avoid access to exprt::opX

This avoids out-of-bounds accesses to the operands() vector.

Author: Daniel Kroening

src/goto-programs/adjust_float_expressions.cpp

@@ -118,7 +118,7 @@ void adjust_float_expressions(exprt &expr, const exprt &rounding_mode)
                                 irep_idt());
 
       expr.operands().resize(3);
-      expr.op2()=rounding_mode;
+      to_ieee_float_op_expr(expr).rounding_mode() = rounding_mode;
     }
   }
 
@@ -138,7 +138,7 @@ void adjust_float_expressions(exprt &expr, const exprt &rounding_mode)
       // the representation.
       expr.id(ID_floatbv_typecast);
       expr.operands().resize(2);
-      expr.op1()=rounding_mode;
+      to_floatbv_typecast_expr(expr).rounding_mode() = rounding_mode;
     }
     else if(
       dest_type.id() == ID_floatbv &&
@@ -148,7 +148,7 @@ void adjust_float_expressions(exprt &expr, const exprt &rounding_mode)
       // casts from integer to float-type might round
       expr.id(ID_floatbv_typecast);
       expr.operands().resize(2);
-      expr.op1()=rounding_mode;
+      to_floatbv_typecast_expr(expr).rounding_mode() = rounding_mode;
     }
     else if(
       dest_type.id() == ID_floatbv &&
@@ -174,7 +174,7 @@ void adjust_float_expressions(exprt &expr, const exprt &rounding_mode)
        */
       expr.id(ID_floatbv_typecast);
       expr.operands().resize(2);
-      expr.op1()=
+      to_floatbv_typecast_expr(expr).rounding_mode() =
         from_integer(ieee_floatt::ROUND_TO_ZERO, rounding_mode.type());
     }
   }

src/goto-programs/builtin_functions.cpp

@@ -567,10 +567,7 @@ void goto_convertt::cpp_new_initializer(
 exprt goto_convertt::get_array_argument(const exprt &src)
 {
   if(src.id()==ID_typecast)
-  {
-    assert(src.operands().size()==1);
-    return get_array_argument(src.op0());
-  }
+    return get_array_argument(to_typecast_expr(src).op());
 
   if(src.id()!=ID_address_of)
   {
@@ -579,25 +576,25 @@ exprt goto_convertt::get_array_argument(const exprt &src)
     throw 0;
   }
 
-  assert(src.operands().size()==1);
+  const auto &address_of_expr = to_address_of_expr(src);
 
-  if(src.op0().id()!=ID_index)
+  if(address_of_expr.object().id() != ID_index)
   {
     error().source_location=src.find_source_location();
     error() << "expected array-element as argument" << eom;
     throw 0;
   }
 
-  assert(src.op0().operands().size()==2);
+  const auto &index_expr = to_index_expr(address_of_expr.object());
 
-  if(src.op0().op0().type().id() != ID_array)
+  if(index_expr.array().type().id() != ID_array)
   {
     error().source_location=src.find_source_location();
     error() << "expected array as argument" << eom;
     throw 0;
   }
 
-  return src.op0().op0();
+  return index_expr.array();
 }
 
 void goto_convertt::do_array_op(
@@ -633,10 +630,12 @@ exprt make_va_list(const exprt &expr)
     return make_va_list(to_typecast_expr(expr).op());
 
   // if it's an address of an lvalue, we take that
-  if(expr.id()==ID_address_of &&
-     expr.operands().size()==1 &&
-     is_lvalue(expr.op0()))
-    return expr.op0();
+  if(expr.id() == ID_address_of)
+  {
+    const auto &address_of_expr = to_address_of_expr(expr);
+    if(is_lvalue(address_of_expr.object()))
+      return address_of_expr.object();
+  }
 
   return expr;
 }

src/goto-programs/goto_clean_expr.cpp

@@ -363,16 +363,20 @@ void goto_convertt::clean_expr(
         expr.operands().size() == 2,
         "side-effect assignment expressions must have two operands");
 
-      if(expr.op1().id()==ID_side_effect &&
-         to_side_effect_expr(expr.op1()).get_statement()==ID_function_call)
+      auto &side_effect_assign = to_side_effect_expr_assign(expr);
+
+      if(
+        side_effect_assign.rhs().id() == ID_side_effect &&
+        to_side_effect_expr(side_effect_assign.rhs()).get_statement() ==
+          ID_function_call)
       {
-        clean_expr(expr.op0(), dest, mode);
-        exprt lhs=expr.op0();
+        clean_expr(side_effect_assign.lhs(), dest, mode);
+        exprt lhs = side_effect_assign.lhs();
 
         // turn into code
         code_assignt assignment;
         assignment.lhs()=lhs;
-        assignment.rhs()=expr.op1();
+        assignment.rhs() = side_effect_assign.rhs();
         assignment.add_source_location()=expr.source_location();
         convert_assign(assignment, dest, mode);
 
@@ -423,7 +427,7 @@ void goto_convertt::clean_expr(
     // This is simply replaced by the literal
     DATA_INVARIANT(
       expr.operands().size() == 1, "ID_compound_literal has a single operand");
-    expr=expr.op0();
+    expr = to_unary_expr(expr).op();
   }
 }
 
@@ -439,8 +443,8 @@ void goto_convertt::clean_expr_address_of(
   {
     DATA_INVARIANT(
       expr.operands().size() == 1, "ID_compound_literal has a single operand");
-    clean_expr(expr.op0(), dest, mode);
-    expr = make_compound_literal(expr.op0(), dest, mode);
+    clean_expr(to_unary_expr(expr).op(), dest, mode);
+    expr = make_compound_literal(to_unary_expr(expr).op(), dest, mode);
   }
   else if(expr.id()==ID_string_constant)
   {

src/goto-programs/goto_convert_class.h

@@ -119,7 +119,7 @@ class goto_convertt:public messaget
     const irep_idt &mode,
     bool result_is_used);
   void remove_function_call(
-    side_effect_exprt &expr,
+    side_effect_expr_function_callt &expr,
     goto_programt &dest,
     const irep_idt &mode,
     bool result_is_used);

src/goto-programs/goto_convert_side_effect.cpp

@@ -44,13 +44,14 @@ void goto_convertt::remove_assignment(
 
   if(statement==ID_assign)
   {
-    exprt new_lhs = skip_typecast(expr.op0());
+    auto &old_assignment = to_side_effect_expr_assign(expr);
+    exprt new_lhs = skip_typecast(old_assignment.lhs());
     exprt new_rhs =
-      typecast_exprt::conditional_cast(expr.op1(), new_lhs.type());
-    code_assignt assign(std::move(new_lhs), std::move(new_rhs));
-    assign.add_source_location() = expr.source_location();
+      typecast_exprt::conditional_cast(old_assignment.rhs(), new_lhs.type());
+    code_assignt new_assignment(std::move(new_lhs), std::move(new_rhs));
+    new_assignment.add_source_location() = expr.source_location();
 
-    convert_assign(assign, dest, mode);
+    convert_assign(new_assignment, dest, mode);
   }
   else if(statement==ID_assign_plus ||
           statement==ID_assign_minus ||
@@ -285,38 +286,28 @@ void goto_convertt::remove_post(
 }
 
 void goto_convertt::remove_function_call(
-  side_effect_exprt &expr,
+  side_effect_expr_function_callt &expr,
   goto_programt &dest,
   const irep_idt &mode,
   bool result_is_used)
 {
-  INVARIANT_WITH_DIAGNOSTICS(
-    expr.operands().size() == 2,
-    "function_call expects two operands",
-    expr.find_source_location());
-
   if(!result_is_used)
   {
-    code_function_callt call(expr.op0(), expr.op1().operands());
+    code_function_callt call(expr.function(), expr.arguments());
     call.add_source_location()=expr.source_location();
     convert_function_call(call, dest, mode);
     expr.make_nil();
     return;
   }
 
   // get name of function, if available
-
-  INVARIANT_WITH_DIAGNOSTICS(
-    expr.id() == ID_side_effect && expr.get(ID_statement) == ID_function_call,
-    "expects function call",
-    expr.find_source_location());
-
   std::string new_base_name = "return_value";
   irep_idt new_symbol_mode = mode;
 
-  if(expr.op0().id()==ID_symbol)
+  if(expr.function().id() == ID_symbol)
   {
-    const irep_idt &identifier = to_symbol_expr(expr.op0()).get_identifier();
+    const irep_idt &identifier =
+      to_symbol_expr(expr.function()).get_identifier();
     const symbolt &symbol = ns.lookup(identifier);
 
     new_base_name+='_';
@@ -341,7 +332,7 @@ void goto_convertt::remove_function_call(
   {
     goto_programt tmp_program2;
     code_function_callt call(
-      new_symbol.symbol_expr(), expr.op0(), expr.op1().operands());
+      new_symbol.symbol_expr(), expr.function(), expr.arguments());
     call.add_source_location()=new_symbol.location;
     convert_function_call(call, dest, mode);
   }
@@ -395,7 +386,7 @@ void goto_convertt::remove_cpp_delete(
 
   codet tmp(expr.get_statement());
   tmp.add_source_location()=expr.source_location();
-  tmp.copy_to_operands(expr.op0());
+  tmp.copy_to_operands(to_unary_expr(expr).op());
   tmp.set(ID_destructor, expr.find(ID_destructor));
 
   convert_cpp_delete(tmp, dest);
@@ -451,7 +442,8 @@ void goto_convertt::remove_temporary_object(
 
   if(expr.operands().size()==1)
   {
-    const code_assignt assignment(new_symbol.symbol_expr(), expr.op0());
+    const code_assignt assignment(
+      new_symbol.symbol_expr(), to_unary_expr(expr).op());
 
     convert(assignment, dest, mode);
   }
@@ -559,7 +551,8 @@ void goto_convertt::remove_side_effect(
   const irep_idt &statement=expr.get_statement();
 
   if(statement==ID_function_call)
-    remove_function_call(expr, dest, mode, result_is_used);
+    remove_function_call(
+      to_side_effect_expr_function_call(expr), dest, mode, result_is_used);
   else if(statement==ID_assign ||
           statement==ID_assign_plus ||
           statement==ID_assign_minus ||

src/goto-programs/goto_inline_class.cpp

@@ -165,9 +165,11 @@ void goto_inlinet::replace_return(
   {
     if(it->is_return())
     {
+      const auto &code_return = it->get_return();
+
       if(lhs.is_not_nil())
       {
-        if(it->code.operands().size()!=1)
+        if(!code_return.has_return_value())
         {
           warning().source_location=it->code.find_source_location();
           warning() << "return expects one operand!\n"
@@ -178,14 +180,16 @@ void goto_inlinet::replace_return(
         // a typecast may be necessary if the declared return type at the call
         // site differs from the defined return type
         it->code = code_assignt(
-          lhs, typecast_exprt::conditional_cast(it->code.op0(), lhs.type()));
+          lhs,
+          typecast_exprt::conditional_cast(
+            code_return.return_value(), lhs.type()));
         it->type=ASSIGN;
 
         it++;
       }
-      else if(!it->code.operands().empty())
+      else if(code_return.has_return_value())
       {
-        it->code=code_expressiont(it->code.op0());
+        it->code = code_expressiont(code_return.return_value());
         it->type=OTHER;
         it++;
       }