[smt_convt] Fix comparison of invalid pointers

SaswatPadhi · SaswatPadhi · commit aa04475268bf · 2021-04-16T16:39:25.000-04:00
The SMT conversion routines crashed on encoding of comparisons over invalid
pointers.
This change fixes this behavior by ignoring comparisons against invalid
pointers.
diff --git a/regression/cbmc/memset_null/main.c b/regression/cbmc/memset_null/main.c
@@ -0,0 +1,9 @@
+#include <stdlib.h>
+#include <string.h>
+
+void main()
+{
+  char *data = nondet() ? NULL : malloc(8);
+  memset(data, 0, 8);
+  memset(data, 0, 8);
+}
diff --git a/regression/cbmc/memset_null/test.desc b/regression/cbmc/memset_null/test.desc
@@ -0,0 +1,12 @@
+CORE
+main.c
+
+^\[main.precondition_instance.1\] line .* memset destination region writeable: FAILURE$
+^\[main.precondition_instance.2\] line .* memset destination region writeable: FAILURE$
+^EXIT=10$
+^SIGNAL=0$
+^VERIFICATION FAILED$
+--
+--
+This test case checks that byte operations (e.g. memset) oninvalid and `NULL`
+pointers are correctly encoded in SMT2.
diff --git a/src/solvers/smt2/smt2_conv.cpp b/src/solvers/smt2/smt2_conv.cpp
@@ -4247,6 +4247,11 @@ void smt2_convt::set_to(const exprt &expr, bool value)
   if(expr.id() == ID_equal && value)
   {
     const equal_exprt &equal_expr=to_equal_expr(expr);
+    if(equal_expr.lhs().type().id() == ID_empty)
+    {
+      // ignore equality checking on pointers with empty type
+      return;
+    }
 
     if(equal_expr.lhs().id()==ID_symbol)
     {

Original file line number	Diff line number	Diff line change
`@@ -4247,6 +4247,11 @@ void smt2_convt::set_to(const exprt &expr, bool value)`
`4247`	`4247`	`if(expr.id() == ID_equal && value)`
`4248`	`4248`	`{`
`4249`	`4249`	`const equal_exprt &equal_expr=to_equal_expr(expr);`
	`4250`	`+ if(equal_expr.lhs().type().id() == ID_empty)`
	`4251`	`+ {`
	`4252`	`+ // ignore equality checking on pointers with empty type`
	`4253`	`+ return;`
	`4254`	`+ }`
`4250`	`4255`
`4251`	`4256`	`if(equal_expr.lhs().id()==ID_symbol)`
`4252`	`4257`	`{`