Function pointer removal: argument conversion must use byte extract

tautschnig · tautschnig · commit e4d74110507a · 2022-06-23T08:44:14.000Z
Only POD can be handled via type casts, all other cases require reinterpreting the byte sequence. For POD, the simplifier will clean up the byte extract. The same problem had already been fixed for goto-symex' function argument conversion back in bb80cdc. Co-authored-by: Celina G. Val <celinval@amazon.com> Fixes: #6956
diff --git a/regression/cbmc/Function_Pointer19/main.c b/regression/cbmc/Function_Pointer19/main.c
@@ -0,0 +1,51 @@
+#include <assert.h>
+
+struct PtrWrapperInner
+{
+  int *value;
+};
+
+struct PtrWrapper
+{
+  int *value;
+  struct PtrWrapperInner inner;
+};
+
+struct AltPtrWrapperInner
+{
+  int *value;
+};
+
+struct AltPtrWrapper
+{
+  unsigned int *value;
+  // A) Doesn't work
+  struct AltPtrWrapperInner inner;
+  // B) Works
+  // struct PtrWrapperInner inner;
+};
+
+void fn(struct PtrWrapper wrapper)
+{
+  assert(*wrapper.value == 10);
+  assert(*wrapper.inner.value == 10);
+}
+
+int main()
+{
+  int ret = 10;
+  int *ptr = &ret;
+
+  struct AltPtrWrapper alt;
+  alt.inner.value = ptr;
+  alt.value = ptr;
+
+  // Casting the structure itself works.
+  struct PtrWrapper wrapper = *(struct PtrWrapper *)&alt;
+  assert(*wrapper.value == 10);
+  assert(*wrapper.inner.value == 10);
+
+  // This only works if there is one level of casting.
+  int (*alias)(struct AltPtrWrapper) = (int (*)(struct AltPtrWrapper))fn;
+  alias(alt);
+}
diff --git a/regression/cbmc/Function_Pointer19/test.desc b/regression/cbmc/Function_Pointer19/test.desc
@@ -0,0 +1,8 @@
+CORE
+main.c
+
+^VERIFICATION SUCCESSFUL$
+^EXIT=0$
+^SIGNAL=0$
+--
+^warning: ignoring
diff --git a/regression/cbmc/Linking7/member-name-mismatch.desc b/regression/cbmc/Linking7/member-name-mismatch.desc
@@ -1,4 +1,4 @@
-CORE broken-smt-backend
+CORE
 main.c
 module2.c
 ^EXIT=10$
diff --git a/regression/cbmc/Linking7/test.desc b/regression/cbmc/Linking7/test.desc
@@ -1,4 +1,4 @@
-CORE broken-smt-backend
+CORE
 main.c
 module.c
 ^EXIT=10$
diff --git a/src/goto-programs/remove_function_pointers.cpp b/src/goto-programs/remove_function_pointers.cpp
@@ -11,6 +11,8 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include "remove_function_pointers.h"
 
+#include <util/arith_tools.h>
+#include <util/byte_operators.h>
 #include <util/c_types.h>
 #include <util/fresh_symbol.h>
 #include <util/invariant.h>
@@ -195,8 +197,10 @@ static void fix_argument_types(code_function_callt &function_call)
     {
       if(call_arguments[i].type() != function_parameters[i].type())
       {
-        call_arguments[i] =
-          typecast_exprt(call_arguments[i], function_parameters[i].type());
+        call_arguments[i] = make_byte_extract(
+          call_arguments[i],
+          from_integer(0, c_index_type()),
+          function_parameters[i].type());
       }
     }
   }
@@ -235,8 +239,10 @@ static void fix_return_type(
   exprt old_lhs=function_call.lhs();
   function_call.lhs()=tmp_symbol_expr;
 
-  dest.add(goto_programt::make_assignment(
-    code_assignt(old_lhs, typecast_exprt(tmp_symbol_expr, old_lhs.type()))));
+  dest.add(goto_programt::make_assignment(code_assignt(
+    old_lhs,
+    make_byte_extract(
+      tmp_symbol_expr, from_integer(0, c_index_type()), old_lhs.type()))));
 }
 
 void remove_function_pointerst::remove_function_pointer(

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-CORE broken-smt-backend`
	`1`	`+CORE`
`2`	`2`	`main.c`
`3`	`3`	`module2.c`
`4`	`4`	`^EXIT=10$`
Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,8 @@ Author: Daniel Kroening, [email protected]`
`11`	`11`
`12`	`12`	`#include "remove_function_pointers.h"`
`13`	`13`
	`14`	`+#include <util/arith_tools.h>`
	`15`	`+#include <util/byte_operators.h>`
`14`	`16`	`#include <util/c_types.h>`
`15`	`17`	`#include <util/fresh_symbol.h>`
`16`	`18`	`#include <util/invariant.h>`
`@@ -195,8 +197,10 @@ static void fix_argument_types(code_function_callt &function_call)`
`195`	`197`	`{`
`196`	`198`	`if(call_arguments[i].type() != function_parameters[i].type())`
`197`	`199`	`{`
`198`		`- call_arguments[i] =`
`199`		`- typecast_exprt(call_arguments[i], function_parameters[i].type());`
	`200`	`+ call_arguments[i] = make_byte_extract(`
	`201`	`+ call_arguments[i],`
	`202`	`+ from_integer(0, c_index_type()),`
	`203`	`+ function_parameters[i].type());`
`200`	`204`	`}`
`201`	`205`	`}`
`202`	`206`	`}`
`@@ -235,8 +239,10 @@ static void fix_return_type(`
`235`	`239`	`exprt old_lhs=function_call.lhs();`
`236`	`240`	`function_call.lhs()=tmp_symbol_expr;`
`237`	`241`
`238`		`- dest.add(goto_programt::make_assignment(`
`239`		`- code_assignt(old_lhs, typecast_exprt(tmp_symbol_expr, old_lhs.type()))));`
	`242`	`+ dest.add(goto_programt::make_assignment(code_assignt(`
	`243`	`+ old_lhs,`
	`244`	`+ make_byte_extract(`
	`245`	`+ tmp_symbol_expr, from_integer(0, c_index_type()), old_lhs.type()))));`
`240`	`246`	`}`
`241`	`247`
`242`	`248`	`void remove_function_pointerst::remove_function_pointer(`