ファイル: std_expr.cpp プロジェクト: dcattaruzza/cbmc
/// Walks `expr` inwards through index, member, byte-extract and typecast
/// nodes and accumulates the byte offset of the addressed sub-object into
/// `dest.offset()`. For byte-extract and typecast nodes the operand is also
/// stored as `dest.object()` before recursing into it.
///
/// \param ns: namespace used to compute element sizes and member offsets
/// \param expr: expression to decompose
/// \param dest: descriptor whose offset (and possibly object) is updated
static void build_object_descriptor_rec(
  const namespacet &ns,
  const exprt &expr,
  object_descriptor_exprt &dest)
{
  // offsets are computed in a signed integer as wide as a pointer
  const signedbv_typet offset_type(config.ansi_c.pointer_width);

  // adds `delta` (already of offset_type) to the accumulated offset
  auto accumulate=[&dest](const exprt &delta)
  {
    dest.offset()=plus_exprt(dest.offset(), delta);
  };

  const irep_idt &id=expr.id();

  if(id==ID_index)
  {
    const index_exprt &index_expr=to_index_expr(expr);
    build_object_descriptor_rec(ns, index_expr.array(), dest);

    // element offset = index * sizeof(element type)
    exprt element_size=size_of_expr(expr.type(), ns);
    assert(element_size.is_not_nil());

    accumulate(
      mult_exprt(
        typecast_exprt(index_expr.index(), offset_type),
        typecast_exprt(element_size, offset_type)));
  }
  else if(id==ID_member)
  {
    const member_exprt &member_expr=to_member_expr(expr);
    build_object_descriptor_rec(ns, member_expr.struct_op(), dest);

    exprt member_offset=member_offset_expr(member_expr, ns);
    assert(member_offset.is_not_nil());

    accumulate(typecast_exprt(member_offset, offset_type));
  }
  else if(id==ID_byte_extract_little_endian ||
          id==ID_byte_extract_big_endian)
  {
    const byte_extract_exprt &extract=to_byte_extract_expr(expr);

    // the extracted-from operand becomes the object
    dest.object()=extract.op();
    build_object_descriptor_rec(ns, extract.op(), dest);

    accumulate(typecast_exprt(extract.offset(), offset_type));
  }
  else if(id==ID_typecast)
  {
    const typecast_exprt &cast=to_typecast_expr(expr);

    // a cast does not move the offset, only the object
    dest.object()=cast.op();
    build_object_descriptor_rec(ns, cast.op(), dest);
  }
}
/// Builds the condition under which `e1` and `e2` may alias.
/// When the object of `e1` is at least as large as that of `e2`, plain
/// address equality is used (the code assumes well-aligned accesses);
/// otherwise the weaker same-object test is returned.
///
/// \param e1, e2: the two accessed expressions
/// \param ns: namespace used to resolve sizes and types
/// \return boolean-typed alias condition
exprt ssa_alias_guard(
  const exprt &e1,
  const exprt &e2,
  const namespacet &ns)
{
  const exprt addr1=address_canonizer(address_of_exprt(e1), ns);
  const exprt addr2=address_canonizer(address_of_exprt(e2), ns);

  const mp_integer size1=pointer_offset_size(e1.type(), ns);
  const mp_integer size2=pointer_offset_size(e2.type(), ns);

  // a smaller object on the left: fall back to the same-object test
  if(size1<size2)
    return same_object(addr1, addr2);

  // well-aligned-ness is assumed here, so address equality suffices;
  // align the pointer types before comparing
  exprt rhs=addr2;
  if(ns.follow(rhs.type())!=ns.follow(addr1.type()))
    rhs=typecast_exprt(rhs, addr1.type());

  return equal_exprt(addr1, rhs);
}
/// Ensures a call whose callee was resolved from a function pointer stores
/// its result into an lhs of the callee's declared return type. When the
/// existing lhs has a different type, the call is redirected into a fresh
/// temporary and the assignment `old_lhs = (old_lhs_type) tmp` is appended
/// to `dest`.
///
/// \param function_call: the call to adjust (its lhs may be replaced)
/// \param dest: program receiving the extra assignment instruction
void remove_function_pointerst::fix_return_type(
  code_function_callt &function_call,
  goto_programt &dest)
{
  exprt &lhs=function_call.lhs();

  // nothing to fix when the result is discarded
  if(lhs.is_nil())
    return;

  const code_typet &callee_type=
    to_code_type(ns.follow(function_call.function().type()));

  // nothing to fix when the types already agree
  if(type_eq(lhs.type(), callee_type.return_type(), ns))
    return;

  // fresh temporary of the callee's return type
  symbolt &tmp_symbol=new_tmp_symbol();
  tmp_symbol.type=callee_type.return_type();
  tmp_symbol.location=function_call.location();

  const symbol_exprt tmp_expr(tmp_symbol.name, tmp_symbol.type);

  const exprt original_lhs=lhs;
  lhs=tmp_expr;

  // old_lhs = (old type) tmp
  goto_programt::targett assign=dest.add_instruction();
  assign->make_assignment();
  assign->code=
    code_assignt(original_lhs, typecast_exprt(tmp_expr, original_lhs.type()));
}
ファイル: ssa_dereference.cpp プロジェクト: diffblue/2ls
/// Builds the condition under which `e1` and `e2` may alias.
/// The canonized address of `e1` is reduced to its base pointer when it is
/// a plus expression. When the object of `e1` is at least as large as that
/// of `e2`, plain address equality is used (well-aligned accesses are
/// assumed); otherwise the weaker same-object test is returned.
///
/// \param e1, e2: the two accessed expressions
/// \param ns: namespace used to resolve sizes and types
/// \return boolean-typed alias condition
exprt ssa_alias_guard(
  const exprt &e1,
  const exprt &e2,
  const namespacet &ns)
{
  exprt addr1=address_canonizer(address_of_exprt(e1), ns);

  // Prefer the base pointer of `e1`: pointer arithmetic on the base is
  // less likely than the result of the arithmetic happening to be a base
  // pointer. Only one level of ID_plus is stripped (a known hack).
  if(addr1.id()==ID_plus)
    addr1=addr1.op0();

  const exprt addr2=address_canonizer(address_of_exprt(e2), ns);

  const mp_integer size1=pointer_offset_size(e1.type(), ns);
  const mp_integer size2=pointer_offset_size(e2.type(), ns);

  // a smaller object on the left: fall back to the same-object test
  if(size1<size2)
    return same_object(addr1, addr2);

  // well-aligned-ness is assumed here, so address equality suffices;
  // align the pointer types before comparing
  exprt rhs=addr2;
  if(ns.follow(rhs.type())!=ns.follow(addr1.type()))
    rhs=typecast_exprt(rhs, addr1.type());

  return equal_exprt(addr1, rhs);
}
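/// Adds the axioms for `lastIndexOf(str, c[, fromIndex])`.
/// `c` is either a Java string (delegated to the string overload) or a
/// value cast to the refined string's character type. With two arguments
/// the search starts at the last character, i.e. `length - 1`.
///
/// The arity is checked before any argument beyond the first is read, so
/// a malformed application fails on the assertion rather than indexing
/// past the end of the argument vector.
///
/// \param f: application with two or three arguments
/// \return index expression of the refined string type's index type
exprt string_constraint_generatort::add_axioms_for_last_index_of(
  const function_application_exprt &f)
{
  const function_application_exprt::argumentst &args=f.arguments();

  // validate the arity before touching args[1] / args[2]
  assert(args.size()==2 || args.size()==3);

  string_exprt str=add_axioms_for_string_expr(args[0]);
  const exprt &c=args[1];
  const refined_string_typet &ref_type=to_refined_string_type(str.type());
  assert(f.type()==ref_type.get_index_type());

  // default start: the last character of str
  exprt from_index;
  if(args.size()==3)
    from_index=args[2];
  else
    from_index=minus_exprt(str.length(), from_integer(1, str.length().type()));

  if(refined_string_typet::is_java_string_pointer_type(c.type()))
  {
    string_exprt sub=add_axioms_for_string_expr(c);
    return add_axioms_for_last_index_of_string(str, sub, from_index);
  }

  return add_axioms_for_last_index_of(
    str, typecast_exprt(c, ref_type.get_char_type()), from_index);
}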
ファイル: function.cpp プロジェクト: dcattaruzza/cbmc
/// Returns a call `id(argument)` to the function named `id`, declaring a
/// stub `void id(const char *)` in `symbol_table` when no such symbol
/// exists yet. The argument is passed as `(param_type) &"argument"[0]`.
///
/// \param symbol_table: table looked up and possibly extended with the stub
/// \param id: identifier of the callee
/// \param argument: string literal handed to the callee
/// \return the call with a nil lhs
/// \throws std::string: if the symbol exists but is not a function taking
///   exactly one pointer parameter
code_function_callt function_to_call(
  symbol_tablet &symbol_table,
  const irep_idt &id,
  const irep_idt &argument)
{
  auto symbol_it=symbol_table.symbols.find(id);

  if(symbol_it==symbol_table.symbols.end())
  {
    // declare the stub: void id(const char *)
    pointer_typet stub_param_type(char_type());
    stub_param_type.subtype().set(ID_C_constant, true);

    code_typet stub_type;
    stub_type.return_type()=empty_typet();
    stub_type.parameters().push_back(
      code_typet::parametert(stub_param_type));

    symbolt stub;
    stub.name=id;
    stub.base_name=id;
    stub.type=stub_type;
    symbol_table.move(stub);

    symbol_it=symbol_table.symbols.find(id);
    assert(symbol_it!=symbol_table.symbols.end());
  }

  const symbolt &function_symbol=symbol_it->second;

  // the signature must be (type *) -> ...
  const bool signature_ok=
    function_symbol.type.id()==ID_code &&
    to_code_type(function_symbol.type).parameters().size()==1 &&
    to_code_type(function_symbol.type).parameters()[0].type().id()==
      ID_pointer;

  if(!signature_ok)
    throw std::string("function `")+id2string(id)+"' has wrong signature";

  const typet &expected_param_type=
    to_code_type(function_symbol.type).parameters()[0].type();

  // argument: (expected_param_type) &"argument"[0]
  string_constantt argument_string(argument);
  const index_exprt first_char(
    argument_string, from_integer(0, index_type()));

  code_function_callt call;
  call.lhs().make_nil();
  call.function()=symbol_exprt(function_symbol.name, function_symbol.type);
  call.arguments().resize(1);
  call.arguments()[0]=
    typecast_exprt(address_of_exprt(first_char), expected_param_type);

  return call;
}
/// Turns `instr` into the assignment `lhs = rhs` located at `loc`,
/// inserting a typecast of `rhs` to the type of `lhs` when the two types
/// are not equal under the namespace built from `st`.
void cegis_assign(const symbol_tablet &st, goto_programt::instructiont &instr,
    const exprt &lhs, const exprt &rhs, const source_locationt &loc)
{
  instr.type=goto_program_instruction_typet::ASSIGN;
  instr.source_location=loc;

  const namespacet ns(st);
  const typet &lhs_type=lhs.type();

  // only cast when the types really differ
  exprt value=rhs;
  if(!type_eq(lhs_type, rhs.type(), ns))
    value=typecast_exprt(rhs, lhs_type);

  instr.code=code_assignt(lhs, value);
}
ファイル: dereference.cpp プロジェクト: diffblue/cbmc
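/// Dispatches on the shape of `address` to build the expression that reads
/// `type` at `offset` through it. Handles `&object`, typecasts, pointer
/// arithmetic (`ID_plus`), conditionals and the NULL constant; any other
/// pointer constant or expression id is rejected by throwing.
///
/// The unused `result_type` local of the constant branch (a namespace
/// lookup whose result was never read) has been dropped.
///
/// \param address: pointer-typed expression being dereferenced
/// \param offset: byte offset added to the address
/// \param type: type of the value to read
/// \return expression denoting the read
/// \throws const char* / std::string: on malformed or unsupported addresses
exprt dereferencet::dereference_rec(
  const exprt &address,
  const exprt &offset,
  const typet &type)
{
  const irep_idt &id=address.id();

  if(id==ID_address_of)
  {
    // *(&object) is a read of object
    const exprt &object=to_address_of_expr(address).object();
    return read_object(object, offset, type);
  }

  if(id==ID_typecast)
    return dereference_typecast(to_typecast_expr(address), offset, type);

  if(id==ID_plus)
  {
    // pointer arithmetic
    if(address.operands().size()<2)
      throw "plus with less than two operands";

    return dereference_plus(address, offset, type);
  }

  if(id==ID_if)
    return dereference_if(to_if_expr(address), offset, type);

  if(id==ID_constant)
  {
    // the only pointer constant handled is NULL, rewritten to (type *)0
    if(to_constant_expr(address).get_value()!=ID_NULL)
      throw "dereferencet: unexpected pointer constant "+address.pretty();

    const exprt zero=gen_zero(index_type());
    return dereference_rec(
      typecast_exprt(zero, address.type()), offset, type);
  }

  throw "failed to dereference `"+address.id_string()+"'";
}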
ファイル: goto_check.cpp プロジェクト: diffblue/cbmc
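/// Emits the "array bounds" claims for the array access `expr`:
/// a lower-bound claim (effective offset >= 0) unless the index is
/// provably non-negative, and an upper-bound claim against either the
/// pointed-to object's size (when the root object is a dereference) or the
/// array/vector's declared size.
///
/// Nothing is emitted when bounds checking is disabled, when the expression
/// carries a false "bounds_check" flag, or when the array operand has
/// pointer type (that case is covered by the pointer checks). No upper
/// bound is claimed for arrays whose size is nil (incomplete linking),
/// infinite, or zero on a struct member (variable-sized member).
///
/// A duplicated "typecast size" block in the declared-size case has been
/// removed; it could never fire after the first one.
///
/// \param expr: the index expression under check
/// \param guard: path condition under which the access happens
/// \throws const char* / std::string: on incomplete or non-array types
void goto_checkt::bounds_check(
  const index_exprt &expr,
  const guardt &guard)
{
  if(!enable_bounds_check)
    return;

  // a per-expression opt-out flag
  if(expr.find("bounds_check").is_not_nil() &&
     !expr.get_bool("bounds_check"))
    return;

  const typet &array_type=ns.follow(expr.array().type());

  if(array_type.id()==ID_pointer)
    return; // done by the pointer code
  else if(array_type.id()==ID_incomplete_array)
    throw "index got incomplete array";
  else if(array_type.id()!=ID_array && array_type.id()!=ID_vector)
    throw "bounds check expected array or vector type, got "
      +array_type.id_string();

  const std::string name=array_name(expr.array());

  const exprt &index=expr.index();
  object_descriptor_exprt ode;
  ode.build(expr, ns);

  // lower bound: only needed when the index may be negative
  if(index.type().id()!=ID_unsignedbv)
  {
    // a typecast of an unsigned value cannot be negative
    const bool cast_from_unsigned=
      index.id()==ID_typecast &&
      index.operands().size()==1 &&
      index.op0().type().id()==ID_unsignedbv;

    // nor can a non-negative integer constant
    mp_integer index_value;
    const bool nonneg_constant=
      !cast_from_unsigned &&
      !to_integer(index, index_value) &&
      index_value>=0;

    if(!cast_from_unsigned && !nonneg_constant)
    {
      exprt effective_offset=ode.offset();

      // an access through a pointer also carries the pointer's offset
      if(ode.root_object().id()==ID_dereference)
      {
        exprt p_offset=pointer_offset(
          to_dereference_expr(ode.root_object()).pointer());
        assert(p_offset.type()==effective_offset.type());

        effective_offset=plus_exprt(p_offset, effective_offset);
      }

      exprt zero=gen_zero(ode.offset().type());
      assert(zero.is_not_nil());

      // the final offset must not be negative
      binary_relation_exprt inequality(effective_offset, ID_ge, zero);

      add_guarded_claim(
        inequality,
        name+" lower bound",
        "array bounds",
        expr.find_source_location(),
        expr,
        guard);
    }
  }

  // upper bound through a pointer: compare the effective offset with the
  // object's size (the dynamic size for dynamic objects)
  if(ode.root_object().id()==ID_dereference)
  {
    const exprt &pointer=
      to_dereference_expr(ode.root_object()).pointer();

    if_exprt size(
      dynamic_object(pointer),
      typecast_exprt(dynamic_size(ns), object_size(pointer).type()),
      object_size(pointer));

    plus_exprt effective_offset(ode.offset(), pointer_offset(pointer));

    assert(effective_offset.op0().type()==effective_offset.op1().type());
    assert(effective_offset.type()==size.type());

    binary_relation_exprt inequality(effective_offset, ID_lt, size);

    // dynamic objects not produced by malloc are not size-checked here
    or_exprt precond(
      and_exprt(
        dynamic_object(pointer),
        not_exprt(malloc_object(pointer, ns))),
      inequality);

    add_guarded_claim(
      precond,
      name+" upper bound",
      "array bounds",
      expr.find_source_location(),
      expr,
      guard);

    return;
  }

  // upper bound against the declared array/vector size
  const exprt &size=array_type.id()==ID_array ?
                    to_array_type(array_type).size() :
                    to_vector_type(array_type).size();

  if(size.is_nil())
  {
    // Linking didn't complete, we don't have a size.
    // Not clear what to do.
  }
  else if(size.id()==ID_infinity)
  {
    // unbounded array: nothing to claim
  }
  else if(size.is_zero() &&
          expr.array().id()==ID_member)
  {
    // a variable sized struct member
  }
  else
  {
    binary_relation_exprt inequality(index, ID_lt, size);

    // cast the size to the index type when they differ
    if(inequality.op1().type()!=inequality.op0().type())
      inequality.op1().make_typecast(inequality.op0().type());

    add_guarded_claim(
      inequality,
      name+" upper bound",
      "array bounds",
      expr.find_source_location(),
      expr,
      guard);
  }
}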
ファイル: value_set_dereference.cpp プロジェクト: danpoe/cbmc
/// Builds the expression that reads through `pointer_expr` for one
/// points-to entry `what` taken from the value set.
///
/// `what` must be an object descriptor; `ID_unknown`/`ID_invalid` entries
/// report an invalid-pointer failure and yield an empty valuet, any other
/// id is rejected by throwing. The result carries `pointer_guard` (the
/// condition under which this entry applies) and `value` (the expression
/// to read). Pointer-safety failures are only reported to
/// `dereference_callback` when the "pointer-check" option is set; the
/// dynamic-object bounds failures additionally require "bounds-check".
///
/// \param what: one points-to entry
/// \param mode: access mode forwarded to valid_check
/// \param pointer_expr: the pointer being dereferenced
/// \param guard: path condition of the dereference
/// \return guard/value pair; value is nil when no read could be built
/// \throws std::string: for non-descriptor entries and invalid type sizes
value_set_dereferencet::valuet value_set_dereferencet::build_reference_to(
  const exprt &what,
  const modet mode,
  const exprt &pointer_expr,
  const guardt &guard)
{
  const typet &dereference_type=
    ns.follow(pointer_expr.type()).subtype();

  if(what.id()==ID_unknown ||
     what.id()==ID_invalid)
  {
    invalid_pointer(pointer_expr, guard);
    return valuet();
  }

  if(what.id()!=ID_object_descriptor)
    throw "unknown points-to: "+what.id_string();

  const object_descriptor_exprt &o=to_object_descriptor_expr(what);

  const exprt &root_object=o.root_object();
  const exprt &object=o.object();

  #if 0
  std::cout << "O: " << from_expr(ns, "", root_object) << '\n';
  #endif

  valuet result;

  if(root_object.id()=="NULL-object")
  {
    // NULL: report, but no value and no guard are produced
    if(options.get_bool_option("pointer-check"))
    {
      guardt tmp_guard(guard);

      // distinguish a plain NULL from NULL plus an offset
      if(o.offset().is_zero())
      {
        tmp_guard.add(null_pointer(pointer_expr));

        dereference_callback.dereference_failure(
          "pointer dereference",
          "NULL pointer", tmp_guard);
      }
      else
      {
        tmp_guard.add(null_object(pointer_expr));

        dereference_callback.dereference_failure(
          "pointer dereference",
          "NULL plus offset pointer", tmp_guard);
      }
    }
  }
  else if(root_object.id()==ID_dynamic_object)
  {
    // const dynamic_object_exprt &dynamic_object=
    //  to_dynamic_object_expr(root_object);

    // the object produced by malloc
    exprt malloc_object=
      ns.lookup(CPROVER_PREFIX "malloc_object").symbol_expr();

    exprt is_malloc_object=same_object(pointer_expr, malloc_object);

    // constraint that it actually is a dynamic object
    exprt dynamic_object_expr(ID_dynamic_object, bool_typet());
    dynamic_object_expr.copy_to_operands(pointer_expr);

    // this is also our guard
    result.pointer_guard=dynamic_object_expr;

    // can't remove here, turn into *p
    result.value=dereference_exprt(pointer_expr, dereference_type);

    if(options.get_bool_option("pointer-check"))
    {
      // if(!dynamic_object.valid().is_true())
      {
        // check if it is still alive
        guardt tmp_guard(guard);
        tmp_guard.add(deallocated(pointer_expr, ns));
        dereference_callback.dereference_failure(
          "pointer dereference",
          "dynamic object deallocated",
          tmp_guard);
      }

      // both bound checks are conditioned on the object being the one
      // malloc produced (is_malloc_object)
      if(options.get_bool_option("bounds-check"))
      {
        if(!o.offset().is_zero())
        {
          // check lower bound
          guardt tmp_guard(guard);
          tmp_guard.add(is_malloc_object);
          tmp_guard.add(
            dynamic_object_lower_bound(
              pointer_expr,
              ns,
              nil_exprt()));
          dereference_callback.dereference_failure(
            "pointer dereference",
            "dynamic object lower bound", tmp_guard);
        }

        {
          // check upper bound

          // we check SAME_OBJECT(__CPROVER_malloc_object, p) &&
          //          POINTER_OFFSET(p)+size>__CPROVER_malloc_size

          guardt tmp_guard(guard);
          tmp_guard.add(is_malloc_object);
          tmp_guard.add(
            dynamic_object_upper_bound(
              pointer_expr,
              dereference_type,
              ns,
              size_of_expr(dereference_type, ns)));
          dereference_callback.dereference_failure(
            "pointer dereference",
            "dynamic object upper bound", tmp_guard);
        }
      }
    }
  }
  else if(root_object.id()==ID_integer_address)
  {
    // This is stuff like *((char *)5).
    // This is turned into an access to __CPROVER_memory[...].

    // no integer addresses in Java: hand back a nil value
    if(language_mode==ID_java)
    {
      result.value=nil_exprt();
      return result;
    }

    const symbolt &memory_symbol=ns.lookup(CPROVER_PREFIX "memory");
    exprt symbol_expr=symbol_exprt(memory_symbol.name, memory_symbol.type);

    if(base_type_eq(
         ns.follow(memory_symbol.type).subtype(),
         dereference_type, ns))
    {
      // Types match already, what a coincidence!
      // We can use an index expression.

      exprt index_expr=index_exprt(symbol_expr, pointer_offset(pointer_expr));
      index_expr.type()=ns.follow(memory_symbol.type).subtype();
      result.value=index_expr;
    }
    else if(dereference_type_compare(
              ns.follow(memory_symbol.type).subtype(),
              dereference_type))
    {
      // compatible element type: index, then cast to the requested type
      exprt index_expr=index_exprt(symbol_expr, pointer_offset(pointer_expr));
      index_expr.type()=ns.follow(memory_symbol.type).subtype();
      result.value=typecast_exprt(index_expr, dereference_type);
    }
    else
    {
      // We need to use byte_extract.
      // Won't do this without a commitment to an endianness.

      // with NO_ENDIANNESS result.value stays nil
      if(config.ansi_c.endianness==configt::ansi_ct::endiannesst::NO_ENDIANNESS)
      {
      }
      else
      {
        exprt byte_extract(byte_extract_id(), dereference_type);
        byte_extract.copy_to_operands(
          symbol_expr, pointer_offset(pointer_expr));
        result.value=byte_extract;
      }
    }
  }
  else
  {
    // something generic -- really has to be a symbol
    address_of_exprt object_pointer(object);

    // the guard is exact address equality at offset zero, otherwise just
    // "same object"
    if(o.offset().is_zero())
    {
      equal_exprt equality(pointer_expr, object_pointer);

      if(ns.follow(equality.lhs().type())!=ns.follow(equality.rhs().type()))
        equality.lhs().make_typecast(equality.rhs().type());

      result.pointer_guard=equality;
    }
    else
    {
      result.pointer_guard=same_object(pointer_expr, object_pointer);
    }

    guardt tmp_guard(guard);
    tmp_guard.add(result.pointer_guard);

    valid_check(object, tmp_guard, mode);

    const typet &object_type=ns.follow(object.type());
    // NOTE: shadows the outer `root_object` bound above; same expression
    const exprt &root_object=o.root_object();
    const typet &root_object_type=ns.follow(root_object.type());

    exprt root_object_subexpression=root_object;

    if(dereference_type_compare(object_type, dereference_type) &&
       o.offset().is_zero())
    {
      // The simplest case: types match, and offset is zero!
      // This is great, we are almost done.

      result.value=object;

      if(object_type!=ns.follow(dereference_type))
        result.value.make_typecast(dereference_type);
    }
    else if(root_object_type.id()==ID_array &&
            dereference_type_compare(
              root_object_type.subtype(),
              dereference_type))
    {
      // We have an array with a subtype that matches
      // the dereferencing type.
      // We will require well-alignedness!

      exprt offset;

      // this should work as the object is essentially the root object
      if(o.offset().is_constant())
        offset=o.offset();
      else
        offset=pointer_offset(pointer_expr);

      exprt adjusted_offset;

      // are we doing a byte?
      mp_integer element_size=
        dereference_type.id()==ID_empty?
        pointer_offset_size(char_type(), ns):
        pointer_offset_size(dereference_type, ns);

      if(element_size==1)
      {
        // no need to adjust offset
        adjusted_offset=offset;
      }
      else if(element_size<=0)
      {
        throw "unknown or invalid type size of:\n"+dereference_type.pretty();
      }
      else
      {
        // byte offset -> element index; alignment is not asserted
        exprt element_size_expr=
          from_integer(element_size, offset.type());

        adjusted_offset=binary_exprt(
          offset, ID_div, element_size_expr, offset.type());

        // TODO: need to assert well-alignedness
      }

      index_exprt index_expr=
        index_exprt(root_object, adjusted_offset, root_object_type.subtype());

      // the index is bounds-checked under the entry's guard
      bounds_check(index_expr, tmp_guard);

      result.value=index_expr;

      if(ns.follow(result.value.type())!=ns.follow(dereference_type))
        result.value.make_typecast(dereference_type);
    }
    else if(get_subexpression_at_offset(
        root_object_subexpression,
        o.offset(),
        dereference_type,
        ns))
    {
      // Successfully found a member, array index, or combination thereof
      // that matches the desired type and offset:
      result.value=root_object_subexpression;
    }
    else
    {
      // we extract something from the root object
      result.value=o.root_object();

      // this is relative to the root object
      const exprt offset=pointer_offset(pointer_expr);

      // memory_model rewrites result.value in place when it applies
      if(memory_model(result.value, dereference_type, tmp_guard, offset))
      {
        // ok, done
      }
      else
      {
        if(options.get_bool_option("pointer-check"))
        {
          std::string msg="memory model not applicable (got `";
          msg+=from_type(ns, "", result.value.type());
          msg+="', expected `";
          msg+=from_type(ns, "", dereference_type);
          msg+="')";

          dereference_callback.dereference_failure(
            "pointer dereference",
            msg, tmp_guard);
        }

        return valuet(); // give up, no way that this is ok
      }
    }
  }

  return result;
}
codet java_bytecode_convertt::convert_instructions(
  const instructionst &instructions,
  const code_typet &method_type)
{
  // Run a worklist algorithm, assuming that the bytecode has not
  // been tampered with. See "Leroy, X. (2003). Java bytecode
  // verification: algorithms and formalizations. Journal of Automated
  // Reasoning, 30(3-4), 235-269." for a more complete treatment.

  // first pass: get targets and map addresses to instructions
  
  struct converted_instructiont
  {
    converted_instructiont(
      const instructionst::const_iterator &it,
      const codet &_code):source(it), code(_code), done(false)
    {
    }

    instructionst::const_iterator source;
    std::list<unsigned> successors;
    std::set<unsigned> predecessors;
    codet code;
    stackt stack;
    bool done;
  };
  
  typedef std::map<unsigned, converted_instructiont> address_mapt;
  address_mapt address_map;
  std::set<unsigned> targets;

  for(instructionst::const_iterator
      i_it=instructions.begin();
      i_it!=instructions.end();
      i_it++)
  {
    std::pair<address_mapt::iterator, bool> a_entry=
      address_map.insert(std::make_pair(
          i_it->address,
          converted_instructiont(i_it, code_skipt())));
    assert(a_entry.second);
    // addresses are strictly increasing, hence we must have inserted
    // a new maximal key
    assert(a_entry.first==--address_map.end());

    if(i_it->statement!="goto" &&
       i_it->statement!="return" &&
       !(i_it->statement==patternt("?return")) &&
       i_it->statement!="athrow")
    {
      instructionst::const_iterator next=i_it;
      if(++next!=instructions.end())
        a_entry.first->second.successors.push_back(next->address);
    }

    if(i_it->statement=="goto" ||
       i_it->statement==patternt("if_?cmp??") ||
       i_it->statement==patternt("if??") ||
       i_it->statement=="ifnonnull" ||
       i_it->statement=="ifnull")
    {
      assert(!i_it->args.empty());

      const unsigned target=safe_string2unsigned(
        id2string(to_constant_expr(i_it->args[0]).get_value()));
      targets.insert(target);

      a_entry.first->second.successors.push_back(target);
    }
    else if(i_it->statement=="tableswitch" ||
            i_it->statement=="lookupswitch")
    {
      bool is_label=true;
      for(instructiont::argst::const_iterator
          a_it=i_it->args.begin();
          a_it!=i_it->args.end();
          a_it++, is_label=!is_label)
      {
        if(is_label)
        {
          const unsigned target=safe_string2unsigned(
            id2string(to_constant_expr(*a_it).get_value()));
          targets.insert(target);
          a_entry.first->second.successors.push_back(target);
        }
      }
    }
  }

  for(address_mapt::iterator
      it=address_map.begin();
      it!=address_map.end();
      ++it)
  {
    for(unsigned s : it->second.successors)
    {
      address_mapt::iterator a_it=address_map.find(s);
      assert(a_it!=address_map.end());

      a_it->second.predecessors.insert(it->first);
    }
  }

  std::set<unsigned> working_set;
  if(!instructions.empty())
    working_set.insert(instructions.front().address);

  while(!working_set.empty())
  {
    std::set<unsigned>::iterator cur=working_set.begin();
    address_mapt::iterator a_it=address_map.find(*cur);
    assert(a_it!=address_map.end());
    working_set.erase(cur);

    if(a_it->second.done) continue;
    working_set.insert(a_it->second.successors.begin(),
                       a_it->second.successors.end());

    instructionst::const_iterator i_it=a_it->second.source;
    stack.swap(a_it->second.stack);
    a_it->second.stack.clear();
    codet &c=a_it->second.code;

    assert(stack.empty() ||
           a_it->second.predecessors.size()<=1 ||
           has_prefix(stack.front().get_string(ID_C_base_name),
                      "$stack"));

    irep_idt statement=i_it->statement;
    exprt arg0=i_it->args.size()>=1?i_it->args[0]:nil_exprt();
    exprt arg1=i_it->args.size()>=2?i_it->args[1]:nil_exprt();

    const bytecode_infot &bytecode_info=get_bytecode_info(statement);

    // deal with _idx suffixes
    if(statement.size()>=2 &&
       statement[statement.size()-2]=='_' &&
       isdigit(statement[statement.size()-1]))
    {
      arg0=constant_exprt(
        std::string(id2string(statement), statement.size()-1, 1),
        integer_typet());
      statement=std::string(id2string(statement), 0, statement.size()-2);
    }
    
    exprt::operandst op=pop(bytecode_info.pop);
    exprt::operandst results;
    results.resize(bytecode_info.push, nil_exprt());
    
    if(statement=="aconst_null")
    {
      assert(results.size()==1);
      results[0]=gen_zero(java_reference_type(void_typet()));
    }
    else if(statement=="athrow")
    {
      assert(op.size()==1 && results.size()==1);
      side_effect_expr_throwt throw_expr;
      throw_expr.add_source_location()=i_it->source_location;
      throw_expr.copy_to_operands(op[0]);
      c=code_expressiont(throw_expr);
      results[0]=op[0];
    }
    else if(statement=="checkcast")
    {
      // checkcast throws an exception in case a cast of object
      // on stack to given type fails.
      // The stack isn't modified.
      assert(op.size()==1 && results.size()==1);
      results[0]=op[0];
    }
    else if(statement=="invokedynamic")
    {
      // not used in Java
      code_typet &code_type=to_code_type(arg0.type());
      const code_typet::parameterst &parameters(code_type.parameters());

      pop(parameters.size());

      const typet &return_type=code_type.return_type();

      if(return_type.id()!=ID_empty)
      {
        results.resize(1);
        results[0]=nil_exprt();
      }
    }
    else if(statement=="invokeinterface" ||
            statement=="invokespecial" ||
            statement=="invokevirtual" ||
            statement=="invokestatic")
    {
      const bool use_this(statement != "invokestatic");
      const bool is_virtual(
        statement == "invokevirtual" || statement == "invokeinterface");
      
      code_typet &code_type=to_code_type(arg0.type());
      code_typet::parameterst &parameters(code_type.parameters());

      if(use_this)
      {
        if(parameters.empty() || !parameters[0].get_this())
        {
          const empty_typet empty;
          pointer_typet object_ref_type(empty);
          code_typet::parametert this_p(object_ref_type);
          this_p.set_this();
          this_p.set_base_name("this");
          parameters.insert(parameters.begin(), this_p);
        }
      }

      code_function_callt call;
      call.add_source_location()=i_it->source_location;
      call.arguments() = pop(parameters.size());

      // double-check a bit      
      if(use_this)
      {
        const exprt &this_arg=call.arguments().front();
        assert(this_arg.type().id()==ID_pointer);
      }
      
      // do some type adjustment for the arguments,
      // as Java promotes arguments

      for(unsigned i=0; i<parameters.size(); i++)
      {
        const typet &type=parameters[i].type();
        if(type==java_boolean_type() ||
           type==java_char_type() ||
           type==java_byte_type() ||
           type==java_short_type())
        {
          assert(i<call.arguments().size());
          call.arguments()[i].make_typecast(type);
        }
      }
      
      // do some type adjustment for return values

      const typet &return_type=code_type.return_type();

      if(return_type.id()!=ID_empty)
      {
        // return types are promoted in Java
        call.lhs()=tmp_variable("return", return_type);
        exprt promoted=java_bytecode_promotion(call.lhs());
        results.resize(1);
        results[0]=promoted;
      }

      assert(arg0.id()==ID_virtual_function);

      // does the function symbol exist?
      irep_idt id=arg0.get(ID_identifier);

      if(symbol_table.symbols.find(id)==symbol_table.symbols.end())
      {
        // no, create stub
        symbolt symbol;
        symbol.name=id;
        symbol.base_name=arg0.get(ID_C_base_name);
        symbol.type=arg0.type();
        symbol.value.make_nil();
        symbol.mode=ID_java;
        symbol_table.add(symbol);
      }

      if(is_virtual)
      {
        // dynamic binding
        assert(use_this);
        assert(!call.arguments().empty());
        call.function()=arg0;
      }
      else
      {
        // static binding
	/*if(id == "java::java.lang.String.charAt:(I)C")
	  call.function()=symbol_exprt("java::__CPROVER_uninterpreted_char_at", arg0.type());
	  else*/
	  call.function()=symbol_exprt(arg0.get(ID_identifier), arg0.type());

      }

      call.function().add_source_location()=i_it->source_location;
      c = call;
      
    }
    else if(statement=="return")
    {
      assert(op.empty() && results.empty());
      c=code_returnt();
    }
    else if(statement==patternt("?return"))
    {
      // Return types are promoted in java, so this might need
      // conversion.
      assert(op.size()==1 && results.empty());
      exprt r=op[0];
      if(r.type()!=method_return_type) r=typecast_exprt(r, method_return_type);
      c=code_returnt(r);
    }
    else if(statement==patternt("?astore"))
    {
      assert(op.size()==3 && results.empty());
      
      char type_char=statement[0];
      
      exprt pointer=
        typecast_exprt(op[0], java_array_type(type_char));

      const dereference_exprt deref(pointer, pointer.type().subtype());

      const member_exprt data_ptr(
        deref, "data", pointer_typet(java_type_from_char(type_char)));

      plus_exprt data_plus_offset(data_ptr, op[1], data_ptr.type());
      typet element_type=data_ptr.type().subtype();
      const dereference_exprt element(data_plus_offset, element_type);

      c=code_assignt(element, op[2]);
    }
    else if(statement==patternt("?store"))
    {
      // store value into some local variable
      assert(op.size()==1 && results.empty());

      exprt var=variable(arg0, statement[0]);
      
      const bool is_array('a' == statement[0]);
      
      if(is_array)
        var.type()=op[0].type();

      c=code_assignt(var, op[0]);
    }
    else if(statement==patternt("?aload"))
    {
      assert(op.size() == 2 && results.size() == 1);
      
      char type_char=statement[0];

      exprt pointer=
        typecast_exprt(op[0], java_array_type(type_char));

      const dereference_exprt deref(pointer, pointer.type().subtype());

      const member_exprt data_ptr(
        deref, "data", pointer_typet(java_type_from_char(type_char)));

      plus_exprt data_plus_offset(data_ptr, op[1], data_ptr.type());
      typet element_type=data_ptr.type().subtype();
      dereference_exprt element(data_plus_offset, element_type);

      results[0]=java_bytecode_promotion(element);
    }
    else if(statement==patternt("?load"))
    {
      // load a value from a local variable
      results[0]=variable(arg0, statement[0]);
    }
    else if(statement=="ldc" || statement=="ldc_w" ||
            statement=="ldc2" || statement=="ldc2_w")
    {
      assert(op.empty() && results.size()==1);
      
      // 1) Pushing a String causes a reference to a java.lang.String object
      // to be constructed and pushed onto the operand stack.

      // 2) Pushing an int or a float causes a primitive value to be pushed
      // onto the stack.
      
      // 3) Pushing a Class constant causes a reference to a java.lang.Class
      // to be pushed onto the operand stack
      
      if(arg0.id()==ID_java_string_literal)
      {
        // these need to be references to java.lang.String
        results[0]=arg0;
        symbol_typet string_type("java::java.lang.String");
        results[0].type()=pointer_typet(string_type);
      }
      else if(arg0.id()==ID_type)
      {
        irep_idt class_id=arg0.type().get(ID_identifier);
        symbol_typet java_lang_Class("java::java.lang.Class");
        symbol_exprt symbol_expr(id2string(class_id)+"@class_model", java_lang_Class);
        address_of_exprt address_of_expr(symbol_expr);
        results[0]=address_of_expr;
      }
      else if(arg0.id()==ID_constant)
      {
        results[0]=arg0;
      }
      else
      {
        error() << "unexpected ldc argument" << eom;
        throw 0;
      }
      
    }
    else if(statement=="goto" || statement=="goto_w")
    {
      assert(op.empty() && results.empty());
      irep_idt number=to_constant_expr(arg0).get_value();
      code_gotot code_goto(label(number));
      c=code_goto;
    }
    else if(statement=="iconst_m1")
    {
      assert(results.size()==1);
      results[0]=from_integer(-1, java_int_type());
    }
    else if(statement==patternt("?const"))
    {
      assert(results.size() == 1);

      const char type_char=statement[0];
      const bool is_double('d' == type_char);
      const bool is_float('f' == type_char);

      if(is_double || is_float)
      {
        const ieee_float_spect spec(
            is_float ?
                ieee_float_spect::single_precision() :
                ieee_float_spect::double_precision());

        ieee_floatt value(spec);
        const typet &arg_type(arg0.type());
        if(ID_integer == arg_type.id())
          value.from_integer(arg0.get_int(ID_value));
        else
          value.from_expr(to_constant_expr(arg0));

        results[0] = value.to_expr();
      }
      else
      {
        const unsigned int value(arg0.get_unsigned_int(ID_value));
        const typet type=java_type_from_char(statement[0]);
        results[0] = as_number(value, type);
      }
    }
    else if(statement==patternt("?ipush"))
    {
      assert(results.size()==1);
      results[0]=typecast_exprt(arg0, java_int_type());
    }
    else if(statement==patternt("if_?cmp??"))
    {
      irep_idt number=to_constant_expr(arg0).get_value();
      assert(op.size()==2 && results.empty());

      code_ifthenelset code_branch;
      const irep_idt cmp_op=get_if_cmp_operator(statement);
      
      binary_relation_exprt condition(op[0], cmp_op, op[1]);

      cast_if_necessary(condition);
      code_branch.cond()=condition;
      code_branch.then_case()=code_gotot(label(number));
      code_branch.then_case().add_source_location()=i_it->source_location;
      code_branch.add_source_location()=i_it->source_location;
      
      c=code_branch;
    }
    else if(statement==patternt("if??"))
    {
      const irep_idt id=
        statement=="ifeq"?ID_equal:
        statement=="ifne"?ID_notequal:
        statement=="iflt"?ID_lt:
        statement=="ifge"?ID_ge:
        statement=="ifgt"?ID_gt:
        statement=="ifle"?ID_le:
        (assert(false), "");

      irep_idt number=to_constant_expr(arg0).get_value();
      assert(op.size()==1 && results.empty());

      code_ifthenelset code_branch;
      code_branch.cond()=binary_relation_exprt(op[0], id, gen_zero(op[0].type()));
      code_branch.cond().add_source_location()=i_it->source_location;
      code_branch.then_case()=code_gotot(label(number));
      code_branch.then_case().add_source_location()=i_it->source_location;
      code_branch.add_source_location()=i_it->source_location;

      c=code_branch;
    }
    else if(statement==patternt("ifnonnull"))
    {
      irep_idt number=to_constant_expr(arg0).get_value();
      assert(op.size()==1 && results.empty());
      code_ifthenelset code_branch;
      const typecast_exprt lhs(op[0], pointer_typet());
      const exprt rhs(gen_zero(lhs.type()));
      code_branch.cond()=binary_relation_exprt(lhs, ID_notequal, rhs);
      code_branch.then_case()=code_gotot(label(number));
      code_branch.then_case().add_source_location()=i_it->source_location;
      code_branch.add_source_location()=i_it->source_location;

      c=code_branch;
    }
    else if(statement==patternt("ifnull"))
    {
      assert(op.size()==1 && results.empty());
      irep_idt number=to_constant_expr(arg0).get_value();
      code_ifthenelset code_branch;
      const typecast_exprt lhs(op[0], pointer_typet(empty_typet()));
      const exprt rhs(gen_zero(lhs.type()));
      code_branch.cond()=binary_relation_exprt(lhs, ID_equal, rhs);
      code_branch.then_case()=code_gotot(label(number));
      code_branch.then_case().add_source_location()=i_it->source_location;
      code_branch.add_source_location()=i_it->source_location;

      c=code_branch;
    }
    else if(statement=="iinc")
    {
      code_assignt code_assign;
      code_assign.lhs()=variable(arg0, 'i');
      code_assign.rhs()=plus_exprt(
                          variable(arg0, 'i'),
                          typecast_exprt(arg1, java_int_type()));
      c=code_assign;
    }
    else if(statement==patternt("?xor"))
    {
      assert(op.size()==2 && results.size()==1);
      results[0]=bitxor_exprt(op[0], op[1]);
    }
    else if(statement==patternt("?or"))
    {
      assert(op.size()==2 && results.size()==1);
      results[0]=bitor_exprt(op[0], op[1]);
    }
    else if(statement==patternt("?and"))
    {
      assert(op.size()==2 && results.size()==1);
      results[0]=bitand_exprt(op[0], op[1]);
    }
    else if(statement==patternt("?shl"))
    {
      assert(op.size()==2 && results.size()==1);
      results[0]=shl_exprt(op[0], op[1]);
    }
    else if(statement==patternt("?shr"))
    {
      assert(op.size()==2 && results.size()==1);
      results[0]=ashr_exprt(op[0], op[1]);
    }
    else if(statement==patternt("?ushr"))
    {
      assert(op.size()==2 && results.size()==1);
      const typet type(java_type_from_char(statement[0]));

      const unsigned int width(type.get_unsigned_int(ID_width));
      typet target=unsigned_long_int_type();
      target.set(ID_width, width);

      const typecast_exprt lhs(op[0], target);
      const typecast_exprt rhs(op[1], target);

      results[0]=lshr_exprt(lhs, rhs);
    }
    else if(statement==patternt("?add"))
    {
      assert(op.size()==2 && results.size()==1);
      results[0]=plus_exprt(op[0], op[1]);
    }
    else if(statement==patternt("?sub"))
    {
      assert(op.size()==2 && results.size()==1);
      results[0]=minus_exprt(op[0], op[1]);
    }
    else if(statement==patternt("?div"))
    {
      assert(op.size()==2 && results.size()==1);
      results[0]=div_exprt(op[0], op[1]);
    }
    else if(statement==patternt("?mul"))
    {
      assert(op.size()==2 && results.size()==1);
      results[0]=mult_exprt(op[0], op[1]);
    }
    else if(statement==patternt("?neg"))
    {
      assert(op.size()==1 && results.size()==1);
      results[0]=unary_minus_exprt(op[0], op[0].type());
    }
    else if(statement==patternt("?rem"))
    {
      assert(op.size()==2 && results.size()==1);
      if(statement=="frem" || statement=="drem")
        results[0]=rem_exprt(op[0], op[1]);
      else
        results[0]=mod_exprt(op[0], op[1]);
    }
    else if(statement==patternt("?cmp"))
    {
      assert(op.size() == 2 && results.size() == 1);

      // The integer result on the stack is:
      //  0 if op[0] equals op[1]
      // -1 if op[0] is less than op[1]
      //  1 if op[0] is greater than op[1]

      const typet t=java_int_type();

      results[0]=
        if_exprt(binary_relation_exprt(op[0], ID_equal, op[1]), gen_zero(t),
        if_exprt(binary_relation_exprt(op[0], ID_gt, op[1]), from_integer(1, t),
        from_integer(-1, t)));
    }
    else if(statement==patternt("?cmp?"))
    {
      assert(op.size()==2 && results.size()==1);
      const floatbv_typet type(to_floatbv_type(java_type_from_char(statement[0])));
      const ieee_float_spect spec(type);
      const ieee_floatt nan(ieee_floatt::NaN(spec));
      const constant_exprt nan_expr(nan.to_expr());
      const int nan_value(statement[4] == 'l' ? -1 : 1);
      const typet result_type(java_int_type());
      const exprt nan_result(from_integer(nan_value, result_type));

      // (value1 == NaN || value2 == NaN) ? nan_value : value1  < value2 ? -1 : value2 < value1  1 ? 1 : 0;
      // (value1 == NaN || value2 == NaN) ? nan_value : value1 == value2 ? 0  : value1 < value2 -1 ? 1 : 0;

      results[0]=
        if_exprt(or_exprt(ieee_float_equal_exprt(nan_expr, op[0]), ieee_float_equal_exprt(nan_expr, op[1])), nan_result,
        if_exprt(ieee_float_equal_exprt(op[0], op[1]), gen_zero(result_type),
        if_exprt(binary_relation_exprt(op[0], ID_lt, op[1]), from_integer(-1, result_type), from_integer(1, result_type))));
    }
    else if(statement==patternt("?cmpl"))
    {
      assert(op.size()==2 && results.size()==1);
      results[0]=binary_relation_exprt(op[0], ID_lt, op[1]);
    }
    else if(statement=="dup")
    {
      assert(op.size()==1 && results.size()==2);
      results[0]=results[1]=op[0];
    }
    else if(statement=="dup_x1")
    {
      assert(op.size()==2 && results.size()==3);
      results[0]=op[1];
      results[1]=op[0];
      results[2]=op[1];
    }
    else if(statement=="dup_x2")
    {
      assert(op.size()==3 && results.size()==4);
      results[0]=op[2];
      results[1]=op[0];
      results[2]=op[1];
      results[3]=op[2];
    }
    // dup2* behaviour depends on the size of the operands on the
    // stack
    else if(statement=="dup2")
    {
      assert(!stack.empty() && results.empty());

      if(stack.back().type().get_unsigned_int(ID_width)==32)
        op=pop(2);
      else
        op=pop(1);

      results.insert(results.end(), op.begin(), op.end());
      results.insert(results.end(), op.begin(), op.end());
    }
    else if(statement=="dup2_x1")
    {
      assert(!stack.empty() && results.empty());

      if(stack.back().type().get_unsigned_int(ID_width)==32)
        op=pop(3);
      else
        op=pop(2);

      results.insert(results.end(), op.begin()+1, op.end());
      results.insert(results.end(), op.begin(), op.end());
    }
    else if(statement=="dup2_x2")
    {
      assert(!stack.empty() && results.empty());

      if(stack.back().type().get_unsigned_int(ID_width)==32)
        op=pop(2);
      else
        op=pop(1);

      assert(!stack.empty());
      exprt::operandst op2;

      if(stack.back().type().get_unsigned_int(ID_width)==32)
        op2=pop(2);
      else
        op2=pop(1);

      results.insert(results.end(), op.begin(), op.end());
      results.insert(results.end(), op2.begin(), op2.end());
      results.insert(results.end(), op.begin(), op.end());
    }
    else if(statement=="dconst")
    {
      assert(op.empty() && results.size()==1);
    }
    else if(statement=="fconst")
    {
      assert(op.empty() && results.size()==1);
    }
    else if(statement=="getfield")
    {
      assert(op.size()==1 && results.size()==1);
      results[0]=to_member(op[0], arg0);
    }
    else if(statement=="getstatic")
    {
      assert(op.empty() && results.size()==1);
      symbol_exprt symbol_expr(arg0.type());
      symbol_expr.set_identifier(arg0.get_string(ID_class)+"."+arg0.get_string(ID_component_name));
      results[0]=symbol_expr;
    }
    else if(statement=="putfield")
    {
      assert(op.size()==2 && results.size()==0);
      c = code_assignt(to_member(op[0], arg0), op[1]);
    }
    else if(statement=="putstatic")
    {
      assert(op.size()==1 && results.empty());
      symbol_exprt symbol_expr(arg0.type());
      symbol_expr.set_identifier(arg0.get_string(ID_class)+"."+arg0.get_string(ID_component_name));
      c=code_assignt(symbol_expr, op[0]);
    }
    else if(statement==patternt("?2?")) // i2c etc.
    {
      assert(op.size()==1 && results.size()==1);
      results[0]=typecast_exprt(op[0], java_type_from_char(statement[2]));
    }
    else if(statement=="new")
    {
      // use temporary since the stack symbol might get duplicated
      assert(op.empty() && results.size()==1);
      const pointer_typet ref_type(arg0.type());
      exprt java_new_expr=side_effect_exprt(ID_java_new, ref_type);

      if(!i_it->source_location.get_line().empty())
        java_new_expr.add_source_location()=i_it->source_location;

      const exprt tmp=tmp_variable("new", ref_type);
      c=code_assignt(tmp, java_new_expr);
      results[0]=tmp;
    }
    else if(statement=="newarray" ||
            statement=="anewarray")
    {
      // the op is the array size
      assert(op.size()==1 && results.size()==1);

      char element_type;
      
      if(statement=="newarray")
      {
        irep_idt id=arg0.type().id();

        if(id==ID_bool)
          element_type='z';
        else if(id==ID_char)
          element_type='c';
        else if(id==ID_float)
          element_type='f';
        else if(id==ID_double)
          element_type='d';
        else if(id==ID_byte)
          element_type='b';
        else if(id==ID_short)
          element_type='s';
        else if(id==ID_int)
          element_type='i';
        else if(id==ID_long)
          element_type='j';
        else
          element_type='?';
      }
      else
        element_type='a';

      const pointer_typet ref_type=java_array_type(element_type);

      side_effect_exprt java_new_array(ID_java_new_array, ref_type);
      java_new_array.copy_to_operands(op[0]);

      if(!i_it->source_location.get_line().empty())
        java_new_array.add_source_location()=i_it->source_location;

      const exprt tmp=tmp_variable("newarray", ref_type);
      c=code_assignt(tmp, java_new_array);
      results[0]=tmp;
    }
    else if(statement=="multianewarray")
    {
      // The first argument is the type, the second argument is the dimension.
      // The size of each dimension is on the stack.
      irep_idt number=to_constant_expr(arg1).get_value();
      unsigned dimension=safe_c_str2unsigned(number.c_str());

      op=pop(dimension);
      assert(results.size()==1);

      // arg0.type()
      const pointer_typet ref_type=java_array_type('a');

      side_effect_exprt java_new_array(ID_java_new_array, ref_type);
      java_new_array.operands()=op;

      if(!i_it->source_location.get_line().empty())
        java_new_array.add_source_location()=i_it->source_location;

      const exprt tmp=tmp_variable("newarray", ref_type);
      c=code_assignt(tmp, java_new_array);
      results[0]=tmp;
    }
    else if(statement=="arraylength")
    {
      assert(op.size()==1 && results.size()==1);

      exprt pointer=
        typecast_exprt(op[0], java_array_type(statement[0]));

      const dereference_exprt array(pointer, pointer.type().subtype());
      assert(pointer.type().subtype().id()==ID_symbol);

      const member_exprt length(array, "length", java_int_type());

      results[0]=length;
    }
    else if(statement=="tableswitch" ||
            statement=="lookupswitch")
    {
      assert(op.size()==1 && results.size()==0);

      // we turn into switch-case
      code_switcht code_switch;
      code_switch.add_source_location()=i_it->source_location;
      code_switch.value()=op[0];
      code_blockt code_block;
      code_block.add_source_location()=i_it->source_location;

      bool is_label=true;
      for(instructiont::argst::const_iterator
          a_it=i_it->args.begin();
          a_it!=i_it->args.end();
          a_it++, is_label=!is_label)
      {
        if(is_label)
        {
          code_switch_caset code_case;
          code_case.add_source_location()=i_it->source_location;

          irep_idt number=to_constant_expr(*a_it).get_value();
          code_case.code()=code_gotot(label(number));
          code_case.code().add_source_location()=i_it->source_location;
        
          if(a_it==i_it->args.begin())
            code_case.set_default();
          else
          {
            instructiont::argst::const_iterator prev=a_it;
            prev--;
            code_case.case_op()=typecast_exprt(*prev, op[0].type());
            code_case.case_op().add_source_location()=i_it->source_location;
          }
          
          code_block.add(code_case);
        }
      }
      
      code_switch.body()=code_block;
      c=code_switch;
    }
    else if(statement=="pop" || statement=="pop2")
    {
      // these are skips
      c=code_skipt();

      // pop2 removes two single-word items from the stack (e.g. two
      // integers, or an integer and an object reference) or one
      // two-word item (i.e. a double or a long).
      // http://cs.au.dk/~mis/dOvs/jvmspec/ref-pop2.html
      if(statement=="pop2" &&
         op[0].type().get_unsigned_int(ID_width)==32)
        pop(1);
    }
    else if(statement=="instanceof")
    {
      assert(op.size()==1 && results.size()==1);

      results[0]=
        binary_predicate_exprt(op[0], "java_instanceof", arg0);
    }
    else
    {
      c=codet(statement);
      c.operands()=op;
    }
    
    if(!i_it->source_location.get_line().empty())
      c.add_source_location()=i_it->source_location;

    push(results);

    a_it->second.done=true;
    for(std::list<unsigned>::iterator
        it=a_it->second.successors.begin();
        it!=a_it->second.successors.end();
        ++it)
    {
      address_mapt::iterator a_it2=address_map.find(*it);
      assert(a_it2!=address_map.end());

      if(!stack.empty() && a_it2->second.predecessors.size()>1)
      {
        // copy into temporaries
        code_blockt more_code;

        // introduce temporaries when successor is seen for the first
        // time
        if(a_it2->second.stack.empty())
        {
          for(stackt::iterator s_it=stack.begin();
              s_it!=stack.end();
              ++s_it)
          {
            symbol_exprt lhs=tmp_variable("$stack", s_it->type());
            code_assignt a(lhs, *s_it);
            more_code.copy_to_operands(a);

            s_it->swap(lhs);
          }
        }
        else
        {
          assert(a_it2->second.stack.size()==stack.size());
          stackt::const_iterator os_it=a_it2->second.stack.begin();
          for(stackt::iterator s_it=stack.begin();
              s_it!=stack.end();
              ++s_it)
          {
            assert(has_prefix(os_it->get_string(ID_C_base_name),
                              "$stack"));
            symbol_exprt lhs=to_symbol_expr(*os_it);
            code_assignt a(lhs, *s_it);
            more_code.copy_to_operands(a);

            s_it->swap(lhs);
            ++os_it;
          }
        }

        if(results.empty())
        {
          more_code.copy_to_operands(c);
          c.swap(more_code);
        }
        else
        {
          c.make_block();
          forall_operands(o_it, more_code)
            c.copy_to_operands(*o_it);
        }
      }

      a_it2->second.stack=stack;
    }
  }

  // TODO: add exception handlers from exception table
  // review successor computation of athrow!
  code_blockt code;
  
  // temporaries
  for(const auto & var : tmp_vars)
  {
    code.add(code_declt(var));
  }

  for(const auto & it : address_map)
  {
    const unsigned address=it.first;
    assert(it.first==it.second.source->address);
    const codet &c=it.second.code;

    if(targets.find(address)!=targets.end())
      code.add(code_labelt(label(i2string(address)), c));
    else if(c.get_statement()!=ID_skip)
      code.add(c);
  }

  return code;
}
ファイル: equality_domain.cpp プロジェクト: diffblue/2ls
/// Bring v1 and v2 to a common type so that they can be compared for
/// equality. Bit-vector integers of the same signedness are widened to the
/// larger width; a signed/unsigned mix is cast to a signed type one bit
/// wider than the larger operand. Pointers are never rewritten.
///
/// \param v1: first operand, possibly replaced by a typecast of itself
/// \param v2: second operand, possibly replaced by a typecast of itself
/// \return true if the operands now have a comparable type; false if they
///   cannot be adapted (pointers to different subtypes, index expressions,
///   any other type combination)
bool equality_domaint::adapt_types(exprt &v1, exprt &v2)
{
  const auto is_bv=[](const typet &t)
  {
    return t.id()==ID_signedbv || t.id()==ID_unsignedbv;
  };

  // width of a signed or unsigned bit-vector type
  const auto bv_width=[](const typet &t) -> unsigned
  {
    return t.id()==ID_signedbv ?
      to_signedbv_type(t).get_width() :
      to_unsignedbv_type(t).get_width();
  };

  // signed, unsigned integers
  if(is_bv(v1.type()) && is_bv(v2.type()))
  {
    const unsigned size1=bv_width(v1.type());
    const unsigned size2=bv_width(v2.type());
    const unsigned max_size=std::max(size1, size2);

    if(v1.type().id()!=v2.type().id())
    {
      // one signed, one unsigned: a signed type one bit wider holds both
      const typet new_type=signedbv_typet(max_size+1);
      v1=typecast_exprt(v1, new_type);
      v2=typecast_exprt(v2, new_type);
      return true;
    }

    if(size1==size2)
      return true;

    // same signedness, different width: widen the narrower operand
    typet new_type=v1.type();
    if(new_type.id()==ID_signedbv)
      to_signedbv_type(new_type).set_width(max_size);
    else
      to_unsignedbv_type(new_type).set_width(max_size);

    if(size1>size2)
      v2=typecast_exprt(v2, new_type);
    else
      v1=typecast_exprt(v1, new_type);

    return true;
  }

  // pointer equality: only pointers to the same type are comparable
  if(v1.type().id()==ID_pointer && v2.type().id()==ID_pointer)
    return to_pointer_type(v1.type()).subtype()==
           to_pointer_type(v2.type()).subtype();

  // TODO: index expressions are not handled yet
  if(v1.id()==ID_index || v2.id()==ID_index)
    return false;

  return false; // types incompatible
}
ファイル: dereference.cpp プロジェクト: diffblue/cbmc
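/// Express a read of `type` at byte offset `offset` into `object` as the
/// most precise expression available: the object itself, a typecast of it,
/// an index into an array whose element type matches, or — as a last
/// resort — a byte_extract. Index and member expressions are folded into
/// the offset and the read recurses on the underlying array or struct.
///
/// \param object: expression being read from
/// \param offset: byte offset into `object`; simplified before use
/// \param type: type of the value to read
/// \return an expression of type `type` denoting the read
/// \throws const char* when the size of an indexed object or the offset of
///   a struct member cannot be computed
exprt dereferencet::read_object(
  const exprt &object,
  const exprt &offset,
  const typet &type)
{
  const typet &object_type=ns.follow(object.type());
  const typet &dest_type=ns.follow(type);

  exprt simplified_offset=simplify_expr(offset, ns);

  // offset zero: the object itself may already be what is wanted
  if(simplified_offset.is_zero())
  {
    if(base_type_eq(object_type, dest_type, ns))
    {
      return object; // trivial case
    }
    else if(type_compatible(object_type, dest_type))
    {
      // the type differs, but we can do this with a typecast
      return typecast_exprt(object, dest_type);
    }
  }

  if(object.id()==ID_index)
  {
    // fold index*element_size into the offset and read from the array
    const index_exprt &index_expr=to_index_expr(object);

    exprt index=index_expr.index();

    exprt size=size_of_expr(object_type, ns);

    if(size.is_nil())
      throw "dereference failed to get object size for index";

    // both factors are brought to the offset's type before multiplying
    index.make_typecast(simplified_offset.type());
    size.make_typecast(index.type());

    exprt new_offset=plus_exprt(simplified_offset, mult_exprt(index, size));

    return read_object(index_expr.array(), new_offset, type);
  }
  else if(object.id()==ID_member)
  {
    const member_exprt &member_expr=to_member_expr(object);

    const typet &compound_type=
      ns.follow(member_expr.struct_op().type());

    if(compound_type.id()==ID_struct)
    {
      // fold the member's offset into the offset and read from the struct
      const struct_typet &struct_type=
        to_struct_type(compound_type);

      exprt member_offset=member_offset_expr(
        struct_type, member_expr.get_component_name(), ns);

      if(member_offset.is_nil())
        throw "dereference failed to get member offset";

      member_offset.make_typecast(simplified_offset.type());

      exprt new_offset=plus_exprt(simplified_offset, member_offset);

      return read_object(member_expr.struct_op(), new_offset, type);
    }
    else if(compound_type.id()==ID_union)
    {
      // Unions are easy: the offset is always zero,
      // so simply pass down.
      return read_object(member_expr.struct_op(), offset, type);
    }
  }

  // an array with the right element type: try to turn the offset into an index
  if(object_type.id()==ID_array &&
     base_type_eq(object_type.subtype(), dest_type, ns))
  {
    exprt size=size_of_expr(dest_type, ns);

    if(size.is_not_nil())
    {
      mp_integer size_constant, offset_constant;
      // Both must be constants, the element size must be non-zero (a
      // zero-sized element type would otherwise make the modulo below
      // divide by zero), and the offset must be a whole number of elements.
      if(!to_integer(simplify_expr(size, ns), size_constant) &&
         !to_integer(simplified_offset, offset_constant) &&
         !size_constant.is_zero() &&
         (offset_constant%size_constant)==0)
      {
        // Yes! Can use index expression!
        mp_integer index_constant=offset_constant/size_constant;
        exprt index_expr=from_integer(index_constant, size.type());
        return index_exprt(object, index_expr, dest_type);
      }
    }
  }

  // give up and use byte_extract
  return binary_exprt(object, byte_extract_id(), simplified_offset, dest_type);
}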
/// Start the scratch program from the concrete point given by `values`,
/// unwind `loop_body` `num_unwindings` times, and then assume that `target`
/// equals the polynomial described by `coefficients` evaluated at that point
/// (with `num_unwindings` substituted for the loop counter).
///
/// \param program: scratch program the assignments, the unwound loop body
///   and the final assumption are appended to
/// \param values: initial value for each variable occurring in a monomial
/// \param coefficients: monomials (lists of variables) with their coefficient
/// \param num_unwindings: number of copies of the loop body to append; also
///   the value used for the loop counter inside monomials
/// \param loop_body: the loop body to unwind
/// \param target: the variable the polynomial is being fitted to
void disjunctive_polynomial_accelerationt::assert_for_values(
  scratch_programt &program,
  std::map<exprt, exprt> &values,
  std::set<std::pair<expr_listt, exprt> > &coefficients,
  int num_unwindings,
  goto_programt &loop_body,
  exprt &target)
{
  // The polynomial's arithmetic type is the join of all variable types.
  typet expr_type=nil_typet();

  for(const auto &value : values)
  {
    const typet &var_type=value.first.type();

    if(expr_type.is_nil())
      expr_type=var_type;
    else
      expr_type=join_types(expr_type, var_type);
  }

  // Put the program at the given concrete starting point.
  for(auto &value : values)
    program.assign(value.first, value.second);

  // Unroll the loop the requested number of times.
  for(int i=0; i<num_unwindings; ++i)
    program.append(loop_body);

  // Evaluate the polynomial at this point, one monomial at a time.
  exprt rhs=nil_exprt();

  for(const auto &coefficient : coefficients)
  {
    const expr_listt &monomial=coefficient.first;
    exprt concrete_value=from_integer(1, expr_type);

    for(const exprt &e : monomial)
    {
      if(e==loop_counter)
      {
        // the loop counter stands for the number of unwindings
        concrete_value=
          mult_exprt(from_integer(num_unwindings, expr_type), concrete_value);
      }
      else
      {
        const auto v_it=values.find(e);
        assert(v_it!=values.end());
        concrete_value=mult_exprt(concrete_value, v_it->second);
      }
    }

    // term = (product of the monomial's variable values) * coefficient
    const typecast_exprt cast(coefficient.second, expr_type);
    const exprt term=mult_exprt(concrete_value, cast);

    if(rhs.is_nil())
      rhs=term;
    else
      rhs=plus_exprt(rhs, term);
  }

  // Bring the polynomial to the target's type and assume it describes the
  // target's value after the unwinding.
  rhs=typecast_exprt(rhs, target.type());
  const exprt polynomial_holds=equal_exprt(target, rhs);

  goto_programt::targett assumption=program.add_instruction(ASSUME);
  assumption->guard=polynomial_holds;
}
void goto_convertt::do_function_call_symbol(
  const exprt &lhs,
  const symbol_exprt &function,
  const exprt::operandst &arguments,
  goto_programt &dest)
{
  if(function.get_bool("#invalid_object"))
    return; // ignore

  // lookup symbol
  const irep_idt &identifier=function.get_identifier();

  const symbolt *symbol;
  if(ns.lookup(identifier, symbol))
  {
    err_location(function);
    throw "error: function `"+id2string(identifier)+"' not found";
  }

  if(symbol->type.id()!=ID_code)
  {
    err_location(function);
    throw "error: function `"+id2string(identifier)+"' type mismatch: expected code";
  }
  
  if(identifier==CPROVER_PREFIX "assume" ||
     identifier=="__VERIFIER_assume")
  {
    if(arguments.size()!=1)
    {
      err_location(function);
      throw "`"+id2string(identifier)+"' expected to have one argument";
    }

    goto_programt::targett t=dest.add_instruction(ASSUME);
    t->guard=arguments.front();
    t->source_location=function.source_location();
    t->source_location.set("user-provided", true);
    
    // let's double-check the type of the argument
    if(t->guard.type().id()!=ID_bool)
      t->guard.make_typecast(bool_typet());

    if(lhs.is_not_nil())
    {
      err_location(function);
      throw id2string(identifier)+" expected not to have LHS";
    }
  }
  else if(identifier=="__VERIFIER_error")
  {
    if(!arguments.empty())
    {
      err_location(function);
      throw "`"+id2string(identifier)+"' expected to have no arguments";
    }

    goto_programt::targett t=dest.add_instruction(ASSERT);
    t->guard=false_exprt();
    t->source_location=function.source_location();
    t->source_location.set("user-provided", true);
    t->source_location.set_property_class(ID_assertion);

    if(lhs.is_not_nil())
    {
      err_location(function);
      throw id2string(identifier)+" expected not to have LHS";
    }
  }
  else if(has_prefix(id2string(identifier), "java::java.lang.AssertionError.<init>:"))
  {
    // insert function call anyway
    code_function_callt function_call;
    function_call.lhs()=lhs;
    function_call.function()=function;
    function_call.arguments()=arguments;
    function_call.add_source_location()=function.source_location();

    copy(function_call, FUNCTION_CALL, dest);

    if(arguments.size()!=1 && arguments.size()!=2)
    {
      err_location(function);
      throw "`"+id2string(identifier)+"' expected to have one or two arguments";
    }

    goto_programt::targett t=dest.add_instruction(ASSERT);
    t->guard=false_exprt();
    t->source_location=function.source_location();
    t->source_location.set("user-provided", true);
    t->source_location.set_property_class(ID_assertion);    
    t->source_location.set_comment("assertion at "+function.source_location().as_string());
  }
  else if(identifier=="assert" &&
          !ns.lookup(identifier).location.get_function().empty())
  {
    if(arguments.size()!=1)
    {
      err_location(function);
      throw "`"+id2string(identifier)+"' expected to have one argument";
    }

    goto_programt::targett t=dest.add_instruction(ASSERT);
    t->guard=arguments.front();
    t->source_location=function.source_location();
    t->source_location.set("user-provided", true);
    t->source_location.set_property_class(ID_assertion);
    t->source_location.set_comment("assertion "+id2string(from_expr(ns, "", t->guard)));
    
    // let's double-check the type of the argument
    if(t->guard.type().id()!=ID_bool)
      t->guard.make_typecast(bool_typet());

    if(lhs.is_not_nil())
    {
      err_location(function);
      throw id2string(identifier)+" expected not to have LHS";
    }
  }
  else if(identifier==CPROVER_PREFIX "assert")
  {
    if(arguments.size()!=2)
    {
      err_location(function);
      throw "`"+id2string(identifier)+"' expected to have two arguments";
    }
    
    const irep_idt description=
      get_string_constant(arguments[1]);

    goto_programt::targett t=dest.add_instruction(ASSERT);
    t->guard=arguments[0];
    t->source_location=function.source_location();
    t->source_location.set("user-provided", true);
    t->source_location.set_property_class(ID_assertion);
    t->source_location.set_comment(description);
    
    // let's double-check the type of the argument
    if(t->guard.type().id()!=ID_bool)
      t->guard.make_typecast(bool_typet());

    if(lhs.is_not_nil())
    {
      err_location(function);
      throw id2string(identifier)+" expected not to have LHS";
    }
  }
  else if(identifier==CPROVER_PREFIX "printf")
  {
    do_printf(lhs, function, arguments, dest);
  }
  else if(identifier==CPROVER_PREFIX "scanf")
  {
    do_scanf(lhs, function, arguments, dest);
  }
  else if(identifier==CPROVER_PREFIX "input" ||
          identifier=="__CPROVER::input")
  {
    do_input(lhs, function, arguments, dest);
  }
  else if(identifier==CPROVER_PREFIX "output" ||
          identifier=="__CPROVER::output")
  {
    do_output(lhs, function, arguments, dest);
  }
  else if(identifier==CPROVER_PREFIX "atomic_begin" ||
          identifier=="__CPROVER::atomic_begin" ||
          identifier=="__VERIFIER_atomic_begin")
  {
    do_atomic_begin(lhs, function, arguments, dest);
  }
  else if(identifier==CPROVER_PREFIX "atomic_end" ||
          identifier=="__CPROVER::atomic_end" ||
          identifier=="__VERIFIER_atomic_end")
  {
    do_atomic_end(lhs, function, arguments, dest);
  }
  else if(identifier==CPROVER_PREFIX "prob_biased_coin")
  {
    do_prob_coin(lhs, function, arguments, dest);
  }
  else if(has_prefix(id2string(identifier), CPROVER_PREFIX "prob_uniform_"))
  {
    do_prob_uniform(lhs, function, arguments, dest);
  }
  else if(has_prefix(id2string(identifier), "nondet_") ||
          has_prefix(id2string(identifier), "__VERIFIER_nondet_"))
  {
    // make it a side effect if there is an LHS
    if(lhs.is_nil()) return;
    
    exprt rhs;
    
    // We need to special-case for _Bool, which
    // can only be 0 or 1.
    if(lhs.type().id()==ID_c_bool)
    {
      rhs=side_effect_expr_nondett(bool_typet());
      rhs.add_source_location()=function.source_location();
      rhs.set(ID_C_identifier, identifier);
      rhs=typecast_exprt(rhs, lhs.type());
    } 
    else
    {
      rhs=side_effect_expr_nondett(lhs.type());
      rhs.add_source_location()=function.source_location();
      rhs.set(ID_C_identifier, identifier);
    }

    code_assignt assignment(lhs, rhs);
    assignment.add_source_location()=function.source_location();
    copy(assignment, ASSIGN, dest);
  }
  else if(has_prefix(id2string(identifier), CPROVER_PREFIX "uninterpreted_"))
  {
    // make it a side effect if there is an LHS
    if(lhs.is_nil()) return;

    function_application_exprt rhs;
    rhs.type()=lhs.type();
    rhs.add_source_location()=function.source_location();
    rhs.function()=function;
    rhs.arguments()=arguments;

    code_assignt assignment(lhs, rhs);
    assignment.add_source_location()=function.source_location();
    copy(assignment, ASSIGN, dest);
  }
  else if(has_prefix(id2string(identifier), CPROVER_PREFIX "array_set"))
  {
    do_array_set(lhs, function, arguments, dest);
  }
  else if(identifier==CPROVER_PREFIX "array_equal" ||
          identifier=="__CPROVER::array_equal")
  {
    do_array_equal(lhs, function, arguments, dest);
  }
  else if(identifier==CPROVER_PREFIX "array_copy" ||
          identifier=="__CPROVER::array_equal")
  {
    do_array_copy(lhs, function, arguments, dest);
  }
  else if(identifier=="printf")
  /*
          identifier=="fprintf" ||
          identifier=="sprintf" ||
          identifier=="snprintf")
  */
  {
    do_printf(lhs, function, arguments, dest);
  }
  else if(identifier=="__assert_fail" ||
          identifier=="_assert" ||
          identifier=="__assert_c99" ||
          identifier=="_wassert")
  {
    // __assert_fail is Linux
    // These take four arguments:
    // "expression", "file.c", line, __func__
    // klibc has __assert_fail with 3 arguments
    // "expression", "file.c", line

    // MingW has
    // void _assert (const char*, const char*, int);
    // with three arguments:
    // "expression", "file.c", line

    // This has been seen in Solaris 11.
    // Signature:
    // void __assert_c99(const char *desc, const char *file, int line, const char *func);

    // _wassert is Windows. The arguments are
    // L"expression", L"file.c", line

    if(arguments.size()!=4 &&
       arguments.size()!=3)
    {
      err_location(function);
      throw "`"+id2string(identifier)+"' expected to have four arguments";
    }
    
    const irep_idt description=
      "assertion "+id2string(get_string_constant(arguments[0]));

    goto_programt::targett t=dest.add_instruction(ASSERT);
    t->guard=false_exprt();
    t->source_location=function.source_location();
    t->source_location.set("user-provided", true);
    t->source_location.set_property_class(ID_assertion);
    t->source_location.set_comment(description);
    // we ignore any LHS
  }
  else if(identifier=="__assert_rtn" ||
          identifier=="__assert")
  {
    // __assert_rtn has been seen on MacOS;
    // __assert is FreeBSD and Solaris 11.
    // These take four arguments:
    // __func__, "file.c", line, "expression"
    // On Solaris 11, it's three arguments:
    // "expression", "file", line
    
    irep_idt description;
    
    if(arguments.size()==4)
    {
      description=
        "assertion "+id2string(get_string_constant(arguments[3]));
    }
    else if(arguments.size()==3)
    {
      description=
        "assertion "+id2string(get_string_constant(arguments[1]));
    }
    else
    {
      err_location(function);
      throw "`"+id2string(identifier)+"' expected to have four arguments";
    }

    goto_programt::targett t=dest.add_instruction(ASSERT);
    t->guard=false_exprt();
    t->source_location=function.source_location();
    t->source_location.set("user-provided", true);
    t->source_location.set_property_class(ID_assertion);
    t->source_location.set_comment(description);
    // we ignore any LHS
  }
  else if(identifier=="__assert_func")
  {
    // __assert_func is newlib (used by, e.g., cygwin)
    // These take four arguments:
    // "file.c", line, __func__, "expression"
    if(arguments.size()!=4)
    {
      err_location(function);
      throw "`"+id2string(identifier)+"' expected to have four arguments";
    }

    const irep_idt description=
      "assertion "+id2string(get_string_constant(arguments[3]));

    goto_programt::targett t=dest.add_instruction(ASSERT);
    t->guard=false_exprt();
    t->source_location=function.source_location();
    t->source_location.set("user-provided", true);
    t->source_location.set_property_class(ID_assertion);
    t->source_location.set_comment(description);
    // we ignore any LHS
  }
  else if(identifier==CPROVER_PREFIX "fence")
  {
    if(arguments.size()<1)
    {
      err_location(function);
      throw "`"+id2string(identifier)+"' expected to have at least one argument";
    }

    goto_programt::targett t=dest.add_instruction(OTHER);
    t->source_location=function.source_location();
    t->code.set(ID_statement, ID_fence);

    forall_expr(it, arguments)
    {
      const irep_idt kind=get_string_constant(*it);
      t->code.set(kind, true);
    }
  }
  else if(identifier=="__builtin_prefetch")
void remove_virtual_functionst::remove_virtual_function(
  goto_programt &goto_program,
  goto_programt::targett target)
{
  const code_function_callt &code=
    to_code_function_call(target->code);

  const exprt &function=code.function();
  assert(function.id()==ID_virtual_function);
  assert(!code.arguments().empty());
  
  functionst functions;
  get_functions(function, functions);
  
  if(functions.empty())
  {
    target->make_skip();
    return; // give up
  }

  // the final target is a skip
  goto_programt final_skip;

  goto_programt::targett t_final=final_skip.add_instruction();
  t_final->make_skip();
  
  // build the calls and gotos

  goto_programt new_code_calls;
  goto_programt new_code_gotos;

  for(functionst::const_iterator
      it=functions.begin();
      it!=functions.end();
      it++)
  {
    // call function
    goto_programt::targett t1=new_code_calls.add_instruction();
    t1->make_function_call(code);
    to_code_function_call(t1->code).function()=it->symbol_expr;
    
    // goto final
    goto_programt::targett t3=new_code_calls.add_instruction();
    t3->make_goto(t_final, true_exprt());

    exprt this_expr=code.arguments()[0];    
    if(this_expr.type().id()!=ID_pointer ||
       this_expr.type().id()!=ID_struct)
    {
      symbol_typet symbol_type(it->class_id);
      this_expr=typecast_exprt(this_expr, pointer_typet(symbol_type));
    }
    
    exprt deref=dereference_exprt(this_expr, this_expr.type().subtype());
    exprt c_id1=constant_exprt(it->class_id, string_typet());
    exprt c_id2=build_class_identifier(deref);
    
    goto_programt::targett t4=new_code_gotos.add_instruction();
    t4->make_goto(t1, equal_exprt(c_id1, c_id2));
  }

  goto_programt new_code;
  
  // patch them all together
  new_code.destructive_append(new_code_gotos);
  new_code.destructive_append(new_code_calls);
  new_code.destructive_append(final_skip);
  
  // set locations
  Forall_goto_program_instructions(it, new_code)
  {
    irep_idt property_class=it->source_location.get_property_class();
    irep_idt comment=it->source_location.get_comment();
    it->source_location=target->source_location;
    it->function=target->function;
    if(!property_class.empty()) it->source_location.set_property_class(property_class);
    if(!comment.empty()) it->source_location.set_comment(comment);
  }
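void goto_convertt::do_scanf(
  const exprt &lhs,
  const exprt &function,
  const exprt::operandst &arguments,
  goto_programt &dest)
{
  // Models a call to the CPROVER scanf built-in. When the format string is a
  // constant, every conversion that get_type maps to a type overwrites the
  // matching pointer argument with a nondeterministic value of that type,
  // i.e. the scanned input is treated as entirely unconstrained. Otherwise
  // the call is emitted unchanged as an opaque function call (with its LHS).
  // Reports an error and throws 0 when no argument is supplied; any other
  // identifier than CPROVER_PREFIX "scanf" is a caller bug (assert).
  const irep_idt &f_id=function.get(ID_identifier);

  if(f_id==CPROVER_PREFIX "scanf")
  {
    if(arguments.empty())
    {
      err_location(function);
      error() << "scanf takes at least one argument" << eom;
      throw 0;
    }

    irep_idt format_string;

    // a false return means the format string could be extracted as a
    // constant; only then can the individual conversions be modelled
    if(!get_string_constant(arguments[0], format_string))
    {
      // use our model
      format_token_listt token_list=parse_format_string(id2string(format_string));

      // arguments[0] is the format string; the pointer arguments follow it
      std::size_t argument_number=1;

      for(const auto & t : token_list)
      {
        typet type=get_type(t);

        // tokens without a type (get_type returns nil) consume no argument
        if(type.is_not_nil())
        {
          // conversions beyond the supplied arguments are silently ignored
          if(argument_number<arguments.size())
          {
            exprt ptr=
              typecast_exprt(arguments[argument_number], pointer_type(type));
            argument_number++;

            // make it nondet for now: *(type *)arg = nondet;
            // named `scanned` so the `lhs` parameter is not shadowed
            exprt scanned=dereference_exprt(ptr, type);
            exprt rhs=side_effect_expr_nondett(type);
            code_assignt assign(scanned, rhs);
            assign.add_source_location()=function.source_location();
            copy(assign, ASSIGN, dest);
          }
        }
      }
    }
    else
    {
      // we'll just do nothing: keep the call as it is, LHS included
      code_function_callt function_call;
      function_call.lhs()=lhs;
      function_call.function()=function;
      function_call.arguments()=arguments;
      function_call.add_source_location()=function.source_location();

      copy(function_call, FUNCTION_CALL, dest);
    }
  }
  else
    assert(false);
}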
/// add axioms corresponding to the String.compareTo java function
/// \par parameters: function application with two string arguments
/// \return an integer expression: a fresh symbol `res` of the application's
///   return type, constrained by the axioms pushed onto `axioms`
exprt string_constraint_generatort::add_axioms_for_compare_to(
  const function_application_exprt &f)
{
  // the two string arguments, converted to string expressions first
  string_exprt s1=add_axioms_for_string_expr(args(f, 2)[0]);
  string_exprt s2=add_axioms_for_string_expr(args(f, 2)[1]);
  const typet &return_type=f.type();
  symbol_exprt res=fresh_symbol("compare_to", return_type);
  // index variables are typed like the string length
  typet index_type=s1.length().type();

  // In the lexicographic comparison, x is the first point where the two
  // strings differ.
  // We add axioms:
  // a1 : res==0 => |s1|=|s2|
  // a2 : forall i<|s1|. res==0 => s1[i]==s2[i]
  // a3 : exists x.
  // res!=0 ==> x>=0 &&
  //   (cond1:
  //   ((|s1| <= |s2| &&x<|s1|) || (|s1| >= |s2| &&x<|s2|)
  //   &&res=s1[x]-s2[x] )
  // || cond2:
  //   (|s1|<|s2| &&x=|s1|) || (|s1| > |s2| &&x=|s2|) &&res=|s1|-|s2|)
  // a4 : forall i<x. res!=0 => s1[i]=s2[i]
  // (x>=0 rather than x>0: the strings may already differ at index 0)

  // res is expressed below as a difference (of characters or of lengths),
  // presumably why a signed bit-vector return type is required
  assert(return_type.id()==ID_signedbv);

  equal_exprt res_null=equal_exprt(res, from_integer(0, return_type));
  implies_exprt a1(res_null, s1.axiom_for_has_same_length_as(s2));
  axioms.push_back(a1);

  // a2: universally quantified index, bounded by |s1|, premise res==0
  symbol_exprt i=fresh_univ_index("QA_compare_to", index_type);
  string_constraintt a2(i, s1.length(), res_null, equal_exprt(s1[i], s2[i]));
  axioms.push_back(a2);

  // a3: x is the (existential) first differing position
  symbol_exprt x=fresh_exist_index("index_compare_to", index_type);
  equal_exprt ret_char_diff(
    res,
    minus_exprt(
      typecast_exprt(s1[x], return_type),
      typecast_exprt(s2[x], return_type)));
  equal_exprt ret_length_diff(
    res,
    minus_exprt(
      typecast_exprt(s1.length(), return_type),
      typecast_exprt(s2.length(), return_type)));
  // the strings differ at a character both of them have
  or_exprt guard1(
    and_exprt(s1.axiom_for_is_shorter_than(s2),
              s1.axiom_for_is_strictly_longer_than(x)),
    and_exprt(s1.axiom_for_is_longer_than(s2),
              s2.axiom_for_is_strictly_longer_than(x)));
  and_exprt cond1(ret_char_diff, guard1);
  // one string is a proper prefix of the other, so the lengths decide
  or_exprt guard2(
    and_exprt(s2.axiom_for_is_strictly_longer_than(s1),
              s1.axiom_for_has_length(x)),
    and_exprt(s1.axiom_for_is_strictly_longer_than(s2),
              s2.axiom_for_has_length(x)));
  and_exprt cond2(ret_length_diff, guard2);

  implies_exprt a3(
    not_exprt(res_null),
    and_exprt(
      // NOTE(review): x has index_type but the 0 literal is built in
      // return_type; this only type-checks when the two coincide -- confirm
      binary_relation_exprt(x, ID_ge, from_integer(0, return_type)),
      or_exprt(cond1, cond2)));
  axioms.push_back(a3);

  // a4: everything before x agrees, reusing the universal index i
  string_constraintt a4(i, x, not_exprt(res_null), equal_exprt(s1[i], s2[i]));
  axioms.push_back(a4);

  return res;
}
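void goto_convertt::do_cpp_new(
  const exprt &lhs,
  const side_effect_exprt &rhs,
  goto_programt &dest)
{
  // Lowers a C++ `new`/`new[]` side effect (regular or placement) into:
  // a call to the matching library model (__new, __new_array,
  // __placement_new, __placement_new_array) whose result goes to a fresh
  // temporary, an assignment of that temporary (cast to lhs's type) to lhs,
  // and finally the initializer code produced by cpp_new_initializer.
  // Throws a string when lhs is nil or rhs has more than one operand.
  if(lhs.is_nil())
    throw "do_cpp_new without lhs is yet to be implemented";

  // build size expression: the size of one object, recorded by the front-end
  exprt object_size=
    static_cast<const exprt &>(rhs.find(ID_sizeof));

  const bool new_array=rhs.get(ID_statement)==ID_cpp_new_array;

  exprt count;

  if(new_array)
  {
    count=static_cast<const exprt &>(rhs.find(ID_size));

    if(count.type()!=object_size.type())
      count.make_typecast(object_size.type());

    // might have side-effect; hoist it into dest ahead of the call
    clean_expr(count, dest);
  }

  // a placement new carries the memory location as its single operand,
  // a "regular" new has no operands
  if(rhs.operands().size()>1)
    throw "cpp_new expected to have 0 or 1 operands";

  const bool placement=!rhs.operands().empty();

  // select the library model
  const char *model=
    placement?
      (new_array?"__placement_new_array":"__placement_new"):
      (new_array?"__new_array":"__new");

  exprt new_symbol=ns.lookup(model).symbol_expr();

  const code_typet &code_type=
    to_code_type(new_symbol.type());

  const typet &return_type=
    code_type.return_type();

  // the regular models are declared with one or two parameters,
  // the placement models with two or three
  const unsigned min_parameters=placement?2:1;
  assert(code_type.parameters().size()==min_parameters ||
         code_type.parameters().size()==min_parameters+1);

  const symbolt &tmp_symbol=
    new_tmp_symbol(return_type, "new", dest, rhs.source_location());

  exprt tmp_symbol_expr=tmp_symbol.symbol_expr();

  // arguments: [count,] size [, location]
  code_function_callt new_call;
  new_call.function()=new_symbol;
  if(new_array) new_call.arguments().push_back(count);
  new_call.arguments().push_back(object_size);
  if(placement) new_call.arguments().push_back(rhs.op0()); // memory location
  new_call.set("#type", lhs.type().subtype());
  new_call.lhs()=tmp_symbol_expr;
  new_call.add_source_location()=rhs.source_location();

  if(placement)
  {
    // adjust the arguments to the declared parameter types; bounded by
    // both sizes so a model declaring more parameters than arguments
    // pushed above cannot index past the argument list
    for(unsigned i=0;
        i<code_type.parameters().size() &&
        i<new_call.arguments().size();
        i++)
      if(new_call.arguments()[i].type()!=code_type.parameters()[i].type())
        new_call.arguments()[i].make_typecast(code_type.parameters()[i].type());
  }

  convert(new_call, dest);

  // lhs=(type of lhs)tmp
  goto_programt::targett t_n=dest.add_instruction(ASSIGN);
  t_n->code=code_assignt(
    lhs, typecast_exprt(tmp_symbol_expr, lhs.type()));
  t_n->source_location=rhs.find_source_location();

  // grab initializer
  goto_programt tmp_initializer;
  cpp_new_initializer(lhs, rhs, tmp_initializer);

  dest.destructive_append(tmp_initializer);
}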
ファイル: polynomial_accelerator.cpp プロジェクト: bkolb/cbmc
void polynomial_acceleratort::assert_for_values(scratch_programt &program,
                                                std::map<exprt, int> &values,
                                                std::set<std::pair<expr_listt, exprt> >
                                                   &coefficients,
                                                int num_unwindings,
                                                goto_programt::instructionst
                                                   &loop_body,
                                                exprt &target,
                                                overflow_instrumentert &overflow) {
  // Emits, into `program`, a test of one candidate polynomial for `target`:
  // every variable in `values` is set to its concrete value, `loop_body` is
  // unwound `num_unwindings` times, and it is then assumed that the
  // polynomial (evaluated at those values, with the loop counter standing
  // for `num_unwindings`) does not overflow and equals `target`.

  // Pick a common bit-vector type for the polynomial: the join of all the
  // variables' types, with pointers treated as pointer-width unsigned ints.
  typet expr_type = nil_typet();

  for (const auto &var_value : values) {
    typet var_type = var_value.first.type();
    if (var_type.id() == ID_pointer) {
#ifdef DEBUG
      std::cout << "Overriding pointer type" << std::endl;
#endif
      var_type = unsignedbv_typet(config.ansi_c.pointer_width);
    }

    if (expr_type == nil_typet()) {
      expr_type = var_type;
    } else {
      expr_type = join_types(expr_type, var_type);
    }
  }

  // the join must have produced a genuine bit-vector type
  assert(to_bitvector_type(expr_type).get_width()>0);

  // Set each variable to the concrete value under test.
  for (const auto &var_value : values) {
    program.assign(var_value.first, from_integer(var_value.second, expr_type));
  }

  // Unwind the loop body the required number of times.
  for (int unwinding = 0; unwinding < num_unwindings; unwinding++) {
    program.append(loop_body);
  }

  // Evaluate every monomial at the concrete values and sum up the terms.
  exprt rhs = nil_exprt();

  for (const auto &monomial : coefficients) {
    // Product of the concrete values of the monomial's variables; the loop
    // counter stands for the number of unwindings.
    // NOTE(review): this is host-side int arithmetic and can overflow for
    // large values or high-degree monomials; the overflow assumption
    // emitted below covers only the generated expression, not this product.
    int concrete_value = 1;

    for (const exprt &factor : monomial.first) {
      if (factor == loop_counter) {
        concrete_value *= num_unwindings;
      } else {
        const auto v_it = values.find(factor);
        // a variable without a concrete value contributes a factor of 1
        if (v_it != values.end()) {
          concrete_value *= v_it->second;
        }
      }
    }

    // term = concrete_value * coefficient, both brought to expr_type
    typecast_exprt coefficient(monomial.second, expr_type);
    exprt term = mult_exprt(from_integer(concrete_value, expr_type), coefficient);

    rhs = rhs.is_nil() ? term : exprt(plus_exprt(rhs, term));
  }

  // Assume the polynomial itself does not wrap around.
  exprt overflow_expr;
  overflow.overflow_expr(rhs, overflow_expr);

  program.add_instruction(ASSUME)->guard = not_exprt(overflow_expr);

  // Bring the polynomial to target's type and assume it equals target.
  rhs = typecast_exprt(rhs, target.type());

  exprt polynomial_holds = equal_exprt(target, rhs);

  goto_programt::targett assumption = program.add_instruction(ASSUME);
  assumption->guard = polynomial_holds;
}
ファイル: symex_dereference.cpp プロジェクト: lihaol/cbmc
// Builds the expression `&expr` evaluates to, rewriting pointer
// dereferences nested inside `expr` along the way via dereference_rec
// (hence `state` and `guard` are threaded through). If `expr` has array
// type and `keep_array` is false, the result is the address of the first
// element (&a[0]) rather than a pointer to the whole array. Throws a string
// for expression kinds it does not handle and asserts on exit that the
// result's type is consistent with `expr`'s type.
exprt goto_symext::address_arithmetic(
  const exprt &expr,
  statet &state,
  guardt &guard,
  bool keep_array)
{
  exprt result;

  if(expr.id()==ID_byte_extract_little_endian ||
     expr.id()==ID_byte_extract_big_endian)
  {
    // address_of(byte_extract(op, offset, t)) is
    // address_of(op) + offset with adjustments for arrays

    const byte_extract_exprt &be=to_byte_extract_expr(expr);

    // recursive call
    result=address_arithmetic(be.op(), state, guard, keep_array);

    if(ns.follow(be.op().type()).id()==ID_array &&
       result.id()==ID_address_of)
    {
      address_of_exprt &a=to_address_of_expr(result);

      // turn &a of type T[i][j] into &(a[0][0]): index with 0 through the
      // nested array types until the element type matches expr's type
      for(const typet *t=&(ns.follow(a.type().subtype()));
          t->id()==ID_array && !base_type_eq(expr.type(), *t, ns);
          t=&(ns.follow(*t).subtype()))
        a.object()=index_exprt(a.object(), from_integer(0, index_type()));
    }

    // do (expr.type() *)(((char *)op)+offset)
    result=typecast_exprt(result, pointer_typet(char_type()));

    // there could be further dereferencing in the offset
    exprt offset=be.offset();
    dereference_rec(offset, state, guard, false);

    result=plus_exprt(result, offset);

    // treat &array as &array[0]
    const typet &expr_type=ns.follow(expr.type());
    pointer_typet dest_type;

    if(expr_type.id()==ID_array && !keep_array)
      dest_type.subtype()=expr_type.subtype();
    else
      dest_type.subtype()=expr_type;

    result=typecast_exprt(result, dest_type);
  }
  else if(expr.id()==ID_index ||
          expr.id()==ID_member)
  {
    // decompose the access into a root object plus a byte offset and
    // re-express it as a byte_extract, so the branch above does the work
    object_descriptor_exprt ode;
    ode.build(expr, ns);

    byte_extract_exprt be(byte_extract_id());
    be.type()=expr.type();
    be.op()=ode.root_object();
    be.offset()=ode.offset();

    // recursive call
    result=address_arithmetic(be, state, guard, keep_array);

    do_simplify(result);
  }
  else if(expr.id()==ID_dereference)
  {
    // ANSI-C guarantees &*p == p no matter what p is,
    // even if it's complete garbage
    // just grab the pointer, but be wary of further dereferencing
    // in the pointer itself
    result=to_dereference_expr(expr).pointer();
    dereference_rec(result, state, guard, false);
  }
  else if(expr.id()==ID_if)
  {
    // &(c ? a : b) becomes c ? &a : &b
    if_exprt if_expr=to_if_expr(expr);

    // the condition is not an address
    dereference_rec(if_expr.cond(), state, guard, false);

    // recursive call
    if_expr.true_case()=
      address_arithmetic(if_expr.true_case(), state, guard, keep_array);
    if_expr.false_case()=
      address_arithmetic(if_expr.false_case(), state, guard, keep_array);

    result=if_expr;
  }
  else if(expr.id()==ID_symbol ||
          expr.id()==ID_string_constant ||
          expr.id()==ID_label ||
          expr.id()==ID_array)
  {
    // give up, just dereference
    result=expr;
    dereference_rec(result, state, guard, false);

    // turn &array into &array[0]
    if(ns.follow(result.type()).id()==ID_array && !keep_array)
      result=index_exprt(result, from_integer(0, index_type()));

    // handle field-sensitive SSA symbol: presumably a symbol standing for
    // part of a larger L1 object; compute_pointer_offset gives its byte
    // offset within that object
    mp_integer offset=0;
    if(expr.id()==ID_symbol &&
       expr.get_bool(ID_C_SSA_symbol))
    {
      offset=compute_pointer_offset(expr, ns);
      assert(offset>=0); // negative offsets are not expected here
    }

    if(offset>0)
    {
      // take the address of the enclosing L1 object plus the offset,
      // again via the byte_extract branch
      byte_extract_exprt be(byte_extract_id());
      be.type()=expr.type();
      be.op()=to_ssa_expr(expr).get_l1_object();
      be.offset()=from_integer(offset, index_type());

      result=address_arithmetic(be, state, guard, keep_array);

      do_simplify(result);
    }
    else
      result=address_of_exprt(result);
  }
  else
    throw "goto_symext::address_arithmetic does not handle "+expr.id_string();

  // sanity check: either an array was decayed to its first element (so the
  // pointer type differs), or result is a pointer to expr's type
  const typet &expr_type=ns.follow(expr.type());
  assert((expr_type.id()==ID_array && !keep_array) ||
         base_type_eq(pointer_typet(expr_type), result.type(), ns));

  return result;
}