Skip to content

heap-use-after-free on String formula at smt/theory_seq.h:171 (smt.threads 4, rewriter.sort_sums, rewriter.local_ctx, smt.arith.propagate_eqs false, rewriter.elim_and) #4085

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
rainoftime opened this issue Apr 24, 2020 · 0 comments
Closed

heap-use-after-free on String formula at smt/theory_seq.h:171 (smt.threads 4, rewriter.sort_sums, rewriter.local_ctx, smt.arith.propagate_eqs false, rewriter.elim_and) #4085

rainoftime opened this issue Apr 24, 2020 · 0 comments

Comments

@rainoftime
Copy link
Contributor

rainoftime commented Apr 24, 2020
edited
Loading

For the following formula,
uaf.txt

z3 7597396 throws a uaf

=================================================================
==177561==ERROR: AddressSanitizer: heap-use-after-free on address 0x614000086568 at pc 0x0000014ee2e7 bp 0x7ff46cb1d220 sp 0x7ff46cb1d210
READ of size 8 at 0x614000086568 thread T1
    #0 0x14ee2e6 in smt::theory_seq::eq::dep() const ../src/smt/theory_seq.h:171
    #1 0x1580f91 in smt::theory_seq::branch_ternary_variable2(smt::theory_seq::eq const&, bool) ../src/smt/seq_eq_solver.cpp:1033
    #2 0x157ce37 in smt::theory_seq::branch_ternary_variable1() ../src/smt/seq_eq_solver.cpp:755
    #3 0x1578737 in smt::theory_seq::branch_variable() ../src/smt/seq_eq_solver.cpp:470
    #4 0x14be502 in smt::theory_seq::final_check_eh() ../src/smt/theory_seq.cpp:411
    #5 0xfc7119 in smt::context::final_check() ../src/smt/smt_context.cpp:3856
    #6 0xfc6122 in smt::context::bounded_search() ../src/smt/smt_context.cpp:3772
    #7 0xfc385e in smt::context::search() ../src/smt/smt_context.cpp:3599
    #8 0xfc1dd7 in smt::context::check(unsigned int, expr* const*, bool) ../src/smt/smt_context.cpp:3482
    #9 0x1132d1d in smt::parallel::operator()(ref_vector<expr, ast_manager> const&)::{lambda(int)#3}::operator()(int) const (/home/peisen/test/tofuzz/z3-debug/build/z3+0x1132d1d)
    #10 0x1133971 in smt::parallel::operator()(ref_vector<expr, ast_manager> const&)::{lambda()#4}::operator()() const (/home/peisen/test/tofuzz/z3-debug/build/z3+0x1133971)
    #11 0x1136c63 in _M_invoke<> /usr/include/c++/5/functional:1531
    #12 0x1136b77 in operator() /usr/include/c++/5/functional:1520
    #13 0x1136b07 in _M_run /usr/include/c++/5/thread:115
    #14 0x7ff4702c0b8d  (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xd0b8d)
    #15 0x7ff4705da6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #16 0x7ff46fa0c41c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)
@rainoftime rainoftime changed the title heap-use-after-free on String formula at smt/theory_seq.h:171 (smt.threads 4, rewriter.sort_sums, rewriter.local_ctx, smt.arith.propagate_eqs false, rewriter.elim_and, heap-use-after-free on String formula at smt/theory_seq.h:171 (smt.threads 4, rewriter.sort_sums, rewriter.local_ctx, smt.arith.propagate_eqs false, rewriter.elim_and) Apr 24, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@rainoftime