Merge pull request #7376 from tautschnig/bugfixes/simp-byte-extract

tautschnig · web-flow · commit e04d0ebf920d · 2022-11-23T20:10:06.000+01:00
Simplify byte extract: fix unconditional read from optional values
diff --git a/src/util/simplify_expr.cpp b/src/util/simplify_expr.cpp
@@ -1680,15 +1680,19 @@ simplify_exprt::simplify_byte_extract(const byte_extract_exprt &expr)
     {
       return op_byte_update.value();
     }
-    else if(
-      el_size.has_value() &&
-      *el_size <= pointer_offset_bits(op_byte_update.value().type(), ns))
+    else if(el_size.has_value())
     {
-      auto tmp = expr;
-      tmp.op() = op_byte_update.value();
-      tmp.offset() = from_integer(0, expr.offset().type());
+      const auto update_bits_opt =
+        pointer_offset_bits(op_byte_update.value().type(), ns);
+
+      if(update_bits_opt.has_value() && *el_size <= *update_bits_opt)
+      {
+        auto tmp = expr;
+        tmp.op() = op_byte_update.value();
+        tmp.offset() = from_integer(0, expr.offset().type());
 
-      return changed(simplify_byte_extract(tmp)); // recursive call
+        return changed(simplify_byte_extract(tmp)); // recursive call
+      }
     }
   }
 
@@ -1706,7 +1710,7 @@ simplify_exprt::simplify_byte_extract(const byte_extract_exprt &expr)
   {
     const byte_update_exprt &bu = to_byte_update_expr(expr.op());
     const auto update_offset = numeric_cast<mp_integer>(bu.offset());
-    if(update_offset.has_value())
+    if(el_size.has_value() && update_offset.has_value())
     {
       if(
         *offset * expr.get_bits_per_byte() + *el_size <=

Original file line number	Diff line number	Diff line change
`@@ -1680,15 +1680,19 @@ simplify_exprt::simplify_byte_extract(const byte_extract_exprt &expr)`
`1680`	`1680`	`{`
`1681`	`1681`	`return op_byte_update.value();`
`1682`	`1682`	`}`
`1683`		`- else if(`
`1684`		`- el_size.has_value() &&`
`1685`		`- *el_size <= pointer_offset_bits(op_byte_update.value().type(), ns))`
	`1683`	`+ else if(el_size.has_value())`
`1686`	`1684`	`{`
`1687`		`- auto tmp = expr;`
`1688`		`- tmp.op() = op_byte_update.value();`
`1689`		`- tmp.offset() = from_integer(0, expr.offset().type());`
	`1685`	`+ const auto update_bits_opt =`
	`1686`	`+ pointer_offset_bits(op_byte_update.value().type(), ns);`
	`1687`	`+`
	`1688`	`+ if(update_bits_opt.has_value() && el_size <= update_bits_opt)`
	`1689`	`+ {`
	`1690`	`+ auto tmp = expr;`
	`1691`	`+ tmp.op() = op_byte_update.value();`
	`1692`	`+ tmp.offset() = from_integer(0, expr.offset().type());`
`1690`	`1693`
`1691`		`- return changed(simplify_byte_extract(tmp)); // recursive call`
	`1694`	`+ return changed(simplify_byte_extract(tmp)); // recursive call`
	`1695`	`+ }`
`1692`	`1696`	`}`
`1693`	`1697`	`}`
`1694`	`1698`
`@@ -1706,7 +1710,7 @@ simplify_exprt::simplify_byte_extract(const byte_extract_exprt &expr)`
`1706`	`1710`	`{`
`1707`	`1711`	`const byte_update_exprt &bu = to_byte_update_expr(expr.op());`
`1708`	`1712`	`const auto update_offset = numeric_cast<mp_integer>(bu.offset());`
`1709`		`- if(update_offset.has_value())`
	`1713`	`+ if(el_size.has_value() && update_offset.has_value())`
`1710`	`1714`	`{`
`1711`	`1715`	`if(`
`1712`	`1716`	`offset expr.get_bits_per_byte() + *el_size <=`