2 research outputs found
SMT Sampling via Model-Guided Approximation
We investigate the domain of satisfiable formulas in satisfiability modulo
theories (SMT), in particular, automatic generation of a multitude of
satisfying assignments to such formulas. Despite the long and successful
history of SMT in model checking and formal verification, this aspect is
relatively under-explored. Prior work exists for generating such assignments,
or samples, for Boolean formulas and for quantifier-free first-order formulas
involving bit-vectors, arrays, and uninterpreted functions (QF_AUFBV). We
propose a new approach that is suitable for a theory T of integer arithmetic
and to T with arrays and uninterpreted functions. The approach involves
reducing the general sampling problem to a simpler instance of sampling from a
set of independent intervals, which can be done efficiently. Such reduction is
carried out by expanding a single model - a seed - using top-down propagation
of constraints along the original first-order formula
Automated Program Repair Using Formal Verification Techniques
We focus on two different approaches to automatic program repair, based on formal verification methods. Both repair techniques consider infinite-state C-like programs, and consist of a generate-validate loop, in which potentially repaired programs are repeatedly generated and verified. Both approaches are incremental – partial information gathered in previous verification attempts is used in the next steps. However, the settings of both approaches, including their techniques for finding repairs, are quite distinct. The first approach uses syntactic mutations to repair sequential programs with respect to assertions in the code. It is based on a reduction to the problem of finding unsatisfiable sets of constraints, which is addressed using an interplay between SAT and SMT solvers. A novel notion of must-fault-localization enables efficient pruning of the search space, without losing any potential repair. The second approach uses an Assume-Guarantee (AG) style reasoning in order to verify large programs, composed of two concurrent components. The AG reasoning is based on automata-learning techniques. When verification fails, the procedure repeatedly repairs one of the components, until a correct repair is found. Several different repair methods are considered, trading off precision and convergence to a correct repair