Beyond First-Order Satisfaction: Fixed Points, Interpolants, Automata and Polynomials

In the last decade, advances in satisfiability-modulo-theories (SMT) solvers have powered a new generation of software tools for verification and testing. These tools transform various program analysis problems into the problem of satisfiability of formulas in propositional or first-order logic, where they are discharged by SMT solvers, such as Z3 from Microsoft Research. This paper briefly summarizes four initiatives from Microsoft Research that build upon Z3 and move beyond first-order satisfaction: Fixed points--μZ is a scalable, efficient engine for discharging fixed point queries over recursive predicates with logical constraints, integrated in Z3; Interpolants--Interpolating Z3 uses Z3's proof generation capability to generate Craig interpolants in the first-order theory of uninterpreted functions, arrays and linear arithmetic; Automata--The symbolic automata toolkit lifts classical automata analyses to work modulo symbolic constraints on alphabets; Polynomials--a new decision procedure for the existential theory of the reals allows efficient solving of systems of non-linear arithmetic constraints.
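The "automata modulo symbolic constraints on alphabets" idea above can be seen in a few dozen lines. What follows is an added example written for this page, not code from the paper or from the Microsoft Research symbolic automata toolkit it describes: a tiny symbolic finite automaton (SFA) whose transitions are labelled with character-class predicates (finite unions of code-point intervals) rather than single characters. Because conjunction and satisfiability of such predicates are decidable by interval arithmetic, the classical product construction and emptiness check go through without enumerating the concrete Unicode alphabet. The automata `SAFE`, `LEAKY` and `DANGER` and the helper `can_reach_danger` are constructed for this example; they model a typical use of the technique, checking whether a sanitizer's output language can intersect a language of unwanted strings.

```python
"""Symbolic finite automata (SFA) over character-class predicates.

Added example, not code from the paper or from the symbolic automata
toolkit it describes. A predicate is a frozenset of inclusive
(lo, hi) code-point intervals, so conjunction and satisfiability are
decided by interval intersection. That is what lets the product
construction work over the full Unicode alphabet symbolically.
"""
from collections import deque

MAX_CP = 0x10FFFF  # the concrete alphabet is every Unicode code point


def pred(*ranges):
    """Build a predicate from (lo, hi) pairs given as chars or ints."""
    cp = lambda x: ord(x) if isinstance(x, str) else x
    return frozenset((cp(lo), cp(hi)) for lo, hi in ranges)


ANY = pred((0, MAX_CP))  # one interval stands in for 1,114,112 edges


def conj(p, q):
    """Conjunction of two predicates: pairwise interval intersection."""
    out = set()
    for lo1, hi1 in p:
        for lo2, hi2 in q:
            lo, hi = max(lo1, lo2), min(hi1, hi2)
            if lo <= hi:
                out.add((lo, hi))
    return frozenset(out)


def satisfiable(p):
    """A predicate is satisfiable iff it still has at least one interval."""
    return len(p) > 0


def witness(p):
    """Smallest code point satisfying p (p must be satisfiable)."""
    return chr(min(lo for lo, _ in p))


def holds(p, ch):
    """Concrete evaluation of p on a single character."""
    return any(lo <= ord(ch) <= hi for lo, hi in p)


class SFA:
    """States are any hashable values; moves is a list of (src, predicate, dst)."""

    def __init__(self, init, finals, moves):
        self.init, self.finals, self.moves = init, set(finals), list(moves)

    def accepts(self, s):
        """Run the (possibly nondeterministic) SFA on a concrete string."""
        cur = {self.init}
        for ch in s:
            cur = {d for (q, p, d) in self.moves if q in cur and holds(p, ch)}
            if not cur:
                return False
        return bool(cur & self.finals)

    def product(self, other):
        """Intersection: keep a pair-edge only if the conjoined predicate is satisfiable."""
        moves = []
        for q1, p1, d1 in self.moves:
            for q2, p2, d2 in other.moves:
                p = conj(p1, p2)
                if satisfiable(p):
                    moves.append(((q1, q2), p, (d1, d2)))
        finals = {(f1, f2) for f1 in self.finals for f2 in other.finals}
        return SFA((self.init, other.init), finals, moves)

    def find_accepted(self):
        """BFS for a shortest accepted string; None if the language is empty."""
        seen, queue = {self.init}, deque([(self.init, "")])
        while queue:
            q, s = queue.popleft()
            if q in self.finals:
                return s
            for (src, p, dst) in self.moves:
                if src == q and dst not in seen:
                    seen.add(dst)
                    queue.append((dst, s + witness(p)))
        return None


# Constructed sample automata (assumptions made for this example).
# SAFE: strings of ASCII letters and digits only, e.g. a sanitizer's intended output.
ALNUM = pred(("a", "z"), ("A", "Z"), ("0", "9"))
SAFE = SFA(0, {0}, [(0, ALNUM, 0)])

# DANGER: strings containing at least one '<' or '>' anywhere.
ANGLE = pred(("<", "<"), (">", ">"))
DANGER = SFA(0, {1}, [(0, ANY, 0), (0, ANGLE, 1), (1, ANY, 1)])

# LEAKY: like SAFE, but a '<' is also let through.
LEAKY = SFA(0, {0}, [(0, ALNUM | pred(("<", "<")), 0)])


def can_reach_danger(output_lang, danger=DANGER):
    """Shortest string in output_lang ∩ danger, or None when the intersection is empty."""
    return output_lang.product(danger).find_accepted()


if __name__ == "__main__":
    print(can_reach_danger(SAFE))   # None: no SAFE string contains '<' or '>'
    print(can_reach_danger(LEAKY))  # '<'
```

The point to notice is in `product`: the only alphabet-dependent step is `conj` followed by `satisfiable`, so the construction's cost depends on the number of predicates, not on the size of the alphabet. An empty product proves that no output of the first automaton lies in the unwanted language; a non-empty one yields a concrete witness string via `find_accepted`.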
