Automatically Testing String Solvers

SMT solvers underpin many applications, such as program verification, program synthesis, and test-case generation. For these applications to provide reliable results, the solvers must answer queries correctly. However, since they are complex, highly optimized software systems, ensuring their correctness is challenging; in particular, state-of-the-art testing techniques do not reliably detect when an SMT solver is unsound. In this paper, we present an automatic approach for generating test cases that reveal soundness errors in implementations of string solvers, as well as potential completeness and performance issues. We synthesize input formulas that are satisfiable or unsatisfiable by construction and use this ground truth as the test oracle. We then automatically apply satisfiability-preserving transformations to generate increasingly complex formulas, which lets us detect many errors with simple inputs and thus facilitates debugging. The experimental evaluation shows that our technique effectively reveals bugs in widely used SMT solvers and also applies to other types of solvers, such as automata-based solvers. We focus on strings here, but our approach carries over to other theories and their combinations.
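The following Python example, written for this page and not taken from the paper or its tool, illustrates the oracle idea in the abstract: formulas over string variables are built from a concrete model (so they are satisfiable by construction), satisfiability is preserved by conjoining further atoms that the same model satisfies, and an unsatisfiable formula is obtained as phi and not(phi') where phi' is an equivalence-preserving rewriting of phi. The generated SMT-LIB 2 scripts use the standard QF_SLIA logic and the str.++, str.len and str.prefixof functions; the function and variable names, the atom kinds, the rewriting rules and the constructed model are this example's own choices and do not reproduce the paper's transformation set.

```python
"""Added example (not the paper's tool): string formulas sat/unsat by construction, emitted as SMT-LIB 2."""
import random
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

@dataclass(frozen=True)
class Var: name: str
@dataclass(frozen=True)
class Lit: value: str  # constructed values use only [ab], so no SMT-LIB quoting issues arise
@dataclass(frozen=True)
class Concat: parts: Tuple["Term", ...]
Term = Union[Var, Lit, Concat]
Atom = Tuple[str, object, object]  # ("eq"|"prefix", Term, Term) or ("len", Term, int)

def eval_term(t: Term, model: Dict[str, str]) -> str:
    if isinstance(t, Var):
        return model[t.name]
    if isinstance(t, Lit):
        return t.value
    return "".join(eval_term(p, model) for p in t.parts)

def eval_atom(a: Atom, model: Dict[str, str]) -> bool:
    op, l, r = a
    if op == "len":
        return len(eval_term(l, model)) == r
    lv, rv = eval_term(l, model), eval_term(r, model)
    return lv == rv if op == "eq" else rv.startswith(lv)  # (str.prefixof l r): l is a prefix of r

def term_smt(t: Term) -> str:
    if isinstance(t, Var):
        return t.name
    if isinstance(t, Lit):
        return f'"{t.value}"'
    return "(str.++ " + " ".join(term_smt(p) for p in t.parts) + ")"

def atom_smt(a: Atom) -> str:
    op, l, r = a
    if op == "len":
        return f"(= (str.len {term_smt(l)}) {r})"
    return f"({'=' if op == 'eq' else 'str.prefixof'} {term_smt(l)} {term_smt(r)})"

def random_term(rng: random.Random, model: Dict[str, str], depth: int = 2) -> Term:
    k = rng.randrange(3 if depth > 0 else 2)
    if k == 0:
        return Var(rng.choice(sorted(model)))
    if k == 1:
        return Lit("".join(rng.choice("ab") for _ in range(rng.randrange(3))))
    return Concat(tuple(random_term(rng, model, depth - 1) for _ in range(2)))

def true_atom(rng: random.Random, model: Dict[str, str]) -> Atom:
    """Evaluate a random term in the model and constrain it by its own value: true by construction."""
    t = random_term(rng, model)
    v = eval_term(t, model)
    k = rng.randrange(3)
    if k == 0:
        return ("eq", t, Lit(v))
    if k == 1:
        return ("len", t, len(v))
    return ("prefix", Lit(v[: rng.randrange(len(v) + 1)]), t)

def sat_formula(model: Dict[str, str], n_atoms: int, seed: int = 0) -> List[Atom]:
    """Conjoining atoms that one model satisfies preserves satisfiability."""
    rng = random.Random(seed)
    return [true_atom(rng, model) for _ in range(n_atoms)]

def rewrite_term(t: Term) -> Term:
    """Equivalence-preserving rewrite: flatten str.++, drop "", merge adjacent literals."""
    if not isinstance(t, Concat):
        return t
    merged: List[Term] = []
    for p in map(rewrite_term, t.parts):
        for q in (p.parts if isinstance(p, Concat) else [p]):
            if isinstance(q, Lit) and q.value == "":
                continue
            if merged and isinstance(q, Lit) and isinstance(merged[-1], Lit):
                merged[-1] = Lit(merged[-1].value + q.value)
            else:
                merged.append(q)
    if len(merged) == 1:
        return merged[0]
    return Concat(tuple(merged)) if merged else Lit("")

def rewrite_atom(a: Atom) -> Atom:
    op, l, r = a
    return (op, rewrite_term(l), r if op == "len" else rewrite_term(r))

def smt_script(variables: List[str], atoms: List[Atom], negate_equivalent: bool) -> str:
    """Satisfiable script; with negate_equivalent, phi and not(phi') for equivalent phi': unsat."""
    lines = ["(set-logic QF_SLIA)"] + [f"(declare-const {v} String)" for v in variables]
    lines += [f"(assert {atom_smt(a)})" for a in atoms]
    if negate_equivalent:
        parts = [atom_smt(rewrite_atom(a)) for a in atoms]
        body = parts[0] if len(parts) == 1 else "(and " + " ".join(parts) + ")"
        lines.append(f"(assert (not {body}))")
    return "\n".join(lines + ["(check-sat)"])

def classify(expected: str, verdict: str) -> str:
    """Oracle: a wrong definite answer is a soundness bug; unknown/timeout/crash is incompleteness."""
    if verdict == expected:
        return "ok"
    return "soundness" if verdict in ("sat", "unsat") else "incompleteness"
```

To use this against a real solver, feed the output of smt_script to the solver on stdin with a timeout, take the first line it prints (sat, unsat or unknown; treat a timeout or crash as its own verdict), and pass it together with the known answer to classify. Because each generated script is small and its answer is known in advance, a "soundness" result is directly actionable and does not need a second solver for differential comparison; growing n_atoms or the term depth then produces the increasingly complex inputs the abstract describes.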
