infer_clone/sledge/src/exec.ml

(*
 * Copyright (c) Facebook, Inc. and its affiliates.
 *
 * This source code is licensed under the MIT license found in the
 * LICENSE file in the root directory of this source tree.
 *)

(** Symbolic Execution *)

open Fol

[@@@warning "+9"]

module Fresh : sig
  (** Monad to manage generation of fresh variables. A value of type ['a t]
      is a value of type ['a] which may contain as-yet-unnamed variables. *)
  include Monad.S

  val gen : wrt:Var.Set.t -> 'a t -> Var.Set.t * 'a
  (** [gen ~wrt a] generates names that are fresh with respect to [wrt] for
      all unnamed variables in [a], and yields the set of generated
      variables together with [a] expressed in terms of those variables. *)

  val var : string -> Term.t t
  (** Fresh variable whose name is based on the given string. *)

  val seg :
       ?bas:Term.t
    -> ?len:Term.t
    -> ?siz:Term.t
    -> ?cnt:Term.t
    -> Term.t
    -> Sh.seg t
  (** Segment with fresh variables for omitted arguments. *)

  val assign : ws:Var.Set.t -> rs:Var.Set.t -> (Var.Subst.t * Var.Set.t) t
  (** Renaming of fresh ghosts for overwritten variables, and remaining
      modified but not read variables, given written variables [ws] and read
      (or appearing in the precondition) variables [rs]. *)
end = struct
  type ctx = {wrt: Var.Set.t; xs: Var.Set.t}

  include Monad.State (struct
    type t = ctx
  end)

  open Import

  let gen ~wrt m =
    let a, {xs; wrt= _} = run m {wrt; xs= Var.Set.empty} in
    (xs, a)

  let var nam {wrt; xs} =
    let x, wrt = Var.fresh nam ~wrt in
    let xs = Var.Set.add x xs in
    return (Term.var x) {wrt; xs}

  let seg ?bas ?len ?siz ?cnt loc =
    let freshen term nam =
      match term with Some term -> return term | None -> var nam
    in
    let* bas = freshen bas "b" in
    let* len = freshen len "m" in
    let* siz = freshen siz "n" in
    let* cnt = freshen cnt "a" in
    return Sh.{loc; bas; len; siz; cnt}

  let assign ~ws ~rs {wrt; xs} =
    let ovs = Var.Set.inter ws rs in
    let Var.Subst.{sub; dom; rng}, wrt = Var.Subst.freshen ovs ~wrt in
    let ms = Var.Set.diff ws dom in
    let xs = Var.Set.union xs rng in
    return (sub, ms) {wrt; xs}
end

(** generic command: [{foot ∧ sub} ms := - {post}] *)
type spec = {foot: Sh.t; sub: Var.Subst.t; ms: Var.Set.t; post: Sh.t}

let gen_spec us specm =
  let xs, spec = Fresh.gen ~wrt:us specm in
  let us = Var.Set.union xs (Var.Set.union spec.foot.us spec.post.us) in
  let foot = Sh.extend_us us spec.foot in
  let post = Sh.extend_us us spec.post in
  (xs, {spec with foot; post})

(*
 * Instruction small axioms
 *)

let null_eq ptr = Sh.pure (Formula.eq0 ptr)

let eq_concat (siz, cnt) ms =
  Formula.eq
    (Term.sized ~siz ~seq:cnt)
    (Term.concat
       (Array.map ~f:(fun (siz, cnt) -> Term.sized ~siz ~seq:cnt) ms))

open Fresh.Import

(* { emp }
 *   rs := es
 * { *ᵢ rᵢ=eᵢΘ }
 *)
let move_spec reg_exps =
  let foot = Sh.emp in
  let ws, rs =
    IArray.fold reg_exps (Var.Set.empty, Var.Set.empty)
      ~f:(fun (reg, exp) (ws, rs) ->
        (Var.Set.add reg ws, Var.Set.union rs (Term.fv exp)) )
  in
  let+ sub, ms = Fresh.assign ~ws ~rs in
  let post =
    IArray.fold reg_exps Sh.emp ~f:(fun (reg, exp) post ->
        Sh.and_ (Formula.eq (Term.var reg) (Term.rename sub exp)) post )
  in
  {foot; sub; ms; post}

(* { p-[b;m)->⟨l,α⟩ }
 *   load l r p
 * { r=αΘ * (p-[b;m)->⟨l,α⟩)Θ }
 *)
let load_spec reg ptr len =
  let* seg = Fresh.seg ptr ~siz:len in
  let foot = Sh.seg seg in
  let+ sub, ms = Fresh.assign ~ws:(Var.Set.of_ reg) ~rs:foot.us in
  let post =
    Sh.and_
      (Formula.eq (Term.var reg) (Term.rename sub seg.cnt))
      (Sh.rename sub foot)
  in
  {foot; sub; ms; post}

(* { p-[b;m)->⟨l,α⟩ }
 *   store l p e
 * { p-[b;m)->⟨l,e⟩ }
 *)
let store_spec ptr exp len =
  let+ seg = Fresh.seg ptr ~siz:len in
  let foot = Sh.seg seg in
  let post = Sh.seg {seg with cnt= exp} in
  {foot; sub= Var.Subst.empty; ms= Var.Set.empty; post}

(* { d-[b;m)->⟨l,α⟩ }
 *   memset l d b
 * { d-[b;m)->⟨l,b^⟩ }
 *)
let memset_spec dst byt len =
  let+ seg = Fresh.seg dst ~siz:len in
  let foot = Sh.seg seg in
  let post = Sh.seg {seg with cnt= Term.splat byt} in
  {foot; sub= Var.Subst.empty; ms= Var.Set.empty; post}

(* { d=s * l=0 * d-[b;m)->⟨l,α⟩ }
 *   memcpy l d s
 * { d-[b;m)->⟨l,α⟩ }
 *)
let memcpy_eq_spec dst src len =
  let+ seg = Fresh.seg dst ~len in
  let dst_heap = Sh.seg seg in
  let foot =
    Sh.and_ (Formula.eq dst src) (Sh.and_ (Formula.eq0 len) dst_heap)
  in
  let post = dst_heap in
  {foot; sub= Var.Subst.empty; ms= Var.Set.empty; post}

(* { d-[b;m)->⟨l,α⟩ * s-[b';m')->⟨l,α'⟩ }
 *   memcpy l d s
 * { d-[b;m)->⟨l,α'⟩ * s-[b';m')->⟨l,α'⟩ }
 *)
let memcpy_dj_spec dst src len =
  let* dst_seg = Fresh.seg dst ~siz:len in
  let dst_heap = Sh.seg dst_seg in
  let+ src_seg = Fresh.seg src ~siz:len in
  let src_heap = Sh.seg src_seg in
  let dst_seg' = {dst_seg with cnt= src_seg.cnt} in
  let dst_heap' = Sh.seg dst_seg' in
  let foot = Sh.star dst_heap src_heap in
  let post = Sh.star dst_heap' src_heap in
  {foot; sub= Var.Subst.empty; ms= Var.Set.empty; post}

let memcpy_specs dst src len =
  [memcpy_eq_spec dst src len; memcpy_dj_spec dst src len]

(* { d=s * d-[b;m)->⟨l,α⟩ }
 *   memmov l d s
 * { d-[b;m)->⟨l,α⟩ }
 *)
let memmov_eq_spec dst src len =
  let+ dst_seg = Fresh.seg dst ~len in
  let dst_heap = Sh.seg dst_seg in
  let foot = Sh.and_ (Formula.eq dst src) dst_heap in
  let post = dst_heap in
  {foot; sub= Var.Subst.empty; ms= Var.Set.empty; post}

(* { d-[b;m)->⟨l,α⟩ * s-[b';m')->⟨l,α'⟩ }
 *   memmov l d s
 * { d-[b;m)->⟨l,α'⟩ * s-[b';m')->⟨l,α'⟩ }
 *)
let memmov_dj_spec = memcpy_dj_spec

(* memmov footprint for dst < src case *)
let memmov_foot dst src len =
  let* bas = Fresh.var "b" in
  let* siz = Fresh.var "m" in
  let* cnt_dst = Fresh.var "a" in
  let* cnt_mid = Fresh.var "a" in
  let* cnt_src = Fresh.var "a" in
  let src_dst = Term.sub src dst in
  let mem_dst = (src_dst, cnt_dst) in
  let siz_mid = Term.sub len src_dst in
  let mem_mid = (siz_mid, cnt_mid) in
  let mem_src = (src_dst, cnt_src) in
  let mem_dst_mid_src = [|mem_dst; mem_mid; mem_src|] in
  let* siz_dst_mid_src = Fresh.var "m" in
  let+ cnt_dst_mid_src = Fresh.var "a" in
  let eq_mem_dst_mid_src =
    eq_concat (siz_dst_mid_src, cnt_dst_mid_src) mem_dst_mid_src
  in
  let seg =
    Sh.seg
      {loc= dst; bas; len= siz; siz= siz_dst_mid_src; cnt= cnt_dst_mid_src}
  in
  let foot =
    Sh.and_ eq_mem_dst_mid_src
      (Sh.and_ (Formula.lt dst src)
         (Sh.and_ (Formula.lt src (Term.add dst len)) seg))
  in
  (bas, siz, mem_dst, mem_mid, mem_src, foot)

(* { d<s * s<d+l * d-[b;m)->⟨s-d,α⟩^⟨l-(s-d),β⟩^⟨s-d,γ⟩ }
 *   memmov l d s
 * { d-[b;m)->⟨l-(s-d),β⟩^⟨s-d,γ⟩^⟨s-d,γ⟩ }
 *)
let memmov_dn_spec dst src len =
  let* bas, siz, _, mem_mid, mem_src, foot = memmov_foot dst src len in
  let mem_mid_src_src = [|mem_mid; mem_src; mem_src|] in
  let* siz_mid_src_src = Fresh.var "m" in
  let+ cnt_mid_src_src = Fresh.var "a" in
  let eq_mem_mid_src_src =
    eq_concat (siz_mid_src_src, cnt_mid_src_src) mem_mid_src_src
  in
  let post =
    Sh.and_ eq_mem_mid_src_src
      (Sh.seg
         { loc= dst
         ; bas
         ; len= siz
         ; siz= siz_mid_src_src
         ; cnt= cnt_mid_src_src })
  in
  {foot; sub= Var.Subst.empty; ms= Var.Set.empty; post}

(* { s<d * d<s+l * s-[b;m)->⟨d-s,α⟩^⟨l-(d-s),β⟩^⟨d-s,γ⟩ }
 *   memmov l d s
 * { s-[b;m)->⟨d-s,α⟩^⟨d-s,α⟩^⟨l-(d-s),β⟩ }
 *)
let memmov_up_spec dst src len =
  let* bas, siz, mem_src, mem_mid, _, foot = memmov_foot src dst len in
  let mem_src_src_mid = [|mem_src; mem_src; mem_mid|] in
  let* siz_src_src_mid = Fresh.var "m" in
  let+ cnt_src_src_mid = Fresh.var "a" in
  let eq_mem_src_src_mid =
    eq_concat (siz_src_src_mid, cnt_src_src_mid) mem_src_src_mid
  in
  let post =
    Sh.and_ eq_mem_src_src_mid
      (Sh.seg
         { loc= src
         ; bas
         ; len= siz
         ; siz= siz_src_src_mid
         ; cnt= cnt_src_src_mid })
  in
  {foot; sub= Var.Subst.empty; ms= Var.Set.empty; post}

let memmov_specs dst src len =
  [ memmov_eq_spec dst src len
  ; memmov_dj_spec dst src len
  ; memmov_dn_spec dst src len
  ; memmov_up_spec dst src len ]

(* { emp }
 *   alloc r [n × l]
 * { ∃α'. r-[r;(n×l)Θ)->⟨(n×l)Θ,α'⟩ }
 *)
let alloc_spec reg num len =
  let foot = Sh.emp in
  let siz = Term.mulq (Q.of_int len) num in
  let* sub, ms = Fresh.assign ~ws:(Var.Set.of_ reg) ~rs:(Term.fv siz) in
  let loc = Term.var reg in
  let siz = Term.rename sub siz in
  let+ seg = Fresh.seg loc ~bas:loc ~len:siz ~siz in
  let post = Sh.seg seg in
  {foot; sub; ms; post}

(*
 * Memory management - see e.g. http://jemalloc.net/jemalloc.3.html
 *)

(* { p=0 ∨ p-[p;m)->⟨m,α⟩ }
 *   free p
 * { emp }
 *)
let free_spec ptr =
  let* len = Fresh.var "m" in
  let+ seg = Fresh.seg ptr ~bas:ptr ~len ~siz:len in
  let foot = Sh.or_ (null_eq ptr) (Sh.seg seg) in
  let post = Sh.emp in
  {foot; sub= Var.Subst.empty; ms= Var.Set.empty; post}

(* { p-[p;m)->⟨m,α⟩ }
 *   dallocx p
 * { emp }
 *)
let dallocx_spec ptr =
  let* len = Fresh.var "m" in
  let+ seg = Fresh.seg ptr ~bas:ptr ~len ~siz:len in
  let foot = Sh.seg seg in
  let post = Sh.emp in
  {foot; sub= Var.Subst.empty; ms= Var.Set.empty; post}

(* { emp }
 *   malloc r s
 * { r=0 ∨ ∃α'. r-[r;sΘ)->⟨sΘ,α'⟩ }
 *)
let malloc_spec reg siz =
  let foot = Sh.emp in
  let* sub, ms = Fresh.assign ~ws:(Var.Set.of_ reg) ~rs:(Term.fv siz) in
  let loc = Term.var reg in
  let siz = Term.rename sub siz in
  let+ seg = Fresh.seg loc ~bas:loc ~len:siz ~siz in
  let post = Sh.or_ (null_eq (Term.var reg)) (Sh.seg seg) in
  {foot; sub; ms; post}

(* { s≠0 }
 *   mallocx r s
 * { r=0 ∨ ∃α'. r-[r;sΘ)->⟨sΘ,α'⟩ }
 *)
let mallocx_spec reg siz =
  let foot = Sh.pure (Formula.dq0 siz) in
  let* sub, ms = Fresh.assign ~ws:(Var.Set.of_ reg) ~rs:(Term.fv siz) in
  let loc = Term.var reg in
  let siz = Term.rename sub siz in
  let+ seg = Fresh.seg loc ~bas:loc ~len:siz ~siz in
  let post = Sh.or_ (null_eq (Term.var reg)) (Sh.seg seg) in
  {foot; sub; ms; post}

(* { emp }
 *   calloc r [n × l]
 * { r=0 ∨ r-[r;(n×l)Θ)->⟨(n×l)Θ,0^⟩ }
 *)
let calloc_spec reg num len =
  let foot = Sh.emp in
  let siz = Term.mul num len in
  let* sub, ms = Fresh.assign ~ws:(Var.Set.of_ reg) ~rs:(Term.fv siz) in
  let loc = Term.var reg in
  let siz = Term.rename sub siz in
  let cnt = Term.splat Term.zero in
  let+ seg = Fresh.seg loc ~bas:loc ~len:siz ~siz ~cnt in
  let post = Sh.or_ (null_eq (Term.var reg)) (Sh.seg seg) in
  {foot; sub; ms; post}

let size_of_ptr = Term.integer (Z.of_int Llair.Typ.(size_of ptr))
let size_of_siz = Term.integer (Z.of_int Llair.Typ.(size_of siz))

(* { p-[_;_)->⟨W,_⟩ }
 *   posix_memalign r p s
 * {   r=ENOMEM * (p-[_;_)->⟨W,_⟩)Θ
 *   ∨ ∃α',q. r=0 * (p-[_;_)->⟨W,q⟩ * q-[q;s)->⟨s,α'⟩)Θ }
 * where W = sizeof void*
 *)
let posix_memalign_spec reg ptr siz =
  let* pseg = Fresh.seg ptr ~siz:size_of_ptr in
  let foot = Sh.seg pseg in
  let* sub, ms =
    Fresh.assign ~ws:(Var.Set.of_ reg)
      ~rs:(Var.Set.union foot.us (Term.fv siz))
  in
  let* q = Fresh.var "q" in
  let pseg' = {pseg with cnt= q} in
  let+ qseg = Fresh.seg q ~bas:q ~len:siz ~siz in
  let eok = Term.zero in
  let enomem = Term.integer (Z.of_int 12) in
  let post =
    Sh.or_
      (Sh.and_ (Formula.eq (Term.var reg) enomem) (Sh.rename sub foot))
      (Sh.and_
         (Formula.eq (Term.var reg) eok)
         (Sh.rename sub (Sh.star (Sh.seg pseg') (Sh.seg qseg))))
  in
  {foot; sub; ms; post}

(* { p=0 ∨ p-[p;m)->⟨m,α⟩ }
 *   realloc r p s
 * {   (r=0 * (pΘ=0 ∨ pΘ-[pΘ;m)->⟨m,α⟩))
 *   ∨ ∃α',α'' . r-[r;sΘ)->⟨sΘ,α'⟩
 *     * (m≤sΘ ? ⟨sΘ,α'⟩=⟨m,α⟩^⟨sΘ-m,α''⟩ : ⟨m,α⟩=⟨sΘ,α'⟩^⟨m-sΘ,α''⟩) }
 *)
let realloc_spec reg ptr siz =
  let* len = Fresh.var "m" in
  let* pseg = Fresh.seg ptr ~bas:ptr ~len ~siz:len in
  let foot = Sh.or_ (null_eq ptr) (Sh.seg pseg) in
  let* sub, ms =
    Fresh.assign ~ws:(Var.Set.of_ reg)
      ~rs:(Var.Set.union foot.us (Term.fv siz))
  in
  let loc = Term.var reg in
  let siz = Term.rename sub siz in
  let* rseg = Fresh.seg loc ~bas:loc ~len:siz ~siz in
  let a0 = pseg.cnt in
  let a1 = rseg.cnt in
  let+ a2 = Fresh.var "a" in
  let post =
    Sh.or_
      (Sh.and_ (Formula.eq0 loc) (Sh.rename sub foot))
      (Sh.and_
         (Formula.cond ~cnd:(Formula.le len siz)
            ~pos:(eq_concat (siz, a1) [|(len, a0); (Term.sub siz len, a2)|])
            ~neg:(eq_concat (len, a0) [|(siz, a1); (Term.sub len siz, a2)|]))
         (Sh.seg rseg))
  in
  {foot; sub; ms; post}

(* { s≠0 * p-[p;m)->⟨m,α⟩ }
 *   rallocx r p s
 * {   (r=0 * pΘ-[pΘ;m)->⟨m,α⟩)
 *   ∨ ∃α',α'' . r-[r;sΘ)->⟨sΘ,α'⟩
 *     * (m≤sΘ ? ⟨sΘ,α'⟩=⟨m,α⟩^⟨sΘ-m,α''⟩ : ⟨m,α⟩=⟨sΘ,α'⟩^⟨m-sΘ,α''⟩) }
 *)
let rallocx_spec reg ptr siz =
  let* len = Fresh.var "m" in
  let* pseg = Fresh.seg ptr ~bas:ptr ~len ~siz:len in
  let pheap = Sh.seg pseg in
  let foot = Sh.and_ (Formula.dq0 siz) pheap in
  let* sub, ms = Fresh.assign ~ws:(Var.Set.of_ reg) ~rs:foot.us in
  let loc = Term.var reg in
  let siz = Term.rename sub siz in
  let* rseg = Fresh.seg loc ~bas:loc ~len:siz ~siz in
  let a0 = pseg.cnt in
  let a1 = rseg.cnt in
  let+ a2 = Fresh.var "a" in
  let post =
    Sh.or_
      (Sh.and_ (Formula.eq0 loc) (Sh.rename sub pheap))
      (Sh.and_
         (Formula.cond ~cnd:(Formula.le len siz)
            ~pos:(eq_concat (siz, a1) [|(len, a0); (Term.sub siz len, a2)|])
            ~neg:(eq_concat (len, a0) [|(siz, a1); (Term.sub len siz, a2)|]))
         (Sh.seg rseg))
  in
  {foot; sub; ms; post}

(* { s≠0 * p-[p;m)->⟨m,α⟩ }
 *   xallocx r p s e
 * { ∃α',α'' . sΘ≤r≤(s+e)Θ * pΘ-[pΘ;r)->⟨r,α'⟩
 *   * (m≤r ? ⟨r,α'⟩=⟨m,α⟩^⟨r-m,α''⟩ : ⟨m,α⟩=⟨r,α'⟩^⟨m-r,α''⟩) }
 *)
let xallocx_spec reg ptr siz ext =
  let* len = Fresh.var "m" in
  let* seg = Fresh.seg ptr ~bas:ptr ~len ~siz:len in
  let foot = Sh.and_ (Formula.dq0 siz) (Sh.seg seg) in
  let* sub, ms =
    Fresh.assign ~ws:(Var.Set.of_ reg)
      ~rs:Var.Set.(union foot.us (union (Term.fv siz) (Term.fv ext)))
  in
  let reg = Term.var reg in
  let ptr = Term.rename sub ptr in
  let siz = Term.rename sub siz in
  let ext = Term.rename sub ext in
  let* seg' = Fresh.seg ptr ~bas:ptr ~len:reg ~siz:reg in
  let a0 = seg.cnt in
  let a1 = seg'.cnt in
  let+ a2 = Fresh.var "a" in
  let post =
    Sh.and_
      (Formula.and_
         (Formula.cond ~cnd:(Formula.le len siz)
            ~pos:(eq_concat (siz, a1) [|(len, a0); (Term.sub siz len, a2)|])
            ~neg:(eq_concat (len, a0) [|(siz, a1); (Term.sub len siz, a2)|]))
         (Formula.and_ (Formula.le siz reg)
            (Formula.le reg (Term.add siz ext))))
      (Sh.seg seg')
  in
  {foot; sub; ms; post}

(* { p-[p;m)->⟨m,α⟩ }
 *   sallocx r p
 * { r=m * (p-[p;m)->⟨m,α⟩)Θ }
 *)
let sallocx_spec reg ptr =
  let* len = Fresh.var "m" in
  let* seg = Fresh.seg ptr ~bas:ptr ~len ~siz:len in
  let foot = Sh.seg seg in
  let+ sub, ms = Fresh.assign ~ws:(Var.Set.of_ reg) ~rs:foot.us in
  let post = Sh.and_ (Formula.eq (Term.var reg) len) (Sh.rename sub foot) in
  {foot; sub; ms; post}

(* { p-[p;m)->⟨m,α⟩ }
 *   malloc_usable_size r p
 * { m≤r * (p-[p;m)->⟨m,α⟩)Θ }
 *)
let malloc_usable_size_spec reg ptr =
  let* len = Fresh.var "m" in
  let* seg = Fresh.seg ptr ~bas:ptr ~len ~siz:len in
  let foot = Sh.seg seg in
  let+ sub, ms = Fresh.assign ~ws:(Var.Set.of_ reg) ~rs:foot.us in
  let post = Sh.and_ (Formula.le len (Term.var reg)) (Sh.rename sub foot) in
  {foot; sub; ms; post}

(* { s≠0 }
 *   r = nallocx s
 * { r=0 ∨ r=sΘ }
 *)
let nallocx_spec reg siz =
  let foot = Sh.pure (Formula.dq0 siz) in
  let+ sub, ms = Fresh.assign ~ws:(Var.Set.of_ reg) ~rs:foot.us in
  let loc = Term.var reg in
  let siz = Term.rename sub siz in
  let post = Sh.or_ (null_eq loc) (Sh.pure (Formula.eq loc siz)) in
  {foot; sub; ms; post}

let size_of_int_mul = Term.mulq (Q.of_int Llair.Typ.(size_of siz))

(* { r-[_;_)->⟨m,_⟩ * i-[_;_)->⟨W,m⟩ * w=0 * n=0 }
 *   mallctl (_, r, i, w, n)
 * { ∃α'. r-[_;_)->⟨m,α'⟩ * i-[_;_)->⟨W,m⟩ }
 * where W = sizeof size_t
 *)
let mallctl_read_spec r i w n =
  let* iseg = Fresh.seg i ~siz:size_of_siz in
  let* rseg = Fresh.seg r ~siz:iseg.cnt in
  let+ a = Fresh.var "a" in
  let foot =
    Sh.and_ (Formula.eq0 w)
      (Sh.and_ (Formula.eq0 n) (Sh.star (Sh.seg iseg) (Sh.seg rseg)))
  in
  let rseg' = {rseg with cnt= a} in
  let post = Sh.star (Sh.seg rseg') (Sh.seg iseg) in
  {foot; sub= Var.Subst.empty; ms= Var.Set.empty; post}

(* { p-[_;_)->⟨W×l,_⟩ * r-[_;_)->⟨m,_⟩ * i-[_;_)->⟨_,m⟩ * w=0 * n=0 }
 *   mallctlbymib p l r i w n
 * { ∃α'. p-[_;_)->⟨W×l,_⟩ * r-[_;_)->⟨m,α'⟩ * i-[_;_)->⟨_,m⟩ }
 * where W = sizeof int
 *)
let mallctlbymib_read_spec p l r i w n =
  let wl = size_of_int_mul l in
  let* pseg = Fresh.seg p ~siz:wl in
  let* iseg = Fresh.seg i in
  let m = iseg.cnt in
  let* rseg = Fresh.seg r ~siz:m in
  let const = Sh.star (Sh.seg pseg) (Sh.seg iseg) in
  let+ a = Fresh.var "a" in
  let foot =
    Sh.and_ (Formula.eq0 w)
      (Sh.and_ (Formula.eq0 n) (Sh.star const (Sh.seg rseg)))
  in
  let rseg' = {rseg with cnt= a} in
  let post = Sh.star (Sh.seg rseg') const in
  {foot; sub= Var.Subst.empty; ms= Var.Set.empty; post}

(* { r=0 * i=0 * w-[_;_)->⟨n,_⟩ }
 *   mallctl (_, r, i, w, n)
 * { w-[_;_)->⟨n,_⟩ }
 *)
let mallctl_write_spec r i w n =
  let+ seg = Fresh.seg w ~siz:n in
  let post = Sh.seg seg in
  let foot = Sh.and_ (Formula.eq0 r) (Sh.and_ (Formula.eq0 i) post) in
  {foot; sub= Var.Subst.empty; ms= Var.Set.empty; post}

(* { p-[_;_)->⟨W×l,_⟩ * r=0 * i=0 * w-[_;_)->⟨n,_⟩ }
 *   mallctl (_, r, i, w, n)
 * { p-[_;_)->⟨W×l,_⟩ * w-[_;_)->⟨n,_⟩ }
 * where W = sizeof int
 *)
let mallctlbymib_write_spec p l r i w n =
  let wl = size_of_int_mul l in
  let* pseg = Fresh.seg p ~siz:wl in
  let+ wseg = Fresh.seg w ~siz:n in
  let post = Sh.star (Sh.seg pseg) (Sh.seg wseg) in
  let foot = Sh.and_ (Formula.eq0 r) (Sh.and_ (Formula.eq0 i) post) in
  {foot; sub= Var.Subst.empty; ms= Var.Set.empty; post}

let mallctl_specs r i w n =
  [mallctl_read_spec r i w n; mallctl_write_spec r i w n]

let mallctlbymib_specs p j r i w n =
  [mallctlbymib_read_spec p j r i w n; mallctlbymib_write_spec p j r i w n]

(* { p-[_;_)->⟨W×n,α⟩ * o-[_;_)->⟨_,n⟩ }
 *   mallctlnametomib p o
 * { ∃α'.
 *   p-[_;_)->⟨W×n,α'⟩ * o-[_;_)->⟨_,n⟩ }
 * where W = sizeof int
 *
 * Note: post is too strong, more accurate would be:
 * { ∃α',α²,α³,n'. ⟨W×n,α⟩=⟨W×n',α³⟩^⟨W×(n-n'),α²⟩ *
 *   p-[_;_)->⟨W×n',α'⟩ * p+W×n'-[_;_)->⟨W×(n-n'),α²⟩ * o-[_;_)->⟨_,n'⟩ }
 *)
let mallctlnametomib_spec p o =
  let* oseg = Fresh.seg o in
  let n = oseg.cnt in
  let wn = size_of_int_mul n in
  let* pseg = Fresh.seg p ~siz:wn in
  let+ a = Fresh.var "a" in
  let foot = Sh.star (Sh.seg oseg) (Sh.seg pseg) in
  let pseg' = {pseg with cnt= a} in
  let post = Sh.star (Sh.seg pseg') (Sh.seg oseg) in
  {foot; sub= Var.Subst.empty; ms= Var.Set.empty; post}

(*
 * cstring - see e.g. http://www.cplusplus.com/reference/cstring/
 *)

(* { p-[b;m)->⟨l,α⟩ }
 *   r = strlen p
 * { r=(b+m-p-1)Θ * (p-[b;m)->⟨l,α⟩)Θ }
 *)
let strlen_spec reg ptr =
  let* seg = Fresh.seg ptr in
  let foot = Sh.seg seg in
  let+ sub, ms = Fresh.assign ~ws:(Var.Set.of_ reg) ~rs:foot.us in
  let {Sh.loc= p; bas= b; len= m; _} = seg in
  let ret = Term.sub (Term.sub (Term.add b m) p) Term.one in
  let post =
    Sh.and_
      (Formula.eq (Term.var reg) (Term.rename sub ret))
      (Sh.rename sub foot)
  in
  {foot; sub; ms; post}

(*
 * Symbolic Execution
 *)

open Option.Import

let check_preserve_us (q0 : Sh.t) (q1 : Sh.t) =
  let gain_us = Var.Set.diff q1.us q0.us in
  let lose_us = Var.Set.diff q0.us q1.us in
  (Var.Set.is_empty gain_us || fail "gain us: %a" Var.Set.pp gain_us ())
  && (Var.Set.is_empty lose_us || fail "lose us: %a" Var.Set.pp lose_us ())

(* execute a command with given explicitly-quantified spec from
   explicitly-quantified pre *)
let exec_spec_ (xs, pre) (gs, {foot; sub; ms; post}) =
  ([%Trace.call fun {pf} ->
     pf "@[%a@]@ @[<2>%a@,@[<hv>{%a  %a}@;<1 -1>%a--@ {%a  }@]@]" Sh.pp pre
       (Sh.pp_us ~pre:"@<2>∀ " ())
       gs Sh.pp foot
       (fun fs sub ->
         if not (Var.Subst.is_empty sub) then
           Format.fprintf fs "∧ %a" Var.Subst.pp sub )
       sub
       (fun fs ms ->
         if not (Var.Set.is_empty ms) then
           Format.fprintf fs "%a := " Var.Set.pp ms )
       ms Sh.pp post ;
     (* gs contains all vars in spec not in pre.us *)
     assert (
       let vs = Var.Set.(diff (diff foot.us gs) pre.us) in
       Var.Set.is_empty vs || fail "unbound foot: {%a}" Var.Set.pp vs () ) ;
     assert (
       let vs = Var.Set.(diff (diff ms gs) pre.us) in
       Var.Set.is_empty vs || fail "unbound modif: {%a}" Var.Set.pp vs () ) ;
     assert (
       let vs = Var.Set.(diff (diff (Var.Subst.domain sub) gs) pre.us) in
       Var.Set.is_empty vs || fail "unbound write: {%a}" Var.Set.pp vs () ) ;
     assert (
       let vs = Var.Set.(diff (diff (Var.Subst.range sub) gs) pre.us) in
       Var.Set.is_empty vs || fail "unbound ghost: {%a}" Var.Set.pp vs () ) ;
     assert (
       let vs = Var.Set.(diff (diff post.us gs) pre.us) in
       Var.Set.is_empty vs || fail "unbound post: {%a}" Var.Set.pp vs () )]
  ;
  let+ frame = Solver.infer_frame pre gs foot in
  Sh.exists (Var.Set.union xs gs)
    (Sh.star post (Sh.exists ms (Sh.rename sub frame))))
  |>
  [%Trace.retn fun {pf} r ->
    pf "%a" (Option.pp "%a" Sh.pp) r ;
    assert (Option.for_all ~f:(check_preserve_us (Sh.exists xs pre)) r)]

(* execute a command with given spec from pre *)
let exec_spec pre specm =
  let xs, pre = Sh.bind_exists pre ~wrt:Var.Set.empty in
  exec_spec_ (xs, pre) (gen_spec pre.us specm)

(* execute a multiple-spec command, where the disjunction of the specs
   preconditions are known to be tautologous *)
let exec_specs pre =
  let xs, pre = Sh.bind_exists pre ~wrt:Var.Set.empty in
  let rec exec_specs_ (xs, pre) = function
    | specm :: specs ->
        let gs, spec = gen_spec pre.Sh.us specm in
        let pure = Sh.pure (Sh.pure_approx spec.foot) in
        let pre_pure =
          Sh.star (Sh.exists (Var.Set.inter gs pure.us) pure) pre
        in
        let* post = exec_spec_ (xs, pre_pure) (gs, spec) in
        let+ posts = exec_specs_ (xs, pre) specs in
        Sh.or_ post posts
    | [] -> Some (Sh.false_ Var.Set.empty)
  in
  exec_specs_ (xs, pre)

let exec_specs pre specs =
  [%Trace.call fun _ -> ()]
  ;
  exec_specs pre specs
  |>
  [%Trace.retn fun _ r ->
    assert (Option.for_all ~f:(check_preserve_us pre) r)]

(*
 * Exposed interface
 *)

let assume pre cnd =
  let post = Sh.and_ cnd pre in
  if Sh.is_false post then None else Some post

let kill pre reg =
  let ms = Var.Set.of_ reg in
  Sh.extend_us ms (Sh.exists ms pre)

let move pre reg_exps =
  exec_spec pre (move_spec reg_exps)
  |> function Some post -> post | _ -> fail "Exec.move failed" ()

let load pre ~reg ~ptr ~len = exec_spec pre (load_spec reg ptr len)
let store pre ~ptr ~exp ~len = exec_spec pre (store_spec ptr exp len)
let alloc pre ~reg ~num ~len = exec_spec pre (alloc_spec reg num len)
let free pre ~ptr = exec_spec pre (free_spec ptr)
let nondet pre = function Some reg -> kill pre reg | None -> pre
let abort _ = None

let intrinsic :
       Sh.t
    -> Var.t option
    -> Llair.Intrinsic.t
    -> Term.t iarray
    -> Sh.t option =
 fun pre areturn intrinsic actuals ->
  match (areturn, intrinsic, IArray.to_array actuals) with
  (*
   * llvm intrinsics
   *)
  | None, `memset, [|dst; byt; len; _isvolatile|] ->
      exec_spec pre (memset_spec dst byt len)
  | None, `memcpy, [|dst; src; len; _isvolatile|] ->
      exec_specs pre (memcpy_specs dst src len)
  | None, `memmove, [|dst; src; len; _isvolatile|] ->
      exec_specs pre (memmov_specs dst src len)
  (*
   * cstdlib - memory management
   *)
  (* void* malloc(size_t size) *)
  | Some reg, `malloc, [|size|]
  (* void* aligned_alloc(size_t alignment, size_t size) *)
   |Some reg, `aligned_alloc, [|_; size|] ->
      exec_spec pre (malloc_spec reg size)
  (* void* calloc(size_t number, size_t size) *)
  | Some reg, `calloc, [|number; size|] ->
      exec_spec pre (calloc_spec reg number size)
  (* int posix_memalign(void** ptr, size_t alignment, size_t size) *)
  | Some reg, `posix_memalign, [|ptr; _; size|] ->
      exec_spec pre (posix_memalign_spec reg ptr size)
  (* void* realloc(void* ptr, size_t size) *)
  | Some reg, `realloc, [|ptr; size|] ->
      exec_spec pre (realloc_spec reg ptr size)
  (*
   * jemalloc - non-standard API
   *)
  (* void* mallocx(size_t size, int flags) *)
  | Some reg, `mallocx, [|size; _|] -> exec_spec pre (mallocx_spec reg size)
  (* void* rallocx(void* ptr, size_t size, int flags) *)
  | Some reg, `rallocx, [|ptr; size; _|] ->
      exec_spec pre (rallocx_spec reg ptr size)
  (* size_t xallocx(void* ptr, size_t size, size_t extra, int flags) *)
  | Some reg, `xallocx, [|ptr; size; extra; _|] ->
      exec_spec pre (xallocx_spec reg ptr size extra)
  (* size_t sallocx(void* ptr, int flags) *)
  | Some reg, `sallocx, [|ptr; _|] -> exec_spec pre (sallocx_spec reg ptr)
  (* void dallocx(void* ptr, int flags) *)
  | None, `dallocx, [|ptr; _|]
  (* void sdallocx(void* ptr, size_t size, int flags) *)
   |None, `sdallocx, [|ptr; _; _|] ->
      exec_spec pre (dallocx_spec ptr)
  (* size_t nallocx(size_t size, int flags) *)
  | Some reg, `nallocx, [|size; _|] -> exec_spec pre (nallocx_spec reg size)
  (* size_t malloc_usable_size(void* ptr) *)
  | Some reg, `malloc_usable_size, [|ptr|] ->
      exec_spec pre (malloc_usable_size_spec reg ptr)
  (* int mallctl(const char* name, void* oldp, size_t* oldlenp, void* newp,
     size_t newlen) *)
  | Some _, `mallctl, [|_; oldp; oldlenp; newp; newlen|] ->
      exec_specs pre (mallctl_specs oldp oldlenp newp newlen)
  (* int mallctlnametomib(const char* name, size_t* mibp, size_t* miblenp) *)
  | Some _, `mallctlnametomib, [|_; mibp; miblenp|] ->
      exec_spec pre (mallctlnametomib_spec mibp miblenp)
  (* int mallctlbymib(const size_t* mib, size_t miblen, void* oldp, size_t*
     oldlenp, void* newp, size_t newlen); *)
  | Some _, `mallctlbymib, [|mib; miblen; oldp; oldlenp; newp; newlen|] ->
      exec_specs pre
        (mallctlbymib_specs mib miblen oldp oldlenp newp newlen)
  | _, `malloc_stats_print, _ -> Some pre
  (*
   * cstring
   *)
  (* size_t strlen (const char* ptr) *)
  | Some reg, `strlen, [|ptr|] -> exec_spec pre (strlen_spec reg ptr)
  (*
   * folly
   *)
  (* bool folly::usingJEMalloc() *)
  | Some _, `_ZN5folly13usingJEMallocEv, [||] -> Some pre
  (*
   * signature mismatch
   *)
  | ( _
    , ( `memset | `memcpy | `memmove | `malloc | `aligned_alloc | `calloc
      | `posix_memalign | `realloc | `mallocx | `rallocx | `xallocx
      | `sallocx | `dallocx | `sdallocx | `nallocx | `malloc_usable_size
      | `mallctl | `mallctlnametomib | `mallctlbymib | `strlen
      | `_ZN5folly13usingJEMallocEv )
    , _ ) ->
      fail "%aintrinsic %a%a;"
        (Option.pp "%a := " Var.pp)
        areturn Llair.Intrinsic.pp intrinsic (IArray.pp "@ " Term.pp)
        actuals ()