Nikolaj Bjørner, "program analysis and testing using efficient satisfiability modulo...
DESCRIPTION
Scientific and technical seminar "Microsoft Z3: How to teach a computer to prove theorems and test programs", 2 October 2012. Nikolaj Bjørner, Senior Researcher, Microsoft Research.
TRANSCRIPT
Program Analysis and Testing using Satisfiability Modulo Theories
Yandex, 2 October 2012, Moscow
Nikolaj Bjørner
Senior Researcher
Microsoft Research
Agenda
Context: Software Engineering Research @ Microsoft
Propaganda: Software Engineering Research Tools
Application: Fuzzing and Test Case Generation
Application: Program Verification & Bit-precise Analysis
Application: String Analysis - Formal Language Theory for Security
Technology: Z3 – An Efficient SMT Solver - Basics and Research
Takeaways
Context: Awareness about Microsoft Research
Propaganda: Cool software engineering research projects
Applications: Logic is the Calculus of Computation. Program analysis tools use logic at their core.
Technology: Z3 – An Efficient SMT Solver. Modern SAT/SMT solver search in one slide, and the dichotomies of modern constraint search engines.
I would rather address questions during the talk and tune the highlighted material according to interest (there are 3x too many slides).
Z3 – An Efficient SMT Solver
Team: Leonardo de Moura, Nikolaj Bjørner, Christoph Wintersteiger
Context
Research in Software Engineering group: Improve Software Development Productivity
Context
Context
Organization: Microsoft Research
Microsoft Research Labs
Company: Sales, Support, Marketing ~50000; R & D ~40000; Research: 1%
Core Expertise
Empirical Software Engineering
Foundations: Logic
Program Analysis: Performance, Reliability, Security
Programming Languages: Design & Implementation
Propaganda
Core Expertise
Empirical Software Engineering:
Analytics: what code is prone to bugs (what code should I be testing?)
for VS 2012 Team Foundation Server
Propaganda
.com
Propaganda
Academic Interns
Propaganda
Fuzzing and Test Case Generation
SAGE: internal, for security fuzzing; runs on x86 instructions
Pex: external, for developers; runs on .NET code. Try it on: http://pex4fun.com
Finding security bugs before the hackers (black hat)
Application
Dr. Strangelove?
Bug: ***433
"2/29/2012 3:41 PM Edited by *****
SubStatus -> Local Fix
I think the fuzzers are starting to become sentient.
We must crush them before it is too late.
In this case, the fuzzer figured out that if
[X was between A and B then Y would get
set to Z triggering U and V to happen……]
…..
And if this fuzzer asks for the nuclear launch
codes, don't tell it what they are …"
Application: Fuzzing and Testing
SAGE by numbers
100s CPU-years - largest dedicated fuzz lab in the world
100s apps - fuzzed using SAGE
100s previously unknown bugs found
Billion+ computers updated with bug fixes
Millions of $ saved for Users and Microsoft
10s of related tools (incl. Pex), 100s DART citations
3+ Billion constraints - largest usage for any SMT solver
Adapted from [Patrice Godefroid, ISSTA 2010]
Application: Fuzzing and Testing
Test case generation
unsigned GCD(unsigned x, unsigned y) {
  requires(y > 0);          // precondition
  while (true) {
    unsigned m = x % y;
    if (m == 0) return y;
    x = y;
    y = m;
  }
}
We want a trace where the loop is executed twice.
SSA path condition:
(y0 > 0) and
(m0 = x0 % y0) and
not (m0 = 0) and
(x1 = y0) and
(y1 = m0) and
(m1 = x1 % y1) and
(m1 = 0)
Solver model:
x0 = 2
y0 = 4
m0 = 2
x1 = 4
y1 = 2
m1 = 0
Application
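The SSA unrolling on this slide, written out as an added example (not code from the talk or from SAGE): the GCD loop body is unrolled for exactly k iterations with fresh variables x_i, y_i, m_i, the resulting path condition is emitted as text, and a model is found by bounded enumeration over small inputs, which plays the role of the SMT solver on this toy domain. The function names and the bound of 8 are my own choices.

```python
# Added example (not from the slides): unroll the slide's GCD loop in SSA form for
# exactly k iterations, produce the path condition, and find a model for it by
# bounded enumeration, which stands in for the SMT solver on this small domain.

def gcd_trace(x, y):
    """The slide's GCD, instrumented to count loop iterations. requires(y > 0)."""
    assert y > 0
    iterations = 0
    while True:
        iterations += 1
        m = x % y
        if m == 0:
            return y, iterations
        x, y = y, m

def ssa_constraints(k):
    """Path condition (as text) for a trace that executes the loop body exactly
    k times. Each iteration i gets fresh SSA variables x_i, y_i, m_i."""
    cs = ["y0 > 0"]
    for i in range(k):
        cs.append(f"m{i} = x{i} % y{i}")
        if i == k - 1:
            cs.append(f"m{i} = 0")            # last iteration: the loop exits
        else:
            cs.append(f"not (m{i} = 0)")      # the loop continues
            cs.append(f"x{i + 1} = y{i}")
            cs.append(f"y{i + 1} = m{i}")
    return cs

def model_for(k, bound=8):
    """Bounded search for inputs x0 in [0, bound), y0 in [1, bound) that satisfy
    the k-iteration path condition. Returns the full SSA assignment or None."""
    for x0 in range(bound):
        for y0 in range(1, bound):            # y0 > 0
            env = {"x0": x0, "y0": y0}
            x, y, ok = x0, y0, False
            for i in range(k):
                m = env[f"m{i}"] = x % y
                if i == k - 1:
                    ok = (m == 0)             # m_k-1 = 0 must hold on the last round
                elif m == 0:
                    break                     # exited too early: not (m_i = 0) fails
                else:
                    x, y = y, m
                    env[f"x{i + 1}"], env[f"y{i + 1}"] = x, y
            if ok:
                return env
    return None

if __name__ == "__main__":
    print("\n".join(ssa_constraints(2)))
    print(model_for(2))
```

The enumerator returns the first model it meets (x0 = 1, y0 = 2); the slide's x0 = 2, y0 = 4 is another model of the same constraints, which is why a solver's answer need not match a hand-picked one.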
Test Case Generation Procedure
seed -> Test inputs -> Run test and monitor path condition -> Execution path -> Constraint system (known paths) -> Solve an unexplored path -> New input (added to the test inputs)
Application: Fuzzing and Testing
Application: Scalable bit-precise analysis
What is wrong here?
Package: java.util.Arrays, function: binary_search
int binary_search(int[] arr, int low, int high, int key) {
  while (low <= high) {
    // Find middle value
    int mid = (low + high) / 2;
    int val = arr[mid];
    if (val == key) return mid;
    if (val < key) low = mid + 1;
    else high = mid - 1;
  }
  return -1;
}
(INT_MAX+1)/2 + (INT_MAX+1)/2 = INT_MIN
Book: Kernighan and Ritchie, function: itoa (integer to ascii)
void itoa(int n, char* s) {
  if (n < 0) {
    *s++ = '-';
    n = -n;
  }
  // Add digits to s
  ….
-INT_MIN = INT_MIN
Bit-precise analysis
Modular arithmetic
Bit-wise operations on bit-vector segments:
Concatenation: 101011 ++ 011001 = 101011011001
Extraction: 101011[4:2] = 010
Bit-wise and: 101011 & 011001 = 001001
Addition (modulo 2^6): 101011 + 011001 = 000100
Application: Scalable bit-precise analysis
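The two slides above (the binary_search/itoa quiz and the bit-vector operations) share one point: fixed-width integers wrap, so a proof about them must be done modulo 2^n. The following is an added example, not from the talk: it models 32-bit two's-complement arithmetic and the slide's extraction, concatenation, and, and addition operations in Python, then evaluates the quiz expressions under that model and shows overflow-free replacements. All function names (wrap, extract, mid_naive, mid_safe, magnitude_safe, ...) are my own.

```python
# Added example (not from the slides): bit-precise semantics for the quiz.
BITS = 32
MASK = (1 << BITS) - 1
INT_MAX = (1 << (BITS - 1)) - 1
INT_MIN = -(1 << (BITS - 1))

def wrap(v, bits=BITS):
    """Two's-complement wrap of an unbounded integer to a signed bits-wide value."""
    v &= (1 << bits) - 1
    return v - (1 << bits) if v >> (bits - 1) else v

def extract(v, hi, lo):
    """Bit-vector extraction v[hi:lo] (inclusive), e.g. 101011[4:2] = 010."""
    return (v >> lo) & ((1 << (hi - lo + 1)) - 1)

def concat(a, b, b_bits):
    """Concatenation a ++ b, where b is a b_bits-wide vector."""
    return (a << b_bits) | (b & ((1 << b_bits) - 1))

def add_mod(a, b, bits):
    """Addition of two bits-wide vectors, modulo 2^bits."""
    return (a + b) & ((1 << bits) - 1)

def c_div2(v):
    """C/Java style division by 2: truncation toward zero, also for negatives."""
    return -((-v) // 2) if v < 0 else v // 2

def mid_naive(low, high):
    """The slide's (low + high) / 2 evaluated with 32-bit wraparound."""
    return c_div2(wrap(low + high))

def mid_safe(low, high):
    """Overflow-free midpoint low + (high - low) / 2, valid when low <= high."""
    return wrap(low + c_div2(wrap(high - low)))

def negate_naive(n):
    """itoa's n = -n under 32-bit wraparound."""
    return wrap(-n)

def magnitude_safe(n):
    """Magnitude of a 32-bit int as an unsigned value; 2^31 fits, so INT_MIN is fine."""
    return (-n) & MASK if n < 0 else n

if __name__ == "__main__":
    print(format(extract(0b101011, 4, 2), "03b"))          # 010
    print(mid_naive(INT_MAX - 1, INT_MAX), mid_safe(INT_MAX - 1, INT_MAX))
    print(negate_naive(INT_MIN) == INT_MIN, magnitude_safe(INT_MIN))
```

For a sorted array of length close to INT_MAX, the naive midpoint becomes negative, which is the array-index failure the slide alludes to; -INT_MIN staying negative is why the sign branch of itoa does not help for that one input. A bit-vector solver finds both inputs because it reasons about exactly this wrapped arithmetic rather than the mathematical integers.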
Hypervisor Verification (2007 – 2010) with Verisoft XT (http://www.verisoftxt.de)
Partners:
• European Microsoft Innovation Center
• Microsoft Research
• Microsoft's Windows Division
• Universität des Saarlandes
co-funded by the German Ministry of Education and Research
Hardware / Hypervisor
Application: Verification
Microsoft Verifying C Compiler (VCC)
Application: Verification
SAT/SMT progress driven by applications: VCC Performance Trends Nov 08 – Mar 09
[Chart: verification attempt time, log scale from 0.1 to 1000, over Nov 08 – Mar 09, with annotated events:]
- Attempt to improve Boogie/Z3 interaction
- Modification in invariant checking
- Switch to Boogie2
- Switch to Z3 v2
- Z3 v2 update
Application: Verification
Verification Attempt Time vs. Satisfaction and Productivity
By Michal Moskal (VCC Designer and Software Verification Expert)
Language quiz: "loose" or "lose"?
The Importance of Speed
Application: Verification
Building Verve
Verified
Source files: Kernel.cs, Nucleus.bpl (x86)
Compilation tools: C# compiler, Translator/Assembler, Linker/ISO generator
Verification tools: Boogie/Z3, TAL checker
Intermediate: Kernel.obj (x86); output: Verve.iso
9 person-months
Application: Verification
Safe to the Last Instruction / Jean Yang & Chris Hawblitzel, PLDI 2010
Why string analysis? (motivating scenario)
Tomcat v. < 6.0.18
req = http://www.x.com/%c0%ae%c0%ae/%c0%ae%c0%ae/private/
Windows 2000 vulnerability: http://www.sans.org/security-resources/malwarefaq/wnt-unicode.php
Apache Tomcat vulnerability: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2938
1) security check: req must not contain "../"
2) dir = utf8decode("%c0%ae%c0%ae/%c0%ae%c0%ae/private/") = "../../private/"
access granted to "../../private/"
Analysis question: Does utf8decode reject overlong UTF-8 encodings such as "%C0%AE" for '.'?
Application: String Analysis
Relativized Formal Language Theory
Classical Word Acceptors (NFA, DFA) -> Symbolic Word Acceptors: Classical Word Acceptors modulo Th() (regex matching)
Classical I/O Automata (e.g. Mealy machine)
Classical Word Transducers (e.g. decoding automata, rational transductions) -> Symbolic Word Transducers: Classical Word Transducers modulo Th() (string transformation)
Rex & Bek – Symbolic RegEx & Transducers, Margus Veanes
Application: String Analysis
Symbolic Finite Transducer (SFT)
• Classical transducer modulo a rich label theory
• Core idea: represent labels with guarded transformation functions – separation of concerns: finite graph / theory of labels
Concrete transitions p -> q: '\x80'/"\xC2\x80" … '\x7FF'/"\xDF\xBF" (1920 transitions)
Symbolic transition p -> q: $\lambda x.\; 80_{16} \le x \le 7FF_{16} \;/\; [C0_{16} \mid x[10{:}6],\; 80_{16} \mid x[5{:}0]]$ (guard / bit-vector operations)
Application: String Analysis
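To connect the two string-analysis slides (the Tomcat overlong-encoding scenario and the symbolic UTF-8 transition), here is an added example of my own, not code from Bek, Rex or Tomcat: the UTF-8 encoder is written as guarded transitions in the SFT style, with the slide's 2-byte branch [C0|x[10:6], 80|x[5:0]] as one of them, and the decoder is written twice, once strictly (rejecting overlong and out-of-range sequences) and once leniently. Two checkers then show why the order "check the raw request, then decode" on the slide fails and why "decode strictly, then check" does not. Function names, the strict flag and the sample paths are my own constructions.

```python
# Added example (not from the slides): UTF-8 as guarded transitions, a strict vs.
# lenient decoder, and the check-before/after-decode comparison from the scenario.
from urllib.parse import unquote_to_bytes

def utf8_encode(cp):
    """Encoder as symbolic transitions: each branch is guard / bit-vector output."""
    if 0x00 <= cp <= 0x7F:
        return bytes([cp])
    if 0x80 <= cp <= 0x7FF:                      # the slide's transition
        return bytes([0xC0 | (cp >> 6), 0x80 | (cp & 0x3F)])
    if 0x800 <= cp <= 0xFFFF and not 0xD800 <= cp <= 0xDFFF:
        return bytes([0xE0 | (cp >> 12), 0x80 | ((cp >> 6) & 0x3F), 0x80 | (cp & 0x3F)])
    if 0x10000 <= cp <= 0x10FFFF:
        return bytes([0xF0 | (cp >> 18), 0x80 | ((cp >> 12) & 0x3F),
                      0x80 | ((cp >> 6) & 0x3F), 0x80 | (cp & 0x3F)])
    raise ValueError(f"not a Unicode scalar value: {cp:#x}")

def utf8_decode(data, strict=True):
    """Decode bytes into a list of code points. With strict=True an overlong sequence
    (decoded value below the minimum for its length), a surrogate, or a value above
    0x10FFFF is rejected; strict=False is the lenient decoder the scenario relies on."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            n, cp, lo = 1, b, 0
        elif 0xC0 <= b <= 0xDF:
            n, cp, lo = 2, b & 0x1F, 0x80
        elif 0xE0 <= b <= 0xEF:
            n, cp, lo = 3, b & 0x0F, 0x800
        elif 0xF0 <= b <= 0xF7:
            n, cp, lo = 4, b & 0x07, 0x10000
        else:
            raise ValueError(f"invalid lead byte {b:#x} at {i}")
        if i + n > len(data):
            raise ValueError("truncated sequence")
        for j in range(1, n):
            c = data[i + j]
            if c & 0xC0 != 0x80:
                raise ValueError(f"invalid continuation byte {c:#x} at {i + j}")
            cp = (cp << 6) | (c & 0x3F)
        if strict and (cp < lo or 0xD800 <= cp <= 0xDFFF or cp > 0x10FFFF):
            raise ValueError(f"overlong or out-of-range sequence at {i}")
        out.append(cp)
        i += n
    return out

def check_then_decode(percent_encoded_path):
    """The order on the slide: test the raw request for '../', then decode leniently.
    Returns the directory that would be accessed, or None if the check rejects it."""
    if "../" in percent_encoded_path:
        return None
    raw = unquote_to_bytes(percent_encoded_path)
    return "".join(map(chr, utf8_decode(raw, strict=False)))

def path_is_safe(percent_encoded_path):
    """Decode strictly first, then check; malformed input is rejected, not normalized."""
    try:
        text = "".join(map(chr, utf8_decode(unquote_to_bytes(percent_encoded_path))))
    except ValueError:
        return False
    return "../" not in text

if __name__ == "__main__":
    req = "%c0%ae%c0%ae/%c0%ae%c0%ae/private/"     # the request from the slide
    print(check_then_decode(req))                  # ../../private/  (check bypassed)
    print(path_is_safe(req))                       # False           (overlong rejected)
```

CPython's own bytes.decode("utf-8") is strict in the same sense and raises on C0 AE, so the hand-written decoder is only here to make the overlong check visible as a guard on the decoded value; in an SFT analysis, that guard is exactly the condition the solver is asked whether the decoder enforces.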
SMT: Satisfiability Modulo Theories
Is Formula F Satisfiable (over Theory of Reals)?
$x^2 + y^2 < 1 \;\text{and}\; xy > 0.1$: sat, $x = \tfrac{1}{8},\; y = \tfrac{7}{8}$ (Solution/Model)
$x^2 + y^2 < 1 \;\text{and}\; xy > 1$: unsat, Proof
SAGE: Is execution path P feasible? Is assertion X violated?
WITNESS
Technology
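The two answers on this slide, carried through as an added illustration that is not on the original slide: the model of the first formula is checked by substitution, and the second formula is refuted by a single nonnegativity fact.

$$
x = \tfrac{1}{8},\; y = \tfrac{7}{8}:\qquad x^2 + y^2 = \tfrac{1}{64} + \tfrac{49}{64} = \tfrac{50}{64} < 1, \qquad xy = \tfrac{7}{64} > \tfrac{6.4}{64} = 0.1 .
$$

For $x^2 + y^2 < 1 \;\text{and}\; xy > 1$: since $(x - y)^2 \ge 0$ for all reals, $2xy \le x^2 + y^2 < 1$, hence $xy < \tfrac{1}{2} < 1$, which contradicts $xy > 1$. The model is the witness for "sat"; a certificate of this shape is what "Proof" on the slide stands for.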
SMT: Satisfiability Modulo Theories
$x + 2 = y \Rightarrow f(\mathit{select}(\mathit{store}(a, x, 3), y - 2)) = f(y - x + 1)$
Arithmetic: $x + 2 = y$, $y - 2$, $y - x + 1$
Array Theory: $\mathit{select}(\mathit{store}(a, i, v), i) = v$; $i \ne j \Rightarrow \mathit{select}(\mathit{store}(a, i, v), j) = \mathit{select}(a, j)$
Uninterpreted Functions: $f$
Technology
Job Shop Scheduling
Machines, Jobs, Tasks
P = NP? Laundry. $\zeta(s) = 0 \Rightarrow s = \tfrac{1}{2} + ir$
Constraints:
Precedence: between two tasks of the same job
Resource: Machines execute at most one job at a time
Encoding:
$t_{2,3}$ - start time of job 2 on machine 3
$d_{2,3}$ - duration of job 2 on machine 3
Precedence: $t_{2,3} + d_{2,3} \le t_{2,4}$
Resource: $[\mathit{start}_{2,2} .. \mathit{end}_{2,2}] \cap [\mathit{start}_{4,2} .. \mathit{end}_{4,2}] = \emptyset$, i.e. $t_{2,2} + d_{2,2} \le t_{4,2} \;\vee\; t_{4,2} + d_{4,2} \le t_{2,2}$
Not convex: case split
Efficient solvers:
- Floyd-Warshall algorithm
- Ford-Fulkerson algorithm
Negative cycle: $z - z = 5 - 2 - 3 - 2 = -2 < 0$
Technology
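The encoding on these slides, implemented as an added example (my own code, not Z3's scheduler): every constraint is a difference constraint t_i - t_j <= c, the resource disjunctions are handled by case split, and each case is decided by negative-cycle detection (Bellman-Ford here; the slide names Floyd-Warshall, which uses the same criterion). A time-origin variable t_0 is added so that release times and a deadline can be expressed as differences. The instance with two jobs and two machines, the deadline values, and all function names are constructions of mine.

```python
# Added example (not from the slides): job shop as difference logic + case split.
from itertools import product

def difference_feasible(n, cons):
    """cons: list of (i, j, c) meaning t_i - t_j <= c over variables 0..n-1.
    Returns a satisfying assignment, or None if the constraint graph has a negative
    cycle (the slide's z - z = 5 - 2 - 3 - 2 = -2 < 0)."""
    dist = [0] * n                    # virtual source with 0-weight edges to all nodes
    for _ in range(n):                # Bellman-Ford: n relaxation passes suffice for n+1 nodes
        changed = False
        for i, j, c in cons:          # edge j -> i with weight c
            if dist[j] + c < dist[i]:
                dist[i] = dist[j] + c
                changed = True
        if not changed:
            break
    for i, j, c in cons:
        if dist[j] + c < dist[i]:
            return None               # still relaxable: negative cycle, case infeasible
    return dist                       # dist[i] - dist[j] <= c holds for every constraint

def job_shop(jobs, deadline):
    """jobs: {job: [(machine, duration), ...]} in processing order; each job visits a
    machine at most once. Returns {(job, machine): start} or None."""
    tasks = [(j, m, d) for j, seq in jobs.items() for m, d in seq]
    idx = {(j, m): k + 1 for k, (j, m, _) in enumerate(tasks)}   # variable 0 = time origin
    cons = []
    for j, m, d in tasks:
        k = idx[(j, m)]
        cons.append((0, k, 0))                       # t_0 - t_k <= 0: start at or after origin
        cons.append((k, 0, deadline - d))            # t_k + d <= deadline
    for j, seq in jobs.items():                      # precedence within a job
        for (m1, d1), (m2, _) in zip(seq, seq[1:]):
            cons.append((idx[(j, m1)], idx[(j, m2)], -d1))   # t_{j,m1} + d1 <= t_{j,m2}
    disj = []                                        # resource: one of two orders per pair
    for a in range(len(tasks)):
        for b in range(a + 1, len(tasks)):
            (ja, ma, da), (jb, mb, db) = tasks[a], tasks[b]
            if ma == mb:
                ka, kb = idx[(ja, ma)], idx[(jb, mb)]
                disj.append(((ka, kb, -da), (kb, ka, -db)))  # t_a+d_a<=t_b  or  t_b+d_b<=t_a
    for choice in product((0, 1), repeat=len(disj)):         # case split: 2^k cases
        case = cons + [alts[c] for alts, c in zip(disj, choice)]
        sol = difference_feasible(len(tasks) + 1, case)
        if sol is not None:
            return {(j, m): sol[idx[(j, m)]] - sol[0] for (j, m, _) in tasks}
    return None

def valid_schedule(jobs, sched, deadline):
    """Independent check of precedence, resource exclusivity and the deadline."""
    tasks = [(j, m, d) for j, seq in jobs.items() for m, d in seq]
    for j, seq in jobs.items():
        for (m1, d1), (m2, _) in zip(seq, seq[1:]):
            if sched[(j, m1)] + d1 > sched[(j, m2)]:
                return False
    for a in range(len(tasks)):
        for b in range(a + 1, len(tasks)):
            (ja, ma, da), (jb, mb, db) = tasks[a], tasks[b]
            if ma == mb:
                sa, sb = sched[(ja, ma)], sched[(jb, mb)]
                if not (sa + da <= sb or sb + db <= sa):
                    return False
    return all(0 <= sched[(j, m)] and sched[(j, m)] + d <= deadline for j, m, d in tasks)

# Constructed instance: job 1 runs 2 units on machine 1 then 3 on machine 2;
# job 2 runs 2 units on machine 2 then 4 on machine 1. Machine 1 is busy for 6 units total.
JOBS = {1: [(1, 2), (2, 3)], 2: [(2, 2), (1, 4)]}

if __name__ == "__main__":
    print(job_shop(JOBS, deadline=6))   # a schedule
    print(job_shop(JOBS, deadline=5))   # None: every case split has a negative cycle
```

Enumerating all 2^k disjunct choices is what the slide calls the non-convex part; a real SMT solver does the same case split inside its DPLL search, so that a conflict in one case prunes the others rather than being rediscovered.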
Microsoft Tools using Z3
HAVOC, SAGE, Vigilante, ...
Z3 is used by many research groups. More than 19k downloads. Z3 places 1st in most categories in SMT competitions.
Z3 solved more than 3 billion constraints created by SAGE checking Win8 and Office.
Z3 ships in Windows Server with the Static Driver Verifier.
Z3 used to check Azure Firewall Policies.
Technology
Research Areas
Logic is "The Calculus of Computer Science" Zohar Manna
Algorithms
Heuristics
Decidable Fragments:
Undecidable (FOL + LIA)
Semi Decidable (FOL)
NEXPTIME (EPR)
PSPACE (QBF)
NP (SAT)
Generalized array theory
Essentially Uninterpreted Formulas
Quantified Bit-Vector Logic
Practical problems often have structure that can be exploited.
Technology
Little Engines of Proof
Freely available from http://research.microsoft.com/projects/z3
Technology
Research around Z3
Decision Procedures:
- Modular Difference Logic is Hard. TR 08, B., Blass, Gurevich, Musuvathi
- Linear Functional Fixed-points. CAV 09, B. & Hendrix
- A Priori Reductions to Zero for Strategy-Independent Gröbner Bases. SYNASC 09, M. & Passmore
- Efficient, Generalized Array Decision Procedures. FMCAD 09, M. & B.
- Quantifier Elimination as an Abstract Decision Procedure. IJCAR 10, B.
- Cutting to the Chase. CADE 11, Jovanović, M.
- Polynomials. IJCAR 12, Jovanović, M.
Combining Decision Procedures:
- Model-based Theory Combination. SMT 07, M. & B.
- Proofs, Refutations and Z3. IWIL 08, M. & B.
- On Locally Minimal Nullstellensatz Proofs. SMT 09, M. & Passmore
- A Concurrent Portfolio Approach to SMT Solving. CAV 09, Wintersteiger, Hamadi & M.
- Conflict Directed Theory Resolution. Cambridge Univ. Press 12, M. & B.
Quantifiers, quantifiers, quantifiers:
- Efficient E-matching for SMT Solvers. CADE 07, M. & B.
- Relevancy Propagation. TR 07, M. & B.
- Deciding Effectively Propositional Logic using DPLL and substitution sets. IJCAR 08, M. & B.
- Engineering DPLL(T) + saturation. IJCAR 08, M. & B.
- Complete instantiation for quantified SMT formulas. CAV 09, Ge & M.
- On deciding satisfiability by DPLL(Γ + T) and unsound theorem proving. CADE 09, Bonacina, M. & Lynch
- Generalized PDR. SAT 12, Hoder & B.
(B. = Bjørner, M. = de Moura)
Technology
Introductory Background Reading
September 2011
Mile High: Modern SAT/SMT search
Proofs / Conflict Clauses / Models / literal assignments / Backjump / Propagate
Technology
Core Engine in Z3: Modern DPLL/CDCL
Initialize: $\epsilon \parallel F$, where $F$ is a set of clauses
Decide: $M \parallel F \Longrightarrow M, \ell \parallel F$, if $\ell$ is unassigned
Propagate: $M \parallel F, C \vee \ell \Longrightarrow M, \ell^{C \vee \ell} \parallel F, C \vee \ell$, if $C$ is false under $M$
Sat: $M \parallel F \Longrightarrow M$, if $F$ is true under $M$
Conflict: $M \parallel F, C \Longrightarrow M \parallel F, C \mid C$, if $C$ is false under $M$
Learn: $M \parallel F \mid C \Longrightarrow M \parallel F, C \mid C$
Unsat: $M \parallel F \mid \emptyset \Longrightarrow \mathit{Unsat}$
Backjump: $M M' \parallel F \mid C \vee \ell \Longrightarrow M \ell^{C \vee \ell} \parallel F$, if $\neg C \subseteq M$ and $\neg\ell \in M'$
Resolve: $M \parallel F \mid C' \vee \neg\ell \Longrightarrow M \parallel F \mid C' \vee C$, if $\ell^{C \vee \ell} \in M$
Forget: $M \parallel F, C \Longrightarrow M \parallel F$, if $C$ is a learned clause
Restart: $M \parallel F \Longrightarrow \epsilon \parallel F$
[Nieuwenhuis, Oliveras, Tinelli, J.ACM 06] customized
One SAT expert to another:
"It took me a year to understand the Mini-SAT FUIP code"
Mate Soos to Niklas Sörensson, over ice-cream at SAT 2012 in Trento
Technology
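The transition rules above, run as a program: an added example of mine, not Z3's engine. It implements Decide, Propagate, Conflict, Sat and Unsat over clauses given as lists of non-zero integer literals (-3 means "not x3"), with chronological backtracking in place of Backjump and no Learn/Resolve/Forget/Restart, so it is plain DPLL rather than CDCL; the trail M records which literals were decisions and which were implied, which is the information the omitted rules would need. The data representation and the first-unassigned-variable decision heuristic are my choices.

```python
# Added example (not from the slides): DPLL following the abstract rules.
def value(lit, assigned):
    """True/False if lit is assigned in the trail, else None."""
    if lit in assigned:
        return True
    if -lit in assigned:
        return False
    return None

def clause_status(clause, assigned):
    """('true', None), ('false', None), ('unit', lit) or ('undef', None) under the trail."""
    unassigned = []
    for lit in clause:
        v = value(lit, assigned)
        if v is True:
            return ("true", None)
        if v is None:
            unassigned.append(lit)
    if not unassigned:
        return ("false", None)
    if len(unassigned) == 1:
        return ("unit", unassigned[0])
    return ("undef", None)

def dpll(clauses):
    """Returns a satisfying set of literals, or None if the clause set is unsat."""
    if any(len(c) == 0 for c in clauses):
        return None                                   # Unsat: the empty clause
    variables = sorted({abs(l) for c in clauses for l in c})
    trail = []                                        # M as a list of (literal, is_decision)
    assigned = set()

    def assign(lit, decision):
        trail.append((lit, decision))
        assigned.add(lit)

    while True:
        conflict, progress = False, True
        while progress and not conflict:              # Propagate to a fixpoint
            progress = False
            for c in clauses:
                st, lit = clause_status(c, assigned)
                if st == "false":
                    conflict = True                   # Conflict: C is false under M
                    break
                if st == "unit":
                    assign(lit, False)                # Propagate: implied literal
                    progress = True
        if conflict:
            while trail and not trail[-1][1]:         # undo implied literals
                assigned.discard(trail.pop()[0])
            if not trail:
                return None                           # Unsat: conflict below every decision
            lit, _ = trail.pop()                      # chronological backtrack over the decision
            assigned.discard(lit)
            assign(-lit, False)                       # the flipped literal is now implied
            continue
        free = [v for v in variables if v not in assigned and -v not in assigned]
        if not free:
            return set(assigned)                      # Sat: every clause is true under M
        assign(free[0], True)                         # Decide

def satisfies(clauses, model):
    """Independent check that every clause has a literal in the model."""
    return all(any(l in model for l in c) for c in clauses)

if __name__ == "__main__":
    print(dpll([[1, 2], [-1, 2], [-2, 3]]))             # a model containing 2 and 3
    print(dpll([[1, 2], [1, -2], [-1, 2], [-1, -2]]))   # None
```

Because the flipped decision is recorded as implied rather than as a new decision, the search never revisits a refuted branch, which is the invariant that Backjump generalizes when a learned clause lets the solver undo several decisions at once.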
Mile High: Modern SMT procedures
Backjump: efficiently backtrack to an equi-satisfiable state
Conflict lemmas: learn a new fact that prunes as many dead branches as possible
Propagate: efficient indexing for propagating consequences
Models: values to satisfy the formula; a way to certify satisfiability
Proofs: a way to certify unsatisfiability
Technology
Research: Solving Horn Clauses
mc(x) = x - 10 if x > 100
mc(x) = mc(mc(x + 11)) if x ≤ 100
assert (x ≤ 101 ⇒ mc(x) = 91)
$\forall X.\; X > 100 \rightarrow \mathit{mc}(X, X - 10)$
$\forall X, Y, R.\; X \le 100 \wedge \mathit{mc}(X + 11, Y) \wedge \mathit{mc}(Y, R) \rightarrow \mathit{mc}(X, R)$
$\forall X, R.\; \mathit{mc}(X, R) \wedge X \le 101 \rightarrow R = 91$
Solver finds solution for mc. Krystof Hoder & Nikolaj Bjørner, SAT 2012; Bjørner, McMillan, Rybalchenko, SMT 2012
Technology
Research: Solving ℝ Efficiently
A key idea: Use partial solution to guide the search
$x^3 + 2x^2 + 3y^2 - 5 < 0$
$x^2 + y^2 < 1$
$-4xy - 4x + y > 1$
Feasible Region
Starting search. Partial solution: $x = 0.5$. Can we extend it to $y$? What is the core?
Dejan Jovanović & Leonardo de Moura, IJCAR 2012
Technology
Takeaways
Context: Awareness about Microsoft Research
Propaganda: Cool software engineering research projects.
Applications: Logic is the Calculus of Computation. Program analysis tools use logic at their core.
Technology: Z3 – An Efficient SMT Solver. Modern SAT/SMT solver search in one slide and the dichotomies of modern constraint search engines.
Summary
An outline of Z3 – an efficient SMT solver: an efficient logic solver for SE tools tackling intractable problems. http://research.microsoft.com/projects/z3
Software Engineering Research @ Microsoft: http://rise4fun.com
Academic internships: http://research.microsoft.com/en-us/jobs/intern
Contact: http://research.microsoft.com/ [email protected]