Presentation is loading. Please wait.

Presentation is loading. Please wait.

Leonardo de Moura Microsoft Research. Applications and Challenges in Satisfiability Modulo Theories Verification/Analysis tools need some form of Symbolic.

Published byHector Milton Mason Modified over 8 years ago

Similar presentations

Presentation on theme: "Leonardo de Moura Microsoft Research. Applications and Challenges in Satisfiability Modulo Theories Verification/Analysis tools need some form of Symbolic."— Presentation transcript:

1 Leonardo de Moura Microsoft Research

2 Applications and Challenges in Satisfiability Modulo Theories Verification/Analysis tools need some form of Symbolic Reasoning

3 Applications and Challenges in Satisfiability Modulo Theories Test case generationVerifying CompilersPredicate Abstraction Invariant Generation Type Checking Model Based Testing

4 VCC Hyper-V Terminator T-2 NModel HAVOC F7 SAGE Vigilante SpecExplorer Applications and Challenges in Satisfiability Modulo Theories

5 unsigned GCD(x, y) { requires(y > 0); while (true) { unsigned m = x % y; if (m == 0) return y; x = y; y = m; } We want a trace where the loop is executed twice. (y 0 > 0) and (m 0 = x 0 % y 0 ) and not (m 0 = 0) and (x 1 = y 0 ) and (y 1 = m 0 ) and (m 1 = x 1 % y 1 ) and (m 1 = 0) SolverSolver x 0 = 2 y 0 = 4 m 0 = 2 x 1 = 4 y 1 = 2 m 1 = 0 SSASSA Applications and Challenges in Satisfiability Modulo Theories

6 Is formula F satisfiable modulo theory T ? SMT solvers have specialized algorithms for T

7 b + 2 = c and f(read(write(a,b,3), c-2) ≠ f(c-b+1) Applications and Challenges in Satisfiability Modulo Theories

8 ArithmeticArithmetic b + 2 = c and f(read(write(a,b,3), c-2) ≠ f(c-b+1) Applications and Challenges in Satisfiability Modulo Theories

9 ArithmeticArithmetic Array Theory b + 2 = c and f(read(write(a,b,3), c-2) ≠ f(c-b+1) Applications and Challenges in Satisfiability Modulo Theories

10 ArithmeticArithmetic Array Theory Uninterpreted Functions b + 2 = c and f(read(write(a,b,3), c-2) ≠ f(c-b+1) Applications and Challenges in Satisfiability Modulo Theories

11 A Theory is a set of sentences Alternative definition: A Theory is a class of structures Applications and Challenges in Satisfiability Modulo Theories

12 Z3 is a new solver developed at Microsoft Research. Development/Research driven by internal customers. Free for academic research. Interfaces: http://research.microsoft.com/projects/z3 Z3 TextC/C++.NETOCaml Applications and Challenges in Satisfiability Modulo Theories

13 For some theories, SMT can be reduced to SAT bvmul 32 (a,b) = bvmul 32 (b,a) Higher level of abstraction Applications and Challenges in Satisfiability Modulo Theories

14 F  TF  T First-order Theorem Prover T may not have a finite axiomatization Applications and Challenges in Satisfiability Modulo Theories

15 For most SMT solvers: F is a set of ground formulas Many Applications Bounded Model Checking Test-Case Generation Applications and Challenges in Satisfiability Modulo Theories

16 M | F Partial model Set of clauses Applications and Challenges in Satisfiability Modulo Theories

17 Guessing (case-splitting) p,  q | p  q,  q  r p | p  q,  q  r Applications and Challenges in Satisfiability Modulo Theories

18 Deducing p, s| p  q,  p  s p | p  q,  p  s Applications and Challenges in Satisfiability Modulo Theories

19 Backtracking p, s| p  q, s  q,  p   q p,  s, q | p  q, s  q,  p   q Applications and Challenges in Satisfiability Modulo Theories

20 Efficient indexing (two-watch literal) Non-chronological backtracking (backjumping) Lemma learning … Applications and Challenges in Satisfiability Modulo Theories

21 Efficient decision procedures for conjunctions of ground atoms. a=b, a 10 Difference LogicBelmann-Ford Uninterpreted functionsCongruence closure Linear arithmeticSimplex Efficient algorithms Applications and Challenges in Satisfiability Modulo Theories

22 a=b, a > 0, c > 0, a + c < 0 | F backtrack

23 Applications and Challenges in Satisfiability Modulo Theories SMT Solver = DPLL + Decision Procedure Standard question: Why don’t you use CPLEX for handling linear arithmetic? Standard question: Why don’t you use CPLEX for handling linear arithmetic?

24 Applications and Challenges in Satisfiability Modulo Theories Decision Procedures must be: Incremental & Backtracking Theory Propagation a=b, a<5 | … a<6  f(a) = a a=b, a<5, a<6 | … a<6  f(a) = a

25 Applications and Challenges in Satisfiability Modulo Theories Decision Procedures must be: Incremental & Backtracking Theory Propagation Precise (theory) lemma learning a=b, a > 0, c > 0, a + c < 0 | F Learn clause:  (a=b)   (a > 0)   (c > 0)   (a + c < 0) Imprecise! Precise clause:  a > 0   c > 0   a + c < 0

26 Annotated Program Verification Condition F pre/post conditions invariants and other annotations pre/post conditions invariants and other annotations

27 class C { private int a, z; invariant z > 0 public void M() requires a != 0 { z = 100/a; }

28 … terminates diverges goes wrong

29 State Cartesian product of variables Execution trace Nonempty finite sequence of states Infinite sequence of states Nonempty finite sequence of states followed by special error state … (x: int, y: int, z: bool)

30 x := E x := x + 1 x := 10 havoc x assert P assume P P ¬P¬P P

31 … x := E x := x + 1 x := 10 havoc x S ; T assert P assume P P ¬P¬P P …

32 x := E x := x + 1 x := 10 havoc x S ; T assert P assume P S  T P ¬P¬P P …

33 Hoare triple{ P } S { Q }says that every terminating execution trace of S that starts in a state satisfying P does not go wrong, and terminates in a state satisfying Q

34 Hoare triple{ P } S { Q }says that every terminating execution trace of S that starts in a state satisfying P does not go wrong, and terminates in a state satisfying Q Given S and Q, what is the weakest P’ satisfying {P’} S {Q} ? P' is called the weakest precondition of S with respect to Q, written wp(S, Q) to check {P} S {Q}, check P  P’

35 wp( x := E, Q ) = wp( havoc x, Q ) = wp( assert P, Q ) = wp( assume P, Q ) = wp( S ; T, Q ) = wp( S  T, Q ) = Q[ E / x ] (  x  Q ) P  Q P  Q wp( S, wp( T, Q )) wp( S, Q )  wp( T, Q )

36 if E then S else T end = assume E; S  assume ¬E; T

37 if E  S | F  T fi = assert E  F; ( assume E; S  assume F; T )

38 while E invariant J do S end =assert J; havoc x; assume J; (assume E; S; assert J; assume false  assume ¬ E ) where x denotes the assignment targets of S “fast forward” to an arbitrary iteration of the loop check that the loop invariant holds initially check that the loop invariant is maintained by the loop body

39 BIG and-or tree (ground) BIG and-or tree (ground)  Axioms ( (non-ground)  Axioms ( (non-ground) Control & Data Flow

40 Meta OS: small layer of software between hardware and OS Mini: 60K lines of non-trivial concurrent systems C code Critical: must provide functional resource abstraction Trusted: a verification grand challenge Hardware Hypervisor

41 VCs have several Mb Thousands of non ground clauses Developers are willing to wait at most 5 min per VC Applications and Challenges in Satisfiability Modulo Theories

42 Partial solutions Automatic generation of: Loop Invariants Houdini-style automatic annotation generation Applications and Challenges in Satisfiability Modulo Theories

43 Quantifiers, quantifiers, quantifiers, … Modeling the runtime  h,o,f: IsHeap(h)  o ≠ null  read(h, o, alloc) = t  read(h,o, f) = null  read(h, read(h,o,f),alloc) = t Applications and Challenges in Satisfiability Modulo Theories

44 Quantifiers, quantifiers, quantifiers, … Modeling the runtime Frame axioms  o, f: o ≠ null  read(h 0, o, alloc) = t  read(h 1,o,f) = read(h 0,o,f)  (o,f)  M Applications and Challenges in Satisfiability Modulo Theories

45 Quantifiers, quantifiers, quantifiers, … Modeling the runtime Frame axioms User provided assertions  i,j: i  j  read(a,i)  read(b,j) Applications and Challenges in Satisfiability Modulo Theories

46 Quantifiers, quantifiers, quantifiers, … Modeling the runtime Frame axioms User provided assertions Theories  x: p(x,x)  x,y,z: p(x,y), p(y,z)  p(x,z)  x,y: p(x,y), p(y,x)  x = y Applications and Challenges in Satisfiability Modulo Theories

47 Quantifiers, quantifiers, quantifiers, … Modeling the runtime Frame axioms User provided assertions Theories Solver must be fast in satisfiable instances. We want to find bugs! Applications and Challenges in Satisfiability Modulo Theories

48 There is no sound and refutationally complete procedure for linear integer arithmetic + free function symbols Applications and Challenges in Satisfiability Modulo Theories

49 Heuristic quantifier instantiationCombining SMT with Saturation proversComplete quantifier instantiationDecidable fragmentsModel based quantifier instantiation Applications and Challenges in Satisfiability Modulo Theories

50 SMT solvers use heuristic quantifier instantiation. E-matching (matching modulo equalities). Example:  x: f(g(x)) = x { f(g(x)) } a = g(b), b = c, f(a)  c Trigger Applications and Challenges in Satisfiability Modulo Theories

51 SMT solvers use heuristic quantifier instantiation. E-matching (matching modulo equalities). Example:  x: f(g(x)) = x { f(g(x)) } a = g(b), b = c, f(a)  c x=b f(g(b)) = b Equalities and ground terms come from the partial model M Applications and Challenges in Satisfiability Modulo Theories

52 Integrates smoothly with DPLL. Efficient for most VCs Decides useful theories: Arrays Partial orders … Applications and Challenges in Satisfiability Modulo Theories

53 E-matching is NP-Hard. In practice Applications and Challenges in Satisfiability Modulo Theories

54 Trigger: f(x1, g(x1, a), h(x2), b) Trigger: f(x1, g(x1, a), h(x2), b) Instructions: 1.init(f, 2) 2.check(r4, b, 3) 3.bind(r2, g, r5, 4) 4.compare(r1, r5, 5) 5.check(r6, a, 6) 6.bind(r3, h, r7, 7) 7.yield(r1, r7) Instructions: 1.init(f, 2) 2.check(r4, b, 3) 3.bind(r2, g, r5, 4) 4.compare(r1, r5, 5) 5.check(r6, a, 6) 6.bind(r3, h, r7, 7) 7.yield(r1, r7) CompilerCompiler Similar triggers share several instructions. Combine code sequences in a code tree Applications and Challenges in Satisfiability Modulo Theories

55 Is the axiomatization of the runtime consistent? False implies everything E-matching doesn’t work No ground terms to instantiate clauses Partial solution: SMT + Saturation Provers Found many bugs using this approach Applications and Challenges in Satisfiability Modulo Theories

56 Tight integration: DPLL + Saturation solver. BIG and-or tree (ground) BIG and-or tree (ground) Axioms ( (non-ground) Axioms ( (non-ground) Saturation Solver SMT Applications and Challenges in Satisfiability Modulo Theories

57 Inference rule: DPLL(  ) is parametric. Examples: Resolution Superposition calculus … Applications and Challenges in Satisfiability Modulo Theories

58 DPLL + Theories DPLL + Theories Saturation Solver Saturation Solver Ground literals Ground clauses Applications and Challenges in Satisfiability Modulo Theories

59 Standard complain “I made a small modification in my Spec, and Z3 is timingout” This also happens with SAT solvers (NP-complete) In our case, the problems are undecidable Partial solution: parallelization Applications and Challenges in Satisfiability Modulo Theories

60 Joint work with Y. Hamadi (MSRC) and C. Wintersteiger Multi-core & Multi-node (HPC) Different strategies in parallel Collaborate exchanging lemmas Strategy 1 Strategy 2 Strategy 3 Strategy 4 Strategy 5 Applications and Challenges in Satisfiability Modulo Theories

61 Non-linear arithmetic is necessary for verifying embedded and hybrid systems Non-linear integer arithmetic is undecidable Many approaches for non linear real arithmetic Cylindrical Algebraic Decomposition Doubly exponential procedure Grobner Basis + “extensions” Heuristics Applications and Challenges in Satisfiability Modulo Theories

62

63 http://research.microsoft.com/slam/ SLAM/SDV is a software model checker. Application domain: device drivers. Architecture: c2bp C program → boolean program (predicate abstraction). bebop Model checker for boolean programs. newton Model refinement (check for path feasibility) SMT solvers are used to perform predicate abstraction and to check path feasibility. c2bp makes several calls to the SMT solver. The formulas are relatively small. Applications and Challenges in Satisfiability Modulo Theories

64 Given a C program P and F = {p 1, …, p n }. Produce a Boolean program B(P, F) Same control flow structure as P. Boolean variables {b 1, …, b n } to match {p 1, …, p n }. Properties true in B(P, F) are true in P. Each p i is a pure Boolean expression. Each p i represents set of states for which p i is true. Performs modular abstraction. Applications and Challenges in Satisfiability Modulo Theories

65 Implies F (e) Best Boolean function over F that implies e. ImpliedBy F (e) Best Boolean function over F that is implied by e. ImpliedBy F (e) = not Implies F (not e) Applications and Challenges in Satisfiability Modulo Theories

66 ImpliedBy F (e) e Implies F (e)

67 minterm m = l 1 ∧... ∧ l n, where l i = p i, or l i = not p i. Implies F (e): disjunction of all minterms that imply e. Naive approach Generate all 2 n possible minterms. For each minterm m, use SMT solver to check validity of m ⇒ e. Many possible optimizations Applications and Challenges in Satisfiability Modulo Theories

68 F = { x < y, x = 2} e : y > 1 Minterms over F !x 1 x 1 !x 1 x 1 Implies F (y>1) = x<y  x=2 Implies F (y>1) = b 1  b 2 Applications and Challenges in Satisfiability Modulo Theories

69 All-SAT Better (more precise) Predicate Abstraction Unsatisfiable cores Why the abstract path is not feasible? Fast Predicate Abstraction Applications and Challenges in Satisfiability Modulo Theories

70 Let S be an unsatisfiable set of formulas. S’  S is an unsatisfiable core of S if: S’ is also unsatisfiable, and There is not S’’  S’ that is also unsatisfiable. Computing Implies F (e) with F = {p 1, p 2, p 3, p 4 } Assume p 1, p 2, p 3, p 4  e is valid That is p 1, p 2, p 3, p 4,  e is unsat Now assume p 1, p 3,  e is the unsatisfiable core Then it is unnecessary to check: p 1,  p 2, p 3, p 4  e p 1,  p 2, p 3,  p 4  e p 1, p 2, p 3,  p 4  e

71  while (c) { S } Post How to find loop invariant I ?

72 I is a Boolean combination of F = {p 1, …, p n } Unknown invariant on the LHS constraints how weak I can be I(x)   c(x)  Post(x) I(x)   c(x)  Post(x) Unknown invariant on the RHS constraints how strong I can be  (x)  I(x) More details: Constraint-based Invariant Inference over Predicate Abstraction, S. Gulwani et al, VMCAI 2009 Applications and Challenges in Satisfiability Modulo Theories

73

74 unsigned GCD(x, y) { requires(y > 0); while (true) { unsigned m = x % y; if (m == 0) return y; x = y; y = m; } (y 0 > 0) and (m 0 = x 0 % y 0 ) and not (m 0 = 0) and (x 1 = y 0 ) and (y 1 = m 0 ) and (m 1 = x 1 % y 1 ) and (m 1 = 0) SolverSolver x 0 = 2 y 0 = 4 m 0 = 2 x 1 = 4 y 1 = 2 m 1 = 0 SSASSA Applications and Challenges in Satisfiability Modulo Theories

75 Most solvers use bit-blasting bvmul 32 (a,b) is converted into a multiplier circuit Solvers may run out of memory “Smart” algorithms are usually less efficient than bit-blasting Applications and Challenges in Satisfiability Modulo Theories

76 I’m unaware of any SMT solver for floating point arithmetic Approximate using Reals Unsound! Incomplete! Applications and Challenges in Satisfiability Modulo Theories

77 Logic as a platform Most verification/analysis tools need symbolic reasoning SMT is a hot area Many applications & challenges http://research.microsoft.com/projects/z3 Thank You! Applications and Challenges in Satisfiability Modulo Theories

Download ppt "Leonardo de Moura Microsoft Research. Applications and Challenges in Satisfiability Modulo Theories Verification/Analysis tools need some form of Symbolic."

Similar presentations

Logical Abstract Interpretation Sumit Gulwani Microsoft Research, Redmond.

Logical Abstract Interpretation Sumit Gulwani Microsoft Research, Redmond.
SMELS: Sat Modulo Equality with Lazy Superposition Christopher Lynch – Clarkson Duc-Khanh Tran - MPI.

SMELS: Sat Modulo Equality with Lazy Superposition Christopher Lynch – Clarkson Duc-Khanh Tran - MPI.
A practical and complete approach to predicate abstraction Ranjit Jhala UCSD Ken McMillan Cadence Berkeley Labs.

A practical and complete approach to predicate abstraction Ranjit Jhala UCSD Ken McMillan Cadence Berkeley Labs.
Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.

Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.
Demand-driven inference of loop invariants in a theorem prover

Demand-driven inference of loop invariants in a theorem prover
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 0 Summer school on Formal Models.

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 0 Summer school on Formal Models.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.

Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.
Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”

Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”
50.530: Software Engineering

50.530: Software Engineering
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
Satisfiability Modulo Theories (An introduction)

Satisfiability Modulo Theories (An introduction)
SMT Solvers (an extension of SAT) Kenneth Roe. Slide thanks to C. Barrett & S. A. Seshia, ICCAD 2009 Tutorial 2 Boolean Satisfiability (SAT) ⋁ ⋀ ¬ ⋁ ⋀

SMT Solvers (an extension of SAT) Kenneth Roe. Slide thanks to C. Barrett & S. A. Seshia, ICCAD 2009 Tutorial 2 Boolean Satisfiability (SAT) ⋁ ⋀ ¬ ⋁ ⋀
50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.

50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.
Verification of Functional Programs in Scala Philippe Suter (joint work w/ Ali Sinan Köksal and Viktor Kuncak) ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE,

Verification of Functional Programs in Scala Philippe Suter (joint work w/ Ali Sinan Köksal and Viktor Kuncak) ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE,
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
© Anvesh Komuravelli Quantified Invariants in Rich Domains using Model Checking and Abstract Interpretation Anvesh Komuravelli, CMU Joint work with Ken.

© Anvesh Komuravelli Quantified Invariants in Rich Domains using Model Checking and Abstract Interpretation Anvesh Komuravelli, CMU Joint work with Ken.
Logic as the lingua franca of software verification Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A Joint work with Andrey Rybalchenko.

Logic as the lingua franca of software verification Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A Joint work with Andrey Rybalchenko.
Interpolants from Z3 proofs Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.

Interpolants from Z3 proofs Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.

Similar presentations

Ads by Google