will likely need to consult what p is equal to, to find some meaningful type, and it could easily take much more work than this to produce reliably readable results
** do not hardcode target-specific types and layout
- add a target module
- construct an instance in frontend as first step
- use it during translation
- return it as part of program
- pass it from Control to Domain, etc.
** function types could include the types of throw continuation args
separation between xlate_intrinsic (which translates an intrinsic function name to an expression constructor) and the Call case of xlate_instr (which translates calls to intrinsic functions to instructions) is not clear
** extract struct field names from llvm debug info
** normalize cfg
- remove unreachable blocks
- combine blocks with cmnd= []; term= Unreachable into one
- nothing prevents the compiler from generating code that directly manipulates the target-specific va_list struct, and it appears to do so at least for amd64, so the only safe approach is to use the same representation:
- add a local variable 'top' to each function with a non-entry alloca; that points to a pointer that always points to the head of the stack; initially NULL
- alloca in non-entry blocks adds an element and stores the result of alloc in it, sets next to contents of 'top', and stores result into 'top'
- function return (and other popping terminators) traverses the stack, popping elements, calling free on the slot pointers, until finding NULL in next
- one solution: pre-process llvm to remove [optnone] attributes before running scalarizer pass
** ? remove Exp.Nondet, replace with free variables
it is not obvious whether it will be simpler to use free variables instead of Nondet in the frontend, or to treat Nondet as a single-occurrence existential variable in the analyzer
- `opt -S -ipsccp llvm/Transforms/SimplifyCFG/indirectbr.ll` crashes, which makes sledge crash in the same way because it calls `Llvm_ipo.add_ipsccp`
- Calling `size_in_bits` on `%struct.__sFILE = type { %struct.__sFILE }` from llvm/Verifier/recursive-struct-param.ll crashes even though `type_is_sized` holds
** rename 'simplification' to 'normalization' and 'simp' to 'norm' for consistency with Equality
** should Add and Mul have an Ap form like ApN
with a corresponding norm function to use in the exposed interface and e.g. map?
** refactor Term so that the representation type is private
for all of the module except for the normalization functions, to ensure with the type system that everything passed out of the external interface has been checked to satisfy the invariant
** try only after getting rid of redundant type definitions due to Base containers
** should handle equality and disequality simplification
- equalities of equalities to integers currently handled by Sh.pure
- doing it in Exp leads to violations of the subexp assertion on app1
** optimize: change Cls.t and Use.t from a list to an unbalanced tree data structure
- only need empty, add, union, map, fold, fold_map to be fast, so no need for balancing
- detecting duplicates probably not worth the time since if any occur, the only cost is adding a redundant equation to pnd which will be quickly processed
** optimize: when called from extend, norm_extend calls norm unnecessarily
** revise mli to two sections, one for a "relation" api (with merge, mem/check, etc) and one for a "formula" api (with and_, or_, etc.)
- add operation to normalize by rewriting in terms of reps
- check for unsat
- call it in Exec.assume
** eliminate existentials
by changing Congruence reps to avoid existentials if possible and then normalizing Sh ito reps
** add exps in pure and pto (including memory siz and arr) to carrier
** optimize Sh.and_ with direct implementation
** perhaps it would be better to allow us and xs to intersect
but to rename xs when binding them or otherwise operating under the quantifier. But it might be an unnecessary complication to always have to deal with the potential for shadowing.
** consider how to detect unsat formulas
in relation to also wanting to express formulas in terms of congruence
class representatives in order to perform quantifier elimination. Is
there a way to detect unsat at the same time / as part of the same
normalization?
** consider hoisting existentials over disjunction:
#+BEGIN_SRC ocaml
| _ ->
let us = Set.union q1.us q2.us in
let xs1, xs, xs2 = Set.diff_inter_diff q1.xs q2.xs in
let us1 = Set.union q1.us xs in
let us2 = Set.union q2.us xs in
{ us
; xs
; cong= Congruence.true_
; pure= []
; heap= []
; djns= [[{q1 with us= us1; xs= xs1}; {q2 with us= us2; xs= xs2}]] }
| _ ->
let xs1, vs1 = Set.inter_diff q1.xs q2.us in
let xs2, vs2 = Set.inter_diff q2.xs q1.us in
let us1 = Set.union q1.us vs1 in
let us2 = Set.union q2.us vs2 in
let us = Set.union q1.us q2.us in
let xs = Set.union vs1 vs2 in
{ us
; xs
; cong= Congruence.true_
; pure= []
; heap= []
; djns= [[{q1 with us= us1; xs= xs1}; {q2 with us= us2; xs= xs2}]] }
#+END_SRC
** consider how to arrange to have a complete set of variables
at the top of formulas so that freshening wrt them is guaranteed not to clash with subformulas. This would allow removing the call to freshen_xs in rename, which is called on every subformula for every freshen/rename operation. Is it complicated to make us always include xs, as well as the us of the subformulas? That would allow the top-level us to serve as such a complete set of vars. How often would we need to compute us - xs?
** think about how to avoid having to manipulate disjunct formulas
unnecessarily, e.g. freshening, etc.
** ? should star strengthen djns with stem's cong
** optimize: refactor Sh.pure to avoid `Congruence.(and_eq true_ ...)`
** consider strengthening cong of or_ at price of freshening existentials
** consider using the append case when freshening existentials is needed
** strengthen Sh.pure_approx
* solver
** solve more existential equations in excise_exp
If sub.pure contains an equation involving an existential, add equation to min, remove the var from xs, continue. If all pure atoms normalize to true, added equations induce good existential witnesses, and excise will return them as part of min.
** change Depths.t from environment- to state-like treatment
- currently each waiting state has an associated depths map
- the depths of all edges into a destination are joined
- could the depths be just threaded through Work.run instead?
- this would involve changing type x to Depths.t -> t -> Depths.t * t, and removing Depths.t from waiting_states
- separate joining depths from joining states
- i.e. Change to repeatedly pop edges as long as the dst is the same, and only join the states for those. This would involve keeping the waiting states in the priority queue, and removing the waiting states map entirely.
** change Work.run to move Domain.join into ~f
** canonicalize renamings in stacks
It seems possible that two edges will be distinct only due to differences between choice of fresh variable names for shadowed variables. It is not obvious that this could not lead to an infinite number of Edge.t values even without recursion. Using predictable names for local variables, such as a pair of the declared name and the depth of the stack, would avoid these difficulties.