
Commit 0779bbd

author
Daniel Kroening
committed
overflow check for pointer arithmetic
1 parent 4da8871 commit 0779bbd


1 file changed

+52
-2
lines changed


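--- a/src/analyses/goto_check.cpp
+++ b/src/analyses/goto_check.cpp
@@ -69,6 +69,7 @@ class goto_checkt
 void mod_by_zero_check(const mod_exprt &expr, const guardt &guard);
 void undefined_shift_check(const shift_exprt &expr, const guardt &guard);
 void pointer_rel_check(const exprt &expr, const guardt &guard);
+void pointer_overflow_check(const exprt &expr, const guardt &guard);
 void pointer_validity_check(const dereference_exprt &expr, const guardt &guard);
 void integer_overflow_check(const exprt &expr, const guardt &guard);
 void float_overflow_check(const exprt &expr, const guardt &guard);
@@ -855,8 +856,11 @@ void goto_checkt::pointer_rel_check(
 const exprt &expr,
 const guardt &guard)
 {
+if(!enable_pointer_check)
+return;
+
 if(expr.operands().size()!=2)
-throw expr.id_string()+" takes one argument";
+throw expr.id_string()+" takes two arguments";
 
 if(expr.op0().type().id()==ID_pointer &&
 expr.op1().type().id()==ID_pointer)
@@ -880,6 +884,44 @@ void goto_checkt::pointer_rel_check(
 
 /*******************************************************************\
 
+Function: goto_checkt::pointer_overflow_check
+
+Inputs:
+
+Outputs:
+
+Purpose:
+
+\*******************************************************************/
+
+void goto_checkt::pointer_overflow_check(
+const exprt &expr,
+const guardt &guard)
+{
+if(!enable_pointer_check)
+return;
+
+if(expr.id()==ID_plus ||
+expr.id()==ID_minus)
+{
+if(expr.operands().size()==2)
+{
+exprt overflow("overflow-"+expr.id_string(), bool_typet());
+overflow.operands()=expr.operands();
+
+add_guarded_claim(
+not_exprt(overflow),
+"pointer arithmetic overflow on "+expr.id_string(),
+"overflow",
+expr.find_source_location(),
+expr,
+guard);
+}
+}
+}
+
+/*******************************************************************\
+
 Function: goto_checkt::pointer_validity_check
 
 Inputs:
@@ -1393,13 +1435,21 @@ void goto_checkt::check_rec(
 if(expr.type().id()==ID_signedbv ||
 expr.type().id()==ID_unsignedbv)
 {
-integer_overflow_check(expr, guard);
+if(expr.operands().size()==2 &&
+expr.op0().type().id()==ID_pointer)
+pointer_overflow_check(expr, guard);
+else
+integer_overflow_check(expr, guard);
 }
 else if(expr.type().id()==ID_floatbv)
 {
 nan_check(expr, guard);
 float_overflow_check(expr, guard);
 }
+else if(expr.type().id()==ID_pointer)
+{
+pointer_overflow_check(expr, guard);
+}
 }
 else if(expr.id()==ID_le || expr.id()==ID_lt ||
 expr.id()==ID_ge || expr.id()==ID_gt)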
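Review bot: The new pointer_overflow_check (new lines 901–902) returns unless enable_pointer_check is set, yet the claim it emits (line 915) is filed under the "overflow" property class, so a run that asks only for overflow checking silently gets no pointer-arithmetic overflow claims while a pointer-check-only run reports claims tagged as overflow; either gate on both flags, `if(!enable_pointer_check && !enable_overflow_check) return;`, or give the claim its own class such as `"pointer-overflow"` — I am inferring the name of the overflow flag from the integer_overflow_check pattern, whose guard is outside this hunk. The check is also silent for a plus/minus with any operand count other than two (lines 907–919), unlike pointer_rel_check which throws on a bad arity at 862–863, so an n-ary plus reaching this path, if the front end can produce one, would go unchecked rather than fail loudly; at minimum that case deserves a comment. In check_rec the new branch at 1438–1440 routes pointer-minus-pointer (integer-typed result, op0 a pointer) into the same overflow-minus expression with two pointer operands, which only holds if the back end defines overflow-minus for pointer-typed operands — that cannot be confirmed from the hunk. The header comment's Purpose field at 893 is empty; I would write `Purpose: emit a claim that pointer plus/minus integer and pointer minus pointer do not wrap around`. check_rec's body starts and ends outside this hunk.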
