ddSMT: A Delta Debugger for the SMT-LIB v2 Format (slide deck)



SLIDE 1

ddSMT: A Delta Debugger for the SMT-LIB v2 Format

Aina Niemetz and Armin Biere

Institute for Formal Models and Verification (FMV) Johannes Kepler University, Linz, Austria http://fmv.jku.at/

SMT Workshop 2013 July 8 - 9, 2013 Helsinki, Finland

SLIDE 2

Motivation

Why delta debugging?

Original input:

(set-logic UFNIA)
(declare-sort sort1 0)
(declare-fun x () sort1)
(declare-fun y () sort1)
(assert (= x y))
(push 1)
(define-sort sort2 () Bool)
(declare-fun x () sort2)
(declare-fun y () sort2)
(assert (and (as x Bool) (as y Bool)))
(assert (! (not (as x Bool)) :named z))
(assert z)
(pop 1)
(assert (forall ((z Int)) (exists ((zz Int)) (= z zz))))
(check-sat)
(get-value ((let ((x 1) (y 1)) (= x y))))
(exit)

Minimized input:

(set-logic UFNIA)
(get-value (false))
(exit)

SLIDE 5

Motivation

What delta debugging?

Minimize the failure-inducing 17-command input above to the three commands that still trigger the failure:

(set-logic UFNIA)
(get-value (false))
(exit)

→ easier to debug
→ in a time-efficient manner

SLIDE 6

Preliminaries

What is Delta Debugging?

Delta Debugging = input minimization
→ originally introduced by R. Hildebrandt and A. Zeller in [HZ00]
→ related work: shrinking in QuickCheck [CH00]

Basic idea: given an executable Ex and a failure-inducing input I:

  • minimize (simplify) I → I_simp
  • I_simp still triggers the original faulty behavior

Original minimization strategy:

  • divide-and-conquer (binary)
  • remove parts irrelevant to the original faulty behavior

→ highly customizable, wide range of applications

SLIDE 7

Preliminaries

Related Work

deltaSMT

  • introduced by our group in [BB09]
  • tailored to the SMT-LIB v1 format
  • does not support quantifiers
  • implements a hierarchical delta debugging strategy
  • nodes are substituted one by one, in breadth-first-search (BFS) order, by simpler nodes or their children

→ bottleneck in the worst case
→ cases where deltaSMT struggled or was unable to minimize the input

deltaSMT2

  • recent and independent update of deltaSMT for SMT-LIB v2
  • by P. F. Dobal and P. Fontaine at INRIA
  • syntactically extends deltaSMT for SMT-LIB v2 compliance
  • no full support for SMT-LIB v2
  • still work in progress
SLIDE 9

ddSMT

Overview

ddSMT

  • input minimizer for the SMT-LIB v2 format
  • based on the exit code of a given executable
  • supports all SMT-LIB v2 logics
  • not based on deltaSMT
  • implements a divide-and-conquer delta debugging strategy
  • employs simplification strategies for
      • macros (command define-fun)
      • command-level scopes (commands push and pop)
      • named annotations (attribute :named)
  • especially effective in combination with fuzz testing

Technical Side Notes

  • implemented in Python 3
  • provides a dedicated, modular, standalone SMT-LIB v2 parser
SLIDE 13

ddSMT

General Workflow

Command-Level Scope Substitution → Command Substitution → Term Substitution
(run for each set of define-fun, assert and get-value commands)

Term substitution candidates by sort / term kind:

  • Bit Vector: constant 0, fresh variables, (bvor (_ bv0 1) term), (bvand (_ bv1 1) term)
  • Integer: constant 0, fresh variables
  • Real: constant 0, fresh variables
  • Boolean: constant false, (or false term), constant true, (and true term), fresh variables
  • let, store, ite: child terms (ite: left child, right child)

SLIDE 21

ddSMT

Core Substitution Algorithm

1. filter nodes by some criteria and collect them into the list superset
2. substitute:
   1. divide superset into n := ⌈len(superset)/g⌉ subsets; start with granularity g := len(superset), i.e. n = 1
   2. for each subset in subsets:
      • substitute all not yet substituted items in subset with a simpler expression or None
      • test the current configuration
      • if successful, keep the substitution of subset: subsets := subsets \ subset
      • else reset the substitutions of the current subset
   3. g := g/2
   4. k := len(subsets), superset := subset_1 ∪ … ∪ subset_k
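The substitution loop from this slide, as an added example in Python (ddSMT's implementation language) that is not the project's own code: it runs the loop at command level over the 17-command script from the example slides, with an oracle that mirrors the slides' shell executable (failure exactly when a get-value command is present). The candidate filter that never touches set-logic and exit is my assumption, not something the slides state.

```python
import math
import re

# Constructed sample: the 17-command script from the example slides, one command per entry.
SCRIPT = [
    "(set-logic UFNIA)",
    "(declare-sort sort1 0)",
    "(declare-fun x () sort1)",
    "(declare-fun y () sort1)",
    "(assert (= x y))",
    "(push 1)",
    "(define-sort sort2 () Bool)",
    "(declare-fun x () sort2)",
    "(declare-fun y () sort2)",
    "(assert (and (as x Bool) (as y Bool)))",
    "(assert (! (not (as x Bool)) :named z))",
    "(assert z)",
    "(pop 1)",
    "(assert (forall ((z Int)) (exists ((zz Int)) (= z zz))))",
    "(check-sat)",
    "(get-value ((let ((x 1) (y 1)) (= x y))))",
    "(exit)",
]


def still_failing(config):
    """Oracle mirroring the slides' shell executable: the simulated solver exits
    with 1 exactly when a get-value command is present (None = removed command)."""
    return any(cmd is not None and re.search(r"\bget-value\b", cmd) for cmd in config)


def substitute(config, superset, simplify, test):
    """Core substitution loop of the slide. superset: indices of the candidate nodes
    in config; simplify(node): simpler node or None; test(config): True while the
    failure is still triggered. Returns (config, number of test runs)."""
    runs = 0
    g = len(superset)                      # granularity: start with one subset, n = 1
    while g >= 1 and superset:
        n = math.ceil(len(superset) / g)
        subsets = [superset[i * g:(i + 1) * g] for i in range(n)]
        remaining = []
        for subset in subsets:
            saved = {i: config[i] for i in subset}
            for i in subset:                   # substitute every item of the subset
                config[i] = simplify(config[i])
            runs += 1
            if test(config):                   # success: keep, subset leaves the superset
                continue
            for i, node in saved.items():      # failure: reset this subset
                config[i] = node
            remaining.append(subset)
        superset = [i for s in remaining for i in s]   # union of the remaining subsets
        g //= 2                                # g := g/2, as on the slide
    return config, runs


def minimize_commands(script, test=still_failing):
    """Command substitution: whole commands are dropped (simplify -> None).
    Assumption not stated on the slides: set-logic and exit are never candidates."""
    candidates = [i for i, cmd in enumerate(script)
                  if not cmd.startswith(("(set-logic", "(exit"))]
    config, runs = substitute(list(script), candidates, lambda _cmd: None, test)
    return [cmd for cmd in config if cmd is not None], runs
```

With the get-value oracle, minimize_commands(SCRIPT) reaches the set-logic / get-value / exit script of the Motivation slides after 6 test runs; a stricter oracle (one that also needs the push command) keeps push as well, which shows the loop re-testing only the subsets that failed.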

SLIDE 22

Example

Original Input

(set-logic UFNIA)
(declare-sort sort1 0)
(declare-fun x () sort1)
(declare-fun y () sort1)
(assert (= x y))
(push 1)
(define-sort sort2 () Bool)
(declare-fun x () sort2)
(declare-fun y () sort2)
(assert (and (as x Bool) (as y Bool)))
(assert (! (not (as x Bool)) :named z))
(assert z)
(pop 1)
(assert (forall ((z Int)) (exists ((zz Int)) (= z zz))))
(check-sat)
(get-value ((let ((x 1) (y 1)) (= x y))))
(exit)

SLIDE 23

Example

Executable

#!/bin/sh

# exit 1 (failure) if and only if the input file contains a get-value command
if [ `grep -c "\<get-value\>" "$1"` -ne 0 ];
then exit 1
fi

exit 0

→ simulates: SMT solver does not support get-value commands

SLIDE 24

Example

Command-Level Scope Substitution

(set-logic UFNIA)
(declare-sort sort1 0)
(declare-fun x () sort1)
(declare-fun y () sort1)
(assert (= x y))
(push 1)
(define-sort sort2 () Bool)
(declare-fun x () sort2)
(declare-fun y () sort2)
(assert (and (as x Bool) (as y Bool)))
(assert (! (not (as x Bool)) :named z))
(assert z)
(pop 1)
(assert (forall ((z Int)) (exists ((zz Int)) (= z zz))))
(check-sat)
(get-value ((let ((x 1) (y 1)) (= x y))))
(exit)

redundant: the whole command-level scope from (push 1) to (pop 1)

SLIDE 26

Example

Command Substitution

(set-logic UFNIA)
(declare-sort sort1 0)
(declare-fun x () sort1)
(declare-fun y () sort1)
(assert (= x y))
(assert (forall ((z Int)) (exists ((zz Int)) (= z zz))))
(check-sat)
(get-value ((let ((x 1) (y 1)) (= x y))))
(exit)

redundant: (assert (= x y))

SLIDE 28

Example

Term Substitution

Int with Constant 0

(set-logic UFNIA)
(declare-sort sort1 0)
(declare-fun x () sort1)
(declare-fun y () sort1)
(assert (forall ((z Int)) (exists ((zz Int)) (= z zz))))
(check-sat)
(get-value ((let ((x 1) (y 1)) (= x y))))
(exit)

non-constant Int terms: x and y in (= x y) of the get-value command

SLIDE 30

Example

Term Substitution

let with Child Term

(set-logic UFNIA)
(declare-sort sort1 0)
(declare-fun x () sort1)
(declare-fun y () sort1)
(assert (forall ((z Int)) (exists ((zz Int)) (= z zz))))
(check-sat)
(get-value ((let ((x 1) (y 1)) (= 0 0))))
(exit)

all variable bindings substituted → the let is replaced by its child term (= 0 0)

SLIDE 32

Example

Term Substitution

Bool with Constant false

(set-logic UFNIA)
(declare-sort sort1 0)
(declare-fun x () sort1)
(declare-fun y () sort1)
(assert (forall ((z Int)) (exists ((zz Int)) (= z zz))))
(check-sat)
(get-value ((= 0 0)))
(exit)

non-constant Boolean term: (= 0 0)

SLIDE 34

Example

Command Substitution

(set-logic UFNIA)
(declare-sort sort1 0)
(declare-fun x () sort1)
(declare-fun y () sort1)
(assert (forall ((z Int)) (exists ((zz Int)) (= z zz))))
(check-sat)
(get-value (false))
(exit)

redundant: the remaining declarations, the quantified assertion and check-sat

SLIDE 35

Example

Final Result

(set-logic UFNIA)
(get-value (false))
(exit)

SLIDE 36

Experimental Evaluation

First Results

Setup: 3.4 GHz Intel Core i7-2600, 16 GB RAM, 64-bit Arch Linux

                          Red. [%]            Time [s]             Runs                  Mem. [MB]
Tool       TS  Files   avg   min   max     avg   min   max      avg   min   max      avg  min  max
deltaSMT    1      2     –     –     –     257    14   500     4051   655  7446      113  108  117
(SMT-LIB    2     95      94.0 / 99.9       49   0.1  1738      599     5  7296      111   33  153
 v1)        3      5      66.6 / 93.8       12     3    34      608   262  1297      107   76  126
            4     53    99.6  98.8  99.9     8   0.6    20      463     4   852      128   52  142
            5      –     –     –     –       –     –     –        –     –     –        –    –    –
ddSMT       1      2    90.0  83.9  96.0    44     9    79     1412   782  2041       13   10   16
(SMT-LIB    2     95    94.7  68.2  99.9    92   0.1  1594     1499     2  3790       15   10   24
 v2)        3      5    80.4  66.8  87.2    23    14    35     1533  1171  1764       11   10   12
            4     53    99.8  99.3  99.9    57     1   246      431    13  1240       28   15   42
            5      5    97.4  95.7  98.3    12     5    16      247   215   371       39   10   59

TS = test set, Files = number of input files. Cells marked – are empty on the original slide; for deltaSMT on TS 2 and TS 3 the slide gives only two Red. values, shown here as "a / b".

Test sets:
  • originally SMT-LIB v1 input (QF_AUFBV), no SMT-LIB v2-specific features, SMT solver: Boolector
  • originally SMT-LIB v2 input (AUFLIRA), no push and pop, SMT solver: CVC4

SLIDE 41

Conclusion

ddSMT

  • an input minimizer for the SMT-LIB v2 format
  • with support for all SMT-LIB v2 logics
  • simplification strategies for
      • macros
      • command-level scopes
      • named annotations
  • based on a divide-and-conquer delta debugging strategy
  • especially effective in combination with fuzz testing

Future Work

  • further simplification strategies for annotations (other than :named)
  • hybrid approach: selective hierarchical delta debugging strategies
  • comparison with model-based delta debugging on the API level
SLIDE 42

References

[BB09] Robert Brummayer and Armin Biere. Fuzzing and Delta-Debugging SMT Solvers. In Proc. 7th Intl. Workshop on Satisfiability Modulo Theories (SMT'09), page 5. ACM, 2009.

[CH00] Koen Claessen and John Hughes. QuickCheck: A Lightweight Tool for Random Testing of Haskell Programs. In Martin Odersky and Philip Wadler, editors, ICFP, pages 268–279. ACM, 2000.

[HZ00] Ralf Hildebrandt and Andreas Zeller. Simplifying Failure-Inducing Input. In ISSTA, pages 135–145, 2000.