## Bugs, Moles and Skeletons: Symbolic Reasoning for Software Development

Citations: 1 (0 self)

### BibTeX

```bibtex
@MISC{Moura_bugs,
  author = {Leonardo De Moura and Nikolaj Bj{\o}rner},
  title  = {Bugs, Moles and Skeletons: Symbolic Reasoning for Software Development},
  year   = {}
}
```

### Abstract

Symbolic reasoning is at the core of many software development tools, such as bug-finders, test-case generators, and verifiers. Of renewed interest is the use of symbolic reasoning for synthesizing code, loop invariants and ranking functions. Satisfiability Modulo Theories (SMT) solvers have received increased attention recently thanks to technological advances and a growing number of applications. In this paper we review some of these applications, which use software verifiers as bug-finders “on steroids”, and suggest that new model finding techniques are needed to increase the set of applications supported by these solvers.

### Citations

555 | Extended static checking for Java
- Flanagan, Leino, et al.
- 2002
Citation context: ...ion, but in the more limited context of checking absence of run-time errors. The SMT solver Simplify [7] was developed in the context of the extended static checking systems ESC/Modula 3 and ESC/Java [10]. This work has been the inspiration for several subsequent extended static program checkers, including Why [9] and Boogie [1]. These systems are actively used as bridges from several different front-...

480 | The Spec# programming system: An overview
- Barnett, Leino, et al.
- 2004
Citation context: ...ontext of the extended static checking systems ESC/Modula 3 and ESC/Java [10]. This work has been the inspiration for several subsequent extended static program checkers, including Why [9] and Boogie [1]. These systems are actively used as bridges from several different front-ends to SMT solver backends. Boogie, for instance, is used as a backend for systems that verify code from languages, such as a...

472 | Z3: An Efficient SMT Solver
- Moura, Bjørner
- 2008
Citation context: ...l, but it is more tangible than a proof of correctness. In principle, developers can inspect and test the synthesized code independently of the symbolic reasoner. 2 Symbolic Reasoning at Microsoft Z3 [5] is an SMT solver and the main symbolic reasoning engine used at Microsoft. SMT solvers combine the problem of Boolean Satisfiability with domains, such as, those studied in convex optimization and te...

381 | Simplify: a theorem prover for program checking
- Detlefs, Nelson, et al.
Citation context: ...2.3 Software Verification Extended static checking uses the methods developed for program verification, but in the more limited context of checking absence of run-time errors. The SMT solver Simplify [7] was developed in the context of the extended static checking systems ESC/Modula 3 and ESC/Java [10]. This work has been the inspiration for several subsequent extended static program checkers, includ...

236 | Application of theorem proving to problem solving
- Green
- 1969
Citation context: ...en these two extremes, bug-finding and verification, there is another application that is undergoing a renaissance: synthesis. The idea of synthesizing code is not new, it dates back to the late 60’s [12, 16]. Due to the recent advances in first-order theorem proving, SMT and QBF solving, it is becoming more feasible to synthesize non trivial glue code [15], small algorithms [17], ranking functions [4] an...

101 | VCC: A practical system for verifying concurrent C
- Cohen, Dahlweid, et al.
- 2009
Citation context: ...s with several hundreds of thousands of lines. This effort relies heavily on some of the automated methods used in software model-checking. A more ambitious project is the Verifying C-Compiler system [8], which targets functional correctness properties of Microsoft’s Viridian Hyper-Visor. The Hyper-Visor is a relatively small (100K lines) operating system layer, yet correctness properties are challen...

98 | What’s decidable about arrays
- Bradley, Manna, et al.
- 2006
Citation context: ...e formulas. However, in industry, we are mainly interested in the satisfiable instances, where a refutationally complete procedure may not even terminate. Some SMT solvers support decidable fragments [2, 6, 20], unfortunately they are not expressive enough to encode all symbolic reasoning problems found in practice. A pragmatic approach for dealing with the problem above is to produce candidate models. Give...

54 | From program verification to program synthesis
- Srivastava, Gulwani, et al.
- 2010
Citation context: ...ted because our example is in the array property decidable fragment [2]. 3.3 Skeleton Based Model Finding & Synthesis Satisfiability solvers have been used to synthesize loop invariants [3, 13], code [19], and ranking functions [4]. To illustrate these ideas, consider the following abstract program: pre while (c) { T } post In the loop invariant synthesis problem, we want to synthesize a predicate I t...

53 | Combinatorial sketching for finite programs
- Solar-Lezama, Tancau, et al.
- 2006
Citation context: ...back to the late 60’s [12, 16]. Due to the recent advances in first-order theorem proving, SMT and QBF solving, it is becoming more feasible to synthesize non trivial glue code [15], small algorithms [17], ranking functions [4] and procedures [14]. The outcome of a synthesis tool is not as simple to check as the one produced by a bug-finding tool, but it is more tangible than a proof of correctness. I...

42 | Why: a multi-language multi-prover verification tool, http://www.lri.fr/~filliatr/ftp/publis/why-tool.ps.gz
- Filliâtre
- 2003
Citation context: ...eloped in the context of the extended static checking systems ESC/Modula 3 and ESC/Java [10]. This work has been the inspiration for several subsequent extended static program checkers, including Why [9] and Boogie [1]. These systems are actively used as bridges from several different front-ends to SMT solver backends. Boogie, for instance, is used as a backend for systems that verify code from langu...

38 | Toward Automatic Program Synthesis
- Manna, Waldinger
- 1971
Citation context: ...en these two extremes, bug-finding and verification, there is another application that is undergoing a renaissance: synthesis. The idea of synthesizing code is not new, it dates back to the late 60’s [12, 16]. Due to the recent advances in first-order theorem proving, SMT and QBF solving, it is becoming more feasible to synthesize non trivial glue code [15], small algorithms [17], ranking functions [4] an...

28 | Oracle-guided component-based program synthesis. ICSE
- Jha, Gulwani, et al.
- 2010
Citation context: ...recent advances in first-order theorem proving, SMT and QBF solving, it is becoming more feasible to synthesize non trivial glue code [15], small algorithms [17], ranking functions [4] and procedures [14]. The outcome of a synthesis tool is not as simple to check as the one produced by a bug-finding tool, but it is more tangible than a proof of correctness. In principle, developers can inspect and tes...

25 | Amphion: Automatic programming for scientific subroutine libraries
- Lowry, Philpot, et al.
- 1994
Citation context: ...e is not new, it dates back to the late 60’s [12, 16]. Due to the recent advances in first-order theorem proving, SMT and QBF solving, it is becoming more feasible to synthesize non trivial glue code [15], small algorithms [17], ranking functions [4] and procedures [14]. The outcome of a synthesis tool is not as simple to check as the one produced by a bug-finding tool, but it is more tangible than a ...

22 | Program verification using templates over predicate abstraction
- Srivastava, Gulwani
- 2009
Citation context: ...fication effort is estimated to be around 60 man-years. 2.4 Synthesis Finally, there is recent and active interest in using modern SMT solvers in the context of synthesis of inductive loop invariants [18] and synthesis of program fragments [14], such as sorting, matrix multiplication, de-compression, graph, and bit-manipulating algorithms. Take for instance the Strassen’s matrix multiplication algorit...

17 | Automating Software Testing Using Program Analysis
- Godefroid, Halleux, et al.
Citation context: ... of dynamic symbolic execution, also called smart white-box fuzzing. There are today several industry applied tools based on dynamic symbolic execution, including CUTE, Exe, DART, SAGE, Pex, and Yogi [11]. These tools collect explored program paths as formulas and use solvers for identifying new test input (moles) that can steer execution into new branches. SMT solvers are a good fit for symbolic exec...

16 | Ranking function synthesis for bit-vector relations
- Cook, Kroening, et al.

15 | Deciding Effectively Propositional Logic Using DPLL and Substitution Sets
- Moura, Bjørner
- 2008
Citation context: ...e formulas. However, in industry, we are mainly interested in the satisfiable instances, where a refutationally complete procedure may not even terminate. Some SMT solvers support decidable fragments [2, 6, 20], unfortunately they are not expressive enough to encode all symbolic reasoning problems found in practice. A pragmatic approach for dealing with the problem above is to produce candidate models. Give...

13 | Constraint-based invariant inference over predicate abstraction
- Gulwani, Srivastava, et al.
- 2009
Citation context: ...atically computed because our example is in the array property decidable fragment [2]. 3.3 Skeleton Based Model Finding & Synthesis Satisfiability solvers have been used to synthesize loop invariants [3, 13], code [19], and ranking functions [4]. To illustrate these ideas, consider the following abstract program: pre while (c) { T } post In the loop invariant synthesis problem, we want to synthesize a pr...

12 | Schema-guided synthesis of imperative programs by constraint solving
- Colón
- 2004
Citation context: ...atically computed because our example is in the array property decidable fragment [2]. 3.3 Skeleton Based Model Finding & Synthesis Satisfiability solvers have been used to synthesize loop invariants [3, 13], code [19], and ranking functions [4]. To illustrate these ideas, consider the following abstract program: pre while (c) { T } post In the loop invariant synthesis problem, we want to synthesize a pr...

10 | Complete instantiation for quantified SMT formulas
- Ge, Moura
- 2009
Citation context: ...e formulas. However, in industry, we are mainly interested in the satisfiable instances, where a refutationally complete procedure may not even terminate. Some SMT solvers support decidable fragments [2, 6, 20], unfortunately they are not expressive enough to encode all symbolic reasoning problems found in practice. A pragmatic approach for dealing with the problem above is to produce candidate models. Give...