Add pointer field to value_set_dereferencet::valuet

Owen · smowton · commit 2fb47cc77b4c · 2019-05-13T17:07:52.000+01:00
value_set_dereferencet::valuet is only used as the return value of
value_set_dereferencet::build_reference_to. valuet::value is an
expression for the object pointed to, which is what's needed for
dereferencing. In other contexts, e.g. filtering value-sets, what
is needed is an expression for the pointer. This logic already
existed in try_filter_value_set, but putting it directly in
build_reference_to makes it easier to use it in other places and
makes it clear that it didn't cope with typecasts properly.
diff --git a/src/goto-symex/symex_main.cpp b/src/goto-symex/symex_main.cpp
@@ -721,9 +721,11 @@ void goto_symext::try_filter_value_sets(
   // one of its possible values in turn. If that leads to a true for some
   // value_set_element then we can delete it from the value set that will be
   // used if the condition is false, and vice versa.
-  for(const auto &value_set_element : value_set_elements)
+  for(const exprt &value_set_element : value_set_elements)
   {
-    if(value_set_element.id() == ID_unknown)
+    if(
+      value_set_element.id() == ID_unknown ||
+      value_set_element.id() == ID_invalid)
     {
       continue;
     }
@@ -735,19 +737,17 @@ void goto_symext::try_filter_value_sets(
       continue;
     }
 
-    value_set_dereferencet::valuet possible_value =
+    value_set_dereferencet::valuet value =
       value_set_dereferencet::build_reference_to(
         value_set_element, *symbol_expr, ns);
 
-    exprt replacement_expr =
-      possible_value.value.is_nil()
-        ? static_cast<exprt>(null_pointer_exprt{symbol_type})
-        : static_cast<exprt>(address_of_exprt{possible_value.value});
+    if(value.pointer.is_nil())
+      continue;
 
     exprt modified_condition(condition);
 
     address_of_aware_replace_symbolt replace_symbol{};
-    replace_symbol.insert(*symbol_expr, replacement_expr);
+    replace_symbol.insert(*symbol_expr, value.pointer);
     replace_symbol(modified_condition);
 
     // This do_simplify() is needed for the following reason: if `condition` is
diff --git a/src/pointer-analysis/value_set_dereference.cpp b/src/pointer-analysis/value_set_dereference.cpp
@@ -23,6 +23,7 @@ Author: Daniel Kroening, kroening@kroening.com
 #include <util/config.h>
 #include <util/cprover_prefix.h>
 #include <util/expr_iterator.h>
+#include <util/expr_util.h>
 #include <util/format_type.h>
 #include <util/fresh_symbol.h>
 #include <util/options.h>
@@ -361,7 +362,9 @@ value_set_dereferencet::valuet value_set_dereferencet::build_reference_to(
   const exprt &pointer_expr,
   const namespacet &ns)
 {
-  const typet &dereference_type = pointer_expr.type().subtype();
+  const pointer_typet &pointer_type =
+    type_checked_cast<pointer_typet>(pointer_expr.type());
+  const typet &dereference_type = pointer_type.subtype();
 
   if(what.id()==ID_unknown ||
      what.id()==ID_invalid)
@@ -385,6 +388,7 @@ value_set_dereferencet::valuet value_set_dereferencet::build_reference_to(
 
   if(root_object.id() == ID_null_object)
   {
+    result.pointer = null_pointer_exprt{pointer_type};
   }
   else if(root_object.id()==ID_dynamic_object)
   {
@@ -394,6 +398,7 @@ value_set_dereferencet::valuet value_set_dereferencet::build_reference_to(
 
     // can't remove here, turn into *p
     result.value = dereference_exprt{pointer_expr};
+    result.pointer = pointer_expr;
   }
   else if(root_object.id()==ID_integer_address)
   {
@@ -414,6 +419,7 @@ value_set_dereferencet::valuet value_set_dereferencet::build_reference_to(
         memory_symbol.type.subtype());
 
       result.value=index_expr;
+      result.pointer = address_of_exprt{index_expr};
     }
     else if(
       dereference_type_compare(
@@ -424,6 +430,8 @@ value_set_dereferencet::valuet value_set_dereferencet::build_reference_to(
         pointer_offset(pointer_expr),
         memory_symbol.type.subtype());
       result.value=typecast_exprt(index_expr, dereference_type);
+      result.pointer =
+        typecast_exprt{address_of_exprt{index_expr}, pointer_type};
     }
     else
     {
@@ -440,6 +448,7 @@ value_set_dereferencet::valuet value_set_dereferencet::build_reference_to(
           symbol_expr,
           pointer_offset(pointer_expr),
           dereference_type);
+        result.pointer = address_of_exprt{result.value};
       }
     }
   }
@@ -472,6 +481,8 @@ value_set_dereferencet::valuet value_set_dereferencet::build_reference_to(
       // This is great, we are almost done.
 
       result.value = typecast_exprt::conditional_cast(object, dereference_type);
+      result.pointer =
+        typecast_exprt::conditional_cast(object_pointer, pointer_type);
     }
     else if(
       root_object_type.id() == ID_array &&
@@ -515,9 +526,12 @@ value_set_dereferencet::valuet value_set_dereferencet::build_reference_to(
         // TODO: need to assert well-alignedness
       }
 
-      result.value = typecast_exprt::conditional_cast(
-        index_exprt(root_object, adjusted_offset, root_object_type.subtype()),
-        dereference_type);
+      const index_exprt &index_expr =
+        index_exprt(root_object, adjusted_offset, root_object_type.subtype());
+      result.value =
+        typecast_exprt::conditional_cast(index_expr, dereference_type);
+      result.pointer = typecast_exprt::conditional_cast(
+        address_of_exprt{index_expr}, pointer_type);
     }
     else
     {
@@ -531,11 +545,15 @@ value_set_dereferencet::valuet value_set_dereferencet::build_reference_to(
         // Successfully found a member, array index, or combination thereof
         // that matches the desired type and offset:
         result.value = subexpr.value();
+        result.pointer = typecast_exprt::conditional_cast(
+          address_of_exprt{skip_typecast(subexpr.value())}, pointer_type);
         return result;
       }
 
       // we extract something from the root object
       result.value=o.root_object();
+      result.pointer = typecast_exprt::conditional_cast(
+        address_of_exprt{skip_typecast(o.root_object())}, pointer_type);
 
       // this is relative to the root object
       exprt offset;
diff --git a/src/pointer-analysis/value_set_dereference.h b/src/pointer-analysis/value_set_dereference.h
@@ -59,9 +59,11 @@ class value_set_dereferencet final
   {
   public:
     exprt value;
+    exprt pointer;
     exprt pointer_guard;
 
-    valuet() : value(nil_exprt()), pointer_guard(false_exprt())
+    valuet()
+      : value{nil_exprt{}}, pointer{nil_exprt{}}, pointer_guard{false_exprt{}}
     {
     }
   };

Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,7 @@ Author: Daniel Kroening, [email protected]`
`23`	`23`	`#include <util/config.h>`
`24`	`24`	`#include <util/cprover_prefix.h>`
`25`	`25`	`#include <util/expr_iterator.h>`
	`26`	`+#include <util/expr_util.h>`
`26`	`27`	`#include <util/format_type.h>`
`27`	`28`	`#include <util/fresh_symbol.h>`
`28`	`29`	`#include <util/options.h>`
`@@ -361,7 +362,9 @@ value_set_dereferencet::valuet value_set_dereferencet::build_reference_to(`
`361`	`362`	`const exprt &pointer_expr,`
`362`	`363`	`const namespacet &ns)`
`363`	`364`	`{`
`364`		`- const typet &dereference_type = pointer_expr.type().subtype();`
	`365`	`+ const pointer_typet &pointer_type =`
	`366`	`+ type_checked_cast<pointer_typet>(pointer_expr.type());`
	`367`	`+ const typet &dereference_type = pointer_type.subtype();`
`365`	`368`
`366`	`369`	`if(what.id()==ID_unknown \|\|`
`367`	`370`	`what.id()==ID_invalid)`
`@@ -385,6 +388,7 @@ value_set_dereferencet::valuet value_set_dereferencet::build_reference_to(`
`385`	`388`
`386`	`389`	`if(root_object.id() == ID_null_object)`
`387`	`390`	`{`
	`391`	`+ result.pointer = null_pointer_exprt{pointer_type};`
`388`	`392`	`}`
`389`	`393`	`else if(root_object.id()==ID_dynamic_object)`
`390`	`394`	`{`
`@@ -394,6 +398,7 @@ value_set_dereferencet::valuet value_set_dereferencet::build_reference_to(`
`394`	`398`
`395`	`399`	`// can't remove here, turn into *p`
`396`	`400`	`result.value = dereference_exprt{pointer_expr};`
	`401`	`+ result.pointer = pointer_expr;`
`397`	`402`	`}`
`398`	`403`	`else if(root_object.id()==ID_integer_address)`
`399`	`404`	`{`
`@@ -414,6 +419,7 @@ value_set_dereferencet::valuet value_set_dereferencet::build_reference_to(`
`414`	`419`	`memory_symbol.type.subtype());`
`415`	`420`
`416`	`421`	`result.value=index_expr;`
	`422`	`+ result.pointer = address_of_exprt{index_expr};`
`417`	`423`	`}`
`418`	`424`	`else if(`
`419`	`425`	`dereference_type_compare(`
`@@ -424,6 +430,8 @@ value_set_dereferencet::valuet value_set_dereferencet::build_reference_to(`
`424`	`430`	`pointer_offset(pointer_expr),`
`425`	`431`	`memory_symbol.type.subtype());`
`426`	`432`	`result.value=typecast_exprt(index_expr, dereference_type);`
	`433`	`+ result.pointer =`
	`434`	`+ typecast_exprt{address_of_exprt{index_expr}, pointer_type};`
`427`	`435`	`}`
`428`	`436`	`else`
`429`	`437`	`{`
`@@ -440,6 +448,7 @@ value_set_dereferencet::valuet value_set_dereferencet::build_reference_to(`
`440`	`448`	`symbol_expr,`
`441`	`449`	`pointer_offset(pointer_expr),`
`442`	`450`	`dereference_type);`
	`451`	`+ result.pointer = address_of_exprt{result.value};`
`443`	`452`	`}`
`444`	`453`	`}`
`445`	`454`	`}`
`@@ -472,6 +481,8 @@ value_set_dereferencet::valuet value_set_dereferencet::build_reference_to(`
`472`	`481`	`// This is great, we are almost done.`
`473`	`482`
`474`	`483`	`result.value = typecast_exprt::conditional_cast(object, dereference_type);`
	`484`	`+ result.pointer =`
	`485`	`+ typecast_exprt::conditional_cast(object_pointer, pointer_type);`
`475`	`486`	`}`
`476`	`487`	`else if(`
`477`	`488`	`root_object_type.id() == ID_array &&`
`@@ -515,9 +526,12 @@ value_set_dereferencet::valuet value_set_dereferencet::build_reference_to(`
`515`	`526`	`// TODO: need to assert well-alignedness`
`516`	`527`	`}`
`517`	`528`
`518`		`- result.value = typecast_exprt::conditional_cast(`
`519`		`- index_exprt(root_object, adjusted_offset, root_object_type.subtype()),`
`520`		`- dereference_type);`
	`529`	`+ const index_exprt &index_expr =`
	`530`	`+ index_exprt(root_object, adjusted_offset, root_object_type.subtype());`
	`531`	`+ result.value =`
	`532`	`+ typecast_exprt::conditional_cast(index_expr, dereference_type);`
	`533`	`+ result.pointer = typecast_exprt::conditional_cast(`
	`534`	`+ address_of_exprt{index_expr}, pointer_type);`
`521`	`535`	`}`
`522`	`536`	`else`
`523`	`537`	`{`
`@@ -531,11 +545,15 @@ value_set_dereferencet::valuet value_set_dereferencet::build_reference_to(`
`531`	`545`	`// Successfully found a member, array index, or combination thereof`
`532`	`546`	`// that matches the desired type and offset:`
`533`	`547`	`result.value = subexpr.value();`
	`548`	`+ result.pointer = typecast_exprt::conditional_cast(`
	`549`	`+ address_of_exprt{skip_typecast(subexpr.value())}, pointer_type);`
`534`	`550`	`return result;`
`535`	`551`	`}`
`536`	`552`
`537`	`553`	`// we extract something from the root object`
`538`	`554`	`result.value=o.root_object();`
	`555`	`+ result.pointer = typecast_exprt::conditional_cast(`
	`556`	`+ address_of_exprt{skip_typecast(o.root_object())}, pointer_type);`
`539`	`557`
`540`	`558`	`// this is relative to the root object`
`541`	`559`	`exprt offset;`
Original file line number	Diff line number	Diff line change
`@@ -59,9 +59,11 @@ class value_set_dereferencet final`
`59`	`59`	`{`
`60`	`60`	`public:`
`61`	`61`	`exprt value;`
	`62`	`+ exprt pointer;`
`62`	`63`	`exprt pointer_guard;`
`63`	`64`
`64`		`- valuet() : value(nil_exprt()), pointer_guard(false_exprt())`
	`65`	`+ valuet()`
	`66`	`+ : value{nil_exprt{}}, pointer{nil_exprt{}}, pointer_guard{false_exprt{}}`
`65`	`67`	`{`
`66`	`68`	`}`
`67`	`69`	`};`