Presentation is loading. Please wait.

Presentation is loading. Please wait.

Yeting Ge Leonardo de Moura New York University Microsoft Research.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Yeting Ge Leonardo de Moura New York University Microsoft Research."— Presentation transcript:

1 Yeting Ge Leonardo de Moura New York University Microsoft Research

2 Complete Instantiation – CAV 2009 a > 3, (a = b  a = b + 1), f(a) = 0, f(b) = 1

3 Dynamic symbolic execution (DART) Extended static checking Test-case generation Bounded model checking (BMC) Equivalence checking … Complete Instantiation – CAV 2009

4 A theory T is a set of sentences. F is satisfiable modulo T iff T  F is satisfiable. Complete Instantiation – CAV 2009

5 Array Theory:  a,i,v: read(write(a,i,v), i) = v  a,i,v: i = j  read(write(a,i,v), j) = read(a,j) Linear Arithmetic Bit-vectors Inductive datatypes …

6 a > 3, (a = b  a = b + 1), f(a) = 0, f(b) = 1 Complete Instantiation – CAV 2009 f,g,hUninterpreted functions a,b,cUninterpreted constants +,-,<, ,0,1,… Interpreted symbols

7 a > 3, (a = b  a = b + 1), f(a) = 0, f(b) = 1 Complete Instantiation – CAV 2009 Model/Structure: a  4 b  3 f  { 4  0, 3  1, … }

8 a > 3, (a = b  a = b + 1), f(a) = 0, f(b) = 1 Complete Instantiation – CAV 2009 Model M: M(a) = 4 M(b) = 3 M(f) = { 4  0, 3  1, … }

9 Many SMT Solvers: Barcelogic, Beaver, Boolector, CVC3, MathSAT, OpenSMT, Sateen, Yices, Z3, … They are very efficient for quantifier-free formulas. Complete Instantiation – CAV 2009

10 Modeling the runtime  h,o,f: IsHeap(h)  o ≠ null  read(h, o, alloc) = t  read(h,o, f) = null  read(h, read(h,o,f),alloc) = t Complete Instantiation – CAV 2009

11 Modeling the runtime User provided assertions  i,j: i  j  read(a,i)  read(b,j) Complete Instantiation – CAV 2009

12 Modeling the runtime User provided assertions Unsupported theories  x: p(x,x)  x,y,z: p(x,y), p(y,z)  p(x,z)  x,y: p(x,y), p(y,x)  x = y Complete Instantiation – CAV 2009

13 Modeling the runtime User provided assertions Unsupported theories Solver must be fast in satisfiable instances. Complete Instantiation – CAV 2009 We want to find bugs!

14 Superposition Calculus + SMT. Instantiation Based Methods Implemented on top of “regular” SMT solvers. Heuristic quantifier instantiation (E-Matching). Complete quantifier instantiation. Complete Instantiation – CAV 2009

15 Bernays-Schönfinkel class. Stratified Many-Sorted Logic. Array Property Fragment. Local theory extensions. Complete Instantiation – CAV 2009

16  x 1, x 2 :  p(x 1, x 2 )  f(x 1 ) = f(x 2 ) + 1, p(a,b), a < b + 1

17 Complete Instantiation – CAV 2009  p(x 1, x 2 )  f(x 1 ) = f(x 2 ) + 1, p(a,b), a < b + 1

18 Variables appear only as arguments of uninterpreted symbols. Complete Instantiation – CAV 2009 f(g(x 1 ) + a) < g(x 1 )  h(f(x 1 ), x 2 ) = 0 f(x 1 +x 2 )  f(x 1 ) + f(x 2 )

19 Given a set of formulas F, build an equisatisfiable set of quantifier-free formulas F* Complete Instantiation – CAV 2009 Suppose 1. We have a clause C[f(x)] containing f(x). 2. We have f(t).  Instantiate x with t: C[f(t)]. “Domain” of f is the set of ground terms A f t  A f if there is a ground term f(t)

20 Complete Instantiation – CAV 2009 g(x 1, x 2 ) = 0  h(x 2 ) = 0, g(f(x 1 ),b) + 1  f(x 1 ), h(c) = 1, f(a) = 0 FF*

21 Complete Instantiation – CAV 2009 g(x 1, x 2 ) = 0  h(x 2 ) = 0, g(f(x 1 ),b) + 1  f(x 1 ), h(c) = 1, f(a) = 0 FF* h(c) = 1, f(a) = 0 Copy quantifier-free formulas “Domains”: A f : { a } A g : { } A h : { c }

22 Complete Instantiation – CAV 2009 g(x 1, x 2 ) = 0  h(x 2 ) = 0, g(f(x 1 ),b) + 1  f(x 1 ), h(c) = 1, f(a) = 0 FF* h(c) = 1, f(a) = 0, “Domains”: A f : { a } A g : { } A h : { c }

23 Complete Instantiation – CAV 2009 g(x 1, x 2 ) = 0  h(x 2 ) = 0, g(f(x 1 ),b) + 1  f(x 1 ), h(c) = 1, f(a) = 0 FF* h(c) = 1, f(a) = 0, g(f(a),b) + 1  f(a) “Domains”: A f : { a } A g : { [f(a), b] } A h : { c }

24 Complete Instantiation – CAV 2009 g(x 1, x 2 ) = 0  h(x 2 ) = 0, g(f(x 1 ),b) + 1  f(x 1 ), h(c) = 1, f(a) = 0 FF* h(c) = 1, f(a) = 0, g(f(a),b) + 1  f(a), “Domains”: A f : { a } A g : { [f(a), b] } A h : { c }

25 Complete Instantiation – CAV 2009 g(x 1, x 2 ) = 0  h(x 2 ) = 0, g(f(x 1 ),b) + 1  f(x 1 ), h(c) = 1, f(a) = 0 FF* h(c) = 1, f(a) = 0, g(f(a),b) + 1  f(a), g(f(a), b) = 0  h(b) = 0 “Domains”: A f : { a } A g : { [f(a), b] } A h : { c, b }

26 Complete Instantiation – CAV 2009 g(x 1, x 2 ) = 0  h(x 2 ) = 0, g(f(x 1 ),b) + 1  f(x 1 ), h(c) = 1, f(a) = 0 FF* h(c) = 1, f(a) = 0, g(f(a),b) + 1  f(a), g(f(a), b) = 0  h(b) = 0 “Domains”: A f : { a } A g : { [f(a), b]} A h : { c, b }

27 Complete Instantiation – CAV 2009 g(x 1, x 2 ) = 0  h(x 2 ) = 0, g(f(x 1 ),b) + 1  f(x 1 ), h(c) = 1, f(a) = 0 FF* h(c) = 1, f(a) = 0, g(f(a),b) + 1  f(a), g(f(a), b) = 0  h(b) = 0, g(f(a), c) = 0  h(c) = 0 “Domains”: A f : { a } A g : { [f(a), b], [f(a), c] } A h : { c, b }

28 Complete Instantiation – CAV 2009 g(x 1, x 2 ) = 0  h(x 2 ) = 0, g(f(x 1 ),b) + 1  f(x 1 ), h(c) = 1, f(a) = 0 FF* h(c) = 1, f(a) = 0, g(f(a),b) + 1  f(a), g(f(a), b) = 0  h(b) = 0, g(f(a), c) = 0  h(c) = 0 a  2, b  2, c  3 f  { 2  0, …} h  { 2  0, 3  1, …} g  { [0,2]  -1, [0,3]  0, …} M

29 Given a model M for F*, Build a model M  for F Complete Instantiation – CAV 2009 Define a projection function  f s.t. range of  f is M(A f ), and  f (v) = v if v  M(A f ) Then, M  (f)(v) = M(f)(  f (v))

30 Complete Instantiation – CAV 2009 M(A f ) M(f(A f )) M(A f ) M(f(A f )) M(f) M(A f ) ff M(f) M  (f)

31 Given a model M for F*, Build a model M  for F Complete Instantiation – CAV 2009 In our example, we have: h(b) and h(c)  A h = { b, c }, and M(A h ) = { 2, 3 }  h = { 2  2, 3  3, else  3 } M(h) { 2  0, 3  1, …} M  (h) { 2  0, 3  1, else  1} M  (h) = x. if(x=2, 0, 1)

32 Complete Instantiation – CAV 2009 g(x 1, x 2 ) = 0  h(x 2 ) = 0, g(f(x 1 ),b) + 1  f(x 1 ), h(c) = 1, f(a) = 0 FF* h(c) = 1, f(a) = 0, g(f(a),b) + 1  f(a), g(f(a), b) = 0  h(b) = 0, g(f(a), c) = 0  h(c) = 0 MM a  2, b  2, c  3 f  x. 2 h  x. if(x=2, 0, 1) g  x,y. if(x=0  y=2,-1, 0) M a  2, b  2, c  3 f  { 2  0, …} h  { 2  0, 3  1, …} g  { [0,2]  -1, [0,3]  0, …}

33 Complete Instantiation – CAV 2009 MM a  2, b  2, c  3 f  x. 2 h  x. if(x=2, 0, 1) g  x,y. if(x=0  y=2,-1, 0)  x 1, x 2 : if(x 1 =0  x 2 =2,-1,0) = 0  if(x 2 =2,0,1) = 0 is valid Does M  satisfies?  x 1, x 2 : g(x 1, x 2 ) = 0  h(x 2 ) = 0  x 1, x 2 : if(x 1 =0  x 2 =2,-1,0)  0  if(x 2 =2,0,1)  0 is unsat if(s 1 =0  s 2 =2,-1,0)  0  if(s 2 =2,0,1)  0 is unsat

34 Suppose M  does not satisfy C[f(x)]. Complete Instantiation – CAV 2009 Then for some value v, M  {x  v} falsifies C[f(x)]. M  {x  f (v)} also falsifies C[f(x)]. But, there is a term t  A f s.t. M(t) =  f (v) Moreover, we instantiated C[f(x)] with t. So, M must not satisfy C[f(t)]. Contradiction: M is a model for F*.

35 F* may be very big (or infinite). Lazy-construction Build F* incrementally, F* is the limit of the sequence F 0  F 1  …  F k  … If F k is unsat then F is unsat. If F k is sat, then build (candidate) M  If M  satisfies all quantifiers in F then return sat. Complete Instantiation – CAV 2009

36 Suppose M  does not satisfy a clause C[f(x)] in F. Complete Instantiation – CAV 2009 Add an instance C[f(t)] which “blocks” this spurious model. Issue: how to find t? Use model checking, and the “inverse” mapping  f -1 from values to terms (in A f ).  f -1 (v) = t if M  (t) =  f (v)

37 Complete Instantiation – CAV 2009 F  x 1 : f(x 1 ) < 0, f(a) = 1, f(b) = -1 F 0 f(a) = 1, f(b) = -1 M  a  2, b  3 f  x. if(x = 2, 1, -1) Model Checking  x 1 : f(x 1 ) < 0 not if(s 1 = 2, 1, -1) < 0 s 1  2  f -1 (2) = a F 1 f(a) = 1, f(b) = -1 f(a) < 0 unsat

38 Is our procedure refutationally complete? FOL Compactness A set of sentences is unsatisfiable iff it contains an unsatisfiable finite subset. A theory T is a set of sentences, then apply compactness to F*  T Complete Instantiation – CAV 2009

39 F  x 1 : f(x 1 ) < f(f(x 1 )),  x 1 : f(x 1 ) < a, 1 < f(0). F* f(0) < f(f(0)), f(f(0)) < f(f(f(0))), … f(0) < a, f(f(0)) < a, … 1 < f(0) Every finite subset of F* is satisfiable. Unsatisfiable

40 Complete Instantiation – CAV 2009 Theory of linear arithmetic T Z is the set of all first-order sentences that are true in the standard structure Z. T z has non-standard models. F and F* are satisfiable in a non-standard model. Alternative: a theory is a class of structures. Compactness does not hold. F and F* are still equisatisfiable.

41 Complete Instantiation – CAV 2009 Given a clause C k [x 1, …, x n ] Let S k,i be the set of ground terms used to instantiate x i in clause C k [x 1, …, x n ] How to characterize S k,i ? F j-th argument of f in C k  F system of set constraints a ground term t t  A f,j t[x 1, …, x n ] t[S k,1, …, S k,n ]  A f,j xixi S k,i = A f,j

42 Complete Instantiation – CAV 2009 g(x 1, x 2 ) = 0  h(x 2 ) = 0, g(f(x 1 ),b) + 1  f(x 1 ), h(c) = 1, f(a) = 0 F S 1,1 = A g,1, S 1,2 = A g,2, S 1,2 = A h,1 S 2,1 = A f,1, f(S 2,1 )  A g,1, b  A g,2 c  A h,1 a  A f,1 FF S 1,1 = { f(a) }, S 1,2 = { b, c } S 2,1 = { a }  F : least solution Use  F to generate F*

43 Complete Instantiation – CAV 2009  F is stratified then the least solution (and F*) is finite New decidable fragment: NEXPTIME-Hard. The least solution of  F is exponential in the worst case. a  S 1, b  S 1, f 1 (S 1, S 1 )  S 2, …, f n (S n, S n )  S n+1 F* can be doubly exponential in the size of F. t[S k,1, …, S k,n ]  A f,j level(S k,i ) < level(A f,j ) S k,i = A f,j level(S k,i ) = level(A f,j )

44 Complete Instantiation – CAV 2009 Arithmetical literals:  f must be monotonic. Offsets: Literal of C k FF  (x i  x j ) S k,i = S k,j  (x i  t),  (t  x i )t  S k,i x i = t {t+1, t-1}  S k,i j-th argument of f in C k FF x i + r S k,i +r  A f,j A f,j +(-r)  S k,i

45 Complete Instantiation – CAV 2009 Shifting  (0  x 1 )   (x 1  n)  f(x 1 ) = g(x 1 +2)

46 Complete Instantiation – CAV 2009 Many-sorted logic Pseudo-Macros 0  g(x 1 )  f(g(x 1 )) = x 1, 0  g(x 1 )  h(g(x 1 )) = 2x 1, g(a) < 0

47 Complete Instantiation – CAV 2009 SMT solvers usually return unsat or unknown for quantified SMT formulas. Z3 was the only SMT-solver in SMT-COMP’08 to correctly answer satisfiable quantified formulas. New decidable fragments. Model-based instantiation and Model checking. Conditions for refutationally complete procedures. Future work: more efficient model checking techniques. Thank you!

Download ppt "Yeting Ge Leonardo de Moura New York University Microsoft Research."

Similar presentations

Logical Abstract Interpretation Sumit Gulwani Microsoft Research, Redmond.

Logical Abstract Interpretation Sumit Gulwani Microsoft Research, Redmond.
SMELS: Sat Modulo Equality with Lazy Superposition Christopher Lynch – Clarkson Duc-Khanh Tran - MPI.

SMELS: Sat Modulo Equality with Lazy Superposition Christopher Lynch – Clarkson Duc-Khanh Tran - MPI.
Completeness and Expressiveness

Completeness and Expressiveness
Satisfiability Modulo Theories and Network Verification Nikolaj Bjørner Microsoft Research Formal Methods and Networks Summer School Ithaca, June 10-14.

Satisfiability Modulo Theories and Network Verification Nikolaj Bjørner Microsoft Research Formal Methods and Networks Summer School Ithaca, June
Finding bugs: Analysis Techniques & Tools Symbolic Execution & Constraint Solving CS161 Computer Security Cho, Chia Yuan.

Finding bugs: Analysis Techniques & Tools Symbolic Execution & Constraint Solving CS161 Computer Security Cho, Chia Yuan.
Satisfiability Modulo Theories (An introduction)

Satisfiability Modulo Theories (An introduction)
SMT Solvers (an extension of SAT) Kenneth Roe. Slide thanks to C. Barrett & S. A. Seshia, ICCAD 2009 Tutorial 2 Boolean Satisfiability (SAT) ⋁ ⋀ ¬ ⋁ ⋀

SMT Solvers (an extension of SAT) Kenneth Roe. Slide thanks to C. Barrett & S. A. Seshia, ICCAD 2009 Tutorial 2 Boolean Satisfiability (SAT) ⋁ ⋀ ¬ ⋁ ⋀
Verification of Functional Programs in Scala Philippe Suter (joint work w/ Ali Sinan Köksal and Viktor Kuncak) ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE,

Verification of Functional Programs in Scala Philippe Suter (joint work w/ Ali Sinan Köksal and Viktor Kuncak) ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE,
CSC 685 Logic Review. Logic: Modeling Human Reasoning syllogistic logic Syllogistic Logic (Aristotle). all/some X are/not Y Propositional Logic (Boole).

CSC 685 Logic Review. Logic: Modeling Human Reasoning syllogistic logic Syllogistic Logic (Aristotle). all/some X are/not Y Propositional Logic (Boole).
Leonardo de Moura and Nikolaj Bjørner Microsoft Research.

Leonardo de Moura and Nikolaj Bjørner Microsoft Research.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
Leonardo de Moura Microsoft Research. Satisfiability Modulo Theories: A Calculus of Computation Verification/Analysis tools need some form of Symbolic.

Leonardo de Moura Microsoft Research. Satisfiability Modulo Theories: A Calculus of Computation Verification/Analysis tools need some form of Symbolic.
Plan for today Proof-system search ( ` ) Interpretation search ( ² ) Quantifiers Equality Decision procedures Induction Cross-cutting aspectsMain search.

Plan for today Proof-system search ( ` ) Interpretation search ( ² ) Quantifiers Equality Decision procedures Induction Cross-cutting aspectsMain search.
Constraint Logic Programming Ryan Kinworthy. Overview Introduction Logic Programming LP as a constraint programming language Constraint Logic Programming.

Constraint Logic Programming Ryan Kinworthy. Overview Introduction Logic Programming LP as a constraint programming language Constraint Logic Programming.
The Model Evolution Calculus Peter Baumgartner, MPI Saarbruecken and U Koblenz Cesare Tinelli, U Iowa.

The Model Evolution Calculus Peter Baumgartner, MPI Saarbruecken and U Koblenz Cesare Tinelli, U Iowa.
Nikolaj Bjørner Microsoft Research Lecture 3. DayTopicsLab 1Overview of SMT and applications. SAT solving, Z3 Encoding combinatorial problems with Z3.

Nikolaj Bjørner Microsoft Research Lecture 3. DayTopicsLab 1Overview of SMT and applications. SAT solving, Z3 Encoding combinatorial problems with Z3.
1 Satisfiability Modulo Theories Sinan Hanay. 2 Boolean Satisfiability (SAT) Is there an assignment to the p 1, p 2, …, p n variables such that  evaluates.

1 Satisfiability Modulo Theories Sinan Hanay. 2 Boolean Satisfiability (SAT) Is there an assignment to the p 1, p 2, …, p n variables such that  evaluates.
1 2. Constraint Databases Next level of data abstraction: Constraint level – finitely represents by constraints the logical level.

1 2. Constraint Databases Next level of data abstraction: Constraint level – finitely represents by constraints the logical level.
1 Constraint Programming Maurizio Gabbrielli Universita’ di Bologna Slides by: K. Marriott.

1 Constraint Programming Maurizio Gabbrielli Universita’ di Bologna Slides by: K. Marriott.
1 Chapter 1: Constraints What are they, what do they do and what can I use them for.

1 Chapter 1: Constraints What are they, what do they do and what can I use them for.

Similar presentations

Ads by Google