|  |  | @ -139,21 +139,9 @@ module TransferFunctions (CFG : ProcCfg.S) = struct | 
			
		
	
		
		
			
				
					
					|  |  |  |     Dom.Mem.instantiate_relation rel_subst_map ~caller:caller_mem ~callee:callee_exit_mem |  |  |  |     Dom.Mem.instantiate_relation rel_subst_map ~caller:caller_mem ~callee:callee_exit_mem | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |   let print_debug_info : Sil.instr -> Dom.Mem.astate -> Dom.Mem.astate -> unit = |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |    fun instr pre post -> |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     L.(debug BufferOverrun Verbose) "@\n@\n================================@\n" ; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     L.(debug BufferOverrun Verbose) "@[<v 2>Pre-state : @,%a" Dom.Mem.pp pre ; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     L.(debug BufferOverrun Verbose) "@]@\n@\n%a" (Sil.pp_instr ~print_types:true Pp.text) instr ; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     L.(debug BufferOverrun Verbose) "@\n@\n" ; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     L.(debug BufferOverrun Verbose) "@[<v 2>Post-state : @,%a" Dom.Mem.pp post ; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     L.(debug BufferOverrun Verbose) "@]@\n" ; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     L.(debug BufferOverrun Verbose) "================================@\n@." |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |   let exec_instr : Dom.Mem.astate -> extras ProcData.t -> CFG.Node.t -> Sil.instr -> Dom.Mem.astate |  |  |  |   let exec_instr : Dom.Mem.astate -> extras ProcData.t -> CFG.Node.t -> Sil.instr -> Dom.Mem.astate | 
			
		
	
		
		
			
				
					
					|  |  |  |       = |  |  |  |       = | 
			
		
	
		
		
			
				
					
					|  |  |  |    fun mem {pdesc; tenv; extras= symbol_table} node instr -> |  |  |  |    fun mem {pdesc; tenv; extras= symbol_table} node instr -> | 
			
		
	
		
		
			
				
					
					|  |  |  |     let output_mem = |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     match instr with |  |  |  |     match instr with | 
			
		
	
		
		
			
				
					
					|  |  |  |     | Load (id, _, _, _) when Ident.is_none id -> |  |  |  |     | Load (id, _, _, _) when Ident.is_none id -> | 
			
		
	
		
		
			
				
					
					|  |  |  |         mem |  |  |  |         mem | 
			
		
	
	
		
		
			
				
					|  |  | @ -168,19 +156,15 @@ module TransferFunctions (CFG : ProcCfg.S) = struct | 
			
		
	
		
		
			
				
					
					|  |  |  |               let v = Dom.Mem.find (Loc.of_pvar pvar) callee_mem in |  |  |  |               let v = Dom.Mem.find (Loc.of_pvar pvar) callee_mem in | 
			
		
	
		
		
			
				
					
					|  |  |  |               Dom.Mem.add_stack (Loc.of_id id) v mem |  |  |  |               Dom.Mem.add_stack (Loc.of_id id) v mem | 
			
		
	
		
		
			
				
					
					|  |  |  |           | None -> |  |  |  |           | None -> | 
			
		
	
		
		
			
				
					
					|  |  |  |                 L.(debug BufferOverrun Verbose) |  |  |  |               L.d_printfln "/!\\ Initializer of global constant %a has no inferbo payload" | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |                   "/!\\ Initializer of global constant %a at %a has no inferbo payload@\n" |  |  |  |                 (Pvar.pp Pp.text) pvar ; | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |                   (Pvar.pp Pp.text) pvar Location.pp location ; |  |  |  |  | 
			
		
	
		
		
	
		
		
	
		
		
			
				
					
					|  |  |  |               Dom.Mem.add_unknown_from id ~callee_pname ~location mem ) |  |  |  |               Dom.Mem.add_unknown_from id ~callee_pname ~location mem ) | 
			
		
	
		
		
			
				
					
					|  |  |  |         | None -> |  |  |  |         | None -> | 
			
		
	
		
		
			
				
					
					|  |  |  |               L.(debug BufferOverrun Verbose) |  |  |  |             L.d_printfln "/!\\ Unknown initializer of global constant %a" (Pvar.pp Pp.text) pvar ; | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |                 "/!\\ Unknown initializer of global constant %a at %a@\n" (Pvar.pp Pp.text) pvar |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |                 Location.pp location ; |  |  |  |  | 
			
		
	
		
		
	
		
		
			
				
					
					|  |  |  |             Dom.Mem.add_unknown_from id ~callee_pname ~location mem ) |  |  |  |             Dom.Mem.add_unknown_from id ~callee_pname ~location mem ) | 
			
		
	
		
		
			
				
					
					|  |  |  |       | None -> |  |  |  |       | None -> | 
			
		
	
		
		
			
				
					
					|  |  |  |             L.(debug BufferOverrun Verbose) |  |  |  |           L.d_printfln "/!\\ Failed to get initializer name of global constant %a" | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |               "/!\\ Failed to get initializer name of global constant %a at %a@\n" |  |  |  |             (Pvar.pp Pp.text) pvar ; | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |               (Pvar.pp Pp.text) pvar Location.pp location ; |  |  |  |  | 
			
		
	
		
		
	
		
		
	
		
		
			
				
					
					|  |  |  |           Dom.Mem.add_unknown id ~location mem ) |  |  |  |           Dom.Mem.add_unknown id ~location mem ) | 
			
		
	
		
		
			
				
					
					|  |  |  |     | Load (id, exp, _, _) -> |  |  |  |     | Load (id, exp, _, _) -> | 
			
		
	
		
		
			
				
					
					|  |  |  |         BoUtils.Exec.load_val id (Sem.eval exp mem) mem |  |  |  |         BoUtils.Exec.load_val id (Sem.eval exp mem) mem | 
			
		
	
	
		
		
			
				
					|  |  | @ -190,8 +174,8 @@ module TransferFunctions (CFG : ProcCfg.S) = struct | 
			
		
	
		
		
			
				
					
					|  |  |  |         let mem = |  |  |  |         let mem = | 
			
		
	
		
		
			
				
					
					|  |  |  |           let sym_exps = |  |  |  |           let sym_exps = | 
			
		
	
		
		
			
				
					
					|  |  |  |             Dom.Relation.SymExp.of_exps ~get_int_sym_f:(Sem.get_sym_f mem) |  |  |  |             Dom.Relation.SymExp.of_exps ~get_int_sym_f:(Sem.get_sym_f mem) | 
			
		
	
		
		
			
				
					
					|  |  |  |                 ~get_offset_sym_f:(Sem.get_offset_sym_f mem) |  |  |  |               ~get_offset_sym_f:(Sem.get_offset_sym_f mem) ~get_size_sym_f:(Sem.get_size_sym_f mem) | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |                 ~get_size_sym_f:(Sem.get_size_sym_f mem) exp2 |  |  |  |               exp2 | 
			
				
				
			
		
	
		
		
	
		
		
	
		
		
			
				
					
					|  |  |  |           in |  |  |  |           in | 
			
		
	
		
		
			
				
					
					|  |  |  |           Dom.Mem.store_relation locs sym_exps mem |  |  |  |           Dom.Mem.store_relation locs sym_exps mem | 
			
		
	
		
		
			
				
					
					|  |  |  |         in |  |  |  |         in | 
			
		
	
	
		
		
			
				
					|  |  | @ -234,29 +218,19 @@ module TransferFunctions (CFG : ProcCfg.S) = struct | 
			
		
	
		
		
			
				
					
					|  |  |  |                 instantiate_mem tenv ret callee_pdesc callee_pname params mem payload location |  |  |  |                 instantiate_mem tenv ret callee_pdesc callee_pname params mem payload location | 
			
		
	
		
		
			
				
					
					|  |  |  |             | None -> |  |  |  |             | None -> | 
			
		
	
		
		
			
				
					
					|  |  |  |                 (* This may happen for procedures with a biabduction model. *) |  |  |  |                 (* This may happen for procedures with a biabduction model. *) | 
			
		
	
		
		
			
				
					
					|  |  |  |                   L.(debug BufferOverrun Verbose) |  |  |  |                 L.d_printfln "/!\\ Call to %a has no inferbo payload" Typ.Procname.pp callee_pname ; | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |                     "/!\\ Call to %a at %a has no inferbo payload@\n" Typ.Procname.pp callee_pname |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |                     Location.pp location ; |  |  |  |  | 
			
		
	
		
		
	
		
		
			
				
					
					|  |  |  |                 Dom.Mem.add_unknown_from id ~callee_pname ~location mem ) |  |  |  |                 Dom.Mem.add_unknown_from id ~callee_pname ~location mem ) | 
			
		
	
		
		
			
				
					
					|  |  |  |           | None -> |  |  |  |           | None -> | 
			
		
	
		
		
			
				
					
					|  |  |  |                 L.(debug BufferOverrun Verbose) |  |  |  |               L.d_printfln "/!\\ Unknown call to %a" Typ.Procname.pp callee_pname ; | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |                   "/!\\ Unknown call to %a at %a@\n" Typ.Procname.pp callee_pname Location.pp |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |                   location ; |  |  |  |  | 
			
		
	
		
		
	
		
		
			
				
					
					|  |  |  |               Dom.Mem.add_unknown_from id ~callee_pname ~location mem ) ) |  |  |  |               Dom.Mem.add_unknown_from id ~callee_pname ~location mem ) ) | 
			
		
	
		
		
			
				
					
					|  |  |  |     | Call ((id, _), fun_exp, _, location, _) -> |  |  |  |     | Call ((id, _), fun_exp, _, location, _) -> | 
			
		
	
		
		
			
				
					
					|  |  |  |         let mem = Dom.Mem.add_stack_loc (Loc.of_id id) mem in |  |  |  |         let mem = Dom.Mem.add_stack_loc (Loc.of_id id) mem in | 
			
		
	
		
		
			
				
					
					|  |  |  |           let () = |  |  |  |         let () = L.d_printfln "/!\\ Call to non-const function %a" Exp.pp fun_exp in | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |             L.(debug BufferOverrun Verbose) |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |               "/!\\ Call to non-const function %a at %a" Exp.pp fun_exp Location.pp location |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |           in |  |  |  |  | 
			
		
	
		
		
	
		
		
			
				
					
					|  |  |  |         Dom.Mem.add_unknown id ~location mem |  |  |  |         Dom.Mem.add_unknown id ~location mem | 
			
		
	
		
		
			
				
					
					|  |  |  |     | Remove_temps (temps, _) -> |  |  |  |     | Remove_temps (temps, _) -> | 
			
		
	
		
		
			
				
					
					|  |  |  |         Dom.Mem.remove_temps temps mem |  |  |  |         Dom.Mem.remove_temps temps mem | 
			
		
	
		
		
			
				
					
					|  |  |  |     | Abstract _ | Nullify _ -> |  |  |  |     | Abstract _ | Nullify _ -> | 
			
		
	
		
		
			
				
					
					|  |  |  |         mem |  |  |  |         mem | 
			
		
	
		
		
			
				
					
					|  |  |  |     in |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     print_debug_info instr mem output_mem ; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     output_mem |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |   let pp_session_name node fmt = F.fprintf fmt "bufferoverrun %a" CFG.Node.pp_id (CFG.Node.id node) |  |  |  |   let pp_session_name node fmt = F.fprintf fmt "bufferoverrun %a" CFG.Node.pp_id (CFG.Node.id node) | 
			
		
	
	
		
		
			
				
					|  |  | @ -799,12 +773,6 @@ let extract_pre = Analyzer.extract_pre | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  | let extract_post = Analyzer.extract_post |  |  |  | let extract_post = Analyzer.extract_post | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  | let print_summary : Typ.Procname.t -> BufferOverrunSummary.t -> unit = |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |  fun proc_name s -> |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |   L.(debug BufferOverrun Medium) |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     "@\n@[<v 2>Summary of %a:@,%a@]@." Typ.Procname.pp proc_name BufferOverrunSummary.pp s |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  | let get_local_decls proc_desc = |  |  |  | let get_local_decls proc_desc = | 
			
		
	
		
		
			
				
					
					|  |  |  |   let proc_name = Procdesc.get_proc_name proc_desc in |  |  |  |   let proc_name = Procdesc.get_proc_name proc_desc in | 
			
		
	
		
		
			
				
					
					|  |  |  |   let accum_local_decls acc {ProcAttributes.name} = |  |  |  |   let accum_local_decls acc {ProcAttributes.name} = | 
			
		
	
	
		
		
			
				
					|  |  | @ -836,9 +804,6 @@ let compute_invariant_map_and_check : Callbacks.proc_callback_args -> invariant_ | 
			
		
	
		
		
			
				
					
					|  |  |  |     match exit_mem with |  |  |  |     match exit_mem with | 
			
		
	
		
		
			
				
					
					|  |  |  |     | Some exit_mem -> |  |  |  |     | Some exit_mem -> | 
			
		
	
		
		
			
				
					
					|  |  |  |         let post = (exit_mem, cond_set) in |  |  |  |         let post = (exit_mem, cond_set) in | 
			
		
	
		
		
			
				
					
					|  |  |  |         ( if Config.bo_debug >= 1 then |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |           let proc_name = Procdesc.get_proc_name proc_desc in |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |           print_summary proc_name post ) ; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |         Payload.update_summary post summary |  |  |  |         Payload.update_summary post summary | 
			
		
	
		
		
			
				
					
					|  |  |  |     | _ -> |  |  |  |     | _ -> | 
			
		
	
		
		
			
				
					
					|  |  |  |         summary |  |  |  |         summary | 
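Review bot: The rewritten fallback messages in the `Call` handling (`Call to %a has no inferbo payload`, `Unknown call to %a`) and the three global-constant initializer messages in the earlier hunk no longer print `Location.pp location`, and nothing in the new code says where the position now comes from. These are the points where the buffer-overrun analysis gives up on a callee or initializer and continues with `Dom.Mem.add_unknown_from` or `Dom.Mem.add_unknown`, so anyone triaging a missed or spurious overrun report needs to tie each message to a call site. Presumably `L.d_printfln` writes into the per-node debug session named by `pp_session_name`, which would supply that context, but this is not visible in the hunks. If so, I would record it once above the first fallback, e.g. `(* d_printfln output lands in the node's debug session, so the location is not repeated *)`, and otherwise keep `Location.pp location` in the format strings. As a smaller style point, the last `Call` branch still binds with `let () = L.d_printfln ... in` while every other rewritten branch sequences with `;`. The body of `exec_instr` spans several hunks and is only partly visible.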
			
		
	
	
		
		
			
				
					|  |  | 
 |