AliveToolkit · nunoplopes · Dec 17, 2023 · Dec 17, 2023 · Dec 18, 2023 · Dec 18, 2023
diff --git a/ir/instr.cpp b/ir/instr.cpp
@@ -3716,12 +3716,14 @@ StateValue GEP::toSMT(State &s) const {
   auto scalar = [&](const StateValue &ptrval,
                     vector<pair<uint64_t, StateValue>> &offsets) -> StateValue {
     Pointer ptr(s.getMemory(), ptrval.value);
+    Pointer ptr_log = inbounds ? ptr.toLogical().first : ptr;
     AndExpr non_poison(ptrval.non_poison);
     AndExpr inbounds_np;
     AndExpr idx_all_zeros;
 
+    // FIXME: this is only partially implemented for physical pointers
     if (inbounds)
-      inbounds_np.add(ptr.inbounds());
+      inbounds_np.add(ptr_log.inbounds());
 
     for (auto &[sz, idx] : offsets) {
       auto &[v, np] = idx;
@@ -3735,7 +3737,7 @@ StateValue GEP::toSMT(State &s) const {
           non_poison.add(val.sextOrTrunc(v.bits()) == v);
         }
         non_poison.add(multiplier.mul_no_soverflow(val));
-        non_poison.add(ptr.addNoOverflow(inc));
+        non_poison.add(ptr_log.addNoOverflow(inc));
       }
 
 #ifndef NDEBUG
@@ -3747,8 +3749,10 @@ StateValue GEP::toSMT(State &s) const {
       ptr += inc;
       non_poison.add(np);
 
-      if (inbounds)
-        inbounds_np.add(ptr.inbounds());
+      if (inbounds) {
+        ptr_log += inc;
+        inbounds_np.add(ptr_log.inbounds());
+      }
     }
 
     if (inbounds) {

diff --git a/ir/memory.cpp b/ir/memory.cpp
@@ -2161,86 +2161,10 @@ expr Memory::ptr2int(const expr &ptr) const {
   return p.getAddress();
 }
 
-Pointer Memory::searchPointer(const expr &val0) const {
-  DisjointExpr<Pointer> ret;
-  expr val = val0.zextOrTrunc(bits_ptr_address);
-
-  auto add = [&](unsigned limit, bool local) {
-    for (unsigned i = 0; i != limit; ++i) {
-      Pointer p(*this, i, local);
-      Pointer p_end = p + p.blockSize();
-      ret.add(p + (val - p.getAddress()),
-              !local && i == 0 && has_null_block
-                ? val == 0
-                : val.uge(p.getAddress()) && val.ult(p_end.getAddress()));
-    }
-  };
-  add(numLocals(), true);
-  add(numNonlocals(), false);
-  return *std::move(ret)();
-}
-
-expr Memory::int2ptr(const expr &val0) const {
+expr Memory::int2ptr(const expr &val) const {
   assert(!memory_unused() && observesAddresses());
-  if (isAsmMode()) {
-    DisjointExpr<expr> ret(Pointer::mkNullPointer(*this).release());
-    expr val = val0;
-    OrExpr domain;
-    bool processed_all = true;
-
-    // Try to optimize the conversion
-    // Note that the result of int2ptr is always used to dereference the ptr
-    // Hence we can throw away null & OOB pointers
-    // Also, these pointers must have originated from ptr->int type punning
-    // so they must have a (blk_addr bid) expression in them (+ some offset)
-    for (auto [e, cond] : DisjointExpr<expr>(val, 5)) {
-      auto blks = e.get_apps_of("blk_addr", "local_addr!");
-      if (blks.empty()) {
-        expr subst = false;
-        if (cond.isNot(cond))
-          subst = true;
-        val = val.subst(cond, subst);
-        continue;
-      }
-      // There's only one possible bid in this expression
-      if (blks.size() == 1) {
-        auto &fn = *blks.begin();
-        expr bid;
-        if (fn.fn_name().starts_with("local_addr!")) {
-          for (auto &[bid0, addr] : local_blk_addr) {
-            auto blks = addr.get_apps_of("blk_addr", "local_addr!");
-            assert(blks.size() == 1);
-            if (blks.begin()->eq(fn)) {
-              bid = Pointer::mkLongBid(bid0, true);
-              break;
-            }
-          }
-        } else {
-          // non-local block
-          assert(fn.fn_name() == "blk_addr");
-          bid = Pointer::mkLongBid(fn.getFnArg(0), false);
-        }
-        assert(bid.isValid());
-        Pointer base(*this, bid, expr::mkUInt(0, bits_for_offset));
-        expr offset = (e - base.getAddress()).sextOrTrunc(bits_for_offset);
-        ret.add(Pointer(*this, bid, offset).release(), cond);
-      } else {
-        processed_all = false;
-      }
-      domain.add(std::move(cond));
-    }
-    state->addUB(std::move(domain)());
-
-    if (processed_all)
-      return std::move(ret)()->simplify();
-
-    return searchPointer(val.simplify()).release();
-  }
-
-  expr null = Pointer::mkNullPointer(*this).release();
-  expr fn = expr::mkUF("int2ptr", { val0 }, null);
-  state->doesApproximation("inttoptr", fn);
-  return expr::mkIf(val0 == 0, null, fn);
+  return
+    Pointer::mkPhysical(*this, val.zextOrTrunc(bits_ptr_address)).release();
 }
 
 expr Memory::blockValRefined(const Memory &other, unsigned bid, bool local,

diff --git a/ir/memory.h b/ir/memory.h
@@ -337,7 +337,6 @@ class Memory {
 
   smt::expr ptr2int(const smt::expr &ptr) const;
   smt::expr int2ptr(const smt::expr &val) const;
-  Pointer searchPointer(const smt::expr &val) const;
 
   std::tuple<smt::expr, Pointer, std::set<smt::expr>>
     refined(const Memory &other, bool fncall,