
Showing papers by "Leonardo de Moura published in 2010"


Journal ArticleDOI
TL;DR: A DPLL calculus that is a decision procedure for the Bernays-Schönfinkel class, also known as EPR, that allows combining techniques for efficient propositional search with data-structures that can efficiently and succinctly encode finite sets of substitutions and operations on these.
Abstract: We introduce a DPLL calculus that is a decision procedure for the Bernays-Schönfinkel class, also known as EPR. Our calculus allows combining techniques for efficient propositional search with data-structures, such as Binary Decision Diagrams, that can efficiently and succinctly encode finite sets of substitutions and operations on these. In the calculus, clauses consist of a sequence of literals together with a finite set of substitutions; truth assignments are also represented using substitution sets. The calculus works directly at the level of sets, and admits performing simultaneous constraint propagation and decisions, resulting in potentially exponential speedups over existing approaches.

104 citations


Proceedings ArticleDOI
20 Oct 2010
TL;DR: This work presents a new approach based on a set of effective word-level simplifications that are traditionally employed in automated theorem proving, heuristic quantifier instantiation methods used in SMT solvers, and model finding techniques based on skeletons/templates that outperforms the traditional flattening approach.
Abstract: In recent years, bit-precise reasoning has gained importance in hardware and software verification. Of renewed interest is the use of symbolic reasoning for synthesising loop invariants, ranking functions, or whole program fragments and hardware circuits. Solvers for the quantifier-free fragment of bit-vector logic exist and often rely on SAT solvers for efficiency. However, many techniques require quantifiers in bit-vector formulas to avoid an exponential blow-up during construction. Solvers for quantified formulas usually flatten the input to obtain a quantified Boolean formula, losing much of the word-level information in the formula. We present a new approach based on a set of effective word-level simplifications that are traditionally employed in automated theorem proving, heuristic quantifier instantiation methods used in SMT solvers, and model finding techniques based on skeletons/templates. Experimental results on two different types of benchmarks indicate that our method outperforms the traditional flattening approach by multiple orders of magnitude of runtime.

90 citations


Book ChapterDOI
10 Oct 2010
TL;DR: This work introduces and evaluates a method for symbolically expressing and solving constraints over automata, including subset constraints, and uses techniques present in the state-of-the-art SMT solver Z3.
Abstract: Constraints over regular and context-free languages are common in the context of string-manipulating programs. Efficient solving of such constraints, often in combination with arithmetic and other theories, has many useful applications in program analysis and testing. We introduce and evaluate a method for symbolically expressing and solving constraints over automata, including subset constraints. Our method uses techniques present in the state-of-the-art SMT solver Z3.

46 citations
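
An added example of the kind of subset constraint the entry above is about, written for current Z3 in SMT-LIB2 (it uses Z3's built-in string and regular-expression theory, not the automata encoding of the 2010 paper, and the allowlist and "safe" languages below are constructed for illustration). The security question it answers is the usual one for input filters: does every string that passes the allowlist also stay inside the language the sink tolerates? L_filter is a subset of L_safe exactly when L_filter intersected with the complement of L_safe is empty, so the solver is asked for a witness in that intersection; `unsat` means the subset holds.

```smt2
; Added example, not from the paper: language-subset checking with Z3's
; regex theory. Names (word, filter, safe, weak-filter) are made up here.
(set-logic ALL)
(declare-const s String)

; Allowlist: one or more labels of [a-z0-9_], separated by single dots
; (a hypothetical hostname-style filter, constructed for this example).
(define-fun word () RegLan
  (re.+ (re.union (re.range "a" "z") (re.range "0" "9") (str.to_re "_"))))
(define-fun filter () RegLan
  (re.++ word (re.* (re.++ (str.to_re ".") word))))

; What the sink tolerates: no "..", no leading dot, no trailing dot.
; Written as the complement of the bad language.
(define-fun bad () RegLan
  (re.union (re.++ re.all (str.to_re "..") re.all)
            (re.++ (str.to_re ".") re.all)
            (re.++ re.all (str.to_re "."))))
(define-fun safe () RegLan (re.comp bad))

; Query 1: is there a string accepted by the filter but not safe?
; Expected: unsat, i.e. L_filter is a subset of L_safe.
(push)
(assert (str.in_re s filter))
(assert (not (str.in_re s safe)))
(check-sat)
(pop)

; Query 2: a weaker filter that allows "." anywhere. Now a witness exists
; (something like "a..b" or ".ab"), so the subset relation fails.
(define-fun weak-filter () RegLan
  (re.* (re.union (re.range "a" "z") (str.to_re "."))))
(push)
(assert (str.in_re s weak-filter))
(assert (not (str.in_re s safe)))
(assert (>= (str.len s) 3))
(check-sat)        ; sat
(get-value (s))    ; the counterexample string that passes weak-filter
(pop)
```

Run with `z3 file.smt2`. The second query is the shape of a real bypass search: the witness is an input the filter accepts that the downstream consumer was not written to handle.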


Book ChapterDOI
04 Oct 2010
TL;DR: Satisfiability modulo theories (SMT) as mentioned in this paper is a branch of automated reasoning that builds on advances in propositional satisfiability and on decision procedures for first-order reasoning.
Abstract: Satisfiability modulo theories (SMT) is a branch of automated reasoning that builds on advances in propositional satisfiability and on decision procedures for first-order reasoning. Its defining feature is the use of reasoning methods specific to logical theories of interest in target applications. Advances in SMT research and technology have led in the last few years to the development of very powerful satisfiability solvers and to an explosion of applications. SMT solvers are now used for processor verification, equivalence checking, bounded and unbounded model checking, predicate abstraction, static analysis, automated test case generation, extended static checking, scheduling and optimization. While the roots of SMT go back to work in the late 1970s and early 1980s on using decision procedures in formal methods, the field was born in the late 1990s with various independent attempts to harness the power of modern SAT solvers, reaching the current level of sophistication with the research and development advances of the last decade. Major enablers for these advances were SMT-LIB, a standardization and benchmark collection initiative supported by a large number of SMT researchers and users world-wide, and its offsprings: the SMT workshop, an international workshop bringing together SMT researchers and users of SMT applications or techniques; SMT-COMP, an international competition for SMT solvers supporting the SMT-LIB input format; and SMT-EXEC, a public execution service allowing researchers to configure and execute benchmarking experiments on SMT solvers. This talk provides historical perspectives on the development of the field and on the SMT-LIB initiative and its offsprings. It highlights the initiative's milestones and main achievements, and the role of the authors and other major contributors in it. It then concludes with a brief discussion of a few promising directions for future research in SMT.

26 citations


Book ChapterDOI
16 Jul 2010
TL;DR: This paper reviews some of these applications that use software verifiers as bug-finders “on steroids” and suggests that new model finding techniques are needed to increase the set of applications supported by SMT solvers.
Abstract: Symbolic reasoning is at the core of many software development tools such as: bug-finders, test-case generators, and verifiers. Of renewed interest is the use of symbolic reasoning for synthesising code, loop invariants and ranking functions. Satisfiability Modulo Theories (SMT) solvers have been the focus of increased recent attention thanks to technological advances and an increasing number of applications. In this paper we review some of these applications that use software verifiers as bug-finders "on steroids" and suggest that new model finding techniques are needed to increase the set of applications supported by these solvers.

20 citations


01 Mar 2010
TL;DR: The presentation of the axioms and the encoding in this paper is decoupled from SLAM2, such that they could be utilized by other static analysis tools when dealing with pointer predicates - often a bottleneck in such tools.
Abstract: Static Driver Verifier (SDV) is a verification tool included in the Windows 7 Driver Kit (WDK). SDV uses SLAM as the program analysis engine. SDV 2.0 released with Windows 7 uses a re-designed SLAM2 engine. SLAM2 improves the precision and performance of predicate evaluation by using the Z3 SMT solver. To handle predicates with pointers in SLAM2, we propose a novel set of axioms that defines a logical memory model, which is one of the underlying concepts and limitations of SLAM. We also designed an algorithm for encoding predicates passed to Z3 with uninterpreted functions over integers. In this paper, we present the axioms and the encoding. We also show how the axioms can be modified to achieve a better precision by refining the memory model. Our profiling of SDV runs on real device drivers confirms that the axioms and the encoding allowed SLAM2 to achieve a good balance between the precision required by the logical memory model, and Z3 performance on complex predicates. Our presentation of the axioms and the encoding in this paper is decoupled from SLAM2, such that they could be utilized by other static analysis tools when dealing with pointer predicates - often a bottleneck in such tools.

11 citations
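
An added example, not SLAM2's axioms or encoding, of what "pointer predicates over uninterpreted functions on integers" looks like as a Z3 query. Addresses are integers, the heap before and after a store is a pair of uninterpreted functions `mem0`/`mem1` (names chosen here), a store is one update axiom plus one frame axiom, and a predicate such as `*p == v` becomes an equality over those functions. The final "refinement" (an injective field-offset function `fld`) is an illustrative way of tightening such a model, not the refinement the paper describes.

```smt2
; Added example, not from the paper: a small logical memory model with
; addresses as Int and memory as uninterpreted functions Int -> Int.
(set-logic ALL)
(declare-fun mem0 (Int) Int)   ; heap before the statement
(declare-fun mem1 (Int) Int)   ; heap after the statement
(declare-const p Int)          ; value of pointer p (an address)
(declare-const q Int)          ; value of pointer q (an address)
(declare-const v Int)

; Statement:  *q = v;
; update axiom: the written cell holds v afterwards
(assert (= (mem1 q) v))
; frame axiom: every other cell is unchanged
(assert (forall ((a Int)) (=> (distinct a q) (= (mem1 a) (mem0 a)))))

; Predicate to evaluate after the statement:  *p == v

; Query 1: under the alias fact p == q the predicate must hold.
; Expected: unsat (the negation of *p == v is inconsistent).
(push)
(assert (= p q))
(assert (not (= (mem1 p) v)))
(check-sat)
(pop)

; Query 2: without an alias fact the predicate is not implied.
; Expected: sat, with a model where p != q and (mem0 p) != v.
(push)
(assert (not (= (mem1 p) v)))
(check-sat)
(get-model)
(pop)

; Illustrative refinement (not the paper's): field addresses of distinct
; objects are distinct, so &s.f == &t.f only if s == t.
(declare-fun fld (Int) Int)
(assert (forall ((x Int) (y Int)) (=> (= (fld x) (fld y)) (= x y))))
(declare-const s Int)
(declare-const t Int)
(push)
(assert (distinct s t))
(assert (= (fld s) (fld t)))
(check-sat)   ; expected: unsat
(pop)
```

The point of the encoding is that the solver decides aliasing questions for you: query 1 needs only congruence (`p = q` forces `mem1 p = mem1 q = v`), while query 2 shows why an analysis that drops the frame axiom or the alias facts becomes imprecise rather than unsound.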


Proceedings Article
01 Jan 2010
TL;DR: Novel Gröbner basis algorithms based on saturation loops used by modern superposition theorem provers are presented and illustrated the practical value of the algorithms through an experimental implementation within the Z3 SMT solver.
Abstract: We present novel Gröbner basis algorithms based on saturation loops used by modern superposition theorem provers. We illustrate the practical value of the algorithms through an experimental implementation within the Z3 SMT solver.

6 citations


Proceedings ArticleDOI
01 Jan 2010
TL;DR: This paper examines three applications of Z3 in the context of invariant generation: the first lets Z3 infer invariants as a constraint satisfaction problem, the second illustrates the use of Z3 for bit-precise analysis, and the third uses Z3 for calculations.
Abstract: The area of software analysis, testing and verification is now undergoing a revolution thanks to the use of automated and scalable support for logical methods. A well-recognized premise is that at the core of software analysis engines is invariably a component using logical formulas for describing states and transformations between system states. One can thus say that symbolic logic is the calculus of computation. The process of using this information for discovering and checking program properties (including such important properties as safety and security) amounts to automatic theorem proving. In particular, theorem provers that directly support common software constructs offer a compelling basis. Such provers are commonly called satisfiability modulo theories (SMT) solvers. Z3 is the leading SMT solver. It is developed by the authors at Microsoft Research. It can be used to check the satisfiability of logical formulas over one or more theories such as arithmetic, bit-vectors, lists, records and arrays. This paper examines three applications of Z3 in the context of invariant generation. The first lets Z3 infer invariants as a constraint satisfaction problem, the second application illustrates the use of Z3 for bit-precise analysis and our third application exemplifies using Z3 for calculations.

3 citations
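
An added example that serves two entries above: the quantified bit-vector paper (loop-invariant synthesis is one of its benchmark families) and the invariant-generation paper (inferring an invariant as a constraint satisfaction problem). It is not code or a benchmark from either paper; the 8-bit program and the linear template are constructed here. The unknown coefficients `a`, `b`, `c` are existential, the program variables are universally quantified, and the three conjuncts are the usual initiation, consecution and sufficiency conditions. Z3 solves this at the word level by quantifier instantiation and model finding over the template instead of bit-blasting the quantifier into a QBF.

```smt2
; Added example, not from the papers. Program (unsigned 8-bit, constructed):
;   x := 0;  while (x <u n) { x := x + 1 }   assert (x == n)
; Invariant template:  a*x + c <=u b*n   for unknown 8-bit a, b, c.
(set-logic BV)
(declare-const a (_ BitVec 8))
(declare-const b (_ BitVec 8))
(declare-const c (_ BitVec 8))

; candidate invariant, parameterised by the unknown coefficients
(define-fun inv ((x (_ BitVec 8)) (n (_ BitVec 8))) Bool
  (bvule (bvadd (bvmul a x) c) (bvmul b n)))

(assert (forall ((x (_ BitVec 8)) (n (_ BitVec 8)))
  (and
    ; initiation: holds on loop entry, where x = 0
    (inv #x00 n)
    ; consecution: preserved by one iteration taken under the guard
    (=> (and (inv x n) (bvult x n)) (inv (bvadd x #x01) n))
    ; sufficiency: with the guard false it proves the assertion
    (=> (and (inv x n) (not (bvult x n))) (= x n)))))

(check-sat)           ; sat: some instance of the template is an invariant
(get-value (a b c))   ; e.g. a = #x01, b = #x01, c = #x00, i.e. x <=u n
```

Note that the trivial instance `a = b = c = 0` (the invariant `true`) satisfies initiation and consecution but fails sufficiency, which is what forces the solver to return a genuinely useful invariant. At 8 bits the search space is tiny; the word-level treatment is what keeps the same query tractable at 32 or 64 bits, where a flattened QBF would not be.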