Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Issue with check_sat_cc #5

Open
hgvk94 opened this issue Nov 5, 2020 · 1 comment
Open

Issue with check_sat_cc #5

hgvk94 opened this issue Nov 5, 2020 · 1 comment

Comments

@hgvk94
Copy link
Owner

hgvk94 commented Nov 5, 2020

Instance
commit
Running z3 with default options causes it to either seg fault:

    frame #0: 0x00000000016eec8b z3`smt::conflict_resolution::process_justifications(this=0x0000000002512f48) at smt_conflict_resolution.cpp:204:21
   201 	            while (m_todo_js_qhead < sz) {
   202 	                justification * js = m_todo_js[m_todo_js_qhead];
   203 	                m_todo_js_qhead++;
-> 204 	                js->get_antecedents(*this);
   205 	            }
   206 	            while (!m_todo_eqs.empty()) {
   207 	                enode_pair p = m_todo_eqs.back();
(lldb) bt
* thread #1, name = 'z3', stop reason = signal SIGSEGV: invalid address (fault address: 0xff20)
  * frame #0: 0x00000000016eec8b z3`smt::conflict_resolution::process_justifications(this=0x0000000002512f48) at smt_conflict_resolution.cpp:204:21
    frame #1: 0x00000000016eec02 z3`smt::conflict_resolution::justification2literals_core(this=0x0000000002512f48, js=0x0000000002721388, result=0x0000000002513090) at smt_conflict_resolution.cpp:195:9
    frame #2: 0x00000000016eef5c z3`smt::conflict_resolution::justification2literals(this=0x0000000002512f48, js=0x0000000002721388, result=0x0000000002513090) at smt_conflict_resolution.cpp:241:9
    frame #3: 0x00000000016ef19a z3`smt::conflict_resolution::get_justification_max_lvl(this=0x0000000002512f48, js=0x0000000002721388) at smt_conflict_resolution.cpp:264:9
    frame #4: 0x00000000016ef4cb z3`smt::conflict_resolution::get_max_lvl(this=0x0000000002512f48, consequent=(m_val = 1), js=(m_data = 0x0000000002707058)) at smt_conflict_resolution.cpp:298:33
    frame #5: 0x00000000016eff97 z3`smt::conflict_resolution::initialize_resolve(this=0x0000000002512f48, conflict=(m_data = 0x0000000002707058), not_l=(m_val = -2), js=0x00007fffffff75d8, consequent=0x00007fffffff75d0) at smt_conflict_resolution.cpp:398:31
    frame #6: 0x00000000016f2c1c z3`smt::conflict_resolution::resolve(this=0x0000000002512f48, conflict=(m_data = 0x0000000002707058), not_l=(m_val = -2)) at smt_conflict_resolution.cpp:486:14
    frame #7: 0x000000000172d840 z3`smt::context::resolve_conflict(this=0x000000000251aaa8) at smt_context.cpp:4079:36
    frame #8: 0x000000000171cddb z3`smt::context::decide_clause(this=0x000000000251aaa8) at smt_context.cpp:3320:13
    frame #9: 0x000000000171be58 z3`smt::context::decide(this=0x000000000251aaa8) at smt_context.cpp:1761:21
    frame #10: 0x000000000172b185 z3`smt::context::bounded_search(this=0x000000000251aaa8) at smt_context.cpp:3909:18
    frame #11: 0x0000000001729997 z3`smt::context::search(this=0x000000000251aaa8) at smt_context.cpp:3745:22
    frame #12: 0x000000000172a566 z3`smt::context::check(this=0x000000000251aaa8, cube=0x000000000252c6d0, clauses=0x00007fffffff8bd0) at smt_context.cpp:3650:17
    frame #13: 0x000000000177cc55 z3`smt::kernel::imp::check(this=0x000000000251aaa8, cube=0x000000000252c6d0, clause=0x00007fffffff8bd0) at smt_kernel.cpp:120:29
    frame #14: 0x000000000177bda8 z3`smt::kernel::check(this=0x000000000252c9f0, cube=0x000000000252c6d0, clauses=0x00007fffffff8bd0) at smt_kernel.cpp:336:23
    frame #15: 0x00000000017f546e z3`(anonymous namespace)::smt_solver::check_sat_cc_core(this=0x000000000252c698, cube=0x000000000252c6d0, clauses=0x00007fffffff8bd0) at smt_solver.cpp:200:30
    frame #16: 0x00000000012e06db z3`solver_na2as::check_sat_cc(this=0x000000000252c698, assumptions=0x00000000025358d0, clauses=0x00007fffffff8bd0) at solver_na2as.cpp:73:12
    frame #17: 0x00000000012e3345 z3`pool_solver::check_sat_cc_core(this=0x0000000002535898, cube=0x00000000025358d0, clauses=0x00007fffffff8bd0) at solver_pool.cpp:191:29
    frame #18: 0x00000000012e06db z3`solver_na2as::check_sat_cc(this=0x0000000002535898, assumptions=0x00000000025e0140, clauses=0x00007fffffff8bd0) at solver_na2as.cpp:73:12
    frame #19: 0x000000000210d440 z3`spacer::iuc_solver::check_sat_cc(this=0x00000000025e0098, cube=0x00007fffffff8c00, clauses=0x00007fffffff8bd0) at spacer_iuc_solver.cpp:137:37
    frame #20: 0x00000000020b0c46 z3`spacer::prop_solver::maxsmt(this=0x00000000024d67a8, hard=0x00007fffffff8c00, soft=0x00007fffffff8e50, clauses=0x00007fffffff8bd0) at spacer_prop_solver.cpp:242:24
    frame #21: 0x00000000020b1176 z3`spacer::prop_solver::internal_check_assumptions(this=0x00000000024d67a8, hard_atoms=0x00007fffffff8c00, soft_atoms=0x00007fffffff8e50, clauses=0x00007fffffff8bd0) at spacer_prop_solver.cpp:308:20
    frame #22: 0x00000000020b1a82 z3`spacer::prop_solver::check_assumptions(this=0x00000000024d67a8, _hard=0x00007fffffff9258, soft=0x00007fffffff8e50, clause=0x0000000002523470, num_bg=2, bg=0x000000000271c6b0, solver_id=1) at spacer_prop_solver.cpp:386:17
    frame #23: 0x000000000206d0fa z3`spacer::pred_transformer::check_inductive(this=0x0000000002523388, level=0, state=0x00007fffffff9258, uses_level=0x00007fffffff9334, weakness=0) at spacer_context.cpp:1553:27
    frame #24: 0x00000000020a82ab z3`spacer::lemma_bool_inductive_generalizer::operator(this=0x00000000026ad018, lemma=0x00007fffffffa7c8)(ref<spacer::lemma>&) at spacer_generalizers.cpp:97:16

or throw an assertion violation at file: src/ast/ast.cpp, line 3170:

frame #1: 0x0000000000abbbe8 z3`ast_manager::mk_unit_resolution(this=0x00000000023dab38, num_proofs=4, proofs=0x00007fffffff6cc0, new_fact=0x00000000023dd208) at ast.cpp:3170:9
    frame #2: 0x00000000016f8750 z3`smt::conflict_resolution::get_proof(this=0x0000000002537578, l=(m_val = 1), js=(m_data = 0x00000000026ef3f8)) at smt_conflict_resolution.cpp:1041:24
    frame #3: 0x00000000016f0f8e z3`smt::conflict_resolution::mk_conflict_proof(this=0x0000000002537578, conflict=(m_data = 0x00000000026ef3f8), not_l=(m_val = -2)) at smt_conflict_resolution.cpp:1327:18
    frame #4: 0x00000000016f03c7 z3`smt::conflict_resolution::initialize_resolve(this=0x0000000002537578, conflict=(m_data = 0x00000000026ef3f8), not_l=(m_val = -2), js=0x00007fffffff75a8, consequent=0x00007fffffff75a0) at smt_conflict_resolution.cpp:417:17
    frame #5: 0x00000000016f2c1c z3`smt::conflict_resolution::resolve(this=0x0000000002537578, conflict=(m_data = 0x00000000026ef3f8), not_l=(m_val = -2)) at smt_conflict_resolution.cpp:486:14
    frame #6: 0x000000000172d840 z3`smt::context::resolve_conflict(this=0x000000000251e6e8) at smt_context.cpp:4079:36
    frame #7: 0x000000000171cddb z3`smt::context::decide_clause(this=0x000000000251e6e8) at smt_context.cpp:3320:13
    frame #8: 0x000000000171be58 z3`smt::context::decide(this=0x000000000251e6e8) at smt_context.cpp:1761:21
    frame #9: 0x000000000172b185 z3`smt::context::bounded_search(this=0x000000000251e6e8) at smt_context.cpp:3909:18
    frame #10: 0x0000000001729997 z3`smt::context::search(this=0x000000000251e6e8) at smt_context.cpp:3745:22
    frame #11: 0x000000000172a566 z3`smt::context::check(this=0x000000000251e6e8, cube=0x000000000251b8a0, clauses=0x00007fffffff8ba0) at smt_context.cpp:3650:17
    frame #12: 0x000000000177cc55 z3`smt::kernel::imp::check(this=0x000000000251e6e8, cube=0x000000000251b8a0, clause=0x00007fffffff8ba0) at smt_kernel.cpp:120:29
    frame #13: 0x000000000177bda8 z3`smt::kernel::check(this=0x000000000251bbc0, cube=0x000000000251b8a0, clauses=0x00007fffffff8ba0) at smt_kernel.cpp:336:23
    frame #14: 0x00000000017f546e z3`(anonymous namespace)::smt_solver::check_sat_cc_core(this=0x000000000251b868, cube=0x000000000251b8a0, clauses=0x00007fffffff8ba0) at smt_solver.cpp:200:30
    frame #15: 0x00000000012e06db z3`solver_na2as::check_sat_cc(this=0x000000000251b868, assumptions=0x000000000251d710, clauses=0x00007fffffff8ba0) at solver_na2as.cpp:73:12
    frame #16: 0x00000000012e3345 z3`pool_solver::check_sat_cc_core(this=0x000000000251d6d8, cube=0x000000000251d710, clauses=0x00007fffffff8ba0) at solver_pool.cpp:191:29
    frame #17: 0x00000000012e06db z3`solver_na2as::check_sat_cc(this=0x000000000251d6d8, assumptions=0x00000000025e2b70, clauses=0x00007fffffff8ba0) at solver_na2as.cpp:73:12
    frame #18: 0x000000000210d440 z3`spacer::iuc_solver::check_sat_cc(this=0x00000000025e2ac8, cube=0x00007fffffff8bd0, clauses=0x00007fffffff8ba0) at spacer_iuc_solver.cpp:137:37
    frame #19: 0x00000000020b0c46 z3`spacer::prop_solver::maxsmt(this=0x00000000025149c8, hard=0x00007fffffff8bd0, soft=0x00007fffffff8e20, clauses=0x00007fffffff8ba0) at spacer_prop_solver.cpp:242:24
    frame #20: 0x00000000020b1176 z3`spacer::prop_solver::internal_check_assumptions(this=0x00000000025149c8, hard_atoms=0x00007fffffff8bd0, soft_atoms=0x00007fffffff8e20, clauses=0x00007fffffff8ba0) at spacer_prop_solver.cpp:308:20
    frame #21: 0x00000000020b1a82 z3`spacer::prop_solver::check_assumptions(this=0x00000000025149c8, _hard=0x00007fffffff9228, soft=0x00007fffffff8e20, clause=0x00000000025259b0, num_bg=2, bg=0x00000000026d8cb0, solver_id=1) at spacer_prop_solver.cpp:386:17
    frame #22: 0x000000000206d0fa z3`spacer::pred_transformer::check_inductive(this=0x00000000025258c8, level=0, state=0x00007fffffff9228, uses_level=0x00007fffffff9304, weakness=0) at spacer_context.cpp:1553:27
    frame #23: 0x00000000020a82ab z3`spacer::lemma_bool_inductive_generalizer::operator(this=0x00000000026b8268, lemma=0x00007fffffffa798)(ref<spacer::lemma>&) at spacer_generalizers.cpp:97:16

The behaviour change is random. Sometimes, the behaviour change happens when changing random seeds, sometimes it happens when enabling certain traces.

I have also observed unsoundness in the query right before the query which produces this issue. However, I cannot reproduce unsoundness at the moment.
@hgvk94
Copy link
Owner Author

hgvk94 commented Nov 5, 2020

Update:
To reproduce unsoundness issue, run this commit on this instance with the option -tr:spacer.ind_gen. It should throw an assertion violation inside solver_pool.cpp. It will dump many benchmarks. The trace file will contain the name of the dumped benchmarks and models for SAT queries.

The dumped benchmark pool_solver_vsolver#1_5.smt2 is an UNSAT instance. If this benchmark is run from the command line, z3 does not terminate. When this benchmark is run from within Spacer, the check-sat-cc function is called with the assumption (or Inv_ext0_n Inv__tr0 Inv__tr1). This call to check-sat-cc will return SAT with a model that falsifies the assumption clause.

hgvk94 pushed a commit that referenced this issue Aug 4, 2023
@mtzguido
bool_rewriter: fix possible segfault when disabling rewriter.sort_dis…
7c380fd 
…junctions (Z3Prover#6779)

After introducing the rewriter.sort_disjunctions option (Z3Prover#6774), I
noticed a segfault in a Z3 run that was working fine for me before the
PR.

I traced the difference to a slight discrepancy between the first patch
I submitted and the one we ended up merging: my first version would skip
sorting the disjuncts in mk_nflat_core, but still return BR_DONE, while
the patch in master returns BR_FAILED instead.

This patch fixes that problem, and it makes slightly more sense to me to
return a BR_DONE since, if `s` is true, some disjunct (e.g. a `false`
or a repeat) might have been simplified away. However I don't fully
understand this code.

... and I can't say I understand why the segfault happens. Perhaps that
is a separate issue?

This is the file to reproduce:
 https://gist.github.com/mtzguido/b7360c74d3d2e42d89f1bd9149ad26f6

Here's a stack trace of the failure, mk_nflat_or_core is not involved.
```
 (gdb) where
 #0  0x0000555555b98497 in smt::context::get_lit_assignment(unsigned int) const ()
 #1  0x0000555555b984cb in smt::context::get_assignment(sat::literal) const ()
 #2  0x0000555555b98504 in smt::context::get_assignment(unsigned int) const ()
 #3  0x0000555555ca83b8 in smt::context::get_assignment_core(expr*) const ()
 #4  0x0000555555c9af5a in smt::context::get_assignment(expr*) const ()
 #5  0x0000555555d7bd1d in (anonymous namespace)::has_child_assigned_to(smt::context&, app*, lbool, expr*&, unsigned int) ()
 #6  0x0000555555d7c413 in (anonymous namespace)::rel_case_split_queue::next_case_split_core(ptr_vector<expr>&, unsigned int&, unsigned int&, lbool&) ()
 #7  0x0000555555d7c589 in (anonymous namespace)::rel_case_split_queue::next_case_split(unsigned int&, lbool&) ()
 #8  0x0000555555c9c1b7 in smt::context::decide() ()
 #9  0x0000555555ca39fd in smt::context::bounded_search() ()
 #10 0x0000555555ca30c2 in smt::context::search() ()
 Z3Prover#11 0x0000555555ca273d in smt::context::check(unsigned int, expr* const*, bool) ()
 Z3Prover#12 0x0000555555cb166a in smt::kernel::check(unsigned int, expr* const*) ()
 Z3Prover#13 0x0000555555cb9695 in (anonymous namespace)::smt_solver::check_sat_core2(unsigned int, expr* const*) ()
 Z3Prover#14 0x00005555560dc0c6 in solver_na2as::check_sat_core(unsigned int, expr* const*) ()
 Z3Prover#15 0x00005555560d73f3 in combined_solver::check_sat_core(unsigned int, expr* const*) ()
 Z3Prover#16 0x00005555560d34e3 in solver::check_sat(unsigned int, expr* const*) ()
 Z3Prover#17 0x0000555556097b26 in cmd_context::check_sat(unsigned int, expr* const*) ()
 Z3Prover#18 0x0000555556082ff0 in smt2::parser::parse_check_sat() ()
 Z3Prover#19 0x0000555556084dc0 in smt2::parser::parse_cmd() ()
 Z3Prover#20 0x00005555560861b6 in smt2::parser::operator()() ()
 Z3Prover#21 0x00005555560757e6 in parse_smt2_commands(cmd_context&, std::basic_istream<char, std::char_traits<char> >&, bool, params_ref const&, char const*) ()
 Z3Prover#22 0x00005555555e8f68 in read_smtlib2_commands(char const*) ()
 Z3Prover#23 0x00005555555ee6f6 in main ()
 (gdb)
```
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@hgvk94