Program Analysis and Testing
using Satisfiability Modulo Theories

Yandex
2 October 2012, Moscow

Nikolaj Bjørner
Senior Researcher
Microsoft Research
Agenda

Context: Software Engineering Research @ Microsoft

Propaganda: Software Engineering Research Tools

Application: Fuzzing and Test Case Generation

Application: Program Verification & Bit-precise Analysis

Application: String analysis - Formal Language Theory for Security

Technology: Z3 – An Efficient SMT Solver - Basics and Research
Takeaways

Context: Awareness about Microsoft Research

Propaganda: Cool software engineering research projects

Applications: Logic is the Calculus of Computation
       Program analysis tools use logic at their core

Technology: Z3 – An Efficient SMT Solver.
      Modern SAT/SMT solver search in one slide and the
      dichotomies of modern constraint search engines.

I'd rather address questions during the talk and tune the highlighted
material according to interest (there are 3x too many slides).
Context

Team: Z3 – An Efficient SMT Solver
Leonardo de Moura, Nikolaj Bjørner, Christoph Wintersteiger
Context

Group: Research in Software Engineering
Improve Software Development Productivity
Context

Organization: Microsoft Research
Context

Company: Microsoft Research Labs

[Chart: Microsoft headcount by function: Sales, Support, Marketing ~50000; R&D ~40000; Research ~1%]
Propaganda

Core Expertise

Empirical Software Engineering
Foundations: Logic
Program Analysis: Performance, Reliability, Security
Programming Languages: Design & Implementation
Propaganda

Core Expertise

Empirical Software Engineering:
Analytics: what code is prone to bugs (what code should I be testing)
for VS 2012 Team Foundation Server
Propaganda

http://rise4fun.com/z3py
Propaganda

Academic Interns
Application

Fuzzing and Test Case Generation

SAGE                                   Pex
Internal. For Security Fuzzing         External. For Developers
Runs on x86 instructions               Runs on .NET code
                                       Try it on: http://pex4fun.com

Finding security bugs before the black hat hackers
Application: Fuzzing and Testing

Dr. Strangelove?

Bug: ***433
“2/29/2012 3:41 PM Edited by *****
SubStatus -> Local Fix

I think the fuzzers are starting to become sentient. We must crush them before it is too late.
In this case, the fuzzer figured out that if [X was between A and B then Y would get set to Z triggering U and V to happen……]
…..
And if this fuzzer asks for the nuclear launch codes, don’t tell it what they are …”
Application: Fuzzing and Testing

SAGE by numbers

100s CPU-years - largest dedicated fuzz lab in the world

100s apps - fuzzed using SAGE

100s previously unknown bugs found

Billion+ computers updated with bug fixes

Millions of $ saved for Users and Microsoft

10s of related tools (incl. Pex), 100s DART citations

3+ Billion constraints - largest usage for any SMT solver

Adapted from [Patrice Godefroid, ISSTA 2010]
Application

Test case generation

unsigned GCD(unsigned x, unsigned y) {
  requires(y > 0);            // precondition (contract annotation)
  while (true) {
    unsigned m = x % y;
    if (m == 0) return y;
    x = y;
    y = m;
  }
}

We want a trace where the loop is executed twice. Each assignment along that
trace gets a fresh name (SSA), and the path becomes the constraint

  (y0 > 0) and
  (m0 = x0 % y0) and
  not (m0 = 0) and
  (x1 = y0) and
  (y1 = m0) and
  (m1 = x1 % y1) and
  (m1 = 0)

The solver returns a model, i.e. concrete test inputs that drive execution down this path:

  x0 = 2, y0 = 4, m0 = 2, x1 = 4, y1 = 2, m1 = 0
Application: Fuzzing and Testing

Test Case Generation Procedure

[Diagram: seed → Test Inputs → Run Test and Monitor → Execution Path → Path Condition → Known Paths → Unexplored path → Constraint System → Solve → New input (fed back as Test Inputs)]
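The SSA encoding and the procedure above, as an added example that is not code from the slides, SAGE or Pex: a miniature concolic loop for the GCD function that records the branch sequence of a concrete run, renders it as the slide's SSA constraints, flips one branch and solves for a new input. The bounded enumeration in solve() is a stand-in for Z3 so the script runs offline; all names are this example's own.

```python
from itertools import product
from typing import List, Optional, Tuple

Branch = Tuple[int, bool]  # (loop iteration k, outcome of the test "m_k == 0")


def gcd_trace(x: int, y: int, limit: int = 64) -> List[Branch]:
    """Run GCD concretely and record which way the 'm == 0' test went in
    every iteration. requires(y > 0) is the caller's job (solve enforces it)."""
    branches: List[Branch] = []
    for k in range(limit):
        m = x % y
        branches.append((k, m == 0))
        if m == 0:
            return branches            # the program returns y here
        x, y = y, m
    raise RuntimeError("loop bound exceeded")


def path_condition(branches: List[Branch]) -> List[str]:
    """Render a branch sequence as the SSA constraints of the slide: every
    iteration k gets a fresh m_k, plus x_{k+1}, y_{k+1} when the loop continues."""
    cs = ["(y0 > 0)"]
    for k, taken in branches:
        cs.append(f"(m{k} = x{k} % y{k})")
        cs.append(f"(m{k} = 0)" if taken else f"not (m{k} = 0)")
        if not taken:
            cs += [f"(x{k + 1} = y{k})", f"(y{k + 1} = m{k})"]
    return cs


def solve(target: List[Branch], bound: int = 64) -> Optional[Tuple[int, int]]:
    """Stand-in for the SMT solver: bounded enumeration of inputs with y0 > 0,
    returning the first (x0, y0) whose execution follows the target prefix."""
    for x0, y0 in product(range(bound), range(1, bound)):
        if gcd_trace(x0, y0)[: len(target)] == target:
            return x0, y0
    return None


def generate_tests(seed: Tuple[int, int], max_tests: int = 4):
    """The procedure slide: run a test and monitor its path, flip each branch
    whose other side is not a known path, solve for a new input, repeat."""
    tests, known, worklist = [], set(), [seed]
    while worklist and len(tests) < max_tests:
        x0, y0 = worklist.pop(0)
        trace = gcd_trace(x0, y0)
        tests.append(((x0, y0), trace))
        known.add(tuple(trace))
        for i, (k, taken) in enumerate(trace):
            target = trace[:i] + [(k, not taken)]        # an unexplored path
            if any(p[: len(target)] == tuple(target) for p in known):
                continue
            model = solve(target)
            if model is not None:
                worklist.append(model)
    return tests


if __name__ == "__main__":
    for inputs, trace in generate_tests((2, 2)):
        print(inputs, " and ".join(path_condition(trace)))
```

Each generated input makes the loop run one more time than the previous one, which is exactly the "unexplored path" the procedure picks next.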
Application: Scalable bit-precise analysis

What is wrong here?

int binary_search(int[] arr, int low, int high, int key) {
  while (low <= high) {
    // Find middle value
    int mid = (low + high) / 2;   // (INT_MAX+1)/2 + (INT_MAX+1)/2 = INT_MIN
    int val = arr[mid];
    if (val == key) return mid;
    if (val < key) low = mid+1;
    else high = mid-1;
  }
  return -1;
}
Package: java.util.Arrays
Function: binary_search

void itoa(int n, char* s) {
  if (n < 0) {
    *s++ = '-';
    n = -n;                       // -INT_MIN = INT_MIN
  }
  // Add digits to s
  ….
}
Book: Kernighan and Ritchie
Function: itoa (integer to ascii)
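Both bugs on this slide, as an added example (not code from the slides, the JDK or Kernighan and Ritchie): the arithmetic is modelled bit-precisely at a configurable width, and the midpoint computation is checked exhaustively at 8 bits, the finite-domain analogue of what a bit-vector solver does symbolically for the real 32-bit types. All helper names are this example's own.

```python
from typing import Callable, Optional, Tuple


def wrap(v: int, bits: int) -> int:
    """Interpret v as a signed two's complement integer of the given width."""
    v &= (1 << bits) - 1
    return v - (1 << bits) if v >= 1 << (bits - 1) else v


def tdiv(a: int, b: int) -> int:
    """Integer division truncating toward zero, as C and Java do (Python floors)."""
    q = abs(a) // abs(b)
    return q if (a < 0) == (b < 0) else -q


def int_min(bits: int) -> int:
    return -(1 << (bits - 1))


def int_max(bits: int) -> int:
    return (1 << (bits - 1)) - 1


def mid_buggy(low: int, high: int, bits: int) -> int:
    """The slide's midpoint: the sum wraps before it is halved."""
    return tdiv(wrap(low + high, bits), 2)


def mid_fixed(low: int, high: int, bits: int) -> int:
    """low + (high - low) / 2: the difference of two valid indices cannot wrap."""
    return wrap(low + tdiv(wrap(high - low, bits), 2), bits)


def find_bad_mid(mid: Callable[[int, int, int], int], bits: int) -> Optional[Tuple[int, int]]:
    """Bounded check over every pair of indices 0 <= low <= high <= INT_MAX:
    return the first pair whose midpoint falls outside [low, high], else None."""
    for low in range(int_max(bits) + 1):
        for high in range(low, int_max(bits) + 1):
            if not low <= mid(low, high, bits) <= high:
                return low, high
    return None


def itoa_buggy(n: int, bits: int) -> str:
    """The K&R sketch: negate, then emit digits. n = -n is a no-op on INT_MIN,
    so the digit loop runs on a negative value and emits non-digit characters."""
    sign = "-" if n < 0 else ""
    if n < 0:
        n = wrap(-n, bits)
    digits = ""
    while True:                                   # do { ... } while ((n /= 10) > 0)
        digits = chr(ord("0") + (n - tdiv(n, 10) * 10)) + digits   # C's n % 10
        n = tdiv(n, 10)
        if n <= 0:
            break
    return sign + digits


def itoa_fixed(n: int, bits: int) -> str:
    """Take the magnitude as an unsigned value of the same width, where
    -INT_MIN is representable, so digits come from a non-negative number."""
    sign = "-" if n < 0 else ""
    mag = (-n) & ((1 << bits) - 1) if n < 0 else n
    return sign + str(mag)


if __name__ == "__main__":
    print("8-bit midpoint counterexample:", find_bad_mid(mid_buggy, 8))
    print("8-bit fixed midpoint:", find_bad_mid(mid_fixed, 8))
    print(itoa_buggy(int_min(8), 8), itoa_fixed(int_min(8), 8))
```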
Application: Scalable bit-precise analysis

Bit-precise analysis

[Figure: operations on bit-vectors]
Vector segments / Concatenation:     101011 ++ 011001 = 101011011001
Vector segments / Extraction:        101011[4:2] = 010
Bit-wise operations / Bit-wise and:  101011 & 011001 = 001001
Modular arithmetic / Addition:       101011 + 011001 = 000100
Application: Verification

Hypervisor Verification (2007 – 2010) with

Partners:
• European Microsoft Innovation Center
• Microsoft Research
• Microsoft’s Windows Division
• Universität des Saarlandes

[Figure: Hypervisor layered over Hardware]

co-funded by the German Ministry of Education and Research
http://www.verisoftxt.de
Application: Verification

Microsoft Verifying C Compiler
Application: Verification

SAT/SMT progress driven by applications:
VCC Performance Trends Nov 08 – Mar 09

[Chart: verification time on a log scale from 0.1 to 1000 over Nov 08 – Mar 09; annotated events: Modification in invariant checking; Switch to Z3 v2; Z3 v2 update; Switch to Boogie2; Attempt to improve Boogie/Z3 interaction]
Application: Verification

Verification Attempt Time vs. Satisfaction and Productivity

By Michal Moskal (VCC Designer and Software Verification Expert),
Language quiz: “loose” or “lose”?
Application: Verification

The Importance of Speed
Application: Verification

Building Verve (9 person-months)

[Diagram: build pipeline]
Source file:        Nucleus.bpl (x86)          Kernel.cs
Verification tool:  Boogie/Z3                  TAL checker
Compilation tool:   Translator/Assembler       C# compiler → Kernel.obj (x86)
Output:             Linker/ISO generator → Verve.iso (Verified)

Safe to the Last Instruction / Jean Yang & Chris Hawblitzel, PLDI 2010
Application: String Analysis

Why string analysis? (motivating scenario)

Tomcat v. < 6.0.18

req = http://www.x.com/%c0%ae%c0%ae/%c0%ae%c0%ae/private/

1) security check: req must not contain "../"
2) dir = utf8decode("%c0%ae%c0%ae/%c0%ae%c0%ae/private/") = "../../private/"

access granted to "../../private/"

Analysis question: Does utf8decode reject overlong utf8-encodings such as "%C0%AE" for '.'?

Windows 2000 vulnerability: http://www.sans.org/security-resources/malwarefaq/wnt-unicode.php
Apache Tomcat vulnerability: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2938
Application: String Analysis

Relativized Formal Language Theory

[Diagram: classical automata lifted to their symbolic counterparts]

Classical Word Acceptors (NFA, DFA)
  → Symbolic Word Acceptors = Classical Word Acceptors modulo Th()   (regex matching)

Classical Word Transducers (e.g. decoding automata, rational transductions)
Classical I/O Automata (e.g. Mealy machine)
  → Symbolic Word Transducers = Classical Word Transducers modulo Th()   (string transformation)
Rex & Bek – Symbolic RegEx & String Analysis

Application: Transducers

Margus Veanes
Application: String Analysis

Symbolic Finite Transducer (SFT)
• Classical transducer modulo a rich label theory
• Core Idea: represent labels with guarded transformation functions
  – Separation of concerns: finite graph / theory of labels

Concrete transitions (1920 transitions from p to q, one per code point):
  p --‘\x80’ / “\xC2\x80”--> q
  …
  p --‘\x7FF’ / “\xDF\xBF”--> q

Symbolic transition (a single guarded transition from p to q):
  guard:   $\lambda x.\ 80_{16} \le x \le 7FF_{16}$
  output (bitvector operations):   $[C0_{16} \mid x[10,6],\ 80_{16} \mid x[5,0]]$
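The scenario on the Tomcat slide and the 2-byte symbolic transition on the SFT slide, as one added example (not code from the slides, Tomcat, Rex or Bek): a lenient decoder that accepts overlong forms beside a strict one, the slide's check-then-decode order beside decode-then-check, and the guarded 2-byte encoder written out as a function. The request path is the slide's; the function names are this example's own.

```python
from urllib.parse import unquote_to_bytes

# The request path from the slide, used here as a constructed test vector.
REQ_PATH = "%c0%ae%c0%ae/%c0%ae%c0%ae/private/"


def utf8_decode_lenient(data: bytes) -> str:
    """A decoder that accepts every 110xxxxx 10xxxxxx pair, including the
    overlong ones; this is the behaviour that turns %c0%ae into '.'."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            raise ValueError(f"malformed or unsupported sequence at byte {i}")
    return "".join(out)


def utf8_decode_strict(data: bytes) -> str:
    """Python's codec rejects overlong forms (lead bytes C0/C1), as RFC 3629 requires."""
    return data.decode("utf-8")


def rejects_overlong(decode) -> bool:
    """The slide's analysis question, answered by exhaustive check: every code
    point below 0x80 has a 2-byte overlong form; a correct decoder rejects each."""
    for x in range(0x80):
        overlong = bytes([0xC0 | (x >> 6), 0x80 | (x & 0x3F)])
        try:
            decode(overlong)
        except (UnicodeDecodeError, ValueError):
            continue
        return False
    return True


def encode_2byte(x: int) -> bytes:
    """The SFT slide's single symbolic transition p -> q: guard 0x80 <= x <= 0x7FF,
    output [0xC0 | x[10:6], 0x80 | x[5:0]]. The guard is what keeps the encoder
    one-to-one: '.' (0x2E) has no 2-byte form, so a decoder must not accept one."""
    if not 0x80 <= x <= 0x7FF:
        raise ValueError("guard failed: not a 2-byte code point")
    return bytes([0xC0 | ((x >> 6) & 0x1F), 0x80 | (x & 0x3F)])


def authorize_as_on_slide(req: str, decode) -> str:
    """Step 1 checks the raw request, step 2 decodes it: the check never sees
    the string the decoder produces."""
    if "../" in req:
        return "denied"
    try:
        directory = decode(unquote_to_bytes(req))
    except (UnicodeDecodeError, ValueError):
        return "denied"            # malformed bytes fail closed
    return "granted:" + directory


def authorize_fixed(req: str, decode) -> str:
    """Decode first (failing closed), then run the traversal check on the
    string the file system will actually see."""
    try:
        directory = decode(unquote_to_bytes(req))
    except (UnicodeDecodeError, ValueError):
        return "denied"
    if "../" in directory:
        return "denied"
    return "granted:" + directory


if __name__ == "__main__":
    for decode in (utf8_decode_lenient, utf8_decode_strict):
        print(decode.__name__, "rejects overlong:", rejects_overlong(decode),
              "| as on slide:", authorize_as_on_slide(REQ_PATH, decode),
              "| fixed:", authorize_fixed(REQ_PATH, decode))
```

Either fix alone closes the slide's scenario: a decoder that rejects overlong forms, or a check that runs on the decoded path; a robust server does both.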
Technology

SMT: Satisfiability Modulo Theories

Formula                               Solution/Model
$x^2 + y^2 < 1$ and $xy > 0.1$        sat, $x = \tfrac{1}{8}$, $y = \tfrac{7}{8}$
$x^2 + y^2 < 1$ and $xy > 1$          unsat, Proof

SAGE asks: Is execution path P feasible? Is assertion X violated?
The question posed to Z3: Is Formula F Satisfiable (over Theory of Reals)?
The model returned for F is the WITNESS handed back to SAGE.
Technology

SMT: Satisfiability Modulo Theories

$x + 2 = y \Rightarrow f(select(store(a, x, 3), y - 2)) = f(y - x + 1)$

The formula mixes three theories: Arithmetic ($x + 2 = y$, $y - 2$, $y - x + 1$), the Array Theory ($select$, $store$) and Uninterpreted Functions ($f$).

Array Theory axioms:
$select(store(a, i, v), i) = v$
$i \neq j \Rightarrow select(store(a, i, v), j) = select(a, j)$
Technology

Job Shop Scheduling

[Figure: jobs, their tasks and the machines they run on, laid out on a timeline]
P = NP?   Laundry   $\zeta(s) = 0 \Rightarrow s = \tfrac{1}{2} + ir$

Constraints:
Precedence: between two tasks of the same job
Resource: Machines execute at most one job at a time
  $[start_{2,2} .. end_{2,2}] \cap [start_{4,2} .. end_{4,2}] = \emptyset$

Encoding:
$t_{2,3}$ - start time of job 2 on mach 3
$d_{2,3}$ - duration of job 2 on mach 3
Precedence:   $t_{2,3} + d_{2,3} \le t_{2,4}$
Resource (not convex):   $t_{2,2} + d_{2,2} \le t_{4,2} \;\vee\; t_{4,2} + d_{4,2} \le t_{2,2}$

Efficient solvers:
- Floyd-Warshall algorithm
- Ford-Fulkerson algorithm

[Figure: case splits on the resource disjunctions; a negative cycle in the difference constraints, $z - z = 5 - 2 - 3 - 2 = -2 < 0$, shows the branch is infeasible]
Technology

Microsoft Tools using Z3

Z3 is used by many research groups
More than 19k downloads
Z3 places 1st in most categories in SMT competitions

SAGE: Z3 solved more than 3 billion constraints created by SAGE checking Win8 and Office.
HAVOC
Vigilante
Z3 used to check Azure Firewall Policies
Z3 ships in Windows Server with the Static Driver Verifier
Technology

Research Areas

Algorithms · Decidable Fragments · Heuristics

Practical problems often have structure that can be exploited.

Undecidable (FOL + LIA)
  Semi Decidable (FOL)
    Essentially Uninterpreted Formulas
    NEXPTIME (EPR)
      Quantified Bit-Vector Logic
      PSPACE (QBF)
        NP (SAT)
          Generalized array theory

Logic is “The Calculus of Computer Science” Zohar Manna
Technology

Little Engines of Proof

Freely available from http://research.microsoft.com/projects/z3
Technology

Research around Z3

Decision Procedures
Modular Difference Logic is Hard. TR 08, B., Blass, Gurevich, Musuvathi.
Linear Functional Fixed-points. CAV 09, B. & Hendrix.
A Priori Reductions to Zero for Strategy-Independent Gröbner Bases. SYNASC 09, M. & Passmore.
Efficient, Generalized Array Decision Procedures. FMCAD 09, M. & B.
Quantifier Elimination as an Abstract Decision Procedure. IJCAR 10, B.
Cutting to the Chase. CADE 11, Jovanović & M.
Polynomials. IJCAR 12, Jovanović & M.

Combining Decision Procedures
Model-based Theory Combination. SMT 07, M. & B.
Proofs, Refutations and Z3. IWIL 08, M. & B.
On Locally Minimal Nullstellensatz Proofs. SMT 09, M. & Passmore.
A Concurrent Portfolio Approach to SMT Solving. CAV 09, Wintersteiger, Hamadi & M.
Conflict Directed Theory Resolution. Cambridge Univ. Press 12, M. & B.

Quantifiers, quantifiers, quantifiers
Efficient E-matching for SMT Solvers. CADE 07, M. & B.
Relevancy Propagation. TR 07, M. & B.
Deciding Effectively Propositional Logic using DPLL and substitution sets. IJCAR 08, M. & B.
Engineering DPLL(T) + saturation. IJCAR 08, M. & B.
Complete instantiation for quantified SMT formulas. CAV 09, Ge & M.
On deciding satisfiability by DPLL(Γ + T) and unsound theorem proving. CADE 09, Bonacina, M. & Lynch.
Generalized PDR. SAT 12, Hoder & B.

(B. = Bjørner, M. = de Moura)

Introductory Background Reading
September 2011
Technology

Mile High: Modern SAT/SMT search

[Diagram: the search loop: Propagate (literal assignments) → Models; Conflict Clauses → Backjump; Proofs]
Technology

Core Engine in Z3: Modern DPLL/CDCL

States are $M \parallel F$ (partial assignment $M$, clause set $F$) or $M \parallel F \mid C$ (with a conflict clause $C$); $\ell^{C \vee \ell}$ marks a literal propagated by the clause $C \vee \ell$.

Initialize   $\epsilon \parallel F$                                                            $F$ is a set of clauses
Decide       $M \parallel F \Longrightarrow M, \ell \parallel F$                               $\ell$ is unassigned
Propagate    $M \parallel F, C \vee \ell \Longrightarrow M, \ell^{C \vee \ell} \parallel F, C \vee \ell$     $C$ is false under $M$
Sat          $M \parallel F \Longrightarrow M$                                                 $F$ true under $M$
Conflict     $M \parallel F, C \Longrightarrow M \parallel F, C \mid C$                        $C$ is false under $M$
Learn        $M \parallel F \mid C \Longrightarrow M \parallel F, C \mid C$
Unsat        $M \parallel F \mid \emptyset \Longrightarrow Unsat$
Backjump     $M M' \parallel F \mid C \vee \ell \Longrightarrow M \ell^{C \vee \ell} \parallel F$       $\neg C \subseteq M$ ($C$ is false under $M$), $\neg\ell \in M'$
Resolve      $M \parallel F \mid C' \vee \neg\ell \Longrightarrow M \parallel F \mid C' \vee C$          $\ell^{C \vee \ell} \in M$
Forget       $M \parallel F, C \Longrightarrow M \parallel F$                                  $C$ is a learned clause
Restart      $M \parallel F \Longrightarrow \epsilon \parallel F$

[Nieuwenhuis, Oliveras, Tinelli J.ACM 06] customized

One SAT expert to another: “It took me a year to understand the Mini-SAT FUIP code” (Mate Soos to Niklas Sörensson over ice-cream at SAT 2012 in Trento)
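The transition rules above, as an added example that is not Z3's code: a minimal CDCL solver over DIMACS-style integer literals (3 is $x_3$, -3 is $\neg x_3$) in which each method is named after the rule it implements; first-UIP learning is used, and Forget and Restart are omitted. All names are this example's own.

```python
from typing import Dict, List, Optional, Tuple

Clause = List[int]


class CDCL:
    """M is kept as an ordered trail plus, per variable, its level and reason."""

    def __init__(self, clauses: List[Clause]):
        self.clauses = [list(c) for c in clauses]         # F, grows by Learn
        self.assign: Dict[int, bool] = {}
        self.level: Dict[int, int] = {}
        self.reason: Dict[int, Optional[Clause]] = {}     # C∨ℓ for propagated ℓ, None if decided
        self.trail: List[int] = []
        self.dl = 0                                       # current decision level
        self.learned = 0

    def value(self, lit: int) -> Optional[bool]:
        v = self.assign.get(abs(lit))
        return None if v is None else (v if lit > 0 else not v)

    def push(self, lit: int, reason: Optional[Clause]) -> None:
        self.assign[abs(lit)] = lit > 0
        self.level[abs(lit)] = self.dl
        self.reason[abs(lit)] = reason
        self.trail.append(lit)

    def propagate(self) -> Optional[Clause]:
        """Propagate: add ℓ with reason C∨ℓ whenever C is false under M and ℓ is
        unassigned. Returns a clause false under M (Conflict) or None."""
        changed = True
        while changed:
            changed = False
            for c in self.clauses:
                vals = [self.value(l) for l in c]
                if True in vals:
                    continue
                free = [l for l, v in zip(c, vals) if v is None]
                if not free:
                    return c
                if len(free) == 1:
                    self.push(free[0], c)
                    changed = True
        return None

    def analyze(self, conflict: Clause) -> Tuple[Clause, int]:
        """Resolve: resolve the conflict clause against the reasons of its
        current-level literals in reverse trail order until one such literal is
        left (first UIP). Returns the clause to Learn and the Backjump level."""
        learned = list(conflict)
        idx = len(self.trail) - 1
        while sum(self.level[abs(l)] == self.dl for l in learned) > 1:
            lit = self.trail[idx]
            idx -= 1
            if -lit not in learned:
                continue
            rest = [l for l in learned if l != -lit]
            learned = rest + [l for l in self.reason[abs(lit)] if l != lit and l not in rest]
        back = max((self.level[abs(l)] for l in learned if self.level[abs(l)] < self.dl), default=0)
        return learned, back

    def backjump(self, back: int) -> None:
        """Backjump: drop M′ (everything above level `back`); the learned clause
        is then unit and the next propagate() asserts its ℓ."""
        while self.trail and self.level[abs(self.trail[-1])] > back:
            v = abs(self.trail.pop())
            del self.assign[v], self.level[v], self.reason[v]
        self.dl = back

    def solve(self) -> Optional[Dict[int, bool]]:
        """Initialize ε ‖ F, then loop: Propagate; a Conflict at level 0 is Unsat
        (None); otherwise Resolve/Learn/Backjump; without conflict, Decide or Sat."""
        nvars = max((abs(l) for c in self.clauses for l in c), default=0)
        while True:
            conflict = self.propagate()
            if conflict is not None:
                if self.dl == 0:
                    return None
                clause, back = self.analyze(conflict)
                self.clauses.append(clause)                # Learn
                self.learned += 1
                self.backjump(back)
                continue
            var = next((v for v in range(1, nvars + 1) if v not in self.assign), None)
            if var is None:
                return dict(self.assign)                   # Sat: F true under M
            self.dl += 1
            self.push(var, None)                           # Decide: try x_var = true


def satisfies(clauses: List[Clause], model: Dict[int, bool]) -> bool:
    """What 'F true under M' means: every clause has a true literal."""
    return all(any(model[abs(l)] == (l > 0) for l in c) for c in clauses)
```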
Technology

Mile High: Modern SMT procedures

[Diagram: the components of a modern SMT search loop]
Backtrack / Backjump     Efficiently backtrack to an equi-satisfiable state
Conflict Lemmas          Learn new facts that prune as many dead branches as possible
Propagate                Efficient indexing for propagating consequences
Models                   A way to certify satisfiability: values that satisfy the formula
Proofs                   A way to certify unsatisfiability
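A compact implementation of the calculus on the two slides above, as an added example that is not code from the slides or from Z3. Unit propagation plays Propagate, a clause that becomes false triggers Conflict, Resolve is applied to the conflict clause against the reason clauses of the current decision level until one literal of that level remains (the first UIP), the result is added to the clause set (Learn) and the trail is cut back (Backjump); a conflict with no decisions on the trail is Unsat, and a complete assignment without conflict is Sat. Forget and Restart are included for completeness. The clause format (signed integers), the fixed decision order, and the helper `check_model` are this example's own choices, and the efficient watched-literal indexing the diagram alludes to is replaced by a plain rescan of all clauses.

```python
"""Minimal CDCL solver following the slide's transition rules.
Clauses are lists of non-zero ints; literal -v means "not v".
Added example, not from the slides or from Z3."""


class CDCL:
    def __init__(self, clauses):
        self.clauses = [list(dict.fromkeys(c)) for c in clauses]  # F
        self.vars = sorted({abs(l) for c in clauses for l in c})
        self.trail = []        # M: true literals in assignment order
        self.value = {}        # var -> bool
        self.level = {}        # var -> decision level at which it was set
        self.reason = {}       # var -> clause that forced it (None = decision)
        self.decision_level = 0
        self.learned = []      # learned clauses, kept so Forget can drop them

    def lit_value(self, lit):
        v = self.value.get(abs(lit))
        return None if v is None else (v if lit > 0 else not v)

    def assign(self, lit, reason):
        self.value[abs(lit)] = lit > 0
        self.level[abs(lit)] = self.decision_level
        self.reason[abs(lit)] = reason
        self.trail.append(lit)

    def propagate(self):
        """Propagate: assert unit consequences of F under M.
        Returns a clause that is false under M (Conflict), or None."""
        changed = True
        while changed:
            changed = False
            for clause in self.clauses:
                if any(self.lit_value(l) is True for l in clause):
                    continue
                free = [l for l in clause if self.lit_value(l) is None]
                if not free:
                    return clause
                if len(free) == 1:
                    self.assign(free[0], clause)
                    changed = True
        return None

    def analyze(self, conflict):
        """Resolve the conflict clause with reason clauses of the current
        level until a single literal of that level is left (first UIP).
        Returns the learned clause and the level to jump back to."""
        learned = list(conflict)
        idx = len(self.trail) - 1
        while sum(self.level[abs(l)] == self.decision_level for l in learned) > 1:
            while -self.trail[idx] not in learned:   # most recent false literal
                idx -= 1
            lit = self.trail[idx]                     # l with reason C v l in M
            reason = self.reason[abs(lit)]
            # Resolve: (C' v not l) with (C v l) gives C' v C
            learned = [l for l in learned if l != -lit]
            learned += [l for l in reason if l != lit and l not in learned]
            idx -= 1
        levels = sorted({self.level[abs(l)] for l in learned})
        return learned, (0 if len(levels) == 1 else levels[-2])

    def backjump(self, level):
        """Backjump: undo the trail down to `level` (level 0 is Restart)."""
        while self.trail and self.level[abs(self.trail[-1])] > level:
            v = abs(self.trail.pop())
            del self.value[v], self.level[v], self.reason[v]
        self.decision_level = level

    def forget(self, clause):
        """Forget: drop a learned clause, never an original one."""
        if clause in self.learned:
            self.learned.remove(clause)
            self.clauses.remove(clause)

    def solve(self):
        """Returns a model {var: bool} (Sat) or None (Unsat)."""
        while True:
            conflict = self.propagate()
            if conflict is not None:
                if self.decision_level == 0:
                    return None                # Unsat: conflict without decisions
                learned, level = self.analyze(conflict)
                self.learned.append(learned)   # Learn
                self.clauses.append(learned)
                self.backjump(level)           # the next propagate asserts the UIP
                continue
            free = next((v for v in self.vars if v not in self.value), None)
            if free is None:
                return dict(self.value)        # Sat: F true under M
            self.decision_level += 1           # Decide
            self.assign(free, None)


def check_model(clauses, model):
    """True iff every clause has a literal that is true in `model`."""
    return all(any(model[abs(l)] == (l > 0) for l in c) for c in clauses)
```

On the instance `[[-1, -3, 4], [-1, -3, -4]]` the solver decides 1, 2 and 3, propagates 4, hits the conflict, resolves it down to the clause `[-1, -3]`, and jumps back to level 1 rather than backtracking one decision at a time, which is the difference between Backtrack and Backjump on the diagram.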
Technology

Research: Solving Horn Clauses

mc(x) = x-10               if x > 100
mc(x) = mc(mc(x+11))       if x ≤ 100
assert (x ≤ 101 ⇒ mc(x) = 91)

∀𝑿. 𝑿 > 𝟏𝟎𝟎 ⇒ mc(𝑿, 𝑿 − 𝟏𝟎)
∀𝑿, 𝒀, 𝑹. 𝑿 ≤ 𝟏𝟎𝟎 ∧ mc(𝑿 + 𝟏𝟏, 𝒀) ∧ mc(𝒀, 𝑹) ⇒ mc(𝑿, 𝑹)
∀𝑿, 𝑹. mc(𝑿, 𝑹) ∧ 𝑿 ≤ 𝟏𝟎𝟏 ⇒ 𝑹 = 𝟗𝟏
Solver finds solution for mc

Krystof Hoder & Nikolaj Bjørner, SAT 2012
Bjørner, McMillan, Rybalchenko, SMT 2012
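What "solver finds solution for mc" means in practice, as an added example that is not from the slides or from Z3's Horn-clause engine: the three clauses are emitted as an SMT-LIB 2 script in the HORN logic (which Z3 accepts as-is), and a candidate interpretation of the predicate mc is checked against all three clauses over a bounded window of integers. The candidate (mc(X, R) holds iff R = X − 10 for X > 100 and R = 91 otherwise) is an assumption of this example; the slide only states that a solution is found. A solution is a relation, not a function, so the checker also rejects two wrong candidates to show which clause each one breaks.

```python
"""Horn-clause view of McCarthy's 91 function (added example)."""


def mc(x):
    """The recursive definition from the slide, as reference semantics."""
    return x - 10 if x > 100 else mc(mc(x + 11))


def horn_smtlib():
    """The slide's three clauses as an SMT-LIB 2 script (logic HORN)."""
    return "\n".join([
        "(set-logic HORN)",
        "(declare-fun mc (Int Int) Bool)",
        "(assert (forall ((X Int)) (=> (> X 100) (mc X (- X 10)))))",
        "(assert (forall ((X Int) (Y Int) (R Int))",
        "  (=> (and (<= X 100) (mc (+ X 11) Y) (mc Y R)) (mc X R))))",
        "(assert (forall ((X Int) (R Int))",
        "  (=> (and (mc X R) (<= X 101)) (= R 91))))",
        "(check-sat)",
        "(get-model)",
    ])


def candidate(x, r):
    """Assumed solution for mc(X, R): exactly the input/output pairs of mc."""
    return r == (x - 10 if x > 100 else 91)


def violations(interp, lo=-30, hi=150):
    """Clause instances inside [lo, hi] that `interp` fails.
    An empty list means `interp` is a model of all three clauses there."""
    rng = range(lo, hi + 1)
    bad = []
    for x in rng:
        # Clause 1: X > 100 => mc(X, X - 10)
        if x > 100 and not interp(x, x - 10):
            bad.append(("clause1", x))
        # Clause 3 (the negated assertion): mc(X, R) and X <= 101 => R = 91
        for r in rng:
            if x <= 101 and interp(x, r) and r != 91:
                bad.append(("clause3", x, r))
        # Clause 2: X <= 100 and mc(X+11, Y) and mc(Y, R) => mc(X, R)
        if x <= 100:
            for y in rng:
                if not interp(x + 11, y):
                    continue
                for r in rng:
                    if interp(y, r) and not interp(x, r):
                        bad.append(("clause2", x, y, r))
    return bad
```

Feeding the output of `horn_smtlib()` to Z3 is the solver-side counterpart of `violations(candidate)`: the solver must find an interpretation satisfying clauses 1 and 2 that also stays inside clause 3, and the bounded checker confirms the assumed interpretation does so on a finite window.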
Technology

Research: Solving ℝ Efficiently
A key idea: Use partial solution to guide the search

[Figure: feasible region of the three constraints in the (𝑥, 𝑦) plane]
  𝑥³ + 2𝑥² + 3𝑦² − 5 < 0
  −4𝑥𝑦 − 4𝑥 + 𝑦 > 1
  𝑥² + 𝑦² < 1

Starting search
Partial solution: 𝑥 = 0.5
Can we extend it to 𝑦?
What is the core?

Dejan Jovanović & Leonardo de Moura, IJCAR 2012
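The extension step the slide sketches, as an added example that is neither the NLSAT procedure of the paper nor Z3's implementation: the three constraints from the slide are specialised to the partial solution for 𝑥, each becomes a condition on 𝑦 alone (at most quadratic here, so it is solved in closed form instead of by the general CAD-style projection the real algorithm uses), the feasible 𝑦-intervals are intersected, and when the intersection is empty a minimal subset of constraints that already conflict under this 𝑥 is reported as the core. The constraint names `c1`..`c3` and the greedy core computation are this example's own choices.

```python
"""Extending a partial assignment in nonlinear real arithmetic (added example)."""
from math import inf, sqrt

# Each constraint, with x fixed, is  a(x)*y^2 + b(x)*y + c(x) < 0 .
# Coefficients are derived by hand from the slide's formulas.
CONSTRAINTS = {
    "c1": lambda x: (3.0, 0.0, x**3 + 2 * x**2 - 5),   # x^3 + 2x^2 + 3y^2 - 5 < 0
    "c2": lambda x: (0.0, 4 * x - 1, 4 * x + 1),       # -4xy - 4x + y > 1
    "c3": lambda x: (1.0, 0.0, x**2 - 1),              # x^2 + y^2 < 1
}


def satisfies(x, y):
    """Evaluate the original, unsubstituted constraints at a point."""
    return (x**3 + 2 * x**2 + 3 * y**2 - 5 < 0
            and -4 * x * y - 4 * x + y > 1
            and x**2 + y**2 < 1)


def solution_set(a, b, c):
    """Open intervals of y on which a*y^2 + b*y + c < 0 holds."""
    if a == 0:
        if b == 0:
            return [(-inf, inf)] if c < 0 else []
        root = -c / b
        return [(-inf, root)] if b > 0 else [(root, inf)]
    disc = b * b - 4 * a * c
    if disc < 0:                       # no real root: the sign of a everywhere
        return [] if a > 0 else [(-inf, inf)]
    r1 = (-b - sqrt(disc)) / (2 * a)
    r2 = (-b + sqrt(disc)) / (2 * a)
    lo, hi = min(r1, r2), max(r1, r2)
    if a > 0:                          # negative strictly between the roots
        return [(lo, hi)] if lo < hi else []
    return [(-inf, lo), (hi, inf)]     # negative outside the roots


def intersect(sets):
    """Intersect a list of interval unions; [] means empty."""
    acc = [(-inf, inf)]
    for s in sets:
        acc = [(max(a, c), min(b, d))
               for a, b in acc for c, d in s if max(a, c) < min(b, d)]
    return acc


def extend(x):
    """Try to extend the partial solution {x} with a value for y.
    Returns (True, y) with a witness, or (False, core) where core is a
    minimal list of constraint names that conflict under this x."""
    feasible = {n: solution_set(*coef(x)) for n, coef in CONSTRAINTS.items()}
    region = intersect(feasible.values())
    if region:
        lo, hi = region[0]           # pick a point inside the first interval
        if lo == -inf and hi == inf:
            y = 0.0
        elif lo == -inf:
            y = hi - 1.0
        elif hi == inf:
            y = lo + 1.0
        else:
            y = (lo + hi) / 2
        return True, y
    core = list(feasible)
    for name in list(core):          # greedy minimisation of the conflict
        trial = [n for n in core if n != name]
        if not intersect([feasible[n] for n in trial]):
            core = trial             # still conflicting without it: drop it
    return False, core
```

For 𝑥 = 0.5 the second constraint forces 𝑦 < −3 while the unit disc forces |𝑦| < 0.87, so the extension fails and the core is `c2`, `c3`; the first constraint plays no part, which is what a learned explanation should record. For 𝑥 = −0.5 the intersection is non-empty and a witness for 𝑦 is returned.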
Takeaways
Context: Awareness about Microsoft Research

Propaganda: Cool software engineering research
projects.

Applications: Logic is the Calculus of Computation.
      Programs analysis tools use logic at their core.

Technology: Z3 – An Efficient SMT Solver.
     Modern SAT/SMT solver search in one slide
     dichotomies of modern constraint search engines.
                                                         69
Summary
An outline of Z3 – an efficient SMT solver
   Efficient logic solver for SE tools tackling intractable problems
   http://research.microsoft.com/projects/z3

Software Engineering Research @ Microsoft
  http://rise4fun.com

Academic internships
  http://research.microsoft.com/en-us/jobs/intern

Contact
   http://research.microsoft.com/~nbjorner
   nbjorner@microsoft.com

Николай Бьернер «Program Analysis and Testing using Efficient Satisfiability Modulo Theories Solvers»

  • 1. Program Analysis and Testing using Satisfiability Modulo Theories Yandex 2 October 2012, Moscow Nikolaj Bjørner Senior Researcher Microsoft Research 1
  • 2. Agenda Context: Software Engineering Research @ Microsoft Propaganda: Software Engineering Research Tools Application: Fuzzing and Test Case Generation Application: Program Verification & Bit precise Analysis Application: String analysis - Formal Language Theory for Security Technology: Z3 – An Efficient SMT Solver - Basics and Research 2
  • 3. Takeaways Context: Awareness about Microsoft Research Propaganda: Cool software engineering research projects Applications: Logic is the Calculus of Computation Programs analysis tools use logic at their core Technology: Z3 – An Efficient SMT Solver. Modern SAT/SMT solver search in one slide and the dichotomies of modern constraint search engines. I rather address questions during talk and tune the highlighted material according to interest (there are 3x too many slides ) 3
  • 4. Context Team An Efficient SMT Solver Leonardo de Moura, Nikolaj Bjørner, Christoph Wintersteiger 4
  • 5. Context Research in Software Engineering Group Improve Software Development Productivity 5
  • 7. Context Microsoft Research Labs Research :1% Sales, Support, R&D Marketing ~40000 ~50000 Company 7
  • 8. Propaganda Core Expertise Empirical Foundations: Software Engineering Logic Program Analysis: Programming Languages Performance, Reliability, Design & Implementation Security 8
  • 9. Propaganda Core Expertise Empirical Foundations: Software Engineering Logic Program Analysis: Programming Languages Performance, Reliability, Design & Implementation Security 9
  • 10. Propaganda Core Expertise Empirical Foundations: Software Engineering Logic Program Analysis: Programming Languages Performance, Reliability, Design & Implementation Security 10
  • 11. Propaganda Core Expertise Empirical Foundations: Software Engineering Logic Program Analysis: Programming Languages Performance, Reliability, Design & Implementation Security 11
  • 12. Propaganda Core Expertise Empirical Software Engineering: Analytics: what code is prone to bugs (what code should I be testing) for VS 2012 Team Foundation Server 12
  • 16. Application Fuzzing and Test Case Generation SAGE Internal. For Security Fuzzing External. For Developers Runs on x86 instructions Runs on .NET code Try it on: http://pex4fun.com Finding security bugs before the hackers black hat 16
  • 17. Application: Fuzzing and Testing Fuzzing and Test Case Generation Dr. Strangelove? Bug: ***433 SAGE “2/29/2012 3:41 PM Edited by ***** SubStatus -> Local Fix I think the fuzzers are starting to become sentient. We must crush them before it is too late. Internal. For Security Fuzzing External. For Developers In this case, the fuzzer figured out that if [X was between A and B then Y would get Runs on x86 instructionsto Z triggeringRuns onto happen……] set U and V .NET code ….. And if this fuzzer asks on:the nuclear launch Try it for http://pex4fun.com codes, don’t tell it what they are …” Finding security bugs before the hackers black hat 17
  • 18. Application: Fuzzing and Testing SAGE by numbers 100s CPU-years - largest dedicated fuzz lab in the world 100s apps - fuzzed using SAGE 100s previously unknown bugs found Billion+ computers updated with bug fixes Millions of $ saved for Users and Microsoft 10s of related tools (incl. Pex), 100s DART citations 3+ Billion constraints - largest usage for any SMT solver 18 Adapted from [Patrice Godefroid, ISSTA 2010]
  • 19. Application Test case generation unsigned GCD(x, y) { requires(y > 0); while (true) { unsigned m = x % y; if (m == 0) return y; x = y; y = m; } } 19
  • 20. Application Test case generation unsigned GCD(x, y) { requires(y > 0); (y0 > 0) and while (true) { (m0 = x0 % y0) and unsigned m = x % y; SSA not (m0 = 0) and if (m == 0) return y; (x1 = y0) and x = y; (y1 = m0) and y = m; (m1 = x1 % y1) and } (m1 = 0) } We want a trace where the loop is executed twice. 20
  • 21. Application Test case generation unsigned GCD(x, y) { requires(y > 0); (y0 > 0) and x0 = 2 while (true) { (m0 = x0 % y0) and y0 = 4 unsigned m = x % y; SSA not (m0 = 0) and Solver m0 = 2 if (m == 0) return y; (x1 = y0) and x1 = 4 x = y; (y1 = m0) and y1 = 2 y = m; (m1 = x1 % y1) and m1 = 0 } (m1 = 0) } We want a trace where the loop is executed twice. 21
  • 22. Application: Fuzzing and Testing Test Case Generation Procedure Run Test and Monitor Execution Path Condition Path Test seed Known Inputs Paths New input Constraint System Solve Unexplored path 22
  • 23. Application: Scalable bit-precise analysis What is wrong here? -INT_MIN= INT_MIN (INT_MAX+1)/2 + (INT_MAX+1)/2 int binary_search(int[] arr, int low, void itoa(int n, char* s) { = INT_MIN int high, int key) if (n < 0) { while (low <= high) *s++ = ‘-’; { n = -n; // Find middle value } int mid = (low + high) / 2; // Add digits to s int val = arr[mid]; if (val == key) return mid; …. if (val < key) low = mid+1; else high = mid-1; } return -1; } Book: Kernighan and Ritchie Package: java.util.Arrays Function: itoa (integer to ascii) Function: binary_search
  • 24. Application: Scalable bit-precise analysis Bit-precise analysis 1 0 1 0 1 1 1 0 1 0 1 1  0 1 1 0 0 1 =  0 1 1 0 0 1 1 0 1 0 1 1 0 1 1 0 0 1 = 0 0 1 0 0 1 Vector Bit-wise Segments Concatenation operations Bit-wise and 1 0 1 0 1 1 + 1 0 1 0 1 1 0 1 0 0 1 1 0 0 1 [4:2] = = 0 0 0 1 0 0 Vector Modular Segments Extraction arithmetic Addition
  • 25. Application: Verification Hypervisor Verification (2007 – 2010) with Partners: • European Microsoft Innovation Center Hypervisor • Microsoft Research Hardware • Microsoft’s Windows Division • Universität des Saarlandes co-funded by the German Ministry of Education and Research http://www.verisoftxt.de 25
  • 27. Application: Verification SAT/SMT progress driven by applications: VCC Performance Trends Nov 08 – Mar 09 1000 Modification in invariant checking Switch to Z3 v2 100 Z3 v2 update 10 1 Attempt to improve Switch to Boogie2 Boogie/Z3 interaction 0.1
  • 28. Application: Verification Verification Attempt Time vs. Satisfaction and Productivity By Michal Moskal (VCC Designer and Software Verification Expert), Language quiz: “loose” or “lose” ?
  • 31. Application: Verification Building Verve 9 person-months Source file Kernel.cs Verification tool Compilation tool C# compiler Verified Nucleus.bpl (x86) Kernel.obj (x86) Boogie/Z3 TAL checker Translator/ Linker/ISO generator Assembler Safe to the Last Instruction / Jean Yang & Chris Verve.iso Hawbliztl PLDI 2010 31
  • 32. Application: String Analysis Why string analysis? (motivating scenario) Tomcat v. < 6.0.18 req = http://www.x.com/%c0%ae%c0%ae/%c0%ae%c0%ae/private/ 1) security check: req must not contain Analysis question: "../" Does utf8decode 2) dir = reject overlong utf8decode("%c0%ae utf8-encodings such %c0%ae/%c0%ae%c as "%C0%AE" for '.'? 0%ae/private/") = "../../private/" access granted to "../../private/" Windows 2000 vulnerability: http://www.sans.org/security-resources/malwarefaq/wnt-unicode.php Apache Tomcat vulnerability: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2938
  • 33. Application: String Analysis Relativized Formal Language Theory Classical Word Transducers (e.g. decoding automata, rational transductions) Classical I/O Automata (e.g. Mealy machine) Classical Word Acceptors (NFA, DFA)
  • 34. Application: String Analysis Relativized Formal Language Theory string transformation Symbolic Word Transducers  Classical Word Transducers modulo Th() Classical Word Transducers (e.g. decoding automata, rational transductions) Classical I/O Automata (e.g. Mealy machine) Symbolic Word Acceptors Classical  Classical WordAcceptors modulo Th() Word Acceptors (NFA, DFA) regex matching
  • 35. Rex & Bek – Symbolic RegEx & String Analysis Application: Transducers Margus Veanes
  • 36. Application: String Analysis Symbolic Finite Transducer (SFT) • Classical transducer modulo a rich label theory • Core Idea: represent labels with guarded transformation functions – Separation of concerns: finite graph / theory of labels Concrete transitions: Symbolic transition: p 1920 guard p transitions  x. 8016 ≤ x ≤ 7FF16/ ‘x80’/ … ‘x7FF’/ [C016|x10,6, 8016|x5,0] “xC2x80” “xDFxBF” q q bitvector operations
  • 37. Technology SMT: Satisfiability Modulo Theories 𝑥 2 + 𝑦 2 < 1 𝑎𝑛𝑑 𝑥𝑦 > 0.1
  • 38. Technology SMT: Satisfiability Modulo Theories Solution/Model 1 7 𝑥2 + 𝑦2 < 1 𝑎𝑛𝑑 𝑥𝑦 > 0.1 sat, 𝑥 = , 𝑦= 8 8
  • 39. Technology SMT: Satisfiability Modulo Theories Solution/Model 1 7 𝑥2 + 𝑦2 < 1 𝑎𝑛𝑑 𝑥𝑦 > 0.1 sat, 𝑥 = , 𝑦= 8 8 𝑥 2 + 𝑦 2 < 1 𝑎𝑛𝑑 𝑥𝑦 > 1
  • 40. Technology SMT: Satisfiability Modulo Theories Solution/Model 1 7 𝑥2 + 𝑦2 < 1 𝑎𝑛𝑑 𝑥𝑦 > 0.1 sat, 𝑥 = , 𝑦= 8 8 𝑥 2 + 𝑦 2 < 1 𝑎𝑛𝑑 𝑥𝑦 > 1 unsat, Proof
  • 41. Technology SMT: Satisfiability Modulo Theories Solution/Model 1 7 𝑥2 + 𝑦2 < 1 𝑎𝑛𝑑 𝑥𝑦 > 0.1 sat, 𝑥 = , 𝑦= 8 8 𝑥 2 + 𝑦 2 < 1 𝑎𝑛𝑑 𝑥𝑦 > 1 unsat, Proof Is execution path P feasible? Is assertion X violated? SAGE Is Formula F Satisfiable (over Theory of Reals)? 41
  • 42. Technology SMT: Satisfiability Modulo Theories Solution/Model 1 7 𝑥2 + 𝑦2 < 1 𝑎𝑛𝑑 𝑥𝑦 > 0.1 sat, 𝑥 = , 𝑦= 8 8 𝑥 2 + 𝑦 2 < 1 𝑎𝑛𝑑 𝑥𝑦 > 1 unsat, Proof Is execution path P feasible? Is assertion X violated? W I SAGE T N E S S Is Formula F Satisfiable (over Theory of Reals)? 42
  • 43. Technology SMT: Satisfiability Modulo Theories 𝑥 + 2 = 𝑦 ⇒ 𝑓 𝑠𝑒𝑙𝑒𝑐𝑡 𝑠𝑡𝑜𝑟𝑒 𝑎, 𝑥, 3 , 𝑦 − 2 = 𝑓(𝑦 − 𝑥 + 1) 43
  • 44. Technology SMT: Satisfiability Modulo Theories 𝑥 + 2 = 𝑦 ⇒ 𝑓 𝑠𝑒𝑙𝑒𝑐𝑡 𝑠𝑡𝑜𝑟𝑒 𝑎, 𝑥, 3 , 𝑦 − 2 = 𝑓(𝑦 − 𝑥 + 1) Arithmetic 44
  • 45. Technology SMT: Satisfiability Modulo Theories 𝑥 + 2 = 𝑦 ⇒ 𝑓 𝑠𝑒𝑙𝑒𝑐𝑡 𝑠𝑡𝑜𝑟𝑒 𝑎, 𝑥, 3 , 𝑦 − 2 = 𝑓(𝑦 − 𝑥 + 1) Array Theory Arithmetic 𝑠𝑒𝑙𝑒𝑐𝑡(𝑠𝑡𝑜𝑟𝑒 𝑎, 𝑖, 𝑣 , 𝑖) = 𝑣 𝑖 ≠ 𝑗 ⇒ 𝑠𝑒𝑙𝑒𝑐𝑡(𝑠𝑡𝑜𝑟𝑒 𝑎, 𝑖, 𝑣 , 𝑗) = 𝑠𝑒𝑙𝑒𝑐𝑡(𝑎, 𝑗) 45
  • 46. Technology SMT: Satisfiability Modulo Theories 𝑥 + 2 = 𝑦 ⇒ 𝑓 𝑠𝑒𝑙𝑒𝑐𝑡 𝑠𝑡𝑜𝑟𝑒 𝑎, 𝑥, 3 , 𝑦 − 2 = 𝑓(𝑦 − 𝑥 + 1) Uninterpreted Array Theory Arithmetic Functions 𝑠𝑒𝑙𝑒𝑐𝑡(𝑠𝑡𝑜𝑟𝑒 𝑎, 𝑖, 𝑣 , 𝑖) = 𝑣 𝑖 ≠ 𝑗 ⇒ 𝑠𝑒𝑙𝑒𝑐𝑡(𝑠𝑡𝑜𝑟𝑒 𝑎, 𝑖, 𝑣 , 𝑗) = 𝑠𝑒𝑙𝑒𝑐𝑡(𝑎, 𝑗) 46
  • 47. Technology Job Shop Scheduling Machines Tasks Jobs 1 P = NP? Laundry 𝜁 𝑠 =0⇒ 𝑠= + 𝑖𝑟 2
  • 48. Technology Job Shop Scheduling Constraints: Precedence: between two tasks of the same job 3 1 2 4 Resource: Machines execute at most one job at a time 𝑠𝑡𝑎𝑟𝑡2,2 . . 𝑒𝑛𝑑2,2 ∩ 𝑠𝑡𝑎𝑟𝑡4,2 . . 𝑒𝑛𝑑4,2 = ∅
  • 49. Technology Job Shop Scheduling Constraints: Encoding: Precedence: 𝑡2,3 - start time of job 2 on mach 3 3 1 2 𝑑2,3 - duration of 4 job 2 on mach 3 𝑡2,3 + 𝑑2,3 ≤ 𝑡2,4 Resource: Not convex 𝑡2,2 + 𝑑2,2 ≤ 𝑡4,2 ∨ 𝑠𝑡𝑎𝑟𝑡2,2 . . 𝑒𝑛𝑑2,2 ∩ 𝑠𝑡𝑎𝑟𝑡4,2 . . 𝑒𝑛𝑑4,2 = ∅ 𝑡4,2 + d4,2 ≤ 𝑡2,2
• 51. Technology. Job Shop Scheduling. Efficient solvers:
  - Floyd-Warshall algorithm + case split
  - Ford-Fulkerson algorithm + case split
  The precedence constraints are difference constraints; a set of them is infeasible exactly when summing the constraints around a cycle of the constraint graph yields a contradiction, e.g. $z - z = 5 - 2 - 3 - 2 = -2 < 0$. The disjunctive resource constraints are what the case split is for.
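The encoding of slides 48 to 51 carried through in Python, as an added example that is not code from the slides or from Z3: precedence and bound constraints are difference constraints $t_i - t_j \le c$, a conjunction of which is feasible exactly when the constraint graph has no negative cycle (checked here with Bellman-Ford rather than Floyd-Warshall), and each disjunctive resource constraint is case split, with a branch pruned as soon as its conjunction contains a negative cycle. The three-job, two-machine instance `JOBS`, the node name `zero`, and the horizon values are constructed for the example.

```python
"""Job-shop feasibility via difference logic plus case splitting.

Added example (not code from the slides or from Z3). A difference
constraint x - y <= c is the triple (x, y, c). Precedence and bound
constraints are pure difference constraints; each machine's resource
constraint is a disjunction of two of them and is case split.
"""
from itertools import combinations

ZERO = "zero"  # reference node fixed at time 0, so t >= 0 is  zero - t <= 0


def feasible(constraints):
    """Decide a conjunction of difference constraints by negative-cycle detection.

    Bellman-Ford over the constraint graph (edge y -> x of weight c for
    x - y <= c). Returns a model {node: int} or None when a negative cycle
    exists, i.e. some chain of constraints sums to  v - v <= c  with c < 0."""
    nodes = {ZERO}
    for x, y, _ in constraints:
        nodes.update((x, y))
    dist = {v: 0 for v in nodes}     # as if a virtual source reached every node at 0
    for _ in range(len(nodes)):
        changed = False
        for x, y, c in constraints:
            if dist[y] + c < dist[x]:
                dist[x] = dist[y] + c
                changed = True
        if not changed:              # converged: shortest paths are a solution
            return {v: dist[v] - dist[ZERO] for v in nodes if v != ZERO}
    return None                      # still relaxing after |V| rounds: negative cycle


def solve(hard, disjunctions):
    """Case split over disjunctions [(alt_a, alt_b), ...]; prune a branch as
    soon as its conjunction of difference constraints is infeasible."""
    model = feasible(hard)
    if model is None or not disjunctions:
        return model
    for alt in disjunctions[0]:
        model = solve(hard + [alt], disjunctions[1:])
        if model is not None:
            return model
    return None


def encode_job_shop(jobs, horizon):
    """jobs: {job: [(machine, duration), ...]} in precedence order.
    Task nodes are (job, k). Returns (hard constraints, resource disjunctions)."""
    hard, by_machine = [], {}
    for job, tasks in jobs.items():
        for k, (machine, d) in enumerate(tasks):
            t = (job, k)
            hard.append((ZERO, t, 0))                 # t >= 0
            hard.append((t, ZERO, horizon - d))       # t + d <= horizon
            if k + 1 < len(tasks):
                hard.append((t, (job, k + 1), -d))    # precedence: t + d <= t_next
            by_machine.setdefault(machine, []).append((t, d))
    disjunctions = []
    for tasks in by_machine.values():
        for (ta, da), (tb, db) in combinations(tasks, 2):
            # one job at a time on a machine: a before b, or b before a
            disjunctions.append(((ta, tb, -da), (tb, ta, -db)))
    return hard, disjunctions


def job_shop(jobs, horizon):
    """Start times {(job, k): t} meeting the horizon, or None if impossible."""
    return solve(*encode_job_shop(jobs, horizon))


def valid_schedule(jobs, model, horizon):
    """Check a returned model against the original problem, not the encoding."""
    busy = {}
    for job, tasks in jobs.items():
        for k, (machine, d) in enumerate(tasks):
            s = model[(job, k)]
            if s < 0 or s + d > horizon:
                return False
            if k + 1 < len(tasks) and s + d > model[(job, k + 1)]:
                return False
            if any(s < s2 + d2 and s2 < s + d for s2, d2 in busy.get(machine, [])):
                return False                          # overlapping intervals
            busy.setdefault(machine, []).append((s, d))
    return True


# Constructed instance for this example: three jobs, two machines.
JOBS = {
    "j1": [("m1", 3), ("m2", 2)],
    "j2": [("m2", 2), ("m1", 4)],
    "j3": [("m1", 2), ("m2", 3)],
}

if __name__ == "__main__":
    for horizon in (8, 9):
        model = job_shop(JOBS, horizon)
        print(horizon, "unsat" if model is None else sorted(model.items()))
```

Machine m1 carries 3 + 4 + 2 = 9 units of work, so a horizon of 8 is refuted in every branch of the case split: each total order of the m1 tasks closes a negative cycle through the `zero` node, the same kind of $z - z < 0$ sum shown on slide 51. A horizon of 9 is feasible, and the model returned is the vector of shortest-path distances, which is exactly the witness a difference-logic theory solver hands back to the tool that asked.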
• 52–55. Technology. Microsoft Tools using Z3. Z3 is used by many research groups; more than 19k downloads; Z3 places 1st in most categories in SMT competitions. Tools shown: SAGE, HAVOC, Vigilante. Z3 solved more than 3 billion constraints created by SAGE while checking Win8 and Office. Z3 ships in Windows Server with the Static Driver Verifier. Z3 is used to check Azure firewall policies.
• 56–59. Technology. Research Areas: algorithms, decidable fragments, heuristics. Logic is "The Calculus of Computer Science" (Zohar Manna). The problems span the complexity ladder: NP (SAT), PSPACE (QBF), NEXPTIME (EPR), semi-decidable (FOL), undecidable (FOL + LIA). Decidable fragments with dedicated procedures: essentially uninterpreted formulas, quantified bit-vector logic, generalized array theory. Practical problems often have structure that can be exploited.
• 60. Technology. Little Engines of Proof. Freely available from http://research.microsoft.com/projects/z3
• 61. Technology. Research around Z3.
  Decision Procedures:
  - Modular Difference Logic is Hard. TR 08. Bjørner, Blass, Gurevich, Musuvathi.
  - Linear Functional Fixed-points. CAV 09. Bjørner & Hendrix.
  - A Priori Reductions to Zero for Strategy-Independent Gröbner Bases. SYNASC 09. de Moura & Passmore.
  - Efficient, Generalized Array Decision Procedures. FMCAD 09. de Moura & Bjørner.
  - Quantifier Elimination as an Abstract Decision Procedure. IJCAR 10. Bjørner.
  - Cutting to the Chase. CADE 11. Jovanović, de Moura.
  - Polynomials. IJCAR 12. Jovanović, de Moura.
  Combining Decision Procedures:
  - Model-based Theory Combination. SMT 07. de Moura & Bjørner.
  - Proofs, Refutations and Z3. IWIL 08. de Moura & Bjørner.
  - On Locally Minimal Nullstellensatz Proofs. SMT 09. de Moura & Passmore.
  - A Concurrent Portfolio Approach to SMT Solving. CAV 09. Wintersteiger, Hamadi & de Moura.
  - Conflict Directed Theory Resolution. Cambridge Univ. Press 12. de Moura & Bjørner.
  Quantifiers, quantifiers, quantifiers:
  - Efficient E-matching for SMT Solvers. CADE 07. de Moura & Bjørner.
  - Relevancy Propagation. TR 07. de Moura & Bjørner.
  - Deciding Effectively Propositional Logic using DPLL and substitution sets. IJCAR 08. de Moura & Bjørner.
  - Engineering DPLL(T) + saturation. IJCAR 08. de Moura & Bjørner.
  - Complete instantiation for quantified SMT formulas. CAV 09. Ge & de Moura.
  - On deciding satisfiability by DPLL(Γ + T) and unsound theorem proving. CADE 09. Bonacina, de Moura & Lynch.
  - Generalized PDR. SAT 12. Hoder & Bjørner.
• 63. Technology. Mile High: Modern SAT/SMT search. Diagram of the loop: Propagate literal assignments; on a Conflict, learn clauses and Backjump; the two exits are Models and Proofs.
• 64–65. Technology. Core Engine in Z3: Modern DPLL/CDCL. States are $M \,\|\, F$ (a partial assignment and a set of clauses) or $M \,\|\, F \,\|\, C$ (with a conflict clause under analysis); $\ell^{C \vee \ell}$ marks a literal together with the clause that propagated it. [Nieuwenhuis, Oliveras, Tinelli, J.ACM 06], customized.
  Initialize: $\epsilon \,\|\, F$, where $F$ is a set of clauses
  Decide: $M \,\|\, F \Longrightarrow M, \ell \,\|\, F$, if $\ell$ is unassigned
  Propagate: $M \,\|\, F, C \vee \ell \Longrightarrow M, \ell^{C \vee \ell} \,\|\, F, C \vee \ell$, if $C$ is false under $M$
  Sat: $M \,\|\, F \Longrightarrow M$, if $F$ is true under $M$
  Conflict: $M \,\|\, F, C \Longrightarrow M \,\|\, F, C \,\|\, C$, if $C$ is false under $M$
  Learn: $M \,\|\, F \,\|\, C \Longrightarrow M \,\|\, F, C \,\|\, C$
  Unsat: $M \,\|\, F \,\|\, \emptyset \Longrightarrow \mathit{Unsat}$
  Backjump: $M M' \,\|\, F \,\|\, C \vee \ell \Longrightarrow M \ell^{C \vee \ell} \,\|\, F$, if $C$ is false under $M$ (i.e. $\neg C \subseteq M$) and $\neg \ell \in M'$
  Resolve: $M \,\|\, F \,\|\, C' \vee \neg \ell \Longrightarrow M \,\|\, F \,\|\, C' \vee C$, if $\ell^{C \vee \ell} \in M$
  Forget: $M \,\|\, F, C \Longrightarrow M \,\|\, F$, if $C$ is a learned clause
  Restart: $M \,\|\, F \Longrightarrow \epsilon \,\|\, F$
  Slide 65 overlays a quote, one SAT expert to another: "It took me a year to understand the MiniSat FUIP code" – Mate Soos to Niklas Sörensson, over ice cream at SAT 2012 in Trento.
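The transition system above as a running program, an added example in Python that is not the slides' or Z3's code: a small CDCL solver whose methods fire the Decide, Propagate, Conflict, Resolve, Learn, Backjump, Sat and Unsat rules, with conflict analysis stopping at the first unique implication point (the FUIP of the quote). Propagation scans every clause instead of using watched literals, the decision heuristic is the lowest unassigned variable, and Forget and Restart are left out, so this shows the search and not the engineering that makes MiniSat-style engines fast. The clause sets `SAT_CLAUSES` and `UNSAT_CLAUSES` are constructed for the example.

```python
"""A minimal CDCL SAT solver following the transition system on slide 64.

Added example, not code from the slides or from Z3. Literals are nonzero
ints (DIMACS style: 3 is x3, -3 its negation); a clause is a list of
literals. Each rule of the slide appears as a comment where it fires.
"""


class CDCL:
    def __init__(self, clauses):
        self.clauses = [list(c) for c in clauses]   # F; grows with learned clauses
        self.vars = sorted({abs(l) for c in clauses for l in c})
        self.assign = {}    # var -> the literal of that var which is true
        self.level = {}     # var -> decision level at which it was assigned
        self.reason = {}    # var -> clause that propagated it, None for decisions
        self.trail = []     # M: assigned literals in assignment order
        self.starts = []    # trail index where decision level k+1 begins
        self.learned = 0    # number of clauses added by Learn

    def value(self, lit):
        v = abs(lit)
        return None if v not in self.assign else self.assign[v] == lit

    def enqueue(self, lit, reason):
        v = abs(lit)
        self.assign[v], self.level[v], self.reason[v] = lit, len(self.starts), reason
        self.trail.append(lit)

    def propagate(self):
        """Propagate: assert the last unassigned literal of every clause whose
        other literals are false. Returns a falsified clause (Conflict) or None."""
        changed = True
        while changed:
            changed = False
            for clause in self.clauses:
                if any(self.value(l) is True for l in clause):
                    continue
                unassigned = [l for l in clause if self.value(l) is None]
                if not unassigned:
                    return clause                 # Conflict: C is false under M
                if len(unassigned) == 1:
                    self.enqueue(unassigned[0], clause)
                    changed = True
        return None

    def analyze(self, conflict):
        """Resolve the conflict clause with the reasons of its literals, most
        recent first, until one literal of the current level is left (first
        UIP). Returns the learned clause and the level to backjump to."""
        cur, clause, i = len(self.starts), list(conflict), len(self.trail) - 1
        while sum(self.level[abs(l)] == cur for l in clause) > 1:
            while -self.trail[i] not in clause:   # most recently falsified literal
                i -= 1
            lit = self.trail[i]                   # Resolve: C' v -lit with reason C v lit
            clause = [l for l in clause if l != -lit] + \
                     [l for l in self.reason[abs(lit)] if l != lit and l not in clause]
            i -= 1
        levels = sorted({self.level[abs(l)] for l in clause}, reverse=True)
        return clause, (levels[1] if len(levels) > 1 else 0)

    def backjump(self, level):
        """Backjump: undo every assignment made above `level`."""
        start = self.starts[level]
        for lit in self.trail[start:]:
            v = abs(lit)
            del self.assign[v], self.level[v], self.reason[v]
        del self.trail[start:]
        del self.starts[level:]

    def solve(self):
        """Return a model {var: bool} (Sat) or None (Unsat)."""
        while True:
            conflict = self.propagate()
            if conflict is not None:
                if not self.starts:
                    return None                   # Unsat: conflict at level 0
                learned, level = self.analyze(conflict)
                self.backjump(level)
                self.clauses.append(learned)      # Learn: the clause is now unit
                self.learned += 1
            else:
                free = [v for v in self.vars if v not in self.assign]
                if not free:
                    return {v: self.value(v) for v in self.vars}  # Sat: M models F
                self.starts.append(len(self.trail))
                self.enqueue(free[0], None)       # Decide: unassigned literal, no reason


def satisfies(clauses, model):
    """Independent check that a model makes every clause true."""
    return all(any(model[abs(l)] == (l > 0) for l in c) for c in clauses)


# Constructed inputs for this example.
SAT_CLAUSES = [[1, 2], [-1, 3], [-2, -3], [1, -3]]
UNSAT_CLAUSES = [[a, b, c] for a in (1, -1) for b in (2, -2) for c in (3, -3)]

if __name__ == "__main__":
    print(CDCL(SAT_CLAUSES).solve())
    solver = CDCL(UNSAT_CLAUSES)
    print(solver.solve(), "after learning", solver.learned, "clauses")
```

On `UNSAT_CLAUSES` (every clause over three variables) the solver decides x1, then x2, propagates x3 and hits a conflict; analysis resolves back to the clause ¬x1 ∨ ¬x2, backjumps to level 1, and two more conflicts produce the unit ¬x1 and then a conflict at level 0, which is the Unsat exit. The learned clauses are the resolution proof the slide's Proofs box refers to; the model for `SAT_CLAUSES` is the Models exit.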
• 66. Technology. Mile High: Modern SMT procedures.
  - Models: a way to certify satisfiability; efficiently find values that satisfy the formula.
  - Backjump: backtrack to an equi-satisfiable state.
  - Conflict lemmas: learn new facts that prune as many dead branches as possible.
  - Propagate: efficient indexing for propagating consequences.
  - Proofs: a way to certify unsatisfiability.
• 67. Technology. Research: Solving Horn Clauses. McCarthy's 91 function: mc(x) = x − 10 if x > 100; mc(x) = mc(mc(x + 11)) if x ≤ 100; assert (x ≤ 101 ⇒ mc(x) = 91). As Horn clauses over a relation mc(X, R), read "mc(X) returns R":
  $\forall X.\; X > 100 \rightarrow mc(X, X - 10)$
  $\forall X, Y, R.\; X \le 100 \land mc(X + 11, Y) \land mc(Y, R) \rightarrow mc(X, R)$
  $\forall X, R.\; mc(X, R) \land X \le 101 \rightarrow R = 91$
  The solver finds a solution, an interpretation of mc satisfying all three clauses. Kryštof Hoder & Nikolaj Bjørner, SAT 2012; Bjørner, McMillan, Rybalchenko, SMT 2012.
• 68. Technology. Research: Solving $\mathbb{R}$ Efficiently. A key idea: use the partial solution to guide the search. Constraints, whose feasible region is drawn on the slide: $x^3 + 2x^2 + 3y^2 - 5 < 0$, $-4xy - 4x + y > 1$, $x^2 + y^2 < 1$. Starting the search with the partial solution $x = 0.5$: can we extend it to $y$? If not, what is the core, the subset of constraints that rules the partial solution out? Dejan Jovanović & Leonardo de Moura, IJCAR 2012.
• 69. Takeaways. Context: awareness about Microsoft Research. Propaganda: cool software engineering research projects. Applications: logic is the Calculus of Computation; program analysis tools use logic at their core. Technology: Z3 – an efficient SMT solver; modern SAT/SMT solver search in one slide, and the dichotomies of modern constraint search engines.
• 70. Summary. An outline of Z3 – an efficient SMT solver: an efficient logic solver for software engineering tools tackling intractable problems.
  Z3: http://research.microsoft.com/projects/z3
  Software Engineering Research @ Microsoft: http://rise4fun.com
  Academic internships: http://research.microsoft.com/en-us/jobs/intern
  Contact: http://research.microsoft.com/~nbjorner, nbjorner@microsoft.com