Merge remote-tracking branch 'origin/calloc-speculating' into dash-dev

karoliineh · karoliineh · commit 92ce93539af5 · 2026-02-03T13:03:02.000Z
diff --git a/src/analyses/base.ml b/src/analyses/base.ml
@@ -2763,7 +2763,10 @@ struct
             let blob_set = Option.map_default (fun heap_var -> [heap_var, TVoid [], VD.Blob (VD.bot (), sizeval, ZeroInit.calloc)]) [] heap_var in
             set_many ~man st ((eval_lv ~man st lv, (Cilfacade.typeOfLval lv), Address addr):: blob_set)
           else
-            let blobsize = ID.mul (ID.cast_to ~kind:Internal ik @@ sizeval) (ID.cast_to ~kind:Internal ik @@ countval) in (* TODO: proper castkind *)
+            let blobsize = (* only speculative during ID.mul *)
+              let@ () = GobRef.wrap AnalysisState.executing_speculative_computations true in
+              ID.mul (ID.cast_to ~kind:Internal ik @@ sizeval) (ID.cast_to ~kind:Internal ik @@ countval) (* TODO: proper castkind *)
+            in
             let offset = `Index (IdxDom.of_int (Cilfacade.ptrdiff_ikind ()) Z.zero, `NoOffset) in
             (* the heap_var is the base address of the allocated memory, but we need to keep track of the offset for the blob *)
             let addr_offset = AD.map (fun a -> Addr.add_offset a offset) addr in
diff --git a/tests/regression/39-signed-overflows/17-calloc-mult-speculating.c b/tests/regression/39-signed-overflows/17-calloc-mult-speculating.c
@@ -0,0 +1,8 @@
+// PARAM: --enable ana.int.interval
+#include <stdlib.h>
+
+int main() {
+  size_t a, b;
+  unsigned char *randomString = (unsigned char *)calloc(a,b); // NOWARN (signed integer overflow in *)
+  return 0;
+}
