@@ -900,116 +900,126 @@ void goto_checkt::pointer_validity_check(
900900
901901 assert (base_type_eq (pointer_type.subtype (), expr.type (), ns));
902902
903- #if 0
904- add_guarded_claim(
905- good_pointer(expr.pointer()),
906- "dereference failure: pointer not valid",
907- "pointer dereference",
908- expr.find_source_location(),
909- expr,
910- guard);
911- #else
912-
913903 local_bitvector_analysist::flagst flags=
914904 local_bitvector_analysis->get (t, pointer);
915905
916906 const typet &dereference_type=pointer_type.subtype ();
917907
918- if (flags.is_unknown () || flags.is_null ())
908+ irep_idt mode;
909+
919910 {
920- add_guarded_claim (
921- not_exprt (null_pointer (pointer)),
922- " dereference failure: pointer NULL"
923- " pointer dereference"
924- expr.find_source_location (),
925- expr,
926- guard);
911+ const symbolt *init_symbol;
912+ if (!ns.lookup (CPROVER_PREFIX " initialize"
913+ mode=init_symbol->mode ;
927914 }
928915
929- if (flags.is_unknown ())
930- add_guarded_claim (
931- not_exprt (invalid_pointer (pointer)),
932- " dereference failure: pointer invalid"
933- " pointer dereference"
934- expr.find_source_location (),
935- expr,
936- guard);
937-
938- if (flags.is_uninitialized ())
939- add_guarded_claim (
940- not_exprt (invalid_pointer (pointer)),
941- " dereference failure: pointer uninitialized"
942- " pointer dereference"
943- expr.find_source_location (),
944- expr,
945- guard);
946-
947- symbol_tablet symbol_table = ns.get_symbol_table ();
948-
949- symbol_tablet::symbolst::iterator s_it =
950- symbol_table.symbols .find (CPROVER_PREFIX " initialize"
951-
952- // For Java don't check dereference of a deallocated or dead object
953- if (s_it == symbol_table.symbols .end () || (s_it->second ).mode != ID_java)
916+ // For Java, we only need to check for null
917+ if (mode==ID_java)
954918 {
955- if (flags.is_unknown () || flags.is_dynamic_heap ())
956- add_guarded_claim (
957- not_exprt (deallocated (pointer, ns)),
958- " dereference failure: deallocated dynamic object"
959- " pointer dereference"
960- expr.find_source_location (),
961- expr,
962- guard);
919+ if (flags.is_unknown () || flags.is_null ())
920+ {
921+ notequal_exprt not_eq_null (pointer, gen_zero (pointer.type ()));
922+ // exprt not_eq_null=not_exprt(null_pointer(pointer));
963923
964- if (flags.is_unknown () || flags.is_dynamic_local ())
965924 add_guarded_claim (
966- not_exprt ( dead_object (pointer, ns)) ,
967- " dereference failure: dead object "
925+ not_eq_null ,
926+ " reference is null "
968927 " pointer dereference"
969928 expr.find_source_location (),
970929 expr,
971930 guard);
931+ }
972932 }
973-
974- if (enable_bounds_check)
933+ else
975934 {
976- if (flags.is_unknown () || flags.is_dynamic_heap ())
935+ if (flags.is_unknown () || flags.is_null ())
977936 {
978- exprt dynamic_bounds=
979- or_exprt (dynamic_object_lower_bound (pointer),
980- dynamic_object_upper_bound (pointer, dereference_type, ns));
981-
982937 add_guarded_claim (
983- implies_exprt ( malloc_object (pointer, ns), not_exprt (dynamic_bounds )),
984- " dereference failure: dynamic object bounds "
938+ not_exprt ( null_pointer (pointer)),
939+ " dereference failure: pointer NULL "
985940 " pointer dereference"
986941 expr.find_source_location (),
987942 expr,
988943 guard);
989944 }
990- }
991945
992- if (enable_bounds_check)
993- {
994- if (flags.is_unknown () ||
995- flags.is_dynamic_local () ||
996- flags.is_static_lifetime ())
997- {
998- exprt object_bounds=
999- or_exprt (object_lower_bound (pointer),
1000- object_upper_bound (pointer, dereference_type, ns));
946+ if (flags.is_unknown ())
947+ add_guarded_claim (
948+ not_exprt (invalid_pointer (pointer)),
949+ " dereference failure: pointer invalid"
950+ " pointer dereference"
951+ expr.find_source_location (),
952+ expr,
953+ guard);
1001954
955+ if (flags.is_uninitialized ())
1002956 add_guarded_claim (
1003- or_exprt ( dynamic_object (pointer), not_exprt (object_bounds )),
1004- " dereference failure: object bounds "
957+ not_exprt ( invalid_pointer (pointer)),
958+ " dereference failure: pointer uninitialized "
1005959 " pointer dereference"
1006960 expr.find_source_location (),
1007961 expr,
1008962 guard);
963+
964+ if (mode != ID_java)
965+ {
966+ if (flags.is_unknown () || flags.is_dynamic_heap ())
967+ add_guarded_claim (
968+ not_exprt (deallocated (pointer, ns)),
969+ " dereference failure: deallocated dynamic object"
970+ " pointer dereference"
971+ expr.find_source_location (),
972+ expr,
973+ guard);
974+
975+ if (flags.is_unknown () || flags.is_dynamic_local ())
976+ add_guarded_claim (
977+ not_exprt (dead_object (pointer, ns)),
978+ " dereference failure: dead object"
979+ " pointer dereference"
980+ expr.find_source_location (),
981+ expr,
982+ guard);
1009983 }
1010- }
1011984
1012- #endif
985+ if (enable_bounds_check)
986+ {
987+ if (flags.is_unknown () || flags.is_dynamic_heap ())
988+ {
989+ exprt dynamic_bounds=
990+ or_exprt (dynamic_object_lower_bound (pointer),
991+ dynamic_object_upper_bound (pointer, dereference_type, ns));
992+
993+ add_guarded_claim (
994+ implies_exprt (malloc_object (pointer, ns), not_exprt (dynamic_bounds)),
995+ " dereference failure: dynamic object bounds"
996+ " pointer dereference"
997+ expr.find_source_location (),
998+ expr,
999+ guard);
1000+ }
1001+ }
1002+
1003+ if (enable_bounds_check)
1004+ {
1005+ if (flags.is_unknown () ||
1006+ flags.is_dynamic_local () ||
1007+ flags.is_static_lifetime ())
1008+ {
1009+ exprt object_bounds=
1010+ or_exprt (object_lower_bound (pointer),
1011+ object_upper_bound (pointer, dereference_type, ns));
1012+
1013+ add_guarded_claim (
1014+ or_exprt (dynamic_object (pointer), not_exprt (object_bounds)),
1015+ " dereference failure: object bounds"
1016+ " pointer dereference"
1017+ expr.find_source_location (),
1018+ expr,
1019+ guard);
1020+ }
1021+ }
1022+ }
10131023}
10141024
10151025/* ******************************************************************\
0 commit comments