a decision procedure for program analysis and bug finding

A Decision Procedure A Decision Procedure for for

Program Analysis and Bug FindingProgram Analysis and Bug Finding

A Decision Procedure A Decision Procedure for for

Program Analysis and Bug FindingProgram Analysis and Bug Finding

Vijay GaneshVijay GaneshAffiliation: CSAIL, MITAffiliation: CSAIL, MIT

Supported by Lincoln LabsSupported by Lincoln LabsFebruary 7February 7thth, 2008, 2008

Vijay GaneshVijay GaneshAffiliation: CSAIL, MITAffiliation: CSAIL, MIT

Supported by Lincoln LabsSupported by Lincoln LabsFebruary 7February 7thth, 2008, 2008

Motivating ExampleMotivating ExampleMotivating ExampleMotivating Example

Foo(int x){int A[2];int t;

A[0] = 0;A[1] = 1;

if(0 <= x <= 1) {t = 2/(A[x] + x);

} }

STP

SATSAT//UNSATUNSAT

A[0]=0A[1]=10<=x<=1A[x]+x=0

In Theory, Symbolic Execution + DP + Verification Conditions - Unbounded Loops, Gives VerificationIn Theory, Symbolic Execution + DP + Verification Conditions - Unbounded Loops, Gives Verification

Decision ProceduresDecision ProceduresDecision ProceduresDecision Procedures

Examples: Boolean SAT, Real Arithmetic, Bit-vectorsExamples: Boolean SAT, Real Arithmetic, Bit-vectors

Reduction easy for many problemsReduction easy for many problems

Approach better than coming up with special purpose algorithms: Approach better than coming up with special purpose algorithms: More efficient and saves workMore efficient and saves work

AI, program analysis, bug finding, verification,…AI, program analysis, bug finding, verification,…

Examples: Boolean SAT, Real Arithmetic, Bit-vectorsExamples: Boolean SAT, Real Arithmetic, Bit-vectors

Reduction easy for many problemsReduction easy for many problems

Approach better than coming up with special purpose algorithms: Approach better than coming up with special purpose algorithms: More efficient and saves workMore efficient and saves work

AI, program analysis, bug finding, verification,…AI, program analysis, bug finding, verification,…

DecisionProcedureInput FormulaInput Formula

SAT

UNSAT

STPSTPSTPSTP

1.1. DesignDesign and and ArchitectureArchitecture of STP (CAV ‘07, CCS ‘06) of STP (CAV ‘07, CCS ‘06)

2.2. Abstraction-RefinementAbstraction-Refinement based heuristics for Deciding based heuristics for Deciding ArraysArrays

3.3. SolverSolver Algorithm for deciding Linear Bit-vector Algorithm for deciding Linear Bit-vector Arithmetic O(nArithmetic O(n33))

4.4. Experimental ResultsExperimental Results

1.1. DesignDesign and and ArchitectureArchitecture of STP (CAV ‘07, CCS ‘06) of STP (CAV ‘07, CCS ‘06)




Projects using STPProjects using STPProjects using STPProjects using STP Bug FindersBug Finders

EXE by Dawson Engler, Cristian Cadar and others (Stanford)EXE by Dawson Engler, Cristian Cadar and others (Stanford) MINESWEEPER by Dawn Song and her group (CMU)MINESWEEPER by Dawn Song and her group (CMU) CATCHCONV by David Molnar and David Wagner (Berkeley)CATCHCONV by David Molnar and David Wagner (Berkeley) Backward Path Sensitive Analysis by Tim Leek (MIT Lincoln)Backward Path Sensitive Analysis by Tim Leek (MIT Lincoln)

Security ToolsSecurity Tools REPLAYER: Security analysis thru protocol replay (CMU)REPLAYER: Security analysis thru protocol replay (CMU) Smart Fuzzer by Roberto Paleari (University of Milan, Italy)Smart Fuzzer by Roberto Paleari (University of Milan, Italy)

Program AnalysisProgram Analysis by Rupak Majumdar (UCLA)by Rupak Majumdar (UCLA)

Hardware verification Hardware verification Cache coherence protocols by Dill group (Stanford)Cache coherence protocols by Dill group (Stanford) By a chip companyBy a chip company

Software verification of crypto algorithms by Dill group (Stanford)Software verification of crypto algorithms by Dill group (Stanford)

Bug FindersBug Finders EXE by Dawson Engler, Cristian Cadar and others (Stanford)EXE by Dawson Engler, Cristian Cadar and others (Stanford) MINESWEEPER by Dawn Song and her group (CMU)MINESWEEPER by Dawn Song and her group (CMU) CATCHCONV by David Molnar and David Wagner (Berkeley)CATCHCONV by David Molnar and David Wagner (Berkeley) Backward Path Sensitive Analysis by Tim Leek (MIT Lincoln)Backward Path Sensitive Analysis by Tim Leek (MIT Lincoln)

Security ToolsSecurity Tools REPLAYER: Security analysis thru protocol replay (CMU)REPLAYER: Security analysis thru protocol replay (CMU) Smart Fuzzer by Roberto Paleari (University of Milan, Italy)Smart Fuzzer by Roberto Paleari (University of Milan, Italy)

Program AnalysisProgram Analysis by Rupak Majumdar (UCLA)by Rupak Majumdar (UCLA)

Hardware verification Hardware verification Cache coherence protocols by Dill group (Stanford)Cache coherence protocols by Dill group (Stanford) By a chip companyBy a chip company

Software verification of crypto algorithms by Dill group (Stanford)Software verification of crypto algorithms by Dill group (Stanford)

Projects using STP:Projects using STP:Smart Fuzzing thru’ Path SelectionSmart Fuzzing thru’ Path Selection

Projects using STP:Projects using STP:Smart Fuzzing thru’ Path SelectionSmart Fuzzing thru’ Path Selection

Smart Fuzzer by Roberto Paleari (University of Milan, Italy)Smart Fuzzer by Roberto Paleari (University of Milan, Italy)

Do dynamic analysis to determine dependency between input and control transfer (if Do dynamic analysis to determine dependency between input and control transfer (if conditional)conditional)

Collect path conditions Collect path conditions

Feed to STP to find values that drive a pathFeed to STP to find values that drive a path

Feed to STP to find values that drive the ‘other’ pathFeed to STP to find values that drive the ‘other’ path

Smart Fuzzer by Roberto Paleari (University of Milan, Italy)Smart Fuzzer by Roberto Paleari (University of Milan, Italy)

Do dynamic analysis to determine dependency between input and control transfer (if Do dynamic analysis to determine dependency between input and control transfer (if conditional)conditional)

Collect path conditions Collect path conditions

Feed to STP to find values that drive a pathFeed to STP to find values that drive a path

Feed to STP to find values that drive the ‘other’ pathFeed to STP to find values that drive the ‘other’ path

Projects using STP:Projects using STP:Formal Verification of Crypto AlgorithmsFormal Verification of Crypto Algorithms

Projects using STP:Projects using STP:Formal Verification of Crypto AlgorithmsFormal Verification of Crypto Algorithms

Eric Smith and David DillEric Smith and David Dill

TechniqueTechnique

Annotate code with InvariantsAnnotate code with Invariants

Symbolically execute the Java implementation of the Crypto AlgoSymbolically execute the Java implementation of the Crypto Algo

Plug the symbolically executed terms into the invariantsPlug the symbolically executed terms into the invariants

Feed invariants into ACL2 + STPFeed invariants into ACL2 + STP

ACL2 handles any induction + integer related stuff, and STP handles (in)equalities ACL2 handles any induction + integer related stuff, and STP handles (in)equalities over bit-vector termsover bit-vector terms

Eric Smith and David DillEric Smith and David Dill

TechniqueTechnique

Annotate code with InvariantsAnnotate code with Invariants

Symbolically execute the Java implementation of the Crypto AlgoSymbolically execute the Java implementation of the Crypto Algo

Plug the symbolically executed terms into the invariantsPlug the symbolically executed terms into the invariants

Feed invariants into ACL2 + STPFeed invariants into ACL2 + STP

ACL2 handles any induction + integer related stuff, and STP handles (in)equalities ACL2 handles any induction + integer related stuff, and STP handles (in)equalities over bit-vector termsover bit-vector terms

Projects using STP:Projects using STP: Cross Checking, Model Checking, Equivalence Checking(?) Cross Checking, Model Checking, Equivalence Checking(?)

Projects using STP:Projects using STP: Cross Checking, Model Checking, Equivalence Checking(?) Cross Checking, Model Checking, Equivalence Checking(?)

Cross Checking: EXE : Dawson Engler, Cristian Cadar,…Cross Checking: EXE : Dawson Engler, Cristian Cadar,… Different implementations of grep… Do they match?Different implementations of grep… Do they match? Symbolic-simulate Grep1Symbolic-simulate Grep1 Symbolic-simulate Grep2Symbolic-simulate Grep2 Equate the two and feed to STPEquate the two and feed to STP

Model Checking Cache Coherence Protocols: Chang and DillModel Checking Cache Coherence Protocols: Chang and Dill Does model satisfy property P? Does model satisfy property P? Convert to decision problem and feed to STPConvert to decision problem and feed to STP If you are using BDDs, try SAT or STPIf you are using BDDs, try SAT or STP

Cross Checking: EXE : Dawson Engler, Cristian Cadar,…Cross Checking: EXE : Dawson Engler, Cristian Cadar,… Different implementations of grep… Do they match?Different implementations of grep… Do they match? Symbolic-simulate Grep1Symbolic-simulate Grep1 Symbolic-simulate Grep2Symbolic-simulate Grep2 Equate the two and feed to STPEquate the two and feed to STP

Model Checking Cache Coherence Protocols: Chang and DillModel Checking Cache Coherence Protocols: Chang and Dill Does model satisfy property P? Does model satisfy property P? Convert to decision problem and feed to STPConvert to decision problem and feed to STP If you are using BDDs, try SAT or STPIf you are using BDDs, try SAT or STP

Compiler Optimization/Compiler Optimization/Verilog SynthesisVerilog Synthesisf()f() g()g() STPSTP

f()=g()f()=g()

Valid/InvalidValid/Invalid

Projects using STP:Projects using STP: Work by Dawn Song and her group Work by Dawn Song and her group

Projects using STP:Projects using STP: Work by Dawn Song and her group Work by Dawn Song and her group

Automatic discovery of deviations in binary implementations : error detection and fingerprint generation

Protocol Replay: Try to reproduce a dialog between an initiator and a network hostProtocol Replay: Try to reproduce a dialog between an initiator and a network host Auto Generation of modules for honeypots so that they can correctly respond to Auto Generation of modules for honeypots so that they can correctly respond to

connection attempts by wormsconnection attempts by worms

Automatic patch based exploit generation: Using STP to reveal exploit information Automatic patch based exploit generation: Using STP to reveal exploit information from a windows patchfrom a windows patch

Automatic discovery of deviations in binary implementations : error detection and fingerprint generation

Protocol Replay: Try to reproduce a dialog between an initiator and a network hostProtocol Replay: Try to reproduce a dialog between an initiator and a network host Auto Generation of modules for honeypots so that they can correctly respond to Auto Generation of modules for honeypots so that they can correctly respond to

connection attempts by wormsconnection attempts by worms

Automatic patch based exploit generation: Using STP to reveal exploit information Automatic patch based exploit generation: Using STP to reveal exploit information from a windows patchfrom a windows patch

Quantifier-free Theory of Quantifier-free Theory of Bit-vectors and ArraysBit-vectors and Arrays


(x + mem[i] + 0b10 = 0) OR ((x + mem[i] + 0b10 = 0) OR (q[3:1]*0b01 < 0b00)q[3:1]*0b01 < 0b00)

Expressions in STP correspond to Expressions in STP correspond to C/Java… programming language expressionsC/Java… programming language expressions Microprocessor instruction setMicroprocessor instruction set Arrays represent program memory or array data structure in C/Java…Arrays represent program memory or array data structure in C/Java…

Except Except Our bit-vectors are of any fixed lengthOur bit-vectors are of any fixed length No floating pointNo floating point No loopsNo loops

SAT problem for this theory is NP-completeSAT problem for this theory is NP-complete


Expressions in STP correspond to Expressions in STP correspond to C/Java… programming language expressionsC/Java… programming language expressions Microprocessor instruction setMicroprocessor instruction set Arrays represent program memory or array data structure in C/Java…Arrays represent program memory or array data structure in C/Java…

Except Except Our bit-vectors are of any fixed lengthOur bit-vectors are of any fixed length No floating pointNo floating point No loopsNo loops

SAT problem for this theory is NP-completeSAT problem for this theory is NP-complete




Bit-vector TermsBit-vector Terms

Constants: 0b0011Constants: 0b0011 VariablesVariables +, -, *, (signed) div, (signed) mod+, -, *, (signed) div, (signed) mod Concatenation, ExtractionConcatenation, Extraction Left/Right Shift, Sign-extend, bitwise-BooleansLeft/Right Shift, Sign-extend, bitwise-Booleans


Bit-vector TermsBit-vector Terms

Constants: 0b0011Constants: 0b0011 VariablesVariables +, -, *, (signed) div, (signed) mod+, -, *, (signed) div, (signed) mod Concatenation, ExtractionConcatenation, Extraction Left/Right Shift, Sign-extend, bitwise-BooleansLeft/Right Shift, Sign-extend, bitwise-Booleans




Array TermsArray Terms Read (Array, index)Read (Array, index) Write (Array, index, val)Write (Array, index, val) Example : R(W(A, i, 0b00), i) = 0b00Example : R(W(A, i, 0b00), i) = 0b00

Conditional in programming/multiplexors in hardwareConditional in programming/multiplexors in hardware

ite (c, t1, t2) = if ( c ) then t1 else t2 endifite (c, t1, t2) = if ( c ) then t1 else t2 endif

Predicates: =, <=, <=sPredicates: =, <=, <=s


Array TermsArray Terms Read (Array, index)Read (Array, index) Write (Array, index, val)Write (Array, index, val) Example : R(W(A, i, 0b00), i) = 0b00Example : R(W(A, i, 0b00), i) = 0b00

Conditional in programming/multiplexors in hardwareConditional in programming/multiplexors in hardware

ite (c, t1, t2) = if ( c ) then t1 else t2 endifite (c, t1, t2) = if ( c ) then t1 else t2 endif

Predicates: =, <=, <=sPredicates: =, <=, <=s

Features of STPFeatures of STPFeatures of STPFeatures of STP

Can handle very large formulas efficientlyCan handle very large formulas efficiently

Large number of array reads (10Large number of array reads (1055)) Deeply nested array writes (10Deeply nested array writes (1044 deep) deep) Very large number of linear equations (10Very large number of linear equations (1066)) Very large number of variables (10Very large number of variables (1066))

EnabledEnabled several software and hardware applications several software and hardware applications

Won the SMTCOMP 2006 competition in bit-vector category

Can handle very large formulas efficientlyCan handle very large formulas efficiently

Large number of array reads (10Large number of array reads (1055)) Deeply nested array writes (10Deeply nested array writes (1044 deep) deep) Very large number of linear equations (10Very large number of linear equations (1066)) Very large number of variables (10Very large number of variables (1066))

EnabledEnabled several software and hardware applications several software and hardware applications

Won the SMTCOMP 2006 competition in bit-vector category

STP ArchitectureSTP Architecture STP ArchitectureSTP Architecture

ResultResult

Input FormulaInput Formula

Refinement LoopRefinement Loop

SubstitutionsSubstitutions

SimplificationsSimplifications

Linear SolvingLinear Solving

BitBlastBitBlast

CNF ConversionCNF Conversion

Boolean SATBoolean SAT

Array AbstractionArray Abstraction

Alternative ArchitecturesAlternative ArchitecturesAlternative ArchitecturesAlternative Architectures

SATSAT

SimplifierSimplifier

DPDP22DPDP11 DPDPnn…

New Derived ConstraintsNew Derived Constraints


ResultResult

Combination:Combination: NO79,Sho84, RS02NO79,Sho84, RS02

CVC3 (BB04) CVC CVC3 (BB04) CVC (SBD02) z3 (SBD02) z3 (DeMB07) (DeMB07) Yices(DeMB05)Yices(DeMB05)

Others:Others: STP(GD06,GD07)USTP(GD06,GD07)UCLID(BS05) CLID(BS05) BAT(M06) BAT(M06) Cogent(BK05)…Cogent(BK05)…

Alternative ArchitecturesAlternative ArchitecturesAlternative ArchitecturesAlternative Architectures

SAT

Simplifier

DP2DP1 DPn…

New Derived Constraints

Input Formula

Result

Input Formula

Refinement Loop

Substitutions

Simplifications

Linear Solving

BitBlast

CNF Conversion

Boolean SAT

Array Abstraction

STPSTPSTPSTP

1.1. DesignDesign and and ArchitectureArchitecture of STP of STP








Standard Handling of Array readsStandard Handling of Array readsStandard Handling of Array readsStandard Handling of Array reads

• Problem : O(nProblem : O(n22) axioms added, n is number of read indices) axioms added, n is number of read indices

• Lethal, if n is large: n = 10000, # of axioms: ~ 100 million Lethal, if n is large: n = 10000, # of axioms: ~ 100 million • Blowup seems hard to avoid (e.g. UCLID)Blowup seems hard to avoid (e.g. UCLID)

• This is “aliasing” from another perspectiveThis is “aliasing” from another perspective• Key ObservationKey Observation: Most indices don’t alias: Most indices don’t alias

Read(A,iRead(A,i00) = t) = t00

Read(A,iRead(A,i11) = t) = t11

..

..

..Read(A,iRead(A,inn) = t) = tnn

vv00 = t = t00

vv1 1 = t= t11

..

..vvnn = t = tnn

(i(i11=i=i00) => v) => v11=v=v00

(i(i22=i=i00) => v) => v22=v=v00

(i(i22=i=i11) => v) => v22=v=v11

……

Replace array readsReplace array readswith fresh variableswith fresh variables

and axiomsand axioms

Abstraction-Refinement Abstraction-Refinement for Array Readsfor Array Reads


Array TransformArray TransformInputInput

UNSATUNSAT

SATSAT

Assignment is Assignment is CorrectCorrect

IncorrectIncorrect

SATSAT UNSATUNSAT

RefinementRefinementLoopLoop

To SAT SolverTo SAT Solver without Axiomswithout Axioms

Check InputCheck Input on Assignmenton Assignment

Add False AxiomsAdd False Axioms to SAT Solverto SAT Solver



Read(A,i)=0Read(A,i)=0Read(A,k)=1Read(A,k)=1

i=ki=k

InputInput

vvii=0=0vvkk=1=1i=ki=k

AbstractionAbstractionSAT SolverSAT Solver

i=0,k=0i=0,k=0vvii=0=0vvkk=1=1

FalseFalse Check InputCheck Inputon Assignment : on Assignment :

Read(A,0)=0Read(A,0)=0Read(A,0)=1Read(A,0)=1

SATSATAssignmentAssignment

Refinement Step:Refinement Step:

Add AxiomAdd Axiom(i=k) => vi = vk(i=k) => vi = vk

SAT SolverSAT Solver

UNSATUNSAT

Experience with Experience with Read Abstraction-RefinementRead Abstraction-Refinement

Experience with Experience with Read Abstraction-RefinementRead Abstraction-Refinement

Heuristic is RobustHeuristic is Robust In Real SAT In Real SAT

assignment very few assignment very few indices aliasedindices aliased

Few axioms need to Few axioms need to be added during be added during refinementrefinement

~10X speed-up~10X speed-up Important for Important for

software analysissoftware analysis

Heuristic is RobustHeuristic is Robust In Real SAT In Real SAT

assignment very few assignment very few indices aliasedindices aliased

Few axioms need to Few axioms need to be added during be added during refinementrefinement

~10X speed-up~10X speed-up Important for Important for

software analysissoftware analysis

# of# ofTests:8495Tests:8495

OnlyOnlyReadReadRefinementRefinement(sec)(sec)

NoNoReadReadRefinementRefinement(sec)(sec)

Time for all Time for all teststests

624624 33783378

# of timeouts# of timeouts(60 sec)(60 sec)

11 3636

3.2 GHz Pentium, 512Kb Cache, 32 bit machine3.2 GHz Pentium, 512Kb Cache, 32 bit machine

Examples courtesy Dawson EnglerExamples courtesy Dawson Engler

Standard Handling of Array WritesStandard Handling of Array WritesStandard Handling of Array WritesStandard Handling of Array Writes

R(W(W(A,iR(W(W(A,i00,v,v00),i),i11,v,v11),j) ),j) ==

R(W(W(A,iR(W(W(A,i00,v,v00),i),i11,v,v11),k)),k)

If(iIf(i11=j) v=j) v11 elsif (i elsif (i00=j) v=j) v00 else R(A,j) else R(A,j)= =

If(iIf(i11=k) v=k) v11 elsif (i elsif (i00=k) v=k) v00 else R(A,k) else R(A,k)

Sharing of sub-expression in DAGSharing of sub-expression in DAG

Array Writes are deeply nested, shared over many readsArray Writes are deeply nested, shared over many reads

Problem: Standard translation breaks sharing & blowupProblem: Standard translation breaks sharing & blowup

O(n*m) blowup, n = # of levels of writes, m = # of readsO(n*m) blowup, n = # of levels of writes, m = # of reads

n = 10,000, m = 1000 : blow-up ~ 10 million new nodesn = 10,000, m = 1000 : blow-up ~ 10 million new nodes

Key ObservationKey Observation: Not all read indices read from write term: Not all read indices read from write term

The Problem with Array WritesThe Problem with Array WritesThe Problem with Array WritesThe Problem with Array Writes

v0

=

R

j

R

k

W

i0A

W

v1i1

ite=

i0 jv0

=

ite=

i1 k

ite=

i1 jv1 v1

ite=

i0 kv0

RA j

RA k



If(iIf(i11=j) v=j) v11 elsif (i elsif (i00=j) v=j) v00 else R(A,j) else R(A,j)= =

If(iIf(i11=k) v=k) v11 elsif (i elsif (i00=k) v=k) v00 else R(A,k) else R(A,k)

Handling of Array Writes in STPHandling of Array Writes in STPHandling of Array Writes in STPHandling of Array Writes in STP



tt11 = t = t22

Axioms:Axioms:tt11 = ite(i = ite(i11=j,v=j,v11,ite(i,ite(i00=j,v=j,v00,R(A,j)),R(A,j))

tt22 = ite(i = ite(i11=k,v=k,v11,ite(i,ite(i00=k,v=k,v00,R(A,k)),R(A,k))

Avoids O(nAvoids O(n22) DAG blow-up) DAG blow-up

Axioms are added only on a need basisAxioms are added only on a need basis

Unfortunately, worst-case all axioms addedUnfortunately, worst-case all axioms added

Abstraction-Refinement Abstraction-Refinement for Array Writesfor Array Writes


Array TransformArray TransformInputInput

UNSATUNSAT

SATSAT

Assignment is Assignment is CorrectCorrect

IncorrectIncorrect

SATSAT UNSATUNSAT

RefinementRefinementLoopLoop

To SAT SolverTo SAT Solver without Axiomswithout Axioms

Check InputCheck Input on Assignmenton Assignment

Add False AxiomsAdd False Axioms to SAT Solverto SAT Solver



R(W(A,i,v),j)=0R(W(A,i,v),j)=0R(W(A,i,v),k)=1R(W(A,i,v),k)=1i=ji=j≠≠k,vk,v≠≠00

AbstractionAbstraction tt11=0=0tt22=1=1

i=ji=j≠≠k,vk,v≠≠00

SAT SolverSAT Solver

tt11=0,t=0,t22=1,v=1,v=1=1i=j=0,k=1i=j=0,k=1

Check InputCheck Inputon Assignmenton Assignment

R(W(A,0,v),0)=0R(W(A,0,v),0)=0v=1v=1

i=j=0,k=1i=j=0,k=1

FalseFalseRefinement StepRefinement Step

Add Axiom to SATAdd Axiom to SATtt11=ite(i=j,v,R(A,j))=ite(i=j,v,R(A,j))

UNSATUNSAT

Experimental ResultsExperimental ResultsArray WritesArray Writes

Experimental ResultsExperimental ResultsArray WritesArray Writes

Testcase (# of unique nodes)Testcase (# of unique nodes) ResultResult WriteWriteAbstractionAbstraction

(sec)(sec)

NO WriteNO WriteAbstractionAbstraction

(sec)(sec)610dd9dc (15k)610dd9dc (15k) SatSat 3737 101101

Grep0084 (69K)Grep0084 (69K) SatSat 1818 506506

Grep0106 (69K)Grep0106 (69K) SatSat 227227 TOTO

Grep0117 (70K)Grep0117 (70K) SatSat 258258 TOTO

Testcase20 (1.2M)Testcase20 (1.2M) SatSat 5656 MOMO

3.2 GHz Pentium, 512 Kb cache, 32 bit machine, MO @ 3.2 GB, TO @ 30 minutes3.2 GHz Pentium, 512 Kb cache, 32 bit machine, MO @ 3.2 GB, TO @ 30 minutes

Examples courtesy Dawn Song (CMU) and David Molnar (Berkeley)Examples courtesy Dawn Song (CMU) and David Molnar (Berkeley)

STPSTPSTPSTP









Algorithm for SolvingAlgorithm for SolvingLinear Bit-vector EquationsLinear Bit-vector Equations

Algorithm for SolvingAlgorithm for SolvingLinear Bit-vector EquationsLinear Bit-vector Equations

Previous WorkPrevious Work Mostly Variants of Gaussian EliminationMostly Variants of Gaussian Elimination

Unsuitable for Online Decision ProceduresUnsuitable for Online Decision Procedures

Basic Idea in STPBasic Idea in STP Solve for a variable and substitute it awaySolve for a variable and substitute it away

Online AlgorithmOnline Algorithm Enables other algebraic simplificationsEnables other algebraic simplifications

If cannot isolate a whole variable, If cannot isolate a whole variable, Then isolate part of bit-vector variable, Then isolate part of bit-vector variable, Solve, and substitute it awaySolve, and substitute it away

Previous WorkPrevious Work Mostly Variants of Gaussian EliminationMostly Variants of Gaussian Elimination

Unsuitable for Online Decision ProceduresUnsuitable for Online Decision Procedures

Basic Idea in STPBasic Idea in STP Solve for a variable and substitute it awaySolve for a variable and substitute it away

Online AlgorithmOnline Algorithm Enables other algebraic simplificationsEnables other algebraic simplifications

If cannot isolate a whole variable, If cannot isolate a whole variable, Then isolate part of bit-vector variable, Then isolate part of bit-vector variable, Solve, and substitute it awaySolve, and substitute it away

Purpose of Linear SolverPurpose of Linear SolverPurpose of Linear SolverPurpose of Linear Solver

Helps eliminate lots of redundant variablesHelps eliminate lots of redundant variables

Makes problem much easier for SATMakes problem much easier for SAT

Essential for many real-word large examplesEssential for many real-word large examples

Helps eliminate lots of redundant variablesHelps eliminate lots of redundant variables

Makes problem much easier for SATMakes problem much easier for SAT

Essential for many real-word large examplesEssential for many real-word large examples

Importance of Importance of Online Linear SolverOnline Linear Solver

Importance of Importance of Online Linear SolverOnline Linear Solver

Online Solving enables algebraic Simplifications

ResultResult


Refinement LoopRefinement Loop

SubstitutionsSubstitutions

SimplificationsSimplifications

Linear SolvingLinear Solving

BitBlastBitBlast

CNF ConversionCNF Conversion

Boolean SATBoolean SAT

Array AbstractionArray Abstraction

Algorithm for Solving Algorithm for Solving Linear Bit-vector EquationsLinear Bit-vector Equations


(mod 8)(mod 8)

3x + 4y + 2z = 03x + 4y + 2z = 02x + 2y + 2 = 02x + 2y + 2 = 04y + 2x + 2z = 04y + 2x + 2z = 0

Isolate 3x inIsolate 3x infirst equation:first equation:

MultiplicativeMultiplicativeInverse exists,Inverse exists,

Solve for xSolve for x

x = 4y + 2zx = 4y + 2z(mod 8)(mod 8)

2y + 4z + 2 = 02y + 4z + 2 = 04y + 6z = 04y + 6z = 0

Substitute xSubstitute x

(mod 8)(mod 8)

2y + 4z + 2 = 02y + 4z + 2 = 04y + 6z = 04y + 6z = 0

All Coeffs EvenAll Coeffs Even

No InverseNo Inverse

Divide by 2Divide by 2

(mod 4)(mod 4)

y[1:0] + 2z[1:0] + 1 = 0y[1:0] + 2z[1:0] + 1 = 0

2y[1:0] + 3z[1:0] = 02y[1:0] + 3z[1:0] = 0

Key Idea: Solve Key Idea: Solve for bits of for bits of variablesvariables





(mod 4)(mod 4)

y[1:0] + 2z[1:0] + 1 = 0y[1:0] + 2z[1:0] + 1 = 0

2y[1:0] + 3z[1:0] = 02y[1:0] + 3z[1:0] = 0

Solve for y[1:0]Solve for y[1:0]

(mod 4)(mod 4)

y[1:0]=2z[1:0] + 3y[1:0]=2z[1:0] + 3

Substitute y[1:0]Substitute y[1:0](mod 4)(mod 4)

3z[1:0] + 2 = 03z[1:0] + 2 = 0



(mod 4)(mod 4)

3z[1:0] + 2 = 03z[1:0] + 2 = 0 Solve for z[1:0]Solve for z[1:0]

(mod 4)(mod 4)

z[1:0]=2z[1:0]=2

Solution (mod8, 3 bits)Solution (mod8, 3 bits)

x = 4(y’@3) + 2(z’@2)x = 4(y’@3) + 2(z’@2)

y = y’ @ 3y = y’ @ 3

y[1:0] = 3y[1:0] = 3

z = z’ @ 2z = z’ @ 2

z[1:0] = 2z[1:0] = 2

Experimental Results: Experimental Results: Solver for Linear EquationsSolver for Linear Equations

Experimental Results: Experimental Results: Solver for Linear EquationsSolver for Linear Equations

Testcase Testcase (# of Unique Nodes)(# of Unique Nodes)

ResultResult Solver OnSolver On(sec)(sec)

Solver OffSolver Off(sec)(sec)

Test15 (0.9M)Test15 (0.9M) SatSat 6666 MOMO

Test16 (0.9M)Test16 (0.9M) SatSat 6767 MOMO

Thumb1 (2.7M)Thumb1 (2.7M) SatSat 840840 MOMO




Examples courtesy David Molnar (Berkeley)Examples courtesy David Molnar (Berkeley)

STPSTPSTPSTP









STP v. Existing ToolsSTP v. Existing Tools(Hardest Examples: SMT Comp, 2007)(Hardest Examples: SMT Comp, 2007)

STP v. Existing ToolsSTP v. Existing Tools(Hardest Examples: SMT Comp, 2007)(Hardest Examples: SMT Comp, 2007)

Testcase (# of Unique Nodes)Testcase (# of Unique Nodes) ResultResult STP STP (sec)(sec)

Z3Z3(sec)(sec)

YicesYices(sec)(sec)

610dd9c (15k)610dd9c (15k) SatSat 3737 TOTO MOMO

Grep65 (60k)Grep65 (60k) UnSatUnSat 44 0.30.3 TOTO

Grep84 (69k)Grep84 (69k) SatSat 1818 176176 TOTO

Grep106 (69k)Grep106 (69k) SatSat 227227 130130 TOTO

Blaster4 (262k)Blaster4 (262k) UnsatUnsat 1010 MOMO MOMO

Testcase20 (1.2M)Testcase20 (1.2M) SatSat 5656 MOMO MOMO

Testcase21 (1.2M)Testcase21 (1.2M) SatSat 4343 MOMO MOMO


Examples courtesy Dawn Song (CMU) and David Molnar (Berkeley)Examples courtesy Dawn Song (CMU) and David Molnar (Berkeley)

Lessons LearntLessons Learnt

Abstraction Refinement will remain important for DPs for many applications

Reduction to Boolean SAT

Identify polynomial pieces and nail them

Successful DPs highly application driven

Abstraction Refinement will remain important for DPs for many applications

Reduction to Boolean SAT

Identify polynomial pieces and nail them

Successful DPs highly application driven

Future WorkFuture WorkFuture WorkFuture Work

Make STP more efficient forMake STP more efficient for DisjunctionsDisjunctions Non-linear Arithmetic (*, /, %)Non-linear Arithmetic (*, /, %)

QuantifiersQuantifiers

Boolean SAT tuning for structured inputBoolean SAT tuning for structured input

More theories More theories Uninterpreted Functions, Datatypes, Reals, Integers, …Uninterpreted Functions, Datatypes, Reals, Integers, …

Make STP more efficient forMake STP more efficient for DisjunctionsDisjunctions Non-linear Arithmetic (*, /, %)Non-linear Arithmetic (*, /, %)

QuantifiersQuantifiers

Boolean SAT tuning for structured inputBoolean SAT tuning for structured input

More theories More theories Uninterpreted Functions, Datatypes, Reals, Integers, …Uninterpreted Functions, Datatypes, Reals, Integers, …

Other Projects at StanfordOther Projects at StanfordOther Projects at StanfordOther Projects at Stanford

Software CVC

Decision Procedure for Mixed Real and Integer Linear Arithmetic

CVC Lite Decision Procedure for Bit-vectors

Collaborated on EXE STP, Capturing C semantics in STP

Theory Lifted Ghilardi’s Combination Result to Many-Sorted

Logic

Software CVC

Decision Procedure for Mixed Real and Integer Linear Arithmetic

CVC Lite Decision Procedure for Bit-vectors

Collaborated on EXE STP, Capturing C semantics in STP

Theory Lifted Ghilardi’s Combination Result to Many-Sorted

Logic

AcknowledgementsAcknowledgementsAcknowledgementsAcknowledgements

Prof. David L. Dill, Stanford CS Department

(Ph.D. Advisor)

STP users and Stanford community

Prof. Martin Rinard (Host)

Lincoln Labs and Tim Leek (Support)

Prof. David L. Dill, Stanford CS Department

(Ph.D. Advisor)

STP users and Stanford community

Prof. Martin Rinard (Host)

Lincoln Labs and Tim Leek (Support)

QUESTIONSQUESTIONSQUESTIONSQUESTIONS

http://people.csail.mit.edu/vganesh/stp.htmlhttp://people.csail.mit.edu/vganesh/stp.htmlhttp://people.csail.mit.edu/vganesh/stp.htmlhttp://people.csail.mit.edu/vganesh/stp.html

a decision procedure for program analysis and bug finding

Documents