heap-use-after-free on String formula at smt/theory_seq.h:171 (smt.threads 4, rewriter.sort_sums, rewriter.local_ctx, smt.arith.propagate_eqs false, rewriter.elim_and) #4085
Description
For the following formula,
uaf.txt
z3 7597396 throws a uaf
=================================================================
==177561==ERROR: AddressSanitizer: heap-use-after-free on address 0x614000086568 at pc 0x0000014ee2e7 bp 0x7ff46cb1d220 sp 0x7ff46cb1d210
READ of size 8 at 0x614000086568 thread T1
#0 0x14ee2e6 in smt::theory_seq::eq::dep() const ../src/smt/theory_seq.h:171
#1 0x1580f91 in smt::theory_seq::branch_ternary_variable2(smt::theory_seq::eq const&, bool) ../src/smt/seq_eq_solver.cpp:1033
#2 0x157ce37 in smt::theory_seq::branch_ternary_variable1() ../src/smt/seq_eq_solver.cpp:755
#3 0x1578737 in smt::theory_seq::branch_variable() ../src/smt/seq_eq_solver.cpp:470
#4 0x14be502 in smt::theory_seq::final_check_eh() ../src/smt/theory_seq.cpp:411
#5 0xfc7119 in smt::context::final_check() ../src/smt/smt_context.cpp:3856
#6 0xfc6122 in smt::context::bounded_search() ../src/smt/smt_context.cpp:3772
#7 0xfc385e in smt::context::search() ../src/smt/smt_context.cpp:3599
#8 0xfc1dd7 in smt::context::check(unsigned int, expr* const*, bool) ../src/smt/smt_context.cpp:3482
#9 0x1132d1d in smt::parallel::operator()(ref_vector<expr, ast_manager> const&)::{lambda(int)#3}::operator()(int) const (/home/peisen/test/tofuzz/z3-debug/build/z3+0x1132d1d)
#10 0x1133971 in smt::parallel::operator()(ref_vector<expr, ast_manager> const&)::{lambda()#4}::operator()() const (/home/peisen/test/tofuzz/z3-debug/build/z3+0x1133971)
#11 0x1136c63 in _M_invoke<> /usr/include/c++/5/functional:1531
#12 0x1136b77 in operator() /usr/include/c++/5/functional:1520
#13 0x1136b07 in _M_run /usr/include/c++/5/thread:115
#14 0x7ff4702c0b8d (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xd0b8d)
#15 0x7ff4705da6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
#16 0x7ff46fa0c41c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)