Add pointer field to value_set_dereferencet::valuet

Owen · smowton · commit a989ccadf35a · 2019-05-10T10:01:10.000+01:00
value_set_dereferencet::valuet is only used as the return value of
value_set_dereferencet::build_reference_to. valuet::value is an
expression for the object pointed to, which is what's needed for
dereferencing. In other contexts, e.g. filtering value-sets, what
is needed is an expression for the pointer. This logic already
existed in try_filter_value_set, but putting it directly in
build_reference_to makes it easier to use it in other places and
makes it clear that it didn't cope with typecasts properly.
diff --git a/src/goto-symex/symex_main.cpp b/src/goto-symex/symex_main.cpp
@@ -707,9 +707,11 @@ void goto_symext::try_filter_value_sets(
   // one of its possible values in turn. If that leads to a true for some
   // value_set_element then we can delete it from the value set that will be
   // used if the condition is false, and vice versa.
-  for(const auto &value_set_element : value_set_elements)
+  for(const exprt &value_set_element : value_set_elements)
   {
-    if(value_set_element.id() == ID_unknown)
+    if(
+      value_set_element.id() == ID_unknown ||
+      value_set_element.id() == ID_invalid)
     {
       continue;
     }
@@ -721,19 +723,17 @@ void goto_symext::try_filter_value_sets(
       continue;
     }
 
-    value_set_dereferencet::valuet possible_value =
+    value_set_dereferencet::valuet value =
       value_set_dereferencet::build_reference_to(
         value_set_element, *symbol_expr, ns);
 
-    exprt replacement_expr =
-      possible_value.value.is_nil()
-        ? static_cast<exprt>(null_pointer_exprt{symbol_type})
-        : static_cast<exprt>(address_of_exprt{possible_value.value});
+    if(value.pointer.is_nil())
+      continue;
 
     exprt modified_condition(condition);
 
     address_of_aware_replace_symbolt replace_symbol{};
-    replace_symbol.insert(*symbol_expr, replacement_expr);
+    replace_symbol.insert(*symbol_expr, value.pointer);
     replace_symbol(modified_condition);
 
     // This do_simplify() is needed for the following reason: if `condition` is
diff --git a/src/pointer-analysis/value_set_dereference.cpp b/src/pointer-analysis/value_set_dereference.cpp
@@ -22,6 +22,7 @@ Author: Daniel Kroening, kroening@kroening.com
 #include <util/c_types.h>
 #include <util/config.h>
 #include <util/cprover_prefix.h>
+#include <util/expr_util.h>
 #include <util/format_type.h>
 #include <util/fresh_symbol.h>
 #include <util/options.h>
@@ -295,7 +296,9 @@ value_set_dereferencet::valuet value_set_dereferencet::build_reference_to(
   const exprt &pointer_expr,
   const namespacet &ns)
 {
-  const typet &dereference_type = pointer_expr.type().subtype();
+  const pointer_typet &pointer_type =
+    type_checked_cast<pointer_typet>(pointer_expr.type());
+  const typet &dereference_type = pointer_type.subtype();
 
   if(what.id()==ID_unknown ||
      what.id()==ID_invalid)
@@ -319,6 +322,7 @@ value_set_dereferencet::valuet value_set_dereferencet::build_reference_to(
 
   if(root_object.id() == ID_null_object)
   {
+    result.pointer = null_pointer_exprt{pointer_type};
   }
   else if(root_object.id()==ID_dynamic_object)
   {
@@ -328,6 +332,7 @@ value_set_dereferencet::valuet value_set_dereferencet::build_reference_to(
 
     // can't remove here, turn into *p
     result.value = dereference_exprt{pointer_expr};
+    result.pointer = pointer_expr;
   }
   else if(root_object.id()==ID_integer_address)
   {
@@ -348,6 +353,7 @@ value_set_dereferencet::valuet value_set_dereferencet::build_reference_to(
         memory_symbol.type.subtype());
 
       result.value=index_expr;
+      result.pointer = address_of_exprt{index_expr};
     }
     else if(
       dereference_type_compare(
@@ -358,6 +364,8 @@ value_set_dereferencet::valuet value_set_dereferencet::build_reference_to(
         pointer_offset(pointer_expr),
         memory_symbol.type.subtype());
       result.value=typecast_exprt(index_expr, dereference_type);
+      result.pointer =
+        typecast_exprt{address_of_exprt{index_expr}, pointer_type};
     }
     else
     {
@@ -374,6 +382,7 @@ value_set_dereferencet::valuet value_set_dereferencet::build_reference_to(
           symbol_expr,
           pointer_offset(pointer_expr),
           dereference_type);
+        result.pointer = address_of_exprt{result.value};
       }
     }
   }
@@ -406,6 +415,8 @@ value_set_dereferencet::valuet value_set_dereferencet::build_reference_to(
       // This is great, we are almost done.
 
       result.value = typecast_exprt::conditional_cast(object, dereference_type);
+      result.pointer =
+        typecast_exprt::conditional_cast(object_pointer, pointer_type);
     }
     else if(
       root_object_type.id() == ID_array &&
@@ -449,9 +460,12 @@ value_set_dereferencet::valuet value_set_dereferencet::build_reference_to(
         // TODO: need to assert well-alignedness
       }
 
-      result.value = typecast_exprt::conditional_cast(
-        index_exprt(root_object, adjusted_offset, root_object_type.subtype()),
-        dereference_type);
+      const index_exprt &index_expr =
+        index_exprt(root_object, adjusted_offset, root_object_type.subtype());
+      result.value =
+        typecast_exprt::conditional_cast(index_expr, dereference_type);
+      result.pointer = typecast_exprt::conditional_cast(
+        address_of_exprt{index_expr}, pointer_type);
     }
     else
     {
@@ -465,11 +479,15 @@ value_set_dereferencet::valuet value_set_dereferencet::build_reference_to(
         // Successfully found a member, array index, or combination thereof
         // that matches the desired type and offset:
         result.value = subexpr.value();
+        result.pointer = typecast_exprt::conditional_cast(
+          address_of_exprt{skip_typecast(subexpr.value())}, pointer_type);
         return result;
       }
 
       // we extract something from the root object
       result.value=o.root_object();
+      result.pointer = typecast_exprt::conditional_cast(
+        address_of_exprt{skip_typecast(o.root_object())}, pointer_type);
 
       // this is relative to the root object
       exprt offset;
diff --git a/src/pointer-analysis/value_set_dereference.h b/src/pointer-analysis/value_set_dereference.h
@@ -59,9 +59,13 @@ class value_set_dereferencet final
   {
   public:
     exprt value;
+    exprt pointer;
     exprt pointer_guard;
 
-    valuet() : value(nil_exprt()), pointer_guard(false_exprt())
+    valuet()
+      : value{nil_exprt{}},
+        pointer{nil_exprt{}},
+        pointer_guard{false_exprt{}}
     {
     }
   };

Original file line number	Diff line number	Diff line change
`@@ -22,6 +22,7 @@ Author: Daniel Kroening, [email protected]`
`22`	`22`	`#include <util/c_types.h>`
`23`	`23`	`#include <util/config.h>`
`24`	`24`	`#include <util/cprover_prefix.h>`
	`25`	`+#include <util/expr_util.h>`
`25`	`26`	`#include <util/format_type.h>`
`26`	`27`	`#include <util/fresh_symbol.h>`
`27`	`28`	`#include <util/options.h>`
`@@ -295,7 +296,9 @@ value_set_dereferencet::valuet value_set_dereferencet::build_reference_to(`
`295`	`296`	`const exprt &pointer_expr,`
`296`	`297`	`const namespacet &ns)`
`297`	`298`	`{`
`298`		`- const typet &dereference_type = pointer_expr.type().subtype();`
	`299`	`+ const pointer_typet &pointer_type =`
	`300`	`+ type_checked_cast<pointer_typet>(pointer_expr.type());`
	`301`	`+ const typet &dereference_type = pointer_type.subtype();`
`299`	`302`
`300`	`303`	`if(what.id()==ID_unknown \|\|`
`301`	`304`	`what.id()==ID_invalid)`
`@@ -319,6 +322,7 @@ value_set_dereferencet::valuet value_set_dereferencet::build_reference_to(`
`319`	`322`
`320`	`323`	`if(root_object.id() == ID_null_object)`
`321`	`324`	`{`
	`325`	`+ result.pointer = null_pointer_exprt{pointer_type};`
`322`	`326`	`}`
`323`	`327`	`else if(root_object.id()==ID_dynamic_object)`
`324`	`328`	`{`
`@@ -328,6 +332,7 @@ value_set_dereferencet::valuet value_set_dereferencet::build_reference_to(`
`328`	`332`
`329`	`333`	`// can't remove here, turn into *p`
`330`	`334`	`result.value = dereference_exprt{pointer_expr};`
	`335`	`+ result.pointer = pointer_expr;`
`331`	`336`	`}`
`332`	`337`	`else if(root_object.id()==ID_integer_address)`
`333`	`338`	`{`
`@@ -348,6 +353,7 @@ value_set_dereferencet::valuet value_set_dereferencet::build_reference_to(`
`348`	`353`	`memory_symbol.type.subtype());`
`349`	`354`
`350`	`355`	`result.value=index_expr;`
	`356`	`+ result.pointer = address_of_exprt{index_expr};`
`351`	`357`	`}`
`352`	`358`	`else if(`
`353`	`359`	`dereference_type_compare(`
`@@ -358,6 +364,8 @@ value_set_dereferencet::valuet value_set_dereferencet::build_reference_to(`
`358`	`364`	`pointer_offset(pointer_expr),`
`359`	`365`	`memory_symbol.type.subtype());`
`360`	`366`	`result.value=typecast_exprt(index_expr, dereference_type);`
	`367`	`+ result.pointer =`
	`368`	`+ typecast_exprt{address_of_exprt{index_expr}, pointer_type};`
`361`	`369`	`}`
`362`	`370`	`else`
`363`	`371`	`{`
`@@ -374,6 +382,7 @@ value_set_dereferencet::valuet value_set_dereferencet::build_reference_to(`
`374`	`382`	`symbol_expr,`
`375`	`383`	`pointer_offset(pointer_expr),`
`376`	`384`	`dereference_type);`
	`385`	`+ result.pointer = address_of_exprt{result.value};`
`377`	`386`	`}`
`378`	`387`	`}`
`379`	`388`	`}`
`@@ -406,6 +415,8 @@ value_set_dereferencet::valuet value_set_dereferencet::build_reference_to(`
`406`	`415`	`// This is great, we are almost done.`
`407`	`416`
`408`	`417`	`result.value = typecast_exprt::conditional_cast(object, dereference_type);`
	`418`	`+ result.pointer =`
	`419`	`+ typecast_exprt::conditional_cast(object_pointer, pointer_type);`
`409`	`420`	`}`
`410`	`421`	`else if(`
`411`	`422`	`root_object_type.id() == ID_array &&`
`@@ -449,9 +460,12 @@ value_set_dereferencet::valuet value_set_dereferencet::build_reference_to(`
`449`	`460`	`// TODO: need to assert well-alignedness`
`450`	`461`	`}`
`451`	`462`
`452`		`- result.value = typecast_exprt::conditional_cast(`
`453`		`- index_exprt(root_object, adjusted_offset, root_object_type.subtype()),`
`454`		`- dereference_type);`
	`463`	`+ const index_exprt &index_expr =`
	`464`	`+ index_exprt(root_object, adjusted_offset, root_object_type.subtype());`
	`465`	`+ result.value =`
	`466`	`+ typecast_exprt::conditional_cast(index_expr, dereference_type);`
	`467`	`+ result.pointer = typecast_exprt::conditional_cast(`
	`468`	`+ address_of_exprt{index_expr}, pointer_type);`
`455`	`469`	`}`
`456`	`470`	`else`
`457`	`471`	`{`
`@@ -465,11 +479,15 @@ value_set_dereferencet::valuet value_set_dereferencet::build_reference_to(`
`465`	`479`	`// Successfully found a member, array index, or combination thereof`
`466`	`480`	`// that matches the desired type and offset:`
`467`	`481`	`result.value = subexpr.value();`
	`482`	`+ result.pointer = typecast_exprt::conditional_cast(`
	`483`	`+ address_of_exprt{skip_typecast(subexpr.value())}, pointer_type);`
`468`	`484`	`return result;`
`469`	`485`	`}`
`470`	`486`
`471`	`487`	`// we extract something from the root object`
`472`	`488`	`result.value=o.root_object();`
	`489`	`+ result.pointer = typecast_exprt::conditional_cast(`
	`490`	`+ address_of_exprt{skip_typecast(o.root_object())}, pointer_type);`
`473`	`491`
`474`	`492`	`// this is relative to the root object`
`475`	`493`	`exprt offset;`
Original file line number	Diff line number	Diff line change
`@@ -59,9 +59,13 @@ class value_set_dereferencet final`
`59`	`59`	`{`
`60`	`60`	`public:`
`61`	`61`	`exprt value;`
	`62`	`+ exprt pointer;`
`62`	`63`	`exprt pointer_guard;`
`63`	`64`
`64`		`- valuet() : value(nil_exprt()), pointer_guard(false_exprt())`
	`65`	`+ valuet()`
	`66`	`+ : value{nil_exprt{}},`
	`67`	`+ pointer{nil_exprt{}},`
	`68`	`+ pointer_guard{false_exprt{}}`
`65`	`69`	`{`
`66`	`70`	`}`
`67`	`71`	`};`