merge writes beyond array maximum length

Author: jezhiggins

src/analyses/variable-sensitivity/full_array_abstract_object.cpp

@@ -22,6 +22,7 @@ struct eval_index_resultt
 {
   bool is_good;
   mp_integer value;
+  bool overrun;
 };
 
 static mp_integer max_array_index = 10;
@@ -275,7 +276,8 @@ abstract_object_pointert full_array_abstract_objectt::write_sub_element(
     auto const existing_value = map_find_or_top(index.value, environment, ns);
     result->map_put(
       index.value,
-      environment.write(existing_value, value, stack, ns, merging_write));
+      environment.write(existing_value, value, stack, ns, merging_write),
+      index.overrun);
     result->set_not_top();
     DATA_INVARIANT(result->verify(), "Structural invariants maintained");
     return result;
@@ -337,7 +339,7 @@ abstract_object_pointert full_array_abstract_objectt::write_leaf_element(
     }
     else
     {
-      result->map_put(index.value, value);
+      result->map_put(index.value, value, index.overrun);
       result->set_not_top();
 
       DATA_INVARIANT(result->verify(), "Structural invariants maintained");
@@ -353,14 +355,24 @@ abstract_object_pointert full_array_abstract_objectt::write_leaf_element(
 
 void full_array_abstract_objectt::map_put(
   mp_integer index_value,
-  const abstract_object_pointert &value)
+  const abstract_object_pointert &value,
+  bool overrun)
 {
   auto old_value = map.find(index_value);
 
-  if(old_value.has_value())
-    map.replace(index_value, value);
-  else
+  if(!old_value.has_value())
     map.insert(index_value, value);
+  else
+  {
+    // if we're over the max_index, merge with existing value
+    auto replacement_value =
+      overrun
+        ? abstract_objectt::merge(old_value.value(), value, widen_modet::no)
+            .object
+        : value;
+
+    map.replace(index_value, replacement_value);
+  }
 }
 
 abstract_object_pointert full_array_abstract_objectt::map_find_or_top(
@@ -455,8 +467,7 @@ static eval_index_resultt eval_index(
   mp_integer out_index;
   bool result = to_integer(to_constant_expr(value), out_index);
 
-  if(out_index > max_array_index)
-    out_index = max_array_index;
+  bool overrun = (out_index > max_array_index);
 
-  return {!result, out_index};
+  return {!result, overrun ? max_array_index : out_index, overrun};
 }

src/analyses/variable-sensitivity/full_array_abstract_object.h

@@ -203,7 +203,10 @@ class full_array_abstract_objectt : public abstract_aggregate_objectt<
 
   shared_array_mapt map;
 
-  void map_put(mp_integer index, const abstract_object_pointert &value);
+  void map_put(
+    mp_integer index,
+    const abstract_object_pointert &value,
+    bool overrun);
   abstract_object_pointert map_find_or_top(
     mp_integer index,
     const abstract_environmentt &env,

unit/analyses/variable-sensitivity/full_array_abstract_object/maximum_length.cpp

@@ -86,8 +86,8 @@ SCENARIO(
         EXPECT_INDEX(updated, 0, 1, environment, ns);
         EXPECT_INDEX(updated, 1, 2, environment, ns);
         EXPECT_INDEX(updated, 2, 3, environment, ns);
-        EXPECT_EMPTY_INDEX(updated, 3, environment, ns);
-        EXPECT_EMPTY_INDEX(updated, 4, environment, ns);
+        EXPECT_INDEX_TOP(updated, 3, environment, ns);
+        EXPECT_INDEX_TOP(updated, 4, environment, ns);
         EXPECT_INDEX(updated, 5, 99, environment, ns);
       }
     }
@@ -109,4 +109,53 @@ SCENARIO(
       }
     }
   }
+  WHEN("array = {1, 2, 3}, reads beyond maximum size mapped to max_size")
+  {
+    WHEN("a[max] = 4")
+    {
+      auto array = build_array({1, 2, 3}, environment, ns);
+
+      auto updated = write_array(array, 99, 4, environment, ns);
+
+      for(int i = 10; i <= 30; i += 5)
+        THEN("array[" + std::to_string(i) + "] = 4}")
+        {
+          EXPECT_INDEX(updated, i, 4, environment, ns);
+        }
+    }
+  }
+  WHEN("array = {1, 2, 3}, writes beyond maximum size are merged")
+  {
+    WHEN("array[98] = 3, array[99] = 4")
+    {
+      auto array = build_array({1, 2, 3}, environment, ns);
+
+      auto updated = write_array(array, 99, 4, environment, ns);
+      updated = write_array(updated, 98, 3, environment, ns);
+
+      THEN("array equals {1, 2, 3, ..., [10] = TOP}")
+      {
+        EXPECT_INDEX(updated, 0, 1, environment, ns);
+        EXPECT_INDEX(updated, 1, 2, environment, ns);
+        EXPECT_INDEX(updated, 2, 3, environment, ns);
+        EXPECT_INDEX(updated, 10, {3, 4}, environment, ns);
+      }
+    }
+    WHEN("array[99] = 3, array[99] = 4, array[100] = 5")
+    {
+      auto array = build_array({1, 2, 3}, environment, ns);
+
+      auto updated = write_array(array, 100, 5, environment, ns);
+      updated = write_array(updated, 99, 4, environment, ns);
+      updated = write_array(updated, 98, 3, environment, ns);
+
+      THEN("array equals {1, 2, 3, ..., [10] = TOP}")
+      {
+        EXPECT_INDEX(updated, 0, 1, environment, ns);
+        EXPECT_INDEX(updated, 1, 2, environment, ns);
+        EXPECT_INDEX(updated, 2, 3, environment, ns);
+        EXPECT_INDEX(updated, 10, {3, 4, 5}, environment, ns);
+      }
+    }
+  }
 }

unit/analyses/variable-sensitivity/full_array_abstract_object/merge.cpp

@@ -84,8 +84,8 @@ SCENARIO(
         REQUIRE_FALSE(result.object->is_top());
         REQUIRE_FALSE(result.object->is_bottom());
         EXPECT_INDEX(result.object, 0, val1[0], environment, ns);
-        EXPECT_EMPTY_INDEX(result.object, 1, environment, ns);
-        EXPECT_EMPTY_INDEX(result.object, 1, environment, ns);
+        EXPECT_INDEX_TOP(result.object, 1, environment, ns);
+        EXPECT_INDEX_TOP(result.object, 1, environment, ns);
 
         // Since it has modified, we definitely shouldn't be reusing the pointer
         REQUIRE_FALSE(result.object == op1);
@@ -107,7 +107,7 @@ SCENARIO(
         REQUIRE(result.object->is_top());
         REQUIRE_FALSE(result.object->is_bottom());
         for(int i = 0; i != 3; ++i)
-          EXPECT_EMPTY_INDEX(result.object, i, environment, ns);
+          EXPECT_INDEX_TOP(result.object, i, environment, ns);
 
         // We can't reuse the abstract object as the value has changed
         REQUIRE(result.object != op1);
@@ -151,7 +151,7 @@ SCENARIO(
         REQUIRE(result.object->is_top());
         REQUIRE_FALSE(result.object->is_bottom());
         for(int i = 0; i != 3; ++i)
-          EXPECT_EMPTY_INDEX(result.object, i, environment, ns);
+          EXPECT_INDEX_TOP(result.object, i, environment, ns);
 
         // Is optimal
         REQUIRE(result.object == op1);
@@ -173,7 +173,7 @@ SCENARIO(
         REQUIRE(result.object->is_top());
         REQUIRE_FALSE(result.object->is_bottom());
         for(int i = 0; i != 3; ++i)
-          EXPECT_EMPTY_INDEX(result.object, i, environment, ns);
+          EXPECT_INDEX_TOP(result.object, i, environment, ns);
 
         // Is optimal
         REQUIRE(result.object == op1);
@@ -195,7 +195,7 @@ SCENARIO(
         REQUIRE(result.object->is_top());
         REQUIRE_FALSE(result.object->is_bottom());
         for(int i = 0; i != 3; ++i)
-          EXPECT_EMPTY_INDEX(result.object, i, environment, ns);
+          EXPECT_INDEX_TOP(result.object, i, environment, ns);
 
         // Is optimal
         REQUIRE(result.object == op1);
@@ -239,7 +239,7 @@ SCENARIO(
         REQUIRE(result.object->is_top());
         REQUIRE_FALSE(result.object->is_bottom());
         for(int i = 0; i != 3; ++i)
-          EXPECT_EMPTY_INDEX(result.object, i, environment, ns);
+          EXPECT_INDEX_TOP(result.object, i, environment, ns);
 
         // Is optimal
         REQUIRE(result.object != op1);

unit/analyses/variable-sensitivity/variable_sensitivity_test_helpers.cpp

@@ -140,7 +140,8 @@ as_interval(const abstract_object_pointert &aop)
 std::shared_ptr<const value_set_abstract_objectt>
 as_value_set(const abstract_object_pointert &aop)
 {
-  return std::dynamic_pointer_cast<const value_set_abstract_objectt>(aop);
+  return std::dynamic_pointer_cast<const value_set_abstract_objectt>(
+    aop->unwrap_context());
 }
 
 bool set_contains(const std::vector<exprt> &set, const exprt &val)
@@ -272,10 +273,7 @@ void EXPECT(
   REQUIRE(values.size() == expected_values.size());
 
   for(auto &ev : expected_values)
-  {
-    INFO("Expect " + value_string + " to match " + expected_string);
     REQUIRE(set_contains(values, ev));
-  }
 }
 
 void EXPECT(
@@ -313,19 +311,39 @@ void EXPECT_INDEX(
   REQUIRE(expr_to_str(expr) == expr_to_str(expected_expr));
 }
 
-void EXPECT_EMPTY_INDEX(
+void EXPECT_INDEX(
   std::shared_ptr<const abstract_objectt> &result,
   int index,
+  std::vector<int> expected,
   abstract_environmentt &environment,
   namespacet &ns)
 {
   auto type = signedbv_typet(32);
   auto index_expr = index_exprt(nil_exprt(), from_integer(index, type));
-  auto expr = result->expression_transform(index_expr, {}, environment, ns)
-                ->to_constant();
+  auto value =
+    as_value_set(result->expression_transform(index_expr, {}, environment, ns));
+
+  auto expected_exprs = std::vector<exprt>{};
+  for(int e : expected)
+    expected_exprs.push_back(from_integer(e, type));
+  INFO(
+    "Expect array[" + std::to_string(index) +
+    "] == " + exprs_to_str(expected_exprs));
+  EXPECT(value, expected_exprs);
+}
+
+void EXPECT_INDEX_TOP(
+  std::shared_ptr<const abstract_objectt> &result,
+  int index,
+  abstract_environmentt &environment,
+  namespacet &ns)
+{
+  auto type = signedbv_typet(32);
+  auto index_expr = index_exprt(nil_exprt(), from_integer(index, type));
+  auto value = result->expression_transform(index_expr, {}, environment, ns);
 
-  INFO("Expect array[" + std::to_string(index) + "] to be empty");
-  REQUIRE(expr_to_str(expr) == expr_to_str(nil_exprt()));
+  INFO("Expect array[" + std::to_string(index) + "] to be TOP");
+  REQUIRE(value->is_top());
 }
 
 void EXPECT_UNMODIFIED(

unit/analyses/variable-sensitivity/variable_sensitivity_test_helpers.h

@@ -90,7 +90,13 @@ void EXPECT_INDEX(
   int expected,
   abstract_environmentt &environment,
   namespacet &ns);
-void EXPECT_EMPTY_INDEX(
+void EXPECT_INDEX(
+  std::shared_ptr<const abstract_objectt> &result,
+  int index,
+  std::vector<int> expected,
+  abstract_environmentt &environment,
+  namespacet &ns);
+void EXPECT_INDEX_TOP(
   std::shared_ptr<const abstract_objectt> &result,
   int index,
   abstract_environmentt &environment,