Validity of simple existential pattern over map not proven

[tothtamas28]

Bug report

Z3 version 4.8.7 - 64 bit

K version:    5.1.226
Build date:   Tue Oct 12 02:23:45 CEST 2021

kompile --backend haskell assign.k && kprove --def-module VERIFICATION spec.k

assign.k

module ASSIGN-SYNTAX
  imports INT-SYNTAX
  imports ID-SYNTAX

  syntax Stmt ::= Id "=" Int
endmodule

module ASSIGN
  imports ASSIGN-SYNTAX
  imports INT
  imports MAP

  configuration
    <T>
      <k>
        $PGM:Stmt
      </k>
      <env>
        .Map
      </env>
    </T>

  rule <k> X:Id = V:Int => . ... </k>
       <env> M => M [X <- V] </env>
endmodule

spec.k

requires "assign.k"

module SPEC-SYNTAX
  imports ASSIGN-SYNTAX

  syntax Id ::= "$x" [token]
endmodule

module VERIFICATION
  imports SPEC-SYNTAX
  imports ASSIGN
endmodule

module SPEC
  imports VERIFICATION

  claim <k> $x = A:Int => . ... </k>
        <env> M => M [ $x <- ?B:Int ] </env>
    ensures A <=Int ?B
endmodule

Expected output

#Top

Actual output

  #Not ( #Exists ?B . {
      M [ $x <- ?B:Int ]
    #Equals
      M [ $x <- A:Int ]
    }
  #And
    {
      true
    #Equals
      A <=Int ?B
    } )
#And
  <T>
    <k>
      _DotVar2
    </k>
    <env>
      M [ $x <- A:Int ]
    </env>
  </T>

Note: The claim is proven if the property is strengthened to equality, i.e. with ensures A ==Int ?B.

[ana-pantilie]

@dopamane believes this is indeed a bug, and I agree.

I would expect the rewrite rule to apply, and then, when checking the implication, the A and ?B should unify. It's trivial to show that A <=Int A. This requires investigation.

[virgil-serbanuta]

FWIW, Map[KItem] is function, but not functional, so any term containing it is not sent to the SMT.

[ana-pantilie]

Sorry @virgil-serbanuta , I just saw your comment. So, you think this behavior isn't a bug?

[virgil-serbanuta]

Hm, I am sorry, it seems that I misread the original bug report. To be more precise, it seemed to me very similar to something I encountered, so I misread M [ ?B:Int ] instead of M [ $x <- ?B:Int ]. My previous comment was invalid, since Map[KItem <- KItem] is functional.

Even if it would have been valid, my comment was meant to provide a shortcut for understanding the issue, I didn't mean to say anything about this being a bug. I certainly wish that the proof would work, but that's something else.

Since I wasted your time with that comment, let me try again, hopefully I won't make any mistakes this time (but please don't trust me, since I didn't work on the Haskell backend in a long time):

1. Would the following function be sent to the SMT? It does not have a smtlib argument, so M [ $x <- ?B:Int ] and M [ $x <- A:Int ] might get replaced by variables, which means that the SMT can't actually solve the predicate in the bug report. This should be easy to fix, if needed.

  syntax Map ::= Map "[" key: KItem "<-" value: KItem "]"           [function, functional, klabel(Map:update), symbol, hook(MAP.update), prefer]

2. I think that Ints (e.g. A and ?B) are injected into KItem, and I think that the Haskell backend does not send injections to the SMT solver, which means that, even if Map[KItem <- KItem] would, in principle, be sent to the SMT solver, the actual terms in the bug report, M [ $x <- ?B:Int ] and M [ $x <- A:Int ], might not be sent, at least not in the expected way (i.e., if they are actually sent, A and ?B will probably be replaced with opaque KItem variables), making the clause unsolvable by the SMT solver.

[ana-pantilie]

Thank you @virgil-serbanuta ! You're definitely not wasting my time, your insight is very helpful! I think the current team's knowledge of what and how we send to the SMT is a bit shaky at the moment, and this gives us a path to follow for investigating this issue.

[Sereja313]

@ana-pantilie I managed to reproduce this error.
backend version:

Kore version 0.60.0.0
Git:
  revision:	74bc7a963a825d0f0f034b5d3412dc59448e51bb (dirty)
  branch:	master
  last commit:	Tue Feb 7 05:02:49 2023 -0700