exprt dereferencet::dereference_typecast(
const typecast_exprt &expr,
const exprt &offset,
const typet &type)
{
const exprt &op=expr.op();
const typet &op_type=ns.follow(op.type());
// pointer type cast?
if(op_type.id()==ID_pointer)
return dereference_rec(op, offset, type); // just pass down
else if(op_type.id()==ID_signedbv || op_type.id()==ID_unsignedbv)
{
// We got an integer-typed address A. We turn this back (!)
// into *(type *)(A+offset), and then let some other layer
// worry about it.
exprt integer=op;
if(!offset.is_zero())
integer=
plus_exprt(offset, typecast_exprt(op, offset.type()));
exprt new_typecast=
typecast_exprt(integer, pointer_typet(type));
return dereference_exprt(new_typecast, type);
}
else
throw "dereferencet: unexpected cast";
}
void thread_exit_instrumentation(goto_programt &goto_program)
{
if(goto_program.instructions.empty()) return;
// add assertion that all may flags for mutex-locked are gone
// at the end
goto_programt::targett end=goto_program.instructions.end();
end--;
assert(end->is_end_function());
source_locationt source_location=end->source_location;
irep_idt function=end->function;
goto_program.insert_before_swap(end);
exprt mutex_locked_string=
string_constantt("mutex-locked");
binary_exprt get_may("get_may");
// NULL is any
get_may.op0()=constant_exprt(ID_NULL, pointer_typet(empty_typet()));
get_may.op1()=address_of_exprt(mutex_locked_string);
end->make_assertion(not_exprt(get_may));
end->source_location=source_location;
end->source_location.set_comment("mutexes must not be locked on thread exit");
end->function=function;
}
void java_bytecode_convert_classt::add_array_types()
{
const std::string letters="ijsbcfdza";
for(const char l : letters)
{
symbol_typet symbol_type=
to_symbol_type(java_array_type(l).subtype());
struct_typet struct_type;
// we have the base class, java.lang.Object, length and data
// of appropriate type
struct_type.set_tag(symbol_type.get_identifier());
struct_type.components().reserve(3);
struct_typet::componentt
comp0("@java.lang.Object", symbol_typet("java::java.lang.Object"));
struct_type.components().push_back(comp0);
struct_typet::componentt comp1("length", java_int_type());
struct_type.components().push_back(comp1);
struct_typet::componentt
comp2("data", pointer_typet(java_type_from_char(l)));
struct_type.components().push_back(comp2);
symbolt symbol;
symbol.name=symbol_type.get_identifier();
symbol.base_name=symbol_type.get(ID_C_base_name);
symbol.is_type=true;
symbol.type=struct_type;
symbol_table.add(symbol);
}
}
void java_bytecode_convertt::add_array_types()
{
const char letters[]="ijsbcfdza";
for(unsigned i=0; letters[i]!=0; i++)
{
symbol_typet symbol_type=
to_symbol_type(java_array_type(letters[i]).subtype());
struct_typet struct_type;
// we have the base class, java.lang.Object, length and data
// of appropriate type
struct_type.set_tag(symbol_type.get_identifier());
struct_type.components().resize(3);
struct_type.components()[0].set_name("@java.lang.Object");
struct_type.components()[0].type()=symbol_typet("java::java.lang.Object");
struct_type.components()[1].set_name("length");
struct_type.components()[1].type()=java_int_type();
struct_type.components()[2].set_name("data");
struct_type.components()[2].type()=
pointer_typet(java_type_from_char(letters[i]));
symbolt symbol;
symbol.name=symbol_type.get_identifier();
symbol.base_name=symbol_type.get(ID_C_base_name);
symbol.is_type=true;
symbol.type=struct_type;
symbol_table.add(symbol);
}
}
void goto_convertt::do_java_new(
const exprt &lhs,
const side_effect_exprt &rhs,
goto_programt &dest)
{
if(lhs.is_nil())
throw "do_java_new without lhs is yet to be implemented";
source_locationt location=rhs.source_location();
assert(rhs.operands().empty());
if(rhs.type().id()!=ID_pointer)
throw "do_java_new returns pointer";
typet object_type=rhs.type().subtype();
// build size expression
exprt object_size=size_of_expr(object_type, ns);
if(object_size.is_nil())
throw "do_java_new got nil object_size";
// we produce a malloc side-effect, which stays
side_effect_exprt malloc_expr(ID_malloc);
malloc_expr.copy_to_operands(object_size);
malloc_expr.type()=pointer_typet(object_type);
goto_programt::targett t_n=dest.add_instruction(ASSIGN);
t_n->code=code_assignt(lhs, malloc_expr);
t_n->source_location=location;
// zero-initialize the object
dereference_exprt deref(lhs, object_type);
exprt zero_object=zero_initializer(object_type, location, ns, get_message_handler());
set_class_identifier(to_struct_expr(zero_object), ns, to_symbol_type(object_type));
goto_programt::targett t_i=dest.add_instruction(ASSIGN);
t_i->code=code_assignt(deref, zero_object);
t_i->source_location=location;
}
void remove_virtual_functionst::remove_virtual_function(
goto_programt &goto_program,
goto_programt::targett target)
{
const code_function_callt &code=
to_code_function_call(target->code);
const exprt &function=code.function();
assert(function.id()==ID_virtual_function);
assert(!code.arguments().empty());
functionst functions;
get_functions(function, functions);
if(functions.empty())
{
target->make_skip();
return; // give up
}
// the final target is a skip
goto_programt final_skip;
goto_programt::targett t_final=final_skip.add_instruction();
t_final->make_skip();
// build the calls and gotos
goto_programt new_code_calls;
goto_programt new_code_gotos;
for(functionst::const_iterator
it=functions.begin();
it!=functions.end();
it++)
{
// call function
goto_programt::targett t1=new_code_calls.add_instruction();
t1->make_function_call(code);
to_code_function_call(t1->code).function()=it->symbol_expr;
// goto final
goto_programt::targett t3=new_code_calls.add_instruction();
t3->make_goto(t_final, true_exprt());
exprt this_expr=code.arguments()[0];
if(this_expr.type().id()!=ID_pointer ||
this_expr.type().id()!=ID_struct)
{
symbol_typet symbol_type(it->class_id);
this_expr=typecast_exprt(this_expr, pointer_typet(symbol_type));
}
exprt deref=dereference_exprt(this_expr, this_expr.type().subtype());
exprt c_id1=constant_exprt(it->class_id, string_typet());
exprt c_id2=build_class_identifier(deref);
goto_programt::targett t4=new_code_gotos.add_instruction();
t4->make_goto(t1, equal_exprt(c_id1, c_id2));
}
goto_programt new_code;
// patch them all together
new_code.destructive_append(new_code_gotos);
new_code.destructive_append(new_code_calls);
new_code.destructive_append(final_skip);
// set locations
Forall_goto_program_instructions(it, new_code)
{
irep_idt property_class=it->source_location.get_property_class();
irep_idt comment=it->source_location.get_comment();
it->source_location=target->source_location;
it->function=target->function;
if(!property_class.empty()) it->source_location.set_property_class(property_class);
if(!comment.empty()) it->source_location.set_comment(comment);
}
expr2tc
goto_symext::symex_mem(
const bool is_malloc,
const expr2tc &lhs,
const sideeffect2t &code)
{
if (is_nil_expr(lhs))
return expr2tc(); // ignore
// size
type2tc type = code.alloctype;
expr2tc size = code.size;
bool size_is_one = false;
if (is_nil_expr(size))
size_is_one=true;
else
{
cur_state->rename(size);
mp_integer i;
if (is_constant_int2t(size) && to_constant_int2t(size).as_ulong() == 1)
size_is_one = true;
}
if (is_nil_type(type))
type = char_type2();
else if (is_union_type(type)) {
// Filter out creation of instantiated unions. They're now all byte arrays.
size_is_one = false;
type = char_type2();
}
unsigned int &dynamic_counter = get_dynamic_counter();
dynamic_counter++;
// value
symbolt symbol;
symbol.base_name = "dynamic_" + i2string(dynamic_counter) +
(size_is_one ? "_value" : "_array");
symbol.name = "symex_dynamic::" + id2string(symbol.base_name);
symbol.lvalue = true;
typet renamedtype = ns.follow(migrate_type_back(type));
if(size_is_one)
symbol.type=renamedtype;
else
{
symbol.type=typet(typet::t_array);
symbol.type.subtype()=renamedtype;
symbol.type.size(migrate_expr_back(size));
}
symbol.type.dynamic(true);
symbol.mode="C";
new_context.add(symbol);
type2tc new_type;
migrate_type(symbol.type, new_type);
address_of2tc rhs_addrof(get_empty_type(), expr2tc());
if(size_is_one)
{
rhs_addrof.get()->type = get_pointer_type(pointer_typet(symbol.type));
rhs_addrof.get()->ptr_obj = symbol2tc(new_type, symbol.name);
}
else
{
type2tc subtype;
migrate_type(symbol.type.subtype(), subtype);
expr2tc sym = symbol2tc(new_type, symbol.name);
expr2tc idx_val = zero_ulong;
expr2tc idx = index2tc(subtype, sym, idx_val);
rhs_addrof.get()->type =
get_pointer_type(pointer_typet(symbol.type.subtype()));
rhs_addrof.get()->ptr_obj = idx;
}
expr2tc rhs = rhs_addrof;
expr2tc ptr_rhs = rhs;
if (!options.get_bool_option("force-malloc-success")) {
symbol2tc null_sym(rhs->type, "NULL");
sideeffect2tc choice(get_bool_type(), expr2tc(), expr2tc(), std::vector<expr2tc>(), type2tc(), sideeffect2t::nondet);
rhs = if2tc(rhs->type, choice, rhs, null_sym);
replace_nondet(rhs);
ptr_rhs = rhs;
}
if (rhs->type != lhs->type)
rhs = typecast2tc(lhs->type, rhs);
cur_state->rename(rhs);
expr2tc rhs_copy(rhs);
guardt guard;
symex_assign_rec(lhs, rhs, guard);
pointer_object2tc ptr_obj(pointer_type2(), ptr_rhs);
track_new_pointer(ptr_obj, new_type);
dynamic_memory.push_back(allocated_obj(rhs_copy, cur_state->guard, !is_malloc));
return rhs_addrof->ptr_obj;
}
void remove_function_pointerst::remove_function_pointer(
goto_programt &goto_program,
goto_programt::targett target)
{
const code_function_callt &code=
to_code_function_call(target->code);
const exprt &function=code.function();
// this better have the right type
code_typet call_type=to_code_type(function.type());
// refine the type in case the forward declaration was incomplete
if(call_type.has_ellipsis() &&
call_type.parameters().empty())
{
call_type.remove_ellipsis();
forall_expr(it, code.arguments())
call_type.parameters().push_back(
code_typet::parametert(it->type()));
}
assert(function.id()==ID_dereference);
assert(function.operands().size()==1);
bool found_functions;
const exprt &pointer=function.op0();
remove_const_function_pointerst::functionst functions;
does_remove_constt const_removal_check(goto_program, ns);
if(const_removal_check())
{
warning() << "Cast from const to non-const pointer found, only worst case"
<< " function pointer removal will be done." << eom;
found_functions=false;
}
else
{
remove_const_function_pointerst fpr(
get_message_handler(), pointer, ns, symbol_table);
found_functions=fpr(functions);
// Either found_functions is true therefore the functions should not
// be empty
// Or found_functions is false therefore the functions should be empty
assert(found_functions != functions.empty());
if(functions.size()==1)
{
to_code_function_call(target->code).function()=*functions.cbegin();
return;
}
}
if(!found_functions)
{
if(only_resolve_const_fps)
{
// If this mode is enabled, we only remove function pointers
// that we can resolve either to an exact funciton, or an exact subset
// (e.g. a variable index in a constant array).
// Since we haven't found functions, we would now resort to
// replacing the function pointer with any function with a valid signature
// Since we don't want to do that, we abort.
return;
}
bool return_value_used=code.lhs().is_not_nil();
// get all type-compatible functions
// whose address is ever taken
for(const auto &t : type_map)
{
// address taken?
if(address_taken.find(t.first)==address_taken.end())
continue;
// type-compatible?
if(!is_type_compatible(return_value_used, call_type, t.second))
continue;
if(t.first=="pthread_mutex_cleanup")
continue;
symbol_exprt expr;
expr.type()=t.second;
expr.set_identifier(t.first);
functions.insert(expr);
}
}
// the final target is a skip
goto_programt final_skip;
goto_programt::targett t_final=final_skip.add_instruction();
t_final->make_skip();
// build the calls and gotos
goto_programt new_code_calls;
goto_programt new_code_gotos;
for(const auto &fun : functions)
{
// call function
goto_programt::targett t1=new_code_calls.add_instruction();
t1->make_function_call(code);
to_code_function_call(t1->code).function()=fun;
// the signature of the function might not match precisely
fix_argument_types(to_code_function_call(t1->code));
fix_return_type(to_code_function_call(t1->code), new_code_calls);
// goto final
goto_programt::targett t3=new_code_calls.add_instruction();
t3->make_goto(t_final, true_exprt());
// goto to call
address_of_exprt address_of;
address_of.object()=fun;
address_of.type()=pointer_typet();
address_of.type().subtype()=fun.type();
if(address_of.type()!=pointer.type())
address_of.make_typecast(pointer.type());
goto_programt::targett t4=new_code_gotos.add_instruction();
t4->make_goto(t1, equal_exprt(pointer, address_of));
}
// fall-through
if(add_safety_assertion)
{
goto_programt::targett t=new_code_gotos.add_instruction();
t->make_assertion(false_exprt());
t->source_location.set_property_class("pointer dereference");
t->source_location.set_comment("invalid function pointer");
}
goto_programt new_code;
// patch them all together
new_code.destructive_append(new_code_gotos);
new_code.destructive_append(new_code_calls);
new_code.destructive_append(final_skip);
// set locations
Forall_goto_program_instructions(it, new_code)
{
irep_idt property_class=it->source_location.get_property_class();
irep_idt comment=it->source_location.get_comment();
it->source_location=target->source_location;
it->function=target->function;
if(!property_class.empty())
it->source_location.set_property_class(property_class);
if(!comment.empty())
it->source_location.set_comment(comment);
}
void remove_function_pointerst::remove_function_pointer(
goto_programt &goto_program,
goto_programt::targett target)
{
const code_function_callt &code=
to_code_function_call(target->code);
const exprt &function=code.function();
// this better have the right type
const code_typet &call_type=to_code_type(function.type());
assert(function.id()==ID_dereference);
assert(function.operands().size()==1);
const exprt &pointer=function.op0();
typedef std::list<exprt> functionst;
functionst functions;
// get all type-compatible functions
// whose address is ever taken
for(type_mapt::const_iterator f_it=
type_map.begin();
f_it!=type_map.end();
f_it++)
{
// address taken?
if(address_taken.find(f_it->first)==address_taken.end())
continue;
// type-compatible?
if(!is_type_compatible(call_type, f_it->second))
continue;
symbol_exprt expr;
expr.type()=f_it->second;
expr.set_identifier(f_it->first);
functions.push_back(expr);
}
// the final target is a skip
goto_programt final_skip;
goto_programt::targett t_final=final_skip.add_instruction();
t_final->make_skip();
// build the calls and gotos
goto_programt new_code_calls;
goto_programt new_code_gotos;
for(functionst::const_iterator
it=functions.begin();
it!=functions.end();
it++)
{
// call function
goto_programt::targett t1=new_code_calls.add_instruction();
t1->make_function_call(code);
to_code_function_call(t1->code).function()=*it;
// the signature of the function might not match precisely
fix_argument_types(to_code_function_call(t1->code));
fix_return_type(to_code_function_call(t1->code), new_code_calls);
// goto final
goto_programt::targett t3=new_code_calls.add_instruction();
t3->make_goto(t_final, true_exprt());
// goto to call
address_of_exprt address_of;
address_of.object()=*it;
address_of.type()=pointer_typet();
address_of.type().subtype()=it->type();
if(address_of.type()!=pointer.type())
address_of.make_typecast(pointer.type());
goto_programt::targett t4=new_code_gotos.add_instruction();
t4->make_goto(t1, equal_exprt(pointer, address_of));
}
// fall-through
if(add_safety_assertion)
{
goto_programt::targett t=new_code_gotos.add_instruction();
t->make_assertion(false_exprt());
t->location.set(ID_property, "pointer dereference");
t->location.set(ID_comment, "invalid function pointer");
}
goto_programt new_code;
// patch them all together
new_code.destructive_append(new_code_gotos);
new_code.destructive_append(new_code_calls);
new_code.destructive_append(final_skip);
// set locations
Forall_goto_program_instructions(it, new_code)
{
irep_idt property=it->location.get_property();
irep_idt comment=it->location.get_comment();
it->location=target->location;
it->function=target->function;
if(!property.empty()) it->location.set_property(property);
if(!comment.empty()) it->location.set_comment(comment);
}
void remove_function_pointerst::remove_function_pointer(
goto_programt &goto_program,
goto_programt::targett target)
{
const code_function_callt &code=
to_code_function_call(target->code);
const exprt &function=code.function();
// this better have the right type
code_typet call_type=to_code_type(function.type());
// refine the type in case the forward declaration was incomplete
if(call_type.has_ellipsis() &&
call_type.parameters().empty())
{
call_type.remove_ellipsis();
forall_expr(it, code.arguments())
call_type.parameters().push_back(
code_typet::parametert(it->type()));
}
assert(function.id()==ID_dereference);
assert(function.operands().size()==1);
const exprt &pointer=function.op0();
// Is this simple?
if(pointer.id()==ID_address_of &&
to_address_of_expr(pointer).object().id()==ID_symbol)
{
to_code_function_call(target->code).function()=
to_address_of_expr(pointer).object();
return;
}
typedef std::list<exprt> functionst;
functionst functions;
bool return_value_used=code.lhs().is_not_nil();
// get all type-compatible functions
// whose address is ever taken
for(type_mapt::const_iterator f_it=
type_map.begin();
f_it!=type_map.end();
f_it++)
{
// address taken?
if(address_taken.find(f_it->first)==address_taken.end())
continue;
// type-compatible?
if(!is_type_compatible(return_value_used, call_type, f_it->second))
continue;
if(f_it->first=="pthread_mutex_cleanup")
continue;
symbol_exprt expr;
expr.type()=f_it->second;
expr.set_identifier(f_it->first);
functions.push_back(expr);
}
// the final target is a skip
goto_programt final_skip;
goto_programt::targett t_final=final_skip.add_instruction();
t_final->make_skip();
// build the calls and gotos
goto_programt new_code_calls;
goto_programt new_code_gotos;
for(functionst::const_iterator
it=functions.begin();
it!=functions.end();
it++)
{
// call function
goto_programt::targett t1=new_code_calls.add_instruction();
t1->make_function_call(code);
to_code_function_call(t1->code).function()=*it;
// the signature of the function might not match precisely
fix_argument_types(to_code_function_call(t1->code));
fix_return_type(to_code_function_call(t1->code), new_code_calls);
// goto final
goto_programt::targett t3=new_code_calls.add_instruction();
t3->make_goto(t_final, true_exprt());
// goto to call
address_of_exprt address_of;
address_of.object()=*it;
address_of.type()=pointer_typet();
address_of.type().subtype()=it->type();
if(address_of.type()!=pointer.type())
address_of.make_typecast(pointer.type());
goto_programt::targett t4=new_code_gotos.add_instruction();
t4->make_goto(t1, equal_exprt(pointer, address_of));
}
// fall-through
if(add_safety_assertion)
{
goto_programt::targett t=new_code_gotos.add_instruction();
t->make_assertion(false_exprt());
t->source_location.set_property_class("pointer dereference");
t->source_location.set_comment("invalid function pointer");
}
goto_programt new_code;
// patch them all together
new_code.destructive_append(new_code_gotos);
new_code.destructive_append(new_code_calls);
new_code.destructive_append(final_skip);
// set locations
Forall_goto_program_instructions(it, new_code)
{
irep_idt property_class=it->source_location.get_property_class();
irep_idt comment=it->source_location.get_comment();
it->source_location=target->source_location;
it->function=target->function;
if(!property_class.empty()) it->source_location.set_property_class(property_class);
if(!comment.empty()) it->source_location.set_comment(comment);
}
GIVEN("Const and non-const primitive and pointers to primitives")
{
c_qualifierst const_qualifier;
const_qualifier.is_constant=true;
// const int
typet const_primitive_type=integer_typet();
const_qualifier.write(const_primitive_type);
// int
typet non_const_primitive_type=integer_typet();
// pointer (can be reassigned)
// to int (value can be changed)
// int *
typet pointer_to_int_type=pointer_typet(non_const_primitive_type);
// const pointer (can't be reassigned)
// to int (value can be changed)
// int * const
typet const_pointer_to_int_type=pointer_typet(non_const_primitive_type);
const_qualifier.write(const_pointer_to_int_type);
// pointer (can be reassigned)
// to const int (value can't be changed)
// const int *
typet pointer_to_const_int_type=pointer_typet(const_primitive_type);
// constant pointer (can't be reassigned)
// to const int (value can't be changed)
// const int * const
void goto_symext::dereference_rec(
exprt &expr,
statet &state,
guardt &guard,
const bool write)
{
if(expr.id()==ID_dereference)
{
if(expr.operands().size()!=1)
throw "dereference takes one operand";
exprt tmp1;
tmp1.swap(expr.op0());
// first make sure there are no dereferences in there
dereference_rec(tmp1, state, guard, false);
// we need to set up some elaborate call-backs
symex_dereference_statet symex_dereference_state(*this, state);
value_set_dereferencet dereference(
ns,
new_symbol_table,
options,
symex_dereference_state,
language_mode);
// std::cout << "**** " << from_expr(ns, "", tmp1) << std::endl;
exprt tmp2=dereference.dereference(
tmp1, guard, write?value_set_dereferencet::WRITE:value_set_dereferencet::READ);
//std::cout << "**** " << from_expr(ns, "", tmp2) << std::endl;
expr.swap(tmp2);
// this may yield a new auto-object
trigger_auto_object(expr, state);
}
else if(expr.id()==ID_index &&
to_index_expr(expr).array().id()==ID_member &&
to_array_type(ns.follow(to_index_expr(expr).array().type())).
size().is_zero())
{
// This is an expression of the form x.a[i],
// where a is a zero-sized array. This gets
// re-written into *(&x.a+i)
index_exprt index_expr=to_index_expr(expr);
address_of_exprt address_of_expr(index_expr.array());
address_of_expr.type()=pointer_typet(expr.type());
dereference_exprt tmp;
tmp.pointer()=plus_exprt(address_of_expr, index_expr.index());
tmp.type()=expr.type();
tmp.add_source_location()=expr.source_location();
// recursive call
dereference_rec(tmp, state, guard, write);
expr.swap(tmp);
}
else if(expr.id()==ID_index &&
to_index_expr(expr).array().type().id()==ID_pointer)
{
// old stuff, will go away
assert(false);
}
else if(expr.id()==ID_address_of)
{
address_of_exprt &address_of_expr=to_address_of_expr(expr);
exprt &object=address_of_expr.object();
const typet &expr_type=ns.follow(expr.type());
expr=address_arithmetic(object, state, guard,
expr_type.subtype().id()==ID_array);
}
else if(expr.id()==ID_typecast)
{
exprt &tc_op=to_typecast_expr(expr).op();
// turn &array into &array[0] when casting to pointer-to-element-type
if(tc_op.id()==ID_address_of &&
to_address_of_expr(tc_op).object().type().id()==ID_array &&
base_type_eq(
expr.type(),
pointer_typet(to_address_of_expr(tc_op).object().type().subtype()),
ns))
{
expr=
address_of_exprt(
index_exprt(
to_address_of_expr(tc_op).object(),
from_integer(0, index_type())));
dereference_rec(expr, state, guard, write);
}
else
{
dereference_rec(tc_op, state, guard, write);
}
}
else
{
Forall_operands(it, expr)
dereference_rec(*it, state, guard, write);
}
}
void string_instrumentationt::do_strerror(
goto_programt &dest,
goto_programt::targett it,
code_function_callt &call)
{
if(call.lhs().is_nil())
{
it->make_skip();
return;
}
irep_idt identifier_buf="c::__strerror_buffer";
irep_idt identifier_size="c::__strerror_buffer_size";
if(context.symbols.find(identifier_buf)==context.symbols.end())
{
symbolt new_symbol_size;
new_symbol_size.base_name="__strerror_buffer_size";
new_symbol_size.pretty_name=new_symbol_size.base_name;
new_symbol_size.name=identifier_size;
new_symbol_size.mode="C";
new_symbol_size.type=uint_type();
new_symbol_size.is_statevar=true;
new_symbol_size.lvalue=true;
new_symbol_size.static_lifetime=true;
array_typet type;
type.subtype()=char_type();
type.size()=symbol_expr(new_symbol_size);
symbolt new_symbol_buf;
new_symbol_buf.mode="C";
new_symbol_buf.type=type;
new_symbol_buf.is_statevar=true;
new_symbol_buf.lvalue=true;
new_symbol_buf.static_lifetime=true;
new_symbol_buf.base_name="__strerror_buffer";
new_symbol_buf.pretty_name=new_symbol_buf.base_name;
new_symbol_buf.name="c::"+id2string(new_symbol_buf.base_name);
context.move(new_symbol_buf);
context.move(new_symbol_size);
}
const symbolt &symbol_size=ns.lookup(identifier_size);
const symbolt &symbol_buf=ns.lookup(identifier_buf);
goto_programt tmp;
{
goto_programt::targett assignment1=tmp.add_instruction(ASSIGN);
exprt nondet_size=side_effect_expr_nondett(uint_type());
assignment1->code=code_assignt(symbol_expr(symbol_size), nondet_size);
assignment1->location=it->location;
goto_programt::targett assumption1=tmp.add_instruction();
assumption1->make_assumption(binary_relation_exprt(
symbol_expr(symbol_size), "notequal",
gen_zero(symbol_size.type)));
assumption1->location=it->location;
}
// return a pointer to some magic buffer
exprt index=exprt("index", char_type());
index.copy_to_operands(symbol_expr(symbol_buf), gen_zero(uint_type()));
exprt ptr=exprt("address_of", pointer_typet());
ptr.type().subtype()=char_type();
ptr.copy_to_operands(index);
// make that zero-terminated
{
goto_programt::targett assignment2=tmp.add_instruction(ASSIGN);
assignment2->code=code_assignt(is_zero_string(ptr, true), true_exprt());
assignment2->location=it->location;
}
// assign address
{
goto_programt::targett assignment3=tmp.add_instruction(ASSIGN);
exprt rhs=ptr;
make_type(rhs, call.lhs().type());
assignment3->code=code_assignt(call.lhs(), rhs);
assignment3->location=it->location;
}
it->make_skip();
dest.insert_before_swap(it, tmp);
}
void goto_convertt::do_java_new_array(
const exprt &lhs,
const side_effect_exprt &rhs,
goto_programt &dest)
{
if(lhs.is_nil())
throw "do_java_new_array without lhs is yet to be implemented";
source_locationt location=rhs.source_location();
assert(rhs.operands().size()>=1); // one per dimension
if(rhs.type().id()!=ID_pointer)
throw "do_java_new_array returns pointer";
typet object_type=rhs.type().subtype();
// build size expression
exprt object_size=size_of_expr(object_type, ns);
if(object_size.is_nil())
throw "do_java_new_array got nil object_size";
// we produce a malloc side-effect, which stays
side_effect_exprt malloc_expr(ID_malloc);
malloc_expr.copy_to_operands(object_size);
malloc_expr.type()=pointer_typet(object_type);
goto_programt::targett t_n=dest.add_instruction(ASSIGN);
t_n->code=code_assignt(lhs, malloc_expr);
t_n->source_location=location;
// multi-dimensional?
assert(ns.follow(object_type).id()==ID_struct);
const struct_typet &struct_type=to_struct_type(ns.follow(object_type));
assert(struct_type.components().size()==3);
// if it's an array, we need to set the length field
dereference_exprt deref(lhs, object_type);
member_exprt length(deref, struct_type.components()[1].get_name(), struct_type.components()[1].type());
goto_programt::targett t_s=dest.add_instruction(ASSIGN);
t_s->code=code_assignt(length, rhs.op0());
t_s->source_location=location;
// we also need to allocate space for the data
member_exprt data(deref, struct_type.components()[2].get_name(), struct_type.components()[2].type());
side_effect_exprt data_cpp_new_expr(ID_cpp_new_array, data.type());
data_cpp_new_expr.set(ID_size, rhs.op0());
goto_programt::targett t_p=dest.add_instruction(ASSIGN);
t_p->code=code_assignt(data, data_cpp_new_expr);
t_p->source_location=location;
// zero-initialize the data
exprt zero_element=gen_zero(data.type().subtype());
codet array_set(ID_array_set);
array_set.copy_to_operands(data, zero_element);
goto_programt::targett t_d=dest.add_instruction(OTHER);
t_d->code=array_set;
t_d->source_location=location;
if(rhs.operands().size()>=2)
{
// produce
// for(int i=0; i<size; i++) tmp[i]=java_new(dim-1);
// This will be converted recursively.
goto_programt tmp;
symbol_exprt tmp_i=
new_tmp_symbol(index_type(), "index", tmp, location).symbol_expr();
code_fort for_loop;
side_effect_exprt sub_java_new=rhs;
sub_java_new.operands().erase(sub_java_new.operands().begin());
side_effect_exprt inc(ID_assign);
inc.operands().resize(2);
inc.op0()=tmp_i;
inc.op1()=plus_exprt(tmp_i, gen_one(tmp_i.type()));
dereference_exprt deref_expr(plus_exprt(data, tmp_i), data.type().subtype());
for_loop.init()=code_assignt(tmp_i, gen_zero(tmp_i.type()));
for_loop.cond()=binary_relation_exprt(tmp_i, ID_lt, rhs.op0());
for_loop.iter()=inc;
for_loop.body()=code_skipt();
for_loop.body()=code_assignt(deref_expr, sub_java_new);
convert(for_loop, tmp);
dest.destructive_append(tmp);
}
}
void cpp_typecheckt::typecheck_compound_declarator(
const symbolt &symbol,
const cpp_declarationt &declaration,
cpp_declaratort &declarator,
struct_typet::componentst &components,
const irep_idt &access,
bool is_static,
bool is_typedef,
bool is_mutable)
{
bool is_cast_operator=
declaration.type().id()=="cpp-cast-operator";
if(is_cast_operator)
{
assert(declarator.name().get_sub().size()==2 &&
declarator.name().get_sub().front().id()==ID_operator);
typet type=static_cast<typet &>(declarator.name().get_sub()[1]);
declarator.type().subtype()=type;
irept name(ID_name);
name.set(ID_identifier, "("+cpp_type2name(type)+")");
declarator.name().get_sub().back().swap(name);
}
typet final_type=
declarator.merge_type(declaration.type());
// this triggers template elaboration
elaborate_class_template(final_type);
typecheck_type(final_type);
cpp_namet cpp_name;
cpp_name.swap(declarator.name());
irep_idt base_name;
if(cpp_name.is_nil())
{
// Yes, there can be members without name.
base_name=irep_idt();
}
else if(cpp_name.is_simple_name())
{
base_name=cpp_name.get_base_name();
}
else
{
err_location(cpp_name.location());
str << "declarator in compound needs to be simple name";
throw 0;
}
bool is_method=!is_typedef && final_type.id()==ID_code;
bool is_constructor=declaration.is_constructor();
bool is_destructor=declaration.is_destructor();
bool is_virtual=declaration.member_spec().is_virtual();
bool is_explicit=declaration.member_spec().is_explicit();
bool is_inline=declaration.member_spec().is_inline();
final_type.set(ID_C_member_name, symbol.name);
// first do some sanity checks
if(is_virtual && !is_method)
{
err_location(cpp_name.location());
str << "only methods can be virtual";
throw 0;
}
if(is_inline && !is_method)
{
err_location(cpp_name.location());
str << "only methods can be inlined";
throw 0;
}
if(is_virtual && is_static)
{
err_location(cpp_name.location());
str << "static methods cannot be virtual";
throw 0;
}
if(is_cast_operator && is_static)
{
err_location(cpp_name.location());
str << "cast operators cannot be static`";
throw 0;
}
if(is_constructor && is_virtual)
{
err_location(cpp_name.location());
str << "constructors cannot be virtual";
throw 0;
}
if(!is_constructor && is_explicit)
{
err_location(cpp_name.location());
str << "only constructors can be explicit";
throw 0;
}
if(is_constructor &&
base_name!=id2string(symbol.base_name))
{
err_location(cpp_name.location());
str << "member function must return a value or void";
throw 0;
}
if(is_destructor &&
base_name!="~"+id2string(symbol.base_name))
{
err_location(cpp_name.location());
str << "destructor with wrong name";
throw 0;
}
// now do actual work
struct_typet::componentt component;
irep_idt identifier=
language_prefix+
cpp_scopes.current_scope().prefix+
id2string(base_name);
component.set(ID_name, identifier);
component.type()=final_type;
component.set(ID_access, access);
component.set(ID_base_name, base_name);
component.set(ID_pretty_name, base_name);
component.location()=cpp_name.location();
if(cpp_name.is_operator())
{
component.set("is_operator", true);
component.type().set("#is_operator", true);
}
if(is_cast_operator)
component.set("is_cast_operator", true);
if(declaration.member_spec().is_explicit())
component.set("is_explicit", true);
typet &method_qualifier=
(typet &)declarator.add("method_qualifier");
if(is_static)
{
component.set(ID_is_static, true);
component.type().set("#is_static", true);
}
if(is_typedef)
component.set("is_type", true);
if(is_mutable)
component.set("is_mutable", true);
exprt &value=declarator.value();
irept &initializers=declarator.member_initializers();
if(is_method)
{
component.set(ID_is_inline, declaration.member_spec().is_inline());
// the 'virtual' name of the function
std::string virtual_name=
component.get_string(ID_base_name)+
id2string(
function_identifier(static_cast<const typet &>(component.find(ID_type))));
if(method_qualifier.id()==ID_const)
virtual_name += "$const";
if(component.type().get(ID_return_type) == ID_destructor)
virtual_name= "@dtor";
// The method may be virtual implicitly.
std::set<irep_idt> virtual_bases;
for(struct_typet::componentst::const_iterator
it=components.begin();
it!=components.end();
it++)
{
if(it->get_bool("is_virtual"))
{
if(it->get("virtual_name")==virtual_name)
{
is_virtual=true;
const code_typet& code_type = to_code_type(it->type());
assert(code_type.arguments().size()>0);
const typet& pointer_type = code_type.arguments()[0].type();
assert(pointer_type.id() == ID_pointer);
virtual_bases.insert(pointer_type.subtype().get(ID_identifier));
}
}
}
if(!is_virtual)
{
typecheck_member_function(
symbol.name, component, initializers,
method_qualifier, value);
if(!value.is_nil() && !is_static)
{
err_location(cpp_name.location());
str << "no initialization allowed here";
throw 0;
}
}
else // virtual
{
component.type().set("#is_virtual", true);
component.type().set("#virtual_name",virtual_name);
// Check if it is a pure virtual method
if(is_virtual)
{
if(value.is_not_nil() && value.id() == ID_constant)
{
mp_integer i;
to_integer(value, i);
if(i!=0)
{
err_location(declarator.name().location());
str << "expected 0 to mark pure virtual method, got " << i;
}
component.set("is_pure_virtual", true);
value.make_nil();
}
}
typecheck_member_function(
symbol.name,
component,
initializers,
method_qualifier,
value);
// get the virtual-table symbol type
irep_idt vt_name = "virtual_table::"+symbol.name.as_string();
contextt::symbolst::iterator vtit =
context.symbols.find(vt_name);
if(vtit == context.symbols.end())
{
// first time: create a virtual-table symbol type
symbolt vt_symb_type;
vt_symb_type.name= vt_name;
vt_symb_type.base_name="virtual_table::"+symbol.base_name.as_string();
vt_symb_type.pretty_name = vt_symb_type.base_name;
vt_symb_type.mode=ID_cpp;
vt_symb_type.module=module;
vt_symb_type.location=symbol.location;
vt_symb_type.type = struct_typet();
vt_symb_type.type.set(ID_name, vt_symb_type.name);
vt_symb_type.is_type = true;
bool failed = context.move(vt_symb_type);
assert(!failed);
vtit = context.symbols.find(vt_name);
// add a virtual-table pointer
struct_typet::componentt compo;
compo.type() = pointer_typet(symbol_typet(vt_name));
compo.set_name(symbol.name.as_string() +"::@vtable_pointer");
compo.set(ID_base_name, "@vtable_pointer");
compo.set(ID_pretty_name, symbol.base_name.as_string() +"@vtable_pointer");
compo.set("is_vtptr", true);
compo.set(ID_access, ID_public);
components.push_back(compo);
put_compound_into_scope(compo);
}
assert(vtit->second.type.id()==ID_struct);
struct_typet &virtual_table=
to_struct_type(vtit->second.type);
component.set("virtual_name", virtual_name);
component.set("is_virtual", is_virtual);
// add an entry to the virtual table
struct_typet::componentt vt_entry;
vt_entry.type() = pointer_typet(component.type());
vt_entry.set_name(vtit->first.as_string()+"::"+virtual_name);
vt_entry.set(ID_base_name, virtual_name);
vt_entry.set(ID_pretty_name, virtual_name);
vt_entry.set(ID_access, ID_public);
vt_entry.location() = symbol.location;
virtual_table.components().push_back(vt_entry);
// take care of overloading
while(!virtual_bases.empty())
{
irep_idt virtual_base = *virtual_bases.begin();
// a new function that does 'late casting' of the 'this' parameter
symbolt func_symb;
func_symb.name=component.get_name().as_string() + "::" +virtual_base.as_string();
func_symb.base_name=component.get(ID_base_name);
func_symb.pretty_name = component.get(ID_base_name);
func_symb.mode=ID_cpp;
func_symb.module=module;
func_symb.location=component.location();
func_symb.type=component.type();
// change the type of the 'this' pointer
code_typet& code_type = to_code_type(func_symb.type);
code_typet::argumentt& arg= code_type.arguments().front();
arg.type().subtype().set(ID_identifier, virtual_base);
// create symbols for the arguments
code_typet::argumentst& args = code_type.arguments();
for(unsigned i=0; i<args.size(); i++)
{
code_typet::argumentt& arg = args[i];
irep_idt base_name = arg.get_base_name();
if(base_name==irep_idt())
base_name="arg"+i2string(i);
symbolt arg_symb;
arg_symb.name = func_symb.name.as_string() + "::"+ base_name.as_string();
arg_symb.base_name = base_name;
arg_symb.pretty_name = base_name;
arg_symb.mode=ID_cpp;
arg_symb.location=func_symb.location;
arg_symb.type = arg.type();
arg.set(ID_C_identifier, arg_symb.name);
// add the argument to the symbol table
bool failed = context.move(arg_symb);
assert(!failed);
}
// do the body of the function
typecast_exprt late_cast(to_code_type(component.type()).arguments()[0].type());
late_cast.op0()=
symbol_expr(namespacet(context).lookup(
args[0].get(ID_C_identifier)));
if(code_type.return_type().id()!=ID_empty &&
code_type.return_type().id()!=ID_destructor)
{
side_effect_expr_function_callt expr_call;
expr_call.function() = symbol_exprt(component.get_name(),component.type());
expr_call.type() = to_code_type(component.type()).return_type();
expr_call.arguments().reserve(args.size());
expr_call.arguments().push_back(late_cast);
for(unsigned i=1; i < args.size(); i++)
{
expr_call.arguments().push_back(
symbol_expr(namespacet(context).lookup(
args[i].get(ID_C_identifier))));
}
code_returnt code_return;
code_return.return_value() = expr_call;
func_symb.value = code_return;
}
else
{
code_function_callt code_func;
code_func.function() = symbol_exprt(component.get_name(),component.type());
code_func.arguments().reserve(args.size());
code_func.arguments().push_back(late_cast);
for(unsigned i=1; i < args.size(); i++)
{
code_func.arguments().push_back(
symbol_expr(namespacet(context).lookup(
args[i].get(ID_C_identifier))));
}
func_symb.value = code_func;
}
// add this new function to the list of components
struct_typet::componentt new_compo = component;
new_compo.type() = func_symb.type;
new_compo.set_name(func_symb.name);
components.push_back(new_compo);
// add the function to the symbol table
{
bool failed = context.move(func_symb);
assert(!failed);
}
// next base
virtual_bases.erase(virtual_bases.begin());
}
}
}
if(is_static && !is_method) // static non-method member
{
// add as global variable to context
symbolt static_symbol;
static_symbol.mode=symbol.mode;
static_symbol.name=identifier;
static_symbol.type=component.type();
static_symbol.base_name=component.get(ID_base_name);
static_symbol.lvalue=true;
static_symbol.static_lifetime=true;
static_symbol.location=cpp_name.location();
static_symbol.is_extern=true;
// TODO: not sure about this: should be defined separately!
dynamic_initializations.push_back(static_symbol.name);
symbolt *new_symbol;
if(context.move(static_symbol, new_symbol))
{
err_location(cpp_name.location());
str << "redeclaration of static member `"
<< static_symbol.base_name.as_string()
<< "'";
throw 0;
}
if(value.is_not_nil())
{
if(cpp_is_pod(new_symbol->type))
{
new_symbol->value.swap(value);
c_typecheck_baset::do_initializer(*new_symbol);
// these are macros if they are PODs and come with a (constant) value
if(new_symbol->type.get_bool(ID_C_constant))
{
simplify(new_symbol->value, *this);
new_symbol->is_macro=true;
}
}
else
{
symbol_exprt symexpr;
symexpr.set_identifier(new_symbol->name);
exprt::operandst ops;
ops.push_back(value);
codet defcode =
cpp_constructor(locationt(), symexpr, ops);
new_symbol->value.swap(defcode);
}
}
}
// array members must have fixed size
check_fixed_size_array(component.type());
put_compound_into_scope(component);
components.push_back(component);
}
typet pointer_type(const typet &subtype)
{
return pointer_typet(subtype);
}
codet java_bytecode_convertt::convert_instructions(
const instructionst &instructions,
const code_typet &method_type)
{
// Run a worklist algorithm, assuming that the bytecode has not
// been tampered with. See "Leroy, X. (2003). Java bytecode
// verification: algorithms and formalizations. Journal of Automated
// Reasoning, 30(3-4), 235-269." for a more complete treatment.
// first pass: get targets and map addresses to instructions
struct converted_instructiont
{
converted_instructiont(
const instructionst::const_iterator &it,
const codet &_code):source(it), code(_code), done(false)
{
}
instructionst::const_iterator source;
std::list<unsigned> successors;
std::set<unsigned> predecessors;
codet code;
stackt stack;
bool done;
};
typedef std::map<unsigned, converted_instructiont> address_mapt;
address_mapt address_map;
std::set<unsigned> targets;
for(instructionst::const_iterator
i_it=instructions.begin();
i_it!=instructions.end();
i_it++)
{
std::pair<address_mapt::iterator, bool> a_entry=
address_map.insert(std::make_pair(
i_it->address,
converted_instructiont(i_it, code_skipt())));
assert(a_entry.second);
// addresses are strictly increasing, hence we must have inserted
// a new maximal key
assert(a_entry.first==--address_map.end());
if(i_it->statement!="goto" &&
i_it->statement!="return" &&
!(i_it->statement==patternt("?return")) &&
i_it->statement!="athrow")
{
instructionst::const_iterator next=i_it;
if(++next!=instructions.end())
a_entry.first->second.successors.push_back(next->address);
}
if(i_it->statement=="goto" ||
i_it->statement==patternt("if_?cmp??") ||
i_it->statement==patternt("if??") ||
i_it->statement=="ifnonnull" ||
i_it->statement=="ifnull")
{
assert(!i_it->args.empty());
const unsigned target=safe_string2unsigned(
id2string(to_constant_expr(i_it->args[0]).get_value()));
targets.insert(target);
a_entry.first->second.successors.push_back(target);
}
else if(i_it->statement=="tableswitch" ||
i_it->statement=="lookupswitch")
{
bool is_label=true;
for(instructiont::argst::const_iterator
a_it=i_it->args.begin();
a_it!=i_it->args.end();
a_it++, is_label=!is_label)
{
if(is_label)
{
const unsigned target=safe_string2unsigned(
id2string(to_constant_expr(*a_it).get_value()));
targets.insert(target);
a_entry.first->second.successors.push_back(target);
}
}
}
}
for(address_mapt::iterator
it=address_map.begin();
it!=address_map.end();
++it)
{
for(unsigned s : it->second.successors)
{
address_mapt::iterator a_it=address_map.find(s);
assert(a_it!=address_map.end());
a_it->second.predecessors.insert(it->first);
}
}
std::set<unsigned> working_set;
if(!instructions.empty())
working_set.insert(instructions.front().address);
while(!working_set.empty())
{
std::set<unsigned>::iterator cur=working_set.begin();
address_mapt::iterator a_it=address_map.find(*cur);
assert(a_it!=address_map.end());
working_set.erase(cur);
if(a_it->second.done) continue;
working_set.insert(a_it->second.successors.begin(),
a_it->second.successors.end());
instructionst::const_iterator i_it=a_it->second.source;
stack.swap(a_it->second.stack);
a_it->second.stack.clear();
codet &c=a_it->second.code;
assert(stack.empty() ||
a_it->second.predecessors.size()<=1 ||
has_prefix(stack.front().get_string(ID_C_base_name),
"$stack"));
irep_idt statement=i_it->statement;
exprt arg0=i_it->args.size()>=1?i_it->args[0]:nil_exprt();
exprt arg1=i_it->args.size()>=2?i_it->args[1]:nil_exprt();
const bytecode_infot &bytecode_info=get_bytecode_info(statement);
// deal with _idx suffixes
if(statement.size()>=2 &&
statement[statement.size()-2]=='_' &&
isdigit(statement[statement.size()-1]))
{
arg0=constant_exprt(
std::string(id2string(statement), statement.size()-1, 1),
integer_typet());
statement=std::string(id2string(statement), 0, statement.size()-2);
}
exprt::operandst op=pop(bytecode_info.pop);
exprt::operandst results;
results.resize(bytecode_info.push, nil_exprt());
if(statement=="aconst_null")
{
assert(results.size()==1);
results[0]=gen_zero(java_reference_type(void_typet()));
}
else if(statement=="athrow")
{
assert(op.size()==1 && results.size()==1);
side_effect_expr_throwt throw_expr;
throw_expr.add_source_location()=i_it->source_location;
throw_expr.copy_to_operands(op[0]);
c=code_expressiont(throw_expr);
results[0]=op[0];
}
else if(statement=="checkcast")
{
// checkcast throws an exception in case a cast of object
// on stack to given type fails.
// The stack isn't modified.
assert(op.size()==1 && results.size()==1);
results[0]=op[0];
}
else if(statement=="invokedynamic")
{
// not used in Java
code_typet &code_type=to_code_type(arg0.type());
const code_typet::parameterst ¶meters(code_type.parameters());
pop(parameters.size());
const typet &return_type=code_type.return_type();
if(return_type.id()!=ID_empty)
{
results.resize(1);
results[0]=nil_exprt();
}
}
else if(statement=="invokeinterface" ||
statement=="invokespecial" ||
statement=="invokevirtual" ||
statement=="invokestatic")
{
const bool use_this(statement != "invokestatic");
const bool is_virtual(
statement == "invokevirtual" || statement == "invokeinterface");
code_typet &code_type=to_code_type(arg0.type());
code_typet::parameterst ¶meters(code_type.parameters());
if(use_this)
{
if(parameters.empty() || !parameters[0].get_this())
{
const empty_typet empty;
pointer_typet object_ref_type(empty);
code_typet::parametert this_p(object_ref_type);
this_p.set_this();
this_p.set_base_name("this");
parameters.insert(parameters.begin(), this_p);
}
}
code_function_callt call;
call.add_source_location()=i_it->source_location;
call.arguments() = pop(parameters.size());
// double-check a bit
if(use_this)
{
const exprt &this_arg=call.arguments().front();
assert(this_arg.type().id()==ID_pointer);
}
// do some type adjustment for the arguments,
// as Java promotes arguments
for(unsigned i=0; i<parameters.size(); i++)
{
const typet &type=parameters[i].type();
if(type==java_boolean_type() ||
type==java_char_type() ||
type==java_byte_type() ||
type==java_short_type())
{
assert(i<call.arguments().size());
call.arguments()[i].make_typecast(type);
}
}
// do some type adjustment for return values
const typet &return_type=code_type.return_type();
if(return_type.id()!=ID_empty)
{
// return types are promoted in Java
call.lhs()=tmp_variable("return", return_type);
exprt promoted=java_bytecode_promotion(call.lhs());
results.resize(1);
results[0]=promoted;
}
assert(arg0.id()==ID_virtual_function);
// does the function symbol exist?
irep_idt id=arg0.get(ID_identifier);
if(symbol_table.symbols.find(id)==symbol_table.symbols.end())
{
// no, create stub
symbolt symbol;
symbol.name=id;
symbol.base_name=arg0.get(ID_C_base_name);
symbol.type=arg0.type();
symbol.value.make_nil();
symbol.mode=ID_java;
symbol_table.add(symbol);
}
if(is_virtual)
{
// dynamic binding
assert(use_this);
assert(!call.arguments().empty());
call.function()=arg0;
}
else
{
// static binding
/*if(id == "java::java.lang.String.charAt:(I)C")
call.function()=symbol_exprt("java::__CPROVER_uninterpreted_char_at", arg0.type());
else*/
call.function()=symbol_exprt(arg0.get(ID_identifier), arg0.type());
}
call.function().add_source_location()=i_it->source_location;
c = call;
}
else if(statement=="return")
{
assert(op.empty() && results.empty());
c=code_returnt();
}
else if(statement==patternt("?return"))
{
// Return types are promoted in java, so this might need
// conversion.
assert(op.size()==1 && results.empty());
exprt r=op[0];
if(r.type()!=method_return_type) r=typecast_exprt(r, method_return_type);
c=code_returnt(r);
}
else if(statement==patternt("?astore"))
{
assert(op.size()==3 && results.empty());
char type_char=statement[0];
exprt pointer=
typecast_exprt(op[0], java_array_type(type_char));
const dereference_exprt deref(pointer, pointer.type().subtype());
const member_exprt data_ptr(
deref, "data", pointer_typet(java_type_from_char(type_char)));
plus_exprt data_plus_offset(data_ptr, op[1], data_ptr.type());
typet element_type=data_ptr.type().subtype();
const dereference_exprt element(data_plus_offset, element_type);
c=code_assignt(element, op[2]);
}
else if(statement==patternt("?store"))
{
// store value into some local variable
assert(op.size()==1 && results.empty());
exprt var=variable(arg0, statement[0]);
const bool is_array('a' == statement[0]);
if(is_array)
var.type()=op[0].type();
c=code_assignt(var, op[0]);
}
else if(statement==patternt("?aload"))
{
assert(op.size() == 2 && results.size() == 1);
char type_char=statement[0];
exprt pointer=
typecast_exprt(op[0], java_array_type(type_char));
const dereference_exprt deref(pointer, pointer.type().subtype());
const member_exprt data_ptr(
deref, "data", pointer_typet(java_type_from_char(type_char)));
plus_exprt data_plus_offset(data_ptr, op[1], data_ptr.type());
typet element_type=data_ptr.type().subtype();
dereference_exprt element(data_plus_offset, element_type);
results[0]=java_bytecode_promotion(element);
}
else if(statement==patternt("?load"))
{
// load a value from a local variable
results[0]=variable(arg0, statement[0]);
}
else if(statement=="ldc" || statement=="ldc_w" ||
statement=="ldc2" || statement=="ldc2_w")
{
assert(op.empty() && results.size()==1);
// 1) Pushing a String causes a reference to a java.lang.String object
// to be constructed and pushed onto the operand stack.
// 2) Pushing an int or a float causes a primitive value to be pushed
// onto the stack.
// 3) Pushing a Class constant causes a reference to a java.lang.Class
// to be pushed onto the operand stack
if(arg0.id()==ID_java_string_literal)
{
// these need to be references to java.lang.String
results[0]=arg0;
symbol_typet string_type("java::java.lang.String");
results[0].type()=pointer_typet(string_type);
}
else if(arg0.id()==ID_type)
{
irep_idt class_id=arg0.type().get(ID_identifier);
symbol_typet java_lang_Class("java::java.lang.Class");
symbol_exprt symbol_expr(id2string(class_id)+"@class_model", java_lang_Class);
address_of_exprt address_of_expr(symbol_expr);
results[0]=address_of_expr;
}
else if(arg0.id()==ID_constant)
{
results[0]=arg0;
}
else
{
error() << "unexpected ldc argument" << eom;
throw 0;
}
}
else if(statement=="goto" || statement=="goto_w")
{
assert(op.empty() && results.empty());
irep_idt number=to_constant_expr(arg0).get_value();
code_gotot code_goto(label(number));
c=code_goto;
}
else if(statement=="iconst_m1")
{
assert(results.size()==1);
results[0]=from_integer(-1, java_int_type());
}
else if(statement==patternt("?const"))
{
assert(results.size() == 1);
const char type_char=statement[0];
const bool is_double('d' == type_char);
const bool is_float('f' == type_char);
if(is_double || is_float)
{
const ieee_float_spect spec(
is_float ?
ieee_float_spect::single_precision() :
ieee_float_spect::double_precision());
ieee_floatt value(spec);
const typet &arg_type(arg0.type());
if(ID_integer == arg_type.id())
value.from_integer(arg0.get_int(ID_value));
else
value.from_expr(to_constant_expr(arg0));
results[0] = value.to_expr();
}
else
{
const unsigned int value(arg0.get_unsigned_int(ID_value));
const typet type=java_type_from_char(statement[0]);
results[0] = as_number(value, type);
}
}
else if(statement==patternt("?ipush"))
{
assert(results.size()==1);
results[0]=typecast_exprt(arg0, java_int_type());
}
else if(statement==patternt("if_?cmp??"))
{
irep_idt number=to_constant_expr(arg0).get_value();
assert(op.size()==2 && results.empty());
code_ifthenelset code_branch;
const irep_idt cmp_op=get_if_cmp_operator(statement);
binary_relation_exprt condition(op[0], cmp_op, op[1]);
cast_if_necessary(condition);
code_branch.cond()=condition;
code_branch.then_case()=code_gotot(label(number));
code_branch.then_case().add_source_location()=i_it->source_location;
code_branch.add_source_location()=i_it->source_location;
c=code_branch;
}
else if(statement==patternt("if??"))
{
const irep_idt id=
statement=="ifeq"?ID_equal:
statement=="ifne"?ID_notequal:
statement=="iflt"?ID_lt:
statement=="ifge"?ID_ge:
statement=="ifgt"?ID_gt:
statement=="ifle"?ID_le:
(assert(false), "");
irep_idt number=to_constant_expr(arg0).get_value();
assert(op.size()==1 && results.empty());
code_ifthenelset code_branch;
code_branch.cond()=binary_relation_exprt(op[0], id, gen_zero(op[0].type()));
code_branch.cond().add_source_location()=i_it->source_location;
code_branch.then_case()=code_gotot(label(number));
code_branch.then_case().add_source_location()=i_it->source_location;
code_branch.add_source_location()=i_it->source_location;
c=code_branch;
}
else if(statement==patternt("ifnonnull"))
{
irep_idt number=to_constant_expr(arg0).get_value();
assert(op.size()==1 && results.empty());
code_ifthenelset code_branch;
const typecast_exprt lhs(op[0], pointer_typet());
const exprt rhs(gen_zero(lhs.type()));
code_branch.cond()=binary_relation_exprt(lhs, ID_notequal, rhs);
code_branch.then_case()=code_gotot(label(number));
code_branch.then_case().add_source_location()=i_it->source_location;
code_branch.add_source_location()=i_it->source_location;
c=code_branch;
}
else if(statement==patternt("ifnull"))
{
assert(op.size()==1 && results.empty());
irep_idt number=to_constant_expr(arg0).get_value();
code_ifthenelset code_branch;
const typecast_exprt lhs(op[0], pointer_typet(empty_typet()));
const exprt rhs(gen_zero(lhs.type()));
code_branch.cond()=binary_relation_exprt(lhs, ID_equal, rhs);
code_branch.then_case()=code_gotot(label(number));
code_branch.then_case().add_source_location()=i_it->source_location;
code_branch.add_source_location()=i_it->source_location;
c=code_branch;
}
else if(statement=="iinc")
{
code_assignt code_assign;
code_assign.lhs()=variable(arg0, 'i');
code_assign.rhs()=plus_exprt(
variable(arg0, 'i'),
typecast_exprt(arg1, java_int_type()));
c=code_assign;
}
else if(statement==patternt("?xor"))
{
assert(op.size()==2 && results.size()==1);
results[0]=bitxor_exprt(op[0], op[1]);
}
else if(statement==patternt("?or"))
{
assert(op.size()==2 && results.size()==1);
results[0]=bitor_exprt(op[0], op[1]);
}
else if(statement==patternt("?and"))
{
assert(op.size()==2 && results.size()==1);
results[0]=bitand_exprt(op[0], op[1]);
}
else if(statement==patternt("?shl"))
{
assert(op.size()==2 && results.size()==1);
results[0]=shl_exprt(op[0], op[1]);
}
else if(statement==patternt("?shr"))
{
assert(op.size()==2 && results.size()==1);
results[0]=ashr_exprt(op[0], op[1]);
}
else if(statement==patternt("?ushr"))
{
assert(op.size()==2 && results.size()==1);
const typet type(java_type_from_char(statement[0]));
const unsigned int width(type.get_unsigned_int(ID_width));
typet target=unsigned_long_int_type();
target.set(ID_width, width);
const typecast_exprt lhs(op[0], target);
const typecast_exprt rhs(op[1], target);
results[0]=lshr_exprt(lhs, rhs);
}
else if(statement==patternt("?add"))
{
assert(op.size()==2 && results.size()==1);
results[0]=plus_exprt(op[0], op[1]);
}
else if(statement==patternt("?sub"))
{
assert(op.size()==2 && results.size()==1);
results[0]=minus_exprt(op[0], op[1]);
}
else if(statement==patternt("?div"))
{
assert(op.size()==2 && results.size()==1);
results[0]=div_exprt(op[0], op[1]);
}
else if(statement==patternt("?mul"))
{
assert(op.size()==2 && results.size()==1);
results[0]=mult_exprt(op[0], op[1]);
}
else if(statement==patternt("?neg"))
{
assert(op.size()==1 && results.size()==1);
results[0]=unary_minus_exprt(op[0], op[0].type());
}
else if(statement==patternt("?rem"))
{
assert(op.size()==2 && results.size()==1);
if(statement=="frem" || statement=="drem")
results[0]=rem_exprt(op[0], op[1]);
else
results[0]=mod_exprt(op[0], op[1]);
}
else if(statement==patternt("?cmp"))
{
assert(op.size() == 2 && results.size() == 1);
// The integer result on the stack is:
// 0 if op[0] equals op[1]
// -1 if op[0] is less than op[1]
// 1 if op[0] is greater than op[1]
const typet t=java_int_type();
results[0]=
if_exprt(binary_relation_exprt(op[0], ID_equal, op[1]), gen_zero(t),
if_exprt(binary_relation_exprt(op[0], ID_gt, op[1]), from_integer(1, t),
from_integer(-1, t)));
}
else if(statement==patternt("?cmp?"))
{
assert(op.size()==2 && results.size()==1);
const floatbv_typet type(to_floatbv_type(java_type_from_char(statement[0])));
const ieee_float_spect spec(type);
const ieee_floatt nan(ieee_floatt::NaN(spec));
const constant_exprt nan_expr(nan.to_expr());
const int nan_value(statement[4] == 'l' ? -1 : 1);
const typet result_type(java_int_type());
const exprt nan_result(from_integer(nan_value, result_type));
// (value1 == NaN || value2 == NaN) ? nan_value : value1 < value2 ? -1 : value2 < value1 1 ? 1 : 0;
// (value1 == NaN || value2 == NaN) ? nan_value : value1 == value2 ? 0 : value1 < value2 -1 ? 1 : 0;
results[0]=
if_exprt(or_exprt(ieee_float_equal_exprt(nan_expr, op[0]), ieee_float_equal_exprt(nan_expr, op[1])), nan_result,
if_exprt(ieee_float_equal_exprt(op[0], op[1]), gen_zero(result_type),
if_exprt(binary_relation_exprt(op[0], ID_lt, op[1]), from_integer(-1, result_type), from_integer(1, result_type))));
}
else if(statement==patternt("?cmpl"))
{
assert(op.size()==2 && results.size()==1);
results[0]=binary_relation_exprt(op[0], ID_lt, op[1]);
}
else if(statement=="dup")
{
assert(op.size()==1 && results.size()==2);
results[0]=results[1]=op[0];
}
else if(statement=="dup_x1")
{
assert(op.size()==2 && results.size()==3);
results[0]=op[1];
results[1]=op[0];
results[2]=op[1];
}
else if(statement=="dup_x2")
{
assert(op.size()==3 && results.size()==4);
results[0]=op[2];
results[1]=op[0];
results[2]=op[1];
results[3]=op[2];
}
// dup2* behaviour depends on the size of the operands on the
// stack
else if(statement=="dup2")
{
assert(!stack.empty() && results.empty());
if(stack.back().type().get_unsigned_int(ID_width)==32)
op=pop(2);
else
op=pop(1);
results.insert(results.end(), op.begin(), op.end());
results.insert(results.end(), op.begin(), op.end());
}
else if(statement=="dup2_x1")
{
assert(!stack.empty() && results.empty());
if(stack.back().type().get_unsigned_int(ID_width)==32)
op=pop(3);
else
op=pop(2);
results.insert(results.end(), op.begin()+1, op.end());
results.insert(results.end(), op.begin(), op.end());
}
else if(statement=="dup2_x2")
{
assert(!stack.empty() && results.empty());
if(stack.back().type().get_unsigned_int(ID_width)==32)
op=pop(2);
else
op=pop(1);
assert(!stack.empty());
exprt::operandst op2;
if(stack.back().type().get_unsigned_int(ID_width)==32)
op2=pop(2);
else
op2=pop(1);
results.insert(results.end(), op.begin(), op.end());
results.insert(results.end(), op2.begin(), op2.end());
results.insert(results.end(), op.begin(), op.end());
}
else if(statement=="dconst")
{
assert(op.empty() && results.size()==1);
}
else if(statement=="fconst")
{
assert(op.empty() && results.size()==1);
}
else if(statement=="getfield")
{
assert(op.size()==1 && results.size()==1);
results[0]=to_member(op[0], arg0);
}
else if(statement=="getstatic")
{
assert(op.empty() && results.size()==1);
symbol_exprt symbol_expr(arg0.type());
symbol_expr.set_identifier(arg0.get_string(ID_class)+"."+arg0.get_string(ID_component_name));
results[0]=symbol_expr;
}
else if(statement=="putfield")
{
assert(op.size()==2 && results.size()==0);
c = code_assignt(to_member(op[0], arg0), op[1]);
}
else if(statement=="putstatic")
{
assert(op.size()==1 && results.empty());
symbol_exprt symbol_expr(arg0.type());
symbol_expr.set_identifier(arg0.get_string(ID_class)+"."+arg0.get_string(ID_component_name));
c=code_assignt(symbol_expr, op[0]);
}
else if(statement==patternt("?2?")) // i2c etc.
{
assert(op.size()==1 && results.size()==1);
results[0]=typecast_exprt(op[0], java_type_from_char(statement[2]));
}
else if(statement=="new")
{
// use temporary since the stack symbol might get duplicated
assert(op.empty() && results.size()==1);
const pointer_typet ref_type(arg0.type());
exprt java_new_expr=side_effect_exprt(ID_java_new, ref_type);
if(!i_it->source_location.get_line().empty())
java_new_expr.add_source_location()=i_it->source_location;
const exprt tmp=tmp_variable("new", ref_type);
c=code_assignt(tmp, java_new_expr);
results[0]=tmp;
}
else if(statement=="newarray" ||
statement=="anewarray")
{
// the op is the array size
assert(op.size()==1 && results.size()==1);
char element_type;
if(statement=="newarray")
{
irep_idt id=arg0.type().id();
if(id==ID_bool)
element_type='z';
else if(id==ID_char)
element_type='c';
else if(id==ID_float)
element_type='f';
else if(id==ID_double)
element_type='d';
else if(id==ID_byte)
element_type='b';
else if(id==ID_short)
element_type='s';
else if(id==ID_int)
element_type='i';
else if(id==ID_long)
element_type='j';
else
element_type='?';
}
else
element_type='a';
const pointer_typet ref_type=java_array_type(element_type);
side_effect_exprt java_new_array(ID_java_new_array, ref_type);
java_new_array.copy_to_operands(op[0]);
if(!i_it->source_location.get_line().empty())
java_new_array.add_source_location()=i_it->source_location;
const exprt tmp=tmp_variable("newarray", ref_type);
c=code_assignt(tmp, java_new_array);
results[0]=tmp;
}
else if(statement=="multianewarray")
{
// The first argument is the type, the second argument is the dimension.
// The size of each dimension is on the stack.
irep_idt number=to_constant_expr(arg1).get_value();
unsigned dimension=safe_c_str2unsigned(number.c_str());
op=pop(dimension);
assert(results.size()==1);
// arg0.type()
const pointer_typet ref_type=java_array_type('a');
side_effect_exprt java_new_array(ID_java_new_array, ref_type);
java_new_array.operands()=op;
if(!i_it->source_location.get_line().empty())
java_new_array.add_source_location()=i_it->source_location;
const exprt tmp=tmp_variable("newarray", ref_type);
c=code_assignt(tmp, java_new_array);
results[0]=tmp;
}
else if(statement=="arraylength")
{
assert(op.size()==1 && results.size()==1);
exprt pointer=
typecast_exprt(op[0], java_array_type(statement[0]));
const dereference_exprt array(pointer, pointer.type().subtype());
assert(pointer.type().subtype().id()==ID_symbol);
const member_exprt length(array, "length", java_int_type());
results[0]=length;
}
else if(statement=="tableswitch" ||
statement=="lookupswitch")
{
assert(op.size()==1 && results.size()==0);
// we turn into switch-case
code_switcht code_switch;
code_switch.add_source_location()=i_it->source_location;
code_switch.value()=op[0];
code_blockt code_block;
code_block.add_source_location()=i_it->source_location;
bool is_label=true;
for(instructiont::argst::const_iterator
a_it=i_it->args.begin();
a_it!=i_it->args.end();
a_it++, is_label=!is_label)
{
if(is_label)
{
code_switch_caset code_case;
code_case.add_source_location()=i_it->source_location;
irep_idt number=to_constant_expr(*a_it).get_value();
code_case.code()=code_gotot(label(number));
code_case.code().add_source_location()=i_it->source_location;
if(a_it==i_it->args.begin())
code_case.set_default();
else
{
instructiont::argst::const_iterator prev=a_it;
prev--;
code_case.case_op()=typecast_exprt(*prev, op[0].type());
code_case.case_op().add_source_location()=i_it->source_location;
}
code_block.add(code_case);
}
}
code_switch.body()=code_block;
c=code_switch;
}
else if(statement=="pop" || statement=="pop2")
{
// these are skips
c=code_skipt();
// pop2 removes two single-word items from the stack (e.g. two
// integers, or an integer and an object reference) or one
// two-word item (i.e. a double or a long).
// http://cs.au.dk/~mis/dOvs/jvmspec/ref-pop2.html
if(statement=="pop2" &&
op[0].type().get_unsigned_int(ID_width)==32)
pop(1);
}
else if(statement=="instanceof")
{
assert(op.size()==1 && results.size()==1);
results[0]=
binary_predicate_exprt(op[0], "java_instanceof", arg0);
}
else
{
c=codet(statement);
c.operands()=op;
}
if(!i_it->source_location.get_line().empty())
c.add_source_location()=i_it->source_location;
push(results);
a_it->second.done=true;
for(std::list<unsigned>::iterator
it=a_it->second.successors.begin();
it!=a_it->second.successors.end();
++it)
{
address_mapt::iterator a_it2=address_map.find(*it);
assert(a_it2!=address_map.end());
if(!stack.empty() && a_it2->second.predecessors.size()>1)
{
// copy into temporaries
code_blockt more_code;
// introduce temporaries when successor is seen for the first
// time
if(a_it2->second.stack.empty())
{
for(stackt::iterator s_it=stack.begin();
s_it!=stack.end();
++s_it)
{
symbol_exprt lhs=tmp_variable("$stack", s_it->type());
code_assignt a(lhs, *s_it);
more_code.copy_to_operands(a);
s_it->swap(lhs);
}
}
else
{
assert(a_it2->second.stack.size()==stack.size());
stackt::const_iterator os_it=a_it2->second.stack.begin();
for(stackt::iterator s_it=stack.begin();
s_it!=stack.end();
++s_it)
{
assert(has_prefix(os_it->get_string(ID_C_base_name),
"$stack"));
symbol_exprt lhs=to_symbol_expr(*os_it);
code_assignt a(lhs, *s_it);
more_code.copy_to_operands(a);
s_it->swap(lhs);
++os_it;
}
}
if(results.empty())
{
more_code.copy_to_operands(c);
c.swap(more_code);
}
else
{
c.make_block();
forall_operands(o_it, more_code)
c.copy_to_operands(*o_it);
}
}
a_it2->second.stack=stack;
}
}
// TODO: add exception handlers from exception table
// review successor computation of athrow!
code_blockt code;
// temporaries
for(const auto & var : tmp_vars)
{
code.add(code_declt(var));
}
for(const auto & it : address_map)
{
const unsigned address=it.first;
assert(it.first==it.second.source->address);
const codet &c=it.second.code;
if(targets.find(address)!=targets.end())
code.add(code_labelt(label(i2string(address)), c));
else if(c.get_statement()!=ID_skip)
code.add(c);
}
return code;
}
exprt goto_symext::address_arithmetic(
const exprt &expr,
statet &state,
guardt &guard,
bool keep_array)
{
exprt result;
if(expr.id()==ID_byte_extract_little_endian ||
expr.id()==ID_byte_extract_big_endian)
{
// address_of(byte_extract(op, offset, t)) is
// address_of(op) + offset with adjustments for arrays
const byte_extract_exprt &be=to_byte_extract_expr(expr);
// recursive call
result=address_arithmetic(be.op(), state, guard, keep_array);
if(ns.follow(be.op().type()).id()==ID_array &&
result.id()==ID_address_of)
{
address_of_exprt &a=to_address_of_expr(result);
// turn &a of type T[i][j] into &(a[0][0])
for(const typet *t=&(ns.follow(a.type().subtype()));
t->id()==ID_array && !base_type_eq(expr.type(), *t, ns);
t=&(ns.follow(*t).subtype()))
a.object()=index_exprt(a.object(), from_integer(0, index_type()));
}
// do (expr.type() *)(((char *)op)+offset)
result=typecast_exprt(result, pointer_typet(char_type()));
// there could be further dereferencing in the offset
exprt offset=be.offset();
dereference_rec(offset, state, guard, false);
result=plus_exprt(result, offset);
// treat &array as &array[0]
const typet &expr_type=ns.follow(expr.type());
pointer_typet dest_type;
if(expr_type.id()==ID_array && !keep_array)
dest_type.subtype()=expr_type.subtype();
else
dest_type.subtype()=expr_type;
result=typecast_exprt(result, dest_type);
}
else if(expr.id()==ID_index ||
expr.id()==ID_member)
{
object_descriptor_exprt ode;
ode.build(expr, ns);
byte_extract_exprt be(byte_extract_id());
be.type()=expr.type();
be.op()=ode.root_object();
be.offset()=ode.offset();
// recursive call
result=address_arithmetic(be, state, guard, keep_array);
do_simplify(result);
}
else if(expr.id()==ID_dereference)
{
// ANSI-C guarantees &*p == p no matter what p is,
// even if it's complete garbage
// just grab the pointer, but be wary of further dereferencing
// in the pointer itself
result=to_dereference_expr(expr).pointer();
dereference_rec(result, state, guard, false);
}
else if(expr.id()==ID_if)
{
if_exprt if_expr=to_if_expr(expr);
// the condition is not an address
dereference_rec(if_expr.cond(), state, guard, false);
// recursive call
if_expr.true_case()=
address_arithmetic(if_expr.true_case(), state, guard, keep_array);
if_expr.false_case()=
address_arithmetic(if_expr.false_case(), state, guard, keep_array);
result=if_expr;
}
else if(expr.id()==ID_symbol ||
expr.id()==ID_string_constant ||
expr.id()==ID_label ||
expr.id()==ID_array)
{
// give up, just dereference
result=expr;
dereference_rec(result, state, guard, false);
// turn &array into &array[0]
if(ns.follow(result.type()).id()==ID_array && !keep_array)
result=index_exprt(result, from_integer(0, index_type()));
// handle field-sensitive SSA symbol
mp_integer offset=0;
if(expr.id()==ID_symbol &&
expr.get_bool(ID_C_SSA_symbol))
{
offset=compute_pointer_offset(expr, ns);
assert(offset>=0);
}
if(offset>0)
{
byte_extract_exprt be(byte_extract_id());
be.type()=expr.type();
be.op()=to_ssa_expr(expr).get_l1_object();
be.offset()=from_integer(offset, index_type());
result=address_arithmetic(be, state, guard, keep_array);
do_simplify(result);
}
else
result=address_of_exprt(result);
}
else
throw "goto_symext::address_arithmetic does not handle "+expr.id_string();
const typet &expr_type=ns.follow(expr.type());
assert((expr_type.id()==ID_array && !keep_array) ||
base_type_eq(pointer_typet(expr_type), result.type(), ns));
return result;
}