1 / 115

SMT@Microsoft Midwest Verification Day, Iowa, 2009

SMT@Microsoft Midwest Verification Day, Iowa, 2009. Leonardo de Moura Microsoft Research. Symbolic Reasoning. Verification/Analysis tools need some form of Symbolic Reasoning. Symbolic Reasoning. Logic is “The Calculus of Computer Science” (Z. Manna). High computational complexity.

olin
Télécharger la présentation

SMT@Microsoft Midwest Verification Day, Iowa, 2009

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. SMT@MicrosoftMidwest Verification Day, Iowa, 2009 Leonardo de Moura Microsoft Research

  2. Symbolic Reasoning • Verification/Analysis tools need some form of Symbolic Reasoning SMT@Microsoft

  3. Symbolic Reasoning • Logic is “The Calculus of Computer Science” (Z. Manna). • High computational complexity Undecidable (FOL + LA) Semi-decidable (First-order logic) NEXPTime-complete (EPR) PSpace-complete (QBF) NP-complete (Propositional logic) P-time (Equality) SMT@Microsoft

  4. Applications SMT@Microsoft

  5. Some Applications @ Microsoft HAVOC Terminator T-2 Hyper-V VCC NModel Vigilante SpecExplorer F7 SAGE SMT@Microsoft

  6. Test case generation unsigned GCD(x, y) { requires(y > 0); while (true) { unsigned m = x % y; if (m == 0) return y; x = y; y = m; } } (y0 > 0) and (m0 = x0 % y0) and not (m0 = 0) and (x1 = y0) and (y1 = m0) and (m1 = x1 % y1) and (m1 = 0) • x0 = 2 • y0 = 4 • m0 = 2 • x1 = 4 • y1 = 2 • m1 = 0 SSA Solver We want a trace where the loop is executed twice. SMT@Microsoft

  7. Type checking Signature: div : int, { x : int | x  0 }  int Subtype Call site: • if a  1 and a  b then • return div(a, b) Verification condition • a  1 and a  b implies b  0 SMT@Microsoft

  8. Satisfiability Modulo Theories (SMT) • Is formula Fsatisfiable modulo theory T ? SMT solvers have specialized algorithms for T SMT@Microsoft

  9. Satisfiability Modulo Theories (SMT) • b + 2 = c and f(read(write(a,b,3), c-2) ≠ f(c-b+1) SMT@Microsoft

  10. Satisfiability Modulo Theories (SMT) • b + 2 = c and f(read(write(a,b,3), c-2) ≠ f(c-b+1) Arithmetic SMT@Microsoft

  11. Satisfiability Modulo Theories (SMT) • b + 2 = c and f(read(write(a,b,3), c-2) ≠ f(c-b+1) Array Theory Arithmetic SMT@Microsoft

  12. Satisfiability Modulo Theories (SMT) • b + 2 = c and f(read(write(a,b,3), c-2) ≠ f(c-b+1) Uninterpreted Functions Array Theory Arithmetic SMT@Microsoft

  13. SMT@Microsoft: Solver • Z3 is a new solver developed at Microsoft Research. • Development/Research driven by internal customers. • Free for academic research. • Interfaces: • http://research.microsoft.com/projects/z3 SMT@Microsoft

  14. Ground formulas For most SMT solvers: F is a set of ground formulas • Many Applications • Bounded Model Checking • Test-Case Generation SMT@Microsoft

  15. Little Engines of Proof An SMT Solver is a collection of Little Engines of Proof SMT@Microsoft

  16. Deciding Equality a = b, b = c, d = e, b = s, d = t, a e, a s a b c d e s t SMT@Microsoft

  17. Deciding Equality a = b, b = c, d = e, b = s, d = t, a e, a s a,b a b c d e s t SMT@Microsoft

  18. Deciding Equality a = b, b = c, d = e, b = s, d = t, a e, a s a,b,c a,b c d e s t SMT@Microsoft

  19. Deciding Equality a = b,b = c, d = e, b = s, d = t, a e, a s a,b,c d,e d e s t SMT@Microsoft

  20. Deciding Equality a = b,b = c, d = e, b = s, d = t, a e, a s a,b,c,s a,b,c d,e s t SMT@Microsoft

  21. Deciding Equality a = b,b = c, d = e, b = s, d = t, a e, a s a,b,c,s d,e,t d,e t SMT@Microsoft

  22. Deciding Equality a = b,b = c, d = e, b = s, d = t, a e, a s a,b,c,s d,e,t SMT@Microsoft

  23. Deciding Equality a = b,b = c, d = e, b = s, d = t, a e, a s a,b,c,s d,e,t Unsatisfiable SMT@Microsoft

  24. Deciding Equality a = b,b = c, d = e, b = s, d = t, a e a,b,c,s d,e,t Model |M| = { 0, 1 } M(a) = M(b) = M(c) = M(s) = 0 M(d) = M(e) = M(t) = 1 SMT@Microsoft

  25. Deciding Equality + (uninterpreted) Functions a = b,b = c, d = e, b = s, d = t, f(a, g(d))  f(b, g(e)) f(b,g(e)) f(a,g(d)) a,b,c,s d,e,t g(e) g(d) Congruence Rule: • x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn) SMT@Microsoft

  26. Deciding Equality + (uninterpreted) Functions a = b,b = c, d = e, b = s, d = t, f(a, g(d))  f(b, g(e)) f(b,g(e)) f(a,g(d)) g(d),g(e) a,b,c,s d,e,t g(e) g(d) Congruence Rule: • x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn) SMT@Microsoft

  27. Deciding Equality + (uninterpreted) Functions a = b,b = c, d = e, b = s, d = t, f(a, g(d))  f(b, g(e)) f(a,g(d)),f(b,g(e)) f(b,g(e)) f(a,g(d)) g(d),g(e) a,b,c,s d,e,t Congruence Rule: • x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn) SMT@Microsoft

  28. Deciding Equality + (uninterpreted) Functions a = b,b = c, d = e, b = s, d = t, f(a, g(d))  f(b, g(e)) f(a,g(d)),f(b,g(e)) g(d),g(e) a,b,c,s d,e,t Unsatisfiable SMT@Microsoft

  29. Deciding Equality + (uninterpreted) Functions (fully shared) DAGs for representing terms Union-find data-structure + Congruence Closure O(n log n) SMT@Microsoft

  30. In practice, we need a combination of theory solvers. Nelson-Oppen combination method. Reduction techniques. Model-based theory combination. Combining Solvers SMT@Microsoft

  31. SAT (propositional checkers): Case Analysis p  q, p  q, p  q, p  q SMT@Microsoft

  32. SAT (propositional checkers):Case Analysis p  q, p  q, p  q, p  q Assignment: p = false, q = false SMT@Microsoft

  33. SAT (propositional checkers):Case Analysis p  q, p  q, p  q, p  q Assignment: p = false, q = true SMT@Microsoft

  34. SAT (propositional checkers):Case Analysis p  q, p  q, p  q, p  q Assignment: p = true, q = false SMT@Microsoft

  35. SAT (propositional checkers): Case Analysis p  q, p  q, p  q, p  q Assignment: p = true, q = true SMT@Microsoft

  36. M | F DPLL Partial model Set of clauses SMT@Microsoft

  37. Guessing DPLL • p | p  q, q  r p, q | p  q, q  r SMT@Microsoft

  38. Deducing DPLL • p | p  q, p  s p, s| p  q, p  s SMT@Microsoft

  39. Backtracking DPLL • p, s, q | p  q, s  q, p q p, s| p  q, s  q, p q SMT@Microsoft

  40. Efficient indexing (two-watch literal) Non-chronological backtracking (backjumping) Lemma learning … Modern DPLL SMT@Microsoft

  41. Efficient decision procedures for conjunctions of ground literals. Solvers = DPLL + Decision Procedures • a=b, a<5 | a=b  f(a)=f(b), a < 5  a > 10 SMT@Microsoft

  42. Theory Conflicts • a=b, a > 0, c > 0, a + c < 0 | F • backtrack SMT@Microsoft

  43. Naïve recipe? SMT Solver = DPLL + Decision Procedure Standard question: Why don’t you use CPLEX for handling linear arithmetic? SMT@Microsoft

  44. Efficient SMT solvers Decision Procedures must be: Incremental & Backtracking Theory Propagation • a=b, a<5 | … a<6  f(a) = a • a=b, a<5, a<6 | … a<6  f(a) = a SMT@Microsoft

  45. Efficient SMT solvers Decision Procedures must be: Incremental & Backtracking Theory Propagation Precise (theory) lemma learning • a=b, a > 0, c > 0, a + c < 0 | F • Learn clause: • (a=b)  (a > 0)  (c > 0)  (a + c < 0) • Imprecise! • Precise clause: • a > 0  c > 0  a + c < 0 SMT@Microsoft

  46. SMT x SAT • For some theories, SMT can be reduced to SAT • Higher level of abstraction • bvmul32(a,b) = bvmul32 (b,a) SMT@Microsoft

  47. SMT x First-order provers T may not have a finite axiomatization SMT@Microsoft

  48. SMT: Some Applications SMT@Microsoft

  49. SMT: Some Applications SMT@Microsoft

  50. Test-case generation • Test (correctness + usability) is 95% of the deal: • Dev/Test is 1-1 in products. • Developers are responsible for unit tests. • Tools: • Annotations and static analysis (SAL + ESP) • File Fuzzing • Unit test case generation SMT@Microsoft

More Related