Merge pull request #5693 from tautschnig/zero-size-objects

kroening · web-flow · commit 92ef21ea07f7 · 2020-12-24T09:22:05.000Z
Offset computation can handle zero-sized objects
diff --git a/regression/cbmc/empty_compound_type2/main.c b/regression/cbmc/empty_compound_type2/main.c
@@ -0,0 +1,15 @@
+struct B
+{
+} b[1];
+struct c
+{
+  void *d;
+} e = {b};
+struct
+{
+  struct c f;
+} * g;
+int main()
+{
+  g->f;
+}
diff --git a/regression/cbmc/empty_compound_type2/test.desc b/regression/cbmc/empty_compound_type2/test.desc
@@ -0,0 +1,13 @@
+CORE broken-smt-backend
+main.c
+--pointer-check
+^EXIT=10$
+^SIGNAL=0$
+^VERIFICATION FAILED$
+--
+^warning: ignoring
+Invariant check failed
+--
+Taking the address of an empty struct resulted in an invariant failure in
+address-of flattening. This test was generated using C-Reduce plus some further
+manual simplification.
diff --git a/regression/cbmc/empty_compound_type3/main.c b/regression/cbmc/empty_compound_type3/main.c
@@ -0,0 +1,13 @@
+#include <string.h>
+
+struct a
+{
+} b()
+{
+  struct a *c;
+  memcpy(c + 2, c, 1);
+}
+int main()
+{
+  b();
+}
diff --git a/src/solvers/flattening/boolbv_get.cpp b/src/solvers/flattening/boolbv_get.cpp
@@ -126,6 +126,10 @@ exprt boolbvt::bv_get_rec(
         dest.operands().swap(op);
         return dest;
       }
+      else
+      {
+        return array_exprt{{}, to_array_type(type)};
+      }
     }
     else if(type.id()==ID_struct_tag)
     {
diff --git a/src/solvers/flattening/bv_pointers.cpp b/src/solvers/flattening/bv_pointers.cpp
@@ -138,7 +138,7 @@ bool bv_pointerst::convert_address_of_rec(
 
     // get size
     auto size = pointer_offset_size(array_type.subtype(), ns);
-    CHECK_RETURN(size.has_value() && *size > 0);
+    CHECK_RETURN(size.has_value() && *size >= 0);
 
     offset_arithmetic(bv, *size, index);
     CHECK_RETURN(bv.size()==bits);
@@ -342,7 +342,7 @@ bvt bv_pointerst::convert_pointer_type(const exprt &expr)
         else
         {
           auto size_opt = pointer_offset_size(pointer_sub_type, ns);
-          CHECK_RETURN(size_opt.has_value() && *size_opt > 0);
+          CHECK_RETURN(size_opt.has_value() && *size_opt >= 0);
           size = *size_opt;
         }
       }
diff --git a/src/util/pointer_offset_size.cpp b/src/util/pointer_offset_size.cpp
@@ -670,13 +670,8 @@ optionalt<exprt> get_subexpression_at_offset(
 
     // no arrays of non-byte-aligned, zero-, or unknown-sized objects
     if(
-      !elem_size_bits.has_value() || *elem_size_bits == 0 ||
-      *elem_size_bits % 8 != 0)
-    {
-      return {};
-    }
-
-    if(*target_size_bits <= *elem_size_bits)
+      elem_size_bits.has_value() && *elem_size_bits > 0 &&
+      *elem_size_bits % 8 == 0 && *target_size_bits <= *elem_size_bits)
     {
       const mp_integer elem_size_bytes = *elem_size_bits / 8;
       const auto offset_inside_elem = offset_bytes % elem_size_bytes;

Original file line number	Diff line number	Diff line change
`@@ -126,6 +126,10 @@ exprt boolbvt::bv_get_rec(`
`126`	`126`	`dest.operands().swap(op);`
`127`	`127`	`return dest;`
`128`	`128`	`}`
	`129`	`+ else`
	`130`	`+ {`
	`131`	`+ return array_exprt{{}, to_array_type(type)};`
	`132`	`+ }`
`129`	`133`	`}`
`130`	`134`	`else if(type.id()==ID_struct_tag)`
`131`	`135`	`{`
Original file line number	Diff line number	Diff line change
`@@ -138,7 +138,7 @@ bool bv_pointerst::convert_address_of_rec(`
`138`	`138`
`139`	`139`	`// get size`
`140`	`140`	`auto size = pointer_offset_size(array_type.subtype(), ns);`
`141`		`- CHECK_RETURN(size.has_value() && *size > 0);`
	`141`	`+ CHECK_RETURN(size.has_value() && *size >= 0);`
`142`	`142`
`143`	`143`	`offset_arithmetic(bv, *size, index);`
`144`	`144`	`CHECK_RETURN(bv.size()==bits);`
`@@ -342,7 +342,7 @@ bvt bv_pointerst::convert_pointer_type(const exprt &expr)`
`342`	`342`	`else`
`343`	`343`	`{`
`344`	`344`	`auto size_opt = pointer_offset_size(pointer_sub_type, ns);`
`345`		`- CHECK_RETURN(size_opt.has_value() && *size_opt > 0);`
	`345`	`+ CHECK_RETURN(size_opt.has_value() && *size_opt >= 0);`
`346`	`346`	`size = *size_opt;`
`347`	`347`	`}`
`348`	`348`	`}`