Applications and Challenges in Satisfiability Modulo Theories

The area of software analysis, testing and verification is now undergoing a revolution thanks to the use of automated and scalable support for logical methods. A well-recognized premise is that at the core of software analysis engines is invariably a component using logical formulas for describing states and transformations between system states. One can thus say that symbolic logic is the calculus of computation. The process of using this information for discovering and checking program properties (including such important properties as safety and security) amounts to automatic theorem proving. In particular, theorem provers that directly support common software constructs offer a compelling basis. Such provers are commonly called satisfiability modulo theories (SMT) solvers. Z3 is the leading SMT solver. It is developed by the authors at Microsoft Research. It can be used to check the satisfiability of logical formulas over one or more theories such as arithmetic, bit-vectors, lists, records and arrays. This paper examines three applications of Z3 in the context of invariant generation. The first lets Z3 infer invariants as a constraint satisfaction problem, the second application illustrates the use of Z3 for bit-precise analysis and our third application exemplifies using Z3 for calculations.
