z3str3 a string solver with theory aware heuristics
play

Z3str3: A String Solver with Theory-Aware Heuristics Murphy Berzish - PowerPoint PPT Presentation

Apr 06, 2023 •555 likes •798 views

Z3str3: A String Solver with Theory-Aware Heuristics Murphy Berzish 1 , Yunhui Zheng 2 , Vijay Ganesh 1 1 University of Waterloo 2 IBM Research Outline l Background and overview l The Z3str3 string solver l New heuristics Theory-aware branching

  1. Z3str3: A String Solver with Theory-Aware Heuristics Murphy Berzish 1 , Yunhui Zheng 2 , Vijay Ganesh 1 1 University of Waterloo 2 IBM Research

  2. Outline l Background and overview l The Z3str3 string solver l New heuristics Theory-aware branching - Theory-aware case split optimization - l Experimental results l Future work and conclusions THE Z3STR3 STRING SOLVER PAGE 2

  3. Overview l String SMT solvers increasingly used for security applications and analysis of string-intensive programs l Many tools developed to address these challenges and applications: Z3str2, CVC4, Norn, S3, Stranger l Need for more efficient solvers and heuristics: complex semantics, easy to create undecidable theories, crossover with strings and other theories (arithmetic, bit-vector) THE Z3STR3 STRING SOLVER PAGE 3

  4. Known Theoretical Results In 1946, Quine showed that the fully-quantified theory of word equations is l undecidable In 1940’s Markov suggested using word equations to settle Hilbert’s Tenth l Problem In 1968, Matiyasevich showed a reduction from word equations+length to l Diophantine In 1977, Makanin showed that the quantifier-free theory of word equations is l decidable In 2012, word equations with single quantifier-alternation was shown to be l undecidable [GRSM 2012] In 2016, word equations, length, string-integer conversion shown undecidable l [GB 2016] Matiyasevich’s challenge remains open l THE Z3STR3 STRING SOLVER PAGE 4

  5. Input Language of Z3str3 String and integer constants “abc”, “new\nline”, 123 String concatenation (str.++ “abc” “def”) String length (str.len “abcdef”) Integer arithmetic (+ 2 2) String equality (= X “abc”) Integer comparison (= X 42), (<= A 100) Regular language membership (str.in.re “aaa” (re.* (str.to.re “a”))) High-level string operations (str.prefixof “abc” “abcdef”), (str.contains X “abc”), ... THE Z3STR3 STRING SOLVER PAGE 5

  6. The Z3str3 String Solver l Successor to Z3-str and Z3str2 l Native first-class theory solver in Z3 SMT solver framework l Primary string solver in Z3 official release l Reasoning about strings, length, regular expressions, and high- level string operations l Direct access to the core solver of Z3 has enabled new heuristics THE Z3STR3 STRING SOLVER PAGE 6

  7. Architecture of Z3str3 THE Z3STR3 STRING SOLVER PAGE 7

  8. How Z3str3 Solves Word Equations l Given an equality between string terms, identify all possible arrangements of subterms l Generate smaller equations implied by the equality l Recursively split until the problem is directly solvable THE Z3STR3 STRING SOLVER PAGE 8

  9. Solving String Equations v Basic idea § Recursively split equations into smaller ones until they are directly solvable § Given an equation, identify all possible arrangements § Given an arrangement, generate smaller equations X . Y = M . N T X Y M N • Keep splitting until solved M = X . T Y = T . N Smaller • If conflicts detected, Equations rollback, try another arrangement

  10. Sync with Integer Theory v Consistent solutions in both theories § Z3str2 asserts new length constraints during search X . Y = M . N Len(T) > 0 Len(M) = Len(X) + Len(T) T Len(Y) = Len(T) + Len(N) X Y Z3 ok Z3str2 M N conflicts M = X . T Y = T . N • Keep splitting • Rollback. Try another arrangement

  11. Theory-Aware Branching l Traditional DPLL(T) architecture separates core (Boolean) solver from theory solvers l Theory solvers have contextual information which core solver doesn't know l Idea: use this to improve performance in core by preferring “easier” or “more important” literals THE Z3STR3 STRING SOLVER PAGE 11

  12. Theory-Aware Branching l Activity-based branching heuristic (similar to VSIDS): branch on literal with highest activity Activity increased by conflicts, decays over time - l Theory solvers can increase or decrease activity of literals l Advantage: give the core solver information regarding the relative importance of each branch , allowing the theory solver to exert additional control over the search . THE Z3STR3 STRING SOLVER PAGE 12

  13. Theory-Aware Branching l Consider the case where the string solver learns X . Y = A . B (for non-constant terms A, B, X, Y) l The solver considers three possible arrangements: - X = A, Y = B - X = A . s 1 , s 1 . Y = B for a fresh non-empty string s 1 - X . s 2 = A, Y = s 2 . B for a fresh non-empty string s 2 l The first arrangement is the simplest to check : no new variables l Theory solver adds activity to the literal corresponding to this arrangement; this prioritizes checking it THE Z3STR3 STRING SOLVER PAGE 13

  14. Theory-Aware Case Split l A different way to use information from theory solvers to guide search in the core l Theory solver can create disjunctions of Boolean literals which are pairwise mutual exclusive l We refer to this as a “theory case split” THE Z3STR3 STRING SOLVER PAGE 14

  15. Theory-Aware Case Split l Consider the case where the string solver learns: X . Y = s = c 1 c 2 c 3 ...c n for variables X, Y and where each c i is a single character in the string constant s l There are n+1 possible ways in which we can split s over X and Y l Each arrangement represents a mutually exclusive case THE Z3STR3 STRING SOLVER PAGE 15

  16. Theory-Aware Case Split l The Boolean abstraction hides the fact that these are mutually exclusive cases l Naive solution encodes O(n 2 ) extra mutual exclusion clauses l Congruence closure can “discover” this fact, but this can result in unnecessary backtracking l Previous work has investigated alternate encodings, e.g. totalizers and lazy cardinality l Our heuristic implements this mutual exclusion in the inner loop of Z3's core solver in a theory-aware manner THE Z3STR3 STRING SOLVER PAGE 16

  17. Theory-Aware Case Split l Theory solver provides a set S of mutually-exclusive literals to the core solver l During branching, core solver checks whether the current branching literal is in some set S. If yes, that literal is assigned true and all other literals in S are assigned false. l During propagation, if the core solver assigns a literal in some set S, the solver must check whether any two literals L 1 , L 2 in S have both been assigned true. If so, the core solver generates conflict clause (not L 1 or not L 2 ) THE Z3STR3 STRING SOLVER PAGE 17

  18. Experimental Results Kaluza benchmark results. Timeout = 20 seconds. THE Z3STR3 STRING SOLVER PAGE 18

  19. Experimental Results Input Z3str3 Z3str2 CVC4 S3 result time (s) result time (s) result time (s) result time (s) pisa-000.smt2 sat 0.03 sat 0.25 sat 0.08 sat 0.07 pisa-001.smt2 sat 0.05 sat 0.19 sat 0.00 sat 0.07 pisa-002.smt2 sat 0.03 sat 0.10 sat 0.00 sat 0.05 pisa-003.smt2 unsat 0.02 unsat 0.02 unsat 0.01 unsat 0.02 pisa-004.smt2 unsat 0.02 unsat 0.05 unsat 0.39 unsat 0.05 pisa-005.smt2 sat 0.02 sat 0.14 sat 0.02 sat 0.04 pisa-006.smt2 unsat 0.03 unsat 0.05 unsat 0.32 unsat 0.05 pisa-007.smt2 unsat 0.02 unsat 0.05 unsat 0.37 unsat 0.05 pisa-008.smt2 sat 0.43 timeout 20.00 timeout 20.00 unsat X 4.73 pisa-009.smt2 sat 0.60 sat 0.62 sat 0.00 timeout 20.00 pisa-010.smt2 sat 0.02 sat 0.09 sat 0.00 unsat X 0.02 pisa-011.smt2 sat 0.03 sat 0.06 sat 0.00 unsat X 0.02 PISA benchmark results. Timeout = 20 seconds. X = incorrect response. THE Z3STR3 STRING SOLVER PAGE 19

  20. Experimental Results Input Z3str3 Z3str2 CVC4 S3 result time (s) result time (s) result time (s) result time (s) t01.smt2 sat 0.18 sat 1.31 sat 0.01 sat 0.23 t02.smt2 sat 0.17 sat 0.38 sat 0.01 unknown 0.04 t03.smt2 sat 0.27 sat 9.54 sat 3.82 sat X 0.14 t04.smt2 sat 0.73 sat 4.45 timeout 20.00 sat X 0.10 t05.smt2 sat 0.57 sat 16.84 sat 3.87 sat X 0.55 t06.smt2 sat 0.02 sat 0.15 sat 0.01 sat 0.13 t07.smt2 sat 2.18 sat 0.25 sat 0.00 unknown 0.02 t08.smt2 sat 0.03 sat 0.25 sat 0.17 sat X 0.03 IBM AppScan benchmark results. Timeout = 20 seconds. X = incorrect response. THE Z3STR3 STRING SOLVER PAGE 20

  21. Experimental Results No heuristics Theory-aware Theory-aware Both heuristics branching case split sat 35079 35147 35092 35147 unsat 11799 11799 11799 11799 unknown 221 230 223 223 timeout 185 108 170 115 Total time (s) 6252.26 6055.04 5027.35 4939.52 Performance comparison with individual heuristics. Times taken over Kaluza benchmark. Timeout = 20 seconds. Total time includes all solved, timeout, and unknown instances. THE Z3STR3 STRING SOLVER PAGE 21

  22. Future Work l Improved heuristics for mutually referential terms (“overlapping variables”) l String + bit-vector reasoning l Regular expression support l CFG support THE Z3STR3 STRING SOLVER PAGE 22

  23. Conclusions l We present the Z3str3 string solver, newest in the Z3-str line l Primary string solver used by Z3 official release l Improved performance over predecessor and competitors on majority of industrial benchmarks l Heuristics are broadly applicable to SMT solvers https://sites.google.com/site/z3strsolver https://github.com/Z3prover/Z3 THE Z3STR3 STRING SOLVER PAGE 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

String Theory Ideology Or Tool Box Plan What is string theory? Unification ideology.

String Theory Ideology Or Tool Box Plan What is string theory? Unification ideology.

String Theory Ideology Or Tool Box Plan What is string theory? Unification ideology. What is duality in physics? Open-Closed string duality, the bridge between string theory and quantum field theory. String theory as a

514 views • 40 slides
What Is String Theory? An Introduction for Data Scientists Tom Rudelius IAS String Data 2017

What Is String Theory? An Introduction for Data Scientists Tom Rudelius IAS String Data 2017

What Is String Theory? An Introduction for Data Scientists Tom Rudelius IAS String Data 2017 Financial Support: Carl Feinberg Illustration Credit: Aliisa Lee Bocarsly Outline I. Illustrated Introduction to String Theory II. The String

816 views • 54 slides
Symmetry and Geometry in String Theory Symmetry and Extra Dimensions String/M Theory Rich

Symmetry and Geometry in String Theory Symmetry and Extra Dimensions String/M Theory Rich

Symmetry and Geometry in String Theory Symmetry and Extra Dimensions String/M Theory Rich theory, novel duality symmetries and exotic structures Supergravity limit - misses stringy features Infinite set of fields: misses dualities

613 views • 34 slides
String Theory in the LHC Era J Marsano (marsano@uchicago.edu) 1 Tuesday, May 1, 12 String

String Theory in the LHC Era J Marsano (marsano@uchicago.edu) 1 Tuesday, May 1, 12 String

String Theory in the LHC Era J Marsano (marsano@uchicago.edu) 1 Tuesday, May 1, 12 String Theory in the LHC Era 1. Electromagnetism and 5. Physics Beyond the Standard Model Special Relativity and Supersymmetry 2. The Quantum World 6.

1.2k views • 78 slides
Gaugino masses from string loops problem: m 1 / 2 = 0 to lowest order generated by string

Gaugino masses from string loops problem: m 1 / 2 = 0 to lowest order generated by string

I. Antoniadis CERN Gaugino masses from string loops problem: m 1 / 2 = 0 to lowest order generated by string loop corrections Framework: type I string theory effective field theory: may be still tree-level closed string gravity

419 views • 14 slides
String Matching II Algorithm : Design &amp; Analysis [19] In the last class Simple String

String Matching II Algorithm : Design &amp; Analysis [19] In the last class Simple String

String Matching II Algorithm : Design &amp; Analysis [19] In the last class Simple String Matching KMP Flowchart Construction Jump at Fail KMP Scan String Matching II Boyer-Moores heuristics Skipping unnecessary

705 views • 22 slides
String Theory in the LHC Era J Marsano (marsano@uchicago.edu) 1 Friday, April 27, 12 String

String Theory in the LHC Era J Marsano (marsano@uchicago.edu) 1 Friday, April 27, 12 String

String Theory in the LHC Era J Marsano (marsano@uchicago.edu) 1 Friday, April 27, 12 String Theory in the LHC Era 1. Electromagnetism and 5. Supersymmetry Special Relativity 2. The Quantum World 6. Einsteins Gravity 3. Why do we need

826 views • 70 slides
String Theory in the LHC Era J Marsano (marsano@uchicago.edu) 1 Tuesday, April 3, 12 String

String Theory in the LHC Era J Marsano (marsano@uchicago.edu) 1 Tuesday, April 3, 12 String

String Theory in the LHC Era J Marsano (marsano@uchicago.edu) 1 Tuesday, April 3, 12 String Theory in the LHC Era 1. Electromagnetism and 5. Supersymmetry Special Relativity 2. The Quantum World 6. Einsteins Gravity 3. Why do we need

953 views • 68 slides
String Theory in the LHC Era J Marsano (marsano@uchicago.edu) 1 Friday, April 20, 12 String

String Theory in the LHC Era J Marsano (marsano@uchicago.edu) 1 Friday, April 20, 12 String

String Theory in the LHC Era J Marsano (marsano@uchicago.edu) 1 Friday, April 20, 12 String Theory in the LHC Era 1. Electromagnetism and 5. Supersymmetry Special Relativity 2. The Quantum World 6. Einsteins Gravity 3. Why do we need

853 views • 73 slides
String Theory in the LHC Era J Marsano (marsano@uchicago.edu) 1 Thursday, April 12, 12 String

String Theory in the LHC Era J Marsano (marsano@uchicago.edu) 1 Thursday, April 12, 12 String

String Theory in the LHC Era J Marsano (marsano@uchicago.edu) 1 Thursday, April 12, 12 String Theory in the LHC Era 1. Electromagnetism and 5. Supersymmetry Special Relativity 2. The Quantum World 6. Einsteins Gravity 3. Why do we need

1.07k views • 81 slides
Double Field Theory, String Field Theory and T -Duality CMH &amp; Barton Zwiebach What is

Double Field Theory, String Field Theory and T -Duality CMH &amp; Barton Zwiebach What is

Double Field Theory, String Field Theory and T -Duality CMH &amp; Barton Zwiebach What is string theory? Supergravity limit - misses stringy features Winding modes, T -duality, cocycles, algebraic structure not Lie algebra,... On

431 views • 22 slides
Aspects of string phenomenology I. Antoniadis CERN New Perspectives in String Theory: opening

Aspects of string phenomenology I. Antoniadis CERN New Perspectives in String Theory: opening

Aspects of string phenomenology I. Antoniadis CERN New Perspectives in String Theory: opening conference Galileo Galilei Institute, Florence, 6-8 April 2009 main questions and list of possibilities 1 phenomenology of low string scale 2

866 views • 27 slides
String Theory in the LHC Era J Marsano (marsano@uchicago.edu) 1 Tuesday, July 10, 12 String

String Theory in the LHC Era J Marsano (marsano@uchicago.edu) 1 Tuesday, July 10, 12 String

String Theory in the LHC Era J Marsano (marsano@uchicago.edu) 1 Tuesday, July 10, 12 String Theory in the LHC Era 5. Physics Beyond the Standard Model 1. Electromagnetism and and Supersymmetry (4/28) Special Relativity (3/31) 6.

695 views • 68 slides
Symmetries of String Theory and Early Introduction Universe Cosmology T-Duality: Key Symmetry

Symmetries of String Theory and Early Introduction Universe Cosmology T-Duality: Key Symmetry

String Cosmology R. Branden- berger Symmetries of String Theory and Early Introduction Universe Cosmology T-Duality: Key Symmetry of String Theory String Gas Cosmology Robert Brandenberger Structure Physics Department, McGill

1.22k views • 97 slides
Some Applications of String Field Theory Dealing with Infrared Issues Ashoke Sen Harish-Chandra

Some Applications of String Field Theory Dealing with Infrared Issues Ashoke Sen Harish-Chandra

Some Applications of String Field Theory Dealing with Infrared Issues Ashoke Sen Harish-Chandra Research Institute, Allahabad, India Kyoto, August 2016 1 Plan 1. Review of divergences in string theory 2. Use of string field theory in

863 views • 45 slides
Query-aware Test Generation Using a Relational Constraint Solver SHADI ABDUL KHALEK, BASSEM

Query-aware Test Generation Using a Relational Constraint Solver SHADI ABDUL KHALEK, BASSEM

Query-aware Test Generation Using a Relational Constraint Solver SHADI ABDUL KHALEK, BASSEM ELKARABLIEH, YAI O. LALEYE, SARFRAZ KHURSHID ASE08 PRESENTED BY: YUSHAN ZHANG 1 http://ieeexplore.ieee.org/document/4639327/ 2020/10/8 Blackbox

434 views • 18 slides
Informed Search A* Algorithm CE417: Introduction to Artificial Intelligence Sharif University of

Informed Search A* Algorithm CE417: Introduction to Artificial Intelligence Sharif University of

Informed Search A* Algorithm CE417: Introduction to Artificial Intelligence Sharif University of Technology Spring 2018 Soleymani Artificial Intelligence: A Modern Approach , Chapter 3 Most slides have been adopted from Klein and

1.2k views • 89 slides
Heuristic Search 1/25/17 Generic search algorithm add start to frontier while frontier not

Heuristic Search 1/25/17 Generic search algorithm add start to frontier while frontier not

Heuristic Search 1/25/17 Generic search algorithm add start to frontier while frontier not empty get state from frontier if state is goal return end if for neighbor of state add neighbor to frontier end for end while Uninformed Search

110 views • 10 slides
Revisiting Graph Coloring Register Allocation A Study of the Chaitin-Briggs and Callahan-Koblenz

Revisiting Graph Coloring Register Allocation A Study of the Chaitin-Briggs and Callahan-Koblenz

Revisiting Graph Coloring Register Allocation A Study of the Chaitin-Briggs and Callahan-Koblenz Algorithms Keith Cooper, Anshuman Dasgupta, Jason Eckhardt Presenter: Anshuman Dasgupta Register Allocation Process of mapping values in the

746 views • 26 slides
Heuristics Dr Matthew Hyde mvh@cs.nott.ac.uk Prof Edmund Burke, Prof Graham Kendall, Dr John

Heuristics Dr Matthew Hyde mvh@cs.nott.ac.uk Prof Edmund Burke, Prof Graham Kendall, Dr John

The Genetic and Evolutionary Computation Conference GECCO 2011 Human Competitive Awards Evolving Two Dimensional Strip Packing Heuristics Dr Matthew Hyde mvh@cs.nott.ac.uk Prof Edmund Burke, Prof Graham Kendall, Dr John Woodward University of

388 views • 18 slides
Feasibility Pump Heuristics for Column Generation Approaches Ruslan Sadykov 2 Pierre Pesneau 1 , 2

Feasibility Pump Heuristics for Column Generation Approaches Ruslan Sadykov 2 Pierre Pesneau 1 , 2

Feasibility Pump Heuristics for Column Generation Approaches Ruslan Sadykov 2 Pierre Pesneau 1 , 2 Francois Vanderbeck 1 , 2 1 University Bordeaux I 2 INRIA Bordeaux Sud-Ouest SEA 2012 Bordeaux, France, June 9, 2012 1 / 29 Outline Generic

427 views • 29 slides
Local Search Heuristics for Facility Location Problems Rohit Khandekar Dept. of Computer Science

Local Search Heuristics for Facility Location Problems Rohit Khandekar Dept. of Computer Science

Local Search Heuristics for Facility Location Problems Rohit Khandekar Dept. of Computer Science and Engineering, Indian Institute of Technology Delhi Joint work with: Vijay Arya, Naveen Garg, Vinayaka Pandit Kamesh Munagala, Adam Meyerson

999 views • 84 slides
Heuristic Search Heuristic Search Romania: Arad Bucharest (for example) Romania:

Heuristic Search Heuristic Search Romania: Arad Bucharest (for example) Romania:

Bookkeeping Informed Search AI Class 5 (Ch. 3.5-3.7) Next lecture: Python for AI Eight decades of AI (okay, 4) Based on slides by Dr. Marie desJardin. Some material also adapted from slides by Dr. Matuszek @ Villanova University,

381 views • 10 slides
CPSC 213 Introduction to Computer Systems Unit 1d Static Control Flow 1 Reading Companion

CPSC 213 Introduction to Computer Systems Unit 1d Static Control Flow 1 Reading Companion

CPSC 213 Introduction to Computer Systems Unit 1d Static Control Flow 1 Reading Companion 2.7.1-2.7.3, 2.7.5-2.7.6 Textbook 3.6.1-3.6.5 2 Control Flow The flow of control is the sequence of instruction executions

541 views • 21 slides

More recommend