solution unsoundness on a string formula #6483

zhendongsu · 2021-05-04T08:53:39Z

Commit: 441c53b
OS: Ubuntu 18.04

It also affects cvc4-1.7 and cvc4-1.8, but both can detect the produced invalid model.

[619] % z3release small.smt2
unsat
(error "line 14 column 10: model is not available")
[620] % cvc5 -q --strings-exp --produce-models --check-models small.smt2
sat
(
(define-fun a () String "")
)
[621] % 
[621] % cat small.smt2
(declare-fun a () String)
(assert
 (xor
  (= (= (str.replace "B" (str.replace (str.++ (str.replace "B" a "B") a) "B" "") "B")
      (str.replace "B" (str.replace "B" a (str.++ a "B")) a))
   (not
    (= (str.replace "B" (str.replace a "B" "") "B")
     (str.replace "B" a (str.++ a "B")))))
  (= (str.replace "B" a "")
   (str.replace "B" a
    (ite (not (= (str.replace "" (str.replace a "" a) "") "")) ""
     (str.replace "" (str.replace a "B" "") "B"))))))
(check-sat)
(get-model)
[622] %

The text was updated successfully, but these errors were encountered:

Fixes cvc5#6483. The benchmark in the issue was performing the following incorrect rewrite: ``` Rewrite (str.replace "B" (str.replace (str.++ (str.replace "B" a "B") a) "B" "") "B") to (str.replace "B" a "B") by RPL_X_Y_X_SIMP. ``` The rewrite `RPL_X_Y_X_SIMP` rewrites terms of the form `(str.replace x y x)`, where `x` is of length one and `(= y "")` rewrites to a conjunction of equalities of the form `(= y_i "")` where `y_i` is some term. The function responsible for collecting the terms `y_i` from this conjunction, `collectEmptyEqs()`, returns a `bool` and a vector of `Node`s. The `bool` indicates whether all equalities in the conjunction were of the form `(= y_i "")`. The rewrite `RPL_X_Y_X_SIMP` only applies if this is true. However, `collectEmptyEqs()` had a bug where it would not return false when all of the conjuncts were equalities but not all of them were equalities with the empty string. This commit fixes `collectEmptyEqs()` and adds tests.

Fixes #6483. The benchmark in the issue was performing the following incorrect rewrite: Rewrite (str.replace "B" (str.replace (str.++ (str.replace "B" a "B") a) "B" "") "B") to (str.replace "B" a "B") by RPL_X_Y_X_SIMP. The rewrite RPL_X_Y_X_SIMP rewrites terms of the form (str.replace x y x), where x is of length one and (= y "") rewrites to a conjunction of equalities of the form (= y_i "") where y_i is some term. The function responsible for collecting the terms y_i from this conjunction, collectEmptyEqs(), returns a bool and a vector of Nodes. The bool indicates whether all equalities in the conjunction were of the form (= y_i ""). The rewrite RPL_X_Y_X_SIMP only applies if this is true. However, collectEmptyEqs() had a bug where it would not return false when all of the conjuncts were equalities but not all of them were equalities with the empty string. This commit fixes collectEmptyEqs() and adds tests.

ajreynol self-assigned this May 4, 2021

4tXJ7f self-assigned this May 18, 2021

4tXJ7f mentioned this issue May 18, 2021

Fix collectEmptyEqs() in string utils #6562

Merged

ajreynol closed this as completed in #6562 May 18, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

solution unsoundness on a string formula #6483

solution unsoundness on a string formula #6483

zhendongsu commented May 4, 2021

solution unsoundness on a string formula #6483

solution unsoundness on a string formula #6483

Comments

zhendongsu commented May 4, 2021