Fix static analysis issues: null dereferences, unsafe casts, branch clones, uninitialized members (#9424)

Agent-Logs-Url: https://github.com/Z3Prover/z3/sessions/6e64242e-78e5-4807-8369-02baaf405a70

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: NikolajBjorner <3085284+NikolajBjorner@users.noreply.github.com>

src/smt/arith_eq_solver.cpp

@@ -53,10 +53,7 @@ void arith_eq_solver::prop_mod_const(expr * e, unsigned depth, numeral const& k,
     numeral n;
     bool is_int;
 
-    if (depth == 0) {
-        result = e;
-    }
-    else if (m_util.is_add(e) || m_util.is_mul(e)) {
+    if (depth != 0 && (m_util.is_add(e) || m_util.is_mul(e))) {
         expr_ref_vector args(m);
         expr_ref tmp(m);
         app* a = to_app(e);
@@ -66,7 +63,7 @@ void arith_eq_solver::prop_mod_const(expr * e, unsigned depth, numeral const& k,
         }
         m_arith_rewriter.mk_app(a->get_decl(), args.size(), args.data(), result);
     }
-    else if (m_util.is_numeral(e, n, is_int) && is_int) {
+    else if (depth != 0 && m_util.is_numeral(e, n, is_int) && is_int) {
         result = m_util.mk_numeral(mod(n, k), true);
     }
     else {

src/smt/expr_context_simplifier.cpp

@@ -401,10 +401,7 @@ void expr_strong_context_simplifier::simplify_basic(expr* fml, expr_ref& result)
                     args.push_back(arg);
                 }
             }
-            else if (!m.is_bool(arg)) {
-                args.push_back(arg);
-            }
-            else if (!n2) {                
+            else if (!n2 && m.is_bool(arg)) {                
                 n2 = m.mk_app(m_fn, m_arith.mk_numeral(rational(id++), true));
                 todo.push_back(arg);
                 parent_ids.push_back(self_pos);
@@ -677,10 +674,7 @@ void expr_strong_context_simplifier::simplify_model_based(expr* fml, expr_ref& r
                     args.push_back(arg);
                 }
             }
-            else if (!m.is_bool(arg)) {
-                args.push_back(arg);
-            }
-            else if (!n2) {                
+            else if (!n2 && m.is_bool(arg)) {                
                 n2 = m.mk_app(m_fn, m_arith.mk_numeral(rational(id++), true));
                 todo.push_back(arg);
                 parent_ids.push_back(self_pos);

src/smt/mam.cpp

@@ -1115,7 +1115,8 @@ namespace {
                     }
                 }
                 m_mp_already_processed[best_j] = true;
-                SASSERT(best != 0);
+                if (best == nullptr)
+                    continue;
                 app * p                 = best;
                 func_decl * lbl         = p->get_decl();
                 unsigned short num_args = p->get_num_args();
@@ -1225,7 +1226,11 @@ namespace {
 
             SASSERT(head->m_next == 0);
 
-            m_seq.push_back(m_ct_manager.mk_yield(m_qa, m_mp, m_qa->get_num_decls(), reinterpret_cast<unsigned*>(m_vars.begin())));
+            unsigned num_decls = m_qa->get_num_decls();
+            unsigned_vector var_regs(num_decls);
+            for (unsigned i = 0; i < num_decls; ++i)
+                var_regs[i] = static_cast<unsigned>(m_vars[i]);
+            m_seq.push_back(m_ct_manager.mk_yield(m_qa, m_mp, num_decls, var_regs.data()));
 
             for (instruction* curr : m_seq) {
                 head->m_next = curr;