Open mikhailramalho opened 8 years ago
What's the reference code here, [1] isn't obvious.
Hi,
Reconstructed irep on the rhs of the assignment looks like this:
address_of
* pointer_obj : index
* source_value : constant_array
* members :
0: dereference
* pointer : symbol
* name : c::test::main::2::p
* renamelev : Level 0
* level1_num : 0
* level2_num : 0
* thread_num : 0
* node_num : 0
* type : pointer
* subtype : signedbv
* width : 32
* type : signedbv
* width : 32
1: constant_int
* constant_value : 0
* type : signedbv
* width : 32
* type : array
* subtype : signedbv
* width : 32
* array_size : constant_int
* constant_value : 2
* type : signedbv
* width : 32
* size_is_infinite : false
* index : constant_int
* constant_value : 0
* type : signedbv
* width : 32
* type : signedbv
* width : 32
* type : pointer
* subtype : signedbv
* width : 32
The issue seems to be that we're not expecting an unevaluated dereference to crop up /inside/ the contents of the constant array. The dereference code, in the case of an index, is currently geared for resolving a dereference in the index-operand (here zero) or the array source, i.e. resolving what foo is in "p->foo[0]". It doesn't expect to be handed an array of raw values -- it assumes that the contents have already had any dereferences resolved in a previous assignment instruction that initialized the array being accessed.
We could hack it to consider this case; CBMC however creates a new variable to represent the temporary array, avoiding this problem by having a separate instruction in which the dereferences are flushed out. In addition, this resolves a memory uncertainty: you're taking the address of a temporary literal (which seems bad) and that should be seen as a local variable to that function (so that, for example, it's pointer could be invalidated when it goes out of scope). The current way you're doing it, by taking the address of a constant array, won't achieve that (and may lead to explosions later down the model checking chain, not certain).
IMO that's the best solution: create a new temporary array and assign values to it, then perform the assignment to p in a different instruction.
This..... is still an issue as of 2017. Curses.
Stale issue message
Stale issue message
OBS: the new llvm frontend is required in order to reproduce this error.
The program in [1] causes esbmc to hang during symbolic execution. Maybe an infinite loop.
Symex trace shows: