fix nlsat clear() and scoped_numeral_vector copy ctor crashes

Reset polynomial cache and assignments in nlsat::solver:👿:clear() to prevent use-after-free when the solver is destroyed. The missing resets caused heap corruption when check_assignment's compute_linear_explanation created cached polynomials and root atoms that outlived the solver's other data structures during destruction. Also fix _scoped_numeral_vector copy constructor to read from other instead of uninitialized self. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-03-31 08:39:01 +00:00 · 2026-03-27 11:09:19 -10:00 · 2026-03-27 11:09:19 -10:00 · 75baedb314
commit 75baedb314
parent 00418e7368
2 changed files with 5 additions and 1 deletions
--- a/src/nlsat/nlsat_solver.cpp
+++ b/src/nlsat/nlsat_solver.cpp
@ -347,6 +347,10 @@ namespace nlsat {
            undo_until_size(0);
            del_clauses();
            del_unref_atoms();
+            m_cache.reset();
+            m_assignment.reset();
+            m_lo.reset();
+            m_hi.reset();
        }

        void checkpoint() {
--- a/src/util/scoped_numeral_vector.h
+++ b/src/util/scoped_numeral_vector.h
@ -28,7 +28,7 @@ public:

    _scoped_numeral_vector(const _scoped_numeral_vector & other) : m_manager(other.m_manager) {
        for (unsigned i = 0, e = other.size(); i != e; ++i) {
-            push_back((*this)[i]);
+            push_back(other[i]);
        }
    }