An important class of theorem provers is the SMT provers. An SMT prover combines satisfiability (over boolean formulas) with other theories (such as theories of linear arithmetic, arrays, lists, etc.). These have many applications in areas such as hardware design and software verification.

- Get an overview of how SMT provers work, using the notes of Johannes Kanig.
- Get an introduction to using a real SMT solver, Yices.
- Apply Yices to a real problem, test generation, in a toy domain (a while language), that illustrates how SMT provers are used to analyze software.

http://yices.csl.sri.com/language.shtml

- Introduce variables and function symbols
- Assert formulae
- Check for satisfiability
- Extract assignments and counterexamples.

In my experience there were two invaluable resources for learning to do this.

- The Yices 2 manual.
- The Yices library of small examples.
- The Yices "input language" help pages.

I suggest you study these, and the example we will look at in the lecture.

- Download and install Yices on your machine.
  - Go to the download page and follow the instructions for your type of machine.
  - On Windows, I simply downloaded the standalone distribution (no cygwin required, with the statically linked GMP). I unzipped it and used a command line argument to start execution of the yices.exe in the bin directory. You may want to add yices to your path.
  - If you have problems, or wish to add notes about installing on other kinds of machines, let me know, and I will add directions here.

- Learn the basic modes of using Yices.
  - Interactive use

    ```
    $ /cygdrive/d/FreyaDownloads/yices/yices-2.2.2/bin/yices
    yices> (include "queens.ys")
    yices> (check)
    sat
    yices> (show-model)
    (= Bx 3)
    (= Cy 1)
    (= Dy 3)
    (= Cx 2)
    (= Dx 1)
    (= By 4)
    (= Ax 4)
    (= Ay 2)
    yices>
    ```

  - Batch use. Include **(check)** and **(show-model)** commands in the file and then redirect output to a file.

    ```
    $ rm sol.sol
    $ /cygdrive/d/FreyaDownloads/yices/yices-2.2.2/bin/yices queens.ys >> sol.sol
    $ more sol.sol
    sat
    (= Bx 3)
    (= Cy 1)
    (= Dy 3)
    (= Cx 2)
    (= Dx 1)
    (= By 4)
    (= Ax 4)
    (= Ay 2)
    ```

- Cabal package for embedding Yices SMT-Lib calls in Haskell.

- Resources I found helpful

- Given a program with a set of input parameters.
- Generate inputs that maximize code coverage.
- Example

  ```
  Input x, y;
  { z = x + y;
    If z > x - y
      Then Return z
      Else Error "bad"
  }
  ```

- What inputs must I choose to guarantee that I test a path that executes the Return z, or the Error?
  - For Return z, solve: z = x + y /\ z > x - y
    - solution: x = 1, y = 1
  - For Error "bad", solve: z = x + y /\ ¬(z > x - y)
    - solution: x = 1, y = -1
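
The step from program to path conditions, generalised to any assign/if program of this shape, as an added example that is not part of the original notes. The tuple encoding of the toy program and all function names are assumptions made here; the emitted text uses the Yices 2 commands `define`, `assert`, `check` and `show-model`.

```python
# Added example (not from the notes): path conditions -> Yices 2 input.
# Assumption: each variable is assigned at most once, so "z = e" becomes (= z e).
PROGRAM = [  # constructed encoding of the toy program above
    ("assign", "z", ("+", "x", "y")),
    ("if", (">", "z", ("-", "x", "y")),
     [("return", "z")], [("error", "bad")]),
]
OPS = {"+": lambda a, b: a + b, "-": lambda a, b: a - b,
       ">": lambda a, b: a > b, "=": lambda a, b: a == b,
       "not": lambda a: not a}

def paths(stmts, cond=()):
    """Yield (outcome, path condition) for every path through stmts."""
    if not stmts:
        yield "fallthrough", cond
        return
    head, rest = stmts[0], stmts[1:]
    if head[0] == "assign":
        yield from paths(rest, cond + (("=", head[1], head[2]),))
    elif head[0] == "if":
        yield from paths(head[2] + rest, cond + (head[1],))
        yield from paths(head[3] + rest, cond + (("not", head[1]),))
    else:  # "return" or "error" ends the path
        yield head[0], cond

def sexp(e):
    """Render an expression tuple in Yices prefix syntax."""
    return e if isinstance(e, str) else "(" + " ".join(map(sexp, e)) + ")"

def names(e):
    """Collect the variable names used in an expression."""
    return {e} if isinstance(e, str) else set().union(*map(names, e[1:]))

def yices_script(cond):
    """Build a Yices 2 script whose model is a test input for this path."""
    decls = [f"(define {v}::int)" for v in sorted(names(("and",) + cond))]
    body = "(assert (and " + " ".join(map(sexp, cond)) + "))"
    return "\n".join(decls + [body, "(check)", "(show-model)"])

def holds(cond, model):
    """Evaluate a path condition under a model such as one Yices prints."""
    def ev(e):
        return model[e] if isinstance(e, str) else OPS[e[0]](*map(ev, e[1:]))
    return all(ev(c) for c in cond)

if __name__ == "__main__":
    for outcome, cond in paths(PROGRAM):
        print(f";; path ending in {outcome}\n{yices_script(cond)}\n")
```

Each printed script can be saved to a `.ys` file and run in batch mode as shown earlier; `holds` checks a model against the path it was meant to exercise.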