Scientific and technical seminar "Microsoft Z3: how to teach a computer to prove theorems and test programs", 2 October 2012.
Nikolaj Bjørner, Senior Researcher, Microsoft Research.
Nikolaj Bjørner, "Program Analysis and Testing using Efficient Satisfiability Modulo Theories Solvers"
1. Program Analysis and Testing using Satisfiability Modulo Theories
Yandex, 2 October 2012, Moscow
Nikolaj Bjørner, Senior Researcher, Microsoft Research
2. Agenda
Context: Software Engineering Research @ Microsoft
Propaganda: Software Engineering Research Tools
Application: Fuzzing and Test Case Generation
Application: Program Verification & Bit precise Analysis
Application: String analysis - Formal Language Theory for Security
Technology: Z3 – An Efficient SMT Solver - Basics and Research
3. Takeaways
Context: Awareness about Microsoft Research
Propaganda: Cool software engineering research projects
Applications: Logic is the Calculus of Computation. Program analysis tools use logic at their core.
Technology: Z3 – An Efficient SMT Solver. Modern SAT/SMT solver search in one slide and the dichotomies of modern constraint search engines.
I would rather address questions during the talk and tune the highlighted material according to interest (there are 3x too many slides).
4. Context
Team (Z3 – An Efficient SMT Solver): Leonardo de Moura, Nikolaj Bjørner, Christoph Wintersteiger
5. Context
Research in Software Engineering Group: Improve Software Development Productivity
7. Context
Microsoft Research Labs
[Chart: Research is about 1% of the company; the remainder is Sales, Support, R&D and Marketing; headcount labels ~40000 and ~50000.]
8. Propaganda
Core Expertise: Empirical Software Engineering; Foundations (Logic); Program Analysis; Programming Languages; Performance, Reliability, Security; Design & Implementation
12. Propaganda
Core Expertise – Empirical Software Engineering: Analytics: what code is prone to bugs (what code should I be testing), for VS 2012 Team Foundation Server
16. Application
Fuzzing and Test Case Generation
SAGE: internal, for security fuzzing, runs on x86 instructions.
Pex: external, for developers, runs on .NET code. Try it on: http://pex4fun.com
Finding security bugs before the black hat hackers.
17. Application: Fuzzing and Testing
Fuzzing and Test Case Generation – Dr. Strangelove?
Bug ***433, SAGE, 2/29/2012 3:41 PM, edited by *****: SubStatus -> Local Fix
"I think the fuzzers are starting to become sentient. We must crush them before it is too late. In this case, the fuzzer figured out that if [X was between A and B then Y would get set to Z triggering U and V to happen……] ….. And if this fuzzer asks for the nuclear launch codes, don't tell it what they are …"
18. Application: Fuzzing and Testing
SAGE by numbers
100s CPU-years - largest dedicated fuzz lab in the world
100s apps - fuzzed using SAGE
100s previously unknown bugs found
Billion+ computers updated with bug fixes
Millions of $ saved for Users and Microsoft
10s of related tools (incl. Pex), 100s DART citations
3+ Billion constraints - largest usage for any SMT solver
Adapted from [Patrice Godefroid, ISSTA 2010]
19. Application
Test case generation

unsigned GCD(x, y) {
    requires(y > 0);
    while (true) {
        unsigned m = x % y;
        if (m == 0) return y;
        x = y;
        y = m;
    }
}
20–21. Application
Test case generation: we want a trace where the loop is executed twice.

Program (left) and its SSA constraint system (right):

unsigned GCD(x, y) {
    requires(y > 0);                 (y0 > 0) and
    while (true) {
        unsigned m = x % y;          (m0 = x0 % y0) and
        if (m == 0) return y;        not (m0 = 0) and
        x = y;                       (x1 = y0) and
        y = m;                       (y1 = m0) and
                                     (m1 = x1 % y1) and
    }                                (m1 = 0)
}

Solver output, a model of the constraints: x0 = 2, y0 = 4, m0 = 2, x1 = 4, y1 = 2, m1 = 0.
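The SSA path condition from slides 20–21, as an added example that is not part of the original talk: the constraint system is written as a C predicate, the GCD loop is instrumented to count iterations, and a bounded enumeration stands in for the SMT solver. The names path_loop_twice, gcd_run and find_input are assumed.

```c
/* Added example, not from the talk: the SSA path condition on the slide
 * written as a C predicate, plus a bounded enumeration that stands in for the
 * SMT solver by hunting for inputs that run the GCD loop exactly twice.
 * The names path_loop_twice, gcd_run and find_input are assumed. */
#include <stdbool.h>
#include <stdio.h>

struct run   { unsigned gcd, iters; };
struct model { bool found; unsigned x, y; };

/* The constraint system from the slide, in SSA form:
 *   y0 > 0, m0 = x0 % y0, not (m0 = 0), x1 = y0, y1 = m0, m1 = x1 % y1, m1 = 0
 * Returns true exactly when (x0, y0) satisfies every conjunct. */
static bool path_loop_twice(unsigned x0, unsigned y0) {
    if (!(y0 > 0)) return false;         /* requires(y > 0) */
    unsigned m0 = x0 % y0;
    if (m0 == 0) return false;           /* not (m0 = 0): no exit on first pass */
    unsigned x1 = y0, y1 = m0;           /* x = y; y = m */
    unsigned m1 = x1 % y1;
    return m1 == 0;                      /* exit on the second pass */
}

/* GCD from the slide, instrumented to count how often the loop body ran. */
static struct run gcd_run(unsigned x, unsigned y) {
    struct run r = {0, 0};
    while (true) {
        unsigned m = x % y;
        r.iters++;
        if (m == 0) { r.gcd = y; return r; }
        x = y;
        y = m;
    }
}

/* Solver stand-in: search the box [0,bound) x [1,bound) for the first model. */
static struct model find_input(unsigned bound) {
    struct model m = {false, 0, 0};
    for (unsigned a = 0; a < bound; a++)
        for (unsigned b = 1; b < bound; b++)
            if (path_loop_twice(a, b)) { m.found = true; m.x = a; m.y = b; return m; }
    return m;
}

int main(void) {
    struct model m = find_input(16);
    if (m.found) {
        struct run r = gcd_run(m.x, m.y);
        printf("model x=%u y=%u drives the loop %u times, gcd=%u\n", m.x, m.y, r.iters, r.gcd);
    }
    return 0;
}
```

The slide's model (x0 = 2, y0 = 4) satisfies the predicate; the enumeration finds the smaller model (1, 2) first, which also runs the loop exactly twice.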
22. Application: Fuzzing and Testing
Test Case Generation Procedure (a loop):
1. Start from seed test inputs.
2. Run the test and monitor the execution path.
3. Record the path condition as a constraint system.
4. Solve for an unexplored path, checking against the set of known paths.
5. The solution is a new input; return to step 2.
23. Application: Scalable bit-precise analysis
What is wrong here?

int binary_search(int[] arr, int low,
                  int high, int key)
{
    while (low <= high)
    {
        // Find middle value
        int mid = (low + high) / 2;
        int val = arr[mid];
        if (val == key) return mid;
        if (val < key) low = mid+1;
        else high = mid-1;
    }
    return -1;
}
Package: java.util.Arrays. Function: binary_search.
Answer: (INT_MAX+1)/2 + (INT_MAX+1)/2 = INT_MIN, so low + high overflows and mid goes negative.

void itoa(int n, char* s) {
    if (n < 0) {
        *s++ = '-';
        n = -n;
    }
    // Add digits to s
    ….
}
Book: Kernighan and Ritchie. Function: itoa (integer to ascii).
Answer: -INT_MIN = INT_MIN, so the negation does not make n positive.
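The two overflows on slide 23, as an added example that is not part of the original talk: each wrap is reproduced bit-precisely in defined (unsigned) arithmetic and placed beside a hardened version. All function names (wrap_add, mid_naive, mid_safe, wrap_neg, itoa_safe, itoa_matches) are assumed, not from K&R or java.util.Arrays.

```c
/* Added example, not from the talk: the two overflows behind "what is wrong
 * here?", reproduced bit-precisely and placed beside hardened versions.
 * All function names here are assumed, not from K&R or java.util.Arrays. */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Two's-complement wrapping add, done in unsigned so it is defined behaviour;
 * signed overflow in plain C would be undefined. */
static int wrap_add(int a, int b) {
    unsigned s = (unsigned)a + (unsigned)b;
    return s <= (unsigned)INT_MAX ? (int)s : (int)(s - (unsigned)INT_MAX - 1u) + INT_MIN;
}

/* Midpoint as written on the slide: (low + high) / 2.
 * With low = high = (INT_MAX+1)/2 the sum wraps to INT_MIN and mid goes negative. */
static int mid_naive(int low, int high) { return wrap_add(low, high) / 2; }

/* Hardened midpoint: high - low cannot overflow when 0 <= low <= high. */
static int mid_safe(int low, int high) { return low + (high - low) / 2; }

/* Negation on the slide: -INT_MIN has no int representation, so it wraps to INT_MIN. */
static int wrap_neg(int n) { return n == INT_MIN ? INT_MIN : -n; }

/* Hardened itoa: take the magnitude in unsigned arithmetic, so INT_MIN never
 * passes through n = -n. Returns characters written, or 0 if cap is too small. */
static size_t itoa_safe(int n, char *s, size_t cap) {
    char tmp[12];
    size_t len = 0, i = 0;
    unsigned mag = n < 0 ? 0u - (unsigned)n : (unsigned)n;   /* 2147483648 for INT_MIN */
    do { tmp[len++] = (char)('0' + mag % 10); mag /= 10; } while (mag);
    if (n < 0) tmp[len++] = '-';
    if (len + 1 > cap) return 0;
    while (len) s[i++] = tmp[--len];
    s[i] = '\0';
    return i;
}

/* Helper for checking itoa_safe output against an expected string. */
static bool itoa_matches(int n, const char *expect) {
    char buf[16];
    return itoa_safe(n, buf, sizeof buf) == strlen(expect) && strcmp(buf, expect) == 0;
}
```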
25. Application: Verification
Hypervisor Verification (2007 – 2010), with partners:
• European Microsoft Innovation Center
• Microsoft Research
• Microsoft's Windows Division
• Universität des Saarlandes
Co-funded by the German Ministry of Education and Research. http://www.verisoftxt.de
[Figure: hypervisor layered over hardware.]
27. Application: Verification
SAT/SMT progress driven by applications:
[Chart: VCC Performance Trends Nov 08 – Mar 09, log scale 0.1 to 1000, annotated with "Modification in invariant checking", "Switch to Z3 v2", "Z3 v2 update", "Attempt to improve Boogie/Z3 interaction", "Switch to Boogie2".]
28. Application: Verification
Verification Attempt Time vs. Satisfaction and Productivity, by Michal Moskal (VCC Designer and Software Verification Expert).
Language quiz: "loose" or "lose"?
41–42. Technology
SMT: Satisfiability Modulo Theories
Is formula F satisfiable (over the theory of reals)? The answer comes with a solution/model (a witness) or a proof:
$x^2 + y^2 < 1 \;\text{and}\; xy > 0.1$: sat, witness $x = \tfrac{1}{8},\; y = \tfrac{7}{8}$
$x^2 + y^2 < 1 \;\text{and}\; xy > 1$: unsat, proof
SAGE asks: is execution path P feasible? Is assertion X violated?
47. Technology
Job Shop Scheduling: machines, tasks, jobs. P = NP? Laundry. $\zeta(s) = 0 \Rightarrow s = \tfrac{1}{2} + ir$
48. Technology
Job Shop Scheduling
Constraints:
Precedence: between two tasks of the same job.
Resource: machines execute at most one job at a time, e.g. $[\mathit{start}_{2,2} .. \mathit{end}_{2,2}] \cap [\mathit{start}_{4,2} .. \mathit{end}_{4,2}] = \emptyset$
52–55. Technology
Microsoft Tools using Z3
Z3 is used by many research groups. More than 19k downloads. Z3 places 1st in most categories in SMT competitions.
SAGE: Z3 solved more than 3 billion constraints created by SAGE, checking Win8 and Office.
HAVOC, Vigilante.
Z3 ships in Windows Server with the Static Driver Verifier.
Z3 used to check Azure Firewall Policies.
56–59. Technology
Research Areas: algorithms, decidable fragments, heuristics.
Complexity ladder: Undecidable (FOL + LIA), Semi-decidable (FOL), NEXPTIME (EPR), PSPACE (QBF), NP (SAT).
Decidable fragments: Essentially Uninterpreted Formulas, Quantified Bit-Vector Logic, Generalized array theory.
Practical problems often have structure that can be exploited.
Logic is "The Calculus of Computer Science" – Zohar Manna
60. Technology
Little Engines of Proof
Freely available from http://research.microsoft.com/projects/z3
61. Technology
Research around Z3 (M = de Moura, B = Bjørner)
Decision Procedures
Modular Difference Logic is Hard. TR 08, B, Blass, Gurevich, Musuvathi.
Linear Functional Fixed-points. CAV 09, B & Hendrix.
A Priori Reductions to Zero for Strategy-Independent Gröbner Bases. SYNASC 09, M & Passmore.
Efficient, Generalized Array Decision Procedures. FMCAD 09, M & B.
Quantifier Elimination as an Abstract Decision Procedure. IJCAR 10, B.
Cutting to the Chase. CADE 11, Jovanović, M.
Polynomials. IJCAR 12, Jovanović, M.
Combining Decision Procedures
Model-based Theory Combination. SMT 07, M & B.
Proofs, Refutations and Z3. IWIL 08, M & B.
On Locally Minimal Nullstellensatz Proofs. SMT 09, M & Passmore.
A Concurrent Portfolio Approach to SMT Solving. CAV 09, Wintersteiger, Hamadi & M.
Conflict Directed Theory Resolution. Cambridge Univ. Press 12, M & B.
Quantifiers, quantifiers, quantifiers
Efficient E-matching for SMT Solvers. CADE 07, M & B.
Relevancy Propagation. TR 07, M & B.
Deciding Effectively Propositional Logic using DPLL and substitution sets. IJCAR 08, M & B.
Engineering DPLL(T) + saturation. IJCAR 08, M & B.
Complete instantiation for quantified SMT formulas. CAV 09, Ge & M.
On deciding satisfiability by DPLL(Γ + T) and unsound theorem proving. CADE 09, Bonacina, M & Lynch.
Generalized PDR. SAT 12, Hoder & B.
65. Technology
Core Engine in Z3: Modern DPLL/CDCL (customized from [Nieuwenhuis, Oliveras, Tinelli, J.ACM 06])

Initialize: $\epsilon \mid F$, where $F$ is a set of clauses
Decide: $M \mid F \Longrightarrow M, \ell \mid F$, if $\ell$ is unassigned
Propagate: $M \mid F, C \vee \ell \Longrightarrow M, \ell^{C \vee \ell} \mid F, C \vee \ell$, if $C$ is false under $M$
Sat: $M \mid F \Longrightarrow M$, if $F$ is true under $M$
Conflict: $M \mid F, C \Longrightarrow M \mid F, C \mid C$, if $C$ is false under $M$
Learn: $M \mid F \mid C \Longrightarrow M \mid F, C \mid C$
Unsat: $M \mid F \mid \emptyset \Longrightarrow \mathit{Unsat}$
Backjump: $M M' \mid F \mid C \vee \ell \Longrightarrow M \ell^{C \vee \ell} \mid F$, if $C$ is false under $M$ and $\neg\ell \in M'$
Resolve: $M \mid F \mid C' \vee \neg\ell \Longrightarrow M \mid F \mid C' \vee C$, if $\ell^{C \vee \ell} \in M$
Forget: $M \mid F, C \Longrightarrow M \mid F$, if $C$ is a learned clause
Restart: $M \mid F \Longrightarrow \epsilon \mid F$

One expert to another: "It took me a year to understand the MiniSat FUIP code" – Mate Soos to Niklas Sörensson, over ice-cream at SAT 2012 in Trento.
66. Technology
Mile High: Modern SMT procedures
Backtrack / Backjump: efficiently, to an equi-satisfiable state.
Models: values that satisfy the formula; a way to certify satisfiability.
Conflict Lemmas: learn new facts that prune as many dead branches as possible.
Proofs: a way to certify unsatisfiability.
Propagate: efficient indexing for propagating consequences.
68. Technology
Research: Solving ℝ Efficiently (Dejan Jovanović & Leonardo de Moura, IJCAR 2012)
A key idea: use a partial solution to guide the search.
Feasible region: $x^3 + 2x^2 + 3y^2 - 5 < 0$, $-4xy - 4x + y > 1$, $x^2 + y^2 < 1$
Starting search with the partial solution $x = 0.5$. Can we extend it to $y$? What is the core?
69. Takeaways
Context: Awareness about Microsoft Research
Propaganda: Cool software engineering research projects.
Applications: Logic is the Calculus of Computation. Program analysis tools use logic at their core.
Technology: Z3 – An Efficient SMT Solver. Modern SAT/SMT solver search in one slide; dichotomies of modern constraint search engines.
70. Summary
An outline of Z3 – an efficient SMT solver: an efficient logic solver for SE tools tackling intractable problems. http://research.microsoft.com/projects/z3
Software Engineering Research @ Microsoft: http://rise4fun.com
Academic internships: http://research.microsoft.com/en-us/jobs/intern
Contact: http://research.microsoft.com/~nbjorner, nbjorner@microsoft.com