SMT2: fix pointer arithmetic

kroening · kroening · commit 01cddb00f8e8 · 2022-11-13T19:00:39.000Z
This fixes the encoding of pointer arithmetic in the SMT2 backend.  Addition
now no longer overflows from the offset into the object part.
diff --git a/regression/cbmc/Pointer24/test.desc b/regression/cbmc/Pointer24/test.desc
@@ -1,4 +1,4 @@
-CORE broken-smt-backend
+CORE
 main.c
 --pointer-check
 ^EXIT=0$
diff --git a/src/solvers/smt2/smt2_conv.cpp b/src/solvers/smt2/smt2_conv.cpp
@@ -3645,21 +3645,35 @@ void smt2_convt::convert_plus(const plus_exprt &expr)
         element_size = *element_size_opt;
       }
 
-      out << "(bvadd ";
+      // First convert the pointer operand
+      out << "(let ((?pointerop ";
       convert_expr(p);
-      out << " ";
+      out << ")) ";
+
+      // The addition is done on the offset part only.
+      const std::size_t pointer_width = boolbv_width(p.type());
+      const std::size_t offset_bits =
+        pointer_width - config.bv_encoding.object_bits;
+
+      out << "(concat ";
+      out << "((_ extract " << pointer_width - 1 << ' ' << offset_bits
+          << ") ?pointerop) ";
+      out << "(bvadd ((_ extract " << offset_bits - 1 << " 0) ?pointerop) ";
 
       if(element_size >= 2)
       {
-        out << "(bvmul ";
+        out << "(bvmul ((_ extract " << offset_bits - 1 << " 0) ";
         convert_expr(i);
-        out << " (_ bv" << element_size << " " << boolbv_width(expr.type())
-            << "))";
+        out << ") (_ bv" << element_size << " " << offset_bits << "))";
       }
       else
+      {
+        out << "((_ extract " << offset_bits - 1 << " 0) ";
         convert_expr(i);
+        out << ')'; // extract
+      }
 
-      out << ')';
+      out << ")))"; // bvadd, concat, let
     }
     else
     {

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-CORE broken-smt-backend`
	`1`	`+CORE`
`2`	`2`	`main.c`
`3`	`3`	`--pointer-check`
`4`	`4`	`^EXIT=0$`