vera test --json reports verified/ok for a postcondition failure caught by vera verify --json

[rzyns]

Hi! First, thank you for the useful verifier diagnostics here. I may be misunderstanding the intended relationship between vera test and vera verify, but I found a small case where vera test --json reports success/verified for a program that vera verify --json rejects and vera run fails on at runtime.

Version: vera 0.0.155, repo HEAD 08c1197d4d701fc429cc448abb89a8d08b2f7b7c.

Minimal repro

public fn double(@Int -> @Int)
  requires(true)
  ensures(@Int.result == @Int.0 + @Int.0)
  effects(pure)
{
  @Int.0 + @Int.0 + 1
}

public fn main(@Unit -> @Int)
  requires(true)
  ensures(@Int.result == 42)
  effects(pure)
{
  double(21)
}

Observed behavior

vera check --json wrong_double_initial.vera succeeds:

{"ok": true, "diagnostics": [], "warnings": []}

vera verify --json wrong_double_initial.vera exits 1:

{
  "ok": false,
  "diagnostics": [
    {"error_code": "E500", "description": "Postcondition does not hold in function 'double'."}
  ],
  "verification": {"tier1_verified": 3, "tier3_runtime": 0, "total": 3}
}

This looks expected: the body returns x + x + 1, while the postcondition claims x + x.

vera run wrong_double_initial.vera exits 1:

Error: Postcondition violation in double(@Int -> @Int)
  ensures(@Int.result == @Int.0 + @Int.0) failed

vera test --json wrong_double_initial.vera exits 0:

{
  "ok": true,
  "functions": [
    {"name": "double", "category": "verified", "reason": "Tier 1 (proved)", "trials_run": 0},
    {"name": "main", "category": "verified", "reason": "Tier 1 (proved)", "trials_run": 0}
  ],
  "summary": {"verified": 2, "tested": 0, "total_trials": 0, "total_failures": 0}
}

Expected behavior

I would expect vera test --json not to return a green ok: true / verified result for a program whose contract verification fails with vera verify --json.

Possible ways to avoid the false-green signal:

• test --json invokes/reuses the same verification gate and returns nonzero with the E500 diagnostic; or
• test --json reports these functions as unverified/failed/skipped rather than category: "verified"; or
• if test intentionally has narrower semantics than verify, the JSON output makes that boundary explicit so downstream automation does not treat this as proof success.

Why this matters

JSON status is likely to be consumed mechanically by CI pipelines and downstream tooling. A false-green ok: true from test --json, especially with category: "verified" and reason: "Tier 1 (proved)", can cause a build step to accept a contract-incorrect program even though verify --json correctly rejects it.

Question

I am treating vera verify --json as the authoritative contract/proof gate. If vera test is intentionally meant to skip or only partially reuse verification in this situation, the bug may be in my expectation or in the JSON wording (verified / Tier 1 (proved)) rather than in the underlying test behavior.

Would you expect vera test --json to be a safe green gate for contract correctness, or should downstream tools always run vera verify --json separately and treat test --json as corroborating/runtime evidence only?

[aallan]

Hi @rzyns — thank you for this report and the follow-up #675. Both are well above the bar for a first-time external contribution: clean reproducers, exact-string source-grep, repro against a pinned HEAD, and (in #675) sketch of the diff and test assertion shape. Particularly appreciated that you stayed scoped — "this note does not propose changing verification semantics" makes a maintainer's evaluation much cheaper.

Confirming the bug: reproduced exactly on HEAD 08c1197 (v0.0.155). The classifier at vera/tester.py::_classify_functions (line 393) only harvests severity == "warning" codes in the Tier 3 set (E520–E525); severity == "error" codes (E500, E501, E502) flow past untouched and the function falls through to the default ("verified", "Tier 1 (proved)", decl) branch at line 474.

A separate strategic-mode review session I ran on 2026-05-18 surfaced the same bug independently and I filed it as #681 — without realising your report had been sitting here for three days. That was a process failure on my side; I should have searched open issues before filing. #681 is closed as a duplicate of #674. Yours came first and is the better-written report (the @Int + @Int + 1 repro is cleaner than my @Nat * 2 + 1, and the CI-consumes-JSON failure-mode framing is exactly the right way to make the severity obvious).

KNOWN_ISSUES.md is updated to reference this issue rather than my dupe in PR #684.

On your design question

Would you expect vera test --json to be a safe green gate for contract correctness, or should downstream tools always run vera verify --json separately and treat test --json as corroborating/runtime evidence only?

The intended semantics: vera test --json should be a safe green gate. The current behaviour is a bug, not a deliberate narrower scope.

Reasoning: vera test is supposed to run the verifier first (which gives it the "verified" / Tier 1 (proved)" category for functions Z3 statically proves correct), and then for functions that fall to Tier 3 it generates Z3-derived inputs and executes them at runtime. The Tier 3 codes the classifier looks for are Z3-can't-decide warnings, not Z3-refuted errors — the latter (E500 / E501 / E502) should rightly be treated as "failed" and propagate to a non-zero exit and a JSON entry that downstream CI would notice. The current code path silently drops those errors because the classifier was only written for the can't-decide case.

The fix:

• Add a second harvest pass for severity == "error" codes in {E500, E501, E502}
• Introduce a new classification category "failed" that takes precedence over "verified" and "tier3"
• In text output: print FAILED with the verifier counterexample inlined
• In JSON output: "category": "failed" carrying the diagnostic; TestSummary.failed: int field
• Exit code is non-zero when failed > 0
• New regression test in tests/test_tester.py pinning all four behaviours

I'd estimate half a day. If you want to submit the PR yourself I'd be happy to review — your write-up suggests you've already done the diagnostic work; the fix is mechanical from there. If you'd prefer I take it, that's fine too; just say.

Either way, until the fix lands: yes, treat vera verify --json as the authoritative contract gate and vera test --json as corroborating/runtime evidence only. The bug is exactly where you suspected it was.

Thanks again for the report.

[aallan]

Quick status update — a few things landed since my first reply:

Done:

• vera test reports buggy_double as VERIFIED when verifier emits E500 (correctness, unsafe direction) #681 closed as a duplicate of this issue (your report came first and is better-written)
• PR Docs sweep: address compiler-review findings 2026-05-18 (5 issues filed) #684 updates KNOWN_ISSUES.md to reference vera test --json reports verified/ok for a postcondition failure caught by vera verify --json #674 with your cleaner reproducer + the CI-failure-mode framing
• Your related E500 postcondition diagnostic fix text should mention implementation repair #675 (E500 fix-text wording) fixed inline in the same PR (commit 77445b6) — diagnostic now names all three repair classes neutrally, implementation-repair first

Still open here: the actual vera test classifier fix. That's queued as a separate ~half-day PR:

1. Extend vera/tester.py::_classify_functions to harvest severity == "error" codes (E500, E501, E502) alongside the existing Tier 3 warning codes
2. New "failed" category that takes precedence over "verified" and "tier3"
3. TestSummary.failed: int field surfaced in text + JSON output
4. Non-zero exit code when failed > 0
5. Regression test pinning all four behaviours

Letting you know in case you want first refusal on the PR (you've already done the diagnostic work; the fix is mechanical from there). Either way, no urgency from my side — happy to take it tomorrow if you'd rather not, or to review yours.

[rzyns]

Thanks again for the detailed confirmation and for clarifying the intended vera test --json semantics.

I took the first-refusal path and opened PR #685: #685

The PR implements the classifier/summary/exit-code fix you outlined:

• harvests verifier severity == "error" diagnostics for E500/E501/E502,
• adds a "failed" category that takes precedence over "verified" / Tier 3 classification,
• surfaces TestSummary.failed in JSON and text output,
• returns non-zero / JSON ok: false when verifier errors are present,
• and adds regression coverage for the false-green case.

I also covered a few edge cases that came up while tightening the behavior:

• E501 is attributed to the caller/call site rather than the callee,
• --fn keeps displayed rows filtered but still fails closed on whole-file verifier errors,
• private/non-displayed verifier failures are surfaced in diagnostics,
• Tier 3 E700 runtime contract failures are not counted as verifier errors,
• and multiple verifier diagnostics on one displayed failed function are not double-counted as unlisted verifier errors in the human summary.

Local verification:

pytest tests/test_tester.py tests/test_tester_coverage.py tests/test_cli.py -q
276 passed

pytest tests/ -q
3886 passed, 14 skipped, 16 deselected

mypy vera/
Success: no issues found in 59 source files

python scripts/check_conformance.py
All 86 conformance programs pass.

python scripts/check_examples.py
All 34 examples pass (check + verify).

pytest tests/test_conformance.py -q
416 passed, 14 skipped

Happy to adjust the exact JSON/text shape if you want the failed summary or diagnostic presentation tuned differently.