3
0
Fork 0
mirror of https://github.com/Z3Prover/z3 synced 2026-02-28 19:01:29 +00:00

Merge pull request #8766 from Z3Prover/copilot/fix-critical-bugs-from-discussion

Fix critical static-analysis true positives: null deref, division by zero, dangling pointer
This commit is contained in:
Nikolaj Bjorner 2026-02-25 09:22:45 -08:00 committed by GitHub
commit c51f45bf5e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 9 additions and 3 deletions

View file

@ -164,7 +164,7 @@ extern "C" {
model::scoped_model_completion _scm(*_m, model_completion); model::scoped_model_completion _scm(*_m, model_completion);
result = (*_m)(to_expr(t)); result = (*_m)(to_expr(t));
mk_c(c)->save_ast_trail(result.get()); mk_c(c)->save_ast_trail(result.get());
*v = of_ast(result.get()); if (v) *v = of_ast(result.get());
RETURN_Z3_model_eval true; RETURN_Z3_model_eval true;
Z3_CATCH_RETURN(false); Z3_CATCH_RETURN(false);
} }

View file

@ -531,6 +531,8 @@ namespace mbp {
} }
arr_vars.shrink(j); arr_vars.shrink(j);
aux_vars.append (m_aux_vars); aux_vars.append (m_aux_vars);
m_mev = nullptr;
M = nullptr;
} }
}; };

View file

@ -834,7 +834,7 @@ namespace pb {
} }
void solver::ineq::divide(unsigned c) { void solver::ineq::divide(unsigned c) {
if (c == 1) return; if (c <= 1) return;
for (unsigned i = size(); i-- > 0; ) { for (unsigned i = size(); i-- > 0; ) {
m_wlits[i].first = (coeff(i) + c - 1) / c; m_wlits[i].first = (coeff(i) + c - 1) / c;
} }
@ -857,7 +857,7 @@ namespace pb {
*/ */
void solver::round_to_one(ineq& ineq, bool_var v) { void solver::round_to_one(ineq& ineq, bool_var v) {
unsigned c = ineq.bv_coeff(v); unsigned c = ineq.bv_coeff(v);
if (c == 1) return; if (c <= 1) return;
unsigned sz = ineq.size(); unsigned sz = ineq.size();
for (unsigned i = 0; i < sz; ++i) { for (unsigned i = 0; i < sz; ++i) {
unsigned ci = ineq.coeff(i); unsigned ci = ineq.coeff(i);

View file

@ -187,11 +187,15 @@ public:
} }
checked_int64& operator/=(checked_int64 const& other) { checked_int64& operator/=(checked_int64 const& other) {
if (CHECK && other.m_value == 0)
throw overflow_exception();
m_value /= other.m_value; m_value /= other.m_value;
return *this; return *this;
} }
checked_int64& operator%=(checked_int64 const& other) { checked_int64& operator%=(checked_int64 const& other) {
if (CHECK && other.m_value == 0)
throw overflow_exception();
m_value %= other.m_value; m_value %= other.m_value;
return *this; return *this;
} }