1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software...

1

Chao Wang

NEC Labs, Princeton, NJ

COS 598d

3/5/2010

SMT and its Application in Software Verification

2

What is SMT?

Satisfiability Modulo Theories (SMT) Decision problem for logic formulas expressed in classical first-

order logic with equality, with respect to combinations of some background theories

It is a generalization of SAT, where some Boolean variables are replaced by predicates from a variety of underlying theories.

3

Boolean Satisfiability (SAT)

or

and

not

or

and

or

.

.

.

p2

p1

pn

Is there an assignment to the p1, p2, …, pn variables such that evaluates to 1?

4

Satisfiability Modulo Theories (SMT)

.

.

.

p2

p1

pn

Is there an assignment to the x, y, z, w variables s.t. evaluates to 1?

x + 2 z <1

x % 26 = v

w & 0xFFFF = x

x = y

or

and

not

or

and

or

5

SMT Solvers: A Brief History

Early work in the late 1970s Nelson and Oppen, Shostak, Boyer and Moore

Modern SMT solvers started in the late 1990s Attempts to build scalable solvers Influenced by SAT solvers (GRASP and Chaff)

Last few years: tremendous progress Efficient SMT solvers

(SMT-LIB benchmarks, SMT-COMP solver competition) Wide-spread applications

6

Many of its Applications

Verification systems HOL, Isabelle, and PVS, etc. ACL2, Caduceus, SAL, UCLID, etc.

Extended static checkers and model checkers Boogie, ESC/Java 2, etc. BLAST, Eureka, MAGIC, SLAM, F-Soft, etc.

Certifying compliers Touchstone, TVOC, etc.

Test case generation DART, EXE, CUTE, PEX, etc.

…

7

Outline

What’s SMT?

Some Useful Theories

Inside SMT Solvers

How to Use It?

Application in Software Verification

8

First-Order Logic (quantifier-free)

Logical Symbols Propositional connectives: AND, OR, NEGATION,etc. Boolean variables: v1, v2, . . .

Non-logical symbols/Parameters Equality: = Functions: +, -, %, bit-wise &, f(), concat, … Predicates: ·, is_substring, … Constant symbols: 0, 1.0, null, …

9


QF_UF: Theory of equality (with uninterpreted functions)

QF_LIA, QF_LIR: Theories of linear arithmetic (over Q or Z)

QF_IDL, QF_RDL: Theories of difference logic (over Q or Z)

QF_BV: Theories of fixed-size bit-vectors

QF_A, QF_AX: Theory of arrays (with and w/o extensionality)

Misc.: Non-linear arithmetic, …

10

Example: QF_UF Formula

(x = y) & (y = z) & (f(x) f(z))

Transitivity:

(x = y) & (y = z) (x = z)

Congruence:

(x = z) (f(x) = f(z))

11

x0x1

x2

xn-1

QF_UF in Processor Verification (datapath)

ALU

x

f

Bit-vectors to Abstract Domain (e.g. Z)

Functional units to Uninterpreted Functions a = x & b = y f(a,b) = f(x,y)

Common Operations

1

0

x

y

p

ITE(p, x, y)

If-then-else

x

y x = y=

Test for equality

…

12

QF_UF in Equivalence Checking

int fun1(int y) { int x, z; z = y; y = x; x = z;

return x*x;}

int fun2(int y) { return y*y;}

SMT formulaSatisfiable not equivalent

( z = y & y1 = x & x1 = z & ret1 = x1*x1) &( ret2 = y*y ) &( ret1 ret2 )

Using SAT to check equivalence (w/ Minisat) 32 bits for y: Did not finish in over 5 hours 16 bits for y: 37 sec. 8 bits for y: 0.5 sec. Using EUF solver: 0.01 sec.

By Sanjit Seshia, UC Berkeley

13

Bit-Vector Arithmetic (QF_BV)

Fixed width data words Can model int, short, long, etc.

Arithmetic operations E.g., add/subtract/multiply/divide & comparisons Two’s complement and unsigned operations

Bit-wise logical operations E.g., and/or/xor, shift/extract and equality

Boolean connectives

(define b1::(bitvector 32))

(define b2::(bitvector 32))

(assert (and (= (bv-add b1 (mk-bv 32 1)) b2)

(/= (bv-add (mk-bv 32 0) (bv-add (mk-bv 32 1) b1)) b2)))

(check)

14

Linear Arithmetic (QF_LRA, QF_LIA)

Boolean combination of linear constraints

(a1 x1 + a2 x2 + … + an xn <= b)

where xi’s could be in Q or Z

Many applications, including: Verification of analog circuits Software verification, e.g., of array bounds

15

Difference Logic (QF_IDL, QF_RDL)

Boolean combination of linear constraints

xi – xj <= cij

where xi, xj, cij, are in Q or Z

Applications: Software verification (most linear constraints are of this form) Processor data-path verification Job shop scheduling

16

Theory of Arrays (QF_AX)

Two interpreted functions: select and store select(A,i) Read from array A at index i store(A,i,d) Write d to array A at index i

Two main axioms: select( store(A,i,d), I ) = d select( store(A,i,d), j ) = select(A,j) for i j

Extentionality axiom: (forall index i. select(A,i) = select(B,i)) (A = B)

17C. Barrett & S. A. Seshia

Example: QF_AX in Equivalence Checking

int fun1(int y) { int x[2]; x[0] = y; y = x[1]; x[1] = x[0];

return x[1]*x[1];}

int fun2(int y) { return y*y;}

SMT formula

x1 = store( x,0,y ) & y1 = select( x1,1 ) & x2 = store( x1,1,select(x1,0) ) & ret1 = sq( select(x2,1) ) & ret2 = sq(y) & ( ret1 ret2 )

18

Outline

What’s SMT?


Inside SMT Solvers

How to Use It?


19

SMT Solvers: “Eager” vs. “Lazy”

Eager approach: Translating input formula into an “equi-satisfable” Boolean formula using enough consequences of the underlying theory

Lazy approach: Writing a dedicated “theory solver” for conjunction of literals in the underlying theory, embedded as a submodule into a Boolean SAT solver

20

Example: Solvers for difference logic

Eager approach Small domain encoding Per constraint encoding

[Pnueli et al. 2002], [Shtrichman et al. 2002][Seshia et al. 2003]

Lazy approach Sateen, Z3, Yices

Top-3 in 2009 competition

input formula in IDL

Equi-SAT Boolean Formula(all transitivity constraints are added)

Boolean SAT

Input formula in IDL

Boolean Abstraction

Boolean SAT

Check theory consistency

Add trans. constraint

inconsistent ?

21

Integer Difference Logic (IDL)

Logic to model systems at the “word-level” Subset of a quantifier-free first-order logic Boolean connectives + predicates like (x – y ≤ c)

Formal verification applications Pipelined processors, timed systems, embedded software e.g., back-end of the UCLID Verifier

22

IDL Preliminaries

Difference logic formula

Difference predicates

Boolean skeleton

Constraint graph for assignment (A,¬B,C,D)

x y

wz

A:2

D:10C:3

¬B:-7

A: ( x – y ≤ 2 ) ¬ B: ( z – x ≤ -7 ) C: ( y - z ≤ 3 ) D: ( w - y ≤ 10 )

A: ( x – y ≤ 2 ), B: ( z – x ≤ -7 )C: ( y - z ≤ 3 ), D: ( w - y ≤ 10 )

23

Theory Solver: minimal requirement

For the theory solver

Input: a conjunction set of literals

Output: consistent or inconsistent

x y

wz

A:2

D:10C:3

¬B:-7

A: ( x – y ≤ 2 ) ¬ B: ( z – x ≤ -7 ) C: ( y - z ≤ 3 ) D: ( w - y ≤ 10 )

25

Theory Solver: can be more helpful

Conflict analysis: why inconsistent? Negative weighted cycle Theory conflict add a Lemma or blocking clause trigger a Boolean conflict

A: ( x – y ≤ 2 ) ¬ B: ( z – x ≤ -7 ) C: ( y - z ≤ 3 ) D: ( w - y ≤ 10 )

x y

wz

A:2

D:10C:3

¬B:-7

Lemma learned:

(¬A + B + ¬C)

A:2

C:3

¬B:-7

Conflicting clause: (false + false + false)

26

Theory Solver: can be even more helpful

Deriving Theory Implications: look-ahead If adding an edge creates a negative cycle negated edge is implied Theory implication var assignment Boolean implication (BCP)

A: ( x – y ≤ 2 ) ¬ B: ( z – x ≤ -7 ) C: ( y - z ≤ 3 ) D: ( w - y ≤ 10 )

x y

wz

A:2

D:10C:3

¬B:-7

Theory implication:

A ^ ¬B → (¬C)

C:3

Implied Boolean assignment trigger a series of BCP

27

Theory Solver: other desired features

Model generation

Conflict set generation

Deduction of unassigned literals

Incremental don’t start from scratch for each call

Backtrackable can “undo” steps to a previous state

Deduction of interface equalities (eij-deduction)

…

28

Negative Cycle Detection (standard)

Bellman-Ford shortest-paths algorithm Detect negative cycles as by-product Take O(n*m) time sounds good!

However, inside SMT Theory solver will be invoked many times, Each time on a very similar sub-problem

29

Bellman-Ford Algorithmrelax (u,v) {

if (d[v] > d[u] + w[u,v])

d[v] = d[u] + w[u,v];

}

Bellman_Ford ( ) {

for each node v, initialize d[v] = 0;

for (i=1; i<N; i++) {

for each edge (u,v) relax(u,v);

}

for each edge (u,v)

if ( d[v] > d[u] + w[u,v] )

return NEGATIVE_CYCLE;

return;

}

x y

wz

A:2

D:10C:3

¬B:-7

A: ( x – y ≤ 2 ) ¬ B: ( z – x ≤ -7 ) C: ( y - z ≤ 3 ) D: ( w - y ≤ 10 )

u,v nodes in graphd[u] node score d[v] node score

0

0

30

Incremental Algorithm

//… after adding the edge (u,v)

if ( d[v] > d[u] + w[u,v] ) {

relax (u,v)

enqueue (v)

}

while ( (x=dequeu()) != null) {

for each edge (x,y) {

if (d[y] > d[x] + w[x,y] ) {

relax (x,y)

if (u==x && v==y) return NEGATIVE_CYCLE;

else enqueue (y);

} } }

return;

u

v

Keep relaxing till it stablize…

But before that, if node v is

relaxed again, there is a cycle!

31

0

Incremental conflict detection

Relax (u,v): if (d[v] > d[u]+w[u,v]) { d[v] = d[u]+w[u,v]; pi[v] = u }

x y

wz

2

10

-7

0

-7 0

3

X -4

(z,y) d[y]=-4 pi[y]=z

X 6

(y,w) d[w]=6 pi[w]=y

(y,x) d[x]=-2 pi[x]=y

X -2

(x,z) d[z]=-9 pi[z]=x

X -9

•Add an edge relax, relax, relax, …, till stablization•Remove an edge ???

(z,y) CONFLICT !!!

32

Theory Solver: other desired features

Model generation

Conflict set generation

Deduction of unassigned literals

Incremental

Backtrackable can “undo” steps to a previous state

Deduction of interface equalities (eij-deduction)

…

33

Fast Backtracking (edge removal)

The number of backtracks is very large in practice Should have low runtime overhead can’t start from scratch Should be scalable in terms of memory usage can’t checkpoint

Key Observation { d[v] } remains a solution after removing some edges No need to restore the theory solver’s state

After the edge removal, nothing needs to be done!

Backtracking Cost constant-time!!!

34

Incremental Algorithm: an example[Wang et al. LPAR 2005][Wang et al. DAC 2006]

35

35

Diamonds: with O(2^n) negative cycles

-1

e1 e2

e0

Observations:

With existing predicates (e1,e2,…) exponential number of lemmas

Add new predicates (E1,E2,E3) linear number of lemmas

Previous eager chordal transitivity method used by [Strichmann et al. FMCAD’02]

E1 E2 E3

36

36

Heuristics to add “chordal predicates”

x y wz

Heuristics to choose GOOD predicates (short-cuts)

Nodes that show up frequently in negative cycles

Nodes that are re-convergence points of the graph

E3: x – y <= (d[x] - d[y])

Predicates: E1: x – y < 5 E2: y – x < 5Lemma: ( ! E1 + ! E2 )

37

Outline

What’s SMT?


Inside SMT Solvers The “lazy” approach

The “eager” approach

How to Use It?


38

Remove Functions: QF_UF SAT

Ackermann’s Reduction (1954) For each “function symbol occurrence”, add a new variable xf For each pair (xf1, xf2), add “function consistency constraints”

Input formula: f(a1) & f(a2) & f(a3)

Output formula: xf1 & xf2 & xf3 &

(a1 = a2) (xf1 = xf2) &

(a1 = a3) (xf1 = xf3) &

(a2 = a3) (xf2 = xf3)

39

Remove Functions: QF_UF SAT

Bryant-German-Velev Reduction (2001) Exploits a property of function applications called “positive equality” Eliminate functions using a nested If-Then-Else expressins

Input formula: f(a1) & f(a2) & f(a3)

Output formula: xf1 &

ITE(a2=a1, xf1, xf2) &

ITE(a3=a1, xf1, ITE(a3=a2, xf2, xf3) )

Further Improvement (Lahiri et al. 2004)

40

Small-Domain Encoding: QF_LIA SAT

For Linear Integer Arithmetic

If there is a satisfying solution to a formula, there is one whose size, measured in bits, is polynomially bounded in the problem size

With “bounded” integers, one can translate the LIA formula into a pure Boolean formula

41

Small-Domain Encoding: Example

Equality constraints of the form

(x = y), or (x != y)

For a formula with (n) variables, the solution size (d) is bounded by (n).

42C. Barrett & S. A. Seshia ICCAD 2009 Tutorial42

Summary of Solution Bounds

Logic Solution Bound d

Equality logic n

Difference logic n * ( bmax + 1 )

UTVPI logic (Gen2SAT) 2 * n * ( bmax + 1 )

Full Integer Linear Arithmetic

n *(bmax + 1) * (amaxk * w k)

43

Direct Encoding of Theory Axioms

Alternative to “small-domain” encoding Also called “per-constraint” encoding

For QF_UF (equality logic), Bryant and Velev (2001) Cubic – worst-case formula size

For QF_IDL (difference logic), Strichman et al (2002) Exponential – worst-case formula size

For QF_LIA (integer arithmetic), Strichman (2002) Double-exponential – worst-case formula size

44

Theory Combination: briefly

Problem Statement:

Is it possible to combine theory solvers for several component theories, denoted T1, …, Tn, into a theory solver that decides ground satisfiability modulo their combination?

The answer is negative, in general There are theories with decidable ground satisfiability

problems, whose combination is undecidable…

45


Nelson and Oppen (1979,1980):

It is possible, if one imposes some restrictions on the component theories and their combination…

Sufficient conditions (for theories T1 and T2)1. They are signature-disjoint2. They are both “stably infinite”

46


DTC: Delayed Theory Combination (2005, 2006) Rely on DPLL Boolean SAT Little requirement for Theory Solver

Eij-Deduction does not need to be complete

Delayed Theory Combination vs. Nelson-Oppen for Satisfiability Modulo Theories: a Comparative Analysis, by Bruttomesso et al. in LPAR 2006

47

Outline

What’s SMT?


Inside SMT Solvers

How to Use It?


48

In Practice: the Yices SMT Solver

Features: Producing models, for satisfiable formulas Producing proofs, for unsatisfiable formulas Identifying UNSAT cores

subset of the original formula that is also UNSAT Retracting clauses, MAX-SAT, etc.

Command-lineyices < file.ys or // native input formatyices --smt < file.smt // smt-lib input formula

API (programming interface)

49

Outline

What’s SMT?


Inside SMT Solvers

How to Use It?


50

Chao Wang NEC Labs, Princeton, NJ

Sudipta Kundu UC San Diego

Malay Ganai NEC Labs, Princeton, NJ

Aarti Gupta NEC Labs, Princeton, NJ

Symbolic Predictive Analysis for Concurrent Programs

Related publications

[Wang et al. FM 2009][Wang et al. FSE 2009][Wang et al. TACAS2010]

51

Main thread

Multithreaded C/C++ ProgramHeap (storing shared objects)

Thread 1 Thread 2 Thread 3

Test Input

POSIX Threads Library

(Pthreads)

Rest of the Linux OS

Your expectation: If the program fails the given test, you want to see the bug

The reality:Even if the program may fail (under a certain schedule), you perhaps won’t see it

Why? Thread scheduling is controlled by the OS and the Pthreads library

What is the Problem?

52

Main thread

Multithreaded C/C++ ProgramHeap (storing shared objects)

Thread 1 Thread 2 Thread 3

Test Input

POSIX Threads Library

(Pthreads)

Rest of the Linux OS

Our Solution

FUSION:

our scheduler/ trace logger /dynamic model

checker

Run the test once, and log the execution trace

Check (symbolically) all alternative interleavings of events of that trace

53

Predictive Analysis

Detecting errors by statically analyzing the recorded execution traces of a concurrent program

without re-running the program…

54

Given a concrete trace (logged during execution) some properties (e.g. embedded assertions)

Checking whether the properties hold in all possible interleavings of events of that trace Symbolically, using a SMT solver

55

C program:

multi-threaded, using Pthreads

Execution trace

“assume( c )” means the (c)-branch is taken

56

Execution trace

CTP (concurrent trace program)

Think of abounded, straight-line,

concurrent program

57

Detecting Violations (symbolically)

Build a SAT formula (in some quantifier-free first-order logic)

F_program : any feasible thread interleaving of CTP

F_property : assertion is violated

Solve

( F_program & F_property )

Sat found a real error

Unsat ……

58

Concurrent Static Single Assignment (CSSA)

F_po: HB(t0,t1) & HB(t1,t2) & HB(t2,t3) & HB(t3,t4) & HB(t4,t5)

HB(t0,t11) & HB(t11,t12) & HB(t12,t13) & HB(t13,t14) & HB(t14,15) & HB(t15,t18) & HB(t18,t5)

HB(t1,t21) & HB(t21,t26) & HB(t26,t27) & HB(t27,t28) & HB(t28,t4)

F_vd: (x0=0) & (y0=0) &

(a1=Y_1) & & (b1 = X_1)

(a1=0) & & (b1 != 0)

(x1=1) & & (y1 = 0)

(a2=X_2) &

(x2=a2)

F_property: (X_3 == Y_2)

F_pi: &( (Y_1=y0) & HB(t11,t27) OR

(Y_1=y1) & HB(t27,t11) )

& ( (X_1=x0) & HB(t21,t13) OR

(X_1=x1) & HB(t13,t21) & HB(t21,t15) OR

(X_1=x2) & HB(t15,t21) )

& (X_2=x1)

& (X_3=x2)

& (Y_2=y1)

59

HB (Happens-Before) Constraints

How is HB(t1,t2) implemented? Event t1 happens strictly before t2

HB(t1,t2) := t1 < t2 where t1,t2 are integer variables

60

Outline

Motivation

Symbolic Predictive Analysis

Related Work

Context Bounding (SAT-based)

Experiments

Conclusions

61

Related Work (predicting errors)

Methods that do not miss errors (over-approximate) Lockset methods: e.g. Eraser, RacerX

Problem: False alarms (sometimes, lots of them)

Methods with no bogus errors (under-approximate) Inspired by Lamport’s happens-before causality Recent causal models

Generalized Predictive Analysis [Sen,Rosu,Agha,2005] Parametric and Sliced Causality [Chen,Rosu,2007] Maximal Causal Model [Serbanuta,Chen,Rosu,2008]

– Subsume other causal models

62

Example (MCM works)counting semaphore: l=1 initiallyshared variables: x=y=0 initially

x:= 1 + a

t1: RD(x) = 0

t2: RD(l)=1,WR(l)=0

t3: WR(x) = 1

t4: WR(l)=1

t5: WR(y)=1

t6: RD(l)=1,WR(l)=0

t7: WR(x)=1

t8: WR(l)=1

t9 :

t10: RD(l)=1,WR(l)=0

t11: RD(x)=1

t12: assert(y==1)

t13: WR(l)=1

The View of Maximal Causal Model

observe “events” instead of “statements”

63

Example (MCM works)counting semaphore: l=1 initiallyshared variables: x=y=0 initially

x:= 1 + a

t1: RD(x) = 0

t2: RD(l)=1,WR(l)=0

t3: WR(x) = 1

t4: WR(l)=1

t5: WR(y)=1

t6: RD(l)=1,WR(l)=0

t7: WR(x)=1

t8: WR(l)=1

t9 :

t10: RD(l)=1,WR(l)=0

t11: RD(x)=1

t12: assert(y==1)

t13: WR(l)=1

Why is it feasible to move t11 ahead of t7?

t11 still reads in the value (x==1)

64

Example (MCM works)

t1: RD(x) = 0

t2: RD(l)=0,WR(l)=1

t3: WR(x) = 1

t4: WR(l)=1

t5: WR(y)=1

t6: RD(l)=0,WR(l)=1

t7: WR(x)=1

t8: WR(l)=0

t9 :

t10: RD(l)=0,WR(l)=1

t11: RD(x)=1

t12: assert(y==1)

t13: WR(l)=0

65

Example (MCM will miss real errors)counting semaphore: l=1 initiallyshared variables: x=y=0 initially

t1: RD(x) = 0

t2: RD(l)=0,WR(l)=1

t3: WR(x) = 2

t4: WR(l)=1

t5: WR(y)=1

t6: RD(l)=0,WR(l)=1

t7: WR(x)=1

t8: WR(l)=0

t9 :

t10: RD(l)=0,WR(l)=1

t11: RD(x)=1

t12: assert(y==1)

t13: WR(l)=0

MCM will miss this real error

x:= 1 + a

66

Using CTP (will catch the real error)

67

Outline

Motivation

Symbolic Predictive Analysis

Related Work


Experiments

Conclusions

72

Outline

Motivation

Symbolic Analysis

Related Work


Experiments

Conclusions

73

FUSION: runtime analysis + symbolic analysis

Target Program

test input

API

CSV

Online parsing

CTP building

CTP simplify

Symbolic Encoding

cssa …

Calling the SMTSolver

Static Analysis …

symbolic analysis

Dynamic MC(e.g. INSPECT, CHESS,VeriSoft)

Pick and Runa schedule

DPOR backtracking

sleep set, context bound

Search Stack

socket

Consulting CSV

SAT Check Prunecsv2inspect

74

Experiments

Benchmarks Multithreaded C programs (Linux/Pthreads) With embedded assertions

Details Indexer examples from [Flanagan & Godefroid, POPL 2005]

Multiple threads sharing a hash table 11 threads or less, no hash collision 12 threads or more, heavy hash collision

Bank examples from [Farchi, Nir, Ur, PDPS 2003]

Small programs with pointers, arrays, and structures,

75

Experimental Results

MO: run out of 800 MB memory

76

Conclusions

New method: symbolic predictive analysis Coverage: subsumes known causal models (MCM) Efficiency: SAT-based search vs. explicit enumeration

Highlights CTP (Concurrent Trace Program) CSSA (Concurrent Static Single Assignment) SAT-based context bounding

Future work Predicting atomicity violations

77

References

SMT

“Satisfiability Modulo Theories” (book chapter) Clark Barrett, Roberto Sebastiani, Sanjit A. Seshia, and Cesare Tinelli. In the Handbook of Satisfiability, IOS Press, 2009. (available from the authors’ web pages)

Concurrent Software Verification

“Symbolic Predictive Analysis for Concurrent Programs”, FM 2009 Chao Wang, Sudipta Kundu, Malay Ganai, and Aarti Gupta“Trace based Symbolic Analysis for Atomicity Violations”, TACAS 2010 Chao Wang, Rhishikesh Limaye, Malay Ganai, and Aarti Gupta (available from the authors’ web pages)

1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software...

Documents

Transcript of 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software...