit_SharedLoan env bids v | Write | Move -> let ctx = end_outer_borrows config bids ctx in raise (UpdateCtx ctx)) | V.MutLoan bid -> (* We always need to end mutable borrows *) let ctx = end_outer_borrow config bid ctx in raise (UpdateCtx ctx) end in (* First, retrieve the value *) match read_place config access p ctx with | Error _ -> failwith "Unreachable" | Ok v -> ( (* Inspect the value and update the context while doing so. If the context gets updated: perform a recursive call (many things may have been updated in the context: we need to re-read the value at place [p] - and this value may actually not be accessible anymore...) *) try obj#visit_typed_value () v; (* No context update required: return the current context *) ctx with UpdateCtx ctx -> (* The context was updated: do a recursive call to reinspect the value *) end_loans_at_place config access p ctx) (** Drop (end) all the loans and borrows at a given place, which should be seen as an l-value (we will write to it later, but need to drop the borrows before writing). We start by only dropping the borrows, then we end the loans. The reason is that some loan we find may be borrowed by another part of the subvalue. In order to correctly handle the "outer borrow" priority (we should end the outer borrows first) which is not really applied here (we are preparing the value for override: we can end the borrows inside, without ending the borrows we traversed to actually access the value) we first end the borrows we find in the place, to make sure all the "local" loans are taken care of. Then, if we find a loan, it means it is "externally" borrowed (the associated borrow is not in a subvalue of the place under inspection). Also note that whenever we end a loan, we might propagate back a value inside the place under inspection: we must re-end all the borrows we find there, before reconsidering loans. Repeat: - read the value at a given place - as long as we find a loan or a borrow, end it This is used to drop values (when we need to write to a place, we first drop the value there to properly propagate back values which are not/can't be borrowed anymore). *) let rec drop_borrows_loans_at_lplace (config : C.config) (p : E.place) (ctx : C.eval_ctx) : C.eval_ctx = (* Iterator to explore a value and update the context whenever we find borrows/loans. We use exceptions to make it handy: whenever we update the context, we raise an exception wrapping the updated context. Note that we can end the borrows which are inside the value (while the value itself might be inside a borrow/loan: we are thus ending inner borrows). Because a loan inside the value may be linked to a borrow somewhere else *also inside* the value (it's possible with adts), we first end all the borrows we find - by using [Inner] to allow ending inner borrows - then end all the loans we find. It is really important to do this in two steps: the borrow linked to a loan may be inside the value at place p, in which case this borrow may be an inner borrow that we *can* end, but it may also be outside this value, in which case we need to end all the outer borrows first... Also, whenever the context is updated, we need to re-inspect the value at place p *in two steps* again (end borrows, then end loans). Example: ======= We want to end the borrows/loans at `*x` in the following environment: ``` x -> mut_borrow l0 (mut_loan l1, mut_borrow l1 (Int 3), mut_loan l2) y -> mut_borrow l2 (Bool true) ``` We have to consider two things: - the borrow `mut_borrow l1 (Int 3)` borrows a subvalue of `*x` - the borrow corresponding to the loan `mut_loan l2` is outside of `*x` We first end all the *borrows* (not the loans) inside of `*x`, which gives: ``` x -> mut_borrow l0 (Int 3, ⊥, mut_loan l2) y -> mut_borrow l2 (Bool true) ``` Note that when ending the borrows, we can (and have to) ignore the outer borrows (in this case `mut_borrow l0 ...`). Otherwise, we would have to end the borrow `l0` which is incorrect (note that we might have to drop the borrows/loans at `*x` if we evaluate, for instance, `*x = ...`). It is ok to ignore outer borrows in this case because whenever we end a borrow, it is an outer borrow locally to `*x` (i.e., we ignore the outer borrows when accessing `*x`, but once examining the value at `*x` we never dive into borrows: whenever we find one, we end it - it is thus an outer borrow, in some way). Then, we end the loans at `*x`. Note that as at this point `*x` doesn't contain borrows (only loans), the borrows corresponding to those loans are thus necessarily outside of `*x`: we mustn't ignore outer borrows this time. This gives: ``` x -> mut_borrow l0 (Int 3, ⊥, Bool true) y -> ⊥ ``` *) let obj = object inherit [_] V.iter_typed_value as super method! visit_borrow_content end_loans bc = (* Sanity check: we should have ended all the borrows before starting to end loans *) assert (not end_loans); (* We need to end all borrows. Note that we ignore the outer borrows when ending the borrows we find here (we call [end_inner_borrow(s)]: the value at place p might be below a borrow/loan). Note however that if we restrain ourselves at the value at place p, the borrow we found here can be considered as an outer borrow. *) match bc with | V.SharedBorrow bid | V.MutBorrow (bid, _) -> raise (UpdateCtx (end_inner_borrow config bid ctx)) | V.InactivatedMutBorrow bid -> (* We need to activate ithe nactivated borrow - later, we will * actually end it - Rk.: we could actually end it straight away * (this is not really important) *) let ctx = activate_inactivated_mut_borrow config Inner bid ctx in raise (UpdateCtx ctx) method! visit_loan_content end_loans lc = if (* If we can, end the loans, otherwise ignore: keep for later *) end_loans then (* We need to end all loans. Note that as all the borrows inside the value at place p should already have ended, the borrows associated to the loans we find here should be borrows from outside this value: we need to call [end_outer_borrow(s)] (we can't ignore outer borrows this time). *) match lc with | V.SharedLoan (bids, _) -> raise (UpdateCtx (end_outer_borrows config bids ctx)) | V.MutLoan bid -> raise (UpdateCtx (end_outer_borrow config bid ctx)) else super#visit_loan_content end_loans lc end in (* We do something similar to [end_loans_at_place]. First, retrieve the value *) match read_place config Write p ctx with | Error _ -> failwith "Unreachable" | Ok v -> ( (* Inspect the value and update the context while doing so. If the context gets updated: perform a recursive call (many things may have been updated in the context: first we need to retrieve the proper updated value - and this value may actually not be accessible anymore *) try (* Inspect the value: end the borrows only *) obj#visit_typed_value false v; (* Inspect the value: end the loans *) obj#visit_typed_value true v; (* No context update required: return the current context *) ctx with UpdateCtx ctx -> drop_borrows_loans_at_lplace config p ctx) (** Copy a value, and return the resulting value. Note that copying values might update the context. For instance, when copying shared borrows, we need to insert new shared borrows in the context. Also, this function is actually more general than it should be: it can be used to copy concrete ADT values, while ADT copy should be done through the Copy trait (i.e., by calling a dedicated function). This is why we added a parameter to control this copy. Note that here by ADT we mean the user-defined ADTs (not tuples or assumed types). *) let rec copy_value (allow_adt_copy : bool) (config : C.config) (ctx : C.eval_ctx) (v : V.typed_value) : C.eval_ctx * V.typed_value = (* Remark: at some point we rewrote this function to use iterators, but then * we reverted the changes: the result was less clear actually. In particular, * the fact that we have exhaustive matches below makes very obvious the cases * in which we need to fail *) match v.V.value with | V.Concrete _ -> (ctx, v) | V.Adt av -> (* Sanity check *) (match v.V.ty with | T.Adt (T.Assumed _, _, _) -> failwith "Can't copy an assumed value" | T.Adt (T.AdtId _, _, _) -> assert allow_adt_copy | T.Adt (T.Tuple, _, _) -> () (* Ok *) | _ -> failwith "Unreachable"); let ctx, fields = List.fold_left_map (copy_value allow_adt_copy config) ctx av.field_values in (ctx, { v with V.value = V.Adt { av with field_values = fields } }) | V.Bottom -> failwith "Can't copy ⊥" | V.Borrow bc -> ( (* We can only copy shared borrows *) match bc with | SharedBorrow bid -> (* We need to create a new borrow id for the copied borrow, and * update the context accordingly *) let ctx, bid' = C.fresh_borrow_id ctx in let ctx = reborrow_shared bid bid' ctx in (ctx, { v with V.value = V.Borrow (SharedBorrow bid') }) | MutBorrow (_, _) -> failwith "Can't copy a mutable borrow" | V.InactivatedMutBorrow _ -> failwith "Can't copy an inactivated mut borrow") | V.Loan lc -> ( (* We can only copy shared loans *) match lc with | V.MutLoan _ -> failwith "Can't copy a mutable loan" | V.SharedLoan (_, sv) -> (* We don't copy the shared loan: only the shared value inside *) copy_value allow_adt_copy config ctx sv) | V.Symbolic sp -> (* We can copy only if the type is "primitively" copyable. * Note that in the general case, copy is a trait: copying values * thus requires calling the proper function. Here, we copy values * for very simple types such as integers, shared borrows, etc. *) assert ( type_is_primitively_copyable (Subst.erase_regions sp.V.svalue.V.sv_ty)); (* If the type is copyable, we simply return the current value. Side * remark: what is important to look at when copying symbolic values * is symbolic expansion. The important subcase is the expansion of shared * borrows: when doing so, every occurrence of the same symbolic value * must use a fresh borrow id. *) (ctx, v) (** Convert a constant operand value to a typed value *) let constant_value_to_typed_value (ctx : C.eval_ctx) (ty : T.ety) (cv : E.operand_constant_value) : V.typed_value = (* Check the type while converting *) match (ty, cv) with (* Unit *) | T.Adt (T.Tuple, [], []), Unit -> mk_unit_value (* Adt with one variant and no fields *) | T.Adt (T.AdtId def_id, [], []), ConstantAdt def_id' -> assert (def_id = def_id'); (* Check that the adt definition only has one variant with no fields, compute the variant id at the same time. *) let def = C.ctx_lookup_type_def ctx def_id in assert (List.length def.region_params = 0); assert (List.length def.type_params = 0); let variant_id = match def.kind with | Struct fields -> assert (List.length fields = 0); None | Enum variants -> assert (List.length variants = 1); let variant_id = T.VariantId.zero in let variant = T.VariantId.nth variants variant_id in assert (List.length variant.fields = 0); Some variant_id in let value = V.Adt { variant_id; field_values = [] } in { value; ty } (* Scalar, boolean... *) | T.Bool, ConstantValue (Bool v) -> { V.value = V.Concrete (Bool v); ty } | T.Char, ConstantValue (Char v) -> { V.value = V.Concrete (Char v); ty } | T.Str, ConstantValue (String v) -> { V.value = V.Concrete (String v); ty } | T.Integer int_ty, ConstantValue (V.Scalar v) -> (* Check the type and the ranges *) assert (int_ty == v.int_ty); assert (check_scalar_value_in_range v); { V.value = V.Concrete (V.Scalar v); ty } (* Remaining cases (invalid) - listing as much as we can on purpose (allows to catch errors at compilation if the definitions change) *) | _, Unit | _, ConstantAdt _ | _, ConstantValue _ -> failwith "Improperly typed constant value" (** Small utility *) let prepare_rplace (config : C.config) (access : access_kind) (p : E.place) (ctx : C.eval_ctx) : C.eval_ctx * V.typed_value = let ctx = update_ctx_along_read_place config access p ctx in let ctx = end_loans_at_place config access p ctx in let v = read_place_unwrap config access p ctx in (ctx, v) (** Prepare the evaluation of an operand. *) let eval_operand_prepare (config : C.config) (ctx : C.eval_ctx) (op : E.operand) : C.eval_ctx * V.typed_value = let ctx, v = match op with | Expressions.Constant (ty, cv) -> let v = constant_value_to_typed_value ctx ty cv in (ctx, v) | Expressions.Copy p -> (* Access the value *) let access = Read in prepare_rplace config access p ctx | Expressions.Move p -> (* Access the value *) let access = Move in prepare_rplace config access p ctx in assert (not (bottom_in_value v)); (ctx, v) (** Evaluate an operand. *) let eval_operand (config : C.config) (ctx : C.eval_ctx) (op : E.operand) : C.eval_ctx * V.typed_value = (* Debug *) L.log#ldebug (lazy ("eval_operand:\n- ctx:\n" ^ eval_ctx_to_string ctx ^ "\n\n- op:\n" ^ operand_to_string ctx op ^ "\n")); (* Evaluate *) match op with | Expressions.Constant (ty, cv) -> let v = constant_value_to_typed_value ctx ty cv in (ctx, v) | Expressions.Copy p -> (* Access the value *) let access = Read in let ctx, v = prepare_rplace config access p ctx in (* Copy the value *) L.log#ldebug (lazy ("Value to copy:\n" ^ typed_value_to_string ctx v)); assert (not (bottom_in_value v)); let allow_adt_copy = false in copy_value allow_adt_copy config ctx v | Expressions.Move p -> ( (* Access the value *) let access = Move in let ctx, v = prepare_rplace config access p ctx in (* Move the value *) L.log#ldebug (lazy ("Value to move:\n" ^ typed_value_to_string ctx v)); assert (not (bottom_in_value v)); let bottom : V.typed_value = { V.value = Bottom; ty = v.ty } in match write_place config access p bottom ctx with | Error _ -> failwith "Unreachable" | Ok ctx -> (ctx, v)) (** Evaluate several operands. *) let eval_operands (config : C.config) (ctx : C.eval_ctx) (ops : E.operand list) : C.eval_ctx * V.typed_value list = List.fold_left_map (fun ctx op -> eval_operand config ctx op) ctx ops let eval_two_operands (config : C.config) (ctx : C.eval_ctx) (op1 : E.operand) (op2 : E.operand) : C.eval_ctx * V.typed_value * V.typed_value = match eval_operands config ctx [ op1; op2 ] with | ctx, [ v1; v2 ] -> (ctx, v1, v2) | _ -> failwith "Unreachable" let eval_unary_op_concrete (config : C.config) (ctx : C.eval_ctx) (unop : E.unop) (op : E.operand) : (C.eval_ctx * V.typed_value) eval_result = (* Evaluate the operand *) let ctx, v = eval_operand config ctx op in (* Apply the unop *) match (unop, v.V.value) with | E.Not, V.Concrete (Bool b) -> Ok (ctx, { v with V.value = V.Concrete (Bool (not b)) }) | E.Neg, V.Concrete (V.Scalar sv) -> ( let i = Z.neg sv.V.value in match mk_scalar sv.int_ty i with | Error _ -> Error Panic | Ok sv -> Ok (ctx, { v with V.value = V.Concrete (V.Scalar sv) })) | _ -> failwith "Invalid input for unop" let eval_unary_op_symbolic (config : C.config) (ctx : C.eval_ctx) (unop : E.unop) (op : E.operand) : (C.eval_ctx * V.typed_value) eval_result = (* Evaluate the operand *) let ctx, v = eval_operand config ctx op in (* Generate a fresh symbolic value to store the result *) let ctx, res_sv_id = C.fresh_symbolic_value_id ctx in let res_sv_ty = match (unop, v.V.ty) with | E.Not, T.Bool -> T.Bool | E.Neg, T.Integer int_ty -> T.Integer int_ty | _ -> failwith "Invalid input for unop" in let res_sv = { V.sv_id = res_sv_id; sv_ty = res_sv_ty } in (* Synthesize *) S.synthesize_unary_op unop v res_sv; (* Return *) Ok (ctx, mk_typed_value_from_symbolic_value res_sv) let eval_unary_op (config : C.config) (ctx : C.eval_ctx) (unop : E.unop) (op : E.operand) : (C.eval_ctx * V.typed_value) eval_result = match config.mode with | C.ConcreteMode -> eval_unary_op_concrete config ctx unop op | C.SymbolicMode -> eval_unary_op_symbolic config ctx unop op let eval_binary_op_concrete (config : C.config) (ctx : C.eval_ctx) (binop : E.binop) (op1 : E.operand) (op2 : E.operand) : (C.eval_ctx * V.typed_value) eval_result = (* Evaluate the operands *) let ctx, v1, v2 = eval_two_operands config ctx op1 op2 in (* Equality check binops (Eq, Ne) accept values from a wide variety of types. * The remaining binops only operate on scalars. *) if binop = Eq || binop = Ne then ( (* Equality operations *) assert (v1.ty = v2.ty); (* Equality/inequality check is primitive only for a subset of types *) assert (type_is_primitively_copyable v1.ty); let b = v1 = v2 in Ok (ctx, { V.value = V.Concrete (Bool b); ty = T.Bool })) else (* For the non-equality operations, the input values are necessarily scalars *) match (v1.V.value, v2.V.value) with | V.Concrete (V.Scalar sv1), V.Concrete (V.Scalar sv2) -> ( let res = (* There are binops which require the two operands to have the same type, and binops for which it is not the case. There are also binops which return booleans, and binops which return integers. *) match binop with | E.Lt | E.Le | E.Ge | E.Gt -> (* The two operands must have the same type and the result is a boolean *) assert (sv1.int_ty = sv2.int_ty); let b = match binop with | E.Lt -> Z.lt sv1.V.value sv2.V.value | E.Le -> Z.leq sv1.V.value sv2.V.value | E.Ge -> Z.geq sv1.V.value sv2.V.value | E.Gt -> Z.gt sv1.V.value sv2.V.value | E.Div | E.Rem | E.Add | E.Sub | E.Mul | E.BitXor | E.BitAnd | E.BitOr | E.Shl | E.Shr | E.Ne | E.Eq -> failwith "Unreachable" in Ok ({ V.value = V.Concrete (Bool b); ty = T.Bool } : V.typed_value) | E.Div | E.Rem | E.Add | E.Sub | E.Mul | E.BitXor | E.BitAnd | E.BitOr -> ( (* The two operands must have the same type and the result is an integer *) assert (sv1.int_ty = sv2.int_ty); let res = match binop with | E.Div -> if sv2.V.value = Z.zero then Error () else mk_scalar sv1.int_ty (Z.div sv1.V.value sv2.V.value) | E.Rem -> (* See [https://github.com/ocaml/Zarith/blob/master/z.mli] *) if sv2.V.value = Z.zero then Error () else mk_scalar sv1.int_ty (Z.rem sv1.V.value sv2.V.value) | E.Add -> mk_scalar sv1.int_ty (Z.add sv1.V.value sv2.V.value) | E.Sub -> mk_scalar sv1.int_ty (Z.sub sv1.V.value sv2.V.value) | E.Mul -> mk_scalar sv1.int_ty (Z.mul sv1.V.value sv2.V.value) | E.BitXor -> raise Unimplemented | E.BitAnd -> raise Unimplemented | E.BitOr -> raise Unimplemented | E.Lt | E.Le | E.Ge | E.Gt | E.Shl | E.Shr | E.Ne | E.Eq -> failwith "Unreachable" in match res with | Error err -> Error err | Ok sv -> Ok { V.value = V.Concrete (V.Scalar sv); ty = Integer sv1.int_ty; }) | E.Shl | E.Shr -> raise Unimplemented | E.Ne | E.Eq -> failwith "Unreachable" in match res with Error _ -> Error Panic | Ok v -> Ok (ctx, v)) | _ -> failwith "Invalid inputs for binop" let eval_binary_op_symbolic (config : C.config) (ctx : C.eval_ctx) (binop : E.binop) (op1 : E.operand) (op2 : E.operand) : (C.eval_ctx * V.typed_value) eval_result = (* Evaluate the operands *) let ctx, v1, v2 = eval_two_operands config ctx op1 op2 in (* Generate a fresh symbolic value to store the result *) let ctx, res_sv_id = C.fresh_symbolic_value_id ctx in let res_sv_ty = if binop = Eq || binop = Ne then ( (* Equality operations *) assert (v1.ty = v2.ty); (* Equality/inequality check is primitive only for a subset of types *) assert (type_is_primitively_copyable v1.ty); T.Bool) else (* Other operations: input types are integers *) match (v1.V.ty, v2.V.ty) with | T.Integer int_ty1, T.Integer int_ty2 -> ( match binop with | E.Lt | E.Le | E.Ge | E.Gt -> assert (int_ty1 = int_ty2); T.Bool | E.Div | E.Rem | E.Add | E.Sub | E.Mul | E.BitXor | E.BitAnd | E.BitOr -> assert (int_ty1 = int_ty2); T.Integer int_ty1 | E.Shl | E.Shr -> raise Unimplemented | E.Ne | E.Eq -> failwith "Unreachable") | _ -> failwith "Invalid inputs for binop" in let res_sv = { V.sv_id = res_sv_id; sv_ty = res_sv_ty } in (* Synthesize *) S.synthesize_binary_op binop v1 v2 res_sv; (* Return *) Ok (ctx, mk_typed_value_from_symbolic_value res_sv) let eval_binary_op (config : C.config) (ctx : C.eval_ctx) (binop : E.binop) (op1 : E.operand) (op2 : E.operand) : (C.eval_ctx * V.typed_value) eval_result = match config.mode with | C.ConcreteMode -> eval_binary_op_concrete config ctx binop op1 op2 | C.SymbolicMode -> eval_binary_op_symbolic config ctx binop op1 op2 (** Evaluate the discriminant of a concrete (i.e., non symbolic) ADT value *) let eval_rvalue_discriminant_concrete (config : C.config) (p : E.place) (ctx : C.eval_ctx) : C.eval_ctx * V.typed_value = (* Note that discriminant values have type `isize` *) (* Access the value *) let access = Read in let ctx, v = prepare_rplace config access p ctx in match v.V.value with | Adt av -> ( match av.variant_id with | None -> failwith "Invalid input for `discriminant`: structure instead of enum" | Some variant_id -> ( let id = Z.of_int (T.VariantId.to_int variant_id) in match mk_scalar Isize id with | Error _ -> failwith "Disciminant id out of range" (* Should really never happen *) | Ok sv -> (ctx, { V.value = V.Concrete (V.Scalar sv); ty = Integer Isize })) ) | _ -> failwith "Invalid input for `discriminant`" let eval_rvalue_discriminant (config : C.config) (p : E.place) (ctx : C.eval_ctx) : (C.eval_ctx * V.typed_value) list = S.synthesize_eval_rvalue_discriminant p; (* Note that discriminant values have type `isize` *) (* Access the value *) let access = Read in let ctx, v = prepare_rplace config access p ctx in match v.V.value with | Adt _ -> [ eval_rvalue_discriminant_concrete config p ctx ] | Symbolic sv -> (* Expand the symbolic value - may lead to branching *) let ctxl = expand_symbolic_enum_value config sv ctx in (* This time the value is concrete: reevaluate *) List.map (eval_rvalue_discriminant_concrete config p) ctxl | _ -> failwith "Invalid input for `discriminant`" let eval_rvalue_ref (config : C.config) (ctx : C.eval_ctx) (p : E.place) (bkind : E.borrow_kind) : C.eval_ctx * V.typed_value = S.synthesize_eval_rvalue_ref p bkind; match bkind with | E.Shared | E.TwoPhaseMut -> (* Access the value *) let access = if bkind = E.Shared then Read else Write in let ctx, v = prepare_rplace config access p ctx in (* Compute the rvalue - simply a shared borrow with a fresh id *) let ctx, bid = C.fresh_borrow_id ctx in (* Note that the reference is *mutable* if we do a two-phase borrow *) let rv_ty = T.Ref (T.Erased, v.ty, if bkind = E.Shared then Shared else Mut) in let bc = if bkind = E.Shared then V.SharedBorrow bid else V.InactivatedMutBorrow bid in let rv : V.typed_value = { V.value = V.Borrow bc; ty = rv_ty } in (* Compute the value with which to replace the value at place p *) let nv = match v.V.value with | V.Loan (V.SharedLoan (bids, sv)) -> (* Shared loan: insert the new borrow id *) let bids1 = V.BorrowId.Set.add bid bids in { v with V.value = V.Loan (V.SharedLoan (bids1, sv)) } | _ -> (* Not a shared loan: add a wrapper *) let v' = V.Loan (V.SharedLoan (V.BorrowId.Set.singleton bid, v)) in { v with V.value = v' } in (* Update the value in the context *) let ctx = write_place_unwrap config access p nv ctx in (* Return *) (ctx, rv) | E.Mut -> (* Access the value *) let access = Write in let ctx, v = prepare_rplace config access p ctx in (* Compute the rvalue - wrap the value in a mutable borrow with a fresh id *) let ctx, bid = C.fresh_borrow_id ctx in let rv_ty = T.Ref (T.Erased, v.ty, Mut) in let rv : V.typed_value = { V.value = V.Borrow (V.MutBorrow (bid, v)); ty = rv_ty } in (* Compute the value with which to replace the value at place p *) let nv = { v with V.value = V.Loan (V.MutLoan bid) } in (* Update the value in the context *) let ctx = write_place_unwrap config access p nv ctx in (* Return *) (ctx, rv) let eval_rvalue_aggregate (config : C.config) (ctx : C.eval_ctx) (aggregate_kind : E.aggregate_kind) (ops : E.operand list) : C.eval_ctx * V.typed_value = S.synthesize_eval_rvalue_aggregate aggregate_kind ops; (* Evaluate the operands *) let ctx, values = eval_operands config ctx ops in (* Match on the aggregate kind *) match aggregate_kind with | E.AggregatedTuple -> let tys = List.map (fun (v : V.typed_value) -> v.V.ty) values in let v = V.Adt { variant_id = None; field_values = values } in let ty = T.Adt (T.Tuple, [], tys) in (ctx, { V.value = v; ty }) | E.AggregatedAdt (def_id, opt_variant_id, regions, types) -> (* Sanity checks *) let type_def = C.ctx_lookup_type_def ctx def_id in assert (List.length type_def.region_params = List.length regions); let expected_field_types = Subst.ctx_adt_get_instantiated_field_etypes ctx def_id opt_variant_id types in assert ( expected_field_types = List.map (fun (v : V.typed_value) -> v.V.ty) values); (* Construct the value *) let av : V.adt_value = { V.variant_id = opt_variant_id; V.field_values = values } in let aty = T.Adt (T.AdtId def_id, regions, types) in (ctx, { V.value = Adt av; ty = aty }) (** Evaluate an rvalue which is not a discriminant. We define a function for this specific case, because evaluating a discriminant might lead to branching (if we evaluate the discriminant of a symbolic enumeration value), while it is not the case for the other rvalues. *) let eval_rvalue_non_discriminant (config : C.config) (ctx : C.eval_ctx) (rvalue : E.rvalue) : (C.eval_ctx * V.typed_value) eval_result = match rvalue with | E.Use op -> Ok (eval_operand config ctx op) | E.Ref (p, bkind) -> Ok (eval_rvalue_ref config ctx p bkind) | E.UnaryOp (unop, op) -> eval_unary_op config ctx unop op | E.BinaryOp (binop, op1, op2) -> eval_binary_op config ctx binop op1 op2 | E.Aggregate (aggregate_kind, ops) -> Ok (eval_rvalue_aggregate config ctx aggregate_kind ops) | E.Discriminant _ -> failwith "Unreachable" (** Evaluate an rvalue in a given context: return the updated context and the computed value. Returns a list of pairs (new context, computed rvalue) because `discriminant` might lead to a branching in case it is applied on a symbolic enumeration value. *) let eval_rvalue (config : C.config) (ctx : C.eval_ctx) (rvalue : E.rvalue) : (C.eval_ctx * V.typed_value) list eval_result = match rvalue with | E.Discriminant p -> Ok (eval_rvalue_discriminant config p ctx) | _ -> ( match eval_rvalue_non_discriminant config ctx rvalue with | Error e -> Error e | Ok res -> Ok [ res ]) (** Result of evaluating a statement *) type statement_eval_res = Unit | Break of int | Continue of int | Return (** Small utility. Prepare a place which is to be used as the destination of an assignment: update the environment along the paths, end the borrows and loans at this place, etc. Return the updated context and the (updated) value at the end of the place. This value should not contain any loan or borrow (and we check it is the case). Note that it is very likely to contain [Bottom] values. *) let prepare_lplace (config : C.config) (p : E.place) (ctx : C.eval_ctx) : C.eval_ctx * V.typed_value = (* TODO *) let access = Write in let ctx = update_ctx_along_write_place config access p ctx in (* End the borrows and loans, starting with the borrows *) let ctx = drop_borrows_loans_at_lplace config p ctx in (* Read the value and check it *) let v = read_place_unwrap config access p ctx in (* Sanity checks *) assert (not (loans_in_value v)); assert (not (borrows_in_value v)); (* Return *) (ctx, v) (** Read the value at a given place. As long as it is a loan, end the loan. This function doesn't perform a recursive exploration: it won't dive into the value to end all the inner loans (contrary to [drop_borrows_loans_at_lplace] for instance). *) let rec end_loan_exactly_at_place (config : C.config) (access : access_kind) (p : E.place) (ctx : C.eval_ctx) : C.eval_ctx = let v = read_place_unwrap config access p ctx in match v.V.value with | V.Loan (V.SharedLoan (bids, _)) -> let ctx = end_outer_borrows config bids ctx in end_loan_exactly_at_place config access p ctx | V.Loan (V.MutLoan bid) -> let ctx = end_outer_borrow config bid ctx in end_loan_exactly_at_place config access p ctx | _ -> ctx (** Updates the discriminant of a value at a given place. There are two situations: - either the discriminant is already the proper one (in which case we don't do anything) - or it is not the proper one (because the variant is not the proper one, or the value is actually [Bottom] - this happens when initializing ADT values), in which case we replace the value with a variant with all its fields set to [Bottom]. For instance, something like: `Cons Bottom Bottom`. *) let set_discriminant (config : C.config) (ctx : C.eval_ctx) (p : E.place) (variant_id : T.VariantId.id) : C.eval_ctx * statement_eval_res = (* Access the value *) let access = Write in let ctx = update_ctx_along_read_place config access p ctx in let ctx = end_loan_exactly_at_place config access p ctx in let v = read_place_unwrap config access p ctx in (* Update the value *) match (v.V.ty, v.V.value) with | T.Adt (T.AdtId def_id, regions, types), V.Adt av -> ( (* There are two situations: - either the discriminant is already the proper one (in which case we don't do anything) - or it is not the proper one, in which case we replace the value with a variant with all its fields set to [Bottom] *) match av.variant_id with | None -> failwith "Found a struct value while expected an enum" | Some variant_id' -> if variant_id' = variant_id then (* Nothing to do *) (ctx, Unit) else (* Replace the value *) let bottom_v = compute_expanded_bottom_adt_value ctx.type_context.type_defs def_id (Some variant_id) regions types in let ctx = write_place_unwrap config access p bottom_v ctx in (ctx, Unit)) | T.Adt (T.AdtId def_id, regions, types), V.Bottom -> let bottom_v = compute_expanded_bottom_adt_value ctx.type_context.type_defs def_id (Some variant_id) regions types in let ctx = write_place_unwrap config access p bottom_v ctx in (ctx, Unit) | _, V.Symbolic _ -> assert (config.mode = SymbolicMode); (* This is a bit annoying: in theory we should expand the symbolic value * then set the discriminant, because in the case the discriminant is * exactly the one we set, the fields are left untouched, and in the * other cases they are set to Bottom. * For now, we forbid setting the discriminant of a symbolic value: * setting a discriminant should only be used to initialize a value, * really. *) failwith "Unexpected value" | _, (V.Adt _ | V.Bottom) -> failwith "Inconsistent state" | _, (V.Concrete _ | V.Borrow _ | V.Loan _) -> failwith "Unexpected value" (** Push a frame delimiter in the context's environment *) let ctx_push_frame (ctx : C.eval_ctx) : C.eval_ctx = { ctx with env = Frame :: ctx.env } (** Drop a value at a given place *) let drop_value (config : C.config) (ctx : C.eval_ctx) (p : E.place) : C.eval_ctx = L.log#ldebug (lazy ("drop_value: place: " ^ place_to_string ctx p)); (* Prepare the place (by ending the loans, then the borrows) *) let ctx, v = prepare_lplace config p ctx in (* Replace the value with [Bottom] *) let nv = { v with value = V.Bottom } in let ctx = write_place_unwrap config Write p nv ctx in ctx (** Small helper: compute the type of the return value for a specific instantiation of a non-local function. *) let get_non_local_function_return_type (fid : A.assumed_fun_id) (region_params : T.erased_region list) (type_params : T.ety list) : T.ety = match (fid, region_params, type_params) with | A.BoxNew, [], [ bty ] -> T.Adt (T.Assumed T.Box, [], [ bty ]) | A.BoxDeref, [], [ bty ] -> T.Ref (T.Erased, bty, T.Shared) | A.BoxDerefMut, [], [ bty ] -> T.Ref (T.Erased, bty, T.Mut) | A.BoxFree, [], [ _ ] -> mk_unit_ty | _ -> failwith "Inconsistent state" (** Pop the current frame. Drop all the local variables but the return variable, move the return value out of the return variable, remove all the local variables (but not the abstractions!) from the context, remove the [Frame] indicator delimiting the current frame and return the return value and the updated context. *) let ctx_pop_frame (config : C.config) (ctx : C.eval_ctx) : C.eval_ctx * V.typed_value = (* Debug *) L.log#ldebug (lazy ("ctx_pop_frame:\n" ^ eval_ctx_to_string ctx)); (* Eval *) let ret_vid = V.VarId.zero in (* List the local variables, but the return variable *) let rec list_locals env = match env with | [] -> failwith "Inconsistent environment" | C.Abs _ :: env -> list_locals env | C.Var (var, _) :: env -> let locals = list_locals env in if var.index <> ret_vid then var.index :: locals else locals | C.Frame :: _ -> [] in let locals = list_locals ctx.env in (* Debug *) L.log#ldebug (lazy ("ctx_pop_frame: locals to drop: [" ^ String.concat "," (List.map V.VarId.to_string locals) ^ "]")); (* Drop the local variables *) let ctx = List.fold_left (fun ctx lid -> drop_value config ctx (mk_place_from_var_id lid)) ctx locals in (* Debug *) L.log#ldebug (lazy ("ctx_pop_frame: after dropping local variables:\n" ^ eval_ctx_to_string ctx)); (* Move the return value out of the return variable *) let ctx, ret_value = eval_operand config ctx (E.Move (mk_place_from_var_id ret_vid)) in (* Pop the frame *) let rec pop env = match env with | [] -> failwith "Inconsistent environment" | C.Abs abs :: env -> C.Abs abs :: pop env | C.Var (_, _) :: env -> pop env | C.Frame :: env -> env in let env = pop ctx.env in let ctx = { ctx with env } in (ctx, ret_value) (** Assign a value to a given place *) let assign_to_place (config : C.config) (ctx : C.eval_ctx) (v : V.typed_value) (p : E.place) : C.eval_ctx = (* Prepare the destination *) let ctx, _ = prepare_lplace config p ctx in (* Update the destination *) let ctx = write_place_unwrap config Write p v ctx in ctx (** Auxiliary function - see [eval_non_local_function_call] *) let eval_box_new_concrete (config : C.config) (region_params : T.erased_region list) (type_params : T.ety list) (ctx : C.eval_ctx) : C.eval_ctx eval_result = (* Check and retrieve the arguments *) match (region_params, type_params, ctx.env) with | ( [], [ boxed_ty ], Var (input_var, input_value) :: Var (_ret_var, _) :: C.Frame :: _ ) -> (* Required type checking *) assert (input_value.V.ty = boxed_ty); (* Move the input value *) let ctx, moved_input_value = eval_operand config ctx (E.Move (mk_place_from_var_id input_var.C.index)) in (* Create the box value *) let box_ty = T.Adt (T.Assumed T.Box, [], [ boxed_ty ]) in let box_v = V.Adt { variant_id = None; field_values = [ moved_input_value ] } in let box_v = mk_typed_value box_ty box_v in (* Move this value to the return variable *) let dest = mk_place_from_var_id V.VarId.zero in let ctx = assign_to_place config ctx box_v dest in (* Return *) Ok ctx | _ -> failwith "Inconsistent state" (** Auxiliary function which factorizes code to evaluate `std::Deref::deref` and `std::DerefMut::deref_mut` - see [eval_non_local_function_call] *) let eval_box_deref_mut_or_shared_concrete (config : C.config) (region_params : T.erased_region list) (type_params : T.ety list) (is_mut : bool) (ctx : C.eval_ctx) : C.eval_ctx eval_result = (* Check the arguments *) match (region_params, type_params, ctx.env) with | ( [], [ boxed_ty ], Var (input_var, input_value) :: Var (_ret_var, _) :: C.Frame :: _ ) -> ( (* Required type checking. We must have: - input_value.ty == & (mut) Box - boxed_ty == ty for some ty *) (let _, input_ty, ref_kind = ty_get_ref input_value.V.ty in assert (match ref_kind with T.Shared -> not is_mut | T.Mut -> is_mut); let input_ty = ty_get_box input_ty in assert (input_ty = boxed_ty)); (* Borrow the boxed value *) let p = { E.var_id = input_var.C.index; projection = [ E.Deref; E.DerefBox ] } in let borrow_kind = if is_mut then E.Mut else E.Shared in let rv = E.Ref (p, borrow_kind) in (* Note that the rvalue can't be a discriminant value *) match eval_rvalue_non_discriminant config ctx rv with | Error err -> Error err | Ok (ctx, borrowed_value) -> (* Move the borrowed value to its destination *) let destp = mk_place_from_var_id V.VarId.zero in let ctx = assign_to_place config ctx borrowed_value destp in Ok ctx) | _ -> failwith "Inconsistent state" (** Auxiliary function - see [eval_non_local_function_call] *) let eval_box_deref_concrete (config : C.config) (region_params : T.erased_region list) (type_params : T.ety list) (ctx : C.eval_ctx) : C.eval_ctx eval_result = let is_mut = false in eval_box_deref_mut_or_shared_concrete config region_params type_params is_mut ctx (** Auxiliary function - see [eval_non_local_function_call] *) let eval_box_deref_mut_concrete (config : C.config) (region_params : T.erased_region list) (type_params : T.ety list) (ctx : C.eval_ctx) : C.eval_ctx eval_result = let is_mut = true in eval_box_deref_mut_or_shared_concrete config region_params type_params is_mut ctx (** Auxiliary function - see [eval_non_local_function_call]. `Box::free` is not handled the same way as the other assumed functions: - in the regular case, whenever we need to evaluate an assumed function, we evaluate the operands, push a frame, call a dedicated function to correctly update the variables in the frame (and mimic the execution of a body) and finally pop the frame - in the case of `Box::free`: the value given to this function is often of the form `Box(⊥)` because we can move the value out of the box before freeing the box. It makes it invalid to see box_free as a "regular" function: it is not valid to call a function with arguments which contain `⊥`. For this reason, we execute `Box::free` as drop_value, but this is a bit annoying with regards to the semantics... Followingly this function doesn't behave like the others: it does not expect a stack frame to have been pushed, but rather simply behaves like [drop_value]. It thus updates the box value (by calling [drop_value]) and updates the destination (by setting it to `()`). *) let eval_box_free (config : C.config) (region_params : T.erased_region list) (type_params : T.ety list) (args : E.operand list) (dest : E.place) (ctx : C.eval_ctx) : C.eval_ctx = match (region_params, type_params, args) with | [], [ boxed_ty ], [ E.Move input_box_place ] -> (* Required type checking *) let input_box = read_place_unwrap config Write input_box_place ctx in (let input_ty = ty_get_box input_box.V.ty in assert (input_ty = boxed_ty)); (* Drop the value *) let ctx = drop_value config ctx input_box_place in (* Update the destination by setting it to `()` *) let ctx = assign_to_place config ctx mk_unit_value dest in (* Return *) ctx | _ -> failwith "Inconsistent state" (** Auxiliary function - see [eval_non_local_function_call] *) let eval_box_new_inst_sig (region_params : T.erased_region list) (type_params : T.ety list) : A.inst_fun_sig = (* The signature is: `T -> Box` where T is the type pram *) match (region_params, type_params) with | [], [ ty_param ] -> let input = ety_no_regions_to_rty ty_param in let output = mk_box_ty ty_param in let output = ety_no_regions_to_rty output in { A.regions_hierarchy = []; inputs = [ input ]; output } | _ -> failwith "Inconsistent state" (** Auxiliary function which factorizes code to evaluate `std::Deref::deref` and `std::DerefMut::deref_mut` - see [eval_non_local_function_call] *) let eval_box_deref_mut_or_shared_inst_sig (region_params : T.erased_region list) (type_params : T.ety list) (is_mut : bool) (ctx : C.eval_ctx) : C.eval_ctx * A.inst_fun_sig = (* The signature is: `&'a (mut) Box -> &'a (mut) T` where T is the type param *) let ctx, rid = C.fresh_region_id ctx in let r = T.Var rid in let ctx, abs_id = C.fresh_abstraction_id ctx in match (region_params, type_params) with | [], [ ty_param ] -> let ty_param = ety_no_regions_to_rty ty_param in let ref_kind = if is_mut then T.Mut else T.Shared in let input = mk_box_ty ty_param in let input = mk_ref_ty r input ref_kind in let output = mk_ref_ty r ty_param ref_kind in let regions = { A.id = abs_id; regions = [ rid ]; parents = [] } in let inst_sg = { A.regions_hierarchy = [ regions ]; inputs = [ input ]; output } in (ctx, inst_sg) | _ -> failwith "Inconsistent state" (** Auxiliary function - see [eval_non_local_function_call] *) let eval_box_deref_inst_sig (region_params : T.erased_region list) (type_params : T.ety list) (ctx : C.eval_ctx) : C.eval_ctx * A.inst_fun_sig = let is_mut = false in eval_box_deref_mut_or_shared_inst_sig region_params type_params is_mut ctx (** Auxiliary function - see [eval_non_local_function_call] *) let eval_box_deref_mut_inst_sig (region_params : T.erased_region list) (type_params : T.ety list) (ctx : C.eval_ctx) : C.eval_ctx * A.inst_fun_sig = let is_mut = true in eval_box_deref_mut_or_shared_inst_sig region_params type_params is_mut ctx (** Evaluate a non-local function call in concrete mode *) let eval_non_local_function_call_concrete (config : C.config) (ctx : C.eval_ctx) (fid : A.assumed_fun_id) (region_params : T.erased_region list) (type_params : T.ety list) (args : E.operand list) (dest : E.place) : C.eval_ctx eval_result = (* There are two cases (and this is extremely annoying): - the function is not box_free - the function is box_free See [eval_box_free] *) match fid with | A.BoxFree -> (* Degenerate case: box_free *) Ok (eval_box_free config region_params type_params args dest ctx) | _ -> ( (* "Normal" case: not box_free *) (* Evaluate the operands *) let ctx, args_vl = eval_operands config ctx args in (* Push the stack frame: we initialize the frame with the return variable, and one variable per input argument *) let ctx = ctx_push_frame ctx in (* Create and push the return variable *) let ret_vid = V.VarId.zero in let ret_ty = get_non_local_function_return_type fid region_params type_params in let ret_var = mk_var ret_vid (Some "@return") ret_ty in let ctx = C.ctx_push_uninitialized_var ctx ret_var in (* Create and push the input variables *) let input_vars = V.VarId.mapi_from1 (fun id (v : V.typed_value) -> (mk_var id None v.V.ty, v)) args_vl in let ctx = C.ctx_push_vars ctx input_vars in (* "Execute" the function body. As the functions are assumed, here we call custom functions to perform the proper manipulations: we don't have access to a body. *) let res = match fid with | A.BoxNew -> eval_box_new_concrete config region_params type_params ctx | A.BoxDeref -> eval_box_deref_concrete config region_params type_params ctx | A.BoxDerefMut -> eval_box_deref_mut_concrete config region_params type_params ctx | A.BoxFree -> failwith "Unreachable" (* should have been treated above *) in (* Check if the function body evaluated correctly *) match res with | Error err -> Error err | Ok ctx -> (* Pop the stack frame and retrieve the return value *) let ctx, ret_value = ctx_pop_frame config ctx in (* Move the return value to its destination *) let ctx = assign_to_place config ctx ret_value dest in (* Return *) Ok ctx) (** Evaluate a statement *) let rec eval_statement (config : C.config) (ctx : C.eval_ctx) (st : A.statement) : (C.eval_ctx * statement_eval_res) eval_result list = (* Debugging *) L.log#ldebug (lazy ("\n" ^ eval_ctx_to_string ctx ^ "\nAbout to evaluate statement: " ^ statement_to_string ctx st ^ "\n")); (* Sanity check *) if config.C.check_invariants then Inv.check_invariants ctx; (* Evaluate *) match st with | A.Assign (p, rvalue) -> ( (* Evaluate the rvalue *) match eval_rvalue config ctx rvalue with | Error err -> [ Error err ] | Ok res -> (* Assign *) let assign (ctx, rvalue) = let ctx = assign_to_place config ctx rvalue p in Ok (ctx, Unit) in List.map assign res) | A.FakeRead p -> let ctx, _ = prepare_rplace config Read p ctx in [ Ok (ctx, Unit) ] | A.SetDiscriminant (p, variant_id) -> [ Ok (set_discriminant config ctx p variant_id) ] | A.Drop p -> [ Ok (drop_value config ctx p, Unit) ] | A.Assert assertion -> ( let ctx, v = eval_operand config ctx assertion.cond in assert (v.ty = T.Bool); match v.value with | Concrete (Bool b) -> if b = assertion.expected then [ Ok (ctx, Unit) ] else [ Error Panic ] | _ -> failwith "Expected a boolean") | A.Call call -> eval_function_call config ctx call | A.Panic -> [ Error Panic ] | A.Return -> [ Ok (ctx, Return) ] | A.Break i -> [ Ok (ctx, Break i) ] | A.Continue i -> [ Ok (ctx, Continue i) ] | A.Nop -> [ Ok (ctx, Unit) ] | A.Sequence (st1, st2) -> (* Evaluate the first statement *) let res1 = eval_statement config ctx st1 in (* Evaluate the sequence *) let eval_seq res1 = match res1 with | Error err -> [ Error err ] | Ok (ctx, Unit) -> (* Evaluate the second statement *) eval_statement config ctx st2 (* Control-flow break: transmit. We enumerate the cases on purpose *) | Ok (ctx, Break i) -> [ Ok (ctx, Break i) ] | Ok (ctx, Continue i) -> [ Ok (ctx, Continue i) ] | Ok (ctx, Return) -> [ Ok (ctx, Return) ] in List.concat (List.map eval_seq res1) | A.Loop loop_body -> (* For now, we don't support loops in symbolic mode *) assert (config.C.mode = C.ConcreteMode); (* Evaluate a loop body We need a specific function for the [Continue] case: in case we continue, we might have to reevaluate the current loop body with the new context (and repeat this an indefinite number of times). *) let rec eval_loop_body (ctx : C.eval_ctx) : (C.eval_ctx * statement_eval_res) eval_result list = (* Evaluate the loop body *) let body_res = eval_statement config ctx loop_body in (* Evaluate the next steps *) let eval res = match res with | Error err -> [ Error err ] | Ok (ctx, Unit) -> (* We finished evaluating the statement in a "normal" manner *) [ Ok (ctx, Unit) ] (* Control-flow breaks *) | Ok (ctx, Break i) -> (* Decrease the break index *) if i = 0 then [ Ok (ctx, Unit) ] else [ Ok (ctx, Break (i - 1)) ] | Ok (ctx, Continue i) -> (* Decrease the continue index *) if i = 0 then (* We stop there. When we continue, we go back to the beginning of the loop: we must thus reevaluate the loop body (and recheck the result to know whether we must reevaluate again, etc. *) eval_loop_body ctx else (* We don't stop there: transmit *) [ Ok (ctx, Continue (i - 1)) ] | Ok (ctx, Return) -> [ Ok (ctx, Return) ] in List.concat (List.map eval body_res) in (* Apply *) eval_loop_body ctx | A.Switch (op, tgts) -> eval_switch config op tgts ctx (** Evaluate a switch *) and eval_switch (config : C.config) (op : E.operand) (tgts : A.switch_targets) (ctx : C.eval_ctx) : (C.eval_ctx * statement_eval_res) eval_result list = (* We evaluate the operand in two steps: * first we prepare it, then we check if its value is concrete or * symbolic. If it is concrete, we can then evaluate the operand * directly, otherwise we must first expand the value. * Note that we can't fully evaluate the operand *then* expand the * value if it is symbolic, because the value may have been move * (and would thus floating in thin air...)! * *) (* Prepare the operand *) let ctx, op_v = eval_operand_prepare config ctx op in (* Match on the targets *) match tgts with | A.If (st1, st2) -> ( match op_v.value with | V.Concrete (V.Bool b) -> (* Evaluate the operand *) let ctx, op_v' = eval_operand config ctx op in assert (op_v' = op_v); (* Branch *) if b then eval_statement config ctx st1 else eval_statement config ctx st2 | V.Symbolic sv -> (* Synthesis *) S.synthesize_symbolic_expansion_if_branching sv.V.svalue; (* Expand the symbolic value to true or false *) let see_true = SeConcrete (V.Bool true) in let see_false = SeConcrete (V.Bool false) in let expand_and_execute see st = (* Apply the symbolic expansion *) let ctx = apply_symbolic_expansion_non_borrow config sv.V.svalue see ctx in (* Evaluate the operand *) let ctx, _ = eval_operand config ctx op in (* Evaluate the branch *) eval_statement config ctx st in (* Execute the two branches *) List.append (expand_and_execute see_true st1) (expand_and_execute see_false st2) | _ -> failwith "Inconsistent state") | A.SwitchInt (int_ty, tgts, otherwise) -> ( match op_v.value with | V.Concrete (V.Scalar sv) -> ( (* Evaluate the operand *) let ctx, op_v' = eval_operand config ctx op in assert (op_v' = op_v); (* Sanity check *) assert (sv.V.int_ty = int_ty); (* Find the branch *) match List.find_opt (fun (sv', _) -> sv = sv') tgts with | None -> eval_statement config ctx otherwise | Some (_, tgt) -> eval_statement config ctx tgt) | V.Symbolic sv -> (* Synthesis *) S.synthesize_symbolic_expansion_switch_int_branching sv.V.svalue; (* For all the branches of the switch, we expand the symbolic value * to the value given by the branch and execute the branch statement. * For the otherwise branch, we leave the symbolic value as it is * (because this branch doesn't precisely define which should be the * value of the scrutinee...) and simply execute the otherwise statement. *) (* Branches other than "otherwise" *) let exec_branch (switch_value, branch_st) = let see = SeConcrete (V.Scalar switch_value) in (* Apply the symbolic expansion *) let ctx = apply_symbolic_expansion_non_borrow config sv.V.svalue see ctx in (* Evaluate the operand *) let ctx, _ = eval_operand config ctx op in (* Evaluate the branch *) eval_statement config ctx branch_st in let ctxl = List.map exec_branch tgts in (* Otherwise branch *) let ctx_otherwise = eval_statement config ctx otherwise in (* Put everything together *) List.append (List.concat ctxl) ctx_otherwise | _ -> failwith "Inconsistent state") (** Evaluate a function call (auxiliary helper for [eval_statement]) *) and eval_function_call (config : C.config) (ctx : C.eval_ctx) (call : A.call) : (C.eval_ctx * statement_eval_res) eval_result list = (* There are two cases * - this is a local function, in which case we execute its body - this is a non-local function, in which case there is a special treatment *) let res = match call.func with | A.Local fid -> eval_local_function_call config ctx fid call.region_params call.type_params call.args call.dest | A.Assumed fid -> [ eval_non_local_function_call config ctx fid call.region_params call.type_params call.args call.dest; ] in List.map (fun res -> match res with Error err -> Error err | Ok ctx -> Ok (ctx, Unit)) res (** Evaluate a local (i.e., non-assumed) function call in concrete mode *) and eval_local_function_call_concrete (config : C.config) (ctx : C.eval_ctx) (fid : A.FunDefId.id) (_region_params : T.erased_region list) (type_params : T.ety list) (args : E.operand list) (dest : E.place) : C.eval_ctx eval_result list = (* Retrieve the (correctly instantiated) body *) let def = C.ctx_lookup_fun_def ctx fid in let tsubst = Subst.make_type_subst (List.map (fun v -> v.T.index) def.A.signature.type_params) type_params in let locals, body = Subst.fun_def_substitute_in_body tsubst def in (* Evaluate the input operands *) let ctx, args = eval_operands config ctx args in assert (List.length args = def.A.arg_count); (* Push a frame delimiter *) let ctx = ctx_push_frame ctx in (* Compute the initial values for the local variables *) (* 1. Push the return value *) let ret_var, locals = match locals with | ret_ty :: locals -> (ret_ty, locals) | _ -> failwith "Unreachable" in let ctx = C.ctx_push_var ctx ret_var (C.mk_bottom ret_var.var_ty) in (* 2. Push the input values *) let input_locals, locals = Utilities.list_split_at locals def.A.arg_count in let inputs = List.combine input_locals args in (* Note that this function checks that the variables and their values have the same type (this is important) *) let ctx = C.ctx_push_vars ctx inputs in (* 3. Push the remaining local variables (initialized as [Bottom]) *) let ctx = C.ctx_push_uninitialized_vars ctx locals in (* Execute the function body *) let res = eval_function_body config ctx body in (* Pop the stack frame and move the return value to its destination *) let finish res = match res with | Error Panic -> Error Panic | Ok ctx -> (* Pop the stack frame and retrieve the return value *) let ctx, ret_value = ctx_pop_frame config ctx in (* Move the return value to its destination *) let ctx = assign_to_place config ctx ret_value dest in (* Return *) Ok ctx in List.map finish res (** Evaluate a local (i.e., non-assumed) function call in symbolic mode *) and eval_local_function_call_symbolic (config : C.config) (ctx : C.eval_ctx) (fid : A.FunDefId.id) (region_params : T.erased_region list) (type_params : T.ety list) (args : E.operand list) (dest : E.place) : C.eval_ctx = (* Retrieve the (correctly instantiated) signature *) let def = C.ctx_lookup_fun_def ctx fid in let sg = def.A.signature in (* Generate fresh abstraction ids and create a substitution from region * group ids to abstraction ids *) let ctx, rg_abs_ids_bindings = List.fold_left_map (fun ctx rg -> let ctx, abs_id = C.fresh_abstraction_id ctx in (ctx, (rg.A.id, abs_id))) ctx sg.regions_hierarchy in let asubst_map : V.AbstractionId.id A.RegionGroupId.Map.t = List.fold_left (fun mp (rg_id, abs_id) -> A.RegionGroupId.Map.add rg_id abs_id mp) A.RegionGroupId.Map.empty rg_abs_ids_bindings in let asubst (rg_id : A.RegionGroupId.id) : V.AbstractionId.id = A.RegionGroupId.Map.find rg_id asubst_map in (* Generate fresh regions and their substitutions *) let ctx, _, rsubst, _ = Subst.fresh_regions_with_substs sg.region_params ctx in (* Generate the type substitution * Note that we need the substitution to map the type variables to * [rty] types (not [ety]). In order to do that, we convert the * type parameters to types with regions. This is possible only * if those types don't contain any regions. * This is a current limitation of the analysis: there is still some * work to do to properly handle full type parametrization. * *) let rtype_params = List.map ety_no_regions_to_rty type_params in let tsubst = Subst.make_type_subst (List.map (fun v -> v.T.index) sg.type_params) rtype_params in (* Substitute the signature *) let inst_sg = Subst.substitute_signature asubst rsubst tsubst sg in (* Sanity check *) assert (List.length args = def.A.arg_count); (* Evaluate the function call *) eval_function_call_symbolic_from_inst_sig config ctx (A.Local fid) inst_sg region_params type_params args dest (** Evaluate a function call in symbolic mode by using the function signature. This allows us to factorize the evaluation of local and non-local function calls in symbolic mode: only their signatures matter. *) and eval_function_call_symbolic_from_inst_sig (config : C.config) (ctx : C.eval_ctx) (fid : A.fun_id) (inst_sg : A.inst_fun_sig) (region_params : T.erased_region list) (type_params : T.ety list) (args : E.operand list) (dest : E.place) : C.eval_ctx = (* Generate a fresh symbolic value for the return value *) let ret_sv_ty = inst_sg.A.output in let ctx, ret_spc = mk_fresh_symbolic_proj_comp T.RegionId.Set.empty ret_sv_ty ctx in let ret_value = mk_typed_value_from_proj_comp ret_spc in let ret_av = V.ASymbolic (V.AProjLoans ret_spc.V.svalue) in let ret_av : V.typed_avalue = { V.value = ret_av; V.ty = ret_spc.V.svalue.V.sv_ty } in (* Evaluate the input operands *) let ctx, args = eval_operands config ctx args in let args_with_rtypes = List.combine args inst_sg.A.inputs in (* Check the type of the input arguments *) assert ( List.for_all (fun ((arg, rty) : V.typed_value * T.rty) -> arg.V.ty = Subst.erase_regions rty) args_with_rtypes); (* Generate the abstractions from the region groups and add them to the context *) let gen_abs (ctx : C.eval_ctx) (rg : A.abs_region_group) : C.eval_ctx = let abs_id = rg.A.id in let parents = List.fold_left (fun s pid -> V.AbstractionId.Set.add pid s) V.AbstractionId.Set.empty rg.A.parents in let regions = List.fold_left (fun s rid -> T.RegionId.Set.add rid s) T.RegionId.Set.empty rg.A.regions in (* Project over the input values *) let ctx, args_projs = List.fold_left_map (fun ctx (arg, arg_rty) -> apply_proj_borrows_on_input_value config ctx regions arg arg_rty) ctx args_with_rtypes in (* Group the input and output values *) let avalues = List.append args_projs [ ret_av ] in (* Create the abstraction *) let abs = { V.abs_id; parents; regions; avalues } in (* Insert the abstraction in the context *) let ctx = { ctx with env = Abs abs :: ctx.env } in (* Return *) ctx in let ctx = List.fold_left gen_abs ctx inst_sg.A.regions_hierarchy in (* Move the return value to its destination *) let ctx = assign_to_place config ctx ret_value dest in (* Synthesis *) S.synthesize_function_call fid region_params type_params args dest ret_spc.V.svalue; (* Return *) ctx (** Evaluate a non-local function call in symbolic mode *) and eval_non_local_function_call_symbolic (config : C.config) (ctx : C.eval_ctx) (fid : A.assumed_fun_id) (region_params : T.erased_region list) (type_params : T.ety list) (args : E.operand list) (dest : E.place) : C.eval_ctx = (* Sanity check: make sure the type parameters don't contain regions - * this is a current limitation of our synthesis *) assert (List.for_all (fun ty -> not (ty_has_regions ty)) type_params); (* There are two cases (and this is extremely annoying): - the function is not box_free - the function is box_free See [eval_box_free] *) match fid with | A.BoxFree -> (* Degenerate case: box_free - note that this is not really a function * call: no need to call a "synthesize_..." function *) eval_box_free config region_params type_params args dest ctx | _ -> (* "Normal" case: not box_free *) (* In symbolic mode, the behaviour of a function call is completely defined * by the signature of the function: we thus simply generate correctly * instantiated signatures, and delegate the work to an auxiliary function *) let ctx, inst_sig = match fid with | A.BoxNew -> (ctx, eval_box_new_inst_sig region_params type_params) | A.BoxDeref -> eval_box_deref_inst_sig region_params type_params ctx | A.BoxDerefMut -> eval_box_deref_mut_inst_sig region_params type_params ctx | A.BoxFree -> failwith "Unreachable" (* should have been treated above *) in (* Evaluate the function call *) eval_function_call_symbolic_from_inst_sig config ctx (A.Assumed fid) inst_sig region_params type_params args dest (** Evaluate a non-local (i.e, assumed) function call such as `Box::deref` (auxiliary helper for [eval_statement]) *) and eval_non_local_function_call (config : C.config) (ctx : C.eval_ctx) (fid : A.assumed_fun_id) (region_params : T.erased_region list) (type_params : T.ety list) (args : E.operand list) (dest : E.place) : C.eval_ctx eval_result = (* Debug *) L.log#ldebug (lazy (let type_params = "[" ^ String.concat ", " (List.map (ety_to_string ctx) type_params) ^ "]" in let args = "[" ^ String.concat ", " (List.map (operand_to_string ctx) args) ^ "]" in let dest = place_to_string ctx dest in "eval_non_local_function_call:\n- fid:" ^ A.show_assumed_fun_id fid ^ "\n- type_params: " ^ type_params ^ "\n- args: " ^ args ^ "\n- dest: " ^ dest)); match config.mode with | C.ConcreteMode -> eval_non_local_function_call_concrete config ctx fid region_params type_params args dest | C.SymbolicMode -> Ok (eval_non_local_function_call_symbolic config ctx fid region_params type_params args dest) (** Evaluate a local (i.e, not assumed) function call (auxiliary helper for [eval_statement]) *) and eval_local_function_call (config : C.config) (ctx : C.eval_ctx) (fid : A.FunDefId.id) (region_params : T.erased_region list) (type_params : T.ety list) (args : E.operand list) (dest : E.place) : C.eval_ctx eval_result list = match config.mode with | ConcreteMode -> eval_local_function_call_concrete config ctx fid region_params type_params args dest | SymbolicMode -> [ Ok (eval_local_function_call_symbolic config ctx fid region_params type_params args dest); ] (** Evaluate a statement seen as a function body (auxiliary helper for [eval_statement]) *) and eval_function_body (config : C.config) (ctx : C.eval_ctx) (body : A.statement) : (C.eval_ctx, eval_error) result list = let res = eval_statement config ctx body in let finish res = match res with | Error err -> Error err | Ok (ctx, res) -> ( (* Sanity check *) if config.C.check_invariants then Inv.check_invariants ctx; match res with | Unit | Break _ | Continue _ -> failwith "Inconsistent state" | Return -> Ok ctx) in List.map finish res module Test = struct (** Test a unit function (taking no arguments) by evaluating it in an empty environment *) let test_unit_function (type_context : C.type_context) (fun_defs : A.fun_def list) (fid : A.FunDefId.id) : unit eval_result = (* Retrieve the function declaration *) let fdef = A.FunDefId.nth fun_defs fid in (* Debug *) L.log#ldebug (lazy ("test_unit_function: " ^ Print.Types.name_to_string fdef.A.name)); (* Sanity check - *) assert (List.length fdef.A.signature.region_params = 0); assert (List.length fdef.A.signature.type_params = 0); assert (fdef.A.arg_count = 0); (* Create the evaluation context *) let ctx = { C.type_context; C.fun_context = fun_defs; C.type_vars = []; C.env = []; C.symbolic_counter = V.SymbolicValueId.generator_zero; C.borrow_counter = V.BorrowId.generator_zero; C.region_counter = T.RegionId.generator_zero; C.abstraction_counter = V.AbstractionId.generator_zero; } in (* Put the (uninitialized) local variables *) let ctx = C.ctx_push_uninitialized_vars ctx fdef.A.locals in (* Evaluate the function *) let config = { C.mode = C.ConcreteMode; C.check_invariants = true } in match eval_function_body config ctx fdef.A.body with | [ Ok _ ] -> Ok () | [ Error err ] -> Error err | _ -> (* We execute the concrete interpreter: there shouldn't be any branching *) failwith "Unreachable" (** Small helper: return true if the function is a unit function (no parameters, no arguments) - TODO: move *) let fun_def_is_unit (def : A.fun_def) : bool = def.A.arg_count = 0 && List.length def.A.signature.region_params = 0 && List.length def.A.signature.type_params = 0 && List.length def.A.signature.inputs = 0 (** Test all the unit functions in a list of function definitions *) let test_all_unit_functions (type_defs : T.type_def list) (fun_defs : A.fun_def list) : unit = let test_fun (def : A.fun_def) : unit = if fun_def_is_unit def then let type_ctx = { C.type_defs } in match test_unit_function type_ctx fun_defs def.A.def_id with | Error _ -> failwith "Unit test failed" | Ok _ -> () else () in List.iter test_fun fun_defs end