An Introduction to Z3

Size: px

Start display at page:

Download "An Introduction to Z3"

Georgiana Kennedy
6 years ago
Views:

1 An Introduction to Z3 Huixing Fang National Trusted Embedded Software Engineering Technology Research Center April 12, 2017

2 Outline 1 SMT 2 Z3 Huixing Fang (ECNU) An Introduction to Z3 April 12, / 24

3 Outline 1 SMT 2 Z3 Huixing Fang (ECNU) An Introduction to Z3 April 12, / 24

4 SMT: Satisfiability Modulo Theory 1 Satisfiability is the problem of determining whether a formula ϕ has a model 1 If ϕ is propositional, a model is a truth assignemt to Boolean variables 2 If ϕ is a first-order formula, a model assigns values to variables and interpretations to the function and predicate symbols 2 SAT Solvers: check satisfiability of propositional formulas 3 SMT Solvers: check satisfiability of formulas in a decidable first-order theory (eg, linear arithmetic, array theory, bitvectors) Huixing Fang (ECNU) An Introduction to Z3 April 12, / 24

5 Outline 1 SMT 2 Z3 Huixing Fang (ECNU) An Introduction to Z3 April 12, / 24

6 Z3 Context Huixing Fang (ECNU) An Introduction Z3 Figure: Contextto View April 12, / 24

7 Z3 Architecture Huixing Fang (ECNU) An Introduction to Z3 April 12, / 24

8 Z3 Architecture 1 Simplifier : Input formulas are first processed using an incomplete, but efficient simplification p true p x = 4 q(x) x = 4 q(4) 2 Compiler: The simplified abstract syntax tree representation of the formula is converted into a different data-structure comprising of a set of clauses and congruence-closure nodes 3 Congruence Closure Core: Handles equalities and uninterpreted functions Receives the assignment from the SAT solver, and processed using E-matching Huixing Fang (ECNU) An Introduction to Z3 April 12, / 24

9 Basic Commands 1 displays a message: (echo "starting Z3") Huixing Fang (ECNU) An Introduction to Z3 April 12, / 24

10 Basic Commands 1 displays a message: (echo "starting Z3") 2 declares a constant of a given type: (declare-const a Int) Huixing Fang (ECNU) An Introduction to Z3 April 12, / 24

11 Basic Commands 1 displays a message: (echo "starting Z3") 2 declares a constant of a given type: (declare-const a Int) 3 declares a function : (declare-fun f (Int Bool) Int) Huixing Fang (ECNU) An Introduction to Z3 April 12, / 24

12 Basic Commands 1 displays a message: (echo "starting Z3") 2 declares a constant of a given type: (declare-const a Int) 3 declares a function : (declare-fun f (Int Bool) Int) 4 asserts a formula : (assert (> a 10)) Huixing Fang (ECNU) An Introduction to Z3 April 12, / 24

13 Basic Commands 1 displays a message: (echo "starting Z3") 2 declares a constant of a given type: (declare-const a Int) 3 declares a function : (declare-fun f (Int Bool) Int) 4 asserts a formula : (assert (> a 10)) 5 defines a function: (define-fun a () Int 100) Huixing Fang (ECNU) An Introduction to Z3 April 12, / 24

14 Basic Commands 1 displays a message: (echo "starting Z3") 2 declares a constant of a given type: (declare-const a Int) 3 declares a function : (declare-fun f (Int Bool) Int) 4 asserts a formula : (assert (> a 10)) 5 defines a function: (define-fun a () Int 100) 6 defines a function: (define-fun f ((x Int) (y Bool)) Int (ite (and (= x 11) (= y true)) 0 1)) Huixing Fang (ECNU) An Introduction to Z3 April 12, / 24

15 Basic Commands 1 displays a message: (echo "starting Z3") 2 declares a constant of a given type: (declare-const a Int) 3 declares a function : (declare-fun f (Int Bool) Int) 4 asserts a formula : (assert (> a 10)) 5 defines a function: (define-fun a () Int 100) 6 defines a function: (define-fun f ((x Int) (y Bool)) Int (ite (and (= x 11) (= y true)) 0 1)) 7 check: (check-sat) determines whether the current formulas on the Z3 stack are satisfiable or not Huixing Fang (ECNU) An Introduction to Z3 April 12, / 24

16 Basic Commands 1 displays a message: (echo "starting Z3") 2 declares a constant of a given type: (declare-const a Int) 3 declares a function : (declare-fun f (Int Bool) Int) 4 asserts a formula : (assert (> a 10)) 5 defines a function: (define-fun a () Int 100) 6 defines a function: (define-fun f ((x Int) (y Bool)) Int (ite (and (= x 11) (= y true)) 0 1)) 7 check: (check-sat) determines whether the current formulas on the Z3 stack are satisfiable or not 8 model: (get-model) is used to retrieve an interpretation that makes all formulas on the Z3 internal stack true Huixing Fang (ECNU) An Introduction to Z3 April 12, / 24

17 Basic Commands Basic Building Blocks 1 The basic building blocks of SMT formulas are constants and functions Constants are just functions that take no arguments So everything is really just a function 2 An uninterpreted function or function symbol is one that has no other property than its name and n-ary form Huixing Fang (ECNU) An Introduction to Z3 April 12, / 24

18 Basic Commands Basic Building Blocks 1 The basic building blocks of SMT formulas are constants and functions Constants are just functions that take no arguments So everything is really just a function 2 An uninterpreted function or function symbol is one that has no other property than its name and n-ary form Valid and Satisfiable 1 A formula F is valid if F always evaluates to true for any assignment of appropriate values to its uninterpreted function and constant symbols 2 A formula F is satisfiable if there is some assignment of appropriate values to its uninterpreted function and constant symbols under which F evaluates to true Huixing Fang (ECNU) An Introduction to Z3 April 12, / 24

19 Propositional Logic The pre-defined sort Bool is the sort (type) of all Boolean propositional expressions Z3 supports the usual Boolean operators and, or, xor, not, => (implication), ite (if-then-else) Example Formulas: ( d e c l a r e c o n s t p Bool ) ( d e c l a r e c o n s t q Bool ) ( d e c l a r e c o n s t r Bool ) ( d e f i n e fun c o n j e c t u r e ( ) Bool (=> ( and (=> p q ) (=> q r ) ) (=> p r ) ) ) ( a s s e r t ( not c o n j e c t u r e ) ) ( check s a t ) Result: unsat Huixing Fang (ECNU) An Introduction to Z3 April 12, / 24

20 Uninterpreted functions and constants The basic building blocks of SMT formulas are constants and functions Constants are just functions that take no arguments So everything is really just a function Example Formulas: ( d e c l a r e fun f ( I n t ) I n t ) ( d e c l a r e fun a ( ) I n t ) ; a i s a c o n s t a n t ( d e c l a r e c o n s t b I n t ) ; s y n t a x s u g a r f o r ( d e c l a r e fun b ( ) I n t ) ( a s s e r t (> a 20)) ( a s s e r t (> b a ) ) ( a s s e r t (= ( f 10) 1 ) ) ( check s a t ) ( get model ) Huixing Fang (ECNU) An Introduction to Z3 April 12, / 24

21 Arithmetic Z3 has builtin support for integer and real constants These two types (sorts) represent the mathematical integers and reals ( d e c l a r e c o n s t a I n t ) ( d e c l a r e c o n s t b I n t ) ( d e c l a r e c o n s t d Real ) ( d e c l a r e c o n s t e Real ) ( a s s e r t (> a (+ b 2 ) ) ) ( a s s e r t (>= d e ) ) ( check s a t ) ( get model ) s a t ( model ( d e f i n e fun e ( ) Real 0 0 ) ( d e f i n e fun d ( ) Real 0 0 ) ( d e f i n e fun a ( ) I n t 1) ( d e f i n e fun b ( ) I n t ( 2 ) ) ) Huixing Fang (ECNU) An Introduction to Z3 April 12, / 24

22 Nonlinear arithmetic 1 A formula is nonlinear if it contains expressions of the form (* t s) where t and s are not numbers 2 Nonlinear real arithmetic is very expensive, and Z3 is not complete for this kind of formula ( d e c l a r e c o n s t a I n t ) ( a s s e r t (> ( a a ) 3 ) ) ( check s a t ) ( get model ) ( d e c l a r e c o n s t b Real ) ( d e c l a r e c o n s t c Real ) ( a s s e r t (= (+ ( b b b ) ( b c ) ) 3 0 ) ) ( check s a t ) s a t ( model ( d e f i n e fun a ( ) I n t ( 8) ) ) unknown Huixing Fang (ECNU) An Introduction to Z3 April 12, / 24

23 Bitvectors Bitvector Literals Bitvector literals may be defined using binary, decimal and hexadecimal notation 1 #b010 in binary format is a bitvector of size 3 2 bitvector literal #x0a0 in hexadecimal format is a bitvector of size 12 The size must be specified for bitvector literals in decimal format (_ bv10 32) is a bitvector of size 32 that representes the numeral 10 Z3 supports Bitvectors of arbitrary size (_ BitVec n) is the sort of bitvectors whose length is n Declare 64-bit bitvector constant x as follow: ( d e c l a r e c o n s t x (_ BitVec 64)) Huixing Fang (ECNU) An Introduction to Z3 April 12, / 24

24 Basic Bitvector Arithmetic 1 bvadd : a d d i t i o n 2 bvsub : s u b t r a c t i o n 3 bvneg : unary minus 4 bvmul : m u l t i p l i c a t i o n 5 bvurem : u n s i g n e d r e m a i n d e r 6 bvsrem : s i g n e d r e m a i n d e r 7 bvsmod : s i g n e d modulo 8 b v s h l : s h i f t l e f t 9 b v l s h r : u n s i g n e d ( l o g i c a l ) s h i f t r i g h t 10 b v a s h r : s i g n e d ( a r i t h m e t i c a l ) s h i f t r i g h t 11 bvor : b i t w i s e or 12 bvand : b i t w i s e and 13 bvnot : b i t w i s e not 14 bvnand : b i t w i s e nand 15 bvnor : b i t w i s e nor 16 bvxnor : b i t w i s e xnor Huixing Fang (ECNU) An Introduction to Z3 April 12, / 24

25 Arrays 1 The expression (select a i) returns the value stored at position i of the array a; 2 and (store a i v) returns a new array identical to a, but on position i it contains the value v ( d e c l a r e c o n s t x I n t ) ( d e c l a r e c o n s t y I n t ) ( d e c l a r e c o n s t a1 ( Array I n t I n t ) ) ( a s s e r t (= ( s e l e c t a1 x ) x ) ) ( a s s e r t (= ( s t o r e a1 x y ) a1 ) ) ( check s a t ) ( get model ) s a t ( model ( d e f i n e fun y ( ) I n t 1) ( d e f i n e fun a1 ( ) ( Array I n t I n t ) (_ as a r r a y k! 0 ) ) ( d e f i n e fun x ( ) I n t 1) ( d e f i n e fun k! 0 ( ( x! 1 I n t ) ) I n t ( i t e (= x! 1 1) 1 0 ) ) ) Huixing Fang (ECNU) An Introduction to Z3 April 12, / 24

26 Records A record is specified as a datatype with a single constructor and as many arguments as record elements Example Parametric type Pair, with constructor mk-pair and two arguments that can be accessed using the selector functions first and second ( d e c l a r e d a t a t y p e s (T1 T2) ( ( P a i r (mk p a i r ( f i r s t T1) ( second T2 ) ) ) ) ) ( d e c l a r e c o n s t p1 ( P a i r I n t I n t ) ) ( d e c l a r e c o n s t p2 ( P a i r I n t I n t ) ) ( a s s e r t (= p1 p2 ) ) ( a s s e r t (> ( second p1 ) 20)) ( check s a t ) ( get model ) ( a s s e r t ( not (= ( f i r s t p1 ) ( f i r s t p2 ) ) ) ) ( check s a t ) Huixing Fang (ECNU) An Introduction to Z3 April 12, / 24

27 Model-based Quantifier Instantiation The model-based quantifier instantiation (MBQI) is essentially a counter-example based refinement loop, where candidate models are built and checked ( s e t o p t i o n : smt mbqi t r u e ) ( d e c l a r e fun f ( I n t I n t ) I n t ) ( d e c l a r e c o n s t a I n t ) ( d e c l a r e c o n s t b I n t ) ( a s s e r t ( f o r a l l ( ( x I n t ) ) (>= ( f x x ) (+ x a ) ) ) ) ( a s s e r t (< ( f a b ) a ) ) ( a s s e r t (> a 0 ) ) ( check s a t ) ( get model ) ( e v a l ( f (+ a 10) 2 0 ) ) s a t ( model ( d e f i n e fun b ( ) I n t 2) ( d e f i n e fun a ( ) I n t 1) ( d e f i n e fun f ( ( x! 1 I n t ) ( x! 2 I n t ) ) I n t ( i t e ( and (= x! 1 1) (= x! 2 2 ) ) 0 (+ 1 x! 1 ) ) ) ) Huixing Fang (ECNU) An Introduction to Z3 April 12, / 24 12

28 Relations, rules and queries The default fixed-point engine is a bottom-up Datalog engine It works with finite relations and uses finite table representations as hash tables as the default way to represent finite relations ( d e c l a r e r e l a ( ) ) ( d e c l a r e r e l b ( ) ) ( d e c l a r e r e l c ( ) ) ( r u l e (=> b a ) ) ( r u l e (=> c b ) ) ( set o p t i o n : f i x e d p o i n t e n g i n e d a t a l o g ) ( query a ) ( r u l e c ) ( query a : p r i n t answer t r u e ) unsat s a t t r u e Huixing Fang (ECNU) An Introduction to Z3 April 12, / 24

29 Engine for Property Directed Reachability The PDR engine is targeted at applications from symbolic model checking of software The systems may be infinite state Example McCarthy s 91 function illustrates a procedure that calls itself recursively twice mc( x ) = i f x > 100 then x 10 e l s e mc(mc( x +11)) ( d e c l a r e r e l mc ( I n t I n t ) ) ( d e c l a r e v a r n I n t ) ( d e c l a r e v a r m I n t ) ( d e c l a r e v a r p I n t ) ( r u l e (=> (> m 100) (mc m ( m 1 0 ) ) ) ) ( r u l e (=> ( and (<= m 100) (mc (+ m 11) p ) (mc p n ) ) (mc m n ) ) ) Huixing Fang (ECNU) An Introduction to Z3 April 12, / 24

30 Engine for Property Directed Reachability Example McCarthy s 91 function illustrates a procedure that calls itself recursively twice mc( x ) = i f x > 100 then x 10 e l s e mc(mc( x +11)) ( d e c l a r e r e l mc ( I n t I n t ) ) ( d e c l a r e v a r n I n t ) ( d e c l a r e v a r m I n t ) ( d e c l a r e v a r p I n t ) ( r u l e (=> (> m 100) (mc m ( m 1 0 ) ) ) ) ( r u l e (=> ( and (<= m 100) (mc (+ m 11) p ) (mc p n ) ) (mc m n ) ) ) ( d e c l a r e r e l q ( I n t I n t ) ) ( r u l e (=> ( and (mc m n ) (< n 92)) ( q m n ) ) ) ( query q : p r i n t c e r t i f i c a t e t r u e ) Huixing Fang (ECNU) An Introduction to Z3 April 12, / 24

31 Engine for Property Directed Reachability Example McCarthy s 91 function illustrates a procedure that calls itself recursively twice mc( x ) = i f x > 100 then x 10 e l s e mc(mc( x +11)) s a t ( and ( not (<= 92 ( : v a r 5 ) ) ) (mc ( : v a r 4) ( : v a r 5 ) ) (= ( : v a r 5) (+ ( 10) ( : v a r 4 ) ) ) ( not (<= ( : v a r 4) 100)) ) v5 < 92 mc( v4 ) = v5 v5 = v4 10 v4 > 100 Huixing Fang (ECNU) An Introduction to Z3 April 12, / 24

32 End Thanks for your attention Huixing Fang (ECNU) An Introduction to Z3 April 12, / 24

Introduction to Z3. Bow-Yaw Wang. December 19, Institute of Information Science Academia Sinica, Taiwan

Introduction to Z3. Bow-Yaw Wang. December 19, Institute of Information Science Academia Sinica, Taiwan Introduction to Z3 Bow-Yaw Wang Institute of Information Science Academia Sinica, Taiwan December 19, 2017 Bow-Yaw Wang (Academia Sinica) Introduction to Z3 December 19, 2017 1 / 26 Outline 1 Introduction