mirrors/z3
3
0
Fork 0
mirror of https://github.com/Z3Prover/z3 synced 2025-04-23 09:05:31 +00:00
Code Activity

fix a couple hundred deref-after-free bugs due to .c_str() on a temporary string

Browse source
This commit is contained in:
Nuno Lopes 2020-07-11 20:24:45 +01:00
parent 48a9defb0d
commit 23e6adcad3
64 changed files with 248 additions and 229 deletions
Download patch file Download diff file Expand all files Collapse all files

8
src/muz/base/dl_context.cpp
View file

@ -422,7 +422,7 @@ namespace datalog {
if (!e) {
std::stringstream name_stm;
name_stm << '#' << arg_index;
return symbol(name_stm.str().c_str());
return symbol(name_stm.str());
}
SASSERT(arg_index < e->get_data().m_value.size());
return e->get_data().m_value[arg_index];
@ -1183,11 +1183,11 @@ namespace datalog {
out << " :named ";
while (fresh_names.contains(nm)) {
std::ostringstream s;
s << nm << "!";
nm = symbol(s.str().c_str());
s << nm << '!';
nm = symbol(s.str());
}
fresh_names.add(nm);
display_symbol(out, nm) << ")";
display_symbol(out, nm) << ')';
}
out << ")\n";
}

2
src/muz/base/dl_rule.cpp
View file

@ -587,7 +587,7 @@ namespace datalog {
std::stringstream _name;
_name << c;
if (j > 0) _name << j;
symbol name(_name.str().c_str());
symbol name(_name.str());
if (!us.contains(name)) {
names.push_back(name);
++i;

3
src/muz/base/hnf.cpp
View file

@ -405,7 +405,8 @@ private:
}
}
func_decl_ref f(m);
f = m.mk_fresh_func_decl(m_name.str().c_str(), "", sorts1.size(), sorts1.c_ptr(), m.mk_bool_sort());
auto str = m_name.str();
f = m.mk_fresh_func_decl(str.c_str(), "", sorts1.size(), sorts1.c_ptr(), m.mk_bool_sort());
m_fresh_predicates.push_back(f);
return app_ref(m.mk_app(f, args.size(), args.c_ptr()), m);
}

46
src/muz/bmc/dl_bmc_engine.cpp
View file

@ -188,7 +188,7 @@ namespace datalog {
expr_ref mk_q_var(func_decl* pred, sort* s, unsigned rule_id, unsigned idx) {
std::stringstream _name;
_name << pred->get_name() << "#" << rule_id << "_" << idx;
symbol nm(_name.str().c_str());
symbol nm(_name.str());
var_ref var = mk_index_var();
return expr_ref(m.mk_app(m.mk_func_decl(nm, mk_index_sort(), s), var), m);
}
@ -197,7 +197,7 @@ namespace datalog {
SASSERT(idx < pred->get_arity());
std::stringstream _name;
_name << pred->get_name() << "#" << idx;
symbol nm(_name.str().c_str());
symbol nm(_name.str());
expr_ref var(mk_index_var(), m);
if (!is_current) {
var = m_bv.mk_bv_sub(var, mk_q_one());
@ -216,14 +216,14 @@ namespace datalog {
func_decl_ref mk_q_func_decl(func_decl* f) {
std::stringstream _name;
_name << f->get_name() << "#";
symbol nm(_name.str().c_str());
symbol nm(_name.str());
return func_decl_ref(m.mk_func_decl(nm, mk_index_sort(), f->get_range()), m);
}
func_decl_ref mk_q_rule(func_decl* f, unsigned rule_id) {
std::stringstream _name;
_name << f->get_name() << "#" << rule_id;
symbol nm(_name.str().c_str());
symbol nm(_name.str());
return func_decl_ref(m.mk_func_decl(nm, mk_index_sort(), m.mk_bool_sort()), m);
}
@ -396,7 +396,7 @@ namespace datalog {
for (unsigned i = 0; i < level_p->get_arity(); ++i) {
std::stringstream _name;
_name << query_pred->get_name() << "#" << level << "_" << i;
symbol nm(_name.str().c_str());
symbol nm(_name.str());
vars.push_back(m.mk_const(nm, level_p->get_domain(i)));
}
return expr_ref(m.mk_app(level_p, vars.size(), vars.c_ptr()), m);
@ -569,14 +569,14 @@ namespace datalog {
func_decl_ref mk_level_predicate(func_decl* p, unsigned level) {
std::stringstream _name;
_name << p->get_name() << "#" << level;
symbol nm(_name.str().c_str());
symbol nm(_name.str());
return func_decl_ref(m.mk_func_decl(nm, p->get_arity(), p->get_domain(), m.mk_bool_sort()), m);
}
func_decl_ref mk_level_rule(func_decl* p, unsigned rule_idx, unsigned level) {
std::stringstream _name;
_name << "rule:" << p->get_name() << "#" << level << "_" << rule_idx;
symbol nm(_name.str().c_str());
symbol nm(_name.str());
return func_decl_ref(m.mk_func_decl(nm, p->get_arity(), p->get_domain(), m.mk_bool_sort()), m);
}
@ -627,7 +627,7 @@ namespace datalog {
func_decl_ref mk_body_func(rule& r, ptr_vector<sort> const& args, unsigned index, sort* s) {
std::stringstream _name;
_name << r.get_decl()->get_name() << "@" << index;
symbol name(_name.str().c_str());
symbol name(_name.str());
func_decl* f = m.mk_func_decl(name, args.size(), args.c_ptr(), s);
return func_decl_ref(f, m);
}
@ -775,7 +775,7 @@ namespace datalog {
func_decl_ref mk_predicate(func_decl* pred) {
std::stringstream _name;
_name << pred->get_name() << "#";
symbol nm(_name.str().c_str());
symbol nm(_name.str());
sort* pred_trace_sort = m_pred2sort.find(pred);
return func_decl_ref(m.mk_func_decl(nm, pred_trace_sort, m_path_sort, m.mk_bool_sort()), m);
}
@ -783,7 +783,7 @@ namespace datalog {
func_decl_ref mk_rule(func_decl* p, unsigned rule_idx) {
std::stringstream _name;
_name << "rule:" << p->get_name() << "#" << rule_idx;
symbol nm(_name.str().c_str());
symbol nm(_name.str());
sort* pred_trace_sort = m_pred2sort.find(p);
return func_decl_ref(m.mk_func_decl(nm, pred_trace_sort, m_path_sort, m.mk_bool_sort()), m);
}
@ -791,7 +791,7 @@ namespace datalog {
expr_ref mk_var(func_decl* pred, sort*s, unsigned idx, expr* path_arg, expr* trace_arg) {
std::stringstream _name;
_name << pred->get_name() << "#V_" << idx;
symbol nm(_name.str().c_str());
symbol nm(_name.str());
func_decl_ref fn(m);
fn = m.mk_func_decl(nm, m_pred2sort.find(pred), m_path_sort, s);
return expr_ref(m.mk_app(fn, trace_arg, path_arg), m);
@ -801,7 +801,7 @@ namespace datalog {
SASSERT(idx < pred->get_arity());
std::stringstream _name;
_name << pred->get_name() << "#X_" << idx;
symbol nm(_name.str().c_str());
symbol nm(_name.str());
func_decl_ref fn(m);
fn = m.mk_func_decl(nm, m_pred2sort.find(pred), m_path_sort, pred->get_domain(idx));
return expr_ref(m.mk_app(fn, trace_arg, path_arg), m);
@ -971,15 +971,15 @@ namespace datalog {
unsigned idx = pred_idx.find(q);
std::stringstream _name;
_name << pred->get_name() << "_" << q->get_name() << j;
symbol name(_name.str().c_str());
symbol name(_name.str());
type_ref tr(idx);
accs.push_back(mk_accessor_decl(m, name, tr));
}
std::stringstream _name;
_name << pred->get_name() << "_" << i;
symbol name(_name.str().c_str());
_name << "?";
symbol is_name(_name.str().c_str());
_name << pred->get_name() << '_' << i;
symbol name(_name.str());
_name << '?';
symbol is_name(_name.str());
cnstrs.push_back(mk_constructor_decl(name, is_name, accs.size(), accs.c_ptr()));
}
dts.push_back(mk_datatype_decl(dtu, pred->get_name(), 0, nullptr, cnstrs.size(), cnstrs.c_ptr()));
@ -1020,9 +1020,9 @@ namespace datalog {
for (unsigned i = 0; i + 1 < max_arity; ++i) {
std::stringstream _name;
_name << "succ#" << i;
symbol name(_name.str().c_str());
symbol name(_name.str());
_name << "?";
symbol is_name(_name.str().c_str());
symbol is_name(_name.str());
std::stringstream _name2;
_name2 << "get_succ#" << i;
ptr_vector<accessor_decl> accs;
@ -1313,7 +1313,7 @@ namespace datalog {
expr_ref mk_level_predicate(symbol const& name, unsigned level) {
std::stringstream _name;
_name << name << "#" << level;
symbol nm(_name.str().c_str());
symbol nm(_name.str());
return expr_ref(m.mk_const(nm, m.mk_bool_sort()), m);
}
@ -1321,21 +1321,21 @@ namespace datalog {
SASSERT(idx < pred->get_arity());
std::stringstream _name;
_name << pred->get_name() << "#" << level << "_" << idx;
symbol nm(_name.str().c_str());
symbol nm(_name.str());
return expr_ref(m.mk_const(nm, pred->get_domain(idx)), m);
}
expr_ref mk_level_var(func_decl* pred, sort* s, unsigned rule_id, unsigned idx, unsigned level) {
std::stringstream _name;
_name << pred->get_name() << "#" << level << "_" << rule_id << "_" << idx;
symbol nm(_name.str().c_str());
symbol nm(_name.str());
return expr_ref(m.mk_const(nm, s), m);
}
expr_ref mk_level_rule(func_decl* p, unsigned rule_idx, unsigned level) {
std::stringstream _name;
_name << "rule:" << p->get_name() << "#" << level << "_" << rule_idx;
symbol nm(_name.str().c_str());
symbol nm(_name.str());
return expr_ref(m.mk_const(nm, m.mk_bool_sort()), m);
}

10
src/muz/rel/check_relation.cpp
View file

@ -280,7 +280,7 @@ namespace datalog {
std::ostringstream strm;
strm << "x" << j;
bound.push_back(sig[i]);
names.push_back(symbol(strm.str().c_str()));
names.push_back(symbol(strm.str()));
vars.push_back(m.mk_var(j, sig[i]));
++j;
}
@ -400,8 +400,8 @@ namespace datalog {
var_subst sub(m, false);
for (unsigned i = 0; i < sig.size(); ++i) {
std::stringstream strm;
strm << "x" << i;
vars.push_back(m.mk_const(symbol(strm.str().c_str()), sig[i]));
strm << 'x' << i;
vars.push_back(m.mk_const(symbol(strm.str()), sig[i]));
}
fml1 = sub(fml1, vars.size(), vars.c_ptr());
fml2 = sub(fml2, vars.size(), vars.c_ptr());
@ -448,8 +448,8 @@ namespace datalog {
var_subst sub(m, false);
for (unsigned i = 0; i < sig.size(); ++i) {
std::stringstream strm;
strm << "x" << i;
vars.push_back(m.mk_const(symbol(strm.str().c_str()), sig[i]));
strm << 'x' << i;
vars.push_back(m.mk_const(symbol(strm.str()), sig[i]));
}
fml1 = sub(fml1, vars.size(), vars.c_ptr());
fml2 = sub(fml2, vars.size(), vars.c_ptr());

3
src/muz/rel/dl_base.cpp
View file

@ -373,7 +373,8 @@ namespace datalog {
std::ostringstream buffer;
buffer << "creating large table of size " << upper_bound;
if (p) buffer << " for relation " << p->get_name();
warning_msg("%s", buffer.str().c_str());
auto str = buffer.str();
warning_msg("%s", str.c_str());
}
for (table_element i = 0; i < upper_bound; i++) {

2
src/muz/rel/dl_lazy_table.cpp
View file

@ -29,7 +29,7 @@ namespace datalog {
symbol lazy_table_plugin::mk_name(table_plugin& p) {
std::ostringstream strm;
strm << "lazy_" << p.get_name();
return symbol(strm.str().c_str());
return symbol(strm.str());
}
table_base * lazy_table_plugin::mk_empty(const table_signature & s) {

11
src/muz/spacer/spacer_context.cpp
View file

@ -716,7 +716,7 @@ app_ref pred_transformer::mk_extend_lit() {
app_ref v(m);
std::stringstream name;
name << m_head->get_name () << "_ext0";
v = m.mk_const (symbol(name.str().c_str()), m.mk_bool_sort());
v = m.mk_const (symbol(name.str()), m.mk_bool_sort());
return app_ref(m.mk_not (m.mk_const (pm.get_n_pred (v->get_decl ()))), m);
}
@ -780,7 +780,7 @@ void pred_transformer::init_sig()
std::stringstream name_stm;
name_stm << m_head->get_name() << '_' << i;
func_decl_ref stm(m);
stm = m.mk_func_decl(symbol(name_stm.str().c_str()), 0, (sort*const*)nullptr, arg_sort);
stm = m.mk_func_decl(symbol(name_stm.str()), 0, (sort*const*)nullptr, arg_sort);
m_sig.push_back(pm.get_o_pred(stm, 0));
}
}
@ -1025,7 +1025,7 @@ app_ref pred_transformer::mk_fresh_rf_tag ()
func_decl_ref decl(m);
name << head ()->get_name () << "#reach_tag_" << m_reach_facts.size ();
decl = m.mk_func_decl (symbol (name.str ().c_str ()), 0,
decl = m.mk_func_decl (symbol(name.str()), 0,
(sort*const*)nullptr, m.mk_bool_sort ());
return app_ref(m.mk_const (pm.get_n_pred (decl)), m);
}
@ -1628,7 +1628,7 @@ void pred_transformer::init_rules(decl2rel const& pts) {
for (auto &kv : m_pt_rules) {
pt_rule &r = *kv.m_value;
std::string name = head()->get_name().str() + "__tr" + std::to_string(i);
tag = m.mk_const(symbol(name.c_str()), m.mk_bool_sort());
tag = m.mk_const(symbol(name), m.mk_bool_sort());
m_pt_rules.set_tag(tag, r);
m_transition_clause.push_back(tag);
transitions.push_back(m.mk_implies(r.tag(), r.trans()));
@ -1823,7 +1823,8 @@ app* pred_transformer::extend_initial (expr *e)
app_ref v(m);
std::stringstream name;
name << m_head->get_name() << "_ext";
v = m.mk_fresh_const (name.str ().c_str (),
auto str = name.str ();
v = m.mk_fresh_const (str.c_str(),
m.mk_bool_sort ());
v = m.mk_const (pm.get_n_pred (v->get_decl ()));

2
src/muz/spacer/spacer_manager.cpp
View file

@ -180,7 +180,7 @@ func_decl * manager::get_n_pred(func_decl* s) {
app* mk_zk_const(ast_manager &m, unsigned idx, sort *s) {
std::stringstream name;
name << "sk!" << idx;
return m.mk_const(symbol(name.str().c_str()), s);
return m.mk_const(symbol(name.str()), s);
}
namespace find_zk_const_ns {

3
src/muz/spacer/spacer_prop_solver.cpp
View file

@ -79,7 +79,8 @@ void prop_solver::add_level()
unsigned idx = level_cnt();
std::stringstream name;
name << m_name << "#level_" << idx;
func_decl * lev_pred = m.mk_fresh_func_decl(name.str().c_str(), 0, nullptr, m.mk_bool_sort());
auto str = name.str();
func_decl * lev_pred = m.mk_fresh_func_decl(str.c_str(), 0, nullptr, m.mk_bool_sort());
m_level_preds.push_back(lev_pred);
app_ref pos_la(m.mk_const(lev_pred), m);

2
src/muz/transforms/dl_mk_rule_inliner.cpp
View file

@ -116,7 +116,7 @@ namespace datalog {
SASSERT(tail.size()==tail_neg.size());
std::ostringstream comb_name;
comb_name << tgt.name().str() << ";" << src.name().str();
symbol combined_rule_name = symbol(comb_name.str().c_str());
symbol combined_rule_name(comb_name.str());
res = m_rm.mk(new_head, tail.size(), tail.c_ptr(), tail_neg.c_ptr(), combined_rule_name, m_normalize);
res->set_accounting_parent_object(m_context, const_cast<rule*>(&tgt));
TRACE("dl",

2
src/muz/transforms/dl_mk_unbound_compressor.cpp
View file

@ -71,7 +71,7 @@ namespace datalog {
std::stringstream name_suffix;
name_suffix << "compr_arg_" << arg_index;
func_decl * cpred = m_context.mk_fresh_head_predicate(parent_name, symbol(name_suffix.str().c_str()),
func_decl * cpred = m_context.mk_fresh_head_predicate(parent_name, symbol(name_suffix.str()),
arity, domain.c_ptr(), pred);
m_pinned.push_back(cpred);
m_pinned.push_back(pred);