void goto_convertt::do_array_equal(
const exprt &lhs,
const exprt &function,
const exprt::operandst &arguments,
goto_programt &dest)
{
if(arguments.size()!=2)
{
err_location(function);
throw "array_equal expects two arguments";
}
const typet &arg0_type=ns.follow(arguments[0].type());
const typet &arg1_type=ns.follow(arguments[1].type());
if(arg0_type.id()!=ID_pointer ||
arg1_type.id()!=ID_pointer)
{
err_location(function);
throw "array_equal expects pointer arguments";
}
if(lhs.is_not_nil())
{
code_assignt assignment;
// add dereferencing here
dereference_exprt lhs_array, rhs_array;
lhs_array.op0()=arguments[0];
rhs_array.op0()=arguments[1];
lhs_array.type()=arg0_type.subtype();
rhs_array.type()=arg1_type.subtype();
assignment.lhs()=lhs;
assignment.rhs()=binary_exprt(
lhs_array, ID_array_equal, rhs_array, lhs.type());
convert(assignment, dest);
}
}
bool simplify_exprt::simplify_floatbv_typecast(exprt &expr)
{
// These casts usually reduce precision, and thus, usually round.
assert(expr.operands().size()==2);
const typet &dest_type=ns.follow(expr.type());
const typet &src_type=ns.follow(expr.op0().type());
// eliminate redundant casts
if(dest_type==src_type)
{
expr=expr.op0();
return false;
}
exprt op0=expr.op0();
exprt op1=expr.op1(); // rounding mode
// We can soundly re-write (float)((double)x op (double)y)
// to x op y. True for any rounding mode!
#if 0
if(op0.id()==ID_floatbv_div ||
op0.id()==ID_floatbv_mult ||
op0.id()==ID_floatbv_plus ||
op0.id()==ID_floatbv_minus)
{
if(op0.operands().size()==3 &&
op0.op0().id()==ID_typecast &&
op0.op1().id()==ID_typecast &&
op0.op0().operands().size()==1 &&
op0.op1().operands().size()==1 &&
ns.follow(op0.op0().type())==dest_type &&
ns.follow(op0.op1().type())==dest_type)
{
exprt result(op0.id(), expr.type());
result.operands().resize(3);
result.op0()=op0.op0().op0();
result.op1()=op0.op1().op0();
result.op2()=op1;
simplify_node(result);
expr.swap(result);
return false;
}
}
#endif
// constant folding
if(op0.is_constant() && op1.is_constant())
{
mp_integer rounding_mode;
if(!to_integer(op1, rounding_mode))
{
if(src_type.id()==ID_floatbv)
{
if(dest_type.id()==ID_floatbv) // float to float
{
ieee_floatt result(to_constant_expr(op0));
result.rounding_mode=(ieee_floatt::rounding_modet)integer2size_t(rounding_mode);
result.change_spec(to_floatbv_type(dest_type));
expr=result.to_expr();
return false;
}
else if(dest_type.id()==ID_signedbv ||
dest_type.id()==ID_unsignedbv)
{
if(rounding_mode==ieee_floatt::ROUND_TO_ZERO)
{
ieee_floatt result(to_constant_expr(op0));
result.rounding_mode=(ieee_floatt::rounding_modet)integer2size_t(rounding_mode);
mp_integer value=result.to_integer();
expr=from_integer(value, dest_type);
return false;
}
}
}
else if(src_type.id()==ID_signedbv ||
src_type.id()==ID_unsignedbv)
{
mp_integer value;
if(!to_integer(op0, value))
{
if(dest_type.id()==ID_floatbv) // int to float
{
ieee_floatt result;
result.rounding_mode=(ieee_floatt::rounding_modet)integer2size_t(rounding_mode);
result.spec=to_floatbv_type(dest_type);
result.from_integer(value);
expr=result.to_expr();
return false;
}
}
}
}
}
#if 0
// (T)(a?b:c) --> a?(T)b:(T)c
if(expr.op0().id()==ID_if &&
expr.op0().operands().size()==3)
{
exprt tmp_op1=binary_exprt(expr.op0().op1(), ID_floatbv_typecast, expr.op1(), dest_type);
exprt tmp_op2=binary_exprt(expr.op0().op2(), ID_floatbv_typecast, expr.op1(), dest_type);
simplify_floatbv_typecast(tmp_op1);
simplify_floatbv_typecast(tmp_op2);
expr=if_exprt(expr.op0().op0(), tmp_op1, tmp_op2, dest_type);
simplify_if(expr);
return false;
}
#endif
return true;
}
value_set_dereferencet::valuet value_set_dereferencet::build_reference_to(
const exprt &what,
const modet mode,
const exprt &pointer_expr,
const guardt &guard)
{
const typet &dereference_type=
ns.follow(pointer_expr.type()).subtype();
if(what.id()==ID_unknown ||
what.id()==ID_invalid)
{
invalid_pointer(pointer_expr, guard);
return valuet();
}
if(what.id()!=ID_object_descriptor)
throw "unknown points-to: "+what.id_string();
const object_descriptor_exprt &o=to_object_descriptor_expr(what);
const exprt &root_object=o.root_object();
const exprt &object=o.object();
#if 0
std::cout << "O: " << from_expr(ns, "", root_object) << '\n';
#endif
valuet result;
if(root_object.id()=="NULL-object")
{
if(options.get_bool_option("pointer-check"))
{
guardt tmp_guard(guard);
if(o.offset().is_zero())
{
tmp_guard.add(null_pointer(pointer_expr));
dereference_callback.dereference_failure(
"pointer dereference",
"NULL pointer", tmp_guard);
}
else
{
tmp_guard.add(null_object(pointer_expr));
dereference_callback.dereference_failure(
"pointer dereference",
"NULL plus offset pointer", tmp_guard);
}
}
}
else if(root_object.id()==ID_dynamic_object)
{
// const dynamic_object_exprt &dynamic_object=
// to_dynamic_object_expr(root_object);
// the object produced by malloc
exprt malloc_object=
ns.lookup(CPROVER_PREFIX "malloc_object").symbol_expr();
exprt is_malloc_object=same_object(pointer_expr, malloc_object);
// constraint that it actually is a dynamic object
exprt dynamic_object_expr(ID_dynamic_object, bool_typet());
dynamic_object_expr.copy_to_operands(pointer_expr);
// this is also our guard
result.pointer_guard=dynamic_object_expr;
// can't remove here, turn into *p
result.value=dereference_exprt(pointer_expr, dereference_type);
if(options.get_bool_option("pointer-check"))
{
// if(!dynamic_object.valid().is_true())
{
// check if it is still alive
guardt tmp_guard(guard);
tmp_guard.add(deallocated(pointer_expr, ns));
dereference_callback.dereference_failure(
"pointer dereference",
"dynamic object deallocated",
tmp_guard);
}
if(options.get_bool_option("bounds-check"))
{
if(!o.offset().is_zero())
{
// check lower bound
guardt tmp_guard(guard);
tmp_guard.add(is_malloc_object);
tmp_guard.add(
dynamic_object_lower_bound(
pointer_expr,
ns,
nil_exprt()));
dereference_callback.dereference_failure(
"pointer dereference",
"dynamic object lower bound", tmp_guard);
}
{
// check upper bound
// we check SAME_OBJECT(__CPROVER_malloc_object, p) &&
// POINTER_OFFSET(p)+size>__CPROVER_malloc_size
guardt tmp_guard(guard);
tmp_guard.add(is_malloc_object);
tmp_guard.add(
dynamic_object_upper_bound(
pointer_expr,
dereference_type,
ns,
size_of_expr(dereference_type, ns)));
dereference_callback.dereference_failure(
"pointer dereference",
"dynamic object upper bound", tmp_guard);
}
}
}
}
else if(root_object.id()==ID_integer_address)
{
// This is stuff like *((char *)5).
// This is turned into an access to __CPROVER_memory[...].
if(language_mode==ID_java)
{
result.value=nil_exprt();
return result;
}
const symbolt &memory_symbol=ns.lookup(CPROVER_PREFIX "memory");
exprt symbol_expr=symbol_exprt(memory_symbol.name, memory_symbol.type);
if(base_type_eq(
ns.follow(memory_symbol.type).subtype(),
dereference_type, ns))
{
// Types match already, what a coincidence!
// We can use an index expression.
exprt index_expr=index_exprt(symbol_expr, pointer_offset(pointer_expr));
index_expr.type()=ns.follow(memory_symbol.type).subtype();
result.value=index_expr;
}
else if(dereference_type_compare(
ns.follow(memory_symbol.type).subtype(),
dereference_type))
{
exprt index_expr=index_exprt(symbol_expr, pointer_offset(pointer_expr));
index_expr.type()=ns.follow(memory_symbol.type).subtype();
result.value=typecast_exprt(index_expr, dereference_type);
}
else
{
// We need to use byte_extract.
// Won't do this without a commitment to an endianness.
if(config.ansi_c.endianness==configt::ansi_ct::endiannesst::NO_ENDIANNESS)
{
}
else
{
exprt byte_extract(byte_extract_id(), dereference_type);
byte_extract.copy_to_operands(
symbol_expr, pointer_offset(pointer_expr));
result.value=byte_extract;
}
}
}
else
{
// something generic -- really has to be a symbol
address_of_exprt object_pointer(object);
if(o.offset().is_zero())
{
equal_exprt equality(pointer_expr, object_pointer);
if(ns.follow(equality.lhs().type())!=ns.follow(equality.rhs().type()))
equality.lhs().make_typecast(equality.rhs().type());
result.pointer_guard=equality;
}
else
{
result.pointer_guard=same_object(pointer_expr, object_pointer);
}
guardt tmp_guard(guard);
tmp_guard.add(result.pointer_guard);
valid_check(object, tmp_guard, mode);
const typet &object_type=ns.follow(object.type());
const exprt &root_object=o.root_object();
const typet &root_object_type=ns.follow(root_object.type());
exprt root_object_subexpression=root_object;
if(dereference_type_compare(object_type, dereference_type) &&
o.offset().is_zero())
{
// The simplest case: types match, and offset is zero!
// This is great, we are almost done.
result.value=object;
if(object_type!=ns.follow(dereference_type))
result.value.make_typecast(dereference_type);
}
else if(root_object_type.id()==ID_array &&
dereference_type_compare(
root_object_type.subtype(),
dereference_type))
{
// We have an array with a subtype that matches
// the dereferencing type.
// We will require well-alignedness!
exprt offset;
// this should work as the object is essentially the root object
if(o.offset().is_constant())
offset=o.offset();
else
offset=pointer_offset(pointer_expr);
exprt adjusted_offset;
// are we doing a byte?
mp_integer element_size=
dereference_type.id()==ID_empty?
pointer_offset_size(char_type(), ns):
pointer_offset_size(dereference_type, ns);
if(element_size==1)
{
// no need to adjust offset
adjusted_offset=offset;
}
else if(element_size<=0)
{
throw "unknown or invalid type size of:\n"+dereference_type.pretty();
}
else
{
exprt element_size_expr=
from_integer(element_size, offset.type());
adjusted_offset=binary_exprt(
offset, ID_div, element_size_expr, offset.type());
// TODO: need to assert well-alignedness
}
index_exprt index_expr=
index_exprt(root_object, adjusted_offset, root_object_type.subtype());
bounds_check(index_expr, tmp_guard);
result.value=index_expr;
if(ns.follow(result.value.type())!=ns.follow(dereference_type))
result.value.make_typecast(dereference_type);
}
else if(get_subexpression_at_offset(
root_object_subexpression,
o.offset(),
dereference_type,
ns))
{
// Successfully found a member, array index, or combination thereof
// that matches the desired type and offset:
result.value=root_object_subexpression;
}
else
{
// we extract something from the root object
result.value=o.root_object();
// this is relative to the root object
const exprt offset=pointer_offset(pointer_expr);
if(memory_model(result.value, dereference_type, tmp_guard, offset))
{
// ok, done
}
else
{
if(options.get_bool_option("pointer-check"))
{
std::string msg="memory model not applicable (got `";
msg+=from_type(ns, "", result.value.type());
msg+="', expected `";
msg+=from_type(ns, "", dereference_type);
msg+="')";
dereference_callback.dereference_failure(
"pointer dereference",
msg, tmp_guard);
}
return valuet(); // give up, no way that this is ok
}
}
}
return result;
}
exprt dereferencet::read_object(
const exprt &object,
const exprt &offset,
const typet &type)
{
const typet &object_type=ns.follow(object.type());
const typet &dest_type=ns.follow(type);
// is the object an array with matching subtype?
exprt simplified_offset=simplify_expr(offset, ns);
// check if offset is zero
if(simplified_offset.is_zero())
{
// check type
if(base_type_eq(object_type, dest_type, ns))
{
return object; // trivial case
}
else if(type_compatible(object_type, dest_type))
{
// the type differs, but we can do this with a typecast
return typecast_exprt(object, dest_type);
}
}
if(object.id()==ID_index)
{
const index_exprt &index_expr=to_index_expr(object);
exprt index=index_expr.index();
// multiply index by object size
exprt size=size_of_expr(object_type, ns);
if(size.is_nil())
throw "dereference failed to get object size for index";
index.make_typecast(simplified_offset.type());
size.make_typecast(index.type());
exprt new_offset=plus_exprt(simplified_offset, mult_exprt(index, size));
return read_object(index_expr.array(), new_offset, type);
}
else if(object.id()==ID_member)
{
const member_exprt &member_expr=to_member_expr(object);
const typet &compound_type=
ns.follow(member_expr.struct_op().type());
if(compound_type.id()==ID_struct)
{
const struct_typet &struct_type=
to_struct_type(compound_type);
exprt member_offset=member_offset_expr(
struct_type, member_expr.get_component_name(), ns);
if(member_offset.is_nil())
throw "dereference failed to get member offset";
member_offset.make_typecast(simplified_offset.type());
exprt new_offset=plus_exprt(simplified_offset, member_offset);
return read_object(member_expr.struct_op(), new_offset, type);
}
else if(compound_type.id()==ID_union)
{
// Unions are easy: the offset is always zero,
// so simply pass down.
return read_object(member_expr.struct_op(), offset, type);
}
}
// check if we have an array with the right subtype
if(object_type.id()==ID_array &&
base_type_eq(object_type.subtype(), dest_type, ns))
{
// check proper alignment
exprt size=size_of_expr(dest_type, ns);
if(size.is_not_nil())
{
mp_integer size_constant, offset_constant;
if(!to_integer(simplify_expr(size, ns), size_constant) &&
!to_integer(simplified_offset, offset_constant) &&
(offset_constant%size_constant)==0)
{
// Yes! Can use index expression!
mp_integer index_constant=offset_constant/size_constant;
exprt index_expr=from_integer(index_constant, size.type());
return index_exprt(object, index_expr, dest_type);
}
}
}
// give up and use byte_extract
return binary_exprt(object, byte_extract_id(), simplified_offset, dest_type);
}
bool simplify_exprt::simplify_pointer_offset(exprt &expr)
{
if(expr.operands().size()!=1) return true;
exprt &ptr=expr.op0();
if(ptr.id()==ID_if && ptr.operands().size()==3)
{
if_exprt if_expr=lift_if(expr, 0);
simplify_pointer_offset(if_expr.true_case());
simplify_pointer_offset(if_expr.false_case());
simplify_if(if_expr);
expr.swap(if_expr);
return false;
}
if(ptr.type().id()!=ID_pointer) return true;
if(ptr.id()==ID_address_of)
{
if(ptr.operands().size()!=1) return true;
mp_integer offset=compute_pointer_offset(ptr.op0(), ns);
if(offset!=-1)
{
expr=from_integer(offset, expr.type());
return false;
}
}
else if(ptr.id()==ID_typecast) // pointer typecast
{
if(ptr.operands().size()!=1) return true;
const typet &op_type=ns.follow(ptr.op0().type());
if(op_type.id()==ID_pointer)
{
// Cast from pointer to pointer.
// This just passes through, remove typecast.
exprt tmp=ptr.op0();
ptr=tmp;
// recursive call
simplify_node(expr);
return false;
}
else if(op_type.id()==ID_signedbv ||
op_type.id()==ID_unsignedbv)
{
// Cast from integer to pointer, say (int *)x.
if(ptr.op0().is_constant())
{
// (T *)0x1234 -> 0x1234
exprt tmp=ptr.op0();
tmp.make_typecast(expr.type());
simplify_node(tmp);
expr.swap(tmp);
return false;
}
else
{
// We do a bit of special treatment for (TYPE *)(a+(int)&o),
// which is re-written to 'a'.
typet type=ns.follow(expr.type());
exprt tmp=ptr.op0();
if(tmp.id()==ID_plus && tmp.operands().size()==2)
{
if(tmp.op0().id()==ID_typecast &&
tmp.op0().operands().size()==1 &&
tmp.op0().op0().id()==ID_address_of)
{
expr=tmp.op1();
if(type!=expr.type())
expr.make_typecast(type);
simplify_node(expr);
return false;
}
else if(tmp.op1().id()==ID_typecast &&
tmp.op1().operands().size()==1 &&
tmp.op1().op0().id()==ID_address_of)
{
expr=tmp.op0();
if(type!=expr.type())
expr.make_typecast(type);
simplify_node(expr);
return false;
}
}
}
}
}
else if(ptr.id()==ID_plus) // pointer arithmetic
{
exprt::operandst ptr_expr;
exprt::operandst int_expr;
for(const auto & op : ptr.operands())
{
if(op.type().id()==ID_pointer)
ptr_expr.push_back(op);
else if(!op.is_zero())
{
exprt tmp=op;
if(tmp.type()!=expr.type())
{
tmp.make_typecast(expr.type());
simplify_node(tmp);
}
int_expr.push_back(tmp);
}
}
if(ptr_expr.size()!=1 || int_expr.empty())
return true;
typet pointer_type=ptr_expr.front().type();
mp_integer element_size=
pointer_offset_size(pointer_type.subtype(), ns);
if(element_size==0) return true;
// this might change the type of the pointer!
exprt pointer_offset(ID_pointer_offset, expr.type());
pointer_offset.copy_to_operands(ptr_expr.front());
simplify_node(pointer_offset);
exprt sum;
if(int_expr.size()==1)
sum=int_expr.front();
else
{
sum=exprt(ID_plus, expr.type());
sum.operands()=int_expr;
}
simplify_node(sum);
exprt size_expr=
from_integer(element_size, expr.type());
binary_exprt product(sum, ID_mult, size_expr, expr.type());
simplify_node(product);
expr=binary_exprt(pointer_offset, ID_plus, product, expr.type());
simplify_node(expr);
return false;
}
else if(ptr.id()==ID_constant &&
ptr.get(ID_value)==ID_NULL)
{
expr=gen_zero(expr.type());
simplify_node(expr);
return false;
}
return true;
}
