pointer-overflow-check: support >2 operands

tautschnig · tautschnig · commit 4ad5c545d7b2 · 2018-04-16T07:40:16.000+01:00
diff --git a/src/analyses/goto_check.cpp b/src/analyses/goto_check.cpp
@@ -13,6 +13,8 @@ Author: Daniel Kroening, kroening@kroening.com
 
 #include <algorithm>
 
+#include <util/c_types.h>
+#include <util/invariant.h>
 #include <util/simplify_expr.h>
 #include <util/array_name.h>
 #include <util/ieee_float.h>
@@ -900,23 +902,56 @@ void goto_checkt::pointer_overflow_check(
   if(!enable_pointer_overflow_check)
     return;
 
-  if(expr.id()==ID_plus ||
-     expr.id()==ID_minus)
+  if(expr.id() != ID_plus && expr.id() != ID_minus)
+    return;
+
+  if(expr.operands().size() > 2)
   {
-    if(expr.operands().size()==2)
+    // The overflow checks are binary!
+    // We break these up.
+
+    for(std::size_t i = 1; i < expr.operands().size(); i++)
     {
-      exprt overflow("overflow-"+expr.id_string(), bool_typet());
-      overflow.operands()=expr.operands();
+      exprt tmp;
 
-      add_guarded_claim(
-        not_exprt(overflow),
-        "pointer arithmetic overflow on "+expr.id_string(),
-        "overflow",
-        expr.find_source_location(),
-        expr,
-        guard);
+      if(i == 1)
+        tmp = expr.op0();
+      else
+      {
+        tmp = expr;
+        tmp.operands().resize(i);
+      }
+
+      exprt tmp2 = expr;
+      tmp2.operands().resize(2);
+      tmp2.op0() = tmp;
+      tmp2.op1() = expr.operands()[i];
+
+      pointer_overflow_check(tmp2, guard);
     }
   }
+  else
+  {
+    DATA_INVARIANT(
+      expr.operands().size() == 2,
+      "overflow-" + expr.id_string() + " takes 2 operands");
+
+    exprt overflow("overflow-" + expr.id_string(), bool_typet());
+    overflow.operands() = expr.operands();
+
+    // this is overflow over integers
+    overflow.op0().make_typecast(size_type());
+    if(overflow.op1().type() != size_type())
+      overflow.op1().make_typecast(size_type());
+
+    add_guarded_claim(
+      not_exprt(overflow),
+      "pointer arithmetic overflow on " + expr.id_string(),
+      "overflow",
+      expr.find_source_location(),
+      expr,
+      guard);
+  }
 }
 
 void goto_checkt::pointer_validity_check(
