diff options
| author | Andres Noetzli <andres.noetzli@gmail.com> | 2018-04-13 18:22:11 -0700 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2018-04-13 18:22:11 -0700 |
| commit | 84ead159cfbb76c8a6195ed2a64102529a84bdac (patch) | |
| tree | 740621df486464fc6284f4d19326c79705d9080d /src/theory/bv/bitblast/eager_bitblaster.h | |
| parent | 10c36f53033aadb6e2f3bf16f2d7305b793fd0e4 (diff) | |
Fix use-after-free in eager bitblaster (#1772)
There was a use-after-free in the eager bitblaster: the context used by
the SAT solver was destroyed before the solver. This lead to a
use-after-free in the destructor of the SAT solver when destroying
context-dependent objects. This commit fixes the issue by changing the
desctruction order such that the context is destroyed after the SAT
solver.
Note: This issue was introduced in commit
a917cc2ab4956b542b1f565abf0e62b197692f8d because d_nullContext and
d_satSolver were changed to be std::unique_ptrs.
Diffstat (limited to 'src/theory/bv/bitblast/eager_bitblaster.h')
| -rw-r--r-- | src/theory/bv/bitblast/eager_bitblaster.h | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/theory/bv/bitblast/eager_bitblaster.h b/src/theory/bv/bitblast/eager_bitblaster.h index 8610d0181..bea275c67 100644 --- a/src/theory/bv/bitblast/eager_bitblaster.h +++ b/src/theory/bv/bitblast/eager_bitblaster.h @@ -55,11 +55,12 @@ class EagerBitblaster : public TBitblaster<Node> void setProofLog(BitVectorProof* bvp); private: + std::unique_ptr<context::Context> d_nullContext; + typedef std::unordered_set<TNode, TNodeHashFunction> TNodeSet; // sat solver used for bitblasting and associated CnfStream std::unique_ptr<prop::SatSolver> d_satSolver; std::unique_ptr<BitblastingRegistrar> d_bitblastingRegistrar; - std::unique_ptr<context::Context> d_nullContext; std::unique_ptr<prop::CnfStream> d_cnfStream; TheoryBV* d_bv; |