fix a couple hundred deref-after-free bugs due to .c_str() on a temporary string

src/smt/theory_arith_aux.h

@@ -1125,7 +1125,7 @@ namespace smt {
         ast_manager& m = get_manager();
         std::ostringstream strm;
         strm << val << " <= " << mk_pp(get_enode(v)->get_owner(), get_manager());
-        app* b = m.mk_const(symbol(strm.str().c_str()), m.mk_bool_sort());
+        app* b = m.mk_const(symbol(strm.str()), m.mk_bool_sort());
         expr_ref result(b, m);
         TRACE("opt", tout << result << "\n";);
         if (!ctx.b_internalized(b)) {

src/smt/theory_lra.cpp

@@ -1995,7 +1995,7 @@ public:
     expr_ref var2expr(lpvar v) {
         std::ostringstream name;
         name << "v" << lp().local_to_external(v);
-        return expr_ref(m.mk_const(symbol(name.str().c_str()), a.mk_int()), m);
+        return expr_ref(m.mk_const(symbol(name.str()), a.mk_int()), m);
     }
 
     expr_ref multerm(rational const& r, expr* e) {

src/smt/theory_seq.cpp

@@ -1949,7 +1949,7 @@ public:
                     else {
                         strm << val;
                     }
-                    zstring zs(strm.str().c_str());
+                    zstring zs(strm.str());
                     add_buffer(sbuffer, zs);
                     break;
                 }

src/smt/theory_str.cpp

@@ -988,7 +988,7 @@ namespace smt {
             }
         }
         if (constOK) {
-            TRACE("str", tout << "flattened to \"" << flattenedString.encode().c_str() << "\"" << std::endl;);
+            TRACE("str", tout << "flattened to \"" << flattenedString.encode() << '"' << std::endl;);
             expr_ref constStr(mk_string(flattenedString), m);
             expr_ref axiom(ctx.mk_eq_atom(a_cat, constStr), m);
             assert_axiom(axiom);
@@ -1073,7 +1073,7 @@ namespace smt {
 
             zstring strconst;
             u.str.is_string(str->get_owner(), strconst);
-            TRACE("str", tout << "instantiating constant string axioms for \"" << strconst.encode().c_str() << "\"" << std::endl;);
+            TRACE("str", tout << "instantiating constant string axioms for \"" << strconst.encode() << '"' << std::endl;);
             unsigned int l = strconst.length();
             expr_ref len(m_autil.mk_numeral(rational(l), true), m);
 
@@ -8177,7 +8177,7 @@ namespace smt {
             if (!Ival.is_minus_one()) {
                 rational Slen;
                 if (get_len_value(S, Slen)) {
-                    zstring Ival_str(Ival.to_string().c_str());
+                    zstring Ival_str(Ival.to_string());
                     if (rational(Ival_str.length()) <= Slen) {
                         zstring padding;
                         for (rational i = rational::zero(); i < Slen - rational(Ival_str.length()); ++i) {
@@ -8301,7 +8301,7 @@ namespace smt {
                     conclusion = expr_ref(ctx.mk_eq_atom(a, mk_string("")), m);
                 } else {
                     // non-negative argument -> convert to string of digits
-                    zstring Nval_str(Nval.to_string().c_str());
+                    zstring Nval_str(Nval.to_string());
                     conclusion = expr_ref(ctx.mk_eq_atom(a, mk_string(Nval_str)), m);
                 }
                 expr_ref axiom(rewrite_implication(premise, conclusion), m);
@@ -8885,19 +8885,6 @@ namespace smt {
         return FC_CONTINUE; // since by this point we've added axioms
     }
 
-    inline zstring int_to_string(int i) {
-        std::stringstream ss;
-        ss << i;
-        std::string str = ss.str();
-        return zstring(str.c_str());
-    }
-
-    inline std::string longlong_to_string(long long i) {
-        std::stringstream ss;
-        ss << i;
-        return ss.str();
-    }
-
     void theory_str::get_concats_in_eqc(expr * n, std::set<expr*> & concats) {
 
         expr * eqcNode = n;
@@ -9016,7 +9003,7 @@ namespace smt {
             TRACE("str", tout << "WARNING: failed to find a concrete value, falling back" << std::endl;);
             std::ostringstream unused;
             unused << "**UNUSED**" << (m_unused_id++);
-            return alloc(expr_wrapper_proc, to_app(mk_string(unused.str().c_str())));
+            return alloc(expr_wrapper_proc, to_app(mk_string(unused.str())));
         }
     }
 

src/smt/theory_str.h

@@ -65,7 +65,7 @@ public:
             while (true) {
                 std::ostringstream strm;
                 strm << delim << std::hex << (m_next++) << std::dec << delim;
-                symbol sym(strm.str().c_str());
+                symbol sym(strm.str());
                 if (m_strings.contains(sym)) continue;
                 m_strings.insert(sym);
                 return u.str.mk_string(sym);
@@ -343,7 +343,8 @@ class theory_str : public theory {
     typedef map<rational, expr*, obj_hash<rational>, default_eq<rational> > rational_map;
     struct zstring_hash_proc {
         unsigned operator()(zstring const & s) const {
-            return string_hash(s.encode().c_str(), static_cast<unsigned>(s.length()), 17);
+            auto str = s.encode();
+            return string_hash(str.c_str(), static_cast<unsigned>(s.length()), 17);
         }
     };
     typedef map<zstring, expr*, zstring_hash_proc, default_eq<zstring> > string_map;

src/smt/theory_str_mc.cpp

@@ -32,19 +32,6 @@
 
 namespace smt {
 
-    inline zstring int_to_string(int i) {
-        std::stringstream ss;
-        ss << i;
-        std::string str = ss.str();
-        return zstring(str.c_str());
-    }
-
-    inline std::string longlong_to_string(long long i) {
-        std::stringstream ss;
-        ss << i;
-        return ss.str();
-    }
-
     /*
      * Use the current model in the arithmetic solver to get the length of a term.
      * Returns true if this could be done, placing result in 'termLen', or false otherwise.
@@ -780,7 +767,7 @@ namespace smt {
                     return false;
                 }
                 // convert iValue to a constant
-                zstring iValue_str = zstring(iValue.to_string().c_str());
+                zstring iValue_str(iValue.to_string());
                 for (unsigned idx = 0; idx < iValue_str.length(); ++idx) {
                     expr_ref chTerm(bitvector_character_constants.get(iValue_str[idx]), sub_m);
                     eqc_chars.push_back(chTerm);
@@ -1135,7 +1122,7 @@ namespace smt {
                         TRACE("str_fl", tout << "integer theory assigns " << ival << " to " << mk_pp(e, get_manager()) << std::endl;);
                         // if ival is non-negative, because we know the length of arg, we can add a character constraint for arg
                         if (ival.is_nonneg()) {
-                            zstring ival_str(ival.to_string().c_str());
+                            zstring ival_str(ival.to_string());
                             zstring padding;
                             for (rational i = rational::zero(); i < slen - rational(ival_str.length()); ++i) {
                                 padding = padding + zstring("0");
@@ -1176,7 +1163,7 @@ namespace smt {
                             ival_str = zstring("");
                         } else {
                             // e must be equal to the string representation of ival
-                            ival_str = zstring(ival.to_string().c_str());
+                            ival_str = zstring(ival.to_string());
                         }
                         // Add (arg == ival) as a precondition.
                         precondition.push_back(m.mk_eq(arg, mk_int(ival)));

src/smt/theory_utvpi_def.h

@@ -234,9 +234,10 @@ namespace smt {
             return;
         }
         std::stringstream msg;
-        msg << "found non utvpi logic expression:\n" << mk_pp(n, m) << "\n";
-        TRACE("utvpi", tout << msg.str(););
-        warning_msg("%s", msg.str().c_str());
+        msg << "found non utvpi logic expression:\n" << mk_pp(n, m) << '\n';
+        auto str = msg.str();
+        TRACE("utvpi", tout << str;);
+        warning_msg("%s", str.c_str());
         ctx.push_trail(value_trail<context, bool>(m_non_utvpi_exprs));
         m_non_utvpi_exprs = true;        
     }