FSE & Try them online: http://rise4fun.com Margus Veanes - PowerPoint PPT Presentation

  1. Nikolaj Bjørner, Microsoft Research. Deduction at Scale, Schloß Ringberg, March 7. FSE &

  2. Try them online: http://rise4fun.com

  3. Margus Veanes

  4. Margus Veanes, David Molnar

  5. Slide shamelessly stolen and adapted from [Patrice Godefroid, ISSTA 2010]:
     - 100+ CPU-years - largest dedicated fuzz lab in the world
     - 100s of apps fuzzed using SAGE
     - 100s of previously unknown bugs found
     - 1,000,000,000+ computers updated with bug fixes
     - Millions of $ saved for users and Microsoft
     - 10s of related tools (incl. Pex), 100s of DART citations
     - 100,000,000+ constraints - largest usage for any SMT solver

  6. Analysis of millions of lines of Microsoft code base. Two classic functions, with the slide's overflow annotations kept as comments.

     Function: itoa (integer to ascii). Book: Kernighan and Ritchie.

     ```c
     void itoa(int n, char* s) {
       if (n < 0) {
         *s++ = '-';
         n = -n;                       // -INT_MIN == INT_MIN
       }
       // Add digits to s
       ....
     }
     ```

     Function: binary_search. Package: java.util.Arrays.

     ```java
     int binary_search(int[] arr, int low, int high, int key) {
       while (low <= high) {
         // Find middle value
         int mid = (low + high) / 2;   // low + high overflows: 3(INT_MAX+1)/4 + (INT_MAX+1)/4 = INT_MIN
         int val = arr[mid];
         if (val == key) return mid;
         if (val < key) low = mid+1;
         else high = mid-1;
       }
       return -1;
     }
     ```

  7. [Chart on a log scale from 0.1 to 1000, annotated with events: Modification in invariant checking; Switch to Z3 v2; Z3 v2 update; Attempt to improve Boogie/Z3 interaction; Switch to Boogie2]

  8. Building Verve: 9 person-months. [Build diagram with components: source file Kernel.cs; compilation tool: C# compiler → Kernel.obj (x86), checked by the TAL checker; verification tool: Boogie/Z3 → verified Nucleus.bpl (x86); Assembler; Translator / Linker / ISO generator → Verve.iso] Safe to the Last Instruction / Jean Yang & Chris Hawblitzel, PLDI 2010.

  9. Claim (as I see it):
     - Simplification - lots of junk
     - Structural - not random (symmetry?)
     - Shallow - unsat core
     - Repertoire - cooperating methods
     - Decomposable - solve simpler problems
     - Abstraction - SAT < SMT
     Are we there yet?
     - Improve search methods and solvers
     - Extend expressiveness, tactics
     - Precise answers

  11. Resolution. The Black Diamonds of DPLL(T):
     $\neg(a_1 \simeq a_{50}) \wedge \bigwedge_{i=1}^{49} \left[ (a_i \simeq b_i \wedge b_i \simeq a_{i+1}) \vee (a_i \simeq c_i \wedge c_i \simeq a_{i+1}) \right]$
     Has no short DPLL(T) proof. Has a short DPLL(T) proof when using $a_1 \simeq a_2, a_2 \simeq a_3, a_3 \simeq a_4, \ldots, a_{49} \simeq a_{50}$. Example from [Rozanov, Strichman, SMT 07].

  12. T-Propagate: $M \mid F, C \vee \ell \Longrightarrow M, \ell^{C \vee \ell} \mid F, C \vee \ell$ if $C$ is false under $T + M$.
     T-Conflict: $M \mid F \Longrightarrow M \mid F, \neg M'$ where $M' \subseteq M$ and $M'$ is false under $T$.
     Example (T-Propagate): $a > b, b > c \mid F, a \le c \vee b \le d \Longrightarrow a > b, b > c, (b \le d)^{a \le c \vee b \le d} \mid F, a \le c \vee b \le d$.
     Example (T-Conflict): $M \mid F \Longrightarrow M \mid F, a \le b \vee b \le c \vee c < a$ where $\{a > b, b > c, a \le c\} \subseteq M$.
     Introduces no new literals - terminates.

  13. Idea: DPLL(⊔) [B, Dutertre, de Moura 08]. Try branch $a_1 \simeq b_1 \wedge b_1 \simeq a_2$: implies $a_1 \simeq b_1 \simeq a_2$; collect implied equalities. Try branch $\neg(a_1 \simeq b_1 \wedge b_1 \simeq a_2)$: implies $a_1 \simeq c_1 \simeq a_2$; collect implied equalities. Compute the join ⊔ of the two sets of equalities: common equalities are learned. Still potentially $O(n^2)$ rounds just at the base level of search.

  14. Single case splits don't suffice: it requires 2 case splits to collect the implied equalities.

  15. Method: resolve literals in conflict clauses. Theorem (for EUF): DPLL + CD E R + Restart $_p$ E-Resolution. Informal claim: DPLL + CD T R + Restart $_p$ Resolution. Practical? The method introduces extra literals (= junk) → throttle resolution dynamically based on activity.

  16. $\neg(a_1 \simeq a_{50}) \wedge \bigwedge_{i=1}^{49} \left[ (a_i \simeq b_i \wedge b_i \simeq a_{i+1}) \vee (a_i \simeq c_i \wedge c_i \simeq a_{i+1}) \right]$
     Eventually, many conflicts contain: $a_1 \simeq b_1 \wedge b_1 \simeq a_2$. Use E-resolution, add the clause: $a_1 \simeq b_1 \wedge b_1 \simeq a_2 \rightarrow a_1 \simeq a_2$. Then DPLL(T) learns by itself: $a_1 \simeq a_2$.

  17. $\bigwedge_{i=1}^{N} \left[ (p_i \vee x_i \simeq v_0) \wedge (\neg p_i \vee x_i \simeq v_1) \wedge (p_i \vee y_i \simeq v_0) \wedge (\neg p_i \vee y_i \simeq v_1) \right] \wedge \neg\big(f(x_N, \ldots, f(x_2, x_1) \ldots) \simeq f(y_N, \ldots, f(y_2, y_1) \ldots)\big)$
     Eventually, many conflicts contain: $x_i \simeq u_i \wedge y_i \simeq u_i$ ($u_i = v_0$ or $u_i = v_1$, for $i = 1..N$).
     Add: $\bigwedge_{i=1}^{N} (x_i \simeq y_i) \rightarrow f(x_N, \ldots, f(x_2, x_1) \ldots) \simeq f(y_N, \ldots, f(y_2, y_1) \ldots)$

  19. Dynamic Ackermann Reduction: if the Congruence Rule repeatedly learns $f(v, v') \sim f(w, w')$ for the literal $f(v, v') \simeq f(w, w')$, then add a clause for the SAT core to use: $v \simeq w \wedge v' \simeq w' \rightarrow f(v, v') \simeq f(w, w')$.
     Dynamic Ackermann Reduction with Transitivity: if Equality Transitivity repeatedly learns $u \sim w$ from $u \sim v$ and $v \sim w$, then add a clause for the SAT core to use: $u \simeq v \wedge v \simeq w \rightarrow u \simeq w$.
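As an added illustration of the transitivity rule above and of the E-resolution lemma on slide 16 (this is example code, not from the slides and not Z3's implementation), a small Python simulation: each conflict is the set of equality literals a DPLL(T) branch had assumed on a 3-diamond instance of the slide 11 formula; the code closes them under transitivity, counts which transitivity step recurs across conflicts, and emits the clause $u \simeq v \wedge v \simeq w \rightarrow u \simeq w$ once a step recurs. The names `implied_equalities`, `dynamic_transitivity_lemmas`, `diamond_branch` and the threshold of 2 are assumptions of this example.

```python
from collections import Counter
from itertools import combinations

def implied_equalities(assumed):
    """Close the assumed equalities (pairs of term names) under transitivity.
    Each derived u=w is recorded as the step (u, v, w): u~w from u~v and v~w,
    a toy stand-in for the E-graph's Equality Transitivity rule."""
    known, steps = {frozenset(e) for e in assumed}, []
    changed = True
    while changed:
        changed = False
        for e1, e2 in combinations(sorted(known, key=sorted), 2):
            shared = e1 & e2
            if len(shared) != 1:
                continue                    # no common term: nothing to chain
            (v,) = shared
            u, w = sorted((e1 | e2) - shared)
            if frozenset((u, w)) not in known:
                known.add(frozenset((u, w)))
                steps.append((u, v, w))
                changed = True
    return known, steps

def dynamic_transitivity_lemmas(conflicts, threshold=2):
    """Dynamic Ackermann Reduction with Transitivity over a list of conflicts
    (each: the equality literals assumed when the conflict arose).  Once the
    same step (u, v, w) recurs `threshold` times, emit the clause
    u≃v ∧ v≃w → u≃w for the SAT core as the tuple ('u!=v', 'v!=w', 'u=w')."""
    seen, lemmas = Counter(), []
    for assumed in conflicts:
        for u, v, w in implied_equalities(assumed)[1]:
            seen[(u, v, w)] += 1
            if seen[(u, v, w)] == threshold:
                lemmas.append((f"{u}!={v}", f"{v}!={w}", f"{u}={w}"))
    return lemmas

def diamond_branch(choices):
    """Constructed sample: one DPLL(T) branch through a 3-diamond instance of
    the slides' formula; choices[i] picks the b_i or c_i path of diamond i."""
    assumed = []
    for i, side in enumerate(choices, start=1):
        assumed += [(f"a{i}", f"{side}{i}"), (f"{side}{i}", f"a{i + 1}")]
    return assumed

# Three branches that all run into the asserted ¬(a1 ≃ a4).
CONFLICTS = [diamond_branch("bbb"), diamond_branch("bcb"), diamond_branch("bbc")]

if __name__ == "__main__":
    for clause in dynamic_transitivity_lemmas(CONFLICTS):
        print(" ∨ ".join(clause))           # e.g. a1!=b1 ∨ b1!=a2 ∨ a1=a2
```

Edges through c2 and c3 occur in only one conflict each, so no lemma is generated for them; the recurring diamond-1 step yields exactly the slide 16 clause.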

  20. $a < x_1 \wedge a < x_2 \wedge (x_1 < b \vee x_2 < b) \wedge b < y_1 \wedge b < y_2 \wedge (y_1 < c \vee y_2 < c) \wedge c < z_1 \wedge c < z_2 \wedge (z_1 < a \vee z_2 < a)$
     [Diagram: the constraint graph over $a, b, c$ and $x_1, x_2, y_1, y_2, z_1, z_2$, drawn as the cycle $a \to x_1/x_2 \to b \to y_1/y_2 \to c \to z_1/z_2 \to a$ with its ∧ and ∨ edges]

  21. Top two most active vertices. [Diagram: the graph of slide 20 with $x_1$, $a$ and $b$ highlighted; $y_2$, $z_2$, $c$ shown.] Add clause $a < x_1 < b \rightarrow a < b$.

  22. Modern SMT solvers find resolution proofs, unlike SAT solvers: SMT $>_p$ RES. The gap is real enough. Presented a technique for equalities, based on applying resolution to conflicts; dynamic, to address the junk from literal introduction. Just one of many possible optimizations, e.g. cutting-plane proofs, arbitrary cuts (Frege). The devil is in the theory.
