SMT Provers

Satisfiability Modulo Theorys - SMT Provers

An important type class of theorem provers are called SMT provers. A SMT prover combines satifiability (over boolean formulas) with other theories (such as theories of linear arithmetic, arrays, lists, etc.). These have many applications in areas such has hardware design and software verification.

Overview

In this lecture we will do three things

Get an overview of how SMT provers work. Using the notes of Johannes Kanig.
Get an introduction to using a real SMT solver Yices.
Apply Yices to a real problem, test generation, in a toy domain (a while language), that illustrates how SMT provers are used to analyze software.

http://yices.csl.sri.com/language.shtml

Basic Skills

In order to use a SMT-prover, you will need to understand how to do the following basic tasks:

Inrtroduce variables and function symbols
Assert formulae
Check for satisfiability
Extract assingments and counter examples.

In my experience there were two invaluable resources for learning to do this.

The Yices library of small examples.
The Yices "input language" help pages.

I suggest you study these, and the example we will look at in the lecture.

Installing and using Yices.

We will be using Yices as our SMT-prover. Basic tasks and skills you will need to accompish.

Download and install Yices on your machine.
1. Go to the download page and follow the instructions for your type of machine.
2. On windows, I simply downloaded the standalone distribution (no cygwin required, with the statically linked GMP). I unzipped it and used a command line argument to start execution of the yices.exe in the bin directory. You may want to add yices to your path.
3. If you have problems, or wish to add notes about installing on other kinds of machines, let me know, and I will add directions here.
Learn the basic modes of using Yices.
1. Command line invocation ( yices -tc -e file.ys )
2. Interactive mode ( yices -tc -i -e )
3. Including files from inside interactive mode ( (include "file.ys") )
4. Cabal package for embedding Yices SMT-Lib calls in Haskell.
Resources I found helpful
1. The Yices wiki page.
2. The Yices tutorial.

Generating input parameters to increase test coverage.

The Problem: (summarized from a talk by Leonardo de Moura and Nikolaj Bjørner.

Given program with a set of input parameters.
Generate inputs that maximize code coverage.

Example

Input x, y;
{z = x + y;
 If z > x - y Then
    Return z
 Else
    Error "bad"
}

What inputs must I choose to guarantee that I test a path that executes the Return z? or the Error
For Return z Solve: z = x + y /\ z > x - y
solution: x = 1, y = 1
For Error "bad" Solve: z = x + y /\ ¬(z > x - y)
solution: x = 1, y = -1

SMT-Lib

SMT-COMP is an annual competition that challenges the developers of SMT solvers to improve their solvers. In order to allow multiple solvers to solve a common set of problems, a standard language, SMT-LIB, has been developed that competing solvers must support. The input and output to SMT solvers usually conforms to this standard. A reference for users who wish to learn how to format SMT input in the SMT-LIB format is the SMT-LIB tutorial. More information about resources available for SMT-LIB can be found here.

I couldn't get the SMT-LIB interface to Yices working. I suggest you stick to the Yices-specific input language, which is described here.

Back to the class web-page.
Back to the Course Schedule.