cbmc/value__set__dereference_8cpp_source.html

/*******************************************************************\


Module: Symbolic Execution of ANSI-C


Author: Daniel Kroening, kroening@kroening.com


\*******************************************************************/


#include "value_set_dereference.h"


#ifdef DEBUG

#include <iostream>

#endif


#include <util/arith_tools.h>

#include <util/byte_operators.h>

#include <util/c_types.h>

#include <util/config.h>

#include <util/cprover_prefix.h>

#include <util/expr_iterator.h>

#include <util/expr_util.h>

#include <util/format_expr.h>

#include <util/fresh_symbol.h>

#include <util/json.h>

#include <util/message.h>

#include <util/namespace.h>

#include <util/pointer_expr.h>

#include <util/pointer_offset_size.h>

#include <util/pointer_predicates.h>

#include <util/range.h>

#include <util/simplify_expr.h>

#include <util/symbol.h>


#include "dereference_callback.h"


#include <deque>


static bool should_use_local_definition_for(const exprt &expr)

{

  bool seen_symbol = false;

  for(auto it = expr.depth_begin(), itend = expr.depth_end(); it != itend; ++it)

  {

    if(it->id() == ID_symbol)

    {

      if(seen_symbol)

        return true;

      else

        seen_symbol = true;

    }

  }


  return false;

}

static bool should_use_local_definition_for(const exprt &expr) {…}


static json_objectt value_set_dereference_stats_to_json(

  const exprt &pointer,

  const std::vector<exprt> &points_to_set,

  const std::vector<exprt> &retained_values,

  const exprt &value)

{

  json_objectt json_result;

  json_result["Pointer"] = json_stringt{format_to_string(pointer)};

  json_result["PointsToSetSize"] =

    json_numbert{std::to_string(points_to_set.size())};


  json_arrayt points_to_set_json;

  for(const auto &object : points_to_set)

  {

    points_to_set_json.push_back(json_stringt{format_to_string(object)});

  }


  json_result["PointsToSet"] = points_to_set_json;


  json_result["RetainedValuesSetSize"] =

    json_numbert{std::to_string(points_to_set.size())};


  json_arrayt retained_values_set_json;

  for(auto &retained_value : retained_values)

  {

    retained_values_set_json.push_back(

      json_stringt{format_to_string(retained_value)});

  }


  json_result["RetainedValuesSet"] = retained_values_set_json;


  json_result["Value"] = json_stringt{format_to_string(value)};


  return json_result;

}

static json_objectt value_set_dereference_stats_to_json( {…}


static std::optional<exprt>


try_add_offset_to_indices(const exprt &expr, const exprt &offset_elements)

{

  if(const auto *index_expr = expr_try_dynamic_cast<index_exprt>(expr))

  {

    return index_exprt{

      index_expr->array(),

      plus_exprt{index_expr->index(),

                 typecast_exprt::conditional_cast(

                   offset_elements, index_expr->index().type())}};

  }

  else if(const auto *if_expr = expr_try_dynamic_cast<if_exprt>(expr))

  {

    const auto true_case =

      try_add_offset_to_indices(if_expr->true_case(), offset_elements);

    if(!true_case)

      return {};

    const auto false_case =

      try_add_offset_to_indices(if_expr->false_case(), offset_elements);

    if(!false_case)

      return {};

    return if_exprt{if_expr->cond(), *true_case, *false_case};

  }

  else if(can_cast_expr<typecast_exprt>(expr))

  {

    // the case of a type cast is _not_ handled here, because that would require

    // doing arithmetic on the offset, and may result in an offset into some

    // sub-element

    return {};

  }

  else

  {

    return {};

  }

}

try_add_offset_to_indices(const exprt &expr, const exprt &offset_elements) {…}


exprt value_set_dereferencet::dereference(

  const exprt &pointer,

  bool display_points_to_sets)

{

  PRECONDITION_WITH_DIAGNOSTICS(

    pointer.type().id() == ID_pointer,

    "dereference expected pointer type, but got " + pointer.type().pretty());


  // we may get ifs due to recursive calls

  if(pointer.id()==ID_if)

  {

    const if_exprt &if_expr=to_if_expr(pointer);

    exprt true_case = dereference(if_expr.true_case(), display_points_to_sets);

    exprt false_case =

      dereference(if_expr.false_case(), display_points_to_sets);

    return if_exprt(if_expr.cond(), true_case, false_case);

  }

  else if(pointer.id() == ID_typecast)

  {

    const exprt *underlying = &pointer;

    // Note this isn't quite the same as skip_typecast, which would also skip

    // things such as int-to-ptr typecasts which we shouldn't ignore

    while(underlying->id() == ID_typecast &&

          underlying->type().id() == ID_pointer)

    {

      underlying = &to_typecast_expr(*underlying).op();

    }


    if(underlying->id() == ID_if && underlying->type().id() == ID_pointer)

    {

      const auto &if_expr = to_if_expr(*underlying);

      return if_exprt(

        if_expr.cond(),

        dereference(

          typecast_exprt(if_expr.true_case(), pointer.type()),

          display_points_to_sets),

        dereference(

          typecast_exprt(if_expr.false_case(), pointer.type()),

          display_points_to_sets));

    }

  }

  else if(pointer.id() == ID_plus && pointer.operands().size() == 2)

  {

    // Try to improve results for *(p + i) where p points to known offsets but

    // i is non-constant-- if `p` points to known positions in arrays or array-members

    // of structs then we can add the non-constant expression `i` to the index

    // instead of using a byte-extract expression.


    exprt pointer_expr = to_plus_expr(pointer).op0();

    exprt offset_expr = to_plus_expr(pointer).op1();


    if(can_cast_type<pointer_typet>(offset_expr.type()))

      std::swap(pointer_expr, offset_expr);


    if(

      can_cast_type<pointer_typet>(pointer_expr.type()) &&

      pointer_expr.id() != ID_typecast &&

      !can_cast_type<pointer_typet>(offset_expr.type()) &&

      !can_cast_expr<constant_exprt>(offset_expr))

    {

      exprt derefd_pointer = dereference(pointer_expr);

      if(

        auto derefd_with_offset =

          try_add_offset_to_indices(derefd_pointer, offset_expr))

        return *derefd_with_offset;


      // If any of this fails, fall through to use the normal byte-extract path.

    }

  }


  return handle_dereference_base_case(pointer, display_points_to_sets);

}

exprt value_set_dereferencet::dereference( {…}


exprt value_set_dereferencet::handle_dereference_base_case(

  const exprt &pointer,

  bool display_points_to_sets)

{ // type of the object

  const typet &type = to_pointer_type(pointer.type()).base_type();


  // collect objects the pointer may point to

  const std::vector<exprt> points_to_set =

    dereference_callback.get_value_set(pointer);


  // get the values of these

  const std::vector<exprt> retained_values =

    make_range(points_to_set).filter([&](const exprt &value) {

      return !should_ignore_value(value, exclude_null_derefs, language_mode);

    });


  exprt compare_against_pointer = pointer;


  if(retained_values.size() >= 2 && should_use_local_definition_for(pointer))

  {

    symbolt fresh_binder = get_fresh_aux_symbol(

      pointer.type(),

      "derefd_pointer",

      "derefd_pointer",

      pointer.find_source_location(),

      language_mode,

      new_symbol_table);


    compare_against_pointer = fresh_binder.symbol_expr();

  }


  auto values =

    make_range(retained_values)

      .map([&](const exprt &value) {

        return build_reference_to(value, compare_against_pointer, ns);

      })

      .collect<std::deque<valuet>>();


  const bool may_fail =

    values.empty() ||

    std::any_of(values.begin(), values.end(), [](const valuet &value) {

      return value.value.is_nil();

    });


  if(may_fail)

  {

    values.push_front(get_failure_value(pointer, type));

  }


  // now build big case split, but we only do "good" objects


  exprt result_value = nil_exprt{};


  for(const auto &value : values)

  {

    if(value.value.is_not_nil())

    {

      if(result_value.is_nil()) // first?

        result_value = value.value;

      else

        result_value = if_exprt(value.pointer_guard, value.value, result_value);

    }

  }


  if(compare_against_pointer != pointer)

    result_value =

      let_exprt(to_symbol_expr(compare_against_pointer), pointer, result_value);


  if(display_points_to_sets)

  {

    messaget log{message_handler};

    log.status() << value_set_dereference_stats_to_json(

      pointer, points_to_set, retained_values, result_value);

  }


  return result_value;

}

exprt value_set_dereferencet::handle_dereference_base_case( {…}


value_set_dereferencet::valuet value_set_dereferencet::get_failure_value(

  const exprt &pointer,

  const typet &type)

{

  // first see if we have a "failed object" for this pointer

  exprt failure_value;


  if(

    const symbolt *failed_symbol =

      dereference_callback.get_or_create_failed_symbol(pointer))

  {

    // yes!

    failure_value = failed_symbol->symbol_expr();

    failure_value.set(ID_C_invalid_object, true);

  }

  else

  {

    // else: produce new symbol

    symbolt &symbol = get_fresh_aux_symbol(

      type,

      "symex",

      "invalid_object",

      pointer.source_location(),

      language_mode,

      new_symbol_table);


    // make it a lvalue, so we can assign to it

    symbol.is_lvalue = true;


    failure_value = symbol.symbol_expr();

    failure_value.set(ID_C_invalid_object, true);

  }


  valuet result{};

  result.value = failure_value;

  result.pointer_guard = true_exprt();

  return result;

}

value_set_dereferencet::valuet value_set_dereferencet::get_failure_value( {…}


bool value_set_dereferencet::dereference_type_compare(

  const typet &object_type,

  const typet &dereference_type,

  const namespacet &ns)

{

  const typet *object_unwrapped = &object_type;

  const typet *dereference_unwrapped = &dereference_type;

  while(object_unwrapped->id() == ID_pointer &&

        dereference_unwrapped->id() == ID_pointer)

  {

    object_unwrapped = &to_pointer_type(*object_unwrapped).base_type();

    dereference_unwrapped =

      &to_pointer_type(*dereference_unwrapped).base_type();

  }

  if(dereference_unwrapped->id() == ID_empty)

  {

    return true;

  }

  else if(dereference_unwrapped->id() == ID_pointer &&

          object_unwrapped->id() != ID_pointer)

  {

#ifdef DEBUG

    std::cout << "value_set_dereference: the dereference type has "

                 "too many ID_pointer levels"

              << std::endl;

    std::cout << " object_type: " << object_type.pretty() << std::endl;

    std::cout << " dereference_type: " << dereference_type.pretty()

              << std::endl;

#endif

  }


  if(object_type == dereference_type)

    return true; // ok, they just match


  // check for struct prefixes

  const typet &ot_base = object_type.id() == ID_struct_tag

                           ? ns.follow_tag(to_struct_tag_type(object_type))

                           : object_type;

  const typet &dt_base = dereference_type.id() == ID_struct_tag

                           ? ns.follow_tag(to_struct_tag_type(dereference_type))

                           : dereference_type;


  if(ot_base.id()==ID_struct &&

     dt_base.id()==ID_struct)

  {

    if(to_struct_type(dt_base).is_prefix_of(

         to_struct_type(ot_base)))

      return true; // ok, dt is a prefix of ot

  }


  // we are generous about code pointers

  if(dereference_type.id()==ID_code &&

     object_type.id()==ID_code)

    return true;


  // bitvectors of same width are ok

  if((dereference_type.id()==ID_signedbv ||

      dereference_type.id()==ID_unsignedbv) &&

     (object_type.id()==ID_signedbv ||

      object_type.id()==ID_unsignedbv) &&

     to_bitvector_type(dereference_type).get_width()==

     to_bitvector_type(object_type).get_width())

    return true;


  // really different


  return false;

}

bool value_set_dereferencet::dereference_type_compare( {…}


bool value_set_dereferencet::should_ignore_value(

  const exprt &what,

  bool exclude_null_derefs,

  const irep_idt &language_mode)

{

  if(what.id() == ID_unknown || what.id() == ID_invalid)

  {

    return false;

  }


  const object_descriptor_exprt &o = to_object_descriptor_expr(what);


  const exprt &root_object = o.root_object();

  if(root_object.id() == ID_null_object)

  {

    return exclude_null_derefs;

  }

  else if(root_object.id() == ID_integer_address)

  {

    return language_mode == ID_java;

  }


  return false;

}

bool value_set_dereferencet::should_ignore_value( {…}


value_set_dereferencet::valuet value_set_dereferencet::build_reference_to(

  const exprt &what,

  const exprt &pointer_expr,

  const namespacet &ns)

{

  const pointer_typet &pointer_type =

    type_checked_cast<pointer_typet>(pointer_expr.type());

  const typet &dereference_type = pointer_type.base_type();


  if(what.id()==ID_unknown ||

     what.id()==ID_invalid)

  {

    return valuet();

  }


  PRECONDITION_WITH_DIAGNOSTICS(

    what.id() == ID_object_descriptor,

    "unknown points-to: " + what.id_string());


  const object_descriptor_exprt &o=to_object_descriptor_expr(what);


  const exprt &root_object=o.root_object();

  const exprt &object=o.object();


  #if 0

  std::cout << "O: " << format(root_object) << '\n';

  #endif


  if(root_object.id() == ID_null_object)

  {

    if(!o.offset().is_zero())

      return {};


    valuet result;

    result.pointer = null_pointer_exprt{pointer_type};

    return result;

  }

  else if(root_object.id()==ID_dynamic_object)

  {

    valuet result;


    // constraint that it actually is a dynamic object

    // this is also our guard

    result.pointer_guard = is_dynamic_object_exprt(pointer_expr);


    // can't remove here, turn into *p

    result.value = dereference_exprt{pointer_expr};

    result.pointer = pointer_expr;


    return result;

  }

  else if(root_object.id()==ID_integer_address)

  {

    // This is stuff like *((char *)5).

    // This is turned into an access to __CPROVER_memory[...].


    const symbolt &memory_symbol=ns.lookup(CPROVER_PREFIX "memory");

    const symbol_exprt symbol_expr(memory_symbol.name, memory_symbol.type);


    if(to_array_type(memory_symbol.type).element_type() == dereference_type)

    {

      // Types match already, what a coincidence!

      // We can use an index expression.


      const index_exprt index_expr(

        symbol_expr,

        typecast_exprt::conditional_cast(

          pointer_offset(pointer_expr),

          to_array_type(memory_symbol.type).index_type()),

        to_array_type(memory_symbol.type).element_type());


      valuet result;

      result.value=index_expr;

      result.pointer = address_of_exprt{index_expr};

      return result;

    }

    else if(dereference_type_compare(

              to_array_type(memory_symbol.type).element_type(),

              dereference_type,

              ns))

    {

      const index_exprt index_expr(

        symbol_expr,

        typecast_exprt::conditional_cast(

          pointer_offset(pointer_expr),

          to_array_type(memory_symbol.type).index_type()),

        to_array_type(memory_symbol.type).element_type());


      valuet result;

      result.value=typecast_exprt(index_expr, dereference_type);

      result.pointer =

        typecast_exprt{address_of_exprt{index_expr}, pointer_type};

      return result;

    }

    else

    {

      // We need to use byte_extract.

      // Won't do this without a commitment to an endianness.


      if(config.ansi_c.endianness==configt::ansi_ct::endiannesst::NO_ENDIANNESS)

        return {};


      valuet result;

      result.value = make_byte_extract(

        symbol_expr, pointer_offset(pointer_expr), dereference_type);

      result.pointer = address_of_exprt{result.value};

      return result;

    }

  }

  else

  {

    valuet result;


    // something generic -- really has to be a symbol

    address_of_exprt object_pointer(object);


    if(o.offset().is_zero())

    {

      result.pointer_guard = equal_exprt(

        typecast_exprt::conditional_cast(pointer_expr, object_pointer.type()),

        object_pointer);

    }

    else

    {

      result.pointer_guard=same_object(pointer_expr, object_pointer);

    }


    const typet &object_type = object.type();

    const typet &root_object_type = root_object.type();


    if(

      dereference_type_compare(object_type, dereference_type, ns) &&

      o.offset().is_zero())

    {

      // The simplest case: types match, and offset is zero!

      // This is great, we are almost done.


      result.value = typecast_exprt::conditional_cast(object, dereference_type);

      result.pointer =

        typecast_exprt::conditional_cast(object_pointer, pointer_type);


      return result;

    }


    // this is relative to the root object

    exprt offset;

    if(o.offset().is_constant())

      offset = o.offset();

    else

      offset = simplify_expr(pointer_offset(pointer_expr), ns);


    if(

      root_object_type.id() == ID_array &&

      dereference_type_compare(

        to_array_type(root_object_type).element_type(), dereference_type, ns) &&

      pointer_offset_bits(to_array_type(root_object_type).element_type(), ns) ==

        pointer_offset_bits(dereference_type, ns) &&

      offset.is_constant())

    {

      // We have an array with a subtype that matches

      // the dereferencing type.


      // are we doing a byte?

      auto element_size =

        pointer_offset_size(to_array_type(root_object_type).element_type(), ns);

      CHECK_RETURN(element_size.has_value());

      CHECK_RETURN(*element_size > 0);


      const auto offset_int =

        numeric_cast_v<mp_integer>(to_constant_expr(offset));


      if(offset_int % *element_size == 0)

      {

        index_exprt index_expr{

          root_object,

          from_integer(

            offset_int / *element_size,

            to_array_type(root_object_type).index_type())};

        result.value =

          typecast_exprt::conditional_cast(index_expr, dereference_type);

        result.pointer = typecast_exprt::conditional_cast(

          address_of_exprt{index_expr}, pointer_type);


        return result;

      }

    }


    // try to build a member/index expression - do not use byte_extract

    auto subexpr = get_subexpression_at_offset(

      root_object, o.offset(), dereference_type, ns);

    if(subexpr.has_value())

      simplify(subexpr.value(), ns);

    if(

      subexpr.has_value() &&

      subexpr.value().id() != ID_byte_extract_little_endian &&

      subexpr.value().id() != ID_byte_extract_big_endian)

    {

      // Successfully found a member, array index, or combination thereof

      // that matches the desired type and offset:

      result.value = subexpr.value();

      result.pointer = typecast_exprt::conditional_cast(

        address_of_exprt{skip_typecast(subexpr.value())}, pointer_type);

      return result;

    }


    // we extract something from the root object

    result.value = o.root_object();

    result.pointer = typecast_exprt::conditional_cast(

      address_of_exprt{skip_typecast(o.root_object())}, pointer_type);


    if(memory_model(result.value, dereference_type, offset, ns))

    {

      // set pointer correctly

      result.pointer = typecast_exprt::conditional_cast(

        plus_exprt(

          typecast_exprt(

            result.pointer,

            pointer_typet(char_type(), pointer_type.get_width())),

          offset),

        pointer_type);

    }

    else

    {

      return {}; // give up, no way that this is ok

    }


    return result;

  }

}

value_set_dereferencet::valuet value_set_dereferencet::build_reference_to( {…}


static bool is_a_bv_type(const typet &type)

{

  return type.id()==ID_unsignedbv ||

         type.id()==ID_signedbv ||

         type.id()==ID_bv ||

         type.id()==ID_fixedbv ||

         type.id()==ID_floatbv ||

         type.id()==ID_c_enum_tag;

}

static bool is_a_bv_type(const typet &type) {…}


bool value_set_dereferencet::memory_model(

  exprt &value,

  const typet &to_type,

  const exprt &offset,

  const namespacet &ns)

{

  // we will allow more or less arbitrary pointer type cast


  const typet from_type=value.type();


  // first, check if it's really just a type coercion,

  // i.e., both have exactly the same (constant) size,

  // for bit-vector types or pointers


  if(

    (is_a_bv_type(from_type) && is_a_bv_type(to_type)) ||

    (from_type.id() == ID_pointer && to_type.id() == ID_pointer))

  {

    if(pointer_offset_bits(from_type, ns) == pointer_offset_bits(to_type, ns))

    {

      // avoid semantic conversion in case of

      // cast to float or fixed-point,

      // or cast from float or fixed-point


      if(

        to_type.id() != ID_fixedbv && to_type.id() != ID_floatbv &&

        from_type.id() != ID_fixedbv && from_type.id() != ID_floatbv)

      {

        value = typecast_exprt::conditional_cast(value, to_type);

        return true;

      }

    }

  }


  // otherwise, we will stitch it together from bytes


  return memory_model_bytes(value, to_type, offset, ns);

}

bool value_set_dereferencet::memory_model( {…}


bool value_set_dereferencet::memory_model_bytes(

  exprt &value,

  const typet &to_type,

  const exprt &offset,

  const namespacet &ns)

{

  const typet from_type=value.type();


  // We simply refuse to convert to/from code.

  if(from_type.id()==ID_code || to_type.id()==ID_code)

    return false;


  // We won't do this without a commitment to an endianness.

  if(config.ansi_c.endianness==configt::ansi_ct::endiannesst::NO_ENDIANNESS)

    return false;


  // But everything else we will try!

  // We just rely on byte_extract to do the job!


  exprt result;


  // See if we have an array of bytes already,

  // and we want something byte-sized.

  auto from_type_element_type_size =

    from_type.id() == ID_array

      ? pointer_offset_size(to_array_type(from_type).element_type(), ns)

      : std::optional<mp_integer>{};


  auto to_type_size = pointer_offset_size(to_type, ns);


  if(

    from_type.id() == ID_array && from_type_element_type_size.has_value() &&

    *from_type_element_type_size == 1 && to_type_size.has_value() &&

    *to_type_size == 1 &&

    is_a_bv_type(to_array_type(from_type).element_type()) &&

    is_a_bv_type(to_type))

  {

    // yes, can use 'index', but possibly need to convert

    result = typecast_exprt::conditional_cast(

      index_exprt(

        value,

        typecast_exprt::conditional_cast(

          offset, to_array_type(from_type).index_type()),

        to_array_type(from_type).element_type()),

      to_type);

  }

  else

  {

    // no, use 'byte_extract'

    result = make_byte_extract(value, offset, to_type);

  }


  value=result;


  return true;

}

bool value_set_dereferencet::memory_model_bytes( {…}

config
configt config
Definition config.cpp:25

from_integer
constant_exprt from_integer(const mp_integer &int_value, const typet &type)
Definition arith_tools.cpp:99

arith_tools.h

to_bitvector_type
const bitvector_typet & to_bitvector_type(const typet &type)
Cast a typet to a bitvector_typet.
Definition bitvector_types.h:32

make_byte_extract
byte_extract_exprt make_byte_extract(const exprt &_op, const exprt &_offset, const typet &_type)
Construct a byte_extract_exprt with endianness and byte width matching the current configuration.
Definition byte_operators.cpp:48

byte_operators.h
Expression classes for byte-level operators.

pointer_type
pointer_typet pointer_type(const typet &subtype)
Definition c_types.cpp:235

char_type
bitvector_typet char_type()
Definition c_types.cpp:106

c_types.h

address_of_exprt
Operator to return the address of an object.
Definition pointer_expr.h:540

ait
ait supplies three of the four components needed: an abstract interpreter (in this case handling func...
Definition ai.h:562

bitvector_typet::get_width
std::size_t get_width() const
Definition std_types.h:925

configt::ansi_c
struct configt::ansi_ct ansi_c

dereference_callbackt::get_or_create_failed_symbol
virtual const symbolt * get_or_create_failed_symbol(const exprt &expr)=0

dereference_callbackt::get_value_set
virtual std::vector< exprt > get_value_set(const exprt &expr) const =0

dereference_exprt
Operator to dereference a pointer.
Definition pointer_expr.h:834

dstringt
dstringt has one field, an unsigned integer no which is an index into a static table of strings.
Definition dstring.h:38

equal_exprt
Equality.
Definition std_expr.h:1366

exprt
Base class for all expressions.
Definition expr.h:56

exprt::find_source_location
const source_locationt & find_source_location() const
Get a source_locationt from the expression or from its operands (non-recursively).
Definition expr.cpp:147

exprt::depth_end
depth_iteratort depth_end()
Definition expr.cpp:249

exprt::depth_begin
depth_iteratort depth_begin()
Definition expr.cpp:247

exprt::is_zero
bool is_zero() const
Return whether the expression is a constant representing 0.
Definition expr.cpp:47

exprt::is_constant
bool is_constant() const
Return whether the expression is a constant.
Definition expr.h:212

exprt::type
typet & type()
Return the type of the expression.
Definition expr.h:84

exprt::operands
operandst & operands()
Definition expr.h:94

exprt::source_location
const source_locationt & source_location() const
Definition expr.h:231

if_exprt
The trinary if-then-else operator.
Definition std_expr.h:2497

index_exprt
Array index operator.
Definition std_expr.h:1470

irept::pretty
std::string pretty(unsigned indent=0, unsigned max_indent=0) const
Definition irep.cpp:482

irept::is_not_nil
bool is_not_nil() const
Definition irep.h:372

irept::id_string
const std::string & id_string() const
Definition irep.h:391

irept::id
const irep_idt & id() const
Definition irep.h:388

irept::is_nil
bool is_nil() const
Definition irep.h:368

is_dynamic_object_exprt
Evaluates to true if the operand is a pointer to a dynamic object.
Definition pointer_expr.h:335

json_arrayt
Definition json.h:165

json_numbert
Definition json.h:289

json_objectt
Definition json.h:298

json_stringt
Definition json.h:270

let_exprt
A let expression.
Definition std_expr.h:3331

messaget
Class that provides messages with a built-in verbosity 'level'.
Definition message.h:154

namespacet
A namespacet is essentially one or two symbol tables bound together, to allow for symbol lookups in t...
Definition namespace.h:91

nil_exprt
The NIL expression.
Definition std_expr.h:3208

null_pointer_exprt
The null pointer constant.
Definition pointer_expr.h:909

object_descriptor_exprt
Split an expression into a base object and a (byte) offset.
Definition pointer_expr.h:181

object_descriptor_exprt::offset
exprt & offset()
Definition pointer_expr.h:223

object_descriptor_exprt::root_object
static const exprt & root_object(const exprt &expr)
Definition pointer_expr.cpp:186

object_descriptor_exprt::object
exprt & object()
Definition pointer_expr.h:207

plus_exprt
The plus expression Associativity is not specified.
Definition std_expr.h:1002

pointer_typet
The pointer type These are both 'bitvector_typet' (they have a width) and 'type_with_subtypet' (they ...
Definition pointer_expr.h:24

pointer_typet::base_type
const typet & base_type() const
The type of the data what we point to.
Definition pointer_expr.h:35

symbol_exprt
Expression to hold a symbol (variable)
Definition std_expr.h:131

symbolt
Symbol table entry.
Definition symbol.h:28

symbolt::symbol_expr
class symbol_exprt symbol_expr() const
Produces a symbol_exprt for a symbol.
Definition symbol.cpp:121

symbolt::is_lvalue
bool is_lvalue
Definition symbol.h:72

true_exprt
The Boolean constant true.
Definition std_expr.h:3190

typecast_exprt
Semantic type conversion.
Definition std_expr.h:2073

typecast_exprt::conditional_cast
static exprt conditional_cast(const exprt &expr, const typet &type)
Definition std_expr.h:2081

typet
The type of an expression, extends irept.
Definition type.h:29

value_set_dereferencet::valuet
Return value for build_reference_to; see that method for documentation.
Definition value_set_dereference.h:59

value_set_dereferencet::valuet::pointer
exprt pointer
Definition value_set_dereference.h:62

value_set_dereferencet::valuet::pointer_guard
exprt pointer_guard
Definition value_set_dereference.h:63

value_set_dereferencet::valuet::value
exprt value
Definition value_set_dereference.h:61

value_set_dereferencet::memory_model_bytes
static bool memory_model_bytes(exprt &value, const typet &type, const exprt &offset, const namespacet &ns)
Replace value by an expression of type to_type corresponding to the value at memory address value + o...
Definition value_set_dereference.cpp:755

value_set_dereferencet::get_failure_value
valuet get_failure_value(const exprt &pointer, const typet &type)
Definition value_set_dereference.cpp:294

value_set_dereferencet::handle_dereference_base_case
exprt handle_dereference_base_case(const exprt &pointer, bool display_points_to_sets)
Definition value_set_dereference.cpp:216

value_set_dereferencet::exclude_null_derefs
const bool exclude_null_derefs
Flag indicating whether value_set_dereferencet::dereference should disregard an apparent attempt to d...
Definition value_set_dereference.h:107

value_set_dereferencet::new_symbol_table
symbol_table_baset & new_symbol_table
Definition value_set_dereference.h:100

value_set_dereferencet::dereference_type_compare
static bool dereference_type_compare(const typet &object_type, const typet &dereference_type, const namespacet &ns)
Check if the two types have matching number of ID_pointer levels, with the dereference type eventuall...
Definition value_set_dereference.cpp:341

value_set_dereferencet::message_handler
message_handlert & message_handler
Definition value_set_dereference.h:108

value_set_dereferencet::dereference_callback
dereference_callbackt & dereference_callback
Definition value_set_dereference.h:101

value_set_dereferencet::dereference
exprt dereference(const exprt &pointer, bool display_points_to_sets=false)
Dereference the given pointer-expression.
Definition value_set_dereference.cpp:143

value_set_dereferencet::language_mode
const irep_idt language_mode
language_mode: ID_java, ID_C or another language identifier if we know the source language in use,...
Definition value_set_dereference.h:104

value_set_dereferencet::build_reference_to
static valuet build_reference_to(const exprt &what, const exprt &pointer, const namespacet &ns)
Definition value_set_dereference.cpp:460

value_set_dereferencet::should_ignore_value
static bool should_ignore_value(const exprt &what, bool exclude_null_derefs, const irep_idt &language_mode)
Determine whether possible alias what should be ignored when replacing a pointer by its referees.
Definition value_set_dereference.cpp:423

value_set_dereferencet::ns
const namespacet & ns
Definition value_set_dereference.h:99

value_set_dereferencet::memory_model
static bool memory_model(exprt &value, const typet &type, const exprt &offset, const namespacet &ns)
Replace value by an expression of type to_type corresponding to the value at memory address value + o...
Definition value_set_dereference.cpp:708

config.h

cprover_prefix.h

CPROVER_PREFIX
#define CPROVER_PREFIX
Definition cprover_prefix.h:14

dereference_callback.h
Pointer Dereferencing.

expr_iterator.h
Forward depth-first search iterators These iterators' copy operations are expensive,...

skip_typecast
const exprt & skip_typecast(const exprt &expr)
find the expression nested inside typecasts, if any
Definition expr_util.cpp:193

expr_util.h
Deprecated expression utility functions.

format
static format_containert< T > format(const T &o)
Definition format.h:37

format_to_string
std::string format_to_string(const T &o)
Definition format.h:43

format_expr.h

get_fresh_aux_symbol
symbolt & get_fresh_aux_symbol(const typet &type, const std::string &name_prefix, const std::string &basename_prefix, const source_locationt &source_location, const irep_idt &symbol_mode, const namespacet &ns, symbol_table_baset &symbol_table)
Installs a fresh-named symbol with respect to the given namespace ns with the requested name pattern ...
Definition fresh_symbol.cpp:32

fresh_symbol.h
Fresh auxiliary symbol creation.

json.h

from_type
std::string from_type(const namespacet &ns, const irep_idt &identifier, const typet &type)
Definition language_util.cpp:52

log
double log(double x)
Definition math.c:2449

namespace.h

pointer_expr.h
API to expression classes for Pointers.

to_object_descriptor_expr
const object_descriptor_exprt & to_object_descriptor_expr(const exprt &expr)
Cast an exprt to an object_descriptor_exprt.
Definition pointer_expr.h:252

to_pointer_type
const pointer_typet & to_pointer_type(const typet &type)
Cast a typet to a pointer_typet.
Definition pointer_expr.h:93

pointer_offset_size
std::optional< mp_integer > pointer_offset_size(const typet &type, const namespacet &ns)
Compute the size of a type in bytes, rounding up to full bytes.
Definition pointer_offset_size.cpp:91

get_subexpression_at_offset
std::optional< exprt > get_subexpression_at_offset(const exprt &expr, const mp_integer &offset_bytes, const typet &target_type_raw, const namespacet &ns)
Definition pointer_offset_size.cpp:560

pointer_offset_bits
std::optional< mp_integer > pointer_offset_bits(const typet &type, const namespacet &ns)
Definition pointer_offset_size.cpp:102

pointer_offset_size.h
Pointer Logic.

pointer_offset
exprt pointer_offset(const exprt &pointer)
Definition pointer_predicates.cpp:38

same_object
exprt same_object(const exprt &p1, const exprt &p2)
Definition pointer_predicates.cpp:28

pointer_predicates.h
Various predicates over pointers in programs.

range.h
Ranges: pair of begin and end iterators, which can be initialized from containers,...

make_range
ranget< iteratort > make_range(iteratort begin, iteratort end)
Definition range.h:522

simplify
bool simplify(exprt &expr, const namespacet &ns)
Definition simplify_expr.cpp:3246

simplify_expr
exprt simplify_expr(exprt src, const namespacet &ns)
Definition simplify_expr.cpp:3251

simplify_expr.h

PRECONDITION_WITH_DIAGNOSTICS
#define PRECONDITION_WITH_DIAGNOSTICS(CONDITION,...)
Definition invariant.h:464

CHECK_RETURN
#define CHECK_RETURN(CONDITION)
Definition invariant.h:495

message.h

to_typecast_expr
const typecast_exprt & to_typecast_expr(const exprt &expr)
Cast an exprt to a typecast_exprt.
Definition std_expr.h:2107

to_plus_expr
const plus_exprt & to_plus_expr(const exprt &expr)
Cast an exprt to a plus_exprt.
Definition std_expr.h:1041

to_if_expr
const if_exprt & to_if_expr(const exprt &expr)
Cast an exprt to an if_exprt.
Definition std_expr.h:2577

to_constant_expr
const constant_exprt & to_constant_expr(const exprt &expr)
Cast an exprt to a constant_exprt.
Definition std_expr.h:3172

to_symbol_expr
const symbol_exprt & to_symbol_expr(const exprt &expr)
Cast an exprt to a symbol_exprt.
Definition std_expr.h:272

to_struct_type
const struct_typet & to_struct_type(const typet &type)
Cast a typet to a struct_typet.
Definition std_types.h:308

to_struct_tag_type
const struct_tag_typet & to_struct_tag_type(const typet &type)
Cast a typet to a struct_tag_typet.
Definition std_types.h:518

to_array_type
const array_typet & to_array_type(const typet &type)
Cast a typet to an array_typet.
Definition std_types.h:888

configt::ansi_ct::endiannesst::NO_ENDIANNESS
@ NO_ENDIANNESS

symbol.h
Symbol table entry.

try_add_offset_to_indices
static std::optional< exprt > try_add_offset_to_indices(const exprt &expr, const exprt &offset_elements)
If expr is of the form (c1 ? e1[o1] : c2 ? e2[o2] : c3 ? ...) then return c1 ? e1[o1 + offset] : e2[o...
Definition value_set_dereference.cpp:108

is_a_bv_type
static bool is_a_bv_type(const typet &type)
Definition value_set_dereference.cpp:690

value_set_dereference_stats_to_json
static json_objectt value_set_dereference_stats_to_json(const exprt &pointer, const std::vector< exprt > &points_to_set, const std::vector< exprt > &retained_values, const exprt &value)
Definition value_set_dereference.cpp:68

should_use_local_definition_for
static bool should_use_local_definition_for(const exprt &expr)
Returns true if expr is complicated enough that a local definition (using a let expression) is prefer...
Definition value_set_dereference.cpp:51

value_set_dereference.h
Pointer Dereferencing.