Z3: A Decision Engine for Software

Nikolaj Bjørner and Leonardo de Moura, Microsoft Research
TCN Programming Languages event, January 31st
Slides: http://my/sites/redmond_nbjorner/

Posted on 23-Feb-2016

Title slide: Z3: A Decision Engine for Software. Nikolaj Bjørner and Leonardo de Moura, Microsoft Research. TCN Programming Languages event, January 31st. Slides: http://my/sites/redmond_nbjorner/

Slide footer (1/31/2011 10:43 AM): © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.


Outline:
  RiSE - a primer
  Symbolic Reasoning
  Engines using Z3
  What is SMT?
  Little Engines of Proof
  Solver: Interaction
  Directions
  Extra: Nuts and Bolts

Microsoft Research Redmond. RiSE: Research in Software Engineering.

AGL: Automatic Graph Layout
http://rise4fun.com/AGL/rise
Lev Nachmanson, Tim Dwyer, Ted Hart, Alexander Holroyd.
Applications: Dev10 Progression, Dev11, Tuvalu, SpecExplorer, many others.

CCI and ER (SMT@Microsoft)

HeapDbg uses CCI+AGL (Manuel Fähndrich, Mark Marron).
CCI2: Common Compiler Infrastructure v2 (Herman Venter).

ER: Extended Reflection (Nikolai Tillmann).

Cuzz: Concurrency Fuzzing

Original program (the slide labels a parent and a child thread):
    void* p = 0;
    CreateThd(child);
    p = malloc();
    Init();
    DoMoreWork();
    p->f++;

1. Instrument calls to Cuzz:
    void* p = 0;
    CallCuzz(); CreateThd(child);
    CallCuzz(); p = malloc();
    Init();
    CallCuzz(); DoMoreWork();
    CallCuzz(); p->f++;

2. Insert random delays:
    void* p = 0;
    RandDelay(); CreateThd(child);
    RandDelay(); p = malloc();
    Init();
    RandDelay(); DoMoreWork();
    RandDelay(); p->f++;

3. Use the Cuzz algorithm to determine when and by how much to delay. This is where all the magic (probabilistic analysis) is.

Cuzz by Madan Musuvathi, Sebastian Burckhardt; in AppVerifier, used to find bugs in SQL, IE, ACPI, Kernel.

Section: Symbolic Reasoning

Tools using the Z3 Decision Engine: http://research.microsoft.com/projects/z3

Symbolic Reasoning: verification/analysis tools need some form of symbolic reasoning.

What is logic?
Logic is the science of effective symbolic reasoning. How can we draw general and reliable conclusions from a collection of facts?
Formal logic: precise, syntactic characterizations of well-formed expressions and valid deductions. Formal logic makes it possible to calculate consequences at the symbolic level. Computers can be used to automate such symbolic calculations.

Symbolic Reasoning: the complexity landscape
  P-time: Equality
  NP-complete: Propositional logic
  PSpace-complete: QBF
  NEXPTime-complete: EPR
  Semi-decidable: First-order logic
  Undecidable: FOL + LA
  Succinct means high computational complexity.
"Logic is The Calculus of Computer Science" (Z. Manna).

Symbolic Engines: SAT, FTP and SMT
  SAT: Propositional Satisfiability.  (Tie Shirt) (Tie Shirt) (Tie Shirt)
  FTP: First-order Theorem Proving.  X,Y,Z [X*(Y*Z) = (X*Y)*Z]  X [X*inv(X) = e]  X [X*e = e]
  SMT: Satisfiability Modulo background Theories.  b + 2 = c and A[3] ≠ A[c-b+1]

SAT - Milestones
  1960 Davis-Putnam procedure
  1962 Davis-Logemann-Loveland
  1984 Binary Decision Diagrams
  1992 DIMACS SAT challenge
  1994 SATO: clause indexing
  1997 GRASP: conflict clause learning
  1998 Search Restarts
  2001 zChaff: 2-watch literal, VSIDS
  2005 Preprocessing techniques
  2007 Phase caching
  2008 Cache optimized indexing
  2009 In-processing, clause management
  2010 Blocked clause elimination

(Chart, 2002 to 2010: problems impossible 10 years ago are trivial today; millions of variables from HW designs.)

FTP - Milestones
  1930 Herbrand's theorem (Herbrand)
  1934 Sequent calculi (Gentzen)
  1934 Inverse method (Gentzen)
  1955 Semantic tableaux (Beth)
  1960 Herbrand-based theorem proving (Wang Hao)
  1960 Ordered resolution (Davis; Putnam)
  1962 DLL (Davis; Logemann; Loveland)
  1963 First-order inverse method (Maslov)
  1965 Unification (J. Robinson)
  1965 First-order resolution (J. Robinson)
  1965 Subsumption (J. Robinson)
  1967 Orderings (Slagle)
  1967 Demodulation or rewriting (Wos; G. Robinson; Carson; Shalla)
  1968 Model elimination (Loveland)
  1969 Paramodulation (G. Robinson; Wos)
  1970 Completion and saturation procedures (many people and provers)
  1970 Knuth-Bendix ordering (Knuth; Bendix)
  1971 Selection function (Kowalski; Kuehner)
  1972 Built-in equational theories (Plotkin)
  1972 Prolog (Colmerauer)
  1974 Saturation algorithms (Overbeek)
  1975 Completeness of paramodulation (Brand)
  1975 AC-unification (Stickel)
  1976 Resolution as a decision procedure (Joyner)
  1979 Basic paramodulation (Degtyarev)
  1980 Lexicographic path orderings (Kamin; Levy)
  1985 Theory resolution (Stickel)
  1986 Definitional clause form transformation (Plaisted; Greenbaum)
  1988 Superposition (Zhang)
  1988 Model construction (Zhang)
  1989 Term indexing (Stickel; Overbeek)
  1990 General theory of redundancy (Bachmair; Ganzinger)
  1992 Basic superposition (Nieuwenhuis; Rubio)
  1993 First instance-based methods (Billon; Plaisted)
  1993 Discount saturation algorithm (Avenhaus; Denzinger)
  1998 Finite model finding using SAT (McCune)
  2000 First-order DPLL (Baumgartner)
  2003 iProver method (Ganzinger; Korovin)
  2008 Sine selection (Hoder)

Some success stories: Open Problems (of 25 years): XCB: X ((X Y) (Z Y)) Z) is a single axiom for equivalence. Knowledge Ontologies: GBs of formulas.

Courtesy Andrei Voronkov, Manchester U.

SMT - Milestones
  1977 Efficient Equality Reasoning
  1979 Theory Combination Foundations
  1979 Arithmetic + Functions
  1982 Combining Canonizing Solvers
  1992-8 Systems: PVS, Simplify, STeP, SVC
  2002 Theory Clause Learning
  2005 SMT competition
  2006 Efficient SAT + Simplex
  2007 Efficient Equality Matching
  2009 Combinatory Array Logic
15KLOC + 215KLOC = Z3. Includes progress from SAT.

(Scatter plots: Simplify (of '01) time vs. Z3 time, and Z3 (of '07) time for Nov 08 and March 09, on the VCC and Boogie regressions, with 1 sec marks.) Z3 participates in and wins SMT competitions.

Section: Engines using Z3

Microsoft Researchers using Symbolic Logic Engines

Domains from programs:
  Bits and bytes
  Numbers
  Arrays
  Records
  Heaps
  Data-types
  Object inheritance

Applications

Some Microsoft Engines using Z3
  SDV: The Static Driver Verifier
  Pex: Program EXploration for .NET
  SAGE: Scalable Automated Guided Execution
  Spec#: C# + contracts
  VCC: Verifying C Compiler for the Viridian Hyper-Visor
  HAVOC: Heap-Aware Verification of C-code
  SpecExplorer: Model-based testing of protocol specs
  Yogi: Dynamic symbolic execution + abstraction
  FORMULA: Model-based Design
  PREfix: The Static Analysis Engine for C/C++
  F7: Refinement types for security protocols
  Rex: Regular Expressions and formal languages
  VS3: Abstract interpretation and Synthesis
  VERVE: Verified operating system
  FINE: Proof carrying certified code
  SLAyer: Separation Logic-based Static Analysis

Test case generation

    unsigned GCD(unsigned x, unsigned y) {
        requires(y > 0);
        while (true) {
            unsigned m = x % y;
            if (m == 0) return y;
            x = y;
            y = m;
        }
    }

We want a trace where the loop is executed twice. In SSA form the path constraint is:

    (y0 > 0) and
    (m0 = x0 % y0) and
    not (m0 = 0) and
    (x1 = y0) and
    (y1 = m0) and
    (m1 = x1 % y1) and
    (m1 = 0)

Solver output (a model):
    x0 = 2, y0 = 4, m0 = 2, x1 = 4, y1 = 2, m1 = 0

Pex: Program Exploration
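The path-constraint step in Python, as an added example that is not code from the slides or from Pex: the SSA conjuncts above become predicates, a bounded enumeration stands in for Z3 (an assumption made so the block runs offline; the real tools hand the conjunction to the solver), and the model is replayed against the instrumented GCD to confirm the loop really executes twice.

```python
"""Test-case generation from the GCD path constraint (added example).

The loop is unrolled twice in SSA form; every SSA equation is one conjunct
over the renamed variables x0, y0, m0, x1, y1, m1.  Pex/SAGE would hand the
conjunction to Z3; here solve_bounded() is a stand-in that enumerates a small
domain, and gcd_trace() replays the resulting model against the program.
"""
from itertools import product

SSA_VARS = ["x0", "y0", "m0", "x1", "y1", "m1"]

# One conjunct per line of the slide, each a predicate over an SSA environment.
# "%" is guarded against a zero divisor so every predicate is total
# (SMT-LIB leaves x mod 0 unspecified; Python would raise instead).
PATH_CONSTRAINT = [
    ("y0 > 0",        lambda e: e["y0"] > 0),
    ("m0 = x0 % y0",  lambda e: e["y0"] != 0 and e["m0"] == e["x0"] % e["y0"]),
    ("not (m0 = 0)",  lambda e: e["m0"] != 0),
    ("x1 = y0",       lambda e: e["x1"] == e["y0"]),
    ("y1 = m0",       lambda e: e["y1"] == e["m0"]),
    ("m1 = x1 % y1",  lambda e: e["y1"] != 0 and e["m1"] == e["x1"] % e["y1"]),
    ("m1 = 0",        lambda e: e["m1"] == 0),
]


def solve_bounded(constraints, variables, bound=8):
    """Return the first environment in [0, bound)^n satisfying every conjunct,
    or None.  Exponential stand-in for the SMT solver; fine for 6 variables."""
    for values in product(range(bound), repeat=len(variables)):
        env = dict(zip(variables, values))
        if all(pred(env) for _, pred in constraints):
            return env
    return None


def gcd_trace(x, y):
    """The deck's GCD, instrumented to count loop iterations.
    Returns (gcd, iterations)."""
    assert y > 0, "requires(y > 0)"
    iterations = 0
    while True:
        iterations += 1
        m = x % y
        if m == 0:
            return y, iterations
        x, y = y, m


def generate_test():
    """Solve the path constraint, then replay the model's inputs (x0, y0)
    on the real program.  Returns (model, loop iterations observed)."""
    model = solve_bounded(PATH_CONSTRAINT, SSA_VARS)
    _, iterations = gcd_trace(model["x0"], model["y0"])
    return model, iterations


if __name__ == "__main__":
    found, iters = generate_test()
    print("model:", found, "loop iterations on replay:", iters)
```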

Rex Regular Expression Exploration

Bek Symbolic Transducers

FINE: F# with Refinement Types
  Signature:  div : int, { x : int | x 0 } int
  Subtype check at the call site:  if a 1 and a b then return div(a, b)
  Verification condition:  a 1 and a b implies b 0

FORMULA: Design Space Exploration
Use Design Space Exploration to identify valid candidate architectures.

Extended Static Checking and Verification
  VCC, Boogie, HAVOC, F7/FINE
  Applied to Hyper-V, NTFS, SymDiff
  (Diagram labels: verification condition, bug path.)

Section: What is SMT?

Satisfiability Modulo Theories (SMT)

    b + 2 = c and f(read(write(a,b,3), c-2)) ≠ f(c-b+1)

The formula mixes three theories: Arithmetic (b + 2 = c, c-2, c-b+1), Array Theory (read, write) and Uninterpreted Functions (f).

Substituting c by b+2:
    b + 2 = c and f(read(write(a,b,3), b+2-2)) ≠ f(b+2-b+1)

Simplifying:
    b + 2 = c and f(read(write(a,b,3), b)) ≠ f(3)

Applying the array theory axiom  forall a,i,v: read(write(a,i,v), i) = v:
    b + 2 = c and f(3) ≠ f(3)

Inconsistent/Unsatisfiable.
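The substitution, simplification and read-over-write steps above carried out by a small term rewriter. This is an added example, not Z3's implementation; the tuple term encoding and the function names (lin, app, substitute, simplify, solve_for, check) are this block's own, and the final contradiction is detected by congruence: once both sides are literally f(3), f(3) ≠ f(3) cannot hold.

```python
"""Substitution, simplification and the read-over-write axiom, applied to the
deck's running SMT example.  Added illustration, not Z3's own code.

Terms: ('lin', ((var, coef), ...), const) is a canonical linear integer term;
('app', name, args) is an uninterpreted application, which also covers the
array operations read/write and array constants such as a.
"""

def lin(coeffs=None, const=0):
    """Canonical linear term: sorted (var, coef) pairs, zero coefficients dropped."""
    items = tuple(sorted((v, c) for v, c in (coeffs or {}).items() if c != 0))
    return ("lin", items, const)

def var(name):
    return lin({name: 1})

def num(k):
    return lin({}, k)

def app(fn, *args):
    return ("app", fn, tuple(args))

def is_numeral(t):
    return t[0] == "lin" and not t[1]

def add(t, u, sign=1):
    """t + sign*u for linear terms; sign=-1 subtracts."""
    coeffs = dict(t[1])
    for v, c in u[1]:
        coeffs[v] = coeffs.get(v, 0) + sign * c
    return lin(coeffs, t[2] + sign * u[2])

def sub(t, u):
    return add(t, u, -1)

def scale(t, k):
    return lin({v: k * c for v, c in t[1]}, k * t[2])

def substitute(term, name, repl):
    """Replace variable `name` by the linear term `repl` throughout `term`."""
    if term[0] == "lin":
        coeffs = dict(term[1])
        k = coeffs.pop(name, 0)
        return add(lin(coeffs, term[2]), scale(repl, k))
    return app(term[1], *(substitute(a, name, repl) for a in term[2]))

def simplify(term):
    """Bottom-up: linear terms are already canonical, so only the array axiom
    read(write(a,i,v), i) = v (and read-over-write with provably distinct
    numeral indices) needs applying."""
    if term[0] == "lin":
        return term
    args = tuple(simplify(a) for a in term[2])
    if term[1] == "read" and args[0][0] == "app" and args[0][1] == "write":
        arr, i, v = args[0][2]
        j = args[1]
        if i == j:                              # same index after normalisation
            return v
        if is_numeral(i) and is_numeral(j):     # distinct numerals: write is irrelevant
            return simplify(app("read", arr, j))
    return app(term[1], *args)

def solve_for(lhs, rhs):
    """Orient lhs = rhs as a definition (var, term); a bare variable on the
    right is preferred, so b + 2 = c yields c := b + 2."""
    if len(rhs[1]) == 1 and rhs[1][0][1] == 1 and rhs[2] == 0:
        return rhs[1][0][0], lhs
    d = sub(lhs, rhs)                           # d = 0
    for v, c in d[1]:
        if c in (1, -1):
            rest = lin({w: cw for w, cw in d[1] if w != v}, d[2])
            return v, scale(rest, -c)           # c*v + rest = 0  =>  v = -c*rest
    raise ValueError("no variable with a unit coefficient")

def check(equalities, lhs, rhs):
    """Decide  equalities and lhs != rhs  by eliminating each equality,
    simplifying, then congruence: f(t) != f(t) is unsatisfiable.
    Returns (status, lhs', rhs') with status 'unsat' or 'unknown'."""
    pending = list(equalities)
    while pending:
        l, r = pending.pop(0)
        d = sub(l, r)
        if not d[1]:                            # no variables left: 0 = k
            if d[2] != 0:
                return "unsat", lhs, rhs
            continue
        v, defn = solve_for(l, r)
        lhs, rhs = substitute(lhs, v, defn), substitute(rhs, v, defn)
        pending = [(substitute(x, v, defn), substitute(y, v, defn)) for x, y in pending]
    lhs, rhs = simplify(lhs), simplify(rhs)
    return ("unsat" if lhs == rhs else "unknown"), lhs, rhs

def deck_example():
    """b + 2 = c  and  f(read(write(a,b,3), c-2)) != f(c-b+1)  (constructed input)."""
    a, b, c = app("a"), var("b"), var("c")
    lhs = app("f", app("read", app("write", a, b, num(3)), sub(c, num(2))))
    rhs = app("f", add(sub(c, b), num(1)))
    return check([(add(b, num(2)), c)], lhs, rhs)
```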

SMT by Example: Job Shop Scheduling

Machines, jobs, tasks (the laundry example). P = NP?

Constraints:
  Precedence: between two tasks of the same job.
  Resource: machines execute at most one job at a time.

(Figures: tasks 1-4 laid out on the machines; the feasible region is not convex.)

From constraints to models.

Section: Little Engines of Proof

An SMT Solver is a collection of Little Engines of Proof.

Examples: SAT solver, equality solver, arithmetic solver.

SMT: Basic Architecture
  (Diagram: Case Analysis together with theory modules for Equality + UF, Arithmetic, Bit-vectors, Data-types.)
  15KLOC + 215KLOC = Z3

Theories
  Uninterpreted functions
  Arithmetic (linear)
  Bit-vectors
  Algebraic data-types
  Arrays
  User-defined

Section: Solver: Interaction

Interaction

Text formats: SMT-LIB 1.2, SMT-LIB 2, native Z3 (low-level), Simplify.
Programmatic APIs: C, .NET, F# (LINQ), OCaml, Python, ...

Example: Quotations in F#

    open Microsoft.Z3
    open Microsoft.Z3.Quotations

    do Solver.prove not ((t11 >= 0I) && (t12 >= t11 + 2I) && (t12 + 1I = 0I) &&
                         (t22 >= t21 + 3I) && (t32 + 1I = 0I) && (t32 >= t31 + 2I) &&
                         (t32 + 3I = t21 + 3I || t21 >= t11 + 2I) &&
                         (t11 >= t31 + 2I || t31 >= t11 + 2I) &&
                         (t21 >= t31 + 2I || t31 >= t21 + 3I) &&
                         (t12 >= t22 + 1I || t22 >= t12 + 1I) &&
                         (t12 >= t32 + 3I || t32 >= t12 + 1I) &&
                         (t22 >= t32 + 3I || t32 >= t22 + 1I) ) ) @>

Interaction - models: Logical Formula -> Sat / Model
Interaction - proof objects: Logical Formula -> Unsat / Proof
Interaction - simplification: Logical Formula -> Simplify
Interaction - implied equalities: Logical Formula -> Implied Equalities (e.g. x and y are equal; z + y and x + z are equal)
Interaction - quantifier elimination: Logical Formula -> Quantifier Elimination
Interaction - unsat cores: Logical Formula -> Unsat. Core

Section: Directions

Research around Z3

Decision Procedures:
  Modular Difference Logic is Hard. TR 08, B., Blass, Gurevich, Musuvathi.
  Linear Functional Fixed-points. CAV 09, B. & Hendrix.
  A Priori Reductions to Zero for Strategy-Independent Gröbner Bases. SYNASC 09, M. & Passmore.
  Efficient, Generalized Array Decision Procedures. FMCAD 09, M. & B.
Combining Decision Procedures:
  Model-based Theory Combination. SMT 07, M. & B.
  Accelerating Lemma learning using DPLL(U). LPAR 08, B., Dutertre & M.
  Proofs, Refutations and Z3. IWIL 08, M. & B.
  On Locally Minimal Nullstellensatz Proofs. SMT 09, M. & Passmore.
  A Concurrent Portfolio Approach to SMT Solving. CAV 09, Wintersteiger, Hamadi & M.
Quantifiers, quantifiers, quantifiers:
  Efficient E-matching for SMT Solvers. CADE 07, M. & B.
  Relevancy Propagation. TR 07, M. & B.
  Deciding Effectively Propositional Logic using DPLL(Sx). IJCAR 08, M. & B.
  Engineering DPLL(T) + saturation. IJCAR 08, M. & B.
  Complete instantiation for quantified SMT formulas. CAV 09, Ge & M.
  On deciding satisfiability by DPLL(Γ+T). CADE 09, Bonacina, M. & Lynch.
  Linear Quantifier Elimination as Abstract Decision Procedure. IJCAR 10, B.
  Efficiently Solving Quantified Bit-Vector Formulas. FMCAD 10, Wintersteiger, Hamadi, M.
Current Efforts:
  Model-based Quantifier Elimination

  Theories + Quantifiers from Models

μZ: An Efficient Engine for Fixed-points
  Datalog + Abstract Constraints
  Points-to analysis, knowledge bases, ...

Conclusions

SMT solvers are a great fit for software tools.

Current main applications: test-case generation; verifying compilers; model checking & predicate abstraction; model-based testing and development.

New applications keep appearing: synthesis, compiler optimization, trace-based optimization, ...

Extra: Nuts and Bolts

Model-based Theory Combination

Nelson-Oppen (N.O.) timeline:
  1979 Nelson, Oppen: Framework
  1996 Tinelli & Harandi: N.O. Fix
  2000 Barrett et al.: N.O. + Rewriting
  2002 Zarba & Manna: Nice Theories
  2004 Ghilardi et al.: N.O. Generalized
  2006 Bruttomesso et al.: Delayed Theory Combination
  2007 de Moura & B.: Model-based Theory Combination

Shostak timeline:
  1984 Shostak: Theory solvers
  1996 Cyrluk et al.: Shostak Fix #1
  1998 B.: Shostak with Constraints
  2001 Rueß & Shankar: Shostak Fix #2
  2004 Ranise et al.: N.O. + Superposition

Foundations; efficiency using rewriting.
  2001 Moskewicz et al.: Efficient DPLL made guessing cheap.
  2010 Jovanovic & Barrett: Sharing is Caring.

Combinatory Array Logic: a basis of operations.

[FMCAD 2009]

Efficient E-graph Matching [CADE 2007]
  Match: read(write(A,I,V),I) = read(write(a,g(c),c), f(d,a))
  Assuming E = { g(a) = f(b, c), b = d, a = c }
  The slide builds rewrite the second argument modulo E step by step: f(d,a) -> f(b,a) -> f(b,c) -> g(a) -> g(c), at which point it coincides with the write index g(c) and the pattern matches.
Efficiency through:
  Code trees: runtime program specialization.
  Inverted path indexing: when a new equality enters, walk from sub-terms upwards to roots in the index.

Linear Quantifier Elimination as an Abstract Decision Procedure
SMT for QE has some appeal: just use SMT(LA/LIA) for closed formulas.
Algorithms:

[IJCAR 2010]
  Fourier-Motzkin, Omega Test, Loos-Weispfenning, Cooper
  Resolution; Case split + Virtual substitution; Case split + Resolution; Abstract Decision Procedure

DPLL state:  M | F   (M: partial model, F: set of clauses)

DPLL: Guessing
  p, q | p q, q r
  p | p q, q r

DPLL: Deducing
  p, s | p q, p s
  p | p q, p s

DPLL: Backtracking
  p, s | p q, s q, p q
  p, s, q | p q, s q, p q

Modern DPLL
  Efficient indexing (two-watch literal)
  Non-chronological backtracking (backjumping)
  Lemma learning

SAT + Theory solvers: Basic Idea

    x ≥ 0, y = x + 1, (y > 2 ∨ y < 1)

Abstract (aka naming atoms):
    p1, p2, (p3 ∨ p4)
    p1 ≡ (x ≥ 0), p2 ≡ (y = x + 1), p3 ≡ (y > 2), p4 ≡ (y < 1)

SAT Solver -> Assignment: p1, p2, ¬p3, p4
    i.e. x ≥ 0, y = x + 1, ¬(y > 2), y < 1

Theory Solver -> Unsatisfiable: x ≥ 0, y = x + 1, y < 1

New Lemma: ¬p1 ∨ ¬p2 ∨ ¬p4


84  SAT + Theory solvers
Theory Solver
Unsatisfiable: x ≥ 0, y = x + 1, y < 1
New Lemma: ¬p1 ∨ ¬p2 ∨ ¬p4    (AKA theory conflict)

85  SAT + Theory solvers: Main loop
procedure SmtSolver(F)
  (Fp, M) := Abstract(F)
  loop
    (R, A) := SAT_solver(Fp)
    if R = UNSAT then return UNSAT
    S := Concretize(A, M)
    (R, S) := Theory_solver(S)
    if R = SAT then return SAT
    L := New_Lemma(S, M)
    Add L to Fp

86–87  SAT + Theory solvers: Basic Idea, annotated with the main loop's variables
F:  x ≥ 0, y = x + 1, (y > 2 ∨ y < 1)
Fp: p1, p2, (p3 ∨ p4)
Abstract (aka naming atoms)
M:  p1 ≡ (x ≥ 0), p2 ≡ (y = x + 1), p3 ≡ (y > 2), p4 ≡ (y < 1)
SAT Solver
A:  Assignment p1, p2, ¬p3, p4
S:  x ≥ 0, y = x + 1, ¬(y > 2), y < 1
Theory Solver
S:  Unsatisfiable x ≥ 0, y = x + 1, y < 1
L:  New Lemma ¬p1 ∨ ¬p2 ∨ ¬p4

procedure SMT_Solver(F)
  (Fp, M) := Abstract(F)
  loop
    (R, A) := SAT_solver(Fp)
    if R = UNSAT then return UNSAT
    S := Concretize(A, M)
    (R, S) := Theory_solver(S)
    if R = SAT then return SAT
    L := New_Lemma(S, M)
    Add L to Fp

Lazy translation to DNF
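The SMT_Solver loop above, as an added example that is not part of the slides: a pure-Python run on the slides' own F, Fp and M, which also computes the small S that slide 91 asks for. The SAT solver (brute-force enumeration), the theory solver (integer difference logic checked by Bellman-Ford negative-cycle detection, with a deletion-based minimal core) and the encoding of each atom as a - b ≤ c constraints are this example's assumptions, not Z3's implementation.

```python
# Added example (not from the slides): SMT_Solver's lazy SAT + theory loop on the slides' own
# F = x >= 0, y = x + 1, (y > 2 or y < 1). Assumed theory: integer difference logic; an atom is a
# list of constraints (a, b, c) meaning a - b <= c, where the name "0" stands for the constant 0.
from itertools import product
def theory_consistent(cons):
    """Bellman-Ford: consistent iff the graph (edge b -> a of weight c per constraint) has no negative cycle."""
    dist = {v: 0 for a, b, _ in cons for v in (a, b)}   # every node at distance 0 from a virtual source
    for _ in range(len(dist) + 1):
        changed = False
        for a, b, c in cons:
            if dist[b] + c < dist[a]:
                dist[a], changed = dist[b] + c, True
        if not changed:
            return True                # fixpoint: no negative cycle
    return False                       # still relaxing after |V| rounds: negative cycle
def concretize(atom, value, atoms):    # literal -> constraints (the Concretize step)
    if value:
        return list(atoms[atom])
    (a, b, c), = atoms[atom]           # fails on an equality atom: its negation is a disjunction
    return [(b, a, -c - 1)]            # over integers, not(a - b <= c) is b - a <= -c - 1
def sat_solve(clauses, atoms):         # brute-force SAT: first total assignment satisfying Fp
    for bits in product((False, True), repeat=len(atoms)):
        A = dict(zip(atoms, bits))
        if all(any(A[a] == pol for a, pol in cl) for cl in clauses):
            return A
    return None                        # R = UNSAT
def theory_core(S):
    """Deletion-based small unsatisfiable subset of S = [(literal, cons)], so the lemma is precise."""
    core = list(S)
    for item in list(core):
        rest = [x for x in core if x is not item]
        if not theory_consistent([c for _, cs in rest for c in cs]):
            core = rest                # still inconsistent without item: item is redundant
    return [lit for lit, _ in core]
def smt_solve(clauses, atoms):
    """The main loop; returns ("sat", A, lemmas) or ("unsat", None, lemmas)."""
    clauses, n = list(clauses), len(clauses)
    while True:
        A = sat_solve(clauses, atoms)                                  # (R, A) := SAT_solver(Fp)
        if A is None:
            return "unsat", None, clauses[n:]
        S = [((p, v), concretize(p, v, atoms)) for p, v in A.items()]  # S := Concretize(A, M)
        if theory_consistent([c for _, cs in S for c in cs]):          # (R, S) := Theory_solver(S)
            return "sat", A, clauses[n:]
        clauses.append([(p, not v) for p, v in theory_core(S)])        # L := New_Lemma(S, M); add L to Fp

# M: p1 = (x >= 0), p2 = (y = x + 1), p3 = (y > 2), p4 = (y < 1);  Fp: p1, p2, (p3 or p4)
ATOMS = {"p1": [("0", "x", 0)], "p2": [("y", "x", 1), ("x", "y", -1)],
         "p3": [("0", "y", -3)], "p4": [("y", "0", 0)]}
CLAUSES = [[("p1", True)], [("p2", True)], [("p3", True), ("p4", True)]]
```

Because the enumeration tries False before True, `smt_solve(CLAUSES, ATOMS)` replays the slides' run: the first assignment is p1, p2, ¬p3, p4, the learned lemma is ¬p1 ∨ ¬p2 ∨ ¬p4 (the redundant ¬p3 is dropped by the core computation), and the second round returns sat with p1, p2, p3, ¬p4.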

88  SAT + Theory solvers
State-of-the-art SMT solvers implement many improvements.

89  SAT + Theory solvers: Incrementality
Send the literals to the Theory solver as they are assigned by the SAT solver.
p1, p2, p4 | p1, p2, (p3 ∨ p4), (p5 ∨ ¬p4)
p1 ≡ (x ≥ 0), p2 ≡ (y = x + 1), p3 ≡ (y > 2), p4 ≡ (y < 1), p5 ≡ (x < 2)
Partial assignment is already Theory inconsistent.

90  SAT + Theory solvers: Efficient Backtracking
We don't want to restart from scratch after each backtracking operation.

91  SAT + Theory solvers: Efficient Lemma Generation (computing a small S)
Avoid lemmas containing redundant literals.
p1, p2, ¬p3, p4 | p1, p2, (p3 ∨ p4), (p5 ∨ ¬p4)
p1 ≡ (x ≥ 0), p2 ≡ (y = x + 1), p3 ≡ (y > 2), p4 ≡ (y < 1), p5 ≡ (x < 2)
¬p1 ∨ ¬p2 ∨ p3 ∨ ¬p4    Imprecise Lemma

92–93  SAT + Theory solvers: Theory Propagation
It is the SMT equivalent of unit propagation.
p1, p2 | p1, p2, (p3 ∨ p4), (p5 ∨ ¬p4)
p1 ≡ (x ≥ 0), p2 ≡ (y = x + 1), p3 ≡ (y > 2), p4 ≡ (y < 1), p5 ≡ (x < 2)
p1, p2 imply ¬p4 by theory propagation
p1, p2, ¬p4 | p1, p2, (p3 ∨ p4), (p5 ∨ ¬p4)
Tradeoff between precision and performance.

94–96  An Architecture: the core
Core: SAT Solver, Equality, Uninterpreted Functions, Arithmetic, Bit-Vectors, Scalar Values
Case Analysis
Blackboard: equalities, disequalities, predicates
97