mp_integer compute_pointer_offset(
const namespacet &ns,
const exprt &expr)
{
if(expr.id()==ID_symbol)
return 0;
else if(expr.id()==ID_index)
{
assert(expr.operands().size()==2);
const typet &array_type=ns.follow(expr.op0().type());
assert(array_type.id()==ID_array);
mp_integer o=compute_pointer_offset(ns, expr.op0());
if(o!=-1)
{
mp_integer sub_size=
pointer_offset_size(ns, array_type.subtype());
mp_integer i;
if(sub_size!=0 && !to_integer(expr.op1(), i))
return o+i*sub_size;
}
// don't know
}
else if(expr.id()==ID_member)
{
assert(expr.operands().size()==1);
const typet &type=ns.follow(expr.op0().type());
assert(type.id()==ID_struct ||
type.id()==ID_union);
mp_integer o=compute_pointer_offset(ns, expr.op0());
if(o!=-1)
{
if(type.id()==ID_union)
return o;
return o+member_offset(
ns, to_struct_type(type), expr.get(ID_component_name));
}
}
else if(expr.id()==ID_string_constant)
return 0;
return -1; // don't know
}
bool value_sett::eval_pointer_offset(
exprt &expr,
const namespacet &ns) const
{
bool mod=false;
if(expr.id()==ID_pointer_offset)
{
assert(expr.operands().size()==1);
object_mapt reference_set;
get_value_set(expr.op0(), reference_set, ns, true);
exprt new_expr;
mp_integer previous_offset=0;
const object_map_dt &object_map=reference_set.read();
for(object_map_dt::const_iterator
it=object_map.begin();
it!=object_map.end();
it++)
if(!it->second.offset_is_set)
return false;
else
{
const exprt &object=object_numbering[it->first];
mp_integer ptr_offset=compute_pointer_offset(object, ns);
if(ptr_offset<0)
return false;
ptr_offset+=it->second.offset;
if(mod && ptr_offset!=previous_offset)
return false;
new_expr=from_integer(ptr_offset, index_type());
previous_offset=ptr_offset;
mod=true;
}
if(mod)
expr.swap(new_expr);
}
else
{
Forall_operands(it, expr)
mod=eval_pointer_offset(*it, ns) || mod;
}
return mod;
}
void rd_range_domaint::assign(
const namespacet &ns,
locationt from,
const exprt &lhs,
const mp_integer &size)
{
if(lhs.id()==ID_typecast)
assign(ns, from, to_typecast_expr(lhs).op(), size);
else if(lhs.id()==ID_if)
assign_if(ns, from, to_if_expr(lhs), size);
else if(lhs.id()==ID_dereference)
assign_dereference(ns, from, to_dereference_expr(lhs), size);
else if(lhs.id()==ID_byte_extract_little_endian ||
lhs.id()==ID_byte_extract_big_endian)
assign_byte_extract(ns, from, to_byte_extract_expr(lhs), size);
else if(lhs.id()==ID_symbol ||
lhs.id()==ID_index ||
lhs.id()==ID_member)
assign(ns, from, lhs, compute_pointer_offset(ns, lhs), size);
else
throw "assignment to `"+lhs.id_string()+"' not handled";
}
void rd_range_domaint::transform(
const namespacet &ns,
locationt from,
locationt to)
{
if(from->is_dead())
{
const symbol_exprt &symbol=
to_symbol_expr(to_code_dead(from->code).symbol());
values.erase(symbol.get_identifier());
return;
}
else if(!from->is_assign())
return;
const exprt &lhs=to_code_assign(from->code).lhs();
if(lhs.id()==ID_complex_real ||
lhs.id()==ID_complex_imag)
{
assert(lhs.type().id()==ID_complex);
mp_integer offset=compute_pointer_offset(ns, lhs.op0());
mp_integer sub_size=pointer_offset_size(ns, lhs.type().subtype());
assign(
ns,
from,
lhs.op0(),
offset+((offset==-1 || lhs.id()==ID_complex_real) ? 0 : sub_size),
sub_size);
}
else
{
mp_integer size=pointer_offset_size(ns, lhs.type());
assign(ns, from, lhs, size);
}
}
void rd_range_domaint::assign_byte_extract(
const namespacet &ns,
locationt from,
const byte_extract_exprt &be,
const mp_integer &size)
{
assert(size==1);
mp_integer op_offset=compute_pointer_offset(ns, be.op());
mp_integer index;
if(op_offset==-1 || to_integer(be.offset(), index))
assign(ns, from, be.op(), -1, 1);
else
{
endianness_mapt map(
be.op().type(),
be.id()==ID_byte_extract_little_endian,
ns);
assert(index<std::numeric_limits<unsigned>::max());
op_offset+=map.map_byte(integer2long(index));
assign(ns, from, be.op(), op_offset, 1);
}
}
bool simplify_exprt::simplify_pointer_offset(exprt &expr)
{
if(expr.operands().size()!=1) return true;
exprt &ptr=expr.op0();
if(ptr.id()==ID_if && ptr.operands().size()==3)
{
if_exprt if_expr=lift_if(expr, 0);
simplify_pointer_offset(if_expr.true_case());
simplify_pointer_offset(if_expr.false_case());
simplify_if(if_expr);
expr.swap(if_expr);
return false;
}
if(ptr.type().id()!=ID_pointer) return true;
if(ptr.id()==ID_address_of)
{
if(ptr.operands().size()!=1) return true;
mp_integer offset=compute_pointer_offset(ptr.op0(), ns);
if(offset!=-1)
{
expr=from_integer(offset, expr.type());
return false;
}
}
else if(ptr.id()==ID_typecast) // pointer typecast
{
if(ptr.operands().size()!=1) return true;
const typet &op_type=ns.follow(ptr.op0().type());
if(op_type.id()==ID_pointer)
{
// Cast from pointer to pointer.
// This just passes through, remove typecast.
exprt tmp=ptr.op0();
ptr=tmp;
// recursive call
simplify_node(expr);
return false;
}
else if(op_type.id()==ID_signedbv ||
op_type.id()==ID_unsignedbv)
{
// Cast from integer to pointer, say (int *)x.
if(ptr.op0().is_constant())
{
// (T *)0x1234 -> 0x1234
exprt tmp=ptr.op0();
tmp.make_typecast(expr.type());
simplify_node(tmp);
expr.swap(tmp);
return false;
}
else
{
// We do a bit of special treatment for (TYPE *)(a+(int)&o),
// which is re-written to 'a'.
typet type=ns.follow(expr.type());
exprt tmp=ptr.op0();
if(tmp.id()==ID_plus && tmp.operands().size()==2)
{
if(tmp.op0().id()==ID_typecast &&
tmp.op0().operands().size()==1 &&
tmp.op0().op0().id()==ID_address_of)
{
expr=tmp.op1();
if(type!=expr.type())
expr.make_typecast(type);
simplify_node(expr);
return false;
}
else if(tmp.op1().id()==ID_typecast &&
tmp.op1().operands().size()==1 &&
tmp.op1().op0().id()==ID_address_of)
{
expr=tmp.op0();
if(type!=expr.type())
expr.make_typecast(type);
simplify_node(expr);
return false;
}
}
}
}
}
else if(ptr.id()==ID_plus) // pointer arithmetic
{
exprt::operandst ptr_expr;
exprt::operandst int_expr;
for(const auto & op : ptr.operands())
{
if(op.type().id()==ID_pointer)
ptr_expr.push_back(op);
else if(!op.is_zero())
{
exprt tmp=op;
if(tmp.type()!=expr.type())
{
tmp.make_typecast(expr.type());
simplify_node(tmp);
}
int_expr.push_back(tmp);
}
}
if(ptr_expr.size()!=1 || int_expr.empty())
return true;
typet pointer_type=ptr_expr.front().type();
mp_integer element_size=
pointer_offset_size(pointer_type.subtype(), ns);
if(element_size==0) return true;
// this might change the type of the pointer!
exprt pointer_offset(ID_pointer_offset, expr.type());
pointer_offset.copy_to_operands(ptr_expr.front());
simplify_node(pointer_offset);
exprt sum;
if(int_expr.size()==1)
sum=int_expr.front();
else
{
sum=exprt(ID_plus, expr.type());
sum.operands()=int_expr;
}
simplify_node(sum);
exprt size_expr=
from_integer(element_size, expr.type());
binary_exprt product(sum, ID_mult, size_expr, expr.type());
simplify_node(product);
expr=binary_exprt(pointer_offset, ID_plus, product, expr.type());
simplify_node(expr);
return false;
}
else if(ptr.id()==ID_constant &&
ptr.get(ID_value)==ID_NULL)
{
expr=gen_zero(expr.type());
simplify_node(expr);
return false;
}
return true;
}
exprt goto_symext::address_arithmetic(
const exprt &expr,
statet &state,
guardt &guard,
bool keep_array)
{
exprt result;
if(expr.id()==ID_byte_extract_little_endian ||
expr.id()==ID_byte_extract_big_endian)
{
// address_of(byte_extract(op, offset, t)) is
// address_of(op) + offset with adjustments for arrays
const byte_extract_exprt &be=to_byte_extract_expr(expr);
// recursive call
result=address_arithmetic(be.op(), state, guard, keep_array);
if(ns.follow(be.op().type()).id()==ID_array &&
result.id()==ID_address_of)
{
address_of_exprt &a=to_address_of_expr(result);
// turn &a of type T[i][j] into &(a[0][0])
for(const typet *t=&(ns.follow(a.type().subtype()));
t->id()==ID_array && !base_type_eq(expr.type(), *t, ns);
t=&(ns.follow(*t).subtype()))
a.object()=index_exprt(a.object(), from_integer(0, index_type()));
}
// do (expr.type() *)(((char *)op)+offset)
result=typecast_exprt(result, pointer_typet(char_type()));
// there could be further dereferencing in the offset
exprt offset=be.offset();
dereference_rec(offset, state, guard, false);
result=plus_exprt(result, offset);
// treat &array as &array[0]
const typet &expr_type=ns.follow(expr.type());
pointer_typet dest_type;
if(expr_type.id()==ID_array && !keep_array)
dest_type.subtype()=expr_type.subtype();
else
dest_type.subtype()=expr_type;
result=typecast_exprt(result, dest_type);
}
else if(expr.id()==ID_index ||
expr.id()==ID_member)
{
object_descriptor_exprt ode;
ode.build(expr, ns);
byte_extract_exprt be(byte_extract_id());
be.type()=expr.type();
be.op()=ode.root_object();
be.offset()=ode.offset();
// recursive call
result=address_arithmetic(be, state, guard, keep_array);
do_simplify(result);
}
else if(expr.id()==ID_dereference)
{
// ANSI-C guarantees &*p == p no matter what p is,
// even if it's complete garbage
// just grab the pointer, but be wary of further dereferencing
// in the pointer itself
result=to_dereference_expr(expr).pointer();
dereference_rec(result, state, guard, false);
}
else if(expr.id()==ID_if)
{
if_exprt if_expr=to_if_expr(expr);
// the condition is not an address
dereference_rec(if_expr.cond(), state, guard, false);
// recursive call
if_expr.true_case()=
address_arithmetic(if_expr.true_case(), state, guard, keep_array);
if_expr.false_case()=
address_arithmetic(if_expr.false_case(), state, guard, keep_array);
result=if_expr;
}
else if(expr.id()==ID_symbol ||
expr.id()==ID_string_constant ||
expr.id()==ID_label ||
expr.id()==ID_array)
{
// give up, just dereference
result=expr;
dereference_rec(result, state, guard, false);
// turn &array into &array[0]
if(ns.follow(result.type()).id()==ID_array && !keep_array)
result=index_exprt(result, from_integer(0, index_type()));
// handle field-sensitive SSA symbol
mp_integer offset=0;
if(expr.id()==ID_symbol &&
expr.get_bool(ID_C_SSA_symbol))
{
offset=compute_pointer_offset(expr, ns);
assert(offset>=0);
}
if(offset>0)
{
byte_extract_exprt be(byte_extract_id());
be.type()=expr.type();
be.op()=to_ssa_expr(expr).get_l1_object();
be.offset()=from_integer(offset, index_type());
result=address_arithmetic(be, state, guard, keep_array);
do_simplify(result);
}
else
result=address_of_exprt(result);
}
else
throw "goto_symext::address_arithmetic does not handle "+expr.id_string();
const typet &expr_type=ns.follow(expr.type());
assert((expr_type.id()==ID_array && !keep_array) ||
base_type_eq(pointer_typet(expr_type), result.type(), ns));
return result;
}
