dissertation committee: eﬃcient sampling of sat and smtrtd/talks/phd_talk.pdf · eﬃcient...

Efficient Sampling of SAT and SMT Solutions for Testing and VerificationRafael Tupynambá DutraEECS DepartmentUC Berkeley

Dissertation committee:Koushik Sen, Jonathan Bachrach, Sanjit Seshia, Theodore SlamanMay 10, 2019 https://events.berkeley.edu/index.php/calendar/sn/eecs.html?event_ID=125634(Last modified September 2019)

https://events.berkeley.edu/index.php/calendar/sn/eecs.html?event_ID=125634

A constraint solver can generate one solution:

Problem definition

Input: SAT (Boolean Satisfiability) or SMT (Satisfiability Modulo Theories)

2

mem[0] mem[1]

σ0

∧(x + y = 4 ∧ x ≥ 0 ∧ x < 4)∧ (mem’[1] < 0 ∨ mem’[1] ≥ 4),wherex = mem[0],y = mem[1],mem’ = store(mem, mem[0], -1 * mem[mem[0]])

1 0 0 0 1 0 0 0

mem ∈ Array(BV[4], BV[4])

Goal: Quickly generate lots of solutions that satisfy the constraint

Problem definition

3

mem[0] mem[1]

σ0

σ1

σ2

σ3

σ4

σ5

1 0 0 0 1 0 0 0

0 0 0 0 1 0 1 0

1 1 0 0 1 0 0 1

1 0 0 0 0 1 0 0

0 1 0 0 1 0 1 1

0 0 0 0 0 1 1 0



Input: SAT (Boolean Satisfiability) or SMT (Satisfiability Modulo Theories)

● Symbolic execution

Motivation

● Thoroughly exercising some target functionality● Constrained-Random Verification

4

int4 x, y, z, w;int4 mem[4] = {x, y, z, w};for (int4 i = 0; i < 4; ++i) {

mem[mem[i]] *= -1;}

i < 4

mem[0] < 0∨ mem[0] ≥ 4

Applications

● Testing○ Uniform Sampling of SAT Solutions for Configurable Systems: Are We There Yet? [ICST 2019]

● Synthesis○ Bug Synthesis: Challenging Bug-Finding Tools with Deep Faults [ESEC/FSE 2018]

● Weighted Sampling○ Current work

5

Example

void main(int4 x, int4 y) {if ((x & y) == 4) {

if (x < y) {interesting(x, y);

}}

}

6



}}

}

Example: SMT formula

7

∧ ((x & y) == 4)∧ (x < y)

Path Constraint



}}

}Bit-blast

Example

8

∧ ((x & y) == 4)∧ (x < y)

Path Constraint

x3 x2 x1 x0

int4 x;

y3 y2 y1 y0

int4 y;



}}

}Bit-blast

Example: SAT formula

∧(¬x0 ∨ ¬y0)∧ (¬x1 ∨ ¬y1)∧ x2∧ y2∧ (¬x3 ∨ ¬y3)∧ ( ∨ (x3 ∧ ¬y3)∧ ( ∨ (x3=y3 ∧ ¬x2 ∧ y2)∧ ( ∨ (x3=y3 ∧ x2=y2 ∧ ¬x1 ∧ y1)∧ ( ∨ (x3=y3 ∧ x2=y2 ∧ x1=y1 ∧ ¬x0 ∧ y0)∧ )

9

∧ ((x & y) == 4)∧ (x < y)

Path Constraint

Boolean formula φ(x0,x1,x2,x3,y0,y1,y2,y3)

x3 x2 x1 x0

int4 x;

y3 y2 y1 y0

int4 y;

Example: SAT formula

∧(¬x0 ∨ ¬y0)∧ (¬x1 ∨ ¬y1)∧ x2∧ y2∧ (¬x3 ∨ ¬y3)∧ ( ∨ (x3 ∧ ¬y3)∧ ( ∨ (x3=y3 ∧ ¬x2 ∧ y2)∧ ( ∨ (x3=y3 ∧ x2=y2 ∧ ¬x1 ∧ y1)∧ ( ∨ (x3=y3 ∧ x2=y2 ∧ x1=y1 ∧ ¬x0 ∧ y0)∧ )

10

Boolean formula φ(x0,x1,x2,x3,y0,y1,y2,y3)

SMT: Satisfiability Modulo Theories

11

SMT formula φ

∧(mem[0] ≥ 0 ∧ mem[0] < 4)∧ (mem’[1] < 0 ∨ mem’[1] ≥ 4),wheremem’ = store(mem, mem[0], -1 * mem[mem[0]])




12

SMT formula φBit-vector



13

SMT formula φBit-vector

Array



State of the art

● Markov Chain Monte Carlo (MCMC)○ Works for linear constraints and can generate biased solutions

● Constraint solver heuristics○ Can be expensive, requiring one solver call per solution

● Universal hashing○ Expensive, but can guarantee uniform sampling

14

QuickSampler

15

Rafael Dutra, Kevin Laeufer, Jonathan Bachrach, and Koushik Sen. 2018. Efficient Sampling of SAT Solutions for Testing. In ICSE’18.

QuickSampler

Our goals:

● Samples should satisfy the formula >50% of the times

● Generate samples >100x faster than other techniques

● Sampling should be close to uniform

Our approach:

● Compute patterns of bit flips which preserve satisfiability

● Combine those bit flip patterns to generate lots of samples

16

QuickSampler

Our goals:

● Samples should satisfy the formula >50% of the times

● Generate samples >100x faster than other techniques

● Sampling should be close to uniform

Our approach:

● Compute patterns of bit flips which preserve satisfiability

● Combine those bit flip patterns to generate lots of samples

17

QuickSampler Algorithm

● Start by generating a random assignment σ’

Random assignment

σ′

18

σ



● Use MAX-SAT to find the closest solution σ to σ’

Random assignment

Base solution

σ′

19

σ1

σ0

σ




● From σ, use MAX-SAT to find the closest solutions that flip some bits (such as σ0 and σ1)

Random assignment

Base solution

Closest solutions

σ′

20

σ1

σ01

σ0

σ




● From σ, use MAX-SAT to find the closest solutions that flip some bits (such as σ0 and σ1)

● Combine those mutation to generate new samples (such as σ01)

Random assignment

Base solution

Closest solutions

Generated samples

σ′

21

22

Formula φ(x0,x1,x2,x3,y0,y1,y2,y3)

23


0 0 1 0 1 1 0 0Random assignment σ’ x0 x1 x2 x3 y0 y1 y2 y3

24


Solution σ 0 0 1 0 1 1 1 0


MAX-SAT

MAX-SAT

25


Solution σ 0 0 1 0 1 1 1 0


MAX-SAT

σ0

MAX-SAT

26


Solution σ

1 0 1 0 0 1 1 0

0 0 1 0 1 1 1 0


MAX-SAT

σ0

MAX-SAT

27


Solution σ

1 0 1 0 0 1 1 0

0 0 1 0 1 1 1 0


MAX-SAT

σ0

MAX-SAT

28


Solution σ

1 0 1 0 0 1 1 0 0 1 1 1 1 0 1 0

0 0 1 0 1 1 1 0


MAX-SAT

σ1

σ0

MAX-SAT

29


Solution σ

1 0 1 0 0 1 1 0 0 1 1 1 1 0 1 0

0 0 1 0 1 1 1 0


MAX-SAT

σ1

σ0

MAX-SAT

30


Solution σ

1 0 1 0 0 1 1 0 0 1 1 1 1 0 1 0 0

0 0 1 0 1 1 1 0


MAX-SAT

σ1

σ0

MAX-SAT

31


Solution σ

1 0 1 0 0 1 1 0UNSAT

0 1 1 1 1 0 1 0

0 0 1 0 1 1 1 0


MAX-SAT

σ1

σ0

MAX-SAT

32


Solution σ

1 0 1 0 0 1 1 0UNSAT

0 1 1 1 1 0 1 0

0 0 1 0 1 1 1 0


MAX-SAT

σ1

σ0

MAX-SAT

33


Solution σ

1 0 1 0 0 1 1 0UNSAT

0 1 1 1 1 0 1 0 0 0 1 1 1 1 1 0

0 0 1 0 1 1 1 0


MAX-SAT

σ1 σ3

σ0

MAX-SAT

34


Solution σ

1 0 1 0 0 1 1 0UNSAT

0 1 1 1 1 0 1 0 0 0 1 1 1 1 1 0

0 0 1 0 1 1 1 0


MAX-SAT

...

σ1 σ3

σ0

MAX-SAT

35


Solution σ

1 0 1 0 0 1 1 0UNSAT

0 1 1 1 1 0 1 0 0 0 1 1 1 1 1 0

0 0 1 0 1 1 1 0


MAX-SAT

0 1 0 1 0 1 0 0 0 0 0 1 0 0 0 0

...

σ1 σ3

δ31 0 0 0 1 0 0 0 δ1δ0

= σ ⊕ σ0 = σ ⊕ σ1 = σ ⊕ σ3

δ01

σ0

MAX-SAT

36


Solution σ

1 0 1 0 0 1 1 0UNSAT

0 1 1 1 1 0 1 0 0 0 1 1 1 1 1 0

0 0 1 0 1 1 1 0


MAX-SAT

0 1 0 1 0 1 0 0 0 0 0 1 0 0 0 0

...

σ1 σ3

δ31 0 0 0 1 0 0 0 δ1δ0

1 1 0 1 1 1 0 0

= δ0 ∨ δ1

σ01

δ01

σ0

MAX-SAT

37


Solution σ

1 0 1 0 0 1 1 0UNSAT

0 1 1 1 1 0 1 0 0 0 1 1 1 1 1 0

0 0 1 0 1 1 1 0


MAX-SAT

0 1 0 1 0 1 0 0 0 0 0 1 0 0 0 0

...

σ1 σ3

δ31 0 0 0 1 0 0 0 δ1δ0

1 1 0 1 1 1 0 0

1 1 1 1 0 0 1 0

= σ ⊕ δ01

σ01

δ01

σ0

MAX-SAT

38


Solution σ

1 0 1 0 0 1 1 0UNSAT

0 1 1 1 1 0 1 0 0 0 1 1 1 1 1 0

0 0 1 0 1 1 1 0


MAX-SAT

0 1 0 1 0 1 0 0 0 0 0 1 0 0 0 0

...

σ1 σ3

δ31 0 0 0 1 0 0 0 δ1δ0

1 1 0 1 1 1 0 0

1 1 1 1 0 0 1 0

= σ ⊕ δ01

Why does it work?● δ0 and δ1 are a minimal set of bits that can be

flipped and preserve the satisfiability of the formula● It’s likely that the formula has some clauses

establishing a relation between those bits● Those clauses will likely still be satisfied when

flipping both the bits in δ0 and δ1

σ01

δ01 δ03

σ0

MAX-SAT

39


Solution σ

1 0 1 0 0 1 1 0UNSAT

0 1 1 1 1 0 1 0 0 0 1 1 1 1 1 0

0 0 1 0 1 1 1 0


MAX-SAT

0 1 0 1 0 1 0 0 0 0 0 1 0 0 0 0

...

1 0 0 1 1 0 0 0

σ1 σ3

δ31 0 0 0 1 0 0 0 δ1δ0

1 1 0 1 1 1 0 0

1 1 1 1 0 0 1 0 = δ0 ∨ δ3

σ01

δ01 δ03

σ03

σ0

MAX-SAT

40


Solution σ

1 0 1 0 0 1 1 0UNSAT

0 1 1 1 1 0 1 0 0 0 1 1 1 1 1 0

0 0 1 0 1 1 1 0


MAX-SAT

0 1 0 1 0 1 0 0 0 0 0 1 0 0 0 0

...

1 0 0 1 1 0 0 0

1 0 1 1 0 1 1 0

σ1 σ3

δ31 0 0 0 1 0 0 0 δ1δ0

1 1 0 1 1 1 0 0

1 1 1 1 0 0 1 0

= σ ⊕ δ03

σ01

δ01 δ03 δ13

σ03

σ0

MAX-SAT

41


Solution σ

1 0 1 0 0 1 1 0UNSAT

0 1 1 1 1 0 1 0 0 0 1 1 1 1 1 0

0 0 1 0 1 1 1 0


MAX-SAT

0 1 0 1 0 1 0 0 0 0 0 1 0 0 0 0

...

1 0 0 1 1 0 0 0

1 0 1 1 0 1 1 0

σ1 σ3

δ31 0 0 0 1 0 0 0 δ1δ0

1 1 0 1 1 1 0 0

1 1 1 1 0 0 1 0

0 1 0 1 0 1 0 0

= δ1 ∨ δ3

σ01

δ01 δ03 δ13

σ03

σ0

MAX-SAT

42


Solution σ

1 0 1 0 0 1 1 0UNSAT

0 1 1 1 1 0 1 0 0 0 1 1 1 1 1 0

0 0 1 0 1 1 1 0


MAX-SAT

0 1 0 1 0 1 0 0 0 0 0 1 0 0 0 0

...

1 0 0 1 1 0 0 0

1 0 1 1 0 1 1 0

σ1 σ3

δ31 0 0 0 1 0 0 0 δ1δ0

1 1 0 1 1 1 0 0

1 1 1 1 0 0 1 0

0 1 0 1 0 1 0 0

= δ1 ∨ δ3

σ01

δ01 δ03 δ013

σ03

σ0

MAX-SAT

43


Solution σ

1 0 1 0 0 1 1 0UNSAT

0 1 1 1 1 0 1 0 0 0 1 1 1 1 1 0

0 0 1 0 1 1 1 0


MAX-SAT

0 1 0 1 0 1 0 0 0 0 0 1 0 0 0 0

...

1 0 0 1 1 0 0 0

1 0 1 1 0 1 1 0

σ1 σ3

δ31 0 0 0 1 0 0 0 δ1δ0

1 1 0 1 1 1 0 0

1 1 1 1 0 0 1 0

1 1 0 1 1 1 0 0

= δ0 ∨ δ1 ∨ δ3

σ01

δ01 δ03 δ013

σ03

σ0

MAX-SAT

44


Solution σ

1 0 1 0 0 1 1 0UNSAT

0 1 1 1 1 0 1 0 0 0 1 1 1 1 1 0

0 0 1 0 1 1 1 0


MAX-SAT

0 1 0 1 0 1 0 0 0 0 0 1 0 0 0 0

...

1 0 0 1 1 0 0 0

1 0 1 1 0 1 1 0

σ1 σ3

δ31 0 0 0 1 0 0 0 δ1δ0

1 1 0 1 1 1 0 0

1 1 1 1 0 0 1 0

1 1 0 1 1 1 0 0

= δ0 ∨ δ1 ∨ δ3

σ01

δ01 δ03

σ03

σ0

MAX-SAT

45


Solution σ

1 0 1 0 0 1 1 0UNSAT

0 1 1 1 1 0 1 0 0 0 1 1 1 1 1 0

0 0 1 0 1 1 1 0


MAX-SAT

0 1 0 1 0 1 0 0 0 0 0 1 0 0 0 0

...

1 0 0 1 1 0 0 0

1 0 1 1 0 1 1 0

σ1 σ3

δ31 0 0 0 1 0 0 0 δ1δ0

1 1 0 1 1 1 0 0

1 1 1 1 0 0 1 0

σ01

δ01 δ03

σ03

σ0

MAX-SAT

46


Solution σ

1 0 1 0 0 1 1 0UNSAT

0 1 1 1 1 0 1 0 0 0 1 1 1 1 1 0

0 0 1 0 1 1 1 0


MAX-SAT

0 1 0 1 0 1 0 0 0 0 0 1 0 0 0 0

...

1 0 0 1 1 0 0 0

1 0 1 1 0 1 1 0

σ1 σ3

δ31 0 0 0 1 0 0 0 δ1δ0

1 1 0 1 1 1 0 0

1 1 1 1 0 0 1 0

At most ngenerate atomic mutations

=O(n6)mutations: NO MAX-SAT ( ) n

6 samples by combining

MAX-SAT calls to

σ01

δ01 δ03

σ03

σ0

MAX-SAT

47


Solution σ

1 0 1 0 0 1 1 0UNSAT

0 1 1 1 1 0 1 0 0 0 1 1 1 1 1 0

0 0 1 0 1 1 1 0


MAX-SAT

0 1 0 1 0 1 0 0 0 0 0 1 0 0 0 0

...

1 0 0 1 1 0 0 0

1 0 1 1 0 1 1 0

σ1 σ3

δ31 0 0 0 1 0 0 0 δ1δ0

1 1 0 1 1 1 0 0

1 1 1 1 0 0 1 0

At most 50generate atomic mutations

15 890 700mutations: NO MAX-SAT

samples by combining

MAX-SAT calls to

σ01

δ01 δ03

σ03

σ0

MAX-SAT

48


Solution σ

1 0 1 0 0 1 1 0UNSAT

0 1 1 1 1 0 1 0 0 0 1 1 1 1 1 0

0 0 1 0 1 1 1 0


MAX-SAT

0 1 0 1 0 1 0 0 0 0 0 1 0 0 0 0

...

1 0 0 1 1 0 0 0

1 0 1 1 0 1 1 0

σ1 σ3

δ31 0 0 0 1 0 0 0 δ1δ0

1 1 0 1 1 1 0 0

1 1 1 1 0 0 1 0

σ01

δ01 δ03

σ03

σ0

MAX-SAT

49


Solution σ

1 0 1 0 0 1 1 0UNSAT

0 1 1 1 1 0 1 0 0 0 1 1 1 1 1 0

0 0 1 0 1 1 1 0


MAX-SAT

0 1 0 1 0 1 0 0 0 0 0 1 0 0 0 0

...

1 0 0 1 1 0 0 0

1 0 1 1 0 1 1 0

σ1 σ3

δ31 0 0 0 1 0 0 0 δ1δ0

1 1 0 1 1 1 0 0

1 1 1 1 0 0 1 0

Implementation

● Implemented in C++ using Z3 as the constraint solver● https://github.com/RafaelTupynamba/quicksampler

Optimizations:

● Eager generation of samples● Independent support● Unsatisfiable variables

50

https://github.com/RafaelTupynamba/quicksampler

Experiments

We evaluated QuickSampler on 163 industrial benchmarks.

51

Largest 6 Benchmarks # Variables # Clauses

tutorial3.sk_4_31 486193 2598178

diagStencilClean.sk_41_36 378131 2110471

karatsuba.sk_7_41 19594 82417

enqueueSeqSK.sk_10_42 16466 58515

20.sk_1_51 15475 60994

77.sk_3_44 14535 27573

Experiments

We compared QuickSampler against two state-of-the-art samplers:● UniGen2 [1]

○ Uses universal hashing to partition the solution space and produce provably uniform samples

● SearchTreeSampler [2]○ Generates pseudo-solutions: partial assignments that can be completed to full solutions

[1] Supratik Chakraborty, Daniel J Fremont, Kuldeep S Meel, Sanjit A Seshia, and Moshe Y Vardi. 2015. On Parallel Scalable Uniform SAT Witness Generation. In TACAS 2015.[2] Stefano Ermon, Carla P Gomes, and Bart Selman. 2012. Uniform solution sampling using a constraint solver as an oracle. In UAI 2012.

52

Experiments: Correctness

53

# of Atomic Mutations combined

Average Samples generated

% of Valid Samples

0 1 100%

1 32 100%

2 511 96%

3 5 619 93%

4 47 493 89%

5 346 367 82%

6 2 143 385 73%

Total 2 543 409 75%

● QuickSampler generates valid solutions

○ 102.5±0.8 times faster than SearchTreeSampler

○ 104.7±1.0 times faster than UniGen2● QuickSampler generates unique valid solutions

○ 102.3±0.7 times faster than SearchTreeSampler

○ 104.4±1.1 times faster than UniGen254

Experiments: Speed

55

Higher is betterNumber ofvalid solutionsper time

Experiments: Unique Solutions

56

Higher is betterNumber of uniquevalid solutionsper time


57

Higher is better

Experiments: Uniformity

58

Challenges

Problems of encoding SMT into SAT

● Converting into SAT loses high-level SMT structure● SMT structure can be used for faster solving● High level structure can also help generate diverse solutions

● Diversity of samples: (x ≥ 4) ∨ φ(x, y, z)

59

SMTSampler

60

Rafael Dutra, Jonathan Bachrach and Koushik Sen. 2018. SMTSampler: Efficient Stimulus Generation from Complex SMT Constraints. In ICCAD’18.

SMTSampler

Our goals:

● Allow efficient sampling from large and complex SMT constraints

● Generate millions of unique solutions in minutes

● Achieve high coverage of the constraint space

Our approach:

● Extend QuickSampler technique to work over SMT formulas with:○ Bit-vectors○ Arrays○ Uninterpreted functions

61

SMTSampler

Our goals:

● Allow efficient sampling from large and complex SMT constraints

● Generate millions of unique solutions in minutes

● Achieve high coverage of the constraint space

Our approach:

● Extend QuickSampler technique to work over SMT formulas with:○ Bit-vectors○ Arrays○ Uninterpreted functions

62

Types of variables

63

Improvements over QuickSampler

● Extend the mutations to work over bit-vectors, arrays and uninterpreted functions

● Output only valid and unique solutions● Adaptive generation of solutions based on accuracy● Improved scalability for more complex formulas

64

65

Formula φ

(mem[0] ≥ 0 ∧ mem[0] < 4) ∧ (mem’[1] < 0 ∨ mem’[1] ≥ 4), where mem’ = store(mem, mem[0], -1* mem[mem[0]])

66

Formula φx = mem[0]y = mem[1]



67

Solution σ 1 0 0 0 1 0 0 0


MAX-SMT



68

Solution σ 1 0 0 0 1 0 0 0


MAX-SMT

MAX-SMT



69

Solution σ 1 0 0 0 1 0 0 0


MAX-SMT

MAX-SMT

Hard constraints● φ● x0 ≠ 1

Soft constraints● x1 = 0● x2 = 0● x3 = 0● y0 = 1● y1 = 0● y2 = 0● y3 = 0



SMTbit

70

Solution σ 1 0 0 0 1 0 0 0


MAX-SMT

MAX-SMT

Hard constraints● φ● x0 ≠ 1

Soft constraints● y = 1000



SMTbv

σ0

71

Solution σ

0 0 0 0 1 0 1 0

1 0 0 0 1 0 0 0


MAX-SMT

MAX-SMT



σ0

72

Solution σ

0 0 0 0 1 0 1 0

1 0 0 0 1 0 0 0


MAX-SMT

MAX-SMT



σ0

73

Solution σ

0 0 0 0 1 0 1 0 1 1 0 0 1 0 0 1

1 0 0 0 1 0 0 0


σ1

MAX-SMT

MAX-SMT



σ0

74

Solution σ

0 0 0 0 1 0 1 0 1 1 0 0 1 0 0 1

1 0 0 0 1 0 0 0


σ1

MAX-SMT

MAX-SMT



σ0

75

Solution σ

0 0 0 0 1 0 1 0 1 1 0 0 1 0 0 1

1 0 0 0 1 0 0 0


σ1

MAX-SMT

MAX-SMT

1



σ0

76

Solution σ

0 0 0 0 1 0 1 0UNSAT

1 1 0 0 1 0 0 1

1 0 0 0 1 0 0 0


σ1

MAX-SMT

MAX-SMT



σ0

77

Solution σ

0 0 0 0 1 0 1 0UNSAT

1 1 0 0 1 0 0 1

1 0 0 0 1 0 0 0


σ1

MAX-SMT

MAX-SMT



σ0

78

Solution σ

0 0 0 0 1 0 1 0UNSAT

1 1 0 0 1 0 0 1

1 0 0 0 1 0 0 0


σ1

MAX-SMT

MAX-SMT

1



σ0

79

Solution σ

0 0 0 0 1 0 1 0UNSAT

1 1 0 0 1 0 0 1

1 0 0 0 1 0 0 0


σ1

MAX-SMT

MAX-SMT



σ0

80

Solution σ

0 0 0 0 1 0 1 0UNSAT

1 1 0 0 1 0 0 1

1 0 0 0 1 0 0 0


σ1

MAX-SMT

MAX-SMT



σ0

81

Solution σ

0 0 0 0 1 0 1 0UNSAT

1 1 0 0 1 0 0 1 1 0 0 0 0 1 0 0

1 0 0 0 1 0 0 0


σ1 σ4

MAX-SMT

MAX-SMT



...

σ0

82

Solution σ

0 0 0 0 1 0 1 0UNSAT

1 1 0 0 1 0 0 1 1 0 0 0 0 1 0 0

1 0 0 0 1 0 0 0


σ1 σ4

MAX-SMT

MAX-SMT



σ0

83

Solution σ

0 0 0 0 1 0 1 0UNSAT

1 1 0 0 1 0 0 1 1 0 0 0 0 1 0 0

1 0 0 0 1 0 0 0


0 1 0 0 0 0 0 1 0 0 0 0 1 1 0 0

...

σ1 σ4

δ41 0 0 0 0 0 1 0 δ1δ0

MAX-SMT

MAX-SMT

= σ ⊕ σ0 = σ ⊕ σ1 = σ ⊕ σ4



δ01

σ0

84

Solution σ

0 0 0 0 1 0 1 0UNSAT

1 1 0 0 1 0 0 1 1 0 0 0 0 1 0 0

1 0 0 0 1 0 0 0


0 1 0 0 0 0 0 1 0 0 0 0 1 1 0 0

...

σ1 σ4

δ41 0 0 0 0 0 1 0 δ1δ0

1 1 0 0 0 0 1 1

MAX-SMT

MAX-SMT

= δ0 ∨ δ1



σ01

δ01

σ0

85

Solution σ

0 0 0 0 1 0 1 0UNSAT

1 1 0 0 1 0 0 1 1 0 0 0 0 1 0 0

1 0 0 0 1 0 0 0


0 1 0 0 0 0 0 1 0 0 0 0 1 1 0 0

...

σ1 σ4

δ41 0 0 0 0 0 1 0 δ1δ0

1 1 0 0 0 0 1 1

0 1 0 0 1 0 1 1

MAX-SMT

MAX-SMT

= σ ⊕ δ01



σ01

δ01 δ04

σ0

86

Solution σ

0 0 0 0 1 0 1 0UNSAT

1 1 0 0 1 0 0 1 1 0 0 0 0 1 0 0

1 0 0 0 1 0 0 0


0 1 0 0 0 0 0 1 0 0 0 0 1 1 0 0

...

1 0 0 0 1 1 1 0

σ1 σ4

δ41 0 0 0 0 0 1 0 δ1δ0

1 1 0 0 0 0 1 1

0 1 0 0 1 0 1 1

MAX-SMT

MAX-SMT

= δ0 ∨ δ4



σ01

δ01 δ04

σ04

σ0

87

Solution σ

0 0 0 0 1 0 1 0UNSAT

1 1 0 0 1 0 0 1 1 0 0 0 0 1 0 0

1 0 0 0 1 0 0 0


0 1 0 0 0 0 0 1 0 0 0 0 1 1 0 0

...

1 0 0 0 1 1 1 0

0 0 0 0 0 1 1 0

σ1 σ4

δ41 0 0 0 0 0 1 0 δ1δ0

1 1 0 0 0 0 1 1

0 1 0 0 1 0 1 1

MAX-SMT

MAX-SMT

= σ ⊕ δ04



σ01

δ01 δ04 δ14

σ04

σ0

88

Solution σ

0 0 0 0 1 0 1 0UNSAT

1 1 0 0 1 0 0 1 1 0 0 0 0 1 0 0

1 0 0 0 1 0 0 0


0 1 0 0 0 0 0 1 0 0 0 0 1 1 0 0

...

1 0 0 0 1 1 1 0

0 0 0 0 0 1 1 0

σ1 σ4

δ41 0 0 0 0 0 1 0 δ1δ0

1 1 0 0 0 0 1 1

0 1 0 0 1 0 1 1

0 1 0 0 1 1 0 1

MAX-SMT

MAX-SMT

= δ1 ∨ δ4



σ01

δ01 δ04 δ14

σ04

σ0

89

Solution σ

0 0 0 0 1 0 1 0UNSAT

1 1 0 0 1 0 0 1 1 0 0 0 0 1 0 0

1 0 0 0 1 0 0 0


0 1 0 0 0 0 0 1 0 0 0 0 1 1 0 0

...

1 0 0 0 1 1 1 0

0 0 0 0 0 1 1 0

σ1 σ4

δ41 0 0 0 0 0 1 0 δ1δ0

1 1 0 0 0 0 1 1

0 1 0 0 1 0 1 1

0 1 0 0 1 1 0 1

MAX-SMT

MAX-SMT

σ141 1 0 0 0 1 0 1

= σ ⊕ δ14



σ01 σ04

σ0

90

Solution σ

0 0 0 0 1 0 1 0UNSAT

1 1 0 0 1 0 0 1 1 0 0 0 0 1 0 0

1 0 0 0 1 0 0 0


...

0 0 0 0 0 1 1 0

σ1 σ4

0 1 0 0 1 0 1 1

MAX-SMT

MAX-SMT

σ141 1 0 0 0 1 0 1



σ01 σ04

σ0

91

Solution σ

0 0 0 0 1 0 1 0UNSAT

1 1 0 0 1 0 0 1 1 0 0 0 0 1 0 0

1 0 0 0 1 0 0 0


...

0 0 0 0 0 1 1 0

σ1 σ4

0 1 0 0 1 0 1 1

MAX-SMT

MAX-SMT

σ141 1 0 0 0 1 0 1

17 / 18 valid solutions



σ01 σ04

σ0

92

Solution σ

0 0 0 0 1 0 1 0UNSAT

1 1 0 0 1 0 0 1 1 0 0 0 0 1 0 0

1 0 0 0 1 0 0 0


...

0 0 0 0 0 1 1 0

σ1 σ4

0 1 0 0 1 0 1 1

MAX-SMT

MAX-SMT

σ141 1 0 0 0 1 0 1

σ0140 1 0 0 0 1 1 1



σ01 σ04

σ0

93

Solution σ

0 0 0 0 1 0 1 0UNSAT

1 1 0 0 1 0 0 1 1 0 0 0 0 1 0 0

1 0 0 0 1 0 0 0


...

0 0 0 0 0 1 1 0

σ1 σ4

0 1 0 0 1 0 1 1

MAX-SMT

MAX-SMT

σ141 1 0 0 0 1 0 1

σ0140 1 0 0 0 1 1 1 6 / 8 valid solutions



σ01 σ04

σ0

94

Solution σ

0 0 0 0 1 0 1 0UNSAT

1 1 0 0 1 0 0 1 1 0 0 0 0 1 0 0

1 0 0 0 1 0 0 0


...

0 0 0 0 0 1 1 0

σ1 σ4

0 1 0 0 1 0 1 1

MAX-SMT

MAX-SMT

σ141 1 0 0 0 1 0 1

σ0140 1 0 0 0 1 1 1

0 new solutions



σ01 σ04

σ0

95

Solution σ

0 0 0 0 1 0 1 0UNSAT

1 1 0 0 1 0 0 1 1 0 0 0 0 1 0 0

1 0 0 0 1 0 0 0


...

0 0 0 0 0 1 1 0

σ1 σ4

0 1 0 0 1 0 1 1

MAX-SMT

MAX-SMT

σ141 1 0 0 0 1 0 1

σ0140 1 0 0 0 1 1 1



σ01 σ04

σ0

96

Solution σ

0 0 0 0 1 0 1 0UNSAT

1 1 0 0 1 0 0 1 1 0 0 0 0 1 0 0

1 0 0 0 1 0 0 0


...

0 0 0 0 0 1 1 0

σ1 σ4

0 1 0 0 1 0 1 1

MAX-SMT

MAX-SMT

σ141 1 0 0 0 1 0 1

σ0140 1 0 0 0 1 1 1



Implementation

● Implemented in C++ using Z3 as the constraint solver● https://github.com/RafaelTupynamba/SMTsampler

97

https://github.com/RafaelTupynamba/quicksampler

Experiments on SMT-LIB

We evaluated SMTSampler on 213 industrial benchmarks from 22 classes.

98

Benchmark Class Average # Nodes Average # Bits

QF_AUFBV/ecc 291 2785

QF_ABV/bmc-arrays 855 53

QF_ABV/stp_samples 1139 192

QF_BV/bmc-bv-svcomp14 7518 7607

QF_BV/tacas07 8812 16620

QF_BV/sage/app8 978 1047

Experiments

We compared two approaches for SMT sampling against the SAT-based QuickSampler● SMTbit

○ One soft constraint per bit

● SMTbv○ One soft constraint per bit-vector

● QuickSampler○ Our prior work that generates solutions to SAT formulas (Boolean constraints)

99


100

Higher is betterNumber of uniquesolutionsper time


101

Higher is betterNumber of uniquesolutionsper time

Measuring Coverage of a Formula

● Look at values of internal nodes○ Check if each bit has received values 0 and 1

in the test cases

● Analogous to internal wires in a circuit

102

Experiments: Coverage

103

Higher is betterCoverageof the formula

Experiments: Coverage

104

Higher is betterCoverageof the formula

Results

● The SMT-based approaches outperformed the SAT-based approach both in terms of solutions generated and coverage of the formula

○ If considering total execution time, the difference is accentuated

● SMTbit generally performs better than SMTbv due to more fine-grain soft constraints

● But SMTbv is more robust for formulas where MAX-SMT queries are harder to solve

105

Challenges

● Coverage of the formula might still not be ideal even using the SMT-based approaches

● User might be interested in a specific notion of coverage for the produced solutions

106

GuidedSampler

107

Rafael Dutra, Jonathan Bachrach and Koushik Sen. 2019. GuidedSampler: Coverage-guided Sampling of SMT Solutions. In FMCAD’19.

Goal: Generate solutions to φ such that the predicates ψ1, ψ2, …, ψn are covered uniformly

Problem definition

108

mem[0] mem[1]

σ0

σ1

σ2

σ3

σ4

σ5

1 0 0 0 1 0 0 0

0 0 0 0 1 0 1 0

1 1 0 0 1 0 0 1

1 0 0 0 0 1 0 0

0 1 0 0 1 0 1 1

0 0 0 0 0 1 1 0


mem’[1] < 0

Input: SMT formula φ

Input: Coverage predicates ψ1, ψ2, …, ψn

mem’[1] ≥ 4 mem’[0] < 0

Goal: Generate solutions to φ such that the predicates ψ1, ψ2, …, ψn are covered uniformly

Problem definition

109

mem[0] mem[1] ψ1 ψ2 ψ3

σ0

σ1

σ2

σ3

σ4

σ5

1 0 0 0 1 0 0 0

0 0 0 0 1 0 1 0

1 1 0 0 1 0 0 1

1 0 0 0 0 1 0 0

0 1 0 0 1 0 1 1

0 0 0 0 0 1 1 0


mem’[1] < 0

Input: SMT formula φ

0 1 0

1 0 0

0 0 1

1 1 1

0 1 1

1 1 0

Input: Coverage predicates ψ1, ψ2, …, ψn

mem’[1] ≥ 4 mem’[0] < 0

● Explore all states

Motivation

● User-specified coverage metrics

110

Coverage-guided Sampling

Our goals:

● Sample solutions from a formula φ, but have the distribution determined by the coverage predicates ψ1, ψ2, …, ψn

● Uniformly sample solutions from the different coverage classes

● Uniformly sample within each coverage class

Our approach extends SMTSampler by:

● Randomizing coverage class of initial base solution

● Flipping coverage predicates to compute neighboring solutions

● Discarding new solutions that repeat a previously seen coverage class

111

Modifications

Random assignment

σ′

112

σ

Modifications

● In the MAX-SMT query to generate σ, set coverage predicates to random values

Random assignment

Base solution

σ′

113

σ1

σ0

σ

Modifications


● Find neighboring solutions that flip coverage predicates

Random assignment

Base solution

Closest solutions

σ′

114

σ1

σ01

σ0

σ

Modifications


● Find neighboring solutions that flip coverage predicates

● Whenever generating a new sample, discard it if it’s from a repeated coverage class

Random assignment

Base solution

Closest solutions

Generated samples

σ′

115

Experiments: Unique Coverage Classes

116

Higher is better

GuidedSampler vs. SMTSampler

Number of uniquecoverage classesper time

Experiments: Unique Coverage Classes

117

Higher is better

S3 = GuidedSamplerS0 = SMTSamplerBS, BH: baselines

Number of uniquecoverage classesper time

Experiments: Uniformity over Coverage Classes

118

S3 = GuidedSamplerS0 = SMTSamplerBS, BH: baselines

→ GuidedSampler generated > 100 000 classes

Conclusion

● Generate solutions efficiently given a SAT or SMT formula

● Generate millions of solutions with tens of solver calls

● Achieve better coverage of the constraint space, even for user-defined coverage classes

119

σ01 = σ ⊕ δ01

δ01 = δ0 ∨ δ1

σ0

Solution σ

0 0 0 0 1 0 1 0 1 1 0 0 1 0 0 1

1 0 0 0 1 0 0 0

0 1 0 0 0 0 0 1

σ1

1 0 0 0 0 0 1 0 δ1δ0

1 1 0 0 0 0 1 1

0 1 0 0 1 0 1 1

MAX-SMT

Acknowledgements

120

Acknowledgements

121

Acknowledgements

122

dissertation committee: eﬃcient sampling of sat and smtrtd/talks/phd_talk.pdf · eﬃcient...

Documents