Nikolaj Bjørner Microsoft Research Tractability Workshop MSR Cambridge July 5, FSE &

Transcription

1 Nikolaj Bjørner Microsoft Research Tractability Workshop MSR Cambridge July 5, FSE &

2 Z3 An Efficient SMT solver: Overview and Applications. A hands on example of Engineering SMT solvers: Efficient Theory Resolution using DPLL(T).

3 - SDV: The Static Driver Verifier - PREfix: The Static Analysis Engine for C/C++. - Pex: Program EXploration for.net. - SAGE: Scalable Automated Guided Execution - Spec#: C# + contracts - VCC: Verifying C Compiler for the Viridian Hyper-Visor - HAVOC: Heap-Aware Verification of C-code. - SpecExplorer: Model-based testing of protocol specs. - Yogi: Dynamic symbolic Hyper-V execution + abstraction. - FORMULA: Model-based Design - F7: Refinement types for security protocols - M3: Model Program Modeling - VS3: Abstract interpretation and Synthesis - VERVE: Verified operating system - FINE: Proof carrying certified code

4 Slide shamelessly stolen and adapted from [Patrice Godefroid, ISSTA 2010] 100+ CPU-years - largest dedicated fuzz lab in the world 100s apps - fuzzed using SAGE 100s previously unknown bugs found 1,000,000,000+ computers updated with bug fixes Millions of $ saved for Users and Microsoft 10s of related tools (incl. Pex), 100s DART citations 100,000,000+ constraints - largest usage for any SMT solver

5 3(INT_MAX+1)/4 + (INT_MAX+1)/4 int binary_search(int[] arr, int low, int high, = INT_MIN int key) while (low <= high) { // Find middle value int mid = (low + high) / 2; int val = arr[mid]; if (val == key) return mid; if (val < key) low = mid+1; else high = mid-1; } return -1; } Package: java.util.arrays Function: binary_search void itoa(int n, char* s) { if (n < 0) { *s++ = - ; n = -n; } // Add digits to s. Book: Kernighan and Ritchie Function: itoa (integer to ascii) -INT_MIN= INT_MIN

6 ULONG AllocationSize; while (CurrentBuffer!= NULL) { if (NumberOfBuffers > MAX_ULONG / sizeof(mybuffer)) { return NULL; } NumberOfBuffers++; CurrentBuffer = CurrentBuffer->NextBuffer; } AllocationSize = sizeof(mybuffer)*numberofbuffers; UserBuffersHead = malloc(allocationsize); Overflow check Increment and exit from loop Bug is simple and local Overflow((nb+1)*sizeof(MYBUFFER)) within a large program CurrentBuffer == NULL 6/26/2009 nb <= MAX_ULONG/sizeof(MYBUFFER) 6 Possible overflow

7 Building Verve 9 person-months Source file Verification tool Compilation tool Kernel.cs C# compiler Nucleus.bpl (x86) Kernel.obj (x86) Verified Translator/ Assembler Boogie/Z3 TAL checker Linker/ISO generator Safe to the Last Instruction / Jean Yang & Chris Hawbliztl PLDI 2010 Verve.iso

8 x 2 y f ( read( write( a, x,3), y 2)) f ( y x 1) Array Theory Arithmetic Uninterpreted Functions read ( write( a, i, v), i) v i j read ( write( a, i, v), j) read ( a, j) Z3: An Efficient SMT

9 Simplify SMT-LIB Native Bit-Vectors Theory Solvers Arrays Lin-arithmetic Groebner basis Comb. Array Logic Recursive Datatypes Free (uninterpreted) functions OCaml.NET C F# quote SAT core Model Generation: Finite Models Quantifiers: E-matching Quantifiers: Super-position Parallel Z3 Proof objects Cores: Assumption tracking By Leonardo de Moura & Nikolaj Bjørner

10 Constraints from Software Applications are in spite of Constraint language highly intractable Algorithms high worst case complexity Tractable

11 1000 Modification in invariant checking Switch to Z3 v2 100 Z3 v2 update 10 1 Switch to Boogie2 Attempt to improve Boogie/Z3 interaction 0.1

12

13 Constraint languages highly intractable Algorithms high worst case complexity

14 Constraints from Software Applications are Tractable a b b < c c a x y y < z z < u x w x v x 1 x 2 x 3 Unsat a b b c c a x = w x = v x = 1 x 2 x 3 x y y < z z < u a = b = c x, v, w = 1 x = 1 2,3 y,z,u free Proofs are small Models are determined or free

15 What is then important for engineering solvers? Solve tractable parts Strong Simplification Efficient Indexing Avoid getting stuck - efficient theory solvers - reduce the clutter - minimize & reuse work - restarts, parallel search

16 What is then important for engineering solvers? Solve tractable parts Strong Simplification Efficient Indexing Avoid getting stuck - efficient theory solvers [Efficient, Generalized Array Decision Procedures de Moura & B] - reduce the clutter [Z3 An Efficient SMT Solver de Moura & B] - minimize & reuse work [Efficient E-matching de Moura & B] - restarts, parallel search [Parallel Portfolio, Wintersteiger, Hamadi & de Moura]

17 Constraints from Software Applications are Tractable Problem solved, end of talk

18 Constraints from Software Applications are Tractable sometimes quite intractable for existing techniques

19 Poses a challenge to Z3

20 Bit-vector multiplication using SAT a 0 b 3 a 0 b 2 a 0 b 1 a 0 b 0 O(n 2 ) clauses HA a 1 b 2 HA a 1 b 1 HA a 1 b 0 FA a 2 b 1 FA a 2 b 0 SAT solving time increases exponentially. Similar for BDDs. [Bryant, MC25, 08] FA a 3 b 0 Brute-force enumeration + evaluation faster for 20 bits. [Matthews, BPR 08] out 3 out 2 out 1 out 0 out N = a N b N

21 DPLL(T) is Z3 s main core search framework Efficient SAT technologies DPLL + CDCL + Restart = Space Efficient Resolution Efficient integration of incremental theory solvers Theory lemmas (T-Conflicts) Theory propagation (T-Propagation) But we claim Contemporary DPLL(T) < Resolution

22 But DPLL(T) < Resolution Possible remedies: - Forget DPLL(T). Use other core engine. - Adapt DPLL(T). Elaboration here. We call it: Conflict Directed Theory Resolution

23 Conflict Resolve Learn q Conflict p q, p q, p q, p q Propagate p q Backjump q Guess q Propagate q

24 Builds resolution proof General Resolution DPLL + CDCL + Restart (CDCL: Conflict Directed Clause Learning) Space Efficient DPLL does not create intermediary clauses Efficient indexing and heuristics 2-watch literals, Restarts, phase selection, clause minimization

25 Initialize ε F F is a set of clauses Decide M F M, l F l is unassigned Propagate M F, C l M, l C l F, C l C is false under M Conflict M F, C M F, C C C is false under M Resolve M F C l M F C C l C l M Learn M F C M F, C C Backjump M lm F C l Ml C l F C as no literals in M Unsat M F Unsat Sat M F M F true under M Restart M F ε F Adapted and modified from [Nieuwenhuis, Oliveras, Tinelli J.ACM 06]

26 T- Propagate M F, C l M, l C l F, C l C is false under T + M T- Conflict M F M F M M M and M is false under T T- Propagate a > b, b > c F, a c b d a > b, b > c, b d a c b d F, a c b d T- Conflict M F M F, a b b c c < a were a > b, b > c, a c M Introduces no new literals - terminates

27 The Black Diamonds of DPLL(T) 49 (a 1 a 50 ) [ a i b i b i a i+1 (a i c i c i a i+1 )] i=1 Has no short DPLL(T) proof. Has short DPLL(T) proof when using a 1 a 2, a 2 a 3, a 3 a 4,, a 49 a 50 Example from [Rozanov, Strichman, SMT 07]

28 Idea: DPLL( ) [B, Dutertre, de Moura 08] Try branch a 1 b 1 b 1 a 2 Try branch (a 1 b 1 b 1 a 2 ) Implies a 1 b 1 a 2 Implies a 1 c 1 a 2 Collect implied equalities Collect implied equalities Compute the join of the two equalities common equalities are learned Still potentially O(n 2 ) rounds just at base level of search.

29 Single case splits don t suffice Requires 2 case splits to collect implied equalities

30 We now describe an approach we call: Conflict Directed Theory Resolution resolve literals from conflicts simulates resolution proofs. Engineering: Throttle resolution dynamically based on activity.

31 49 (a 1 a 50 ) [ a i b i b i a i+1 (a i c i c i a i+1 )] i=1 Eventually, many conflicts contain: a 1 b 1 b 1 a 2 Use E-resolution, add clause: a 1 b 1 b 1 a 2 a 1 a 2 Then DPLL(T) learns by itself: a 1 a 2

32 N i=1 p i x i v 0 p i x i v 1 p i y i v 0 p i y i v 1 (f x N,, f x 2, x 1 f y N,, f y 2, y 1 ) Eventually, many conflicts contain: Add: N x i u i y i u i u i = v 0 or u i = v 1 for i = 1.. N (f x N,, f x 2, x 1 f y N,, f y 2, y 1 ) ( x i y i ) f x N,, f x 2, x 1 f y N,, f y 2, y 1 i=1

33 a = f(f(a)), a = f(f(f(a))), a f(a) First Step: Naming subterms

34 a = v 2, a = v 3, a v 1, v 1 f a, v 2 f v 1, v 3 f(v 2 ) and merge equalities a, v 2, v 3 v 1

35 a = v 2, a = v 3, a v 1, v 1 f a, v 2 f v 1, v 3 f(v 2 ) Second step. Apply Congruence Rule: x 1 = y 1,, x n = y n implies f(x 1,, x n ) = f(y 1,, y n ) a, v 2, v 3 v 1

36 a = v 2, a = v 3, a v 1, v 1 f a, v 2 f v 1, v 3 f(v 2 ) Second step. Apply Congruence Rule: a v 2 implies f a f v 2 : v 1 v 3 a, v 2, v 3, v 1

37 Dynamic Ackermann Reduction If Congruence Rule repeatedly learns f v, v f w, w Then add clause for SAT core to use v w v w f v, v f w, w Used in Yices and Z3 to find short congruence closure proofs [Yices Tool 06, Dutertre, de Moura] [Model-based Theory Combination 07, de Moura, B]

38 Dynamic Ackermann Reduction If Congruence Rule repeatedly learns f v, v f w, w for literal f v, v f w, w Then add clause for SAT core to use v w v w f v, v f w, w Leo identified the following useful optimization filter heuristic used in Z3 Peel the onion from outside

39 Dynamic Ackermann Reduction If Congruence Rule repeatedly learns f v, v f w, w Then add clause for SAT core to use v w v w f v, v f w, w Dynamic Ackermann Reduction with Transitivity If Equality Transitivity repeatedly learns u w from u v and v w Then add clause for SAT core to use u v v w v w

40 Claim: Ground E-Resolution DPLL(E) + Dynamic Ackermann Reduction with Transitivity Alternative: Static Ackermann Reduction [Singerman, Pnueli, Velev, Bryant, Strichman, Lahiri, Seisha, Bruttomesso,Cimatti, Franzen, Griggio, Santuari, Sebastiani], P-simulates ground E-Resolution. But it has high up-front space overhead Effect on the Diamond Example:. sec

41 a < x 1 a < x 2 x 1 < b x 2 < b b < y 1 b < y 2 y 1 < c y 2 < c c < z 1 c < z 2 z 1 < a z 2 < a x 1 y 1 z 1 a b c a x 2 y 2 z 2

42 x 1 a b c a y 2 z 2

43 x 1 b c a y 2 z 2

44 x 1 b a y 2 z 2 c

45 Top Two Most Active vertices x 1 Add clause a < x 1 < b a < b b y 2 < z 2 a c

46 Z3 supported theories all reduce to one of CDTR Arithmetic Equality Booleans Th(Equalities): Extended Dynamic Ackermann Th(Differences): Cutting loops Th(LRA): Fourier-Motzkin resolution Th(LIA): Perhaps: Integer FM [B. IJCAR 10] CDTR and theory combinations: Theories communicate equalities between shared variables. Build clauses using these equalities.

47 Modern SMT solvers are tuned to but limitations of basic proof calculus shows up. Presented a technique to close the gap Dynamic - to make it practical. Based on applying Resolution to conflicts. Just one of many possible optimizations. The quest for improving search continues e.g. cutting plane proofs, arbitrary cuts (Frege)