1 / 78

Nikolaj Bjørner Senior Researcher Microsoft Research Redmond

Nikolaj Bjørner Senior Researcher Microsoft Research Redmond. Modern Satisfiability Modulo Theories Solvers in Program Analysis. Lectures. Wednesday 10:45–12:15 An Introduction to Z3 with Applications Thursday August 30 th 15:45–17:15 Introduction to SAT and SMT Friday 10:30–10:45

Download Presentation

Nikolaj Bjørner Senior Researcher Microsoft Research Redmond

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Nikolaj Bjørner Senior Researcher Microsoft Research Redmond Modern Satisfiability Modulo Theories Solvers in Program Analysis

  2. Lectures Wednesday10:45–12:15 An Introduction to Z3 with Applications Thursday August 30th15:45–17:15 Introduction to SAT and SMT Friday 10:30–10:45 Theories and Solving Algorithms Friday 15:45–17:15 Advanced & Summary: Quantifiers, Arrays, Fixed-points

  3. Plan • Introduction to Z3 – An Efficient SMT Solver • Architecture • Interaction – Input formats • Theories • Introduction to Applications • Basic examples of SMT solving • A selection of applications using Z3/SMT.

  4. Takeaways: • Many program analysis, verification and test tools solve problems that can be reduced to logical formulas and transformations between logical formulas at their core. • Modern SMT solvers are a often good fit. • Handle domains found in programs directly. • The selected examples are intended to show instances where sub-tasks are reduced to SMT/Z3.

  5. Z3 – An Efficient SMT solver http://research.microsoft.com/projects/z3

  6. What is Z3? Theories Simplify OCaml Arrays Bit-Vectors .NET SMT-LIB Lin-arithmetic Nonlin-arithmetic C Recursive Datatypes Floating points Native Free (uninterpreted) functions F# quote Python Quantifiers: E-matching Model Generation: Finite/parametric Quantifiers: Super-position Proof objects Assumption tracking Tactics By Leonardo de Moura, Nikolaj Bjørner, Christoph Wintersteiger

  7. Z3 is Cutting Edge Z3 is Free Software for research http://smtcomp.org

  8. Z3: Little Engines of Proof Freely available from http://research.microsoft.com/projects/z3

  9. Input Formats

  10. Input Formats • Text: • SMT-LIB2 - main exchange format for SMT solvers • Log - low-level log for replay • Datalog - a Datalog format for the fixed-point engine • DIMACS - a format for propositional SAT • Programmatic: • C - API functions exposed for C • Ocaml - Ocaml wrapper around C API • .NET - .NET wrapper around C API • Python - Try it on http://rise4fun.com/z3py • Scala - by PhillipeSuter

  11. A Primer on SMT-LIB2 Online interactive tutorial http://rise4fun.com/z3/tutorial

  12. Theories

  13. Theories Uninterpretedfunctions

  14. Theories Uninterpreted functions Arithmetic (linear)

  15. Theories Uninterpreted functions Arithmetic (linear) Bit-vectors

  16. Theories Uninterpreted functions Arithmetic (linear) Bit-vectors Algebraic data-types

  17. Theories Uninterpreted functions Arithmetic (linear) Bit-vectors Algebraic data-types Arrays

  18. Theories Uninterpreted functions Arithmetic (linear) Bit-vectors Algebraic data-types Arrays Polynomial Arithmetic

  19. Theories Uninterpreted functions Arithmetic (linear) Bit-vectors Algebraic data-types Arrays Polynomial Arithmetic

  20. User-interaction and Guidance

  21. Interaction Logical Formula Sat/Model

  22. Interaction Logical Formula Unsat/Proof

  23. Interaction Logical Formula Simplify

  24. Interaction Logical Formula • x and y are equal • z + y and x + z are equal Implied Equalities

  25. Interaction Logical Formula Quantifier Elimination

  26. Interaction Logical Formula Unsat. Core

  27. Applications of Z3

  28. A Decision Engine for Software Some Microsoft engines: • SDV: The Static Driver Verifier • PREfix: The Static Analysis Engine for C/C++. • Pex: Program EXploration for .NET. • SAGE: Scalable Automated Guided Execution • Spec#: C# + contracts • VCC: Verifying C Compiler for the Viridian Hyper-Visor • HAVOC: Heap-Aware Verification of C-code. • SpecExplorer: Model-based testing of protocol specs. • Yogi: Dynamic symbolic execution + abstraction. • FORMULA: Model-based Design • F7: Refinement types for security protocols • M3: Model Program Modeling • VS3: Abstract interpretation and Synthesis They all use the SMT solver Z3. Hyper-V

  29. Applications

  30. Theorem Provers/Satisfiability Checkers A formula F is valid Iff F is unsatisfiable Satisfiable Model Theorem Prover/ Satisfiability Checker F Unsatisfiable Proof

  31. Theorem Provers/Satisfiability Checkers A formula F is valid Iff F is unsatisfiable Satisfiable Model Theorem Prover/ Satisfiability Checker F Unsatisfiable Proof Memout Timeout

  32. Verification/Analysis Tool: “Template” Problem Verification/Analysis Tool Logical Formula Theorem Prover/ Satisfiability Checker Unsatisfiable Satisfiable (Counter-example)

  33. Basic SMT Example

  34. Satisfiability Modulo Theories (SMT) Is formula satisfiable modulo theory T ? SMT solvers have specialized algorithms for T

  35. Satisfiability Modulo Theories (SMT) Array Theory Arithmetic Uninterpreted Functions

  36. Job Shop Scheduling SMT Example

  37. Job Shop Scheduling Machines Tasks Jobs P = NP? Laundry

  38. Job Shop Scheduling Constraints: Precedence: between two tasks of the same job Resource: Machines execute at most one job at a time 3 1 2 4

  39. Job Shop Scheduling Constraints: Encoding: Precedence: - start time of job 2 on mach 3 - duration of job 2 on mach 3 Resource: 3 1 2 4 Not convex

  40. Job Shop Scheduling

  41. Job Shop Scheduling Efficient solvers: - Floyd-Warshal algorithm - Ford-Fulkerson algorithm case split case split

  42. Follow-on to lectures by Hoare and Petersen Example Exercises

  43. Basic Arithmetic True or false? SMT-LIB2 formulation: (define-fun Max ((x Int) (y Int)) Int (if (> x y) x y)) (define-fun ominus ((x Int) (y Int)) Int (Max 0 (- x y))) (declare-const x Int) (declare-const a Int) (assert (not (<= (+ (ominus x a) a) x))) (check-sat) (get-model)

  44. Follow on Exercises Prove the other properties for WP Prove Axioms for Hoare and Milner calculi

  45. Test case generation SMT Application

  46. Test generation tools SAGE External. For Developers Runs on .NET code Try it on: http://pex4fun.com Internal. For Security Fuzzing Runs on x86 instructions Finding security bugs before the hackers black hat

  47. Static Analysis SMT Application Integrating Z3 with PREfix static analyzer. Yannick Moy, David Selaff, B

  48. What is wrong here? -INT_MIN= INT_MIN (INT_MAX+1)/2 +(INT_MAX+1)/2 = INT_MIN void itoa(int n, char* s) { if (n < 0) { *s++ = ‘-’; n = -n; } // Add digits to s …. intbinary_search(int[] arr,intlow, inthigh, int key) while (low <= high) { // Find middle value int mid = (low + high) / 2; intval = arr[mid];if (val == key) return mid;if (val < key) low = mid+1; else high = mid-1; }return -1; } Book: Kernighan and Ritchie Function: itoa (integer to ascii) Package: java.util.Arrays Function: binary_search

More Related