FastCexSolver.cpp

Go to the documentation of this file.

//===-- FastCexSolver.cpp -------------------------------------------------===//
//
//                     The KLEE Symbolic Virtual Machine
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//

#include "klee/Solver.h"

#include "klee/Constraints.h"
#include "klee/Expr.h"
#include "klee/IncompleteSolver.h"
#include "klee/util/ExprEvaluator.h"
#include "klee/util/ExprRangeEvaluator.h"
#include "klee/util/ExprVisitor.h"
// FIXME: Use APInt.
#include "klee/Internal/Support/IntEvaluation.h"

#include <iostream>
#include <sstream>
#include <cassert>
#include <map>
#include <vector>

using namespace klee;

/***/

//#define LOG
#ifdef LOG
std::ostream *theLog;
#endif

      // Hacker's Delight, pgs 58-63
static uint64_t minOR(uint64_t a, uint64_t b,
                      uint64_t c, uint64_t d) {
  uint64_t temp, m = ((uint64_t) 1)<<63;
  while (m) {
    if (~a & c & m) {
      temp = (a | m) & -m;
      if (temp <= b) { a = temp; break; }
    } else if (a & ~c & m) {
      temp = (c | m) & -m;
      if (temp <= d) { c = temp; break; }
    }
    m >>= 1;
  }
  
  return a | c;
}
static uint64_t maxOR(uint64_t a, uint64_t b,
                      uint64_t c, uint64_t d) {
  uint64_t temp, m = ((uint64_t) 1)<<63;

  while (m) {
    if (b & d & m) {
      temp = (b - m) | (m - 1);
      if (temp >= a) { b = temp; break; }
      temp = (d - m) | (m -1);
      if (temp >= c) { d = temp; break; }
    }
    m >>= 1;
  }

  return b | d;
}
static uint64_t minAND(uint64_t a, uint64_t b,
                       uint64_t c, uint64_t d) {
  uint64_t temp, m = ((uint64_t) 1)<<63;
  while (m) {
    if (~a & ~c & m) {
      temp = (a | m) & -m;
      if (temp <= b) { a = temp; break; }
      temp = (c | m) & -m;
      if (temp <= d) { c = temp; break; }
    }
    m >>= 1;
  }
  
  return a & c;
}
static uint64_t maxAND(uint64_t a, uint64_t b,
                       uint64_t c, uint64_t d) {
  uint64_t temp, m = ((uint64_t) 1)<<63;
  while (m) {
    if (b & ~d & m) {
      temp = (b & ~m) | (m - 1);
      if (temp >= a) { b = temp; break; }
    } else if (~b & d & m) {
      temp = (d & ~m) | (m - 1);
      if (temp >= c) { d = temp; break; }
    }
    m >>= 1;
  }
  
  return b & d;
}


class ValueRange {
private:
  uint64_t m_min, m_max;

public:
  ValueRange() : m_min(1),m_max(0) {}
  ValueRange(uint64_t value) : m_min(value), m_max(value) {}
  ValueRange(uint64_t _min, uint64_t _max) : m_min(_min), m_max(_max) {}
  ValueRange(const ValueRange &b) : m_min(b.m_min), m_max(b.m_max) {}

  void print(std::ostream &os) const {
    if (isFixed()) {
      os << m_min;
    } else {
      os << "[" << m_min << "," << m_max << "]";
    }
  }

  bool isEmpty() const { 
    return m_min>m_max; 
  }
  bool contains(uint64_t value) const { 
    return this->intersects(ValueRange(value)); 
  }
  bool intersects(const ValueRange &b) const { 
    return !this->set_intersection(b).isEmpty(); 
  }

  bool isFullRange(unsigned bits) {
    return m_min==0 && m_max==bits64::maxValueOfNBits(bits);
  }

  ValueRange set_intersection(const ValueRange &b) const {
    return ValueRange(std::max(m_min,b.m_min), std::min(m_max,b.m_max));
  }
  ValueRange set_union(const ValueRange &b) const {
    return ValueRange(std::min(m_min,b.m_min), std::max(m_max,b.m_max));
  }
  ValueRange set_difference(const ValueRange &b) const {
    if (b.isEmpty() || b.m_min > m_max || b.m_max < m_min) { // no intersection
      return *this;
    } else if (b.m_min <= m_min && b.m_max >= m_max) { // empty
      return ValueRange(1,0); 
    } else if (b.m_min <= m_min) { // one range out
      // cannot overflow because b.m_max < m_max
      return ValueRange(b.m_max+1, m_max);
    } else if (b.m_max >= m_max) {
      // cannot overflow because b.min > m_min
      return ValueRange(m_min, b.m_min-1);
    } else {
      // two ranges, take bottom
      return ValueRange(m_min, b.m_min-1);
    }
  }
  ValueRange binaryAnd(const ValueRange &b) const {
    // XXX
    assert(!isEmpty() && !b.isEmpty() && "XXX");
    if (isFixed() && b.isFixed()) {
      return ValueRange(m_min & b.m_min);
    } else {
      return ValueRange(minAND(m_min, m_max, b.m_min, b.m_max),
                        maxAND(m_min, m_max, b.m_min, b.m_max));
    }
  }
  ValueRange binaryAnd(uint64_t b) const { return binaryAnd(ValueRange(b)); }
  ValueRange binaryOr(ValueRange b) const {
    // XXX
    assert(!isEmpty() && !b.isEmpty() && "XXX");
    if (isFixed() && b.isFixed()) {
      return ValueRange(m_min | b.m_min);
    } else {
      return ValueRange(minOR(m_min, m_max, b.m_min, b.m_max),
                        maxOR(m_min, m_max, b.m_min, b.m_max));
    }
  }
  ValueRange binaryOr(uint64_t b) const { return binaryOr(ValueRange(b)); }
  ValueRange binaryXor(ValueRange b) const {
    if (isFixed() && b.isFixed()) {
      return ValueRange(m_min ^ b.m_min);
    } else {
      uint64_t t = m_max | b.m_max;
      while (!bits64::isPowerOfTwo(t))
        t = bits64::withoutRightmostBit(t);
      return ValueRange(0, (t<<1)-1);
    }
  }

  ValueRange binaryShiftLeft(unsigned bits) const {
    return ValueRange(m_min<<bits, m_max<<bits);
  }
  ValueRange binaryShiftRight(unsigned bits) const {
    return ValueRange(m_min>>bits, m_max>>bits);
  }

  ValueRange concat(const ValueRange &b, unsigned bits) const {
    return binaryShiftLeft(bits).binaryOr(b);
  }
  ValueRange extract(uint64_t lowBit, uint64_t maxBit) const {
    return binaryShiftRight(lowBit).binaryAnd(bits64::maxValueOfNBits(maxBit-lowBit));
  }

  ValueRange add(const ValueRange &b, unsigned width) const {
    return ValueRange(0, bits64::maxValueOfNBits(width));
  }
  ValueRange sub(const ValueRange &b, unsigned width) const {
    return ValueRange(0, bits64::maxValueOfNBits(width));
  }
  ValueRange mul(const ValueRange &b, unsigned width) const {
    return ValueRange(0, bits64::maxValueOfNBits(width));
  }
  ValueRange udiv(const ValueRange &b, unsigned width) const {
    return ValueRange(0, bits64::maxValueOfNBits(width));
  }
  ValueRange sdiv(const ValueRange &b, unsigned width) const {
    return ValueRange(0, bits64::maxValueOfNBits(width));
  }
  ValueRange urem(const ValueRange &b, unsigned width) const {
    return ValueRange(0, bits64::maxValueOfNBits(width));
  }
  ValueRange srem(const ValueRange &b, unsigned width) const {
    return ValueRange(0, bits64::maxValueOfNBits(width));
  }

  // use min() to get value if true (XXX should we add a method to
  // make code clearer?)
  bool isFixed() const { return m_min==m_max; }

  bool operator==(const ValueRange &b) const { return m_min==b.m_min && m_max==b.m_max; }
  bool operator!=(const ValueRange &b) const { return !(*this==b); }

  bool mustEqual(const uint64_t b) const { return m_min==m_max && m_min==b; }
  bool mayEqual(const uint64_t b) const { return m_min<=b && m_max>=b; }
  
  bool mustEqual(const ValueRange &b) const { return isFixed() && b.isFixed() && m_min==b.m_min; }
  bool mayEqual(const ValueRange &b) const { return this->intersects(b); }

  uint64_t min() const { 
    assert(!isEmpty() && "cannot get minimum of empty range");
    return m_min; 
  }

  uint64_t max() const { 
    assert(!isEmpty() && "cannot get maximum of empty range");
    return m_max; 
  }
  
  int64_t minSigned(unsigned bits) const {
    assert((m_min>>bits)==0 && (m_max>>bits)==0 &&
           "range is outside given number of bits");

    // if max allows sign bit to be set then it can be smallest value,
    // otherwise since the range is not empty, min cannot have a sign
    // bit

    uint64_t smallest = ((uint64_t) 1 << (bits-1));
    if (m_max >= smallest) {
      return ints::sext(smallest, 64, bits);
    } else {
      return m_min;
    }
  }

  int64_t maxSigned(unsigned bits) const {
    assert((m_min>>bits)==0 && (m_max>>bits)==0 &&
           "range is outside given number of bits");

    uint64_t smallest = ((uint64_t) 1 << (bits-1));

    // if max and min have sign bit then max is max, otherwise if only
    // max has sign bit then max is largest signed integer, otherwise
    // max is max

    if (m_min < smallest && m_max >= smallest) {
      return smallest - 1;
    } else {
      return ints::sext(m_max, 64, bits);
    }
  }
};

inline std::ostream &operator<<(std::ostream &os, const ValueRange &vr) {
  vr.print(os);
  return os;
}

// used to find all memory object ids and the maximum size of any
// object state that references them (for symbolic size).
class ObjectFinder : public ExprVisitor {
protected:
  Action visitRead(const ReadExpr &re) {
    addUpdates(re.updates);
    return Action::doChildren();
  }

  // XXX nice if this information was cached somewhere, used by
  // independence as well right?
  void addUpdates(const UpdateList &ul) {
    for (const UpdateNode *un=ul.head; un; un=un->next) {
      visit(un->index);
      visit(un->value);
    }

    addObject(*ul.root);
  }

public:
  void addObject(const Array& array) {
    unsigned id = array.id;
    std::map<unsigned,unsigned>::iterator it = results.find(id);

    // FIXME: Not 64-bit size clean.
    if (it == results.end()) {
      results[id] = (unsigned) array.size;      
    } else {
      it->second = std::max(it->second, (unsigned) array.size);
    }
  }

public:
  std::map<unsigned, unsigned> results;
};

// XXX waste of space, rather have ByteValueRange
typedef ValueRange CexValueData;

class CexObjectData {
public:
  unsigned size;
  CexValueData *values;

public:
  CexObjectData(unsigned _size) : size(_size), values(new CexValueData[size]) {
    for (unsigned i=0; i<size; i++)
      values[i] = ValueRange(0, 255);
  }
};

class CexRangeEvaluator : public ExprRangeEvaluator<ValueRange> {
public:
  std::map<unsigned, CexObjectData> &objectValues;
  CexRangeEvaluator(std::map<unsigned, CexObjectData> &_objectValues) 
    : objectValues(_objectValues) {}

  ValueRange getInitialReadRange(const Array &os, ValueRange index) {
    return ValueRange(0, 255);
  }
};

class CexConstifier : public ExprEvaluator {
protected:
  ref<Expr> getInitialValue(const Array& array, unsigned index) {
    std::map<unsigned, CexObjectData>::iterator it = 
      objectValues.find(array.id);
    assert(it != objectValues.end() && "missing object?");
    CexObjectData &cod = it->second;
    
    if (index >= cod.size) {
      return ReadExpr::create(UpdateList(&array, true, 0), 
                              ConstantExpr::alloc(index, Expr::Int32));
    } else {
      CexValueData &cvd = cod.values[index];
      assert(cvd.min() == cvd.max() && "value is not fixed");
      return ConstantExpr::alloc(cvd.min(), Expr::Int8);
    }
  }

public:
  std::map<unsigned, CexObjectData> &objectValues;
  CexConstifier(std::map<unsigned, CexObjectData> &_objectValues) 
    : objectValues(_objectValues) {}
};

class CexData {
public:
  std::map<unsigned, CexObjectData> objectValues;

public:
  CexData(ObjectFinder &finder) {
    for (std::map<unsigned,unsigned>::iterator it = finder.results.begin(),
           ie = finder.results.end(); it != ie; ++it) {
      objectValues.insert(std::pair<unsigned, CexObjectData>(it->first, 
                                                             CexObjectData(it->second)));
    }
  }  
  ~CexData() {
    for (std::map<unsigned, CexObjectData>::iterator it = objectValues.begin(),
           ie = objectValues.end(); it != ie; ++it)
      delete[] it->second.values;
  }

  void forceExprToValue(ref<Expr> e, uint64_t value) {
    forceExprToRange(e, CexValueData(value,value));
  }

  void forceExprToRange(ref<Expr> e, CexValueData range) {
#ifdef LOG
    //    *theLog << "force: " << e << " to " << range << "\n";
#endif
    switch (e->getKind()) {
    case Expr::Constant: {
      // rather a pity if the constant isn't in the range, but how can
      // we use this?
      break;
    }

      // Special

    case Expr::NotOptimized: break;

    case Expr::Read: {
      ReadExpr *re = cast<ReadExpr>(e);
      const Array *array = re->updates.root;
      CexObjectData &cod = objectValues.find(array->id)->second;

      // XXX we need to respect the version here and object state chain

      if (ConstantExpr *CE = dyn_cast<ConstantExpr>(re->index)) {
        if (CE->getConstantValue() < array->size) {
          CexValueData &cvd = cod.values[CE->getConstantValue()];
          CexValueData tmp = cvd.set_intersection(range);
        
          if (tmp.isEmpty()) {
            if (range.isFixed()) // ranges conflict, if new one is fixed use that
              cvd = range;
          } else {
            cvd = tmp;
          }
        }
      } else {
        // XXX        fatal("XXX not implemented");
      }
      
      break;
    }

    case Expr::Select: {
      SelectExpr *se = cast<SelectExpr>(e);
      ValueRange cond = evalRangeForExpr(se->cond);
      if (cond.isFixed()) {
        if (cond.min()) {
          forceExprToRange(se->trueExpr, range);
        } else {
          forceExprToRange(se->falseExpr, range);
        }
      } else {
        // XXX imprecise... we have a choice here. One method is to
        // simply force both sides into the specified range (since the
        // condition is indetermined). This may lose in two ways, the
        // first is that the condition chosen may limit further
        // restrict the range in each of the children, however this is
        // less of a problem as the range will be a superset of legal
        // values. The other is if the condition ends up being forced
        // by some other constraints, then we needlessly forced one
        // side into the given range.
        //
        // The other method would be to force the condition to one
        // side and force that side into the given range. This loses
        // when we force the condition to an unsatisfiable value
        // (either because the condition cannot be that, or the
        // resulting range given that condition is not in the required
        // range).
        // 
        // Currently we just force both into the range. A hybrid would
        // be to evaluate the ranges for each of the children... if
        // one of the ranges happens to already be a subset of the
        // required range then it may be preferable to force the
        // condition to that side.
        forceExprToRange(se->trueExpr, range);
        forceExprToRange(se->falseExpr, range);
      }
      break;
    }

      // XXX imprecise... the problem here is that extracting bits
      // loses information about what bits are connected across the
      // bytes. if a value can be 1 or 256 then either the top or
      // lower byte is 0, but just extraction loses this information
      // and will allow neither,one,or both to be 1.
      //
      // we can protect against this in a limited fashion by writing
      // the extraction a byte at a time, then checking the evaluated
      // value, isolating for that range, and continuing.
    case Expr::Concat: {
      ConcatExpr *ce = cast<ConcatExpr>(e);
      if (ce->is2ByteConcat()) {
        forceExprToRange(ce->getKid(0), range.extract( 8, 16));
        forceExprToRange(ce->getKid(1), range.extract( 0,  8));
      }
      else if (ce->is4ByteConcat()) {
        forceExprToRange(ce->getKid(0), range.extract(24, 32));
        forceExprToRange(ce->getKid(1), range.extract(16, 24));
        forceExprToRange(ce->getKid(2), range.extract( 8, 16));
        forceExprToRange(ce->getKid(3), range.extract( 0,  8));
      }
      else if (ce->is8ByteConcat()) {
        forceExprToRange(ce->getKid(0), range.extract(56, 64));
        forceExprToRange(ce->getKid(1), range.extract(48, 56));
        forceExprToRange(ce->getKid(2), range.extract(40, 48));
        forceExprToRange(ce->getKid(3), range.extract(32, 40));
        forceExprToRange(ce->getKid(4), range.extract(24, 32));
        forceExprToRange(ce->getKid(5), range.extract(16, 24));
        forceExprToRange(ce->getKid(6), range.extract( 8, 16));
        forceExprToRange(ce->getKid(7), range.extract( 0,  8));
      }
      
      break;
    }

    case Expr::Extract: {
      // XXX
      break;
    }

      // Casting

      // Simply intersect the output range with the range of all
      // possible outputs and then truncate to the desired number of
      // bits. 

      // For ZExt this simplifies to just intersection with the
      // possible input range.
    case Expr::ZExt: {
      CastExpr *ce = cast<CastExpr>(e);
      unsigned inBits = ce->src->getWidth();
      ValueRange input = range.set_intersection(ValueRange(0, bits64::maxValueOfNBits(inBits)));
      forceExprToRange(ce->src, input);
      break;
    }
      // For SExt instead of doing the intersection we just take the output range
      // minus the impossible values. This is nicer since it is a single interval.
    case Expr::SExt: {
      CastExpr *ce = cast<CastExpr>(e);
      unsigned inBits = ce->src->getWidth();
      unsigned outBits = ce->width;
      ValueRange output = range.set_difference(ValueRange(1<<(inBits-1),
                                                          (bits64::maxValueOfNBits(outBits)-
                                                           bits64::maxValueOfNBits(inBits-1)-1)));
      ValueRange input = output.binaryAnd(bits64::maxValueOfNBits(inBits));
      forceExprToRange(ce->src, input);
      break;
    }

      // Binary

    case Expr::And: {
      BinaryExpr *be = cast<BinaryExpr>(e);
      if (be->getWidth()==Expr::Bool) {
        if (range.isFixed()) {
          ValueRange left = evalRangeForExpr(be->left);
          ValueRange right = evalRangeForExpr(be->right);

          if (!range.min()) {
            if (left.mustEqual(0) || right.mustEqual(0)) {
              // all is well
            } else {
              // XXX heuristic, which order

              forceExprToValue(be->left, 0);
              left = evalRangeForExpr(be->left);

              // see if that worked
              if (!left.mustEqual(1))
                forceExprToValue(be->right, 0);
            }
          } else {
            if (!left.mustEqual(1)) forceExprToValue(be->left, 1);
            if (!right.mustEqual(1)) forceExprToValue(be->right, 1);
          }
        }
      } else {
        // XXX
      }
      break;
    }

    case Expr::Or: {
      BinaryExpr *be = cast<BinaryExpr>(e);
      if (be->getWidth()==Expr::Bool) {
        if (range.isFixed()) {
          ValueRange left = evalRangeForExpr(be->left);
          ValueRange right = evalRangeForExpr(be->right);

          if (range.min()) {
            if (left.mustEqual(1) || right.mustEqual(1)) {
              // all is well
            } else {
              // XXX heuristic, which order?
              
              // force left to value we need
              forceExprToValue(be->left, 1);
              left = evalRangeForExpr(be->left);

              // see if that worked
              if (!left.mustEqual(1))
                forceExprToValue(be->right, 1);
            }
          } else {
            if (!left.mustEqual(0)) forceExprToValue(be->left, 0);
            if (!right.mustEqual(0)) forceExprToValue(be->right, 0);
          }
        }
      } else {
        // XXX
      }
      break;
    }

    case Expr::Xor: break;

      // Comparison

    case Expr::Eq: {
      BinaryExpr *be = cast<BinaryExpr>(e);
      if (range.isFixed()) {
        if (ConstantExpr *CE = dyn_cast<ConstantExpr>(be->left)) {
          uint64_t value = CE->getConstantValue();
          if (range.min()) {
            forceExprToValue(be->right, value);
          } else {
            if (value==0) {
              forceExprToRange(be->right, 
                               CexValueData(1,
                                            ints::sext(1, 
                                                       be->right->getWidth(),
                                                       1)));
            } else {
              // XXX heuristic / lossy, could be better to pick larger range?
              forceExprToRange(be->right, CexValueData(0, value-1));
            }
          }
        } else {
          // XXX what now
        }
      }
      break;
    }

    case Expr::Ult: {
      BinaryExpr *be = cast<BinaryExpr>(e);
      
      // XXX heuristic / lossy, what order if conflict

      if (range.isFixed()) {
        ValueRange left = evalRangeForExpr(be->left);
        ValueRange right = evalRangeForExpr(be->right);

        uint64_t maxValue = bits64::maxValueOfNBits(be->right->getWidth());

        // XXX should deal with overflow (can lead to empty range)

        if (left.isFixed()) {
          if (range.min()) {
            forceExprToRange(be->right, CexValueData(left.min()+1, maxValue));
          } else {
            forceExprToRange(be->right, CexValueData(0, left.min()));
          }
        } else if (right.isFixed()) {
          if (range.min()) {
            forceExprToRange(be->left, CexValueData(0, right.min()-1));
          } else {
            forceExprToRange(be->left, CexValueData(right.min(), maxValue));
          }
        } else {
          // XXX ???
        }
      }
      break;
    }
    case Expr::Ule: {
      BinaryExpr *be = cast<BinaryExpr>(e);
      
      // XXX heuristic / lossy, what order if conflict

      if (range.isFixed()) {
        ValueRange left = evalRangeForExpr(be->left);
        ValueRange right = evalRangeForExpr(be->right);

        // XXX should deal with overflow (can lead to empty range)

        uint64_t maxValue = bits64::maxValueOfNBits(be->right->getWidth());
        if (left.isFixed()) {
          if (range.min()) {
            forceExprToRange(be->right, CexValueData(left.min(), maxValue));
          } else {
            forceExprToRange(be->right, CexValueData(0, left.min()-1));
          }
        } else if (right.isFixed()) {
          if (range.min()) {
            forceExprToRange(be->left, CexValueData(0, right.min()));
          } else {
            forceExprToRange(be->left, CexValueData(right.min()+1, maxValue));
          }
        } else {
          // XXX ???
        }
      }
      break;
    }

    case Expr::Ne:
    case Expr::Ugt:
    case Expr::Uge:
    case Expr::Sgt:
    case Expr::Sge:
      assert(0 && "invalid expressions (uncanonicalized");

    default:
      break;
    }
  }

  void fixValues() {
    for (std::map<unsigned, CexObjectData>::iterator it = objectValues.begin(),
           ie = objectValues.end(); it != ie; ++it) {
      CexObjectData &cod = it->second;
      for (unsigned i=0; i<cod.size; i++) {
        CexValueData &cvd = cod.values[i];
        cvd = CexValueData(cvd.min() + (cvd.max()-cvd.min())/2);
      }
    }
  }

  ValueRange evalRangeForExpr(ref<Expr> &e) {
    CexRangeEvaluator ce(objectValues);
    return ce.evaluate(e);
  }

  bool exprMustBeValue(ref<Expr> e, uint64_t value) {
    CexConstifier cc(objectValues);
    ref<Expr> v = cc.visit(e);
    if (ConstantExpr *CE = dyn_cast<ConstantExpr>(v))
      return CE->getConstantValue() == value;
    return false;
  }
};

/* *** */


class FastCexSolver : public IncompleteSolver {
public:
  FastCexSolver();
  ~FastCexSolver();

  IncompleteSolver::PartialValidity computeTruth(const Query&);  
  bool computeValue(const Query&, ref<Expr> &result);
  bool computeInitialValues(const Query&,
                            const std::vector<const Array*> &objects,
                            std::vector< std::vector<unsigned char> > &values,
                            bool &hasSolution);
};

FastCexSolver::FastCexSolver() { }

FastCexSolver::~FastCexSolver() { }

IncompleteSolver::PartialValidity 
FastCexSolver::computeTruth(const Query& query) {
#ifdef LOG
  std::ostringstream log;
  theLog = &log;
  //  log << "------ start FastCexSolver::mustBeTrue ------\n";
  log << "-- QUERY --\n";
  unsigned i=0;
  for (ConstraintManager::const_iterator it = query.constraints.begin(), 
         ie = query.constraints.end(); it != ie; ++it)
    log << "    C" << i++ << ": " << *it << ", \n";
  log << "    Q : " << query.expr << "\n";
#endif

  ObjectFinder of;
  for (ConstraintManager::const_iterator it = query.constraints.begin(), 
         ie = query.constraints.end(); it != ie; ++it)
    of.visit(*it);
  of.visit(query.expr);
  CexData cd(of);

  for (ConstraintManager::const_iterator it = query.constraints.begin(), 
         ie = query.constraints.end(); it != ie; ++it)
    cd.forceExprToValue(*it, 1);
  cd.forceExprToValue(query.expr, 0);

#ifdef LOG
  log << " -- ranges --\n";
  for (std::map<unsigned, CexObjectData>::iterator it = objectValues.begin(),
         ie = objectValues.end(); it != ie; ++it) {
    CexObjectData &cod = it->second;
    log << "    arr" << it->first << "[" << cod.size << "] = [";
    unsigned continueFrom=cod.size-1;
    for (; continueFrom>0; continueFrom--)
      if (cod.values[continueFrom-1]!=cod.values[continueFrom])
        break;
    for (unsigned i=0; i<cod.size; i++) {
      log << cod.values[i];
      if (i<cod.size-1) {
        log << ", ";
        if (i==continueFrom) {
          log << "...";
          break;
        }
      }
    }
    log << "]\n";
  }
#endif

  // this could be done lazily of course
  cd.fixValues();

#ifdef LOG
  log << " -- fixed values --\n";
  for (std::map<unsigned, CexObjectData>::iterator it = objectValues.begin(),
         ie = objectValues.end(); it != ie; ++it) {
    CexObjectData &cod = it->second;
    log << "    arr" << it->first << "[" << cod.size << "] = [";
    unsigned continueFrom=cod.size-1;
    for (; continueFrom>0; continueFrom--)
      if (cod.values[continueFrom-1]!=cod.values[continueFrom])
        break;
    for (unsigned i=0; i<cod.size; i++) {
      log << cod.values[i];
      if (i<cod.size-1) {
        log << ", ";
        if (i==continueFrom) {
          log << "...";
          break;
        }
      }
    }
    log << "]\n";
  }
#endif

  // check the result

  bool isGood = true;

  if (!cd.exprMustBeValue(query.expr, 0)) isGood = false;

  for (ConstraintManager::const_iterator it = query.constraints.begin(), 
         ie = query.constraints.end(); it != ie; ++it)
    if (!cd.exprMustBeValue(*it, 1)) 
      isGood = false;

#ifdef LOG
  log << " -- evaluating result --\n";
  
  i=0;
  for (ConstraintManager::const_iterator it = query.constraints.begin(), 
         ie = query.constraints.end(); it != ie; ++it) {
    bool res = cd.exprMustBeValue(*it, 1);
    log << "    C" << i++ << ": " << (res?"true":"false") << "\n";
  }
  log << "    Q : " 
      << (cd.exprMustBeValue(query.expr, 0)?"true":"false") << "\n";
  
  log << "\n\n";
#endif

  return isGood ? IncompleteSolver::MayBeFalse : IncompleteSolver::None;
}

bool FastCexSolver::computeValue(const Query& query, ref<Expr> &result) {
  ObjectFinder of;
  for (ConstraintManager::const_iterator it = query.constraints.begin(), 
         ie = query.constraints.end(); it != ie; ++it)
    of.visit(*it);
  of.visit(query.expr);
  CexData cd(of);

  for (ConstraintManager::const_iterator it = query.constraints.begin(), 
         ie = query.constraints.end(); it != ie; ++it)
    cd.forceExprToValue(*it, 1);

  // this could be done lazily of course
  cd.fixValues();

  // check the result
  for (ConstraintManager::const_iterator it = query.constraints.begin(), 
         ie = query.constraints.end(); it != ie; ++it)
    if (!cd.exprMustBeValue(*it, 1))
      return false;

  CexConstifier cc(cd.objectValues);
  ref<Expr> value = cc.visit(query.expr);

  if (isa<ConstantExpr>(value)) {
    result = value;
    return true;
  } else {
    return false;
  }
}

bool
FastCexSolver::computeInitialValues(const Query& query,
                                    const std::vector<const Array*>
                                      &objects,
                                    std::vector< std::vector<unsigned char> >
                                      &values,
                                    bool &hasSolution) {
  ObjectFinder of;
  for (ConstraintManager::const_iterator it = query.constraints.begin(), 
         ie = query.constraints.end(); it != ie; ++it)
    of.visit(*it);
  of.visit(query.expr);
  for (unsigned i = 0; i != objects.size(); ++i)
    of.addObject(*objects[i]);
  CexData cd(of);

  for (ConstraintManager::const_iterator it = query.constraints.begin(), 
         ie = query.constraints.end(); it != ie; ++it)
    cd.forceExprToValue(*it, 1);
  cd.forceExprToValue(query.expr, 0);

  // this could be done lazily of course
  cd.fixValues();

  // check the result
  for (ConstraintManager::const_iterator it = query.constraints.begin(), 
         ie = query.constraints.end(); it != ie; ++it)
    if (!cd.exprMustBeValue(*it, 1))
      return false;
  if (!cd.exprMustBeValue(query.expr, 0))
    return false;

  hasSolution = true;
  CexConstifier cc(cd.objectValues);
  for (unsigned i = 0; i != objects.size(); ++i) {
    const Array *array = objects[i];
    std::vector<unsigned char> data;
    data.reserve(array->size);

    for (unsigned i=0; i < array->size; i++) {
      ref<Expr> value =
        cc.visit(ReadExpr::create(UpdateList(array, true, 0),
                                  ConstantExpr::create(i,
                                                       kMachinePointerType)));
      
      if (ConstantExpr *CE = dyn_cast<ConstantExpr>(value)) {
        data.push_back(CE->getConstantValue());
      } else {
        // FIXME: When does this happen?
        return false;
      }
    }

    values.push_back(data);
  }

  return true;
}


Solver *klee::createFastCexSolver(Solver *s) {
  return new Solver(new StagedSolverImpl(new FastCexSolver(), s));
}