mirrors/z3
3
0
Fork 0
mirror of https://github.com/Z3Prover/z3 synced 2026-04-07 21:22:48 +00:00
Code Activity

fix nlsat clear() and scoped_numeral_vector copy ctor crashes

Browse source 
Reset polynomial cache and assignments in nlsat::solver:👿:clear()
to prevent use-after-free when the solver is destroyed. The missing
resets caused heap corruption when check_assignment's
compute_linear_explanation created cached polynomials and root atoms
that outlived the solver's other data structures during destruction.

Also fix _scoped_numeral_vector copy constructor to read from other
instead of uninitialized self.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This commit is contained in:
Lev Nachmanson 2026-03-27 11:09:19 -10:00
parent 456b99ced2
commit 481eb0327c
2 changed files with 5 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

4
src/nlsat/nlsat_solver.cpp
View file

@ -347,6 +347,10 @@ namespace nlsat {
undo_until_size(0); undo_until_size(0);
del_clauses(); del_clauses();
del_unref_atoms(); del_unref_atoms();
m_cache.reset();
m_assignment.reset();
m_lo.reset();
m_hi.reset();
} }
void checkpoint() { void checkpoint() {

2
src/util/scoped_numeral_vector.h
View file

@ -28,7 +28,7 @@ public:
_scoped_numeral_vector(const _scoped_numeral_vector & other) : m_manager(other.m_manager) { _scoped_numeral_vector(const _scoped_numeral_vector & other) : m_manager(other.m_manager) {
for (unsigned i = 0, e = other.size(); i != e; ++i) { for (unsigned i = 0, e = other.size(); i != e; ++i) {
push_back((*this)[i]); push_back(other[i]);
} }
} }