Fix pointer subtraction semantics

[tautschnig]

(Please review commit-by-commit.)

Subtracting pointers over the same object is subtraction of the offset
(divided by the element size). Subtracting pointers over different
objects should yield a non-deterministic result.

• Each commit message has a non-empty body, explaining why the change was made.
• n/a Methods or procedures I have added are documented, following the guidelines provided in CODING_STANDARD.md.
• n/a The feature or user visible behaviour I have added or modified has been documented in the User Guide in doc/cprover-manual/
• Regression or unit tests are included, or existing tests cover the modified code (in this case I have detailed which ones those are in the commit message).
• n/a My commit message includes data points confirming performance improvements (if claimed).
• My PR is restricted to a single feature or bugfix.
• n/a White-space or formatting changes outside the feature-related changed lines are in commits of their own.

[kroening]

While at it, if both pointers are null, the result should also be nondeterministic.

[codecov]

Codecov Report

Merging #5838 (5b8028a) into develop (dbbe1da) will increase coverage by 0.00%.
The diff coverage is 100.00%.

@@           Coverage Diff            @@
##           develop    #5838   +/-   ##
========================================
  Coverage    72.86%   72.87%           
========================================
  Files         1421     1421           
  Lines       154173   154207   +34     
========================================
+ Hits        112337   112371   +34     
  Misses       41836    41836           

Impacted Files	Coverage Δ
src/analyses/goto_check.cpp	88.24% <100.00%> (+0.13%)	⬆️
src/solvers/flattening/bv_pointers.cpp	82.00% <100.00%> (+0.82%)	⬆️
src/solvers/flattening/bv_utils.h	85.71% <0.00%> (+1.09%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 751c986...5b8028a. Read the comment docs.

[tautschnig]

While at it, if both pointers are null, the result should also be nondeterministic.

More generally, I believe this should be the case whenever pointers aren't valid, unless just one byte (or element?) beyond the object?

[martin-cs]

If you can add the tests it would be nice.

[martin-cs]

I like this test for non-determinism.

[martin-cs]

Would I be awful to request...

__CPROVER_assert(((char *)(&array[3])) - ((char *)(&array[1])) == 2*sizeof(int), "casting works");

and

int *p = &array[3];
++p;
__CPROVER_assert(p - &array[0] == 4, "end plus one works");
__CPROVER_assert(p - &array[0] != 3, "end plus one works");
++p;
_Bool nondet_branch;
if (nondet_branch)
  __CPROVER_assert(p - &array[0] == 5, "end plus 2 is nondet");
else
  __CPROVER_assert(p - &array[0] != 5, "end plus 2 is nondet");

[tautschnig]

Done, thanks!

[tautschnig]

While at it, if both pointers are null, the result should also be nondeterministic.

More generally, I believe this should be the case whenever pointers aren't valid, unless just one byte (or element?) beyond the object?

That's now covered, which required fixing one of our regression tests...