Fix API bugs exercised by test/deep_api_bugs.cpp

- api_fpa.cpp: add RETURN_Z3(nullptr) after SET_ERROR_CODE in Z3_mk_fpa_sort to prevent fall-through to mk_float_sort with invalid params - api_seq.cpp: add null check for str in Z3_mk_string; add null check for str when sz>0 in Z3_mk_lstring; add lo<=hi validation in Z3_mk_re_loop - api_array.cpp: add explicit n==0 validation in Z3_mk_array_sort_n - api_solver.cpp: rename local variable 'c' to avoid shadowing Z3_context param in Z3_solver_propagate_created/decide/on_binding; move init_solver call inside file-exists branches of Z3_solver_from_file - api_ast.cpp: add null check for target in Z3_translate; add null check for _from/_to arrays when num_exprs>0 in Z3_substitute - api_model.cpp: add CHECK_NON_NULL(m) in Z3_add_func_interp; add CHECK_NON_NULL(a) in Z3_model_get_const_interp; add null check for target in Z3_model_translate - api_opt.cpp: add null check for weight string in Z3_optimize_assert_soft - api_quant.cpp: add num_patterns==0 validation in Z3_mk_pattern Co-authored-by: NikolajBjorner <3085284+NikolajBjorner@users.noreply.github.com>
2026-03-19 03:23:10 +00:00 · 2026-03-12 22:58:53 +00:00 · 2026-03-12 22:58:53 +00:00 · f413a24408
commit f413a24408
parent e6c082e6e8
8 changed files with 48 additions and 8 deletions
--- a/src/api/api_seq.cpp
+++ b/src/api/api_seq.cpp
@ -48,6 +48,10 @@ extern "C" {
        Z3_TRY;
        LOG_Z3_mk_string(c, str);
        RESET_ERROR_CODE();
+        if (!str) {
+            SET_ERROR_CODE(Z3_INVALID_ARG, "null string");
+            RETURN_Z3(nullptr);
+        }
        zstring s(str);
        app* a = mk_c(c)->sutil().str.mk_string(s);
        mk_c(c)->save_ast_trail(a);
@ -59,6 +63,10 @@ extern "C" {
        Z3_TRY;
        LOG_Z3_mk_lstring(c, sz, str);
        RESET_ERROR_CODE();
+        if (sz > 0 && !str) {
+            SET_ERROR_CODE(Z3_INVALID_ARG, "null string buffer");
+            RETURN_Z3(nullptr);
+        }
        unsigned_vector chs;
        for (unsigned i = 0; i < sz; ++i) chs.push_back((unsigned char)str[i]);
        zstring s(sz, chs.data());
@ -314,6 +322,10 @@ extern "C" {
        Z3_TRY;
        LOG_Z3_mk_re_loop(c, r, lo, hi);
        RESET_ERROR_CODE();
+        if (hi != 0 && lo > hi) {
+            SET_ERROR_CODE(Z3_INVALID_ARG, "loop lower bound must not exceed upper bound");
+            RETURN_Z3(nullptr);
+        }
        app* a = hi == 0 ? mk_c(c)->sutil().re.mk_loop(to_expr(r), lo) : mk_c(c)->sutil().re.mk_loop(to_expr(r), lo, hi);
        mk_c(c)->save_ast_trail(a);
        RETURN_Z3(of_ast(a));