Nikolaj Bjørner Leonardo de Moura Nikolai Tillmann Microsoft Research August 11’th 2008.

Slides:



Advertisements
Similar presentations
Logical Abstract Interpretation Sumit Gulwani Microsoft Research, Redmond.
Advertisements

Satisfiability modulo the Theory of Bit Vectors
Leonardo de Moura Microsoft Research. Z3 is a new solver developed at Microsoft Research. Development/Research driven by internal customers. Free for.
Satisfiability Modulo Theories and Network Verification Nikolaj Bjørner Microsoft Research Formal Methods and Networks Summer School Ithaca, June
Linear real and integer arithmetic. Fixed-size bit-vectors Uninterpreted functions Extensional arrays Quantifiers Model generation Several input formats.
50.530: Software Engineering
Finding bugs: Analysis Techniques & Tools Symbolic Execution & Constraint Solving CS161 Computer Security Cho, Chia Yuan.
Masahiro Fujita Yoshihisa Kojima University of Tokyo May 2, 2008
Satisfiability Modulo Theories (An introduction)
SMT Solvers (an extension of SAT) Kenneth Roe. Slide thanks to C. Barrett & S. A. Seshia, ICCAD 2009 Tutorial 2 Boolean Satisfiability (SAT) ⋁ ⋀ ¬ ⋁ ⋀
SCIP Optimization Suite
Proofs from SAT Solvers Yeting Ge ACSys NYU Nov
Software Engineering & Automated Deduction Willem Visser Stellenbosch University With Nikolaj Bjorner (Microsoft Research, Redmond) Natarajan Shankar (SRI.
1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.
Symbolic execution © Marcelo d’Amorim 2010.
INF 212 ANALYSIS OF PROG. LANGS Type Systems Instructors: Crista Lopes Copyright © Instructors.
Panel on Decision Procedures Panel on Decision Procedures Randal E. Bryant Lintao Zhang Nils Klarlund Harald Ruess Sergey Berezin Rajeev Joshi.
Leonardo de Moura and Nikolaj Bjørner Microsoft Research.
1 Constraint Problems in Program Analysis from the sublime to the ridiculous Alex Aiken Stanford University.
Johannes Kepler University Linz, Austria 2008 Leonardo de Moura and Nikolaj Bjørner Microsoft Research.
Introduction to By Mati Yanko. Primary Goals of Java Portable Secured Object Oriented.
Nikolaj Bjørner Microsoft Research Lecture 3. DayTopicsLab 1Overview of SMT and applications. SAT solving, Z3 Encoding combinatorial problems with Z3.
1 Satisfiability Modulo Theories Sinan Hanay. 2 Boolean Satisfiability (SAT) Is there an assignment to the p 1, p 2, …, p n variables such that  evaluates.
Pexxxx White Box Test Generation for
Memory Allocation. Three kinds of memory Fixed memory Stack memory Heap memory.
Nikolaj Bjørner Microsoft Research Lecture 1. DayTopicsLab 1Overview of SMT and applications. SAT solving, Z3 Introduction to encoding problems with Z3.
Yeting Ge Leonardo de Moura New York University Microsoft Research.
Run-Time Storage Organization
Pex White Box Test Generation for.NET Nikolai Tillmann, Microsoft Research SMT 2008.
Program Exploration with Pex Nikolai Tillmann, Peli de Halleux Pex
1 A propositional world Ofer Strichman School of Computer Science, Carnegie Mellon University.
Austin, Texas 2011 Theorem Proving Tools for Program Analysis SMT Solvers: Yices & Z3 Austin, Texas 2011 Nikolaj Bjørner 2, Bruno Dutertre 1, Leonardo.
Farzan Fallah Srinivas Devadas Laboratory for Computer Science MIT Farzan Fallah Srinivas Devadas Laboratory for Computer Science MIT Functional Vector.
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.
Leonardo de Moura Microsoft Research. Many approaches Graph-based for difference logic: a – b  3 Fourier-Motzkin elimination: Standard Simplex General.
Deep Dive into Pex How Pex works, implications for design of Code Hunt puzzles Nikolai Tillmann Principal Software Engineering Manager Microsoft, Redmond,
Deciding a Combination of Theories - Decision Procedure - Changki pswlab Combination of Theories Daniel Kroening, Ofer Strichman Presented by Changki.
CUTE: A Concolic Unit Testing Engine for C Technical Report Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.
Nikolaj Bjørner, Leonardo de Moura Microsoft Research Bruno Dutertre SRI International.
Leonardo de Moura and Nikolaj Bjørner Microsoft Research.
IT253: Computer Organization Lecture 3: Memory and Bit Operations Tonga Institute of Higher Education.
Addresses in Memory When a variable is declared, enough memory to hold a value of that type is allocated for it at an unused memory location. This is.
Overloading Binary Operators Two ways to overload –As a member function of a class –As a friend function As member functions –General syntax Data Structures.
Binary Search From solving a problem to verifying an answer.
Introduction to Satisfiability Modulo Theories
Leonardo de Moura Microsoft Research. Is formula F satisfiable modulo theory T ? SMT solvers have specialized algorithms for T.
Tao Xie North Carolina State University Nikolai Tillmann, Peli de Halleux, Wolfram Schulte Microsoft Research.
Parameterized Unit Tests By Nikolai Tillmann and Wolfram Schulte Proc. of ESEC/FSE 2005 Presented by Yunho Kim Provable Software Lab, KAIST TexPoint fonts.
C++ Data Types Structured array struct union class Address pointer reference Simple IntegralFloating char short int long enum float double long double.
Data Structures Using C++ 2E Chapter 3 Pointers. Data Structures Using C++ 2E2 Objectives Learn about the pointer data type and pointer variables Explore.
CJAdviser: SMT-based Debugging Support for ContextJ* Shizuka Uchio(Kyushu University, Japan) Naoyasu Ubayashi(Kyushu University, Japan) Yasutaka Kamei(Kyushu.
jFuzz – Java based Whitebox Fuzzing
CSV 889: Concurrent Software Verification Subodh Sharma Indian Institute of Technology Delhi Scalable Symbolic Execution: KLEE.
School of Computer Science & Information Technology G6DICP - Lecture 4 Variables, data types & decision making.
Symbolic and Concolic Execution of Programs Information Security, CS 526 Omar Chowdhury 10/7/2015Information Security, CS 5261.
Daniel Kroening and Ofer Strichman Decision Procedures An Algorithmic Point of View Deciding Combined Theories.
CUTE: A Concolic Unit Testing Engine for C Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.
© 2006 Carnegie Mellon University Introduction to CBMC: Part 1 Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel,
Logic Engines as a Service Leonardo de Moura and Nikolaj Bjørner Microsoft Research.
Finding Conflicting Instances of Quantified Formulas in SMT Andrew Reynolds Cesare Tinelli Leonardo De Moura July 18, 2014.
Selected Decision Procedures and Techniques for SMT More on combination – theories sharing sets – convex theory Un-interpreted function symbols (quantifier-free.
Nikolaj Bjørner Microsoft Research DTU Winter course January 4 th 2012 Organized by Hanne Riis Nielson, Flemming Nielson.
1 A framework for eager encoding Daniel Kroening ETH, Switzerland Ofer Strichman Technion, Israel (Executive summary) (submitted to: Formal Aspects of.
Symbolic Execution in Software Engineering By Xusheng Xiao Xi Ge Dayoung Lee Towards Partial fulfillment for Course 707.
Satisfiability Modulo Theories and DPLL(T) Andrew Reynolds March 18, 2015.
Satisfiability Modulo Theories
Satisfiability Modulo Theories
LPSAT: A Unified Approach to RTL Satisfiability
SAT-Based Area Recovery in Technology Mapping
The SMT-LIB Initiative
Presentation transcript:

Nikolaj Bjørner Leonardo de Moura Nikolai Tillmann Microsoft Research August 11’th 2008

Bit-level support is critical for program exploration … but this is far from the only useful domain The SMT solver Z3 combines solvers for a variety of domains SMBT

Bits and bytes Numbers Arrays Records Heaps Data-types Object inheritance

ArithmeticArithmetic Arrays Free Functions

Theories Core Theory SAT solver Rewriting Simplification Bit-Vectors Arithmetic Partial orders Tuples E-matching Arrays OCaml Text.NET C C

Pre-processing by simplification Bit-vector operations are compiled into circuits Core Theory propagates equalities between bit- vectors Relevancy propagation used to selectively enable gates for propositional splitting SMBT

Test input generator Pex starts from parameterized unit tests Generated tests are emitted as traditional unit tests Dynamic symbolic execution framework Analysis of.NET instructions (byte-code) Instrumentation happens automatically at JIT time Using SMT-solver Z3 to check satisfiability and generate models = test inputs

How to test this code? (Real code from.NET base class libraries.) 9

10

… in action

Test Inputs Constraint System Execution Path Known Paths Run Test and Monitor Record Path Condition Choose an Uncovered Path Solve Initially, choose Arbitrary

Test Inputs Constraint System Execution Path Known Paths Run Test and Monitor Record Path Condition Choose an Uncovered Path Solve Initially, choose Arbitrary a[0] = 0; a[1] = 0; a[2] = 0; a[3] = 0; … a[0] = 0; a[1] = 0; a[2] = 0; a[3] = 0; …

Test Inputs Constraint System Execution Path Known Paths Run Test and Monitor Record Path Condition Choose an Uncovered Path Solve Initially, choose Arbitrary Path Condition: … ⋀ magicNum != 0x Path Condition: … ⋀ magicNum != 0x

Test Inputs Constraint System Execution Path Known Paths Run Test and Monitor Record Path Condition Choose an Uncovered Path Solve Initially, choose Arbitrary … ⋀ magicNum != 0x … ⋀ magicNum == 0x … ⋀ magicNum != 0x … ⋀ magicNum == 0x

Test Inputs Constraint System Execution Path Known Paths Run Test and Monitor Record Path Condition Choose an Uncovered Path Solve a[0] = 206; a[1] = 202; a[2] = 239; a[3] = 190; a[0] = 206; a[1] = 202; a[2] = 239; a[3] = 190; Initially, choose Arbitrary

Test Inputs Constraint System Execution Path Known Paths Run Test and Monitor Record Path Condition Choose an Uncovered Path Solve Initially, choose Arbitrary

Test Inputs Constraint System Execution Path Known Paths Run Test and Monitor Record Path Condition Choose an Uncovered Path Solve Initially, choose Arbitrary

Bit-vectors Heaps Integers Quantifiers

Is Target reachable? Yes: x = 2 16 … of course SMBT

But used for modeling the.NET type system In Pex: $Type : Object -> Class Object – is an integer Class – is an integer SMBT

Used for constraining values Example: we want to allocate a byte array data Allocate $Length(data) bytes SMBT

Not all models returned by Z3 are useful test inputs. Values used for allocating arrays are preferably small. Otherwise, test runs will just exercise out of memory exceptions and not useful code paths. Approach: use programmatic API with Push/Pop to control context SMBT

int Minimize(TermAst a, int lo, int hi) { while (lo < hi) { int mid = (lo+hi)/2; Console.WriteLine("lo: {0}, hi: {1}, mid: {2}",lo,hi,mid); z3.Push(); z3.AssertCnstr(Num(lo) <= a & a < Num(mid)); TypeSafeModel model = null; if (LBool.True == z3.CheckAndGetModel(ref model)) { hi = model.GetNumeralValueInt(model.Eval(a)); model.Dispose(); } else lo = mid; z3.Pop(); } return lo; }

Rich Combination: Solvers for uninterpreted functions with equalities, linear integer arithmetic, bitvector arithmetic, arrays, tuples Formulas may be a big conjunction Pre-processing step Eliminate variables and simplify input format Universal quantifiers Used to model custom theories, e.g..NET type system Model generation Models used as test inputs Incremental solving Given a formula F, find a model M, that minimizes the value of the variables x 0 … x n Push / Pop of contexts for model minimization Programmatic API For small constraint systems, text through pipes would add huge overhead

Bit-level support is critical for program exploration … but this is far from the only useful domain The SMT solver Z3 combines solvers for a variety of domains SMBT

Test input, generated by Pex 30

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.