Z3 | 易学教程

SMT solver with custom theories?

阅读更多关于 SMT solver with custom theories?

问题 I'm looking at doing some verification work where I've got regular tree grammars as an underlying theory. Z3 lets you define your own stuff with uninterpreted functions, but that doesn't tend to work well any time your decision procedures are recursive. They used to allow for plugins but that has been depricated, I think. I'm wondering, does anybody have a recommendation of a decent SMT solver that allows you to write decision procedures for custom theories? 回答1: There are several options

How to loop over array in Z3Py

阅读更多关于 How to loop over array in Z3Py

问题 As part of a reverse engineering exercise, I'm trying to write a Z3 solver to find a username and password that satisfy the program below. This is especially tough because the z3py tutorial that everyone refers to (rise4fun) is down. #include <iostream> #include <string> using namespace std; int main() { string name, pass; cout << "Name: "; cin >> name; cout << "Pass: "; cin >> pass; int sum = 0; for (size_t i = 0; i < name.size(); i++) { char c = name[i]; if (c < 'A') { cout << "Lose: char

Building z3 on mac os x

阅读更多关于 Building z3 on mac os x

问题 I'm trying to build Z3 on mac os x. Following README file, I just executed autoconf ./configure make to get an error "omp.h" file not found. I copied the omp.h file from /usr/llvm-gcc-4.2/lib/gcc/i686-apple-darwin11/4.2.1/include to lib directory to solve this issue. Then, I got lib/buffer.h:243:13: error: use of undeclared identifier 'push_back' error in building the code. What could be the solution? I have gcc version 4.2.1 (Based on Apple Inc. build 5658) (LLVM build 2336.11.00) on Mac OS

Avoiding quantifiers in Z3

阅读更多关于 Avoiding quantifiers in Z3

问题 I am experimenting with Z3 where I combine the theories of arithmetic, quantifiers and equality. This does not seem to be very efficient, in fact it seems to be more efficient to replace the quantifiers with all instantiated ground instances when possible. Consider the following example, in which I have encoded the unique names axiom for a function f that takes two arguments of sort Obj and returns an interpreted sort S . This axiom states that each unique list of arguments to f returns a

Does Z3 support Real-to-Int conversions?

阅读更多关于 Does Z3 support Real-to-Int conversions?

问题 In Z3 you have to_real to obtain the Real equivalent of an Int. Is there some support to the inverse conversions, i.e., to truncation, rounding or like? In the negative case, what could be the most Z3-friendly way of defining them, if any? Many thanks to everyone will answer. 回答1: Yes, Z3 has a to_int function that converts a Real into an integer. The semantics of to_int is defined in the SMT 2.0 standard. Here is an example: http://rise4fun.com/Z3/uJ3J (declare-fun x () Real) (assert (= (to

Z3 quantifier support

阅读更多关于 Z3 quantifier support

问题 I need a theorem prover for some simple linear arithmetic problems. However, I can't get Z3 to work even on simple problems. I'm aware that it is incomplete, however it should be able to handle this simple example: (assert (forall ((t Int)) (= t 5))) (check-sat) I'm not sure if i'm overlooking something, but this should be trivial to disprove. I even tried this simpler example: (assert (forall ((t Bool)) (= t true))) (check-sat) That should be solvable by making an exhaustive search, since

Multi-threaded Z3?

阅读更多关于 Multi-threaded Z3?

问题 I'm working on a Python project, where I'm currently trying to speed things up in some horrible ways: I set up my Z3 solvers, then I fork the process, and have Z3 perform the solve in the child process and pass a pickle-able representation of the model back to the parent. This works great, and represents the first stage of what I'm trying to do: the parent process is now no longer CPU-bound. The next step is to multi-thread the parent, so that we can solve multiple Z3 solvers in parallel. I'm

What are the limits of reasoning in quantified arithmetic in SMT?

阅读更多关于 What are the limits of reasoning in quantified arithmetic in SMT?

问题 I have tried several SMT solvers (CVC3, CVC4 and Z3) on the following seemingly trivial benchmark: (set-logic LIA) (set-info :smt-lib-version 2.0) (assert (forall (( x Int)) (forall ((y Int)) (= y x)))) (check-sat) (exit) The solvers all return unknown. I understand that this is an undecidable fragment (well non-linear) but I was expecting there would be some simple instantiation heuristics that could solve it. I also tried adding some extra assertions with constants but it didn't help. Is

z3 behaviour changing on request for unsat core

阅读更多关于 z3 behaviour changing on request for unsat core

I have several SMTLIB2 examples which z3 normally finds unsat in 10s of milliseconds, yet, when I add in a request for it to generate unsat cores, the check-sat keeps going for minutes without returning. Is this behaviour to be expected? Does requesting unsat cores do more than just switch on instrumentation recording dependencies, and change which procedures and options z3 runs with? Is it possible to set further options so I see the same behaviour when I'm using unsat core generation as I see when I'm not using it? I'm using Z3 4.3.1 (stable branch) on Scientific Linux 6.3. The examples are

for all quantifier in Z3

阅读更多关于 for all quantifier in Z3

问题 I would like to see an example of C-API Z3_mk_forall_const() in Z3. I am trying to encode - (define-fun max_integ ((x Int) (y Int)) Int (ite (< x y) y x)) What I tried is following, but I get type error #include <stdio.h> #include <stdlib.h> #include <z3.h> void error_handler(Z3_context c, Z3_error_code e) { printf("Error code: %d\n", e); printf("Error msg : %s\n", Z3_get_error_msg(e)); exit(0); } Z3_context mk_context_custom(Z3_config cfg, Z3_error_handler err) { Z3_context ctx; Z3_set_param