Automatically testing string solvers
Alexandra Bugariu,Peter Müller +1 more
- 27 Jun 2020
- pp 1470
TL;DR: This paper synthesizes input formulas that are satisfiable or unsatisfiable by construction and automatically applies satisfiability-preserving transformations to generate increasingly complex formulas, which allows many errors to be detected with simple inputs and thus facilitates debugging.
Abstract: SMT solvers are at the basis of many applications, such as program verification, program synthesis, and test case generation. For all these applications to provide reliable results, SMT solvers must answer queries correctly. However, since they are complex, highly-optimized software systems, ensuring their correctness is challenging. In particular, state-of-the-art testing techniques do not reliably detect when an SMT solver is unsound. In this paper, we present an automatic approach for generating test cases that reveal soundness errors in the implementations of string solvers, as well as potential completeness and performance issues. We synthesize input formulas that are satisfiable or unsatisfiable by construction and use this ground truth as test oracle. We automatically apply satisfiability-preserving transformations to generate increasingly-complex formulas, which allows us to detect many errors with simple inputs and, thus, facilitates debugging. The experimental evaluation shows that our technique effectively reveals bugs in the implementation of widely-used SMT solvers and applies also to other types of solvers, such as automata-based solvers. We focus on strings here, but our approach carries over to other theories and their combinations.
Figures

Figure 5: A sat formula generated in step 2 through term synthesis, which exposes a soundness bug in Z3str3. tmp_int1 has type Int, tmp_str0 and tmp_str2 have type String.
Table 7: Overview of our results for MT-ABC 
Table 6: Failed tests on the latest versions of the SMT solvers 
Table 3: Equalities between the string operations and nonconstant and constant strings (NC1–NC7 and C1–C15), integers (NC8 and C16–C31), and booleans (C32–C40) 
Figure 6: Algorithm for synthesizing unsat input formulas. invokeSolver yields the solver’s result on the input formula (i.e., sat, unsat, unknown, timeout or error), a model for sat formulas, and an unsat core for unsat formulas, if available. 
Figure 10: A sat formula generated in step 2 through term synthesis for which the result of Z3-seq depends on the random seeds. tmp_int0 has type Int, tmp_str2 has type String.
Citations
Validating SMT solvers via semantic fusion
Dominik Winterer,Chengyu Zhang,Zhendong Su +2 more
- 11 Jun 2020
TL;DR: Semantic Fusion is introduced, a general, effective methodology for validating Satisfiability Modulo Theory (SMT) solvers that fuse two existing equisatisfiable formulas into a new formula that combines the structures of its ancestors in a novel manner and preserves the satisfiability by construction.
80
Detecting critical bugs in SMT solvers using blackbox mutational fuzzing
Muhammad Numair Mansur,Maria Christakis,Valentin Wüstholz,Fuyuan Zhang +3 more
- 08 Nov 2020
TL;DR: STORM is presented, a novel blackbox mutational fuzzing technique for detecting critical bugs in SMT solvers and is already being used in testing new features of popular solvers before deployment.
43
On the Unusual Effectiveness of Type-Aware Operator Mutations for Testing SMT Solvers
TL;DR: Type-aware operator mutation is proposed, a simple, but unusually effective approach for testing SMT solvers, which is to mutate operators of conforming types within the seed formulas to generate well-typed mutant formulas.
38
Generative type-aware mutation for testing SMT solvers
Jiwon Park,Dominik Winterer,Chengyu Zhang,Zhendong Su +3 more
- 15 Oct 2021
TL;DR: Generative Type-Aware Mutation as discussed by the authors is a hybrid of mutation-based and grammar-based fuzzing and features an infinite mutation space for testing SMT solvers.
31
Metamorphic testing of Datalog engines
Muhammad Numair Mansur,Maria Christakis,Valentin Wüstholz +2 more
- 20 Aug 2021
TL;DR: In this paper, the authors present a metamorphic-testing approach for detecting query bugs in Datalog engines and find 13 previously unknown query bugs, some of which are deep and revealed critical semantic issues.
References
Simplifying and isolating failure-inducing input
Andreas Zeller,R. Hildebrandt +1 more
TL;DR: The delta debugging algorithm generalizes and simplifies the failing test case to a minimal test case that still produces the failure, and isolates the difference between a passing and a failing test case.
The SMT-LIB Standard Version 2.0
Clark Barrett,Aaron Stump,Cesare Tinelli +2 more
- 01 Jan 2010
TL;DR: This paper introduces Version 2 of the SMT-LIB Standard, a major upgrade of the previous Version 1.2 which, in addition to simplifying and extending the languages of that version, includes a new command language for interfacing with SMT solvers.
Why3: where programs meet provers
Jean-Christophe Filliâtre,Andrei Paskevich +1 more
- 16 Mar 2013
TL;DR: Why3, a tool for deductive program verification, and WhyML, its programming and specification language, are presented, a first-order language with polymorphic types, pattern matching, and inductive predicates.
•Journal Article
Differential Testing for Software.
TL;DR: Quality is not a question of correctness, but rather of how many bugs are fixed and how few are introduced in the ongoing development process; if the bug count is increasing, the software is deteriorating.
570
•Book
Handbook of Satisfiability: Volume 185 Frontiers in Artificial Intelligence and Applications
Armin Biere,Marijn J. H. Heule,H. van Maaren,Toby Walsh +3 more
- 01 Jan 2009
TL;DR: This collection of papers on all theoretical and practical aspects of SAT solving will be extremely useful to both students and researchers and will lead to many further advances in the field.
564
Related Papers (5)
Leonardo de Moura,Nikolaj Bjørner +1 more
- 29 Mar 2008
Dominik Winterer,Chengyu Zhang,Zhendong Su +2 more
- 11 Jun 2020
Aina Niemetz,Mathias Preiner,Armin Biere +2 more
- 01 Jan 2017