Merge pull request diffblue#5128 from romainbrenguier/bugfix/negative-size-arrays

romainbrenguier · web-flow · commit ed2936406ef8 · 2019-09-26T09:44:23.000+01:00
[TG-9313] Fix invariant failure in case of negative size arrays
diff --git a/jbmc/regression/jbmc/array-cell-sensitivity-negative-size/Test.class b/jbmc/regression/jbmc/array-cell-sensitivity-negative-size/Test.class
diff --git a/jbmc/regression/jbmc/array-cell-sensitivity-negative-size/Test.java b/jbmc/regression/jbmc/array-cell-sensitivity-negative-size/Test.java
@@ -0,0 +1,11 @@
+public class Test {
+  public static void check(Integer t) {
+    if (t != null)
+      try {
+        Integer[] arr = new Integer[-7];
+        assert false;
+      } catch (NegativeArraySizeException e) {
+        assert false;
+      }
+  }
+}
diff --git a/jbmc/regression/jbmc/array-cell-sensitivity-negative-size/test.desc b/jbmc/regression/jbmc/array-cell-sensitivity-negative-size/test.desc
@@ -0,0 +1,9 @@
+CORE
+Test.class
+--function Test.check
+line 5 Array size should be >= 0: FAILURE
+^EXIT=10$
+^SIGNAL=0$
+--
+--
+Test that defining an array with negative size does not crash JBMC
diff --git a/src/goto-symex/field_sensitivity.cpp b/src/goto-symex/field_sensitivity.cpp
@@ -180,14 +180,15 @@ exprt field_sensitivityt::get_fields(
 #ifdef ENABLE_ARRAY_FIELD_SENSITIVITY
   else if(
     ssa_expr.type().id() == ID_array &&
-    to_array_type(ssa_expr.type()).size().id() == ID_constant &&
-    numeric_cast_v<mp_integer>(
-      to_constant_expr(to_array_type(ssa_expr.type()).size())) <=
-      max_field_sensitivity_array_size)
+    to_array_type(ssa_expr.type()).size().id() == ID_constant)
   {
+    const mp_integer mp_array_size = numeric_cast_v<mp_integer>(
+      to_constant_expr(to_array_type(ssa_expr.type()).size()));
+    if(mp_array_size < 0 || mp_array_size > max_field_sensitivity_array_size)
+      return ssa_expr;
+
     const array_typet &type = to_array_type(ssa_expr.type());
-    const std::size_t array_size =
-      numeric_cast_v<std::size_t>(to_constant_expr(type.size()));
+    const std::size_t array_size = numeric_cast_v<std::size_t>(mp_array_size);
 
     array_exprt result(type);
     result.reserve_operands(array_size);
diff --git a/src/solvers/flattening/boolbv_width.cpp b/src/solvers/flattening/boolbv_width.cpp
@@ -141,7 +141,10 @@ const boolbv_widtht::entryt &boolbv_widtht::get_entry(const typet &type) const
       if(total>(1<<30)) // realistic limit
         throw analysis_exceptiont("array too large for flattening");
 
-      entry.total_width = numeric_cast_v<std::size_t>(total);
+      if(total < 0)
+        entry.total_width = 0;
+      else
+        entry.total_width = numeric_cast_v<std::size_t>(total);
     }
   }
   else if(type_id==ID_vector)

Original file line number	Diff line number	Diff line change
`@@ -141,7 +141,10 @@ const boolbv_widtht::entryt &boolbv_widtht::get_entry(const typet &type) const`
`141`	`141`	`if(total>(1<<30)) // realistic limit`
`142`	`142`	`throw analysis_exceptiont("array too large for flattening");`
`143`	`143`
`144`		`- entry.total_width = numeric_cast_v<std::size_t>(total);`
	`144`	`+ if(total < 0)`
	`145`	`+ entry.total_width = 0;`
	`146`	`+ else`
	`147`	`+ entry.total_width = numeric_cast_v<std::size_t>(total);`
`145`	`148`	`}`
`146`	`149`	`}`
`147`	`150`	`else if(type_id==ID_vector)`