Lecture 2: SMT

Preparation

Install Z3. Download the latest release 4.4.1 from https://github.com/Z3Prover/z3/releases.

Make sure the Python binding works. You may need to add the path to Z3’s bin directory to the environment variable PYTHONPATH.

$ python
Python 2.7.10 (default, Oct 14 2015, 16:09:02) 
[GCC 5.2.1 20151010] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from z3 import *
>>> x = Int('x')
>>> prove(x < x + 1)
proved
>>> 

We also suggest you install and try Rosette.

Today’s plan

• overview
• history
• applications
• exercises

Overview

• SAT/SMT
  • determine whether a boolean function can be true
  • interface: return an assignment if SAT, or UNSAT
  • can be considered as a well engineered search
• applications
  • building block of more expressive verification and synthesis
  • bug-finding/model-checking tools
  • compilers/optimizers
  • systems
• high-level workflow
  • encode systems problems into boolean functions
  • invoke the decision procedure - see 507 for impl.
  • compared to Dafny: induction, bitvec, counterexamples

History

• truth table, binary decision tree, binary decision diagram (BDD)
• 1962: DPLL algorithm
• 1971: SAT is NP-complete (The Complexity of Theorem-Proving Procedures, Stephen Cook)
• 1986: BDD (Graph-Based Algorithms for Boolean Function Manipulation, Randal Bryant)
• 2001: zChaff SAT solver
• 200x: SMT (SAT + theories)
• some projects
  • bddbddb
  • Saturn
  • EXE/KLEE
  • Sketch

Applications

• ∃x: P(x)
  • example: can a packet reach A from B
  • example: symbolic model checking (e.g., EXE/KLEE)
    • eliminating infeasible branches
    • finding input to trigger bugs
    • modeling environment
• variant ∀x: P(x)
  • check if ∃x: ¬P(x) is UNSAT
  • example: verify x + x ⇒ x << 1
  • example: would input never trigger a bug at a given program point
• variant ∀x: P(x) = Q(x)
  • example: CheckFence [PLDI’07] - if a concurrent data structure behaves the same on SC and a relaxed memory model
  • example: server fingerprint [USENIX Security’07] - if two web server implementations handle the protocol differently
  • example: STACK [SOSP’13] - if a program behaves the same under two different interpretations of the C standard
• variant ∃y: x ≠ y ∧ P(x) = P(y) for a given x
  • example: privatebug [ASPLOS’08] - generate bug report with better privacy
• find all { x | P(x) }
  • relations can be represented as boolean functions; Datalog
  • approaches: BDD, SAT solver + loop, etc.
  • example: program analysis & bddbddb (e.g., the set of memory locations each pointer can point to)
  • example: header space analysis (e.g., what are all the packets from A to B)
• ∃c∀x: P(c, x)
  • 2QBF; synthesis
  • example: add2.py
  • example: Sketching [PLDI’05, ASPLOS’06]
• design trade-off
  • does your problem really need quantifiers?
  • is SMT expressive enough for your problem?

Exercises

• Z3Py guide
• Assignment: SMT due next Monday
• Find all 32-bit integer x such that x * 4 == x + x.
• Prove the XOR swap algorithm - what’s the limitation? swap.py
• Prove the correctness of the average of two integers, using (x & y) + ((x ^ y) >>u 1), from Hacker’s Delight. avg.py
• Solve the puzzle (C = 8):

   MONEY
  + CASH
  ------
  ANNOYS