From 1f8b5048862947fcfb89e8997b647a07fd774896 Mon Sep 17 00:00:00 2001 From: reuk Date: Mon, 24 Apr 2017 17:47:45 +0100 Subject: [PATCH 01/89] Make assignment_typet into an enum class --- src/goto-symex/build_goto_trace.cpp | 2 ++ src/goto-symex/symex_target.h | 7 ++++++- src/goto-symex/symex_target_equation.cpp | 18 ++++++++++++------ 3 files changed, 20 insertions(+), 7 deletions(-) diff --git a/src/goto-symex/build_goto_trace.cpp b/src/goto-symex/build_goto_trace.cpp index 0612b04e2d..7e938118ba 100644 --- a/src/goto-symex/build_goto_trace.cpp +++ b/src/goto-symex/build_goto_trace.cpp @@ -224,7 +224,9 @@ void build_goto_trace( symex_target_equationt::assignment_typet::PHI || SSA_step.assignment_type== symex_target_equationt::assignment_typet::GUARD)) + { continue; + } goto_tracet::stepst &steps=time_map[current_time]; steps.push_back(goto_trace_stept()); diff --git a/src/goto-symex/symex_target.h b/src/goto-symex/symex_target.h index 2aae977f71..eafea6d7e3 100644 --- a/src/goto-symex/symex_target.h +++ b/src/goto-symex/symex_target.h @@ -53,7 +53,12 @@ public: enum class assignment_typet { - STATE, HIDDEN, VISIBLE_ACTUAL_PARAMETER, HIDDEN_ACTUAL_PARAMETER, PHI, GUARD + STATE, + HIDDEN, + VISIBLE_ACTUAL_PARAMETER, + HIDDEN_ACTUAL_PARAMETER, + PHI, + GUARD, }; // read event diff --git a/src/goto-symex/symex_target_equation.cpp b/src/goto-symex/symex_target_equation.cpp index 5b5206aff7..0b7bc15a95 100644 --- a/src/goto-symex/symex_target_equation.cpp +++ b/src/goto-symex/symex_target_equation.cpp @@ -1002,17 +1002,23 @@ void symex_target_equationt::SSA_stept::output( switch(assignment_type) { case assignment_typet::HIDDEN: - out << "HIDDEN"; break; + out << "HIDDEN"; + break; case assignment_typet::STATE: - out << "STATE"; break; + out << "STATE"; + break; case assignment_typet::VISIBLE_ACTUAL_PARAMETER: - out << "VISIBLE_ACTUAL_PARAMETER"; break; + out << "VISIBLE_ACTUAL_PARAMETER"; + break; case assignment_typet::HIDDEN_ACTUAL_PARAMETER: - out << "HIDDEN_ACTUAL_PARAMETER"; break; + out << "HIDDEN_ACTUAL_PARAMETER"; + break; case assignment_typet::PHI: - out << "PHI"; break; + out << "PHI"; + break; case assignment_typet::GUARD: - out << "GUARD"; break; + out << "GUARD"; + break; default: { } From 5b42bc77f84fcd44b4ef079bbe8b4a77f4c225c3 Mon Sep 17 00:00:00 2001 From: reuk Date: Mon, 24 Apr 2017 17:51:55 +0100 Subject: [PATCH 02/89] Initialise variables in symex_target_equation.h --- src/goto-symex/symex_target_equation.h | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/goto-symex/symex_target_equation.h b/src/goto-symex/symex_target_equation.h index e7f0274aac..aac51725ad 100644 --- a/src/goto-symex/symex_target_equation.h +++ b/src/goto-symex/symex_target_equation.h @@ -204,7 +204,7 @@ public: bool is_atomic_end() const { return type==goto_trace_stept::typet::ATOMIC_END; } // we may choose to hide - bool hidden; + bool hidden=false; exprt guard; literalt guard_literal; @@ -213,7 +213,7 @@ public: ssa_exprt ssa_lhs; exprt ssa_full_lhs, original_full_lhs; exprt ssa_rhs; - assignment_typet assignment_type; + assignment_typet assignment_type=assignment_typet::STATE; // for ASSUME/ASSERT/GOTO/CONSTRAINT exprt cond_expr; @@ -222,7 +222,7 @@ public: // for INPUT/OUTPUT irep_idt format_string, io_id; - bool formatted; + bool formatted=false; std::list io_args; std::list converted_io_args; @@ -230,10 +230,10 @@ public: irep_idt identifier; // for SHARED_READ/SHARED_WRITE and ATOMIC_BEGIN/ATOMIC_END - unsigned atomic_section_id; + unsigned atomic_section_id=0; // for slicing - bool ignore; + bool ignore=false; SSA_stept(): type(goto_trace_stept::typet::NONE), From 0edafabfc6f4d0c0deb995eeb85ba19d93290576 Mon Sep 17 00:00:00 2001 From: Owen Jones Date: Thu, 4 May 2017 09:54:44 +0100 Subject: [PATCH 03/89] Document $, !, @ and # in symbol names Document what symbol name suffices beginning with $, !, @ and # mean, at the points in the code where they are created. --- src/util/fresh_symbol.cpp | 1 + src/util/ssa_expr.cpp | 5 +++++ 2 files changed, 6 insertions(+) diff --git a/src/util/fresh_symbol.cpp b/src/util/fresh_symbol.cpp index fbe6f09b87..1f1549a96d 100644 --- a/src/util/fresh_symbol.cpp +++ b/src/util/fresh_symbol.cpp @@ -41,6 +41,7 @@ symbolt &get_fresh_aux_symbol( do { + // Distinguish local variables with the same name new_symbol.base_name= basename_prefix+ "$"+ diff --git a/src/util/ssa_expr.cpp b/src/util/ssa_expr.cpp index c75d7d2ed9..7348cc4848 100644 --- a/src/util/ssa_expr.cpp +++ b/src/util/ssa_expr.cpp @@ -61,18 +61,23 @@ static void build_ssa_identifier_rec( if(!l0.empty()) { + // Distinguish different threads of execution os << '!' << l0; l1_object_os << '!' << l0; } if(!l1.empty()) { + // Distinguish different calls to the same function (~stack frame) os << '@' << l1; l1_object_os << '@' << l1; } if(!l2.empty()) + { + // Distinguish SSA steps for the same variable os << '#' << l2; + } } else assert(false); From 14fc0239f0076d1129c063d64748144b8e90e7fb Mon Sep 17 00:00:00 2001 From: thk123 Date: Wed, 17 May 2017 15:32:56 +0100 Subject: [PATCH 04/89] Added test demonstrating bug with irrelevant lost of const Though this example program appears to lose const-ness, since it is a primitive it is a copy so it is irrelevant. --- .../main.c | 34 +++++++++++++++++++ .../test.desc | 18 ++++++++++ 2 files changed, 52 insertions(+) create mode 100644 regression/goto-analyzer/precise-const-fp-supurious-const-loss/main.c create mode 100644 regression/goto-analyzer/precise-const-fp-supurious-const-loss/test.desc diff --git a/regression/goto-analyzer/precise-const-fp-supurious-const-loss/main.c b/regression/goto-analyzer/precise-const-fp-supurious-const-loss/main.c new file mode 100644 index 0000000000..a3380fa387 --- /dev/null +++ b/regression/goto-analyzer/precise-const-fp-supurious-const-loss/main.c @@ -0,0 +1,34 @@ +#include + +void f1 (void) { printf("%i\n", 1); } +void f2 (void) { printf("%i\n", 2); } +void f3 (void) { printf("%i\n", 3); } +void f4 (void) { printf("%i\n", 4); } +void f5 (void) { printf("%i\n", 5); } +void f6 (void) { printf("%i\n", 6); } +void f7 (void) { printf("%i\n", 7); } +void f8 (void) { printf("%i\n", 8); } +void f9 (void) { printf("%i\n", 9); } + +typedef void(*void_fp)(void); + +// There is a basic check that excludes all functions that aren't used anywhere +// This ensures that check can't work in this example +const void_fp fp_all[] = {f1, f2 ,f3, f4, f5 ,f6, f7, f8, f9}; + +const int const_number=4; + +void func() +{ + // Here we 'lose' const-ness except it is a copy so we shouldn't care + int non_const_number=const_number; + const void_fp fp = f2; + fp(); +} + +int main() +{ + func(); + + return 0; +} diff --git a/regression/goto-analyzer/precise-const-fp-supurious-const-loss/test.desc b/regression/goto-analyzer/precise-const-fp-supurious-const-loss/test.desc new file mode 100644 index 0000000000..0cd9c5edc7 --- /dev/null +++ b/regression/goto-analyzer/precise-const-fp-supurious-const-loss/test.desc @@ -0,0 +1,18 @@ +KNOWNBUG +main.c +--show-goto-functions --verbosity 10 --pointer-check +^Removing function pointers and virtual functions$ +^\s*f2\(\); +-- +^warning: ignoring +^\s*\d+:\s*f1\(\); +^\s*\d+:\s*f3\(\); +^\s*\d+:\s*f4\(\); +^\s*\d+:\s*f5\(\); +^\s*\d+:\s*f6\(\); +^\s*\d+:\s*f7\(\); +^\s*\d+:\s*f8\(\); +^\s*\d+:\s*f9\(\); +-- +Though this example program appears to lose const-ness, since it is a primitive +it is a copy so it is irrelevant. From 4b83a912824754e36d796c8f65aced80d01cf0ba Mon Sep 17 00:00:00 2001 From: thk123 Date: Thu, 18 May 2017 18:21:43 +0100 Subject: [PATCH 05/89] Added unit tests for the does_remove_const class --- src/analyses/does_remove_const.h | 3 + unit/Makefile | 1 + .../does_expr_lose_const.cpp | 396 ++++++++++++++++++ 3 files changed, 400 insertions(+) create mode 100644 unit/analyses/does_remove_const/does_expr_lose_const.cpp diff --git a/src/analyses/does_remove_const.h b/src/analyses/does_remove_const.h index f0cf2a2579..c70878b66d 100644 --- a/src/analyses/does_remove_const.h +++ b/src/analyses/does_remove_const.h @@ -12,6 +12,7 @@ #define CPROVER_ANALYSES_DOES_REMOVE_CONST_H #include +#include class goto_programt; @@ -29,6 +30,8 @@ private: const goto_programt &goto_program; const namespacet &ns; + + friend class does_remove_const_testt; }; #endif // CPROVER_ANALYSES_DOES_REMOVE_CONST_H diff --git a/unit/Makefile b/unit/Makefile index a1de1539ee..e9004bd618 100644 --- a/unit/Makefile +++ b/unit/Makefile @@ -1,6 +1,7 @@ .PHONY: all cprover.dir test SRC = unit_tests.cpp \ + analyses/does_remove_const/does_expr_lose_const.cpp \ catch_example.cpp \ # Empty last line diff --git a/unit/analyses/does_remove_const/does_expr_lose_const.cpp b/unit/analyses/does_remove_const/does_expr_lose_const.cpp new file mode 100644 index 0000000000..d90b6b2038 --- /dev/null +++ b/unit/analyses/does_remove_const/does_expr_lose_const.cpp @@ -0,0 +1,396 @@ +/*******************************************************************\ + + Module: Does Remove Const Unit Tests + + Author: DiffBlue Limited. All rights reserved. + +\*******************************************************************/ + +/// \file +/// Does Remove Const Unit Tests + +#include +#include +#include +#include +#include +#include +#include + +// This class provides access to private members and functions of +// does_remove_const +class does_remove_const_testt +{ +public: + does_remove_const_testt(does_remove_constt does_remove_const): + does_remove_const(does_remove_const) + {} + bool does_expr_lose_const(const exprt &expr) const + { + return does_remove_const.does_expr_lose_const(expr); + } + +private: + does_remove_constt does_remove_const; + +}; + +SCENARIO("does_expr_lose_const", + "[core][analyses][does_remove_const][does_expr_remove_const]") +{ + symbol_tablet symbol_table; + namespacet ns(symbol_table); + goto_programt program; + does_remove_constt does_remove_const(program, ns); + does_remove_const_testt does_remove_const_test(does_remove_const); + + GIVEN("Const and non-const primitive and pointers to primitives") + { + c_qualifierst const_qualifier; + const_qualifier.is_constant=true; + + // const int + typet const_primitive_type=integer_typet(); + const_qualifier.write(const_primitive_type); + + // int + typet non_const_primitive_type=integer_typet(); + + // pointer (can be reassigned) + // to int (value can be changed) + // int * + typet pointer_to_int_type=pointer_typet(non_const_primitive_type); + + // const pointer (can't be reassigned) + // to int (value can be changed) + // int * const + typet const_pointer_to_int_type=pointer_typet(non_const_primitive_type); + const_qualifier.write(const_pointer_to_int_type); + + // pointer (can be reassigned) + // to const int (value can't be changed) + // const int * + typet pointer_to_const_int_type=pointer_typet(const_primitive_type); + + // constant pointer (can't be reassigned) + // to const int (value can't be changed) + // const int * const + typet const_pointer_to_const_int_type=pointer_typet(const_primitive_type); + const_qualifier.write(const_pointer_to_const_int_type); + + // const int const_primitive; + symbol_exprt const_primitive_symbol( + "const_primitive", const_primitive_type); + + // int non_const_primitive; + symbol_exprt non_const_primitive_symbol( + "non_const_primitive", non_const_primitive_type); + + symbol_exprt pointer_to_int_symbol( + "pointer_to_int", pointer_to_int_type); + symbol_exprt const_pointer_to_int_symbol( + "const_pointer_to_int", const_pointer_to_int_type); + symbol_exprt pointer_to_const_int_symbol( + "pointer_to_const_int", pointer_to_const_int_type); + symbol_exprt const_pointer_to_const_int_symbol( + "const_pointer_to_const_int", const_pointer_to_const_int_type); + + WHEN("Casting from int to int") + { + typecast_exprt cast_expr( + non_const_primitive_symbol, non_const_primitive_type); + + THEN("The cast_expr does not lose const-correctness") + { + bool result=does_remove_const_test.does_expr_lose_const(cast_expr); + REQUIRE_FALSE(result); + } + } + WHEN("Casting from const int to int") + { + typecast_exprt cast_expr( + non_const_primitive_symbol, const_primitive_type); + + THEN("The cast_expr does not lose const-correctness") + { + bool result=does_remove_const_test.does_expr_lose_const(cast_expr); + REQUIRE_FALSE(result); + } + } + WHEN("Casting from int to const int") + { + typecast_exprt cast_expr( + non_const_primitive_symbol, const_primitive_type); + + THEN("The cast_expr does not lose const-correctness") + { + bool result=does_remove_const_test.does_expr_lose_const(cast_expr); + REQUIRE_FALSE(result); + } + } + WHEN("Casting from const int to const int") + { + typecast_exprt cast_expr( + const_primitive_symbol, const_primitive_type); + + THEN("The cast_expr does not lose const-correctness") + { + bool result=does_remove_const_test.does_expr_lose_const(cast_expr); + REQUIRE_FALSE(result); + } + } + WHEN("Casting from int * to int *") + { + typecast_exprt cast_expr( + pointer_to_int_symbol, pointer_to_int_type); + THEN("The cast_expr does not lose const-correctness") + { + bool result=does_remove_const_test.does_expr_lose_const(cast_expr); + REQUIRE_FALSE(result); + } + } + WHEN("Casting from const int * to int *") + { + typecast_exprt cast_expr( + pointer_to_const_int_symbol, pointer_to_int_type); + THEN("The cast_expr does lose const-correctness") + { + bool result=does_remove_const_test.does_expr_lose_const(cast_expr); + REQUIRE(result); + } + } + WHEN("Casting from int * b const to int *") + { + typecast_exprt cast_expr( + const_pointer_to_int_symbol, pointer_to_int_type); + THEN("The cast_expr does not lose const-correctness") + { + bool result=does_remove_const_test.does_expr_lose_const(cast_expr); + REQUIRE_FALSE(result); + } + } + WHEN("Casting from const int * b const to int *") + { + typecast_exprt cast_expr( + const_pointer_to_const_int_symbol, pointer_to_int_type); + THEN("The cast_expr does lose const-correctness") + { + bool result=does_remove_const_test.does_expr_lose_const(cast_expr); + REQUIRE(result); + } + } + WHEN("Casting from int * to const int *") + { + typecast_exprt cast_expr( + pointer_to_int_symbol, pointer_to_const_int_type); + THEN("The cast_expr does not lose const-correctness") + { + bool result=does_remove_const_test.does_expr_lose_const(cast_expr); + REQUIRE_FALSE(result); + } + } + WHEN("Casting from const int * to const int *") + { + typecast_exprt cast_expr( + pointer_to_const_int_symbol, pointer_to_const_int_type); + THEN("The cast_expr does not lose const-correctness") + { + bool result=does_remove_const_test.does_expr_lose_const(cast_expr); + REQUIRE_FALSE(result); + } + } + WHEN("Casting from int * b const to const int *") + { + typecast_exprt cast_expr( + const_pointer_to_int_symbol, pointer_to_const_int_type); + THEN("The cast_expr does not lose const-correctness") + { + bool result=does_remove_const_test.does_expr_lose_const(cast_expr); + REQUIRE_FALSE(result); + } + } + WHEN("Casting from const int * b const to const int *") + { + typecast_exprt cast_expr( + const_pointer_to_const_int_symbol, pointer_to_const_int_type); + THEN("The cast_expr does not lose const-correctness") + { + bool result=does_remove_const_test.does_expr_lose_const(cast_expr); + REQUIRE_FALSE(result); + } + } + WHEN("Casting from int * to int * const") + { + typecast_exprt cast_expr( + pointer_to_int_symbol, const_pointer_to_int_type); + THEN("The cast_expr does not lose const-correctness") + { + bool result=does_remove_const_test.does_expr_lose_const(cast_expr); + REQUIRE_FALSE(result); + } + } + WHEN("Casting from const int * to int * const") + { + typecast_exprt cast_expr( + pointer_to_const_int_symbol, const_pointer_to_int_type); + THEN("The cast_expr does lose const-correctness") + { + bool result=does_remove_const_test.does_expr_lose_const(cast_expr); + REQUIRE(result); + } + } + WHEN("Casting from int * b const to int * const") + { + typecast_exprt cast_expr( + const_pointer_to_int_symbol, const_pointer_to_int_type); + THEN("The cast_expr does not lose const-correctness") + { + bool result=does_remove_const_test.does_expr_lose_const(cast_expr); + REQUIRE_FALSE(result); + } + } + WHEN("Casting from const int * b const to int * const") + { + typecast_exprt cast_expr( + const_pointer_to_const_int_symbol, const_pointer_to_int_type); + THEN("The cast_expr does not lose const-correctness") + { + bool result=does_remove_const_test.does_expr_lose_const(cast_expr); + REQUIRE(result); + } + } + WHEN("Casting from int * to const int * const") + { + typecast_exprt cast_expr( + pointer_to_int_symbol, const_pointer_to_const_int_type); + THEN("The cast_expr does not lose const-correctness") + { + bool result=does_remove_const_test.does_expr_lose_const(cast_expr); + REQUIRE_FALSE(result); + } + } + WHEN("Casting from const int * to const int * const") + { + typecast_exprt cast_expr( + pointer_to_const_int_symbol, const_pointer_to_const_int_type); + THEN("The cast_expr does not lose const-correctness") + { + bool result=does_remove_const_test.does_expr_lose_const(cast_expr); + REQUIRE_FALSE(result); + } + } + WHEN("Casting from int * b const to const int * const") + { + typecast_exprt cast_expr( + const_pointer_to_int_symbol, const_pointer_to_const_int_type); + THEN("The cast_expr does not lose const-correctness") + { + bool result=does_remove_const_test.does_expr_lose_const(cast_expr); + REQUIRE_FALSE(result); + } + } + WHEN("Casting from const int * b const to const int * const") + { + typecast_exprt cast_expr( + const_pointer_to_const_int_symbol, const_pointer_to_const_int_type); + THEN("The cast_expr does not lose const-correctness") + { + bool result=does_remove_const_test.does_expr_lose_const(cast_expr); + REQUIRE_FALSE(result); + } + } + + WHEN("Casting from &(int) to int *") + { + typecast_exprt cast_expr( + address_of_exprt(non_const_primitive_symbol), pointer_to_int_type); + + THEN("The typecast_expr does not lose const-correctness") + { + bool result=does_remove_const_test.does_expr_lose_const(cast_expr); + REQUIRE_FALSE(result); + } + } + WHEN("Casting from &(const int) to int *") + { + typecast_exprt cast_expr( + address_of_exprt(const_primitive_symbol), pointer_to_int_type); + + THEN("The cast_expr does lose const-correctness") + { + bool result=does_remove_const_test.does_expr_lose_const(cast_expr); + REQUIRE(result); + } + } + WHEN("Casting from &(int) to const int *") + { + typecast_exprt cast_expr( + address_of_exprt(non_const_primitive_symbol), + pointer_to_const_int_type); + + THEN("The cast_expr does not lose const-correctness") + { + bool result=does_remove_const_test.does_expr_lose_const(cast_expr); + REQUIRE_FALSE(result); + } + } + WHEN("Casting from &(const int) to const int *") + { + typecast_exprt cast_expr( + address_of_exprt(const_primitive_symbol), pointer_to_const_int_type); + + THEN("The cast_expr does not lose const-correctness") + { + bool result=does_remove_const_test.does_expr_lose_const(cast_expr); + REQUIRE_FALSE(result); + } + } + WHEN("Casting from &(int) to int * const") + { + typecast_exprt cast_expr( + address_of_exprt(non_const_primitive_symbol), + const_pointer_to_int_type); + + THEN("The cast_expr does not lose const-correctness") + { + bool result=does_remove_const_test.does_expr_lose_const(cast_expr); + REQUIRE_FALSE(result); + } + } + WHEN("Casting from &(const int) to int * const") + { + typecast_exprt cast_expr( + address_of_exprt(const_primitive_symbol), const_pointer_to_int_type); + + THEN("The cast_expr does lose const-correctness") + { + bool result=does_remove_const_test.does_expr_lose_const(cast_expr); + REQUIRE(result); + } + } + WHEN("Casting from &(int) to const int * const") + { + typecast_exprt cast_expr( + address_of_exprt(non_const_primitive_symbol), + const_pointer_to_const_int_type); + + THEN("The cast_expr does not lose const-correctness") + { + bool result=does_remove_const_test.does_expr_lose_const(cast_expr); + REQUIRE_FALSE(result); + } + } + WHEN("Casting from &(const int) to const int * const") + { + typecast_exprt cast_expr( + address_of_exprt(const_primitive_symbol), + const_pointer_to_const_int_type); + + THEN("The cast_expr does not lose const-correctness") + { + bool result=does_remove_const_test.does_expr_lose_const(cast_expr); + REQUIRE_FALSE(result); + } + } + } +} From fcd4e42e563666c45640ee47c0d03b72366650f4 Mon Sep 17 00:00:00 2001 From: thk123 Date: Mon, 12 Jun 2017 15:17:47 +0100 Subject: [PATCH 06/89] Corrected test for whether a program loses const-correctness Previously the check for loss of const-correctness was to look at each assignment and check whether in either the left/right hand sides of the assignment or somewhere in the right hand side expression tree the following condition was met: Any type or any of its subtypes lost const-ness This condition is now replaced by a more subtle condition: if they are both pointers then: there subtypes should not directly lose const-ness if the subtype is a pointer, we recursively apply this check on the subtypes if they are not pointers: we don't care about const-qualification loss at this level since it is a copy This fixes diffblue/cbmc-toyota#127 where an `const int` being assigned to an `int` would trigger disabling the function pointer removal. Pulled out the private access class into a util file Updating New implementation of is_type_at_least_as_const_as only checks one depth so we don't need to pass in naked pointers. Updated the comment to reflect methods new purpose. Added unit tests to document exactly what the method is testing Added tests to demonstrate the does_type_preserve_const_correctness This is useful documentation of how it is different to the is_type_at_least_as_const_as. Added more examples of spurious const loss --- .../main.c | 7 + .../test.desc | 2 +- src/analyses/does_remove_const.cpp | 95 +++++-- src/analyses/does_remove_const.h | 5 +- unit/Makefile | 2 + .../does_expr_lose_const.cpp | 22 +- .../does_remove_const_util.h | 49 ++++ .../does_type_preserve_const_correctness.cpp | 265 ++++++++++++++++++ .../is_type_at_least_as_const_as.cpp | 265 ++++++++++++++++++ 9 files changed, 662 insertions(+), 50 deletions(-) create mode 100644 unit/analyses/does_remove_const/does_remove_const_util.h create mode 100644 unit/analyses/does_remove_const/does_type_preserve_const_correctness.cpp create mode 100644 unit/analyses/does_remove_const/is_type_at_least_as_const_as.cpp diff --git a/regression/goto-analyzer/precise-const-fp-supurious-const-loss/main.c b/regression/goto-analyzer/precise-const-fp-supurious-const-loss/main.c index a3380fa387..4041b2f6aa 100644 --- a/regression/goto-analyzer/precise-const-fp-supurious-const-loss/main.c +++ b/regression/goto-analyzer/precise-const-fp-supurious-const-loss/main.c @@ -23,6 +23,13 @@ void func() // Here we 'lose' const-ness except it is a copy so we shouldn't care int non_const_number=const_number; const void_fp fp = f2; + + + // Here also we lose const-ness except it is a copy of pointer so we + // shouldn't care + const void_fp * const p2fp = &f2; + const void_fp * p2fp_non_const = &p2fp; + fp(); } diff --git a/regression/goto-analyzer/precise-const-fp-supurious-const-loss/test.desc b/regression/goto-analyzer/precise-const-fp-supurious-const-loss/test.desc index 0cd9c5edc7..7673499998 100644 --- a/regression/goto-analyzer/precise-const-fp-supurious-const-loss/test.desc +++ b/regression/goto-analyzer/precise-const-fp-supurious-const-loss/test.desc @@ -1,4 +1,4 @@ -KNOWNBUG +CORE main.c --show-goto-functions --verbosity 10 --pointer-check ^Removing function pointers and virtual functions$ diff --git a/src/analyses/does_remove_const.cpp b/src/analyses/does_remove_const.cpp index 90d82f99e1..1afe39f231 100644 --- a/src/analyses/does_remove_const.cpp +++ b/src/analyses/does_remove_const.cpp @@ -47,7 +47,7 @@ bool does_remove_constt::operator()() const // Compare the types recursively for a point where the rhs is more // const that the lhs - if(!is_type_at_least_as_const_as(&lhs_type, &rhs_type)) + if(!does_type_preserve_const_correctness(&lhs_type, &rhs_type)) { return true; } @@ -78,7 +78,7 @@ bool does_remove_constt::does_expr_lose_const(const exprt &expr) const if(base_type_eq(op_type, root_type, ns)) { // Is this child more const-qualified than the root - if(!is_type_at_least_as_const_as(&root_type, &op_type)) + if(!does_type_preserve_const_correctness(&root_type, &op_type)) { return true; } @@ -93,37 +93,78 @@ bool does_remove_constt::does_expr_lose_const(const exprt &expr) const return false; } -/// A recursive check to check the type_more_const is at least as const as type -/// compare. +/// A recursive check that handles when assigning a source value to a target, is +/// the assignment a loss of const-correctness. /// -/// type_more_const | type_compare || result -/// ---------------------------------------- -/// const int * | const int * -> true -/// int * | const int * -> false -/// const int * | int * -> true -/// int * | int * const -> false +/// For primitive types, it always returns true since these are copied +/// +/// For pointers we requires that if in the source it's value couldn't +/// be modified, then it still can't be modified in the target +/// +/// target_type | source_type || result +/// ---------------------------------------- +/// const int | int -> true +/// int | const int -> true +/// const int | const int -> true +/// int | int -> true +/// +/// int * | int * const -> true +/// int * | const int * -> false +/// const int * | int * -> true +/// const int * | const int * -> true +/// int * const | int * -> true +/// +/// See unit/analyses/does_type_preserve_const_correcness for +/// comprehensive list +/// \param target_type: the resulting type +/// \param source_type: the starting type +/// \return Returns true if a value of type source_type could be assigned into a +/// a value of target_type without losing const-correctness +bool does_remove_constt::does_type_preserve_const_correctness( + const typet *target_type, const typet *source_type) const +{ + while(target_type->id()==ID_pointer) + { + bool direct_subtypes_at_least_as_const= + is_type_at_least_as_const_as( + target_type->subtype(), source_type->subtype()); + // We have a pointer to something, but the thing it is pointing to can't be + // modified normally, but can through this pointer + if(!direct_subtypes_at_least_as_const) + return false; + // Check the subtypes if they are pointers + target_type=&target_type->subtype(); + source_type=&source_type->subtype(); + } + return true; +} + +/// A simple check to check the type_more_const is at least as const as type +/// compare. This only checks the exact type, use +/// `is_pointer_at_least_as_constant_as` for dealing with nested types +/// +/// type_more_const | type_compare || result +/// ---------------------------------------- +/// const int | int -> true +/// int | const int -> false +/// const int | const int -> true +/// int | int -> true +/// int * | int * const -> false +/// int * | const int * -> true +/// const int * | int * -> true +/// int * const | int * -> true +/// +/// See unit/analyses/is_type_as_least_as_const_as for comprehensive list /// \param type_more_const: the type we are expecting to be at least as const /// qualified /// \param type_compare: the type we are comparing against which may be less /// const qualified /// \return Returns true if type_more_const is at least as const as type_compare bool does_remove_constt::is_type_at_least_as_const_as( - const typet *type_more_const, const typet *type_compare) const + const typet &type_more_const, const typet &type_compare) const { - while(type_compare->id()!=ID_nil && type_more_const->id()!=ID_nil) - { - const c_qualifierst rhs_qualifiers(*type_compare); - const c_qualifierst lhs_qualifiers(*type_more_const); - if(rhs_qualifiers.is_constant && !lhs_qualifiers.is_constant) - { - return false; - } - - type_compare=&type_compare->subtype(); - type_more_const=&type_more_const->subtype(); - } - - // Both the types should have the same number of subtypes - assert(type_compare->id()==ID_nil && type_more_const->id()==ID_nil); - return true; + const c_qualifierst type_compare_qualifiers(type_compare); + const c_qualifierst more_constant_qualifiers(type_more_const); + return !type_compare_qualifiers.is_constant || + more_constant_qualifiers.is_constant; } diff --git a/src/analyses/does_remove_const.h b/src/analyses/does_remove_const.h index c70878b66d..a15ec0f771 100644 --- a/src/analyses/does_remove_const.h +++ b/src/analyses/does_remove_const.h @@ -26,7 +26,10 @@ private: bool does_expr_lose_const(const exprt &expr) const; bool is_type_at_least_as_const_as( - const typet *type_more_const, const typet *type_compare) const; + const typet &type_more_const, const typet &type_compare) const; + + bool does_type_preserve_const_correctness( + const typet *target_type, const typet *source_type) const; const goto_programt &goto_program; const namespacet &ns; diff --git a/unit/Makefile b/unit/Makefile index e9004bd618..0afe791678 100644 --- a/unit/Makefile +++ b/unit/Makefile @@ -2,6 +2,8 @@ SRC = unit_tests.cpp \ analyses/does_remove_const/does_expr_lose_const.cpp \ + analyses/does_remove_const/does_type_preserve_const_correctness.cpp \ + analyses/does_remove_const/is_type_at_least_as_const_as.cpp \ catch_example.cpp \ # Empty last line diff --git a/unit/analyses/does_remove_const/does_expr_lose_const.cpp b/unit/analyses/does_remove_const/does_expr_lose_const.cpp index d90b6b2038..80e223c93b 100644 --- a/unit/analyses/does_remove_const/does_expr_lose_const.cpp +++ b/unit/analyses/does_remove_const/does_expr_lose_const.cpp @@ -16,24 +16,8 @@ #include #include #include +#include -// This class provides access to private members and functions of -// does_remove_const -class does_remove_const_testt -{ -public: - does_remove_const_testt(does_remove_constt does_remove_const): - does_remove_const(does_remove_const) - {} - bool does_expr_lose_const(const exprt &expr) const - { - return does_remove_const.does_expr_lose_const(expr); - } - -private: - does_remove_constt does_remove_const; - -}; SCENARIO("does_expr_lose_const", "[core][analyses][does_remove_const][does_expr_remove_const]") @@ -78,14 +62,10 @@ SCENARIO("does_expr_lose_const", typet const_pointer_to_const_int_type=pointer_typet(const_primitive_type); const_qualifier.write(const_pointer_to_const_int_type); - // const int const_primitive; symbol_exprt const_primitive_symbol( "const_primitive", const_primitive_type); - - // int non_const_primitive; symbol_exprt non_const_primitive_symbol( "non_const_primitive", non_const_primitive_type); - symbol_exprt pointer_to_int_symbol( "pointer_to_int", pointer_to_int_type); symbol_exprt const_pointer_to_int_symbol( diff --git a/unit/analyses/does_remove_const/does_remove_const_util.h b/unit/analyses/does_remove_const/does_remove_const_util.h new file mode 100644 index 0000000000..e1a459b6c1 --- /dev/null +++ b/unit/analyses/does_remove_const/does_remove_const_util.h @@ -0,0 +1,49 @@ +/*******************************************************************\ + + Module: Does Remove Const Unit Tests + + Author: DiffBlue Limited. All rights reserved. + +\*******************************************************************/ + +/// \file +/// Does Remove Const Unit Tests + +#ifndef CPROVER__ANALYSES_DOES_REMOVE_CONST_DOES_REMOVE_CONST_UTIL_H +#define CPROVER__ANALYSES_DOES_REMOVE_CONST_DOES_REMOVE_CONST_UTIL_H + +#include + +// This class provides access to private members and functions of +// does_remove_const +class does_remove_const_testt +{ +public: + explicit does_remove_const_testt(does_remove_constt does_remove_const): + does_remove_const(does_remove_const) + {} + + bool does_expr_lose_const(const exprt &expr) const + { + return does_remove_const.does_expr_lose_const(expr); + } + + bool is_type_at_least_as_const_as( + const typet &type_more_const, const typet &type_compare) const + { + return does_remove_const.is_type_at_least_as_const_as( + type_more_const, type_compare); + } + + bool does_type_preserve_const_correctness( + const typet *target_type, const typet *source_type) const + { + return does_remove_const.does_type_preserve_const_correctness( + target_type, source_type); + } + +private: + does_remove_constt does_remove_const; +}; + +#endif // CPROVER__ANALYSES_DOES_REMOVE_CONST_DOES_REMOVE_CONST_UTIL_H diff --git a/unit/analyses/does_remove_const/does_type_preserve_const_correctness.cpp b/unit/analyses/does_remove_const/does_type_preserve_const_correctness.cpp new file mode 100644 index 0000000000..0f10081c49 --- /dev/null +++ b/unit/analyses/does_remove_const/does_type_preserve_const_correctness.cpp @@ -0,0 +1,265 @@ +/*******************************************************************\ + + Module: Does Remove Const Unit Tests + + Author: DiffBlue Limited. All rights reserved. + +\*******************************************************************/ + +/// \file +/// Does Remove Const Unit Tests + +#include + +#include +#include +#include +#include +#include +#include + +SCENARIO("does_type_preserve_const_correctness", + "[core][analyses][does_remove_const][does_type_preserve_const_correctness]") +{ + symbol_tablet symbol_table; + namespacet ns(symbol_table); + goto_programt program; + does_remove_constt does_remove_const(program, ns); + does_remove_const_testt does_remove_const_test(does_remove_const); + + GIVEN("Const and non-const primitive and pointers to primitives") + { + c_qualifierst const_qualifier; + const_qualifier.is_constant=true; + + // const int + typet const_primitive_type=integer_typet(); + const_qualifier.write(const_primitive_type); + + // int + typet non_const_primitive_type=integer_typet(); + + // pointer (can be reassigned) + // to int (value can be changed) + // int * + typet pointer_to_int_type=pointer_typet(non_const_primitive_type); + + // const pointer (can't be reassigned) + // to int (value can be changed) + // int * const + typet const_pointer_to_int_type=pointer_typet(non_const_primitive_type); + const_qualifier.write(const_pointer_to_int_type); + + // pointer (can be reassigned) + // to const int (value can't be changed) + // const int * + typet pointer_to_const_int_type=pointer_typet(const_primitive_type); + + // constant pointer (can't be reassigned) + // to const int (value can't be changed) + // const int * const + typet const_pointer_to_const_int_type=pointer_typet(const_primitive_type); + const_qualifier.write(const_pointer_to_const_int_type); + + WHEN("Comparing int to int") + { + THEN("The target type preserves the const-correctness of the source type") + { + bool result= + does_remove_const_test.does_type_preserve_const_correctness( + &non_const_primitive_type, &non_const_primitive_type); + REQUIRE(result); + } + } + WHEN("Comparing const int to int") + { + THEN("The target type preserves the const-correctness of the source type") + { + bool result= + does_remove_const_test.does_type_preserve_const_correctness( + &const_primitive_type, &non_const_primitive_type); + REQUIRE(result); + } + } + WHEN("Comparing int to const int") + { + THEN("The target type preserves the const-correctness of the source type") + { + bool result= + does_remove_const_test.does_type_preserve_const_correctness( + &non_const_primitive_type, &const_primitive_type); + REQUIRE(result); + } + } + WHEN("Comparing const int to const int") + { + THEN("The target type preserves the const-correctness of the source type") + { + bool result= + does_remove_const_test.does_type_preserve_const_correctness( + &const_primitive_type, &const_primitive_type); + REQUIRE(result); + } + } + WHEN("Comparing int * to int *") + { + THEN("The target type preserves the const-correctness of the source type") + { + bool result= + does_remove_const_test.does_type_preserve_const_correctness( + &pointer_to_int_type, &pointer_to_int_type); + REQUIRE(result); + } + } + WHEN("Comparing const int * to int *") + { + THEN("The target type preserves the const-correctness of the source type") + { + bool result= + does_remove_const_test.does_type_preserve_const_correctness( + &pointer_to_const_int_type, &pointer_to_int_type); + REQUIRE(result); + } + } + WHEN("Comparing int * b const to int *") + { + THEN("The target type preserves the const-correctness of the source type") + { + bool result= + does_remove_const_test.does_type_preserve_const_correctness( + &const_pointer_to_int_type, &pointer_to_int_type); + REQUIRE(result); + } + } + WHEN("Comparing const int * b const to int *") + { + THEN("The target type preserves the const-correctness of the source type") + { + bool result= + does_remove_const_test.does_type_preserve_const_correctness( + &const_pointer_to_const_int_type, &pointer_to_int_type); + REQUIRE(result); + } + } + WHEN("Comparing int * to const int *") + { + THEN("The target type loses const-correctness of the source type") + { + bool result= + does_remove_const_test.does_type_preserve_const_correctness( + &pointer_to_int_type, &pointer_to_const_int_type); + REQUIRE_FALSE(result); + } + } + WHEN("Comparing const int * to const int *") + { + THEN("The target type preserves the const-correctness of the source type") + { + bool result= + does_remove_const_test.does_type_preserve_const_correctness( + &pointer_to_const_int_type, &pointer_to_const_int_type); + REQUIRE(result); + } + } + WHEN("Comparing int * b const to const int *") + { + THEN("The target type loses const-correctness of the source type") + { + bool result= + does_remove_const_test.does_type_preserve_const_correctness( + &const_pointer_to_int_type, &pointer_to_const_int_type); + REQUIRE_FALSE(result); + } + } + WHEN("Comparing const int * b const to const int *") + { + THEN("The target type preserves the const-correctness of the source type") + { + bool result= + does_remove_const_test.does_type_preserve_const_correctness( + &const_pointer_to_const_int_type, &pointer_to_const_int_type); + REQUIRE(result); + } + } + WHEN("Comparing int * to int * const") + { + THEN("The target type preserves the const-correctness of the source type") + { + bool result= + does_remove_const_test.does_type_preserve_const_correctness( + &pointer_to_int_type, &const_pointer_to_int_type); + REQUIRE(result); + } + } + WHEN("Comparing const int * to int * const") + { + THEN("The target type preserves the const-correctness of the source type") + { + bool result= + does_remove_const_test.does_type_preserve_const_correctness( + &pointer_to_const_int_type, &const_pointer_to_int_type); + REQUIRE(result); + } + } + WHEN("Comparing int * b const to int * const") + { + THEN("The target type preserves the const-correctness of the source type") + { + bool result= + does_remove_const_test.does_type_preserve_const_correctness( + &const_pointer_to_int_type, &const_pointer_to_int_type); + REQUIRE(result); + } + } + WHEN("Comparing const int * b const to int * const") + { + THEN("The target type preserves the const-correctness of the source type") + { + bool result= + does_remove_const_test.does_type_preserve_const_correctness( + &const_pointer_to_const_int_type, &const_pointer_to_int_type); + REQUIRE(result); + } + } + WHEN("Comparing int * to const int * const") + { + THEN("The target type loses const-correctness of the source type") + { + bool result= + does_remove_const_test.does_type_preserve_const_correctness( + &pointer_to_int_type, &const_pointer_to_const_int_type); + REQUIRE_FALSE(result); + } + } + WHEN("Comparing const int * to const int * const") + { + THEN("The target type preserves the const-correctness of the source type") + { + bool result= + does_remove_const_test.does_type_preserve_const_correctness( + &pointer_to_const_int_type, &const_pointer_to_const_int_type); + REQUIRE(result); + } + } + WHEN("Comparing int * b const to const int * const") + { + THEN("The target type loses const-correctness of the source type") + { + bool result= + does_remove_const_test.does_type_preserve_const_correctness( + &const_pointer_to_int_type, &const_pointer_to_const_int_type); + REQUIRE_FALSE(result); + } + } + WHEN("Comparing const int * b const to const int * const") + { + THEN("The target type preserves the const-correctness of the source type") + { + bool result= + does_remove_const_test.does_type_preserve_const_correctness( + &const_pointer_to_const_int_type, &const_pointer_to_const_int_type); + REQUIRE(result); + } + } + } +} diff --git a/unit/analyses/does_remove_const/is_type_at_least_as_const_as.cpp b/unit/analyses/does_remove_const/is_type_at_least_as_const_as.cpp new file mode 100644 index 0000000000..cfb2c64753 --- /dev/null +++ b/unit/analyses/does_remove_const/is_type_at_least_as_const_as.cpp @@ -0,0 +1,265 @@ +/*******************************************************************\ + + Module: Does Remove Const Unit Tests + + Author: DiffBlue Limited. All rights reserved. + +\*******************************************************************/ + +/// \file +/// Does Remove Const Unit Tests + +#include + +#include +#include +#include +#include +#include +#include + +SCENARIO("is_type_at_least_as_const", + "[core][analyses][does_remove_const][is_type_at_least_as_const]") +{ + symbol_tablet symbol_table; + namespacet ns(symbol_table); + goto_programt program; + does_remove_constt does_remove_const(program, ns); + does_remove_const_testt does_remove_const_test(does_remove_const); + + GIVEN("Const and non-const primitive and pointers to primitives") + { + c_qualifierst const_qualifier; + const_qualifier.is_constant=true; + + // const int + typet const_primitive_type=integer_typet(); + const_qualifier.write(const_primitive_type); + + // int + typet non_const_primitive_type=integer_typet(); + + // pointer (can be reassigned) + // to int (value can be changed) + // int * + typet pointer_to_int_type=pointer_typet(non_const_primitive_type); + + // const pointer (can't be reassigned) + // to int (value can be changed) + // int * const + typet const_pointer_to_int_type=pointer_typet(non_const_primitive_type); + const_qualifier.write(const_pointer_to_int_type); + + // pointer (can be reassigned) + // to const int (value can't be changed) + // const int * + typet pointer_to_const_int_type=pointer_typet(const_primitive_type); + + // constant pointer (can't be reassigned) + // to const int (value can't be changed) + // const int * const + typet const_pointer_to_const_int_type=pointer_typet(const_primitive_type); + const_qualifier.write(const_pointer_to_const_int_type); + + WHEN("Comparing int to int") + { + THEN("The first type is at least as const as the second type") + { + bool result= + does_remove_const_test.is_type_at_least_as_const_as( + non_const_primitive_type, non_const_primitive_type); + REQUIRE(result); + } + } + WHEN("Comparing const int to int") + { + THEN("The first type is at least as const as the second type") + { + bool result= + does_remove_const_test.is_type_at_least_as_const_as( + const_primitive_type, non_const_primitive_type); + REQUIRE(result); + } + } + WHEN("Comparing int to const int") + { + THEN("The first type is less const than the second type") + { + bool result= + does_remove_const_test.is_type_at_least_as_const_as( + non_const_primitive_type, const_primitive_type); + REQUIRE_FALSE(result); + } + } + WHEN("Comparing const int to const int") + { + THEN("The first type is at least as const as the second type") + { + bool result= + does_remove_const_test.is_type_at_least_as_const_as( + const_primitive_type, const_primitive_type); + REQUIRE(result); + } + } + WHEN("Comparing int * to int *") + { + THEN("The first type is at least as const as the second type") + { + bool result= + does_remove_const_test.is_type_at_least_as_const_as( + pointer_to_int_type, pointer_to_int_type); + REQUIRE(result); + } + } + WHEN("Comparing const int * to int *") + { + THEN("The first type is at least as const as the second type") + { + bool result= + does_remove_const_test.is_type_at_least_as_const_as( + pointer_to_const_int_type, pointer_to_int_type); + REQUIRE(result); + } + } + WHEN("Comparing int * b const to int *") + { + THEN("The first type is at least as const as the second type") + { + bool result= + does_remove_const_test.is_type_at_least_as_const_as( + const_pointer_to_int_type, pointer_to_int_type); + REQUIRE(result); + } + } + WHEN("Comparing const int * b const to int *") + { + THEN("The first type is at least as const as the second type") + { + bool result= + does_remove_const_test.is_type_at_least_as_const_as( + const_pointer_to_const_int_type, pointer_to_int_type); + REQUIRE(result); + } + } + WHEN("Comparing int * to const int *") + { + THEN("The first type is at least as const as the second type") + { + bool result= + does_remove_const_test.is_type_at_least_as_const_as( + pointer_to_int_type, pointer_to_const_int_type); + REQUIRE(result); + } + } + WHEN("Comparing const int * to const int *") + { + THEN("The first type is at least as const as the second type") + { + bool result= + does_remove_const_test.is_type_at_least_as_const_as( + pointer_to_const_int_type, pointer_to_const_int_type); + REQUIRE(result); + } + } + WHEN("Comparing int * b const to const int *") + { + THEN("The first type is at least as const as the second type") + { + bool result= + does_remove_const_test.is_type_at_least_as_const_as( + const_pointer_to_int_type, pointer_to_const_int_type); + REQUIRE(result); + } + } + WHEN("Comparing const int * b const to const int *") + { + THEN("The first type is at least as const as the second type") + { + bool result= + does_remove_const_test.is_type_at_least_as_const_as( + const_pointer_to_const_int_type, pointer_to_const_int_type); + REQUIRE(result); + } + } + WHEN("Comparing int * to int * const") + { + THEN("The first type is less const as the second type") + { + bool result= + does_remove_const_test.is_type_at_least_as_const_as( + pointer_to_int_type, const_pointer_to_int_type); + REQUIRE_FALSE(result); + } + } + WHEN("Comparing const int * to int * const") + { + THEN("The first type is less const as the second type") + { + bool result= + does_remove_const_test.is_type_at_least_as_const_as( + pointer_to_const_int_type, const_pointer_to_int_type); + REQUIRE_FALSE(result); + } + } + WHEN("Comparing int * b const to int * const") + { + THEN("The first type is at least as const as the second type") + { + bool result= + does_remove_const_test.is_type_at_least_as_const_as( + const_pointer_to_int_type, const_pointer_to_int_type); + REQUIRE(result); + } + } + WHEN("Comparing const int * b const to int * const") + { + THEN("The first type is at least as const as the second type") + { + bool result= + does_remove_const_test.is_type_at_least_as_const_as( + const_pointer_to_const_int_type, const_pointer_to_int_type); + REQUIRE(result); + } + } + WHEN("Comparing int * to const int * const") + { + THEN("The first type is less const than the second type") + { + bool result= + does_remove_const_test.is_type_at_least_as_const_as( + pointer_to_int_type, const_pointer_to_const_int_type); + REQUIRE_FALSE(result); + } + } + WHEN("Comparing const int * to const int * const") + { + THEN("The first type is less const than the second type") + { + bool result= + does_remove_const_test.is_type_at_least_as_const_as( + pointer_to_const_int_type, const_pointer_to_const_int_type); + REQUIRE_FALSE(result); + } + } + WHEN("Comparing int * b const to const int * const") + { + THEN("The first type is at least as const as the second type") + { + bool result= + does_remove_const_test.is_type_at_least_as_const_as( + const_pointer_to_int_type, const_pointer_to_const_int_type); + REQUIRE(result); + } + } + WHEN("Comparing const int * b const to const int * const") + { + THEN("The first type is at least as const as the second type") + { + bool result= + does_remove_const_test.is_type_at_least_as_const_as( + const_pointer_to_const_int_type, const_pointer_to_const_int_type); + REQUIRE(result); + } + } + } +} From 31e7991c40673828b09692374891d0d6c8ba8339 Mon Sep 17 00:00:00 2001 From: reuk Date: Thu, 22 Jun 2017 17:03:07 +0100 Subject: [PATCH 07/89] Fixup coding standard spelling and formatting --- CODING_STANDARD | 205 ----------------------------------------- CODING_STANDARD.md | 223 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 223 insertions(+), 205 deletions(-) delete mode 100644 CODING_STANDARD create mode 100644 CODING_STANDARD.md diff --git a/CODING_STANDARD b/CODING_STANDARD deleted file mode 100644 index 0a86fd71b2..0000000000 --- a/CODING_STANDARD +++ /dev/null @@ -1,205 +0,0 @@ -Here a few minimalistic coding rules for the CPROVER source tree. - -Whitespaces: -- Use 2 spaces indent, no tabs. -- No lines wider than 80 chars. - - When line is wider, do the following: - - Subsequent lines should be indented two more than the initial line - - Break after = if it is part of an assignment - - For chained calls, prefer immediately before . - - For other operators (e.g. &&, +) prefer immediately after the operator - - For brackets, break after the bracket - - In the case of function calls, put each argument on a separate line if - they do not fit after one line break - - Nested function calls do not need to be broken up into separate lines even - if the outer function call does. -- If a method is bigger than 50 lines, break it into parts. -- Put matching { } into the same column. -- No spaces around operators (=, +, ==, ...) - Exceptions: Spaces around &&, || and << -- Space after comma (parameter lists, argument lists, ...) -- Space after colon inside 'for' -- For pointers and references, the */& should be attached to the variable name - as oppposed to the tyep. E.g. for a pointer to an int the syntax would be: - `int *x;` -- No whitespaces at end of line -- No whitespaces in blank lines -- Put argument lists on next line (and ident 2 spaces) if too long -- Put parameters on separate lines (and ident 2 spaces) if too long -- No whitespaces around colon for inheritance, - put inherited into separate lines in case of multiple inheritance -- The initializer list follows the constructor without a whitespace - around the colon. Break line after the colon if required and indent members. -- if(...), else, for(...), do, and while(...) are always in a separate line -- Break expressions in if, for, while if necessary and align them - with the first character following the opening parenthesis -- Use {} instead of ; for the empty statement -- Single line blocks without { } are allowed, - but put braces around multi-line blocks -- Use blank lines to visually separate logically cohesive code blocks - within a function -- Have a newline at the end of a file - -Comments: -- Do not use /* */ except for file and function comment blocks -- Each source and header file must start with a comment block - stating the Module name and Author [will be changed when we roll out doxygen] -- Each function in the source file (not the header) is preceded - by a function comment header consisting of a comment block stating - Name, Inputs, Outputs and Purpose [will be changed when we roll - out doxygen] - - It should look like this: - ``` - /*******************************************************************\ - - Function: class_namet::function_name - - Inputs: - arg_name - Description of its purpose - long_arg_name - Descriptions should be indented - to match the first line of the - description - - Outputs: A description of what the function returns - - Purpose: A description of what the function does. - Again, indentation with the line above - - \*******************************************************************/ - ``` -- An empty line should appear between the bottom of the function comment header - and the function. -- Put comments on a separate line -- Use comments to explain the non-obvious -- Use #if 0 for commenting out source code -- Use #ifdef DEBUG to guard debug code - -Naming: -- Identifiers may use the characters [a-z0-9_] and should start with a - lower-case letter (parameters in constructors may start with _). -- Use american spelling for identifiers. -- Separate basic words by _ -- Avoid abbreviations (e.g. prefer symbol_table to of st). -- User defined type identifiers have to be terminated by 't'. Moreover, - before 't' may not be '_'. -- Do not use 'm_' prefix nor '_' suffix for names of attributes of structured - types. -- Enum values may use the characters [A-Z0-9_] - -Header files: -- Avoid unnecessary #includes, especially in header files -- Prefer forward declaration to includes, but forward declare at the top - of the header file rather than in line -- Guard headers with #ifndef CPROVER_DIRECTORIES_FILE_H, etc - -Make files -- Each source file should appear on a separate line -- The final source file should still be followed by a trailing slash -- The last line should be a comment to not be deleted, i.e. should look like: -``` -SRC = source_file.cpp \ - source_file2.cpp \ - # Empty last line -``` -- This ensures the Makefiles can be easily merged. - -Program Command Line Options -- Each program contains a program_name_parse_optionst class which should - contain a define PROGRAM_NAME_PARSE_OPTIONS which is a string of all the - parse options in brackets (with a colon after the bracket if it takes a - parameter) -- Each parameter should be one per line to yield easy merging -- If parameters are shared between programs, they should be pulled out into - a common file and then included using a define -- The defines should be OPT_FLAG_NAMES which should go into the OPTIONS define -- The defines should include HELP_FLAG_NAMES which should contain the help - output of the format: - ``` - " --flag explanations\n" \ - " --another flag more explanation\n" \ - <-------30 chars------> -- The defines may include PARSE_OPTIONS_FLAG_NAMES which move the options - from the command line into the options - -C++ features: -- Do not use namespaces, except for anonymous namespaces. -- Prefer use of 'typedef' insted of 'using'. -- Prefer use of 'class' instead of 'struct'. -- Write type modifiers before the type specifier. -- Make references const whenever possible -- Make functions const whenever possible -- Do not hide base class functions -- You are encouraged to use override -- Single argument constructors must be explicit -- Avoid implicit conversions -- Avoid friend declarations -- Avoid iterators, use ranged for instead -- Avoid allocation with new/delete, use unique_ptr -- Avoid pointers, use references -- Avoid char *, use std::string -- For numbers, use int, unsigned, long, unsigned long, double -- Use mp_integer, not BigInt -- Use the functions in util for conversions between numbers and strings -- Avoid C-style functions. Use classes with an operator() instead. -- Use irep_idt for identifiers (not std::string) -- Avoid destructive updates if possible. The irept has constant time copy. -- Use instances of std::size_t for comparison with return values of .size() of - STL containers and algorithms, and use them as indices to arrays or vectors. -- Do not use default values in public functions -- Use assertions to detect programming errors, e.g. whenever you make - assumptions on how your code is used -- Use exceptions only when the execution of the program has to abort - because of erroneous user input -- We allow to use 3rd-party libraries directly. - No wrapper matching the coding rules is required. - Allowed libraries are: STL. -- When throwing, omit the brackets, i.e. `throw "error"`. -- Error messages should start with a lower case letter. -- Use the auto keyword if and only if one of the following - - The type is explictly repeated on the RHS (e.g. a constructor call) - - Adding the type will increase confusion (e.g. iterators, function pointers) -- Avoid assert, if the condition is an actual invariant, use INVARIANT, - PRECONDITION, POSTCONDITION, CHECK_RETURN, UNREACHABLE or DATA_INVARIANT. - If there are possible reasons why it might fail, throw an exception. - -Architecture-specific code: -- Avoid if possible. -- Use __LINUX__, __MACH__, and _WIN32 to distinguish the architectures. -- Don't include architecture-specific header files without #ifdef ... - -Output: -- Do not output to cout or cerr directly (except in temporary debug code, - and then guard #include by #ifdef DEBUG) -- Derive from messaget if the class produces output and use the streams provided - (status(), error(), debug(), etc) -- Use '\n' instead of std::endl - -Unit tests: - - Unit tests are written using Catch: https://github.com/philsquared/Catch/ - - For large classes: - - Create a separate file that contains the tests for each method of each - class - - The file should be named according to - `unit/class/path/class_name/function_name.cpp` - - For small classes: - - Create a separate file that contains the tests for all methods of each - class - - The file should be named according to unit/class/path/class_name.cpp - - Catch supports tagging, tests should be tagged with all the following tags: - - [core] should be used for all tests unless the test takes more than 1 - second to run, then it should be tagged with [long] - - [folder_name] of the file being tested - - [class_name] of the class being tested - - [function_name] of the function being tested - -You are allowed to break rules if you have a good reason to do so. - -Pre-commit hook to run cpplint locally --------------------------------------- -To install the hook -cp .githooks/pre-commit .git/hooks/pre-commit -or use a symbolic link. -Then, when running git commit, you should get the linter output -(if any) before being prompted to enter a commit message. -To bypass the check (e.g. if there was a false positive), -add the option --no-verify. diff --git a/CODING_STANDARD.md b/CODING_STANDARD.md new file mode 100644 index 0000000000..4b4619e1d6 --- /dev/null +++ b/CODING_STANDARD.md @@ -0,0 +1,223 @@ +Here a few minimalistic coding rules for the CPROVER source tree. + +# Whitespaces +- Use 2 spaces indent, no tabs. +- No lines wider than 80 chars. + - When line is wider, do the following: + - Subsequent lines should be indented two more than the initial line + - Break after `=` if it is part of an assignment + - For chained calls, prefer immediately before `.` + - For other operators (e.g. &&, `+`) prefer immediately after the operator + - For brackets, break after the bracket + - In the case of function calls, put each argument on a separate line if + they do not fit after one line break + - Nested function calls do not need to be broken up into separate lines + even if the outer function call does. +- If a method is bigger than 50 lines, break it into parts. +- Put matching `{ }` into the same column. +- No spaces around operators (`=`, `+`, `==` ...) Exceptions: Spaces around + `&&`, `||` and `<<` +- Space after comma (parameter lists, argument lists, ...) +- Space after colon inside `for` +- For pointers and references, the `*`/`&` should be attached to the variable + name as opposed to the type. E.g. for a pointer to an int the syntax would + be: `int *x;` +- No whitespaces at end of line +- No whitespaces in blank lines +- Put argument lists on next line (and indent 2 spaces) if too long +- Put parameters on separate lines (and indent 2 spaces) if too long +- No whitespaces around colon for inheritance, put inherited into separate + lines in case of multiple inheritance +- The initializer list follows the constructor without a whitespace around the + colon. Break line after the colon if required and indent members. +- `if(...)`, `else`, `for(...)`, `do`, and `while(...)` are always in a + separate line +- Break expressions in `if`, `for`, `while` if necessary and align them with + the first character following the opening parenthesis +- Use `{}` instead of `;` for the empty statement +- Single line blocks without `{ }` are allowed, but put braces around + multi-line blocks +- Use blank lines to visually separate logically cohesive code blocks within a + function +- Have a newline at the end of a file + +# Comments +- Do not use `/* */` +- Each source and header file must start with a comment block stating the + author. See existing source for an example of the format of this block. This + should be followed by a Doxygen `\file` comment: + ```c++ + /// \file + /// + ``` + Note that the `\file` tag must be immediately followed by a newline in order + for Doxygen to relate the comment to the current file. +- Each function should be preceded by a Doxygen comment describing that + function. The format should match the [LLVM + guidelines](http://llvm.org/docs/CodingStandards.html#doxygen-use-in-documentation-comments), + with one extension: `\param` and `\return` comments longer than a single line + should have subsequent lines indented by two spaces, so that the tags stand + out. An example: + ```c++ + /// This sentence, until the first dot followed by whitespace, becomes + /// the brief description. More detailed text follows. Feel free to + /// break this into paragraphs to aid readability. + /// \param arg_name: This parameter doesn't need much description + /// \param [out] long_arg_name: This parameter is mutated by the function. + /// Extra info about the parameter gets indented an extra two columns, + /// like this. + /// \return The return value is literally the value returned by the + /// function. For out-parameters, use "\param [out]". + return_typet my_function(argt arg_name, argt &long_arg_name) + ``` +- The priority of documentation is readability. Therefore, feel free to use + Doxygen features, or to add whitespace for multi-paragraph comment blocks if + necessary. +- A comment block should immediately precede the definition of the entity it + documents, which will generally mean that it will live in the source file. + This allows us to take advantage of the one definition rule. If each entity + is defined only once, then it is also documented only once. +- The documentation block must *immediately* precede the entity it documents. + Don't insert empty lines between docs and functions, because this will + confuse Doxygen. +- Put comments on a separate line +- Use comments to explain the non-obvious +- Use #if 0 for commenting out source code +- Use #ifdef DEBUG to guard debug code + +# Naming +- Identifiers may use the characters `[a-z0-9_]` and should start with a + lower-case letter (parameters in constructors may start with `_`). +- Use American spelling for identifiers. +- Separate basic words by `_` +- Avoid abbreviations (e.g. prefer `symbol_table` to `st`). +- User defined type identifiers have to be terminated by `t`. Moreover, before + `t` may not be `t`. +- Do not use `m_` prefix nor `_` suffix for names of attributes of structured + types. +- Enum values may use the characters `[A-Z0-9_]` + +# Header files +- Avoid unnecessary `#include`s, especially in header files +- Prefer forward declaration to includes, but forward declare at the top of the + header file rather than in line +- Guard headers with `#ifndef CPROVER_DIRECTORIES_FILE_H`, etc + +# Makefiles +- Each source file should appear on a separate line +- The final source file should still be followed by a trailing slash +- The last line should be a comment to not be deleted, i.e. should look like: + ```makefile + SRC = source_file.cpp \ + source_file2.cpp \ + # Empty last line + ``` +- This ensures the Makefiles can be easily merged. + +# Program Command Line Options +- Each program contains a `program_name_parse_optionst` class which should + contain a define `PROGRAM_NAME_PARSE_OPTIONS` which is a string of all the + parse options in brackets (with a colon after the bracket if it takes a + parameter) +- Each parameter should be one per line to yield easy merging +- If parameters are shared between programs, they should be pulled out into a + common file and then included using a define +- The defines should be `OPT_FLAG_NAMES` which should go into the `OPTIONS` + define +- The defines should include `HELP_FLAG_NAMES` which should contain the help + output in the format: + ``` + " --flag explanations\n" \ + " --another flag more explanation\n" \ + <-------30 chars------> + ``` +- The defines may include `PARSE_OPTIONS_FLAG_NAMES` which move the options + from the command line into the options + +# C++ features +- Do not use namespaces, except for anonymous namespaces. +- Prefer use of `typedef` instead of `using`. +- Prefer use of `class` instead of `struct`. +- Write type modifiers before the type specifier. +- Make references `const` whenever possible +- Make member functions `const` whenever possible +- Do not hide base class functions +- You are encouraged to use `override` +- Single argument constructors must be `explicit` +- Avoid implicit conversions +- Avoid `friend` declarations +- Avoid iterators, use ranged `for` instead +- Avoid allocation with `new`/`delete`, use `unique_ptr` +- Avoid pointers, use references +- Avoid `char *`, use `std::string` +- For numbers, use `int`, `unsigned`, `long`, `unsigned long`, `double` +- Use `mp_integer`, not `BigInt` +- Use the functions in util for conversions between numbers and strings +- Avoid C-style functions. Use classes with an `operator()` instead. +- Use `irep_idt` for identifiers (not `std::string`) +- Avoid destructive updates if possible. The `irept` has constant time copy. +- Use instances of `std::size_t` for comparison with return values of `.size()` + of STL containers and algorithms, and use them as indices to arrays or + vectors. +- Do not use default values in public functions +- Use assertions to detect programming errors, e.g. whenever you make + assumptions on how your code is used +- Use exceptions only when the execution of the program has to abort because of + erroneous user input +- We allow to use 3rd-party libraries directly. No wrapper matching the coding + rules is required. Allowed libraries are: STL. +- When throwing, omit the brackets, i.e. `throw "error"`. +- Error messages should start with a lower case letter. +- Use the `auto` keyword if and only if one of the following + - The type is explicitly repeated on the RHS (e.g. a constructor call) + - Adding the type will increase confusion (e.g. iterators, function pointers) +- Avoid `assert`. If the condition is an actual invariant, use INVARIANT, + PRECONDITION, POSTCONDITION, CHECK_RETURN, UNREACHABLE or DATA_INVARIANT. If + there are possible reasons why it might fail, throw an exception. + +# Architecture-specific code +- Avoid if possible. +- Use `__LINUX__`, `__MACH__`, and `_WIN32` to distinguish the architectures. +- Don't include architecture-specific header files without `#ifdef` ... + +# Output +- Do not output to `cout` or `cerr` directly (except in temporary debug code, + and then guard `#include ` by `#ifdef DEBUG`) +- Derive from `messaget` if the class produces output and use the streams + provided (`status()`, `error()`, `debug()`, etc) +- Use `\n` instead of `std::endl` + +# Unit tests +- Unit tests are written using [Catch](https://github.com/philsquared/Catch) +- For large classes: + - Create a separate file that contains the tests for each method of each + class + - The file should be named according to + `unit/class/path/class_name/function_name.cpp` +- For small classes: + - Create a separate file that contains the tests for all methods of each + class + - The file should be named according to `unit/class/path/class_name.cpp` +- Catch supports tagging, tests should be tagged with all the following tags: + - [core] should be used for all tests unless the test takes more than 1 + second to run, then it should be tagged with [long] + - [folder_name] of the file being tested + - [class_name] of the class being tested + - [function_name] of the function being tested + +--- + +You are allowed to break rules if you have a good reason to do so. + +--- + +# Pre-commit hook to run cpplint locally + +To install the hook +```sh +cp .githooks/pre-commit .git/hooks/pre-commit +``` +or use a symbolic link. Then, when running git commit, you should get the +linter output (if any) before being prompted to enter a commit message. To +bypass the check (e.g. if there was a false positive), add the option +`--no-verify`. From 881048271b533f8ef104e9aff75874e8d2d0ed6a Mon Sep 17 00:00:00 2001 From: Reuben Thomas Date: Thu, 22 Jun 2017 18:33:45 +0100 Subject: [PATCH 08/89] Update CODING_STANDARD.md --- CODING_STANDARD.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CODING_STANDARD.md b/CODING_STANDARD.md index 4b4619e1d6..6c078a0652 100644 --- a/CODING_STANDARD.md +++ b/CODING_STANDARD.md @@ -7,7 +7,8 @@ Here a few minimalistic coding rules for the CPROVER source tree. - Subsequent lines should be indented two more than the initial line - Break after `=` if it is part of an assignment - For chained calls, prefer immediately before `.` - - For other operators (e.g. &&, `+`) prefer immediately after the operator + - For other operators (e.g. `&&`, `+`) prefer immediately after the + operator - For brackets, break after the bracket - In the case of function calls, put each argument on a separate line if they do not fit after one line break From a38b6b4054e0b5d61b037ec2f3780f8d0f2c4e36 Mon Sep 17 00:00:00 2001 From: Reuben Thomas Date: Fri, 23 Jun 2017 09:47:38 +0100 Subject: [PATCH 09/89] Update CODING_STANDARD.md --- CODING_STANDARD.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CODING_STANDARD.md b/CODING_STANDARD.md index 6c078a0652..7710858d3d 100644 --- a/CODING_STANDARD.md +++ b/CODING_STANDARD.md @@ -93,7 +93,7 @@ Here a few minimalistic coding rules for the CPROVER source tree. - Separate basic words by `_` - Avoid abbreviations (e.g. prefer `symbol_table` to `st`). - User defined type identifiers have to be terminated by `t`. Moreover, before - `t` may not be `t`. + `t` may not be `_`. - Do not use `m_` prefix nor `_` suffix for names of attributes of structured types. - Enum values may use the characters `[A-Z0-9_]` @@ -113,7 +113,7 @@ Here a few minimalistic coding rules for the CPROVER source tree. source_file2.cpp \ # Empty last line ``` -- This ensures the Makefiles can be easily merged. + This ensures the Makefiles can be easily merged. # Program Command Line Options - Each program contains a `program_name_parse_optionst` class which should From 64c771457ecacc86bb975be6a0e6cae2a937b060 Mon Sep 17 00:00:00 2001 From: Owen Jones Date: Mon, 26 Jun 2017 10:00:32 +0100 Subject: [PATCH 10/89] Possible typo that should be checked --- src/goto-cc/armcc_cmdline.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/goto-cc/armcc_cmdline.cpp b/src/goto-cc/armcc_cmdline.cpp index 81bf59bc68..c19fab6b47 100644 --- a/src/goto-cc/armcc_cmdline.cpp +++ b/src/goto-cc/armcc_cmdline.cpp @@ -87,8 +87,8 @@ static const char *options_no_arg[]= "--no_implicit_include_searches", "--implicit_typename", "--no_implicit_typename", - "--nonstd_qualifider_deduction", - "--no_nonstd_qualifider_deduction", + "--nonstd_qualifier_deduction", + "--no_nonstd_qualifier_deduction", "--old_specializations", "--no_old_specializations", "--parse_templates", From 60c9fb23a1de55b583b899ffed0cd1a99bbb980e Mon Sep 17 00:00:00 2001 From: Owen Jones Date: Mon, 26 Jun 2017 12:29:46 +0100 Subject: [PATCH 11/89] Fix typos Most typos are in comments. Some are in strings - mainly strings that are printed out. --- src/analyses/ai.h | 4 ++-- src/analyses/escape_analysis.cpp | 2 +- src/analyses/flow_insensitive_analysis.h | 4 ++-- src/analyses/global_may_alias.cpp | 4 ++-- src/analyses/goto_check.cpp | 2 +- src/analyses/invariant_set.cpp | 2 +- src/analyses/invariant_set.h | 4 ++-- src/analyses/reaching_definitions.cpp | 8 ++++---- src/analyses/reaching_definitions.h | 2 +- src/analyses/static_analysis.h | 4 ++-- src/analyses/uninitialized_domain.cpp | 2 +- src/analyses/uninitialized_domain.h | 2 +- src/ansi-c/ansi_c_parser.h | 2 +- src/ansi-c/c_typecast.cpp | 2 +- src/ansi-c/c_typecast.h | 2 +- src/ansi-c/c_typecheck_base.cpp | 2 +- src/ansi-c/c_typecheck_expr.cpp | 6 +++--- src/ansi-c/c_typecheck_initializer.cpp | 4 ++-- src/ansi-c/c_typecheck_type.cpp | 2 +- src/ansi-c/expr2c.cpp | 2 +- src/ansi-c/literals/convert_float_literal.cpp | 2 +- src/cbmc/bmc_cover.cpp | 2 +- src/cpp/cpp_constructor.cpp | 7 ++++--- src/cpp/cpp_instantiate_template.cpp | 2 +- src/cpp/cpp_typecheck_code.cpp | 2 +- src/cpp/cpp_typecheck_compound_type.cpp | 6 +++--- src/cpp/cpp_typecheck_constructor.cpp | 8 ++++---- src/cpp/cpp_typecheck_conversions.cpp | 6 +++--- src/cpp/cpp_typecheck_expr.cpp | 8 ++++---- src/cpp/cpp_typecheck_resolve.cpp | 4 ++-- src/cpp/cpp_typecheck_template.cpp | 8 ++++---- src/cpp/parse.cpp | 4 ++-- src/goto-analyzer/taint_parser.h | 2 +- src/goto-cc/armcc_cmdline.cpp | 6 +++--- src/goto-cc/armcc_cmdline.h | 4 ++-- src/goto-cc/compile.cpp | 4 ++-- src/goto-cc/gcc_cmdline.cpp | 2 +- src/goto-cc/ld_cmdline.cpp | 2 +- src/goto-cc/ms_cl_cmdline.cpp | 4 ++-- src/goto-cc/xml_binaries/read_goto_object.cpp | 2 +- src/goto-instrument/accelerate/util.cpp | 2 +- src/goto-instrument/alignment_checks.cpp | 2 +- src/goto-instrument/code_contracts.cpp | 2 +- src/goto-instrument/cover.cpp | 4 ++-- src/goto-instrument/goto_instrument_parse_options.cpp | 4 ++-- src/goto-instrument/havoc_loops.cpp | 2 +- src/goto-instrument/k_induction.cpp | 2 +- src/goto-instrument/wmm/event_graph.h | 2 +- src/goto-instrument/wmm/goto2graph.h | 2 +- src/goto-instrument/wmm/shared_buffers.cpp | 2 +- src/goto-instrument/wmm/shared_buffers.h | 2 +- src/goto-programs/basic_blocks.cpp | 2 +- src/goto-programs/goto_convert.cpp | 2 +- src/goto-programs/goto_convert_side_effect.cpp | 4 ++-- src/goto-programs/remove_function_pointers.cpp | 4 ++-- src/goto-programs/show_goto_functions_json.cpp | 2 +- src/goto-programs/show_goto_functions_xml.cpp | 2 +- src/goto-symex/build_goto_trace.cpp | 2 +- src/goto-symex/memory_model_sc.cpp | 2 +- src/goto-symex/symex_start_thread.cpp | 2 +- src/java_bytecode/expr2java.cpp | 4 ++-- src/java_bytecode/java_bytecode_convert_method.cpp | 4 ++-- src/java_bytecode/java_bytecode_parser.cpp | 2 +- src/java_bytecode/java_local_variable_table.cpp | 2 +- src/java_bytecode/java_object_factory.cpp | 2 +- src/jsil/jsil_internal_additions.cpp | 2 +- src/jsil/jsil_typecheck.cpp | 4 ++-- src/musketeer/fence_inserter.h | 4 ++-- src/musketeer/graph_visitor.cpp | 2 +- src/musketeer/propagate_const_function_pointers.cpp | 2 +- src/path-symex/path_symex.cpp | 2 +- src/path-symex/path_symex_history.h | 2 +- src/path-symex/path_symex_state_read.cpp | 4 ++-- src/pointer-analysis/dereference.cpp | 2 +- src/pointer-analysis/value_set.cpp | 4 ++-- src/pointer-analysis/value_set.h | 6 +++--- src/pointer-analysis/value_set_dereference.cpp | 6 +++--- src/pointer-analysis/value_set_fi.cpp | 4 ++-- src/pointer-analysis/value_set_fi.h | 6 +++--- src/pointer-analysis/value_set_fivr.cpp | 2 +- src/pointer-analysis/value_set_fivr.h | 2 +- src/pointer-analysis/value_set_fivrns.cpp | 2 +- src/pointer-analysis/value_set_fivrns.h | 2 +- src/solvers/floatbv/float_bv.cpp | 6 +++--- src/symex/symex_parse_options.cpp | 2 +- src/util/expr_util.h | 4 ++-- src/util/graph.h | 2 +- src/util/ieee_float.cpp | 2 +- src/util/ieee_float.h | 4 ++-- src/util/irep.cpp | 6 +++--- src/util/irep_serialization.cpp | 2 +- src/util/json_irep.cpp | 4 ++-- src/util/lispirep.cpp | 2 +- src/util/simplify_expr.cpp | 6 +++--- src/util/string2int.h | 2 +- src/util/string_hash.cpp | 4 ++-- src/util/union_find.cpp | 2 +- 97 files changed, 158 insertions(+), 157 deletions(-) diff --git a/src/analyses/ai.h b/src/analyses/ai.h index 3c078d2a9b..5e0d1db3b2 100644 --- a/src/analyses/ai.h +++ b/src/analyses/ai.h @@ -280,7 +280,7 @@ protected: std::pair(l->location_number, l)); } - // true = found s.th. new + // true = found something new bool fixedpoint( const goto_programt &goto_program, const goto_functionst &goto_functions, @@ -297,7 +297,7 @@ protected: const goto_functionst &goto_functions, const namespacet &ns); - // true = found s.th. new + // true = found something new bool visit( locationt l, working_sett &working_set, diff --git a/src/analyses/escape_analysis.cpp b/src/analyses/escape_analysis.cpp index 3b0e7fc3f5..c724460527 100644 --- a/src/analyses/escape_analysis.cpp +++ b/src/analyses/escape_analysis.cpp @@ -371,7 +371,7 @@ void escape_domaint::check_lhs( { const irep_idt &identifier=to_symbol_expr(lhs).get_identifier(); - // pointer with aleanup function? + // pointer with cleanup function? const escape_domaint::cleanup_mapt::const_iterator m_it= cleanup_map.find(identifier); diff --git a/src/analyses/flow_insensitive_analysis.h b/src/analyses/flow_insensitive_analysis.h index bf06cf90cd..ae4cc5fa34 100644 --- a/src/analyses/flow_insensitive_analysis.h +++ b/src/analyses/flow_insensitive_analysis.h @@ -161,7 +161,7 @@ protected: working_set.push(l); } - // true = found s.th. new + // true = found something new bool fixedpoint( const goto_programt &goto_program, const goto_functionst &goto_functions); @@ -173,7 +173,7 @@ protected: void fixedpoint( const goto_functionst &goto_functions); - // true = found s.th. new + // true = found something new bool visit( locationt l, working_sett &working_set, diff --git a/src/analyses/global_may_alias.cpp b/src/analyses/global_may_alias.cpp index 28fabae92b..82c1f5a72d 100644 --- a/src/analyses/global_may_alias.cpp +++ b/src/analyses/global_may_alias.cpp @@ -1,13 +1,13 @@ /*******************************************************************\ -Module: Field-insensitive, location-sensitive gobal may alias analysis +Module: Field-insensitive, location-sensitive global may alias analysis Author: Daniel Kroening, kroening@kroening.com \*******************************************************************/ /// \file -/// Field-insensitive, location-sensitive gobal may alias analysis +/// Field-insensitive, location-sensitive global may alias analysis #include "global_may_alias.h" diff --git a/src/analyses/goto_check.cpp b/src/analyses/goto_check.cpp index 75c039343b..cddc054cc2 100644 --- a/src/analyses/goto_check.cpp +++ b/src/analyses/goto_check.cpp @@ -1560,7 +1560,7 @@ void goto_checkt::goto_check( add_guarded_claim( not_eq_null, - "this is null on method invokation", + "this is null on method invocation", "pointer dereference", i.source_location, pointer, diff --git a/src/analyses/invariant_set.cpp b/src/analyses/invariant_set.cpp index 425842a86f..101a330d31 100644 --- a/src/analyses/invariant_set.cpp +++ b/src/analyses/invariant_set.cpp @@ -1103,7 +1103,7 @@ void invariant_sett::apply_code(const codet &code) } else if(statement==ID_function_call) { - // may be a desaster + // may be a disaster make_true(); } else if(statement==ID_cpp_delete || diff --git a/src/analyses/invariant_set.h b/src/analyses/invariant_set.h index b9ee53e45d..6bb40bd3e9 100644 --- a/src/analyses/invariant_set.h +++ b/src/analyses/invariant_set.h @@ -108,7 +108,7 @@ public: const irep_idt &identifier, std::ostream &out) const; - // true = added s.th. + // true = added something bool make_union(const invariant_sett &other_invariants); void strengthen(const exprt &expr); @@ -214,7 +214,7 @@ protected: void get_bounds(unsigned a, boundst &dest) const; - // true = added s.th. + // true = added something bool make_union_bounds_map(const bounds_mapt &other); void modifies(unsigned a); diff --git a/src/analyses/reaching_definitions.cpp b/src/analyses/reaching_definitions.cpp index 70ea10b79c..217bbb5f5d 100644 --- a/src/analyses/reaching_definitions.cpp +++ b/src/analyses/reaching_definitions.cpp @@ -67,7 +67,7 @@ void rd_range_domaint::transform( // cleanup parameters else if(from->is_end_function()) transform_end_function(ns, from, to, *rd); - // lhs assignements + // lhs assignments else if(from->is_assign()) transform_assign(ns, from, from, *rd); // initial (non-deterministic) value @@ -559,7 +559,7 @@ void rd_range_domaint::output(std::ostream &out) const } } -/// \return returns true iff there is s.th. new +/// \return returns true iff there is something new bool rd_range_domaint::merge_inner( values_innert &dest, const values_innert &other) @@ -610,7 +610,7 @@ bool rd_range_domaint::merge_inner( return more; } -/// \return returns true iff there is s.th. new +/// \return returns true iff there is something new bool rd_range_domaint::merge( const rd_range_domaint &other, locationt from, @@ -646,7 +646,7 @@ bool rd_range_domaint::merge( return changed; } -/// \return returns true iff there is s.th. new +/// \return returns true iff there is something new bool rd_range_domaint::merge_shared( const rd_range_domaint &other, goto_programt::const_targett from, diff --git a/src/analyses/reaching_definitions.h b/src/analyses/reaching_definitions.h index 2cc7d815fa..e5f0d5f12b 100644 --- a/src/analyses/reaching_definitions.h +++ b/src/analyses/reaching_definitions.h @@ -147,7 +147,7 @@ public: make_top(); } - // returns true iff there is s.th. new + // returns true iff there is something new bool merge( const rd_range_domaint &other, locationt from, diff --git a/src/analyses/static_analysis.h b/src/analyses/static_analysis.h index 17d8dced47..1f384ec979 100644 --- a/src/analyses/static_analysis.h +++ b/src/analyses/static_analysis.h @@ -188,7 +188,7 @@ protected: std::pair(l->location_number, l)); } - // true = found s.th. new + // true = found something new bool fixedpoint( const goto_programt &goto_program, const goto_functionst &goto_functions); @@ -201,7 +201,7 @@ protected: void concurrent_fixedpoint( const goto_functionst &goto_functions); - // true = found s.th. new + // true = found something new bool visit( locationt l, working_sett &working_set, diff --git a/src/analyses/uninitialized_domain.cpp b/src/analyses/uninitialized_domain.cpp index 60f8c45c1b..d042fa5876 100644 --- a/src/analyses/uninitialized_domain.cpp +++ b/src/analyses/uninitialized_domain.cpp @@ -75,7 +75,7 @@ void uninitialized_domaint::output( } } -/// \return returns true iff there is s.th. new +/// \return returns true iff there is something new bool uninitialized_domaint::merge( const uninitialized_domaint &other, locationt from, diff --git a/src/analyses/uninitialized_domain.h b/src/analyses/uninitialized_domain.h index a48f995438..11dcaa0217 100644 --- a/src/analyses/uninitialized_domain.h +++ b/src/analyses/uninitialized_domain.h @@ -57,7 +57,7 @@ public: make_top(); } - // returns true iff there is s.th. new + // returns true iff there is something new bool merge( const uninitialized_domaint &other, locationt from, diff --git a/src/ansi-c/ansi_c_parser.h b/src/ansi-c/ansi_c_parser.h index 2dc2c77001..bd7dab0559 100644 --- a/src/ansi-c/ansi_c_parser.h +++ b/src/ansi-c/ansi_c_parser.h @@ -51,7 +51,7 @@ public: string_literal.clear(); pragma_pack.clear(); - // setup global scope + // set up global scope scopes.clear(); scopes.push_back(scopet()); } diff --git a/src/ansi-c/c_typecast.cpp b/src/ansi-c/c_typecast.cpp index 5b60bbda47..6af56f507b 100644 --- a/src/ansi-c/c_typecast.cpp +++ b/src/ansi-c/c_typecast.cpp @@ -715,7 +715,7 @@ void c_typecastt::do_typecast(exprt &expr, const typet &dest_type) if(src_type!=dest_type) { // C booleans are special; we produce the - // explicit comparision with zero. + // explicit comparison with zero. // Note that this requires ieee_float_notequal // in case of floating-point numbers. diff --git a/src/ansi-c/c_typecast.h b/src/ansi-c/c_typecast.h index 56d0c83235..efd95f998b 100644 --- a/src/ansi-c/c_typecast.h +++ b/src/ansi-c/c_typecast.h @@ -15,7 +15,7 @@ Author: Daniel Kroening, kroening@kroening.com // try a type cast from expr.type() to type // -// false: typecast successfull, expr modified +// false: typecast successful, expr modified // true: typecast failed bool check_c_implicit_typecast( diff --git a/src/ansi-c/c_typecheck_base.cpp b/src/ansi-c/c_typecheck_base.cpp index 74a0f33f96..d77d057688 100644 --- a/src/ansi-c/c_typecheck_base.cpp +++ b/src/ansi-c/c_typecheck_base.cpp @@ -165,7 +165,7 @@ void c_typecheck_baset::typecheck_redefinition_type( const typet &final_old=follow(old_symbol.type); const typet &final_new=follow(new_symbol.type); - // see if we had s.th. incomplete before + // see if we had something incomplete before if(final_old.id()==ID_incomplete_struct || final_old.id()==ID_incomplete_union || final_old.id()==ID_incomplete_c_enum) diff --git a/src/ansi-c/c_typecheck_expr.cpp b/src/ansi-c/c_typecheck_expr.cpp index 4b84899fc1..f010ff0dcc 100644 --- a/src/ansi-c/c_typecheck_expr.cpp +++ b/src/ansi-c/c_typecheck_expr.cpp @@ -350,7 +350,7 @@ void c_typecheck_baset::typecheck_expr_main(exprt &expr) { // This is C11. // The operand is already typechecked. Depending - // on it's type, we return one of the generic associatios. + // on its type, we return one of the generic associations. if(expr.operands().size()!=1) { @@ -2420,7 +2420,7 @@ exprt c_typecheck_baset::do_special_functions( exprt tmp; - // the followin means "don't know" + // the following means "don't know" if(arg1==0 || arg1==1) { tmp=from_integer(-1, size_type()); @@ -2755,7 +2755,7 @@ bool c_typecheck_baset::gcc_vector_types_compatible( if(s0!=s1) return false; - // comparse subtype + // compare subtype if((type0.subtype().id()==ID_signedbv || type0.subtype().id()==ID_unsignedbv) && (type1.subtype().id()==ID_signedbv || diff --git a/src/ansi-c/c_typecheck_initializer.cpp b/src/ansi-c/c_typecheck_initializer.cpp index db3280f12a..2edf574243 100644 --- a/src/ansi-c/c_typecheck_initializer.cpp +++ b/src/ansi-c/c_typecheck_initializer.cpp @@ -294,7 +294,7 @@ void c_typecheck_baset::designator_enter( } else { - // The default is to unitialize using the first member of the + // The default is to initialize using the first member of the // union. entry.size=1; entry.subtype=union_type.components().front().type(); @@ -571,7 +571,7 @@ void c_typecheck_baset::do_designated_initializer( full_type.id()==ID_vector); // we are initializing a compound type, and enter it! - // this may change the type, full_type might not be valid anymore + // this may change the type, full_type might not be valid any more const typet dest_type=full_type; designator_enter(type, designator); diff --git a/src/ansi-c/c_typecheck_type.cpp b/src/ansi-c/c_typecheck_type.cpp index 448df44cef..aa5217b79c 100644 --- a/src/ansi-c/c_typecheck_type.cpp +++ b/src/ansi-c/c_typecheck_type.cpp @@ -100,7 +100,7 @@ void c_typecheck_baset::typecheck_type(typet &type) // get that mode irep_idt mode=type.get(ID_size); - // A list of all modes ist at + // A list of all modes is at // http://www.delorie.com/gnu/docs/gcc/gccint_53.html typecheck_type(type.subtype()); diff --git a/src/ansi-c/expr2c.cpp b/src/ansi-c/expr2c.cpp index dc0c469b64..cffb5e9cd0 100644 --- a/src/ansi-c/expr2c.cpp +++ b/src/ansi-c/expr2c.cpp @@ -1943,7 +1943,7 @@ std::string expr2ct::convert_struct( /// \param src: The struct declaration expression /// precedence /// \param include_padding_components: Should the generated C code include the -/// padding members added to structs for GOTOs benifit +/// padding members added to structs for GOTOs benefit /// \return A string representation of the struct expression std::string expr2ct::convert_struct( const exprt &src, diff --git a/src/ansi-c/literals/convert_float_literal.cpp b/src/ansi-c/literals/convert_float_literal.cpp index e89148c974..00e98d7f7b 100644 --- a/src/ansi-c/literals/convert_float_literal.cpp +++ b/src/ansi-c/literals/convert_float_literal.cpp @@ -47,7 +47,7 @@ exprt convert_float_literal(const std::string &src) // In ANSI-C, float literals are double by default, // unless marked with 'f'. // All of these can be complex as well. - // This can be overriden with + // This can be overridden with // config.ansi_c.single_precision_constant. if(is_float) diff --git a/src/cbmc/bmc_cover.cpp b/src/cbmc/bmc_cover.cpp index 4c101cc215..28deebef17 100644 --- a/src/cbmc/bmc_cover.cpp +++ b/src/cbmc/bmc_cover.cpp @@ -68,7 +68,7 @@ public: std::string description; source_locationt source_location; - // if satisified, we compute a goto_trace + // if satisfied, we compute a goto_trace bool satisfied; goalt( diff --git a/src/cpp/cpp_constructor.cpp b/src/cpp/cpp_constructor.cpp index 07eed38180..44f458162f 100644 --- a/src/cpp/cpp_constructor.cpp +++ b/src/cpp/cpp_constructor.cpp @@ -17,7 +17,8 @@ Author: Daniel Kroening, kroening@cs.cmu.edu #include "cpp_typecheck.h" #include "cpp_util.h" -/// \param non:typchecked object, non-typechecked operands +/// \param object: non-typechecked object +/// \param operands: non-typechecked operands /// \return typechecked code codet cpp_typecheckt::cpp_constructor( const source_locationt &source_location, @@ -40,8 +41,8 @@ codet cpp_typecheckt::cpp_constructor( // We allow only one operand and it must be tagged with '#array_ini'. // Note that the operand is an array that is used for copy-initialization. // In the general case, a program is not allow to use this form of - // construct. This way of initializing an array is used internaly only. - // The purpose of the tag #arra_ini is to rule out ill-formed + // construct. This way of initializing an array is used internally only. + // The purpose of the tag #array_ini is to rule out ill-formed // programs. if(!operands.empty() && !operands.front().get_bool("#array_ini")) diff --git a/src/cpp/cpp_instantiate_template.cpp b/src/cpp/cpp_instantiate_template.cpp index 79e3de89b0..5ed613f925 100644 --- a/src/cpp/cpp_instantiate_template.cpp +++ b/src/cpp/cpp_instantiate_template.cpp @@ -332,7 +332,7 @@ const symbolt &cpp_typecheckt::instantiate_template( if(id_set.size()==1) { - // It has already been instantianted! + // It has already been instantiated! const cpp_idt &cpp_id = **id_set.begin(); assert(cpp_id.id_class == cpp_idt::id_classt::CLASS || diff --git a/src/cpp/cpp_typecheck_code.cpp b/src/cpp/cpp_typecheck_code.cpp index 8a7dd30139..88cc259d0a 100644 --- a/src/cpp/cpp_typecheck_code.cpp +++ b/src/cpp/cpp_typecheck_code.cpp @@ -459,7 +459,7 @@ void cpp_typecheckt::typecheck_assign(codet &code) throw 0; } - // turn into a sideeffect + // turn into a side effect side_effect_exprt expr(code.get(ID_statement)); expr.operands() = code.operands(); typecheck_expr(expr); diff --git a/src/cpp/cpp_typecheck_compound_type.cpp b/src/cpp/cpp_typecheck_compound_type.cpp index bb0b207e69..8bb655da6e 100644 --- a/src/cpp/cpp_typecheck_compound_type.cpp +++ b/src/cpp/cpp_typecheck_compound_type.cpp @@ -148,7 +148,7 @@ void cpp_typecheckt::typecheck_compound_type( } // The identifier 'tag-X' matches what the C front-end does! - // The hypen is deliberate to avoid collisions with other + // The hyphen is deliberate to avoid collisions with other // identifiers. const irep_idt symbol_name= dest_scope->prefix+ @@ -1079,7 +1079,7 @@ void cpp_typecheckt::typecheck_compound_body(symbolt &symbol) ID_public, false, false, false); } - // setup virtual tables before doing the constructors + // set up virtual tables before doing the constructors if(symbol.type.id()==ID_struct) do_virtual_table(symbol); @@ -1382,7 +1382,7 @@ void cpp_typecheckt::add_anonymous_members_to_scope( if(comp.get_anonymous()) { const symbolt &symbol=lookup(comp.type().get(ID_identifier)); - // recrusive call + // recursive call add_anonymous_members_to_scope(symbol); } else diff --git a/src/cpp/cpp_typecheck_constructor.cpp b/src/cpp/cpp_typecheck_constructor.cpp index 5cb0b6aebb..32981b866c 100644 --- a/src/cpp/cpp_typecheck_constructor.cpp +++ b/src/cpp/cpp_typecheck_constructor.cpp @@ -353,7 +353,7 @@ void cpp_typecheckt::default_cpctor( } } -/// Generate declarartion of the implicit default assignment operator +/// Generate declaration of the implicit default assignment operator void cpp_typecheckt::default_assignop( const symbolt &symbol, cpp_declarationt &cpctor) @@ -508,7 +508,7 @@ void cpp_typecheckt::default_assignop_value( ret_code.type()=code_typet(); } -/// Check a constructor initialization-list. An initalizer has to be a data +/// Check a constructor initialization-list. An initializer has to be a data /// member declared in this class or a direct-parent constructor. /// \param bases: the parents of the class /// \param components: the components of the class @@ -647,7 +647,7 @@ void cpp_typecheckt::check_member_initializers( /// direct-parent constructors are called. Second, all the non-pod data members /// are initialized. /// -/// Note: The initialization order follows the decalration order. +/// Note: The initialization order follows the declaration order. /// \param struct_union_type: the class/struct/union /// \param initializers: the constructor initializers /// \return initializers is updated. @@ -709,7 +709,7 @@ void cpp_typecheckt::full_member_initialization( const irept &bases=struct_union_type.find(ID_bases); - // Subsequenlty, we need to call the non-POD parent constructors + // Subsequently, we need to call the non-POD parent constructors forall_irep(parent_it, bases.get_sub()) { assert(parent_it->id()==ID_base); diff --git a/src/cpp/cpp_typecheck_conversions.cpp b/src/cpp/cpp_typecheck_conversions.cpp index cc357d1fb2..dc28db9d1c 100644 --- a/src/cpp/cpp_typecheck_conversions.cpp +++ b/src/cpp/cpp_typecheck_conversions.cpp @@ -192,7 +192,7 @@ bool cpp_typecheckt::standard_conversion_qualification( /// An rvalue of type bool can be converted to an rvalue of type int, /// with false becoming zero and true becoming one. /// \par parameters: A typechecked expression 'expr' -/// \return True iff the integral pormotion is possible. The result of the +/// \return True iff the integral promotion is possible. The result of the /// conversion is stored in 'new_expr'. bool cpp_typecheckt::standard_conversion_integral_promotion( const exprt &expr, @@ -299,7 +299,7 @@ bool cpp_typecheckt::standard_conversion_floating_point_promotion( /// the set of integral conversions. /// \par parameters: A typechecked expression 'expr', a destination /// type 'type' -/// \return True iff the integral pormotion is possible. The result of the +/// \return True iff the integral promotion is possible. The result of the /// conversion is stored in 'new_expr'. bool cpp_typecheckt::standard_conversion_integral_conversion( const exprt &expr, @@ -1411,7 +1411,7 @@ bool cpp_typecheckt::reference_binding( type.subtype().get_bool(ID_C_volatile)) return false; - // TODO: hanlde the case for implicit parameters + // TODO: handle the case for implicit parameters if(!type.subtype().get_bool(ID_C_constant) && !expr.get_bool(ID_C_lvalue)) return false; diff --git a/src/cpp/cpp_typecheck_expr.cpp b/src/cpp/cpp_typecheck_expr.cpp index e2926f0960..10c0b1c9b5 100644 --- a/src/cpp/cpp_typecheck_expr.cpp +++ b/src/cpp/cpp_typecheck_expr.cpp @@ -504,7 +504,7 @@ bool cpp_typecheckt::operator_is_overloaded(exprt &expr) cpp_name.get_sub().back().set(ID_identifier, op_name); cpp_name.get_sub().back().add(ID_C_source_location)=expr.source_location(); - // See if the struct decalares the cast operator as a member + // See if the struct declares the cast operator as a member bool found_in_struct=false; assert(!expr.operands().empty()); typet t0(follow(expr.op0().type())); @@ -1975,7 +1975,7 @@ void cpp_typecheckt::typecheck_side_effect_function_call( else { error().source_location=expr.source_location(); - error() << "zero or one argument excpected" << eom; + error() << "zero or one argument expected" << eom; throw 0; } @@ -2019,7 +2019,7 @@ void cpp_typecheckt::typecheck_side_effect_function_call( assert(bound.type().id()==ID_pointer); expr.arguments().insert(expr.arguments().begin(), bound); - // we don't need the object anymore + // we don't need the object any more expr.function().type().remove("#bound"); } @@ -2100,7 +2100,7 @@ void cpp_typecheckt::typecheck_side_effect_function_call( vtentry_member.swap(tmp); } - // Typcheck the expresssion as if it was not virtual + // Typecheck the expression as if it was not virtual // (add the this pointer) expr.type()= diff --git a/src/cpp/cpp_typecheck_resolve.cpp b/src/cpp/cpp_typecheck_resolve.cpp index dad5650722..5de6c9f551 100644 --- a/src/cpp/cpp_typecheck_resolve.cpp +++ b/src/cpp/cpp_typecheck_resolve.cpp @@ -1269,7 +1269,7 @@ cpp_scopet &cpp_typecheck_resolvet::resolve_namespace( cpp_typecheck.error().source_location=source_location; cpp_typecheck.error() << "namespace `" - << base_name << "' is ambigous" << messaget::eom; + << base_name << "' is ambiguous" << messaget::eom; throw 0; } } @@ -1801,7 +1801,7 @@ void cpp_typecheck_resolvet::guess_template_args( if(cpp_name.has_template_args()) { - // this could be s.th. like my_template, and we need + // this could be something like my_template, and we need // to match 'T'. Then 'desired_type' has to be a template instance. // TODO diff --git a/src/cpp/cpp_typecheck_template.cpp b/src/cpp/cpp_typecheck_template.cpp index 5fae1b654a..4ce4c55919 100644 --- a/src/cpp/cpp_typecheck_template.cpp +++ b/src/cpp/cpp_typecheck_template.cpp @@ -305,7 +305,7 @@ void cpp_typecheckt::typecheck_function_template( cpp_scopes.id_map[symbol_name] = &template_scope; } -/// typecheck class tempalte members; these can be methods or static members +/// typecheck class template members; these can be methods or static members void cpp_typecheckt::typecheck_class_template_member( cpp_declarationt &declaration) { @@ -520,7 +520,7 @@ void cpp_typecheckt::convert_class_template_specialization( // currently we are more restrictive // than the standard error().source_location=cpp_name.source_location(); - error() << "bad template-class-sepcialization name" << eom; + error() << "bad template-class-specialization name" << eom; throw 0; } @@ -953,7 +953,7 @@ cpp_template_args_tct cpp_typecheckt::typecheck_template_args( typet type=parameter.type(); - // First check the parameter type (might have ealier + // First check the parameter type (might have earlier // type parameters in it). Needs to be checked in scope // of template. { @@ -1046,7 +1046,7 @@ void cpp_typecheckt::convert_template_declaration( typecheck_class_template(declaration); return; } - // maybe function template, maybe class template member, maye + // maybe function template, maybe class template member, maybe // template variable else { diff --git a/src/cpp/parse.cpp b/src/cpp/parse.cpp index 190e9e1e8c..baa831d2cd 100644 --- a/src/cpp/parse.cpp +++ b/src/cpp/parse.cpp @@ -2763,7 +2763,7 @@ bool Parser::rDeclarator( std::cout << std::string(__indent, ' ') << "Parser::rDeclarator2 1\n"; #endif - // we can have one or more declatator qualifiers + // we can have one or more declarator qualifiers if(!rDeclaratorQualifier()) return false; @@ -2777,7 +2777,7 @@ bool Parser::rDeclarator( if(!optPtrOperator(d_outer)) return false; - // we can have another sequence of declatator qualifiers + // we can have another sequence of declarator qualifiers if(!rDeclaratorQualifier()) return false; diff --git a/src/goto-analyzer/taint_parser.h b/src/goto-analyzer/taint_parser.h index 7974604126..9f54365d73 100644 --- a/src/goto-analyzer/taint_parser.h +++ b/src/goto-analyzer/taint_parser.h @@ -46,7 +46,7 @@ public: irep_idt id; irep_idt function_identifier; irep_idt taint; - unsigned parameter_number; // the frist one is '1' + unsigned parameter_number; // the first one is '1' std::string message; void output(std::ostream &) const; diff --git a/src/goto-cc/armcc_cmdline.cpp b/src/goto-cc/armcc_cmdline.cpp index c19fab6b47..2512e1f0ab 100644 --- a/src/goto-cc/armcc_cmdline.cpp +++ b/src/goto-cc/armcc_cmdline.cpp @@ -1,20 +1,20 @@ /*******************************************************************\ -Module: A special command line object to mimick ARM's armcc +Module: A special command line object to mimic ARM's armcc Author: Daniel Kroening \*******************************************************************/ /// \file -/// A special command line object to mimick ARM's armcc +/// A special command line object to mimic ARM's armcc #include #include #include "armcc_cmdline.h" -/// parses the commandline options into a cmdlinet +/// parses the command line options into a cmdlinet /// \par parameters: argument count, argument strings /// \return none // see diff --git a/src/goto-cc/armcc_cmdline.h b/src/goto-cc/armcc_cmdline.h index f899636639..e7e5e0dafa 100644 --- a/src/goto-cc/armcc_cmdline.h +++ b/src/goto-cc/armcc_cmdline.h @@ -1,6 +1,6 @@ /*******************************************************************\ -Module: A special command line object to mimick ARM's armcc +Module: A special command line object to mimic ARM's armcc Author: Daniel Kroening @@ -9,7 +9,7 @@ Date: June 2006 \*******************************************************************/ /// \file -/// A special command line object to mimick ARM's armcc +/// A special command line object to mimic ARM's armcc #ifndef CPROVER_GOTO_CC_ARMCC_CMDLINE_H #define CPROVER_GOTO_CC_ARMCC_CMDLINE_H diff --git a/src/goto-cc/compile.cpp b/src/goto-cc/compile.cpp index f9184b8659..cd46c55442 100644 --- a/src/goto-cc/compile.cpp +++ b/src/goto-cc/compile.cpp @@ -77,7 +77,7 @@ bool compilet::doit() add_compiler_specific_defines(config); - // Parse commandline for source and object file names + // Parse command line for source and object file names for(std::size_t i=0; i<_cmdline.args.size(); i++) if(add_input_file(_cmdline.args[i])) return true; @@ -703,7 +703,7 @@ void compilet::convert_symbols(goto_functionst &dest) Forall_symbols(it, symbol_table.symbols) symbols.insert(it->first); - // the symbol table itertors aren't stable + // the symbol table iterators aren't stable for(symbols_sett::const_iterator it=symbols.begin(); it!=symbols.end(); diff --git a/src/goto-cc/gcc_cmdline.cpp b/src/goto-cc/gcc_cmdline.cpp index a45498b130..61d07b265d 100644 --- a/src/goto-cc/gcc_cmdline.cpp +++ b/src/goto-cc/gcc_cmdline.cpp @@ -18,7 +18,7 @@ Author: CM Wintersteiger, 2006 #include "gcc_cmdline.h" -/// parses the commandline options into a cmdlinet +/// parses the command line options into a cmdlinet /// \par parameters: argument count, argument strings /// \return none // non-gcc options diff --git a/src/goto-cc/ld_cmdline.cpp b/src/goto-cc/ld_cmdline.cpp index eb6c43af14..45a7fab5b9 100644 --- a/src/goto-cc/ld_cmdline.cpp +++ b/src/goto-cc/ld_cmdline.cpp @@ -16,7 +16,7 @@ Author: Daniel Kroening, 2013 #include "ld_cmdline.h" -/// parses the commandline options into a cmdlinet +/// parses the command line options into a cmdlinet /// \par parameters: argument count, argument strings /// \return none const char *goto_ld_options_with_argument[]= diff --git a/src/goto-cc/ms_cl_cmdline.cpp b/src/goto-cc/ms_cl_cmdline.cpp index 635c799cc8..fdc5987929 100644 --- a/src/goto-cc/ms_cl_cmdline.cpp +++ b/src/goto-cc/ms_cl_cmdline.cpp @@ -19,7 +19,7 @@ Author: Daniel Kroening #include "ms_cl_cmdline.h" -/// parses the commandline options into a cmdlinet +/// parses the command line options into a cmdlinet /// \par parameters: argument count, argument strings /// \return none const char *non_ms_cl_options[]= @@ -116,7 +116,7 @@ void ms_cl_cmdlinet::parse_env() #endif } -/// parses the commandline options into a cmdlinet +/// parses the command line options into a cmdlinet /// \par parameters: argument count, argument strings /// \return none bool ms_cl_cmdlinet::parse(int argc, const char **argv) diff --git a/src/goto-cc/xml_binaries/read_goto_object.cpp b/src/goto-cc/xml_binaries/read_goto_object.cpp index 7804701841..5a2f24bf58 100644 --- a/src/goto-cc/xml_binaries/read_goto_object.cpp +++ b/src/goto-cc/xml_binaries/read_goto_object.cpp @@ -95,7 +95,7 @@ bool read_goto_object( { // makes sure there is an empty function // for this symbol. if we got code for it, - // it will be added lateron. + // it will be added later on. functions.function_map[symbol.name].type= to_code_type(symbol.type); } diff --git a/src/goto-instrument/accelerate/util.cpp b/src/goto-instrument/accelerate/util.cpp index 543b2faa4a..5f3bf5b94c 100644 --- a/src/goto-instrument/accelerate/util.cpp +++ b/src/goto-instrument/accelerate/util.cpp @@ -49,7 +49,7 @@ bool is_signed(const typet &t) /** - * Conveniece function -- is the type unsigned? + * Convenience function -- is the type unsigned? */ bool is_unsigned(const typet &t) { diff --git a/src/goto-instrument/alignment_checks.cpp b/src/goto-instrument/alignment_checks.cpp index 0482687e2b..98740c254a 100644 --- a/src/goto-instrument/alignment_checks.cpp +++ b/src/goto-instrument/alignment_checks.cpp @@ -86,7 +86,7 @@ void print_struct_alignment_problems( } else if(it->second.type.id()==ID_array) { - // is this structure likely to introduce dataraces? + // is this structure likely to introduce data races? #if 0 const namespacet ns(symbol_table); const array_typet array=to_array_type(it->second.type); diff --git a/src/goto-instrument/code_contracts.cpp b/src/goto-instrument/code_contracts.cpp index 963c90ef96..e828b3c790 100644 --- a/src/goto-instrument/code_contracts.cpp +++ b/src/goto-instrument/code_contracts.cpp @@ -103,7 +103,7 @@ static void check_apply_invariants( modifiest modifies; get_modifies(local_may_alias, loop, modifies); - // build the havoc-ing code + // build the havocking code goto_programt havoc_code; // assert the invariant diff --git a/src/goto-instrument/cover.cpp b/src/goto-instrument/cover.cpp index f2d17617cc..9beffb29c8 100644 --- a/src/goto-instrument/cover.cpp +++ b/src/goto-instrument/cover.cpp @@ -724,9 +724,9 @@ void minimize_mcdc_controlling( * * If in the end all elements ''x'' in ''controlling'' are * reserved, this means that current ''controlling'' set is - * minimum and the ''while'' loop should be breaked. + * minimum and the ''while'' loop should be broken out of. * - * Note: implementaion here for the above procedure is + * Note: implementation here for the above procedure is * not (meant to be) optimal. **/ for(auto &x : controlling) diff --git a/src/goto-instrument/goto_instrument_parse_options.cpp b/src/goto-instrument/goto_instrument_parse_options.cpp index 622618a220..7857ea3eaa 100644 --- a/src/goto-instrument/goto_instrument_parse_options.cpp +++ b/src/goto-instrument/goto_instrument_parse_options.cpp @@ -1126,7 +1126,7 @@ void goto_instrument_parse_optionst::instrument_goto_program() // add generic checks, if needed goto_check(ns, options, goto_functions); - // check for uninitalized local varibles + // check for uninitalized local variables if(cmdline.isset("uninitialized-check")) { status() << "Adding checks for uninitialized local variables" << eom; @@ -1337,7 +1337,7 @@ void goto_instrument_parse_optionst::instrument_goto_program() if(cmdline.isset("havoc-loops")) { - status() << "Havocing loops" << eom; + status() << "Havocking loops" << eom; havoc_loops(goto_functions); } diff --git a/src/goto-instrument/havoc_loops.cpp b/src/goto-instrument/havoc_loops.cpp index e1213ec183..08478565ec 100644 --- a/src/goto-instrument/havoc_loops.cpp +++ b/src/goto-instrument/havoc_loops.cpp @@ -111,7 +111,7 @@ void havoc_loopst::havoc_loop( modifiest modifies; get_modifies(loop, modifies); - // build the havoc-ing code + // build the havocking code goto_programt havoc_code; build_havoc_code(loop_head, modifies, havoc_code); diff --git a/src/goto-instrument/k_induction.cpp b/src/goto-instrument/k_induction.cpp index fcedf66e41..1a39e8f2ea 100644 --- a/src/goto-instrument/k_induction.cpp +++ b/src/goto-instrument/k_induction.cpp @@ -86,7 +86,7 @@ void k_inductiont::process_loop( modifiest modifies; get_modifies(local_may_alias, loop, modifies); - // build the havoc-ing code + // build the havocking code goto_programt havoc_code; build_havoc_code(loop_head, modifies, havoc_code); diff --git a/src/goto-instrument/wmm/event_graph.h b/src/goto-instrument/wmm/event_graph.h index 61428a934a..a6af54e0b6 100644 --- a/src/goto-instrument/wmm/event_graph.h +++ b/src/goto-instrument/wmm/event_graph.h @@ -97,7 +97,7 @@ public: from.hide_internals(&target) */ void hide_internals(critical_cyclet &reduced) const; - /* checks whether there is at leat one pair which is unsafe + /* checks whether there is at least one pair which is unsafe (takes fences and dependencies into account), and adds the unsafe pairs in the set */ bool is_unsafe(memory_modelt model, bool fast=false); diff --git a/src/goto-instrument/wmm/goto2graph.h b/src/goto-instrument/wmm/goto2graph.h index 49adbfdb64..d220fe0317 100644 --- a/src/goto-instrument/wmm/goto2graph.h +++ b/src/goto-instrument/wmm/goto2graph.h @@ -265,7 +265,7 @@ protected: memory_modelt model, bool no_dependencies, loop_strategyt duplicate_body, - /* functino to analyse */ + /* function to analyse */ const irep_idt &function, /* incoming edges */ const std::set &initial_vertex, diff --git a/src/goto-instrument/wmm/shared_buffers.cpp b/src/goto-instrument/wmm/shared_buffers.cpp index 46db452610..45615ff0ba 100644 --- a/src/goto-instrument/wmm/shared_buffers.cpp +++ b/src/goto-instrument/wmm/shared_buffers.cpp @@ -380,7 +380,7 @@ void shared_bufferst::det_flush( // We update (or not) the value in the memory assignment(goto_program, target, source_location, object, new_value_expr); - // We udpate the flags of the buffer + // We update the flags of the buffer // if buff0 used and mine, then it is no more used, as we flushed the last // write and -ws-> imposes not to have other writes in the buffer assignment( diff --git a/src/goto-instrument/wmm/shared_buffers.h b/src/goto-instrument/wmm/shared_buffers.h index 27524b372b..0550291637 100644 --- a/src/goto-instrument/wmm/shared_buffers.h +++ b/src/goto-instrument/wmm/shared_buffers.h @@ -222,7 +222,7 @@ public: protected: class symbol_tablet &symbol_table; - // number of threads interferring + // number of threads interfering unsigned nb_threads; // instrumentations (not to be instrumented again) diff --git a/src/goto-programs/basic_blocks.cpp b/src/goto-programs/basic_blocks.cpp index b0c3dc7417..44e1ff7bac 100644 --- a/src/goto-programs/basic_blocks.cpp +++ b/src/goto-programs/basic_blocks.cpp @@ -34,7 +34,7 @@ void basic_blocks(goto_programt &goto_program, it!=goto_program.instructions.end(); ) // intentionally no it++ { - // goto's and empty code are left unchanged + // gotos and empty code are left unchanged if(it->is_goto() || it->is_dead() || it->is_assert() || it->is_assume() || it->is_atomic_begin() || it->is_atomic_end() || diff --git a/src/goto-programs/goto_convert.cpp b/src/goto-programs/goto_convert.cpp index 6b3f5d68d6..5b48fb0670 100644 --- a/src/goto-programs/goto_convert.cpp +++ b/src/goto-programs/goto_convert.cpp @@ -296,7 +296,7 @@ void goto_convertt::finish_guarded_gotos(goto_programt &dest) gg.gotoiter->guard=gg.guard; // goto_programt doesn't provide an erase operation, // perhaps for a good reason, so let's be cautious and just - // flatten the un-needed instructions into skips. + // flatten the unneeded instructions into skips. for(auto it=gg.ifiter, itend=gg.gotoiter; it!=itend; ++it) it->make_skip(); } diff --git a/src/goto-programs/goto_convert_side_effect.cpp b/src/goto-programs/goto_convert_side_effect.cpp index 3119cc252d..1ed77b3166 100644 --- a/src/goto-programs/goto_convert_side_effect.cpp +++ b/src/goto-programs/goto_convert_side_effect.cpp @@ -93,7 +93,7 @@ void goto_convertt::remove_assignment( else { error().source_location=expr.find_source_location(); - error() << "assignment `" << statement << "' not yet supproted" + error() << "assignment `" << statement << "' not yet supported" << eom; throw 0; } @@ -554,7 +554,7 @@ void goto_convertt::remove_statement_expression( // This is a gcc extension of the form ({ ....; expr; }) // The value is that of the final expression. // The expression is copied into a temporary before the - // scope is destoyed. + // scope is destroyed. if(expr.operands().size()!=1) { diff --git a/src/goto-programs/remove_function_pointers.cpp b/src/goto-programs/remove_function_pointers.cpp index d62d1b62c8..2726d6ab7f 100644 --- a/src/goto-programs/remove_function_pointers.cpp +++ b/src/goto-programs/remove_function_pointers.cpp @@ -48,7 +48,7 @@ protected: bool add_safety_assertion; // We can optionally halt the FP removal if we aren't able to use - // remove_const_function_pointerst to sucessfully narrow to a small + // remove_const_function_pointerst to successfully narrow to a small // subset of possible functions and just leave the function pointer // as it is. // This can be activated in goto-instrument using @@ -313,7 +313,7 @@ void remove_function_pointerst::remove_function_pointer( if(only_resolve_const_fps) { // If this mode is enabled, we only remove function pointers - // that we can resolve either to an exact funciton, or an exact subset + // that we can resolve either to an exact function, or an exact subset // (e.g. a variable index in a constant array). // Since we haven't found functions, we would now resort to // replacing the function pointer with any function with a valid signature diff --git a/src/goto-programs/show_goto_functions_json.cpp b/src/goto-programs/show_goto_functions_json.cpp index ea25d5c0f7..6afbf023c6 100644 --- a/src/goto-programs/show_goto_functions_json.cpp +++ b/src/goto-programs/show_goto_functions_json.cpp @@ -23,7 +23,7 @@ Author: Thomas Kiley #include "goto_model.h" #include "show_goto_functions_json.h" -/// For outputing the GOTO program in a readable JSON format. +/// For outputting the GOTO program in a readable JSON format. /// \param ns: the namespace to use to resolve names with show_goto_functions_jsont::show_goto_functions_jsont(const namespacet &ns): ns(ns) diff --git a/src/goto-programs/show_goto_functions_xml.cpp b/src/goto-programs/show_goto_functions_xml.cpp index cce37c8d2c..10e624902e 100644 --- a/src/goto-programs/show_goto_functions_xml.cpp +++ b/src/goto-programs/show_goto_functions_xml.cpp @@ -24,7 +24,7 @@ Author: Thomas Kiley #include "show_goto_functions_xml.h" -/// For outputing the GOTO program in a readable xml format. +/// For outputting the GOTO program in a readable xml format. /// \param ns: the namespace to use to resolve names with show_goto_functions_xmlt::show_goto_functions_xmlt(const namespacet &ns): ns(ns) diff --git a/src/goto-symex/build_goto_trace.cpp b/src/goto-symex/build_goto_trace.cpp index 7b6a367f6b..1657266b65 100644 --- a/src/goto-symex/build_goto_trace.cpp +++ b/src/goto-symex/build_goto_trace.cpp @@ -261,7 +261,7 @@ void build_goto_trace( } // Now assemble into a single goto_trace. - // This expoits sorted-ness of the map. + // This exploits sorted-ness of the map. for(auto &t_it : time_map) goto_trace.steps.splice(goto_trace.steps.end(), t_it.second); diff --git a/src/goto-symex/memory_model_sc.cpp b/src/goto-symex/memory_model_sc.cpp index d034711aa5..c6be709dfd 100644 --- a/src/goto-symex/memory_model_sc.cpp +++ b/src/goto-symex/memory_model_sc.cpp @@ -53,7 +53,7 @@ void memory_model_sct::build_per_thread_map( e_it!=equation.SSA_steps.end(); e_it++) { - // concurreny-related? + // concurrency-related? if(!e_it->is_shared_read() && !e_it->is_shared_write() && !e_it->is_spawn() && diff --git a/src/goto-symex/symex_start_thread.cpp b/src/goto-symex/symex_start_thread.cpp index e5891d7924..c4e2e83422 100644 --- a/src/goto-symex/symex_start_thread.cpp +++ b/src/goto-symex/symex_start_thread.cpp @@ -67,7 +67,7 @@ void goto_symext::symex_start_thread(statet &state) // get L0 name for current thread lhs.set_level_0(t); - // setup L1 name + // set up L1 name if(!state.level1.current_names.insert( std::make_pair(lhs.get_l1_object_identifier(), std::make_pair(lhs, 0))).second) diff --git a/src/java_bytecode/expr2java.cpp b/src/java_bytecode/expr2java.cpp index daa89f21a9..c6f2d0f90e 100644 --- a/src/java_bytecode/expr2java.cpp +++ b/src/java_bytecode/expr2java.cpp @@ -276,8 +276,8 @@ std::string expr2javat::convert_rec( const code_typet &code_type=to_code_type(src); // Java doesn't really have syntax for function types, - // so we make one up, loosley inspired by the syntax - // of lamda expressions. + // so we make one up, loosely inspired by the syntax + // of lambda expressions. std::string dest=""; diff --git a/src/java_bytecode/java_bytecode_convert_method.cpp b/src/java_bytecode/java_bytecode_convert_method.cpp index 871f82b6c1..ecb59827dd 100644 --- a/src/java_bytecode/java_bytecode_convert_method.cpp +++ b/src/java_bytecode/java_bytecode_convert_method.cpp @@ -173,7 +173,7 @@ const exprt java_bytecode_convert_methodt::variable( if(var.symbol_expr.get_identifier().empty()) { - // an un-named local variable + // an unnamed local variable irep_idt base_name="anonlocal::"+id2string(number)+type_char; irep_idt identifier=id2string(current_method)+"::"+id2string(base_name); @@ -545,7 +545,7 @@ code_blockt &java_bytecode_convert_methodt::get_block_for_pcrange( /// 'allow_merge' /// which is always true except when called from get_block_for_pcrange /// \return See above, plus potential side-effects on 'tree' and 'this_block' as -/// descibed in 'Purpose' +/// described in 'Purpose' code_blockt &java_bytecode_convert_methodt::get_or_create_block_for_pcrange( block_tree_nodet &tree, code_blockt &this_block, diff --git a/src/java_bytecode/java_bytecode_parser.cpp b/src/java_bytecode/java_bytecode_parser.cpp index 4235f6faab..ca271aaaba 100644 --- a/src/java_bytecode/java_bytecode_parser.cpp +++ b/src/java_bytecode/java_bytecode_parser.cpp @@ -430,7 +430,7 @@ void java_bytecode_parsert::rconstant_pool() case CONSTANT_Long: case CONSTANT_Double: it->number=read_u8(); - // Eight-byte constants take up two entires + // Eight-byte constants take up two entries // in the constant_pool table, for annoying this programmer. if(it==constant_pool.end()) { diff --git a/src/java_bytecode/java_local_variable_table.cpp b/src/java_bytecode/java_local_variable_table.cpp index ee7d061f9d..b1462e4321 100644 --- a/src/java_bytecode/java_local_variable_table.cpp +++ b/src/java_bytecode/java_local_variable_table.cpp @@ -91,7 +91,7 @@ struct procedure_local_cfg_baset< } }; -// Grab some class typdefs for brevity: +// Grab some class typedefs for brevity: typedef java_bytecode_convert_methodt::holet holet; typedef java_bytecode_convert_methodt::local_variable_with_holest diff --git a/src/java_bytecode/java_object_factory.cpp b/src/java_bytecode/java_object_factory.cpp index 5f97bbfa52..5ab08becad 100644 --- a/src/java_bytecode/java_object_factory.cpp +++ b/src/java_bytecode/java_object_factory.cpp @@ -394,7 +394,7 @@ void java_object_factoryt::gen_nondet_init( } } -/// Allocates a fresh array. Single-use herem at the moment, but useful to keep +/// Allocates a fresh array. Single-use at the moment, but useful to keep /// as a separate function for downstream branches. /// \par parameters: `lhs`, symbol to assign the new array structure /// `max_length_expr`, maximum length of the new array (minimum is fixed at zero diff --git a/src/jsil/jsil_internal_additions.cpp b/src/jsil/jsil_internal_additions.cpp index 88c93bf180..6250258b4b 100644 --- a/src/jsil/jsil_internal_additions.cpp +++ b/src/jsil/jsil_internal_additions.cpp @@ -81,7 +81,7 @@ void jsil_internal_additions(symbol_tablet &dest) dest.add(symbol); } - // add empty symbol used for decl statemements + // add empty symbol used for decl statements { symbolt symbol; diff --git a/src/jsil/jsil_typecheck.cpp b/src/jsil/jsil_typecheck.cpp index c94e02b2e7..892a8df7f2 100644 --- a/src/jsil/jsil_typecheck.cpp +++ b/src/jsil/jsil_typecheck.cpp @@ -845,8 +845,8 @@ void jsil_typecheckt::typecheck_assign(code_assignt &code) make_type_compatible(code.op0(), code.op1().type(), false); } -/// typecheking procedure declaration; any other symbols should have been -/// typechecked during typecheking of procedure declaration +/// typechecking procedure declaration; any other symbols should have been +/// typechecked during typechecking of procedure declaration /// \par parameters: any symbol void jsil_typecheckt::typecheck_non_type_symbol(symbolt &symbol) { diff --git a/src/musketeer/fence_inserter.h b/src/musketeer/fence_inserter.h index 70676a0156..847e5ea271 100644 --- a/src/musketeer/fence_inserter.h +++ b/src/musketeer/fence_inserter.h @@ -64,7 +64,7 @@ public: instrumentert &instrumenter; - /* normal variables used almost everytime */ + /* normal variables used almost every time */ std::map &map_to_e; std::map &map_from_e; unsigned add_edge(const edget &e) { return var.add_edge(e); } @@ -73,7 +73,7 @@ public: return invisible_var.add_edge(e); } - /* number of contraints */ + /* number of constraints */ std::size_t constraints_number; const memory_modelt model; diff --git a/src/musketeer/graph_visitor.cpp b/src/musketeer/graph_visitor.cpp index 5c46243958..d84e75db6e 100644 --- a/src/musketeer/graph_visitor.cpp +++ b/src/musketeer/graph_visitor.cpp @@ -346,7 +346,7 @@ void const_graph_visitort::PT( #ifdef BTWN1 event_grapht &egraph=fence_inserter.instrumenter.egraph; - /* all the pos inbetween */ + /* all the pos in between */ for(wmm_grapht::edgest::const_iterator next_it=egraph.po_out(e.first).begin(); next_it!=egraph.po_out(e.first).end(); diff --git a/src/musketeer/propagate_const_function_pointers.cpp b/src/musketeer/propagate_const_function_pointers.cpp index fa96cb63a7..d48ce8da63 100644 --- a/src/musketeer/propagate_const_function_pointers.cpp +++ b/src/musketeer/propagate_const_function_pointers.cpp @@ -308,7 +308,7 @@ void const_function_pointer_propagationt::dup_caller_and_inline_callee( { } - message.debug() << "callsite targetted: " << (*callsite)->source_location + message.debug() << "callsite targeted: " << (*callsite)->source_location << " function: " << const_function.get_identifier() << messaget::eom; assert(it->source_location==(*callsite)->source_location); diff --git a/src/path-symex/path_symex.cpp b/src/path-symex/path_symex.cpp index 3ae6b858b7..2aef635cbf 100644 --- a/src/path-symex/path_symex.cpp +++ b/src/path-symex/path_symex.cpp @@ -869,7 +869,7 @@ void path_symext::do_goto( if(!guard.is_false()) { // branch taken case - // copy the state into 'furhter_states' + // copy the state into 'further_states' further_states.push_back(state); further_states.back().record_step(); state.history->branch=stept::BRANCH_TAKEN; diff --git a/src/path-symex/path_symex_history.h b/src/path-symex/path_symex_history.h index 35cfcb6d59..4371e5e26d 100644 --- a/src/path-symex/path_symex_history.h +++ b/src/path-symex/path_symex_history.h @@ -58,7 +58,7 @@ public: void generate_successor(); - // build a forward-traversible version of the history + // build a forward-traversable version of the history void build_history(std::vector &dest) const; protected: diff --git a/src/path-symex/path_symex_state_read.cpp b/src/path-symex/path_symex_state_read.cpp index 4e60dd91ff..885160beb9 100644 --- a/src/path-symex/path_symex_state_read.cpp +++ b/src/path-symex/path_symex_state_read.cpp @@ -359,7 +359,7 @@ exprt path_symex_statet::read_symbol_member_index( suffix="."+id2string(member_expr.get_component_name())+suffix; } else - return nil_exprt(); // includes unions, deliberatley + return nil_exprt(); // includes unions, deliberately } else if(current.id()==ID_index) { @@ -452,7 +452,7 @@ bool path_symex_statet::is_symbol_member_index(const exprt &src) const next=&(member_expr.struct_op()); } else - return false; // includes unions, deliberatley + return false; // includes unions, deliberately } else if(current->id()==ID_index) { diff --git a/src/pointer-analysis/dereference.cpp b/src/pointer-analysis/dereference.cpp index 5b4baf0b02..56a42effa3 100644 --- a/src/pointer-analysis/dereference.cpp +++ b/src/pointer-analysis/dereference.cpp @@ -300,7 +300,7 @@ bool dereferencet::type_compatible( { if(to_struct_type(dereference_type).is_prefix_of( to_struct_type(object_type))) - return true; // ok, dreference_type is a prefix of object_type + return true; // ok, dereference_type is a prefix of object_type } // any code is ok diff --git a/src/pointer-analysis/value_set.cpp b/src/pointer-analysis/value_set.cpp index f6a9f128c5..a41796677a 100644 --- a/src/pointer-analysis/value_set.cpp +++ b/src/pointer-analysis/value_set.cpp @@ -762,7 +762,7 @@ void value_sett::get_value_set_rec( } else if(expr.id()==ID_array) { - // an array constructur, possibly containing addresses + // an array constructor, possibly containing addresses forall_operands(it, expr) get_value_set_rec(*it, dest, suffix, original_type, ns); } @@ -1538,7 +1538,7 @@ void value_sett::apply_code( } else if(statement==ID_expression) { - // can be ignored, we don't expect sideeffects here + // can be ignored, we don't expect side effects here } else if(statement=="cpp_delete" || statement=="cpp_delete[]") diff --git a/src/pointer-analysis/value_set.h b/src/pointer-analysis/value_set.h index 8fc7c0218f..66e4fa57ab 100644 --- a/src/pointer-analysis/value_set.h +++ b/src/pointer-analysis/value_set.h @@ -155,13 +155,13 @@ public: valuest values; - // true = added s.th. new + // true = added something new bool make_union(object_mapt &dest, const object_mapt &src) const; - // true = added s.th. new + // true = added something new bool make_union(const valuest &new_values); - // true = added s.th. new + // true = added something new bool make_union(const value_sett &new_values) { return make_union(new_values.values); diff --git a/src/pointer-analysis/value_set_dereference.cpp b/src/pointer-analysis/value_set_dereference.cpp index 9efd87c579..81edc39bbd 100644 --- a/src/pointer-analysis/value_set_dereference.cpp +++ b/src/pointer-analysis/value_set_dereference.cpp @@ -431,7 +431,7 @@ value_set_dereferencet::valuet value_set_dereferencet::build_reference_to( else { // We need to use byte_extract. - // Won't do this without a committment to an endianness. + // Won't do this without a commitment to an endianness. if(config.ansi_c.endianness==configt::ansi_ct::endiannesst::NO_ENDIANNESS) { @@ -775,7 +775,7 @@ bool value_set_dereferencet::memory_model( return memory_model_conversion(value, to_type, guard, offset); } - // otherwise, we will stich it together from bytes + // otherwise, we will stitch it together from bytes return memory_model_bytes(value, to_type, guard, offset); } @@ -819,7 +819,7 @@ bool value_set_dereferencet::memory_model_bytes( if(from_type.id()==ID_code || to_type.id()==ID_code) return false; - // We won't do this without a committment to an endianness. + // We won't do this without a commitment to an endianness. if(config.ansi_c.endianness==configt::ansi_ct::endiannesst::NO_ENDIANNESS) return false; diff --git a/src/pointer-analysis/value_set_fi.cpp b/src/pointer-analysis/value_set_fi.cpp index 149af49876..64336252d1 100644 --- a/src/pointer-analysis/value_set_fi.cpp +++ b/src/pointer-analysis/value_set_fi.cpp @@ -658,7 +658,7 @@ void value_set_fit::get_value_set_rec( else if(expr.id()==ID_array_of || expr.id()==ID_array) { - // an array constructur, possibly containing addresses + // an array constructor, possibly containing addresses forall_operands(it, expr) get_value_set_rec(*it, dest, suffix, original_type, ns, recursion_set); } @@ -1457,7 +1457,7 @@ void value_set_fit::apply_code( } else if(statement==ID_expression) { - // can be ignored, we don't expect sideeffects here + // can be ignored, we don't expect side effects here } else if(statement==ID_cpp_delete || statement==ID_cpp_delete_array) diff --git a/src/pointer-analysis/value_set_fi.h b/src/pointer-analysis/value_set_fi.h index 76f2666d83..0a38d79904 100644 --- a/src/pointer-analysis/value_set_fi.h +++ b/src/pointer-analysis/value_set_fi.h @@ -235,13 +235,13 @@ public: bool changed; - // true = added s.th. new + // true = added something new bool make_union(object_mapt &dest, const object_mapt &src) const; - // true = added s.th. new + // true = added something new bool make_union(const valuest &new_values); - // true = added s.th. new + // true = added something new bool make_union(const value_set_fit &new_values) { return make_union(new_values.values); diff --git a/src/pointer-analysis/value_set_fivr.cpp b/src/pointer-analysis/value_set_fivr.cpp index 9c8edfeb76..763eb9407c 100644 --- a/src/pointer-analysis/value_set_fivr.cpp +++ b/src/pointer-analysis/value_set_fivr.cpp @@ -1615,7 +1615,7 @@ void value_set_fivrt::apply_code( } else if(statement==ID_expression) { - // can be ignored, we don't expect sideeffects here + // can be ignored, we don't expect side effects here } else if(statement==ID_cpp_delete || statement==ID_cpp_delete_array) diff --git a/src/pointer-analysis/value_set_fivr.h b/src/pointer-analysis/value_set_fivr.h index 66adf83739..015a97271e 100644 --- a/src/pointer-analysis/value_set_fivr.h +++ b/src/pointer-analysis/value_set_fivr.h @@ -302,7 +302,7 @@ public: valuest values; valuest temporary_values; - // true = added s.th. new + // true = added something new bool make_union( object_mapt &dest, const object_mapt &src) const; diff --git a/src/pointer-analysis/value_set_fivrns.cpp b/src/pointer-analysis/value_set_fivrns.cpp index 0d10df43d5..bb15453d99 100644 --- a/src/pointer-analysis/value_set_fivrns.cpp +++ b/src/pointer-analysis/value_set_fivrns.cpp @@ -1268,7 +1268,7 @@ void value_set_fivrnst::apply_code( } else if(statement==ID_expression) { - // can be ignored, we don't expect sideeffects here + // can be ignored, we don't expect side effects here } else if(statement==ID_cpp_delete || statement==ID_cpp_delete_array) diff --git a/src/pointer-analysis/value_set_fivrns.h b/src/pointer-analysis/value_set_fivrns.h index e01db014cb..db735cfe2d 100644 --- a/src/pointer-analysis/value_set_fivrns.h +++ b/src/pointer-analysis/value_set_fivrns.h @@ -299,7 +299,7 @@ public: valuest values; valuest temporary_values; - // true = added s.th. new + // true = added something new bool make_union( object_mapt &dest, const object_mapt &src) const; diff --git a/src/solvers/floatbv/float_bv.cpp b/src/solvers/floatbv/float_bv.cpp index b346b40dfc..65ba54deb4 100644 --- a/src/solvers/floatbv/float_bv.cpp +++ b/src/solvers/floatbv/float_bv.cpp @@ -104,7 +104,7 @@ ieee_float_spect float_bvt::get_spec(const exprt &expr) exprt float_bvt::abs(const exprt &op, const ieee_float_spect &spec) { - // we mask away the sign bit, which is the most significand bit + // we mask away the sign bit, which is the most significant bit std::string mask_str(spec.width(), '1'); mask_str[0]='0'; @@ -150,7 +150,7 @@ exprt float_bvt::is_zero( const exprt &src, const ieee_float_spect &spec) { - // we mask away the sign bit, which is the most significand bit + // we mask away the sign bit, which is the most significant bit const floatbv_typet &type=to_floatbv_type(src.type()); std::size_t width=type.get_width(); @@ -687,7 +687,7 @@ exprt float_bvt::div( // is there a remainder? exprt have_remainder=notequal_exprt(rem, from_integer(0, rem.type())); - // we throw this into the result, as least-significand bit, + // we throw this into the result, as least-significant bit, // to get the right rounding decision result.fraction= concatenation_exprt( diff --git a/src/symex/symex_parse_options.cpp b/src/symex/symex_parse_options.cpp index 72f5b559a5..9b77014a2d 100644 --- a/src/symex/symex_parse_options.cpp +++ b/src/symex/symex_parse_options.cpp @@ -349,7 +349,7 @@ bool symex_parse_optionst::process_goto_program(const optionst &options) return true; } - status() << "Instrumenting coverge goals" << eom; + status() << "Instrumenting coverage goals" << eom; instrument_cover_goals(symbol_table, goto_model.goto_functions, c); goto_model.goto_functions.update(); } diff --git a/src/util/expr_util.h b/src/util/expr_util.h index 6ab3951037..34f1540701 100644 --- a/src/util/expr_util.h +++ b/src/util/expr_util.h @@ -36,7 +36,7 @@ void make_next_state(exprt &); /*! splits an expression with >=3 operands into nested binary expressions */ exprt make_binary(const exprt &); -/*! converts an udpate expr into a (possibly nested) with expression */ +/*! converts an update expr into a (possibly nested) with expression */ with_exprt make_with_expr(const update_exprt &); /*! converts a scalar/float expression to C/C++ Booleans */ @@ -46,7 +46,7 @@ exprt is_not_zero(const exprt &, const namespacet &ns); and swapping false and true */ exprt boolean_negate(const exprt &); -/*! returns true if the expression has a subexpresion with given ID */ +/*! returns true if the expression has a subexpression with given ID */ bool has_subexpr(const exprt &, const irep_idt &); /*! lift up an if_exprt one level */ diff --git a/src/util/graph.h b/src/util/graph.h index 6ef7976ad0..d3f14259e9 100644 --- a/src/util/graph.h +++ b/src/util/graph.h @@ -56,7 +56,7 @@ public: } }; -// a node type with an exta bit +// a node type with an extra bit template class visited_nodet:public graph_nodet { diff --git a/src/util/ieee_float.cpp b/src/util/ieee_float.cpp index 5f8828ca76..b2afe32197 100644 --- a/src/util/ieee_float.cpp +++ b/src/util/ieee_float.cpp @@ -1268,6 +1268,6 @@ void ieee_floatt::next_representable(bool greater) unpack(old); - // sign change impossible (zero case caught earler) + // sign change impossible (zero case caught earlier) set_sign(old_sign); } diff --git a/src/util/ieee_float.h b/src/util/ieee_float.h index fbad6d092d..5c975f3782 100644 --- a/src/util/ieee_float.h +++ b/src/util/ieee_float.h @@ -238,7 +238,7 @@ public: void from_double(const double d); void from_float(const float f); - // perfroms conversions from IEEE float-point format + // performs conversions from IEEE float-point format // to something else double to_double() const; float to_float() const; @@ -268,7 +268,7 @@ public: constant_exprt to_expr() const; void from_expr(const constant_exprt &expr); - // the usual opertors + // the usual operators ieee_floatt &operator/=(const ieee_floatt &other); ieee_floatt &operator*=(const ieee_floatt &other); ieee_floatt &operator+=(const ieee_floatt &other); diff --git a/src/util/irep.cpp b/src/util/irep.cpp index 6efa7ccf82..1bedec03f1 100644 --- a/src/util/irep.cpp +++ b/src/util/irep.cpp @@ -426,7 +426,7 @@ bool irept::full_eq(const irept &other) const return true; } -/// defines ordering on the internal represenation +/// defines ordering on the internal representation bool irept::ordering(const irept &other) const { return compare(other)<0; @@ -494,7 +494,7 @@ bool irept::ordering(const irept &other) const #endif } -/// defines ordering on the internal represenation +/// defines ordering on the internal representation int irept::compare(const irept &i) const { int r; @@ -562,7 +562,7 @@ int irept::compare(const irept &i) const return 0; } -/// defines ordering on the internal represenation +/// defines ordering on the internal representation bool irept::operator<(const irept &other) const { return ordering(other); diff --git a/src/util/irep_serialization.cpp b/src/util/irep_serialization.cpp index ac148c1e81..c21d14916b 100644 --- a/src/util/irep_serialization.cpp +++ b/src/util/irep_serialization.cpp @@ -159,7 +159,7 @@ std::size_t irep_serializationt::insert_on_read( return id; } -/// outputs 4 characters for a long, most-significand byte first +/// outputs 4 characters for a long, most-significant byte first /// \par parameters: an output stream and a number /// \return nothing void write_gb_word(std::ostream &out, std::size_t u) diff --git a/src/util/json_irep.cpp b/src/util/json_irep.cpp index 3cefcb9306..ca9db86284 100644 --- a/src/util/json_irep.cpp +++ b/src/util/json_irep.cpp @@ -15,7 +15,7 @@ Author: Thomas Kiley, thomas.kiley@diffblue.com #include -/// To convert to JSON from an irep structure by recurssively generating JSON +/// To convert to JSON from an irep structure by recursively generating JSON /// for the different sub trees. /// \param include_comments: when writing JSON, should the comments /// sub tree be included. @@ -23,7 +23,7 @@ json_irept::json_irept(bool include_comments): include_comments(include_comments) {} -/// To convert to JSON from an irep structure by recurssively generating JSON +/// To convert to JSON from an irep structure by recursively generating JSON /// for the different sub trees. /// \param irep: The irep structure to turn into json /// \param json: The json object to be filled up. diff --git a/src/util/lispirep.cpp b/src/util/lispirep.cpp index 49fb6dc323..6ad94df06a 100644 --- a/src/util/lispirep.cpp +++ b/src/util/lispirep.cpp @@ -54,7 +54,7 @@ void irep2lisp(const irept &src, lispexprt &dest) id.value=src.id_string(); dest.push_back(id); - // reserve objects for extra performace + // reserve objects for extra performance forall_irep(it, src.get_sub()) { diff --git a/src/util/simplify_expr.cpp b/src/util/simplify_expr.cpp index 23d814b75a..28b9ab87c2 100644 --- a/src/util/simplify_expr.cpp +++ b/src/util/simplify_expr.cpp @@ -221,7 +221,7 @@ bool simplify_exprt::simplify_typecast(exprt &expr) return false; } - // elminiate casts to proper bool + // eliminate casts to proper bool if(expr_type.id()==ID_bool) { // rewrite (bool)x to x!=0 @@ -236,7 +236,7 @@ bool simplify_exprt::simplify_typecast(exprt &expr) return false; } - // elminiate casts to _Bool + // eliminate casts to _Bool if(expr_type.id()==ID_c_bool && op_type.id()!=ID_bool) { @@ -1348,7 +1348,7 @@ bool simplify_exprt::simplify_update(exprt &expr) value_ptr=&value_ptr->operands()[number]; } else - return true; // give up, unkown designator + return true; // give up, unknown designator } // found, done diff --git a/src/util/string2int.h b/src/util/string2int.h index 1b0007a644..12c0260aaa 100644 --- a/src/util/string2int.h +++ b/src/util/string2int.h @@ -19,7 +19,7 @@ Author: Michael Tautschnig, michael.tautschnig@cs.ox.ac.uk unsigned safe_string2unsigned(const std::string &str, int base=10); std::size_t safe_string2size_t(const std::string &str, int base=10); -// The below mimick C's atoi/atol: any errors are silently ignored. +// The below mimic C's atoi/atol: any errors are silently ignored. // They are meant to replace atoi/atol. int unsafe_string2int(const std::string &str, int base=10); unsigned unsafe_string2unsigned(const std::string &str, int base=10); diff --git a/src/util/string_hash.cpp b/src/util/string_hash.cpp index ee212232fa..c283155cae 100644 --- a/src/util/string_hash.cpp +++ b/src/util/string_hash.cpp @@ -1,13 +1,13 @@ /*******************************************************************\ -Module: string hasing +Module: string hashing Author: Daniel Kroening, kroening@kroening.com \*******************************************************************/ /// \file -/// string hasing +/// string hashing #include "string_hash.h" diff --git a/src/util/union_find.cpp b/src/util/union_find.cpp index a7084e4d60..6e32019186 100644 --- a/src/util/union_find.cpp +++ b/src/util/union_find.cpp @@ -85,7 +85,7 @@ void unsigned_union_find::re_root(size_type old_root, size_type new_root) if(find(new_root)!=old_root) return; - // make sure we actually do s.th. + // make sure we actually do something assert(new_root!=old_root); assert(nodes[old_root].count>=2); From cfc171c381320250579ec698896b3ed3d72b957c Mon Sep 17 00:00:00 2001 From: Owen Jones Date: Thu, 29 Jun 2017 14:38:39 +0100 Subject: [PATCH 12/89] Format comments correctly --- src/goto-instrument/accelerate/util.cpp | 4 +--- src/goto-instrument/wmm/event_graph.h | 5 ++--- src/goto-instrument/wmm/goto2graph.h | 10 +++++----- src/musketeer/fence_inserter.h | 6 +++--- src/musketeer/graph_visitor.cpp | 2 +- src/util/expr_util.h | 20 ++++++++++---------- 6 files changed, 22 insertions(+), 25 deletions(-) diff --git a/src/goto-instrument/accelerate/util.cpp b/src/goto-instrument/accelerate/util.cpp index 5f3bf5b94c..0af56c088e 100644 --- a/src/goto-instrument/accelerate/util.cpp +++ b/src/goto-instrument/accelerate/util.cpp @@ -48,9 +48,7 @@ bool is_signed(const typet &t) } -/** - * Convenience function -- is the type unsigned? - */ +/// Convenience function -- is the type unsigned? bool is_unsigned(const typet &t) { return t.id()==ID_bv || diff --git a/src/goto-instrument/wmm/event_graph.h b/src/goto-instrument/wmm/event_graph.h index a6af54e0b6..95cf95cd95 100644 --- a/src/goto-instrument/wmm/event_graph.h +++ b/src/goto-instrument/wmm/event_graph.h @@ -97,9 +97,8 @@ public: from.hide_internals(&target) */ void hide_internals(critical_cyclet &reduced) const; - /* checks whether there is at least one pair which is unsafe - (takes fences and dependencies into account), and adds - the unsafe pairs in the set */ + /// checks whether there is at least one pair which is unsafe (takes fences + /// and dependencies into account), and adds the unsafe pairs in the set bool is_unsafe(memory_modelt model, bool fast=false); /* do not update the unsafe pairs set */ diff --git a/src/goto-instrument/wmm/goto2graph.h b/src/goto-instrument/wmm/goto2graph.h index d220fe0317..b37f6adf87 100644 --- a/src/goto-instrument/wmm/goto2graph.h +++ b/src/goto-instrument/wmm/goto2graph.h @@ -258,18 +258,18 @@ protected: } } - // TODO: move the visitor outside, and inherit + /// TODO: move the visitor outside, and inherit virtual void visit_cfg_function( - /* value_sets and options */ + /// value_sets and options value_setst &value_sets, memory_modelt model, bool no_dependencies, loop_strategyt duplicate_body, - /* function to analyse */ + /// function to analyse const irep_idt &function, - /* incoming edges */ + /// incoming edges const std::set &initial_vertex, - /* outcoming edges */ + /// outcoming edges std::set &ending_vertex); bool inline local(const irep_idt &i); diff --git a/src/musketeer/fence_inserter.h b/src/musketeer/fence_inserter.h index 847e5ea271..e24a32dbc1 100644 --- a/src/musketeer/fence_inserter.h +++ b/src/musketeer/fence_inserter.h @@ -64,7 +64,7 @@ public: instrumentert &instrumenter; - /* normal variables used almost every time */ + /// normal variables used almost every time std::map &map_to_e; std::map &map_from_e; unsigned add_edge(const edget &e) { return var.add_edge(e); } @@ -73,11 +73,11 @@ public: return invisible_var.add_edge(e); } - /* number of constraints */ + /// number of constraints std::size_t constraints_number; const memory_modelt model; - /* to retrieve the concrete graph edges involved in the (abstract) cycles */ + /// to retrieve the concrete graph edges involved in the (abstract) cycles const_graph_visitort const_graph_visitor; protected: diff --git a/src/musketeer/graph_visitor.cpp b/src/musketeer/graph_visitor.cpp index d84e75db6e..883246b589 100644 --- a/src/musketeer/graph_visitor.cpp +++ b/src/musketeer/graph_visitor.cpp @@ -346,7 +346,7 @@ void const_graph_visitort::PT( #ifdef BTWN1 event_grapht &egraph=fence_inserter.instrumenter.egraph; - /* all the pos in between */ + /// all the pos in between for(wmm_grapht::edgest::const_iterator next_it=egraph.po_out(e.first).begin(); next_it!=egraph.po_out(e.first).end(); diff --git a/src/util/expr_util.h b/src/util/expr_util.h index 34f1540701..e0b1f4aaf2 100644 --- a/src/util/expr_util.h +++ b/src/util/expr_util.h @@ -28,28 +28,28 @@ class symbolt; class typet; class namespacet; -/*! \deprecated This function will eventually be removed. Use functions from - * \ref util/std_expr.h instead. -*/ +/// \deprecated This function will eventually be removed. Use functions +/// from \ref util/std_expr.h instead. + void make_next_state(exprt &); -/*! splits an expression with >=3 operands into nested binary expressions */ +/// splits an expression with >=3 operands into nested binary expressions exprt make_binary(const exprt &); -/*! converts an update expr into a (possibly nested) with expression */ +/// converts an update expr into a (possibly nested) with expression with_exprt make_with_expr(const update_exprt &); -/*! converts a scalar/float expression to C/C++ Booleans */ +/// converts a scalar/float expression to C/C++ Booleans exprt is_not_zero(const exprt &, const namespacet &ns); -/*! negate a Boolean expression, possibly removing a not_exprt, - and swapping false and true */ +/// negate a Boolean expression, possibly removing a not_exprt, +/// and swapping false and true exprt boolean_negate(const exprt &); -/*! returns true if the expression has a subexpression with given ID */ +/// returns true if the expression has a subexpression with given ID bool has_subexpr(const exprt &, const irep_idt &); -/*! lift up an if_exprt one level */ +/// lift up an if_exprt one level if_exprt lift_if(const exprt &, std::size_t operand_number); #endif // CPROVER_UTIL_EXPR_UTIL_H From 14e23a1cc0bb265664c59f69db749d82debf168f Mon Sep 17 00:00:00 2001 From: Michael Tautschnig Date: Mon, 3 Jul 2017 10:18:17 +0100 Subject: [PATCH 13/89] Introduce regression test suite for goto-diff Test presently fails, marked as KNOWNBUG --- regression/Makefile | 2 +- regression/goto-diff/Makefile | 24 ++++++++++++++++++ regression/goto-diff/syntactic-diff1/a.c | 11 ++++++++ regression/goto-diff/syntactic-diff1/a.gb | Bin 0 -> 5839 bytes regression/goto-diff/syntactic-diff1/b.c | 11 ++++++++ regression/goto-diff/syntactic-diff1/b.gb | Bin 0 -> 5936 bytes .../goto-diff/syntactic-diff1/test.desc | 10 ++++++++ 7 files changed, 57 insertions(+), 1 deletion(-) create mode 100644 regression/goto-diff/Makefile create mode 100644 regression/goto-diff/syntactic-diff1/a.c create mode 100644 regression/goto-diff/syntactic-diff1/a.gb create mode 100644 regression/goto-diff/syntactic-diff1/b.c create mode 100644 regression/goto-diff/syntactic-diff1/b.gb create mode 100644 regression/goto-diff/syntactic-diff1/test.desc diff --git a/regression/Makefile b/regression/Makefile index 71e3494e07..b6d109b604 100644 --- a/regression/Makefile +++ b/regression/Makefile @@ -1,4 +1,3 @@ - DIRS = ansi-c \ cbmc \ cpp \ @@ -6,6 +5,7 @@ DIRS = ansi-c \ goto-analyzer \ goto-instrument \ goto-instrument-typedef \ + goto-diff \ test-script \ # Empty last line diff --git a/regression/goto-diff/Makefile b/regression/goto-diff/Makefile new file mode 100644 index 0000000000..266f02032b --- /dev/null +++ b/regression/goto-diff/Makefile @@ -0,0 +1,24 @@ +default: tests.log + +test: + @if ! ../test.pl -c ../../../src/goto-diff/goto-diff ; then \ + ../failed-tests-printer.pl ; \ + exit 1 ; \ + fi + +tests.log: ../test.pl + @if ! ../test.pl -c ../../../src/goto-diff/goto-diff ; then \ + ../failed-tests-printer.pl ; \ + exit 1 ; \ + fi + +show: + @for dir in *; do \ + if [ -d "$$dir" ]; then \ + vim -o "$$dir/*.c" "$$dir/*.out"; \ + fi; \ + done; + +clean: + find -name '*.out' -execdir $(RM) '{}' \; + $(RM) tests.log diff --git a/regression/goto-diff/syntactic-diff1/a.c b/regression/goto-diff/syntactic-diff1/a.c new file mode 100644 index 0000000000..95ce6e1c1a --- /dev/null +++ b/regression/goto-diff/syntactic-diff1/a.c @@ -0,0 +1,11 @@ +int main() +{ + int x; + + return 0; +} + +void foo() +{ + int y; +} diff --git a/regression/goto-diff/syntactic-diff1/a.gb b/regression/goto-diff/syntactic-diff1/a.gb new file mode 100644 index 0000000000000000000000000000000000000000..2bf7c7b9947e2094186bd3379fdcd4736a43fa45 GIT binary patch literal 5839 zcmbtYdwdkt6~1?u%qB%x0Uu4!HZ)e6B7{u>!bUAHK>=ZWjM}&3WM?)R+3c({vnG+) z^?`ua`atBZR$E)EqPE&%>!ZGv2IUb*K(ZiEk*a7!5!?FccjvJ)slSy!+~1F|vvbaO zzH{z5=bn3WXH7dZTus!BuB9#2AR?Wjwq~pj!bhu2J!>RXDWxZ5OViUNM2IjvsijmB zeuz7*DXXQdv08eptSB0LZ=QkoBT`ygC4+8{)W`6&y`)Vy=4$C?Nzn{7Vd+K(DOtnS zTxhC>S!2mr%S^PSYZ_H^uBB&crnZ?=jb?t@9DZE0X4M#Kv!R+Mplh0SOCPIf$z+Y$ zk+$T7r6ue~7$N+ka8&~4EjeuwZb!)eEgB+`>4jf~u+@=KL8$R^Ih9pOX`Tuf&YlhB z(9(z`@#mg@&PCJDms;f%oR##ZOTm@&$7QlK(jDgUmy9n{#cxdEqk|EGurT7NTO)Oo zZ3j!3eGcIoOomJs!ev5ZDH*&t0IH}qs%)tWAQuC0G2n)lnp$&ORhlj*!acN2Q>+#e z-5IK@g+FTtRV5^w@X@P6j+lhi0o!4rw3Z@5csRa~0Fz_hj?3c`EbPZV#?|5f@?!Pi)mUcP58)pykcq|@o2a6j@+evr$-8ebrcvbu++$wk6s< zI-a>zzGR?ViXW*ZaBB(NI-x9^4mx(?uF%AKxD@@CV}L_SAYxz8D(0V}Cds!S=KKXP zwJTH!jv@q=cZNJDWFRugjld`e=sU|I^@x=Xw>&`0T|x!~KbM2na?q+OY0~u+At#-h z)-Cn2tehg^cj4Ahq4DGox$#H%F#e+*v)@}0sb_Jvy;w)9nq*TY)h}`}M2(2wcOkJt zRZL~{$}cn1Oew9lNwQ(c9bmW;3|E5Tm{O!cl%*1UKboB4AdP(^egtkvc0M`|SRqS#l8BQkwX~wP z6LIq0)S)H?$~2yE0wXrqb`XntA}IE1o`#T|&VD@+zn*c2R~UiZ5E_5*=8@v{)!~fA zSo1)enDPMEK53%lYItNF@sf>uwIPLSVXA4Z2sc-}S@v7KB$b`K`7Xu55 zb=Zq_*o$>&EDI#d^woZ$xHWR7ldKc%H0=%4mltUiQ&LN7R)>^jD*f?Zt~=bzAq~%R z5^u(ivZ9fSId9l{&ve%NSg#(c$;?f~eDD@Za++O#d=tFc1aD?BZ`h(%lCwv$wvdob zi-@xwCMWaJIgUHR$6Otj$G0VfXOTIF1Ma2Oc1yBa3{_Snjdk0@aO*I0>l_E{+-FOR zy2W0=HRjfNj$7w%=3=J?4W75Vm~*XaEA}=?&!~o+RwTFm?1qQC;h~7S;iDHgs26VI zYP}vyE_#WIKdcmgbT<{kKTe1Zg7On5yMFrC*UPS$-I0*VKYNgCl@q$j{JH>%%o5m5 zIjV*WtBKfVw2_ksSHpF7dJcw6zLV4=f@S&`KK@hlFhjm6@CF{zL>8xe<%EbM6qPv7_zVYhSE4tvJ2dD&X7;03dp*<8#f z+Y$@G-wdOhnNh+y8+nE0J9F@E9utA!~vzVg7ySjm!W6V3OkUsvfAj6_n>+8M39`TT&#=v=xUeT9dsQR^H#>r z^VM`mF^+9^_4`%010;8Vwp_ptzU zb}ndeihDF6mpI?-!hNu0%-z02_qcX{L!ajc)a^aAx0qQIK?=mY7bbg|JHK^d$MVs8 zUD)5zEnEx(vA>r0(mlm+RfJzor!fx0kv%}&!%%Z}wpOQ6neW~9YGg?N)w4Sv` z#`UG$;q|59{;-esh|B$tbORR~uxmU*cNXKG)Y?@=O6rD`OzAS4Mt6euP8OCw`N4kF zg?@~_&eaYW10SXPi$SwPzJ!=up&G2O?Fa6DhWlq1_b>GIqGOgj=GuGfTG#mF^kt46 z5&V^2OScy@Znx_HE8Xp2upJBr*=O^TztRfvZ*;QR(b|OLDLaqmGzDiaEvexy<_U@u zIv>SBKl~)EAi^|kO_pk($)2KTDQW^ITK2k&ju`qh^QcN_{5yStS_ZB-@c9CtC?U_l z$g}<$J;!{(?qCV!$N7FR6T-CT=_NpfL>GOI9`!W!AYK5(i*&M0@CoSK!Y|PoxZA)E zTF{948l4P*de4-Sm(i=4TJAW2zv6Oe_c)Y6k`m&lTA<$#S?8)w`v;ZHxmpIU<+;uh z51i2J0{i!jnT^w7p+a2G_#Q9hUZuF0AmT`e^lNmcj4P#PT#T?=k33gCq<}*$T5 zF_#kYQr}Jsq+0^gyCD4rlb$8yc2gXch|+|p?6q_AxXL7c>f`#794I zYvOUr<`cUzq5BC96xF{yKDRR1PiTORUpejoJLo?!)G7X#nYsbdIY^24DQ%LC<}B+V zI1f53KckX&XDB6bQ_14fiHW%LXrJ@vfcnDad{t-xt}4Wm9sr~0osGJpXWE+ zOalPdget^qLpbZs4^@iSh1h8~E;K$5N>jbFC=56V3qsqep0zSr4B-W=K|Yyt;VM;k7Qp3|%u)wSNvML+-ioln%^7kYB=SU$jw3YVf%gS^@i__3_cLOS=Yqtv3w2>US_ z90x+@y%Djx25%aAtVJ`h&2qXrHf!kU5mx^gpZA5vc`1+E8F8ieE|Zlcwot2zoiPyE ziPY|lu$l>~6yZE8ZJzbF`eH3eKIbrza}dkV?-fGM-euofL+D?;&B*BllfGT4rQ&KE zlP29q7Ax7)L?*{9O{50P#p;rJCdSR=MWIF`|Mm=sGv#h)+j?q3Y`oy@|0mVaQyU8L z)`li_;lo1P_;IpTvlFAQQB~6FYXXxl;zY#8iw}P}Utq#r`5W-}JF3*c*u*_W^MG6; z1$&T!JxIZK%RF^5b%nb@?7eY`Rh#FVRoUm+SB}!yLdHIW_MSb!g;FtT9 zET7-sB!tfMRY!TlAe=V)-6h5Cc7Laozk*$>x{ z^rK4Y$M=!w|4B@05aU0!Qvb7ezFg`7JlJmPuYJUUPQc;pT({^iO&ErC2KJ07Z#uDXmB2Up=>$^gj(lOVmcH3 zbJ@HDo}Om3=&BNzH9q?tKpQ(Cu<_xm$pX4G8oY)q*4NSt!k~t64Q(mL+w4_GG^{P) zz6IQ`qY8{t*V81%syfNXI_urXr;H(4$K--R4*!JbyF9vV9+hsh?4sUc4D8cFLAPG` z?uGB+ozzKP_0}ABCS%jBcc!~XhAg0%G)9cyK%b*!Vec*EKB3}`^obBI^fmMQ(F^I| z5h`Y7wGA@^m+~N_JjkC2zjQ;m$qr$p8^TSrwO9!8bgn6>79!Y+2)6PFM&Ha~Fm;X; zN8Li07EQE|_ylQ=!gJvL!^j+j^btnk@U6E0+vv@rUDtjjnOkj;ECV4TQIG!i#MNsLCa_pm)%gz_>x1Ug1Uv!py6~m^%ny+ zaWR)V!!}6w1G^vCbMK~;qyBMyD zyeX*^##Jb=8>qWE>hIj>AGA?_Pp=E1LEZd8$`?a*(l%J&JmB+ye~7GsZgt62_As=5 z#Pzn)*7{NEE}bw)8`1v|v6Zy0)NMW)Eu&(Z&Y2_Ky3!v1x>8p2nAxo!Cp=7_u)+R7 z{X(r%ar~@zs`*>h6O{L)jt__$P5|b?DUY<}1y=c_i8dT-PKyRtaXf5fYnotHtEig> zBHh&E?gd@6n_V+(WIHEV8Ia#Js5A`j87ChHWIEe zm~^tE6~7wE3l$!THo>}wTbGF)n+f+nOd94|4~6wmkM$N<_j2noVn-k0=*^_Du5}Hp zYdqFlVZDu8GqK}M!c`TM0(j-KJmIo|NjrG%PREfk8pLgdop1g= zFP!aJxf3hj;wxLkj$MSQl}Sn0dIqd#c&vBBdJngrD|Y-HJr~w@(k^by7pm=Dl?GOqy4%Yp;;_W77zp@fpe-5E-i z4>ed~zj5Nlw|QZqm&_+lxgJDYv+9l4sJ;F8eU<-HFgRof_)o&P5e@R;#1!#)c)*AK zk(&wI*je^3toV0fMPVOBgP+;^;dbIvjkztc_A~PAsLvfjw{Y0c$iv3nHTD2m@&z1q zlJp<$>oMqakeGCsz`8ldTMdqk7R{@DvUA@k$8ZnI73w6+q@8rEOZysMg>11lU@2sik) eQ95U2a+re)SS2o*g+9BF-015B6He75#eV_ZKjiiR literal 0 HcmV?d00001 diff --git a/regression/goto-diff/syntactic-diff1/test.desc b/regression/goto-diff/syntactic-diff1/test.desc new file mode 100644 index 0000000000..612daaa37b --- /dev/null +++ b/regression/goto-diff/syntactic-diff1/test.desc @@ -0,0 +1,10 @@ +KNOWNBUG +b.gb +a.gb +// Enable multi-line checking +activate-multi-line-match +EXIT=0 +SIGNAL=0 +new functions:\n\s+b.c: bar\nmodified functions:\n\s+b.c: main\ndeleted functions:\n\s+a.c: foo +-- +^warning: ignoring From 133c3d2c2005ab3b9edd92d6360b44bd7fd99b4d Mon Sep 17 00:00:00 2001 From: Michael Tautschnig Date: Mon, 3 Jul 2017 10:19:03 +0100 Subject: [PATCH 14/89] goto-diff: deleted functions cannot be found in goto_model2 --- src/goto-diff/goto_diff_base.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/goto-diff/goto_diff_base.cpp b/src/goto-diff/goto_diff_base.cpp index cd945b11a7..78807dbe73 100644 --- a/src/goto-diff/goto_diff_base.cpp +++ b/src/goto-diff/goto_diff_base.cpp @@ -47,7 +47,7 @@ std::ostream &goto_difft::output_functions(std::ostream &out) const it!=deleted_functions.end(); ++it) { const goto_programt &program= - goto_model2.goto_functions.function_map.at(*it).body; + goto_model1.goto_functions.function_map.at(*it).body; out << " " << program.instructions.begin()->source_location.get_file() << ": " << *it << "\n"; From 87cc5c22bb37a399a1b697032887766e72fac138 Mon Sep 17 00:00:00 2001 From: Michael Tautschnig Date: Mon, 3 Jul 2017 10:19:35 +0100 Subject: [PATCH 15/89] goto-diff: no whitespace in section headers at end-of-line Completes the fix of the regression test together with the previous commit. Test now marked as CORE. --- regression/goto-diff/syntactic-diff1/test.desc | 2 +- src/goto-diff/goto_diff_base.cpp | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/regression/goto-diff/syntactic-diff1/test.desc b/regression/goto-diff/syntactic-diff1/test.desc index 612daaa37b..6a47a3b1a3 100644 --- a/regression/goto-diff/syntactic-diff1/test.desc +++ b/regression/goto-diff/syntactic-diff1/test.desc @@ -1,4 +1,4 @@ -KNOWNBUG +CORE b.gb a.gb // Enable multi-line checking diff --git a/src/goto-diff/goto_diff_base.cpp b/src/goto-diff/goto_diff_base.cpp index 78807dbe73..f2af3eb4c4 100644 --- a/src/goto-diff/goto_diff_base.cpp +++ b/src/goto-diff/goto_diff_base.cpp @@ -20,7 +20,7 @@ std::ostream &goto_difft::output_functions(std::ostream &out) const case ui_message_handlert::uit::PLAIN: { out << "total number of functions: " << total_functions_count << "\n"; - out << "new functions: \n"; + out << "new functions:\n"; for(irep_id_sett::const_iterator it=new_functions.begin(); it!=new_functions.end(); ++it) { @@ -31,7 +31,7 @@ std::ostream &goto_difft::output_functions(std::ostream &out) const << ": " << *it << "\n"; } - out << "modified functions: \n"; + out << "modified functions:\n"; for(irep_id_sett::const_iterator it=modified_functions.begin(); it!=modified_functions.end(); ++it) { @@ -42,7 +42,7 @@ std::ostream &goto_difft::output_functions(std::ostream &out) const << ": " << *it << "\n"; } - out << "deleted functions: \n"; + out << "deleted functions:\n"; for(irep_id_sett::const_iterator it=deleted_functions.begin(); it!=deleted_functions.end(); ++it) { From 9714e1292064ffcf1da82ff09533a88bcf448187 Mon Sep 17 00:00:00 2001 From: Peter Schrammel Date: Mon, 3 Jul 2017 11:05:06 +0100 Subject: [PATCH 16/89] Rename linter filter script --- scripts/{filter_lint_by_diff.py => filter_by_diff.py} | 0 scripts/run_lint.sh | 4 ++-- 2 files changed, 2 insertions(+), 2 deletions(-) rename scripts/{filter_lint_by_diff.py => filter_by_diff.py} (100%) diff --git a/scripts/filter_lint_by_diff.py b/scripts/filter_by_diff.py similarity index 100% rename from scripts/filter_lint_by_diff.py rename to scripts/filter_by_diff.py diff --git a/scripts/run_lint.sh b/scripts/run_lint.sh index fa588f084a..b22e31d697 100755 --- a/scripts/run_lint.sh +++ b/scripts/run_lint.sh @@ -20,10 +20,10 @@ then exit 1 fi -if ! [[ -e $script_folder/filter_lint_by_diff.py ]] +if ! [[ -e $script_folder/filter_by_diff.py ]] then echo "Lint filter script could not be found in the $script_folder directory" - echo "Ensure filter_lint_by_diff.py is inside the $script_folder directory then run again" + echo "Ensure filter_by_diff.py is inside the $script_folder directory then run again" exit 1 fi From 428507bc4422a6b5c386a49f55e09b8d196b01c4 Mon Sep 17 00:00:00 2001 From: Peter Schrammel Date: Mon, 3 Jul 2017 11:07:32 +0100 Subject: [PATCH 17/89] Generalise filter_by_diff to output lines between warnings --- scripts/filter_by_diff.py | 33 +++++++++++++++++++++++++-------- scripts/run_lint.sh | 4 ++-- 2 files changed, 27 insertions(+), 10 deletions(-) diff --git a/scripts/filter_by_diff.py b/scripts/filter_by_diff.py index e018cce315..3e7689ddf5 100755 --- a/scripts/filter_by_diff.py +++ b/scripts/filter_by_diff.py @@ -4,21 +4,25 @@ import sys import unidiff import os.path -if len(sys.argv) != 3: - print >>sys.stderr, "Usage: filter_lint_by_diff.py diff.patch repository_root_directory < cpplint_warnings.txt" +if len(sys.argv) != 4: + print >>sys.stderr, "Usage: filter_by_diff.py diffed_file diff.patch repository_root_directory < warnings.txt" sys.exit(1) -repository_root = sys.argv[2] +diffed_file = sys.argv[1] +diff_file = sys.argv[2] +repository_root = sys.argv[3] # Create a set of all the files and the specific lines within that file that are in the diff added_lines = set() -for diff_file in unidiff.PatchSet.from_filename(sys.argv[1]): +for diff_file in unidiff.PatchSet.from_filename(diff_file): filename = diff_file.target_file # Skip files deleted in the tip (b side of the diff): if filename == "/dev/null": continue assert filename.startswith("b/") filename = os.path.join(repository_root, filename[2:]) + if filename != diffed_file: + continue added_lines.add((filename, 0)) for diff_hunk in diff_file: for diff_line in diff_hunk: @@ -26,11 +30,24 @@ for diff_file in unidiff.PatchSet.from_filename(sys.argv[1]): added_lines.add((filename, diff_line.target_line_no)) # Print the lines that are in the set +found = False for line in sys.stdin: line_parts = line.split(":") if len(line_parts) < 3: + if found: + # Print lines between a matching warning and the next warning + sys.stdout.write(line) + continue + try: + linenum = int(line_parts[1]) + found = False + filename = line_parts[0] + if not repository_root in filename: + filename = os.path.join(repository_root, line_parts[0]) + if (filename, linenum) in added_lines: + found = True + sys.stdout.write(line) + except ValueError: + if found: + sys.stdout.write(line) continue - filename = os.path.join(repository_root, line_parts[0]) - linenum = int(line_parts[1]) - if (filename, linenum) in added_lines: - sys.stdout.write(line) diff --git a/scripts/run_lint.sh b/scripts/run_lint.sh index b22e31d697..ac3f18ffcd 100755 --- a/scripts/run_lint.sh +++ b/scripts/run_lint.sh @@ -22,7 +22,7 @@ fi if ! [[ -e $script_folder/filter_by_diff.py ]] then - echo "Lint filter script could not be found in the $script_folder directory" + echo "Filter script could not be found in the $script_folder directory" echo "Ensure filter_by_diff.py is inside the $script_folder directory then run again" exit 1 fi @@ -69,7 +69,7 @@ for file in $diff_files; do # Run the linting script and filter: # The errors from the linter go to STDERR so must be redirected to STDOUT - result=`$script_folder/cpplint.py $file 2>&1 >/dev/null | $script_folder/filter_lint_by_diff.py $diff_file $absolute_repository_root` + result=`$script_folder/cpplint.py $file 2>&1 >/dev/null | $script_folder/filter_by_diff.py $file $diff_file $absolute_repository_root` # Providing some errors were relevant we print them out if [ "$result" ] From 7af068eb2e18d23641c54ed2d8d41dbd7a287ccb Mon Sep 17 00:00:00 2001 From: Peter Schrammel Date: Mon, 3 Jul 2017 11:12:08 +0100 Subject: [PATCH 18/89] Generalise run_lint to run with different tools --- scripts/run_lint.sh | 41 ++++++++++++++++++++++++++--------------- scripts/travis_lint.sh | 4 ++-- 2 files changed, 28 insertions(+), 17 deletions(-) diff --git a/scripts/run_lint.sh b/scripts/run_lint.sh index ac3f18ffcd..625d3f4fe9 100755 --- a/scripts/run_lint.sh +++ b/scripts/run_lint.sh @@ -4,22 +4,17 @@ set -e script_folder=`dirname $0` absolute_repository_root=`git rev-parse --show-toplevel` +mode=$1 -if [[ "$#" -gt 2 ]] +if [[ "$#" -gt 3 ]] then - echo "Script for running the CPP linter only on modified lines. Arguments:" + echo "Script for running a checker script only on modified lines. Arguments:" + echo "mode - tool to run: CPPLINT" echo "target - a git reference to the branch we want to compare against (default: 'master')" echo "tip - a git reference to the commit with changes (default: current working tree)" exit 1 fi -if ! [[ -e $script_folder/cpplint.py ]] -then - echo "Lint script could not be found in the $script_folder directory" - echo "Ensure cpplint.py is inside the $script_folder directory then run again" - exit 1 -fi - if ! [[ -e $script_folder/filter_by_diff.py ]] then echo "Filter script could not be found in the $script_folder directory" @@ -27,17 +22,33 @@ then exit 1 fi -if [[ "$#" -gt 0 ]] +if [[ "$mode" == "CPPLINT" ]] then - git_start=$1 + if ! [[ -e $script_folder/cpplint.py ]] + then + echo "Lint script could not be found in the $script_folder directory" + echo "Ensure cpplint.py is inside the $script_folder directory then run again" + exit 1 + else + cmd='$script_folder/cpplint.py $file 2>&1 >/dev/null' + fi else - git_start="master" + echo "Mode $mode not recognized" + echo "Possible values: CPPLINT" + exit 1 fi if [[ "$#" -gt 1 ]] then - git_end=$2 - git_merge_base_end=$2 + git_start=$2 +else + git_start="master" +fi + +if [[ "$#" -gt 2 ]] +then + git_end=$3 + git_merge_base_end=$3 else git_end="" git_merge_base_end="HEAD" @@ -69,7 +80,7 @@ for file in $diff_files; do # Run the linting script and filter: # The errors from the linter go to STDERR so must be redirected to STDOUT - result=`$script_folder/cpplint.py $file 2>&1 >/dev/null | $script_folder/filter_by_diff.py $file $diff_file $absolute_repository_root` + result=`eval $cmd | $script_folder/filter_by_diff.py $file $diff_file $absolute_repository_root` # Providing some errors were relevant we print them out if [ "$result" ] diff --git a/scripts/travis_lint.sh b/scripts/travis_lint.sh index dc1ffb0b81..29f952d719 100755 --- a/scripts/travis_lint.sh +++ b/scripts/travis_lint.sh @@ -6,8 +6,8 @@ script_folder=`dirname $0` pip install --user unidiff if [ "$TRAVIS_PULL_REQUEST" == "false" ]; then - $script_folder/run_lint.sh HEAD~1 # Check for errors introduced in last commit + $script_folder/run_lint.sh CPPLINT HEAD~1 # Check for errors introduced in last commit else - $script_folder/run_lint.sh $TRAVIS_BRANCH # Check for errors compared to merge target + $script_folder/run_lint.sh CPPLINT $TRAVIS_BRANCH # Check for errors compared to merge target fi From 64a3ab5b6497e6a3b5e2eb1b946d5973b96e67a0 Mon Sep 17 00:00:00 2001 From: Peter Schrammel Date: Mon, 3 Jul 2017 11:13:18 +0100 Subject: [PATCH 19/89] Rename run_lint to run_diff --- scripts/run_diff.sh | 94 ++++++++++++++++++++++++++++++++++++++++++ scripts/run_lint.sh | 91 +--------------------------------------- scripts/travis_lint.sh | 5 +-- 3 files changed, 97 insertions(+), 93 deletions(-) create mode 100755 scripts/run_diff.sh diff --git a/scripts/run_diff.sh b/scripts/run_diff.sh new file mode 100755 index 0000000000..3ef031bdc7 --- /dev/null +++ b/scripts/run_diff.sh @@ -0,0 +1,94 @@ +#!/bin/bash + +set -e + +script_folder=`dirname $0` +absolute_repository_root=`git rev-parse --show-toplevel` +mode=$1 + +if [[ "$#" -gt 3 ]] +then + echo "Script for running a checker script only on modified lines. Arguments:" + echo "mode - tool to run: CPPLINT" + echo "target - a git reference to the branch we want to compare against (default: 'master')" + echo "tip - a git reference to the commit with changes (default: current working tree)" + exit 1 +fi + +if ! [[ -e $script_folder/filter_by_diff.py ]] +then + echo "Filter script could not be found in the $script_folder directory" + echo "Ensure filter_by_diff.py is inside the $script_folder directory then run again" + exit 1 +fi + +if [[ "$mode" == "CPPLINT" ]] +then + if ! [[ -e $script_folder/cpplint.py ]] + then + echo "Lint script could not be found in the $script_folder directory" + echo "Ensure cpplint.py is inside the $script_folder directory then run again" + exit 1 + else + cmd='$script_folder/cpplint.py $file 2>&1 >/dev/null' + fi +else + echo "Mode $mode not recognized" + echo "Possible values: CPPLINT" + exit 1 +fi + +if [[ "$#" -gt 1 ]] +then + git_start=$2 +else + git_start="master" +fi + +if [[ "$#" -gt 2 ]] +then + git_end=$3 + git_merge_base_end=$3 +else + git_end="" + git_merge_base_end="HEAD" +fi + +git_start=`git merge-base $git_start $git_merge_base_end` + +cleanup() +{ + rm -f $diff_file +} + +trap cleanup EXIT + +diff_file=`mktemp` + +git diff $git_start $git_end > $diff_file + +# Get the list of files that have changed +diff_files=`git diff --name-only $git_start $git_end` + +for file in $diff_files; do + file=$absolute_repository_root/$file + # If the file has been deleted we don't want to run the linter on it + if ! [[ -e $file ]] + then + continue + fi + + # Run the linting script and filter: + # The errors from the linter go to STDERR so must be redirected to STDOUT + result=`eval $cmd | $script_folder/filter_by_diff.py $file $diff_file $absolute_repository_root` + + # Providing some errors were relevant we print them out + if [ "$result" ] + then + are_errors=1 + (>&2 echo "$result") + fi +done + +# Return an error code if errors are found +exit $are_errors diff --git a/scripts/run_lint.sh b/scripts/run_lint.sh index 625d3f4fe9..434fb7a247 100755 --- a/scripts/run_lint.sh +++ b/scripts/run_lint.sh @@ -1,94 +1,5 @@ #!/bin/bash -set -e - script_folder=`dirname $0` -absolute_repository_root=`git rev-parse --show-toplevel` -mode=$1 -if [[ "$#" -gt 3 ]] -then - echo "Script for running a checker script only on modified lines. Arguments:" - echo "mode - tool to run: CPPLINT" - echo "target - a git reference to the branch we want to compare against (default: 'master')" - echo "tip - a git reference to the commit with changes (default: current working tree)" - exit 1 -fi - -if ! [[ -e $script_folder/filter_by_diff.py ]] -then - echo "Filter script could not be found in the $script_folder directory" - echo "Ensure filter_by_diff.py is inside the $script_folder directory then run again" - exit 1 -fi - -if [[ "$mode" == "CPPLINT" ]] -then - if ! [[ -e $script_folder/cpplint.py ]] - then - echo "Lint script could not be found in the $script_folder directory" - echo "Ensure cpplint.py is inside the $script_folder directory then run again" - exit 1 - else - cmd='$script_folder/cpplint.py $file 2>&1 >/dev/null' - fi -else - echo "Mode $mode not recognized" - echo "Possible values: CPPLINT" - exit 1 -fi - -if [[ "$#" -gt 1 ]] -then - git_start=$2 -else - git_start="master" -fi - -if [[ "$#" -gt 2 ]] -then - git_end=$3 - git_merge_base_end=$3 -else - git_end="" - git_merge_base_end="HEAD" -fi - -git_start=`git merge-base $git_start $git_merge_base_end` - -cleanup() -{ - rm -f $diff_file -} - -trap cleanup EXIT - -diff_file=`mktemp` - -git diff $git_start $git_end > $diff_file - -# Get the list of files that have changed -diff_files=`git diff --name-only $git_start $git_end` - -for file in $diff_files; do - file=$absolute_repository_root/$file - # If the file has been deleted we don't want to run the linter on it - if ! [[ -e $file ]] - then - continue - fi - - # Run the linting script and filter: - # The errors from the linter go to STDERR so must be redirected to STDOUT - result=`eval $cmd | $script_folder/filter_by_diff.py $file $diff_file $absolute_repository_root` - - # Providing some errors were relevant we print them out - if [ "$result" ] - then - are_errors=1 - (>&2 echo "$result") - fi -done - -# Return an error code if errors are found -exit $are_errors +$script_folder/run_diff.sh CPPLINT "$@" diff --git a/scripts/travis_lint.sh b/scripts/travis_lint.sh index 29f952d719..036605237e 100755 --- a/scripts/travis_lint.sh +++ b/scripts/travis_lint.sh @@ -6,8 +6,7 @@ script_folder=`dirname $0` pip install --user unidiff if [ "$TRAVIS_PULL_REQUEST" == "false" ]; then - $script_folder/run_lint.sh CPPLINT HEAD~1 # Check for errors introduced in last commit + $script_folder/run_diff.sh CPPLINT HEAD~1 # Check for errors introduced in last commit else - $script_folder/run_lint.sh CPPLINT $TRAVIS_BRANCH # Check for errors compared to merge target + $script_folder/run_diff.sh CPPLINT $TRAVIS_BRANCH # Check for errors compared to merge target fi - From 9ad6bc27d2b235dfe1d8499005622b446d6d405e Mon Sep 17 00:00:00 2001 From: Daniel Neville Date: Tue, 4 Jul 2017 13:48:59 +0100 Subject: [PATCH 20/89] tvt's || operator is not marked as const, despite it being safe to mark it as such, and all other similar methods being marked as const. This commit marks the method as const. --- src/util/threeval.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/util/threeval.h b/src/util/threeval.h index 6bf3f0ebec..215d3cdecf 100644 --- a/src/util/threeval.h +++ b/src/util/threeval.h @@ -74,7 +74,7 @@ public: return unknown(); } - tvt operator||(const tvt other) + tvt operator||(const tvt other) const { if(is_true() || other.is_true()) return tvt(true); From f9664aa948836cdf91a0993360398e747c4ab161 Mon Sep 17 00:00:00 2001 From: Kareem Khazem Date: Tue, 27 Jun 2017 11:50:45 +0100 Subject: [PATCH 21/89] Use native objcopy when linking with GCC goto-cc calls objcopy with a native prefix if GCC is being used to link several object files, and the name of the compiler begins with some native prefix (like arm-none-eabi-gcc). Previously, goto-cc would only prepend a native prefix to objcopy if the linker command had a native prefix. This commit causes goto-cc to work on codebases that use GCC rather than LD to link, and that use a cross-compiler with a native-prefixed name. --- src/goto-cc/gcc_mode.cpp | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/src/goto-cc/gcc_mode.cpp b/src/goto-cc/gcc_mode.cpp index ce2fa4405e..d9204c9f51 100644 --- a/src/goto-cc/gcc_mode.cpp +++ b/src/goto-cc/gcc_mode.cpp @@ -22,6 +22,7 @@ Author: CM Wintersteiger, 2006 #include #include +#include #include #include #include @@ -442,7 +443,7 @@ int gcc_modet::doit() else if(cmdline.isset('E')) { compiler.mode=compilet::PREPROCESS_ONLY; - assert(false); + UNREACHABLE; } else if(cmdline.isset("shared") || cmdline.isset('r')) // really not well documented @@ -464,7 +465,6 @@ int gcc_modet::doit() debug() << "Compiling and linking a library" << eom; break; case compilet::COMPILE_LINK_EXECUTABLE: debug() << "Compiling and linking an executable" << eom; break; - default: assert(false); } if(cmdline.isset("i386-win32") || @@ -718,7 +718,7 @@ int gcc_modet::preprocess( new_argv.push_back(src); // overwrite argv[0] - assert(new_argv.size()>=1); + INVARIANT(new_argv.size()>=1, "No program name in argv"); new_argv[0]=native_tool_name.c_str(); #if 0 @@ -734,7 +734,7 @@ int gcc_modet::preprocess( /// run gcc or clang with original command line int gcc_modet::run_gcc() { - assert(!cmdline.parsed_argv.empty()); + PRECONDITION(!cmdline.parsed_argv.empty()); // build new argv std::vector new_argv; @@ -823,6 +823,11 @@ int gcc_modet::gcc_hybrid_binary() objcopy_cmd=linker_name(cmdline, base_name); objcopy_cmd.erase(objcopy_cmd.size()-2); } + else if(has_suffix(compiler_name(cmdline, base_name), "-gcc")) + { + objcopy_cmd=compiler_name(cmdline, base_name); + objcopy_cmd.erase(objcopy_cmd.size()-3); + } objcopy_cmd+="objcopy"; int result=run_gcc(); From de657ed1092c62253494dacdc782e7e02a7caf75 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matthias=20G=C3=BCdemann?= Date: Tue, 4 Jul 2017 22:59:22 +0200 Subject: [PATCH 22/89] Add Kahn's algorithm to graph.h --- src/util/graph.h | 56 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) diff --git a/src/util/graph.h b/src/util/graph.h index 6ef7976ad0..11b7b98af2 100644 --- a/src/util/graph.h +++ b/src/util/graph.h @@ -19,6 +19,9 @@ Author: Daniel Kroening, kroening@kroening.com #include #include #include +#include + +#include "invariant.h" class empty_edget { @@ -226,6 +229,13 @@ public: // return value: number of SCCs std::size_t SCCs(std::vector &subgraph_nr); + bool is_dag() const + { + return empty() || !topsort().empty(); + } + + std::list topsort() const; + void output_dot(std::ostream &out) const; void output_dot_node(std::ostream &out, node_indext n) const; @@ -570,6 +580,52 @@ void grapht::make_chordal() } } +/// Find a topological order of the nodes if graph is DAG, return empty list for +/// non-DAG or empty graph. Uses Kahn's algorithm running in O(#edges+#nodes). +template +std::list::node_indext> grapht::topsort() const +{ + // list of topologically sorted nodes + std::list nodelist; + // queue of working set nodes with in-degree zero + std::queue indeg0_nodes; + // in-degree for each node + std::vector in_deg(nodes.size(), 0); + + // abstract graph as in-degree of each node + for(node_indext idx=0; idx void grapht::output_dot(std::ostream &out) const { From ebb745ff753c71b889f36555af3043c647ac4cee Mon Sep 17 00:00:00 2001 From: Peter Schrammel Date: Mon, 3 Jul 2017 16:56:53 +0100 Subject: [PATCH 23/89] Extend run_diff to doxygen --- scripts/run_diff.sh | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/scripts/run_diff.sh b/scripts/run_diff.sh index 3ef031bdc7..43d43f7577 100755 --- a/scripts/run_diff.sh +++ b/scripts/run_diff.sh @@ -5,11 +5,12 @@ set -e script_folder=`dirname $0` absolute_repository_root=`git rev-parse --show-toplevel` mode=$1 +modes="CPPLINT | DOXYGEN" if [[ "$#" -gt 3 ]] then echo "Script for running a checker script only on modified lines. Arguments:" - echo "mode - tool to run: CPPLINT" + echo "mode - tool to run: $modes" echo "target - a git reference to the branch we want to compare against (default: 'master')" echo "tip - a git reference to the commit with changes (default: current working tree)" exit 1 @@ -32,9 +33,23 @@ then else cmd='$script_folder/cpplint.py $file 2>&1 >/dev/null' fi +elif [[ "$mode" == "DOXYGEN" ]] +then + doxygen=doxygen + doxygenlogdir="doc/html" + doxygenlog="$doxygenlogdir/doxygen.log" + if ! $doxygen --version &>/dev/null + then + echo "Lint script could not be found in the $script_folder directory" + echo "Ensure cpplint.py is inside the $script_folder directory then run again" + exit 1 + else + mkdir -p $doxygenlogdir && cd src && $doxygen &> ../$doxygenlog && cd .. + cmd='cat $doxygenlog' + fi else echo "Mode $mode not recognized" - echo "Possible values: CPPLINT" + echo "Possible values: $modes" exit 1 fi From 4cd6c0cf80ad6f4cebd019a4c7043a953d1fc9c5 Mon Sep 17 00:00:00 2001 From: Peter Schrammel Date: Mon, 3 Jul 2017 11:29:01 +0100 Subject: [PATCH 24/89] Enable doxygen warnings for undocumented parameters --- src/doxyfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/doxyfile b/src/doxyfile index 7d894c4e70..5337aa3c7a 100644 --- a/src/doxyfile +++ b/src/doxyfile @@ -737,7 +737,7 @@ WARN_IF_DOC_ERROR = YES # parameter documentation, but not about the absence of documentation. # The default value is: NO. -WARN_NO_PARAMDOC = NO +WARN_NO_PARAMDOC = YES # If the WARN_AS_ERROR tag is set to YES then doxygen will immediately stop when # a warning is encountered. From c9acbeee9179ea2757d13ebf2defea0aa01dfdd3 Mon Sep 17 00:00:00 2001 From: Peter Schrammel Date: Mon, 3 Jul 2017 16:57:07 +0100 Subject: [PATCH 25/89] Report doxygen warnings on travis --- .travis.yml | 9 +++++++++ scripts/travis_doxygen.sh | 12 ++++++++++++ 2 files changed, 21 insertions(+) create mode 100755 scripts/travis_doxygen.sh diff --git a/.travis.yml b/.travis.yml index bb5f03e72e..0cf80acccf 100644 --- a/.travis.yml +++ b/.travis.yml @@ -134,6 +134,15 @@ matrix: script: scripts/travis_lint.sh before_cache: + - env: NAME="DOXYGEN-CHECK" + addons: + apt: + packages: + - doxygen + install: + script: scripts/travis_doxygen.sh + before_cache: + allow_failures: - env: NAME="CPP-LINT" install: diff --git a/scripts/travis_doxygen.sh b/scripts/travis_doxygen.sh new file mode 100755 index 0000000000..78adcff3c1 --- /dev/null +++ b/scripts/travis_doxygen.sh @@ -0,0 +1,12 @@ +#!/bin/bash + +set -e + +script_folder=`dirname $0` +pip install --user unidiff + +if [ "$TRAVIS_PULL_REQUEST" == "false" ]; then + $script_folder/run_diff.sh DOXYGEN HEAD~1 # Check for errors introduced in last commit +else + $script_folder/run_diff.sh DOXYGEN $TRAVIS_BRANCH # Check for errors compared to merge target +fi From 0043abf9d6e162f6b3e102fc77de9fa64e0fa325 Mon Sep 17 00:00:00 2001 From: Kareem Khazem Date: Wed, 5 Jul 2017 18:51:28 +0100 Subject: [PATCH 26/89] [goto-gcc] Add arch flags for x86_64, power, hppa goto-gcc now selects the correct architecture when x86_64, power, or HP-PA specific flags are passed to -mtune, -march or -mcpu. --- src/goto-cc/gcc_mode.cpp | 74 ++++++++++++++++++++++++++++++++++------ 1 file changed, 64 insertions(+), 10 deletions(-) diff --git a/src/goto-cc/gcc_mode.cpp b/src/goto-cc/gcc_mode.cpp index ce2fa4405e..9e0fbed99e 100644 --- a/src/goto-cc/gcc_mode.cpp +++ b/src/goto-cc/gcc_mode.cpp @@ -136,7 +136,45 @@ gcc_modet::gcc_modet( }}, // NOLINTNEXTLINE(whitespace/braces) {"arm64", { "cortex-a57", "cortex-a72", "exynos-m1" + }}, // NOLINTNEXTLINE(whitespace/braces) + {"hppa", {"1.0", "1.1", "2.0"}}, // NOLINTNEXTLINE(whitespace/braces) + // PowerPC + // https://en.wikipedia.org/wiki/List_of_PowerPC_processors + // NOLINTNEXTLINE(whitespace/braces) + {"powerpc", { + "powerpc", "601", "602", "603", "603e", "604", "604e", "630", + // PowerPC G3 == 7xx series + "G3", "740", "750", + // PowerPC G4 == 74xx series + "G4", "7400", "7450", + // SoC and low power: https://en.wikipedia.org/wiki/PowerPC_400 + "401", "403", "405", "405fp", "440", "440fp", "464", "464fp", + "476", "476fp", + // e series. x00 are 32-bit, x50 are 64-bit. See e.g. + // https://en.wikipedia.org/wiki/PowerPC_e6500 + "e300c2", "e300c3", "e500mc", "ec603e", + // https://en.wikipedia.org/wiki/Titan_(microprocessor) + "titan", }}, + // NOLINTNEXTLINE(whitespace/braces) + {"powerpc64", { + "powerpc64", + // First IBM 64-bit processor + "620", + "970", "G5" + // All IBM POWER processors are 64 bit, but POWER 8 is + // little-endian so not in this list. + // https://en.wikipedia.org/wiki/Ppc64 + "power3", "power4", "power5", "power5+", "power6", "power6x", + "power7", "rs64", + // e series SoC chips. x00 are 32-bit, x50 are 64-bit. See e.g. + // https://en.wikipedia.org/wiki/PowerPC_e6500 + "e500mc64", "e5500", "e6500", + // https://en.wikipedia.org/wiki/IBM_A2 + "a2", + }}, + // The latest Power processors are little endian. + {"powerpc64le", {"powerpc64le", "power8"}}, // There are two MIPS architecture series. The 'old' one comprises // MIPS I - MIPS V (where MIPS I and MIPS II are 32-bit // architectures, and the III, IV and V are 64-bit). The 'new' @@ -214,17 +252,33 @@ gcc_modet::gcc_modet( {"ia64", { "itanium", "itanium1", "merced", "itanium2", "mckinley" }}, // NOLINTNEXTLINE(whitespace/braces) + // x86 and x86_64. See + // https://en.wikipedia.org/wiki/List_of_AMD_microprocessors + // https://en.wikipedia.org/wiki/List_of_Intel_microprocessors {"i386", { - "i386", "i486", "i586", "pentium", "pentium-mmx", "pentiumpro", - "i686", "pentium2", "pentium3", "pentium3m", "pentium-m", - "pentium4", "pentium4m", "prescott", "nocona", "core2", "nehalem", - "westmere", "sandybridge", "ivybridge", "haswell", "broadwell", - "bonnell", "silvermont", "k6", "k6-2", "k6-3", "athlon", - "athlon-tbird", "athlon-4", "athlon-xp", "athlon-mp", "k8", - "opteron", "athlon64", "athlon-fx", "k8-sse3", "opteron-sse3", - "athlon64-sse3", "amdfam10", "barcelona", "bdver1", "bdver2", - "bdver3", "bdver4", "btver1", "btver2", "winchip-c6", "winchip2", - "c3", "c3-2", "geode", + // Intel generic + "i386", "i486", "i586", "i686", + // AMD + "k6", "k6-2", "k6-3", "athlon" "athlon-tbird", "athlon-4", + "athlon-xp", "athlon-mp", + // Everything called "pentium" by GCC is 32 bits; the only 64-bit + // Pentium flag recognized by GCC is "nocona". + "pentium", "pentium-mmx", "pentiumpro" "pentium2", "pentium3", + "pentium3m", "pentium-m" "pentium4", "pentium4m", "prescott", + // Misc + "winchip-c6", "winchip2", "c3", "c3-2", "geode", + }}, // NOLINTNEXTLINE(whitespace/braces) + {"x86_64", { + // Intel + "nocona", "core2", "nehalem" "westmere", "sandybridge", "knl", + "ivybridge", "haswell", "broadwell" "bonnell", "silvermont", + // AMD generic + "k8", "k8-sse3", "opteron", "athlon64", "athlon-fx", + "opteron-sse3" "athlon64-sse3", "amdfam10", "barcelona", + // AMD "bulldozer" (high power, family 15h) + "bdver1", "bdver2" "bdver3", "bdver4", + // AMD "bobcat" (low power, family 14h) + "btver1", "btver2", }}, }) { From 2cb56f643b01b9f6009c0e60fb7e0fa389266952 Mon Sep 17 00:00:00 2001 From: Michael Tautschnig Date: Thu, 6 Jul 2017 15:57:34 +0100 Subject: [PATCH 27/89] Do not constant propagate multiplication unconditionally The previous code was a non-trivial expression always returning true. Fixes: #351 --- src/goto-symex/goto_symex_state.cpp | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/goto-symex/goto_symex_state.cpp b/src/goto-symex/goto_symex_state.cpp index d88e9c68ba..361669c5be 100644 --- a/src/goto-symex/goto_symex_state.cpp +++ b/src/goto-symex/goto_symex_state.cpp @@ -125,8 +125,12 @@ bool goto_symex_statet::constant_propagation(const exprt &expr) const { // propagate stuff with sizeof in it forall_operands(it, expr) + { if(it->find(ID_C_c_sizeof_type).is_not_nil()) return true; + else if(!constant_propagation(*it)) + return false; + } return true; } From de356a07304a91b3137810672a572fb97c151d3d Mon Sep 17 00:00:00 2001 From: Kareem Khazem Date: Fri, 7 Jul 2017 14:35:09 +0100 Subject: [PATCH 28/89] [goto-cc] Print gcc command line before running it --- src/goto-cc/gcc_mode.cpp | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/src/goto-cc/gcc_mode.cpp b/src/goto-cc/gcc_mode.cpp index ce2fa4405e..2cff24f8ba 100644 --- a/src/goto-cc/gcc_mode.cpp +++ b/src/goto-cc/gcc_mode.cpp @@ -721,12 +721,10 @@ int gcc_modet::preprocess( assert(new_argv.size()>=1); new_argv[0]=native_tool_name.c_str(); - #if 0 - std::cout << "RUN:"; + debug() << "RUN:"; for(std::size_t i=0; i Date: Wed, 5 Jul 2017 08:37:57 +0100 Subject: [PATCH 29/89] [docs 1/5] Port existing HTML manual to doxygen * The existing HTML documentation under doc/html-manual has been converted to Markdown. This was done automatically using Pandoc, plus some manual work to give identifiers to sections and changing internal links to point to those sections with \ref. * The Doxygen front page now contains some content: a link to the doxygen-ated HTML manual, and a note about the API documentation. The intention here is that the entire Doxygen site could be hosted publicly, serving both users of and contributors to CBMC from a single site. * The doxyfile is updated to enable these changes. --- doc/CPPLINT.cfg | 1 + doc/architectural/front-page.md | 24 + doc/{html-manual => assets}/binsearch.c | 0 doc/{html-manual => assets}/c_to_ir.svg | 0 doc/{html-manual => assets}/cegar-1.png | Bin doc/{html-manual => assets}/counter.c | 0 .../boop-example => assets}/driver.c | 0 .../boop-example => assets}/driver.h | 0 doc/{html-manual => assets}/expr.c | 0 doc/{html-manual => assets}/expr.svg | 0 doc/{html-manual => assets}/file1.c | 0 doc/{html-manual => assets}/file2.c | 0 doc/{html-manual => assets}/gcc-wrap.c | 0 doc/{html-manual => assets}/goto_program.svg | 0 doc/{html-manual => assets}/ireptree.svg | 0 .../boop-example => assets}/kdev_t.h | 0 .../lock-example-fixed.c | 0 doc/{html-manual => assets}/lock-example.c | 0 .../boop-example => assets}/modules.h | 0 doc/{html-manual => assets}/pid.c | 0 doc/{html-manual => assets}/pid.png | Bin doc/{html-manual => assets}/refinement.png | Bin doc/{html-manual => assets}/ring_buffer1.c | 0 doc/{html-manual => assets}/ring_buffer2.c | 0 .../boop-example => assets}/spec.c | 0 doc/{html-manual => assets}/states.png | Bin doc/cprover-manual.md | 2982 +++++++++++++++++ doc/html-manual/api.shtml | 323 -- doc/html-manual/architecture.shtml | 93 - doc/html-manual/cbmc-loops.shtml | 233 -- doc/html-manual/cbmc.shtml | 377 --- doc/html-manual/counter.v | 10 - doc/html-manual/cover.shtml | 276 -- doc/html-manual/cprover-source.shtml | 877 ----- doc/html-manual/footer.inc | 5 - doc/html-manual/goto-cc-apache.shtml | 69 - doc/html-manual/goto-cc-linux.shtml | 97 - doc/html-manual/goto-cc-rockbox.shtml | 83 - doc/html-manual/goto-cc-variants.shtml | 48 - doc/html-manual/goto-cc-visual-studio.shtml | 57 - doc/html-manual/goto-cc.shtml | 144 - doc/html-manual/header.inc | 23 - doc/html-manual/highlight/CHANGES.md | 1610 --------- doc/html-manual/highlight/LICENSE | 24 - doc/html-manual/highlight/README.md | 150 - doc/html-manual/highlight/README.ru.md | 142 - doc/html-manual/highlight/highlight.pack.js | 2 - doc/html-manual/highlight/styles/agate.css | 108 - .../highlight/styles/androidstudio.css | 66 - .../highlight/styles/arduino-light.css | 88 - doc/html-manual/highlight/styles/arta.css | 73 - doc/html-manual/highlight/styles/ascetic.css | 45 - .../highlight/styles/atelier-cave-dark.css | 83 - .../highlight/styles/atelier-cave-light.css | 85 - .../highlight/styles/atelier-dune-dark.css | 69 - .../highlight/styles/atelier-dune-light.css | 69 - .../highlight/styles/atelier-estuary-dark.css | 84 - .../styles/atelier-estuary-light.css | 84 - .../highlight/styles/atelier-forest-dark.css | 69 - .../highlight/styles/atelier-forest-light.css | 69 - .../highlight/styles/atelier-heath-dark.css | 69 - .../highlight/styles/atelier-heath-light.css | 69 - .../styles/atelier-lakeside-dark.css | 69 - .../styles/atelier-lakeside-light.css | 69 - .../highlight/styles/atelier-plateau-dark.css | 84 - .../styles/atelier-plateau-light.css | 84 - .../highlight/styles/atelier-savanna-dark.css | 84 - .../styles/atelier-savanna-light.css | 84 - .../highlight/styles/atelier-seaside-dark.css | 69 - .../styles/atelier-seaside-light.css | 69 - .../styles/atelier-sulphurpool-dark.css | 69 - .../styles/atelier-sulphurpool-light.css | 69 - .../highlight/styles/brown-paper.css | 64 - .../highlight/styles/brown-papersq.png | Bin 18198 -> 0 bytes .../highlight/styles/codepen-embed.css | 60 - .../highlight/styles/color-brewer.css | 71 - doc/html-manual/highlight/styles/dark.css | 63 - doc/html-manual/highlight/styles/darkula.css | 6 - doc/html-manual/highlight/styles/default.css | 99 - doc/html-manual/highlight/styles/docco.css | 97 - doc/html-manual/highlight/styles/dracula.css | 76 - doc/html-manual/highlight/styles/far.css | 71 - .../highlight/styles/foundation.css | 88 - .../highlight/styles/github-gist.css | 71 - doc/html-manual/highlight/styles/github.css | 99 - .../highlight/styles/googlecode.css | 89 - .../highlight/styles/grayscale.css | 101 - .../highlight/styles/gruvbox-dark.css | 108 - .../highlight/styles/gruvbox-light.css | 108 - .../highlight/styles/hopscotch.css | 83 - doc/html-manual/highlight/styles/hybrid.css | 102 - doc/html-manual/highlight/styles/idea.css | 97 - doc/html-manual/highlight/styles/ir-black.css | 73 - .../highlight/styles/kimbie.dark.css | 74 - .../highlight/styles/kimbie.light.css | 74 - doc/html-manual/highlight/styles/magula.css | 70 - .../highlight/styles/mono-blue.css | 59 - .../highlight/styles/monokai-sublime.css | 83 - doc/html-manual/highlight/styles/monokai.css | 70 - doc/html-manual/highlight/styles/obsidian.css | 88 - .../highlight/styles/paraiso-dark.css | 72 - .../highlight/styles/paraiso-light.css | 72 - doc/html-manual/highlight/styles/pojoaque.css | 83 - doc/html-manual/highlight/styles/pojoaque.jpg | Bin 1186 -> 0 bytes .../highlight/styles/purebasic.css | 96 - .../highlight/styles/qtcreator_dark.css | 83 - .../highlight/styles/qtcreator_light.css | 83 - .../highlight/styles/railscasts.css | 106 - doc/html-manual/highlight/styles/rainbow.css | 85 - .../highlight/styles/school-book.css | 72 - .../highlight/styles/school-book.png | Bin 486 -> 0 bytes .../highlight/styles/solarized-dark.css | 84 - .../highlight/styles/solarized-light.css | 84 - doc/html-manual/highlight/styles/sunburst.css | 102 - .../highlight/styles/tomorrow-night-blue.css | 75 - .../styles/tomorrow-night-bright.css | 74 - .../styles/tomorrow-night-eighties.css | 74 - .../highlight/styles/tomorrow-night.css | 75 - doc/html-manual/highlight/styles/tomorrow.css | 72 - doc/html-manual/highlight/styles/vs.css | 68 - doc/html-manual/highlight/styles/xcode.css | 93 - doc/html-manual/highlight/styles/xt256.css | 92 - doc/html-manual/highlight/styles/zenburn.css | 80 - doc/html-manual/hwsw-inputs.shtml | 106 - doc/html-manual/hwsw-mapping.shtml | 131 - doc/html-manual/hwsw-tutorial.shtml | 220 -- doc/html-manual/hwsw.shtml | 116 - doc/html-manual/index.shtml | 62 - doc/html-manual/installation-cbmc.shtml | 80 - doc/html-manual/installation-plugin.shtml | 42 - doc/html-manual/installation-satabs.shtml | 139 - doc/html-manual/introduction.shtml | 162 - doc/html-manual/libraries.shtml | 54 - doc/html-manual/modeling-assertions.shtml | 152 - doc/html-manual/modeling-floating-point.shtml | 140 - doc/html-manual/modeling-nondet.shtml | 65 - doc/html-manual/modeling-pointers.shtml | 108 - doc/html-manual/pid_test_suites.xml | 500 --- doc/html-manual/properties.shtml | 208 -- doc/html-manual/satabs-aeon.shtml | 266 -- doc/html-manual/satabs-background.shtml | 152 - doc/html-manual/satabs-driver.shtml | 264 -- doc/html-manual/satabs-tutorials.shtml | 25 - doc/html-manual/satabs.shtml | 178 - src/doxyfile | 11 +- 145 files changed, 3013 insertions(+), 13567 deletions(-) create mode 100644 doc/CPPLINT.cfg create mode 100644 doc/architectural/front-page.md rename doc/{html-manual => assets}/binsearch.c (100%) rename doc/{html-manual => assets}/c_to_ir.svg (100%) rename doc/{html-manual => assets}/cegar-1.png (100%) rename doc/{html-manual => assets}/counter.c (100%) rename doc/{html-manual/boop-example => assets}/driver.c (100%) rename doc/{html-manual/boop-example => assets}/driver.h (100%) rename doc/{html-manual => assets}/expr.c (100%) rename doc/{html-manual => assets}/expr.svg (100%) rename doc/{html-manual => assets}/file1.c (100%) rename doc/{html-manual => assets}/file2.c (100%) rename doc/{html-manual => assets}/gcc-wrap.c (100%) rename doc/{html-manual => assets}/goto_program.svg (100%) rename doc/{html-manual => assets}/ireptree.svg (100%) rename doc/{html-manual/boop-example => assets}/kdev_t.h (100%) rename doc/{html-manual => assets}/lock-example-fixed.c (100%) rename doc/{html-manual => assets}/lock-example.c (100%) rename doc/{html-manual/boop-example => assets}/modules.h (100%) rename doc/{html-manual => assets}/pid.c (100%) rename doc/{html-manual => assets}/pid.png (100%) rename doc/{html-manual => assets}/refinement.png (100%) rename doc/{html-manual => assets}/ring_buffer1.c (100%) rename doc/{html-manual => assets}/ring_buffer2.c (100%) rename doc/{html-manual/boop-example => assets}/spec.c (100%) rename doc/{html-manual => assets}/states.png (100%) create mode 100644 doc/cprover-manual.md delete mode 100644 doc/html-manual/api.shtml delete mode 100644 doc/html-manual/architecture.shtml delete mode 100644 doc/html-manual/cbmc-loops.shtml delete mode 100644 doc/html-manual/cbmc.shtml delete mode 100644 doc/html-manual/counter.v delete mode 100644 doc/html-manual/cover.shtml delete mode 100644 doc/html-manual/cprover-source.shtml delete mode 100644 doc/html-manual/footer.inc delete mode 100644 doc/html-manual/goto-cc-apache.shtml delete mode 100644 doc/html-manual/goto-cc-linux.shtml delete mode 100644 doc/html-manual/goto-cc-rockbox.shtml delete mode 100644 doc/html-manual/goto-cc-variants.shtml delete mode 100644 doc/html-manual/goto-cc-visual-studio.shtml delete mode 100644 doc/html-manual/goto-cc.shtml delete mode 100644 doc/html-manual/header.inc delete mode 100644 doc/html-manual/highlight/CHANGES.md delete mode 100644 doc/html-manual/highlight/LICENSE delete mode 100644 doc/html-manual/highlight/README.md delete mode 100644 doc/html-manual/highlight/README.ru.md delete mode 100644 doc/html-manual/highlight/highlight.pack.js delete mode 100644 doc/html-manual/highlight/styles/agate.css delete mode 100644 doc/html-manual/highlight/styles/androidstudio.css delete mode 100644 doc/html-manual/highlight/styles/arduino-light.css delete mode 100644 doc/html-manual/highlight/styles/arta.css delete mode 100644 doc/html-manual/highlight/styles/ascetic.css delete mode 100644 doc/html-manual/highlight/styles/atelier-cave-dark.css delete mode 100644 doc/html-manual/highlight/styles/atelier-cave-light.css delete mode 100644 doc/html-manual/highlight/styles/atelier-dune-dark.css delete mode 100644 doc/html-manual/highlight/styles/atelier-dune-light.css delete mode 100644 doc/html-manual/highlight/styles/atelier-estuary-dark.css delete mode 100644 doc/html-manual/highlight/styles/atelier-estuary-light.css delete mode 100644 doc/html-manual/highlight/styles/atelier-forest-dark.css delete mode 100644 doc/html-manual/highlight/styles/atelier-forest-light.css delete mode 100644 doc/html-manual/highlight/styles/atelier-heath-dark.css delete mode 100644 doc/html-manual/highlight/styles/atelier-heath-light.css delete mode 100644 doc/html-manual/highlight/styles/atelier-lakeside-dark.css delete mode 100644 doc/html-manual/highlight/styles/atelier-lakeside-light.css delete mode 100644 doc/html-manual/highlight/styles/atelier-plateau-dark.css delete mode 100644 doc/html-manual/highlight/styles/atelier-plateau-light.css delete mode 100644 doc/html-manual/highlight/styles/atelier-savanna-dark.css delete mode 100644 doc/html-manual/highlight/styles/atelier-savanna-light.css delete mode 100644 doc/html-manual/highlight/styles/atelier-seaside-dark.css delete mode 100644 doc/html-manual/highlight/styles/atelier-seaside-light.css delete mode 100644 doc/html-manual/highlight/styles/atelier-sulphurpool-dark.css delete mode 100644 doc/html-manual/highlight/styles/atelier-sulphurpool-light.css delete mode 100644 doc/html-manual/highlight/styles/brown-paper.css delete mode 100644 doc/html-manual/highlight/styles/brown-papersq.png delete mode 100644 doc/html-manual/highlight/styles/codepen-embed.css delete mode 100644 doc/html-manual/highlight/styles/color-brewer.css delete mode 100644 doc/html-manual/highlight/styles/dark.css delete mode 100644 doc/html-manual/highlight/styles/darkula.css delete mode 100644 doc/html-manual/highlight/styles/default.css delete mode 100644 doc/html-manual/highlight/styles/docco.css delete mode 100644 doc/html-manual/highlight/styles/dracula.css delete mode 100644 doc/html-manual/highlight/styles/far.css delete mode 100644 doc/html-manual/highlight/styles/foundation.css delete mode 100644 doc/html-manual/highlight/styles/github-gist.css delete mode 100644 doc/html-manual/highlight/styles/github.css delete mode 100644 doc/html-manual/highlight/styles/googlecode.css delete mode 100644 doc/html-manual/highlight/styles/grayscale.css delete mode 100644 doc/html-manual/highlight/styles/gruvbox-dark.css delete mode 100644 doc/html-manual/highlight/styles/gruvbox-light.css delete mode 100644 doc/html-manual/highlight/styles/hopscotch.css delete mode 100644 doc/html-manual/highlight/styles/hybrid.css delete mode 100644 doc/html-manual/highlight/styles/idea.css delete mode 100644 doc/html-manual/highlight/styles/ir-black.css delete mode 100644 doc/html-manual/highlight/styles/kimbie.dark.css delete mode 100644 doc/html-manual/highlight/styles/kimbie.light.css delete mode 100644 doc/html-manual/highlight/styles/magula.css delete mode 100644 doc/html-manual/highlight/styles/mono-blue.css delete mode 100644 doc/html-manual/highlight/styles/monokai-sublime.css delete mode 100644 doc/html-manual/highlight/styles/monokai.css delete mode 100644 doc/html-manual/highlight/styles/obsidian.css delete mode 100644 doc/html-manual/highlight/styles/paraiso-dark.css delete mode 100644 doc/html-manual/highlight/styles/paraiso-light.css delete mode 100644 doc/html-manual/highlight/styles/pojoaque.css delete mode 100644 doc/html-manual/highlight/styles/pojoaque.jpg delete mode 100644 doc/html-manual/highlight/styles/purebasic.css delete mode 100644 doc/html-manual/highlight/styles/qtcreator_dark.css delete mode 100644 doc/html-manual/highlight/styles/qtcreator_light.css delete mode 100644 doc/html-manual/highlight/styles/railscasts.css delete mode 100644 doc/html-manual/highlight/styles/rainbow.css delete mode 100644 doc/html-manual/highlight/styles/school-book.css delete mode 100644 doc/html-manual/highlight/styles/school-book.png delete mode 100644 doc/html-manual/highlight/styles/solarized-dark.css delete mode 100644 doc/html-manual/highlight/styles/solarized-light.css delete mode 100644 doc/html-manual/highlight/styles/sunburst.css delete mode 100644 doc/html-manual/highlight/styles/tomorrow-night-blue.css delete mode 100644 doc/html-manual/highlight/styles/tomorrow-night-bright.css delete mode 100644 doc/html-manual/highlight/styles/tomorrow-night-eighties.css delete mode 100644 doc/html-manual/highlight/styles/tomorrow-night.css delete mode 100644 doc/html-manual/highlight/styles/tomorrow.css delete mode 100644 doc/html-manual/highlight/styles/vs.css delete mode 100644 doc/html-manual/highlight/styles/xcode.css delete mode 100644 doc/html-manual/highlight/styles/xt256.css delete mode 100644 doc/html-manual/highlight/styles/zenburn.css delete mode 100644 doc/html-manual/hwsw-inputs.shtml delete mode 100644 doc/html-manual/hwsw-mapping.shtml delete mode 100644 doc/html-manual/hwsw-tutorial.shtml delete mode 100644 doc/html-manual/hwsw.shtml delete mode 100644 doc/html-manual/index.shtml delete mode 100644 doc/html-manual/installation-cbmc.shtml delete mode 100644 doc/html-manual/installation-plugin.shtml delete mode 100644 doc/html-manual/installation-satabs.shtml delete mode 100644 doc/html-manual/introduction.shtml delete mode 100644 doc/html-manual/libraries.shtml delete mode 100644 doc/html-manual/modeling-assertions.shtml delete mode 100644 doc/html-manual/modeling-floating-point.shtml delete mode 100644 doc/html-manual/modeling-nondet.shtml delete mode 100644 doc/html-manual/modeling-pointers.shtml delete mode 100644 doc/html-manual/pid_test_suites.xml delete mode 100644 doc/html-manual/properties.shtml delete mode 100644 doc/html-manual/satabs-aeon.shtml delete mode 100644 doc/html-manual/satabs-background.shtml delete mode 100644 doc/html-manual/satabs-driver.shtml delete mode 100644 doc/html-manual/satabs-tutorials.shtml delete mode 100644 doc/html-manual/satabs.shtml diff --git a/doc/CPPLINT.cfg b/doc/CPPLINT.cfg new file mode 100644 index 0000000000..51ff339c18 --- /dev/null +++ b/doc/CPPLINT.cfg @@ -0,0 +1 @@ +exclude_files=.* diff --git a/doc/architectural/front-page.md b/doc/architectural/front-page.md new file mode 100644 index 0000000000..4a75c82bbb --- /dev/null +++ b/doc/architectural/front-page.md @@ -0,0 +1,24 @@ +CProver Documentation +===================== + +These pages contain both user tutorials and automatically-generated API +documentation. Users can download CProver tools from the +CProver website; contributors +should use the repository +hosted on GitHub. + +### For users: + +* The \ref cprover-manual "CProver Manual" details the capabilities of + CBMC and SATABS and describes how to install and use these tools. It + also covers the underlying theory and prerequisite concepts behind how + these tools work. + +### For contributors: + +* If you already know exactly what you're looking for, the API reference + is generated from the codebase. You can search for classes and class + members in the search bar at top-right or use one of the links in the + sidebar. + +\defgroup module_hidden _hidden diff --git a/doc/html-manual/binsearch.c b/doc/assets/binsearch.c similarity index 100% rename from doc/html-manual/binsearch.c rename to doc/assets/binsearch.c diff --git a/doc/html-manual/c_to_ir.svg b/doc/assets/c_to_ir.svg similarity index 100% rename from doc/html-manual/c_to_ir.svg rename to doc/assets/c_to_ir.svg diff --git a/doc/html-manual/cegar-1.png b/doc/assets/cegar-1.png similarity index 100% rename from doc/html-manual/cegar-1.png rename to doc/assets/cegar-1.png diff --git a/doc/html-manual/counter.c b/doc/assets/counter.c similarity index 100% rename from doc/html-manual/counter.c rename to doc/assets/counter.c diff --git a/doc/html-manual/boop-example/driver.c b/doc/assets/driver.c similarity index 100% rename from doc/html-manual/boop-example/driver.c rename to doc/assets/driver.c diff --git a/doc/html-manual/boop-example/driver.h b/doc/assets/driver.h similarity index 100% rename from doc/html-manual/boop-example/driver.h rename to doc/assets/driver.h diff --git a/doc/html-manual/expr.c b/doc/assets/expr.c similarity index 100% rename from doc/html-manual/expr.c rename to doc/assets/expr.c diff --git a/doc/html-manual/expr.svg b/doc/assets/expr.svg similarity index 100% rename from doc/html-manual/expr.svg rename to doc/assets/expr.svg diff --git a/doc/html-manual/file1.c b/doc/assets/file1.c similarity index 100% rename from doc/html-manual/file1.c rename to doc/assets/file1.c diff --git a/doc/html-manual/file2.c b/doc/assets/file2.c similarity index 100% rename from doc/html-manual/file2.c rename to doc/assets/file2.c diff --git a/doc/html-manual/gcc-wrap.c b/doc/assets/gcc-wrap.c similarity index 100% rename from doc/html-manual/gcc-wrap.c rename to doc/assets/gcc-wrap.c diff --git a/doc/html-manual/goto_program.svg b/doc/assets/goto_program.svg similarity index 100% rename from doc/html-manual/goto_program.svg rename to doc/assets/goto_program.svg diff --git a/doc/html-manual/ireptree.svg b/doc/assets/ireptree.svg similarity index 100% rename from doc/html-manual/ireptree.svg rename to doc/assets/ireptree.svg diff --git a/doc/html-manual/boop-example/kdev_t.h b/doc/assets/kdev_t.h similarity index 100% rename from doc/html-manual/boop-example/kdev_t.h rename to doc/assets/kdev_t.h diff --git a/doc/html-manual/lock-example-fixed.c b/doc/assets/lock-example-fixed.c similarity index 100% rename from doc/html-manual/lock-example-fixed.c rename to doc/assets/lock-example-fixed.c diff --git a/doc/html-manual/lock-example.c b/doc/assets/lock-example.c similarity index 100% rename from doc/html-manual/lock-example.c rename to doc/assets/lock-example.c diff --git a/doc/html-manual/boop-example/modules.h b/doc/assets/modules.h similarity index 100% rename from doc/html-manual/boop-example/modules.h rename to doc/assets/modules.h diff --git a/doc/html-manual/pid.c b/doc/assets/pid.c similarity index 100% rename from doc/html-manual/pid.c rename to doc/assets/pid.c diff --git a/doc/html-manual/pid.png b/doc/assets/pid.png similarity index 100% rename from doc/html-manual/pid.png rename to doc/assets/pid.png diff --git a/doc/html-manual/refinement.png b/doc/assets/refinement.png similarity index 100% rename from doc/html-manual/refinement.png rename to doc/assets/refinement.png diff --git a/doc/html-manual/ring_buffer1.c b/doc/assets/ring_buffer1.c similarity index 100% rename from doc/html-manual/ring_buffer1.c rename to doc/assets/ring_buffer1.c diff --git a/doc/html-manual/ring_buffer2.c b/doc/assets/ring_buffer2.c similarity index 100% rename from doc/html-manual/ring_buffer2.c rename to doc/assets/ring_buffer2.c diff --git a/doc/html-manual/boop-example/spec.c b/doc/assets/spec.c similarity index 100% rename from doc/html-manual/boop-example/spec.c rename to doc/assets/spec.c diff --git a/doc/html-manual/states.png b/doc/assets/states.png similarity index 100% rename from doc/html-manual/states.png rename to doc/assets/states.png diff --git a/doc/cprover-manual.md b/doc/cprover-manual.md new file mode 100644 index 0000000000..90d609193d --- /dev/null +++ b/doc/cprover-manual.md @@ -0,0 +1,2982 @@ +\ingroup module_hidden +\page cprover-manual CProver User Manual + +\author Daniel Kroening + +This tutorial is intended for users of CProver (CBMC, SatAbs, and +associated tools). + +\tableofcontents + +\section man_introduction Introduction + +## Motivation + +Numerous tools to hunt down functional design flaws in silicon have been +available for many years, mainly due to the enormous cost of hardware +bugs. The use of such tools is wide-spread. In contrast, the market for +tools that address the need for quality software is still in its +infancy. + +Research in software quality has an enormous breadth. We focus the +presentation using two criteria: + +1. We believe that any form of quality requires a specific *guarantee*, + in theory and practice. +2. The sheer size of software designs requires techniques that are + highly *automated*. + +In practice, quality guarantees usually do not refer to "total +correctness" of a design, as ensuring the absence of all bugs is too +expensive for most applications. In contrast, a guarantee of the absence +of specific flaws is achievable, and is a good metric of quality. + +We document two programs that try to achieve formal guarantees of the +absence of specific problems: CBMC and SATABS. The algorithms +implemented by CBMC and SATABS are complementary, and often, one tool is +able to solve a problem that the other cannot solve. + +Both CBMC and SATABS are verification tools for ANSI-C/C++ programs. +They verify array bounds (buffer overflows), pointer safety, exceptions +and user-specified assertions. Both tools model integer arithmetic +accurately, and are able to reason about machine-level artifacts such as +integer overflow. CBMC and SATABS are therefore able to detect a class +of bugs that has so far gone unnoticed by many other verification tools. +This manual also covers some variants of CBMC, which includes HW-CBMC +for +\ref man_hard-soft-introduction "hardware/software co-verification". + +## Bounded Model Checking with CBMC + +CBMC implements a technique called *Bounded Model Checking* (BMC). In +BMC, the transition relation for a complex state machine and its +specification are jointly unwound to obtain a Boolean formula, which is +then checked for satisfiability by using an efficient SAT procedure. If +the formula is satisfiable, a counterexample is extracted from the +output of the SAT procedure. If the formula is not satisfiable, the +program can be unwound more to determine if a longer counterexample +exists. + +In many engineering domains, real-time guarantees are a strict +requirement. An example is software embedded in automotive controllers. +As a consequence, the loop constructs in these types of programs often +have a strict bound on the number of iterations. CBMC is able to +formally verify such bounds by means of *unwinding assertions*. Once +this bound is established, CBMC is able to prove the absence of errors. + +A more detailed description of how to apply CBMC to verify programs is +\ref man_cbmc-tutorial "here". + +## Automatic Program Verification with SATABS + +In many cases, lightweight properties such as array bounds do not rely +on the entire program. A large fraction of the program is *irrelevant* +to the property. SATABS exploits this observation and computes an +*abstraction* of the program in order to handle large amounts of code. + +In order to use SATABS it is not necessary to understand the abstraction +refinement process. For the interested reader, a high-level introduction +to abstraction refinement is provided +\ref man_satabs-overview "here". +We also provide +\ref man_satabs-tutorials "tutorials on how to use SATABS". + +Just as CBMC, SATABS attempts to build counterexamples that refute the +property. If such a counterexample is found, it is presented to the +engineer to facilitate localization and repair of the program. + +### Example: Buffer Overflows + +In order to give a brief overview of the capabilities of CBMC and SATABS +we start with a small example. The issue of *[buffer +overflows](http://en.wikipedia.org/wiki/Buffer_overflow)* has obtained +wide public attention. A buffer is a contiguously-allocated chunk of +memory, represented by an array or a pointer in C. Programs written in C +do not provide automatic bounds checking on the buffer, which means a +program can – accidentally or maliciously – write past a buffer. The +following example is a perfectly valid C program (in the sense that a +compiler compiles it without any errors): + +```{.c} +int main() +{ + int buffer[10]; + buffer[20] = 10; +} +``` + +However, the write access to an address outside the allocated memory +region can lead to unexpected behavior. In particular, such bugs can be +exploited to overwrite the return address of a function, thus enabling +the execution of arbitrary user-induced code. CBMC and SATABS are able +to detect this problem and reports that the "upper bound property" of +the buffer is violated. CBMC and SATABS are capable of checking these +lower and upper bounds, even for arrays with dynamic size. A detailed +discussion of the properties that CBMC and SATABS can check +automatically is \ref man_instrumentation-properties "here". + +## Hardware/Software Co-Verification + +Software programs often interact with hardware in a non-trivial manner, +and many properties of the overall design only arise from the interplay +of both components. CBMC and SATABS therefore support *Co-Verification*, +i.e., are able to reason about a C/C++ program together with a circuit +description given in Verilog. + +These co-verification capabilities can also be applied to perform +refinement proofs. Software programs are often used as high-level +descriptions of circuitry. While both describe the same functionality, +the hardware implementation usually contains more detail. It is highly +desirable to establish some form for equivalence between the two +descriptions. Hardware/Software co-verification and equivalence checking +with CBMC and SATABS are described +\ref man_hard-soft-introduction "here". + + +\section man_installation Installation + +\subsection man_install-cbmc Installing CBMC + +### Requirements + +CBMC is available for Windows, i86 Linux, and MacOS X. CBMC requires a +code pre-processing environment comprising of a suitable preprocessor +and an a set of header files. + +1. **Linux:** the preprocessor and the header files typically come with + a package called *gcc*, which must be installed prior to the + installation of CBMC. + +2. **Windows:** The Windows version of CBMC requires the preprocessor + `cl.exe`, which is part of Microsoft Visual Studio. We recommend the + free [Visual Studio Community + 2013](http://www.visualstudio.com/en-us/products/visual-studio-community-vs). + +3. **MacOS:** Install the [XCode Command Line + Utilities](http://developer.apple.com/technologies/xcode.html) prior + to installing CBMC. Just installing XCode alone is not enough. + +Important note for Windows users: Visual Studio's `cl.exe` relies on a +complex set of environment variables to identify the target architecture +and the directories that contain the header files. You must run CBMC +from within the *Visual Studio Command Prompt*. + +Note that the distribution files for the [Eclipse +plugin](installation-plugin.shtml) include the CBMC executable. +Therefore, if you intend to run CBMC exclusively within Eclipse, you can +skip the installation of the CBMC executable. However, you still have to +install the compiler environment as described above. + +### Installing the CBMC Binaries + +1. Download CBMC for your operating system. The binaries are available + from http://www.cprover.org/cbmc/. +2. Unzip/untar the archive into a directory of your choice. We + recommend to add this directory to your `PATH` environment variable. + +You are now ready to \ref man_cbmc-tutorial "use CBMC"! + +### Building CBMC from Source + +Alternatively, the CBMC source code is available [via +SVN](http://www.cprover.org/svn/cbmc/). To compile the source code, +follow [these +instructions](http://www.cprover.org/svn/cbmc/trunk/COMPILING). + +\subsection man_install-satabs Installing SATABS + +### Requirements + +SATABS is available for Windows, i86 Linux, and MacOS X. SATABS requires +a code pre-processing environment comprising of a suitable preprocessor +and an a set of header files. + +1. **Linux:** the preprocessor and the header files typically come with + a package called *gcc*, which must be installed prior to the + installation of SATABS. +2. **Windows:** The Windows version of SATABS requires the preprocessor + `cl.exe`, which is part of Visual Studio (including the free [Visual + Studio + Express](http://msdn.microsoft.com/vstudio/express/visualc/)). +3. **MacOS:** Install + [XCode](http://developer.apple.com/technologies/xcode.html) prior to + installing SATABS. + +Important note for Windows users: Visual Studio's `cl.exe` relies on a +complex set of environment variables to identify the target architecture +and the directories that contain the header files. You must run SATABS +from within the *Visual Studio Command Prompt*. + +Note that the distribution files for the [Eclipse +plugin](installation-plugin.shtml) include the command-line tools. +Therefore, if you intend to run SATABS exclusively within Eclipse, you +can skip the installation of the command-line tools. However, you still +have to install the compiler environment as described above. + +### Choosing and Installing a Model Checker + +You need to install a Model Checker in order to be able to run SATABS. +You can choose between following alternatives: + +- **Cadence SMV**. Available from http://www.kenmcmil.com/smv.html. + Cadence SMV is a commercial model checker. The free version that is + available on the homepage above must not be used for commercial + purposes (read the license agreement thoroughly before you download + the tool). The documentation for SMV can be found in the directory + where you unzip/untar SMV under ./smv/doc/smv/. Read the + installation instructions carefully. The Linux/MacOS versions + require setting environment variables. You must add add the + directory containing the `smv` binary (located in ./smv/bin/, + relative to the path where you unpacked it) to your `PATH` + environment variable. SATABS uses Cadence SMV by default. + +- **NuSMV**. Available from http://nusmv.irst.itc.it/. NuSMV is the + open source alternative to Cadence SMV. Installation instructions + and documentation can be found on the NuSMV homepage. The directory + containing the NuSMV binary should be added to your `PATH` + environment variable. Use the option + + --modelchecker nusmv + + to instruct SATABS to use NuSMV. + +- **BOPPO**. Available from http://www.cprover.org/boppo/. BOPPO is + a model checker that uses SAT-solving algorithms. BOPPO relies on a + built-in SAT solver and Quantor, a solver for quantified boolean + formulas that is currently bundled with BOPPO, but also available + separately from . We recommend to add + the directories containing both tools to your `PATH` environment + variable. Use the option + + --modelchecker boppo + + when you call SATABS and want it to use BOPPO instead of SMV. + +- **BOOM**. Available from http://www.cprover.org/boom/. Boom has a + number of unique features, including the verification of programs + with unbounded thread creation. + +### Installing SATABS + +1. Download SATABS for your operating system. The binaries are + available from . +2. Unzip/untar the archive into a directory of your choice. We + recommend to add this directory to your `PATH` environment variable. + +Now you can execute SATABS. Try running SATABS on the small examples +presented in the \ref man_satabs-tutorials "SATABS tutorial". If you use +the Cadence SMV model checker, the only command line arguments you have +to specify are the names of the files that contain your program. + + +\subsection man_install-eclipse Installing the Eclipse Plugin + +### Requirements + +We provide a graphical user interface to CBMC and SATABS, which is +realized as a plugin to the Eclipse framework. Eclipse is available at +http://www.eclipse.org. We do not provide installation instructions for +Eclipse (basically, you only have to download the current version and +extract the files to your hard-disk) and assume that you have already +installed the current version. + +CBMC and SATABS have their own requirements. As an example, both CBMC and SATABS require a suitable preprocessor and a set of header files. As +first step, you should therefore follow the installation instructions +for \ref man_install-cbmc "CBMC" and \ref man_install-satabs "SATABS". + +Important note for Windows users: Visual Studio's `cl.exe` relies on a +complex set of environment variables to identify the target architecture +and the directories that contain the header files. You must run Eclipse +from within the *Visual Studio Command Prompt*. + +### Installing the Eclipse Plugin + +The installation instructions for the Eclipse Plugin, including the link +to the download site, are available +[here](http://www.cprover.org/eclipse-plugin/). This includes a small +tutorial on how to use the Eclipse plugin. + + +\section man_cbmc CBMC: Bounded Model Checking for C, C++ and Java + +\subsection man_cbmc-tutorial A Short Tutorial + +### First Steps + +We assume you have already installed CBMC and the necessary support +files on your system. If not so, please follow the instructions +\ref man_install-cbmc "here". + +Like a compiler, CBMC takes the names of .c files as command line +arguments. CBMC then translates the program and merges the function +definitions from the various .c files, just like a linker. But instead +of producing a binary for execution, CBMC performs symbolic simulation +on the program. + +As an example, consider the following simple program, named file1.c: + + int puts(const char *s) { } + + int main(int argc, char **argv) { + puts(argv[2]); + } + +Of course, this program is faulty, as the `argv` array might have fewer +than three elements, and then the array access `argv[2]` is out of +bounds. Now, run CBMC as follows: + + cbmc file1.c --show-properties --bounds-check --pointer-check + +The two options `--bounds-check` and `--pointer-check` instruct CBMC to +look for errors related to pointers and array bounds. CBMC will print +the list of properties it checks. Note that it lists, among others, a +property labelled with "object bounds in argv" together with the location +of the faulty array access. As you can see, CBMC largely determines the +property it needs to check itself. This is realized by means of a +preliminary static analysis, which relies on computing a fixed point on +various [abstract +domains](http://en.wikipedia.org/wiki/Abstract_interpretation). More +detail on automatically generated properties is provided +\ref man_instrumentation-properties "here". + +Note that these automatically generated properties need not necessarily +correspond to bugs – these are just *potential* flaws, as abstract +interpretation might be imprecise. Whether these properties hold or +correspond to actual bugs needs to be determined by further analysis. + +CBMC performs this analysis using *symbolic simulation*, which +corresponds to a translation of the program into a formula. The formula +is then combined with the property. Let's look at the formula that is +generated by CBMC's symbolic simulation: + + cbmc file1.c --show-vcc --bounds-check --pointer-check + +With this option, CBMC performs the symbolic simulation and prints the +verification conditions on the screen. A verification condition needs to +be proven to be valid by a [decision +procedure](http://en.wikipedia.org/wiki/Decision_problem) in order to +assert that the corresponding property holds. Let's run the decision +procedure: + + cbmc file1.c --bounds-check --pointer-check + +CBMC transforms the equation you have seen before into CNF and passes it +to a SAT solver (more background on this step is in the book on +[Decision Procedures](http://www.decision-procedures.org/)). It then +determines which of the properties that it has generated for the program +hold and which do not. Using the SAT solver, CBMC detects that the +property for the object bounds of `argv` does not hold, and will thus +print a line as follows: + + [main.pointer_dereference.6] dereference failure: object bounds in argv[(signed long int)2]: FAILURE + +### Counterexample Traces + +Let us have a closer look at this property and why it fails. To aid the +understanding of the problem, CBMC can generate a *counterexample trace* +for failed properties. To obtain this trace, run + + cbmc file1.c --bounds-check --trace + +CBMC then prints a counterexample trace, i.e., a program trace that +begins with `main` and ends in a state which violates the property. In +our example, the program trace ends in the faulty array access. It also +gives the values the input variables must have for the bug to occur. In +this example, `argc` must be one to trigger the out-of-bounds array +access. If you add a branch to the example that requires that `argc>=3`, +the bug is fixed and CBMC will report that the proofs of all properties +have been successful. + +### Verifying Modules + +In the example above, we used a program that starts with a `main` +function. However, CBMC is aimed at embedded software, and these kinds +of programs usually have different entry points. Furthermore, CBMC is +also useful for verifying program modules. Consider the following +example, called file2.c: + + int array[10]; + int sum() { + unsigned i, sum; + + sum=0; + for(i=0; i<10; i++) + sum+=array[i]; + } + +In order to set the entry point to the `sum` function, run + + cbmc file2.c --function sum --bounds-check + +It is often necessary to build a suitable *harness* for the function in +order to set up the environment appropriately. + +### Loop Unwinding + +When running the previous example, you will have noted that CBMC unwinds +the `for` loop in the program. As CBMC performs Bounded Model Checking, +all loops have to have a finite upper run-time bound in order to +guarantee that all bugs are found. CBMC can optionally check that enough +unwinding is performed. As an example, consider the program binsearch.c: + + int binsearch(int x) { + int a[16]; + signed low=0, high=16; + + while(low>1); + + if(a[middle]x) + low=middle+1; + else // a[middle]==x + return middle; + } + + return -1; + } + +If you run CBMC on this function, you will notice that the unwinding +does not stop on its own. The built-in simplifier is not able to +determine a run time bound for this loop. The unwinding bound has to be +given as a command line argument: + + cbmc binsearch.c --function binsearch --unwind 6 --bounds-check --unwinding-assertions + +CBMC verifies that verifies the array accesses are within the bounds; +note that this actually depends on the result of the right shift. In +addition, as CBMC is given the option `--unwinding-assertions`, it also +checks that enough unwinding is done, i.e., it proves a run-time bound. +For any lower unwinding bound, there are traces that require more loop +iterations. Thus, CBMC will report that the unwinding assertion has +failed. As usual, a counterexample trace that documents this can be +obtained with the option `--property`. + +### Unbounded Loops + +CBMC can also be used for programs with unbounded loops. In this case, +CBMC is used for bug hunting only; CBMC does not attempt to find all +bugs. The following program (lock-example.c) is an example of a program +with a user-specified property: + + _Bool nondet_bool(); + _Bool LOCK = 0; + + _Bool lock() { + if(nondet_bool()) { + assert(!LOCK); + LOCK=1; + return 1; } + + return 0; + } + + void unlock() { + assert(LOCK); + LOCK=0; + } + + int main() { + unsigned got_lock = 0; + int times; + + while(times > 0) { + if(lock()) { + got_lock++; + /* critical section */ + } + + if(got_lock!=0) + unlock(); + + got_lock--; + times--; + } + } + +The `while` loop in the `main` function has no (useful) run-time bound. +Thus, a bound has to be set on the amount of unwinding that CBMC +performs. There are two ways to do so: + +1. The `--unwind` command-line parameter can to be used to limit the + number of times loops are unwound. +2. The `--depth` command-line parameter can be used to limit the number + of program steps to be processed. + +Given the option `--unwinding-assertions`, CBMC checks whether the +arugment to `--unwind` is large enough to cover all program paths. If +the argument is too small, CBMC will detect that not enough unwinding is +done reports that an unwinding assertion has failed. + +Reconsider the example. For a loop unwinding bound of one, no bug is +found. But already for a bound of two, CBMC detects a trace that +violates an assertion. Without unwinding assertions, or when using the +`--depth` command line switch, CBMC does not prove the program correct, +but it can be helpful to find program bugs. The various command line +options that CBMC offers for loop unwinding are described in the section +on \ref man_cbmc-loops "understanding loop unwinding". + +### A Note About Compilers and the ANSI-C Library + +Most C programs make use of functions provided by a library; instances +are functions from the standard ANSI-C library such as `malloc` or +`printf`. The verification of programs that use such functions has two +requirements: + +1. Appropriate header files have to be provided. These header files + contain *declarations* of the functions that are to be used. +2. Appropriate *definitions* have to be provided. + +Most C compilers come with header files for the ANSI-C library +functions. We briefly discuss how to obtain/install these library files. + +#### Linux + +Linux systems that are able to compile software are usually equipped +with the appropriate header files. Consult the documentation of your +distribution on how to install the compiler and the header files. First +try to compile some significant program before attempting to verify it. + +#### Windows + +On Microsoft Windows, CBMC is pre-configured to use the compiler that is +part of Microsoft's Visual Studio. Microsoft's [Visual Studio +Community](http://www.visualstudio.com/en-us/products/visual-studio-community-vs) +is fully featured and available for download for free from the Microsoft +webpage. Visual Studio installs the usual set of header files together +with the compiler. However, the Visual Studio compiler requires a large +set of environment variables to function correctly. It is therefore +required to run CBMC from the *Visual Studio Command Prompt*, which can +be found in the menu *Visual Studio Tools*. + +Note that in both cases, only header files are available. CBMC only +comes with a small set of definitions, which includes functions such as +`malloc`. Detailed information about the built-in definitions is +\ref man_instrumentation-libraries "here". + +### Command Line Interface + +This section describes the command line interface of CBMC. Like a C +compiler, CBMC takes the names of the .c source files as arguments. +Additional options allow to customize the behavior of CBMC. Use +`cbmc --help` to get a full list of the available options. + +Structured output can be obtained from CBMC using the option `--xml-ui`. +Any output from CBMC (e.g., counterexamples) will then use an XML +representation. + +### Further Reading + +- \ref man_cbmc-loops "Understanding Loop Unwinding" +- [Hardware Verification using ANSI-C Programs as a + Reference](http://www-2.cs.cmu.edu/~svc/papers/view-publications-ck03.html) +- [Behavioral Consistency of C and Verilog Programs Using Bounded + Model Checking](http://www-2.cs.cmu.edu/~svc/papers/view-publications-cky03.html) +- [A Tool for Checking ANSI-C + Programs](http://www-2.cs.cmu.edu/~svc/papers/view-publications-ckl2004.html) + +We also have a [list of interesting applications of +CBMC](http://www.cprover.org/cbmc/applications/). + + +\subsection man_cbmc-loops Understanding Loop Unwinding + +### Iteration-based Unwinding + +The basic idea of CBMC is to model the computation of the programs up to +a particular depth. Technically, this is achieved by a process that +essentially amounts to *unwinding loops*. This concept is best +illustrated with a generic example: + + int main(int argc, char **argv) { + while(cond) { + BODY CODE + } + } + +A BMC instance that will find bugs with up to five iterations of the +loop would contain five copies of the loop body, and essentially +corresponds to checking the following loop-free program: + + int main(int argc, char **argv) { + if(cond) { + BODY CODE COPY 1 + if(cond) { + BODY CODE COPY 2 + if(cond) { + BODY CODE COPY 3 + if(cond) { + BODY CODE COPY 4 + if(cond) { + BODY CODE COPY 5 + } + } + } + } + } + } + +Note the use of the `if` statement to prevent the execution of the loop +body in the case that the loop ends before five iterations are executed. +The construction above is meant to produce a program that is trace +equivalent with the original programs for those traces that contain up +to five iterations of the loop. + +In many cases, CBMC is able to automatically determine an upper bound on +the number of loop iterations. This may even work when the number of +loop unwindings is not constant. Consider the following example: + + _Bool f(); + + int main() { + for(int i=0; i<100; i++) { + if(f()) break; + } + assert(0); + } + +The loop in the program above has an obvious upper bound on the number +of iterations, but note that the loop may abort prematurely depending on +the value that is returned by `f()`. CBMC is nevertheless able to +automatically unwind the loop to completion. + +This automatic detection of the unwinding bound may fail if the number +of loop iterations is highly data-dependent. Furthermore, the number of +iterations that are executed by any given loop may be too large or may +simply be unbounded. For this case, CBMC offers the command-line option +`--unwind B`, where `B` denotes a number that corresponds to the maximal +number of loop unwindings CBMC performs on any loop. + +Note that the number of unwindings is measured by counting the number of +*backjumps*. In the example above, note that the condition `i<100` is in +fact evaluated 101 times before the loop terminates. Thus, the loop +requires a limit of 101, and not 100. + +### Setting Separate Unwinding Limits + +The setting given with `--unwind` is used globally, that is, for all +loops in the program. In order to set individual limits for the loops, +first use + + --show-loops + +to obtain a list of all loops in the program. Then identify the loops +you need to set a separate bound for, and note their loop ID. Then use + + --unwindset L:B,L:B,... + +where `L` denotes a loop ID and `B` denotes the bound for that loop. + +As an example, consider a program with two loops in the function main: + + --unwindset c::main.0:10,c::main.1:20 + +This sets a bound of 10 for the first loop, and a bound of 20 for the +second loop. + +What if the number of unwindings specified is too small? In this case, +bugs that require paths that are deeper may be missed. In order to +address this problem, CBMC can optionally insert checks that the given +unwinding bound is actually sufficiently large. These checks are called +*unwinding assertions*, and are enabled with the option +`--unwinding-assertions`. Continuing the generic example above, this +unwinding assertion for a bound of five corresponds to checking the +following loop-free program: + + int main(int argc, char **argv) { + if(cond) { + BODY CODE COPY 1 + if(cond) { + BODY CODE COPY 2 + if(cond) { + BODY CODE COPY 3 + if(cond) { + BODY CODE COPY 4 + if(cond) { + BODY CODE COPY 5 + assert(!cond); + } + } + } + } + } + } + +The unwinding assertions can be verified just like any other generated +assertion. If all of them are proven to hold, the given loop bounds are +sufficient for the program. This establishes a [high-level worst-case +execution time](http://en.wikipedia.org/wiki/Worst-case_execution_time) +(WCET). + +In some cases, it is desirable to cut off very deep loops in favor of +code that follows the loop. As an example, consider the following +program: + + int main() { + for(int i=0; i<10000; i++) { + BODY CODE + } + assert(0); + } + +In the example above, small values of `--unwind` will prevent that the +assertion is reached. If the code in the loop is considered irrelevant +to the later assertion, use the option + + --partial-loops + +This option will allow paths that execute loops only partially, enabling +a counterexample for the assertion above even for small unwinding +bounds. The disadvantage of using this option is that the resulting path +may be spurious, i.e., may not exist in the original program. + +### Depth-based Unwinding + +The loop-based unwinding bound is not always appropriate. In particular, +it is often difficult to control the size of the generated formula when +using the `--unwind` option. The option + + --depth nr + +specifies an unwinding bound in terms of the number of instructions that +are executed on a given path, irrespectively of the number of loop +iterations. Note that CBMC uses the number of instructions in the +control-flow graph as the criterion, not the number of instructions in +the source code. + +\subsection man_cbmc-cover COVER: Test Suite Generation with CBMC + + +### A Small Tutorial with A Case Study + +We assume that CBMC is installed on your system. If not so, follow +\ref man_install-cbmc "these instructions". + +CBMC can be used to automatically generate test cases that satisfy a +certain [code coverage](https://en.wikipedia.org/wiki/Code_coverage) +criteria. Common coverage criteria include branch coverage, condition +coverage and [Modified Condition/Decision Coverage +(MC/DC)](https://en.wikipedia.org/wiki/Modified_condition/decision_coverage). +Among others, MC/DC is required by several avionics software development +guidelines to ensure adequate testing of safety critical software. +Briefly, in order to satisfy MC/DC, for every conditional statement +containing boolean decisions, each Boolean variable should be evaluated +one time to "true" and one time to "false", in a way that affects the +outcome of the decision. + +In the following, we are going to demonstrate how to apply the test +suite generation functionality in CBMC, by means of a case study. The +following program is an excerpt from a real-time embedded benchmark +[PapaBench](https://www.irit.fr/recherches/ARCHI/MARCH/rubrique.php3?id_rubrique=97), +and implements part of a fly-by-wire autopilot for an Unmanned Aerial +Vehicle (UAV). It is adjusted mildly for our purposes. + +The aim of function `climb_pid_run` is to control the vertical climb of +the UAV. Details on the theory behind this operation are documented in +the [wiki](https://wiki.paparazziuav.org/wiki/Theory_of_Operation) for +the Paparazzi UAV project. The behaviour of this simple controller, +supposing that the desired speed is 0.5 meters per second, is plotted in +the Figure below. + +\image html pid.png "The pid controller" + + 01: // CONSTANTS: + 02: #define MAX_CLIMB_SUM_ERR 10 + 03: #define MAX_CLIMB 1 + 04: + 05: #define CLOCK 16 + 06: #define MAX_PPRZ (CLOCK*600) + 07: + 08: #define CLIMB_LEVEL_GAZ 0.31 + 09: #define CLIMB_GAZ_OF_CLIMB 0.75 + 10: #define CLIMB_PITCH_OF_VZ_PGAIN 0.05 + 11: #define CLIMB_PGAIN -0.03 + 12: #define CLIMB_IGAIN 0.1 + 13: + 14: const float pitch_of_vz_pgain=CLIMB_PITCH_OF_VZ_PGAIN; + 15: const float climb_pgain=CLIMB_PGAIN; + 16: const float climb_igain=CLIMB_IGAIN; + 17: const float nav_pitch=0; + 18: + 19: /** PID function INPUTS */ + 20: // The user input: target speed in vertical direction + 21: float desired_climb; + 22: // Vertical speed of the UAV detected by GPS sensor + 23: float estimator_z_dot; + 24: + 25: /** PID function OUTPUTS */ + 26: float desired_gaz; + 27: float desired_pitch; + 28: + 29: /** The state variable: accumulated error in the control */ + 30: float climb_sum_err=0; + 31: + 32: /** Computes desired_gaz and desired_pitch */ + 33: void climb_pid_run() + 34: { + 35: + 36: float err=estimator_z_dot-desired_climb; + 37: + 38: float fgaz=climb_pgain*(err+climb_igain*climb_sum_err)+CLIMB_LEVEL_GAZ+CLIMB_GAZ_OF_CLIMB*desired_climb; + 39: + 40: float pprz=fgaz*MAX_PPRZ; + 41: desired_gaz=((pprz>=0 && pprz<=MAX_PPRZ) ? pprz : (pprz>MAX_PPRZ ? MAX_PPRZ : 0)); + 42: + 43: /** pitch offset for climb */ + 44: float pitch_of_vz=(desired_climb>0) ? desired_climb*pitch_of_vz_pgain : 0; + 45: desired_pitch=nav_pitch+pitch_of_vz; + 46: + 47: climb_sum_err=err+climb_sum_err; + 48: if (climb_sum_err>MAX_CLIMB_SUM_ERR) climb_sum_err=MAX_CLIMB_SUM_ERR; + 49: if (climb_sum_err<-MAX_CLIMB_SUM_ERR) climb_sum_err=-MAX_CLIMB_SUM_ERR; + 50: + 51: } + 52: + 53: int main() + 54: { + 55: + 56: while(1) + 57: { + 58: /** Non-deterministic input values */ + 59: desired_climb=nondet_float(); + 60: estimator_z_dot=nondet_float(); + 61: + 62: /** Range of input values */ + 63: __CPROVER_assume(desired_climb>=-MAX_CLIMB && desired_climb<=MAX_CLIMB); + 64: __CPROVER_assume(estimator_z_dot>=-MAX_CLIMB && estimator_z_dot<=MAX_CLIMB); + 65: + 66: __CPROVER_input("desired_climb", desired_climb); + 67: __CPROVER_input("estimator_z_dot", estimator_z_dot); + 68: + 69: climb_pid_run(); + 70: + 71: __CPROVER_output("desired_gaz", desired_gaz); + 72: __CPROVER_output("desired_pitch", desired_pitch); + 73: + 74: } + 75: + 76: return 0; + 77: } + +In order to test the PID controller, we construct a main control loop, +which repeatedly invokes the function `climb_pid_run` (line 69). This +PID function has two input variables: the desired speed `desired_climb` +and the estimated speed `estimated_z_dot`. In the beginning of each loop +iteration, values of the inputs are assigned non-deterministically. +Subsequently, the `__CPROVER_assume` statement in lines 63 and 64 +guarantees that both values are bounded within a valid range. The +`__CPROVER_input` and `__CPROVER_output` will help clarify the inputs +and outputs of interest for generating test suites. + +To demonstrate the automatic test suite generation in CBMC, we call the +following command and we are going to explain the command line options +one by one. + + cbmc pid.c --cover mcdc --unwind 6 --xml-ui + +The option `--cover mcdc` specifies the code coverage criterion. There +are four conditional statements in the PID function: in line 41, line +44, line 48 and line 49. To satisfy MC/DC, the test suite has to meet +multiple requirements. For instance, each conditional statement needs to +evaluate to *true* and *false*. Consider the condition +`"pprz>=0 && pprz<=MAX_PPRZ"` in line 41. CBMC instruments three +coverage goals to control the respective evaluated results of +`"pprz>=0"` and `"pprz<=MAX_PPRZ"`. We list them in below and they +satisfy the MC/DC rules. Note that `MAX_PPRZ` is defined as 16 \* 600 in +line 06 of the program. + + !(pprz >= (float)0) && pprz <= (float)(16 * 600) id="climb_pid_run.coverage.1" + pprz >= (float)0 && !(pprz <= (float)(16 * 600)) id="climb_pid_run.coverage.2" + pprz >= (float)0 && pprz <= (float)(16 * 600) id="climb_pid_run.coverage.3" + +The "id" of each coverage goal is automatically assigned by CBMC. For +every coverage goal, a test suite (if there exists) that satisfies such +a goal is printed out in XML format, as the parameter `--xml-ui` is +given. Multiple coverage goals can share a test suite, when the +corresponding execution of the program satisfies all these goals at the +same time. + +In the end, the following test suites are automatically generated for +testing the PID controller. A test suite consists of a sequence of input +parameters that are passed to the PID function `climb_pid_run` at each +loop iteration. For example, Test 1 covers the MC/DC goal with +id="climb\_pid\_run.coverage.1". The complete output from CBMC is in +[pid\_test\_suites.xml](pid_test_suites.xml), where every test suite and +the coverage goals it is for are clearly described. + + Test suite: + Test 1. + (iteration 1) desired_climb=-1.000000f, estimator_z_dot=1.000000f + + Test 2. + (iteration 1) desired_climb=-1.000000f, estimator_z_dot=1.000000f + (iteration 2) desired_climb=1.000000f, estimator_z_dot=-1.000000f + + Test 3. + (iteration 1) desired_climb=0.000000f, estimator_z_dot=-1.000000f + (iteration 2) desired_climb=1.000000f, estimator_z_dot=-1.000000f + + Test 4. + (iteration 1) desired_climb=1.000000f, estimator_z_dot=-1.000000f + (iteration 2) desired_climb=1.000000f, estimator_z_dot=-1.000000f + (iteration 3) desired_climb=1.000000f, estimator_z_dot=-1.000000f + (iteration 4) desired_climb=1.000000f, estimator_z_dot=-1.000000f + (iteration 5) desired_climb=0.000000f, estimator_z_dot=-1.000000f + (iteration 6) desired_climb=1.000000f, estimator_z_dot=-1.000000f + + Test 5. + (iteration 1) desired_climb=-1.000000f, estimator_z_dot=1.000000f + (iteration 2) desired_climb=-1.000000f, estimator_z_dot=1.000000f + (iteration 3) desired_climb=-1.000000f, estimator_z_dot=1.000000f + (iteration 4) desired_climb=-1.000000f, estimator_z_dot=1.000000f + (iteration 5) desired_climb=-1.000000f, estimator_z_dot=1.000000f + (iteration 6) desired_climb=-1.000000f, estimator_z_dot=1.000000f + +The option `--unwind 6` unwinds the loop inside the main function body +six times. In order to achieve the complete coverage on all the +instrumented goals in the PID function `climb_pid_run`, the loop must be +unwound sufficient enough times. For example, `climb_pid_run` needs to +be called at least six times for evaluating the condition +`climb_sum_err>MAX_CLIMB_SUM_ERR` in line 48 to *true*. This corresponds +to the Test 5. An introduction to the use of loop unwinding can be found +in [Understanding Loop Unwinding](cbmc-loops.shtml). + +In this small tutorial, we present the automatic test suite generation +functionality of CBMC, by applying the MC/DC code coverage criterion to +a PID controller case study. In addition to `--cover mcdc`, other +coverage criteria like `branch`, `decision`, `path` etc. are also +available when calling CBMC. + +### Coverage Criteria + +The table below summarizes the coverage criteria that CBMC supports. + +Criterion |Definition +----------|---------- +assertion |For every assertion, generate a test that reaches it +location |For every location, generate a test that reaches it +branch |Generate a test for every branch outcome +decision |Generate a test for both outcomes of every Boolean expression that is not an operand of a propositional connective +condition |Generate a test for both outcomes of every Boolean expression +mcdc |Modified Condition/Decision Coverage (MC/DC) +path |Bounded path coverage +cover |Generate a test for every `__CPROVER_cover` statement + + +\section man_satabs SATABS---Predicate Abstraction with SAT + +\subsection man_satabs-overview Overview + +This section describes SATABS from the point of view of the user. To +learn about the technology implemented in SATABS, read +\ref man_satabs-background "this". + +We assume you have already installed SATABS and the necessary support +files on your system. If not so, please follow +\ref man_install-satabs "these instructions". + +While users of SATABS almost never have to be concerned about the +underlying refinement abstraction algorithms, understanding the classes +of properties that can be verified is crucial. Predicate abstraction is +most effective when applied to *control-flow dominated properties*. As +an example, reconsider the following program (lock-example-fixed.c): + + _Bool nondet_bool(); + _Bool LOCK = 0; + + _Bool lock() { + if(nondet_bool()) { + assert(!LOCK); + LOCK=1; + return 1; } + + return 0; + } + + void unlock() { + assert(LOCK); + LOCK=0; + } + + int main() { + unsigned got_lock = 0; + int times; + + while(times > 0) { + if(lock()) { + got_lock++; + /* critical section */ + } + + if(got_lock!=0) { + unlock(); + got_lock--; + } + + times--; + } + } + +The two assertions in the program model that the functions `lock()` and +`unlock()` are called in the right order. Note that the value of `times` +is chosen non-deterministically and is not bounded. The program has no +run-time bound, and thus, unwinding the code with CBMC will never +terminate. + +### Working with Claims + +The two assertions will give rise to two *properties*. Each property is +associated to a specific line of code, i.e., a property is violated when +some condition can become false at the corresponding program location. +SATABS will generate a list of all properties for the programs as +follows: + + satabs lock-example-fixed.c --show-properties + +SATABS will list two properties; each property corresponds to one of the +two assertions. We can use SATABS to verify both properties as follows: + + satabs lock-example-fixed.c + +SATABS will conclude the verification successfully, that is, both +assertions hold for execution traces of any length. + +By default, SATABS attempts to verify all properties at once. A single +property can be verified (or refuted) by using the `--property id` +option of SATABS, where `id` denotes the identifier of the property in +the list obtained by calling SATABS with the `--show-properties` flag. +Whenever a property is violated, SATABS reports a feasible path that +leads to a state in which the condition that corresponds to the violated +property evaluates to false. + +\subsection man_satabs-libraries Programs that use Libraries + +SATABS cannot check programs that use functions that are only available +in binary (compiled) form (this restriction is not imposed by the +verification algorithms that are used by SATABS – they also work on +assembly code). The reason is simply that so far no assembly language +frontend is available for SATABS. At the moment, (library) functions for +which no C source code is available have to be replaced by stubs. The +usage of stubs and harnesses (as known from unit testing) also allows to +check more complicated properties (like, for example, whether function +`fopen` is always called before `fclose`). This technique is explained +in detail in the \ref man_satabs-tutorials "SATABS tutorials". + +\subsection man_satabs-unit-test Unit Testing with SATABS + +The example presented \ref man_satabs-tutorial-driver "here" is +obviously a toy example and can hardly be used to convince your project +manager to use static verification in your next project. Even though we +recommend to use formal verification and specification already in the +early phases of your project, the sad truth is that in most projects +verification (of any kind) is still pushed to the very end of the +development cycle. Therefore, this section is dedicated to the +verification of legacy code. However, the techniques presented here can +also be used for *unit testing*. + +Unit testing is used in most software development projects, and static +verification with SATABS can be very well combined with this technique. +Unit testing relies on a number test cases that yield the desired code +coverage. Such test cases are implemented by a software testing engineer +in terms of a test harness (aka test driver) and a set of function +stubs. Typically, a slight modification to the test harness allows it to +be used with SATABS. Replacing the explicit input values with +non-deterministic inputs (as explained in +\ref man_satabs-tutorial-aeon "here" and +\ref man_satabs-tutorial-driver "here")) guarantees that SATABS will try +to achieve **full** path and state coverage (due to the fact that +predicate abstraction implicitly detects equivalence classes). However, +it is not guaranteed that SATABS terminates in all cases. Keep in mind +that you must not make any assumptions about the validity of the +properties if SATABS did not run to completion! + +### Further Reading + +- [Model Checking Concurrent Linux Device + Drivers](http://www.kroening.com/publications/view-publications-wbwk2007.html) +- [SATABS: SAT-based Predicate Abstraction for + ANSI-C](http://www-2.cs.cmu.edu/~svc/papers/view-publications-cksy2005.html) +- [Predicate Abstraction of ANSI-C Programs using + SAT](http://www-2.cs.cmu.edu/~svc/papers/view-publications-cksy2004.html) + +\subsection man_satabs-background Background + +### Sound Abstractions + +This section provides background information on how SATABS operates. +Even for very trivial C programs it is impossible to exhaustively +examine their state space (which is potentially unbounded). However, not +all details in a C program necessarily contribute to a bug, so it may be +sufficient to only examine those parts of the program that are somehow +related to a bug. + +In practice, many static verification tools (such as `lint`) try to +achieve this goal by applying heuristics. This approach comes at a cost: +bugs might be overlooked because the heuristics do not cover all +relevant aspects of the program. Therefore, the conclusion that a +program is correct whenever such a static verification tool is unable to +find an error is invalid. + +\image html cegar-1.png "CEGAR Loop" + +A more sophisticated approach that has been very successful recently is +to generate a *sound* abstraction of the original program. In this +context, *soundness* refers to the fact that the abstract program +contains (at least) all relevant behaviors (i.e., bugs) that are present +in the original program. In the Figure above, the first component strips +details from the original program. The number of possible behaviors +increases as the number of details in the abstract program decreases. +Intuitively, the reason is that whenever the model checking tool lacks +the information that is necessary to make an accurate decision on +whether a branch of an control flow statement can be taken or not, both +branches have to be considered. + +In the resulting *abstract program*, a set of concrete states is +subsumed by means of a single abstract state. Consider the following +figure: + +![](states.png) + +The concrete states *x*~1~ and *x*~2~ are mapped to an abstract state +*X*, and similarly *Y* subsumes *y*~1~ and *y*~2~. However, all +transitions that are possible in the concrete program are also possible +in the abstract model. The abstract transition *X* → *Y* summarizes the +concrete transitions *x*~1~ → *y*~1~ and *x*~1~ → *x*~1~, and *Y* → *X* +corresponds to *x*~1~ → *x*~2~. The behavior *X* → *Y* → *X* is feasible +in the original program, because it maps to *x*~1~ → *x*~1~ → *x*~2~. +However, *Y* → *X* → *Y* is feasible only in the abstract model. + +### Spurious Counterexamples + +The consequence is that the model checker (component number two in the +figure above) possibly reports a *spurious* counterexample. We call a +counterexample spurious whenever it is feasible in the current abstract +model but not in the original program. However, whenever the model +checker is unable to find an execution trace that violates the given +property, we can conclude that there is no such trace in the original +program, either. + +The feasibility of counterexamples is checked by *symbolic simulation* +(performed by component three in the figure above). If the +counterexample is indeed feasible, SATABS found a bug in the original +program and reports it to the user. + +### Automatic Refinement + +On the other hand, infeasible counterexamples (that originate from +abstract behaviors that result from the omission of details and are not +present in the original program) are never reported to the user. +Instead, the information is used in order to refine the abstraction such +that the spurious counterexample is not part of the refined model +anymore. For instance, the reason for the infeasibility of *Y* → *X* → +*Y* is that neither *y*~1~ nor *x*~1~ can be reached from *x*~2~. +Therefore, the abstraction can be refined by partitioning *X*. + +The refinement steps can be illustrated as follows: + +![Iterative refinement](refinement.png) + +The first step (1) is to generate a very coarse abstraction with a very +small state space. This abstraction is then successively refined (2, 3, +...) until either a feasible counterexample is found or the abstract +program is detailed enough to show that there is no path that leads to a +violation of the given property. The problem is that this point is not +necessarily reached for every input program, i.e., it is possible that +the the abstraction refinement loop never terminates. Therefore, SATABS +allows to specify an upper bound for the number of iterations. + +When this upper bound is reached and no counterexample was found, this +does not necessarily mean that there is none. In this case, you cannot +make any conclusions at all with respect to the correctness of the input +program. + +\subsection man_satabs-tutorials Tutorials + +We provide an introduction to model checking "real" C programs with +SATABS using two small examples. + +\subsubsection man_satabs-tutorial-driver Reference Counting in Linux Device Drivers + +Microsoft's [SLAM](http://research.microsoft.com/SLAM) toolkit has been +successfully used to find bugs in Windows device drivers. SLAM +automatically verifies device driver whether a device driver adheres to +a set of specifications. SLAM provides a test harness for device drivers +that calls the device driver dispatch routines in a non-deterministic +order. Therefore, the Model Checker examines all combinations of calls. +Motivated by the success this approach, we provide a toy example based +on Linux device drivers. For a more complete approach to the +verification of Linux device drivers, consider +[DDVerify](http://www.cprover.org/ddverify/). + +Dynamically loadable modules enable the Linux Kernel to load device +drivers on demand and to release them when they are not needed anymore. +When a device driver is registered, the kernel provides a major number +that is used to uniquely identify the device driver. The corresponding +device can be accessed through special files in the filesystem; by +convention, they are located in the `/dev` directory. If a process +accesses a device file the kernel calls the corresponding `open`, `read` +and `write` functions of the device driver. Since a driver must not be +released by the kernel as long as it is used by at least one process, +the device driver must maintain a usage counter (in more recent Linux +kernels, this is done automatically, however, drivers that must maintain +backward compatibility have to adjust this counter). + +We provide a skeleton of such a driver. Download the files +assets/spec.c, assets/driver.c, assets/driver.h, assets/kdev_t.h, and +assets/modules.h. + +The driver contains following functions: + +1. `register_chrdev`: (in assets/spec.c) Registers a character device. + In our implementation, the function sets the variable `usecount` to + zero and returns a major number for this device (a constant, if the + user provides 0 as argument for the major number, and the value + specified by the user otherwise). + + int usecount; + + int register_chrdev (unsigned int major, const char* name) + { + usecount = 0; + if (major == 0) + return MAJOR_NUMBER; + return major; + } + +2. `unregister_chrdev`: (in assets/spec.c) Unregisters a character + device. This function asserts that the device is not used by any + process anymore (we use the macro `MOD_IN_USE` to check this). + + int unregister_chrdev (unsigned int major, const char* name) + { + if (MOD_IN_USE) + { + ERROR: assert (0); + } + else + return 0; + } + +3. `dummy_open`: (in assets/driver.c) This function increases the + `usecount`. If the device is locked by some other process + `dummy_open` returns -1. Otherwise it locks the device for the + caller. + +4. `dummy_read`: (in assets/driver.c) This function "simulates" a read + access to the device. In fact it does nothing, since we are + currently not interested in the potential buffer overflow that may + result from a call to this function. Note the usage of the function + `nondet_int`: This is an internal SATABS-function that + non­determi­nistically returns an arbitrary integer value. The + function `__CPROVER_assume` tells SATABS to ignore all traces that + do not adhere to the given assumption. Therefore, whenever the lock + is held, `dummy_read` will return a value between 0 and `max`. If + the lock is not held, then `dummy_read` returns -1. + +5. `dummy_release`: (in assets/driver.c) If the lock is held, then + `dummy_release` decreases the `usecount`, releases the lock, and + returns 0. Otherwise, the function returns -1. + +We now want to check if any *valid* sequence of calls of the dispatch +functions (in driver.c) can lead to the violation of the assertion (in +assets/spec.c). Obviously, a call to `dummy_open` that is immediately +followed by a call to `unregister_chrdev` violates the assertion. + +The function `main` in spec.c gives an example of how these functions +are called. First, a character device "`dummy`" is registered. The major +number is stored in the `inode` structure of the device. The values for +the file structure are assigned non-deterministically. We rule out +invalid sequences of calls by ensuring that no device is unregistered +while it is still locked. We use the following model checking harness +for calling the dispatching functions: + + random = nondet_uchar (); + __CPROVER_assume (0 <= random && random <= 3); + + switch (random) + { + case 1: + rval = dummy_open (&inode, &my_file); + if (rval == 0) + lock_held = TRUE; + break; + case 2: + __CPROVER_assume (lock_held); + count = dummy_read (&my_file, buffer, BUF_SIZE); + break; + case 3: + dummy_release (&inode, &my_file); + lock_held = FALSE; + break; + default: + break; + } + +The variable `random` is assigned non-deterministically. Subsequently, +the value of `random` is restricted to be 0 &le `random` ≤ 3 by a call +to `__CPROVER_assume`. Whenever the value of `random` is not in this +interval, the corresponding execution trace is simply discarded by +SATABS. Depending on the value of `random`, the harness calls either +`dummy_open`, `dummy_read` or `dummy_close`. Therefore, if there is a +sequence of calls to these three functions that leads to a violation of +the assertion in `unregister_chrdev`, then SATABS will eventually +consider it. + +If we ask SATABS to show us the properties it verifies with + + satabs driver.c spec.c --show-properties + +for our example, we obtain + +1. Claim unregister\_chrdev.1:\ +     file spec.c line 18 function unregister\_chrdev\ +     MOD\_IN\_USE in unregister\_chrdev\ +     FALSE + +2. Claim dummy\_open.1:\ +     file driver.c line 15 function dummy\_open\ +     i\_rdev mismatch\ +     (unsigned int)inode->i\_rdev >> 8 == (unsigned + int)dummy\_major + +It seems obvious that the property dummy\_open.1 can never be violated. +SATABS confirms this assumption: We call + + satabs driver.c spec.c --property dummy_open.1 + +and SATABS reports `VERIFICATION SUCCESSFUL` after a few iterations. + +If we try to verify property unregister\_chrdev.1, SATABS reports that +the property in line 18 in file spec.c is violated (i.e., the assertion +does not hold, therefore the `VERIFICATION FAILED`). Furthermore, SATABS +provides a detailed description of the problem in the form of a +counterexample (i.e., an execution trace that violates the property). On +this trace, `dummy_open` is called **twice**, leading to a `usecount` of 2. +The second call of course fails with `rval=-1`, but the counter is +increased nevertheless: + + int dummy_open (struct inode *inode, struct file *filp) + { + __CPROVER_assert(MAJOR (inode->i_rdev) == dummy_major, + "i_rdev mismatch"); + MOD_INC_USE_COUNT; + + if (locked) + return -1; + locked = TRUE; + + return 0; /* success */ + } + +Then, `dummy_release` is called to release the lock on the device. +Finally, the loop is left and the call to `unregister_chrdev` results in +a violation of the assertion (since `usecount` is still 1, even though +`locked=0`). + +\subsubsection man_satabs-tutorial-aeon Buffer Overflow in a Mail Transfer Agent + +We explain how to model check Aeon version 0.2a, a small mail transfer +agent written by Piotr Benetkiewicz. The description advertises Aeon as +a "*good choice for **hardened** or minimalistic boxes*". The sources +are available +[here](http://www.cprover.org/satabs/examples/loop_detection/aeon-0.2a.tar.gz). + +Our first naive attempt to verify Aeon using + + satabs *.c + +produces a positive result, but also warns us that the property holds +trivially. It also reveals that a large number library functions are +missing: SATABS is unable to find the source code for library functions +like `send`, `write` and `close`. + +Now, do you have to provide a body for all missing library functions? +There is no easy answer to this question, but a viable answer would be +"most likely not". It is necessary to understand how SATABS handles +functions without bodies: It simply assumes that such a function returns +an arbitrary value, but that no other locations than the one on the left +hand side of the assignment are changed. Obviously, there are cases in +which this assumption is un­sound, since the function potentially +modifies all memory locations that it can somehow address. + +We now use static analysis to generate array bounds checks for Aeon: + + satabs *.c --pointer-check --bounds-check --show-properties + +SATABS will show about 300 properties in various functions (read +\ref man_instrumentation-properties "this" for more information on the +property instrumentation). Now consider the first few lines of the +`main` function of Aeon: + + int main(int argc, char **argv) + { + char settings[MAX_SETTINGS][MAX_LEN]; + ... + numSet = getConfig(settings); + if (numSet == -1) { + logEntry("Missing config file!"); + exit(1); + } + ... + +and the function `getConfig` in `lib_aeon.c`: + + int getConfig(char settings[MAX_SETTINGS][MAX_LEN]) + { + char home[MAX_LEN]; + FILE *fp; /* .rc file handler */ + int numSet = 0; /* number of settings */ + + strcpy(home, getenv("HOME")); /* get home path */ + strcat(home, "/.aeonrc"); /* full path to rc file */ + fp = fopen(home, "r"); + if (fp == NULL) return -1; /* no cfg - ERROR */ + while (fgets(settings[numSet], MAX_LEN-1, fp) + && (numSet < MAX_SETTINGS)) numSet++; + fclose(fp); + + return numSet; + } + +The function `getConfig` makes calls to `strcpy`, `strcat`, `getenv`, +`fopen`, `fgets`, and `fclose`. It is very easy to provide an +implementation for the functions from the string library (string.h), and +SATABS comes with meaningful definitions for most of them. The +definition of `getenv` is not so straight-forward. The man-page of +`getenv` (which we obtain by entering `man 3 getenv` in a Unix or cygwin +command prompt) tells us: + + `` `getenv' `` searches the list of en­vi­ron­ment variable names + and values (using the global pointer `char **environ`) for a + variable whose name matches the string at `NAME`. If a variable name + matches, `getenv` returns a pointer to the associated value. + +SATABS has no information whatsoever about the content of `environ`. +Even if SATABS could access the environment variables on your +computer, a successful verification of `Aeon` would then only guarantee +that the properties for this program hold on your computer with a +specific set of en­vi­ron­ment variables. We have to assume that +`environ` contains en­vi­ron­ment variables that have an arbitrary +content of arbitrary length. The content of en­vi­ron­ment variables is +not only arbitrary but could be malefic, since it can be modified by the +user. The approximation of the behavior of `getenv` that is shipped with +SATABS completely ignores the content of the string. + +Now let us have another look at the properties that SATABS generates for +the models of the the string library and for `getenv`. Most of these +properties require that we verify that the upper and lower bounds of +buffers or arrays are not violated. Let us look at one of the properties +that SATABS generates for the code in function `getConfig`: + + Claim getConfig.3:   file lib_aeon.c line 19 function getConfig   dereference failure: NULL plus offset pointer   !(SAME-OBJECT(src, NULL))` + +The model of the function `strcpy` dereferences the pointer returned by +`getenv`, which may return a NULL pointer. This possibility is detected +by the static analysis, and thus a corresponding property is generated. +Let us check this specific property: + + satabs *.c --pointer-check --bounds-check --property getConfig.3 + +SATABS immediately returns a counterexample path that demonstrates how +`getenv` returns a NULL, which is subsequently dereferenced. We have +identified the first bug in this program: it requires that the +environment variable HOME is set, and crashes otherwise. + +Let us examine one more property in the same function: + + Claim getConfig.7:   file lib_aeon.c line 19 function getConfig   dereference failure: array `home' upper bound   !(POINTER_OFFSET(dst) + (int)i >= 512) || !(SAME-OBJECT(dst, &home[0])) + +This property asserts that the upper bound of the array `home` is not +violated. The variable `home` looks familiar: We encountered it in the +function `getConfig` given above. The function `getenv` in combination +with functions `strcpy`, `strcat` or `sprintf` is indeed often the +source for buffer overflows. Therefore, we try to use SATABS to check +the upper bound of the array `home`: + + satabs *.c --pointer-check --bounds-check --property getConfig.7 + +SATABS runs for quite a while and will eventually give up, telling us +that its upper bound for abstraction refinement iterations has been +exceeded. This is not exactly the result we were hoping for, and we +could now increase the bound for iterations with help of the +`--iterations` command line switch of SATABS. + +Before we do this, let us investigate why SATABS has failed to provide a +useful result. The function `strcpy` contains a loop that counts from 1 +to the length of the input string. Predicate abstraction, the mechanism +SATABS is based on, is unable to detect such loops and will therefore +unroll the loop body as often as necessary. The array `home` has +`MAX_LEN` elements, and `MAX_LEN` is defined to be 512 in `aeon.h`. +Therefore, SATABS would have to run through at least 512 iterations, +only to verify (or reject) one of the more than 300 properties! Does +this fact defeat the purpose of static verification? + +We can make the job easier: after reducing the value of `MAX_LEN` in +`aeon.h` to a small value, say to 10, SATABS provides a counterexample +trace that demonstrates how the buffer overflow be reproduced. If you +use the Eclipse plugin (as described \ref man_install-eclipse "here"), +you can step through this counterexample. The trace contains the string +that is returned by `getenv`. + + +\section man_modelling Modelling + +\subsection man_modelling-nondet Nondeterminism + +### Rationale + +Programs typically read inputs from an environment. These inputs can +take the form of data read from a file, keyboard or network socket, or +arguments passed on the command line. It is usually desirable to analyze +the program for any choice of these inputs. In Model Checking, inputs +are therefore modeled by means of *nondeterminism*, which means that the +value of the input is not specified. The program may follow any +computation that results from any choice of inputs. + +### Sources of Nondeterminism + +The CPROVER tools support the following sources of nondeterminism: + +- functions that read inputs from the environments; +- the thread schedule in concurrent programs; +- initial values of local-scoped variables and memory allocated with + `malloc`; +- initial values of variables that are `extern` in all compilation + units; +- explicit functions for generating nondeterminism. + +The CPROVER tools are shipped with a number of stubs for the most +commonly used library functions. When executing a statement such as +`getchar()`, a nondeterministic value is chosen instead of reading a +character from the keyboard. + +When desired, nondeterminism can be introduced explicitly into the +program by means of functions that begin with the prefix `nondet_`. As +an example, the following function returns a nondeterministically chosen +unsigned short int: + + unsigned short int nondet_ushortint(); + +Note that the body of the function is not defined. The name of the +function itself is irrelevant (save for the prefix), but must be unique. +Also note that a nondeterministic choice is not to be confused with a +probabilistic (or random) choice. + +### Uninterpreted Functions + +It may be necessary to check parts of a program independently. +Nondeterminism can be used to over-approximate the behaviour of part of +the system which is not being checked. Rather than calling a complex or +unrelated function, a nondeterministic stub is used. However, separate +calls to the function can return different results, even for the same +inputs. If the function output only depends on its inputs then this can +introduce spurious errors. To avoid this problem, functions whose names +begin with the prefix `__CPROVER_uninterpreted_` are treated as +uninterpreted functions. Their value is non-deterministic but different +invocations will return the same value if their inputs are the same. +Note that uninterpreted functions are not supported by all back-end +solvers. + +\subsection man_modelling-assumptions Modeling with Assertions and Assumptions + +### Assertions + +[Assertions](http://en.wikipedia.org/wiki/Assertion_%28computing%29) are +statements within the program that attempt to capture the programmer's +intent. The ANSI-C standard defines a header file +[assert.h](http://en.wikipedia.org/wiki/Assert.h), which offers a macro +`assert(cond)`. When executing a statement such as + + assert(p!=NULL); + +the execution is aborted with an error message if the condition +evaluates to *false*, i.e., if `p` is NULL in the example above. The +CPROVER tools can check the validity of the programmer-annotated +assertions statically. Specifically, the CPROVER tools will check that +the assertions hold for *any* nondeterministic choice that the program +can make. The static assertion checks can be disabled using the +`--no-assertions` command line option. + +In addition, there is a CPROVER-specific way to specify assertions, +using the built-in function `__CPROVER_assert`: + + __CPROVER_assert(p!=NULL, "p is not NULL"); + +The (mandatory) string that is passed as the second argument provides an +informal description of the assertion. It is shown in the list of +properties together with the condition. + +The assertion language of the CPROVER tools is identical to the language +used for expressions. Note that \ref man_modelling-nondet +"nondeterminism" +can be exploited in order to check a range of choices. As an example, +the following code fragment asserts that **all** elements of the array +are zero: + + int a[100], i; + + ... + + i=nondet_uint(); + if(i>=0 && i<100) + assert(a[i]==0); + +The nondeterministic choice will guess the element of the array that is +nonzero. The code fragment above is therefore equivalent to + + int a[100], i; + + ... + + for(i=0; i<100; i++) + assert(a[i]==0); + +Future CPROVER releases will support explicit quantifiers with a syntax +that resembles Spec\#: + + __CPROVER_forall { *type identifier* ; *expression* } + __CPROVER_exists { *type identifier* ; *expression* } + +### Assumptions + +Assumptions are used to restrict nondeterministic choices made by the +program. As an example, suppose we wish to model a nondeterministic +choice that returns a number from 1 to 100. There is no integer type +with this range. We therefore use \_\_CPROVER\_assume to restrict the +range of a nondeterministically chosen integer: + + unsigned int nondet_uint(); + + unsigned int one_to_hundred() + { + unsigned int result=nondet_uint(); + __CPROVER_assume(result>=1 && result<=100); + return result; + } + +The function above returns the desired integer from 1 to 100. You must +ensure that the condition given as an assumption is actually satisfiable +by some nondeterministic choice, or otherwise the model checking step +will pass vacuously. + +Also note that assumptions are never retroactive: They only affect +assertions (or other properties) that follow them in program order. This +is best illustrated with an example. In the following fragment, the +assumption has no effect on the assertion, which means that the +assertion will fail: + + x=nondet_uint(); + assert(x==100); + __CPROVER_assume(x==100); + +Assumptions do restrict the search space, but only for assertions that +follow. As an example, the following program will pass: + + int main() { + int x; + + __CPROVER_assume(x>=1 && x<=100000); + + x*=-1; + + __CPROVER_assert(x<0, "x is negative"); + } + +Beware that nondeterminism cannot be used to obtain the effect of +universal quantification in assumptions. As an example, + + int main() { + int a[10], x, y; + + x=nondet_int(); + y=nondet_int(); + __CPROVER_assume(x>=0 && x<10 && y>=0 && y<10); + + __CPROVER_assume(a[x]>=0); + + assert(a[y]>=0); + } + +fails, as there is a choice of x and y which results in a counterexample +(any choice in which x and y are different). + +\subsection man_modelling-pointers Pointer Model + +### Pointers in C + +C programs (and sometimes C++ programs as well) make intensive use of +pointers in order to decouple program code from specific data. A pointer +variable does not store data such as numbers or letters, but instead +points to a location in memory that hold the relevant data. This section +describes the way the CPROVER tools model pointers. + +### Objects and Offsets + +The CPROVER tools represent pointers as a pair. The first member of the +pair is the *object* the pointer points to, and the second is the offset +within the object. + +In C, objects are simply continuous fragments of memory (this definition +of "object" is not to be confused with the use of the term in +object-oriented programming). Variables of any type are guaranteed to be +stored as one object, irrespectively of their type. As an example, all +members of a struct or array belong to the same object. CPROVER simply +assigns a number to each active object. The object number of a pointer +`p` can be extracted using the expression `__CPROVER_POINTER_OBJECT(p)`. +As a consequence, pointers to different objects are always different, +which is not sound. + +The offset (the second member of the pair that forms a pointer) is +relative to the beginning of the object; it uses byte granularity. As an +example, the code fragment + + unsigned array[10]; + char *p; + + p=(char *)(array+1); + p++; + +will result in a pointer with offset 5. The offset of a pointer `p` can +be extracted using the expression `__CPROVER_POINTER_OFFSET(p)`. + +### Dereferencing Pointers + +The CPROVER tools require that pointers that are dereferenced point to a +valid object. Assertions that check this requirement can be generated +using the option --pointer-check and, if desired, --bounds-check. These +options will ensure that NULL pointers are not dereferenced, and that +dynamically allocated objects have not yet been deallocated. + +Furthermore, the CPROVER tools check that dynamically allocated memory +is not deallocated twice. The goto-instrument tool is also able to add +checks for memory leaks, i.e., it detects dynamically allocated objects +that are not deallocated once the program terminates. + +The CPROVER tools support pointer typecasts. Most casts are supported, +with the following exceptions: + +1. One notable exception is that pointers can only be accessed using a + pointer type. The conversion of a pointer into an integer-type using + a pointer typecast is not supported. + +2. Casts from integers to pointers yield a pointer that is either NULL + (if the integer is zero) or that point into a special array for + modeling [memory-mapped + I/O](http://en.wikipedia.org/wiki/Memory-mapped_I/O). Such pointers + are assumed not to overlap with any other objects. This is, of + course, only sound if a corresponding range check is instrumented. + +3. Accesses to arrays via pointers that have the array subtype need to + be well-aligned. + +### Pointers in Open Programs + +It is frequently desired to validate an open program, i.e., a fragment +of a program. Some variables are left undefined. In case an undefined +pointer is dereferenced, CBMC assumes that the pointer points to a +separate object of appropriate type with unbounded size. The object is +assumed not to alias with any other object. This assumption may +obviously be wrong in specific extensions of the program. + +\subsection man_modelling-floating-point Floating Point + +The CPROVER tools support bit-accurate reasoning about IEEE-754 +floating-point and fixed-point arithmetic. The C standard contains a +number of areas of implementation-defined behaviour with regard to +floating-point arithmetic: + +- CPROVER supports C99 Appendix F, and thus, the `__STD_IEC_559__` + macro is defined. This means that the C `float` data type maps to + IEEE 754 `binary32` and `double` maps to `binary64` and operations + on them are as specified in IEEE 754. + +- `long double` can be configured to be `binary64`, `binary128` + (quad precision) or a 96 bit type with 15 exponent bits and 80 + significant bits. The last is an approximation of Intel's x87 + extended precision double data type. As the C standard allows a + implementations a fairly wide set of options for `long double`, it + is best avoided for both portable code and bit-precise analysis. The + default is to match the build architecture as closely as possible. + +- In CPROVER, floating-point expressions are evaluated at the 'natural + precision' (the greatest of the arguments) and not at a + higher precision. This corresponds to `FLT_EVAL_METHOD` set to `0`. + Note that this is a different policy to some platforms (see below). + +- Expression contraction (for example, converting `x * y + c` to + `fma(x,y,c)`) is not performed. In effect, the `FP_CONTRACT` pragma + is always off. + +- Constant expressions are evaluated at \`run' time wherever possible + and so will respect changes in the rounding mode. In effect, the + `FENV_ACCESS` pragma is always off. Note that floating point + constants are treated as doubles (unless they are followed by `f` + when they are float) as specified in the C standard. `goto-cc` + supports `-fsingle-precision-constant`, which allows + the (non-standard) treatment of constants as floats. + +- Casts from int to float and float to float make use of the current + rounding mode. Note that the standard requires that casts from float + to int use round-to-zero (i.e. truncation). + +### x86 and Other Platform-specific Issues + +Not all platforms have the same implementation-defined behaviour as +CPROVER. This can cause mismatches between the verification environment +and the execution environment. If this occurs, check the compiler manual +for the choices listed above. There are two common cases that can cause +these problems: 32-bit x86 code and the use of unsafe optimisations. + +Many compilers that target 32-bit x86 platforms employ a different +evaluation method. The extended precision format of the x87 unit is used +for all computations regardless of their native precision. Most of the +time, this results in more accurate results and avoids edge cases. +However, it can result in some obscure and difficult to debug behaviour. +Checking if the `FLT_EVAL_METHOD` macro is non-zero (for these platforms +it will typically be 2), should warn of these problems. Changing the +compiler flags to use the SSE registers will resolve many of them, give +a more standards-compliant platform and will likely perform better. Thus +it is *highly* recommended. Use `-msse2 -mfpmath=sse` to enable this +option for GCC. Visual C++ does not have an option to force the +exclusive use of SSE instructions, but `/arch:SSE2` will pick SSE +instructions "when it \[the compiler\] determines that it is faster to +use the SSE/SSE2 instructions" and is thus better than `/arch:IA32`, +which exclusively uses the x87 unit. + +The other common cause of discrepancy between CPROVER results and the +actual platform are the use of unsafe optimisations. Some higher +optimisation levels enable transformations that are unsound with respect +to the IEEE-754 standard. Consult the compiler manual and disable any +optimisations that are described as unsafe (for example, the GCC options +`-ffast-math`). The options `-ffp-contract=off` (which replaces +`-mno-fused-madd`), `-frounding-math` and `-fsignaling-nans` are needed +for GCC to be strictly compliant with IEEE-754. + +### Rounding Mode + +CPROVER supports the four rounding modes given by IEEE-754 1985; round +to nearest (ties to even), round up, round down and round towards zero. +By default, round to nearest is used. However, command line options +(`--round-to-zero`, etc.) can be used to over-ride this. If more control +is needed, CPROVER has models of `fesetround` (for POSIX systems) and +`_controlfp` (for Windows), which can be used to change the rounding +mode during program execution. Furthermore, the inline assembly commands +fstcw/fnstcw/fldcw (on x86) can be used. + +The rounding mode is stored in the (thread local) variable +`__CPROVER_rounding_mode`, but users are strongly advised not to use +this directly. + +### Math Library + +CPROVER implements some of `math.h`, including `fabs`, `fpclassify` and +`signbit`. It has very limited support for elementary functions. Care +must be taken when verifying properties that are dependent on these +functions as the accuracy of implementations can vary considerably. The +C compilers can (and many do) say that the accuracy of these functions +is unknown. + +### Fixed-point Arithmetic + +CPROVER also has support for fixed-point types. The `--fixedbv` flag +switches `float`, `double` and `long double` to fixed-point types. The +length of these types is platform specific. The upper half of each type +is the integer component and the lower half is the fractional part. + + +\section man_hard-soft Hardware and Software Equivalence and Co-Verification + +\subsection man_hard-soft-introduction Introduction + +A common hardware design approach employed by many companies is to first +write a quick prototype that behaves like the planned circuit in a +language like ANSI-C. This program is then used for extensive testing +and debugging, in particular of any embedded software that will later on +be shipped with the circuit. An example is the hardware of a cell phone +and its software. After testing and debugging of the program, the actual +hardware design is written using hardware description languages like +[VHDL](http://en.wikipedia.org/wiki/VHDL) or +[Verilog](http://en.wikipedia.org/wiki/Verilog). + +Thus, there are two implementations of the same design: one written in +ANSI-C, which is written for simulation, and one written in register +transfer level HDL, which is the actual product. The ANSI-C +implementation is usually thoroughly tested and debugged. + +Due to market constraints, companies aim to sell the chip as soon as +possible, i.e., shortly after the HDL implementation is designed. There +is usually little time for additional debugging and testing of the HDL +implementation. Thus, an automated, or nearly automated way of +establishing the consistency of the HDL implementation is highly +desirable. + +This motivates the verification problem: we want to verify the +consistency of the HDL implementation, i.e., the product, [using the +ANSI-C implementation as a +reference](http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=936243&userType=inst). +Es­ta­bli­shing the consistency does not re­quire a formal +specification. However, formal methods to verify either the hardware or +software design are still desirable. + +### Related Work + +There have been several attempts in the past to tackle the problem. +[Semeria et al.](http://portal.acm.org/citation.cfm?id=513951) describe +a tool for verifying the combinational equivalence of RTL-C and an HDL. +They translate the C code into HDL and use standard equivalence checkers +to establish the equivalence. The C code has to be very close to a +hardware description (RTL level), which implies that the source and +target have to be implemented in a very similar way. There are also +variants of C specifically for this purpose. The [SystemC +standard](http://en.wikipedia.org/wiki/SystemC) defines a subset of C++ +that can be used for synthesis. Further variants of ANSI-C for +specifying hardware are SpecC and Handel C, among others. + +The concept of verifying the equivalence of a software implementation +and a synchronous transition system was introduced by [Pnueli, Siegel, +and Shtrichman](http://www.springerlink.com/content/ah5lpxaagrjp8ax2/). +The C program is re­quired to be in a very specific form, since a +mechanical translation is assumed. + +In 2000, [Currie, Hu, and +Rajan](http://doi.acm.org/10.1145/337292.337339) transform DSP assembly +language into an equation for the Stanford Validity Checker. The +symbolic execution of programs for comparison with RTL is now common +practice. + +The previous work focuses on a small subset of ANSI-C that is +particularly close to register transfer language. Thus, the designer is +often re­quired to rewrite the C program manually in order to comply +with these constraints. We extend the methodology to handle the full set +of ANSI-C language features. This is a challenge in the presence of +complex, dynamic data structures and pointers that may dynamically point +to multiple objects. Furthermore, our methodology allows arbitrary loop +constructs. + +### Further Material + +We provide a small \ref man_hard-soft-tutorial "tutorial" and a +description on +\ref man_hard-soft-inputs "how to synchronize inputs between the C model and the Verilog model". +There is also a collection of +[benchmark problems](http://www.cprover.org/hardware/sequential-equivalence/) +available. + +Further Reading + +- [Hardware Verification using ANSI-C Programs as a + Reference](http://www-2.cs.cmu.edu/~svc/papers/view-publications-ck03.html) +- [Behavioral Consistency of C and Verilog Programs Using Bounded + Model Checking](http://www-2.cs.cmu.edu/~svc/papers/view-publications-cky03.html) +- [A Tool for Checking ANSI-C + Programs](http://www-2.cs.cmu.edu/~svc/papers/view-publications-ckl2004.html) +- [Checking Consistency of C and Verilog using Predicate Abstraction + and Induction](http://www.kroening.com/publications/view-publications-kc2004.html) + + +\subsection man_hard-soft-tutorial Tutorial + +### Verilog vs. ANSI-C + +We assume that CBMC is installed on your system. If not so, follow +\ref man_install-cbmc "these instructions". + +The following Verilog module implements a 4-bit counter +(counter.v): + + module top(input clk); + + reg [3:0] counter; + + initial counter=0; + + always @(posedge clk) + counter=counter+1; + + endmodule + +HW-CBMC can take Verilog modules as the one above as additional input. +Similar as in co-simulation, the data in the Verilog modules is +available to the C program by means of global variables. For the example +above, the following C fragment shows the definition of the variable +that holds the value of the `counter` register: + + struct module_top { + unsigned int counter; + }; + + extern struct module_top top; + +Using this definition, the value of the `counter` register in the +Verilog fragment above can be accessed as `top.counter`. Please note +that the name of the variable **must** match the name of the top module. +The C program only has a view of one state of the Verilog model. The +Verilog model makes a transition once the function `next_timeframe()` is +called. + +As CBMC performs Bounded Model Checking, the number of timeframes +available for analysis must be bounded (SATABS). As it is desirable to +change the bound to adjust it to the available computing capacity, the +bound is given on the command line and not as part of the C program. +This makes it easy to use only one C program for arbitrary bounds. The +actual bound is available in the C program using the following +declaration: + + extern const unsigned int bound; + +Also note that the fragment above declares a constant variable of struct +type. Thus, the C program can only read the trace values and is not able +to modify them. We will later on describe how to drive inputs of the +Verilog module from within the C program. + +As described in previous chapters, assertions can be used to verify +properties of the Verilog trace. As an example, the following program +checks two values of the trace of the counter module (counter.c): + + void next_timeframe(); + + struct module_top { + unsigned int counter; + }; + + extern struct module_top top; + + int main() { + next_timeframe(); + next_timeframe(); + assert(top.counter==2); + next_timeframe(); + assert(top.counter==3); + } + +The following CBMC command line checks these assertions with a bound of +20: + + hw-cbmc counter.c counter.v --module top --bound 20 + +Note that a specific version of CBMC is used, called `hw-cbmc`. The +module name given must match the name of the module in the Verilog file. +Multiple Verilog files can be given on the command line. + +The `--bound` parameter is not to be confused with the `--unwind` +parameter. While the `--unwind` parameter specifies the maximum +unwinding depth for loops within the C program, the `--bound` parameter +specifies the number of times the transition relation of the Verilog +module is to be unwound. + +### Counterexamples + +For the given example, the verification is successful. If the first +assertion is changed to + + assert(top.counter==10); + +and the bound on the command line is changed to 6, CBMC will produce a +counterexample. CBMC produces two traces: One for the C program, which +matches the traces described earlier, and a separate trace for the +Verilog module. The values of the registers in the Verilog module are +also shown in the C trace as part of the initial state. + + Initial State + ---------------------------------------------------- + bound=6 (00000000000000000000000000000110) + counter={ 0, 1, 2, 3, 4, 5, 6 } + + Failed assertion: assertion line 6 function main + + Transition system state 0 + ---------------------------------------------------- + counter=0 (0000) + + Transition system state 1 + ---------------------------------------------------- + counter=1 (0001) + + Transition system state 2 + ---------------------------------------------------- + counter=2 (0010) + + Transition system state 3 + ---------------------------------------------------- + counter=3 (0011) + + Transition system state 4 + ---------------------------------------------------- + counter=4 (0100) + + Transition system state 5 + ---------------------------------------------------- + counter=5 (0101) + + Transition system state 6 + ---------------------------------------------------- + counter=6 (0110) + +### Using the Bound + +The following program is using the bound variable to check the counter +value in all cycles: + + void next_timeframe(); + extern const unsigned int bound; + + struct module_top { + unsigned int counter; + }; + + extern struct module_top top; + + int main() { + unsigned cycle; + + for(cycle=0; cycle + #include + + int main() { + printf("sizeof(long int): %d\n", (int)sizeof(long int)); + printf("sizeof(int *): %d\n", (int)sizeof(int *)); + assert(0); + } + +The counterexample trace contains the strings printed by the `printf` +command. + +The effects of endianness are more subtle. Try the following program +with `--big-endian` and `--little-endian`: + + #include + #include + + int main() { + int i=0x01020304; + char *p=(char *)&i; + printf("Bytes of i: %d, %d, %d, %d\n", p[0], p[1], p[2], p[3]); + assert(0); + } + + +\subsection man_instrumentation-properties Property Instrumentation + +### Properties + +We have mentioned *properties* several times so far, but we never +explained *what* kind of properties CBMC and SATABS can verify. We cover +this topic in more detail in this section. + +Both CBMC and SATABS use +[assertions](http://en.wikipedia.org/wiki/Assertion_(computing)) to +specify program properties. Assertions are properties of the state of +the program when the program reaches a particular program location. +Assertions are often written by the programmer by means of the `assert` +macro. + +In addition to the assertions written by the programmer, assertions for +specific properties can also be generated automatically by CBMC and +SATABS, often relieving the programmer from writing "obvious" +assertions. + +CBMC and SATABS come with an assertion generator called +`goto-instrument`, which performs a conservative [static +analysis](http://en.wikipedia.org/wiki/Static_code_analysis) to +determine program locations that potentially contain a bug. Due to the +imprecision of the static analysis, it is important to emphasize that +these generated assertions are only *potential* bugs, and that the Model +Checker first needs to confirm that they are indeed genuine bugs. + +The assertion generator can generate assertions for the verification of +the following properties: + +- **Buffer overflows.** For each array access, check whether the upper + and lower bounds are violated. +- **Pointer safety.** Search for `NULL`-pointer dereferences or + dereferences of other invalid pointers. + +- **Division by zero.** Check whether there is a division by zero in + the program. + +- **Not-a-Number.** Check whether floating-point computation may + result in [NaNs](http://en.wikipedia.org/wiki/NaN). + +- **Unitialized local.** Check whether the program uses an + uninitialized local variable. + +- **Data race.** Check whether a concurrent program accesses a shared + variable at the same time in two threads. + +We refrain from explaining the properties above in detail. Most of them +relate to behaviors that are left undefined by the respective language +semantics. For a discussion on why these behaviors are usually very +undesirable, read [this](http://blog.regehr.org/archives/213) blog post +by John Regehr. + +All the properties described above are *reachability* properties. They +are always of the form + +"*Is there a path through the program such that property ... is +violated?*" + +The counterexamples to such properties are always program paths. Users +of the Eclipse plugin can step through these counterexamples in a way +that is similar to debugging programs. The installation of this plugin +is explained \ref man_install-eclipse "here". + +### Using goto-instrument + +The goto-instrument static analyzer operates on goto-binaries, which is +a binary representation of control-flow graphs. The goto-binary is +extracted from program source code using goto-cc, which is explained +\ref man_instrumentation-goto-cc "here". Given a goto-program, +goto-instrument operates as follows: + +1. A goto-binary is read in. +2. The specified static analyses are performed. +3. Any potential bugs found are transformed into corresponding + assertions, and are added into the program. +4. A new goto-binary (with assertions) is written to disc. + +As an example, we begin with small C program we call `expr.c` (taken +from [here](http://www.spinroot.com/uno/)): + + int *ptr; + + int main(void) { + if (ptr) + *ptr = 0; + if (!ptr) + *ptr = 1; + } + +The program contains an obvious NULL-pointer dereference. We first +compile the example program with goto-cc and then instrument the +resulting goto-binary with pointer checks. + + goto-cc expr.c -o in.gb   goto-instrument in.gb out.gb --pointer-check + +We can now get a list of the assertions that have been generated as +follows: + + goto-instrument out.gb --show-properties + +Using either CBMC or SATABS on `out.gb`, we can obtain a counterexample +trace for the NULL-pointer dereference: + + cbmc out.gb + +The goto-instrument program supports the following checks: + +Flag | Check +-----------------------------|---------------------------------------------- +`--no-assertions` | ignore user assertions +`--bounds-check` | add array bounds checks +`--div-by-zero-check` | add division by zero checks +`--pointer-check` | add pointer checks +`--signed-overflow-check` | add arithmetic over- and underflow checks +`--unsigned-overflow-check` | add arithmetic over- and underflow checks +`--undefined-shift-check` | add range checks for shift distances +`--nan-check` | add floating-point NaN checks +`--uninitialized-check` | add checks for uninitialized locals (experimental) +`--error-label label` | check that given label is unreachable + +\subsection man_instrumentation-api The CPROVER API Reference + +The following sections summarize the functions available to programs +that are passed to the CPROVER tools. + +### Functions + +#### \_\_CPROVER\_assume, \_\_CPROVER\_assert, assert + + void __CPROVER_assume(_Bool assumption); + void __CPROVER_assert(_Bool assertion, const char *description); + void assert(_Bool assertion); + +The function **\_\_CPROVER\_assume** adds an expression as a constraint +to the program. If the expression evaluates to false, the execution +aborts without failure. More detail on the use of assumptions is in the +section on [Assumptions and Assertions](modeling-assertions.shtml). + +#### \_\_CPROVER\_same\_object, \_\_CPROVER\_POINTER\_OBJECT, \_\_CPROVER\_POINTER\_OFFSET, \_\_CPROVER\_DYNAMIC\_OBJECT + + _Bool __CPROVER_same_object(const void *, const void *); + unsigned __CPROVER_POINTER_OBJECT(const void *p); + signed __CPROVER_POINTER_OFFSET(const void *p); + _Bool __CPROVER_DYNAMIC_OBJECT(const void *p); + +The function **\_\_CPROVER\_same\_object** returns true if the two +pointers given as arguments point to the same object. The function +**\_\_CPROVER\_POINTER\_OFFSET** returns the offset of the given pointer +relative to the base address of the object. The function +**\_\_CPROVER\_DYNAMIC\_OBJECT** returns true if the pointer passed as +arguments points to a dynamically allocated object. + +#### \_\_CPROVER\_is\_zero\_string, \_\_CPROVER\_zero\_string\_length, \_\_CPROVER\_buffer\_size + + _Bool __CPROVER_is_zero_string(const void *); + __CPROVER_size_t __CPROVER_zero_string_length(const void *); + __CPROVER_size_t __CPROVER_buffer_size(const void *); + +#### \_\_CPROVER\_initialize + + void __CPROVER_initialize(void); + +The function **\_\_CPROVER\_initialize** computes the initial state of +the program. It is called prior to calling the main procedure of the +program. + +#### \_\_CPROVER\_input, \_\_CPROVER\_output + + void __CPROVER_input(const char *id, ...); + void __CPROVER_output(const char *id, ...); + +The functions **\_\_CPROVER\_input** and **\_\_CPROVER\_output** are +used to report an input or output value. Note that they do not generate +input or output values. The first argument is a string constant to +distinguish multiple inputs and outputs (inputs are typically generated +using nondeterminism, as described [here](modeling-nondet.shtml)). The +string constant is followed by an arbitrary number of values of +arbitrary types. + +#### \_\_CPROVER\_cover + + void __CPROVER_cover(_Bool condition); + +This statement defines a custom coverage criterion, for usage with the +[test suite generation feature](cover.shtml). + +#### \_\_CPROVER\_isnan, \_\_CPROVER\_isfinite, \_\_CPROVER\_isinf, \_\_CPROVER\_isnormal, \_\_CPROVER\_sign + + _Bool __CPROVER_isnan(double f); + _Bool __CPROVER_isfinite(double f); + _Bool __CPROVER_isinf(double f); + _Bool __CPROVER_isnormal(double f); + _Bool __CPROVER_sign(double f); + +The function **\_\_CPROVER\_isnan** returns true if the double-precision +floating-point number passed as argument is a +[NaN](http://en.wikipedia.org/wiki/NaN). + +The function **\_\_CPROVER\_isfinite** returns true if the +double-precision floating-point number passed as argument is a finite +number. + +This function **\_\_CPROVER\_isinf** returns true if the +double-precision floating-point number passed as argument is plus or +minus infinity. + +The function **\_\_CPROVER\_isnormal** returns true if the +double-precision floating-point number passed as argument is a normal +number. + +This function **\_\_CPROVER\_sign** returns true if the double-precision +floating-point number passed as argument is negative. + +#### \_\_CPROVER\_abs, \_\_CPROVER\_labs, \_\_CPROVER\_fabs, \_\_CPROVER\_fabsl, \_\_CPROVER\_fabsf + + int __CPROVER_abs(int x); + long int __CPROVER_labs(long int x); + double __CPROVER_fabs(double x); + long double __CPROVER_fabsl(long double x); + float __CPROVER_fabsf(float x); + +These functions return the absolute value of the given argument. + +#### \_\_CPROVER\_array\_equal, \_\_CPROVER\_array\_copy, \_\_CPROVER\_array\_set + + _Bool __CPROVER_array_equal(const void array1[], const void array2[]); + void __CPROVER_array_copy(const void dest[], const void src[]); + void __CPROVER_array_set(const void dest[], value); + +The function **\_\_CPROVER\_array\_equal** returns true if the values +stored in the given arrays are equal. The function +**\_\_CPROVER\_array\_copy** copies the contents of the array **src** to +the array **dest**. The function **\_\_CPROVER\_array\_set** initializes +the array **dest** with the given value. + +#### Uninterpreted Functions + +Uninterpreted functions are documented \ref man_modelling-nondet "here". + +### Predefined Types and Symbols + +#### \_\_CPROVER\_bitvector + + __CPROVER_bitvector [ expression ] + +This type is only available in the C frontend. It is used to specify a +bit vector with arbitrary but fixed size. The usual integer type +modifiers **signed** and **unsigned** can be applied. The usual +arithmetic promotions will be applied to operands of this type. + +#### \_\_CPROVER\_floatbv + + __CPROVER_floatbv [ expression ] [ expression ] + +This type is only available in the C frontend. It is used to specify an +IEEE-754 floating point number with arbitrary but fixed size. The first +parameter is the total size (in bits) of the number, and the second is +the size (in bits) of the mantissa, or significand (not including the +hidden bit, thus for single precision this should be 23). + +#### \_\_CPROVER\_fixedbv + + __CPROVER_fixedbv [ expression ] [ expression ] + +This type is only available in the C frontend. It is used to specify a +fixed-point bit vector with arbitrary but fixed size. The first +parameter is the total size (in bits) of the type, and the second is the +number of bits after the radix point. + +#### \_\_CPROVER\_size\_t + +The type of sizeof expressions. + +#### \_\_CPROVER\_rounding\_mode + + extern int __CPROVER_rounding_mode; + +This variable contains the IEEE floating-point arithmetic rounding mode. + +#### \_\_CPROVER\_constant\_infinity\_uint + +This is a constant that models a large unsigned integer. + +#### \_\_CPROVER\_integer, \_\_CPROVER\_rational + +**\_\_CPROVER\_integer** is an unbounded, signed integer type. +**\_\_CPROVER\_rational** is an unbounded, signed rational number type. + +#### \_\_CPROVER\_memory + + extern unsigned char __CPROVER_memory[]; + +This array models the contents of integer-addressed memory. + +#### \_\_CPROVER::unsignedbv<N> (C++ only) + +This type is the equivalent of **unsigned \_\_CPROVER\_bitvector\[N\]** +in the C++ front-end. + +#### \_\_CPROVER::signedbv<N> (C++ only) + +This type is the equivalent of **signed \_\_CPROVER\_bitvector\[N\]** in +the C++ front-end. + +#### \_\_CPROVER::fixedbv<N> (C++ only) + +This type is the equivalent of **\_\_CPROVER\_fixedbv\[N,m\]** in the +C++ front-end. + +### Concurrency + +Asynchronous threads are created by preceding an instruction with a +label with the prefix **\_\_CPROVER\_ASYNC\_**. + +\subsection man_goto-cc-linux goto-cc: Extracting Models from the Linux Kernel + +The Linux kernel code consists of more than 11 million lines of +low-level C and is frequently used to evaluate static analysis +techniques. In the following, we show how to extract models from Linux +2.6.39. + +1. First of all, you will need to make sure you have around 100 GB of + free disc space available. + +2. Download the Kernel sources at + . + +3. Now do + +   `bunzip2 linux-2.6.39.tar.bz2`\ +   `tar xvf linux-2.6.39.tar`\ +   `cd linux-2.6.39` + +4. Now ensure that you can actually compile a kernel by doing + +   `make defconfig`\ +   `make` + + These steps need to succeed before you can try to extract models + from the kernel. + +5. Now compile [gcc-wrap.c](gcc-wrap.c) and put the resulting binary + into a directory that is in your PATH variable: + +   `lwp-download http://www.cprover.org/cprover-manual/gcc-wrap.c`\ +   `gcc gcc-wrap.c -o gcc-wrap`\ +   `cp gcc-wrap ~/bin/`\ + + This assumes that the directory `~/bin` exists and is in your + PATH variable. + +6. Now change the variable CC in the kernel Makefile as follows: + + CC = ~/bin/gcc-wrap + +7. Now do + +   make clean +   make + + This will re-compile the kernel, but this time retaining the + preprocessed source files. + +8. You can now compile the preprocessed source files with goto-cc as + follows: + + find ./ -name .tmp_*.i > source-file-list + for a in `cat source-file-list` ; do +   goto-cc -c $a -o $a.gb + done + + Note that it is important that the word-size of the kernel + configuration matches that of goto-cc. Otherwise, compile-time + assertions will fail, generating the error message "bit field size + is negative". For a kernel configured for a 64-bit word-width, pass + the option --64 to goto-cc. + +The resulting `.gb` files can be passed to any of the CPROVER tools. + +\subsection man_goto-cc-apache goto-cc: Extracting Models from the Apache HTTPD + +The [Apache HTTPD](http://httpd.apache.org/) is still the most +frequently used web server. Together with the relevant libraries, it +consists of around 0.4 million lines of C code. In the following, we +show how to extract models from Apache HTTPD 2.4.2. + +1. First of all, we download the sources of Apache HTTPD and two + supporting libraries and uncompress them: + + lwp-download http://www.mirrorservice.org/sites/ftp.apache.org/apr/apr-1.4.6.tar.bz2 + lwp-download http://www.mirrorservice.org/sites/ftp.apache.org/apr/apr-util-1.4.1.tar.bz2 + lwp-download http://mirror.catn.com/pub/apache/httpd/httpd-2.4.2.tar.bz2 + bunzip2 < apr-1.4.6.tar.bz2 | tar x + bunzip2 < apr-util-1.4.1.tar.bz2 | tar x + bunzip2 < httpd-2.4.2.tar.bz2 | tar x + +2. Now compile [gcc-wrap.c](gcc-wrap.c) and put the resulting binary + into a directory that is in your PATH variable: + + lwp-download http://www.cprover.org/cprover-manual/gcc-wrap.c + gcc gcc-wrap.c -o gcc-wrap + cp gcc-wrap ~/bin/ + + This assumes that the directory `~/bin` exists and is in your + PATH variable. + +3. We now build the sources with gcc: + + (cd apr-1.4.6; ./configure; make CC=gcc-wrap) + (cd apr-util-1.4.1; ./configure --with-apr=../apr-1.4.6 ; make CC=gcc-wrap) + (cd httpd-2.4.2; ./configure --with-apr=../apr-1.4.6 --with-apr-util=../apr-util-1.4.1 ; make CC=gcc-wrap) + +4. You can now compile the preprocessed source files with goto-cc as + follows: + + find ./ -name *.i > source-file-list + for a in `cat source-file-list` ; do +   goto-cc -c $a -o $a.gb + done + +The resulting `.gb` files can be passed to any of the CPROVER tools. diff --git a/doc/html-manual/api.shtml b/doc/html-manual/api.shtml deleted file mode 100644 index 77b7edc1ae..0000000000 --- a/doc/html-manual/api.shtml +++ /dev/null @@ -1,323 +0,0 @@ - - -

CPROVER Manual TOC

- -

The CPROVER API Reference

- -

-The following sections summarize the functions available to programs -that are passed to the CPROVER tools. -

- -

Functions

- -

__CPROVER_assume, __CPROVER_assert, assert

- -
- -void __CPROVER_assume(_Bool assumption);
-void __CPROVER_assert(_Bool assertion, const char *description);
-void assert(_Bool assertion); - -
- -

-The function __CPROVER_assume adds an expression as a constraint -to the program. If the expression evaluates to false, the execution -aborts without failure. More detail on the use of assumptions is -in the section on Assumptions -and Assertions. -

- -

__CPROVER_same_object, __CPROVER_POINTER_OBJECT, -__CPROVER_POINTER_OFFSET, -__CPROVER_DYNAMIC_OBJECT

- -
- -_Bool __CPROVER_same_object(const void *, const void *);
-unsigned __CPROVER_POINTER_OBJECT(const void *p);
-signed __CPROVER_POINTER_OFFSET(const void *p);
-_Bool __CPROVER_DYNAMIC_OBJECT(const void *p); - -
- -

-The function __CPROVER_same_object returns true -if the two pointers given as arguments point to the same -object. -The function __CPROVER_POINTER_OFFSET returns -the offset of the given pointer relative to the base -address of the object. -The function __CPROVER_DYNAMIC_OBJECT -returns true if the pointer passed -as arguments points to a dynamically allocated object. -

- -

__CPROVER_is_zero_string, -__CPROVER_zero_string_length, -__CPROVER_buffer_size

- -
- -_Bool __CPROVER_is_zero_string(const void *);
-__CPROVER_size_t __CPROVER_zero_string_length(const void *);
-__CPROVER_size_t __CPROVER_buffer_size(const void *); - -
- -

-

- -

__CPROVER_initialize

- -
- -void __CPROVER_initialize(void); - -
- -

-The function __CPROVER_initialize computes the initial -state of the program. It is called prior to calling the -main procedure of the program. -

- -

__CPROVER_input, __CPROVER_output

- -
- -void __CPROVER_input(const char *id, ...);
-void __CPROVER_output(const char *id, ...); - -
- -

-The functions __CPROVER_input and __CPROVER_output -are used to report an input or output value. Note that they do not generate -input or output values. The first argument is a string constant -to distinguish multiple inputs and outputs (inputs are typically -generated using nondeterminism, as described -here). -The string constant is followed by an arbitrary number of values of -arbitrary types. -

- -

__CPROVER_cover

- -
- -void __CPROVER_cover(_Bool condition); - -
- -

This statement defines a custom coverage criterion, for usage -with the test suite generation feature.

- -

-

- -

__CPROVER_isnan, __CPROVER_isfinite, __CPROVER_isinf, -__CPROVER_isnormal, __CPROVER_sign

- -
- -_Bool __CPROVER_isnan(double f);
-_Bool __CPROVER_isfinite(double f);
-_Bool __CPROVER_isinf(double f);
-_Bool __CPROVER_isnormal(double f);
-_Bool __CPROVER_sign(double f); - -
- -

-The function __CPROVER_isnan returns true if the double-precision -floating-point number passed as argument is a -NaN. -

- -

-The function __CPROVER_isfinite returns true if the double-precision -floating-point number passed as argument is a -finite number. -

- -

-This function __CPROVER_isinf returns true if the double-precision -floating-point number passed as argument is plus -or minus infinity. -

- -

-The function __CPROVER_isnormal returns true if the double-precision -floating-point number passed as argument is a -normal number. -

- -

-This function __CPROVER_sign returns true if the double-precision -floating-point number passed as argument is -negative. -

- -

__CPROVER_abs, __CPROVER_labs, __CPROVER_fabs, __CPROVER_fabsl, __CPROVER_fabsf

- -
- -int __CPROVER_abs(int x);
-long int __CPROVER_labs(long int x);
-double __CPROVER_fabs(double x);
-long double __CPROVER_fabsl(long double x);
-float __CPROVER_fabsf(float x); - -
- -

-These functions return the absolute value of the given -argument. -

- -

__CPROVER_array_equal, __CPROVER_array_copy, __CPROVER_array_set

- -
- -_Bool __CPROVER_array_equal(const void array1[], const void array2[]);
-void __CPROVER_array_copy(const void dest[], const void src[]);
-void __CPROVER_array_set(const void dest[], value); - -
- -

-The function __CPROVER_array_equal returns true if the values -stored in the given arrays are equal. -The function __CPROVER_array_copy copies the contents of -the array src to the array dest. -The function __CPROVER_array_set initializes the array dest with -the given value. -

- -

Uninterpreted Functions

- -

-Uninterpreted functions are documented here. -

- -

Predefined Types and Symbols

- -

__CPROVER_bitvector

- -
- -__CPROVER_bitvector [ expression ] - -
- -

-This type is only available in the C frontend. It is used -to specify a bit vector with arbitrary but fixed size. The -usual integer type modifiers signed and unsigned -can be applied. The usual arithmetic promotions will be -applied to operands of this type. -

- -

__CPROVER_floatbv

- -
- -__CPROVER_floatbv [ expression ] [ expression ] - -
- -

-This type is only available in the C frontend. It is used -to specify an IEEE-754 floating point number with arbitrary -but fixed size. The first parameter is the total size (in bits) -of the number, and the second is the size (in bits) of the -mantissa, or significand (not including the hidden bit, thus for -single precision this should be 23). -

- -

__CPROVER_fixedbv

- -
- -__CPROVER_fixedbv [ expression ] [ expression ] - -
- -

-This type is only available in the C frontend. It is used -to specify a fixed-point bit vector with arbitrary -but fixed size. The first parameter is the total size (in bits) -of the type, and the second is the number of bits after the radix -point. -

- -

__CPROVER_size_t

- -

-The type of sizeof expressions. -

- -

__CPROVER_rounding_mode

- -
- -extern int __CPROVER_rounding_mode; - -
- -

-This variable contains the IEEE floating-point -arithmetic rounding mode. -

- -

__CPROVER_constant_infinity_uint

- -

-This is a constant that models a large unsigned -integer. -

- -

__CPROVER_integer, __CPROVER_rational

- -

-__CPROVER_integer is an unbounded, signed integer type. -__CPROVER_rational is an unbounded, signed rational -number type. -

- -

__CPROVER_memory

- -
- -extern unsigned char __CPROVER_memory[]; - -
- -

-This array models the contents of integer-addressed memory. -

- -

__CPROVER::unsignedbv<N> (C++ only)

- -

This type is the equivalent of unsigned __CPROVER_bitvector[N] in the C++ front-end. -

- -

__CPROVER::signedbv<N> (C++ only)

- -

This type is the equivalent of signed __CPROVER_bitvector[N] in the C++ front-end. -

- -

__CPROVER::fixedbv<N> (C++ only)

- -

This type is the equivalent of __CPROVER_fixedbv[N,m] in the C++ front-end. -

- -

Concurrency

- -

-Asynchronous threads are created by preceding an instruction with a label with the prefix __CPROVER_ASYNC_. -

- - diff --git a/doc/html-manual/architecture.shtml b/doc/html-manual/architecture.shtml deleted file mode 100644 index 18ef3e0b1f..0000000000 --- a/doc/html-manual/architecture.shtml +++ /dev/null @@ -1,93 +0,0 @@ - - -

CPROVER Manual TOC

- -

Build Systems and Libraries

- -

Architectural Settings

- -

The behavior of a C/C++ program depends on a number of -parameters that are specific to the architecture the program was compiled -for. The three most important architectural parameters are:

- -
    -
  • The width of the various scalar types; e.g., compare the value -of sizeof(long int) on various machines.
    • - -
  • The width of pointers; e.g., compare the value -of sizeof(int *) on various machines.
    • - -
  • The endianness -of the architecture.
    • -
- -

-In general, the CPROVER tools attempt to adopt the settings of the -particular architecture the tool itself was compiled for. For example, -when running a 64 bit binary of CBMC on Linux, the program will be processed -assuming that sizeof(long int)==8.

- -

-As a consequence of these architectural parameters, -you may observe different verification results for an identical -program when running CBMC on different machines. In order to get -consistent results, or when aiming at validating a program written -for a different platform, the following command-line arguments can -be passed to the CPROVER tools:

- -
    -
  • The word-width can be set with --16, ---32, --64.
    • -
  • The endianness can be defined with ---little-endian and --big-endian.
    • -
- -

-When using a goto binary, CBMC and the other tools read the configuration -from the binary, i.e., the setting when running goto-cc is the one that -matters; the option given to the model checker is ignored in this case. -

- -

-In order to see the effect of the options --16, ---32 and --64, pass -the following program to CBMC:

- -
- -#include <stdio.h>
-#include <assert.h>
-
-int main() {
-  printf("sizeof(long int): %d\n", (int)sizeof(long int));
-  printf("sizeof(int *): %d\n", (int)sizeof(int *));
-  assert(0);
-} - -
- -

-The counterexample trace contains the strings printed by the -printf command.

- -

-The effects of endianness are -more subtle. Try the following program with --big-endian -and --little-endian:

- -
-

-#include <stdio.h>

-#include <assert.h>

-

-int main() {

-  int i=0x01020304;

-  char *p=(char *)&i;

-  printf("Bytes of i: %d, %d, %d, %d\n",

-         p[0], p[1], p[2], p[3]);

-  assert(0);

-}
-
-
- - diff --git a/doc/html-manual/cbmc-loops.shtml b/doc/html-manual/cbmc-loops.shtml deleted file mode 100644 index da4df1eaee..0000000000 --- a/doc/html-manual/cbmc-loops.shtml +++ /dev/null @@ -1,233 +0,0 @@ - - - - - - -

CPROVER Manual TOC

- -

CBMC: Bounded Model Checking for C/C++ and Java

- -

Understanding Loop Unwinding

- -

Iteration-based Unwinding

- -

-The basic idea of CBMC is to model the computation of the programs up to a -particular depth. Technically, this is achieved by a process that -essentially amounts to unwinding loops. This concept is best -illustrated with a generic example: -

- -
int main(int argc, char **argv) {
-  while(cond) {
-    BODY CODE
-  }
-}
-
- -

-A BMC instance that will find bugs with up to five iterations of the loop would -contain five copies of the loop body, and essentially corresponds to checking -the following loop-free program: -

- -
int main(int argc, char **argv) {
-  if(cond) {
-    BODY CODE COPY 1
-    if(cond) {
-      BODY CODE COPY 2
-      if(cond) {
-        BODY CODE COPY 3
-        if(cond) {
-          BODY CODE COPY 4
-          if(cond) {
-            BODY CODE COPY 5
-          }
-        }
-      }
-    }
-  }
-}
-
- -

-Note the use of the if statement to prevent the execution of -the loop body in the case that the loop ends before five iterations are executed. -The construction above is meant to produce a program that is trace equivalent -with the original programs for those traces that contain up to five iterations -of the loop. -

- -

-In many cases, CBMC is able to automatically determine an upper bound on the - -number of loop iterations. This may even work when the number of loop -unwindings is not constant. Consider the following example: -

- -
_Bool f();
-
-int main() {
-  for(int i=0; i<100; i++) {
-    if(f()) break;
-  }
-  
-  assert(0);
-}
-
- -

-The loop in the program above has an obvious upper bound on the number of -iterations, but note that the loop may abort prematurely depending on the -value that is returned by f(). CBMC is nevertheless able to -automatically unwind the loop to completion.

- -

-This automatic detection of the unwinding -bound may fail if the number of loop iterations is highly data-dependent. -Furthermore, the number of iterations that are executed by any given -loop may be too large or may simply be unbounded. For this case, -CBMC offers the command-line option --unwind B, where -B denotes a number that corresponds to the maximal number -of loop unwindings CBMC performs on any loop. -

- -

-Note that the number of unwindings is measured by counting the number of -backjumps. In the example above, note that the condition -i<100 is in fact evaluated 101 times before the loop -terminates. Thus, the loop requires a limit of 101, and not 100.

- -

Setting Separate Unwinding Limits

- -

-The setting given with --unwind is used globally, -that is, for all loops in the program. In order to set individual -limits for the loops, first use -

- - -  --show-loops - - -

-to obtain a list of all loops in the program. Then identify the loops -you need to set a separate bound for, and note their loop ID. Then -use -

- - -  --unwindset L:B,L:B,... - - -

-where L denotes a loop ID and B denotes -the bound for that loop.

- -

-As an example, consider a program with two loops in the function -main: -

- - -  --unwindset c::main.0:10,c::main.1:20 - - -

-This sets a bound of 10 for the first loop, and a bound of 20 for -the second loop. -

- -

-What if the number of unwindings specified is too small? In this case, bugs -that require paths that are deeper may be missed. In order to address this -problem, CBMC can optionally insert checks that the given unwinding bound is -actually sufficiently large. These checks are called unwinding -assertions, and are enabled with the option ---unwinding-assertions. Continuing the generic example above, -this unwinding assertion for a bound of five corresponds to checking the -following loop-free program: -

- -
int main(int argc, char **argv) {
-  if(cond) {
-    BODY CODE COPY 1
-    if(cond) {
-      BODY CODE COPY 2
-      if(cond) {
-        BODY CODE COPY 3
-        if(cond) {
-          BODY CODE COPY 4
-          if(cond) {
-            BODY CODE COPY 5
-            assert(!cond);
-          }
-        }
-      }
-    }
-  }
-}
-
- -

-The unwinding assertions can be verified just like any other generated -assertion. If all of them are proven to hold, the given loop bounds are -sufficient for the program. This establishes a high-level -worst-case execution time (WCET). -

- -

-In some cases, it is desirable to cut off very deep loops in favor -of code that follows the loop. As an example, consider the -following program: -

- -
int main() {
-  for(int i=0; i<10000; i++) {
-    BODY CODE
-  }
-  
-  assert(0);
-}
-
- -

-In the example above, small values of --unwind will -prevent that the assertion is reached. If the code in the loop -is considered irrelevant to the later assertion, use the option -

- - -  --partial-loops - - -

-This option will allow paths that execute loops only partially, -enabling a counterexample for the assertion above even for -small unwinding bounds. The disadvantage of using this option -is that the resulting path may be spurious, i.e., may not -exist in the original program. -

- -

Depth-based Unwinding

- -

-The loop-based unwinding bound is not always appropriate. In particular, -it is often difficult to control the size of the generated formula -when using the --unwind option. The option -

- - -  --depth nr - - -

-specifies an unwinding bound in terms of the number of instructions that are -executed on a given path, irrespectively of the number of loop iterations. -Note that CBMC uses the number of instructions in the control-flow graph -as the criterion, not the number of instructions in the source code. -

- - diff --git a/doc/html-manual/cbmc.shtml b/doc/html-manual/cbmc.shtml deleted file mode 100644 index a52f39a90f..0000000000 --- a/doc/html-manual/cbmc.shtml +++ /dev/null @@ -1,377 +0,0 @@ - - - - - - -

CPROVER Manual TOC

- -

CBMC: Bounded Model Checking for C/C++ and Java

- -

A Short Tutorial

- -

First Steps

- -

-We assume you have already installed CBMC and the necessary support files -on your system. If not so, please follow -these instructions. -

- -

-Like a compiler, CBMC takes the names of .c files as command line -arguments. CBMC then translates the program and merges the function -definitions from the various .c files, just like a linker. But instead -of producing a binary for execution, CBMC performs symbolic simulation on -the program. -

- -

-As an example, consider the following simple program, named -file1.c: -

- -
int puts(const char *s) { }
-
-int main(int argc, char **argv) {
-  puts(argv[2]);
-}
-
- -

-Of course, this program is faulty, as the argv array might have fewer -than three elements, and then the array access argv[2] is out of bounds. -Now, run CBMC as follows: -

- - -  cbmc file1.c --show-properties --bounds-check --pointer-check - - -

The two options --bounds-check and --pointer-check -instruct CBMC to look for errors related to pointers and array bounds. -CBMC will print the list of properties it checks. Note that it lists, -among others, a property labeled with "object bounds in argv" together with -the location of the faulty array access. As you can see, CBMC largely -determines the property it needs to check itself. This is realized by means -of a preliminary static analysis, which relies on computing a fixed point on -various abstract -domains. More detail on automatically generated properties is provided -here.

- -

-Note that these automatically generated properties need not necessarily -correspond to bugs – these are just potential flaws, as -abstract interpretation might be imprecise. Whether these properties -hold or correspond to actual bugs needs to be determined by further analysis. -

- -

-CBMC performs this analysis using symbolic simulation, which -corresponds to a translation of the program into a formula. The formula is -then combined with the property. Let's look at the formula that is -generated by CBMC's symbolic simulation:

- - -  cbmc file1.c --show-vcc --bounds-check --pointer-check - - -

-With this option, CBMC performs the symbolic simulation and prints the -verification conditions on the screen. A verification condition needs -to be proven to be valid by a -decision procedure in order to assert that the corresponding property -holds. Let's run the decision procedure:

- - -  cbmc file1.c --bounds-check --pointer-check - - -

-CBMC transforms the equation you have seen before into CNF and passes it to -a SAT solver (more background on this step is in the book on Decision Procedures). It -then determines which of the properties that it has generated for the -program hold and which do not. Using the SAT solver, CBMC detects that the -property for the object bounds of argv does not hold, and will -thus print a line as follows: -

- - -[main.pointer_dereference.6] dereference failure: object bounds in argv[(signed long int)2]: FAILURE - - -

Counterexample Traces

- -

-Let us have a closer look at this property and why it fails. To aid the -understanding of the problem, CBMC can generate a counterexample -trace for failed properties. To obtain this trace, run -

- - -  cbmc file1.c --bounds-check --trace - - -

-CBMC then prints a counterexample trace, i.e., a program trace that begins -with main and ends in a state which violates the property. In -our example, the program trace ends in the faulty array access. It also -gives the values the input variables must have for the bug to occur. In -this example, argc must be one to trigger the out-of-bounds -array access. If you add a branch to the example that requires that -argc>=3, the bug is fixed and CBMC will report that the -proofs of all properties have been successful.

- -

Verifying Modules

- -

-In the example above, we used a program that starts with a main -function. However, CBMC is aimed at embedded software, and these -kinds of programs usually have different entry points. Furthermore, CBMC -is also useful for verifying program modules. Consider the following example, -called file2.c: -

- -
int array[10];
-int sum() {
-  unsigned i, sum;
-
-  sum=0;
-  for(i=0; i<10; i++)
-    sum+=array[i];
-}
-
- -

-In order to set the entry point to the sum function, run -

- - -  cbmc file2.c --function sum --bounds-check - - -

-It is often necessary to build a suitable harness for the function -in order to set up the environment appropriately. -

- -

Loop Unwinding

- -

-When running the previous example, you will have noted that CBMC unwinds the -for loop in the program. As CBMC performs Bounded Model -Checking, all loops have to have a finite upper run-time bound in order to -guarantee that all bugs are found. CBMC can optionally check that enough -unwinding is performed. As an example, consider the program binsearch.c: -

- -
int binsearch(int x) {
-  int a[16];
-  signed low=0, high=16;
-
-  while(low<high) {
-    signed middle=low+((high-low)>>1);
-
-    if(a[middle]<x)
-      high=middle;
-    else if(a[middle]>x)
-      low=middle+1;
-    else // a[middle]==x
-      return middle;
-  }
-
-  return -1;
-}
-
- -

-If you run CBMC on this function, you will notice that the unwinding -does not stop on its own. The built-in simplifier is not able to determine -a run time bound for this loop. The unwinding bound has to be given as a -command line argument:

- - -  cbmc binsearch.c --function binsearch --unwind 6 --bounds-check --unwinding-assertions - - -

-CBMC verifies that verifies the array accesses are within the bounds; note -that this actually depends on the result of the right shift. In addition, -as CBMC is given the option ---unwinding-assertions, it also checks that enough -unwinding is done, i.e., it proves a run-time bound. For any lower -unwinding bound, there are traces that require more loop iterations. Thus, -CBMC will report that the unwinding assertion has failed. As usual, a counterexample -trace that documents this can be obtained with the option ---property. -

- -

Unbounded Loops

- -

-CBMC can also be used for programs with unbounded loops. In this -case, CBMC is used for bug hunting only; CBMC does not attempt to find -all bugs. The following program -(lock-example.c) is an example -of a program with a user-specified property:

- -
_Bool nondet_bool();
-_Bool LOCK = 0;
-
-_Bool lock() {
-  if(nondet_bool()) {
-    assert(!LOCK);
-    LOCK=1;
-    return 1; }
-
-  return 0;
-}
-
-void unlock() {
-  assert(LOCK);
-  LOCK=0;
-}
-
-int main() {
-  unsigned got_lock = 0;
-  int times;
-
-  while(times > 0) {
-    if(lock()) {
-      got_lock++;
-      /* critical section */
-    }
-
-    if(got_lock!=0)
-      unlock();
-
-    got_lock--;
-    times--;
-} }
-
- -

-The while loop in the main function has no -(useful) run-time bound. Thus, a bound has to be set on the amount of -unwinding that CBMC performs. There are two ways to do so: -

- -
    - -
  1. The --unwind command-line parameter can to be used to limit -the number of times loops are unwound.
    2. - -
  2. The --depth command-line parameter can be used to limit -the number of program steps to be processed.
    3. - -
- -

-Given the option --unwinding-assertions, CBMC checks whether -the arugment to --unwind is large enough to cover all program -paths. If the argument is too small, CBMC will detect that not enough -unwinding is done reports that an unwinding assertion has failed. -

- -

-Reconsider the example. For a loop unwinding bound of one, no bug is found. -But already for a bound of two, CBMC detects a trace that violates an -assertion. Without unwinding assertions, or when using the --depth -command line switch, CBMC does not prove the program correct, but it can be -helpful to find program bugs. The various command line options that CBMC -offers for loop unwinding are described in the section on -understanding loop unwinding.

- -

A Note About Compilers and the ANSI-C Library

- -

-Most C programs make use of functions provided by a library; instances are -functions from the standard ANSI-C library such as malloc or -printf. The verification of programs that use such functions -has two requirements:

- -
    - -
  1. Appropriate header files have to be provided. These header files -contain declarations of the functions that are to be used. -
    2. - -
  2. Appropriate definitions have to be provided.
    3. - -
- -

-Most C compilers come with header files for the ANSI-C library functions. -We briefly discuss how to obtain/install these library files. -

- -

Linux

- -

-Linux systems that are able to compile software are usually equipped with -the appropriate header files. Consult the documentation of your distribution -on how to install the compiler and the header files. First try to compile -some significant program before attempting to verify it. -

- -

Windows

- -

-On Microsoft Windows, CBMC is pre-configured to use the compiler that is -part of Microsoft's Visual Studio. Microsoft's -Visual Studio Community is fully featured and available for download for -free from the Microsoft webpage. Visual Studio installs the usual set of -header files together with the compiler. However, the Visual Studio -compiler requires a large set of environment variables to function -correctly. It is therefore required to run CBMC from the Visual Studio -Command Prompt, which can be found in the menu Visual Studio -Tools. -

- -

-Note that in both cases, only header files are available. CBMC only -comes with a small set of definitions, which includes functions such as -malloc. Detailed information about the built-in definitions is -here.

- -

Command Line Interface

- -

-This section describes the command line interface of CBMC. Like a C -compiler, CBMC takes the names of the .c source files as arguments. -Additional options allow to customize the behavior of CBMC. Use -cbmc --help to get a full list of the available options. -

- -

-Structured output can be obtained from CBMC using the option --xml-ui. -Any output from CBMC (e.g., counterexamples) will then use an XML -representation. -

- -
-
Further Reading
- - - -

-We also have a list of -interesting applications of CBMC.

- -
- - - diff --git a/doc/html-manual/counter.v b/doc/html-manual/counter.v deleted file mode 100644 index 4920568889..0000000000 --- a/doc/html-manual/counter.v +++ /dev/null @@ -1,10 +0,0 @@ -module top(input clk); - - reg [3:0] counter; - - initial counter=0; - - always @(posedge clk) - counter=counter+1; - -endmodule diff --git a/doc/html-manual/cover.shtml b/doc/html-manual/cover.shtml deleted file mode 100644 index 3665121f0b..0000000000 --- a/doc/html-manual/cover.shtml +++ /dev/null @@ -1,276 +0,0 @@ - - - - - - -

CPROVER Manual TOC

- -

Automatic Test Suite Generation with CBMC

- -

A Small Tutorial with A Case Study

- -

-We assume that CBMC is installed on your system. If not so, follow -these instructions.

- -

-CBMC can be used to automatically generate test cases that satisfy a certain code coverage -criterion. Common coverage criteria include branch coverage, condition -coverage and Modified -Condition/Decision Coverage (MC/DC). Among others, MC/DC is required -by several avionics software development guidelines to ensure adequate testing -of safety critical software. Briefly, in order to satisfy MC/DC, -for every conditional statement containing boolean decisions, each Boolean -variable should be evaluated one time to "true" and one time to "false", -in a way that affects the outcome of the decision. -

- -

-In the following, we are going to demonstrate how to apply the test suite -generation functionality in CBMC, by means of a case study. The program -pid.c is an excerpt from a real-time embedded benchmark PapaBench, -and implements part of a fly-by-wire autopilot for an Unmanned Aerial Vehicle (UAV). -It is adjusted mildly for our purposes. -

- -

-The aim of function climb_pid_run is to control the vertical climb of the UAV. -Details on the theory behind this operation are documented in the wiki for the Paparazzi UAV project. -The behaviour of this simple controller, supposing that the desired speed is 0.5 meters per second, -is plotted in the Figure below. -

- -
- -The pid controller - -
- -
01: // CONSTANTS:
-02: #define MAX_CLIMB_SUM_ERR 10
-03: #define MAX_CLIMB 1
-04:
-05: #define CLOCK 16
-06: #define MAX_PPRZ (CLOCK*600)
-07:
-08: #define CLIMB_LEVEL_GAZ 0.31
-09: #define CLIMB_GAZ_OF_CLIMB 0.75
-10: #define CLIMB_PITCH_OF_VZ_PGAIN 0.05
-11: #define CLIMB_PGAIN -0.03
-12: #define CLIMB_IGAIN 0.1
-13:
-14: const float pitch_of_vz_pgain=CLIMB_PITCH_OF_VZ_PGAIN;
-15: const float climb_pgain=CLIMB_PGAIN;
-16: const float climb_igain=CLIMB_IGAIN;
-17: const float nav_pitch=0;
-18:
-19: /** PID function INPUTS */
-20: // The user input: target speed in vertical direction
-21: float desired_climb;
-22: // Vertical speed of the UAV detected by GPS sensor
-23: float estimator_z_dot;
-24:
-25: /** PID function OUTPUTS */
-26: float desired_gaz;
-27: float desired_pitch;
-28:
-29: /** The state variable: accumulated error in the control */
-30: float climb_sum_err=0;
-31:
-32: /** Computes desired_gaz and desired_pitch */
-33: void climb_pid_run() 
-34: {
-35:
-36:   float err=estimator_z_dot-desired_climb;
-37:
-38:   float fgaz=climb_pgain*(err+climb_igain*climb_sum_err)+CLIMB_LEVEL_GAZ+CLIMB_GAZ_OF_CLIMB*desired_climb;
-39:
-40:   float pprz=fgaz*MAX_PPRZ;
-41:   desired_gaz=((pprz>=0 && pprz<=MAX_PPRZ) ? pprz : (pprz>MAX_PPRZ ? MAX_PPRZ : 0));
-42:
-43:   /** pitch offset for climb */
-44:   float pitch_of_vz=(desired_climb>0) ? desired_climb*pitch_of_vz_pgain : 0;
-45:   desired_pitch=nav_pitch+pitch_of_vz;
-46:
-47:   climb_sum_err=err+climb_sum_err;
-48:   if (climb_sum_err>MAX_CLIMB_SUM_ERR) climb_sum_err=MAX_CLIMB_SUM_ERR;
-49:   if (climb_sum_err<-MAX_CLIMB_SUM_ERR) climb_sum_err=-MAX_CLIMB_SUM_ERR;
-50:
-51: }
-52:
-53: int main()
-54: {
-55:
-56:   while(1)
-57:   {
-58:     /** Non-deterministic input values */ 
-59:     desired_climb=nondet_float();
-60:     estimator_z_dot=nondet_float();
-61:
-62:     /** Range of input values */ 
-63:     __CPROVER_assume(desired_climb>=-MAX_CLIMB && desired_climb<=MAX_CLIMB);
-64:     __CPROVER_assume(estimator_z_dot>=-MAX_CLIMB && estimator_z_dot<=MAX_CLIMB);
-65:
-66:     __CPROVER_input("desired_climb", desired_climb);
-67:     __CPROVER_input("estimator_z_dot", estimator_z_dot);
-68:
-69:     climb_pid_run();
-70:
-71:     __CPROVER_output("desired_gaz", desired_gaz);
-72:     __CPROVER_output("desired_pitch", desired_pitch);
-73:
-74:   }
-75:
-76:   return 0;
-77: }
-
- -

-In order to test the PID controller, we construct a main control loop, -which repeatedly invokes the function climb_pid_run (line 69). -This PID function has two input variables: the desired speed desired_climb -and the estimated speed estimated_z_dot. -In the beginning of each loop iteration, values of the inputs are assigned non-deterministically. -Subsequently, the __CPROVER_assume statement in lines 63 and 64 guarantees that -both values are bounded within a valid range. -The __CPROVER_input and __CPROVER_output will help clarify the inputs -and outputs of interest for generating test suites. -

- -

-To demonstrate the automatic test suite generation in CBMC, -we call the following command and we are going to explain the command line options one by one. -

- -
cbmc pid.c --cover mcdc --unwind 6 --xml-ui
-
- -

-The option --cover mcdc specifies the code coverage criterion. -There are four conditional statements in the PID function: in line 41, line 44, -line 48 and line 49. -To satisfy MC/DC, the test suite has to meet multiple requirements. -For instance, each conditional statement needs to evaluate to true and false. -Consider the condition "pprz>=0 && pprz<=MAX_PPRZ" in line 41. CBMC -instruments three coverage goals to control the respective evaluated results of "pprz>=0" and -"pprz<=MAX_PPRZ". -We list them in below and they satisfy the MC/DC rules. -Note that MAX_PPRZ is defined as 16 * 600 in line 06 of the program. -

- -
-!(pprz >= (float)0) && pprz <= (float)(16 * 600)  id="climb_pid_run.coverage.1"
-pprz >= (float)0 && !(pprz <= (float)(16 * 600))  id="climb_pid_run.coverage.2"
-pprz >= (float)0 && pprz <= (float)(16 * 600)     id="climb_pid_run.coverage.3"
-
- -

-The "id" of each coverage goal is automatically assigned by CBMC. For every -coverage goal, a test suite (if there exists) that -satisfies such a goal is printed out in XML format, as the parameter ---xml-ui is given. Multiple coverage goals can share a -test suite, when the corresponding execution of the program satisfies all these -goals at the same time. -

- -

-In the end, the following test suites are automatically generated for testing the PID controller. -A test suite consists of a sequence of input parameters that are -passed to the PID function climb_pid_run at each loop iteration. -For example, Test 1 covers the MC/DC goal with id="climb_pid_run.coverage.1". -The complete output from CBMC is in -pid_test_suites.xml, where every test suite and the coverage goals it is for -are clearly described. - -

Test suite:
-Test 1. 
-  (iteration 1) desired_climb=-1.000000f, estimator_z_dot=1.000000f
-
-Test 2.
-  (iteration 1) desired_climb=-1.000000f, estimator_z_dot=1.000000f 
-  (iteration 2) desired_climb=1.000000f, estimator_z_dot=-1.000000f 
-
-Test 3.
-  (iteration 1) desired_climb=0.000000f, estimator_z_dot=-1.000000f
-  (iteration 2) desired_climb=1.000000f, estimator_z_dot=-1.000000f
-
-Test 4.
-  (iteration 1) desired_climb=1.000000f, estimator_z_dot=-1.000000f
-  (iteration 2) desired_climb=1.000000f, estimator_z_dot=-1.000000f
-  (iteration 3) desired_climb=1.000000f, estimator_z_dot=-1.000000f
-  (iteration 4) desired_climb=1.000000f, estimator_z_dot=-1.000000f
-  (iteration 5) desired_climb=0.000000f, estimator_z_dot=-1.000000f
-  (iteration 6) desired_climb=1.000000f, estimator_z_dot=-1.000000f
-
-Test 5.
-  (iteration 1) desired_climb=-1.000000f, estimator_z_dot=1.000000f
-  (iteration 2) desired_climb=-1.000000f, estimator_z_dot=1.000000f
-  (iteration 3) desired_climb=-1.000000f, estimator_z_dot=1.000000f
-  (iteration 4) desired_climb=-1.000000f, estimator_z_dot=1.000000f
-  (iteration 5) desired_climb=-1.000000f, estimator_z_dot=1.000000f
-  (iteration 6) desired_climb=-1.000000f, estimator_z_dot=1.000000f
-
- -

-The option --unwind 6 unwinds the loop inside the main -function body six times. In order to achieve the complete coverage on all the instrumented goals -in the PID function climb_pid_run, the loop must be unwound sufficient enough times. -For example, climb_pid_run needs to be called at least six times for evaluating the -condition climb_sum_err>MAX_CLIMB_SUM_ERR in line 48 to true. -This corresponds to the Test 5. -An introduction to the use of loop unwinding can be found -in Understanding Loop Unwinding. -

- -

-In this small tutorial, we present the automatic test suite generation -functionality of CBMC, by applying the MC/DC code coverage criterion to a -PID controller case study. In addition to --cover mcdc, other -coverage criteria like branch, decision, -path etc. are also available when calling CBMC. -

- -

Coverage Criteria

- -

-The table below summarizes the coverage criteria that CBMC supports. -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
CriterionDefinition
assertionFor every assertion, generate a test that reaches it
locationFor every location, generate a test that reaches it
branchGenerate a test for every branch outcome
decisionGenerate a test for both outcomes of every Boolean expression -that is not an operand of a propositional connective
conditionGenerate a test for both outcomes of every Boolean expression
mcdcModified Condition/Decision Coverage (MC/DC)
pathBounded path coverage
coverGenerate a test for every __CPROVER_cover statement -
- - diff --git a/doc/html-manual/cprover-source.shtml b/doc/html-manual/cprover-source.shtml deleted file mode 100644 index 29f273ceea..0000000000 --- a/doc/html-manual/cprover-source.shtml +++ /dev/null @@ -1,877 +0,0 @@ - - - - - - -

CPROVER Manual TOC

- -

The CPROVER Source Code Reference

- -

-The following sections provide an introduction for anybody who -wishes to modify CBMC or build new tools on top of the APIs used -by CBMC. They summarize key components, data structures and APIs -that are used to build the CPROVER tools. -

- -

Source Code Availability and Compilation

- -

-The most recent source code of CBMC and the CPROVER infrastructure can be obtained -via git at https://github.com/diffblue/cbmc.git. -Tar balls for releases are available at https://github.com/diffblue/cbmc/releases. -

- -

-Detailed instructions on how to build CBMC from source are given -in the file COMPILING. -

- -

Components

- -
-
From C source code file to CPROVER's IR
- -

-The sources of the C frontend are located in the "src/ansi-c" directory. It -uses a standard Flex/Bison setup for scanning and parsing the files. The -Flex scanner produces a token sequence, which is turned into a tree -representation of the input program using the Bison grammar. The -typechecker subsequently annotates this parse tree with types and generates -a symbol table. The symbol table is a map from identifiers (functions, -variables and types) to their definitions. -

- -

-The following example illustrates how to use the frontend for parsing files and -for translating them into a symbol table. A call to parse generates -the parse tree of the program. The conversion into the symbol table is -performed during type checking, which is done by a call to the -typecheck method. The symbol table is a map from identifiers to the -symbolt data structure. -

- -
#include <iostream>
-#include <fstream>
-#include <sstream>
-#include <string>
-
-#include <ansi-c/ansi_c_language.h>
-#include <util/cmdline.h>
-#include <util/config.h>
-
-int main(int argc, const char* argv[])
-{
-   // Command line: parse  -I incl_dir file1 ...
-   cmdlinet cmdl;
-   cmdl.parse(argc, argv, "I:");
-
-   config.init();
-
-   if(cmdl.isset('I'))	
-     config.ansi_c.include_paths=cmdl.get_values('I');
-
-   // Set language to C
-   std::auto_ptr<languaget> clang=new_ansi_c_language();
-
-   // Symbol table
-   symbol_tablet my_symbol_table;
-
-   for(const auto & arg : cmdl.args)
-   {
-     // Source code stream
-     std::ifstream in(arg.c_str());	
-
-     // Parse
-     clang->parse(in, "", std::cerr);
-
-     // Typecheck
-     clang->typecheck(my_symbol_table, arg, std::cerr);
-  }
-
-  // Do some final adjustements
-  clang->final(my_symbol_table, std::cerr);
-
-  my_symbol_table.show(std::cout);
-
-  return 0;
-}
-
- -

-The parse trees are implemented using a class called irept. Its -declaration and definiton can be found in the files "src/util/irep.h" and -"src/util/irep.cpp", respectively. -

- -

-The excerpt below gives some details of the class irept: -

- -
class irept
-{
-public:
-  typedef std::vector<irept> subt;
-  typedef std::map<irep_name_string, irept> named_subt;
-  ...
-
-public:
-  class dt
-  {
-  public:
-    unsigned ref_count;
-    dstring data;
-    named_subt named_sub;
-    named_subt comments;
-    subt sub;
-    ...
-  };
-
-protected:
-  dt *data;
-  ...
-};
-
- -

-Every node of any tree is an object of class irept. Each node has a -pointer to an object of class dt. The dt objects are used -for storing the actual content of nodes. Objects of class dt are -dynamically allocated and can be shared between nodes. A reference-counter -mechanism is implemented to automatically free unreachable dt -objects. A shallow copy of a tree is an O(1) operation. -

- -

-The field data of class dt is a (hashed) string -representing the label of the nodes. The fields named_sub, -comments and sub are links to childs. Edges are either -labeled with a string or ordered. The string-labeled edges are stored in the -map comments if their first character is '#'. Otherwise, they are -stored in the map named_sub. The labels of edges are unique for a -given node; however, their ordering is not preserved. The field sub -is a vector of nodes that is used for storing the ordered children. The order -of edges of this kind is preserved during copy. -

- -
-
Tree for the expression a+b with int a; char -b;.
- -

Interface of Class irept

- -
id
- -
const irep_idt &id();
-void id(const irep_idt &_data);
-
- -

-The first method returns a constant reference to the label of the node. The -second method sets the label of the node. -

- -
is_nil and is_not_nil
- -
virtual bool is_nil() const;
-virtual bool is_not_nil() const;
-
- -

-The first method returns true if the label of the node is equal to "nil". -The second method returns false if the label of the node is equal to "nil". -

- -
find, add and get
- -
const irept &find(const irep_namet &name) const;
-irept &add(const irep_namet &name);
-const irep_idt &get(const irep_namet &name) const;
-
- -
    - -
  1. The first method looks for an edge with label name -and returns the corresponding child. If no edge with label name -is found, then nil_rep is returned.
    2. - -
  2. The second method does the same as the first except that if -no edge with label name if found, then a new child is created -and returned. -
    3. - -
  3. The third method does the same as the first except that the label -of the child is returned (instead of a reference). -If no edge with label name is found, then an empty -string is returned. -
    4. - -
- -
set
- -
void set(const irep_namet &name,
-         const irep_idt &value);
-void set(const irep_namet &name, const long value);
-void set(const irep_namet &name, const irept &irep);
-
- -

-These methods create a new edge with label name. -

- -

-If the second argument is an object of class irept, then it is -assigned to the new child. - -

-If the second argument is a string, then it is set as node-label of the new child. - -

-If the second argument is a number, then it is converted to a -string and set as node-label of the new child. - -

remove
- -
void remove(const irep_namet &name);
-
- -

-This method looks for an edge with label name -and removes it. - -

move_to_sub and move_to_named_sub
- -
void move_to_sub(irept &irep);
-void move_to_named_sub(const irep_namet &name, irept &irep);
-
- -

-The first method creates a new ordered edge with a child equal to -irep. Then it sets irep to nil. The index of the -edge is equal to the size of vector sub before the call. -

- -

-The second method does the same but for labeled edges. -

- -
swap
- -
void swap(irept &irep);
-
- -

-Exchange the content of the invoked node with the one of irep. -

- -
make_nil
- -
void make_nil();
-
- -

-Set the label of the node to "nil" and remove all outgoing edges. -

- -
get_sub and get_named_sub and get_comments
- -
const subt &get_sub();
-const named_subt &get_named_sub();
-const named_subt &get_comments();
-
- -

-Return a constant reference to -sub, named_sub, and comments, respectively. -

- -

Types

- -

-The class typet inherits from irept. Types may have -subtypes. This is modeled with two edges named "subtype" and "subtypes". The -class typet only add specialized methods for accessing the subtype -information to the interface of irept. -

- -

Interface of class typet

- -
has_subtype and has_subtypes
- -
bool has_subtype() const;
-bool has_subtypes() const;
-
- -

-The first method returns true if the a subtype node exists. is not -nil. The second method returns true is a subtypes node exists. -

- -
subtype and subtypes
- -
typet &subtype();
-typest &subtypes();
-
- -

-The first method returns a reference to the 'subtype' node. -The second method returns a reference to the vector of subtypes. -

- -

Subtypes of typet

- -

-A number of subtypes of typet exist which allow convenient -creation and manipulation of typet objects for special types. -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ClassDescription
bool_typetBoolean type
symbol_typetSymbol type. Has edge "identifier" to a string value, which can be accessed with get_identifier and set_identifier.
struct_typet, union_typetRepresent a struct, resp. union types. Convenience functions to access components components().
code_typetThe type of a function/procedure. Convenience functions to access arguments() and return_type().
array_typetConvenience function size() to access size of the array.
pointer_typetPointer type, subtype stores the type of the object pointed to.
reference_typetRepresents a reference type, subtype stores the type of the object referenced to.
bv_typetRepresents a bit vector type with variable width.
fixed_bv_typetRepresents a bit vector that encodes a fixed-point number.
floatbv_typetRepresents a bit vector that encodes a floating-point number.
string_typetRepresents a string type.
- -

Source Locations

- -

-The class source_locationt inherits from the class irept. It -is used to store locations in text files. It adds specialized methods to -manipulate the edges named "file", "line", "column", "function". -

- -

Expressions

- -

-The class exprt inherits from class irept. Expressions -have operands and a type. This is modeled with ordered edges for the -operands and an edge labeled"type", respectively. The class exprt -only adds specialized methods for accessing operands and type information -to the interface of irept. -

- -
-
Representation of a binary expression
- -

Interface of class exprt

- -
constructors
- -
explicit exprt(const irep_idt &id);
-
- -

-Creates an exprt object with a given label and no type. -

- -
exprt(const irep_idt &id, const typet &type);
-
- -

-Creates an exprt object with a given label and type. -

- -
type
- -
const typet &type() const;
-typet &type();
-
- -

-Return a reference to the 'type' node -

- -
has_operands
- -
bool has_operands() const;
-
- -

-Return true if the expression has at least one operand. -

- -
operands
- -
const operandst &operands() const;
-
- -

-Return a reference to the vector of operands. -

- -
const exprt &op0();
-const exprt &op1();
-const exprt &op2();
-const exprt &op3();
-exprt &op0();
-exprt &op1();
-exprt &op2();
-exprt &op3();
-
- -

-Return a reference to a specific operand. Avoid calling -if the operand does not exist. -

- -
Constructing common expressions
- -
void make_true();
-void make_false();
-void make_bool(bool value);
-
- -

-Turn the current exprt instance into a expression of type "bool" -with label "constant" and a single edge labeled "value", which points to -a new node with label either "true" or "false". -

- -
void make_typecast(const typet &_type);
-
- -

-Turns the current exprt instance into a typecast. The old value of -the instance is appended as the single operand of the typecast, i.e., the -result is a typecast-expression of the old expression to the indicated type. -

- -
void make_not();
-
- -

-Turns the current exprt instance into an expression with label -"not" of the same type as the original expression. The old value of the -instance is appended as the operand of the "not"-node. If the original -expression is of type "bool", the result represents the negation of the -original expression with the following simplifications possibly applied: -

- -
    -
  • ¬ ¬ f = f
    • -
  • ¬ true = false
    • -
  • ¬ false = true
    • -
- -
-void negate();
-
- -

-Turns the current exprt instance into a negation of itself, depending -on its type: -

- -
    - -
  • For boolean expressions, make_not is called.
    • - -
  • For integers, the current instance is turned into a numeric negation -expression "unary-" of its old value. Chains of "unary-" nodes and -negations of integer constants are simplified.
    • - -
  • For all other types, irept::make_nil is called.
    • - -
- -
bool sum(const exprt &expr);
-bool mul(const exprt &expr);
-bool subtract(const exprt &expr);
-
- -

-Expect the "this" object and the function argument to be constants of the -same numeric type. Turn the current exprt instance into a -constant expression of the same type, whose "value" edge points to the -result of the sum, product, or difference of the two expressions. If the -operation fails for some reason (e.g., the types are different), -true is returned. -

- -
Testing common expressions
- -
bool is_constant() const;
-
- -

-Returns true if the expression label is "constant". -

- -
bool is_boolean() const;
-
- -

-Returns true if the label of the type is "bool". - -

bool is_false() const;
-bool is_true() const;
-
- -

-The first function returns true if the expression is a boolean constant with -value "false". The second function returns true for any boolean constant -that is not of value "false". -

- -
bool is_zero() const;
-bool is_one() const;
-
- -

-The first function returns true if the expression represents a zero numeric -constant, or if the expression represents a null pointer. The second -function returns true if the expression represents a numeric constant with -value "1". -

- -

Subtypes of exprt

- -

-A number of subtypes of exprt provide further convenience functions -for edge access or other specialized behaviour: -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ClassDescription
transtRepresents an SMV-style transition system with invariants -invar(), initial state init() and transition -function trans().
true_exprtBoolean constant true expression.
false_exprtBoolean constant false expression.
symbol_exprtRepresents a symbol (e.g., a variable occurrence), convenience function for manipulating "identifier"-edge set_identifier and get_identifier
predicate_exprtConvenience constructors to create expressions of type "bool".
binary_relation_exprt : predicate_exprtConvenience functions to create and manipulate binary expressions of type "bool".
equality_exprt : binary_relation_exprtConvenience functions to create and manipulate equality expressions such as "a == b".
ieee_float_equal_exprt : binary_relation_exprtConvenience functions to create and manipulate equality expressions between floating-point numbers. -
index_exprtRepresents an array access expression such as "a[i]". Convenience functions array() and index() for accessing the array expressions and indexing expression.
typecast_exprtRepresents a cast to the type of the expression.
-and_exprt, -implies_exprt, -or_exprt, -not_exprtRepresentations of logical operators with convenience constructors.
address_of_exprtRepresentation of a C-style &a address-of operation. Convenience function object() for accessing operand.
dereference_exprtRepresentation of a C-style *a pointer-dereference operation. Convenience function object() for accessing operand.
if_exprtRepresentation of a conditional expresion, with convenience functions cond(), true_case() and false_case() for accessing operands.
member_exprtRepresents a some_struct.some_field member access.
codetRepresents a segment of code.
- -

Symbols and the Symbol Table

- -

Symbol

- -

-A symbol is an object of class symbolt. This class -is declared in "util/symbol.h". The code below shows a partial -declaration of the interface: -

- -
class symbolt
-{
-public:
-  typet type;
-  exprt value;
-  std::string name;
-  std::string base_name;
-  ...
-};
-
- -

-Symbol names are unique. Scopes are handled by adding prefixes -to symbols: -

- -
int main(int argc, char* argv[]) {
-	
-	               // Symbol name: c::main::0::alice
-   char alice = 0;     // Symbol base: alice
-   
-   {
-	               // Symbol name: c::main::1::alice
-       int alice = 0;  // Symbol base: alice
-   }
-}
- -

Symbol Table

- -

-A symbol table is an object of class contextt. This class -is declared in "util/context.h". The code below shows a partial -declaration of the interface: -

- -
class symbol_tablett
-{
-public:
-                                 // Insert the symbol
-  bool add(const symbolt &symb);
-                                 // Insert symb into the
-                                 // table and erase it.
-                                 // New_symbol points to the
-                                 // newly inserted element.
-  bool move(symbolt &symbol, symbolt *&new_symbol);
-
-                                 // Insert symb into the
-                                 // table. Then symb is erased.
-  bool move(symbolt &syb);
-
-                                 // Return the entry of the
-                                 // symbol with given name.
-  const irept &value(const std::string &name) const;
-};
-
- -

Goto Programs

- -

-Goto programs are a representation of the control flow graph of a program -that uses only guarded goto and assume statements to model non-sequential -flow. The main definition can be found in -"src/goto-programs/goto_program_template.h", which is a template class. The -concrete instantiation of the template that is used in the framework can be -found in "src/goto-programs/goto_program.h". A single instruction in a goto -program is represented by the class goto_programt::instructiont -whose definition can be found again in -"goto-programs/goto_program_template.h". -

- -

-In the class goto_programt, the control flow graph is represented -as a mixture of sequential transitions between nodes, and non-sequential -transitions at goto-nodes. The sequential flow of the program is captured -by the list instructions that is a field of the class -goto_programt. Transitions via goto statements are represented in -the list targets, which is a field of the class -goto_programt::instructiont, i.e., each goto-instruction carries a -list of possible jump destinations. The latter list targets is a -list of iterators which point to elements of the list instructions. -An illustration is given in the figure below. -

- -
-
Representation of program flow in goto_programt
- -

-Instructions can have a number of different types as represented by -enum goto_program_instruction_typet and can be accessed via the -field type in instructiont. These include: -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
GOTORepresents a non-deterministic branch to the instructions given in the -list targets. Goto statements are guarded, i.e., the -non-deterministic branch is only taken if the expression in -guard evaluates to true, otherwise the program continues -sequentially. Guarded gotos can be used, for example, to model if -statements. The guard is then set to the negated condition of the -statement, and goto target is set to bypass the conditionally executed code -if this guard evaluates to true. -
ASSUMEAn assumption statement that restricts viable paths reaching the -instruction location to the ones that make the expression guard -evaluate to true.
ASSERTAn assertion whose guard is checked for validity when the instruction is -reached.
RETURNA return statement in a function.
END_FUNCTIONDenotes the end of a function.
ASSIGNA variable assignment.
SKIPNo operation.
OTHERAny operation not covered by enum -goto_program_instruction_typet.
- -

-A number of convenience functions in instructiont, such as -is_goto(), is_assume(), etc., simplify type queries. -The following code segment gives a partial interface declaration of -goto_program_template and instructiont. -

- -
template <class codeT, class guardT>
-class goto_program_templatet
-{
-public:
-  //list of instruction type
-  typedef std::list<class instructiont> instructionst;
-
-  //a reference to an instruction in the list
-  typedef typename 
-    std::list::iterator targett;
-
-  //Sequential list of instructions, 
-  //representing sequential program flow
-  instructionst instructions;
-
-  typedef typename 
-    std::map<const_targett, unsigned> target_numberst;
-
-  //A map containing the unique number of each target
-  target_numberst target_numbers;
-
-  //Get the successors of a given instruction 
-  void get_successors(targett target, targetst &successors); 
-
-  ...
-
- 
-  class instructiont
-  {
-  public:
-    codeT code;
-    
-    //identifier of enclosing function
-    irep_idt function;
-    
-    //location in the source file
-    locationt location;
-    
-    //type of instruction?
-    goto_program_instruction_typet type;
-
-    //Guard statement for gotos, assume, assert 
-    guardT guard;
-    
-    //targets for gotos
-    targetst targets;
-   
-    //set of all predecessors (sequential, and gotos)
-    std::set<targett> incoming_edges;
-    
-    // a globally unique number to identify a 
-    // program location. It is guaranteed to be 
-    // ordered in program order within one 
-    // goto_program
-    unsigned location_number;
-    
-    // a globally unique number to identify loops
-    unsigned loop_number;
-    
-    // true if this is a goto jumping back to an 
-    // earlier instruction in the sequential program 
-    // flow
-    bool is_backwards_goto() const;
-  };
-
-}
-
- - - - - - diff --git a/doc/html-manual/footer.inc b/doc/html-manual/footer.inc deleted file mode 100644 index 3e1257f5a2..0000000000 --- a/doc/html-manual/footer.inc +++ /dev/null @@ -1,5 +0,0 @@ - - - - - diff --git a/doc/html-manual/goto-cc-apache.shtml b/doc/html-manual/goto-cc-apache.shtml deleted file mode 100644 index 2a54f1b3ae..0000000000 --- a/doc/html-manual/goto-cc-apache.shtml +++ /dev/null @@ -1,69 +0,0 @@ - - -

CPROVER Manual TOC

- -

Build Systems and Libraries

- -

Example: Extracting Models from the Apache HTTPD

- -

-The Apache HTTPD is still the most -frequently used web server. Together with the relevant libraries, it -consists of around 0.4 million lines of C code. In the following, we show -how to extract models from Apache HTTPD 2.4.2. -

- -
    - -

  1. -First of all, we download the sources of Apache HTTPD and two supporting -libraries and uncompress them:

    - -

    -  lwp-download http://www.mirrorservice.org/sites/ftp.apache.org/apr/apr-1.4.6.tar.bz2
    -  lwp-download http://www.mirrorservice.org/sites/ftp.apache.org/apr/apr-util-1.4.1.tar.bz2
    -  lwp-download http://mirror.catn.com/pub/apache/httpd/httpd-2.4.2.tar.bz2
    -
    -  bunzip2 < apr-1.4.6.tar.bz2 | tar x
    -  bunzip2 < apr-util-1.4.1.tar.bz2 | tar x
    -  bunzip2 < httpd-2.4.2.tar.bz2 | tar x -

    2. - -

  2. Now compile -gcc-wrap.c and put the resulting binary -into a directory that is in your PATH variable:

    -

    -  lwp-download http://www.cprover.org/cprover-manual/gcc-wrap.c
    -  gcc gcc-wrap.c -o gcc-wrap
    -  cp gcc-wrap ~/bin/
    -

    -

    This assumes that the directory ~/bin -exists and is in your PATH variable.

    -
    3. - -

  3. We now build the sources with gcc:

    - -

    -  (cd apr-1.4.6; ./configure; make CC=gcc-wrap)
    -  (cd apr-util-1.4.1; ./configure --with-apr=../apr-1.4.6 ; make CC=gcc-wrap)
    -  (cd httpd-2.4.2; ./configure --with-apr=../apr-1.4.6 --with-apr-util=../apr-util-1.4.1 ; make CC=gcc-wrap) -

    - -

  4. You can now compile the preprocessed -source files with goto-cc as follows:

    -

    -  find ./ -name *.i > source-file-list
    -  for a in `cat source-file-list` ; do
    -    goto-cc -c $a -o $a.gb
    -  done

    -
    5. - -
- -

-The resulting .gb files can be passed to any -of the CPROVER tools. -

- - - diff --git a/doc/html-manual/goto-cc-linux.shtml b/doc/html-manual/goto-cc-linux.shtml deleted file mode 100644 index 52ecbfb229..0000000000 --- a/doc/html-manual/goto-cc-linux.shtml +++ /dev/null @@ -1,97 +0,0 @@ - - -

CPROVER Manual TOC

- -

Build Systems and Libraries

- -

Example: Extracting Models from the Linux Kernel

- -

- -The Linux kernel code consists of more than 11 million lines of low-level C -and is frequently used to evaluate static analysis techniques. In the -following, we show how to extract models from Linux 2.6.39. -

- -
    -

  1. -First of all, you will need to make sure you have around 100 GB -of free disc space available.

    2. - -

  2. Download the Kernel sources at - -http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.39.tar.bz2 -. -

    3. - -

  3. Now do

    -

    -  bunzip2 linux-2.6.39.tar.bz2
    -  tar xvf linux-2.6.39.tar
    -  cd linux-2.6.39 -

    4. - -

  4. Now ensure that you can actually -compile a kernel by doing

    -

    -  make defconfig
    -  make

    -

    -These steps need to succeed before you can try to extract -models from the kernel. -

    5. - -

  5. Now compile -gcc-wrap.c and put the resulting binary -into a directory that is in your PATH variable:

    -

    -  lwp-download http://www.cprover.org/cprover-manual/gcc-wrap.c
    -  gcc gcc-wrap.c -o gcc-wrap
    -  cp gcc-wrap ~/bin/
    -

    -

    This assumes that the directory ~/bin -exists and is in your PATH variable.

    -
    6. - -

  6. Now change the variable CC in the kernel -Makefile as follows:

    -

    -  CC = ~/bin/gcc-wrap -

    -
    7. - -

  7. Now do

    -

    -  make clean
    -  make

    -

    -This will re-compile the kernel, but this time retaining the -preprocessed source files. -

    8. - -

  8. You can now compile the preprocessed -source files with goto-cc as follows:

    -

    -  find ./ -name .tmp_*.i > source-file-list
    -  for a in `cat source-file-list` ; do
    -    goto-cc -c $a -o $a.gb
    -  done

    - -

    Note that it is important that the -word-size of the kernel configuration matches that of goto-cc. -Otherwise, compile-time assertions will fail, generating -the error message "bit field size is negative". For a kernel -configured for a 64-bit word-width, pass the option ---64 to goto-cc.

    - -
    9. - -
- -

-The resulting .gb files can be passed to any -of the CPROVER tools. -

- - - diff --git a/doc/html-manual/goto-cc-rockbox.shtml b/doc/html-manual/goto-cc-rockbox.shtml deleted file mode 100644 index 7bae0855bf..0000000000 --- a/doc/html-manual/goto-cc-rockbox.shtml +++ /dev/null @@ -1,83 +0,0 @@ - - -

CPROVER Manual TOC

- -

Build Systems and Libraries

- -

Example: Extracting Models from the Rockbox

- -

-The Rockbox is an open-source software -package for common MP3 players, with about 1 million lines of code in total. -

- -
    -

  1. -First of all, you will need to install one of the cross-compilers. Follow -the instructions here. -

    2. - -

  2. -You will then need to check out the Rockbox sources with GIT, and -configure and compile the code. Follow -these instructions. The build must succeed. -We will assume that one of the ARM-based targets -is used, and that the ARM cross-compiler is installed -at /usr/local/bin/arm-elf-eabi-gcc. -

    3. - -

  3. Now download -gcc-wrap.c:

    -

    -  lwp-download http://www.cprover.org/cprover-manual/gcc-wrap.c
    -

    -
    4. - -

  4. Open gcc-wrap.c in your favorite editor, -and adjust the path to gcc (in the first line) to -/usr/local/bin/arm-elf-eabi-gcc (it is important that the -full path is given). -

    5. - -

  5. Now compile gcc-wrap:

    -

    -  gcc gcc-wrap.c -o gcc-wrap-arm-elf-eabi-gcc
    -  cp gcc-wrap-arm-elf-eabi-gcc ~/bin/
    -

    -

    This assumes that the directory ~/bin -exists and is in your PATH variable.

    -
    6. - -

  6. Now re-compile the Rockbox code as follows:

    -

    -  make clean
    -  make CC=gcc-wrap-arm-elf-eabi-gcc

    -

    -This will re-compile the Rockbox, but this time retaining the -preprocessed source files. -

    7. - -

  7. You can now compile the preprocessed -source files with goto-cc as follows:

    -

    -  find ./ -name \*.i > source-file-list
    -  for a in `cat source-file-list` ; do
    -    goto-cc -std=gnu99 -m32 -c $a -o $a.gb
    -  done

    - -

    Note that it is important that the -word-size of the target platform matches that of goto-cc. -For a 32-bit target, pass the option --m32 to goto-cc.

    - -
    8. - -
- -

-The resulting .gb files can be passed to any -of the CPROVER tools. -

- - - diff --git a/doc/html-manual/goto-cc-variants.shtml b/doc/html-manual/goto-cc-variants.shtml deleted file mode 100644 index a7c5844325..0000000000 --- a/doc/html-manual/goto-cc-variants.shtml +++ /dev/null @@ -1,48 +0,0 @@ - - -

CPROVER Manual TOC

- -

Build Systems and Libraries

- -

Variants of goto-cc

- -

-The goto-cc utility comes in several variants, summarised in the following table. -

- -
- - - - - - - - - - - - - - - - - - -
ExecutableEnvironmentPreprocessor
goto-ccgcc (control-flow graph only)gcc -E
goto-gccgcc ("hybrid" executable)gcc -E
goto-armccARM RVDSarmcc -E
goto-clVisual Studiocl /E
goto-cwFreescale CodeWarriormwcceppc
-
- -

- -The primary difference between the variants is the preprocessor called. -Furthermore, the language recognized varies slightly. The variants can be -obtained by simply renaming the goto-cc executable. On Linux/MacOS, the -variants can be obtained by creating a symbolic link.

- -

-The "hybrid" -executables contain both the control-flow graph for verification purposes -and the usual, executable machine code. -

- - diff --git a/doc/html-manual/goto-cc-visual-studio.shtml b/doc/html-manual/goto-cc-visual-studio.shtml deleted file mode 100644 index a7ab178e9a..0000000000 --- a/doc/html-manual/goto-cc-visual-studio.shtml +++ /dev/null @@ -1,57 +0,0 @@ - - -

CPROVER Manual TOC

- -

Build Systems and Libraries

- -

Integration into Visual Studio 2008 to 2012

- -

-Visual Studio version 2008 onwards comes with a new XML-based -build system called MSBuild. -The MSBuild system is also activated when triggering a build from the Visual Studio GUI. -The project files created by the Visual Studio GUI are used as input by the MSBuild tool. -

- -

-The MSBuild system can be used to generate goto-binaries from your Visual Studio project -as follows: -

- -
    - -

  1. -Install the goto-cl.exe and goto-link.exe binaries -in some directory that is contained in the PATH environment -variable.

    2. - -

  2. Add a configuration for the goto-cc build for your project -in the configuration manager, named "goto-cc".

    3. - -

  3. Open the Visual Studio Command Prompt (in the Tools menu).

    4. - -

  4. Locate the directory that contains the project. Change into this -directory using "CD".

    5. - -

  5. Type

    -

    - -msbuild /p:CLToolExe=goto-cl.exe /p:LinkToolExe=goto-link.exe
    -   /p:Flavor=goto-cc /p:Platform=x86 -     -

    - -

    -The platform can be adjusted as required; the "Flavor" given should match -the configuration that was created earlier. -

    6. - -
- -

-Note that the recent versions of goto-cc also support file names with -non-ASCII (Unicode) characters on Windows platforms. -

- - - diff --git a/doc/html-manual/goto-cc.shtml b/doc/html-manual/goto-cc.shtml deleted file mode 100644 index cdc3c7d340..0000000000 --- a/doc/html-manual/goto-cc.shtml +++ /dev/null @@ -1,144 +0,0 @@ - - -

CPROVER Manual TOC

- -

Build Systems and Libraries

- -

Integration into Build Systems with goto-cc

- -

-Existing software projects usually do not come in a single source file that -may simply be passed to a model checker. They rather come in a multitude of -source files in different directories and refer to external libraries and -system-wide options. A build system then collects the configuration options -from the system and compiles the software according to build rules. -

- -

-The most prevalent build tool on Unix (-based) systems surely is the -make utility. This tool uses build rules given in a -Makefile that comes with the software sources. Running software -verification tools on projects like these is greatly simplified by a -compiler that first collects all the necessary models into a single -model file. goto-cc -is such a model file extractor, which can seamlessly replace gcc -and cl.exe in Makefiles. The normal build system for the -project may be used to build the software, but the outcome will be a -model file with suitable detail for verification, as opposed to a -flat executable program. Note that goto-cc comes in different variants -depending on the compilation environment. These variants -are described here. -

- -

Example: Building wu-ftpd

- -

This example assumes a Unix-like machine.

- -
    - -

  1. Download the sources of wu-ftpd from - - here. -

    2. - -

  2. Unpack the sources by running - tar xfz wu-ftpd-current.tar.gz -

    3. - -

  3. Change to the source directory, by entering, e.g., - cd wu-ftpd-2.6.2 -

    4. - -

  4. Configure the project for verification by running -

    -
    - ./configure YACC=byacc CC=goto-cc --host=none-none-none -
    -
    5. - -

  5. Build the project by running - make. - This creates multiple model files in the src directory. Among - them is a model for the main executable ftpd. -

    6. - -

  6. Run a model-checker, e.g., CBMC, - on the model file: -

    -
    - cbmc src/ftpd -
    -

    CBMC automatically recognizes that the file -is a goto binary. -

    -
    7. - -
- -

Important Notes

- -

-More elaborate build or configuration scripts often make use of -features of the compiler or the system library to detect configuration -options automatically, e.g., in a configure script. -Replacing gcc by goto-cc at this stage may confuse the script, -or detect wrong options. For example, missing library functions do not -cause goto-cc to throw an error (only to issue a warning). Because of -this, configuration scripts sometimes falsely assume the availability -of a system function or library. -

- -

-In the case of this or similar problems, it is more advisable to -configure the project using the normal routine, and replacing the -compiler setting manually in the generated Makefiles, e.g., by -replacing lines like CC=gcc by CC=goto-cc. -

- -

-A helpful command that accomplishes this task successfully for many -projects is the following: -

- - -for i in `find . -name Makefile`; do
-  sed -e 's/^\(\s*CC[ \t]*=\)\(.*$\)/\1goto-cc/g' -i $i
-done - - -

Here are additional examples on how to use goto-cc:

- - - -

A description -of how to integrate goto-cc into Microsoft's Visual Studio -is here.

- -

Linking Libraries

- -

-Some software projects come with their own libraries; also, the goal may be -to analyze a library by itself. For this purpose it is possible to use -goto-cc to link multiple model files into a library of model files. An -object file can then be linked against this model library. For this purpose, -goto-cc also features a linker mode. -

- -

-To enable this linker mode, create a link to the goto-cc binary by the -name of goto-ld (Linux and Mac) or copy the goto-cc binary to goto-link.exe -(Windows). The goto-ld tool can now be used as a seamless replacement -for the ld tool present on most Unix (-based) systems and -for the link tool on Windows. -

- -

-The default linker may need to be replaced by goto-ld or -goto-link.exe in the build -script, which can be achieved in much the same way as replacing the compiler. -

- - diff --git a/doc/html-manual/header.inc b/doc/html-manual/header.inc deleted file mode 100644 index 4624f036f2..0000000000 --- a/doc/html-manual/header.inc +++ /dev/null @@ -1,23 +0,0 @@ - - - - - -CPROVER Manual - - - - - - -
-
- - diff --git a/doc/html-manual/highlight/CHANGES.md b/doc/html-manual/highlight/CHANGES.md deleted file mode 100644 index 38cd2733c3..0000000000 --- a/doc/html-manual/highlight/CHANGES.md +++ /dev/null @@ -1,1610 +0,0 @@ -## Version 9.11.0 - -New languages: - -- *Shell* by [Tsuyusato Kitsune][] -- *jboss-cli* by [Raphaël Parrëe][] - -Improvements: - -- [Joël Porquet] has [greatly improved the definition of *makefile*][5b3e0e6]. -- *C++* class titles are now highlighted as in other languages with classes. -- [Jordi Petit][] added rarely used `or`, `and` and `not` keywords to *C++*. -- [Pieter Vantorre][] fixed highlighting of negative floating point values. - - -[Tsuyusato Kitsune]: https://github.com/MakeNowJust -[Jordi Petit]: https://github.com/jordi-petit -[Raphaël Parrëe]: https://github.com/rparree -[Pieter Vantorre]: https://github.com/NuclearCookie -[5b3e0e6]: https://github.com/isagalaev/highlight.js/commit/5b3e0e68bfaae282faff6697d6a490567fa9d44b - - -## Version 9.10.0 - -Apologies for missing the previous release cycle. Some thing just can't be -automated… Anyway, we're back! - -New languages: - -- *Hy* by [Sergey Sobko][] -- *Leaf* by [Hale Chan][] -- *N1QL* by [Andres Täht][] and [Rene Saarsoo][] - -Improvements: - -- *Rust* got updated with new keywords by [Kasper Andersen][] and then - significantly modernized even more by [Eduard-Mihai Burtescu][] (yes, @eddyb, - Rust core team member!) -- *Python* updated with f-literals by [Philipp A][]. -- *YAML* updated with unquoted strings support. -- *Gauss* updated with new keywords by [Matt Evans][]. -- *Lua* updated with new keywords by [Joe Blow][]. -- *Kotlin* updated with new keywords by [Philipp Hauer][]. -- *TypeScript* got highlighting of function params and updated keywords by - [Ike Ku][]. -- *Scheme* now correctly handles \`-quoted lists thanks to [Guannan Wei]. -- [Sam Wu][] fixed handling of `<<` in *C++* defines. - -[Philipp A]: https://github.com/flying-sheep -[Philipp Hauer]: https://github.com/phauer -[Sergey Sobko]: https://github.com/profitware -[Hale Chan]: https://github.com/halechan -[Matt Evans]: https://github.com/matthewevans -[Joe Blow]: https://github.com/mossarelli -[Kasper Andersen]: https://github.com/kasma1990 -[Eduard-Mihai Burtescu]: https://github.com/eddyb -[Andres Täht]: https://github.com/andrestaht -[Rene Saarsoo]: https://github.com/nene -[Philipp Hauer]: https://github.com/phauer -[Ike Ku]: https://github.com/dempfi -[Guannan Wei]: https://github.com/Kraks -[Sam Wu]: https://github.com/samsam2310 - - -## Version 9.9.0 - -New languages - -- *LLVM* by [Michael Rodler][] - -Improvements: - -- *TypeScript* updated with annotations and param lists inside constructors, by - [Raphael Parree][]. -- *CoffeeScript* updated with new keywords and fixed to recognize JavaScript - in \`\`\`, thanks to thanks to [Geoffrey Booth][]. -- Compiler directives in *Delphi* are now correctly highlighted as "meta". - -[Raphael Parree]: https://github.com/rparree -[Michael Rodler]: https://github.com/f0rki -[Geoffrey Booth]: https://github.com/GeoffreyBooth - - -## Version 9.8.0 "New York" - -This version is the second one that deserved a name. Because I'm in New York, -and the release isn't missing the deadline only because it's still Tuesday on -West Coast. - -New languages: - -- *Clean* by [Camil Staps][] -- *Flix* by [Magnus Madsen][] - -Improvements: - -- [Kenton Hamaluik][] did a comprehensive update for *Haxe*. -- New commands for *PowerShell* from [Nicolas Le Gall][]. -- [Jan T. Sott][] updated *NSIS*. -- *Java* and *Swift* support unicode characters in identifiers thanks to - [Alexander Lichter][]. - -[Camil Staps]: https://github.com/camilstaps -[Magnus Madsen]: https://github.com/magnus-madsen -[Kenton Hamaluik]: https://github.com/FuzzyWuzzie -[Nicolas Le Gall]: https://github.com/darkitty -[Jan T. Sott]: https://github.com/idleberg -[Alexander Lichter]: https://github.com/manniL - - -## Version 9.7.0 - -A comprehensive bugfix release. This is one of the best things about -highlight.js: even boring things keep getting better (even if slow). - -- VHDL updated with PSL keywords and uses more consistent styling. -- Nested C-style comments no longer break highlighting in many languages. -- JavaScript updated with `=>` functions, highlighted object attributes and - parsing within template string substitution blocks (`${...}`). -- Fixed another corner case with self-closing `` in JSX. -- Added `HEALTHCHECK` directive in Docker. -- Delphi updated with new Free Pascal keywords. -- Fixed digit separator parsing in C++. -- C# updated with new keywords and fixed to allow multiple identifiers within - generics `<...>`. -- Fixed another slow regex in Less. - - -## Version 9.6.0 - -New languages: - -- *ABNF* and *EBNF* by [Alex McKibben][] -- *Awk* by [Matthew Daly][] -- *SubUnit* by [Sergey Bronnikov][] - -New styles: - -- *Atom One* in both Dark and Light variants by [Daniel Gamage][] - -Plus, a few smaller updates for *Lasso*, *Elixir*, *C++* and *SQL*. - -[Alex McKibben]: https://github.com/mckibbenta -[Daniel Gamage]: https://github.com/danielgamage -[Matthew Daly]: https://github.com/matthewbdaly -[Sergey Bronnikov]: https://github.com/ligurio - - -## Version 9.5.0 - -New languages: - -- *Excel* by [Victor Zhou][] -- *Linden Scripting Language* by [Builder's Brewery][] -- *TAP* (Test Anything Protocol) by [Sergey Bronnikov][] -- *Pony* by [Joe Eli McIlvain][] -- *Coq* by [Stephan Boyer][] -- *dsconfig* and *LDIF* by [Jacob Childress][] - -New styles: - -- *Ocean Dark* by [Gavin Siu][] - -Notable changes: - -- [Minh Nguyễn][] added more built-ins to Objective C. -- [Jeremy Hull][] fixed corner cases in C++ preprocessor directives and Diff - comments. -- [Victor Zhou][] added support for digit separators in C++ numbers. - -[Gavin Siu]: https://github.com/gavsiu -[Builder's Brewery]: https://github.com/buildersbrewery -[Victor Zhou]: https://github.com/OiCMudkips -[Sergey Bronnikov]: https://github.com/ligurio -[Joe Eli McIlvain]: https://github.com/jemc -[Stephan Boyer]: https://github.com/boyers -[Jacob Childress]: https://github.com/braveulysses -[Minh Nguyễn]: https://github.com/1ec5 -[Jeremy Hull]: https://github.com/sourrust - - -## Version 9.4.0 - -New languages: - -- *PureBASIC* by [Tristano Ajmone][] -- *BNF* by [Oleg Efimov][] -- *Ada* by [Lars Schulna][] - -New styles: - -- *PureBASIC* by [Tristano Ajmone][] - -Improvements to existing languages and styles: - -- We now highlight function declarations in Go. -- [Taisuke Fujimoto][] contributed very convoluted rules for raw and - interpolated strings in C#. -- [Boone Severson][] updated Verilog to comply with IEEE 1800-2012 - SystemVerilog. -- [Victor Zhou][] improved rules for comments and strings in PowerShell files. -- [Janis Voigtländer][] updated the definition of Elm to version 0.17 of the - languages. Elm is now featured on the front page of . -- Special variable `$this` is highlighted as a keyword in PHP. -- `usize` and `isize` are now highlighted in Rust. -- Fixed labels and directives in x86 assembler. - -[Tristano Ajmone]: https://github.com/tajmone -[Taisuke Fujimoto]: https://github.com/temp-impl -[Oleg Efimov]: https://github.com/Sannis -[Boone Severson]: https://github.com/BooneJS -[Victor Zhou]: https://github.com/OiCMudkips -[Lars Schulna]: https://github.com/captain-hanuta -[Janis Voigtländer]: https://github.com/jvoigtlaender - - -## Version 9.3.0 - -New languages: - -- *Tagger Script* by [Philipp Wolfer][] -- *MoonScript* by [Billy Quith][] - -New styles: - -- *xt256* by [Herbert Shin][] - -Improvements to existing languages and styles: - -- More robust handling of unquoted HTML tag attributes -- Relevance tuning for QML which was unnecessary eager at seizing other - languages' code -- Improve GAMS language parsing -- Fixed a bunch of bugs around selectors in Less -- Kotlin's got a new definition for annotations, updated keywords and other - minor improvements -- Added `move` to Rust keywords -- Markdown now recognizes \`\`\`-fenced code blocks -- Improved detection of function declarations in C++ and C# - -[Philipp Wolfer]: https://github.com/phw -[Billy Quith]: https://github.com/billyquith -[Herbert Shin]: https://github.com/initbar - - -## Version 9.2.0 - -New languages: - -- *QML* by [John Foster][] -- *HTMLBars* by [Michael Johnston][] -- *CSP* by [Taras][] -- *Maxima* by [Robert Dodier][] - -New styles: - -- *Gruvbox* by [Qeole][] -- *Dracula* by [Denis Ciccale][] - -Improvements to existing languages and styles: - -- We now correctly handle JSX with arbitrary node tree depth. -- Argument list for `(lambda)` in Scheme is no longer highlighted as a function - call. -- Stylus syntax doesn't break on valid CSS. -- More correct handling of comments and strings and other improvements for - VimScript. -- More subtle work on the default style. -- We now use anonymous modules for AMD. -- `macro_rules!` is now recognized as a built-in in Rust. - -[John Foster]: https://github.com/jf990 -[Qeole]: https://github.com/Qeole -[Denis Ciccale]: https://github.com/dciccale -[Michael Johnston]: https://github.com/lastobelus -[Taras]: https://github.com/oxdef -[Robert Dodier]: https://github.com/robert-dodier - - -## Version 9.1.0 - -New languages: - -- *Stan* by [Brendan Rocks][] -- *BASIC* by [Raphaël Assénat][] -- *GAUSS* by [Matt Evans][] -- *DTS* by [Martin Braun][] -- *Arduino* by [Stefania Mellai][] - -New Styles: - -- *Arduino Light* by [Stefania Mellai][] - -Improvements to existing languages and styles: - -- Handle return type annotations in Python -- Allow shebang headers in Javascript -- Support strings in Rust meta -- Recognize `struct` as a class-level definition in Rust -- Recognize b-prefixed chars and strings in Rust -- Better numbers handling in Verilog - -[Brendan Rocks]: http://brendanrocks.com -[Raphaël Assénat]: https://github.com/raphnet -[Matt Evans]: https://github.com/matthewevans -[Martin Braun]: https://github.com/mbr0wn -[Stefania Mellai]: https://github.com/smellai - - -## Version 9.0.0 - -The new major version brings a reworked styling system. Highlight.js now defines -a limited set of highlightable classes giving a consistent result across all the -styles and languages. You can read a more detailed explanation and background in -the [tracking issue][#348] that started this long process back in May. - -This change is backwards incompatible for those who uses highlight.js with a -custom stylesheet. The [new style guide][sg] explains how to write styles -in this new world. - -Bundled themes have also suffered a significant amount of improvements and may -look different in places, but all the things now consistent and make more sense. -Among others, the Default style has got a refresh and will probably be tweaked -some more in next releases. Please do give your feedback in our -[issue tracker][issues]. - -New languages in this release: - -- *Caché Object Script* by [Nikita Savchenko][] -- *YAML* by [Stefan Wienert][] -- *MIPS Assembler* by [Nebuleon Fumika][] -- *HSP* by [prince][] - -Improvements to existing languages and styles: - -- ECMAScript 6 modules import now do not require closing semicolon. -- ECMAScript 6 classes constructors now highlighted. -- Template string support for Typescript, as for ECMAScript 6. -- Scala case classes params highlight fixed. -- Built-in names introduced in Julia v0.4 added by [Kenta Sato][]. -- Refreshed Default style. - -Other notable changes: - -- [Web workers support][webworkers] added bu [Jan Kühle][]. -- We now have tests for compressed browser builds as well. -- The building tool chain has been switched to node.js 4.x. and is now - shamelessly uses ES6 features all over the place, courtesy of [Jeremy Hull][]. -- License added to non-compressed browser build. - -[Jan Kühle]: https://github.com/frigus02 -[Stefan Wienert]: https://github.com/zealot128 -[Kenta Sato]: https://github.com/bicycle1885 -[Nikita Savchenko]: https://github.com/ZitRos -[webworkers]: https://github.com/isagalaev/highlight.js#web-workers -[Jeremy Hull]: https://github.com/sourrust -[#348]: https://github.com/isagalaev/highlight.js/issues/348 -[sg]: http://highlightjs.readthedocs.org/en/latest/style-guide.html -[issues]: https://github.com/isagalaev/highlight.js/issues -[Nebuleon Fumika]: https://github.com/Nebuleon -[prince]: https://github.com/prince-0203 - - -## Version 8.9.1 - -Some last-minute changes reverted due to strange bug with minified browser build: - -- Scala case classes params highlight fixed -- ECMAScript 6 modules import now do not require closing semicolon -- ECMAScript 6 classes constructors now highlighted -- Template string support for Typescript, as for ECMAScript 6 -- License added to not minified browser build - - -## Version 8.9.0 - -New languages: - -- *crmsh* by [Kristoffer Gronlund][] -- *SQF* by [Soren Enevoldsen][] - -[Kristoffer Gronlund]: https://github.com/krig -[Soren Enevoldsen]: https://github.com/senevoldsen90 - -Notable fixes and improvements to existing languages: - -- Added `abstract` and `namespace` keywords to TypeScript by [Daniel Rosenwasser][] -- Added `label` support to Dockerfile by [Ladislav Prskavec][] -- Crystal highlighting improved by [Tsuyusato Kitsune][] -- Missing Swift keywords added by [Nate Cook][] -- Improve detection of C block comments -- ~~Scala case classes params highlight fixed~~ -- ~~ECMAScript 6 modules import now do not require closing semicolon~~ -- ~~ECMAScript 6 classes constructors now highlighted~~ -- ~~Template string support for Typescript, as for ECMAScript 6~~ - -Other notable changes: - -- ~~License added to not minified browser build~~ - -[Kristoffer Gronlund]: https://github.com/krig -[Søren Enevoldsen]: https://github.com/senevoldsen90 -[Daniel Rosenwasser]: https://github.com/DanielRosenwasser -[Ladislav Prskavec]: https://github.com/abtris -[Tsuyusato Kitsune]: https://github.com/MakeNowJust -[Nate Cook]: https://github.com/natecook1000 - - -## Version 8.8.0 - -New languages: - -- *Golo* by [Philippe Charrière][] -- *GAMS* by [Stefan Bechert][] -- *IRPF90* by [Anthony Scemama][] -- *Access logs* by [Oleg Efimov][] -- *Crystal* by [Tsuyusato Kitsune][] - -Notable fixes and improvements to existing languages: - -- JavaScript highlighting no longer fails with ES6 default parameters -- Added keywords `async` and `await` to Python -- PHP heredoc support improved -- Allow preprocessor directives within C++ functions - -Other notable changes: - -- Change versions to X.Y.Z SemVer-compatible format -- Added ability to build all targets at once - -[Philippe Charrière]: https://github.com/k33g -[Stefan Bechert]: https://github.com/b-pos465 -[Anthony Scemama]: https://github.com/scemama -[Oleg Efimov]: https://github.com/Sannis -[Tsuyusato Kitsune]: https://github.com/MakeNowJust - - -## Version 8.7 - -New languages: - -- *Zephir* by [Oleg Efimov][] -- *Elm* by [Janis Voigtländer][] -- *XQuery* by [Dirk Kirsten][] -- *Mojolicious* by [Dotan Dimet][] -- *AutoIt* by Manh Tuan from [J2TeaM][] -- *Toml* (ini extension) by [Guillaume Gomez][] - -New styles: - -- *Hopscotch* by [Jan T. Sott][] -- *Grayscale* by [MY Sun][] - -Notable fixes and improvements to existing languages: - -- Fix encoding of images when copied over in certain builds -- Fix incorrect highlighting of the word "bug" in comments -- Treat decorators different from matrix multiplication in Python -- Fix traits inheritance highlighting in Rust -- Fix incorrect document -- Oracle keywords added to SQL language definition by [Vadimtro][] -- Postgres keywords added to SQL language definition by [Benjamin Auder][] -- Fix registers in x86asm being highlighted as a hex number -- Fix highlighting for numbers with a leading decimal point -- Correctly highlight numbers and strings inside of C/C++ macros -- C/C++ functions now support pointer, reference, and move returns - -[Oleg Efimov]: https://github.com/Sannis -[Guillaume Gomez]: https://github.com/GuillaumeGomez -[Janis Voigtländer]: https://github.com/jvoigtlaender -[Jan T. Sott]: https://github.com/idleberg -[Dirk Kirsten]: https://github.com/dirkk -[MY Sun]: https://github.com/simonmysun -[Vadimtro]: https://github.com/Vadimtro -[Benjamin Auder]: https://github.com/ghost -[Dotan Dimet]: https://github.com/dotandimet -[J2TeaM]: https://github.com/J2TeaM - - -## Version 8.6 - -New languages: - -- *C/AL* by [Kenneth Fuglsang][] -- *DNS zone file* by [Tim Schumacher][] -- *Ceylon* by [Lucas Werkmeister][] -- *OpenSCAD* by [Dan Panzarella][] -- *Inform7* by [Bruno Dias][] -- *armasm* by [Dan Panzarella][] -- *TP* by [Jay Strybis][] - -New styles: - -- *Atelier Cave*, *Atelier Estuary*, - *Atelier Plateau* and *Atelier Savanna* by [Bram de Haan][] -- *Github Gist* by [Louis Barranqueiro][] - -Notable fixes and improvements to existing languages: - -- Multi-line raw strings from C++11 are now supported -- Fix class names with dashes in HAML -- The `async` keyword from ES6/7 is now supported -- TypeScript functions handle type and parameter complexity better -- We unified phpdoc/javadoc/yardoc etc modes across all languages -- CSS .class selectors relevance was dropped to prevent wrong language detection -- Images is now included to CDN build -- Release process is now automated - -[Bram de Haan]: https://github.com/atelierbram -[Kenneth Fuglsang]: https://github.com/kfuglsang -[Louis Barranqueiro]: https://github.com/LouisBarranqueiro -[Tim Schumacher]: https://github.com/enko -[Lucas Werkmeister]: https://github.com/lucaswerkmeister -[Dan Panzarella]: https://github.com/pzl -[Bruno Dias]: https://github.com/sequitur -[Jay Strybis]: https://github.com/unreal - - -## Version 8.5 - -New languages: - -- *pf.conf* by [Peter Piwowarski][] -- *Julia* by [Kenta Sato][] -- *Prolog* by [Raivo Laanemets][] -- *Docker* by [Alexis Hénaut][] -- *Fortran* by [Anthony Scemama][] and [Thomas Applencourt][] -- *Kotlin* by [Sergey Mashkov][] - -New styles: - -- *Agate* by [Taufik Nurrohman][] -- *Darcula* by [JetBrains][] -- *Atelier Sulphurpool* by [Bram de Haan][] -- *Android Studio* by [Pedro Oliveira][] - -Notable fixes and improvements to existing languages: - -- ES6 features in JavaScript are better supported now by [Gu Yiling][]. -- Swift now recognizes body-less method definitions. -- Single expression functions `def foo, do: ... ` now work in Elixir. -- More uniform detection of built-in classes in Objective C. -- Fixes for number literals and processor directives in Rust. -- HTML ` - ``` - -- `tabReplace` and `useBR` that were used in different places are also unified - into the global options object and are to be set using `configure(options)`. - This function is documented in our [API docs][]. Also note that these - parameters are gone from `highlightBlock` and `fixMarkup` which are now also - rely on `configure`. - -- We removed public-facing (though undocumented) object `hljs.LANGUAGES` which - was used to register languages with the library in favor of two new methods: - `registerLanguage` and `getLanguage`. Both are documented in our [API docs][]. - -- Result returned from `highlight` and `highlightAuto` no longer contains two - separate attributes contributing to relevance score, `relevance` and - `keyword_count`. They are now unified in `relevance`. - -Another technically compatible change that nonetheless might need attention: - -- The structure of the NPM package was refactored, so if you had installed it - locally, you'll have to update your paths. The usual `require('highlight.js')` - works as before. This is contributed by [Dmitry Smolin][]. - -New features: - -- Languages now can be recognized by multiple names like "js" for JavaScript or - "html" for, well, HTML (which earlier insisted on calling it "xml"). These - aliases can be specified in the class attribute of the code container in your - HTML as well as in various API calls. For now there are only a few very common - aliases but we'll expand it in the future. All of them are listed in the - [class reference][cr]. - -- Language detection can now be restricted to a subset of languages relevant in - a given context — a web page or even a single highlighting call. This is - especially useful for node.js build that includes all the known languages. - Another example is a StackOverflow-style site where users specify languages - as tags rather than in the markdown-formatted code snippets. This is - documented in the [API reference][] (see methods `highlightAuto` and - `configure`). - -- Language definition syntax streamlined with [variants][] and - [beginKeywords][]. - -New languages and styles: - -- *Oxygene* by [Carlo Kok][] -- *Mathematica* by [Daniel Kvasnička][] -- *Autohotkey* by [Seongwon Lee][] -- *Atelier* family of styles in 10 variants by [Bram de Haan][] -- *Paraíso* styles by [Jan T. Sott][] - -Miscellaneous improvements: - -- Highlighting `=>` prompts in Clojure. -- [Jeremy Hull][] fixed a lot of styles for consistency. -- Finally, highlighting PHP and HTML [mixed in peculiar ways][php-html]. -- Objective C and C# now properly highlight titles in method definition. -- Big overhaul of relevance counting for a number of languages. Please do report - bugs about mis-detection of non-trivial code snippets! - -[API reference]: http://highlightjs.readthedocs.org/en/latest/api.html - -[cr]: http://highlightjs.readthedocs.org/en/latest/css-classes-reference.html -[api docs]: http://highlightjs.readthedocs.org/en/latest/api.html -[variants]: https://groups.google.com/d/topic/highlightjs/VoGC9-1p5vk/discussion -[beginKeywords]: https://github.com/isagalaev/highlight.js/commit/6c7fdea002eb3949577a85b3f7930137c7c3038d -[php-html]: https://twitter.com/highlightjs/status/408890903017689088 - -[Carlo Kok]: https://github.com/carlokok -[Bram de Haan]: https://github.com/atelierbram -[Daniel Kvasnička]: https://github.com/dkvasnicka -[Dmitry Smolin]: https://github.com/dimsmol -[Jeremy Hull]: https://github.com/sourrust -[Seongwon Lee]: https://github.com/dlimpid -[Jan T. Sott]: https://github.com/idleberg - - -## Version 7.5 - -A catch-up release dealing with some of the accumulated contributions. This one -is probably will be the last before the 8.0 which will be slightly backwards -incompatible regarding some advanced use-cases. - -One outstanding change in this version is the addition of 6 languages to the -[hosted script][d]: Markdown, ObjectiveC, CoffeeScript, Apache, Nginx and -Makefile. It now weighs about 6K more but we're going to keep it under 30K. - -New languages: - -- OCaml by [Mehdi Dogguy][mehdid] and [Nicolas Braud-Santoni][nbraud] -- [LiveCode Server][lcs] by [Ralf Bitter][revig] -- Scilab by [Sylvestre Ledru][sylvestre] -- basic support for Makefile by [Ivan Sagalaev][isagalaev] - -Improvements: - -- Ruby's got support for characters like `?A`, `?1`, `?\012` etc. and `%r{..}` - regexps. -- Clojure now allows a function call in the beginning of s-expressions - `(($filter "myCount") (arr 1 2 3 4 5))`. -- Haskell's got new keywords and now recognizes more things like pragmas, - preprocessors, modules, containers, FFIs etc. Thanks to [Zena Treep][treep] - for the implementation and to [Jeremy Hull][sourrust] for guiding it. -- Miscellaneous fixes in PHP, Brainfuck, SCSS, Asciidoc, CMake, Python and F#. - -[mehdid]: https://github.com/mehdid -[nbraud]: https://github.com/nbraud -[revig]: https://github.com/revig -[lcs]: http://livecode.com/developers/guides/server/ -[sylvestre]: https://github.com/sylvestre -[isagalaev]: https://github.com/isagalaev -[treep]: https://github.com/treep -[sourrust]: https://github.com/sourrust -[d]: http://highlightjs.org/download/ - - -## New core developers - -The latest long period of almost complete inactivity in the project coincided -with growing interest to it led to a decision that now seems completely obvious: -we need more core developers. - -So without further ado let me welcome to the core team two long-time -contributors: [Jeremy Hull][] and [Oleg -Efimov][]. - -Hope now we'll be able to work through stuff faster! - -P.S. The historical commit is [here][1] for the record. - -[Jeremy Hull]: https://github.com/sourrust -[Oleg Efimov]: https://github.com/sannis -[1]: https://github.com/isagalaev/highlight.js/commit/f3056941bda56d2b72276b97bc0dd5f230f2473f - - -## Version 7.4 - -This long overdue version is a snapshot of the current source tree with all the -changes that happened during the past year. Sorry for taking so long! - -Along with the changes in code highlight.js has finally got its new home at -, moving from its cradle on Software Maniacs which it -outgrew a long time ago. Be sure to report any bugs about the site to -. - -On to what's new… - -New languages: - -- Handlebars templates by [Robin Ward][] -- Oracle Rules Language by [Jason Jacobson][] -- F# by [Joans Follesø][] -- AsciiDoc and Haml by [Dan Allen][] -- Lasso by [Eric Knibbe][] -- SCSS by [Kurt Emch][] -- VB.NET by [Poren Chiang][] -- Mizar by [Kelley van Evert][] - -[Robin Ward]: https://github.com/eviltrout -[Jason Jacobson]: https://github.com/jayce7 -[Joans Follesø]: https://github.com/follesoe -[Dan Allen]: https://github.com/mojavelinux -[Eric Knibbe]: https://github.com/EricFromCanada -[Kurt Emch]: https://github.com/kemch -[Poren Chiang]: https://github.com/rschiang -[Kelley van Evert]: https://github.com/kelleyvanevert - -New style themes: - -- Monokai Sublime by [noformnocontent][] -- Railscasts by [Damien White][] -- Obsidian by [Alexander Marenin][] -- Docco by [Simon Madine][] -- Mono Blue by [Ivan Sagalaev][] (uses a single color hue for everything) -- Foundation by [Dan Allen][] - -[noformnocontent]: http://nn.mit-license.org/ -[Damien White]: https://github.com/visoft -[Alexander Marenin]: https://github.com/ioncreature -[Simon Madine]: https://github.com/thingsinjars -[Ivan Sagalaev]: https://github.com/isagalaev - -Other notable changes: - -- Corrected many corner cases in CSS. -- Dropped Python 2 version of the build tool. -- Implemented building for the AMD format. -- Updated Rust keywords (thanks to [Dmitry Medvinsky][]). -- Literal regexes can now be used in language definitions. -- CoffeeScript highlighting is now significantly more robust and rich due to - input from [Cédric Néhémie][]. - -[Dmitry Medvinsky]: https://github.com/dmedvinsky -[Cédric Néhémie]: https://github.com/abe33 - - -## Version 7.3 - -- Since this version highlight.js no longer works in IE version 8 and older. - It's made it possible to reduce the library size and dramatically improve code - readability and made it easier to maintain. Time to go forward! - -- New languages: AppleScript (by [Nathan Grigg][ng] and [Dr. Drang][dd]) and - Brainfuck (by [Evgeny Stepanischev][bolk]). - -- Improvements to existing languages: - - - interpreter prompt in Python (`>>>` and `...`) - - @-properties and classes in CoffeeScript - - E4X in JavaScript (by [Oleg Efimov][oe]) - - new keywords in Perl (by [Kirk Kimmel][kk]) - - big Ruby syntax update (by [Vasily Polovnyov][vast]) - - small fixes in Bash - -- Also Oleg Efimov did a great job of moving all the docs for language and style - developers and contributors from the old wiki under the source code in the - "docs" directory. Now these docs are nicely presented at - . - -[ng]: https://github.com/nathan11g -[dd]: https://github.com/drdrang -[bolk]: https://github.com/bolknote -[oe]: https://github.com/Sannis -[kk]: https://github.com/kimmel -[vast]: https://github.com/vast - - -## Version 7.2 - -A regular bug-fix release without any significant new features. Enjoy! - - -## Version 7.1 - -A Summer crop: - -- [Marc Fornos][mf] made the definition for Clojure along with the matching - style Rainbow (which, of course, works for other languages too). -- CoffeeScript support continues to improve getting support for regular - expressions. -- Yoshihide Jimbo ported to highlight.js [five Tomorrow styles][tm] from the - [project by Chris Kempson][tm0]. -- Thanks to [Casey Duncun][cd] the library can now be built in the popular - [AMD format][amd]. -- And last but not least, we've got a fair number of correctness and consistency - fixes, including a pretty significant refactoring of Ruby. - -[mf]: https://github.com/mfornos -[tm]: http://jmblog.github.com/color-themes-for-highlightjs/ -[tm0]: https://github.com/ChrisKempson/Tomorrow-Theme -[cd]: https://github.com/caseman -[amd]: http://requirejs.org/docs/whyamd.html - - -## Version 7.0 - -The reason for the new major version update is a global change of keyword syntax -which resulted in the library getting smaller once again. For example, the -hosted build is 2K less than at the previous version while supporting two new -languages. - -Notable changes: - -- The library now works not only in a browser but also with [node.js][]. It is - installable with `npm install highlight.js`. [API][] docs are available on our - wiki. - -- The new unique feature (apparently) among syntax highlighters is highlighting - *HTTP* headers and an arbitrary language in the request body. The most useful - languages here are *XML* and *JSON* both of which highlight.js does support. - Here's [the detailed post][p] about the feature. - -- Two new style themes: a dark "south" *[Pojoaque][]* by Jason Tate and an - emulation of*XCode* IDE by [Angel Olloqui][ao]. - -- Three new languages: *D* by [Aleksandar Ružičić][ar], *R* by [Joe Cheng][jc] - and *GLSL* by [Sergey Tikhomirov][st]. - -- *Nginx* syntax has become a million times smaller and more universal thanks to - remaking it in a more generic manner that doesn't require listing all the - directives in the known universe. - -- Function titles are now highlighted in *PHP*. - -- *Haskell* and *VHDL* were significantly reworked to be more rich and correct - by their respective maintainers [Jeremy Hull][sr] and [Igor Kalnitsky][ik]. - -And last but not least, many bugs have been fixed around correctness and -language detection. - -Overall highlight.js currently supports 51 languages and 20 style themes. - -[node.js]: http://nodejs.org/ -[api]: http://softwaremaniacs.org/wiki/doku.php/highlight.js:api -[p]: http://softwaremaniacs.org/blog/2012/05/10/http-and-json-in-highlight-js/en/ -[pojoaque]: http://web-cms-designs.com/ftopict-10-pojoaque-style-for-highlight-js-code-highlighter.html -[ao]: https://github.com/angelolloqui -[ar]: https://github.com/raleksandar -[jc]: https://github.com/jcheng5 -[st]: https://github.com/tikhomirov -[sr]: https://github.com/sourrust -[ik]: https://github.com/ikalnitsky - - -## Version 6.2 - -A lot of things happened in highlight.js since the last version! We've got nine -new contributors, the discussion group came alive, and the main branch on GitHub -now counts more than 350 followers. Here are most significant results coming -from all this activity: - -- 5 (five!) new languages: Rust, ActionScript, CoffeeScript, MatLab and - experimental support for markdown. Thanks go to [Andrey Vlasovskikh][av], - [Alexander Myadzel][am], [Dmytrii Nagirniak][dn], [Oleg Efimov][oe], [Denis - Bardadym][db] and [John Crepezzi][jc]. - -- 2 new style themes: Monokai by [Luigi Maselli][lm] and stylistic imitation of - another well-known highlighter Google Code Prettify by [Aahan Krish][ak]. - -- A vast number of [correctness fixes and code refactorings][log], mostly made - by [Oleg Efimov][oe] and [Evgeny Stepanischev][es]. - -[av]: https://github.com/vlasovskikh -[am]: https://github.com/myadzel -[dn]: https://github.com/dnagir -[oe]: https://github.com/Sannis -[db]: https://github.com/btd -[jc]: https://github.com/seejohnrun -[lm]: http://grigio.org/ -[ak]: https://github.com/geekpanth3r -[es]: https://github.com/bolknote -[log]: https://github.com/isagalaev/highlight.js/commits/ - - -## Version 6.1 — Solarized - -[Jeremy Hull][jh] has implemented my dream feature — a port of [Solarized][] -style theme famous for being based on the intricate color theory to achieve -correct contrast and color perception. It is now available for highlight.js in -both variants — light and dark. - -This version also adds a new original style Arta. Its author pumbur maintains a -[heavily modified fork of highlight.js][pb] on GitHub. - -[jh]: https://github.com/sourrust -[solarized]: http://ethanschoonover.com/solarized -[pb]: https://github.com/pumbur/highlight.js - - -## Version 6.0 - -New major version of the highlighter has been built on a significantly -refactored syntax. Due to this it's even smaller than the previous one while -supporting more languages! - -New languages are: - -- Haskell by [Jeremy Hull][sourrust] -- Erlang in two varieties — module and REPL — made collectively by [Nikolay - Zakharov][desh], [Dmitry Kovega][arhibot] and [Sergey Ignatov][ignatov] -- Objective C by [Valerii Hiora][vhbit] -- Vala by [Antono Vasiljev][antono] -- Go by [Stephan Kountso][steplg] - -[sourrust]: https://github.com/sourrust -[desh]: http://desh.su/ -[arhibot]: https://github.com/arhibot -[ignatov]: https://github.com/ignatov -[vhbit]: https://github.com/vhbit -[antono]: https://github.com/antono -[steplg]: https://github.com/steplg - -Also this version is marginally faster and fixes a number of small long-standing -bugs. - -Developer overview of the new language syntax is available in a [blog post about -recent beta release][beta]. - -[beta]: http://softwaremaniacs.org/blog/2011/04/25/highlight-js-60-beta/en/ - -P.S. New version is not yet available on a Yandex CDN, so for now you have to -download [your own copy][d]. - -[d]: /soft/highlight/en/download/ - - -## Version 5.14 - -Fixed bugs in HTML/XML detection and relevance introduced in previous -refactoring. - -Also test.html now shows the second best result of language detection by -relevance. - - -## Version 5.13 - -Past weekend began with a couple of simple additions for existing languages but -ended up in a big code refactoring bringing along nice improvements for language -developers. - -### For users - -- Description of C++ has got new keywords from the upcoming [C++ 0x][] standard. -- Description of HTML has got new tags from [HTML 5][]. -- CSS-styles have been unified to use consistent padding and also have lost - pop-outs with names of detected languages. -- [Igor Kalnitsky][ik] has sent two new language descriptions: CMake & VHDL. - -This makes total number of languages supported by highlight.js to reach 35. - -Bug fixes: - -- Custom classes on `
` tags are not being overridden anymore
-- More correct highlighting of code blocks inside non-`
` containers:
-  highlighter now doesn't insist on replacing them with its own container and
-  just replaces the contents.
-- Small fixes in browser compatibility and heuristics.
-
-[c++ 0x]: http://ru.wikipedia.org/wiki/C%2B%2B0x
-[html 5]: http://en.wikipedia.org/wiki/HTML5
-[ik]: http://kalnitsky.org.ua/
-
-### For developers
-
-The most significant change is the ability to include language submodes right
-under `contains` instead of defining explicit named submodes in the main array:
-
-    contains: [
-      'string',
-      'number',
-      {begin: '\\n', end: hljs.IMMEDIATE_RE}
-    ]
-
-This is useful for auxiliary modes needed only in one place to define parsing.
-Note that such modes often don't have `className` and hence won't generate a
-separate `` in the resulting markup. This is similar in effect to
-`noMarkup: true`. All existing languages have been refactored accordingly.
-
-Test file test.html has at last become a real test. Now it not only puts the
-detected language name under the code snippet but also tests if it matches the
-expected one. Test summary is displayed right above all language snippets.
-
-
-## CDN
-
-Fine people at [Yandex][] agreed to host highlight.js on their big fast servers.
-[Link up][l]!
-
-[yandex]: http://yandex.com/
-[l]: http://softwaremaniacs.org/soft/highlight/en/download/
-
-
-## Version 5.10 — "Paris".
-
-Though I'm on a vacation in Paris, I decided to release a new version with a
-couple of small fixes:
-
-- Tomas Vitvar discovered that TAB replacement doesn't always work when used
-  with custom markup in code
-- SQL parsing is even more rigid now and doesn't step over SmallTalk in tests
-
-
-## Version 5.9
-
-A long-awaited version is finally released.
-
-New languages:
-
-- Andrew Fedorov made a definition for Lua
-- a long-time highlight.js contributor [Peter Leonov][pl] made a definition for
-  Nginx config
-- [Vladimir Moskva][vm] made a definition for TeX
-
-[pl]: http://kung-fu-tzu.ru/
-[vm]: http://fulc.ru/
-
-Fixes for existing languages:
-
-- [Loren Segal][ls] reworked the Ruby definition and added highlighting for
-  [YARD][] inline documentation
-- the definition of SQL has become more solid and now it shouldn't be overly
-  greedy when it comes to language detection
-
-[ls]: http://gnuu.org/
-[yard]: http://yardoc.org/
-
-The highlighter has become more usable as a library allowing to do highlighting
-from initialization code of JS frameworks and in ajax methods (see.
-readme.eng.txt).
-
-Also this version drops support for the [WordPress][wp] plugin. Everyone is
-welcome to [pick up its maintenance][p] if needed.
-
-[wp]: http://wordpress.org/
-[p]: http://bazaar.launchpad.net/~isagalaev/+junk/highlight/annotate/342/src/wp_highlight.js.php
-
-
-## Version 5.8
-
-- Jan Berkel has contributed a definition for Scala. +1 to hotness!
-- All CSS-styles are rewritten to work only inside `
` tags to avoid
-  conflicts with host site styles.
-
-
-## Version 5.7.
-
-Fixed escaping of quotes in VBScript strings.
-
-
-## Version 5.5
-
-This version brings a small change: now .ini-files allow digits, underscores and
-square brackets in key names.
-
-
-## Version 5.4
-
-Fixed small but upsetting bug in the packer which caused incorrect highlighting
-of explicitly specified languages. Thanks to Andrew Fedorov for precise
-diagnostics!
-
-
-## Version 5.3
-
-The version to fulfil old promises.
-
-The most significant change is that highlight.js now preserves custom user
-markup in code along with its own highlighting markup. This means that now it's
-possible to use, say, links in code. Thanks to [Vladimir Dolzhenko][vd] for the
-[initial proposal][1] and for making a proof-of-concept patch.
-
-Also in this version:
-
-- [Vasily Polovnyov][vp] has sent a GitHub-like style and has implemented
-  support for CSS @-rules and Ruby symbols.
-- Yura Zaripov has sent two styles: Brown Paper and School Book.
-- Oleg Volchkov has sent a definition for [Parser 3][p3].
-
-[1]: http://softwaremaniacs.org/forum/highlightjs/6612/
-[p3]: http://www.parser.ru/
-[vp]: http://vasily.polovnyov.ru/
-[vd]: http://dolzhenko.blogspot.com/
-
-
-## Version 5.2
-
-- at last it's possible to replace indentation TABs with something sensible
-  (e.g. 2 or 4 spaces)
-- new keywords and built-ins for 1C by Sergey Baranov
-- a couple of small fixes to Apache highlighting
-
-
-## Version 5.1
-
-This is one of those nice version consisting entirely of new and shiny
-contributions!
-
-- [Vladimir Ermakov][vooon] created highlighting for AVR Assembler
-- [Ruslan Keba][rukeba] created highlighting for Apache config file. Also his
-  original visual style for it is now available for all highlight.js languages
-  under the name "Magula".
-- [Shuen-Huei Guan][drake] (aka Drake) sent new keywords for RenderMan
-  languages. Also thanks go to [Konstantin Evdokimenko][ke] for his advice on
-  the matter.
-
-[vooon]: http://vehq.ru/about/
-[rukeba]: http://rukeba.com/
-[drake]: http://drakeguan.org/
-[ke]: http://k-evdokimenko.moikrug.ru/
-
-
-## Version 5.0
-
-The main change in the new major version of highlight.js is a mechanism for
-packing several languages along with the library itself into a single compressed
-file. Now sites using several languages will load considerably faster because
-the library won't dynamically include additional files while loading.
-
-Also this version fixes a long-standing bug with Javascript highlighting that
-couldn't distinguish between regular expressions and division operations.
-
-And as usually there were a couple of minor correctness fixes.
-
-Great thanks to all contributors! Keep using highlight.js.
-
-
-## Version 4.3
-
-This version comes with two contributions from [Jason Diamond][jd]:
-
-- language definition for C# (yes! it was a long-missed thing!)
-- Visual Studio-like highlighting style
-
-Plus there are a couple of minor bug fixes for parsing HTML and XML attributes.
-
-[jd]: http://jason.diamond.name/weblog/
-
-
-## Version 4.2
-
-The biggest news is highlighting for Lisp, courtesy of Vasily Polovnyov. It's
-somewhat experimental meaning that for highlighting "keywords" it doesn't use
-any pre-defined set of a Lisp dialect. Instead it tries to highlight first word
-in parentheses wherever it makes sense. I'd like to ask people programming in
-Lisp to confirm if it's a good idea and send feedback to [the forum][f].
-
-Other changes:
-
-- Smalltalk was excluded from DEFAULT_LANGUAGES to save traffic
-- [Vladimir Epifanov][voldmar] has implemented javascript style switcher for
-  test.html
-- comments now allowed inside Ruby function definition
-- [MEL][] language from [Shuen-Huei Guan][drake]
-- whitespace now allowed between `
` and ``
-- better auto-detection of C++ and PHP
-- HTML allows embedded VBScript (`<% .. %>`)
-
-[f]: http://softwaremaniacs.org/forum/highlightjs/
-[voldmar]: http://voldmar.ya.ru/
-[mel]: http://en.wikipedia.org/wiki/Maya_Embedded_Language
-[drake]: http://drakeguan.org/
-
-
-## Version 4.1
-
-Languages:
-
-- Bash from Vah
-- DOS bat-files from Alexander Makarov (Sam)
-- Diff files from Vasily Polovnyov
-- Ini files from myself though initial idea was from Sam
-
-Styles:
-
-- Zenburn from Vladimir Epifanov, this is an imitation of a
-  [well-known theme for Vim][zenburn].
-- Ascetic from myself, as a realization of ideals of non-flashy highlighting:
-  just one color in only three gradations :-)
-
-In other news. [One small bug][bug] was fixed, built-in keywords were added for
-Python and C++ which improved auto-detection for the latter (it was shame that
-[my wife's blog][alenacpp] had issues with it from time to time). And lastly
-thanks go to Sam for getting rid of my stylistic comments in code that were
-getting in the way of [JSMin][].
-
-[zenburn]: http://en.wikipedia.org/wiki/Zenburn
-[alenacpp]: http://alenacpp.blogspot.com/
-[bug]: http://softwaremaniacs.org/forum/viewtopic.php?id=1823
-[jsmin]: http://code.google.com/p/jsmin-php/
-
-
-## Version 4.0
-
-New major version is a result of vast refactoring and of many contributions.
-
-Visible new features:
-
-- Highlighting of embedded languages. Currently is implemented highlighting of
-  Javascript and CSS inside HTML.
-- Bundled 5 ready-made style themes!
-
-Invisible new features:
-
-- Highlight.js no longer pollutes global namespace. Only one object and one
-  function for backward compatibility.
-- Performance is further increased by about 15%.
-
-Changing of a major version number caused by a new format of language definition
-files. If you use some third-party language files they should be updated.
-
-
-## Version 3.5
-
-A very nice version in my opinion fixing a number of small bugs and slightly
-increased speed in a couple of corner cases. Thanks to everybody who reports
-bugs in he [forum][f] and by email!
-
-There is also a new language — XML. A custom XML formerly was detected as HTML
-and didn't highlight custom tags. In this version I tried to make custom XML to
-be detected and highlighted by its own rules. Which by the way include such
-things as CDATA sections and processing instructions (``).
-
-[f]: http://softwaremaniacs.org/forum/viewforum.php?id=6
-
-
-## Version 3.3
-
-[Vladimir Gubarkov][xonix] has provided an interesting and useful addition.
-File export.html contains a little program that shows and allows to copy and
-paste an HTML code generated by the highlighter for any code snippet. This can
-be useful in situations when one can't use the script itself on a site.
-
-
-[xonix]: http://xonixx.blogspot.com/
-
-
-## Version 3.2 consists completely of contributions:
-
-- Vladimir Gubarkov has described SmallTalk
-- Yuri Ivanov has described 1C
-- Peter Leonov has packaged the highlighter as a Firefox extension
-- Vladimir Ermakov has compiled a mod for phpBB
-
-Many thanks to you all!
-
-
-## Version 3.1
-
-Three new languages are available: Django templates, SQL and Axapta. The latter
-two are sent by [Dmitri Roudakov][1]. However I've almost entirely rewrote an
-SQL definition but I'd never started it be it from the ground up :-)
-
-The engine itself has got a long awaited feature of grouping keywords
-("keyword", "built-in function", "literal"). No more hacks!
-
-[1]: http://roudakov.ru/
-
-
-## Version 3.0
-
-It is major mainly because now highlight.js has grown large and has become
-modular. Now when you pass it a list of languages to highlight it will
-dynamically load into a browser only those languages.
-
-Also:
-
-- Konstantin Evdokimenko of [RibKit][] project has created a highlighting for
-  RenderMan Shading Language and RenderMan Interface Bytestream. Yay for more
-  languages!
-- Heuristics for C++ and HTML got better.
-- I've implemented (at last) a correct handling of backslash escapes in C-like
-  languages.
-
-There is also a small backwards incompatible change in the new version. The
-function initHighlighting that was used to initialize highlighting instead of
-initHighlightingOnLoad a long time ago no longer works. If you by chance still
-use it — replace it with the new one.
-
-[RibKit]: http://ribkit.sourceforge.net/
-
-
-## Version 2.9
-
-Highlight.js is a parser, not just a couple of regular expressions. That said
-I'm glad to announce that in the new version 2.9 has support for:
-
-- in-string substitutions for Ruby -- `#{...}`
-- strings from from numeric symbol codes (like #XX) for Delphi
-
-
-## Version 2.8
-
-A maintenance release with more tuned heuristics. Fully backwards compatible.
-
-
-## Version 2.7
-
-- Nikita Ledyaev presents highlighting for VBScript, yay!
-- A couple of bugs with escaping in strings were fixed thanks to Mickle
-- Ongoing tuning of heuristics
-
-Fixed bugs were rather unpleasant so I encourage everyone to upgrade!
-
-
-## Version 2.4
-
-- Peter Leonov provides another improved highlighting for Perl
-- Javascript gets a new kind of keywords — "literals". These are the words
-  "true", "false" and "null"
-
-Also highlight.js homepage now lists sites that use the library. Feel free to
-add your site by [dropping me a message][mail] until I find the time to build a
-submit form.
-
-[mail]: mailto:Maniac@SoftwareManiacs.Org
-
-
-## Version 2.3
-
-This version fixes IE breakage in previous version. My apologies to all who have
-already downloaded that one!
-
-
-## Version 2.2
-
-- added highlighting for Javascript
-- at last fixed parsing of Delphi's escaped apostrophes in strings
-- in Ruby fixed highlighting of keywords 'def' and 'class', same for 'sub' in
-  Perl
-
-
-## Version 2.0
-
-- Ruby support by [Anton Kovalyov][ak]
-- speed increased by orders of magnitude due to new way of parsing
-- this same way allows now correct highlighting of keywords in some tricky
-  places (like keyword "End" at the end of Delphi classes)
-
-[ak]: http://anton.kovalyov.net/
-
-
-## Version 1.0
-
-Version 1.0 of javascript syntax highlighter is released!
-
-It's the first version available with English description. Feel free to post
-your comments and question to [highlight.js forum][forum]. And don't be afraid
-if you find there some fancy Cyrillic letters -- it's for Russian users too :-)
-
-[forum]: http://softwaremaniacs.org/forum/viewforum.php?id=6
diff --git a/doc/html-manual/highlight/LICENSE b/doc/html-manual/highlight/LICENSE
deleted file mode 100644
index 422deb7350..0000000000
--- a/doc/html-manual/highlight/LICENSE
+++ /dev/null
@@ -1,24 +0,0 @@
-Copyright (c) 2006, Ivan Sagalaev
-All rights reserved.
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-    * Redistributions of source code must retain the above copyright
-      notice, this list of conditions and the following disclaimer.
-    * Redistributions in binary form must reproduce the above copyright
-      notice, this list of conditions and the following disclaimer in the
-      documentation and/or other materials provided with the distribution.
-    * Neither the name of highlight.js nor the names of its contributors 
-      may be used to endorse or promote products derived from this software 
-      without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY
-EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE REGENTS AND CONTRIBUTORS BE LIABLE FOR ANY
-DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
-ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
-SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/doc/html-manual/highlight/README.md b/doc/html-manual/highlight/README.md
deleted file mode 100644
index 9f76e6bd56..0000000000
--- a/doc/html-manual/highlight/README.md
+++ /dev/null
@@ -1,150 +0,0 @@
-# Highlight.js
-
-[![Build Status](https://travis-ci.org/isagalaev/highlight.js.svg?branch=master)](https://travis-ci.org/isagalaev/highlight.js)
-
-Highlight.js is a syntax highlighter written in JavaScript. It works in
-the browser as well as on the server. It works with pretty much any
-markup, doesn’t depend on any framework and has automatic language
-detection.
-
-## Getting Started
-
-The bare minimum for using highlight.js on a web page is linking to the
-library along with one of the styles and calling
-[`initHighlightingOnLoad`][1]:
-
-```html
-
-
-
-```
-
-This will find and highlight code inside of `
` tags; it tries
-to detect the language automatically. If automatic detection doesn’t
-work for you, you can specify the language in the `class` attribute:
-
-```html
-
...

-```
-
-The list of supported language classes is available in the [class
-reference][2].  Classes can also be prefixed with either `language-` or
-`lang-`.
-
-To disable highlighting altogether use the `nohighlight` class:
-
-```html
-
...

-```
-
-## Custom Initialization
-
-When you need a bit more control over the initialization of
-highlight.js, you can use the [`highlightBlock`][3] and [`configure`][4]
-functions. This allows you to control *what* to highlight and *when*.
-
-Here’s an equivalent way to calling [`initHighlightingOnLoad`][1] using
-jQuery:
-
-```javascript
-$(document).ready(function() {
-  $('pre code').each(function(i, block) {
-    hljs.highlightBlock(block);
-  });
-});
-```
-
-You can use any tags instead of `
` to mark up your code. If
-you don't use a container that preserve line breaks you will need to
-configure highlight.js to use the `
` tag:
-
-```javascript
-hljs.configure({useBR: true});
-
-$('div.code').each(function(i, block) {
-  hljs.highlightBlock(block);
-});
-```
-
-For other options refer to the documentation for [`configure`][4].
-
-
-## Web Workers
-
-You can run highlighting inside a web worker to avoid freezing the browser
-window while dealing with very big chunks of code.
-
-In your main script:
-
-```javascript
-addEventListener('load', function() {
-  var code = document.querySelector('#code');
-  var worker = new Worker('worker.js');
-  worker.onmessage = function(event) { code.innerHTML = event.data; }
-  worker.postMessage(code.textContent);
-})
-```
-
-In worker.js:
-
-```javascript
-onmessage = function(event) {
-  importScripts('/highlight.pack.js');
-  var result = self.hljs.highlightAuto(event.data);
-  postMessage(result.value);
-}
-```
-
-
-## Getting the Library
-
-You can get highlight.js as a hosted, or custom-build, browser script or
-as a server module. Right out of the box the browser script supports
-both AMD and CommonJS, so if you wish you can use RequireJS or
-Browserify without having to build from source. The server module also
-works perfectly fine with Browserify, but there is the option to use a
-build specific to browsers rather than something meant for a server.
-Head over to the [download page][5] for all the options.
-
-**Don't link to GitHub directly.** The library is not supposed to work straight
-from the source, it requires building. If none of the pre-packaged options
-work for you refer to the [building documentation][6].
-
-**The CDN-hosted package doesn't have all the languages.** Otherwise it'd be
-too big. If you don't see the language you need in the ["Common" section][5],
-it can be added manually:
-
-```html
-
-```
-
-**On Almond.** You need to use the optimizer to give the module a name. For
-example:
-
-```
-r.js -o name=hljs paths.hljs=/path/to/highlight out=highlight.js
-```
-
-
-## License
-
-Highlight.js is released under the BSD License. See [LICENSE][7] file
-for details.
-
-## Links
-
-The official site for the library is at .
-
-Further in-depth documentation for the API and other topics is at
-.
-
-Authors and contributors are listed in the [AUTHORS.en.txt][8] file.
-
-[1]: http://highlightjs.readthedocs.io/en/latest/api.html#inithighlightingonload
-[2]: http://highlightjs.readthedocs.io/en/latest/css-classes-reference.html
-[3]: http://highlightjs.readthedocs.io/en/latest/api.html#highlightblock-block
-[4]: http://highlightjs.readthedocs.io/en/latest/api.html#configure-options
-[5]: https://highlightjs.org/download/
-[6]: http://highlightjs.readthedocs.io/en/latest/building-testing.html
-[7]: https://github.com/isagalaev/highlight.js/blob/master/LICENSE
-[8]: https://github.com/isagalaev/highlight.js/blob/master/AUTHORS.en.txt
diff --git a/doc/html-manual/highlight/README.ru.md b/doc/html-manual/highlight/README.ru.md
deleted file mode 100644
index ac481d0718..0000000000
--- a/doc/html-manual/highlight/README.ru.md
+++ /dev/null
@@ -1,142 +0,0 @@
-# Highlight.js
-
-Highlight.js — это инструмент для подсветки синтаксиса, написанный на JavaScript. Он работает
-и в браузере, и на сервере. Он работает с практически любой HTML разметкой, не
-зависит от каких-либо фреймворков и умеет автоматически определять язык.
-
-
-## Начало работы
-
-Минимум, что нужно сделать для использования highlight.js на веб-странице — это
-подключить библиотеку, CSS-стили и вызывать [`initHighlightingOnLoad`][1]:
-
-```html
-
-
-
-```
-
-Библиотека найдёт и раскрасит код внутри тегов `
`, попытавшись
-автоматически определить язык. Когда автоопределение не срабатывает, можно явно
-указать язык в атрибуте class:
-
-```html
-
...

-```
-
-Список поддерживаемых классов языков доступен в [справочнике по классам][2].
-Класс также можно предварить префиксами `language-` или `lang-`.
-
-Чтобы отключить подсветку для какого-то блока, используйте класс `nohighlight`:
-
-```html
-
...

-```
-
-## Инициализация вручную
-
-Чтобы иметь чуть больше контроля за инициализацией подсветки, вы можете
-использовать функции [`highlightBlock`][3] и [`configure`][4]. Таким образом
-можно управлять тем, *что* и *когда* подсвечивать.
-
-Вот пример инициализации, эквивалентной вызову [`initHighlightingOnLoad`][1], но
-с использованием jQuery:
-
-```javascript
-$(document).ready(function() {
-  $('pre code').each(function(i, block) {
-    hljs.highlightBlock(block);
-  });
-});
-```
-
-Вы можете использовать любые теги разметки вместо `
`. Если
-используете контейнер, не сохраняющий переводы строк, вам нужно сказать
-highlight.js использовать для них тег `
`:
-
-```javascript
-hljs.configure({useBR: true});
-
-$('div.code').each(function(i, block) {
-  hljs.highlightBlock(block);
-});
-```
-
-Другие опции можно найти в документации функции [`configure`][4].
-
-
-## Web Workers
-
-Подсветку можно запустить внутри web worker'а, чтобы окно
-браузера не подтормаживало при работе с большими кусками кода.
-
-В основном скрипте:
-
-```javascript
-addEventListener('load', function() {
-  var code = document.querySelector('#code');
-  var worker = new Worker('worker.js');
-  worker.onmessage = function(event) { code.innerHTML = event.data; }
-  worker.postMessage(code.textContent);
-})
-```
-
-В worker.js:
-
-```javascript
-onmessage = function(event) {
-  importScripts('/highlight.pack.js');
-  var result = self.hljs.highlightAuto(event.data);
-  postMessage(result.value);
-}
-```
-
-
-## Установка библиотеки
-
-Highlight.js можно использовать в браузере прямо с CDN хостинга или скачать
-индивидуальную сборку, а также установив модуль на сервере. На
-[странице загрузки][5] подробно описаны все варианты.
-
-**Не подключайте GitHub напрямую.** Библиотека не предназначена для
-использования в виде исходного кода, а требует отдельной сборки. Если вам не
-подходит ни один из готовых вариантов, читайте [документацию по сборке][6].
-
-**Файл на CDN содержит не все языки.** Иначе он будет слишком большого размера.
-Если нужного вам языка нет в [категории "Common"][5], можно дообавить его
-вручную:
-
-```html
-
-```
-
-**Про Almond.** Нужно задать имя модуля в оптимизаторе, например:
-
-```
-r.js -o name=hljs paths.hljs=/path/to/highlight out=highlight.js
-```
-
-
-## Лицензия
-
-Highlight.js распространяется под лицензией BSD. Подробнее читайте файл
-[LICENSE][7].
-
-
-## Ссылки
-
-Официальный сайт билиотеки расположен по адресу .
-
-Более подробная документация по API и другим темам расположена на
-.
-
-Авторы и контрибьюторы перечислены в файле [AUTHORS.ru.txt][8] file.
-
-[1]: http://highlightjs.readthedocs.io/en/latest/api.html#inithighlightingonload
-[2]: http://highlightjs.readthedocs.io/en/latest/css-classes-reference.html
-[3]: http://highlightjs.readthedocs.io/en/latest/api.html#highlightblock-block
-[4]: http://highlightjs.readthedocs.io/en/latest/api.html#configure-options
-[5]: https://highlightjs.org/download/
-[6]: http://highlightjs.readthedocs.io/en/latest/building-testing.html
-[7]: https://github.com/isagalaev/highlight.js/blob/master/LICENSE
-[8]: https://github.com/isagalaev/highlight.js/blob/master/AUTHORS.ru.txt
diff --git a/doc/html-manual/highlight/highlight.pack.js b/doc/html-manual/highlight/highlight.pack.js
deleted file mode 100644
index e93b5ee1ce..0000000000
--- a/doc/html-manual/highlight/highlight.pack.js
+++ /dev/null
@@ -1,2 +0,0 @@
-/*! highlight.js v9.11.0 | BSD3 License | git.io/hljslicense */
-!function(e){var n="object"==typeof window&&window||"object"==typeof self&&self;"undefined"!=typeof exports?e(exports):n&&(n.hljs=e({}),"function"==typeof define&&define.amd&&define([],function(){return n.hljs}))}(function(e){function n(e){return e.replace(/&/g,"&").replace(//g,">")}function t(e){return e.nodeName.toLowerCase()}function r(e,n){var t=e&&e.exec(n);return t&&0===t.index}function a(e){return k.test(e)}function i(e){var n,t,r,i,o=e.className+" ";if(o+=e.parentNode?e.parentNode.className:"",t=B.exec(o))return w(t[1])?t[1]:"no-highlight";for(o=o.split(/\s+/),n=0,r=o.length;r>n;n++)if(i=o[n],a(i)||w(i))return i}function o(e){var n,t={},r=Array.prototype.slice.call(arguments,1);for(n in e)t[n]=e[n];return r.forEach(function(e){for(n in e)t[n]=e[n]}),t}function u(e){var n=[];return function r(e,a){for(var i=e.firstChild;i;i=i.nextSibling)3===i.nodeType?a+=i.nodeValue.length:1===i.nodeType&&(n.push({event:"start",offset:a,node:i}),a=r(i,a),t(i).match(/br|hr|img|input/)||n.push({event:"stop",offset:a,node:i}));return a}(e,0),n}function c(e,r,a){function i(){return e.length&&r.length?e[0].offset!==r[0].offset?e[0].offset"}function u(e){s+=""}function c(e){("start"===e.event?o:u)(e.node)}for(var l=0,s="",f=[];e.length||r.length;){var g=i();if(s+=n(a.substring(l,g[0].offset)),l=g[0].offset,g===e){f.reverse().forEach(u);do c(g.splice(0,1)[0]),g=i();while(g===e&&g.length&&g[0].offset===l);f.reverse().forEach(o)}else"start"===g[0].event?f.push(g[0].node):f.pop(),c(g.splice(0,1)[0])}return s+n(a.substr(l))}function l(e){return e.v&&!e.cached_variants&&(e.cached_variants=e.v.map(function(n){return o(e,{v:null},n)})),e.cached_variants||e.eW&&[o(e)]||[e]}function s(e){function n(e){return e&&e.source||e}function t(t,r){return new RegExp(n(t),"m"+(e.cI?"i":"")+(r?"g":""))}function r(a,i){if(!a.compiled){if(a.compiled=!0,a.k=a.k||a.bK,a.k){var o={},u=function(n,t){e.cI&&(t=t.toLowerCase()),t.split(" ").forEach(function(e){var t=e.split("|");o[t[0]]=[n,t[1]?Number(t[1]):1]})};"string"==typeof a.k?u("keyword",a.k):x(a.k).forEach(function(e){u(e,a.k[e])}),a.k=o}a.lR=t(a.l||/\w+/,!0),i&&(a.bK&&(a.b="\\b("+a.bK.split(" ").join("|")+")\\b"),a.b||(a.b=/\B|\b/),a.bR=t(a.b),a.e||a.eW||(a.e=/\B|\b/),a.e&&(a.eR=t(a.e)),a.tE=n(a.e)||"",a.eW&&i.tE&&(a.tE+=(a.e?"|":"")+i.tE)),a.i&&(a.iR=t(a.i)),null==a.r&&(a.r=1),a.c||(a.c=[]),a.c=Array.prototype.concat.apply([],a.c.map(function(e){return l("self"===e?a:e)})),a.c.forEach(function(e){r(e,a)}),a.starts&&r(a.starts,i);var c=a.c.map(function(e){return e.bK?"\\.?("+e.b+")\\.?":e.b}).concat([a.tE,a.i]).map(n).filter(Boolean);a.t=c.length?t(c.join("|"),!0):{exec:function(){return null}}}}r(e)}function f(e,t,a,i){function o(e,n){var t,a;for(t=0,a=n.c.length;a>t;t++)if(r(n.c[t].bR,e))return n.c[t]}function u(e,n){if(r(e.eR,n)){for(;e.endsParent&&e.parent;)e=e.parent;return e}return e.eW?u(e.parent,n):void 0}function c(e,n){return!a&&r(n.iR,e)}function l(e,n){var t=N.cI?n[0].toLowerCase():n[0];return e.k.hasOwnProperty(t)&&e.k[t]}function p(e,n,t,r){var a=r?"":I.classPrefix,i='',i+n+o}function h(){var e,t,r,a;if(!E.k)return n(k);for(a="",t=0,E.lR.lastIndex=0,r=E.lR.exec(k);r;)a+=n(k.substring(t,r.index)),e=l(E,r),e?(B+=e[1],a+=p(e[0],n(r[0]))):a+=n(r[0]),t=E.lR.lastIndex,r=E.lR.exec(k);return a+n(k.substr(t))}function d(){var e="string"==typeof E.sL;if(e&&!y[E.sL])return n(k);var t=e?f(E.sL,k,!0,x[E.sL]):g(k,E.sL.length?E.sL:void 0);return E.r>0&&(B+=t.r),e&&(x[E.sL]=t.top),p(t.language,t.value,!1,!0)}function b(){L+=null!=E.sL?d():h(),k=""}function v(e){L+=e.cN?p(e.cN,"",!0):"",E=Object.create(e,{parent:{value:E}})}function m(e,n){if(k+=e,null==n)return b(),0;var t=o(n,E);if(t)return t.skip?k+=n:(t.eB&&(k+=n),b(),t.rB||t.eB||(k=n)),v(t,n),t.rB?0:n.length;var r=u(E,n);if(r){var a=E;a.skip?k+=n:(a.rE||a.eE||(k+=n),b(),a.eE&&(k=n));do E.cN&&(L+=C),E.skip||(B+=E.r),E=E.parent;while(E!==r.parent);return r.starts&&v(r.starts,""),a.rE?0:n.length}if(c(n,E))throw new Error('Illegal lexeme "'+n+'" for mode "'+(E.cN||"")+'"');return k+=n,n.length||1}var N=w(e);if(!N)throw new Error('Unknown language: "'+e+'"');s(N);var R,E=i||N,x={},L="";for(R=E;R!==N;R=R.parent)R.cN&&(L=p(R.cN,"",!0)+L);var k="",B=0;try{for(var M,j,O=0;;){if(E.t.lastIndex=O,M=E.t.exec(t),!M)break;j=m(t.substring(O,M.index),M[0]),O=M.index+j}for(m(t.substr(O)),R=E;R.parent;R=R.parent)R.cN&&(L+=C);return{r:B,value:L,language:e,top:E}}catch(T){if(T.message&&-1!==T.message.indexOf("Illegal"))return{r:0,value:n(t)};throw T}}function g(e,t){t=t||I.languages||x(y);var r={r:0,value:n(e)},a=r;return t.filter(w).forEach(function(n){var t=f(n,e,!1);t.language=n,t.r>a.r&&(a=t),t.r>r.r&&(a=r,r=t)}),a.language&&(r.second_best=a),r}function p(e){return I.tabReplace||I.useBR?e.replace(M,function(e,n){return I.useBR&&"\n"===e?"
":I.tabReplace?n.replace(/\t/g,I.tabReplace):""}):e}function h(e,n,t){var r=n?L[n]:t,a=[e.trim()];return e.match(/\bhljs\b/)||a.push("hljs"),-1===e.indexOf(r)&&a.push(r),a.join(" ").trim()}function d(e){var n,t,r,o,l,s=i(e);a(s)||(I.useBR?(n=document.createElementNS("http://www.w3.org/1999/xhtml","div"),n.innerHTML=e.innerHTML.replace(/\n/g,"").replace(//g,"\n")):n=e,l=n.textContent,r=s?f(s,l,!0):g(l),t=u(n),t.length&&(o=document.createElementNS("http://www.w3.org/1999/xhtml","div"),o.innerHTML=r.value,r.value=c(t,u(o),l)),r.value=p(r.value),e.innerHTML=r.value,e.className=h(e.className,s,r.language),e.result={language:r.language,re:r.r},r.second_best&&(e.second_best={language:r.second_best.language,re:r.second_best.r}))}function b(e){I=o(I,e)}function v(){if(!v.called){v.called=!0;var e=document.querySelectorAll("pre code");E.forEach.call(e,d)}}function m(){addEventListener("DOMContentLoaded",v,!1),addEventListener("load",v,!1)}function N(n,t){var r=y[n]=t(e);r.aliases&&r.aliases.forEach(function(e){L[e]=n})}function R(){return x(y)}function w(e){return e=(e||"").toLowerCase(),y[e]||y[L[e]]}var E=[],x=Object.keys,y={},L={},k=/^(no-?highlight|plain|text)$/i,B=/\blang(?:uage)?-([\w-]+)\b/i,M=/((^(<[^>]+>|\t|)+|(?:\n)))/gm,C="",I={classPrefix:"hljs-",tabReplace:null,useBR:!1,languages:void 0};return e.highlight=f,e.highlightAuto=g,e.fixMarkup=p,e.highlightBlock=d,e.configure=b,e.initHighlighting=v,e.initHighlightingOnLoad=m,e.registerLanguage=N,e.listLanguages=R,e.getLanguage=w,e.inherit=o,e.IR="[a-zA-Z]\\w*",e.UIR="[a-zA-Z_]\\w*",e.NR="\\b\\d+(\\.\\d+)?",e.CNR="(-?)(\\b0[xX][a-fA-F0-9]+|(\\b\\d+(\\.\\d*)?|\\.\\d+)([eE][-+]?\\d+)?)",e.BNR="\\b(0b[01]+)",e.RSR="!|!=|!==|%|%=|&|&&|&=|\\*|\\*=|\\+|\\+=|,|-|-=|/=|/|:|;|<<|<<=|<=|<|===|==|=|>>>=|>>=|>=|>>>|>>|>|\\?|\\[|\\{|\\(|\\^|\\^=|\\||\\|=|\\|\\||~",e.BE={b:"\\\\[\\s\\S]",r:0},e.ASM={cN:"string",b:"'",e:"'",i:"\\n",c:[e.BE]},e.QSM={cN:"string",b:'"',e:'"',i:"\\n",c:[e.BE]},e.PWM={b:/\b(a|an|the|are|I'm|isn't|don't|doesn't|won't|but|just|should|pretty|simply|enough|gonna|going|wtf|so|such|will|you|your|they|like|more)\b/},e.C=function(n,t,r){var a=e.inherit({cN:"comment",b:n,e:t,c:[]},r||{});return a.c.push(e.PWM),a.c.push({cN:"doctag",b:"(?:TODO|FIXME|NOTE|BUG|XXX):",r:0}),a},e.CLCM=e.C("//","$"),e.CBCM=e.C("/\\*","\\*/"),e.HCM=e.C("#","$"),e.NM={cN:"number",b:e.NR,r:0},e.CNM={cN:"number",b:e.CNR,r:0},e.BNM={cN:"number",b:e.BNR,r:0},e.CSSNM={cN:"number",b:e.NR+"(%|em|ex|ch|rem|vw|vh|vmin|vmax|cm|mm|in|pt|pc|px|deg|grad|rad|turn|s|ms|Hz|kHz|dpi|dpcm|dppx)?",r:0},e.RM={cN:"regexp",b:/\//,e:/\/[gimuy]*/,i:/\n/,c:[e.BE,{b:/\[/,e:/\]/,r:0,c:[e.BE]}]},e.TM={cN:"title",b:e.IR,r:0},e.UTM={cN:"title",b:e.UIR,r:0},e.METHOD_GUARD={b:"\\.\\s*"+e.UIR,r:0},e});hljs.registerLanguage("verilog",function(e){var n={keyword:"accept_on alias always always_comb always_ff always_latch and assert assign assume automatic before begin bind bins binsof bit break buf|0 bufif0 bufif1 byte case casex casez cell chandle checker class clocking cmos config const constraint context continue cover covergroup coverpoint cross deassign default defparam design disable dist do edge else end endcase endchecker endclass endclocking endconfig endfunction endgenerate endgroup endinterface endmodule endpackage endprimitive endprogram endproperty endspecify endsequence endtable endtask enum event eventually expect export extends extern final first_match for force foreach forever fork forkjoin function generate|5 genvar global highz0 highz1 if iff ifnone ignore_bins illegal_bins implements implies import incdir include initial inout input inside instance int integer interconnect interface intersect join join_any join_none large let liblist library local localparam logic longint macromodule matches medium modport module nand negedge nettype new nexttime nmos nor noshowcancelled not notif0 notif1 or output package packed parameter pmos posedge primitive priority program property protected pull0 pull1 pulldown pullup pulsestyle_ondetect pulsestyle_onevent pure rand randc randcase randsequence rcmos real realtime ref reg reject_on release repeat restrict return rnmos rpmos rtran rtranif0 rtranif1 s_always s_eventually s_nexttime s_until s_until_with scalared sequence shortint shortreal showcancelled signed small soft solve specify specparam static string strong strong0 strong1 struct super supply0 supply1 sync_accept_on sync_reject_on table tagged task this throughout time timeprecision timeunit tran tranif0 tranif1 tri tri0 tri1 triand trior trireg type typedef union unique unique0 unsigned until until_with untyped use uwire var vectored virtual void wait wait_order wand weak weak0 weak1 while wildcard wire with within wor xnor xor",literal:"null",built_in:"$finish $stop $exit $fatal $error $warning $info $realtime $time $printtimescale $bitstoreal $bitstoshortreal $itor $signed $cast $bits $stime $timeformat $realtobits $shortrealtobits $rtoi $unsigned $asserton $assertkill $assertpasson $assertfailon $assertnonvacuouson $assertoff $assertcontrol $assertpassoff $assertfailoff $assertvacuousoff $isunbounded $sampled $fell $changed $past_gclk $fell_gclk $changed_gclk $rising_gclk $steady_gclk $coverage_control $coverage_get $coverage_save $set_coverage_db_name $rose $stable $past $rose_gclk $stable_gclk $future_gclk $falling_gclk $changing_gclk $display $coverage_get_max $coverage_merge $get_coverage $load_coverage_db $typename $unpacked_dimensions $left $low $increment $clog2 $ln $log10 $exp $sqrt $pow $floor $ceil $sin $cos $tan $countbits $onehot $isunknown $fatal $warning $dimensions $right $high $size $asin $acos $atan $atan2 $hypot $sinh $cosh $tanh $asinh $acosh $atanh $countones $onehot0 $error $info $random $dist_chi_square $dist_erlang $dist_exponential $dist_normal $dist_poisson $dist_t $dist_uniform $q_initialize $q_remove $q_exam $async$and$array $async$nand$array $async$or$array $async$nor$array $sync$and$array $sync$nand$array $sync$or$array $sync$nor$array $q_add $q_full $psprintf $async$and$plane $async$nand$plane $async$or$plane $async$nor$plane $sync$and$plane $sync$nand$plane $sync$or$plane $sync$nor$plane $system $display $displayb $displayh $displayo $strobe $strobeb $strobeh $strobeo $write $readmemb $readmemh $writememh $value$plusargs $dumpvars $dumpon $dumplimit $dumpports $dumpportson $dumpportslimit $writeb $writeh $writeo $monitor $monitorb $monitorh $monitoro $writememb $dumpfile $dumpoff $dumpall $dumpflush $dumpportsoff $dumpportsall $dumpportsflush $fclose $fdisplay $fdisplayb $fdisplayh $fdisplayo $fstrobe $fstrobeb $fstrobeh $fstrobeo $swrite $swriteb $swriteh $swriteo $fscanf $fread $fseek $fflush $feof $fopen $fwrite $fwriteb $fwriteh $fwriteo $fmonitor $fmonitorb $fmonitorh $fmonitoro $sformat $sformatf $fgetc $ungetc $fgets $sscanf $rewind $ftell $ferror"};return{aliases:["v","sv","svh"],cI:!1,k:n,l:/[\w\$]+/,c:[e.CBCM,e.CLCM,e.QSM,{cN:"number",c:[e.BE],v:[{b:"\\b((\\d+'(b|h|o|d|B|H|O|D))[0-9xzXZa-fA-F_]+)"},{b:"\\B(('(b|h|o|d|B|H|O|D))[0-9xzXZa-fA-F_]+)"},{b:"\\b([0-9_])+",r:0}]},{cN:"variable",v:[{b:"#\\((?!parameter).+\\)"},{b:"\\.\\w+",r:0}]},{cN:"meta",b:"`",e:"$",k:{"meta-keyword":"define __FILE__ __LINE__ begin_keywords celldefine default_nettype define else elsif end_keywords endcelldefine endif ifdef ifndef include line nounconnected_drive pragma resetall timescale unconnected_drive undef undefineall"},r:0}]}});hljs.registerLanguage("cpp",function(t){var e={cN:"keyword",b:"\\b[a-z\\d_]*_t\\b"},r={cN:"string",v:[{b:'(u8?|U)?L?"',e:'"',i:"\\n",c:[t.BE]},{b:'(u8?|U)?R"',e:'"',c:[t.BE]},{b:"'\\\\?.",e:"'",i:"."}]},s={cN:"number",v:[{b:"\\b(0b[01']+)"},{b:"(-?)\\b([\\d']+(\\.[\\d']*)?|\\.[\\d']+)(u|U|l|L|ul|UL|f|F|b|B)"},{b:"(-?)(\\b0[xX][a-fA-F0-9']+|(\\b[\\d']+(\\.[\\d']*)?|\\.[\\d']+)([eE][-+]?[\\d']+)?)"}],r:0},i={cN:"meta",b:/#\s*[a-z]+\b/,e:/$/,k:{"meta-keyword":"if else elif endif define undef warning error line pragma ifdef ifndef include"},c:[{b:/\\\n/,r:0},t.inherit(r,{cN:"meta-string"}),{cN:"meta-string",b:/<[^\n>]*>/,e:/$/,i:"\\n"},t.CLCM,t.CBCM]},a=t.IR+"\\s*\\(",c={keyword:"int float while private char catch import module export virtual operator sizeof dynamic_cast|10 typedef const_cast|10 const for static_cast|10 union namespace unsigned long volatile static protected bool template mutable if public friend do goto auto void enum else break extern using asm case typeid short reinterpret_cast|10 default double register explicit signed typename try this switch continue inline delete alignof constexpr decltype noexcept static_assert thread_local restrict _Bool complex _Complex _Imaginary atomic_bool atomic_char atomic_schar atomic_uchar atomic_short atomic_ushort atomic_int atomic_uint atomic_long atomic_ulong atomic_llong atomic_ullong new throw return and or not",built_in:"std string cin cout cerr clog stdin stdout stderr stringstream istringstream ostringstream auto_ptr deque list queue stack vector map set bitset multiset multimap unordered_set unordered_map unordered_multiset unordered_multimap array shared_ptr abort abs acos asin atan2 atan calloc ceil cosh cos exit exp fabs floor fmod fprintf fputs free frexp fscanf isalnum isalpha iscntrl isdigit isgraph islower isprint ispunct isspace isupper isxdigit tolower toupper labs ldexp log10 log malloc realloc memchr memcmp memcpy memset modf pow printf putchar puts scanf sinh sin snprintf sprintf sqrt sscanf strcat strchr strcmp strcpy strcspn strlen strncat strncmp strncpy strpbrk strrchr strspn strstr tanh tan vfprintf vprintf vsprintf endl initializer_list unique_ptr",literal:"true false nullptr NULL"},n=[e,t.CLCM,t.CBCM,s,r];return{aliases:["c","cc","h","c++","h++","hpp"],k:c,i:"",k:c,c:["self",e]},{b:t.IR+"::",k:c},{v:[{b:/=/,e:/;/},{b:/\(/,e:/\)/},{bK:"new throw return else",e:/;/}],k:c,c:n.concat([{b:/\(/,e:/\)/,k:c,c:n.concat(["self"]),r:0}]),r:0},{cN:"function",b:"("+t.IR+"[\\*&\\s]+)+"+a,rB:!0,e:/[{;=]/,eE:!0,k:c,i:/[^\w\s\*&]/,c:[{b:a,rB:!0,c:[t.TM],r:0},{cN:"params",b:/\(/,e:/\)/,k:c,r:0,c:[t.CLCM,t.CBCM,r,s,e]},t.CLCM,t.CBCM,i]},{cN:"class",bK:"class struct",e:/[{;:]/,c:[{b://,c:["self"]},t.TM]}]),exports:{preprocessor:i,strings:r,k:c}}});
\ No newline at end of file
diff --git a/doc/html-manual/highlight/styles/agate.css b/doc/html-manual/highlight/styles/agate.css
deleted file mode 100644
index 8d64547c58..0000000000
--- a/doc/html-manual/highlight/styles/agate.css
+++ /dev/null
@@ -1,108 +0,0 @@
-/*!
- * Agate by Taufik Nurrohman 
- * ----------------------------------------------------
- *
- * #ade5fc
- * #a2fca2
- * #c6b4f0
- * #d36363
- * #fcc28c
- * #fc9b9b
- * #ffa
- * #fff
- * #333
- * #62c8f3
- * #888
- *
- */
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  padding: 0.5em;
-  background: #333;
-  color: white;
-}
-
-.hljs-name,
-.hljs-strong {
-  font-weight: bold;
-}
-
-.hljs-code,
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-tag {
-  color: #62c8f3;
-}
-
-.hljs-variable,
-.hljs-template-variable,
-.hljs-selector-id,
-.hljs-selector-class {
-  color: #ade5fc;
-}
-
-.hljs-string,
-.hljs-bullet {
-  color: #a2fca2;
-}
-
-.hljs-type,
-.hljs-title,
-.hljs-section,
-.hljs-attribute,
-.hljs-quote,
-.hljs-built_in,
-.hljs-builtin-name {
-  color: #ffa;
-}
-
-.hljs-number,
-.hljs-symbol,
-.hljs-bullet {
-  color: #d36363;
-}
-
-.hljs-keyword,
-.hljs-selector-tag,
-.hljs-literal {
-  color: #fcc28c;
-}
-
-.hljs-comment,
-.hljs-deletion,
-.hljs-code {
-  color: #888;
-}
-
-.hljs-regexp,
-.hljs-link {
-  color: #c6b4f0;
-}
-
-.hljs-meta {
-  color: #fc9b9b;
-}
-
-.hljs-deletion {
-  background-color: #fc9b9b;
-  color: #333;
-}
-
-.hljs-addition {
-  background-color: #a2fca2;
-  color: #333;
-}
-
-.hljs a {
-  color: inherit;
-}
-
-.hljs a:focus,
-.hljs a:hover {
-  color: inherit;
-  text-decoration: underline;
-}
diff --git a/doc/html-manual/highlight/styles/androidstudio.css b/doc/html-manual/highlight/styles/androidstudio.css
deleted file mode 100644
index bc8e473b59..0000000000
--- a/doc/html-manual/highlight/styles/androidstudio.css
+++ /dev/null
@@ -1,66 +0,0 @@
-/*
-Date: 24 Fev 2015
-Author: Pedro Oliveira 
-*/
-
-.hljs {
-  color: #a9b7c6;
-  background: #282b2e;
-  display: block;
-  overflow-x: auto;
-  padding: 0.5em;
-}
-
-.hljs-number,
-.hljs-literal,
-.hljs-symbol,
-.hljs-bullet {
-  color: #6897BB;
-}
-
-.hljs-keyword,
-.hljs-selector-tag,
-.hljs-deletion {
-  color: #cc7832;
-}
-
-.hljs-variable,
-.hljs-template-variable,
-.hljs-link {
-  color: #629755;
-}
-
-.hljs-comment,
-.hljs-quote {
-  color: #808080;
-}
-
-.hljs-meta {
-  color: #bbb529;
-}
-
-.hljs-string,
-.hljs-attribute,
-.hljs-addition {
-  color: #6A8759;
-}
-
-.hljs-section,
-.hljs-title,
-.hljs-type {
-  color: #ffc66d;
-}
-
-.hljs-name,
-.hljs-selector-id,
-.hljs-selector-class {
-  color: #e8bf6a;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
diff --git a/doc/html-manual/highlight/styles/arduino-light.css b/doc/html-manual/highlight/styles/arduino-light.css
deleted file mode 100644
index 4b8b7fd3c9..0000000000
--- a/doc/html-manual/highlight/styles/arduino-light.css
+++ /dev/null
@@ -1,88 +0,0 @@
-/*
-
-Arduino® Light Theme - Stefania Mellai 
-
-*/
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  padding: 0.5em;
-  background: #FFFFFF;
-}
-
-.hljs,
-.hljs-subst {
-  color: #434f54;
-}
-
-.hljs-keyword,
-.hljs-attribute,
-.hljs-selector-tag,
-.hljs-doctag,
-.hljs-name {
-  color: #00979D;
-}
-
-.hljs-built_in,
-.hljs-literal,
-.hljs-bullet,
-.hljs-code,
-.hljs-addition {
-  color: #D35400;
-}
-
-.hljs-regexp,
-.hljs-symbol,
-.hljs-variable,
-.hljs-template-variable,
-.hljs-link,
-.hljs-selector-attr,
-.hljs-selector-pseudo {
-  color: #00979D;
-}
-
-.hljs-type,
-.hljs-string,
-.hljs-selector-id,
-.hljs-selector-class,
-.hljs-quote,
-.hljs-template-tag,
-.hljs-deletion {
-  color: #005C5F;
-}
-
-.hljs-title,
-.hljs-section {
-  color: #880000;
-  font-weight: bold;
-}
-
-.hljs-comment {
-  color: rgba(149,165,166,.8);
-}
-
-.hljs-meta-keyword {
-  color: #728E00;
-}
-
-.hljs-meta {
-  color: #728E00;
-  color: #434f54;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
-
-.hljs-function {
-  color: #728E00;
-}
-
-.hljs-number {
-  color: #8A7B52;  
-}
diff --git a/doc/html-manual/highlight/styles/arta.css b/doc/html-manual/highlight/styles/arta.css
deleted file mode 100644
index 75ef3a9e59..0000000000
--- a/doc/html-manual/highlight/styles/arta.css
+++ /dev/null
@@ -1,73 +0,0 @@
-/*
-Date: 17.V.2011
-Author: pumbur 
-*/
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  padding: 0.5em;
-  background: #222;
-}
-
-.hljs,
-.hljs-subst {
-  color: #aaa;
-}
-
-.hljs-section {
-  color: #fff;
-}
-
-.hljs-comment,
-.hljs-quote,
-.hljs-meta {
-  color: #444;
-}
-
-.hljs-string,
-.hljs-symbol,
-.hljs-bullet,
-.hljs-regexp {
-  color: #ffcc33;
-}
-
-.hljs-number,
-.hljs-addition {
-  color: #00cc66;
-}
-
-.hljs-built_in,
-.hljs-builtin-name,
-.hljs-literal,
-.hljs-type,
-.hljs-template-variable,
-.hljs-attribute,
-.hljs-link {
-  color: #32aaee;
-}
-
-.hljs-keyword,
-.hljs-selector-tag,
-.hljs-name,
-.hljs-selector-id,
-.hljs-selector-class {
-  color: #6644aa;
-}
-
-.hljs-title,
-.hljs-variable,
-.hljs-deletion,
-.hljs-template-tag {
-  color: #bb1166;
-}
-
-.hljs-section,
-.hljs-doctag,
-.hljs-strong {
-  font-weight: bold;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
diff --git a/doc/html-manual/highlight/styles/ascetic.css b/doc/html-manual/highlight/styles/ascetic.css
deleted file mode 100644
index 48397e889d..0000000000
--- a/doc/html-manual/highlight/styles/ascetic.css
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
-
-Original style from softwaremaniacs.org (c) Ivan Sagalaev 
-
-*/
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  padding: 0.5em;
-  background: white;
-  color: black;
-}
-
-.hljs-string,
-.hljs-variable,
-.hljs-template-variable,
-.hljs-symbol,
-.hljs-bullet,
-.hljs-section,
-.hljs-addition,
-.hljs-attribute,
-.hljs-link {
-  color: #888;
-}
-
-.hljs-comment,
-.hljs-quote,
-.hljs-meta,
-.hljs-deletion {
-  color: #ccc;
-}
-
-.hljs-keyword,
-.hljs-selector-tag,
-.hljs-section,
-.hljs-name,
-.hljs-type,
-.hljs-strong {
-  font-weight: bold;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
diff --git a/doc/html-manual/highlight/styles/atelier-cave-dark.css b/doc/html-manual/highlight/styles/atelier-cave-dark.css
deleted file mode 100644
index 65428f3b12..0000000000
--- a/doc/html-manual/highlight/styles/atelier-cave-dark.css
+++ /dev/null
@@ -1,83 +0,0 @@
-/* Base16 Atelier Cave Dark - Theme */
-/* by Bram de Haan (http://atelierbram.github.io/syntax-highlighting/atelier-schemes/cave) */
-/* Original Base16 color scheme by Chris Kempson (https://github.com/chriskempson/base16) */
-
-/* Atelier-Cave Comment */
-.hljs-comment,
-.hljs-quote {
-  color: #7e7887;
-}
-
-/* Atelier-Cave Red */
-.hljs-variable,
-.hljs-template-variable,
-.hljs-attribute,
-.hljs-regexp,
-.hljs-link,
-.hljs-tag,
-.hljs-name,
-.hljs-selector-id,
-.hljs-selector-class {
-  color: #be4678;
-}
-
-/* Atelier-Cave Orange */
-.hljs-number,
-.hljs-meta,
-.hljs-built_in,
-.hljs-builtin-name,
-.hljs-literal,
-.hljs-type,
-.hljs-params {
-  color: #aa573c;
-}
-
-/* Atelier-Cave Green */
-.hljs-string,
-.hljs-symbol,
-.hljs-bullet {
-  color: #2a9292;
-}
-
-/* Atelier-Cave Blue */
-.hljs-title,
-.hljs-section {
-  color: #576ddb;
-}
-
-/* Atelier-Cave Purple */
-.hljs-keyword,
-.hljs-selector-tag {
-  color: #955ae7;
-}
-
-.hljs-deletion,
-.hljs-addition {
-  color: #19171c;
-  display: inline-block;
-  width: 100%;
-}
-
-.hljs-deletion {
-  background-color: #be4678;
-}
-
-.hljs-addition {
-  background-color: #2a9292;
-}
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  background: #19171c;
-  color: #8b8792;
-  padding: 0.5em;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
diff --git a/doc/html-manual/highlight/styles/atelier-cave-light.css b/doc/html-manual/highlight/styles/atelier-cave-light.css
deleted file mode 100644
index b419f9fd8f..0000000000
--- a/doc/html-manual/highlight/styles/atelier-cave-light.css
+++ /dev/null
@@ -1,85 +0,0 @@
-/* Base16 Atelier Cave Light - Theme */
-/* by Bram de Haan (http://atelierbram.github.io/syntax-highlighting/atelier-schemes/cave) */
-/* Original Base16 color scheme by Chris Kempson (https://github.com/chriskempson/base16) */
-
-/* Atelier-Cave Comment */
-.hljs-comment,
-.hljs-quote {
-  color: #655f6d;
-}
-
-/* Atelier-Cave Red */
-.hljs-variable,
-.hljs-template-variable,
-.hljs-attribute,
-.hljs-tag,
-.hljs-name,
-.hljs-regexp,
-.hljs-link,
-.hljs-name,
-.hljs-name,
-.hljs-selector-id,
-.hljs-selector-class {
-  color: #be4678;
-}
-
-/* Atelier-Cave Orange */
-.hljs-number,
-.hljs-meta,
-.hljs-built_in,
-.hljs-builtin-name,
-.hljs-literal,
-.hljs-type,
-.hljs-params {
-  color: #aa573c;
-}
-
-/* Atelier-Cave Green */
-.hljs-string,
-.hljs-symbol,
-.hljs-bullet {
-  color: #2a9292;
-}
-
-/* Atelier-Cave Blue */
-.hljs-title,
-.hljs-section {
-  color: #576ddb;
-}
-
-/* Atelier-Cave Purple */
-.hljs-keyword,
-.hljs-selector-tag {
-  color: #955ae7;
-}
-
-.hljs-deletion,
-.hljs-addition {
-  color: #19171c;
-  display: inline-block;
-  width: 100%;
-}
-
-.hljs-deletion {
-  background-color: #be4678;
-}
-
-.hljs-addition {
-  background-color: #2a9292;
-}
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  background: #efecf4;
-  color: #585260;
-  padding: 0.5em;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
diff --git a/doc/html-manual/highlight/styles/atelier-dune-dark.css b/doc/html-manual/highlight/styles/atelier-dune-dark.css
deleted file mode 100644
index 1684f5225a..0000000000
--- a/doc/html-manual/highlight/styles/atelier-dune-dark.css
+++ /dev/null
@@ -1,69 +0,0 @@
-/* Base16 Atelier Dune Dark - Theme */
-/* by Bram de Haan (http://atelierbram.github.io/syntax-highlighting/atelier-schemes/dune) */
-/* Original Base16 color scheme by Chris Kempson (https://github.com/chriskempson/base16) */
-
-/* Atelier-Dune Comment */
-.hljs-comment,
-.hljs-quote {
-  color: #999580;
-}
-
-/* Atelier-Dune Red */
-.hljs-variable,
-.hljs-template-variable,
-.hljs-attribute,
-.hljs-tag,
-.hljs-name,
-.hljs-regexp,
-.hljs-link,
-.hljs-name,
-.hljs-selector-id,
-.hljs-selector-class {
-  color: #d73737;
-}
-
-/* Atelier-Dune Orange */
-.hljs-number,
-.hljs-meta,
-.hljs-built_in,
-.hljs-builtin-name,
-.hljs-literal,
-.hljs-type,
-.hljs-params {
-  color: #b65611;
-}
-
-/* Atelier-Dune Green */
-.hljs-string,
-.hljs-symbol,
-.hljs-bullet {
-  color: #60ac39;
-}
-
-/* Atelier-Dune Blue */
-.hljs-title,
-.hljs-section {
-  color: #6684e1;
-}
-
-/* Atelier-Dune Purple */
-.hljs-keyword,
-.hljs-selector-tag {
-  color: #b854d4;
-}
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  background: #20201d;
-  color: #a6a28c;
-  padding: 0.5em;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
diff --git a/doc/html-manual/highlight/styles/atelier-dune-light.css b/doc/html-manual/highlight/styles/atelier-dune-light.css
deleted file mode 100644
index 547719de82..0000000000
--- a/doc/html-manual/highlight/styles/atelier-dune-light.css
+++ /dev/null
@@ -1,69 +0,0 @@
-/* Base16 Atelier Dune Light - Theme */
-/* by Bram de Haan (http://atelierbram.github.io/syntax-highlighting/atelier-schemes/dune) */
-/* Original Base16 color scheme by Chris Kempson (https://github.com/chriskempson/base16) */
-
-/* Atelier-Dune Comment */
-.hljs-comment,
-.hljs-quote {
-  color: #7d7a68;
-}
-
-/* Atelier-Dune Red */
-.hljs-variable,
-.hljs-template-variable,
-.hljs-attribute,
-.hljs-tag,
-.hljs-name,
-.hljs-regexp,
-.hljs-link,
-.hljs-name,
-.hljs-selector-id,
-.hljs-selector-class {
-  color: #d73737;
-}
-
-/* Atelier-Dune Orange */
-.hljs-number,
-.hljs-meta,
-.hljs-built_in,
-.hljs-builtin-name,
-.hljs-literal,
-.hljs-type,
-.hljs-params {
-  color: #b65611;
-}
-
-/* Atelier-Dune Green */
-.hljs-string,
-.hljs-symbol,
-.hljs-bullet {
-  color: #60ac39;
-}
-
-/* Atelier-Dune Blue */
-.hljs-title,
-.hljs-section {
-  color: #6684e1;
-}
-
-/* Atelier-Dune Purple */
-.hljs-keyword,
-.hljs-selector-tag {
-  color: #b854d4;
-}
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  background: #fefbec;
-  color: #6e6b5e;
-  padding: 0.5em;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
diff --git a/doc/html-manual/highlight/styles/atelier-estuary-dark.css b/doc/html-manual/highlight/styles/atelier-estuary-dark.css
deleted file mode 100644
index a5e507187e..0000000000
--- a/doc/html-manual/highlight/styles/atelier-estuary-dark.css
+++ /dev/null
@@ -1,84 +0,0 @@
-/* Base16 Atelier Estuary Dark - Theme */
-/* by Bram de Haan (http://atelierbram.github.io/syntax-highlighting/atelier-schemes/estuary) */
-/* Original Base16 color scheme by Chris Kempson (https://github.com/chriskempson/base16) */
-
-/* Atelier-Estuary Comment */
-.hljs-comment,
-.hljs-quote {
-  color: #878573;
-}
-
-/* Atelier-Estuary Red */
-.hljs-variable,
-.hljs-template-variable,
-.hljs-attribute,
-.hljs-tag,
-.hljs-name,
-.hljs-regexp,
-.hljs-link,
-.hljs-name,
-.hljs-selector-id,
-.hljs-selector-class {
-  color: #ba6236;
-}
-
-/* Atelier-Estuary Orange */
-.hljs-number,
-.hljs-meta,
-.hljs-built_in,
-.hljs-builtin-name,
-.hljs-literal,
-.hljs-type,
-.hljs-params {
-  color: #ae7313;
-}
-
-/* Atelier-Estuary Green */
-.hljs-string,
-.hljs-symbol,
-.hljs-bullet {
-  color: #7d9726;
-}
-
-/* Atelier-Estuary Blue */
-.hljs-title,
-.hljs-section {
-  color: #36a166;
-}
-
-/* Atelier-Estuary Purple */
-.hljs-keyword,
-.hljs-selector-tag {
-  color: #5f9182;
-}
-
-.hljs-deletion,
-.hljs-addition {
-  color: #22221b;
-  display: inline-block;
-  width: 100%;
-}
-
-.hljs-deletion {
-  background-color: #ba6236;
-}
-
-.hljs-addition {
-  background-color: #7d9726;
-}
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  background: #22221b;
-  color: #929181;
-  padding: 0.5em;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
diff --git a/doc/html-manual/highlight/styles/atelier-estuary-light.css b/doc/html-manual/highlight/styles/atelier-estuary-light.css
deleted file mode 100644
index 1daee5d985..0000000000
--- a/doc/html-manual/highlight/styles/atelier-estuary-light.css
+++ /dev/null
@@ -1,84 +0,0 @@
-/* Base16 Atelier Estuary Light - Theme */
-/* by Bram de Haan (http://atelierbram.github.io/syntax-highlighting/atelier-schemes/estuary) */
-/* Original Base16 color scheme by Chris Kempson (https://github.com/chriskempson/base16) */
-
-/* Atelier-Estuary Comment */
-.hljs-comment,
-.hljs-quote {
-  color: #6c6b5a;
-}
-
-/* Atelier-Estuary Red */
-.hljs-variable,
-.hljs-template-variable,
-.hljs-attribute,
-.hljs-tag,
-.hljs-name,
-.hljs-regexp,
-.hljs-link,
-.hljs-name,
-.hljs-selector-id,
-.hljs-selector-class {
-  color: #ba6236;
-}
-
-/* Atelier-Estuary Orange */
-.hljs-number,
-.hljs-meta,
-.hljs-built_in,
-.hljs-builtin-name,
-.hljs-literal,
-.hljs-type,
-.hljs-params {
-  color: #ae7313;
-}
-
-/* Atelier-Estuary Green */
-.hljs-string,
-.hljs-symbol,
-.hljs-bullet {
-  color: #7d9726;
-}
-
-/* Atelier-Estuary Blue */
-.hljs-title,
-.hljs-section {
-  color: #36a166;
-}
-
-/* Atelier-Estuary Purple */
-.hljs-keyword,
-.hljs-selector-tag {
-  color: #5f9182;
-}
-
-.hljs-deletion,
-.hljs-addition {
-  color: #22221b;
-  display: inline-block;
-  width: 100%;
-}
-
-.hljs-deletion {
-  background-color: #ba6236;
-}
-
-.hljs-addition {
-  background-color: #7d9726;
-}
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  background: #f4f3ec;
-  color: #5f5e4e;
-  padding: 0.5em;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
diff --git a/doc/html-manual/highlight/styles/atelier-forest-dark.css b/doc/html-manual/highlight/styles/atelier-forest-dark.css
deleted file mode 100644
index 0ef4fae317..0000000000
--- a/doc/html-manual/highlight/styles/atelier-forest-dark.css
+++ /dev/null
@@ -1,69 +0,0 @@
-/* Base16 Atelier Forest Dark - Theme */
-/* by Bram de Haan (http://atelierbram.github.io/syntax-highlighting/atelier-schemes/forest) */
-/* Original Base16 color scheme by Chris Kempson (https://github.com/chriskempson/base16) */
-
-/* Atelier-Forest Comment */
-.hljs-comment,
-.hljs-quote {
-  color: #9c9491;
-}
-
-/* Atelier-Forest Red */
-.hljs-variable,
-.hljs-template-variable,
-.hljs-attribute,
-.hljs-tag,
-.hljs-name,
-.hljs-regexp,
-.hljs-link,
-.hljs-name,
-.hljs-selector-id,
-.hljs-selector-class {
-  color: #f22c40;
-}
-
-/* Atelier-Forest Orange */
-.hljs-number,
-.hljs-meta,
-.hljs-built_in,
-.hljs-builtin-name,
-.hljs-literal,
-.hljs-type,
-.hljs-params {
-  color: #df5320;
-}
-
-/* Atelier-Forest Green */
-.hljs-string,
-.hljs-symbol,
-.hljs-bullet {
-  color: #7b9726;
-}
-
-/* Atelier-Forest Blue */
-.hljs-title,
-.hljs-section {
-  color: #407ee7;
-}
-
-/* Atelier-Forest Purple */
-.hljs-keyword,
-.hljs-selector-tag {
-  color: #6666ea;
-}
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  background: #1b1918;
-  color: #a8a19f;
-  padding: 0.5em;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
diff --git a/doc/html-manual/highlight/styles/atelier-forest-light.css b/doc/html-manual/highlight/styles/atelier-forest-light.css
deleted file mode 100644
index bbedde18a0..0000000000
--- a/doc/html-manual/highlight/styles/atelier-forest-light.css
+++ /dev/null
@@ -1,69 +0,0 @@
-/* Base16 Atelier Forest Light - Theme */
-/* by Bram de Haan (http://atelierbram.github.io/syntax-highlighting/atelier-schemes/forest) */
-/* Original Base16 color scheme by Chris Kempson (https://github.com/chriskempson/base16) */
-
-/* Atelier-Forest Comment */
-.hljs-comment,
-.hljs-quote {
-  color: #766e6b;
-}
-
-/* Atelier-Forest Red */
-.hljs-variable,
-.hljs-template-variable,
-.hljs-attribute,
-.hljs-tag,
-.hljs-name,
-.hljs-regexp,
-.hljs-link,
-.hljs-name,
-.hljs-selector-id,
-.hljs-selector-class {
-  color: #f22c40;
-}
-
-/* Atelier-Forest Orange */
-.hljs-number,
-.hljs-meta,
-.hljs-built_in,
-.hljs-builtin-name,
-.hljs-literal,
-.hljs-type,
-.hljs-params {
-  color: #df5320;
-}
-
-/* Atelier-Forest Green */
-.hljs-string,
-.hljs-symbol,
-.hljs-bullet {
-  color: #7b9726;
-}
-
-/* Atelier-Forest Blue */
-.hljs-title,
-.hljs-section {
-  color: #407ee7;
-}
-
-/* Atelier-Forest Purple */
-.hljs-keyword,
-.hljs-selector-tag {
-  color: #6666ea;
-}
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  background: #f1efee;
-  color: #68615e;
-  padding: 0.5em;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
diff --git a/doc/html-manual/highlight/styles/atelier-heath-dark.css b/doc/html-manual/highlight/styles/atelier-heath-dark.css
deleted file mode 100644
index fe01ff721b..0000000000
--- a/doc/html-manual/highlight/styles/atelier-heath-dark.css
+++ /dev/null
@@ -1,69 +0,0 @@
-/* Base16 Atelier Heath Dark - Theme */
-/* by Bram de Haan (http://atelierbram.github.io/syntax-highlighting/atelier-schemes/heath) */
-/* Original Base16 color scheme by Chris Kempson (https://github.com/chriskempson/base16) */
-
-/* Atelier-Heath Comment */
-.hljs-comment,
-.hljs-quote {
-  color: #9e8f9e;
-}
-
-/* Atelier-Heath Red */
-.hljs-variable,
-.hljs-template-variable,
-.hljs-attribute,
-.hljs-tag,
-.hljs-name,
-.hljs-regexp,
-.hljs-link,
-.hljs-name,
-.hljs-selector-id,
-.hljs-selector-class {
-  color: #ca402b;
-}
-
-/* Atelier-Heath Orange */
-.hljs-number,
-.hljs-meta,
-.hljs-built_in,
-.hljs-builtin-name,
-.hljs-literal,
-.hljs-type,
-.hljs-params {
-  color: #a65926;
-}
-
-/* Atelier-Heath Green */
-.hljs-string,
-.hljs-symbol,
-.hljs-bullet {
-  color: #918b3b;
-}
-
-/* Atelier-Heath Blue */
-.hljs-title,
-.hljs-section {
-  color: #516aec;
-}
-
-/* Atelier-Heath Purple */
-.hljs-keyword,
-.hljs-selector-tag {
-  color: #7b59c0;
-}
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  background: #1b181b;
-  color: #ab9bab;
-  padding: 0.5em;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
diff --git a/doc/html-manual/highlight/styles/atelier-heath-light.css b/doc/html-manual/highlight/styles/atelier-heath-light.css
deleted file mode 100644
index ee43786d12..0000000000
--- a/doc/html-manual/highlight/styles/atelier-heath-light.css
+++ /dev/null
@@ -1,69 +0,0 @@
-/* Base16 Atelier Heath Light - Theme */
-/* by Bram de Haan (http://atelierbram.github.io/syntax-highlighting/atelier-schemes/heath) */
-/* Original Base16 color scheme by Chris Kempson (https://github.com/chriskempson/base16) */
-
-/* Atelier-Heath Comment */
-.hljs-comment,
-.hljs-quote {
-  color: #776977;
-}
-
-/* Atelier-Heath Red */
-.hljs-variable,
-.hljs-template-variable,
-.hljs-attribute,
-.hljs-tag,
-.hljs-name,
-.hljs-regexp,
-.hljs-link,
-.hljs-name,
-.hljs-selector-id,
-.hljs-selector-class {
-  color: #ca402b;
-}
-
-/* Atelier-Heath Orange */
-.hljs-number,
-.hljs-meta,
-.hljs-built_in,
-.hljs-builtin-name,
-.hljs-literal,
-.hljs-type,
-.hljs-params {
-  color: #a65926;
-}
-
-/* Atelier-Heath Green */
-.hljs-string,
-.hljs-symbol,
-.hljs-bullet {
-  color: #918b3b;
-}
-
-/* Atelier-Heath Blue */
-.hljs-title,
-.hljs-section {
-  color: #516aec;
-}
-
-/* Atelier-Heath Purple */
-.hljs-keyword,
-.hljs-selector-tag {
-  color: #7b59c0;
-}
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  background: #f7f3f7;
-  color: #695d69;
-  padding: 0.5em;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
diff --git a/doc/html-manual/highlight/styles/atelier-lakeside-dark.css b/doc/html-manual/highlight/styles/atelier-lakeside-dark.css
deleted file mode 100644
index a937d3bf5f..0000000000
--- a/doc/html-manual/highlight/styles/atelier-lakeside-dark.css
+++ /dev/null
@@ -1,69 +0,0 @@
-/* Base16 Atelier Lakeside Dark - Theme */
-/* by Bram de Haan (http://atelierbram.github.io/syntax-highlighting/atelier-schemes/lakeside) */
-/* Original Base16 color scheme by Chris Kempson (https://github.com/chriskempson/base16) */
-
-/* Atelier-Lakeside Comment */
-.hljs-comment,
-.hljs-quote {
-  color: #7195a8;
-}
-
-/* Atelier-Lakeside Red */
-.hljs-variable,
-.hljs-template-variable,
-.hljs-attribute,
-.hljs-tag,
-.hljs-name,
-.hljs-regexp,
-.hljs-link,
-.hljs-name,
-.hljs-selector-id,
-.hljs-selector-class {
-  color: #d22d72;
-}
-
-/* Atelier-Lakeside Orange */
-.hljs-number,
-.hljs-meta,
-.hljs-built_in,
-.hljs-builtin-name,
-.hljs-literal,
-.hljs-type,
-.hljs-params {
-  color: #935c25;
-}
-
-/* Atelier-Lakeside Green */
-.hljs-string,
-.hljs-symbol,
-.hljs-bullet {
-  color: #568c3b;
-}
-
-/* Atelier-Lakeside Blue */
-.hljs-title,
-.hljs-section {
-  color: #257fad;
-}
-
-/* Atelier-Lakeside Purple */
-.hljs-keyword,
-.hljs-selector-tag {
-  color: #6b6bb8;
-}
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  background: #161b1d;
-  color: #7ea2b4;
-  padding: 0.5em;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
diff --git a/doc/html-manual/highlight/styles/atelier-lakeside-light.css b/doc/html-manual/highlight/styles/atelier-lakeside-light.css
deleted file mode 100644
index 6c7e8f9ef2..0000000000
--- a/doc/html-manual/highlight/styles/atelier-lakeside-light.css
+++ /dev/null
@@ -1,69 +0,0 @@
-/* Base16 Atelier Lakeside Light - Theme */
-/* by Bram de Haan (http://atelierbram.github.io/syntax-highlighting/atelier-schemes/lakeside) */
-/* Original Base16 color scheme by Chris Kempson (https://github.com/chriskempson/base16) */
-
-/* Atelier-Lakeside Comment */
-.hljs-comment,
-.hljs-quote {
-  color: #5a7b8c;
-}
-
-/* Atelier-Lakeside Red */
-.hljs-variable,
-.hljs-template-variable,
-.hljs-attribute,
-.hljs-tag,
-.hljs-name,
-.hljs-regexp,
-.hljs-link,
-.hljs-name,
-.hljs-selector-id,
-.hljs-selector-class {
-  color: #d22d72;
-}
-
-/* Atelier-Lakeside Orange */
-.hljs-number,
-.hljs-meta,
-.hljs-built_in,
-.hljs-builtin-name,
-.hljs-literal,
-.hljs-type,
-.hljs-params {
-  color: #935c25;
-}
-
-/* Atelier-Lakeside Green */
-.hljs-string,
-.hljs-symbol,
-.hljs-bullet {
-  color: #568c3b;
-}
-
-/* Atelier-Lakeside Blue */
-.hljs-title,
-.hljs-section {
-  color: #257fad;
-}
-
-/* Atelier-Lakeside Purple */
-.hljs-keyword,
-.hljs-selector-tag {
-  color: #6b6bb8;
-}
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  background: #ebf8ff;
-  color: #516d7b;
-  padding: 0.5em;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
diff --git a/doc/html-manual/highlight/styles/atelier-plateau-dark.css b/doc/html-manual/highlight/styles/atelier-plateau-dark.css
deleted file mode 100644
index 3bb052693c..0000000000
--- a/doc/html-manual/highlight/styles/atelier-plateau-dark.css
+++ /dev/null
@@ -1,84 +0,0 @@
-/* Base16 Atelier Plateau Dark - Theme */
-/* by Bram de Haan (http://atelierbram.github.io/syntax-highlighting/atelier-schemes/plateau) */
-/* Original Base16 color scheme by Chris Kempson (https://github.com/chriskempson/base16) */
-
-/* Atelier-Plateau Comment */
-.hljs-comment,
-.hljs-quote {
-  color: #7e7777;
-}
-
-/* Atelier-Plateau Red */
-.hljs-variable,
-.hljs-template-variable,
-.hljs-attribute,
-.hljs-tag,
-.hljs-name,
-.hljs-regexp,
-.hljs-link,
-.hljs-name,
-.hljs-selector-id,
-.hljs-selector-class {
-  color: #ca4949;
-}
-
-/* Atelier-Plateau Orange */
-.hljs-number,
-.hljs-meta,
-.hljs-built_in,
-.hljs-builtin-name,
-.hljs-literal,
-.hljs-type,
-.hljs-params {
-  color: #b45a3c;
-}
-
-/* Atelier-Plateau Green */
-.hljs-string,
-.hljs-symbol,
-.hljs-bullet {
-  color: #4b8b8b;
-}
-
-/* Atelier-Plateau Blue */
-.hljs-title,
-.hljs-section {
-  color: #7272ca;
-}
-
-/* Atelier-Plateau Purple */
-.hljs-keyword,
-.hljs-selector-tag {
-  color: #8464c4;
-}
-
-.hljs-deletion,
-.hljs-addition {
-  color: #1b1818;
-  display: inline-block;
-  width: 100%;
-}
-
-.hljs-deletion {
-  background-color: #ca4949;
-}
-
-.hljs-addition {
-  background-color: #4b8b8b;
-}
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  background: #1b1818;
-  color: #8a8585;
-  padding: 0.5em;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
diff --git a/doc/html-manual/highlight/styles/atelier-plateau-light.css b/doc/html-manual/highlight/styles/atelier-plateau-light.css
deleted file mode 100644
index 5f0222bec1..0000000000
--- a/doc/html-manual/highlight/styles/atelier-plateau-light.css
+++ /dev/null
@@ -1,84 +0,0 @@
-/* Base16 Atelier Plateau Light - Theme */
-/* by Bram de Haan (http://atelierbram.github.io/syntax-highlighting/atelier-schemes/plateau) */
-/* Original Base16 color scheme by Chris Kempson (https://github.com/chriskempson/base16) */
-
-/* Atelier-Plateau Comment */
-.hljs-comment,
-.hljs-quote {
-  color: #655d5d;
-}
-
-/* Atelier-Plateau Red */
-.hljs-variable,
-.hljs-template-variable,
-.hljs-attribute,
-.hljs-tag,
-.hljs-name,
-.hljs-regexp,
-.hljs-link,
-.hljs-name,
-.hljs-selector-id,
-.hljs-selector-class {
-  color: #ca4949;
-}
-
-/* Atelier-Plateau Orange */
-.hljs-number,
-.hljs-meta,
-.hljs-built_in,
-.hljs-builtin-name,
-.hljs-literal,
-.hljs-type,
-.hljs-params {
-  color: #b45a3c;
-}
-
-/* Atelier-Plateau Green */
-.hljs-string,
-.hljs-symbol,
-.hljs-bullet {
-  color: #4b8b8b;
-}
-
-/* Atelier-Plateau Blue */
-.hljs-title,
-.hljs-section {
-  color: #7272ca;
-}
-
-/* Atelier-Plateau Purple */
-.hljs-keyword,
-.hljs-selector-tag {
-  color: #8464c4;
-}
-
-.hljs-deletion,
-.hljs-addition {
-  color: #1b1818;
-  display: inline-block;
-  width: 100%;
-}
-
-.hljs-deletion {
-  background-color: #ca4949;
-}
-
-.hljs-addition {
-  background-color: #4b8b8b;
-}
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  background: #f4ecec;
-  color: #585050;
-  padding: 0.5em;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
diff --git a/doc/html-manual/highlight/styles/atelier-savanna-dark.css b/doc/html-manual/highlight/styles/atelier-savanna-dark.css
deleted file mode 100644
index 38f831431c..0000000000
--- a/doc/html-manual/highlight/styles/atelier-savanna-dark.css
+++ /dev/null
@@ -1,84 +0,0 @@
-/* Base16 Atelier Savanna Dark - Theme */
-/* by Bram de Haan (http://atelierbram.github.io/syntax-highlighting/atelier-schemes/savanna) */
-/* Original Base16 color scheme by Chris Kempson (https://github.com/chriskempson/base16) */
-
-/* Atelier-Savanna Comment */
-.hljs-comment,
-.hljs-quote {
-  color: #78877d;
-}
-
-/* Atelier-Savanna Red */
-.hljs-variable,
-.hljs-template-variable,
-.hljs-attribute,
-.hljs-tag,
-.hljs-name,
-.hljs-regexp,
-.hljs-link,
-.hljs-name,
-.hljs-selector-id,
-.hljs-selector-class {
-  color: #b16139;
-}
-
-/* Atelier-Savanna Orange */
-.hljs-number,
-.hljs-meta,
-.hljs-built_in,
-.hljs-builtin-name,
-.hljs-literal,
-.hljs-type,
-.hljs-params {
-  color: #9f713c;
-}
-
-/* Atelier-Savanna Green */
-.hljs-string,
-.hljs-symbol,
-.hljs-bullet {
-  color: #489963;
-}
-
-/* Atelier-Savanna Blue */
-.hljs-title,
-.hljs-section {
-  color: #478c90;
-}
-
-/* Atelier-Savanna Purple */
-.hljs-keyword,
-.hljs-selector-tag {
-  color: #55859b;
-}
-
-.hljs-deletion,
-.hljs-addition {
-  color: #171c19;
-  display: inline-block;
-  width: 100%;
-}
-
-.hljs-deletion {
-  background-color: #b16139;
-}
-
-.hljs-addition {
-  background-color: #489963;
-}
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  background: #171c19;
-  color: #87928a;
-  padding: 0.5em;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
diff --git a/doc/html-manual/highlight/styles/atelier-savanna-light.css b/doc/html-manual/highlight/styles/atelier-savanna-light.css
deleted file mode 100644
index 1ccd7c6858..0000000000
--- a/doc/html-manual/highlight/styles/atelier-savanna-light.css
+++ /dev/null
@@ -1,84 +0,0 @@
-/* Base16 Atelier Savanna Light - Theme */
-/* by Bram de Haan (http://atelierbram.github.io/syntax-highlighting/atelier-schemes/savanna) */
-/* Original Base16 color scheme by Chris Kempson (https://github.com/chriskempson/base16) */
-
-/* Atelier-Savanna Comment */
-.hljs-comment,
-.hljs-quote {
-  color: #5f6d64;
-}
-
-/* Atelier-Savanna Red */
-.hljs-variable,
-.hljs-template-variable,
-.hljs-attribute,
-.hljs-tag,
-.hljs-name,
-.hljs-regexp,
-.hljs-link,
-.hljs-name,
-.hljs-selector-id,
-.hljs-selector-class {
-  color: #b16139;
-}
-
-/* Atelier-Savanna Orange */
-.hljs-number,
-.hljs-meta,
-.hljs-built_in,
-.hljs-builtin-name,
-.hljs-literal,
-.hljs-type,
-.hljs-params {
-  color: #9f713c;
-}
-
-/* Atelier-Savanna Green */
-.hljs-string,
-.hljs-symbol,
-.hljs-bullet {
-  color: #489963;
-}
-
-/* Atelier-Savanna Blue */
-.hljs-title,
-.hljs-section {
-  color: #478c90;
-}
-
-/* Atelier-Savanna Purple */
-.hljs-keyword,
-.hljs-selector-tag {
-  color: #55859b;
-}
-
-.hljs-deletion,
-.hljs-addition {
-  color: #171c19;
-  display: inline-block;
-  width: 100%;
-}
-
-.hljs-deletion {
-  background-color: #b16139;
-}
-
-.hljs-addition {
-  background-color: #489963;
-}
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  background: #ecf4ee;
-  color: #526057;
-  padding: 0.5em;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
diff --git a/doc/html-manual/highlight/styles/atelier-seaside-dark.css b/doc/html-manual/highlight/styles/atelier-seaside-dark.css
deleted file mode 100644
index df29949c69..0000000000
--- a/doc/html-manual/highlight/styles/atelier-seaside-dark.css
+++ /dev/null
@@ -1,69 +0,0 @@
-/* Base16 Atelier Seaside Dark - Theme */
-/* by Bram de Haan (http://atelierbram.github.io/syntax-highlighting/atelier-schemes/seaside) */
-/* Original Base16 color scheme by Chris Kempson (https://github.com/chriskempson/base16) */
-
-/* Atelier-Seaside Comment */
-.hljs-comment,
-.hljs-quote {
-  color: #809980;
-}
-
-/* Atelier-Seaside Red */
-.hljs-variable,
-.hljs-template-variable,
-.hljs-attribute,
-.hljs-tag,
-.hljs-name,
-.hljs-regexp,
-.hljs-link,
-.hljs-name,
-.hljs-selector-id,
-.hljs-selector-class {
-  color: #e6193c;
-}
-
-/* Atelier-Seaside Orange */
-.hljs-number,
-.hljs-meta,
-.hljs-built_in,
-.hljs-builtin-name,
-.hljs-literal,
-.hljs-type,
-.hljs-params {
-  color: #87711d;
-}
-
-/* Atelier-Seaside Green */
-.hljs-string,
-.hljs-symbol,
-.hljs-bullet {
-  color: #29a329;
-}
-
-/* Atelier-Seaside Blue */
-.hljs-title,
-.hljs-section {
-  color: #3d62f5;
-}
-
-/* Atelier-Seaside Purple */
-.hljs-keyword,
-.hljs-selector-tag {
-  color: #ad2bee;
-}
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  background: #131513;
-  color: #8ca68c;
-  padding: 0.5em;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
diff --git a/doc/html-manual/highlight/styles/atelier-seaside-light.css b/doc/html-manual/highlight/styles/atelier-seaside-light.css
deleted file mode 100644
index 9d960f29f3..0000000000
--- a/doc/html-manual/highlight/styles/atelier-seaside-light.css
+++ /dev/null
@@ -1,69 +0,0 @@
-/* Base16 Atelier Seaside Light - Theme */
-/* by Bram de Haan (http://atelierbram.github.io/syntax-highlighting/atelier-schemes/seaside) */
-/* Original Base16 color scheme by Chris Kempson (https://github.com/chriskempson/base16) */
-
-/* Atelier-Seaside Comment */
-.hljs-comment,
-.hljs-quote {
-  color: #687d68;
-}
-
-/* Atelier-Seaside Red */
-.hljs-variable,
-.hljs-template-variable,
-.hljs-attribute,
-.hljs-tag,
-.hljs-name,
-.hljs-regexp,
-.hljs-link,
-.hljs-name,
-.hljs-selector-id,
-.hljs-selector-class {
-  color: #e6193c;
-}
-
-/* Atelier-Seaside Orange */
-.hljs-number,
-.hljs-meta,
-.hljs-built_in,
-.hljs-builtin-name,
-.hljs-literal,
-.hljs-type,
-.hljs-params {
-  color: #87711d;
-}
-
-/* Atelier-Seaside Green */
-.hljs-string,
-.hljs-symbol,
-.hljs-bullet {
-  color: #29a329;
-}
-
-/* Atelier-Seaside Blue */
-.hljs-title,
-.hljs-section {
-  color: #3d62f5;
-}
-
-/* Atelier-Seaside Purple */
-.hljs-keyword,
-.hljs-selector-tag {
-  color: #ad2bee;
-}
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  background: #f4fbf4;
-  color: #5e6e5e;
-  padding: 0.5em;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
diff --git a/doc/html-manual/highlight/styles/atelier-sulphurpool-dark.css b/doc/html-manual/highlight/styles/atelier-sulphurpool-dark.css
deleted file mode 100644
index c2ab7938d8..0000000000
--- a/doc/html-manual/highlight/styles/atelier-sulphurpool-dark.css
+++ /dev/null
@@ -1,69 +0,0 @@
-/* Base16 Atelier Sulphurpool Dark - Theme */
-/* by Bram de Haan (http://atelierbram.github.io/syntax-highlighting/atelier-schemes/sulphurpool) */
-/* Original Base16 color scheme by Chris Kempson (https://github.com/chriskempson/base16) */
-
-/* Atelier-Sulphurpool Comment */
-.hljs-comment,
-.hljs-quote {
-  color: #898ea4;
-}
-
-/* Atelier-Sulphurpool Red */
-.hljs-variable,
-.hljs-template-variable,
-.hljs-attribute,
-.hljs-tag,
-.hljs-name,
-.hljs-regexp,
-.hljs-link,
-.hljs-name,
-.hljs-selector-id,
-.hljs-selector-class {
-  color: #c94922;
-}
-
-/* Atelier-Sulphurpool Orange */
-.hljs-number,
-.hljs-meta,
-.hljs-built_in,
-.hljs-builtin-name,
-.hljs-literal,
-.hljs-type,
-.hljs-params {
-  color: #c76b29;
-}
-
-/* Atelier-Sulphurpool Green */
-.hljs-string,
-.hljs-symbol,
-.hljs-bullet {
-  color: #ac9739;
-}
-
-/* Atelier-Sulphurpool Blue */
-.hljs-title,
-.hljs-section {
-  color: #3d8fd1;
-}
-
-/* Atelier-Sulphurpool Purple */
-.hljs-keyword,
-.hljs-selector-tag {
-  color: #6679cc;
-}
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  background: #202746;
-  color: #979db4;
-  padding: 0.5em;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
diff --git a/doc/html-manual/highlight/styles/atelier-sulphurpool-light.css b/doc/html-manual/highlight/styles/atelier-sulphurpool-light.css
deleted file mode 100644
index 96c47d0860..0000000000
--- a/doc/html-manual/highlight/styles/atelier-sulphurpool-light.css
+++ /dev/null
@@ -1,69 +0,0 @@
-/* Base16 Atelier Sulphurpool Light - Theme */
-/* by Bram de Haan (http://atelierbram.github.io/syntax-highlighting/atelier-schemes/sulphurpool) */
-/* Original Base16 color scheme by Chris Kempson (https://github.com/chriskempson/base16) */
-
-/* Atelier-Sulphurpool Comment */
-.hljs-comment,
-.hljs-quote {
-  color: #6b7394;
-}
-
-/* Atelier-Sulphurpool Red */
-.hljs-variable,
-.hljs-template-variable,
-.hljs-attribute,
-.hljs-tag,
-.hljs-name,
-.hljs-regexp,
-.hljs-link,
-.hljs-name,
-.hljs-selector-id,
-.hljs-selector-class {
-  color: #c94922;
-}
-
-/* Atelier-Sulphurpool Orange */
-.hljs-number,
-.hljs-meta,
-.hljs-built_in,
-.hljs-builtin-name,
-.hljs-literal,
-.hljs-type,
-.hljs-params {
-  color: #c76b29;
-}
-
-/* Atelier-Sulphurpool Green */
-.hljs-string,
-.hljs-symbol,
-.hljs-bullet {
-  color: #ac9739;
-}
-
-/* Atelier-Sulphurpool Blue */
-.hljs-title,
-.hljs-section {
-  color: #3d8fd1;
-}
-
-/* Atelier-Sulphurpool Purple */
-.hljs-keyword,
-.hljs-selector-tag {
-  color: #6679cc;
-}
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  background: #f5f7ff;
-  color: #5e6687;
-  padding: 0.5em;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
diff --git a/doc/html-manual/highlight/styles/brown-paper.css b/doc/html-manual/highlight/styles/brown-paper.css
deleted file mode 100644
index f0197b924c..0000000000
--- a/doc/html-manual/highlight/styles/brown-paper.css
+++ /dev/null
@@ -1,64 +0,0 @@
-/*
-
-Brown Paper style from goldblog.com.ua (c) Zaripov Yura 
-
-*/
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  padding: 0.5em;
-  background:#b7a68e url(./brown-papersq.png);
-}
-
-.hljs-keyword,
-.hljs-selector-tag,
-.hljs-literal {
-  color:#005599;
-  font-weight:bold;
-}
-
-.hljs,
-.hljs-subst {
-  color: #363c69;
-}
-
-.hljs-string,
-.hljs-title,
-.hljs-section,
-.hljs-type,
-.hljs-attribute,
-.hljs-symbol,
-.hljs-bullet,
-.hljs-built_in,
-.hljs-addition,
-.hljs-variable,
-.hljs-template-tag,
-.hljs-template-variable,
-.hljs-link,
-.hljs-name {
-  color: #2c009f;
-}
-
-.hljs-comment,
-.hljs-quote,
-.hljs-meta,
-.hljs-deletion {
-  color: #802022;
-}
-
-.hljs-keyword,
-.hljs-selector-tag,
-.hljs-literal,
-.hljs-doctag,
-.hljs-title,
-.hljs-section,
-.hljs-type,
-.hljs-name,
-.hljs-strong {
-  font-weight: bold;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
diff --git a/doc/html-manual/highlight/styles/brown-papersq.png b/doc/html-manual/highlight/styles/brown-papersq.png
deleted file mode 100644
index 3813903dbf9fa7b1fb5bd11d9534c06667d9056f..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 18198
zcmZsCRajhYlWil7yGw9LaCaw2kl^kP!M%at?m>cka0u>ctf6s&e8CzTLSrGMaSIUS
zWM7q;>fa~s$OpT>
zFLY-GO$7j;Wl{{7eE9cF?XPU&ukYpLA870A2vBhFvU6lq^RRVx)N{0T2=eQ4J41(5=2G+8;)w1ZEPMkbF2bGnazV|OLZz2Hb@=WyXBX0)f+0o;fWze0N{t<*y
ztIiNnZC{LRA&k!$ZY8RSSkRr34SfzyO1FQ1#+`5DKBGKIaW*#IpS|)H)0b)RO)vVT
zdmZs``V5~Rd=7^niGNRi-KohFdl7;cLNt=6H%jET$<@@a?HPC}DI+UeV-R$j(|Cgb
zovyEp&h`&JS~h*u+dsTgScW2zDVr4f~DH;Zx@cQhlKiyzUik!{j?26_bcGl3n
zz;xi(8ENgs!;6LMT9?9^)|SgIm+Xu<9pAn@Jwvr@j|kU$Ps<;yJK|Ptilz{)cF~50
z>3}X}-GE2L$gd5vToUcA;ufTe+vCmq6y;EHLIF1Y)!*mMIk7Ufz`-6@{%j+0t}5by-kjAimHgt*AfoWQ3<}2%HH1G)X=gxwsGTnqo!jS
zPp^mHU)Wdo9i$J93f_cGL~o081HVh2MIfFb&r#24&zMhy4-B`@-M4wqKeV5e3rOCk
zzfxnXb=ed%7QxZsGFZ!Bk=ojIqXM0lz`=t&N`(ieb`uT$vaWG--x!ps=kokELG7^v
z+{LRR;H>H{+#Sy9)~}T-X{s*WDIF9ko?!YOUrBL6c1UTt%|c-C%-R`h{*D&-?xTv6%U;Fy)q@zD7n;Mm&VTYo!f>`4|^@IrUrWqi<2`
zIK=%8Y>k7_cJFc62Fm1dsu5V%^D!kOF(oA;3duw
z%pO09{DvbtIv+U1{6MQ8Wq|e~4(8RFaZSiu$
z|CJ~BTvRLdM64V`xYr`XpzSoka%-H{0)Ro-jT6+}
zT18|CY&T<`K}73~WMQMkzj<-{e`EjOV2Ch(n321C+#16;>MjIhblly|M?Br0UERMA
z8yIvk9sVuv0~h)1=S{wY{&V6fDi@0c8|@S!>h`gR_^u~(f!y=uu=3o8U2>$VV-mwV
zeJKl8K*mz%0O$3!XmmqEd#rW!>oY?U<|?CBsX=UMCSrinA}B9GA5MTUzn%ILQD=}Q
z^-qc}to5D!{UYEBFfSF{7{}5#I2`7!9Xcs|{e!rTVYvNetFc@43N$#e!DM_Y#5_4V
z3P*)qJyw97IJGZYj53iEQKK~Zk6QE|wnDAQ6e%ci7WM9yX{3Voy>2v7-{dW*|+Zvy7%^(o^DMc&%_Tp}4@Jo%0Bs7ObY$K2QS=1v19slY*WwV!8B05I;*7gc|
zC}iWT!ocL=zoXCa-*EVkQZPGoFVou4>|(ng{&T`5ns(d;`0IWRE4$3aCE
zX={pif)xfKL2J&CwL-rbsVhFX~Ast|24AzGCb$6bP
zzjP96&p17?0`zA}Cr(1{-
zBWmAc^Tih%c@PSpJD39Rtvbpc27|&`W}18q&trP3z4xp%4^t5T!T})zWON*!hQ+0C
zGnKXI-(t5+$xcN_*!vy^Ebcn(`}3GQ=EjrR)jEu#)a!Qo+uU^L6Sf!vtQo@-)YCH_
zIkq!}#RQ?#H9Na)c>fA?i%F=AwN>+%6IHG_6~07@;tNMw)pj-py?fm5OAkUXC)Brp
z)eG?cTAV-ODy=aRrlcS^!0S!95GOO@_zy6Yr~oZODHiWB(rYDHVW+oP+iSHanvW_2
zD+33#kuvw;P&BQf8OM-`63t1%h)cdnm8}>fIrS=425~>gpk!*nOPF^FRJ!}0{NO(e
z1ANE&sU_mPMS;Pw9^8F*v5!k1Dr?=^%?eWij0f~to7y`V{K(<#9fgxsh1qZ}irc;t
zApc;fE}TBG^?-(ZYfC3hk)rzA9||a50&`5$fOMODInB^CQQz-%|FVW(Me6cd&RQ!Em*`8(cOiTV*}I0^
zkh9#bz+b`^Achh+t!T{E%m*7Spr8X*#NFvrNeQKR9N#NYImXo$orFW}S#|kp!g)
zC|mslRtj
z{<(wk5heSmNTLQPjVu+tu`Ax0<Jp<3;sv=x5%C^te-lbQRUIA>ktvMAj}|$FYU$Qp}=T~;pv%9btR=dxklUy
zkR9E*9e)3CPHhghYGI4o&yB<6Ek^@&s6_$^hHm%y;$mG#6s2Gj@yUh|7NNvbZ*-CiW>(`$PB*?kxl)}lSZKB^Wx?u%oy%PiU;Ucb|V
z|JbtHI`e>wDu43V9mbmTz-O*hsj=x3p@_52uHWdv$KHWXIJ?hAN_O+SE^)}7#rG|6
z_BKM`Ghwpm2fNaI-XM&&0MIfLw+nk~2$Q9!(m1H({sIm*PjV$tD(vHzF8J^I
z$5d)V3#P=#{X0~lkvdz*hO?2|P39$67m%BB>cJ;P&i?e>f6oD0A_x(fXnlhN8_iy~
z=8_i6_?scR{Q@F{<_+s`6F0?)4q>Y!TZURG@z1Xg(XF|Uq<7M}+x3!5CKzKPU%EBw
zWsc%dMB{e=rbNFynyQz;$Wk>xdNDkRB!r}hPlheoBDRi4NdE0U68C8T=FwmB)E|du
zu(3Ry^ER}qt8o=s^t;)ka7?Rw9BkK-AbMm!5YyN{n8j%4(FS=#^NXNFzOKvDh-fh_
ztrMuN#+;}%O*fdC_O-zikI?cL4FkQFbMJ&%;LsLdp2pU1z81byeDrcnfVfSPjd&Tx
z0uTNCRa&zYgwCK{AP>=r8Sx{G=0I#zQ4SAF*CLY5@Ge_3>$_ebR&z8QuoP^G_nMbA
zR!J5=NfW+bA;6g4yh|56J$}zRiUEt*T!NqU4MM$Ik(YO5ElC
z3I>TTR5(&RS-e$~mJ610i3Tb|O!%oihx2Dou=SDi
zY8QGbi&iMst0x9N)(Qw|m<=v9=H$h=d9q7_RC$8&xiTCpO(nAT)09jNd*kDz)xA=d
zA>mDJMEO}wm=z8%##p8Epux^Z?6*hT+bBf^Yw~9wh1mOBI2*B_&;n6YqN$_sLi+`r
zN+}oUEH%!)UEZO0kGwoV{fV0125Liy{XQRjOG;ll15xL$5w(ynu*BE#Y!uUbJlqhC
z*)p9Akd=!p3VXT;Mo_Zvej_{xJkq)x&0<&B)@Utjud|co5aPb~dM)3OKXKmRzZ}RD
zt~hR#D>70m`e$6d9RY-q2@W6QANld%IvZ*VmwpbdVCzWDJ`&UO%hC*(c9AJ;
z8qe|b;=knC|ZRghL9-j+JpIpBjS
zLIz{G#rkZ%K&UOs1pgA;bi1JjfXryT;9AV*AdF1(P;A$V^MMS0X10gTzoNjJBTB;U
z#kJ5|QkG?|zHY}$^ddtj_$wAkIcd;Wk|&B6^`fnOL3uIPj@Z+b!gftAC_YE@sh~EY
z@awBver>U-j(pBMf%*W;OI?#3J3yRO&^PqFHW`#yr|%#0rDM+^ZV
zw!IXpiDk0Qo5iL_mNZlA`+m>mgyn-Z9(
z1VK4OJry2Iq?o90-NhDNVAP3Niev{MJh~PQ7M5U9?Ob1#H}q=Dgn%~Ng=3b;7jX>n
zADv=?=pgaOIN2G2JCr_(7k0YF#OlE0c}by4_|pb-iJ-CYzLbWwHs2A)ZY;uuYwbQMUa1ed5)1G+DXr$;MC*sQ-N@4$xD327+bTrT^
z?kmr?X}=Lu2xf7X5|gkw#k>FEC139#QtL*Y>C)kvvqB=d;fVQ8{+;RhP-)is9rX&jj-Ik
zT00%|O4wv`6`(M(&W*hs2A
z?qIa9QPvO>*ssTM+$((GcA1>?(C1jm10t6@Dy(k%HtIN+5d!Bk;~J%32ZhcKu$-i2gOM1Ek)Av0js<&PBErK4
zp0BqauJ^Yy7bnHdyGOO!FbWP*qG)O@I>y%wAIOX9eD)7R>ow6xlYRy-h|ZmQaLshv
zm7r7H)>I5~>_i>NDSv6k)mCwZu$9K6)JGn#ni#>O5}3aMrYt7e67}_&zNlt_@b&$n
z)VO|sK6qnt57(FA0!{d&$}h!DdNgOgYMn=8${CJ>S2YIAe
zYh9atd77_K6soYC+WALnJL7SxqnE#(+1G`m^0I56gta@e+L0z>IRG+?>DS@Oe-NlQ
z-mQ)F{=7b($L)X@jB5Ot*D*>ceMR8793ItK-tTO`iAnNm-xzYn0#;&=gXJYz8KmnUBrL#cb@ELwnkp?O
zZZ{8tSRklRk}8Ts29G>v-&z?qob#qYSe!ek
zt^r`X2W(J?(qxhOf%h#^?8D`^&MPbuUE9s
z$80u<1iU&&+mQB<4bZeyBaOB}$!d@`^f4+iXS3;h>rXP~*FRrr)Wki^(q)&EwAMt?71xOWwtXa8UsY(_;C*7d*d9Z
z-#(@Mu>`+6lrEC|=E^q^u&A=e+P9|#`hdP0Rg9`gUbNqm@!-Gg-V6vL;!*U<4ZtIa
zv@cWy_^m4cV=F@sv3lCwx|?r%lb?NGQobaW&#Mi<9dngpq({-uy?xwAR&#MBUtybddE
z1Ka>|_TRpK@#mBE#M;ka;RDR*2pXmP#YHG|5qh#YgXDUPD*cs3)>>Co@wnbArjo;_^QGnuQGdUSqu6AMPxBHbW99c9gHFZ*u&-M5cS}n@d
z@wWUbV?X7y#NTCaqV_t*)w+Vzpte?L^08$=xiju5lCZ4~#~@34qa{rJM!{y~Tqe5H
z-`N}U;ZKj9jnYas%EXCD=*$|XC$h{m@?;&T(uT--QOR_H^PcjyAP~pc&dS&v#J%KN
zK|)APC-pnC;EKdibKx8O+Pqef?
zY3J^)uf~;VDge4m$gh`Aj{?OYnES!Tftm1kjZwLB-5soBf8q9RaPk~e{SqHq+Gh(R
z<}KbtcWaoIC!do+k`h}5s~QzJ&#Ro?TzU_eO^xAgvNoX&oKS7|-8Lm;%2@BRKwb9H4rRICqXPIQLdOMGtG>0(Kh}5xDzW
z<`R5ub7|^ov6hX(i^R_d6ZdLQ5t}vu@?2|ueBl^W!CoR=LZ1Urel(cC{`jK##xJ5Z
zW6m&PFV^e{7~mrz4!xy@n!O%C(vIRG0g>FrE1t+=n3;z9D!vWHCUjqMi*QAc4!hId
zk9MAo2%jf}g*lzYPM7_RYQxo3rJR%jUCd5FoBmmSn@QTM@?QERM*E-uEb}GD!7+W4
z;ucS;Fa1*ZgF9U&8>R&|tjy3FH;93-Kpof^^nCm9kp4U+SFqwi@6}>$jo4)7x?L*p
z5eHsG=We;aDoq*x+H6v7x39;dP<1mgK0fQuG+#L+=2<$z#m5Z5
zCEto{j1wIIxQ(7>!yi2iRgQS~c_6N5JHqo=$`q=PD?Y@90#727stD}1n!C~qy
z1q^LAqT}jq4r2TFIf&-|vYu|DXI}0>^}2ev5jUXZCM+ZOWL>l4t}d2Pur%y+XM$j(Cc126Ww7ST~4S;g=2q8j3!|OoWynEtKkuUjZ>k
za%azP+sS^P^KJ=|`TAdnlNkRHqn@0nFWdFeMoI4-_sH22UA`hq_xA?B;_u;ixDrx%9ajWMqLgzfYCofw8KF`gO
zWh92d@!_T((;rc7)Y0;~o3^0R^ALS8opgP}hX%hpsuO^eo@L^`#d1RJD{m2kN6wGw
z5T;|y=;jNZl}W2j;Bc$yGn_%Ti(Jtk4%`
zDK5cCl`%fdh(p%F!
zN4;@Huf@ukLx1k|0(qt;@&Xiw=4#8cVPcfFDX~atn}9jl7(Tz#p-Q|4F%ywo(jlv#
z%qISsaHlw>1|(CS*2KqRSCP8NF(6NfJ>HP|lV`v4llSyqeD!0%X_1>
zg{vvN5D0m~n!O3#;}}s;n>z%iE0e^EX_%IQaWRp4yx4LOzqV3T+W(;k{udVh!#EJ}
zgnXu%H1P~HO=bwcbt57%T)u4QT05g9BA!O6PoHP#DPg-80&W|M33F=n@!{4j6>-=9
zl9KJP6S3H+U>;T?}#WA
z_O%upq*IdOTe9b~q#{Y}07vk515LC)Il|+Aa$f}Tcr-&vQOIH)UZ$6&
z36g&<+>7?MFwXUe`uwpa`gVyIwLJn~p1QK-H&X5vGa};Wdy^Q_m|$Lgl*a(g9EO{h
z##w%7(g(SjboyvXP~vP72(|N1)ZI{XNa-&bPjF54D`q-}^mUm=DGk7I_a#t~zNU)>
zJD=vyGTVi2y}*&qMByXD3Tn-Wj|5S#f(
z1uWJ`3RnO6rh+Yy?c=B~PUJ?nV_{w6l7FulT#(2M_~r)HsCX+L?$5L39mEvBSU`8$
zYq&EhHXoxg(J-om_c-fe@=~3q#OG#^kYLhMnV)y;ZF6Gqz_mr2P
zugbL0xc8{kyxRcLC?m)K&Yj$%)>_B@og|1@e~QPf=dh!p2dBQAtX$a~q4}AI9ArA;
za(4@-P0mv5dlML~u;DO#U*_mx8yZv31rn3O5F4pLW;#xXKA<~u3@cMIw&h)_VR
G3S-EN>9CM!{YB*|;6wg-K3V?)eR((z#1
zHyX+Us~H@9)~!8`K-#ZDU>v8HpiaQ|@=VU5MgT@ehzQ(1nZ!M0ZDk{Fb`>pCb0vQE
z`gX@ZK}6S!(-($v3w8-+L6Xs~;@WTrR}q42gH9p2ncZYDab8*`#p8jbS&H9$DTx{1
z|8L)r+}X3oIp6b9dN^fZsl0TpRK4NW^TVGZOit8~r*qM+QL3pd7G0|~C`PHxw2PM3
z->n8iEh)LU)Je%r7nEt|D%&F&(={XI*19z_HKI38aE6Cfm-buU7W|=mo3gMA57~g`
z7aBx4OS&(O5w@W;2pO@ZVyG;2^F+2cYshx%M2*M@%;(4quYc}>z1WX(9ccb&>8#{j
zE=VlFg+&2-xsr%AY_}ciz4+<$^}2TO2e)byPmJl?+aOU7{UVx$=ZNQDTQLxsh}+(_
zak-NBw`v4=+Ydp_L=w^J1&NT$-AbEUuj%8LN7nJzt^APyl$(ght>;(o{)xCqf8IX6
zq`a-CyPq$UOPJN(oo>$gX?v65Y$GnIq7Fq?=??};kY4#Na69k#iG|Wd|{Tt
z&uFLgaDQ4)`{9^3rX|Bg
zNY8N2w1??HVsq#}Xk&RcmoQBacog;CZ%I-HU?7dT+nZRo?h7BQd5Yrv%sI0rPF^Sk^9@l-_4``bwK!A
z5Ud{#8B%fMPHat04G9kj%j5>0maQK}jQTzGC!2<9FicZ-#V^ZaC)A?QK9EelA!nP)
z+Z2DqYAqTsfZ9k1CW9+h;Uao59}OnJ9>r}xs&nHlM5^Y58T*TkM80zn8=UE2e8u{j
zpH(Cv<_IWBdh<6_f1={d7#R|wGLcIoegMU>82VZLrcn;{FuCmF59Tpu7qQ5TEj5`AFXQxx{XS6|0N#
z3g?J^0RDM8_l@3M4G0f^O03>$S#_it3cdG%7HWo_Xb-<{a&XHHzW`(2t54<~-m{AO)J~7AhPI
zbkz9A9Eq!7aijhY%^=rG`j6?w^hb13^_LKf!X*}jaV$GaXvsies~+H0T#v%OcveHN
zw6t*A@XdVfqJIPsPwPO4;>%M4C+{dTVU{cOk`3puW6b36K2&z%>btSk&&H>Z;<`p>
z`FMTMiHw&wOXcQ$-Y{pG@3aN}s_>;#
zeQ6GDsqIMA?iz{B1XzIIegeu-#qL_ZBH|eh`L{~J(A{bH*vND8W}io(WZ9s;;m3qZ
zElXp!ru)Ht+yJJ|dfvRtcX?~Pn_nW{zZbM5z3mB?Hbf_|+7ZC-9yVjR&7mnNul4vE
z%KEK*b1~tReV{kNh2E=&iwgU8w0kYs3c1o6m;*fZfrF-g?1!~+<-`f!Dj8+i7NJUI
zcZj}vt?|8iHQ3TdM;gn(X(Vidn!cd{^x{>dX&Vt^`^_3pu?t)#>x|K0cW=egSMl9#+mqq-8|RdMP1Dw
zx^5}L#|i6)ERW8LBjm}wD6@3$`!cXl0aV*W>(xz)J2m+v|RNGEXIA%XWv
z$Hx$v!@W5LfaU7iEY}no2e;*F&dh{F;<$?``JyH&l3RVjA{xC=Rq{
z6}dLQKK(BW4N!Y)Mzd3h)PX8L3OR6JX82vsk%|<`y{3G<99ycR8(ZD;4@=k|d
zx1nPOrARPmMi86c#Qn^1g5RVk00)%LY3fdvDm`_|D|ZP>a4hmnJmTiqc40*eItZ0G
z(Cfxe`6oWB{4L&V2-lf)Dz{MkXQ(A{E}?e1cWU;s-J?xBbGBUgebeTI{+k+LT|P=A
z;GHDn*981}=hBJAGXPX?iXEu)RoZN2kKn)}Yp)=+)%`(=Hk2z^Csu^a+hNSE9<}O4
zW9BhF843QW<{+N^4NZ(+Ohu0L$qp9AhpJ?UbX8~fibx(>f3CRh|ZH~FPW;%L4
z2Jfb`#^2zr=0rNvM5{6`q6x-M;QJ8B$W1lwJwBT6OTa+L|E?*68NnD-d
zqirI@#!DTk6=nvBq1t|F2a57+*JomCoPO&bkNHd&fq@7CoA#=ogI@ER;^g6MTjnNJpU8$17lkcby!fn#Y^cf59qs4;WjW9@I`pu+^=!$XvlzSp
zHl-BP6qCLifc*pwQ8vDfUY0lgjC>>zTLL$6VLQBKH2U4M(&?%A718nspPj%tmUBw+
z#X>LH_#p;`9!I5vv6@cVh1b)~bHTXz;!@s>4omWjec#A;((g=Fq_p{u1|<#I-D{h1
zr%{sZ%zv+3T?)s{c78c|r6Ez1kf5OuRJ<^!_`!;|HxG;mZiSf=CdVqy^)Fpf=
zR6<3YrraF!c1|tIJ#;9sg<)`+=a+cw8*6)$-yV3w_=*W`MB#~zjz6^LYX4eVoTxdI
zc3h_Bc-v+z^z5>e3vEp)brfA?bQ>r1^-8x`-ATBNL)99$&
z;rXG-!IBn08OxyuZoj`hcQ)a@7O5;d=o7$6_hSTJ
z;(^Dr%6p+QhE473G62?L^T{&S2^UB8^~fFHE0@wP^b_T#h%rn7^=(?yQf+N!)<~#c
zB&mh#W%khdZrGJgs@ixb%h?ad2HG&$G8+QXR6zbUk;$(r4F#>F^1>Br!mAfDkRR@D
z!K|#|oQjAh)DlY~3|CG`+4@opGIM
z^i^Z4rXu>d*NVXngpKKI2U_*K}S3_}=T|7q^w`XB`
z2D5mfvT(`vMwh8DGJql?=LI15;DsNI&n^nhYwgI&-{a#V-{;<=cJWiZ5HEkDY(4jD
zc2?xCALMIz@)_iwDG(vRJQ8kP7xC8|N5n
z-mb8AOpEdA->ZPnh_c<&o3Jg+X;AwynF(`1Ihpp9xt|hy
zu7!?dLSahdVg=JpZk#xq{L7i0Y3(N`w+}g
zn}vYJKK$VH`HhCBK)g%Cw8flu&$)8+Ef5m{+5}|bRYsP&t~Jk0TLEENO=yT3nrvyfYKk*n#uYjkyI9wC{A(mO8ae&B%;9#dTh)|_V0}&D>^xO(UZ2e
z2{_|CZ)7#U(3yWf5i9##7`c79OX{6Y8(moRVE~tW6|XopYg$JLlxm|Q3X{o#=h{Lt
zyCavxXR*2;2qGJ^XJ;nKfb^TpVwPUUM{br*(tWeRu{4Id4v!3gY2#K~T^)u_Zer}E
zn_7xjY>yK@ouN|9;O0P^ZRT#CcRfGYf%F#Vs;VRb^a|0p^Z(QZ;v
z_h#9VcRfJ+!d^?N=4N?P&mP&Il_OwCQMpD;0zHfk@ay$}8TVzgO~mUpV_LitM@Q8z
z?9S+w#)-R7Wlo;vsZz9D@#pj>8Cxn}a*?q4(u0!Y^j5C?U$fc+Q?CL`w3ANg?&_1
z?FycB-DhP^mg2^y?@lqA_P>^f{|QRaU~igN=blSkS9CZwMjy&9MHhfv%{2!{eynf`
z$pvnj!j!PJ^$UUrQOmKo@@YFMK}y`iI9Na(F-H2m)K^;G@|^OUI0RWuw$|>Zi>>4v
zq8|c(foEJT-K`qR-DS&5P&JlKeXe6o?f)$qE9Lfsl2!ik}0GeaVk8W1YV42f9!
zrDpRi_q@-CcyuXkqt%*k_=Sc09&?96Tu==56A9)J#}xMwb)PC2fO#x-Caabw>Rn0y
z{HI2_IqLYwp=X|p=?Np~=954+Ml?kfMhR7O0xujiI*!b{uTA~|{_q>bBp
z=-{T8<|tDq3CTI;lW2D@h@1>&cH*BDa_y{)8j?pQ@ST4-bycb_leaSjIqXOg!I-dI
zwNUCuLgX|9CoCb|R&9g{#A6D$#nUq#?A;pr8AdUx?+Mg??0rWBc7w@CmP8$GxdE}e
zzHzq~`$CYEEw*mQui5d*E?e~uhB&}WX3EcR8?CKn>HfFzpYY*7uYx^#J!@o8sI_T#
z<9>7j4!UEiu=RQ98@44ed!uGToSby}kzEY$x!v2ihKXiyj2);!CRiFr>vI6V7wV&~
zpF$-W<*Q*jZKoda1CDyKwXd4AY%8NW?9?a@Yy}T{I
z8l%pzl#*N&hVTtVAK9|*u$h3nx1=6hC?%PgdUH$1
zgU4B#9LvX`-GA_Cqken?Okqp8ZYE~ymacnbL{jExU#!eyp{f&~&7KrUZ(@I$|
z*^;qz>W?cO%fU+}`r^A}yw+(=Jny@=CHlQvYr*sZn~Mq?a}U+deU_vMDx=p%_S
zeq4>UTvg|Ns%zPo!tKDK1jo!MHXs5k!B@$&Iw30U0NMQkIcpzN?DYb2*ymZtS+0tL
z|7ZN81f&h|3Gcxa1-K}FIu}UC&Q5;*yA>^uZA?ny{4)}sFcUL|IrhZMoeaaeLpX1W
z;w-j*w2UV02#G(CdabMIPx^&kQ$y&xwe3xF%dn^Zx=-2>R>1)!wONiAju(G&X}wa&e3M9e@y*jUOnq=Da;aeY3U?)V#0wlC4b>zD
zYg41RpwFSrtQS5)@i*U(!g@ZK3qpF#ekkwhzv36}MIRhhvDIX_{kvF-w-i!URUy&1
zZ(GVLd13Rxa`n}=54^&rT5t6b{-~*ny>~1i9TpVYZ!wNEQFHytZc3QlVJihZ*&r<0
z+pVZ@C%9pIE7QsXE_Wp;lEw)G|JA?Qr?Kw4JQlq%?zBMH%3
zQ6JVx`e*&{{{B6UR&7EDCoSR>Ia4d+4zz1c4JkkrJzYuTQJ&qreUvcDtG1l9xOB(^
zrc~7sn*MO0arcJ>5^dNJY0Dd`dhvNp0zvzsHa0TO=<$99GqoAfRNXiNXf(!*IEnmP
zr8tbeCb^b*$m_VvC6g&*bjtGqCpo-Ox`{)A5lw;yGH&b+sGu3`p#9`TQsPue)fUR<
z&`V+$NVA8gzWIS^yrU#20h!!^9m?LW?#vpgS2M(T!&ts|UtGu)ibm12hjYQH3>Qh9
z&4Gq1i{aI05C~XPmovUh_g2b!EvwQ{JyK_xNk>x&ulaux-hYGOKQD&wmOXCwH|wi#
z>ZA;Hh-sqvZJyfmPTTsim;OTNb>l5w$r>9)Wr+8Y$ptx_kA@kv@KugIc@7s51}<>$GYQ56)Ki`;R>$*#5fm%=a3oHXA{2r
ze(gE^q7@6M#NOKDk?lQ!5v+|OS})<3Q$-XinH=iC%oZ$K*8mR&EYajonfKIB3qJw`
zEh)zGw95_xD1yBg7v#8+sMaF^CW02x=1c30XZN3`1|S3xsHPU&%AtideyTVxW^pmN
zC+CEKwcWLdiPK%WA><$Zk_5~1-n5;YlQ3aqhz90Q0Xyfxt(2@|0?VzodBvU=`;yT2
z97iv%rVlOZAzEh~-1FWqO$aNkyaLq>*<|?mOs(GR3FT392W{moZ;HD&I)GzNjoj|$
z6#h>D!~{G0fG#7m_{NwN;WBo+FBYH&u^ak!z=N*W+uPe4om4A>NYVy$G_k2Ag|NAO
z1wvW{1B!~LGZRF@(ZG@sG?88UFOlrO7R5%3$!Z0a^39~K+xO1U`7jU^5z(@hy;s>te8_ua9x0Q
zn(l}+Nj+K~g&_``wy#um;Qzq?f&T;l2mTNIANW7;|84Ov|JCpRS8NUz9_W9coCNv_
z?xl52VVa7r#b5F5PRa<1$EH=S_IdUhr^0@&t!&FBRvJ)_Pg&>TFXt
z;Him`;9z20Fs(B_&VW(!)c3M{jzBor(F1Dq}caD#skevw=^xy`W{jSaVH-|RF^
zSxJ<1s$c_lG4y9pCj12Kt805nHipE(fmI(remtK}i2v8umpU5=fE&6Kz!tKfD5{zY
zco!fp1V_e}JZR%cv(4G}(kNtwr>75|O)au*I`|}b#FsjqhIe!NJ-zeaOcKF`RqzgX
zM*JenjN>g8sc(CV9npdUo7l-3T~TbOt`ob-!+y>EHiCg>^;n^+rmplETdVk@A`cVT
zA1`NM{`03FQ?x4Ad8O#s9fGCv7?9O}iuG`+X$PzYMAI#+5>jAk1=DDL4Zw~OY#s>1
zQelFQX}adIQepTSq~Q#Jb(w>Y{qR)gW)Aw04L6*=W|uYVCY8oiUWoVZpBMokVRv`n
z|G@u&{{#OA{tx^g_&@OfZSgOE^Xp%o&t1c5t;L4bTyJavWpxv!`N2~II|QWnuI)Ob
zYv3~hzdJ|?XBxHj0LyR7#yX)CPY)MQMfjp;JB;mJUhwT5L@?^+5I~?-#K5{H_o>s$tlw9%!2JAO%
zwPewi-QXC{!xhKIj#2sjTTl)0}n}@N`7N{W=1DLw7kpe!!Zsa-=pa8*m(NH%XbHdb1Xf#@^W+
z0!Yl(Z&WF*q+t}rJ+X~J$AAkhsNVDQV?(l=i7Q)eikH_fxBDBC;`#gl3*YY74ymO-
zu^WR8?-b)qS)xc+#&MP};#uWZXjqxtS8$~83O9k&BTMF?%87MjbR|K3ytK
zDO-8yV;5vhR^p`+p+(ZmL}s%bYB1U6cA4RPB%6{$xxo07C&85m{tx^g_&@M};Qzq?
jf&T;l-xmM>p8x{@D(Mktb)u`N00000NkvXXu0mjf(?NUb

diff --git a/doc/html-manual/highlight/styles/codepen-embed.css b/doc/html-manual/highlight/styles/codepen-embed.css
deleted file mode 100644
index 195c4a0784..0000000000
--- a/doc/html-manual/highlight/styles/codepen-embed.css
+++ /dev/null
@@ -1,60 +0,0 @@
-/*
-  codepen.io Embed Theme
-  Author: Justin Perry 
-  Original theme - https://github.com/chriskempson/tomorrow-theme
-*/
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  padding: 0.5em;
-  background: #222;
-  color: #fff;
-}
-
-.hljs-comment,
-.hljs-quote {
-  color: #777;
-}
-
-.hljs-variable,
-.hljs-template-variable,
-.hljs-tag,
-.hljs-regexp,
-.hljs-meta,
-.hljs-number,
-.hljs-built_in,
-.hljs-builtin-name,
-.hljs-literal,
-.hljs-params,
-.hljs-symbol,
-.hljs-bullet,
-.hljs-link,
-.hljs-deletion {
-  color: #ab875d;
-}
-
-.hljs-section,
-.hljs-title,
-.hljs-name,
-.hljs-selector-id,
-.hljs-selector-class,
-.hljs-type,
-.hljs-attribute {
-  color: #9b869b;
-}
-
-.hljs-string,
-.hljs-keyword,
-.hljs-selector-tag,
-.hljs-addition {
-  color: #8f9c6c;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
diff --git a/doc/html-manual/highlight/styles/color-brewer.css b/doc/html-manual/highlight/styles/color-brewer.css
deleted file mode 100644
index 7934d986a7..0000000000
--- a/doc/html-manual/highlight/styles/color-brewer.css
+++ /dev/null
@@ -1,71 +0,0 @@
-/*
-
-Colorbrewer theme
-Original: https://github.com/mbostock/colorbrewer-theme (c) Mike Bostock 
-Ported by Fabrício Tavares de Oliveira
-
-*/
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  padding: 0.5em;
-  background: #fff;
-}
-
-.hljs,
-.hljs-subst {
-  color: #000;
-}
-
-.hljs-string,
-.hljs-meta,
-.hljs-symbol,
-.hljs-template-tag,
-.hljs-template-variable,
-.hljs-addition {
-  color: #756bb1;
-}
-
-.hljs-comment,
-.hljs-quote {
-  color: #636363;
-}
-
-.hljs-number,
-.hljs-regexp,
-.hljs-literal,
-.hljs-bullet,
-.hljs-link {
-  color: #31a354;
-}
-
-.hljs-deletion,
-.hljs-variable {
-  color: #88f;
-}
-
-
-
-.hljs-keyword,
-.hljs-selector-tag,
-.hljs-title,
-.hljs-section,
-.hljs-built_in,
-.hljs-doctag,
-.hljs-type,
-.hljs-tag,
-.hljs-name,
-.hljs-selector-id,
-.hljs-selector-class,
-.hljs-strong {
-  color: #3182bd;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-attribute {
-  color: #e6550d;
-}
diff --git a/doc/html-manual/highlight/styles/dark.css b/doc/html-manual/highlight/styles/dark.css
deleted file mode 100644
index b4724f5f50..0000000000
--- a/doc/html-manual/highlight/styles/dark.css
+++ /dev/null
@@ -1,63 +0,0 @@
-/*
-
-Dark style from softwaremaniacs.org (c) Ivan Sagalaev 
-
-*/
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  padding: 0.5em;
-  background: #444;
-}
-
-.hljs-keyword,
-.hljs-selector-tag,
-.hljs-literal,
-.hljs-section,
-.hljs-link {
-  color: white;
-}
-
-.hljs,
-.hljs-subst {
-  color: #ddd;
-}
-
-.hljs-string,
-.hljs-title,
-.hljs-name,
-.hljs-type,
-.hljs-attribute,
-.hljs-symbol,
-.hljs-bullet,
-.hljs-built_in,
-.hljs-addition,
-.hljs-variable,
-.hljs-template-tag,
-.hljs-template-variable {
-  color: #d88;
-}
-
-.hljs-comment,
-.hljs-quote,
-.hljs-deletion,
-.hljs-meta {
-  color: #777;
-}
-
-.hljs-keyword,
-.hljs-selector-tag,
-.hljs-literal,
-.hljs-title,
-.hljs-section,
-.hljs-doctag,
-.hljs-type,
-.hljs-name,
-.hljs-strong {
-  font-weight: bold;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
diff --git a/doc/html-manual/highlight/styles/darkula.css b/doc/html-manual/highlight/styles/darkula.css
deleted file mode 100644
index f4646c3c5d..0000000000
--- a/doc/html-manual/highlight/styles/darkula.css
+++ /dev/null
@@ -1,6 +0,0 @@
-/*
-  Deprecated due to a typo in the name and left here for compatibility purpose only.
-  Please use darcula.css instead.
-*/
-
-@import url('darcula.css');
diff --git a/doc/html-manual/highlight/styles/default.css b/doc/html-manual/highlight/styles/default.css
deleted file mode 100644
index f1bfade31e..0000000000
--- a/doc/html-manual/highlight/styles/default.css
+++ /dev/null
@@ -1,99 +0,0 @@
-/*
-
-Original highlight.js style (c) Ivan Sagalaev 
-
-*/
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  padding: 0.5em;
-  background: #F0F0F0;
-}
-
-
-/* Base color: saturation 0; */
-
-.hljs,
-.hljs-subst {
-  color: #444;
-}
-
-.hljs-comment {
-  color: #888888;
-}
-
-.hljs-keyword,
-.hljs-attribute,
-.hljs-selector-tag,
-.hljs-meta-keyword,
-.hljs-doctag,
-.hljs-name {
-  font-weight: bold;
-}
-
-
-/* User color: hue: 0 */
-
-.hljs-type,
-.hljs-string,
-.hljs-number,
-.hljs-selector-id,
-.hljs-selector-class,
-.hljs-quote,
-.hljs-template-tag,
-.hljs-deletion {
-  color: #880000;
-}
-
-.hljs-title,
-.hljs-section {
-  color: #880000;
-  font-weight: bold;
-}
-
-.hljs-regexp,
-.hljs-symbol,
-.hljs-variable,
-.hljs-template-variable,
-.hljs-link,
-.hljs-selector-attr,
-.hljs-selector-pseudo {
-  color: #BC6060;
-}
-
-
-/* Language color: hue: 90; */
-
-.hljs-literal {
-  color: #78A960;
-}
-
-.hljs-built_in,
-.hljs-bullet,
-.hljs-code,
-.hljs-addition {
-  color: #397300;
-}
-
-
-/* Meta color: hue: 200 */
-
-.hljs-meta {
-  color: #1f7199;
-}
-
-.hljs-meta-string {
-  color: #4d99bf;
-}
-
-
-/* Misc effects */
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
diff --git a/doc/html-manual/highlight/styles/docco.css b/doc/html-manual/highlight/styles/docco.css
deleted file mode 100644
index db366be372..0000000000
--- a/doc/html-manual/highlight/styles/docco.css
+++ /dev/null
@@ -1,97 +0,0 @@
-/*
-Docco style used in http://jashkenas.github.com/docco/ converted by Simon Madine (@thingsinjars)
-*/
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  padding: 0.5em;
-  color: #000;
-  background: #f8f8ff;
-}
-
-.hljs-comment,
-.hljs-quote {
-  color: #408080;
-  font-style: italic;
-}
-
-.hljs-keyword,
-.hljs-selector-tag,
-.hljs-literal,
-.hljs-subst {
-  color: #954121;
-}
-
-.hljs-number {
-  color: #40a070;
-}
-
-.hljs-string,
-.hljs-doctag {
-  color: #219161;
-}
-
-.hljs-selector-id,
-.hljs-selector-class,
-.hljs-section,
-.hljs-type {
-  color: #19469d;
-}
-
-.hljs-params {
-  color: #00f;
-}
-
-.hljs-title {
-  color: #458;
-  font-weight: bold;
-}
-
-.hljs-tag,
-.hljs-name,
-.hljs-attribute {
-  color: #000080;
-  font-weight: normal;
-}
-
-.hljs-variable,
-.hljs-template-variable {
-  color: #008080;
-}
-
-.hljs-regexp,
-.hljs-link {
-  color: #b68;
-}
-
-.hljs-symbol,
-.hljs-bullet {
-  color: #990073;
-}
-
-.hljs-built_in,
-.hljs-builtin-name {
-  color: #0086b3;
-}
-
-.hljs-meta {
-  color: #999;
-  font-weight: bold;
-}
-
-.hljs-deletion {
-  background: #fdd;
-}
-
-.hljs-addition {
-  background: #dfd;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
diff --git a/doc/html-manual/highlight/styles/dracula.css b/doc/html-manual/highlight/styles/dracula.css
deleted file mode 100644
index d591db6801..0000000000
--- a/doc/html-manual/highlight/styles/dracula.css
+++ /dev/null
@@ -1,76 +0,0 @@
-/*
-
-Dracula Theme v1.2.0
-
-https://github.com/zenorocha/dracula-theme
-
-Copyright 2015, All rights reserved
-
-Code licensed under the MIT license
-http://zenorocha.mit-license.org
-
-@author Éverton Ribeiro 
-@author Zeno Rocha 
-
-*/
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  padding: 0.5em;
-  background: #282a36;
-}
-
-.hljs-keyword,
-.hljs-selector-tag,
-.hljs-literal,
-.hljs-section,
-.hljs-link {
-  color: #8be9fd;
-}
-
-.hljs-function .hljs-keyword {
-  color: #ff79c6;
-}
-
-.hljs,
-.hljs-subst {
-  color: #f8f8f2;
-}
-
-.hljs-string,
-.hljs-title,
-.hljs-name,
-.hljs-type,
-.hljs-attribute,
-.hljs-symbol,
-.hljs-bullet,
-.hljs-addition,
-.hljs-variable,
-.hljs-template-tag,
-.hljs-template-variable {
-  color: #f1fa8c;
-}
-
-.hljs-comment,
-.hljs-quote,
-.hljs-deletion,
-.hljs-meta {
-  color: #6272a4;
-}
-
-.hljs-keyword,
-.hljs-selector-tag,
-.hljs-literal,
-.hljs-title,
-.hljs-section,
-.hljs-doctag,
-.hljs-type,
-.hljs-name,
-.hljs-strong {
-  font-weight: bold;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
diff --git a/doc/html-manual/highlight/styles/far.css b/doc/html-manual/highlight/styles/far.css
deleted file mode 100644
index 2b3f87b562..0000000000
--- a/doc/html-manual/highlight/styles/far.css
+++ /dev/null
@@ -1,71 +0,0 @@
-/*
-
-FAR Style (c) MajestiC 
-
-*/
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  padding: 0.5em;
-  background: #000080;
-}
-
-.hljs,
-.hljs-subst {
-  color: #0ff;
-}
-
-.hljs-string,
-.hljs-attribute,
-.hljs-symbol,
-.hljs-bullet,
-.hljs-built_in,
-.hljs-builtin-name,
-.hljs-template-tag,
-.hljs-template-variable,
-.hljs-addition {
-  color: #ff0;
-}
-
-.hljs-keyword,
-.hljs-selector-tag,
-.hljs-section,
-.hljs-type,
-.hljs-name,
-.hljs-selector-id,
-.hljs-selector-class,
-.hljs-variable {
-  color: #fff;
-}
-
-.hljs-comment,
-.hljs-quote,
-.hljs-doctag,
-.hljs-deletion {
-  color: #888;
-}
-
-.hljs-number,
-.hljs-regexp,
-.hljs-literal,
-.hljs-link {
-  color: #0f0;
-}
-
-.hljs-meta {
-  color: #008080;
-}
-
-.hljs-keyword,
-.hljs-selector-tag,
-.hljs-title,
-.hljs-section,
-.hljs-name,
-.hljs-strong {
-  font-weight: bold;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
diff --git a/doc/html-manual/highlight/styles/foundation.css b/doc/html-manual/highlight/styles/foundation.css
deleted file mode 100644
index f1fe64b377..0000000000
--- a/doc/html-manual/highlight/styles/foundation.css
+++ /dev/null
@@ -1,88 +0,0 @@
-/*
-Description: Foundation 4 docs style for highlight.js
-Author: Dan Allen 
-Website: http://foundation.zurb.com/docs/
-Version: 1.0
-Date: 2013-04-02
-*/
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  padding: 0.5em;
-  background: #eee; color: black;
-}
-
-.hljs-link,
-.hljs-emphasis,
-.hljs-attribute,
-.hljs-addition {
-  color: #070;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong,
-.hljs-string,
-.hljs-deletion {
-  color: #d14;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
-
-.hljs-quote,
-.hljs-comment {
-  color: #998;
-  font-style: italic;
-}
-
-.hljs-section,
-.hljs-title {
-  color: #900;
-}
-
-.hljs-class .hljs-title,
-.hljs-type {
-  color: #458;
-}
-
-.hljs-variable,
-.hljs-template-variable {
-  color: #336699;
-}
-
-.hljs-bullet {
-  color: #997700;
-}
-
-.hljs-meta {
-  color: #3344bb;
-}
-
-.hljs-code,
-.hljs-number,
-.hljs-literal,
-.hljs-keyword,
-.hljs-selector-tag {
-  color: #099;
-}
-
-.hljs-regexp {
-  background-color: #fff0ff;
-  color: #880088;
-}
-
-.hljs-symbol {
-  color: #990073;
-}
-
-.hljs-tag,
-.hljs-name,
-.hljs-selector-id,
-.hljs-selector-class {
-  color: #007700;
-}
diff --git a/doc/html-manual/highlight/styles/github-gist.css b/doc/html-manual/highlight/styles/github-gist.css
deleted file mode 100644
index 155f0b9160..0000000000
--- a/doc/html-manual/highlight/styles/github-gist.css
+++ /dev/null
@@ -1,71 +0,0 @@
-/**
- * GitHub Gist Theme
- * Author : Louis Barranqueiro - https://github.com/LouisBarranqueiro
- */
-
-.hljs {
-  display: block;
-  background: white;
-  padding: 0.5em;
-  color: #333333;
-  overflow-x: auto;
-}
-
-.hljs-comment,
-.hljs-meta {
-  color: #969896;
-}
-
-.hljs-string,
-.hljs-variable,
-.hljs-template-variable,
-.hljs-strong,
-.hljs-emphasis,
-.hljs-quote {
-  color: #df5000;
-}
-
-.hljs-keyword,
-.hljs-selector-tag,
-.hljs-type {
-  color: #a71d5d;
-}
-
-.hljs-literal,
-.hljs-symbol,
-.hljs-bullet,
-.hljs-attribute {
-  color: #0086b3;
-}
-
-.hljs-section,
-.hljs-name {
-  color: #63a35c;
-}
-
-.hljs-tag {
-  color: #333333;
-}
-
-.hljs-title,
-.hljs-attr,
-.hljs-selector-id,
-.hljs-selector-class,
-.hljs-selector-attr,
-.hljs-selector-pseudo {
-  color: #795da3;
-}
-
-.hljs-addition {
-  color: #55a532;
-  background-color: #eaffea;
-}
-
-.hljs-deletion {
-  color: #bd2c00;
-  background-color: #ffecec;
-}
-
-.hljs-link {
-  text-decoration: underline;
-}
diff --git a/doc/html-manual/highlight/styles/github.css b/doc/html-manual/highlight/styles/github.css
deleted file mode 100644
index 791932b87e..0000000000
--- a/doc/html-manual/highlight/styles/github.css
+++ /dev/null
@@ -1,99 +0,0 @@
-/*
-
-github.com style (c) Vasily Polovnyov 
-
-*/
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  padding: 0.5em;
-  color: #333;
-  background: #f8f8f8;
-}
-
-.hljs-comment,
-.hljs-quote {
-  color: #998;
-  font-style: italic;
-}
-
-.hljs-keyword,
-.hljs-selector-tag,
-.hljs-subst {
-  color: #333;
-  font-weight: bold;
-}
-
-.hljs-number,
-.hljs-literal,
-.hljs-variable,
-.hljs-template-variable,
-.hljs-tag .hljs-attr {
-  color: #008080;
-}
-
-.hljs-string,
-.hljs-doctag {
-  color: #d14;
-}
-
-.hljs-title,
-.hljs-section,
-.hljs-selector-id {
-  color: #900;
-  font-weight: bold;
-}
-
-.hljs-subst {
-  font-weight: normal;
-}
-
-.hljs-type,
-.hljs-class .hljs-title {
-  color: #458;
-  font-weight: bold;
-}
-
-.hljs-tag,
-.hljs-name,
-.hljs-attribute {
-  color: #000080;
-  font-weight: normal;
-}
-
-.hljs-regexp,
-.hljs-link {
-  color: #009926;
-}
-
-.hljs-symbol,
-.hljs-bullet {
-  color: #990073;
-}
-
-.hljs-built_in,
-.hljs-builtin-name {
-  color: #0086b3;
-}
-
-.hljs-meta {
-  color: #999;
-  font-weight: bold;
-}
-
-.hljs-deletion {
-  background: #fdd;
-}
-
-.hljs-addition {
-  background: #dfd;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
diff --git a/doc/html-manual/highlight/styles/googlecode.css b/doc/html-manual/highlight/styles/googlecode.css
deleted file mode 100644
index 884ad63538..0000000000
--- a/doc/html-manual/highlight/styles/googlecode.css
+++ /dev/null
@@ -1,89 +0,0 @@
-/*
-
-Google Code style (c) Aahan Krish 
-
-*/
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  padding: 0.5em;
-  background: white;
-  color: black;
-}
-
-.hljs-comment,
-.hljs-quote {
-  color: #800;
-}
-
-.hljs-keyword,
-.hljs-selector-tag,
-.hljs-section,
-.hljs-title,
-.hljs-name {
-  color: #008;
-}
-
-.hljs-variable,
-.hljs-template-variable {
-  color: #660;
-}
-
-.hljs-string,
-.hljs-selector-attr,
-.hljs-selector-pseudo,
-.hljs-regexp {
-  color: #080;
-}
-
-.hljs-literal,
-.hljs-symbol,
-.hljs-bullet,
-.hljs-meta,
-.hljs-number,
-.hljs-link {
-  color: #066;
-}
-
-.hljs-title,
-.hljs-doctag,
-.hljs-type,
-.hljs-attr,
-.hljs-built_in,
-.hljs-builtin-name,
-.hljs-params {
-  color: #606;
-}
-
-.hljs-attribute,
-.hljs-subst {
-  color: #000;
-}
-
-.hljs-formula {
-  background-color: #eee;
-  font-style: italic;
-}
-
-.hljs-selector-id,
-.hljs-selector-class {
-  color: #9B703F
-}
-
-.hljs-addition {
-  background-color: #baeeba;
-}
-
-.hljs-deletion {
-  background-color: #ffc8bd;
-}
-
-.hljs-doctag,
-.hljs-strong {
-  font-weight: bold;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
diff --git a/doc/html-manual/highlight/styles/grayscale.css b/doc/html-manual/highlight/styles/grayscale.css
deleted file mode 100644
index 5376f34064..0000000000
--- a/doc/html-manual/highlight/styles/grayscale.css
+++ /dev/null
@@ -1,101 +0,0 @@
-/*
-
-grayscale style (c) MY Sun 
-
-*/
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  padding: 0.5em;
-  color: #333;
-  background: #fff;
-}
-
-.hljs-comment,
-.hljs-quote {
-  color: #777;
-  font-style: italic;
-}
-
-.hljs-keyword,
-.hljs-selector-tag,
-.hljs-subst {
-  color: #333;
-  font-weight: bold;
-}
-
-.hljs-number,
-.hljs-literal {
-  color: #777;
-}
-
-.hljs-string,
-.hljs-doctag,
-.hljs-formula {
-  color: #333;
-  background: url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAQAAAAECAYAAACp8Z5+AAAAJ0lEQVQIW2O8e/fufwYGBgZBQUEQxcCIIfDu3Tuwivfv30NUoAsAALHpFMMLqZlPAAAAAElFTkSuQmCC) repeat;
-}
-
-.hljs-title,
-.hljs-section,
-.hljs-selector-id {
-  color: #000;
-  font-weight: bold;
-}
-
-.hljs-subst {
-  font-weight: normal;
-}
-
-.hljs-class .hljs-title,
-.hljs-type,
-.hljs-name {
-  color: #333;
-  font-weight: bold;
-}
-
-.hljs-tag {
-  color: #333;
-}
-
-.hljs-regexp {
-    color: #333;
-    background: url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAoAAAAICAYAAADA+m62AAAAPUlEQVQYV2NkQAN37979r6yszIgujiIAU4RNMVwhuiQ6H6wQl3XI4oy4FMHcCJPHcDS6J2A2EqUQpJhohQDexSef15DBCwAAAABJRU5ErkJggg==) repeat;
-}
-
-.hljs-symbol,
-.hljs-bullet,
-.hljs-link {
-  color: #000;
-  background: url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAKElEQVQIW2NkQAO7d+/+z4gsBhJwdXVlhAvCBECKwIIwAbhKZBUwBQA6hBpm5efZsgAAAABJRU5ErkJggg==) repeat;
-}
-
-.hljs-built_in,
-.hljs-builtin-name {
-  color: #000;
-  text-decoration: underline;
-}
-
-.hljs-meta {
-  color: #999;
-  font-weight: bold;
-}
-
-.hljs-deletion {
-  color: #fff;
-  background:url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAADCAYAAABS3WWCAAAAE0lEQVQIW2MMDQ39zzhz5kwIAQAyxweWgUHd1AAAAABJRU5ErkJggg==) repeat;
-}
-
-.hljs-addition {
-  color: #000;
-  background: url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAkAAAAJCAYAAADgkQYQAAAALUlEQVQYV2N89+7dfwYk8P79ewZBQUFkIQZGOiu6e/cuiptQHAPl0NtNxAQBAM97Oejj3Dg7AAAAAElFTkSuQmCC) repeat;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
diff --git a/doc/html-manual/highlight/styles/gruvbox-dark.css b/doc/html-manual/highlight/styles/gruvbox-dark.css
deleted file mode 100644
index f563811a86..0000000000
--- a/doc/html-manual/highlight/styles/gruvbox-dark.css
+++ /dev/null
@@ -1,108 +0,0 @@
-/*
-
-Gruvbox style (dark) (c) Pavel Pertsev (original style at https://github.com/morhetz/gruvbox)
-
-*/
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  padding: 0.5em;
-  background: #282828;
-}
-
-.hljs,
-.hljs-subst {
-  color: #ebdbb2;
-}
-
-/* Gruvbox Red */
-.hljs-deletion,
-.hljs-formula,
-.hljs-keyword,
-.hljs-link,
-.hljs-selector-tag {
-  color: #fb4934;
-}
-
-/* Gruvbox Blue */
-.hljs-built_in,
-.hljs-emphasis,
-.hljs-name,
-.hljs-quote,
-.hljs-strong,
-.hljs-title,
-.hljs-variable {
-  color: #83a598;
-}
-
-/* Gruvbox Yellow */
-.hljs-attr,
-.hljs-params,
-.hljs-template-tag,
-.hljs-type {
-  color: #fabd2f;
-}
-
-/* Gruvbox Purple */
-.hljs-builtin-name,
-.hljs-doctag,
-.hljs-literal,
-.hljs-number {
-  color: #8f3f71;
-}
-
-/* Gruvbox Orange */
-.hljs-code,
-.hljs-meta,
-.hljs-regexp,
-.hljs-selector-id,
-.hljs-template-variable {
-  color: #fe8019;
-}
-
-/* Gruvbox Green */
-.hljs-addition,
-.hljs-meta-string,
-.hljs-section,
-.hljs-selector-attr,
-.hljs-selector-class,
-.hljs-string,
-.hljs-symbol {
-  color: #b8bb26;
-}
-
-/* Gruvbox Aqua */
-.hljs-attribute,
-.hljs-bullet,
-.hljs-class,
-.hljs-function,
-.hljs-function .hljs-keyword,
-.hljs-meta-keyword,
-.hljs-selector-pseudo,
-.hljs-tag {
-  color: #8ec07c;
-}
-
-/* Gruvbox Gray */
-.hljs-comment {
-  color: #928374;
-}
-
-/* Gruvbox Purple */
-.hljs-link_label,
-.hljs-literal,
-.hljs-number {
-  color: #d3869b;
-}
-
-.hljs-comment,
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-section,
-.hljs-strong,
-.hljs-tag {
-  font-weight: bold;
-}
diff --git a/doc/html-manual/highlight/styles/gruvbox-light.css b/doc/html-manual/highlight/styles/gruvbox-light.css
deleted file mode 100644
index ff45468eb2..0000000000
--- a/doc/html-manual/highlight/styles/gruvbox-light.css
+++ /dev/null
@@ -1,108 +0,0 @@
-/*
-
-Gruvbox style (light) (c) Pavel Pertsev (original style at https://github.com/morhetz/gruvbox)
-
-*/
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  padding: 0.5em;
-  background: #fbf1c7;
-}
-
-.hljs,
-.hljs-subst {
-  color: #3c3836;
-}
-
-/* Gruvbox Red */
-.hljs-deletion,
-.hljs-formula,
-.hljs-keyword,
-.hljs-link,
-.hljs-selector-tag {
-  color: #9d0006;
-}
-
-/* Gruvbox Blue */
-.hljs-built_in,
-.hljs-emphasis,
-.hljs-name,
-.hljs-quote,
-.hljs-strong,
-.hljs-title,
-.hljs-variable {
-  color: #076678;
-}
-
-/* Gruvbox Yellow */
-.hljs-attr,
-.hljs-params,
-.hljs-template-tag,
-.hljs-type {
-  color: #b57614;
-}
-
-/* Gruvbox Purple */
-.hljs-builtin-name,
-.hljs-doctag,
-.hljs-literal,
-.hljs-number {
-  color: #8f3f71;
-}
-
-/* Gruvbox Orange */
-.hljs-code,
-.hljs-meta,
-.hljs-regexp,
-.hljs-selector-id,
-.hljs-template-variable {
-  color: #af3a03;
-}
-
-/* Gruvbox Green */
-.hljs-addition,
-.hljs-meta-string,
-.hljs-section,
-.hljs-selector-attr,
-.hljs-selector-class,
-.hljs-string,
-.hljs-symbol {
-  color: #79740e;
-}
-
-/* Gruvbox Aqua */
-.hljs-attribute,
-.hljs-bullet,
-.hljs-class,
-.hljs-function,
-.hljs-function .hljs-keyword,
-.hljs-meta-keyword,
-.hljs-selector-pseudo,
-.hljs-tag {
-  color: #427b58;
-}
-
-/* Gruvbox Gray */
-.hljs-comment {
-  color: #928374;
-}
-
-/* Gruvbox Purple */
-.hljs-link_label,
-.hljs-literal,
-.hljs-number {
-  color: #8f3f71;
-}
-
-.hljs-comment,
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-section,
-.hljs-strong,
-.hljs-tag {
-  font-weight: bold;
-}
diff --git a/doc/html-manual/highlight/styles/hopscotch.css b/doc/html-manual/highlight/styles/hopscotch.css
deleted file mode 100644
index 32e60d230a..0000000000
--- a/doc/html-manual/highlight/styles/hopscotch.css
+++ /dev/null
@@ -1,83 +0,0 @@
-/*
- * Hopscotch
- * by Jan T. Sott
- * https://github.com/idleberg/Hopscotch
- *
- * This work is licensed under the Creative Commons CC0 1.0 Universal License
- */
-
-/* Comment */
-.hljs-comment,
-.hljs-quote {
-  color: #989498;
-}
-
-/* Red */
-.hljs-variable,
-.hljs-template-variable,
-.hljs-attribute,
-.hljs-tag,
-.hljs-name,
-.hljs-selector-id,
-.hljs-selector-class,
-.hljs-regexp,
-.hljs-link,
-.hljs-deletion {
-  color: #dd464c;
-}
-
-/* Orange */
-.hljs-number,
-.hljs-built_in,
-.hljs-builtin-name,
-.hljs-literal,
-.hljs-type,
-.hljs-params {
-  color: #fd8b19;
-}
-
-/* Yellow */
-.hljs-class .hljs-title {
-  color: #fdcc59;
-}
-
-/* Green */
-.hljs-string,
-.hljs-symbol,
-.hljs-bullet,
-.hljs-addition {
-  color: #8fc13e;
-}
-
-/* Aqua */
-.hljs-meta {
-  color: #149b93;
-}
-
-/* Blue */
-.hljs-function,
-.hljs-section,
-.hljs-title {
-  color: #1290bf;
-}
-
-/* Purple */
-.hljs-keyword,
-.hljs-selector-tag {
-  color: #c85e7c;
-}
-
-.hljs {
-  display: block;
-  background: #322931;
-  color: #b9b5b8;
-  padding: 0.5em;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
diff --git a/doc/html-manual/highlight/styles/hybrid.css b/doc/html-manual/highlight/styles/hybrid.css
deleted file mode 100644
index 29735a1890..0000000000
--- a/doc/html-manual/highlight/styles/hybrid.css
+++ /dev/null
@@ -1,102 +0,0 @@
-/*
-
-vim-hybrid theme by w0ng (https://github.com/w0ng/vim-hybrid)
-
-*/
-
-/*background color*/
-.hljs {
-  display: block;
-  overflow-x: auto;
-  padding: 0.5em;
-  background: #1d1f21;
-}
-
-/*selection color*/
-.hljs::selection,
-.hljs span::selection {
-  background: #373b41;
-}
-
-.hljs::-moz-selection,
-.hljs span::-moz-selection {
-  background: #373b41;
-}
-
-/*foreground color*/
-.hljs {
-  color: #c5c8c6;
-}
-
-/*color: fg_yellow*/
-.hljs-title,
-.hljs-name {
-  color: #f0c674;
-}
-
-/*color: fg_comment*/
-.hljs-comment,
-.hljs-meta,
-.hljs-meta .hljs-keyword {
-  color: #707880;
-}
-
-/*color: fg_red*/
-.hljs-number,
-.hljs-symbol,
-.hljs-literal,
-.hljs-deletion,
-.hljs-link {
- color: #cc6666
-}
-
-/*color: fg_green*/
-.hljs-string,
-.hljs-doctag,
-.hljs-addition,
-.hljs-regexp,
-.hljs-selector-attr,
-.hljs-selector-pseudo {
-  color: #b5bd68;
-}
-
-/*color: fg_purple*/
-.hljs-attribute,
-.hljs-code,
-.hljs-selector-id {
- color: #b294bb;
-}
-
-/*color: fg_blue*/
-.hljs-keyword,
-.hljs-selector-tag,
-.hljs-bullet,
-.hljs-tag {
- color: #81a2be;
-}
-
-/*color: fg_aqua*/
-.hljs-subst,
-.hljs-variable,
-.hljs-template-tag,
-.hljs-template-variable {
-  color: #8abeb7;
-}
-
-/*color: fg_orange*/
-.hljs-type,
-.hljs-built_in,
-.hljs-builtin-name,
-.hljs-quote,
-.hljs-section,
-.hljs-selector-class {
-  color: #de935f;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
diff --git a/doc/html-manual/highlight/styles/idea.css b/doc/html-manual/highlight/styles/idea.css
deleted file mode 100644
index 3bf1892bd4..0000000000
--- a/doc/html-manual/highlight/styles/idea.css
+++ /dev/null
@@ -1,97 +0,0 @@
-/*
-
-Intellij Idea-like styling (c) Vasily Polovnyov 
-
-*/
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  padding: 0.5em;
-  color: #000;
-  background: #fff;
-}
-
-.hljs-subst,
-.hljs-title {
-  font-weight: normal;
-  color: #000;
-}
-
-.hljs-comment,
-.hljs-quote {
-  color: #808080;
-  font-style: italic;
-}
-
-.hljs-meta {
-  color: #808000;
-}
-
-.hljs-tag {
-  background: #efefef;
-}
-
-.hljs-section,
-.hljs-name,
-.hljs-literal,
-.hljs-keyword,
-.hljs-selector-tag,
-.hljs-type,
-.hljs-selector-id,
-.hljs-selector-class {
-  font-weight: bold;
-  color: #000080;
-}
-
-.hljs-attribute,
-.hljs-number,
-.hljs-regexp,
-.hljs-link {
-  font-weight: bold;
-  color: #0000ff;
-}
-
-.hljs-number,
-.hljs-regexp,
-.hljs-link {
-  font-weight: normal;
-}
-
-.hljs-string {
-  color: #008000;
-  font-weight: bold;
-}
-
-.hljs-symbol,
-.hljs-bullet,
-.hljs-formula {
-  color: #000;
-  background: #d0eded;
-  font-style: italic;
-}
-
-.hljs-doctag {
-  text-decoration: underline;
-}
-
-.hljs-variable,
-.hljs-template-variable {
-  color: #660e7a;
-}
-
-.hljs-addition {
-  background: #baeeba;
-}
-
-.hljs-deletion {
-  background: #ffc8bd;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
diff --git a/doc/html-manual/highlight/styles/ir-black.css b/doc/html-manual/highlight/styles/ir-black.css
deleted file mode 100644
index bd4c755ed8..0000000000
--- a/doc/html-manual/highlight/styles/ir-black.css
+++ /dev/null
@@ -1,73 +0,0 @@
-/*
-  IR_Black style (c) Vasily Mikhailitchenko 
-*/
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  padding: 0.5em;
-  background: #000;
-  color: #f8f8f8;
-}
-
-.hljs-comment,
-.hljs-quote,
-.hljs-meta {
-  color: #7c7c7c;
-}
-
-.hljs-keyword,
-.hljs-selector-tag,
-.hljs-tag,
-.hljs-name {
-  color: #96cbfe;
-}
-
-.hljs-attribute,
-.hljs-selector-id {
-  color: #ffffb6;
-}
-
-.hljs-string,
-.hljs-selector-attr,
-.hljs-selector-pseudo,
-.hljs-addition {
-  color: #a8ff60;
-}
-
-.hljs-subst {
-  color: #daefa3;
-}
-
-.hljs-regexp,
-.hljs-link {
-  color: #e9c062;
-}
-
-.hljs-title,
-.hljs-section,
-.hljs-type,
-.hljs-doctag {
-  color: #ffffb6;
-}
-
-.hljs-symbol,
-.hljs-bullet,
-.hljs-variable,
-.hljs-template-variable,
-.hljs-literal {
-  color: #c6c5fe;
-}
-
-.hljs-number,
-.hljs-deletion {
-  color:#ff73fd;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
diff --git a/doc/html-manual/highlight/styles/kimbie.dark.css b/doc/html-manual/highlight/styles/kimbie.dark.css
deleted file mode 100644
index d139cb5d0c..0000000000
--- a/doc/html-manual/highlight/styles/kimbie.dark.css
+++ /dev/null
@@ -1,74 +0,0 @@
-/*
-    Name:     Kimbie (dark)
-    Author:   Jan T. Sott
-    License:  Creative Commons Attribution-ShareAlike 4.0 Unported License
-    URL:      https://github.com/idleberg/Kimbie-highlight.js
-*/
-
-/* Kimbie Comment */
-.hljs-comment,
-.hljs-quote {
-  color: #d6baad;
-}
-
-/* Kimbie Red */
-.hljs-variable,
-.hljs-template-variable,
-.hljs-tag,
-.hljs-name,
-.hljs-selector-id,
-.hljs-selector-class,
-.hljs-regexp,
-.hljs-meta {
-  color: #dc3958;
-}
-
-/* Kimbie Orange */
-.hljs-number,
-.hljs-built_in,
-.hljs-builtin-name,
-.hljs-literal,
-.hljs-type,
-.hljs-params,
-.hljs-deletion,
-.hljs-link {
-  color: #f79a32;
-}
-
-/* Kimbie Yellow */
-.hljs-title,
-.hljs-section,
-.hljs-attribute {
-  color: #f06431;
-}
-
-/* Kimbie Green */
-.hljs-string,
-.hljs-symbol,
-.hljs-bullet,
-.hljs-addition {
-  color: #889b4a;
-}
-
-/* Kimbie Purple */
-.hljs-keyword,
-.hljs-selector-tag,
-.hljs-function {
-  color: #98676a;
-}
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  background: #221a0f;
-  color: #d3af86;
-  padding: 0.5em;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
diff --git a/doc/html-manual/highlight/styles/kimbie.light.css b/doc/html-manual/highlight/styles/kimbie.light.css
deleted file mode 100644
index 04ff6ed3a2..0000000000
--- a/doc/html-manual/highlight/styles/kimbie.light.css
+++ /dev/null
@@ -1,74 +0,0 @@
-/*
-    Name:     Kimbie (light)
-    Author:   Jan T. Sott
-    License:  Creative Commons Attribution-ShareAlike 4.0 Unported License
-    URL:      https://github.com/idleberg/Kimbie-highlight.js
-*/
-
-/* Kimbie Comment */
-.hljs-comment,
-.hljs-quote {
-  color: #a57a4c;
-}
-
-/* Kimbie Red */
-.hljs-variable,
-.hljs-template-variable,
-.hljs-tag,
-.hljs-name,
-.hljs-selector-id,
-.hljs-selector-class,
-.hljs-regexp,
-.hljs-meta {
-  color: #dc3958;
-}
-
-/* Kimbie Orange */
-.hljs-number,
-.hljs-built_in,
-.hljs-builtin-name,
-.hljs-literal,
-.hljs-type,
-.hljs-params,
-.hljs-deletion,
-.hljs-link {
-  color: #f79a32;
-}
-
-/* Kimbie Yellow */
-.hljs-title,
-.hljs-section,
-.hljs-attribute {
-  color: #f06431;
-}
-
-/* Kimbie Green */
-.hljs-string,
-.hljs-symbol,
-.hljs-bullet,
-.hljs-addition {
-  color: #889b4a;
-}
-
-/* Kimbie Purple */
-.hljs-keyword,
-.hljs-selector-tag,
-.hljs-function {
-  color: #98676a;
-}
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  background: #fbebd4;
-  color: #84613d;
-  padding: 0.5em;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
diff --git a/doc/html-manual/highlight/styles/magula.css b/doc/html-manual/highlight/styles/magula.css
deleted file mode 100644
index 44dee5e8e1..0000000000
--- a/doc/html-manual/highlight/styles/magula.css
+++ /dev/null
@@ -1,70 +0,0 @@
-/*
-Description: Magula style for highligh.js
-Author: Ruslan Keba 
-Website: http://rukeba.com/
-Version: 1.0
-Date: 2009-01-03
-Music: Aphex Twin / Xtal
-*/
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  padding: 0.5em;
-  background-color: #f4f4f4;
-}
-
-.hljs,
-.hljs-subst {
-  color: black;
-}
-
-.hljs-string,
-.hljs-title,
-.hljs-symbol,
-.hljs-bullet,
-.hljs-attribute,
-.hljs-addition,
-.hljs-variable,
-.hljs-template-tag,
-.hljs-template-variable {
-  color: #050;
-}
-
-.hljs-comment,
-.hljs-quote {
-  color: #777;
-}
-
-.hljs-number,
-.hljs-regexp,
-.hljs-literal,
-.hljs-type,
-.hljs-link {
-  color: #800;
-}
-
-.hljs-deletion,
-.hljs-meta {
-  color: #00e;
-}
-
-.hljs-keyword,
-.hljs-selector-tag,
-.hljs-doctag,
-.hljs-title,
-.hljs-section,
-.hljs-built_in,
-.hljs-tag,
-.hljs-name {
-  font-weight: bold;
-  color: navy;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
diff --git a/doc/html-manual/highlight/styles/mono-blue.css b/doc/html-manual/highlight/styles/mono-blue.css
deleted file mode 100644
index 884c97c767..0000000000
--- a/doc/html-manual/highlight/styles/mono-blue.css
+++ /dev/null
@@ -1,59 +0,0 @@
-/*
-  Five-color theme from a single blue hue.
-*/
-.hljs {
-  display: block;
-  overflow-x: auto;
-  padding: 0.5em;
-  background: #eaeef3;
-}
-
-.hljs {
-  color: #00193a;
-}
-
-.hljs-keyword,
-.hljs-selector-tag,
-.hljs-title,
-.hljs-section,
-.hljs-doctag,
-.hljs-name,
-.hljs-strong {
-  font-weight: bold;
-}
-
-.hljs-comment {
-  color: #738191;
-}
-
-.hljs-string,
-.hljs-title,
-.hljs-section,
-.hljs-built_in,
-.hljs-literal,
-.hljs-type,
-.hljs-addition,
-.hljs-tag,
-.hljs-quote,
-.hljs-name,
-.hljs-selector-id,
-.hljs-selector-class {
-  color: #0048ab;
-}
-
-.hljs-meta,
-.hljs-subst,
-.hljs-symbol,
-.hljs-regexp,
-.hljs-attribute,
-.hljs-deletion,
-.hljs-variable,
-.hljs-template-variable,
-.hljs-link,
-.hljs-bullet {
-  color: #4c81c9;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
diff --git a/doc/html-manual/highlight/styles/monokai-sublime.css b/doc/html-manual/highlight/styles/monokai-sublime.css
deleted file mode 100644
index 2864170daf..0000000000
--- a/doc/html-manual/highlight/styles/monokai-sublime.css
+++ /dev/null
@@ -1,83 +0,0 @@
-/*
-
-Monokai Sublime style. Derived from Monokai by noformnocontent http://nn.mit-license.org/
-
-*/
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  padding: 0.5em;
-  background: #23241f;
-}
-
-.hljs,
-.hljs-tag,
-.hljs-subst {
-  color: #f8f8f2;
-}
-
-.hljs-strong,
-.hljs-emphasis {
-  color: #a8a8a2;
-}
-
-.hljs-bullet,
-.hljs-quote,
-.hljs-number,
-.hljs-regexp,
-.hljs-literal,
-.hljs-link {
-  color: #ae81ff;
-}
-
-.hljs-code,
-.hljs-title,
-.hljs-section,
-.hljs-selector-class {
-  color: #a6e22e;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-keyword,
-.hljs-selector-tag,
-.hljs-name,
-.hljs-attr {
-  color: #f92672;
-}
-
-.hljs-symbol,
-.hljs-attribute {
-  color: #66d9ef;
-}
-
-.hljs-params,
-.hljs-class .hljs-title {
-  color: #f8f8f2;
-}
-
-.hljs-string,
-.hljs-type,
-.hljs-built_in,
-.hljs-builtin-name,
-.hljs-selector-id,
-.hljs-selector-attr,
-.hljs-selector-pseudo,
-.hljs-addition,
-.hljs-variable,
-.hljs-template-variable {
-  color: #e6db74;
-}
-
-.hljs-comment,
-.hljs-deletion,
-.hljs-meta {
-  color: #75715e;
-}
diff --git a/doc/html-manual/highlight/styles/monokai.css b/doc/html-manual/highlight/styles/monokai.css
deleted file mode 100644
index 775d53f91a..0000000000
--- a/doc/html-manual/highlight/styles/monokai.css
+++ /dev/null
@@ -1,70 +0,0 @@
-/*
-Monokai style - ported by Luigi Maselli - http://grigio.org
-*/
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  padding: 0.5em;
-  background: #272822; color: #ddd;
-}
-
-.hljs-tag,
-.hljs-keyword,
-.hljs-selector-tag,
-.hljs-literal,
-.hljs-strong,
-.hljs-name {
-  color: #f92672;
-}
-
-.hljs-code {
-  color: #66d9ef;
-}
-
-.hljs-class .hljs-title {
-  color: white;
-}
-
-.hljs-attribute,
-.hljs-symbol,
-.hljs-regexp,
-.hljs-link {
-  color: #bf79db;
-}
-
-.hljs-string,
-.hljs-bullet,
-.hljs-subst,
-.hljs-title,
-.hljs-section,
-.hljs-emphasis,
-.hljs-type,
-.hljs-built_in,
-.hljs-builtin-name,
-.hljs-selector-attr,
-.hljs-selector-pseudo,
-.hljs-addition,
-.hljs-variable,
-.hljs-template-tag,
-.hljs-template-variable {
-  color: #a6e22e;
-}
-
-.hljs-comment,
-.hljs-quote,
-.hljs-deletion,
-.hljs-meta {
-  color: #75715e;
-}
-
-.hljs-keyword,
-.hljs-selector-tag,
-.hljs-literal,
-.hljs-doctag,
-.hljs-title,
-.hljs-section,
-.hljs-type,
-.hljs-selector-id {
-  font-weight: bold;
-}
diff --git a/doc/html-manual/highlight/styles/obsidian.css b/doc/html-manual/highlight/styles/obsidian.css
deleted file mode 100644
index 356630fa23..0000000000
--- a/doc/html-manual/highlight/styles/obsidian.css
+++ /dev/null
@@ -1,88 +0,0 @@
-/**
- * Obsidian style
- * ported by Alexander Marenin (http://github.com/ioncreature)
- */
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  padding: 0.5em;
-  background: #282b2e;
-}
-
-.hljs-keyword,
-.hljs-selector-tag,
-.hljs-literal,
-.hljs-selector-id {
-  color: #93c763;
-}
-
-.hljs-number {
-  color: #ffcd22;
-}
-
-.hljs {
-  color: #e0e2e4;
-}
-
-.hljs-attribute {
-  color: #668bb0;
-}
-
-.hljs-code,
-.hljs-class .hljs-title,
-.hljs-section {
-  color: white;
-}
-
-.hljs-regexp,
-.hljs-link {
-  color: #d39745;
-}
-
-.hljs-meta {
-  color: #557182;
-}
-
-.hljs-tag,
-.hljs-name,
-.hljs-bullet,
-.hljs-subst,
-.hljs-emphasis,
-.hljs-type,
-.hljs-built_in,
-.hljs-selector-attr,
-.hljs-selector-pseudo,
-.hljs-addition,
-.hljs-variable,
-.hljs-template-tag,
-.hljs-template-variable {
-  color: #8cbbad;
-}
-
-.hljs-string,
-.hljs-symbol {
-  color: #ec7600;
-}
-
-.hljs-comment,
-.hljs-quote,
-.hljs-deletion {
-  color: #818e96;
-}
-
-.hljs-selector-class {
-  color: #A082BD
-}
-
-.hljs-keyword,
-.hljs-selector-tag,
-.hljs-literal,
-.hljs-doctag,
-.hljs-title,
-.hljs-section,
-.hljs-type,
-.hljs-name,
-.hljs-strong {
-  font-weight: bold;
-}
diff --git a/doc/html-manual/highlight/styles/paraiso-dark.css b/doc/html-manual/highlight/styles/paraiso-dark.css
deleted file mode 100644
index e7292401c6..0000000000
--- a/doc/html-manual/highlight/styles/paraiso-dark.css
+++ /dev/null
@@ -1,72 +0,0 @@
-/*
-    Paraíso (dark)
-    Created by Jan T. Sott (http://github.com/idleberg)
-    Inspired by the art of Rubens LP (http://www.rubenslp.com.br)
-*/
-
-/* Paraíso Comment */
-.hljs-comment,
-.hljs-quote {
-  color: #8d8687;
-}
-
-/* Paraíso Red */
-.hljs-variable,
-.hljs-template-variable,
-.hljs-tag,
-.hljs-name,
-.hljs-selector-id,
-.hljs-selector-class,
-.hljs-regexp,
-.hljs-link,
-.hljs-meta {
-  color: #ef6155;
-}
-
-/* Paraíso Orange */
-.hljs-number,
-.hljs-built_in,
-.hljs-builtin-name,
-.hljs-literal,
-.hljs-type,
-.hljs-params,
-.hljs-deletion {
-  color: #f99b15;
-}
-
-/* Paraíso Yellow */
-.hljs-title,
-.hljs-section,
-.hljs-attribute {
-  color: #fec418;
-}
-
-/* Paraíso Green */
-.hljs-string,
-.hljs-symbol,
-.hljs-bullet,
-.hljs-addition {
-  color: #48b685;
-}
-
-/* Paraíso Purple */
-.hljs-keyword,
-.hljs-selector-tag {
-  color: #815ba4;
-}
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  background: #2f1e2e;
-  color: #a39e9b;
-  padding: 0.5em;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
diff --git a/doc/html-manual/highlight/styles/paraiso-light.css b/doc/html-manual/highlight/styles/paraiso-light.css
deleted file mode 100644
index 944857cd8d..0000000000
--- a/doc/html-manual/highlight/styles/paraiso-light.css
+++ /dev/null
@@ -1,72 +0,0 @@
-/*
-    Paraíso (light)
-    Created by Jan T. Sott (http://github.com/idleberg)
-    Inspired by the art of Rubens LP (http://www.rubenslp.com.br)
-*/
-
-/* Paraíso Comment */
-.hljs-comment,
-.hljs-quote {
-  color: #776e71;
-}
-
-/* Paraíso Red */
-.hljs-variable,
-.hljs-template-variable,
-.hljs-tag,
-.hljs-name,
-.hljs-selector-id,
-.hljs-selector-class,
-.hljs-regexp,
-.hljs-link,
-.hljs-meta {
-  color: #ef6155;
-}
-
-/* Paraíso Orange */
-.hljs-number,
-.hljs-built_in,
-.hljs-builtin-name,
-.hljs-literal,
-.hljs-type,
-.hljs-params,
-.hljs-deletion {
-  color: #f99b15;
-}
-
-/* Paraíso Yellow */
-.hljs-title,
-.hljs-section,
-.hljs-attribute {
-  color: #fec418;
-}
-
-/* Paraíso Green */
-.hljs-string,
-.hljs-symbol,
-.hljs-bullet,
-.hljs-addition {
-  color: #48b685;
-}
-
-/* Paraíso Purple */
-.hljs-keyword,
-.hljs-selector-tag {
-  color: #815ba4;
-}
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  background: #e7e9db;
-  color: #4f424c;
-  padding: 0.5em;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
diff --git a/doc/html-manual/highlight/styles/pojoaque.css b/doc/html-manual/highlight/styles/pojoaque.css
deleted file mode 100644
index 2e07847b2b..0000000000
--- a/doc/html-manual/highlight/styles/pojoaque.css
+++ /dev/null
@@ -1,83 +0,0 @@
-/*
-
-Pojoaque Style by Jason Tate
-http://web-cms-designs.com/ftopict-10-pojoaque-style-for-highlight-js-code-highlighter.html
-Based on Solarized Style from http://ethanschoonover.com/solarized
-
-*/
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  padding: 0.5em;
-  color: #dccf8f;
-  background: url(./pojoaque.jpg) repeat scroll left top #181914;
-}
-
-.hljs-comment,
-.hljs-quote {
-  color: #586e75;
-  font-style: italic;
-}
-
-.hljs-keyword,
-.hljs-selector-tag,
-.hljs-literal,
-.hljs-addition {
-  color: #b64926;
-}
-
-.hljs-number,
-.hljs-string,
-.hljs-doctag,
-.hljs-regexp {
-  color: #468966;
-}
-
-.hljs-title,
-.hljs-section,
-.hljs-built_in,
-.hljs-name {
-  color: #ffb03b;
-}
-
-.hljs-variable,
-.hljs-template-variable,
-.hljs-class .hljs-title,
-.hljs-type,
-.hljs-tag {
-  color: #b58900;
-}
-
-.hljs-attribute {
-  color: #b89859;
-}
-
-.hljs-symbol,
-.hljs-bullet,
-.hljs-link,
-.hljs-subst,
-.hljs-meta {
-  color: #cb4b16;
-}
-
-.hljs-deletion {
-  color: #dc322f;
-}
-
-.hljs-selector-id,
-.hljs-selector-class {
-  color: #d3a60c;
-}
-
-.hljs-formula {
-  background: #073642;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
diff --git a/doc/html-manual/highlight/styles/pojoaque.jpg b/doc/html-manual/highlight/styles/pojoaque.jpg
deleted file mode 100644
index 9c07d4ab40b6d77e90ff69f0012bcd33b21d31c3..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 1186
zcmZXSe^8Tk9LK-kXFs3)f@f?)Cddzw3v4wdZyXQ;4x3=;Ja*N#%n9ik!UGmt9H3k0
zJST|5jOc(ID$FQt3C?jQZBws#kXolO1lg9Pba9BB=Q+UEBX!nY@6Uhl&+ofe$Q$y5
z@ci`~)&qzDP(lOiQ5p?p
z(`j^e7!yUAVHk%K#^GQXn?s0=VLYCI$HRoe=xCuZ>A6A3@sxEP#XqNFpIb=0)KQ#Nss_tD17;m4@$JKL;LR|K|QF3f%!L5+s(9Ft8SQ
zG|~pGpEGFW5Z|OA)-O@mNHy-g@7m8JTf?kl@vUKBGmw)Y*9sDRNr3PN!IKefWaydTe1D
zjzpyzPnD3}hBNaS4aFX7=0&~I*Hu7#4au@qVBglH#-m;QFOx_`=j
z{EqRY#Eh*yoWP^pa4H>8GH{rO?!_+xwL0(k4yL^D%^nBkJ*UI;Lx;ped8d|f*S_s@
z3~ilcRC(&NT#9Gn#UD;o^EYSMXDMf%XcUi3>;WXXD-QX3P9wMyP7eA&RS{)h5{??W3^Rq=goFJ>?lA~J-
zdYe>!xvYLW*fPT0RK7wsJRg^?x#W1*GP9_f`6t>QD_X>0d!owyN>nO2?U5}|3?hX_UZYT@^>S!9eB~bZ9U`q;`U)@L670o1g
z`Hd}h<_WRvUc|n*%v4Hbb-4tJD40iyF^q%g*&!6>hkYDvi-{Uc4yTM
zzcthN4Z{ka!+F_KzYV#yWi;c^X^q6g`pD8cp?$Kl?hCz0s^a|mH%P!CF%*<6k^~i`
zT5Mi-t5-frUcHkk^Qh}+N)Kz1&Bi95`oNc|quI>tUi~BY>xcF9(%tv2i{G6kE9*q~
qCoAGl20`)w0rdgp9H%Q=M5|p`hOhFz6$I%Y&ncY8>c?7PXyh+SL&XXJ

diff --git a/doc/html-manual/highlight/styles/purebasic.css b/doc/html-manual/highlight/styles/purebasic.css
deleted file mode 100644
index 5ce9b9e071..0000000000
--- a/doc/html-manual/highlight/styles/purebasic.css
+++ /dev/null
@@ -1,96 +0,0 @@
-/*
-
-PureBASIC native IDE style ( version 1.0 - April 2016 )
-
-by Tristano Ajmone 
-
-Public Domain
-
-NOTE_1:	PureBASIC code syntax highlighting only applies the following classes:
-			.hljs-comment
-			.hljs-function
-			.hljs-keywords
-			.hljs-string
-			.hljs-symbol
-
-		Other classes are added here for the benefit of styling other languages with the look and feel of PureBASIC native IDE style.
-		If you need to customize a stylesheet for PureBASIC only, remove all non-relevant classes -- PureBASIC-related classes are followed by
-		a "--- used for PureBASIC ... ---" comment on same line.
-
-NOTE_2:	Color names provided in comments were derived using "Name that Color" online tool:
-			http://chir.ag/projects/name-that-color
-*/
-
-.hljs { /* Common set of rules required by highlight.js (don'r remove!) */
-	display: block;
-	overflow-x: auto;
-	padding: 0.5em;
-	background: #FFFFDF; /* Half and Half (approx.) */
-/* --- Uncomment to add PureBASIC native IDE styled font!
-	font-family: Consolas;
-*/
-}
-
-.hljs, /* --- used for PureBASIC base color --- */
-.hljs-type,  /* --- used for PureBASIC Procedures return type --- */
-.hljs-function, /* --- used for wrapping PureBASIC Procedures definitions --- */
-.hljs-name,
-.hljs-number,
-.hljs-attr,
-.hljs-params,
-.hljs-subst {
-	color: #000000; /* Black */
-}
-
-.hljs-comment, /* --- used for PureBASIC Comments --- */
-.hljs-regexp,
-.hljs-section,
-.hljs-selector-pseudo,
-.hljs-addition {
-	color: #00AAAA; /* Persian Green (approx.) */
-}
-
-.hljs-title, /* --- used for PureBASIC Procedures Names --- */
-.hljs-tag,
-.hljs-variable,
-.hljs-code  {
-	color: #006666; /* Blue Stone (approx.) */
-}
-
-.hljs-keyword, /* --- used for PureBASIC Keywords --- */
-.hljs-class,
-.hljs-meta-keyword,
-.hljs-selector-class,
-.hljs-built_in,
-.hljs-builtin-name {
-	color: #006666; /* Blue Stone (approx.) */
-	font-weight: bold;
-}
-
-.hljs-string, /* --- used for PureBASIC Strings --- */
-.hljs-selector-attr {
-	color: #0080FF; /* Azure Radiance (approx.) */
-}
-
-.hljs-symbol, /* --- used for PureBASIC Constants --- */
-.hljs-link,
-.hljs-deletion,
-.hljs-attribute {
-	color: #924B72; /* Cannon Pink (approx.) */
-}
-
-.hljs-meta,
-.hljs-literal,
-.hljs-selector-id {
-	color: #924B72; /* Cannon Pink (approx.) */
-	font-weight: bold;
-}
-
-.hljs-strong,
-.hljs-name {
-	font-weight: bold;
-}
-
-.hljs-emphasis {
-	font-style: italic;
-}
diff --git a/doc/html-manual/highlight/styles/qtcreator_dark.css b/doc/html-manual/highlight/styles/qtcreator_dark.css
deleted file mode 100644
index 7aa56a3655..0000000000
--- a/doc/html-manual/highlight/styles/qtcreator_dark.css
+++ /dev/null
@@ -1,83 +0,0 @@
-/*
-
-Qt Creator dark color scheme
-
-*/
-
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  padding: 0.5em;
-  background: #000000;
-}
-
-.hljs,
-.hljs-subst,
-.hljs-tag,
-.hljs-title {
-  color: #aaaaaa;
-}
-
-.hljs-strong,
-.hljs-emphasis {
-  color: #a8a8a2;
-}
-
-.hljs-bullet,
-.hljs-quote,
-.hljs-number,
-.hljs-regexp,
-.hljs-literal {
-  color: #ff55ff;
-}
-
-.hljs-code
-.hljs-selector-class {
-  color: #aaaaff;
-}
-
-.hljs-emphasis,
-.hljs-stronge,
-.hljs-type {
-  font-style: italic;
-}
-
-.hljs-keyword,
-.hljs-selector-tag,
-.hljs-function,
-.hljs-section,
-.hljs-symbol,
-.hljs-name {
-  color: #ffff55;
-}
-
-.hljs-attribute {
-  color: #ff5555;
-}
-
-.hljs-variable,
-.hljs-params,
-.hljs-class .hljs-title {
-  color: #8888ff;
-}
-
-.hljs-string,
-.hljs-selector-id,
-.hljs-selector-attr,
-.hljs-selector-pseudo,
-.hljs-type,
-.hljs-built_in,
-.hljs-builtin-name,
-.hljs-template-tag,
-.hljs-template-variable,
-.hljs-addition,
-.hljs-link {
-  color: #ff55ff;
-}
-
-.hljs-comment,
-.hljs-meta,
-.hljs-deletion {
-  color: #55ffff;
-}
diff --git a/doc/html-manual/highlight/styles/qtcreator_light.css b/doc/html-manual/highlight/styles/qtcreator_light.css
deleted file mode 100644
index 1efa2c660f..0000000000
--- a/doc/html-manual/highlight/styles/qtcreator_light.css
+++ /dev/null
@@ -1,83 +0,0 @@
-/*
-
-Qt Creator light color scheme
-
-*/
-
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  padding: 0.5em;
-  background: #ffffff;
-}
-
-.hljs,
-.hljs-subst,
-.hljs-tag,
-.hljs-title {
-  color: #000000;
-}
-
-.hljs-strong,
-.hljs-emphasis {
-  color: #000000;
-}
-
-.hljs-bullet,
-.hljs-quote,
-.hljs-number,
-.hljs-regexp,
-.hljs-literal {
-  color: #000080;
-}
-
-.hljs-code
-.hljs-selector-class {
-  color: #800080;
-}
-
-.hljs-emphasis,
-.hljs-stronge,
-.hljs-type {
-  font-style: italic;
-}
-
-.hljs-keyword,
-.hljs-selector-tag,
-.hljs-function,
-.hljs-section,
-.hljs-symbol,
-.hljs-name {
-  color: #808000;
-}
-
-.hljs-attribute {
-  color: #800000;
-}
-
-.hljs-variable,
-.hljs-params,
-.hljs-class .hljs-title {
-  color: #0055AF;
-}
-
-.hljs-string,
-.hljs-selector-id,
-.hljs-selector-attr,
-.hljs-selector-pseudo,
-.hljs-type,
-.hljs-built_in,
-.hljs-builtin-name,
-.hljs-template-tag,
-.hljs-template-variable,
-.hljs-addition,
-.hljs-link {
-  color: #008000;
-}
-
-.hljs-comment,
-.hljs-meta,
-.hljs-deletion {
-  color: #008000;
-}
diff --git a/doc/html-manual/highlight/styles/railscasts.css b/doc/html-manual/highlight/styles/railscasts.css
deleted file mode 100644
index 008cdc5bf1..0000000000
--- a/doc/html-manual/highlight/styles/railscasts.css
+++ /dev/null
@@ -1,106 +0,0 @@
-/*
-
-Railscasts-like style (c) Visoft, Inc. (Damien White)
-
-*/
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  padding: 0.5em;
-  background: #232323;
-  color: #e6e1dc;
-}
-
-.hljs-comment,
-.hljs-quote {
-  color: #bc9458;
-  font-style: italic;
-}
-
-.hljs-keyword,
-.hljs-selector-tag {
-  color: #c26230;
-}
-
-.hljs-string,
-.hljs-number,
-.hljs-regexp,
-.hljs-variable,
-.hljs-template-variable {
-  color: #a5c261;
-}
-
-.hljs-subst {
-  color: #519f50;
-}
-
-.hljs-tag,
-.hljs-name {
-  color: #e8bf6a;
-}
-
-.hljs-type {
-  color: #da4939;
-}
-
-
-.hljs-symbol,
-.hljs-bullet,
-.hljs-built_in,
-.hljs-builtin-name,
-.hljs-attr,
-.hljs-link {
-  color: #6d9cbe;
-}
-
-.hljs-params {
-  color: #d0d0ff;
-}
-
-.hljs-attribute {
-  color: #cda869;
-}
-
-.hljs-meta {
-  color: #9b859d;
-}
-
-.hljs-title,
-.hljs-section {
-  color: #ffc66d;
-}
-
-.hljs-addition {
-  background-color: #144212;
-  color: #e6e1dc;
-  display: inline-block;
-  width: 100%;
-}
-
-.hljs-deletion {
-  background-color: #600;
-  color: #e6e1dc;
-  display: inline-block;
-  width: 100%;
-}
-
-.hljs-selector-class {
-  color: #9b703f;
-}
-
-.hljs-selector-id {
-  color: #8b98ab;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
-
-.hljs-link {
-  text-decoration: underline;
-}
diff --git a/doc/html-manual/highlight/styles/rainbow.css b/doc/html-manual/highlight/styles/rainbow.css
deleted file mode 100644
index 905eb8ef18..0000000000
--- a/doc/html-manual/highlight/styles/rainbow.css
+++ /dev/null
@@ -1,85 +0,0 @@
-/*
-
-Style with support for rainbow parens
-
-*/
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  padding: 0.5em;
-  background: #474949;
-  color: #d1d9e1;
-}
-
-
-.hljs-comment,
-.hljs-quote {
-  color: #969896;
-  font-style: italic;
-}
-
-.hljs-keyword,
-.hljs-selector-tag,
-.hljs-literal,
-.hljs-type,
-.hljs-addition {
-  color: #cc99cc;
-}
-
-.hljs-number,
-.hljs-selector-attr,
-.hljs-selector-pseudo {
-  color: #f99157;
-}
-
-.hljs-string,
-.hljs-doctag,
-.hljs-regexp {
-  color: #8abeb7;
-}
-
-.hljs-title,
-.hljs-name,
-.hljs-section,
-.hljs-built_in {
-  color: #b5bd68;
-}
-
-.hljs-variable,
-.hljs-template-variable,
-.hljs-selector-id,
-.hljs-class .hljs-title {
-   color: #ffcc66;
-}
-
-.hljs-section,
-.hljs-name,
-.hljs-strong {
-  font-weight: bold;
-}
-
-.hljs-symbol,
-.hljs-bullet,
-.hljs-subst,
-.hljs-meta,
-.hljs-link {
-  color: #f99157;
-}
-
-.hljs-deletion {
-  color: #dc322f;
-}
-
-.hljs-formula {
-  background: #eee8d5;
-}
-
-.hljs-attr,
-.hljs-attribute {
-  color: #81a2be;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
diff --git a/doc/html-manual/highlight/styles/school-book.css b/doc/html-manual/highlight/styles/school-book.css
deleted file mode 100644
index 964b51d841..0000000000
--- a/doc/html-manual/highlight/styles/school-book.css
+++ /dev/null
@@ -1,72 +0,0 @@
-/*
-
-School Book style from goldblog.com.ua (c) Zaripov Yura 
-
-*/
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  padding: 15px 0.5em 0.5em 30px;
-  font-size: 11px;
-  line-height:16px;
-}
-
-pre{
-  background:#f6f6ae url(./school-book.png);
-  border-top: solid 2px #d2e8b9;
-  border-bottom: solid 1px #d2e8b9;
-}
-
-.hljs-keyword,
-.hljs-selector-tag,
-.hljs-literal {
-  color:#005599;
-  font-weight:bold;
-}
-
-.hljs,
-.hljs-subst {
-  color: #3e5915;
-}
-
-.hljs-string,
-.hljs-title,
-.hljs-section,
-.hljs-type,
-.hljs-symbol,
-.hljs-bullet,
-.hljs-attribute,
-.hljs-built_in,
-.hljs-builtin-name,
-.hljs-addition,
-.hljs-variable,
-.hljs-template-tag,
-.hljs-template-variable,
-.hljs-link {
-  color: #2c009f;
-}
-
-.hljs-comment,
-.hljs-quote,
-.hljs-deletion,
-.hljs-meta {
-  color: #e60415;
-}
-
-.hljs-keyword,
-.hljs-selector-tag,
-.hljs-literal,
-.hljs-doctag,
-.hljs-title,
-.hljs-section,
-.hljs-type,
-.hljs-name,
-.hljs-selector-id,
-.hljs-strong {
-  font-weight: bold;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
diff --git a/doc/html-manual/highlight/styles/school-book.png b/doc/html-manual/highlight/styles/school-book.png
deleted file mode 100644
index 956e9790a0e2c079b3d568348ff3accd1d9cac30..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 486
zcmeAS@N?(olHy`uVBq!ia0y~yV7?7x3vjRjNjAS6Ga$v1?&#~tz_9*=IcwKTAYZb?
zHKHUqKdq!Zu_%?nF(p4KRlzeiF+DXXH8G{K@MNkD0|R4)r;B4q#jQ7Ycl#YS5MfK$
z?b^fh#qmaEhFDxvyThwfhdfkOPApt1lr{NA;Vr%uzxJuVIyzm(ed_8_-0$LLU})H&o5Re&aDemE>EG#(|F^t9_pa-H
z_Mf?rMVrs}-M?S|?ZdY@c6s41zy8~}@a{v&#Ea7V)wJ$+#K|u$5UvWCdFLwGac}6w{_s*=8A6L7Rfc|9gboFyt
I=akR{0OLZ+qyPW_

diff --git a/doc/html-manual/highlight/styles/solarized-dark.css b/doc/html-manual/highlight/styles/solarized-dark.css
deleted file mode 100644
index b4c0da1f78..0000000000
--- a/doc/html-manual/highlight/styles/solarized-dark.css
+++ /dev/null
@@ -1,84 +0,0 @@
-/*
-
-Orginal Style from ethanschoonover.com/solarized (c) Jeremy Hull 
-
-*/
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  padding: 0.5em;
-  background: #002b36;
-  color: #839496;
-}
-
-.hljs-comment,
-.hljs-quote {
-  color: #586e75;
-}
-
-/* Solarized Green */
-.hljs-keyword,
-.hljs-selector-tag,
-.hljs-addition {
-  color: #859900;
-}
-
-/* Solarized Cyan */
-.hljs-number,
-.hljs-string,
-.hljs-meta .hljs-meta-string,
-.hljs-literal,
-.hljs-doctag,
-.hljs-regexp {
-  color: #2aa198;
-}
-
-/* Solarized Blue */
-.hljs-title,
-.hljs-section,
-.hljs-name,
-.hljs-selector-id,
-.hljs-selector-class {
-  color: #268bd2;
-}
-
-/* Solarized Yellow */
-.hljs-attribute,
-.hljs-attr,
-.hljs-variable,
-.hljs-template-variable,
-.hljs-class .hljs-title,
-.hljs-type {
-  color: #b58900;
-}
-
-/* Solarized Orange */
-.hljs-symbol,
-.hljs-bullet,
-.hljs-subst,
-.hljs-meta,
-.hljs-meta .hljs-keyword,
-.hljs-selector-attr,
-.hljs-selector-pseudo,
-.hljs-link {
-  color: #cb4b16;
-}
-
-/* Solarized Red */
-.hljs-built_in,
-.hljs-deletion {
-  color: #dc322f;
-}
-
-.hljs-formula {
-  background: #073642;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
diff --git a/doc/html-manual/highlight/styles/solarized-light.css b/doc/html-manual/highlight/styles/solarized-light.css
deleted file mode 100644
index fdcfcc72c4..0000000000
--- a/doc/html-manual/highlight/styles/solarized-light.css
+++ /dev/null
@@ -1,84 +0,0 @@
-/*
-
-Orginal Style from ethanschoonover.com/solarized (c) Jeremy Hull 
-
-*/
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  padding: 0.5em;
-  background: #fdf6e3;
-  color: #657b83;
-}
-
-.hljs-comment,
-.hljs-quote {
-  color: #93a1a1;
-}
-
-/* Solarized Green */
-.hljs-keyword,
-.hljs-selector-tag,
-.hljs-addition {
-  color: #859900;
-}
-
-/* Solarized Cyan */
-.hljs-number,
-.hljs-string,
-.hljs-meta .hljs-meta-string,
-.hljs-literal,
-.hljs-doctag,
-.hljs-regexp {
-  color: #2aa198;
-}
-
-/* Solarized Blue */
-.hljs-title,
-.hljs-section,
-.hljs-name,
-.hljs-selector-id,
-.hljs-selector-class {
-  color: #268bd2;
-}
-
-/* Solarized Yellow */
-.hljs-attribute,
-.hljs-attr,
-.hljs-variable,
-.hljs-template-variable,
-.hljs-class .hljs-title,
-.hljs-type {
-  color: #b58900;
-}
-
-/* Solarized Orange */
-.hljs-symbol,
-.hljs-bullet,
-.hljs-subst,
-.hljs-meta,
-.hljs-meta .hljs-keyword,
-.hljs-selector-attr,
-.hljs-selector-pseudo,
-.hljs-link {
-  color: #cb4b16;
-}
-
-/* Solarized Red */
-.hljs-built_in,
-.hljs-deletion {
-  color: #dc322f;
-}
-
-.hljs-formula {
-  background: #eee8d5;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
diff --git a/doc/html-manual/highlight/styles/sunburst.css b/doc/html-manual/highlight/styles/sunburst.css
deleted file mode 100644
index f56dd5e9b6..0000000000
--- a/doc/html-manual/highlight/styles/sunburst.css
+++ /dev/null
@@ -1,102 +0,0 @@
-/*
-
-Sunburst-like style (c) Vasily Polovnyov 
-
-*/
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  padding: 0.5em;
-  background: #000;
-  color: #f8f8f8;
-}
-
-.hljs-comment,
-.hljs-quote {
-  color: #aeaeae;
-  font-style: italic;
-}
-
-.hljs-keyword,
-.hljs-selector-tag,
-.hljs-type {
-  color: #e28964;
-}
-
-.hljs-string {
-  color: #65b042;
-}
-
-.hljs-subst {
-  color: #daefa3;
-}
-
-.hljs-regexp,
-.hljs-link {
-  color: #e9c062;
-}
-
-.hljs-title,
-.hljs-section,
-.hljs-tag,
-.hljs-name {
-  color: #89bdff;
-}
-
-.hljs-class .hljs-title,
-.hljs-doctag {
-  text-decoration: underline;
-}
-
-.hljs-symbol,
-.hljs-bullet,
-.hljs-number {
-  color: #3387cc;
-}
-
-.hljs-params,
-.hljs-variable,
-.hljs-template-variable {
-  color: #3e87e3;
-}
-
-.hljs-attribute {
-  color: #cda869;
-}
-
-.hljs-meta {
-  color: #8996a8;
-}
-
-.hljs-formula {
-  background-color: #0e2231;
-  color: #f8f8f8;
-  font-style: italic;
-}
-
-.hljs-addition {
-  background-color: #253b22;
-  color: #f8f8f8;
-}
-
-.hljs-deletion {
-  background-color: #420e09;
-  color: #f8f8f8;
-}
-
-.hljs-selector-class {
-  color: #9b703f;
-}
-
-.hljs-selector-id {
-  color: #8b98ab;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
diff --git a/doc/html-manual/highlight/styles/tomorrow-night-blue.css b/doc/html-manual/highlight/styles/tomorrow-night-blue.css
deleted file mode 100644
index 78e59cc8cb..0000000000
--- a/doc/html-manual/highlight/styles/tomorrow-night-blue.css
+++ /dev/null
@@ -1,75 +0,0 @@
-/* Tomorrow Night Blue Theme */
-/* http://jmblog.github.com/color-themes-for-google-code-highlightjs */
-/* Original theme - https://github.com/chriskempson/tomorrow-theme */
-/* http://jmblog.github.com/color-themes-for-google-code-highlightjs */
-
-/* Tomorrow Comment */
-.hljs-comment,
-.hljs-quote {
-  color: #7285b7;
-}
-
-/* Tomorrow Red */
-.hljs-variable,
-.hljs-template-variable,
-.hljs-tag,
-.hljs-name,
-.hljs-selector-id,
-.hljs-selector-class,
-.hljs-regexp,
-.hljs-deletion {
-  color: #ff9da4;
-}
-
-/* Tomorrow Orange */
-.hljs-number,
-.hljs-built_in,
-.hljs-builtin-name,
-.hljs-literal,
-.hljs-type,
-.hljs-params,
-.hljs-meta,
-.hljs-link {
-  color: #ffc58f;
-}
-
-/* Tomorrow Yellow */
-.hljs-attribute {
-  color: #ffeead;
-}
-
-/* Tomorrow Green */
-.hljs-string,
-.hljs-symbol,
-.hljs-bullet,
-.hljs-addition {
-  color: #d1f1a9;
-}
-
-/* Tomorrow Blue */
-.hljs-title,
-.hljs-section {
-  color: #bbdaff;
-}
-
-/* Tomorrow Purple */
-.hljs-keyword,
-.hljs-selector-tag {
-  color: #ebbbff;
-}
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  background: #002451;
-  color: white;
-  padding: 0.5em;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
diff --git a/doc/html-manual/highlight/styles/tomorrow-night-bright.css b/doc/html-manual/highlight/styles/tomorrow-night-bright.css
deleted file mode 100644
index e05af8ae24..0000000000
--- a/doc/html-manual/highlight/styles/tomorrow-night-bright.css
+++ /dev/null
@@ -1,74 +0,0 @@
-/* Tomorrow Night Bright Theme */
-/* Original theme - https://github.com/chriskempson/tomorrow-theme */
-/* http://jmblog.github.com/color-themes-for-google-code-highlightjs */
-
-/* Tomorrow Comment */
-.hljs-comment,
-.hljs-quote {
-  color: #969896;
-}
-
-/* Tomorrow Red */
-.hljs-variable,
-.hljs-template-variable,
-.hljs-tag,
-.hljs-name,
-.hljs-selector-id,
-.hljs-selector-class,
-.hljs-regexp,
-.hljs-deletion {
-  color: #d54e53;
-}
-
-/* Tomorrow Orange */
-.hljs-number,
-.hljs-built_in,
-.hljs-builtin-name,
-.hljs-literal,
-.hljs-type,
-.hljs-params,
-.hljs-meta,
-.hljs-link {
-  color: #e78c45;
-}
-
-/* Tomorrow Yellow */
-.hljs-attribute {
-  color: #e7c547;
-}
-
-/* Tomorrow Green */
-.hljs-string,
-.hljs-symbol,
-.hljs-bullet,
-.hljs-addition {
-  color: #b9ca4a;
-}
-
-/* Tomorrow Blue */
-.hljs-title,
-.hljs-section {
-  color: #7aa6da;
-}
-
-/* Tomorrow Purple */
-.hljs-keyword,
-.hljs-selector-tag {
-  color: #c397d8;
-}
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  background: black;
-  color: #eaeaea;
-  padding: 0.5em;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
diff --git a/doc/html-manual/highlight/styles/tomorrow-night-eighties.css b/doc/html-manual/highlight/styles/tomorrow-night-eighties.css
deleted file mode 100644
index 08fd51c742..0000000000
--- a/doc/html-manual/highlight/styles/tomorrow-night-eighties.css
+++ /dev/null
@@ -1,74 +0,0 @@
-/* Tomorrow Night Eighties Theme */
-/* Original theme - https://github.com/chriskempson/tomorrow-theme */
-/* http://jmblog.github.com/color-themes-for-google-code-highlightjs */
-
-/* Tomorrow Comment */
-.hljs-comment,
-.hljs-quote {
-  color: #999999;
-}
-
-/* Tomorrow Red */
-.hljs-variable,
-.hljs-template-variable,
-.hljs-tag,
-.hljs-name,
-.hljs-selector-id,
-.hljs-selector-class,
-.hljs-regexp,
-.hljs-deletion {
-  color: #f2777a;
-}
-
-/* Tomorrow Orange */
-.hljs-number,
-.hljs-built_in,
-.hljs-builtin-name,
-.hljs-literal,
-.hljs-type,
-.hljs-params,
-.hljs-meta,
-.hljs-link {
-  color: #f99157;
-}
-
-/* Tomorrow Yellow */
-.hljs-attribute {
-  color: #ffcc66;
-}
-
-/* Tomorrow Green */
-.hljs-string,
-.hljs-symbol,
-.hljs-bullet,
-.hljs-addition {
-  color: #99cc99;
-}
-
-/* Tomorrow Blue */
-.hljs-title,
-.hljs-section {
-  color: #6699cc;
-}
-
-/* Tomorrow Purple */
-.hljs-keyword,
-.hljs-selector-tag {
-  color: #cc99cc;
-}
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  background: #2d2d2d;
-  color: #cccccc;
-  padding: 0.5em;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
diff --git a/doc/html-manual/highlight/styles/tomorrow-night.css b/doc/html-manual/highlight/styles/tomorrow-night.css
deleted file mode 100644
index ddd270a4e7..0000000000
--- a/doc/html-manual/highlight/styles/tomorrow-night.css
+++ /dev/null
@@ -1,75 +0,0 @@
-/* Tomorrow Night Theme */
-/* http://jmblog.github.com/color-themes-for-google-code-highlightjs */
-/* Original theme - https://github.com/chriskempson/tomorrow-theme */
-/* http://jmblog.github.com/color-themes-for-google-code-highlightjs */
-
-/* Tomorrow Comment */
-.hljs-comment,
-.hljs-quote {
-  color: #969896;
-}
-
-/* Tomorrow Red */
-.hljs-variable,
-.hljs-template-variable,
-.hljs-tag,
-.hljs-name,
-.hljs-selector-id,
-.hljs-selector-class,
-.hljs-regexp,
-.hljs-deletion {
-  color: #cc6666;
-}
-
-/* Tomorrow Orange */
-.hljs-number,
-.hljs-built_in,
-.hljs-builtin-name,
-.hljs-literal,
-.hljs-type,
-.hljs-params,
-.hljs-meta,
-.hljs-link {
-  color: #de935f;
-}
-
-/* Tomorrow Yellow */
-.hljs-attribute {
-  color: #f0c674;
-}
-
-/* Tomorrow Green */
-.hljs-string,
-.hljs-symbol,
-.hljs-bullet,
-.hljs-addition {
-  color: #b5bd68;
-}
-
-/* Tomorrow Blue */
-.hljs-title,
-.hljs-section {
-  color: #81a2be;
-}
-
-/* Tomorrow Purple */
-.hljs-keyword,
-.hljs-selector-tag {
-  color: #b294bb;
-}
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  background: #1d1f21;
-  color: #c5c8c6;
-  padding: 0.5em;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
diff --git a/doc/html-manual/highlight/styles/tomorrow.css b/doc/html-manual/highlight/styles/tomorrow.css
deleted file mode 100644
index 026a62fe3b..0000000000
--- a/doc/html-manual/highlight/styles/tomorrow.css
+++ /dev/null
@@ -1,72 +0,0 @@
-/* http://jmblog.github.com/color-themes-for-google-code-highlightjs */
-
-/* Tomorrow Comment */
-.hljs-comment,
-.hljs-quote {
-  color: #8e908c;
-}
-
-/* Tomorrow Red */
-.hljs-variable,
-.hljs-template-variable,
-.hljs-tag,
-.hljs-name,
-.hljs-selector-id,
-.hljs-selector-class,
-.hljs-regexp,
-.hljs-deletion {
-  color: #c82829;
-}
-
-/* Tomorrow Orange */
-.hljs-number,
-.hljs-built_in,
-.hljs-builtin-name,
-.hljs-literal,
-.hljs-type,
-.hljs-params,
-.hljs-meta,
-.hljs-link {
-  color: #f5871f;
-}
-
-/* Tomorrow Yellow */
-.hljs-attribute {
-  color: #eab700;
-}
-
-/* Tomorrow Green */
-.hljs-string,
-.hljs-symbol,
-.hljs-bullet,
-.hljs-addition {
-  color: #718c00;
-}
-
-/* Tomorrow Blue */
-.hljs-title,
-.hljs-section {
-  color: #4271ae;
-}
-
-/* Tomorrow Purple */
-.hljs-keyword,
-.hljs-selector-tag {
-  color: #8959a8;
-}
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  background: white;
-  color: #4d4d4c;
-  padding: 0.5em;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
diff --git a/doc/html-manual/highlight/styles/vs.css b/doc/html-manual/highlight/styles/vs.css
deleted file mode 100644
index c5d07d3115..0000000000
--- a/doc/html-manual/highlight/styles/vs.css
+++ /dev/null
@@ -1,68 +0,0 @@
-/*
-
-Visual Studio-like style based on original C# coloring by Jason Diamond 
-
-*/
-.hljs {
-  display: block;
-  overflow-x: auto;
-  padding: 0.5em;
-  background: white;
-  color: black;
-}
-
-.hljs-comment,
-.hljs-quote,
-.hljs-variable {
-  color: #008000;
-}
-
-.hljs-keyword,
-.hljs-selector-tag,
-.hljs-built_in,
-.hljs-name,
-.hljs-tag {
-  color: #00f;
-}
-
-.hljs-string,
-.hljs-title,
-.hljs-section,
-.hljs-attribute,
-.hljs-literal,
-.hljs-template-tag,
-.hljs-template-variable,
-.hljs-type,
-.hljs-addition {
-  color: #a31515;
-}
-
-.hljs-deletion,
-.hljs-selector-attr,
-.hljs-selector-pseudo,
-.hljs-meta {
-  color: #2b91af;
-}
-
-.hljs-doctag {
-  color: #808080;
-}
-
-.hljs-attr {
-  color: #f00;
-}
-
-.hljs-symbol,
-.hljs-bullet,
-.hljs-link {
-  color: #00b0e8;
-}
-
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
diff --git a/doc/html-manual/highlight/styles/xcode.css b/doc/html-manual/highlight/styles/xcode.css
deleted file mode 100644
index 43dddad84d..0000000000
--- a/doc/html-manual/highlight/styles/xcode.css
+++ /dev/null
@@ -1,93 +0,0 @@
-/*
-
-XCode style (c) Angel Garcia 
-
-*/
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  padding: 0.5em;
-  background: #fff;
-  color: black;
-}
-
-.hljs-comment,
-.hljs-quote {
-  color: #006a00;
-}
-
-.hljs-keyword,
-.hljs-selector-tag,
-.hljs-literal {
-  color: #aa0d91;
-}
-
-.hljs-name {
-  color: #008;
-}
-
-.hljs-variable,
-.hljs-template-variable {
-  color: #660;
-}
-
-.hljs-string {
-  color: #c41a16;
-}
-
-.hljs-regexp,
-.hljs-link {
-  color: #080;
-}
-
-.hljs-title,
-.hljs-tag,
-.hljs-symbol,
-.hljs-bullet,
-.hljs-number,
-.hljs-meta {
-  color: #1c00cf;
-}
-
-.hljs-section,
-.hljs-class .hljs-title,
-.hljs-type,
-.hljs-attr,
-.hljs-built_in,
-.hljs-builtin-name,
-.hljs-params {
-  color: #5c2699;
-}
-
-.hljs-attribute,
-.hljs-subst {
-  color: #000;
-}
-
-.hljs-formula {
-  background-color: #eee;
-  font-style: italic;
-}
-
-.hljs-addition {
-  background-color: #baeeba;
-}
-
-.hljs-deletion {
-  background-color: #ffc8bd;
-}
-
-.hljs-selector-id,
-.hljs-selector-class {
-  color: #9b703f;
-}
-
-.hljs-doctag,
-.hljs-strong {
-  font-weight: bold;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
diff --git a/doc/html-manual/highlight/styles/xt256.css b/doc/html-manual/highlight/styles/xt256.css
deleted file mode 100644
index 58df82cb75..0000000000
--- a/doc/html-manual/highlight/styles/xt256.css
+++ /dev/null
@@ -1,92 +0,0 @@
-
-/*
-  xt256.css
-
-  Contact: initbar [at] protonmail [dot] ch
-         : github.com/initbar
-*/
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  color: #eaeaea;
-  background: #000;
-  padding: 0.5;
-}
-
-.hljs-subst {
-  color: #eaeaea;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
-
-.hljs-builtin-name,
-.hljs-type {
-  color: #eaeaea;
-}
-
-.hljs-params {
-  color: #da0000;
-}
-
-.hljs-literal,
-.hljs-number,
-.hljs-name {
-  color: #ff0000;
-  font-weight: bolder;
-}
-
-.hljs-comment {
-  color: #969896;
-}
-
-.hljs-selector-id,
-.hljs-quote {
-  color: #00ffff;
-}
-
-.hljs-template-variable,
-.hljs-variable,
-.hljs-title {
-  color: #00ffff;
-  font-weight: bold;
-}
-
-.hljs-selector-class,
-.hljs-keyword,
-.hljs-symbol {
-  color: #fff000;
-}
-
-.hljs-string,
-.hljs-bullet {
-  color: #00ff00;
-}
-
-.hljs-tag,
-.hljs-section {
-  color: #000fff;
-}
-
-.hljs-selector-tag {
-  color: #000fff;
-  font-weight: bold;
-}
-
-.hljs-attribute,
-.hljs-built_in,
-.hljs-regexp,
-.hljs-link {
-  color: #ff00ff;
-}
-
-.hljs-meta {
-  color: #fff;
-  font-weight: bolder;
-}
diff --git a/doc/html-manual/highlight/styles/zenburn.css b/doc/html-manual/highlight/styles/zenburn.css
deleted file mode 100644
index 07be502016..0000000000
--- a/doc/html-manual/highlight/styles/zenburn.css
+++ /dev/null
@@ -1,80 +0,0 @@
-/*
-
-Zenburn style from voldmar.ru (c) Vladimir Epifanov 
-based on dark.css by Ivan Sagalaev
-
-*/
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  padding: 0.5em;
-  background: #3f3f3f;
-  color: #dcdcdc;
-}
-
-.hljs-keyword,
-.hljs-selector-tag,
-.hljs-tag {
-  color: #e3ceab;
-}
-
-.hljs-template-tag {
-  color: #dcdcdc;
-}
-
-.hljs-number {
-  color: #8cd0d3;
-}
-
-.hljs-variable,
-.hljs-template-variable,
-.hljs-attribute {
-  color: #efdcbc;
-}
-
-.hljs-literal {
-  color: #efefaf;
-}
-
-.hljs-subst {
-  color: #8f8f8f;
-}
-
-.hljs-title,
-.hljs-name,
-.hljs-selector-id,
-.hljs-selector-class,
-.hljs-section,
-.hljs-type {
-  color: #efef8f;
-}
-
-.hljs-symbol,
-.hljs-bullet,
-.hljs-link {
-  color: #dca3a3;
-}
-
-.hljs-deletion,
-.hljs-string,
-.hljs-built_in,
-.hljs-builtin-name {
-  color: #cc9393;
-}
-
-.hljs-addition,
-.hljs-comment,
-.hljs-quote,
-.hljs-meta {
-  color: #7f9f7f;
-}
-
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
diff --git a/doc/html-manual/hwsw-inputs.shtml b/doc/html-manual/hwsw-inputs.shtml
deleted file mode 100644
index f1ffdbbeec..0000000000
--- a/doc/html-manual/hwsw-inputs.shtml
+++ /dev/null
@@ -1,106 +0,0 @@
-
-
-
-
-
-
-
CPROVER Manual TOC

-
-
Hardware and Software Equivalence and Co-Verification

-
-
Synchronizing Inputs

-
-
Driving Primary Inputs

-
-

-The examples in the tutorial are trivial
-in the sense that the model has only one possible trace. The
-initial state is deterministic, and there is only one possible transition,
-so the verification problem can be solved by testing a single run. In contrast,
-consider the following Verilog module:
-

-
-
module top(input clk, input i);
-
-  reg [3:0] counter;
-
-  initial counter=0;
-
-  always @(posedge clk)
-    if(i)
-      counter=counter+1;
-
-endmodule
-

-
-

-The module above has an input named i. The top-level inputs
-of the Verilog design have to be generated by the C program.
-This is done by assigning the desired values to the corresponding struct
-member, and then calling the set_inputs() function
-before calling next_timeframe().
-Consider the following example:
-

-
-
void next_timeframe();
-void set_inputs();
-extern const unsigned int bound;
-
-struct module_top {
-  unsigned int counter;
-  _Bool i;
-};
-
-extern struct module_top top;
-
-int main() {
-  assert(top.counter==0);
-
-  top.i=1;
-  set_inputs(); next_timeframe();
-  assert(top.counter==1);
-
-  top.i=1;
-  set_inputs(); next_timeframe();
-  assert(top.counter==2);
-
-  top.i=0;
-  set_inputs(); next_timeframe();
-  assert(top.counter==2);
-}
-

-
-

-As an example, consider a
-Verilog module that has a signal reset as an input, which is
-active-low. The following C fragment drives this input to be active in the
-first cycle, and not active in any subsequent cycle:
-

-
-
  top.resetn=0;
-  set_inputs(); next_timeframe();
-
-  for(i=1; i<bound; i++) {
-    top.resetn=1;
-    set_inputs(); next_timeframe();
-  }
-

-
-

-Note that the value of the input must be set before
-calling next_timeframe(). The effect of the
-input values on values derived in a combinatorial way
-is immediately visible. The effect on clocked values
-becomes visible in the next time frame.
-

-
-
Using Nondeterminism

-
-

-The examples above use particular, constant values to drive the primary
-inputs.  In order to check the behavior of the Verilog model for more than
-one specific input, use nondeterminism.
-

-
-
-
diff --git a/doc/html-manual/hwsw-mapping.shtml b/doc/html-manual/hwsw-mapping.shtml
deleted file mode 100644
index 6c953dd28c..0000000000
--- a/doc/html-manual/hwsw-mapping.shtml
+++ /dev/null
@@ -1,131 +0,0 @@
-
-
-
-
-
-
-
CPROVER Manual TOC

-
-
Hardware and Software Equivalence and Co-Verification

-
-
Mapping Variables

-
-
Mapping Variables within the Module Hierarchy

-
-

-Verilog modules are hierarchical. The extern declarations shown above
-only allow reading the values of signals and registers that are in the top
-module. In order to read values from sub-modules, CBMC uses structures.
-

-
-

-As an example, consider the following Verilog file
-(hierarchy.v):
-

-
-
module counter(input clk, input [7:0] increment);
-
-  reg [7:0] counter;
-
-  initial counter=0;
-
-  always @(posedge clk)
-    counter=counter+increment;
-
-endmodule
-
-module top(input clk);
-
-  counter c1(clk, 1);
-  counter c2(clk, 2);
-
-endmodule
-

-
-

-The file has two modules: a top module and a counter module. The counter
-module is instantiated twice within the top module. A reference to the
-register counter within the C program would be ambiguous, as the two
-module instances have separate instances of the register. CBMC and SATABS
-use the following data structures for this example:
-

-
-
void next_timeframe();
-extern const unsigned int bound;
-
-struct counter {
-  unsigned char increment;
-  unsigned char counter;
-};
-
-struct module_top {
-  struct module_counter c1, c2;
-};
-
-extern struct module_top top;
-
-int main() {
-  next_timeframe();
-  next_timeframe();
-  next_timeframe();
-  assert(top.c1.counter==3);
-  assert(top.c2.counter==6);
-}
-

-
-

-The main function reads both counter values for cycle 3. A deeper
-hierarchy (modules in modules) is realized by using additional structure
-members. Writing these data structures for large Verilog designs is error
-prone, and thus, HW-CBMC can generate them automatically. The declarations
-above are generated using the command line
-

-
-

-
-hw-cbmc --gen-interface --module top hierarchy.v
-
-

-
-
Mapping Verilog Vectors to Arrays or Scalars

-
-

-In Verilog, a definition such as
-

-
-
-  wire [31:0] x;
-
-
-

-can be used for arithmetic (as in x+10) and as array of Booleans
-(as in x[2]). ANSI-C does not allow both, so when mapping variables
-from Verilog to C, the user has to choose one option for each such variable.
-As an example, the C declaration
-

-
-
-  unsigned int x;
-
-
-

-will allow using x in arithmetic expressions, while the C declaration
-

-
-
-  __CPROVER_bool x[32];
-
-
-

-will allow accessing the individual bits of x using the syntax
-x[bit].  The --gen-interface option of HW-CBMC
-will generate the first variant if the vector has the same size as one of
-the standard integer types, and will use the __CPROVER_bitvector[] type if
-not so.  This choice can be changed by adjusting the declaration
-accordingly.  Note that both SpecC and SystemC offer bit-extraction
-operators, which means that it unnecessary to use the declaration as array
-in order to access individual bits of a vector.
-

-
-
-
diff --git a/doc/html-manual/hwsw-tutorial.shtml b/doc/html-manual/hwsw-tutorial.shtml
deleted file mode 100644
index bda1953759..0000000000
--- a/doc/html-manual/hwsw-tutorial.shtml
+++ /dev/null
@@ -1,220 +0,0 @@
-
-
-
-
-
-
-
CPROVER Manual TOC

-
-
Hardware and Software Equivalence and Co-Verification

-
-
A Small Tutorial

-
-
Verilog vs. ANSI-C

-
-

-We assume that CBMC is installed on your system. If not so, follow
-these instructions.

-
-

-The following Verilog module implements a 4-bit counter
-(counter.v):
-

-
-
module top(input clk);
-
-  reg [3:0] counter;
-
-  initial counter=0;
-
-  always @(posedge clk)
-    counter=counter+1;
-
-endmodule
-

-
-

-HW-CBMC can take Verilog modules as the one above as additional input. Similar
-as in co-simulation, the data in the Verilog modules is available to the C
-program by means of global variables. For the example above, the following C
-fragment shows the definition of the variable that holds the value
-of the counter register:
-

-
-
struct module_top {
-  unsigned int counter;
-};
-
-extern struct module_top top;
-

-
-

-Using this definition, the value of the counter register in the
-Verilog fragment above can be accessed as top.counter. Please note
-that the name of the variable must match the name of the top module.
-The C program only has a view of one state of the Verilog model. The Verilog
-model makes a transition once the function next_timeframe() is
-called.
-

-
-

-As CBMC performs Bounded Model Checking, the number of timeframes available
-for analysis must be bounded (SATABS
-has no such restriction). As it is
-desirable to change the bound to adjust it to the available computing
-capacity, the bound is given on the command line and not as part of the C
-program. This makes it easy to use only one C program for arbitrary bounds.
-The actual bound is available in the C program using the following
-declaration:
-

-
-
-extern const unsigned int bound;
-
-
-

-Also note that the fragment above declares a constant variable of struct
-type. Thus, the C program can only read the trace values and is not able to
-modify them. We will later on describe how to drive inputs of the Verilog
-module from within the C program.
-

-
-

-As described in previous chapters, assertions can be used to verify
-properties of the Verilog trace. As an example, the following program checks
-two values of the trace of the counter module
-(counter.c):
-

-
-
void next_timeframe();
-
-struct module_top {
-  unsigned int counter;
-};
-
-extern struct module_top top;
-
-int main() {
-  next_timeframe();
-  next_timeframe();
-  assert(top.counter==2);
-  next_timeframe();
-  assert(top.counter==3);
-}
-

-
-

-The following CBMC command line checks these assertions with a bound of
-20:
-

-
-

-
-hw-cbmc counter.c counter.v --module top --bound 20
-
-

-
-

-Note that a specific version of CBMC is used, called hw-cbmc.
-The module name given must match the name of the module in the Verilog
-file. Multiple Verilog files can be given on the command line.
-

-
-

-The --bound parameter is not to be confused with the --unwind
-parameter. While the --unwind parameter specifies the maximum
-unwinding depth for loops within the C program, the --bound parameter
-specifies the number of times the transition relation of the Verilog module
-is to be unwound.
-

-
-
Counterexamples

-
-

-For the given example, the verification is successful. If the first
-assertion is changed to
-

-
-
-  assert(top.counter==10);
-
-
-

-and the bound on the command line is changed to 6, CBMC will produce a
-counterexample. CBMC produces two traces: One for the C program, which
-matches the traces described earlier, and a separate trace for the Verilog
-module. The values of the registers in the Verilog module are also shown in
-the C trace as part of the initial state.
-

-
-
-Initial State

-----------------------------------------------------

-  bound=6 (00000000000000000000000000000110)

-  counter={ 0, 1, 2, 3, 4, 5, 6 }

-

-Failed assertion: assertion line 6 function main

-

-Transition system state 0

-----------------------------------------------------

-  counter=0 (0000)

-

-Transition system state 1

-----------------------------------------------------

-  counter=1 (0001)

-

-Transition system state 2

-----------------------------------------------------

-  counter=2 (0010)

-

-Transition system state 3

-----------------------------------------------------

-  counter=3 (0011)

-

-Transition system state 4

-----------------------------------------------------

-  counter=4 (0100)

-

-Transition system state 5

-----------------------------------------------------

-  counter=5 (0101)

-

-Transition system state 6

-----------------------------------------------------

-  counter=6 (0110)
-
-
-
Using the Bound

-
-

-The following program is using the bound variable to check the counter value
-in all cycles:
-

-
-
void next_timeframe();
-extern const unsigned int bound;
-
-struct module_top {
-  unsigned int counter;
-};
-
-extern struct module_top top;
-
-int main() {
-  unsigned cycle;
-
-  for(cycle=0; cycle<bound; cycle++) {
-    assert(top.counter==(cycle & 15));
-    next_timeframe();
-  }
-}
-

-
-

-CBMC performs bounds checking, and restricts the number of times that
-next_timeframe() can be called. SATABS does not re­quire a bound,
-and thus, next_timeframe() can be called arbitrarily many times.
-

-
-
-
diff --git a/doc/html-manual/hwsw.shtml b/doc/html-manual/hwsw.shtml
deleted file mode 100644
index 88fba4e5fe..0000000000
--- a/doc/html-manual/hwsw.shtml
+++ /dev/null
@@ -1,116 +0,0 @@
-
-
-
CPROVER Manual TOC

-
-
Hardware and Software Equivalence and Co-Verification

-
-
Introduction

-
-

-A common hardware design approach employed by many companies is to first
-write a quick prototype that behaves like the planned circuit in a language
-like ANSI-C. This program is then used for extensive testing and debugging,
-in particular of any embedded software that will later on be shipped with
-the circuit. An example is the hardware of a cell phone and its software.
-After testing and debugging of the program, the actual hardware design is
-written using hardware description languages like
-VHDL or
-Verilog.
-

-
-

-Thus, there are two implementations of the same design: one written in
-ANSI-C, which is written for simulation, and one written in register
-transfer level HDL, which is the actual product. The ANSI-C implementation
-is usually thoroughly tested and debugged.
-

-
-

-Due to market constraints, companies aim to sell the chip as soon as
-possible, i.e., shortly after the HDL implementation is designed. There is
-usually little time for additional debugging and testing of the HDL
-implementation. Thus, an automated, or nearly automated way of establishing
-the consistency of the HDL implementation is highly desirable.
-

-
-

-This motivates the verification problem: we want to verify the consistency
-of the HDL implementation, i.e., the product,
-
-using the ANSI-C implementation as a reference. Es­ta­bli­shing the consistency
-does not re­quire a formal specification. However, formal methods to verify
-either the hardware or software design are still desirable.
-

-
-
Related Work

-
-

-There have been several attempts in the past to tackle the problem. 
-
-Semeria et al. describe a tool for verifying the combinational equivalence of
-RTL-C and an HDL.  They translate the C code into HDL and use
-standard equivalence checkers to establish the equivalence.  The C code has
-to be very close to a hardware description (RTL level), which implies that
-the source and target have to be implemented in a very similar way.  There
-are also variants of C specifically for this purpose.  The SystemC standard defines a
-subset of C++ that can be used for synthesis.  Further
-variants of ANSI-C for specifying hardware are SpecC and Handel C, among
-others.

-
-

-The concept of verifying the equivalence of a software implementation and a
-synchronous transition system was introduced by
-Pnueli, Siegel, and
-Shtrichman. The C program is re­quired to be in a very
-specific form, since a mechanical translation is assumed.
-

-
-

-In 2000, 
-Currie, Hu, and Rajan transform DSP assembly language
-into an equation for the Stanford Validity Checker.
-The symbolic execution of programs for comparison with RTL is now
-common practice.
-

-
-

-The previous work focuses on a small subset of ANSI-C that is particularly
-close to register transfer language. Thus, the designer is often re­quired to
-rewrite the C program manually in order to comply with these constraints. We
-extend the methodology to handle the full set of ANSI-C language features.
-This is a challenge in the presence of complex, dynamic data structures and
-pointers that may dynamically point to multiple objects. Furthermore, our
-methodology allows arbitrary loop constructs.
-

-
-
Further Material

-
-
We provide a small 
-tutorial and a description on 
-how to synchronize inputs between the C model and the Verilog model.
-There is also a collection of 
-benchmark problems available.
-

-
-

-
Further Reading

-
-
-
 
-
-
-
diff --git a/doc/html-manual/index.shtml b/doc/html-manual/index.shtml
deleted file mode 100644
index 1e5690411f..0000000000
--- a/doc/html-manual/index.shtml
+++ /dev/null
@@ -1,62 +0,0 @@
-
-
-
Table of Contents

-
-
1. Introduction

-
-
2. Installation

-

-CBMC,
-SATABS,
-Eclipse plugin
-

-
-
3. CBMC – Bounded Model Checking

-
-

-A Short Tutorial,
-Loop Unwinding,
-Test Suite Generation
-

-
-
4. SATABS – Predicate Abstraction
-with SAT

-
-

-Introduction,
-Background,
-Tutorials
-

-
-
5. Modeling

-
-

-Nondeterminism,
-Assumptions and Assertions,
-Pointers,
-Floating Point
-

-
-
6. Hardware/Software Co-Verification

-
-

-Introduction,
-Tutorial,
-Mapping Variables,
-Synchronizing Inputs
-

-
-
7. Build Systems, Libraries and Instrumentation

-
-

-Introduction,
-Integration into Build Systems with goto-cc,
-Visual Studio Builds,
-Variants of goto-cc,
-Architectural Settings,
-Property Instrumentation
-with goto-instrument,
-The CPROVER API Reference
-

-
-
diff --git a/doc/html-manual/installation-cbmc.shtml b/doc/html-manual/installation-cbmc.shtml
deleted file mode 100644
index 2ee1a8df0e..0000000000
--- a/doc/html-manual/installation-cbmc.shtml
+++ /dev/null
@@ -1,80 +0,0 @@
-
-
-
CPROVER Manual TOC

-
-
Installing CBMC

-
-
Requirements

-
-

-CBMC is available for Windows, i86 Linux, and MacOS X. 
-CBMC requires a code pre-processing environment comprising of a
-suitable preprocessor and an a set of header files.

-
-
    
-
-
  1. 
-Linux: the preprocessor and the header files typically come with a
-package called gcc, which must be installed prior to the installation
-of CBMC.
-
    2. 
-
-
  2. 
-Windows: The Windows version of CBMC requires the preprocessor 
-cl.exe, which is part of Microsoft Visual Studio. We recommend
-the free Visual
-Studio Community 2013.
-
    3. 
-
-
  3. 
-MacOS: Install the
-XCode Command Line Utilities
-prior to installing CBMC. Just installing XCode alone is not enough.
-
    4. 
-
-

-
-

-Important note for Windows users: Visual Studio's
-cl.exe relies on a
-complex set of environment variables to identify the target architecture and
-the directories that contain the header files.
-You must run CBMC
-from within the Visual Studio Command Prompt.
-

-
-

-Note that the distribution files for the
-Eclipse plugin include the
-CBMC executable.  Therefore, if you intend to run CBMC
-exclusively within Eclipse, you can skip the installation of the
-CBMC executable.  However, you still have to install the compiler
-environment as described above.

-
-
Installing the CBMC Binaries

-
-
    
-
  1. Download CBMC for your operating system.
-The binaries are available from 
-http://www.cprover.org/cbmc/.
-
    2. 
-
-
  2. Unzip/untar the archive into a directory of your choice. 
-We recommend to add this directory to your PATH environment
-variable.
    3. 
-
-

-
-

-You are now ready to use CBMC!

-
-
Building CBMC from Source

-
-

-Alternatively, the CBMC source code is available via SVN.
-To compile the source code, follow
-these instructions.
-

-
-
-
diff --git a/doc/html-manual/installation-plugin.shtml b/doc/html-manual/installation-plugin.shtml
deleted file mode 100644
index 39e32cfe1b..0000000000
--- a/doc/html-manual/installation-plugin.shtml
+++ /dev/null
@@ -1,42 +0,0 @@
-
-
-
CPROVER Manual TOC

-
-
Installing the Eclipse Plugin

-
-
Requirements

-
-

-We provide a graphical user interface to CBMC and SATABS, which is
-realized as a plugin to the Eclipse framework.  Eclipse is available at http://www.eclipse.org.  We do not provide
-installation instructions for Eclipse (basically, you only have to download
-the current version and extract the files to your hard-disk) and assume that
-you have already installed the current version.

-
-

-CBMC and SATABS have their own requirements.  As an example, both CBMC
-and SATABS require a suitable preprocessor and a set of header files.  As
-first step, you should therefore follow the installation instructions for CBMC and SATABS.
-
-

-Important note for Windows users: Visual Studio's
-cl.exe relies on a
-complex set of environment variables to identify the target architecture and
-the directories that contain the header files.
-You must run Eclipse from within the
-Visual Studio Command Prompt.
-

-
-
Installing the Eclipse Plugin

-
-

-The installation instructions for the Eclipse Plugin, including the
-link to the download site, are available 
-here. This includes a small tutorial on how to use the Eclipse plugin.
-

-
-
-
diff --git a/doc/html-manual/installation-satabs.shtml b/doc/html-manual/installation-satabs.shtml
deleted file mode 100644
index 46ca303bd6..0000000000
--- a/doc/html-manual/installation-satabs.shtml
+++ /dev/null
@@ -1,139 +0,0 @@
-
-
-
CPROVER Manual TOC

-
-
Installing SATABS

-
-
Requirements

-
-

-SATABS is available for Windows, i86 Linux, and MacOS X. 
-SATABS requires a code pre-processing environment comprising of a
-suitable preprocessor and an a set of header files.

-
-
    
-
-
  1. Linux: the preprocessor and the header files typically come with a
-package called gcc, which must be installed prior to the installation
-of SATABS.
    2. 
-
-
  2. Windows: The Windows version of SATABS requires the preprocessor 
-cl.exe, which is part of Visual Studio (including
-the free Visual
-Studio Express).
    3. 
-
-
  3. MacOS: Install XCode
-prior to installing SATABS.
    4. 
-
-

-
-

-Important note for Windows users: Visual Studio's
-cl.exe relies on a
-complex set of environment variables to identify the target architecture and
-the directories that contain the header files.
-You must run SATABS
-from within the Visual Studio Command Prompt.
-

-
-

-Note that the distribution files for the
-Eclipse plugin include the
-command-line tools.  Therefore, if you intend to run SATABS
-exclusively within Eclipse, you can skip the installation of the
-command-line tools.  However, you still have to install the compiler
-environment as described above.

-
-
Choosing and Installing a Model Checker

-
-You need to install a Model Checker in order to be able
-to run SATABS. You can choose between following alternatives:
-
    
-
  • 
-Cadence SMV.
-Available from 
-http://www.kenmcmil.com/smv.html.
-Cadence SMV is a commercial model checker. The free version
-that is available on the homepage above must not be used for
-commercial purposes (read the license agreement thoroughly
-before you download the tool).
-The documentation for SMV can be found in the directory where 
-you unzip/untar SMV under ./smv/doc/smv/. Read the installation
-instructions carefully. The Linux/MacOS versions require
-setting environment variables. You must add
-add the directory containing the smv binary
-(located in ./smv/bin/, relative to the path where you
-unpacked it) to your PATH environment variable.
-SATABS uses Cadence SMV by default.
    
-
    • 
-
-
  • 
-NuSMV. Available from
-http://nusmv.irst.itc.it/.
-NuSMV is the open source alternative to Cadence SMV. Installation
-instructions and documentation can be found on the NuSMV homepage.
-The directory containing the NuSMV binary should be added
-to your PATH environment variable.
-Use the option
    
-
-
    
---modelchecker nusmv
-
    
-
-
    
-to instruct SATABS to use NuSMV.
    
-
    • 
-
-
  • 
-BOPPO. Available from 
-http://www.cprover.org/boppo/.
-BOPPO is a model checker that uses SAT-solving algorithms.
-BOPPO relies on a built-in SAT solver and Quantor, a solver
-for quantified boolean formulas that is currently bundled
-with BOPPO, but also available separately from
-http://fmv.jku.at/quantor/.
-We recommend to add the directories containing both tools to your
-PATH environment variable.
-Use the option
    
-
-
    
---modelchecker boppo
-
    
-
-
    
-when you call SATABS and want it to use BOPPO instead of SMV.
-
    
-
    • 
-
-
  • 
-BOOM. Available from 
-http://www.cprover.org/boom/. Boom has a number of unique features,
-including the verification of programs with unbounded thread creation.
-
    
-
    • 
-
-

-
-
Installing SATABS

-
-
    
-
  1. Download SATABS for your operating system.
-The binaries are available from 
-http://www.cprover.org/satabs/.
-
    2. 
-
-
  2. Unzip/untar the archive into a directory of your choice. 
-We recommend to add this directory to your PATH environment
-variable.
    3. 
-
-

-
-

-Now you can execute SATABS. Try running SATABS
-on the small examples presented in the 
-tutorial section. If you use the Cadence SMV model checker, the only
-command line arguments you have to specify are the names
-of the files that contain your program.
-

-
-
diff --git a/doc/html-manual/introduction.shtml b/doc/html-manual/introduction.shtml
deleted file mode 100644
index 687e056484..0000000000
--- a/doc/html-manual/introduction.shtml
+++ /dev/null
@@ -1,162 +0,0 @@
-
-
-
CPROVER Manual TOC

-
-
Introduction

-
-
Motivation

-
-

-Numerous tools to hunt down functional design flaws in silicon have
-been available for many years, mainly due to the enormous cost of hardware
-bugs. The use of such tools is wide-spread. In contrast, the market
-for tools that address the need for quality software is still in its
-infancy.

-
-

-Research in software quality has an enormous breadth.
-We focus the presentation using two criteria:

-
-
    
-
-
  1. 
-We believe that any form of quality requires a specific
-guarantee, in theory and practice.
    2. 
-
-
  2. The sheer size of software designs requires techniques that
-are highly automated.
    3. 
-
-

-
-

-In practice, quality guarantees usually do not refer to "total
-correctness" of a design, as ensuring the absence of all bugs is too
-expensive for most applications. In contrast, a guarantee of the
-absence of specific flaws is achievable, and is a good metric of
-quality.

-
-

-We document two programs that try to achieve formal guarantees of
-the absence of specific problems: CBMC and SATABS. The algorithms
-implemented by CBMC and SATABS are complementary, and often, one tool
-is able to solve a problem that the other cannot solve.

-
-

-Both CBMC and SATABS are verification tools for ANSI-C/C++ programs. They
-verify array bounds (buffer overflows), pointer safety, exceptions and
-user-specified assertions. Both tools model integer arithmetic accurately,
-and are able to reason about machine-level artifacts such as integer
-overflow. CBMC and SATABS are therefore able to detect a class of bugs that
-has so far gone unnoticed by many other verification tools. This manual
-also covers some variants of CBMC, which includes HW-CBMC
-for hardware/software co-verification.

-
-
Bounded Model Checking with CBMC

-
-

-CBMC implements a technique called Bounded Model Checking (BMC). In
-BMC, the transition relation for a complex state machine and its
-specification are jointly unwound to obtain a Boolean formula, which is then
-checked for satisfiability by using an efficient SAT procedure. If the
-formula is satisfiable, a counterexample is extracted from the output of the
-SAT procedure. If the formula is not satisfiable, the program can be unwound
-more to determine if a longer counterexample exists.

-
-

-In many engineering domains, real-time guarantees are a strict requirement.
-An example is software embedded in automotive controllers. As a consequence,
-the loop constructs in these types of programs often have a strict bound
-on the number of iterations. CBMC is able to formally verify such bounds
-by means of unwinding assertions. Once this bound is established,
-CBMC is able to prove the absence of errors.

-
-

-A more detailed description of how to apply CBMC verify programs is
-here.

-
-
Automatic Program Verification with SATABS

-
-

-In many cases, lightweight properties such as array bounds do not rely on
-the entire program. A large fraction of the program is irrelevant to
-the property. SATABS exploits this observation and computes an
-abstraction of the program in order to handle large amounts of code.
-

-
-

-In order to use SATABS it is not necessary to understand the abstraction
-refinement process. For the interested reader, a high-level introduction
-to abstraction refinement is provided
-here. We also provide
-tutorials on how to use SATABS.
-

-
-

-Just as CBMC, SATABS attempts to build counterexamples that refute the
-property. If such a counterexample is found, it is presented to the engineer
-to facilitate localization and repair of the program.
-

-
-

-
Example: Buffer Overflows

-
-

-In order to give a brief overview of the capabilities of CBMC and SATABS we
-start with a small example.
-The issue of buffer
-overflows has obtained wide public attention.  A
-buffer is a contiguously-allocated chunk of memory, represented by an array or
-a pointer in C.  Programs written in C do not provide automatic bounds
-checking on the buffer, which means a program can – accidentally or
-maliciously – write past a buffer.  The following example is a perfectly
-valid C program (in the sense that a compiler compiles it without any
-errors):

-
-
-int main() {

-  int buffer[10];

-  buffer[20] = 10;

-}
-
-

-However, the write access to an address outside the allocated memory
-region can lead to unexpected behavior.  In particular, such bugs can be
-exploited to overwrite the return address of a function, thus enabling the
-execution of arbitrary user-induced code.  CBMC and SATABS are able to
-detect this problem and reports that the "upper bound property" of the
-buffer is violated.  CBMC and SATABS are capable of checking these lower and
-upper bounds, even for arrays with dynamic size. A detailed discussion
-of the properties that CBMC and SATABS can check automatically
-is here.

-

-
-
Hardware/Software Co-Verification

-
-

-Software programs often interact with hardware in a non-trivial manner, and
-many properties of the overall design only arise from the interplay of both
-components. CBMC and SATABS therefore support Co-Verification,
-i.e., are able to reason about a C/C++ program together with a circuit
-description given in Verilog.

-
-

-These co-verification capabilities can also be applied to perform refinement
-proofs. Software programs are often used as high-level descriptions of
-circuitry. While both describe the same functionality, the hardware
-implementation usually contains more detail. It is highly desirable to
-establish some form for equivalence between the two descriptions.
-Hardware/Software co-verification and equivalence checking with CBMC and
-SATABS are described here.
-

-
-

-
Further Reading

-
-

-
-
-
diff --git a/doc/html-manual/libraries.shtml b/doc/html-manual/libraries.shtml
deleted file mode 100644
index 7ea2fe1bff..0000000000
--- a/doc/html-manual/libraries.shtml
+++ /dev/null
@@ -1,54 +0,0 @@
-
-
-
CPROVER Manual TOC

-
-
Build Systems and Libraries

-
-
The Problem

-
-

-Similar to unit testing, the model checking approach requires 
-the user to clearly define what parts of the program should
-be tested and what the behavior of these parts is.
-This requirement has following reasons:
-

-
-
    
-  
-
  •  Despite recent advances, the size of the programs that
-    model checkers can cope with is still restricted.
-
    • 
-  
-
  •  Typically, you want to verify your program and
-    not the libraries or the operating that it uses (the correctness of these
-    libraries and the OS us usually addressed separately).
-
    • 
-  
-
  •  CBMC and SATABS cannot verify binary libraries. 
-
    • 
-  
-
  •  CBMC and SATABS does not provide a
-    model for the hardware
-    (e.g., hard disk, input/output devices) the tested program
-    runs on. Since CBMC and SATABS are supposed to examine the
-    behavior of the tested program for all possible inputs
-    and outputs, it is reasonable to model input and output
-    by means of non-deterministic choice.
-
    • 
-
-

-
-
Further Reading

-
-

-Existing software projects usually do not come in a single source file that
-may simply be passed to a model checker, but is a collection of files held
-together by a build system. The ex­trac­tion of models from such
-a build system using goto-cc is described here.
-The ap­pli­ca­tion of goto-cc to the entire Linux kernel is described
-here. The problem of architectural
-pa­ram­e­ters (word with, endianness) is explained
-here.
-

-
-
diff --git a/doc/html-manual/modeling-assertions.shtml b/doc/html-manual/modeling-assertions.shtml
deleted file mode 100644
index 19ef6e65d1..0000000000
--- a/doc/html-manual/modeling-assertions.shtml
+++ /dev/null
@@ -1,152 +0,0 @@
-
-
-
-
-
-
-
CPROVER Manual TOC

-
-
Modeling with Assertions and Assumptions

-
-
Assertions

-
-
Assertions
-are statements within the program that attempt to capture the programmer's
-intent.  The ANSI-C standard defines a header file assert.h, which offers a
-macro assert(cond). When executing a statement such
-as

-
-
  assert(p!=NULL);
-

-
-
the execution is aborted with an error message if the
-condition evaluates to false, i.e., if p is NULL in the
-example above.  The CPROVER tools can check the validity of the
-programmer-annotated assertions statically.  Specifically, the CPROVER tools
-will check that the assertions hold for any nondeterministic choice
-that the program can make.  The static assertion checks can be disabled
-using the --no-assertions command line option.

-
-
In addition, there is a CPROVER-specific way
-to specify assertions, using the built-in function __CPROVER_assert:

-
-
  __CPROVER_assert(p!=NULL, "p is not NULL");
-

-
-
The (mandatory) string that is passed as the
-second argument provides an informal description of the assertion.
-It is shown in the list of properties together with the condition.

-
-
The assertion language of the CPROVER tools is
-identical to the language used for expressions.  Note that nondeterminism can be exploited in order
-to check a range of choices.  As an example, the following code fragment
-asserts that all elements of the array are zero:
-

-
-
  int a[100], i;
-
-  ...
-
-  i=nondet_uint();
-  if(i>=0 && i<100)
-    assert(a[i]==0);
-

-
-
The nondeterministic choice will guess the
-element of the array that is nonzero. The code fragment above
-is therefore equivalent to
-

-
-
  int a[100], i;
-
-  ...
-
-  for(i=0; i<100; i++)
-    assert(a[i]==0);
-

-
-
Future CPROVER releases will
-support explicit quantifiers with a syntax that resembles Spec#:
-

-
-
-

-__CPROVER_forall { type identifier ; expression }

-__CPROVER_exists { type identifier ; expression }
-

-
-
-
Assumptions

-
-
Assumptions are used to restrict nondeterministic
-choices made by the program. As an example, suppose we wish to model
-a nondeterministic choice that returns a number from 1 to 100. There
-is no integer type with this range. We therefore use __CPROVER_assume
-to restrict the range of a nondeterministically chosen integer:

-
-
unsigned int nondet_uint();
-
-unsigned int one_to_hundred()
-{
-  unsigned int result=nondet_uint();
-  __CPROVER_assume(result>=1 && result<=100);
-  return result;
-}

-
-
The function above returns the desired integer from 1
-to 100.  You must ensure that the condition given as
-an assumption is actually satisfiable by some nondeterministic choice, or
-otherwise the model checking step will pass vacuously.

-
-
Also note that assumptions are never retroactive: They
-only affect assertions (or other properties) that follow them in program
-order. This is best illustrated with an example. In the following fragment,
-the assumption has no effect on the assertion, which means that
-the assertion will fail:
-

-
-
  x=nondet_uint();
-  assert(x==100);
-  __CPROVER_assume(x==100);
-

-
-

-Assumptions do restrict the search space, but only for assertions that follow.
-As an example, the following program will pass:

-
-
int main() {
-  int x;
-
-  __CPROVER_assume(x>=1 && x<=100000);
-
-  x*=-1;
-
-  __CPROVER_assert(x<0, "x is negative");
-}
-

-
-
Beware that nondeterminism cannot be used to obtain
-the effect of universal quantification in assumptions. As an example,
-

-
-
int main() {
-  int a[10], x, y;
-
-  x=nondet_int();
-  y=nondet_int();
-  __CPROVER_assume(x>=0 && x<10 && y>=0 && y<10);
-
-  __CPROVER_assume(a[x]>=0);
-
-  assert(a[y]>=0);
-}
-

-
-
fails, as there is a choice of x and y which
-results in a counterexample (any choice in which x and y are different).
-

-
-
diff --git a/doc/html-manual/modeling-floating-point.shtml b/doc/html-manual/modeling-floating-point.shtml
deleted file mode 100644
index 8c0cdbeec4..0000000000
--- a/doc/html-manual/modeling-floating-point.shtml
+++ /dev/null
@@ -1,140 +0,0 @@
-
-
-
CPROVER Manual TOC

-
-
Floating Point

-
-
The CPROVER tools support bit-accurate reasoning about
-  IEEE-754 floating-point and fixed-point arithmetic.  The C standard
-  contains a number of areas of implementation-defined behaviour with regard
-  to floating-point arithmetic:

-
-
    
-
-
  • 
-  CPROVER supports C99 Appendix F, and thus,
-  the __STD_IEC_559__ macro is defined.  This means that
-  the C float data type maps to IEEE
-  754 binary32 and double maps
-  to binary64 and operations on them are as specified in
-  IEEE 754.
    • 
-
-
  • 
-  long double can be configured to
-  be binary64, binary128 (quad precision) or
-  a 96 bit type with 15 exponent bits and 80 significant bits.  The
-  last is an approximation of Intel's x87 extended precision double data
-  type.  As the C standard allows a implementations a fairly wide set
-  of options for long double, it is best avoided for both
-  portable code and bit-precise analysis.  The default is to match the
-  build architecture as closely as possible.
-  
    • 
-
-
  • 
-  In CPROVER, floating-point expressions are evaluated at the
-  'natural precision' (the greatest of the arguments) and not at a
-  higher precision.  This corresponds to FLT_EVAL_METHOD
-  set to 0.  Note that this is a different policy to
-  some platforms (see below).
-  
    • 
-
-
  • 
-  Expression contraction (for example, converting x * y +
-  c to fma(x,y,c)) is not performed.  In effect,
-  the FP_CONTRACT pragma is always off.
-  
    • 
-
-
  • 
-  Constant expressions are evaluated at `run' time wherever possible
-  and so will respect changes in the rounding mode.  In effect,
-  the FENV_ACCESS pragma is always off.  Note that
-  floating point constants are treated as doubles (unless they are
-  followed by f when they are float) as specified in the
-  C standard.  goto-cc
-  supports -fsingle-precision-constant, which allows the
-  (non-standard) treatment of constants as floats.
-  
    • 
-
-
  • 
-  Casts from int to float and float to float make use of the current
-  rounding mode.  Note that the standard requires that casts from
-  float to int use round-to-zero (i.e. truncation).
-  
    • 
-

-
-
x86 and Other Platform-specific Issues

-
-
Not all platforms have the same implementation-defined
-  behaviour as CPROVER.  This can cause mismatches between the verification
-  environment and the execution environment.  If this occurs, check the
-  compiler manual for the choices listed above.  There are two common cases
-  that can cause these problems: 32-bit x86 code and the use of unsafe
-  optimisations.

-
-
Many compilers that target 32-bit x86 platforms
-  employ a different evaluation method.  The extended precision
-  format of the x87 unit is used for all computations regardless of
-  their native precision.  Most of the time, this results in more
-  accurate results and avoids edge cases.  However, it can result in
-  some obscure and difficult to debug behaviour.  Checking
-  if the FLT_EVAL_METHOD macro is non-zero (for these
-  platforms it will typically be 2), should warn of these problems.
-  Changing the compiler flags to use the SSE registers will resolve
-  many of them, give a more standards-compliant platform and will
-  likely perform better.  Thus it is highly recommended.
-  Use -msse2 -mfpmath=sse to enable this option for
-  GCC.  Visual C++ does not have an option to force the exclusive use
-  of SSE instructions, but /arch:SSE2 will pick SSE
-  instructions "when it [the compiler] determines that it is faster to
-  use the SSE/SSE2 instructions" and is thus better
-  than /arch:IA32, which exclusively uses the x87 unit.

-
-
The other common cause of discrepancy between
-  CPROVER results and the actual platform are the use of unsafe
-  optimisations.  Some higher optimisation levels enable
-  transformations that are unsound with respect to the IEEE-754
-  standard.  Consult the compiler manual and disable any
-  optimisations that are described as unsafe (for
-  example, the GCC options -ffast-math).
-  The options -ffp-contract=off (which replaces
-  -mno-fused-madd), -frounding-math
-  and -fsignaling-nans are needed for GCC to be strictly
-  compliant with IEEE-754.

-
-
Rounding Mode

-
-
CPROVER supports the four rounding modes given by
-  IEEE-754 1985; round to nearest (ties to even), round up, round
-  down and round towards zero.  By default, round to nearest is used.
-  However, command line options (--round-to-zero, etc.) can
-  be used to over-ride this.  If more control is needed, CPROVER has
-  models of fesetround (for POSIX systems)
-  and _controlfp (for Windows), which can be used to change
-  the rounding mode during program execution. Furthermore,
-  the inline assembly commands fstcw/fnstcw/fldcw (on x86) can
-  be used.

-
-
The rounding mode is stored in the (thread local)
-  variable __CPROVER_rounding_mode, but users are strongly advised
-  not to use this directly.

-
-
Math Library

-
-
CPROVER implements some of math.h,
-  including fabs, fpclassify
-  and signbit.  It has very limited support for
-  elementary functions.  Care must be taken when verifying properties
-  that are dependent on these functions as the accuracy of
-  implementations can vary considerably.  The C compilers can (and
-  many do) say that the accuracy of these functions is unknown.

-
-
Fixed-point Arithmetic

-
-
CPROVER also has support for fixed-point types.
-  The --fixedbv flag
-  switches float, double and long
-  double to fixed-point types.  The length of these types is
-  platform specific.  The upper half of each type is the integer
-  component and the lower half is the fractional part.

-
-
diff --git a/doc/html-manual/modeling-nondet.shtml b/doc/html-manual/modeling-nondet.shtml
deleted file mode 100644
index 3b0809ffb7..0000000000
--- a/doc/html-manual/modeling-nondet.shtml
+++ /dev/null
@@ -1,65 +0,0 @@
-
-
-
CPROVER Manual TOC

-
-
Nondeterminism

-
-
Rationale

-
-
Programs typically read inputs from an environment. 
-These inputs can take the form of data read from a file, keyboard or network
-socket, or arguments passed on the command line.  It is usually desirable to
-analyze the program for any choice of these inputs.  In Model Checking,
-inputs are therefore modeled by means of nondeterminism, which means
-that the value of the input is not specified. The program may follow any
-computation that results from any choice of inputs.

-
-
Sources of Nondeterminism

-
-
The CPROVER tools support the following sources of nondeterminism:

-
-
    
-
  • functions that read inputs from the environments;
    • 
-
  • the thread schedule in concurrent programs;
    • 
-
  • initial values of local-scoped variables and memory allocated with
-malloc;
    • 
-
  • initial values of variables that are extern in all
-compilation units;
    • 
-
  • explicit functions for generating nondeterminism.
    • 
-

-
-
The CPROVER tools are shipped with a number of stubs
-for the most commonly used library functions. When executing a statement
-such as getchar(), a nondeterministic value is chosen instead
-of reading a character from the keyboard.
-
-
When desired, nondeterminism can be introduced
-explicitly into the program by means of functions that begin with the
-prefix nondet_. As an example, the following function
-returns a nondeterministically chosen unsigned short int:
-

-
-
unsigned short int nondet_ushortint();
-

-
-
Note that the body of the function is not defined.  The
-name of the function itself is irrelevant (save for the prefix), but must be
-unique.  Also note that a nondeterministic choice is not to be confused with
-a probabilistic (or random) choice.

-
-
Uninterpreted Functions

-
-
It may be necessary to check parts of a program
-independently. Nondeterminism can be used to over-approximate the
-behaviour of part of the system which is not being checked.  Rather
-than calling a complex or unrelated function, a nondeterministic stub
-is used. However, separate calls to the function can return different
-results, even for the same inputs.  If the function output only
-depends on its inputs then this can introduce spurious errors.  To
-avoid this problem, functions whose names begin with the
-prefix __CPROVER_uninterpreted_ are treated as
-uninterpreted functions.  Their value is non-deterministic but different
-invocations will return the same value if their inputs are the same.
-Note that uninterpreted functions are not supported by all back-end solvers.

-
-
diff --git a/doc/html-manual/modeling-pointers.shtml b/doc/html-manual/modeling-pointers.shtml
deleted file mode 100644
index fb3a506cf8..0000000000
--- a/doc/html-manual/modeling-pointers.shtml
+++ /dev/null
@@ -1,108 +0,0 @@
-
-
-
-
-
-
-
CPROVER Manual TOC

-
-
Pointer Model

-
-
Pointers in C

-
-
C programs (and sometimes C++ programs as well) make
-intensive use of pointers in order to decouple program code from specific
-data.  A pointer variable does not store data such as numbers or letters,
-but instead points to a location in memory that hold the relevant data.
-This section describes the way the CPROVER tools model pointers.
-

-
-
Objects and Offsets

-
-
The CPROVER tools represent pointers as a pair.  The
-first member of the pair is the object the pointer points to, and the
-second is the offset within the object.

-
-
In C, objects are simply continuous fragments of memory
-(this definition of "object" is not to be confused with the use of the term
-in object-oriented programming).  Variables of any type are guaranteed to be
-stored as one object, irrespectively of their type.  As an example, all
-members of a struct or array belong to the same object.  CPROVER simply
-assigns a number to each active object.  The object number of a pointer
-p can be extracted using the expression
-__CPROVER_POINTER_OBJECT(p).  As a consequence, pointers to
-different objects are always different, which is not sound.
-
-

-
-
The offset (the second member of the pair that forms a
-pointer) is relative to the beginning of the object; it uses byte
-granularity. As an example, the code fragment
-

-
-
  unsigned array[10];
-  char *p;
-
-  p=(char *)(array+1);
-  p++;
-

-
-
will result in a pointer with offset 5. The offset of
-a pointer p can be extracted using the expression
-__CPROVER_POINTER_OFFSET(p).

-
-
Dereferencing Pointers

-
-
The CPROVER tools require that pointers that
-are dereferenced point to a valid object. Assertions that check
-this requirement can be generated using the option --pointer-check
-and, if desired, --bounds-check. These options will ensure
-that NULL pointers are not dereferenced, and that dynamically
-allocated objects have not yet been deallocated.

-
-
Furthermore, the CPROVER
-tools check that dynamically allocated memory is not
-deallocated twice. The goto-instrument tool is also able
-to add checks for memory leaks, i.e., it detects dynamically
-allocated objects that are not deallocated once the program
-terminates.

-
-
The CPROVER tools support pointer typecasts.  Most
-casts are supported, with the following exceptions:
-

-
-
    
-
  1. 
-One notable exception is that pointers can only be
-accessed using a pointer type.  The conversion of a pointer into an
-integer-type using a pointer typecast is not supported.
-
    2. 
-
-
  2. 
-Casts from integers to pointers yield a pointer that is either
-NULL (if the integer is zero) or that point into a special
-array for modeling 
-memory-mapped I/O. Such pointers are assumed not to
-overlap with any other objects. This is, of course, only sound if
-a corresponding range check is instrumented.
-
    3. 
-
-
  3. 
-Accesses to arrays via pointers that have the array subtype need
-to be well-aligned.
-
    4. 
-
-

-
-
Pointers in Open Programs

-
-
It is frequently desired to validate an open program,
-i.e., a fragment of a program. Some variables are left undefined. In case
-an undefined pointer is dereferenced, CBMC assumes that the pointer
-points to a separate object of appropriate type with unbounded size.
-The object is assumed not to alias with any other object.
-This assumption may obviously be wrong in specific extensions
-of the program.
-

-
-
diff --git a/doc/html-manual/pid_test_suites.xml b/doc/html-manual/pid_test_suites.xml
deleted file mode 100644
index 014fea1229..0000000000
--- a/doc/html-manual/pid_test_suites.xml
+++ /dev/null
@@ -1,500 +0,0 @@
-
-
-CBMC 5.5
-
-  CBMC version 5.5 64-bit x86_64 macos
-
-
-
-  Parsing pid.c
-
-
-
-  Converting
-
-
-
-  Type-checking pid
-
-
-
-  
-  function `nondet_float' is not declared
-
-
-
-  Generating GOTO Program
-
-
-
-  Adding CPROVER library (x86_64)
-
-
-
-  Removal of function pointers and virtual functions
-
-
-
-  Partial Inlining
-
-
-
-  Generic Property Instrumentation
-
-
-criterion: mcdc
-
-
-  Instrumenting coverage goals
-
-
-
-  Starting Bounded Model Checking
-
-
-
-  Unwinding loop main.0 iteration 1 (6 max) file pid.c line 56 function main thread 0
-
-
-
-  Unwinding loop main.0 iteration 2 (6 max) file pid.c line 56 function main thread 0
-
-
-
-  Unwinding loop main.0 iteration 3 (6 max) file pid.c line 56 function main thread 0
-
-
-
-  Unwinding loop main.0 iteration 4 (6 max) file pid.c line 56 function main thread 0
-
-
-
-  Unwinding loop main.0 iteration 5 (6 max) file pid.c line 56 function main thread 0
-
-
-
-  Not unwinding loop main.0 iteration 6 (6 max) file pid.c line 56 function main thread 0
-
-
-
-  size of program expression: 416 steps
-
-
-
-  Generated 114 VCC(s), 108 remaining after simplification
-
-
-
-  Passing problem to propositional reduction
-
-
-
-  converting SSA
-
-
-
-  Aiming to cover 19 goal(s)
-
-
-
-  Running propositional reduction
-
-
-
-  Post-processing
-
-
-
-  Solving with MiniSAT 2.2.1 with simplifier
-
-
-
-  131818 variables, 553801 clauses
-
-
-
-  SAT checker: instance is SATISFIABLE
-
-
-
-  Covered decision/condition `1 != 0' true
-
-
-
-  Solving with MiniSAT 2.2.1 with simplifier
-
-
-
-  131818 variables, 395675 clauses
-
-
-
-  SAT checker: instance is SATISFIABLE
-
-
-
-  Covered MC/DC independence condition `!(pprz >= (float)0) && pprz <= (float)(16 * 600)'
-
-
-
-  Covered decision `pprz >= (float)0 && pprz <= (float)(16 * 600)' false
-
-
-
-  Covered condition `pprz >= (float)0' false
-
-
-
-  Covered decision/condition `pprz > (float)(16 * 600)' false
-
-
-
-  Covered condition `pprz <= (float)(16 * 600)' true
-
-
-
-  Covered decision/condition `desired_climb > (float)0' false
-
-
-
-  Covered decision/condition `climb_sum_err > (float)10' false
-
-
-
-  Covered decision/condition `climb_sum_err < (float)-10' false
-
-
-
-  Solving with MiniSAT 2.2.1 with simplifier
-
-
-
-  131818 variables, 393279 clauses
-
-
-
-  SAT checker: instance is SATISFIABLE
-
-
-
-  Covered MC/DC independence condition `pprz >= (float)0 && !(pprz <= (float)(16 * 600))'
-
-
-
-  Covered condition `pprz >= (float)0' true
-
-
-
-  Covered decision/condition `pprz > (float)(16 * 600)' true
-
-
-
-  Covered condition `pprz <= (float)(16 * 600)' false
-
-
-
-  Covered decision/condition `desired_climb > (float)0' true
-
-
-
-  Solving with MiniSAT 2.2.1 with simplifier
-
-
-
-  131818 variables, 391285 clauses
-
-
-
-  SAT checker: instance is SATISFIABLE
-
-
-
-  Covered MC/DC independence condition `pprz >= (float)0 && pprz <= (float)(16 * 600)'
-
-
-
-  Covered decision `pprz >= (float)0 && pprz <= (float)(16 * 600)' true
-
-
-
-  Solving with MiniSAT 2.2.1 with simplifier
-
-
-
-  131818 variables, 390122 clauses
-
-
-
-  SAT checker: instance is SATISFIABLE
-
-
-
-  Covered decision/condition `climb_sum_err < (float)-10' true
-
-
-
-  Solving with MiniSAT 2.2.1 with simplifier
-
-
-
-  131818 variables, 390121 clauses
-
-
-
-  SAT checker: instance is SATISFIABLE
-
-
-
-  Covered decision/condition `climb_sum_err > (float)10' true
-
-
-
-  Solving with MiniSAT 2.2.1 with simplifier
-
-
-
-  131818 variables, 387493 clauses
-
-
-
-  SAT checker inconsistent: instance is UNSATISFIABLE
-
-
-
-  Runtime decision procedure: 3.806s
-
-
-
-  
-
-
-
-  
-
-
-
-  
-
-
-
-  
-
-
-
-  
-
-
-
-  
-
-
-
-  
-
-
-
-  
-
-
-
-  
-
-
-
-  
-
-
-
-  
-
-
-
-  
-
-
-
-  
-
-
-
-  
-
-
-
-  
-
-
-
-  
-
-
-
-  
-
-
-
-  
-
-
-
-  
-
-
-
-  
-  
-
-
-
-  
-    
-      -1.000000
-    
-    
-      1.000000
-    
-  
-  
-  
-  
-  
-  
-  
-  
-  
-
-
-
-  
-    
-      -1.000000
-    
-    
-      1.000000
-    
-    
-      1.000000
-    
-    
-      -1.000000
-    
-  
-  
-  
-  
-  
-  
-
-
-
-  
-    
-      0.000000
-    
-    
-      -1.000000
-    
-    
-      1.000000
-    
-    
-      -1.000000
-    
-  
-  
-  
-
-
-
-  
-    
-      1.000000
-    
-    
-      -1.000000
-    
-    
-      1.000000
-    
-    
-      -1.000000
-    
-    
-      1.000000
-    
-    
-      -1.000000
-    
-    
-      1.000000
-    
-    
-      -1.000000
-    
-    
-      0.000000
-    
-    
-      -1.000000
-    
-    
-      1.000000
-    
-    
-      -1.000000
-    
-  
-  
-
-
-
-  
-    
-      -1.000000
-    
-    
-      1.000000
-    
-    
-      -1.000000
-    
-    
-      1.000000
-    
-    
-      -1.000000
-    
-    
-      1.000000
-    
-    
-      -1.000000
-    
-    
-      1.000000
-    
-    
-      -1.000000
-    
-    
-      1.000000
-    
-    
-      -1.000000
-    
-    
-      1.000000
-    
-  
-  
-
-
-
-  ** 18 of 19 covered (94.7%)
-
-
-
-  ** Used 7 iterations
-
-
-
diff --git a/doc/html-manual/properties.shtml b/doc/html-manual/properties.shtml
deleted file mode 100644
index af49380998..0000000000
--- a/doc/html-manual/properties.shtml
+++ /dev/null
@@ -1,208 +0,0 @@
-
-
-
CPROVER Manual TOC

-
-
Property Instrumentation

-
-
Properties

-
-

-We have mentioned properties several times so far, but we never
-explained what kind of properties CBMC
-and SATABS can verify.  We
-cover this topic in more detail in this section.

-
-

-Both CBMC and SATABS use 
-assertions to specify program properties. Assertions are properties of
-the state of the program when the program reaches a particular program
-location. Assertions are often written by the programmer by means of the
-assert macro.

-
-

-In addition to the assertions written by the programmer, assertions
-for specific properties can also be generated automatically
-by CBMC and SATABS, often relieving the programmer from writing
-"obvious" assertions.

-
-

-CBMC and SATABS come with an assertion generator called
-goto-instrument, which performs a conservative
-static analysis
-to determine program locations that potentially
-contain a bug. Due to the imprecision of the static
-analysis, it is important to emphasize that these
-generated assertions are only potential bugs, and
-that the Model Checker first needs to confirm that
-they are indeed genuine bugs.

-
-

-The assertion generator can generate assertions for
-the verification of the following properties:

-
-
    
-
  • 
-
    
-Buffer overflows.
-For each array access, check whether the upper and lower bounds
-are violated.
-
    • 
-
-
  • 
-Pointer safety. Search for NULL-pointer
-dereferences or dereferences of other invalid pointers.
-
    
-
    • 
-
-
  • 
-Division by zero.
-Check whether there is a division by zero in the program.
-
    
-
    • 
-
-
  • 
-Not-a-Number.
-Check whether floating-point computation may result in
-NaNs.
-
    
-
    • 
-
-
  • 
-Unitialized local.
-Check whether the program uses an uninitialized local variable.
-
    
-
    • 
-
-
  • 
-Data race.
-Check whether a concurrent program accesses a shared variable
-at the same time in two threads.
-
    
-
    • 
-
-

-
-
We refrain from explaining the properties above in
-detail.  Most of them relate to behaviors that are left undefined by the
-respective language semantics.  For a discussion on why these behaviors are
-usually very undesirable, read this blog post by John
-Regehr.

-
-

-All the properties described above are reachability properties.
-They are always of the form
-

-
-

-"Is there a path through the program such that property ...
-is violated?"
-

-
-

-The counterexamples to such properties are always
-program paths. Users of the Eclipse plugin can step through 
-these  counterexamples in a way that is similar to debugging programs.
-The installation of this plugin is explained 
-here.
-

-
-
Using goto-instrument

-
-

-The goto-instrument static analyzer operates on goto-binaries, which
-is a binary representation of control-flow graphs. The goto-binary
-is extracted from program source code using goto-cc, which
-is explained here.
-Given a goto-program, goto-instrument operates as follows:
-

-
-

-
    
-
  1. A goto-binary is read in.
    2. 
-
  2. The specified static analyses are performed.
    3. 
-
  3. Any potential bugs found are transformed into corresponding
-assertions, and are added into the program.
    4. 
-
  4. A new goto-binary (with assertions) is written to disc.
    5. 
-

-

-
-

-

-As an example, we begin with small C program we call
-expr.c
-(taken from here):
-

-
-

-
int *ptr;
-
-int main(void) {
-  if (ptr)
-    *ptr = 0;
-  if (!ptr)
-    *ptr = 1;
-}

-

-
-

-The program contains an obvious NULL-pointer dereference.
-We first compile the example program with goto-cc and
-then instrument the resulting goto-binary with
-pointer checks.
-

-
-

-
-  goto-cc expr.c -o in.gb

-  goto-instrument in.gb out.gb --pointer-check
-
-

-
-

-We can now get a list of the assertions that have been generated
-as follows:
-

-
-

-
-  goto-instrument out.gb --show-properties
-
-

-
-
Using either CBMC or SATABS on out.gb,
-we can obtain a counterexample trace for the NULL-pointer dereference:
-

-
-

-
-  cbmc out.gb
-
-

-

-
-
The goto-instrument program supports the following
-checks:
-

-
-
-
-
-
-
-
-
-
-
-
-
-
--no-assertions           ignore user assertions
--bounds-check            add array bounds checks
--div-by-zero-check       add division by zero checks
--pointer-check           add pointer checks
--signed-overflow-check   add arithmetic over- and underflow checks
--unsigned-overflow-check add arithmetic over- and underflow checks
--undefined-shift-check   add range checks for shift distances
--nan-check               add floating-point NaN checks
--uninitialized-check     add checks for uninitialized locals (experimental)
--error-label labelcheck that given label is unreachable

-
-

-
Further Reading

-
-

-
-
diff --git a/doc/html-manual/satabs-aeon.shtml b/doc/html-manual/satabs-aeon.shtml
deleted file mode 100644
index 3f078d406f..0000000000
--- a/doc/html-manual/satabs-aeon.shtml
+++ /dev/null
@@ -1,266 +0,0 @@
-
-
-
-
-
-
-
CPROVER Manual TOC

-
-
SATABS – Predicate Abstraction with SAT

-
-
Tutorials

-
-
Example: Buffer Overflow in a Mail Transfer Agent

-
-

-
-We explain how to model check Aeon version 0.2a, a small
-mail transfer agent written by Piotr Benetkiewicz. The description
-advertises Aeon as a "good choice for hardened or
-minimalistic boxes". The sources are available
-
-here.

-
-

-Our first naive attempt to verify Aeon using 
-

-
-

-satabs *.c
-

-
-

-produces a positive result, but also warns us that the property holds
-trivially.  It also reveals that a large number library functions are
-missing: SATABS is unable to find the source code for library functions like
-send, write and close.
-

-
-

-Now, do you have to provide a body for all missing library functions?
-There is no easy answer to this question, but a viable answer would
-be "most likely not". It is necessary to understand how SATABS 
-handles functions without bodies: It simply assumes that such a function
-returns an arbitrary value, but that no other
-locations than the one on the left hand side of the assignment are
-changed. Obviously, there are cases in which this assumption is
-un­sound, since the function potentially modifies all memory locations
-that it can somehow address.
-

-
-

-We now use static analysis to generate array bounds checks for
-Aeon:
-

-
-

-satabs *.c --pointer-check --bounds-check --show-properties
-

-
-

-SATABS will show about 300 properties in various functions
-(read this for more information
-on the property instrumentation).
-Now consider the first few lines of the main function 
-of Aeon:
-

-
-
int main(int argc, char **argv)
-{
-  char settings[MAX_SETTINGS][MAX_LEN];
-  ...
-  numSet = getConfig(settings);
-  if (numSet == -1) {
-    logEntry("Missing config file!");
-    exit(1);
-  }
-  ...
-

-
-

-and the function getConfig in lib_aeon.c:
-

-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
int getConfig(char settings[MAX_SETTINGS][MAX_LEN])
{
  char home[MAX_LEN];
FILE *fp;                    /* .rc file handler */
int numSet = 0;              /* number of settings */
 
strcpy(home, getenv("HOME"));  /* get home path */
strcat(home, "/.aeonrc");    /* full path to rc file */
fp = fopen(home, "r");
if (fp == NULL) return -1;   /* no cfg - ERROR */

-
  while (fgets(settings[numSet], MAX_LEN-1, fp)
    && (numSet < MAX_SETTINGS)) numSet++;
fclose(fp);
 
return numSet;
}

-
-
-

-The function getConfig makes calls to 
-strcpy, strcat, getenv, fopen,
-fgets, and fclose. 
-It is very easy to provide an implementation for the functions from
-the string library (string.h), and SATABS comes with meaningful definitions
-for most of them.
-The definition of getenv is not so straight-forward.
-The man-page of getenv (which we obtain by entering
-man 3 getenv in a Unix or cygwin command prompt) tells us:
-

-
-

-
-`getenv'  searches  the  list  of en­vi­ron­ment 
-variable names and values
-(using the global pointer char **environ) 
-for a variable whose name
-matches  the  string  at NAME. If a variable name matches, 
-getenv returns a pointer to the associated value.
-
-

-
-

-SATABS has no information whatsoever about the content of
-environ. Even if SATABS could access the
-en­vi­ron­ment variables on your computer, a successful verification
-of Aeon would then only guarantee that the properties for
-this program hold on your computer with a specific set of
-en­vi­ron­ment variables. We have to assume that environ
-contains en­vi­ron­ment variables that have an arbitrary content
-of arbitrary length. The content of en­vi­ron­ment
-variables is not only arbitrary but could be malefic, since it
-can be modified by the user.  The approximation of the behavior of
-getenv that is shipped with SATABS completely ignores the
-content of the string.

-
-

-Now let us have another look at the properties that SATABS generates for the
-models of the the string library and for getenv.  Most of these
-properties require that we verify that the upper and lower bounds of buffers or
-arrays are not violated.  Let us look at one of the properties that SATABS
-generates for the code in function getConfig:
-

-
-

-
-Claim getConfig.3:

-  file lib_aeon.c line 19 function getConfig

-  dereference failure: NULL plus offset pointer

-  !(SAME-OBJECT(src, NULL))
-
-

-
-
The model of the function strcpy
-dereferences the pointer returned by getenv, which may
-return a NULL pointer. This possibility is detected by the static
-analysis, and thus a corresponding property is generated. Let us 
-check this specific property:
-

-
-

-satabs *.c --pointer-check --bounds-check --property getConfig.3
-

-
-
SATABS immediately returns a counterexample path
-that demonstrates how getenv returns a NULL, which
-is subsequently dereferenced. We have identified the first
-bug in this program: it requires that the environment variable
-HOME is set, and crashes otherwise.
-

-
-
Let us examine one more property in the
-same function:

-
-

-Claim getConfig.7:

-  file lib_aeon.c line 19 function getConfig

-  dereference failure: array `home' upper bound

-  !(POINTER_OFFSET(dst) + (int)i >= 512) || !(SAME-OBJECT(dst, &home[0]))

-

-
-

-This property asserts that the upper bound of the array home
-is not violated. The variable home
-looks familiar: We encountered it in the function getConfig
-given above. The function getenv in combination with functions
-strcpy, strcat or sprintf is indeed
-often the source for buffer overflows. Therefore, we try to use SATABS
-to check the upper bound of the array home:
-

-
-

-satabs *.c --pointer-check --bounds-check --property getConfig.7
-

-
-

-SATABS runs for quite a while and will eventually give up,
-telling us that its upper bound for abstraction refinement iterations
-has been exceeded. This is not exactly the result we were hoping for,
-and we could now increase the bound for iterations with help of the
---iterations command line switch of SATABS.
-

-
-

-Before we do this, let us investigate why SATABS has failed to provide
-a useful result. The function strcpy contains a loop
-that counts from 1 to the length of the input string. Predicate
-abstraction, the mechanism SATABS is based on, is unable to detect
-such loops and will therefore unroll the loop body as often as necessary.
-The array home has MAX_LEN elements, and 
-MAX_LEN is defined to be 512 in aeon.h. 
-Therefore, SATABS would have to run through at least 512 iterations, only to
-verify (or reject) one of the more than 300 properties! Does this fact
-defeat the purpose of static verification?
-

-
-

-We can make the job easier: after reducing the value of MAX_LEN
-in aeon.h to a small value, say to 10, SATABS provides a
-counterexample trace that demonstrates how the buffer overflow be
-reproduced.  If you use the Eclipse plugin (as described here), you can step through this
-counterexample. The trace contains the string that is returned
-by getenv.
-

-
-
-
-
-
diff --git a/doc/html-manual/satabs-background.shtml b/doc/html-manual/satabs-background.shtml
deleted file mode 100644
index b6d20fb08f..0000000000
--- a/doc/html-manual/satabs-background.shtml
+++ /dev/null
@@ -1,152 +0,0 @@
-
-
-
CPROVER Manual TOC

-
-
SATABS – Predicate Abstraction with SAT

-
-
Background

-
-
Sound Abstractions

-
-

-This section provides background information on how SATABS operates.  Even
-for very trivial C programs it is impossible to exhaustively examine their
-state space (which is potentially unbounded).  However, not all details in a
-C program necessarily contribute to a bug, so it may be sufficient to only
-examine those parts of the program that are somehow related to a bug.

-
-

-In practice, many static verification tools (such as lint) try to
-achieve this goal by applying heuristics.  This approach comes at a cost:
-bugs might be overlooked because the heuristics do not cover all relevant
-aspects of the program.  Therefore, the conclusion that a program is correct
-whenever such a static verification tool is unable to find an error is
-invalid.
-

-
-

-CEGAR Loop
-

-
-

-A more sophisticated approach that has been very successful recently
-is to generate a sound abstraction of the original program.
-In this context, soundness refers to the fact that the abstract program
-contains (at least) all relevant behaviors (i.e., bugs) that are present
-in the original program. In the Figure above, the first component 
-strips details from the original program. The number of possible behaviors
-increases as the number of details in the abstract program decreases.
-Intuitively, the reason is that whenever the model checking tool lacks the
-information that is necessary to make an accurate decision on whether a 
-branch of an control flow statement can be taken or not, both branches
-have to be considered.

-
-

-In the resulting abstract program, a set of concrete 
-states is subsumed by means of a single abstract state. Consider
-the following figure:
-

-
-

-
-

-
-

-The concrete states x1
-and x2 are mapped to an
-abstract state X, and similarly
-Y subsumes
-y1
-and y2.
-However, all transitions that are possible in the concrete program are also
-possible in the abstract model.  The abstract transition
-XY
-summarizes the concrete transitions
-x1y1
-and x1 →
-x1, and Y →
-X
-corresponds to x1 →
-x2.  The
-behavior 
-XY → 
-X is feasible in the original program,
-because it maps to
-x1 →
-x1 →
-x2.  However,
-Y →
-X →
-Y
-is feasible only in the abstract model.

-
-
Spurious Counterexamples

-
-

-The consequence is that the model checker (component number two in the
-figure above) possibly reports a spurious counterexample.  We call a
-counterexample spurious whenever it is feasible in the current abstract
-model but not in the original program.  However, whenever the model checker
-is unable to find an execution trace that violates the given property, we
-can conclude that there is no such trace in the original program, either.
-

-
-

-The feasibility of counterexamples is checked by symbolic simulation
-(performed by component three in the figure above).  If the counterexample
-is indeed feasible, SATABS found a bug in the original program and reports
-it to the user.
-

-
-
Automatic Refinement

-
-

-On the other hand, infeasible counterexamples
-(that originate from abstract behaviors that
-result from the omission of details and are not present in the original
-program) are never reported to the user.  Instead, the information is used
-in order to refine the abstraction such that the spurious counterexample is
-not part of the refined model anymore.  For instance, the reason for the
-infeasibility of Y
-→ X →
-Y is
-that neither
-y1 nor
-x1 can
-be reached from
-x2.
-Therefore, the abstraction can be refined by partitioning 
-X.
-

-
-

-The refinement steps can be illustrated as follows:
-

-
-

-Iterative refinement
-

-
-

-The first step (1) is to generate a very coarse abstraction with
-a very small state space. This abstraction is then successively
-refined (2, 3, ...) until either a feasible counterexample is found or the 
-abstract program is detailed enough to show that there is no
-path that leads to a violation of the given property. The problem
-is that this point is not necessarily reached for every input program,
-i.e., it is possible that the the abstraction refinement loop never
-terminates. Therefore, SATABS allows to specify an upper
-bound for the number of iterations.
-

-
-

-

-When this upper bound is reached and no counterexample was found,
-this does not necessarily mean that there is none. In this case, 
-you cannot make any conclusions at all with respect to the correctness 
-of the input program.
-

-

-
-
diff --git a/doc/html-manual/satabs-driver.shtml b/doc/html-manual/satabs-driver.shtml
deleted file mode 100644
index 2774b3fef6..0000000000
--- a/doc/html-manual/satabs-driver.shtml
+++ /dev/null
@@ -1,264 +0,0 @@
-
-
-
-
-
-
-
CPROVER Manual TOC

-
-
SATABS – Predicate Abstraction with SAT

-
-
Tutorials

-
-
Example: Reference Counting in Linux Device Drivers

-
-

-Microsoft's SLAM toolkit
-has been successfully used to find bugs in Windows device drivers.  SLAM
-automatically verifies device driver whether a device driver adheres to a
-set of specifications.  SLAM provides a test harness for device drivers that
-calls the device driver dispatch routines in a non-deterministic order. 
-Therefore, the Model Checker examines all combinations of calls.  Motivated
-by the success this approach, we provide a toy example based on Linux device
-drivers. For a more complete approach to the verification of Linux
-device drivers, consider DDVerify.
-

-
-

-Dynamically loadable modules enable the Linux Kernel to load device drivers
-on demand and to release them when they are not needed anymore.  When a
-device driver is registered, the kernel provides a major number that is used
-to uniquely identify the device driver.  The corresponding device can be
-accessed through special files in the filesystem; by convention, they are
-located in the /dev directory.  If a process accesses a device file
-the kernel calls the corresponding open, read and
-write functions of the device driver.  Since a driver must not be
-released by the kernel as long as it is used by at least one process, the
-device driver must maintain a usage counter (in more recent Linux kernels, this
-is done automatically, however, drivers that must maintain backward
-compatibility have to adjust this counter).
-

-
-

-We provide a skeleton of such a driver. Download the
-files
-spec.c,
-driver.c,
-driver.h,
-kdev_t.h, and
-modules.h.
-

-
-

-The driver contains following functions:

-
-
    
-
-  
  1.  register_chrdev:
-    (in spec.c) 
-    Registers a character device. In
-    our implementation, the function sets the variable usecount
-    to zero and returns a major number for this device (a constant, if
-    the user provides 0 as argument for the major number, and the value
-    specified by the user otherwise).
-  
    
-
-
    int usecount;
-
-int register_chrdev (unsigned int major, const char* name)
-{
-  usecount = 0;
-  if (major == 0)
-    return MAJOR_NUMBER;
-  return major;
-}
    
-
-
    2. 
-
-  
  2.  unregister_chrdev: (in spec.c)
-    Unregisters a character device.
-    This function asserts that the device is not used by any process
-    anymore (we use the macro MOD_IN_USE to check this).
-  
    
-
-
    int unregister_chrdev (unsigned int major, const char* name)
-{
-  if (MOD_IN_USE)
-    {
-    ERROR: assert (0);
-    }
-  else
-    return 0;
-}
    
-
    3. 
-
-  
  3.  dummy_open: (in
-    driver.c) This function
-    increases the usecount. If the device is locked by
-    some other process dummy_open returns -1. Otherwise
-    it locks the device for the caller.     
-  
    
-
    4. 
-
-
  4.  dummy_read: (in driver.c) This function
-    "simulates" a read access to the device. In fact it does 
-    nothing, since we are currently not interested in the potential buffer
-    overflow that may result from a call to this function.
-    Note the usage of
-    the function nondet_int: 
-    This is an internal SATABS-function that non­determi­nistically
-    returns an arbitrary integer
-    value. The function __CPROVER_assume
-    tells SATABS to ignore
-    all traces that do not adhere to the given assumption. Therefore,
-    whenever the lock is held, dummy_read will 
-    return a value between 0 and  max. If the lock is not held,
-    then dummy_read returns -1.
-  
    
-
    5. 
-
-
  5.  dummy_release: (in driver.c) If the lock
-is held, then dummy_release decreases
-the usecount, releases the lock, and returns 0. Otherwise,
-the function returns -1.
-
    6. 
-
-

-
-

-We now want to check if any valid sequence of calls of the 
-dispatch functions (in driver.c) can lead to the violation 
-of the assertion (in spec.c).
-Obviously, a call to dummy_open that is immediately followed
-by a call to unregister_chrdev violates the assertion.
-

-
-

-The function main in spec.c gives an example of
-how these functions are called. First, a character device
-"dummy" is registered. The major number is stored
-in the inode structure of the device. The values
-for the file structure are assigned non-deterministically.
-We rule out invalid sequences of calls by ensuring
-that no device is unregistered while it is still locked.
-We use the following model checking harness for calling the
-dispatching functions:
-

-
-
      random = nondet_uchar ();
-      __CPROVER_assume (0 <= random && random <= 3);
-
-      switch (random)
-      {
-      case 1: 
-        rval = dummy_open (&inode, &my_file);
-        if (rval == 0)
-          lock_held = TRUE;
-        break;
-      case 2:
-        __CPROVER_assume (lock_held);
-        count = dummy_read (&my_file, buffer, BUF_SIZE); 
-        break;
-      case 3:
-        dummy_release (&inode, &my_file);
-        lock_held = FALSE;
-        break;
-      default:
-        break;
-      }
-

-
-

-The variable random is assigned non-deterministically.
-Subsequently, the value of random
-is restricted to be 0 &le random ≤ 3 by a call to
-__CPROVER_assume. Whenever the value of random is
-not in this interval, the corresponding execution trace is simply 
-discarded by SATABS. Depending on the value of random, the
-harness calls either dummy_open, dummy_read or
-dummy_close. Therefore, 
-if there is a sequence of calls to these three
-functions that leads to a violation of the assertion in 
-unregister_chrdev, then SATABS
-will eventually consider it.
-

-
-

-If we ask SATABS to show us the properties it verifies with
-

-
-

-satabs driver.c spec.c --show-properties
-

-
-

-for our example, we obtain 
-

-
-
    
-
-
  1. 
-Claim unregister_chrdev.1:
    
-    file spec.c line 18 function unregister_chrdev
    
-    MOD_IN_USE in unregister_chrdev
    
-    FALSE
-
    
-
    2. 
-
-
  2. 
-Claim dummy_open.1:
    
-    file driver.c line 15 function dummy_open
    
-    i_rdev mismatch
    
-    (unsigned int)inode->i_rdev >> 8 == (unsigned int)dummy_major
-
    
-
    3. 
-
-

-
-

-It seems obvious that the property dummy_open.1
-can never be violated. SATABS confirms
-this assumption: We call
-

-
-

-satabs driver.c spec.c --property dummy_open.1
-

-
-

-and SATABS reports VERIFICATION SUCCESSFUL after a few iterations.
-

-
-
 If we try to verify property unregister_chrdev.1, SATABS
-reports that the property in line 18 in file spec.c is violated (i.e., the
-assertion does not hold, therefore the VERIFICATION FAILED). 
-Furthermore, SATABS provides a detailed description of the problem in the
-form of a counterexample (i.e., an execution trace that violates the
-property).  On this trace, dummy_open is called twice,
-leading to a usecount of 2. The second call of course fails
-with rval=-1, but the counter is increased nevertheless:
-

-
-
int dummy_open (struct inode *inode, struct file *filp)
-{
-  __CPROVER_assert(MAJOR (inode->i_rdev) == dummy_major,
-      "i_rdev mismatch");
-  MOD_INC_USE_COUNT;
-
-  if (locked)
-    return -1;
-  locked = TRUE;
-
-  return 0; /* success */
-}
-

-
-

-Then, dummy_release is called to release the lock on the
-device.  Finally, the loop is left and the call to
-unregister_chrdev results in a violation of the assertion
-(since usecount is still 1, even though locked=0). 
-

-
-
-
diff --git a/doc/html-manual/satabs-tutorials.shtml b/doc/html-manual/satabs-tutorials.shtml
deleted file mode 100644
index f842f6a30c..0000000000
--- a/doc/html-manual/satabs-tutorials.shtml
+++ /dev/null
@@ -1,25 +0,0 @@
-
-
-
CPROVER Manual TOC

-
-
SATABS – Predicate Abstraction with SAT

-
-
Tutorials

-
-

-We provide an introduction to model checking "real"
-C programs with SATABS using two small examples:
-

-
-
    
-
-
  • An example based on Linux device drivers.
-
    • 
-
-
  • An example based on a Mail Transfer Agent.
-
    • 
-
-
    
-
-
-
diff --git a/doc/html-manual/satabs.shtml b/doc/html-manual/satabs.shtml
deleted file mode 100644
index 8418012047..0000000000
--- a/doc/html-manual/satabs.shtml
+++ /dev/null
@@ -1,178 +0,0 @@
-
-
-
-
-
-
-
    CPROVER Manual TOC
    
-
-
    SATABS – Predicate Abstraction with SAT
    
-
-
    Overview
    
-
-
    
-This section describes SATABS from the point of view of the user. To learn
-about the technology implemented in SATABS, read this
-section.
-
    
-
-
    
-We assume you have already installed SATABS and the necessary support files
-on your system. If not so, please follow 
-these instructions.
-
    
-
-
    
-While users of SATABS
-almost never have to be concerned about the underlying refinement
-abstraction algorithms, understanding the classes of properties that 
-can be verified is crucial. Predicate abstraction is most effective
-when applied to control-flow dominated properties. As
-an example, reconsider the following program
-(lock-example-fixed.c):
-
    
-
-
    _Bool nondet_bool();
-_Bool LOCK = 0;
-
-_Bool lock() {
-  if(nondet_bool()) {
-    assert(!LOCK);
-    LOCK=1;
-    return 1; }
-
-  return 0;
-}
-
-void unlock() {
-  assert(LOCK);
-  LOCK=0;
-}
-
-int main() {
-  unsigned got_lock = 0;
-  int times;
-
-  while(times > 0) {
-    if(lock()) {
-      got_lock++;
-      /* critical section */
-    }
-
-    if(got_lock!=0) {
-      unlock();
-      got_lock--;
-    }
-
-    times--;
-} }
-
    
-
-
    
-The two assertions in the program model that the functions lock()
-and unlock() are called in the right order. Note that the value
-of times is chosen non-deterministically and is not bounded. The program has
-no run-time bound, and thus, unwinding the code with 
-CBMC will never terminate.
    
-
-
    Working with Claims
    
-
-
    
-The two assertions will give rise to two properties.
-Each property is associated to a specific line of code, i.e., a property is violated when
-some condition can become false at the corresponding program location.
-SATABS will generate a list of all properties for the programs as follows:
-
    
-
-
    
-
-satabs lock-example-fixed.c --show-properties
-
-
    
-
-
    SATABS will list two properties; each property corresponds to one of the
-two assertions. We can use SATABS to verify both properties
-as follows:
-
    
-
-
    
-
-satabs lock-example-fixed.c
-
-
    
-
-
    
-SATABS will conclude the verification successfully, that is, both
-assertions hold for execution traces of any length.
-
    
-
-
    
-By default, SATABS attempts to verify all properties at once.
-A single property can be verified (or refuted) by using the
---property id option of SATABS,
-where id denotes the identifier of the property in the list
-obtained by calling SATABS with the --show-properties flag. Whenever
-a property is violated, SATABS reports a feasible path that leads to a state
-in which the condition that corresponds to the violated property evaluates to
-false.
-
    
-
-
    Programs that use Libraries
    
-
-
    
-SATABS cannot check programs that use functions that are
-only available in binary (compiled) form (this restriction
-is not imposed by the verification algorithms that are used by SATABS –
-they also work on assembly code). The reason is simply that so far
-no assembly language frontend is available for SATABS. At the moment,
-(library) functions for which no C source code is available have to be
-replaced by stubs. The usage of stubs and harnesses (as known from unit 
-testing) also allows to check more complicated properties (like, for 
-example, whether function fopen is always called before
-fclose). This technique is explained in detail 
-in the SATABS tutorials.
-
    
-
-
    Unit Testing with SATABS
    
-
-
    
-The example presented here is obviously a
-toy example and can hardly be used to convince your project manager to use
-static verification in your next project.  Even though we recommend to use
-formal verification and specification already in the early phases of your
-project, the sad truth is that in most projects verification (of any kind)
-is still pushed to the very end of the development cycle.  Therefore, this
-section is dedicated to the verification of legacy code.  However, the
-techniques presented here can also be used for unit testing.
-
    
-
-
    
-Unit testing is used in most software development projects, and static
-verification with SATABS can be very well combined with this technique. 
-Unit testing relies on a number test cases that yield the desired code
-coverage.  Such test cases are implemented by a software testing engineer in
-terms of a test harness (aka test driver) and a set of function stubs. 
-Typically, a slight modification to the test harness allows it to be used
-with SATABS.  Replacing the explicit input values with non-deterministic
-inputs (as explained in here and
-here) guarantees that SATABS will try to
-achieve full path and state coverage (due to the fact that
-predicate abstraction implicitly detects equivalence classes).
-However, it is not guaranteed that SATABS terminates in all cases.
-Keep in mind that you must not make any assumptions about the
-validity of the properties if SATABS did not run to completion!
-
    
-
-
    
-
    Further Reading
    
-
-
    
-
-
diff --git a/src/doxyfile b/src/doxyfile
index 7d894c4e70..1929468b70 100644
--- a/src/doxyfile
+++ b/src/doxyfile
@@ -771,7 +771,7 @@ WARN_LOGFILE           =
 # spaces. See also FILE_PATTERNS and EXTENSION_MAPPING
 # Note: If this tag is empty the current directory is searched.
 
-INPUT                  = .
+INPUT                  = . ../doc
 
 # This tag can be used to specify the character encoding of the source files
 # that doxygen parses. Internally doxygen uses the UTF-8 encoding. Doxygen uses
@@ -797,7 +797,8 @@ INPUT_ENCODING         = UTF-8
 # *.vhd, *.vhdl, *.ucf, *.qsf, *.as and *.js.
 
 FILE_PATTERNS          = *.cpp \
-                         *.h
+                         *.h    \
+                         *.md
 
 # The RECURSIVE tag can be used to specify whether or not subdirectories should
 # be searched for input files as well.
@@ -846,7 +847,7 @@ EXCLUDE_SYMBOLS        =
 # that contain example code fragments that are included (see the \include
 # command).
 
-EXAMPLE_PATH           = 
+EXAMPLE_PATH           = ../doc/assets
 
 # If the value of the EXAMPLE_PATH tag contains directories, you can use the
 # EXAMPLE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp and
@@ -866,7 +867,7 @@ EXAMPLE_RECURSIVE      = NO
 # that contain images that are to be included in the documentation (see the
 # \image command).
 
-IMAGE_PATH             = 
+IMAGE_PATH             = ../doc/assets
 
 # The INPUT_FILTER tag can be used to specify a program that doxygen should
 # invoke to filter for each input file. Doxygen will invoke the filter program
@@ -922,7 +923,7 @@ FILTER_SOURCE_PATTERNS =
 # (index.html). This can be useful if you have a project on for instance GitHub
 # and want to reuse the introduction page also for the doxygen output.
 
-USE_MDFILE_AS_MAINPAGE = 
+USE_MDFILE_AS_MAINPAGE = ../doc/architectural/front-page.md
 
 #---------------------------------------------------------------------------
 # Configuration options related to source browsing

From f5be7f11903c94727db863f69851239ecbd22ecd Mon Sep 17 00:00:00 2001
From: Kareem Khazem 
Date: Wed, 5 Jul 2017 08:48:54 +0100
Subject: [PATCH 30/89] [docs 2/5] Remove empty module group documentation

Doxygen module groups that did not contain any documentation are removed
from the codebase. There are still a few module groups remaining, which
do contain useful content. This commit declutters the Doxygen Modules
section in preparation for a commit introducing per-directory module
documentation.
---
 src/ansi-c/ansi_c_language.h              | 5 -----
 src/cpp/cpp_language.h                    | 5 -----
 src/goto-programs/goto_program.h          | 1 -
 src/goto-programs/goto_program_template.h | 3 ---
 src/goto-programs/wp.h                    | 5 -----
 src/goto-symex/goto_symex.h               | 3 ---
 src/solvers/smt1/smt1_dec.h               | 3 ---
 src/solvers/smt2/smt2_dec.h               | 3 ---
 src/util/xml.h                            | 5 -----
 9 files changed, 33 deletions(-)

diff --git a/src/ansi-c/ansi_c_language.h b/src/ansi-c/ansi_c_language.h
index 45b7d6aaa3..89f8399b11 100644
--- a/src/ansi-c/ansi_c_language.h
+++ b/src/ansi-c/ansi_c_language.h
@@ -10,15 +10,10 @@ Author: Daniel Kroening, kroening@kroening.com
 #ifndef CPROVER_ANSI_C_ANSI_C_LANGUAGE_H
 #define CPROVER_ANSI_C_ANSI_C_LANGUAGE_H
 
-/*! \defgroup gr_ansi_c ANSI-C front-end */
-
 #include 
 
 #include "ansi_c_parse_tree.h"
 
-/*! \brief TO_BE_DOCUMENTED
-    \ingroup gr_ansi_c
-*/
 class ansi_c_languaget:public languaget
 {
 public:
diff --git a/src/cpp/cpp_language.h b/src/cpp/cpp_language.h
index 982e2e180c..5be4330da2 100644
--- a/src/cpp/cpp_language.h
+++ b/src/cpp/cpp_language.h
@@ -12,15 +12,10 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 #ifndef CPROVER_CPP_CPP_LANGUAGE_H
 #define CPROVER_CPP_CPP_LANGUAGE_H
 
-/*! \defgroup gr_cpp C++ front-end */
-
 #include 
 
 #include "cpp_parse_tree.h"
 
-/*! \brief TO_BE_DOCUMENTED
-    \ingroup gr_cpp
-*/
 class cpp_languaget:public languaget
 {
 public:
diff --git a/src/goto-programs/goto_program.h b/src/goto-programs/goto_program.h
index 8e96628395..622eb000fe 100644
--- a/src/goto-programs/goto_program.h
+++ b/src/goto-programs/goto_program.h
@@ -20,7 +20,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 /*! \brief A specialization of goto_program_templatet over
            goto programs in which instructions have codet type.
-    \ingroup gr_goto_programs
 */
 class goto_programt:public goto_program_templatet
 {
diff --git a/src/goto-programs/goto_program_template.h b/src/goto-programs/goto_program_template.h
index af121f7844..9b46dd2ba6 100644
--- a/src/goto-programs/goto_program_template.h
+++ b/src/goto-programs/goto_program_template.h
@@ -12,8 +12,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #ifndef CPROVER_GOTO_PROGRAMS_GOTO_PROGRAM_TEMPLATE_H
 #define CPROVER_GOTO_PROGRAMS_GOTO_PROGRAM_TEMPLATE_H
 
-/*! \defgroup gr_goto_programs Goto programs */
-
 #include 
 #include 
 #include 
@@ -53,7 +51,6 @@ std::ostream &operator<<(std::ostream &, goto_program_instruction_typet);
 
 /*! \brief A generic container class for a control flow graph
            for one function, in the form of a goto-program
-    \ingroup gr_goto_programs
 */
 template 
 class goto_program_templatet
diff --git a/src/goto-programs/wp.h b/src/goto-programs/wp.h
index 836832efbc..d967ce3dd0 100644
--- a/src/goto-programs/wp.h
+++ b/src/goto-programs/wp.h
@@ -16,16 +16,12 @@ class codet;
 class exprt;
 class namespacet;
 
-/*! \defgroup gr_wp Weakest precondition */
-
 /*! \brief Compute the weakest precondition of the given program
  * piece \a code with respect to the expression \a post.
  * \param code  Program
  * \param post  Postcondition
  * \param ns    Namespace
  * \return Weakest precondition
- *
- * \ingroup gr_wp
 */
 exprt wp(
   const codet &code,
@@ -34,7 +30,6 @@ exprt wp(
 
 /*! \brief approximate the non-deterministic choice
            in a way cheaper than by (proper) quantification
- * \ingroup gr_wp
 */
 
 void approximate_nondet(exprt &dest);
diff --git a/src/goto-symex/goto_symex.h b/src/goto-symex/goto_symex.h
index a9d428ae07..de4253f4dc 100644
--- a/src/goto-symex/goto_symex.h
+++ b/src/goto-symex/goto_symex.h
@@ -12,9 +12,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #ifndef CPROVER_GOTO_SYMEX_GOTO_SYMEX_H
 #define CPROVER_GOTO_SYMEX_GOTO_SYMEX_H
 
-/*! \defgroup goto_symex Symbolic execution of goto programs
-*/
-
 #include 
 #include 
 
diff --git a/src/solvers/smt1/smt1_dec.h b/src/solvers/smt1/smt1_dec.h
index 1eb20115fc..7d1c8e49e9 100644
--- a/src/solvers/smt1/smt1_dec.h
+++ b/src/solvers/smt1/smt1_dec.h
@@ -10,8 +10,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #ifndef CPROVER_SOLVERS_SMT1_SMT1_DEC_H
 #define CPROVER_SOLVERS_SMT1_SMT1_DEC_H
 
-/*! \defgroup gr_smt1 SMT-LIB 1.x Interface */
-
 #include 
 
 #include "smt1_conv.h"
@@ -28,7 +26,6 @@ protected:
 };
 
 /*! \brief Decision procedure interface for various SMT 1.x solvers
-    \ingroup gr_smt1
 */
 class smt1_dect:protected smt1_temp_filet, public smt1_convt
 {
diff --git a/src/solvers/smt2/smt2_dec.h b/src/solvers/smt2/smt2_dec.h
index b0806b4580..8770485e18 100644
--- a/src/solvers/smt2/smt2_dec.h
+++ b/src/solvers/smt2/smt2_dec.h
@@ -10,8 +10,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #ifndef CPROVER_SOLVERS_SMT2_SMT2_DEC_H
 #define CPROVER_SOLVERS_SMT2_SMT2_DEC_H
 
-/*! \defgroup gr_smt2 SMT-LIB 2.x Interface */
-
 #include 
 
 #include "smt2_conv.h"
@@ -33,7 +31,6 @@ protected:
 };
 
 /*! \brief Decision procedure interface for various SMT 2.x solvers
-    \ingroup gr_smt2
 */
 class smt2_dect:protected smt2_stringstreamt, public smt2_convt
 {
diff --git a/src/util/xml.h b/src/util/xml.h
index fdc1b2a604..28a52f59c3 100644
--- a/src/util/xml.h
+++ b/src/util/xml.h
@@ -15,11 +15,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-/*! \defgroup gr_xml XML file processing */
-
-/*! \brief TO_BE_DOCUMENTED
-    \ingroup xml
-*/
 class xmlt
 {
 public:

From 3a58226cf40df6421d1fc30251dae9ca7a31f74f Mon Sep 17 00:00:00 2001
From: Kareem Khazem 
Date: Wed, 5 Jul 2017 08:51:42 +0100
Subject: [PATCH 31/89] [docs 3/5] Add per-directory high-level docs

This commit introduces a module.md file for several CProver directories.
Each of these is turned into a page under the Modules section in the
generated Doxygen documentation.

The intention is that developers wishing to contribute to one specific
aspect of CProver can get a high-level architectural overview of a
particular directory; the documentation describes the input to and
output from that directory, and introduces the main classes or entry
points.

By way of a "table of contents," the file cbmc/module.md contains a
diagram describing how each of the directories is invoked by CBMC in
order, and the nodes of the diagram hyperlink to the appropriate
documentation. The intention is that developers wishing to contribute to
CBMC as a whole can understand the entire process, from source files to
bug reports and counterexample production.

This documentation is derived from Mark Tuttle's notes on a talk given
by Michael Tautschnig.
---
 doc/architectural/front-page.md  |  15 +-
 src/ansi-c/module.md             | 114 +++++++++++++
 src/cbmc/module.md               |  47 ++++++
 src/goto-programs/module.md      | 273 +++++++++++++++++++++++++++++++
 src/goto-symex/module.md         |  44 +++++
 src/solvers/module.md            |  49 ++++++
 src/util/command-line-parsing.md |  14 ++
 7 files changed, 554 insertions(+), 2 deletions(-)
 create mode 100644 src/ansi-c/module.md
 create mode 100644 src/cbmc/module.md
 create mode 100644 src/goto-programs/module.md
 create mode 100644 src/goto-symex/module.md
 create mode 100644 src/solvers/module.md
 create mode 100644 src/util/command-line-parsing.md

diff --git a/doc/architectural/front-page.md b/doc/architectural/front-page.md
index 4a75c82bbb..9c2ec836d6 100644
--- a/doc/architectural/front-page.md
+++ b/doc/architectural/front-page.md
@@ -1,8 +1,11 @@
 CProver Documentation
 =====================
 
-These pages contain both user tutorials and automatically-generated API
-documentation. Users can download CProver tools from the
+\author Kareem Khazem
+
+These pages contain user tutorials, automatically-generated API
+documentation, and higher-level architectural overviews for the
+CProver codebase. Users can download CProver tools from the
 CProver website; contributors
 should use the repository
 hosted on GitHub.
@@ -21,4 +24,12 @@ hosted on GitHub.
   members in the search bar at top-right or use one of the links in the
   sidebar.
 
+* For higher-level architectural information, each of the pages under
+  the "Modules" link in the sidebar gives an overview of a directory in
+  the CProver codebase.
+
+* The \ref module_cbmc "CBMC guided tour" is a good start for new
+  contributors to CBMC. It describes the stages through which CBMC
+  transforms source files into bug reports and counterexamples, linking
+  to the relevant documentation for each stage.
 \defgroup module_hidden _hidden
diff --git a/src/ansi-c/module.md b/src/ansi-c/module.md
new file mode 100644
index 0000000000..db72087f4d
--- /dev/null
+++ b/src/ansi-c/module.md
@@ -0,0 +1,114 @@
+\ingroup module_hidden
+\defgroup module_ansi-c ANSI-C Language Front-end
+
+\author Kareem Khazem
+
+\section preprocessing Preprocessing & Parsing
+
+In the \ref ansi-c and \ref java_bytecode directories
+
+**Key classes:**
+* \ref languaget and its subclasses
+* ansi_c_parse_treet
+
+\dot
+digraph G {
+  node [shape=box];
+  rankdir="LR";
+  1 [shape=none, label=""];
+  2 [label="preprocessing & parsing"];
+  3 [shape=none, label=""];
+  1 -> 2 [label="Command line options, file names"];
+  2 -> 3 [label="Parse tree"];
+}
+\enddot
+
+
+
+---
+\section type-checking Type-checking
+
+In the \ref ansi-c and \ref java_bytecode directories.
+
+**Key classes:**
+* \ref languaget and its subclasses
+* \ref irept
+* \ref irep_idt
+* \ref symbolt
+* symbol_tablet
+
+\dot
+digraph G {
+  node [shape=box];
+  rankdir="LR";
+  1 [shape=none, label=""];
+  2 [label="type checking"];
+  3 [shape=none, label=""];
+  1 -> 2 [label="Parse tree"];
+  2 -> 3 [label="Symbol table"];
+}
+\enddot
+
+This stage generates a symbol table, mapping identifiers to symbols;
+\ref symbolt "symbols" are tuples of (value, type, location, flags).
+
+This is a good point to introduce the \ref irept ("internal
+representation") class---the base type of many of CBMC's hierarchical
+data structures. In particular, \ref exprt "expressions",
+\ref typet "types" and \ref codet "statements" are all subtypes of
+\ref irept.
+An irep is a tree of ireps. A subtlety is that an irep is actually the
+root of _three_ (possibly empty) trees, i.e. it has three disjoint sets
+of children: \ref irept::get_sub() returns a list of children, and
+\ref irept::get_named_sub() and \ref irept::get_comments() each return an
+association from names to children. **Most clients never use these
+functions directly**, as subtypes of irept generally provide more
+descriptive functions. For example, the operands of an
+\ref exprt "expression" (\ref exprt::op0() "op0", op1 etc) are
+really that expression's children; the
+\ref code_assignt::lhs() "left-hand" and right-hand side of an
+\ref code_assignt "assignment" are the children of that assignment.
+The \ref irept::pretty() function provides a descriptive string
+representation of an irep.
+
+\ref irep_idt "irep_idts" ("identifiers") are strings that use sharing
+to improve memory consumption. A common pattern is a map from irep_idts
+to ireps. A goto-program contains a single symbol table (with a single
+scope), meaning that the names of identifiers in the target program are
+lightly mangled in order to make them globally unique. If there is an
+identifier `foo` in the target program, the `name` field of `foo`'s
+\ref symbolt "symbol" in the goto-program will be
+* `foo` if it is global;
+* bar\::foo if it is a parameter to a function `bar()`;
+* bar\::3\::foo if it is a local variable in a function
+  `bar()`, where `3` is a counter that is incremented every time a
+  newly-scoped `foo` is encountered in that function.
+
+The use of *sharing* to save memory is a pervasive design decision in
+the implementation of ireps and identifiers. Sharing makes equality
+comparisons fast (as there is no need to traverse entire trees), and
+this is especially important given the large number of map lookups
+throughout the codebase. More importantly, the use of sharing saves vast
+amounts of memory, as there is plenty of duplication within the
+goto-program data structures. For example, every statement, and every
+sub-expression of a statement, contains a \ref source_locationt
+that indicates the source file and location that it came from. Every
+symbol in every expression has a field indicating its type and location;
+etc. Although each of these are constructed as separate objects, the
+values that they eventually point to are shared throughout the codebase,
+decreasing memory consumption dramatically.
+
+The Type Checking stage turns a parse tree into a
+\ref symbol_tablet "symbol table". In this context, the 'symbols'
+consist of code statements as well as what might more traditionally be
+called symbols. Thus, for example:
+* The statement `int foo = 11;` is converted into a symbol whose type is
+  integer_typet and value is the \ref constant_exprt
+  "constant expression" `11`; that symbol is stored in the symbol table
+  using the mangled name of `foo` as the key;
+* The function definition `void foo(){ int x = 11; bar(); }` is
+  converted into a symbol whose type is \ref code_typet (not to be
+  confused with \ref typet or \ref codet!); the code_typet contains the
+  parameter and return types of the function. The value of the symbol is
+  the function's body (a \ref codet), and the symbol is stored in the
+  symbol table with `foo` as the key.
diff --git a/src/cbmc/module.md b/src/cbmc/module.md
new file mode 100644
index 0000000000..d2dcb75b4b
--- /dev/null
+++ b/src/cbmc/module.md
@@ -0,0 +1,47 @@
+\ingroup module_hidden
+\defgroup module_cbmc CBMC tour
+
+\author Kareem Khazem
+
+CBMC takes C code or a goto-binary as input and tries to emit traces of
+executions that lead to crashes or undefined behaviour. The diagram
+below shows the intermediate steps in this process.
+
+
+\dot
+digraph G {
+
+  rankdir="TB";
+  node [shape=box, fontcolor=blue];
+
+  subgraph top {
+    rank=same;
+    1 -> 2 -> 3 -> 4;
+  }
+
+  subgraph bottom {
+    rank=same;
+    5 -> 6 -> 7 -> 8 -> 9;
+  }
+
+  /* shift bottom subgraph over */
+  9 -> 1 [color=white];
+
+  4 -> 5;
+
+  1 [label="command line\nparsing" URL="\ref cbmc_parse_optionst"];
+  2 [label="preprocessing,\nparsing" URL="\ref preprocessing"];
+  3 [label="language\ntype-checking" URL="\ref type-checking"];
+  4 [label="goto\nconversion" URL="\ref goto-conversion"];
+  5 [label="instrumentation" URL="\ref instrumentation"];
+  6 [label="symbolic\nexecution" URL="\ref symbolic-execution"];
+  7 [label="SAT/SMT\nencoding" URL="\ref sat-smt-encoding"];
+  8 [label="decision\nprocedure" URL="\ref decision-procedure"];
+  9 [label="counter example\nproduction" URL="\ref counter-example-production"];
+}
+\enddot
+
+The \ref cprover-manual "CProver Manual" describes CBMC from a user
+perspective. Each node in the diagram above links to the appropriate
+class or module documentation, describing that particular stage in the
+CBMC pipeline.
diff --git a/src/goto-programs/module.md b/src/goto-programs/module.md
new file mode 100644
index 0000000000..f1224d4649
--- /dev/null
+++ b/src/goto-programs/module.md
@@ -0,0 +1,273 @@
+\ingroup module_hidden
+\defgroup module_goto-programs Goto Conversion & Instrumentation
+
+\author Kareem Khazem
+
+\section goto-conversion Goto Conversion
+
+In the \ref goto-programs directory.
+
+**Key classes:**
+* goto_programt
+* goto_functionst
+* \ref goto_program_templatet::instructiont
+
+\dot
+digraph G {
+  node [shape=box];
+  rankdir="LR";
+  1 [shape=none, label=""];
+  2 [label="goto conversion"];
+  3 [shape=none, label=""];
+  1 -> 2 [label="Symbol table"];
+  2 -> 3 [label="goto-programs, goto-functions, symbol table"];
+}
+\enddot
+
+At this stage, CBMC constructs a goto-program from a symbol table. It
+does not use the parse tree or the source file at all for this step. This
+may seem surprising, because the symbols are stored in a hash table and
+therefore have no intrinsic order; nevertheless, every \ref symbolt is
+associated with a \ref source_locationt, allowing CBMC to figure out the
+lexical order.
+
+The structure of what is informally called a goto-program follows.  The
+entire target program is converted to a single \ref goto_functionst
+object. The goto functions contains a set of \ref goto_programt objects;
+each of these correspond to a "function" or "method" in the target
+program. Each goto_program contains a list of
+\ref goto_program_templatet::instructiont "instructions"; each
+instruction contains an associated statement---these are subtypes of
+\ref codet. Each instruction also contains a "target", which will be
+empty for now.
+
+\dot
+digraph G{
+  graph [nojustify=true];
+  node [shape=box];
+  compound=true;
+
+  subgraph cluster_src {
+    1 [shape="none", label="source files"];
+    2 [label="file1.c\n-----------\nint main(){
+  int x = 5;
+  if(x > 7){
+    x = 9; } }
+
+void foo(){}"];
+  1 -> 2 [color=white];
+
+    100 [label="file2.c\n--------\nchar bar(){ }"];
+    2 -> 100 [color=white];
+  }
+
+  1 -> 3 [label="corresponds to", lhead=cluster_goto,
+  ltail=cluster_src];
+
+  subgraph cluster_goto {
+    3 [label="a\ngoto_functionst", URL="\ref goto_functionst", shape=none];
+    4 [label="function_map\n(a map from irep_idt\nto goto_programt)"];
+  }
+  4 -> 5 [lhead=cluster_funmap, label="value:"];
+
+  subgraph cluster_funmap {
+    9 [label="bar\n(an irep_idt)", URL="\ref irep_idt"];
+   10 [label="a goto_programt", URL="\ref goto_programt"];
+    9->10 [label="maps to"];
+
+    5 [label="main\n(an irep_idt)", URL="\ref irep_idt"];
+
+    7 [label="foo\n(an irep_idt)", URL="\ref irep_idt"];
+    8 [label="a goto_programt", URL="\ref goto_programt"];
+    7->8 [label="maps to"];
+
+    subgraph cluster_goto_program {
+     11 [shape=none, label="a\ngoto_programt", URL="\ref goto_programt"];
+     12 [label="instructions\n(a list of instructiont)"];
+    }
+    5 -> 11 [lhead=cluster_goto_program, label="maps to:"];
+
+  }
+
+  12 -> target1 [lhead=cluster_instructions];
+
+  subgraph cluster_instructions {
+    subgraph cluster_ins1{
+      code1 [label="code", URL="\ref codet"];
+      target1 [label="target"];
+    }
+
+    target1 -> target2 [color=white,lhead=cluster_ins2,
+    ltail=cluster_ins1];
+
+    subgraph cluster_ins2{
+      code2 [label="code", URL="\ref codet"];
+      target2 [label="target"];
+    }
+
+    target2 -> target3 [color=white,lhead=cluster_ins3,
+    ltail=cluster_ins2];
+
+    subgraph cluster_ins3{
+      code3 [label="code", URL="\ref codet"];
+      target3 [label="target"];
+    }
+
+    target3 -> target4 [color=white,lhead=cluster_ins4,
+    ltail=cluster_ins3];
+
+    subgraph cluster_ins4{
+      code4 [label="code", URL="\ref codet"];
+      target4 [label="target"];
+    }
+
+  }
+
+  subgraph cluster_decl {
+    decl1 [label="type:\ncode_declt", URL="\ref code_declt",
+           shape=none];
+    subgraph cluster_decl_in{
+      cluster_decl_in_1 [label="symbol()", shape=none];
+      cluster_decl_in_2 [label="x"];
+      cluster_decl_in_1 -> cluster_decl_in_2 [color=white];
+    }
+    decl1 -> cluster_decl_in_1 [lhead="cluster_decl_in", color=white];
+  }
+  code1 -> decl1 [lhead=cluster_decl];
+
+  subgraph cluster_assign1 {
+    assign1 [label="type:\ncode_assignt", URL="\ref code_assignt",
+           shape=none];
+    subgraph cluster_assign1_in{
+      cluster_assign1_in_1 [label="lhs()", shape=none];
+      cluster_assign1_in_2 [label="x"];
+      cluster_assign1_in_1 -> cluster_assign1_in_2 [color=white];
+
+      cluster_assign1_in_3 [label="rhs()", shape=none];
+      cluster_assign1_in_4 [label="5"];
+      cluster_assign1_in_3 -> cluster_assign1_in_4 [color=white];
+    }
+    assign1 -> cluster_assign1_in_1 [lhead="cluster_assign1_in", color=white];
+  }
+  code2 -> assign1 [lhead=cluster_assign1];
+
+  subgraph cluster_if {
+    if [label="type:\ncode_ifthenelset", URL="\ref code_ifthenelset",
+           shape=none];
+    if_body [label="..."];
+    if -> if_body [color=white];
+  }
+  code3 -> if [lhead=cluster_if];
+
+  subgraph cluster_assign2 {
+    assign2 [label="type:\ncode_assignt", URL="\ref code_assignt",
+           shape=none];
+    subgraph cluster_assign2_in{
+      cluster_assign2_in_1 [label="lhs()", shape=none];
+      cluster_assign2_in_2 [label="x"];
+      cluster_assign2_in_1 -> cluster_assign2_in_2 [color=white];
+
+      cluster_assign2_in_3 [label="rhs()", shape=none];
+      cluster_assign2_in_4 [label="9"];
+      cluster_assign2_in_3 -> cluster_assign2_in_4 [color=white];
+    }
+    assign2 -> cluster_assign2_in_1 [lhead="cluster_assign2_in", color=white];
+  }
+  code4 -> assign2 [lhead=cluster_assign2];
+
+}
+\enddot
+
+This is not the final form of the goto-functions, since the lists of
+instructions will be 'normalized' in the next step (Instrumentation),
+which removes some instructions and adds targets to others.
+
+Note that goto_programt and goto_functionst are each template
+instantiations; they are currently the *only* specialization of
+goto_program_templatet and goto_functions_templatet, respectively. This
+means that the generated Doxygen documentation can be somewhat obtuse
+about the actual types of things, and is unable to generate links to the
+correct classes. Note that the
+\ref goto_program_templatet::instructiont::code "code" member of a
+goto_programt's instruction has type \ref codet (its type in the
+goto_program_templatet documentation is given as "codeT", as this is the
+name of the template's type parameter); similarly, the type of a guard
+of an instruction is \ref guardt.
+
+---
+\section instrumentation Instrumentation
+
+In the \ref goto-programs directory.
+
+**Key classes:**
+* goto_programt
+* goto_functionst
+* \ref goto_program_templatet::instructiont
+
+\dot
+digraph G {
+  node [shape=box];
+  rankdir="LR";
+  1 [shape=none, label=""];
+  2 [label="goto conversion"];
+  3 [shape=none, label=""];
+  1 -> 2 [label="goto-programs, goto-functions, symbol table"];
+  2 -> 3 [label="transformed goto-programs"];
+}
+\enddot
+
+This stage applies several transformations to the goto-programs from the
+previous stage:
+
+* The diagram in the previous stage showed a goto_programt with four
+  instructions, but real programs usually yield instruction lists that
+  are littered with \ref code_skipt "skip" statements. The
+  instrumentation stage removes the majority of these.
+
+* Function pointers are removed. They are turned into switch statements
+  (but see the next point; switch statements are further transformed).
+
+* Compound blocks are eliminated. There are several subclasses of
+  \ref codet that count as 'compound blocks;' therefore, later stages in
+  the CBMC pipeline that switch over the codet subtype of a particular
+  instruction should not need to consider these types. In particular:
+
+  * code_ifthenelset is turned into GOTOs. In particular, the bodies of
+    the conditionals are flattened into lists of instructions, inline
+    with the rest of the instruction in the goto_programt. The guard of
+    the conditional is placed onto the
+    \ref goto_program_templatet::instructiont::guard "guard" member of
+    an instruction whose code member is of type \ref code_gotot. The
+    \ref goto_program_templatet::instructiont::targets "targets" member
+    of that instruction points to the appropriate branch of the
+    conditional. (Note that although instructions have a list of
+    targets, in practice an instruction should only ever have at most
+    one target; you should check this invariant with an assertion if you
+    rely on it).
+
+    The order of instructions in a list of instructions---as well as the
+    targets of GOTOs---are both displayed as arrows when viewing a
+    goto-program as a Graphviz DOT file with `goto-instrument --dot`.
+    The semantics of a goto-program is: the next instruction is the next
+    instruction in the list, unless the current instruction has a
+    target; in that case, check the guard of the instruction, and jump
+    to the target if the guard evaluates to true.
+
+  * switch statements, for and while loops, and try-catches are also
+    transformed into lists of instructions guarded by GOTOs.
+
+  * \ref code_blockt "code blocks" are transformed into lists of
+    instructions.
+
+* \ref code_returnt "return statements" are transformed into
+  (unconditional) GOTOs whose target is the \ref END_FUNCTION
+  instruction. Each goto_programt should have precisely one such
+  instruction. Note the presence of \ref code_deadt, which has a
+  \ref code_deadt::symbol() "symbol()" member. Deads mark symbols that
+  have just gone out of scope; typically, a GOTO that jumps to an
+  END_FUNCTION instruction is preceded by a series of deads. Deads also
+  follow sequences of instructions that were part of the body of a
+  block (loop, conditional etc.) if there were symbols declared in that
+  block.
+
+This stage concludes the *analysis-independent* program transformations.
diff --git a/src/goto-symex/module.md b/src/goto-symex/module.md
new file mode 100644
index 0000000000..6c8321ce33
--- /dev/null
+++ b/src/goto-symex/module.md
@@ -0,0 +1,44 @@
+\ingroup module_hidden
+\defgroup module_goto-symex Symbolic Execution & Counterexample Production
+
+\author Kareem Khazem
+
+**Key classes:**
+* goto_symex_statet
+* goto_symext
+
+\dot
+digraph G {
+	node [shape=box];
+	rankdir="LR";
+	1 [shape=none, label=""];
+	2 [label="goto conversion"];
+	3 [shape=none, label=""];
+	1 -> 2 [label="goto-programs, goto-functions, symbol table"];
+	2 -> 3 [label="equations"];
+}
+\enddot
+
+---
+\section counter-example-production Counter Example Production
+
+In the \ref goto-symex directory.
+
+**Key classes:**
+* symex_target_equationt
+* prop_convt
+* \ref bmct
+* fault_localizationt
+* counterexample_beautificationt
+
+\dot
+digraph G {
+  node [shape=box];
+  rankdir="LR";
+  1 [shape=none, label=""];
+  2 [label="goto conversion"];
+  3 [shape=none, label=""];
+  1 -> 2 [label="solutions"];
+  2 -> 3 [label="counter-examples"];
+}
+\enddot
diff --git a/src/solvers/module.md b/src/solvers/module.md
new file mode 100644
index 0000000000..98eeae6719
--- /dev/null
+++ b/src/solvers/module.md
@@ -0,0 +1,49 @@
+\ingroup module_hidden
+\defgroup module_solvers SAT/SMT Encoding and Decision Procedure
+
+\author Kareem Khazem
+
+\section sat-smt-encoding SAT/SMT Encoding
+
+In the \ref solvers directory.
+
+**Key classes:**
+* \ref literalt
+* \ref boolbvt
+* \ref propt
+
+\dot
+digraph G {
+	node [shape=box];
+	rankdir="LR";
+	1 [shape=none, label=""];
+	2 [label="goto conversion"];
+	3 [shape=none, label=""];
+	1 -> 2 [label="equations"];
+	2 -> 3 [label="propositional variables as bitvectors, constraints"];
+}
+\enddot
+
+
+---
+
+\section decision-procedure Decision Procedure
+
+In the \ref solvers directory.
+
+**Key classes:**
+* symex_target_equationt
+* \ref propt
+* \ref bmct
+
+\dot
+digraph G {
+	node [shape=box];
+	rankdir="LR";
+	1 [shape=none, label=""];
+	2 [label="goto conversion"];
+	3 [shape=none, label=""];
+	1 -> 2 [label="propositional variables as bitvectors, constraints"];
+	2 -> 3 [label="solutions"];
+}
+\enddot
diff --git a/src/util/command-line-parsing.md b/src/util/command-line-parsing.md
new file mode 100644
index 0000000000..3e9f803ed0
--- /dev/null
+++ b/src/util/command-line-parsing.md
@@ -0,0 +1,14 @@
+\ingroup module_hidden
+\defgroup module_command-line-parsing Command Line Parsing
+
+\dot
+digraph G {
+  node [shape=box];
+  rankdir="LR";
+  1 [shape=none, label=""];
+  2 [label="command line parsing"];
+  3 [shape=none, label=""];
+  1 -> 2 [label="C files or goto-binaries"];
+  2 -> 3 [label="Command line options, file names"];
+}
+\enddot

From d86ede0f4ba38776955ae12319d9c07e629467b6 Mon Sep 17 00:00:00 2001
From: Kareem Khazem 
Date: Wed, 5 Jul 2017 08:59:34 +0100
Subject: [PATCH 32/89] [docs 4/5] Add CBMC hacking tutorial

A practical tutorial on getting started with CProver development is
added and linked to from the front page. The tutorial contains an
overview of the codebase and a few preliminary programming exercises,
intended to give would-be CProver contributors an introduction to the
key data structures used throughout the codebase.
---
 doc/architectural/front-page.md |   6 +
 doc/architectural/howto.md      | 243 ++++++++++++++++++++++++++++++++
 2 files changed, 249 insertions(+)
 create mode 100644 doc/architectural/howto.md

diff --git a/doc/architectural/front-page.md b/doc/architectural/front-page.md
index 9c2ec836d6..f978dfe88d 100644
--- a/doc/architectural/front-page.md
+++ b/doc/architectural/front-page.md
@@ -32,4 +32,10 @@ hosted on GitHub.
   contributors to CBMC. It describes the stages through which CBMC
   transforms source files into bug reports and counterexamples, linking
   to the relevant documentation for each stage.
+
+* The \subpage cbmc-hacking "CBMC hacking HOWTO" helps new contributors
+  to CProver to get their feet wet through a series of programming
+  exercises---mostly modifying goto-instrument, and thus learning to
+  manipulate the main data structures used within CBMC.
+
 \defgroup module_hidden _hidden
diff --git a/doc/architectural/howto.md b/doc/architectural/howto.md
new file mode 100644
index 0000000000..5eee0f0058
--- /dev/null
+++ b/doc/architectural/howto.md
@@ -0,0 +1,243 @@
+\ingroup module_hidden
+\page cbmc-hacking CBMC Hacking HOWTO
+
+\author Kareem Khazem
+
+This is an introduction to hacking on the `cprover` codebase.  It is not
+intended as a user guide to `CBMC` or related tools.  It is structured
+as a series of programming exercises that aim to acclimatise the reader
+to the basic data structures and workflow needed for contributing to
+`CBMC`.
+
+
+## Initial setup
+
+Clone the [CBMC repository][cbmc-repo] and build it:
+
+    git clone https://github.com/diffblue/cbmc.git
+    cd cbmc/src
+    make minisat2-download
+    make
+
+Ensure that [graphviz][graphviz] is installed on your system (in
+particular, you should be able to run a program called `dot`).  Install
+[Doxygen][doxygen] and generate doxygen documentation:
+
+    # In the src directory
+    doxygen doxyfile
+    # View the documentation in a web browser
+    firefox doxy/html/index.html
+
+If you've never used doxygen documentation before, get familiar with the
+layout.  Open the generated HTML page in a web browser; search for the
+class `goto_programt` in the search bar, and jump to the documentation
+for that class; and read through the copious documentation.
+
+The build writes executable programs into several of the source
+directories.  In this tutorial, we'll be using binaries inside the
+`cbmc`, `goto-instrument`, and `goto-cc` directories.  Add these
+directories to your `$PATH`:
+
+    # Assuming you cloned CBMC into ~/code
+    export PATH=~/code/cbmc/src/goto-instrument:~/code/cbmc/src/goto-cc:~/code/cbmc/src/cbmc:$PATH
+    # Add to your shell's startup configuration file so that you don't have to run that command every time.
+    echo 'export PATH=~/code/cbmc/src/goto-instrument:~/code/cbmc/src/goto-cc:~/code/cbmc/src/cbmc:$PATH' >> .bashrc
+
+Optional: install an image viewer that can read images on stdin.
+I use [feh][feh].
+
+[cbmc-repo]:  https://github.com/diffblue/cbmc/
+[doxygen]:    http://www.stack.nl/~dimitri/doxygen/
+[graphviz]:   http://www.graphviz.org/
+[feh]:        https://feh.finalrewind.org/
+
+
+
+## Whirlwind tour of the tools
+
+CBMC's code is located under the `cbmc` directory.  Even if you plan to
+contribute only to CBMC, it is important to be familiar with several
+other of cprover's auxiliary tools.
+
+
+### Compiling with `goto-cc`
+
+There should be an executable file called `goto-cc` in the `goto-cc`
+directory; make a symbolic link to it called `goto-gcc`:
+
+    cd cbmc/src/goto-cc
+    ln -s "$(pwd)/goto-cc" goto-gcc
+
+Find or write a moderately-interesting C program; we'll call it `main.c`.
+Run the following commands:
+
+    goto-gcc -o main.goto main.c
+    cc -o main.exe main.c
+
+Invoke `./main.goto` and `./main.exe` and observe that they run identically.
+The version that was compiled with `goto-gcc` is larger, though:
+
+    du -hs *.{goto,exe}
+
+Programs compiled with `goto-gcc` are mostly identical to their `clang`-
+or `gcc`-compiled counterparts, but contain additional object code in
+cprover's intermediate representation.  The intermediate representation
+is (informally) called a *goto-program*.
+
+
+### Viewing goto-programs
+
+`goto-instrument` is a Swiss army knife for viewing goto-programs and
+performing single program analyses on them.  Run the following command:
+
+    goto-instrument --show-goto-functions main.goto
+
+Many of the instructions in the goto-program intermediate representation
+are similar to their C counterparts.  `if` and `goto` statements replace
+structured programming constructs.
+
+Find or write a small C program (2 or 3 functions, each containing a few
+varied statements).  Compile it using `goto-gcc` as above into an object
+file called `main`.  If you installed `feh`, try the following command
+to dump a control-flow graph:
+
+    goto-instrument --dot main | tail -n +2 | dot -Tpng | feh -
+
+If you didn't install `feh`, you can write the diagram to the file and
+then view it:
+
+    goto-instrument --dot main | tail -n +2 | dot -Tpng > main.png
+    Now open main.png with an image viewer
+
+(the invocation of `tail` is used to filter out the first line of
+`goto-instrument` output.  If `goto-instrument` writes more or less
+debug output by the time you read this, read the output of
+`goto-instrument --dot main` and change the invocation of `tail`
+accordingly.)
+
+There are a few other views of goto-programs.  Run `goto-instrument -h`
+and try the various switches under the "Diagnosis" section.
+
+
+
+## Learning about goto-programs
+
+In this section, you will learn about the basic goto-program data
+structures.  Reading from and manipulating these data structures form
+the core of writing an analysis for CBMC.
+
+
+### First steps with `goto-instrument`
+
+
    
+**Task:** Write a simple C program with a few functions, each containing
+a few statements.  Compile the program with `goto-gcc` into a binary
+called `main`.
+
    
+
+
+The entry point of `goto-instrument` is in `goto_instrument_main.cpp`.
+Follow the control flow into `goto_instrument_parse_optionst::doit()`, located in `goto_instrument_parse_options.cpp`.
+At some point in that function, there will be a long sequence of `if` statements.
+
+
    
+**Task:** Add a `--greet` switch to `goto-instrument`, taking an optional
+argument, with the following behaviour:
+
+    $ goto-instrument --greet main
+    hello, world!
+    $ goto-instrument --greet Leperina main
+    hello, Leperina!
+
+You will also need to add the `greet` option to the
+`goto_instrument_parse_options.h` file in order for this to work.
+Notice that in the `.h` file, options that take an argument are followed
+by a colon (like `(property):`), while simple switches have no colon.
+Make sure that you `return 0;` after printing the message.
+
    
+
+The idea behind `goto-instrument` is that it parses a goto-program and
+then performs one single analysis on that goto-program, and then
+returns.  Each of the switches in  `doit` function of
+`goto_instrument_parse_options` does something different with the
+goto-program that was supplied on the command line.
+
+
+### Goto-program basics
+
+At this point in `goto-instrument_parse_options` (where the `if`
+statements are), the goto-program will have been loaded into the object
+`goto_functions`, of type `goto_functionst`.  This has a field called
+`function_map`, a map from function names to functions.
+
+
+
    
+**Task:** Add a `--print-function-names` switch to `goto-instrument`
+that prints out the name of every function in the goto-binary.  Are
+there any functions that you didn't expect to see?
+
    
+
+The following is quite difficult to follow from doxygen, but: the value
+type of `function_map` is `goto_function_templatet`.
+
+
+
    
+**Task:** Read the documentation for `goto_function_templatet`
+and `goto_programt`.
+
    
+
+Each goto_programt object contains a list of
+\ref goto_program_templatet::instructiont called
+`instructions`.  Each instruction has a field called `code`, which has
+type \ref codet.
+
+
    
+**Task:** Add a `--pretty-program` switch to `goto-instrument`.  This
+switch should use the `codet::pretty()` function to pretty-print every
+\ref codet in the entire program.  The strings that `pretty()` generates
+for a codet look like this:
+
+    index
+      * type: unsignedbv
+          * width: 8
+          * #c_type: char
+      0: symbol
+          * type: array
+              * size: nil
+                  * type: 
+              * #source_location: 
+                * file: src/main.c
+                * line: 18
+                * function: 
+                * working_directory: /some/dir
+              0: unsignedbv
+                  * width: 8
+                  * #c_type: char
+    ...
+
    
+
+The sub-nodes of a particular node in the pretty representation are
+numbered, starting from 0.  They can be accessed through the `op0()`,
+`op1()` and `op2()` methods in the `exprt` class.
+
+Every node in the pretty representation has an identifier, accessed
+through the `id()` function.  The file `util/irep_ids.def` lists the
+possible values of these identifiers; have a quick scan through that
+file.  In the pretty representation above, the following facts are true
+of that particular node:
+
+  - `node.id() == ID_index`
+  - `node.type().id() == ID_unsignedbv`
+  - `node.op0().id() == ID_symbol`
+  - `node.op0().type().id() == ID_array`
+
+The fact that the `op0()` child has a `symbol` ID menas that you could
+cast it to a `symbol_exprt` (which is a subtype of `exprt`) using the
+function `to_symbol_expr`.
+
+
    
+**Task:** Add flags to `goto-instrument` to print out the following information:
+* the name of every function that is *called* in the program;
+* the value of every constant in the program;
+* the value of every symbol in the program.
+
    

From 58f6dde12c278960f9103d93f7216fc91d8e5db3 Mon Sep 17 00:00:00 2001
From: Kareem Khazem 
Date: Wed, 5 Jul 2017 13:50:24 +0100
Subject: [PATCH 33/89] [docs 5/5] Convert CBMC Guide to Markdown

The CBMC Guide (previously a TeX file) is now part of the Doxygen
codebase.
---
 doc/architectural/cbmc-guide.md | 601 +++++++++++++++++++++++++++
 doc/architectural/front-page.md |   5 +
 doc/guide/CBMC-guide.tex        | 714 --------------------------------
 3 files changed, 606 insertions(+), 714 deletions(-)
 create mode 100644 doc/architectural/cbmc-guide.md
 delete mode 100644 doc/guide/CBMC-guide.tex

diff --git a/doc/architectural/cbmc-guide.md b/doc/architectural/cbmc-guide.md
new file mode 100644
index 0000000000..ccbf0068ce
--- /dev/null
+++ b/doc/architectural/cbmc-guide.md
@@ -0,0 +1,601 @@
+\ingroup module_hidden
+\page cbmc-guide CBMC Guide
+
+\author Martin Brain
+
+Background Information
+======================
+
+First off; read the \ref cprover-manual "CProver Manual". It describes
+how to get, build and use CBMC and SATABS. This document covers the
+internals of the system and how to get started on development.
+
+Documentation
+-------------
+
+Apart from the (user-orientated) CPROVER manual and this document, most
+of the rest of the documentation is inline in the code as `doxygen` and
+some comments. A man page for CBMC, goto-cc and goto-instrument is
+contained in the `doc/` directory and gives some options for these
+tools. All of these could be improved and patches are very welcome. In
+some cases the algorithms used are described in the relevant papers.
+
+Architecture
+------------
+
+CPROVER is structured in a similar fashion to a compiler. It has
+language specific front-ends which perform limited syntactic analysis
+and then convert to an intermediate format. The intermediate format can
+be output to files (this is what `goto-cc` does) and are (informally)
+referred to as “goto binaries” or “goto programs”. The back-end are
+tools process this format, either directly from the front-end or from
+it’s saved output. These include a wide range of analysis and
+transformation tools (see Section \[section:other-apps\]).
+
+Coding Standards
+----------------
+
+CPROVER is written in a fairly minimalist subset of C++; templates and
+meta-programming are avoided except where necessary. The standard
+library is used but in many cases there are alternatives provided in
+`util/` (see Section \[section:util\]) which are preferred.  Boost is
+not used.
+
+Patches should be formatted so that code is indented with two space
+characters, not tab and wrapped to 75 or 72 columns. Headers for doxygen
+should be given (and preferably filled!) and the author will be the
+person who first created the file.
+
+Identifiers should be lower case with underscores to separate words.
+Types (classes, structures and typedefs) names must[^1] end with a `t`.
+Types that model types (i.e. C types in the program that is being
+interpreted) are named with `_typet`. For example `ui_message_handlert`
+rather than `UI_message_handlert` or `UIMessageHandler` and
+`union_typet`.
+
+How to Contribute
+-----------------
+
+Fixes, changes and enhancements to the CPROVER code base should be
+developed against the `trunk` version and submitted to Daniel as patches
+produced by `diff -Naur` or `svn diff`. Entire applications are best
+developed independently (`git svn` is a popular choice for tracking the
+main trunk but also having local development) until it is clear what
+their utility, future and maintenance is likely to be.
+
+Other Useful Code {#section:other-apps}
+-----------------
+
+The CPROVER subversion archive contains a number of separate programs.
+Others are developed separately as patches or separate
+branches.Interfaces are have been and are continuing to stablise but
+older code may require work to compile and function correctly.
+
+In the main archive:
+
+* `CBMC`:   A bounded model checking tool for C and C++. See Section
+  \[section:CBMC\].
+
+* `goto-cc`:   A drop-in, flag compatible replacement for GCC and other
+  compilers that produces goto-programs rather than executable binaries.
+  See Section \[section:goto-cc\].
+
+* `goto-instrument`:   A collection of functions for instrumenting and
+  modifying goto-programs. See Section \[section:goto-instrument\].
+
+Model checkers and similar tools:
+
+* `SatABS`:   A CEGAR model checker using predicate abstraction. Is
+  roughly 10,000 lines of code (on top of the CPROVER code base) and is
+  developed in its own subversion archive. It uses an external model
+  checker to find potentially feasible paths. Key limitations are
+  related to code with pointers and there is scope for significant
+  improvement.
+
+* `Scratch`:   Alistair Donaldson’s k-induction based tool. The
+  front-end is in the old project CVS and some of the functionality is
+  in `goto-instrument`.
+
+* `Wolverine`:   An implementation of Ken McMillan’s IMPACT algorithm
+  for sequential programs. In the old project CVS.
+
+* `C-Impact`:   An implementation of Ken McMillan’s IMPACT algorithm for
+  parallel programs. In the old project CVS.
+
+* `LoopFrog`:   A loop summarisation tool.
+
+* `???`:   Christoph’s termination analyser.
+
+Test case generation:
+
+* `cover`:   A basic test-input generation tool. In the old
+    project CVS.
+
+* `FShell`:   A test-input generation tool that allows the user to
+  specify the desired coverage using a custom language (which includes
+  regular expressions over paths). It uses incremental SAT and is thus
+  faster than the naïve “add assertions one at a time and use the
+  counter-examples” approach. Is developed in its own subversion.
+
+Alternative front-ends and input translators:
+
+* `Scoot`:   A System-C to C translator. Probably in the old
+    project CVS.
+
+* `???`:   A Simulink to C translator. In the old project CVS.
+
+* `???`:   A Verilog front-end. In the old project CVS.
+
+* `???`:   A converter from Codewarrior project files to Makefiles. In
+    the old project CVS.
+
+Other tools:
+
+* `ai`:   Leo’s hybrid abstract interpretation / CEGAR tool.
+
+* `DeltaCheck?`:   Ajitha’s slicing tool, aimed at locating changes and
+  differential verification. In the old project CVS.
+
+There are tools based on the CPROVER framework from other research
+groups which are not listed here.
+
+Source Walkthrough
+==================
+
+This section walks through the code bases in a rough order of interest /
+comprehensibility to the new developer.
+
+`doc`
+-----
+
+At the moment just contains the CBMC man page.
+
+`regression/`
+-------------
+
+The regression tests are currently being moved from CVS. The
+`regression/` directory contains all of those that have
+been moved. They are grouped into directories for each of the tools.
+Each of these contains a directory per test case, containing a C or C++
+file that triggers the bug and a `.dsc` file that describes
+the tests, expected output and so on. There is a Perl script,
+`test.pl` that is used to invoke the tests as:
+
+    ../test.pl -c PATH_TO_CBMC
+
+The `–help` option gives instructions for use and the
+format of the description files.
+
+`src/`
+------
+
+The source code is divided into a number of sub-directories, each
+containing the code for a different part of the system. In the top level
+files there are only a few files:
+
+* `config.inc`:   The user-editable configuration parameters for the
+  build process. The main use of this file is setting the paths for the
+  various external SAT solvers that are used. As such, anyone building
+  from source will likely need to edit this.
+
+* `Makefile`:   The main systems Make file. Parallel builds are
+  supported and encouraged; please don’t break them!
+
+* `common`:   System specific magic required to get the system to build.
+  This should only need to be edited if porting CBMC to a new platform /
+  build environment.
+
+* `doxygen.cfg`:   The config file for doxygen.cfg
+
+### `util/` {#section:util}
+
+`util/` contains the low-level data structures and
+manipulation functions that are used through-out the CPROVER code-base.
+For almost any low-level task, the code required is probably in
+`util/`. Key files include:
+
+* `irep.h`:   This contains the definition of `irept`, the basis of many
+  of the data structures in the project. They should not be used
+  directly; one of the derived classes should be used. For more
+  information see Section \[section:irept\].
+
+* `expr.h`:   The parent class for all of the expressions. Provides a
+  number of generic functions, `exprt` can be used with these but when
+  creating data, subclasses of `exprt` should be used.
+
+* `std_expr.h`:   Provides subclasses of `exprt` for common kinds of
+  expression for example `plus_exprt`, `minus_exprt`,
+  `dereference_exprt`. These are the intended interface for creating
+  expressions.
+
+* `std_types.h`:   Provides subclasses of `typet` (a subclass of
+  `irept`) to model C and C++ types. This is one of the preferred
+  interfaces to `irept`. The front-ends handle type promotion and most
+  coercision so the type system and checking goto-programs is simpler
+  than C.
+
+* `dstring.h`:   The CPROVER string class. This enables sharing between
+  strings which significantly reduces the amount of memory required and
+  speeds comparison. `dstring` should not be used directly, `irep_idt`
+  should be used instead, which (dependent on build options) is an alias
+  for `dstring`.
+
+* `mp_arith.h`:   The wrapper class for multi-precision arithmetic
+  within CPROVER. Also see `arith_tools.h`.
+
+* `ieee_float.h`:   The arbitrary precision float model used within
+  CPROVER. Based on `mp_integer`s.
+
+* `context.h`:   A generic container for symbol table like constructs
+  such as namespaces. Lookup gives type, location of declaration, name,
+  ‘pretty name’, whether it is static or not.
+
+* `namespace.h`:   The preferred interface for the context class. The
+  key function is `lookup` which converts a string (`irep_idt`) to a
+  symbol which gives the scope of declaration, type and so on. This
+  works for functions as well as variables.
+
+### `langapi/`
+
+This contains the basic interfaces and support classes for programming
+language front ends. Developers only really need look at this if they
+are adding support for a new language. It’s main users are the two (in
+trunk) language front-ends; `ansi-c/` and
+`cpp/`.
+
+### `ansi-c/`
+
+Contains the front-end for ANSI C, plus a variety of common extensions.
+This parses the file, performs some basic sanity checks (this is one
+area in which the UI could be improved; patches most welcome) and then
+produces a goto-program (see below). The parser is a traditional Flex /
+Bison system.
+
+`internal_addition.c` contains the implementation of various ‘magic’
+functions that are that allow control of the analysis from the source
+code level. These include assertions, assumptions, atomic blocks, memory
+fences and rounding modes.
+
+The `library/` subdirectory contains versions of some of the C standard
+header files that make use of the CPROVER built-in functions. This
+allows CPROVER programs to be ‘aware’ of the functionality and model it
+correctly. Examples include `stdio.c`, `string.c`, `setjmp.c` and
+various threading interfaces.
+
+### `cpp/`
+
+This directory contains the C++ front-end. It supports the subset of C++
+commonly found in embedded and system applications. Consequentially it
+doesn’t have full support for templates and many of the more advanced
+and obscure C++ features. The subset of the language that can be handled
+is being extended over time so bug reports of programs that cannot be
+parsed are useful.
+
+The functionality is very similar to the ANSI C front end; parsing the
+code and converting to goto-programs. It makes use of code from
+`langapi` and `ansi-c`.
+
+### `goto-programs/`
+
+Goto programs are the intermediate representation of the CPROVER tool
+chain. They are language independent and similar to many of the compiler
+intermediate languages. Section \[section:goto-programs\] describes the
+`goto_programt` and `goto_functionst` data structures in detail. However
+it useful to understand some of the basic concepts. Each function is a
+list of instructions, each of which has a type (one of 18 kinds of
+instruction), a code expression, a guard expression and potentially some
+targets for the next instruction. They are not natively in static
+single-assign (SSA) form. Transitions are nondeterministic (although in
+practise the guards on the transitions normally cover form a disjoint
+cover of all possibilities). Local variables have non-deterministic
+values if they are not initialised.  Variables and data within the
+program is commonly one of three types (parameterised by width):
+`unsignedbv_typet`, `signedbv_typet` and `floatbv_typet`, see
+`util/std_types.h` for more information. Goto programs can be serialised
+in a binary (wrapped in ELF headers) format or in XML (see the various
+`_serialization` files).
+
+The `cbmc` option `–show-goto-programs` is often a good starting point
+as it outputs goto-programs in a human readable form. However there are
+a few things to be aware of. Functions have an internal name (for
+example `c::f00`) and a ‘pretty name’ (for example `f00`) and which is
+used depends on whether it is internal or being presented to the user.
+The `main` method is the ‘logical’ main which is not necessarily the
+main method from the code. In the output `NONDET` is use to represent a
+nondeterministic assignment to a variable. Likewise `IF` as a beautified
+`GOTO` instruction where the guard expression is used as the condition.
+`RETURN` instructions may be dropped if they precede an `END_FUNCTION`
+instruction. The comment lines are generated from the `locationt` field
+of the `instructiont` structure.
+
+`goto-programs/` is one of the few places in the CPROVER codebase that
+templates are used. The intention is to allow the general architecture
+of program and functions to be used for other formalisms.  At the moment
+most of the templates have a single instantiation; for example
+`goto_functionst` and `goto_function_templatet` and `goto_programt` and
+`goto_program_templatet`.
+
+### `goto-symex/`
+
+This directory contains a symbolic evaluation system for goto-programs.
+This takes a goto-program and translates it to an equation system by
+traversing the program, branching and merging and unwinding loops as
+needed. Each reverse goto has a separate counter (the actual counting is
+handled by `cbmc`, see the `–unwind` and `–unwind-set` options). When a
+counter limit is reach, an assertion can be added to explicitly show
+when analysis is incomplete.  The symbolic execution includes constant
+folding so loops that have a constant number of iterations will be
+handled completely (assuming the unwinding limit is sufficient).
+
+The output of the symbolic execution is a system of equations; an object
+containing a list of `symex_target_elements`, each of which are
+equalities between `expr` expressions. See `symex_target_equation.h`.
+The output is in static, single assignment (SSA) form, which is *not*
+the case for goto-programs.
+
+### `pointer-analysis/`
+
+To perform symbolic execution on programs with dereferencing of
+arbitrary pointers, some alias analysis is needed.  `pointer-analysis`
+contains the three levels of analysis; flow and context insensitive,
+context sensitive and flow and context sensitive. The code needed is
+subtle and sophisticated and thus there may be bugs.
+
+### `solvers/`
+
+The `solvers/` directory contains interfaces to a number of
+different decision procedures, roughly one per directory.
+
+* prop/:   The basic and common functionality. The key file is
+  `prop_conv.h` which defines `prop_convt`.  This is the base class that
+  is used to interface to the decision procedures. The key functions are
+  `convert` which takes an `exprt` and converts it to the appropriate,
+  solver specific, data structures and `dec_solve` (inherited from
+  `decision_proceduret`) which invokes the actual decision procedures.
+  Individual decision procedures (named `*_dect`) objects can be created
+  but `prop_convt` is the preferred interface for code that uses them.
+
+* flattening/:   A library that converts operations to bit-vectors,
+  including calling the conversions in `floatbv` as necessary. Is
+  implemented as a simple conversion (with caching) and then a
+  post-processing function that adds extra constraints. This is not used
+  by the SMT or CVC back-ends.
+
+* dplib/:   Provides the `dplib_dect` object which used the decision
+  procedure library from “Decision Procedures : An Algorithmic Point of
+  View”.
+
+* cvc/:   Provides the `cvc_dect` type which interfaces to the old (pre
+  SMTLib) input format for the CVC family of solvers.  This format is
+  still supported by depreciated in favour of SMTLib 2.
+
+* smt1/:   Provides the `smt1_dect` type which converts the formulae to
+  SMTLib version 1 and then invokes one of Boolector, CVC3, OpenSMT,
+  Yices, MathSAT or Z3. Again, note that this format is depreciated.
+
+* smt2/:   Provides the `smt2_dect` type which functions in a similar
+  way to `smt1_dect`, calling Boolector, CVC3, MathSAT, Yices or Z3.
+  Note that the interaction with the solver is batched and uses
+  temporary files rather than using the interactive command supported by
+  SMTLib 2. With the `–fpa` option, this output mode will not flatten
+  the floating point arithmetic and instead output the proposed SMTLib
+  floating point standard.
+
+* qbf/:   Back-ends for a variety of QBF solvers. Appears to be no
+  longer used or maintained.
+
+* sat/:   Back-ends for a variety of SAT solvers and DIMACS output.
+
+### `cbmc/` {#section:CBMC}
+
+This contains the first full application. CBMC is a bounded model
+checker that uses the front ends (`ansi-c`, `cpp`, goto-program or
+others) to create a goto-program, `goto-symex` to unwind the loops the
+given number of times and to produce and equation system and finally
+`solvers` to find a counter-example (technically, `goto-symex` is then
+used to construct the counter-example trace).
+
+### `goto-cc/` {#section:goto-cc}
+
+`goto-cc` is a compiler replacement that just performs the first step of
+the process; converting C or C++ programs to goto-binaries. It is
+intended to be dropped in to an existing build procedure in place of the
+compiler, thus it emulates flags that would affect the semantics of the
+code produced. Which set of flags are emulated depends on the naming of
+the `goto-cc/` binary. If it is called `goto-cc` then it emulates GCC
+flags, `goto-armcc` emulates the ARM compiler, `goto-cl` emulates VCC
+and `goto-cw` emulates the Code Warrior compiler. The output of this
+tool can then be used with `cbmc` or `goto-instrument`.
+
+### `goto-instrument/` {#section:goto-instrument}
+
+The `goto-instrument/` directory contains a number of tools, one per
+file, that are built into the `goto-instrument` program. All of them
+take in a goto-program (produced by `goto-cc`) and either modify it or
+perform some analysis. Examples include `nondet_static.cpp` which
+initialises static variables to a non-deterministic value,
+`nondet_volatile.cpp` which assigns a non-deterministic value to any
+volatile variable before it is read and `weak_memory.h` which performs
+the necessary transformations to reason about weak memory models. The
+exception to the “one file for each piece of functionality” rule are the
+program instrumentation options (mostly those given as “Safety checks”
+in the `goto-instrument` help text) which are included in the
+`goto-program/` directory. An example of this is
+`goto-program/stack_depth.h` and the general rule seems to be that
+transformations and instrumentation that `cbmc` uses should be in
+`goto-program/`, others should be in `goto-instrument`.
+
+`goto-instrument` is a very good template for new analysis tools. New
+developers are advised to copy the directory, remove all files apart
+from `main.*`, `parseoptions.*` and the `Makefile` and use these as the
+skeleton of their application. The `doit()` method in `parseoptions.cpp`
+is the preferred location for the top level control for the program.
+
+### `linking/`
+
+Probably the code to emulate a linker. This allows multiple ‘object
+files’ (goto-programs) to be linked into one ‘executable’ (another
+goto-program), thus allowing existing build systems to be used to build
+complete goto-program binaries.
+
+### `big-int/`
+
+CPROVER is distributed with its own multi-precision arithmetic library;
+mainly for historical and portability reasons. The library is externally
+developed and thus `big-int` contains the source as it is distributed.
+This should not be used directly, see `util/mp_arith.h` for the CPROVER
+interface.
+
+### `xmllang/`
+
+CPROVER has optional XML output for results and there is an XML format
+for goto-programs. It is used to interface to various IDEs. The
+`xmllang/` directory contains the parser and helper functions for
+handling this format.
+
+### `floatbv/`
+
+This library contains the code that is used to convert floating point
+variables (`floatbv`) to bit vectors (`bv`).  This is referred to as
+‘bit-blasting’ and is called in the `solver` code during conversion to
+SAT or SMT. It also contains the abstraction code described in the
+FMCAD09 paper.
+
+Data Structures
+===============
+
+This section discusses some of the key data-structures used in the
+CPROVER codebase.
+
+`irept` {#section:irept}
+------------------------
+
+There are a large number of kind of tree structured or tree-like data in
+CPROVER. `irept` provides a single, unified representation for all of
+these, allowing structure sharing and reference counting of data. As
+such `irept` is the basic unit of data in CPROVER.  Each `irept`
+contains[^2] a basic unit of data (of type `dt`) which contains four
+things:
+
+* `data`:   A string[^3], which is returned when the `id()` function is
+  used.
+
+* `named_sub`:   A map from `irep_namet` (a string) to an `irept`. This
+  is used for named children, i.e.  subexpressions, parameters, etc.
+
+* `comments`:   Another map from `irep_namet` to `irept` which is used
+  for annotations and other ‘non-semantic’ information
+
+* `sub`:   A vector of `irept` which is used to store ordered but
+  unnamed children.
+
+The `irept::pretty` function outputs the contents of an `irept` directly
+and can be used to understand an debug problems with `irept`s.
+
+On their own `irept`s do not “mean” anything; they are effectively
+generic tree nodes. Their interpretation depends on the contents of
+result of the `id` function (the `data`) field. `util/irep_ids.txt`
+contains the complete list of `id` values. During the build process it
+is used to generate `util/irep_ids.h` which gives constants for each id
+(named `ID_`). These can then be used to identify what kind of data
+`irept` stores and thus what can be done with it.
+
+To simplify this process, there are a variety of classes that inherit
+from `irept`, roughly corresponding to the ids listed (i.e.  `ID_or`
+(the string `"or”`) corresponds to the class `or_exprt`). These give
+semantically relevant accessor functions for the data; effectively
+different APIs for the same underlying data structure. None of these
+classes add fields (only methods) and so static casting can be used. The
+inheritance graph of the subclasses of `irept` is a useful starting
+point for working out how to manipulate data.
+
+There are three main groups of classes (or APIs); those derived from
+`typet`, `codet` and `exprt` respectively. Although all of these inherit
+from `irept`, these are the most abstract level that code should handle
+data. If code is manipulating plain `irept`s then something is wrong
+with the architecture of the code.
+
+Many of the key descendent of `exprt` are declared in `std_expr.h`. All
+expressions have a named subfield / annotation which gives the type of
+the expression (slightly simplified from C/C++ as `unsignedbv_typet`,
+`signedbv_typet`, `floatbv_typet`, etc.). All type conversions are
+explicit with an expression with `id() == ID_typecast` and an ‘interface
+class’ named `typecast_exprt`. One key descendent of `exprt` is
+`symbol_exprt` which creates `irept` instances with the id of “symbol”.
+These are used to represent variables; the name of which can be found
+using the `get_identifier` accessor function.
+
+`codet` inherits from `exprt` and is defined in `std_code.h`. They
+represent executable code; statements in C rather than expressions. In
+the front-end there are versions of these that hold whole code blocks,
+but in goto-programs these have been flattened so that each `irept`
+represents one sequence point (almost one line of code / one
+semi-colon). The most common descendents of `codet` are `code_assignt`
+so a common pattern is to cast the `codet` to an assignment and then
+recurse on the expression on either side.
+
+`goto-programs` {#section:goto-programs}
+----------------------------------------
+
+The common starting point for working with goto-programs is the
+`read_goto_binary` function which populates an object of
+`goto_functionst` type. This is defined in `goto_functions.h` and is an
+instantiation of the template `goto_functions_templatet` which is
+contained in `goto_functions_template.h`. They are wrappers around a map
+from strings to `goto_programt`’s and iteration macros are provided.
+Note that `goto_function_templatet` (no `s`) is defined in the same
+header as `goto_functions_templatet` and is gives the C type for the
+function and Boolean which indicates whether the body is available
+(before linking this might not always be true). Also note the slightly
+counter-intuitive naming; `goto_functionst` instances are the top level
+structure representing the program and contain `goto_programt` instances
+which represent the individual functions. At the time of writing
+`goto_functionst` is the only instantiation of the template
+`goto_functions_templatet` but other could be produced if a different
+data-structures / kinds of models were needed for functions.
+
+`goto_programt` is also an instantiation of a template. In a similar
+fashion it is `goto_program_templatet` and allows the types of the guard
+and expression used in instructions to be parameterised. Again, this is
+currently the only use of the template. As such there are only really
+helper functions in `goto_program.h` and thus `goto_program_template.h`
+is probably the key file that describes the representation of (C)
+functions in the goto-program format. It is reasonably stable and
+reasonably documented and thus is a good place to start looking at the
+code.
+
+An instance of `goto_program_templatet` is effectively a list of
+instructions (and inner template called `instructiont`). It is important
+to use the copy and insertion functions that are provided as iterators
+are used to link instructions to their predecessors and targets and
+careless manipulation of the list could break these. Likewise there are
+helper macros for iterating over the instructions in an instance of
+`goto_program_templatet` and the use of these is good style and strongly
+encouraged.
+
+Individual instructions are instances of type `instructiont`. They
+represent one step in the function.  Each has a type, an instance of
+`goto_program_instruction_typet` which denotes what kind of instruction
+it is. They can be computational (such as `ASSIGN` or `FUNCTION_CALL`),
+logical (such as `ASSUME` and `ASSERT`) or informational (such as
+`LOCATION` and `DEAD`). At the time of writing there are 18 possible
+values for `goto_program_instruction_typet` / kinds of instruction.
+Instructions also have a guard field (the condition under which it is
+executed) and a code field (what the instruction does). These may be
+empty depending on the kind of instruction. In the default
+instantiations these are of type `exprt` and `codet` respectively and
+thus covered by the previous discussion of `irept` and its descendents.
+The next instructions (remembering that transitions are guarded by
+non-deterministic) are given by the list `targets` (with the
+corresponding list of labels `labels`) and the corresponding set of
+previous instructions is get by `incoming_edges`. Finally `instructiont`
+have informational `function` and `location` fields that indicate where
+they are in the code.
+
+[^1]: There are a couple of exceptions, including the graph classes
+
+[^2]: Or references, if reference counted data sharing is enabled. It is
+    enabled by default; see the `SHARING` macro.
+
+[^3]: When `USE_DSTRING` is enabled (it is by default), this is actually
+a `dstring` and thus an integer which is a reference into a string table
diff --git a/doc/architectural/front-page.md b/doc/architectural/front-page.md
index f978dfe88d..13e832074a 100644
--- a/doc/architectural/front-page.md
+++ b/doc/architectural/front-page.md
@@ -38,4 +38,9 @@ hosted on GitHub.
   exercises---mostly modifying goto-instrument, and thus learning to
   manipulate the main data structures used within CBMC.
 
+* The \subpage cbmc-guide "CBMC guide" is a single document describing
+  the layout of the codebase and many of the important data structures.
+  It probably contains more information than the module pages at the
+  moment, but may be somewhat out-of-date.
+
 \defgroup module_hidden _hidden
diff --git a/doc/guide/CBMC-guide.tex b/doc/guide/CBMC-guide.tex
deleted file mode 100644
index 0285bf82c1..0000000000
--- a/doc/guide/CBMC-guide.tex
+++ /dev/null
@@ -1,714 +0,0 @@
-\documentclass{article}
-
-\newcommand{\dir}[1]{\texttt{#1}}
-\newcommand{\file}[1]{\texttt{#1}}
-\newcommand{\code}[1]{\texttt{#1}}
-\newcommand{\prog}[1]{\texttt{#1}}
-
-\title{Beginner's Guide to CPROVER}
-\author{Martin Brain\thanks{But most of the content is from Michael Tautschnig}}
-
-\begin{document}
-
-\maketitle
-
-\section{Background Information}
-
-First off; read the CPROVER manual.  It describes how to get, build
-and use CBMC and SATABS.  This document covers the internals of the
-system and how to get started on development.
-
-
-\subsection{Documentation}
-
-Apart from the (user-orientated) CPROVER manual and this document,
-most of the rest of the documentation is inline in the code
-as \texttt{doxygen} and some comments.  A man page for CBMC, goto-cc
-and goto-instrument is contained in the \dir{doc/} directory and gives
-some options for these tools.  All of these could be improved
-and patches are very welcome.  In some cases the algorithms used are
-described in the relevant papers.
-
-\subsection{Architecture}
-
-CPROVER is structured in a similar fashion to a compiler.  It has
-language specific front-ends which perform limited syntactic analysis
-and then convert to an intermediate format.  The intermediate format
-can be output to files (this is what \texttt{goto-cc} does) and are
-(informally) referred to as ``goto binaries'' or ``goto programs''.
-The back-end are tools process this format, either directly from the
-front-end or from it's saved output.  These include a wide range of
-analysis and transformation tools (see Section \ref{section:other-apps}).
-
-\subsection{Coding Standards}
-
-CPROVER is written in a fairly minimalist subset of C++; templates and
-meta-programming are avoided except where necessary.  The standard
-library is used but in many cases there are alternatives provided in
-\dir{util/} (see Section \ref{section:util}) which are preferred.
-Boost is not used.
-
-Patches should be formatted so that code is indented with two space
-characters, not tab and wrapped to 75 or 72 columns.  Headers for
-doxygen should be given (and preferably filled!) and the author will
-be the person who first created the file.
-
-Identifiers should be lower case with underscores to separate words.
-Types (classes, structures and typedefs) names must\footnote{There are
-a couple of exceptions, including the graph classes} end with a
-\code{t}.  Types that model types (i.e. C types in the program that is
-being interpreted) are named with \code{\_typet}.
-For example \code{ui\_message\_handlert} rather than
-\code{UI\_message\_handlert} or \code{UIMessageHandler} and
-\code{union\_typet}.
-
-
-
-\subsection{How to Contribute}
-
-Fixes, changes and enhancements to the CPROVER code base should be
-developed against the \texttt{trunk} version and submitted to Daniel
-as patches produced by \texttt{diff -Naur} or \texttt{svn diff}.
-Entire applications are best developed independently (\texttt{git svn}
-is a popular choice for tracking the main trunk but also having local
-development) until it is clear what their utility, future and
-maintenance is likely to be.
-
-
-\subsection{Other Useful Code}
-\label{section:other-apps}
-
-The CPROVER subversion archive contains a number of separate
-programs.  Others are developed separately as patches or separate
-branches.%  New applications are initially developed in their version
-%control system and may be merged into the main subversion system
-%depending on their utility, popularity and maintenance.
-Interfaces are have been and are continuing to stablise but older code
-may require work to compile and function correctly.
-
-In the main archive:
-
-\begin{description}
-  \item[\prog{CBMC}]{A bounded model checking tool for C and C++. See
-    Section \ref{section:CBMC}.}
-  \item[\prog{goto-cc}]{A drop-in, flag compatible replacement for GCC
-    and other compilers that produces goto-programs rather than
-    executable binaries.  See Section \ref{section:goto-cc}.}
-  \item[\prog{goto-instrument}]{A collection of functions for
-    instrumenting and modifying goto-programs.  See Section
-    \ref{section:goto-instrument}.}
-\end{description}
-
-Model checkers and similar tools:
-
-\begin{description}
-  \item[\prog{SatABS}]{A CEGAR model checker using predicate
-    abstraction.  Is roughly 10,000 lines of code (on top of the CPROVER
-    code base) and is developed in its own subversion archive.  It
-    uses an external model checker to find potentially feasible paths.
-    Key limitations are related to code with pointers and there is
-    scope for significant improvement.}
-
-  \item[\prog{Scratch}]{Alistair Donaldson's k-induction based tool.
-    The front-end is in the old project CVS and some of the
-    functionality is in \prog{goto-instrument}.}
-
-  \item[\prog{Wolverine}]{An implementation of Ken McMillan's IMPACT
-    algorithm for sequential programs.  In the old project CVS.}
-
-  \item[\prog{C-Impact}]{An implementation of Ken McMillan's IMPACT
-    algorithm for parallel programs.  In the old project CVS.}
-
-  \item[\prog{LoopFrog}]{A loop summarisation tool.}
-
-  \item[\prog{???}]{Christoph's termination analyser.}
-
-\end{description}
-
-
-Test case generation:
-
-\begin{description}
-  \item[\prog{cover}]{A basic test-input generation tool.  In the old
-    project CVS.}
-
-  \item[\prog{FShell}]{A test-input generation tool that allows the
-      user to specify the desired coverage using a custom language
-      (which includes regular expressions over paths).  It uses
-      incremental SAT and is thus faster than the na\"ive ``add
-      assertions one at a time and use the counter-examples''
-      approach.  Is developed in its own subversion.}
-\end{description}
-
-
-
-Alternative front-ends and input translators:
-
-\begin{description}
-  \item[\prog{Scoot}]{A System-C to C translator.  Probably in the old
-    project CVS.}
-  
-  \item[\prog{???}]{A Simulink to C translator.  In the old project CVS.}
-
-  \item[\prog{???}]{A Verilog front-end.  In the old project CVS.}
-
-  \item[\prog{???}]{A converter from Codewarrior project files to
-    Makefiles.  In the old project CVS.}
-\end{description}
-
-
-Other tools:
-
-\begin{description}
-  \item[\prog{ai}]{Leo's hybrid abstract interpretation / CEGAR tool.}
-
-  \item[\prog{DeltaCheck?}]{Ajitha's slicing tool, aimed at locating
-    changes and differential verification.  In the old project CVS.}
-\end{description}
-
-
-There are tools based on the CPROVER framework from other research
-groups which are not listed here.
-
-
-
-
-
-
-\section{Source Walkthrough}
-
-This section walks through the code bases in a rough order of interest
-/ comprehensibility to the new developer.
-
-
-
-\subsection{\dir{doc}}
-
-At the moment just contains the CBMC man page.
-
-\subsection{\dir{regression/}}
-
-The regression tests are currently being moved from CVS.  The
-\dir{regression/} directory contains all of those that have been
-moved.  They are grouped into directories for each of the tools.  Each
-of these contains a directory per test case, containing a C or C++
-file that triggers the bug and a \file{.dsc} file that describes the
-tests, expected output and so on.  There is a Perl script,
-\file{test.pl} that is used to invoke the tests as:
-
-\begin{center}
-  \code{../test.pl -c PATH\_TO\_CBMC}
-\end{center}
-
-The \code{--help} option gives instructions for use and the format of
-the description files.
-
-
-
-\subsection{\dir{src/}}
-
-The source code is divided into a number of sub-directories, each
-containing the code for a different part of the system.  In the top
-level files there are only a few files:
-
-\begin{description}
-  \item[\file{config.inc}]{The user-editable configuration parameters
-    for the build process.  The main use of this file is setting the
-    paths for the various external SAT solvers that are used.  As
-    such, anyone building from source will likely need to edit this.}
-  \item[\file{Makefile}]{The main systems Make file.  Parallel builds
-    are supported and encouraged; please don't break them!}
-  \item[\file{common}]{System specific magic required to get the
-    system to build.  This should only need to be edited if porting
-    CBMC to a new platform / build environment.}
-  \item[\file{doxygen.cfg}]{The config file for doxygen.cfg}
-\end{description}
-
-
-
-\subsubsection{\dir{util/}}
-\label{section:util}
-
-\dir{util/} contains the low-level data structures and manipulation
-functions that are used through-out the CPROVER code-base.  For almost
-any low-level task, the code required is probably in \dir{util/}.  Key
-files include:
-
-\begin{description}
-  \item[\file{irep.h}]{This contains the definition of \code{irept},
-    the basis of many of the data structures in the project.  They
-    should not be used directly; one of the derived classes should be
-    used.  For more information see Section \ref{section:irept}.}
-  \item[\file{expr.h}]{The parent class for all of the expressions.
-    Provides a number of generic functions, \code{exprt} can be used
-    with these but when creating data, subclasses of \code{exprt}
-    should be used.}
-  \item[\file{std\_expr.h}]{Provides subclasses of \code{exprt} for
-    common kinds of expression for example \code{plus\_exprt},
-    \code{minus\_exprt}, \code{dereference\_exprt}.  These are the
-    intended interface for creating expressions.}
-  \item[\file{std\_types.h}]{Provides subclasses of \code{typet} (a
-    subclass of \code{irept}) to model C and C++ types.  This is one
-    of the preferred interfaces to \code{irept}.  The front-ends handle
-    type promotion and most coercision so the type system and checking
-    goto-programs is simpler than C.}
-  \item[\file{dstring.h}]{The CPROVER string class.  This enables
-    sharing between strings which significantly reduces the amount of
-    memory required and speeds comparison.  \code{dstring} should not
-    be used directly, \code{irep\_idt} should be used instead, which
-    (dependent on build options) is an alias for \code{dstring}.}
-  \item[\file{mp\_arith.h}]{The wrapper class for multi-precision
-    arithmetic within CPROVER.  Also see \file{arith\_tools.h}.}
-  \item[\file{ieee\_float.h}]{The arbitrary precision float model used
-    within CPROVER.  Based on \code{mp\_integer}s.}
-  \item[\file{context.h}]{A generic container for symbol table like
-    constructs such as namespaces.  Lookup gives type, location of
-    declaration, name, `pretty name', whether it is static or not.}
-  \item[\file{namespace.h}]{The preferred interface for the context
-    class.  The key function is \code{lookup} which converts a string
-    (\code{irep\_idt}) to a symbol which gives the scope of
-    declaration, type and so on.  This works for functions as well as variables.}
-\end{description}
-
-
-
-
-\subsubsection{\dir{langapi/}}
-
-This contains the basic interfaces and support classes for programming
-language front ends.  Developers only really need look at this if they
-are adding support for a new language.  It's main users are the two
-(in trunk) language front-ends; \dir{ansi-c/} and \dir{cpp/}.
-
-
-\subsubsection{\dir{ansi-c/}}
-
-Contains the front-end for ANSI C, plus a variety of common
-extensions.  This parses the file, performs some basic sanity checks
-(this is one area in which the UI could be improved; patches most
-welcome) and then produces a goto-program (see below).  The parser is
-a traditional Flex / Bison system.  
-
-\file{internal\_addition.c} contains the implementation of various
-`magic' functions that are that allow control of the analysis from the
-source code level.  These include assertions, assumptions, atomic
-blocks, memory fences and rounding modes.
-
-The \dir{library/} subdirectory contains versions of some of the C
-standard header files that make use of the CPROVER built-in
-functions.  This allows CPROVER programs to be `aware' of the
-functionality and model it correctly.  Examples include
-\file{stdio.c}, \file{string.c}, \file{setjmp.c} and various threading
-interfaces.
-
-
-\subsubsection{\dir{cpp/}}
-
-This directory contains the C++ front-end.  It supports the subset of
-C++ commonly found in embedded and system applications.
-Consequentially it doesn't have full support for templates and many of
-the more advanced and obscure C++ features.  The subset of the
-language that can be handled is being extended over time so bug
-reports of programs that cannot be parsed are useful.
-
-The functionality is very similar to the ANSI C front end; parsing the
-code and converting to goto-programs.  It makes use of code from
-\dir{langapi} and \dir{ansi-c}.
-
-
-
-
-\subsubsection{\dir{goto-programs/}}
-
-Goto programs are the intermediate representation of the CPROVER tool
-chain.  They are language independent and similar to many of the
-compiler intermediate languages.  Section \ref{section:goto-programs}
-describes the \code{goto\_programt} and \code{goto\_functionst} data
-structures in detail.  However it useful to understand some of the
-basic concepts.  Each function is a list of instructions, each of
-which has a type (one of 18 kinds of instruction), a code expression,
-a guard expression and potentially some targets for the next
-instruction.  They are not natively in static single-assign (SSA)
-form.  Transitions are nondeterministic (although in practise the
-guards on the transitions normally cover form a disjoint cover of all
-possibilities).  Local variables have non-deterministic values if they
-are not initialised.  Variables and data within the program is
-commonly one of three types (parameterised by width):
-\code{unsignedbv\_typet}, \code{signedbv\_typet} and
-\code{floatbv\_typet}, see \file{util/std\_types.h} for more
-information. Goto programs can be serialised in a binary (wrapped in
-ELF headers) format or in XML (see the various \code{\_serialization}
-files).
-
-
-The \prog{cbmc} option \code{--show-goto-programs} is often a
-good starting point as it outputs goto-programs in a human
-readable form.  However there are a few things to be aware of.
-Functions have an internal name (for example \code{c::f00}) and a
-`pretty name' (for example \code{f00}) and which is used depends on
-whether it is internal or being presented to the user.  The
-\code{main} method is the `logical' main which is not necessarily the
-main method from the code.  In the output \code{NONDET} is use to
-represent a nondeterministic assignment to a variable.  Likewise
-\code{IF} as a beautified \code{GOTO} instruction where the guard
-expression is used as the condition.  \code{RETURN} instructions may
-be dropped if they precede an \code{END\_FUNCTION} instruction.  The
-comment lines are generated from the \code{locationt} field of the
-\code{instructiont} structure.
-
-\dir{goto-programs/} is one of the few places in the CPROVER codebase
-that templates are used.  The intention is to allow the general
-architecture of program and functions to be used for other
-formalisms.  At the moment most of the templates have a single
-instantiation; for example \code{goto\_functionst} and
-\code{goto\_function\_templatet} and \code{goto\_programt} and \code{goto\_program\_templatet}.
-
-
-
-\subsubsection{\dir{goto-symex/}}
-
-This directory contains a symbolic evaluation system for
-goto-programs.  This takes a goto-program and translates it to an
-equation system by traversing the program, branching and merging and
-unwinding loops as needed.  Each reverse goto has a separate counter
-(the actual counting is handled by \prog{cbmc}, see the \code{--unwind}
-and \code{--unwind-set} options).  When a counter limit
-is reach, an assertion can be added to explicitly show when analysis
-is incomplete.  The symbolic execution includes constant folding so
-loops that have a constant number of iterations will be handled
-completely (assuming the unwinding limit is sufficient).
-
-The output of the symbolic execution is a system of equations; an
-object containing a list of \code{symex\_target\_elements}, each of
-which are equalities between \prog{expr} expressions.  See
-\file{symex\_target\_equation.h}.  The output is in static, single
-assignment (SSA) form, which is \emph{not} the case for goto-programs.
-
-
-
-\subsubsection{\dir{pointer-analysis/}}
-
-To perform symbolic execution on programs with dereferencing of
-arbitrary pointers, some alias analysis is needed.
-\dir{pointer-analysis} contains the three levels of analysis; flow and
-context insensitive, context sensitive and flow and context
-sensitive.  The code needed is subtle and sophisticated and thus there
-may be bugs.
-
-
-
-
-\subsubsection{\dir{solvers/}}
-
-The \dir{solvers/} directory contains interfaces to a number of
-different decision procedures, roughly one per directory.  
-
-\begin{description}
-
-  \item[prop/]{The basic and common functionality.  The key file is
-    \file{prop\_conv.h} which defines \code{prop\_convt}.  This is the
-     base class that is used to interface to the decision procedures.
-     The key functions are \code{convert} which takes an \code{exprt}
-     and converts it to the appropriate, solver specific, data
-     structures and \code{dec\_solve} (inherited from
-     \code{decision\_proceduret}) which invokes the actual decision
-     procedures.  Individual decision procedures (named
-     \code{*\_dect}) objects can be created but \code{prop\_convt} is
-     the preferred interface for code that uses them.}  
-
-  \item[flattening/]{A library that converts operations to
-    bit-vectors, including calling the conversions in \dir{floatbv} as
-    necessary.  Is implemented as a simple conversion (with caching)
-    and then a post-processing function that adds extra constraints.
-    This is not used by the SMT or CVC back-ends.}  
-
-  %%%%
-
-  \item[dplib/]{Provides the \code{dplib\_dect} object which used the
-    decision procedure library from ``Decision Procedures : An
-    Algorithmic Point of View''.}  
-
-  \item[cvc/]{Provides the \code{cvc\_dect} type which interfaces to
-    the old (pre SMTLib) input format for the CVC family of solvers.
-    This format is still supported by depreciated in favour of SMTLib 2.}  
-
-  \item[smt1/]{Provides the \code{smt1\_dect} type which converts the
-    formulae to SMTLib version 1 and then invokes one of Boolector,
-    CVC3, OpenSMT, Yices, MathSAT or Z3.  Again, note that this format
-    is depreciated.}  
-
-  \item[smt2/]{Provides the \code{smt2\_dect} type which functions in
-    a similar way to \code{smt1\_dect}, calling Boolector, CVC3,
-    MathSAT, Yices or Z3.  Note that the interaction with the solver
-    is batched and uses temporary files rather than using the
-    interactive command supported by SMTLib 2.  With the \code{--fpa}
-    option, this output mode will not flatten the floating point
-    arithmetic and instead output the proposed SMTLib floating point
-    standard.}
-  
-  \item[qbf/]{Back-ends for a variety of QBF solvers.  Appears to be
-    no longer used or maintained.}
-  
-  \item[sat/]{Back-ends for a variety of SAT solvers and DIMACS
-    output.}  
-\end{description}
-
-
-
-
-
-\subsubsection{\dir{cbmc/}}
-\label{section:CBMC}
-
-This contains the first full application.  CBMC is a bounded model
-checker that uses the front ends (\dir{ansi-c}, \dir{cpp}, goto-program or others)
-to create a goto-program, \dir{goto-symex} to unwind the loops the given
-number of times and to produce and equation system and finally
-\dir{solvers} to find a counter-example (technically, \dir{goto-symex}
-is then used to construct the counter-example trace).
-
-
-
-\subsubsection{\dir{goto-cc/}}
-\label{section:goto-cc}
-
-\dir{goto-cc} is a compiler replacement that just performs the first
-step of the process; converting C or C++ programs to goto-binaries.
-It is intended to be dropped in to an existing build procedure in
-place of the compiler, thus it emulates flags that would affect the
-semantics of the code produced.  Which set of flags are emulated
-depends on the naming of the \dir{goto-cc/} binary.  If it is called
-\prog{goto-cc} then it emulates GCC flags, \prog{goto-armcc} emulates
-the ARM compiler, \prog{goto-cl} emulates VCC and \prog{goto-cw}
-emulates the Code Warrior compiler.  The output of this tool can then
-be used with \prog{cbmc} or \prog{goto-instrument}.
-
-
-
-
-\subsubsection{\dir{goto-instrument/}}
-\label{section:goto-instrument}
-
-The \dir{goto-instrument/} directory contains a number of tools, one
-per file, that are built into the \prog{goto-instrument} program.  All
-of them take in a goto-program (produced by \prog{goto-cc}) and either
-modify it or perform some analysis.  Examples include
-\file{nondet\_static.cpp} which initialises static variables to a
-non-deterministic value, \file{nondet\_volatile.cpp} which assigns
-a non-deterministic value to any volatile variable before it is read
-and \file{weak\_memory.h} which performs the necessary transformations
-to reason about weak memory models.  The exception to the ``one file
-for each piece of functionality'' rule are the program instrumentation
-options (mostly those given as ``Safety checks'' in the
-\prog{goto-instrument} help text) which are included in the
-\prog{goto-program/} directory.  An example of this is
-\file{goto-program/stack\_depth.h} and the general rule seems to be
-that transformations and instrumentation that \prog{cbmc} uses should
-be in \dir{goto-program/}, others should be in \dir{goto-instrument}.
-
-\prog{goto-instrument} is a very good template for new analysis
-tools.  New developers are advised to copy the directory, remove all
-files apart from \file{main.*}, \file{parseoptions.*} and the
-\file{Makefile} and use these as the skeleton of their application.
-The \code{doit()} method in \file{parseoptions.cpp} is the preferred
-location for the top level control for the program.
-
-
-
-\subsubsection{\dir{linking/}}
-
-Probably the code to emulate a linker.  This allows multiple `object
-files' (goto-programs) to be linked into one `executable' (another
-goto-program), thus allowing existing build systems to be used to
-build complete goto-program binaries.
-
-
-\subsubsection{\dir{big-int/}}
-
-CPROVER is distributed with its own multi-precision arithmetic
-library; mainly for historical and portability reasons.  The library is externally
-developed and thus \dir{big-int} contains the source as it is
-distributed.  This should not be used directly, see
-\file{util/mp\_arith.h} for the CPROVER interface.
-
-
-
-\subsubsection{\dir{xmllang/}}
-
-CPROVER has optional XML output for results and there is an XML format
-for goto-programs.  It is used to interface to various IDEs.  The
-\dir{xmllang/} directory contains the parser and helper functions for
-handling this format.
-
-
-
-\subsubsection{\dir{floatbv/}}
-
-This library contains the code that is used to convert floating point
-variables (\code{floatbv}) to bit vectors (\code{bv}).  This is
-referred to as `bit-blasting' and is called in the \dir{solver} code
-during conversion to SAT or SMT.  It also contains the abstraction
-code described in the FMCAD09 paper.
-
-
-
-
-
-
-
-
-\section{Data Structures}
-
-This section discusses some of the key data-structures used in the
-CPROVER codebase.
-
-\subsection{\code{irept}}
-\label{section:irept}
-
-There are a large number of kind of tree structured or tree-like data
-in CPROVER.  \code{irept} provides a single, unified representation for
-all of these, allowing structure sharing and reference counting of
-data.  As such \code{irept} is the basic unit of data in CPROVER.
-Each \code{irept} contains\footnote{Or references, if reference
-  counted data sharing is enabled.  It is enabled by default; see the
-  \code{SHARING} macro.} a basic unit of data (of type \code{dt})
-which contains four things:
-
-\begin{description}
-\item[\code{data}]{A string\footnote{When \code{USE\_DSTRING} is enabled (it
-    is by default), this is actually a \code{dstring} and thus an
-    integer which is a reference into a string table}, which is
-    returned when the \code{id()} function is used.}
-\item[\code{named\_sub}]{A map from \code{irep\_namet} (a string) to
-    an \code{irept}.  This is used for named children,
-    i.e. subexpressions, parameters, etc.}
-\item[\code{comments}]{Another map from \code{irep\_namet} to
-  \code{irept} which is used for annotations and other `non-semantic' information}
-\item[\code{sub}]{A vector of \code{irept} which is used to store
-  ordered but unnamed children.}
-\end{description}
-
-The \code{irept::pretty} function outputs the contents of an
-\code{irept} directly and can be used to understand an debug problems
-with \code{irept}s.
-
-
-On their own \code{irept}s do not ``mean'' anything; they are
-effectively generic tree nodes.  Their interpretation depends on the
-contents of result of the \code{id} function (the \code{data}) field.
-\file{util/irep\_ids.txt} contains the complete list of \code{id}
-values.  During the build process it is used to generate
-\file{util/irep\_ids.h} which gives constants for each id (named
-\code{ID\_*}).  These can then be used to identify what kind of data
-\code{irept} stores and thus what can be done with it.
-
-To simplify this process, there are a variety of classes that inherit
-from \code{irept}, roughly corresponding to the ids listed
-(i.e. \code{ID\_or} (the string \code{"or''}) corresponds to the class
-\code{or\_exprt}).  These give semantically relevant accessor
-functions for the data; effectively different APIs for the same
-underlying data structure.  None of these classes add fields (only
-methods) and so static casting can be used.  The inheritance graph of
-the subclasses of \code{irept} is a useful starting point for working
-out how to manipulate data.
-
-There are three main groups of classes (or APIs); those derived from
-\code{typet}, \code{codet} and \code{exprt} respectively.  Although
-all of these inherit from \code{irept}, these are the most abstract
-level that code should handle data.  If code is manipulating plain
-\code{irept}s then something is wrong with the architecture of the
-code.
-
-Many of the key descendent of \code{exprt} are declared in
-\file{std\_expr.h}.  All expressions have a named subfield /
-annotation which gives the type of the expression (slightly
-simplified from C/C++ as \code{unsignedbv\_typet},
-\code{signedbv\_typet}, \code{floatbv\_typet}, etc.).  All type
-conversions are explicit with an expression with \code{id() ==
-  ID\_typecast} and an `interface class' named
-\code{typecast\_exprt}.  One key descendent of \code{exprt} is
-\code{symbol\_exprt} which creates \code{irept} instances with the id
-of ``symbol''.  These are used to represent variables; the name of
-which can be found using the \code{get\_identifier} accessor function.
-
-
-\code{codet} inherits from \code{exprt} and is defined in
-\file{std\_code.h}.  They represent executable code; statements in C
-rather than expressions.  In the front-end there are versions of these
-that hold whole code blocks, but in goto-programs these have been
-flattened so that each \code{irept} represents one sequence point
-(almost one line of code / one semi-colon).  The most common
-descendents of \code{codet} are \code{code\_assignt} so a common
-pattern is to cast the \code{codet} to an assignment and then recurse
-on the expression on either side.
-
-
-
-
-
-
-\subsection{\code{goto-programs}}
-\label{section:goto-programs}
-
-The common starting point for working with goto-programs is the
-\code{read\_goto\_binary} function which populates an object of
-\code{goto\_functionst} type.  This is defined in
-\file{goto\_functions.h} and is an instantiation of the template
-\code{goto\_functions\_templatet} which is contained in
-\file{goto\_functions\_template.h}.  They are wrappers around a map from
-strings to \code{goto\_programt}'s and iteration macros are provided.
-Note that \code{goto\_function\_templatet} (no \code{s}) is defined in
-the same header as \code{goto\_functions\_templatet} and is gives the
-C type for the function and Boolean which indicates whether the body
-is available (before linking this might not always be true).  Also
-note the slightly counter-intuitive naming; \code{goto\_functionst}
-instances are the top level structure representing the program and
-contain \code{goto\_programt} instances which represent the individual
-functions.  At the time of writing \code{goto\_functionst} is the only
-instantiation of the template \code{goto\_functions\_templatet} but
-other could be produced if a different data-structures / kinds of models
-were needed for functions.
-
-\code{goto\_programt} is also an instantiation of a template.  In a
-similar fashion it is \code{goto\_program\_templatet} and allows the
-types of the guard and expression used in instructions to be
-parameterised.  Again, this is currently the only use of the template.
-As such there are only really helper functions in
-\file{goto\_program.h} and thus \code{goto\_program\_template.h} is
-probably the key file that describes the representation of (C)
-functions in the goto-program format.  It is reasonably stable and
-reasonably documented and thus is a good place to start looking at the code.
-
-An instance of \code{goto\_program\_templatet} is effectively a list
-of instructions (and inner template called \code{instructiont}).  It
-is important to use the copy and insertion functions that are provided
-as iterators are used to link instructions to their predecessors and
-targets and careless manipulation of the list could break these.
-Likewise there are helper macros for iterating over the instructions
-in an instance of \code{goto\_program\_templatet} and the use of these
-is good style and strongly encouraged.
-
-Individual instructions are instances of type \code{instructiont}.
-They represent one step in the function.  Each has a type, an instance
-of \code{goto\_program\_instruction\_typet} which denotes what kind of
-instruction it is.  They can be computational (such as \code{ASSIGN}
-or \code{FUNCTION\_CALL}), logical (such as \code{ASSUME} and
-\code{ASSERT}) or informational (such as \code{LOCATION} and
-\code{DEAD}).  At the time of writing there are 18 possible values for
-\code{goto\_program\_instruction\_typet} / kinds of instruction.
-Instructions also have a guard field (the condition under which it is
-executed) and a code field (what the instruction does).  These may be
-empty depending on the kind of instruction.  In the default
-instantiations these are of type \code{exprt} and \code{codet}
-respectively and thus covered by the previous discussion of
-\code{irept} and its descendents.  The next instructions (remembering
-that transitions are guarded by non-deterministic) are given by the
-list \code{targets} (with the corresponding list of labels
-\code{labels}) and the corresponding set of previous instructions is
-get by \code{incoming\_edges}.  Finally \code{instructiont} have
-informational \code{function} and \code{location} fields that indicate
-where they are in the code.
-
-
-
-\end{document}

From 369f077d2efe8ffee0aa54b2583ba36ffbeb07c8 Mon Sep 17 00:00:00 2001
From: Michael Tautschnig 
Date: Tue, 11 Jul 2017 16:19:33 +0100
Subject: [PATCH 34/89] Do not assign to objects that have gone out of scope

Pointer dereferencing may yield objects that have meanwhile gone out of scope.
Assigning to them is unnecessary, and performing a merge on those would yield
inconsistent equations (as witnessed by the included regression test).

Filtering out the merge in phi nodes is not easily possible as there are several
cases where it is permissible that only one of the states entering the phi node
has an (L1) object, such as declarations only seen in one branch.

Fixes: #1115
---
 regression/cbmc/Local_out_of_scope3/main.c    | 24 +++++++++++++++++++
 regression/cbmc/Local_out_of_scope3/test.desc |  8 +++++++
 src/goto-symex/symex_assign.cpp               | 11 +++++++++
 3 files changed, 43 insertions(+)
 create mode 100644 regression/cbmc/Local_out_of_scope3/main.c
 create mode 100644 regression/cbmc/Local_out_of_scope3/test.desc

diff --git a/regression/cbmc/Local_out_of_scope3/main.c b/regression/cbmc/Local_out_of_scope3/main.c
new file mode 100644
index 0000000000..977efe689a
--- /dev/null
+++ b/regression/cbmc/Local_out_of_scope3/main.c
@@ -0,0 +1,24 @@
+unsigned int *GLOBAL_POINTER[1];
+
+int index;
+
+void f(void)
+{
+  unsigned int actual=0u;
+  GLOBAL_POINTER[0] = &actual;
+
+  if(index==0)
+    *GLOBAL_POINTER[index] = 1u;
+  else
+    actual = 2u;
+
+  __CPROVER_assume(1u == actual);
+}
+
+void main(void)
+{
+  index=nondet_int();
+  f();
+  f();
+  __CPROVER_assert(0==1, "");
+}
diff --git a/regression/cbmc/Local_out_of_scope3/test.desc b/regression/cbmc/Local_out_of_scope3/test.desc
new file mode 100644
index 0000000000..6de7955991
--- /dev/null
+++ b/regression/cbmc/Local_out_of_scope3/test.desc
@@ -0,0 +1,8 @@
+CORE
+main.c
+
+^EXIT=10$
+^SIGNAL=0$
+^VERIFICATION FAILED$
+--
+^warning: ignoring
diff --git a/src/goto-symex/symex_assign.cpp b/src/goto-symex/symex_assign.cpp
index 047f3be832..de5ba76df7 100644
--- a/src/goto-symex/symex_assign.cpp
+++ b/src/goto-symex/symex_assign.cpp
@@ -209,6 +209,17 @@ void goto_symext::symex_assign_symbol(
   guardt &guard,
   assignment_typet assignment_type)
 {
+  // do not assign to L1 objects that have gone out of scope --
+  // pointer dereferencing may yield such objects; parameters do not
+  // have an L2 entry set up beforehand either, so exempt them from
+  // this check (all other L1 objects should have seen a declaration)
+  const symbolt *s;
+  if(!ns.lookup(lhs.get_object_name(), s) &&
+     !s->is_parameter &&
+     !lhs.get_level_1().empty() &&
+     state.level2.current_count(lhs.get_identifier())==0)
+    return;
+
   exprt ssa_rhs=rhs;
 
   // put assignment guard into the rhs

From 427194c6261573028aa5b5b861cc63f349bf9f5b Mon Sep 17 00:00:00 2001
From: Pascal Kesseli 
Date: Sun, 18 Jun 2017 21:11:19 +0100
Subject: [PATCH 35/89] Allow anonymous namespaces

Only give warnings for namespaces with actual names, in accordance with
https://github.com/diffblue/cbmc/commit/ad4137535398efcca8f3defa291d85c2baa9faa3.
This enables the use of anonymous namespaces without warnings.

Fixes: #932
---
 regression/cpp-linter/namespace/main.cpp  | 34 +++++++++++++++++++++++
 regression/cpp-linter/namespace/test.desc | 11 ++++++++
 scripts/cpplint.py                        | 19 +++++++++++--
 3 files changed, 61 insertions(+), 3 deletions(-)
 create mode 100644 regression/cpp-linter/namespace/main.cpp
 create mode 100644 regression/cpp-linter/namespace/test.desc

diff --git a/regression/cpp-linter/namespace/main.cpp b/regression/cpp-linter/namespace/main.cpp
new file mode 100644
index 0000000000..f1c1ebd0a6
--- /dev/null
+++ b/regression/cpp-linter/namespace/main.cpp
@@ -0,0 +1,34 @@
+// Author: Pascal Kesseli, pascal.kesseli@diffblue.com
+
+namespace asdf {}
+
+namespace
+asdf
+{}
+
+namespace
+asdf
+  {}
+
+  namespace
+
+
+asdf
+{}
+
+namespace xyz = my::nested::namespaces;
+
+
+
+namespace {}
+
+namespace
+{ }
+
+namespace
+{
+}
+
+    namespace
+{
+}
diff --git a/regression/cpp-linter/namespace/test.desc b/regression/cpp-linter/namespace/test.desc
new file mode 100644
index 0000000000..06525f7f9a
--- /dev/null
+++ b/regression/cpp-linter/namespace/test.desc
@@ -0,0 +1,11 @@
+CORE
+main.cpp
+
+main\.cpp:3:  Do not use namespaces  \[readability/namespace\] \[4\]
+main\.cpp:5:  Do not use namespaces  \[readability/namespace\] \[4\]
+main\.cpp:9:  Do not use namespaces  \[readability/namespace\] \[4\]
+main\.cpp:13:  Do not use namespaces  \[readability/namespace\] \[4\]
+main\.cpp:19:  Do not use namespaces  \[readability/namespace\] \[4\]
+^EXIT=1$
+^SIGNAL=0$
+--
diff --git a/scripts/cpplint.py b/scripts/cpplint.py
index 6f8797445e..a41d26d772 100755
--- a/scripts/cpplint.py
+++ b/scripts/cpplint.py
@@ -6216,9 +6216,22 @@ def CheckItemIndentationInNamespace(filename, raw_lines_no_comments, linenum,
 
 def CheckNamespaceOrUsing(filename, clean_lines, linenum, error):
   line = clean_lines.elided[linenum]
-  if Match(r'^namespace(\s|$)', line):
-    error(filename, linenum, 'readability/namespace', 4,
-          'Do not use namespaces')
+  if Match(r'^\s*namespace(\s+.*)?$', line):
+    num_lines=len(clean_lines.elided)
+    current_linenum=linenum
+    while current_linenum
Date: Thu, 13 Jul 2017 12:37:43 +0100
Subject: [PATCH 36/89] Adapt perl script to handle multiple .desc files

Changes test.pl to name output *.out files after *.desc instead
of *.class files. Also updates failed-test-printer.pl to work with
those new *.out files and multiple *.desc files.
---
 regression/failed-tests-printer.pl | 12 ++++++++----
 regression/test.pl                 |  5 ++++-
 2 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/regression/failed-tests-printer.pl b/regression/failed-tests-printer.pl
index 40767185d5..aa5f28b593 100755
--- a/regression/failed-tests-printer.pl
+++ b/regression/failed-tests-printer.pl
@@ -6,21 +6,25 @@ open LOG,") {
   chomp;
   if (/^Test '(.+)'/) {
     $current_test = $1;
     $printed_this_test = 0;
+  } elsif (/Descriptor:\s+([^\s]+)/) {
+    $descriptor_file = $1;
+  } elsif (/Output:\s+([^\s]+)/) {
+    $output_file = $1;
   } elsif (/\[FAILED\]\s*$/) {
     if(0 == $printed_this_test) {
       $printed_this_test = 1;
       print "\n\n";
       print "Failed test: $current_test\n";
-      my $outf = `sed -n '2p' $current_test/test.desc`;
-      $outf =~ s/\..*$/.out/;
-      system("cat $current_test/$outf");
-      print "\n\nFailed test.desc lines:\n";
+      system("cat $current_test/$output_file");
+      print "\n\nFailed $descriptor_file lines:\n";
     }
     print "$_\n";
   }
diff --git a/regression/test.pl b/regression/test.pl
index 0bf364b86c..be4762936a 100755
--- a/regression/test.pl
+++ b/regression/test.pl
@@ -71,7 +71,9 @@ sub test($$$$$) {
 
   $options =~ s/$ign//g if(defined($ign));
 
-  my $output = $input;
+  my $descriptor = $test;
+  $descriptor =~ s/^.*\///;
+  my $output = $descriptor;
   $output =~ s/\.[^.]*$/.out/;
 
   if($output eq $input) {
@@ -82,6 +84,7 @@ sub test($$$$$) {
   print LOG "Test '$name'\n";
   print LOG "  Level: $level\n";
   print LOG "  Input: $input\n";
+  print LOG "  Descriptor: $descriptor\n";
   print LOG "  Output: $output\n";
   print LOG "  Options: $options\n";
   print LOG "  Results:\n";

From 515ee7f24701eabfb9c8830af525991452237eea Mon Sep 17 00:00:00 2001
From: Michael Tautschnig 
Date: Tue, 20 Jun 2017 14:18:05 +0000
Subject: [PATCH 37/89] goto-gcc: Reproduce GCC's exit code when output is
 /dev/null

Follow-up to a24a4a781033c

Command-lines such as
goto-gcc -lnoSUCHlibrary -nostdlib -shared -o /dev/null foo.c
must yield a non-zero exit code.
---
 src/goto-cc/gcc_mode.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/goto-cc/gcc_mode.cpp b/src/goto-cc/gcc_mode.cpp
index ce2fa4405e..a53bccea02 100644
--- a/src/goto-cc/gcc_mode.cpp
+++ b/src/goto-cc/gcc_mode.cpp
@@ -803,7 +803,7 @@ int gcc_modet::gcc_hybrid_binary()
   if(output_files.empty() ||
      (output_files.size()==1 &&
       output_files.front()=="/dev/null"))
-    return EX_OK;
+    return run_gcc();
 
   debug() << "Running " << native_tool_name
           << " to generate hybrid binary" << eom;

From 585a290493a9df075c9356a2df984d1662e761a6 Mon Sep 17 00:00:00 2001
From: Michael Tautschnig 
Date: Thu, 6 Jul 2017 15:37:18 +0000
Subject: [PATCH 38/89] Use native --version output in goto-gcc

Follow-up/fixes "goto-{gcc,bcc,ld} -v should not print version info
twice"
---
 src/goto-cc/gcc_mode.cpp | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/src/goto-cc/gcc_mode.cpp b/src/goto-cc/gcc_mode.cpp
index a53bccea02..5bf2733361 100644
--- a/src/goto-cc/gcc_mode.cpp
+++ b/src/goto-cc/gcc_mode.cpp
@@ -265,10 +265,10 @@ int gcc_modet::doit()
     base_name=="bcc" ||
     base_name.find("goto-bcc")!=std::string::npos;
 
-  if((cmdline.isset('v') || cmdline.isset("version")) &&
-     cmdline.have_infile_arg()) // let the native tool print the version
+  if((cmdline.isset('v') && cmdline.have_infile_arg()) ||
+     (cmdline.isset("version") && !produce_hybrid_binary))
   {
-    // This a) prints the version and b) increases verbosity.
+    // "-v" a) prints the version and b) increases verbosity.
     // Compilation continues, don't exit!
 
     if(act_as_ld)
@@ -282,6 +282,9 @@ int gcc_modet::doit()
 
   if(cmdline.isset("version"))
   {
+    if(produce_hybrid_binary)
+      return run_gcc();
+
     std::cout << '\n' <<
       "Copyright (C) 2006-2014 Daniel Kroening, Christoph Wintersteiger\n" <<
       "CBMC version: " CBMC_VERSION << '\n' <<
@@ -293,6 +296,9 @@ int gcc_modet::doit()
 
   if(cmdline.isset("dumpversion"))
   {
+    if(produce_hybrid_binary)
+      return run_gcc();
+
     std::cout << "3.4.4\n";
     return EX_OK;
   }

From b272c6290346bba3d62e0cf5a8a5788a69086312 Mon Sep 17 00:00:00 2001
From: Michael Tautschnig 
Date: Fri, 7 Jul 2017 07:25:19 +0000
Subject: [PATCH 39/89] goto-as: handle input from stdin

`goto-as -Qy - -o bla.o` would previously fail with 1) an uninterpreted
option "-Qy" and 2) "Failed to open input source -". As stdin is
properly redirected to a file by goto_cc_cmdlinet, this file should be
used (and -Qy should be ignored).
---
 src/goto-cc/as_cmdline.cpp | 1 +
 src/goto-cc/as_mode.cpp    | 8 ++++----
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/goto-cc/as_cmdline.cpp b/src/goto-cc/as_cmdline.cpp
index fd3fa17706..52f7f06a25 100644
--- a/src/goto-cc/as_cmdline.cpp
+++ b/src/goto-cc/as_cmdline.cpp
@@ -42,6 +42,7 @@ const char *as_options_without_argument[]=
   "-K",
   "-L",
   "--keep-locals",
+  "-Qy",
   "-R",
   "--reduce-memory-overheads",
   "--statistics",
diff --git a/src/goto-cc/as_mode.cpp b/src/goto-cc/as_mode.cpp
index c36e755b47..0c1f17c627 100644
--- a/src/goto-cc/as_mode.cpp
+++ b/src/goto-cc/as_mode.cpp
@@ -173,11 +173,11 @@ int as_modet::doit()
       continue;
 
     // extract the preprocessed source from the file
-    std::ifstream is(arg_it->arg);
+    std::string infile=arg_it->arg=="-"?cmdline.stdin_file:arg_it->arg;
+    std::ifstream is(infile);
     if(!is.is_open())
     {
-      error() << "Failed to open input source " << arg_it->arg
-        << eom;
+      error() << "Failed to open input source " << infile << eom;
       return 1;
     }
 
@@ -205,7 +205,7 @@ int as_modet::doit()
 
         ++outputs;
         std::string new_name=
-          get_base_name(arg_it->arg, true)+"_"+
+          get_base_name(infile, true)+"_"+
           std::to_string(outputs)+".i";
         dest=temp_dir(new_name);
 

From b2358bc3ea1131b3696475b5c620759125e5eb5b Mon Sep 17 00:00:00 2001
From: Daniel Kroening 
Date: Sat, 15 Jul 2017 15:16:37 +0100
Subject: [PATCH 40/89] added assertions to miniBDD

---
 src/solvers/miniBDD/miniBDD.cpp | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/solvers/miniBDD/miniBDD.cpp b/src/solvers/miniBDD/miniBDD.cpp
index 2b337c2ec1..7d47221295 100644
--- a/src/solvers/miniBDD/miniBDD.cpp
+++ b/src/solvers/miniBDD/miniBDD.cpp
@@ -262,6 +262,7 @@ mini_bddt mini_bddt::operator^(const mini_bddt &other) const
 
 mini_bddt mini_bddt::operator!() const
 {
+  assert(is_initialized());
   return node->mgr->True()^*this;
 }
 
@@ -304,6 +305,8 @@ mini_bddt mini_bdd_mgrt::mk(
   const mini_bddt &high)
 {
   assert(var<=var_table.size());
+  assert(low.var()>var);
+  assert(high.var()>var);
 
   if(low.node_number()==high.node_number())
     return low;

From a55ff13294af70d5a1e76c4b8529076d61ada792 Mon Sep 17 00:00:00 2001
From: reuk 
Date: Sun, 7 May 2017 12:40:46 +0100
Subject: [PATCH 41/89] Fix include order in analyses

---
 src/analyses/ai.cpp                        | 4 ++--
 src/analyses/call_graph.cpp                | 4 ++--
 src/analyses/constant_propagator.cpp       | 4 ++--
 src/analyses/custom_bitvector_analysis.cpp | 4 ++--
 src/analyses/dependence_graph.cpp          | 4 ++--
 src/analyses/dirty.cpp                     | 4 ++--
 src/analyses/does_remove_const.cpp         | 4 ++--
 src/analyses/does_remove_const.h           | 2 ++
 src/analyses/escape_analysis.cpp           | 4 ++--
 src/analyses/flow_insensitive_analysis.cpp | 4 ++--
 src/analyses/goto_check.cpp                | 3 ++-
 src/analyses/goto_rw.cpp                   | 3 +--
 src/analyses/interval_analysis.cpp         | 3 ++-
 src/analyses/interval_domain.cpp           | 4 ++--
 src/analyses/invariant_propagation.cpp     | 4 ++--
 src/analyses/invariant_set.cpp             | 4 ++--
 src/analyses/invariant_set_domain.cpp      | 4 ++--
 src/analyses/is_threaded.cpp               | 3 ++-
 src/analyses/local_bitvector_analysis.cpp  | 4 ++--
 src/analyses/local_cfg.cpp                 | 4 ++--
 src/analyses/local_may_alias.cpp           | 4 ++--
 src/analyses/locals.cpp                    | 4 ++--
 src/analyses/natural_loops.cpp             | 4 ++--
 src/analyses/reaching_definitions.cpp      | 4 ++--
 src/analyses/replace_symbol_ext.cpp        | 4 ++--
 src/analyses/static_analysis.cpp           | 6 +++---
 src/analyses/uninitialized_domain.cpp      | 4 ++--
 27 files changed, 54 insertions(+), 50 deletions(-)

diff --git a/src/analyses/ai.cpp b/src/analyses/ai.cpp
index 1eca272c19..f7b9506213 100644
--- a/src/analyses/ai.cpp
+++ b/src/analyses/ai.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Abstract Interpretation
 
+#include "ai.h"
+
 #include 
 #include 
 #include 
@@ -19,8 +21,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include "is_threaded.h"
 
-#include "ai.h"
-
 jsont ai_domain_baset::output_json(
   const ai_baset &ai,
   const namespacet &ns) const
diff --git a/src/analyses/call_graph.cpp b/src/analyses/call_graph.cpp
index 2d91e502a3..a711c254c2 100644
--- a/src/analyses/call_graph.cpp
+++ b/src/analyses/call_graph.cpp
@@ -9,11 +9,11 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Function Call Graphs
 
+#include "call_graph.h"
+
 #include 
 #include 
 
-#include "call_graph.h"
-
 call_grapht::call_grapht()
 {
 }
diff --git a/src/analyses/constant_propagator.cpp b/src/analyses/constant_propagator.cpp
index 15cda33e86..02913f9360 100644
--- a/src/analyses/constant_propagator.cpp
+++ b/src/analyses/constant_propagator.cpp
@@ -9,6 +9,8 @@ Author: Peter Schrammel
 /// \file
 /// Constant Propagation
 
+#include "constant_propagator.h"
+
 #ifdef DEBUG
 #include 
 #endif
@@ -17,8 +19,6 @@ Author: Peter Schrammel
 #include 
 #include 
 
-#include "constant_propagator.h"
-
 exprt concatenate_array_id(
 		const exprt &array, const exprt &index,
 		const typet &type)
diff --git a/src/analyses/custom_bitvector_analysis.cpp b/src/analyses/custom_bitvector_analysis.cpp
index fd64d08585..da5bd52fb6 100644
--- a/src/analyses/custom_bitvector_analysis.cpp
+++ b/src/analyses/custom_bitvector_analysis.cpp
@@ -9,11 +9,11 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Field-insensitive, location-sensitive bitvector analysis
 
+#include "custom_bitvector_analysis.h"
+
 #include 
 #include 
 
-#include "custom_bitvector_analysis.h"
-
 #include 
 
 void custom_bitvector_domaint::set_bit(
diff --git a/src/analyses/dependence_graph.cpp b/src/analyses/dependence_graph.cpp
index 4d9d37eae6..9707f9a3eb 100644
--- a/src/analyses/dependence_graph.cpp
+++ b/src/analyses/dependence_graph.cpp
@@ -12,6 +12,8 @@ Date: August 2013
 /// \file
 /// Field-Sensitive Program Dependence Analysis, Litvak et al., FSE 2010
 
+#include "dependence_graph.h"
+
 #include 
 
 #include 
@@ -19,8 +21,6 @@ Date: August 2013
 
 #include "goto_rw.h"
 
-#include "dependence_graph.h"
-
 bool dep_graph_domaint::merge(
   const dep_graph_domaint &src,
   goto_programt::const_targett from,
diff --git a/src/analyses/dirty.cpp b/src/analyses/dirty.cpp
index 9a42e7f0a0..0231b50c77 100644
--- a/src/analyses/dirty.cpp
+++ b/src/analyses/dirty.cpp
@@ -11,10 +11,10 @@ Date: March 2013
 /// \file
 /// Local variables whose address is taken
 
-#include 
-
 #include "dirty.h"
 
+#include 
+
 void dirtyt::build(const goto_functiont &goto_function)
 {
   forall_goto_program_instructions(it, goto_function.body)
diff --git a/src/analyses/does_remove_const.cpp b/src/analyses/does_remove_const.cpp
index 90d82f99e1..9bf7c8b428 100644
--- a/src/analyses/does_remove_const.cpp
+++ b/src/analyses/does_remove_const.cpp
@@ -9,6 +9,8 @@
 /// \file
 /// Analyses
 
+#include "does_remove_const.h"
+
 #include 
 #include 
 #include 
@@ -16,8 +18,6 @@
 #include 
 #include 
 
-#include "does_remove_const.h"
-
 /// A naive analysis to look for casts that remove const-ness from pointers.
 /// \param goto_program: the goto program to check
 /// \param ns: the namespace of the goto program (used for checking type
diff --git a/src/analyses/does_remove_const.h b/src/analyses/does_remove_const.h
index f0cf2a2579..3fe4bf8acd 100644
--- a/src/analyses/does_remove_const.h
+++ b/src/analyses/does_remove_const.h
@@ -14,6 +14,8 @@
 #include 
 
 class goto_programt;
+class namespacet;
+class exprt;
 
 class does_remove_constt
 {
diff --git a/src/analyses/escape_analysis.cpp b/src/analyses/escape_analysis.cpp
index c724460527..a9b7c71db0 100644
--- a/src/analyses/escape_analysis.cpp
+++ b/src/analyses/escape_analysis.cpp
@@ -9,10 +9,10 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Field-insensitive, location-sensitive escape analysis
 
-#include 
-
 #include "escape_analysis.h"
 
+#include 
+
 bool escape_domaint::is_tracked(const symbol_exprt &symbol)
 {
   const irep_idt &identifier=symbol.get_identifier();
diff --git a/src/analyses/flow_insensitive_analysis.cpp b/src/analyses/flow_insensitive_analysis.cpp
index f6766038eb..b8ad09a4b5 100644
--- a/src/analyses/flow_insensitive_analysis.cpp
+++ b/src/analyses/flow_insensitive_analysis.cpp
@@ -10,13 +10,13 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Flow Insensitive Static Analysis
 
+#include "flow_insensitive_analysis.h"
+
 #include 
 
 #include 
 #include 
 
-#include "flow_insensitive_analysis.h"
-
 exprt flow_insensitive_abstract_domain_baset::get_guard(
   locationt from,
   locationt to) const
diff --git a/src/analyses/goto_check.cpp b/src/analyses/goto_check.cpp
index cddc054cc2..8fe596d926 100644
--- a/src/analyses/goto_check.cpp
+++ b/src/analyses/goto_check.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// GOTO Programs
 
+#include "goto_check.h"
+
 #include 
 
 #include 
@@ -27,7 +29,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 
 #include "local_bitvector_analysis.h"
-#include "goto_check.h"
 
 class goto_checkt
 {
diff --git a/src/analyses/goto_rw.cpp b/src/analyses/goto_rw.cpp
index 73b7a8c352..be3ef3e0a8 100644
--- a/src/analyses/goto_rw.cpp
+++ b/src/analyses/goto_rw.cpp
@@ -8,6 +8,7 @@ Date: April 2010
 
 \*******************************************************************/
 
+#include "goto_rw.h"
 
 #include 
 #include 
@@ -24,8 +25,6 @@ Date: April 2010
 
 #include 
 
-#include "goto_rw.h"
-
 range_domain_baset::~range_domain_baset()
 {
 }
diff --git a/src/analyses/interval_analysis.cpp b/src/analyses/interval_analysis.cpp
index d81d857b1f..c6d739c8bf 100644
--- a/src/analyses/interval_analysis.cpp
+++ b/src/analyses/interval_analysis.cpp
@@ -9,10 +9,11 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Interval Analysis
 
+#include "interval_analysis.h"
+
 #include 
 
 #include "interval_domain.h"
-#include "interval_analysis.h"
 
 void instrument_intervals(
   const ait &interval_analysis,
diff --git a/src/analyses/interval_domain.cpp b/src/analyses/interval_domain.cpp
index 6dc4fd37fa..5f1b9a314b 100644
--- a/src/analyses/interval_domain.cpp
+++ b/src/analyses/interval_domain.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Interval Domain
 
+#include "interval_domain.h"
+
 #ifdef DEBUG
 #include 
 #endif
@@ -17,8 +19,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "interval_domain.h"
-
 void interval_domaint::output(
   std::ostream &out,
   const ai_baset &ai,
diff --git a/src/analyses/invariant_propagation.cpp b/src/analyses/invariant_propagation.cpp
index 8e93ce4ee1..97211760f5 100644
--- a/src/analyses/invariant_propagation.cpp
+++ b/src/analyses/invariant_propagation.cpp
@@ -9,13 +9,13 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Invariant Propagation
 
+#include "invariant_propagation.h"
+
 #include 
 #include 
 #include 
 #include 
 
-#include "invariant_propagation.h"
-
 void invariant_propagationt::make_all_true()
 {
   for(auto &state : state_map)
diff --git a/src/analyses/invariant_set.cpp b/src/analyses/invariant_set.cpp
index 101a330d31..6127abdd57 100644
--- a/src/analyses/invariant_set.cpp
+++ b/src/analyses/invariant_set.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Invariant Set
 
+#include "invariant_set.h"
+
 #include 
 
 #include 
@@ -22,8 +24,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "invariant_set.h"
-
 void inv_object_storet::output(std::ostream &out) const
 {
   for(unsigned i=0; i
-
 #include "invariant_set_domain.h"
 
+#include 
+
 void invariant_set_domaint::transform(
   locationt from_l,
   locationt to_l,
diff --git a/src/analyses/is_threaded.cpp b/src/analyses/is_threaded.cpp
index 64b1e48f95..1ac32d2341 100644
--- a/src/analyses/is_threaded.cpp
+++ b/src/analyses/is_threaded.cpp
@@ -11,9 +11,10 @@ Date: October 2012
 /// \file
 /// Over-approximate Concurrency for Threaded Goto Programs
 
-#include "ai.h"
 #include "is_threaded.h"
 
+#include "ai.h"
+
 class is_threaded_domaint:public ai_domain_baset
 {
 public:
diff --git a/src/analyses/local_bitvector_analysis.cpp b/src/analyses/local_bitvector_analysis.cpp
index 219d446eea..f48b34a760 100644
--- a/src/analyses/local_bitvector_analysis.cpp
+++ b/src/analyses/local_bitvector_analysis.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Field-insensitive, location-sensitive may-alias analysis
 
+#include "local_bitvector_analysis.h"
+
 #include 
 #include 
 
@@ -19,8 +21,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "local_bitvector_analysis.h"
-
 void local_bitvector_analysist::flagst::print(std::ostream &out) const
 {
   if(is_unknown())
diff --git a/src/analyses/local_cfg.cpp b/src/analyses/local_cfg.cpp
index fffc5af771..fca97f53e9 100644
--- a/src/analyses/local_cfg.cpp
+++ b/src/analyses/local_cfg.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// CFG for One Function
 
+#include "local_cfg.h"
+
 #if 0
 #include 
 #include 
@@ -22,8 +24,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #endif
 
-#include "local_cfg.h"
-
 void local_cfgt::build(const goto_programt &goto_program)
 {
   nodes.resize(goto_program.instructions.size());
diff --git a/src/analyses/local_may_alias.cpp b/src/analyses/local_may_alias.cpp
index 02a5c69818..e1af3b4e88 100644
--- a/src/analyses/local_may_alias.cpp
+++ b/src/analyses/local_may_alias.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Field-insensitive, location-sensitive may-alias analysis
 
+#include "local_may_alias.h"
+
 #include 
 #include 
 
@@ -19,8 +21,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "local_may_alias.h"
-
 /// \return return 'true' iff changed
 bool local_may_aliast::loc_infot::merge(const loc_infot &src)
 {
diff --git a/src/analyses/locals.cpp b/src/analyses/locals.cpp
index 09d7ebfe7c..8d146f9713 100644
--- a/src/analyses/locals.cpp
+++ b/src/analyses/locals.cpp
@@ -11,10 +11,10 @@ Date: March 2013
 /// \file
 /// Local variables
 
-#include 
-
 #include "locals.h"
 
+#include 
+
 void localst::build(const goto_functiont &goto_function)
 {
   forall_goto_program_instructions(it, goto_function.body)
diff --git a/src/analyses/natural_loops.cpp b/src/analyses/natural_loops.cpp
index 57e835d7ef..7101613e41 100644
--- a/src/analyses/natural_loops.cpp
+++ b/src/analyses/natural_loops.cpp
@@ -9,10 +9,10 @@ Author: Georg Weissenbacher, georg@weissenbacher.name
 /// \file
 /// Dominators
 
-#include 
-
 #include "natural_loops.h"
 
+#include 
+
 void show_natural_loops(const goto_functionst &goto_functions)
 {
   forall_goto_functions(it, goto_functions)
diff --git a/src/analyses/reaching_definitions.cpp b/src/analyses/reaching_definitions.cpp
index 217bbb5f5d..0e0462c3c8 100644
--- a/src/analyses/reaching_definitions.cpp
+++ b/src/analyses/reaching_definitions.cpp
@@ -13,6 +13,8 @@ Date: February 2013
 /// Range-based reaching definitions analysis (following Field- Sensitive
 ///   Program Dependence Analysis, Litvak et al., FSE 2010)
 
+#include "reaching_definitions.h"
+
 #include 
 #include 
 
@@ -21,8 +23,6 @@ Date: February 2013
 #include "is_threaded.h"
 #include "dirty.h"
 
-#include "reaching_definitions.h"
-
 void rd_range_domaint::populate_cache(const irep_idt &identifier) const
 {
   assert(bv_container);
diff --git a/src/analyses/replace_symbol_ext.cpp b/src/analyses/replace_symbol_ext.cpp
index 75c697030b..18e0474629 100644
--- a/src/analyses/replace_symbol_ext.cpp
+++ b/src/analyses/replace_symbol_ext.cpp
@@ -9,11 +9,11 @@ Author: Peter Schrammel
 /// \file
 /// Modified expression replacement for constant propagator
 
+#include "replace_symbol_ext.h"
+
 #include 
 #include 
 
-#include "replace_symbol_ext.h"
-
 /// does not replace object in address_of expressions
 bool replace_symbol_extt::replace(exprt &dest) const
 {
diff --git a/src/analyses/static_analysis.cpp b/src/analyses/static_analysis.cpp
index dd6b8ac0f5..27acbbc365 100644
--- a/src/analyses/static_analysis.cpp
+++ b/src/analyses/static_analysis.cpp
@@ -9,6 +9,9 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Value Set Propagation
 
+#define USE_DEPRECATED_STATIC_ANALYSIS_H
+#include "static_analysis.h"
+
 #include 
 #include 
 
@@ -17,9 +20,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include "is_threaded.h"
 
-#define USE_DEPRECATED_STATIC_ANALYSIS_H
-#include "static_analysis.h"
-
 exprt static_analysis_baset::get_guard(
   locationt from,
   locationt to)
diff --git a/src/analyses/uninitialized_domain.cpp b/src/analyses/uninitialized_domain.cpp
index d042fa5876..48830ed204 100644
--- a/src/analyses/uninitialized_domain.cpp
+++ b/src/analyses/uninitialized_domain.cpp
@@ -11,11 +11,11 @@ Date: January 2010
 /// \file
 /// Detection for Uninitialized Local Variables
 
+#include "uninitialized_domain.h"
+
 #include 
 #include 
 
-#include "uninitialized_domain.h"
-
 void uninitialized_domaint::transform(
   locationt from,
   locationt to,

From caec1dbc9239315406ac0acc6fd2e1c049306161 Mon Sep 17 00:00:00 2001
From: reuk 
Date: Sun, 7 May 2017 12:41:31 +0100
Subject: [PATCH 42/89] Fix include order in ansi-c

---
 src/ansi-c/anonymous_member.cpp                   | 4 ++--
 src/ansi-c/ansi_c_convert_type.cpp                | 4 ++--
 src/ansi-c/ansi_c_declaration.cpp                 | 4 ++--
 src/ansi-c/ansi_c_entry_point.cpp                 | 2 +-
 src/ansi-c/ansi_c_internal_additions.cpp          | 3 +--
 src/ansi-c/ansi_c_language.cpp                    | 2 +-
 src/ansi-c/ansi_c_parse_tree.cpp                  | 3 +--
 src/ansi-c/ansi_c_parser.cpp                      | 2 +-
 src/ansi-c/ansi_c_scope.cpp                       | 3 +--
 src/ansi-c/c_misc.cpp                             | 4 ++--
 src/ansi-c/c_nondet_symbol_factory.cpp            | 4 ++--
 src/ansi-c/c_preprocess.cpp                       | 3 +--
 src/ansi-c/c_qualifiers.cpp                       | 3 +--
 src/ansi-c/c_sizeof.cpp                           | 5 +++--
 src/ansi-c/c_storage_spec.cpp                     | 3 +--
 src/ansi-c/c_typecast.cpp                         | 2 +-
 src/ansi-c/c_typecheck_argc_argv.cpp              | 4 ++--
 src/ansi-c/c_typecheck_base.cpp                   | 3 ++-
 src/ansi-c/c_typecheck_code.cpp                   | 3 ++-
 src/ansi-c/c_typecheck_expr.cpp                   | 3 ++-
 src/ansi-c/c_typecheck_initializer.cpp            | 3 ++-
 src/ansi-c/c_typecheck_type.cpp                   | 3 ++-
 src/ansi-c/c_typecheck_typecast.cpp               | 2 +-
 src/ansi-c/cprover_library.cpp                    | 2 +-
 src/ansi-c/designator.cpp                         | 4 ++--
 src/ansi-c/expr2c.cpp                             | 2 +-
 src/ansi-c/literals/convert_character_literal.cpp | 3 ++-
 src/ansi-c/literals/convert_float_literal.cpp     | 3 ++-
 src/ansi-c/literals/convert_integer_literal.cpp   | 4 ++--
 src/ansi-c/literals/convert_string_literal.cpp    | 3 ++-
 src/ansi-c/literals/parse_float.cpp               | 4 ++--
 src/ansi-c/literals/unescape_string.cpp           | 4 ++--
 src/ansi-c/padding.cpp                            | 4 ++--
 src/ansi-c/preprocessor_line.cpp                  | 3 ++-
 src/ansi-c/printf_formatter.cpp                   | 4 ++--
 src/ansi-c/string_constant.cpp                    | 3 +--
 src/ansi-c/type2name.cpp                          | 4 ++--
 src/ansi-c/type2name.h                            | 2 ++
 38 files changed, 63 insertions(+), 58 deletions(-)

diff --git a/src/ansi-c/anonymous_member.cpp b/src/ansi-c/anonymous_member.cpp
index 197739f594..524d725dd9 100644
--- a/src/ansi-c/anonymous_member.cpp
+++ b/src/ansi-c/anonymous_member.cpp
@@ -9,11 +9,11 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// ANSI-C Language Type Checking
 
+#include "anonymous_member.h"
+
 #include 
 #include 
 
-#include "anonymous_member.h"
-
 static exprt make_member_expr(
   const exprt &struct_union,
   const struct_union_typet::componentt &component,
diff --git a/src/ansi-c/ansi_c_convert_type.cpp b/src/ansi-c/ansi_c_convert_type.cpp
index 7f42f94c8a..23be0fdb93 100644
--- a/src/ansi-c/ansi_c_convert_type.cpp
+++ b/src/ansi-c/ansi_c_convert_type.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// SpecC Language Conversion
 
+#include "ansi_c_convert_type.h"
+
 #include 
 
 #include 
@@ -18,8 +20,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "ansi_c_convert_type.h"
-
 void ansi_c_convert_typet::read(const typet &type)
 {
   clear();
diff --git a/src/ansi-c/ansi_c_declaration.cpp b/src/ansi-c/ansi_c_declaration.cpp
index 74915af0f4..a764ab1a63 100644
--- a/src/ansi-c/ansi_c_declaration.cpp
+++ b/src/ansi-c/ansi_c_declaration.cpp
@@ -9,14 +9,14 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// ANSI-C Language Type Checking
 
+#include "ansi_c_declaration.h"
+
 #include 
 #include 
 
 #include 
 #include 
 
-#include "ansi_c_declaration.h"
-
 void ansi_c_declaratort::build(irept &src)
 {
   typet *p=static_cast(&src);
diff --git a/src/ansi-c/ansi_c_entry_point.cpp b/src/ansi-c/ansi_c_entry_point.cpp
index 90f1fda46d..c0cd29a387 100644
--- a/src/ansi-c/ansi_c_entry_point.cpp
+++ b/src/ansi-c/ansi_c_entry_point.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "ansi_c_entry_point.h"
 
 #include 
 #include 
@@ -24,7 +25,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "ansi_c_entry_point.h"
 #include "c_nondet_symbol_factory.h"
 
 exprt::operandst build_function_environment(
diff --git a/src/ansi-c/ansi_c_internal_additions.cpp b/src/ansi-c/ansi_c_internal_additions.cpp
index 1468b5441b..aa1d82e010 100644
--- a/src/ansi-c/ansi_c_internal_additions.cpp
+++ b/src/ansi-c/ansi_c_internal_additions.cpp
@@ -6,11 +6,10 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "ansi_c_internal_additions.h"
 
 #include 
 
-#include "ansi_c_internal_additions.h"
-
 const char gcc_builtin_headers_generic[]=
 "# 1 \"gcc_builtin_headers_generic.h\"\n"
 #include "gcc_builtin_headers_generic.inc"
diff --git a/src/ansi-c/ansi_c_language.cpp b/src/ansi-c/ansi_c_language.cpp
index 30f8b7b9b2..2147019fda 100644
--- a/src/ansi-c/ansi_c_language.cpp
+++ b/src/ansi-c/ansi_c_language.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "ansi_c_language.h"
 
 #include 
 #include 
@@ -18,7 +19,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 
 #include "ansi_c_entry_point.h"
-#include "ansi_c_language.h"
 #include "ansi_c_typecheck.h"
 #include "ansi_c_parser.h"
 #include "expr2c.h"
diff --git a/src/ansi-c/ansi_c_parse_tree.cpp b/src/ansi-c/ansi_c_parse_tree.cpp
index 4ae1f955ea..f652c3b1e3 100644
--- a/src/ansi-c/ansi_c_parse_tree.cpp
+++ b/src/ansi-c/ansi_c_parse_tree.cpp
@@ -6,11 +6,10 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "ansi_c_parse_tree.h"
 
 #include 
 
-#include "ansi_c_parse_tree.h"
-
 void ansi_c_parse_treet::swap(ansi_c_parse_treet &ansi_c_parse_tree)
 {
   ansi_c_parse_tree.items.swap(items);
diff --git a/src/ansi-c/ansi_c_parser.cpp b/src/ansi-c/ansi_c_parser.cpp
index 6ce4f63b14..46d9f51d1b 100644
--- a/src/ansi-c/ansi_c_parser.cpp
+++ b/src/ansi-c/ansi_c_parser.cpp
@@ -6,10 +6,10 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "ansi_c_parser.h"
 
 #include 
 
-#include "ansi_c_parser.h"
 #include "c_storage_spec.h"
 
 ansi_c_parsert ansi_c_parser;
diff --git a/src/ansi-c/ansi_c_scope.cpp b/src/ansi-c/ansi_c_scope.cpp
index 6a4a626b3f..646a1d24dd 100644
--- a/src/ansi-c/ansi_c_scope.cpp
+++ b/src/ansi-c/ansi_c_scope.cpp
@@ -6,11 +6,10 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "ansi_c_scope.h"
 
 #include 
 
-#include "ansi_c_scope.h"
-
 void ansi_c_scopet::print(std::ostream &out) const
 {
   out << "Prefix: " << prefix << "\n";
diff --git a/src/ansi-c/c_misc.cpp b/src/ansi-c/c_misc.cpp
index 6af272c86a..5b1913bdf0 100644
--- a/src/ansi-c/c_misc.cpp
+++ b/src/ansi-c/c_misc.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// ANSI-C Misc Utilities
 
+#include "c_misc.h"
+
 #include 
 
 #ifdef _WIN32
@@ -17,8 +19,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #endif
 #endif
 
-#include "c_misc.h"
-
 static void MetaChar(std::string &out, char c, bool inString)
 {
   switch(c)
diff --git a/src/ansi-c/c_nondet_symbol_factory.cpp b/src/ansi-c/c_nondet_symbol_factory.cpp
index 2b51ce8fb0..53f21aa5ab 100644
--- a/src/ansi-c/c_nondet_symbol_factory.cpp
+++ b/src/ansi-c/c_nondet_symbol_factory.cpp
@@ -9,6 +9,8 @@ Author: DiffBlue Limited. All rights reserved.
 /// \file
 /// C Nondet Symbol Factory
 
+#include "c_nondet_symbol_factory.h"
+
 #include 
 #include 
 
@@ -28,8 +30,6 @@ Author: DiffBlue Limited. All rights reserved.
 
 #include 
 
-#include "c_nondet_symbol_factory.h"
-
 /// Create a new temporary static symbol
 /// \param symbol_table: The symbol table to create the symbol in
 /// \param loc: The location to assign to the symbol
diff --git a/src/ansi-c/c_preprocess.cpp b/src/ansi-c/c_preprocess.cpp
index 6ff6ec9cb2..6ba8e6f359 100644
--- a/src/ansi-c/c_preprocess.cpp
+++ b/src/ansi-c/c_preprocess.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "c_preprocess.h"
 
 #include 
 #include 
@@ -31,8 +32,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "c_preprocess.h"
-
 #define GCC_DEFINES_16 \
   " -D__INT_MAX__=32767"\
   " -D__CHAR_BIT__=8"\
diff --git a/src/ansi-c/c_qualifiers.cpp b/src/ansi-c/c_qualifiers.cpp
index b4ac5650bf..0802d14439 100644
--- a/src/ansi-c/c_qualifiers.cpp
+++ b/src/ansi-c/c_qualifiers.cpp
@@ -6,11 +6,10 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "c_qualifiers.h"
 
 #include 
 
-#include "c_qualifiers.h"
-
 std::string c_qualifierst::as_string() const
 {
   std::string qualifiers;
diff --git a/src/ansi-c/c_sizeof.cpp b/src/ansi-c/c_sizeof.cpp
index 63518a5db3..fad6d00ce9 100644
--- a/src/ansi-c/c_sizeof.cpp
+++ b/src/ansi-c/c_sizeof.cpp
@@ -9,13 +9,14 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Conversion of sizeof Expressions
 
-#include 
+#include "c_sizeof.h"
+
 #include 
 #include 
 #include 
 #include 
+#include 
 
-#include "c_sizeof.h"
 #include "c_typecast.h"
 
 exprt c_sizeoft::sizeof_rec(const typet &type)
diff --git a/src/ansi-c/c_storage_spec.cpp b/src/ansi-c/c_storage_spec.cpp
index 993a93f724..5ed8314bd4 100644
--- a/src/ansi-c/c_storage_spec.cpp
+++ b/src/ansi-c/c_storage_spec.cpp
@@ -6,11 +6,10 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "c_storage_spec.h"
 
 #include 
 
-#include "c_storage_spec.h"
-
 void c_storage_spect::read(const typet &type)
 {
   if(type.id()==ID_merged_type ||
diff --git a/src/ansi-c/c_typecast.cpp b/src/ansi-c/c_typecast.cpp
index 6af56f507b..ce451e79f7 100644
--- a/src/ansi-c/c_typecast.cpp
+++ b/src/ansi-c/c_typecast.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "c_typecast.h"
 
 #include 
 
@@ -20,7 +21,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "c_typecast.h"
 #include "c_qualifiers.h"
 
 bool c_implicit_typecast(
diff --git a/src/ansi-c/c_typecheck_argc_argv.cpp b/src/ansi-c/c_typecheck_argc_argv.cpp
index 5b6b11c8c1..879887db5b 100644
--- a/src/ansi-c/c_typecheck_argc_argv.cpp
+++ b/src/ansi-c/c_typecheck_argc_argv.cpp
@@ -9,10 +9,10 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// ANSI-C Conversion / Type Checking
 
-#include 
-
 #include "c_typecheck_base.h"
 
+#include 
+
 void c_typecheck_baset::add_argc_argv(const symbolt &main_symbol)
 {
   const code_typet::parameterst ¶meters=
diff --git a/src/ansi-c/c_typecheck_base.cpp b/src/ansi-c/c_typecheck_base.cpp
index d77d057688..391039691c 100644
--- a/src/ansi-c/c_typecheck_base.cpp
+++ b/src/ansi-c/c_typecheck_base.cpp
@@ -9,11 +9,12 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// ANSI-C Conversion / Type Checking
 
+#include "c_typecheck_base.h"
+
 #include 
 #include 
 #include 
 
-#include "c_typecheck_base.h"
 #include "expr2c.h"
 #include "type2name.h"
 #include "c_storage_spec.h"
diff --git a/src/ansi-c/c_typecheck_code.cpp b/src/ansi-c/c_typecheck_code.cpp
index b02e6c2971..9715fc2e4d 100644
--- a/src/ansi-c/c_typecheck_code.cpp
+++ b/src/ansi-c/c_typecheck_code.cpp
@@ -9,11 +9,12 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// C Language Type Checking
 
+#include "c_typecheck_base.h"
+
 #include 
 #include 
 
 #include "ansi_c_declaration.h"
-#include "c_typecheck_base.h"
 
 void c_typecheck_baset::start_typecheck_code()
 {
diff --git a/src/ansi-c/c_typecheck_expr.cpp b/src/ansi-c/c_typecheck_expr.cpp
index f010ff0dcc..677a0c7815 100644
--- a/src/ansi-c/c_typecheck_expr.cpp
+++ b/src/ansi-c/c_typecheck_expr.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// ANSI-C Language Type Checking
 
+#include "c_typecheck_base.h"
+
 #include 
 
 #include 
@@ -24,7 +26,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 
 #include "c_typecast.h"
-#include "c_typecheck_base.h"
 #include "c_sizeof.h"
 #include "c_qualifiers.h"
 #include "string_constant.h"
diff --git a/src/ansi-c/c_typecheck_initializer.cpp b/src/ansi-c/c_typecheck_initializer.cpp
index 2edf574243..fd09825979 100644
--- a/src/ansi-c/c_typecheck_initializer.cpp
+++ b/src/ansi-c/c_typecheck_initializer.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// ANSI-C Conversion / Type Checking
 
+#include "c_typecheck_base.h"
+
 #include 
 #include 
 #include 
@@ -19,7 +21,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 
-#include "c_typecheck_base.h"
 #include "string_constant.h"
 #include "anonymous_member.h"
 
diff --git a/src/ansi-c/c_typecheck_type.cpp b/src/ansi-c/c_typecheck_type.cpp
index aa5217b79c..6abcf8f81a 100644
--- a/src/ansi-c/c_typecheck_type.cpp
+++ b/src/ansi-c/c_typecheck_type.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// C++ Language Type Checking
 
+#include "c_typecheck_base.h"
+
 #include 
 
 #include 
@@ -18,7 +20,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "c_typecheck_base.h"
 #include "c_sizeof.h"
 #include "c_qualifiers.h"
 #include "ansi_c_declaration.h"
diff --git a/src/ansi-c/c_typecheck_typecast.cpp b/src/ansi-c/c_typecheck_typecast.cpp
index 62069d90fe..2ce03d83f1 100644
--- a/src/ansi-c/c_typecheck_typecast.cpp
+++ b/src/ansi-c/c_typecheck_typecast.cpp
@@ -6,9 +6,9 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "c_typecheck_base.h"
 
 #include "c_typecast.h"
-#include "c_typecheck_base.h"
 
 void c_typecheck_baset::implicit_typecast(
   exprt &expr,
diff --git a/src/ansi-c/cprover_library.cpp b/src/ansi-c/cprover_library.cpp
index 6b7f05af99..8f99f987bf 100644
--- a/src/ansi-c/cprover_library.cpp
+++ b/src/ansi-c/cprover_library.cpp
@@ -6,12 +6,12 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "cprover_library.h"
 
 #include 
 
 #include 
 
-#include "cprover_library.h"
 #include "ansi_c_language.h"
 
 struct cprover_library_entryt
diff --git a/src/ansi-c/designator.cpp b/src/ansi-c/designator.cpp
index 1d54f11d5f..d3902115a6 100644
--- a/src/ansi-c/designator.cpp
+++ b/src/ansi-c/designator.cpp
@@ -9,10 +9,10 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// ANSI-C Language Type Checking
 
-#include 
-
 #include "designator.h"
 
+#include 
+
 void designatort::print(std::ostream &out) const
 {
   for(index_listt::const_iterator it=index_list.begin();
diff --git a/src/ansi-c/expr2c.cpp b/src/ansi-c/expr2c.cpp
index 311b780cd7..9c980cc842 100644
--- a/src/ansi-c/expr2c.cpp
+++ b/src/ansi-c/expr2c.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "expr2c.h"
 
 #include 
 #include 
@@ -38,7 +39,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include "c_misc.h"
 #include "c_qualifiers.h"
-#include "expr2c.h"
 #include "expr2c_class.h"
 
 /*
diff --git a/src/ansi-c/literals/convert_character_literal.cpp b/src/ansi-c/literals/convert_character_literal.cpp
index 3d0dd9c9a8..7ce010bdb4 100644
--- a/src/ansi-c/literals/convert_character_literal.cpp
+++ b/src/ansi-c/literals/convert_character_literal.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// C Language Conversion
 
+#include "convert_character_literal.h"
+
 #include 
 
 #include 
@@ -16,7 +18,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 
 #include "unescape_string.h"
-#include "convert_character_literal.h"
 
 exprt convert_character_literal(
   const std::string &src,
diff --git a/src/ansi-c/literals/convert_float_literal.cpp b/src/ansi-c/literals/convert_float_literal.cpp
index 00e98d7f7b..8838a2e349 100644
--- a/src/ansi-c/literals/convert_float_literal.cpp
+++ b/src/ansi-c/literals/convert_float_literal.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// C++ Language Conversion
 
+#include "convert_float_literal.h"
+
 #include 
 
 #include 
@@ -20,7 +22,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 
 #include "parse_float.h"
-#include "convert_float_literal.h"
 
 exprt convert_float_literal(const std::string &src)
 {
diff --git a/src/ansi-c/literals/convert_integer_literal.cpp b/src/ansi-c/literals/convert_integer_literal.cpp
index d14c5c92b2..7123f2dddd 100644
--- a/src/ansi-c/literals/convert_integer_literal.cpp
+++ b/src/ansi-c/literals/convert_integer_literal.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// C++ Language Conversion
 
+#include "convert_integer_literal.h"
+
 #include 
 #include 
 
@@ -18,8 +20,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "convert_integer_literal.h"
-
 exprt convert_integer_literal(const std::string &src)
 {
   bool is_unsigned=false, is_imaginary=false;
diff --git a/src/ansi-c/literals/convert_string_literal.cpp b/src/ansi-c/literals/convert_string_literal.cpp
index a32a4fb0c9..7167bdd817 100644
--- a/src/ansi-c/literals/convert_string_literal.cpp
+++ b/src/ansi-c/literals/convert_string_literal.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// C/C++ Language Conversion
 
+#include "convert_string_literal.h"
+
 #include 
 
 #include 
@@ -18,7 +20,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include "../string_constant.h"
 
 #include "unescape_string.h"
-#include "convert_string_literal.h"
 
 std::basic_string convert_one_string_literal(
   const std::string &src)
diff --git a/src/ansi-c/literals/parse_float.cpp b/src/ansi-c/literals/parse_float.cpp
index e5c67ea4d7..d6b85acecb 100644
--- a/src/ansi-c/literals/parse_float.cpp
+++ b/src/ansi-c/literals/parse_float.cpp
@@ -9,10 +9,10 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Conversion of Expressions
 
-#include 
-
 #include "parse_float.h"
 
+#include 
+
 void parse_float(
   const std::string &src,
   mp_integer &significand,
diff --git a/src/ansi-c/literals/unescape_string.cpp b/src/ansi-c/literals/unescape_string.cpp
index 1ca8edc7ca..ab633795de 100644
--- a/src/ansi-c/literals/unescape_string.cpp
+++ b/src/ansi-c/literals/unescape_string.cpp
@@ -9,13 +9,13 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// ANSI-C Language Conversion
 
+#include "unescape_string.h"
+
 #include 
 #include 
 
 #include 
 
-#include "unescape_string.h"
-
 static void append_universal_char(
   unsigned int value,
   std::string &dest)
diff --git a/src/ansi-c/padding.cpp b/src/ansi-c/padding.cpp
index 4973354e50..e7219fd615 100644
--- a/src/ansi-c/padding.cpp
+++ b/src/ansi-c/padding.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// C++ Language Type Checking
 
+#include "padding.h"
+
 #include 
 
 #include 
@@ -16,8 +18,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "padding.h"
-
 mp_integer alignment(const typet &type, const namespacet &ns)
 {
   // we need to consider a number of different cases:
diff --git a/src/ansi-c/preprocessor_line.cpp b/src/ansi-c/preprocessor_line.cpp
index b3b2ea1e2c..b43b1fc4bb 100644
--- a/src/ansi-c/preprocessor_line.cpp
+++ b/src/ansi-c/preprocessor_line.cpp
@@ -9,13 +9,14 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// ANSI-C Language Conversion
 
+#include "preprocessor_line.h"
+
 #include 
 
 #include 
 #include 
 
 #include "literals/unescape_string.h"
-#include "preprocessor_line.h"
 
 void preprocessor_line(
   const char *text,
diff --git a/src/ansi-c/printf_formatter.cpp b/src/ansi-c/printf_formatter.cpp
index 52f9c7e638..1cbbf87954 100644
--- a/src/ansi-c/printf_formatter.cpp
+++ b/src/ansi-c/printf_formatter.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// printf Formatting
 
+#include "printf_formatter.h"
+
 #include 
 #include 
 
@@ -16,8 +18,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "printf_formatter.h"
-
 const exprt printf_formattert::make_type(
   const exprt &src, const typet &dest)
 {
diff --git a/src/ansi-c/string_constant.cpp b/src/ansi-c/string_constant.cpp
index 05f99c85e5..3c083e4c32 100644
--- a/src/ansi-c/string_constant.cpp
+++ b/src/ansi-c/string_constant.cpp
@@ -6,13 +6,12 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "string_constant.h"
 
 #include 
 #include 
 #include 
 
-#include "string_constant.h"
-
 string_constantt::string_constantt():
   exprt(ID_string_constant)
 {
diff --git a/src/ansi-c/type2name.cpp b/src/ansi-c/type2name.cpp
index e9a564d35b..edc5c51f87 100644
--- a/src/ansi-c/type2name.cpp
+++ b/src/ansi-c/type2name.cpp
@@ -9,14 +9,14 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 /// \file
 /// Type Naming for C
 
+#include "type2name.h"
+
 #include 
 #include 
 #include 
 #include 
 #include 
 
-#include "type2name.h"
-
 typedef std::unordered_map, irep_id_hash>
   symbol_numbert;
 
diff --git a/src/ansi-c/type2name.h b/src/ansi-c/type2name.h
index b8d2d5c0e0..e86b4f8b40 100644
--- a/src/ansi-c/type2name.h
+++ b/src/ansi-c/type2name.h
@@ -16,6 +16,8 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 
 #include 
 
+class namespacet;
+
 std::string type2name(const typet &type);
 std::string type2name(const typet &type, const namespacet &ns);
 

From 5a1eb4230808aeedd19353faa3c9b399057324b9 Mon Sep 17 00:00:00 2001
From: reuk 
Date: Sun, 7 May 2017 12:43:21 +0100
Subject: [PATCH 43/89] Fix include order in assembler

---
 src/assembler/assembler_parser.cpp | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/assembler/assembler_parser.cpp b/src/assembler/assembler_parser.cpp
index c4be4aa2bf..1ad30f9568 100644
--- a/src/assembler/assembler_parser.cpp
+++ b/src/assembler/assembler_parser.cpp
@@ -6,11 +6,10 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "assembler_parser.h"
 
 #include 
 
-#include "assembler_parser.h"
-
 assembler_parsert assembler_parser;
 
 extern char *yyassemblertext;

From bec4da6bf2976533838cf788dab85b9825886a9a Mon Sep 17 00:00:00 2001
From: reuk 
Date: Sun, 7 May 2017 12:47:20 +0100
Subject: [PATCH 44/89] Fix include order in cbmc

---
 src/cbmc/all_properties.cpp                | 4 ++--
 src/cbmc/bmc.cpp                           | 3 ++-
 src/cbmc/bmc_cover.cpp                     | 3 ++-
 src/cbmc/bv_cbmc.cpp                       | 3 +--
 src/cbmc/cbmc_dimacs.cpp                   | 4 ++--
 src/cbmc/cbmc_languages.cpp                | 4 ++--
 src/cbmc/cbmc_main.cpp                     | 4 ++--
 src/cbmc/cbmc_parse_options.cpp            | 3 ++-
 src/cbmc/cbmc_solvers.cpp                  | 3 ++-
 src/cbmc/counterexample_beautification.cpp | 4 ++--
 src/cbmc/fault_localization.cpp            | 3 ++-
 src/cbmc/show_vcc.cpp                      | 4 ++--
 src/cbmc/symex_bmc.cpp                     | 4 ++--
 src/cbmc/symex_coverage.cpp                | 4 ++--
 src/cbmc/xml_interface.cpp                 | 4 ++--
 15 files changed, 29 insertions(+), 25 deletions(-)

diff --git a/src/cbmc/all_properties.cpp b/src/cbmc/all_properties.cpp
index bd9c5242dd..f91fd5c52c 100644
--- a/src/cbmc/all_properties.cpp
+++ b/src/cbmc/all_properties.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Symbolic Execution of ANSI-C
 
+#include "all_properties_class.h"
+
 #include 
 
 #include 
@@ -24,8 +26,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include "bv_cbmc.h"
 
-#include "all_properties_class.h"
-
 void bmc_all_propertiest::goal_covered(const cover_goalst::goalt &)
 {
   for(auto &g : goal_map)
diff --git a/src/cbmc/bmc.cpp b/src/cbmc/bmc.cpp
index f92483d244..6d44147ec2 100644
--- a/src/cbmc/bmc.cpp
+++ b/src/cbmc/bmc.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Symbolic Execution of ANSI-C
 
+#include "bmc.h"
+
 #include 
 #include 
 #include 
@@ -40,7 +42,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include "counterexample_beautification.h"
 #include "fault_localization.h"
-#include "bmc.h"
 
 void bmct::do_unwind_module()
 {
diff --git a/src/cbmc/bmc_cover.cpp b/src/cbmc/bmc_cover.cpp
index 28deebef17..8485988b4a 100644
--- a/src/cbmc/bmc_cover.cpp
+++ b/src/cbmc/bmc_cover.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Test-Suite Generation with BMC
 
+#include "bmc.h"
+
 #include 
 
 #include 
@@ -24,7 +26,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "bmc.h"
 #include "bv_cbmc.h"
 
 class bmc_covert:
diff --git a/src/cbmc/bv_cbmc.cpp b/src/cbmc/bv_cbmc.cpp
index 1d0ddb384f..e165269579 100644
--- a/src/cbmc/bv_cbmc.cpp
+++ b/src/cbmc/bv_cbmc.cpp
@@ -6,12 +6,11 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "bv_cbmc.h"
 
 #include 
 #include 
 
-#include "bv_cbmc.h"
-
 bvt bv_cbmct::convert_waitfor(const exprt &expr)
 {
   if(expr.operands().size()!=4)
diff --git a/src/cbmc/cbmc_dimacs.cpp b/src/cbmc/cbmc_dimacs.cpp
index 8584c8fac4..fc28153edc 100644
--- a/src/cbmc/cbmc_dimacs.cpp
+++ b/src/cbmc/cbmc_dimacs.cpp
@@ -9,13 +9,13 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Writing DIMACS Files
 
+#include "cbmc_dimacs.h"
+
 #include 
 #include 
 
 #include 
 
-#include "cbmc_dimacs.h"
-
 bool cbmc_dimacst::write_dimacs(const std::string &filename)
 {
   if(filename.empty() || filename=="-")
diff --git a/src/cbmc/cbmc_languages.cpp b/src/cbmc/cbmc_languages.cpp
index 2f44ea7c97..06b919b9cc 100644
--- a/src/cbmc/cbmc_languages.cpp
+++ b/src/cbmc/cbmc_languages.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Language Registration
 
+#include "cbmc_parse_options.h"
+
 #include 
 
 #include 
@@ -19,8 +21,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #endif
 
-#include "cbmc_parse_options.h"
-
 void cbmc_parse_optionst::register_languages()
 {
   register_language(new_ansi_c_language);
diff --git a/src/cbmc/cbmc_main.cpp b/src/cbmc/cbmc_main.cpp
index e5e679a8d0..3a35c6bb19 100644
--- a/src/cbmc/cbmc_main.cpp
+++ b/src/cbmc/cbmc_main.cpp
@@ -17,14 +17,14 @@ Author: Daniel Kroening, kroening@kroening.com
 
 */
 
+#include "cbmc_parse_options.h"
+
 #include 
 
 #ifdef IREP_HASH_STATS
 #include 
 #endif
 
-#include "cbmc_parse_options.h"
-
 #ifdef IREP_HASH_STATS
 extern unsigned long long irep_hash_cnt;
 extern unsigned long long irep_cmp_cnt;
diff --git a/src/cbmc/cbmc_parse_options.cpp b/src/cbmc/cbmc_parse_options.cpp
index d2f1c178d8..65a4386077 100644
--- a/src/cbmc/cbmc_parse_options.cpp
+++ b/src/cbmc/cbmc_parse_options.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// CBMC Command Line Option Processing
 
+#include "cbmc_parse_options.h"
+
 #include 
 #include  // exit()
 #include 
@@ -58,7 +60,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 
 #include "cbmc_solvers.h"
-#include "cbmc_parse_options.h"
 #include "bmc.h"
 #include "version.h"
 #include "xml_interface.h"
diff --git a/src/cbmc/cbmc_solvers.cpp b/src/cbmc/cbmc_solvers.cpp
index 2fb47bf239..d319824955 100644
--- a/src/cbmc/cbmc_solvers.cpp
+++ b/src/cbmc/cbmc_solvers.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Solvers for VCs Generated by Symbolic Execution of ANSI-C
 
+#include "cbmc_solvers.h"
+
 #include 
 #include 
 #include 
@@ -23,7 +25,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "cbmc_solvers.h"
 #include "bv_cbmc.h"
 #include "cbmc_dimacs.h"
 #include "counterexample_beautification.h"
diff --git a/src/cbmc/counterexample_beautification.cpp b/src/cbmc/counterexample_beautification.cpp
index 334366ca8f..3cee2da664 100644
--- a/src/cbmc/counterexample_beautification.cpp
+++ b/src/cbmc/counterexample_beautification.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Counterexample Beautification using Incremental SAT
 
+#include "counterexample_beautification.h"
+
 #include 
 #include 
 #include 
@@ -17,8 +19,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "counterexample_beautification.h"
-
 void counterexample_beautificationt::get_minimization_list(
   prop_convt &prop_conv,
   const symex_target_equationt &equation,
diff --git a/src/cbmc/fault_localization.cpp b/src/cbmc/fault_localization.cpp
index 2beae26ff7..414c30e5e9 100644
--- a/src/cbmc/fault_localization.cpp
+++ b/src/cbmc/fault_localization.cpp
@@ -9,6 +9,8 @@ Author: Peter Schrammel
 /// \file
 /// Fault Localization
 
+#include "fault_localization.h"
+
 #include 
 #include 
 #include 
@@ -21,7 +23,6 @@ Author: Peter Schrammel
 
 #include 
 
-#include "fault_localization.h"
 #include "counterexample_beautification.h"
 
 void fault_localizationt::freeze_guards()
diff --git a/src/cbmc/show_vcc.cpp b/src/cbmc/show_vcc.cpp
index f7a777173c..f42f2dcdd1 100644
--- a/src/cbmc/show_vcc.cpp
+++ b/src/cbmc/show_vcc.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Symbolic Execution of ANSI-C
 
+#include "bmc.h"
+
 #include 
 #include 
 
@@ -21,8 +23,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "bmc.h"
-
 void bmct::show_vcc_plain(std::ostream &out)
 {
   out << "\n" << "VERIFICATION CONDITIONS:" << "\n" << "\n";
diff --git a/src/cbmc/symex_bmc.cpp b/src/cbmc/symex_bmc.cpp
index ce6afc9dfa..e0906fec06 100644
--- a/src/cbmc/symex_bmc.cpp
+++ b/src/cbmc/symex_bmc.cpp
@@ -9,13 +9,13 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Bounded Model Checking for ANSI-C
 
+#include "symex_bmc.h"
+
 #include 
 
 #include 
 #include 
 
-#include "symex_bmc.h"
-
 symex_bmct::symex_bmct(
   const namespacet &_ns,
   symbol_tablet &_new_symbol_table,
diff --git a/src/cbmc/symex_coverage.cpp b/src/cbmc/symex_coverage.cpp
index 8f41ece766..f9ac9cc207 100644
--- a/src/cbmc/symex_coverage.cpp
+++ b/src/cbmc/symex_coverage.cpp
@@ -11,6 +11,8 @@ Date: March 2016
 /// \file
 /// Record and print code coverage of symbolic execution
 
+#include "symex_coverage.h"
+
 #include 
 #include 
 #include 
@@ -24,8 +26,6 @@ Date: March 2016
 #include 
 #include 
 
-#include "symex_coverage.h"
-
 class coverage_recordt
 {
 public:
diff --git a/src/cbmc/xml_interface.cpp b/src/cbmc/xml_interface.cpp
index da58cfe12c..09856b69bf 100644
--- a/src/cbmc/xml_interface.cpp
+++ b/src/cbmc/xml_interface.cpp
@@ -9,14 +9,14 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// XML Interface
 
+#include "xml_interface.h"
+
 #include 
 
 #include 
 
 #include 
 
-#include "xml_interface.h"
-
 /// XML User Interface
 void xml_interfacet::get_xml_options(cmdlinet &cmdline)
 {

From fbc4dcb55d1fc733f473a27af93bf2b3d2c7da41 Mon Sep 17 00:00:00 2001
From: reuk 
Date: Sun, 7 May 2017 12:49:05 +0100
Subject: [PATCH 45/89] Fix include order in clobber

---
 src/clobber/clobber_main.cpp          | 4 ++--
 src/clobber/clobber_parse_options.cpp | 3 ++-
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/clobber/clobber_main.cpp b/src/clobber/clobber_main.cpp
index 16e2a28690..e63a9d63e4 100644
--- a/src/clobber/clobber_main.cpp
+++ b/src/clobber/clobber_main.cpp
@@ -9,10 +9,10 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Symex Main Module
 
-#include 
-
 #include "clobber_parse_options.h"
 
+#include 
+
 #ifdef _MSC_VER
 int wmain(int argc, const wchar_t **argv_wide)
 {
diff --git a/src/clobber/clobber_parse_options.cpp b/src/clobber/clobber_parse_options.cpp
index 6537445e88..36cc3e49ab 100644
--- a/src/clobber/clobber_parse_options.cpp
+++ b/src/clobber/clobber_parse_options.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Symex Command Line Options Processing
 
+#include "clobber_parse_options.h"
+
 #include 
 #include 
 #include 
@@ -37,7 +39,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 
-#include "clobber_parse_options.h"
 // #include "clobber_instrumenter.h"
 
 clobber_parse_optionst::clobber_parse_optionst(int argc, const char **argv):

From 1ccd30e37a9e8be9c8cb14c18679bde80f7eb1fb Mon Sep 17 00:00:00 2001
From: reuk 
Date: Sun, 7 May 2017 13:08:06 +0100
Subject: [PATCH 46/89] Fix include order in cpp

---
 src/cpp/cpp_constructor.cpp             | 3 ++-
 src/cpp/cpp_convert_type.cpp            | 3 ++-
 src/cpp/cpp_declaration.cpp             | 4 ++--
 src/cpp/cpp_declarator.cpp              | 4 ++--
 src/cpp/cpp_declarator_converter.cpp    | 3 ++-
 src/cpp/cpp_destructor.cpp              | 4 ++--
 src/cpp/cpp_enum_type.cpp               | 4 ++--
 src/cpp/cpp_id.cpp                      | 3 ++-
 src/cpp/cpp_instantiate_template.cpp    | 3 ++-
 src/cpp/cpp_internal_additions.cpp      | 3 +--
 src/cpp/cpp_language.cpp                | 3 ++-
 src/cpp/cpp_name.cpp                    | 4 ++--
 src/cpp/cpp_namespace_spec.cpp          | 3 ++-
 src/cpp/cpp_parser.cpp                  | 4 ++--
 src/cpp/cpp_scope.cpp                   | 3 ++-
 src/cpp/cpp_scopes.cpp                  | 5 ++---
 src/cpp/cpp_token_buffer.cpp            | 4 ++--
 src/cpp/cpp_type2name.cpp               | 4 ++--
 src/cpp/cpp_type2name.h                 | 2 ++
 src/cpp/cpp_typecheck.cpp               | 3 ++-
 src/cpp/cpp_typecheck_bases.cpp         | 4 ++--
 src/cpp/cpp_typecheck_code.cpp          | 3 ++-
 src/cpp/cpp_typecheck_compound_type.cpp | 3 ++-
 src/cpp/cpp_typecheck_constructor.cpp   | 3 ++-
 src/cpp/cpp_typecheck_conversions.cpp   | 4 ++--
 src/cpp/cpp_typecheck_declaration.cpp   | 1 +
 src/cpp/cpp_typecheck_enum_type.cpp     | 3 ++-
 src/cpp/cpp_typecheck_expr.cpp          | 3 ++-
 src/cpp/cpp_typecheck_fargs.cpp         | 3 ++-
 src/cpp/cpp_typecheck_fargs.h           | 1 +
 src/cpp/cpp_typecheck_function.cpp      | 3 ++-
 src/cpp/cpp_typecheck_initializer.cpp   | 3 ++-
 src/cpp/cpp_typecheck_method_bodies.cpp | 1 -
 src/cpp/cpp_typecheck_namespace.cpp     | 4 ++--
 src/cpp/cpp_typecheck_resolve.cpp       | 3 ++-
 src/cpp/cpp_typecheck_resolve.h         | 1 +
 src/cpp/cpp_typecheck_static_assert.cpp | 4 ++--
 src/cpp/cpp_typecheck_template.cpp      | 3 ++-
 src/cpp/cpp_typecheck_type.cpp          | 3 ++-
 src/cpp/cpp_typecheck_using.cpp         | 4 ++--
 src/cpp/cpp_typecheck_virtual_table.cpp | 4 ++--
 src/cpp/cpp_util.cpp                    | 3 +--
 src/cpp/expr2cpp.cpp                    | 3 +--
 src/cpp/parse.cpp                       | 3 ++-
 src/cpp/template_map.cpp                | 4 ++--
 45 files changed, 82 insertions(+), 61 deletions(-)

diff --git a/src/cpp/cpp_constructor.cpp b/src/cpp/cpp_constructor.cpp
index 44f458162f..e584d25fc4 100644
--- a/src/cpp/cpp_constructor.cpp
+++ b/src/cpp/cpp_constructor.cpp
@@ -9,12 +9,13 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 /// \file
 /// C++ Language Type Checking
 
+#include "cpp_typecheck.h"
+
 #include 
 #include 
 
 #include 
 
-#include "cpp_typecheck.h"
 #include "cpp_util.h"
 
 /// \param object: non-typechecked object
diff --git a/src/cpp/cpp_convert_type.cpp b/src/cpp/cpp_convert_type.cpp
index e1ea09606a..cd552871b9 100644
--- a/src/cpp/cpp_convert_type.cpp
+++ b/src/cpp/cpp_convert_type.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 /// \file
 /// C++ Language Type Conversion
 
+#include "cpp_convert_type.h"
+
 #include 
 
 #include 
@@ -17,7 +19,6 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 
 #include 
 
-#include "cpp_convert_type.h"
 #include "cpp_declaration.h"
 #include "cpp_name.h"
 
diff --git a/src/cpp/cpp_declaration.cpp b/src/cpp/cpp_declaration.cpp
index 432390c79b..a01afe82aa 100644
--- a/src/cpp/cpp_declaration.cpp
+++ b/src/cpp/cpp_declaration.cpp
@@ -9,10 +9,10 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 /// \file
 /// C++ Language Type Checking
 
-#include 
-
 #include "cpp_declaration.h"
 
+#include 
+
 void cpp_declarationt::output(std::ostream &out) const
 {
   out << "is_template: " << is_template() << "\n";
diff --git a/src/cpp/cpp_declarator.cpp b/src/cpp/cpp_declarator.cpp
index cbf97d6a06..1b9df60f2d 100644
--- a/src/cpp/cpp_declarator.cpp
+++ b/src/cpp/cpp_declarator.cpp
@@ -9,11 +9,11 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 /// \file
 /// C++ Language Type Checking
 
+#include "cpp_declarator.h"
+
 #include 
 #include 
 
-#include "cpp_declarator.h"
-
 void cpp_declaratort::output(std::ostream &out) const
 {
   out << "  name: " << name().pretty() << "\n";
diff --git a/src/cpp/cpp_declarator_converter.cpp b/src/cpp/cpp_declarator_converter.cpp
index 986da53bb1..a843328bbd 100644
--- a/src/cpp/cpp_declarator_converter.cpp
+++ b/src/cpp/cpp_declarator_converter.cpp
@@ -9,13 +9,14 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 /// \file
 /// C++ Language Type Checking
 
+#include "cpp_declarator_converter.h"
+
 #include 
 #include 
 
 #include 
 
 #include "cpp_type2name.h"
-#include "cpp_declarator_converter.h"
 #include "cpp_typecheck.h"
 
 cpp_declarator_convertert::cpp_declarator_convertert(
diff --git a/src/cpp/cpp_destructor.cpp b/src/cpp/cpp_destructor.cpp
index 00137a3138..6f4157c15f 100644
--- a/src/cpp/cpp_destructor.cpp
+++ b/src/cpp/cpp_destructor.cpp
@@ -9,12 +9,12 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 /// \file
 /// C++ Language Type Checking
 
+#include "cpp_typecheck.h"
+
 #include 
 
 #include 
 
-#include "cpp_typecheck.h"
-
 /// \return typechecked code
 codet cpp_typecheckt::cpp_destructor(
   const source_locationt &source_location,
diff --git a/src/cpp/cpp_enum_type.cpp b/src/cpp/cpp_enum_type.cpp
index 7d2c1de8e6..d9a8d2e1ef 100644
--- a/src/cpp/cpp_enum_type.cpp
+++ b/src/cpp/cpp_enum_type.cpp
@@ -9,10 +9,10 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 /// \file
 /// C++ Language Type Checking
 
-#include 
-
 #include "cpp_enum_type.h"
 
+#include 
+
 cpp_enum_typet::cpp_enum_typet():typet(ID_c_enum)
 {
 }
diff --git a/src/cpp/cpp_id.cpp b/src/cpp/cpp_id.cpp
index 7a18c134ba..e6c13ca4cf 100644
--- a/src/cpp/cpp_id.cpp
+++ b/src/cpp/cpp_id.cpp
@@ -9,9 +9,10 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 /// \file
 /// C++ Language Type Checking
 
+#include "cpp_id.h"
+
 #include 
 
-#include "cpp_id.h"
 #include "cpp_scope.h"
 
 cpp_idt::cpp_idt():
diff --git a/src/cpp/cpp_instantiate_template.cpp b/src/cpp/cpp_instantiate_template.cpp
index 5ed613f925..c28fe5ca54 100644
--- a/src/cpp/cpp_instantiate_template.cpp
+++ b/src/cpp/cpp_instantiate_template.cpp
@@ -9,13 +9,14 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 /// \file
 /// C++ Language Type Checking
 
+#include "cpp_typecheck.h"
+
 #include 
 #include 
 
 #include 
 
 #include "cpp_type2name.h"
-#include "cpp_typecheck.h"
 
 std::string cpp_typecheckt::template_suffix(
   const cpp_template_args_tct &template_args)
diff --git a/src/cpp/cpp_internal_additions.cpp b/src/cpp/cpp_internal_additions.cpp
index cd80ac8f29..78384905a8 100644
--- a/src/cpp/cpp_internal_additions.cpp
+++ b/src/cpp/cpp_internal_additions.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "cpp_internal_additions.h"
 
 #include 
 
@@ -13,8 +14,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 
-#include "cpp_internal_additions.h"
-
 std::string c2cpp(const std::string &s)
 {
   std::string result;
diff --git a/src/cpp/cpp_language.cpp b/src/cpp/cpp_language.cpp
index 3843038950..59e538265c 100644
--- a/src/cpp/cpp_language.cpp
+++ b/src/cpp/cpp_language.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 /// \file
 /// C++ Language Module
 
+#include "cpp_language.h"
+
 #include 
 #include 
 #include 
@@ -23,7 +25,6 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 #include 
 
 #include "cpp_internal_additions.h"
-#include "cpp_language.h"
 #include "expr2cpp.h"
 #include "cpp_parser.h"
 #include "cpp_typecheck.h"
diff --git a/src/cpp/cpp_name.cpp b/src/cpp/cpp_name.cpp
index cdc3806c48..1206ade0a7 100644
--- a/src/cpp/cpp_name.cpp
+++ b/src/cpp/cpp_name.cpp
@@ -9,11 +9,11 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 /// \file
 /// C++ Language Type Checking
 
+#include "cpp_name.h"
+
 #include 
 #include 
 
-#include "cpp_name.h"
-
 irep_idt cpp_namet::get_base_name() const
 {
   const subt &sub=get_sub();
diff --git a/src/cpp/cpp_namespace_spec.cpp b/src/cpp/cpp_namespace_spec.cpp
index c4b60e3eb2..2254f2b7d3 100644
--- a/src/cpp/cpp_namespace_spec.cpp
+++ b/src/cpp/cpp_namespace_spec.cpp
@@ -9,9 +9,10 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 /// \file
 /// C++ Language Type Checking
 
+#include "cpp_namespace_spec.h"
+
 #include 
 
-#include "cpp_namespace_spec.h"
 #include "cpp_item.h"
 
 void cpp_namespace_spect::output(std::ostream &out) const
diff --git a/src/cpp/cpp_parser.cpp b/src/cpp/cpp_parser.cpp
index fd0135bb25..eae4728bbc 100644
--- a/src/cpp/cpp_parser.cpp
+++ b/src/cpp/cpp_parser.cpp
@@ -9,10 +9,10 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 /// \file
 /// C++ Parser
 
-#include 
-
 #include "cpp_parser.h"
 
+#include 
+
 cpp_parsert cpp_parser;
 
 bool cpp_parse();
diff --git a/src/cpp/cpp_scope.cpp b/src/cpp/cpp_scope.cpp
index 0594660ffe..c3849384d6 100644
--- a/src/cpp/cpp_scope.cpp
+++ b/src/cpp/cpp_scope.cpp
@@ -9,9 +9,10 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 /// \file
 /// C++ Language Type Checking
 
-#include "cpp_typecheck.h"
 #include "cpp_scope.h"
 
+#include "cpp_typecheck.h"
+
 std::ostream &operator << (std::ostream &out, cpp_scopet::lookup_kindt kind)
 {
   switch(kind)
diff --git a/src/cpp/cpp_scopes.cpp b/src/cpp/cpp_scopes.cpp
index 2a9496fe7c..71a6b1edfb 100644
--- a/src/cpp/cpp_scopes.cpp
+++ b/src/cpp/cpp_scopes.cpp
@@ -9,11 +9,10 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 /// \file
 /// C++ Language Type Checking
 
-#include 
-
-
 #include "cpp_scopes.h"
 
+#include 
+
 cpp_scopet &cpp_scopest::new_block_scope()
 {
   unsigned prefix=++current_scope().compound_counter;
diff --git a/src/cpp/cpp_token_buffer.cpp b/src/cpp/cpp_token_buffer.cpp
index dcd17a6266..472a4333cf 100644
--- a/src/cpp/cpp_token_buffer.cpp
+++ b/src/cpp/cpp_token_buffer.cpp
@@ -9,13 +9,13 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 /// \file
 /// C++ Parser: Token Buffer
 
+#include "cpp_token_buffer.h"
+
 #include 
 
 #include 
 #include 
 
-#include "cpp_token_buffer.h"
-
 int cpp_token_buffert::LookAhead(unsigned offset)
 {
   assert(current_pos<=token_vector.size());
diff --git a/src/cpp/cpp_type2name.cpp b/src/cpp/cpp_type2name.cpp
index c92c32eb2a..f40af72413 100644
--- a/src/cpp/cpp_type2name.cpp
+++ b/src/cpp/cpp_type2name.cpp
@@ -9,13 +9,13 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 /// \file
 /// C++ Language Module
 
+#include "cpp_type2name.h"
+
 #include 
 
 #include 
 #include 
 
-#include "cpp_type2name.h"
-
 static std::string do_prefix(const std::string &s)
 {
   if(s.find(',')!=std::string::npos ||
diff --git a/src/cpp/cpp_type2name.h b/src/cpp/cpp_type2name.h
index 96aa6b58d8..1f5015c076 100644
--- a/src/cpp/cpp_type2name.h
+++ b/src/cpp/cpp_type2name.h
@@ -16,6 +16,8 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 
 #include 
 
+class exprt;
+
 std::string cpp_type2name(const typet &type);
 std::string cpp_expr2name(const exprt &expr);
 
diff --git a/src/cpp/cpp_typecheck.cpp b/src/cpp/cpp_typecheck.cpp
index 827f342131..e87efb885f 100644
--- a/src/cpp/cpp_typecheck.cpp
+++ b/src/cpp/cpp_typecheck.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 /// \file
 /// C++ Language Type Checking
 
+#include "cpp_typecheck.h"
+
 #include 
 
 #include 
@@ -18,7 +20,6 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 #include 
 #include 
 
-#include "cpp_typecheck.h"
 #include "expr2cpp.h"
 #include "cpp_convert_type.h"
 #include "cpp_declarator.h"
diff --git a/src/cpp/cpp_typecheck_bases.cpp b/src/cpp/cpp_typecheck_bases.cpp
index 9d8060301d..c076d1e131 100644
--- a/src/cpp/cpp_typecheck_bases.cpp
+++ b/src/cpp/cpp_typecheck_bases.cpp
@@ -9,10 +9,10 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 /// \file
 /// C++ Language Type Checking
 
-#include 
-
 #include "cpp_typecheck.h"
 
+#include 
+
 void cpp_typecheckt::typecheck_compound_bases(struct_typet &type)
 {
   std::set bases;
diff --git a/src/cpp/cpp_typecheck_code.cpp b/src/cpp/cpp_typecheck_code.cpp
index 88cc259d0a..4613918ce8 100644
--- a/src/cpp/cpp_typecheck_code.cpp
+++ b/src/cpp/cpp_typecheck_code.cpp
@@ -9,9 +9,10 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 /// \file
 /// C++ Language Type Checking
 
+#include "cpp_typecheck.h"
+
 #include 
 
-#include "cpp_typecheck.h"
 #include "cpp_convert_type.h"
 #include "cpp_declarator_converter.h"
 #include "cpp_template_type.h"
diff --git a/src/cpp/cpp_typecheck_compound_type.cpp b/src/cpp/cpp_typecheck_compound_type.cpp
index 8bb655da6e..12fbfa6784 100644
--- a/src/cpp/cpp_typecheck_compound_type.cpp
+++ b/src/cpp/cpp_typecheck_compound_type.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 /// \file
 /// C++ Language Type Checking
 
+#include "cpp_typecheck.h"
+
 #include 
 
 #include 
@@ -19,7 +21,6 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 
 #include "cpp_type2name.h"
 #include "cpp_declarator_converter.h"
-#include "cpp_typecheck.h"
 #include "cpp_convert_type.h"
 #include "cpp_name.h"
 
diff --git a/src/cpp/cpp_typecheck_constructor.cpp b/src/cpp/cpp_typecheck_constructor.cpp
index 32981b866c..cfc645c5cb 100644
--- a/src/cpp/cpp_typecheck_constructor.cpp
+++ b/src/cpp/cpp_typecheck_constructor.cpp
@@ -9,13 +9,14 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 /// \file
 /// C++ Language Type Checking
 
+#include "cpp_typecheck.h"
+
 #include 
 #include 
 #include 
 
 #include 
 
-#include "cpp_typecheck.h"
 #include "cpp_util.h"
 
 /// \param parent_base_name: base name of typechecked parent
diff --git a/src/cpp/cpp_typecheck_conversions.cpp b/src/cpp/cpp_typecheck_conversions.cpp
index dc28db9d1c..4b76a2ebd4 100644
--- a/src/cpp/cpp_typecheck_conversions.cpp
+++ b/src/cpp/cpp_typecheck_conversions.cpp
@@ -9,6 +9,8 @@ Author:
 /// \file
 /// C++ Language Type Checking
 
+#include "cpp_typecheck.h"
+
 #include 
 
 #include 
@@ -20,8 +22,6 @@ Author:
 #include 
 #include 
 
-#include "cpp_typecheck.h"
-
 /// Lvalue-to-rvalue conversion
 ///
 ///  An lvalue (3.10) of a non-function, non-array type T can be
diff --git a/src/cpp/cpp_typecheck_declaration.cpp b/src/cpp/cpp_typecheck_declaration.cpp
index 8568b525a9..c91c8d979c 100644
--- a/src/cpp/cpp_typecheck_declaration.cpp
+++ b/src/cpp/cpp_typecheck_declaration.cpp
@@ -10,6 +10,7 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 /// C++ Language Type Checking
 
 #include "cpp_typecheck.h"
+
 #include "cpp_declarator_converter.h"
 
 void cpp_typecheckt::convert(cpp_declarationt &declaration)
diff --git a/src/cpp/cpp_typecheck_enum_type.cpp b/src/cpp/cpp_typecheck_enum_type.cpp
index a470b2c66f..74a1810762 100644
--- a/src/cpp/cpp_typecheck_enum_type.cpp
+++ b/src/cpp/cpp_typecheck_enum_type.cpp
@@ -9,12 +9,13 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// C++ Language Type Checking
 
+#include "cpp_typecheck.h"
+
 #include 
 
 #include 
 #include 
 
-#include "cpp_typecheck.h"
 #include "cpp_enum_type.h"
 
 void cpp_typecheckt::typecheck_enum_body(symbolt &enum_symbol)
diff --git a/src/cpp/cpp_typecheck_expr.cpp b/src/cpp/cpp_typecheck_expr.cpp
index 10c0b1c9b5..e54f69589f 100644
--- a/src/cpp/cpp_typecheck_expr.cpp
+++ b/src/cpp/cpp_typecheck_expr.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 /// \file
 /// C++ Language Type Checking
 
+#include "cpp_typecheck.h"
+
 #include 
 
 #include 
@@ -25,7 +27,6 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 #include 
 
 #include "cpp_type2name.h"
-#include "cpp_typecheck.h"
 #include "cpp_convert_type.h"
 #include "cpp_exception_id.h"
 #include "expr2cpp.h"
diff --git a/src/cpp/cpp_typecheck_fargs.cpp b/src/cpp/cpp_typecheck_fargs.cpp
index d3f6a4767e..6f6f905c32 100644
--- a/src/cpp/cpp_typecheck_fargs.cpp
+++ b/src/cpp/cpp_typecheck_fargs.cpp
@@ -9,13 +9,14 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 /// \file
 /// C++ Language Type Checking
 
+#include "cpp_typecheck_fargs.h"
+
 #include 
 
 #include 
 
 #include 
 
-#include "cpp_typecheck_fargs.h"
 #include "cpp_typecheck.h"
 
 bool cpp_typecheck_fargst::has_class_type() const
diff --git a/src/cpp/cpp_typecheck_fargs.h b/src/cpp/cpp_typecheck_fargs.h
index 5b6a62e0b4..fac18356d7 100644
--- a/src/cpp/cpp_typecheck_fargs.h
+++ b/src/cpp/cpp_typecheck_fargs.h
@@ -15,6 +15,7 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 #include 
 
 class cpp_typecheckt;
+class code_typet;
 
 class cpp_typecheck_fargst // for function overloading
 {
diff --git a/src/cpp/cpp_typecheck_function.cpp b/src/cpp/cpp_typecheck_function.cpp
index 5dd98b4733..06739870df 100644
--- a/src/cpp/cpp_typecheck_function.cpp
+++ b/src/cpp/cpp_typecheck_function.cpp
@@ -9,10 +9,11 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 /// \file
 /// C++ Language Type Checking
 
+#include "cpp_typecheck.h"
+
 #include 
 
 #include "cpp_template_type.h"
-#include "cpp_typecheck.h"
 #include "cpp_type2name.h"
 #include "cpp_util.h"
 
diff --git a/src/cpp/cpp_typecheck_initializer.cpp b/src/cpp/cpp_typecheck_initializer.cpp
index c6352f25fc..e492a170cb 100644
--- a/src/cpp/cpp_typecheck_initializer.cpp
+++ b/src/cpp/cpp_typecheck_initializer.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 /// \file
 /// C++ Language Type Checking
 
+#include "cpp_typecheck.h"
+
 #include 
 #include 
 
@@ -16,7 +18,6 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 #include 
 #include 
 
-#include "cpp_typecheck.h"
 #include "cpp_util.h"
 
 /// Initialize an object with a value
diff --git a/src/cpp/cpp_typecheck_method_bodies.cpp b/src/cpp/cpp_typecheck_method_bodies.cpp
index d37b686a21..5e134f7955 100644
--- a/src/cpp/cpp_typecheck_method_bodies.cpp
+++ b/src/cpp/cpp_typecheck_method_bodies.cpp
@@ -6,7 +6,6 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 
 \*******************************************************************/
 
-
 /// \file
 /// C++ Language Type Checking
 
diff --git a/src/cpp/cpp_typecheck_namespace.cpp b/src/cpp/cpp_typecheck_namespace.cpp
index 437a874aeb..c3ae770ad9 100644
--- a/src/cpp/cpp_typecheck_namespace.cpp
+++ b/src/cpp/cpp_typecheck_namespace.cpp
@@ -9,10 +9,10 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 /// \file
 /// C++ Language Type Checking
 
-#include 
-
 #include "cpp_typecheck.h"
 
+#include 
+
 void cpp_typecheckt::convert(cpp_namespace_spect &namespace_spec)
 {
   // save the scope
diff --git a/src/cpp/cpp_typecheck_resolve.cpp b/src/cpp/cpp_typecheck_resolve.cpp
index 5de6c9f551..28d42e6af6 100644
--- a/src/cpp/cpp_typecheck_resolve.cpp
+++ b/src/cpp/cpp_typecheck_resolve.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 /// \file
 /// C++ Language Type Checking
 
+#include "cpp_typecheck_resolve.h"
+
 #include 
 #include 
 
@@ -22,7 +24,6 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 #include 
 
 #include "cpp_typecheck.h"
-#include "cpp_typecheck_resolve.h"
 #include "cpp_template_type.h"
 #include "cpp_type2name.h"
 #include "cpp_util.h"
diff --git a/src/cpp/cpp_typecheck_resolve.h b/src/cpp/cpp_typecheck_resolve.h
index 1b6e1af615..a10e0c32ee 100644
--- a/src/cpp/cpp_typecheck_resolve.h
+++ b/src/cpp/cpp_typecheck_resolve.h
@@ -15,6 +15,7 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 #include "cpp_typecheck_fargs.h"
 #include "cpp_name.h"
 #include "cpp_template_args.h"
+#include "cpp_scopes.h"
 
 class cpp_typecheck_resolvet
 {
diff --git a/src/cpp/cpp_typecheck_static_assert.cpp b/src/cpp/cpp_typecheck_static_assert.cpp
index e72dc31809..d5d862772d 100644
--- a/src/cpp/cpp_typecheck_static_assert.cpp
+++ b/src/cpp/cpp_typecheck_static_assert.cpp
@@ -9,10 +9,10 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 /// \file
 /// C++ Language Type Checking
 
-#include 
-
 #include "cpp_typecheck.h"
 
+#include 
+
 void cpp_typecheckt::convert(cpp_static_assertt &cpp_static_assert)
 {
   typecheck_expr(cpp_static_assert.op0());
diff --git a/src/cpp/cpp_typecheck_template.cpp b/src/cpp/cpp_typecheck_template.cpp
index 4ce4c55919..47ebd7f006 100644
--- a/src/cpp/cpp_typecheck_template.cpp
+++ b/src/cpp/cpp_typecheck_template.cpp
@@ -9,10 +9,11 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 /// \file
 /// C++ Language Type Checking
 
+#include "cpp_typecheck.h"
+
 #include 
 
 #include "cpp_type2name.h"
-#include "cpp_typecheck.h"
 #include "cpp_declarator_converter.h"
 #include "cpp_template_type.h"
 #include "cpp_convert_type.h"
diff --git a/src/cpp/cpp_typecheck_type.cpp b/src/cpp/cpp_typecheck_type.cpp
index 376efd6f9e..cf392b2957 100644
--- a/src/cpp/cpp_typecheck_type.cpp
+++ b/src/cpp/cpp_typecheck_type.cpp
@@ -9,12 +9,13 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 /// \file
 /// C++ Language Type Checking
 
+#include "cpp_typecheck.h"
+
 #include 
 #include 
 
 #include 
 
-#include "cpp_typecheck.h"
 #include "cpp_convert_type.h"
 #include "expr2cpp.h"
 
diff --git a/src/cpp/cpp_typecheck_using.cpp b/src/cpp/cpp_typecheck_using.cpp
index 8a67e6a409..07796c4f1b 100644
--- a/src/cpp/cpp_typecheck_using.cpp
+++ b/src/cpp/cpp_typecheck_using.cpp
@@ -9,10 +9,10 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 /// \file
 /// C++ Language Type Checking
 
-#include 
-
 #include "cpp_typecheck.h"
 
+#include 
+
 void cpp_typecheckt::convert(cpp_usingt &cpp_using)
 {
   // there are two forms of using clauses:
diff --git a/src/cpp/cpp_typecheck_virtual_table.cpp b/src/cpp/cpp_typecheck_virtual_table.cpp
index 4e76629720..b36e42d132 100644
--- a/src/cpp/cpp_typecheck_virtual_table.cpp
+++ b/src/cpp/cpp_typecheck_virtual_table.cpp
@@ -9,11 +9,11 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 /// \file
 /// C++ Language Type Checking
 
+#include "cpp_typecheck.h"
+
 #include 
 #include 
 
-#include "cpp_typecheck.h"
-
 void cpp_typecheckt::do_virtual_table(const symbolt &symbol)
 {
   assert(symbol.type.id()==ID_struct);
diff --git a/src/cpp/cpp_util.cpp b/src/cpp/cpp_util.cpp
index e41ba6871f..0e040b378a 100644
--- a/src/cpp/cpp_util.cpp
+++ b/src/cpp/cpp_util.cpp
@@ -6,12 +6,11 @@ Author:
 
 \*******************************************************************/
 
+#include "cpp_util.h"
 
 #include 
 #include 
 
-#include "cpp_util.h"
-
 exprt cpp_symbol_expr(const symbolt &symbol)
 {
   exprt tmp(ID_symbol, symbol.type);
diff --git a/src/cpp/expr2cpp.cpp b/src/cpp/expr2cpp.cpp
index 1ed9ff738c..7327811ac5 100644
--- a/src/cpp/expr2cpp.cpp
+++ b/src/cpp/expr2cpp.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 
 \*******************************************************************/
 
+#include "expr2cpp.h"
 
 #include 
 
@@ -20,8 +21,6 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 #include 
 #include 
 
-#include "expr2cpp.h"
-
 class expr2cppt:public expr2ct
 {
 public:
diff --git a/src/cpp/parse.cpp b/src/cpp/parse.cpp
index baa831d2cd..a2cd41a8dd 100644
--- a/src/cpp/parse.cpp
+++ b/src/cpp/parse.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 /// \file
 /// C++ Language Parsing
 
+#include "cpp_parser.h"
+
 #include 
 #include 
 
@@ -20,7 +22,6 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 #include 
 
 #include "cpp_token_buffer.h"
-#include "cpp_parser.h"
 #include "cpp_member_spec.h"
 #include "cpp_enum_type.h"
 
diff --git a/src/cpp/template_map.cpp b/src/cpp/template_map.cpp
index a76fac96a4..4df80e3a08 100644
--- a/src/cpp/template_map.cpp
+++ b/src/cpp/template_map.cpp
@@ -9,10 +9,10 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 /// \file
 /// C++ Language Type Checking
 
-#include 
-
 #include "template_map.h"
 
+#include 
+
 void template_mapt::apply(typet &type) const
 {
   if(type.id()==ID_array)

From c4c0deac9f7c607b51858cb2120c7ff99185b484 Mon Sep 17 00:00:00 2001
From: reuk 
Date: Sun, 7 May 2017 13:09:35 +0100
Subject: [PATCH 47/89] Fix include order in goto-analyzer

---
 src/goto-analyzer/goto_analyzer_main.cpp          | 4 ++--
 src/goto-analyzer/goto_analyzer_parse_options.cpp | 3 ++-
 src/goto-analyzer/static_analyzer.cpp             | 3 +--
 src/goto-analyzer/taint_analysis.cpp              | 3 ++-
 src/goto-analyzer/taint_parser.cpp                | 4 ++--
 src/goto-analyzer/unreachable_instructions.cpp    | 4 ++--
 6 files changed, 11 insertions(+), 10 deletions(-)

diff --git a/src/goto-analyzer/goto_analyzer_main.cpp b/src/goto-analyzer/goto_analyzer_main.cpp
index 64e14c7493..8e367dd7eb 100644
--- a/src/goto-analyzer/goto_analyzer_main.cpp
+++ b/src/goto-analyzer/goto_analyzer_main.cpp
@@ -9,10 +9,10 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Goto-Analyser Main Module
 
-#include 
-
 #include "goto_analyzer_parse_options.h"
 
+#include 
+
 #ifdef _MSC_VER
 int wmain(int argc, const wchar_t **argv_wide)
 {
diff --git a/src/goto-analyzer/goto_analyzer_parse_options.cpp b/src/goto-analyzer/goto_analyzer_parse_options.cpp
index 904ab58768..91e7694aba 100644
--- a/src/goto-analyzer/goto_analyzer_parse_options.cpp
+++ b/src/goto-analyzer/goto_analyzer_parse_options.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Goto-Analyser Command Line Option Processing
 
+#include "goto_analyzer_parse_options.h"
+
 #include  // exit()
 #include 
 #include 
@@ -48,7 +50,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 
-#include "goto_analyzer_parse_options.h"
 #include "taint_analysis.h"
 #include "unreachable_instructions.h"
 #include "static_analyzer.h"
diff --git a/src/goto-analyzer/static_analyzer.cpp b/src/goto-analyzer/static_analyzer.cpp
index 4125e5d44c..e92a8da8d6 100644
--- a/src/goto-analyzer/static_analyzer.cpp
+++ b/src/goto-analyzer/static_analyzer.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "static_analyzer.h"
 
 #include 
 
@@ -15,8 +16,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 
-#include "static_analyzer.h"
-
 class static_analyzert:public messaget
 {
 public:
diff --git a/src/goto-analyzer/taint_analysis.cpp b/src/goto-analyzer/taint_analysis.cpp
index 7e59ac5c39..5137422384 100644
--- a/src/goto-analyzer/taint_analysis.cpp
+++ b/src/goto-analyzer/taint_analysis.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Taint Analysis
 
+#include "taint_analysis.h"
+
 #include 
 #include 
 
@@ -22,7 +24,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 
-#include "taint_analysis.h"
 #include "taint_parser.h"
 
 class taint_analysist:public messaget
diff --git a/src/goto-analyzer/taint_parser.cpp b/src/goto-analyzer/taint_parser.cpp
index 234a8e53c3..58ef09f18a 100644
--- a/src/goto-analyzer/taint_parser.cpp
+++ b/src/goto-analyzer/taint_parser.cpp
@@ -9,14 +9,14 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Taint Parser
 
+#include "taint_parser.h"
+
 #include 
 
 #include 
 
 #include 
 
-#include "taint_parser.h"
-
 bool taint_parser(
   const std::string &file_name,
   taint_parse_treet &dest,
diff --git a/src/goto-analyzer/unreachable_instructions.cpp b/src/goto-analyzer/unreachable_instructions.cpp
index 77f97d31d5..44a4e8cd9b 100644
--- a/src/goto-analyzer/unreachable_instructions.cpp
+++ b/src/goto-analyzer/unreachable_instructions.cpp
@@ -11,6 +11,8 @@ Date: April 2016
 /// \file
 /// List all unreachable instructions
 
+#include "unreachable_instructions.h"
+
 #include 
 
 #include 
@@ -22,8 +24,6 @@ Date: April 2016
 #include 
 #include 
 
-#include "unreachable_instructions.h"
-
 typedef std::map dead_mapt;
 
 static void unreachable_instructions(

From d5191a77078cac33e278c219caabae933b3236f3 Mon Sep 17 00:00:00 2001
From: reuk 
Date: Sun, 7 May 2017 13:14:41 +0100
Subject: [PATCH 48/89] Fix include order in goto-cc

---
 src/goto-cc/armcc_cmdline.cpp                          | 4 ++--
 src/goto-cc/armcc_mode.cpp                             | 3 ++-
 src/goto-cc/as86_cmdline.cpp                           | 4 ++--
 src/goto-cc/as_cmdline.cpp                             | 4 ++--
 src/goto-cc/as_mode.cpp                                | 4 ++--
 src/goto-cc/bcc_cmdline.cpp                            | 4 ++--
 src/goto-cc/compile.cpp                                | 4 ++--
 src/goto-cc/cw_mode.cpp                                | 3 ++-
 src/goto-cc/gcc_cmdline.cpp                            | 4 ++--
 src/goto-cc/gcc_mode.cpp                               | 3 ++-
 src/goto-cc/goto_cc_cmdline.cpp                        | 4 ++--
 src/goto-cc/goto_cc_languages.cpp                      | 4 ++--
 src/goto-cc/goto_cc_mode.cpp                           | 4 ++--
 src/goto-cc/ld_cmdline.cpp                             | 4 ++--
 src/goto-cc/ms_cl_cmdline.cpp                          | 4 ++--
 src/goto-cc/ms_cl_mode.cpp                             | 3 ++-
 src/goto-cc/xml_binaries/read_goto_object.cpp          | 3 ++-
 src/goto-cc/xml_binaries/xml_goto_function.cpp         | 3 ++-
 src/goto-cc/xml_binaries/xml_goto_function_hashing.cpp | 1 +
 src/goto-cc/xml_binaries/xml_goto_program.cpp          | 4 ++--
 src/goto-cc/xml_binaries/xml_goto_program_hashing.cpp  | 3 ++-
 src/goto-cc/xml_binaries/xml_irep_hashing.cpp          | 3 ++-
 src/goto-cc/xml_binaries/xml_symbol.cpp                | 3 ++-
 src/goto-cc/xml_binaries/xml_symbol_hashing.cpp        | 3 ++-
 24 files changed, 47 insertions(+), 36 deletions(-)

diff --git a/src/goto-cc/armcc_cmdline.cpp b/src/goto-cc/armcc_cmdline.cpp
index 2512e1f0ab..9cb3fccfd0 100644
--- a/src/goto-cc/armcc_cmdline.cpp
+++ b/src/goto-cc/armcc_cmdline.cpp
@@ -9,11 +9,11 @@ Author: Daniel Kroening
 /// \file
 /// A special command line object to mimic ARM's armcc
 
+#include "armcc_cmdline.h"
+
 #include 
 #include 
 
-#include "armcc_cmdline.h"
-
 /// parses the command line options into a cmdlinet
 /// \par parameters: argument count, argument strings
 /// \return none
diff --git a/src/goto-cc/armcc_mode.cpp b/src/goto-cc/armcc_mode.cpp
index 65eebddb0c..b297ade124 100644
--- a/src/goto-cc/armcc_mode.cpp
+++ b/src/goto-cc/armcc_mode.cpp
@@ -9,6 +9,8 @@ Author: CM Wintersteiger, 2006
 /// \file
 /// Command line option container
 
+#include "armcc_mode.h"
+
 #ifdef _WIN32
 #define EX_OK 0
 #define EX_USAGE 64
@@ -24,7 +26,6 @@ Author: CM Wintersteiger, 2006
 #include 
 #include 
 
-#include "armcc_mode.h"
 #include "compile.h"
 
 /// does it.
diff --git a/src/goto-cc/as86_cmdline.cpp b/src/goto-cc/as86_cmdline.cpp
index b319c17741..e60f0152bc 100644
--- a/src/goto-cc/as86_cmdline.cpp
+++ b/src/goto-cc/as86_cmdline.cpp
@@ -9,13 +9,13 @@ Author: Michael Tautschnig
 /// \file
 /// A special command line object for as86 (of Bruce's C Compiler)
 
+#include "as86_cmdline.h"
+
 #include 
 #include 
 
 #include 
 
-#include "as86_cmdline.h"
-
 // non-as86 options
 const char *goto_as86_options_with_argument[]=
 {
diff --git a/src/goto-cc/as_cmdline.cpp b/src/goto-cc/as_cmdline.cpp
index 52f7f06a25..172b281458 100644
--- a/src/goto-cc/as_cmdline.cpp
+++ b/src/goto-cc/as_cmdline.cpp
@@ -9,13 +9,13 @@ Author: Michael Tautschnig
 /// \file
 /// A special command line object for GNU Assembler
 
+#include "as_cmdline.h"
+
 #include 
 #include 
 
 #include 
 
-#include "as_cmdline.h"
-
 // non-as options
 const char *goto_as_options_with_argument[]=
 {
diff --git a/src/goto-cc/as_mode.cpp b/src/goto-cc/as_mode.cpp
index 0c1f17c627..da39c28a90 100644
--- a/src/goto-cc/as_mode.cpp
+++ b/src/goto-cc/as_mode.cpp
@@ -9,6 +9,8 @@ Author: Michael Tautschnig
 /// \file
 /// Assembler Mode
 
+#include "as_mode.h"
+
 #ifdef _WIN32
 #define EX_OK 0
 #define EX_USAGE 64
@@ -31,8 +33,6 @@ Author: Michael Tautschnig
 
 #include "compile.h"
 
-#include "as_mode.h"
-
 static std::string assembler_name(
   const cmdlinet &cmdline,
   const std::string &base_name)
diff --git a/src/goto-cc/bcc_cmdline.cpp b/src/goto-cc/bcc_cmdline.cpp
index ba1db68dcd..c4cbbc80b3 100644
--- a/src/goto-cc/bcc_cmdline.cpp
+++ b/src/goto-cc/bcc_cmdline.cpp
@@ -9,13 +9,13 @@ Author: Michael Tautschnig
 /// \file
 /// A special command line object for Bruce's C Compiler
 
+#include "bcc_cmdline.h"
+
 #include 
 #include 
 
 #include 
 
-#include "bcc_cmdline.h"
-
 // non-bcc options
 const char *goto_bcc_options_with_argument[]=
 {
diff --git a/src/goto-cc/compile.cpp b/src/goto-cc/compile.cpp
index 16363fa2e3..96b76260e9 100644
--- a/src/goto-cc/compile.cpp
+++ b/src/goto-cc/compile.cpp
@@ -11,6 +11,8 @@ Date: June 2006
 /// \file
 /// Compile and link source and object files.
 
+#include "compile.h"
+
 #include 
 #include 
 #include 
@@ -40,8 +42,6 @@ Date: June 2006
 
 #include 
 
-#include "compile.h"
-
 #define DOTGRAPHSETTINGS  "color=black;" \
                           "orientation=portrait;" \
                           "fontsize=20;"\
diff --git a/src/goto-cc/cw_mode.cpp b/src/goto-cc/cw_mode.cpp
index 46746ae529..ee84c58959 100644
--- a/src/goto-cc/cw_mode.cpp
+++ b/src/goto-cc/cw_mode.cpp
@@ -9,6 +9,8 @@ Author: CM Wintersteiger, 2006
 /// \file
 /// Command line option container
 
+#include "cw_mode.h"
+
 #ifdef _WIN32
 #define EX_OK 0
 #define EX_USAGE 64
@@ -24,7 +26,6 @@ Author: CM Wintersteiger, 2006
 #include 
 #include 
 
-#include "cw_mode.h"
 #include "compile.h"
 
 /// does it.
diff --git a/src/goto-cc/gcc_cmdline.cpp b/src/goto-cc/gcc_cmdline.cpp
index 61d07b265d..c5b4057ed1 100644
--- a/src/goto-cc/gcc_cmdline.cpp
+++ b/src/goto-cc/gcc_cmdline.cpp
@@ -9,6 +9,8 @@ Author: CM Wintersteiger, 2006
 /// \file
 /// A special command line object for the gcc-like options
 
+#include "gcc_cmdline.h"
+
 #include 
 #include 
 #include 
@@ -16,8 +18,6 @@ Author: CM Wintersteiger, 2006
 
 #include 
 
-#include "gcc_cmdline.h"
-
 /// parses the command line options into a cmdlinet
 /// \par parameters: argument count, argument strings
 /// \return none
diff --git a/src/goto-cc/gcc_mode.cpp b/src/goto-cc/gcc_mode.cpp
index 18c6763fb4..a001d4c2dd 100644
--- a/src/goto-cc/gcc_mode.cpp
+++ b/src/goto-cc/gcc_mode.cpp
@@ -9,6 +9,8 @@ Author: CM Wintersteiger, 2006
 /// \file
 /// GCC Mode
 
+#include "gcc_mode.h"
+
 #ifdef _WIN32
 #define EX_OK 0
 #define EX_USAGE 64
@@ -33,7 +35,6 @@ Author: CM Wintersteiger, 2006
 #include 
 
 #include "compile.h"
-#include "gcc_mode.h"
 
 static std::string compiler_name(
   const cmdlinet &cmdline,
diff --git a/src/goto-cc/goto_cc_cmdline.cpp b/src/goto-cc/goto_cc_cmdline.cpp
index a9090012ad..71bb06f816 100644
--- a/src/goto-cc/goto_cc_cmdline.cpp
+++ b/src/goto-cc/goto_cc_cmdline.cpp
@@ -11,6 +11,8 @@ Date:   April 2010
 /// \file
 /// Command line interpretation for goto-cc
 
+#include "goto_cc_cmdline.h"
+
 #include 
 #include 
 #include 
@@ -19,8 +21,6 @@ Date:   April 2010
 #include 
 #include 
 
-#include "goto_cc_cmdline.h"
-
 goto_cc_cmdlinet::~goto_cc_cmdlinet()
 {
   if(!stdin_file.empty())
diff --git a/src/goto-cc/goto_cc_languages.cpp b/src/goto-cc/goto_cc_languages.cpp
index 0c076187ee..12ea70c04e 100644
--- a/src/goto-cc/goto_cc_languages.cpp
+++ b/src/goto-cc/goto_cc_languages.cpp
@@ -9,6 +9,8 @@ Author: CM Wintersteiger
 /// \file
 /// Language Registration
 
+#include "goto_cc_mode.h"
+
 #include 
 
 #include 
@@ -20,8 +22,6 @@ Author: CM Wintersteiger
 #include 
 #endif
 
-#include "goto_cc_mode.h"
-
 void goto_cc_modet::register_languages()
 {
   register_language(new_ansi_c_language);
diff --git a/src/goto-cc/goto_cc_mode.cpp b/src/goto-cc/goto_cc_mode.cpp
index 8822122d02..f398864b6c 100644
--- a/src/goto-cc/goto_cc_mode.cpp
+++ b/src/goto-cc/goto_cc_mode.cpp
@@ -9,6 +9,8 @@ Author: CM Wintersteiger, 2006
 /// \file
 /// Command line option container
 
+#include "goto_cc_mode.h"
+
 #include 
 #include 
 
@@ -22,8 +24,6 @@ Author: CM Wintersteiger, 2006
 
 #include 
 
-#include "goto_cc_mode.h"
-
 /// constructor
 goto_cc_modet::goto_cc_modet(
   goto_cc_cmdlinet &_cmdline,
diff --git a/src/goto-cc/ld_cmdline.cpp b/src/goto-cc/ld_cmdline.cpp
index 45a7fab5b9..1f17dabd10 100644
--- a/src/goto-cc/ld_cmdline.cpp
+++ b/src/goto-cc/ld_cmdline.cpp
@@ -9,13 +9,13 @@ Author: Daniel Kroening, 2013
 /// \file
 /// A special command line object for the ld-like options
 
+#include "ld_cmdline.h"
+
 #include 
 #include 
 
 #include 
 
-#include "ld_cmdline.h"
-
 /// parses the command line options into a cmdlinet
 /// \par parameters: argument count, argument strings
 /// \return none
diff --git a/src/goto-cc/ms_cl_cmdline.cpp b/src/goto-cc/ms_cl_cmdline.cpp
index fdc5987929..ea605ef6d8 100644
--- a/src/goto-cc/ms_cl_cmdline.cpp
+++ b/src/goto-cc/ms_cl_cmdline.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening
 /// \file
 /// A special command line object for the CL options
 
+#include "ms_cl_cmdline.h"
+
 #include 
 #include 
 #include 
@@ -17,8 +19,6 @@ Author: Daniel Kroening
 
 #include 
 
-#include "ms_cl_cmdline.h"
-
 /// parses the command line options into a cmdlinet
 /// \par parameters: argument count, argument strings
 /// \return none
diff --git a/src/goto-cc/ms_cl_mode.cpp b/src/goto-cc/ms_cl_mode.cpp
index 615bf6e03b..946a645471 100644
--- a/src/goto-cc/ms_cl_mode.cpp
+++ b/src/goto-cc/ms_cl_mode.cpp
@@ -9,6 +9,8 @@ Author: CM Wintersteiger, 2006
 /// \file
 /// Visual Studio CL Mode
 
+#include "ms_cl_mode.h"
+
 #ifdef _WIN32
 #define EX_OK 0
 #define EX_USAGE 64
@@ -27,7 +29,6 @@ Author: CM Wintersteiger, 2006
 
 #include 
 
-#include "ms_cl_mode.h"
 #include "compile.h"
 
 /// does it.
diff --git a/src/goto-cc/xml_binaries/read_goto_object.cpp b/src/goto-cc/xml_binaries/read_goto_object.cpp
index 5a2f24bf58..24dde49bec 100644
--- a/src/goto-cc/xml_binaries/read_goto_object.cpp
+++ b/src/goto-cc/xml_binaries/read_goto_object.cpp
@@ -11,6 +11,8 @@ Date: June 2006
 /// \file
 /// Read goto object files.
 
+#include "read_goto_object.h"
+
 #include 
 #include 
 #include 
@@ -20,7 +22,6 @@ Date: June 2006
 
 #include 
 
-#include "read_goto_object.h"
 #include "xml_goto_function_hashing.h"
 #include "xml_irep_hashing.h"
 #include "xml_symbol_hashing.h"
diff --git a/src/goto-cc/xml_binaries/xml_goto_function.cpp b/src/goto-cc/xml_binaries/xml_goto_function.cpp
index 589838154f..7475a990a4 100644
--- a/src/goto-cc/xml_binaries/xml_goto_function.cpp
+++ b/src/goto-cc/xml_binaries/xml_goto_function.cpp
@@ -11,9 +11,10 @@ Date: June 2006
 /// \file
 /// Convert goto functions to xml structures and back.
 
+#include "xml_goto_function.h"
+
 #include 
 
-#include "xml_goto_function.h"
 #include "xml_goto_program.h"
 
 /// takes a goto_function and creates an according xml structure
diff --git a/src/goto-cc/xml_binaries/xml_goto_function_hashing.cpp b/src/goto-cc/xml_binaries/xml_goto_function_hashing.cpp
index 23769f5b44..a0a2f428da 100644
--- a/src/goto-cc/xml_binaries/xml_goto_function_hashing.cpp
+++ b/src/goto-cc/xml_binaries/xml_goto_function_hashing.cpp
@@ -13,6 +13,7 @@ Date: July 2006
 /// Convert goto functions to xml structures and back (with irep hashing)
 
 #include "xml_goto_function_hashing.h"
+
 #include "xml_goto_program_hashing.h"
 
 /// takes a goto_function and creates an according xml structure
diff --git a/src/goto-cc/xml_binaries/xml_goto_program.cpp b/src/goto-cc/xml_binaries/xml_goto_program.cpp
index 9ab9c77db9..1f12fcff98 100644
--- a/src/goto-cc/xml_binaries/xml_goto_program.cpp
+++ b/src/goto-cc/xml_binaries/xml_goto_program.cpp
@@ -11,13 +11,13 @@ Date: June 2006
 /// \file
 /// Convert goto programs to xml structures and back.
 
+#include "xml_goto_program.h"
+
 #include 
 #include 
 
 #include 
 
-#include "xml_goto_program.h"
-
 /// constructs the xml structure according to the goto program and the namespace
 /// into the given xml object.
 /// \par parameters: goto program, namespace and an xml structure to fill
diff --git a/src/goto-cc/xml_binaries/xml_goto_program_hashing.cpp b/src/goto-cc/xml_binaries/xml_goto_program_hashing.cpp
index 5097fd6e3e..129f90dd9d 100644
--- a/src/goto-cc/xml_binaries/xml_goto_program_hashing.cpp
+++ b/src/goto-cc/xml_binaries/xml_goto_program_hashing.cpp
@@ -12,11 +12,12 @@ Date: July 2006
 /// \file
 /// Convert goto programs to xml structures and back (with irep hashing)
 
+#include "xml_goto_program_hashing.h"
+
 #include 
 #include 
 
 #include "xml_irep_hashing.h"
-#include "xml_goto_program_hashing.h"
 
 /// constructs the xml structure according to the goto program and the namespace
 /// into the given xml object.
diff --git a/src/goto-cc/xml_binaries/xml_irep_hashing.cpp b/src/goto-cc/xml_binaries/xml_irep_hashing.cpp
index 1469965839..312a076bef 100644
--- a/src/goto-cc/xml_binaries/xml_irep_hashing.cpp
+++ b/src/goto-cc/xml_binaries/xml_irep_hashing.cpp
@@ -11,10 +11,11 @@ Date: July 2006
 /// \file
 /// XML-irep conversions with hashing
 
+#include "xml_irep_hashing.h"
+
 #include 
 #include 
 
-#include "xml_irep_hashing.h"
 #include "string_hash.h"
 
 void xml_irep_convertt::convert(
diff --git a/src/goto-cc/xml_binaries/xml_symbol.cpp b/src/goto-cc/xml_binaries/xml_symbol.cpp
index a323d4ef2a..0fa7acd806 100644
--- a/src/goto-cc/xml_binaries/xml_symbol.cpp
+++ b/src/goto-cc/xml_binaries/xml_symbol.cpp
@@ -11,9 +11,10 @@ Date: June 2006
 /// \file
 /// Compile and link source and object files.
 
-#include "xml_irep.h"
 #include "xml_symbol.h"
 
+#include "xml_irep.h"
+
 /// converts a symbol to an xml symbol node
 /// \par parameters: a symbol and an xml node
 /// \return none
diff --git a/src/goto-cc/xml_binaries/xml_symbol_hashing.cpp b/src/goto-cc/xml_binaries/xml_symbol_hashing.cpp
index 862522451e..e666487df7 100644
--- a/src/goto-cc/xml_binaries/xml_symbol_hashing.cpp
+++ b/src/goto-cc/xml_binaries/xml_symbol_hashing.cpp
@@ -11,9 +11,10 @@ Date: July 2006
 /// \file
 /// XML-symbol conversions with irep hashing
 
-#include "xml_symbol_hashing.h"
 #include "xml_irep_hashing.h"
 
+#include "xml_symbol_hashing.h"
+
 /// converts a symbol to an xml symbol node
 /// \par parameters: a symbol and an xml node
 /// \return none

From 4f0dc2d0aa738f250ab8e1d3dfbe5265e9e046ce Mon Sep 17 00:00:00 2001
From: reuk 
Date: Sun, 7 May 2017 13:17:47 +0100
Subject: [PATCH 49/89] Fix include order in goto-diff

---
 src/goto-diff/change_impact.cpp           | 3 ++-
 src/goto-diff/goto_diff_base.cpp          | 4 ++--
 src/goto-diff/goto_diff_languages.cpp     | 4 ++--
 src/goto-diff/goto_diff_main.cpp          | 4 ++--
 src/goto-diff/goto_diff_parse_options.cpp | 3 ++-
 src/goto-diff/unified_diff.cpp            | 4 ++--
 src/goto-diff/unified_diff.h              | 2 ++
 7 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/src/goto-diff/change_impact.cpp b/src/goto-diff/change_impact.cpp
index c7ea9a7771..44946ab2f4 100644
--- a/src/goto-diff/change_impact.cpp
+++ b/src/goto-diff/change_impact.cpp
@@ -11,6 +11,8 @@ Date: April 2016
 /// \file
 /// Data and control-dependencies of syntactic diff
 
+#include "change_impact.h"
+
 #include 
 
 #include 
@@ -19,7 +21,6 @@ Date: April 2016
 
 #include "unified_diff.h"
 
-#include "change_impact.h"
 #if 0
   struct cfg_nodet
   {
diff --git a/src/goto-diff/goto_diff_base.cpp b/src/goto-diff/goto_diff_base.cpp
index f2af3eb4c4..1ad26dbee7 100644
--- a/src/goto-diff/goto_diff_base.cpp
+++ b/src/goto-diff/goto_diff_base.cpp
@@ -9,10 +9,10 @@ Author: Peter Schrammel
 /// \file
 /// GOTO-DIFF Base Class
 
-#include 
-
 #include "goto_diff.h"
 
+#include 
+
 std::ostream &goto_difft::output_functions(std::ostream &out) const
 {
   switch(ui)
diff --git a/src/goto-diff/goto_diff_languages.cpp b/src/goto-diff/goto_diff_languages.cpp
index d1ad10c5a0..c55f82e637 100644
--- a/src/goto-diff/goto_diff_languages.cpp
+++ b/src/goto-diff/goto_diff_languages.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Language Registration
 
+#include "goto_diff_languages.h"
+
 #include 
 
 #include 
@@ -22,8 +24,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #endif
 
-#include "goto_diff_languages.h"
-
 void goto_diff_languagest::register_languages()
 {
   register_language(new_ansi_c_language);
diff --git a/src/goto-diff/goto_diff_main.cpp b/src/goto-diff/goto_diff_main.cpp
index 604777582d..8affa71874 100644
--- a/src/goto-diff/goto_diff_main.cpp
+++ b/src/goto-diff/goto_diff_main.cpp
@@ -9,14 +9,14 @@ Author: Peter Schrammel
 /// \file
 /// GOTO-DIFF Main Module
 
+#include "goto_diff_parse_options.h"
+
 #include 
 
 #ifdef IREP_HASH_STATS
 #include 
 #endif
 
-#include "goto_diff_parse_options.h"
-
 #ifdef IREP_HASH_STATS
 extern unsigned long long irep_hash_cnt;
 extern unsigned long long irep_cmp_cnt;
diff --git a/src/goto-diff/goto_diff_parse_options.cpp b/src/goto-diff/goto_diff_parse_options.cpp
index ee2a74a0b2..146fe27eb1 100644
--- a/src/goto-diff/goto_diff_parse_options.cpp
+++ b/src/goto-diff/goto_diff_parse_options.cpp
@@ -9,6 +9,8 @@ Author: Peter Schrammel
 /// \file
 /// GOTO-DIFF Command Line Option Processing
 
+#include "goto_diff_parse_options.h"
+
 #include 
 #include  // exit()
 #include 
@@ -41,7 +43,6 @@ Author: Peter Schrammel
 
 #include 
 
-#include "goto_diff_parse_options.h"
 #include "goto_diff.h"
 #include "syntactic_diff.h"
 #include "unified_diff.h"
diff --git a/src/goto-diff/unified_diff.cpp b/src/goto-diff/unified_diff.cpp
index 05a5960f6c..911d7aef06 100644
--- a/src/goto-diff/unified_diff.cpp
+++ b/src/goto-diff/unified_diff.cpp
@@ -11,12 +11,12 @@ Date: April 2016
 /// \file
 /// Unified diff (using LCSS) of goto functions
 
+#include "unified_diff.h"
+
 #include 
 
 #include 
 
-#include "unified_diff.h"
-
 unified_difft::unified_difft(const goto_modelt &model_old,
                              const goto_modelt &model_new):
   old_goto_functions(model_old.goto_functions),
diff --git a/src/goto-diff/unified_diff.h b/src/goto-diff/unified_diff.h
index 76694d7a7d..65549c5759 100644
--- a/src/goto-diff/unified_diff.h
+++ b/src/goto-diff/unified_diff.h
@@ -21,6 +21,8 @@ Date: April 2016
 
 #include 
 
+#include "goto-programs/goto_program.h"
+
 class goto_functionst;
 class goto_modelt;
 class goto_programt;

From 0c05ad42334334dd7fde7fad3b4ed86a0cf65c1f Mon Sep 17 00:00:00 2001
From: reuk 
Date: Sun, 7 May 2017 13:34:46 +0100
Subject: [PATCH 50/89] Fix include order in goto-instrument

---
 src/goto-instrument/accelerate/accelerate.cpp                | 3 ++-
 src/goto-instrument/accelerate/acceleration_utils.cpp        | 3 ++-
 src/goto-instrument/accelerate/all_paths_enumerator.cpp      | 4 ++--
 src/goto-instrument/accelerate/cone_of_influence.cpp         | 4 ++--
 .../accelerate/disjunctive_polynomial_acceleration.cpp       | 3 ++-
 .../accelerate/enumerating_loop_acceleration.cpp             | 4 ++--
 src/goto-instrument/accelerate/overflow_instrumenter.cpp     | 3 ++-
 src/goto-instrument/accelerate/path.cpp                      | 4 ++--
 src/goto-instrument/accelerate/polynomial.cpp                | 3 ++-
 src/goto-instrument/accelerate/polynomial_accelerator.cpp    | 3 ++-
 src/goto-instrument/accelerate/sat_path_enumerator.cpp       | 3 ++-
 src/goto-instrument/accelerate/scratch_program.cpp           | 4 ++--
 src/goto-instrument/accelerate/trace_automaton.cpp           | 3 ++-
 src/goto-instrument/accelerate/util.cpp                      | 4 ++--
 src/goto-instrument/alignment_checks.cpp                     | 4 ++--
 src/goto-instrument/branch.cpp                               | 3 ++-
 src/goto-instrument/call_sequences.cpp                       | 4 ++--
 src/goto-instrument/code_contracts.cpp                       | 3 ++-
 src/goto-instrument/concurrency.cpp                          | 4 ++--
 src/goto-instrument/count_eloc.cpp                           | 4 ++--
 src/goto-instrument/cover.cpp                                | 4 ++--
 src/goto-instrument/cover.h                                  | 2 ++
 src/goto-instrument/document_properties.cpp                  | 4 ++--
 src/goto-instrument/dot.cpp                                  | 4 ++--
 src/goto-instrument/dump_c.cpp                               | 4 ++--
 src/goto-instrument/full_slicer.cpp                          | 5 +++--
 src/goto-instrument/function.cpp                             | 4 ++--
 src/goto-instrument/function_modifies.cpp                    | 4 ++--
 src/goto-instrument/goto_instrument_languages.cpp            | 4 ++--
 src/goto-instrument/goto_instrument_main.cpp                 | 4 ++--
 src/goto-instrument/goto_instrument_parse_options.cpp        | 3 ++-
 src/goto-instrument/goto_program2code.cpp                    | 4 ++--
 src/goto-instrument/goto_program2code.h                      | 1 +
 src/goto-instrument/havoc_loops.cpp                          | 3 ++-
 src/goto-instrument/horn_encoding.cpp                        | 4 ++--
 src/goto-instrument/interrupt.cpp                            | 3 ++-
 src/goto-instrument/k_induction.cpp                          | 3 ++-
 src/goto-instrument/loop_utils.cpp                           | 4 ++--
 src/goto-instrument/mmio.cpp                                 | 4 ++--
 src/goto-instrument/model_argc_argv.cpp                      | 4 ++--
 src/goto-instrument/nondet_static.cpp                        | 4 ++--
 src/goto-instrument/nondet_volatile.cpp                      | 4 ++--
 src/goto-instrument/race_check.cpp                           | 3 ++-
 src/goto-instrument/reachability_slicer.cpp                  | 4 ++--
 src/goto-instrument/rw_set.cpp                               | 4 ++--
 src/goto-instrument/show_locations.cpp                       | 4 ++--
 src/goto-instrument/skip_loops.cpp                           | 4 ++--
 src/goto-instrument/stack_depth.cpp                          | 4 ++--
 src/goto-instrument/thread_instrumentation.cpp               | 3 +--
 src/goto-instrument/undefined_functions.cpp                  | 4 ++--
 src/goto-instrument/undefined_functions.h                    | 2 ++
 src/goto-instrument/uninitialized.cpp                        | 4 ++--
 src/goto-instrument/unwind.cpp                               | 3 ++-
 src/goto-instrument/unwind.h                                 | 2 ++
 src/goto-instrument/wmm/cycle_collection.cpp                 | 4 ++--
 src/goto-instrument/wmm/data_dp.cpp                          | 3 ++-
 src/goto-instrument/wmm/fence.cpp                            | 4 ++--
 src/goto-instrument/wmm/goto2graph.cpp                       | 3 ++-
 src/goto-instrument/wmm/instrumenter_strategies.cpp          | 5 ++---
 src/goto-instrument/wmm/pair_collection.cpp                  | 4 ++--
 src/goto-instrument/wmm/shared_buffers.cpp                   | 1 +
 src/goto-instrument/wmm/weak_memory.cpp                      | 3 ++-
 src/goto-instrument/wmm/weak_memory.h                        | 4 ++++
 63 files changed, 126 insertions(+), 96 deletions(-)

diff --git a/src/goto-instrument/accelerate/accelerate.cpp b/src/goto-instrument/accelerate/accelerate.cpp
index 9fda8311c6..19203e1cd8 100644
--- a/src/goto-instrument/accelerate/accelerate.cpp
+++ b/src/goto-instrument/accelerate/accelerate.cpp
@@ -9,6 +9,8 @@ Author: Matt Lewis
 /// \file
 /// Loop Acceleration
 
+#include "accelerate.h"
+
 #include 
 
 #include 
@@ -22,7 +24,6 @@ Author: Matt Lewis
 #include 
 #include 
 
-#include "accelerate.h"
 #include "path.h"
 #include "polynomial_accelerator.h"
 #include "enumerating_loop_acceleration.h"
diff --git a/src/goto-instrument/accelerate/acceleration_utils.cpp b/src/goto-instrument/accelerate/acceleration_utils.cpp
index 7da7a6dce8..b275be15ba 100644
--- a/src/goto-instrument/accelerate/acceleration_utils.cpp
+++ b/src/goto-instrument/accelerate/acceleration_utils.cpp
@@ -9,6 +9,8 @@ Author: Matt Lewis
 /// \file
 /// Loop Acceleration
 
+#include "acceleration_utils.h"
+
 #include 
 #include 
 #include 
@@ -39,7 +41,6 @@ Author: Matt Lewis
 #include 
 #include 
 
-#include "acceleration_utils.h"
 #include "accelerator.h"
 #include "util.h"
 #include "cone_of_influence.h"
diff --git a/src/goto-instrument/accelerate/all_paths_enumerator.cpp b/src/goto-instrument/accelerate/all_paths_enumerator.cpp
index f681549a8f..34de1d9af9 100644
--- a/src/goto-instrument/accelerate/all_paths_enumerator.cpp
+++ b/src/goto-instrument/accelerate/all_paths_enumerator.cpp
@@ -9,10 +9,10 @@ Author: Matt Lewis
 /// \file
 /// Loop Acceleration
 
-#include 
-
 #include "all_paths_enumerator.h"
 
+#include 
+
 bool all_paths_enumeratort::next(patht &path)
 {
   if(last_path.empty())
diff --git a/src/goto-instrument/accelerate/cone_of_influence.cpp b/src/goto-instrument/accelerate/cone_of_influence.cpp
index 9d2ed86ca0..c99f7bdc6f 100644
--- a/src/goto-instrument/accelerate/cone_of_influence.cpp
+++ b/src/goto-instrument/accelerate/cone_of_influence.cpp
@@ -9,12 +9,12 @@ Author: Matt Lewis
 /// \file
 /// Loop Acceleration
 
+#include "cone_of_influence.h"
+
 #include 
 
 #include 
 
-#include "cone_of_influence.h"
-
 void cone_of_influencet::cone_of_influence(
   const expr_sett &targets,
   expr_sett &cone)
diff --git a/src/goto-instrument/accelerate/disjunctive_polynomial_acceleration.cpp b/src/goto-instrument/accelerate/disjunctive_polynomial_acceleration.cpp
index 6029c6ecd3..acf0bf264c 100644
--- a/src/goto-instrument/accelerate/disjunctive_polynomial_acceleration.cpp
+++ b/src/goto-instrument/accelerate/disjunctive_polynomial_acceleration.cpp
@@ -9,6 +9,8 @@ Author: Matt Lewis
 /// \file
 /// Loop Acceleration
 
+#include "disjunctive_polynomial_acceleration.h"
+
 #include 
 #include 
 #include 
@@ -39,7 +41,6 @@ Author: Matt Lewis
 #include 
 #include 
 
-#include "disjunctive_polynomial_acceleration.h"
 #include "polynomial_accelerator.h"
 #include "accelerator.h"
 #include "util.h"
diff --git a/src/goto-instrument/accelerate/enumerating_loop_acceleration.cpp b/src/goto-instrument/accelerate/enumerating_loop_acceleration.cpp
index 6a313a5b6d..01cf26f477 100644
--- a/src/goto-instrument/accelerate/enumerating_loop_acceleration.cpp
+++ b/src/goto-instrument/accelerate/enumerating_loop_acceleration.cpp
@@ -9,10 +9,10 @@ Author: Matt Lewis
 /// \file
 /// Loop Acceleration
 
-#include 
-
 #include "enumerating_loop_acceleration.h"
 
+#include 
+
 bool enumerating_loop_accelerationt::accelerate(
   path_acceleratort &accelerator)
 {
diff --git a/src/goto-instrument/accelerate/overflow_instrumenter.cpp b/src/goto-instrument/accelerate/overflow_instrumenter.cpp
index efe9c97842..4c5e9bebd4 100644
--- a/src/goto-instrument/accelerate/overflow_instrumenter.cpp
+++ b/src/goto-instrument/accelerate/overflow_instrumenter.cpp
@@ -9,6 +9,8 @@ Author: Matt Lewis
 /// \file
 /// Loop Acceleration
 
+#include "overflow_instrumenter.h"
+
 #include 
 
 #include 
@@ -18,7 +20,6 @@ Author: Matt Lewis
 
 #include 
 
-#include "overflow_instrumenter.h"
 #include "util.h"
 
 /*
diff --git a/src/goto-instrument/accelerate/path.cpp b/src/goto-instrument/accelerate/path.cpp
index effa48f768..229c72cdb6 100644
--- a/src/goto-instrument/accelerate/path.cpp
+++ b/src/goto-instrument/accelerate/path.cpp
@@ -9,12 +9,12 @@ Author: Matt Lewis
 /// \file
 /// Loop Acceleration
 
+#include "path.h"
+
 #include 
 
 #include 
 
-#include "path.h"
-
 void output_path(
   const patht &path,
   const goto_programt &program,
diff --git a/src/goto-instrument/accelerate/polynomial.cpp b/src/goto-instrument/accelerate/polynomial.cpp
index b37cfaafe8..df72550d5c 100644
--- a/src/goto-instrument/accelerate/polynomial.cpp
+++ b/src/goto-instrument/accelerate/polynomial.cpp
@@ -9,6 +9,8 @@ Author: Matt Lewis
 /// \file
 /// Loop Acceleration
 
+#include "polynomial.h"
+
 #include 
 #include 
 
@@ -16,7 +18,6 @@ Author: Matt Lewis
 #include 
 #include 
 
-#include "polynomial.h"
 #include "util.h"
 
 exprt polynomialt::to_expr()
diff --git a/src/goto-instrument/accelerate/polynomial_accelerator.cpp b/src/goto-instrument/accelerate/polynomial_accelerator.cpp
index 3e8caf6742..c1a84b45a6 100644
--- a/src/goto-instrument/accelerate/polynomial_accelerator.cpp
+++ b/src/goto-instrument/accelerate/polynomial_accelerator.cpp
@@ -9,6 +9,8 @@ Author: Matt Lewis
 /// \file
 /// Loop Acceleration
 
+#include "polynomial_accelerator.h"
+
 #include 
 #include 
 #include 
@@ -37,7 +39,6 @@ Author: Matt Lewis
 #include 
 #include 
 
-#include "polynomial_accelerator.h"
 #include "accelerator.h"
 #include "util.h"
 #include "cone_of_influence.h"
diff --git a/src/goto-instrument/accelerate/sat_path_enumerator.cpp b/src/goto-instrument/accelerate/sat_path_enumerator.cpp
index 0929d8daf2..b2e2177ed8 100644
--- a/src/goto-instrument/accelerate/sat_path_enumerator.cpp
+++ b/src/goto-instrument/accelerate/sat_path_enumerator.cpp
@@ -9,6 +9,8 @@ Author: Matt Lewis
 /// \file
 /// Loop Acceleration
 
+#include "sat_path_enumerator.h"
+
 #include 
 #include 
 #include 
@@ -39,7 +41,6 @@ Author: Matt Lewis
 #include 
 #include 
 
-#include "sat_path_enumerator.h"
 #include "polynomial_accelerator.h"
 #include "accelerator.h"
 #include "util.h"
diff --git a/src/goto-instrument/accelerate/scratch_program.cpp b/src/goto-instrument/accelerate/scratch_program.cpp
index 93c16f8848..fcea2eb483 100644
--- a/src/goto-instrument/accelerate/scratch_program.cpp
+++ b/src/goto-instrument/accelerate/scratch_program.cpp
@@ -9,6 +9,8 @@ Author: Matt Lewis
 /// \file
 /// Loop Acceleration
 
+#include "scratch_program.h"
+
 #include 
 #include 
 
@@ -16,8 +18,6 @@ Author: Matt Lewis
 
 #include 
 
-#include "scratch_program.h"
-
 #ifdef DEBUG
 #include 
 #endif
diff --git a/src/goto-instrument/accelerate/trace_automaton.cpp b/src/goto-instrument/accelerate/trace_automaton.cpp
index ac885fcf0f..8043b1b586 100644
--- a/src/goto-instrument/accelerate/trace_automaton.cpp
+++ b/src/goto-instrument/accelerate/trace_automaton.cpp
@@ -9,10 +9,11 @@ Author: Matt Lewis
 /// \file
 /// Loop Acceleration
 
+#include "trace_automaton.h"
+
 #include 
 #include 
 
-#include "trace_automaton.h"
 #include "path.h"
 
 void trace_automatont::build()
diff --git a/src/goto-instrument/accelerate/util.cpp b/src/goto-instrument/accelerate/util.cpp
index 0af56c088e..15563559ad 100644
--- a/src/goto-instrument/accelerate/util.cpp
+++ b/src/goto-instrument/accelerate/util.cpp
@@ -9,14 +9,14 @@ Author: Matt Lewis
 /// \file
 /// Loop Acceleration
 
+#include "util.h"
+
 #include 
 #include 
 
 #include 
 #include 
 
-#include "util.h"
-
 signedbv_typet signed_poly_type()
 {
   return signedbv_typet(config.ansi_c.int_width);
diff --git a/src/goto-instrument/alignment_checks.cpp b/src/goto-instrument/alignment_checks.cpp
index 98740c254a..3a177bdcd2 100644
--- a/src/goto-instrument/alignment_checks.cpp
+++ b/src/goto-instrument/alignment_checks.cpp
@@ -9,12 +9,12 @@ Author:
 /// \file
 /// Alignment Checks
 
+#include "alignment_checks.h"
+
 #include 
 #include 
 #include 
 
-#include "alignment_checks.h"
-
 void print_struct_alignment_problems(
   const symbol_tablet &symbol_table,
   std::ostream &out)
diff --git a/src/goto-instrument/branch.cpp b/src/goto-instrument/branch.cpp
index 689a9f4843..e224a59265 100644
--- a/src/goto-instrument/branch.cpp
+++ b/src/goto-instrument/branch.cpp
@@ -9,11 +9,12 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Branch Instrumentation
 
+#include "branch.h"
+
 #include 
 #include 
 
 #include "function.h"
-#include "branch.h"
 
 void branch(
   symbol_tablet &symbol_table,
diff --git a/src/goto-instrument/call_sequences.cpp b/src/goto-instrument/call_sequences.cpp
index 6e535c2524..7c8ed65a91 100644
--- a/src/goto-instrument/call_sequences.cpp
+++ b/src/goto-instrument/call_sequences.cpp
@@ -11,6 +11,8 @@ Date: April 2013
 /// \file
 /// Printing function call sequences for Ofer
 
+#include "call_sequences.h"
+
 #include 
 #include 
 #include 
@@ -18,8 +20,6 @@ Date: April 2013
 #include 
 #include 
 
-#include "call_sequences.h"
-
 void show_call_sequences(
   const irep_idt &function,
   const goto_programt &goto_program,
diff --git a/src/goto-instrument/code_contracts.cpp b/src/goto-instrument/code_contracts.cpp
index e828b3c790..5b118d3645 100644
--- a/src/goto-instrument/code_contracts.cpp
+++ b/src/goto-instrument/code_contracts.cpp
@@ -11,6 +11,8 @@ Date: February 2016
 /// \file
 /// Verify and use annotated invariants and pre/post-conditions
 
+#include "code_contracts.h"
+
 #include 
 #include 
 #include 
@@ -20,7 +22,6 @@ Date: February 2016
 #include 
 
 #include "loop_utils.h"
-#include "code_contracts.h"
 
 class code_contractst
 {
diff --git a/src/goto-instrument/concurrency.cpp b/src/goto-instrument/concurrency.cpp
index e04ff9c869..579edc36ed 100644
--- a/src/goto-instrument/concurrency.cpp
+++ b/src/goto-instrument/concurrency.cpp
@@ -11,14 +11,14 @@ Date: October 2012
 /// \file
 /// Encoding for Threaded Goto Programs
 
+#include "concurrency.h"
+
 #include 
 #include 
 #include 
 
 #include 
 
-#include "concurrency.h"
-
 class concurrency_instrumentationt
 {
 public:
diff --git a/src/goto-instrument/count_eloc.cpp b/src/goto-instrument/count_eloc.cpp
index d986d335e9..fa8cb858da 100644
--- a/src/goto-instrument/count_eloc.cpp
+++ b/src/goto-instrument/count_eloc.cpp
@@ -11,6 +11,8 @@ Date: December 2012
 /// \file
 /// Count effective lines of code
 
+#include "count_eloc.h"
+
 #include 
 #include 
 
@@ -19,8 +21,6 @@ Date: December 2012
 
 #include 
 
-#include "count_eloc.h"
-
 typedef std::unordered_set linest;
 typedef std::unordered_map filest;
 typedef std::unordered_map working_dirst;
diff --git a/src/goto-instrument/cover.cpp b/src/goto-instrument/cover.cpp
index 9beffb29c8..5baadcb9a8 100644
--- a/src/goto-instrument/cover.cpp
+++ b/src/goto-instrument/cover.cpp
@@ -11,14 +11,14 @@ Date: May 2016
 /// \file
 /// Coverage Instrumentation
 
+#include "cover.h"
+
 #include 
 #include 
 
 #include 
 #include 
 
-#include "cover.h"
-
 class basic_blockst
 {
 public:
diff --git a/src/goto-instrument/cover.h b/src/goto-instrument/cover.h
index 5a8872bc32..c2dd453b28 100644
--- a/src/goto-instrument/cover.h
+++ b/src/goto-instrument/cover.h
@@ -17,6 +17,8 @@ Date: May 2016
 #include 
 #include 
 
+class message_handlert;
+
 enum class coverage_criteriont
 {
   LOCATION, BRANCH, DECISION, CONDITION,
diff --git a/src/goto-instrument/document_properties.cpp b/src/goto-instrument/document_properties.cpp
index e1dad4ffe4..aeb5b43f54 100644
--- a/src/goto-instrument/document_properties.cpp
+++ b/src/goto-instrument/document_properties.cpp
@@ -9,14 +9,14 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Subgoal Documentation
 
+#include "document_properties.h"
+
 #include 
 
 #include 
 
 #include 
 
-#include "document_properties.h"
-
 #define MAXWIDTH 62
 
 class document_propertiest
diff --git a/src/goto-instrument/dot.cpp b/src/goto-instrument/dot.cpp
index 7c9f225289..bf58fe12cd 100644
--- a/src/goto-instrument/dot.cpp
+++ b/src/goto-instrument/dot.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Dump Goto-Program as DOT Graph
 
+#include "dot.h"
+
 #include 
 #include 
 #include 
@@ -20,8 +22,6 @@ Author: Daniel Kroening, kroening@kroening.com
                           "size=\"30,40\";"\
                           "ratio=compress;"
 
-#include "dot.h"
-
 class dott
 {
 public:
diff --git a/src/goto-instrument/dump_c.cpp b/src/goto-instrument/dump_c.cpp
index fa9ebf6335..efa0ac4afc 100644
--- a/src/goto-instrument/dump_c.cpp
+++ b/src/goto-instrument/dump_c.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Dump Goto-Program as C/C++ Source
 
+#include "dump_c.h"
+
 #include 
 #include 
 
@@ -26,8 +28,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include "goto_program2code.h"
 #include "dump_c_class.h"
 
-#include "dump_c.h"
-
 inline std::ostream &operator << (std::ostream &out, dump_ct &src)
 {
   src(out);
diff --git a/src/goto-instrument/full_slicer.cpp b/src/goto-instrument/full_slicer.cpp
index ca8de0f2cf..4b37e2da83 100644
--- a/src/goto-instrument/full_slicer.cpp
+++ b/src/goto-instrument/full_slicer.cpp
@@ -9,6 +9,9 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Slicing
 
+#include "full_slicer.h"
+#include "full_slicer_class.h"
+
 #include 
 #include 
 #ifdef DEBUG_FULL_SLICERT
@@ -16,8 +19,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 
-#include "full_slicer_class.h"
-
 void full_slicert::add_dependencies(
   const cfgt::nodet &node,
   queuet &queue,
diff --git a/src/goto-instrument/function.cpp b/src/goto-instrument/function.cpp
index f6c3ffdce5..9af29573ad 100644
--- a/src/goto-instrument/function.cpp
+++ b/src/goto-instrument/function.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Function Entering and Exiting
 
+#include "function.h"
+
 #include 
 #include 
 #include 
@@ -17,8 +19,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "function.h"
-
 code_function_callt function_to_call(
   symbol_tablet &symbol_table,
   const irep_idt &id,
diff --git a/src/goto-instrument/function_modifies.cpp b/src/goto-instrument/function_modifies.cpp
index f4d18c4a1e..62721a3542 100644
--- a/src/goto-instrument/function_modifies.cpp
+++ b/src/goto-instrument/function_modifies.cpp
@@ -9,10 +9,10 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Modifies
 
-#include 
-
 #include "function_modifies.h"
 
+#include 
+
 void function_modifiest::get_modifies_lhs(
   const local_may_aliast &local_may_alias,
   const goto_programt::const_targett t,
diff --git a/src/goto-instrument/goto_instrument_languages.cpp b/src/goto-instrument/goto_instrument_languages.cpp
index 2193318b13..cf0731573a 100644
--- a/src/goto-instrument/goto_instrument_languages.cpp
+++ b/src/goto-instrument/goto_instrument_languages.cpp
@@ -9,14 +9,14 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Language Registration
 
+#include "goto_instrument_parse_options.h"
+
 #include 
 
 #include 
 #include 
 #include 
 
-#include "goto_instrument_parse_options.h"
-
 void goto_instrument_parse_optionst::register_languages()
 {
   register_language(new_ansi_c_language);
diff --git a/src/goto-instrument/goto_instrument_main.cpp b/src/goto-instrument/goto_instrument_main.cpp
index fb394efbb3..0782ab6352 100644
--- a/src/goto-instrument/goto_instrument_main.cpp
+++ b/src/goto-instrument/goto_instrument_main.cpp
@@ -9,10 +9,10 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Main Module
 
-#include 
-
 #include "goto_instrument_parse_options.h"
 
+#include 
+
 #ifdef _MSC_VER
 int wmain(int argc, const wchar_t **argv_wide)
 {
diff --git a/src/goto-instrument/goto_instrument_parse_options.cpp b/src/goto-instrument/goto_instrument_parse_options.cpp
index 2a3d4ed590..888853c6dc 100644
--- a/src/goto-instrument/goto_instrument_parse_options.cpp
+++ b/src/goto-instrument/goto_instrument_parse_options.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Main Module
 
+#include "goto_instrument_parse_options.h"
+
 #include 
 #include 
 #include 
@@ -60,7 +62,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 
-#include "goto_instrument_parse_options.h"
 #include "document_properties.h"
 #include "uninitialized.h"
 #include "full_slicer.h"
diff --git a/src/goto-instrument/goto_program2code.cpp b/src/goto-instrument/goto_program2code.cpp
index dac40c7b4e..968b49026c 100644
--- a/src/goto-instrument/goto_program2code.cpp
+++ b/src/goto-instrument/goto_program2code.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Dump Goto-Program as C/C++ Source
 
+#include "goto_program2code.h"
+
 #include 
 
 #include 
@@ -19,8 +21,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "goto_program2code.h"
-
 static const exprt &skip_typecast(const exprt &expr)
 {
   if(expr.id()!=ID_typecast)
diff --git a/src/goto-instrument/goto_program2code.h b/src/goto-instrument/goto_program2code.h
index 3bf1ea7404..2093774b70 100644
--- a/src/goto-instrument/goto_program2code.h
+++ b/src/goto-instrument/goto_program2code.h
@@ -13,6 +13,7 @@ Author: Daniel Kroening, kroening@kroening.com
 #define CPROVER_GOTO_INSTRUMENT_GOTO_PROGRAM2CODE_H
 
 #include 
+#include 
 
 #include 
 
diff --git a/src/goto-instrument/havoc_loops.cpp b/src/goto-instrument/havoc_loops.cpp
index 08478565ec..d612a31fc0 100644
--- a/src/goto-instrument/havoc_loops.cpp
+++ b/src/goto-instrument/havoc_loops.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Havoc Loops
 
+#include "havoc_loops.h"
+
 #include 
 
 #include 
@@ -17,7 +19,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 
 #include "function_modifies.h"
-#include "havoc_loops.h"
 
 class havoc_loopst
 {
diff --git a/src/goto-instrument/horn_encoding.cpp b/src/goto-instrument/horn_encoding.cpp
index a1842b28a9..31fcb18784 100644
--- a/src/goto-instrument/horn_encoding.cpp
+++ b/src/goto-instrument/horn_encoding.cpp
@@ -11,10 +11,10 @@ Date: June 2015
 /// \file
 /// Horn-clause Encoding
 
-#include 
-
 #include "horn_encoding.h"
 
+#include 
+
 void horn_encoding(
   const goto_functionst &,
   const namespacet &,
diff --git a/src/goto-instrument/interrupt.cpp b/src/goto-instrument/interrupt.cpp
index 93b1135279..38a5a258ff 100644
--- a/src/goto-instrument/interrupt.cpp
+++ b/src/goto-instrument/interrupt.cpp
@@ -11,6 +11,8 @@ Date: September 2011
 /// \file
 /// Interrupt Instrumentation
 
+#include "interrupt.h"
+
 #include 
 #include 
 #include 
@@ -19,7 +21,6 @@ Date: September 2011
 
 #include 
 
-#include "interrupt.h"
 #include "rw_set.h"
 
 #ifdef LOCAL_MAY
diff --git a/src/goto-instrument/k_induction.cpp b/src/goto-instrument/k_induction.cpp
index 1a39e8f2ea..9a018e1c33 100644
--- a/src/goto-instrument/k_induction.cpp
+++ b/src/goto-instrument/k_induction.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// k-induction
 
+#include "k_induction.h"
+
 #include 
 
 #include 
@@ -18,7 +20,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include "unwind.h"
 #include "loop_utils.h"
-#include "k_induction.h"
 
 class k_inductiont
 {
diff --git a/src/goto-instrument/loop_utils.cpp b/src/goto-instrument/loop_utils.cpp
index 27e2797958..ee02a3b169 100644
--- a/src/goto-instrument/loop_utils.cpp
+++ b/src/goto-instrument/loop_utils.cpp
@@ -9,13 +9,13 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Helper functions for k-induction and loop invariants
 
+#include "loop_utils.h"
+
 #include 
 
 #include 
 #include 
 
-#include "loop_utils.h"
-
 goto_programt::targett get_loop_exit(const loopt &loop)
 {
   assert(!loop.empty());
diff --git a/src/goto-instrument/mmio.cpp b/src/goto-instrument/mmio.cpp
index 99112118d3..a7a21a2f1a 100644
--- a/src/goto-instrument/mmio.cpp
+++ b/src/goto-instrument/mmio.cpp
@@ -11,6 +11,8 @@ Date: September 2011
 /// \file
 /// Memory-mapped I/O Instrumentation for Goto Programs
 
+#include "mmio.h"
+
 #include 
 
 #include 
@@ -31,8 +33,6 @@ Date: September 2011
 #include 
 #endif
 
-#include "mmio.h"
-
 void mmio(
   value_setst &value_sets,
   const symbol_tablet &symbol_table,
diff --git a/src/goto-instrument/model_argc_argv.cpp b/src/goto-instrument/model_argc_argv.cpp
index cc82ab8642..bae8010d90 100644
--- a/src/goto-instrument/model_argc_argv.cpp
+++ b/src/goto-instrument/model_argc_argv.cpp
@@ -11,6 +11,8 @@ Date: April 2016
 /// \file
 /// Initialize command line arguments
 
+#include "model_argc_argv.h"
+
 #include 
 
 #include 
@@ -27,8 +29,6 @@ Date: April 2016
 #include 
 #include 
 
-#include "model_argc_argv.h"
-
 bool model_argc_argv(
   symbol_tablet &symbol_table,
   goto_functionst &goto_functions,
diff --git a/src/goto-instrument/nondet_static.cpp b/src/goto-instrument/nondet_static.cpp
index db5aab9ef3..e5e3b7649c 100644
--- a/src/goto-instrument/nondet_static.cpp
+++ b/src/goto-instrument/nondet_static.cpp
@@ -12,6 +12,8 @@ Date: November 2011
 /// \file
 /// Nondeterministic initialization of certain global scope variables
 
+#include "nondet_static.h"
+
 #include 
 #include 
 #include 
@@ -19,8 +21,6 @@ Date: November 2011
 
 #include 
 
-#include "nondet_static.h"
-
 void nondet_static(
   const namespacet &ns,
   goto_functionst &goto_functions,
diff --git a/src/goto-instrument/nondet_volatile.cpp b/src/goto-instrument/nondet_volatile.cpp
index d85868275d..4da1ebf673 100644
--- a/src/goto-instrument/nondet_volatile.cpp
+++ b/src/goto-instrument/nondet_volatile.cpp
@@ -11,11 +11,11 @@ Date: September 2011
 /// \file
 /// Volatile Variables
 
+#include "nondet_volatile.h"
+
 #include 
 #include 
 
-#include "nondet_volatile.h"
-
 bool is_volatile(
   const symbol_tablet &symbol_table,
   const typet &src)
diff --git a/src/goto-instrument/race_check.cpp b/src/goto-instrument/race_check.cpp
index 952657ff0e..aec5eedda5 100644
--- a/src/goto-instrument/race_check.cpp
+++ b/src/goto-instrument/race_check.cpp
@@ -11,6 +11,8 @@ Date: February 2006
 /// \file
 /// Race Detection for Threaded Goto Programs
 
+#include "race_check.h"
+
 #include 
 #include 
 #include 
@@ -23,7 +25,6 @@ Date: February 2006
 #include 
 #include 
 
-#include "race_check.h"
 #include "rw_set.h"
 
 #ifdef LOCAL_MAY
diff --git a/src/goto-instrument/reachability_slicer.cpp b/src/goto-instrument/reachability_slicer.cpp
index 72b63fa76c..c92333e31a 100644
--- a/src/goto-instrument/reachability_slicer.cpp
+++ b/src/goto-instrument/reachability_slicer.cpp
@@ -9,15 +9,15 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Slicer
 
-#include 
+#include "reachability_slicer.h"
 
+#include 
 
 #include 
 #include 
 #include 
 
 #include "full_slicer_class.h"
-#include "reachability_slicer.h"
 #include "reachability_slicer_class.h"
 
 void reachability_slicert::fixedpoint_assertions(
diff --git a/src/goto-instrument/rw_set.cpp b/src/goto-instrument/rw_set.cpp
index 1d6a4dfff3..39681fe566 100644
--- a/src/goto-instrument/rw_set.cpp
+++ b/src/goto-instrument/rw_set.cpp
@@ -11,6 +11,8 @@ Date: February 2006
 /// \file
 /// Race Detection for Threaded Goto Programs
 
+#include "rw_set.h"
+
 #include 
 #include 
 #include 
@@ -19,8 +21,6 @@ Date: February 2006
 
 #include 
 
-#include "rw_set.h"
-
 void rw_set_baset::output(std::ostream &out) const
 {
   out << "READ:\n";
diff --git a/src/goto-instrument/show_locations.cpp b/src/goto-instrument/show_locations.cpp
index 31993269e6..b02dcb1b09 100644
--- a/src/goto-instrument/show_locations.cpp
+++ b/src/goto-instrument/show_locations.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Show program locations
 
+#include "show_locations.h"
+
 #include 
 
 #include 
@@ -16,8 +18,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 
-#include "show_locations.h"
-
 void show_locations(
   ui_message_handlert::uit ui,
   const irep_idt function_id,
diff --git a/src/goto-instrument/skip_loops.cpp b/src/goto-instrument/skip_loops.cpp
index 55a7e4cd3c..d8be5f1e7e 100644
--- a/src/goto-instrument/skip_loops.cpp
+++ b/src/goto-instrument/skip_loops.cpp
@@ -11,13 +11,13 @@ Date: January 2016
 /// \file
 /// Skip over selected loops by adding gotos
 
+#include "skip_loops.h"
+
 #include 
 #include 
 
 #include 
 
-#include "skip_loops.h"
-
 typedef std::set loop_idst;
 typedef std::map loop_mapt;
 
diff --git a/src/goto-instrument/stack_depth.cpp b/src/goto-instrument/stack_depth.cpp
index e422b54184..2897a4e669 100644
--- a/src/goto-instrument/stack_depth.cpp
+++ b/src/goto-instrument/stack_depth.cpp
@@ -11,6 +11,8 @@ Date: November 2011
 /// \file
 /// Stack depth checks
 
+#include "stack_depth.h"
+
 #include 
 #include 
 #include 
@@ -19,8 +21,6 @@ Date: November 2011
 
 #include 
 
-#include "stack_depth.h"
-
 symbol_exprt add_stack_depth_symbol(symbol_tablet &symbol_table)
 {
   const irep_idt identifier="$stack_depth";
diff --git a/src/goto-instrument/thread_instrumentation.cpp b/src/goto-instrument/thread_instrumentation.cpp
index 1720beb9e1..3cfb0b5775 100644
--- a/src/goto-instrument/thread_instrumentation.cpp
+++ b/src/goto-instrument/thread_instrumentation.cpp
@@ -6,12 +6,11 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "thread_instrumentation.h"
 
 #include 
 #include 
 
-#include "thread_instrumentation.h"
-
 static bool has_start_thread(const goto_programt &goto_program)
 {
   for(const auto &instruction : goto_program.instructions)
diff --git a/src/goto-instrument/undefined_functions.cpp b/src/goto-instrument/undefined_functions.cpp
index cb4c854d8f..f76815d300 100644
--- a/src/goto-instrument/undefined_functions.cpp
+++ b/src/goto-instrument/undefined_functions.cpp
@@ -11,12 +11,12 @@ Date: July 2016
 /// \file
 /// Handling of functions without body
 
+#include "undefined_functions.h"
+
 #include 
 
 #include 
 
-#include "undefined_functions.h"
-
 void list_undefined_functions(
   const goto_functionst &goto_functions,
   const namespacet &ns,
diff --git a/src/goto-instrument/undefined_functions.h b/src/goto-instrument/undefined_functions.h
index 85c6ba7755..e9bb9df6f9 100644
--- a/src/goto-instrument/undefined_functions.h
+++ b/src/goto-instrument/undefined_functions.h
@@ -16,6 +16,8 @@ Date: July 2016
 
 #include 
 
+class namespacet;
+
 class goto_functionst;
 
 void list_undefined_functions(
diff --git a/src/goto-instrument/uninitialized.cpp b/src/goto-instrument/uninitialized.cpp
index c4f0d58829..ca33c6bfbb 100644
--- a/src/goto-instrument/uninitialized.cpp
+++ b/src/goto-instrument/uninitialized.cpp
@@ -11,14 +11,14 @@ Date: January 2010
 /// \file
 /// Detection for Uninitialized Local Variables
 
+#include "uninitialized.h"
+
 #include 
 #include 
 #include 
 
 #include 
 
-#include "uninitialized.h"
-
 class uninitializedt
 {
 public:
diff --git a/src/goto-instrument/unwind.cpp b/src/goto-instrument/unwind.cpp
index f7e8c8d088..78015b22e6 100644
--- a/src/goto-instrument/unwind.cpp
+++ b/src/goto-instrument/unwind.cpp
@@ -10,6 +10,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Loop unwinding
 
+#include "unwind.h"
+
 #ifdef DEBUG
 #include 
 #endif
@@ -18,7 +20,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "unwind.h"
 #include "loop_utils.h"
 
 void parse_unwindset(const std::string &us, unwind_sett &unwind_set)
diff --git a/src/goto-instrument/unwind.h b/src/goto-instrument/unwind.h
index 16ee2cf945..6e86a5d98e 100644
--- a/src/goto-instrument/unwind.h
+++ b/src/goto-instrument/unwind.h
@@ -17,6 +17,8 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
+class goto_functionst;
+
 // -1: do not unwind loop
 typedef std::map> unwind_sett;
 
diff --git a/src/goto-instrument/wmm/cycle_collection.cpp b/src/goto-instrument/wmm/cycle_collection.cpp
index 465b013aa6..caef3e7ee7 100644
--- a/src/goto-instrument/wmm/cycle_collection.cpp
+++ b/src/goto-instrument/wmm/cycle_collection.cpp
@@ -11,10 +11,10 @@ Date: 2012
 /// \file
 /// collection of cycles in graph of abstract events
 
-#include 
-
 #include "event_graph.h"
 
+#include 
+
 /// after the collection, eliminates the executions forbidden by an indirect
 /// thin-air
 void event_grapht::graph_explorert::filter_thin_air(
diff --git a/src/goto-instrument/wmm/data_dp.cpp b/src/goto-instrument/wmm/data_dp.cpp
index d220174c42..d24b17d965 100644
--- a/src/goto-instrument/wmm/data_dp.cpp
+++ b/src/goto-instrument/wmm/data_dp.cpp
@@ -11,9 +11,10 @@ Date: 2012
 /// \file
 /// data dependencies
 
+#include "data_dp.h"
+
 #include 
 
-#include "data_dp.h"
 #include "abstract_event.h"
 
 /// insertion
diff --git a/src/goto-instrument/wmm/fence.cpp b/src/goto-instrument/wmm/fence.cpp
index 7c820f238f..82e9308278 100644
--- a/src/goto-instrument/wmm/fence.cpp
+++ b/src/goto-instrument/wmm/fence.cpp
@@ -11,10 +11,10 @@ Date: February 2012
 /// \file
 /// Fences for instrumentation
 
-#include 
-
 #include "fence.h"
 
+#include 
+
 bool is_fence(
   const goto_programt::instructiont &instruction,
   const namespacet &ns)
diff --git a/src/goto-instrument/wmm/goto2graph.cpp b/src/goto-instrument/wmm/goto2graph.cpp
index 77338b3ead..7828ac8008 100644
--- a/src/goto-instrument/wmm/goto2graph.cpp
+++ b/src/goto-instrument/wmm/goto2graph.cpp
@@ -11,6 +11,8 @@ Date: 2012
 /// \file
 /// Turns a goto-program into an abstract event graph
 
+#include "goto2graph.h"
+
 #include 
 #include 
 #include 
@@ -28,7 +30,6 @@ Date: 2012
 
 #include "../rw_set.h"
 #include "fence.h"
-#include "goto2graph.h"
 
 // #define PRINT_UNSAFES
 
diff --git a/src/goto-instrument/wmm/instrumenter_strategies.cpp b/src/goto-instrument/wmm/instrumenter_strategies.cpp
index 258eec8df0..df22da5254 100644
--- a/src/goto-instrument/wmm/instrumenter_strategies.cpp
+++ b/src/goto-instrument/wmm/instrumenter_strategies.cpp
@@ -11,12 +11,11 @@ Date: 2012
 /// \file
 /// Strategies for picking the abstract events to instrument
 
+#include "goto2graph.h"
+
 #include 
 #include 
 
-
-#include "goto2graph.h"
-
 #ifdef HAVE_GLPK
 #include 
 #include 
diff --git a/src/goto-instrument/wmm/pair_collection.cpp b/src/goto-instrument/wmm/pair_collection.cpp
index a2bd0880eb..bceae75663 100644
--- a/src/goto-instrument/wmm/pair_collection.cpp
+++ b/src/goto-instrument/wmm/pair_collection.cpp
@@ -13,12 +13,12 @@ Date: 2013
 /// collection of pairs (for Pensieve's static delay-set analysis) in graph of
 ///   abstract events
 
+#include "event_graph.h"
+
 #include 
 
 #include 
 
-#include "event_graph.h"
-
 #define OUTPUT(s, fence, file, line, id, type)  \
   s<
 
 #include 
@@ -29,7 +31,6 @@ Date: September 2011
 
 #include "../rw_set.h"
 
-#include "weak_memory.h"
 #include "shared_buffers.h"
 #include "goto2graph.h"
 
diff --git a/src/goto-instrument/wmm/weak_memory.h b/src/goto-instrument/wmm/weak_memory.h
index 7dbf31b8c9..34b98e6a76 100644
--- a/src/goto-instrument/wmm/weak_memory.h
+++ b/src/goto-instrument/wmm/weak_memory.h
@@ -16,10 +16,14 @@ Date: September 2011
 
 #include "wmm.h"
 
+#include "util/irep.h"
+
 class value_setst;
 class goto_functionst;
 class symbol_tablet;
 class message_handlert;
+class goto_programt;
+class messaget;
 
 void weak_memory(
   memory_modelt model,

From 70b352c30eab165ab16720667a5fbfe7049fb8c0 Mon Sep 17 00:00:00 2001
From: reuk 
Date: Sun, 7 May 2017 13:47:26 +0100
Subject: [PATCH 51/89] Fix include order in goto-programs

---
 src/goto-programs/builtin_functions.cpp            | 3 ++-
 src/goto-programs/class_hierarchy.cpp              | 4 ++--
 src/goto-programs/compute_called_functions.cpp     | 4 ++--
 src/goto-programs/destructor.cpp                   | 4 ++--
 src/goto-programs/destructor.h                     | 2 +-
 src/goto-programs/elf_reader.cpp                   | 4 ++--
 src/goto-programs/format_strings.cpp               | 4 ++--
 src/goto-programs/goto_clean_expr.cpp              | 4 ++--
 src/goto-programs/goto_convert.cpp                 | 3 ++-
 src/goto-programs/goto_convert_exceptions.cpp      | 4 ++--
 src/goto-programs/goto_convert_function_call.cpp   | 4 ++--
 src/goto-programs/goto_convert_functions.cpp       | 3 ++-
 src/goto-programs/goto_convert_new_switch_case.cpp | 3 ++-
 src/goto-programs/goto_convert_side_effect.cpp     | 4 ++--
 src/goto-programs/goto_inline.cpp                  | 3 ++-
 src/goto-programs/goto_inline_class.cpp            | 3 ++-
 src/goto-programs/goto_program.cpp                 | 4 ++--
 src/goto-programs/goto_program_irep.cpp            | 4 ++--
 src/goto-programs/goto_program_template.cpp        | 4 ++--
 src/goto-programs/goto_trace.cpp                   | 4 ++--
 src/goto-programs/graphml_witness.cpp              | 4 ++--
 src/goto-programs/initialize_goto_model.cpp        | 3 ++-
 src/goto-programs/interpreter.cpp                  | 3 ++-
 src/goto-programs/interpreter_evaluate.cpp         | 4 ++--
 src/goto-programs/json_goto_trace.cpp              | 4 ++--
 src/goto-programs/link_to_library.cpp              | 3 ++-
 src/goto-programs/loop_ids.cpp                     | 4 ++--
 src/goto-programs/mm_io.cpp                        | 3 ++-
 src/goto-programs/osx_fat_reader.cpp               | 4 ++--
 src/goto-programs/parameter_assignments.cpp        | 4 ++--
 src/goto-programs/pointer_arithmetic.cpp           | 3 +--
 src/goto-programs/read_bin_goto_object.cpp         | 3 ++-
 src/goto-programs/read_goto_binary.cpp             | 3 ++-
 src/goto-programs/remove_asm.cpp                   | 4 ++--
 src/goto-programs/remove_complex.cpp               | 4 ++--
 src/goto-programs/remove_exceptions.cpp            | 4 ++--
 src/goto-programs/remove_function_pointers.cpp     | 3 ++-
 src/goto-programs/remove_instanceof.cpp            | 4 +++-
 src/goto-programs/remove_returns.cpp               | 4 ++--
 src/goto-programs/remove_static_init_loops.cpp     | 4 ++--
 src/goto-programs/remove_unreachable.cpp           | 4 ++--
 src/goto-programs/remove_unused_functions.cpp      | 4 ++--
 src/goto-programs/remove_vector.cpp                | 4 ++--
 src/goto-programs/remove_virtual_functions.cpp     | 3 ++-
 src/goto-programs/set_properties.cpp               | 5 ++---
 src/goto-programs/show_goto_functions.cpp          | 3 ++-
 src/goto-programs/show_goto_functions_json.cpp     | 3 ++-
 src/goto-programs/show_goto_functions_xml.cpp      | 5 ++---
 src/goto-programs/show_properties.cpp              | 3 ++-
 src/goto-programs/show_symbol_table.cpp            | 3 ++-
 src/goto-programs/slice_global_inits.cpp           | 4 ++--
 src/goto-programs/string_abstraction.cpp           | 3 ++-
 src/goto-programs/string_instrumentation.cpp       | 4 ++--
 src/goto-programs/string_instrumentation.h         | 2 ++
 src/goto-programs/vcd_goto_trace.cpp               | 4 ++--
 src/goto-programs/wp.cpp                           | 4 ++--
 src/goto-programs/write_goto_binary.cpp            | 4 ++--
 src/goto-programs/xml_goto_trace.cpp               | 4 ++--
 58 files changed, 115 insertions(+), 95 deletions(-)

diff --git a/src/goto-programs/builtin_functions.cpp b/src/goto-programs/builtin_functions.cpp
index a5bf81a722..e7b128ff28 100644
--- a/src/goto-programs/builtin_functions.cpp
+++ b/src/goto-programs/builtin_functions.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Program Transformation
 
+#include "goto_convert_class.h"
+
 #include 
 
 #include 
@@ -30,7 +32,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "goto_convert_class.h"
 #include "format_strings.h"
 
 void goto_convertt::do_prob_uniform(
diff --git a/src/goto-programs/class_hierarchy.cpp b/src/goto-programs/class_hierarchy.cpp
index 77323aa83e..0f2fb6c5de 100644
--- a/src/goto-programs/class_hierarchy.cpp
+++ b/src/goto-programs/class_hierarchy.cpp
@@ -11,13 +11,13 @@ Date: April 2016
 /// \file
 /// Class Hierarchy
 
+#include "class_hierarchy.h"
+
 #include 
 
 #include 
 #include 
 
-#include "class_hierarchy.h"
-
 /// Looks for all the struct types in the symbol table and construct a map from
 /// class names to a data structure that contains lists of parent and child
 /// classes for each struct type (ie class).
diff --git a/src/goto-programs/compute_called_functions.cpp b/src/goto-programs/compute_called_functions.cpp
index 251a89c505..36e2b7a1a8 100644
--- a/src/goto-programs/compute_called_functions.cpp
+++ b/src/goto-programs/compute_called_functions.cpp
@@ -9,10 +9,10 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Query Called Functions
 
-#include 
-
 #include "compute_called_functions.h"
 
+#include 
+
 /// get all functions whose address is taken
 void compute_address_taken_functions(
   const exprt &src,
diff --git a/src/goto-programs/destructor.cpp b/src/goto-programs/destructor.cpp
index 956734ddee..3efdd50c5b 100644
--- a/src/goto-programs/destructor.cpp
+++ b/src/goto-programs/destructor.cpp
@@ -9,11 +9,11 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Destructor Calls
 
+#include "destructor.h"
+
 #include 
 #include 
 
-#include "destructor.h"
-
 code_function_callt get_destructor(
   const namespacet &ns,
   const typet &type)
diff --git a/src/goto-programs/destructor.h b/src/goto-programs/destructor.h
index 3fd62efb0c..737ada1d93 100644
--- a/src/goto-programs/destructor.h
+++ b/src/goto-programs/destructor.h
@@ -15,7 +15,7 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-code_function_callt get_destructor(
+class code_function_callt get_destructor(
   const namespacet &ns,
   const typet &type);
 
diff --git a/src/goto-programs/elf_reader.cpp b/src/goto-programs/elf_reader.cpp
index 1668a88c8b..39bc20de7c 100644
--- a/src/goto-programs/elf_reader.cpp
+++ b/src/goto-programs/elf_reader.cpp
@@ -9,10 +9,10 @@ Author:
 /// \file
 /// Read ELF
 
-#include 
-
 #include "elf_reader.h"
 
+#include 
+
 elf_readert::elf_readert(std::istream &_in):in(_in)
 {
   // read 32-bit header
diff --git a/src/goto-programs/format_strings.cpp b/src/goto-programs/format_strings.cpp
index 0d8dd959ec..91c229e8d7 100644
--- a/src/goto-programs/format_strings.cpp
+++ b/src/goto-programs/format_strings.cpp
@@ -9,6 +9,8 @@ Author: CM Wintersteiger
 /// \file
 /// Format String Parser
 
+#include "format_strings.h"
+
 #include 
 #include 
 
@@ -16,8 +18,6 @@ Author: CM Wintersteiger
 
 #include 
 
-#include "format_strings.h"
-
 void parse_flags(
   std::string::const_iterator &it,
   format_tokent &curtok)
diff --git a/src/goto-programs/goto_clean_expr.cpp b/src/goto-programs/goto_clean_expr.cpp
index 6df78c5af9..ad5fea6ac5 100644
--- a/src/goto-programs/goto_clean_expr.cpp
+++ b/src/goto-programs/goto_clean_expr.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Program Transformation
 
+#include "goto_convert_class.h"
+
 #include 
 #include 
 #include 
@@ -17,8 +19,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 
-#include "goto_convert_class.h"
-
 symbol_exprt goto_convertt::make_compound_literal(
   const exprt &expr,
   goto_programt &dest)
diff --git a/src/goto-programs/goto_convert.cpp b/src/goto-programs/goto_convert.cpp
index 5b48fb0670..3218d3f7f8 100644
--- a/src/goto-programs/goto_convert.cpp
+++ b/src/goto-programs/goto_convert.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Program Transformation
 
+#include "goto_convert.h"
+
 #include 
 
 #include 
@@ -22,7 +24,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 
-#include "goto_convert.h"
 #include "goto_convert_class.h"
 #include "destructor.h"
 
diff --git a/src/goto-programs/goto_convert_exceptions.cpp b/src/goto-programs/goto_convert_exceptions.cpp
index 0f17c7c011..581ae2bcec 100644
--- a/src/goto-programs/goto_convert_exceptions.cpp
+++ b/src/goto-programs/goto_convert_exceptions.cpp
@@ -9,10 +9,10 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Program Transformation
 
-#include 
-
 #include "goto_convert_class.h"
 
+#include 
+
 void goto_convertt::convert_msc_try_finally(
   const codet &code,
   goto_programt &dest)
diff --git a/src/goto-programs/goto_convert_function_call.cpp b/src/goto-programs/goto_convert_function_call.cpp
index c8688cc6c7..85d5d75358 100644
--- a/src/goto-programs/goto_convert_function_call.cpp
+++ b/src/goto-programs/goto_convert_function_call.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Program Transformation
 
+#include "goto_convert_class.h"
+
 #include 
 
 #include 
@@ -19,8 +21,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 
-#include "goto_convert_class.h"
-
 void goto_convertt::convert_function_call(
   const code_function_callt &function_call,
   goto_programt &dest)
diff --git a/src/goto-programs/goto_convert_functions.cpp b/src/goto-programs/goto_convert_functions.cpp
index 69f35bbdbe..2b334994e7 100644
--- a/src/goto-programs/goto_convert_functions.cpp
+++ b/src/goto-programs/goto_convert_functions.cpp
@@ -8,6 +8,8 @@ Date: June 2003
 
 \*******************************************************************/
 
+#include "goto_convert_functions.h"
+
 #include 
 
 #include 
@@ -15,7 +17,6 @@ Date: June 2003
 #include 
 #include 
 
-#include "goto_convert_functions.h"
 #include "goto_inline.h"
 
 goto_convert_functionst::goto_convert_functionst(
diff --git a/src/goto-programs/goto_convert_new_switch_case.cpp b/src/goto-programs/goto_convert_new_switch_case.cpp
index 315d9ae810..290c3a241e 100644
--- a/src/goto-programs/goto_convert_new_switch_case.cpp
+++ b/src/goto-programs/goto_convert_new_switch_case.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Program Transformation
 
+#include "goto_convert_class.h"
+
 #include 
 
 #include 
@@ -21,7 +23,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 
 #include "goto_convert.h"
-#include "goto_convert_class.h"
 #include "destructor.h"
 
 static bool is_empty(const goto_programt &goto_program)
diff --git a/src/goto-programs/goto_convert_side_effect.cpp b/src/goto-programs/goto_convert_side_effect.cpp
index 1ed77b3166..1d12ba8e9d 100644
--- a/src/goto-programs/goto_convert_side_effect.cpp
+++ b/src/goto-programs/goto_convert_side_effect.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Program Transformation
 
+#include "goto_convert_class.h"
+
 #include 
 #include 
 #include 
@@ -18,8 +20,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 
-#include "goto_convert_class.h"
-
 bool goto_convertt::has_function_call(const exprt &expr)
 {
   forall_operands(it, expr)
diff --git a/src/goto-programs/goto_inline.cpp b/src/goto-programs/goto_inline.cpp
index 58db12c183..49aca830b3 100644
--- a/src/goto-programs/goto_inline.cpp
+++ b/src/goto-programs/goto_inline.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Function Inlining
 
+#include "goto_inline.h"
+
 #include 
 
 #include 
@@ -18,7 +20,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 
 #include "remove_skip.h"
-#include "goto_inline.h"
 #include "goto_inline_class.h"
 
 void goto_inline(
diff --git a/src/goto-programs/goto_inline_class.cpp b/src/goto-programs/goto_inline_class.cpp
index 592630f144..355c25d6d2 100644
--- a/src/goto-programs/goto_inline_class.cpp
+++ b/src/goto-programs/goto_inline_class.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Function Inlining
 
+#include "goto_inline_class.h"
+
 #ifdef DEBUG
 #include 
 #endif
@@ -24,7 +26,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include "remove_skip.h"
 #include "goto_inline.h"
-#include "goto_inline_class.h"
 
 void goto_inlinet::parameter_assignments(
   const goto_programt::targett target,
diff --git a/src/goto-programs/goto_program.cpp b/src/goto-programs/goto_program.cpp
index be564d3715..347e156e58 100644
--- a/src/goto-programs/goto_program.cpp
+++ b/src/goto-programs/goto_program.cpp
@@ -9,14 +9,14 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Program Transformation
 
+#include "goto_program.h"
+
 #include 
 
 #include 
 
 #include 
 
-#include "goto_program.h"
-
 /// See below.
 /// \param ns: the namespace to resolve the expressions in
 /// \param identifier: the identifier used to find a symbol to identify the
diff --git a/src/goto-programs/goto_program_irep.cpp b/src/goto-programs/goto_program_irep.cpp
index 8e473a3341..91ffd45065 100644
--- a/src/goto-programs/goto_program_irep.cpp
+++ b/src/goto-programs/goto_program_irep.cpp
@@ -11,12 +11,12 @@ Date: May 2007
 /// \file
 /// goto_programt -> irep conversion
 
+#include "goto_program_irep.h"
+
 #include 
 
 #include 
 
-#include "goto_program_irep.h"
-
 void convert(const goto_programt::instructiont &instruction, irept &irep)
 {
   irep.set(ID_code, instruction.code);
diff --git a/src/goto-programs/goto_program_template.cpp b/src/goto-programs/goto_program_template.cpp
index bc4522a684..89b310c8d0 100644
--- a/src/goto-programs/goto_program_template.cpp
+++ b/src/goto-programs/goto_program_template.cpp
@@ -9,10 +9,10 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Goto Program Template
 
-#include 
-
 #include "goto_program_template.h"
 
+#include 
+
 std::ostream &operator<<(std::ostream &out, goto_program_instruction_typet t)
 {
   switch(t)
diff --git a/src/goto-programs/goto_trace.cpp b/src/goto-programs/goto_trace.cpp
index 4485aed515..ddea10e38d 100644
--- a/src/goto-programs/goto_trace.cpp
+++ b/src/goto-programs/goto_trace.cpp
@@ -11,6 +11,8 @@ Author: Daniel Kroening
 /// \file
 /// Traces of GOTO Programs
 
+#include "goto_trace.h"
+
 #include 
 #include 
 
@@ -20,8 +22,6 @@ Author: Daniel Kroening
 #include 
 #include 
 
-#include "goto_trace.h"
-
 void goto_tracet::output(
   const class namespacet &ns,
   std::ostream &out) const
diff --git a/src/goto-programs/graphml_witness.cpp b/src/goto-programs/graphml_witness.cpp
index 2362d8f146..4f4f6f5674 100644
--- a/src/goto-programs/graphml_witness.cpp
+++ b/src/goto-programs/graphml_witness.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening
 /// \file
 /// Witnesses for Traces and Proofs
 
+#include "graphml_witness.h"
+
 #include 
 #include 
 #include 
@@ -16,8 +18,6 @@ Author: Daniel Kroening
 #include 
 #include 
 
-#include "graphml_witness.h"
-
 void graphml_witnesst::remove_l0_l1(exprt &expr)
 {
   if(expr.id()==ID_symbol)
diff --git a/src/goto-programs/initialize_goto_model.cpp b/src/goto-programs/initialize_goto_model.cpp
index df678c522c..d284bc403c 100644
--- a/src/goto-programs/initialize_goto_model.cpp
+++ b/src/goto-programs/initialize_goto_model.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Get a Goto Program
 
+#include "initialize_goto_model.h"
+
 #include 
 #include 
 
@@ -21,7 +23,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include "goto_convert_functions.h"
 #include "read_goto_binary.h"
-#include "initialize_goto_model.h"
 
 bool initialize_goto_model(
   goto_modelt &goto_model,
diff --git a/src/goto-programs/interpreter.cpp b/src/goto-programs/interpreter.cpp
index 8a5c23f1a6..a79910b765 100644
--- a/src/goto-programs/interpreter.cpp
+++ b/src/goto-programs/interpreter.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Interpreter for GOTO Programs
 
+#include "interpreter.h"
+
 #include 
 #include 
 #include 
@@ -17,7 +19,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "interpreter.h"
 #include "interpreter_class.h"
 
 void interpretert::operator()()
diff --git a/src/goto-programs/interpreter_evaluate.cpp b/src/goto-programs/interpreter_evaluate.cpp
index 43a072cfaf..ac84831561 100644
--- a/src/goto-programs/interpreter_evaluate.cpp
+++ b/src/goto-programs/interpreter_evaluate.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Interpreter for GOTO Programs
 
+#include "interpreter_class.h"
+
 #include 
 #include 
 
@@ -16,8 +18,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "interpreter_class.h"
-
 void interpretert::read(
   mp_integer address,
   std::vector &dest) const
diff --git a/src/goto-programs/json_goto_trace.cpp b/src/goto-programs/json_goto_trace.cpp
index ddc9f44ad3..744e26500d 100644
--- a/src/goto-programs/json_goto_trace.cpp
+++ b/src/goto-programs/json_goto_trace.cpp
@@ -11,14 +11,14 @@ Author: Daniel Kroening
 /// \file
 /// Traces of GOTO Programs
 
+#include "json_goto_trace.h"
+
 #include 
 
 #include 
 
 #include 
 
-#include "json_goto_trace.h"
-
 void convert(
   const namespacet &ns,
   const goto_tracet &goto_trace,
diff --git a/src/goto-programs/link_to_library.cpp b/src/goto-programs/link_to_library.cpp
index f78abb5dc3..2464aca83f 100644
--- a/src/goto-programs/link_to_library.cpp
+++ b/src/goto-programs/link_to_library.cpp
@@ -9,11 +9,12 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Library Linking
 
+#include "link_to_library.h"
+
 #include 
 
 #include 
 
-#include "link_to_library.h"
 #include "compute_called_functions.h"
 #include "goto_convert_functions.h"
 
diff --git a/src/goto-programs/loop_ids.cpp b/src/goto-programs/loop_ids.cpp
index 46ca3ad3e8..5f4c560a0b 100644
--- a/src/goto-programs/loop_ids.cpp
+++ b/src/goto-programs/loop_ids.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Loop IDs
 
+#include "loop_ids.h"
+
 #include 
 
 #include 
@@ -16,8 +18,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "loop_ids.h"
-
 void show_loop_ids(
   ui_message_handlert::uit ui,
   const goto_modelt &goto_model)
diff --git a/src/goto-programs/mm_io.cpp b/src/goto-programs/mm_io.cpp
index 7d639eed9c..16ffc1063d 100644
--- a/src/goto-programs/mm_io.cpp
+++ b/src/goto-programs/mm_io.cpp
@@ -11,12 +11,13 @@ Date:   April 2017
 /// \file
 /// Perform Memory-mapped I/O instrumentation
 
+#include "mm_io.h"
+
 #include 
 #include 
 #include 
 
 #include "remove_returns.h"
-#include "mm_io.h"
 
 void collect_deref_expr(
   const exprt &src,
diff --git a/src/goto-programs/osx_fat_reader.cpp b/src/goto-programs/osx_fat_reader.cpp
index 93bc0f93db..c8a853922f 100644
--- a/src/goto-programs/osx_fat_reader.cpp
+++ b/src/goto-programs/osx_fat_reader.cpp
@@ -9,11 +9,11 @@ Author:
 /// \file
 /// Read Mach-O
 
+#include "osx_fat_reader.h"
+
 #include 
 #include 
 
-#include "osx_fat_reader.h"
-
 #ifdef __APPLE__
 #include 
 #endif
diff --git a/src/goto-programs/parameter_assignments.cpp b/src/goto-programs/parameter_assignments.cpp
index 98d9f80a1c..747ed374b2 100644
--- a/src/goto-programs/parameter_assignments.cpp
+++ b/src/goto-programs/parameter_assignments.cpp
@@ -11,11 +11,11 @@ Date:   September 2015
 /// \file
 /// Add parameter assignments
 
+#include "parameter_assignments.h"
+
 #include 
 #include 
 
-#include "parameter_assignments.h"
-
 class parameter_assignmentst
 {
 public:
diff --git a/src/goto-programs/pointer_arithmetic.cpp b/src/goto-programs/pointer_arithmetic.cpp
index 9911e3432c..a89e1c0421 100644
--- a/src/goto-programs/pointer_arithmetic.cpp
+++ b/src/goto-programs/pointer_arithmetic.cpp
@@ -6,12 +6,11 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "pointer_arithmetic.h"
 
 #include 
 #include 
 
-#include "pointer_arithmetic.h"
-
 pointer_arithmetict::pointer_arithmetict(const exprt &src)
 {
   pointer.make_nil();
diff --git a/src/goto-programs/read_bin_goto_object.cpp b/src/goto-programs/read_bin_goto_object.cpp
index faad12665a..1286d28e0b 100644
--- a/src/goto-programs/read_bin_goto_object.cpp
+++ b/src/goto-programs/read_bin_goto_object.cpp
@@ -11,13 +11,14 @@ Date: June 2006
 /// \file
 /// Read goto object files.
 
+#include "read_bin_goto_object.h"
+
 #include 
 #include 
 #include 
 #include 
 
 #include "goto_functions.h"
-#include "read_bin_goto_object.h"
 
 /// read goto binary format v3
 /// \par parameters: input stream, symbol_table, functions
diff --git a/src/goto-programs/read_goto_binary.cpp b/src/goto-programs/read_goto_binary.cpp
index 6eaede5fd9..1a4887cf0e 100644
--- a/src/goto-programs/read_goto_binary.cpp
+++ b/src/goto-programs/read_goto_binary.cpp
@@ -9,6 +9,8 @@ Author:
 /// \file
 /// Read Goto Programs
 
+#include "read_goto_binary.h"
+
 #if defined(__linux__) || \
     defined(__FreeBSD_kernel__) || \
     defined(__GNU__) || \
@@ -32,7 +34,6 @@ Author:
 #include 
 
 #include "goto_model.h"
-#include "read_goto_binary.h"
 #include "read_bin_goto_object.h"
 #include "elf_reader.h"
 #include "osx_fat_reader.h"
diff --git a/src/goto-programs/remove_asm.cpp b/src/goto-programs/remove_asm.cpp
index c40fbb8334..bd3517ce0a 100644
--- a/src/goto-programs/remove_asm.cpp
+++ b/src/goto-programs/remove_asm.cpp
@@ -12,6 +12,8 @@ Date:   December 2014
 /// \file
 /// Remove 'asm' statements by compiling into suitable standard code
 
+#include "remove_asm.h"
+
 #include 
 
 #include 
@@ -19,8 +21,6 @@ Date:   December 2014
 #include 
 #include 
 
-#include "remove_asm.h"
-
 class remove_asmt
 {
 public:
diff --git a/src/goto-programs/remove_complex.cpp b/src/goto-programs/remove_complex.cpp
index bb031082bd..13ff90f908 100644
--- a/src/goto-programs/remove_complex.cpp
+++ b/src/goto-programs/remove_complex.cpp
@@ -11,10 +11,10 @@ Date:   September 2014
 /// \file
 /// Remove 'complex' data type
 
-#include 
-
 #include "remove_complex.h"
 
+#include 
+
 static exprt complex_member(const exprt &expr, irep_idt id)
 {
   if(expr.id()==ID_struct && expr.operands().size()==2)
diff --git a/src/goto-programs/remove_exceptions.cpp b/src/goto-programs/remove_exceptions.cpp
index 320c0c7385..4b24980f5b 100644
--- a/src/goto-programs/remove_exceptions.cpp
+++ b/src/goto-programs/remove_exceptions.cpp
@@ -11,6 +11,8 @@ Date:   December 2016
 /// \file
 /// Remove exception handling
 
+#include "remove_exceptions.h"
+
 #ifdef DEBUG
 #include 
 #endif
@@ -21,8 +23,6 @@ Date:   December 2016
 #include 
 #include 
 
-#include "remove_exceptions.h"
-
 class remove_exceptionst
 {
   typedef std::vector
 
 #include 
@@ -25,7 +27,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 
 #include "remove_skip.h"
-#include "remove_function_pointers.h"
 #include "compute_called_functions.h"
 #include "remove_const_function_pointers.h"
 
diff --git a/src/goto-programs/remove_instanceof.cpp b/src/goto-programs/remove_instanceof.cpp
index ec895ff800..bc76c7e599 100644
--- a/src/goto-programs/remove_instanceof.cpp
+++ b/src/goto-programs/remove_instanceof.cpp
@@ -9,9 +9,11 @@ Author: Chris Smowton, chris.smowton@diffblue.com
 /// \file
 /// Remove Instance-of Operators
 
+#include "remove_instanceof.h"
+
 #include "class_hierarchy.h"
 #include "class_identifier.h"
-#include "remove_instanceof.h"
+
 #include 
 
 #include 
diff --git a/src/goto-programs/remove_returns.cpp b/src/goto-programs/remove_returns.cpp
index fd8f49df4b..d74e135693 100644
--- a/src/goto-programs/remove_returns.cpp
+++ b/src/goto-programs/remove_returns.cpp
@@ -11,11 +11,11 @@ Date:   September 2009
 /// \file
 /// Remove function return values
 
+#include "remove_returns.h"
+
 #include 
 #include 
 
-#include "remove_returns.h"
-
 class remove_returnst
 {
 public:
diff --git a/src/goto-programs/remove_static_init_loops.cpp b/src/goto-programs/remove_static_init_loops.cpp
index 1c5065c63d..b30cc2a9cb 100644
--- a/src/goto-programs/remove_static_init_loops.cpp
+++ b/src/goto-programs/remove_static_init_loops.cpp
@@ -9,14 +9,14 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Unwind loops in static initializers
 
+#include "remove_static_init_loops.h"
+
 #include 
 
 #include 
 #include 
 #include 
 
-#include "remove_static_init_loops.h"
-
 class remove_static_init_loopst
 {
 public:
diff --git a/src/goto-programs/remove_unreachable.cpp b/src/goto-programs/remove_unreachable.cpp
index 1e34355ab9..562546f377 100644
--- a/src/goto-programs/remove_unreachable.cpp
+++ b/src/goto-programs/remove_unreachable.cpp
@@ -9,11 +9,11 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Program Transformation
 
+#include "remove_unreachable.h"
+
 #include 
 #include 
 
-#include "remove_unreachable.h"
-
 /// remove unreachable code
 void remove_unreachable(goto_programt &goto_program)
 {
diff --git a/src/goto-programs/remove_unused_functions.cpp b/src/goto-programs/remove_unused_functions.cpp
index 5f41e1d608..fd2d8cca61 100644
--- a/src/goto-programs/remove_unused_functions.cpp
+++ b/src/goto-programs/remove_unused_functions.cpp
@@ -9,10 +9,10 @@ Author: CM Wintersteiger
 /// \file
 /// Unused function removal
 
-#include 
-
 #include "remove_unused_functions.h"
 
+#include 
+
 void remove_unused_functions(
   goto_functionst &functions,
   message_handlert &message_handler)
diff --git a/src/goto-programs/remove_vector.cpp b/src/goto-programs/remove_vector.cpp
index 827bbb322d..c0e9003396 100644
--- a/src/goto-programs/remove_vector.cpp
+++ b/src/goto-programs/remove_vector.cpp
@@ -11,10 +11,10 @@ Date:   September 2014
 /// \file
 /// Remove 'vector' data type
 
-#include 
-
 #include "remove_vector.h"
 
+#include 
+
 static bool have_to_remove_vector(const typet &type);
 
 static bool have_to_remove_vector(const exprt &expr)
diff --git a/src/goto-programs/remove_virtual_functions.cpp b/src/goto-programs/remove_virtual_functions.cpp
index e766b08927..c512e2b321 100644
--- a/src/goto-programs/remove_virtual_functions.cpp
+++ b/src/goto-programs/remove_virtual_functions.cpp
@@ -9,12 +9,13 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Remove Virtual Function (Method) Calls
 
+#include "remove_virtual_functions.h"
+
 #include 
 #include 
 
 #include "class_hierarchy.h"
 #include "class_identifier.h"
-#include "remove_virtual_functions.h"
 
 class remove_virtual_functionst
 {
diff --git a/src/goto-programs/set_properties.cpp b/src/goto-programs/set_properties.cpp
index 303d8a9367..5861d8d2fd 100644
--- a/src/goto-programs/set_properties.cpp
+++ b/src/goto-programs/set_properties.cpp
@@ -9,12 +9,11 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Set Properties
 
+#include "set_properties.h"
+
 #include 
 #include 
 
-
-#include "set_properties.h"
-
 void set_properties(
   goto_programt &goto_program,
   std::unordered_set &property_set)
diff --git a/src/goto-programs/show_goto_functions.cpp b/src/goto-programs/show_goto_functions.cpp
index 516d2e6a3d..05ff49f7ca 100644
--- a/src/goto-programs/show_goto_functions.cpp
+++ b/src/goto-programs/show_goto_functions.cpp
@@ -9,6 +9,8 @@ Author: Peter Schrammel
 /// \file
 /// Show goto functions
 
+#include "show_goto_functions.h"
+
 #include 
 
 #include 
@@ -22,7 +24,6 @@ Author: Peter Schrammel
 #include 
 #include 
 
-#include "show_goto_functions.h"
 #include "goto_functions.h"
 #include "goto_model.h"
 
diff --git a/src/goto-programs/show_goto_functions_json.cpp b/src/goto-programs/show_goto_functions_json.cpp
index 6afbf023c6..3cb1dfd4dd 100644
--- a/src/goto-programs/show_goto_functions_json.cpp
+++ b/src/goto-programs/show_goto_functions_json.cpp
@@ -9,6 +9,8 @@ Author: Thomas Kiley
 /// \file
 /// Goto Program
 
+#include "show_goto_functions_json.h"
+
 #include 
 #include 
 
@@ -21,7 +23,6 @@ Author: Thomas Kiley
 
 #include "goto_functions.h"
 #include "goto_model.h"
-#include "show_goto_functions_json.h"
 
 /// For outputting the GOTO program in a readable JSON format.
 /// \param ns: the namespace to use to resolve names with
diff --git a/src/goto-programs/show_goto_functions_xml.cpp b/src/goto-programs/show_goto_functions_xml.cpp
index 10e624902e..3342407494 100644
--- a/src/goto-programs/show_goto_functions_xml.cpp
+++ b/src/goto-programs/show_goto_functions_xml.cpp
@@ -9,10 +9,11 @@ Author: Thomas Kiley
 /// \file
 /// Goto Program
 
+#include "show_goto_functions_xml.h"
+
 #include 
 #include 
 
-
 #include 
 #include 
 #include 
@@ -22,8 +23,6 @@ Author: Thomas Kiley
 #include "goto_functions.h"
 #include "goto_model.h"
 
-#include "show_goto_functions_xml.h"
-
 /// For outputting the GOTO program in a readable xml format.
 /// \param ns: the namespace to use to resolve names with
 show_goto_functions_xmlt::show_goto_functions_xmlt(const namespacet &ns):
diff --git a/src/goto-programs/show_properties.cpp b/src/goto-programs/show_properties.cpp
index a052a8aaec..df88b4cb8b 100644
--- a/src/goto-programs/show_properties.cpp
+++ b/src/goto-programs/show_properties.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Show Claims
 
+#include "show_properties.h"
+
 #include 
 
 #include 
@@ -18,7 +20,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 
-#include "show_properties.h"
 #include "goto_functions.h"
 #include "goto_model.h"
 
diff --git a/src/goto-programs/show_symbol_table.cpp b/src/goto-programs/show_symbol_table.cpp
index 60460147e5..1d5ce87f5a 100644
--- a/src/goto-programs/show_symbol_table.cpp
+++ b/src/goto-programs/show_symbol_table.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Show the symbol table
 
+#include "show_symbol_table.h"
+
 #include 
 #include 
 
@@ -16,7 +18,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 
 #include "goto_model.h"
-#include "show_symbol_table.h"
 
 void show_symbol_table_xml_ui()
 {
diff --git a/src/goto-programs/slice_global_inits.cpp b/src/goto-programs/slice_global_inits.cpp
index 5496a8266a..2518a754af 100644
--- a/src/goto-programs/slice_global_inits.cpp
+++ b/src/goto-programs/slice_global_inits.cpp
@@ -11,6 +11,8 @@ Date:   December 2016
 /// \file
 /// Remove initializations of unused global variables
 
+#include "slice_global_inits.h"
+
 #include 
 
 #include 
@@ -23,8 +25,6 @@ Date:   December 2016
 #include 
 #include 
 
-#include "slice_global_inits.h"
-
 void slice_global_inits(
   const namespacet &ns,
   goto_functionst &goto_functions)
diff --git a/src/goto-programs/string_abstraction.cpp b/src/goto-programs/string_abstraction.cpp
index 1e4f110a1f..da6119d242 100644
--- a/src/goto-programs/string_abstraction.cpp
+++ b/src/goto-programs/string_abstraction.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// String Abstraction
 
+#include "string_abstraction.h"
+
 #include 
 
 #include 
@@ -21,7 +23,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 
 #include "pointer_arithmetic.h"
-#include "string_abstraction.h"
 
 bool string_abstractiont::build_wrap(
   const exprt &object,
diff --git a/src/goto-programs/string_instrumentation.cpp b/src/goto-programs/string_instrumentation.cpp
index a114730330..41bf92a529 100644
--- a/src/goto-programs/string_instrumentation.cpp
+++ b/src/goto-programs/string_instrumentation.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// String Abstraction
 
+#include "string_instrumentation.h"
+
 #include 
 
 #include 
@@ -21,8 +23,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "string_instrumentation.h"
-
 exprt is_zero_string(
   const exprt &what,
   bool write)
diff --git a/src/goto-programs/string_instrumentation.h b/src/goto-programs/string_instrumentation.h
index 261b8dcdb1..9d8bda0037 100644
--- a/src/goto-programs/string_instrumentation.h
+++ b/src/goto-programs/string_instrumentation.h
@@ -14,6 +14,8 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include "goto_functions.h"
 
+class message_handlert;
+
 void string_instrumentation(
   symbol_tablet &symbol_table,
   message_handlert &message_handler,
diff --git a/src/goto-programs/vcd_goto_trace.cpp b/src/goto-programs/vcd_goto_trace.cpp
index d6c39603cc..4becb3af58 100644
--- a/src/goto-programs/vcd_goto_trace.cpp
+++ b/src/goto-programs/vcd_goto_trace.cpp
@@ -11,6 +11,8 @@ Date: June 2011
 /// \file
 /// Traces of GOTO Programs in VCD (Value Change Dump) Format
 
+#include "vcd_goto_trace.h"
+
 #include 
 #include 
 #include 
@@ -19,8 +21,6 @@ Date: June 2011
 #include 
 #include 
 
-#include "vcd_goto_trace.h"
-
 std::string as_vcd_binary(
   const exprt &expr,
   const namespacet &ns)
diff --git a/src/goto-programs/wp.cpp b/src/goto-programs/wp.cpp
index ea6ddd6a28..cb9981793d 100644
--- a/src/goto-programs/wp.cpp
+++ b/src/goto-programs/wp.cpp
@@ -9,14 +9,14 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Weakest Preconditions
 
+#include "wp.h"
+
 // #include 
 
 #include 
 #include 
 #include 
 
-#include "wp.h"
-
 bool has_nondet(const exprt &dest)
 {
   forall_operands(it, dest)
diff --git a/src/goto-programs/write_goto_binary.cpp b/src/goto-programs/write_goto_binary.cpp
index 045aa9984f..75542144d9 100644
--- a/src/goto-programs/write_goto_binary.cpp
+++ b/src/goto-programs/write_goto_binary.cpp
@@ -9,14 +9,14 @@ Author: CM Wintersteiger
 /// \file
 /// Write GOTO binaries
 
+#include "write_goto_binary.h"
+
 #include 
 
 #include 
 #include 
 #include 
 
-#include "write_goto_binary.h"
-
 /// Writes a goto program to disc, using goto binary format ver 2
 bool write_goto_binary_v3(
   std::ostream &out,
diff --git a/src/goto-programs/xml_goto_trace.cpp b/src/goto-programs/xml_goto_trace.cpp
index 25e61157e9..dca2c704a2 100644
--- a/src/goto-programs/xml_goto_trace.cpp
+++ b/src/goto-programs/xml_goto_trace.cpp
@@ -11,6 +11,8 @@ Author: Daniel Kroening
 /// \file
 /// Traces of GOTO Programs
 
+#include "xml_goto_trace.h"
+
 #include 
 
 #include 
@@ -19,8 +21,6 @@ Author: Daniel Kroening
 #include 
 #include 
 
-#include "xml_goto_trace.h"
-
 void convert(
   const namespacet &ns,
   const goto_tracet &goto_trace,

From a5c8a5fabd6e6a981ecd605b71a820ffec6fb80a Mon Sep 17 00:00:00 2001
From: reuk 
Date: Sun, 7 May 2017 13:53:00 +0100
Subject: [PATCH 52/89] Fix include order in goto-symex

---
 src/goto-symex/adjust_float_expressions.cpp  | 4 ++--
 src/goto-symex/auto_objects.cpp              | 4 ++--
 src/goto-symex/build_goto_trace.cpp          | 4 ++--
 src/goto-symex/goto_symex.cpp                | 4 ++--
 src/goto-symex/goto_symex_state.cpp          | 4 ++--
 src/goto-symex/memory_model.cpp              | 4 ++--
 src/goto-symex/memory_model_sc.cpp           | 4 ++--
 src/goto-symex/memory_model_tso.cpp          | 4 ++--
 src/goto-symex/partial_order_concurrency.cpp | 4 ++--
 src/goto-symex/postcondition.cpp             | 3 ++-
 src/goto-symex/precondition.cpp              | 3 ++-
 src/goto-symex/rewrite_union.cpp             | 4 ++--
 src/goto-symex/slice.cpp                     | 3 ++-
 src/goto-symex/slice_by_trace.cpp            | 4 ++--
 src/goto-symex/symex_assign.cpp              | 3 ++-
 src/goto-symex/symex_builtin_functions.cpp   | 3 ++-
 src/goto-symex/symex_clean_expr.cpp          | 4 ++--
 src/goto-symex/symex_dead.cpp                | 4 ++--
 src/goto-symex/symex_decl.cpp                | 4 ++--
 src/goto-symex/symex_dereference.cpp         | 3 ++-
 src/goto-symex/symex_dereference_state.cpp   | 4 ++--
 src/goto-symex/symex_function_call.cpp       | 4 ++--
 src/goto-symex/symex_goto.cpp                | 4 ++--
 src/goto-symex/symex_main.cpp                | 4 ++--
 src/goto-symex/symex_other.cpp               | 4 ++--
 src/goto-symex/symex_start_thread.cpp        | 4 ++--
 src/goto-symex/symex_target_equation.cpp     | 3 ++-
 27 files changed, 54 insertions(+), 47 deletions(-)

diff --git a/src/goto-symex/adjust_float_expressions.cpp b/src/goto-symex/adjust_float_expressions.cpp
index 67eb4a06b5..f2b09db09e 100644
--- a/src/goto-symex/adjust_float_expressions.cpp
+++ b/src/goto-symex/adjust_float_expressions.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Symbolic Execution
 
+#include "adjust_float_expressions.h"
+
 #include 
 #include 
 #include 
@@ -18,8 +20,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 
-#include "adjust_float_expressions.h"
-
 static bool have_to_adjust_float_expressions(
   const exprt &expr,
   const namespacet &ns)
diff --git a/src/goto-symex/auto_objects.cpp b/src/goto-symex/auto_objects.cpp
index dab9cdfa9b..f2a90b1550 100644
--- a/src/goto-symex/auto_objects.cpp
+++ b/src/goto-symex/auto_objects.cpp
@@ -9,13 +9,13 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Symbolic Execution of ANSI-C
 
+#include "goto_symex.h"
+
 #include 
 #include 
 #include 
 #include 
 
-#include "goto_symex.h"
-
 exprt goto_symext::make_auto_object(const typet &type)
 {
   dynamic_counter++;
diff --git a/src/goto-symex/build_goto_trace.cpp b/src/goto-symex/build_goto_trace.cpp
index 1657266b65..8bb5bb8c6e 100644
--- a/src/goto-symex/build_goto_trace.cpp
+++ b/src/goto-symex/build_goto_trace.cpp
@@ -11,6 +11,8 @@ Author: Daniel Kroening
 /// \file
 /// Traces of GOTO Programs
 
+#include "build_goto_trace.h"
+
 #include 
 
 #include 
@@ -22,8 +24,6 @@ Author: Daniel Kroening
 
 #include "partial_order_concurrency.h"
 
-#include "build_goto_trace.h"
-
 exprt build_full_lhs_rec(
   const prop_convt &prop_conv,
   const namespacet &ns,
diff --git a/src/goto-symex/goto_symex.cpp b/src/goto-symex/goto_symex.cpp
index 0ed472967c..7e50d9d912 100644
--- a/src/goto-symex/goto_symex.cpp
+++ b/src/goto-symex/goto_symex.cpp
@@ -9,10 +9,10 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Symbolic Execution
 
-#include 
-
 #include "goto_symex.h"
 
+#include 
+
 unsigned goto_symext::nondet_count=0;
 unsigned goto_symext::dynamic_counter=0;
 
diff --git a/src/goto-symex/goto_symex_state.cpp b/src/goto-symex/goto_symex_state.cpp
index 361669c5be..6fdf4b54aa 100644
--- a/src/goto-symex/goto_symex_state.cpp
+++ b/src/goto-symex/goto_symex_state.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Symbolic Execution
 
+#include "goto_symex_state.h"
+
 #include 
 #include 
 #include 
@@ -18,8 +20,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 
-#include "goto_symex_state.h"
-
 goto_symex_statet::goto_symex_statet():
   depth(0),
   symex_target(NULL),
diff --git a/src/goto-symex/memory_model.cpp b/src/goto-symex/memory_model.cpp
index ebe44e15c7..4a647f7811 100644
--- a/src/goto-symex/memory_model.cpp
+++ b/src/goto-symex/memory_model.cpp
@@ -9,10 +9,10 @@ Author: Michael Tautschnig, michael.tautschnig@cs.ox.ac.uk
 /// \file
 /// Memory model for partial order concurrency
 
-#include 
-
 #include "memory_model.h"
 
+#include 
+
 memory_model_baset::memory_model_baset(const namespacet &_ns):
   partial_order_concurrencyt(_ns),
   var_cnt(0)
diff --git a/src/goto-symex/memory_model_sc.cpp b/src/goto-symex/memory_model_sc.cpp
index c6be709dfd..cfe30c8076 100644
--- a/src/goto-symex/memory_model_sc.cpp
+++ b/src/goto-symex/memory_model_sc.cpp
@@ -9,10 +9,10 @@ Author: Michael Tautschnig, michael.tautschnig@cs.ox.ac.uk
 /// \file
 /// Memory model for partial order concurrency
 
-#include 
-
 #include "memory_model_sc.h"
 
+#include 
+
 void memory_model_sct::operator()(symex_target_equationt &equation)
 {
   statistics() << "Adding SC constraints" << eom;
diff --git a/src/goto-symex/memory_model_tso.cpp b/src/goto-symex/memory_model_tso.cpp
index f45d3db9d9..5b39026708 100644
--- a/src/goto-symex/memory_model_tso.cpp
+++ b/src/goto-symex/memory_model_tso.cpp
@@ -9,11 +9,11 @@ Author: Michael Tautschnig, michael.tautschnig@cs.ox.ac.uk
 /// \file
 /// Memory model for partial order concurrency
 
+#include "memory_model_tso.h"
+
 #include 
 #include 
 
-#include "memory_model_tso.h"
-
 void memory_model_tsot::operator()(symex_target_equationt &equation)
 {
   statistics() << "Adding TSO constraints" << eom;
diff --git a/src/goto-symex/partial_order_concurrency.cpp b/src/goto-symex/partial_order_concurrency.cpp
index 8cb323fec3..e0f82ba6af 100644
--- a/src/goto-symex/partial_order_concurrency.cpp
+++ b/src/goto-symex/partial_order_concurrency.cpp
@@ -9,13 +9,13 @@ Author: Michael Tautschnig, michael.tautschnig@cs.ox.ac.uk
 /// \file
 /// Add constraints to equation encoding partial orders on events
 
+#include "partial_order_concurrency.h"
+
 #include 
 
 #include 
 #include 
 
-#include "partial_order_concurrency.h"
-
 partial_order_concurrencyt::partial_order_concurrencyt(
   const namespacet &_ns):ns(_ns)
 {
diff --git a/src/goto-symex/postcondition.cpp b/src/goto-symex/postcondition.cpp
index 43aa79f6aa..4383439b72 100644
--- a/src/goto-symex/postcondition.cpp
+++ b/src/goto-symex/postcondition.cpp
@@ -9,11 +9,12 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Symbolic Execution
 
+#include "postcondition.h"
+
 #include 
 #include 
 
 #include "goto_symex_state.h"
-#include "postcondition.h"
 
 class postconditiont
 {
diff --git a/src/goto-symex/precondition.cpp b/src/goto-symex/precondition.cpp
index 091408f0af..11657a78e5 100644
--- a/src/goto-symex/precondition.cpp
+++ b/src/goto-symex/precondition.cpp
@@ -9,12 +9,13 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Symbolic Execution
 
+#include "precondition.h"
+
 #include 
 
 #include 
 
 #include "goto_symex_state.h"
-#include "precondition.h"
 
 class preconditiont
 {
diff --git a/src/goto-symex/rewrite_union.cpp b/src/goto-symex/rewrite_union.cpp
index 2ecf09bed6..0f40f934b8 100644
--- a/src/goto-symex/rewrite_union.cpp
+++ b/src/goto-symex/rewrite_union.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Symbolic Execution of ANSI-C
 
+#include "rewrite_union.h"
+
 #include 
 #include 
 #include 
@@ -18,8 +20,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 
-#include "rewrite_union.h"
-
 static bool have_to_rewrite_union(
   const exprt &expr,
   const namespacet &ns)
diff --git a/src/goto-symex/slice.cpp b/src/goto-symex/slice.cpp
index a398264963..0a59b7befe 100644
--- a/src/goto-symex/slice.cpp
+++ b/src/goto-symex/slice.cpp
@@ -9,9 +9,10 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Slicer for symex traces
 
+#include "slice.h"
+
 #include 
 
-#include "slice.h"
 #include "symex_slice_class.h"
 
 void symex_slicet::get_symbols(const exprt &expr)
diff --git a/src/goto-symex/slice_by_trace.cpp b/src/goto-symex/slice_by_trace.cpp
index f0dfccba4f..80acfa4add 100644
--- a/src/goto-symex/slice_by_trace.cpp
+++ b/src/goto-symex/slice_by_trace.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Slicer for symex traces
 
+#include "slice_by_trace.h"
+
 #include 
 #include 
 #include 
@@ -22,8 +24,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 
-#include "slice_by_trace.h"
-
 void symex_slice_by_tracet::slice_by_trace(
   std::string trace_files,
   symex_target_equationt &equation)
diff --git a/src/goto-symex/symex_assign.cpp b/src/goto-symex/symex_assign.cpp
index de5ba76df7..a403ff3a12 100644
--- a/src/goto-symex/symex_assign.cpp
+++ b/src/goto-symex/symex_assign.cpp
@@ -9,12 +9,13 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Symbolic Execution
 
+#include "goto_symex.h"
+
 #include 
 #include 
 
 #include 
 
-#include "goto_symex.h"
 #include "goto_symex_state.h"
 
 // #define USE_UPDATE
diff --git a/src/goto-symex/symex_builtin_functions.cpp b/src/goto-symex/symex_builtin_functions.cpp
index a85d6e5b18..d3d26b540f 100644
--- a/src/goto-symex/symex_builtin_functions.cpp
+++ b/src/goto-symex/symex_builtin_functions.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Symbolic Execution of ANSI-C
 
+#include "goto_symex.h"
+
 #include 
 
 #include 
@@ -26,7 +28,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 
-#include "goto_symex.h"
 #include "goto_symex_state.h"
 
 inline static typet c_sizeof_type_rec(const exprt &expr)
diff --git a/src/goto-symex/symex_clean_expr.cpp b/src/goto-symex/symex_clean_expr.cpp
index ed455757bf..a894403c81 100644
--- a/src/goto-symex/symex_clean_expr.cpp
+++ b/src/goto-symex/symex_clean_expr.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Symbolic Execution of ANSI-C
 
+#include "goto_symex.h"
+
 #include 
 #include 
 #include 
@@ -16,8 +18,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 
-#include "goto_symex.h"
-
 void goto_symext::process_array_expr_rec(
   exprt &expr,
   const typet &type) const
diff --git a/src/goto-symex/symex_dead.cpp b/src/goto-symex/symex_dead.cpp
index 11bcadcfbd..eacf6d247a 100644
--- a/src/goto-symex/symex_dead.cpp
+++ b/src/goto-symex/symex_dead.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Symbolic Execution
 
+#include "goto_symex.h"
+
 #include 
 
 #include 
@@ -16,8 +18,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 
-#include "goto_symex.h"
-
 void goto_symext::symex_dead(statet &state)
 {
   const goto_programt::instructiont &instruction=*state.source.pc;
diff --git a/src/goto-symex/symex_decl.cpp b/src/goto-symex/symex_decl.cpp
index 436a2d6e55..eda7144f99 100644
--- a/src/goto-symex/symex_decl.cpp
+++ b/src/goto-symex/symex_decl.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Symbolic Execution
 
+#include "goto_symex.h"
+
 #include 
 
 #include 
@@ -18,8 +20,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 
-#include "goto_symex.h"
-
 void goto_symext::symex_decl(statet &state)
 {
   const goto_programt::instructiont &instruction=*state.source.pc;
diff --git a/src/goto-symex/symex_dereference.cpp b/src/goto-symex/symex_dereference.cpp
index 6b28ec35ad..61dcecbf3a 100644
--- a/src/goto-symex/symex_dereference.cpp
+++ b/src/goto-symex/symex_dereference.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Symbolic Execution of ANSI-C
 
+#include "goto_symex.h"
+
 #include 
 #include 
 #include 
@@ -20,7 +22,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 
-#include "goto_symex.h"
 #include "symex_dereference_state.h"
 
 void goto_symext::dereference_rec_address_of(
diff --git a/src/goto-symex/symex_dereference_state.cpp b/src/goto-symex/symex_dereference_state.cpp
index 1e75222786..f0e36f5d03 100644
--- a/src/goto-symex/symex_dereference_state.cpp
+++ b/src/goto-symex/symex_dereference_state.cpp
@@ -9,10 +9,10 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Symbolic Execution of ANSI-C
 
-#include 
-
 #include "symex_dereference_state.h"
 
+#include 
+
 void symex_dereference_statet::dereference_failure(
   const std::string &property,
   const std::string &msg,
diff --git a/src/goto-symex/symex_function_call.cpp b/src/goto-symex/symex_function_call.cpp
index d50c66f85f..a71a142b89 100644
--- a/src/goto-symex/symex_function_call.cpp
+++ b/src/goto-symex/symex_function_call.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Symbolic Execution of ANSI-C
 
+#include "goto_symex.h"
+
 #include 
 #include 
 #include 
@@ -24,8 +26,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 
-#include "goto_symex.h"
-
 bool goto_symext::get_unwind_recursion(
   const irep_idt &identifier,
   const unsigned thread_nr,
diff --git a/src/goto-symex/symex_goto.cpp b/src/goto-symex/symex_goto.cpp
index 410a7e94eb..a86efc0815 100644
--- a/src/goto-symex/symex_goto.cpp
+++ b/src/goto-symex/symex_goto.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Symbolic Execution
 
+#include "goto_symex.h"
+
 #include 
 #include 
 
@@ -16,8 +18,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 
-#include "goto_symex.h"
-
 void goto_symext::symex_goto(statet &state)
 {
   const goto_programt::instructiont &instruction=*state.source.pc;
diff --git a/src/goto-symex/symex_main.cpp b/src/goto-symex/symex_main.cpp
index e64ee0b93b..b8a1e294f1 100644
--- a/src/goto-symex/symex_main.cpp
+++ b/src/goto-symex/symex_main.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Symbolic Execution
 
+#include "goto_symex.h"
+
 #include 
 
 #include 
@@ -18,8 +20,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 
-#include "goto_symex.h"
-
 void goto_symext::symex_transition(
   statet &state,
   goto_programt::const_targett to,
diff --git a/src/goto-symex/symex_other.cpp b/src/goto-symex/symex_other.cpp
index b9b2c7fd59..d5b30fa4b0 100644
--- a/src/goto-symex/symex_other.cpp
+++ b/src/goto-symex/symex_other.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Symbolic Execution
 
+#include "goto_symex.h"
+
 #include 
 
 #include 
@@ -19,8 +21,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 
-#include "goto_symex.h"
-
 void goto_symext::symex_other(
   const goto_functionst &goto_functions,
   statet &state)
diff --git a/src/goto-symex/symex_start_thread.cpp b/src/goto-symex/symex_start_thread.cpp
index c4e2e83422..8ebed5216c 100644
--- a/src/goto-symex/symex_start_thread.cpp
+++ b/src/goto-symex/symex_start_thread.cpp
@@ -9,10 +9,10 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Symbolic Execution
 
-#include 
-
 #include "goto_symex.h"
 
+#include 
+
 void goto_symext::symex_start_thread(statet &state)
 {
   if(state.guard.is_false())
diff --git a/src/goto-symex/symex_target_equation.cpp b/src/goto-symex/symex_target_equation.cpp
index e0c8e86a42..ab8b7383c0 100644
--- a/src/goto-symex/symex_target_equation.cpp
+++ b/src/goto-symex/symex_target_equation.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Symbolic Execution
 
+#include "symex_target_equation.h"
+
 #include 
 
 #include 
@@ -19,7 +21,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 
 #include "goto_symex_state.h"
-#include "symex_target_equation.h"
 
 symex_target_equationt::symex_target_equationt(
   const namespacet &_ns):ns(_ns)

From 0c05241eae23b183921f26d97587955eb7c9ea61 Mon Sep 17 00:00:00 2001
From: reuk 
Date: Sun, 7 May 2017 14:00:12 +0100
Subject: [PATCH 53/89] Fix include order in java_bytecode

---
 .../character_refine_preprocess.cpp           |  3 +-
 .../character_refine_preprocess.h             |  1 +
 src/java_bytecode/ci_lazy_methods.cpp         |  4 +--
 src/java_bytecode/expr2java.cpp               |  2 +-
 src/java_bytecode/jar_file.cpp                |  3 +-
 .../java_bytecode_convert_class.cpp           |  3 +-
 .../java_bytecode_convert_method.cpp          | 32 +++----------------
 .../java_bytecode_internal_additions.cpp      |  3 +-
 src/java_bytecode/java_bytecode_language.cpp  |  2 +-
 src/java_bytecode/java_bytecode_language.h    |  2 ++
 .../java_bytecode_parse_tree.cpp              |  3 +-
 src/java_bytecode/java_bytecode_parser.cpp    |  2 +-
 src/java_bytecode/java_bytecode_typecheck.cpp |  3 +-
 .../java_bytecode_typecheck_expr.cpp          |  3 +-
 .../java_bytecode_typecheck_type.cpp          |  4 +--
 src/java_bytecode/java_bytecode_vtable.cpp    |  3 +-
 src/java_bytecode/java_class_loader.cpp       |  2 +-
 src/java_bytecode/java_class_loader_limit.cpp |  4 +--
 src/java_bytecode/java_entry_point.cpp        |  2 +-
 src/java_bytecode/java_entry_point.h          |  1 +
 .../java_local_variable_table.cpp             |  1 +
 src/java_bytecode/java_object_factory.cpp     |  2 +-
 src/java_bytecode/java_pointer_casts.cpp      |  4 +--
 src/java_bytecode/java_pointer_casts.h        |  4 +++
 src/java_bytecode/java_root_class.cpp         |  2 +-
 src/java_bytecode/java_types.cpp              |  3 +-
 src/java_bytecode/java_utils.cpp              |  3 +-
 27 files changed, 43 insertions(+), 58 deletions(-)

diff --git a/src/java_bytecode/character_refine_preprocess.cpp b/src/java_bytecode/character_refine_preprocess.cpp
index 912ea2ab13..b7c1e1b281 100644
--- a/src/java_bytecode/character_refine_preprocess.cpp
+++ b/src/java_bytecode/character_refine_preprocess.cpp
@@ -13,9 +13,10 @@ Date:   March 2017
 /// Preprocess a goto-programs so that calls to the java Character library are
 ///   replaced by simple expressions.
 
+#include "character_refine_preprocess.h"
+
 #include 
 #include 
-#include "character_refine_preprocess.h"
 
 /// converts based on a function on expressions
 /// \param expr_function: A reference to a function on expressions
diff --git a/src/java_bytecode/character_refine_preprocess.h b/src/java_bytecode/character_refine_preprocess.h
index afef65eb8d..3714aa6b9a 100644
--- a/src/java_bytecode/character_refine_preprocess.h
+++ b/src/java_bytecode/character_refine_preprocess.h
@@ -22,6 +22,7 @@ Date:   March 2017
 
 #include 
 #include 
+#include 
 
 class character_refine_preprocesst:public messaget
 {
diff --git a/src/java_bytecode/ci_lazy_methods.cpp b/src/java_bytecode/ci_lazy_methods.cpp
index dc71b1c0cd..d7d95e85b9 100644
--- a/src/java_bytecode/ci_lazy_methods.cpp
+++ b/src/java_bytecode/ci_lazy_methods.cpp
@@ -9,10 +9,10 @@ Author: Chris Smowton, chris.smowton@diffblue.com
 /// \file
 /// Context-insensitive lazy methods container
 
-#include 
-
 #include "ci_lazy_methods.h"
 
+#include 
+
 /// Notes `method_symbol_name` is referenced from some reachable function, and
 /// should therefore be elaborated.
 /// \par parameters: `method_symbol_name`: method name; must exist in symbol
diff --git a/src/java_bytecode/expr2java.cpp b/src/java_bytecode/expr2java.cpp
index c6f2d0f90e..69829c676d 100644
--- a/src/java_bytecode/expr2java.cpp
+++ b/src/java_bytecode/expr2java.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 
 \*******************************************************************/
 
+#include "expr2java.h"
 
 #include 
 
@@ -20,7 +21,6 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 #include 
 
 #include "java_types.h"
-#include "expr2java.h"
 
 std::string expr2javat::convert_code_function_call(
   const code_function_callt &src,
diff --git a/src/java_bytecode/jar_file.cpp b/src/java_bytecode/jar_file.cpp
index f70ef35492..26bb1a9de5 100644
--- a/src/java_bytecode/jar_file.cpp
+++ b/src/java_bytecode/jar_file.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "jar_file.h"
 
 #include 
 #include 
@@ -14,8 +15,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "jar_file.h"
-
 void jar_filet::open(
   java_class_loader_limitt &class_loader_limit,
   const std::string &filename)
diff --git a/src/java_bytecode/java_bytecode_convert_class.cpp b/src/java_bytecode/java_bytecode_convert_class.cpp
index 05b4e44e47..b6f28694f1 100644
--- a/src/java_bytecode/java_bytecode_convert_class.cpp
+++ b/src/java_bytecode/java_bytecode_convert_class.cpp
@@ -9,11 +9,12 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// JAVA Bytecode Language Conversion
 
+#include "java_bytecode_convert_class.h"
+
 #ifdef DEBUG
 #include 
 #endif
 
-#include "java_bytecode_convert_class.h"
 #include "java_root_class.h"
 #include "java_types.h"
 #include "java_bytecode_convert_method.h"
diff --git a/src/java_bytecode/java_bytecode_convert_method.cpp b/src/java_bytecode/java_bytecode_convert_method.cpp
index b1f3d956ec..9adf82a021 100644
--- a/src/java_bytecode/java_bytecode_convert_method.cpp
+++ b/src/java_bytecode/java_bytecode_convert_method.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// JAVA Bytecode Language Conversion
 
+#include "java_bytecode_convert_method.h"
+
 #ifdef DEBUG
 #include 
 #endif
@@ -26,7 +28,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "java_bytecode_convert_method.h"
 #include "java_bytecode_convert_method_class.h"
 #include "bytecode_info.h"
 #include "java_types.h"
@@ -2402,19 +2403,8 @@ void java_bytecode_convert_method(
   java_bytecode_convert_method(class_symbol, method);
 }
 
-/*******************************************************************\
-
-Function: java_bytecode_convert_methodt::save_stack_entries
-
-  Inputs:
-
- Outputs:
-
- Purpose: create temporary variables if a write instruction can have undesired
-          side-effects
-
-\*******************************************************************/
-
+/// create temporary variables if a write instruction can have undesired side-
+/// effects
 void java_bytecode_convert_methodt::save_stack_entries(
   const std::string &tmp_var_prefix,
   const typet &tmp_var_type,
@@ -2455,19 +2445,7 @@ void java_bytecode_convert_methodt::save_stack_entries(
   }
 }
 
-/*******************************************************************\
-
-Function: java_bytecode_convert_methodt::create_stack_tmp_var
-
-  Inputs:
-
- Outputs:
-
- Purpose: actually create a temporary variable to hold the value of a stack
-          entry
-
-\*******************************************************************/
-
+/// actually create a temporary variable to hold the value of a stack entry
 void java_bytecode_convert_methodt::create_stack_tmp_var(
   const std::string &tmp_var_prefix,
   const typet &tmp_var_type,
diff --git a/src/java_bytecode/java_bytecode_internal_additions.cpp b/src/java_bytecode/java_bytecode_internal_additions.cpp
index 9177b22ad2..9a0211239d 100644
--- a/src/java_bytecode/java_bytecode_internal_additions.cpp
+++ b/src/java_bytecode/java_bytecode_internal_additions.cpp
@@ -6,14 +6,13 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "java_bytecode_internal_additions.h"
 
 #include 
 #include 
 
 #include 
 
-#include "java_bytecode_internal_additions.h"
-
 void java_internal_additions(symbol_tablet &dest)
 {
   // add __CPROVER_rounding_mode
diff --git a/src/java_bytecode/java_bytecode_language.cpp b/src/java_bytecode/java_bytecode_language.cpp
index 85205c7525..7710e84ba5 100644
--- a/src/java_bytecode/java_bytecode_language.cpp
+++ b/src/java_bytecode/java_bytecode_language.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "java_bytecode_language.h"
 
 #include 
 
@@ -18,7 +19,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 
-#include "java_bytecode_language.h"
 #include "java_bytecode_convert_class.h"
 #include "java_bytecode_convert_method.h"
 #include "java_bytecode_internal_additions.h"
diff --git a/src/java_bytecode/java_bytecode_language.h b/src/java_bytecode/java_bytecode_language.h
index 1d9f2c5e34..9077e89bd8 100644
--- a/src/java_bytecode/java_bytecode_language.h
+++ b/src/java_bytecode/java_bytecode_language.h
@@ -18,6 +18,8 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #define MAX_NONDET_ARRAY_LENGTH_DEFAULT 5
 
+class symbolt;
+
 enum lazy_methods_modet
 {
   LAZY_METHODS_MODE_EAGER,
diff --git a/src/java_bytecode/java_bytecode_parse_tree.cpp b/src/java_bytecode/java_bytecode_parse_tree.cpp
index 6da1a7f187..d7dda70268 100644
--- a/src/java_bytecode/java_bytecode_parse_tree.cpp
+++ b/src/java_bytecode/java_bytecode_parse_tree.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "java_bytecode_parse_tree.h"
 
 #include 
 
@@ -16,8 +17,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include "expr2java.h"
 
-#include "java_bytecode_parse_tree.h"
-
 void java_bytecode_parse_treet::classt::swap(
   classt &other)
 {
diff --git a/src/java_bytecode/java_bytecode_parser.cpp b/src/java_bytecode/java_bytecode_parser.cpp
index ca271aaaba..77874da494 100644
--- a/src/java_bytecode/java_bytecode_parser.cpp
+++ b/src/java_bytecode/java_bytecode_parser.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "java_bytecode_parser.h"
 
 #include 
 #include 
@@ -20,7 +21,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 
-#include "java_bytecode_parser.h"
 #include "java_bytecode_parse_tree.h"
 #include "java_types.h"
 #include "bytecode_info.h"
diff --git a/src/java_bytecode/java_bytecode_typecheck.cpp b/src/java_bytecode/java_bytecode_typecheck.cpp
index 2386cdc87f..5b09fcdaf2 100644
--- a/src/java_bytecode/java_bytecode_typecheck.cpp
+++ b/src/java_bytecode/java_bytecode_typecheck.cpp
@@ -9,12 +9,13 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// JAVA Bytecode Conversion / Type Checking
 
+#include "java_bytecode_typecheck.h"
+
 #include 
 #include 
 #include 
 
 #include "expr2java.h"
-#include "java_bytecode_typecheck.h"
 
 std::string java_bytecode_typecheckt::to_string(const exprt &expr)
 {
diff --git a/src/java_bytecode/java_bytecode_typecheck_expr.cpp b/src/java_bytecode/java_bytecode_typecheck_expr.cpp
index d1d0e988d4..5b7fa0d886 100644
--- a/src/java_bytecode/java_bytecode_typecheck_expr.cpp
+++ b/src/java_bytecode/java_bytecode_typecheck_expr.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// JAVA Bytecode Conversion / Type Checking
 
+#include "java_bytecode_typecheck.h"
+
 #include 
 
 #include 
@@ -18,7 +20,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 
-#include "java_bytecode_typecheck.h"
 #include "java_pointer_casts.h"
 #include "java_types.h"
 
diff --git a/src/java_bytecode/java_bytecode_typecheck_type.cpp b/src/java_bytecode/java_bytecode_typecheck_type.cpp
index 79b2146f07..aa92d9333c 100644
--- a/src/java_bytecode/java_bytecode_typecheck_type.cpp
+++ b/src/java_bytecode/java_bytecode_typecheck_type.cpp
@@ -9,10 +9,10 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// JAVA Bytecode Conversion / Type Checking
 
-#include 
-
 #include "java_bytecode_typecheck.h"
 
+#include 
+
 void java_bytecode_typecheckt::typecheck_type(typet &type)
 {
   if(type.id()==ID_symbol)
diff --git a/src/java_bytecode/java_bytecode_vtable.cpp b/src/java_bytecode/java_bytecode_vtable.cpp
index d6a7b7fb4c..a352fbd74c 100644
--- a/src/java_bytecode/java_bytecode_vtable.cpp
+++ b/src/java_bytecode/java_bytecode_vtable.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "java_bytecode_vtable.h"
 
 #include 
 #include 
@@ -17,8 +18,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "java_bytecode_vtable.h"
-
 const char ID_virtual_name[]="virtual_name";
 
 class is_virtual_name_equalt
diff --git a/src/java_bytecode/java_class_loader.cpp b/src/java_bytecode/java_class_loader.cpp
index dfb849a498..6b720f05fb 100644
--- a/src/java_bytecode/java_class_loader.cpp
+++ b/src/java_bytecode/java_class_loader.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "java_class_loader.h"
 
 #include 
 #include 
@@ -16,7 +17,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 
 #include "java_bytecode_parser.h"
-#include "java_class_loader.h"
 #include "jar_file.h"
 
 java_bytecode_parse_treet &java_class_loadert::operator()(
diff --git a/src/java_bytecode/java_class_loader_limit.cpp b/src/java_bytecode/java_class_loader_limit.cpp
index 7ba1d4fe0e..dbf8d23d27 100644
--- a/src/java_bytecode/java_class_loader_limit.cpp
+++ b/src/java_bytecode/java_class_loader_limit.cpp
@@ -9,10 +9,10 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// limit class path loading
 
-#include 
-
 #include "java_class_loader_limit.h"
 
+#include 
+
 /// initializes class with either regex matcher or match set
 /// \par parameters: parameter from `java-cp-include-files`
 void java_class_loader_limitt::setup_class_load_limit(
diff --git a/src/java_bytecode/java_entry_point.cpp b/src/java_bytecode/java_entry_point.cpp
index 3e2496d144..1cb0a10d70 100644
--- a/src/java_bytecode/java_entry_point.cpp
+++ b/src/java_bytecode/java_entry_point.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "java_entry_point.h"
 
 #include 
 #include 
@@ -28,7 +29,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 
-#include "java_entry_point.h"
 #include "java_object_factory.h"
 #include "java_types.h"
 
diff --git a/src/java_bytecode/java_entry_point.h b/src/java_bytecode/java_entry_point.h
index 75108dd1d9..e2d2fa3f41 100644
--- a/src/java_bytecode/java_entry_point.h
+++ b/src/java_bytecode/java_entry_point.h
@@ -11,6 +11,7 @@ Author: Daniel Kroening, kroening@kroening.com
 #define CPROVER_JAVA_BYTECODE_JAVA_ENTRY_POINT_H
 
 #include 
+#include 
 
 bool java_entry_point(
   class symbol_tablet &symbol_table,
diff --git a/src/java_bytecode/java_local_variable_table.cpp b/src/java_bytecode/java_local_variable_table.cpp
index b1462e4321..052b958d05 100644
--- a/src/java_bytecode/java_local_variable_table.cpp
+++ b/src/java_bytecode/java_local_variable_table.cpp
@@ -10,6 +10,7 @@ Author: Chris Smowton, chris.smowton@diffblue.com
 /// Java local variable table processing
 
 #include "java_bytecode_convert_method_class.h"
+
 #include "java_types.h"
 
 #include 
diff --git a/src/java_bytecode/java_object_factory.cpp b/src/java_bytecode/java_object_factory.cpp
index 628b830bd0..15d8eac7bc 100644
--- a/src/java_bytecode/java_object_factory.cpp
+++ b/src/java_bytecode/java_object_factory.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "java_object_factory.h"
 
 #include 
 #include 
@@ -23,7 +24,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 
-#include "java_object_factory.h"
 #include "java_types.h"
 #include "java_utils.h"
 
diff --git a/src/java_bytecode/java_pointer_casts.cpp b/src/java_bytecode/java_pointer_casts.cpp
index c2f04e4d1a..4d0371bca6 100644
--- a/src/java_bytecode/java_pointer_casts.cpp
+++ b/src/java_bytecode/java_pointer_casts.cpp
@@ -9,12 +9,12 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// JAVA Pointer Casts
 
+#include "java_pointer_casts.h"
+
 #include 
 #include 
 #include 
 
-#include "java_pointer_casts.h"
-
 /// dereference pointer expression
 /// \return dereferenced pointer
 static exprt clean_deref(const exprt &ptr)
diff --git a/src/java_bytecode/java_pointer_casts.h b/src/java_bytecode/java_pointer_casts.h
index eff1f6ccef..8c635c9ab5 100644
--- a/src/java_bytecode/java_pointer_casts.h
+++ b/src/java_bytecode/java_pointer_casts.h
@@ -12,6 +12,10 @@ Author: DiffBlue
 #ifndef CPROVER_JAVA_BYTECODE_JAVA_POINTER_CASTS_H
 #define CPROVER_JAVA_BYTECODE_JAVA_POINTER_CASTS_H
 
+class exprt;
+class typet;
+class namespacet;
+
 bool find_superclass_with_type(
   exprt &ptr,
   const typet &target_type,
diff --git a/src/java_bytecode/java_root_class.cpp b/src/java_bytecode/java_root_class.cpp
index 1e93ca62d1..f3353c48d1 100644
--- a/src/java_bytecode/java_root_class.cpp
+++ b/src/java_bytecode/java_root_class.cpp
@@ -6,12 +6,12 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "java_root_class.h"
 
 #include 
 #include 
 
 #include "java_types.h"
-#include "java_root_class.h"
 
 /*******************************************************************
 
diff --git a/src/java_bytecode/java_types.cpp b/src/java_bytecode/java_types.cpp
index 59c33e1005..ae8d64d102 100644
--- a/src/java_bytecode/java_types.cpp
+++ b/src/java_bytecode/java_types.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "java_types.h"
 
 #include 
 #include 
@@ -15,8 +16,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "java_types.h"
-
 typet java_int_type()
 {
   return signedbv_typet(32);
diff --git a/src/java_bytecode/java_utils.cpp b/src/java_bytecode/java_utils.cpp
index 0754eae13a..6611b359f0 100644
--- a/src/java_bytecode/java_utils.cpp
+++ b/src/java_bytecode/java_utils.cpp
@@ -6,12 +6,11 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "java_utils.h"
 
 #include 
 #include 
 
-#include "java_utils.h"
-
 bool java_is_array_type(const typet &type)
 {
   if(type.id()!=ID_struct)

From 95d377a7fa3652c2e6852563f304d998c940945f Mon Sep 17 00:00:00 2001
From: reuk 
Date: Sun, 7 May 2017 14:02:18 +0100
Subject: [PATCH 54/89] Fix include order in jsil

---
 src/jsil/expr2jsil.cpp               | 4 ++--
 src/jsil/jsil_convert.cpp            | 3 ++-
 src/jsil/jsil_entry_point.cpp        | 4 ++--
 src/jsil/jsil_internal_additions.cpp | 4 ++--
 src/jsil/jsil_language.cpp           | 4 ++--
 src/jsil/jsil_parse_tree.cpp         | 4 ++--
 src/jsil/jsil_typecheck.cpp          | 4 ++--
 src/jsil/jsil_typecheck.h            | 2 +-
 src/jsil/jsil_types.cpp              | 4 ++--
 9 files changed, 17 insertions(+), 16 deletions(-)

diff --git a/src/jsil/expr2jsil.cpp b/src/jsil/expr2jsil.cpp
index 811a9a1608..5f88416b2c 100644
--- a/src/jsil/expr2jsil.cpp
+++ b/src/jsil/expr2jsil.cpp
@@ -9,10 +9,10 @@ Author: Michael Tautschnig, tautschn@amazon.com
 /// \file
 /// Jsil Language
 
-#include 
-
 #include "expr2jsil.h"
 
+#include 
+
 class expr2jsilt:public expr2ct
 {
 public:
diff --git a/src/jsil/jsil_convert.cpp b/src/jsil/jsil_convert.cpp
index aa4ff02fff..328a1c7622 100644
--- a/src/jsil/jsil_convert.cpp
+++ b/src/jsil/jsil_convert.cpp
@@ -9,11 +9,12 @@ Author: Michael Tautschnig, tautschn@amazon.com
 /// \file
 /// Jsil Language Conversion
 
+#include "jsil_convert.h"
+
 #include 
 #include 
 
 #include "jsil_parse_tree.h"
-#include "jsil_convert.h"
 
 class jsil_convertt:public messaget
 {
diff --git a/src/jsil/jsil_entry_point.cpp b/src/jsil/jsil_entry_point.cpp
index ba1860ce6f..2f4d88e1bb 100644
--- a/src/jsil/jsil_entry_point.cpp
+++ b/src/jsil/jsil_entry_point.cpp
@@ -9,6 +9,8 @@ Author: Michael Tautschnig, tautschn@amazon.com
 /// \file
 /// Jsil Language
 
+#include "jsil_entry_point.h"
+
 #include 
 #include 
 #include 
@@ -18,8 +20,6 @@ Author: Michael Tautschnig, tautschn@amazon.com
 
 #include 
 
-#include "jsil_entry_point.h"
-
 #define INITIALIZE CPROVER_PREFIX "initialize"
 
 static void create_initialize(symbol_tablet &symbol_table)
diff --git a/src/jsil/jsil_internal_additions.cpp b/src/jsil/jsil_internal_additions.cpp
index 6250258b4b..446910062d 100644
--- a/src/jsil/jsil_internal_additions.cpp
+++ b/src/jsil/jsil_internal_additions.cpp
@@ -9,6 +9,8 @@ Author: Michael Tautschnig, tautschn@amazon.com
 /// \file
 /// Jsil Language
 
+#include "jsil_internal_additions.h"
+
 #include 
 #include 
 #include 
@@ -17,8 +19,6 @@ Author: Michael Tautschnig, tautschn@amazon.com
 
 #include "jsil_types.h"
 
-#include "jsil_internal_additions.h"
-
 void jsil_internal_additions(symbol_tablet &dest)
 {
   // add __CPROVER_rounding_mode
diff --git a/src/jsil/jsil_language.cpp b/src/jsil/jsil_language.cpp
index baa9cebee0..48b5c8dcbe 100644
--- a/src/jsil/jsil_language.cpp
+++ b/src/jsil/jsil_language.cpp
@@ -9,6 +9,8 @@ Author: Michael Tautschnig, tautschn@amazon.com
 /// \file
 /// Jsil Language
 
+#include "jsil_language.h"
+
 #include 
 #include 
 
@@ -19,8 +21,6 @@ Author: Michael Tautschnig, tautschn@amazon.com
 #include "jsil_parser.h"
 #include "jsil_typecheck.h"
 
-#include "jsil_language.h"
-
 std::set jsil_languaget::extensions() const
 {
   return { "jsil" };
diff --git a/src/jsil/jsil_parse_tree.cpp b/src/jsil/jsil_parse_tree.cpp
index 75573ad063..093a62f4fb 100644
--- a/src/jsil/jsil_parse_tree.cpp
+++ b/src/jsil/jsil_parse_tree.cpp
@@ -9,12 +9,12 @@ Author: Michael Tautschnig, tautschn@amazon.com
 /// \file
 /// Jsil Language
 
+#include "jsil_parse_tree.h"
+
 #include 
 
 #include "jsil_types.h"
 
-#include "jsil_parse_tree.h"
-
 static bool insert_at_label(
   const codet &code,
   const irep_idt &label,
diff --git a/src/jsil/jsil_typecheck.cpp b/src/jsil/jsil_typecheck.cpp
index 892a8df7f2..81ebf82f87 100644
--- a/src/jsil/jsil_typecheck.cpp
+++ b/src/jsil/jsil_typecheck.cpp
@@ -9,6 +9,8 @@ Author: Michael Tautschnig, tautschn@amazon.com
 /// \file
 /// Jsil Language
 
+#include "jsil_typecheck.h"
+
 #include 
 #include 
 #include 
@@ -16,8 +18,6 @@ Author: Michael Tautschnig, tautschn@amazon.com
 #include "expr2jsil.h"
 #include "jsil_types.h"
 
-#include "jsil_typecheck.h"
-
 std::string jsil_typecheckt::to_string(const exprt &expr)
 {
   return expr2jsil(expr, ns);
diff --git a/src/jsil/jsil_typecheck.h b/src/jsil/jsil_typecheck.h
index a1be82cfdd..bca8bde208 100644
--- a/src/jsil/jsil_typecheck.h
+++ b/src/jsil/jsil_typecheck.h
@@ -18,7 +18,7 @@ Author: Michael Tautschnig, tautschn@amazon.com
 #include 
 #include 
 
-
+class symbol_exprt;
 class codet;
 
 bool jsil_typecheck(
diff --git a/src/jsil/jsil_types.cpp b/src/jsil/jsil_types.cpp
index 68c75b8827..12a7678714 100644
--- a/src/jsil/jsil_types.cpp
+++ b/src/jsil/jsil_types.cpp
@@ -9,10 +9,10 @@ Author: Daiva Naudziuniene, daivan@amazon.com
 /// \file
 /// Jsil Language
 
-#include 
-
 #include "jsil_types.h"
 
+#include 
+
 typet jsil_any_type()
 {
   return jsil_union_typet({ // NOLINT(whitespace/braces)

From b25a3f9f90d29fad2e33a355da39212bf490d8a3 Mon Sep 17 00:00:00 2001
From: reuk 
Date: Sun, 7 May 2017 14:03:03 +0100
Subject: [PATCH 55/89] Fix include order in json

---
 src/json/json_parser.cpp | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/json/json_parser.cpp b/src/json/json_parser.cpp
index 30b0ee6158..fb244a10f9 100644
--- a/src/json/json_parser.cpp
+++ b/src/json/json_parser.cpp
@@ -6,11 +6,10 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "json_parser.h"
 
 #include 
 
-#include "json_parser.h"
-
 json_parsert json_parser;
 
 // 'do it all' function

From eb2124916c073d80ad963b24e96039c63ebcfa5c Mon Sep 17 00:00:00 2001
From: reuk 
Date: Sun, 7 May 2017 14:04:15 +0100
Subject: [PATCH 56/89] Fix include order in langapi

---
 src/langapi/language_ui.cpp   | 2 +-
 src/langapi/language_util.cpp | 2 +-
 src/langapi/mode.cpp          | 3 +--
 3 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/src/langapi/language_ui.cpp b/src/langapi/language_ui.cpp
index f718d57a5f..ddd774f2c4 100644
--- a/src/langapi/language_ui.cpp
+++ b/src/langapi/language_ui.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 
 \*******************************************************************/
 
+#include "language_ui.h"
 
 #include 
 #include 
@@ -16,7 +17,6 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 #include 
 #include 
 
-#include "language_ui.h"
 #include "mode.h"
 
 /// Constructor
diff --git a/src/langapi/language_util.cpp b/src/langapi/language_util.cpp
index 03f9d98df9..dd31f122ea 100644
--- a/src/langapi/language_util.cpp
+++ b/src/langapi/language_util.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 
 \*******************************************************************/
 
+#include "language_util.h"
 
 #include 
 
@@ -14,7 +15,6 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 #include 
 #include 
 
-#include "language_util.h"
 #include "mode.h"
 
 static languaget* get_language(
diff --git a/src/langapi/mode.cpp b/src/langapi/mode.cpp
index a558c9be5e..55c533f949 100644
--- a/src/langapi/mode.cpp
+++ b/src/langapi/mode.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 
 \*******************************************************************/
 
+#include "mode.h"
 
 #include 
 #include 
@@ -17,8 +18,6 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 
 #include 
 
-#include "mode.h"
-
 struct language_entryt
 {
   language_factoryt factory;

From e42a09088371a1da9676bf9b38a79df2202b2926 Mon Sep 17 00:00:00 2001
From: reuk 
Date: Sun, 7 May 2017 14:05:13 +0100
Subject: [PATCH 57/89] Fix include order in linking

---
 src/linking/linking.cpp                 | 3 ++-
 src/linking/remove_internal_symbols.cpp | 4 ++--
 src/linking/static_lifetime_init.cpp    | 2 +-
 src/linking/zero_initializer.cpp        | 4 ++--
 4 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/src/linking/linking.cpp b/src/linking/linking.cpp
index 645cbf32e0..cdd8c2df8d 100644
--- a/src/linking/linking.cpp
+++ b/src/linking/linking.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// ANSI-C Linking
 
+#include "linking.h"
+
 #include 
 #include 
 
@@ -22,7 +24,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 
-#include "linking.h"
 #include "linking_class.h"
 
 std::string linkingt::expr_to_string(
diff --git a/src/linking/remove_internal_symbols.cpp b/src/linking/remove_internal_symbols.cpp
index 3aca40f821..4755515200 100644
--- a/src/linking/remove_internal_symbols.cpp
+++ b/src/linking/remove_internal_symbols.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening
 /// \file
 /// Remove symbols that are internal only
 
+#include "remove_internal_symbols.h"
+
 #include 
 #include 
 #include 
@@ -16,8 +18,6 @@ Author: Daniel Kroening
 #include 
 #include 
 
-#include "remove_internal_symbols.h"
-
 void get_symbols_rec(
   const namespacet &ns,
   const symbolt &symbol,
diff --git a/src/linking/static_lifetime_init.cpp b/src/linking/static_lifetime_init.cpp
index 2ea7762ab9..2cacc49b03 100644
--- a/src/linking/static_lifetime_init.cpp
+++ b/src/linking/static_lifetime_init.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "static_lifetime_init.h"
 
 #include 
 #include 
@@ -21,7 +22,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 
-#include "static_lifetime_init.h"
 #include "zero_initializer.h"
 
 bool static_lifetime_init(
diff --git a/src/linking/zero_initializer.cpp b/src/linking/zero_initializer.cpp
index 95016b9229..4e6963b6fc 100644
--- a/src/linking/zero_initializer.cpp
+++ b/src/linking/zero_initializer.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Linking: Zero Initialization
 
+#include "zero_initializer.h"
+
 #include 
 
 #include 
@@ -21,8 +23,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "zero_initializer.h"
-
 class zero_initializert:public messaget
 {
 public:

From dc809b73d9821c0b9b241d414419259338c6a8bd Mon Sep 17 00:00:00 2001
From: reuk 
Date: Sun, 7 May 2017 14:07:13 +0100
Subject: [PATCH 58/89] Fix include order in memory-models

---
 src/memory-models/mm2cpp.cpp             | 3 +--
 src/memory-models/mmcc_main.cpp          | 4 ++--
 src/memory-models/mmcc_parse_options.cpp | 3 ++-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/memory-models/mm2cpp.cpp b/src/memory-models/mm2cpp.cpp
index a151658d49..65d74b89cf 100644
--- a/src/memory-models/mm2cpp.cpp
+++ b/src/memory-models/mm2cpp.cpp
@@ -6,13 +6,12 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "mm2cpp.h"
 
 #include 
 
 #include 
 
-#include "mm2cpp.h"
-
 class mm2cppt
 {
 public:
diff --git a/src/memory-models/mmcc_main.cpp b/src/memory-models/mmcc_main.cpp
index 9e73843b3c..962c5bbf52 100644
--- a/src/memory-models/mmcc_main.cpp
+++ b/src/memory-models/mmcc_main.cpp
@@ -9,10 +9,10 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// mmcc Main Module
 
-#include 
-
 #include "mmcc_parse_options.h"
 
+#include 
+
 #ifdef _MSC_VER
 int wmain(int argc, const wchar_t **argv_wide)
 {
diff --git a/src/memory-models/mmcc_parse_options.cpp b/src/memory-models/mmcc_parse_options.cpp
index 5a45833201..8fae924483 100644
--- a/src/memory-models/mmcc_parse_options.cpp
+++ b/src/memory-models/mmcc_parse_options.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// mmcc Command Line Option Processing
 
+#include "mmcc_parse_options.h"
+
 #include 
 #include 
 
@@ -18,7 +20,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include "mm_parser.h"
 #include "mm2cpp.h"
-#include "mmcc_parse_options.h"
 
 mmcc_parse_optionst::mmcc_parse_optionst(int argc, const char **argv):
   parse_options_baset(MMCC_OPTIONS, argc, argv)

From 895a8fdd53655a3869017df55364ebec0be283af Mon Sep 17 00:00:00 2001
From: reuk 
Date: Sun, 7 May 2017 14:09:31 +0100
Subject: [PATCH 59/89] Fix include order in musketeer

---
 src/musketeer/cycles_visitor.cpp                    | 3 ++-
 src/musketeer/fence_inserter.cpp                    | 3 ++-
 src/musketeer/fence_shared.cpp                      | 3 +--
 src/musketeer/fencer.cpp                            | 3 ++-
 src/musketeer/graph_visitor.cpp                     | 3 ++-
 src/musketeer/languages.cpp                         | 4 ++--
 src/musketeer/musketeer_parse_options.cpp           | 3 ++-
 src/musketeer/pensieve.cpp                          | 3 +--
 src/musketeer/propagate_const_function_pointers.cpp | 4 ++--
 9 files changed, 16 insertions(+), 13 deletions(-)

diff --git a/src/musketeer/cycles_visitor.cpp b/src/musketeer/cycles_visitor.cpp
index 6e220cae17..08bbe4bea9 100644
--- a/src/musketeer/cycles_visitor.cpp
+++ b/src/musketeer/cycles_visitor.cpp
@@ -9,10 +9,11 @@ Author: Vincent Nimal
 /// \file
 /// cycles visitor for computing edges involved for fencing
 
+#include "cycles_visitor.h"
+
 #include 
 #include 
 
-#include "cycles_visitor.h"
 #include "fence_inserter.h"
 
 class instrumentert;
diff --git a/src/musketeer/fence_inserter.cpp b/src/musketeer/fence_inserter.cpp
index c534452707..cd1aaa910f 100644
--- a/src/musketeer/fence_inserter.cpp
+++ b/src/musketeer/fence_inserter.cpp
@@ -9,6 +9,8 @@ Author: Vincent Nimal
 /// \file
 /// ILP construction for all cycles and resolution
 
+#include "fence_inserter.h"
+
 #include 
 
 #include 
@@ -19,7 +21,6 @@ Author: Vincent Nimal
 #include 
 #endif
 
-#include "fence_inserter.h"
 #include "ilp.h"
 
 class abstract_eventt;
diff --git a/src/musketeer/fence_shared.cpp b/src/musketeer/fence_shared.cpp
index b53f67a5cf..4dc970c513 100644
--- a/src/musketeer/fence_shared.cpp
+++ b/src/musketeer/fence_shared.cpp
@@ -6,6 +6,7 @@ Author: Vincent Nimal
 
 \*******************************************************************/
 
+#include "fence_shared.h"
 
 #include 
 #include 
@@ -24,8 +25,6 @@ Author: Vincent Nimal
 #include 
 // #include 
 
-#include "fence_shared.h"
-
 #ifdef LOCAL_MAY
 #include 
 #endif
diff --git a/src/musketeer/fencer.cpp b/src/musketeer/fencer.cpp
index 86de5d8fc8..f62917df4e 100644
--- a/src/musketeer/fencer.cpp
+++ b/src/musketeer/fencer.cpp
@@ -9,6 +9,8 @@ Author: Vincent Nimal
 /// \file
 /// Fence inference: Main
 
+#include "fencer.h"
+
 #include 
 #include 
 
@@ -19,7 +21,6 @@ Author: Vincent Nimal
 #include "fence_inserter.h"
 #include "fence_user_def.h"
 #include "fence_assert.h"
-#include "fencer.h"
 
 void fence_weak_memory(
   memory_modelt model,
diff --git a/src/musketeer/graph_visitor.cpp b/src/musketeer/graph_visitor.cpp
index 883246b589..87fe14e0cb 100644
--- a/src/musketeer/graph_visitor.cpp
+++ b/src/musketeer/graph_visitor.cpp
@@ -9,9 +9,10 @@ Author: Vincent Nimal
 /// \file
 /// graph visitor for computing edges involved for fencing
 
-#include "fence_inserter.h"
 #include "graph_visitor.h"
 
+#include "fence_inserter.h"
+
 /* implemented: BTWN1, BTWN4 */
 #define BTWN1
 
diff --git a/src/musketeer/languages.cpp b/src/musketeer/languages.cpp
index a7e4497a03..8ae85e2e27 100644
--- a/src/musketeer/languages.cpp
+++ b/src/musketeer/languages.cpp
@@ -9,12 +9,12 @@ Author:
 /// \file
 /// Language Registration
 
+#include "musketeer_parse_options.h"
+
 #include 
 
 #include 
 
-#include "musketeer_parse_options.h"
-
 void goto_fence_inserter_parse_optionst::register_languages()
 {
   register_language(new_ansi_c_language);
diff --git a/src/musketeer/musketeer_parse_options.cpp b/src/musketeer/musketeer_parse_options.cpp
index 16860e7b20..ace7368743 100644
--- a/src/musketeer/musketeer_parse_options.cpp
+++ b/src/musketeer/musketeer_parse_options.cpp
@@ -9,6 +9,8 @@ Author:
 /// \file
 /// Main Module
 
+#include "musketeer_parse_options.h"
+
 #include 
 #include 
 #include 
@@ -42,7 +44,6 @@ Author:
 
 #include "propagate_const_function_pointers.h"
 #include "version.h"
-#include "musketeer_parse_options.h"
 #include "fencer.h"
 #include "fence_shared.h"
 #include "pensieve.h"
diff --git a/src/musketeer/pensieve.cpp b/src/musketeer/pensieve.cpp
index a58c4bf05d..d46397f74a 100644
--- a/src/musketeer/pensieve.cpp
+++ b/src/musketeer/pensieve.cpp
@@ -6,6 +6,7 @@ Author: Vincent Nimal
 
 \*******************************************************************/
 
+#include "pensieve.h"
 
 #include 
 #include 
@@ -15,8 +16,6 @@ Author: Vincent Nimal
 #include 
 #include 
 
-#include "pensieve.h"
-
 void fence_pensieve(
   value_setst &value_sets,
   symbol_tablet &symbol_table,
diff --git a/src/musketeer/propagate_const_function_pointers.cpp b/src/musketeer/propagate_const_function_pointers.cpp
index d48ce8da63..eca3648c28 100644
--- a/src/musketeer/propagate_const_function_pointers.cpp
+++ b/src/musketeer/propagate_const_function_pointers.cpp
@@ -9,6 +9,8 @@ Author: Vincent Nimal
 /// \file
 /// Constant Function Pointer Propagation
 
+#include "propagate_const_function_pointers.h"
+
 #include 
 #include 
 #include 
@@ -23,8 +25,6 @@ Author: Vincent Nimal
 #include 
 #include 
 
-#include "propagate_const_function_pointers.h"
-
 class const_function_pointer_propagationt
 {
 protected:

From 4856844016e1c16108a7093d04f3330a8286af9d Mon Sep 17 00:00:00 2001
From: reuk 
Date: Sun, 7 May 2017 14:13:10 +0100
Subject: [PATCH 60/89] Fix include order in path-symex

---
 src/path-symex/loc_ref.h                 | 2 +-
 src/path-symex/path_symex.cpp            | 3 ++-
 src/path-symex/path_symex_history.cpp    | 4 ++--
 src/path-symex/path_symex_state.cpp      | 4 ++--
 src/path-symex/path_symex_state_read.cpp | 4 ++--
 src/path-symex/var_map.cpp               | 4 ++--
 src/path-symex/var_map.h                 | 1 +
 7 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/src/path-symex/loc_ref.h b/src/path-symex/loc_ref.h
index 8f192c7958..56cbb7b19b 100644
--- a/src/path-symex/loc_ref.h
+++ b/src/path-symex/loc_ref.h
@@ -12,7 +12,7 @@ Author: Daniel Kroening, kroening@kroening.com
 #ifndef CPROVER_PATH_SYMEX_LOC_REF_H
 #define CPROVER_PATH_SYMEX_LOC_REF_H
 
-#include 
+#include 
 
 class loc_reft
 {
diff --git a/src/path-symex/path_symex.cpp b/src/path-symex/path_symex.cpp
index 2aef635cbf..c5004e51d5 100644
--- a/src/path-symex/path_symex.cpp
+++ b/src/path-symex/path_symex.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Concrete Symbolic Transformer
 
+#include "path_symex.h"
+
 #include 
 #include 
 #include 
@@ -22,7 +24,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 
-#include "path_symex.h"
 #include "path_symex_class.h"
 
 #ifdef DEBUG
diff --git a/src/path-symex/path_symex_history.cpp b/src/path-symex/path_symex_history.cpp
index 502f3af19e..618dbbce33 100644
--- a/src/path-symex/path_symex_history.cpp
+++ b/src/path-symex/path_symex_history.cpp
@@ -9,14 +9,14 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// History of path-based symbolic simulator
 
+#include "path_symex_history.h"
+
 #include 
 
 #include 
 
 #include 
 
-#include "path_symex_history.h"
-
 void path_symex_stept::output(std::ostream &out) const
 {
   out << "PCs:";
diff --git a/src/path-symex/path_symex_state.cpp b/src/path-symex/path_symex_state.cpp
index 293de5966c..495f598202 100644
--- a/src/path-symex/path_symex_state.cpp
+++ b/src/path-symex/path_symex_state.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// State of path-based symbolic simulator
 
+#include "path_symex_state.h"
+
 #include 
 #include 
 #include 
@@ -19,8 +21,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 
-#include "path_symex_state.h"
-
 #ifdef DEBUG
 #include 
 #include 
diff --git a/src/path-symex/path_symex_state_read.cpp b/src/path-symex/path_symex_state_read.cpp
index 885160beb9..a6993c19b0 100644
--- a/src/path-symex/path_symex_state_read.cpp
+++ b/src/path-symex/path_symex_state_read.cpp
@@ -9,13 +9,13 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// State of path-based symbolic simulator
 
+#include "path_symex_state.h"
+
 #include 
 #include 
 
 #include 
 
-#include "path_symex_state.h"
-
 #ifdef DEBUG
 #include 
 #include 
diff --git a/src/path-symex/var_map.cpp b/src/path-symex/var_map.cpp
index 97563e3124..f5dea20a96 100644
--- a/src/path-symex/var_map.cpp
+++ b/src/path-symex/var_map.cpp
@@ -9,14 +9,14 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Variable Numbering
 
+#include "var_map.h"
+
 #include 
 
 #include 
 #include 
 #include 
 
-#include "var_map.h"
-
 var_mapt::var_infot &var_mapt::operator()(
   const irep_idt &symbol,
   const irep_idt &suffix,
diff --git a/src/path-symex/var_map.h b/src/path-symex/var_map.h
index 11ffcdbdc4..7b17169c44 100644
--- a/src/path-symex/var_map.h
+++ b/src/path-symex/var_map.h
@@ -17,6 +17,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 #include 
+#include 
 
 class var_mapt
 {

From 1bf245a0df8d7b58c76d1976a23ac0e12ea456eb Mon Sep 17 00:00:00 2001
From: reuk 
Date: Sun, 7 May 2017 14:17:13 +0100
Subject: [PATCH 61/89] Fix include order in pointer-analysis

---
 src/pointer-analysis/add_failed_symbols.cpp        | 4 ++--
 src/pointer-analysis/dereference.cpp               | 4 ++--
 src/pointer-analysis/goto_program_dereference.cpp  | 4 ++--
 src/pointer-analysis/rewrite_index.cpp             | 4 ++--
 src/pointer-analysis/show_value_sets.cpp           | 3 ++-
 src/pointer-analysis/value_set.cpp                 | 3 ++-
 src/pointer-analysis/value_set_analysis.cpp        | 4 ++--
 src/pointer-analysis/value_set_analysis_fi.cpp     | 4 ++--
 src/pointer-analysis/value_set_analysis_fivr.cpp   | 4 ++--
 src/pointer-analysis/value_set_analysis_fivrns.cpp | 4 ++--
 src/pointer-analysis/value_set_dereference.cpp     | 3 ++-
 src/pointer-analysis/value_set_domain.cpp          | 4 ++--
 src/pointer-analysis/value_set_domain_fi.cpp       | 4 ++--
 src/pointer-analysis/value_set_domain_fivr.cpp     | 4 ++--
 src/pointer-analysis/value_set_domain_fivrns.cpp   | 4 ++--
 src/pointer-analysis/value_set_fi.cpp              | 4 ++--
 src/pointer-analysis/value_set_fivr.cpp            | 4 ++--
 src/pointer-analysis/value_set_fivrns.cpp          | 4 ++--
 18 files changed, 36 insertions(+), 33 deletions(-)

diff --git a/src/pointer-analysis/add_failed_symbols.cpp b/src/pointer-analysis/add_failed_symbols.cpp
index 5def51a449..e8da3c0d77 100644
--- a/src/pointer-analysis/add_failed_symbols.cpp
+++ b/src/pointer-analysis/add_failed_symbols.cpp
@@ -9,12 +9,12 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Pointer Dereferencing
 
+#include "add_failed_symbols.h"
+
 #include 
 #include 
 #include 
 
-#include "add_failed_symbols.h"
-
 irep_idt failed_symbol_id(const irep_idt &id)
 {
   return id2string(id)+"$object";
diff --git a/src/pointer-analysis/dereference.cpp b/src/pointer-analysis/dereference.cpp
index 56a42effa3..5063278d4c 100644
--- a/src/pointer-analysis/dereference.cpp
+++ b/src/pointer-analysis/dereference.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Symbolic Execution of ANSI-C
 
+#include "dereference.h"
+
 #ifdef DEBUG
 #include 
 #include 
@@ -23,8 +25,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 
-#include "dereference.h"
-
 /// \par parameters: expression, to be dereferenced
 /// \return returns object after dereferencing
 exprt dereferencet::operator()(const exprt &pointer)
diff --git a/src/pointer-analysis/goto_program_dereference.cpp b/src/pointer-analysis/goto_program_dereference.cpp
index 44340aa0fc..857f9e722f 100644
--- a/src/pointer-analysis/goto_program_dereference.cpp
+++ b/src/pointer-analysis/goto_program_dereference.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Dereferencing Operations on GOTO Programs
 
+#include "goto_program_dereference.h"
+
 #include 
 #include 
 #include 
@@ -16,8 +18,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "goto_program_dereference.h"
-
 bool goto_program_dereferencet::has_failed_symbol(
   const exprt &expr,
   const symbolt *&symbol)
diff --git a/src/pointer-analysis/rewrite_index.cpp b/src/pointer-analysis/rewrite_index.cpp
index 1594267afb..cc7011f1ed 100644
--- a/src/pointer-analysis/rewrite_index.cpp
+++ b/src/pointer-analysis/rewrite_index.cpp
@@ -9,10 +9,10 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Pointer Dereferencing
 
-#include 
-
 #include "rewrite_index.h"
 
+#include 
+
 /// rewrite a[i] to *(a+i)
 dereference_exprt rewrite_index(const index_exprt &index_expr)
 {
diff --git a/src/pointer-analysis/show_value_sets.cpp b/src/pointer-analysis/show_value_sets.cpp
index be1b1893ba..ce555e2dd0 100644
--- a/src/pointer-analysis/show_value_sets.cpp
+++ b/src/pointer-analysis/show_value_sets.cpp
@@ -9,12 +9,13 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Show Value Sets
 
+#include "show_value_sets.h"
+
 #include 
 
 #include 
 
 #include "value_set_analysis.h"
-#include "show_value_sets.h"
 
 void show_value_sets(
   ui_message_handlert::uit ui,
diff --git a/src/pointer-analysis/value_set.cpp b/src/pointer-analysis/value_set.cpp
index a41796677a..28b5bf360a 100644
--- a/src/pointer-analysis/value_set.cpp
+++ b/src/pointer-analysis/value_set.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Value Set
 
+#include "value_set.h"
+
 #include 
 #include 
 
@@ -29,7 +31,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #endif
 
-#include "value_set.h"
 #include "add_failed_symbols.h"
 
 const value_sett::object_map_dt value_sett::object_map_dt::blank;
diff --git a/src/pointer-analysis/value_set_analysis.cpp b/src/pointer-analysis/value_set_analysis.cpp
index 549fd53a34..d4a3388142 100644
--- a/src/pointer-analysis/value_set_analysis.cpp
+++ b/src/pointer-analysis/value_set_analysis.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Value Set Propagation
 
+#include "value_set_analysis.h"
+
 #include 
 #include 
 #include 
@@ -16,8 +18,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 
-#include "value_set_analysis.h"
-
 void value_set_analysist::initialize(
   const goto_programt &goto_program)
 {
diff --git a/src/pointer-analysis/value_set_analysis_fi.cpp b/src/pointer-analysis/value_set_analysis_fi.cpp
index 63aaa330ac..dee9db9ad9 100644
--- a/src/pointer-analysis/value_set_analysis_fi.cpp
+++ b/src/pointer-analysis/value_set_analysis_fi.cpp
@@ -10,6 +10,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Value Set Propagation (Flow Insensitive)
 
+#include "value_set_analysis_fi.h"
+
 #include 
 #include 
 #include 
@@ -17,8 +19,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 
-#include "value_set_analysis_fi.h"
-
 void value_set_analysis_fit::initialize(
   const goto_programt &goto_program)
 {
diff --git a/src/pointer-analysis/value_set_analysis_fivr.cpp b/src/pointer-analysis/value_set_analysis_fivr.cpp
index dab177cc5f..9b46f45889 100644
--- a/src/pointer-analysis/value_set_analysis_fivr.cpp
+++ b/src/pointer-analysis/value_set_analysis_fivr.cpp
@@ -10,6 +10,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Value Set Propagation (Flow Insensitive)
 
+#include "value_set_analysis_fivr.h"
+
 #include 
 #include 
 #include 
@@ -17,8 +19,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 
-#include "value_set_analysis_fivr.h"
-
 void value_set_analysis_fivrt::initialize(
   const goto_programt &goto_program)
 {
diff --git a/src/pointer-analysis/value_set_analysis_fivrns.cpp b/src/pointer-analysis/value_set_analysis_fivrns.cpp
index 5fbd77522b..63870eb743 100644
--- a/src/pointer-analysis/value_set_analysis_fivrns.cpp
+++ b/src/pointer-analysis/value_set_analysis_fivrns.cpp
@@ -10,6 +10,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Value Set Propagation (Flow Insensitive, Validity Regions)
 
+#include "value_set_analysis_fivrns.h"
+
 #include 
 #include 
 #include 
@@ -17,8 +19,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 
-#include "value_set_analysis_fivrns.h"
-
 void value_set_analysis_fivrnst::initialize(
   const goto_programt &goto_program)
 {
diff --git a/src/pointer-analysis/value_set_dereference.cpp b/src/pointer-analysis/value_set_dereference.cpp
index 81edc39bbd..d2098ece10 100644
--- a/src/pointer-analysis/value_set_dereference.cpp
+++ b/src/pointer-analysis/value_set_dereference.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Symbolic Execution of ANSI-C
 
+#include "value_set_dereference.h"
+
 #ifdef DEBUG
 #include 
 #endif
@@ -39,7 +41,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 
-#include "value_set_dereference.h"
 #include "pointer_offset_sum.h"
 
 // global data, horrible
diff --git a/src/pointer-analysis/value_set_domain.cpp b/src/pointer-analysis/value_set_domain.cpp
index 7ddfd6deb2..4b296b541d 100644
--- a/src/pointer-analysis/value_set_domain.cpp
+++ b/src/pointer-analysis/value_set_domain.cpp
@@ -9,10 +9,10 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Value Set
 
-#include 
-
 #include "value_set_domain.h"
 
+#include 
+
 void value_set_domaint::transform(
   const namespacet &ns,
   locationt from_l,
diff --git a/src/pointer-analysis/value_set_domain_fi.cpp b/src/pointer-analysis/value_set_domain_fi.cpp
index c56e1bdb32..09bc21174f 100644
--- a/src/pointer-analysis/value_set_domain_fi.cpp
+++ b/src/pointer-analysis/value_set_domain_fi.cpp
@@ -10,10 +10,10 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Value Set Domain (Flow Insensitive)
 
-#include 
-
 #include "value_set_domain_fi.h"
 
+#include 
+
 bool value_set_domain_fit::transform(
   const namespacet &ns,
   locationt from_l,
diff --git a/src/pointer-analysis/value_set_domain_fivr.cpp b/src/pointer-analysis/value_set_domain_fivr.cpp
index 4defd25047..27fec810fc 100644
--- a/src/pointer-analysis/value_set_domain_fivr.cpp
+++ b/src/pointer-analysis/value_set_domain_fivr.cpp
@@ -10,10 +10,10 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Value Set Domain (Flow Insensitive, Sharing, Validity Regions)
 
-#include 
-
 #include "value_set_domain_fivr.h"
 
+#include 
+
 bool value_set_domain_fivrt::transform(
   const namespacet &ns,
   locationt from_l,
diff --git a/src/pointer-analysis/value_set_domain_fivrns.cpp b/src/pointer-analysis/value_set_domain_fivrns.cpp
index f4ecf66842..c2ae1e8177 100644
--- a/src/pointer-analysis/value_set_domain_fivrns.cpp
+++ b/src/pointer-analysis/value_set_domain_fivrns.cpp
@@ -10,10 +10,10 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Value Set Domain (Flow Insensitive, Validity Regions)
 
-#include 
-
 #include "value_set_domain_fivrns.h"
 
+#include 
+
 bool value_set_domain_fivrnst::transform(
   const namespacet &ns,
   locationt from_l,
diff --git a/src/pointer-analysis/value_set_fi.cpp b/src/pointer-analysis/value_set_fi.cpp
index 64336252d1..77962a3b3b 100644
--- a/src/pointer-analysis/value_set_fi.cpp
+++ b/src/pointer-analysis/value_set_fi.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Value Set (Flow Insensitive, Sharing)
 
+#include "value_set_fi.h"
+
 #include 
 #include 
 
@@ -23,8 +25,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "value_set_fi.h"
-
 const value_set_fit::object_map_dt value_set_fit::object_map_dt::blank;
 object_numberingt value_set_fit::object_numbering;
 hash_numbering value_set_fit::function_numbering;
diff --git a/src/pointer-analysis/value_set_fivr.cpp b/src/pointer-analysis/value_set_fivr.cpp
index 763eb9407c..6bd7e1321e 100644
--- a/src/pointer-analysis/value_set_fivr.cpp
+++ b/src/pointer-analysis/value_set_fivr.cpp
@@ -10,6 +10,8 @@ Author: Daniel Kroening, kroening@kroening.com,
 /// \file
 /// Value Set (Flow Insensitive, Sharing, Validity Regions)
 
+#include "value_set_fivr.h"
+
 #include 
 #include 
 
@@ -24,8 +26,6 @@ Author: Daniel Kroening, kroening@kroening.com,
 #include 
 #include 
 
-#include "value_set_fivr.h"
-
 const value_set_fivrt::object_map_dt value_set_fivrt::object_map_dt::blank;
 object_numberingt value_set_fivrt::object_numbering;
 hash_numbering value_set_fivrt::function_numbering;
diff --git a/src/pointer-analysis/value_set_fivrns.cpp b/src/pointer-analysis/value_set_fivrns.cpp
index bb15453d99..0eaf08b201 100644
--- a/src/pointer-analysis/value_set_fivrns.cpp
+++ b/src/pointer-analysis/value_set_fivrns.cpp
@@ -10,6 +10,8 @@ Author: Daniel Kroening, kroening@kroening.com,
 /// \file
 /// Value Set (Flow Insensitive, Validity Regions)
 
+#include "value_set_fivrns.h"
+
 #include 
 #include 
 
@@ -24,8 +26,6 @@ Author: Daniel Kroening, kroening@kroening.com,
 #include 
 #include 
 
-#include "value_set_fivrns.h"
-
 const value_set_fivrnst::object_map_dt value_set_fivrnst::object_map_dt::blank;
 object_numberingt value_set_fivrnst::object_numbering;
 hash_numbering value_set_fivrnst::function_numbering;

From 97f14fb4e83590004dec2ed32d22fae528a8a2ed Mon Sep 17 00:00:00 2001
From: reuk 
Date: Sun, 7 May 2017 14:33:11 +0100
Subject: [PATCH 62/89] Fix include order in solvers

---
 src/solvers/cvc/cvc_conv.cpp                                  | 3 +--
 src/solvers/cvc/cvc_dec.cpp                                   | 3 +--
 src/solvers/cvc/cvc_prop.cpp                                  | 4 +---
 src/solvers/dplib/dplib_conv.cpp                              | 3 +--
 src/solvers/dplib/dplib_dec.cpp                               | 3 +--
 src/solvers/dplib/dplib_prop.cpp                              | 4 +---
 src/solvers/flattening/arrays.cpp                             | 3 +--
 src/solvers/flattening/boolbv.cpp                             | 2 +-
 src/solvers/flattening/boolbv_abs.cpp                         | 2 +-
 src/solvers/flattening/boolbv_add_sub.cpp                     | 3 +--
 src/solvers/flattening/boolbv_array_of.cpp                    | 3 +--
 src/solvers/flattening/boolbv_bv_rel.cpp                      | 2 +-
 src/solvers/flattening/boolbv_byte_extract.cpp                | 2 +-
 src/solvers/flattening/boolbv_byte_update.cpp                 | 3 +--
 src/solvers/flattening/boolbv_case.cpp                        | 3 +--
 src/solvers/flattening/boolbv_cond.cpp                        | 3 +--
 src/solvers/flattening/boolbv_div.cpp                         | 3 +--
 src/solvers/flattening/boolbv_equality.cpp                    | 2 +-
 src/solvers/flattening/boolbv_extractbit.cpp                  | 3 +--
 src/solvers/flattening/boolbv_extractbits.cpp                 | 3 +--
 src/solvers/flattening/boolbv_floatbv_op.cpp                  | 3 +--
 src/solvers/flattening/boolbv_get.cpp                         | 2 +-
 src/solvers/flattening/boolbv_ieee_float_rel.cpp              | 2 +-
 src/solvers/flattening/boolbv_index.cpp                       | 3 +--
 src/solvers/flattening/boolbv_map.cpp                         | 2 +-
 src/solvers/flattening/boolbv_member.cpp                      | 3 +--
 src/solvers/flattening/boolbv_mult.cpp                        | 3 +--
 src/solvers/flattening/boolbv_overflow.cpp                    | 3 +--
 src/solvers/flattening/boolbv_quantifier.cpp                  | 3 +--
 src/solvers/flattening/boolbv_replication.cpp                 | 3 +--
 src/solvers/flattening/boolbv_shift.cpp                       | 3 +--
 src/solvers/flattening/boolbv_struct.cpp                      | 3 +--
 src/solvers/flattening/boolbv_typecast.cpp                    | 2 +-
 src/solvers/flattening/boolbv_unary_minus.cpp                 | 2 +-
 src/solvers/flattening/boolbv_union.cpp                       | 3 +--
 src/solvers/flattening/boolbv_update.cpp                      | 3 +--
 src/solvers/flattening/boolbv_width.cpp                       | 3 +--
 src/solvers/flattening/boolbv_with.cpp                        | 3 +--
 src/solvers/flattening/bv_minimize.cpp                        | 3 +--
 src/solvers/flattening/bv_pointers.cpp                        | 3 +--
 src/solvers/flattening/bv_utils.cpp                           | 3 +--
 src/solvers/flattening/equality.cpp                           | 2 +-
 src/solvers/flattening/flatten_byte_operators.cpp             | 1 -
 src/solvers/flattening/functions.cpp                          | 3 +--
 src/solvers/flattening/pointer_logic.cpp                      | 4 ++--
 src/solvers/flattening/pointer_logic.h                        | 2 ++
 src/solvers/floatbv/float_approximation.cpp                   | 3 +--
 src/solvers/floatbv/float_bv.cpp                              | 3 +--
 src/solvers/floatbv/float_utils.cpp                           | 3 +--
 src/solvers/miniBDD/example.cpp                               | 4 ++--
 src/solvers/miniBDD/miniBDD.cpp                               | 4 ++--
 src/solvers/prop/aig.cpp                                      | 3 +--
 src/solvers/prop/aig_prop.cpp                                 | 3 +--
 src/solvers/prop/bdd_expr.cpp                                 | 4 ++--
 src/solvers/prop/cover_goals.cpp                              | 3 ++-
 src/solvers/prop/literal.cpp                                  | 4 ++--
 src/solvers/prop/minimize.cpp                                 | 3 ++-
 src/solvers/prop/prop.cpp                                     | 3 +--
 src/solvers/prop/prop_conv.cpp                                | 2 +-
 src/solvers/prop/prop_conv_store.cpp                          | 3 +--
 src/solvers/qbf/qbf_bdd_core.cpp                              | 3 +--
 src/solvers/qbf/qbf_quantor.cpp                               | 3 +--
 src/solvers/qbf/qbf_qube.cpp                                  | 3 +--
 src/solvers/qbf/qbf_qube_core.cpp                             | 3 +--
 src/solvers/qbf/qbf_skizzo.cpp                                | 3 +--
 src/solvers/qbf/qbf_squolem.cpp                               | 1 -
 src/solvers/qbf/qbf_squolem_core.cpp                          | 4 ++--
 src/solvers/qbf/qdimacs_cnf.cpp                               | 3 +--
 src/solvers/qbf/qdimacs_core.cpp                              | 3 +--
 src/solvers/refinement/bv_refinement_loop.cpp                 | 3 +--
 src/solvers/refinement/refine_arithmetic.cpp                  | 3 +--
 src/solvers/refinement/refine_arrays.cpp                      | 2 +-
 src/solvers/refinement/refined_string_type.cpp                | 4 ++--
 .../refinement/string_constraint_generator_constants.cpp      | 3 ++-
 src/solvers/refinement/string_constraint_generator_main.cpp   | 3 ++-
 .../refinement/string_constraint_generator_valueof.cpp        | 1 +
 src/solvers/refinement/string_refinement.cpp                  | 3 ++-
 src/solvers/sat/cnf.cpp                                       | 3 ++-
 src/solvers/sat/cnf_clause_list.cpp                           | 4 ++--
 src/solvers/sat/pbs_dimacs_cnf.cpp                            | 3 +--
 src/solvers/sat/read_dimacs_cnf.cpp                           | 4 ++--
 src/solvers/sat/resolution_proof.cpp                          | 3 +--
 src/solvers/sat/satcheck_booleforce.cpp                       | 4 +---
 src/solvers/sat/satcheck_glucose.cpp                          | 3 +--
 src/solvers/sat/satcheck_limmat.cpp                           | 4 +---
 src/solvers/sat/satcheck_lingeling.cpp                        | 3 +--
 src/solvers/sat/satcheck_minisat.cpp                          | 3 +--
 src/solvers/sat/satcheck_minisat2.cpp                         | 4 ++--
 src/solvers/sat/satcheck_picosat.cpp                          | 3 +--
 src/solvers/sat/satcheck_precosat.cpp                         | 3 +--
 src/solvers/sat/satcheck_smvsat.cpp                           | 4 +---
 src/solvers/sat/satcheck_zchaff.cpp                           | 4 +---
 src/solvers/sat/satcheck_zcore.cpp                            | 3 +--
 src/solvers/smt1/smt1_conv.cpp                                | 4 ++--
 src/solvers/smt1/smt1_dec.cpp                                 | 3 +--
 src/solvers/smt1/smt1_prop.cpp                                | 4 +---
 src/solvers/smt2/smt2_conv.cpp                                | 4 ++--
 src/solvers/smt2/smt2_dec.cpp                                 | 2 +-
 src/solvers/smt2/smt2_parser.cpp                              | 3 +--
 src/solvers/smt2/smt2_prop.cpp                                | 4 +---
 src/solvers/smt2/smt2irep.cpp                                 | 2 +-
 101 files changed, 118 insertions(+), 183 deletions(-)

diff --git a/src/solvers/cvc/cvc_conv.cpp b/src/solvers/cvc/cvc_conv.cpp
index 3646a5add6..356a9af1fd 100644
--- a/src/solvers/cvc/cvc_conv.cpp
+++ b/src/solvers/cvc/cvc_conv.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "cvc_conv.h"
 
 #include 
 #include 
@@ -21,8 +22,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 
-#include "cvc_conv.h"
-
 void cvc_convt::print_assignment(std::ostream &out) const
 {
   // Boolean stuff
diff --git a/src/solvers/cvc/cvc_dec.cpp b/src/solvers/cvc/cvc_dec.cpp
index e61479a2db..cdb83e67af 100644
--- a/src/solvers/cvc/cvc_dec.cpp
+++ b/src/solvers/cvc/cvc_dec.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "cvc_dec.h"
 
 #include 
 #include 
@@ -28,8 +29,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "cvc_dec.h"
-
 cvc_temp_filet::cvc_temp_filet()
 {
   temp_out_filename="cvc_dec_out_"+std::to_string(getpid())+".tmp";
diff --git a/src/solvers/cvc/cvc_prop.cpp b/src/solvers/cvc/cvc_prop.cpp
index 23f51daa33..7a02bd6533 100644
--- a/src/solvers/cvc/cvc_prop.cpp
+++ b/src/solvers/cvc/cvc_prop.cpp
@@ -6,13 +6,11 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "cvc_prop.h"
 
 #include 
 #include 
 
-
-#include "cvc_prop.h"
-
 explicit cvc_propt::cvc_propt(std::ostream &_out):out(_out)
 {
   _no_variables=0;
diff --git a/src/solvers/dplib/dplib_conv.cpp b/src/solvers/dplib/dplib_conv.cpp
index 7d0ea0f45c..a87cd0c25a 100644
--- a/src/solvers/dplib/dplib_conv.cpp
+++ b/src/solvers/dplib/dplib_conv.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "dplib_conv.h"
 
 #include 
 #include 
@@ -20,8 +21,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 
-#include "dplib_conv.h"
-
 std::string dplib_convt::bin_zero(unsigned bits)
 {
   assert(bits!=0);
diff --git a/src/solvers/dplib/dplib_dec.cpp b/src/solvers/dplib/dplib_dec.cpp
index 1750e7bc6f..111805276b 100644
--- a/src/solvers/dplib/dplib_dec.cpp
+++ b/src/solvers/dplib/dplib_dec.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "dplib_dec.h"
 
 #include 
 #include 
@@ -27,8 +28,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "dplib_dec.h"
-
 dplib_temp_filet::dplib_temp_filet()
 {
   temp_out_filename="dplib_dec_out_"+std::to_string(getpid())+".tmp";
diff --git a/src/solvers/dplib/dplib_prop.cpp b/src/solvers/dplib/dplib_prop.cpp
index ccc2261419..a0111b3b8f 100644
--- a/src/solvers/dplib/dplib_prop.cpp
+++ b/src/solvers/dplib/dplib_prop.cpp
@@ -6,14 +6,12 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "dplib_prop.h"
 
 #include 
 
 #include 
 
-
-#include "dplib_prop.h"
-
 dplib_propt::dplib_propt(std::ostream &_out):out(_out)
 {
   // we skip index 0
diff --git a/src/solvers/flattening/arrays.cpp b/src/solvers/flattening/arrays.cpp
index a7c92cbc27..c628997ca5 100644
--- a/src/solvers/flattening/arrays.cpp
+++ b/src/solvers/flattening/arrays.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "arrays.h"
 
 #include 
 #include 
@@ -20,8 +21,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 
-#include "arrays.h"
-
 arrayst::arrayst(
   const namespacet &_ns,
   propt &_prop):equalityt(_ns, _prop)
diff --git a/src/solvers/flattening/boolbv.cpp b/src/solvers/flattening/boolbv.cpp
index b3edb8e24c..58b09b0d1b 100644
--- a/src/solvers/flattening/boolbv.cpp
+++ b/src/solvers/flattening/boolbv.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "boolbv.h"
 
 #include 
 #include 
@@ -23,7 +24,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 
-#include "boolbv.h"
 #include "boolbv_type.h"
 
 #include "../floatbv/float_utils.h"
diff --git a/src/solvers/flattening/boolbv_abs.cpp b/src/solvers/flattening/boolbv_abs.cpp
index c32bca58cd..7f10b724ed 100644
--- a/src/solvers/flattening/boolbv_abs.cpp
+++ b/src/solvers/flattening/boolbv_abs.cpp
@@ -6,10 +6,10 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "boolbv.h"
 
 #include 
 
-#include "boolbv.h"
 #include "boolbv_type.h"
 
 #include "../floatbv/float_utils.h"
diff --git a/src/solvers/flattening/boolbv_add_sub.cpp b/src/solvers/flattening/boolbv_add_sub.cpp
index 373738fe1f..0486874d6d 100644
--- a/src/solvers/flattening/boolbv_add_sub.cpp
+++ b/src/solvers/flattening/boolbv_add_sub.cpp
@@ -6,13 +6,12 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "boolbv.h"
 
 #include 
 
 #include 
 
-#include "boolbv.h"
-
 #include "../floatbv/float_utils.h"
 
 bvt boolbvt::convert_add_sub(const exprt &expr)
diff --git a/src/solvers/flattening/boolbv_array_of.cpp b/src/solvers/flattening/boolbv_array_of.cpp
index 2ddd2b674a..2c01f09563 100644
--- a/src/solvers/flattening/boolbv_array_of.cpp
+++ b/src/solvers/flattening/boolbv_array_of.cpp
@@ -6,12 +6,11 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "boolbv.h"
 
 #include 
 #include 
 
-#include "boolbv.h"
-
 bvt boolbvt::convert_array_of(const array_of_exprt &expr)
 {
   if(expr.type().id()!=ID_array)
diff --git a/src/solvers/flattening/boolbv_bv_rel.cpp b/src/solvers/flattening/boolbv_bv_rel.cpp
index 7cf0812793..37f3dbadd3 100644
--- a/src/solvers/flattening/boolbv_bv_rel.cpp
+++ b/src/solvers/flattening/boolbv_bv_rel.cpp
@@ -6,10 +6,10 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "boolbv.h"
 
 #include 
 
-#include "boolbv.h"
 #include "boolbv_type.h"
 
 #include "../floatbv/float_utils.h"
diff --git a/src/solvers/flattening/boolbv_byte_extract.cpp b/src/solvers/flattening/boolbv_byte_extract.cpp
index 98a8e4b507..0cc2c46bd8 100644
--- a/src/solvers/flattening/boolbv_byte_extract.cpp
+++ b/src/solvers/flattening/boolbv_byte_extract.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "boolbv.h"
 
 #include 
 
@@ -14,7 +15,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "boolbv.h"
 #include "flatten_byte_operators.h"
 
 bvt map_bv(const endianness_mapt &map, const bvt &src)
diff --git a/src/solvers/flattening/boolbv_byte_update.cpp b/src/solvers/flattening/boolbv_byte_update.cpp
index cd8851ccfc..5446a0498c 100644
--- a/src/solvers/flattening/boolbv_byte_update.cpp
+++ b/src/solvers/flattening/boolbv_byte_update.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "boolbv.h"
 
 #include 
 #include 
@@ -14,8 +15,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "boolbv.h"
-
 bvt boolbvt::convert_byte_update(const byte_update_exprt &expr)
 {
   if(expr.operands().size()!=3)
diff --git a/src/solvers/flattening/boolbv_case.cpp b/src/solvers/flattening/boolbv_case.cpp
index 9bedb525dc..6434f21617 100644
--- a/src/solvers/flattening/boolbv_case.cpp
+++ b/src/solvers/flattening/boolbv_case.cpp
@@ -6,11 +6,10 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "boolbv.h"
 
 #include 
 
-#include "boolbv.h"
-
 bvt boolbvt::convert_case(const exprt &expr)
 {
   const std::vector &operands=expr.operands();
diff --git a/src/solvers/flattening/boolbv_cond.cpp b/src/solvers/flattening/boolbv_cond.cpp
index 0b2184a212..514c1e817f 100644
--- a/src/solvers/flattening/boolbv_cond.cpp
+++ b/src/solvers/flattening/boolbv_cond.cpp
@@ -6,11 +6,10 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "boolbv.h"
 
 #include 
 
-#include "boolbv.h"
-
 bvt boolbvt::convert_cond(const exprt &expr)
 {
   const exprt::operandst &operands=expr.operands();
diff --git a/src/solvers/flattening/boolbv_div.cpp b/src/solvers/flattening/boolbv_div.cpp
index 1eacc7c64c..d8c0581fce 100644
--- a/src/solvers/flattening/boolbv_div.cpp
+++ b/src/solvers/flattening/boolbv_div.cpp
@@ -6,11 +6,10 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "boolbv.h"
 
 #include 
 
-#include "boolbv.h"
-
 bvt boolbvt::convert_div(const div_exprt &expr)
 {
   if(expr.type().id()!=ID_unsignedbv &&
diff --git a/src/solvers/flattening/boolbv_equality.cpp b/src/solvers/flattening/boolbv_equality.cpp
index 997f8738c9..95a379a5a9 100644
--- a/src/solvers/flattening/boolbv_equality.cpp
+++ b/src/solvers/flattening/boolbv_equality.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "boolbv.h"
 
 #include 
 
@@ -15,7 +16,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 
 #include "flatten_byte_operators.h"
-#include "boolbv.h"
 
 literalt boolbvt::convert_equality(const equal_exprt &expr)
 {
diff --git a/src/solvers/flattening/boolbv_extractbit.cpp b/src/solvers/flattening/boolbv_extractbit.cpp
index 607926550a..f24b8a1394 100644
--- a/src/solvers/flattening/boolbv_extractbit.cpp
+++ b/src/solvers/flattening/boolbv_extractbit.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "boolbv.h"
 
 #include 
 #include 
@@ -14,8 +15,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "boolbv.h"
-
 literalt boolbvt::convert_extractbit(const extractbit_exprt &expr)
 {
   const exprt::operandst &operands=expr.operands();
diff --git a/src/solvers/flattening/boolbv_extractbits.cpp b/src/solvers/flattening/boolbv_extractbits.cpp
index e0576b0222..3b363a6367 100644
--- a/src/solvers/flattening/boolbv_extractbits.cpp
+++ b/src/solvers/flattening/boolbv_extractbits.cpp
@@ -6,11 +6,10 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "boolbv.h"
 
 #include 
 
-#include "boolbv.h"
-
 bvt boolbvt::convert_extractbits(const extractbits_exprt &expr)
 {
   std::size_t width=boolbv_width(expr.type());
diff --git a/src/solvers/flattening/boolbv_floatbv_op.cpp b/src/solvers/flattening/boolbv_floatbv_op.cpp
index 6dbf6181c2..d6609691df 100644
--- a/src/solvers/flattening/boolbv_floatbv_op.cpp
+++ b/src/solvers/flattening/boolbv_floatbv_op.cpp
@@ -6,14 +6,13 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "boolbv.h"
 
 #include 
 #include 
 
 #include 
 
-#include "boolbv.h"
-
 #include "../floatbv/float_utils.h"
 
 bvt boolbvt::convert_floatbv_typecast(const floatbv_typecast_exprt &expr)
diff --git a/src/solvers/flattening/boolbv_get.cpp b/src/solvers/flattening/boolbv_get.cpp
index fc166f758d..a0f86997e1 100644
--- a/src/solvers/flattening/boolbv_get.cpp
+++ b/src/solvers/flattening/boolbv_get.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "boolbv.h"
 
 #include 
 
@@ -15,7 +16,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "boolbv.h"
 #include "boolbv_type.h"
 
 exprt boolbvt::get(const exprt &expr) const
diff --git a/src/solvers/flattening/boolbv_ieee_float_rel.cpp b/src/solvers/flattening/boolbv_ieee_float_rel.cpp
index 4f5ad89436..c7297d2679 100644
--- a/src/solvers/flattening/boolbv_ieee_float_rel.cpp
+++ b/src/solvers/flattening/boolbv_ieee_float_rel.cpp
@@ -6,10 +6,10 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "boolbv.h"
 
 #include 
 
-#include "boolbv.h"
 #include "boolbv_type.h"
 
 #include "../floatbv/float_utils.h"
diff --git a/src/solvers/flattening/boolbv_index.cpp b/src/solvers/flattening/boolbv_index.cpp
index 4be4408c79..ff63fedf14 100644
--- a/src/solvers/flattening/boolbv_index.cpp
+++ b/src/solvers/flattening/boolbv_index.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "boolbv.h"
 
 #include 
 
@@ -13,8 +14,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "boolbv.h"
-
 bvt boolbvt::convert_index(const index_exprt &expr)
 {
   if(expr.id()!=ID_index)
diff --git a/src/solvers/flattening/boolbv_map.cpp b/src/solvers/flattening/boolbv_map.cpp
index 37c66024ca..7e5c069cd6 100644
--- a/src/solvers/flattening/boolbv_map.cpp
+++ b/src/solvers/flattening/boolbv_map.cpp
@@ -6,12 +6,12 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "boolbv_map.h"
 
 #include 
 
 #include "../prop/prop.h"
 
-#include "boolbv_map.h"
 #include "boolbv_width.h"
 
 #ifdef DEBUG
diff --git a/src/solvers/flattening/boolbv_member.cpp b/src/solvers/flattening/boolbv_member.cpp
index 16d5de84ca..448e80f565 100644
--- a/src/solvers/flattening/boolbv_member.cpp
+++ b/src/solvers/flattening/boolbv_member.cpp
@@ -6,13 +6,12 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "boolbv.h"
 
 #include 
 #include 
 #include 
 
-#include "boolbv.h"
-
 bvt boolbvt::convert_member(const member_exprt &expr)
 {
   const exprt &struct_op=expr.struct_op();
diff --git a/src/solvers/flattening/boolbv_mult.cpp b/src/solvers/flattening/boolbv_mult.cpp
index 51d8f342eb..15803b7ead 100644
--- a/src/solvers/flattening/boolbv_mult.cpp
+++ b/src/solvers/flattening/boolbv_mult.cpp
@@ -6,11 +6,10 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "boolbv.h"
 
 #include 
 
-#include "boolbv.h"
-
 bvt boolbvt::convert_mult(const exprt &expr)
 {
   std::size_t width=boolbv_width(expr.type());
diff --git a/src/solvers/flattening/boolbv_overflow.cpp b/src/solvers/flattening/boolbv_overflow.cpp
index 748975540a..33dd61bca3 100644
--- a/src/solvers/flattening/boolbv_overflow.cpp
+++ b/src/solvers/flattening/boolbv_overflow.cpp
@@ -6,14 +6,13 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "boolbv.h"
 
 #include 
 
 #include 
 #include 
 
-#include "boolbv.h"
-
 literalt boolbvt::convert_overflow(const exprt &expr)
 {
   const exprt::operandst &operands=expr.operands();
diff --git a/src/solvers/flattening/boolbv_quantifier.cpp b/src/solvers/flattening/boolbv_quantifier.cpp
index 0a706b41fa..23f8857f80 100644
--- a/src/solvers/flattening/boolbv_quantifier.cpp
+++ b/src/solvers/flattening/boolbv_quantifier.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "boolbv.h"
 
 #include 
 
@@ -13,8 +14,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "boolbv.h"
-
 /// A method to detect equivalence between experts that can contain typecast
 bool expr_eq(const exprt &expr1, const exprt &expr2)
 {
diff --git a/src/solvers/flattening/boolbv_replication.cpp b/src/solvers/flattening/boolbv_replication.cpp
index a9ff908749..c7368cc183 100644
--- a/src/solvers/flattening/boolbv_replication.cpp
+++ b/src/solvers/flattening/boolbv_replication.cpp
@@ -6,11 +6,10 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "boolbv.h"
 
 #include 
 
-#include "boolbv.h"
-
 bvt boolbvt::convert_replication(const replication_exprt &expr)
 {
   std::size_t width=boolbv_width(expr.type());
diff --git a/src/solvers/flattening/boolbv_shift.cpp b/src/solvers/flattening/boolbv_shift.cpp
index 8c09d7d92e..596d51067e 100644
--- a/src/solvers/flattening/boolbv_shift.cpp
+++ b/src/solvers/flattening/boolbv_shift.cpp
@@ -6,13 +6,12 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "boolbv.h"
 
 #include 
 
 #include 
 
-#include "boolbv.h"
-
 bvt boolbvt::convert_shift(const binary_exprt &expr)
 {
   const irep_idt &type_id=expr.type().id();
diff --git a/src/solvers/flattening/boolbv_struct.cpp b/src/solvers/flattening/boolbv_struct.cpp
index f900430a6f..e1dbe90601 100644
--- a/src/solvers/flattening/boolbv_struct.cpp
+++ b/src/solvers/flattening/boolbv_struct.cpp
@@ -6,12 +6,11 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "boolbv.h"
 
 #include 
 #include 
 
-#include "boolbv.h"
-
 bvt boolbvt::convert_struct(const struct_exprt &expr)
 {
   const struct_typet &struct_type=to_struct_type(ns.follow(expr.type()));
diff --git a/src/solvers/flattening/boolbv_typecast.cpp b/src/solvers/flattening/boolbv_typecast.cpp
index 4f41d48330..ecd2522532 100644
--- a/src/solvers/flattening/boolbv_typecast.cpp
+++ b/src/solvers/flattening/boolbv_typecast.cpp
@@ -6,12 +6,12 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "boolbv.h"
 
 #include 
 
 #include 
 
-#include "boolbv.h"
 #include "boolbv_type.h"
 #include "c_bit_field_replacement_type.h"
 
diff --git a/src/solvers/flattening/boolbv_unary_minus.cpp b/src/solvers/flattening/boolbv_unary_minus.cpp
index 2cef5e38e7..e4b2707c10 100644
--- a/src/solvers/flattening/boolbv_unary_minus.cpp
+++ b/src/solvers/flattening/boolbv_unary_minus.cpp
@@ -6,10 +6,10 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "boolbv.h"
 
 #include 
 
-#include "boolbv.h"
 #include "boolbv_type.h"
 
 #include "../floatbv/float_utils.h"
diff --git a/src/solvers/flattening/boolbv_union.cpp b/src/solvers/flattening/boolbv_union.cpp
index f35c6b8344..9432741019 100644
--- a/src/solvers/flattening/boolbv_union.cpp
+++ b/src/solvers/flattening/boolbv_union.cpp
@@ -6,13 +6,12 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "boolbv.h"
 
 #include 
 #include 
 #include 
 
-#include "boolbv.h"
-
 bvt boolbvt::convert_union(const union_exprt &expr)
 {
   std::size_t width=boolbv_width(expr.type());
diff --git a/src/solvers/flattening/boolbv_update.cpp b/src/solvers/flattening/boolbv_update.cpp
index 96fce25225..e48e5990f0 100644
--- a/src/solvers/flattening/boolbv_update.cpp
+++ b/src/solvers/flattening/boolbv_update.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "boolbv.h"
 
 #include 
 #include 
@@ -16,8 +17,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 
-#include "boolbv.h"
-
 bvt boolbvt::convert_update(const exprt &expr)
 {
   const exprt::operandst &ops=expr.operands();
diff --git a/src/solvers/flattening/boolbv_width.cpp b/src/solvers/flattening/boolbv_width.cpp
index 5d8eef0196..a61be58ad7 100644
--- a/src/solvers/flattening/boolbv_width.cpp
+++ b/src/solvers/flattening/boolbv_width.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "boolbv_width.h"
 
 #include 
 
@@ -13,8 +14,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "boolbv_width.h"
-
 boolbv_widtht::boolbv_widtht(const namespacet &_ns):ns(_ns)
 {
 }
diff --git a/src/solvers/flattening/boolbv_with.cpp b/src/solvers/flattening/boolbv_with.cpp
index c5f92806bf..b3a8170d8f 100644
--- a/src/solvers/flattening/boolbv_with.cpp
+++ b/src/solvers/flattening/boolbv_with.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "boolbv.h"
 
 #include 
 #include 
@@ -14,8 +15,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "boolbv.h"
-
 bvt boolbvt::convert_with(const exprt &expr)
 {
   if(expr.operands().size()<3)
diff --git a/src/solvers/flattening/bv_minimize.cpp b/src/solvers/flattening/bv_minimize.cpp
index 263c9b4ccc..5bc26cee31 100644
--- a/src/solvers/flattening/bv_minimize.cpp
+++ b/src/solvers/flattening/bv_minimize.cpp
@@ -6,13 +6,12 @@ Author: Georg Weissenbacher, georg.weissenbacher@inf.ethz.ch
 
 \*******************************************************************/
 
+#include "bv_minimize.h"
 
 #include 
 
 #include 
 
-#include "bv_minimize.h"
-
 void bv_minimizet::add_objective(
   prop_minimizet &prop_minimize,
   const exprt &objective)
diff --git a/src/solvers/flattening/bv_pointers.cpp b/src/solvers/flattening/bv_pointers.cpp
index aeecd21e2b..9ecb81c984 100644
--- a/src/solvers/flattening/bv_pointers.cpp
+++ b/src/solvers/flattening/bv_pointers.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "bv_pointers.h"
 
 #include 
 #include 
@@ -15,8 +16,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "bv_pointers.h"
-
 literalt bv_pointerst::convert_rest(const exprt &expr)
 {
   if(expr.type().id()!=ID_bool)
diff --git a/src/solvers/flattening/bv_utils.cpp b/src/solvers/flattening/bv_utils.cpp
index e916b9e41e..cff775d659 100644
--- a/src/solvers/flattening/bv_utils.cpp
+++ b/src/solvers/flattening/bv_utils.cpp
@@ -6,13 +6,12 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "bv_utils.h"
 
 #include 
 
 #include 
 
-#include "bv_utils.h"
-
 bvt bv_utilst::build_constant(const mp_integer &n, std::size_t width)
 {
   std::string n_str=integer2binary(n, width);
diff --git a/src/solvers/flattening/equality.cpp b/src/solvers/flattening/equality.cpp
index 547ef74305..79890ab897 100644
--- a/src/solvers/flattening/equality.cpp
+++ b/src/solvers/flattening/equality.cpp
@@ -6,12 +6,12 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "equality.h"
 
 #ifdef DEBUG
 #include 
 #endif
 
-#include "equality.h"
 #include "bv_utils.h"
 
 literalt equalityt::equality(const exprt &e1, const exprt &e2)
diff --git a/src/solvers/flattening/flatten_byte_operators.cpp b/src/solvers/flattening/flatten_byte_operators.cpp
index 364565fe0f..b5837f3206 100644
--- a/src/solvers/flattening/flatten_byte_operators.cpp
+++ b/src/solvers/flattening/flatten_byte_operators.cpp
@@ -6,7 +6,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
-
 #include 
 #include 
 #include 
diff --git a/src/solvers/flattening/functions.cpp b/src/solvers/flattening/functions.cpp
index 1f2ed42be9..181d901fd5 100644
--- a/src/solvers/flattening/functions.cpp
+++ b/src/solvers/flattening/functions.cpp
@@ -6,14 +6,13 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "functions.h"
 
 #include 
 
 #include 
 #include 
 
-#include "functions.h"
-
 void functionst::record(
   const function_application_exprt &function_application)
 {
diff --git a/src/solvers/flattening/pointer_logic.cpp b/src/solvers/flattening/pointer_logic.cpp
index 5086e62bbf..3f1ffd4779 100644
--- a/src/solvers/flattening/pointer_logic.cpp
+++ b/src/solvers/flattening/pointer_logic.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Pointer Logic
 
+#include "pointer_logic.h"
+
 #include 
 
 #include 
@@ -16,8 +18,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "pointer_logic.h"
-
 bool pointer_logict::is_dynamic_object(const exprt &expr) const
 {
   if(expr.type().get_bool("#dynamic"))
diff --git a/src/solvers/flattening/pointer_logic.h b/src/solvers/flattening/pointer_logic.h
index a0dc8b7fb5..0719381935 100644
--- a/src/solvers/flattening/pointer_logic.h
+++ b/src/solvers/flattening/pointer_logic.h
@@ -18,6 +18,8 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #define BV_ADDR_BITS 8
 
+class namespacet;
+
 class pointer_logict
 {
 public:
diff --git a/src/solvers/floatbv/float_approximation.cpp b/src/solvers/floatbv/float_approximation.cpp
index 799efcbb4a..6a70b5f509 100644
--- a/src/solvers/floatbv/float_approximation.cpp
+++ b/src/solvers/floatbv/float_approximation.cpp
@@ -6,11 +6,10 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "float_approximation.h"
 
 #include 
 
-#include "float_approximation.h"
-
 float_approximationt::~float_approximationt()
 {
 }
diff --git a/src/solvers/floatbv/float_bv.cpp b/src/solvers/floatbv/float_bv.cpp
index 65ba54deb4..b1810b85d0 100644
--- a/src/solvers/floatbv/float_bv.cpp
+++ b/src/solvers/floatbv/float_bv.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "float_bv.h"
 
 #include 
 #include 
@@ -13,8 +14,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "float_bv.h"
-
 exprt float_bvt::convert(const exprt &expr)
 {
   if(expr.id()==ID_abs)
diff --git a/src/solvers/floatbv/float_utils.cpp b/src/solvers/floatbv/float_utils.cpp
index c2752a29e1..6dd36849af 100644
--- a/src/solvers/floatbv/float_utils.cpp
+++ b/src/solvers/floatbv/float_utils.cpp
@@ -6,14 +6,13 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "float_utils.h"
 
 #include 
 #include 
 
 #include 
 
-#include "float_utils.h"
-
 void float_utilst::set_rounding_mode(const bvt &src)
 {
   bvt round_to_even=
diff --git a/src/solvers/miniBDD/example.cpp b/src/solvers/miniBDD/example.cpp
index 4918b89a60..3307c7722d 100644
--- a/src/solvers/miniBDD/example.cpp
+++ b/src/solvers/miniBDD/example.cpp
@@ -11,10 +11,10 @@ Author: Daniel Kroening, kroening@kroening.com
 /// A minimalistic BDD library, following Bryant's original paper and Andersen's
 ///   lecture notes
 
-#include 
-
 #include "miniBDD.h"
 
+#include 
+
 int main()
 {
   miniBDD::mgr mgr;
diff --git a/src/solvers/miniBDD/miniBDD.cpp b/src/solvers/miniBDD/miniBDD.cpp
index 7d47221295..d32330a099 100644
--- a/src/solvers/miniBDD/miniBDD.cpp
+++ b/src/solvers/miniBDD/miniBDD.cpp
@@ -11,12 +11,12 @@ Author: Daniel Kroening, kroening@kroening.com
 /// A minimalistic BDD library, following Bryant's original paper and Andersen's
 ///   lecture notes
 
+#include "miniBDD.h"
+
 #include 
 
 #include 
 
-#include "miniBDD.h"
-
 #define forall_nodes(it) for(nodest::const_iterator it=nodes.begin(); \
   it!=nodes.end(); it++)
 
diff --git a/src/solvers/prop/aig.cpp b/src/solvers/prop/aig.cpp
index a6f3886539..a164b379db 100644
--- a/src/solvers/prop/aig.cpp
+++ b/src/solvers/prop/aig.cpp
@@ -6,13 +6,12 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "aig.h"
 
 #include 
 #include 
 #include 
 
-#include "aig.h"
-
 std::string aigt::label(nodest::size_type v) const
 {
   return "var("+std::to_string(v)+")";
diff --git a/src/solvers/prop/aig_prop.cpp b/src/solvers/prop/aig_prop.cpp
index 759041cc8b..9b8e90427e 100644
--- a/src/solvers/prop/aig_prop.cpp
+++ b/src/solvers/prop/aig_prop.cpp
@@ -6,12 +6,11 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "aig_prop.h"
 
 #include 
 #include 
 
-#include "aig_prop.h"
-
 // Tries to compact AIGs corresponding to xor and equality
 // Needed to match the performance of the native CNF back-end.
 #define USE_AIG_COMPACT
diff --git a/src/solvers/prop/bdd_expr.cpp b/src/solvers/prop/bdd_expr.cpp
index 9a885c031b..2a5b4ffa78 100644
--- a/src/solvers/prop/bdd_expr.cpp
+++ b/src/solvers/prop/bdd_expr.cpp
@@ -9,13 +9,13 @@ Author: Michael Tautschnig, michael.tautschnig@qmul.ac.uk
 /// \file
 /// Conversion between exprt and miniBDD
 
+#include "bdd_expr.h"
+
 #include 
 
 #include 
 #include 
 
-#include "bdd_expr.h"
-
 mini_bddt bdd_exprt::from_expr_rec(const exprt &expr)
 {
   assert(expr.type().id()==ID_bool);
diff --git a/src/solvers/prop/cover_goals.cpp b/src/solvers/prop/cover_goals.cpp
index 1783983ccf..aaf494169e 100644
--- a/src/solvers/prop/cover_goals.cpp
+++ b/src/solvers/prop/cover_goals.cpp
@@ -9,10 +9,11 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Cover a set of goals incrementally
 
+#include "cover_goals.h"
+
 #include 
 
 #include "literal_expr.h"
-#include "cover_goals.h"
 
 cover_goalst::~cover_goalst()
 {
diff --git a/src/solvers/prop/literal.cpp b/src/solvers/prop/literal.cpp
index e00f3bb37b..02e1db3404 100644
--- a/src/solvers/prop/literal.cpp
+++ b/src/solvers/prop/literal.cpp
@@ -9,10 +9,10 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Literals
 
-#include 
-
 #include "literal.h"
 
+#include 
+
 std::ostream &operator << (std::ostream &out, literalt l)
 {
   if(l.is_constant())
diff --git a/src/solvers/prop/minimize.cpp b/src/solvers/prop/minimize.cpp
index 8ae18a1787..c28ab411bf 100644
--- a/src/solvers/prop/minimize.cpp
+++ b/src/solvers/prop/minimize.cpp
@@ -9,10 +9,11 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Minimize some target function incrementally
 
+#include "minimize.h"
+
 #include 
 
 #include "literal_expr.h"
-#include "minimize.h"
 
 /// Add an objective
 void prop_minimizet::objective(
diff --git a/src/solvers/prop/prop.cpp b/src/solvers/prop/prop.cpp
index 6810ca4fef..bfa3a00591 100644
--- a/src/solvers/prop/prop.cpp
+++ b/src/solvers/prop/prop.cpp
@@ -6,11 +6,10 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "prop.h"
 
 #include 
 
-#include "prop.h"
-
 /// asserts a==b in the propositional formula
 void propt::set_equal(literalt a, literalt b)
 {
diff --git a/src/solvers/prop/prop_conv.cpp b/src/solvers/prop/prop_conv.cpp
index 72caa7ec6e..734d11a680 100644
--- a/src/solvers/prop/prop_conv.cpp
+++ b/src/solvers/prop/prop_conv.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "prop_conv.h"
 
 #include 
 #include 
@@ -16,7 +17,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 
 #include "prop.h"
-#include "prop_conv.h"
 #include "literal_expr.h"
 
 /// determine whether a variable is in the final conflict
diff --git a/src/solvers/prop/prop_conv_store.cpp b/src/solvers/prop/prop_conv_store.cpp
index 109c2f0cee..5ac16b8ff2 100644
--- a/src/solvers/prop/prop_conv_store.cpp
+++ b/src/solvers/prop/prop_conv_store.cpp
@@ -6,11 +6,10 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "prop_conv_store.h"
 
 #include 
 
-#include "prop_conv_store.h"
-
 void prop_conv_storet::set_to(const exprt &expr, bool value)
 {
   constraintt &constraint=constraints.add_constraint();
diff --git a/src/solvers/qbf/qbf_bdd_core.cpp b/src/solvers/qbf/qbf_bdd_core.cpp
index 03779c3b7d..d0bef9244c 100644
--- a/src/solvers/qbf/qbf_bdd_core.cpp
+++ b/src/solvers/qbf/qbf_bdd_core.cpp
@@ -6,6 +6,7 @@ Author: CM Wintersteiger
 
 \*******************************************************************/
 
+#include 
 
 #include 
 #include 
@@ -15,8 +16,6 @@ Author: CM Wintersteiger
 
 #include 
 
-#include 
-
 #include  // CUDD Library
 
 /*! \cond */
diff --git a/src/solvers/qbf/qbf_quantor.cpp b/src/solvers/qbf/qbf_quantor.cpp
index fef41a7e89..ab187e20ad 100644
--- a/src/solvers/qbf/qbf_quantor.cpp
+++ b/src/solvers/qbf/qbf_quantor.cpp
@@ -6,13 +6,12 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "qbf_quantor.h"
 
 #include 
 #include 
 #include 
 
-#include "qbf_quantor.h"
-
 qbf_quantort::qbf_quantort()
 {
 }
diff --git a/src/solvers/qbf/qbf_qube.cpp b/src/solvers/qbf/qbf_qube.cpp
index eb3b73ddbf..9953fbc922 100644
--- a/src/solvers/qbf/qbf_qube.cpp
+++ b/src/solvers/qbf/qbf_qube.cpp
@@ -6,13 +6,12 @@ Author: CM Wintersteiger
 
 \*******************************************************************/
 
+#include "qbf_qube.h"
 
 #include 
 #include 
 #include 
 
-#include "qbf_qube.h"
-
 qbf_qubet::qbf_qubet()
 {
   // skizzo crashes on broken lines
diff --git a/src/solvers/qbf/qbf_qube_core.cpp b/src/solvers/qbf/qbf_qube_core.cpp
index 1315ef4a59..281771c56e 100644
--- a/src/solvers/qbf/qbf_qube_core.cpp
+++ b/src/solvers/qbf/qbf_qube_core.cpp
@@ -6,6 +6,7 @@ Author: CM Wintersteiger
 
 \*******************************************************************/
 
+#include "qbf_qube_core.h"
 
 #include 
 #include 
@@ -13,8 +14,6 @@ Author: CM Wintersteiger
 
 #include 
 
-#include "qbf_qube_core.h"
-
 qbf_qube_coret::qbf_qube_coret() : qdimacs_coret()
 {
   break_lines=false;
diff --git a/src/solvers/qbf/qbf_skizzo.cpp b/src/solvers/qbf/qbf_skizzo.cpp
index c26132f70b..55813caf56 100644
--- a/src/solvers/qbf/qbf_skizzo.cpp
+++ b/src/solvers/qbf/qbf_skizzo.cpp
@@ -6,13 +6,12 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "qbf_skizzo.h"
 
 #include 
 #include 
 #include 
 
-#include "qbf_skizzo.h"
-
 qbf_skizzot::qbf_skizzot()
 {
   // skizzo crashes on broken lines
diff --git a/src/solvers/qbf/qbf_squolem.cpp b/src/solvers/qbf/qbf_squolem.cpp
index 6724a3f189..97ab3ebb5e 100644
--- a/src/solvers/qbf/qbf_squolem.cpp
+++ b/src/solvers/qbf/qbf_squolem.cpp
@@ -6,7 +6,6 @@ Author: CM Wintersteiger
 
 \*******************************************************************/
 
-
 /// \file
 /// Squolem Backend
 
diff --git a/src/solvers/qbf/qbf_squolem_core.cpp b/src/solvers/qbf/qbf_squolem_core.cpp
index f927117b22..04f5c7ae3c 100644
--- a/src/solvers/qbf/qbf_squolem_core.cpp
+++ b/src/solvers/qbf/qbf_squolem_core.cpp
@@ -9,6 +9,8 @@ Author: CM Wintersteiger
 /// \file
 /// Squolem Backend (with proofs)
 
+#include "qbf_squolem_core.h"
+
 #include 
 
 #include 
@@ -16,8 +18,6 @@ Author: CM Wintersteiger
 
 #include  // uint type for indices
 
-#include "qbf_squolem_core.h"
-
 qbf_squolem_coret::qbf_squolem_coret() : squolem(NULL)
 {
   setup();
diff --git a/src/solvers/qbf/qdimacs_cnf.cpp b/src/solvers/qbf/qdimacs_cnf.cpp
index e0333c569c..11638606d6 100644
--- a/src/solvers/qbf/qdimacs_cnf.cpp
+++ b/src/solvers/qbf/qdimacs_cnf.cpp
@@ -6,12 +6,11 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "qdimacs_cnf.h"
 
 #include 
 #include 
 
-#include "qdimacs_cnf.h"
-
 void qdimacs_cnft::write_qdimacs_cnf(std::ostream &out)
 {
   write_problem_line(out);
diff --git a/src/solvers/qbf/qdimacs_core.cpp b/src/solvers/qbf/qdimacs_core.cpp
index 8deb11be70..e729d8ece5 100644
--- a/src/solvers/qbf/qdimacs_core.cpp
+++ b/src/solvers/qbf/qdimacs_core.cpp
@@ -6,12 +6,11 @@ Author: CM Wintersteiger
 
 \*******************************************************************/
 
+#include "qdimacs_core.h"
 
 #include 
 #include 
 
-#include "qdimacs_core.h"
-
 void qdimacs_coret::simplify_extractbits(exprt &expr) const
 {
   if(expr.id()==ID_and)
diff --git a/src/solvers/refinement/bv_refinement_loop.cpp b/src/solvers/refinement/bv_refinement_loop.cpp
index cf21409ee8..5492f0e603 100644
--- a/src/solvers/refinement/bv_refinement_loop.cpp
+++ b/src/solvers/refinement/bv_refinement_loop.cpp
@@ -6,13 +6,12 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "bv_refinement.h"
 
 #include 
 
 #include 
 
-#include "bv_refinement.h"
-
 bv_refinementt::bv_refinementt(
   const namespacet &_ns, propt &_prop):
   bv_pointerst(_ns, _prop),
diff --git a/src/solvers/refinement/refine_arithmetic.cpp b/src/solvers/refinement/refine_arithmetic.cpp
index 70faf0e600..f0be4a531b 100644
--- a/src/solvers/refinement/refine_arithmetic.cpp
+++ b/src/solvers/refinement/refine_arithmetic.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "bv_refinement.h"
 
 #include 
 #include 
@@ -16,8 +17,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 
-#include "bv_refinement.h"
-
 // Parameters
 #define MAX_INTEGER_UNDERAPPROX 3
 #define MAX_FLOAT_UNDERAPPROX 10
diff --git a/src/solvers/refinement/refine_arrays.cpp b/src/solvers/refinement/refine_arrays.cpp
index 5caee4b01b..5aebddf2e1 100644
--- a/src/solvers/refinement/refine_arrays.cpp
+++ b/src/solvers/refinement/refine_arrays.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "bv_refinement.h"
 
 #ifdef DEBUG
 #include 
@@ -15,7 +16,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "bv_refinement.h"
 #include 
 
 /// generate array constraints
diff --git a/src/solvers/refinement/refined_string_type.cpp b/src/solvers/refinement/refined_string_type.cpp
index dd91489e8f..edd1c43e49 100644
--- a/src/solvers/refinement/refined_string_type.cpp
+++ b/src/solvers/refinement/refined_string_type.cpp
@@ -16,10 +16,10 @@ Author: Romain Brenguier, romain.brenguier@diffblue.com
 ///   `content` of type `content_type`. This module also defines functions to
 ///   recognise the C and java string types.
 
-#include 
-
 #include "refined_string_type.h"
 
+#include 
+
 refined_string_typet::refined_string_typet(
   const typet &index_type, const typet &char_type)
 {
diff --git a/src/solvers/refinement/string_constraint_generator_constants.cpp b/src/solvers/refinement/string_constraint_generator_constants.cpp
index 3c05aaf544..fe85c70dc4 100644
--- a/src/solvers/refinement/string_constraint_generator_constants.cpp
+++ b/src/solvers/refinement/string_constraint_generator_constants.cpp
@@ -9,8 +9,9 @@ Author: Romain Brenguier, romain.brenguier@diffblue.com
 /// \file
 /// Generates string constraints for constant strings
 
-#include 
 #include 
+
+#include 
 #include 
 #include 
 
diff --git a/src/solvers/refinement/string_constraint_generator_main.cpp b/src/solvers/refinement/string_constraint_generator_main.cpp
index b0b48df18b..308846338e 100644
--- a/src/solvers/refinement/string_constraint_generator_main.cpp
+++ b/src/solvers/refinement/string_constraint_generator_main.cpp
@@ -17,9 +17,10 @@ Author: Romain Brenguier, romain.brenguier@diffblue.com
 ///   Li and Indradeep Ghosh, which gives examples of constraints for several
 ///   functions.
 
+#include 
+
 #include 
 #include 
-#include 
 #include 
 #include 
 #include 
diff --git a/src/solvers/refinement/string_constraint_generator_valueof.cpp b/src/solvers/refinement/string_constraint_generator_valueof.cpp
index 6fe11ca6c1..66364bcdc2 100644
--- a/src/solvers/refinement/string_constraint_generator_valueof.cpp
+++ b/src/solvers/refinement/string_constraint_generator_valueof.cpp
@@ -12,6 +12,7 @@ Author: Romain Brenguier, romain.brenguier@diffblue.com
 ///   types, in particular int, long, float, double, char, bool
 
 #include 
+
 #include 
 
 /// add axioms corresponding to the String.valueOf(I) java function
diff --git a/src/solvers/refinement/string_refinement.cpp b/src/solvers/refinement/string_refinement.cpp
index 36f619b8ad..34e3217e27 100644
--- a/src/solvers/refinement/string_refinement.cpp
+++ b/src/solvers/refinement/string_refinement.cpp
@@ -17,12 +17,13 @@ Author: Alberto Griggio, alberto.griggio@gmail.com
 ///   Parameterized Array and Interval Automaton" by Guodong Li and Indradeep
 ///   Ghosh.
 
+#include 
+
 #include 
 #include 
 #include 
 #include 
 #include 
-#include 
 #include 
 
 string_refinementt::string_refinementt(
diff --git a/src/solvers/sat/cnf.cpp b/src/solvers/sat/cnf.cpp
index 7ff2fc1c52..bed97954ba 100644
--- a/src/solvers/sat/cnf.cpp
+++ b/src/solvers/sat/cnf.cpp
@@ -9,12 +9,13 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// CNF Generation, via Tseitin
 
+#include "cnf.h"
+
 #include 
 #include 
 #include 
 #include 
 
-#include "cnf.h"
 // #define VERBOSE
 
 /// Tseitin encoding of conjunction of two literals
diff --git a/src/solvers/sat/cnf_clause_list.cpp b/src/solvers/sat/cnf_clause_list.cpp
index cb68ddad24..20c0e5168c 100644
--- a/src/solvers/sat/cnf_clause_list.cpp
+++ b/src/solvers/sat/cnf_clause_list.cpp
@@ -9,11 +9,11 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// CNF Generation
 
+#include "cnf_clause_list.h"
+
 #include 
 #include 
 
-#include "cnf_clause_list.h"
-
 void cnf_clause_listt::lcnf(const bvt &bv)
 {
   bvt new_bv;
diff --git a/src/solvers/sat/pbs_dimacs_cnf.cpp b/src/solvers/sat/pbs_dimacs_cnf.cpp
index d8bfa28339..731c6ac7ae 100644
--- a/src/solvers/sat/pbs_dimacs_cnf.cpp
+++ b/src/solvers/sat/pbs_dimacs_cnf.cpp
@@ -6,14 +6,13 @@ Author: Alex Groce
 
 \*******************************************************************/
 
+#include "pbs_dimacs_cnf.h"
 
 #include 
 #include 
 #include 
 #include 
 
-#include "pbs_dimacs_cnf.h"
-
 void pbs_dimacs_cnft::write_dimacs_pb(std::ostream &out)
 {
   double d_sum=0;
diff --git a/src/solvers/sat/read_dimacs_cnf.cpp b/src/solvers/sat/read_dimacs_cnf.cpp
index 5a12e16b5e..4228851fcd 100644
--- a/src/solvers/sat/read_dimacs_cnf.cpp
+++ b/src/solvers/sat/read_dimacs_cnf.cpp
@@ -9,13 +9,13 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Reading DIMACS CNF
 
+#include "read_dimacs_cnf.h"
+
 #include 
 #include  // for abs()
 
 #include 
 
-#include "read_dimacs_cnf.h"
-
 // #define VERBOSE
 
 void read_dimacs_cnf(std::istream &in, cnft &dest)
diff --git a/src/solvers/sat/resolution_proof.cpp b/src/solvers/sat/resolution_proof.cpp
index 061e9d2cf1..c0102da2ae 100644
--- a/src/solvers/sat/resolution_proof.cpp
+++ b/src/solvers/sat/resolution_proof.cpp
@@ -6,12 +6,11 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "resolution_proof.h"
 
 #include 
 #include 
 
-#include "resolution_proof.h"
-
 template
 void resolution_prooft::build_core(std::vector &in_core)
 {
diff --git a/src/solvers/sat/satcheck_booleforce.cpp b/src/solvers/sat/satcheck_booleforce.cpp
index 51e8684a2f..c6374c7012 100644
--- a/src/solvers/sat/satcheck_booleforce.cpp
+++ b/src/solvers/sat/satcheck_booleforce.cpp
@@ -6,12 +6,10 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "satcheck_booleforce.h"
 
 #include 
 
-
-#include "satcheck_booleforce.h"
-
 extern "C"
 {
 #include "booleforce.h"
diff --git a/src/solvers/sat/satcheck_glucose.cpp b/src/solvers/sat/satcheck_glucose.cpp
index cb51184395..3d6e2ae393 100644
--- a/src/solvers/sat/satcheck_glucose.cpp
+++ b/src/solvers/sat/satcheck_glucose.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "satcheck_glucose.h"
 
 #ifndef _MSC_VER
 #include 
@@ -16,8 +17,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 
-#include "satcheck_glucose.h"
-
 #include 
 #include 
 
diff --git a/src/solvers/sat/satcheck_limmat.cpp b/src/solvers/sat/satcheck_limmat.cpp
index 1ff47403ec..10fd310ff3 100644
--- a/src/solvers/sat/satcheck_limmat.cpp
+++ b/src/solvers/sat/satcheck_limmat.cpp
@@ -6,12 +6,10 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "satcheck_limmat.h"
 
 #include 
 
-
-#include "satcheck_limmat.h"
-
 extern "C"
 {
 #include "limmat.h"
diff --git a/src/solvers/sat/satcheck_lingeling.cpp b/src/solvers/sat/satcheck_lingeling.cpp
index 8d74a7706a..ad0a504d41 100644
--- a/src/solvers/sat/satcheck_lingeling.cpp
+++ b/src/solvers/sat/satcheck_lingeling.cpp
@@ -6,13 +6,12 @@ Author: Michael Tautschnig, michael.tautschnig@cs.ox.ac.uk
 
 \*******************************************************************/
 
+#include "satcheck_lingeling.h"
 
 #include 
 
 #include 
 
-#include "satcheck_lingeling.h"
-
 extern "C"
 {
 #include 
diff --git a/src/solvers/sat/satcheck_minisat.cpp b/src/solvers/sat/satcheck_minisat.cpp
index 4e61f2d33d..fb892707b8 100644
--- a/src/solvers/sat/satcheck_minisat.cpp
+++ b/src/solvers/sat/satcheck_minisat.cpp
@@ -6,14 +6,13 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "satcheck_minisat.h"
 
 #include 
 #include 
 
 #include 
 
-#include "satcheck_minisat.h"
-
 #include 
 #include 
 
diff --git a/src/solvers/sat/satcheck_minisat2.cpp b/src/solvers/sat/satcheck_minisat2.cpp
index 5fa9e44b13..ef6605532c 100644
--- a/src/solvers/sat/satcheck_minisat2.cpp
+++ b/src/solvers/sat/satcheck_minisat2.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "satcheck_minisat2.h"
 
 #ifndef _MSC_VER
 #include 
@@ -14,11 +15,10 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
+#include 
 #include 
 #include 
 
-#include "satcheck_minisat2.h"
-
 #include 
 #include 
 
diff --git a/src/solvers/sat/satcheck_picosat.cpp b/src/solvers/sat/satcheck_picosat.cpp
index 6c69d0ab0b..de54f70f9c 100644
--- a/src/solvers/sat/satcheck_picosat.cpp
+++ b/src/solvers/sat/satcheck_picosat.cpp
@@ -6,13 +6,12 @@ Author: Michael Tautschnig, michael.tautschnig@cs.ox.ac.uk
 
 \*******************************************************************/
 
+#include "satcheck_picosat.h"
 
 #include 
 
 #include 
 
-#include "satcheck_picosat.h"
-
 extern "C"
 {
 #include 
diff --git a/src/solvers/sat/satcheck_precosat.cpp b/src/solvers/sat/satcheck_precosat.cpp
index ec60b64927..6e9a2248c9 100644
--- a/src/solvers/sat/satcheck_precosat.cpp
+++ b/src/solvers/sat/satcheck_precosat.cpp
@@ -6,13 +6,12 @@ Author: Michael Tautschnig, michael.tautschnig@cs.ox.ac.uk
 
 \*******************************************************************/
 
+#include "satcheck_precosat.h"
 
 #include 
 
 #include 
 
-#include "satcheck_precosat.h"
-
 #include 
 
 #ifndef HAVE_PRECOSAT
diff --git a/src/solvers/sat/satcheck_smvsat.cpp b/src/solvers/sat/satcheck_smvsat.cpp
index 21c9f8b516..1018a4d96b 100644
--- a/src/solvers/sat/satcheck_smvsat.cpp
+++ b/src/solvers/sat/satcheck_smvsat.cpp
@@ -6,13 +6,11 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "satcheck_smvsat.h"
 
 #include 
 #include 
 
-
-#include "satcheck_smvsat.h"
-
 #include 
 #include 
 
diff --git a/src/solvers/sat/satcheck_zchaff.cpp b/src/solvers/sat/satcheck_zchaff.cpp
index 548bb04ff8..9a854286a6 100644
--- a/src/solvers/sat/satcheck_zchaff.cpp
+++ b/src/solvers/sat/satcheck_zchaff.cpp
@@ -6,12 +6,10 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "satcheck_zchaff.h"
 
 #include 
 
-
-#include "satcheck_zchaff.h"
-
 #include 
 
 satcheck_zchaff_baset::satcheck_zchaff_baset(CSolver *_solver):solver(_solver)
diff --git a/src/solvers/sat/satcheck_zcore.cpp b/src/solvers/sat/satcheck_zcore.cpp
index 6886ab1b6c..ac0d60977f 100644
--- a/src/solvers/sat/satcheck_zcore.cpp
+++ b/src/solvers/sat/satcheck_zcore.cpp
@@ -6,14 +6,13 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "satcheck_zcore.h"
 
 #include 
 #include 
 
 #include 
 
-#include "satcheck_zcore.h"
-
 #include 
 
 satcheck_zcoret::satcheck_zcoret()
diff --git a/src/solvers/smt1/smt1_conv.cpp b/src/solvers/smt1/smt1_conv.cpp
index ac2326fbc0..65f5564040 100644
--- a/src/solvers/smt1/smt1_conv.cpp
+++ b/src/solvers/smt1/smt1_conv.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// SMT Version 1 Backend
 
+#include "smt1_conv.h"
+
 #include 
 
 #include 
@@ -29,8 +31,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "smt1_conv.h"
-
 void smt1_convt::print_assignment(std::ostream &out) const
 {
   // Boolean stuff
diff --git a/src/solvers/smt1/smt1_dec.cpp b/src/solvers/smt1/smt1_dec.cpp
index be1001c2ca..807fa52733 100644
--- a/src/solvers/smt1/smt1_dec.cpp
+++ b/src/solvers/smt1/smt1_dec.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "smt1_dec.h"
 
 #include 
 
@@ -25,8 +26,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "smt1_dec.h"
-
 std::string smt1_dect::decision_procedure_text() const
 {
   return "SMT1 "+logic+" using "+
diff --git a/src/solvers/smt1/smt1_prop.cpp b/src/solvers/smt1/smt1_prop.cpp
index 3f3c33dbf5..481d0d289c 100644
--- a/src/solvers/smt1/smt1_prop.cpp
+++ b/src/solvers/smt1/smt1_prop.cpp
@@ -8,12 +8,10 @@ Revisions: Roberto Bruttomesso, roberto.bruttomesso@unisi.ch
 
 \*******************************************************************/
 
+#include "smt1_prop.h"
 
 #include 
 
-
-#include "smt1_prop.h"
-
 smt1_propt::smt1_propt(
   const std::string &benchmark,
   const std::string &source,
diff --git a/src/solvers/smt2/smt2_conv.cpp b/src/solvers/smt2/smt2_conv.cpp
index a26dd2445c..d6198ebea5 100644
--- a/src/solvers/smt2/smt2_conv.cpp
+++ b/src/solvers/smt2/smt2_conv.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// SMT Backend
 
+#include "smt2_conv.h"
+
 #include 
 
 #include 
@@ -31,8 +33,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "smt2_conv.h"
-
 // Mark different kinds of error condition
 // General
 #define PARSERERROR(S) throw S
diff --git a/src/solvers/smt2/smt2_dec.cpp b/src/solvers/smt2/smt2_dec.cpp
index 1c3ea406e1..41f17d66fc 100644
--- a/src/solvers/smt2/smt2_dec.cpp
+++ b/src/solvers/smt2/smt2_dec.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "smt2_dec.h"
 
 #include 
 
@@ -24,7 +25,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "smt2_dec.h"
 #include "smt2irep.h"
 
 std::string smt2_dect::decision_procedure_text() const
diff --git a/src/solvers/smt2/smt2_parser.cpp b/src/solvers/smt2/smt2_parser.cpp
index cd271a37d5..c29d54dda2 100644
--- a/src/solvers/smt2/smt2_parser.cpp
+++ b/src/solvers/smt2/smt2_parser.cpp
@@ -6,12 +6,11 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "smt2_parser.h"
 
 #include 
 #include 
 
-#include "smt2_parser.h"
-
 bool smt2_parsert::is_simple_symbol_character(char ch)
 {
   // any non-empty sequence of letters, digits and the characters
diff --git a/src/solvers/smt2/smt2_prop.cpp b/src/solvers/smt2/smt2_prop.cpp
index 9dac1b64e6..d6810e5d0c 100644
--- a/src/solvers/smt2/smt2_prop.cpp
+++ b/src/solvers/smt2/smt2_prop.cpp
@@ -6,12 +6,10 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "smt2_prop.h"
 
 #include 
 
-
-#include "smt2_prop.h"
-
 smt2_propt::smt2_propt(
   const std::string &benchmark,
   const std::string &source,
diff --git a/src/solvers/smt2/smt2irep.cpp b/src/solvers/smt2/smt2irep.cpp
index 4154ea291e..a549d55867 100644
--- a/src/solvers/smt2/smt2irep.cpp
+++ b/src/solvers/smt2/smt2irep.cpp
@@ -6,11 +6,11 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "smt2irep.h"
 
 #include 
 #include 
 
-#include "smt2irep.h"
 #include "smt2_parser.h"
 
 class smt2irept:public smt2_parsert

From 81745863894abf30a0598050f7ce527bf7ccd486 Mon Sep 17 00:00:00 2001
From: reuk 
Date: Sun, 7 May 2017 14:34:02 +0100
Subject: [PATCH 63/89] Fix include order in symex

---
 src/symex/path_search.cpp         | 4 ++--
 src/symex/symex_cover.cpp         | 4 ++--
 src/symex/symex_main.cpp          | 4 ++--
 src/symex/symex_parse_options.cpp | 3 ++-
 4 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/src/symex/path_search.cpp b/src/symex/path_search.cpp
index d90ffcbd49..6b03b163fa 100644
--- a/src/symex/path_search.cpp
+++ b/src/symex/path_search.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Path-based Symbolic Execution
 
+#include "path_search.h"
+
 #include 
 #include 
 
@@ -18,8 +20,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "path_search.h"
-
 path_searcht::resultt path_searcht::operator()(
   const goto_functionst &goto_functions)
 {
diff --git a/src/symex/symex_cover.cpp b/src/symex/symex_cover.cpp
index 50c6a54988..e7f101c087 100644
--- a/src/symex/symex_cover.cpp
+++ b/src/symex/symex_cover.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Symex Test Suite Generation
 
+#include "symex_parse_options.h"
+
 #include 
 
 #include 
@@ -17,8 +19,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "symex_parse_options.h"
-
 std::string symex_parse_optionst::get_test(const goto_tracet &goto_trace)
 {
   bool first=true;
diff --git a/src/symex/symex_main.cpp b/src/symex/symex_main.cpp
index 2407aad561..36080f4a69 100644
--- a/src/symex/symex_main.cpp
+++ b/src/symex/symex_main.cpp
@@ -9,10 +9,10 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Symex Main Module
 
-#include 
-
 #include "symex_parse_options.h"
 
+#include 
+
 #ifdef _MSC_VER
 int wmain(int argc, const wchar_t **argv_wide)
 {
diff --git a/src/symex/symex_parse_options.cpp b/src/symex/symex_parse_options.cpp
index 9b77014a2d..5fc475ee15 100644
--- a/src/symex/symex_parse_options.cpp
+++ b/src/symex/symex_parse_options.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Symex Command Line Options Processing
 
+#include "symex_parse_options.h"
+
 #include 
 #include 
 #include 
@@ -52,7 +54,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 
 #include "path_search.h"
-#include "symex_parse_options.h"
 
 symex_parse_optionst::symex_parse_optionst(int argc, const char **argv):
   parse_options_baset(SYMEX_OPTIONS, argc, argv),

From ae0ba27690d0b3b89585a475a4fd6b3e33f49ecb Mon Sep 17 00:00:00 2001
From: reuk 
Date: Sun, 7 May 2017 14:34:43 +0100
Subject: [PATCH 64/89] Fix include order in xmllang

---
 src/xmllang/graphml.cpp    | 4 ++--
 src/xmllang/xml_parser.cpp | 3 +--
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/src/xmllang/graphml.cpp b/src/xmllang/graphml.cpp
index 3a0591f8ec..d76f5b1f95 100644
--- a/src/xmllang/graphml.cpp
+++ b/src/xmllang/graphml.cpp
@@ -9,14 +9,14 @@ Author: Michael Tautschnig, mt@eecs.qmul.ac.uk
 /// \file
 /// Read/write graphs as GraphML
 
+#include "graphml.h"
+
 #include 
 #include 
 
 #include 
 #include 
 
-#include "graphml.h"
-
 // include last to make sure #define stack(x) of parser.h does not
 // collide with std::stack included by graph.h
 #include "xml_parser.h"
diff --git a/src/xmllang/xml_parser.cpp b/src/xmllang/xml_parser.cpp
index 8a92480bc2..f03d4d87b2 100644
--- a/src/xmllang/xml_parser.cpp
+++ b/src/xmllang/xml_parser.cpp
@@ -6,13 +6,12 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "xml_parser.h"
 
 #include 
 #include 
 #include 
 
-#include "xml_parser.h"
-
 xml_parsert xml_parser;
 
 // 'do it all' function

From ba73db3875e32ac1f2482b35a162bed373fb50c5 Mon Sep 17 00:00:00 2001
From: reuk 
Date: Sun, 7 May 2017 14:47:30 +0100
Subject: [PATCH 65/89] Fix include order in util

---
 src/util/arith_tools.cpp           | 3 +--
 src/util/array_name.cpp            | 1 +
 src/util/base_type.cpp             | 3 ++-
 src/util/bv_arithmetic.cpp         | 2 +-
 src/util/byte_operators.cpp        | 2 +-
 src/util/cmdline.cpp               | 3 +--
 src/util/config.cpp                | 2 +-
 src/util/cout_message.cpp          | 2 +-
 src/util/decision_procedure.cpp    | 4 ++--
 src/util/endianness_map.cpp        | 2 +-
 src/util/expr.cpp                  | 5 ++++-
 src/util/expr_util.cpp             | 1 +
 src/util/file_util.cpp             | 4 ++--
 src/util/find_macros.cpp           | 2 +-
 src/util/find_symbols.cpp          | 3 +--
 src/util/fixedbv.cpp               | 2 +-
 src/util/format_constant.cpp       | 1 +
 src/util/get_module.cpp            | 3 ++-
 src/util/guard.cpp                 | 3 ++-
 src/util/identifier.cpp            | 3 +--
 src/util/ieee_float.cpp            | 2 +-
 src/util/irep.cpp                  | 4 ++--
 src/util/irep_hash_container.cpp   | 1 +
 src/util/irep_ids.cpp              | 3 ++-
 src/util/irep_serialization.cpp    | 3 ++-
 src/util/json.cpp                  | 3 +--
 src/util/json_expr.cpp             | 4 ++--
 src/util/json_irep.cpp             | 3 ++-
 src/util/language.cpp              | 1 +
 src/util/language_file.cpp         | 2 +-
 src/util/lispexpr.cpp              | 3 +--
 src/util/lispirep.cpp              | 1 +
 src/util/memory_info.cpp           | 3 +--
 src/util/merge_irep.cpp            | 2 +-
 src/util/mp_arith.cpp              | 2 +-
 src/util/namespace.cpp             | 3 ++-
 src/util/options.cpp               | 3 ++-
 src/util/parse_options.cpp         | 2 +-
 src/util/pipe_stream.cpp           | 3 ++-
 src/util/pipe_stream.h             | 2 +-
 src/util/pointer_offset_size.cpp   | 4 ++--
 src/util/pointer_predicates.cpp    | 4 ++--
 src/util/rational.cpp              | 4 ++--
 src/util/rational_tools.cpp        | 4 ++--
 src/util/rename.cpp                | 2 +-
 src/util/rename_symbol.cpp         | 2 +-
 src/util/replace_symbol.cpp        | 2 +-
 src/util/run.cpp                   | 3 +--
 src/util/signal_catcher.cpp        | 3 +--
 src/util/simplify_expr.cpp         | 2 +-
 src/util/simplify_expr_array.cpp   | 2 +-
 src/util/simplify_expr_boolean.cpp | 2 +-
 src/util/simplify_expr_floatbv.cpp | 2 +-
 src/util/simplify_expr_int.cpp     | 2 +-
 src/util/simplify_expr_pointer.cpp | 2 +-
 src/util/simplify_expr_struct.cpp  | 2 +-
 src/util/simplify_utils.cpp        | 3 +--
 src/util/source_location.cpp       | 2 +-
 src/util/ssa_expr.cpp              | 3 +--
 src/util/std_code.cpp              | 1 +
 src/util/std_expr.cpp              | 2 +-
 src/util/std_types.cpp             | 2 +-
 src/util/string2int.cpp            | 3 +--
 src/util/string_container.cpp      | 4 ++--
 src/util/string_utils.cpp          | 3 +--
 src/util/substitute.cpp            | 3 +--
 src/util/symbol.cpp                | 2 +-
 src/util/symbol_table.cpp          | 3 +--
 src/util/tempdir.cpp               | 2 +-
 src/util/tempfile.cpp              | 3 +--
 src/util/threeval.cpp              | 3 +--
 src/util/time_stopping.cpp         | 4 ++--
 src/util/timer.cpp                 | 4 ++--
 src/util/type_eq.cpp               | 3 ++-
 src/util/ui_message.cpp            | 2 +-
 src/util/unicode.cpp               | 3 +--
 src/util/union_find.cpp            | 3 +--
 src/util/xml.cpp                   | 2 +-
 src/util/xml_expr.cpp              | 4 ++--
 src/util/xml_irep.cpp              | 2 +-
 80 files changed, 105 insertions(+), 104 deletions(-)

diff --git a/src/util/arith_tools.cpp b/src/util/arith_tools.cpp
index cd65775360..5b94a141df 100644
--- a/src/util/arith_tools.cpp
+++ b/src/util/arith_tools.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "arith_tools.h"
 
 #include 
 
@@ -14,8 +15,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include "std_types.h"
 #include "std_expr.h"
 
-#include "arith_tools.h"
-
 bool to_integer(const exprt &expr, mp_integer &int_value)
 {
   if(!expr.is_constant())
diff --git a/src/util/array_name.cpp b/src/util/array_name.cpp
index cd0c22dac6..a4bfa42c8d 100644
--- a/src/util/array_name.cpp
+++ b/src/util/array_name.cpp
@@ -10,6 +10,7 @@ Author: Daniel Kroening, kroening@kroening.com
 /// Misc Utilities
 
 #include "array_name.h"
+
 #include "expr.h"
 #include "namespace.h"
 #include "symbol.h"
diff --git a/src/util/base_type.cpp b/src/util/base_type.cpp
index 148f7b4215..f8c29a95e0 100644
--- a/src/util/base_type.cpp
+++ b/src/util/base_type.cpp
@@ -9,11 +9,12 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Base Type Computation
 
+#include "base_type.h"
+
 #include 
 #include 
 
 #include "std_types.h"
-#include "base_type.h"
 #include "namespace.h"
 #include "symbol.h"
 
diff --git a/src/util/bv_arithmetic.cpp b/src/util/bv_arithmetic.cpp
index 0507523930..4287e04adf 100644
--- a/src/util/bv_arithmetic.cpp
+++ b/src/util/bv_arithmetic.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "bv_arithmetic.h"
 
 #include 
 #include 
@@ -14,7 +15,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include "arith_tools.h"
 #include "std_types.h"
 #include "std_expr.h"
-#include "bv_arithmetic.h"
 
 typet bv_spect::to_type() const
 {
diff --git a/src/util/byte_operators.cpp b/src/util/byte_operators.cpp
index f1d58c5289..9ebc340d9c 100644
--- a/src/util/byte_operators.cpp
+++ b/src/util/byte_operators.cpp
@@ -6,10 +6,10 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "byte_operators.h"
 
 #include 
 
-#include "byte_operators.h"
 #include "config.h"
 
 irep_idt byte_extract_id()
diff --git a/src/util/cmdline.cpp b/src/util/cmdline.cpp
index 10ca6ac97c..5010a48e8d 100644
--- a/src/util/cmdline.cpp
+++ b/src/util/cmdline.cpp
@@ -6,13 +6,12 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "cmdline.h"
 
 #include 
 #include 
 #include 
 
-#include "cmdline.h"
-
 cmdlinet::cmdlinet()
 {
 }
diff --git a/src/util/config.cpp b/src/util/config.cpp
index 2422092f4c..ee24ab7b0f 100644
--- a/src/util/config.cpp
+++ b/src/util/config.cpp
@@ -6,11 +6,11 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "config.h"
 
 #include 
 
 #include "namespace.h"
-#include "config.h"
 #include "symbol_table.h"
 #include "arith_tools.h"
 #include "cmdline.h"
diff --git a/src/util/cout_message.cpp b/src/util/cout_message.cpp
index 357453bd20..5221fda0f2 100644
--- a/src/util/cout_message.cpp
+++ b/src/util/cout_message.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "cout_message.h"
 
 #include 
 
@@ -17,7 +18,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #endif
 
 #include "unicode.h"
-#include "cout_message.h"
 
 cout_message_handlert::cout_message_handlert():
   stream_message_handlert(std::cout)
diff --git a/src/util/decision_procedure.cpp b/src/util/decision_procedure.cpp
index bfee87da74..85f52acdba 100644
--- a/src/util/decision_procedure.cpp
+++ b/src/util/decision_procedure.cpp
@@ -9,10 +9,10 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Decision Procedure Interface
 
-#include 
-
 #include "decision_procedure.h"
 
+#include 
+
 bool decision_proceduret::in_core(const exprt &expr)
 {
   assert(false);
diff --git a/src/util/endianness_map.cpp b/src/util/endianness_map.cpp
index 6b636ca658..913bc8ad5d 100644
--- a/src/util/endianness_map.cpp
+++ b/src/util/endianness_map.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "endianness_map.h"
 
 #include 
 #include 
@@ -13,7 +14,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include "std_types.h"
 #include "pointer_offset_size.h"
 #include "arith_tools.h"
-#include "endianness_map.h"
 #include "namespace.h"
 
 void endianness_mapt::output(std::ostream &out) const
diff --git a/src/util/expr.cpp b/src/util/expr.cpp
index cc02253894..ee7f310d47 100644
--- a/src/util/expr.cpp
+++ b/src/util/expr.cpp
@@ -9,6 +9,10 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Expression Representation
 
+#include "expr.h"
+
+#include 
+
 #include 
 
 #include "string2int.h"
@@ -16,7 +20,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include "fixedbv.h"
 #include "ieee_float.h"
 #include "invariant.h"
-#include "expr.h"
 #include "rational.h"
 #include "rational_tools.h"
 #include "arith_tools.h"
diff --git a/src/util/expr_util.cpp b/src/util/expr_util.cpp
index 7370b165ea..001e58ee19 100644
--- a/src/util/expr_util.cpp
+++ b/src/util/expr_util.cpp
@@ -8,6 +8,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 
 #include "expr_util.h"
+
 #include "expr.h"
 #include "fixedbv.h"
 #include "ieee_float.h"
diff --git a/src/util/file_util.cpp b/src/util/file_util.cpp
index 701a1ea93c..3753fa5aab 100644
--- a/src/util/file_util.cpp
+++ b/src/util/file_util.cpp
@@ -11,6 +11,8 @@ Date: January 2012
 /// \file
 /// File Utilities
 
+#include "file_util.h"
+
 #include 
 
 #if defined(__linux__) || \
@@ -38,8 +40,6 @@ Date: January 2012
 #include 
 #endif
 
-#include "file_util.h"
-
 /// \return current working directory
 std::string get_current_working_directory()
 {
diff --git a/src/util/find_macros.cpp b/src/util/find_macros.cpp
index f6b2b748ad..10adacba6c 100644
--- a/src/util/find_macros.cpp
+++ b/src/util/find_macros.cpp
@@ -6,10 +6,10 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "find_macros.h"
 
 #include 
 
-#include "find_macros.h"
 #include "expr.h"
 #include "namespace.h"
 #include "symbol.h"
diff --git a/src/util/find_symbols.cpp b/src/util/find_symbols.cpp
index e58d64855f..9984ae584c 100644
--- a/src/util/find_symbols.cpp
+++ b/src/util/find_symbols.cpp
@@ -6,12 +6,11 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "find_symbols.h"
 
 #include "std_types.h"
 #include "std_expr.h"
 
-#include "find_symbols.h"
-
 enum class kindt { F_TYPE, F_TYPE_NON_PTR, F_EXPR, F_BOTH };
 
 void find_symbols(
diff --git a/src/util/fixedbv.cpp b/src/util/fixedbv.cpp
index 3f62619e74..4ea2a16612 100644
--- a/src/util/fixedbv.cpp
+++ b/src/util/fixedbv.cpp
@@ -6,10 +6,10 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "fixedbv.h"
 
 #include "std_types.h"
 #include "std_expr.h"
-#include "fixedbv.h"
 #include "arith_tools.h"
 
 fixedbv_spect::fixedbv_spect(const fixedbv_typet &type)
diff --git a/src/util/format_constant.cpp b/src/util/format_constant.cpp
index f5419f4dcd..85778504e4 100644
--- a/src/util/format_constant.cpp
+++ b/src/util/format_constant.cpp
@@ -8,6 +8,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 
 #include "format_constant.h"
+
 #include "arith_tools.h"
 #include "fixedbv.h"
 #include "ieee_float.h"
diff --git a/src/util/get_module.cpp b/src/util/get_module.cpp
index 655c64c665..3af2c46b49 100644
--- a/src/util/get_module.cpp
+++ b/src/util/get_module.cpp
@@ -9,10 +9,11 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Find module symbol using name
 
+#include "get_module.h"
+
 #include 
 #include 
 
-#include "get_module.h"
 #include "message.h"
 #include "symbol_table.h"
 
diff --git a/src/util/guard.cpp b/src/util/guard.cpp
index 6bad260f84..693b48602c 100644
--- a/src/util/guard.cpp
+++ b/src/util/guard.cpp
@@ -9,11 +9,12 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Symbolic Execution
 
+#include "guard.h"
+
 #include 
 
 #include "std_expr.h"
 #include "simplify_utils.h"
-#include "guard.h"
 
 void guardt::guard_expr(exprt &dest) const
 {
diff --git a/src/util/identifier.cpp b/src/util/identifier.cpp
index 289eb4ecb2..daa41cad07 100644
--- a/src/util/identifier.cpp
+++ b/src/util/identifier.cpp
@@ -6,11 +6,10 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "identifier.h"
 
 #include 
 
-#include "identifier.h"
-
 std::string identifiert::as_string() const
 {
   std::string result;
diff --git a/src/util/ieee_float.cpp b/src/util/ieee_float.cpp
index b2afe32197..154ba29c55 100644
--- a/src/util/ieee_float.cpp
+++ b/src/util/ieee_float.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "ieee_float.h"
 
 //  is yet to come
 #include 
@@ -18,7 +19,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include "arith_tools.h"
 #include "std_types.h"
 #include "std_expr.h"
-#include "ieee_float.h"
 
 mp_integer ieee_float_spect::bias() const
 {
diff --git a/src/util/irep.cpp b/src/util/irep.cpp
index 1bedec03f1..96c92b6174 100644
--- a/src/util/irep.cpp
+++ b/src/util/irep.cpp
@@ -9,12 +9,12 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Internal Representation
 
+#include "irep.h"
+
 #include 
 
 #include "invariant.h"
-
 #include "string2int.h"
-#include "irep.h"
 #include "string_hash.h"
 #include "irep_hash.h"
 
diff --git a/src/util/irep_hash_container.cpp b/src/util/irep_hash_container.cpp
index 82f6b81248..c72d231592 100644
--- a/src/util/irep_hash_container.cpp
+++ b/src/util/irep_hash_container.cpp
@@ -10,6 +10,7 @@ Author: Daniel Kroening, kroening@kroening.com
 /// Hashing IREPs
 
 #include "irep_hash_container.h"
+
 #include "irep.h"
 #include "irep_hash.h"
 
diff --git a/src/util/irep_ids.cpp b/src/util/irep_ids.cpp
index 15ff849a05..8aff81777a 100644
--- a/src/util/irep_ids.cpp
+++ b/src/util/irep_ids.cpp
@@ -9,9 +9,10 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Internal Representation
 
+#include "irep_ids.h"
+
 #include 
 
-#include "irep_ids.h"
 #include "string_container.h"
 
 const char *irep_ids_table[]=
diff --git a/src/util/irep_serialization.cpp b/src/util/irep_serialization.cpp
index c21d14916b..5226b2353d 100644
--- a/src/util/irep_serialization.cpp
+++ b/src/util/irep_serialization.cpp
@@ -11,10 +11,11 @@ Date: May 2007
 /// \file
 /// binary irep conversions with hashing
 
+#include "irep_serialization.h"
+
 #include 
 #include 
 
-#include "irep_serialization.h"
 #include "string_hash.h"
 
 void irep_serializationt::write_irep(
diff --git a/src/util/json.cpp b/src/util/json.cpp
index dcfa985860..79352da4f7 100644
--- a/src/util/json.cpp
+++ b/src/util/json.cpp
@@ -6,11 +6,10 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "json.h"
 
 #include 
 
-#include "json.h"
-
 const jsont jsont::null_json_object(jsont::kindt::J_NULL);
 
 void jsont::escape_string(const std::string &src, std::ostream &out)
diff --git a/src/util/json_expr.cpp b/src/util/json_expr.cpp
index 511e37ef68..43f12ee82b 100644
--- a/src/util/json_expr.cpp
+++ b/src/util/json_expr.cpp
@@ -9,6 +9,8 @@ Author: Peter Schrammel
 /// \file
 /// Expressions in JSON
 
+#include "json_expr.h"
+
 #include "namespace.h"
 #include "expr.h"
 #include "json.h"
@@ -18,8 +20,6 @@ Author: Peter Schrammel
 #include "std_expr.h"
 #include "config.h"
 
-#include "json_expr.h"
-
 json_objectt json(const source_locationt &location)
 {
   json_objectt result;
diff --git a/src/util/json_irep.cpp b/src/util/json_irep.cpp
index ca9db86284..c091b22733 100644
--- a/src/util/json_irep.cpp
+++ b/src/util/json_irep.cpp
@@ -9,9 +9,10 @@ Author: Thomas Kiley, thomas.kiley@diffblue.com
 /// \file
 /// Util
 
+#include "json_irep.h"
+
 #include "irep.h"
 #include "json.h"
-#include "json_irep.h"
 
 #include 
 
diff --git a/src/util/language.cpp b/src/util/language.cpp
index 2abe1b9178..2afbbcb17e 100644
--- a/src/util/language.cpp
+++ b/src/util/language.cpp
@@ -10,6 +10,7 @@ Author: Daniel Kroening, kroening@kroening.com
 /// Abstract interface to support a programming language
 
 #include "language.h"
+
 #include "expr.h"
 
 bool languaget::final(symbol_tablet &symbol_table)
diff --git a/src/util/language_file.cpp b/src/util/language_file.cpp
index 1fff96d215..2aa57a85c6 100644
--- a/src/util/language_file.cpp
+++ b/src/util/language_file.cpp
@@ -6,11 +6,11 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "language_file.h"
 
 #include 
 
 #include "language.h"
-#include "language_file.h"
 
 language_filet::language_filet(const language_filet &rhs):
   modules(rhs.modules),
diff --git a/src/util/lispexpr.cpp b/src/util/lispexpr.cpp
index 156d718f5b..80f62d15c3 100644
--- a/src/util/lispexpr.cpp
+++ b/src/util/lispexpr.cpp
@@ -6,11 +6,10 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "lispexpr.h"
 
 #include 
 
-#include "lispexpr.h"
-
 std::string lispexprt::expr2string() const
 {
   std::string result;
diff --git a/src/util/lispirep.cpp b/src/util/lispirep.cpp
index 6ad94df06a..22e3e0b99a 100644
--- a/src/util/lispirep.cpp
+++ b/src/util/lispirep.cpp
@@ -8,6 +8,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 
 #include "lispirep.h"
+
 #include "irep.h"
 #include "lispexpr.h"
 
diff --git a/src/util/memory_info.cpp b/src/util/memory_info.cpp
index 59cc987479..3840ba4fc5 100644
--- a/src/util/memory_info.cpp
+++ b/src/util/memory_info.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "memory_info.h"
 
 #ifdef __APPLE__
 #include 
@@ -24,8 +25,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 
-#include "memory_info.h"
-
 void memory_info(std::ostream &out)
 {
   #if defined(__linux__) && defined(__GLIBC__)
diff --git a/src/util/merge_irep.cpp b/src/util/merge_irep.cpp
index fafc834eab..02e04b461e 100644
--- a/src/util/merge_irep.cpp
+++ b/src/util/merge_irep.cpp
@@ -6,9 +6,9 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "merge_irep.h"
 
 #include "irep_hash.h"
-#include "merge_irep.h"
 
 std::size_t to_be_merged_irept::hash() const
 {
diff --git a/src/util/mp_arith.cpp b/src/util/mp_arith.cpp
index 980284ffcd..035541749e 100644
--- a/src/util/mp_arith.cpp
+++ b/src/util/mp_arith.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "mp_arith.h"
 
 #include 
 #include 
@@ -15,7 +16,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "mp_arith.h"
 #include "arith_tools.h"
 
 mp_integer operator>>(const mp_integer &a, const mp_integer &b)
diff --git a/src/util/namespace.cpp b/src/util/namespace.cpp
index 4aeff9046e..50de95f296 100644
--- a/src/util/namespace.cpp
+++ b/src/util/namespace.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Namespace
 
+#include "namespace.h"
+
 #include 
 
 #include 
@@ -17,7 +19,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include "symbol_table.h"
 #include "prefix.h"
 #include "std_types.h"
-#include "namespace.h"
 
 unsigned get_max(
   const std::string &prefix,
diff --git a/src/util/options.cpp b/src/util/options.cpp
index 85b59d64fa..bd952760a4 100644
--- a/src/util/options.cpp
+++ b/src/util/options.cpp
@@ -9,9 +9,10 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Options
 
-#include "string2int.h"
 #include "options.h"
 
+#include "string2int.h"
+
 void optionst::set_option(const std::string &option,
                           const std::string &value)
 {
diff --git a/src/util/parse_options.cpp b/src/util/parse_options.cpp
index 2e4d91e75e..db809a387a 100644
--- a/src/util/parse_options.cpp
+++ b/src/util/parse_options.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "parse_options.h"
 
 #include 
 
@@ -17,7 +18,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #endif
 
 #include "cmdline.h"
-#include "parse_options.h"
 #include "signal_catcher.h"
 
 parse_options_baset::parse_options_baset(
diff --git a/src/util/pipe_stream.cpp b/src/util/pipe_stream.cpp
index 9a9c629701..4306bce8e0 100644
--- a/src/util/pipe_stream.cpp
+++ b/src/util/pipe_stream.cpp
@@ -9,12 +9,13 @@ Author:
 /// \file
 /// A stdin/stdout pipe as STL stream
 
+#include "pipe_stream.h"
+
 #include 
 #include 
 #include 
 
 #include "unicode.h"
-#include "pipe_stream.h"
 
 #ifdef _WIN32
 #include 
diff --git a/src/util/pipe_stream.h b/src/util/pipe_stream.h
index e03169ffd1..385cb65f79 100644
--- a/src/util/pipe_stream.h
+++ b/src/util/pipe_stream.h
@@ -12,7 +12,7 @@ Author:
 #ifndef CPROVER_UTIL_PIPE_STREAM_H
 #define CPROVER_UTIL_PIPE_STREAM_H
 
-#include 
+#include 
 #include 
 #include 
 
diff --git a/src/util/pointer_offset_size.cpp b/src/util/pointer_offset_size.cpp
index 28915b5af0..dee9aeff82 100644
--- a/src/util/pointer_offset_size.cpp
+++ b/src/util/pointer_offset_size.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Pointer Logic
 
+#include "pointer_offset_size.h"
+
 #include 
 
 #include "c_types.h"
@@ -23,8 +25,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include "symbol.h"
 #include "ssa_expr.h"
 
-#include "pointer_offset_size.h"
-
 member_offset_iterator::member_offset_iterator(
   const struct_typet &_type,
   const namespacet &_ns):
diff --git a/src/util/pointer_predicates.cpp b/src/util/pointer_predicates.cpp
index 9d2791a923..e0ef139be4 100644
--- a/src/util/pointer_predicates.cpp
+++ b/src/util/pointer_predicates.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Various predicates over pointers in programs
 
+#include "pointer_predicates.h"
+
 #include "c_types.h"
 #include "cprover_prefix.h"
 #include "namespace.h"
@@ -19,8 +21,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include "config.h"
 #include "symbol.h"
 
-#include "pointer_predicates.h"
-
 exprt pointer_object(const exprt &p)
 {
   return unary_exprt(ID_pointer_object, p, size_type());
diff --git a/src/util/rational.cpp b/src/util/rational.cpp
index f43b5915a2..521e7683c1 100644
--- a/src/util/rational.cpp
+++ b/src/util/rational.cpp
@@ -9,11 +9,11 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Rational Numbers
 
+#include "rational.h"
+
 #include 
 #include 
 
-#include "rational.h"
-
 rationalt &rationalt::operator+=(const rationalt &n)
 {
   rationalt tmp(n);
diff --git a/src/util/rational_tools.cpp b/src/util/rational_tools.cpp
index 140241a917..cd03b1bd9c 100644
--- a/src/util/rational_tools.cpp
+++ b/src/util/rational_tools.cpp
@@ -9,11 +9,11 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Rational Numbers
 
+#include "rational_tools.h"
+
 #include "rational.h"
 #include "std_types.h"
 
-#include "rational_tools.h"
-
 static mp_integer power10(size_t i)
 {
   mp_integer result=1;
diff --git a/src/util/rename.cpp b/src/util/rename.cpp
index da127c4f3f..52977ab8c6 100644
--- a/src/util/rename.cpp
+++ b/src/util/rename.cpp
@@ -6,10 +6,10 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "rename.h"
 
 #include 
 
-#include "rename.h"
 #include "symbol.h"
 #include "expr.h"
 #include "namespace.h"
diff --git a/src/util/rename_symbol.cpp b/src/util/rename_symbol.cpp
index 727f83b0ed..59b257b09a 100644
--- a/src/util/rename_symbol.cpp
+++ b/src/util/rename_symbol.cpp
@@ -6,10 +6,10 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "rename_symbol.h"
 
 #include "std_types.h"
 #include "std_expr.h"
-#include "rename_symbol.h"
 
 rename_symbolt::rename_symbolt()
 {
diff --git a/src/util/replace_symbol.cpp b/src/util/replace_symbol.cpp
index 51d4a14049..2f5fce05ee 100644
--- a/src/util/replace_symbol.cpp
+++ b/src/util/replace_symbol.cpp
@@ -6,10 +6,10 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "replace_symbol.h"
 
 #include "std_types.h"
 #include "std_expr.h"
-#include "replace_symbol.h"
 
 replace_symbolt::replace_symbolt()
 {
diff --git a/src/util/run.cpp b/src/util/run.cpp
index d29082ea0b..164cac834d 100644
--- a/src/util/run.cpp
+++ b/src/util/run.cpp
@@ -8,6 +8,7 @@ Date: August 2012
 
 \*******************************************************************/
 
+#include "run.h"
 
 #include 
 
@@ -32,8 +33,6 @@ Date: August 2012
 #include 
 #include 
 
-#include "run.h"
-
 int run_shell(const std::string &command)
 {
   std::string shell="/bin/sh";
diff --git a/src/util/signal_catcher.cpp b/src/util/signal_catcher.cpp
index 9c67c23f30..168eaa3d5a 100644
--- a/src/util/signal_catcher.cpp
+++ b/src/util/signal_catcher.cpp
@@ -8,6 +8,7 @@ Date:
 
 \*******************************************************************/
 
+#include "signal_catcher.h"
 
 #if defined(_WIN32)
 #include 
@@ -18,8 +19,6 @@ Date:
 
 #include 
 
-#include "signal_catcher.h"
-
 // Here we have an instance of an ugly global object.
 // It keeps track of any child processes that we'll kill
 // when we are told to terminate.
diff --git a/src/util/simplify_expr.cpp b/src/util/simplify_expr.cpp
index 28b9ab87c2..6bb5b776f4 100644
--- a/src/util/simplify_expr.cpp
+++ b/src/util/simplify_expr.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "simplify_expr.h"
 
 #include 
 #include 
@@ -13,7 +14,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include "c_types.h"
 #include "rational.h"
 #include "simplify_expr_class.h"
-#include "simplify_expr.h"
 #include "mp_arith.h"
 #include "arith_tools.h"
 #include "replace_expr.h"
diff --git a/src/util/simplify_expr_array.cpp b/src/util/simplify_expr_array.cpp
index c12d810939..26a61f65be 100644
--- a/src/util/simplify_expr_array.cpp
+++ b/src/util/simplify_expr_array.cpp
@@ -6,10 +6,10 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "simplify_expr_class.h"
 
 #include 
 
-#include "simplify_expr_class.h"
 #include "expr.h"
 #include "namespace.h"
 #include "std_expr.h"
diff --git a/src/util/simplify_expr_boolean.cpp b/src/util/simplify_expr_boolean.cpp
index f50c9b61b1..238dfd384c 100644
--- a/src/util/simplify_expr_boolean.cpp
+++ b/src/util/simplify_expr_boolean.cpp
@@ -6,11 +6,11 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "simplify_expr_class.h"
 
 #include 
 #include 
 
-#include "simplify_expr_class.h"
 #include "expr.h"
 #include "namespace.h"
 #include "std_expr.h"
diff --git a/src/util/simplify_expr_floatbv.cpp b/src/util/simplify_expr_floatbv.cpp
index f8da4276bb..cff452cfcb 100644
--- a/src/util/simplify_expr_floatbv.cpp
+++ b/src/util/simplify_expr_floatbv.cpp
@@ -6,10 +6,10 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "simplify_expr_class.h"
 
 #include 
 
-#include "simplify_expr_class.h"
 #include "expr.h"
 #include "namespace.h"
 #include "ieee_float.h"
diff --git a/src/util/simplify_expr_int.cpp b/src/util/simplify_expr_int.cpp
index b41de055d6..d103ea79bb 100644
--- a/src/util/simplify_expr_int.cpp
+++ b/src/util/simplify_expr_int.cpp
@@ -6,12 +6,12 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "simplify_expr_class.h"
 
 #include 
 
 #include "base_type.h"
 #include "rational.h"
-#include "simplify_expr_class.h"
 #include "expr.h"
 #include "namespace.h"
 #include "config.h"
diff --git a/src/util/simplify_expr_pointer.cpp b/src/util/simplify_expr_pointer.cpp
index d4b9736c43..1044d43dac 100644
--- a/src/util/simplify_expr_pointer.cpp
+++ b/src/util/simplify_expr_pointer.cpp
@@ -6,11 +6,11 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "simplify_expr_class.h"
 
 #include 
 
 #include "c_types.h"
-#include "simplify_expr_class.h"
 #include "expr.h"
 #include "namespace.h"
 #include "std_expr.h"
diff --git a/src/util/simplify_expr_struct.cpp b/src/util/simplify_expr_struct.cpp
index 148b45fc67..a6ac35ca00 100644
--- a/src/util/simplify_expr_struct.cpp
+++ b/src/util/simplify_expr_struct.cpp
@@ -6,10 +6,10 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "simplify_expr_class.h"
 
 #include 
 
-#include "simplify_expr_class.h"
 #include "expr.h"
 #include "namespace.h"
 #include "std_expr.h"
diff --git a/src/util/simplify_utils.cpp b/src/util/simplify_utils.cpp
index 482d6ba4fe..53b2f38f7e 100644
--- a/src/util/simplify_utils.cpp
+++ b/src/util/simplify_utils.cpp
@@ -6,11 +6,10 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "simplify_utils.h"
 
 #include 
 
-#include "simplify_utils.h"
-
 /// sort operands of an expression according to ordering defined by operator<
 /// \par parameters: operand list
 /// \return modifies operand list returns true iff nothing was changed
diff --git a/src/util/source_location.cpp b/src/util/source_location.cpp
index 6ec49d530f..7fc392620b 100644
--- a/src/util/source_location.cpp
+++ b/src/util/source_location.cpp
@@ -6,10 +6,10 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "source_location.h"
 
 #include 
 
-#include "source_location.h"
 #include "file_util.h"
 
 /// \par parameters: print_cwd, print the absolute path to the file
diff --git a/src/util/ssa_expr.cpp b/src/util/ssa_expr.cpp
index feb37fe84c..f5f1dec9f1 100644
--- a/src/util/ssa_expr.cpp
+++ b/src/util/ssa_expr.cpp
@@ -6,14 +6,13 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "ssa_expr.h"
 
 #include 
 #include 
 
 #include 
 
-#include "ssa_expr.h"
-
 static void build_ssa_identifier_rec(
   const exprt &expr,
   const irep_idt &l0,
diff --git a/src/util/std_code.cpp b/src/util/std_code.cpp
index 021f244ac4..b57f1d1b44 100644
--- a/src/util/std_code.cpp
+++ b/src/util/std_code.cpp
@@ -8,6 +8,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 
 #include "std_code.h"
+
 #include "std_expr.h"
 
 const irep_idt &code_declt::get_identifier() const
diff --git a/src/util/std_expr.cpp b/src/util/std_expr.cpp
index 14b4072cd2..6fc3de230d 100644
--- a/src/util/std_expr.cpp
+++ b/src/util/std_expr.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "std_expr.h"
 
 #include 
 
@@ -17,7 +18,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include "pointer_offset_size.h"
 
 #include "std_types.h"
-#include "std_expr.h"
 
 bool constant_exprt::value_is_zero_string() const
 {
diff --git a/src/util/std_types.cpp b/src/util/std_types.cpp
index b06af1ecf7..b2d0c4f36d 100644
--- a/src/util/std_types.cpp
+++ b/src/util/std_types.cpp
@@ -6,10 +6,10 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "std_types.h"
 
 #include "string2int.h"
 #include "arith_tools.h"
-#include "std_types.h"
 #include "std_expr.h"
 
 std::size_t fixedbv_typet::get_integer_bits() const
diff --git a/src/util/string2int.cpp b/src/util/string2int.cpp
index 4febe054b5..bb8bdf484d 100644
--- a/src/util/string2int.cpp
+++ b/src/util/string2int.cpp
@@ -6,14 +6,13 @@ Author: Michael Tautschnig, michael.tautschnig@cs.ox.ac.uk
 
 \*******************************************************************/
 
+#include "string2int.h"
 
 #include 
 #include 
 #include 
 #include 
 
-#include "string2int.h"
-
 template 
 inline T str2number(const char *str, int base, bool safe)
 {
diff --git a/src/util/string_container.cpp b/src/util/string_container.cpp
index 189d721b8e..8793666506 100644
--- a/src/util/string_container.cpp
+++ b/src/util/string_container.cpp
@@ -9,10 +9,10 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Container for C-Strings
 
-#include 
-
 #include "string_container.h"
 
+#include 
+
 string_containert string_container;
 
 string_ptrt::string_ptrt(const char *_s):s(_s), len(strlen(_s))
diff --git a/src/util/string_utils.cpp b/src/util/string_utils.cpp
index 1bf5af4f68..101b6cd520 100644
--- a/src/util/string_utils.cpp
+++ b/src/util/string_utils.cpp
@@ -6,13 +6,12 @@ Author: Daniel Poetzl
 
 \*******************************************************************/
 
+#include "string_utils.h"
 
 #include 
 #include 
 #include 
 
-#include "string_utils.h"
-
 std::string strip_string(const std::string &s)
 {
   auto pred=[](char c){ return std::isspace(c); };
diff --git a/src/util/substitute.cpp b/src/util/substitute.cpp
index fc0eb2bea1..39010d7967 100644
--- a/src/util/substitute.cpp
+++ b/src/util/substitute.cpp
@@ -6,11 +6,10 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "substitute.h"
 
 #include 
 
-#include "substitute.h"
-
 void substitute(
   std::string &dest,
   const std::string &what,
diff --git a/src/util/symbol.cpp b/src/util/symbol.cpp
index 1a7bc84994..652fe422c5 100644
--- a/src/util/symbol.cpp
+++ b/src/util/symbol.cpp
@@ -6,10 +6,10 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "symbol.h"
 
 #include 
 
-#include "symbol.h"
 #include "source_location.h"
 #include "std_expr.h"
 
diff --git a/src/util/symbol_table.cpp b/src/util/symbol_table.cpp
index 2dd167600c..3ee5211e99 100644
--- a/src/util/symbol_table.cpp
+++ b/src/util/symbol_table.cpp
@@ -6,11 +6,10 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "symbol_table.h"
 
 #include 
 
-#include "symbol_table.h"
-
 /// Add a new symbol to the symbol table
 /// \param symbol: The symbol to be added to the symbol table
 /// \return Returns a boolean indicating whether the process failed, which
diff --git a/src/util/tempdir.cpp b/src/util/tempdir.cpp
index 317112b0c0..9133c6232d 100644
--- a/src/util/tempdir.cpp
+++ b/src/util/tempdir.cpp
@@ -6,6 +6,7 @@ Author: CM Wintersteiger
 
 \*******************************************************************/
 
+#include "tempdir.h"
 
 #ifdef _WIN32
 #include 
@@ -26,7 +27,6 @@ Author: CM Wintersteiger
 #include 
 #endif
 
-#include "tempdir.h"
 #include "file_util.h"
 
 std::string get_temporary_directory(const std::string &name_template)
diff --git a/src/util/tempfile.cpp b/src/util/tempfile.cpp
index edf643059f..bbb6c526db 100644
--- a/src/util/tempfile.cpp
+++ b/src/util/tempfile.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening
 
 \*******************************************************************/
 
+#include "tempfile.h"
 
 #ifdef _WIN32
 #include 
@@ -33,8 +34,6 @@ Author: Daniel Kroening
 #include 
 #endif
 
-#include "tempfile.h"
-
 /// Substitute for mkstemps (OpenBSD standard) for Windows, where it is
 /// unavailable.
 #ifdef _WIN32
diff --git a/src/util/threeval.cpp b/src/util/threeval.cpp
index b959d5c9ac..0431132504 100644
--- a/src/util/threeval.cpp
+++ b/src/util/threeval.cpp
@@ -6,11 +6,10 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "threeval.h"
 
 #include 
 
-#include "threeval.h"
-
 const char *tvt::to_string() const
 {
   switch(value)
diff --git a/src/util/time_stopping.cpp b/src/util/time_stopping.cpp
index f41b3401fd..b81848c323 100644
--- a/src/util/time_stopping.cpp
+++ b/src/util/time_stopping.cpp
@@ -11,6 +11,8 @@ Date: February 2004
 /// \file
 /// Time Stopping
 
+#include "time_stopping.h"
+
 #include 
 
 #if defined(_WIN32) && !defined(__MINGW32__)
@@ -20,8 +22,6 @@ Date: February 2004
 #include 
 #endif
 
-#include "time_stopping.h"
-
 #if defined(_WIN32) && !defined(__MINGW32__)
 // NOLINTNEXTLINE(readability/identifiers)
 struct timezone
diff --git a/src/util/timer.cpp b/src/util/timer.cpp
index 63b561174c..095947a65d 100644
--- a/src/util/timer.cpp
+++ b/src/util/timer.cpp
@@ -11,11 +11,11 @@ Date:
 /// \file
 /// Time Stopping
 
+#include "timer.h"
+
 #include 
 #include 
 
-#include "timer.h"
-
 timert::~timert()
 {
 }
diff --git a/src/util/type_eq.cpp b/src/util/type_eq.cpp
index 0166c34778..0f78c20880 100644
--- a/src/util/type_eq.cpp
+++ b/src/util/type_eq.cpp
@@ -9,9 +9,10 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// Type Checking
 
+#include "type_eq.h"
+
 #include 
 
-#include "type_eq.h"
 #include "type.h"
 #include "symbol.h"
 #include "namespace.h"
diff --git a/src/util/ui_message.cpp b/src/util/ui_message.cpp
index e750c60e3b..b680184e5a 100644
--- a/src/util/ui_message.cpp
+++ b/src/util/ui_message.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "ui_message.h"
 
 #include 
 #include 
@@ -14,7 +15,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include "json.h"
 #include "xml_expr.h"
 #include "cout_message.h"
-#include "ui_message.h"
 #include "cmdline.h"
 
 ui_message_handlert::ui_message_handlert(
diff --git a/src/util/unicode.cpp b/src/util/unicode.cpp
index bf8ce51531..60c6e06ff9 100644
--- a/src/util/unicode.cpp
+++ b/src/util/unicode.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "unicode.h"
 
 #include 
 #include 
@@ -13,8 +14,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
-#include "unicode.h"
-
 #ifdef _WIN32
 #include 
 #endif
diff --git a/src/util/union_find.cpp b/src/util/union_find.cpp
index 6e32019186..e7b3230f30 100644
--- a/src/util/union_find.cpp
+++ b/src/util/union_find.cpp
@@ -6,11 +6,10 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "union_find.h"
 
 #include 
 
-#include "union_find.h"
-
 void unsigned_union_find::make_union(size_type j, size_type k)
 {
   check_index(j);
diff --git a/src/util/xml.cpp b/src/util/xml.cpp
index 64f731545e..991617cca7 100644
--- a/src/util/xml.cpp
+++ b/src/util/xml.cpp
@@ -6,11 +6,11 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include "xml.h"
 
 #include 
 
 #include "string2int.h"
-#include "xml.h"
 
 void xmlt::clear()
 {
diff --git a/src/util/xml_expr.cpp b/src/util/xml_expr.cpp
index c027025af8..c3551617b6 100644
--- a/src/util/xml_expr.cpp
+++ b/src/util/xml_expr.cpp
@@ -11,6 +11,8 @@ Author: Daniel Kroening
 /// \file
 /// Expressions in XML
 
+#include "xml_expr.h"
+
 #include "namespace.h"
 #include "expr.h"
 #include "xml.h"
@@ -20,8 +22,6 @@ Author: Daniel Kroening
 #include "std_expr.h"
 #include "config.h"
 
-#include "xml_expr.h"
-
 xmlt xml(const source_locationt &location)
 {
   xmlt result;
diff --git a/src/util/xml_irep.cpp b/src/util/xml_irep.cpp
index 7fa3d955f2..33d09f42c9 100644
--- a/src/util/xml_irep.cpp
+++ b/src/util/xml_irep.cpp
@@ -8,11 +8,11 @@ Author: Daniel Kroening
 
 \*******************************************************************/
 
+#include "xml_irep.h"
 
 #include 
 #include 
 
-#include "xml_irep.h"
 #include "irep.h"
 #include "xml.h"
 

From 835216347f173a7cea04bb805475d6fc6e762ed5 Mon Sep 17 00:00:00 2001
From: reuk 
Date: Mon, 17 Jul 2017 16:34:19 +0100
Subject: [PATCH 66/89] Update coding standard with include-ordering rule

---
 CODING_STANDARD.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CODING_STANDARD.md b/CODING_STANDARD.md
index 7710858d3d..4d57b09da3 100644
--- a/CODING_STANDARD.md
+++ b/CODING_STANDARD.md
@@ -103,6 +103,10 @@ Here a few minimalistic coding rules for the CPROVER source tree.
 - Prefer forward declaration to includes, but forward declare at the top of the
   header file rather than in line
 - Guard headers with `#ifndef CPROVER_DIRECTORIES_FILE_H`, etc
+- The corresponding header for a given source file should always be the *first*
+  include in the source file. For example, given `foo.h` and `foo.cpp`, the
+  line `#include "foo.h"` should precede all other include statements in
+  `foo.cpp`.
 
 # Makefiles
 - Each source file should appear on a separate line

From 40d1560702c394ba526f16c945255a7099908792 Mon Sep 17 00:00:00 2001
From: Michael Tautschnig 
Date: Mon, 17 Jul 2017 09:48:25 +0100
Subject: [PATCH 67/89] Always initialize pretty_name when reading a
 declaration

---
 src/ansi-c/ansi_c_declaration.cpp | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/ansi-c/ansi_c_declaration.cpp b/src/ansi-c/ansi_c_declaration.cpp
index a764ab1a63..00beb3a92c 100644
--- a/src/ansi-c/ansi_c_declaration.cpp
+++ b/src/ansi-c/ansi_c_declaration.cpp
@@ -128,6 +128,7 @@ void ansi_c_declarationt::to_symbol(
   symbol.value=declarator.value();
   symbol.type=full_type(declarator);
   symbol.name=declarator.get_name();
+  symbol.pretty_name=symbol.name;
   symbol.base_name=declarator.get_base_name();
   symbol.is_type=get_is_typedef();
   symbol.location=declarator.source_location();

From 544682c934f13b0d7fafadae1f96b47756723e5f Mon Sep 17 00:00:00 2001
From: Michael Tautschnig 
Date: Mon, 17 Jul 2017 09:49:03 +0100
Subject: [PATCH 68/89] Do not accept arrays of variable size with static
 lifetime

Neither Clang nor GCC accept these. In addition to rejecting such declarations,
also fix the off-by-one error reported in #525: type declarations are type
checked before their symbols are processed, thus the symbol name needs to be set
up early. A lookup via the symbol table, however, is not yet possible. Thus
maintain the full symbol.

Fixes: #525
---
 regression/ansi-c/Array_Declarator8/main.c    | 20 +++++++++++++++++++
 regression/ansi-c/Array_Declarator8/test.desc |  9 +++++++++
 src/ansi-c/c_typecheck_base.cpp               |  3 +--
 src/ansi-c/c_typecheck_base.h                 |  2 +-
 src/ansi-c/c_typecheck_type.cpp               | 19 ++++++++++++------
 5 files changed, 44 insertions(+), 9 deletions(-)
 create mode 100644 regression/ansi-c/Array_Declarator8/main.c
 create mode 100644 regression/ansi-c/Array_Declarator8/test.desc

diff --git a/regression/ansi-c/Array_Declarator8/main.c b/regression/ansi-c/Array_Declarator8/main.c
new file mode 100644
index 0000000000..4320252ca8
--- /dev/null
+++ b/regression/ansi-c/Array_Declarator8/main.c
@@ -0,0 +1,20 @@
+typedef unsigned char u1;
+typedef unsigned short u2;
+typedef unsigned long long u4;
+
+// Not resolved (as expected)
+u4 B[( (u1)( ( (u1)15 ) / ( ( (((sizeof(u4))/(sizeof(u1)))*((u1)15)) > ((u1)64)) ? (0) : (1) ) ) )];
+
+// Correctly resolved
+u2 C[( (u1)( ( (u1)11 ) / ( ( (((sizeof(u2))/(sizeof(u1)))*((u1)11)) > ((u1)64)) ? (0) : (1) ) ) )];
+
+int main()
+{
+  // Correctly resolved
+  u2 A[( (u1)( ( (u1)1 ) / ( ( (((sizeof(u2))/(sizeof(u1)))*((u1)1)) > ((u1)64)) ? (0) : (1) ) ) )];
+
+  // Correctly resolved
+  static u4 D[( (u1)( ( (u1)4 ) / ( ( (((sizeof(u4))/(sizeof(u1)))*((u1)4)) > ((u1)64)) ? (0) : (1) ) ) )];
+
+  return 0;
+}
diff --git a/regression/ansi-c/Array_Declarator8/test.desc b/regression/ansi-c/Array_Declarator8/test.desc
new file mode 100644
index 0000000000..d42f8db33a
--- /dev/null
+++ b/regression/ansi-c/Array_Declarator8/test.desc
@@ -0,0 +1,9 @@
+CORE
+main.c
+
+^EXIT=(64|1)$
+^SIGNAL=0$
+^CONVERSION ERROR$
+array size of static symbol `B' is not constant$
+--
+^warning: ignoring
diff --git a/src/ansi-c/c_typecheck_base.cpp b/src/ansi-c/c_typecheck_base.cpp
index 391039691c..0d18016602 100644
--- a/src/ansi-c/c_typecheck_base.cpp
+++ b/src/ansi-c/c_typecheck_base.cpp
@@ -45,8 +45,6 @@ void c_typecheck_baset::move_symbol(symbolt &symbol, symbolt *&new_symbol)
 
 void c_typecheck_baset::typecheck_symbol(symbolt &symbol)
 {
-  current_symbol_id=symbol.name;
-
   bool is_function=symbol.type.id()==ID_code;
 
   const typet &final_type=follow(symbol.type);
@@ -703,6 +701,7 @@ void c_typecheck_baset::typecheck_declaration(
 
       symbolt symbol;
       declaration.to_symbol(*d_it, symbol);
+      current_symbol=symbol;
 
       // now check other half of type
       typecheck_type(symbol.type);
diff --git a/src/ansi-c/c_typecheck_base.h b/src/ansi-c/c_typecheck_base.h
index 684b0b64ed..521ae29aa4 100644
--- a/src/ansi-c/c_typecheck_base.h
+++ b/src/ansi-c/c_typecheck_base.h
@@ -61,7 +61,7 @@ protected:
   symbol_tablet &symbol_table;
   const irep_idt module;
   const irep_idt mode;
-  irep_idt current_symbol_id;
+  symbolt current_symbol;
 
   typedef std::unordered_map id_type_mapt;
   id_type_mapt parameter_map;
diff --git a/src/ansi-c/c_typecheck_type.cpp b/src/ansi-c/c_typecheck_type.cpp
index 6abcf8f81a..62e651f913 100644
--- a/src/ansi-c/c_typecheck_type.cpp
+++ b/src/ansi-c/c_typecheck_type.cpp
@@ -15,6 +15,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -551,9 +552,15 @@ void c_typecheck_baset::typecheck_array_type(array_typet &type)
     {
       // not a constant and not infinity
 
-      assert(!current_symbol_id.empty());
+      PRECONDITION(!current_symbol.name.empty());
 
-      const symbolt &base_symbol=lookup(current_symbol_id);
+      if(current_symbol.is_static_lifetime)
+      {
+        error().source_location=current_symbol.location;
+        error() << "array size of static symbol `"
+                << current_symbol.base_name << "' is not constant" << eom;
+        throw 0;
+      }
 
       // Need to pull out! We insert new symbol.
       source_locationt source_location=size.find_source_location();
@@ -564,7 +571,7 @@ void c_typecheck_baset::typecheck_array_type(array_typet &type)
       do
       {
         suffix="$array_size"+std::to_string(count);
-        temp_identifier=id2string(base_symbol.name)+suffix;
+        temp_identifier=id2string(current_symbol.name)+suffix;
         count++;
       }
       while(symbol_table.symbols.find(temp_identifier)!=
@@ -573,13 +580,13 @@ void c_typecheck_baset::typecheck_array_type(array_typet &type)
       // add the symbol to symbol table
       auxiliary_symbolt new_symbol;
       new_symbol.name=temp_identifier;
-      new_symbol.pretty_name=id2string(base_symbol.pretty_name)+suffix;
-      new_symbol.base_name=id2string(base_symbol.base_name)+suffix;
+      new_symbol.pretty_name=id2string(current_symbol.pretty_name)+suffix;
+      new_symbol.base_name=id2string(current_symbol.base_name)+suffix;
       new_symbol.type=size.type();
       new_symbol.type.set(ID_C_constant, true);
       new_symbol.is_type=false;
       new_symbol.is_static_lifetime=false;
-      new_symbol.value.make_nil();
+      new_symbol.value=size;
       new_symbol.location=source_location;
 
       symbol_table.add(new_symbol);

From 2779399a9dce3bc1c205e4c864a252f0dc0e7f2b Mon Sep 17 00:00:00 2001
From: thk123 
Date: Mon, 10 Jul 2017 14:36:59 +0100
Subject: [PATCH 69/89] Correct unit Makefile to use OBJ rather than LIBS

Previously the order of the libraries in LIB would effect whether the
unit tests compiled.

Use OBJ rather than LIBS to ensure the --start-group/--end-group flags are
used in linking.

Previously, if a file in CProver changed, though the libraries would be
rebuilt, the unit tests wouldn't be relinked against the new library,
meaning you would get out of date binaries.

This change ensures that the link process is rerun if any of the
libraries are rebuilt.

Adding dependency to cprover libs for other unit executables
---
 unit/Makefile | 34 ++++++++++++++++++----------------
 1 file changed, 18 insertions(+), 16 deletions(-)

diff --git a/unit/Makefile b/unit/Makefile
index 0afe791678..37955b07d0 100644
--- a/unit/Makefile
+++ b/unit/Makefile
@@ -15,19 +15,21 @@ include ../src/common
 cprover.dir:
 	$(MAKE) $(MAKEARGS) -C ../src
 
-LIBS += ../src/ansi-c/ansi-c$(LIBEXT) \
-        ../src/cpp/cpp$(LIBEXT) \
-        ../src/json/json$(LIBEXT) \
-        ../src/linking/linking$(LIBEXT) \
-        ../src/util/util$(LIBEXT) \
-        ../src/big-int/big-int$(LIBEXT) \
-        ../src/goto-programs/goto-programs$(LIBEXT) \
-        ../src/pointer-analysis/pointer-analysis$(LIBEXT) \
-        ../src/langapi/langapi$(LIBEXT) \
-        ../src/assembler/assembler$(LIBEXT) \
-        ../src/analyses/analyses$(LIBEXT) \
-        ../src/solvers/solvers$(LIBEXT) \
-        # Empty last line
+CPROVER_LIBS =../src/ansi-c/ansi-c$(LIBEXT) \
+              ../src/cpp/cpp$(LIBEXT) \
+              ../src/json/json$(LIBEXT) \
+              ../src/linking/linking$(LIBEXT) \
+              ../src/util/util$(LIBEXT) \
+              ../src/big-int/big-int$(LIBEXT) \
+              ../src/goto-programs/goto-programs$(LIBEXT) \
+              ../src/pointer-analysis/pointer-analysis$(LIBEXT) \
+              ../src/langapi/langapi$(LIBEXT) \
+              ../src/assembler/assembler$(LIBEXT) \
+              ../src/analyses/analyses$(LIBEXT) \
+              ../src/solvers/solvers$(LIBEXT) \
+              # Empty last line
+
+OBJ += $(CPROVER_LIBS)
 
 TESTS = unit_tests$(EXEEXT) \
         miniBDD$(EXEEXT) \
@@ -49,11 +51,11 @@ test: all
 unit_tests$(EXEEXT): $(OBJ)
 	$(LINKBIN)
 
-miniBDD$(EXEEXT): miniBDD$(OBJEXT)
+miniBDD$(EXEEXT): miniBDD$(OBJEXT) $(CPROVER_LIBS)
 	$(LINKBIN)
 
-string_utils$(EXEEXT): string_utils$(OBJEXT)
+string_utils$(EXEEXT): string_utils$(OBJEXT) $(CPROVER_LIBS)
 	$(LINKBIN)
 
-sharing_node$(EXEEXT): sharing_node$(OBJEXT)
+sharing_node$(EXEEXT): sharing_node$(OBJEXT) $(CPROVER_LIBS)
 	$(LINKBIN)

From b5c55b3e5e9da250b2f067aa90ead365645b5b9b Mon Sep 17 00:00:00 2001
From: thk123 
Date: Mon, 10 Jul 2017 13:52:32 +0100
Subject: [PATCH 70/89] Added utility functions for checking expressions

Use namespace rather than class with static functions as more semantically
correct.
---
 unit/Makefile                  | 15 ++++---
 unit/src/expr/require_expr.cpp | 76 ++++++++++++++++++++++++++++++++++
 unit/src/expr/require_expr.h   | 33 +++++++++++++++
 3 files changed, 119 insertions(+), 5 deletions(-)
 create mode 100644 unit/src/expr/require_expr.cpp
 create mode 100644 unit/src/expr/require_expr.h

diff --git a/unit/Makefile b/unit/Makefile
index 37955b07d0..6e4e5dfa9d 100644
--- a/unit/Makefile
+++ b/unit/Makefile
@@ -1,12 +1,17 @@
 .PHONY: all cprover.dir test
 
-SRC = unit_tests.cpp \
-      analyses/does_remove_const/does_expr_lose_const.cpp \
-      analyses/does_remove_const/does_type_preserve_const_correctness.cpp \
-      analyses/does_remove_const/is_type_at_least_as_const_as.cpp \
-      catch_example.cpp \
+# Source files for test utilities
+SRC = src/expr/require_expr.cpp \
       # Empty last line
 
+# Test source files
+SRC += unit_tests.cpp \
+       analyses/does_remove_const/does_expr_lose_const.cpp \
+       analyses/does_remove_const/does_type_preserve_const_correctness.cpp \
+       analyses/does_remove_const/is_type_at_least_as_const_as.cpp \
+       catch_example.cpp \
+       # Empty last line
+
 INCLUDES= -I ../src/ -I.
 
 include ../src/config.inc
diff --git a/unit/src/expr/require_expr.cpp b/unit/src/expr/require_expr.cpp
new file mode 100644
index 0000000000..e81b5a2d70
--- /dev/null
+++ b/unit/src/expr/require_expr.cpp
@@ -0,0 +1,76 @@
+/*******************************************************************\
+
+ Module: Unit test utilities
+
+ Author: DiffBlue Limited. All rights reserved.
+
+\*******************************************************************/
+
+/// \file
+/// Helper functions for requiring specific expressions
+/// If the expression is of the wrong type, throw a CATCH exception
+/// Also checks associated properties and returns a casted version of the
+/// expression.
+
+#include "require_expr.h"
+
+#include 
+#include 
+
+/// Verify a given exprt is an index_exprt with a a constant value equal to the
+/// expected value
+/// \param expr: The expression.
+/// \param expected_index: The constant value that should be the index.
+/// \return The expr cast to an index_exprt
+index_exprt require_expr::require_index(const exprt &expr, int expected_index)
+{
+  REQUIRE(expr.id()==ID_index);
+  const index_exprt &index_expr=to_index_expr(expr);
+  REQUIRE(index_expr.index().id()==ID_constant);
+  const constant_exprt &index_value=to_constant_expr(index_expr.index());
+  mp_integer index_integer_value;
+  to_integer(index_value, index_integer_value);
+  REQUIRE(index_integer_value==expected_index);
+
+  return index_expr;
+}
+
+/// Verify a given exprt is an index_exprt with a nil value as its index
+/// \param expr: The expression.
+/// \return The expr cast to an index_exprt
+index_exprt require_expr::require_top_index(const exprt &expr)
+{
+  REQUIRE(expr.id()==ID_index);
+  const index_exprt &index_expr=to_index_expr(expr);
+  REQUIRE(index_expr.index().id()==ID_nil);
+  return index_expr;
+}
+
+/// Verify a given exprt is an member_exprt with a component name equal to the
+/// component_identifier
+/// \param expr: The expression.
+/// \param component_identifier: The name of the component that should be being
+///   accessed.
+/// \return The expr cast to a member_exprt.
+member_exprt require_expr::require_member(
+  const exprt &expr, const irep_idt &component_identifier)
+{
+  REQUIRE(expr.id()==ID_member);
+  const member_exprt &member_expr=to_member_expr(expr);
+  REQUIRE(member_expr.get_component_name()==component_identifier);
+  return member_expr;
+}
+
+/// Verify a given exprt is an symbol_exprt with a identifier name equal to the
+/// symbol_name.
+/// \param expr: The expression.
+/// \param symbol_name: The intended identifier of the symbol
+/// \return The expr cast to a symbol_exprt
+symbol_exprt require_expr::require_symbol(
+  const exprt &expr, const irep_idt &symbol_name)
+{
+  REQUIRE(expr.id()==ID_symbol);
+  const symbol_exprt &symbol_expr=to_symbol_expr(expr);
+  REQUIRE(symbol_expr.get_identifier()==symbol_name);
+  return symbol_expr;
+}
diff --git a/unit/src/expr/require_expr.h b/unit/src/expr/require_expr.h
new file mode 100644
index 0000000000..83bdad2132
--- /dev/null
+++ b/unit/src/expr/require_expr.h
@@ -0,0 +1,33 @@
+/*******************************************************************\
+
+ Module: Unit test utilities
+
+ Author: DiffBlue Limited. All rights reserved.
+
+\*******************************************************************/
+
+/// \file
+/// Helper functions for requiring specific expressions
+/// If the expression is of the wrong type, throw a CATCH exception
+/// Also checks associated properties and returns a casted version of the
+/// expression.
+
+#ifndef CPROVER_SRC_EXPR_REQUIRE_EXPR_H
+#define CPROVER_SRC_EXPR_REQUIRE_EXPR_H
+
+#include 
+
+// NOLINTNEXTLINE(readability/namespace)
+namespace require_expr
+{
+  index_exprt require_index(const exprt &expr, int expected_index);
+  index_exprt require_top_index(const exprt &expr);
+
+  member_exprt require_member(
+    const exprt &expr, const irep_idt &component_identifier);
+
+  symbol_exprt require_symbol(
+    const exprt &expr, const irep_idt &symbol_name);
+}
+
+#endif // CPROVER_SRC_EXPR_REQUIRE_EXPR_H

From 00477334210a76ae76f54ca6befc4e8748831bd1 Mon Sep 17 00:00:00 2001
From: thk123 
Date: Mon, 10 Jul 2017 13:54:26 +0100
Subject: [PATCH 71/89] Adding pretty printer to main file

---
 unit/unit_tests.cpp | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/unit/unit_tests.cpp b/unit/unit_tests.cpp
index a4ae333109..8d007b8369 100644
--- a/unit/unit_tests.cpp
+++ b/unit/unit_tests.cpp
@@ -8,3 +8,11 @@
 
 #define CATCH_CONFIG_MAIN
 #include "catch.hpp"
+#include 
+
+// Debug printer for irept
+std::ostream &operator<<(std::ostream &os, const irept &value)
+{
+  os << value.pretty();
+  return os;
+}

From 318502880f3876d153c56d049153f45154c9764d Mon Sep 17 00:00:00 2001
From: thk123 
Date: Mon, 10 Jul 2017 14:11:44 +0100
Subject: [PATCH 72/89] Added utility class to convert strings into expressions

In turns the error return state into a CATCH exception so the test will
fail without cluttering tests with checks on the flag when it is just setup
code for the actual test.
---
 unit/Makefile                 |  1 +
 unit/src/ansi-c/c_to_expr.cpp | 35 +++++++++++++++++++++++++++++++++++
 unit/src/ansi-c/c_to_expr.h   | 35 +++++++++++++++++++++++++++++++++++
 3 files changed, 71 insertions(+)
 create mode 100644 unit/src/ansi-c/c_to_expr.cpp
 create mode 100644 unit/src/ansi-c/c_to_expr.h

diff --git a/unit/Makefile b/unit/Makefile
index 6e4e5dfa9d..f329e48977 100644
--- a/unit/Makefile
+++ b/unit/Makefile
@@ -2,6 +2,7 @@
 
 # Source files for test utilities
 SRC = src/expr/require_expr.cpp \
+      src/ansi-c/c_to_expr.cpp \
       # Empty last line
 
 # Test source files
diff --git a/unit/src/ansi-c/c_to_expr.cpp b/unit/src/ansi-c/c_to_expr.cpp
new file mode 100644
index 0000000000..bb71d5fabb
--- /dev/null
+++ b/unit/src/ansi-c/c_to_expr.cpp
@@ -0,0 +1,35 @@
+/*******************************************************************\
+
+ Module: Unit test utilities
+
+ Author: DiffBlue Limited. All rights reserved.
+
+\*******************************************************************/
+
+/// \file
+/// Utility for converting strings in to exprt, throwing a CATCH exception
+/// if this fails in any way.
+///
+#include "c_to_expr.h"
+
+#include 
+
+c_to_exprt::c_to_exprt():
+  message_handler(
+    std::unique_ptr(new ui_message_handlert()))
+{
+  language.set_message_handler(*message_handler);
+}
+
+/// Take an input string that should be a valid C rhs expression
+/// \param input_string: The string to convert
+/// \param ns: The global namespace
+/// \return: A constructed expr representing the string
+exprt c_to_exprt::operator()(
+  const std::string &input_string, const namespacet &ns)
+{
+  exprt expr;
+  bool result=language.to_expr(input_string, "",  expr, ns);
+  REQUIRE(!result);
+  return expr;
+}
diff --git a/unit/src/ansi-c/c_to_expr.h b/unit/src/ansi-c/c_to_expr.h
new file mode 100644
index 0000000000..dcaf0b0d1b
--- /dev/null
+++ b/unit/src/ansi-c/c_to_expr.h
@@ -0,0 +1,35 @@
+/*******************************************************************\
+
+ Module: Unit test utilities
+
+ Author: DiffBlue Limited. All rights reserved.
+
+\*******************************************************************/
+
+/// \file
+/// Utility for converting strings in to exprt, throwing a CATCH exception
+/// if this fails in any way.
+
+#ifndef CPROVER_SRC_ANSI_C_C_TO_EXPR_H
+#define CPROVER_SRC_ANSI_C_C_TO_EXPR_H
+
+#include 
+
+#include 
+#include 
+#include 
+#include 
+#include 
+
+class c_to_exprt
+{
+public:
+  c_to_exprt();
+  exprt operator()(const std::string &input_string, const namespacet &ns);
+
+private:
+  std::unique_ptr message_handler;
+  ansi_c_languaget language;
+};
+
+#endif // CPROVER_SRC_ANSI_C_C_TO_EXPR_H

From e3f8d4aa2bbad999c3d64d9fb98c47922aa8e374 Mon Sep 17 00:00:00 2001
From: thk123 
Date: Mon, 10 Jul 2017 16:54:44 +0100
Subject: [PATCH 73/89] Added constructor to auxilary symbol instead of a
 helper function

The auxilary function had the same flags requried for the test, so added
a utility constructor that allows specifying of name and type.
---
 src/util/symbol.h | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/util/symbol.h b/src/util/symbol.h
index 5c9240c1dd..7edae3146c 100644
--- a/src/util/symbol.h
+++ b/src/util/symbol.h
@@ -145,6 +145,14 @@ public:
     is_file_local=true;
     is_auxiliary=true;
   }
+
+  auxiliary_symbolt(const irep_idt &name, const typet &type):
+    auxiliary_symbolt()
+  {
+    this->name=name;
+    this->base_name=name;
+    this->type=type;
+  }
 };
 
 /*! \brief Symbol table entry of function parameter

From 64ab7230b5d7b949ba39b9dd0d2e7ba1055af9e1 Mon Sep 17 00:00:00 2001
From: thk123 
Date: Tue, 27 Jun 2017 18:23:09 +0100
Subject: [PATCH 74/89] Corrected simplify lhs in ai_domain_baset

The boolean flag was the wrong way round for ai_simplify_lhs - this
corrects this.
---
 src/analyses/ai.cpp | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/src/analyses/ai.cpp b/src/analyses/ai.cpp
index f7b9506213..10653ada42 100644
--- a/src/analyses/ai.cpp
+++ b/src/analyses/ai.cpp
@@ -57,29 +57,33 @@ bool ai_domain_baset::ai_simplify_lhs(
   if(condition.id()==ID_index)
   {
     index_exprt ie=to_index_expr(condition);
-    bool changed=ai_simplify(ie.index(), ns);
-    if(changed)
+    bool no_simplification=ai_simplify(ie.index(), ns);
+    if(!no_simplification)
       condition=simplify_expr(ie, ns);
 
-    return !changed;
+    return no_simplification;
   }
   else if(condition.id()==ID_dereference)
   {
     dereference_exprt de=to_dereference_expr(condition);
-    bool changed=ai_simplify(de.pointer(), ns);
-    if(changed)
+    bool no_simplification=ai_simplify(de.pointer(), ns);
+    if(!no_simplification)
       condition=simplify_expr(de, ns);  // So *(&x) -> x
 
-    return !changed;
+    return no_simplification;
   }
   else if(condition.id()==ID_member)
   {
     member_exprt me=to_member_expr(condition);
-    bool changed=ai_simplify_lhs(me.compound(), ns); // <-- lhs!
-    if(changed)
+    // Since simplify_ai_lhs is required to return an addressable object
+    // (so remains a valid left hand side), to simplify
+    // `(something_simplifiable).b` we require that `something_simplifiable`
+    // must also be addressable
+    bool no_simplification=ai_simplify_lhs(me.compound(), ns);
+    if(!no_simplification)
       condition=simplify_expr(me, ns);
 
-    return !changed;
+    return no_simplification;
   }
   else
     return true;

From d4d976a410f3c3d220a45c38a737e834ba9c4435 Mon Sep 17 00:00:00 2001
From: thk123 
Date: Mon, 10 Jul 2017 18:01:21 +0100
Subject: [PATCH 75/89] Added unit tests to validate the return meaning of
 ai_simplify_lhs

These tests use a mock implementation of the `ai_domain_baset` interface
just to validate that true means no simplification.
---
 unit/Makefile                        |   1 +
 unit/analyses/ai/ai_simplify_lhs.cpp | 168 +++++++++++++++++++++++++++
 2 files changed, 169 insertions(+)
 create mode 100644 unit/analyses/ai/ai_simplify_lhs.cpp

diff --git a/unit/Makefile b/unit/Makefile
index f329e48977..3e5bb48afb 100644
--- a/unit/Makefile
+++ b/unit/Makefile
@@ -7,6 +7,7 @@ SRC = src/expr/require_expr.cpp \
 
 # Test source files
 SRC += unit_tests.cpp \
+       analyses/ai/ai_simplify_lhs.cpp \
        analyses/does_remove_const/does_expr_lose_const.cpp \
        analyses/does_remove_const/does_type_preserve_const_correctness.cpp \
        analyses/does_remove_const/is_type_at_least_as_const_as.cpp \
diff --git a/unit/analyses/ai/ai_simplify_lhs.cpp b/unit/analyses/ai/ai_simplify_lhs.cpp
new file mode 100644
index 0000000000..2d276fdbbd
--- /dev/null
+++ b/unit/analyses/ai/ai_simplify_lhs.cpp
@@ -0,0 +1,168 @@
+/*******************************************************************\
+
+ Module: Unit tests for ai_domain_baset::ai_simplify_lhs
+
+ Author: DiffBlue Limited. All rights reserved.
+
+\*******************************************************************/
+
+/// \file
+/// Unit tests for ai_domain_baset::ai_simplify_lhs
+
+#include 
+
+#include 
+
+#include 
+
+#include 
+#include 
+#include 
+#include 
+#include 
+
+class constant_simplification_mockt:public ai_domain_baset
+{
+public:
+  void transform(locationt, locationt, ai_baset &, const namespacet &) override
+  {}
+  void make_bottom() override
+  {}
+  void make_top() override
+  {}
+  void make_entry() override
+  {}
+
+  bool ai_simplify(exprt &condition, const namespacet &ns) const override;
+};
+
+bool constant_simplification_mockt::ai_simplify(
+  exprt &condition, const namespacet &ns) const
+{
+  exprt simplified_expr=simplify_expr(condition, ns);
+  // no simplification
+  if(simplified_expr==condition)
+  {
+    return true;
+  }
+  // a simplification has occurred
+  condition=simplified_expr;
+  return false;
+}
+
+SCENARIO("ai_domain_baset::ai_simplify_lhs",
+  "[core][analyses][ai][ai_simplify_lhs]")
+{
+  ui_message_handlert message_handler;
+  ansi_c_languaget language;
+  language.set_message_handler(message_handler);
+
+  symbol_tablet symbol_table;
+  namespacet ns(symbol_table);
+
+  constant_simplification_mockt mock_ai_domain;
+
+  config.set_arch("none");
+
+  GIVEN("A index_exprt")
+  {
+    // Construct an expression that the simplify_expr can simplify
+    exprt simplifiable_expression;
+    bool compile_failed=
+      language.to_expr("1 + 1", "", simplifiable_expression, ns);
+
+    const unsigned int array_size=5;
+    array_typet array_type(
+      signedbv_typet(32), constant_exprt::integer_constant(array_size));
+
+    // Verify the results of the setup
+    REQUIRE_FALSE(compile_failed);\
+    REQUIRE(simplifiable_expression.id()==ID_plus);
+    exprt simplified_version=simplify_expr(simplifiable_expression, ns);
+    REQUIRE(simplified_version.id()==ID_constant);
+
+    WHEN(
+      "Simplifying an index expression with constant index but variable array")
+    {
+      const index_exprt &index_expr=
+        index_exprt(symbol_exprt("a", array_type), simplifiable_expression);
+
+      THEN("Then only the index of the part of the expression should be "
+        "simplified")
+      {
+        exprt out_expr=index_expr;
+        bool no_simplification=mock_ai_domain.ai_simplify_lhs(out_expr, ns);
+        REQUIRE_FALSE(no_simplification);
+        REQUIRE(index_expr.id()==ID_index);
+
+        index_exprt simplified_index_expr=to_index_expr(out_expr);
+        REQUIRE(simplified_index_expr.index().id()==ID_constant);
+
+        constant_exprt constant_index=
+          to_constant_expr(simplified_index_expr.index());
+
+        mp_integer out_index;
+        bool failed_to_integer=to_integer(constant_index, out_index);
+        REQUIRE_FALSE(failed_to_integer);
+        REQUIRE(out_index==2);
+      }
+    }
+    WHEN("Simplifying an index expression with variable index and array")
+    {
+      // a[i]
+      const index_exprt &index_expr=
+        index_exprt(
+          symbol_exprt("a", array_type), symbol_exprt("i", signedbv_typet(32)));
+
+      THEN("Then no simplification should occur")
+      {
+        exprt out_expr=index_expr;
+        bool no_simplification=mock_ai_domain.ai_simplify_lhs(out_expr, ns);
+        REQUIRE(no_simplification);
+        REQUIRE(index_expr.id()==ID_index);
+
+        index_exprt simplified_index_expr=to_index_expr(out_expr);
+        REQUIRE(simplified_index_expr.index().id()==ID_symbol);
+      }
+    }
+
+    // This fails since the implementation does do a constant simplification
+    // on the array part. It isn't clear to me if this is correct
+#if 0
+    WHEN(
+      "Simplifying an index expression with constant index in a constant array")
+    {
+      array_exprt constant_array=array_exprt(array_type);
+      for(unsigned int i=0; i
Date: Sun, 16 Jul 2017 16:35:43 +0100
Subject: [PATCH 76/89] cleanup array theory solver

---
 src/solvers/flattening/arrays.cpp | 225 +++++++++---------------------
 src/solvers/flattening/arrays.h   |   2 -
 2 files changed, 65 insertions(+), 162 deletions(-)

diff --git a/src/solvers/flattening/arrays.cpp b/src/solvers/flattening/arrays.cpp
index c628997ca5..82d82c0b3e 100644
--- a/src/solvers/flattening/arrays.cpp
+++ b/src/solvers/flattening/arrays.cpp
@@ -108,73 +108,64 @@ void arrayst::collect_arrays(const exprt &a)
 
   if(a.id()==ID_with)
   {
-    if(a.operands().size()!=3)
-      throw "with expected to have three operands";
+    const with_exprt &with_expr=to_with_expr(a);
 
     // check types
-    if(!base_type_eq(array_type, a.op0().type(), ns))
+    if(!base_type_eq(array_type, with_expr.old().type(), ns))
     {
       std::cout << a.pretty() << '\n';
       throw "collect_arrays got 'with' without matching types";
     }
 
-    arrays.make_union(a, a.op0());
-    collect_arrays(a.op0());
+    arrays.make_union(a, with_expr.old());
+    collect_arrays(with_expr.old());
 
     // make sure this shows as an application
-    index_exprt index_expr;
-    index_expr.type()=array_type.subtype();
-    index_expr.array()=a.op0();
-    index_expr.index()=a.op1();
+    index_exprt index_expr(with_expr.old(), with_expr.where());
     record_array_index(index_expr);
   }
-  else if(a.id()==ID_update) // TODO: is this obsolete?
+  else if(a.id()==ID_update)
   {
-    if(a.operands().size()!=3)
-      throw "update expected to have three operands";
+    const update_exprt &update_expr=to_update_expr(a);
 
     // check types
-    if(!base_type_eq(array_type, a.op0().type(), ns))
+    if(!base_type_eq(array_type, update_expr.old().type(), ns))
     {
       std::cout << a.pretty() << '\n';
       throw "collect_arrays got 'update' without matching types";
     }
 
-    arrays.make_union(a, a.op0());
-    collect_arrays(a.op0());
+    arrays.make_union(a, update_expr.old());
+    collect_arrays(update_expr.old());
 
 #if 0
     // make sure this shows as an application
-    index_exprt index_expr;
-    index_expr.type()=array_type.subtype();
-    index_expr.array()=a.op0();
-    index_expr.index()=a.op1();
+    index_exprt index_expr(update_expr.old(), update_expr.index());
     record_array_index(index_expr);
 #endif
   }
   else if(a.id()==ID_if)
   {
-    if(a.operands().size()!=3)
-      throw "if expected to have three operands";
+    const if_exprt &if_expr=to_if_expr(a);
 
     // check types
-    if(!base_type_eq(array_type, a.op1().type(), ns))
+    if(!base_type_eq(array_type, if_expr.true_case().type(), ns))
     {
       std::cout << a.pretty() << '\n';
       throw "collect_arrays got if without matching types";
     }
 
     // check types
-    if(!base_type_eq(array_type, a.op2().type(), ns))
+    if(!base_type_eq(array_type, if_expr.false_case().type(), ns))
     {
       std::cout << a.pretty() << '\n';
       throw "collect_arrays got if without matching types";
     }
 
-    arrays.make_union(a, a.op1());
-    arrays.make_union(a, a.op2());
-    collect_arrays(a.op1());
-    collect_arrays(a.op2());
+    arrays.make_union(a, if_expr.true_case());
+    arrays.make_union(a, if_expr.false_case());
+    collect_arrays(if_expr.true_case());
+    collect_arrays(if_expr.false_case());
   }
   else if(a.id()==ID_symbol)
   {
@@ -272,14 +263,11 @@ void arrayst::add_array_constraints()
   }
 
   // add constraints for equalities
-  for(array_equalitiest::const_iterator it=
-      array_equalities.begin();
-      it!=array_equalities.end();
-      it++)
+  for(const auto &equality : array_equalities)
   {
-    add_array_constraints(
-      index_map[arrays.find_number(it->f1)],
-      *it);
+    add_array_constraints_equality(
+      index_map[arrays.find_number(equality.f1)],
+      equality);
 
     // update_index_map should not be necessary here
   }
@@ -333,10 +321,8 @@ void arrayst::add_array_Ackermann_constraints()
 
           if(indices_equal_lit!=const_literal(false))
           {
-            index_exprt index_expr1;
-            index_expr1.type()=ns.follow(arrays[i].type()).subtype();
-            index_expr1.array()=arrays[i];
-            index_expr1.index()=*i1;
+            const typet &subtype=ns.follow(arrays[i].type()).subtype();
+            index_exprt index_expr1(arrays[i], *i1, subtype);
 
             index_exprt index_expr2=index_expr1;
             index_expr2.index()=*i2;
@@ -387,52 +373,39 @@ void arrayst::update_index_map(bool update_all)
   }
   else
   {
-    for(std::set::const_iterator
-        it=update_indices.begin();
-        it!=update_indices.end(); it++)
-      update_index_map(*it);
+    for(const auto &index : update_indices)
+      update_index_map(index);
+
     update_indices.clear();
   }
 
 #ifdef DEBUG
   // print index sets
-  for(index_mapt::const_iterator
-      i1=index_map.begin();
-      i1!=index_map.end();
-      i1++)
-    for(index_sett::const_iterator
-        i2=i1->second.begin();
-        i2!=i1->second.end();
-        i2++)
-      std::cout << "Index set (" << i1->first << " = "
-                << arrays.find_number(i1->first) << " = "
-                << from_expr(ns, "", arrays[arrays.find_number(i1->first)])
+  for(const auto &index_entry : index_map)
+    for(const auto &index : index_entry.second)
+      std::cout << "Index set (" << index_entry.first << " = "
+                << arrays.find_number(index_entry.first) << " = "
+                << from_expr(ns, "",
+                             arrays[arrays.find_number(index_entry.first)])
                 << "): "
-                << from_expr(ns, "", *i2) << '\n';
+                << from_expr(ns, "", index) << '\n';
   std::cout << "-----\n";
 #endif
 }
 
-void arrayst::add_array_constraints(
+void arrayst::add_array_constraints_equality(
   const index_sett &index_set,
   const array_equalityt &array_equality)
 {
   // add constraints x=y => x[i]=y[i]
 
-  for(index_sett::const_iterator
-      it=index_set.begin();
-      it!=index_set.end();
-      it++)
+  for(const auto &index : index_set)
   {
-    index_exprt index_expr1;
-    index_expr1.type()=ns.follow(array_equality.f1.type()).subtype();
-    index_expr1.array()=array_equality.f1;
-    index_expr1.index()=*it;
+    const typet &subtype1=ns.follow(array_equality.f1.type()).subtype();
+    index_exprt index_expr1(array_equality.f1, index, subtype1);
 
-    index_exprt index_expr2;
-    index_expr2.type()=ns.follow(array_equality.f2.type()).subtype();
-    index_expr2.array()=array_equality.f2;
-    index_expr2.index()=*it;
+    const typet &subtype2=ns.follow(array_equality.f2.type()).subtype();
+    index_exprt index_expr2(array_equality.f2, index, subtype2);
 
     assert(index_expr1.type()==index_expr2.type());
 
@@ -484,20 +457,11 @@ void arrayst::add_array_constraints(
     assert(expr.operands().size()==1);
 
     // add a[i]=b[i]
-    for(index_sett::const_iterator
-        it=index_set.begin();
-        it!=index_set.end();
-        it++)
+    for(const auto &index : index_set)
     {
-      index_exprt index_expr1;
-      index_expr1.type()=ns.follow(expr.type()).subtype();
-      index_expr1.array()=expr;
-      index_expr1.index()=*it;
-
-      index_exprt index_expr2;
-      index_expr2.type()=ns.follow(expr.type()).subtype();
-      index_expr2.array()=expr.op0();
-      index_expr2.index()=*it;
+      const typet &subtype=ns.follow(expr.type()).subtype();
+      index_exprt index_expr1(expr, index, subtype);
+      index_exprt index_expr2(expr.op0(), index, subtype);
 
       assert(index_expr1.type()==index_expr2.type());
 
@@ -527,10 +491,7 @@ void arrayst::add_array_constraints_with(
   const exprt &value=expr.new_value();
 
   {
-    index_exprt index_expr;
-    index_expr.type()=ns.follow(expr.type()).subtype();
-    index_expr.array()=expr;
-    index_expr.index()=index;
+    index_exprt index_expr(expr, index, ns.follow(expr.type()).subtype());
 
     if(index_expr.type()!=value.type())
     {
@@ -546,13 +507,8 @@ void arrayst::add_array_constraints_with(
   // use other array index applications for "else" case
   // add constraint x[I]=y[I] for I!=i
 
-  for(index_sett::const_iterator
-      it=index_set.begin();
-      it!=index_set.end();
-      it++)
+  for(auto other_index : index_set)
   {
-    exprt other_index=*it;
-
     if(other_index!=index)
     {
       // we first build the guard
@@ -564,17 +520,9 @@ void arrayst::add_array_constraints_with(
 
       if(guard_lit!=const_literal(true))
       {
-        index_exprt index_expr1;
-        index_expr1.type()=ns.follow(expr.type()).subtype();
-        index_expr1.array()=expr;
-        index_expr1.index()=other_index;
-
-        index_exprt index_expr2;
-        index_expr2.type()=ns.follow(expr.type()).subtype();
-        index_expr2.array()=expr.op0();
-        index_expr2.index()=other_index;
-
-        assert(index_expr1.type()==index_expr2.type());
+        const typet &subtype=ns.follow(expr.type()).subtype();
+        index_exprt index_expr1(expr, other_index, subtype);
+        index_exprt index_expr2(expr.op0(), other_index, subtype);
 
         equal_exprt equality_expr(index_expr1, index_expr2);
 
@@ -611,10 +559,7 @@ void arrayst::add_array_constraints_update(
   const exprt &value=expr.new_value();
 
   {
-    index_exprt index_expr;
-    index_expr.type()=ns.follow(expr.type()).subtype();
-    index_expr.array()=expr;
-    index_expr.index()=index;
+    index_exprt index_expr(expr, index, ns.follow(expr.type()).subtype());
 
     if(index_expr.type()!=value.type())
     {
@@ -628,13 +573,8 @@ void arrayst::add_array_constraints_update(
   // use other array index applications for "else" case
   // add constraint x[I]=y[I] for I!=i
 
-  for(index_sett::const_iterator
-      it=index_set.begin();
-      it!=index_set.end();
-      it++)
+  for(auto other_index : index_set)
   {
-    exprt other_index=*it;
-
     if(other_index!=index)
     {
       // we first build the guard
@@ -646,17 +586,9 @@ void arrayst::add_array_constraints_update(
 
       if(guard_lit!=const_literal(true))
       {
-        index_exprt index_expr1;
-        index_expr1.type()=ns.follow(expr.type()).subtype();
-        index_expr1.array()=expr;
-        index_expr1.index()=other_index;
-
-        index_exprt index_expr2;
-        index_expr2.type()=ns.follow(expr.type()).subtype();
-        index_expr2.array()=expr.op0();
-        index_expr2.index()=other_index;
-
-        assert(index_expr1.type()==index_expr2.type());
+        const typet &subtype=ns.follow(expr.type()).subtype();
+        index_exprt index_expr1(expr, other_index, subtype);
+        index_exprt index_expr2(expr.op0(), other_index, subtype);
 
         equal_exprt equality_expr(index_expr1, index_expr2);
 
@@ -682,15 +614,10 @@ void arrayst::add_array_constraints_array_of(
   // get other array index applications
   // and add constraint x[i]=v
 
-  for(index_sett::const_iterator
-      it=index_set.begin();
-      it!=index_set.end();
-      it++)
+  for(const auto &index : index_set)
   {
-    index_exprt index_expr;
-    index_expr.type()=ns.follow(expr.type()).subtype();
-    index_expr.array()=expr;
-    index_expr.index()=*it;
+    const typet &subtype=ns.follow(expr.type()).subtype();
+    index_exprt index_expr(expr, index, subtype);
 
     assert(base_type_eq(index_expr.type(), expr.op0().type(), ns));
 
@@ -714,22 +641,11 @@ void arrayst::add_array_constraints_if(
 
   // first do true case
 
-  for(index_sett::const_iterator
-      it=index_set.begin();
-      it!=index_set.end();
-      it++)
+  for(const auto &index : index_set)
   {
-    index_exprt index_expr1;
-    index_expr1.type()=ns.follow(expr.type()).subtype();
-    index_expr1.array()=expr;
-    index_expr1.index()=*it;
-
-    index_exprt index_expr2;
-    index_expr2.type()=ns.follow(expr.type()).subtype();
-    index_expr2.array()=expr.true_case();
-    index_expr2.index()=*it;
-
-    assert(index_expr1.type()==index_expr2.type());
+    const typet subtype=ns.follow(expr.type()).subtype();
+    index_exprt index_expr1(expr, index, subtype);
+    index_exprt index_expr2(expr.true_case(), index, subtype);
 
     // add implication
     lazy_constraintt lazy(lazy_typet::ARRAY_IF,
@@ -743,22 +659,11 @@ void arrayst::add_array_constraints_if(
   }
 
   // now the false case
-  for(index_sett::const_iterator
-      it=index_set.begin();
-      it!=index_set.end();
-      it++)
+  for(const auto &index : index_set)
   {
-    index_exprt index_expr1;
-    index_expr1.type()=ns.follow(expr.type()).subtype();
-    index_expr1.array()=expr;
-    index_expr1.index()=*it;
-
-    index_exprt index_expr2;
-    index_expr2.type()=ns.follow(expr.type()).subtype();
-    index_expr2.array()=expr.false_case();
-    index_expr2.index()=*it;
-
-    assert(index_expr1.type()==index_expr2.type());
+    const typet subtype=ns.follow(expr.type()).subtype();
+    index_exprt index_expr1(expr, index, subtype);
+    index_exprt index_expr2(expr.false_case(), index, subtype);
 
     // add implication
     lazy_constraintt lazy(
diff --git a/src/solvers/flattening/arrays.h b/src/solvers/flattening/arrays.h
index b0c1e45cfe..a5434c3e48 100644
--- a/src/solvers/flattening/arrays.h
+++ b/src/solvers/flattening/arrays.h
@@ -105,8 +105,6 @@ protected:
     const index_sett &index_set, const array_equalityt &array_equality);
   void add_array_constraints(
     const index_sett &index_set, const exprt &expr);
-  void add_array_constraints(
-    const index_sett &index_set, const array_equalityt &array_equality);
   void add_array_constraints_if(
     const index_sett &index_set, const if_exprt &exprt);
   void add_array_constraints_with(

From a06cf766fc957523618ba4c1c919f142277e203f Mon Sep 17 00:00:00 2001
From: reuk 
Date: Wed, 19 Jul 2017 18:25:49 +0100
Subject: [PATCH 77/89] Fix nullptr

---
 src/analyses/goto_check.cpp                   |   2 +-
 src/analyses/goto_rw.cpp                      |   8 +-
 src/analyses/goto_rw.h                        |   4 +-
 src/analyses/invariant_set.cpp                |   6 +-
 src/analyses/invariant_set.h                  |   6 +-
 src/analyses/local_may_alias.h                |   4 +-
 src/analyses/reaching_definitions.cpp         |   4 +-
 src/analyses/reaching_definitions.h           |  10 +-
 src/ansi-c/c_preprocess.cpp                   |   6 +-
 src/ansi-c/cprover_library.cpp                |   2 +-
 src/ansi-c/expr2c.cpp                         |   2 +-
 src/big-int/bigint-test.cc                    |   2 +-
 src/big-int/bigint.cc                         |  10 +-
 src/cbmc/cbmc_parse_options.cpp               |   4 +-
 src/clobber/clobber_parse_options.cpp         |   2 +-
 src/cpp/cpp_id.cpp                            |   2 +-
 src/cpp/cpp_id.h                              |   2 +-
 src/cpp/cpp_instantiate_template.cpp          |   6 +-
 src/cpp/cpp_language.cpp                      |   2 +-
 src/cpp/cpp_typecheck_compound_type.cpp       |   2 +-
 src/cpp/cpp_typecheck_expr.cpp                |   2 +-
 src/cpp/cpp_typecheck_resolve.cpp             |   4 +-
 src/cpp/cpp_typecheck_template.cpp            |   4 +-
 src/cpp/parse.cpp                             |   4 +-
 src/goto-cc/armcc_cmdline.cpp                 |   6 +-
 src/goto-cc/as86_cmdline.cpp                  |  10 +-
 src/goto-cc/as_cmdline.cpp                    |  10 +-
 src/goto-cc/bcc_cmdline.cpp                   |  10 +-
 src/goto-cc/compile.cpp                       |   4 +-
 src/goto-cc/gcc_cmdline.cpp                   |  20 +-
 src/goto-cc/goto_cc_cmdline.cpp               |   4 +-
 src/goto-cc/goto_cc_main.cpp                  |   2 +-
 src/goto-cc/ld_cmdline.cpp                    |  12 +-
 src/goto-cc/ms_cl_cmdline.cpp                 |  14 +-
 src/goto-instrument/dump_c.cpp                |  10 +-
 src/goto-instrument/model_argc_argv.cpp       |   2 +-
 src/goto-instrument/wmm/cycle_collection.cpp  |   2 +-
 src/goto-instrument/wmm/goto2graph.cpp        |   2 +-
 src/goto-programs/initialize_goto_model.cpp   |   2 +-
 src/goto-programs/interpreter.cpp             |   2 +-
 src/goto-programs/show_symbol_table.cpp       |   2 +-
 src/goto-symex/goto_symex_state.cpp           |  10 +-
 src/goto-symex/slice_by_trace.cpp             |   6 +-
 src/goto-symex/symex_dereference_state.cpp    |   4 +-
 src/goto-symex/symex_function_call.cpp        |   2 +-
 src/goto-symex/symex_main.cpp                 |   2 +-
 .../java_bytecode_convert_method.cpp          |   2 +-
 src/java_bytecode/java_bytecode_parser.cpp    |   2 +-
 .../java_local_variable_table.cpp             |   2 +-
 src/langapi/language_ui.cpp                   |   4 +-
 src/langapi/language_util.cpp                 |   2 +-
 src/langapi/mode.cpp                          |   8 +-
 src/miniz/miniz.cpp                           | 192 +++++++++---------
 src/path-symex/path_symex_history.h           |   8 +-
 src/path-symex/path_symex_state_read.cpp      |   4 +-
 src/path-symex/var_map.cpp                    |   2 +-
 src/pointer-analysis/value_set_fi.cpp         |   6 +-
 src/pointer-analysis/value_set_fivr.cpp       |   6 +-
 src/pointer-analysis/value_set_fivrns.cpp     |   6 +-
 src/solvers/miniBDD/miniBDD.h                 |   2 +-
 src/solvers/miniBDD/miniBDD.inc               |   4 +-
 src/solvers/sat/pbs_dimacs_cnf.cpp            |  12 +-
 src/util/config.cpp                           |   4 +-
 src/util/file_util.cpp                        |   6 +-
 src/util/invariant.cpp                        |   2 +-
 src/util/irep_ids.cpp                         |   4 +-
 src/util/language_file.cpp                    |   4 +-
 src/util/language_file.h                      |   2 +-
 src/util/message.h                            |   2 +-
 src/util/namespace.cpp                        |   8 +-
 src/util/namespace.h                          |   6 +-
 src/util/parser.h                             |   2 +-
 src/util/pipe_stream.cpp                      |   8 +-
 src/util/ref_expr_set.h                       |   6 +-
 src/util/reference_counting.h                 |  16 +-
 src/util/run.cpp                              |   8 +-
 src/util/signal_catcher.cpp                   |   4 +-
 src/util/tempdir.cpp                          |   2 +-
 src/util/tempfile.cpp                         |   2 +-
 src/util/unicode.cpp                          |   6 +-
 80 files changed, 296 insertions(+), 296 deletions(-)

diff --git a/src/analyses/goto_check.cpp b/src/analyses/goto_check.cpp
index 8fe596d926..be4edbf288 100644
--- a/src/analyses/goto_check.cpp
+++ b/src/analyses/goto_check.cpp
@@ -37,7 +37,7 @@ public:
     const namespacet &_ns,
     const optionst &_options):
     ns(_ns),
-    local_bitvector_analysis(0)
+    local_bitvector_analysis(nullptr)
   {
     enable_bounds_check=_options.get_bool_option("bounds-check");
     enable_pointer_check=_options.get_bool_option("pointer-check");
diff --git a/src/analyses/goto_rw.cpp b/src/analyses/goto_rw.cpp
index be3ef3e0a8..36c2bf8c95 100644
--- a/src/analyses/goto_rw.cpp
+++ b/src/analyses/goto_rw.cpp
@@ -463,9 +463,9 @@ void rw_range_sett::add(
 {
   objectst::iterator entry=(mode==get_modet::LHS_W ? w_range_set : r_range_set).
     insert(
-      std::pair(identifier, 0)).first;
+      std::pair(identifier, nullptr)).first;
 
-  if(entry->second==0)
+  if(entry->second==nullptr)
     entry->second=new range_domaint();
 
   static_cast(entry->second)->push_back(
@@ -663,9 +663,9 @@ void rw_guarded_range_set_value_sett::add(
 {
   objectst::iterator entry=(mode==get_modet::LHS_W ? w_range_set : r_range_set).
     insert(
-      std::pair(identifier, 0)).first;
+      std::pair(identifier, nullptr)).first;
 
-  if(entry->second==0)
+  if(entry->second==nullptr)
     entry->second=new guarded_range_domaint();
 
   static_cast(entry->second)->insert(
diff --git a/src/analyses/goto_rw.h b/src/analyses/goto_rw.h
index 06b7a7ab41..60dfe5ca6f 100644
--- a/src/analyses/goto_rw.h
+++ b/src/analyses/goto_rw.h
@@ -108,7 +108,7 @@ public:
 
   const range_domaint &get_ranges(objectst::const_iterator it) const
   {
-    assert(dynamic_cast(it->second)!=0);
+    assert(dynamic_cast(it->second)!=nullptr);
     return *static_cast(it->second);
   }
 
@@ -277,7 +277,7 @@ public:
 
   const guarded_range_domaint &get_ranges(objectst::const_iterator it) const
   {
-    assert(dynamic_cast(it->second)!=0);
+    assert(dynamic_cast(it->second)!=nullptr);
     return *static_cast(it->second);
   }
 
diff --git a/src/analyses/invariant_set.cpp b/src/analyses/invariant_set.cpp
index 6127abdd57..550c39d3ab 100644
--- a/src/analyses/invariant_set.cpp
+++ b/src/analyses/invariant_set.cpp
@@ -144,7 +144,7 @@ bool invariant_sett::get_object(
   const exprt &expr,
   unsigned &n) const
 {
-  assert(object_store!=NULL);
+  assert(object_store!=nullptr);
   return object_store->get(expr, n);
 }
 
@@ -315,7 +315,7 @@ void invariant_sett::output(
     return;
   }
 
-  assert(object_store!=NULL);
+  assert(object_store!=nullptr);
 
   for(unsigned i=0; ito_string(a, identifier);
 }
 
diff --git a/src/analyses/invariant_set.h b/src/analyses/invariant_set.h
index 6bb40bd3e9..b65ce7897f 100644
--- a/src/analyses/invariant_set.h
+++ b/src/analyses/invariant_set.h
@@ -98,9 +98,9 @@ public:
   invariant_sett():
     threaded(false),
     is_false(false),
-    value_sets(NULL),
-    object_store(NULL),
-    ns(NULL)
+    value_sets(nullptr),
+    object_store(nullptr),
+    ns(nullptr)
   {
   }
 
diff --git a/src/analyses/local_may_alias.h b/src/analyses/local_may_alias.h
index b54cf4e9e8..c9c7680368 100644
--- a/src/analyses/local_may_alias.h
+++ b/src/analyses/local_may_alias.h
@@ -94,7 +94,7 @@ protected:
 class local_may_alias_factoryt
 {
 public:
-  local_may_alias_factoryt():goto_functions(NULL)
+  local_may_alias_factoryt():goto_functions(nullptr)
   {
   }
 
@@ -109,7 +109,7 @@ public:
 
   local_may_aliast &operator()(const irep_idt &fkt)
   {
-    assert(goto_functions!=NULL);
+    assert(goto_functions!=nullptr);
     fkt_mapt::iterator f_it=fkt_map.find(fkt);
     if(f_it!=fkt_map.end())
       return *f_it->second;
diff --git a/src/analyses/reaching_definitions.cpp b/src/analyses/reaching_definitions.cpp
index 0e0462c3c8..b001261a69 100644
--- a/src/analyses/reaching_definitions.cpp
+++ b/src/analyses/reaching_definitions.cpp
@@ -51,7 +51,7 @@ void rd_range_domaint::transform(
 {
   reaching_definitions_analysist *rd=
     dynamic_cast(&ai);
-  assert(rd!=0);
+  assert(rd!=nullptr);
 
   assert(bv_container);
 
@@ -298,7 +298,7 @@ void rd_range_domaint::transform_assign(
     const symbolt *symbol_ptr;
     if(ns.lookup(identifier, symbol_ptr))
       continue;
-    assert(symbol_ptr!=0);
+    assert(symbol_ptr!=nullptr);
 
     const range_domaint &ranges=rw_set.get_ranges(it);
 
diff --git a/src/analyses/reaching_definitions.h b/src/analyses/reaching_definitions.h
index e5f0d5f12b..462b8c1d45 100644
--- a/src/analyses/reaching_definitions.h
+++ b/src/analyses/reaching_definitions.h
@@ -102,7 +102,7 @@ public:
   rd_range_domaint():
     ai_domain_baset(),
     has_values(false),
-    bv_container(0)
+    bv_container(nullptr)
   {
   }
 
@@ -243,9 +243,9 @@ public:
   explicit reaching_definitions_analysist(const namespacet &_ns):
     concurrency_aware_ait(),
     ns(_ns),
-    value_sets(0),
-    is_threaded(0),
-    is_dirty(0)
+    value_sets(nullptr),
+    is_threaded(nullptr),
+    is_dirty(nullptr)
   {
   }
 
@@ -259,7 +259,7 @@ public:
     statet &s=concurrency_aware_ait::get_state(l);
 
     rd_range_domaint *rd_state=dynamic_cast(&s);
-    assert(rd_state!=0);
+    assert(rd_state!=nullptr);
 
     rd_state->set_bitvector_container(*this);
 
diff --git a/src/ansi-c/c_preprocess.cpp b/src/ansi-c/c_preprocess.cpp
index 6ba8e6f359..927a928b18 100644
--- a/src/ansi-c/c_preprocess.cpp
+++ b/src/ansi-c/c_preprocess.cpp
@@ -344,7 +344,7 @@ bool c_preprocess(
 static bool is_dot_i_file(const std::string &path)
 {
   const char *ext=strrchr(path.c_str(), '.');
-  if(ext==NULL)
+  if(ext==nullptr)
     return false;
   if(std::string(ext)==".i" ||
      std::string(ext)==".ii")
@@ -889,7 +889,7 @@ bool c_preprocess_gcc_clang(
 
   FILE *stream=popen(command.c_str(), "r");
 
-  if(stream!=NULL)
+  if(stream!=nullptr)
   {
     int ch;
     while((ch=fgetc(stream))!=EOF)
@@ -1011,7 +1011,7 @@ bool c_preprocess_arm(
 
   FILE *stream=popen(command.c_str(), "r");
 
-  if(stream!=NULL)
+  if(stream!=nullptr)
   {
     int ch;
     while((ch=fgetc(stream))!=EOF)
diff --git a/src/ansi-c/cprover_library.cpp b/src/ansi-c/cprover_library.cpp
index 8f99f987bf..f13e321d75 100644
--- a/src/ansi-c/cprover_library.cpp
+++ b/src/ansi-c/cprover_library.cpp
@@ -38,7 +38,7 @@ std::string get_cprover_library_text(
   std::size_t count=0;
 
   for(cprover_library_entryt *e=cprover_library;
-      e->function!=NULL;
+      e->function!=nullptr;
       e++)
   {
     irep_idt id=e->function;
diff --git a/src/ansi-c/expr2c.cpp b/src/ansi-c/expr2c.cpp
index 9c980cc842..d1dbf3bb6b 100644
--- a/src/ansi-c/expr2c.cpp
+++ b/src/ansi-c/expr2c.cpp
@@ -2664,7 +2664,7 @@ std::string expr2ct::convert_code_decl(
 
   std::string dest=indent_str(indent);
 
-  const symbolt *symbol=0;
+  const symbolt *symbol=nullptr;
   if(!ns.lookup(to_symbol_expr(src.op0()).get_identifier(), symbol))
   {
     if(symbol->is_file_local &&
diff --git a/src/big-int/bigint-test.cc b/src/big-int/bigint-test.cc
index 5d506a8901..7c11e164e2 100644
--- a/src/big-int/bigint-test.cc
+++ b/src/big-int/bigint-test.cc
@@ -161,7 +161,7 @@ static void
 run_clisp_tests (char const *fn)
 {
   FILE *f = fopen (fn, "rt");
-  if (f == 0)
+  if (f == nullptr)
     {
       fprintf (stderr, "Error opening %s: %s.\n", fn, strerror (errno));
       return;
diff --git a/src/big-int/bigint.cc b/src/big-int/bigint.cc
index a53e42ebdb..b55a14865d 100644
--- a/src/big-int/bigint.cc
+++ b/src/big-int/bigint.cc
@@ -266,7 +266,7 @@ digit_div (onedig_t *r, const onedig_t *y, unsigned yl, onedig_t *q, unsigned ql
 	  --qh;
 	  add_back (r, y, yl);
 	}
-      if (q != 0)
+      if (q != nullptr)
 	q[i] = qh;
     }
 }
@@ -580,7 +580,7 @@ char *
 BigInt::as_string (char *p, unsigned l, onedig_t b) const
 {
   if (l < 2)
-    return 0;				// Not enough room for number.
+    return nullptr;				// Not enough room for number.
   p[--l] = '\0';
   // Check for zero. Would otherwise print as empty string.
   unsigned len = length;
@@ -598,7 +598,7 @@ BigInt::as_string (char *p, unsigned l, onedig_t b) const
   do
     {
       if (l == 0)
-	return 0;
+	return nullptr;
       onedig_t r = digit_div (dig, len, b);
       p[--l] = r < 10 ? r + '0' : 'A' + r - 10;
       if (dig[len-1] == 0)
@@ -608,7 +608,7 @@ BigInt::as_string (char *p, unsigned l, onedig_t b) const
   // Maybe attach sign.
   if (!positive){
     if (l == 0)
-      return 0;
+      return nullptr;
     else
       p[--l] = '-';
   }
@@ -1268,7 +1268,7 @@ BigInt::operator%= (BigInt const &y)
 	}
       if (a[al-1] >= b[bl-1])
 	a[al++] = 0;
-      digit_div (a, b, bl, 0, al - bl);
+      digit_div (a, b, bl, nullptr, al - bl);
       length = bl;
       adjust();
       if (scale != 1)
diff --git a/src/cbmc/cbmc_parse_options.cpp b/src/cbmc/cbmc_parse_options.cpp
index 65a4386077..b4099967f8 100644
--- a/src/cbmc/cbmc_parse_options.cpp
+++ b/src/cbmc/cbmc_parse_options.cpp
@@ -590,7 +590,7 @@ int cbmc_parse_optionst::get_goto_program(
 
       languaget *language=get_language_from_filename(filename);
 
-      if(language==NULL)
+      if(language==nullptr)
       {
         error() << "failed to figure out type of file `"
                 <<  filename << "'" << eom;
@@ -739,7 +739,7 @@ void cbmc_parse_optionst::preprocessing()
 
     languaget *ptr=get_language_from_filename(filename);
 
-    if(ptr==NULL)
+    if(ptr==nullptr)
     {
       error() << "failed to figure out type of file" << eom;
       return;
diff --git a/src/clobber/clobber_parse_options.cpp b/src/clobber/clobber_parse_options.cpp
index 36cc3e49ab..8c2b2dc1f5 100644
--- a/src/clobber/clobber_parse_options.cpp
+++ b/src/clobber/clobber_parse_options.cpp
@@ -250,7 +250,7 @@ bool clobber_parse_optionst::get_goto_program(
 
       languaget *language=get_language_from_filename(filename);
 
-      if(language==NULL)
+      if(language==nullptr)
       {
         error() << "failed to figure out type of file `" <<  filename << "'"
                 << eom;
diff --git a/src/cpp/cpp_id.cpp b/src/cpp/cpp_id.cpp
index e6c13ca4cf..edcc139ce4 100644
--- a/src/cpp/cpp_id.cpp
+++ b/src/cpp/cpp_id.cpp
@@ -24,7 +24,7 @@ cpp_idt::cpp_idt():
   id_class(id_classt::UNKNOWN),
   this_expr(static_cast(get_nil_irep())),
   compound_counter(0),
-  parent(NULL)
+  parent(nullptr)
 {
 }
 
diff --git a/src/cpp/cpp_id.h b/src/cpp/cpp_id.h
index f7fe339cc1..1ba4649334 100644
--- a/src/cpp/cpp_id.h
+++ b/src/cpp/cpp_id.h
@@ -81,7 +81,7 @@ public:
 
   cpp_idt &get_parent() const
   {
-    assert(parent!=NULL);
+    assert(parent!=nullptr);
     return *parent;
   }
 
diff --git a/src/cpp/cpp_instantiate_template.cpp b/src/cpp/cpp_instantiate_template.cpp
index c28fe5ca54..27c8e2c9a3 100644
--- a/src/cpp/cpp_instantiate_template.cpp
+++ b/src/cpp/cpp_instantiate_template.cpp
@@ -130,7 +130,7 @@ const symbolt &cpp_typecheckt::class_template_symbol(
   cpp_scopet *template_scope=
     static_cast(cpp_scopes.id_map[template_symbol.name]);
 
-  assert(template_scope!=NULL);
+  assert(template_scope!=nullptr);
 
   irep_idt identifier=
     id2string(template_scope->prefix)+
@@ -276,7 +276,7 @@ const symbolt &cpp_typecheckt::instantiate_template(
   cpp_scopet *template_scope=
     static_cast(cpp_scopes.id_map[template_symbol.name]);
 
-  if(template_scope==NULL)
+  if(template_scope==nullptr)
   {
     error().source_location=source_location;
     error() << "identifier: " << template_symbol.name << '\n'
@@ -284,7 +284,7 @@ const symbolt &cpp_typecheckt::instantiate_template(
     throw 0;
   }
 
-  assert(template_scope!=NULL);
+  assert(template_scope!=nullptr);
 
   // produce new declaration
   cpp_declarationt new_decl=to_cpp_declaration(template_symbol.type);
diff --git a/src/cpp/cpp_language.cpp b/src/cpp/cpp_language.cpp
index 59e538265c..c8b7f99965 100644
--- a/src/cpp/cpp_language.cpp
+++ b/src/cpp/cpp_language.cpp
@@ -65,7 +65,7 @@ bool cpp_languaget::preprocess(
   // check extension
 
   const char *ext=strrchr(path.c_str(), '.');
-  if(ext!=NULL && std::string(ext)==".ipp")
+  if(ext!=nullptr && std::string(ext)==".ipp")
   {
     std::ifstream infile(path);
 
diff --git a/src/cpp/cpp_typecheck_compound_type.cpp b/src/cpp/cpp_typecheck_compound_type.cpp
index 12fbfa6784..39b2710952 100644
--- a/src/cpp/cpp_typecheck_compound_type.cpp
+++ b/src/cpp/cpp_typecheck_compound_type.cpp
@@ -109,7 +109,7 @@ void cpp_typecheckt::typecheck_compound_type(
   // get the tag name
   bool has_tag=type.find(ID_tag).is_not_nil();
   irep_idt base_name;
-  cpp_scopet *dest_scope=NULL;
+  cpp_scopet *dest_scope=nullptr;
   bool has_body=type.find(ID_body).is_not_nil();
   bool tag_only_declaration=type.get_bool(ID_C_tag_only_declaration);
 
diff --git a/src/cpp/cpp_typecheck_expr.cpp b/src/cpp/cpp_typecheck_expr.cpp
index e54f69589f..bc398dccfb 100644
--- a/src/cpp/cpp_typecheck_expr.cpp
+++ b/src/cpp/cpp_typecheck_expr.cpp
@@ -471,7 +471,7 @@ struct operator_entryt
   { ID_notequal, "!=" },
   { ID_dereference, "*" },
   { ID_ptrmember, "->" },
-  { irep_idt(), NULL }
+  { irep_idt(), nullptr }
 };
 
 bool cpp_typecheckt::operator_is_overloaded(exprt &expr)
diff --git a/src/cpp/cpp_typecheck_resolve.cpp b/src/cpp/cpp_typecheck_resolve.cpp
index 28d42e6af6..d8e0e8c3d9 100644
--- a/src/cpp/cpp_typecheck_resolve.cpp
+++ b/src/cpp/cpp_typecheck_resolve.cpp
@@ -1117,7 +1117,7 @@ symbol_typet cpp_typecheck_resolvet::disambiguate_template_classes(
       static_cast(
         cpp_typecheck.cpp_scopes.id_map[id]);
 
-    if(template_scope==NULL)
+    if(template_scope==nullptr)
     {
       cpp_typecheck.error().source_location=source_location;
       cpp_typecheck.error() << "template identifier: " << id << '\n'
@@ -1959,7 +1959,7 @@ exprt cpp_typecheck_resolvet::guess_function_template_args(
     static_cast(
       cpp_typecheck.cpp_scopes.id_map[template_identifier]);
 
-  if(template_scope==NULL)
+  if(template_scope==nullptr)
   {
     cpp_typecheck.error().source_location=source_location;
     cpp_typecheck.error() << "template identifier: "
diff --git a/src/cpp/cpp_typecheck_template.cpp b/src/cpp/cpp_typecheck_template.cpp
index 47ebd7f006..5837a5706a 100644
--- a/src/cpp/cpp_typecheck_template.cpp
+++ b/src/cpp/cpp_typecheck_template.cpp
@@ -910,7 +910,7 @@ cpp_template_args_tct cpp_typecheckt::typecheck_template_args(
       // these need to be typechecked in the scope of the template,
       // not in the current scope!
       cpp_idt *template_scope=cpp_scopes.id_map[template_symbol.name];
-      assert(template_scope!=NULL);
+      assert(template_scope!=nullptr);
       cpp_scopes.go_to(*template_scope);
     }
 
@@ -960,7 +960,7 @@ cpp_template_args_tct cpp_typecheckt::typecheck_template_args(
       {
         cpp_save_scopet cpp_saved_scope(cpp_scopes);
         cpp_idt *template_scope=cpp_scopes.id_map[template_symbol.name];
-        assert(template_scope!=NULL);
+        assert(template_scope!=nullptr);
         cpp_scopes.go_to(*template_scope);
         typecheck_type(type);
       }
diff --git a/src/cpp/parse.cpp b/src/cpp/parse.cpp
index a2cd41a8dd..2e7aaaa416 100644
--- a/src/cpp/parse.cpp
+++ b/src/cpp/parse.cpp
@@ -48,7 +48,7 @@ struct indenter // NOLINT(readability/identifiers)
 class new_scopet
 {
 public:
-  new_scopet():kind(kindt::NONE), anon_count(0), parent(NULL)
+  new_scopet():kind(kindt::NONE), anon_count(0), parent(nullptr)
   {
   }
 
@@ -155,7 +155,7 @@ public:
 
   std::string full_name() const
   {
-    return (parent==NULL?"":(parent->full_name()+"::"))+
+    return (parent==nullptr?"":(parent->full_name()+"::"))+
            id2string(id);
   }
 
diff --git a/src/goto-cc/armcc_cmdline.cpp b/src/goto-cc/armcc_cmdline.cpp
index 9cb3fccfd0..d0a16ac95a 100644
--- a/src/goto-cc/armcc_cmdline.cpp
+++ b/src/goto-cc/armcc_cmdline.cpp
@@ -192,7 +192,7 @@ static const char *options_no_arg[]=
   "--translate_gcc",
   "--translate_gld",
   "-W",
-  NULL
+  nullptr
 };
 
 static const char *options_with_prefix[]=
@@ -242,7 +242,7 @@ static const char *options_with_prefix[]=
   "--configure_cpp_headers=",
   "--configure_extra_includes=",
   "--configure_extra_libraries=",
-  NULL
+  nullptr
 };
 
 static const char *options_with_arg[]=
@@ -262,7 +262,7 @@ static const char *options_with_arg[]=
   "-o",
   "--cpu",
   "--apcs",
-  NULL
+  nullptr
 };
 
 bool armcc_cmdlinet::parse(int argc, const char **argv)
diff --git a/src/goto-cc/as86_cmdline.cpp b/src/goto-cc/as86_cmdline.cpp
index e60f0152bc..dce3deecf2 100644
--- a/src/goto-cc/as86_cmdline.cpp
+++ b/src/goto-cc/as86_cmdline.cpp
@@ -23,7 +23,7 @@ const char *goto_as86_options_with_argument[]=
   "--function",
   "--native-assembler",
   "--print-rejected-preprocessed-source",
-  NULL
+  nullptr
 };
 
 const char *as86_options_without_argument[]=
@@ -40,7 +40,7 @@ const char *as86_options_without_argument[]=
   "-u-", // both -u and -u- seem to be accepted
   "-v",
   "-w-",
-  NULL
+  nullptr
 };
 
 const char *as86_options_with_argument[]=
@@ -52,7 +52,7 @@ const char *as86_options_with_argument[]=
   "-b",
   "-s",
   "-t",
-  NULL
+  nullptr
 };
 
 bool as86_cmdlinet::parse(int argc, const char **argv)
@@ -75,7 +75,7 @@ bool as86_cmdlinet::parse(int argc, const char **argv)
 
     // separated only, and also allow concatenation with "="
     for(const char **o=goto_as86_options_with_argument;
-        *o!=NULL && !found;
+        *o!=nullptr && !found;
         ++o)
     {
       std::string os(*o);
@@ -113,7 +113,7 @@ bool as86_cmdlinet::parse(int argc, const char **argv)
     }
 
     for(const char **o=as86_options_with_argument;
-        *o!=NULL && !found;
+        *o!=nullptr && !found;
         ++o)
     {
       std::string os(*o);
diff --git a/src/goto-cc/as_cmdline.cpp b/src/goto-cc/as_cmdline.cpp
index 172b281458..2c22cfc70d 100644
--- a/src/goto-cc/as_cmdline.cpp
+++ b/src/goto-cc/as_cmdline.cpp
@@ -23,7 +23,7 @@ const char *goto_as_options_with_argument[]=
   "--function",
   "--native-assembler",
   "--print-rejected-preprocessed-source",
-  NULL
+  nullptr
 };
 
 const char *as_options_without_argument[]=
@@ -59,7 +59,7 @@ const char *as_options_without_argument[]=
   "--32", // i386
   "--64", // i386
   "-n", // i386
-  NULL
+  nullptr
 };
 
 const char *as_options_with_argument[]=
@@ -74,7 +74,7 @@ const char *as_options_with_argument[]=
   "-o",
   "-march", // i386
   "-mtune", // i386
-  NULL
+  nullptr
 };
 
 bool as_cmdlinet::parse(int argc, const char **argv)
@@ -104,7 +104,7 @@ bool as_cmdlinet::parse(int argc, const char **argv)
 
     // separated only, and also allow concatenation with "="
     for(const char **o=goto_as_options_with_argument;
-        *o!=NULL && !found;
+        *o!=nullptr && !found;
         ++o)
     {
       std::string os(*o);
@@ -170,7 +170,7 @@ bool as_cmdlinet::parse(int argc, const char **argv)
     }
 
     for(const char **o=as_options_with_argument;
-        *o!=NULL && !found;
+        *o!=nullptr && !found;
         ++o)
     {
       std::string os(*o);
diff --git a/src/goto-cc/bcc_cmdline.cpp b/src/goto-cc/bcc_cmdline.cpp
index c4cbbc80b3..f4c0626b14 100644
--- a/src/goto-cc/bcc_cmdline.cpp
+++ b/src/goto-cc/bcc_cmdline.cpp
@@ -24,7 +24,7 @@ const char *goto_bcc_options_with_argument[]=
   "--native-compiler",
   "--native-linker",
   "--print-rejected-preprocessed-source",
-  NULL
+  nullptr
 };
 
 const char *bcc_options_without_argument[]=
@@ -46,7 +46,7 @@ const char *bcc_options_without_argument[]=
   "-x",
   "-W",
   "-ansi",
-  NULL
+  nullptr
 };
 
 const char *bcc_options_with_argument[]=
@@ -64,7 +64,7 @@ const char *bcc_options_with_argument[]=
   "-T",
   "-Q",
   "-t",
-  NULL
+  nullptr
 };
 
 bool bcc_cmdlinet::parse(int argc, const char **argv)
@@ -87,7 +87,7 @@ bool bcc_cmdlinet::parse(int argc, const char **argv)
 
     // separated only, and also allow concatenation with "="
     for(const char **o=goto_bcc_options_with_argument;
-        *o!=NULL && !found;
+        *o!=nullptr && !found;
         ++o)
     {
       std::string os(*o);
@@ -125,7 +125,7 @@ bool bcc_cmdlinet::parse(int argc, const char **argv)
     }
 
     for(const char **o=bcc_options_with_argument;
-        *o!=NULL && !found;
+        *o!=nullptr && !found;
         ++o)
     {
       std::string os(*o);
diff --git a/src/goto-cc/compile.cpp b/src/goto-cc/compile.cpp
index 96b76260e9..d5dcf8b570 100644
--- a/src/goto-cc/compile.cpp
+++ b/src/goto-cc/compile.cpp
@@ -232,7 +232,7 @@ bool compilet::add_input_file(const std::string &file_name)
 
     stream=popen(cmd.str().c_str(), "r");
 
-    if(stream!=NULL)
+    if(stream!=nullptr)
     {
       std::string line;
       int ch; // fgetc returns an int, not char
@@ -472,7 +472,7 @@ bool compilet::parse(const std::string &file_name)
   else
     languagep=get_language_from_filename(file_name);
 
-  if(languagep==NULL)
+  if(languagep==nullptr)
   {
     error() << "failed to figure out type of file `" << file_name << "'" << eom;
     return true;
diff --git a/src/goto-cc/gcc_cmdline.cpp b/src/goto-cc/gcc_cmdline.cpp
index c5b4057ed1..e4b2bb1ddb 100644
--- a/src/goto-cc/gcc_cmdline.cpp
+++ b/src/goto-cc/gcc_cmdline.cpp
@@ -29,7 +29,7 @@ const char *goto_cc_options_with_separated_argument[]=
   "--native-compiler",
   "--native-linker",
   "--print-rejected-preprocessed-source",
-  NULL
+  nullptr
 };
 
 // non-gcc options
@@ -52,7 +52,7 @@ const char *goto_cc_options_without_argument[]=
   "--no-arch",
   "--partial-inlining",
   "-?",
-  NULL
+  nullptr
 };
 
 // separated or concatenated
@@ -75,7 +75,7 @@ const char *gcc_options_with_argument[]=
   "-U",
   "-u", // goes to linker
   "-T", // goes to linker
-  NULL
+  nullptr
 };
 
 const char *gcc_options_with_separated_argument[]=
@@ -107,7 +107,7 @@ const char *gcc_options_with_separated_argument[]=
   "-current_version", // on the Mac
   "-compatibility_version",  // on the Mac
   "-z",
-  NULL
+  nullptr
 };
 
 const char *gcc_options_with_concatenated_argument[]=
@@ -115,7 +115,7 @@ const char *gcc_options_with_concatenated_argument[]=
   "-d",
   "-g",
   "-A",
-  NULL
+  nullptr
 };
 
 const char *gcc_options_without_argument[]=
@@ -209,7 +209,7 @@ const char *gcc_options_without_argument[]=
   "-EB",
   "-EL",
   "-fast", // Apple only
-  NULL
+  nullptr
 };
 
 bool gcc_cmdlinet::parse(int argc, const char **argv)
@@ -282,7 +282,7 @@ bool gcc_cmdlinet::parse_arguments(
 
       // separated only, and also allow concatenation with "="
       for(const char **o=goto_cc_options_with_separated_argument;
-          *o!=NULL && !found;
+          *o!=nullptr && !found;
           ++o)
       {
         if(argv_i==*o) // separated
@@ -354,7 +354,7 @@ bool gcc_cmdlinet::parse_arguments(
 
       // separated only, and also allow concatenation with "="
       for(const char **o=gcc_options_with_separated_argument;
-          *o!=NULL && !found;
+          *o!=nullptr && !found;
           ++o)
       {
         if(argv_i==*o) // separated
@@ -380,7 +380,7 @@ bool gcc_cmdlinet::parse_arguments(
 
       // concatenated _or_ separated, e.g., -I
       for(const char **o=gcc_options_with_argument;
-          *o!=NULL && !found;
+          *o!=nullptr && !found;
           ++o)
       {
         if(argv_i==*o) // separated
@@ -405,7 +405,7 @@ bool gcc_cmdlinet::parse_arguments(
 
       // concatenated only
       for(const char **o=gcc_options_with_concatenated_argument;
-          *o!=NULL && !found;
+          *o!=nullptr && !found;
           ++o)
       {
         if(has_prefix(argv_i, *o)) // concatenated
diff --git a/src/goto-cc/goto_cc_cmdline.cpp b/src/goto-cc/goto_cc_cmdline.cpp
index 71bb06f816..cb030366e3 100644
--- a/src/goto-cc/goto_cc_cmdline.cpp
+++ b/src/goto-cc/goto_cc_cmdline.cpp
@@ -29,7 +29,7 @@ goto_cc_cmdlinet::~goto_cc_cmdlinet()
 
 bool goto_cc_cmdlinet::in_list(const char *option, const char **list)
 {
-  for(std::size_t i=0; list[i]!=NULL; i++)
+  for(std::size_t i=0; list[i]!=nullptr; i++)
   {
     if(strcmp(option, list[i])==0)
       return true;
@@ -43,7 +43,7 @@ bool goto_cc_cmdlinet::prefix_in_list(
   const char **list,
   std::string &prefix)
 {
-  for(std::size_t i=0; list[i]!=NULL; i++)
+  for(std::size_t i=0; list[i]!=nullptr; i++)
   {
     if(strncmp(option, list[i], strlen(list[i]))==0)
     {
diff --git a/src/goto-cc/goto_cc_main.cpp b/src/goto-cc/goto_cc_main.cpp
index ebe885a37a..8d3e422219 100644
--- a/src/goto-cc/goto_cc_main.cpp
+++ b/src/goto-cc/goto_cc_main.cpp
@@ -48,7 +48,7 @@ int main(int argc, const char **argv)
   const char **argv=narrow_argv(argc, argv_wide);
   #endif
 
-  if(argv==NULL || argc<1)
+  if(argv==nullptr || argc<1)
   {
     std::cerr << "failed to determine base name\n";
     return 1;
diff --git a/src/goto-cc/ld_cmdline.cpp b/src/goto-cc/ld_cmdline.cpp
index 1f17dabd10..c77ee68773 100644
--- a/src/goto-cc/ld_cmdline.cpp
+++ b/src/goto-cc/ld_cmdline.cpp
@@ -24,7 +24,7 @@ const char *goto_ld_options_with_argument[]=
   "--verbosity",
   "--native-compiler",
   "--native-linker",
-  NULL
+  nullptr
 };
 
 const char *ld_options_with_argument[]=
@@ -99,7 +99,7 @@ const char *ld_options_with_argument[]=
   "--ios_version_min", // Apple only
   "--macosx_version_min", // Apple only
   "--install_name", // Apple only
-  NULL
+  nullptr
 };
 
 const char *ld_options_without_argument[]=
@@ -233,7 +233,7 @@ const char *ld_options_without_argument[]=
   "--dylib", // Apple only
   "--dylinker", // Apple only
   "--bundle", // Apple only
-  NULL
+  nullptr
 };
 
 bool ld_cmdlinet::parse(int argc, const char **argv)
@@ -262,7 +262,7 @@ bool ld_cmdlinet::parse(int argc, const char **argv)
     bool found=false;
 
     for(const char **o=goto_ld_options_with_argument;
-        *o!=NULL && !found;
+        *o!=nullptr && !found;
         ++o)
     {
       std::string os(*o);
@@ -299,7 +299,7 @@ bool ld_cmdlinet::parse(int argc, const char **argv)
 
     // also store in cmdlinet
 
-    for(const char **o=ld_options_without_argument; *o!=NULL && !found; o++)
+    for(const char **o=ld_options_without_argument; *o!=nullptr && !found; o++)
     {
       std::string os(*o);
       // ld accepts all long options also as short option
@@ -316,7 +316,7 @@ bool ld_cmdlinet::parse(int argc, const char **argv)
     // 2) concatenated with '=' for long options
     // 3) separate
 
-    for(const char **o=ld_options_with_argument; *o!=NULL && !found; o++)
+    for(const char **o=ld_options_with_argument; *o!=nullptr && !found; o++)
     {
       std::string os(*o);
 
diff --git a/src/goto-cc/ms_cl_cmdline.cpp b/src/goto-cc/ms_cl_cmdline.cpp
index ea605ef6d8..cdc9458bb0 100644
--- a/src/goto-cc/ms_cl_cmdline.cpp
+++ b/src/goto-cc/ms_cl_cmdline.cpp
@@ -44,7 +44,7 @@ const char *non_ms_cl_options[]=
   "--partial-inlining",
   "--verbosity",
   "--function",
-  NULL
+  nullptr
 };
 
 bool ms_cl_cmdlinet::parse(const std::vector &options)
@@ -110,7 +110,7 @@ void ms_cl_cmdlinet::parse_env()
 
   const char *CL_env=getenv("CL");
 
-  if(CL_env!=NULL)
+  if(CL_env!=nullptr)
     process_response_file_line(CL_env);
 
   #endif
@@ -275,7 +275,7 @@ void ms_cl_cmdlinet::process_non_cl_option(
 {
   set(s);
 
-  for(unsigned j=0; non_ms_cl_options[j]!=NULL; j++)
+  for(unsigned j=0; non_ms_cl_options[j]!=nullptr; j++)
     if(s==non_ms_cl_options[j])
       return;
 
@@ -288,7 +288,7 @@ void ms_cl_cmdlinet::process_non_cl_option(
 const char *ms_cl_flags[]=
 {
   "c", // compile only
-  NULL
+  nullptr
 };
 
 const char *ms_cl_prefixes[]=
@@ -406,7 +406,7 @@ const char *ms_cl_prefixes[]=
   "MT", //  link with LIBCMT.LIB
   "MDd", //  link with MSVCRTD.LIB debug lib
   "MTd", //  link with LIBCMTD.LIB debug lib
-  NULL
+  nullptr
 };
 
 void ms_cl_cmdlinet::process_cl_option(const std::string &s)
@@ -420,7 +420,7 @@ void ms_cl_cmdlinet::process_cl_option(const std::string &s)
     return;
   }
 
-  for(std::size_t j=0; ms_cl_flags[j]!=NULL; j++)
+  for(std::size_t j=0; ms_cl_flags[j]!=nullptr; j++)
   {
     if(std::string(s, 1, std::string::npos)==ms_cl_flags[j])
     {
@@ -453,7 +453,7 @@ void ms_cl_cmdlinet::process_cl_option(const std::string &s)
     }
   }
 
-  for(std::size_t j=0; ms_cl_prefixes[j]!=NULL; j++)
+  for(std::size_t j=0; ms_cl_prefixes[j]!=nullptr; j++)
   {
     std::string ms_cl_prefix=ms_cl_prefixes[j];
 
diff --git a/src/goto-instrument/dump_c.cpp b/src/goto-instrument/dump_c.cpp
index efa0ac4afc..1020d2021a 100644
--- a/src/goto-instrument/dump_c.cpp
+++ b/src/goto-instrument/dump_c.cpp
@@ -1309,7 +1309,7 @@ static bool find_block_position_rec(
   if(!root.has_operands())
     return false;
 
-  code_blockt *our_dest=0;
+  code_blockt *our_dest=nullptr;
 
   exprt::operandst &operands=root.operands();
   exprt::operandst::iterator first_found=operands.end();
@@ -1400,14 +1400,14 @@ void dump_ct::insert_local_static_decls(
     std::list redundant;
     cleanup_decl(d, redundant, type_decls);
 
-    code_blockt *dest_ptr=0;
+    code_blockt *dest_ptr=nullptr;
     exprt::operandst::iterator before=b.operands().end();
 
     // some use of static variables might be optimised out if it is
     // within an if(false) { ... } block
     if(find_block_position_rec(*it, b, dest_ptr, before))
     {
-      CHECK_RETURN(dest_ptr!=0);
+      CHECK_RETURN(dest_ptr!=nullptr);
       dest_ptr->operands().insert(before, d);
     }
   }
@@ -1437,14 +1437,14 @@ void dump_ct::insert_local_type_decls(
     // another hack to ensure symbols inside types are seen
     skip.type()=type;
 
-    code_blockt *dest_ptr=0;
+    code_blockt *dest_ptr=nullptr;
     exprt::operandst::iterator before=b.operands().end();
 
     // we might not find it in case a transparent union type cast
     // has been removed by cleanup operations
     if(find_block_position_rec(*it, b, dest_ptr, before))
     {
-      CHECK_RETURN(dest_ptr!=0);
+      CHECK_RETURN(dest_ptr!=nullptr);
       dest_ptr->operands().insert(before, skip);
     }
   }
diff --git a/src/goto-instrument/model_argc_argv.cpp b/src/goto-instrument/model_argc_argv.cpp
index bae8010d90..7e01d66e62 100644
--- a/src/goto-instrument/model_argc_argv.cpp
+++ b/src/goto-instrument/model_argc_argv.cpp
@@ -38,7 +38,7 @@ bool model_argc_argv(
   messaget message(message_handler);
   const namespacet ns(symbol_table);
 
-  const symbolt *init_symbol=0;
+  const symbolt *init_symbol=nullptr;
   if(ns.lookup(CPROVER_PREFIX "initialize", init_symbol))
   {
     message.error() << "Linking not done, missing "
diff --git a/src/goto-instrument/wmm/cycle_collection.cpp b/src/goto-instrument/wmm/cycle_collection.cpp
index caef3e7ee7..64b619c436 100644
--- a/src/goto-instrument/wmm/cycle_collection.cpp
+++ b/src/goto-instrument/wmm/cycle_collection.cpp
@@ -56,7 +56,7 @@ void event_grapht::graph_explorert::collect_cycles(
   for(std::size_t i=0; i* order=0;
+  std::list* order=nullptr;
   /* on Power, rfe pairs are also potentially unsafe */
   switch(model)
   {
diff --git a/src/goto-instrument/wmm/goto2graph.cpp b/src/goto-instrument/wmm/goto2graph.cpp
index 7828ac8008..011ef1a36a 100644
--- a/src/goto-instrument/wmm/goto2graph.cpp
+++ b/src/goto-instrument/wmm/goto2graph.cpp
@@ -1198,7 +1198,7 @@ bool instrumentert::is_cfg_spurious(const event_grapht::critical_cyclet &cyc)
     const source_locationt ¤t_location=current_event.source_location;
 
     /* select relevant thread (po) -- or function contained in this thread */
-    goto_programt *current_po=0;
+    goto_programt *current_po=nullptr;
     bool thread_found=false;
 
     Forall_goto_functions(f_it, goto_functions)
diff --git a/src/goto-programs/initialize_goto_model.cpp b/src/goto-programs/initialize_goto_model.cpp
index d284bc403c..eb2b6f8490 100644
--- a/src/goto-programs/initialize_goto_model.cpp
+++ b/src/goto-programs/initialize_goto_model.cpp
@@ -81,7 +81,7 @@ bool initialize_goto_model(
         lf.filename=filename;
         lf.language=get_language_from_filename(filename);
 
-        if(lf.language==NULL)
+        if(lf.language==nullptr)
         {
           source_locationt location;
           location.set_file(filename);
diff --git a/src/goto-programs/interpreter.cpp b/src/goto-programs/interpreter.cpp
index a79910b765..817d04c3a5 100644
--- a/src/goto-programs/interpreter.cpp
+++ b/src/goto-programs/interpreter.cpp
@@ -70,7 +70,7 @@ void interpretert::command()
 {
   #define BUFSIZE 100
   char command[BUFSIZE];
-  if(fgets(command, BUFSIZE-1, stdin)==NULL)
+  if(fgets(command, BUFSIZE-1, stdin)==nullptr)
   {
     done=true;
     return;
diff --git a/src/goto-programs/show_symbol_table.cpp b/src/goto-programs/show_symbol_table.cpp
index 1d5ce87f5a..6a15759f11 100644
--- a/src/goto-programs/show_symbol_table.cpp
+++ b/src/goto-programs/show_symbol_table.cpp
@@ -48,7 +48,7 @@ void show_symbol_table_plain(
     else
     {
       ptr=get_language_from_mode(symbol.mode);
-      if(ptr==NULL)
+      if(ptr==nullptr)
         throw "symbol "+id2string(symbol.name)+" has unknown mode";
     }
 
diff --git a/src/goto-symex/goto_symex_state.cpp b/src/goto-symex/goto_symex_state.cpp
index 6fdf4b54aa..934e8edf71 100644
--- a/src/goto-symex/goto_symex_state.cpp
+++ b/src/goto-symex/goto_symex_state.cpp
@@ -22,10 +22,10 @@ Author: Daniel Kroening, kroening@kroening.com
 
 goto_symex_statet::goto_symex_statet():
   depth(0),
-  symex_target(NULL),
+  symex_target(nullptr),
   atomic_section_id(0),
   record_events(true),
-  dirty(0)
+  dirty(nullptr)
 {
   threads.resize(1);
   new_frame();
@@ -541,7 +541,7 @@ bool goto_symex_statet::l2_thread_read_encoding(
     return false;
 
   // is it a shared object?
-  assert(dirty!=0);
+  assert(dirty!=nullptr);
   const irep_idt &obj_identifier=expr.get_object_name();
   if(obj_identifier=="goto_symex::\\guard" ||
      (!ns.lookup(obj_identifier).is_shared() &&
@@ -666,7 +666,7 @@ bool goto_symex_statet::l2_thread_read_encoding(
   expr=ssa_l1;
 
   // and record that
-  assert(symex_target!=NULL);
+  assert(symex_target!=nullptr);
   symex_target->shared_read(
     guard.as_expr(),
     expr,
@@ -685,7 +685,7 @@ bool goto_symex_statet::l2_thread_write_encoding(
     return false;
 
   // is it a shared object?
-  assert(dirty!=0);
+  assert(dirty!=nullptr);
   const irep_idt &obj_identifier=expr.get_object_name();
   if(obj_identifier=="goto_symex::\\guard" ||
      (!ns.lookup(obj_identifier).is_shared() &&
diff --git a/src/goto-symex/slice_by_trace.cpp b/src/goto-symex/slice_by_trace.cpp
index 80acfa4add..828b457caa 100644
--- a/src/goto-symex/slice_by_trace.cpp
+++ b/src/goto-symex/slice_by_trace.cpp
@@ -187,9 +187,9 @@ void symex_slice_by_tracet::parse_events(std::string read_line)
 {
   if(read_line=="")
     return;
-  bool parity=strstr(read_line.c_str(), "!")==NULL;
-  bool universe=strstr(read_line.c_str(), "?")!=NULL;
-  bool has_values=strstr(read_line.c_str(), " ")!=NULL;
+  bool parity=strstr(read_line.c_str(), "!")==nullptr;
+  bool universe=strstr(read_line.c_str(), "?")!=nullptr;
+  bool has_values=strstr(read_line.c_str(), " ")!=nullptr;
   std::cout << "Trace: " << read_line << '\n';
   std::vector value_v;
   if(has_values)
diff --git a/src/goto-symex/symex_dereference_state.cpp b/src/goto-symex/symex_dereference_state.cpp
index f0e36f5d03..9911ba51e7 100644
--- a/src/goto-symex/symex_dereference_state.cpp
+++ b/src/goto-symex/symex_dereference_state.cpp
@@ -43,7 +43,7 @@ bool symex_dereference_statet::has_failed_symbol(
         !ns.lookup(failed_symbol, symbol))
     {
       symbolt sym=*symbol;
-      symbolt *sym_ptr=0;
+      symbolt *sym_ptr=nullptr;
       symbol_exprt sym_expr=sym.symbol_expr();
       state.rename(sym_expr, ns, goto_symex_statet::L1);
       sym.name=to_ssa_expr(sym_expr).get_identifier();
@@ -64,7 +64,7 @@ bool symex_dereference_statet::has_failed_symbol(
         !ns.lookup(failed_symbol, symbol))
     {
       symbolt sym=*symbol;
-      symbolt *sym_ptr=0;
+      symbolt *sym_ptr=nullptr;
       symbol_exprt sym_expr=sym.symbol_expr();
       state.rename(sym_expr, ns, goto_symex_statet::L1);
       sym.name=to_ssa_expr(sym_expr).get_identifier();
diff --git a/src/goto-symex/symex_function_call.cpp b/src/goto-symex/symex_function_call.cpp
index a71a142b89..06d519e494 100644
--- a/src/goto-symex/symex_function_call.cpp
+++ b/src/goto-symex/symex_function_call.cpp
@@ -139,7 +139,7 @@ void goto_symext::parameter_assignments(
   {
     // These are va_arg arguments; their types may differ from call to call
     unsigned va_count=0;
-    const symbolt *va_sym=0;
+    const symbolt *va_sym=nullptr;
     while(!ns.lookup(
         id2string(function_identifier)+"::va_arg"+std::to_string(va_count),
         va_sym))
diff --git a/src/goto-symex/symex_main.cpp b/src/goto-symex/symex_main.cpp
index b8a1e294f1..4fce789ad3 100644
--- a/src/goto-symex/symex_main.cpp
+++ b/src/goto-symex/symex_main.cpp
@@ -158,7 +158,7 @@ void goto_symext::operator()(
   }
 
   delete state.dirty;
-  state.dirty=0;
+  state.dirty=nullptr;
 }
 
 /// symex starting from given program
diff --git a/src/java_bytecode/java_bytecode_convert_method.cpp b/src/java_bytecode/java_bytecode_convert_method.cpp
index 9adf82a021..69f79be2f2 100644
--- a/src/java_bytecode/java_bytecode_convert_method.cpp
+++ b/src/java_bytecode/java_bytecode_convert_method.cpp
@@ -405,7 +405,7 @@ void java_bytecode_convert_methodt::convert(
 const bytecode_infot &java_bytecode_convert_methodt::get_bytecode_info(
   const irep_idt &statement)
 {
-  for(const bytecode_infot *p=bytecode_info; p->mnemonic!=0; p++)
+  for(const bytecode_infot *p=bytecode_info; p->mnemonic!=nullptr; p++)
     if(statement==p->mnemonic)
       return *p;
 
diff --git a/src/java_bytecode/java_bytecode_parser.cpp b/src/java_bytecode/java_bytecode_parser.cpp
index 77874da494..d24141b76d 100644
--- a/src/java_bytecode/java_bytecode_parser.cpp
+++ b/src/java_bytecode/java_bytecode_parser.cpp
@@ -99,7 +99,7 @@ protected:
   {
     // pre-hash the mnemonics, so we do this only once
     bytecodes.resize(256);
-    for(const bytecode_infot *p=bytecode_info; p->mnemonic!=0; p++)
+    for(const bytecode_infot *p=bytecode_info; p->mnemonic!=nullptr; p++)
     {
       assert(p->opcodeopcode].mnemonic=p->mnemonic;
diff --git a/src/java_bytecode/java_local_variable_table.cpp b/src/java_bytecode/java_local_variable_table.cpp
index 052b958d05..94d5062fb2 100644
--- a/src/java_bytecode/java_local_variable_table.cpp
+++ b/src/java_bytecode/java_local_variable_table.cpp
@@ -288,7 +288,7 @@ static void populate_predecessor_map(
         auto pred_var=
           (predmode);
 
-  if(ptr==NULL)
+  if(ptr==nullptr)
     throw "symbol `"+id2string(symbol->name)+
       "' has unknown mode '"+id2string(symbol->mode)+"'";
 
diff --git a/src/langapi/mode.cpp b/src/langapi/mode.cpp
index 55c533f949..2c3a852b73 100644
--- a/src/langapi/mode.cpp
+++ b/src/langapi/mode.cpp
@@ -45,7 +45,7 @@ languaget *get_language_from_mode(const irep_idt &mode)
     if(mode==it->mode)
       return it->factory();
 
-  return NULL;
+  return nullptr;
 }
 
 languaget *get_language_from_filename(const std::string &filename)
@@ -53,13 +53,13 @@ languaget *get_language_from_filename(const std::string &filename)
   std::size_t ext_pos=filename.rfind('.');
 
   if(ext_pos==std::string::npos)
-    return NULL;
+    return nullptr;
 
   std::string extension=
     std::string(filename, ext_pos+1, std::string::npos);
 
   if(extension=="")
-    return NULL;
+    return nullptr;
 
   for(languagest::const_iterator
       l_it=languages.begin();
@@ -79,7 +79,7 @@ languaget *get_language_from_filename(const std::string &filename)
     #endif
   }
 
-  return NULL;
+  return nullptr;
 }
 
 languaget *get_default_language()
diff --git a/src/miniz/miniz.cpp b/src/miniz/miniz.cpp
index 4fff76e87d..d5dfa3bda1 100644
--- a/src/miniz/miniz.cpp
+++ b/src/miniz/miniz.cpp
@@ -197,7 +197,7 @@ int mz_deflateInit2(mz_streamp pStream, int level, int method, int window_bits,
 
     pStream->data_type = 0;
     pStream->adler = MZ_ADLER32_INIT;
-    pStream->msg = NULL;
+    pStream->msg = nullptr;
     pStream->reserved = 0;
     pStream->total_in = 0;
     pStream->total_out = 0;
@@ -212,7 +212,7 @@ int mz_deflateInit2(mz_streamp pStream, int level, int method, int window_bits,
 
     pStream->state = (struct mz_internal_state *)pComp;
 
-    if(tdefl_init(pComp, NULL, NULL, comp_flags) != TDEFL_STATUS_OKAY)
+    if(tdefl_init(pComp, nullptr, nullptr, comp_flags) != TDEFL_STATUS_OKAY)
     {
         mz_deflateEnd(pStream);
         return MZ_PARAM_ERROR;
@@ -226,7 +226,7 @@ int mz_deflateReset(mz_streamp pStream)
     if((!pStream) || (!pStream->state) || (!pStream->zalloc) || (!pStream->zfree))
         return MZ_STREAM_ERROR;
     pStream->total_in = pStream->total_out = 0;
-    tdefl_init((tdefl_compressor *)pStream->state, NULL, NULL, ((tdefl_compressor *)pStream->state)->m_flags);
+    tdefl_init((tdefl_compressor *)pStream->state, nullptr, nullptr, ((tdefl_compressor *)pStream->state)->m_flags);
     return MZ_OK;
 }
 
@@ -295,7 +295,7 @@ int mz_deflateEnd(mz_streamp pStream)
     if(pStream->state)
     {
         pStream->zfree(pStream->opaque, pStream->state);
-        pStream->state = NULL;
+        pStream->state = nullptr;
     }
     return MZ_OK;
 }
@@ -344,7 +344,7 @@ int mz_compress(unsigned char *pDest, mz_ulong *pDest_len, const unsigned char *
 
 mz_ulong mz_compressBound(mz_ulong source_len)
 {
-    return mz_deflateBound(NULL, source_len);
+    return mz_deflateBound(nullptr, source_len);
 }
 
 typedef struct
@@ -366,7 +366,7 @@ int mz_inflateInit2(mz_streamp pStream, int window_bits)
 
     pStream->data_type = 0;
     pStream->adler = 0;
-    pStream->msg = NULL;
+    pStream->msg = nullptr;
     pStream->total_in = 0;
     pStream->total_out = 0;
     pStream->reserved = 0;
@@ -516,7 +516,7 @@ int mz_inflateEnd(mz_streamp pStream)
     if(pStream->state)
     {
         pStream->zfree(pStream->opaque, pStream->state);
-        pStream->state = NULL;
+        pStream->state = nullptr;
     }
     return MZ_OK;
 }
@@ -566,7 +566,7 @@ const char *mz_error(int err)
     for(i = 0; i < sizeof(s_error_descs) / sizeof(s_error_descs[0]); ++i)
         if(s_error_descs[i].m_err == err)
             return s_error_descs[i].m_pDesc;
-    return NULL;
+    return nullptr;
 }
 
 #endif /*MINIZ_NO_ZLIB_APIS */
@@ -1210,7 +1210,7 @@ static int tdefl_flush_block(tdefl_compressor *d, int flush)
     mz_uint8 *pSaved_output_buf;
     mz_bool comp_block_succeeded = MZ_FALSE;
     int n, use_raw_block = ((d->m_flags & TDEFL_FORCE_ALL_RAW_BLOCKS) != 0) && (d->m_lookahead_pos - d->m_lz_code_buf_dict_pos) <= d->m_dict_size;
-    mz_uint8 *pOutput_buf_start = ((d->m_pPut_buf_func == NULL) && ((*d->m_pOut_buf_size - d->m_out_buf_ofs) >= TDEFL_OUT_BUF_SIZE)) ? ((mz_uint8 *)d->m_pOut_buf + d->m_out_buf_ofs) : d->m_output_buf;
+    mz_uint8 *pOutput_buf_start = ((d->m_pPut_buf_func == nullptr) && ((*d->m_pOut_buf_size - d->m_out_buf_ofs) >= TDEFL_OUT_BUF_SIZE)) ? ((mz_uint8 *)d->m_pOut_buf + d->m_out_buf_ofs) : d->m_output_buf;
 
     d->m_pOutput_buf = pOutput_buf_start;
     d->m_pOutput_buf_end = d->m_pOutput_buf + TDEFL_OUT_BUF_SIZE - 16;
@@ -1839,7 +1839,7 @@ tdefl_status tdefl_compress(tdefl_compressor *d, const void *pIn_buf, size_t *pI
     d->m_out_buf_ofs = 0;
     d->m_flush = flush;
 
-    if(((d->m_pPut_buf_func != NULL) == ((pOut_buf != NULL) || (pOut_buf_size != NULL))) || (d->m_prev_return_status != TDEFL_STATUS_OKAY) ||
+    if(((d->m_pPut_buf_func != nullptr) == ((pOut_buf != nullptr) || (pOut_buf_size != nullptr))) || (d->m_prev_return_status != TDEFL_STATUS_OKAY) ||
         (d->m_wants_to_finish && (flush != TDEFL_FINISH)) || (pIn_buf_size && *pIn_buf_size && !pIn_buf) || (pOut_buf_size && *pOut_buf_size && !pOut_buf))
     {
         if(pIn_buf_size)
@@ -1890,7 +1890,7 @@ tdefl_status tdefl_compress(tdefl_compressor *d, const void *pIn_buf, size_t *pI
 tdefl_status tdefl_compress_buffer(tdefl_compressor *d, const void *pIn_buf, size_t in_buf_size, tdefl_flush flush)
 {
     MZ_ASSERT(d->m_pPut_buf_func);
-    return tdefl_compress(d, pIn_buf, &in_buf_size, NULL, NULL, flush);
+    return tdefl_compress(d, pIn_buf, &in_buf_size, nullptr, nullptr, flush);
 }
 
 tdefl_status tdefl_init(tdefl_compressor *d, tdefl_put_buf_func_ptr pPut_buf_func, void *pPut_buf_user, int flags)
@@ -1913,12 +1913,12 @@ tdefl_status tdefl_init(tdefl_compressor *d, tdefl_put_buf_func_ptr pPut_buf_fun
     d->m_prev_return_status = TDEFL_STATUS_OKAY;
     d->m_saved_match_dist = d->m_saved_match_len = d->m_saved_lit = 0;
     d->m_adler32 = 1;
-    d->m_pIn_buf = NULL;
-    d->m_pOut_buf = NULL;
-    d->m_pIn_buf_size = NULL;
-    d->m_pOut_buf_size = NULL;
+    d->m_pIn_buf = nullptr;
+    d->m_pOut_buf = nullptr;
+    d->m_pIn_buf_size = nullptr;
+    d->m_pOut_buf_size = nullptr;
     d->m_flush = TDEFL_NO_FLUSH;
-    d->m_pSrc = NULL;
+    d->m_pSrc = nullptr;
     d->m_src_buf_left = 0;
     d->m_out_buf_ofs = 0;
     memset(&d->m_huff_count[0][0], 0, sizeof(d->m_huff_count[0][0]) * TDEFL_MAX_HUFF_SYMBOLS_0);
@@ -1993,7 +1993,7 @@ void *tdefl_compress_mem_to_heap(const void *pSrc_buf, size_t src_buf_len, size_
         *pOut_len = 0;
     out_buf.m_expandable = MZ_TRUE;
     if(!tdefl_compress_mem_to_output(pSrc_buf, src_buf_len, tdefl_output_buffer_putter, &out_buf, flags))
-        return NULL;
+        return nullptr;
     *pOut_len = out_buf.m_size;
     return out_buf.m_pBuf;
 }
@@ -2054,14 +2054,14 @@ void *tdefl_write_image_to_png_file_in_memory_ex(const void *pImage, int w, int
     mz_uint32 c;
     *pLen_out = 0;
     if(!pComp)
-        return NULL;
+        return nullptr;
     MZ_CLEAR_OBJ(out_buf);
     out_buf.m_expandable = MZ_TRUE;
     out_buf.m_capacity = 57 + MZ_MAX(64, (1 + bpl) * h);
-    if(NULL == (out_buf.m_pBuf = (mz_uint8 *)MZ_MALLOC(out_buf.m_capacity)))
+    if(nullptr == (out_buf.m_pBuf = (mz_uint8 *)MZ_MALLOC(out_buf.m_capacity)))
     {
         MZ_FREE(pComp);
-        return NULL;
+        return nullptr;
     }
     /* write dummy header */
     for(z = 41; z; --z)
@@ -2073,11 +2073,11 @@ void *tdefl_write_image_to_png_file_in_memory_ex(const void *pImage, int w, int
         tdefl_compress_buffer(pComp, &z, 1, TDEFL_NO_FLUSH);
         tdefl_compress_buffer(pComp, (mz_uint8 *)pImage + (flip ? (h - 1 - y) : y) * bpl, bpl, TDEFL_NO_FLUSH);
     }
-    if(tdefl_compress_buffer(pComp, NULL, 0, TDEFL_FINISH) != TDEFL_STATUS_DONE)
+    if(tdefl_compress_buffer(pComp, nullptr, 0, TDEFL_FINISH) != TDEFL_STATUS_DONE)
     {
         MZ_FREE(pComp);
         MZ_FREE(out_buf.m_pBuf);
-        return NULL;
+        return nullptr;
     }
     /* write real header */
     *pLen_out = out_buf.m_size - 41;
@@ -2097,7 +2097,7 @@ void *tdefl_write_image_to_png_file_in_memory_ex(const void *pImage, int w, int
         *pLen_out = 0;
         MZ_FREE(pComp);
         MZ_FREE(out_buf.m_pBuf);
-        return NULL;
+        return nullptr;
     }
     c = (mz_uint32)mz_crc32(MZ_CRC32_INIT, out_buf.m_pBuf + 41 - 4, *pLen_out + 4);
     for(i = 0; i < 4; ++i, c <<= 8)
@@ -2778,20 +2778,20 @@ common_exit:
 void *tinfl_decompress_mem_to_heap(const void *pSrc_buf, size_t src_buf_len, size_t *pOut_len, int flags)
 {
     tinfl_decompressor decomp;
-    void *pBuf = NULL, *pNew_buf;
+    void *pBuf = nullptr, *pNew_buf;
     size_t src_buf_ofs = 0, out_buf_capacity = 0;
     *pOut_len = 0;
     tinfl_init(&decomp);
     for(;;)
     {
         size_t src_buf_size = src_buf_len - src_buf_ofs, dst_buf_size = out_buf_capacity - *pOut_len, new_out_buf_capacity;
-        tinfl_status status = tinfl_decompress(&decomp, (const mz_uint8 *)pSrc_buf + src_buf_ofs, &src_buf_size, (mz_uint8 *)pBuf, pBuf ? (mz_uint8 *)pBuf + *pOut_len : NULL, &dst_buf_size,
+        tinfl_status status = tinfl_decompress(&decomp, (const mz_uint8 *)pSrc_buf + src_buf_ofs, &src_buf_size, (mz_uint8 *)pBuf, pBuf ? (mz_uint8 *)pBuf + *pOut_len : nullptr, &dst_buf_size,
                                                (flags & ~TINFL_FLAG_HAS_MORE_INPUT) | TINFL_FLAG_USING_NON_WRAPPING_OUTPUT_BUF);
         if((status < 0) || (status == TINFL_STATUS_NEEDS_MORE_INPUT))
         {
             MZ_FREE(pBuf);
             *pOut_len = 0;
-            return NULL;
+            return nullptr;
         }
         src_buf_ofs += src_buf_size;
         *pOut_len += dst_buf_size;
@@ -2805,7 +2805,7 @@ void *tinfl_decompress_mem_to_heap(const void *pSrc_buf, size_t src_buf_len, siz
         {
             MZ_FREE(pBuf);
             *pOut_len = 0;
-            return NULL;
+            return nullptr;
         }
         pBuf = pNew_buf;
         out_buf_capacity = new_out_buf_capacity;
@@ -3175,7 +3175,7 @@ static mz_bool mz_zip_array_ensure_capacity(mz_zip_archive *pZip, mz_zip_array *
         while(new_capacity < min_new_capacity)
             new_capacity *= 2;
     }
-    if(NULL == (pNew_p = pZip->m_pRealloc(pZip->m_pAlloc_opaque, pArray->m_p, pArray->m_element_size, new_capacity)))
+    if(nullptr == (pNew_p = pZip->m_pRealloc(pZip->m_pAlloc_opaque, pArray->m_p, pArray->m_element_size, new_capacity)))
         return MZ_FALSE;
     pArray->m_p = pNew_p;
     pArray->m_capacity = new_capacity;
@@ -3304,7 +3304,7 @@ static mz_bool mz_zip_reader_init_internal(mz_zip_archive *pZip, mz_uint flags)
     pZip->m_total_files = 0;
     pZip->m_last_error = MZ_ZIP_NO_ERROR;
 
-    if(NULL == (pZip->m_pState = (mz_zip_internal_state *)pZip->m_pAlloc(pZip->m_pAlloc_opaque, 1, sizeof(mz_zip_internal_state))))
+    if(nullptr == (pZip->m_pState = (mz_zip_internal_state *)pZip->m_pAlloc(pZip->m_pAlloc_opaque, 1, sizeof(mz_zip_internal_state))))
         return mz_zip_set_error(pZip, MZ_ZIP_ALLOC_FAILED);
 
     memset(pZip->m_pState, 0, sizeof(mz_zip_internal_state));
@@ -3692,7 +3692,7 @@ static mz_bool mz_zip_reader_end_internal(mz_zip_archive *pZip, mz_bool set_last
     if(pZip->m_pState)
     {
         mz_zip_internal_state *pState = pZip->m_pState;
-        pZip->m_pState = NULL;
+        pZip->m_pState = nullptr;
 
         mz_zip_array_clear(pZip, &pState->m_central_dir);
         mz_zip_array_clear(pZip, &pState->m_central_dir_offsets);
@@ -3710,7 +3710,7 @@ static mz_bool mz_zip_reader_end_internal(mz_zip_archive *pZip, mz_bool set_last
                     status = MZ_FALSE;
                 }
             }
-            pState->m_pFile = NULL;
+            pState->m_pFile = nullptr;
         }
 #endif /* #ifndef MINIZ_NO_STDIO */
 
@@ -3899,7 +3899,7 @@ mz_bool mz_zip_reader_init_cfile(mz_zip_archive *pZip, MZ_FILE *pFile, mz_uint64
 static MZ_FORCEINLINE const mz_uint8 *mz_zip_get_cdh(mz_zip_archive *pZip, mz_uint file_index)
 {
     if((!pZip) || (!pZip->m_pState) || (file_index >= pZip->m_total_files))
-        return NULL;
+        return nullptr;
     return &MZ_ZIP_ARRAY_ELEMENT(&pZip->m_pState->m_central_dir, mz_uint8, MZ_ZIP_ARRAY_ELEMENT(&pZip->m_pState->m_central_dir_offsets, mz_uint32, file_index));
 }
 
@@ -4333,7 +4333,7 @@ mz_bool mz_zip_reader_extract_to_mem_no_alloc(mz_zip_archive *pZip, mz_uint file
         if(((sizeof(size_t) == sizeof(mz_uint32))) && (read_buf_size > 0x7FFFFFFF))
             return mz_zip_set_error(pZip, MZ_ZIP_INTERNAL_ERROR);
 
-        if(NULL == (pRead_buf = pZip->m_pAlloc(pZip->m_pAlloc_opaque, 1, (size_t)read_buf_size)))
+        if(nullptr == (pRead_buf = pZip->m_pAlloc(pZip->m_pAlloc_opaque, 1, (size_t)read_buf_size)))
             return mz_zip_set_error(pZip, MZ_ZIP_ALLOC_FAILED);
 
         read_buf_avail = 0;
@@ -4390,19 +4390,19 @@ mz_bool mz_zip_reader_extract_to_mem_no_alloc(mz_zip_archive *pZip, mz_uint file
 mz_bool mz_zip_reader_extract_file_to_mem_no_alloc(mz_zip_archive *pZip, const char *pFilename, void *pBuf, size_t buf_size, mz_uint flags, void *pUser_read_buf, size_t user_read_buf_size)
 {
     mz_uint32 file_index;
-    if(!mz_zip_reader_locate_file_v2(pZip, pFilename, NULL, flags, &file_index))
+    if(!mz_zip_reader_locate_file_v2(pZip, pFilename, nullptr, flags, &file_index))
         return MZ_FALSE;
     return mz_zip_reader_extract_to_mem_no_alloc(pZip, file_index, pBuf, buf_size, flags, pUser_read_buf, user_read_buf_size);
 }
 
 mz_bool mz_zip_reader_extract_to_mem(mz_zip_archive *pZip, mz_uint file_index, void *pBuf, size_t buf_size, mz_uint flags)
 {
-    return mz_zip_reader_extract_to_mem_no_alloc(pZip, file_index, pBuf, buf_size, flags, NULL, 0);
+    return mz_zip_reader_extract_to_mem_no_alloc(pZip, file_index, pBuf, buf_size, flags, nullptr, 0);
 }
 
 mz_bool mz_zip_reader_extract_file_to_mem(mz_zip_archive *pZip, const char *pFilename, void *pBuf, size_t buf_size, mz_uint flags)
 {
-    return mz_zip_reader_extract_file_to_mem_no_alloc(pZip, pFilename, pBuf, buf_size, flags, NULL, 0);
+    return mz_zip_reader_extract_file_to_mem_no_alloc(pZip, pFilename, pBuf, buf_size, flags, nullptr, 0);
 }
 
 void *mz_zip_reader_extract_to_heap(mz_zip_archive *pZip, mz_uint file_index, size_t *pSize, mz_uint flags)
@@ -4417,7 +4417,7 @@ void *mz_zip_reader_extract_to_heap(mz_zip_archive *pZip, mz_uint file_index, si
     if(!p)
     {
         mz_zip_set_error(pZip, MZ_ZIP_INVALID_PARAMETER);
-        return NULL;
+        return nullptr;
     }
 
     comp_size = MZ_READ_LE32(p + MZ_ZIP_CDH_COMPRESSED_SIZE_OFS);
@@ -4427,19 +4427,19 @@ void *mz_zip_reader_extract_to_heap(mz_zip_archive *pZip, mz_uint file_index, si
     if(((sizeof(size_t) == sizeof(mz_uint32))) && (alloc_size > 0x7FFFFFFF))
     {
         mz_zip_set_error(pZip, MZ_ZIP_INTERNAL_ERROR);
-        return NULL;
+        return nullptr;
     }
 
-    if(NULL == (pBuf = pZip->m_pAlloc(pZip->m_pAlloc_opaque, 1, (size_t)alloc_size)))
+    if(nullptr == (pBuf = pZip->m_pAlloc(pZip->m_pAlloc_opaque, 1, (size_t)alloc_size)))
     {
         mz_zip_set_error(pZip, MZ_ZIP_ALLOC_FAILED);
-        return NULL;
+        return nullptr;
     }
 
     if(!mz_zip_reader_extract_to_mem(pZip, file_index, pBuf, (size_t)alloc_size, flags))
     {
         pZip->m_pFree(pZip->m_pAlloc_opaque, pBuf);
-        return NULL;
+        return nullptr;
     }
 
     if(pSize)
@@ -4450,7 +4450,7 @@ void *mz_zip_reader_extract_to_heap(mz_zip_archive *pZip, mz_uint file_index, si
 void *mz_zip_reader_extract_file_to_heap(mz_zip_archive *pZip, const char *pFilename, size_t *pSize, mz_uint flags)
 {
     mz_uint32 file_index;
-    if(!mz_zip_reader_locate_file_v2(pZip, pFilename, NULL, flags, &file_index))
+    if(!mz_zip_reader_locate_file_v2(pZip, pFilename, nullptr, flags, &file_index))
     {
         if(pSize)
             *pSize = 0;
@@ -4465,8 +4465,8 @@ mz_bool mz_zip_reader_extract_to_callback(mz_zip_archive *pZip, mz_uint file_ind
     mz_uint file_crc32 = MZ_CRC32_INIT;
     mz_uint64 read_buf_size, read_buf_ofs = 0, read_buf_avail, comp_remaining, out_buf_ofs = 0, cur_file_ofs;
     mz_zip_archive_file_stat file_stat;
-    void *pRead_buf = NULL;
-    void *pWrite_buf = NULL;
+    void *pRead_buf = nullptr;
+    void *pWrite_buf = nullptr;
     mz_uint32 local_header_u32[(MZ_ZIP_LOCAL_DIR_HEADER_SIZE + sizeof(mz_uint32) - 1) / sizeof(mz_uint32)];
     mz_uint8 *pLocal_header = (mz_uint8 *)local_header_u32;
 
@@ -4510,7 +4510,7 @@ mz_bool mz_zip_reader_extract_to_callback(mz_zip_archive *pZip, mz_uint file_ind
     else
     {
         read_buf_size = MZ_MIN(file_stat.m_comp_size, (mz_uint64)MZ_ZIP_MAX_IO_BUF_SIZE);
-        if(NULL == (pRead_buf = pZip->m_pAlloc(pZip->m_pAlloc_opaque, 1, (size_t)read_buf_size)))
+        if(nullptr == (pRead_buf = pZip->m_pAlloc(pZip->m_pAlloc_opaque, 1, (size_t)read_buf_size)))
             return mz_zip_set_error(pZip, MZ_ZIP_ALLOC_FAILED);
 
         read_buf_avail = 0;
@@ -4578,7 +4578,7 @@ mz_bool mz_zip_reader_extract_to_callback(mz_zip_archive *pZip, mz_uint file_ind
         tinfl_decompressor inflator;
         tinfl_init(&inflator);
 
-        if(NULL == (pWrite_buf = pZip->m_pAlloc(pZip->m_pAlloc_opaque, 1, TINFL_LZ_DICT_SIZE)))
+        if(nullptr == (pWrite_buf = pZip->m_pAlloc(pZip->m_pAlloc_opaque, 1, TINFL_LZ_DICT_SIZE)))
         {
             mz_zip_set_error(pZip, MZ_ZIP_ALLOC_FAILED);
             status = TINFL_STATUS_FAILED;
@@ -4660,7 +4660,7 @@ mz_bool mz_zip_reader_extract_to_callback(mz_zip_archive *pZip, mz_uint file_ind
 mz_bool mz_zip_reader_extract_file_to_callback(mz_zip_archive *pZip, const char *pFilename, mz_file_write_func pCallback, void *pOpaque, mz_uint flags)
 {
     mz_uint32 file_index;
-    if(!mz_zip_reader_locate_file_v2(pZip, pFilename, NULL, flags, &file_index))
+    if(!mz_zip_reader_locate_file_v2(pZip, pFilename, nullptr, flags, &file_index))
         return MZ_FALSE;
 
     return mz_zip_reader_extract_to_callback(pZip, file_index, pCallback, pOpaque, flags);
@@ -4711,7 +4711,7 @@ mz_bool mz_zip_reader_extract_to_file(mz_zip_archive *pZip, mz_uint file_index,
 mz_bool mz_zip_reader_extract_file_to_file(mz_zip_archive *pZip, const char *pArchive_filename, const char *pDst_filename, mz_uint flags)
 {
     mz_uint32 file_index;
-    if(!mz_zip_reader_locate_file_v2(pZip, pArchive_filename, NULL, flags, &file_index))
+    if(!mz_zip_reader_locate_file_v2(pZip, pArchive_filename, nullptr, flags, &file_index))
         return MZ_FALSE;
 
     return mz_zip_reader_extract_to_file(pZip, file_index, pDst_filename, flags);
@@ -4733,7 +4733,7 @@ mz_bool mz_zip_reader_extract_to_cfile(mz_zip_archive *pZip, mz_uint file_index,
 mz_bool mz_zip_reader_extract_file_to_cfile(mz_zip_archive *pZip, const char *pArchive_filename, MZ_FILE *pFile, mz_uint flags)
 {
     mz_uint32 file_index;
-    if(!mz_zip_reader_locate_file_v2(pZip, pArchive_filename, NULL, flags, &file_index))
+    if(!mz_zip_reader_locate_file_v2(pZip, pArchive_filename, nullptr, flags, &file_index))
         return MZ_FALSE;
 
     return mz_zip_reader_extract_to_cfile(pZip, file_index, pFile, flags);
@@ -4989,7 +4989,7 @@ mz_bool mz_zip_validate_archive(mz_zip_archive *pZip, mz_uint flags)
             if(!mz_zip_reader_file_stat(pZip, i, &stat))
                 return MZ_FALSE;
 
-            if(!mz_zip_reader_locate_file_v2(pZip, stat.m_filename, NULL, 0, &found_index))
+            if(!mz_zip_reader_locate_file_v2(pZip, stat.m_filename, nullptr, 0, &found_index))
                 return MZ_FALSE;
 
             /* This check can fail if there are duplicate filenames in the archive (which we don't check for when writing - that's up to the user) */
@@ -5138,7 +5138,7 @@ static size_t mz_zip_heap_write_func(void *pOpaque, mz_uint64 file_ofs, const vo
         while(new_capacity < new_size)
             new_capacity *= 2;
 
-        if(NULL == (pNew_block = pZip->m_pRealloc(pZip->m_pAlloc_opaque, pState->m_pMem, 1, new_capacity)))
+        if(nullptr == (pNew_block = pZip->m_pRealloc(pZip->m_pAlloc_opaque, pState->m_pMem, 1, new_capacity)))
         {
             mz_zip_set_error(pZip, MZ_ZIP_ALLOC_FAILED);
             return 0;
@@ -5165,7 +5165,7 @@ static mz_bool mz_zip_writer_end_internal(mz_zip_archive *pZip, mz_bool set_last
     }
 
     pState = pZip->m_pState;
-    pZip->m_pState = NULL;
+    pZip->m_pState = nullptr;
     mz_zip_array_clear(pZip, &pState->m_central_dir);
     mz_zip_array_clear(pZip, &pState->m_central_dir_offsets);
     mz_zip_array_clear(pZip, &pState->m_sorted_central_dir_offsets);
@@ -5183,14 +5183,14 @@ static mz_bool mz_zip_writer_end_internal(mz_zip_archive *pZip, mz_bool set_last
             }
         }
 
-        pState->m_pFile = NULL;
+        pState->m_pFile = nullptr;
     }
 #endif /* #ifndef MINIZ_NO_STDIO */
 
     if((pZip->m_pWrite == mz_zip_heap_write_func) && (pState->m_pMem))
     {
         pZip->m_pFree(pZip->m_pAlloc_opaque, pState->m_pMem);
-        pState->m_pMem = NULL;
+        pState->m_pMem = nullptr;
     }
 
     pZip->m_pFree(pZip->m_pAlloc_opaque, pState);
@@ -5229,7 +5229,7 @@ mz_bool mz_zip_writer_init_v2(mz_zip_archive *pZip, mz_uint64 existing_size, mz_
     pZip->m_central_directory_file_ofs = 0;
     pZip->m_total_files = 0;
 
-    if(NULL == (pZip->m_pState = (mz_zip_internal_state *)pZip->m_pAlloc(pZip->m_pAlloc_opaque, 1, sizeof(mz_zip_internal_state))))
+    if(nullptr == (pZip->m_pState = (mz_zip_internal_state *)pZip->m_pAlloc(pZip->m_pAlloc_opaque, 1, sizeof(mz_zip_internal_state))))
         return mz_zip_set_error(pZip, MZ_ZIP_ALLOC_FAILED);
 
     memset(pZip->m_pState, 0, sizeof(mz_zip_internal_state));
@@ -5268,7 +5268,7 @@ mz_bool mz_zip_writer_init_heap_v2(mz_zip_archive *pZip, size_t size_to_reserve_
 
     if(0 != (initial_allocation_size = MZ_MAX(initial_allocation_size, size_to_reserve_at_beginning)))
     {
-        if(NULL == (pZip->m_pState->m_pMem = pZip->m_pAlloc(pZip->m_pAlloc_opaque, 1, initial_allocation_size)))
+        if(nullptr == (pZip->m_pState->m_pMem = pZip->m_pAlloc(pZip->m_pAlloc_opaque, 1, initial_allocation_size)))
         {
             mz_zip_writer_end_internal(pZip, MZ_FALSE);
             return mz_zip_set_error(pZip, MZ_ZIP_ALLOC_FAILED);
@@ -5320,7 +5320,7 @@ mz_bool mz_zip_writer_init_file_v2(mz_zip_archive *pZip, const char *pFilename,
     if(!mz_zip_writer_init_v2(pZip, size_to_reserve_at_beginning, flags))
         return MZ_FALSE;
 
-    if(NULL == (pFile = MZ_FOPEN(pFilename, (flags & MZ_ZIP_FLAG_WRITE_ALLOW_READING) ? "w+b" : "wb")))
+    if(nullptr == (pFile = MZ_FOPEN(pFilename, (flags & MZ_ZIP_FLAG_WRITE_ALLOW_READING) ? "w+b" : "wb")))
     {
         mz_zip_writer_end(pZip);
         return mz_zip_set_error(pZip, MZ_ZIP_FILE_OPEN_FAILED);
@@ -5418,7 +5418,7 @@ mz_bool mz_zip_writer_init_from_reader_v2(mz_zip_archive *pZip, const char *pFil
                 return mz_zip_set_error(pZip, MZ_ZIP_INVALID_PARAMETER);
 
             /* Archive is being read from stdio and was originally opened only for reading. Try to reopen as writable. */
-            if(NULL == (pState->m_pFile = MZ_FREOPEN(pFilename, "r+b", pState->m_pFile)))
+            if(nullptr == (pState->m_pFile = MZ_FREOPEN(pFilename, "r+b", pState->m_pFile)))
             {
                 /* The mz_zip_archive is now in a bogus state because pState->m_pFile is NULL, so just close it. */
                 mz_zip_reader_end_internal(pZip, MZ_FALSE);
@@ -5465,7 +5465,7 @@ mz_bool mz_zip_writer_init_from_reader(mz_zip_archive *pZip, const char *pFilena
 /* TODO: pArchive_name is a terrible name here! */
 mz_bool mz_zip_writer_add_mem(mz_zip_archive *pZip, const char *pArchive_name, const void *pBuf, size_t buf_size, mz_uint level_and_flags)
 {
-    return mz_zip_writer_add_mem_ex(pZip, pArchive_name, pBuf, buf_size, NULL, 0, level_and_flags, 0, 0);
+    return mz_zip_writer_add_mem_ex(pZip, pArchive_name, pBuf, buf_size, nullptr, 0, level_and_flags, 0, 0);
 }
 
 typedef struct
@@ -5652,7 +5652,7 @@ static mz_bool mz_zip_writer_write_zeros(mz_zip_archive *pZip, mz_uint64 cur_fil
 mz_bool mz_zip_writer_add_mem_ex(mz_zip_archive *pZip, const char *pArchive_name, const void *pBuf, size_t buf_size, const void *pComment, mz_uint16 comment_size, mz_uint level_and_flags,
                                  mz_uint64 uncomp_size, mz_uint32 uncomp_crc32)
 {
-    return mz_zip_writer_add_mem_ex_v2(pZip, pArchive_name, pBuf, buf_size, pComment, comment_size, level_and_flags, uncomp_size, uncomp_crc32, NULL, NULL, 0, NULL, 0);
+    return mz_zip_writer_add_mem_ex_v2(pZip, pArchive_name, pBuf, buf_size, pComment, comment_size, level_and_flags, uncomp_size, uncomp_crc32, nullptr, nullptr, 0, nullptr, 0);
 }
 
 mz_bool mz_zip_writer_add_mem_ex_v2(mz_zip_archive *pZip, const char *pArchive_name, const void *pBuf, size_t buf_size, const void *pComment, mz_uint16 comment_size,
@@ -5664,10 +5664,10 @@ mz_bool mz_zip_writer_add_mem_ex_v2(mz_zip_archive *pZip, const char *pArchive_n
     mz_uint64 local_dir_header_ofs = pZip->m_archive_size, cur_archive_file_ofs = pZip->m_archive_size, comp_size = 0;
     size_t archive_name_size;
     mz_uint8 local_dir_header[MZ_ZIP_LOCAL_DIR_HEADER_SIZE];
-    tdefl_compressor *pComp = NULL;
+    tdefl_compressor *pComp = nullptr;
     mz_bool store_data_uncompressed;
     mz_zip_internal_state *pState;
-    mz_uint8 *pExtra_data = NULL;
+    mz_uint8 *pExtra_data = nullptr;
     mz_uint32 extra_size = 0;
     mz_uint8 extra_data[MZ_ZIP64_MAX_CENTRAL_EXTRA_FIELD_SIZE];
     mz_uint16 bit_flags = 0;
@@ -5713,7 +5713,7 @@ mz_bool mz_zip_writer_add_mem_ex_v2(mz_zip_archive *pZip, const char *pArchive_n
     if(!mz_zip_writer_validate_archive_name(pArchive_name))
         return mz_zip_set_error(pZip, MZ_ZIP_INVALID_FILENAME);
 
-    if(last_modified != NULL)
+    if(last_modified != nullptr)
     {
         mz_zip_time_t_to_dos_time(*last_modified, &dos_time, &dos_date);
     }
@@ -5764,7 +5764,7 @@ mz_bool mz_zip_writer_add_mem_ex_v2(mz_zip_archive *pZip, const char *pArchive_n
 
     if((!store_data_uncompressed) && (buf_size))
     {
-        if(NULL == (pComp = (tdefl_compressor *)pZip->m_pAlloc(pZip->m_pAlloc_opaque, 1, sizeof(tdefl_compressor))))
+        if(nullptr == (pComp = (tdefl_compressor *)pZip->m_pAlloc(pZip->m_pAlloc_opaque, 1, sizeof(tdefl_compressor))))
             return mz_zip_set_error(pZip, MZ_ZIP_ALLOC_FAILED);
     }
 
@@ -5793,8 +5793,8 @@ mz_bool mz_zip_writer_add_mem_ex_v2(mz_zip_archive *pZip, const char *pArchive_n
         if(uncomp_size >= MZ_UINT32_MAX || local_dir_header_ofs >= MZ_UINT32_MAX)
         {
             pExtra_data = extra_data;
-            extra_size = mz_zip_writer_create_zip64_extra_data(extra_data, (uncomp_size >= MZ_UINT32_MAX) ? &uncomp_size : NULL,
-                                                               (uncomp_size >= MZ_UINT32_MAX) ? &comp_size : NULL, (local_dir_header_ofs >= MZ_UINT32_MAX) ? &local_dir_header_ofs : NULL);
+            extra_size = mz_zip_writer_create_zip64_extra_data(extra_data, (uncomp_size >= MZ_UINT32_MAX) ? &uncomp_size : nullptr,
+                                                               (uncomp_size >= MZ_UINT32_MAX) ? &comp_size : nullptr, (local_dir_header_ofs >= MZ_UINT32_MAX) ? &local_dir_header_ofs : nullptr);
         }
 
         if(!mz_zip_writer_create_local_dir_header(pZip, local_dir_header, (mz_uint16)archive_name_size, extra_size + user_extra_data_len, 0, 0, 0, method, bit_flags, dos_time, dos_date))
@@ -5812,7 +5812,7 @@ mz_bool mz_zip_writer_add_mem_ex_v2(mz_zip_archive *pZip, const char *pArchive_n
         }
         cur_archive_file_ofs += archive_name_size;
 
-        if(pExtra_data != NULL)
+        if(pExtra_data != nullptr)
         {
             if(pZip->m_pWrite(pZip->m_pIO_opaque, cur_archive_file_ofs, extra_data, extra_size) != extra_size)
                 return mz_zip_set_error(pZip, MZ_ZIP_FILE_WRITE_FAILED);
@@ -5890,7 +5890,7 @@ mz_bool mz_zip_writer_add_mem_ex_v2(mz_zip_archive *pZip, const char *pArchive_n
     }
 
     pZip->m_pFree(pZip->m_pAlloc_opaque, pComp);
-    pComp = NULL;
+    pComp = nullptr;
 
     if(uncomp_size)
     {
@@ -5901,7 +5901,7 @@ mz_bool mz_zip_writer_add_mem_ex_v2(mz_zip_archive *pZip, const char *pArchive_n
 
         MZ_WRITE_LE32(local_dir_footer + 0, MZ_ZIP_DATA_DESCRIPTOR_ID);
         MZ_WRITE_LE32(local_dir_footer + 4, uncomp_crc32);
-        if(pExtra_data == NULL)
+        if(pExtra_data == nullptr)
         {
             if((comp_size > MZ_UINT32_MAX) || (cur_archive_file_ofs > MZ_UINT32_MAX))
                 return mz_zip_set_error(pZip, MZ_ZIP_ARCHIVE_TOO_LARGE);
@@ -5922,10 +5922,10 @@ mz_bool mz_zip_writer_add_mem_ex_v2(mz_zip_archive *pZip, const char *pArchive_n
         cur_archive_file_ofs += local_dir_footer_size;
     }
 
-    if(pExtra_data != NULL)
+    if(pExtra_data != nullptr)
     {
-        extra_size = mz_zip_writer_create_zip64_extra_data(extra_data, (uncomp_size >= MZ_UINT32_MAX) ? &uncomp_size : NULL,
-                                                           (uncomp_size >= MZ_UINT32_MAX) ? &comp_size : NULL, (local_dir_header_ofs >= MZ_UINT32_MAX) ? &local_dir_header_ofs : NULL);
+        extra_size = mz_zip_writer_create_zip64_extra_data(extra_data, (uncomp_size >= MZ_UINT32_MAX) ? &uncomp_size : nullptr,
+                                                           (uncomp_size >= MZ_UINT32_MAX) ? &comp_size : nullptr, (local_dir_header_ofs >= MZ_UINT32_MAX) ? &local_dir_header_ofs : nullptr);
     }
 
     if(!mz_zip_writer_add_to_central_dir(pZip, pArchive_name, (mz_uint16)archive_name_size, pExtra_data, extra_size, pComment,
@@ -5949,7 +5949,7 @@ mz_bool mz_zip_writer_add_cfile(mz_zip_archive *pZip, const char *pArchive_name,
     mz_uint64 local_dir_header_ofs, cur_archive_file_ofs = pZip->m_archive_size, uncomp_size = size_to_add, comp_size = 0;
     size_t archive_name_size;
     mz_uint8 local_dir_header[MZ_ZIP_LOCAL_DIR_HEADER_SIZE];
-    mz_uint8 *pExtra_data = NULL;
+    mz_uint8 *pExtra_data = nullptr;
     mz_uint32 extra_size = 0;
     mz_uint8 extra_data[MZ_ZIP64_MAX_CENTRAL_EXTRA_FIELD_SIZE];
     mz_zip_internal_state *pState;
@@ -6049,8 +6049,8 @@ mz_bool mz_zip_writer_add_cfile(mz_zip_archive *pZip, const char *pArchive_name,
         if(uncomp_size >= MZ_UINT32_MAX || local_dir_header_ofs >= MZ_UINT32_MAX)
         {
             pExtra_data = extra_data;
-            extra_size = mz_zip_writer_create_zip64_extra_data(extra_data, (uncomp_size >= MZ_UINT32_MAX) ? &uncomp_size : NULL,
-                                                               (uncomp_size >= MZ_UINT32_MAX) ? &comp_size : NULL, (local_dir_header_ofs >= MZ_UINT32_MAX) ? &local_dir_header_ofs : NULL);
+            extra_size = mz_zip_writer_create_zip64_extra_data(extra_data, (uncomp_size >= MZ_UINT32_MAX) ? &uncomp_size : nullptr,
+                                                               (uncomp_size >= MZ_UINT32_MAX) ? &comp_size : nullptr, (local_dir_header_ofs >= MZ_UINT32_MAX) ? &local_dir_header_ofs : nullptr);
         }
 
         if(!mz_zip_writer_create_local_dir_header(pZip, local_dir_header, (mz_uint16)archive_name_size, extra_size + user_extra_data_len, 0, 0, 0, method, gen_flags, dos_time, dos_date))
@@ -6195,7 +6195,7 @@ mz_bool mz_zip_writer_add_cfile(mz_zip_archive *pZip, const char *pArchive_name,
 
     MZ_WRITE_LE32(local_dir_footer + 0, MZ_ZIP_DATA_DESCRIPTOR_ID);
     MZ_WRITE_LE32(local_dir_footer + 4, uncomp_crc32);
-    if(pExtra_data == NULL)
+    if(pExtra_data == nullptr)
     {
         if(comp_size > MZ_UINT32_MAX)
             return mz_zip_set_error(pZip, MZ_ZIP_ARCHIVE_TOO_LARGE);
@@ -6215,10 +6215,10 @@ mz_bool mz_zip_writer_add_cfile(mz_zip_archive *pZip, const char *pArchive_name,
 
     cur_archive_file_ofs += local_dir_footer_size;
 
-    if(pExtra_data != NULL)
+    if(pExtra_data != nullptr)
     {
-        extra_size = mz_zip_writer_create_zip64_extra_data(extra_data, (uncomp_size >= MZ_UINT32_MAX) ? &uncomp_size : NULL,
-                                                           (uncomp_size >= MZ_UINT32_MAX) ? &comp_size : NULL, (local_dir_header_ofs >= MZ_UINT32_MAX) ? &local_dir_header_ofs : NULL);
+        extra_size = mz_zip_writer_create_zip64_extra_data(extra_data, (uncomp_size >= MZ_UINT32_MAX) ? &uncomp_size : nullptr,
+                                                           (uncomp_size >= MZ_UINT32_MAX) ? &comp_size : nullptr, (local_dir_header_ofs >= MZ_UINT32_MAX) ? &local_dir_header_ofs : nullptr);
     }
 
     if(!mz_zip_writer_add_to_central_dir(pZip, pArchive_name, (mz_uint16)archive_name_size, pExtra_data, extra_size, pComment, comment_size,
@@ -6234,10 +6234,10 @@ mz_bool mz_zip_writer_add_cfile(mz_zip_archive *pZip, const char *pArchive_name,
 
 mz_bool mz_zip_writer_add_file(mz_zip_archive *pZip, const char *pArchive_name, const char *pSrc_filename, const void *pComment, mz_uint16 comment_size, mz_uint level_and_flags)
 {
-    MZ_FILE *pSrc_file = NULL;
+    MZ_FILE *pSrc_file = nullptr;
     mz_uint64 uncomp_size = 0;
     MZ_TIME_T file_modified_time;
-    MZ_TIME_T *pFile_time = NULL;
+    MZ_TIME_T *pFile_time = nullptr;
 
     memset(&file_modified_time, 0, sizeof(file_modified_time));
 
@@ -6255,7 +6255,7 @@ mz_bool mz_zip_writer_add_file(mz_zip_archive *pZip, const char *pArchive_name,
     uncomp_size = MZ_FTELL64(pSrc_file);
     MZ_FSEEK64(pSrc_file, 0, SEEK_SET);
 
-    mz_bool status = mz_zip_writer_add_cfile(pZip, pArchive_name, pSrc_file, uncomp_size, pFile_time, pComment, comment_size, level_and_flags, NULL, 0, NULL, 0);
+    mz_bool status = mz_zip_writer_add_cfile(pZip, pArchive_name, pSrc_file, uncomp_size, pFile_time, pComment, comment_size, level_and_flags, nullptr, 0, nullptr, 0);
 
     MZ_FCLOSE(pSrc_file);
 
@@ -6372,7 +6372,7 @@ mz_bool mz_zip_writer_add_from_zip_reader(mz_zip_archive *pZip, mz_zip_archive *
         return mz_zip_set_error(pZip, MZ_ZIP_INVALID_PARAMETER);
 
     /* Get pointer to the source central dir header and crack it */
-    if(NULL == (pSrc_central_header = mz_zip_get_cdh(pSource_zip, src_file_index)))
+    if(nullptr == (pSrc_central_header = mz_zip_get_cdh(pSource_zip, src_file_index)))
         return mz_zip_set_error(pZip, MZ_ZIP_INVALID_PARAMETER);
 
     if(MZ_READ_LE32(pSrc_central_header + MZ_ZIP_CDH_SIG_OFS) != MZ_ZIP_CENTRAL_DIR_HEADER_SIG)
@@ -6401,7 +6401,7 @@ mz_bool mz_zip_writer_add_from_zip_reader(mz_zip_archive *pZip, mz_zip_archive *
             return mz_zip_set_error(pZip, MZ_ZIP_TOO_MANY_FILES);
     }
 
-    if(!mz_zip_file_stat_internal(pSource_zip, src_file_index, pSrc_central_header, &src_file_stat, NULL))
+    if(!mz_zip_file_stat_internal(pSource_zip, src_file_index, pSrc_central_header, &src_file_stat, nullptr))
         return MZ_FALSE;
 
     cur_src_file_ofs = src_file_stat.m_local_header_ofs;
@@ -6516,7 +6516,7 @@ mz_bool mz_zip_writer_add_from_zip_reader(mz_zip_archive *pZip, mz_zip_archive *
     cur_dst_file_ofs += MZ_ZIP_LOCAL_DIR_HEADER_SIZE;
 
     /* Copy over the source archive bytes to the dest archive, also ensure we have enough buf space to handle optional data descriptor */
-    if(NULL == (pBuf = pZip->m_pAlloc(pZip->m_pAlloc_opaque, 1, (size_t)MZ_MAX(32U, MZ_MIN((mz_uint64)MZ_ZIP_MAX_IO_BUF_SIZE, src_archive_bytes_remaining)))))
+    if(nullptr == (pBuf = pZip->m_pAlloc(pZip->m_pAlloc_opaque, 1, (size_t)MZ_MAX(32U, MZ_MIN((mz_uint64)MZ_ZIP_MAX_IO_BUF_SIZE, src_archive_bytes_remaining)))))
         return mz_zip_set_error(pZip, MZ_ZIP_ALLOC_FAILED);
 
     while(src_archive_bytes_remaining)
@@ -6624,7 +6624,7 @@ mz_bool mz_zip_writer_add_from_zip_reader(mz_zip_archive *pZip, mz_zip_archive *
         MZ_WRITE_LE32(new_central_header + MZ_ZIP_CDH_DECOMPRESSED_SIZE_OFS, MZ_UINT32_MAX);
         MZ_WRITE_LE32(new_central_header + MZ_ZIP_CDH_LOCAL_HEADER_OFS, MZ_UINT32_MAX);
 
-        if(!mz_zip_writer_update_zip64_extension_block(&new_ext_block, pZip, pSrc_ext, src_ext_len, &src_file_stat.m_comp_size, &src_file_stat.m_uncomp_size, &local_dir_header_ofs, NULL))
+        if(!mz_zip_writer_update_zip64_extension_block(&new_ext_block, pZip, pSrc_ext, src_ext_len, &src_file_stat.m_comp_size, &src_file_stat.m_uncomp_size, &local_dir_header_ofs, nullptr))
         {
             mz_zip_array_clear(pZip, &new_ext_block);
             return MZ_FALSE;
@@ -6796,7 +6796,7 @@ mz_bool mz_zip_writer_finalize_heap_archive(mz_zip_archive *pZip, void **ppBuf,
     if((!ppBuf) || (!pSize))
         return mz_zip_set_error(pZip, MZ_ZIP_INVALID_PARAMETER);
 
-    *ppBuf = NULL;
+    *ppBuf = nullptr;
     *pSize = 0;
 
     if((!pZip) || (!pZip->m_pState))
@@ -6810,7 +6810,7 @@ mz_bool mz_zip_writer_finalize_heap_archive(mz_zip_archive *pZip, void **ppBuf,
 
     *ppBuf = pZip->m_pState->m_pMem;
     *pSize = pZip->m_pState->m_mem_size;
-    pZip->m_pState->m_pMem = NULL;
+    pZip->m_pState->m_pMem = nullptr;
     pZip->m_pState->m_mem_size = pZip->m_pState->m_mem_capacity = 0;
 
     return MZ_TRUE;
@@ -6824,7 +6824,7 @@ mz_bool mz_zip_writer_end(mz_zip_archive *pZip)
 #ifndef MINIZ_NO_STDIO
 mz_bool mz_zip_add_mem_to_archive_file_in_place(const char *pZip_filename, const char *pArchive_name, const void *pBuf, size_t buf_size, const void *pComment, mz_uint16 comment_size, mz_uint level_and_flags)
 {
-    return mz_zip_add_mem_to_archive_file_in_place_v2(pZip_filename, pArchive_name, pBuf, buf_size, pComment, comment_size, level_and_flags, NULL);
+    return mz_zip_add_mem_to_archive_file_in_place_v2(pZip_filename, pArchive_name, pBuf, buf_size, pComment, comment_size, level_and_flags, nullptr);
 }
 
 mz_bool mz_zip_add_mem_to_archive_file_in_place_v2(const char *pZip_filename, const char *pArchive_name, const void *pBuf, size_t buf_size, const void *pComment, mz_uint16 comment_size, mz_uint level_and_flags, mz_zip_error *pErr)
@@ -6924,7 +6924,7 @@ void *mz_zip_extract_archive_file_to_heap_v2(const char *pZip_filename, const ch
 {
     mz_uint32 file_index;
     mz_zip_archive zip_archive;
-    void *p = NULL;
+    void *p = nullptr;
 
     if(pSize)
         *pSize = 0;
@@ -6934,7 +6934,7 @@ void *mz_zip_extract_archive_file_to_heap_v2(const char *pZip_filename, const ch
         if(pErr)
             *pErr = MZ_ZIP_INVALID_PARAMETER;
 
-        return NULL;
+        return nullptr;
     }
 
     mz_zip_zero_struct(&zip_archive);
@@ -6943,7 +6943,7 @@ void *mz_zip_extract_archive_file_to_heap_v2(const char *pZip_filename, const ch
         if(pErr)
             *pErr = zip_archive.m_last_error;
 
-        return NULL;
+        return nullptr;
     }
 
     if(mz_zip_reader_locate_file_v2(&zip_archive, pArchive_name, pComment, flags, &file_index))
@@ -6951,7 +6951,7 @@ void *mz_zip_extract_archive_file_to_heap_v2(const char *pZip_filename, const ch
         p = mz_zip_reader_extract_to_heap(&zip_archive, file_index, pSize, flags);
     }
 
-    mz_zip_reader_end_internal(&zip_archive, p != NULL);
+    mz_zip_reader_end_internal(&zip_archive, p != nullptr);
 
     if(pErr)
         *pErr = zip_archive.m_last_error;
@@ -6961,7 +6961,7 @@ void *mz_zip_extract_archive_file_to_heap_v2(const char *pZip_filename, const ch
 
 void *mz_zip_extract_archive_file_to_heap(const char *pZip_filename, const char *pArchive_name, size_t *pSize, mz_uint flags)
 {
-    return mz_zip_extract_archive_file_to_heap_v2(pZip_filename, pArchive_name, NULL, pSize, flags, NULL);
+    return mz_zip_extract_archive_file_to_heap_v2(pZip_filename, pArchive_name, nullptr, pSize, flags, nullptr);
 }
 
 #endif /* #ifndef MINIZ_NO_STDIO */
@@ -7133,7 +7133,7 @@ mz_uint64 mz_zip_get_archive_file_start_offset(mz_zip_archive *pZip)
 MZ_FILE *mz_zip_get_cfile(mz_zip_archive *pZip)
 {
     if((!pZip) || (!pZip->m_pState))
-        return 0;
+        return nullptr;
     return pZip->m_pState->m_pFile;
 }
 
@@ -7168,7 +7168,7 @@ mz_uint mz_zip_reader_get_filename(mz_zip_archive *pZip, mz_uint file_index, cha
 
 mz_bool mz_zip_reader_file_stat(mz_zip_archive *pZip, mz_uint file_index, mz_zip_archive_file_stat *pStat)
 {
-    return mz_zip_file_stat_internal(pZip, file_index, mz_zip_get_cdh(pZip, file_index), pStat, NULL);
+    return mz_zip_file_stat_internal(pZip, file_index, mz_zip_get_cdh(pZip, file_index), pStat, nullptr);
 }
 
 mz_bool mz_zip_end(mz_zip_archive *pZip)
diff --git a/src/path-symex/path_symex_history.h b/src/path-symex/path_symex_history.h
index 4371e5e26d..e2fbc3273f 100644
--- a/src/path-symex/path_symex_history.h
+++ b/src/path-symex/path_symex_history.h
@@ -35,7 +35,7 @@ public:
   }
 
   path_symex_step_reft():
-    index(std::numeric_limits::max()), history(0)
+    index(std::numeric_limits::max()), history(nullptr)
   {
   }
 
@@ -46,7 +46,7 @@ public:
 
   path_symex_historyt &get_history() const
   {
-    assert(history!=0);
+    assert(history!=nullptr);
     return *history;
   }
 
@@ -154,7 +154,7 @@ public:
 
 inline void path_symex_step_reft::generate_successor()
 {
-  assert(history!=0);
+  assert(history!=nullptr);
   path_symex_step_reft old=*this;
   index=history->step_container.size();
   history->step_container.push_back(path_symex_stept());
@@ -169,7 +169,7 @@ inline path_symex_step_reft &path_symex_step_reft::operator--()
 
 inline path_symex_stept &path_symex_step_reft::get() const
 {
-  assert(history!=0);
+  assert(history!=nullptr);
   assert(!is_nil());
   return history->step_container[index];
 }
diff --git a/src/path-symex/path_symex_state_read.cpp b/src/path-symex/path_symex_state_read.cpp
index a6993c19b0..139b6956a0 100644
--- a/src/path-symex/path_symex_state_read.cpp
+++ b/src/path-symex/path_symex_state_read.cpp
@@ -430,7 +430,7 @@ bool path_symex_statet::is_symbol_member_index(const exprt &src) const
   // the loop avoids recursion
   while(true)
   {
-    const exprt *next=0;
+    const exprt *next=nullptr;
 
     if(current->id()==ID_symbol)
     {
@@ -465,7 +465,7 @@ bool path_symex_statet::is_symbol_member_index(const exprt &src) const
       return false;
 
     // next round
-    assert(next!=0);
+    assert(next!=nullptr);
     current=next;
   }
 }
diff --git a/src/path-symex/var_map.cpp b/src/path-symex/var_map.cpp
index f5dea20a96..96d079c48f 100644
--- a/src/path-symex/var_map.cpp
+++ b/src/path-symex/var_map.cpp
@@ -84,7 +84,7 @@ void var_mapt::init(var_infot &var_info)
     }
     else
     {
-      const symbolt *symbol=0;
+      const symbolt *symbol=nullptr;
       if(ns.lookup(var_info.symbol, symbol))
         throw "var_mapt::init identifier \""
           +id2string(var_info.full_identifier)
diff --git a/src/pointer-analysis/value_set_fi.cpp b/src/pointer-analysis/value_set_fi.cpp
index 77962a3b3b..d08694b82d 100644
--- a/src/pointer-analysis/value_set_fi.cpp
+++ b/src/pointer-analysis/value_set_fi.cpp
@@ -550,18 +550,18 @@ void value_set_fit::get_value_set_rec(
     if(expr.type().id()==ID_pointer)
     {
       // find the pointer operand
-      const exprt *ptr_operand=NULL;
+      const exprt *ptr_operand=nullptr;
 
       forall_operands(it, expr)
         if(it->type().id()==ID_pointer)
         {
-          if(ptr_operand==NULL)
+          if(ptr_operand==nullptr)
             ptr_operand=&(*it);
           else
             throw "more than one pointer operand in pointer arithmetic";
         }
 
-      if(ptr_operand==NULL)
+      if(ptr_operand==nullptr)
         throw "pointer type sum expected to have pointer operand";
 
       object_mapt pointer_expr_set;
diff --git a/src/pointer-analysis/value_set_fivr.cpp b/src/pointer-analysis/value_set_fivr.cpp
index 6bd7e1321e..3ea5ef1aa8 100644
--- a/src/pointer-analysis/value_set_fivr.cpp
+++ b/src/pointer-analysis/value_set_fivr.cpp
@@ -668,18 +668,18 @@ void value_set_fivrt::get_value_set_rec(
     if(expr.type().id()==ID_pointer)
     {
       // find the pointer operand
-      const exprt *ptr_operand=NULL;
+      const exprt *ptr_operand=nullptr;
 
       forall_operands(it, expr)
         if(it->type().id()==ID_pointer)
         {
-          if(ptr_operand==NULL)
+          if(ptr_operand==nullptr)
             ptr_operand=&(*it);
           else
             throw "more than one pointer operand in pointer arithmetic";
         }
 
-      if(ptr_operand==NULL)
+      if(ptr_operand==nullptr)
         throw "pointer type sum expected to have pointer operand";
 
       object_mapt pointer_expr_set;
diff --git a/src/pointer-analysis/value_set_fivrns.cpp b/src/pointer-analysis/value_set_fivrns.cpp
index 0eaf08b201..3b5ce55a3a 100644
--- a/src/pointer-analysis/value_set_fivrns.cpp
+++ b/src/pointer-analysis/value_set_fivrns.cpp
@@ -454,18 +454,18 @@ void value_set_fivrnst::get_value_set_rec(
     if(expr.type().id()==ID_pointer)
     {
       // find the pointer operand
-      const exprt *ptr_operand=NULL;
+      const exprt *ptr_operand=nullptr;
 
       forall_operands(it, expr)
         if(it->type().id()==ID_pointer)
         {
-          if(ptr_operand==NULL)
+          if(ptr_operand==nullptr)
             ptr_operand=&(*it);
           else
             throw "more than one pointer operand in pointer arithmetic";
         }
 
-      if(ptr_operand==NULL)
+      if(ptr_operand==nullptr)
         throw "pointer type sum expected to have pointer operand";
 
       object_mapt pointer_expr_set;
diff --git a/src/solvers/miniBDD/miniBDD.h b/src/solvers/miniBDD/miniBDD.h
index f7dde020fe..9b994b88ff 100644
--- a/src/solvers/miniBDD/miniBDD.h
+++ b/src/solvers/miniBDD/miniBDD.h
@@ -55,7 +55,7 @@ public:
   unsigned node_number() const;
   void clear();
 
-  bool is_initialized() const { return node!=0; }
+  bool is_initialized() const { return node!=nullptr; }
 
   // internal
   explicit mini_bddt(class mini_bdd_nodet *_node);
diff --git a/src/solvers/miniBDD/miniBDD.inc b/src/solvers/miniBDD/miniBDD.inc
index 091725ed33..a2077ab95f 100644
--- a/src/solvers/miniBDD/miniBDD.inc
+++ b/src/solvers/miniBDD/miniBDD.inc
@@ -2,7 +2,7 @@
 
 // inline functions
 
-inline mini_bddt::mini_bddt():node(0)
+inline mini_bddt::mini_bddt():node(nullptr)
 {
 }
 
@@ -82,7 +82,7 @@ inline void mini_bddt::clear()
   if(is_initialized())
   {
     node->remove_reference();
-    node=NULL;
+    node=nullptr;
   }
 }
 
diff --git a/src/solvers/sat/pbs_dimacs_cnf.cpp b/src/solvers/sat/pbs_dimacs_cnf.cpp
index 731c6ac7ae..69e4c78a29 100644
--- a/src/solvers/sat/pbs_dimacs_cnf.cpp
+++ b/src/solvers/sat/pbs_dimacs_cnf.cpp
@@ -125,7 +125,7 @@ bool pbs_dimacs_cnft::pbs_solve()
     {
       std::getline(file, line);
       if(strstr(line.c_str(),
-                "Variable Assignments Satisfying CNF Formula:")!=NULL)
+                "Variable Assignments Satisfying CNF Formula:")!=nullptr)
         {
           // print ("Reading assignments...\n");
           // std::cout << "No literals: " << no_variables() << "\n";
@@ -143,12 +143,12 @@ bool pbs_dimacs_cnft::pbs_solve()
           // std::cout << "\n";
           // print ("Finished reading assignments.\n");
         }
-      else if(strstr(line.c_str(), "SAT... SUM")!=NULL)
+      else if(strstr(line.c_str(), "SAT... SUM")!=nullptr)
         {
           // print (line);
           sscanf(line.c_str(), "%*s %*s %*s %d", &opt_sum);
         }
-      else if(strstr(line.c_str(), "SAT - All implied")!=NULL)
+      else if(strstr(line.c_str(), "SAT - All implied")!=nullptr)
         {
           // print (line);
           sscanf(
@@ -156,15 +156,15 @@ bool pbs_dimacs_cnft::pbs_solve()
             "%*s %*s %*s %*s %*s %*s %*s %*s %*s %*s %*s %d",
             &opt_sum);
         }
-      else if(strstr(line.c_str(), "SAT... Solution")!=NULL)
+      else if(strstr(line.c_str(), "SAT... Solution")!=nullptr)
         {
           // print(line);
           sscanf(line.c_str(), "%*s %*s %*s %d", &opt_sum);
         }
-      else if(strstr(line.c_str(), "Optimal Soln")!=NULL)
+      else if(strstr(line.c_str(), "Optimal Soln")!=nullptr)
         {
           // print(line);
-          if(strstr(line.c_str(), "time out")!=NULL)
+          if(strstr(line.c_str(), "time out")!=nullptr)
             {
               status() << "WARNING:  TIMED OUT.  SOLUTION MAY BE INCORRECT."
                        << eom;
diff --git a/src/util/config.cpp b/src/util/config.cpp
index ee24ab7b0f..a256ff6b17 100644
--- a/src/util/config.cpp
+++ b/src/util/config.cpp
@@ -739,7 +739,7 @@ bool configt::set(const cmdlinet &cmdline)
   ansi_c.arch="none";
   ansi_c.lib=configt::ansi_ct::libt::LIB_NONE;
   // NOLINTNEXTLINE(readability/casting)
-  ansi_c.NULL_is_zero=reinterpret_cast((void*)0)==0;
+  ansi_c.NULL_is_zero=reinterpret_cast(nullptr)==0;
 
   // Default is ROUND_TO_EVEN, justified by C99:
   // 1 At program startup the floating-point environment is initialized as
@@ -773,7 +773,7 @@ bool configt::set(const cmdlinet &cmdline)
   {
     // environment variable set?
     const char *CLASSPATH=getenv("CLASSPATH");
-    if(CLASSPATH!=NULL)
+    if(CLASSPATH!=nullptr)
       set_classpath(CLASSPATH);
     else
       set_classpath("."); // default
diff --git a/src/util/file_util.cpp b/src/util/file_util.cpp
index 3753fa5aab..37dfd59587 100644
--- a/src/util/file_util.cpp
+++ b/src/util/file_util.cpp
@@ -51,7 +51,7 @@ std::string get_current_working_directory()
 
   errno=0;
 
-  while(buf && getcwd(buf, bsize-1)==NULL && errno==ERANGE)
+  while(buf && getcwd(buf, bsize-1)==nullptr && errno==ERANGE)
   {
     bsize*=2;
     buf=reinterpret_cast(realloc(buf, sizeof(char)*bsize));
@@ -98,10 +98,10 @@ void delete_directory(const std::string &path)
   delete_directory_utf16(utf8_to_utf16_little_endian(path));
 #else
   DIR *dir=opendir(path.c_str());
-  if(dir!=NULL)
+  if(dir!=nullptr)
   {
     struct dirent *ent;
-    while((ent=readdir(dir))!=NULL)
+    while((ent=readdir(dir))!=nullptr)
     {
       // Needed for Alpine Linux
       if(strcmp(ent->d_name, ".")==0 || strcmp(ent->d_name, "..")==0)
diff --git a/src/util/invariant.cpp b/src/util/invariant.cpp
index b0047cccf4..5e63639556 100644
--- a/src/util/invariant.cpp
+++ b/src/util/invariant.cpp
@@ -57,7 +57,7 @@ static bool output_demangled_name(
 
     int demangle_success=1;
     char *demangled=
-      abi::__cxa_demangle(mangled.c_str(), NULL, 0, &demangle_success);
+      abi::__cxa_demangle(mangled.c_str(), nullptr, nullptr, &demangle_success);
 
     if(demangle_success==0)
     {
diff --git a/src/util/irep_ids.cpp b/src/util/irep_ids.cpp
index 8aff81777a..50e0f537fa 100644
--- a/src/util/irep_ids.cpp
+++ b/src/util/irep_ids.cpp
@@ -22,7 +22,7 @@ const char *irep_ids_table[]=
 
 #include "irep_ids.def"
 
-  NULL,
+  nullptr,
 };
 
 #ifdef USE_DSTRING
@@ -47,7 +47,7 @@ void initialize_string_container()
 {
   // this is called by the constructor of string_containert
 
-  for(unsigned i=0; irep_ids_table[i]!=NULL; i++)
+  for(unsigned i=0; irep_ids_table[i]!=nullptr; i++)
   {
     unsigned x;
     x=string_container[irep_ids_table[i]];
diff --git a/src/util/language_file.cpp b/src/util/language_file.cpp
index 2aa57a85c6..7ca179f68f 100644
--- a/src/util/language_file.cpp
+++ b/src/util/language_file.cpp
@@ -14,14 +14,14 @@ Author: Daniel Kroening, kroening@kroening.com
 
 language_filet::language_filet(const language_filet &rhs):
   modules(rhs.modules),
-  language(rhs.language==NULL?NULL:rhs.language->new_language()),
+  language(rhs.language==nullptr?nullptr:rhs.language->new_language()),
   filename(rhs.filename)
 {
 }
 
 language_filet::~language_filet()
 {
-  if(language!=NULL)
+  if(language!=nullptr)
     delete language;
 }
 
diff --git a/src/util/language_file.h b/src/util/language_file.h
index e2e8750be5..a18d4685a3 100644
--- a/src/util/language_file.h
+++ b/src/util/language_file.h
@@ -49,7 +49,7 @@ public:
 
   language_filet(const language_filet &rhs);
 
-  language_filet():language(NULL)
+  language_filet():language(nullptr)
   {
   }
 
diff --git a/src/util/message.h b/src/util/message.h
index 41c9117400..c3d73d5f4d 100644
--- a/src/util/message.h
+++ b/src/util/message.h
@@ -133,7 +133,7 @@ public:
   // constructors, destructor
 
   messaget():
-    message_handler(NULL),
+    message_handler(nullptr),
     mstream(M_DEBUG, *this)
   {
   }
diff --git a/src/util/namespace.cpp b/src/util/namespace.cpp
index 50de95f296..218e73d285 100644
--- a/src/util/namespace.cpp
+++ b/src/util/namespace.cpp
@@ -127,10 +127,10 @@ unsigned namespacet::get_max(const std::string &prefix) const
 {
   unsigned m=0;
 
-  if(symbol_table1!=NULL)
+  if(symbol_table1!=nullptr)
     m=std::max(m, ::get_max(prefix, symbol_table1->symbols));
 
-  if(symbol_table2!=NULL)
+  if(symbol_table2!=nullptr)
     m=std::max(m, ::get_max(prefix, symbol_table2->symbols));
 
   return m;
@@ -142,7 +142,7 @@ bool namespacet::lookup(
 {
   symbol_tablet::symbolst::const_iterator it;
 
-  if(symbol_table1!=NULL)
+  if(symbol_table1!=nullptr)
   {
     it=symbol_table1->symbols.find(name);
 
@@ -153,7 +153,7 @@ bool namespacet::lookup(
     }
   }
 
-  if(symbol_table2!=NULL)
+  if(symbol_table2!=nullptr)
   {
     it=symbol_table2->symbols.find(name);
 
diff --git a/src/util/namespace.h b/src/util/namespace.h
index ea6b33cfdb..a3b9f3827c 100644
--- a/src/util/namespace.h
+++ b/src/util/namespace.h
@@ -64,7 +64,7 @@ class namespacet:public namespace_baset
 public:
   // constructors
   explicit namespacet(const symbol_tablet &_symbol_table)
-  { symbol_table1=&_symbol_table; symbol_table2=NULL; }
+  { symbol_table1=&_symbol_table; symbol_table2=nullptr; }
 
   namespacet(
     const symbol_tablet &_symbol_table1,
@@ -101,12 +101,12 @@ class multi_namespacet:public namespacet
 {
 public:
   // constructors
-  multi_namespacet():namespacet(NULL, NULL)
+  multi_namespacet():namespacet(nullptr, nullptr)
   {
   }
 
   explicit multi_namespacet(
-    const symbol_tablet &symbol_table):namespacet(NULL, NULL)
+    const symbol_tablet &symbol_table):namespacet(nullptr, nullptr)
   {
     add(symbol_table);
   }
diff --git a/src/util/parser.h b/src/util/parser.h
index b450de7f61..bf572e6004 100644
--- a/src/util/parser.h
+++ b/src/util/parser.h
@@ -39,7 +39,7 @@ public:
     last_line.clear();
   }
 
-  parsert():in(NULL) { clear(); }
+  parsert():in(nullptr) { clear(); }
   virtual ~parsert() { }
 
   // The following are for the benefit of the scanner
diff --git a/src/util/pipe_stream.cpp b/src/util/pipe_stream.cpp
index 4306bce8e0..44ac29b3eb 100644
--- a/src/util/pipe_stream.cpp
+++ b/src/util/pipe_stream.cpp
@@ -159,12 +159,12 @@ int pipe_streamt::run()
         a_it++, i++)
        _argv[i]=strdup(a_it->c_str());
 
-    _argv[args.size()+1]=NULL;
+    _argv[args.size()+1]=nullptr;
 
     int result=execvp(executable.c_str(), _argv);
 
     if(result==-1)
-      perror(0);
+      perror(nullptr);
 
     return result;
   }
@@ -289,7 +289,7 @@ std::streamsize filedescriptor_streambuft::xsputn(
 /// read a character from the piped process
 std::streambuf::int_type filedescriptor_streambuft::underflow()
 {
-  if(gptr()==0)
+  if(gptr()==nullptr)
     return traits_type::eof();
 
   if(gptr()expr_set.empty();
   }
@@ -52,13 +52,13 @@ public:
 
   bool make_union(const ref_expr_sett &s2)
   {
-    if(s2.d==NULL)
+    if(s2.d==nullptr)
       return false;
 
     if(s2.d==d)
       return false;
 
-    if(d==NULL)
+    if(d==nullptr)
     {
       copy_from(s2);
       return true;
diff --git a/src/util/reference_counting.h b/src/util/reference_counting.h
index ffdc8eed75..4d5accb5ec 100644
--- a/src/util/reference_counting.h
+++ b/src/util/reference_counting.h
@@ -19,7 +19,7 @@ template
 class reference_counting
 {
 public:
-  reference_counting():d(NULL)
+  reference_counting():d(nullptr)
   {
   }
 
@@ -31,7 +31,7 @@ public:
   // copy constructor
   reference_counting(const reference_counting &other):d(other.d)
   {
-    if(d!=NULL)
+    if(d!=nullptr)
     {
       assert(d->ref_count!=0);
       d->ref_count++;
@@ -50,7 +50,7 @@ public:
   ~reference_counting()
   {
     remove_ref(d);
-    d=NULL;
+    d=nullptr;
   }
 
   void swap(reference_counting &other)
@@ -61,12 +61,12 @@ public:
   void clear()
   {
     remove_ref(d);
-    d=NULL;
+    d=nullptr;
   }
 
   const T &read() const
   {
-    if(d==NULL)
+    if(d==nullptr)
       return T::blank;
     return *d;
   }
@@ -104,7 +104,7 @@ protected:
 
     remove_ref(d);
     d=other.d;
-    if(d!=NULL)
+    if(d!=nullptr)
       d->ref_count++;
   }
 
@@ -118,7 +118,7 @@ public:
 template
 void reference_counting::remove_ref(dt *old_d)
 {
-  if(old_d==NULL)
+  if(old_d==nullptr)
     return;
 
   assert(old_d->ref_count!=0);
@@ -151,7 +151,7 @@ void reference_counting::detatch()
   std::cout << "DETATCH1: " << d << '\n';
   #endif
 
-  if(d==NULL)
+  if(d==nullptr)
   {
     d=new dt;
 
diff --git a/src/util/run.cpp b/src/util/run.cpp
index 164cac834d..c01aff35bd 100644
--- a/src/util/run.cpp
+++ b/src/util/run.cpp
@@ -117,13 +117,13 @@ int run(
     {
       // resume signals
       remove_signal_catcher();
-      sigprocmask(SIG_SETMASK, &old_mask, NULL);
+      sigprocmask(SIG_SETMASK, &old_mask, nullptr);
 
       char **_argv=new char * [argv.size()+1];
       for(std::size_t i=0; i &s)
 
 const char **narrow_argv(int argc, const wchar_t **argv_wide)
 {
-  if(argv_wide==NULL)
-    return NULL;
+  if(argv_wide==nullptr)
+    return nullptr;
 
   // the following never gets deleted
   const char **argv_narrow=new const char *[argc+1];
-  argv_narrow[argc]=0;
+  argv_narrow[argc]=nullptr;
 
   for(int i=0; i
Date: Thu, 20 Jul 2017 13:53:53 +0100
Subject: [PATCH 78/89] Fix linter errors, ignoring big-int and miniz

---
 src/analyses/goto_rw.cpp                 | 6 ++++--
 src/analyses/goto_rw.h                   | 4 ++--
 src/analyses/invariant_set.cpp           | 7 ++++---
 src/analyses/invariant_set.h             | 2 ++
 src/analyses/local_may_alias.h           | 2 +-
 src/analyses/reaching_definitions.cpp    | 8 ++++++--
 src/analyses/reaching_definitions.h      | 7 ++++++-
 src/cpp/cpp_id.h                         | 3 ++-
 src/cpp/cpp_instantiate_template.cpp     | 6 ++++--
 src/cpp/cpp_typecheck.h                  | 2 ++
 src/cpp/cpp_typecheck_template.cpp       | 7 +++++--
 src/goto-symex/goto_symex_state.cpp      | 6 +++---
 src/goto-symex/goto_symex_state.h        | 2 ++
 src/path-symex/path_symex_history.h      | 8 +++++---
 src/path-symex/path_symex_state.h        | 2 ++
 src/path-symex/path_symex_state_read.cpp | 2 +-
 16 files changed, 51 insertions(+), 23 deletions(-)

diff --git a/src/analyses/goto_rw.cpp b/src/analyses/goto_rw.cpp
index 36c2bf8c95..49827bd2bd 100644
--- a/src/analyses/goto_rw.cpp
+++ b/src/analyses/goto_rw.cpp
@@ -463,7 +463,8 @@ void rw_range_sett::add(
 {
   objectst::iterator entry=(mode==get_modet::LHS_W ? w_range_set : r_range_set).
     insert(
-      std::pair(identifier, nullptr)).first;
+      std::pair(
+        identifier, nullptr)).first;
 
   if(entry->second==nullptr)
     entry->second=new range_domaint();
@@ -663,7 +664,8 @@ void rw_guarded_range_set_value_sett::add(
 {
   objectst::iterator entry=(mode==get_modet::LHS_W ? w_range_set : r_range_set).
     insert(
-      std::pair(identifier, nullptr)).first;
+      std::pair(
+        identifier, nullptr)).first;
 
   if(entry->second==nullptr)
     entry->second=new guarded_range_domaint();
diff --git a/src/analyses/goto_rw.h b/src/analyses/goto_rw.h
index 60dfe5ca6f..1f92c3e0e1 100644
--- a/src/analyses/goto_rw.h
+++ b/src/analyses/goto_rw.h
@@ -108,7 +108,7 @@ public:
 
   const range_domaint &get_ranges(objectst::const_iterator it) const
   {
-    assert(dynamic_cast(it->second)!=nullptr);
+    PRECONDITION(dynamic_cast(it->second)!=nullptr);
     return *static_cast(it->second);
   }
 
@@ -277,7 +277,7 @@ public:
 
   const guarded_range_domaint &get_ranges(objectst::const_iterator it) const
   {
-    assert(dynamic_cast(it->second)!=nullptr);
+    PRECONDITION(dynamic_cast(it->second)!=nullptr);
     return *static_cast(it->second);
   }
 
diff --git a/src/analyses/invariant_set.cpp b/src/analyses/invariant_set.cpp
index 550c39d3ab..a041119cbb 100644
--- a/src/analyses/invariant_set.cpp
+++ b/src/analyses/invariant_set.cpp
@@ -144,7 +144,7 @@ bool invariant_sett::get_object(
   const exprt &expr,
   unsigned &n) const
 {
-  assert(object_store!=nullptr);
+  PRECONDITION(object_store!=nullptr);
   return object_store->get(expr, n);
 }
 
@@ -315,7 +315,8 @@ void invariant_sett::output(
     return;
   }
 
-  assert(object_store!=nullptr);
+  INVARIANT(
+    object_store!=nullptr, nullptr_exceptiont("Object store is null"));
 
   for(unsigned i=0; ito_string(a, identifier);
 }
 
diff --git a/src/analyses/invariant_set.h b/src/analyses/invariant_set.h
index b65ce7897f..f2999d191a 100644
--- a/src/analyses/invariant_set.h
+++ b/src/analyses/invariant_set.h
@@ -22,6 +22,8 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include "interval_template.h"
 
+#define nullptr_exceptiont(str) str
+
 class inv_object_storet
 {
 public:
diff --git a/src/analyses/local_may_alias.h b/src/analyses/local_may_alias.h
index c9c7680368..5e04ff01a7 100644
--- a/src/analyses/local_may_alias.h
+++ b/src/analyses/local_may_alias.h
@@ -109,7 +109,7 @@ public:
 
   local_may_aliast &operator()(const irep_idt &fkt)
   {
-    assert(goto_functions!=nullptr);
+    PRECONDITION(goto_functions!=nullptr);
     fkt_mapt::iterator f_it=fkt_map.find(fkt);
     if(f_it!=fkt_map.end())
       return *f_it->second;
diff --git a/src/analyses/reaching_definitions.cpp b/src/analyses/reaching_definitions.cpp
index b001261a69..3bbf55a60a 100644
--- a/src/analyses/reaching_definitions.cpp
+++ b/src/analyses/reaching_definitions.cpp
@@ -51,7 +51,9 @@ void rd_range_domaint::transform(
 {
   reaching_definitions_analysist *rd=
     dynamic_cast(&ai);
-  assert(rd!=nullptr);
+  INVARIANT(
+    rd!=nullptr,
+    bad_cast_exceptiont("ai has type reaching_definitions_analysist"));
 
   assert(bv_container);
 
@@ -298,7 +300,9 @@ void rd_range_domaint::transform_assign(
     const symbolt *symbol_ptr;
     if(ns.lookup(identifier, symbol_ptr))
       continue;
-    assert(symbol_ptr!=nullptr);
+    INVARIANT(
+      symbol_ptr!=nullptr,
+      nullptr_exceptiont("Symbol is in symbol table"));
 
     const range_domaint &ranges=rw_set.get_ranges(it);
 
diff --git a/src/analyses/reaching_definitions.h b/src/analyses/reaching_definitions.h
index 462b8c1d45..f0a4fd6085 100644
--- a/src/analyses/reaching_definitions.h
+++ b/src/analyses/reaching_definitions.h
@@ -26,6 +26,9 @@ class is_threadedt;
 class dirtyt;
 class reaching_definitions_analysist;
 
+#define bad_cast_exceptiont(str) str
+#define nullptr_exceptiont(str) str
+
 // requirement: V has a member "identifier" of type irep_idt
 template
 class sparse_bitvector_analysist
@@ -259,7 +262,9 @@ public:
     statet &s=concurrency_aware_ait::get_state(l);
 
     rd_range_domaint *rd_state=dynamic_cast(&s);
-    assert(rd_state!=nullptr);
+    INVARIANT(
+      rd_state!=nullptr,
+      bad_cast_exceptiont("rd_state has type rd_range_domaint"));
 
     rd_state->set_bitvector_container(*this);
 
diff --git a/src/cpp/cpp_id.h b/src/cpp/cpp_id.h
index 1ba4649334..b2efbc2718 100644
--- a/src/cpp/cpp_id.h
+++ b/src/cpp/cpp_id.h
@@ -20,6 +20,7 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 #include 
 
 #include 
+#include 
 #include 
 
 class cpp_scopet;
@@ -81,7 +82,7 @@ public:
 
   cpp_idt &get_parent() const
   {
-    assert(parent!=nullptr);
+    PRECONDITION(parent!=nullptr);
     return *parent;
   }
 
diff --git a/src/cpp/cpp_instantiate_template.cpp b/src/cpp/cpp_instantiate_template.cpp
index 27c8e2c9a3..3afc3cdd72 100644
--- a/src/cpp/cpp_instantiate_template.cpp
+++ b/src/cpp/cpp_instantiate_template.cpp
@@ -130,7 +130,8 @@ const symbolt &cpp_typecheckt::class_template_symbol(
   cpp_scopet *template_scope=
     static_cast(cpp_scopes.id_map[template_symbol.name]);
 
-  assert(template_scope!=nullptr);
+  INVARIANT(
+    template_scope!=nullptr, nullptr_exceptiont("template_scope is null"));
 
   irep_idt identifier=
     id2string(template_scope->prefix)+
@@ -284,7 +285,8 @@ const symbolt &cpp_typecheckt::instantiate_template(
     throw 0;
   }
 
-  assert(template_scope!=nullptr);
+  INVARIANT(
+    template_scope!=nullptr, nullptr_exceptiont("template_scope is null"));
 
   // produce new declaration
   cpp_declarationt new_decl=to_cpp_declaration(template_symbol.type);
diff --git a/src/cpp/cpp_typecheck.h b/src/cpp/cpp_typecheck.h
index 5c0a6afe28..50cc26fb9e 100644
--- a/src/cpp/cpp_typecheck.h
+++ b/src/cpp/cpp_typecheck.h
@@ -30,6 +30,8 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 #include "cpp_template_type.h"
 #include "cpp_util.h"
 
+#define nullptr_exceptiont(str) str
+
 bool cpp_typecheck(
   cpp_parse_treet &cpp_parse_tree,
   symbol_tablet &symbol_table,
diff --git a/src/cpp/cpp_typecheck_template.cpp b/src/cpp/cpp_typecheck_template.cpp
index 5837a5706a..2338371379 100644
--- a/src/cpp/cpp_typecheck_template.cpp
+++ b/src/cpp/cpp_typecheck_template.cpp
@@ -910,7 +910,8 @@ cpp_template_args_tct cpp_typecheckt::typecheck_template_args(
       // these need to be typechecked in the scope of the template,
       // not in the current scope!
       cpp_idt *template_scope=cpp_scopes.id_map[template_symbol.name];
-      assert(template_scope!=nullptr);
+      INVARIANT(
+        template_scope!=nullptr, nullptr_exceptiont("template_scope is null"));
       cpp_scopes.go_to(*template_scope);
     }
 
@@ -960,7 +961,9 @@ cpp_template_args_tct cpp_typecheckt::typecheck_template_args(
       {
         cpp_save_scopet cpp_saved_scope(cpp_scopes);
         cpp_idt *template_scope=cpp_scopes.id_map[template_symbol.name];
-        assert(template_scope!=nullptr);
+        INVARIANT(
+          template_scope!=nullptr,
+          nullptr_exceptiont("template_scope is null"));
         cpp_scopes.go_to(*template_scope);
         typecheck_type(type);
       }
diff --git a/src/goto-symex/goto_symex_state.cpp b/src/goto-symex/goto_symex_state.cpp
index 934e8edf71..3e49fd7e48 100644
--- a/src/goto-symex/goto_symex_state.cpp
+++ b/src/goto-symex/goto_symex_state.cpp
@@ -541,7 +541,7 @@ bool goto_symex_statet::l2_thread_read_encoding(
     return false;
 
   // is it a shared object?
-  assert(dirty!=nullptr);
+  INVARIANT(dirty!=nullptr, nullptr_exceptiont("dirty is null"));
   const irep_idt &obj_identifier=expr.get_object_name();
   if(obj_identifier=="goto_symex::\\guard" ||
      (!ns.lookup(obj_identifier).is_shared() &&
@@ -666,7 +666,7 @@ bool goto_symex_statet::l2_thread_read_encoding(
   expr=ssa_l1;
 
   // and record that
-  assert(symex_target!=nullptr);
+  INVARIANT(symex_target!=nullptr, nullptr_exceptiont("symex_target is null"));
   symex_target->shared_read(
     guard.as_expr(),
     expr,
@@ -685,7 +685,7 @@ bool goto_symex_statet::l2_thread_write_encoding(
     return false;
 
   // is it a shared object?
-  assert(dirty!=nullptr);
+  INVARIANT(dirty!=nullptr, nullptr_exceptiont("dirty is null"));
   const irep_idt &obj_identifier=expr.get_object_name();
   if(obj_identifier=="goto_symex::\\guard" ||
      (!ns.lookup(obj_identifier).is_shared() &&
diff --git a/src/goto-symex/goto_symex_state.h b/src/goto-symex/goto_symex_state.h
index d62d4a66af..b7e645ab39 100644
--- a/src/goto-symex/goto_symex_state.h
+++ b/src/goto-symex/goto_symex_state.h
@@ -26,6 +26,8 @@ Author: Daniel Kroening, kroening@kroening.com
 
 class dirtyt;
 
+#define nullptr_exceptiont(str) str
+
 // central data structure: state
 class goto_symex_statet
 {
diff --git a/src/path-symex/path_symex_history.h b/src/path-symex/path_symex_history.h
index e2fbc3273f..794679d72d 100644
--- a/src/path-symex/path_symex_history.h
+++ b/src/path-symex/path_symex_history.h
@@ -21,6 +21,8 @@ Author: Daniel Kroening, kroening@kroening.com
 
 class path_symex_stept;
 
+#define nullptr_exceptiont(str) str
+
 // This is a reference to a path_symex_stept,
 // and is really cheap to copy. These references are stable,
 // even though the underlying vector is not.
@@ -46,7 +48,7 @@ public:
 
   path_symex_historyt &get_history() const
   {
-    assert(history!=nullptr);
+    INVARIANT(history!=nullptr, nullptr_exceptiont("history is null"));
     return *history;
   }
 
@@ -154,7 +156,7 @@ public:
 
 inline void path_symex_step_reft::generate_successor()
 {
-  assert(history!=nullptr);
+  INVARIANT(history!=nullptr, nullptr_exceptiont("history is null"));
   path_symex_step_reft old=*this;
   index=history->step_container.size();
   history->step_container.push_back(path_symex_stept());
@@ -169,7 +171,7 @@ inline path_symex_step_reft &path_symex_step_reft::operator--()
 
 inline path_symex_stept &path_symex_step_reft::get() const
 {
-  assert(history!=nullptr);
+  INVARIANT(history!=nullptr, nullptr_exceptiont("history is null"));
   assert(!is_nil());
   return history->step_container[index];
 }
diff --git a/src/path-symex/path_symex_state.h b/src/path-symex/path_symex_state.h
index eb23e891f8..796864cc80 100644
--- a/src/path-symex/path_symex_state.h
+++ b/src/path-symex/path_symex_state.h
@@ -16,6 +16,8 @@ Author: Daniel Kroening, kroening@kroening.com
 #include "var_map.h"
 #include "path_symex_history.h"
 
+#define nullptr_exceptiont(str) str
+
 struct path_symex_statet
 {
 public:
diff --git a/src/path-symex/path_symex_state_read.cpp b/src/path-symex/path_symex_state_read.cpp
index 139b6956a0..fb34aaf93d 100644
--- a/src/path-symex/path_symex_state_read.cpp
+++ b/src/path-symex/path_symex_state_read.cpp
@@ -465,7 +465,7 @@ bool path_symex_statet::is_symbol_member_index(const exprt &src) const
       return false;
 
     // next round
-    assert(next!=nullptr);
+    INVARIANT(next!=nullptr, nullptr_exceptiont("next is null"));
     current=next;
   }
 }

From d0c9bd3f6f2a4f31605887cd7200e304230cb335 Mon Sep 17 00:00:00 2001
From: Daniel Kroening 
Date: Thu, 25 May 2017 16:20:27 +0100
Subject: [PATCH 79/89] get rid of typet(ID_pointer)

---
 src/cpp/cpp_constructor.cpp             |  5 ++---
 src/cpp/cpp_destructor.cpp              |  6 +++---
 src/cpp/cpp_typecheck_expr.cpp          | 13 ++++---------
 src/goto-programs/remove_exceptions.cpp |  2 +-
 src/java_bytecode/java_entry_point.cpp  |  2 +-
 5 files changed, 11 insertions(+), 17 deletions(-)

diff --git a/src/cpp/cpp_constructor.cpp b/src/cpp/cpp_constructor.cpp
index e584d25fc4..819b946c4b 100644
--- a/src/cpp/cpp_constructor.cpp
+++ b/src/cpp/cpp_constructor.cpp
@@ -289,9 +289,8 @@ codet cpp_typecheckt::cpp_constructor(
     assert(tmp_this.id()==ID_address_of
            && tmp_this.op0().id()=="new_object");
 
-    exprt address_of(ID_address_of, typet(ID_pointer));
-    address_of.type().subtype()=object_tc.type();
-    address_of.copy_to_operands(object_tc);
+    exprt address_of=
+      address_of_exprt(object_tc, pointer_type(object_tc.type()));
     tmp_this.swap(address_of);
 
     if(block.operands().empty())
diff --git a/src/cpp/cpp_destructor.cpp b/src/cpp/cpp_destructor.cpp
index 6f4157c15f..20dfb3ed00 100644
--- a/src/cpp/cpp_destructor.cpp
+++ b/src/cpp/cpp_destructor.cpp
@@ -142,9 +142,9 @@ codet cpp_typecheckt::cpp_destructor(
     assert(tmp_this.id()==ID_address_of
            && tmp_this.op0().id()=="new_object");
 
-    exprt address_of(ID_address_of, typet(ID_pointer));
-    address_of.type().subtype()=object.type();
-    address_of.copy_to_operands(object);
+    exprt address_of=
+      address_of_exprt(object, pointer_type(object.type()));
+
     tmp_this.swap(address_of);
 
     new_code.swap(initializer);
diff --git a/src/cpp/cpp_typecheck_expr.cpp b/src/cpp/cpp_typecheck_expr.cpp
index e54f69589f..53600dbfc8 100644
--- a/src/cpp/cpp_typecheck_expr.cpp
+++ b/src/cpp/cpp_typecheck_expr.cpp
@@ -722,9 +722,7 @@ void cpp_typecheckt::typecheck_expr_address_of(exprt &expr)
     // we take the address of the method.
     assert(expr.op0().id()==ID_member);
     exprt symb=cpp_symbol_expr(lookup(expr.op0().get(ID_component_name)));
-    exprt address(ID_address_of, typet(ID_pointer));
-    address.copy_to_operands(symb);
-    address.type().subtype()=symb.type();
+    address_of_exprt address(symb, pointer_type(symb.type()));
     address.set(ID_C_implicit, true);
     expr.op0().swap(address);
   }
@@ -2255,10 +2253,8 @@ void cpp_typecheckt::typecheck_side_effect_function_call(
       if(operand.type().id()!=ID_pointer &&
          operand.type()==argument.type().subtype())
       {
-        exprt tmp(ID_address_of, typet(ID_pointer));
-        tmp.type().subtype()=operand.type();
+        exprt tmp=address_of_exprt(operand, pointer_type(operand.type()));
         tmp.add_source_location()=operand.source_location();
-        tmp.move_to_operands(operand);
         operand.swap(tmp);
       }
     }
@@ -2671,9 +2667,8 @@ void cpp_typecheckt::convert_pmop(exprt &expr)
     else
     {
       assert(expr.op0().get_bool(ID_C_lvalue));
-      exprt address_of(ID_address_of, typet(ID_pointer));
-      address_of.copy_to_operands(expr.op0());
-      address_of.type().subtype()=address_of.op0().type();
+      exprt address_of=
+        address_of_exprt(expr.op0(), pointer_type(expr.op0().type()));
       expr.op0().swap(address_of);
     }
   }
diff --git a/src/goto-programs/remove_exceptions.cpp b/src/goto-programs/remove_exceptions.cpp
index 4b24980f5b..2788faa85d 100644
--- a/src/goto-programs/remove_exceptions.cpp
+++ b/src/goto-programs/remove_exceptions.cpp
@@ -108,7 +108,7 @@ void remove_exceptionst::add_exceptional_returns(
     new_symbol.base_name=id2string(function_symbol.base_name)+EXC_SUFFIX;
     new_symbol.name=id2string(function_symbol.name)+EXC_SUFFIX;
     new_symbol.mode=function_symbol.mode;
-    new_symbol.type=typet(ID_pointer, empty_typet());
+    new_symbol.type=pointer_typet(empty_typet());
     symbol_table.add(new_symbol);
 
     // initialize the exceptional return with NULL
diff --git a/src/java_bytecode/java_entry_point.cpp b/src/java_bytecode/java_entry_point.cpp
index 1cb0a10d70..7241495578 100644
--- a/src/java_bytecode/java_entry_point.cpp
+++ b/src/java_bytecode/java_entry_point.cpp
@@ -556,7 +556,7 @@ bool java_entry_point(
   exc_symbol.is_static_lifetime=false;
   exc_symbol.name=id2string(symbol.name)+EXC_SUFFIX;
   exc_symbol.base_name=id2string(symbol.name)+EXC_SUFFIX;
-  exc_symbol.type=typet(ID_pointer, empty_typet());
+  exc_symbol.type=java_reference_type(empty_typet());
   symbol_table.add(exc_symbol);
 
   exprt::operandst main_arguments=

From 13f3d5fb3fe09bc7da4abd3268398515d904bed6 Mon Sep 17 00:00:00 2001
From: Daniel Kroening 
Date: Thu, 25 May 2017 18:08:28 +0100
Subject: [PATCH 80/89] use pointer_type() instead of pointer_typet()

---
 src/ansi-c/ansi_c_entry_point.cpp             |   3 +-
 src/ansi-c/c_typecheck_type.cpp               |   4 +-
 src/cpp/cpp_convert_type.cpp                  |   4 +-
 src/cpp/cpp_typecheck_compound_type.cpp       |   7 +-
 src/cpp/cpp_typecheck_conversions.cpp         | 148 ++++++++----------
 src/cpp/cpp_typecheck_expr.cpp                |   9 +-
 src/cpp/cpp_typecheck_type.cpp                |   4 +-
 src/cpp/cpp_typecheck_virtual_table.cpp       |  13 +-
 src/cpp/parse.cpp                             |   2 +-
 src/goto-instrument/function.cpp              |   2 +-
 src/goto-instrument/goto_program2code.cpp     |   4 +-
 .../thread_instrumentation.cpp                |   2 +-
 src/goto-instrument/wmm/shared_buffers.cpp    |   7 +-
 src/goto-programs/builtin_functions.cpp       |   7 +-
 src/goto-programs/class_identifier.cpp        |   3 +-
 src/goto-programs/goto_convert.cpp            |   4 +-
 .../goto_convert_new_switch_case.cpp          |   4 +-
 src/goto-programs/remove_asm.cpp              |   4 +-
 src/goto-programs/remove_exceptions.cpp       |   9 +-
 .../remove_function_pointers.cpp              |   5 +-
 .../remove_virtual_functions.cpp              |   4 +-
 src/goto-programs/string_abstraction.cpp      |   7 +-
 src/goto-programs/string_instrumentation.cpp  |   4 +-
 src/goto-symex/symex_builtin_functions.cpp    |   6 +-
 src/goto-symex/symex_dereference.cpp          |  16 +-
 .../java_bytecode_convert_class.cpp           |   9 +-
 .../java_bytecode_convert_method.cpp          |  32 ++--
 .../java_bytecode_internal_additions.cpp      |   3 +-
 src/java_bytecode/java_bytecode_vtable.cpp    |  10 +-
 src/java_bytecode/java_object_factory.cpp     |  10 +-
 src/jsil/jsil_internal_additions.cpp          |   2 +-
 src/path-symex/path_symex.cpp                 |   4 +-
 src/pointer-analysis/dereference.cpp          |   2 +-
 src/solvers/smt1/smt1_conv.cpp                |  13 +-
 src/solvers/smt2/smt2_conv.cpp                |  13 +-
 35 files changed, 185 insertions(+), 195 deletions(-)

diff --git a/src/ansi-c/ansi_c_entry_point.cpp b/src/ansi-c/ansi_c_entry_point.cpp
index c0cd29a387..43cb331df6 100644
--- a/src/ansi-c/ansi_c_entry_point.cpp
+++ b/src/ansi-c/ansi_c_entry_point.cpp
@@ -327,8 +327,7 @@ bool ansi_c_entry_point(
         zero_string.type().set(ID_size, "infinity");
         exprt index(ID_index, char_type());
         index.copy_to_operands(zero_string, from_integer(0, uint_type()));
-        exprt address_of("address_of", pointer_typet());
-        address_of.type().subtype()=char_type();
+        exprt address_of("address_of", pointer_type(char_type()));
         address_of.copy_to_operands(index);
 
         if(argv_symbol.type.subtype()!=address_of.type())
diff --git a/src/ansi-c/c_typecheck_type.cpp b/src/ansi-c/c_typecheck_type.cpp
index 62e651f913..5195e65336 100644
--- a/src/ansi-c/c_typecheck_type.cpp
+++ b/src/ansi-c/c_typecheck_type.cpp
@@ -1498,9 +1498,7 @@ void c_typecheck_baset::adjust_function_parameter(typet &type) const
   {
     // see ISO/IEC 9899:1999 page 199 clause 8,
     // may be hidden in typedef
-    pointer_typet tmp;
-    tmp.subtype()=type;
-    type.swap(tmp);
+    type=pointer_type(type);
   }
   else if(type.id()==ID_KnR)
   {
diff --git a/src/cpp/cpp_convert_type.cpp b/src/cpp/cpp_convert_type.cpp
index cd552871b9..b98845964e 100644
--- a/src/cpp/cpp_convert_type.cpp
+++ b/src/cpp/cpp_convert_type.cpp
@@ -251,8 +251,8 @@ void cpp_convert_typet::read_function_type(const typet &type)
         // see if it's an array type
         if(final_type.id()==ID_array)
         {
-          final_type.id(ID_pointer);
-          final_type.remove(ID_size);
+          // turn into pointer type
+          final_type=pointer_type(final_type.subtype());
         }
 
         code_typet::parametert new_parameter(final_type);
diff --git a/src/cpp/cpp_typecheck_compound_type.cpp b/src/cpp/cpp_typecheck_compound_type.cpp
index 12fbfa6784..36d2a2e70b 100644
--- a/src/cpp/cpp_typecheck_compound_type.cpp
+++ b/src/cpp/cpp_typecheck_compound_type.cpp
@@ -16,6 +16,7 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 #include 
 #include 
 #include 
+#include 
 
 #include 
 
@@ -545,7 +546,7 @@ void cpp_typecheckt::typecheck_compound_declarator(
 
         // add a virtual-table pointer
         struct_typet::componentt compo;
-        compo.type()=pointer_typet(symbol_typet(vt_name));
+        compo.type()=pointer_type(symbol_typet(vt_name));
         compo.set_name(id2string(symbol.name) +"::@vtable_pointer");
         compo.set(ID_base_name, "@vtable_pointer");
         compo.set(
@@ -567,7 +568,7 @@ void cpp_typecheckt::typecheck_compound_declarator(
 
       // add an entry to the virtual table
       struct_typet::componentt vt_entry;
-      vt_entry.type()=pointer_typet(component.type());
+      vt_entry.type()=pointer_type(component.type());
       vt_entry.set_name(id2string(vtit->first)+"::"+virtual_name);
       vt_entry.set(ID_base_name, virtual_name);
       vt_entry.set(ID_pretty_name, virtual_name);
@@ -1353,7 +1354,7 @@ void cpp_typecheckt::add_this_to_method_type(
   if(has_volatile(method_qualifier))
     subtype.set(ID_C_volatile, true);
 
-  parameter.type()=pointer_typet(subtype);
+  parameter.type()=pointer_type(subtype);
 }
 
 void cpp_typecheckt::add_anonymous_members_to_scope(
diff --git a/src/cpp/cpp_typecheck_conversions.cpp b/src/cpp/cpp_typecheck_conversions.cpp
index 4b76a2ebd4..58634fc0e9 100644
--- a/src/cpp/cpp_typecheck_conversions.cpp
+++ b/src/cpp/cpp_typecheck_conversions.cpp
@@ -73,15 +73,17 @@ bool cpp_typecheckt::standard_conversion_array_to_pointer(
 {
   assert(expr.type().id()==ID_array);
 
-  exprt index(ID_index, expr.type().subtype());
-  index.copy_to_operands(expr, from_integer(0, index_type()));
+  index_exprt index(
+    expr,
+    from_integer(0, index_type()),
+    expr.type().subtype());
+
   index.set(ID_C_lvalue, true);
 
-  pointer_typet pointer;
-  pointer.subtype()=expr.type().subtype();
+  pointer_typet pointer=
+    pointer_type(expr.type().subtype());
 
-  new_expr=exprt(ID_address_of, pointer);
-  new_expr.move_to_operands(index);
+  new_expr=address_of_exprt(index, pointer);
 
   return true;
 }
@@ -101,12 +103,9 @@ bool cpp_typecheckt::standard_conversion_function_to_pointer(
   if(!expr.get_bool(ID_C_lvalue))
     return false;
 
-  pointer_typet pointer;
-  pointer.subtype()=func_type;
+  pointer_typet pointer=pointer_type(func_type);
 
-  new_expr=exprt(ID_address_of);
-  new_expr.copy_to_operands(expr);
-  new_expr.type()=pointer;
+  new_expr=address_of_exprt(expr, pointer);
 
   return true;
 }
@@ -887,16 +886,13 @@ bool cpp_typecheckt::user_defined_conversion_sequence(
 
         if(subtype_typecast(from_struct, to_struct))
         {
-          exprt address(ID_address_of, pointer_typet());
-          address.copy_to_operands(expr);
-          address.type().subtype()=expr.type();
+          exprt address=address_of_exprt(expr, pointer_type(expr.type()));
 
           // simplify address
           if(expr.id()==ID_dereference)
             address=expr.op0();
 
-          pointer_typet ptr_sub;
-          ptr_sub.subtype()=type;
+          pointer_typet ptr_sub=pointer_type(type);
           c_qualifierst qual_from;
           qual_from.read(expr.type());
           qual_from.write(ptr_sub.subtype());
@@ -1019,62 +1015,60 @@ bool cpp_typecheckt::user_defined_conversion_sequence(
           }
           else if(from_struct.is_not_nil() && arg1_struct.is_not_nil())
           {
-              // try derived-to-base conversion
-              exprt expr_pfrom(ID_address_of, pointer_typet());
-              expr_pfrom.type().subtype()=expr.type();
-              expr_pfrom.copy_to_operands(expr);
+            // try derived-to-base conversion
+            exprt expr_pfrom=
+              address_of_exprt(expr, pointer_type(expr.type()));
 
-              pointer_typet pto;
-              pto.subtype()=arg1_type;
+            pointer_typet pto=pointer_type(arg1_type);
 
-              exprt expr_ptmp;
-              tmp_rank=0;
-              if(standard_conversion_sequence(
-                  expr_pfrom, pto, expr_ptmp, tmp_rank))
+            exprt expr_ptmp;
+            tmp_rank=0;
+            if(standard_conversion_sequence(
+                expr_pfrom, pto, expr_ptmp, tmp_rank))
+            {
+              // check if it's ambiguous
+              if(found)
+                return false;
+              found=true;
+
+              rank+=tmp_rank;
+
+              // create temporary object
+              exprt expr_deref=
+                exprt(ID_dereference, expr_ptmp.type().subtype());
+              expr_deref.set(ID_C_lvalue, true);
+              expr_deref.copy_to_operands(expr_ptmp);
+              expr_deref.add_source_location()=expr.source_location();
+
+              exprt new_object("new_object", type);
+              new_object.set(ID_C_lvalue, true);
+              new_object.type().set(ID_C_constant, false);
+
+              exprt func_symb=cpp_symbol_expr(lookup(component.get(ID_name)));
+              func_symb.type()=comp_type;
               {
-                // check if it's ambiguous
-                if(found)
-                  return false;
-                found=true;
-
-                rank+=tmp_rank;
-
-                // create temporary object
-                exprt expr_deref=
-                  exprt(ID_dereference, expr_ptmp.type().subtype());
-                expr_deref.set(ID_C_lvalue, true);
-                expr_deref.copy_to_operands(expr_ptmp);
-                expr_deref.add_source_location()=expr.source_location();
-
-                exprt new_object("new_object", type);
-                new_object.set(ID_C_lvalue, true);
-                new_object.type().set(ID_C_constant, false);
-
-                exprt func_symb=cpp_symbol_expr(lookup(component.get(ID_name)));
-                func_symb.type()=comp_type;
-                {
-                  exprt tmp("already_typechecked");
-                  tmp.copy_to_operands(func_symb);
-                  func_symb.swap(func_symb);
-                }
-
-                side_effect_expr_function_callt ctor_expr;
-                ctor_expr.add_source_location()=expr.source_location();
-                ctor_expr.function().swap(func_symb);
-                ctor_expr.arguments().push_back(expr_deref);
-                typecheck_side_effect_function_call(ctor_expr);
-
-                new_expr.swap(ctor_expr);
-
-                assert(new_expr.get(ID_statement)==ID_temporary_object);
-
-                if(to.get_bool(ID_C_constant))
-                  new_expr.type().set(ID_C_constant, true);
+                exprt tmp("already_typechecked");
+                tmp.copy_to_operands(func_symb);
+                func_symb.swap(func_symb);
               }
+
+              side_effect_expr_function_callt ctor_expr;
+              ctor_expr.add_source_location()=expr.source_location();
+              ctor_expr.function().swap(func_symb);
+              ctor_expr.arguments().push_back(expr_deref);
+              typecheck_side_effect_function_call(ctor_expr);
+
+              new_expr.swap(ctor_expr);
+
+              assert(new_expr.get(ID_statement)==ID_temporary_object);
+
+              if(to.get_bool(ID_C_constant))
+                new_expr.type().set(ID_C_constant, true);
             }
           }
-          if(found)
-            return true;
+        }
+        if(found)
+          return true;
       }
   }
 
@@ -1297,9 +1291,8 @@ bool cpp_typecheckt::reference_binding(
         address_of_exprt tmp;
         tmp.add_source_location()=expr.source_location();
         tmp.object()=expr;
-        tmp.type()=pointer_typet();
+        tmp.type()=pointer_type(tmp.op0().type());
         tmp.type().set(ID_C_reference, true);
-        tmp.type().subtype()=tmp.op0().type();
         new_expr.swap(tmp);
       }
 
@@ -1427,10 +1420,9 @@ bool cpp_typecheckt::reference_binding(
   if(user_defined_conversion_sequence(arg_expr, type.subtype(), new_expr, rank))
   {
     address_of_exprt tmp;
-    tmp.type()=pointer_typet();
+    tmp.type()=pointer_type(new_expr.type());
     tmp.object()=new_expr;
     tmp.type().set(ID_C_reference, true);
-    tmp.type().subtype()= new_expr.type();
     tmp.add_source_location()=new_expr.source_location();
     new_expr.swap(tmp);
     return true;
@@ -1449,11 +1441,11 @@ bool cpp_typecheckt::reference_binding(
       new_expr.swap(tmp);
     }
 
-    exprt tmp(ID_address_of, pointer_typet());
-    tmp.copy_to_operands(new_expr);
+    exprt tmp=
+      address_of_exprt(new_expr, pointer_type(new_expr.type()));
     tmp.type().set(ID_C_reference, true);
-    tmp.type().subtype()= new_expr.type();
     tmp.add_source_location()=new_expr.source_location();
+
     new_expr.swap(tmp);
     return true;
   }
@@ -1880,9 +1872,7 @@ bool cpp_typecheckt::reinterpret_typecast(
 
   if(is_reference(type) && e.get_bool(ID_C_lvalue))
   {
-    exprt tmp(ID_address_of, pointer_typet());
-    tmp.type().subtype()=e.type();
-    tmp.copy_to_operands(e);
+    exprt tmp=address_of_exprt(e, pointer_type(e.type()));
     tmp.make_typecast(type);
     new_expr.swap(tmp);
     return true;
@@ -1946,10 +1936,8 @@ bool cpp_typecheckt::static_typecast(
           return true;
         }
 
-        exprt address_of(ID_address_of, pointer_typet());
-        address_of.type().subtype()=e.type();
-        address_of.copy_to_operands(e);
-        make_ptr_typecast(address_of , type);
+        exprt address_of=address_of_exprt(e, pointer_type(e.type()));
+        make_ptr_typecast(address_of, type);
         new_expr.swap(address_of);
         return true;
       }
diff --git a/src/cpp/cpp_typecheck_expr.cpp b/src/cpp/cpp_typecheck_expr.cpp
index 53600dbfc8..b50bdd8c7e 100644
--- a/src/cpp/cpp_typecheck_expr.cpp
+++ b/src/cpp/cpp_typecheck_expr.cpp
@@ -755,7 +755,7 @@ void cpp_typecheckt::typecheck_expr_address_of(exprt &expr)
   const bool is_ref=is_reference(expr.type());
   c_typecheck_baset::typecheck_expr_address_of(expr);
   if(is_ref)
-    expr.type()=reference_typet(expr.type().subtype());
+    expr.type()=reference_type(expr.type().subtype());
 }
 
 void cpp_typecheckt::typecheck_expr_throw(exprt &expr)
@@ -808,8 +808,8 @@ void cpp_typecheckt::typecheck_expr_new(exprt &expr)
     expr.set(ID_size, to_array_type(expr.type()).size());
 
     // new actually returns a pointer, not an array
-    pointer_typet ptr_type;
-    ptr_type.subtype()=expr.type().subtype();
+    pointer_typet ptr_type=
+      pointer_type(expr.type().subtype());
     expr.type().swap(ptr_type);
   }
   else
@@ -819,8 +819,7 @@ void cpp_typecheckt::typecheck_expr_new(exprt &expr)
 
     expr.set(ID_statement, ID_cpp_new);
 
-    pointer_typet ptr_type;
-    ptr_type.subtype().swap(expr.type());
+    pointer_typet ptr_type=pointer_type(expr.type());
     expr.type().swap(ptr_type);
   }
 
diff --git a/src/cpp/cpp_typecheck_type.cpp b/src/cpp/cpp_typecheck_type.cpp
index cf392b2957..41fcd49b68 100644
--- a/src/cpp/cpp_typecheck_type.cpp
+++ b/src/cpp/cpp_typecheck_type.cpp
@@ -13,6 +13,7 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 
 #include 
 #include 
+#include 
 
 #include 
 
@@ -107,8 +108,7 @@ void cpp_typecheckt::typecheck_type(typet &type)
           // Add 'this' to the parameters
           exprt a0(ID_parameter);
           a0.set(ID_C_base_name, ID_this);
-          a0.type().id(ID_pointer);
-          a0.type().subtype() = class_object;
+          a0.type()=pointer_type(class_object);
           parameters.insert(parameters.begin(), a0);
         }
       }
diff --git a/src/cpp/cpp_typecheck_virtual_table.cpp b/src/cpp/cpp_typecheck_virtual_table.cpp
index b36e42d132..f882db1f1a 100644
--- a/src/cpp/cpp_typecheck_virtual_table.cpp
+++ b/src/cpp/cpp_typecheck_virtual_table.cpp
@@ -11,7 +11,7 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 
 #include "cpp_typecheck.h"
 
-#include 
+#include 
 #include 
 
 void cpp_typecheckt::do_virtual_table(const symbolt &symbol)
@@ -32,21 +32,20 @@ void cpp_typecheckt::do_virtual_table(const symbolt &symbol)
     const code_typet &code_type=to_code_type(compo.type());
     assert(code_type.parameters().size() > 0);
 
-    const pointer_typet &pointer_type =
-      static_cast(code_type.parameters()[0].type());
+    const pointer_typet ¶meter_pointer_type=
+      to_pointer_type(code_type.parameters()[0].type());
 
-    irep_idt class_id=pointer_type.subtype().get("identifier");
+    irep_idt class_id=parameter_pointer_type.subtype().get("identifier");
 
     std::map &value_map =
       vt_value_maps[class_id];
 
-
     exprt e=symbol_exprt(compo.get_name(), code_type);
 
     if(compo.get_bool("is_pure_virtual"))
     {
-      pointer_typet pointer_type(code_type);
-      e=null_pointer_exprt(pointer_type);
+      pointer_typet code_pointer_type=pointer_type(code_type);
+      e=null_pointer_exprt(code_pointer_type);
       value_map[compo.get("virtual_name")]=e;
     }
     else
diff --git a/src/cpp/parse.cpp b/src/cpp/parse.cpp
index a2cd41a8dd..87e9ad099d 100644
--- a/src/cpp/parse.cpp
+++ b/src/cpp/parse.cpp
@@ -6476,7 +6476,7 @@ bool Parser::rPrimaryExpr(exprt &exp)
 
   case TOK_NULLPTR:
     lex.get_token(tk);
-    exp=constant_exprt(ID_NULL, pointer_typet(typet(ID_nullptr)));
+    exp=constant_exprt(ID_NULL, typet(ID_pointer, typet(ID_nullptr)));
     set_location(exp, tk);
     #ifdef DEBUG
     std::cout << std::string(__indent, ' ') << "Parser::rPrimaryExpr 6\n";
diff --git a/src/goto-instrument/function.cpp b/src/goto-instrument/function.cpp
index 9af29573ad..6c62a07f4f 100644
--- a/src/goto-instrument/function.cpp
+++ b/src/goto-instrument/function.cpp
@@ -32,7 +32,7 @@ code_function_callt function_to_call(
   if(s_it==symbol_table.symbols.end())
   {
     // not there
-    pointer_typet p(char_type());
+    typet p=pointer_type(char_type());
     p.subtype().set(ID_C_constant, true);
 
     code_typet function_type;
diff --git a/src/goto-instrument/goto_program2code.cpp b/src/goto-instrument/goto_program2code.cpp
index 968b49026c..1a96eb4ee3 100644
--- a/src/goto-instrument/goto_program2code.cpp
+++ b/src/goto-instrument/goto_program2code.cpp
@@ -384,7 +384,7 @@ goto_programt::const_targett goto_program2codet::convert_assign_varargs(
       static_cast(r.find(ID_C_va_arg_type));
 
     dereference_exprt deref(
-      null_pointer_exprt(pointer_typet(va_arg_type)),
+      null_pointer_exprt(pointer_type(va_arg_type)),
       va_arg_type);
 
     type_of.arguments().push_back(deref);
@@ -1378,7 +1378,7 @@ goto_programt::const_targett goto_program2codet::convert_start_thread(
     // we don't bother setting the type
     f.lhs()=cf.lhs();
     f.function()=symbol_exprt("pthread_create", code_typet());
-    exprt n=null_pointer_exprt(pointer_typet(empty_typet()));
+    exprt n=null_pointer_exprt(pointer_type(empty_typet()));
     f.arguments().push_back(n);
     f.arguments().push_back(n);
     f.arguments().push_back(cf.function());
diff --git a/src/goto-instrument/thread_instrumentation.cpp b/src/goto-instrument/thread_instrumentation.cpp
index 3cfb0b5775..a2943424a3 100644
--- a/src/goto-instrument/thread_instrumentation.cpp
+++ b/src/goto-instrument/thread_instrumentation.cpp
@@ -43,7 +43,7 @@ void thread_exit_instrumentation(goto_programt &goto_program)
   binary_exprt get_may("get_may");
 
   // NULL is any
-  get_may.op0()=null_pointer_exprt(to_pointer_type(pointer_type(empty_typet())));
+  get_may.op0()=null_pointer_exprt(pointer_type(empty_typet()));
   get_may.op1()=address_of_exprt(mutex_locked_string);
 
   end->make_assertion(not_exprt(get_may));
diff --git a/src/goto-instrument/wmm/shared_buffers.cpp b/src/goto-instrument/wmm/shared_buffers.cpp
index 5e70bc9c6a..85a9f7249d 100644
--- a/src/goto-instrument/wmm/shared_buffers.cpp
+++ b/src/goto-instrument/wmm/shared_buffers.cpp
@@ -6,6 +6,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
+#include 
 
 #include "shared_buffers.h"
 
@@ -54,7 +55,7 @@ const shared_bufferst::varst &shared_bufferst::operator()(
       object,
       symbol.base_name,
       "$read_delayed_var",
-      pointer_typet(symbol.type));
+      pointer_type(symbol.type));
 
   for(unsigned cnt=0; cntsecond.object, vars.type);
                   symbol_exprt new_read_expr=symbol_exprt(
                     vars.read_delayed_var,
-                  pointer_typet(vars.type));
+                    pointer_type(vars.type));
                   symbol_exprt read_delayed_expr=symbol_exprt(
                     vars.read_delayed, bool_typet());
 
diff --git a/src/goto-programs/builtin_functions.cpp b/src/goto-programs/builtin_functions.cpp
index e7b128ff28..530e5e3157 100644
--- a/src/goto-programs/builtin_functions.cpp
+++ b/src/goto-programs/builtin_functions.cpp
@@ -602,7 +602,7 @@ void goto_convertt::do_java_new(
   // we produce a malloc side-effect, which stays
   side_effect_exprt malloc_expr(ID_malloc);
   malloc_expr.copy_to_operands(object_size);
-  malloc_expr.type()=pointer_typet(object_type);
+  malloc_expr.type()=rhs.type();
 
   goto_programt::targett t_n=dest.add_instruction(ASSIGN);
   t_n->code=code_assignt(lhs, malloc_expr);
@@ -658,7 +658,7 @@ void goto_convertt::do_java_new_array(
   // we produce a malloc side-effect, which stays
   side_effect_exprt malloc_expr(ID_malloc);
   malloc_expr.copy_to_operands(object_size);
-  malloc_expr.type()=pointer_typet(object_type);
+  malloc_expr.type()=rhs.type();
 
   goto_programt::targett t_n=dest.add_instruction(ASSIGN);
   t_n->code=code_assignt(lhs, malloc_expr);
@@ -1384,8 +1384,7 @@ void goto_convertt::do_function_call_symbol(
 
     if(lhs.is_not_nil())
     {
-      typet t=pointer_typet();
-      t.subtype()=lhs.type();
+      typet t=pointer_type(lhs.type());
       dereference_exprt rhs(lhs.type());
       rhs.op0()=typecast_exprt(list_arg, t);
       rhs.add_source_location()=function.source_location();
diff --git a/src/goto-programs/class_identifier.cpp b/src/goto-programs/class_identifier.cpp
index bbdc94c853..3e92586e75 100644
--- a/src/goto-programs/class_identifier.cpp
+++ b/src/goto-programs/class_identifier.cpp
@@ -12,6 +12,7 @@ Author: Chris Smowton, chris.smowton@diffblue.com
 #include "class_identifier.h"
 
 #include 
+#include 
 #include 
 
 /// \par parameters: Struct expression
@@ -66,7 +67,7 @@ exprt get_class_identifier_field(
          "Non-pointer this-arg in remove-virtuals?");
   const auto &points_to=this_expr.type().subtype();
   if(points_to==empty_typet())
-    this_expr=typecast_exprt(this_expr, pointer_typet(suggested_type));
+    this_expr=typecast_exprt(this_expr, pointer_type(suggested_type));
   exprt deref=dereference_exprt(this_expr, this_expr.type().subtype());
   return build_class_identifier(deref, ns);
 }
diff --git a/src/goto-programs/goto_convert.cpp b/src/goto-programs/goto_convert.cpp
index 3218d3f7f8..5f308b3f9f 100644
--- a/src/goto-programs/goto_convert.cpp
+++ b/src/goto-programs/goto_convert.cpp
@@ -712,9 +712,7 @@ void goto_convertt::convert_decl(
   if(destructor.is_not_nil())
   {
     // add "this"
-    exprt this_expr(ID_address_of, pointer_typet());
-    this_expr.type().subtype()=symbol.type;
-    this_expr.copy_to_operands(symbol_expr);
+    address_of_exprt this_expr(symbol_expr, pointer_type(symbol.type));
     destructor.arguments().push_back(this_expr);
 
     targets.destructor_stack.push_back(destructor);
diff --git a/src/goto-programs/goto_convert_new_switch_case.cpp b/src/goto-programs/goto_convert_new_switch_case.cpp
index 290c3a241e..cf8c6579d6 100644
--- a/src/goto-programs/goto_convert_new_switch_case.cpp
+++ b/src/goto-programs/goto_convert_new_switch_case.cpp
@@ -555,9 +555,7 @@ void goto_convertt::convert_decl(
   if(destructor.is_not_nil())
   {
     // add "this"
-    exprt this_expr(ID_address_of, pointer_typet());
-    this_expr.type().subtype()=symbol.type;
-    this_expr.copy_to_operands(symbol_expr);
+    address_of_exprt this_expr(symbol_expr, pointer_type(symbol.type));
     destructor.arguments().push_back(this_expr);
 
     targets.destructor_stack.push_back(destructor);
diff --git a/src/goto-programs/remove_asm.cpp b/src/goto-programs/remove_asm.cpp
index bd3517ce0a..c2688df9d1 100644
--- a/src/goto-programs/remove_asm.cpp
+++ b/src/goto-programs/remove_asm.cpp
@@ -17,6 +17,7 @@ Date:   December 2014
 #include 
 
 #include 
+#include 
 
 #include 
 #include 
@@ -61,7 +62,8 @@ void remove_asmt::gcc_asm_function_call(
   code_function_callt function_call;
   function_call.lhs().make_nil();
 
-  const pointer_typet void_pointer=pointer_typet(void_typet());
+  const typet void_pointer=
+    pointer_type(void_typet());
 
   // outputs
   forall_operands(it, code.op1())
diff --git a/src/goto-programs/remove_exceptions.cpp b/src/goto-programs/remove_exceptions.cpp
index 2788faa85d..8d95e97186 100644
--- a/src/goto-programs/remove_exceptions.cpp
+++ b/src/goto-programs/remove_exceptions.cpp
@@ -21,6 +21,7 @@ Date:   December 2016
 #include 
 
 #include 
+#include 
 #include 
 
 class remove_exceptionst
@@ -108,12 +109,12 @@ void remove_exceptionst::add_exceptional_returns(
     new_symbol.base_name=id2string(function_symbol.base_name)+EXC_SUFFIX;
     new_symbol.name=id2string(function_symbol.name)+EXC_SUFFIX;
     new_symbol.mode=function_symbol.mode;
-    new_symbol.type=pointer_typet(empty_typet());
+    new_symbol.type=pointer_type(empty_typet());
     symbol_table.add(new_symbol);
 
     // initialize the exceptional return with NULL
     symbol_exprt lhs_expr_null=new_symbol.symbol_expr();
-    null_pointer_exprt rhs_expr_null((pointer_typet(empty_typet())));
+    null_pointer_exprt rhs_expr_null(pointer_type(empty_typet()));
     goto_programt::targett t_null=
       goto_program.insert_before(goto_program.instructions.begin());
     t_null->make_assignment();
@@ -146,7 +147,7 @@ void remove_exceptionst::instrument_exception_handler(
       symbol_table.lookup(id2string(function_id)+EXC_SUFFIX);
     // next we reset the exceptional return to NULL
     symbol_exprt lhs_expr_null=function_symbol.symbol_expr();
-    null_pointer_exprt rhs_expr_null((pointer_typet(empty_typet())));
+    null_pointer_exprt rhs_expr_null(pointer_type(empty_typet()));
 
     // add the assignment
     goto_programt::targett t_null=goto_program.insert_after(instr_it);
@@ -326,7 +327,7 @@ void remove_exceptionst::instrument_function_call(
     // add a null check (so that instanceof can be applied)
     equal_exprt eq_null(
       callee_exc,
-      null_pointer_exprt(pointer_typet(empty_typet())));
+      null_pointer_exprt(pointer_type(empty_typet())));
     goto_programt::targett t_null=goto_program.insert_after(instr_it);
     t_null->make_goto(next_it);
     t_null->source_location=instr_it->source_location;
diff --git a/src/goto-programs/remove_function_pointers.cpp b/src/goto-programs/remove_function_pointers.cpp
index 142fc8a957..bec1ce5ea4 100644
--- a/src/goto-programs/remove_function_pointers.cpp
+++ b/src/goto-programs/remove_function_pointers.cpp
@@ -375,10 +375,7 @@ void remove_function_pointerst::remove_function_pointer(
     t3->make_goto(t_final, true_exprt());
 
     // goto to call
-    address_of_exprt address_of;
-    address_of.object()=fun;
-    address_of.type()=pointer_typet();
-    address_of.type().subtype()=fun.type();
+    address_of_exprt address_of(fun, pointer_type(fun.type()));
 
     if(address_of.type()!=pointer.type())
       address_of.make_typecast(pointer.type());
diff --git a/src/goto-programs/remove_virtual_functions.cpp b/src/goto-programs/remove_virtual_functions.cpp
index c512e2b321..3803f77f42 100644
--- a/src/goto-programs/remove_virtual_functions.cpp
+++ b/src/goto-programs/remove_virtual_functions.cpp
@@ -13,6 +13,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 #include 
+#include 
 
 #include "class_hierarchy.h"
 #include "class_identifier.h"
@@ -147,7 +148,8 @@ void remove_virtual_functionst::remove_virtual_function(
         t1->make_function_call(code);
         auto &newcall=to_code_function_call(t1->code);
         newcall.function()=fun.symbol_expr;
-        pointer_typet need_type(symbol_typet(fun.symbol_expr.get(ID_C_class)));
+        typet need_type=
+          pointer_type(symbol_typet(fun.symbol_expr.get(ID_C_class)));
         if(!type_eq(newcall.arguments()[0].type(), need_type, ns))
           newcall.arguments()[0].make_typecast(need_type);
       }
diff --git a/src/goto-programs/string_abstraction.cpp b/src/goto-programs/string_abstraction.cpp
index da6119d242..299d27ccee 100644
--- a/src/goto-programs/string_abstraction.cpp
+++ b/src/goto-programs/string_abstraction.cpp
@@ -207,7 +207,7 @@ void string_abstractiont::add_argument(
     const irep_idt &identifier)
 {
   typet final_type=is_ptr_argument(type)?
-    type:pointer_typet(type);
+                   type:pointer_type(type);
 
   str_args.push_back(code_typet::parametert(final_type));
   str_args.back().add_source_location()=fct_symbol.location;
@@ -689,7 +689,7 @@ const typet &string_abstractiont::build_abstraction_type_rec(const typet &type,
     // char* or void* or char[]
     if(is_char_type(eff_type.subtype()) ||
         eff_type.subtype().id()==ID_empty)
-      map_entry.first->second=pointer_typet(string_struct);
+      map_entry.first->second=pointer_type(string_struct);
     else
     {
       const typet &subt=build_abstraction_type_rec(eff_type.subtype(), known);
@@ -699,8 +699,7 @@ const typet &string_abstractiont::build_abstraction_type_rec(const typet &type,
           map_entry.first->second=
             array_typet(subt, to_array_type(eff_type).size());
         else
-          map_entry.first->second=
-            pointer_typet(subt);
+          map_entry.first->second=pointer_type(subt);
       }
     }
   }
diff --git a/src/goto-programs/string_instrumentation.cpp b/src/goto-programs/string_instrumentation.cpp
index 41bf92a529..955d34d3ab 100644
--- a/src/goto-programs/string_instrumentation.cpp
+++ b/src/goto-programs/string_instrumentation.cpp
@@ -830,9 +830,7 @@ void string_instrumentationt::do_strerror(
     symbol_buf.symbol_expr(),
     from_integer(0, index_type()));
 
-  exprt ptr=exprt(ID_address_of, pointer_typet());
-  ptr.type().subtype()=char_type();
-  ptr.copy_to_operands(index);
+  exprt ptr=address_of_exprt(index, pointer_type(char_type()));
 
   // make that zero-terminated
   {
diff --git a/src/goto-symex/symex_builtin_functions.cpp b/src/goto-symex/symex_builtin_functions.cpp
index d3d26b540f..d6e9fd416d 100644
--- a/src/goto-symex/symex_builtin_functions.cpp
+++ b/src/goto-symex/symex_builtin_functions.cpp
@@ -169,7 +169,7 @@ void goto_symext::symex_malloc(
 
   if(object_type.id()==ID_array)
   {
-    rhs.type()=pointer_typet(value_symbol.type.subtype());
+    rhs.type()=pointer_type(value_symbol.type.subtype());
     index_exprt index_expr(value_symbol.type.subtype());
     index_expr.array()=value_symbol.symbol_expr();
     index_expr.index()=from_integer(0, index_type());
@@ -178,7 +178,7 @@ void goto_symext::symex_malloc(
   else
   {
     rhs.op0()=value_symbol.symbol_expr();
-    rhs.type()=pointer_typet(value_symbol.type);
+    rhs.type()=pointer_type(value_symbol.type);
   }
 
   if(rhs.type()!=lhs.type())
@@ -404,7 +404,7 @@ void goto_symext::symex_cpp_new(
 
   // make symbol expression
 
-  exprt rhs(ID_address_of, pointer_typet());
+  exprt rhs(ID_address_of, code.type());
   rhs.type().subtype()=code.type().subtype();
 
   if(do_array)
diff --git a/src/goto-symex/symex_dereference.cpp b/src/goto-symex/symex_dereference.cpp
index 61dcecbf3a..f066ee1065 100644
--- a/src/goto-symex/symex_dereference.cpp
+++ b/src/goto-symex/symex_dereference.cpp
@@ -122,7 +122,7 @@ exprt goto_symext::address_arithmetic(
     }
 
     // do (expr.type() *)(((char *)op)+offset)
-    result=typecast_exprt(result, pointer_typet(char_type()));
+    result=typecast_exprt(result, pointer_type(char_type()));
 
     // there could be further dereferencing in the offset
     exprt offset=be.offset();
@@ -132,14 +132,14 @@ exprt goto_symext::address_arithmetic(
 
     // treat &array as &array[0]
     const typet &expr_type=ns.follow(expr.type());
-    pointer_typet dest_type;
+    typet dest_type_subtype;
 
     if(expr_type.id()==ID_array && !keep_array)
-      dest_type.subtype()=expr_type.subtype();
+      dest_type_subtype=expr_type.subtype();
     else
-      dest_type.subtype()=expr_type;
+      dest_type_subtype=expr_type;
 
-    result=typecast_exprt(result, dest_type);
+    result=typecast_exprt(result, pointer_type(dest_type_subtype));
   }
   else if(expr.id()==ID_index ||
           expr.id()==ID_member)
@@ -222,7 +222,7 @@ exprt goto_symext::address_arithmetic(
 
   const typet &expr_type=ns.follow(expr.type());
   assert((expr_type.id()==ID_array && !keep_array) ||
-         base_type_eq(pointer_typet(expr_type), result.type(), ns));
+         base_type_eq(pointer_type(expr_type), result.type(), ns));
 
   return result;
 }
@@ -281,7 +281,7 @@ void goto_symext::dereference_rec(
     index_exprt index_expr=to_index_expr(expr);
 
     address_of_exprt address_of_expr(index_expr.array());
-    address_of_expr.type()=pointer_typet(expr.type());
+    address_of_expr.type()=pointer_type(expr.type());
 
     dereference_exprt tmp;
     tmp.pointer()=plus_exprt(address_of_expr, index_expr.index());
@@ -318,7 +318,7 @@ void goto_symext::dereference_rec(
        to_address_of_expr(tc_op).object().type().id()==ID_array &&
        base_type_eq(
          expr.type(),
-         pointer_typet(to_address_of_expr(tc_op).object().type().subtype()),
+         pointer_type(to_address_of_expr(tc_op).object().type().subtype()),
          ns))
     {
       expr=
diff --git a/src/java_bytecode/java_bytecode_convert_class.cpp b/src/java_bytecode/java_bytecode_convert_class.cpp
index b6f28694f1..707614f2f7 100644
--- a/src/java_bytecode/java_bytecode_convert_class.cpp
+++ b/src/java_bytecode/java_bytecode_convert_class.cpp
@@ -22,6 +22,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 #include 
+#include 
 
 #include 
 
@@ -294,7 +295,7 @@ void java_bytecode_convert_classt::add_array_types()
     struct_type.components().push_back(comp1);
 
     struct_typet::componentt
-      comp2("data", pointer_typet(java_type_from_char(l)));
+      comp2("data", pointer_type(java_type_from_char(l)));
     struct_type.components().push_back(comp2);
 
     symbolt symbol;
@@ -366,7 +367,7 @@ void java_bytecode_convert_classt::add_string_type()
   // Use a pointer-to-unbounded-array instead of a pointer-to-char.
   // Saves some casting in the string refinement algorithm but may
   // be unnecessary.
-  string_type.components()[2].type()=pointer_typet(
+  string_type.components()[2].type()=pointer_type(
     array_typet(java_char_type(), infinity_exprt(java_int_type())));
   string_type.add_base(symbol_typet("java::java.lang.Object"));
 
@@ -392,9 +393,9 @@ void java_bytecode_convert_classt::add_string_type()
   string_equals_type.return_type()=java_boolean_type();
   code_typet::parametert thisparam;
   thisparam.set_this();
-  thisparam.type()=pointer_typet(symbol_typet(string_symbol.name));
+  thisparam.type()=java_reference_type(symbol_typet(string_symbol.name));
   code_typet::parametert otherparam;
-  otherparam.type()=pointer_typet(symbol_typet("java::java.lang.Object"));
+  otherparam.type()=java_reference_type(symbol_typet("java::java.lang.Object"));
   string_equals_type.parameters().push_back(thisparam);
   string_equals_type.parameters().push_back(otherparam);
   string_equals_symbol.type=std::move(string_equals_type);
diff --git a/src/java_bytecode/java_bytecode_convert_method.cpp b/src/java_bytecode/java_bytecode_convert_method.cpp
index 9adf82a021..586cca70f3 100644
--- a/src/java_bytecode/java_bytecode_convert_method.cpp
+++ b/src/java_bytecode/java_bytecode_convert_method.cpp
@@ -22,6 +22,7 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 #include 
+#include 
 
 #include 
 
@@ -242,7 +243,8 @@ void java_bytecode_convert_method_lazy(
     code_typet &code_type=to_code_type(member_type);
     code_typet::parameterst ¶meters=code_type.parameters();
     code_typet::parametert this_p;
-    const reference_typet object_ref_type(symbol_typet(class_symbol.name));
+    const reference_typet object_ref_type=
+      java_reference_type(symbol_typet(class_symbol.name));
     this_p.type()=object_ref_type;
     this_p.set_this();
     parameters.insert(parameters.begin(), this_p);
@@ -437,7 +439,7 @@ static member_exprt to_member(const exprt &pointer, const exprt &fieldref)
   symbol_typet class_type(fieldref.get(ID_class));
 
   exprt pointer2=
-    typecast_exprt(pointer, pointer_typet(class_type));
+    typecast_exprt(pointer, java_reference_type(class_type));
 
   const dereference_exprt obj_deref(pointer2, class_type);
 
@@ -1016,7 +1018,7 @@ codet java_bytecode_convert_methodt::convert_instructions(
       assert(op.size()==1 && results.size()==1);
       code_blockt block;
       // TODO throw NullPointerException instead
-      const typecast_exprt lhs(op[0], pointer_typet(empty_typet()));
+      const typecast_exprt lhs(op[0], java_reference_type(empty_typet()));
       const exprt rhs(null_pointer_exprt(to_pointer_type(lhs.type())));
       const exprt not_equal_null(
         binary_relation_exprt(lhs, ID_notequal, rhs));
@@ -1103,7 +1105,7 @@ codet java_bytecode_convert_methodt::convert_instructions(
             else
               code_type.set(ID_java_super_method_call, true);
           }
-          pointer_typet object_ref_type(thistype);
+          reference_typet object_ref_type=java_reference_type(thistype);
           code_typet::parametert this_p(object_ref_type);
           this_p.set_this();
           this_p.set_base_name("this");
@@ -1227,7 +1229,7 @@ codet java_bytecode_convert_methodt::convert_instructions(
       const member_exprt data_ptr(
         deref,
         "data",
-        pointer_typet(java_type_from_char(type_char)));
+        pointer_type(java_type_from_char(type_char)));
 
       plus_exprt data_plus_offset(data_ptr, op[1], data_ptr.type());
       typet element_type=data_ptr.type().subtype();
@@ -1292,7 +1294,7 @@ codet java_bytecode_convert_methodt::convert_instructions(
       const member_exprt data_ptr(
         deref,
         "data",
-        pointer_typet(java_type_from_char(type_char)));
+        pointer_type(java_type_from_char(type_char)));
 
       plus_exprt data_plus_offset(data_ptr, op[1], data_ptr.type());
       typet element_type=data_ptr.type().subtype();
@@ -1327,7 +1329,7 @@ codet java_bytecode_convert_methodt::convert_instructions(
         // these need to be references to java.lang.String
         results[0]=arg0;
         symbol_typet string_type("java::java.lang.String");
-        results[0].type()=pointer_typet(string_type);
+        results[0].type()=java_reference_type(string_type);
       }
       else if(arg0.id()==ID_type)
       {
@@ -1500,7 +1502,7 @@ codet java_bytecode_convert_methodt::convert_instructions(
       irep_idt number=to_constant_expr(arg0).get_value();
       assert(op.size()==1 && results.empty());
       code_ifthenelset code_branch;
-      const typecast_exprt lhs(op[0], pointer_typet(empty_typet()));
+      const typecast_exprt lhs(op[0], java_reference_type(empty_typet()));
       const exprt rhs(null_pointer_exprt(to_pointer_type(lhs.type())));
       code_branch.cond()=binary_relation_exprt(lhs, ID_notequal, rhs);
       code_branch.then_case()=code_gotot(label(number));
@@ -1514,7 +1516,7 @@ codet java_bytecode_convert_methodt::convert_instructions(
       assert(op.size()==1 && results.empty());
       irep_idt number=to_constant_expr(arg0).get_value();
       code_ifthenelset code_branch;
-      const typecast_exprt lhs(op[0], pointer_typet(empty_typet()));
+      const typecast_exprt lhs(op[0], java_reference_type(empty_typet()));
       const exprt rhs(null_pointer_exprt(to_pointer_type(lhs.type())));
       code_branch.cond()=binary_relation_exprt(lhs, ID_equal, rhs);
       code_branch.then_case()=code_gotot(label(number));
@@ -1820,7 +1822,7 @@ codet java_bytecode_convert_methodt::convert_instructions(
     {
       // use temporary since the stack symbol might get duplicated
       assert(op.empty() && results.size()==1);
-      const pointer_typet ref_type(arg0.type());
+      const reference_typet ref_type=java_reference_type(arg0.type());
       exprt java_new_expr=side_effect_exprt(ID_java_new, ref_type);
 
       if(!i_it->source_location.get_line().empty())
@@ -1865,7 +1867,8 @@ codet java_bytecode_convert_methodt::convert_instructions(
       else
         element_type='a';
 
-      const pointer_typet ref_type=java_array_type(element_type);
+      const reference_typet ref_type=
+        java_array_type(element_type);
 
       side_effect_exprt java_new_array(ID_java_new_array, ref_type);
       java_new_array.copy_to_operands(op[0]);
@@ -1905,7 +1908,8 @@ codet java_bytecode_convert_methodt::convert_instructions(
       op=pop(dimension);
       assert(results.size()==1);
 
-      const pointer_typet ref_type(arg0.type());
+      const reference_typet ref_type=
+        java_reference_type(arg0.type());
 
       side_effect_exprt java_new_array(ID_java_new_array, ref_type);
       java_new_array.operands()=op;
@@ -2020,7 +2024,7 @@ codet java_bytecode_convert_methodt::convert_instructions(
       code_typet type;
       type.return_type()=void_typet();
       type.parameters().resize(1);
-      type.parameters()[0].type()=reference_typet(void_typet());
+      type.parameters()[0].type()=java_reference_type(void_typet());
       code_function_callt call;
       call.function()=symbol_exprt("java::monitorenter", type);
       call.lhs().make_nil();
@@ -2034,7 +2038,7 @@ codet java_bytecode_convert_methodt::convert_instructions(
       code_typet type;
       type.return_type()=void_typet();
       type.parameters().resize(1);
-      type.parameters()[0].type()=reference_typet(void_typet());
+      type.parameters()[0].type()=java_reference_type(void_typet());
       code_function_callt call;
       call.function()=symbol_exprt("java::monitorexit", type);
       call.lhs().make_nil();
diff --git a/src/java_bytecode/java_bytecode_internal_additions.cpp b/src/java_bytecode/java_bytecode_internal_additions.cpp
index 9a0211239d..bc7715ecd9 100644
--- a/src/java_bytecode/java_bytecode_internal_additions.cpp
+++ b/src/java_bytecode/java_bytecode_internal_additions.cpp
@@ -10,7 +10,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 #include 
-
 #include 
 
 void java_internal_additions(symbol_tablet &dest)
@@ -35,7 +34,7 @@ void java_internal_additions(symbol_tablet &dest)
     symbolt symbol;
     symbol.base_name="__CPROVER_malloc_object";
     symbol.name=CPROVER_PREFIX "malloc_object";
-    symbol.type=pointer_typet(empty_typet());
+    symbol.type=pointer_type(empty_typet());
     symbol.mode=ID_C;
     symbol.is_lvalue=true;
     symbol.is_state_var=true;
diff --git a/src/java_bytecode/java_bytecode_vtable.cpp b/src/java_bytecode/java_bytecode_vtable.cpp
index a352fbd74c..68da4c6b49 100644
--- a/src/java_bytecode/java_bytecode_vtable.cpp
+++ b/src/java_bytecode/java_bytecode_vtable.cpp
@@ -118,7 +118,7 @@ public:
     struct_typet::componentt entry_component;
     entry_component.set_name(ifc_name);
     entry_component.set_base_name(ifc_method->get_base_name());
-    entry_component.type()=pointer_typet(implementation.type());
+    entry_component.type()=pointer_type(implementation.type());
     vtable_type.components().push_back(entry_component);
 
     const irep_idt &impl_name(implementation.get_name());
@@ -288,7 +288,7 @@ static void add_vtable_pointer_member(
 {
   struct_typet::componentt comp;
 
-  comp.type()=pointer_typet(symbol_typet(vt_name));
+  comp.type()=pointer_type(symbol_typet(vt_name));
   comp.set_name(ID_vtable_pointer);
   comp.set_base_name(ID_vtable_pointer);
   comp.set_pretty_name(ID_vtable_pointer);
@@ -391,7 +391,7 @@ static exprt get_ref(
   if(ID_symbol==type_id)
     return get_ref(address_of_exprt(this_obj), target_type);
   assert(ID_pointer==type_id);
-  const typecast_exprt cast(this_obj, pointer_typet(target_type));
+  const typecast_exprt cast(this_obj, pointer_type(target_type));
   return dereference_exprt(cast, target_type);
 }
 
@@ -436,13 +436,13 @@ exprt make_vtable_function(
   }
 
   const symbol_typet vtable_type(vtnamest::get_type(class_id));
-  const pointer_typet vt_ptr_type(vtable_type);
+  const pointer_typet vt_ptr_type=pointer_type(vtable_type);
   const symbol_typet target_type(class_id);
   const exprt this_ref(get_ref(this_obj, target_type));
   const typet ref_type(this_ref.type());
   const member_exprt vtable_member(this_ref, ID_vtable_pointer, vt_ptr_type);
   const dereference_exprt vtable(vtable_member, vtable_type); // TODO: cast?
-  const pointer_typet func_ptr_type(func.type());
+  const pointer_typet func_ptr_type=pointer_type(func.type());
   const member_exprt func_ptr(vtable, func_name, func_ptr_type);
   const dereference_exprt virtual_func(func_ptr, func.type());
   return virtual_func;
diff --git a/src/java_bytecode/java_object_factory.cpp b/src/java_bytecode/java_object_factory.cpp
index 15d8eac7bc..a903483aa4 100644
--- a/src/java_bytecode/java_object_factory.cpp
+++ b/src/java_bytecode/java_object_factory.cpp
@@ -13,7 +13,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 #include 
-#include 
+#include 
 #include 
 #include 
 #include 
@@ -167,7 +167,7 @@ exprt java_object_factoryt::allocate_object(
       // malloc expression
       exprt malloc_expr=side_effect_exprt(ID_malloc);
       malloc_expr.copy_to_operands(object_size);
-      typet result_type=pointer_typet(allocate_type);
+      typet result_type=pointer_type(allocate_type);
       malloc_expr.type()=result_type;
       // Create a symbol for the malloc expression so we can initialize
       // without having to do it potentially through a double-deref, which
@@ -175,7 +175,7 @@ exprt java_object_factoryt::allocate_object(
       symbolt &malloc_sym=new_tmp_symbol(
         symbol_table,
         loc,
-        pointer_typet(allocate_type),
+        pointer_type(allocate_type),
         "malloc_site");
       symbols_created.push_back(&malloc_sym);
       code_assignt assign=code_assignt(malloc_sym.symbol_expr(), malloc_expr);
@@ -532,9 +532,9 @@ void java_object_factoryt::gen_nondet_array_init(
   exprt length_expr=member_exprt(deref_expr, "length", comps[1].type());
   exprt init_array_expr=member_exprt(deref_expr, "data", comps[2].type());
 
-  if(init_array_expr.type()!=pointer_typet(element_type))
+  if(init_array_expr.type()!=pointer_type(element_type))
     init_array_expr=
-      typecast_exprt(init_array_expr, pointer_typet(element_type));
+      typecast_exprt(init_array_expr, pointer_type(element_type));
 
   // Interpose a new symbol, as the goto-symex stage can't handle array indexing
   // via a cast.
diff --git a/src/jsil/jsil_internal_additions.cpp b/src/jsil/jsil_internal_additions.cpp
index 446910062d..af963454e2 100644
--- a/src/jsil/jsil_internal_additions.cpp
+++ b/src/jsil/jsil_internal_additions.cpp
@@ -43,7 +43,7 @@ void jsil_internal_additions(symbol_tablet &dest)
     symbolt symbol;
     symbol.base_name="__CPROVER_malloc_object";
     symbol.name=CPROVER_PREFIX "malloc_object";
-    symbol.type=pointer_typet(empty_typet());
+    symbol.type=pointer_type(empty_typet());
     symbol.mode=ID_C;
     symbol.is_lvalue=true;
     symbol.is_state_var=true;
diff --git a/src/path-symex/path_symex.cpp b/src/path-symex/path_symex.cpp
index c5004e51d5..f64071ec61 100644
--- a/src/path-symex/path_symex.cpp
+++ b/src/path-symex/path_symex.cpp
@@ -249,7 +249,7 @@ void path_symext::symex_malloc(
 
   if(object_type.id()==ID_array)
   {
-    rhs.type()=pointer_typet(value_symbol.type.subtype());
+    rhs.type()=pointer_type(value_symbol.type.subtype());
     index_exprt index_expr(value_symbol.type.subtype());
     index_expr.array()=value_symbol.symbol_expr();
     index_expr.index()=from_integer(0, index_type());
@@ -258,7 +258,7 @@ void path_symext::symex_malloc(
   else
   {
     rhs.op0()=value_symbol.symbol_expr();
-    rhs.type()=pointer_typet(value_symbol.type);
+    rhs.type()=pointer_type(value_symbol.type);
   }
 
   if(rhs.type()!=lhs.type())
diff --git a/src/pointer-analysis/dereference.cpp b/src/pointer-analysis/dereference.cpp
index 5063278d4c..aaf33ca18d 100644
--- a/src/pointer-analysis/dereference.cpp
+++ b/src/pointer-analysis/dereference.cpp
@@ -275,7 +275,7 @@ exprt dereferencet::dereference_typecast(
         plus_exprt(offset, typecast_exprt(op, offset.type()));
 
     exprt new_typecast=
-      typecast_exprt(integer, pointer_typet(type));
+      typecast_exprt(integer, pointer_type(type));
 
     return dereference_exprt(new_typecast, type);
   }
diff --git a/src/solvers/smt1/smt1_conv.cpp b/src/solvers/smt1/smt1_conv.cpp
index 65f5564040..ee85dfc63a 100644
--- a/src/solvers/smt1/smt1_conv.cpp
+++ b/src/solvers/smt1/smt1_conv.cpp
@@ -21,6 +21,7 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 #include 
+#include 
 
 #include 
 
@@ -286,12 +287,14 @@ void smt1_convt::convert_address_of_rec(
       exprt new_index_expr=expr;
       new_index_expr.op1()=from_integer(0, index.type());
 
-      exprt address_of_expr(ID_address_of, pointer_typet());
-      address_of_expr.type().subtype()=array.type().subtype();
-      address_of_expr.copy_to_operands(new_index_expr);
+      address_of_exprt address_of_expr(
+        new_index_expr,
+        pointer_type(array.type().subtype()));
 
-      exprt plus_expr(ID_plus, address_of_expr.type());
-      plus_expr.copy_to_operands(address_of_expr, index);
+      plus_exprt plus_expr(
+        address_of_expr,
+        index,
+        address_of_expr.type());
 
       convert_expr(plus_expr, true);
     }
diff --git a/src/solvers/smt2/smt2_conv.cpp b/src/solvers/smt2/smt2_conv.cpp
index d6198ebea5..39b0ed8bc8 100644
--- a/src/solvers/smt2/smt2_conv.cpp
+++ b/src/solvers/smt2/smt2_conv.cpp
@@ -23,6 +23,7 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 #include 
+#include 
 
 #include 
 
@@ -512,12 +513,14 @@ void smt2_convt::convert_address_of_rec(
       exprt new_index_expr=expr;
       new_index_expr.op1()=from_integer(0, index.type());
 
-      exprt address_of_expr(ID_address_of, pointer_typet());
-      address_of_expr.type().subtype()=array.type().subtype();
-      address_of_expr.copy_to_operands(new_index_expr);
+      address_of_exprt address_of_expr(
+        new_index_expr,
+        pointer_type(array.type().subtype()));
 
-      exprt plus_expr(ID_plus, address_of_expr.type());
-      plus_expr.copy_to_operands(address_of_expr, index);
+      plus_exprt plus_expr(
+        address_of_expr,
+        index,
+        address_of_expr.type());
 
       convert_expr(plus_expr);
     }

From 636655d156a112b549dd53e36bfe525b4748e355 Mon Sep 17 00:00:00 2001
From: Daniel Kroening 
Date: Sat, 27 May 2017 12:02:15 +0100
Subject: [PATCH 81/89] address_of now needs a pointer type

---
 src/ansi-c/ansi_c_entry_point.cpp            | 29 +++++++++--------
 src/ansi-c/c_typecheck_expr.cpp              | 10 +++---
 src/cpp/cpp_constructor.cpp                  |  4 +--
 src/cpp/cpp_destructor.cpp                   |  5 +--
 src/cpp/cpp_typecheck_conversions.cpp        | 34 +++++++-------------
 src/cpp/cpp_typecheck_expr.cpp               |  8 ++---
 src/goto-programs/string_instrumentation.cpp |  8 ++---
 src/goto-symex/auto_objects.cpp              |  5 +--
 src/util/std_expr.cpp                        | 19 +++++++++--
 src/util/std_expr.h                          | 12 +++----
 10 files changed, 65 insertions(+), 69 deletions(-)

diff --git a/src/ansi-c/ansi_c_entry_point.cpp b/src/ansi-c/ansi_c_entry_point.cpp
index 43cb331df6..b22896bd7f 100644
--- a/src/ansi-c/ansi_c_entry_point.cpp
+++ b/src/ansi-c/ansi_c_entry_point.cpp
@@ -327,15 +327,13 @@ bool ansi_c_entry_point(
         zero_string.type().set(ID_size, "infinity");
         exprt index(ID_index, char_type());
         index.copy_to_operands(zero_string, from_integer(0, uint_type()));
-        exprt address_of("address_of", pointer_type(char_type()));
-        address_of.copy_to_operands(index);
+        exprt address_of=address_of_exprt(index, pointer_type(char_type()));
 
         if(argv_symbol.type.subtype()!=address_of.type())
           address_of.make_typecast(argv_symbol.type.subtype());
 
         // assign argv[*] to the address of a string-object
-        exprt array_of("array_of", argv_symbol.type);
-        array_of.copy_to_operands(address_of);
+        array_of_exprt array_of(address_of, argv_symbol.type);
 
         init_code.copy_to_operands(
           code_assignt(argv_symbol.symbol_expr(), array_of));
@@ -399,17 +397,18 @@ bool ansi_c_entry_point(
 
         {
           const exprt &arg1=parameters[1];
+          const pointer_typet &pointer_type=
+            to_pointer_type(arg1.type());
 
-          exprt index_expr(ID_index, arg1.type().subtype());
-          index_expr.copy_to_operands(
+          index_exprt index_expr(
             argv_symbol.symbol_expr(),
-            from_integer(0, index_type()));
+            from_integer(0, index_type()),
+            pointer_type.subtype());
 
           // disable bounds check on that one
           index_expr.set("bounds_check", false);
 
-          op1=exprt(ID_address_of, arg1.type());
-          op1.move_to_operands(index_expr);
+          op1=address_of_exprt(index_expr, pointer_type);
         }
 
         // do we need envp?
@@ -419,13 +418,15 @@ bool ansi_c_entry_point(
           exprt &op2=operands[2];
 
           const exprt &arg2=parameters[2];
+          const pointer_typet &pointer_type=
+            to_pointer_type(arg2.type());
 
-          exprt index_expr(ID_index, arg2.type().subtype());
-          index_expr.copy_to_operands(
-            envp_symbol.symbol_expr(), from_integer(0, index_type()));
+          index_exprt index_expr(
+            envp_symbol.symbol_expr(),
+            from_integer(0, index_type()),
+            pointer_type.subtype());
 
-          op2=exprt(ID_address_of, arg2.type());
-          op2.move_to_operands(index_expr);
+          op2=address_of_exprt(index_expr, pointer_type);
         }
       }
     }
diff --git a/src/ansi-c/c_typecheck_expr.cpp b/src/ansi-c/c_typecheck_expr.cpp
index 677a0c7815..fee4e8685d 100644
--- a/src/ansi-c/c_typecheck_expr.cpp
+++ b/src/ansi-c/c_typecheck_expr.cpp
@@ -834,11 +834,10 @@ void c_typecheck_baset::typecheck_expr_symbol(exprt &expr)
 
     if(expr.type().id()==ID_code) // function designator
     { // special case: this is sugar for &f
-      exprt tmp(ID_address_of, pointer_type(expr.type()));
+      address_of_exprt tmp(expr, pointer_type(expr.type()));
       tmp.set("#implicit", true);
       tmp.add_source_location()=expr.source_location();
-      tmp.move_to_operands(expr);
-      expr.swap(tmp);
+      expr=tmp;
     }
   }
 }
@@ -1778,11 +1777,10 @@ void c_typecheck_baset::typecheck_expr_function_identifier(exprt &expr)
 {
   if(expr.type().id()==ID_code)
   {
-    exprt tmp(ID_address_of, pointer_type(expr.type()));
+    address_of_exprt tmp(expr, pointer_type(expr.type()));
     tmp.set(ID_C_implicit, true);
     tmp.add_source_location()=expr.source_location();
-    tmp.move_to_operands(expr);
-    expr.swap(tmp);
+    expr=tmp;
   }
 }
 
diff --git a/src/cpp/cpp_constructor.cpp b/src/cpp/cpp_constructor.cpp
index 819b946c4b..9be6e8c3f0 100644
--- a/src/cpp/cpp_constructor.cpp
+++ b/src/cpp/cpp_constructor.cpp
@@ -289,9 +289,7 @@ codet cpp_typecheckt::cpp_constructor(
     assert(tmp_this.id()==ID_address_of
            && tmp_this.op0().id()=="new_object");
 
-    exprt address_of=
-      address_of_exprt(object_tc, pointer_type(object_tc.type()));
-    tmp_this.swap(address_of);
+    tmp_this=address_of_exprt(object_tc);
 
     if(block.operands().empty())
       return to_code(initializer);
diff --git a/src/cpp/cpp_destructor.cpp b/src/cpp/cpp_destructor.cpp
index 20dfb3ed00..6a35398475 100644
--- a/src/cpp/cpp_destructor.cpp
+++ b/src/cpp/cpp_destructor.cpp
@@ -142,10 +142,7 @@ codet cpp_typecheckt::cpp_destructor(
     assert(tmp_this.id()==ID_address_of
            && tmp_this.op0().id()=="new_object");
 
-    exprt address_of=
-      address_of_exprt(object, pointer_type(object.type()));
-
-    tmp_this.swap(address_of);
+    tmp_this=address_of_exprt(object, pointer_type(object.type()));
 
     new_code.swap(initializer);
   }
diff --git a/src/cpp/cpp_typecheck_conversions.cpp b/src/cpp/cpp_typecheck_conversions.cpp
index 58634fc0e9..b1374eda41 100644
--- a/src/cpp/cpp_typecheck_conversions.cpp
+++ b/src/cpp/cpp_typecheck_conversions.cpp
@@ -75,15 +75,11 @@ bool cpp_typecheckt::standard_conversion_array_to_pointer(
 
   index_exprt index(
     expr,
-    from_integer(0, index_type()),
-    expr.type().subtype());
+    from_integer(0, index_type()));
 
   index.set(ID_C_lvalue, true);
 
-  pointer_typet pointer=
-    pointer_type(expr.type().subtype());
-
-  new_expr=address_of_exprt(index, pointer);
+  new_expr=address_of_exprt(index);
 
   return true;
 }
@@ -98,14 +94,10 @@ bool cpp_typecheckt::standard_conversion_array_to_pointer(
 bool cpp_typecheckt::standard_conversion_function_to_pointer(
   const exprt &expr, exprt &new_expr) const
 {
-  const code_typet &func_type=to_code_type(expr.type());
-
   if(!expr.get_bool(ID_C_lvalue))
     return false;
 
-  pointer_typet pointer=pointer_type(func_type);
-
-  new_expr=address_of_exprt(expr, pointer);
+  new_expr=address_of_exprt(expr);
 
   return true;
 }
@@ -886,7 +878,7 @@ bool cpp_typecheckt::user_defined_conversion_sequence(
 
         if(subtype_typecast(from_struct, to_struct))
         {
-          exprt address=address_of_exprt(expr, pointer_type(expr.type()));
+          exprt address=address_of_exprt(expr);
 
           // simplify address
           if(expr.id()==ID_dereference)
@@ -1016,9 +1008,7 @@ bool cpp_typecheckt::user_defined_conversion_sequence(
           else if(from_struct.is_not_nil() && arg1_struct.is_not_nil())
           {
             // try derived-to-base conversion
-            exprt expr_pfrom=
-              address_of_exprt(expr, pointer_type(expr.type()));
-
+            address_of_exprt expr_pfrom(expr, pointer_type(expr.type()));
             pointer_typet pto=pointer_type(arg1_type);
 
             exprt expr_ptmp;
@@ -1441,12 +1431,11 @@ bool cpp_typecheckt::reference_binding(
       new_expr.swap(tmp);
     }
 
-    exprt tmp=
-      address_of_exprt(new_expr, pointer_type(new_expr.type()));
+    address_of_exprt tmp(new_expr, pointer_type(new_expr.type()));
     tmp.type().set(ID_C_reference, true);
     tmp.add_source_location()=new_expr.source_location();
 
-    new_expr.swap(tmp);
+    new_expr=tmp;
     return true;
   }
 
@@ -1707,10 +1696,9 @@ bool cpp_typecheckt::const_typecast(
     if(new_expr.type()!=type.subtype())
       return false;
 
-    exprt address_of(ID_address_of, type);
-    address_of.copy_to_operands(expr);
+    exprt address_of=address_of_exprt(expr, to_pointer_type(type));
     add_implicit_dereference(address_of);
-    new_expr.swap(address_of);
+    new_expr=address_of;
     return true;
   }
   else if(type.id()==ID_pointer)
@@ -1872,7 +1860,7 @@ bool cpp_typecheckt::reinterpret_typecast(
 
   if(is_reference(type) && e.get_bool(ID_C_lvalue))
   {
-    exprt tmp=address_of_exprt(e, pointer_type(e.type()));
+    exprt tmp=address_of_exprt(e);
     tmp.make_typecast(type);
     new_expr.swap(tmp);
     return true;
@@ -1936,7 +1924,7 @@ bool cpp_typecheckt::static_typecast(
           return true;
         }
 
-        exprt address_of=address_of_exprt(e, pointer_type(e.type()));
+        exprt address_of=address_of_exprt(e);
         make_ptr_typecast(address_of, type);
         new_expr.swap(address_of);
         return true;
diff --git a/src/cpp/cpp_typecheck_expr.cpp b/src/cpp/cpp_typecheck_expr.cpp
index b50bdd8c7e..87f15a16a3 100644
--- a/src/cpp/cpp_typecheck_expr.cpp
+++ b/src/cpp/cpp_typecheck_expr.cpp
@@ -2252,9 +2252,9 @@ void cpp_typecheckt::typecheck_side_effect_function_call(
       if(operand.type().id()!=ID_pointer &&
          operand.type()==argument.type().subtype())
       {
-        exprt tmp=address_of_exprt(operand, pointer_type(operand.type()));
+        address_of_exprt tmp(operand, pointer_type(operand.type()));
         tmp.add_source_location()=operand.source_location();
-        operand.swap(tmp);
+        operand=tmp;
       }
     }
   }
@@ -2666,9 +2666,7 @@ void cpp_typecheckt::convert_pmop(exprt &expr)
     else
     {
       assert(expr.op0().get_bool(ID_C_lvalue));
-      exprt address_of=
-        address_of_exprt(expr.op0(), pointer_type(expr.op0().type()));
-      expr.op0().swap(address_of);
+      expr.op0()=address_of_exprt(expr.op0());
     }
   }
 
diff --git a/src/goto-programs/string_instrumentation.cpp b/src/goto-programs/string_instrumentation.cpp
index 955d34d3ab..f4ce4129ee 100644
--- a/src/goto-programs/string_instrumentation.cpp
+++ b/src/goto-programs/string_instrumentation.cpp
@@ -825,12 +825,12 @@ void string_instrumentationt::do_strerror(
   }
 
   // return a pointer to some magic buffer
-  exprt index=exprt(ID_index, char_type());
-  index.copy_to_operands(
+  index_exprt index(
     symbol_buf.symbol_expr(),
-    from_integer(0, index_type()));
+    from_integer(0, index_type()),
+    char_type());
 
-  exprt ptr=address_of_exprt(index, pointer_type(char_type()));
+  address_of_exprt ptr(index);
 
   // make that zero-terminated
   {
diff --git a/src/goto-symex/auto_objects.cpp b/src/goto-symex/auto_objects.cpp
index f2a90b1550..2338b10259 100644
--- a/src/goto-symex/auto_objects.cpp
+++ b/src/goto-symex/auto_objects.cpp
@@ -66,8 +66,9 @@ void goto_symext::initialize_auto_object(
     {
       // could be NULL nondeterministically
 
-      address_of_exprt address_of_expr=
-        address_of_exprt(make_auto_object(type.subtype()));
+      address_of_exprt address_of_expr(
+        make_auto_object(type.subtype()),
+        pointer_type);
 
       if_exprt rhs(
         side_effect_expr_nondett(bool_typet()),
diff --git a/src/util/std_expr.cpp b/src/util/std_expr.cpp
index 6fc3de230d..cef9446e2e 100644
--- a/src/util/std_expr.cpp
+++ b/src/util/std_expr.cpp
@@ -13,10 +13,8 @@ Author: Daniel Kroening, kroening@kroening.com
 #include "arith_tools.h"
 #include "byte_operators.h"
 #include "c_types.h"
-#include "config.h"
 #include "namespace.h"
 #include "pointer_offset_size.h"
-
 #include "std_types.h"
 
 bool constant_exprt::value_is_zero_string() const
@@ -171,3 +169,20 @@ extractbits_exprt::extractbits_exprt(
   upper()=constant_exprt::integer_constant(_upper);
   lower()=constant_exprt::integer_constant(_lower);
 }
+
+/*******************************************************************\
+
+Function: address_of_exprt::address_of_exprt
+
+  Inputs:
+
+ Outputs:
+
+ Purpose:
+
+\*******************************************************************/
+
+address_of_exprt::address_of_exprt(const exprt &_op):
+  unary_exprt(ID_address_of, _op, pointer_type(_op.type()))
+{
+}
diff --git a/src/util/std_expr.h b/src/util/std_expr.h
index e2ed2ad433..c4837be001 100644
--- a/src/util/std_expr.h
+++ b/src/util/std_expr.h
@@ -2590,19 +2590,19 @@ inline extractbits_exprt &to_extractbits_expr(exprt &expr)
 
 /*! \brief Operator to return the address of an object
 */
-class address_of_exprt:public exprt
+class address_of_exprt:public unary_exprt
 {
 public:
-  explicit address_of_exprt(const exprt &op):
-    exprt(ID_address_of, pointer_typet(op.type()))
+  explicit address_of_exprt(const exprt &op);
+
+  address_of_exprt(const exprt &op, const pointer_typet &_type):
+    unary_exprt(ID_address_of, op, _type)
   {
-    copy_to_operands(op);
   }
 
   address_of_exprt():
-    exprt(ID_address_of, pointer_typet())
+    unary_exprt(ID_address_of, pointer_typet())
   {
-    operands().resize(1);
   }
 
   exprt &object()

From d430319bc502639a41a8338b9d60b872edfadbef Mon Sep 17 00:00:00 2001
From: Daniel Kroening 
Date: Wed, 19 Jul 2017 12:45:23 +0100
Subject: [PATCH 82/89] removed an assert

---
 src/cpp/cpp_typecheck_conversions.cpp | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/cpp/cpp_typecheck_conversions.cpp b/src/cpp/cpp_typecheck_conversions.cpp
index b1374eda41..f2c5d04f36 100644
--- a/src/cpp/cpp_typecheck_conversions.cpp
+++ b/src/cpp/cpp_typecheck_conversions.cpp
@@ -1050,7 +1050,9 @@ bool cpp_typecheckt::user_defined_conversion_sequence(
 
               new_expr.swap(ctor_expr);
 
-              assert(new_expr.get(ID_statement)==ID_temporary_object);
+              INVARIANT(
+                new_expr.get(ID_statement)==ID_temporary_object,
+                "statement ID");
 
               if(to.get_bool(ID_C_constant))
                 new_expr.type().set(ID_C_constant, true);

From db71221c957c501ca0138a0249a48ac304f1ef42 Mon Sep 17 00:00:00 2001
From: Daniel Kroening 
Date: Thu, 20 Jul 2017 10:30:28 +0100
Subject: [PATCH 83/89] include order cleanup

---
 src/goto-instrument/wmm/shared_buffers.cpp    |  6 ++----
 src/goto-programs/remove_asm.cpp              |  2 +-
 src/goto-programs/remove_exceptions.cpp       |  2 +-
 .../remove_virtual_functions.cpp              |  9 ++++----
 .../java_bytecode_convert_class.cpp           |  2 +-
 .../java_bytecode_convert_method.cpp          | 21 +++++++++----------
 src/solvers/smt2/smt2_conv.cpp                | 12 +++++------
 7 files changed, 25 insertions(+), 29 deletions(-)

diff --git a/src/goto-instrument/wmm/shared_buffers.cpp b/src/goto-instrument/wmm/shared_buffers.cpp
index 85a9f7249d..f68b29b2fe 100644
--- a/src/goto-instrument/wmm/shared_buffers.cpp
+++ b/src/goto-instrument/wmm/shared_buffers.cpp
@@ -6,14 +6,12 @@ Author: Daniel Kroening, kroening@kroening.com
 
 \*******************************************************************/
 
-#include 
-
 #include "shared_buffers.h"
-
 #include "fence.h"
-
 #include "../rw_set.h"
 
+#include 
+
 /// returns a unique id (for fresh variables)
 std::string shared_bufferst::unique(void)
 {
diff --git a/src/goto-programs/remove_asm.cpp b/src/goto-programs/remove_asm.cpp
index c2688df9d1..29958434d4 100644
--- a/src/goto-programs/remove_asm.cpp
+++ b/src/goto-programs/remove_asm.cpp
@@ -16,8 +16,8 @@ Date:   December 2014
 
 #include 
 
-#include 
 #include 
+#include 
 
 #include 
 #include 
diff --git a/src/goto-programs/remove_exceptions.cpp b/src/goto-programs/remove_exceptions.cpp
index 8d95e97186..09fe45f2de 100644
--- a/src/goto-programs/remove_exceptions.cpp
+++ b/src/goto-programs/remove_exceptions.cpp
@@ -20,8 +20,8 @@ Date:   December 2016
 #include 
 #include 
 
-#include 
 #include 
+#include 
 #include 
 
 class remove_exceptionst
diff --git a/src/goto-programs/remove_virtual_functions.cpp b/src/goto-programs/remove_virtual_functions.cpp
index 3803f77f42..5ae06fceeb 100644
--- a/src/goto-programs/remove_virtual_functions.cpp
+++ b/src/goto-programs/remove_virtual_functions.cpp
@@ -10,14 +10,13 @@ Author: Daniel Kroening, kroening@kroening.com
 /// Remove Virtual Function (Method) Calls
 
 #include "remove_virtual_functions.h"
-
-#include 
-#include 
-#include 
-
 #include "class_hierarchy.h"
 #include "class_identifier.h"
 
+#include 
+#include 
+#include 
+
 class remove_virtual_functionst
 {
 public:
diff --git a/src/java_bytecode/java_bytecode_convert_class.cpp b/src/java_bytecode/java_bytecode_convert_class.cpp
index 707614f2f7..ab4c3d50ce 100644
--- a/src/java_bytecode/java_bytecode_convert_class.cpp
+++ b/src/java_bytecode/java_bytecode_convert_class.cpp
@@ -20,9 +20,9 @@ Author: Daniel Kroening, kroening@kroening.com
 #include "java_bytecode_convert_method.h"
 #include "java_bytecode_language.h"
 
+#include 
 #include 
 #include 
-#include 
 
 #include 
 
diff --git a/src/java_bytecode/java_bytecode_convert_method.cpp b/src/java_bytecode/java_bytecode_convert_method.cpp
index 586cca70f3..8a02f4f885 100644
--- a/src/java_bytecode/java_bytecode_convert_method.cpp
+++ b/src/java_bytecode/java_bytecode_convert_method.cpp
@@ -9,30 +9,29 @@ Author: Daniel Kroening, kroening@kroening.com
 /// \file
 /// JAVA Bytecode Language Conversion
 
-#include "java_bytecode_convert_method.h"
-
 #ifdef DEBUG
 #include 
 #endif
 
+#include "java_bytecode_convert_method.h"
+#include "java_bytecode_convert_method_class.h"
+#include "bytecode_info.h"
+#include "java_types.h"
+
+#include 
+#include 
+#include 
 #include 
+#include 
+#include 
 #include 
 #include 
-#include 
-#include 
-#include 
-#include 
-#include 
 
 #include 
 
 #include 
 #include 
 
-#include "java_bytecode_convert_method_class.h"
-#include "bytecode_info.h"
-#include "java_types.h"
-
 #include 
 #include 
 #include 
diff --git a/src/solvers/smt2/smt2_conv.cpp b/src/solvers/smt2/smt2_conv.cpp
index 39b0ed8bc8..ccf6087379 100644
--- a/src/solvers/smt2/smt2_conv.cpp
+++ b/src/solvers/smt2/smt2_conv.cpp
@@ -14,16 +14,16 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 
 #include 
+#include 
+#include 
 #include 
+#include 
+#include 
+#include 
+#include 
 #include 
 #include 
-#include 
-#include 
-#include 
-#include 
 #include 
-#include 
-#include 
 
 #include 
 

From 493e9beb8dcd2c266d362486353289622f183f00 Mon Sep 17 00:00:00 2001
From: Chris Smowton 
Date: Mon, 26 Jun 2017 18:17:33 +0100
Subject: [PATCH 84/89] Allow invariants with structured exceptions

---
 .travis.yml                                   |   2 +-
 regression/Makefile                           |   1 +
 regression/cbmc/invariant-failure/main.c      |   4 -
 regression/invariants/.gitignore              |   1 +
 regression/invariants/Makefile                |  32 ++++
 regression/invariants/driver.cpp              |  88 ++++++++++
 .../invariant-failure/test.desc               |   6 +-
 .../invariants/invariant-failure10/test.desc  |  13 ++
 .../invariants/invariant-failure11/test.desc  |  12 ++
 .../invariants/invariant-failure12/test.desc  |  13 ++
 .../invariants/invariant-failure2/test.desc   |  13 ++
 .../invariants/invariant-failure3/test.desc   |  12 ++
 .../invariants/invariant-failure4/test.desc   |  13 ++
 .../invariants/invariant-failure5/test.desc   |  12 ++
 .../invariants/invariant-failure6/test.desc   |  13 ++
 .../invariants/invariant-failure7/test.desc   |  12 ++
 .../invariants/invariant-failure8/test.desc   |  13 ++
 .../invariants/invariant-failure9/test.desc   |  12 ++
 src/cbmc/cbmc_parse_options.cpp               |  21 ---
 src/cbmc/cbmc_parse_options.h                 |   1 -
 src/util/invariant.cpp                        |  84 +++++----
 src/util/invariant.h                          | 164 +++++++++++++++---
 22 files changed, 445 insertions(+), 97 deletions(-)
 delete mode 100644 regression/cbmc/invariant-failure/main.c
 create mode 100644 regression/invariants/.gitignore
 create mode 100644 regression/invariants/Makefile
 create mode 100644 regression/invariants/driver.cpp
 rename regression/{cbmc => invariants}/invariant-failure/test.desc (62%)
 create mode 100644 regression/invariants/invariant-failure10/test.desc
 create mode 100644 regression/invariants/invariant-failure11/test.desc
 create mode 100644 regression/invariants/invariant-failure12/test.desc
 create mode 100644 regression/invariants/invariant-failure2/test.desc
 create mode 100644 regression/invariants/invariant-failure3/test.desc
 create mode 100644 regression/invariants/invariant-failure4/test.desc
 create mode 100644 regression/invariants/invariant-failure5/test.desc
 create mode 100644 regression/invariants/invariant-failure6/test.desc
 create mode 100644 regression/invariants/invariant-failure7/test.desc
 create mode 100644 regression/invariants/invariant-failure8/test.desc
 create mode 100644 regression/invariants/invariant-failure9/test.desc

diff --git a/.travis.yml b/.travis.yml
index 0cf80acccf..1145190171 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -159,7 +159,7 @@ install:
 
 script:
   - if [ -e bin/gcc ] ; then export PATH=$PWD/bin:$PATH ; fi ;
-    COMMAND="env UBSAN_OPTIONS=print_stacktrace=1 make -C regression test" &&
+    COMMAND="env UBSAN_OPTIONS=print_stacktrace=1 make -C regression test CXX=\"$COMPILER\" CXXFLAGS=\"-Wall -Werror -pedantic -O2 -g $EXTRA_CXXFLAGS\"" &&
     eval ${PRE_COMMAND} ${COMMAND}
   - COMMAND="make -C unit CXX=\"$COMPILER\" CXXFLAGS=\"-Wall -Werror -pedantic -O2 -g $EXTRA_CXXFLAGS\" -j2" &&
     eval ${PRE_COMMAND} ${COMMAND}
diff --git a/regression/Makefile b/regression/Makefile
index b6d109b604..87dcd7c93f 100644
--- a/regression/Makefile
+++ b/regression/Makefile
@@ -6,6 +6,7 @@ DIRS = ansi-c \
        goto-instrument \
        goto-instrument-typedef \
        goto-diff \
+       invariants \
        test-script \
        # Empty last line
 
diff --git a/regression/cbmc/invariant-failure/main.c b/regression/cbmc/invariant-failure/main.c
deleted file mode 100644
index f8b643afbf..0000000000
--- a/regression/cbmc/invariant-failure/main.c
+++ /dev/null
@@ -1,4 +0,0 @@
-int main()
-{
-  return 0;
-}
diff --git a/regression/invariants/.gitignore b/regression/invariants/.gitignore
new file mode 100644
index 0000000000..e54525b1ee
--- /dev/null
+++ b/regression/invariants/.gitignore
@@ -0,0 +1 @@
+driver
diff --git a/regression/invariants/Makefile b/regression/invariants/Makefile
new file mode 100644
index 0000000000..b561a96083
--- /dev/null
+++ b/regression/invariants/Makefile
@@ -0,0 +1,32 @@
+default: tests.log
+
+SRC = driver.cpp
+
+INCLUDES = -I ../../src
+
+OBJ += ../../src/util/util$(LIBEXT)
+
+include ../../src/config.inc
+include ../../src/common
+
+test: driver$(EXEEXT)
+	@if ! ../test.pl -c ../driver ; then \
+		../failed-tests-printer.pl ; \
+		exit 1 ; \
+	fi
+
+tests.log: ../test.pl driver$(EXEEXT)
+	@if ! ../test.pl -c ../driver ; then \
+		../failed-tests-printer.pl ; \
+		exit 1 ; \
+	fi
+
+show:
+	@for dir in *; do \
+		if [ -d "$$dir" ]; then \
+			vim -o "$$dir/*.c" "$$dir/*.out"; \
+		fi; \
+	done;
+
+driver$(EXEEXT): $(OBJ)
+	$(LINKBIN)
diff --git a/regression/invariants/driver.cpp b/regression/invariants/driver.cpp
new file mode 100644
index 0000000000..824ae588c0
--- /dev/null
+++ b/regression/invariants/driver.cpp
@@ -0,0 +1,88 @@
+/*******************************************************************\
+
+Module: Invariant violation testing
+
+Author: Chris Smowton, chris.smowton@diffblue.com
+
+\*******************************************************************/
+
+/// \file
+/// Invariant violation testing
+
+#include 
+#include 
+#include 
+
+/// An example of structured invariants-- this contains fields to
+/// describe the error to a catcher, and also produces a human-readable
+/// message containing all the information for use by the current aborting
+/// invariant implementation and/or any generic error catcher in the future.
+class structured_error_testt: public invariant_failedt
+{
+  std::string pretty_print(int code, const std::string &desc)
+  {
+    std::ostringstream ret;
+    ret << "Error code: " << code
+        << "\nDescription: " << desc;
+    return ret.str();
+  }
+
+public:
+  const int error_code;
+  const std::string description;
+
+  structured_error_testt(
+    const std::string &file,
+    const std::string &function,
+    int line,
+    const std::string &backtrace,
+    int code,
+    const std::string &_description):
+    invariant_failedt(
+      file,
+      function,
+      line,
+      backtrace,
+      pretty_print(code, _description)),
+    error_code(code),
+    description(_description)
+  {
+  }
+};
+
+/// Causes an invariant failure dependent on first argument value.
+/// One ignored argument is accepted to conform with the test.pl script,
+/// which would be the input source file for other cbmc driver programs.
+/// Returns 1 on unexpected arguments.
+int main(int argc, char** argv)
+{
+  if(argc!=3)
+    return 1;
+  std::string arg=argv[1];
+  if(arg=="structured")
+    INVARIANT_STRUCTURED(false, structured_error_testt, 1, "Structured error"); // NOLINT
+  else if(arg=="string")
+    INVARIANT(false, "Test invariant failure");
+  else if(arg=="precondition-structured")
+    PRECONDITION_STRUCTURED(false, structured_error_testt, 1, "Structured error"); // NOLINT
+  else if(arg=="precondition-string")
+    PRECONDITION(false);
+  else if(arg=="postcondition-structured")
+    POSTCONDITION_STRUCTURED(false, structured_error_testt, 1, "Structured error"); // NOLINT
+  else if(arg=="postcondition-string")
+    POSTCONDITION(false);
+  else if(arg=="check-return-structured")
+    CHECK_RETURN_STRUCTURED(false, structured_error_testt, 1, "Structured error"); // NOLINT
+  else if(arg=="check-return-string")
+    CHECK_RETURN(false);
+  else if(arg=="unreachable-structured")
+    UNREACHABLE_STRUCTURED(structured_error_testt, 1, "Structured error"); // NOLINT
+  else if(arg=="unreachable-string")
+    UNREACHABLE;
+  else if(arg=="data-invariant-structured")
+    DATA_INVARIANT_STRUCTURED(false, structured_error_testt, 1, "Structured error"); // NOLINT
+  else if(arg=="data-invariant-string")
+    DATA_INVARIANT(false, "Test invariant failure");
+  else
+    return 1;
+}
diff --git a/regression/cbmc/invariant-failure/test.desc b/regression/invariants/invariant-failure/test.desc
similarity index 62%
rename from regression/cbmc/invariant-failure/test.desc
rename to regression/invariants/invariant-failure/test.desc
index 9966d66547..70628a2e06 100644
--- a/regression/cbmc/invariant-failure/test.desc
+++ b/regression/invariants/invariant-failure/test.desc
@@ -1,8 +1,10 @@
 CORE
-main.c
---test-invariant-failure
+dummy_parameter.c
+string
 ^EXIT=(0|127|134|137)$
 ^SIGNAL=0$
+--- begin invariant violation report ---
+Test invariant failure
 Invariant check failed
 ^(Backtrace)|(Backtraces not supported)$
 --
diff --git a/regression/invariants/invariant-failure10/test.desc b/regression/invariants/invariant-failure10/test.desc
new file mode 100644
index 0000000000..fae345f2b2
--- /dev/null
+++ b/regression/invariants/invariant-failure10/test.desc
@@ -0,0 +1,13 @@
+CORE
+dummy_parameter.c
+unreachable-structured
+^EXIT=(0|127|134|137)$
+^SIGNAL=0$
+--- begin invariant violation report ---
+Invariant check failed
+Error code: 1
+Description: Structured error
+^(Backtrace)|(Backtraces not supported)$
+--
+^warning: ignoring
+^VERIFICATION SUCCESSFUL$
diff --git a/regression/invariants/invariant-failure11/test.desc b/regression/invariants/invariant-failure11/test.desc
new file mode 100644
index 0000000000..fc160b2130
--- /dev/null
+++ b/regression/invariants/invariant-failure11/test.desc
@@ -0,0 +1,12 @@
+CORE
+dummy_parameter.c
+data-invariant-string
+^EXIT=(0|127|134|137)$
+^SIGNAL=0$
+--- begin invariant violation report ---
+Test invariant failure
+Invariant check failed
+^(Backtrace)|(Backtraces not supported)$
+--
+^warning: ignoring
+^VERIFICATION SUCCESSFUL$
diff --git a/regression/invariants/invariant-failure12/test.desc b/regression/invariants/invariant-failure12/test.desc
new file mode 100644
index 0000000000..498af6f2cc
--- /dev/null
+++ b/regression/invariants/invariant-failure12/test.desc
@@ -0,0 +1,13 @@
+CORE
+dummy_parameter.c
+data-invariant-structured
+^EXIT=(0|127|134|137)$
+^SIGNAL=0$
+--- begin invariant violation report ---
+Invariant check failed
+Error code: 1
+Description: Structured error
+^(Backtrace)|(Backtraces not supported)$
+--
+^warning: ignoring
+^VERIFICATION SUCCESSFUL$
diff --git a/regression/invariants/invariant-failure2/test.desc b/regression/invariants/invariant-failure2/test.desc
new file mode 100644
index 0000000000..daadab22c4
--- /dev/null
+++ b/regression/invariants/invariant-failure2/test.desc
@@ -0,0 +1,13 @@
+CORE
+dummy_parameter.c
+structured
+^EXIT=(0|127|134|137)$
+^SIGNAL=0$
+--- begin invariant violation report ---
+Invariant check failed
+Error code: 1
+Description: Structured error
+^(Backtrace)|(Backtraces not supported)$
+--
+^warning: ignoring
+^VERIFICATION SUCCESSFUL$
diff --git a/regression/invariants/invariant-failure3/test.desc b/regression/invariants/invariant-failure3/test.desc
new file mode 100644
index 0000000000..42aba0fc5b
--- /dev/null
+++ b/regression/invariants/invariant-failure3/test.desc
@@ -0,0 +1,12 @@
+CORE
+dummy_parameter.c
+precondition-string
+^EXIT=(0|127|134|137)$
+^SIGNAL=0$
+--- begin invariant violation report ---
+Precondition
+Invariant check failed
+^(Backtrace)|(Backtraces not supported)$
+--
+^warning: ignoring
+^VERIFICATION SUCCESSFUL$
diff --git a/regression/invariants/invariant-failure4/test.desc b/regression/invariants/invariant-failure4/test.desc
new file mode 100644
index 0000000000..6339338d49
--- /dev/null
+++ b/regression/invariants/invariant-failure4/test.desc
@@ -0,0 +1,13 @@
+CORE
+dummy_parameter.c
+precondition-structured
+^EXIT=(0|127|134|137)$
+^SIGNAL=0$
+--- begin invariant violation report ---
+Invariant check failed
+Error code: 1
+Description: Structured error
+^(Backtrace)|(Backtraces not supported)$
+--
+^warning: ignoring
+^VERIFICATION SUCCESSFUL$
diff --git a/regression/invariants/invariant-failure5/test.desc b/regression/invariants/invariant-failure5/test.desc
new file mode 100644
index 0000000000..f6f6971351
--- /dev/null
+++ b/regression/invariants/invariant-failure5/test.desc
@@ -0,0 +1,12 @@
+CORE
+dummy_parameter.c
+postcondition-string
+^EXIT=(0|127|134|137)$
+^SIGNAL=0$
+--- begin invariant violation report ---
+Postcondition
+Invariant check failed
+^(Backtrace)|(Backtraces not supported)$
+--
+^warning: ignoring
+^VERIFICATION SUCCESSFUL$
diff --git a/regression/invariants/invariant-failure6/test.desc b/regression/invariants/invariant-failure6/test.desc
new file mode 100644
index 0000000000..1b83f2630b
--- /dev/null
+++ b/regression/invariants/invariant-failure6/test.desc
@@ -0,0 +1,13 @@
+CORE
+dummy_parameter.c
+postcondition-structured
+^EXIT=(0|127|134|137)$
+^SIGNAL=0$
+--- begin invariant violation report ---
+Invariant check failed
+Error code: 1
+Description: Structured error
+^(Backtrace)|(Backtraces not supported)$
+--
+^warning: ignoring
+^VERIFICATION SUCCESSFUL$
diff --git a/regression/invariants/invariant-failure7/test.desc b/regression/invariants/invariant-failure7/test.desc
new file mode 100644
index 0000000000..9b25a5ac5e
--- /dev/null
+++ b/regression/invariants/invariant-failure7/test.desc
@@ -0,0 +1,12 @@
+CORE
+dummy_parameter.c
+check-return-string
+^EXIT=(0|127|134|137)$
+^SIGNAL=0$
+--- begin invariant violation report ---
+Check return value
+Invariant check failed
+^(Backtrace)|(Backtraces not supported)$
+--
+^warning: ignoring
+^VERIFICATION SUCCESSFUL$
diff --git a/regression/invariants/invariant-failure8/test.desc b/regression/invariants/invariant-failure8/test.desc
new file mode 100644
index 0000000000..1165b32a25
--- /dev/null
+++ b/regression/invariants/invariant-failure8/test.desc
@@ -0,0 +1,13 @@
+CORE
+dummy_parameter.c
+check-return-structured
+^EXIT=(0|127|134|137)$
+^SIGNAL=0$
+--- begin invariant violation report ---
+Invariant check failed
+Error code: 1
+Description: Structured error
+^(Backtrace)|(Backtraces not supported)$
+--
+^warning: ignoring
+^VERIFICATION SUCCESSFUL$
diff --git a/regression/invariants/invariant-failure9/test.desc b/regression/invariants/invariant-failure9/test.desc
new file mode 100644
index 0000000000..38aebd70d6
--- /dev/null
+++ b/regression/invariants/invariant-failure9/test.desc
@@ -0,0 +1,12 @@
+CORE
+dummy_parameter.c
+unreachable-string
+^EXIT=(0|127|134|137)$
+^SIGNAL=0$
+--- begin invariant violation report ---
+Unreachable
+Invariant check failed
+^(Backtrace)|(Backtraces not supported)$
+--
+^warning: ignoring
+^VERIFICATION SUCCESSFUL$
diff --git a/src/cbmc/cbmc_parse_options.cpp b/src/cbmc/cbmc_parse_options.cpp
index 65a4386077..2943d9a18d 100644
--- a/src/cbmc/cbmc_parse_options.cpp
+++ b/src/cbmc/cbmc_parse_options.cpp
@@ -106,27 +106,6 @@ void cbmc_parse_optionst::get_command_line_options(optionst &options)
     exit(1); // should contemplate EX_USAGE from sysexits.h
   }
 
-  // Test only; do not use for input validation
-  if(cmdline.isset("test-invariant-failure"))
-  {
-    // Have to catch this as the default handling of uncaught exceptions
-    // on windows appears to be silent termination.
-    try
-    {
-      INVARIANT(0, "Test invariant failure");
-    }
-    catch (const invariant_failedt &e)
-    {
-      std::cerr << e.what();
-      exit(0); // should contemplate EX_OK from sysexits.h
-    }
-    catch (...)
-    {
-      error() << "Unexpected exception type\n";
-    }
-    exit(1);
-  }
-
   if(cmdline.isset("program-only"))
     options.set_option("program-only", true);
 
diff --git a/src/cbmc/cbmc_parse_options.h b/src/cbmc/cbmc_parse_options.h
index d95e60eb25..4d8e675347 100644
--- a/src/cbmc/cbmc_parse_options.h
+++ b/src/cbmc/cbmc_parse_options.h
@@ -63,7 +63,6 @@ class optionst;
   "(java-cp-include-files):" \
   "(localize-faults)(localize-faults-method):" \
   "(lazy-methods)" \
-  "(test-invariant-failure)" \
   "(fixedbv)(floatbv)(all-claims)(all-properties)" // legacy, and will eventually disappear // NOLINT(whitespace/line_length)
 
 class cbmc_parse_optionst:
diff --git a/src/util/invariant.cpp b/src/util/invariant.cpp
index b0047cccf4..eb63382ef7 100644
--- a/src/util/invariant.cpp
+++ b/src/util/invariant.cpp
@@ -12,10 +12,7 @@ Author: Martin Brain, martin.brain@diffblue.com
 #include 
 #include 
 
-#ifdef CPROVER_INVARIANT_PRINT_STACK_TRACE
 #include 
-#include 
-#endif
 
 // Backtraces compiler and C library specific
 // So we should include something explicitly from the C library
@@ -39,7 +36,7 @@ Author: Martin Brain, martin.brain@diffblue.com
 /// \return True <=> the entry has been successfully demangled and printed.
 static bool output_demangled_name(
   std::ostream &out,
-  const char * const stack_entry)
+  const std::string &stack_entry)
 {
   bool return_value=false;
 
@@ -75,40 +72,11 @@ static bool output_demangled_name(
 #endif
 
 
-/// Checks that the given invariant condition holds and prints a back trace
-/// and / or throws an exception depending on build configuration.
-/// Does not return if condition is false.
-/// Returns with no output or state change if true.
-///
-/// \param file : C string giving the name of the file.
-/// \param function : C string giving the name of the function.
-/// \param line : The line number of the invariant
-/// \param condition : The result of evaluating the invariant condition.
-/// \param reason : C string giving the reason why the invariant should be true.
-void check_invariant(
-  const char * const file,
-  const char * const function,
-  const int line,
-  const bool condition,
-  const char * const reason)
+/// Prints a back trace to 'out'
+/// \param out: Stream to print backtrace
+void print_backtrace(
+  std::ostream &out)
 {
-  if(condition)
-    return;
-
-#ifdef CPROVER_INVARIANT_PRINT_STACK_TRACE
-    std::ostream & out(std::cerr);
-#else
-    std::ostringstream out;
-#endif
-
-    // Flush regularly so that errors during output will result in
-    // partial error logs rather than nothing
-    out << "Invariant check failed\n" << std::flush;
-    out << "File " << file
-        << " function " << function
-        << " line " << line
-        << '\n' << std::flush;
-
 #ifdef __GLIBC__
     out << "Backtrace\n" << std::flush;
 
@@ -129,11 +97,39 @@ void check_invariant(
 #else
     out << "Backtraces not supported\n" << std::flush;
 #endif
-
-
-#ifdef CPROVER_INVARIANT_PRINT_STACK_TRACE
-    abort();
-#else
-    throw invariant_failedt(out.str());
-#endif
+}
+
+/// Returns a backtrace
+/// \return backtrace with a file / function / line header.
+std::string get_backtrace()
+{
+  std::ostringstream ostr;
+  print_backtrace(ostr);
+  return ostr.str();
+}
+
+/// Dump exception report to stderr
+void report_exception_to_stderr(const invariant_failedt &reason)
+{
+  std::cerr << "--- begin invariant violation report ---\n";
+  std::cerr << reason.what() << '\n';
+  std::cerr << "--- end invariant violation report ---\n";
+}
+
+std::string invariant_failedt::get_invariant_failed_message(
+  const std::string &file,
+  const std::string &function,
+  int line,
+  const std::string &backtrace,
+  const std::string &reason)
+{
+  std::ostringstream out;
+  out << "Invariant check failed\n"
+      << "File " << file
+      << " function " << function
+      << " line " << line << '\n'
+      << "Reason: " << reason
+      << "Backtrace:\n"
+      << backtrace << '\n';
+  return out.str();
 }
diff --git a/src/util/invariant.h b/src/util/invariant.h
index e5bc07b3d5..325020a0d6 100644
--- a/src/util/invariant.h
+++ b/src/util/invariant.h
@@ -10,6 +10,9 @@ Author: Martin Brain, martin.brain@diffblue.com
 #define CPROVER_UTIL_INVARIANT_H
 
 #include 
+#include 
+#include 
+#include 
 
 /*
 ** Invariants document conditions that the programmer believes to
@@ -42,7 +45,7 @@ Author: Martin Brain, martin.brain@diffblue.com
 **       OR there will be undefined behaviour
 **
 ** Consequentally, programmers may assume that the condition of an
-** invariant is true after it has been executed.  Applications are 
+** invariant is true after it has been executed.  Applications are
 ** encouraged to (at least) catch exceptions at the top level and
 ** output them.
 **
@@ -51,13 +54,63 @@ Author: Martin Brain, martin.brain@diffblue.com
 ** CPROVER_INVARIANT_* macros.
 */
 
+/// A logic error, augmented with a distinguished field to hold a backtrace.
+/// Classes that extend this one should share the same initial constructor
+/// parameters: their constructor signature should be of the form:
+/// my_invariantt::my_invariantt(
+///   const std::string &file,
+///   const std::string &function,
+///   int line,
+///   const std::string &backtrace,
+///   T1 arg1,
+///   T2 arg2 ...
+///   Tn argn)
+/// It should pretty-print the T1 ... Tn arguments and pass it as `reason` to
+/// invariant_failedt's constructor, or else simply pass a reason string
+/// through.
+/// Conforming to this pattern allows the class to be used with the INVARIANT
+/// family of macros, allowing constructs like
+/// `INVARIANT(x==y, my_invariantt, (T1)actual1, (T2)actual2, ...)`
+///
 class invariant_failedt: public std::logic_error
 {
-public:
-  explicit invariant_failedt(const std::string& what) : logic_error(what) {}
-  explicit invariant_failedt(const char* what) : logic_error(what) {}
-};
+ private:
+  std::string get_invariant_failed_message(
+    const std::string &file,
+    const std::string &function,
+    int line,
+    const std::string &backtrace,
+    const std::string &reason);
 
+ public:
+
+  const std::string file;
+  const std::string function;
+  const int line;
+  const std::string backtrace;
+  const std::string reason;
+
+  invariant_failedt(
+    const std::string &_file,
+    const std::string &_function,
+    int _line,
+    const std::string &_backtrace,
+    const std::string &_reason):
+    logic_error(
+      get_invariant_failed_message(
+        _file,
+        _function,
+        _line,
+        _backtrace,
+        _reason)),
+    file(_file),
+    function(_function),
+    line(_line),
+    backtrace(_backtrace),
+    reason(_reason)
+  {
+  }
+};
 
 #if defined(CPROVER_INVARIANT_CPROVER_ASSERT)
 // Used to allow CPROVER to check itself
@@ -70,66 +123,129 @@ public:
 // This is *not* recommended as it can result in unpredictable behaviour
 // including silently reporting incorrect results.
 // This is also useful for checking side-effect freedom.
-#define INVARIANT(CONDITION, REASON) do {} while(0)
-
+#define INVARIANT(CONDITION, REASON, ...) do {} while(0)
 
 #elif defined(CPROVER_INVARIANT_ASSERT)
 // Not recommended but provided for backwards compatability
 #include 
 // NOLINTNEXTLINE(*)
-#define INVARIANT(CONDITION, REASON) assert((CONDITION) && (REASON))
-
+#define INVARIANT(CONDITION, REASON, ...) assert((CONDITION) && ((REASON), true))
 
 #else
-// CPROVER_INVARIANT_PRINT_STACK_TRACE affects the implementation of
-// this function but not it's generation from the macro
 
-void check_invariant(
-  const char * const file,
-  const char * const function,
+void print_backtrace(std::ostream &out);
+
+std::string get_backtrace();
+
+void report_exception_to_stderr(const invariant_failedt &);
+
+/// Takes a backtrace, gives it to the reason structure, then aborts, printing
+/// reason.what() (which therefore includes the backtrace).
+/// In future this may throw `reason` instead of aborting.
+/// \param ET : (template type parameter), type of exception to construct
+/// \param file : C string giving the name of the file.
+/// \param function : C string giving the name of the function.
+/// \param line : The line number of the invariant
+/// \param params : (variadic) parameters to forward to ET's constructor
+///  its backtrace member will be set before it is used.
+template
+typename std::enable_if::value>::type
+invariant_violated_structured(
+  const std::string &file,
+  const std::string &function,
   const int line,
-  const bool condition,
-  const char * const reason);
+  Params &&... params)
+{
+  std::string backtrace=get_backtrace();
+  ET to_throw(file, function, line, backtrace, std::forward(params)...);
+  // We now have a structured exception ready to use;
+  // in future this is the place to put a 'throw'.
+  report_exception_to_stderr(to_throw);
+  abort();
+}
 
+/// Takes a backtrace, constructs an invariant_violatedt from reason and the
+/// backtrace, aborts printing the invariant's description.
+/// In future this may throw rather than aborting.
+/// \param file : C string giving the name of the file.
+/// \param function : C string giving the name of the function.
+/// \param line : The line number of the invariant
+/// \param reason : brief description of the invariant violation.
+inline void invariant_violated_string(
+  const std::string &file,
+  const std::string &function,
+  const int line,
+  const std::string &reason)
+{
+  invariant_violated_structured(
+    file,
+    function,
+    line,
+    reason);
+}
+
+// These require a trailing semicolon by the user, such that INVARIANT
+// behaves syntactically like a function call.
+// NOLINT as macro definitions confuse the linter it seems.
 #ifdef _MSC_VER
-#define INVARIANT(CONDITION, REASON) \
-  check_invariant(__FILE__, __FUNCTION__, __LINE__, (CONDITION), (REASON))
+#define __this_function__ __FUNCTION__
 #else
-#define INVARIANT(CONDITION, REASON)                                    \
-  check_invariant(__FILE__, __func__, __LINE__, (CONDITION), (REASON))
+#define __this_function__ __func__
 #endif
 
+#define INVARIANT(CONDITION, REASON) \
+  do /* NOLINT */ \
+  { \
+  if(!(CONDITION)) \
+    invariant_violated_string(__FILE__, __this_function__, __LINE__, (REASON)); /* NOLINT */  \
+  } while(0)
 
-#endif
+#define INVARIANT_STRUCTURED(CONDITION, TYPENAME, ...) \
+  do /* NOLINT */ \
+  { \
+  if(!(CONDITION)) \
+    invariant_violated_structured(__FILE__, __this_function__, __LINE__, __VA_ARGS__); /* NOLINT */ \
+  } while(0)
 
+#endif // End CPROVER_DO_NOT_CHECK / CPROVER_ASSERT / ... if block
 
-
-// Short hand macros
+// Short hand macros. The second variant of each one permits including an
+// explanation or structured exception, in which case they are synonyms
+// for INVARIANT.
 
 // The condition should only contain (unmodified) arguments to the method.
 // "The design of the system means that the arguments to this method
 //  will always meet this condition".
 #define PRECONDITION(CONDITION) INVARIANT(CONDITION, "Precondition")
+#define PRECONDITION_STRUCTURED(CONDITION, TYPENAME, ...) \
+  INVARIANT_STRUCTURED(CONDITION, TYPENAME, __VA_ARGS__)
 
 // The condition should only contain variables that will be returned /
 // output without further modification.
 // "The implementation of this method means that the condition will hold".
 #define POSTCONDITION(CONDITION) INVARIANT(CONDITION, "Postcondition")
+#define POSTCONDITION_STRUCTURED(CONDITION, TYPENAME, ...) \
+  INVARIANT_STRUCTURED(CONDITION, TYPENAME, __VA_ARGS__)
 
 // The condition should only contain (unmodified) values that were
 // changed by a previous method call.
 // "The contract of the previous method call means the following
 //  condition holds".
 #define CHECK_RETURN(CONDITION) INVARIANT(CONDITION, "Check return value")
+#define CHECK_RETURN_STRUCTURED(CONDITION, TYPENAME, ...)  \
+  INVARIANT_STRUCTURED(CONDITION, TYPENAME, __VA_ARGS__)
 
 // This should be used to mark dead code
 #define UNREACHABLE INVARIANT(false, "Unreachable")
+#define UNREACHABLE_STRUCTURED(TYPENAME, ...) \
+  INVARIANT_STRUCTURED(false, TYPENAME, __VA_ARGS__)
 
 // This condition should be used to document that assumptions that are
 // made on goto_functions, goto_programs, exprts, etc. being well formed.
 // "The data structure is corrupt or malformed"
 #define DATA_INVARIANT(CONDITION, REASON) INVARIANT(CONDITION, REASON)
-
+#define DATA_INVARIANT_STRUCTURED(CONDITION, TYPENAME, ...) \
+  INVARIANT_STRUCTURED(CONDITION, TYPENAME, __VA_ARGS__)
 
 // Legacy annotations
 

From 6fea4fae2ef7a67f05d5b524089915479f08541e Mon Sep 17 00:00:00 2001
From: Daniel Kroening 
Date: Mon, 24 Jul 2017 15:18:57 +0100
Subject: [PATCH 85/89] Revert "[depends: #1063] Use nullptr to represent null
 pointers (targets master)"

---
 src/analyses/goto_check.cpp                   |   2 +-
 src/analyses/goto_rw.cpp                      |  10 +-
 src/analyses/goto_rw.h                        |   4 +-
 src/analyses/invariant_set.cpp                |   7 +-
 src/analyses/invariant_set.h                  |   8 +-
 src/analyses/local_may_alias.h                |   4 +-
 src/analyses/reaching_definitions.cpp         |   8 +-
 src/analyses/reaching_definitions.h           |  15 +-
 src/ansi-c/c_preprocess.cpp                   |   6 +-
 src/ansi-c/cprover_library.cpp                |   2 +-
 src/ansi-c/expr2c.cpp                         |   2 +-
 src/big-int/bigint-test.cc                    |   2 +-
 src/big-int/bigint.cc                         |  10 +-
 src/cbmc/cbmc_parse_options.cpp               |   4 +-
 src/clobber/clobber_parse_options.cpp         |   2 +-
 src/cpp/cpp_id.cpp                            |   2 +-
 src/cpp/cpp_id.h                              |   3 +-
 src/cpp/cpp_instantiate_template.cpp          |   8 +-
 src/cpp/cpp_language.cpp                      |   2 +-
 src/cpp/cpp_typecheck.h                       |   2 -
 src/cpp/cpp_typecheck_compound_type.cpp       |   2 +-
 src/cpp/cpp_typecheck_expr.cpp                |   2 +-
 src/cpp/cpp_typecheck_resolve.cpp             |   4 +-
 src/cpp/cpp_typecheck_template.cpp            |   7 +-
 src/cpp/parse.cpp                             |   4 +-
 src/goto-cc/armcc_cmdline.cpp                 |   6 +-
 src/goto-cc/as86_cmdline.cpp                  |  10 +-
 src/goto-cc/as_cmdline.cpp                    |  10 +-
 src/goto-cc/bcc_cmdline.cpp                   |  10 +-
 src/goto-cc/compile.cpp                       |   4 +-
 src/goto-cc/gcc_cmdline.cpp                   |  20 +-
 src/goto-cc/goto_cc_cmdline.cpp               |   4 +-
 src/goto-cc/goto_cc_main.cpp                  |   2 +-
 src/goto-cc/ld_cmdline.cpp                    |  12 +-
 src/goto-cc/ms_cl_cmdline.cpp                 |  14 +-
 src/goto-instrument/dump_c.cpp                |  10 +-
 src/goto-instrument/model_argc_argv.cpp       |   2 +-
 src/goto-instrument/wmm/cycle_collection.cpp  |   2 +-
 src/goto-instrument/wmm/goto2graph.cpp        |   2 +-
 src/goto-programs/initialize_goto_model.cpp   |   2 +-
 src/goto-programs/interpreter.cpp             |   2 +-
 src/goto-programs/show_symbol_table.cpp       |   2 +-
 src/goto-symex/goto_symex_state.cpp           |  10 +-
 src/goto-symex/goto_symex_state.h             |   2 -
 src/goto-symex/slice_by_trace.cpp             |   6 +-
 src/goto-symex/symex_dereference_state.cpp    |   4 +-
 src/goto-symex/symex_function_call.cpp        |   2 +-
 src/goto-symex/symex_main.cpp                 |   2 +-
 .../java_bytecode_convert_method.cpp          |   2 +-
 src/java_bytecode/java_bytecode_parser.cpp    |   2 +-
 .../java_local_variable_table.cpp             |   2 +-
 src/langapi/language_ui.cpp                   |   4 +-
 src/langapi/language_util.cpp                 |   2 +-
 src/langapi/mode.cpp                          |   8 +-
 src/miniz/miniz.cpp                           | 192 +++++++++---------
 src/path-symex/path_symex_history.h           |  10 +-
 src/path-symex/path_symex_state.h             |   2 -
 src/path-symex/path_symex_state_read.cpp      |   4 +-
 src/path-symex/var_map.cpp                    |   2 +-
 src/pointer-analysis/value_set_fi.cpp         |   6 +-
 src/pointer-analysis/value_set_fivr.cpp       |   6 +-
 src/pointer-analysis/value_set_fivrns.cpp     |   6 +-
 src/solvers/miniBDD/miniBDD.h                 |   2 +-
 src/solvers/miniBDD/miniBDD.inc               |   4 +-
 src/solvers/sat/pbs_dimacs_cnf.cpp            |  12 +-
 src/util/config.cpp                           |   4 +-
 src/util/file_util.cpp                        |   6 +-
 src/util/invariant.cpp                        |   2 +-
 src/util/irep_ids.cpp                         |   4 +-
 src/util/language_file.cpp                    |   4 +-
 src/util/language_file.h                      |   2 +-
 src/util/message.h                            |   2 +-
 src/util/namespace.cpp                        |   8 +-
 src/util/namespace.h                          |   6 +-
 src/util/parser.h                             |   2 +-
 src/util/pipe_stream.cpp                      |   8 +-
 src/util/ref_expr_set.h                       |   6 +-
 src/util/reference_counting.h                 |  16 +-
 src/util/run.cpp                              |   8 +-
 src/util/signal_catcher.cpp                   |   4 +-
 src/util/tempdir.cpp                          |   2 +-
 src/util/tempfile.cpp                         |   2 +-
 src/util/unicode.cpp                          |   6 +-
 83 files changed, 296 insertions(+), 324 deletions(-)

diff --git a/src/analyses/goto_check.cpp b/src/analyses/goto_check.cpp
index be4edbf288..8fe596d926 100644
--- a/src/analyses/goto_check.cpp
+++ b/src/analyses/goto_check.cpp
@@ -37,7 +37,7 @@ public:
     const namespacet &_ns,
     const optionst &_options):
     ns(_ns),
-    local_bitvector_analysis(nullptr)
+    local_bitvector_analysis(0)
   {
     enable_bounds_check=_options.get_bool_option("bounds-check");
     enable_pointer_check=_options.get_bool_option("pointer-check");
diff --git a/src/analyses/goto_rw.cpp b/src/analyses/goto_rw.cpp
index 49827bd2bd..be3ef3e0a8 100644
--- a/src/analyses/goto_rw.cpp
+++ b/src/analyses/goto_rw.cpp
@@ -463,10 +463,9 @@ void rw_range_sett::add(
 {
   objectst::iterator entry=(mode==get_modet::LHS_W ? w_range_set : r_range_set).
     insert(
-      std::pair(
-        identifier, nullptr)).first;
+      std::pair(identifier, 0)).first;
 
-  if(entry->second==nullptr)
+  if(entry->second==0)
     entry->second=new range_domaint();
 
   static_cast(entry->second)->push_back(
@@ -664,10 +663,9 @@ void rw_guarded_range_set_value_sett::add(
 {
   objectst::iterator entry=(mode==get_modet::LHS_W ? w_range_set : r_range_set).
     insert(
-      std::pair(
-        identifier, nullptr)).first;
+      std::pair(identifier, 0)).first;
 
-  if(entry->second==nullptr)
+  if(entry->second==0)
     entry->second=new guarded_range_domaint();
 
   static_cast(entry->second)->insert(
diff --git a/src/analyses/goto_rw.h b/src/analyses/goto_rw.h
index 1f92c3e0e1..06b7a7ab41 100644
--- a/src/analyses/goto_rw.h
+++ b/src/analyses/goto_rw.h
@@ -108,7 +108,7 @@ public:
 
   const range_domaint &get_ranges(objectst::const_iterator it) const
   {
-    PRECONDITION(dynamic_cast(it->second)!=nullptr);
+    assert(dynamic_cast(it->second)!=0);
     return *static_cast(it->second);
   }
 
@@ -277,7 +277,7 @@ public:
 
   const guarded_range_domaint &get_ranges(objectst::const_iterator it) const
   {
-    PRECONDITION(dynamic_cast(it->second)!=nullptr);
+    assert(dynamic_cast(it->second)!=0);
     return *static_cast(it->second);
   }
 
diff --git a/src/analyses/invariant_set.cpp b/src/analyses/invariant_set.cpp
index a041119cbb..6127abdd57 100644
--- a/src/analyses/invariant_set.cpp
+++ b/src/analyses/invariant_set.cpp
@@ -144,7 +144,7 @@ bool invariant_sett::get_object(
   const exprt &expr,
   unsigned &n) const
 {
-  PRECONDITION(object_store!=nullptr);
+  assert(object_store!=NULL);
   return object_store->get(expr, n);
 }
 
@@ -315,8 +315,7 @@ void invariant_sett::output(
     return;
   }
 
-  INVARIANT(
-    object_store!=nullptr, nullptr_exceptiont("Object store is null"));
+  assert(object_store!=NULL);
 
   for(unsigned i=0; ito_string(a, identifier);
 }
 
diff --git a/src/analyses/invariant_set.h b/src/analyses/invariant_set.h
index f2999d191a..6bb40bd3e9 100644
--- a/src/analyses/invariant_set.h
+++ b/src/analyses/invariant_set.h
@@ -22,8 +22,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include "interval_template.h"
 
-#define nullptr_exceptiont(str) str
-
 class inv_object_storet
 {
 public:
@@ -100,9 +98,9 @@ public:
   invariant_sett():
     threaded(false),
     is_false(false),
-    value_sets(nullptr),
-    object_store(nullptr),
-    ns(nullptr)
+    value_sets(NULL),
+    object_store(NULL),
+    ns(NULL)
   {
   }
 
diff --git a/src/analyses/local_may_alias.h b/src/analyses/local_may_alias.h
index 5e04ff01a7..b54cf4e9e8 100644
--- a/src/analyses/local_may_alias.h
+++ b/src/analyses/local_may_alias.h
@@ -94,7 +94,7 @@ protected:
 class local_may_alias_factoryt
 {
 public:
-  local_may_alias_factoryt():goto_functions(nullptr)
+  local_may_alias_factoryt():goto_functions(NULL)
   {
   }
 
@@ -109,7 +109,7 @@ public:
 
   local_may_aliast &operator()(const irep_idt &fkt)
   {
-    PRECONDITION(goto_functions!=nullptr);
+    assert(goto_functions!=NULL);
     fkt_mapt::iterator f_it=fkt_map.find(fkt);
     if(f_it!=fkt_map.end())
       return *f_it->second;
diff --git a/src/analyses/reaching_definitions.cpp b/src/analyses/reaching_definitions.cpp
index 3bbf55a60a..0e0462c3c8 100644
--- a/src/analyses/reaching_definitions.cpp
+++ b/src/analyses/reaching_definitions.cpp
@@ -51,9 +51,7 @@ void rd_range_domaint::transform(
 {
   reaching_definitions_analysist *rd=
     dynamic_cast(&ai);
-  INVARIANT(
-    rd!=nullptr,
-    bad_cast_exceptiont("ai has type reaching_definitions_analysist"));
+  assert(rd!=0);
 
   assert(bv_container);
 
@@ -300,9 +298,7 @@ void rd_range_domaint::transform_assign(
     const symbolt *symbol_ptr;
     if(ns.lookup(identifier, symbol_ptr))
       continue;
-    INVARIANT(
-      symbol_ptr!=nullptr,
-      nullptr_exceptiont("Symbol is in symbol table"));
+    assert(symbol_ptr!=0);
 
     const range_domaint &ranges=rw_set.get_ranges(it);
 
diff --git a/src/analyses/reaching_definitions.h b/src/analyses/reaching_definitions.h
index f0a4fd6085..e5f0d5f12b 100644
--- a/src/analyses/reaching_definitions.h
+++ b/src/analyses/reaching_definitions.h
@@ -26,9 +26,6 @@ class is_threadedt;
 class dirtyt;
 class reaching_definitions_analysist;
 
-#define bad_cast_exceptiont(str) str
-#define nullptr_exceptiont(str) str
-
 // requirement: V has a member "identifier" of type irep_idt
 template
 class sparse_bitvector_analysist
@@ -105,7 +102,7 @@ public:
   rd_range_domaint():
     ai_domain_baset(),
     has_values(false),
-    bv_container(nullptr)
+    bv_container(0)
   {
   }
 
@@ -246,9 +243,9 @@ public:
   explicit reaching_definitions_analysist(const namespacet &_ns):
     concurrency_aware_ait(),
     ns(_ns),
-    value_sets(nullptr),
-    is_threaded(nullptr),
-    is_dirty(nullptr)
+    value_sets(0),
+    is_threaded(0),
+    is_dirty(0)
   {
   }
 
@@ -262,9 +259,7 @@ public:
     statet &s=concurrency_aware_ait::get_state(l);
 
     rd_range_domaint *rd_state=dynamic_cast(&s);
-    INVARIANT(
-      rd_state!=nullptr,
-      bad_cast_exceptiont("rd_state has type rd_range_domaint"));
+    assert(rd_state!=0);
 
     rd_state->set_bitvector_container(*this);
 
diff --git a/src/ansi-c/c_preprocess.cpp b/src/ansi-c/c_preprocess.cpp
index 927a928b18..6ba8e6f359 100644
--- a/src/ansi-c/c_preprocess.cpp
+++ b/src/ansi-c/c_preprocess.cpp
@@ -344,7 +344,7 @@ bool c_preprocess(
 static bool is_dot_i_file(const std::string &path)
 {
   const char *ext=strrchr(path.c_str(), '.');
-  if(ext==nullptr)
+  if(ext==NULL)
     return false;
   if(std::string(ext)==".i" ||
      std::string(ext)==".ii")
@@ -889,7 +889,7 @@ bool c_preprocess_gcc_clang(
 
   FILE *stream=popen(command.c_str(), "r");
 
-  if(stream!=nullptr)
+  if(stream!=NULL)
   {
     int ch;
     while((ch=fgetc(stream))!=EOF)
@@ -1011,7 +1011,7 @@ bool c_preprocess_arm(
 
   FILE *stream=popen(command.c_str(), "r");
 
-  if(stream!=nullptr)
+  if(stream!=NULL)
   {
     int ch;
     while((ch=fgetc(stream))!=EOF)
diff --git a/src/ansi-c/cprover_library.cpp b/src/ansi-c/cprover_library.cpp
index f13e321d75..8f99f987bf 100644
--- a/src/ansi-c/cprover_library.cpp
+++ b/src/ansi-c/cprover_library.cpp
@@ -38,7 +38,7 @@ std::string get_cprover_library_text(
   std::size_t count=0;
 
   for(cprover_library_entryt *e=cprover_library;
-      e->function!=nullptr;
+      e->function!=NULL;
       e++)
   {
     irep_idt id=e->function;
diff --git a/src/ansi-c/expr2c.cpp b/src/ansi-c/expr2c.cpp
index d1dbf3bb6b..9c980cc842 100644
--- a/src/ansi-c/expr2c.cpp
+++ b/src/ansi-c/expr2c.cpp
@@ -2664,7 +2664,7 @@ std::string expr2ct::convert_code_decl(
 
   std::string dest=indent_str(indent);
 
-  const symbolt *symbol=nullptr;
+  const symbolt *symbol=0;
   if(!ns.lookup(to_symbol_expr(src.op0()).get_identifier(), symbol))
   {
     if(symbol->is_file_local &&
diff --git a/src/big-int/bigint-test.cc b/src/big-int/bigint-test.cc
index 7c11e164e2..5d506a8901 100644
--- a/src/big-int/bigint-test.cc
+++ b/src/big-int/bigint-test.cc
@@ -161,7 +161,7 @@ static void
 run_clisp_tests (char const *fn)
 {
   FILE *f = fopen (fn, "rt");
-  if (f == nullptr)
+  if (f == 0)
     {
       fprintf (stderr, "Error opening %s: %s.\n", fn, strerror (errno));
       return;
diff --git a/src/big-int/bigint.cc b/src/big-int/bigint.cc
index b55a14865d..a53e42ebdb 100644
--- a/src/big-int/bigint.cc
+++ b/src/big-int/bigint.cc
@@ -266,7 +266,7 @@ digit_div (onedig_t *r, const onedig_t *y, unsigned yl, onedig_t *q, unsigned ql
 	  --qh;
 	  add_back (r, y, yl);
 	}
-      if (q != nullptr)
+      if (q != 0)
 	q[i] = qh;
     }
 }
@@ -580,7 +580,7 @@ char *
 BigInt::as_string (char *p, unsigned l, onedig_t b) const
 {
   if (l < 2)
-    return nullptr;				// Not enough room for number.
+    return 0;				// Not enough room for number.
   p[--l] = '\0';
   // Check for zero. Would otherwise print as empty string.
   unsigned len = length;
@@ -598,7 +598,7 @@ BigInt::as_string (char *p, unsigned l, onedig_t b) const
   do
     {
       if (l == 0)
-	return nullptr;
+	return 0;
       onedig_t r = digit_div (dig, len, b);
       p[--l] = r < 10 ? r + '0' : 'A' + r - 10;
       if (dig[len-1] == 0)
@@ -608,7 +608,7 @@ BigInt::as_string (char *p, unsigned l, onedig_t b) const
   // Maybe attach sign.
   if (!positive){
     if (l == 0)
-      return nullptr;
+      return 0;
     else
       p[--l] = '-';
   }
@@ -1268,7 +1268,7 @@ BigInt::operator%= (BigInt const &y)
 	}
       if (a[al-1] >= b[bl-1])
 	a[al++] = 0;
-      digit_div (a, b, bl, nullptr, al - bl);
+      digit_div (a, b, bl, 0, al - bl);
       length = bl;
       adjust();
       if (scale != 1)
diff --git a/src/cbmc/cbmc_parse_options.cpp b/src/cbmc/cbmc_parse_options.cpp
index b4099967f8..65a4386077 100644
--- a/src/cbmc/cbmc_parse_options.cpp
+++ b/src/cbmc/cbmc_parse_options.cpp
@@ -590,7 +590,7 @@ int cbmc_parse_optionst::get_goto_program(
 
       languaget *language=get_language_from_filename(filename);
 
-      if(language==nullptr)
+      if(language==NULL)
       {
         error() << "failed to figure out type of file `"
                 <<  filename << "'" << eom;
@@ -739,7 +739,7 @@ void cbmc_parse_optionst::preprocessing()
 
     languaget *ptr=get_language_from_filename(filename);
 
-    if(ptr==nullptr)
+    if(ptr==NULL)
     {
       error() << "failed to figure out type of file" << eom;
       return;
diff --git a/src/clobber/clobber_parse_options.cpp b/src/clobber/clobber_parse_options.cpp
index 8c2b2dc1f5..36cc3e49ab 100644
--- a/src/clobber/clobber_parse_options.cpp
+++ b/src/clobber/clobber_parse_options.cpp
@@ -250,7 +250,7 @@ bool clobber_parse_optionst::get_goto_program(
 
       languaget *language=get_language_from_filename(filename);
 
-      if(language==nullptr)
+      if(language==NULL)
       {
         error() << "failed to figure out type of file `" <<  filename << "'"
                 << eom;
diff --git a/src/cpp/cpp_id.cpp b/src/cpp/cpp_id.cpp
index edcc139ce4..e6c13ca4cf 100644
--- a/src/cpp/cpp_id.cpp
+++ b/src/cpp/cpp_id.cpp
@@ -24,7 +24,7 @@ cpp_idt::cpp_idt():
   id_class(id_classt::UNKNOWN),
   this_expr(static_cast(get_nil_irep())),
   compound_counter(0),
-  parent(nullptr)
+  parent(NULL)
 {
 }
 
diff --git a/src/cpp/cpp_id.h b/src/cpp/cpp_id.h
index b2efbc2718..f7fe339cc1 100644
--- a/src/cpp/cpp_id.h
+++ b/src/cpp/cpp_id.h
@@ -20,7 +20,6 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 #include 
 
 #include 
-#include 
 #include 
 
 class cpp_scopet;
@@ -82,7 +81,7 @@ public:
 
   cpp_idt &get_parent() const
   {
-    PRECONDITION(parent!=nullptr);
+    assert(parent!=NULL);
     return *parent;
   }
 
diff --git a/src/cpp/cpp_instantiate_template.cpp b/src/cpp/cpp_instantiate_template.cpp
index 3afc3cdd72..c28fe5ca54 100644
--- a/src/cpp/cpp_instantiate_template.cpp
+++ b/src/cpp/cpp_instantiate_template.cpp
@@ -130,8 +130,7 @@ const symbolt &cpp_typecheckt::class_template_symbol(
   cpp_scopet *template_scope=
     static_cast(cpp_scopes.id_map[template_symbol.name]);
 
-  INVARIANT(
-    template_scope!=nullptr, nullptr_exceptiont("template_scope is null"));
+  assert(template_scope!=NULL);
 
   irep_idt identifier=
     id2string(template_scope->prefix)+
@@ -277,7 +276,7 @@ const symbolt &cpp_typecheckt::instantiate_template(
   cpp_scopet *template_scope=
     static_cast(cpp_scopes.id_map[template_symbol.name]);
 
-  if(template_scope==nullptr)
+  if(template_scope==NULL)
   {
     error().source_location=source_location;
     error() << "identifier: " << template_symbol.name << '\n'
@@ -285,8 +284,7 @@ const symbolt &cpp_typecheckt::instantiate_template(
     throw 0;
   }
 
-  INVARIANT(
-    template_scope!=nullptr, nullptr_exceptiont("template_scope is null"));
+  assert(template_scope!=NULL);
 
   // produce new declaration
   cpp_declarationt new_decl=to_cpp_declaration(template_symbol.type);
diff --git a/src/cpp/cpp_language.cpp b/src/cpp/cpp_language.cpp
index c8b7f99965..59e538265c 100644
--- a/src/cpp/cpp_language.cpp
+++ b/src/cpp/cpp_language.cpp
@@ -65,7 +65,7 @@ bool cpp_languaget::preprocess(
   // check extension
 
   const char *ext=strrchr(path.c_str(), '.');
-  if(ext!=nullptr && std::string(ext)==".ipp")
+  if(ext!=NULL && std::string(ext)==".ipp")
   {
     std::ifstream infile(path);
 
diff --git a/src/cpp/cpp_typecheck.h b/src/cpp/cpp_typecheck.h
index 50cc26fb9e..5c0a6afe28 100644
--- a/src/cpp/cpp_typecheck.h
+++ b/src/cpp/cpp_typecheck.h
@@ -30,8 +30,6 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 #include "cpp_template_type.h"
 #include "cpp_util.h"
 
-#define nullptr_exceptiont(str) str
-
 bool cpp_typecheck(
   cpp_parse_treet &cpp_parse_tree,
   symbol_tablet &symbol_table,
diff --git a/src/cpp/cpp_typecheck_compound_type.cpp b/src/cpp/cpp_typecheck_compound_type.cpp
index 39f229bfbe..36d2a2e70b 100644
--- a/src/cpp/cpp_typecheck_compound_type.cpp
+++ b/src/cpp/cpp_typecheck_compound_type.cpp
@@ -110,7 +110,7 @@ void cpp_typecheckt::typecheck_compound_type(
   // get the tag name
   bool has_tag=type.find(ID_tag).is_not_nil();
   irep_idt base_name;
-  cpp_scopet *dest_scope=nullptr;
+  cpp_scopet *dest_scope=NULL;
   bool has_body=type.find(ID_body).is_not_nil();
   bool tag_only_declaration=type.get_bool(ID_C_tag_only_declaration);
 
diff --git a/src/cpp/cpp_typecheck_expr.cpp b/src/cpp/cpp_typecheck_expr.cpp
index 88b2646148..87f15a16a3 100644
--- a/src/cpp/cpp_typecheck_expr.cpp
+++ b/src/cpp/cpp_typecheck_expr.cpp
@@ -471,7 +471,7 @@ struct operator_entryt
   { ID_notequal, "!=" },
   { ID_dereference, "*" },
   { ID_ptrmember, "->" },
-  { irep_idt(), nullptr }
+  { irep_idt(), NULL }
 };
 
 bool cpp_typecheckt::operator_is_overloaded(exprt &expr)
diff --git a/src/cpp/cpp_typecheck_resolve.cpp b/src/cpp/cpp_typecheck_resolve.cpp
index d8e0e8c3d9..28d42e6af6 100644
--- a/src/cpp/cpp_typecheck_resolve.cpp
+++ b/src/cpp/cpp_typecheck_resolve.cpp
@@ -1117,7 +1117,7 @@ symbol_typet cpp_typecheck_resolvet::disambiguate_template_classes(
       static_cast(
         cpp_typecheck.cpp_scopes.id_map[id]);
 
-    if(template_scope==nullptr)
+    if(template_scope==NULL)
     {
       cpp_typecheck.error().source_location=source_location;
       cpp_typecheck.error() << "template identifier: " << id << '\n'
@@ -1959,7 +1959,7 @@ exprt cpp_typecheck_resolvet::guess_function_template_args(
     static_cast(
       cpp_typecheck.cpp_scopes.id_map[template_identifier]);
 
-  if(template_scope==nullptr)
+  if(template_scope==NULL)
   {
     cpp_typecheck.error().source_location=source_location;
     cpp_typecheck.error() << "template identifier: "
diff --git a/src/cpp/cpp_typecheck_template.cpp b/src/cpp/cpp_typecheck_template.cpp
index 2338371379..47ebd7f006 100644
--- a/src/cpp/cpp_typecheck_template.cpp
+++ b/src/cpp/cpp_typecheck_template.cpp
@@ -910,8 +910,7 @@ cpp_template_args_tct cpp_typecheckt::typecheck_template_args(
       // these need to be typechecked in the scope of the template,
       // not in the current scope!
       cpp_idt *template_scope=cpp_scopes.id_map[template_symbol.name];
-      INVARIANT(
-        template_scope!=nullptr, nullptr_exceptiont("template_scope is null"));
+      assert(template_scope!=NULL);
       cpp_scopes.go_to(*template_scope);
     }
 
@@ -961,9 +960,7 @@ cpp_template_args_tct cpp_typecheckt::typecheck_template_args(
       {
         cpp_save_scopet cpp_saved_scope(cpp_scopes);
         cpp_idt *template_scope=cpp_scopes.id_map[template_symbol.name];
-        INVARIANT(
-          template_scope!=nullptr,
-          nullptr_exceptiont("template_scope is null"));
+        assert(template_scope!=NULL);
         cpp_scopes.go_to(*template_scope);
         typecheck_type(type);
       }
diff --git a/src/cpp/parse.cpp b/src/cpp/parse.cpp
index d0c2e01ecf..87e9ad099d 100644
--- a/src/cpp/parse.cpp
+++ b/src/cpp/parse.cpp
@@ -48,7 +48,7 @@ struct indenter // NOLINT(readability/identifiers)
 class new_scopet
 {
 public:
-  new_scopet():kind(kindt::NONE), anon_count(0), parent(nullptr)
+  new_scopet():kind(kindt::NONE), anon_count(0), parent(NULL)
   {
   }
 
@@ -155,7 +155,7 @@ public:
 
   std::string full_name() const
   {
-    return (parent==nullptr?"":(parent->full_name()+"::"))+
+    return (parent==NULL?"":(parent->full_name()+"::"))+
            id2string(id);
   }
 
diff --git a/src/goto-cc/armcc_cmdline.cpp b/src/goto-cc/armcc_cmdline.cpp
index d0a16ac95a..9cb3fccfd0 100644
--- a/src/goto-cc/armcc_cmdline.cpp
+++ b/src/goto-cc/armcc_cmdline.cpp
@@ -192,7 +192,7 @@ static const char *options_no_arg[]=
   "--translate_gcc",
   "--translate_gld",
   "-W",
-  nullptr
+  NULL
 };
 
 static const char *options_with_prefix[]=
@@ -242,7 +242,7 @@ static const char *options_with_prefix[]=
   "--configure_cpp_headers=",
   "--configure_extra_includes=",
   "--configure_extra_libraries=",
-  nullptr
+  NULL
 };
 
 static const char *options_with_arg[]=
@@ -262,7 +262,7 @@ static const char *options_with_arg[]=
   "-o",
   "--cpu",
   "--apcs",
-  nullptr
+  NULL
 };
 
 bool armcc_cmdlinet::parse(int argc, const char **argv)
diff --git a/src/goto-cc/as86_cmdline.cpp b/src/goto-cc/as86_cmdline.cpp
index dce3deecf2..e60f0152bc 100644
--- a/src/goto-cc/as86_cmdline.cpp
+++ b/src/goto-cc/as86_cmdline.cpp
@@ -23,7 +23,7 @@ const char *goto_as86_options_with_argument[]=
   "--function",
   "--native-assembler",
   "--print-rejected-preprocessed-source",
-  nullptr
+  NULL
 };
 
 const char *as86_options_without_argument[]=
@@ -40,7 +40,7 @@ const char *as86_options_without_argument[]=
   "-u-", // both -u and -u- seem to be accepted
   "-v",
   "-w-",
-  nullptr
+  NULL
 };
 
 const char *as86_options_with_argument[]=
@@ -52,7 +52,7 @@ const char *as86_options_with_argument[]=
   "-b",
   "-s",
   "-t",
-  nullptr
+  NULL
 };
 
 bool as86_cmdlinet::parse(int argc, const char **argv)
@@ -75,7 +75,7 @@ bool as86_cmdlinet::parse(int argc, const char **argv)
 
     // separated only, and also allow concatenation with "="
     for(const char **o=goto_as86_options_with_argument;
-        *o!=nullptr && !found;
+        *o!=NULL && !found;
         ++o)
     {
       std::string os(*o);
@@ -113,7 +113,7 @@ bool as86_cmdlinet::parse(int argc, const char **argv)
     }
 
     for(const char **o=as86_options_with_argument;
-        *o!=nullptr && !found;
+        *o!=NULL && !found;
         ++o)
     {
       std::string os(*o);
diff --git a/src/goto-cc/as_cmdline.cpp b/src/goto-cc/as_cmdline.cpp
index 2c22cfc70d..172b281458 100644
--- a/src/goto-cc/as_cmdline.cpp
+++ b/src/goto-cc/as_cmdline.cpp
@@ -23,7 +23,7 @@ const char *goto_as_options_with_argument[]=
   "--function",
   "--native-assembler",
   "--print-rejected-preprocessed-source",
-  nullptr
+  NULL
 };
 
 const char *as_options_without_argument[]=
@@ -59,7 +59,7 @@ const char *as_options_without_argument[]=
   "--32", // i386
   "--64", // i386
   "-n", // i386
-  nullptr
+  NULL
 };
 
 const char *as_options_with_argument[]=
@@ -74,7 +74,7 @@ const char *as_options_with_argument[]=
   "-o",
   "-march", // i386
   "-mtune", // i386
-  nullptr
+  NULL
 };
 
 bool as_cmdlinet::parse(int argc, const char **argv)
@@ -104,7 +104,7 @@ bool as_cmdlinet::parse(int argc, const char **argv)
 
     // separated only, and also allow concatenation with "="
     for(const char **o=goto_as_options_with_argument;
-        *o!=nullptr && !found;
+        *o!=NULL && !found;
         ++o)
     {
       std::string os(*o);
@@ -170,7 +170,7 @@ bool as_cmdlinet::parse(int argc, const char **argv)
     }
 
     for(const char **o=as_options_with_argument;
-        *o!=nullptr && !found;
+        *o!=NULL && !found;
         ++o)
     {
       std::string os(*o);
diff --git a/src/goto-cc/bcc_cmdline.cpp b/src/goto-cc/bcc_cmdline.cpp
index f4c0626b14..c4cbbc80b3 100644
--- a/src/goto-cc/bcc_cmdline.cpp
+++ b/src/goto-cc/bcc_cmdline.cpp
@@ -24,7 +24,7 @@ const char *goto_bcc_options_with_argument[]=
   "--native-compiler",
   "--native-linker",
   "--print-rejected-preprocessed-source",
-  nullptr
+  NULL
 };
 
 const char *bcc_options_without_argument[]=
@@ -46,7 +46,7 @@ const char *bcc_options_without_argument[]=
   "-x",
   "-W",
   "-ansi",
-  nullptr
+  NULL
 };
 
 const char *bcc_options_with_argument[]=
@@ -64,7 +64,7 @@ const char *bcc_options_with_argument[]=
   "-T",
   "-Q",
   "-t",
-  nullptr
+  NULL
 };
 
 bool bcc_cmdlinet::parse(int argc, const char **argv)
@@ -87,7 +87,7 @@ bool bcc_cmdlinet::parse(int argc, const char **argv)
 
     // separated only, and also allow concatenation with "="
     for(const char **o=goto_bcc_options_with_argument;
-        *o!=nullptr && !found;
+        *o!=NULL && !found;
         ++o)
     {
       std::string os(*o);
@@ -125,7 +125,7 @@ bool bcc_cmdlinet::parse(int argc, const char **argv)
     }
 
     for(const char **o=bcc_options_with_argument;
-        *o!=nullptr && !found;
+        *o!=NULL && !found;
         ++o)
     {
       std::string os(*o);
diff --git a/src/goto-cc/compile.cpp b/src/goto-cc/compile.cpp
index d5dcf8b570..96b76260e9 100644
--- a/src/goto-cc/compile.cpp
+++ b/src/goto-cc/compile.cpp
@@ -232,7 +232,7 @@ bool compilet::add_input_file(const std::string &file_name)
 
     stream=popen(cmd.str().c_str(), "r");
 
-    if(stream!=nullptr)
+    if(stream!=NULL)
     {
       std::string line;
       int ch; // fgetc returns an int, not char
@@ -472,7 +472,7 @@ bool compilet::parse(const std::string &file_name)
   else
     languagep=get_language_from_filename(file_name);
 
-  if(languagep==nullptr)
+  if(languagep==NULL)
   {
     error() << "failed to figure out type of file `" << file_name << "'" << eom;
     return true;
diff --git a/src/goto-cc/gcc_cmdline.cpp b/src/goto-cc/gcc_cmdline.cpp
index e4b2bb1ddb..c5b4057ed1 100644
--- a/src/goto-cc/gcc_cmdline.cpp
+++ b/src/goto-cc/gcc_cmdline.cpp
@@ -29,7 +29,7 @@ const char *goto_cc_options_with_separated_argument[]=
   "--native-compiler",
   "--native-linker",
   "--print-rejected-preprocessed-source",
-  nullptr
+  NULL
 };
 
 // non-gcc options
@@ -52,7 +52,7 @@ const char *goto_cc_options_without_argument[]=
   "--no-arch",
   "--partial-inlining",
   "-?",
-  nullptr
+  NULL
 };
 
 // separated or concatenated
@@ -75,7 +75,7 @@ const char *gcc_options_with_argument[]=
   "-U",
   "-u", // goes to linker
   "-T", // goes to linker
-  nullptr
+  NULL
 };
 
 const char *gcc_options_with_separated_argument[]=
@@ -107,7 +107,7 @@ const char *gcc_options_with_separated_argument[]=
   "-current_version", // on the Mac
   "-compatibility_version",  // on the Mac
   "-z",
-  nullptr
+  NULL
 };
 
 const char *gcc_options_with_concatenated_argument[]=
@@ -115,7 +115,7 @@ const char *gcc_options_with_concatenated_argument[]=
   "-d",
   "-g",
   "-A",
-  nullptr
+  NULL
 };
 
 const char *gcc_options_without_argument[]=
@@ -209,7 +209,7 @@ const char *gcc_options_without_argument[]=
   "-EB",
   "-EL",
   "-fast", // Apple only
-  nullptr
+  NULL
 };
 
 bool gcc_cmdlinet::parse(int argc, const char **argv)
@@ -282,7 +282,7 @@ bool gcc_cmdlinet::parse_arguments(
 
       // separated only, and also allow concatenation with "="
       for(const char **o=goto_cc_options_with_separated_argument;
-          *o!=nullptr && !found;
+          *o!=NULL && !found;
           ++o)
       {
         if(argv_i==*o) // separated
@@ -354,7 +354,7 @@ bool gcc_cmdlinet::parse_arguments(
 
       // separated only, and also allow concatenation with "="
       for(const char **o=gcc_options_with_separated_argument;
-          *o!=nullptr && !found;
+          *o!=NULL && !found;
           ++o)
       {
         if(argv_i==*o) // separated
@@ -380,7 +380,7 @@ bool gcc_cmdlinet::parse_arguments(
 
       // concatenated _or_ separated, e.g., -I
       for(const char **o=gcc_options_with_argument;
-          *o!=nullptr && !found;
+          *o!=NULL && !found;
           ++o)
       {
         if(argv_i==*o) // separated
@@ -405,7 +405,7 @@ bool gcc_cmdlinet::parse_arguments(
 
       // concatenated only
       for(const char **o=gcc_options_with_concatenated_argument;
-          *o!=nullptr && !found;
+          *o!=NULL && !found;
           ++o)
       {
         if(has_prefix(argv_i, *o)) // concatenated
diff --git a/src/goto-cc/goto_cc_cmdline.cpp b/src/goto-cc/goto_cc_cmdline.cpp
index cb030366e3..71bb06f816 100644
--- a/src/goto-cc/goto_cc_cmdline.cpp
+++ b/src/goto-cc/goto_cc_cmdline.cpp
@@ -29,7 +29,7 @@ goto_cc_cmdlinet::~goto_cc_cmdlinet()
 
 bool goto_cc_cmdlinet::in_list(const char *option, const char **list)
 {
-  for(std::size_t i=0; list[i]!=nullptr; i++)
+  for(std::size_t i=0; list[i]!=NULL; i++)
   {
     if(strcmp(option, list[i])==0)
       return true;
@@ -43,7 +43,7 @@ bool goto_cc_cmdlinet::prefix_in_list(
   const char **list,
   std::string &prefix)
 {
-  for(std::size_t i=0; list[i]!=nullptr; i++)
+  for(std::size_t i=0; list[i]!=NULL; i++)
   {
     if(strncmp(option, list[i], strlen(list[i]))==0)
     {
diff --git a/src/goto-cc/goto_cc_main.cpp b/src/goto-cc/goto_cc_main.cpp
index 8d3e422219..ebe885a37a 100644
--- a/src/goto-cc/goto_cc_main.cpp
+++ b/src/goto-cc/goto_cc_main.cpp
@@ -48,7 +48,7 @@ int main(int argc, const char **argv)
   const char **argv=narrow_argv(argc, argv_wide);
   #endif
 
-  if(argv==nullptr || argc<1)
+  if(argv==NULL || argc<1)
   {
     std::cerr << "failed to determine base name\n";
     return 1;
diff --git a/src/goto-cc/ld_cmdline.cpp b/src/goto-cc/ld_cmdline.cpp
index c77ee68773..1f17dabd10 100644
--- a/src/goto-cc/ld_cmdline.cpp
+++ b/src/goto-cc/ld_cmdline.cpp
@@ -24,7 +24,7 @@ const char *goto_ld_options_with_argument[]=
   "--verbosity",
   "--native-compiler",
   "--native-linker",
-  nullptr
+  NULL
 };
 
 const char *ld_options_with_argument[]=
@@ -99,7 +99,7 @@ const char *ld_options_with_argument[]=
   "--ios_version_min", // Apple only
   "--macosx_version_min", // Apple only
   "--install_name", // Apple only
-  nullptr
+  NULL
 };
 
 const char *ld_options_without_argument[]=
@@ -233,7 +233,7 @@ const char *ld_options_without_argument[]=
   "--dylib", // Apple only
   "--dylinker", // Apple only
   "--bundle", // Apple only
-  nullptr
+  NULL
 };
 
 bool ld_cmdlinet::parse(int argc, const char **argv)
@@ -262,7 +262,7 @@ bool ld_cmdlinet::parse(int argc, const char **argv)
     bool found=false;
 
     for(const char **o=goto_ld_options_with_argument;
-        *o!=nullptr && !found;
+        *o!=NULL && !found;
         ++o)
     {
       std::string os(*o);
@@ -299,7 +299,7 @@ bool ld_cmdlinet::parse(int argc, const char **argv)
 
     // also store in cmdlinet
 
-    for(const char **o=ld_options_without_argument; *o!=nullptr && !found; o++)
+    for(const char **o=ld_options_without_argument; *o!=NULL && !found; o++)
     {
       std::string os(*o);
       // ld accepts all long options also as short option
@@ -316,7 +316,7 @@ bool ld_cmdlinet::parse(int argc, const char **argv)
     // 2) concatenated with '=' for long options
     // 3) separate
 
-    for(const char **o=ld_options_with_argument; *o!=nullptr && !found; o++)
+    for(const char **o=ld_options_with_argument; *o!=NULL && !found; o++)
     {
       std::string os(*o);
 
diff --git a/src/goto-cc/ms_cl_cmdline.cpp b/src/goto-cc/ms_cl_cmdline.cpp
index cdc9458bb0..ea605ef6d8 100644
--- a/src/goto-cc/ms_cl_cmdline.cpp
+++ b/src/goto-cc/ms_cl_cmdline.cpp
@@ -44,7 +44,7 @@ const char *non_ms_cl_options[]=
   "--partial-inlining",
   "--verbosity",
   "--function",
-  nullptr
+  NULL
 };
 
 bool ms_cl_cmdlinet::parse(const std::vector &options)
@@ -110,7 +110,7 @@ void ms_cl_cmdlinet::parse_env()
 
   const char *CL_env=getenv("CL");
 
-  if(CL_env!=nullptr)
+  if(CL_env!=NULL)
     process_response_file_line(CL_env);
 
   #endif
@@ -275,7 +275,7 @@ void ms_cl_cmdlinet::process_non_cl_option(
 {
   set(s);
 
-  for(unsigned j=0; non_ms_cl_options[j]!=nullptr; j++)
+  for(unsigned j=0; non_ms_cl_options[j]!=NULL; j++)
     if(s==non_ms_cl_options[j])
       return;
 
@@ -288,7 +288,7 @@ void ms_cl_cmdlinet::process_non_cl_option(
 const char *ms_cl_flags[]=
 {
   "c", // compile only
-  nullptr
+  NULL
 };
 
 const char *ms_cl_prefixes[]=
@@ -406,7 +406,7 @@ const char *ms_cl_prefixes[]=
   "MT", //  link with LIBCMT.LIB
   "MDd", //  link with MSVCRTD.LIB debug lib
   "MTd", //  link with LIBCMTD.LIB debug lib
-  nullptr
+  NULL
 };
 
 void ms_cl_cmdlinet::process_cl_option(const std::string &s)
@@ -420,7 +420,7 @@ void ms_cl_cmdlinet::process_cl_option(const std::string &s)
     return;
   }
 
-  for(std::size_t j=0; ms_cl_flags[j]!=nullptr; j++)
+  for(std::size_t j=0; ms_cl_flags[j]!=NULL; j++)
   {
     if(std::string(s, 1, std::string::npos)==ms_cl_flags[j])
     {
@@ -453,7 +453,7 @@ void ms_cl_cmdlinet::process_cl_option(const std::string &s)
     }
   }
 
-  for(std::size_t j=0; ms_cl_prefixes[j]!=nullptr; j++)
+  for(std::size_t j=0; ms_cl_prefixes[j]!=NULL; j++)
   {
     std::string ms_cl_prefix=ms_cl_prefixes[j];
 
diff --git a/src/goto-instrument/dump_c.cpp b/src/goto-instrument/dump_c.cpp
index 1020d2021a..efa0ac4afc 100644
--- a/src/goto-instrument/dump_c.cpp
+++ b/src/goto-instrument/dump_c.cpp
@@ -1309,7 +1309,7 @@ static bool find_block_position_rec(
   if(!root.has_operands())
     return false;
 
-  code_blockt *our_dest=nullptr;
+  code_blockt *our_dest=0;
 
   exprt::operandst &operands=root.operands();
   exprt::operandst::iterator first_found=operands.end();
@@ -1400,14 +1400,14 @@ void dump_ct::insert_local_static_decls(
     std::list redundant;
     cleanup_decl(d, redundant, type_decls);
 
-    code_blockt *dest_ptr=nullptr;
+    code_blockt *dest_ptr=0;
     exprt::operandst::iterator before=b.operands().end();
 
     // some use of static variables might be optimised out if it is
     // within an if(false) { ... } block
     if(find_block_position_rec(*it, b, dest_ptr, before))
     {
-      CHECK_RETURN(dest_ptr!=nullptr);
+      CHECK_RETURN(dest_ptr!=0);
       dest_ptr->operands().insert(before, d);
     }
   }
@@ -1437,14 +1437,14 @@ void dump_ct::insert_local_type_decls(
     // another hack to ensure symbols inside types are seen
     skip.type()=type;
 
-    code_blockt *dest_ptr=nullptr;
+    code_blockt *dest_ptr=0;
     exprt::operandst::iterator before=b.operands().end();
 
     // we might not find it in case a transparent union type cast
     // has been removed by cleanup operations
     if(find_block_position_rec(*it, b, dest_ptr, before))
     {
-      CHECK_RETURN(dest_ptr!=nullptr);
+      CHECK_RETURN(dest_ptr!=0);
       dest_ptr->operands().insert(before, skip);
     }
   }
diff --git a/src/goto-instrument/model_argc_argv.cpp b/src/goto-instrument/model_argc_argv.cpp
index 7e01d66e62..bae8010d90 100644
--- a/src/goto-instrument/model_argc_argv.cpp
+++ b/src/goto-instrument/model_argc_argv.cpp
@@ -38,7 +38,7 @@ bool model_argc_argv(
   messaget message(message_handler);
   const namespacet ns(symbol_table);
 
-  const symbolt *init_symbol=nullptr;
+  const symbolt *init_symbol=0;
   if(ns.lookup(CPROVER_PREFIX "initialize", init_symbol))
   {
     message.error() << "Linking not done, missing "
diff --git a/src/goto-instrument/wmm/cycle_collection.cpp b/src/goto-instrument/wmm/cycle_collection.cpp
index 64b619c436..caef3e7ee7 100644
--- a/src/goto-instrument/wmm/cycle_collection.cpp
+++ b/src/goto-instrument/wmm/cycle_collection.cpp
@@ -56,7 +56,7 @@ void event_grapht::graph_explorert::collect_cycles(
   for(std::size_t i=0; i* order=nullptr;
+  std::list* order=0;
   /* on Power, rfe pairs are also potentially unsafe */
   switch(model)
   {
diff --git a/src/goto-instrument/wmm/goto2graph.cpp b/src/goto-instrument/wmm/goto2graph.cpp
index 011ef1a36a..7828ac8008 100644
--- a/src/goto-instrument/wmm/goto2graph.cpp
+++ b/src/goto-instrument/wmm/goto2graph.cpp
@@ -1198,7 +1198,7 @@ bool instrumentert::is_cfg_spurious(const event_grapht::critical_cyclet &cyc)
     const source_locationt ¤t_location=current_event.source_location;
 
     /* select relevant thread (po) -- or function contained in this thread */
-    goto_programt *current_po=nullptr;
+    goto_programt *current_po=0;
     bool thread_found=false;
 
     Forall_goto_functions(f_it, goto_functions)
diff --git a/src/goto-programs/initialize_goto_model.cpp b/src/goto-programs/initialize_goto_model.cpp
index eb2b6f8490..d284bc403c 100644
--- a/src/goto-programs/initialize_goto_model.cpp
+++ b/src/goto-programs/initialize_goto_model.cpp
@@ -81,7 +81,7 @@ bool initialize_goto_model(
         lf.filename=filename;
         lf.language=get_language_from_filename(filename);
 
-        if(lf.language==nullptr)
+        if(lf.language==NULL)
         {
           source_locationt location;
           location.set_file(filename);
diff --git a/src/goto-programs/interpreter.cpp b/src/goto-programs/interpreter.cpp
index 817d04c3a5..a79910b765 100644
--- a/src/goto-programs/interpreter.cpp
+++ b/src/goto-programs/interpreter.cpp
@@ -70,7 +70,7 @@ void interpretert::command()
 {
   #define BUFSIZE 100
   char command[BUFSIZE];
-  if(fgets(command, BUFSIZE-1, stdin)==nullptr)
+  if(fgets(command, BUFSIZE-1, stdin)==NULL)
   {
     done=true;
     return;
diff --git a/src/goto-programs/show_symbol_table.cpp b/src/goto-programs/show_symbol_table.cpp
index 6a15759f11..1d5ce87f5a 100644
--- a/src/goto-programs/show_symbol_table.cpp
+++ b/src/goto-programs/show_symbol_table.cpp
@@ -48,7 +48,7 @@ void show_symbol_table_plain(
     else
     {
       ptr=get_language_from_mode(symbol.mode);
-      if(ptr==nullptr)
+      if(ptr==NULL)
         throw "symbol "+id2string(symbol.name)+" has unknown mode";
     }
 
diff --git a/src/goto-symex/goto_symex_state.cpp b/src/goto-symex/goto_symex_state.cpp
index 3e49fd7e48..6fdf4b54aa 100644
--- a/src/goto-symex/goto_symex_state.cpp
+++ b/src/goto-symex/goto_symex_state.cpp
@@ -22,10 +22,10 @@ Author: Daniel Kroening, kroening@kroening.com
 
 goto_symex_statet::goto_symex_statet():
   depth(0),
-  symex_target(nullptr),
+  symex_target(NULL),
   atomic_section_id(0),
   record_events(true),
-  dirty(nullptr)
+  dirty(0)
 {
   threads.resize(1);
   new_frame();
@@ -541,7 +541,7 @@ bool goto_symex_statet::l2_thread_read_encoding(
     return false;
 
   // is it a shared object?
-  INVARIANT(dirty!=nullptr, nullptr_exceptiont("dirty is null"));
+  assert(dirty!=0);
   const irep_idt &obj_identifier=expr.get_object_name();
   if(obj_identifier=="goto_symex::\\guard" ||
      (!ns.lookup(obj_identifier).is_shared() &&
@@ -666,7 +666,7 @@ bool goto_symex_statet::l2_thread_read_encoding(
   expr=ssa_l1;
 
   // and record that
-  INVARIANT(symex_target!=nullptr, nullptr_exceptiont("symex_target is null"));
+  assert(symex_target!=NULL);
   symex_target->shared_read(
     guard.as_expr(),
     expr,
@@ -685,7 +685,7 @@ bool goto_symex_statet::l2_thread_write_encoding(
     return false;
 
   // is it a shared object?
-  INVARIANT(dirty!=nullptr, nullptr_exceptiont("dirty is null"));
+  assert(dirty!=0);
   const irep_idt &obj_identifier=expr.get_object_name();
   if(obj_identifier=="goto_symex::\\guard" ||
      (!ns.lookup(obj_identifier).is_shared() &&
diff --git a/src/goto-symex/goto_symex_state.h b/src/goto-symex/goto_symex_state.h
index b7e645ab39..d62d4a66af 100644
--- a/src/goto-symex/goto_symex_state.h
+++ b/src/goto-symex/goto_symex_state.h
@@ -26,8 +26,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 class dirtyt;
 
-#define nullptr_exceptiont(str) str
-
 // central data structure: state
 class goto_symex_statet
 {
diff --git a/src/goto-symex/slice_by_trace.cpp b/src/goto-symex/slice_by_trace.cpp
index 828b457caa..80acfa4add 100644
--- a/src/goto-symex/slice_by_trace.cpp
+++ b/src/goto-symex/slice_by_trace.cpp
@@ -187,9 +187,9 @@ void symex_slice_by_tracet::parse_events(std::string read_line)
 {
   if(read_line=="")
     return;
-  bool parity=strstr(read_line.c_str(), "!")==nullptr;
-  bool universe=strstr(read_line.c_str(), "?")!=nullptr;
-  bool has_values=strstr(read_line.c_str(), " ")!=nullptr;
+  bool parity=strstr(read_line.c_str(), "!")==NULL;
+  bool universe=strstr(read_line.c_str(), "?")!=NULL;
+  bool has_values=strstr(read_line.c_str(), " ")!=NULL;
   std::cout << "Trace: " << read_line << '\n';
   std::vector value_v;
   if(has_values)
diff --git a/src/goto-symex/symex_dereference_state.cpp b/src/goto-symex/symex_dereference_state.cpp
index 9911ba51e7..f0e36f5d03 100644
--- a/src/goto-symex/symex_dereference_state.cpp
+++ b/src/goto-symex/symex_dereference_state.cpp
@@ -43,7 +43,7 @@ bool symex_dereference_statet::has_failed_symbol(
         !ns.lookup(failed_symbol, symbol))
     {
       symbolt sym=*symbol;
-      symbolt *sym_ptr=nullptr;
+      symbolt *sym_ptr=0;
       symbol_exprt sym_expr=sym.symbol_expr();
       state.rename(sym_expr, ns, goto_symex_statet::L1);
       sym.name=to_ssa_expr(sym_expr).get_identifier();
@@ -64,7 +64,7 @@ bool symex_dereference_statet::has_failed_symbol(
         !ns.lookup(failed_symbol, symbol))
     {
       symbolt sym=*symbol;
-      symbolt *sym_ptr=nullptr;
+      symbolt *sym_ptr=0;
       symbol_exprt sym_expr=sym.symbol_expr();
       state.rename(sym_expr, ns, goto_symex_statet::L1);
       sym.name=to_ssa_expr(sym_expr).get_identifier();
diff --git a/src/goto-symex/symex_function_call.cpp b/src/goto-symex/symex_function_call.cpp
index 06d519e494..a71a142b89 100644
--- a/src/goto-symex/symex_function_call.cpp
+++ b/src/goto-symex/symex_function_call.cpp
@@ -139,7 +139,7 @@ void goto_symext::parameter_assignments(
   {
     // These are va_arg arguments; their types may differ from call to call
     unsigned va_count=0;
-    const symbolt *va_sym=nullptr;
+    const symbolt *va_sym=0;
     while(!ns.lookup(
         id2string(function_identifier)+"::va_arg"+std::to_string(va_count),
         va_sym))
diff --git a/src/goto-symex/symex_main.cpp b/src/goto-symex/symex_main.cpp
index 4fce789ad3..b8a1e294f1 100644
--- a/src/goto-symex/symex_main.cpp
+++ b/src/goto-symex/symex_main.cpp
@@ -158,7 +158,7 @@ void goto_symext::operator()(
   }
 
   delete state.dirty;
-  state.dirty=nullptr;
+  state.dirty=0;
 }
 
 /// symex starting from given program
diff --git a/src/java_bytecode/java_bytecode_convert_method.cpp b/src/java_bytecode/java_bytecode_convert_method.cpp
index 5c2135e8af..8a02f4f885 100644
--- a/src/java_bytecode/java_bytecode_convert_method.cpp
+++ b/src/java_bytecode/java_bytecode_convert_method.cpp
@@ -406,7 +406,7 @@ void java_bytecode_convert_methodt::convert(
 const bytecode_infot &java_bytecode_convert_methodt::get_bytecode_info(
   const irep_idt &statement)
 {
-  for(const bytecode_infot *p=bytecode_info; p->mnemonic!=nullptr; p++)
+  for(const bytecode_infot *p=bytecode_info; p->mnemonic!=0; p++)
     if(statement==p->mnemonic)
       return *p;
 
diff --git a/src/java_bytecode/java_bytecode_parser.cpp b/src/java_bytecode/java_bytecode_parser.cpp
index d24141b76d..77874da494 100644
--- a/src/java_bytecode/java_bytecode_parser.cpp
+++ b/src/java_bytecode/java_bytecode_parser.cpp
@@ -99,7 +99,7 @@ protected:
   {
     // pre-hash the mnemonics, so we do this only once
     bytecodes.resize(256);
-    for(const bytecode_infot *p=bytecode_info; p->mnemonic!=nullptr; p++)
+    for(const bytecode_infot *p=bytecode_info; p->mnemonic!=0; p++)
     {
       assert(p->opcodeopcode].mnemonic=p->mnemonic;
diff --git a/src/java_bytecode/java_local_variable_table.cpp b/src/java_bytecode/java_local_variable_table.cpp
index 94d5062fb2..052b958d05 100644
--- a/src/java_bytecode/java_local_variable_table.cpp
+++ b/src/java_bytecode/java_local_variable_table.cpp
@@ -288,7 +288,7 @@ static void populate_predecessor_map(
         auto pred_var=
           (predmode);
 
-  if(ptr==nullptr)
+  if(ptr==NULL)
     throw "symbol `"+id2string(symbol->name)+
       "' has unknown mode '"+id2string(symbol->mode)+"'";
 
diff --git a/src/langapi/mode.cpp b/src/langapi/mode.cpp
index 2c3a852b73..55c533f949 100644
--- a/src/langapi/mode.cpp
+++ b/src/langapi/mode.cpp
@@ -45,7 +45,7 @@ languaget *get_language_from_mode(const irep_idt &mode)
     if(mode==it->mode)
       return it->factory();
 
-  return nullptr;
+  return NULL;
 }
 
 languaget *get_language_from_filename(const std::string &filename)
@@ -53,13 +53,13 @@ languaget *get_language_from_filename(const std::string &filename)
   std::size_t ext_pos=filename.rfind('.');
 
   if(ext_pos==std::string::npos)
-    return nullptr;
+    return NULL;
 
   std::string extension=
     std::string(filename, ext_pos+1, std::string::npos);
 
   if(extension=="")
-    return nullptr;
+    return NULL;
 
   for(languagest::const_iterator
       l_it=languages.begin();
@@ -79,7 +79,7 @@ languaget *get_language_from_filename(const std::string &filename)
     #endif
   }
 
-  return nullptr;
+  return NULL;
 }
 
 languaget *get_default_language()
diff --git a/src/miniz/miniz.cpp b/src/miniz/miniz.cpp
index d5dfa3bda1..4fff76e87d 100644
--- a/src/miniz/miniz.cpp
+++ b/src/miniz/miniz.cpp
@@ -197,7 +197,7 @@ int mz_deflateInit2(mz_streamp pStream, int level, int method, int window_bits,
 
     pStream->data_type = 0;
     pStream->adler = MZ_ADLER32_INIT;
-    pStream->msg = nullptr;
+    pStream->msg = NULL;
     pStream->reserved = 0;
     pStream->total_in = 0;
     pStream->total_out = 0;
@@ -212,7 +212,7 @@ int mz_deflateInit2(mz_streamp pStream, int level, int method, int window_bits,
 
     pStream->state = (struct mz_internal_state *)pComp;
 
-    if(tdefl_init(pComp, nullptr, nullptr, comp_flags) != TDEFL_STATUS_OKAY)
+    if(tdefl_init(pComp, NULL, NULL, comp_flags) != TDEFL_STATUS_OKAY)
     {
         mz_deflateEnd(pStream);
         return MZ_PARAM_ERROR;
@@ -226,7 +226,7 @@ int mz_deflateReset(mz_streamp pStream)
     if((!pStream) || (!pStream->state) || (!pStream->zalloc) || (!pStream->zfree))
         return MZ_STREAM_ERROR;
     pStream->total_in = pStream->total_out = 0;
-    tdefl_init((tdefl_compressor *)pStream->state, nullptr, nullptr, ((tdefl_compressor *)pStream->state)->m_flags);
+    tdefl_init((tdefl_compressor *)pStream->state, NULL, NULL, ((tdefl_compressor *)pStream->state)->m_flags);
     return MZ_OK;
 }
 
@@ -295,7 +295,7 @@ int mz_deflateEnd(mz_streamp pStream)
     if(pStream->state)
     {
         pStream->zfree(pStream->opaque, pStream->state);
-        pStream->state = nullptr;
+        pStream->state = NULL;
     }
     return MZ_OK;
 }
@@ -344,7 +344,7 @@ int mz_compress(unsigned char *pDest, mz_ulong *pDest_len, const unsigned char *
 
 mz_ulong mz_compressBound(mz_ulong source_len)
 {
-    return mz_deflateBound(nullptr, source_len);
+    return mz_deflateBound(NULL, source_len);
 }
 
 typedef struct
@@ -366,7 +366,7 @@ int mz_inflateInit2(mz_streamp pStream, int window_bits)
 
     pStream->data_type = 0;
     pStream->adler = 0;
-    pStream->msg = nullptr;
+    pStream->msg = NULL;
     pStream->total_in = 0;
     pStream->total_out = 0;
     pStream->reserved = 0;
@@ -516,7 +516,7 @@ int mz_inflateEnd(mz_streamp pStream)
     if(pStream->state)
     {
         pStream->zfree(pStream->opaque, pStream->state);
-        pStream->state = nullptr;
+        pStream->state = NULL;
     }
     return MZ_OK;
 }
@@ -566,7 +566,7 @@ const char *mz_error(int err)
     for(i = 0; i < sizeof(s_error_descs) / sizeof(s_error_descs[0]); ++i)
         if(s_error_descs[i].m_err == err)
             return s_error_descs[i].m_pDesc;
-    return nullptr;
+    return NULL;
 }
 
 #endif /*MINIZ_NO_ZLIB_APIS */
@@ -1210,7 +1210,7 @@ static int tdefl_flush_block(tdefl_compressor *d, int flush)
     mz_uint8 *pSaved_output_buf;
     mz_bool comp_block_succeeded = MZ_FALSE;
     int n, use_raw_block = ((d->m_flags & TDEFL_FORCE_ALL_RAW_BLOCKS) != 0) && (d->m_lookahead_pos - d->m_lz_code_buf_dict_pos) <= d->m_dict_size;
-    mz_uint8 *pOutput_buf_start = ((d->m_pPut_buf_func == nullptr) && ((*d->m_pOut_buf_size - d->m_out_buf_ofs) >= TDEFL_OUT_BUF_SIZE)) ? ((mz_uint8 *)d->m_pOut_buf + d->m_out_buf_ofs) : d->m_output_buf;
+    mz_uint8 *pOutput_buf_start = ((d->m_pPut_buf_func == NULL) && ((*d->m_pOut_buf_size - d->m_out_buf_ofs) >= TDEFL_OUT_BUF_SIZE)) ? ((mz_uint8 *)d->m_pOut_buf + d->m_out_buf_ofs) : d->m_output_buf;
 
     d->m_pOutput_buf = pOutput_buf_start;
     d->m_pOutput_buf_end = d->m_pOutput_buf + TDEFL_OUT_BUF_SIZE - 16;
@@ -1839,7 +1839,7 @@ tdefl_status tdefl_compress(tdefl_compressor *d, const void *pIn_buf, size_t *pI
     d->m_out_buf_ofs = 0;
     d->m_flush = flush;
 
-    if(((d->m_pPut_buf_func != nullptr) == ((pOut_buf != nullptr) || (pOut_buf_size != nullptr))) || (d->m_prev_return_status != TDEFL_STATUS_OKAY) ||
+    if(((d->m_pPut_buf_func != NULL) == ((pOut_buf != NULL) || (pOut_buf_size != NULL))) || (d->m_prev_return_status != TDEFL_STATUS_OKAY) ||
         (d->m_wants_to_finish && (flush != TDEFL_FINISH)) || (pIn_buf_size && *pIn_buf_size && !pIn_buf) || (pOut_buf_size && *pOut_buf_size && !pOut_buf))
     {
         if(pIn_buf_size)
@@ -1890,7 +1890,7 @@ tdefl_status tdefl_compress(tdefl_compressor *d, const void *pIn_buf, size_t *pI
 tdefl_status tdefl_compress_buffer(tdefl_compressor *d, const void *pIn_buf, size_t in_buf_size, tdefl_flush flush)
 {
     MZ_ASSERT(d->m_pPut_buf_func);
-    return tdefl_compress(d, pIn_buf, &in_buf_size, nullptr, nullptr, flush);
+    return tdefl_compress(d, pIn_buf, &in_buf_size, NULL, NULL, flush);
 }
 
 tdefl_status tdefl_init(tdefl_compressor *d, tdefl_put_buf_func_ptr pPut_buf_func, void *pPut_buf_user, int flags)
@@ -1913,12 +1913,12 @@ tdefl_status tdefl_init(tdefl_compressor *d, tdefl_put_buf_func_ptr pPut_buf_fun
     d->m_prev_return_status = TDEFL_STATUS_OKAY;
     d->m_saved_match_dist = d->m_saved_match_len = d->m_saved_lit = 0;
     d->m_adler32 = 1;
-    d->m_pIn_buf = nullptr;
-    d->m_pOut_buf = nullptr;
-    d->m_pIn_buf_size = nullptr;
-    d->m_pOut_buf_size = nullptr;
+    d->m_pIn_buf = NULL;
+    d->m_pOut_buf = NULL;
+    d->m_pIn_buf_size = NULL;
+    d->m_pOut_buf_size = NULL;
     d->m_flush = TDEFL_NO_FLUSH;
-    d->m_pSrc = nullptr;
+    d->m_pSrc = NULL;
     d->m_src_buf_left = 0;
     d->m_out_buf_ofs = 0;
     memset(&d->m_huff_count[0][0], 0, sizeof(d->m_huff_count[0][0]) * TDEFL_MAX_HUFF_SYMBOLS_0);
@@ -1993,7 +1993,7 @@ void *tdefl_compress_mem_to_heap(const void *pSrc_buf, size_t src_buf_len, size_
         *pOut_len = 0;
     out_buf.m_expandable = MZ_TRUE;
     if(!tdefl_compress_mem_to_output(pSrc_buf, src_buf_len, tdefl_output_buffer_putter, &out_buf, flags))
-        return nullptr;
+        return NULL;
     *pOut_len = out_buf.m_size;
     return out_buf.m_pBuf;
 }
@@ -2054,14 +2054,14 @@ void *tdefl_write_image_to_png_file_in_memory_ex(const void *pImage, int w, int
     mz_uint32 c;
     *pLen_out = 0;
     if(!pComp)
-        return nullptr;
+        return NULL;
     MZ_CLEAR_OBJ(out_buf);
     out_buf.m_expandable = MZ_TRUE;
     out_buf.m_capacity = 57 + MZ_MAX(64, (1 + bpl) * h);
-    if(nullptr == (out_buf.m_pBuf = (mz_uint8 *)MZ_MALLOC(out_buf.m_capacity)))
+    if(NULL == (out_buf.m_pBuf = (mz_uint8 *)MZ_MALLOC(out_buf.m_capacity)))
     {
         MZ_FREE(pComp);
-        return nullptr;
+        return NULL;
     }
     /* write dummy header */
     for(z = 41; z; --z)
@@ -2073,11 +2073,11 @@ void *tdefl_write_image_to_png_file_in_memory_ex(const void *pImage, int w, int
         tdefl_compress_buffer(pComp, &z, 1, TDEFL_NO_FLUSH);
         tdefl_compress_buffer(pComp, (mz_uint8 *)pImage + (flip ? (h - 1 - y) : y) * bpl, bpl, TDEFL_NO_FLUSH);
     }
-    if(tdefl_compress_buffer(pComp, nullptr, 0, TDEFL_FINISH) != TDEFL_STATUS_DONE)
+    if(tdefl_compress_buffer(pComp, NULL, 0, TDEFL_FINISH) != TDEFL_STATUS_DONE)
     {
         MZ_FREE(pComp);
         MZ_FREE(out_buf.m_pBuf);
-        return nullptr;
+        return NULL;
     }
     /* write real header */
     *pLen_out = out_buf.m_size - 41;
@@ -2097,7 +2097,7 @@ void *tdefl_write_image_to_png_file_in_memory_ex(const void *pImage, int w, int
         *pLen_out = 0;
         MZ_FREE(pComp);
         MZ_FREE(out_buf.m_pBuf);
-        return nullptr;
+        return NULL;
     }
     c = (mz_uint32)mz_crc32(MZ_CRC32_INIT, out_buf.m_pBuf + 41 - 4, *pLen_out + 4);
     for(i = 0; i < 4; ++i, c <<= 8)
@@ -2778,20 +2778,20 @@ common_exit:
 void *tinfl_decompress_mem_to_heap(const void *pSrc_buf, size_t src_buf_len, size_t *pOut_len, int flags)
 {
     tinfl_decompressor decomp;
-    void *pBuf = nullptr, *pNew_buf;
+    void *pBuf = NULL, *pNew_buf;
     size_t src_buf_ofs = 0, out_buf_capacity = 0;
     *pOut_len = 0;
     tinfl_init(&decomp);
     for(;;)
     {
         size_t src_buf_size = src_buf_len - src_buf_ofs, dst_buf_size = out_buf_capacity - *pOut_len, new_out_buf_capacity;
-        tinfl_status status = tinfl_decompress(&decomp, (const mz_uint8 *)pSrc_buf + src_buf_ofs, &src_buf_size, (mz_uint8 *)pBuf, pBuf ? (mz_uint8 *)pBuf + *pOut_len : nullptr, &dst_buf_size,
+        tinfl_status status = tinfl_decompress(&decomp, (const mz_uint8 *)pSrc_buf + src_buf_ofs, &src_buf_size, (mz_uint8 *)pBuf, pBuf ? (mz_uint8 *)pBuf + *pOut_len : NULL, &dst_buf_size,
                                                (flags & ~TINFL_FLAG_HAS_MORE_INPUT) | TINFL_FLAG_USING_NON_WRAPPING_OUTPUT_BUF);
         if((status < 0) || (status == TINFL_STATUS_NEEDS_MORE_INPUT))
         {
             MZ_FREE(pBuf);
             *pOut_len = 0;
-            return nullptr;
+            return NULL;
         }
         src_buf_ofs += src_buf_size;
         *pOut_len += dst_buf_size;
@@ -2805,7 +2805,7 @@ void *tinfl_decompress_mem_to_heap(const void *pSrc_buf, size_t src_buf_len, siz
         {
             MZ_FREE(pBuf);
             *pOut_len = 0;
-            return nullptr;
+            return NULL;
         }
         pBuf = pNew_buf;
         out_buf_capacity = new_out_buf_capacity;
@@ -3175,7 +3175,7 @@ static mz_bool mz_zip_array_ensure_capacity(mz_zip_archive *pZip, mz_zip_array *
         while(new_capacity < min_new_capacity)
             new_capacity *= 2;
     }
-    if(nullptr == (pNew_p = pZip->m_pRealloc(pZip->m_pAlloc_opaque, pArray->m_p, pArray->m_element_size, new_capacity)))
+    if(NULL == (pNew_p = pZip->m_pRealloc(pZip->m_pAlloc_opaque, pArray->m_p, pArray->m_element_size, new_capacity)))
         return MZ_FALSE;
     pArray->m_p = pNew_p;
     pArray->m_capacity = new_capacity;
@@ -3304,7 +3304,7 @@ static mz_bool mz_zip_reader_init_internal(mz_zip_archive *pZip, mz_uint flags)
     pZip->m_total_files = 0;
     pZip->m_last_error = MZ_ZIP_NO_ERROR;
 
-    if(nullptr == (pZip->m_pState = (mz_zip_internal_state *)pZip->m_pAlloc(pZip->m_pAlloc_opaque, 1, sizeof(mz_zip_internal_state))))
+    if(NULL == (pZip->m_pState = (mz_zip_internal_state *)pZip->m_pAlloc(pZip->m_pAlloc_opaque, 1, sizeof(mz_zip_internal_state))))
         return mz_zip_set_error(pZip, MZ_ZIP_ALLOC_FAILED);
 
     memset(pZip->m_pState, 0, sizeof(mz_zip_internal_state));
@@ -3692,7 +3692,7 @@ static mz_bool mz_zip_reader_end_internal(mz_zip_archive *pZip, mz_bool set_last
     if(pZip->m_pState)
     {
         mz_zip_internal_state *pState = pZip->m_pState;
-        pZip->m_pState = nullptr;
+        pZip->m_pState = NULL;
 
         mz_zip_array_clear(pZip, &pState->m_central_dir);
         mz_zip_array_clear(pZip, &pState->m_central_dir_offsets);
@@ -3710,7 +3710,7 @@ static mz_bool mz_zip_reader_end_internal(mz_zip_archive *pZip, mz_bool set_last
                     status = MZ_FALSE;
                 }
             }
-            pState->m_pFile = nullptr;
+            pState->m_pFile = NULL;
         }
 #endif /* #ifndef MINIZ_NO_STDIO */
 
@@ -3899,7 +3899,7 @@ mz_bool mz_zip_reader_init_cfile(mz_zip_archive *pZip, MZ_FILE *pFile, mz_uint64
 static MZ_FORCEINLINE const mz_uint8 *mz_zip_get_cdh(mz_zip_archive *pZip, mz_uint file_index)
 {
     if((!pZip) || (!pZip->m_pState) || (file_index >= pZip->m_total_files))
-        return nullptr;
+        return NULL;
     return &MZ_ZIP_ARRAY_ELEMENT(&pZip->m_pState->m_central_dir, mz_uint8, MZ_ZIP_ARRAY_ELEMENT(&pZip->m_pState->m_central_dir_offsets, mz_uint32, file_index));
 }
 
@@ -4333,7 +4333,7 @@ mz_bool mz_zip_reader_extract_to_mem_no_alloc(mz_zip_archive *pZip, mz_uint file
         if(((sizeof(size_t) == sizeof(mz_uint32))) && (read_buf_size > 0x7FFFFFFF))
             return mz_zip_set_error(pZip, MZ_ZIP_INTERNAL_ERROR);
 
-        if(nullptr == (pRead_buf = pZip->m_pAlloc(pZip->m_pAlloc_opaque, 1, (size_t)read_buf_size)))
+        if(NULL == (pRead_buf = pZip->m_pAlloc(pZip->m_pAlloc_opaque, 1, (size_t)read_buf_size)))
             return mz_zip_set_error(pZip, MZ_ZIP_ALLOC_FAILED);
 
         read_buf_avail = 0;
@@ -4390,19 +4390,19 @@ mz_bool mz_zip_reader_extract_to_mem_no_alloc(mz_zip_archive *pZip, mz_uint file
 mz_bool mz_zip_reader_extract_file_to_mem_no_alloc(mz_zip_archive *pZip, const char *pFilename, void *pBuf, size_t buf_size, mz_uint flags, void *pUser_read_buf, size_t user_read_buf_size)
 {
     mz_uint32 file_index;
-    if(!mz_zip_reader_locate_file_v2(pZip, pFilename, nullptr, flags, &file_index))
+    if(!mz_zip_reader_locate_file_v2(pZip, pFilename, NULL, flags, &file_index))
         return MZ_FALSE;
     return mz_zip_reader_extract_to_mem_no_alloc(pZip, file_index, pBuf, buf_size, flags, pUser_read_buf, user_read_buf_size);
 }
 
 mz_bool mz_zip_reader_extract_to_mem(mz_zip_archive *pZip, mz_uint file_index, void *pBuf, size_t buf_size, mz_uint flags)
 {
-    return mz_zip_reader_extract_to_mem_no_alloc(pZip, file_index, pBuf, buf_size, flags, nullptr, 0);
+    return mz_zip_reader_extract_to_mem_no_alloc(pZip, file_index, pBuf, buf_size, flags, NULL, 0);
 }
 
 mz_bool mz_zip_reader_extract_file_to_mem(mz_zip_archive *pZip, const char *pFilename, void *pBuf, size_t buf_size, mz_uint flags)
 {
-    return mz_zip_reader_extract_file_to_mem_no_alloc(pZip, pFilename, pBuf, buf_size, flags, nullptr, 0);
+    return mz_zip_reader_extract_file_to_mem_no_alloc(pZip, pFilename, pBuf, buf_size, flags, NULL, 0);
 }
 
 void *mz_zip_reader_extract_to_heap(mz_zip_archive *pZip, mz_uint file_index, size_t *pSize, mz_uint flags)
@@ -4417,7 +4417,7 @@ void *mz_zip_reader_extract_to_heap(mz_zip_archive *pZip, mz_uint file_index, si
     if(!p)
     {
         mz_zip_set_error(pZip, MZ_ZIP_INVALID_PARAMETER);
-        return nullptr;
+        return NULL;
     }
 
     comp_size = MZ_READ_LE32(p + MZ_ZIP_CDH_COMPRESSED_SIZE_OFS);
@@ -4427,19 +4427,19 @@ void *mz_zip_reader_extract_to_heap(mz_zip_archive *pZip, mz_uint file_index, si
     if(((sizeof(size_t) == sizeof(mz_uint32))) && (alloc_size > 0x7FFFFFFF))
     {
         mz_zip_set_error(pZip, MZ_ZIP_INTERNAL_ERROR);
-        return nullptr;
+        return NULL;
     }
 
-    if(nullptr == (pBuf = pZip->m_pAlloc(pZip->m_pAlloc_opaque, 1, (size_t)alloc_size)))
+    if(NULL == (pBuf = pZip->m_pAlloc(pZip->m_pAlloc_opaque, 1, (size_t)alloc_size)))
     {
         mz_zip_set_error(pZip, MZ_ZIP_ALLOC_FAILED);
-        return nullptr;
+        return NULL;
     }
 
     if(!mz_zip_reader_extract_to_mem(pZip, file_index, pBuf, (size_t)alloc_size, flags))
     {
         pZip->m_pFree(pZip->m_pAlloc_opaque, pBuf);
-        return nullptr;
+        return NULL;
     }
 
     if(pSize)
@@ -4450,7 +4450,7 @@ void *mz_zip_reader_extract_to_heap(mz_zip_archive *pZip, mz_uint file_index, si
 void *mz_zip_reader_extract_file_to_heap(mz_zip_archive *pZip, const char *pFilename, size_t *pSize, mz_uint flags)
 {
     mz_uint32 file_index;
-    if(!mz_zip_reader_locate_file_v2(pZip, pFilename, nullptr, flags, &file_index))
+    if(!mz_zip_reader_locate_file_v2(pZip, pFilename, NULL, flags, &file_index))
     {
         if(pSize)
             *pSize = 0;
@@ -4465,8 +4465,8 @@ mz_bool mz_zip_reader_extract_to_callback(mz_zip_archive *pZip, mz_uint file_ind
     mz_uint file_crc32 = MZ_CRC32_INIT;
     mz_uint64 read_buf_size, read_buf_ofs = 0, read_buf_avail, comp_remaining, out_buf_ofs = 0, cur_file_ofs;
     mz_zip_archive_file_stat file_stat;
-    void *pRead_buf = nullptr;
-    void *pWrite_buf = nullptr;
+    void *pRead_buf = NULL;
+    void *pWrite_buf = NULL;
     mz_uint32 local_header_u32[(MZ_ZIP_LOCAL_DIR_HEADER_SIZE + sizeof(mz_uint32) - 1) / sizeof(mz_uint32)];
     mz_uint8 *pLocal_header = (mz_uint8 *)local_header_u32;
 
@@ -4510,7 +4510,7 @@ mz_bool mz_zip_reader_extract_to_callback(mz_zip_archive *pZip, mz_uint file_ind
     else
     {
         read_buf_size = MZ_MIN(file_stat.m_comp_size, (mz_uint64)MZ_ZIP_MAX_IO_BUF_SIZE);
-        if(nullptr == (pRead_buf = pZip->m_pAlloc(pZip->m_pAlloc_opaque, 1, (size_t)read_buf_size)))
+        if(NULL == (pRead_buf = pZip->m_pAlloc(pZip->m_pAlloc_opaque, 1, (size_t)read_buf_size)))
             return mz_zip_set_error(pZip, MZ_ZIP_ALLOC_FAILED);
 
         read_buf_avail = 0;
@@ -4578,7 +4578,7 @@ mz_bool mz_zip_reader_extract_to_callback(mz_zip_archive *pZip, mz_uint file_ind
         tinfl_decompressor inflator;
         tinfl_init(&inflator);
 
-        if(nullptr == (pWrite_buf = pZip->m_pAlloc(pZip->m_pAlloc_opaque, 1, TINFL_LZ_DICT_SIZE)))
+        if(NULL == (pWrite_buf = pZip->m_pAlloc(pZip->m_pAlloc_opaque, 1, TINFL_LZ_DICT_SIZE)))
         {
             mz_zip_set_error(pZip, MZ_ZIP_ALLOC_FAILED);
             status = TINFL_STATUS_FAILED;
@@ -4660,7 +4660,7 @@ mz_bool mz_zip_reader_extract_to_callback(mz_zip_archive *pZip, mz_uint file_ind
 mz_bool mz_zip_reader_extract_file_to_callback(mz_zip_archive *pZip, const char *pFilename, mz_file_write_func pCallback, void *pOpaque, mz_uint flags)
 {
     mz_uint32 file_index;
-    if(!mz_zip_reader_locate_file_v2(pZip, pFilename, nullptr, flags, &file_index))
+    if(!mz_zip_reader_locate_file_v2(pZip, pFilename, NULL, flags, &file_index))
         return MZ_FALSE;
 
     return mz_zip_reader_extract_to_callback(pZip, file_index, pCallback, pOpaque, flags);
@@ -4711,7 +4711,7 @@ mz_bool mz_zip_reader_extract_to_file(mz_zip_archive *pZip, mz_uint file_index,
 mz_bool mz_zip_reader_extract_file_to_file(mz_zip_archive *pZip, const char *pArchive_filename, const char *pDst_filename, mz_uint flags)
 {
     mz_uint32 file_index;
-    if(!mz_zip_reader_locate_file_v2(pZip, pArchive_filename, nullptr, flags, &file_index))
+    if(!mz_zip_reader_locate_file_v2(pZip, pArchive_filename, NULL, flags, &file_index))
         return MZ_FALSE;
 
     return mz_zip_reader_extract_to_file(pZip, file_index, pDst_filename, flags);
@@ -4733,7 +4733,7 @@ mz_bool mz_zip_reader_extract_to_cfile(mz_zip_archive *pZip, mz_uint file_index,
 mz_bool mz_zip_reader_extract_file_to_cfile(mz_zip_archive *pZip, const char *pArchive_filename, MZ_FILE *pFile, mz_uint flags)
 {
     mz_uint32 file_index;
-    if(!mz_zip_reader_locate_file_v2(pZip, pArchive_filename, nullptr, flags, &file_index))
+    if(!mz_zip_reader_locate_file_v2(pZip, pArchive_filename, NULL, flags, &file_index))
         return MZ_FALSE;
 
     return mz_zip_reader_extract_to_cfile(pZip, file_index, pFile, flags);
@@ -4989,7 +4989,7 @@ mz_bool mz_zip_validate_archive(mz_zip_archive *pZip, mz_uint flags)
             if(!mz_zip_reader_file_stat(pZip, i, &stat))
                 return MZ_FALSE;
 
-            if(!mz_zip_reader_locate_file_v2(pZip, stat.m_filename, nullptr, 0, &found_index))
+            if(!mz_zip_reader_locate_file_v2(pZip, stat.m_filename, NULL, 0, &found_index))
                 return MZ_FALSE;
 
             /* This check can fail if there are duplicate filenames in the archive (which we don't check for when writing - that's up to the user) */
@@ -5138,7 +5138,7 @@ static size_t mz_zip_heap_write_func(void *pOpaque, mz_uint64 file_ofs, const vo
         while(new_capacity < new_size)
             new_capacity *= 2;
 
-        if(nullptr == (pNew_block = pZip->m_pRealloc(pZip->m_pAlloc_opaque, pState->m_pMem, 1, new_capacity)))
+        if(NULL == (pNew_block = pZip->m_pRealloc(pZip->m_pAlloc_opaque, pState->m_pMem, 1, new_capacity)))
         {
             mz_zip_set_error(pZip, MZ_ZIP_ALLOC_FAILED);
             return 0;
@@ -5165,7 +5165,7 @@ static mz_bool mz_zip_writer_end_internal(mz_zip_archive *pZip, mz_bool set_last
     }
 
     pState = pZip->m_pState;
-    pZip->m_pState = nullptr;
+    pZip->m_pState = NULL;
     mz_zip_array_clear(pZip, &pState->m_central_dir);
     mz_zip_array_clear(pZip, &pState->m_central_dir_offsets);
     mz_zip_array_clear(pZip, &pState->m_sorted_central_dir_offsets);
@@ -5183,14 +5183,14 @@ static mz_bool mz_zip_writer_end_internal(mz_zip_archive *pZip, mz_bool set_last
             }
         }
 
-        pState->m_pFile = nullptr;
+        pState->m_pFile = NULL;
     }
 #endif /* #ifndef MINIZ_NO_STDIO */
 
     if((pZip->m_pWrite == mz_zip_heap_write_func) && (pState->m_pMem))
     {
         pZip->m_pFree(pZip->m_pAlloc_opaque, pState->m_pMem);
-        pState->m_pMem = nullptr;
+        pState->m_pMem = NULL;
     }
 
     pZip->m_pFree(pZip->m_pAlloc_opaque, pState);
@@ -5229,7 +5229,7 @@ mz_bool mz_zip_writer_init_v2(mz_zip_archive *pZip, mz_uint64 existing_size, mz_
     pZip->m_central_directory_file_ofs = 0;
     pZip->m_total_files = 0;
 
-    if(nullptr == (pZip->m_pState = (mz_zip_internal_state *)pZip->m_pAlloc(pZip->m_pAlloc_opaque, 1, sizeof(mz_zip_internal_state))))
+    if(NULL == (pZip->m_pState = (mz_zip_internal_state *)pZip->m_pAlloc(pZip->m_pAlloc_opaque, 1, sizeof(mz_zip_internal_state))))
         return mz_zip_set_error(pZip, MZ_ZIP_ALLOC_FAILED);
 
     memset(pZip->m_pState, 0, sizeof(mz_zip_internal_state));
@@ -5268,7 +5268,7 @@ mz_bool mz_zip_writer_init_heap_v2(mz_zip_archive *pZip, size_t size_to_reserve_
 
     if(0 != (initial_allocation_size = MZ_MAX(initial_allocation_size, size_to_reserve_at_beginning)))
     {
-        if(nullptr == (pZip->m_pState->m_pMem = pZip->m_pAlloc(pZip->m_pAlloc_opaque, 1, initial_allocation_size)))
+        if(NULL == (pZip->m_pState->m_pMem = pZip->m_pAlloc(pZip->m_pAlloc_opaque, 1, initial_allocation_size)))
         {
             mz_zip_writer_end_internal(pZip, MZ_FALSE);
             return mz_zip_set_error(pZip, MZ_ZIP_ALLOC_FAILED);
@@ -5320,7 +5320,7 @@ mz_bool mz_zip_writer_init_file_v2(mz_zip_archive *pZip, const char *pFilename,
     if(!mz_zip_writer_init_v2(pZip, size_to_reserve_at_beginning, flags))
         return MZ_FALSE;
 
-    if(nullptr == (pFile = MZ_FOPEN(pFilename, (flags & MZ_ZIP_FLAG_WRITE_ALLOW_READING) ? "w+b" : "wb")))
+    if(NULL == (pFile = MZ_FOPEN(pFilename, (flags & MZ_ZIP_FLAG_WRITE_ALLOW_READING) ? "w+b" : "wb")))
     {
         mz_zip_writer_end(pZip);
         return mz_zip_set_error(pZip, MZ_ZIP_FILE_OPEN_FAILED);
@@ -5418,7 +5418,7 @@ mz_bool mz_zip_writer_init_from_reader_v2(mz_zip_archive *pZip, const char *pFil
                 return mz_zip_set_error(pZip, MZ_ZIP_INVALID_PARAMETER);
 
             /* Archive is being read from stdio and was originally opened only for reading. Try to reopen as writable. */
-            if(nullptr == (pState->m_pFile = MZ_FREOPEN(pFilename, "r+b", pState->m_pFile)))
+            if(NULL == (pState->m_pFile = MZ_FREOPEN(pFilename, "r+b", pState->m_pFile)))
             {
                 /* The mz_zip_archive is now in a bogus state because pState->m_pFile is NULL, so just close it. */
                 mz_zip_reader_end_internal(pZip, MZ_FALSE);
@@ -5465,7 +5465,7 @@ mz_bool mz_zip_writer_init_from_reader(mz_zip_archive *pZip, const char *pFilena
 /* TODO: pArchive_name is a terrible name here! */
 mz_bool mz_zip_writer_add_mem(mz_zip_archive *pZip, const char *pArchive_name, const void *pBuf, size_t buf_size, mz_uint level_and_flags)
 {
-    return mz_zip_writer_add_mem_ex(pZip, pArchive_name, pBuf, buf_size, nullptr, 0, level_and_flags, 0, 0);
+    return mz_zip_writer_add_mem_ex(pZip, pArchive_name, pBuf, buf_size, NULL, 0, level_and_flags, 0, 0);
 }
 
 typedef struct
@@ -5652,7 +5652,7 @@ static mz_bool mz_zip_writer_write_zeros(mz_zip_archive *pZip, mz_uint64 cur_fil
 mz_bool mz_zip_writer_add_mem_ex(mz_zip_archive *pZip, const char *pArchive_name, const void *pBuf, size_t buf_size, const void *pComment, mz_uint16 comment_size, mz_uint level_and_flags,
                                  mz_uint64 uncomp_size, mz_uint32 uncomp_crc32)
 {
-    return mz_zip_writer_add_mem_ex_v2(pZip, pArchive_name, pBuf, buf_size, pComment, comment_size, level_and_flags, uncomp_size, uncomp_crc32, nullptr, nullptr, 0, nullptr, 0);
+    return mz_zip_writer_add_mem_ex_v2(pZip, pArchive_name, pBuf, buf_size, pComment, comment_size, level_and_flags, uncomp_size, uncomp_crc32, NULL, NULL, 0, NULL, 0);
 }
 
 mz_bool mz_zip_writer_add_mem_ex_v2(mz_zip_archive *pZip, const char *pArchive_name, const void *pBuf, size_t buf_size, const void *pComment, mz_uint16 comment_size,
@@ -5664,10 +5664,10 @@ mz_bool mz_zip_writer_add_mem_ex_v2(mz_zip_archive *pZip, const char *pArchive_n
     mz_uint64 local_dir_header_ofs = pZip->m_archive_size, cur_archive_file_ofs = pZip->m_archive_size, comp_size = 0;
     size_t archive_name_size;
     mz_uint8 local_dir_header[MZ_ZIP_LOCAL_DIR_HEADER_SIZE];
-    tdefl_compressor *pComp = nullptr;
+    tdefl_compressor *pComp = NULL;
     mz_bool store_data_uncompressed;
     mz_zip_internal_state *pState;
-    mz_uint8 *pExtra_data = nullptr;
+    mz_uint8 *pExtra_data = NULL;
     mz_uint32 extra_size = 0;
     mz_uint8 extra_data[MZ_ZIP64_MAX_CENTRAL_EXTRA_FIELD_SIZE];
     mz_uint16 bit_flags = 0;
@@ -5713,7 +5713,7 @@ mz_bool mz_zip_writer_add_mem_ex_v2(mz_zip_archive *pZip, const char *pArchive_n
     if(!mz_zip_writer_validate_archive_name(pArchive_name))
         return mz_zip_set_error(pZip, MZ_ZIP_INVALID_FILENAME);
 
-    if(last_modified != nullptr)
+    if(last_modified != NULL)
     {
         mz_zip_time_t_to_dos_time(*last_modified, &dos_time, &dos_date);
     }
@@ -5764,7 +5764,7 @@ mz_bool mz_zip_writer_add_mem_ex_v2(mz_zip_archive *pZip, const char *pArchive_n
 
     if((!store_data_uncompressed) && (buf_size))
     {
-        if(nullptr == (pComp = (tdefl_compressor *)pZip->m_pAlloc(pZip->m_pAlloc_opaque, 1, sizeof(tdefl_compressor))))
+        if(NULL == (pComp = (tdefl_compressor *)pZip->m_pAlloc(pZip->m_pAlloc_opaque, 1, sizeof(tdefl_compressor))))
             return mz_zip_set_error(pZip, MZ_ZIP_ALLOC_FAILED);
     }
 
@@ -5793,8 +5793,8 @@ mz_bool mz_zip_writer_add_mem_ex_v2(mz_zip_archive *pZip, const char *pArchive_n
         if(uncomp_size >= MZ_UINT32_MAX || local_dir_header_ofs >= MZ_UINT32_MAX)
         {
             pExtra_data = extra_data;
-            extra_size = mz_zip_writer_create_zip64_extra_data(extra_data, (uncomp_size >= MZ_UINT32_MAX) ? &uncomp_size : nullptr,
-                                                               (uncomp_size >= MZ_UINT32_MAX) ? &comp_size : nullptr, (local_dir_header_ofs >= MZ_UINT32_MAX) ? &local_dir_header_ofs : nullptr);
+            extra_size = mz_zip_writer_create_zip64_extra_data(extra_data, (uncomp_size >= MZ_UINT32_MAX) ? &uncomp_size : NULL,
+                                                               (uncomp_size >= MZ_UINT32_MAX) ? &comp_size : NULL, (local_dir_header_ofs >= MZ_UINT32_MAX) ? &local_dir_header_ofs : NULL);
         }
 
         if(!mz_zip_writer_create_local_dir_header(pZip, local_dir_header, (mz_uint16)archive_name_size, extra_size + user_extra_data_len, 0, 0, 0, method, bit_flags, dos_time, dos_date))
@@ -5812,7 +5812,7 @@ mz_bool mz_zip_writer_add_mem_ex_v2(mz_zip_archive *pZip, const char *pArchive_n
         }
         cur_archive_file_ofs += archive_name_size;
 
-        if(pExtra_data != nullptr)
+        if(pExtra_data != NULL)
         {
             if(pZip->m_pWrite(pZip->m_pIO_opaque, cur_archive_file_ofs, extra_data, extra_size) != extra_size)
                 return mz_zip_set_error(pZip, MZ_ZIP_FILE_WRITE_FAILED);
@@ -5890,7 +5890,7 @@ mz_bool mz_zip_writer_add_mem_ex_v2(mz_zip_archive *pZip, const char *pArchive_n
     }
 
     pZip->m_pFree(pZip->m_pAlloc_opaque, pComp);
-    pComp = nullptr;
+    pComp = NULL;
 
     if(uncomp_size)
     {
@@ -5901,7 +5901,7 @@ mz_bool mz_zip_writer_add_mem_ex_v2(mz_zip_archive *pZip, const char *pArchive_n
 
         MZ_WRITE_LE32(local_dir_footer + 0, MZ_ZIP_DATA_DESCRIPTOR_ID);
         MZ_WRITE_LE32(local_dir_footer + 4, uncomp_crc32);
-        if(pExtra_data == nullptr)
+        if(pExtra_data == NULL)
         {
             if((comp_size > MZ_UINT32_MAX) || (cur_archive_file_ofs > MZ_UINT32_MAX))
                 return mz_zip_set_error(pZip, MZ_ZIP_ARCHIVE_TOO_LARGE);
@@ -5922,10 +5922,10 @@ mz_bool mz_zip_writer_add_mem_ex_v2(mz_zip_archive *pZip, const char *pArchive_n
         cur_archive_file_ofs += local_dir_footer_size;
     }
 
-    if(pExtra_data != nullptr)
+    if(pExtra_data != NULL)
     {
-        extra_size = mz_zip_writer_create_zip64_extra_data(extra_data, (uncomp_size >= MZ_UINT32_MAX) ? &uncomp_size : nullptr,
-                                                           (uncomp_size >= MZ_UINT32_MAX) ? &comp_size : nullptr, (local_dir_header_ofs >= MZ_UINT32_MAX) ? &local_dir_header_ofs : nullptr);
+        extra_size = mz_zip_writer_create_zip64_extra_data(extra_data, (uncomp_size >= MZ_UINT32_MAX) ? &uncomp_size : NULL,
+                                                           (uncomp_size >= MZ_UINT32_MAX) ? &comp_size : NULL, (local_dir_header_ofs >= MZ_UINT32_MAX) ? &local_dir_header_ofs : NULL);
     }
 
     if(!mz_zip_writer_add_to_central_dir(pZip, pArchive_name, (mz_uint16)archive_name_size, pExtra_data, extra_size, pComment,
@@ -5949,7 +5949,7 @@ mz_bool mz_zip_writer_add_cfile(mz_zip_archive *pZip, const char *pArchive_name,
     mz_uint64 local_dir_header_ofs, cur_archive_file_ofs = pZip->m_archive_size, uncomp_size = size_to_add, comp_size = 0;
     size_t archive_name_size;
     mz_uint8 local_dir_header[MZ_ZIP_LOCAL_DIR_HEADER_SIZE];
-    mz_uint8 *pExtra_data = nullptr;
+    mz_uint8 *pExtra_data = NULL;
     mz_uint32 extra_size = 0;
     mz_uint8 extra_data[MZ_ZIP64_MAX_CENTRAL_EXTRA_FIELD_SIZE];
     mz_zip_internal_state *pState;
@@ -6049,8 +6049,8 @@ mz_bool mz_zip_writer_add_cfile(mz_zip_archive *pZip, const char *pArchive_name,
         if(uncomp_size >= MZ_UINT32_MAX || local_dir_header_ofs >= MZ_UINT32_MAX)
         {
             pExtra_data = extra_data;
-            extra_size = mz_zip_writer_create_zip64_extra_data(extra_data, (uncomp_size >= MZ_UINT32_MAX) ? &uncomp_size : nullptr,
-                                                               (uncomp_size >= MZ_UINT32_MAX) ? &comp_size : nullptr, (local_dir_header_ofs >= MZ_UINT32_MAX) ? &local_dir_header_ofs : nullptr);
+            extra_size = mz_zip_writer_create_zip64_extra_data(extra_data, (uncomp_size >= MZ_UINT32_MAX) ? &uncomp_size : NULL,
+                                                               (uncomp_size >= MZ_UINT32_MAX) ? &comp_size : NULL, (local_dir_header_ofs >= MZ_UINT32_MAX) ? &local_dir_header_ofs : NULL);
         }
 
         if(!mz_zip_writer_create_local_dir_header(pZip, local_dir_header, (mz_uint16)archive_name_size, extra_size + user_extra_data_len, 0, 0, 0, method, gen_flags, dos_time, dos_date))
@@ -6195,7 +6195,7 @@ mz_bool mz_zip_writer_add_cfile(mz_zip_archive *pZip, const char *pArchive_name,
 
     MZ_WRITE_LE32(local_dir_footer + 0, MZ_ZIP_DATA_DESCRIPTOR_ID);
     MZ_WRITE_LE32(local_dir_footer + 4, uncomp_crc32);
-    if(pExtra_data == nullptr)
+    if(pExtra_data == NULL)
     {
         if(comp_size > MZ_UINT32_MAX)
             return mz_zip_set_error(pZip, MZ_ZIP_ARCHIVE_TOO_LARGE);
@@ -6215,10 +6215,10 @@ mz_bool mz_zip_writer_add_cfile(mz_zip_archive *pZip, const char *pArchive_name,
 
     cur_archive_file_ofs += local_dir_footer_size;
 
-    if(pExtra_data != nullptr)
+    if(pExtra_data != NULL)
     {
-        extra_size = mz_zip_writer_create_zip64_extra_data(extra_data, (uncomp_size >= MZ_UINT32_MAX) ? &uncomp_size : nullptr,
-                                                           (uncomp_size >= MZ_UINT32_MAX) ? &comp_size : nullptr, (local_dir_header_ofs >= MZ_UINT32_MAX) ? &local_dir_header_ofs : nullptr);
+        extra_size = mz_zip_writer_create_zip64_extra_data(extra_data, (uncomp_size >= MZ_UINT32_MAX) ? &uncomp_size : NULL,
+                                                           (uncomp_size >= MZ_UINT32_MAX) ? &comp_size : NULL, (local_dir_header_ofs >= MZ_UINT32_MAX) ? &local_dir_header_ofs : NULL);
     }
 
     if(!mz_zip_writer_add_to_central_dir(pZip, pArchive_name, (mz_uint16)archive_name_size, pExtra_data, extra_size, pComment, comment_size,
@@ -6234,10 +6234,10 @@ mz_bool mz_zip_writer_add_cfile(mz_zip_archive *pZip, const char *pArchive_name,
 
 mz_bool mz_zip_writer_add_file(mz_zip_archive *pZip, const char *pArchive_name, const char *pSrc_filename, const void *pComment, mz_uint16 comment_size, mz_uint level_and_flags)
 {
-    MZ_FILE *pSrc_file = nullptr;
+    MZ_FILE *pSrc_file = NULL;
     mz_uint64 uncomp_size = 0;
     MZ_TIME_T file_modified_time;
-    MZ_TIME_T *pFile_time = nullptr;
+    MZ_TIME_T *pFile_time = NULL;
 
     memset(&file_modified_time, 0, sizeof(file_modified_time));
 
@@ -6255,7 +6255,7 @@ mz_bool mz_zip_writer_add_file(mz_zip_archive *pZip, const char *pArchive_name,
     uncomp_size = MZ_FTELL64(pSrc_file);
     MZ_FSEEK64(pSrc_file, 0, SEEK_SET);
 
-    mz_bool status = mz_zip_writer_add_cfile(pZip, pArchive_name, pSrc_file, uncomp_size, pFile_time, pComment, comment_size, level_and_flags, nullptr, 0, nullptr, 0);
+    mz_bool status = mz_zip_writer_add_cfile(pZip, pArchive_name, pSrc_file, uncomp_size, pFile_time, pComment, comment_size, level_and_flags, NULL, 0, NULL, 0);
 
     MZ_FCLOSE(pSrc_file);
 
@@ -6372,7 +6372,7 @@ mz_bool mz_zip_writer_add_from_zip_reader(mz_zip_archive *pZip, mz_zip_archive *
         return mz_zip_set_error(pZip, MZ_ZIP_INVALID_PARAMETER);
 
     /* Get pointer to the source central dir header and crack it */
-    if(nullptr == (pSrc_central_header = mz_zip_get_cdh(pSource_zip, src_file_index)))
+    if(NULL == (pSrc_central_header = mz_zip_get_cdh(pSource_zip, src_file_index)))
         return mz_zip_set_error(pZip, MZ_ZIP_INVALID_PARAMETER);
 
     if(MZ_READ_LE32(pSrc_central_header + MZ_ZIP_CDH_SIG_OFS) != MZ_ZIP_CENTRAL_DIR_HEADER_SIG)
@@ -6401,7 +6401,7 @@ mz_bool mz_zip_writer_add_from_zip_reader(mz_zip_archive *pZip, mz_zip_archive *
             return mz_zip_set_error(pZip, MZ_ZIP_TOO_MANY_FILES);
     }
 
-    if(!mz_zip_file_stat_internal(pSource_zip, src_file_index, pSrc_central_header, &src_file_stat, nullptr))
+    if(!mz_zip_file_stat_internal(pSource_zip, src_file_index, pSrc_central_header, &src_file_stat, NULL))
         return MZ_FALSE;
 
     cur_src_file_ofs = src_file_stat.m_local_header_ofs;
@@ -6516,7 +6516,7 @@ mz_bool mz_zip_writer_add_from_zip_reader(mz_zip_archive *pZip, mz_zip_archive *
     cur_dst_file_ofs += MZ_ZIP_LOCAL_DIR_HEADER_SIZE;
 
     /* Copy over the source archive bytes to the dest archive, also ensure we have enough buf space to handle optional data descriptor */
-    if(nullptr == (pBuf = pZip->m_pAlloc(pZip->m_pAlloc_opaque, 1, (size_t)MZ_MAX(32U, MZ_MIN((mz_uint64)MZ_ZIP_MAX_IO_BUF_SIZE, src_archive_bytes_remaining)))))
+    if(NULL == (pBuf = pZip->m_pAlloc(pZip->m_pAlloc_opaque, 1, (size_t)MZ_MAX(32U, MZ_MIN((mz_uint64)MZ_ZIP_MAX_IO_BUF_SIZE, src_archive_bytes_remaining)))))
         return mz_zip_set_error(pZip, MZ_ZIP_ALLOC_FAILED);
 
     while(src_archive_bytes_remaining)
@@ -6624,7 +6624,7 @@ mz_bool mz_zip_writer_add_from_zip_reader(mz_zip_archive *pZip, mz_zip_archive *
         MZ_WRITE_LE32(new_central_header + MZ_ZIP_CDH_DECOMPRESSED_SIZE_OFS, MZ_UINT32_MAX);
         MZ_WRITE_LE32(new_central_header + MZ_ZIP_CDH_LOCAL_HEADER_OFS, MZ_UINT32_MAX);
 
-        if(!mz_zip_writer_update_zip64_extension_block(&new_ext_block, pZip, pSrc_ext, src_ext_len, &src_file_stat.m_comp_size, &src_file_stat.m_uncomp_size, &local_dir_header_ofs, nullptr))
+        if(!mz_zip_writer_update_zip64_extension_block(&new_ext_block, pZip, pSrc_ext, src_ext_len, &src_file_stat.m_comp_size, &src_file_stat.m_uncomp_size, &local_dir_header_ofs, NULL))
         {
             mz_zip_array_clear(pZip, &new_ext_block);
             return MZ_FALSE;
@@ -6796,7 +6796,7 @@ mz_bool mz_zip_writer_finalize_heap_archive(mz_zip_archive *pZip, void **ppBuf,
     if((!ppBuf) || (!pSize))
         return mz_zip_set_error(pZip, MZ_ZIP_INVALID_PARAMETER);
 
-    *ppBuf = nullptr;
+    *ppBuf = NULL;
     *pSize = 0;
 
     if((!pZip) || (!pZip->m_pState))
@@ -6810,7 +6810,7 @@ mz_bool mz_zip_writer_finalize_heap_archive(mz_zip_archive *pZip, void **ppBuf,
 
     *ppBuf = pZip->m_pState->m_pMem;
     *pSize = pZip->m_pState->m_mem_size;
-    pZip->m_pState->m_pMem = nullptr;
+    pZip->m_pState->m_pMem = NULL;
     pZip->m_pState->m_mem_size = pZip->m_pState->m_mem_capacity = 0;
 
     return MZ_TRUE;
@@ -6824,7 +6824,7 @@ mz_bool mz_zip_writer_end(mz_zip_archive *pZip)
 #ifndef MINIZ_NO_STDIO
 mz_bool mz_zip_add_mem_to_archive_file_in_place(const char *pZip_filename, const char *pArchive_name, const void *pBuf, size_t buf_size, const void *pComment, mz_uint16 comment_size, mz_uint level_and_flags)
 {
-    return mz_zip_add_mem_to_archive_file_in_place_v2(pZip_filename, pArchive_name, pBuf, buf_size, pComment, comment_size, level_and_flags, nullptr);
+    return mz_zip_add_mem_to_archive_file_in_place_v2(pZip_filename, pArchive_name, pBuf, buf_size, pComment, comment_size, level_and_flags, NULL);
 }
 
 mz_bool mz_zip_add_mem_to_archive_file_in_place_v2(const char *pZip_filename, const char *pArchive_name, const void *pBuf, size_t buf_size, const void *pComment, mz_uint16 comment_size, mz_uint level_and_flags, mz_zip_error *pErr)
@@ -6924,7 +6924,7 @@ void *mz_zip_extract_archive_file_to_heap_v2(const char *pZip_filename, const ch
 {
     mz_uint32 file_index;
     mz_zip_archive zip_archive;
-    void *p = nullptr;
+    void *p = NULL;
 
     if(pSize)
         *pSize = 0;
@@ -6934,7 +6934,7 @@ void *mz_zip_extract_archive_file_to_heap_v2(const char *pZip_filename, const ch
         if(pErr)
             *pErr = MZ_ZIP_INVALID_PARAMETER;
 
-        return nullptr;
+        return NULL;
     }
 
     mz_zip_zero_struct(&zip_archive);
@@ -6943,7 +6943,7 @@ void *mz_zip_extract_archive_file_to_heap_v2(const char *pZip_filename, const ch
         if(pErr)
             *pErr = zip_archive.m_last_error;
 
-        return nullptr;
+        return NULL;
     }
 
     if(mz_zip_reader_locate_file_v2(&zip_archive, pArchive_name, pComment, flags, &file_index))
@@ -6951,7 +6951,7 @@ void *mz_zip_extract_archive_file_to_heap_v2(const char *pZip_filename, const ch
         p = mz_zip_reader_extract_to_heap(&zip_archive, file_index, pSize, flags);
     }
 
-    mz_zip_reader_end_internal(&zip_archive, p != nullptr);
+    mz_zip_reader_end_internal(&zip_archive, p != NULL);
 
     if(pErr)
         *pErr = zip_archive.m_last_error;
@@ -6961,7 +6961,7 @@ void *mz_zip_extract_archive_file_to_heap_v2(const char *pZip_filename, const ch
 
 void *mz_zip_extract_archive_file_to_heap(const char *pZip_filename, const char *pArchive_name, size_t *pSize, mz_uint flags)
 {
-    return mz_zip_extract_archive_file_to_heap_v2(pZip_filename, pArchive_name, nullptr, pSize, flags, nullptr);
+    return mz_zip_extract_archive_file_to_heap_v2(pZip_filename, pArchive_name, NULL, pSize, flags, NULL);
 }
 
 #endif /* #ifndef MINIZ_NO_STDIO */
@@ -7133,7 +7133,7 @@ mz_uint64 mz_zip_get_archive_file_start_offset(mz_zip_archive *pZip)
 MZ_FILE *mz_zip_get_cfile(mz_zip_archive *pZip)
 {
     if((!pZip) || (!pZip->m_pState))
-        return nullptr;
+        return 0;
     return pZip->m_pState->m_pFile;
 }
 
@@ -7168,7 +7168,7 @@ mz_uint mz_zip_reader_get_filename(mz_zip_archive *pZip, mz_uint file_index, cha
 
 mz_bool mz_zip_reader_file_stat(mz_zip_archive *pZip, mz_uint file_index, mz_zip_archive_file_stat *pStat)
 {
-    return mz_zip_file_stat_internal(pZip, file_index, mz_zip_get_cdh(pZip, file_index), pStat, nullptr);
+    return mz_zip_file_stat_internal(pZip, file_index, mz_zip_get_cdh(pZip, file_index), pStat, NULL);
 }
 
 mz_bool mz_zip_end(mz_zip_archive *pZip)
diff --git a/src/path-symex/path_symex_history.h b/src/path-symex/path_symex_history.h
index 794679d72d..4371e5e26d 100644
--- a/src/path-symex/path_symex_history.h
+++ b/src/path-symex/path_symex_history.h
@@ -21,8 +21,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 class path_symex_stept;
 
-#define nullptr_exceptiont(str) str
-
 // This is a reference to a path_symex_stept,
 // and is really cheap to copy. These references are stable,
 // even though the underlying vector is not.
@@ -37,7 +35,7 @@ public:
   }
 
   path_symex_step_reft():
-    index(std::numeric_limits::max()), history(nullptr)
+    index(std::numeric_limits::max()), history(0)
   {
   }
 
@@ -48,7 +46,7 @@ public:
 
   path_symex_historyt &get_history() const
   {
-    INVARIANT(history!=nullptr, nullptr_exceptiont("history is null"));
+    assert(history!=0);
     return *history;
   }
 
@@ -156,7 +154,7 @@ public:
 
 inline void path_symex_step_reft::generate_successor()
 {
-  INVARIANT(history!=nullptr, nullptr_exceptiont("history is null"));
+  assert(history!=0);
   path_symex_step_reft old=*this;
   index=history->step_container.size();
   history->step_container.push_back(path_symex_stept());
@@ -171,7 +169,7 @@ inline path_symex_step_reft &path_symex_step_reft::operator--()
 
 inline path_symex_stept &path_symex_step_reft::get() const
 {
-  INVARIANT(history!=nullptr, nullptr_exceptiont("history is null"));
+  assert(history!=0);
   assert(!is_nil());
   return history->step_container[index];
 }
diff --git a/src/path-symex/path_symex_state.h b/src/path-symex/path_symex_state.h
index 796864cc80..eb23e891f8 100644
--- a/src/path-symex/path_symex_state.h
+++ b/src/path-symex/path_symex_state.h
@@ -16,8 +16,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include "var_map.h"
 #include "path_symex_history.h"
 
-#define nullptr_exceptiont(str) str
-
 struct path_symex_statet
 {
 public:
diff --git a/src/path-symex/path_symex_state_read.cpp b/src/path-symex/path_symex_state_read.cpp
index fb34aaf93d..a6993c19b0 100644
--- a/src/path-symex/path_symex_state_read.cpp
+++ b/src/path-symex/path_symex_state_read.cpp
@@ -430,7 +430,7 @@ bool path_symex_statet::is_symbol_member_index(const exprt &src) const
   // the loop avoids recursion
   while(true)
   {
-    const exprt *next=nullptr;
+    const exprt *next=0;
 
     if(current->id()==ID_symbol)
     {
@@ -465,7 +465,7 @@ bool path_symex_statet::is_symbol_member_index(const exprt &src) const
       return false;
 
     // next round
-    INVARIANT(next!=nullptr, nullptr_exceptiont("next is null"));
+    assert(next!=0);
     current=next;
   }
 }
diff --git a/src/path-symex/var_map.cpp b/src/path-symex/var_map.cpp
index 96d079c48f..f5dea20a96 100644
--- a/src/path-symex/var_map.cpp
+++ b/src/path-symex/var_map.cpp
@@ -84,7 +84,7 @@ void var_mapt::init(var_infot &var_info)
     }
     else
     {
-      const symbolt *symbol=nullptr;
+      const symbolt *symbol=0;
       if(ns.lookup(var_info.symbol, symbol))
         throw "var_mapt::init identifier \""
           +id2string(var_info.full_identifier)
diff --git a/src/pointer-analysis/value_set_fi.cpp b/src/pointer-analysis/value_set_fi.cpp
index d08694b82d..77962a3b3b 100644
--- a/src/pointer-analysis/value_set_fi.cpp
+++ b/src/pointer-analysis/value_set_fi.cpp
@@ -550,18 +550,18 @@ void value_set_fit::get_value_set_rec(
     if(expr.type().id()==ID_pointer)
     {
       // find the pointer operand
-      const exprt *ptr_operand=nullptr;
+      const exprt *ptr_operand=NULL;
 
       forall_operands(it, expr)
         if(it->type().id()==ID_pointer)
         {
-          if(ptr_operand==nullptr)
+          if(ptr_operand==NULL)
             ptr_operand=&(*it);
           else
             throw "more than one pointer operand in pointer arithmetic";
         }
 
-      if(ptr_operand==nullptr)
+      if(ptr_operand==NULL)
         throw "pointer type sum expected to have pointer operand";
 
       object_mapt pointer_expr_set;
diff --git a/src/pointer-analysis/value_set_fivr.cpp b/src/pointer-analysis/value_set_fivr.cpp
index 3ea5ef1aa8..6bd7e1321e 100644
--- a/src/pointer-analysis/value_set_fivr.cpp
+++ b/src/pointer-analysis/value_set_fivr.cpp
@@ -668,18 +668,18 @@ void value_set_fivrt::get_value_set_rec(
     if(expr.type().id()==ID_pointer)
     {
       // find the pointer operand
-      const exprt *ptr_operand=nullptr;
+      const exprt *ptr_operand=NULL;
 
       forall_operands(it, expr)
         if(it->type().id()==ID_pointer)
         {
-          if(ptr_operand==nullptr)
+          if(ptr_operand==NULL)
             ptr_operand=&(*it);
           else
             throw "more than one pointer operand in pointer arithmetic";
         }
 
-      if(ptr_operand==nullptr)
+      if(ptr_operand==NULL)
         throw "pointer type sum expected to have pointer operand";
 
       object_mapt pointer_expr_set;
diff --git a/src/pointer-analysis/value_set_fivrns.cpp b/src/pointer-analysis/value_set_fivrns.cpp
index 3b5ce55a3a..0eaf08b201 100644
--- a/src/pointer-analysis/value_set_fivrns.cpp
+++ b/src/pointer-analysis/value_set_fivrns.cpp
@@ -454,18 +454,18 @@ void value_set_fivrnst::get_value_set_rec(
     if(expr.type().id()==ID_pointer)
     {
       // find the pointer operand
-      const exprt *ptr_operand=nullptr;
+      const exprt *ptr_operand=NULL;
 
       forall_operands(it, expr)
         if(it->type().id()==ID_pointer)
         {
-          if(ptr_operand==nullptr)
+          if(ptr_operand==NULL)
             ptr_operand=&(*it);
           else
             throw "more than one pointer operand in pointer arithmetic";
         }
 
-      if(ptr_operand==nullptr)
+      if(ptr_operand==NULL)
         throw "pointer type sum expected to have pointer operand";
 
       object_mapt pointer_expr_set;
diff --git a/src/solvers/miniBDD/miniBDD.h b/src/solvers/miniBDD/miniBDD.h
index 9b994b88ff..f7dde020fe 100644
--- a/src/solvers/miniBDD/miniBDD.h
+++ b/src/solvers/miniBDD/miniBDD.h
@@ -55,7 +55,7 @@ public:
   unsigned node_number() const;
   void clear();
 
-  bool is_initialized() const { return node!=nullptr; }
+  bool is_initialized() const { return node!=0; }
 
   // internal
   explicit mini_bddt(class mini_bdd_nodet *_node);
diff --git a/src/solvers/miniBDD/miniBDD.inc b/src/solvers/miniBDD/miniBDD.inc
index a2077ab95f..091725ed33 100644
--- a/src/solvers/miniBDD/miniBDD.inc
+++ b/src/solvers/miniBDD/miniBDD.inc
@@ -2,7 +2,7 @@
 
 // inline functions
 
-inline mini_bddt::mini_bddt():node(nullptr)
+inline mini_bddt::mini_bddt():node(0)
 {
 }
 
@@ -82,7 +82,7 @@ inline void mini_bddt::clear()
   if(is_initialized())
   {
     node->remove_reference();
-    node=nullptr;
+    node=NULL;
   }
 }
 
diff --git a/src/solvers/sat/pbs_dimacs_cnf.cpp b/src/solvers/sat/pbs_dimacs_cnf.cpp
index 69e4c78a29..731c6ac7ae 100644
--- a/src/solvers/sat/pbs_dimacs_cnf.cpp
+++ b/src/solvers/sat/pbs_dimacs_cnf.cpp
@@ -125,7 +125,7 @@ bool pbs_dimacs_cnft::pbs_solve()
     {
       std::getline(file, line);
       if(strstr(line.c_str(),
-                "Variable Assignments Satisfying CNF Formula:")!=nullptr)
+                "Variable Assignments Satisfying CNF Formula:")!=NULL)
         {
           // print ("Reading assignments...\n");
           // std::cout << "No literals: " << no_variables() << "\n";
@@ -143,12 +143,12 @@ bool pbs_dimacs_cnft::pbs_solve()
           // std::cout << "\n";
           // print ("Finished reading assignments.\n");
         }
-      else if(strstr(line.c_str(), "SAT... SUM")!=nullptr)
+      else if(strstr(line.c_str(), "SAT... SUM")!=NULL)
         {
           // print (line);
           sscanf(line.c_str(), "%*s %*s %*s %d", &opt_sum);
         }
-      else if(strstr(line.c_str(), "SAT - All implied")!=nullptr)
+      else if(strstr(line.c_str(), "SAT - All implied")!=NULL)
         {
           // print (line);
           sscanf(
@@ -156,15 +156,15 @@ bool pbs_dimacs_cnft::pbs_solve()
             "%*s %*s %*s %*s %*s %*s %*s %*s %*s %*s %*s %d",
             &opt_sum);
         }
-      else if(strstr(line.c_str(), "SAT... Solution")!=nullptr)
+      else if(strstr(line.c_str(), "SAT... Solution")!=NULL)
         {
           // print(line);
           sscanf(line.c_str(), "%*s %*s %*s %d", &opt_sum);
         }
-      else if(strstr(line.c_str(), "Optimal Soln")!=nullptr)
+      else if(strstr(line.c_str(), "Optimal Soln")!=NULL)
         {
           // print(line);
-          if(strstr(line.c_str(), "time out")!=nullptr)
+          if(strstr(line.c_str(), "time out")!=NULL)
             {
               status() << "WARNING:  TIMED OUT.  SOLUTION MAY BE INCORRECT."
                        << eom;
diff --git a/src/util/config.cpp b/src/util/config.cpp
index a256ff6b17..ee24ab7b0f 100644
--- a/src/util/config.cpp
+++ b/src/util/config.cpp
@@ -739,7 +739,7 @@ bool configt::set(const cmdlinet &cmdline)
   ansi_c.arch="none";
   ansi_c.lib=configt::ansi_ct::libt::LIB_NONE;
   // NOLINTNEXTLINE(readability/casting)
-  ansi_c.NULL_is_zero=reinterpret_cast(nullptr)==0;
+  ansi_c.NULL_is_zero=reinterpret_cast((void*)0)==0;
 
   // Default is ROUND_TO_EVEN, justified by C99:
   // 1 At program startup the floating-point environment is initialized as
@@ -773,7 +773,7 @@ bool configt::set(const cmdlinet &cmdline)
   {
     // environment variable set?
     const char *CLASSPATH=getenv("CLASSPATH");
-    if(CLASSPATH!=nullptr)
+    if(CLASSPATH!=NULL)
       set_classpath(CLASSPATH);
     else
       set_classpath("."); // default
diff --git a/src/util/file_util.cpp b/src/util/file_util.cpp
index 37dfd59587..3753fa5aab 100644
--- a/src/util/file_util.cpp
+++ b/src/util/file_util.cpp
@@ -51,7 +51,7 @@ std::string get_current_working_directory()
 
   errno=0;
 
-  while(buf && getcwd(buf, bsize-1)==nullptr && errno==ERANGE)
+  while(buf && getcwd(buf, bsize-1)==NULL && errno==ERANGE)
   {
     bsize*=2;
     buf=reinterpret_cast(realloc(buf, sizeof(char)*bsize));
@@ -98,10 +98,10 @@ void delete_directory(const std::string &path)
   delete_directory_utf16(utf8_to_utf16_little_endian(path));
 #else
   DIR *dir=opendir(path.c_str());
-  if(dir!=nullptr)
+  if(dir!=NULL)
   {
     struct dirent *ent;
-    while((ent=readdir(dir))!=nullptr)
+    while((ent=readdir(dir))!=NULL)
     {
       // Needed for Alpine Linux
       if(strcmp(ent->d_name, ".")==0 || strcmp(ent->d_name, "..")==0)
diff --git a/src/util/invariant.cpp b/src/util/invariant.cpp
index 5e63639556..b0047cccf4 100644
--- a/src/util/invariant.cpp
+++ b/src/util/invariant.cpp
@@ -57,7 +57,7 @@ static bool output_demangled_name(
 
     int demangle_success=1;
     char *demangled=
-      abi::__cxa_demangle(mangled.c_str(), nullptr, nullptr, &demangle_success);
+      abi::__cxa_demangle(mangled.c_str(), NULL, 0, &demangle_success);
 
     if(demangle_success==0)
     {
diff --git a/src/util/irep_ids.cpp b/src/util/irep_ids.cpp
index 50e0f537fa..8aff81777a 100644
--- a/src/util/irep_ids.cpp
+++ b/src/util/irep_ids.cpp
@@ -22,7 +22,7 @@ const char *irep_ids_table[]=
 
 #include "irep_ids.def"
 
-  nullptr,
+  NULL,
 };
 
 #ifdef USE_DSTRING
@@ -47,7 +47,7 @@ void initialize_string_container()
 {
   // this is called by the constructor of string_containert
 
-  for(unsigned i=0; irep_ids_table[i]!=nullptr; i++)
+  for(unsigned i=0; irep_ids_table[i]!=NULL; i++)
   {
     unsigned x;
     x=string_container[irep_ids_table[i]];
diff --git a/src/util/language_file.cpp b/src/util/language_file.cpp
index 7ca179f68f..2aa57a85c6 100644
--- a/src/util/language_file.cpp
+++ b/src/util/language_file.cpp
@@ -14,14 +14,14 @@ Author: Daniel Kroening, kroening@kroening.com
 
 language_filet::language_filet(const language_filet &rhs):
   modules(rhs.modules),
-  language(rhs.language==nullptr?nullptr:rhs.language->new_language()),
+  language(rhs.language==NULL?NULL:rhs.language->new_language()),
   filename(rhs.filename)
 {
 }
 
 language_filet::~language_filet()
 {
-  if(language!=nullptr)
+  if(language!=NULL)
     delete language;
 }
 
diff --git a/src/util/language_file.h b/src/util/language_file.h
index a18d4685a3..e2e8750be5 100644
--- a/src/util/language_file.h
+++ b/src/util/language_file.h
@@ -49,7 +49,7 @@ public:
 
   language_filet(const language_filet &rhs);
 
-  language_filet():language(nullptr)
+  language_filet():language(NULL)
   {
   }
 
diff --git a/src/util/message.h b/src/util/message.h
index c3d73d5f4d..41c9117400 100644
--- a/src/util/message.h
+++ b/src/util/message.h
@@ -133,7 +133,7 @@ public:
   // constructors, destructor
 
   messaget():
-    message_handler(nullptr),
+    message_handler(NULL),
     mstream(M_DEBUG, *this)
   {
   }
diff --git a/src/util/namespace.cpp b/src/util/namespace.cpp
index 218e73d285..50de95f296 100644
--- a/src/util/namespace.cpp
+++ b/src/util/namespace.cpp
@@ -127,10 +127,10 @@ unsigned namespacet::get_max(const std::string &prefix) const
 {
   unsigned m=0;
 
-  if(symbol_table1!=nullptr)
+  if(symbol_table1!=NULL)
     m=std::max(m, ::get_max(prefix, symbol_table1->symbols));
 
-  if(symbol_table2!=nullptr)
+  if(symbol_table2!=NULL)
     m=std::max(m, ::get_max(prefix, symbol_table2->symbols));
 
   return m;
@@ -142,7 +142,7 @@ bool namespacet::lookup(
 {
   symbol_tablet::symbolst::const_iterator it;
 
-  if(symbol_table1!=nullptr)
+  if(symbol_table1!=NULL)
   {
     it=symbol_table1->symbols.find(name);
 
@@ -153,7 +153,7 @@ bool namespacet::lookup(
     }
   }
 
-  if(symbol_table2!=nullptr)
+  if(symbol_table2!=NULL)
   {
     it=symbol_table2->symbols.find(name);
 
diff --git a/src/util/namespace.h b/src/util/namespace.h
index a3b9f3827c..ea6b33cfdb 100644
--- a/src/util/namespace.h
+++ b/src/util/namespace.h
@@ -64,7 +64,7 @@ class namespacet:public namespace_baset
 public:
   // constructors
   explicit namespacet(const symbol_tablet &_symbol_table)
-  { symbol_table1=&_symbol_table; symbol_table2=nullptr; }
+  { symbol_table1=&_symbol_table; symbol_table2=NULL; }
 
   namespacet(
     const symbol_tablet &_symbol_table1,
@@ -101,12 +101,12 @@ class multi_namespacet:public namespacet
 {
 public:
   // constructors
-  multi_namespacet():namespacet(nullptr, nullptr)
+  multi_namespacet():namespacet(NULL, NULL)
   {
   }
 
   explicit multi_namespacet(
-    const symbol_tablet &symbol_table):namespacet(nullptr, nullptr)
+    const symbol_tablet &symbol_table):namespacet(NULL, NULL)
   {
     add(symbol_table);
   }
diff --git a/src/util/parser.h b/src/util/parser.h
index bf572e6004..b450de7f61 100644
--- a/src/util/parser.h
+++ b/src/util/parser.h
@@ -39,7 +39,7 @@ public:
     last_line.clear();
   }
 
-  parsert():in(nullptr) { clear(); }
+  parsert():in(NULL) { clear(); }
   virtual ~parsert() { }
 
   // The following are for the benefit of the scanner
diff --git a/src/util/pipe_stream.cpp b/src/util/pipe_stream.cpp
index 44ac29b3eb..4306bce8e0 100644
--- a/src/util/pipe_stream.cpp
+++ b/src/util/pipe_stream.cpp
@@ -159,12 +159,12 @@ int pipe_streamt::run()
         a_it++, i++)
        _argv[i]=strdup(a_it->c_str());
 
-    _argv[args.size()+1]=nullptr;
+    _argv[args.size()+1]=NULL;
 
     int result=execvp(executable.c_str(), _argv);
 
     if(result==-1)
-      perror(nullptr);
+      perror(0);
 
     return result;
   }
@@ -289,7 +289,7 @@ std::streamsize filedescriptor_streambuft::xsputn(
 /// read a character from the piped process
 std::streambuf::int_type filedescriptor_streambuft::underflow()
 {
-  if(gptr()==nullptr)
+  if(gptr()==0)
     return traits_type::eof();
 
   if(gptr()expr_set.empty();
   }
@@ -52,13 +52,13 @@ public:
 
   bool make_union(const ref_expr_sett &s2)
   {
-    if(s2.d==nullptr)
+    if(s2.d==NULL)
       return false;
 
     if(s2.d==d)
       return false;
 
-    if(d==nullptr)
+    if(d==NULL)
     {
       copy_from(s2);
       return true;
diff --git a/src/util/reference_counting.h b/src/util/reference_counting.h
index 4d5accb5ec..ffdc8eed75 100644
--- a/src/util/reference_counting.h
+++ b/src/util/reference_counting.h
@@ -19,7 +19,7 @@ template
 class reference_counting
 {
 public:
-  reference_counting():d(nullptr)
+  reference_counting():d(NULL)
   {
   }
 
@@ -31,7 +31,7 @@ public:
   // copy constructor
   reference_counting(const reference_counting &other):d(other.d)
   {
-    if(d!=nullptr)
+    if(d!=NULL)
     {
       assert(d->ref_count!=0);
       d->ref_count++;
@@ -50,7 +50,7 @@ public:
   ~reference_counting()
   {
     remove_ref(d);
-    d=nullptr;
+    d=NULL;
   }
 
   void swap(reference_counting &other)
@@ -61,12 +61,12 @@ public:
   void clear()
   {
     remove_ref(d);
-    d=nullptr;
+    d=NULL;
   }
 
   const T &read() const
   {
-    if(d==nullptr)
+    if(d==NULL)
       return T::blank;
     return *d;
   }
@@ -104,7 +104,7 @@ protected:
 
     remove_ref(d);
     d=other.d;
-    if(d!=nullptr)
+    if(d!=NULL)
       d->ref_count++;
   }
 
@@ -118,7 +118,7 @@ public:
 template
 void reference_counting::remove_ref(dt *old_d)
 {
-  if(old_d==nullptr)
+  if(old_d==NULL)
     return;
 
   assert(old_d->ref_count!=0);
@@ -151,7 +151,7 @@ void reference_counting::detatch()
   std::cout << "DETATCH1: " << d << '\n';
   #endif
 
-  if(d==nullptr)
+  if(d==NULL)
   {
     d=new dt;
 
diff --git a/src/util/run.cpp b/src/util/run.cpp
index c01aff35bd..164cac834d 100644
--- a/src/util/run.cpp
+++ b/src/util/run.cpp
@@ -117,13 +117,13 @@ int run(
     {
       // resume signals
       remove_signal_catcher();
-      sigprocmask(SIG_SETMASK, &old_mask, nullptr);
+      sigprocmask(SIG_SETMASK, &old_mask, NULL);
 
       char **_argv=new char * [argv.size()+1];
       for(std::size_t i=0; i &s)
 
 const char **narrow_argv(int argc, const wchar_t **argv_wide)
 {
-  if(argv_wide==nullptr)
-    return nullptr;
+  if(argv_wide==NULL)
+    return NULL;
 
   // the following never gets deleted
   const char **argv_narrow=new const char *[argc+1];
-  argv_narrow[argc]=nullptr;
+  argv_narrow[argc]=0;
 
   for(int i=0; i
Date: Mon, 24 Jul 2017 17:55:07 +0100
Subject: [PATCH 86/89] Fix nullptr usage, ignoring miniz and big-int

---
 src/analyses/goto_check.cpp                   |  2 +-
 src/analyses/goto_rw.cpp                      |  8 ++++----
 src/analyses/goto_rw.h                        |  4 ++--
 src/analyses/invariant_set.cpp                |  6 +++---
 src/analyses/invariant_set.h                  |  6 +++---
 src/analyses/local_may_alias.h                |  4 ++--
 src/analyses/reaching_definitions.cpp         |  4 ++--
 src/analyses/reaching_definitions.h           | 10 +++++-----
 src/ansi-c/c_preprocess.cpp                   |  6 +++---
 src/ansi-c/cprover_library.cpp                |  2 +-
 src/ansi-c/expr2c.cpp                         |  2 +-
 src/cbmc/cbmc_parse_options.cpp               |  4 ++--
 src/clobber/clobber_parse_options.cpp         |  2 +-
 src/cpp/cpp_id.cpp                            |  2 +-
 src/cpp/cpp_id.h                              |  2 +-
 src/cpp/cpp_instantiate_template.cpp          |  6 +++---
 src/cpp/cpp_language.cpp                      |  2 +-
 src/cpp/cpp_typecheck_compound_type.cpp       |  2 +-
 src/cpp/cpp_typecheck_expr.cpp                |  2 +-
 src/cpp/cpp_typecheck_resolve.cpp             |  4 ++--
 src/cpp/cpp_typecheck_template.cpp            |  4 ++--
 src/cpp/parse.cpp                             |  4 ++--
 src/goto-cc/armcc_cmdline.cpp                 |  6 +++---
 src/goto-cc/as86_cmdline.cpp                  | 10 +++++-----
 src/goto-cc/as_cmdline.cpp                    | 10 +++++-----
 src/goto-cc/bcc_cmdline.cpp                   | 10 +++++-----
 src/goto-cc/compile.cpp                       |  4 ++--
 src/goto-cc/gcc_cmdline.cpp                   | 20 +++++++++----------
 src/goto-cc/goto_cc_cmdline.cpp               |  4 ++--
 src/goto-cc/goto_cc_main.cpp                  |  2 +-
 src/goto-cc/ld_cmdline.cpp                    | 12 +++++------
 src/goto-cc/ms_cl_cmdline.cpp                 | 14 ++++++-------
 src/goto-instrument/dump_c.cpp                | 10 +++++-----
 src/goto-instrument/model_argc_argv.cpp       |  2 +-
 src/goto-instrument/wmm/cycle_collection.cpp  |  2 +-
 src/goto-instrument/wmm/goto2graph.cpp        |  2 +-
 src/goto-programs/initialize_goto_model.cpp   |  2 +-
 src/goto-programs/interpreter.cpp             |  2 +-
 src/goto-programs/show_symbol_table.cpp       |  2 +-
 src/goto-symex/goto_symex_state.cpp           | 10 +++++-----
 src/goto-symex/slice_by_trace.cpp             |  6 +++---
 src/goto-symex/symex_dereference_state.cpp    |  4 ++--
 src/goto-symex/symex_function_call.cpp        |  2 +-
 src/goto-symex/symex_main.cpp                 |  2 +-
 .../java_bytecode_convert_method.cpp          |  2 +-
 src/java_bytecode/java_bytecode_parser.cpp    |  2 +-
 .../java_local_variable_table.cpp             |  2 +-
 src/langapi/language_ui.cpp                   |  4 ++--
 src/langapi/language_util.cpp                 |  2 +-
 src/langapi/mode.cpp                          |  8 ++++----
 src/path-symex/path_symex_history.h           |  8 ++++----
 src/path-symex/path_symex_state_read.cpp      |  4 ++--
 src/path-symex/var_map.cpp                    |  2 +-
 src/pointer-analysis/value_set_fi.cpp         |  6 +++---
 src/pointer-analysis/value_set_fivr.cpp       |  6 +++---
 src/pointer-analysis/value_set_fivrns.cpp     |  6 +++---
 src/solvers/miniBDD/miniBDD.h                 |  2 +-
 src/solvers/miniBDD/miniBDD.inc               |  4 ++--
 src/solvers/sat/pbs_dimacs_cnf.cpp            | 12 +++++------
 src/util/config.cpp                           |  4 ++--
 src/util/file_util.cpp                        |  6 +++---
 src/util/invariant.cpp                        |  2 +-
 src/util/irep_ids.cpp                         |  4 ++--
 src/util/language_file.cpp                    |  4 ++--
 src/util/language_file.h                      |  2 +-
 src/util/message.h                            |  2 +-
 src/util/namespace.cpp                        |  8 ++++----
 src/util/namespace.h                          |  6 +++---
 src/util/parser.h                             |  2 +-
 src/util/pipe_stream.cpp                      |  8 ++++----
 src/util/ref_expr_set.h                       |  6 +++---
 src/util/reference_counting.h                 | 16 +++++++--------
 src/util/run.cpp                              |  8 ++++----
 src/util/signal_catcher.cpp                   |  4 ++--
 src/util/tempdir.cpp                          |  2 +-
 src/util/tempfile.cpp                         |  2 +-
 src/util/unicode.cpp                          |  6 +++---
 77 files changed, 194 insertions(+), 194 deletions(-)

diff --git a/src/analyses/goto_check.cpp b/src/analyses/goto_check.cpp
index 8fe596d926..be4edbf288 100644
--- a/src/analyses/goto_check.cpp
+++ b/src/analyses/goto_check.cpp
@@ -37,7 +37,7 @@ public:
     const namespacet &_ns,
     const optionst &_options):
     ns(_ns),
-    local_bitvector_analysis(0)
+    local_bitvector_analysis(nullptr)
   {
     enable_bounds_check=_options.get_bool_option("bounds-check");
     enable_pointer_check=_options.get_bool_option("pointer-check");
diff --git a/src/analyses/goto_rw.cpp b/src/analyses/goto_rw.cpp
index be3ef3e0a8..36c2bf8c95 100644
--- a/src/analyses/goto_rw.cpp
+++ b/src/analyses/goto_rw.cpp
@@ -463,9 +463,9 @@ void rw_range_sett::add(
 {
   objectst::iterator entry=(mode==get_modet::LHS_W ? w_range_set : r_range_set).
     insert(
-      std::pair(identifier, 0)).first;
+      std::pair(identifier, nullptr)).first;
 
-  if(entry->second==0)
+  if(entry->second==nullptr)
     entry->second=new range_domaint();
 
   static_cast(entry->second)->push_back(
@@ -663,9 +663,9 @@ void rw_guarded_range_set_value_sett::add(
 {
   objectst::iterator entry=(mode==get_modet::LHS_W ? w_range_set : r_range_set).
     insert(
-      std::pair(identifier, 0)).first;
+      std::pair(identifier, nullptr)).first;
 
-  if(entry->second==0)
+  if(entry->second==nullptr)
     entry->second=new guarded_range_domaint();
 
   static_cast(entry->second)->insert(
diff --git a/src/analyses/goto_rw.h b/src/analyses/goto_rw.h
index 06b7a7ab41..60dfe5ca6f 100644
--- a/src/analyses/goto_rw.h
+++ b/src/analyses/goto_rw.h
@@ -108,7 +108,7 @@ public:
 
   const range_domaint &get_ranges(objectst::const_iterator it) const
   {
-    assert(dynamic_cast(it->second)!=0);
+    assert(dynamic_cast(it->second)!=nullptr);
     return *static_cast(it->second);
   }
 
@@ -277,7 +277,7 @@ public:
 
   const guarded_range_domaint &get_ranges(objectst::const_iterator it) const
   {
-    assert(dynamic_cast(it->second)!=0);
+    assert(dynamic_cast(it->second)!=nullptr);
     return *static_cast(it->second);
   }
 
diff --git a/src/analyses/invariant_set.cpp b/src/analyses/invariant_set.cpp
index 6127abdd57..550c39d3ab 100644
--- a/src/analyses/invariant_set.cpp
+++ b/src/analyses/invariant_set.cpp
@@ -144,7 +144,7 @@ bool invariant_sett::get_object(
   const exprt &expr,
   unsigned &n) const
 {
-  assert(object_store!=NULL);
+  assert(object_store!=nullptr);
   return object_store->get(expr, n);
 }
 
@@ -315,7 +315,7 @@ void invariant_sett::output(
     return;
   }
 
-  assert(object_store!=NULL);
+  assert(object_store!=nullptr);
 
   for(unsigned i=0; ito_string(a, identifier);
 }
 
diff --git a/src/analyses/invariant_set.h b/src/analyses/invariant_set.h
index 6bb40bd3e9..b65ce7897f 100644
--- a/src/analyses/invariant_set.h
+++ b/src/analyses/invariant_set.h
@@ -98,9 +98,9 @@ public:
   invariant_sett():
     threaded(false),
     is_false(false),
-    value_sets(NULL),
-    object_store(NULL),
-    ns(NULL)
+    value_sets(nullptr),
+    object_store(nullptr),
+    ns(nullptr)
   {
   }
 
diff --git a/src/analyses/local_may_alias.h b/src/analyses/local_may_alias.h
index b54cf4e9e8..c9c7680368 100644
--- a/src/analyses/local_may_alias.h
+++ b/src/analyses/local_may_alias.h
@@ -94,7 +94,7 @@ protected:
 class local_may_alias_factoryt
 {
 public:
-  local_may_alias_factoryt():goto_functions(NULL)
+  local_may_alias_factoryt():goto_functions(nullptr)
   {
   }
 
@@ -109,7 +109,7 @@ public:
 
   local_may_aliast &operator()(const irep_idt &fkt)
   {
-    assert(goto_functions!=NULL);
+    assert(goto_functions!=nullptr);
     fkt_mapt::iterator f_it=fkt_map.find(fkt);
     if(f_it!=fkt_map.end())
       return *f_it->second;
diff --git a/src/analyses/reaching_definitions.cpp b/src/analyses/reaching_definitions.cpp
index 0e0462c3c8..b001261a69 100644
--- a/src/analyses/reaching_definitions.cpp
+++ b/src/analyses/reaching_definitions.cpp
@@ -51,7 +51,7 @@ void rd_range_domaint::transform(
 {
   reaching_definitions_analysist *rd=
     dynamic_cast(&ai);
-  assert(rd!=0);
+  assert(rd!=nullptr);
 
   assert(bv_container);
 
@@ -298,7 +298,7 @@ void rd_range_domaint::transform_assign(
     const symbolt *symbol_ptr;
     if(ns.lookup(identifier, symbol_ptr))
       continue;
-    assert(symbol_ptr!=0);
+    assert(symbol_ptr!=nullptr);
 
     const range_domaint &ranges=rw_set.get_ranges(it);
 
diff --git a/src/analyses/reaching_definitions.h b/src/analyses/reaching_definitions.h
index e5f0d5f12b..462b8c1d45 100644
--- a/src/analyses/reaching_definitions.h
+++ b/src/analyses/reaching_definitions.h
@@ -102,7 +102,7 @@ public:
   rd_range_domaint():
     ai_domain_baset(),
     has_values(false),
-    bv_container(0)
+    bv_container(nullptr)
   {
   }
 
@@ -243,9 +243,9 @@ public:
   explicit reaching_definitions_analysist(const namespacet &_ns):
     concurrency_aware_ait(),
     ns(_ns),
-    value_sets(0),
-    is_threaded(0),
-    is_dirty(0)
+    value_sets(nullptr),
+    is_threaded(nullptr),
+    is_dirty(nullptr)
   {
   }
 
@@ -259,7 +259,7 @@ public:
     statet &s=concurrency_aware_ait::get_state(l);
 
     rd_range_domaint *rd_state=dynamic_cast(&s);
-    assert(rd_state!=0);
+    assert(rd_state!=nullptr);
 
     rd_state->set_bitvector_container(*this);
 
diff --git a/src/ansi-c/c_preprocess.cpp b/src/ansi-c/c_preprocess.cpp
index 6ba8e6f359..927a928b18 100644
--- a/src/ansi-c/c_preprocess.cpp
+++ b/src/ansi-c/c_preprocess.cpp
@@ -344,7 +344,7 @@ bool c_preprocess(
 static bool is_dot_i_file(const std::string &path)
 {
   const char *ext=strrchr(path.c_str(), '.');
-  if(ext==NULL)
+  if(ext==nullptr)
     return false;
   if(std::string(ext)==".i" ||
      std::string(ext)==".ii")
@@ -889,7 +889,7 @@ bool c_preprocess_gcc_clang(
 
   FILE *stream=popen(command.c_str(), "r");
 
-  if(stream!=NULL)
+  if(stream!=nullptr)
   {
     int ch;
     while((ch=fgetc(stream))!=EOF)
@@ -1011,7 +1011,7 @@ bool c_preprocess_arm(
 
   FILE *stream=popen(command.c_str(), "r");
 
-  if(stream!=NULL)
+  if(stream!=nullptr)
   {
     int ch;
     while((ch=fgetc(stream))!=EOF)
diff --git a/src/ansi-c/cprover_library.cpp b/src/ansi-c/cprover_library.cpp
index 8f99f987bf..f13e321d75 100644
--- a/src/ansi-c/cprover_library.cpp
+++ b/src/ansi-c/cprover_library.cpp
@@ -38,7 +38,7 @@ std::string get_cprover_library_text(
   std::size_t count=0;
 
   for(cprover_library_entryt *e=cprover_library;
-      e->function!=NULL;
+      e->function!=nullptr;
       e++)
   {
     irep_idt id=e->function;
diff --git a/src/ansi-c/expr2c.cpp b/src/ansi-c/expr2c.cpp
index 9c980cc842..d1dbf3bb6b 100644
--- a/src/ansi-c/expr2c.cpp
+++ b/src/ansi-c/expr2c.cpp
@@ -2664,7 +2664,7 @@ std::string expr2ct::convert_code_decl(
 
   std::string dest=indent_str(indent);
 
-  const symbolt *symbol=0;
+  const symbolt *symbol=nullptr;
   if(!ns.lookup(to_symbol_expr(src.op0()).get_identifier(), symbol))
   {
     if(symbol->is_file_local &&
diff --git a/src/cbmc/cbmc_parse_options.cpp b/src/cbmc/cbmc_parse_options.cpp
index 2943d9a18d..2e21dae825 100644
--- a/src/cbmc/cbmc_parse_options.cpp
+++ b/src/cbmc/cbmc_parse_options.cpp
@@ -569,7 +569,7 @@ int cbmc_parse_optionst::get_goto_program(
 
       languaget *language=get_language_from_filename(filename);
 
-      if(language==NULL)
+      if(language==nullptr)
       {
         error() << "failed to figure out type of file `"
                 <<  filename << "'" << eom;
@@ -718,7 +718,7 @@ void cbmc_parse_optionst::preprocessing()
 
     languaget *ptr=get_language_from_filename(filename);
 
-    if(ptr==NULL)
+    if(ptr==nullptr)
     {
       error() << "failed to figure out type of file" << eom;
       return;
diff --git a/src/clobber/clobber_parse_options.cpp b/src/clobber/clobber_parse_options.cpp
index 36cc3e49ab..8c2b2dc1f5 100644
--- a/src/clobber/clobber_parse_options.cpp
+++ b/src/clobber/clobber_parse_options.cpp
@@ -250,7 +250,7 @@ bool clobber_parse_optionst::get_goto_program(
 
       languaget *language=get_language_from_filename(filename);
 
-      if(language==NULL)
+      if(language==nullptr)
       {
         error() << "failed to figure out type of file `" <<  filename << "'"
                 << eom;
diff --git a/src/cpp/cpp_id.cpp b/src/cpp/cpp_id.cpp
index e6c13ca4cf..edcc139ce4 100644
--- a/src/cpp/cpp_id.cpp
+++ b/src/cpp/cpp_id.cpp
@@ -24,7 +24,7 @@ cpp_idt::cpp_idt():
   id_class(id_classt::UNKNOWN),
   this_expr(static_cast(get_nil_irep())),
   compound_counter(0),
-  parent(NULL)
+  parent(nullptr)
 {
 }
 
diff --git a/src/cpp/cpp_id.h b/src/cpp/cpp_id.h
index f7fe339cc1..1ba4649334 100644
--- a/src/cpp/cpp_id.h
+++ b/src/cpp/cpp_id.h
@@ -81,7 +81,7 @@ public:
 
   cpp_idt &get_parent() const
   {
-    assert(parent!=NULL);
+    assert(parent!=nullptr);
     return *parent;
   }
 
diff --git a/src/cpp/cpp_instantiate_template.cpp b/src/cpp/cpp_instantiate_template.cpp
index c28fe5ca54..27c8e2c9a3 100644
--- a/src/cpp/cpp_instantiate_template.cpp
+++ b/src/cpp/cpp_instantiate_template.cpp
@@ -130,7 +130,7 @@ const symbolt &cpp_typecheckt::class_template_symbol(
   cpp_scopet *template_scope=
     static_cast(cpp_scopes.id_map[template_symbol.name]);
 
-  assert(template_scope!=NULL);
+  assert(template_scope!=nullptr);
 
   irep_idt identifier=
     id2string(template_scope->prefix)+
@@ -276,7 +276,7 @@ const symbolt &cpp_typecheckt::instantiate_template(
   cpp_scopet *template_scope=
     static_cast(cpp_scopes.id_map[template_symbol.name]);
 
-  if(template_scope==NULL)
+  if(template_scope==nullptr)
   {
     error().source_location=source_location;
     error() << "identifier: " << template_symbol.name << '\n'
@@ -284,7 +284,7 @@ const symbolt &cpp_typecheckt::instantiate_template(
     throw 0;
   }
 
-  assert(template_scope!=NULL);
+  assert(template_scope!=nullptr);
 
   // produce new declaration
   cpp_declarationt new_decl=to_cpp_declaration(template_symbol.type);
diff --git a/src/cpp/cpp_language.cpp b/src/cpp/cpp_language.cpp
index 59e538265c..c8b7f99965 100644
--- a/src/cpp/cpp_language.cpp
+++ b/src/cpp/cpp_language.cpp
@@ -65,7 +65,7 @@ bool cpp_languaget::preprocess(
   // check extension
 
   const char *ext=strrchr(path.c_str(), '.');
-  if(ext!=NULL && std::string(ext)==".ipp")
+  if(ext!=nullptr && std::string(ext)==".ipp")
   {
     std::ifstream infile(path);
 
diff --git a/src/cpp/cpp_typecheck_compound_type.cpp b/src/cpp/cpp_typecheck_compound_type.cpp
index 36d2a2e70b..39f229bfbe 100644
--- a/src/cpp/cpp_typecheck_compound_type.cpp
+++ b/src/cpp/cpp_typecheck_compound_type.cpp
@@ -110,7 +110,7 @@ void cpp_typecheckt::typecheck_compound_type(
   // get the tag name
   bool has_tag=type.find(ID_tag).is_not_nil();
   irep_idt base_name;
-  cpp_scopet *dest_scope=NULL;
+  cpp_scopet *dest_scope=nullptr;
   bool has_body=type.find(ID_body).is_not_nil();
   bool tag_only_declaration=type.get_bool(ID_C_tag_only_declaration);
 
diff --git a/src/cpp/cpp_typecheck_expr.cpp b/src/cpp/cpp_typecheck_expr.cpp
index 87f15a16a3..88b2646148 100644
--- a/src/cpp/cpp_typecheck_expr.cpp
+++ b/src/cpp/cpp_typecheck_expr.cpp
@@ -471,7 +471,7 @@ struct operator_entryt
   { ID_notequal, "!=" },
   { ID_dereference, "*" },
   { ID_ptrmember, "->" },
-  { irep_idt(), NULL }
+  { irep_idt(), nullptr }
 };
 
 bool cpp_typecheckt::operator_is_overloaded(exprt &expr)
diff --git a/src/cpp/cpp_typecheck_resolve.cpp b/src/cpp/cpp_typecheck_resolve.cpp
index 28d42e6af6..d8e0e8c3d9 100644
--- a/src/cpp/cpp_typecheck_resolve.cpp
+++ b/src/cpp/cpp_typecheck_resolve.cpp
@@ -1117,7 +1117,7 @@ symbol_typet cpp_typecheck_resolvet::disambiguate_template_classes(
       static_cast(
         cpp_typecheck.cpp_scopes.id_map[id]);
 
-    if(template_scope==NULL)
+    if(template_scope==nullptr)
     {
       cpp_typecheck.error().source_location=source_location;
       cpp_typecheck.error() << "template identifier: " << id << '\n'
@@ -1959,7 +1959,7 @@ exprt cpp_typecheck_resolvet::guess_function_template_args(
     static_cast(
       cpp_typecheck.cpp_scopes.id_map[template_identifier]);
 
-  if(template_scope==NULL)
+  if(template_scope==nullptr)
   {
     cpp_typecheck.error().source_location=source_location;
     cpp_typecheck.error() << "template identifier: "
diff --git a/src/cpp/cpp_typecheck_template.cpp b/src/cpp/cpp_typecheck_template.cpp
index 47ebd7f006..5837a5706a 100644
--- a/src/cpp/cpp_typecheck_template.cpp
+++ b/src/cpp/cpp_typecheck_template.cpp
@@ -910,7 +910,7 @@ cpp_template_args_tct cpp_typecheckt::typecheck_template_args(
       // these need to be typechecked in the scope of the template,
       // not in the current scope!
       cpp_idt *template_scope=cpp_scopes.id_map[template_symbol.name];
-      assert(template_scope!=NULL);
+      assert(template_scope!=nullptr);
       cpp_scopes.go_to(*template_scope);
     }
 
@@ -960,7 +960,7 @@ cpp_template_args_tct cpp_typecheckt::typecheck_template_args(
       {
         cpp_save_scopet cpp_saved_scope(cpp_scopes);
         cpp_idt *template_scope=cpp_scopes.id_map[template_symbol.name];
-        assert(template_scope!=NULL);
+        assert(template_scope!=nullptr);
         cpp_scopes.go_to(*template_scope);
         typecheck_type(type);
       }
diff --git a/src/cpp/parse.cpp b/src/cpp/parse.cpp
index 87e9ad099d..d0c2e01ecf 100644
--- a/src/cpp/parse.cpp
+++ b/src/cpp/parse.cpp
@@ -48,7 +48,7 @@ struct indenter // NOLINT(readability/identifiers)
 class new_scopet
 {
 public:
-  new_scopet():kind(kindt::NONE), anon_count(0), parent(NULL)
+  new_scopet():kind(kindt::NONE), anon_count(0), parent(nullptr)
   {
   }
 
@@ -155,7 +155,7 @@ public:
 
   std::string full_name() const
   {
-    return (parent==NULL?"":(parent->full_name()+"::"))+
+    return (parent==nullptr?"":(parent->full_name()+"::"))+
            id2string(id);
   }
 
diff --git a/src/goto-cc/armcc_cmdline.cpp b/src/goto-cc/armcc_cmdline.cpp
index 9cb3fccfd0..d0a16ac95a 100644
--- a/src/goto-cc/armcc_cmdline.cpp
+++ b/src/goto-cc/armcc_cmdline.cpp
@@ -192,7 +192,7 @@ static const char *options_no_arg[]=
   "--translate_gcc",
   "--translate_gld",
   "-W",
-  NULL
+  nullptr
 };
 
 static const char *options_with_prefix[]=
@@ -242,7 +242,7 @@ static const char *options_with_prefix[]=
   "--configure_cpp_headers=",
   "--configure_extra_includes=",
   "--configure_extra_libraries=",
-  NULL
+  nullptr
 };
 
 static const char *options_with_arg[]=
@@ -262,7 +262,7 @@ static const char *options_with_arg[]=
   "-o",
   "--cpu",
   "--apcs",
-  NULL
+  nullptr
 };
 
 bool armcc_cmdlinet::parse(int argc, const char **argv)
diff --git a/src/goto-cc/as86_cmdline.cpp b/src/goto-cc/as86_cmdline.cpp
index e60f0152bc..dce3deecf2 100644
--- a/src/goto-cc/as86_cmdline.cpp
+++ b/src/goto-cc/as86_cmdline.cpp
@@ -23,7 +23,7 @@ const char *goto_as86_options_with_argument[]=
   "--function",
   "--native-assembler",
   "--print-rejected-preprocessed-source",
-  NULL
+  nullptr
 };
 
 const char *as86_options_without_argument[]=
@@ -40,7 +40,7 @@ const char *as86_options_without_argument[]=
   "-u-", // both -u and -u- seem to be accepted
   "-v",
   "-w-",
-  NULL
+  nullptr
 };
 
 const char *as86_options_with_argument[]=
@@ -52,7 +52,7 @@ const char *as86_options_with_argument[]=
   "-b",
   "-s",
   "-t",
-  NULL
+  nullptr
 };
 
 bool as86_cmdlinet::parse(int argc, const char **argv)
@@ -75,7 +75,7 @@ bool as86_cmdlinet::parse(int argc, const char **argv)
 
     // separated only, and also allow concatenation with "="
     for(const char **o=goto_as86_options_with_argument;
-        *o!=NULL && !found;
+        *o!=nullptr && !found;
         ++o)
     {
       std::string os(*o);
@@ -113,7 +113,7 @@ bool as86_cmdlinet::parse(int argc, const char **argv)
     }
 
     for(const char **o=as86_options_with_argument;
-        *o!=NULL && !found;
+        *o!=nullptr && !found;
         ++o)
     {
       std::string os(*o);
diff --git a/src/goto-cc/as_cmdline.cpp b/src/goto-cc/as_cmdline.cpp
index 172b281458..2c22cfc70d 100644
--- a/src/goto-cc/as_cmdline.cpp
+++ b/src/goto-cc/as_cmdline.cpp
@@ -23,7 +23,7 @@ const char *goto_as_options_with_argument[]=
   "--function",
   "--native-assembler",
   "--print-rejected-preprocessed-source",
-  NULL
+  nullptr
 };
 
 const char *as_options_without_argument[]=
@@ -59,7 +59,7 @@ const char *as_options_without_argument[]=
   "--32", // i386
   "--64", // i386
   "-n", // i386
-  NULL
+  nullptr
 };
 
 const char *as_options_with_argument[]=
@@ -74,7 +74,7 @@ const char *as_options_with_argument[]=
   "-o",
   "-march", // i386
   "-mtune", // i386
-  NULL
+  nullptr
 };
 
 bool as_cmdlinet::parse(int argc, const char **argv)
@@ -104,7 +104,7 @@ bool as_cmdlinet::parse(int argc, const char **argv)
 
     // separated only, and also allow concatenation with "="
     for(const char **o=goto_as_options_with_argument;
-        *o!=NULL && !found;
+        *o!=nullptr && !found;
         ++o)
     {
       std::string os(*o);
@@ -170,7 +170,7 @@ bool as_cmdlinet::parse(int argc, const char **argv)
     }
 
     for(const char **o=as_options_with_argument;
-        *o!=NULL && !found;
+        *o!=nullptr && !found;
         ++o)
     {
       std::string os(*o);
diff --git a/src/goto-cc/bcc_cmdline.cpp b/src/goto-cc/bcc_cmdline.cpp
index c4cbbc80b3..f4c0626b14 100644
--- a/src/goto-cc/bcc_cmdline.cpp
+++ b/src/goto-cc/bcc_cmdline.cpp
@@ -24,7 +24,7 @@ const char *goto_bcc_options_with_argument[]=
   "--native-compiler",
   "--native-linker",
   "--print-rejected-preprocessed-source",
-  NULL
+  nullptr
 };
 
 const char *bcc_options_without_argument[]=
@@ -46,7 +46,7 @@ const char *bcc_options_without_argument[]=
   "-x",
   "-W",
   "-ansi",
-  NULL
+  nullptr
 };
 
 const char *bcc_options_with_argument[]=
@@ -64,7 +64,7 @@ const char *bcc_options_with_argument[]=
   "-T",
   "-Q",
   "-t",
-  NULL
+  nullptr
 };
 
 bool bcc_cmdlinet::parse(int argc, const char **argv)
@@ -87,7 +87,7 @@ bool bcc_cmdlinet::parse(int argc, const char **argv)
 
     // separated only, and also allow concatenation with "="
     for(const char **o=goto_bcc_options_with_argument;
-        *o!=NULL && !found;
+        *o!=nullptr && !found;
         ++o)
     {
       std::string os(*o);
@@ -125,7 +125,7 @@ bool bcc_cmdlinet::parse(int argc, const char **argv)
     }
 
     for(const char **o=bcc_options_with_argument;
-        *o!=NULL && !found;
+        *o!=nullptr && !found;
         ++o)
     {
       std::string os(*o);
diff --git a/src/goto-cc/compile.cpp b/src/goto-cc/compile.cpp
index 96b76260e9..d5dcf8b570 100644
--- a/src/goto-cc/compile.cpp
+++ b/src/goto-cc/compile.cpp
@@ -232,7 +232,7 @@ bool compilet::add_input_file(const std::string &file_name)
 
     stream=popen(cmd.str().c_str(), "r");
 
-    if(stream!=NULL)
+    if(stream!=nullptr)
     {
       std::string line;
       int ch; // fgetc returns an int, not char
@@ -472,7 +472,7 @@ bool compilet::parse(const std::string &file_name)
   else
     languagep=get_language_from_filename(file_name);
 
-  if(languagep==NULL)
+  if(languagep==nullptr)
   {
     error() << "failed to figure out type of file `" << file_name << "'" << eom;
     return true;
diff --git a/src/goto-cc/gcc_cmdline.cpp b/src/goto-cc/gcc_cmdline.cpp
index c5b4057ed1..e4b2bb1ddb 100644
--- a/src/goto-cc/gcc_cmdline.cpp
+++ b/src/goto-cc/gcc_cmdline.cpp
@@ -29,7 +29,7 @@ const char *goto_cc_options_with_separated_argument[]=
   "--native-compiler",
   "--native-linker",
   "--print-rejected-preprocessed-source",
-  NULL
+  nullptr
 };
 
 // non-gcc options
@@ -52,7 +52,7 @@ const char *goto_cc_options_without_argument[]=
   "--no-arch",
   "--partial-inlining",
   "-?",
-  NULL
+  nullptr
 };
 
 // separated or concatenated
@@ -75,7 +75,7 @@ const char *gcc_options_with_argument[]=
   "-U",
   "-u", // goes to linker
   "-T", // goes to linker
-  NULL
+  nullptr
 };
 
 const char *gcc_options_with_separated_argument[]=
@@ -107,7 +107,7 @@ const char *gcc_options_with_separated_argument[]=
   "-current_version", // on the Mac
   "-compatibility_version",  // on the Mac
   "-z",
-  NULL
+  nullptr
 };
 
 const char *gcc_options_with_concatenated_argument[]=
@@ -115,7 +115,7 @@ const char *gcc_options_with_concatenated_argument[]=
   "-d",
   "-g",
   "-A",
-  NULL
+  nullptr
 };
 
 const char *gcc_options_without_argument[]=
@@ -209,7 +209,7 @@ const char *gcc_options_without_argument[]=
   "-EB",
   "-EL",
   "-fast", // Apple only
-  NULL
+  nullptr
 };
 
 bool gcc_cmdlinet::parse(int argc, const char **argv)
@@ -282,7 +282,7 @@ bool gcc_cmdlinet::parse_arguments(
 
       // separated only, and also allow concatenation with "="
       for(const char **o=goto_cc_options_with_separated_argument;
-          *o!=NULL && !found;
+          *o!=nullptr && !found;
           ++o)
       {
         if(argv_i==*o) // separated
@@ -354,7 +354,7 @@ bool gcc_cmdlinet::parse_arguments(
 
       // separated only, and also allow concatenation with "="
       for(const char **o=gcc_options_with_separated_argument;
-          *o!=NULL && !found;
+          *o!=nullptr && !found;
           ++o)
       {
         if(argv_i==*o) // separated
@@ -380,7 +380,7 @@ bool gcc_cmdlinet::parse_arguments(
 
       // concatenated _or_ separated, e.g., -I
       for(const char **o=gcc_options_with_argument;
-          *o!=NULL && !found;
+          *o!=nullptr && !found;
           ++o)
       {
         if(argv_i==*o) // separated
@@ -405,7 +405,7 @@ bool gcc_cmdlinet::parse_arguments(
 
       // concatenated only
       for(const char **o=gcc_options_with_concatenated_argument;
-          *o!=NULL && !found;
+          *o!=nullptr && !found;
           ++o)
       {
         if(has_prefix(argv_i, *o)) // concatenated
diff --git a/src/goto-cc/goto_cc_cmdline.cpp b/src/goto-cc/goto_cc_cmdline.cpp
index 71bb06f816..cb030366e3 100644
--- a/src/goto-cc/goto_cc_cmdline.cpp
+++ b/src/goto-cc/goto_cc_cmdline.cpp
@@ -29,7 +29,7 @@ goto_cc_cmdlinet::~goto_cc_cmdlinet()
 
 bool goto_cc_cmdlinet::in_list(const char *option, const char **list)
 {
-  for(std::size_t i=0; list[i]!=NULL; i++)
+  for(std::size_t i=0; list[i]!=nullptr; i++)
   {
     if(strcmp(option, list[i])==0)
       return true;
@@ -43,7 +43,7 @@ bool goto_cc_cmdlinet::prefix_in_list(
   const char **list,
   std::string &prefix)
 {
-  for(std::size_t i=0; list[i]!=NULL; i++)
+  for(std::size_t i=0; list[i]!=nullptr; i++)
   {
     if(strncmp(option, list[i], strlen(list[i]))==0)
     {
diff --git a/src/goto-cc/goto_cc_main.cpp b/src/goto-cc/goto_cc_main.cpp
index ebe885a37a..8d3e422219 100644
--- a/src/goto-cc/goto_cc_main.cpp
+++ b/src/goto-cc/goto_cc_main.cpp
@@ -48,7 +48,7 @@ int main(int argc, const char **argv)
   const char **argv=narrow_argv(argc, argv_wide);
   #endif
 
-  if(argv==NULL || argc<1)
+  if(argv==nullptr || argc<1)
   {
     std::cerr << "failed to determine base name\n";
     return 1;
diff --git a/src/goto-cc/ld_cmdline.cpp b/src/goto-cc/ld_cmdline.cpp
index 1f17dabd10..c77ee68773 100644
--- a/src/goto-cc/ld_cmdline.cpp
+++ b/src/goto-cc/ld_cmdline.cpp
@@ -24,7 +24,7 @@ const char *goto_ld_options_with_argument[]=
   "--verbosity",
   "--native-compiler",
   "--native-linker",
-  NULL
+  nullptr
 };
 
 const char *ld_options_with_argument[]=
@@ -99,7 +99,7 @@ const char *ld_options_with_argument[]=
   "--ios_version_min", // Apple only
   "--macosx_version_min", // Apple only
   "--install_name", // Apple only
-  NULL
+  nullptr
 };
 
 const char *ld_options_without_argument[]=
@@ -233,7 +233,7 @@ const char *ld_options_without_argument[]=
   "--dylib", // Apple only
   "--dylinker", // Apple only
   "--bundle", // Apple only
-  NULL
+  nullptr
 };
 
 bool ld_cmdlinet::parse(int argc, const char **argv)
@@ -262,7 +262,7 @@ bool ld_cmdlinet::parse(int argc, const char **argv)
     bool found=false;
 
     for(const char **o=goto_ld_options_with_argument;
-        *o!=NULL && !found;
+        *o!=nullptr && !found;
         ++o)
     {
       std::string os(*o);
@@ -299,7 +299,7 @@ bool ld_cmdlinet::parse(int argc, const char **argv)
 
     // also store in cmdlinet
 
-    for(const char **o=ld_options_without_argument; *o!=NULL && !found; o++)
+    for(const char **o=ld_options_without_argument; *o!=nullptr && !found; o++)
     {
       std::string os(*o);
       // ld accepts all long options also as short option
@@ -316,7 +316,7 @@ bool ld_cmdlinet::parse(int argc, const char **argv)
     // 2) concatenated with '=' for long options
     // 3) separate
 
-    for(const char **o=ld_options_with_argument; *o!=NULL && !found; o++)
+    for(const char **o=ld_options_with_argument; *o!=nullptr && !found; o++)
     {
       std::string os(*o);
 
diff --git a/src/goto-cc/ms_cl_cmdline.cpp b/src/goto-cc/ms_cl_cmdline.cpp
index ea605ef6d8..cdc9458bb0 100644
--- a/src/goto-cc/ms_cl_cmdline.cpp
+++ b/src/goto-cc/ms_cl_cmdline.cpp
@@ -44,7 +44,7 @@ const char *non_ms_cl_options[]=
   "--partial-inlining",
   "--verbosity",
   "--function",
-  NULL
+  nullptr
 };
 
 bool ms_cl_cmdlinet::parse(const std::vector &options)
@@ -110,7 +110,7 @@ void ms_cl_cmdlinet::parse_env()
 
   const char *CL_env=getenv("CL");
 
-  if(CL_env!=NULL)
+  if(CL_env!=nullptr)
     process_response_file_line(CL_env);
 
   #endif
@@ -275,7 +275,7 @@ void ms_cl_cmdlinet::process_non_cl_option(
 {
   set(s);
 
-  for(unsigned j=0; non_ms_cl_options[j]!=NULL; j++)
+  for(unsigned j=0; non_ms_cl_options[j]!=nullptr; j++)
     if(s==non_ms_cl_options[j])
       return;
 
@@ -288,7 +288,7 @@ void ms_cl_cmdlinet::process_non_cl_option(
 const char *ms_cl_flags[]=
 {
   "c", // compile only
-  NULL
+  nullptr
 };
 
 const char *ms_cl_prefixes[]=
@@ -406,7 +406,7 @@ const char *ms_cl_prefixes[]=
   "MT", //  link with LIBCMT.LIB
   "MDd", //  link with MSVCRTD.LIB debug lib
   "MTd", //  link with LIBCMTD.LIB debug lib
-  NULL
+  nullptr
 };
 
 void ms_cl_cmdlinet::process_cl_option(const std::string &s)
@@ -420,7 +420,7 @@ void ms_cl_cmdlinet::process_cl_option(const std::string &s)
     return;
   }
 
-  for(std::size_t j=0; ms_cl_flags[j]!=NULL; j++)
+  for(std::size_t j=0; ms_cl_flags[j]!=nullptr; j++)
   {
     if(std::string(s, 1, std::string::npos)==ms_cl_flags[j])
     {
@@ -453,7 +453,7 @@ void ms_cl_cmdlinet::process_cl_option(const std::string &s)
     }
   }
 
-  for(std::size_t j=0; ms_cl_prefixes[j]!=NULL; j++)
+  for(std::size_t j=0; ms_cl_prefixes[j]!=nullptr; j++)
   {
     std::string ms_cl_prefix=ms_cl_prefixes[j];
 
diff --git a/src/goto-instrument/dump_c.cpp b/src/goto-instrument/dump_c.cpp
index efa0ac4afc..1020d2021a 100644
--- a/src/goto-instrument/dump_c.cpp
+++ b/src/goto-instrument/dump_c.cpp
@@ -1309,7 +1309,7 @@ static bool find_block_position_rec(
   if(!root.has_operands())
     return false;
 
-  code_blockt *our_dest=0;
+  code_blockt *our_dest=nullptr;
 
   exprt::operandst &operands=root.operands();
   exprt::operandst::iterator first_found=operands.end();
@@ -1400,14 +1400,14 @@ void dump_ct::insert_local_static_decls(
     std::list redundant;
     cleanup_decl(d, redundant, type_decls);
 
-    code_blockt *dest_ptr=0;
+    code_blockt *dest_ptr=nullptr;
     exprt::operandst::iterator before=b.operands().end();
 
     // some use of static variables might be optimised out if it is
     // within an if(false) { ... } block
     if(find_block_position_rec(*it, b, dest_ptr, before))
     {
-      CHECK_RETURN(dest_ptr!=0);
+      CHECK_RETURN(dest_ptr!=nullptr);
       dest_ptr->operands().insert(before, d);
     }
   }
@@ -1437,14 +1437,14 @@ void dump_ct::insert_local_type_decls(
     // another hack to ensure symbols inside types are seen
     skip.type()=type;
 
-    code_blockt *dest_ptr=0;
+    code_blockt *dest_ptr=nullptr;
     exprt::operandst::iterator before=b.operands().end();
 
     // we might not find it in case a transparent union type cast
     // has been removed by cleanup operations
     if(find_block_position_rec(*it, b, dest_ptr, before))
     {
-      CHECK_RETURN(dest_ptr!=0);
+      CHECK_RETURN(dest_ptr!=nullptr);
       dest_ptr->operands().insert(before, skip);
     }
   }
diff --git a/src/goto-instrument/model_argc_argv.cpp b/src/goto-instrument/model_argc_argv.cpp
index bae8010d90..7e01d66e62 100644
--- a/src/goto-instrument/model_argc_argv.cpp
+++ b/src/goto-instrument/model_argc_argv.cpp
@@ -38,7 +38,7 @@ bool model_argc_argv(
   messaget message(message_handler);
   const namespacet ns(symbol_table);
 
-  const symbolt *init_symbol=0;
+  const symbolt *init_symbol=nullptr;
   if(ns.lookup(CPROVER_PREFIX "initialize", init_symbol))
   {
     message.error() << "Linking not done, missing "
diff --git a/src/goto-instrument/wmm/cycle_collection.cpp b/src/goto-instrument/wmm/cycle_collection.cpp
index caef3e7ee7..64b619c436 100644
--- a/src/goto-instrument/wmm/cycle_collection.cpp
+++ b/src/goto-instrument/wmm/cycle_collection.cpp
@@ -56,7 +56,7 @@ void event_grapht::graph_explorert::collect_cycles(
   for(std::size_t i=0; i* order=0;
+  std::list* order=nullptr;
   /* on Power, rfe pairs are also potentially unsafe */
   switch(model)
   {
diff --git a/src/goto-instrument/wmm/goto2graph.cpp b/src/goto-instrument/wmm/goto2graph.cpp
index 7828ac8008..011ef1a36a 100644
--- a/src/goto-instrument/wmm/goto2graph.cpp
+++ b/src/goto-instrument/wmm/goto2graph.cpp
@@ -1198,7 +1198,7 @@ bool instrumentert::is_cfg_spurious(const event_grapht::critical_cyclet &cyc)
     const source_locationt ¤t_location=current_event.source_location;
 
     /* select relevant thread (po) -- or function contained in this thread */
-    goto_programt *current_po=0;
+    goto_programt *current_po=nullptr;
     bool thread_found=false;
 
     Forall_goto_functions(f_it, goto_functions)
diff --git a/src/goto-programs/initialize_goto_model.cpp b/src/goto-programs/initialize_goto_model.cpp
index d284bc403c..eb2b6f8490 100644
--- a/src/goto-programs/initialize_goto_model.cpp
+++ b/src/goto-programs/initialize_goto_model.cpp
@@ -81,7 +81,7 @@ bool initialize_goto_model(
         lf.filename=filename;
         lf.language=get_language_from_filename(filename);
 
-        if(lf.language==NULL)
+        if(lf.language==nullptr)
         {
           source_locationt location;
           location.set_file(filename);
diff --git a/src/goto-programs/interpreter.cpp b/src/goto-programs/interpreter.cpp
index a79910b765..817d04c3a5 100644
--- a/src/goto-programs/interpreter.cpp
+++ b/src/goto-programs/interpreter.cpp
@@ -70,7 +70,7 @@ void interpretert::command()
 {
   #define BUFSIZE 100
   char command[BUFSIZE];
-  if(fgets(command, BUFSIZE-1, stdin)==NULL)
+  if(fgets(command, BUFSIZE-1, stdin)==nullptr)
   {
     done=true;
     return;
diff --git a/src/goto-programs/show_symbol_table.cpp b/src/goto-programs/show_symbol_table.cpp
index 1d5ce87f5a..6a15759f11 100644
--- a/src/goto-programs/show_symbol_table.cpp
+++ b/src/goto-programs/show_symbol_table.cpp
@@ -48,7 +48,7 @@ void show_symbol_table_plain(
     else
     {
       ptr=get_language_from_mode(symbol.mode);
-      if(ptr==NULL)
+      if(ptr==nullptr)
         throw "symbol "+id2string(symbol.name)+" has unknown mode";
     }
 
diff --git a/src/goto-symex/goto_symex_state.cpp b/src/goto-symex/goto_symex_state.cpp
index 6fdf4b54aa..934e8edf71 100644
--- a/src/goto-symex/goto_symex_state.cpp
+++ b/src/goto-symex/goto_symex_state.cpp
@@ -22,10 +22,10 @@ Author: Daniel Kroening, kroening@kroening.com
 
 goto_symex_statet::goto_symex_statet():
   depth(0),
-  symex_target(NULL),
+  symex_target(nullptr),
   atomic_section_id(0),
   record_events(true),
-  dirty(0)
+  dirty(nullptr)
 {
   threads.resize(1);
   new_frame();
@@ -541,7 +541,7 @@ bool goto_symex_statet::l2_thread_read_encoding(
     return false;
 
   // is it a shared object?
-  assert(dirty!=0);
+  assert(dirty!=nullptr);
   const irep_idt &obj_identifier=expr.get_object_name();
   if(obj_identifier=="goto_symex::\\guard" ||
      (!ns.lookup(obj_identifier).is_shared() &&
@@ -666,7 +666,7 @@ bool goto_symex_statet::l2_thread_read_encoding(
   expr=ssa_l1;
 
   // and record that
-  assert(symex_target!=NULL);
+  assert(symex_target!=nullptr);
   symex_target->shared_read(
     guard.as_expr(),
     expr,
@@ -685,7 +685,7 @@ bool goto_symex_statet::l2_thread_write_encoding(
     return false;
 
   // is it a shared object?
-  assert(dirty!=0);
+  assert(dirty!=nullptr);
   const irep_idt &obj_identifier=expr.get_object_name();
   if(obj_identifier=="goto_symex::\\guard" ||
      (!ns.lookup(obj_identifier).is_shared() &&
diff --git a/src/goto-symex/slice_by_trace.cpp b/src/goto-symex/slice_by_trace.cpp
index 80acfa4add..828b457caa 100644
--- a/src/goto-symex/slice_by_trace.cpp
+++ b/src/goto-symex/slice_by_trace.cpp
@@ -187,9 +187,9 @@ void symex_slice_by_tracet::parse_events(std::string read_line)
 {
   if(read_line=="")
     return;
-  bool parity=strstr(read_line.c_str(), "!")==NULL;
-  bool universe=strstr(read_line.c_str(), "?")!=NULL;
-  bool has_values=strstr(read_line.c_str(), " ")!=NULL;
+  bool parity=strstr(read_line.c_str(), "!")==nullptr;
+  bool universe=strstr(read_line.c_str(), "?")!=nullptr;
+  bool has_values=strstr(read_line.c_str(), " ")!=nullptr;
   std::cout << "Trace: " << read_line << '\n';
   std::vector value_v;
   if(has_values)
diff --git a/src/goto-symex/symex_dereference_state.cpp b/src/goto-symex/symex_dereference_state.cpp
index f0e36f5d03..9911ba51e7 100644
--- a/src/goto-symex/symex_dereference_state.cpp
+++ b/src/goto-symex/symex_dereference_state.cpp
@@ -43,7 +43,7 @@ bool symex_dereference_statet::has_failed_symbol(
         !ns.lookup(failed_symbol, symbol))
     {
       symbolt sym=*symbol;
-      symbolt *sym_ptr=0;
+      symbolt *sym_ptr=nullptr;
       symbol_exprt sym_expr=sym.symbol_expr();
       state.rename(sym_expr, ns, goto_symex_statet::L1);
       sym.name=to_ssa_expr(sym_expr).get_identifier();
@@ -64,7 +64,7 @@ bool symex_dereference_statet::has_failed_symbol(
         !ns.lookup(failed_symbol, symbol))
     {
       symbolt sym=*symbol;
-      symbolt *sym_ptr=0;
+      symbolt *sym_ptr=nullptr;
       symbol_exprt sym_expr=sym.symbol_expr();
       state.rename(sym_expr, ns, goto_symex_statet::L1);
       sym.name=to_ssa_expr(sym_expr).get_identifier();
diff --git a/src/goto-symex/symex_function_call.cpp b/src/goto-symex/symex_function_call.cpp
index a71a142b89..06d519e494 100644
--- a/src/goto-symex/symex_function_call.cpp
+++ b/src/goto-symex/symex_function_call.cpp
@@ -139,7 +139,7 @@ void goto_symext::parameter_assignments(
   {
     // These are va_arg arguments; their types may differ from call to call
     unsigned va_count=0;
-    const symbolt *va_sym=0;
+    const symbolt *va_sym=nullptr;
     while(!ns.lookup(
         id2string(function_identifier)+"::va_arg"+std::to_string(va_count),
         va_sym))
diff --git a/src/goto-symex/symex_main.cpp b/src/goto-symex/symex_main.cpp
index b8a1e294f1..4fce789ad3 100644
--- a/src/goto-symex/symex_main.cpp
+++ b/src/goto-symex/symex_main.cpp
@@ -158,7 +158,7 @@ void goto_symext::operator()(
   }
 
   delete state.dirty;
-  state.dirty=0;
+  state.dirty=nullptr;
 }
 
 /// symex starting from given program
diff --git a/src/java_bytecode/java_bytecode_convert_method.cpp b/src/java_bytecode/java_bytecode_convert_method.cpp
index 8a02f4f885..5c2135e8af 100644
--- a/src/java_bytecode/java_bytecode_convert_method.cpp
+++ b/src/java_bytecode/java_bytecode_convert_method.cpp
@@ -406,7 +406,7 @@ void java_bytecode_convert_methodt::convert(
 const bytecode_infot &java_bytecode_convert_methodt::get_bytecode_info(
   const irep_idt &statement)
 {
-  for(const bytecode_infot *p=bytecode_info; p->mnemonic!=0; p++)
+  for(const bytecode_infot *p=bytecode_info; p->mnemonic!=nullptr; p++)
     if(statement==p->mnemonic)
       return *p;
 
diff --git a/src/java_bytecode/java_bytecode_parser.cpp b/src/java_bytecode/java_bytecode_parser.cpp
index 77874da494..d24141b76d 100644
--- a/src/java_bytecode/java_bytecode_parser.cpp
+++ b/src/java_bytecode/java_bytecode_parser.cpp
@@ -99,7 +99,7 @@ protected:
   {
     // pre-hash the mnemonics, so we do this only once
     bytecodes.resize(256);
-    for(const bytecode_infot *p=bytecode_info; p->mnemonic!=0; p++)
+    for(const bytecode_infot *p=bytecode_info; p->mnemonic!=nullptr; p++)
     {
       assert(p->opcodeopcode].mnemonic=p->mnemonic;
diff --git a/src/java_bytecode/java_local_variable_table.cpp b/src/java_bytecode/java_local_variable_table.cpp
index 052b958d05..94d5062fb2 100644
--- a/src/java_bytecode/java_local_variable_table.cpp
+++ b/src/java_bytecode/java_local_variable_table.cpp
@@ -288,7 +288,7 @@ static void populate_predecessor_map(
         auto pred_var=
           (predmode);
 
-  if(ptr==NULL)
+  if(ptr==nullptr)
     throw "symbol `"+id2string(symbol->name)+
       "' has unknown mode '"+id2string(symbol->mode)+"'";
 
diff --git a/src/langapi/mode.cpp b/src/langapi/mode.cpp
index 55c533f949..2c3a852b73 100644
--- a/src/langapi/mode.cpp
+++ b/src/langapi/mode.cpp
@@ -45,7 +45,7 @@ languaget *get_language_from_mode(const irep_idt &mode)
     if(mode==it->mode)
       return it->factory();
 
-  return NULL;
+  return nullptr;
 }
 
 languaget *get_language_from_filename(const std::string &filename)
@@ -53,13 +53,13 @@ languaget *get_language_from_filename(const std::string &filename)
   std::size_t ext_pos=filename.rfind('.');
 
   if(ext_pos==std::string::npos)
-    return NULL;
+    return nullptr;
 
   std::string extension=
     std::string(filename, ext_pos+1, std::string::npos);
 
   if(extension=="")
-    return NULL;
+    return nullptr;
 
   for(languagest::const_iterator
       l_it=languages.begin();
@@ -79,7 +79,7 @@ languaget *get_language_from_filename(const std::string &filename)
     #endif
   }
 
-  return NULL;
+  return nullptr;
 }
 
 languaget *get_default_language()
diff --git a/src/path-symex/path_symex_history.h b/src/path-symex/path_symex_history.h
index 4371e5e26d..e2fbc3273f 100644
--- a/src/path-symex/path_symex_history.h
+++ b/src/path-symex/path_symex_history.h
@@ -35,7 +35,7 @@ public:
   }
 
   path_symex_step_reft():
-    index(std::numeric_limits::max()), history(0)
+    index(std::numeric_limits::max()), history(nullptr)
   {
   }
 
@@ -46,7 +46,7 @@ public:
 
   path_symex_historyt &get_history() const
   {
-    assert(history!=0);
+    assert(history!=nullptr);
     return *history;
   }
 
@@ -154,7 +154,7 @@ public:
 
 inline void path_symex_step_reft::generate_successor()
 {
-  assert(history!=0);
+  assert(history!=nullptr);
   path_symex_step_reft old=*this;
   index=history->step_container.size();
   history->step_container.push_back(path_symex_stept());
@@ -169,7 +169,7 @@ inline path_symex_step_reft &path_symex_step_reft::operator--()
 
 inline path_symex_stept &path_symex_step_reft::get() const
 {
-  assert(history!=0);
+  assert(history!=nullptr);
   assert(!is_nil());
   return history->step_container[index];
 }
diff --git a/src/path-symex/path_symex_state_read.cpp b/src/path-symex/path_symex_state_read.cpp
index a6993c19b0..139b6956a0 100644
--- a/src/path-symex/path_symex_state_read.cpp
+++ b/src/path-symex/path_symex_state_read.cpp
@@ -430,7 +430,7 @@ bool path_symex_statet::is_symbol_member_index(const exprt &src) const
   // the loop avoids recursion
   while(true)
   {
-    const exprt *next=0;
+    const exprt *next=nullptr;
 
     if(current->id()==ID_symbol)
     {
@@ -465,7 +465,7 @@ bool path_symex_statet::is_symbol_member_index(const exprt &src) const
       return false;
 
     // next round
-    assert(next!=0);
+    assert(next!=nullptr);
     current=next;
   }
 }
diff --git a/src/path-symex/var_map.cpp b/src/path-symex/var_map.cpp
index f5dea20a96..96d079c48f 100644
--- a/src/path-symex/var_map.cpp
+++ b/src/path-symex/var_map.cpp
@@ -84,7 +84,7 @@ void var_mapt::init(var_infot &var_info)
     }
     else
     {
-      const symbolt *symbol=0;
+      const symbolt *symbol=nullptr;
       if(ns.lookup(var_info.symbol, symbol))
         throw "var_mapt::init identifier \""
           +id2string(var_info.full_identifier)
diff --git a/src/pointer-analysis/value_set_fi.cpp b/src/pointer-analysis/value_set_fi.cpp
index 77962a3b3b..d08694b82d 100644
--- a/src/pointer-analysis/value_set_fi.cpp
+++ b/src/pointer-analysis/value_set_fi.cpp
@@ -550,18 +550,18 @@ void value_set_fit::get_value_set_rec(
     if(expr.type().id()==ID_pointer)
     {
       // find the pointer operand
-      const exprt *ptr_operand=NULL;
+      const exprt *ptr_operand=nullptr;
 
       forall_operands(it, expr)
         if(it->type().id()==ID_pointer)
         {
-          if(ptr_operand==NULL)
+          if(ptr_operand==nullptr)
             ptr_operand=&(*it);
           else
             throw "more than one pointer operand in pointer arithmetic";
         }
 
-      if(ptr_operand==NULL)
+      if(ptr_operand==nullptr)
         throw "pointer type sum expected to have pointer operand";
 
       object_mapt pointer_expr_set;
diff --git a/src/pointer-analysis/value_set_fivr.cpp b/src/pointer-analysis/value_set_fivr.cpp
index 6bd7e1321e..3ea5ef1aa8 100644
--- a/src/pointer-analysis/value_set_fivr.cpp
+++ b/src/pointer-analysis/value_set_fivr.cpp
@@ -668,18 +668,18 @@ void value_set_fivrt::get_value_set_rec(
     if(expr.type().id()==ID_pointer)
     {
       // find the pointer operand
-      const exprt *ptr_operand=NULL;
+      const exprt *ptr_operand=nullptr;
 
       forall_operands(it, expr)
         if(it->type().id()==ID_pointer)
         {
-          if(ptr_operand==NULL)
+          if(ptr_operand==nullptr)
             ptr_operand=&(*it);
           else
             throw "more than one pointer operand in pointer arithmetic";
         }
 
-      if(ptr_operand==NULL)
+      if(ptr_operand==nullptr)
         throw "pointer type sum expected to have pointer operand";
 
       object_mapt pointer_expr_set;
diff --git a/src/pointer-analysis/value_set_fivrns.cpp b/src/pointer-analysis/value_set_fivrns.cpp
index 0eaf08b201..3b5ce55a3a 100644
--- a/src/pointer-analysis/value_set_fivrns.cpp
+++ b/src/pointer-analysis/value_set_fivrns.cpp
@@ -454,18 +454,18 @@ void value_set_fivrnst::get_value_set_rec(
     if(expr.type().id()==ID_pointer)
     {
       // find the pointer operand
-      const exprt *ptr_operand=NULL;
+      const exprt *ptr_operand=nullptr;
 
       forall_operands(it, expr)
         if(it->type().id()==ID_pointer)
         {
-          if(ptr_operand==NULL)
+          if(ptr_operand==nullptr)
             ptr_operand=&(*it);
           else
             throw "more than one pointer operand in pointer arithmetic";
         }
 
-      if(ptr_operand==NULL)
+      if(ptr_operand==nullptr)
         throw "pointer type sum expected to have pointer operand";
 
       object_mapt pointer_expr_set;
diff --git a/src/solvers/miniBDD/miniBDD.h b/src/solvers/miniBDD/miniBDD.h
index f7dde020fe..9b994b88ff 100644
--- a/src/solvers/miniBDD/miniBDD.h
+++ b/src/solvers/miniBDD/miniBDD.h
@@ -55,7 +55,7 @@ public:
   unsigned node_number() const;
   void clear();
 
-  bool is_initialized() const { return node!=0; }
+  bool is_initialized() const { return node!=nullptr; }
 
   // internal
   explicit mini_bddt(class mini_bdd_nodet *_node);
diff --git a/src/solvers/miniBDD/miniBDD.inc b/src/solvers/miniBDD/miniBDD.inc
index 091725ed33..a2077ab95f 100644
--- a/src/solvers/miniBDD/miniBDD.inc
+++ b/src/solvers/miniBDD/miniBDD.inc
@@ -2,7 +2,7 @@
 
 // inline functions
 
-inline mini_bddt::mini_bddt():node(0)
+inline mini_bddt::mini_bddt():node(nullptr)
 {
 }
 
@@ -82,7 +82,7 @@ inline void mini_bddt::clear()
   if(is_initialized())
   {
     node->remove_reference();
-    node=NULL;
+    node=nullptr;
   }
 }
 
diff --git a/src/solvers/sat/pbs_dimacs_cnf.cpp b/src/solvers/sat/pbs_dimacs_cnf.cpp
index 731c6ac7ae..69e4c78a29 100644
--- a/src/solvers/sat/pbs_dimacs_cnf.cpp
+++ b/src/solvers/sat/pbs_dimacs_cnf.cpp
@@ -125,7 +125,7 @@ bool pbs_dimacs_cnft::pbs_solve()
     {
       std::getline(file, line);
       if(strstr(line.c_str(),
-                "Variable Assignments Satisfying CNF Formula:")!=NULL)
+                "Variable Assignments Satisfying CNF Formula:")!=nullptr)
         {
           // print ("Reading assignments...\n");
           // std::cout << "No literals: " << no_variables() << "\n";
@@ -143,12 +143,12 @@ bool pbs_dimacs_cnft::pbs_solve()
           // std::cout << "\n";
           // print ("Finished reading assignments.\n");
         }
-      else if(strstr(line.c_str(), "SAT... SUM")!=NULL)
+      else if(strstr(line.c_str(), "SAT... SUM")!=nullptr)
         {
           // print (line);
           sscanf(line.c_str(), "%*s %*s %*s %d", &opt_sum);
         }
-      else if(strstr(line.c_str(), "SAT - All implied")!=NULL)
+      else if(strstr(line.c_str(), "SAT - All implied")!=nullptr)
         {
           // print (line);
           sscanf(
@@ -156,15 +156,15 @@ bool pbs_dimacs_cnft::pbs_solve()
             "%*s %*s %*s %*s %*s %*s %*s %*s %*s %*s %*s %d",
             &opt_sum);
         }
-      else if(strstr(line.c_str(), "SAT... Solution")!=NULL)
+      else if(strstr(line.c_str(), "SAT... Solution")!=nullptr)
         {
           // print(line);
           sscanf(line.c_str(), "%*s %*s %*s %d", &opt_sum);
         }
-      else if(strstr(line.c_str(), "Optimal Soln")!=NULL)
+      else if(strstr(line.c_str(), "Optimal Soln")!=nullptr)
         {
           // print(line);
-          if(strstr(line.c_str(), "time out")!=NULL)
+          if(strstr(line.c_str(), "time out")!=nullptr)
             {
               status() << "WARNING:  TIMED OUT.  SOLUTION MAY BE INCORRECT."
                        << eom;
diff --git a/src/util/config.cpp b/src/util/config.cpp
index ee24ab7b0f..a256ff6b17 100644
--- a/src/util/config.cpp
+++ b/src/util/config.cpp
@@ -739,7 +739,7 @@ bool configt::set(const cmdlinet &cmdline)
   ansi_c.arch="none";
   ansi_c.lib=configt::ansi_ct::libt::LIB_NONE;
   // NOLINTNEXTLINE(readability/casting)
-  ansi_c.NULL_is_zero=reinterpret_cast((void*)0)==0;
+  ansi_c.NULL_is_zero=reinterpret_cast(nullptr)==0;
 
   // Default is ROUND_TO_EVEN, justified by C99:
   // 1 At program startup the floating-point environment is initialized as
@@ -773,7 +773,7 @@ bool configt::set(const cmdlinet &cmdline)
   {
     // environment variable set?
     const char *CLASSPATH=getenv("CLASSPATH");
-    if(CLASSPATH!=NULL)
+    if(CLASSPATH!=nullptr)
       set_classpath(CLASSPATH);
     else
       set_classpath("."); // default
diff --git a/src/util/file_util.cpp b/src/util/file_util.cpp
index 3753fa5aab..37dfd59587 100644
--- a/src/util/file_util.cpp
+++ b/src/util/file_util.cpp
@@ -51,7 +51,7 @@ std::string get_current_working_directory()
 
   errno=0;
 
-  while(buf && getcwd(buf, bsize-1)==NULL && errno==ERANGE)
+  while(buf && getcwd(buf, bsize-1)==nullptr && errno==ERANGE)
   {
     bsize*=2;
     buf=reinterpret_cast(realloc(buf, sizeof(char)*bsize));
@@ -98,10 +98,10 @@ void delete_directory(const std::string &path)
   delete_directory_utf16(utf8_to_utf16_little_endian(path));
 #else
   DIR *dir=opendir(path.c_str());
-  if(dir!=NULL)
+  if(dir!=nullptr)
   {
     struct dirent *ent;
-    while((ent=readdir(dir))!=NULL)
+    while((ent=readdir(dir))!=nullptr)
     {
       // Needed for Alpine Linux
       if(strcmp(ent->d_name, ".")==0 || strcmp(ent->d_name, "..")==0)
diff --git a/src/util/invariant.cpp b/src/util/invariant.cpp
index eb63382ef7..d3f750041a 100644
--- a/src/util/invariant.cpp
+++ b/src/util/invariant.cpp
@@ -54,7 +54,7 @@ static bool output_demangled_name(
 
     int demangle_success=1;
     char *demangled=
-      abi::__cxa_demangle(mangled.c_str(), NULL, 0, &demangle_success);
+      abi::__cxa_demangle(mangled.c_str(), nullptr, nullptr, &demangle_success);
 
     if(demangle_success==0)
     {
diff --git a/src/util/irep_ids.cpp b/src/util/irep_ids.cpp
index 8aff81777a..50e0f537fa 100644
--- a/src/util/irep_ids.cpp
+++ b/src/util/irep_ids.cpp
@@ -22,7 +22,7 @@ const char *irep_ids_table[]=
 
 #include "irep_ids.def"
 
-  NULL,
+  nullptr,
 };
 
 #ifdef USE_DSTRING
@@ -47,7 +47,7 @@ void initialize_string_container()
 {
   // this is called by the constructor of string_containert
 
-  for(unsigned i=0; irep_ids_table[i]!=NULL; i++)
+  for(unsigned i=0; irep_ids_table[i]!=nullptr; i++)
   {
     unsigned x;
     x=string_container[irep_ids_table[i]];
diff --git a/src/util/language_file.cpp b/src/util/language_file.cpp
index 2aa57a85c6..7ca179f68f 100644
--- a/src/util/language_file.cpp
+++ b/src/util/language_file.cpp
@@ -14,14 +14,14 @@ Author: Daniel Kroening, kroening@kroening.com
 
 language_filet::language_filet(const language_filet &rhs):
   modules(rhs.modules),
-  language(rhs.language==NULL?NULL:rhs.language->new_language()),
+  language(rhs.language==nullptr?nullptr:rhs.language->new_language()),
   filename(rhs.filename)
 {
 }
 
 language_filet::~language_filet()
 {
-  if(language!=NULL)
+  if(language!=nullptr)
     delete language;
 }
 
diff --git a/src/util/language_file.h b/src/util/language_file.h
index e2e8750be5..a18d4685a3 100644
--- a/src/util/language_file.h
+++ b/src/util/language_file.h
@@ -49,7 +49,7 @@ public:
 
   language_filet(const language_filet &rhs);
 
-  language_filet():language(NULL)
+  language_filet():language(nullptr)
   {
   }
 
diff --git a/src/util/message.h b/src/util/message.h
index 41c9117400..c3d73d5f4d 100644
--- a/src/util/message.h
+++ b/src/util/message.h
@@ -133,7 +133,7 @@ public:
   // constructors, destructor
 
   messaget():
-    message_handler(NULL),
+    message_handler(nullptr),
     mstream(M_DEBUG, *this)
   {
   }
diff --git a/src/util/namespace.cpp b/src/util/namespace.cpp
index 50de95f296..218e73d285 100644
--- a/src/util/namespace.cpp
+++ b/src/util/namespace.cpp
@@ -127,10 +127,10 @@ unsigned namespacet::get_max(const std::string &prefix) const
 {
   unsigned m=0;
 
-  if(symbol_table1!=NULL)
+  if(symbol_table1!=nullptr)
     m=std::max(m, ::get_max(prefix, symbol_table1->symbols));
 
-  if(symbol_table2!=NULL)
+  if(symbol_table2!=nullptr)
     m=std::max(m, ::get_max(prefix, symbol_table2->symbols));
 
   return m;
@@ -142,7 +142,7 @@ bool namespacet::lookup(
 {
   symbol_tablet::symbolst::const_iterator it;
 
-  if(symbol_table1!=NULL)
+  if(symbol_table1!=nullptr)
   {
     it=symbol_table1->symbols.find(name);
 
@@ -153,7 +153,7 @@ bool namespacet::lookup(
     }
   }
 
-  if(symbol_table2!=NULL)
+  if(symbol_table2!=nullptr)
   {
     it=symbol_table2->symbols.find(name);
 
diff --git a/src/util/namespace.h b/src/util/namespace.h
index ea6b33cfdb..a3b9f3827c 100644
--- a/src/util/namespace.h
+++ b/src/util/namespace.h
@@ -64,7 +64,7 @@ class namespacet:public namespace_baset
 public:
   // constructors
   explicit namespacet(const symbol_tablet &_symbol_table)
-  { symbol_table1=&_symbol_table; symbol_table2=NULL; }
+  { symbol_table1=&_symbol_table; symbol_table2=nullptr; }
 
   namespacet(
     const symbol_tablet &_symbol_table1,
@@ -101,12 +101,12 @@ class multi_namespacet:public namespacet
 {
 public:
   // constructors
-  multi_namespacet():namespacet(NULL, NULL)
+  multi_namespacet():namespacet(nullptr, nullptr)
   {
   }
 
   explicit multi_namespacet(
-    const symbol_tablet &symbol_table):namespacet(NULL, NULL)
+    const symbol_tablet &symbol_table):namespacet(nullptr, nullptr)
   {
     add(symbol_table);
   }
diff --git a/src/util/parser.h b/src/util/parser.h
index b450de7f61..bf572e6004 100644
--- a/src/util/parser.h
+++ b/src/util/parser.h
@@ -39,7 +39,7 @@ public:
     last_line.clear();
   }
 
-  parsert():in(NULL) { clear(); }
+  parsert():in(nullptr) { clear(); }
   virtual ~parsert() { }
 
   // The following are for the benefit of the scanner
diff --git a/src/util/pipe_stream.cpp b/src/util/pipe_stream.cpp
index 4306bce8e0..44ac29b3eb 100644
--- a/src/util/pipe_stream.cpp
+++ b/src/util/pipe_stream.cpp
@@ -159,12 +159,12 @@ int pipe_streamt::run()
         a_it++, i++)
        _argv[i]=strdup(a_it->c_str());
 
-    _argv[args.size()+1]=NULL;
+    _argv[args.size()+1]=nullptr;
 
     int result=execvp(executable.c_str(), _argv);
 
     if(result==-1)
-      perror(0);
+      perror(nullptr);
 
     return result;
   }
@@ -289,7 +289,7 @@ std::streamsize filedescriptor_streambuft::xsputn(
 /// read a character from the piped process
 std::streambuf::int_type filedescriptor_streambuft::underflow()
 {
-  if(gptr()==0)
+  if(gptr()==nullptr)
     return traits_type::eof();
 
   if(gptr()expr_set.empty();
   }
@@ -52,13 +52,13 @@ public:
 
   bool make_union(const ref_expr_sett &s2)
   {
-    if(s2.d==NULL)
+    if(s2.d==nullptr)
       return false;
 
     if(s2.d==d)
       return false;
 
-    if(d==NULL)
+    if(d==nullptr)
     {
       copy_from(s2);
       return true;
diff --git a/src/util/reference_counting.h b/src/util/reference_counting.h
index ffdc8eed75..4d5accb5ec 100644
--- a/src/util/reference_counting.h
+++ b/src/util/reference_counting.h
@@ -19,7 +19,7 @@ template
 class reference_counting
 {
 public:
-  reference_counting():d(NULL)
+  reference_counting():d(nullptr)
   {
   }
 
@@ -31,7 +31,7 @@ public:
   // copy constructor
   reference_counting(const reference_counting &other):d(other.d)
   {
-    if(d!=NULL)
+    if(d!=nullptr)
     {
       assert(d->ref_count!=0);
       d->ref_count++;
@@ -50,7 +50,7 @@ public:
   ~reference_counting()
   {
     remove_ref(d);
-    d=NULL;
+    d=nullptr;
   }
 
   void swap(reference_counting &other)
@@ -61,12 +61,12 @@ public:
   void clear()
   {
     remove_ref(d);
-    d=NULL;
+    d=nullptr;
   }
 
   const T &read() const
   {
-    if(d==NULL)
+    if(d==nullptr)
       return T::blank;
     return *d;
   }
@@ -104,7 +104,7 @@ protected:
 
     remove_ref(d);
     d=other.d;
-    if(d!=NULL)
+    if(d!=nullptr)
       d->ref_count++;
   }
 
@@ -118,7 +118,7 @@ public:
 template
 void reference_counting::remove_ref(dt *old_d)
 {
-  if(old_d==NULL)
+  if(old_d==nullptr)
     return;
 
   assert(old_d->ref_count!=0);
@@ -151,7 +151,7 @@ void reference_counting::detatch()
   std::cout << "DETATCH1: " << d << '\n';
   #endif
 
-  if(d==NULL)
+  if(d==nullptr)
   {
     d=new dt;
 
diff --git a/src/util/run.cpp b/src/util/run.cpp
index 164cac834d..c01aff35bd 100644
--- a/src/util/run.cpp
+++ b/src/util/run.cpp
@@ -117,13 +117,13 @@ int run(
     {
       // resume signals
       remove_signal_catcher();
-      sigprocmask(SIG_SETMASK, &old_mask, NULL);
+      sigprocmask(SIG_SETMASK, &old_mask, nullptr);
 
       char **_argv=new char * [argv.size()+1];
       for(std::size_t i=0; i &s)
 
 const char **narrow_argv(int argc, const wchar_t **argv_wide)
 {
-  if(argv_wide==NULL)
-    return NULL;
+  if(argv_wide==nullptr)
+    return nullptr;
 
   // the following never gets deleted
   const char **argv_narrow=new const char *[argc+1];
-  argv_narrow[argc]=0;
+  argv_narrow[argc]=nullptr;
 
   for(int i=0; i
Date: Thu, 20 Jul 2017 13:53:53 +0100
Subject: [PATCH 87/89] Fix linter errors, ignoring big-int and miniz

---
 src/analyses/goto_rw.cpp                 | 6 ++++--
 src/analyses/goto_rw.h                   | 4 ++--
 src/analyses/invariant_set.cpp           | 7 ++++---
 src/analyses/invariant_set.h             | 2 ++
 src/analyses/local_may_alias.h           | 2 +-
 src/analyses/reaching_definitions.cpp    | 8 ++++++--
 src/analyses/reaching_definitions.h      | 7 ++++++-
 src/cpp/cpp_id.h                         | 3 ++-
 src/cpp/cpp_instantiate_template.cpp     | 6 ++++--
 src/cpp/cpp_typecheck.h                  | 2 ++
 src/cpp/cpp_typecheck_template.cpp       | 7 +++++--
 src/goto-symex/goto_symex_state.cpp      | 6 +++---
 src/goto-symex/goto_symex_state.h        | 2 ++
 src/path-symex/path_symex_history.h      | 8 +++++---
 src/path-symex/path_symex_state.h        | 2 ++
 src/path-symex/path_symex_state_read.cpp | 2 +-
 16 files changed, 51 insertions(+), 23 deletions(-)

diff --git a/src/analyses/goto_rw.cpp b/src/analyses/goto_rw.cpp
index 36c2bf8c95..49827bd2bd 100644
--- a/src/analyses/goto_rw.cpp
+++ b/src/analyses/goto_rw.cpp
@@ -463,7 +463,8 @@ void rw_range_sett::add(
 {
   objectst::iterator entry=(mode==get_modet::LHS_W ? w_range_set : r_range_set).
     insert(
-      std::pair(identifier, nullptr)).first;
+      std::pair(
+        identifier, nullptr)).first;
 
   if(entry->second==nullptr)
     entry->second=new range_domaint();
@@ -663,7 +664,8 @@ void rw_guarded_range_set_value_sett::add(
 {
   objectst::iterator entry=(mode==get_modet::LHS_W ? w_range_set : r_range_set).
     insert(
-      std::pair(identifier, nullptr)).first;
+      std::pair(
+        identifier, nullptr)).first;
 
   if(entry->second==nullptr)
     entry->second=new guarded_range_domaint();
diff --git a/src/analyses/goto_rw.h b/src/analyses/goto_rw.h
index 60dfe5ca6f..1f92c3e0e1 100644
--- a/src/analyses/goto_rw.h
+++ b/src/analyses/goto_rw.h
@@ -108,7 +108,7 @@ public:
 
   const range_domaint &get_ranges(objectst::const_iterator it) const
   {
-    assert(dynamic_cast(it->second)!=nullptr);
+    PRECONDITION(dynamic_cast(it->second)!=nullptr);
     return *static_cast(it->second);
   }
 
@@ -277,7 +277,7 @@ public:
 
   const guarded_range_domaint &get_ranges(objectst::const_iterator it) const
   {
-    assert(dynamic_cast(it->second)!=nullptr);
+    PRECONDITION(dynamic_cast(it->second)!=nullptr);
     return *static_cast(it->second);
   }
 
diff --git a/src/analyses/invariant_set.cpp b/src/analyses/invariant_set.cpp
index 550c39d3ab..a041119cbb 100644
--- a/src/analyses/invariant_set.cpp
+++ b/src/analyses/invariant_set.cpp
@@ -144,7 +144,7 @@ bool invariant_sett::get_object(
   const exprt &expr,
   unsigned &n) const
 {
-  assert(object_store!=nullptr);
+  PRECONDITION(object_store!=nullptr);
   return object_store->get(expr, n);
 }
 
@@ -315,7 +315,8 @@ void invariant_sett::output(
     return;
   }
 
-  assert(object_store!=nullptr);
+  INVARIANT(
+    object_store!=nullptr, nullptr_exceptiont("Object store is null"));
 
   for(unsigned i=0; ito_string(a, identifier);
 }
 
diff --git a/src/analyses/invariant_set.h b/src/analyses/invariant_set.h
index b65ce7897f..f2999d191a 100644
--- a/src/analyses/invariant_set.h
+++ b/src/analyses/invariant_set.h
@@ -22,6 +22,8 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include "interval_template.h"
 
+#define nullptr_exceptiont(str) str
+
 class inv_object_storet
 {
 public:
diff --git a/src/analyses/local_may_alias.h b/src/analyses/local_may_alias.h
index c9c7680368..5e04ff01a7 100644
--- a/src/analyses/local_may_alias.h
+++ b/src/analyses/local_may_alias.h
@@ -109,7 +109,7 @@ public:
 
   local_may_aliast &operator()(const irep_idt &fkt)
   {
-    assert(goto_functions!=nullptr);
+    PRECONDITION(goto_functions!=nullptr);
     fkt_mapt::iterator f_it=fkt_map.find(fkt);
     if(f_it!=fkt_map.end())
       return *f_it->second;
diff --git a/src/analyses/reaching_definitions.cpp b/src/analyses/reaching_definitions.cpp
index b001261a69..3bbf55a60a 100644
--- a/src/analyses/reaching_definitions.cpp
+++ b/src/analyses/reaching_definitions.cpp
@@ -51,7 +51,9 @@ void rd_range_domaint::transform(
 {
   reaching_definitions_analysist *rd=
     dynamic_cast(&ai);
-  assert(rd!=nullptr);
+  INVARIANT(
+    rd!=nullptr,
+    bad_cast_exceptiont("ai has type reaching_definitions_analysist"));
 
   assert(bv_container);
 
@@ -298,7 +300,9 @@ void rd_range_domaint::transform_assign(
     const symbolt *symbol_ptr;
     if(ns.lookup(identifier, symbol_ptr))
       continue;
-    assert(symbol_ptr!=nullptr);
+    INVARIANT(
+      symbol_ptr!=nullptr,
+      nullptr_exceptiont("Symbol is in symbol table"));
 
     const range_domaint &ranges=rw_set.get_ranges(it);
 
diff --git a/src/analyses/reaching_definitions.h b/src/analyses/reaching_definitions.h
index 462b8c1d45..f0a4fd6085 100644
--- a/src/analyses/reaching_definitions.h
+++ b/src/analyses/reaching_definitions.h
@@ -26,6 +26,9 @@ class is_threadedt;
 class dirtyt;
 class reaching_definitions_analysist;
 
+#define bad_cast_exceptiont(str) str
+#define nullptr_exceptiont(str) str
+
 // requirement: V has a member "identifier" of type irep_idt
 template
 class sparse_bitvector_analysist
@@ -259,7 +262,9 @@ public:
     statet &s=concurrency_aware_ait::get_state(l);
 
     rd_range_domaint *rd_state=dynamic_cast(&s);
-    assert(rd_state!=nullptr);
+    INVARIANT(
+      rd_state!=nullptr,
+      bad_cast_exceptiont("rd_state has type rd_range_domaint"));
 
     rd_state->set_bitvector_container(*this);
 
diff --git a/src/cpp/cpp_id.h b/src/cpp/cpp_id.h
index 1ba4649334..b2efbc2718 100644
--- a/src/cpp/cpp_id.h
+++ b/src/cpp/cpp_id.h
@@ -20,6 +20,7 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 #include 
 
 #include 
+#include 
 #include 
 
 class cpp_scopet;
@@ -81,7 +82,7 @@ public:
 
   cpp_idt &get_parent() const
   {
-    assert(parent!=nullptr);
+    PRECONDITION(parent!=nullptr);
     return *parent;
   }
 
diff --git a/src/cpp/cpp_instantiate_template.cpp b/src/cpp/cpp_instantiate_template.cpp
index 27c8e2c9a3..3afc3cdd72 100644
--- a/src/cpp/cpp_instantiate_template.cpp
+++ b/src/cpp/cpp_instantiate_template.cpp
@@ -130,7 +130,8 @@ const symbolt &cpp_typecheckt::class_template_symbol(
   cpp_scopet *template_scope=
     static_cast(cpp_scopes.id_map[template_symbol.name]);
 
-  assert(template_scope!=nullptr);
+  INVARIANT(
+    template_scope!=nullptr, nullptr_exceptiont("template_scope is null"));
 
   irep_idt identifier=
     id2string(template_scope->prefix)+
@@ -284,7 +285,8 @@ const symbolt &cpp_typecheckt::instantiate_template(
     throw 0;
   }
 
-  assert(template_scope!=nullptr);
+  INVARIANT(
+    template_scope!=nullptr, nullptr_exceptiont("template_scope is null"));
 
   // produce new declaration
   cpp_declarationt new_decl=to_cpp_declaration(template_symbol.type);
diff --git a/src/cpp/cpp_typecheck.h b/src/cpp/cpp_typecheck.h
index 5c0a6afe28..50cc26fb9e 100644
--- a/src/cpp/cpp_typecheck.h
+++ b/src/cpp/cpp_typecheck.h
@@ -30,6 +30,8 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 #include "cpp_template_type.h"
 #include "cpp_util.h"
 
+#define nullptr_exceptiont(str) str
+
 bool cpp_typecheck(
   cpp_parse_treet &cpp_parse_tree,
   symbol_tablet &symbol_table,
diff --git a/src/cpp/cpp_typecheck_template.cpp b/src/cpp/cpp_typecheck_template.cpp
index 5837a5706a..2338371379 100644
--- a/src/cpp/cpp_typecheck_template.cpp
+++ b/src/cpp/cpp_typecheck_template.cpp
@@ -910,7 +910,8 @@ cpp_template_args_tct cpp_typecheckt::typecheck_template_args(
       // these need to be typechecked in the scope of the template,
       // not in the current scope!
       cpp_idt *template_scope=cpp_scopes.id_map[template_symbol.name];
-      assert(template_scope!=nullptr);
+      INVARIANT(
+        template_scope!=nullptr, nullptr_exceptiont("template_scope is null"));
       cpp_scopes.go_to(*template_scope);
     }
 
@@ -960,7 +961,9 @@ cpp_template_args_tct cpp_typecheckt::typecheck_template_args(
       {
         cpp_save_scopet cpp_saved_scope(cpp_scopes);
         cpp_idt *template_scope=cpp_scopes.id_map[template_symbol.name];
-        assert(template_scope!=nullptr);
+        INVARIANT(
+          template_scope!=nullptr,
+          nullptr_exceptiont("template_scope is null"));
         cpp_scopes.go_to(*template_scope);
         typecheck_type(type);
       }
diff --git a/src/goto-symex/goto_symex_state.cpp b/src/goto-symex/goto_symex_state.cpp
index 934e8edf71..3e49fd7e48 100644
--- a/src/goto-symex/goto_symex_state.cpp
+++ b/src/goto-symex/goto_symex_state.cpp
@@ -541,7 +541,7 @@ bool goto_symex_statet::l2_thread_read_encoding(
     return false;
 
   // is it a shared object?
-  assert(dirty!=nullptr);
+  INVARIANT(dirty!=nullptr, nullptr_exceptiont("dirty is null"));
   const irep_idt &obj_identifier=expr.get_object_name();
   if(obj_identifier=="goto_symex::\\guard" ||
      (!ns.lookup(obj_identifier).is_shared() &&
@@ -666,7 +666,7 @@ bool goto_symex_statet::l2_thread_read_encoding(
   expr=ssa_l1;
 
   // and record that
-  assert(symex_target!=nullptr);
+  INVARIANT(symex_target!=nullptr, nullptr_exceptiont("symex_target is null"));
   symex_target->shared_read(
     guard.as_expr(),
     expr,
@@ -685,7 +685,7 @@ bool goto_symex_statet::l2_thread_write_encoding(
     return false;
 
   // is it a shared object?
-  assert(dirty!=nullptr);
+  INVARIANT(dirty!=nullptr, nullptr_exceptiont("dirty is null"));
   const irep_idt &obj_identifier=expr.get_object_name();
   if(obj_identifier=="goto_symex::\\guard" ||
      (!ns.lookup(obj_identifier).is_shared() &&
diff --git a/src/goto-symex/goto_symex_state.h b/src/goto-symex/goto_symex_state.h
index d62d4a66af..b7e645ab39 100644
--- a/src/goto-symex/goto_symex_state.h
+++ b/src/goto-symex/goto_symex_state.h
@@ -26,6 +26,8 @@ Author: Daniel Kroening, kroening@kroening.com
 
 class dirtyt;
 
+#define nullptr_exceptiont(str) str
+
 // central data structure: state
 class goto_symex_statet
 {
diff --git a/src/path-symex/path_symex_history.h b/src/path-symex/path_symex_history.h
index e2fbc3273f..794679d72d 100644
--- a/src/path-symex/path_symex_history.h
+++ b/src/path-symex/path_symex_history.h
@@ -21,6 +21,8 @@ Author: Daniel Kroening, kroening@kroening.com
 
 class path_symex_stept;
 
+#define nullptr_exceptiont(str) str
+
 // This is a reference to a path_symex_stept,
 // and is really cheap to copy. These references are stable,
 // even though the underlying vector is not.
@@ -46,7 +48,7 @@ public:
 
   path_symex_historyt &get_history() const
   {
-    assert(history!=nullptr);
+    INVARIANT(history!=nullptr, nullptr_exceptiont("history is null"));
     return *history;
   }
 
@@ -154,7 +156,7 @@ public:
 
 inline void path_symex_step_reft::generate_successor()
 {
-  assert(history!=nullptr);
+  INVARIANT(history!=nullptr, nullptr_exceptiont("history is null"));
   path_symex_step_reft old=*this;
   index=history->step_container.size();
   history->step_container.push_back(path_symex_stept());
@@ -169,7 +171,7 @@ inline path_symex_step_reft &path_symex_step_reft::operator--()
 
 inline path_symex_stept &path_symex_step_reft::get() const
 {
-  assert(history!=nullptr);
+  INVARIANT(history!=nullptr, nullptr_exceptiont("history is null"));
   assert(!is_nil());
   return history->step_container[index];
 }
diff --git a/src/path-symex/path_symex_state.h b/src/path-symex/path_symex_state.h
index eb23e891f8..796864cc80 100644
--- a/src/path-symex/path_symex_state.h
+++ b/src/path-symex/path_symex_state.h
@@ -16,6 +16,8 @@ Author: Daniel Kroening, kroening@kroening.com
 #include "var_map.h"
 #include "path_symex_history.h"
 
+#define nullptr_exceptiont(str) str
+
 struct path_symex_statet
 {
 public:
diff --git a/src/path-symex/path_symex_state_read.cpp b/src/path-symex/path_symex_state_read.cpp
index 139b6956a0..fb34aaf93d 100644
--- a/src/path-symex/path_symex_state_read.cpp
+++ b/src/path-symex/path_symex_state_read.cpp
@@ -465,7 +465,7 @@ bool path_symex_statet::is_symbol_member_index(const exprt &src) const
       return false;
 
     // next round
-    assert(next!=nullptr);
+    INVARIANT(next!=nullptr, nullptr_exceptiont("next is null"));
     current=next;
   }
 }

From 26fb85043ac088f7961b8a4410e7ab798f991183 Mon Sep 17 00:00:00 2001
From: reuk 
Date: Mon, 24 Jul 2017 17:50:30 +0100
Subject: [PATCH 88/89] Replace macros with exception types

---
 src/analyses/invariant_set.cpp           |  5 ++--
 src/analyses/invariant_set.h             |  2 --
 src/analyses/reaching_definitions.cpp    | 10 ++++----
 src/analyses/reaching_definitions.h      |  9 ++++----
 src/cpp/cpp_instantiate_template.cpp     |  9 ++++----
 src/cpp/cpp_typecheck.h                  |  2 --
 src/cpp/cpp_typecheck_template.cpp       | 10 ++++----
 src/goto-symex/goto_symex_state.cpp      |  8 ++++---
 src/goto-symex/goto_symex_state.h        |  2 --
 src/path-symex/path_symex_history.h      | 12 ++++++----
 src/path-symex/path_symex_state.h        |  2 --
 src/path-symex/path_symex_state_read.cpp |  2 +-
 src/util/base_exceptions.h               | 29 ++++++++++++++++++++++++
 13 files changed, 66 insertions(+), 36 deletions(-)
 create mode 100644 src/util/base_exceptions.h

diff --git a/src/analyses/invariant_set.cpp b/src/analyses/invariant_set.cpp
index a041119cbb..a91c0349bb 100644
--- a/src/analyses/invariant_set.cpp
+++ b/src/analyses/invariant_set.cpp
@@ -13,6 +13,7 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include 
 
+#include 
 #include 
 #include 
 #include 
@@ -315,8 +316,8 @@ void invariant_sett::output(
     return;
   }
 
-  INVARIANT(
-    object_store!=nullptr, nullptr_exceptiont("Object store is null"));
+  INVARIANT_STRUCTURED(
+    object_store!=nullptr, nullptr_exceptiont, "Object store is null");
 
   for(unsigned i=0; i(&ai);
-  INVARIANT(
+  INVARIANT_STRUCTURED(
     rd!=nullptr,
-    bad_cast_exceptiont("ai has type reaching_definitions_analysist"));
+    bad_cast_exceptiont,
+    "ai has type reaching_definitions_analysist");
 
   assert(bv_container);
 
@@ -300,9 +301,10 @@ void rd_range_domaint::transform_assign(
     const symbolt *symbol_ptr;
     if(ns.lookup(identifier, symbol_ptr))
       continue;
-    INVARIANT(
+    INVARIANT_STRUCTURED(
       symbol_ptr!=nullptr,
-      nullptr_exceptiont("Symbol is in symbol table"));
+      nullptr_exceptiont,
+      "Symbol is in symbol table");
 
     const range_domaint &ranges=rw_set.get_ranges(it);
 
diff --git a/src/analyses/reaching_definitions.h b/src/analyses/reaching_definitions.h
index f0a4fd6085..21cbd1ed37 100644
--- a/src/analyses/reaching_definitions.h
+++ b/src/analyses/reaching_definitions.h
@@ -16,6 +16,7 @@ Date: February 2013
 #ifndef CPROVER_ANALYSES_REACHING_DEFINITIONS_H
 #define CPROVER_ANALYSES_REACHING_DEFINITIONS_H
 
+#include 
 #include 
 
 #include "ai.h"
@@ -26,9 +27,6 @@ class is_threadedt;
 class dirtyt;
 class reaching_definitions_analysist;
 
-#define bad_cast_exceptiont(str) str
-#define nullptr_exceptiont(str) str
-
 // requirement: V has a member "identifier" of type irep_idt
 template
 class sparse_bitvector_analysist
@@ -262,9 +260,10 @@ public:
     statet &s=concurrency_aware_ait::get_state(l);
 
     rd_range_domaint *rd_state=dynamic_cast(&s);
-    INVARIANT(
+    INVARIANT_STRUCTURED(
       rd_state!=nullptr,
-      bad_cast_exceptiont("rd_state has type rd_range_domaint"));
+      bad_cast_exceptiont,
+      "rd_state has type rd_range_domaint");
 
     rd_state->set_bitvector_container(*this);
 
diff --git a/src/cpp/cpp_instantiate_template.cpp b/src/cpp/cpp_instantiate_template.cpp
index 3afc3cdd72..fe0b3e28ac 100644
--- a/src/cpp/cpp_instantiate_template.cpp
+++ b/src/cpp/cpp_instantiate_template.cpp
@@ -12,6 +12,7 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 #include "cpp_typecheck.h"
 
 #include 
+#include 
 #include 
 
 #include 
@@ -130,8 +131,8 @@ const symbolt &cpp_typecheckt::class_template_symbol(
   cpp_scopet *template_scope=
     static_cast(cpp_scopes.id_map[template_symbol.name]);
 
-  INVARIANT(
-    template_scope!=nullptr, nullptr_exceptiont("template_scope is null"));
+  INVARIANT_STRUCTURED(
+    template_scope!=nullptr, nullptr_exceptiont, "template_scope is null");
 
   irep_idt identifier=
     id2string(template_scope->prefix)+
@@ -285,8 +286,8 @@ const symbolt &cpp_typecheckt::instantiate_template(
     throw 0;
   }
 
-  INVARIANT(
-    template_scope!=nullptr, nullptr_exceptiont("template_scope is null"));
+  INVARIANT_STRUCTURED(
+    template_scope!=nullptr, nullptr_exceptiont, "template_scope is null");
 
   // produce new declaration
   cpp_declarationt new_decl=to_cpp_declaration(template_symbol.type);
diff --git a/src/cpp/cpp_typecheck.h b/src/cpp/cpp_typecheck.h
index 50cc26fb9e..5c0a6afe28 100644
--- a/src/cpp/cpp_typecheck.h
+++ b/src/cpp/cpp_typecheck.h
@@ -30,8 +30,6 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 #include "cpp_template_type.h"
 #include "cpp_util.h"
 
-#define nullptr_exceptiont(str) str
-
 bool cpp_typecheck(
   cpp_parse_treet &cpp_parse_tree,
   symbol_tablet &symbol_table,
diff --git a/src/cpp/cpp_typecheck_template.cpp b/src/cpp/cpp_typecheck_template.cpp
index 2338371379..7c46420826 100644
--- a/src/cpp/cpp_typecheck_template.cpp
+++ b/src/cpp/cpp_typecheck_template.cpp
@@ -11,6 +11,7 @@ Author: Daniel Kroening, kroening@cs.cmu.edu
 
 #include "cpp_typecheck.h"
 
+#include 
 #include 
 
 #include "cpp_type2name.h"
@@ -910,8 +911,8 @@ cpp_template_args_tct cpp_typecheckt::typecheck_template_args(
       // these need to be typechecked in the scope of the template,
       // not in the current scope!
       cpp_idt *template_scope=cpp_scopes.id_map[template_symbol.name];
-      INVARIANT(
-        template_scope!=nullptr, nullptr_exceptiont("template_scope is null"));
+      INVARIANT_STRUCTURED(
+        template_scope!=nullptr, nullptr_exceptiont, "template_scope is null");
       cpp_scopes.go_to(*template_scope);
     }
 
@@ -961,9 +962,10 @@ cpp_template_args_tct cpp_typecheckt::typecheck_template_args(
       {
         cpp_save_scopet cpp_saved_scope(cpp_scopes);
         cpp_idt *template_scope=cpp_scopes.id_map[template_symbol.name];
-        INVARIANT(
+        INVARIANT_STRUCTURED(
           template_scope!=nullptr,
-          nullptr_exceptiont("template_scope is null"));
+          nullptr_exceptiont,
+          "template_scope is null");
         cpp_scopes.go_to(*template_scope);
         typecheck_type(type);
       }
diff --git a/src/goto-symex/goto_symex_state.cpp b/src/goto-symex/goto_symex_state.cpp
index 3e49fd7e48..6402923c4c 100644
--- a/src/goto-symex/goto_symex_state.cpp
+++ b/src/goto-symex/goto_symex_state.cpp
@@ -15,6 +15,7 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
+#include 
 #include 
 #include 
 
@@ -541,7 +542,7 @@ bool goto_symex_statet::l2_thread_read_encoding(
     return false;
 
   // is it a shared object?
-  INVARIANT(dirty!=nullptr, nullptr_exceptiont("dirty is null"));
+  INVARIANT_STRUCTURED(dirty!=nullptr, nullptr_exceptiont, "dirty is null");
   const irep_idt &obj_identifier=expr.get_object_name();
   if(obj_identifier=="goto_symex::\\guard" ||
      (!ns.lookup(obj_identifier).is_shared() &&
@@ -666,7 +667,8 @@ bool goto_symex_statet::l2_thread_read_encoding(
   expr=ssa_l1;
 
   // and record that
-  INVARIANT(symex_target!=nullptr, nullptr_exceptiont("symex_target is null"));
+  INVARIANT_STRUCTURED(
+    symex_target!=nullptr, nullptr_exceptiont, "symex_target is null");
   symex_target->shared_read(
     guard.as_expr(),
     expr,
@@ -685,7 +687,7 @@ bool goto_symex_statet::l2_thread_write_encoding(
     return false;
 
   // is it a shared object?
-  INVARIANT(dirty!=nullptr, nullptr_exceptiont("dirty is null"));
+  INVARIANT_STRUCTURED(dirty!=nullptr, nullptr_exceptiont, "dirty is null");
   const irep_idt &obj_identifier=expr.get_object_name();
   if(obj_identifier=="goto_symex::\\guard" ||
      (!ns.lookup(obj_identifier).is_shared() &&
diff --git a/src/goto-symex/goto_symex_state.h b/src/goto-symex/goto_symex_state.h
index b7e645ab39..d62d4a66af 100644
--- a/src/goto-symex/goto_symex_state.h
+++ b/src/goto-symex/goto_symex_state.h
@@ -26,8 +26,6 @@ Author: Daniel Kroening, kroening@kroening.com
 
 class dirtyt;
 
-#define nullptr_exceptiont(str) str
-
 // central data structure: state
 class goto_symex_statet
 {
diff --git a/src/path-symex/path_symex_history.h b/src/path-symex/path_symex_history.h
index 794679d72d..0783281c70 100644
--- a/src/path-symex/path_symex_history.h
+++ b/src/path-symex/path_symex_history.h
@@ -15,14 +15,13 @@ Author: Daniel Kroening, kroening@kroening.com
 #include 
 #include 
 
+#include 
 #include 
 
 #include "loc_ref.h"
 
 class path_symex_stept;
 
-#define nullptr_exceptiont(str) str
-
 // This is a reference to a path_symex_stept,
 // and is really cheap to copy. These references are stable,
 // even though the underlying vector is not.
@@ -48,7 +47,8 @@ public:
 
   path_symex_historyt &get_history() const
   {
-    INVARIANT(history!=nullptr, nullptr_exceptiont("history is null"));
+    INVARIANT_STRUCTURED(
+      history!=nullptr, nullptr_exceptiont, "history is null");
     return *history;
   }
 
@@ -156,7 +156,8 @@ public:
 
 inline void path_symex_step_reft::generate_successor()
 {
-  INVARIANT(history!=nullptr, nullptr_exceptiont("history is null"));
+  INVARIANT_STRUCTURED(
+    history!=nullptr, nullptr_exceptiont, "history is null");
   path_symex_step_reft old=*this;
   index=history->step_container.size();
   history->step_container.push_back(path_symex_stept());
@@ -171,7 +172,8 @@ inline path_symex_step_reft &path_symex_step_reft::operator--()
 
 inline path_symex_stept &path_symex_step_reft::get() const
 {
-  INVARIANT(history!=nullptr, nullptr_exceptiont("history is null"));
+  INVARIANT_STRUCTURED(
+    history!=nullptr, nullptr_exceptiont, "history is null");
   assert(!is_nil());
   return history->step_container[index];
 }
diff --git a/src/path-symex/path_symex_state.h b/src/path-symex/path_symex_state.h
index 796864cc80..eb23e891f8 100644
--- a/src/path-symex/path_symex_state.h
+++ b/src/path-symex/path_symex_state.h
@@ -16,8 +16,6 @@ Author: Daniel Kroening, kroening@kroening.com
 #include "var_map.h"
 #include "path_symex_history.h"
 
-#define nullptr_exceptiont(str) str
-
 struct path_symex_statet
 {
 public:
diff --git a/src/path-symex/path_symex_state_read.cpp b/src/path-symex/path_symex_state_read.cpp
index fb34aaf93d..87dea21be4 100644
--- a/src/path-symex/path_symex_state_read.cpp
+++ b/src/path-symex/path_symex_state_read.cpp
@@ -465,7 +465,7 @@ bool path_symex_statet::is_symbol_member_index(const exprt &src) const
       return false;
 
     // next round
-    INVARIANT(next!=nullptr, nullptr_exceptiont("next is null"));
+    INVARIANT_STRUCTURED(next!=nullptr, nullptr_exceptiont, "next is null");
     current=next;
   }
 }
diff --git a/src/util/base_exceptions.h b/src/util/base_exceptions.h
new file mode 100644
index 0000000000..46efaeea62
--- /dev/null
+++ b/src/util/base_exceptions.h
@@ -0,0 +1,29 @@
+/*******************************************************************\
+
+Module: Util base exceptions
+
+Author: Diffblue Ltd.
+
+\*******************************************************************/
+
+/// \file
+/// Generic exception types primarily designed for use with invariants.
+
+#ifndef CPROVER_UTIL_BASE_EXCEPTIONS_H
+#define CPROVER_UTIL_BASE_EXCEPTIONS_H
+
+#include "util/invariant.h"
+
+class bad_cast_exceptiont:public invariant_failedt
+{
+public:
+  using invariant_failedt::invariant_failedt;
+};
+
+class nullptr_exceptiont:public invariant_failedt
+{
+public:
+  using invariant_failedt::invariant_failedt;
+};
+
+#endif

From cf9182fdae9f10c66e1760073d3a41ddbf749d7e Mon Sep 17 00:00:00 2001
From: reuk 
Date: Tue, 25 Jul 2017 09:41:37 +0100
Subject: [PATCH 89/89] Update exception types with vs2013 support

---
 src/util/base_exceptions.h | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/util/base_exceptions.h b/src/util/base_exceptions.h
index 46efaeea62..6d1218a9e7 100644
--- a/src/util/base_exceptions.h
+++ b/src/util/base_exceptions.h
@@ -17,13 +17,21 @@ Author: Diffblue Ltd.
 class bad_cast_exceptiont:public invariant_failedt
 {
 public:
-  using invariant_failedt::invariant_failedt;
+  // Normally we'd prefer
+  // using invariant_failedt::invariant_failedt;
+  // However, this isn't supported on VS2013.
+
+  template 
+  explicit bad_cast_exceptiont(Ts &&...ts):
+    invariant_failedt(std::forward(ts)...) {}
 };
 
 class nullptr_exceptiont:public invariant_failedt
 {
 public:
-  using invariant_failedt::invariant_failedt;
+  template 
+  explicit nullptr_exceptiont(Ts &&...ts):
+    invariant_failedt(std::forward(ts)...) {}
 };
 
 #endif