Proof instability, also called brittleness [ 14 ], the butterfly efect [ 15 ] and solver explosion [ 10 ], is a commonly experienced and acknowledged problem with SMT-based verifiers. While there is no universally agreed-upon definition, in this paper we use “instability” to broadly refer to solver behavior that is unpredictable and inconsistent from the user’s perspective. This includes disproportionate performance variations caused by minor changes to input queries, proofs breaking after solver or verifier upgrades, as well as sensitivity to redundant constraints, seemingly trivial simplifications, or reseeding. Existing work quantifies instability by fuzzing queries with syntactic mutations [ 1 ] and random seeds [ 13 ], and measuring variations in performance or outcome. These techniques detect a wide range of unstable queries, but not all. As shown in the rest of this paper, they are not perfect metrics, and certain kinds of instability are out of their reach.

Recent work has proposed various measures to reduce instability. One general direction is to pre-process queries, to simplify [ 16 ], prune [ 6 ], or canonicalize [ 5 ] them. Another is to restrict the verifier’s SMT encoding to simpler theories [ 10, 17, 18, 19 ], often at the cost of limiting expressivity or automation. Some verifiers ofer language features that let users control the encoding for specific code sections [ 7, 20 ], confining the use of theories and axioms believed to cause instability. A common thread to these techniques is that they aim to mitigate rather than fix instability. The mitigations have empirically been shown to work, but it is not clear whether they address root causes or whether the tradeofs they impose are strictly necessary.

This section presents an overview of Z3’s architecture and operation, using the following query as a running example:

( < 0) ∧ ( < 0) ∧ (( + > 0) ∨ ( · < 0))

Z3 comprises a CDCL(T) core, and a set of theories. The former is essentially a SAT solver that treats theory atoms (e.g., ( < 0), ( + > 0)) as independent boolean variables and aims to construct a boolean model that satisfies the propositional constraints (e.g., {( < 0) :− true, ( < 0) :− true, ( + > 0) :− false, ( · < 0) :− true}). Theories are mainly responsible for ensuring that the set of propositional assignments in the model is consistent with respect to theory semantics. For this model, the theory of arithmetic would raise a conflict: ( < 0) :− true, ( < 0) :− true, and ( · < 0) :− true cannot simultaneously hold.

The CDCL(T) core makes decisions on propositional assignments one by one, either through boolean constraint propagation (BCP) or by branching. After each round of decisions, it performs theory propagation to see if the current (partial) model is consistent with the theories. In this example, before any branching, it decides that any model must have ( < 0) :− true and ( < 0) :− true through BCP, as these appear as unit clauses. Then, it propagates both assignments to the theory of arithmetic, which says that the model is consistent. When there is no unit clause left to be propagated, Z3 branches on a decision, creating a backtracking point. Let’s assume that it first decides to explore the case where ( + > 0) := true. As soon as this decision is theory-propagated, the theory of arithmetic raises a conflict. In response, the CDCL(T) core backtracks to the previous partial model, and augments it with ( + > 0) := false. Finally, the CDCL(T) core decides ( · < 0) :− true (through BCP), which causes another arithmetic conflict. As the CDCL(T) core cannot backtrack anymore, it decides that the query is unsat.

Z3 refines the basic CDCL(T) architecture with many heuristics and optimizations. One that is particularly important in the context of this paper is relevancy filtering [ 12 ]: in order to minimize the load on theories, the CDCL(T) core theory-propagates only a subset of the current assignments, those it deems relevant to the current branch of the proof. For instance, in the last round of theory propagation in our example, ( + > 0) := false would be filtered out, as ( + > 0) only appears in the query within a disjunction, and the fact that it has been assigned to false has no consequence on the truth value of the disjunction.

Another important mechanism to highlight is trigger-based quantifier instantiation , also called E-matching. We do not present E-matching here, and instead refer to prior literature [ 15 ]. We do, however, note that the CDCL(T) core treats the E-matching engine like any theory in the context of relevancy filtering: it keeps ground terms that only appear in irrelevant atoms from matching any triggers. Previous work [ 15 ] has explored the contribution of matching loops to instability. We do not discuss matching loops further, as they did not turn out to be the root cause for any of our case studies.

TPot raw [ 24 ] TPot april2nd [ 26 ] TPot ofset [ 28 ] TPot bv_rewrite [ 29 ] Forum/Dafny issue_7444 [ 30 ] Forum/Dafny IfNorm0 Forum/Verus root0 Forum/Ivy thing2 [ 31 ] Mariposa [ 23 ] set_bit_to_0_self_uint64 Mariposa set_bit_to_1_self_uint64 Mariposa lemma_2toX Issue solver bug solver bug solver bug misconfiguration wrong expectations wrong expectations wrong expectations solver bug solver bug solver bug misconfiguration Solution patch-dynack [ 25 ] patch-fixedeq [ 27 ] patch-fixedeq tactic.default_tactic=smt rewrite triggers remove extraneous quantifier rewrite triggers patch-mbqi [ 32 ] patch-dynack patch-dynack smt.qi.eager_threshold=200

We discovered the bug related to patch-dynack while experimenting with an early version of TPot, when the solver got stuck on the raw query. This was an instance of instability: raw mostly comprised the same assertions as previous queries TPot made on the same symbolic execution path, and used the same logic (quantifier-free bitvectors and arrays), so we expected Z3 to discharge the query with similar reasoning.

Fig. 1 presents a simplified (and still unstable) version of the query, along with the context that produced it and the sketch of an intended proof. The original query included 86 assertions spanning 3600 lines of SMT2. The proof sketch justifies why we expect the query to be easily solvable, and helps explain how the bug leads to explosion. We have found writing pen-and-paper proof sketches to be helpful for debugging as well.

Dynamic Ackermannization [ 34 ] is a technique used by Z3 to significantly speed up reasoning about transitivity of equality and congruence. In the intended proof, the Ackermann axiom in step 5 is essential. Without it, the solver would have to discover the same fact through congruence closure, which results in producing much weaker lemmas [ 35 ].

While Ackermannization itself worked as expected for the query, a Z3 bug related to the interaction between Ackermannization and relevancy filtering kept step (6) from proceeding: Ackermannization would create fresh literals for step (5) (e.g., p == addr_arr) without marking them as relevant. This efectively made the Ackermann clauses invisible to the theories, so the theory of arithmetic would not learn that assuming p == addr_arr propagates loc(p) == loc(addr_arr). Consequently, it would not learn that p != addr_arr.

When Z3 backtracks it will retain certain axioms (i.e., theory lemmas, including Ackermann axioms) but forget about their relevancy. So the lifetime of the lemma is not scope-bound, but its relevancy is. This essentially results in the axioms only participating in propositional propagation (within the CDCL(T) core), but not theory propagation. This behavior is intended if the solver creates theory axioms using existing literals, but works against leveraging theory axioms with fresh literals across backtracking points.

bv_rewrite.smt2 is a minimized (to 14 lines) version of an unstable query that was produced by TPot. It involves 4 variables, all of which are bitvectors of size 32. As shown in Fig. 2, the time it takes Z3 to solve bv_rewrite.smt2 depends heavily on a bitvector coeficient ( elem_sz) appearing only in an assertion that is redundant and therefore should be inconsequential.

With the default configuration, Z3 determines that the query only involves quantifier-free constraints over bitvectors, and so it is essentially a boolean satisfiability problem. Then Z3 decides to bit-blast the query, representing each bit with a boolean variable, and discharge it using the built-in SAT solver (which is separate from the CDCL(T) core), without ever involving the actual SMT solver. Using the command line argument tactic.default_tactic=smt prevents this from happening and makes Z3 terminate instantly irrespective of the coeficient.

lemma_2toX.smt2 is a query produced by Dafny to prove the lemma in Fig. 3, as a part of the IronFleet [ 36 ] project. The query is unstable with variable outcome: depending on the random seed, Z3 may quickly return either unsat or unknown.

In the SMT encoding, Dafny represents power2 with an uninterpreted function, and provides the usual [ 37 ] recursive definition ( ∀.power2() = ITE( = 0, 1, 2 · power2( − 1)))) as a quantified axiom. For each ensures statement in Fig. 3, Dafny expects Z3 to unfold the recursive definition times to compute power2().

The problem is that the global threshold Dafny sets on quantifier instantiation depth (smt.qi.eager_threshold=100) is too small to fully unfold power2(64). We have empirically observed using SMTScope [ 38 ], the latest version of the Axiom Profiler [ 39 ], that it does not allow power2 to be unrolled more than 32 times. So, Z3 can not close the branches of the proof involving power2(64) and power2(60).

The misconfiguration here is obvious in hindsight. In practice, it was not easily noticable as it made the query unstable, not consistently unknown. This is because when we get lucky, Z3 reuses unfoldings that were used to close branches corresponding to the last five ensures to close the first two as well. So whether Z3 returns unsat or unknown depends on the order in which it explores diferent branches. Setting the threshold to 200 allows all branches to close in isolation and stabilizes the query.

One may also configure Z3 such that quantifier instances are efectively shared across branches, by disabling relevancy filtering ( smt.relevancy=0). Doing so indeed stabilizes this particular query, but makes most other Dafny queries to explode, due to Dafny’s quantifer-heavy encoding.

Consider the query in Fig. 4. The query is clearly unsat, as instantiating the quantifier with :− 0 trivially contradicts the first assertion. The conventional understanding of triggers, as described by Leino and Pit-Claudel [ 15 ], dictates that the ground term (A 0) would match the trigger and produce the expected instance, and Z3 would return unsat. Surprisingly, in the presence of relevancy filtering, Z3 may return unknown depending on the branching order, precisely 50% of the time. We explain this frequency in §4.3.2.

The core of the problem is that there is a branch of the proof that does not close itself; it depends on the quantifier instance but does not trigger instantiation. In the branch where (0) is false and (0) is true, Z3 considers (0) to be an irrelevant disjunct in (or (A 0) (B 0)), as its truth value does not afect the value of the disjunction. Therefore, Z3 keeps the assignment (0) :− false from being propagated to any theory, including the E-matching engine. So, the branch only closes if Z3 visits one of the branches that triggers instantiation (e.g., (0) :− true, (0) :− false) before this one and reuses the instance.

Another way to understand the problem is to realize that relevancy filtering efectively simulates tableau-search, whereby the solver structurally branches on the problem. In this example, the solver looks at the first assertion and branches on satisfying (0) versus (0). The latter branch is essentially equivalent to solving a version of the query with (0) omitted from the first assertion, and that version should be unknown according to Leino and Pit-Claudel’s description.

The query’s success depends purely on the branching order and 50% of branching orders lead to success. We experimented with 8 variants of the query, changing the polarities of (0) and (0), and toggling the pattern between () and ().

Some of these seemed to be consistently unsat or unknown irrespective of the random seed, suggesting that these variations play a role in the query’s success. On closer look, some variations may fix a branching order with Z3’s default configuration: Z3 will always guess false for the first atom it branches on irrespectively of the random seed (the actual guessing process - phase caching - is somewhat more involved, but the caches are initialized to false). Also, the way Z3 chooses the first atom to branch on involves randomness but it is not uniformly random. To work around these issues, we made a surgical modification on Z3’s source code to set the frequency of randomized case splits to 1.00 (the default is 0.01). This frequency is hard-coded and is not configurable through the command line. We then ran Z3 with smt.phase_selection=5 (random).

Assignment 1 branch? literal relevant?

Assignment 2 branch? literal relevant? yes

A(0) ¬A(0) B(0) ¬B(0) yes no yes no no yes no

B(0) A(0) ¬A(0) A(0) yes no no yes Total:

Result unsat unknown unknown unknown unsat unsat unknown

Probability 1/4 1/4 1/8 1/8 1/4 1/2 1/2

In §4.3.2, we describe how certain variations on the query in Fig. 4 seem to have implications on stability, when in fact all they do is resample a random distribution that is unafected by the random seed. For this query, the order of disjuncts, and the symmetric choice of the trigger term between the two disjuncts, are sources of randomness. This is an example of how having multiple sources of randomness can lead to confusion while identifying and debugging instability.

Another such example is the IfNorm0 query. The original query produced by Dafny succeeds with all random seeds, but asking Dafny to normalize the names of functions and variables (through a Dafny command line option) makes the query explode with all random seeds. This pattern is confusing, as it suggests that normalization is to blame for instability. The pattern occurs because Z3 reorders disjunctions using a name-dependent order and Dafny sets the smt.case_split=3 parameter, which orders case splits structurally, starting from the leftmost disjunct. This makes the case split order insensitive to the random seed, but sensitive to variable and function names.

Ensuring that all randomness is controllable through an explicit random seed would be a step towards making instability easier to identify and address.

Existing approaches to examining Z3 traces [ 39 ] are based on statistical measures (e.g., number of instances of each axiom, length of instantiation chains, heuristic cost assignments to axioms). For many of our examples, root causes lie with individual events that throw the solver of. Identifying such events is hard, and to the best of our knowledge there currently is no debugging tool that helps do so.

We adopted a methodology, which we think can be largely automated, based on comparing solver traces using standard text dif tools. Given an unstable query, we could often find a “good” configuration (of solver parameters, variable names, etc.) that produces the expected behavior. When a good configuration does not appear organically, we had success with parameter fuzzing or randomness fuzzing through Mariposa. We then difed the trace from a good run against one from a bad run, identified the first point of divergence, and made surgical modifications on the Z3 source to unify the solver’s behavior over the two. Of course, the first point of divergence usually was not itself related to the root cause, but repeating this process until both configurations succeed allowed us to discover particularly elusive bugs.

This methodology would be greatly simplified if we were able to modify and replay solver traces. This would allow us to unify behavior without having to modify the solver’s source code. Beyond trace difs, replaying traces would make it much easier to test hypotheses of the form “had been done diferently, the query would not have exploded”.

We also note that we used the tracing mechanism built into Z3, which was built for VCC, and not tailored for our purpose. There are many relevant steps that do not get logged (e.g. theory propagations, the state of the egraph, relevancy), which sometimes hides root causes and makes it hard to unify the next point of divergence. 5.3. Proof sketches §4.1.1 uses a proof sketch to explain the root cause of instability for a simplified version of the raw query; we wrote similar sketches for most case studies. In our experience, writing down such pen-and-paper proof sketches and trying to identify what keeps the solver from finding them has been useful for debugging, as well as explaining root causes after the fact to convince oneself that the “right problem” was fixed. We believe debugging tools that ingest proof sketches along with solver traces and pinpoint the missing proof step would have greatly simplified our case studies.

Debugging instability through proof sketches mimics how one debugs functional correctness problems in most classes of software: by having a clear picture of the expected behavior and iteratively narrowing down where the program departs from it. Without proof sketches, this is only possible for SMT solvers at two extreme granularities, neither practical. On one extreme, one may say the expected behavior is simply “the solver must return unsat quickly”. This does not allow for iteratively narrowing down on the problem beyond the solver’s interface. Debugging at the interface by giving the solver iteratively simplified/reduced versions of the query and trying to deduce which simplification step caused the problem often leads to ill-informed and misleading conclusions. On the other extreme, one may examine solver traces. This requires the developer to be intimately familiar with the solver’s internals and even then they are often too large and too low-level to be practically understood by humans. Importantly, traces also mostly consist of “dead ends”, i.e., branches explored and axioms instantiated by the solver as part of proof search that ultimately do not make progress towards the expected proof, and are uninteresting in pinpointing the divergence from expected behavior.

Proof sketches can be written at arbitrary granularity, and deepened only in steps that need to be narrowed down on (e.g., Fig. 1 elides the bitvector and arithmetic axioms that need to be involved for steps (8) and (10); the solver follows these steps as expected so the user does not need more detail). This makes proof-sketch debugging scale well with the size of the query being debugged. The original raw query spans 55× the number of SMT lines the simplified version in Fig. 1 does, but its proof sketch still consists of 10 (considerably bigger) steps.