David L. Dill, Stanford University. STP: A Decision Procedure for Bit-vectors and Arrays. Software analysis tools present unique challenges for decision procedures. Theories must match programming language semantics. Operations are on bit-vectors, not integers.
Identities:
read(write(A, i, v), j) = ite(i = j, v, read(A, j))
STP has a limited theory
No comparison of whole arrays, e.g. write(A, i, v) = write(A, j, w)
This makes things easier (see http://sprout.stanford.edu/PAPERS/LICS-SBDL-2001.pdf if you don’t like “easier”).
Input Formula
Substitutions
Simplifications
Linear Solving
Array Abstraction
BitBlast
CNF Conversion
Refinement Loop
SAT Solver
Result
Read(A,i0) = t0
Read(A,i1) = t1
...
Read(A,in) = tn
Replace array reads with fresh variables and axioms
v0 = t0
v1 = t1
...
vn = tn
(i1=i0) => v1=v0
(i2=i0) => v2=v0
(i2=i1) => v2=v1
…
Input
Read(A,0)=0
Read(A,i)=1
After Abstraction
v0 = 0
vi = 1
SATSolver
Counterexample
i = 0
v0 = 0
vi = 1
Check Input on Assignment
False:
Read(A,0)=0
Read(A,0)=1
Refinement Step:
Add Axiom
(i=0) => vi = 0
Rerun SATSolver
i=1
vi=1
Works well, even in satisfiable cases
read(write(A, i, v), j) =
ite(i=j, v, read(A, j)) <- “if-then-else”
causes term blow-up
The Problem with Array Writes
R(W(W(A,i0,v0),i1,v1),j) =
If (i1=j) v1
elsif (i0=j) v0
else R(A,j)
R(W(W(A,i0,v0),i1,v1),k) =
If (i1=k) v1
elsif (i0=k) v0
else R(A,k)
[Figure: expression DAGs over R, W, ite and = nodes with leaves A, i0, i1, v0, v1, j and k]
Replace
read(write(A, i, v), j)
with a fresh variable (e.g., v0)
and “axiom”
v0 = ite(i=j, v, read(A, j))
Abstraction omits axiom.
R(W(A,i,v),j)= 0
R(W(A,i,v),k)=1
i = j /= k
v /= 0
After Abstraction
v1=0
v2=1
i = j /= k
v /= 0
SATSolver
v1=0, v2=1
i = j = 0, k = 1, v = 1
Check model on original formula
False:
R(W(A,0,1),0)=0
R(W(A,0,1),1)=1
0 = 0 /= 1
1 /= 0
Refinement Step
Add Axiom to SAT
v1=ite(i=j,v,R(A,j))
UNSAT
Examples courtesy Dawn Song (CMU) and David Molnar (Berkeley)
(3 bits)
3x + 4y + 2z = 0
2x + 2y + 2 = 0
4y + 2x + 2z = 0
Solve for x in first eqn: 3^-1 mod 8 = 3,
x = 4y + 2z
Substitute x
(3 bits)
2y + 4z + 2 = 0
4y + 6z = 0
All Coeffs Even
No Inverse
Divide by 2
Ignore high-order bits
(2 bits)
y[1:0] + 2z[1:0] + 1 = 0
2y[1:0] + 3z[1:0] = 0
Solve for y[1:0]
(2 bits)
y[1:0]=2z + 3
Substitute y[1:0]
(2 bits)
3z[1:0] + 2 = 0
Solve for z[1:0]
(2 bits)
z[1:0]=2
Solution (3 bits):
z[1:0] = 2
y[1:0] = 2z[1:0] + 3 = 3
y = y’ @ 3
z = z’ @ 2
x = 4y + 2z
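The solve, substitute and divide-by-2 steps above, as an added Python example (not STP's code and not from the slides). The dict encoding of equations and the names solve_mod, ev and models are this example's own assumptions; it goes slightly beyond the slide by checking the solved form against brute force over all 3-bit values.

```python
from itertools import product

def solve_mod(eqs, bits):
    """Solve sum(coeff*var) + const = 0 (mod 2**bits) for every equation.
    An equation is a dict {var: coeff, 1: const}. Returns a list of
    (var, width, rhs): var[width-1:0] = rhs (mod 2**width); None if unsat."""
    eqs, solved = [dict(e) for e in eqs], []
    while bits > 0:
        m = 1 << bits
        eqs = [{k: c % m for k, c in e.items() if c % m} for e in eqs]
        eqs = [e for e in eqs if e]                    # drop trivial 0 = 0
        if not eqs:
            break
        pick = next(((e, v) for e in eqs for v in e if v != 1 and e[v] & 1), None)
        if pick:                                       # odd coefficient has an inverse
            e, v = pick
            inv = pow(e[v], -1, m)
            rhs = {k: -inv * c % m for k, c in e.items() if k != v}
            solved.append((v, bits, rhs))
            eqs.remove(e)
            for f in eqs:                              # substitute v in the rest
                cv = f.pop(v, 0)
                for k, c in rhs.items():
                    f[k] = f.get(k, 0) + cv * c
        elif any(e.get(1, 0) & 1 for e in eqs):        # even terms, odd constant
            return None
        else:                                          # all even: divide by 2 and
            eqs = [{k: c // 2 for k, c in e.items()} for e in eqs]
            bits -= 1                                  # ignore the high-order bit
    return solved

def ev(lin, env):
    """Evaluate a linear form {var: coeff, 1: const} under env (var -> int)."""
    return sum(c * (1 if k == 1 else env[k]) for k, c in lin.items())

def models(pred, bits, names):
    """Brute force: every assignment of `names` over `bits` bits where pred holds."""
    envs = (dict(zip(names, vals)) for vals in product(range(1 << bits), repeat=len(names)))
    return {tuple(env[n] for n in names) for env in envs if pred(env)}

# The 3-bit system from the slides (the dict encoding is this example's own).
SYSTEM = [{"x": 3, "y": 4, "z": 2}, {"x": 2, "y": 2, 1: 2}, {"x": 2, "y": 4, "z": 2}]
SOLVED = solve_mod(SYSTEM, 3)

def original(env):
    return all(ev(e, env) % 8 == 0 for e in SYSTEM)

def solved_form(env):
    return all((env[v] - ev(rhs, env)) % (1 << w) == 0 for v, w, rhs in SOLVED)
```

SOLVED lists x at width 3 and y, z at width 2, so the high bits of y and z stay free, which is why the brute-force check finds four models.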
Many block ciphers consist of a fixed sequence of “rounds”.
Implementations of rounds in two algorithms may vary, but bits “between” rounds are equal.
So, we only have to prove individual rounds are equivalent.
Equal for many test inputs.
Only try to prove equivalence when nodes pass this test.
Replace b by a everywhere in DAG.
This makes higher-level expressions more similar.