fix exprt::opX accesses in simplifier

Daniel Kroening · Daniel Kroening · commit c4240b45e4c3 · 2019-08-04T18:41:26.000+01:00
This improves type safety.
diff --git a/src/util/simplify_expr.cpp b/src/util/simplify_expr.cpp
@@ -547,13 +547,12 @@ simplify_exprt::simplify_typecast(const typecast_exprt &expr)
   // (void*)(intX)expr -> (void*)expr
   if(
     expr_type.id() == ID_pointer && expr.op().id() == ID_typecast &&
-    expr.op().operands().size() == 1 &&
     (op_type.id() == ID_signedbv || op_type.id() == ID_unsignedbv) &&
     to_bitvector_type(op_type).get_width() >=
       to_bitvector_type(expr_type).get_width())
   {
     auto new_expr = expr;
-    new_expr.op() = expr.op().op0();
+    new_expr.op() = to_typecast_expr(expr.op()).op();
     return changed(simplify_typecast(new_expr)); // rec. call
   }
 
@@ -634,10 +633,10 @@ simplify_exprt::simplify_typecast(const typecast_exprt &expr)
   // (T1 *)(T2 *)x -> (T1 *)x
   if(
     expr_type.id() == ID_pointer && expr.op().id() == ID_typecast &&
-    op_type.id() == ID_pointer && expr.op().operands().size() == 1)
+    op_type.id() == ID_pointer)
   {
     auto new_expr = expr;
-    new_expr.op() = expr.op().op0();
+    new_expr.op() = to_typecast_expr(expr.op()).op();
     return changed(simplify_typecast(new_expr)); // recursive call
   }
 
@@ -1360,25 +1359,27 @@ simplify_exprt::resultt<> simplify_exprt::simplify_object(const exprt &expr)
       const exprt &casted_expr = typecast_expr.op();
       if(casted_expr.id() == ID_plus && casted_expr.operands().size() == 2)
       {
-        const exprt &cand = casted_expr.op0().id() == ID_typecast
-                              ? casted_expr.op0()
-                              : casted_expr.op1();
+        const auto &plus_expr = to_plus_expr(casted_expr);
 
-        if(cand.id()==ID_typecast &&
-           cand.operands().size()==1 &&
-           cand.op0().id()==ID_address_of)
-        {
-          return cand.op0();
-        }
-        else if(cand.id()==ID_typecast &&
-                cand.operands().size()==1 &&
-                cand.op0().id()==ID_plus &&
-                cand.op0().operands().size()==2 &&
-                cand.op0().op0().id()==ID_typecast &&
-                cand.op0().op0().operands().size()==1 &&
-                cand.op0().op0().op0().id()==ID_address_of)
+        const exprt &cand = plus_expr.op0().id() == ID_typecast
+                              ? plus_expr.op0()
+                              : plus_expr.op1();
+
+        if(cand.id() == ID_typecast)
         {
-          return cand.op0().op0().op0();
+          const auto &typecast_op = to_typecast_expr(cand).op();
+
+          if(typecast_op.id() == ID_address_of)
+          {
+            return typecast_op;
+          }
+          else if(
+            typecast_op.id() == ID_plus && typecast_op.operands().size() == 2 &&
+            typecast_op.op0().id() == ID_typecast &&
+            to_typecast_expr(typecast_op.op0()).op().id() == ID_address_of)
+          {
+            return cand.op0().op0().op0();
+          }
         }
       }
     }
diff --git a/src/util/simplify_expr_array.cpp b/src/util/simplify_expr_array.cpp
@@ -9,6 +9,7 @@ Author: Daniel Kroening, kroening@kroening.com
 #include "simplify_expr_class.h"
 
 #include "arith_tools.h"
+#include "byte_operators.h"
 #include "namespace.h"
 #include "pointer_offset_size.h"
 #include "replace_expr.h"
@@ -163,6 +164,8 @@ simplify_exprt::simplify_index(const index_exprt &expr)
   else if(array.id()==ID_byte_extract_little_endian ||
           array.id()==ID_byte_extract_big_endian)
   {
+    const auto &byte_extract_expr = to_byte_extract_expr(array);
+
     if(array.type().id() == ID_array || array.type().id() == ID_vector)
     {
       optionalt<typet> subtype;
@@ -179,12 +182,13 @@ simplify_exprt::simplify_index(const index_exprt &expr)
         return unchanged(expr);
 
       // add offset to index
-      mult_exprt offset(from_integer(*sub_size, array.op1().type()), index);
-      plus_exprt final_offset(array.op1(), offset);
+      mult_exprt offset(
+        from_integer(*sub_size, byte_extract_expr.offset().type()), index);
+      plus_exprt final_offset(byte_extract_expr.offset(), offset);
       simplify_node(final_offset);
 
       exprt result_expr(array.id(), expr.type());
-      result_expr.add_to_operands(array.op0(), final_offset);
+      result_expr.add_to_operands(byte_extract_expr.op(), final_offset);
 
       return changed(simplify_rec(result_expr));
     }
diff --git a/src/util/simplify_expr_boolean.cpp b/src/util/simplify_expr_boolean.cpp
@@ -136,10 +136,9 @@ simplify_exprt::resultt<> simplify_exprt::simplify_boolean(const exprt &expr)
 
     // search for a and !a
     for(const exprt &op : new_operands)
-      if(op.id()==ID_not &&
-         op.operands().size()==1 &&
-         op.type().id()==ID_bool &&
-         expr_set.find(op.op0())!=expr_set.end())
+      if(
+        op.id() == ID_not && op.type().id() == ID_bool &&
+        expr_set.find(to_not_expr(op).op()) != expr_set.end())
       {
         return make_boolean_expr(expr.id() == ID_or);
       }
diff --git a/src/util/simplify_expr_pointer.cpp b/src/util/simplify_expr_pointer.cpp
@@ -313,7 +313,8 @@ simplify_exprt::simplify_pointer_offset(const unary_exprt &expr)
              tmp.op0().operands().size()==1 &&
              tmp.op0().op0().id()==ID_address_of)
           {
-            auto new_expr = typecast_exprt::conditional_cast(tmp.op1(), type);
+            auto new_expr =
+              typecast_exprt::conditional_cast(to_plus_expr(tmp).op1(), type);
 
             simplify_node(new_expr);
             return new_expr;
diff --git a/src/util/simplify_expr_struct.cpp b/src/util/simplify_expr_struct.cpp
@@ -130,6 +130,8 @@ simplify_exprt::simplify_member(const member_exprt &expr)
   else if(op.id()==ID_byte_extract_little_endian ||
           op.id()==ID_byte_extract_big_endian)
   {
+    const auto &byte_extract_expr = to_byte_extract_expr(op);
+
     if(op_type.id()==ID_struct)
     {
       // This rewrites byte_extract(s, o, struct_type).member
@@ -151,20 +153,20 @@ simplify_exprt::simplify_member(const member_exprt &expr)
       if(!offset_int.has_value())
         return unchanged(expr);
 
-      const exprt &struct_offset=op.op1();
+      const exprt &struct_offset = byte_extract_expr.offset();
       exprt member_offset = from_integer(*offset_int, struct_offset.type());
       plus_exprt final_offset(struct_offset, member_offset);
       simplify_node(final_offset);
 
-      byte_extract_exprt result(op.id(), op.op0(), final_offset, expr.type());
+      byte_extract_exprt result(
+        op.id(), byte_extract_expr.op(), final_offset, expr.type());
 
       return changed(simplify_rec(result)); // recursive call
     }
     else if(op_type.id() == ID_union)
     {
       // rewrite byte_extract(X, 0).member to X
       // if the type of X is that of the member
-      const auto &byte_extract_expr = to_byte_extract_expr(op);
       if(byte_extract_expr.offset().is_zero())
       {
         const union_typet &union_type = to_union_type(op_type);
@@ -204,12 +206,14 @@ simplify_exprt::simplify_member(const member_exprt &expr)
   }
   else if(op.id() == ID_typecast)
   {
+    const auto &typecast_expr = to_typecast_expr(op);
+
     // Try to look through member(cast(x)) if the cast is between structurally
     // identical types:
-    if(op_type == op.op0().type())
+    if(op_type == typecast_expr.op().type())
     {
       auto new_expr = expr;
-      new_expr.struct_op() = op.op0();
+      new_expr.struct_op() = typecast_expr.op();
       return changed(simplify_member(new_expr));
     }
 
@@ -224,7 +228,7 @@ simplify_exprt::simplify_member(const member_exprt &expr)
       if(requested_offset.has_value())
       {
         auto equivalent_member = get_subexpression_at_offset(
-          op.op0(), *requested_offset, expr.type(), ns);
+          typecast_expr.op(), *requested_offset, expr.type(), ns);
 
         // Guess: turning this into a byte-extract operation is not really an
         // optimisation.

Original file line number	Diff line number	Diff line change
`@@ -136,10 +136,9 @@ simplify_exprt::resultt<> simplify_exprt::simplify_boolean(const exprt &expr)`
`136`	`136`
`137`	`137`	`// search for a and !a`
`138`	`138`	`for(const exprt &op : new_operands)`
`139`		`- if(op.id()==ID_not &&`
`140`		`- op.operands().size()==1 &&`
`141`		`- op.type().id()==ID_bool &&`
`142`		`- expr_set.find(op.op0())!=expr_set.end())`
	`139`	`+ if(`
	`140`	`+ op.id() == ID_not && op.type().id() == ID_bool &&`
	`141`	`+ expr_set.find(to_not_expr(op).op()) != expr_set.end())`
`143`	`142`	`{`
`144`	`143`	`return make_boolean_expr(expr.id() == ID_or);`
`145`	`144`	`}`
Original file line number	Diff line number	Diff line change
`@@ -313,7 +313,8 @@ simplify_exprt::simplify_pointer_offset(const unary_exprt &expr)`
`313`	`313`	`tmp.op0().operands().size()==1 &&`
`314`	`314`	`tmp.op0().op0().id()==ID_address_of)`
`315`	`315`	`{`
`316`		`- auto new_expr = typecast_exprt::conditional_cast(tmp.op1(), type);`
	`316`	`+ auto new_expr =`
	`317`	`+ typecast_exprt::conditional_cast(to_plus_expr(tmp).op1(), type);`
`317`	`318`
`318`	`319`	`simplify_node(new_expr);`
`319`	`320`	`return new_expr;`
Original file line number	Diff line number	Diff line change
`@@ -130,6 +130,8 @@ simplify_exprt::simplify_member(const member_exprt &expr)`
`130`	`130`	`else if(op.id()==ID_byte_extract_little_endian \|\|`
`131`	`131`	`op.id()==ID_byte_extract_big_endian)`
`132`	`132`	`{`
	`133`	`+ const auto &byte_extract_expr = to_byte_extract_expr(op);`
	`134`	`+`
`133`	`135`	`if(op_type.id()==ID_struct)`
`134`	`136`	`{`
`135`	`137`	`// This rewrites byte_extract(s, o, struct_type).member`
`@@ -151,20 +153,20 @@ simplify_exprt::simplify_member(const member_exprt &expr)`
`151`	`153`	`if(!offset_int.has_value())`
`152`	`154`	`return unchanged(expr);`
`153`	`155`
`154`		`- const exprt &struct_offset=op.op1();`
	`156`	`+ const exprt &struct_offset = byte_extract_expr.offset();`
`155`	`157`	`exprt member_offset = from_integer(*offset_int, struct_offset.type());`
`156`	`158`	`plus_exprt final_offset(struct_offset, member_offset);`
`157`	`159`	`simplify_node(final_offset);`
`158`	`160`
`159`		`- byte_extract_exprt result(op.id(), op.op0(), final_offset, expr.type());`
	`161`	`+ byte_extract_exprt result(`
	`162`	`+ op.id(), byte_extract_expr.op(), final_offset, expr.type());`
`160`	`163`
`161`	`164`	`return changed(simplify_rec(result)); // recursive call`
`162`	`165`	`}`
`163`	`166`	`else if(op_type.id() == ID_union)`
`164`	`167`	`{`
`165`	`168`	`// rewrite byte_extract(X, 0).member to X`
`166`	`169`	`// if the type of X is that of the member`
`167`		`- const auto &byte_extract_expr = to_byte_extract_expr(op);`
`168`	`170`	`if(byte_extract_expr.offset().is_zero())`
`169`	`171`	`{`
`170`	`172`	`const union_typet &union_type = to_union_type(op_type);`
`@@ -204,12 +206,14 @@ simplify_exprt::simplify_member(const member_exprt &expr)`
`204`	`206`	`}`
`205`	`207`	`else if(op.id() == ID_typecast)`
`206`	`208`	`{`
	`209`	`+ const auto &typecast_expr = to_typecast_expr(op);`
	`210`	`+`
`207`	`211`	`// Try to look through member(cast(x)) if the cast is between structurally`
`208`	`212`	`// identical types:`
`209`		`- if(op_type == op.op0().type())`
	`213`	`+ if(op_type == typecast_expr.op().type())`
`210`	`214`	`{`
`211`	`215`	`auto new_expr = expr;`
`212`		`- new_expr.struct_op() = op.op0();`
	`216`	`+ new_expr.struct_op() = typecast_expr.op();`
`213`	`217`	`return changed(simplify_member(new_expr));`
`214`	`218`	`}`
`215`	`219`
`@@ -224,7 +228,7 @@ simplify_exprt::simplify_member(const member_exprt &expr)`
`224`	`228`	`if(requested_offset.has_value())`
`225`	`229`	`{`
`226`	`230`	`auto equivalent_member = get_subexpression_at_offset(`
`227`		`- op.op0(), *requested_offset, expr.type(), ns);`
	`231`	`+ typecast_expr.op(), *requested_offset, expr.type(), ns);`
`228`	`232`
`229`	`233`	`// Guess: turning this into a byte-extract operation is not really an`
`230`	`234`	`// optimisation.`