bool remove_const_function_pointerst::try_resolve_expression(
const exprt &expr, expressionst &out_resolved_expression, bool &out_is_const)
{
exprt simplified_expr=simplify_expr(expr, ns);
bool resolved;
expressionst resolved_expressions;
bool is_resolved_expression_const;
if(simplified_expr.id()==ID_index)
{
const index_exprt &index_expr=to_index_expr(simplified_expr);
resolved=
try_resolve_index_of(
index_expr, resolved_expressions, is_resolved_expression_const);
}
else if(simplified_expr.id()==ID_member)
{
const member_exprt &member_expr=to_member_expr(simplified_expr);
resolved=try_resolve_member(
member_expr, resolved_expressions, is_resolved_expression_const);
}
else if(simplified_expr.id()==ID_dereference)
{
const dereference_exprt &deref=to_dereference_expr(simplified_expr);
resolved=
try_resolve_dereference(
deref, resolved_expressions, is_resolved_expression_const);
}
else if(simplified_expr.id()==ID_typecast)
{
typecast_exprt typecast_expr=to_typecast_expr(simplified_expr);
resolved=
try_resolve_typecast(
typecast_expr, resolved_expressions, is_resolved_expression_const);
}
else if(simplified_expr.id()==ID_symbol)
{
LOG("Non const symbol will not be squashed", simplified_expr);
resolved=false;
}
else
{
resolved_expressions.push_back(simplified_expr);
is_resolved_expression_const=is_const_expression(simplified_expr);
resolved=true;
}
if(resolved)
{
out_resolved_expression.insert(
out_resolved_expression.end(),
resolved_expressions.begin(),
resolved_expressions.end());
out_is_const=is_resolved_expression_const;
return true;
}
else
{
return false;
}
}
exprt local_SSAt::read_rhs_address_of_rec(
const exprt &expr,
locationt loc) const
{
if(expr.id()==ID_dereference)
{
// We 'read' the pointer only, the dereferencing expression stays.
dereference_exprt tmp=to_dereference_expr(expr);
tmp.pointer()=read_rhs_rec(tmp.pointer(), loc);
return tmp;
}
else if(expr.id()==ID_member)
{
member_exprt tmp=to_member_expr(expr);
tmp.struct_op()=read_rhs_address_of_rec(tmp.struct_op(), loc);
return tmp;
}
else if(expr.id()==ID_index)
{
index_exprt tmp=to_index_expr(expr);
tmp.array()=read_rhs_address_of_rec(tmp.array(), loc);
tmp.index()=read_rhs_rec(tmp.index(), loc);
return tmp;
}
else if(expr.id()==ID_if)
{
if_exprt tmp=to_if_expr(expr);
tmp.cond()=read_rhs_rec(tmp.cond(), loc);
tmp.true_case()=read_rhs_address_of_rec(tmp.true_case(), loc);
tmp.false_case()=read_rhs_address_of_rec(tmp.false_case(), loc);
return tmp;
}
else
return expr;
}
void function_modifiest::get_modifies_lhs(
const local_may_aliast &local_may_alias,
const goto_programt::const_targett t,
const exprt &lhs,
modifiest &modifies)
{
if(lhs.id()==ID_symbol)
modifies.insert(lhs);
else if(lhs.id()==ID_dereference)
{
modifiest m=local_may_alias.get(t, to_dereference_expr(lhs).pointer());
for(modifiest::const_iterator m_it=m.begin();
m_it!=m.end(); m_it++)
get_modifies_lhs(local_may_alias, t, *m_it, modifies);
}
else if(lhs.id()==ID_member)
{
}
else if(lhs.id()==ID_index)
{
}
else if(lhs.id()==ID_if)
{
get_modifies_lhs(local_may_alias, t, to_if_expr(lhs).true_case(), modifies);
get_modifies_lhs(
local_may_alias, t, to_if_expr(lhs).false_case(), modifies);
}
}
void rd_range_domaint::assign(
const namespacet &ns,
locationt from,
const exprt &lhs,
const mp_integer &size)
{
if(lhs.id()==ID_typecast)
assign(ns, from, to_typecast_expr(lhs).op(), size);
else if(lhs.id()==ID_if)
assign_if(ns, from, to_if_expr(lhs), size);
else if(lhs.id()==ID_dereference)
assign_dereference(ns, from, to_dereference_expr(lhs), size);
else if(lhs.id()==ID_byte_extract_little_endian ||
lhs.id()==ID_byte_extract_big_endian)
assign_byte_extract(ns, from, to_byte_extract_expr(lhs), size);
else if(lhs.id()==ID_symbol ||
lhs.id()==ID_index ||
lhs.id()==ID_member)
assign(ns, from, lhs, compute_pointer_offset(ns, lhs), size);
else
throw "assignment to `"+lhs.id_string()+"' not handled";
}
/// Use the information in the domain to simplify the expression on the LHS of
/// an assignment. This for example won't simplify symbols to their values, but
/// does simplify indices in arrays, members of structs and dereferencing of
/// pointers
/// \param condition: the expression to simplify
/// \param ns: the namespace
/// \return True if condition did not change. False otherwise. condition will be
/// updated with the simplified condition if it has worked
bool ai_domain_baset::ai_simplify_lhs(
exprt &condition, const namespacet &ns) const
{
// Care must be taken here to give something that is still writable
if(condition.id()==ID_index)
{
index_exprt ie=to_index_expr(condition);
bool no_simplification=ai_simplify(ie.index(), ns);
if(!no_simplification)
condition=simplify_expr(ie, ns);
return no_simplification;
}
else if(condition.id()==ID_dereference)
{
dereference_exprt de=to_dereference_expr(condition);
bool no_simplification=ai_simplify(de.pointer(), ns);
if(!no_simplification)
condition=simplify_expr(de, ns); // So *(&x) -> x
return no_simplification;
}
else if(condition.id()==ID_member)
{
member_exprt me=to_member_expr(condition);
// Since simplify_ai_lhs is required to return an addressable object
// (so remains a valid left hand side), to simplify
// `(something_simplifiable).b` we require that `something_simplifiable`
// must also be addressable
bool no_simplification=ai_simplify_lhs(me.compound(), ns);
if(!no_simplification)
condition=simplify_expr(me, ns);
return no_simplification;
}
else
return true;
}
exprt dereference_rec(
const exprt &src,
const ssa_value_domaint &ssa_value_domain,
const std::string &nondet_prefix,
const namespacet &ns)
{
if(src.id()==ID_dereference)
{
const exprt &pointer=dereference_rec(
to_dereference_expr(src).pointer(),
ssa_value_domain,
nondet_prefix,
ns);
const typet &pointed_type=ns.follow(pointer.type().subtype());
const ssa_value_domaint::valuest values=ssa_value_domain(pointer, ns);
exprt result;
if(values.value_set.empty())
{
result=pointed_object(pointer, ns);
}
else
{
auto it=values.value_set.begin();
if(values.null || values.unknown ||
(values.value_set.size()>1 && it->type().get_bool("#dynamic")))
{
std::string dyn_type_name=pointed_type.id_string();
if(pointed_type.id()==ID_struct)
dyn_type_name+="_"+id2string(to_struct_type(pointed_type).get_tag());
irep_idt identifier="ssa::"+dyn_type_name+"_obj$unknown";
result=symbol_exprt(identifier, src.type());
result.set("#unknown_obj", true);
}
else
{
result=ssa_alias_value(src, (it++)->get_expr(), ns);
result.set("#heap_access", result.type().get_bool("#dynamic"));
}
for(; it!=values.value_set.end(); ++it)
{
exprt guard=ssa_alias_guard(src, it->get_expr(), ns);
exprt value=ssa_alias_value(src, it->get_expr(), ns);
result=if_exprt(guard, value, result);
result.set(
"#heap_access",
result.get_bool("#heap_access") ||
value.type().get_bool("#dynamic"));
}
}
return result;
}
else if(src.id()==ID_member)
{
member_exprt tmp=to_member_expr(src);
tmp.struct_op()=
dereference_rec(tmp.struct_op(), ssa_value_domain, nondet_prefix, ns);
tmp.set("#heap_access", tmp.struct_op().get_bool("#heap_access"));
#ifdef DEBUG
std::cout << "dereference_rec tmp: " << from_expr(ns, "", tmp) << '\n';
#endif
if(tmp.struct_op().is_nil())
return nil_exprt();
return lift_if(tmp);
}
else if(src.id()==ID_address_of)
{
address_of_exprt tmp=to_address_of_expr(src);
tmp.object()=
dereference_rec(tmp.object(), ssa_value_domain, nondet_prefix, ns);
tmp.set("#heap_access", tmp.object().get_bool("#heap_access"));
if(tmp.object().is_nil())
return nil_exprt();
return lift_if(tmp);
}
else
{
exprt tmp=src;
Forall_operands(it, tmp)
{
*it=dereference_rec(*it, ssa_value_domain, nondet_prefix, ns);
if(it->get_bool("#heap_access"))
tmp.set("#heap_access", true);
}
return tmp;
}
exprt dereference_rec(
const exprt &src,
const ssa_value_domaint &ssa_value_domain,
const std::string &nondet_prefix,
const namespacet &ns)
{
if(src.id()==ID_dereference)
{
const exprt &pointer=to_dereference_expr(src).pointer();
exprt pointer_deref=dereference(pointer, ssa_value_domain, nondet_prefix, ns);
// We use the identifier produced by
// local_SSAt::replace_side_effects_rec
exprt result=symbol_exprt(nondet_prefix, src.type());
// query the value sets
const ssa_value_domaint::valuest values=
ssa_value_domain(pointer, ns);
for(ssa_value_domaint::valuest::value_sett::const_iterator
it=values.value_set.begin();
it!=values.value_set.end();
it++)
{
exprt guard=ssa_alias_guard(src, it->get_expr(), ns);
exprt value=ssa_alias_value(src, it->get_expr(), ns);
result=if_exprt(guard, value, result);
}
return result;
}
else if(src.id()==ID_member)
{
member_exprt tmp=to_member_expr(src);
tmp.struct_op()=dereference_rec(tmp.struct_op(), ssa_value_domain, nondet_prefix, ns);
#ifdef DEBUG
std::cout << "dereference_rec tmp: " << from_expr(ns, "", tmp) << '\n';
#endif
if(tmp.struct_op().is_nil())
return nil_exprt();
return lift_if(tmp);
}
else if(src.id()==ID_address_of)
{
address_of_exprt tmp=to_address_of_expr(src);
tmp.object()=dereference_rec(tmp.object(), ssa_value_domain, nondet_prefix, ns);
if(tmp.object().is_nil())
return nil_exprt();
return lift_if(tmp);
}
else
{
exprt tmp=src;
Forall_operands(it, tmp)
*it=dereference_rec(*it, ssa_value_domain, nondet_prefix, ns);
return tmp;
}
}
void goto_checkt::check_rec(
const exprt &expr,
guardt &guard,
bool address)
{
// we don't look into quantifiers
if(expr.id()==ID_exists || expr.id()==ID_forall)
return;
if(address)
{
if(expr.id()==ID_dereference)
{
assert(expr.operands().size()==1);
check_rec(expr.op0(), guard, false);
}
else if(expr.id()==ID_index)
{
assert(expr.operands().size()==2);
check_rec(expr.op0(), guard, true);
check_rec(expr.op1(), guard, false);
}
else
{
forall_operands(it, expr)
check_rec(*it, guard, true);
}
return;
}
if(expr.id()==ID_address_of)
{
assert(expr.operands().size()==1);
check_rec(expr.op0(), guard, true);
return;
}
else if(expr.id()==ID_and || expr.id()==ID_or)
{
if(!expr.is_boolean())
throw "`"+expr.id_string()+"' must be Boolean, but got "+
expr.pretty();
guardt old_guard=guard;
for(unsigned i=0; i<expr.operands().size(); i++)
{
const exprt &op=expr.operands()[i];
if(!op.is_boolean())
throw "`"+expr.id_string()+"' takes Boolean operands only, but got "+
op.pretty();
check_rec(op, guard, false);
if(expr.id()==ID_or)
guard.add(not_exprt(op));
else
guard.add(op);
}
guard.swap(old_guard);
return;
}
else if(expr.id()==ID_if)
{
if(expr.operands().size()!=3)
throw "if takes three arguments";
if(!expr.op0().is_boolean())
{
std::string msg=
"first argument of if must be boolean, but got "
+expr.op0().pretty();
throw msg;
}
check_rec(expr.op0(), guard, false);
{
guardt old_guard=guard;
guard.add(expr.op0());
check_rec(expr.op1(), guard, false);
guard.swap(old_guard);
}
{
guardt old_guard=guard;
guard.add(not_exprt(expr.op0()));
check_rec(expr.op2(), guard, false);
guard.swap(old_guard);
}
return;
}
forall_operands(it, expr)
check_rec(*it, guard, false);
if(expr.id()==ID_index)
{
bounds_check(to_index_expr(expr), guard);
}
else if(expr.id()==ID_div)
{
div_by_zero_check(to_div_expr(expr), guard);
if(expr.type().id()==ID_signedbv)
integer_overflow_check(expr, guard);
else if(expr.type().id()==ID_floatbv)
{
nan_check(expr, guard);
float_overflow_check(expr, guard);
}
}
else if(expr.id()==ID_shl || expr.id()==ID_ashr || expr.id()==ID_lshr)
{
undefined_shift_check(to_shift_expr(expr), guard);
}
else if(expr.id()==ID_mod)
{
mod_by_zero_check(to_mod_expr(expr), guard);
}
else if(expr.id()==ID_plus || expr.id()==ID_minus ||
expr.id()==ID_mult ||
expr.id()==ID_unary_minus)
{
if(expr.type().id()==ID_signedbv ||
expr.type().id()==ID_unsignedbv)
{
if(expr.operands().size()==2 &&
expr.op0().type().id()==ID_pointer)
pointer_overflow_check(expr, guard);
else
integer_overflow_check(expr, guard);
}
else if(expr.type().id()==ID_floatbv)
{
nan_check(expr, guard);
float_overflow_check(expr, guard);
}
else if(expr.type().id()==ID_pointer)
{
pointer_overflow_check(expr, guard);
}
}
else if(expr.id()==ID_typecast)
conversion_check(expr, guard);
else if(expr.id()==ID_le || expr.id()==ID_lt ||
expr.id()==ID_ge || expr.id()==ID_gt)
pointer_rel_check(expr, guard);
else if(expr.id()==ID_dereference)
pointer_validity_check(to_dereference_expr(expr), guard);
}
void goto_checkt::bounds_check(
const index_exprt &expr,
const guardt &guard)
{
if(!enable_bounds_check)
return;
if(expr.find("bounds_check").is_not_nil() &&
!expr.get_bool("bounds_check"))
return;
typet array_type=ns.follow(expr.array().type());
if(array_type.id()==ID_pointer)
return; // done by the pointer code
else if(array_type.id()==ID_incomplete_array)
throw "index got incomplete array";
else if(array_type.id()!=ID_array && array_type.id()!=ID_vector)
throw "bounds check expected array or vector type, got "
+array_type.id_string();
std::string name=array_name(expr.array());
const exprt &index=expr.index();
object_descriptor_exprt ode;
ode.build(expr, ns);
if(index.type().id()!=ID_unsignedbv)
{
// we undo typecasts to signedbv
if(index.id()==ID_typecast &&
index.operands().size()==1 &&
index.op0().type().id()==ID_unsignedbv)
{
// ok
}
else
{
mp_integer i;
if(!to_integer(index, i) && i>=0)
{
// ok
}
else
{
exprt effective_offset=ode.offset();
if(ode.root_object().id()==ID_dereference)
{
exprt p_offset=pointer_offset(
to_dereference_expr(ode.root_object()).pointer());
assert(p_offset.type()==effective_offset.type());
effective_offset=plus_exprt(p_offset, effective_offset);
}
exprt zero=gen_zero(ode.offset().type());
assert(zero.is_not_nil());
// the final offset must not be negative
binary_relation_exprt inequality(effective_offset, ID_ge, zero);
add_guarded_claim(
inequality,
name+" lower bound",
"array bounds",
expr.find_source_location(),
expr,
guard);
}
}
}
if(ode.root_object().id()==ID_dereference)
{
const exprt &pointer=
to_dereference_expr(ode.root_object()).pointer();
if_exprt size(
dynamic_object(pointer),
typecast_exprt(dynamic_size(ns), object_size(pointer).type()),
object_size(pointer));
plus_exprt effective_offset(ode.offset(), pointer_offset(pointer));
assert(effective_offset.op0().type()==effective_offset.op1().type());
assert(effective_offset.type()==size.type());
binary_relation_exprt inequality(effective_offset, ID_lt, size);
or_exprt precond(
and_exprt(
dynamic_object(pointer),
not_exprt(malloc_object(pointer, ns))),
inequality);
add_guarded_claim(
precond,
name+" upper bound",
"array bounds",
expr.find_source_location(),
expr,
guard);
return;
}
const exprt &size=array_type.id()==ID_array ?
to_array_type(array_type).size() :
to_vector_type(array_type).size();
if(size.is_nil())
{
// Linking didn't complete, we don't have a size.
// Not clear what to do.
}
else if(size.id()==ID_infinity)
{
}
else if(size.is_zero() &&
expr.array().id()==ID_member)
{
// a variable sized struct member
}
else
{
binary_relation_exprt inequality(index, ID_lt, size);
// typecast size
if(inequality.op1().type()!=inequality.op0().type())
inequality.op1().make_typecast(inequality.op0().type());
// typecast size
if(inequality.op1().type()!=inequality.op0().type())
inequality.op1().make_typecast(inequality.op0().type());
add_guarded_claim(
inequality,
name+" upper bound",
"array bounds",
expr.find_source_location(),
expr,
guard);
}
}
exprt address_canonizer(
const exprt &address,
const namespacet &ns)
{
assert(ns.follow(address.type()).id()==ID_pointer);
if(address.id()==ID_address_of)
{
const address_of_exprt &address_of_expr=
to_address_of_expr(address);
const exprt &object=address_of_expr.object();
if(object.id()==ID_dereference)
{
// &*x ---> x
return to_dereference_expr(object).pointer();
}
else if(object.id()==ID_member)
{
// get offset
exprt offset=member_offset_expr(to_member_expr(object), ns);
// &x.m ---> (&x)+offset
address_of_exprt address_of_expr(to_member_expr(object).struct_op());
exprt rec_result=address_canonizer(address_of_expr, ns); // rec. call
pointer_typet byte_pointer(unsigned_char_type());
typecast_exprt typecast_expr(rec_result, byte_pointer);
plus_exprt sum(typecast_expr, offset);
if(sum.type()!=address.type())
sum.make_typecast(address.type());
return sum;
}
else if(object.id()==ID_index)
{
// &(x[i]) ---> (&x)+i
address_of_exprt address_of_expr(to_index_expr(object).array());
exprt rec_result=address_canonizer(address_of_expr, ns); // rec. call
pointer_typet pointer_type;
pointer_type.subtype()=object.type();
typecast_exprt typecast_expr(rec_result, pointer_type);
plus_exprt sum(typecast_expr, to_index_expr(object).index());
if(sum.type()!=address.type())
sum.make_typecast(address.type());
return sum;
}
else if(object.id()==ID_symbol && is_iterator(object))
{
// address of iterator is dereferenced to a corresponding symbol -
// will be bound to real address during analysis
symbol_exprt iterator_addr(
id2string(to_symbol_expr(object).get_identifier())+"'addr",
address.type());
return iterator_addr;
}
else
return address;
}
else if(address.id()==ID_plus ||
address.id()==ID_minus)
{
// one of the operands needs to be a pointer
assert(address.operands().size()==2);
exprt tmp=address;
if(ns.follow(tmp.op0().type()).id()==ID_pointer)
{
tmp.op0()=address_canonizer(tmp.op0(), ns);
return tmp;
}
else if(ns.follow(tmp.op1().type()).id()==ID_pointer)
{
tmp.op1()=address_canonizer(tmp.op1(), ns);
return tmp;
}
else
return tmp;
}
else if(address.id()==ID_if)
{
if_exprt tmp=to_if_expr(address);
tmp.true_case()=address_canonizer(tmp.true_case(), ns);
tmp.false_case()=address_canonizer(tmp.false_case(), ns);
return tmp;
}
else if(address.id()==ID_typecast)
{
typecast_exprt tmp=to_typecast_expr(address);
// cast from another pointer?
if(tmp.op().type().id()==ID_pointer)
{
tmp.op()=address_canonizer(tmp.op(), ns);
return tmp;
}
return address;
}
else
return address;
}
bool remove_const_function_pointerst::try_resolve_function_call(
const exprt &expr, functionst &out_functions)
{
assert(out_functions.empty());
const exprt &simplified_expr=simplify_expr(expr, ns);
bool resolved=false;
functionst resolved_functions;
if(simplified_expr.id()==ID_index)
{
const index_exprt &index_expr=to_index_expr(simplified_expr);
resolved=try_resolve_index_of_function_call(index_expr, resolved_functions);
}
else if(simplified_expr.id()==ID_member)
{
const member_exprt &member_expr=to_member_expr(simplified_expr);
resolved=try_resolve_member_function_call(member_expr, resolved_functions);
}
else if(simplified_expr.id()==ID_address_of)
{
address_of_exprt address_expr=to_address_of_expr(simplified_expr);
resolved=try_resolve_address_of_function_call(
address_expr, resolved_functions);
}
else if(simplified_expr.id()==ID_dereference)
{
const dereference_exprt &deref=to_dereference_expr(simplified_expr);
resolved=try_resolve_dereference_function_call(deref, resolved_functions);
}
else if(simplified_expr.id()==ID_typecast)
{
typecast_exprt typecast_expr=to_typecast_expr(simplified_expr);
resolved=
try_resolve_typecast_function_call(typecast_expr, resolved_functions);
}
else if(simplified_expr.id()==ID_symbol)
{
if(simplified_expr.type().id()==ID_code)
{
resolved_functions.insert(simplified_expr);
resolved=true;
}
else
{
LOG("Non const symbol wasn't squashed", simplified_expr);
resolved=false;
}
}
else
{
LOG("Unrecognised expression", simplified_expr);
resolved=false;
}
if(resolved)
{
out_functions.insert(resolved_functions.begin(), resolved_functions.end());
return true;
}
else
{
return false;
}
}
exprt goto_symext::address_arithmetic(
const exprt &expr,
statet &state,
guardt &guard,
bool keep_array)
{
exprt result;
if(expr.id()==ID_byte_extract_little_endian ||
expr.id()==ID_byte_extract_big_endian)
{
// address_of(byte_extract(op, offset, t)) is
// address_of(op) + offset with adjustments for arrays
const byte_extract_exprt &be=to_byte_extract_expr(expr);
// recursive call
result=address_arithmetic(be.op(), state, guard, keep_array);
if(ns.follow(be.op().type()).id()==ID_array &&
result.id()==ID_address_of)
{
address_of_exprt &a=to_address_of_expr(result);
// turn &a of type T[i][j] into &(a[0][0])
for(const typet *t=&(ns.follow(a.type().subtype()));
t->id()==ID_array && !base_type_eq(expr.type(), *t, ns);
t=&(ns.follow(*t).subtype()))
a.object()=index_exprt(a.object(), from_integer(0, index_type()));
}
// do (expr.type() *)(((char *)op)+offset)
result=typecast_exprt(result, pointer_typet(char_type()));
// there could be further dereferencing in the offset
exprt offset=be.offset();
dereference_rec(offset, state, guard, false);
result=plus_exprt(result, offset);
// treat &array as &array[0]
const typet &expr_type=ns.follow(expr.type());
pointer_typet dest_type;
if(expr_type.id()==ID_array && !keep_array)
dest_type.subtype()=expr_type.subtype();
else
dest_type.subtype()=expr_type;
result=typecast_exprt(result, dest_type);
}
else if(expr.id()==ID_index ||
expr.id()==ID_member)
{
object_descriptor_exprt ode;
ode.build(expr, ns);
byte_extract_exprt be(byte_extract_id());
be.type()=expr.type();
be.op()=ode.root_object();
be.offset()=ode.offset();
// recursive call
result=address_arithmetic(be, state, guard, keep_array);
do_simplify(result);
}
else if(expr.id()==ID_dereference)
{
// ANSI-C guarantees &*p == p no matter what p is,
// even if it's complete garbage
// just grab the pointer, but be wary of further dereferencing
// in the pointer itself
result=to_dereference_expr(expr).pointer();
dereference_rec(result, state, guard, false);
}
else if(expr.id()==ID_if)
{
if_exprt if_expr=to_if_expr(expr);
// the condition is not an address
dereference_rec(if_expr.cond(), state, guard, false);
// recursive call
if_expr.true_case()=
address_arithmetic(if_expr.true_case(), state, guard, keep_array);
if_expr.false_case()=
address_arithmetic(if_expr.false_case(), state, guard, keep_array);
result=if_expr;
}
else if(expr.id()==ID_symbol ||
expr.id()==ID_string_constant ||
expr.id()==ID_label ||
expr.id()==ID_array)
{
// give up, just dereference
result=expr;
dereference_rec(result, state, guard, false);
// turn &array into &array[0]
if(ns.follow(result.type()).id()==ID_array && !keep_array)
result=index_exprt(result, from_integer(0, index_type()));
// handle field-sensitive SSA symbol
mp_integer offset=0;
if(expr.id()==ID_symbol &&
expr.get_bool(ID_C_SSA_symbol))
{
offset=compute_pointer_offset(expr, ns);
assert(offset>=0);
}
if(offset>0)
{
byte_extract_exprt be(byte_extract_id());
be.type()=expr.type();
be.op()=to_ssa_expr(expr).get_l1_object();
be.offset()=from_integer(offset, index_type());
result=address_arithmetic(be, state, guard, keep_array);
do_simplify(result);
}
else
result=address_of_exprt(result);
}
else
throw "goto_symext::address_arithmetic does not handle "+expr.id_string();
const typet &expr_type=ns.follow(expr.type());
assert((expr_type.id()==ID_array && !keep_array) ||
base_type_eq(pointer_typet(expr_type), result.type(), ns));
return result;
}
