
Z3: A Decision Engine for Software

Z3: A Decision Engine for Software. Nikolaj Bjørner and Leonardo de Moura, Microsoft Research. TCN Programming Languages event, January 31st. Slides: http://my/sites/redmond_nbjorner/. Outline: RiSE – a primer; Symbolic Reasoning; Engines using Z3; What is SMT?; Little Engines of Proof.





Presentation Transcript


  1. Z3: A Decision Engine for Software Nikolaj Bjørner and Leonardo de Moura Microsoft Research TCN Programming Languages event, January 31st Slides: http://my/sites/redmond_nbjorner/

  2. RiSE RiSE – a primer Symbolic Reasoning Engines using Z3 What is SMT? Little Engines of Proof Solver: Interaction Directions Extra: Nuts and Bolts Microsoft Research Redmond

  3. RiSE: Research in Software Engineering http://rise4fun.com/AGL/rise

  4. AGL – Automatic Graph Layout. Lev Nachmanson, Tim Dwyer, Ted Hart, Alexander Holroyd. • Applications: Dev10 Progression, Dev11 Tuvalu, SpecExplorer, many others

  5. CCI and ER. CCI2: Common Compiler Infrastructure v2 (Herman Venter). ER: Extended Reflection (Nikolai Tillmann). HeapDbg uses CCI+AGL (Manuel Fähndrich, Mark Marron). SMT@Microsoft

  6. Cuzz: Concurrency Fuzzing
  Original program (a parent thread and the child it creates):
      Parent:                 Child:
      void* p = 0;            Init();
      CreateThd(child);       DoMoreWork();
      p = malloc(…);          p->f ++;
  Instrumented with calls to Cuzz:
      Parent:                 Child:
      void* p = 0;            Init();
      CallCuzz();             CallCuzz();
      CreateThd(child);       DoMoreWork();
      CallCuzz();             CallCuzz();
      p = malloc(…);          p->f ++;
  The calls become random delays:
      Parent:                 Child:
      void* p = 0;            Init();
      RandDelay();            RandDelay();
      CreateThd(child);       DoMoreWork();
      RandDelay();            RandDelay();
      p = malloc(…);          p->f ++;
  • Instrument calls to Cuzz
  • Insert random delays
  • Use the Cuzz algorithm to determine when and by how much to delay. This is where all the magic (probabilistic analysis) is: the delays drive the program into interleavings such as the child executing p->f ++ before the parent's malloc has assigned p.
  Cuzz by Madan Musuvathi and Sebastian Burckhardt; shipped in AppVerifier, used to find bugs in SQL, IE, ACPI, Kernel

  7. Symbolic Reasoning RiSE- a primer Symbolic Reasoning Engines using Z3 What is SMT? Little Engines of Proof Solver: Interaction Directions Extra: Nuts and Bolts

  8. Tools using the Z3 Decision Engine http://research.microsoft.com/projects/z3

  9. Symbolic Reasoning • Verification/Analysis tools need some form of Symbolic Reasoning

  10. What is logic? • Logic is the science of effective symbolic reasoning. • How can we draw general and reliable conclusions from a collection of facts? • Formal logic: Precise, syntactic characterizations of well-formed expressions and valid deductions. • Formal logic makes it possible to calculate consequences at the symbolic level. • Computers can be used to automate such symbolic calculations.

  11. Symbolic Reasoning. Logic is “The Calculus of Computer Science” (Z. Manna). Logic is succinct, and the price is high computational complexity:
  • Undecidable (FOL + LA)
  • Semi-decidable (First-order logic)
  • NEXPTime-complete (EPR)
  • PSpace-complete (QBF)
  • NP-complete (Propositional logic)
  • P-time (Equality)

  12. Symbolic Engines: SAT, FTP and SMT • SAT: Propositional Satisfiability. (Tie ∨ Shirt) ∧ (¬Tie ∨ Shirt) ∧ (¬Tie ∨ ¬Shirt) • FTP: First-order Theorem Proving. ∀X,Y,Z [X*(Y*Z) = (X*Y)*Z], ∀X [X*inv(X) = e], ∀X [X*e = X] • SMT: Satisfiability Modulo background Theories. b + 2 = c ∧ A[3] ≠ A[c-b+1]

  13. SAT - Milestones. Problems impossible 10 years ago are trivial today. [Chart: concept vs. 2002 vs. 2010; millions of variables from HW designs]

  14. FTP - Milestones • Some success stories: • Open problems (of 25 years): XCB: X ≡ (((X ≡ Y) ≡ (Z ≡ Y)) ≡ Z) is a single axiom for equivalence • Knowledge ontologies: GBs of formulas. Courtesy Andrei Voronkov, Manchester U

  15. SMT - Milestones. [Charts: Z3 (of ’07) vs. Simplify (of ’01) time on the Boogie regression (1 sec scale); Z3 time on the VCC regression, Nov 08 to March 09.] Includes progress from SAT: 15KLOC + 215KLOC = Z3

  16. Z3 participates in and wins SMT competitions

  17. Engines Using Z3 RiSE- a primer Symbolic Reasoning Engines using Z3 What is SMT? Little Engines of Proof Solver: Interaction Directions Extra: Nuts and Bolts

  18. Microsoft Researchers using Symbolic Logic Engines

  19. Applications

  20. Some Microsoft Engines using Z3
  • SDV: The Static Driver Verifier
  • Pex: Program EXploration for .NET
  • SAGE: Scalable Automated Guided Execution
  • Spec#: C# + contracts
  • VCC: Verifying C Compiler for the Viridian Hyper-Visor
  • HAVOC: Heap-Aware Verification of C-code
  • SpecExplorer: Model-based testing of protocol specs
  • Yogi: Dynamic symbolic execution + abstraction
  • FORMULA: Model-based Design
  • PREfix: The Static Analysis Engine for C/C++
  • F7: Refinement types for security protocols
  • Rex: Regular Expressions and formal languages
  • VS3: Abstract interpretation and Synthesis
  • VERVE: Verified operating system
  • FINE: Proof carrying certified code
  • SLAyer: Separation Logic-based Static Analysis

  21. Test case generation
      unsigned GCD(x, y) {
        requires(y > 0);
        while (true) {
          unsigned m = x % y;
          if (m == 0) return y;
          x = y;
          y = m;
        }
      }
  We want a trace where the loop is executed twice. The path in SSA form:
      (y0 > 0) and (m0 = x0 % y0) and not (m0 = 0) and (x1 = y0) and (y1 = m0) and (m1 = x1 % y1) and (m1 = 0)
  Model returned by the solver:
      x0 = 2, y0 = 4, m0 = 2, x1 = 4, y1 = 2, m1 = 0
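The path constraint on slide 21, written out as an SMT-LIB 2 script that Z3 can run as-is. This is an added example, not part of the slides or of Pex/SAGE; it assumes 32-bit unsigned arithmetic (bit-vectors with bvurem), and the second query, which adds x0 = y0 to show an infeasible path, is the editor's own addition.

```smt2
; Added example (not from the slides): the two-iteration GCD path of slide 21
; as an SMT-LIB 2 script. Variables are 32-bit bit-vectors so that "unsigned"
; and % keep their C meaning (bvurem = unsigned remainder).
(set-option :produce-models true)
(set-logic QF_BV)

(declare-const x0 (_ BitVec 32))
(declare-const y0 (_ BitVec 32))
(declare-const m0 (_ BitVec 32))
(declare-const x1 (_ BitVec 32))
(declare-const y1 (_ BitVec 32))
(declare-const m1 (_ BitVec 32))

; requires(y > 0)
(assert (bvugt y0 #x00000000))
; iteration 1: m = x % y; the loop does not return, so m != 0
(assert (= m0 (bvurem x0 y0)))
(assert (not (= m0 #x00000000)))
; x = y; y = m;
(assert (= x1 y0))
(assert (= y1 m0))
; iteration 2: m = x % y; this time the loop returns, so m == 0
(assert (= m1 (bvurem x1 y1)))
(assert (= m1 #x00000000))

(check-sat)                      ; sat
(get-value (x0 y0 m0 x1 y1 m1))  ; one concrete test input, e.g. x0 = 2, y0 = 4

; Infeasible-path check (editor's addition): the same path with x == y on entry.
; Then m0 = x0 % x0 = 0, which contradicts m0 != 0, so the path is unsat and a
; test generator can prune it without executing anything.
(push)
(assert (= x0 y0))
(check-sat)                      ; unsat
(pop)
```

Z3 is free to return any model satisfying the constraints, so the concrete values may differ from the slide's x0 = 2, y0 = 4; what a test generator relies on is that every model is a valid input for that path, and that unsat means the path cannot be taken at all.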

  22. Pex – Program Exploration

  23. Rex – Regular Expression Exploration

  24. Bek – Symbolic Transducers

  25. FINE: F# with Refinement Types. Signature: div : int, { x : int | x ≠ 0 } → int. Call site: • if a ≥ 1 and a ≤ b then • return div(a, b). Subtyping at the call site yields the verification condition • a ≥ 1 and a ≤ b implies b ≠ 0

  26. FORMULA: Design Space Exploration Use Design Space Exploration to identify valid candidate architectures

  27. Extended Static Checking and Verification. [Diagram: Hyper-V, NTFS, SymDiff and F7/FINE feed VCC, HAVOC and Boogie; a verification condition goes to the solver and a bug path comes back]

  28. What is SMT? RiSE- a primer Symbolic Reasoning Engines using Z3 What is SMT? Little Engines of Proof Solver: Interaction Solver: Nuts and Bolts Directions

  29. Satisfiability Modulo Theories (SMT) • b + 2 = c and f(read(write(a,b,3), c-2)) ≠ f(c-b+1)

  30. Satisfiability Modulo Theories (SMT) • b + 2 = c and f(read(write(a,b,3), c-2)) ≠ f(c-b+1) Arithmetic

  31. Satisfiability Modulo Theories (SMT) • b + 2 = c and f(read(write(a,b,3), c-2)) ≠ f(c-b+1) Array Theory Arithmetic

  32. Satisfiability Modulo Theories (SMT) • b + 2 = c and f(read(write(a,b,3), c-2)) ≠ f(c-b+1) Uninterpreted Functions Array Theory Arithmetic

  33. Satisfiability Modulo Theories (SMT) • b + 2 = c and f(read(write(a,b,3), c-2)) ≠ f(c-b+1) • Substituting c by b+2

  34. Satisfiability Modulo Theories (SMT) • b + 2 = c and f(read(write(a,b,3), b+2-2)) ≠ f(b+2-b+1) • Simplifying

  35. Satisfiability Modulo Theories (SMT) • b + 2 = c and f(read(write(a,b,3), b)) ≠ f(3)

  36. Satisfiability Modulo Theories (SMT) • b + 2 = c and f(read(write(a,b,3), b)) ≠ f(3) • Applying array theory axiom • forall a,i,v: read(write(a,i,v), i) = v

  37. Satisfiability Modulo Theories (SMT) • b + 2 = c and f(3) ≠ f(3) • Inconsistent/Unsatisfiable
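The formula worked through on slides 29–37, handed to Z3 instead of simplified by hand. This is an added example, not from the slides; SMT-LIB spells read/write as select/store, and the second query (reading at c-1 rather than c-2) is the editor's variant, added to show the satisfiable case.

```smt2
; Added example (not from the slides): the formula of slides 29-37 in SMT-LIB 2.
; b, c are integers, a is an integer array, f is an uninterpreted function.
(set-option :produce-models true)
(set-logic QF_AUFLIA)

(declare-const b Int)
(declare-const c Int)
(declare-const a (Array Int Int))
(declare-fun f (Int) Int)

; b + 2 = c (shared by both queries below)
(assert (= (+ b 2) c))

; Query 1: f(read(write(a,b,3), c-2)) != f(c-b+1)
(push)
(assert (not (= (f (select (store a b 3) (- c 2)))
                (f (+ (- c b) 1)))))
(check-sat)   ; unsat: c-2 = b, so the select hits the stored 3 and f(3) != f(3) is impossible
(pop)

; Query 2 (editor's variant): read one position past the written one.
; c-1 = b+1 != b, so the read-over-write axiom for a different index applies,
;   forall a,i,j,v: i != j implies read(write(a,i,v), j) = read(a, j)
; and nothing constrains a[b+1], so Z3 can choose a model with f(a[b+1]) != f(3).
(push)
(assert (not (= (f (select (store a b 3) (- c 1)))
                (f (+ (- c b) 1)))))
(check-sat)   ; sat
(get-model)   ; e.g. b = 0, c = 2, a[1] = 0, f(0) = 0, f(3) = 1
(pop)
```

The push/pop pair keeps the shared assertion b + 2 = c and retracts only the disequality, which is how a tool explores many variants of one verification condition against a single solver instance.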

  38. SMT by Example: Job Shop Scheduling. [Figure: machines, tasks, jobs; laundry as the running example; “P = NP?”]

  39. Job Shop Scheduling. Constraints: Precedence: between two tasks of the same job. Resource: machines execute at most one job at a time. [Figure: tasks laid out over time on the machines, labelled 1–4]

  40. Job Shop Scheduling. Encoding, with t2,3 the start time of job 2 on machine 3 and d2,3 the duration of job 2 on machine 3: Precedence: job 2's task on machine 3 must finish before its next task starts, t2,3 + d2,3 ≤ start time of job 2's next task. Resource: two jobs that both use machine 3 (say jobs 1 and 2) cannot overlap, t2,3 + d2,3 ≤ t1,3 or t1,3 + d1,3 ≤ t2,3. The disjunction is what makes the resource constraint not convex.

  41. Job Shop Scheduling

  42. From Constraints To Models
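A complete instance of the encoding from slides 39–40, small enough to check by hand. This is an added example, not from the slides: the two jobs, the machine order and the durations are chosen here, the variable names t_i_m (start of job i on machine m) and d_i_m (its duration) follow the slide's convention, and the (minimize …) and (get-objectives) commands are Z3's optimization extension rather than core SMT-LIB.

```smt2
; Added example (not from the slides): a 2-job, 2-machine job shop in SMT-LIB 2
; using the precedence and resource constraints of slides 39-40.
; job 1: machine 1 for 2 time units, then machine 2 for 1 unit
; job 2: machine 2 for 2 time units, then machine 1 for 1 unit
(set-option :produce-models true)

(declare-const t_1_1 Int) (declare-const t_1_2 Int)
(declare-const t_2_2 Int) (declare-const t_2_1 Int)
(declare-const makespan Int)

; durations (constants chosen for this example)
(define-fun d_1_1 () Int 2) (define-fun d_1_2 () Int 1)
(define-fun d_2_2 () Int 2) (define-fun d_2_1 () Int 1)

; no task starts before time 0
(assert (and (>= t_1_1 0) (>= t_1_2 0) (>= t_2_2 0) (>= t_2_1 0)))

; precedence: a job's next task starts after its previous task finishes
(assert (<= (+ t_1_1 d_1_1) t_1_2))
(assert (<= (+ t_2_2 d_2_2) t_2_1))

; resource: a machine runs one task at a time. The disjunction is the
; non-convex part: either job 1 goes first on the machine or job 2 does.
(assert (or (<= (+ t_1_1 d_1_1) t_2_1)
            (<= (+ t_2_1 d_2_1) t_1_1)))   ; machine 1
(assert (or (<= (+ t_1_2 d_1_2) t_2_2)
            (<= (+ t_2_2 d_2_2) t_1_2)))   ; machine 2

; makespan bounds the end time of every job's last task
(assert (>= makespan (+ t_1_2 d_1_2)))
(assert (>= makespan (+ t_2_1 d_2_1)))

(minimize makespan)   ; Z3 optimization extension
(check-sat)           ; sat
(get-objectives)      ; makespan 3: each machine has 3 units of work, so 3 is optimal
(get-model)           ; e.g. t_1_1 = 0, t_1_2 = 2, t_2_2 = 0, t_2_1 = 2
```

Without (minimize …) the same script answers any fixed bound by adding (assert (<= makespan N)): N = 2 is unsat because machine 1 alone carries 3 units of work, and N = 3 is sat with the schedule above.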

  43. Little Engines of Proof RiSE- a primer Symbolic Reasoning Engines using Z3 What is SMT? Little Engines of Proof Solver: Interaction Directions Extra: Nuts and Bolts

  44. Little Engines of Proof An SMT Solver is a collection of Little Engines of Proof

  45. Little Engines of Proof An SMT Solver is a collection of Little Engines of Proof Examples: SAT Solver Equality solver Arithmetic solver

  46. SMT: Basic Architecture. Case analysis (the SAT core) drives the theory solvers: • Equality + UF • Arithmetic • Bit-vectors • Data-types • … 15KLOC + 215KLOC = Z3

  47. Theories • Uninterpreted functions • Arithmetic (linear) • Bit-vectors • Algebraic data-types • Arrays • User-defined

