Merge pull request #3248 from romainbrenguier/bugfix/char-array-in-string-solver

romainbrenguier · web-flow · commit 64ec1953f4c0 · 2018-11-05T09:25:49.000Z
Bugfix/char array in string solver
diff --git a/jbmc/src/java_bytecode/java_string_library_preprocess.h b/jbmc/src/java_bytecode/java_string_library_preprocess.h
@@ -37,7 +37,7 @@ class java_string_library_preprocesst:public messaget
   java_string_library_preprocesst()
     : char_type(java_char_type()),
       index_type(java_int_type()),
-      refined_string_type(index_type, char_type)
+      refined_string_type(index_type, pointer_type(char_type))
   {
   }
 
diff --git a/jbmc/unit/solvers/refinement/string_constraint_instantiation/instantiate_not_contains.cpp b/jbmc/unit/solvers/refinement/string_constraint_instantiation/instantiate_not_contains.cpp
@@ -36,7 +36,7 @@ class tt
   }
   refined_string_typet string_type() const
   {
-    return refined_string_typet(length_type(), char_type());
+    return refined_string_typet(length_type(), pointer_type(char_type()));
   }
   array_typet witness_type() const
   {
diff --git a/jbmc/unit/solvers/refinement/string_refinement/dependency_graph.cpp b/jbmc/unit/solvers/refinement/string_refinement/dependency_graph.cpp
@@ -48,7 +48,8 @@ SCENARIO("dependency_graph", "[core][solvers][refinement][string_refinement]")
   GIVEN("dependency graph")
   {
     string_dependenciest dependencies;
-    refined_string_typet string_type(java_char_type(), java_int_type());
+    const typet string_type =
+      refined_string_typet(java_int_type(), pointer_type(java_char_type()));
     const exprt string1 = make_string_argument("string1");
     const exprt string2 = make_string_argument("string2");
     const exprt string3 = make_string_argument("string3");
diff --git a/src/solvers/refinement/string_refinement.cpp b/src/solvers/refinement/string_refinement.cpp
@@ -270,12 +270,15 @@ static void make_char_array_pointer_associations(
   }
 }
 
-void replace_symbols_in_equations(
-  const union_find_replacet &symbol_resolve,
-  std::vector<equal_exprt> &equations)
+/// Substitute sub-expressions in equation by representative elements of
+/// `symbol_resolve` whenever possible.
+/// Similar to `symbol_resolve.replace_expr` but doesn't mutate the expression
+/// and returns the transformed expression instead.
+static exprt
+replace_expr_copy(const union_find_replacet &symbol_resolve, exprt expr)
 {
-  for(equal_exprt &eq : equations)
-    symbol_resolve.replace_expr(eq);
+  symbol_resolve.replace_expr(expr);
+  return expr;
 }
 
 /// Record the constraints to ensure that the expression is true when
@@ -301,20 +304,22 @@ void string_refinementt::set_to(const exprt &expr, bool value)
 }
 
 /// Add association for each char pointer in the equation
+/// \param symbol_solver: a union_find_replacet object to keep track of
+///   char pointer equations
 /// \param equations: vector of equations
 /// \param ns: namespace
 /// \param stream: output stream
 /// \return union_find_replacet where char pointer that have been set equal
 ///         by an equation are associated to the same element
-static union_find_replacet generate_symbol_resolution_from_equations(
+static void add_equations_for_symbol_resolution(
+  union_find_replacet &symbol_solver,
   const std::vector<equal_exprt> &equations,
   const namespacet &ns,
   messaget::mstreamt &stream)
 {
   const auto eom = messaget::eom;
   const std::string log_message =
     "WARNING string_refinement.cpp generate_symbol_resolution_from_equations:";
-  union_find_replacet solver;
   for(const equal_exprt &eq : equations)
   {
     const exprt &lhs = eq.lhs();
@@ -335,7 +340,7 @@ static union_find_replacet generate_symbol_resolution_from_equations(
 
     if(is_char_pointer_type(rhs.type()))
     {
-      solver.make_union(lhs, rhs);
+      symbol_solver.make_union(lhs, rhs);
     }
     else if(rhs.id() == ID_function_application)
     {
@@ -355,7 +360,7 @@ static union_find_replacet generate_symbol_resolution_from_equations(
             const member_exprt lhs_data(lhs, comp.get_name(), comp.type());
             const exprt rhs_data = simplify_expr(
               member_exprt(rhs, comp.get_name(), comp.type()), ns);
-            solver.make_union(lhs_data, rhs_data);
+            symbol_solver.make_union(lhs_data, rhs_data);
           }
         }
       }
@@ -366,7 +371,6 @@ static union_find_replacet generate_symbol_resolution_from_equations(
       }
     }
   }
-  return solver;
 }
 
 /// This is meant to be used on the lhs of an equation with string subtype.
@@ -613,9 +617,9 @@ decision_proceduret::resultt string_refinementt::dec_solve()
 #endif
 
   debug() << "dec_solve: Build symbol solver from equations" << eom;
-  // This is used by get, that's why we use a class member here
-  symbol_resolve =
-    generate_symbol_resolution_from_equations(equations, ns, debug());
+  // symbol_resolve is used by get and is kept between calls to dec_solve,
+  // that's why we use a class member here
+  add_equations_for_symbol_resolution(symbol_resolve, equations, ns, debug());
 #ifdef DEBUG
   debug() << "symbol resolve:" << eom;
   for(const auto &pair : symbol_resolve.to_vector())
@@ -632,9 +636,6 @@ decision_proceduret::resultt string_refinementt::dec_solve()
   }
 #endif
 
-  debug() << "dec_solve: Replacing char pointer symbols" << eom;
-  replace_symbols_in_equations(symbol_resolve, equations);
-
   debug() << "dec_solve: Replacing string ids in function applications" << eom;
   for(equal_exprt &eq : equations)
   {
@@ -653,10 +654,18 @@ decision_proceduret::resultt string_refinementt::dec_solve()
 
   debug() << "dec_solve: compute dependency graph and remove function "
           << "applications captured by the dependencies:" << eom;
-  std::vector<exprt> local_equations;
+  std::vector<equal_exprt> local_equations;
   for(const equal_exprt &eq : equations)
   {
-    if(!add_node(dependencies, eq, generator.array_pool))
+    // Ensures that arrays that are equal, are associated to the same nodes
+    // in the graph.
+    const equal_exprt eq_with_char_array_replaced_with_representative_elements =
+      to_equal_expr(replace_expr_copy(symbol_resolve, eq));
+    const bool node_added = add_node(
+      dependencies,
+      eq_with_char_array_replaced_with_representative_elements,
+      generator.array_pool);
+    if(!node_added)
       local_equations.push_back(eq);
   }
   equations.clear();
diff --git a/src/util/refined_string_type.cpp b/src/util/refined_string_type.cpp
@@ -21,10 +21,10 @@ Author: Romain Brenguier, romain.brenguier@diffblue.com
 #include "std_expr.h"
 
 refined_string_typet::refined_string_typet(
-  const typet &index_type, const typet &char_type)
+  const typet &index_type,
+  const pointer_typet &content_type)
 {
-  array_typet char_array(char_type, infinity_exprt(index_type));
   components().emplace_back("length", index_type);
-  components().emplace_back("content", char_array);
+  components().emplace_back("content", content_type);
   set_tag(CPROVER_PREFIX"refined_string_type");
 }
diff --git a/src/util/refined_string_type.h b/src/util/refined_string_type.h
@@ -26,7 +26,9 @@ Author: Romain Brenguier, romain.brenguier@diffblue.com
 class refined_string_typet: public struct_typet
 {
 public:
-  refined_string_typet(const typet &index_type, const typet &char_type);
+  refined_string_typet(
+    const typet &index_type,
+    const pointer_typet &content_type);
 
   // Type for the content (list of characters) of a string
   const array_typet &get_content_type() const
diff --git a/src/util/string_expr.h b/src/util/string_expr.h
@@ -198,7 +198,7 @@ class refined_string_exprt : public struct_exprt,
     : refined_string_exprt(
         _length,
         _content,
-        refined_string_typet(_length.type(), _content.type()))
+        refined_string_typet(_length.type(), to_pointer_type(_content.type())))
   {
   }
 

Original file line number	Diff line number	Diff line change
`@@ -37,7 +37,7 @@ class java_string_library_preprocesst:public messaget`
`37`	`37`	`java_string_library_preprocesst()`
`38`	`38`	`: char_type(java_char_type()),`
`39`	`39`	`index_type(java_int_type()),`
`40`		`- refined_string_type(index_type, char_type)`
	`40`	`+ refined_string_type(index_type, pointer_type(char_type))`
`41`	`41`	`{`
`42`	`42`	`}`
`43`	`43`
Original file line number	Diff line number	Diff line change
`@@ -36,7 +36,7 @@ class tt`
`36`	`36`	`}`
`37`	`37`	`refined_string_typet string_type() const`
`38`	`38`	`{`
`39`		`- return refined_string_typet(length_type(), char_type());`
	`39`	`+ return refined_string_typet(length_type(), pointer_type(char_type()));`
`40`	`40`	`}`
`41`	`41`	`array_typet witness_type() const`
`42`	`42`	`{`
Original file line number	Diff line number	Diff line change
`@@ -270,12 +270,15 @@ static void make_char_array_pointer_associations(`
`270`	`270`	`}`
`271`	`271`	`}`
`272`	`272`
`273`		`-void replace_symbols_in_equations(`
`274`		`- const union_find_replacet &symbol_resolve,`
`275`		`- std::vector<equal_exprt> &equations)`
	`273`	`+/// Substitute sub-expressions in equation by representative elements of`
	`274`	+/// `symbol_resolve` whenever possible.
	`275`	+/// Similar to `symbol_resolve.replace_expr` but doesn't mutate the expression
	`276`	`+/// and returns the transformed expression instead.`
	`277`	`+static exprt`
	`278`	`+replace_expr_copy(const union_find_replacet &symbol_resolve, exprt expr)`
`276`	`279`	`{`
`277`		`- for(equal_exprt &eq : equations)`
`278`		`- symbol_resolve.replace_expr(eq);`
	`280`	`+ symbol_resolve.replace_expr(expr);`
	`281`	`+ return expr;`
`279`	`282`	`}`
`280`	`283`
`281`	`284`	`/// Record the constraints to ensure that the expression is true when`
`@@ -301,20 +304,22 @@ void string_refinementt::set_to(const exprt &expr, bool value)`
`301`	`304`	`}`
`302`	`305`
`303`	`306`	`/// Add association for each char pointer in the equation`
	`307`	`+/// \param symbol_solver: a union_find_replacet object to keep track of`
	`308`	`+/// char pointer equations`
`304`	`309`	`/// \param equations: vector of equations`
`305`	`310`	`/// \param ns: namespace`
`306`	`311`	`/// \param stream: output stream`
`307`	`312`	`/// \return union_find_replacet where char pointer that have been set equal`
`308`	`313`	`/// by an equation are associated to the same element`
`309`		`-static union_find_replacet generate_symbol_resolution_from_equations(`
	`314`	`+static void add_equations_for_symbol_resolution(`
	`315`	`+ union_find_replacet &symbol_solver,`
`310`	`316`	`const std::vector<equal_exprt> &equations,`
`311`	`317`	`const namespacet &ns,`
`312`	`318`	`messaget::mstreamt &stream)`
`313`	`319`	`{`
`314`	`320`	`const auto eom = messaget::eom;`
`315`	`321`	`const std::string log_message =`
`316`	`322`	`"WARNING string_refinement.cpp generate_symbol_resolution_from_equations:";`
`317`		`- union_find_replacet solver;`
`318`	`323`	`for(const equal_exprt &eq : equations)`
`319`	`324`	`{`
`320`	`325`	`const exprt &lhs = eq.lhs();`
`@@ -335,7 +340,7 @@ static union_find_replacet generate_symbol_resolution_from_equations(`
`335`	`340`
`336`	`341`	`if(is_char_pointer_type(rhs.type()))`
`337`	`342`	`{`
`338`		`- solver.make_union(lhs, rhs);`
	`343`	`+ symbol_solver.make_union(lhs, rhs);`
`339`	`344`	`}`
`340`	`345`	`else if(rhs.id() == ID_function_application)`
`341`	`346`	`{`
`@@ -355,7 +360,7 @@ static union_find_replacet generate_symbol_resolution_from_equations(`
`355`	`360`	`const member_exprt lhs_data(lhs, comp.get_name(), comp.type());`
`356`	`361`	`const exprt rhs_data = simplify_expr(`
`357`	`362`	`member_exprt(rhs, comp.get_name(), comp.type()), ns);`
`358`		`- solver.make_union(lhs_data, rhs_data);`
	`363`	`+ symbol_solver.make_union(lhs_data, rhs_data);`
`359`	`364`	`}`
`360`	`365`	`}`
`361`	`366`	`}`
`@@ -366,7 +371,6 @@ static union_find_replacet generate_symbol_resolution_from_equations(`
`366`	`371`	`}`
`367`	`372`	`}`
`368`	`373`	`}`
`369`		`- return solver;`
`370`	`374`	`}`
`371`	`375`
`372`	`376`	`/// This is meant to be used on the lhs of an equation with string subtype.`
`@@ -613,9 +617,9 @@ decision_proceduret::resultt string_refinementt::dec_solve()`
`613`	`617`	`#endif`
`614`	`618`
`615`	`619`	`debug() << "dec_solve: Build symbol solver from equations" << eom;`
`616`		`- // This is used by get, that's why we use a class member here`
`617`		`- symbol_resolve =`
`618`		`- generate_symbol_resolution_from_equations(equations, ns, debug());`
	`620`	`+ // symbol_resolve is used by get and is kept between calls to dec_solve,`
	`621`	`+ // that's why we use a class member here`
	`622`	`+ add_equations_for_symbol_resolution(symbol_resolve, equations, ns, debug());`
`619`	`623`	`#ifdef DEBUG`
`620`	`624`	`debug() << "symbol resolve:" << eom;`
`621`	`625`	`for(const auto &pair : symbol_resolve.to_vector())`
`@@ -632,9 +636,6 @@ decision_proceduret::resultt string_refinementt::dec_solve()`
`632`	`636`	`}`
`633`	`637`	`#endif`
`634`	`638`
`635`		`- debug() << "dec_solve: Replacing char pointer symbols" << eom;`
`636`		`- replace_symbols_in_equations(symbol_resolve, equations);`
`637`		`-`
`638`	`639`	`debug() << "dec_solve: Replacing string ids in function applications" << eom;`
`639`	`640`	`for(equal_exprt &eq : equations)`
`640`	`641`	`{`
`@@ -653,10 +654,18 @@ decision_proceduret::resultt string_refinementt::dec_solve()`
`653`	`654`
`654`	`655`	`debug() << "dec_solve: compute dependency graph and remove function "`
`655`	`656`	`<< "applications captured by the dependencies:" << eom;`
`656`		`- std::vector<exprt> local_equations;`
	`657`	`+ std::vector<equal_exprt> local_equations;`
`657`	`658`	`for(const equal_exprt &eq : equations)`
`658`	`659`	`{`
`659`		`- if(!add_node(dependencies, eq, generator.array_pool))`
	`660`	`+ // Ensures that arrays that are equal, are associated to the same nodes`
	`661`	`+ // in the graph.`
	`662`	`+ const equal_exprt eq_with_char_array_replaced_with_representative_elements =`
	`663`	`+ to_equal_expr(replace_expr_copy(symbol_resolve, eq));`
	`664`	`+ const bool node_added = add_node(`
	`665`	`+ dependencies,`
	`666`	`+ eq_with_char_array_replaced_with_representative_elements,`
	`667`	`+ generator.array_pool);`
	`668`	`+ if(!node_added)`
`660`	`669`	`local_equations.push_back(eq);`
`661`	`670`	`}`
`662`	`671`	`equations.clear();`
Original file line number	Diff line number	Diff line change
`@@ -21,10 +21,10 @@ Author: Romain Brenguier, [email protected]`
`21`	`21`	`#include "std_expr.h"`
`22`	`22`
`23`	`23`	`refined_string_typet::refined_string_typet(`
`24`		`- const typet &index_type, const typet &char_type)`
	`24`	`+ const typet &index_type,`
	`25`	`+ const pointer_typet &content_type)`
`25`	`26`	`{`
`26`		`- array_typet char_array(char_type, infinity_exprt(index_type));`
`27`	`27`	`components().emplace_back("length", index_type);`
`28`		`- components().emplace_back("content", char_array);`
	`28`	`+ components().emplace_back("content", content_type);`
`29`	`29`	`set_tag(CPROVER_PREFIX"refined_string_type");`
`30`	`30`	`}`
Original file line number	Diff line number	Diff line change
`@@ -198,7 +198,7 @@ class refined_string_exprt : public struct_exprt,`
`198`	`198`	`: refined_string_exprt(`
`199`	`199`	`_length,`
`200`	`200`	`_content,`
`201`		`- refined_string_typet(_length.type(), _content.type()))`
	`201`	`+ refined_string_typet(_length.type(), to_pointer_type(_content.type())))`
`202`	`202`	`{`
`203`	`203`	`}`
`204`	`204`