Make pointers-to-member work

Change the memory-analyze to produce correct member expressions. Iterate over
the offset from gdb, e.g. `st+4` means jump to the second member component
inside `st`.

Author: Petr Bauch

src/memory-analyzer/analyze_symbol.cpp

@@ -35,10 +35,13 @@ Author: Malte Mues <[email protected]>
 #include <util/expr_initializer.h>
 #include <util/irep.h>
 #include <util/mp_arith.h>
+#include <util/pointer_offset_size.h>
 #include <util/std_code.h>
 #include <util/std_expr.h>
 #include <util/std_types.h>
 #include <util/string_constant.h>
+#include <util/string_utils.h>
+#include <util/string2int.h>
 
 symbol_analyzert::symbol_analyzert(
   const symbol_tablet &symbol_table,
@@ -191,6 +194,43 @@ exprt symbol_analyzert::get_char_pointer_value(
   }
 }
 
+exprt symbol_analyzert::get_pointer_to_member_value(
+  const exprt &expr,
+  const pointer_valuet &pointer_value,
+  const source_locationt &location)
+{
+  PRECONDITION(expr.type().id() == ID_pointer);
+  PRECONDITION(!is_c_char(expr.type().subtype()));
+  std::string memory_location = pointer_value.address;
+  PRECONDITION(memory_location != "0x0");
+  PRECONDITION(!pointer_value.pointee.empty());
+
+  std::string struct_name;
+  size_t member_offset;
+  if(pointer_value.pointee.find("+") != std::string::npos)
+  {
+    std::string member_offset_string;
+    split_string(
+      pointer_value.pointee, '+', struct_name, member_offset_string, true);
+    member_offset = safe_string2size_t(member_offset_string);
+  }
+  else
+  {
+    struct_name = pointer_value.pointee;
+    member_offset = 0;
+  }
+
+  const symbolt *struct_symbol = symbol_table.lookup(struct_name);
+  DATA_INVARIANT(struct_symbol != nullptr, "unknown struct");
+
+  const auto maybe_member_expr = get_subexpression_at_offset(
+    struct_symbol->symbol_expr(), member_offset, expr.type().subtype(), ns);
+  if(maybe_member_expr.has_value())
+    return *maybe_member_expr;
+
+  UNREACHABLE;
+}
+
 exprt symbol_analyzert::get_non_char_pointer_value(
   const exprt &expr,
   const std::string memory_location,
@@ -236,6 +276,24 @@ exprt symbol_analyzert::get_non_char_pointer_value(
   }
 }
 
+bool symbol_analyzert::points_to_member(
+  const pointer_valuet &pointer_value) const
+{
+  if(pointer_value.pointee.find("+") != std::string::npos)
+    return true;
+
+  const symbolt *pointee_symbol = symbol_table.lookup(pointer_value.pointee);
+  if(pointee_symbol == nullptr)
+    return false;
+  const auto pointee_type = pointee_symbol->type;
+  if(
+    pointee_type.id() == ID_struct_tag || pointee_type.id() == ID_union_tag ||
+    pointee_type.id() == ID_array || pointee_type.id() == ID_struct ||
+    pointee_type.id() == ID_union)
+    return true;
+  return false;
+}
+
 exprt symbol_analyzert::get_pointer_value(
   const exprt &expr,
   const exprt &zero_expr,
@@ -260,7 +318,9 @@ exprt symbol_analyzert::get_pointer_value(
     else
     {
       const exprt target_expr =
-        get_non_char_pointer_value(expr, memory_location, location);
+        points_to_member(value)
+          ? get_pointer_to_member_value(expr, value, location)
+          : get_non_char_pointer_value(expr, memory_location, location);
 
       if(target_expr.id() == ID_nil)
       {

src/memory-analyzer/analyze_symbol.h

@@ -145,6 +145,18 @@ class symbol_analyzert
     const exprt &zero_expr,
     const source_locationt &location);
 
+  /// Call \ref get_subexpression_at_offset to get the correct member
+  ///   expression.
+  /// \param expr: the input pointer expression (needed to get the right type)
+  /// \param pointer_value: pointer value with structure name and offset as the
+  ///   pointee member
+  /// \param location: the source location
+  /// \return \ref member_exprt that the \p pointer_value points to
+  exprt get_pointer_to_member_value(
+    const exprt &expr,
+    const pointer_valuet &pointer_value,
+    const source_locationt &location);
+
   /// Similar to \ref get_char_pointer_value. Doesn't re-call
   ///   \ref gdb_apit::get_memory, calls \ref get_expr_value on _dereferenced_
   ///   \p expr (the result of which is assigned to a new symbol).
@@ -174,6 +186,12 @@ class symbol_analyzert
 
   /// Call \ref add_assignment for each pair in \ref outstanding_assignments
   void process_outstanding_assignments();
+
+  /// Analyzes the \p pointer_value to decide if it point to a struct or a
+  ///   union (or array)
+  /// \param pointer_value: pointer value to be analyzed
+  /// \return true if pointing to a member
+  bool points_to_member(const pointer_valuet &pointer_value) const;
 };
 
 #endif // CPROVER_MEMORY_ANALYZER_ANALYZE_SYMBOL_H