mirror of https://github.com/Z3Prover/z3 synced 2026-07-05 14:56:11 +00:00
z3/src/model
Nikolaj Bjorner 3d29d81607 Fix TPTP polymorphism crashes in final-check and model checking
Root-caused and fixed 261 debug-assertion crashes found by running Z3
across the TPTP benchmarks (-tptp -T:5 model_validate=true):

1. theory_polymorphism::final_check_eh returned FC_DONE after assigning
   the negation of its (already-true) theory assumption, which creates a
   conflict. Returning FC_DONE reported l_true while the context was
   inconsistent, tripping SASSERT(status != l_true || !inconsistent())
   in context::restart. Return FC_CONTINUE so conflict resolution turns
   it into l_false and the normal research loop runs.

2. model_evaluator::get_macro, polymorphic branch: def = subst(def)
   assigned an expr_ref temporary to a raw expr*&; the temporary freed
   the freshly substituted term, leaving def dangling (use-after-free
   during model evaluation). Pin the substituted def in m_pinned, as the
   as-array path already does.

3. smt_model_checker::add_instance: relax stale
   SASSERT(!m.is_model_value(sk_term)); get_inv may legitimately return a
   model value in polymorphic settings, already handled downstream by
   get_type_compatible_term.

Unit tests: 92 passed, 0 failed. All 261 assertion crashes resolved;
the 3 remaining files are controlled ERR_PARSER (exit 103) rejections.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-07-03 20:32:04 -07:00
array_factory.cpp Standardize for-loop increments to prefix form (++i) (#8199) 2026-02-18 20:57:29 -08:00
array_factory.h Remove empty leaf destructors. (#6211) 2022-07-30 10:07:03 +01:00
char_factory.h fix a few more warnings 2021-02-19 12:16:05 +00:00
CMakeLists.txt rename finite_set_value_factor to finite_set_factory. Fix type bugs when creating unions of values 2025-10-17 15:09:12 +02:00
datatype_factory.cpp Prevent special treatment of non-recursive siblings (#9903) 2026-06-19 10:08:30 -06:00
datatype_factory.h Remove empty leaf destructors. (#6211) 2022-07-30 10:07:03 +01:00
finite_set_factory.cpp rename finite_set_value_factor to finite_set_factory. Fix type bugs when creating unions of values 2025-10-17 15:09:12 +02:00
finite_set_factory.h rename finite_set_value_factor to finite_set_factory. Fix type bugs when creating unions of values 2025-10-17 15:09:12 +02:00
fpa_factory.h Fix unused parameter warnings in empty override functions by omitting parameter names (#8174) 2026-02-18 20:57:11 -08:00
func_interp.cpp add init-table for common sub-expressions 2026-06-19 10:07:46 -07:00
func_interp.h add init-table for common sub-expressions 2026-06-19 10:07:46 -07:00
model.cpp Add finite_set_value_factory for creating finite set values in model generation (#7981) 2026-02-18 20:53:44 -08:00
model.h remove theory_str and classes that are only used by it 2025-08-07 21:05:12 -07:00
model2expr.cpp call it data instead of c_ptr for approaching C++11 std::vector convention. 2021-04-13 18:17:35 -07:00
model2expr.h Remove redundant default constructors when they're the only constructor (#8461) 2026-02-18 20:58:01 -08:00
model_core.cpp disable test in tptp, move to native lambdas 2026-06-02 10:38:51 -07:00
model_core.h Update model_core.h 2026-06-01 19:47:40 -07:00
model_evaluator.cpp Fix TPTP polymorphism crashes in final-check and model checking 2026-07-03 20:32:04 -07:00
model_evaluator.h remove theory_str and classes that are only used by it 2025-08-07 21:05:12 -07:00
model_evaluator_params.pyg model evaluator: cleanup cache when model_eval param changes 2019-03-02 16:42:18 +00:00
model_implicant.cpp Standardize for-loop increments to prefix form (++i) (#8199) 2026-02-18 20:57:29 -08:00
model_implicant.h Centralize and document TRACE tags using X-macros (#7657) 2025-05-28 14:31:25 +01:00
model_macro_solver.cpp Term enumeration (#9908) 2026-06-20 18:14:44 -06:00
model_macro_solver.h Use = default for virtual constructors. 2022-08-05 18:11:46 +03:00
model_params.pyg set default to true to avoid regression failures 2022-03-23 12:20:53 -07:00
model_pp.cpp Standardize for-loop increments to prefix form (++i) (#8199) 2026-02-18 20:57:29 -08:00
model_pp.h remove '#include <iostream>' from headers and from unneeded places 2022-06-17 14:10:19 +01:00
model_smt2_pp.cpp Standardize for-loop increments to prefix form (++i) (#8199) 2026-02-18 20:57:29 -08:00
model_smt2_pp.h booyah 2020-07-04 15:56:30 -07:00
model_v2_pp.cpp Standardize for-loop increments to prefix form (++i) (#8199) 2026-02-18 20:57:29 -08:00
model_v2_pp.h remove '#include <iostream>' from headers and from unneeded places 2022-06-17 14:10:19 +01:00
numeral_factory.cpp remove default destructors 2024-10-02 22:20:12 +01:00
numeral_factory.h remove default destructors 2024-10-02 22:20:12 +01:00
seq_factory.h remove symbol -> zstring -> symbol round-trips 2021-05-22 13:12:49 -07:00
struct_factory.cpp restructure base class struct_factory so that enumeration of values for a sort comes together with hash-table access. This allows to use the enumeration view during value creations for finite sets 2025-10-16 13:15:23 +02:00
struct_factory.h restructure base class struct_factory so that enumeration of values for a sort comes together with hash-table access. This allows to use the enumeration view during value creations for finite sets 2025-10-16 13:15:23 +02:00
value_factory.cpp remove default destructors 2024-10-02 22:20:12 +01:00
value_factory.h Fix unused parameter warnings in empty override functions by omitting parameter names (#8174) 2026-02-18 20:57:11 -08:00