[Consolidated] segfaults on various formulas

[zhendongsu]

Commit: 28328e6

[519] % z3release small.smt2
Segmentation fault
[520] % z3debug small.smt2
Segmentation fault
[521] % z3san small.smt2
ASAN:DEADLYSIGNAL
=================================================================
==20593==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd3259cfc0 (pc 0x55c5658b71e6 bp 0x7ffd3259d040 sp 0x7ffd3259cfb0 T0)
    #0 0x55c5658b71e5 in ast_manager::get_plugin(int) const ../src/ast/ast.cpp:1634
    #1 0x55c565663c73 in arith_util::init_plugin() ../src/ast/arith_decl_plugin.cpp:749
    #2 0x55c565663c73 in arith_util::plugin() const ../src/ast/arith_decl_plugin.h:374
    #3 0x55c565663c73 in arith_util::is_considered_uninterpreted(func_decl*, unsigned int, expr* const*, obj_ref<func_decl, ast_manager>&) ../src/ast/arith_decl_plugin.cpp:831
    #4 0x55c5645a3ecf in mev::evaluator_cfg::evaluate_partial_theory_func(func_decl*, unsigned int, expr* const*, obj_ref<expr, ast_manager>&, obj_ref<app, ast_manager>&) ../src/model/model_evaluator.cpp:352
    #5 0x55c5645ab361 in mev::evaluator_cfg::reduce_app_core(func_decl*, unsigned int, expr* const*, obj_ref<expr, ast_manager>&, obj_ref<app, ast_manager>&) ../src/model/model_evaluator.cpp:249
    #6 0x55c5645b3c34 in mev::evaluator_cfg::reduce_app(func_decl*, unsigned int, expr* const*, obj_ref<expr, ast_manager>&, obj_ref<app, ast_manager>&) ../src/model/model_evaluator.cpp:150
    #7 0x55c5645b3c34 in bool rewriter_tpl<mev::evaluator_cfg>::process_const<false>(app*) ../src/ast/rewriter/rewriter_def.h:83
    #8 0x55c5645b43a5 in bool rewriter_tpl<mev::evaluator_cfg>::visit<false>(expr*, unsigned int) ../src/ast/rewriter/rewriter_def.h:195
    #9 0x55c5645a67e4 in void rewriter_tpl<mev::evaluator_cfg>::process_app<false>(app*, rewriter_core::frame&) ../src/ast/rewriter/rewriter_def.h:265
    #10 0x55c5645a881d in void rewriter_tpl<mev::evaluator_cfg>::resume_core<false>(obj_ref<expr, ast_manager>&, obj_ref<app, ast_manager>&) ../src/ast/rewriter/rewriter_def.h:774
    #11 0x55c5645a9701 in void rewriter_tpl<mev::evaluator_cfg>::main_loop<false>(expr*, obj_ref<expr, ast_manager>&, obj_ref<app, ast_manager>&) ../src/ast/rewriter/rewriter_def.h:733
    #12 0x55c56459205b in rewriter_tpl<mev::evaluator_cfg>::operator()(expr*, obj_ref<expr, ast_manager>&, obj_ref<app, ast_manager>&) ../src/ast/rewriter/rewriter_def.h:813
    #13 0x55c56459205b in rewriter_tpl<mev::evaluator_cfg>::operator()(expr*, obj_ref<expr, ast_manager>&) ../src/ast/rewriter/rewriter.h:356
    #14 0x55c56459205b in model_evaluator::operator()(expr*, obj_ref<expr, ast_manager>&) ../src/model/model_evaluator.cpp:686
    #15 0x55c564593481 in model_evaluator::operator()(expr*) ../src/model/model_evaluator.cpp:694
    #16 0x55c5645ab0dc in mev::evaluator_cfg::reduce_app_core(func_decl*, unsigned int, expr* const*, obj_ref<expr, ast_manager>&, obj_ref<app, ast_manager>&) ../src/model/model_evaluator.cpp:269
    #17 0x55c5645b3c34 in mev::evaluator_cfg::reduce_app(func_decl*, unsigned int, expr* const*, obj_ref<expr, ast_manager>&, obj_ref<app, ast_manager>&) ../src/model/model_evaluator.cpp:150
    #18 0x55c5645b3c34 in bool rewriter_tpl<mev::evaluator_cfg>::process_const<false>(app*) ../src/ast/rewriter/rewriter_def.h:83
...
SUMMARY: AddressSanitizer: stack-overflow ../src/ast/ast.cpp:1634 in ast_manager::get_plugin(int) const
==20593==ABORTING
[522] % 
[522] % cat small.smt2
(set-option :model_evaluator.completion true)
(set-option :rewriter.expand_nested_stores true)
(declare-fun a () (Array (_ BitVec 2) (_ BitVec 2)))
(declare-fun b () (Array (_ BitVec 2) (_ BitVec 2)))
(declare-fun c () (Array (_ BitVec 2) (_ BitVec 2)))
(assert
 (= (_ bv1 1)
  (bvsdiv (_ bv1 1)
   (bvand
    (ite (= a (store (store (store b (_ bv0 2) (_ bv0 2)) (_ bv1 2) (_ bv1 2)) (_ bv0 2) (_ bv0 2)))
     (_ bv1 1)
     (_ bv0 1))
    (bvcomp (_ bv0 1)
     (ite (= a (store (store (store c (_ bv1 2) (_ bv1 2)) (_ bv0 2) (_ bv1 2)) (_ bv1 2) (_ bv0 2)))
      (_ bv1 1)
      (_ bv0 1)))))))
(check-sat)
[523] % 

[zhendongsu]

[535] % z3release small.smt2
Segmentation fault
[536] % z3debug small.smt2
Segmentation fault
[537] % z3san small.smt2
ASAN:DEADLYSIGNAL
=================================================================
==16062==ERROR: AddressSanitizer: stack-overflow on address 0x7ffebe99fff8 (pc 0x7febde5e058c bp 0x000000000020 sp 0x7ffebe9a0000 T0)
    #0 0x7febde5e058b  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x10358b)
    #1 0x7febde5e00e7  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x1030e7)
    #2 0x7febde505271  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x28271)
    #3 0x7febde5bbb0a in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb0a)
    #4 0x55b310470dfd in memory::allocate(unsigned long) ../src/util/memory_manager.cpp:273
    #5 0x55b30f138450 in vector<expr*, false, unsigned int>::expand_vector() ../src/util/vector.h:183
    #6 0x55b30f138450 in vector<expr*, false, unsigned int>::push_back(expr* const&) ../src/util/vector.h:533
    #7 0x55b30f138450 in ref_vector_core<expr, ref_manager_wrapper<expr, ast_manager> >::push_back(expr*) ../src/util/ref_vector.h:105
    #8 0x55b30f138450 in var_shifter::process_var(var*) ../src/ast/rewriter/rewriter.cpp:391
    #9 0x55b30f13e7f9 in var_shifter_core::visit(expr*) ../src/ast/rewriter/rewriter.cpp:256
    #10 0x55b30f1416dc in var_shifter_core::main_loop(expr*, obj_ref<expr, ast_manager>&) ../src/ast/rewriter/rewriter.cpp:333
    #11 0x55b30f1416dc in var_shifter::operator()(expr*, unsigned int, unsigned int, unsigned int, obj_ref<expr, ast_manager>&) ../src/ast/rewriter/rewriter.cpp:377
    #12 0x55b30ebbf626 in var_shifter::operator()(expr*, unsigned int, obj_ref<expr, ast_manager>&) ../src/ast/rewriter/rewriter.h:161
    #13 0x55b30ebbf626 in void rewriter_tpl<mev::evaluator_cfg>::process_var<false>(var*) ../src/ast/rewriter/rewriter_def.h:59
    #14 0x55b30ebce5d2 in bool rewriter_tpl<mev::evaluator_cfg>::visit<false>(expr*, unsigned int) ../src/ast/rewriter/rewriter_def.h:205
    #15 0x55b30ebc07e4 in void rewriter_tpl<mev::evaluator_cfg>::process_app<false>(app*, rewriter_core::frame&) ../src/ast/rewriter/rewriter_def.h:265
    #16 0x55b30ebc281d in void rewriter_tpl<mev::evaluator_cfg>::resume_core<false>(obj_ref<expr, ast_manager>&, obj_ref<app, ast_manager>&) ../src/ast/rewriter/rewriter_def.h:774
    #17 0x55b30ebc3701 in void rewriter_tpl<mev::evaluator_cfg>::main_loop<false>(expr*, obj_ref<expr, ast_manager>&, obj_ref<app, ast_manager>&) ../src/ast/rewriter/rewriter_def.h:733
    #18 0x55b30ebac05b in rewriter_tpl<mev::evaluator_cfg>::operator()(expr*, obj_ref<expr, ast_manager>&, obj_ref<app, ast_manager>&) ../src/ast/rewriter/rewriter_def.h:813
    #19 0x55b30ebac05b in rewriter_tpl<mev::evaluator_cfg>::operator()(expr*, obj_ref<expr, ast_manager>&) ../src/ast/rewriter/rewriter.h:356
    #20 0x55b30ebac05b in model_evaluator::operator()(expr*, obj_ref<expr, ast_manager>&) ../src/model/model_evaluator.cpp:686
    #21 0x55b30ebad481 in model_evaluator::operator()(expr*) ../src/model/model_evaluator.cpp:694
    #22 0x55b30ebc50dc in mev::evaluator_cfg::reduce_app_core(func_decl*, unsigned int, expr* const*, obj_ref<expr, ast_manager>&, obj_ref<app, ast_manager>&) ../src/model/model_evaluator.cpp:269
    #23 0x55b30ebcdc34 in mev::evaluator_cfg::reduce_app(func_decl*, unsigned int, expr* const*, obj_ref<expr, ast_manager>&, obj_ref<app, ast_manager>&) ../src/model/model_evaluator.cpp:150
    #24 0x55b30ebcdc34 in bool rewriter_tpl<mev::evaluator_cfg>::process_const<false>(app*) ../src/ast/rewriter/rewriter_def.h:83
...
SUMMARY: AddressSanitizer: stack-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x10358b) 
==16062==ABORTING
[538] % 
[538] % cat small.smt2
(set-option :model_evaluator.completion true)
(declare-fun a () Real)
(declare-fun b () (Array Int Real))
(declare-fun c () (Array Int Real))
(declare-fun g () (Array Int Real))
(assert (forall ((d Int)) (= (select b d) a)))
(assert (forall ((e Int)) (= (select c e) a)))
(assert (forall ((f Int)) (distinct (select g f) a)))
(check-sat)
[539] % 

[zhendongsu]

[544] % z3-4.8.8 small.smt2
unknown
[545] % z3-4.8.10 small.smt2
Segmentation fault
[546] % z3release small.smt2
Segmentation fault
[547] % z3debug small.smt2
ASSERTION VIOLATION
File: ../src/sat/tactic/goal2sat.cpp
Line: 580
t->get_num_args() == 2
(C)ontinue, (A)bort, (S)top, (T)hrow exception, Invoke (G)DB
a
[548] % 
[548] % cat small.smt2
(assert xor)
(check-sat)
[549] % 

[zhendongsu]

[555] % z3release small.smt2
Segmentation fault
[556] % z3debug small.smt2
Segmentation fault
[557] % z3san small.smt2
ASAN:DEADLYSIGNAL
=================================================================
==29547==ERROR: AddressSanitizer: stack-overflow on address 0x7ffea453bff8 (pc 0x7fed12592bf4 bp 0x7ffea453c870 sp 0x7ffea453c000 T0)
    #0 0x7fed12592bf3  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xeebf3)
    #1 0x7fed12582b67 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb67)
    #2 0x55ffb32b8dfd in memory::allocate(unsigned long) ../src/util/memory_manager.cpp:273
    #3 0x55ffb1f7e780 in vector<rewriter_core::scope, false, unsigned int>::expand_vector() ../src/util/vector.h:183
    #4 0x55ffb1f7e780 in vector<rewriter_core::scope, false, unsigned int>::push_back(rewriter_core::scope&&) ../src/util/vector.h:549
    #5 0x55ffb1f7e780 in rewriter_core::begin_scope() ../src/ast/rewriter/rewriter.cpp:110
    #6 0x55ffb1a17a1b in rewriter_tpl<mev::evaluator_cfg>::begin_scope() ../src/ast/rewriter/rewriter.h:297
    #7 0x55ffb1a17a1b in void rewriter_tpl<mev::evaluator_cfg>::process_quantifier<false>(quantifier*, rewriter_core::frame&) ../src/ast/rewriter/rewriter_def.h:522
    #8 0x55ffb1a0a555 in void rewriter_tpl<mev::evaluator_cfg>::resume_core<false>(obj_ref<expr, ast_manager>&, obj_ref<app, ast_manager>&) ../src/ast/rewriter/rewriter_def.h:777
    #9 0x55ffb1a0b701 in void rewriter_tpl<mev::evaluator_cfg>::main_loop<false>(expr*, obj_ref<expr, ast_manager>&, obj_ref<app, ast_manager>&) ../src/ast/rewriter/rewriter_def.h:733
    #10 0x55ffb19f405b in rewriter_tpl<mev::evaluator_cfg>::operator()(expr*, obj_ref<expr, ast_manager>&, obj_ref<app, ast_manager>&) ../src/ast/rewriter/rewriter_def.h:813
    #11 0x55ffb19f405b in rewriter_tpl<mev::evaluator_cfg>::operator()(expr*, obj_ref<expr, ast_manager>&) ../src/ast/rewriter/rewriter.h:356
    #12 0x55ffb19f405b in model_evaluator::operator()(expr*, obj_ref<expr, ast_manager>&) ../src/model/model_evaluator.cpp:686
    #13 0x55ffb19f5481 in model_evaluator::operator()(expr*) ../src/model/model_evaluator.cpp:694
    #14 0x55ffb1a0d0dc in mev::evaluator_cfg::reduce_app_core(func_decl*, unsigned int, expr* const*, obj_ref<expr, ast_manager>&, obj_ref<app, ast_manager>&) ../src/model/model_evaluator.cpp:269
    #15 0x55ffb1a15c34 in mev::evaluator_cfg::reduce_app(func_decl*, unsigned int, expr* const*, obj_ref<expr, ast_manager>&, obj_ref<app, ast_manager>&) ../src/model/model_evaluator.cpp:150
    #16 0x55ffb1a15c34 in bool rewriter_tpl<mev::evaluator_cfg>::process_const<false>(app*) ../src/ast/rewriter/rewriter_def.h:83
...
SUMMARY: AddressSanitizer: stack-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xeebf3) 
==29547==ABORTING
[558] % 
[558] % cat small.smt2
(set-option :model_evaluator.completion true)
(declare-fun a () Real)
(declare-fun b () (Array Int Real))
(declare-fun c () (Array Int (Array Int Real)))
(declare-fun k () (Array Int Real))
(declare-fun d () (Array Int Real))
(assert
 (xor
  (and (forall ((e Int) (f Int)) (= 0 a))
   (forall ((l Int)) (= (select b l) a))
   (forall ((g Int)) (= (select k g) a))
   (forall ((h Int)) (= (= h 0) (= (select d h) a))))
  (forall ((i Int) (j Int)) (= (select (select c i) j) a))))
(check-sat)
[559] %