Skip to content

Segfault on empty IntConst name #2712

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
Egor18 opened this issue Nov 18, 2019 · 0 comments
Closed

Segfault on empty IntConst name #2712

Egor18 opened this issue Nov 18, 2019 · 0 comments

Comments

@Egor18
Copy link
Contributor

Egor18 commented Nov 18, 2019

This code segfaults on win64 (I tried both z3-4.8.4 and z3-4.8.7):

    public static void main(String[] args)
    {
        Context context = new Context();
        Solver solver = context.mkSolver();

        Sort sort = context.mkArraySort(context.getIntSort(), context.mkBitVecSort(64));
        ArrayExpr memoryArray = (ArrayExpr) context.mkFreshConst("bv64_mem_array", sort);

        IntExpr thisPointer = context.mkIntConst(""); // <= put some non-empty string and it will be ok
        solver.add(context.mkDistinct(thisPointer, context.mkInt(0)));

        IntExpr paramPointer = context.mkIntConst("param");

        BitVecExpr x = (BitVecExpr) context.mkSelect(memoryArray, thisPointer);
        BitVecExpr y = (BitVecExpr) context.mkSelect(memoryArray, paramPointer);
        BitVecExpr result = context.mkBVAdd(x, y);

        // (x ^ result) & (y ^ result)) < 0
        Status res = solver.check(context.mkBVSLT(context.mkBVAND(context.mkBVXOR(x, result), context.mkBVXOR(y, result)), context.mkBV(0, 64)));

        System.out.println(res);
    }

#
# A fatal error has been detected by the Java Runtime Environment:
#
#  EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x00007fff04e446e3, pid=12188, tid=0x0000000000002bac
#
# JRE version: Java(TM) SE Runtime Environment (8.0_151-b12) (build 1.8.0_151-b12)
# Java VM: Java HotSpot(TM) 64-Bit Server VM (25.151-b12 mixed mode windows-amd64 compressed oops)
# Problematic frame:
# C  [libz3.dll+0x9c46e3]
#
# Failed to write core dump. Minidumps are not enabled by default on client versions of Windows
#
# An error report file with more information is saved as:
# C:\Users\Egor\IdeaProjects\z3test\hs_err_pid12188.log
#
# If you would like to submit a bug report, please visit:
#   http://bugreport.java.com/bugreport/crash.jsp
# The crash happened outside the Java Virtual Machine in native code.
# See problematic frame for where to report the bug.
#

Process finished with exit code 1

Surprisingly it crashes only with this particular formula.
It stops crashing if you use some non-empty string for the name, so I fixed my code, but I thought that it would be a good idea to report this.
My guess is that z3 tries to access some element of this string somewhere, but since it is empty we get an access violation.
NikolajBjorner added a commit that referenced this issue Nov 18, 2019
@NikolajBjorner
fix for null symbol #2712
05ad90c 
Signed-off-by: Nikolaj Bjorner <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@NikolajBjorner @Egor18