Presentation is loading. Please wait.

Presentation is loading. Please wait.

Leonardo de Moura and Nikolaj Bjørner Microsoft Research.

Published byLionel Fields Modified over 9 years ago

Similar presentations

Presentation on theme: "Leonardo de Moura and Nikolaj Bjørner Microsoft Research."— Presentation transcript:

1 Leonardo de Moura and Nikolaj Bjørner Microsoft Research

2 Engineering DPLL(T) + Saturation SATTheoriesSMT Arithmetic Bit-vectors Arrays …

3 Engineering DPLL(T) + Saturation ArithmeticArithmetic Array Theory Uninterpreted Functions

4 M | F Engineering DPLL(T) + Saturation Partial model Set of clauses

5 Guessing Engineering DPLL(T) + Saturation p,  q | p  q,  q  r p | p  q,  q  r

6 Deducing Engineering DPLL(T) + Saturation p, s| p  q,  p  s p | p  q,  p  s

7 Backtracking Engineering DPLL(T) + Saturation p, s| p  q, s  q,  p   q p,  s, q | p  q, s  q,  p   q

8 Efficient decision procedures for conjunctions of ground atoms. Engineering DPLL(T) + Saturation a=b, a 10 Examples: Congruence closure Dual Simplex Bellman-Ford …

9 Z3 Test case generation BMC Predicate Abstraction Verifying Compiler Engineering DPLL(T) + Saturation Z3 Test case generation BMC Predicate Abstraction Verifying Compiler

10 A verifying compiler uses automated reasoning to check the correctness of a program that is compiles. Correctness is specified by types, assertions,... and other redundant annotations that accompany the program. Tony Hoare 2004

11 V V Static program verifier (Boogie) MSIL Z3 V.C. generator Verification condition “correct” or list of errors Spec# compiler Spec# C Bytecode translator C Boogie VCC HAVOC

12 BIG and-or tree (ground) BIG and-or tree (ground) Axioms ( (non-ground) Axioms ( (non-ground) Control & Data Flow

13 Quantifiers, quantifiers, quantifiers, … Modeling the runtime  h,o,f: IsHeap(h)  o ≠ null  read(h, o, alloc) = t  read(h,o, f) = null  read(h, read(h,o,f),alloc) = t Engineering DPLL(T) + Saturation

14 Quantifiers, quantifiers, quantifiers, … Modeling the runtime Frame axioms  o, f: o ≠ null  read(h 0, o, alloc) = t  read(h 1,o,f) = read(h 0,o,f)  (o,f)  M Engineering DPLL(T) + Saturation

15 Quantifiers, quantifiers, quantifiers, … Modeling the runtime Frame axioms User provided assertions  i,j: i  j  read(a,i)  read(b,j) Engineering DPLL(T) + Saturation

16 Quantifiers, quantifiers, quantifiers, … Modeling the runtime Frame axioms User provided assertions Theories  x: p(x,x)  x,y,z: p(x,y), p(y,z)  p(x,z)  x,y: p(x,y), p(y,x)  x = y Engineering DPLL(T) + Saturation

17 Quantifiers, quantifiers, quantifiers, … Modeling the runtime Frame axioms User provided assertions Theories Solver must be fast in satisfiable instances. Engineering DPLL(T) + Saturation We want to find bugs!

18 Engineering DPLL(T) + Saturation SMT solvers use heuristic quantifier instantiation. E-matching (matching modulo equalities). Example:  x: f(g(x)) = x { f(g(x)) } a = g(b), b = c, f(a)  c Pattern

19 Engineering DPLL(T) + Saturation SMT solvers use heuristic quantifier instantiation. E-matching (matching modulo equalities). Example:  x: f(g(x)) = x { f(g(x)) } a = g(b), b = c, f(a)  c x=b f(g(b)) = b Equalities and ground terms come from the partial model M: M | F Equalities and ground terms come from the partial model M: M | F

20 Engineering DPLL(T) + Saturation Integrates smoothly with DPLL. Software verification problems are big & shallow. Decides useful theories: Arrays Partial orders …

21 Engineering DPLL(T) + Saturation E-matching needs ground seeds.  x: p(x),  x: not p(x)

22 Engineering DPLL(T) + Saturation E-matching needs ground seeds. Bad user provided patterns:  x: f(g(x))=x { f(g(x)) } g(a) = c, g(b) = c, a  b Pattern is too restrictive

23 Engineering DPLL(T) + Saturation E-matching needs ground seeds. Bad user provided patterns:  x: f(g(x))=x { g(x) } g(a) = c, g(b) = c, a  b More “liberal” pattern More “liberal” pattern

24 Engineering DPLL(T) + Saturation E-matching needs ground seeds. Bad user provided patterns:  x: f(g(x))=x { g(x) } g(a) = c, g(b) = c, a  b, f(g(a)) = a, f(g(b)) = b a=b

25 Engineering DPLL(T) + Saturation E-matching needs ground seeds. Bad user provided patterns. Matching loops:  x: f(x) = g(f(x)) {f(x)}  x: g(x) = f(g(x)) {g(x)} f(a) = c

26 Engineering DPLL(T) + Saturation E-matching needs ground seeds. Bad user provided patterns. Matching loops:  x: f(x) = g(f(x)) {f(x)}  x: g(x) = f(g(x)) {g(x)} f(a) = c f(a) = g(f(a))

27 Engineering DPLL(T) + Saturation E-matching needs ground seeds. Bad user provided patterns. Matching loops:  x: f(x) = g(f(x)) {f(x)}  x: g(x) = f(g(x)) {g(x)} f(a) = c f(a) = g(f(a)) g(f(a)) = f(g(f(a)))

28 Engineering DPLL(T) + Saturation E-matching needs ground seeds. Bad user provided patterns. Matching loops. It is not refutationally complete.

29 Engineering DPLL(T) + Saturation Decidable fragments: EPR (this morning) Array property fragment More coming soon DPLL(  ): DPLL + Saturation (this talk)

30 Engineering DPLL(T) + Saturation Tight integration: DPLL + Saturation solver. BIG and-or tree (ground) BIG and-or tree (ground) Axioms ( (non-ground) Axioms ( (non-ground) Saturation Solver DPLL + Theories

31 Engineering DPLL(T) + Saturation Inference rule: DPLL(  ) is parametric. Examples: Resolution Superposition calculus …

32 Engineering DPLL(T) + Saturation M | F Partial model Set of clauses

33 Engineering DPLL(T) + Saturation p(a) | p(a)  q(a),  x:  p(x)  r(x),  x: p(x)  s(x)

34 Engineering DPLL(T) + Saturation p(a) | p(a)  q(a),  p(x)  r(x), p(x)  s(x)

35 Engineering DPLL(T) + Saturation p(a) | p(a)  q(a),  p(x)  r(x), p(x)  s(x) p(a) | p(a)  q(a),  p(x)  r(x), p(x)  s(x), r(x)  s(x) Resolution

36 Using ground atoms from M: M | F Main issue: backtracking. Hypothetical clauses: H  C Engineering DPLL(T) + Saturation (regular) Clause (hypothesis) Ground literals (hypothesis) Ground literals Track literals from M used to derive C

37 Engineering DPLL(T) + Saturation p(a) | p(a)  q(a),  p(x)  r(x) p(a) | p(a)  q(a),  p(x)  r(x), p(a)  r(a) p(a),  p(x)  r(x) r(a)

38 Engineering DPLL(T) + Saturation p(a), r(a) | p(a)  q(a),  p(a)  r(a), p(a)  r(a), …

39 Engineering DPLL(T) + Saturation p(a), r(a) | p(a)  q(a),  p(a)  r(a), p(a)  r(a), … p(a) is removed from M  p(a) | p(a)  q(a),  p(a)  r(a), …

40 Engineering DPLL(T) + Saturation p(a), r(a) | p(a)  q(a),  p(a)  r(a), p(a)  r(a), … p(a), r(a) | p(a)  q(a),  p(a)  r(a),  p(a)  r(a), …

41 Engineering DPLL(T) + Saturation Saturation solver ignores non-unit ground clauses. p(a) | p(a)  q(a),  p(x)  r(x)

42 Engineering DPLL(T) + Saturation Saturation solver ignores non-unit ground clauses. It is still refutanionally complete if:  has the reduction property. BIG and-or tree (ground) BIG and-or tree (ground) Axioms ( (non-ground) Axioms ( (non-ground) Saturation Solver DPLL + Theories

43 DPLL + Theories DPLL + Theories Saturation Solver Saturation Solver Engineering DPLL(T) + Saturation Saturation solver ignores non-unit ground clauses. It is still refutanionally complete if:  has the reduction property. Ground literals Ground clauses

44 Engineering DPLL(T) + Saturation Contraction rules are very important. Examples: Subsumption Demodulation … Contraction rules with a single premise are easy.

45 Engineering DPLL(T) + Saturation Contraction rules with several premises. Example: p(a)  r(x), r(x)  s(x) r(x) subsumes r(x)  s(x) Problem: p(a)  r(x) can be deleted during backtracking.

46 Engineering DPLL(T) + Saturation Contraction rules with several premises. Example: p(a)  r(x), r(x)  s(x) Naïve solution: use hypothesis elimination.  p(a)  r(x), r(x)  s(x)

47 Engineering DPLL(T) + Saturation Contraction rules with several premises. Example: p(a)  r(x), r(x)  s(x) Solution: disable r(x)  s(x) until p(a) is removed from the partial model M.

48 Engineering DPLL(T) + Saturation Interpreted symtbols  (f(a) > 2), f(x) > 5 Solution: use E-matching for non-ground clauses containing interpreted symbols. Disclaimer: Doesn’t occur very often Disclaimer: Doesn’t occur very often

49 Engineering DPLL(T) + Saturation Transitivity + monotonicity  p(x,y)   p(y,z)  p(x,z)  p(x,y)  p(f(x), f(y)) No satisfactory solution yet. Saturation engine diverges

50 Engineering DPLL(T) + Saturation Ground equations (duplication of work) Superposition Congruence closure Partial solution: E-graph (congruence closure) → canonical set of rewriting rules [17]. Our problems have a huge number of ground equalities

51 Engineering DPLL(T) + Saturation Harvey SPASS + T SMELS LASCA

52 Engineering DPLL(T) + Saturation Better superposition calculus engine Variable inactivity (Bonacina) Assumption: saturated set of non-ground clauses is variable inactive and doesn’t contain interpreted functions. DPLL + Theories DPLL + Theories Saturation Solver Saturation Solver Ground literals Ground clauses

53 Engineering DPLL(T) + Saturation Tight integration: DPLL + Saturation. Non-unit ground clauses are delegated to DPLL. Good for software verification. Detecting unsound set of axioms. Implemented in Z3.2. Z3.2 won all  -divisions in SMT-COMP’08.

Download ppt "Leonardo de Moura and Nikolaj Bjørner Microsoft Research."

Similar presentations

SMELS: Sat Modulo Equality with Lazy Superposition Christopher Lynch – Clarkson Duc-Khanh Tran - MPI.

SMELS: Sat Modulo Equality with Lazy Superposition Christopher Lynch – Clarkson Duc-Khanh Tran - MPI.
Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.

Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.
Demand-driven inference of loop invariants in a theorem prover

Demand-driven inference of loop invariants in a theorem prover
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.

Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.
Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.

Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.
Satisfiability Modulo Theories and Network Verification Nikolaj Bjørner Microsoft Research Formal Methods and Networks Summer School Ithaca, June 10-14.

Satisfiability Modulo Theories and Network Verification Nikolaj Bjørner Microsoft Research Formal Methods and Networks Summer School Ithaca, June
Using SMT solvers for program analysis Shaz Qadeer Research in Software Engineering Microsoft Research.

Using SMT solvers for program analysis Shaz Qadeer Research in Software Engineering Microsoft Research.
50.530: Software Engineering

50.530: Software Engineering
SMT Solvers (an extension of SAT) Kenneth Roe. Slide thanks to C. Barrett & S. A. Seshia, ICCAD 2009 Tutorial 2 Boolean Satisfiability (SAT) ⋁ ⋀ ¬ ⋁ ⋀

SMT Solvers (an extension of SAT) Kenneth Roe. Slide thanks to C. Barrett & S. A. Seshia, ICCAD 2009 Tutorial 2 Boolean Satisfiability (SAT) ⋁ ⋀ ¬ ⋁ ⋀
Interpolants from Z3 proofs Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.

Interpolants from Z3 proofs Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.
Leonardo de Moura and Nikolaj Bjørner Microsoft Research.

Leonardo de Moura and Nikolaj Bjørner Microsoft Research.
Nikolaj Bjørner Microsoft Research Lecture 4. DayTopicsLab 1Overview of SMT and applications. SAT solving, Z3 Encoding combinatorial problems with Z3.

Nikolaj Bjørner Microsoft Research Lecture 4. DayTopicsLab 1Overview of SMT and applications. SAT solving, Z3 Encoding combinatorial problems with Z3.
Proof translation from CVC3 to Hol light Yeting Ge Acsys Mar 5, 2008.

Proof translation from CVC3 to Hol light Yeting Ge Acsys Mar 5, 2008.
Leonardo de Moura Microsoft Research. Satisfiability Modulo Theories: A Calculus of Computation Verification/Analysis tools need some form of Symbolic.

Leonardo de Moura Microsoft Research. Satisfiability Modulo Theories: A Calculus of Computation Verification/Analysis tools need some form of Symbolic.
K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA part 0 International Summer School Marktoberdorf Marktoberdorf,

K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA part 0 International Summer School Marktoberdorf Marktoberdorf,
Plan for today Proof-system search ( ` ) Interpretation search ( ² ) Quantifiers Equality Decision procedures Induction Cross-cutting aspectsMain search.

Plan for today Proof-system search ( ` ) Interpretation search ( ² ) Quantifiers Equality Decision procedures Induction Cross-cutting aspectsMain search.
Johannes Kepler University Linz, Austria 2008 Leonardo de Moura and Nikolaj Bjørner Microsoft Research.

Johannes Kepler University Linz, Austria 2008 Leonardo de Moura and Nikolaj Bjørner Microsoft Research.
Constraint Logic Programming Ryan Kinworthy. Overview Introduction Logic Programming LP as a constraint programming language Constraint Logic Programming.

Constraint Logic Programming Ryan Kinworthy. Overview Introduction Logic Programming LP as a constraint programming language Constraint Logic Programming.
The Model Evolution Calculus Peter Baumgartner, MPI Saarbruecken and U Koblenz Cesare Tinelli, U Iowa.

The Model Evolution Calculus Peter Baumgartner, MPI Saarbruecken and U Koblenz Cesare Tinelli, U Iowa.

Similar presentations

Ads by Google