String refinement must not rely on input equations to be simplified

tautschnig · tautschnig · commit e47155b36fe7 · 2019-02-04T15:39:46.000Z
JBMC would produce wrong results when running the newly added test.
diff --git a/jbmc/regression/strings-smoke-tests/java_starts_with/test-no-simplify.desc b/jbmc/regression/strings-smoke-tests/java_starts_with/test-no-simplify.desc
@@ -0,0 +1,9 @@
+CORE
+test_starts_with.class
+--verbosity 10 --max-nondet-string-length 1000 --function test_starts_with.main --unwind 1 --no-simplify
+^EXIT=10$
+^SIGNAL=0$
+^\[.*assertion.1\].* line 8.* SUCCESS$
+^\[.*assertion.2\].* line 9.* FAILURE$
+--
+non equal types
diff --git a/src/solvers/strings/string_constraint_generator_main.cpp b/src/solvers/strings/string_constraint_generator_main.cpp
@@ -26,6 +26,7 @@ Author: Romain Brenguier, romain.brenguier@diffblue.com
 #include <util/arith_tools.h>
 #include <util/deprecate.h>
 #include <util/pointer_predicates.h>
+#include <util/simplify_expr.h>
 #include <util/ssa_expr.h>
 #include <util/string_constant.h>
 
@@ -180,7 +181,7 @@ exprt string_constraint_generatort::associate_array_to_pointer(
                                       : f.arguments()[0]);
 
   const exprt &pointer_expr = f.arguments()[1];
-  array_pool.insert(pointer_expr, array_expr);
+  array_pool.insert(simplify_expr(pointer_expr, ns), array_expr);
   // created_strings.emplace(to_array_string_expr(array_expr));
   return from_integer(0, f.type());
 }
diff --git a/src/solvers/strings/string_refinement.cpp b/src/solvers/strings/string_refinement.cpp
@@ -338,7 +338,7 @@ static void add_equations_for_symbol_resolution(
 
     if(is_char_pointer_type(rhs.type()))
     {
-      symbol_solver.make_union(lhs, rhs);
+      symbol_solver.make_union(lhs, simplify_expr(rhs, ns));
     }
     else if(rhs.id() == ID_function_application)
     {
@@ -438,7 +438,7 @@ static void add_string_equation_to_symbol_resolution(
 {
   if(eq.rhs().type() == string_typet())
   {
-    symbol_resolve.make_union(eq.lhs(), eq.rhs());
+    symbol_resolve.make_union(eq.lhs(), simplify_expr(eq.rhs(), ns));
   }
   else if(has_subtype(eq.lhs().type(), ID_string, ns))
   {
@@ -645,7 +645,10 @@ decision_proceduret::resultt string_refinementt::dec_solve()
   for(equal_exprt &eq : equations)
   {
     if(can_cast_expr<function_application_exprt>(eq.rhs()))
+    {
+      simplify(eq.rhs(), ns);
       string_id_symbol_resolve.replace_expr(eq.rhs());
+    }
   }
 
   // Generator is also used by get, so we have to use it as a class member

Original file line number	Diff line number	Diff line change
`@@ -338,7 +338,7 @@ static void add_equations_for_symbol_resolution(`
`338`	`338`
`339`	`339`	`if(is_char_pointer_type(rhs.type()))`
`340`	`340`	`{`
`341`		`- symbol_solver.make_union(lhs, rhs);`
	`341`	`+ symbol_solver.make_union(lhs, simplify_expr(rhs, ns));`
`342`	`342`	`}`
`343`	`343`	`else if(rhs.id() == ID_function_application)`
`344`	`344`	`{`
`@@ -438,7 +438,7 @@ static void add_string_equation_to_symbol_resolution(`
`438`	`438`	`{`
`439`	`439`	`if(eq.rhs().type() == string_typet())`
`440`	`440`	`{`
`441`		`- symbol_resolve.make_union(eq.lhs(), eq.rhs());`
	`441`	`+ symbol_resolve.make_union(eq.lhs(), simplify_expr(eq.rhs(), ns));`
`442`	`442`	`}`
`443`	`443`	`else if(has_subtype(eq.lhs().type(), ID_string, ns))`
`444`	`444`	`{`
`@@ -645,7 +645,10 @@ decision_proceduret::resultt string_refinementt::dec_solve()`
`645`	`645`	`for(equal_exprt &eq : equations)`
`646`	`646`	`{`
`647`	`647`	`if(can_cast_expr<function_application_exprt>(eq.rhs()))`
	`648`	`+ {`
	`649`	`+ simplify(eq.rhs(), ns);`
`648`	`650`	`string_id_symbol_resolve.replace_expr(eq.rhs());`
	`651`	`+ }`
`649`	`652`	`}`
`650`	`653`
`651`	`654`	`// Generator is also used by get, so we have to use it as a class member`