Z3Prover / z3

The Z3 Theorem Prover

Consolidated bugs in arithmetic logics #4532

Closed wintered closed 3 years ago

wintered commented 4 years ago

The following trace shows a genuinely invalid model bug on a QF_NRA formula.

[556] % z3-4.8.8 rewriter.flat=false model_validate=true small.smt2
sat
(model 
 (define-fun c () Real
  (/ 1.0 8.0))
 (define-fun b () Real
  1.0)
 (define-fun d () Real
  (/ 1.0 4096.0))
 (define-fun e () Real
  5.0)
 (define-fun a () Real
  (/ 2561.0 1024.0))
)
[557] % z3release rewriter.flat=false model_validate=true small.smt2
sat
(error "line 9 column 10: an invalid model was generated")
(model 
 (define-fun e () Real
  (/ 9232379240400289791.0 4611686016279904256.0))
 (define-fun a () Real
  (- (/ 2143289343.0 2147483648.0)))
 (define-fun c () Real
  (/ 1.0 8.0))
 (define-fun d () Real
  (/ 50440315803061452800000000.0 631185189288030893469201889.0))
 (define-fun b () Real
  1.0)
)
[558] % 
[558] % cat small.smt2
; Reproducer for the QF_NRA invalid-model report above: five real unknowns,
; one non-linear inequality and two sign constraints.
(declare-fun a () Real)
(declare-fun b () Real)
(declare-fun c () Real)
(declare-fun d () Real)
(declare-fun e () Real)
; Non-linear in b, c, d and e (products of differences, c cubed). The model
; printed for z3release above fails model_validate=true, while the z3-4.8.8
; model for the same input validates.
(assert (> (* d (+ (- 117.293372755 c) (* (- (- b 117.293372755) e) 
(* (- (- b) e) (- (- b) e))))) (+ e (* (- a e) (- a (* c (* c c)))))))
(assert (>= b 0))
(assert (> d 0))
(check-sat)
(get-model)
[559] %

OS: Ubuntu 18.04. Commit: 3b11493. Does not reproduce in 6ced699.

muchang commented 4 years ago

Invalid model on incremental QF_UFLIA formula

[590] % z3release model_validate=true small.smt2
sat
sat
sat
(error "line 8 column 10: an invalid model was generated")
(model 
 (define-fun a () Int
  0)
 (define-fun c ((x!0 Int)) Bool
  true)
 (define-fun b ((x!0 Int)) Bool
  false)
)
[591] % 
[591] % cat small.smt2
; Reproducer for the incremental QF_UFLIA invalid-model report above.
(declare-fun a () Int)
(declare-fun b (Int) Bool)
(declare-fun c (Int) Bool)
; The model printed above assigns a := 0, which violates this assertion.
(assert (= a 1))
; check-sat with (b 1) as an assumption (z3 accepts literals after check-sat),
; then a plain check-sat, then a third one after a further assertion.
(check-sat (b 1))
(check-sat)
(assert (c 2))
; "line 8 column 10" in the error above is this third check-sat.
(check-sat)
(get-model)
[592] %

OS: Ubuntu 18.04 Commit: ae7d767

muchang commented 4 years ago

Another invalid model bug on incremental QF_UFLIA formula

[512] % z3release model_validate=true small.smt2
sat
sat
(error "line 47 column 10: an invalid model was generated")
(model 
 (define-fun a () Int
  0)
 (define-fun f ((x!0 Int)) Int
  0)
 (define-fun l ((x!0 Int)) Bool
  false)
 (define-fun i ((x!0 Int)) Bool
  false)
 (define-fun n ((x!0 Int)) Int
  0)
 (define-fun h ((x!0 Int)) Bool
  true)
 (define-fun g ((x!0 Int)) Int
  0)
 (define-fun c ((x!0 Int)) Bool
  true)
 (define-fun b ((x!0 Int)) Bool
  false)
 (define-fun d ((x!0 Int)) Bool
  false)
 (define-fun m ((x!0 Int)) Bool
  false)
 (define-fun k ((x!0 Int)) Bool
  false)
 (define-fun e ((x!0 Int)) Bool
  false)
 (define-fun j ((x!0 Int)) Bool
  false)
)
[513] % 
[513] % cat small.smt2
; Reproducer for the second incremental QF_UFLIA invalid-model report above:
; one Int constant, two Int-valued and eleven Bool-valued unary functions.
(declare-fun a () Int)
(declare-fun b (Int) Bool)
(declare-fun c (Int) Bool)
(declare-fun d (Int) Bool)
(declare-fun e (Int) Bool)
(declare-fun f (Int) Int)
(declare-fun g (Int) Int)
(declare-fun h (Int) Bool)
(declare-fun i (Int) Bool)
(declare-fun j (Int) Bool)
(declare-fun k (Int) Bool)
(declare-fun l (Int) Bool)
(declare-fun m (Int) Bool)
(declare-fun n (Int) Int)
; First check-sat is issued before any assertion.
(check-sat)
(assert (= (= (g 0) 1) (l 0)))
(assert (= (n 1) 0))
; Nested-let assertion: (g 2) equals an ite-cascade over the Bool predicates,
; a and (g 1). Note the inner let rebinds the names n and m locally.
(assert
 (let ((n (g 1)))
 (let ((r (+ 2 n)) (s 0) (m (l 0)))
 (let ((ab (ite m 0 n)) (t (e 0)))
 (let ((u (ite t ab s)) (v 0) (w (j 0)))
 (let ((x (ite w v n)) (y (d 0)))
 (let ((z (ite y x u)) (ac (i 0)))
 (let ((ad (ite ac r n)) (ae (c 0)))
 (let ((af (ite ae ad z)) (ag (= a 0)))
 (let ((ah (ite ag 0 af)) (ai (g 2)))
  (= ai ah)))))))))))
; (n 0) equals an ite-cascade that ends in (n 0) itself unless some predicate
; or (= a (- 1)) redirects it.
(assert
 (let ((aj (n 0)) (ak 0) (al 0) (am (k 0)))
 (let ((an (ite am al aj)) (ao (m 0)))
 (let ((ap (ite ao an ak)) (aq 0) (ar (d 1)))
 (let ((ay (ite ar aq ap)) (bj 0) (at (b 0)))
 (let ((au (ite at bj ay)) (av (= a (- 1))))
 (let ((aw (ite av 7 au)) (ax (n 0)))
  (= ax aw))))))))
; The model printed above maps n to the constant 0, so (n 0) = 0 violates
; this lower bound.
(assert (<= 1 (n 0)))
; (h 0) is defined as the conjunction of (<= 1 (f 0)), (= (g 0) 0) and (= (n 2) 0).
(assert
 (let ((az (f 0)))
 (let ((ba (<= 1 az)))
 (let ((bb (and ba)) (bc (g 0)))
 (let ((bd (= bc 0)))
 (let ((be (and bd bb)) (aj (n 2)))
 (let ((bf (= aj 0)))
 (let ((bg (and bf be)) (bh (h 0)))
  (= bh bg)))))))))
; "line 47 column 10" in the error above is this second check-sat.
(check-sat)
(get-model)
[514] %

OS: Ubuntu 18.04 Commit: ae7d767

muchang commented 4 years ago

Invalid model bug on incremental QF_LIA formula

[643] % z3release model_validate=true small.smt2
sat
sat
sat
(error "line 7 column 10: an invalid model was generated")
(model 
 (define-fun b () Int
  1)
 (define-fun a () Int
  0)
)
[644] % 
[644] % cat small.smt2
; Reproducer for the incremental QF_LIA invalid-model report above.
(declare-fun a () Int)
(declare-fun b () Int)
; First check-sat before any assertion.
(check-sat)
; The model printed above has a := 0, contradicting this assertion.
(assert (= a 1))
(check-sat)
(assert (distinct b 2))
; "line 7 column 10" in the error above is this third check-sat.
(check-sat)
(get-model)
[645] %

OS: Ubuntu 18.04 Commit: ae7d767

muchang commented 4 years ago

z3 solution unsoundness (and the error from 4.8.8 is strange)

[532] % z3-4.8.7 small.smt2
unsat
[533] % z3-4.8.8 small.smt2
(error "line 2 column 23: unknown function/constant b")
sat
[534] % z3release small.smt2
sat
[535] % 
[535] % cat small.smt2
; b ignores its argument and is always 0, so (= 1 (b ...)) cannot hold: the
; expected answer is unsat, as z3-4.8.7 prints above, while z3release answers sat.
(define-fun b ((c Int)) Int 0)
; (/ 1 1) is a division term (presumably Real-typed) passed where b expects an
; Int; z3-4.8.8 reports "unknown function/constant b" for this line instead
; of answering (see the transcript above).
(assert (= 1 (b (/ 1 1))))
(check-sat)
[536] %

Commit: 72d407a

muchang commented 3 years ago

Segmentation fault with smt.threads=2 on NIRA formula

[578] % z3release smt.threads=2 small.smt2
Segmentation fault
[579] % 
[579] % cat small.smt2
; Reproducer for the segmentation fault reported above when run with
; smt.threads=2. The quantified body mixes is_int, n-ary real division
; (/ 1 a ...), an integer division by the constant zero (div 5 0), and
; (/ 0 b) with an unconstrained divisor.
(assert (forall ((a Real) (b Real)) (xor (is_int a) (<= (/ 1 a (* (div 5 0) b)) (* (+ 2 a) (/ 0 b))))))
(check-sat)
[580] %

Commit: d0d06c2

muchang commented 3 years ago

Segmentation fault on the formula with seq

[531] % z3-4.8.8 small.smt2 
sat
[532] % z3release small.smt2 
Segmentation fault
[533] % 
[533] % cat small.smt2 
; Reproducer for the sequence segmentation fault reported above: z3-4.8.8
; answers sat, z3release crashes.
(declare-fun x () (Seq Int))
(declare-fun y () (Seq Int))
; Uninterpreted function from integer sequences to Boolean sequences.
(declare-fun f ((Seq Int)) (Seq Bool))
; Two distinct sequences that f maps to the same value.
(assert (distinct x y))
(assert (= (f x) (f y)))
(check-sat)
[534] %

Commit: cb4e519

muchang commented 3 years ago

Segmentation fault on the formula with declare-datatypes

[542] % z3-4.8.8 small.smt2
sat
[543] % z3release small.smt2
Segmentation fault
[544] % 
[544] % cat small.smt2
; Reproducer for the declare-datatypes segmentation fault reported above:
; z3-4.8.8 answers sat, z3release crashes.
; Datatype a with one constructor b carrying an Int field g.
(declare-datatypes ((a 0)) (((b (g Int)))))
(declare-sort c 0)
; Datatype d with constructor o over a Bool, an Int and a value of the
; uninterpreted sort c.
(declare-datatypes ((d 0)) (((o (r Bool) (e Int) (f c)))))
; h is a unit datatype (single nullary constructor i); j wraps an h.
(declare-datatypes ((h 0)) (((i))))
(declare-datatypes ((j 0)) (((k (l h)))))
(declare-fun m (j) c)
(declare-sort p 0)
(declare-fun q (p d a) Bool)
(declare-fun v (d Int) p)
(declare-const w Int)
(declare-const aa Bool)
(declare-const n Int)
(declare-const x h)
; s is a concrete d value built from the constants and (m (k x)).
(define-fun s () d (o aa w (m (k x))))
; Quantifies over d and a: q applied to (v s n) must differ from (= 0 (g u)).
(assert (forall ((t d) (u a)) (distinct (q (v s n) t u) (= 0 (g u)))))
(check-sat)
[545] %

Commit: 49a0266

muchang commented 3 years ago

(purify-arith default) Invalid model for NIRA formula

[584] % z3release model_validate=true small.smt2
sat
(error "line 10 column 44: an invalid model was generated")
(
 (define-fun h () Real
  0.0)
 (define-fun d () Real
  (- 1.0))
 (define-fun c () Real
  2.0)
 (define-fun e () Real
  (- 1.0))
 (define-fun b () Real
  0.0)
 (define-fun f () Real
  0.0)
 (define-fun a () Real
  1.0)
 (define-fun div0 ((x!0 Int) (x!1 Int)) Int
  0)
 (define-fun mod0 ((x!0 Int) (x!1 Int)) Int
  0)
)
[585] % cat small.smt2
; Reproducer for the (purify-arith default) invalid-model report above.
(declare-fun a () Real)
(declare-fun b () Real)
(declare-fun c () Real)
(declare-fun d () Real)
(declare-fun e () Real)
(declare-fun f () Real)
(declare-fun h () Real)
; Chained <= over an integer division and a modulus whose divisors,
; (to_int h) and (to_int d), are unconstrained and may be zero. The div0/mod0
; functions in the model above appear to be purify-arith's auxiliary
; definitions for those division-by-zero cases.
(assert (forall ((g Real)) (xor (<= 0.0 (div (to_int g) (to_int h)) (mod 0 (to_int d)) e) (= c 2.0))))
(assert (= a (div (to_int b) (to_int f))))
; "line 10 column 44" in the error above points at this command.
(check-sat-using (then purify-arith default))
(get-model)
[586] %

Commit: 621e992

muchang commented 3 years ago

(purify-arith ufbv) Invalid model for NIRA formula

[571] % z3release model_validate=true small.smt2
sat
(error "line 12 column 41: an invalid model was generated")
( 
 (define-fun f () Real
  0.0)
 (define-fun b () Real
  (- 1.0))
 (define-fun a () Real
  0.0)
 (define-fun d () Real
  0.0)
 (define-fun h () Real
  (- 2.0))
 (define-fun c () Real
  0.0)
 (define-fun g () Real
  0.0)
 (define-fun e () Real
  (- 1.0))
 (define-fun div0 ((x!0 Int) (x!1 Int)) Int
  (ite (and (= x!0 1) (= x!1 (- 1))) (- 1)
  (ite (and (= x!0 4) (= x!1 0)) 1
   0)))
 (define-fun mod0 ((x!0 Int) (x!1 Int)) Int
  (ite (and (= x!0 4) (= x!1 0)) (- 1)
   0))
)
[572] %
[572] % cat small.smt2
; Reproducer for the (purify-arith ufbv) invalid-model report above.
(declare-fun a () Real)
(declare-fun b () Real)
(declare-fun c () Real)
(declare-fun d () Real)
(declare-fun e () Real)
(declare-fun f () Real)
(declare-fun g () Real)
(declare-fun h () Real)
; Negated existential with a trivial (= 0 0) conjunct and a modulus whose
; divisor is the bound variable m.
(assert (not (exists ((m Real)) (and (= 0 0) (<= 0.0 (mod (to_int f) (to_int m))) (= d 2.0)))))
; n-ary integer division with unconstrained (possibly zero) divisors; the
; div0/mod0 functions in the model above appear to be purify-arith's auxiliary
; definitions for the division-by-zero cases.
(assert (> (div 4 (to_int a) (to_int b)) h))
(assert (= e (mod (to_int c) (to_int g))))
; "line 12 column 41" in the error above points at this command.
(check-sat-using (then purify-arith ufbv))
(get-model)
[573] %

Commit: 621e992

NikolajBjorner commented 3 years ago

Bugs with qffd + arithmetic are 'wont-fix' (rocket); bugs that touch nlsat are treated as duplicates (rocket); many bugs are now seen as fixed (eyes); several others without eyes/rocket are seen as duplicates (after triaging a sufficient number of instances). Open a new consolidated issue if something was missed.