Value-set based dereferencing must consider possible index expressions

tautschnig · tautschnig · commit d6de37ee2b2b · 2025-01-31T21:40:41.000Z
Value-set based dereferencing must not take an access path through an object that precludes a subsequent index expression from accessing a different part of the object. Such a situation can arise when the value set has a known (constant) offset for the pointer that would identify one particular element in an array (within that object). The code using value-set based dereferencing, however, may be trying to resolve a subexpression of an index expression, where said index expression would lead to a different element that may itself be part of a different array within the same overall object. Fixes: diffblue#8570
diff --git a/regression/cbmc/Pointer_array7/main.c b/regression/cbmc/Pointer_array7/main.c
@@ -18,8 +18,8 @@ int main()
   uint16_t x[2];
   x[0] = 1;
   x[1] = 2;
-  uint8_t *y = (uint8_t *)x;
-  uint16_t z = *((uint16_t *)(y + 1));
+  uint8_t *y = (uint8_t *)x + 1;
+  uint16_t z = *((uint16_t *)(y));
 
 #ifdef USE_BIG_ENDIAN
   assert(z == 256u);
diff --git a/regression/cbmc/Pointer_array8/main.c b/regression/cbmc/Pointer_array8/main.c
@@ -0,0 +1,21 @@
+#pragma pack(push)
+#pragma pack(1)
+typedef struct
+{
+  int data[2];
+} arr;
+
+typedef struct
+{
+  arr vec[2];
+} arrvec;
+#pragma pack(pop)
+
+int main()
+{
+  arrvec A;
+  arrvec *x = &A;
+  __CPROVER_assume(x->vec[1].data[0] < 42);
+  unsigned k;
+  __CPROVER_assert(k != 2 || ((int *)x)[k] < 42, "");
+}
diff --git a/regression/cbmc/Pointer_array8/test.desc b/regression/cbmc/Pointer_array8/test.desc
@@ -0,0 +1,8 @@
+CORE no-new-smt
+main.c
+
+^EXIT=0$
+^SIGNAL=0$
+^VERIFICATION SUCCESSFUL$
+--
+^warning: ignoring
diff --git a/src/goto-programs/rewrite_union.cpp b/src/goto-programs/rewrite_union.cpp
@@ -159,6 +159,7 @@ static bool restore_union_rec(exprt &expr, const namespacet &ns)
             member_exprt{be.op(), comp.get_name(), comp.type()},
             be.offset(),
             be.type(),
+            true,
             ns);
           if(result.has_value())
           {
diff --git a/src/goto-symex/field_sensitivity.cpp b/src/goto-symex/field_sensitivity.cpp
@@ -110,7 +110,7 @@ exprt field_sensitivityt::apply(
         tmp.remove_level_2();
         const member_exprt member{tmp.get_original_expr(), comp};
         auto recursive_member =
-          get_subexpression_at_offset(member, be.offset(), be.type(), ns);
+          get_subexpression_at_offset(member, be.offset(), be.type(), true, ns);
         if(
           recursive_member.has_value() &&
           (recursive_member->id() == ID_member ||
diff --git a/src/memory-analyzer/analyze_symbol.cpp b/src/memory-analyzer/analyze_symbol.cpp
@@ -327,6 +327,7 @@ exprt gdb_value_extractort::get_pointer_to_member_value(
     struct_symbol_expr,
     member_offset,
     to_pointer_type(expr.type()).base_type(),
+    true,
     ns);
   DATA_INVARIANT(
     maybe_member_expr.has_value(), "structure doesn't have member");
@@ -554,7 +555,11 @@ exprt gdb_value_extractort::get_pointer_value(
     if(target_expr.type().id() == ID_array)
     {
       const auto result_indexed_expr = get_subexpression_at_offset(
-        target_expr, 0, to_pointer_type(zero_expr.type()).base_type(), ns);
+        target_expr,
+        0,
+        to_pointer_type(zero_expr.type()).base_type(),
+        true,
+        ns);
       CHECK_RETURN(result_indexed_expr.has_value());
       if(result_indexed_expr->type() == zero_expr.type())
         return *result_indexed_expr;
diff --git a/src/pointer-analysis/value_set_dereference.cpp b/src/pointer-analysis/value_set_dereference.cpp
@@ -643,11 +643,12 @@ value_set_dereferencet::valuet value_set_dereferencet::build_reference_to(
       }
     }
 
-    // try to build a member/index expression - do not use byte_extract
+    // Try to build a member/index expression instead of using byte_extract;
+    // don't recurse into aggregate types as the caller's expression may be
+    // within an index expression, i.e., a further offset beyond o.offset() may
+    // get added on to it.
     auto subexpr = get_subexpression_at_offset(
-      root_object, o.offset(), dereference_type, ns);
-    if(subexpr.has_value())
-      simplify(subexpr.value(), ns);
+      root_object, o.offset(), dereference_type, false, ns);
     if(
       subexpr.has_value() &&
       subexpr.value().id() != ID_byte_extract_little_endian &&
diff --git a/src/solvers/flattening/pointer_logic.cpp b/src/solvers/flattening/pointer_logic.cpp
@@ -115,7 +115,7 @@ exprt pointer_logict::pointer_expr(
     }
   }
   auto deep_object_opt =
-    get_subexpression_at_offset(object_expr, pointer.offset, subtype, ns);
+    get_subexpression_at_offset(object_expr, pointer.offset, subtype, true, ns);
   CHECK_RETURN(deep_object_opt.has_value());
   exprt deep_object = deep_object_opt.value();
   simplify(deep_object, ns);
diff --git a/src/util/pointer_offset_size.cpp b/src/util/pointer_offset_size.cpp
@@ -561,17 +561,11 @@ std::optional<exprt> get_subexpression_at_offset(
   const exprt &expr,
   const mp_integer &offset_bytes,
   const typet &target_type_raw,
+  bool recurse_into_arrays,
   const namespacet &ns)
 {
   if(offset_bytes == 0 && expr.type() == target_type_raw)
-  {
-    exprt result = expr;
-
-    if(expr.type() != target_type_raw)
-      result.type() = target_type_raw;
-
-    return result;
-  }
+    return expr;
 
   if(
     offset_bytes == 0 && expr.type().id() == ID_pointer &&
@@ -611,6 +605,7 @@ std::optional<exprt> get_subexpression_at_offset(
           member,
           offset_bytes - m_offset_bits / config.ansi_c.char_width,
           target_type_raw,
+          recurse_into_arrays,
           ns);
       }
 
@@ -638,9 +633,18 @@ std::optional<exprt> get_subexpression_at_offset(
       const auto offset_inside_elem = offset_bytes % elem_size_bytes;
       const auto target_size_bytes =
         *target_size_bits / config.ansi_c.char_width;
-      // only recurse if the cell completely contains the target
       if(
-        index < array_size &&
+        index < array_size && array_type.element_type() == target_type_raw &&
+        offset_inside_elem == 0)
+      {
+        return index_exprt{
+          expr,
+          from_integer(
+            offset_bytes / elem_size_bytes, array_type.index_type())};
+      }
+      // only recurse if the cell completely contains the target
+      else if(
+        recurse_into_arrays && index < array_size &&
         offset_inside_elem + target_size_bytes <= elem_size_bytes)
       {
         return get_subexpression_at_offset(
@@ -650,6 +654,7 @@ std::optional<exprt> get_subexpression_at_offset(
               offset_bytes / elem_size_bytes, array_type.index_type())),
           offset_inside_elem,
           target_type_raw,
+          recurse_into_arrays,
           ns);
       }
     }
@@ -676,7 +681,7 @@ std::optional<exprt> get_subexpression_at_offset(
       {
         const member_exprt member(expr, component.get_name(), component.type());
         return get_subexpression_at_offset(
-          member, offset_bytes, target_type_raw, ns);
+          member, offset_bytes, target_type_raw, recurse_into_arrays, ns);
       }
     }
   }
@@ -689,12 +694,16 @@ std::optional<exprt> get_subexpression_at_offset(
   const exprt &expr,
   const exprt &offset,
   const typet &target_type,
+  bool recurse_into_arrays,
   const namespacet &ns)
 {
   const auto offset_bytes = numeric_cast<mp_integer>(offset);
 
   if(!offset_bytes.has_value())
     return {};
   else
-    return get_subexpression_at_offset(expr, *offset_bytes, target_type, ns);
+  {
+    return get_subexpression_at_offset(
+      expr, *offset_bytes, target_type, recurse_into_arrays, ns);
+  }
 }
diff --git a/src/util/pointer_offset_size.h b/src/util/pointer_offset_size.h
@@ -56,12 +56,14 @@ std::optional<exprt> get_subexpression_at_offset(
   const exprt &expr,
   const mp_integer &offset,
   const typet &target_type,
+  bool recurse_into_arrays,
   const namespacet &ns);
 
 std::optional<exprt> get_subexpression_at_offset(
   const exprt &expr,
   const exprt &offset,
   const typet &target_type,
+  bool recurse_into_arrays,
   const namespacet &ns);
 
 #endif // CPROVER_UTIL_POINTER_OFFSET_SIZE_H
diff --git a/src/util/simplify_expr.cpp b/src/util/simplify_expr.cpp
@@ -2023,7 +2023,7 @@ simplify_exprt::simplify_byte_extract(const byte_extract_exprt &expr)
 
   // try to refine it down to extracting from a member or an index in an array
   auto subexpr =
-    get_subexpression_at_offset(expr.op(), *offset, expr.type(), ns);
+    get_subexpression_at_offset(expr.op(), *offset, expr.type(), true, ns);
   if(subexpr.has_value() && subexpr.value() != expr)
     return changed(simplify_rec(subexpr.value())); // recursive call
 
diff --git a/src/util/simplify_expr_struct.cpp b/src/util/simplify_expr_struct.cpp
@@ -242,7 +242,7 @@ simplify_exprt::simplify_member(const member_exprt &expr)
       if(requested_offset.has_value())
       {
         auto equivalent_member = get_subexpression_at_offset(
-          typecast_expr.op(), *requested_offset, expr.type(), ns);
+          typecast_expr.op(), *requested_offset, expr.type(), true, ns);
 
         // Guess: turning this into a byte-extract operation is not really an
         // optimisation.
diff --git a/unit/util/pointer_offset_size.cpp b/unit/util/pointer_offset_size.cpp
@@ -34,30 +34,30 @@ TEST_CASE("Build subexpression to access element at offset into array")
   symbol_exprt a("array", array_type);
 
   {
-    const auto result = get_subexpression_at_offset(a, 0, t, ns);
+    const auto result = get_subexpression_at_offset(a, 0, t, true, ns);
     REQUIRE(result.value() == index_exprt(a, from_integer(0, c_index_type())));
   }
 
   {
-    const auto result = get_subexpression_at_offset(a, 32 / 8, t, ns);
+    const auto result = get_subexpression_at_offset(a, 32 / 8, t, true, ns);
     REQUIRE(result.value() == index_exprt(a, from_integer(1, c_index_type())));
   }
 
   {
     const auto result =
-      get_subexpression_at_offset(a, from_integer(0, size_type()), t, ns);
+      get_subexpression_at_offset(a, from_integer(0, size_type()), t, true, ns);
     REQUIRE(result.value() == index_exprt(a, from_integer(0, c_index_type())));
   }
 
   {
     const auto result =
-      get_subexpression_at_offset(a, size_of_expr(t, ns).value(), t, ns);
+      get_subexpression_at_offset(a, size_of_expr(t, ns).value(), t, true, ns);
     REQUIRE(result.value() == index_exprt(a, from_integer(1, c_index_type())));
   }
 
   {
     const signedbv_typet small_t(8);
-    const auto result = get_subexpression_at_offset(a, 1, small_t, ns);
+    const auto result = get_subexpression_at_offset(a, 1, small_t, true, ns);
     REQUIRE(
       result.value() == make_byte_extract(
                           index_exprt(a, from_integer(0, c_index_type())),
@@ -67,7 +67,7 @@ TEST_CASE("Build subexpression to access element at offset into array")
 
   {
     const signedbv_typet int16_t(16);
-    const auto result = get_subexpression_at_offset(a, 3, int16_t, ns);
+    const auto result = get_subexpression_at_offset(a, 3, int16_t, true, ns);
     // At offset 3 there are only 8 bits remaining in an element of type t so
     // not enough to fill a 16 bit int, so this cannot be transformed in an
     // index_exprt.
@@ -94,30 +94,30 @@ TEST_CASE("Build subexpression to access element at offset into struct")
   symbol_exprt s("struct", st);
 
   {
-    const auto result = get_subexpression_at_offset(s, 0, t, ns);
+    const auto result = get_subexpression_at_offset(s, 0, t, true, ns);
     REQUIRE(result.value() == member_exprt(s, "foo", t));
   }
 
   {
-    const auto result = get_subexpression_at_offset(s, 32 / 8, t, ns);
+    const auto result = get_subexpression_at_offset(s, 32 / 8, t, true, ns);
     REQUIRE(result.value() == member_exprt(s, "bar", t));
   }
 
   {
     const auto result =
-      get_subexpression_at_offset(s, from_integer(0, size_type()), t, ns);
+      get_subexpression_at_offset(s, from_integer(0, size_type()), t, true, ns);
     REQUIRE(result.value() == member_exprt(s, "foo", t));
   }
 
   {
     const auto result =
-      get_subexpression_at_offset(s, size_of_expr(t, ns).value(), t, ns);
+      get_subexpression_at_offset(s, size_of_expr(t, ns).value(), t, true, ns);
     REQUIRE(result.value() == member_exprt(s, "bar", t));
   }
 
   {
     const signedbv_typet small_t(8);
-    const auto result = get_subexpression_at_offset(s, 1, small_t, ns);
+    const auto result = get_subexpression_at_offset(s, 1, small_t, true, ns);
     REQUIRE(
       result.value() ==
       make_byte_extract(

Original file line number	Diff line number	Diff line change
`@@ -159,6 +159,7 @@ static bool restore_union_rec(exprt &expr, const namespacet &ns)`
`159`	`159`	`member_exprt{be.op(), comp.get_name(), comp.type()},`
`160`	`160`	`be.offset(),`
`161`	`161`	`be.type(),`
	`162`	`+ true,`
`162`	`163`	`ns);`
`163`	`164`	`if(result.has_value())`
`164`	`165`	`{`
Original file line number	Diff line number	Diff line change
`@@ -115,7 +115,7 @@ exprt pointer_logict::pointer_expr(`
`115`	`115`	`}`
`116`	`116`	`}`
`117`	`117`	`auto deep_object_opt =`
`118`		`- get_subexpression_at_offset(object_expr, pointer.offset, subtype, ns);`
	`118`	`+ get_subexpression_at_offset(object_expr, pointer.offset, subtype, true, ns);`
`119`	`119`	`CHECK_RETURN(deep_object_opt.has_value());`
`120`	`120`	`exprt deep_object = deep_object_opt.value();`
`121`	`121`	`simplify(deep_object, ns);`
Original file line number	Diff line number	Diff line change
`@@ -242,7 +242,7 @@ simplify_exprt::simplify_member(const member_exprt &expr)`
`242`	`242`	`if(requested_offset.has_value())`
`243`	`243`	`{`
`244`	`244`	`auto equivalent_member = get_subexpression_at_offset(`
`245`		`- typecast_expr.op(), *requested_offset, expr.type(), ns);`
	`245`	`+ typecast_expr.op(), *requested_offset, expr.type(), true, ns);`
`246`	`246`
`247`	`247`	`// Guess: turning this into a byte-extract operation is not really an`
`248`	`248`	`// optimisation.`
Original file line number	Diff line number	Diff line change
`@@ -34,30 +34,30 @@ TEST_CASE("Build subexpression to access element at offset into array")`
`34`	`34`	`symbol_exprt a("array", array_type);`
`35`	`35`
`36`	`36`	`{`
`37`		`- const auto result = get_subexpression_at_offset(a, 0, t, ns);`
	`37`	`+ const auto result = get_subexpression_at_offset(a, 0, t, true, ns);`
`38`	`38`	`REQUIRE(result.value() == index_exprt(a, from_integer(0, c_index_type())));`
`39`	`39`	`}`
`40`	`40`
`41`	`41`	`{`
`42`		`- const auto result = get_subexpression_at_offset(a, 32 / 8, t, ns);`
	`42`	`+ const auto result = get_subexpression_at_offset(a, 32 / 8, t, true, ns);`
`43`	`43`	`REQUIRE(result.value() == index_exprt(a, from_integer(1, c_index_type())));`
`44`	`44`	`}`
`45`	`45`
`46`	`46`	`{`
`47`	`47`	`const auto result =`
`48`		`- get_subexpression_at_offset(a, from_integer(0, size_type()), t, ns);`
	`48`	`+ get_subexpression_at_offset(a, from_integer(0, size_type()), t, true, ns);`
`49`	`49`	`REQUIRE(result.value() == index_exprt(a, from_integer(0, c_index_type())));`
`50`	`50`	`}`
`51`	`51`
`52`	`52`	`{`
`53`	`53`	`const auto result =`
`54`		`- get_subexpression_at_offset(a, size_of_expr(t, ns).value(), t, ns);`
	`54`	`+ get_subexpression_at_offset(a, size_of_expr(t, ns).value(), t, true, ns);`
`55`	`55`	`REQUIRE(result.value() == index_exprt(a, from_integer(1, c_index_type())));`
`56`	`56`	`}`
`57`	`57`
`58`	`58`	`{`
`59`	`59`	`const signedbv_typet small_t(8);`
`60`		`- const auto result = get_subexpression_at_offset(a, 1, small_t, ns);`
	`60`	`+ const auto result = get_subexpression_at_offset(a, 1, small_t, true, ns);`
`61`	`61`	`REQUIRE(`
`62`	`62`	`result.value() == make_byte_extract(`
`63`	`63`	`index_exprt(a, from_integer(0, c_index_type())),`
`@@ -67,7 +67,7 @@ TEST_CASE("Build subexpression to access element at offset into array")`
`67`	`67`
`68`	`68`	`{`
`69`	`69`	`const signedbv_typet int16_t(16);`
`70`		`- const auto result = get_subexpression_at_offset(a, 3, int16_t, ns);`
	`70`	`+ const auto result = get_subexpression_at_offset(a, 3, int16_t, true, ns);`
`71`	`71`	`// At offset 3 there are only 8 bits remaining in an element of type t so`
`72`	`72`	`// not enough to fill a 16 bit int, so this cannot be transformed in an`
`73`	`73`	`// index_exprt.`
`@@ -94,30 +94,30 @@ TEST_CASE("Build subexpression to access element at offset into struct")`
`94`	`94`	`symbol_exprt s("struct", st);`
`95`	`95`
`96`	`96`	`{`
`97`		`- const auto result = get_subexpression_at_offset(s, 0, t, ns);`
	`97`	`+ const auto result = get_subexpression_at_offset(s, 0, t, true, ns);`
`98`	`98`	`REQUIRE(result.value() == member_exprt(s, "foo", t));`
`99`	`99`	`}`
`100`	`100`
`101`	`101`	`{`
`102`		`- const auto result = get_subexpression_at_offset(s, 32 / 8, t, ns);`
	`102`	`+ const auto result = get_subexpression_at_offset(s, 32 / 8, t, true, ns);`
`103`	`103`	`REQUIRE(result.value() == member_exprt(s, "bar", t));`
`104`	`104`	`}`
`105`	`105`
`106`	`106`	`{`
`107`	`107`	`const auto result =`
`108`		`- get_subexpression_at_offset(s, from_integer(0, size_type()), t, ns);`
	`108`	`+ get_subexpression_at_offset(s, from_integer(0, size_type()), t, true, ns);`
`109`	`109`	`REQUIRE(result.value() == member_exprt(s, "foo", t));`
`110`	`110`	`}`
`111`	`111`
`112`	`112`	`{`
`113`	`113`	`const auto result =`
`114`		`- get_subexpression_at_offset(s, size_of_expr(t, ns).value(), t, ns);`
	`114`	`+ get_subexpression_at_offset(s, size_of_expr(t, ns).value(), t, true, ns);`
`115`	`115`	`REQUIRE(result.value() == member_exprt(s, "bar", t));`
`116`	`116`	`}`
`117`	`117`
`118`	`118`	`{`
`119`	`119`	`const signedbv_typet small_t(8);`
`120`		`- const auto result = get_subexpression_at_offset(s, 1, small_t, ns);`
	`120`	`+ const auto result = get_subexpression_at_offset(s, 1, small_t, true, ns);`
`121`	`121`	`REQUIRE(`
`122`	`122`	`result.value() ==`
`123`	`123`	`make_byte_extract(`