From 89b08f2e68933e1da033f827ea1f10cd8ee224e9 Mon Sep 17 00:00:00 2001
From: Tim King
Date: Fri, 9 Dec 2016 14:28:23 -0800
Subject: [PATCH] Fixing a use after free bug in Polynomial::denominatorLCM.

---
 src/theory/arith/normal_form.cpp | 7 +++----
 src/theory/arith/simplex.cpp | 4 ++--
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/src/theory/arith/normal_form.cpp b/src/theory/arith/normal_form.cpp
index d7c580395..ec396b24e 100644
--- a/src/theory/arith/normal_form.cpp
+++ b/src/theory/arith/normal_form.cpp
@@ -528,14 +528,13 @@ Integer Polynomial::numeratorGCD() const {
 Integer Polynomial::denominatorLCM() const {
 Integer tmp(1);
- for(iterator i=begin(), e=end(); i!=e; ++i){
- const Constant& c = (*i).getConstant();
- tmp = tmp.lcm(c.getValue().getDenominator());
+ for (iterator i = begin(), e = end(); i != e; ++i) {
+ const Integer denominator = (*i).getConstant().getValue().getDenominator();
+ tmp = tmp.lcm(denominator);
 }
 return tmp;
 }
-
 Constant Polynomial::getCoefficient(const VarList& vl) const{
 //TODO improve to binary search...
 for(iterator iter=begin(), myend=end(); iter != myend; ++iter){
diff --git a/src/theory/arith/simplex.cpp b/src/theory/arith/simplex.cpp
index fecb06811..66f878b1a 100644
--- a/src/theory/arith/simplex.cpp
+++ b/src/theory/arith/simplex.cpp
@@ -30,7 +30,8 @@ namespace arith {
 SimplexDecisionProcedure::SimplexDecisionProcedure(LinearEqualityModule& linEq, ErrorSet& errors, RaiseConflict conflictChannel, TempVarMalloc tvmalloc)
- : d_conflictVariables()
+ : d_pivots(0),
+ d_conflictVariables()
 , d_linEq(linEq)
 , d_variables(d_linEq.getVariables())
 , d_tableau(d_linEq.getTableau())
@@ -43,7 +44,6 @@ SimplexDecisionProcedure::SimplexDecisionProcedure(LinearEqualityModule& linEq,
 , d_zero(0)
 , d_posOne(1)
 , d_negOne(-1)
- , d_pivots(0)
 {
 d_heuristicRule = options::arithErrorSelectionRule();
 d_errorSet.setSelectionRule(d_heuristicRule);
-- 
2.30.2
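Review bot: The new `const Integer denominator = ...` line in `Polynomial::denominatorLCM()` has no comment saying why the value is copied, so a later cleanup could turn it back into a reference and reintroduce the bug. Going by the commit subject, the removed `const Constant& c = (*i).getConstant();` presumably left `c` referring into a temporary produced by `(*i)` that is destroyed at the end of that statement. A one-line comment such as `// Copy the denominator: *i is a temporary, so references into it dangle after this statement.` would record that. The hunk header shows `numeratorGCD()` directly above, whose body is not visible here. It is worth checking that function and other loops over `Polynomial::iterator` for the same reference-to-temporary pattern, and running the arithmetic regressions under AddressSanitizer to confirm the fix.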
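Review bot: The added initializer `: d_pivots(0),` in the first simplex.cpp hunk ends with a trailing comma while every other entry in the list uses a leading comma, so the list now mixes two styles; `: d_pivots(0)` followed by `, d_conflictVariables()` would match the rest. The move presumably aligns the list with the member declaration order, which is not visible here. That order matters because `d_variables(d_linEq.getVariables())` and `d_tableau(d_linEq.getTableau())` read `d_linEq` during initialization, and members are initialized in declaration order however the list is written; building with `-Wreorder` enabled keeps the two in sync. This reordering is unrelated to the use-after-free named in the subject, and the description does not mention it. The constructor's initializer list and body continue outside the hunk.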