Add support for conversion of pointer arithmetic expressions to new SMT backend.

[NlightNFotis]

This PR adds the capability to handle expressions like the following:

int *a;
int *b;

a + 1;
a + (2 * sizeof(int)
a - 2;
a - b;

to the new SMT backend, along with regression tests and unit tests.

• Each commit message has a non-empty body, explaining why the change was made.
• Methods or procedures I have added are documented, following the guidelines provided in CODING_STANDARD.md.
• The feature or user visible behaviour I have added or modified has been documented in the User Guide in doc/cprover-manual/
• Regression or unit tests are included, or existing tests cover the modified code (in this case I have detailed which ones those are in the commit message).
• My commit message includes data points confirming performance improvements (if claimed).
• My PR is restricted to a single feature or bugfix.
• White-space or formatting changes outside the feature-related changed lines are in commits of their own.

[codecov]

Codecov Report

Merging #6866 (95cab0d) into develop (bcca9da) will increase coverage by 0.01%.
The diff coverage is 98.24%.

❗ Current head 95cab0d differs from pull request most recent head 34b2985. Consider uploading reports for the commit 34b2985 to get more accurate results

@@             Coverage Diff             @@
##           develop    #6866      +/-   ##
===========================================
+ Coverage    77.80%   77.81%   +0.01%     
===========================================
  Files         1567     1568       +1     
  Lines       179916   180023     +107     
===========================================
+ Hits        139988   140093     +105     
- Misses       39928    39930       +2     

Impacted Files	Coverage Δ
..._incremental/smt2_incremental_decision_procedure.h	75.00% <ø> (ø)
...t/solvers/smt2_incremental/convert_expr_to_smt.cpp	99.65% <96.55%> (-0.23%)	⬇️
...c/solvers/smt2_incremental/convert_expr_to_smt.cpp	87.67% <100.00%> (+0.66%)	⬆️
.../solvers/smt2_incremental/pointer_size_mapping.cpp	100.00% <100.00%> (ø)
...ncremental/smt2_incremental_decision_procedure.cpp	94.73% <100.00%> (+0.11%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 679ab3f...34b2985. Read the comment docs.

[thomasspriggs]

Some initial comments.

[thomasspriggs]

⛏️ void * does not mean that "we don't know the underlying base type". It means the type is not defined or "is empty". For example the return type of malloc is void * and the memory to which the returned pointer refers to will have no type associated. Your explanation of why we are using 1 explains how this affects the maths which we are using but not why (or why not) it is the correct thing to do. Critically, pointer arithmetic on void pointers is disallowed by the C standard because void does not have a size. Using a size of 1 is actually a GCC extension. Source references - http://www.c-faq.com/ansi/voidparith.html and https://gcc.gnu.org/onlinedocs/gcc-4.8.0/gcc/Pointer-Arith.html

[thomasspriggs]

This is still unaddressed.

[thomasspriggs]

I thought we agreed to call this a type_size_map rather than a pointer size map? The keys of the map are expected to be the types the pointers point to, not the pointers themselves or the whole pointer type. I don't want to tie the naming of this map to pointers only, because we may want the type size information for other purposes as we add more functionality to the new decision procedure.

[NlightNFotis]

Addressed in the refactor commits.

[thomasspriggs]

Could you rename the file to match as well please?

[NlightNFotis]

Done.

[thomasspriggs]

⛏️ Its worth stating that this function adds the mappings to this map. Your current document doesn't really explain that this is an "output" parameter.

[NlightNFotis]

Addressed in 658672c

[thomasspriggs]

I am not sure what you mean by "Initially empty, by the function.". This function does not empty the map and the map may or may not contain existing entries when it is called. I suggest -

/// \param type_size_map:
///   A map of types to terms expressing the size of the type (in bytes). This
///   function adds new entries to the map for instances of pointer.base_type()
///   from \p expression which are not already keys in the map.

[thomasspriggs]

⛏️ Its worth noting that the name space is needed for looking up (following) type symbols in the case where pointers have tag_typet, rather than a more completely defined type. Ideally the size_of_expr would have doxygen as well, but I am happy to consider that to be "off topic" for this PR.

[NlightNFotis]

This PR is now actively being worked on, and includes a small number of commits that are going to be squashed away or spun out into their own PRs.

[thomasspriggs]

This documentation is inaccurate as the function adds to the map rather than creating/constructing it. The map is (empty) constructed before this function is called.

[thomasspriggs]

I am not sure what you mean by "Initially empty, by the function.". This function does not empty the map and the map may or may not contain existing entries when it is called. I suggest -

/// \param type_size_map:
///   A map of types to terms expressing the size of the type (in bytes). This
///   function adds new entries to the map for instances of pointer.base_type()
///   from \p expression which are not already keys in the map.

[thomasspriggs]

⛏️ I would probably inline pointer_type.base_type() into the call to at. But this should at least be const if you are going to introduce a new variable which is not mutated.

[NlightNFotis]

All of the related definitions have been consted.

[thomasspriggs]

⛏️ I would prefer that one of the standard library definitions of NULL was used instead of defining it in the test, in order to avoid re-definition errors.

[thomasspriggs]

z should be of int type rather than int * type. The result of x - y is an integer not a pointer, so because you declared z as a pointer then the integer result of the subtraction is being implicitly cast back to a pointer. Because you have assumed that x != y the property that z != 0 should hold in a subsequent assertion.

[thomasspriggs]

💡 I suggest using catchs INFO macro to add information of the pretty printing of pointer_arith_expr, so that more information is provided if this test fails in future.

[thomasspriggs]

This looks to be missing the division of the subtraction result by the size.

[thomasspriggs]

I think this is fixed in a following commit?

[thomasspriggs]

This subtraction is actually non-compiling code if I run it through gcc. If I run cbmc with the sat backend then this code is currently accepted and analysed. As this is not valid code it should really be detected in the C type checking performed as part of the C front end. Adding such front-end checks would be outside of the scope of this PR however.

[thomasspriggs]

Looks like the serious issues have all been resolved.

⛏️ It could do with a regression test to check on the result of subtracting two pointers is as we expect in the case where the resulting integer is negative. That is because this is the case where the kind of division used is important. The wrong kind of division would result in a value of the wrong sign and far larger than expected.