← nischoy.ai

libxml2 Verification

SMT2 formal verification of security-critical code paths

ALL VERIFIED
Overall
14
Properties Checked
14
Verified
0
Failed

Entity Expansion Depth Limit (0-40)

🌳 tree-sitter (partial) VERIFIED

Function: xmlStringLenDecodeEntities · Z3 solved in 0.1ms

Entity expansion depth ≤ 40 to prevent billion-laughs attacks. From xmlStringLenDecodeEntities() in parser.c.

View SMT2 Constraints 
; benchmark generated from python API
(set-info :status unknown)
(declare-fun depth () Int)
(assert
 (<= depth 40))
(assert
 (>= depth 0))
(assert
 (or (< depth 0) (> depth 40)))
(check-sat)

Attribute Count Per Element Bounds (0-10000)

🌳 tree-sitter (partial) VERIFIED

Function: xmlParseStartTag2 · Z3 solved in 0.0ms

Attribute count per element bounded. From xmlParseStartTag2() in parser.c.

View SMT2 Constraints 
; benchmark generated from python API
(set-info :status unknown)
(declare-fun nb_attributes () Int)
(assert
 (<= nb_attributes 10000))
(assert
 (>= nb_attributes 0))
(assert
 (or (< nb_attributes 0) (> nb_attributes 10000)))
(check-sat)

Element/Attribute Name Length Bounds (1-50000)

🌳 tree-sitter (partial) VERIFIED

Function: xmlParseName · Z3 solved in 0.0ms

Element/attribute name length bounded. From xmlParseName() in parser.c.

View SMT2 Constraints 
; benchmark generated from python API
(set-info :status unknown)
(declare-fun name_len () Int)
(assert
 (<= name_len 50000))
(assert
 (>= name_len 1))
(assert
 (or (< name_len 1) (> name_len 50000)))
(check-sat)

Namespace URI Length Bounds (1-8192)

🌳 tree-sitter (partial) VERIFIED

Function: xmlParseStartTag2 · Z3 solved in 0.0ms

Namespace URI length bounded to prevent memory exhaustion. From xmlParseStartTag2().

View SMT2 Constraints 
; benchmark generated from python API
(set-info :status unknown)
(declare-fun ns_uri_len () Int)
(assert
 (<= ns_uri_len 8192))
(assert
 (>= ns_uri_len 1))
(assert
 (or (< ns_uri_len 1) (> ns_uri_len 8192)))
(check-sat)

Encoding Declaration Length Bounds (1-40)

🌳 tree-sitter (partial) VERIFIED

Function: xmlParseEncodingDecl · Z3 solved in 0.0ms

Encoding declaration length bounded. From xmlParseEncodingDecl() in parser.c.

View SMT2 Constraints 
; benchmark generated from python API
(set-info :status unknown)
(declare-fun encoding_decl_len () Int)
(assert
 (<= encoding_decl_len 40))
(assert
 (>= encoding_decl_len 1))
(assert
 (or (< encoding_decl_len 1) (> encoding_decl_len 40)))
(check-sat)

Entity Value Length Bounds (0-10000000)

🌳 tree-sitter (partial) VERIFIED

Function: xmlParseEntityValue · Z3 solved in 0.0ms

Entity value length bounded by XML_MAX_TEXT_LENGTH to prevent memory bomb via large inline entities. From xmlParseEntityValue() in parser.c.

View SMT2 Constraints 
; benchmark generated from python API
(set-info :status unknown)
(declare-fun entity_value_len () Int)
(assert
 (<= entity_value_len 10000000))
(assert
 (>= entity_value_len 0))
(assert
 (or (< entity_value_len 0) (> entity_value_len 10000000)))
(check-sat)

Comment Content Length Bounds (0-10000000)

🌳 tree-sitter (partial) VERIFIED

Function: xmlParseCommentComplex · Z3 solved in 0.0ms

Comment content length bounded by XML_MAX_TEXT_LENGTH to prevent memory exhaustion via giant comments. From xmlParseCommentComplex() in parser.c.

View SMT2 Constraints 
; benchmark generated from python API
(set-info :status unknown)
(declare-fun comment_len () Int)
(assert
 (<= comment_len 10000000))
(assert
 (>= comment_len 0))
(assert
 (or (< comment_len 0) (> comment_len 10000000)))
(check-sat)

PI Target Name Length Bounds (1-50000)

🌳 tree-sitter (partial) VERIFIED

Function: xmlParsePITarget · Z3 solved in 0.0ms

PI target name length bounded by XML_MAX_NAME_LENGTH to prevent dictionary interning exhaustion via oversized processing instruction names. From xmlParsePITarget() in parser.c.

View SMT2 Constraints 
; benchmark generated from python API
(set-info :status unknown)
(declare-fun pi_target_name_len () Int)
(assert
 (<= pi_target_name_len 50000))
(assert
 (>= pi_target_name_len 1))
(assert
 (or (< pi_target_name_len 1) (> pi_target_name_len 50000)))
(check-sat)

PI Content Length Bounds (0-10000000)

🌳 tree-sitter (partial) VERIFIED

Function: xmlParsePI · Z3 solved in 0.0ms

PI content length bounded by XML_MAX_TEXT_LENGTH to prevent memory exhaustion via oversized processing instruction content. From xmlParsePI() in parser.c.

View SMT2 Constraints 
; benchmark generated from python API
(set-info :status unknown)
(declare-fun pi_content_len () Int)
(assert
 (<= pi_content_len 10000000))
(assert
 (>= pi_content_len 0))
(assert
 (or (< pi_content_len 0) (> pi_content_len 10000000)))
(check-sat)

CDATA Section Length Bounds (0-10000000)

🌳 tree-sitter (partial) VERIFIED

Function: xmlParseCDSect · Z3 solved in 0.0ms

CDATA section length bounded by XML_MAX_TEXT_LENGTH to prevent memory exhaustion via oversized CDATA sections. From xmlParseCDSect() in parser.c.

View SMT2 Constraints 
; benchmark generated from python API
(set-info :status unknown)
(declare-fun cdata_section_len () Int)
(assert
 (<= cdata_section_len 10000000))
(assert
 (>= cdata_section_len 0))
(assert
 (or (< cdata_section_len 0) (> cdata_section_len 10000000)))
(check-sat)

PubidLiteral Length Bounds (1-50000)

🌳 tree-sitter (partial) VERIFIED

Function: xmlParsePubidLiteral · Z3 solved in 0.0ms

PubidLiteral length bounded by XML_MAX_NAME_LENGTH to prevent oversized public identifiers in DTD PUBLIC declarations. From xmlParsePubidLiteral() in parser.c.

View SMT2 Constraints 
; benchmark generated from python API
(set-info :status unknown)
(declare-fun pubid_literal_len () Int)
(assert
 (<= pubid_literal_len 50000))
(assert
 (>= pubid_literal_len 1))
(assert
 (or (< pubid_literal_len 1) (> pubid_literal_len 50000)))
(check-sat)

Notation Name Length Bounds (1-50000)

🌳 tree-sitter (partial) VERIFIED

Function: xmlParseNotationDecl · Z3 solved in 0.0ms

Notation name length bounded by XML_MAX_NAME_LENGTH to prevent oversized notation names in DTD NOTATION declarations. From xmlParseNotationDecl() in parser.c.

View SMT2 Constraints 
; benchmark generated from python API
(set-info :status unknown)
(declare-fun notation_name_len () Int)
(assert
 (<= notation_name_len 50000))
(assert
 (>= notation_name_len 1))
(assert
 (or (< notation_name_len 1) (> notation_name_len 50000)))
(check-sat)

AttValue Default Length Bounds (0-10000000)

🌳 tree-sitter (partial) VERIFIED

Function: xmlParseAttValueInternal · Z3 solved in 0.0ms

Attribute default value length bounded by XML_MAX_TEXT_LENGTH to prevent memory exhaustion via oversized default values in DTD ATTLIST declarations. From xmlParseAttValueInternal() in parser.c.

View SMT2 Constraints 
; benchmark generated from python API
(set-info :status unknown)
(declare-fun attvalue_default_len () Int)
(assert
 (<= attvalue_default_len 10000000))
(assert
 (>= attvalue_default_len 0))
(assert
 (or (< attvalue_default_len 0) (> attvalue_default_len 10000000)))
(check-sat)

SystemLiteral Length Bounds (1-50000)

🌳 tree-sitter (partial) VERIFIED

Function: xmlParseSystemLiteral · Z3 solved in 0.0ms

SystemLiteral length bounded by XML_MAX_NAME_LENGTH to prevent oversized external IDs in DTD SYSTEM/PUBLIC declarations. From xmlParseSystemLiteral() in parser.c.

View SMT2 Constraints 
; benchmark generated from python API
(set-info :status unknown)
(declare-fun system_literal_len () Int)
(assert
 (<= system_literal_len 50000))
(assert
 (>= system_literal_len 1))
(assert
 (or (< system_literal_len 1) (> system_literal_len 50000)))
(check-sat)

Last verified: 2026-03-25 00:01:50 UTC · Solver: Z3 4.16.0