mirrors/z3
3
0
Fork 0
mirror of https://github.com/Z3Prover/z3 synced 2025-11-04 05:19:11 +00:00
Code Activity

fix a couple hundred deref-after-free bugs due to .c_str() on a temporary string

Browse source
This commit is contained in:
Nuno Lopes 2020-07-11 20:24:45 +01:00
parent 48a9defb0d
commit 23e6adcad3
64 changed files with 248 additions and 229 deletions
Download patch file Download diff file Expand all files Collapse all files

11
src/muz/spacer/spacer_context.cpp
View file

@ -716,7 +716,7 @@ app_ref pred_transformer::mk_extend_lit() {
app_ref v(m);
std::stringstream name;
name << m_head->get_name () << "_ext0";
v = m.mk_const (symbol(name.str().c_str()), m.mk_bool_sort());
v = m.mk_const (symbol(name.str()), m.mk_bool_sort());
return app_ref(m.mk_not (m.mk_const (pm.get_n_pred (v->get_decl ()))), m);
}
@ -780,7 +780,7 @@ void pred_transformer::init_sig()
std::stringstream name_stm;
name_stm << m_head->get_name() << '_' << i;
func_decl_ref stm(m);
stm = m.mk_func_decl(symbol(name_stm.str().c_str()), 0, (sort*const*)nullptr, arg_sort);
stm = m.mk_func_decl(symbol(name_stm.str()), 0, (sort*const*)nullptr, arg_sort);
m_sig.push_back(pm.get_o_pred(stm, 0));
}
}
@ -1025,7 +1025,7 @@ app_ref pred_transformer::mk_fresh_rf_tag ()
func_decl_ref decl(m);
name << head ()->get_name () << "#reach_tag_" << m_reach_facts.size ();
decl = m.mk_func_decl (symbol (name.str ().c_str ()), 0,
decl = m.mk_func_decl (symbol(name.str()), 0,
(sort*const*)nullptr, m.mk_bool_sort ());
return app_ref(m.mk_const (pm.get_n_pred (decl)), m);
}
@ -1628,7 +1628,7 @@ void pred_transformer::init_rules(decl2rel const& pts) {
for (auto &kv : m_pt_rules) {
pt_rule &r = *kv.m_value;
std::string name = head()->get_name().str() + "__tr" + std::to_string(i);
tag = m.mk_const(symbol(name.c_str()), m.mk_bool_sort());
tag = m.mk_const(symbol(name), m.mk_bool_sort());
m_pt_rules.set_tag(tag, r);
m_transition_clause.push_back(tag);
transitions.push_back(m.mk_implies(r.tag(), r.trans()));
@ -1823,7 +1823,8 @@ app* pred_transformer::extend_initial (expr *e)
app_ref v(m);
std::stringstream name;
name << m_head->get_name() << "_ext";
v = m.mk_fresh_const (name.str ().c_str (),
auto str = name.str ();
v = m.mk_fresh_const (str.c_str(),
m.mk_bool_sort ());
v = m.mk_const (pm.get_n_pred (v->get_decl ()));

2
src/muz/spacer/spacer_manager.cpp
View file

@ -180,7 +180,7 @@ func_decl * manager::get_n_pred(func_decl* s) {
app* mk_zk_const(ast_manager &m, unsigned idx, sort *s) {
std::stringstream name;
name << "sk!" << idx;
return m.mk_const(symbol(name.str().c_str()), s);
return m.mk_const(symbol(name.str()), s);
}
namespace find_zk_const_ns {

3
src/muz/spacer/spacer_prop_solver.cpp
View file

@ -79,7 +79,8 @@ void prop_solver::add_level()
unsigned idx = level_cnt();
std::stringstream name;
name << m_name << "#level_" << idx;
func_decl * lev_pred = m.mk_fresh_func_decl(name.str().c_str(), 0, nullptr, m.mk_bool_sort());
auto str = name.str();
func_decl * lev_pred = m.mk_fresh_func_decl(str.c_str(), 0, nullptr, m.mk_bool_sort());
m_level_preds.push_back(lev_pred);
app_ref pos_la(m.mk_const(lev_pred), m);