1 / 118

Satisfiability Modulo Theories: A Calculus of Computation PUC, Rio de Janeiro, 2009

Symbolic Reasoning. Satisfiability Modulo Theories: A Calculus of Computation. Verification/Analysis tools need some form of Symbolic Reasoning. Symbolic Reasoning. . PSpace-complete(QBF). Semi-decidable(First-order logic). NP-complete(Propositional logic). NEXPTime-complete(EPR). P-time(Equali

psyche
Download Presentation

Satisfiability Modulo Theories: A Calculus of Computation PUC, Rio de Janeiro, 2009

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

    1. Satisfiability Modulo Theories: A Calculus of Computation PUC, Rio de Janeiro, 2009 Leonardo de Moura Microsoft Research

    2. Symbolic Reasoning Satisfiability Modulo Theories: A Calculus of Computation

    3. Symbolic Reasoning Logic is The Calculus of Computer Science (Z. Manna). High computational complexity Satisfiability Modulo Theories: A Calculus of Computation

    4. Applications Satisfiability Modulo Theories: A Calculus of Computation

    5. Some Applications @ Microsoft Satisfiability Modulo Theories: A Calculus of Computation

    6. Test case generation unsigned GCD(x, y) { requires(y > 0); while (true) { unsigned m = x % y; if (m == 0) return y; x = y; y = m; } } Satisfiability Modulo Theories: A Calculus of Computation

    7. Type checking Signature: div : int, { x : int | x ? 0 } ? int Satisfiability Modulo Theories: A Calculus of Computation

    8. Satisfiability Modulo Theories (SMT) Satisfiability Modulo Theories: A Calculus of Computation

    9. Satisfiability Modulo Theories (SMT) Satisfiability Modulo Theories: A Calculus of Computation

    10. Satisfiability Modulo Theories (SMT) Satisfiability Modulo Theories: A Calculus of Computation

    11. Satisfiability Modulo Theories (SMT) Satisfiability Modulo Theories: A Calculus of Computation

    12. Satisfiability Modulo Theories (SMT) Satisfiability Modulo Theories: A Calculus of Computation

    13. Theories A Theory is a set of sentences Alternative definition: A Theory is a class of structures Satisfiability Modulo Theories: A Calculus of Computation

    14. SMT@Microsoft: Solver Satisfiability Modulo Theories: A Calculus of Computation

    15. Ground formulas For most SMT solvers: F is a set of ground formulas Satisfiability Modulo Theories: A Calculus of Computation

    16. Little Engines of Proof An SMT Solver is a collection of Little Engines of Proof Satisfiability Modulo Theories: A Calculus of Computation

    17. Deciding Equality a = b, b = c, d = e, b = s, d = t, a? e, a? s Satisfiability Modulo Theories: A Calculus of Computation

    18. Deciding Equality a = b, b = c, d = e, b = s, d = t, a? e, a? s Satisfiability Modulo Theories: A Calculus of Computation

    19. Deciding Equality a = b, b = c, d = e, b = s, d = t, a? e, a? s Satisfiability Modulo Theories: A Calculus of Computation

    20. Deciding Equality a = b, b = c, d = e, b = s, d = t, a? e, a? s Satisfiability Modulo Theories: A Calculus of Computation

    21. Deciding Equality a = b, b = c, d = e, b = s, d = t, a? e, a? s Satisfiability Modulo Theories: A Calculus of Computation

    22. Deciding Equality a = b, b = c, d = e, b = s, d = t, a? e, a? s Satisfiability Modulo Theories: A Calculus of Computation

    23. Deciding Equality a = b, b = c, d = e, b = s, d = t, a? e, a? s Satisfiability Modulo Theories: A Calculus of Computation

    24. Deciding Equality a = b, b = c, d = e, b = s, d = t, a? e, a? s Satisfiability Modulo Theories: A Calculus of Computation

    25. Deciding Equality a = b, b = c, d = e, b = s, d = t, a? e Satisfiability Modulo Theories: A Calculus of Computation

    26. Deciding Equality + (uninterpreted) Functions a = b, b = c, d = e, b = s, d = t, f(a, g(d)) ? f(b, g(e)) Satisfiability Modulo Theories: A Calculus of Computation

    27. Deciding Equality + (uninterpreted) Functions a = b, b = c, d = e, b = s, d = t, f(a, g(d)) ? f(b, g(e)) Satisfiability Modulo Theories: A Calculus of Computation

    28. Deciding Equality + (uninterpreted) Functions a = b, b = c, d = e, b = s, d = t, f(a, g(d)) ? f(b, g(e)) Satisfiability Modulo Theories: A Calculus of Computation

    29. Deciding Equality + (uninterpreted) Functions a = b, b = c, d = e, b = s, d = t, f(a, g(d)) ? f(b, g(e)) Satisfiability Modulo Theories: A Calculus of Computation

    30. Deciding Equality + (uninterpreted) Functions (fully shared) DAGs for representing terms Union-find data-structure + Congruence Closure O(n log n) Satisfiability Modulo Theories: A Calculus of Computation

    31. Deciding Equality + (uninterpreted) Functions Many theories can be reduced to Equality + Uninterpreted functions Arrays, Sets Lists, Tuples Inductive Datatypes Satisfiability Modulo Theories: A Calculus of Computation

    32. Deciding Difference Arithmetic a b = 2 Satisfiability Modulo Theories: A Calculus of Computation

    33. Deciding Difference Arithmetic a b = 2, b c = -3, b d = -1, d a = 4, c a = 0 Satisfiability Modulo Theories: A Calculus of Computation

    34. Deciding Difference Arithmetic a b = 2, b c = -3, b d = -1, d a = 4, c a = 0 Satisfiability Modulo Theories: A Calculus of Computation

    35. Deciding Difference Arithmetic a b = 2, b c = -3, b d = -1, d a = 4, c a = 0 Satisfiability Modulo Theories: A Calculus of Computation

    36. Deciding Difference Arithmetic a b = 2, b c = -3, b d = -1, d a = 4, c a = 0 Satisfiability Modulo Theories: A Calculus of Computation

    37. Deciding Difference Arithmetic a b = 2, b c = -3, b d = -1, d a = 4, c a = 0 Satisfiability Modulo Theories: A Calculus of Computation

    38. Deciding Difference Arithmetic a b = 2, b c = -3, b d = -1, d a = 4, c a = 0 Satisfiability Modulo Theories: A Calculus of Computation

    39. Deciding Difference Arithmetic a b = 2, b c = -3, b d = -1, d a = 4, c a = 0 Satisfiability Modulo Theories: A Calculus of Computation

    40. Deciding Difference Arithmetic Shortest Path Algorithms Bellman-Ford: O(nm) Floyd-Warshall: O(n3) Satisfiability Modulo Theories: A Calculus of Computation

    41. Other Little Engines Satisfiability Modulo Theories: A Calculus of Computation

    42. Deciding Polynomial Equations (over C) Satisfiability Modulo Theories: A Calculus of Computation x2y 1 = 0, xy2 y = 0, xz z + 1 = 0

    43. Deciding Polynomial Equations (over C) Satisfiability Modulo Theories: A Calculus of Computation Polynomial Ideals: Algebraic generalization of zeroness 0 ? I p ? I, q ? I implies p + q ? I p ? I implies pq ? I

    44. Deciding Polynomial Equations (over C) Satisfiability Modulo Theories: A Calculus of Computation The ideal generated by a finite collection of polynomials P = { p1, , pn } is defined as: I(P) = {p1 q1 + + pn qn | q1 , , qn are polynomials}

    45. Deciding Polynomial Equations (over C) Satisfiability Modulo Theories: A Calculus of Computation Hilberts Weak Nullstellensatz p1 = 0, , pn = 0 is unsatisfiable over C iff I({p1, , pn}) contains all polynomials 1 ? I({p1, , pn})

    46. Deciding Polynomial Equations (over C) Satisfiability Modulo Theories: A Calculus of Computation 1st Key Idea: polynomials as rewrite rules. xy2 y = 0 Becomes xy2 ? y

    47. Deciding Polynomial Equations (over C) Satisfiability Modulo Theories: A Calculus of Computation 2nd Key Idea: Completion. xy2 ? y, x2y ? 1

    48. Deciding Polynomial Equations (over C) Satisfiability Modulo Theories: A Calculus of Computation

    49. Combining Solvers In practice, we need a combination of theory solvers. Nelson-Oppen combination method. Reduction techniques. Model-based theory combination. Satisfiability Modulo Theories: A Calculus of Computation

    50. SAT (propositional checkers): Case Analysis Satisfiability Modulo Theories: A Calculus of Computation

    51. SAT (propositional checkers): Case Analysis Satisfiability Modulo Theories: A Calculus of Computation

    52. SAT (propositional checkers): Case Analysis Satisfiability Modulo Theories: A Calculus of Computation

    53. SAT (propositional checkers): Case Analysis Satisfiability Modulo Theories: A Calculus of Computation

    54. SAT (propositional checkers): Case Analysis Satisfiability Modulo Theories: A Calculus of Computation

    55. SAT (propositional checkers): DPLL M | F Satisfiability Modulo Theories: A Calculus of Computation

    56. DPLL Guessing (case-splitting) Satisfiability Modulo Theories: A Calculus of Computation

    57. DPLL Deducing Satisfiability Modulo Theories: A Calculus of Computation

    58. DPLL Backtracking Satisfiability Modulo Theories: A Calculus of Computation

    59. Modern DPLL Efficient indexing (two-watch literal) Non-chronological backtracking (backjumping) Lemma learning Satisfiability Modulo Theories: A Calculus of Computation

    60. Solvers = DPLL + Decision Procedures Efficient decision procedures for conjunctions of ground literals. Satisfiability Modulo Theories: A Calculus of Computation

    61. Theory Conflicts Satisfiability Modulo Theories: A Calculus of Computation

    62. Nave recipe? Satisfiability Modulo Theories: A Calculus of Computation

    63. Efficient SMT solvers Satisfiability Modulo Theories: A Calculus of Computation

    64. Efficient SMT solvers Satisfiability Modulo Theories: A Calculus of Computation

    65. SMT x SAT Satisfiability Modulo Theories: A Calculus of Computation

    66. SMT x First-order provers Satisfiability Modulo Theories: A Calculus of Computation

    67. Test case generation

    68. Test case generation Satisfiability Modulo Theories: A Calculus of Computation

    69. Security is critical Satisfiability Modulo Theories: A Calculus of Computation

    70. Hunting for Security Bugs. Two main techniques used by black hats: Code inspection (of binaries). Black box fuzz testing. Black box fuzz testing: A form of black box random testing. Randomly fuzz (=modify) a well formed input. Grammar-based fuzzing: rules to encode how to fuzz. Heavily used in security testing At MS: several internal tools. Conceptually simple yet effective in practice Satisfiability Modulo Theories: A Calculus of Computation

    71. Directed Automated Random Testing ( DART) Satisfiability Modulo Theories: A Calculus of Computation

    72. DARTish projects at Microsoft Satisfiability Modulo Theories: A Calculus of Computation

    73. What is Pex? Test input generator Pex starts from parameterized unit tests Generated tests are emitted as traditional unit tests Satisfiability Modulo Theories: A Calculus of Computation

    74. ArrayList: The Spec Satisfiability Modulo Theories: A Calculus of Computation

    75. ArrayList: AddItem Test

    76. ArrayList: Starting Pex

    77. ArrayList: Run 1, (0,null)

    78. ArrayList: Run 1, (0,null)

    79. ArrayList: Run 1, (0,null)

    80. ArrayList: Run 1, (0,null)

    81. ArrayList: Picking the next branch to cover

    82. ArrayList: Solve constraints using SMT solver

    83. ArrayList: Run 2, (1, null)

    84. ArrayList: Pick new branch

    85. ArrayList: Run 3, (-1, null)

    86. ArrayList: Run 3, (-1, null)

    87. ArrayList: Run 3, (-1, null)

    88. PEX ? Z3 Satisfiability Modulo Theories: A Calculus of Computation

    89. PEX ? Z3: Incrementality Pex sends several similar formulas to Z3. Plus: backtracking primitives in the Z3 API. push pop Reuse (some) lemmas. Satisfiability Modulo Theories: A Calculus of Computation

    90. PEX ? Z3: Small models Given a set of constraints C, find a model M that minimizes the interpretation for x0, , xn. In the ArrayList example: Why is the model where c = 2147483648 less desirable than the model with c = 1? !(c<0) && 0!=c Simple solution: Assert C while satisfiable Peek xi such that M[xi] is big Assert xi < n, where n is a small constant Return last found model Satisfiability Modulo Theories: A Calculus of Computation

    91. PEX ? Z3: Small models Given a set of constraints C, find a model M that minimizes the interpretation for x0, , xn. In the ArrayList example: Why is the model where c = 2147483648 less desirable than the model with c = 1? !(c<0) && 0!=c Refinement: Eager solution stops as soon as the system becomes unsatisfiable. A bad choice (peek xi) may prevent us from finding a good solution. Use push and pop to retract bad choices. Satisfiability Modulo Theories: A Calculus of Computation

    92. Apply DART to large applications (not units). Start with well-formed input (not random). Combine with generational search (not DFS). Negate 1-by-1 each constraint in a path constraint. Generate many children for each parent run. SAGE Satisfiability Modulo Theories: A Calculus of Computation

    93. Zero to Crash in 10 Generations Starting with 100 zero bytes SAGE generates a crashing test for Media1 parser Satisfiability Modulo Theories: A Calculus of Computation

    94. Zero to Crash in 10 Generations Starting with 100 zero bytes SAGE generates a crashing test for Media1 parser Satisfiability Modulo Theories: A Calculus of Computation

    95. Zero to Crash in 10 Generations Starting with 100 zero bytes SAGE generates a crashing test for Media1 parser Satisfiability Modulo Theories: A Calculus of Computation

    96. Zero to Crash in 10 Generations Starting with 100 zero bytes SAGE generates a crashing test for Media1 parser Satisfiability Modulo Theories: A Calculus of Computation

    97. Zero to Crash in 10 Generations Starting with 100 zero bytes SAGE generates a crashing test for Media1 parser Satisfiability Modulo Theories: A Calculus of Computation

    98. Zero to Crash in 10 Generations Starting with 100 zero bytes SAGE generates a crashing test for Media1 parser Satisfiability Modulo Theories: A Calculus of Computation

    99. Zero to Crash in 10 Generations Starting with 100 zero bytes SAGE generates a crashing test for Media1 parser Satisfiability Modulo Theories: A Calculus of Computation

    100. Zero to Crash in 10 Generations Starting with 100 zero bytes SAGE generates a crashing test for Media1 parser Satisfiability Modulo Theories: A Calculus of Computation

    101. Zero to Crash in 10 Generations Starting with 100 zero bytes SAGE generates a crashing test for Media1 parser Satisfiability Modulo Theories: A Calculus of Computation

    102. Zero to Crash in 10 Generations Starting with 100 zero bytes SAGE generates a crashing test for Media1 parser Satisfiability Modulo Theories: A Calculus of Computation

    103. Zero to Crash in 10 Generations Starting with 100 zero bytes SAGE generates a crashing test for Media1 parser Satisfiability Modulo Theories: A Calculus of Computation

    104. SAGE (cont.) SAGE is very effective at finding bugs. Works on large applications. Fully automated Easy to deploy (x86 analysis any language) Used in various groups inside Microsoft Powered by Z3. Satisfiability Modulo Theories: A Calculus of Computation

    105. SAGE? Z3 Formulas are usually big conjunctions. SAGE uses only the bitvector and array theories. Pre-processing step has a huge performance impact. Eliminate variables. Simplify formulas. Early unsat detection. Satisfiability Modulo Theories: A Calculus of Computation

    106. Verifying Compilers

    107. Annotations: Example

    108. Spec# Approach for a Verifying Compiler Source Language C# + goodies = Spec# Specifications method contracts, invariants, field and type annotations. Program Logic: Dijkstras weakest preconditions. Automatic Verification type checking, verification condition generation (VCG), SMT

    109. Modeling execution traces

    110. States and execution traces State Cartesian product of variables Execution trace Nonempty finite sequence of states Infinite sequence of states Nonempty finite sequence of states followed by special error state

    111. Command language x := E x := x + 1 x := 10 havoc x S ; T assert P assume P S ? T

    112. Reasoning about execution traces Hoare triple { P } S { Q } says that every terminating execution trace of S that starts in a state satisfying P does not go wrong, and terminates in a state satisfying Q

    113. Reasoning about execution traces Hoare triple { P } S { Q } says that every terminating execution trace of S that starts in a state satisfying P does not go wrong, and terminates in a state satisfying Q Given S and Q, what is the weakest P satisfying {P} S {Q} ? P' is called the weakest precondition of S with respect to Q, written wp(S, Q) to check {P} S {Q}, check P ? P

    114. Weakest preconditions wp( x := E, Q ) = wp( havoc x, Q ) = wp( assert P, Q ) = wp( assume P, Q ) = wp( S ; T, Q ) = wp( S ? T, Q ) = Q[ E / x ] (?x ? Q ) P ? Q P ? Q wp( S, wp( T, Q )) wp( S, Q ) ? wp( T, Q )

    115. Structured if statement if E then S else T end = assume E; S ? assume E; T

    116. While loop with loop invariant while E invariant J do S end = assert J; havoc x; assume J; ( assume E; S; assert J; assume false ? assume E )

    117. Verification conditions: Structure

    118. Hypervisor: A Manhattan Project Meta OS: small layer of software between hardware and OS Mini: 60K lines of non-trivial concurrent systems C code Critical: must provide functional resource abstraction Trusted: a verification grand challenge

    119. Hypervisor: Some Statistics VCs have several Mb Thousands of non ground clauses Developers are willing to wait at most 5 min per VC Satisfiability Modulo Theories: A Calculus of Computation

    120. Challenge: annotation burden Partial solutions Automatic generation of: Loop Invariants Houdini-style automatic annotation generation Satisfiability Modulo Theories: A Calculus of Computation

    121. Challenge Quantifiers, quantifiers, quantifiers, Modeling the runtime ? h,o,f: IsHeap(h) ? o ? null ? read(h, o, alloc) = t ? read(h,o, f) = null ? read(h, read(h,o,f),alloc) = t Satisfiability Modulo Theories: A Calculus of Computation

    122. Challenge Quantifiers, quantifiers, quantifiers, Modeling the runtime Frame axioms ? o, f: o ? null ? read(h0, o, alloc) = t ? read(h1,o,f) = read(h0,o,f) ? (o,f) ? M Satisfiability Modulo Theories: A Calculus of Computation

    123. Challenge Quantifiers, quantifiers, quantifiers, Modeling the runtime Frame axioms User provided assertions ? i,j: i ? j ? read(a,i) ? read(b,j) Satisfiability Modulo Theories: A Calculus of Computation

    124. Challenge Quantifiers, quantifiers, quantifiers, Modeling the runtime Frame axioms User provided assertions Theories x: p(x,x) x,y,z: p(x,y), p(y,z) ? p(x,z) x,y: p(x,y), p(y,x) ? x = y Satisfiability Modulo Theories: A Calculus of Computation

    125. Challenge Quantifiers, quantifiers, quantifiers, Modeling the runtime Frame axioms User provided assertions Theories Solver must be fast in satisfiable instances. Satisfiability Modulo Theories: A Calculus of Computation

    126. Bad news Satisfiability Modulo Theories: A Calculus of Computation

    127. Many Approaches Satisfiability Modulo Theories: A Calculus of Computation

    128. Challenge: modeling runtime Satisfiability Modulo Theories: A Calculus of Computation

    129. Challenge: Robustness Satisfiability Modulo Theories: A Calculus of Computation

    130. Parallel Z3 Joint work with Y. Hamadi (MSRC) and C. Wintersteiger Multi-core & Multi-node (HPC) Different strategies in parallel Collaborate exchanging lemmas Satisfiability Modulo Theories: A Calculus of Computation

    131. Conclusion Satisfiability Modulo Theories: A Calculus of Computation

    132. E-matching & Quantifier instantiation Satisfiability Modulo Theories: A Calculus of Computation

    133. E-matching & Quantifier instantiation Satisfiability Modulo Theories: A Calculus of Computation

    134. E-matching: why do we use it? Satisfiability Modulo Theories: A Calculus of Computation

    135. Efficient E-matching Satisfiability Modulo Theories: A Calculus of Computation

    136. E-matching code trees Satisfiability Modulo Theories: A Calculus of Computation

    137. DPLL(?) Satisfiability Modulo Theories: A Calculus of Computation

    138. DPLL(?) Satisfiability Modulo Theories: A Calculus of Computation

    139. DPLL(?) Satisfiability Modulo Theories: A Calculus of Computation

More Related