CSVSA: tolerate unreachable function calls

If a function call instruction exists but can't be reached (for example, because
according to CSVSA's analysis we must throw a null-pointer exception before
reaching the target callsite) then it will not exist in CSVSA's callee map. In
this case simply rewrite the callsite to an ASSUME FALSE.

Author: smowton

src/driver/csvsa_specializer.cpp

@@ -438,6 +438,17 @@ goto_programt::targett csvsa_specializert::specialize_instruction(
   const auto &callee_map = context.get_callee_map();
 
   // Replace virtual function calls with specific dispatch tables:
+  auto child_nodes_it = callee_map.find(it->location_number);
+  if(child_nodes_it == callee_map.end())
+  {
+    // This instruction was never examined by CSVSA -- it must be
+    // unreachable.
+    it->make_assumption(false_exprt());
+    return it;
+  }
+
+  const auto &child_nodes = child_nodes_it->second;
+
   auto &function = to_code_function_call(instruction.code).function();
   if(function.id() == ID_virtual_function)
   {
@@ -487,7 +498,6 @@ goto_programt::targett csvsa_specializert::specialize_instruction(
   {
     // Static function call -- simply replace by the target specialization.
     auto &function_symbol = expr_dynamic_cast<symbol_exprt>(function);
-    const auto &child_nodes = callee_map.at(it->location_number);
     INVARIANT(
       child_nodes.size() <= 1, "Non-virtual calls should have a single target");
     // If there are no children, this is a stub -- leave the call alone.