Re-implement points_to_member query

petr-bauch · petr-bauch · commit 33d0a79b6843 · 2019-05-08T08:49:21.000+01:00
To account for the possibility of the pointee to be dynamically allocated.
diff --git a/src/memory-analyzer/analyze_symbol.cpp b/src/memory-analyzer/analyze_symbol.cpp
@@ -91,6 +91,13 @@ optionalt<std::string> gdb_value_extractort::get_malloc_pointee(
          (pointer_distance > 0 ? "+" + integer2string(pointer_distance) : "");
 }
 
+mp_integer gdb_value_extractort::get_type_size(const typet &type) const
+{
+  const auto maybe_size = pointer_offset_bits(type, ns);
+  CHECK_RETURN(maybe_size.has_value());
+  return *maybe_size / 8;
+}
+
 void gdb_value_extractort::analyze_symbols(
   const std::vector<std::string> &symbols)
 {
@@ -433,11 +440,22 @@ exprt gdb_value_extractort::get_non_char_pointer_value(
 }
 
 bool gdb_value_extractort::points_to_member(
-  const pointer_valuet &pointer_value) const
+  pointer_valuet &pointer_value,
+  const typet &expected_type)
 {
   if(pointer_value.pointee.find("+") != std::string::npos)
     return true;
 
+  if(pointer_value.pointee.empty())
+  {
+    const auto maybe_pointee = get_malloc_pointee(
+      pointer_value.address, get_type_size(expected_type.subtype()));
+    if(maybe_pointee.has_value())
+      pointer_value.pointee = *maybe_pointee;
+    if(pointer_value.pointee.find("+") != std::string::npos)
+      return true;
+  }
+
   const symbolt *pointee_symbol = symbol_table.lookup(pointer_value.pointee);
   if(pointee_symbol == nullptr)
     return false;
@@ -470,7 +488,7 @@ exprt gdb_value_extractort::get_pointer_value(
   if(!memory_location.is_null())
   {
     // pointers-to-char can point to members as well, e.g. char[]
-    if(points_to_member(value))
+    if(points_to_member(value, expr.type()))
     {
       const auto target_expr =
         get_pointer_to_member_value(expr, value, location);
diff --git a/src/memory-analyzer/analyze_symbol.h b/src/memory-analyzer/analyze_symbol.h
@@ -155,6 +155,11 @@ class gdb_value_extractort
   optionalt<std::string>
   get_malloc_pointee(const memory_addresst &point, mp_integer member_size);
 
+  /// Wrapper for call get_offset_pointer_bits
+  /// \param type: type to get the size of
+  /// \return the size of the type in bytes
+  mp_integer get_type_size(const typet &type) const;
+
   /// Assign the gdb-extracted value for \p symbol_name to its symbol
   ///   expression and then process outstanding assignments that this
   ///   extraction introduced.
@@ -274,8 +279,10 @@ class gdb_value_extractort
   /// Analyzes the \p pointer_value to decide if it point to a struct or a
   ///   union (or array)
   /// \param pointer_value: pointer value to be analyzed
+  /// \param expected_type: type of the potential member
   /// \return true if pointing to a member
-  bool points_to_member(const pointer_valuet &pointer_value) const;
+  bool
+  points_to_member(pointer_valuet &pointer_value, const typet &expected_type);
 };
 
 #endif // CPROVER_MEMORY_ANALYZER_ANALYZE_SYMBOL_H
