Satisfiability Modulo Bit-precise Theories for Program Exploration
Authors
Abstract
The Satisfiability Modulo Theories solver Z3 [10] is used in several program analysis and verification tools at Microsoft Research. Some of these tools require bit-precise reasoning to model machine arithmetic instructions accurately. But this alone is rarely sufficient, and an integration with other theories is required. The Pex tool [20] performs program exploration of .NET programs by generating and solving path conditions corresponding to paths that get explored during concrete execution. The path conditions reflect directly the executed instructions, including ones involving machine arithmetic supported by the CLR. The path conditions also include operations on heaps and structures. Pex relies on Z3's ability to produce models for satisfiable path conditions; these models must reflect the combination of the involved theories: bit-vectors, arrays, and tuples. This paper describes the features of Z3 that are used by Pex.
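As an added illustration (not taken from the paper or from Pex's own encoding), the following SMT-LIB 2 script shows the shape of a path condition of the kind the abstract describes: a bit-vector constraint for 32-bit machine arithmetic combined with an array for the heap object that was read. The program fragment, the names a, i, len and x, and the choice of branch are all constructed for this example.

```smt2
; Added, constructed example of a Pex-style path condition over bit-vectors and arrays.
; Not code from the paper; the names (a, i, len, x) are assumed for illustration.
; It models one path through a 32-bit C# method roughly like:
;   int x = a[i];          // bounds-checked array read
;   if (x + 1 < x) { ... } // branch under test, unchecked int arithmetic
(set-logic QF_ABV)

(declare-const a   (Array (_ BitVec 32) (_ BitVec 32)))  ; heap array of int
(declare-const i   (_ BitVec 32))                        ; index
(declare-const len (_ BitVec 32))                        ; a.Length
(declare-const x   (_ BitVec 32))                        ; value read from a[i]

; CLR bounds check passed: 0 <= i < len (one unsigned compare covers both sides)
(assert (bvult i len))

; The read itself: x = a[i]
(assert (= x (select a i)))

; Branch taken: (x + 1) < x under signed 32-bit wrap-around semantics.
; Over mathematical integers this is unsatisfiable; over bit-vectors it is
; satisfiable exactly when x + 1 overflows.
(assert (bvslt (bvadd x #x00000001) x))

(check-sat)
(get-model)
```

Run with `z3 path.smt2`. Z3 answers `sat`, and the model fixes `x` to `#x7fffffff` (`int.MaxValue`), the only 32-bit value whose signed increment wraps, together with values for `i`, `len` and the array `a` that satisfy `a[i] = x`; a tool like Pex turns such a model into the concrete test input that drives execution down this branch. Replacing `bvslt` with `bvult` changes the model to `#xffffffff`, which is why the signedness of the original comparison instruction has to be carried into the encoding rather than approximated with integers.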
Similar references
Applications and Challenges in Satisfiability Modulo Theories
The area of software analysis, testing and verification is now undergoing a revolution thanks to the use of automated and scalable support for logical methods. A well-recognized premise is that at the core of software analysis engines is invariably a component using logical formulas for describing states and transformations between system states. One can thus say that symbolic logic is the calc...
Stochastic Local Search for Satisfiability Modulo Theories
Satisfiability Modulo Theories (SMT) is essential for many practical applications, e.g., in hard- and software verification, and increasingly also in other scientific areas like computational biology. A large number of applications in these areas benefit from bit-precise reasoning over finite-domain variables. Current approaches in this area translate a formula over bit-vectors to an equisatisfia...
Synthesizing Safe Bit-Precise Invariants
Bit-precise software verification is an important and difficult problem. While there has been an amazing progress in SAT solving, Satisfiability Modulo Theory of Bit Vectors, and bit-precise Bounded Model Checking, proving bit-precise safety, i.e. synthesizing a safe inductive invariant, remains a challenge. Although the problem is decidable and is reducible to propositional safety by bit-blast...
Precise and Complete Propagation Based Local Search for Satisfiability Modulo Theories
Satisfiability Modulo Theories (SMT) is essential for many applications in computer-aided verification. A recent SMT solving approach based on stochastic local search for the theory of quantifier-free fixed-size bit-vectors proved to be quite effective on hard satisfiable instances, particularly in the context of symbolic execution. However, it still relies on brute-force randomization and rest...
Modular Bug-finding for Integer Overflows in the Large: Sound, Efficient, Bit-precise Static Analysis
We describe a methodology and a tool for performing scalable bit-precise static analysis. The tool combines the scalable static analysis engine PREfix [14] and the bit-precise efficient SMT solver Z3 [20]. Since 1999, PREfix has been used at Microsoft to analyze C/C++ production code. It relies on an efficient custom constraint solver, but addresses bit-level semantics only partially. On the ot...