A soundness bug in SMT encoding of pointer objects

[SaswatPadhi]

CBMC version: develop

Operating system: Mac OS 10.15.7

Test case:

#include <assert.h>
#include <stdbool.h>
#include <stdlib.h>

bool validate(const char *data, unsigned allocated)
{
    bool check_1 = (data == NULL ==> allocated == 0);
    bool check_2 = (allocated != 0 ==> __CPROVER_r_ok(data, allocated));
    return check_1 && check_2;
}

void main()
{
    char *data;
    unsigned allocated;

    data = (allocated == 0) ? NULL : malloc(allocated);
    
    __CPROVER_assume(validate(data, allocated));

    assert(validate(data, allocated));
}

Exact command line resulting in the issue:
Either cbmc --smt2 test.c or cbmc --cprover-smt2 test.c.
[Note that z3 is required with the --smt2 flag.]

What behaviour did you expect:
Same behaviour as without the --smt2 flag -- CBMC should be able to establish the assertion.

What happened instead:
CBMC fails to verify the assertion.

$ cbmc test.c | tail
** Results:
<builtin-library-malloc> function malloc
[malloc.assertion.1] line 26 max allocation size exceeded: SUCCESS
[malloc.assertion.2] line 31 max allocation may fail: SUCCESS

test.c function main
[main.assertion.1] line 21 assertion validate(data, allocated): SUCCESS

** 0 of 3 failed (1 iterations)
VERIFICATION SUCCESSFUL

$ cbmc --smt2 test.c | tail
** Results:
<builtin-library-malloc> function malloc
[malloc.assertion.1] line 26 max allocation size exceeded: SUCCESS
[malloc.assertion.2] line 31 max allocation may fail: SUCCESS

test.c function main
[main.assertion.1] line 21 assertion validate(data, allocated): FAILURE

** 1 of 3 failed (2 iterations)
VERIFICATION FAILED

[SaswatPadhi]

cc: @feliperodri

[derived from s2n_blob validation checks]

[SaswatPadhi]

Making data and allocated global, or inlining the validate function in main, resolves this issue.

So there's probably some SMT translation error with function call parameters.

[hannes-steffenhagen-diffblue]

So there's probably some SMT translation error with function call parameters.

That seems unlikely. By the time we reach the backend function parameters don't really look significantly different from other types of variables and variable assignments anymore.

[danielsn]

there is an r_ok in assume context. Does --pointer-primitive-check pass for this?

[SaswatPadhi]

I just checked -- yes it does:

CBMC output

$ cbmc --pointer-primitive-check test.c
CBMC version 5.25.0 (cbmc-5.25.0-142-g5d83cc462) 64-bit x86_64 macos
Parsing test.c
Converting
Type-checking test
Generating GOTO Program
Adding CPROVER library (x86_64)
Removal of function pointers and virtual functions
Generic Property Instrumentation
Running with 8 object bits, 56 offset bits (default)
Starting Bounded Model Checking
Runtime Symex: 0.0204325s
size of program expression: 131 steps
simple slicing removed 2 assignments
Generated 11 VCC(s), 11 remaining after simplification
Runtime Postprocess Equation: 3.3989e-05s
Passing problem to propositional reduction
converting SSA
Runtime Convert SSA: 0.00377948s
Running propositional reduction
Post-processing
Runtime Post-process: 0.00062816s
Solving with MiniSAT 2.2.1 with simplifier
1407 variables, 2780 clauses
SAT checker: instance is UNSATISFIABLE
Runtime Solver: 0.00942859s
Runtime decision procedure: 0.0133539s

** Results:
<builtin-library-malloc> function malloc
[malloc.assertion.1] line 26 max allocation size exceeded: SUCCESS
[malloc.assertion.2] line 31 max allocation may fail: SUCCESS

test.c function main
[main.assertion.1] line 21 assertion validate(data, allocated): SUCCESS

test.c function validate
[validate.pointer_primitives.1] line 8 pointer invalid in R_OK((const void *)data, (__CPROVER_size_t)allocated): SUCCESS
[validate.pointer_primitives.2] line 8 deallocated dynamic object in R_OK((const void *)data, (__CPROVER_size_t)allocated): SUCCESS
[validate.pointer_primitives.3] line 8 dead object in R_OK((const void *)data, (__CPROVER_size_t)allocated): SUCCESS
[validate.pointer_primitives.4] line 8 pointer outside dynamic object bounds in R_OK((const void *)data, (__CPROVER_size_t)allocated): SUCCESS
[validate.pointer_primitives.5] line 8 pointer outside object bounds in R_OK((const void *)data, (__CPROVER_size_t)allocated): SUCCESS

** 0 of 8 failed (1 iterations)
VERIFICATION SUCCESSFUL

[thomasspriggs]

I have confirmed locally that the results of this example are different depending on whether using the default option of using SAT solving vs using a SMT solver. I have also been able to reproduce this using a more minimal example. This example does not use function calls or __CPROVER_r_ok inside an assume -

#include <assert.h>
#include <stdlib.h>

void main()
{
    char *data;
    unsigned allocated;
    __CPROVER_assume(allocated == 1 || allocated == 2);
    data = (allocated == 0) ? NULL : malloc(allocated);
    assert(data != NULL);
    assert(!__CPROVER_is_invalid_pointer(data));
    assert(__CPROVER_r_ok(data, allocated));
}

Output running cbmc.

$ cbmc ./reduced_example.c --smt2
CBMC version 5.25.0 (cbmc-5.25.0-63-g4f4df4cb2-dirty) 64-bit x86_64 linux
Parsing ./reduced_example.c
Converting
Type-checking reduced_example
Generating GOTO Program
Adding CPROVER library (x86_64)
Removal of function pointers and virtual functions
Generic Property Instrumentation
Running with 8 object bits, 56 offset bits (default)
Starting Bounded Model Checking
Runtime Symex: 0.00229157s
size of program expression: 99 steps
simple slicing removed 2 assignments
Generated 3 VCC(s), 3 remaining after simplification
Runtime Postprocess Equation: 1.2301e-05s
Passing problem to SMT2 QF_AUFBV using Z3
converting SSA
Runtime Convert SSA: 0.000373029s
Running SMT2 QF_AUFBV using Z3
Runtime Solver: 0.0103765s
Runtime decision procedure: 0.010809s
Running SMT2 QF_AUFBV using Z3
Runtime Solver: 0.00928149s
Runtime decision procedure: 0.00931552s

** Results:
./reduced_example.c function main
[main.assertion.1] line 10 assertion data != NULL: SUCCESS
[main.assertion.2] line 11 assertion !__CPROVER_is_invalid_pointer(data): SUCCESS
[main.assertion.3] line 12 assertion __CPROVER_r_ok(data, allocated): FAILURE

<builtin-library-malloc> function malloc
[malloc.assertion.1] line 26 max allocation size exceeded: SUCCESS
[malloc.assertion.2] line 31 max allocation may fail: SUCCESS

** 1 of 5 failed (2 iterations)
VERIFICATION FAILED

[thomasspriggs]

@SaswatPadhi How urgent is resolving this issue for you? Does it block other work which you are currently trying to get done?

[SaswatPadhi]

Thanks for looking into this @thomasspriggs.

We recently removed all instances of __CPROVER_r_ok within assume contexts from the s2n project. After that, I didn't encounter this bug for 2 of the harnesses that I was looking into, so it's not super urgent for now. Although from your example it's clear that the issue persists even without r_ok within assume.

Getting Z3 running on the CI is a higher priority than this issue.

[thomasspriggs]

The cause of this issue is likely to be an issue converting from the program form to SMT. Therefore I am going to attach below the --program-only and SMT for reference.

cbmc ./reduced_example.c --smt2 --program-only

CBMC version 5.25.0 (cbmc-5.25.0-63-g4f4df4cb2-dirty) 64-bit x86_64 linux
Parsing ./reduced_example.c
Converting
Type-checking reduced_example
Generating GOTO Program
Adding CPROVER library (x86_64)
Removal of function pointers and virtual functions
Generic Property Instrumentation
Running with 8 object bits, 56 offset bits (default)
Starting Bounded Model Checking
Runtime Symex: 0.00243037s
size of program expression: 99 steps
simple slicing removed 2 assignments
Generated 3 VCC(s), 3 remaining after simplification
Runtime Postprocess Equation: 1.9621e-05s

Program constraints:
// 91 
// 91 
// 21 file <built-in-additions> line 20
(1) SHARED_WRITE(__CPROVER_alloca_object#1)
// 21 file <built-in-additions> line 20
(2) __CPROVER_alloca_object#1 == NULL
// 22 file <built-in-additions> line 14
(3) SHARED_WRITE(__CPROVER_dead_object#1)
// 22 file <built-in-additions> line 14
(4) __CPROVER_dead_object#1 == NULL
// 23 file <built-in-additions> line 13
(5) SHARED_WRITE(__CPROVER_deallocated#1)
// 23 file <built-in-additions> line 13
(6) __CPROVER_deallocated#1 == NULL
// 24 file <built-in-additions> line 23
(7) SHARED_WRITE(__CPROVER_malloc_failure_mode_assert_then_assume#1)
// 24 file <built-in-additions> line 23
(8) __CPROVER_malloc_failure_mode_assert_then_assume#1 == 2
// 25 file <built-in-additions> line 22
(9) SHARED_WRITE(__CPROVER_malloc_failure_mode_return_null#1)
// 25 file <built-in-additions> line 22
(10) __CPROVER_malloc_failure_mode_return_null#1 == 1
// 26 file <built-in-additions> line 17
(11) SHARED_WRITE(__CPROVER_malloc_is_new_array#1)
// 26 file <built-in-additions> line 17
(12) __CPROVER_malloc_is_new_array#1 == FALSE
// 27 file <built-in-additions> line 15
(13) SHARED_WRITE(__CPROVER_malloc_object#1)
// 27 file <built-in-additions> line 15
(14) __CPROVER_malloc_object#1 == NULL
// 28 file <built-in-additions> line 16
(15) SHARED_WRITE(__CPROVER_malloc_size#1)
// 28 file <built-in-additions> line 16
(16) __CPROVER_malloc_size#1 == 0ul
// 29 file <built-in-additions> line 24
(17) SHARED_WRITE(__CPROVER_max_malloc_size#1)
// 29 file <built-in-additions> line 24
(18) __CPROVER_max_malloc_size#1 == 36028797018963968ul
// 30 file <built-in-additions> line 18
(19) SHARED_WRITE(__CPROVER_memory_leak#1)
// 30 file <built-in-additions> line 18
(20) __CPROVER_memory_leak#1 == NULL
// 31 file <built-in-additions> line 8
(21) SHARED_WRITE(__CPROVER_next_thread_id#1)
// 31 file <built-in-additions> line 8
(22) __CPROVER_next_thread_id#1 == 0ul
// 32 file <built-in-additions> line 11
(23) __CPROVER_next_thread_key!0#1 == 0ul
// 33 file <built-in-additions> line 38
(24) SHARED_WRITE(__CPROVER_pipe_count#1)
// 33 file <built-in-additions> line 38
(25) __CPROVER_pipe_count#1 == 0u
// 34 file <built-in-additions> line 29
(26) __CPROVER_rounding_mode!0#1 == 0
// 35 file <built-in-additions> line 6
(27) __CPROVER_thread_id!0#1 == 0ul
// 36 file <built-in-additions> line 10
(28) __CPROVER_thread_key_dtors!0#1 == ARRAY_OF(((const void (*)(const void *))NULL))
// 37 file <built-in-additions> line 9
(29) __CPROVER_thread_keys!0#1 == ARRAY_OF(NULL)
// 38 file <built-in-additions> line 7
(30) SHARED_WRITE(__CPROVER_threads_exited#1)
// 38 file <built-in-additions> line 7
(31) __CPROVER_threads_exited#1 == ARRAY_OF(FALSE)
// 39 
(32) SHARED_WRITE(__CPROVER_malloc_may_fail#1)
// 39 
(33) __CPROVER_malloc_may_fail#1 == FALSE
// 40 
(34) SHARED_WRITE(__CPROVER_malloc_failure_mode#1)
// 40 
(35) __CPROVER_malloc_failure_mode#1 == 0
// 41 
// 92 file ./reduced_example.c line 4
// 92 file ./reduced_example.c line 4
// 0 file ./reduced_example.c line 6 function main
// 1 file ./reduced_example.c line 7 function main
// 2 file ./reduced_example.c line 8 function main
(36) ASSUME(allocated!0@1#1 == 1u || allocated!0@1#1 == 2u)
// 3 file ./reduced_example.c line 9 function main
// 4 file ./reduced_example.c line 9 function main
// 4 file ./reduced_example.c line 9 function main
(37) \guard#1 == (allocated!0@1#1 == 0u)
// 5 file ./reduced_example.c line 9 function main
(38) tmp_if_expr!0@1#2 == NULL
     guard: \guard#1
// 6 file ./reduced_example.c line 9 function main
// 7 file ./reduced_example.c line 9 function main
// 8 file ./reduced_example.c line 9 function main
// 8 file ./reduced_example.c line 9 function main
// 8 file ./reduced_example.c line 9 function main
(39) malloc_size!0@1#1 == (__CPROVER_size_t)allocated!0@1#1
     guard: !\guard#1
// 42 file <builtin-library-malloc> line 12 function malloc
// 55 file <builtin-library-malloc> line 22 function malloc
// 66 file <builtin-library-malloc> line 37 function malloc
// 67 file <builtin-library-malloc> line 38 function malloc
// 68 file <builtin-library-malloc> line 38 function malloc
(40) dynamic_object_size1!0#1 == malloc_size!0@1#1
     guard: !\guard#1
// 68 file <builtin-library-malloc> line 38 function malloc
(41) SHARED_WRITE(dynamic_object1#1)
     guard: !\guard#1
// 68 file <builtin-library-malloc> line 38 function malloc
(42) dynamic_object1#1 == nondet_symbol(symex::nondet0)
     guard: !\guard#1
// 68 file <builtin-library-malloc> line 38 function malloc
(43) malloc_value!0@1#2 == (const void *)dynamic_object1
     guard: !\guard#1
// 69 file <builtin-library-malloc> line 38 function malloc
(44) malloc_res!0@1#2 == (const void *)dynamic_object1
     guard: !\guard#1
// 70 file <builtin-library-malloc> line 41 function malloc
(45) SHARED_WRITE(__CPROVER_deallocated#2)
     guard: !\guard#1
// 70 file <builtin-library-malloc> line 41 function malloc
(46) __CPROVER_deallocated#2 == NULL
     guard: !\guard#1
// 71 file <builtin-library-malloc> line 45 function malloc
// 72 file <builtin-library-malloc> line 45 function malloc
// 73 file <builtin-library-malloc> line 45 function malloc
(47) return_value___VERIFIER_nondet___CPROVER_bool$1!0@1#2 == nondet_symbol(symex::nondet1)
     guard: !\guard#1
// 74 file <builtin-library-malloc> line 45 function malloc
(48) record_malloc!0@1#2 == return_value___VERIFIER_nondet___CPROVER_bool$1!0@1#2
     guard: !\guard#1
// 75 file <builtin-library-malloc> line 46 function malloc
(49) SHARED_WRITE(__CPROVER_malloc_object#2)
     guard: !\guard#1
// 75 file <builtin-library-malloc> line 46 function malloc
(50) __CPROVER_malloc_object#2 == (record_malloc!0@1#2 ? (const void *)dynamic_object1 : NULL)
     guard: !\guard#1
// 76 file <builtin-library-malloc> line 48 function malloc
(51) SHARED_WRITE(__CPROVER_malloc_size#2)
     guard: !\guard#1
// 76 file <builtin-library-malloc> line 48 function malloc
(52) __CPROVER_malloc_size#2 == (record_malloc!0@1#2 ? malloc_size!0@1#1 : 0ul)
     guard: !\guard#1
// 77 file <builtin-library-malloc> line 49 function malloc
(53) SHARED_WRITE(__CPROVER_malloc_is_new_array#2)
     guard: !\guard#1
// 77 file <builtin-library-malloc> line 49 function malloc
(54) __CPROVER_malloc_is_new_array#2 == FALSE
     guard: !\guard#1
// 78 file <builtin-library-malloc> line 53 function malloc
// 79 file <builtin-library-malloc> line 53 function malloc
// 80 file <builtin-library-malloc> line 53 function malloc
(55) return_value___VERIFIER_nondet___CPROVER_bool$2!0@1#2 == nondet_symbol(symex::nondet2)
     guard: !\guard#1
// 81 file <builtin-library-malloc> line 53 function malloc
(56) record_may_leak!0@1#2 == return_value___VERIFIER_nondet___CPROVER_bool$2!0@1#2
     guard: !\guard#1
// 82 file <builtin-library-malloc> line 54 function malloc
(57) SHARED_WRITE(__CPROVER_memory_leak#2)
     guard: !\guard#1
// 82 file <builtin-library-malloc> line 54 function malloc
(58) __CPROVER_memory_leak#2 == (record_may_leak!0@1#2 ? (const void *)dynamic_object1 : NULL)
     guard: !\guard#1
// 83 file <builtin-library-malloc> line 56 function malloc
(59) malloc#return_value!0#1 == (const void *)dynamic_object1
     guard: !\guard#1
// 90 file <builtin-library-malloc> line 57 function malloc
// 9 file ./reduced_example.c line 9 function main
(60) return_value_malloc!0@1#2 == (const void *)dynamic_object1
     guard: !\guard#1
// 11 file ./reduced_example.c line 9 function main
(61) tmp_if_expr!0@1#3 == (const void *)dynamic_object1
     guard: !\guard#1
// 12 file ./reduced_example.c line 9 function main
(62) allocated!0@1#3 == (\guard#1 ? 0u : allocated!0@1#1)
// 12 file ./reduced_example.c line 9 function main
(63) __CPROVER_memory_leak#3 == (\guard#1 ? NULL : __CPROVER_memory_leak#2)
// 12 file ./reduced_example.c line 9 function main
(64) __CPROVER_malloc_is_new_array#3 == FALSE
// 12 file ./reduced_example.c line 9 function main
(65) __CPROVER_malloc_size#3 == (\guard#1 ? 0ul : __CPROVER_malloc_size#2)
// 12 file ./reduced_example.c line 9 function main
(66) __CPROVER_malloc_object#3 == (\guard#1 ? NULL : __CPROVER_malloc_object#2)
// 12 file ./reduced_example.c line 9 function main
(67) tmp_if_expr!0@1#4 == (\guard#1 ? NULL : (const void *)dynamic_object1)
// 12 file ./reduced_example.c line 9 function main
(68) __CPROVER_deallocated#3 == NULL
// 12 file ./reduced_example.c line 9 function main
(69) return_value_malloc!0@1#3 == (const void *)dynamic_object1
// 12 file ./reduced_example.c line 9 function main
(70) dynamic_object_size1!0#2 == dynamic_object_size1!0#1
// 12 file ./reduced_example.c line 9 function main
(71) dynamic_object1#2 == dynamic_object1#1
// 12 file ./reduced_example.c line 9 function main
(72) data!0@1#2 == (char *)tmp_if_expr!0@1#4
// 13 file ./reduced_example.c line 10 function main
(73) ASSERT(!(data!0@1#2 == ((char *)NULL)))
// 14 file ./reduced_example.c line 11 function main
(74) ASSERT(!IS_INVALID_POINTER(data!0@1#2))
// 15 file ./reduced_example.c line 12 function main
(75) ASSERT(!(POINTER_OBJECT(data!0@1#2) == POINTER_OBJECT(NULL)) && !IS_INVALID_POINTER(data!0@1#2) && (!IS_DYNAMIC_OBJECT(data!0@1#2) || POINTER_OFFSET(data!0@1#2) >= 0l && OBJECT_SIZE(data!0@1#2) >= (__CPROVER_size_t)POINTER_OFFSET(data!0@1#2) + (__CPROVER_size_t)allocated!0@1#3) && (IS_DYNAMIC_OBJECT(data!0@1#2) || POINTER_OFFSET(data!0@1#2) >= 0l && OBJECT_SIZE(data!0@1#2) >= (__CPROVER_size_t)POINTER_OFFSET(data!0@1#2) + (__CPROVER_size_t)allocated!0@1#3) && (!(POINTER_OBJECT(NULL) == POINTER_OBJECT(data!0@1#2)) || data!0@1#2 == ((char *)NULL)))
// 20 file ./reduced_example.c line 13 function main
// 93 

SMT output

; SMT 2
(set-info :source "Generated by CBMC 5.25.0 (cbmc-5.25.0-63-g4f4df4cb2-dirty)")
(set-option :produce-models true)
(set-logic QF_AUFBV)

; find_symbols
(declare-fun |goto_symex::&92;guard#1| () Bool)
; convert
(define-fun |B0| () Bool |goto_symex::&92;guard#1|)

; convert
(define-fun |B1| () Bool |goto_symex::&92;guard#1|)

; convert
(define-fun |B2| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B3| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B4| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B5| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B6| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B7| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B8| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B9| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B10| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B11| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B12| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B13| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B14| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B15| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B16| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B17| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B18| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B19| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B20| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B21| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B22| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B23| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B24| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B25| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B26| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B27| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B28| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B29| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B30| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B31| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B32| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B33| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B34| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B35| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B36| () Bool (not |goto_symex::&92;guard#1|))

; set_to true (equal)
(define-fun |__CPROVER_alloca_object#1| () (_ BitVec 64) (_ bv0 64))

; set_to true (equal)
(define-fun |__CPROVER_dead_object#1| () (_ BitVec 64) (_ bv0 64))

; set_to true (equal)
(define-fun |__CPROVER_deallocated#1| () (_ BitVec 64) (_ bv0 64))

; set_to true (equal)
(define-fun |__CPROVER_malloc_failure_mode_assert_then_assume#1| () (_ BitVec 32) (_ bv2 32))

; set_to true (equal)
(define-fun |__CPROVER_malloc_failure_mode_return_null#1| () (_ BitVec 32) (_ bv1 32))

; set_to true (equal)
(define-fun |__CPROVER_malloc_is_new_array#1| () Bool false)

; set_to true (equal)
(define-fun |__CPROVER_malloc_object#1| () (_ BitVec 64) (_ bv0 64))

; set_to true (equal)
(define-fun |__CPROVER_malloc_size#1| () (_ BitVec 64) (_ bv0 64))

; set_to true (equal)
(define-fun |__CPROVER_max_malloc_size#1| () (_ BitVec 64) (_ bv36028797018963968 64))

; set_to true (equal)
(define-fun |__CPROVER_memory_leak#1| () (_ BitVec 64) (_ bv0 64))

; set_to true (equal)
(define-fun |__CPROVER_next_thread_id#1| () (_ BitVec 64) (_ bv0 64))

; set_to true (equal)
(define-fun |__CPROVER_next_thread_key!0#1| () (_ BitVec 64) (_ bv0 64))

; set_to true (equal)
(define-fun |__CPROVER_pipe_count#1| () (_ BitVec 32) (_ bv0 32))

; set_to true (equal)
(define-fun |__CPROVER_rounding_mode!0#1| () (_ BitVec 32) (_ bv0 32))

; set_to true (equal)
(define-fun |__CPROVER_thread_id!0#1| () (_ BitVec 64) (_ bv0 64))

; the following is a substitute for lambda i. x
(declare-fun array_of.0 () (Array (_ BitVec 64) (_ BitVec 64)))
; set_to true (equal)
(define-fun |__CPROVER_thread_key_dtors!0#1| () (Array (_ BitVec 64) (_ BitVec 64)) array_of.0)

; the following is a substitute for lambda i. x
(declare-fun array_of.1 () (Array (_ BitVec 64) (_ BitVec 64)))
; set_to true (equal)
(define-fun |__CPROVER_thread_keys!0#1| () (Array (_ BitVec 64) (_ BitVec 64)) array_of.1)

; the following is a substitute for lambda i. x
(declare-fun array_of.2 () (Array (_ BitVec 64) (_ BitVec 1)))
; set_to true (equal)
(define-fun |__CPROVER_threads_exited#1| () (Array (_ BitVec 64) (_ BitVec 1)) array_of.2)

; set_to true (equal)
(define-fun |__CPROVER_malloc_may_fail#1| () Bool false)

; set_to true (equal)
(define-fun |__CPROVER_malloc_failure_mode#1| () (_ BitVec 32) (_ bv0 32))

; find_symbols
(declare-fun |main::1::allocated!0@1#1| () (_ BitVec 32))
; set_to true
(assert (= |goto_symex::&92;guard#1| (= |main::1::allocated!0@1#1| (_ bv0 32))))

; set_to true (equal)
(define-fun |main::$tmp::tmp_if_expr!0@1#2| () (_ BitVec 64) (_ bv0 64))

; set_to true (equal)
(define-fun |malloc::malloc_size!0@1#1| () (_ BitVec 64) ((_ zero_extend 32) |main::1::allocated!0@1#1|))

; set_to true (equal)
(define-fun |symex_dynamic::dynamic_object_size1!0#1| () (_ BitVec 64) |malloc::malloc_size!0@1#1|)

; find_symbols
(declare-fun |nondet_symex::nondet0| () (Array (_ BitVec 64) (_ BitVec 8)))
; set_to true (equal)
(define-fun |symex_dynamic::dynamic_object1#1| () (Array (_ BitVec 64) (_ BitVec 8)) |nondet_symex::nondet0|)

; find_symbols
(declare-fun |symex_dynamic::dynamic_object1| () (Array (_ BitVec 64) (_ BitVec 8)))
; set_to true (equal)
(define-fun |malloc::$tmp::malloc_value!0@1#2| () (_ BitVec 64) (concat (_ bv2 8) (_ bv0 56)))

; set_to true (equal)
(define-fun |malloc::1::malloc_res!0@1#2| () (_ BitVec 64) (concat (_ bv2 8) (_ bv0 56)))

; set_to true (equal)
(define-fun |__CPROVER_deallocated#2| () (_ BitVec 64) (_ bv0 64))

; find_symbols
(declare-fun |nondet_symex::nondet1| () Bool)
; set_to true (equal)
(define-fun |malloc::$tmp::return_value___VERIFIER_nondet___CPROVER_bool$1!0@1#2| () Bool |nondet_symex::nondet1|)

; set_to true (equal)
(define-fun |malloc::1::record_malloc!0@1#2| () Bool |malloc::$tmp::return_value___VERIFIER_nondet___CPROVER_bool$1!0@1#2|)

; set_to true (equal)
(define-fun |__CPROVER_malloc_object#2| () (_ BitVec 64) (ite |malloc::1::record_malloc!0@1#2| (concat (_ bv2 8) (_ bv0 56)) (_ bv0 64)))

; set_to true (equal)
(define-fun |__CPROVER_malloc_size#2| () (_ BitVec 64) (ite |malloc::1::record_malloc!0@1#2| |malloc::malloc_size!0@1#1| (_ bv0 64)))

; set_to true (equal)
(define-fun |__CPROVER_malloc_is_new_array#2| () Bool false)

; find_symbols
(declare-fun |nondet_symex::nondet2| () Bool)
; set_to true (equal)
(define-fun |malloc::$tmp::return_value___VERIFIER_nondet___CPROVER_bool$2!0@1#2| () Bool |nondet_symex::nondet2|)

; set_to true (equal)
(define-fun |malloc::1::record_may_leak!0@1#2| () Bool |malloc::$tmp::return_value___VERIFIER_nondet___CPROVER_bool$2!0@1#2|)

; set_to true (equal)
(define-fun |__CPROVER_memory_leak#2| () (_ BitVec 64) (ite |malloc::1::record_may_leak!0@1#2| (concat (_ bv2 8) (_ bv0 56)) (_ bv0 64)))

; set_to true (equal)
(define-fun |malloc#return_value!0#1| () (_ BitVec 64) (concat (_ bv2 8) (_ bv0 56)))

; set_to true (equal)
(define-fun |main::$tmp::return_value_malloc!0@1#2| () (_ BitVec 64) (concat (_ bv2 8) (_ bv0 56)))

; set_to true (equal)
(define-fun |main::$tmp::tmp_if_expr!0@1#3| () (_ BitVec 64) (concat (_ bv2 8) (_ bv0 56)))

; set_to true (equal)
(define-fun |__CPROVER_memory_leak#3| () (_ BitVec 64) (ite |goto_symex::&92;guard#1| (_ bv0 64) |__CPROVER_memory_leak#2|))

; set_to true (equal)
(define-fun |__CPROVER_malloc_is_new_array#3| () Bool false)

; set_to true (equal)
(define-fun |__CPROVER_malloc_size#3| () (_ BitVec 64) (ite |goto_symex::&92;guard#1| (_ bv0 64) |__CPROVER_malloc_size#2|))

; set_to true (equal)
(define-fun |main::$tmp::tmp_if_expr!0@1#4| () (_ BitVec 64) (ite |goto_symex::&92;guard#1| (_ bv0 64) (concat (_ bv2 8) (_ bv0 56))))

; set_to true (equal)
(define-fun |__CPROVER_malloc_object#3| () (_ BitVec 64) (ite |goto_symex::&92;guard#1| (_ bv0 64) |__CPROVER_malloc_object#2|))

; set_to true (equal)
(define-fun |__CPROVER_deallocated#3| () (_ BitVec 64) (_ bv0 64))

; set_to true (equal)
(define-fun |main::1::allocated!0@1#3| () (_ BitVec 32) (ite |goto_symex::&92;guard#1| (_ bv0 32) |main::1::allocated!0@1#1|))

; set_to true (equal)
(define-fun |symex_dynamic::dynamic_object_size1!0#2| () (_ BitVec 64) |symex_dynamic::dynamic_object_size1!0#1|)

; set_to true (equal)
(define-fun |symex_dynamic::dynamic_object1#2| () (Array (_ BitVec 64) (_ BitVec 8)) |symex_dynamic::dynamic_object1#1|)

; set_to true (equal)
(define-fun |main::$tmp::return_value_malloc!0@1#3| () (_ BitVec 64) (concat (_ bv2 8) (_ bv0 56)))

; set_to true (equal)
(define-fun |main::1::data!0@1#2| () (_ BitVec 64) |main::$tmp::tmp_if_expr!0@1#4|)

; find_symbols
(declare-fun |main::1::data!0@1#1| () (_ BitVec 64))
; convert
(define-fun |B37| () Bool (= |main::1::data!0@1#1| |main::1::data!0@1#1|))

; convert
(define-fun |B38| () Bool (= |main::1::allocated!0@1#1| |main::1::allocated!0@1#1|))

; find_symbols
(declare-fun |main::$tmp::tmp_if_expr!0@1#1| () (_ BitVec 64))
; convert
(define-fun |B39| () Bool (= |main::$tmp::tmp_if_expr!0@1#1| |main::$tmp::tmp_if_expr!0@1#1|))

; find_symbols
(declare-fun |main::$tmp::return_value_malloc!0@1#1| () (_ BitVec 64))
; convert
(define-fun |B40| () Bool (= |main::$tmp::return_value_malloc!0@1#1| |main::$tmp::return_value_malloc!0@1#1|))

; find_symbols
(declare-fun |malloc::1::malloc_res!0@1#1| () (_ BitVec 64))
; convert
(define-fun |B41| () Bool (= |malloc::1::malloc_res!0@1#1| |malloc::1::malloc_res!0@1#1|))

; find_symbols
(declare-fun |malloc::$tmp::malloc_value!0@1#1| () (_ BitVec 64))
; convert
(define-fun |B42| () Bool (= |malloc::$tmp::malloc_value!0@1#1| |malloc::$tmp::malloc_value!0@1#1|))

; find_symbols
(declare-fun |malloc::1::record_malloc!0@1#1| () Bool)
; convert
(define-fun |B43| () Bool (= |malloc::1::record_malloc!0@1#1| |malloc::1::record_malloc!0@1#1|))

; find_symbols
(declare-fun |malloc::$tmp::return_value___VERIFIER_nondet___CPROVER_bool$1!0@1#1| () Bool)
; convert
(define-fun |B44| () Bool (= |malloc::$tmp::return_value___VERIFIER_nondet___CPROVER_bool$1!0@1#1| |malloc::$tmp::return_value___VERIFIER_nondet___CPROVER_bool$1!0@1#1|))

; find_symbols
(declare-fun |malloc::1::record_may_leak!0@1#1| () Bool)
; convert
(define-fun |B45| () Bool (= |malloc::1::record_may_leak!0@1#1| |malloc::1::record_may_leak!0@1#1|))

; find_symbols
(declare-fun |malloc::$tmp::return_value___VERIFIER_nondet___CPROVER_bool$2!0@1#1| () Bool)
; convert
(define-fun |B46| () Bool (= |malloc::$tmp::return_value___VERIFIER_nondet___CPROVER_bool$2!0@1#1| |malloc::$tmp::return_value___VERIFIER_nondet___CPROVER_bool$2!0@1#1|))

; convert
(define-fun |B47| () Bool (or (= |main::1::allocated!0@1#1| (_ bv1 32)) (= |main::1::allocated!0@1#1| (_ bv2 32))))

; convert
(define-fun |B48| () Bool (not (= |main::1::allocated!0@1#1| (_ bv0 32))))

; find_symbols
(declare-fun |symex::args::0| () (_ BitVec 64))
; set_to true
(assert (= ((_ zero_extend 32) |main::1::allocated!0@1#1|) |symex::args::0|))

; convert
(define-fun |B49| () Bool (=> (and true |B47|) (not (= |main::1::data!0@1#2| (_ bv0 64)))))

; convert
(define-fun |B50| () Bool (=> (and true |B47|) (not (= ((_ extract 63 56) |main::1::data!0@1#2|) (_ bv1 8)))))

(declare-fun object_size.0 () (_ BitVec 64))
; convert
(define-fun |B51| () Bool (=> (and true |B47|) (and (not (= ((_ zero_extend 56) ((_ extract 63 56) |main::1::data!0@1#2|)) ((_ zero_extend 56) ((_ extract 63 56) (_ bv0 64))))) (not (= ((_ extract 63 56) |main::1::data!0@1#2|) (_ bv1 8))) (or (not (let ((?obj ((_ extract 63 56) |main::1::data!0@1#2|))) (= (_ bv2 8) ?obj))) (and (bvsge ((_ zero_extend 8) ((_ extract 55 0) |main::1::data!0@1#2|)) (_ bv0 64)) (bvuge object_size.0 (bvadd ((_ zero_extend 8) ((_ extract 55 0) |main::1::data!0@1#2|)) ((_ zero_extend 32) |main::1::allocated!0@1#3|))))) (or (let ((?obj ((_ extract 63 56) |main::1::data!0@1#2|))) (= (_ bv2 8) ?obj)) (and (bvsge ((_ zero_extend 8) ((_ extract 55 0) |main::1::data!0@1#2|)) (_ bv0 64)) (bvuge object_size.0 (bvadd ((_ zero_extend 8) ((_ extract 55 0) |main::1::data!0@1#2|)) ((_ zero_extend 32) |main::1::allocated!0@1#3|))))) (or (not (= ((_ zero_extend 56) ((_ extract 63 56) (_ bv0 64))) ((_ zero_extend 56) ((_ extract 63 56) |main::1::data!0@1#2|)))) (= |main::1::data!0@1#2| (_ bv0 64))))))

; set_to true
(assert (or (not |B49|) (not |B50|) (not |B51|)))

; convert
(define-fun |B52| () Bool (not |B49|))

; convert
(define-fun |B53| () Bool (not |B50|))

; convert
(define-fun |B54| () Bool (not |B51|))

; set_to true
(assert (or |B52| |B53| |B54|))

(check-sat)

(get-value (|B0|))
(get-value (|B1|))
(get-value (|B10|))
(get-value (|B11|))
(get-value (|B12|))
(get-value (|B13|))
(get-value (|B14|))
(get-value (|B15|))
(get-value (|B16|))
(get-value (|B17|))
(get-value (|B18|))
(get-value (|B19|))
(get-value (|B2|))
(get-value (|B20|))
(get-value (|B21|))
(get-value (|B22|))
(get-value (|B23|))
(get-value (|B24|))
(get-value (|B25|))
(get-value (|B26|))
(get-value (|B27|))
(get-value (|B28|))
(get-value (|B29|))
(get-value (|B3|))
(get-value (|B30|))
(get-value (|B31|))
(get-value (|B32|))
(get-value (|B33|))
(get-value (|B34|))
(get-value (|B35|))
(get-value (|B36|))
(get-value (|B37|))
(get-value (|B38|))
(get-value (|B39|))
(get-value (|B4|))
(get-value (|B40|))
(get-value (|B41|))
(get-value (|B42|))
(get-value (|B43|))
(get-value (|B44|))
(get-value (|B45|))
(get-value (|B46|))
(get-value (|B47|))
(get-value (|B48|))
(get-value (|B49|))
(get-value (|B5|))
(get-value (|B50|))
(get-value (|B51|))
(get-value (|B52|))
(get-value (|B53|))
(get-value (|B54|))
(get-value (|B6|))
(get-value (|B7|))
(get-value (|B8|))
(get-value (|B9|))
(get-value (|__CPROVER_alloca_object#1|))
(get-value (|__CPROVER_dead_object#1|))
(get-value (|__CPROVER_deallocated#1|))
(get-value (|__CPROVER_deallocated#2|))
(get-value (|__CPROVER_deallocated#3|))
(get-value (|__CPROVER_malloc_failure_mode#1|))
(get-value (|__CPROVER_malloc_failure_mode_assert_then_assume#1|))
(get-value (|__CPROVER_malloc_failure_mode_return_null#1|))
(get-value (|__CPROVER_malloc_is_new_array#1|))
(get-value (|__CPROVER_malloc_is_new_array#2|))
(get-value (|__CPROVER_malloc_is_new_array#3|))
(get-value (|__CPROVER_malloc_may_fail#1|))
(get-value (|__CPROVER_malloc_object#1|))
(get-value (|__CPROVER_malloc_object#2|))
(get-value (|__CPROVER_malloc_object#3|))
(get-value (|__CPROVER_malloc_size#1|))
(get-value (|__CPROVER_malloc_size#2|))
(get-value (|__CPROVER_malloc_size#3|))
(get-value (|__CPROVER_max_malloc_size#1|))
(get-value (|__CPROVER_memory_leak#1|))
(get-value (|__CPROVER_memory_leak#2|))
(get-value (|__CPROVER_memory_leak#3|))
(get-value (|__CPROVER_next_thread_id#1|))
(get-value (|__CPROVER_next_thread_key!0#1|))
(get-value (|__CPROVER_pipe_count#1|))
(get-value (|__CPROVER_rounding_mode!0#1|))
(get-value (|__CPROVER_thread_id!0#1|))
(get-value (|__CPROVER_thread_key_dtors!0#1|))
(get-value (|__CPROVER_thread_keys!0#1|))
(get-value (|__CPROVER_threads_exited#1|))
(get-value (|goto_symex::&92;guard#1|))
(get-value (|main::$tmp::return_value_malloc!0@1#1|))
(get-value (|main::$tmp::return_value_malloc!0@1#2|))
(get-value (|main::$tmp::return_value_malloc!0@1#3|))
(get-value (|main::$tmp::tmp_if_expr!0@1#1|))
(get-value (|main::$tmp::tmp_if_expr!0@1#2|))
(get-value (|main::$tmp::tmp_if_expr!0@1#3|))
(get-value (|main::$tmp::tmp_if_expr!0@1#4|))
(get-value (|main::1::allocated!0@1#1|))
(get-value (|main::1::allocated!0@1#3|))
(get-value (|main::1::data!0@1#1|))
(get-value (|main::1::data!0@1#2|))
(get-value (|malloc#return_value!0#1|))
(get-value (|malloc::$tmp::malloc_value!0@1#1|))
(get-value (|malloc::$tmp::malloc_value!0@1#2|))
(get-value (|malloc::$tmp::return_value___VERIFIER_nondet___CPROVER_bool$1!0@1#1|))
(get-value (|malloc::$tmp::return_value___VERIFIER_nondet___CPROVER_bool$1!0@1#2|))
(get-value (|malloc::$tmp::return_value___VERIFIER_nondet___CPROVER_bool$2!0@1#1|))
(get-value (|malloc::$tmp::return_value___VERIFIER_nondet___CPROVER_bool$2!0@1#2|))
(get-value (|malloc::1::malloc_res!0@1#1|))
(get-value (|malloc::1::malloc_res!0@1#2|))
(get-value (|malloc::1::record_malloc!0@1#1|))
(get-value (|malloc::1::record_malloc!0@1#2|))
(get-value (|malloc::1::record_may_leak!0@1#1|))
(get-value (|malloc::1::record_may_leak!0@1#2|))
(get-value (|malloc::malloc_size!0@1#1|))
(get-value (|nondet_symex::nondet0|))
(get-value (|nondet_symex::nondet1|))
(get-value (|nondet_symex::nondet2|))
(get-value (|symex::args::0|))
(get-value (|symex_dynamic::dynamic_object1|))
(get-value (|symex_dynamic::dynamic_object1#1|))
(get-value (|symex_dynamic::dynamic_object1#2|))
(get-value (|symex_dynamic::dynamic_object_size1!0#1|))
(get-value (|symex_dynamic::dynamic_object_size1!0#2|))

(exit)
; end of SMT2 file

Given that getting Z3 running in CI is a higher priority, I am going to park my work on this for the moment. At least until after the CI changes are done.

[SaswatPadhi]

Thanks @thomasspriggs.
I was able to reduce it a bit more:

#include <assert.h>
#include <stdlib.h>

void main()
{
    char *data;
    data = nondet() ? malloc(1) : malloc(2);
    assert(__CPROVER_OBJECT_SIZE(data) <= 2);
}

This generates a much simpler SMT file:

SMT2 file sent to Z3

; SMT 2
; Generated for Z3
(set-info :source "Generated by CBMC 5.26.0 (cbmc-5.26.0-dirty)")
(set-option :produce-models true)

; find_symbols
(declare-fun |goto_symex::&92;guard#1| () Bool)
; convert
(define-fun |B0| () Bool |goto_symex::&92;guard#1|)

; convert
(define-fun |B1| () Bool |goto_symex::&92;guard#1|)

; convert
(define-fun |B2| () Bool |goto_symex::&92;guard#1|)

; convert
(define-fun |B3| () Bool |goto_symex::&92;guard#1|)

; convert
(define-fun |B4| () Bool |goto_symex::&92;guard#1|)

; convert
(define-fun |B5| () Bool |goto_symex::&92;guard#1|)

; convert
(define-fun |B6| () Bool |goto_symex::&92;guard#1|)

; convert
(define-fun |B7| () Bool |goto_symex::&92;guard#1|)

; convert
(define-fun |B8| () Bool |goto_symex::&92;guard#1|)

; convert
(define-fun |B9| () Bool |goto_symex::&92;guard#1|)

; convert
(define-fun |B10| () Bool |goto_symex::&92;guard#1|)

; convert
(define-fun |B11| () Bool |goto_symex::&92;guard#1|)

; convert
(define-fun |B12| () Bool |goto_symex::&92;guard#1|)

; convert
(define-fun |B13| () Bool |goto_symex::&92;guard#1|)

; convert
(define-fun |B14| () Bool |goto_symex::&92;guard#1|)

; convert
(define-fun |B15| () Bool |goto_symex::&92;guard#1|)

; convert
(define-fun |B16| () Bool |goto_symex::&92;guard#1|)

; convert
(define-fun |B17| () Bool |goto_symex::&92;guard#1|)

; convert
(define-fun |B18| () Bool |goto_symex::&92;guard#1|)

; convert
(define-fun |B19| () Bool |goto_symex::&92;guard#1|)

; convert
(define-fun |B20| () Bool |goto_symex::&92;guard#1|)

; convert
(define-fun |B21| () Bool |goto_symex::&92;guard#1|)

; convert
(define-fun |B22| () Bool |goto_symex::&92;guard#1|)

; convert
(define-fun |B23| () Bool |goto_symex::&92;guard#1|)

; convert
(define-fun |B24| () Bool |goto_symex::&92;guard#1|)

; convert
(define-fun |B25| () Bool |goto_symex::&92;guard#1|)

; convert
(define-fun |B26| () Bool |goto_symex::&92;guard#1|)

; convert
(define-fun |B27| () Bool |goto_symex::&92;guard#1|)

; convert
(define-fun |B28| () Bool |goto_symex::&92;guard#1|)

; convert
(define-fun |B29| () Bool |goto_symex::&92;guard#1|)

; convert
(define-fun |B30| () Bool |goto_symex::&92;guard#1|)

; convert
(define-fun |B31| () Bool |goto_symex::&92;guard#1|)

; convert
(define-fun |B32| () Bool |goto_symex::&92;guard#1|)

; convert
(define-fun |B33| () Bool |goto_symex::&92;guard#1|)

; convert
(define-fun |B34| () Bool |goto_symex::&92;guard#1|)

; convert
(define-fun |B35| () Bool |goto_symex::&92;guard#1|)

; convert
(define-fun |B36| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B37| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B38| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B39| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B40| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B41| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B42| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B43| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B44| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B45| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B46| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B47| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B48| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B49| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B50| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B51| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B52| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B53| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B54| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B55| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B56| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B57| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B58| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B59| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B60| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B61| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B62| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B63| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B64| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B65| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B66| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B67| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B68| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B69| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B70| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B71| () Bool (not |goto_symex::&92;guard#1|))

; convert
(define-fun |B72| () Bool (not |goto_symex::&92;guard#1|))

; set_to true (equal)
(define-fun |__CPROVER_alloca_object#1| () (_ BitVec 64) (_ bv0 64))

; set_to true (equal)
(define-fun |__CPROVER_dead_object#1| () (_ BitVec 64) (_ bv0 64))

; set_to true (equal)
(define-fun |__CPROVER_deallocated#1| () (_ BitVec 64) (_ bv0 64))

; set_to true (equal)
(define-fun |__CPROVER_malloc_failure_mode_assert_then_assume#1| () (_ BitVec 32) (_ bv2 32))

; set_to true (equal)
(define-fun |__CPROVER_malloc_failure_mode_return_null#1| () (_ BitVec 32) (_ bv1 32))

; set_to true (equal)
(define-fun |__CPROVER_malloc_is_new_array#1| () Bool false)

; set_to true (equal)
(define-fun |__CPROVER_malloc_object#1| () (_ BitVec 64) (_ bv0 64))

; set_to true (equal)
(define-fun |__CPROVER_malloc_size#1| () (_ BitVec 64) (_ bv0 64))

; set_to true (equal)
(define-fun |__CPROVER_max_malloc_size#1| () (_ BitVec 64) (_ bv36028797018963968 64))

; set_to true (equal)
(define-fun |__CPROVER_memory_leak#1| () (_ BitVec 64) (_ bv0 64))

; set_to true (equal)
(define-fun |__CPROVER_next_thread_id#1| () (_ BitVec 64) (_ bv0 64))

; set_to true (equal)
(define-fun |__CPROVER_next_thread_key!0#1| () (_ BitVec 64) (_ bv0 64))

; set_to true (equal)
(define-fun |__CPROVER_pipe_count#1| () (_ BitVec 32) (_ bv0 32))

; set_to true (equal)
(define-fun |__CPROVER_rounding_mode!0#1| () (_ BitVec 32) (_ bv0 32))

; set_to true (equal)
(define-fun |__CPROVER_thread_id!0#1| () (_ BitVec 64) (_ bv0 64))

; the following is a substitute for lambda i. x
(declare-fun array_of.0 () (Array (_ BitVec 64) (_ BitVec 64)))
; set_to true (equal)
(define-fun |__CPROVER_thread_key_dtors!0#1| () (Array (_ BitVec 64) (_ BitVec 64)) array_of.0)

; the following is a substitute for lambda i. x
(declare-fun array_of.1 () (Array (_ BitVec 64) (_ BitVec 64)))
; set_to true (equal)
(define-fun |__CPROVER_thread_keys!0#1| () (Array (_ BitVec 64) (_ BitVec 64)) array_of.1)

; the following is a substitute for lambda i. x
(declare-fun array_of.2 () (Array (_ BitVec 64) Bool))
; set_to true (equal)
(define-fun |__CPROVER_threads_exited#1| () (Array (_ BitVec 64) Bool) array_of.2)

; set_to true (equal)
(define-fun |__CPROVER_malloc_may_fail#1| () Bool false)

; set_to true (equal)
(define-fun |__CPROVER_malloc_failure_mode#1| () (_ BitVec 32) (_ bv0 32))

; find_symbols
(declare-fun |nondet_symex::nondet0| () (_ BitVec 32))
; set_to true (equal)
(define-fun |main::$tmp::return_value_nondet!0@1#2| () (_ BitVec 32) |nondet_symex::nondet0|)

; set_to true
(assert (= |goto_symex::&92;guard#1| (not (= |main::$tmp::return_value_nondet!0@1#2| (_ bv0 32)))))

; set_to true (equal)
(define-fun |malloc::malloc_size!0@1#1| () (_ BitVec 64) (_ bv1 64))

; find_symbols
(declare-fun |nondet_symex::nondet1| () (Array (_ BitVec 64) (_ BitVec 8)))
; set_to true (equal)
(define-fun |symex_dynamic::dynamic_object1#1| () (Array (_ BitVec 64) (_ BitVec 8)) |nondet_symex::nondet1|)

; set_to true (equal)
(define-fun |symex_dynamic::dynamic_object1#1[[0]]| () (_ BitVec 8) (select |symex_dynamic::dynamic_object1#1| (_ bv0 64)))

; find_symbols
(declare-fun |symex_dynamic::dynamic_object1| () (Array (_ BitVec 64) (_ BitVec 8)))
; set_to true (equal)
(define-fun |malloc::$tmp::malloc_value!0@1#2| () (_ BitVec 64) (concat (_ bv2 8) (_ bv0 56)))

; set_to true (equal)
(define-fun |malloc::1::malloc_res!0@1#2| () (_ BitVec 64) (concat (_ bv2 8) (_ bv0 56)))

; set_to true (equal)
(define-fun |__CPROVER_deallocated#2| () (_ BitVec 64) (_ bv0 64))

; find_symbols
(declare-fun |nondet_symex::nondet2| () Bool)
; set_to true (equal)
(define-fun |malloc::$tmp::return_value___VERIFIER_nondet___CPROVER_bool$1!0@1#2| () Bool |nondet_symex::nondet2|)

; set_to true (equal)
(define-fun |malloc::1::record_malloc!0@1#2| () Bool |malloc::$tmp::return_value___VERIFIER_nondet___CPROVER_bool$1!0@1#2|)

; set_to true (equal)
(define-fun |__CPROVER_malloc_object#2| () (_ BitVec 64) (ite |malloc::1::record_malloc!0@1#2| (concat (_ bv2 8) (_ bv0 56)) (_ bv0 64)))

; set_to true (equal)
(define-fun |__CPROVER_malloc_size#2| () (_ BitVec 64) (ite |malloc::1::record_malloc!0@1#2| (_ bv1 64) (_ bv0 64)))

; set_to true (equal)
(define-fun |__CPROVER_malloc_is_new_array#2| () Bool false)

; find_symbols
(declare-fun |nondet_symex::nondet3| () Bool)
; set_to true (equal)
(define-fun |malloc::$tmp::return_value___VERIFIER_nondet___CPROVER_bool$2!0@1#2| () Bool |nondet_symex::nondet3|)

; set_to true (equal)
(define-fun |malloc::1::record_may_leak!0@1#2| () Bool |malloc::$tmp::return_value___VERIFIER_nondet___CPROVER_bool$2!0@1#2|)

; set_to true (equal)
(define-fun |__CPROVER_memory_leak#2| () (_ BitVec 64) (ite |malloc::1::record_may_leak!0@1#2| (concat (_ bv2 8) (_ bv0 56)) (_ bv0 64)))

; set_to true (equal)
(define-fun |malloc#return_value!0#1| () (_ BitVec 64) (concat (_ bv2 8) (_ bv0 56)))

; set_to true (equal)
(define-fun |main::$tmp::return_value_malloc!0@1#2| () (_ BitVec 64) (concat (_ bv2 8) (_ bv0 56)))

; set_to true (equal)
(define-fun |main::$tmp::tmp_if_expr!0@1#2| () (_ BitVec 64) (concat (_ bv2 8) (_ bv0 56)))

; set_to true (equal)
(define-fun |malloc::malloc_size!0@2#1| () (_ BitVec 64) (_ bv2 64))

; find_symbols
(declare-fun |nondet_symex::nondet4| () (Array (_ BitVec 64) (_ BitVec 8)))
; set_to true (equal)
(define-fun |symex_dynamic::dynamic_object2#1| () (Array (_ BitVec 64) (_ BitVec 8)) |nondet_symex::nondet4|)

; set_to true (equal)
(define-fun |symex_dynamic::dynamic_object2#1[[0]]| () (_ BitVec 8) (select |symex_dynamic::dynamic_object2#1| (_ bv0 64)))

; set_to true (equal)
(define-fun |symex_dynamic::dynamic_object2#1[[1]]| () (_ BitVec 8) (select |symex_dynamic::dynamic_object2#1| (_ bv1 64)))

; find_symbols
(declare-fun |symex_dynamic::dynamic_object2| () (Array (_ BitVec 64) (_ BitVec 8)))
; set_to true (equal)
(define-fun |malloc::$tmp::malloc_value!0@2#2| () (_ BitVec 64) (concat (_ bv3 8) (_ bv0 56)))

; set_to true (equal)
(define-fun |malloc::1::malloc_res!0@2#2| () (_ BitVec 64) (concat (_ bv3 8) (_ bv0 56)))

; set_to true (equal)
(define-fun |__CPROVER_deallocated#3| () (_ BitVec 64) (_ bv0 64))

; find_symbols
(declare-fun |nondet_symex::nondet5| () Bool)
; set_to true (equal)
(define-fun |malloc::$tmp::return_value___VERIFIER_nondet___CPROVER_bool$1!0@2#2| () Bool |nondet_symex::nondet5|)

; set_to true (equal)
(define-fun |malloc::1::record_malloc!0@2#2| () Bool |malloc::$tmp::return_value___VERIFIER_nondet___CPROVER_bool$1!0@2#2|)

; set_to true (equal)
(define-fun |__CPROVER_malloc_object#3| () (_ BitVec 64) (ite |malloc::1::record_malloc!0@2#2| (concat (_ bv3 8) (_ bv0 56)) (_ bv0 64)))

; set_to true (equal)
(define-fun |__CPROVER_malloc_size#3| () (_ BitVec 64) (ite |malloc::1::record_malloc!0@2#2| (_ bv2 64) (_ bv0 64)))

; set_to true (equal)
(define-fun |__CPROVER_malloc_is_new_array#3| () Bool false)

; find_symbols
(declare-fun |nondet_symex::nondet6| () Bool)
; set_to true (equal)
(define-fun |malloc::$tmp::return_value___VERIFIER_nondet___CPROVER_bool$2!0@2#2| () Bool |nondet_symex::nondet6|)

; set_to true (equal)
(define-fun |malloc::1::record_may_leak!0@2#2| () Bool |malloc::$tmp::return_value___VERIFIER_nondet___CPROVER_bool$2!0@2#2|)

; set_to true (equal)
(define-fun |__CPROVER_memory_leak#3| () (_ BitVec 64) (ite |malloc::1::record_may_leak!0@2#2| (concat (_ bv3 8) (_ bv0 56)) (_ bv0 64)))

; set_to true (equal)
(define-fun |malloc#return_value!0#2| () (_ BitVec 64) (concat (_ bv3 8) (_ bv0 56)))

; set_to true (equal)
(define-fun |main::$tmp::return_value_malloc$0!0@1#2| () (_ BitVec 64) (concat (_ bv3 8) (_ bv0 56)))

; set_to true (equal)
(define-fun |main::$tmp::tmp_if_expr!0@1#3| () (_ BitVec 64) (concat (_ bv3 8) (_ bv0 56)))

; set_to true (equal)
(define-fun |__CPROVER_memory_leak#4| () (_ BitVec 64) (ite |goto_symex::&92;guard#1| |__CPROVER_memory_leak#2| |__CPROVER_memory_leak#3|))

; set_to true (equal)
(define-fun |__CPROVER_malloc_is_new_array#4| () Bool false)

; set_to true (equal)
(define-fun |main::$tmp::tmp_if_expr!0@1#4| () (_ BitVec 64) (ite |goto_symex::&92;guard#1| (concat (_ bv2 8) (_ bv0 56)) (concat (_ bv3 8) (_ bv0 56))))

; set_to true (equal)
(define-fun |__CPROVER_malloc_size#4| () (_ BitVec 64) (ite |goto_symex::&92;guard#1| |__CPROVER_malloc_size#2| |__CPROVER_malloc_size#3|))

; set_to true (equal)
(define-fun |__CPROVER_malloc_object#4| () (_ BitVec 64) (ite |goto_symex::&92;guard#1| |__CPROVER_malloc_object#2| |__CPROVER_malloc_object#3|))

; set_to true (equal)
(define-fun |symex_dynamic::dynamic_object1#2[[0]]| () (_ BitVec 8) |symex_dynamic::dynamic_object1#1[[0]]|)

; set_to true (equal)
(define-fun |__CPROVER_deallocated#4| () (_ BitVec 64) (_ bv0 64))

; set_to true (equal)
(define-fun |main::$tmp::return_value_malloc!0@1#3| () (_ BitVec 64) (concat (_ bv2 8) (_ bv0 56)))

; set_to true (equal)
(define-fun |main::$tmp::return_value_nondet!0@1#4| () (_ BitVec 32) (ite |goto_symex::&92;guard#1| |main::$tmp::return_value_nondet!0@1#2| (_ bv0 32)))

; set_to true (equal)
(define-fun |symex_dynamic::dynamic_object2#2[[0]]| () (_ BitVec 8) |symex_dynamic::dynamic_object2#1[[0]]|)

; set_to true (equal)
(define-fun |main::$tmp::return_value_malloc$0!0@1#3| () (_ BitVec 64) (concat (_ bv3 8) (_ bv0 56)))

; set_to true (equal)
(define-fun |symex_dynamic::dynamic_object2#2[[1]]| () (_ BitVec 8) |symex_dynamic::dynamic_object2#1[[1]]|)

; set_to true (equal)
(define-fun |main::1::data!0@1#2| () (_ BitVec 64) |main::$tmp::tmp_if_expr!0@1#4|)

; find_symbols
(declare-fun |main::1::data!0@1#1| () (_ BitVec 64))
; convert
(define-fun |B73| () Bool (= |main::1::data!0@1#1| |main::1::data!0@1#1|))

; find_symbols
(declare-fun |main::$tmp::return_value_nondet!0@1#1| () (_ BitVec 32))
; convert
(define-fun |B74| () Bool (= |main::$tmp::return_value_nondet!0@1#1| |main::$tmp::return_value_nondet!0@1#1|))

; find_symbols
(declare-fun |main::$tmp::tmp_if_expr!0@1#1| () (_ BitVec 64))
; convert
(define-fun |B75| () Bool (= |main::$tmp::tmp_if_expr!0@1#1| |main::$tmp::tmp_if_expr!0@1#1|))

; find_symbols
(declare-fun |main::$tmp::return_value_malloc!0@1#1| () (_ BitVec 64))
; convert
(define-fun |B76| () Bool (= |main::$tmp::return_value_malloc!0@1#1| |main::$tmp::return_value_malloc!0@1#1|))

; find_symbols
(declare-fun |malloc::1::malloc_res!0@1#1| () (_ BitVec 64))
; convert
(define-fun |B77| () Bool (= |malloc::1::malloc_res!0@1#1| |malloc::1::malloc_res!0@1#1|))

; find_symbols
(declare-fun |malloc::$tmp::malloc_value!0@1#1| () (_ BitVec 64))
; convert
(define-fun |B78| () Bool (= |malloc::$tmp::malloc_value!0@1#1| |malloc::$tmp::malloc_value!0@1#1|))

; find_symbols
(declare-fun |malloc::1::record_malloc!0@1#1| () Bool)
; convert
(define-fun |B79| () Bool (= |malloc::1::record_malloc!0@1#1| |malloc::1::record_malloc!0@1#1|))

; find_symbols
(declare-fun |malloc::$tmp::return_value___VERIFIER_nondet___CPROVER_bool$1!0@1#1| () Bool)
; convert
(define-fun |B80| () Bool (= |malloc::$tmp::return_value___VERIFIER_nondet___CPROVER_bool$1!0@1#1| |malloc::$tmp::return_value___VERIFIER_nondet___CPROVER_bool$1!0@1#1|))

; find_symbols
(declare-fun |malloc::1::record_may_leak!0@1#1| () Bool)
; convert
(define-fun |B81| () Bool (= |malloc::1::record_may_leak!0@1#1| |malloc::1::record_may_leak!0@1#1|))

; find_symbols
(declare-fun |malloc::$tmp::return_value___VERIFIER_nondet___CPROVER_bool$2!0@1#1| () Bool)
; convert
(define-fun |B82| () Bool (= |malloc::$tmp::return_value___VERIFIER_nondet___CPROVER_bool$2!0@1#1| |malloc::$tmp::return_value___VERIFIER_nondet___CPROVER_bool$2!0@1#1|))

; find_symbols
(declare-fun |main::$tmp::return_value_malloc$0!0@1#1| () (_ BitVec 64))
; convert
(define-fun |B83| () Bool (= |main::$tmp::return_value_malloc$0!0@1#1| |main::$tmp::return_value_malloc$0!0@1#1|))

; find_symbols
(declare-fun |malloc::1::malloc_res!0@2#1| () (_ BitVec 64))
; convert
(define-fun |B84| () Bool (= |malloc::1::malloc_res!0@2#1| |malloc::1::malloc_res!0@2#1|))

; find_symbols
(declare-fun |malloc::$tmp::malloc_value!0@2#1| () (_ BitVec 64))
; convert
(define-fun |B85| () Bool (= |malloc::$tmp::malloc_value!0@2#1| |malloc::$tmp::malloc_value!0@2#1|))

; find_symbols
(declare-fun |malloc::1::record_malloc!0@2#1| () Bool)
; convert
(define-fun |B86| () Bool (= |malloc::1::record_malloc!0@2#1| |malloc::1::record_malloc!0@2#1|))

; find_symbols
(declare-fun |malloc::$tmp::return_value___VERIFIER_nondet___CPROVER_bool$1!0@2#1| () Bool)
; convert
(define-fun |B87| () Bool (= |malloc::$tmp::return_value___VERIFIER_nondet___CPROVER_bool$1!0@2#1| |malloc::$tmp::return_value___VERIFIER_nondet___CPROVER_bool$1!0@2#1|))

; find_symbols
(declare-fun |malloc::1::record_may_leak!0@2#1| () Bool)
; convert
(define-fun |B88| () Bool (= |malloc::1::record_may_leak!0@2#1| |malloc::1::record_may_leak!0@2#1|))

; find_symbols
(declare-fun |malloc::$tmp::return_value___VERIFIER_nondet___CPROVER_bool$2!0@2#1| () Bool)
; convert
(define-fun |B89| () Bool (= |malloc::$tmp::return_value___VERIFIER_nondet___CPROVER_bool$2!0@2#1| |malloc::$tmp::return_value___VERIFIER_nondet___CPROVER_bool$2!0@2#1|))

; convert
(define-fun |B90| () Bool (= |main::$tmp::return_value_nondet!0@1#2| (_ bv0 32)))

(declare-fun object_size.0 () (_ BitVec 64))
; set_to true
(assert (bvuge object_size.0 (_ bv3 64)))

; convert
(define-fun |B91| () Bool (not false))

; set_to true
(assert |B91|)

(check-sat)

(get-value (|B0|))
(get-value (|B1|))
(get-value (|B10|))
(get-value (|B11|))
(get-value (|B12|))
(get-value (|B13|))
(get-value (|B14|))
(get-value (|B15|))
(get-value (|B16|))
(get-value (|B17|))
(get-value (|B18|))
(get-value (|B19|))
(get-value (|B2|))
(get-value (|B20|))
(get-value (|B21|))
(get-value (|B22|))
(get-value (|B23|))
(get-value (|B24|))
(get-value (|B25|))
(get-value (|B26|))
(get-value (|B27|))
(get-value (|B28|))
(get-value (|B29|))
(get-value (|B3|))
(get-value (|B30|))
(get-value (|B31|))
(get-value (|B32|))
(get-value (|B33|))
(get-value (|B34|))
(get-value (|B35|))
(get-value (|B36|))
(get-value (|B37|))
(get-value (|B38|))
(get-value (|B39|))
(get-value (|B4|))
(get-value (|B40|))
(get-value (|B41|))
(get-value (|B42|))
(get-value (|B43|))
(get-value (|B44|))
(get-value (|B45|))
(get-value (|B46|))
(get-value (|B47|))
(get-value (|B48|))
(get-value (|B49|))
(get-value (|B5|))
(get-value (|B50|))
(get-value (|B51|))
(get-value (|B52|))
(get-value (|B53|))
(get-value (|B54|))
(get-value (|B55|))
(get-value (|B56|))
(get-value (|B57|))
(get-value (|B58|))
(get-value (|B59|))
(get-value (|B6|))
(get-value (|B60|))
(get-value (|B61|))
(get-value (|B62|))
(get-value (|B63|))
(get-value (|B64|))
(get-value (|B65|))
(get-value (|B66|))
(get-value (|B67|))
(get-value (|B68|))
(get-value (|B69|))
(get-value (|B7|))
(get-value (|B70|))
(get-value (|B71|))
(get-value (|B72|))
(get-value (|B73|))
(get-value (|B74|))
(get-value (|B75|))
(get-value (|B76|))
(get-value (|B77|))
(get-value (|B78|))
(get-value (|B79|))
(get-value (|B8|))
(get-value (|B80|))
(get-value (|B81|))
(get-value (|B82|))
(get-value (|B83|))
(get-value (|B84|))
(get-value (|B85|))
(get-value (|B86|))
(get-value (|B87|))
(get-value (|B88|))
(get-value (|B89|))
(get-value (|B9|))
(get-value (|B90|))
(get-value (|B91|))
(get-value (|__CPROVER_alloca_object#1|))
(get-value (|__CPROVER_dead_object#1|))
(get-value (|__CPROVER_deallocated#1|))
(get-value (|__CPROVER_deallocated#2|))
(get-value (|__CPROVER_deallocated#3|))
(get-value (|__CPROVER_deallocated#4|))
(get-value (|__CPROVER_malloc_failure_mode#1|))
(get-value (|__CPROVER_malloc_failure_mode_assert_then_assume#1|))
(get-value (|__CPROVER_malloc_failure_mode_return_null#1|))
(get-value (|__CPROVER_malloc_is_new_array#1|))
(get-value (|__CPROVER_malloc_is_new_array#2|))
(get-value (|__CPROVER_malloc_is_new_array#3|))
(get-value (|__CPROVER_malloc_is_new_array#4|))
(get-value (|__CPROVER_malloc_may_fail#1|))
(get-value (|__CPROVER_malloc_object#1|))
(get-value (|__CPROVER_malloc_object#2|))
(get-value (|__CPROVER_malloc_object#3|))
(get-value (|__CPROVER_malloc_object#4|))
(get-value (|__CPROVER_malloc_size#1|))
(get-value (|__CPROVER_malloc_size#2|))
(get-value (|__CPROVER_malloc_size#3|))
(get-value (|__CPROVER_malloc_size#4|))
(get-value (|__CPROVER_max_malloc_size#1|))
(get-value (|__CPROVER_memory_leak#1|))
(get-value (|__CPROVER_memory_leak#2|))
(get-value (|__CPROVER_memory_leak#3|))
(get-value (|__CPROVER_memory_leak#4|))
(get-value (|__CPROVER_next_thread_id#1|))
(get-value (|__CPROVER_next_thread_key!0#1|))
(get-value (|__CPROVER_pipe_count#1|))
(get-value (|__CPROVER_rounding_mode!0#1|))
(get-value (|__CPROVER_thread_id!0#1|))
(get-value (|__CPROVER_thread_key_dtors!0#1|))
(get-value (|__CPROVER_thread_keys!0#1|))
(get-value (|__CPROVER_threads_exited#1|))
(get-value (|goto_symex::&92;guard#1|))
(get-value (|main::$tmp::return_value_malloc!0@1#1|))
(get-value (|main::$tmp::return_value_malloc!0@1#2|))
(get-value (|main::$tmp::return_value_malloc!0@1#3|))
(get-value (|main::$tmp::return_value_malloc$0!0@1#1|))
(get-value (|main::$tmp::return_value_malloc$0!0@1#2|))
(get-value (|main::$tmp::return_value_malloc$0!0@1#3|))
(get-value (|main::$tmp::return_value_nondet!0@1#1|))
(get-value (|main::$tmp::return_value_nondet!0@1#2|))
(get-value (|main::$tmp::return_value_nondet!0@1#4|))
(get-value (|main::$tmp::tmp_if_expr!0@1#1|))
(get-value (|main::$tmp::tmp_if_expr!0@1#2|))
(get-value (|main::$tmp::tmp_if_expr!0@1#3|))
(get-value (|main::$tmp::tmp_if_expr!0@1#4|))
(get-value (|main::1::data!0@1#1|))
(get-value (|main::1::data!0@1#2|))
(get-value (|malloc#return_value!0#1|))
(get-value (|malloc#return_value!0#2|))
(get-value (|malloc::$tmp::malloc_value!0@1#1|))
(get-value (|malloc::$tmp::malloc_value!0@1#2|))
(get-value (|malloc::$tmp::malloc_value!0@2#1|))
(get-value (|malloc::$tmp::malloc_value!0@2#2|))
(get-value (|malloc::$tmp::return_value___VERIFIER_nondet___CPROVER_bool$1!0@1#1|))
(get-value (|malloc::$tmp::return_value___VERIFIER_nondet___CPROVER_bool$1!0@1#2|))
(get-value (|malloc::$tmp::return_value___VERIFIER_nondet___CPROVER_bool$1!0@2#1|))
(get-value (|malloc::$tmp::return_value___VERIFIER_nondet___CPROVER_bool$1!0@2#2|))
(get-value (|malloc::$tmp::return_value___VERIFIER_nondet___CPROVER_bool$2!0@1#1|))
(get-value (|malloc::$tmp::return_value___VERIFIER_nondet___CPROVER_bool$2!0@1#2|))
(get-value (|malloc::$tmp::return_value___VERIFIER_nondet___CPROVER_bool$2!0@2#1|))
(get-value (|malloc::$tmp::return_value___VERIFIER_nondet___CPROVER_bool$2!0@2#2|))
(get-value (|malloc::1::malloc_res!0@1#1|))
(get-value (|malloc::1::malloc_res!0@1#2|))
(get-value (|malloc::1::malloc_res!0@2#1|))
(get-value (|malloc::1::malloc_res!0@2#2|))
(get-value (|malloc::1::record_malloc!0@1#1|))
(get-value (|malloc::1::record_malloc!0@1#2|))
(get-value (|malloc::1::record_malloc!0@2#1|))
(get-value (|malloc::1::record_malloc!0@2#2|))
(get-value (|malloc::1::record_may_leak!0@1#1|))
(get-value (|malloc::1::record_may_leak!0@1#2|))
(get-value (|malloc::1::record_may_leak!0@2#1|))
(get-value (|malloc::1::record_may_leak!0@2#2|))
(get-value (|malloc::malloc_size!0@1#1|))
(get-value (|malloc::malloc_size!0@2#1|))
(get-value (|nondet_symex::nondet0|))
(get-value (|nondet_symex::nondet1|))
(get-value (|nondet_symex::nondet2|))
(get-value (|nondet_symex::nondet3|))
(get-value (|nondet_symex::nondet4|))
(get-value (|nondet_symex::nondet5|))
(get-value (|nondet_symex::nondet6|))
(get-value (|symex_dynamic::dynamic_object1|))
(get-value (|symex_dynamic::dynamic_object1#1|))
(get-value (|symex_dynamic::dynamic_object1#1[[0]]|))
(get-value (|symex_dynamic::dynamic_object1#2[[0]]|))
(get-value (|symex_dynamic::dynamic_object2|))
(get-value (|symex_dynamic::dynamic_object2#1|))
(get-value (|symex_dynamic::dynamic_object2#1[[0]]|))
(get-value (|symex_dynamic::dynamic_object2#1[[1]]|))
(get-value (|symex_dynamic::dynamic_object2#2[[0]]|))
(get-value (|symex_dynamic::dynamic_object2#2[[1]]|))

(exit)
; end of SMT2 file

The last constraint looks like the incorrect constraint:

(assert (bvuge object_size.0 (_ bv3 64)))

object_size.0 is unrelated to any allocation however!

Inspecting the constraints before SMT2 translation:

$ cbmc --smt2 test.c --program-only | tail
// 17 file test.c line 6 function main
(96) dynamic_object2#2[[0]] == dynamic_object2#1[[0]]
// 17 file test.c line 6 function main
(97) return_value_malloc$0!0@1#3 == (const void *)dynamic_object2
// 17 file test.c line 6 function main
(98) data!0@1#2 == (char *)tmp_if_expr!0@1#4
// 18 file test.c line 7 function main
(99) ASSERT(!(OBJECT_SIZE(data!0@1#2) >= 3ul))
// 24 file test.c line 8 function main
// 97 

Replacing object_size.0 with |__CPROVER_malloc_size#4| in the last SMT2 constraints works as expected.

I'll try to create a PR for this.