Fix off-by-one vulnerabilities: use range-based for on goals; cache loop bound

Co-authored-by: NikolajBjorner <3085284+NikolajBjorner@users.noreply.github.com>

src/ackermannization/ackermannize_bv_tactic.cpp

@@ -38,8 +38,7 @@ public:
         TRACE(goal, g->display(tout << "in\n"););
 
         ptr_vector<expr> flas;
-        const unsigned sz = g->size();
-        for (unsigned i = 0; i < sz; ++i) flas.push_back(g->form(i));
+        for (auto [f, dep, pr] : *g) flas.push_back(f);
         lackr lackr(m, m_p, m_st, flas, nullptr);
 
         // mk result

src/ackermannization/ackr_bound_probe.cpp

@@ -62,10 +62,9 @@ class ackr_bound_probe : public probe {
 public:
     result operator()(goal const & g) override {
         proc p(g.m());
-        unsigned sz = g.size();
         expr_fast_mark1 visited;
-        for (unsigned i = 0; i < sz; ++i) {
-            for_each_expr_core<proc, expr_fast_mark1, true, true>(p, visited, g.form(i));
+        for (auto [curr, dep, pr] : g) {
+            for_each_expr_core<proc, expr_fast_mark1, true, true>(p, visited, curr);
         }
         p.prune_non_select();
         double total = ackr_helper::calculate_lemma_bound(p.m_fun2terms, p.m_sel2terms);

src/ackermannization/ackr_model_converter.cpp

@@ -103,7 +103,7 @@ void ackr_model_converter::convert_constants(model * source, model * destination
     evaluator.set_model_completion(true);
     array_util autil(m);
 
-    for (unsigned i = 0; i < source->get_num_constants(); ++i) {
+    for (unsigned i = 0, n = source->get_num_constants(); i < n; ++i) {
         func_decl * const c = source->get_constant(i);
         app * const term = info->find_term(c);
         expr * value = source->get_const_interp(c);