symex_allocate: only use alloc_size when set

tautschnig · tautschnig · commit b5c07f4f37f3 · 2019-02-21T01:12:35.000Z
When alloc_size isn't set but the other conditions in the earlier branch are not
satisfied we must not use alloc_size. Fall back to building an array of
characters instead.
diff --git a/regression/cbmc/Malloc25/main.c b/regression/cbmc/Malloc25/main.c
@@ -0,0 +1,7 @@
+#include <stdlib.h>
+
+int main(int argc, char *argv[])
+{
+  int *p = malloc((size_t)argc * (size_t)argc * sizeof(int));
+  return 0;
+}
diff --git a/regression/cbmc/Malloc25/test.desc b/regression/cbmc/Malloc25/test.desc
@@ -0,0 +1,8 @@
+CORE
+main.c
+
+^EXIT=0$
+^SIGNAL=0$
+^VERIFICATION SUCCESSFUL$
+--
+^warning: ignoring
diff --git a/src/goto-symex/symex_builtin_functions.cpp b/src/goto-symex/symex_builtin_functions.cpp
@@ -102,7 +102,7 @@ void goto_symext::symex_allocate(
 
           object_type = array_typet(*tmp_type, s);
         }
-        else
+        else if(alloc_size.has_value())
         {
           if(*alloc_size == *elem_size)
             object_type = *tmp_type;

Original file line number	Diff line number	Diff line change
`@@ -102,7 +102,7 @@ void goto_symext::symex_allocate(`
`102`	`102`
`103`	`103`	`object_type = array_typet(*tmp_type, s);`
`104`	`104`	`}`
`105`		`- else`
	`105`	`+ else if(alloc_size.has_value())`
`106`	`106`	`{`
`107`	`107`	`if(alloc_size == elem_size)`
`108`	`108`	`object_type = *tmp_type;`