Satisfiability Modulo Theories - SMT Provers

An important class of theorem provers are SMT provers. An SMT prover combines satisfiability (over Boolean formulas) with other theories (such as linear arithmetic, arrays, lists, etc.). SMT provers have many applications in areas such as hardware design and software verification.

### Overview

In this lecture we will do three things:
1. Get an overview of how SMT provers work, using the notes of Johannes Kanig.
2. Get an introduction to using a real SMT solver, Yices.
3. Apply Yices to a real problem, test generation, in a toy domain (a while language), which illustrates how SMT provers are used to analyze software.

The Yices input language is documented at http://yices.csl.sri.com/language.shtml

### Basic Skills

In order to use an SMT-prover, you will need to understand how to do the following basic tasks:

• Introduce variables and function symbols
• Assert formulae
• Check for satisfiability
• Extract assignments and counterexamples

In my experience there were two invaluable resources for learning to do this.

I suggest you study these, and the example we will look at in the lecture.
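The following script exercises all four tasks in the Yices 2 input language. It is an added example written for these notes, not the course's own queens.ys file: the file name queens4.ys, and the convention that Ax, Ay are the column and row of queen A (likewise B, C, D), are assumptions chosen to match the model printed by the session in the next section.

```yices
;; queens4.ys -- added example, not the course's queens.ys.
;; Four queens A, B, C, D on a 4x4 board. (Ax, Ay) is the column and row
;; of queen A, both numbered 1..4; likewise for B, C, D (assumed naming).

;; 1. Introduce variables: uninterpreted integer constants.
(define Ax::int) (define Ay::int)
(define Bx::int) (define By::int)
(define Cx::int) (define Cy::int)
(define Dx::int) (define Dy::int)

;; 2. Assert formulae.
;; Every coordinate lies on the board.
(assert (and (>= Ax 1) (<= Ax 4) (>= Ay 1) (<= Ay 4)))
(assert (and (>= Bx 1) (<= Bx 4) (>= By 1) (<= By 4)))
(assert (and (>= Cx 1) (<= Cx 4) (>= Cy 1) (<= Cy 4)))
(assert (and (>= Dx 1) (<= Dx 4) (>= Dy 1) (<= Dy 4)))
;; No two queens share a column or a row.
(assert (distinct Ax Bx Cx Dx))
(assert (distinct Ay By Cy Dy))
;; No two queens share a diagonal: x - y is constant along one diagonal
;; direction and x + y along the other, so all four values must differ.
(assert (distinct (- Ax Ay) (- Bx By) (- Cx Cy) (- Dx Dy)))
(assert (distinct (+ Ax Ay) (+ Bx By) (+ Cx Cy) (+ Dx Dy)))

;; 3. Check for satisfiability: prints sat or unsat.
(check)

;; 4. Extract an assignment: prints one placement satisfying every assertion.
(show-model)
```

Run it as `yices queens4.ys` or load it interactively with `(include "queens4.ys")`. A useful check that the constraints actually bite: append `(assert (= Ax Bx))` and run again, which must give `unsat`; conversely, appending the negation of the model you got, e.g. `(assert (not (and (= Ax 4) (= Ay 2) (= Bx 3) (= By 4))))`, and checking again shows whether the solution is unique (it is not, since the queen names can be permuted and the board mirrored).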

### Installing and using Yices.

We will be using Yices as our SMT-prover. Basic tasks and skills you will need to accomplish:

• Install Yices.
2. On Windows, I simply downloaded the standalone distribution (no Cygwin required, with the statically linked GMP). I unzipped it and used a command line argument to start execution of yices.exe in the bin directory. You may want to add yices to your path.
3. If you have problems, or wish to add notes about installing on other kinds of machines, let me know, and I will add directions here.
• Learn the basic modes of using Yices.
1. Interactive use. Start yices, load a script with (include ...), check it, and ask for a model:
```
$ /cygdrive/d/FreyaDownloads/yices/yices-2.2.2/bin/yices
yices> (include "queens.ys")
yices> (check)
sat
yices> (show-model)
(= Bx 3)
(= Cy 1)
(= Dy 3)
(= Cx 2)
(= Dx 1)
(= By 4)
(= Ax 4)
(= Ay 2)
yices>
```
2. Batch use. Include the (check) and (show-model) commands in the file itself, run yices on the file from the command line, and redirect its output to a file:
```
$ rm sol.sol
$ more sol.sol
sat
(= Bx 3)
(= Cy 1)
(= Dy 3)
(= Cx 2)
(= Dx 1)
(= By 4)
(= Ax 4)
(= Ay 2)
```
3. Cabal package for embedding Yices SMT-Lib calls in Haskell.
• Study the two resources mentioned under Basic Skills:
1. The Yices wiki page.
2. The Yices tutorial.

### Generating input parameters to increase test coverage.

The Problem (summarized from a talk by Leonardo de Moura and Nikolaj Bjørner):

• Given a program with a set of input parameters.
• Generate inputs that maximize code coverage.
• Example
```
Input x, y;
{z = x + y;
If z > x - y Then
Return z
Else