dafny output as SMT file - z3

I successfully wrote a verified Dafny program that given an integer array, returns the length of the longest monotone prefix. The permalink is here. I want to be able to examine the SMT file Dafny used, even though there were no errors. I tried various flag options like:
$ dafny example_longest_monotone.dfy /useSmtOutputFormat /printModelToFile:smt_file.smt
But none seem to work. Am I wrong in thinking that there must be some underlying SMT query that returned unsat in the case where Dafny succeeds?

The command line flag to output the prover input is /proverLog:<file>.
You can also print the Boogie file that Dafny produces using /print:<file>.

Related

dafny corresponding SMT queries

I'm trying to inspect a simple looping program that finds the maximal element in an integer array. The permalink is here. Everything works fine, but I'm really interested in the resulting SMT file, so I extracted it using:
$ dafny /compile:3 /proverLog:./mySMT.smt myCode.dfy
Then ran with z3 as follows:
$ z3 ./mySMT.smt
I got 3 unsat responses and I was wondering what are the corresponding 3 queries?
I looked at the *.smt file and found 11K of machine-generated SMT.
Any tips on deciphering the SMT file? Thanks!
If you want the resulting SMT file, then that 11K file is your answer. I imagine that looking at it will lead you to the conclusion that you don't actually want to look at the resulting SMT file.
So, I don't know what it is that you want to accomplish. If you want to learn more about your program, then the best way is to work (only) from the Dafny program text. For example, you can add more assert statements to, essentially, ask the verifier if the given condition is provable at the location of the statement.
If you're interested in how Dafny encodes its verification conditions (that is, if you yourself are a tool developer and want to learn how to generate good verification conditions), then I suggest you use the /print switch to generate the Boogie program that Dafny generates. With some understanding of the Boogie intermediate verification language, the Boogie code is readable. For a more tutorial account of how to encode a Dafny-like language into Boogie, I recommend:
"Specification and verification of object-oriented software",
K. Rustan M. Leino.
Lecture note, Marktoberdorf 2008.
Rustan
PS. Unless you insist on particular formatting, you can print your array elements without using a loop if you first convert the array's element to a sequence:
print "a = ", a[..], "\n";
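As an added example (not code from either thread, and not Dafny's or Boogie's own tooling), the following Python script splits a multi-query SMT-LIB2 file such as a /proverLog output into its individual (check-sat) queries, so that the k-th "unsat" z3 prints can be matched with the k-th query and with the assertions that were live at that point. It assumes the log wraps each obligation in (push)/(pop) around a (check-sat), which is how Boogie-style logs are commonly laid out; the embedded log is constructed for the example and is not real tool output.

```python
"""Split a multi-query SMT-LIB2 script into its (check-sat) queries.

Added example; assumes each obligation sits in its own (push)/(pop) scope,
so the assertions live at query k are the global ones plus the open scopes.
"""
from dataclasses import dataclass


def tokenize_commands(text):
    """Return the top-level S-expressions of a script as strings.

    ';' comments, "string literals" and |quoted symbols| are skipped so
    that parentheses inside them do not disturb the depth count.
    """
    commands, depth, start, i = [], 0, None, 0
    while i < len(text):
        c = text[i]
        if c == ";":                      # comment runs to end of line
            i = text.find("\n", i)
            if i == -1:
                break
        elif c == '"':                    # string literal; "" escapes a quote
            i += 1
            while i < len(text):
                if text[i] == '"':
                    if i + 1 < len(text) and text[i + 1] == '"':
                        i += 2
                        continue
                    break
                i += 1
        elif c == "|":                    # quoted symbol, no escapes inside
            i = text.index("|", i + 1)
        elif c == "(":
            if depth == 0:
                start = i
            depth += 1
        elif c == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced ')' at offset %d" % i)
            if depth == 0:
                commands.append(text[start:i + 1])
        i += 1
    if depth != 0:
        raise ValueError("unterminated command (missing ')')")
    return commands


def command_name(cmd):
    """Name of a command, e.g. "(push 1)" -> "push", "(check-sat)" -> "check-sat"."""
    return cmd[1:].split(None, 1)[0].rstrip(")")


def scope_count(cmd):
    """Numeric argument of (push n) / (pop n); defaults to 1."""
    parts = cmd.strip("()").split()
    return int(parts[1]) if len(parts) > 1 else 1


@dataclass
class Query:
    index: int            # 1-based; the k-th answer z3 prints belongs to query k
    live_commands: list   # options, declarations and assertions visible at this check-sat

    def asserts(self):
        return [c for c in self.live_commands if command_name(c) == "assert"]

    def text(self):
        """A stand-alone script that reproduces just this query."""
        return "\n".join(self.live_commands + ["(check-sat)"])


def split_queries(text):
    scopes = [[]]                          # scopes[0] is the global scope
    queries = []
    for cmd in tokenize_commands(text):
        name = command_name(cmd)
        if name == "push":
            scopes.extend([] for _ in range(scope_count(cmd)))
        elif name == "pop":
            for _ in range(scope_count(cmd)):
                if len(scopes) == 1:
                    raise ValueError("(pop) without matching (push)")
                scopes.pop()
        elif name == "check-sat":
            queries.append(Query(len(queries) + 1, [c for s in scopes for c in s]))
        elif name.startswith("get-"):
            continue                       # get-info/get-model/... add no constraints
        else:
            scopes[-1].append(cmd)
    return queries


# Constructed sample in the shape of a Boogie/Dafny prover log; not real tool output.
SAMPLE_LOG = """\
(set-option :produce-proofs false)
(declare-fun n () Int)
(declare-fun a () (Array Int Int))
(assert (>= n 0))                          ; background fact shared by every query
(push 1)
(assert (not (=> (> n 0) (>= n 0))))       ; query 1: negated obligation
(check-sat)
(get-info :reason-unknown)
(pop 1)
(push 1)
(declare-fun |i#0| () Int)
(assert (and (>= |i#0| 0) (< |i#0| n)))
(assert (not (< |i#0| n)))                 ; query 2: index-in-bounds obligation
(check-sat)
(pop 1)
(push 1)
(set-info :source "quoted ) paren must not split this")
(assert (not (= (select a 0) (select a 0))))   ; query 3
(check-sat)
(pop 1)
"""


def summarize(text):
    """(index, number of live assertions, last assertion) per query.
    In Boogie-style logs the last assertion is typically the negated goal (assumption)."""
    return [(q.index, len(q.asserts()), q.asserts()[-1]) for q in split_queries(text)]


if __name__ == "__main__":
    for index, n_asserts, goal in summarize(SAMPLE_LOG):
        print("query %d: %d live assertions, last: %s" % (index, n_asserts, goal))
```

Run it against the real file with `split_queries(open("mySMT.smt").read())`; `Query.text()` gives a single-query script that can be fed to z3 on its own to confirm which obligation produced which answer.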

How to make z3 generate proof of unsatisfiability?

I am trying to use z3 from the command line as a SAT solver, but I can't figure out how to make it generate a proof of unsatisfiability. No matter what I do, it just prints "unsat" with no explanation, and nothing I can find online has helped. I tried passing proof=true on the command line, but nothing changed.
../z3-4.8.6-x64-ubuntu-16.04/bin/z3 proof=true unsat_core=true test_tx.cnf
unsat
z3 can generate proofs in SMTLib mode (though the proof format is rather unspecified). I'm not sure if it can even generate proofs in the CNF mode at all, though it certainly should be possible. Your best bet might be to file an issue at https://github.com/Z3Prover/z3/issues and see if this is supported.

Getting a counterexample from µZ3 (Horn solver)

Using Z3's Horn clause solver:
If the answer is SAT, one can get a satisfying assignment to the unknown predicates (which, in most applications, correspond to inductive invariants of some kind of transition system or procedure call system).
If the answer is unsat, then this means there exists an unfolding of the Horn clauses and an assignment to the universally quantified variables in the Horn clauses such that at least one of the safety conditions (the clauses with a false head) is violated. This constitutes a concrete witness why the system had no solution.
I suspect that if Z3 can conclude unsat, then it has some form of such witness internally (and this anyway is the case in PDR, if I remember well). Is there a way to print it out?
Maybe I badly read the documentation, but I can't find a way. (get-proof) prints something unreadable, and, besides, (set-option :produce-proofs true) makes some problems intractable.
The refutation that Z3 produces for HORN logic problems is in the form of a tree of unit-resulting resolution steps. The counterexample you're looking for is hiding in the conclusions of the unit-resolution steps. These conclusions (the last arguments of the rules) are ground facts that correspond to program states (or procedure summaries or whatever) in the counterexample. The variable bindings that produce these facts can be found in "quant-inst" rules.
Obviously, this is not human readable, and actually is pretty hard to read by machine. For Boogie I implemented a more regular format, but it is currently only available with the duality engine and only for the fixedpoint format using "rule" and "query". You can get this using the following command.
(query :engine duality :print-certificate true)

z3 SMT solver: unknown result after running QF_BVRE benchmark

I just downloaded the benchmarks for seq and regexp sorts (using z3-4.3.2). What could be the problem when I get unknown as result after running "membership_1.smt2"?
I did not specify any further command line options. According to the benchmark it should result in sat, but unknown is printed without any model.
Thank you
edit:
I noticed further that "re-begin" is not recognized. Has this to do with the version of z3, or did you just forget a command line option?
Firstly, I don't know where the OP or commenter found the "membership_1.smt2" example input. I checked the SMT-LIB benchmarks, and the source of Z3, S3, and Z3-str, and couldn't find it.
In any case, the problem was that the OP was testing a benchmark written either for S3 or Z3-str and running it against an unmodified version of Z3. S3 and Z3-str require a modified version of Z3 to handle these extensions. This is described on the S3 website [S3: A Symbolic String Solver for Web Security Analysis, http://www.comp.nus.edu.sg/~trinhmt/S3/, accessed Aug. 4, 2016]:
Modified Version of Z3 Solver
The source code of the modified Z3 is available here.
We modify Z3 to have the interaction between String theory and Arithmetic theory.
These newly-added API methods allow us to query the length of a string variable, and the relationship between the lengths of different string variables, as shown in our CCS'14 paper.
Our modified version of Z3 is also used by Z3-str GROUP for integer/string theory integration.
Grepping the (unmodified) Z3 source shows no matches for "re-begin" or "re-concat". Grepping the modified version shows that these tokens are defined in lib/seq_decl_plugin.cpp of z3-source-060115.zip.

Z3 4.0: get complete model

I need a complete model of an SMTLIB2 formula:
http://pastebin.com/KiwFJTrK
Z3 (version 3.2 and 4.0) returns values for all variables but not for var4. I tried some configuration settings like
MODEL_COMPLETION = true
but it did not seem to work. Does anybody have a suggestion? CVC3 in comparison returns a model (including var4), so it is not an issue of SMTLIB or my example.
The reason I need this is explained here in detail. In short: I want to use the C API for incremental solving. For this reason I have to use the function Z3_parse_smtlib2_string multiple times. This function needs previously declared functions and constants as parameters. I am unable to get this information via Z3_get_smtlib_decl because these kind of functions work just when z3_parse_smtlib_string is called, not Z3_parse_smtlib2_string.
You can avoid this problem by adding the following option in the beginning of your script.
(set-option :auto-config false)
I will fix it for the next release.
Here is a short explanation of what is going on.
Z3 has a solver for 0-1 integer problems. After preprocessing, your script is tagged as a 0-1 integer problem by Z3. The value of var4 is a "don't care" when the problem is viewed as a 0-1 problem, but it is not a "don't care" when the problem is viewed as an integer problem (var4 must be 0 or 1). By default, Z3 will not display the value of "don't care" variables.
MODEL_COMPLETION=true will complete the model as you request values for constants that are not included in the model. For example, if we execute (eval var4), Z3 will produce an interpretation for var4.
