
SMT and its Application in Software Verification
Chao Wang, NEC Labs, Princeton, NJ
COS 598d, 3/5/2010

What is SMT?
- Satisfiability Modulo Theories (SMT): the decision problem for logic formulas expressed in classical first-order logic with equality, with respect to combinations of some background theories.
- It is a generalization of SAT, where some Boolean variables are replaced by predicates from a variety of underlying theories.

Boolean Satisfiability (SAT)
- [Figure: a circuit of or/and/not gates over the Boolean inputs p1, p2, ..., pn]
- Is there an assignment to the p1, p2, ..., pn variables such that the formula evaluates to 1?


Satisfiability Modulo Theories (SMT)
- [Figure: the same Boolean skeleton, but its inputs p1, ..., pn are now theory predicates: x + 2z < 1, x % 26 = v, w & 0xFFFF = x, x = y]
- Is there an assignment to the x, y, z, w variables s.t. the formula evaluates to 1?

SMT Solvers: A Brief History
- Early work in the late 1970s: Nelson and Oppen, Shostak, Boyer and Moore
- Modern SMT solvers started in the late 1990s: attempts to build scalable solvers, influenced by SAT solvers (GRASP and Chaff)
- Last few years: tremendous progress: efficient SMT solvers (SMT-LIB benchmarks, SMT-COMP solver competition) and wide-spread applications

Many of its Applications
- Verification systems: HOL, Isabelle, and PVS, etc.; ACL2, Caduceus, SAL, UCLID, etc.
- Extended static checkers and model checkers: Boogie, ESC/Java 2, etc.; BLAST, Eureka, MAGIC, SLAM, F-Soft, etc.
- Certifying compilers: Touchstone, TVOC, etc.
- Test case generation: DART, EXE, CUTE, PEX, etc.

Outline
- What's SMT
- Some Useful Theories
- Inside SMT Solvers
- How to Use It
- Application in Software Verification

First-Order Logic (quantifier-free)
- Logical symbols: propositional connectives (AND, OR, NEGATION, etc.); Boolean variables v1, v2, ...
- Non-logical symbols/parameters: equality (=); functions (+, -, %, bit-wise &, f(), concat, ...); predicates (≤, is-substring, ...); constant symbols (0, 1.0, null, ...)

Some Useful Theories
- QF-UF: theory of equality (with uninterpreted functions)
- QF-LIA, QF-LIR: theories of linear arithmetic (over Q or Z)
- QF-IDL, QF-RDL: theories of difference logic (over Q or Z)
- QF-BV: theories of fixed-size bit-vectors
- QF-A, QF-AX: theory of arrays (with and w/o extensionality)
- Misc.: non-linear arithmetic, ...

Example: QF-UF
- Formula: (x = y) & (y = z) & (f(x) ≠ f(z))
- Transitivity: (x = y) & (y = z) → (x = z)
- Congruence: (x = z) → (f(x) = f(z))
- Hence f(x) = f(z) is forced and the formula is unsatisfiable.

QF-UF in Processor Verification (datapath)
- Common operations: ITE(p, x, y), the if-then-else (multiplexer) that selects x or y depending on p; x = y, the test for equality

QF-UF in Equivalence Checking
```c
int fun1(int y) {
  int x, z;
  z = y;
  y = x;
  x = z;
  return x*x;
}

int fun2(int y) {
  return y*y;
}
```
- SMT formula: (z = y & y1 = x & x1 = z & ret1 = x1*x1) & (ret2 = y*y) & (ret1 ≠ ret2)
- Satisfiable → not equivalent
- Using SAT to check equivalence (w/ MiniSat): 32 bits for y: did not finish in over 5 hours; 16 bits for y: 37 sec.; 8 bits for y: 0.5 sec.
- Using an EUF solver: 0.01 sec.
- (By Sanjit Seshia, UC Berkeley)

Bit-Vector Arithmetic (QF-BV)
- Fixed width data words: can model int, short, long, etc.
- Arithmetic operations, e.g., add/subtract/multiply/divide & comparisons; two's complement and unsigned operations
- Bit-wise logical operations, e.g., and/or/xor, shift/extract and equality
- Boolean connectives
- Example (in the input syntax of the Yices solver):
```
(define b1::(bitvector 32))
(define b2::(bitvector 32))
(assert (and (= (bv-add b1 (mk-bv 32 1)) b2)
             (/= (bv-add (mk-bv 32 0) (bv-add (mk-bv 32 1) b1)) b2)))
(check)
```

Linear Arithmetic (QF-LRA, QF-LIA)
- Boolean combination of linear constraints (a1 x1 + a2 x2 + ... + an xn <= b), where the xi's could be in Q or Z
- Many applications, including verification of analog circuits and software verification, e.g., of array bounds

Difference Logic (QF-IDL, QF-RDL)
- Boolean combination of linear constraints xi – xj <= cij, where xi, xj, cij are in Q or Z
- Applications: software verification (most linear constraints are of this form), processor data-path verification, job shop scheduling

Theory of Arrays (QF-AX)
- Two interpreted functions, select and store: select(A,i) reads from array A at index i; store(A,i,d) writes d to array A at index i
- Two main axioms: select(store(A,i,d), i) = d; select(store(A,i,d), j) = select(A,j) for i ≠ j
- Extensionality axiom: (for all index i. select(A,i) = select(B,i)) → (A = B)
- (C. Barrett & S. A. Seshia)

Example: QF-AX in Equivalence Checking
```c
int fun1(int y) {
  int x[2];
  x[0] = y;
  y = x[1];
  x[1] = x[0];
  return x[1]*x[1];
}

int fun2(int y) {
  return y*y;
}
```
- SMT formula: x1 = store(x,0,y) & y1 = select(x1,1) & x2 = store(x1,1,select(x1,0)) & ret1 = sq(select(x2,1)) & ret2 = sq(y) & (ret1 ≠ ret2)
- Here the array axioms give select(x2,1) = select(x1,0) = y, so ret1 = ret2 and the formula is unsatisfiable: the two functions are equivalent.

SMT Solvers: "Eager" vs. "Lazy"
- Eager approach: translating the input formula into an "equi-satisfiable" Boolean formula using enough consequences of the underlying theory
- Lazy approach: writing a dedicated "theory solver" for a conjunction of literals in the underlying theory, embedded as a submodule into a Boolean SAT solver

Example: Solvers for difference logic
- Eager approach: small domain encoding, per constraint encoding [Pnueli et al. 2002], [Shtrichman et al. 2002], [Seshia et al. 2003]
- Lazy approach: Sateen, Z3, Yices (top 3 in the 2009 competition)

Integer Difference Logic (IDL)
- Logic to model systems at the "word-level"
- Subset of a quantifier-free first-order logic: Boolean connectives + predicates like (x – y ≤ c)
- Formal verification applications: pipelined processors, timed systems, embedded software; e.g., the back-end of the UCLID verifier

IDL Preliminaries
- A difference logic formula consists of difference predicates and a Boolean skeleton.
- Constraint graph for the assignment (A, ¬B, C, D), whose literals are A: (x – y ≤ 2), ¬B: (z – x ≤ -7), C: (y – z ≤ 3), D: (w – y ≤ 10); each literal xi – xj ≤ c contributes an edge xj → xi of weight c.

Theory Solver: minimal requirement
- Input: a conjunction (set) of literals
- Output: consistent or inconsistent
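The "minimal requirement" theory solver, instantiated for QF-UF as an added example (not code from the slides): a congruence-closure check that takes a conjunction of equality and disequality literals and answers consistent or inconsistent, run here on the (x = y) & (y = z) & (f(x) ≠ f(z)) formula from the QF-UF example. The term encoding and the function names are my own.

```python
"""Minimal EUF theory solver: congruence closure over a conjunction of literals.
Terms: a variable is a str, an application is a tuple (fname, arg1, ...).
A literal is (lhs, rhs, True) for lhs = rhs and (lhs, rhs, False) for lhs != rhs."""
from itertools import combinations

def subterms(t, acc):
    """Collect every subterm of t (variables and applications) into the set acc."""
    acc.add(t)
    if isinstance(t, tuple):
        for a in t[1:]:
            subterms(a, acc)

def euf_consistent(literals):
    """True iff the literals are jointly satisfiable in QF-UF: union-find over all
    subterms merges both sides of every equality (transitivity is implicit), then
    congruence merges f(a1..an) with f(b1..bn) whenever the arguments are pairwise
    equal, to a fixpoint; a disequality whose sides fell into one class is a conflict."""
    terms = set()
    for lhs, rhs, _ in literals:
        subterms(lhs, terms)
        subterms(rhs, terms)
    parent = {t: t for t in terms}
    def find(t):
        while parent[t] != t:
            parent[t] = parent[parent[t]]   # path halving
            t = parent[t]
        return t
    def union(a, b):
        ra, rb = find(a), find(b)
        if ra == rb:
            return False
        parent[ra] = rb
        return True
    for lhs, rhs, is_eq in literals:
        if is_eq:
            union(lhs, rhs)
    apps = [t for t in terms if isinstance(t, tuple)]
    changed = True
    while changed:                            # congruence closure to a fixpoint
        changed = False
        for s, t in combinations(apps, 2):
            if s[0] == t[0] and len(s) == len(t) and \
                    all(find(a) == find(b) for a, b in zip(s[1:], t[1:])):
                changed |= union(s, t)
    return all(find(l) != find(r) for l, r, is_eq in literals if not is_eq)

# Constructed input: the slide's formula (x = y) & (y = z) & (f(x) != f(z)).
SLIDE_EXAMPLE = [("x", "y", True), ("y", "z", True), (("f", "x"), ("f", "z"), False)]
```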

Theory Solver: can be more helpful
- Conflict analysis: why inconsistent? A negative weighted cycle in the constraint graph.
- Theory conflict → add a lemma or blocking clause → trigger a Boolean conflict
- In the example (A: x – y ≤ 2, ¬B: z – x ≤ -7, C: y – z ≤ 3, D: w – y ≤ 10), the edges of A, ¬B and C form a cycle of weight 2 – 7 + 3 = -2.
- Conflicting clause: (false + false + false), i.e. the blocking clause over the three cycle literals, each of which is false under the current assignment.

Theory Solver: can be even more helpful
- Deriving theory implications (look-ahead): if adding an edge would create a negative cycle, the negated edge is implied
- Theory implication → variable assignment → Boolean implication (BCP)

Theory Solver: other desired features
- Model generation
- Conflict set generation
- Deduction of unassigned literals
- Incremental: don't start from scratch for each call
- Backtrackable: can "undo" steps to a previous state
- Deduction of interface equalities (eij-deduction)

Negative Cycle Detection (standard)
- Bellman-Ford shortest-paths algorithm: detects negative cycles as a by-product, takes O(nm) time. Sounds good!
- However, inside SMT the theory solver will be invoked many times, each time on a very similar sub-problem.

Bellman-Ford Algorithm
```
relax (u,v) {
  if (d[v] > d[u] + w[u,v])
    d[v] = d[u] + w[u,v];
}

Bellman-Ford () {
  for each node v, initialize d[v] = 0;
  for (i = 1; i < n; i++)
    for each edge (u,v)
      relax (u,v);
  for each edge (u,v)
    if (d[v] > d[u] + w[u,v]) return NEGATIVE-CYCLE;
  return;
}
```
- [Figure: the constraint graph for A: (x – y ≤ 2), ¬B: (z – x ≤ -7), C: (y – z ≤ 3), D: (w – y ≤ 10); u, v are nodes in the graph, d[u] and d[v] their node scores, all initialized to 0]

Incremental Algorithm
```
// after adding the edge (u,v)
if ( d[v] > d[u] + w[u,v] ) {
  relax (u,v);
  enqueue (v);
}
while ( (x = dequeue()) != null ) {
  for each edge (x,y) {
    if ( d[y] > d[x] + w[x,y] ) {
      relax (x,y);
      if (u == x && v == y) return NEGATIVE-CYCLE;
      else enqueue (y);
    }
  }
}
return;
```
- Keep relaxing till it stabilizes. But before that, if node v is relaxed again (i.e. the new edge (u,v) is relaxed a second time), there is a cycle!
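The incremental algorithm above as working code, added here as an example (it is not the slides' code): node scores are kept between calls, each new literal only re-relaxes from the edge it adds, and when that edge is relaxed a second time the predecessor chain is walked to return the literals on the negative cycle, i.e. the conflict set the "more helpful" theory solver hands back as a blocking clause. Class and method names are my own; the backtrackable part (undoing a literal) is not implemented.

```python
"""Incremental IDL theory solver.  A literal x - y <= c is the edge y -> x of weight c;
node scores d[] stay feasible (d[x] <= d[y] + c on every edge) between calls, so a
new literal only re-relaxes locally instead of rerunning Bellman-Ford from scratch.
If the new edge is relaxed a second time there is a negative cycle: the conjunction
is inconsistent and the literals on that cycle are the conflict set."""
from collections import deque

class IDLSolver:
    def __init__(self):
        self.d = {}       # node score; every node starts at 0, as on the slide
        self.edges = {}   # (src, dst) -> (weight, literal name)
        self.out = {}     # src -> list of dst nodes
    def add(self, name, x, y, c):
        """Assert literal `name`: x - y <= c.  Returns None while consistent, else
        the list of literal names on the negative cycle (the theory conflict)."""
        for n in (x, y):
            self.d.setdefault(n, 0)
            self.out.setdefault(n, [])
        u, v, w = y, x, c
        self.edges[(u, v)] = (w, name)
        self.out[u].append(v)
        d, pred = self.d, {}
        if d[v] <= d[u] + w:
            return None                   # new edge already satisfied
        d[v], pred[v] = d[u] + w, u       # relax (u,v), then propagate from v
        queue = deque([v])
        while queue:
            s = queue.popleft()
            for t in self.out[s]:
                w_st = self.edges[(s, t)][0]
                if d[t] > d[s] + w_st:
                    if (s, t) == (u, v):  # the new edge relaxes again: cycle!
                        return self._explain(u, v, pred)
                    d[t], pred[t] = d[s] + w_st, s
                    queue.append(t)
        return None

    def _explain(self, u, v, pred):
        """Follow predecessors from u back to v; with (u,v) they close the cycle."""
        names, node = [self.edges[(u, v)][1]], u
        while node != v:
            names.append(self.edges[(pred[node], node)][1])
            node = pred[node]
        return names

# Constructed input: the slide's assignment (A, not-B, C, D); A, C and not-B form
# the negative cycle y -> x -> z -> y of weight 2 - 7 + 3 = -2, D is not involved.
def slide_conflict():
    s = IDLSolver()
    for lit in (("A", "x", "y", 2), ("C", "y", "z", 3), ("D", "w", "y", 10)): s.add(*lit)
    return s.add("notB", "z", "x", -7)
```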

Conclusions
- New method: symbolic predictive analysis
  - Coverage: subsumes known causal models (MCM)
  - Efficiency: SAT-based search vs. explicit enumeration
- Highlights: CTP (Concurrent Trace Program), CSSA (Concurrent Static Single Assignment), SAT-based context bounding
- Future work: predicting atomicity violations

References
SMT:
- Clark Barrett, Roberto Sebastiani, Sanjit A. Seshia, and Cesare Tinelli. "Satisfiability Modulo Theories" (book chapter). In the Handbook of Satisfiability, IOS Press, 2009. (available from the authors' web pages)
Concurrent Software Verification:
- Chao Wang, Sudipta Kundu, Malay Ganai, and Aarti Gupta. "Symbolic Predictive Analysis for Concurrent Programs", FM 2009.
- Chao Wang, Rhishikesh Limaye, Malay Ganai, and Aarti Gupta. "Trace based Symbolic Analysis for Atomicity Violations", TACAS 2010. (available from the authors' web pages)
