Program Analysis and Testing using Satisfiability Modulo Theories

Yandex2 October 2012, Moscow

Nikolaj Bjørner

Senior Researcher

Microsoft Research1

Agenda

Context: Software Engineering Research @ Microsoft

Propaganda: Software Engineering Research Tools

Application: Fuzzing and Test Case Generation

Application: Program Verification & Bit precise Analysis

Application: String analysis - Formal Language Theory for Security

Technology: Z3 – An Efficient SMT Solver - Basics and Research

2

Takeaways

Context: Awareness about Microsoft Research

Propaganda: Cool software engineering research projects

Applications: Logic is the Calculus of ComputationPrograms analysis tools use logic at their core

Technology: Z3 – An Efficient SMT Solver. Modern SAT/SMT solver search in one slide and the dichotomies of modern constraint search engines.

I rather address questions during talk and tune the highlighted material according to interest (there are 3x too many slides )

3

An Efficient SMT SolverLeonardo de Moura, Nikolaj Bjørner, Christoph Wintersteiger

Team

Context

4

Research in Software EngineeringImprove Software Development ProductivityGroup

Context

5

Context

Organization Microsoft Research6

Microsoft Research Labs

Sales,

Support,

Marketing

~50000

R & D

~40000

Research :1%

Context

7Company

Core Expertise

Empirical Software Engineering

Foundations:Logic

Program Analysis:Performance, Reliability,

Security

Programming LanguagesDesign & Implementation

Propaganda

8

Core Expertise

Empirical Software Engineering

Foundations:Logic

Program Analysis:Performance, Reliability,

Security

Programming LanguagesDesign & Implementation

Propaganda

9

Core Expertise

Empirical Software Engineering

Foundations:Logic

Program Analysis:Performance, Reliability,

Security

Programming LanguagesDesign & Implementation

Propaganda

10

Core Expertise

Empirical Software Engineering

Foundations:Logic

Program Analysis:Performance, Reliability,

Security

Programming LanguagesDesign & Implementation

Propaganda

11

Core Expertise

Empirical Software Engineering:

Analytics: what code is prone to bugs (what code should I be testing)

for VS 2012 Team Foundation Server

Propaganda

12

.comPropaganda

13

14

http://rise4fun.com/z3py

Academic InternsPropaganda

15

Fuzzing and Test Case Generation

SAGE

Internal. For Security Fuzzing

Runs on x86 instructions

External. For Developers

Runs on .NET code

Try it on: http://pex4fun.com

Finding security bugs before the hackers

black hat

Application

16

Fuzzing and Test Case Generation

SAGE

Internal. For Security Fuzzing

Runs on x86 instructions

External. For Developers

Runs on .NET code

Try it on: http://pex4fun.com

Finding security bugs before the hackers

black hat

Dr. Strangelove?

Bug: ***433

“2/29/2012 3:41 PM Edited by *****

SubStatus -> Local Fix

I think the fuzzers are starting to become sentient.

We must crush them before it is too late.

In this case, the fuzzer figured out that if

[X was between A and B then Y would get

set to Z triggering U and V to happen……]

…..

And if this fuzzer asks for the nuclear launch

codes, don’t tell it what they are …”

Application: Fuzzing and Testing

17

SAGE by numbers100s CPU-years - largest dedicated fuzz lab in the world

100s apps - fuzzed using SAGE

100s previously unknown bugs found

Billion+ computers updated with bug fixes

Millions of $ saved for Users and Microsoft

10s of related tools (incl. Pex), 100s DART citations

3+ Billion constraints - largest usage for any SMT solver

Adapted from [Patrice Godefroid, ISSTA 2010]18

Application: Fuzzing and Testing

Test case generation

unsigned GCD(x, y) {requires(y > 0);while (true) {

unsigned m = x % y;if (m == 0) return y;x = y;y = m;

}}

Application

19

Test case generation

unsigned GCD(x, y) {requires(y > 0);while (true) {

unsigned m = x % y;if (m == 0) return y;x = y;y = m;

}} We want a trace where the loop is

executed twice.

(y0 > 0) and

(m0 = x0 % y0) and

not (m0 = 0) and

(x1 = y0) and

(y1 = m0) and

(m1 = x1 % y1) and

(m1 = 0)

SSA

Application

20

Test case generation

unsigned GCD(x, y) {requires(y > 0);while (true) {

unsigned m = x % y;if (m == 0) return y;x = y;y = m;

}} We want a trace where the loop is

executed twice.

(y0 > 0) and

(m0 = x0 % y0) and

not (m0 = 0) and

(x1 = y0) and

(y1 = m0) and

(m1 = x1 % y1) and

(m1 = 0)

Solver

x0 = 2

y0 = 4

m0 = 2

x1 = 4

y1 = 2

m1 = 0

SSA

Application

21

Execution Path

Run Test and Monitor Path Condition

Unexplored pathSolve

seed

New input

TestInputs

Constraint System

KnownPaths

Test Case Generation Procedure

22

Application: Fuzzing and Testing

int binary_search(int[] arr, int low, int high, int key)

while (low <= high)

{

// Find middle value

int mid = (low + high) / 2;

int val = arr[mid];

if (val == key) return mid;

if (val < key) low = mid+1;

else high = mid-1;

}

return -1;

}

void itoa(int n, char* s) {

if (n < 0) {

*s++ = ‘-’;

n = -n;

}

// Add digits to s

….

-INT_MIN=

INT_MIN

(INT_MAX+1)/2 +

(INT_MAX+1)/2

= INT_MIN

Package: java.util.Arrays

Function: binary_search

Book: Kernighan and Ritchie

Function: itoa (integer to ascii)

What is wrong here?Application: Scalable bit-precise analysis

Modular arithmetic

Bit-wise operations

1 0 1 0 1 1 0 1 1 0 0 1

1 0 1 0 1 1 0 1 1 0 0 1

=

Concatenation

1 0 1 0 1 1 [4:2] = 0 1 0

1 0 1 0 1 1

0 1 1 0 0 1

0 0 1 0 0 1

=

1 0 1 0 1 1

0 1 1 0 0 1

+

0 0 0 1 0 0

=

Extraction

Bit-wise and

AdditionVector

Segments

Vector Segments

Bit-precise analysisApplication: Scalable bit-precise analysis

Partners:

• European Microsoft Innovation Center

• Microsoft Research

• Microsoft’s Windows Division

• Universität des Saarlandes

co-funded by the

German Ministry of Education and Research

http://www.verisoftxt.de

Hypervisor Verification (2007 – 2010) with

Hardware

Hypervisor

Application: Verification

25

Microsoft Verifying C Compiler

26

Application: Verification

SAT/SMT progress driven by applications:VCC Performance Trends Nov 08 – Mar 09

0.1

1

10

100

1000

Attempt to improve Boogie/Z3 interaction

Modification in invariant checking

Switch to Boogie2

Switch to Z3 v2

Z3 v2 update

Application: Verification

Verification Attempt Time vs.Satisfaction and Productivity

By Michal Moskal (VCC Designer and Software Verification Expert),

Language quiz: “loose” or “lose” ?

Application: Verification

The Importance of SpeedApplication: Verification

The Importance of SpeedApplication: Verification

Building VerveV

erifie

d

C# compiler

Kernel.cs

Boogie/Z3

Translator/Assembler

TAL checker

Linker/ISO generator

Verve.iso

Source file

Compilation toolVerification tool

Nucleus.bpl (x86) Kernel.obj (x86)

9 person-months

Application: Verification

31

Safe to the Last Instruction / Jean Yang & Chris Hawbliztl PLDI 2010

Why string analysis?(motivating scenario)

Tomcat v. < 6.0.18

req = http://www.x.com/%c0%ae%c0%ae/%c0%ae%c0%ae/private/

Windows 2000 vulnerability: http://www.sans.org/security-resources/malwarefaq/wnt-unicode.php

Apache Tomcat vulnerability: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2938

1) security check: reqmust not contain "../"

2) dir = utf8decode("%c0%ae%c0%ae/%c0%ae%c0%ae/private/") = "../../private/"

access granted to "../../private/"

Analysis question:Does utf8decode reject overlong

utf8-encodings such as "%C0%AE" for '.'?

Application: String Analysis

Relativized Formal Language Theory

Classical Word Transducers(e.g. decoding automata,

rational transductions)

Classical I/O Automata(e.g. Mealy machine)

ClassicalWord Acceptors

(NFA, DFA)

Application: String Analysis

Symbolic Word Transducers

Relativized Formal Language Theory

Classical Word Transducers(e.g. decoding automata,

rational transductions)

Classical I/O Automata(e.g. Mealy machine)

ClassicalWord Acceptors

(NFA, DFA)

Symbolic Word Acceptors

regex matching

string transformation

Classical Word Acceptors modulo Th()

Classical Word Transducers modulo Th()

Application: String Analysis

Rex & Bek – Symbolic RegEx &

Transducers

Margus Veanes

Application: String Analysis

Symbolic Finite Transducer (SFT)

• Classical transducer modulo a rich label theory

• Core Idea: represent labels with guarded transformation functions– Separation of concerns: finite graph / theory of labels

Concrete transitions:

p

q

Symbolic transition:

‘\x80’/“\xC2\x80”

… ‘\x7FF’/“\xDF\xBF”

q

p

x. 8016 ≤ x ≤ 7FF16/[C016|x10,6, 8016|x5,0]

guard

bitvector operations

1920transitions

Application: String Analysis

SMT: Satisfiability Modulo Theories

𝑥2 + 𝑦2 < 1 𝑎𝑛𝑑 𝑥𝑦 > 0.1

Technology

SMT: Satisfiability Modulo Theories

𝑥2 + 𝑦2 < 1 𝑎𝑛𝑑 𝑥𝑦 > 0.1 sat, 𝑥 =1

8, 𝑦 =

7

8

Solution/Model

Technology

SMT: Satisfiability Modulo Theories

𝑥2 + 𝑦2 < 1 𝑎𝑛𝑑 𝑥𝑦 > 0.1 sat, 𝑥 =1

8, 𝑦 =

7

8

𝑥2 + 𝑦2 < 1 𝑎𝑛𝑑 𝑥𝑦 > 1

Solution/Model

Technology

SMT: Satisfiability Modulo Theories

𝑥2 + 𝑦2 < 1 𝑎𝑛𝑑 𝑥𝑦 > 0.1 sat, 𝑥 =1

8, 𝑦 =

7

8

𝑥2 + 𝑦2 < 1 𝑎𝑛𝑑 𝑥𝑦 > 1 unsat, Proof

Solution/Model

Technology

SMT: Satisfiability Modulo Theories

𝑥2 + 𝑦2 < 1 𝑎𝑛𝑑 𝑥𝑦 > 0.1 sat, 𝑥 =1

8, 𝑦 =

7

8

𝑥2 + 𝑦2 < 1 𝑎𝑛𝑑 𝑥𝑦 > 1 unsat, Proof

Is execution path P feasible? Is assertion X violated?

SAGE

Is Formula F Satisfiable (over Theory of Reals)?

Solution/Model

Technology

41

SMT: Satisfiability Modulo Theories

𝑥2 + 𝑦2 < 1 𝑎𝑛𝑑 𝑥𝑦 > 0.1 sat, 𝑥 =1

8, 𝑦 =

7

8

𝑥2 + 𝑦2 < 1 𝑎𝑛𝑑 𝑥𝑦 > 1 unsat, Proof

Is execution path P feasible? Is assertion X violated?

SAGE

Is Formula F Satisfiable (over Theory of Reals)?

WITNESS

Solution/Model

Technology

42

𝑥 + 2 = 𝑦 ⇒ 𝑓 𝑠𝑒𝑙𝑒𝑐𝑡 𝑠𝑡𝑜𝑟𝑒 𝑎, 𝑥, 3 , 𝑦 − 2 = 𝑓(𝑦 − 𝑥 + 1)

SMT: Satisfiability Modulo Theories

Technology

43

Arithmetic

𝑥 + 2 = 𝑦 ⇒ 𝑓 𝑠𝑒𝑙𝑒𝑐𝑡 𝑠𝑡𝑜𝑟𝑒 𝑎, 𝑥, 3 , 𝑦 − 2 = 𝑓(𝑦 − 𝑥 + 1)

SMT: Satisfiability Modulo Theories

Technology

44

ArithmeticArray Theory

𝑠𝑒𝑙𝑒𝑐𝑡(𝑠𝑡𝑜𝑟𝑒 𝑎, 𝑖, 𝑣 , 𝑖) = 𝑣𝑖 ≠ 𝑗 ⇒ 𝑠𝑒𝑙𝑒𝑐𝑡(𝑠𝑡𝑜𝑟𝑒 𝑎, 𝑖, 𝑣 , 𝑗) = 𝑠𝑒𝑙𝑒𝑐𝑡(𝑎, 𝑗)

𝑥 + 2 = 𝑦 ⇒ 𝑓 𝑠𝑒𝑙𝑒𝑐𝑡 𝑠𝑡𝑜𝑟𝑒 𝑎, 𝑥, 3 , 𝑦 − 2 = 𝑓(𝑦 − 𝑥 + 1)

SMT: Satisfiability Modulo Theories

Technology

45

ArithmeticArray TheoryUninterpreted

Functions

𝑠𝑒𝑙𝑒𝑐𝑡(𝑠𝑡𝑜𝑟𝑒 𝑎, 𝑖, 𝑣 , 𝑖) = 𝑣𝑖 ≠ 𝑗 ⇒ 𝑠𝑒𝑙𝑒𝑐𝑡(𝑠𝑡𝑜𝑟𝑒 𝑎, 𝑖, 𝑣 , 𝑗) = 𝑠𝑒𝑙𝑒𝑐𝑡(𝑎, 𝑗)

𝑥 + 2 = 𝑦 ⇒ 𝑓 𝑠𝑒𝑙𝑒𝑐𝑡 𝑠𝑡𝑜𝑟𝑒 𝑎, 𝑥, 3 , 𝑦 − 2 = 𝑓(𝑦 − 𝑥 + 1)

SMT: Satisfiability Modulo Theories

Technology

46

Job Shop Scheduling

Machines

Jobs

P = NP? Laundry 𝜁 𝑠 = 0 ⇒ 𝑠 =1

2+ 𝑖𝑟

Tasks

Technology

Constraints:

Precedence: between two tasks of the same job

Resource: Machines execute at most one job at a time

4

132

𝑠𝑡𝑎𝑟𝑡2,2. . 𝑒𝑛𝑑2,2 ∩ 𝑠𝑡𝑎𝑟𝑡4,2. . 𝑒𝑛𝑑4,2 = ∅

Job Shop SchedulingTechnology

Constraints: Encoding:

Precedence: 𝑡2,3 - start time of job 2 on mach 3

𝑑2,3 - duration ofjob 2 on mach 3

𝑡2,3 + 𝑑2,3 ≤ 𝑡2,4Resource:

4

132

𝑠𝑡𝑎𝑟𝑡2,2. . 𝑒𝑛𝑑2,2 ∩ 𝑠𝑡𝑎𝑟𝑡4,2. . 𝑒𝑛𝑑4,2 = ∅

𝑡2,2 + 𝑑2,2 ≤ 𝑡4,2∨

𝑡4,2 + d4,2 ≤ 𝑡2,2

Not convex

Job Shop SchedulingTechnology

Job Shop SchedulingTechnology

Job Shop Scheduling

case split

case split

Efficient solvers:

- Floyd-Warshal algorithm

- Ford-Fulkerson algorithm

𝑧 − 𝑧 = 5 – 2 – 3 – 2 = −2 < 0

Technology

Microsoft Tools using

HAVOCSAGE

Vigilante

Z3 is used by many research groups More than 19k downloadsZ3 places 1st in most categories in SMT competitions

Technology

52

Microsoft Tools using

HAVOCSAGE

Vigilante

Z3 is used by many research groups More than 19k downloadsZ3 places 1st in most categories in SMT competitions

Z3 solved more than 3 billionconstraints created by SAGEChecking Win8 and Office.

Technology

53

Microsoft Tools using

HAVOCSAGE

Vigilante

Z3 is used by many research groups More than 19k downloadsZ3 places 1st in most categories in SMT competitions

Z3 solved more than 3 billionconstraints created by SAGEChecking Win8 and Office.

Z3 ships in Windows Server with the

Static Driver Verifier

Technology

54

Microsoft Tools using

HAVOCSAGE

Vigilante

Z3 is used by many research groups More than 19k downloadsZ3 places 1st in most categories in SMT competitions

Z3 solved more than 3 billionconstraints created by SAGEChecking Win8 and Office.

Z3 ships in Windows Server with the

Static Driver Verifier

Z3 used to check Azure Firewall Policies

Technology

55

Research Areas

Algorithms

Heuristics

Logic is “The Calculus of Computer Science” Zohar Manna

Technology

56

Decidable Fragments

Research Areas

Algorithms

Heuristics

Undecidable (FOL + LIA)

Semi Decidable (FOL)

NEXPTIME (EPR)

PSPACE (QBF)

NP (SAT)

Logic is “The Calculus of Computer Science” Zohar Manna

Technology

57

Research Areas

Algorithms Decidable Fragments

Heuristics

Undecidable (FOL + LIA)

Semi Decidable (FOL)

NEXPTIME (EPR)

PSPACE (QBF)

NP (SAT)Generalized array theory

Essentially Uninterpreted Formulas

Quantified Bit-Vector Logic

Logic is “The Calculus of Computer Science” Zohar Manna

Technology

58

Research Areas

Algorithms Decidable Fragments

Heuristics

Undecidable (FOL + LIA)

Semi Decidable (FOL)

NEXPTIME (EPR)

PSPACE (QBF)

NP (SAT)Generalized array theory

Essentially Uninterpreted Formulas

Quantified Bit-Vector Logic

Practical problems often have structure that can be exploited.

Logic is “The Calculus of Computer Science” Zohar Manna

Technology

59

Little Engines of Proof

Freely available from http://research.microsoft.com/projects/z3

Technology

60

Research around Z3

.

.

.

Decision ProceduresModular Difference Logic is Hard TR 08 B, Blass Gurevich, Muthuvathi.Linear Functional Fixed-points. CAV 09 B. & Hendrix. A Priori Reductions to Zero for Strategy-Independent Gröbner Bases SYNASC 09 M& Passmore. Efficient, Generalized Array Decision Procedures FMCAD 09 M & BQuantifier Elimination as an Abstract Decision Procedure IJCAR 10, BCutting to the Chase CADE 11, Jojanovich, MPolynomials IJCAR 12, Jojanovich, M

Combining Decision ProceduresModel-based Theory Combination SMT 07 M & B. . Proofs, Refutations and Z3 IWIL 08 M & BOn Locally Minimal Nullstellensatz Proofs. SMT 09 M & Passmore. A Concurrent Portfolio Approach to SMT Solving CAV 09 Wintersteiger, Hamadi & MConflict Directed Theory Resolution Cambridge Univ. Press 12, M & B

Quantifiers, quantifiers, quantifiersEfficient E-matching for SMT Solvers. CADE 07 M & B. Relevancy Propagation. TR 07 M & B. Deciding Effectively Propositional Logic using DPLL and substitution sets IJCAR 08 M & B.Engineering DPLL(T) + saturation. IJCAR 08 M & B. Complete instantiation for quantified SMT formulas CAV 09 Ge & M. On deciding satisfiability by DPLL(+ T) and unsound theorem proving. CADE 09 Bonachina, M & Lynch. Generalized PDR SAT 12 Hoder & B..

Technology

Introductory Background Reading

September 2011

Pro

ofs

Co

nflic

t Cla

use

s

Mod

els

lite

ral a

ssig

nm

en

tsB

ackju

mp

Pro

pa

gate

Mile High: Modern SAT/SMT searchTechnology

Core Engine in Z3: Modern DPLL/CDCL

Initialize 𝜖| 𝐹 𝐹 𝑖𝑠 𝑎 𝑠𝑒𝑡 𝑜𝑓 𝑐𝑙𝑎𝑢𝑠𝑒𝑠

Decide 𝑀 𝐹 ⟹ 𝑀, ℓ 𝐹 ℓ 𝑖𝑠 𝑢𝑛𝑎𝑠𝑠𝑖𝑔𝑛𝑒𝑑

Propagate 𝑀 𝐹, 𝐶 ∨ ℓ ⟹ 𝑀, ℓ𝐶∨ℓ 𝐹, 𝐶 ∨ ℓ 𝐶 𝑖𝑠 𝑓𝑎𝑙𝑠𝑒 𝑢𝑛𝑑𝑒𝑟 𝑀

Sat 𝑀 |𝐹 ⟹ 𝑀 𝐹 𝑡𝑟𝑢𝑒 𝑢𝑛𝑑𝑒𝑟 𝑀

Conflict 𝑀 𝐹, 𝐶 ⟹ 𝑀 𝐹, 𝐶 | 𝐶 𝐶 𝑖𝑠 𝑓𝑎𝑙𝑠𝑒 𝑢𝑛𝑑𝑒𝑟 𝑀

Learn 𝑀 𝐹 | 𝐶 ⟹ 𝑀 𝐹, 𝐶 | 𝐶

Unsat 𝑀 𝐹 ∅ ⟹ 𝑈𝑛𝑠𝑎𝑡

Backjump 𝑀𝑀′ 𝐹 | 𝐶 ∨ ℓ ⟹ 𝑀ℓ𝐶∨ℓ 𝐹 𝐶 ⊆ 𝑀,¬ℓ ∈ 𝑀′

Resolve 𝑀 𝐹 | 𝐶′ ∨ ¬ℓ ⟹ 𝑀 𝐹 | 𝐶′ ∨ 𝐶 ℓ𝐶∨ℓ ∈ 𝑀

Forget 𝑀 𝐹, 𝐶 ⟹ 𝑀 𝐹 𝐶 is a learned clause

Restart 𝑀 𝐹 ⟹ 𝜖 𝐹 [Nieuwenhuis, Oliveras, Tinelli J.ACM 06] customized

Technology

Core Engine in Z3: Modern DPLL/CDCL

Initialize 𝜖| 𝐹 𝐹 𝑖𝑠 𝑎 𝑠𝑒𝑡 𝑜𝑓 𝑐𝑙𝑎𝑢𝑠𝑒𝑠

Decide 𝑀 𝐹 ⟹ 𝑀, ℓ 𝐹 ℓ 𝑖𝑠 𝑢𝑛𝑎𝑠𝑠𝑖𝑔𝑛𝑒𝑑

Propagate 𝑀 𝐹, 𝐶 ∨ ℓ ⟹ 𝑀, ℓ𝐶∨ℓ 𝐹, 𝐶 ∨ ℓ 𝐶 𝑖𝑠 𝑓𝑎𝑙𝑠𝑒 𝑢𝑛𝑑𝑒𝑟 𝑀

Sat 𝑀 |𝐹 ⟹ 𝑀 𝐹 𝑡𝑟𝑢𝑒 𝑢𝑛𝑑𝑒𝑟 𝑀

Conflict 𝑀 𝐹, 𝐶 ⟹ 𝑀 𝐹, 𝐶 | 𝐶 𝐶 𝑖𝑠 𝑓𝑎𝑙𝑠𝑒 𝑢𝑛𝑑𝑒𝑟 𝑀

Learn 𝑀 𝐹 | 𝐶 ⟹ 𝑀 𝐹, 𝐶 | 𝐶

Unsat 𝑀 𝐹 ∅ ⟹ 𝑈𝑛𝑠𝑎𝑡

Backjump 𝑀𝑀′ 𝐹 | 𝐶 ∨ ℓ ⟹ 𝑀ℓ𝐶∨ℓ 𝐹 𝐶 ⊆ 𝑀,¬ℓ ∈ 𝑀′

Resolve 𝑀 𝐹 | 𝐶′ ∨ ¬ℓ ⟹ 𝑀 𝐹 | 𝐶′ ∨ 𝐶 ℓ𝐶∨ℓ ∈ 𝑀

Forget 𝑀 𝐹, 𝐶 ⟹ 𝑀 𝐹 𝐶 is a learned clause

Restart 𝑀 𝐹 ⟹ 𝜖 𝐹 [Nieuwenhuis, Oliveras, Tinelli J.ACM 06] customized

One SAT expert to another:

“It took me a year to

understand the Mini-SAT

FUIP code”

Mate Soos to

Niklas Sörenson

over ice-cream

at SAT 2012 in Trento

Technology

Pro

ofs

Co

nflic

t Le

mm

as

Mod

els

va

lue

sto

sa

tisfy

form

ula

Backju

mp

Pro

pa

gate

Mile High: Modern SMT proceduresTechnology

EfficientlyBacktrack

to equi-satisfiable

state

Learn new fact that prune as

many dead branches as

possible

Efficient indexing for propagating

consequences

A way to certify

satisfiability

A way to certifyunsatisfiability

mc(x) = x-10 if x > 100

mc(x) = mc(mc(x+11)) if x 100

assert (x ≤ 101 mc(x) = 91)

Research: Solving Horn Clauses

∀𝑿. 𝑿 > 𝟏𝟎𝟎 mc(𝑿,𝑿 − 𝟏𝟎)

∀𝑿, 𝒀, 𝑹. 𝑿 ≤ 𝟏𝟎𝟎 mc(𝑿 + 𝟏𝟏, 𝒀) mc(𝒀,𝑹) mc(𝑿,𝑹)

∀𝑿,𝑹. mc(𝑿,𝑹) ∧ 𝑿 ≤ 𝟏𝟎𝟏 → 𝑹 = 𝟗𝟏

Solver finds solution for mc Krystof Hoder & Nikolaj Bjorner, SAT 2012Bjorner, McMillan, Rybalchenko, SMT 2012

Technology

67

Research: SolvingR Efficiently

A key idea: Use partial solution to guide the search

𝑥3 + 2𝑥2 + 3𝑦2 − 5 < 0

𝑥2 + 𝑦2 < 1

−4𝑥𝑦 − 4𝑥 + 𝑦 > 1

Feasible Region

Starting searchPartial solution:𝑥 = 0.5

Can we extend it to 𝑦?

What is the core?

Dejan Jojanovich & Leonardo de Moura, IJCAR 2012

Technology

68

Takeaways

Context: Awareness about Microsoft Research

Propaganda: Cool software engineering research projects.

Applications: Logic is the Calculus of Computation. Programs analysis tools use logic at their core.

Technology: Z3 – An Efficient SMT Solver. Modern SAT/SMT solver search in one slide

dichotomies of modern constraint search engines.69

Summary

An outline of – an efficient SMT solverEfficient logic solver for SE tools tackling intractable problemshttp://research.microsoft.com/projects/z3

Software Engineering Research @ Microsoft http://rise4fun.com

Academic internshipshttp://research.microsoft.com/en-us/jobs/intern

Contacthttp://research.microsoft.com/~nbjornernbjorner@microsoft.com 70