Pointer arithmetic overflow is overflow on integer representation

tautschnig · tautschnig · commit 2d03d27c170d · 2021-02-10T23:38:05.000Z
At a bare minimum, we should report an overflow when performing pointer arithmetic that would result in an overflow on the underlying integer representation. As future work, we may want to expand on those checks by reporting overflows when exceeding object bounds, as discussed in diffblue#5426. Fixes: diffblue#5284
diff --git a/regression/cbmc/pointer-overflow2/test.desc b/regression/cbmc/pointer-overflow2/test.desc
@@ -1,4 +1,4 @@
-KNOWNBUG
+CORE
 main.c
 --pointer-overflow-check
 ^EXIT=0$
diff --git a/src/analyses/goto_check.cpp b/src/analyses/goto_check.cpp
@@ -1157,8 +1157,13 @@ void goto_checkt::pointer_overflow_check(
     expr.operands().size() == 2,
     "pointer arithmetic expected to have exactly 2 operands");
 
+  // check for address space overflow by checking for overflow on integers
   exprt overflow("overflow-" + expr.id_string(), bool_typet());
-  overflow.operands() = expr.operands();
+  for(const auto &op : expr.operands())
+  {
+    overflow.add_to_operands(
+      typecast_exprt::conditional_cast(op, pointer_diff_type()));
+  }
 
   add_guarded_property(
     not_exprt(overflow),

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-KNOWNBUG`
	`1`	`+CORE`
`2`	`2`	`main.c`
`3`	`3`	`--pointer-overflow-check`
`4`	`4`	`^EXIT=0$`