mirrors/z3
3
0
Fork 0
mirror of https://github.com/Z3Prover/z3 synced 2025-08-06 11:20:26 +00:00
Code Activity

fix a couple hundred deref-after-free bugs due to .c_str() on a temporary string

Browse source
This commit is contained in:
Nuno Lopes 2020-07-11 20:24:45 +01:00
parent 48a9defb0d
commit 23e6adcad3
64 changed files with 248 additions and 229 deletions
Download patch file Download diff file Expand all files Collapse all files

6
src/ast/rewriter/bv_elim.cpp
View file

@ -51,12 +51,12 @@ bool bv_elim_cfg::reduce_quantifier(quantifier * q,
for (unsigned j = 0; j < num_bits; ++j) {
std::ostringstream new_name;
new_name << nm.str();
new_name << "_";
new_name << '_';
new_name << j;
var* v = m.mk_var(var_idx++, m.mk_bool_sort());
var* v = m.mk_var(var_idx++, m.mk_bool_sort());
args.push_back(v);
_sorts.push_back(m.mk_bool_sort());
_names.push_back(symbol(new_name.str().c_str()));
_names.push_back(symbol(new_name.str()));
}
bv = m.mk_app(bfid, OP_MKBV, 0, nullptr, args.size(), args.c_ptr());
_subst_map.push_back(bv.get());

6
src/ast/rewriter/pb_rewriter.cpp
View file

@ -158,8 +158,8 @@ expr_ref pb_rewriter::mk_validate_rewrite(app_ref& e1, app_ref& e2) {
}
std::ostringstream strm;
strm << "x" << i;
name = symbol(strm.str().c_str());
strm << 'x' << i;
name = symbol(strm.str());
trail.push_back(m.mk_const(name, a.mk_int()));
expr* x = trail.back();
m.is_not(e,e);
@ -190,7 +190,7 @@ void pb_rewriter::validate_rewrite(func_decl* f, unsigned sz, expr*const* args,
void pb_rewriter::dump_pb_rewrite(expr* fml) {
std::ostringstream strm;
strm << "pb_rewrite_" << (s_lemma++) << ".smt2";
std::ofstream out(strm.str().c_str());
std::ofstream out(strm.str());
ast_smt_pp pp(m());
pp.display_smt2(out, fml);
out.close();

2
src/ast/rewriter/seq_rewriter.cpp
View file

@ -1916,7 +1916,7 @@ br_status seq_rewriter::mk_str_itos(expr* a, expr_ref& result) {
rational r;
if (m_autil.is_numeral(a, r)) {
if (r.is_int() && !r.is_neg()) {
result = str().mk_string(symbol(r.to_string().c_str()));
result = str().mk_string(symbol(r.to_string()));
}
else {
result = str().mk_string(symbol(""));