3
0
Fork 0
mirror of https://github.com/Z3Prover/z3 synced 2026-07-04 22:36:10 +00:00
No description
Find a file
Lev Nachmanson 2a8f66f22b
[snapshot-regression-fix] Keep symbolic re.range non-empty; fix soundness regression on range membership (#10017)
## Summary

Fixes a **soundness regression** in the sequence/regex rewriter: a
symbolic character range such as `(re.range x x)` was unsoundly
collapsed to `re.empty`, causing a satisfiable membership constraint to
be reported `unsat`.

This was surfaced by the `snapshot-regression` corpus in
`Z3Prover/bench`.

- **Originating discussion:**
https://github.com/Z3Prover/bench/discussions/2761
- **Benchmark:** `iss-5873/bug-2.smt2` (in `Z3Prover/bench`, under
`inputs/issues/iss-5873/`)
- **z3 under test at capture:** `z3-4.17.0-x64-glibc-2.39` (Nightly)

## Divergence

The recorded oracle expects `sat`; current z3 returns `unsat`:

```diff
--- bug-2.expected.out (expected)
+++ produced (current z3)
@@ -1,3 +1,4 @@
-sat
-((tmp_str0 "\u{0}"))
+unsat
+(error "line 12 column 10: check annotation that says sat")
+(error "line 14 column 22: model is not available")
 (:reason-unknown "")
```

The benchmark asserts (simplified):

```smt2
(assert (= (str.in_re (str.replace tmp_str0 tmp_str0 tmp_str0)
                      (re.range tmp_str0 tmp_str0))
           (str.contains tmp_str0 tmp_str0)))
```

`str.contains x x` is always true and `str.replace x x x = x`, so this
requires `str.in_re x (re.range x x)` to hold, which is satisfiable
exactly when `x` is a single character (`len(x) = 1`).

## Root cause

`seq_rewriter::mk_re_range` treated any bound that is not a concrete
single-character literal as making the whole range **empty**:

```cpp
if (str().is_string(lo, slo) && slo.length() == 1) clo = slo[0];
else if (str().is_unit(lo, lo1) && m_util.is_const_char(lo1, clo)) ;
else is_empty = true;   // unsound for a symbolic bound
```

For a symbolic bound this is unsound: `(re.range x x)` denotes `{x}`
whenever `x` is a single character, not `∅`. Collapsing it to `re.empty`
makes `str.in_re x (re.range x x)` false, contradicting the (true)
`str.contains x x`, so the solver derives an unsound `unsat`.

`git blame` attributes this unsound collapse to z3 commit `15f33f458d`
("Derive with ranges (#9965)"), which post-dates the oracle capture.

## Fix

Two surgical changes in `src/ast/rewriter/seq_rewriter.cpp`:

1. **`mk_re_range`** no longer assumes emptiness for symbolic bounds. It
concludes `re.empty` only when it can *prove* emptiness — a bound whose
length can never be 1, or two concrete bounds with `lo > hi`. When a
bound is symbolic it returns `BR_FAILED` and keeps the range. Concrete
single-character ranges keep their existing handling (`lo == hi →
str.to_re`, inverted → `re.empty`).

2. **`mk_str_in_regexp`** reduces membership in a range that has a
symbolic bound to the equivalent length/order constraints, which are
sound and complete under SMT-LIB `re.range` semantics:

`str.in_re e (re.range lo hi)` ⟶ `len(lo)=1 ∧ len(hi)=1 ∧ len(e)=1 ∧ lo
≤ e ∧ e ≤ hi`

(using `str.<=`). The derivative engine only unfolds ranges whose bounds
are concrete characters, so without this reduction a symbolic-bound
range would otherwise be left unsolved.

## Validation

Rebuilt z3 from this branch on the workflow runner (`./configure && make
-C build -j$(nproc)`) and re-ran the failing benchmark with the same
option the snapshot capture uses (`-T:20`):

```
$ z3 -T:20 inputs/issues/iss-5873/bug-2.smt2
sat
((tmp_str0 "A"))
(:reason-unknown "")
```

The verdict is now **`sat`** (was `unsat`) — the soundness regression is
resolved. A correctness battery over concrete and symbolic ranges all
returns the expected results, e.g.:

- `(str.in_re "b" (re.range "a" "c"))` → `sat`, `(str.in_re "d"
(re.range "a" "c"))` → `unsat`
- `(str.in_re x (re.range x x))` → `sat`; with `(= (str.len x) 2)` →
`unsat`
- `(str.in_re "b" (re.range x y))` → `sat`; with `(str.< y x)` → `unsat`
- `(str.in_re "" (re.range x y))` → `unsat`; `(str.in_re "ab" (re.range
"a" "c"))` → `unsat`

The pre-existing concrete-range derivative fast path is unchanged.

### Note on the model value (benign, unrelated to this fix)

The model value differs from the recorded oracle: current z3 prints
`((tmp_str0 "A"))` whereas the oracle recorded `((tmp_str0 "\u{0}"))`.
Both are valid single-character models (the formula has many). This
difference is **pre-existing and unrelated to this fix**: even a bare
`(assert (= (str.len x) 1))` yields `"A"` on current z3. It stems from
the seq/char theory's default character assignment for
otherwise-unconstrained characters (`theory_char.cpp` assigns fresh
characters starting from `'A'`), not from range handling. I deliberately
did **not** force the character to `\u{0}` — adding `x = "\u{0}"` would
be unsound over-constraining, and changing the global default character
is out of scope for this soundness fix and would perturb unrelated
models. The output is therefore semantically equivalent to the oracle
(same `sat` verdict and reason-unknown) but not byte-identical.

---
*Draft for human review. Diagnosed and fixed by the
`snapshot-regression-fixer` maintenance workflow.*




> Generated by [Fix a Z3 snapshot-regression
divergence](https://github.com/Z3Prover/bench/actions/runs/28502614658)
· 890.7 AIC · ⌖ 46.8 AIC · ⊞ 9K ·
[◷](https://github.com/search?q=repo%3AZ3Prover%2Fz3+%22gh-aw-workflow-id%3A+snapshot-regression-fixer%22&type=pullrequests)

<!-- gh-aw-agentic-workflow: Fix a Z3 snapshot-regression divergence,
engine: copilot, version: 1.0.63, model: claude-opus-4.8, id:
28502614658, workflow_id: snapshot-regression-fixer, run:
https://github.com/Z3Prover/bench/actions/runs/28502614658 -->

<!-- gh-aw-workflow-id: snapshot-regression-fixer -->
<!-- gh-aw-workflow-call-id: Z3Prover/bench/snapshot-regression-fixer
-->

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
2026-07-02 14:00:51 -07:00
.github Fix OCaml static build: ensure stublibs dir is in ld.conf after ocamlfind install (#10003) 2026-06-30 08:43:02 -07:00
a3 update a3-python to fix issues 2026-02-18 08:16:56 -08:00
agentics fix: create missing agentics/qf-s-benchmark.md agent prompt (#8989) 2026-03-14 12:42:11 -07:00
cmake Remove unnecessary semicolons (Attempt 2) (#10020) 2026-07-02 12:47:29 -07:00
codeql/custom_queries add analysis 2025-09-28 13:02:05 +03:00
contrib tiny fix to qprofdiff (#6497) 2022-12-30 15:25:01 -08:00
doc Remove unnecessary blank lines in mk_genfile_common.py and mk_api_doc.py 2026-02-19 17:52:11 +00:00
docker Update docker-image.yml (#5739) 2021-12-25 17:33:35 -08:00
examples Bump dotnet example target framework from netcoreapp2.0 to net8.0 (#9531) 2026-05-14 15:17:41 -07:00
noarch follow instructions from #1879 2018-10-15 11:44:47 -07:00
resources Publishing SNK file private key for reproducible builds 2019-11-18 12:24:39 -08:00
scripts dotnet: force PlatformTarget=AnyCPU to fix arm64 host load failure (#9868) 2026-06-16 09:52:04 -06:00
src [snapshot-regression-fix] Keep symbolic re.range non-empty; fix soundness regression on range membership (#10017) 2026-07-02 14:00:51 -07:00
.bazelrc Expose z3_static target for Bazel build (#7660) 2025-06-03 11:51:18 +02:00
.clang-format update clang format 2025-10-02 10:39:37 -07:00
.dockerignore [TravisCI] Implement TravisCI build and testing infrastructure for Linux 2017-07-01 11:51:30 +01:00
.gitattributes Merge with branch lws (#8498) 2026-02-04 09:52:02 -08:00
.gitignore Derive with ranges (#9965) 2026-06-26 08:44:13 -06:00
BUILD.bazel Add versioned shared object names in Bazel rules (#9838) 2026-06-16 11:35:21 -06:00
build_z3.bat git bindings v1.0 2026-02-15 21:24:40 -08:00
CMakeLists.txt python: build a PyPI-publishable Pyodide (PEP 783) wheel (#9891) 2026-06-18 13:05:03 -06:00
configure restore exec bit on configure & scripts/*.sh 2020-05-16 20:07:36 +01:00
LICENSE.txt update license for space/quotes per #982 2017-04-24 13:34:10 -07:00
MODULE.bazel update version 2026-02-18 20:37:48 -08:00
README-CMake.md git bindings v1.0 2026-02-15 21:24:40 -08:00
README.md Refresh README build badges to active GitHub Actions workflows (#9936) 2026-06-23 19:58:43 -06:00
RELEASE_NOTES.md Handle SIGXCPU like a regular timeout (#9697) 2026-06-03 07:26:38 -07:00
Z3-AGENT.md add per-skill @z3 usage examples to agent readme 2026-03-12 00:16:06 +00:00
z3.pc.cmake.in Fix z3.pc file template (#4693) 2020-09-18 12:39:12 -07:00
z3guide.jpeg add picture of z3guide 2024-11-18 13:21:35 -08:00

Z3

Z3 is a theorem prover from Microsoft Research. It is licensed under the MIT license. Windows binary distributions include C++ runtime redistributables

If you are not familiar with Z3, you can start here.

Pre-built binaries for stable and nightly releases are available here.

Z3 can be built using Visual Studio, a Makefile, using CMake, using vcpkg, or using Bazel. It provides bindings for several programming languages.

See the release notes for notes on various stable releases of Z3.

Try the online Z3 Guide

Build status

Pull Request & Push Workflows

WASM Build Windows Build CI OCaml Binding
WASM Build Windows CI OCaml Binding CI

Scheduled Workflows

Open Bugs Android Build Pyodide Wheel (PyPI) Nightly Build Cross Build
Open Issues Android Build Pyodide Wheel (PyPI) Nightly Build RISC V and PowerPC 64
MSVC Static MSVC Clang-CL Build Z3 Cache Memory Safety Mark PRs Ready
MSVC Static Build MSVC Clang-CL Static Build Build and Cache Z3 Memory Safety Analysis Mark PRs Ready for Review

Manual & Release Workflows

Documentation Release Build WASM Release NuGet Build
Documentation Release Build WebAssembly Publish Build NuGet Package

Specialized Workflows

Nightly Validation Copilot Setup Agentics Maintenance
Nightly Build Validation Copilot Setup Steps Agentics Maintenance

Agentic Workflows

API Coherence Code Simplifier Release Notes Workflow Suggestion Academic Citation
API Coherence Checker Code Simplifier Release Notes Updater Workflow Suggestion Agent Academic Citation Tracker
Issue Backlog Memory Safety Report QF-S Benchmark Specbot Crash Analyzer SMTLIB Benchmark Finder
Issue Backlog Processor Memory Safety Report ZIPT String Solver Benchmark Specbot Crash Analyzer SMTLIB Benchmark Finder
TPTP Benchmark
TPTP Front-End Benchmark

Building Z3 on Windows using Visual Studio Command Prompt

For 32-bit builds, start with:

python scripts/mk_make.py

or instead, for a 64-bit build:

python scripts/mk_make.py -x

then run:

cd build
nmake

Z3 uses C++20. The recommended version of Visual Studio is therefore VS2019 or later.

Security Features (MSVC): When building with Visual Studio/MSVC, a couple of security features are enabled by default for Z3:

  • Control Flow Guard (/guard:cf) - enabled by default to detect attempts to compromise your code by preventing calls to locations other than function entry points, making it more difficult for attackers to execute arbitrary code through control flow redirection
  • Address Space Layout Randomization (/DYNAMICBASE) - enabled by default for memory layout randomization, required by the /GUARD:CF linker option
  • These can be disabled using python scripts/mk_make.py --no-guardcf (Python build) or cmake -DZ3_ENABLE_CFG=OFF (CMake build) if needed

Building Z3 using make and GCC/Clang

Execute:

python scripts/mk_make.py
cd build
make
sudo make install

Note by default g++ is used as C++ compiler if it is available. If you prefer to use Clang, change the mk_make.py invocation to:

CXX=clang++ CC=clang python scripts/mk_make.py

Note that Clang < 3.7 does not support OpenMP.

You can also build Z3 for Windows using Cygwin and the Mingw-w64 cross-compiler. In that case, make sure to use Cygwin's own Python and not some Windows installation of Python.

For a 64-bit build (from Cygwin64), configure Z3's sources with

CXX=x86_64-w64-mingw32-g++ CC=x86_64-w64-mingw32-gcc AR=x86_64-w64-mingw32-ar python scripts/mk_make.py

A 32-bit build should work similarly (but is untested); the same is true for 32/64 bit builds from within Cygwin32.

By default, it will install z3 executables at PREFIX/bin, libraries at PREFIX/lib, and include files at PREFIX/include, where the PREFIX installation prefix is inferred by the mk_make.py script. It is usually /usr for most Linux distros, and /usr/local for FreeBSD and macOS. Use the --prefix= command-line option to change the install prefix. For example:

python scripts/mk_make.py --prefix=/home/leo
cd build
make
make install

To uninstall Z3, use

sudo make uninstall

To clean Z3, you can delete the build directory and run the mk_make.py script again.

Building Z3 using CMake

Z3 has a build system using CMake. Read the README-CMake.md file for details. It is recommended for most build tasks, except for building OCaml bindings.

Building Z3 using vcpkg

vcpkg is a full platform package manager. To install Z3 with vcpkg, execute:

git clone https://github.com/microsoft/vcpkg.git
./bootstrap-vcpkg.bat # For powershell
./bootstrap-vcpkg.sh # For bash
./vcpkg install z3

Building Z3 using Bazel

Z3 can be built using Bazel. This is known to work on Ubuntu with Clang (but may work elsewhere with other compilers):

bazel build //...

Dependencies

Z3 itself has only few dependencies. It uses C++ runtime libraries, including pthreads for multi-threading. It is optionally possible to use GMP for multi-precision integers, but Z3 contains its own self-contained multi-precision functionality. Python is required to build Z3. Building Java, .NET, OCaml and Julia APIs requires installing relevant toolchains.

Z3 bindings

Z3 has bindings for various programming languages.

.NET

You can install a NuGet package for the latest release Z3 from nuget.org.

Use the --dotnet command line flag with mk_make.py to enable building these.

See examples/dotnet for examples.

C

These are always enabled.

See examples/c for examples.

C++

These are always enabled.

See examples/c++ for examples.

Java

Use the --java command line flag with mk_make.py to enable building these.

For IDE setup instructions (Eclipse, IntelliJ IDEA, Visual Studio Code) and troubleshooting, see the Java IDE Setup Guide.

See examples/java for examples.

Go

Use the --go command line flag with mk_make.py to enable building these. Note that Go bindings use CGO and require a Go toolchain (Go 1.20 or later) to build.

With CMake, use the -DZ3_BUILD_GO_BINDINGS=ON option.

See examples/go for examples and src/api/go/README.md for complete API documentation.

OCaml

Use the --ml command line flag with mk_make.py to enable building these.

See examples/ml for examples.

Python

You can install the Python wrapper for Z3 for the latest release from pypi using the command:

   pip install z3-solver

Use the --python command line flag with mk_make.py to enable building these.

Note that it is required on certain platforms that the Python package directory (site-packages on most distributions and dist-packages on Debian-based distributions) live under the install prefix. If you use a non-standard prefix you can use the --pypkgdir option to change the Python package directory used for installation. For example:

python scripts/mk_make.py --prefix=/home/leo --python --pypkgdir=/home/leo/lib/python-2.7/site-packages

If you do need to install to a non-standard prefix, a better approach is to use a Python virtual environment and install Z3 there. Python packages also work for Python3. Under Windows, recall to build inside the Visual C++ native command build environment. Note that the build/python/z3 directory should be accessible from where Python is used with Z3 and it requires libz3.dll to be in the path.

virtualenv venv
source venv/bin/activate
python scripts/mk_make.py --python
cd build
make
make install
# You will find Z3 and the Python bindings installed in the virtual environment
venv/bin/z3 -h
...
python -c 'import z3; print(z3.get_version_string())'
...

See examples/python for examples.

Julia

The Julia package Z3.jl wraps the C API of Z3. A previous version of it wrapped the C++ API: Information about updating and building the Julia bindings can be found in src/api/julia.

WebAssembly / TypeScript / JavaScript

A WebAssembly build with associated TypeScript typings is published on npm as z3-solver. Information about building these bindings can be found in src/api/js.

Smalltalk (Pharo / Smalltalk/X)

Project MachineArithmetic provides a Smalltalk interface to Z3's C API. For more information, see MachineArithmetic/README.md.

AIX

Build settings for AIX are described here.

System Overview

System Diagram

Interfaces

Power Tools