Encode a verification condition into SMT-LIB format.
This function encodes the path conditions (P) and obligation (Q) into SMT, then emits check-sat commands to determine satisfiability and/or validity.
When both checks are requested, uses check-sat-assuming for efficiency:
- Satisfiability: (check-sat-assuming (Q)) tests if P ∧ Q is satisfiable
- Validity: (check-sat-assuming ((not Q))) tests if P ∧ ¬Q is satisfiable
When only one check is requested, uses assert + check-sat:
- For satisfiability: (assert Q) (check-sat) tests P ∧ Q
- For validity: (assert (not Q)) (check-sat) tests P ∧ ¬Q
Note: The obligation term Q is encoded without negation. Negation is applied when needed for the validity check (line 64 for check-sat-assuming, line 77 for assert).
Equations
- One or more equations did not get rendered due to their size.
Instances For
Replace characters that are problematic on common filesystems
(parens, quotes, spaces, path separators, and Windows-invalid characters
such as < > : | ? *) with underscores or remove them.
Single-pass over the string.
Equations
- One or more equations did not get rendered due to their size.
Instances For
Instances For
Equations
- Core.SMT.getSolverPrelude "z3" = do Strata.SMT.Solver.setOption "smt.mbqi" "false" Strata.SMT.Solver.setOption "auto_config" "false"
- Core.SMT.getSolverPrelude "cvc5" = pure ()
- Core.SMT.getSolverPrelude x✝ = pure ()
Instances For
Equations
- One or more equations did not get rendered due to their size.
Instances For
Equations
- One or more equations did not get rendered due to their size.
Instances For
A solver log entry recording the SMT result after a specific pipeline phase.
- phase : String
Name of the pipeline phase that produced this entry.
- result : SMT.Result
The SMT result after this phase's validation.
Instances For
Equations
- Core.instReprSolverPhaseLog = { reprPrec := Core.instReprSolverPhaseLog.repr }
Equations
- One or more equations did not get rendered due to their size.
Instances For
Equations
Instances For
Equations
Validate a model against all phases for a given obligation. Phases are recorded top-down, so we reverse them to validate from the last (innermost) phase first. Returns the adjusted result and a log of intermediate results per phase, ordered outermost-first (deepest phase closest to SMT at the end).
Each phase independently validates the model when it has a validator.
A phase with modelToValidate can demote .sat m to .unknown (some m)
(when the model fails validation) or promote .unknown (some m) back to
.sat m (when the model passes validation against the pre-phase
semantics). This means phases are not cascading — each validating
phase makes its own decision based on the model.
Equations
- One or more equations did not get rendered due to their size.
Instances For
Analysis outcome of a verification condition based on two SMT queries:
- satisfiabilityProperty: result of checking P ∧ Q (is the property satisfiable given the path condition?)
- validityProperty: result of checking P ∧ ¬Q (can the property be false given the path condition?)
The 9 possible outcomes and their interpretations. For cover statements, any outcome where P ∧ Q is sat displays as ✅ (cover satisfied). Unreachable covers display as ❌ (error) instead of ⛔ (warning).
Emoji Label P ∧ Q P ∧ ¬Q Reachable Deductive BugFinding BugFinding+Complete Meaning
✅ always true and is reachable sat unsat yes pass pass pass Property always true, reachable from declaration entry ❌ always false and is reachable unsat sat yes error error error Property always false, reachable from declaration entry 🔶 can be both true and false and is reachable sat sat yes error note error Reachable, solver found models for both the property and its negation ⛔ unreachable unsat unsat no warning error error Dead code, path unreachable ➕ can be true and is reachable sat unknown yes error note note Property can be true and is reachable, unknown if always true ✖️ always false if reached unsat unknown unknown error error error Property always false if reached, unknown if reachable ➖ can be false and is reachable unknown sat yes error note error Property can be false and is reachable, unknown if always false ✔️ always true if reached unknown unsat unknown pass pass pass Property always true if reached, unknown if reachable ❓ unknown unknown unknown unknown error note note Both checks inconclusive
- satisfiabilityProperty : SMT.Result
- validityProperty : SMT.Result
- solverLog : Array (Array SolverPhaseLog)
Ordered log of solver results per path. Each inner array is one path's log: the raw solver results followed by per-phase adjusted results (e.g. sat→unknown when a phase cannot validate the model). When outcomes from multiple paths are merged, each path's log is preserved as a separate entry in the outer array. Consumed by future diagnostic and traceability tooling.
When this outcome was produced by merging multiple paths, stores the pre-merge per-path outcomes. Empty for unmerged (single-path) results. Used by the rendering phase to compute per-path classification summaries without storing rendering-mode-dependent strings.
Instances For
Equations
- Core.instReprVCOutcome = { reprPrec := Core.instReprVCOutcome.repr }
Equations
- Core.instInhabitedVCOutcome = { default := { satisfiabilityProperty := Imperative.SMT.Result.unknown, validityProperty := Imperative.SMT.Result.unknown } }
Equations
- o.passAndReachable = match o.satisfiabilityProperty, o.validityProperty with | Imperative.SMT.Result.sat model, Imperative.SMT.Result.unsat => true | x, x_1 => false
Instances For
Equations
- o.alwaysFalseAndReachable = match o.satisfiabilityProperty, o.validityProperty with | Imperative.SMT.Result.unsat, Imperative.SMT.Result.sat model => true | x, x_1 => false
Instances For
Equations
- o.canBeTrueOrFalseAndIsReachable = match o.satisfiabilityProperty, o.validityProperty with | Imperative.SMT.Result.sat model, Imperative.SMT.Result.sat model_1 => true | x, x_1 => false
Instances For
Equations
- o.unreachable = match o.satisfiabilityProperty, o.validityProperty with | Imperative.SMT.Result.unsat, Imperative.SMT.Result.unsat => true | x, x_1 => false
Instances For
Equations
- o.satisfiableValidityUnknown = match o.satisfiabilityProperty, o.validityProperty with | Imperative.SMT.Result.sat model, Imperative.SMT.Result.unknown candidateModel => true | x, x_1 => false
Instances For
Equations
- o.alwaysFalseReachabilityUnknown = match o.satisfiabilityProperty, o.validityProperty with | Imperative.SMT.Result.unsat, Imperative.SMT.Result.unknown candidateModel => true | x, x_1 => false
Instances For
Equations
- o.canBeFalseAndIsReachable = match o.satisfiabilityProperty, o.validityProperty with | Imperative.SMT.Result.unknown candidateModel, Imperative.SMT.Result.sat model => true | x, x_1 => false
Instances For
Equations
- o.passReachabilityUnknown = match o.satisfiabilityProperty, o.validityProperty with | Imperative.SMT.Result.unknown candidateModel, Imperative.SMT.Result.unsat => true | x, x_1 => false
Instances For
Equations
- o.unknown = match o.satisfiabilityProperty, o.validityProperty with | Imperative.SMT.Result.unknown candidateModel, Imperative.SMT.Result.unknown candidateModel_1 => true | x, x_1 => false
Instances For
True when either SMT property is .err (solver returned an error on
a specific check, as opposed to the outer VCResult.outcome being
.error due to an encoding failure).
Equations
- o.hasSMTError = match o.satisfiabilityProperty, o.validityProperty with | Imperative.SMT.Result.err msg, x => true | x, Imperative.SMT.Result.err msg => true | x, x_1 => false
Instances For
The assertion's validity is proven (validity = unsat). True for passAndReachable,
unreachable, and passReachabilityUnknown. Note: this does NOT distinguish
reachable passes from unreachable (dead-code) passes.
Equations
- o.isPass = match o.validityProperty with | Imperative.SMT.Result.unsat => true | x => false
Instances For
The assertion can be true (satisfiability = sat). True for passAndReachable,
canBeTrueOrFalseAndIsReachable, and satisfiableValidityUnknown.
Equations
- o.isSatisfiable = match o.satisfiabilityProperty with | Imperative.SMT.Result.sat model => true | x => false
Instances For
Equations
Instances For
Equations
- o.isAlwaysTrue = o.isPass
Instances For
Equations
Instances For
Success in bug-finding mode: the assertion is satisfiable (can be true on some reachable path), or provably always true with unknown reachability. Does NOT include unreachable paths — dead code in agent-generated code is worth flagging as a potential issue.
Equations
Instances For
Failure in bug-finding mode: the assertion is always false (a definite bug), or the path is unreachable (dead code).
Equations
Instances For
Instances For
Instances For
Instances For
Instances For
Instances For
Instances For
Instances For
Instances For
Instances For
Instances For
Instances For
Instances For
Instances For
Instances For
Equations
- One or more equations did not get rendered due to their size.
Instances For
Equations
- One or more equations did not get rendered due to their size.
Instances For
Compute a per-path classification summary for a merged outcome. Returns a parenthesized string like "(always true if reached on 1 path, always false if reached on 1 path)" when the merged result differs from individual paths. Returns the empty string for unmerged results or when all paths have the same classification as the merged result.
Equations
- One or more equations did not get rendered due to their size.
Instances For
Merge two SMT results, where err dominates sat dominates unknown dominates unsat.
If either result is an error, the merged result is an error.
If either result is sat, the merged result is sat (keeping the first model).
If either is unknown, the merged result is unknown.
Only if both are unsat is the merged result unsat.
Equations
- Core.SMT.Result.merge (Imperative.SMT.Result.err e) b = Imperative.SMT.Result.err e
- a.merge (Imperative.SMT.Result.err e) = Imperative.SMT.Result.err e
- Core.SMT.Result.merge (Imperative.SMT.Result.sat m) b = Imperative.SMT.Result.sat m
- a.merge (Imperative.SMT.Result.sat m) = Imperative.SMT.Result.sat m
- Core.SMT.Result.merge (Imperative.SMT.Result.unknown m) b = Imperative.SMT.Result.unknown m
- a.merge (Imperative.SMT.Result.unknown m) = Imperative.SMT.Result.unknown m
- Core.SMT.Result.merge Imperative.SMT.Result.unsat Imperative.SMT.Result.unsat = Imperative.SMT.Result.unsat
Instances For
Merge two VCOutcomes from different paths to the same assertion.
For each SMT check (satisfiability and validity), sat dominates:
if the assertion is satisfiable on any path, the merged result is sat.
Each path's solverLog is preserved as a separate entry.
Pre-merge per-path outcomes are stored in mergedFrom for rendering.
Equations
- One or more equations did not get rendered due to their size.
Instances For
A model with values lifted to LExpr for display purposes. This is used for formatting models in a human-readable way using Core's expression formatter and for future use as program metadata.
Equations
Instances For
Equations
- One or more equations did not get rendered due to their size.
- Core.LExprModel.format [] = Std.Format.text ""
- Core.LExprModel.format [(id, e)] = Std.format "(" ++ Std.format id ++ Std.format ", " ++ Std.format (Core.formatModelValue✝ e) ++ Std.format ")"
Instances For
Equations
- Core.instToFormatLExprModel = { format := Core.LExprModel.format }
Equations
- Core.instReprVCError = { reprPrec := Core.instReprVCError.repr }
Equations
- One or more equations did not get rendered due to their size.
Instances For
Equations
- Core.instBEqVCError.beq (Core.VCError.encoding a) (Core.VCError.encoding b) = (a == b)
- Core.instBEqVCError.beq (Core.VCError.solverTimeout a) (Core.VCError.solverTimeout b) = (a == b)
- Core.instBEqVCError.beq (Core.VCError.solverCrash a) (Core.VCError.solverCrash b) = (a == b)
- Core.instBEqVCError.beq x✝¹ x✝ = false
Instances For
Equations
Equations
- One or more equations did not get rendered due to their size.
A collection of all information relevant to a verification condition's analysis.
- obligation : Imperative.ProofObligation Expression
- estate : Strata.SMT.EncoderState
- verbose : VerboseMode
- checkLevel : CheckLevel
- checkMode : VerificationMode
- lexprModel : LExprModel
model with values converted from
SMT.Termto CoreLExpr. The contents must be consistent with the outcome, if the outcome was a failure.
Instances For
Mask outcome properties that were not requested.
When the evaluator resolves a check that wasn't requested by the
check mode/level, we set it to .unknown so the label function displays
the appropriate message for the checks that were actually requested.
For example, in minimal deductive mode we only request validity, so if evaluator
also determined satisfiability, we mask it to .unknown.
Equations
- One or more equations did not get rendered due to their size.
Instances For
Equations
- One or more equations did not get rendered due to their size.
Compact single-line outcome string: emoji + label (e.g. "✅ pass", "❌ fail"). Uses the property, check level, and check mode stored in the result.
Equations
- One or more equations did not get rendered due to their size.
Instances For
Deductive-mode success: the assertion's validity is proven (isPass).
Includes unreachable paths (vacuously true). For bug-finding mode,
use isBugFindingSuccess instead.
Instances For
Deductive-mode failure: the assertion can be false on some reachable path.
For bug-finding mode, use isBugFindingFailure instead.
Equations
- One or more equations did not get rendered due to their size.
Instances For
Equations
- vr.isImplementationError = match vr.outcome with | Except.error (Core.VCError.encoding msg) => true | Except.error (Core.VCError.solverCrash msg) => true | x => false
Instances For
Equations
- vr.isTimeout = match vr.outcome with | Except.error (Core.VCError.solverTimeout msg) => true | x => false
Instances For
Equations
- vcResult.isNotSuccess = !vcResult.isSuccess
Instances For
Equations
- vr.isUnreachable = match vr.outcome with | Except.ok o => o.unreachable | Except.error a => false
Instances For
Equations
- vr.isBugFindingSuccess = match vr.outcome with | Except.ok o => o.bugFindingSuccess | Except.error a => false
Instances For
Equations
- vr.isBugFindingFailure = match vr.outcome with | Except.ok o => o.bugFindingFailure | Except.error a => false
Instances For
True when either SMT property inside a successful outcome is .err.
Complements isImplementationError, which covers the outer .error case.
Equations
- vr.hasSMTError = match vr.outcome with | Except.ok o => o.hasSMTError | Except.error a => false
Instances For
Equations
Instances For
Equations
- rs.format = Std.Format.joinSep (Array.map (fun (r : Core.VCResult) => Std.format Std.Format.line ++ Std.format r) rs).toList Std.Format.line
Instances For
Equations
- Core.instToFormatVCResults = { format := Core.VCResults.format }
Equations
- Core.instToStringVCResults = { toString := fun (rs : Core.VCResults) => toString rs.format }
Merge two VCResults from different paths to the same assertion.
Outcomes are merged at the VCOutcome level (sat dominates).
The first result's obligation metadata is preserved.
The model from the result with a sat outcome is preferred.
Equations
- One or more equations did not get rendered due to their size.
Instances For
Merge VCResults that originate from the same assertion (identified by
source location + related locations from inlining). Outcomes are merged
at the VCOutcome level: if a proposition is sat on any path, the merged
result is sat. Preserves first-occurrence order.
When the file range is unknown, each VCResult is kept as-is.
Equations
- One or more equations did not get rendered due to their size.
Instances For
Preprocess a proof obligation using symbolic simulation.
Returns the symbolic results for satisfiability and validity independently.
Each result is some r if evaluator can determine it, none if the solver is needed.
Equations
- One or more equations did not get rendered due to their size.
Instances For
The Core verification pipeline phases. Each entry pairs a program transformation with its per-obligation model validation. The pipeline extracts transforms from this list, and the validation extracts phases, ensuring they stay in sync.
Call elimination always runs as a standalone program-to-program pass.
When procs is provided (targeted verification), the pipeline also
includes filtering and post-transform filter phases.
All filter phases are model-preserving since they only remove
information without introducing over-approximations.
A second FilterProcedures pass runs after CallElim and PrecondElim
to prune any procedures that became unreachable after transforms. This
pass explicitly lists the target procedures and their WF procedures
(via PrecondElim.wfProcName) as targets, and disables noFilter so
that WF procedures for prelude functions are correctly pruned.
loopElimPipelinePhase is placed last because loop elimination happens
during evaluation (not as a program-to-program pass), making it the
closest phase to SMT.
Equations
- One or more equations did not get rendered due to their size.
- Core.transformPipelinePhases = [] ++ [Core.callElimPipelinePhase] ++ [Core.termCheckPipelinePhase] ++ [Core.precondElimPipelinePhase] ++ [] ++ [Core.loopElimPipelinePhase]
Instances For
The full pipeline phases for program-to-program transforms, including type checking, symbolic evaluation, and ANF encoding. ANF encoding runs after symbolic evaluation to extract common subexpressions introduced by partial evaluation inlining.
Equations
- One or more equations did not get rendered due to their size.
Instances For
The abstracted phases derived from the Core pipeline phases.
Equations
- Core.coreAbstractedPhases procs options moreFns = List.map (fun (x : Core.PipelinePhase) => x.phase) (Core.corePipelinePhases procs options moreFns)
Instances For
Adjust an SMT result through pipeline phase validation. A .sat result
may be demoted to .unknown if a phase cannot validate the model, and
an .unknown result may be promoted back to .sat if a phase can
validate the model. Returns the adjusted result and a log of
intermediate results per phase.
Equations
- One or more equations did not get rendered due to their size.
- Core.SMT.Result.adjustForPhases (Imperative.SMT.Result.sat model) phases obligation = Core.AbstractedPhase.validateModel phases (Imperative.SMT.Result.sat model) obligation
- r.adjustForPhases phases obligation = (r, [])
Instances For
Invoke a backend engine and get the analysis result for a given proof obligation.
Equations
- One or more equations did not get rendered due to their size.
Instances For
Equations
- One or more equations did not get rendered due to their size.
Instances For
Run the Strata Core verification pipeline on a program: transform, type-check, partially evaluate, and discharge proof obligations via SMT. All program-wide transformations that occur before any analyses (including type inference) should be placed here.
When keepAllFilesPrefix is provided, the program state after each pipeline
phase is written to {prefix}.{n}.{phaseName}.core.st (numbered from 1).
Equations
- One or more equations did not get rendered due to their size.
Instances For
Equations
- One or more equations did not get rendered due to their size.
Instances For
Equations
- Strata.Core.getProgram p ictx = Strata.TransM.run ictx (Strata.translateProgram p)
Instances For
Front-end phase: any translation from a source language to Core may introduce over-approximations. Until front-ends can validate models or determine that an assertion is unaffected, all sat results are converted to unknown.
Equations
- One or more equations did not get rendered due to their size.
Instances For
Equations
- One or more equations did not get rendered due to their size.
Instances For
Equations
- One or more equations did not get rendered due to their size.
Instances For
- start : Lean.Position
- ending : Lean.Position
- message : String
- type : DiagnosticType
Instances For
Equations
- Strata.instReprDiagnostic = { reprPrec := Strata.instReprDiagnostic.repr }
Equations
- One or more equations did not get rendered due to their size.
Instances For
Equations
Equations
- One or more equations did not get rendered due to their size.
- Strata.instBEqDiagnostic.beq x✝¹ x✝ = false
Instances For
Equations
- One or more equations did not get rendered due to their size.
Instances For
Equations
- Strata.Core.VCResult.toDiagnostic files vcr phases = Option.map (fun (dm : Strata.DiagnosticModel) => Strata.DiagnosticModel.toDiagnostic files dm) (Strata.toDiagnosticModel vcr phases)