def refine(self, v):
logging.debug("Refining: " + str(v))
if v.location not in self.cfa.panic:
return
if models(v.label, BoolVal(False)):
return
v_pi, u_pi = v.ancestors_path, v.transition_path
assert (len(v_pi) == len(u_pi) + 1)
u_pi_, times = timeshift(u_pi)
assert (len(u_pi) == len(u_pi_))
try:
a_hat = z3.sequence_interpolant(u_pi_)
except z3.ModelRef as model:
self.mark_unsafe(v, model)
return
a_hat.push(BoolVal(False))
assert (len(v_pi) == len(a_hat) + 1)
for i in range(len(a_hat)):
phi = untimeshift(a_hat[i], times)
if not models(v_pi[i + 1].label, phi):
for (x, y) in self.covering.copy():
if y == v_pi[i + 1]:
self.covering.discard((x, y))
v_pi[i + 1].label = z3.simplify(And(v_pi[i + 1].label, phi))
def gen_var_list(cls):
"""Generate var_list by alphabet and k."""
cls.var_list.append(BoolVal(True))
number = cls.get_number()
number = number * number + 1
for i in range(1, number):
v_name = "A_{}".format(i)
cls.var_list.append(Bool(v_name))
cls.var_list.append(BoolVal(False))
def as_formula(self):
if self.is_top():
return BoolVal(True)
if self.is_bottom():
return BoolVal(False)
constraints = []
for var in self.dict.keys():
interval = self.dict[var]
if not interval.is_high_inf():
constraints.append(Int(var) <= IntVal(interval.high.n))
if not interval.is_low_minf():
constraints.append(Int(var) >= IntVal(interval.low.n))
return And(constraints)
def count_cells(
symbol_grid: SymbolGrid,
start: Point,
direction: Direction,
count: Callable[[ArithRef], ArithRef] = lambda c: IntVal(1),
stop: Callable[[ArithRef], BoolRef] = lambda c: BoolVal(False)
) -> ArithRef:
"""Returns a count of cells along a sightline through a grid.
Args:
symbol_grid (grilops.grids.SymbolGrid): The grid to check against.
start (grilops.geometry.Point): The location of the cell where the
sightline should begin. This is the first cell checked.
direction (grilops.geometry.Direction): The direction to advance to reach
the next cell in the sightline.
count (Callable[[ArithRef], ArithRef]): A function that accepts
a symbol as an argument and returns the integer value to add to the count
when this symbol is encountered. By default, each symbol will count with
a value of one.
stop (Callable[[ArithRef], BoolRef]): A function that accepts a
symbol as an argument and returns True if we should stop following the
sightline when this symbol is encountered. By default, the sightline will
continue to the edge of the grid.
Returns:
An `ArithRef` for the count of cells along the sightline through the grid.
"""
return reduce_cells(symbol_grid, start, direction,
cast(ArithRef, IntVal(0)), lambda a, c: a + count(c),
lambda a, c: stop(c))
def _get_goal_def_formula(self):
if self.settings.inline_goal:
return BoolVal(True)
return And([
self.env.forall(
self.goal_expr == self.input_program.goal),
self.goal_expr == self.input_program.goal
])
def _get_formulas_hash(self, aag_lines, in_lits, next_state_lits, out_lits,
prev_state_lits):
formulas = {lit: Bool(str(lit)) for lit in in_lits + prev_state_lits}
formulas[0] = BoolVal(False)
formulas[1] = BoolVal(True)
first_and_line_idx = next(
(i
for i in xrange(len(aag_lines)) if len(aag_lines[i].split()) == 3
and int(aag_lines[i].split()[0]) != int(aag_lines[i].split()[2])
and int(aag_lines[i].split()[2]) != 1), len(aag_lines))
aag_from_and = aag_lines[first_and_line_idx:]
first_and_lit = int(
aag_from_and[0].split()[0]) if aag_from_and else None
[
self._dfs(formulas, lit_to_calc, aag_from_and, first_and_lit)
for lit_to_calc in next_state_lits + out_lits
]
return formulas
def GetValFromType(typ, raw_val):
srt = GetSortFromType(typ)
if srt == IntSort():
return IntVal(raw_val)
elif srt == BoolSort():
return BoolVal(raw_val)
elif is_bv_sort(srt):
sz = srt.size()
return BitVecVal(raw_val, sz)
else:
raise SynthException('Unknown sort')
def simplify(self, condition):
visit_result = self.visit(condition)
if visit_result.sort().name() != "Bool":
return visit_result
result = Tactic("ctx-solver-simplify")(visit_result)[0]
if len(result) == 0:
return BoolVal(True)
if len(result) < 2:
return result[0]
return And(*result)
def reduce_cells( # pylint: disable=R0913
symbol_grid: SymbolGrid,
start: Point,
direction: Direction,
initializer: Accumulator,
accumulate: Callable[[Accumulator, ArithRef], Accumulator],
stop: Callable[[Accumulator, ArithRef],
BoolRef] = lambda a, c: BoolVal(False)) -> Accumulator:
"""Returns a computation of a sightline through a grid.
Args:
symbol_grid (grilops.grids.SymbolGrid): The grid to check against.
start (grilops.geometry.Point): The location of the cell where the
sightline should begin. This is the first cell checked.
direction (grilops.geometry.Direction): The direction to advance to reach
the next cell in the sightline.
initializer (Accumulator): The initial value for the accumulator.
accumulate (Callable[[Accumulator, ArithRef], Accumulator]): A function
that accepts an accumulated value and a symbol as arguments, and returns
a new accumulated value. This function is used to determine a new
accumulated value for each cell along the sightline, based on the
accumulated value from the previously encountered cells as well as the
symbol in the current cell.
stop (Callable[[Accumulator, ArithRef], BoolRef]): A function that accepts
an accumulated value and a symbol as arguments, and returns True if we
should stop following the sightline when this symbol is encountered. By
default, the sightline will continue to the edge of the grid.
Returns:
The accumulated value.
"""
stop_terms = []
acc_terms = [initializer]
p = start
while p in symbol_grid.grid:
cell = symbol_grid.grid[p]
acc_term = accumulate(acc_terms[-1], cell)
acc_terms.append(acc_term)
stop_terms.append(stop(acc_term, cell))
p = p.translate(direction.vector)
expr = acc_terms.pop()
for stop_term, acc_term in zip(reversed(stop_terms), reversed(acc_terms)):
expr = If(stop_term, acc_term, expr)
return expr
def __init__(
self,
parent,
transition,
location,
owner,
):
self.num = UnwindingVertex.next_num
UnwindingVertex.next_num += 1
self.parent = parent
if self.parent is not None:
self.parent.children.add(self)
self.transition = transition # \( T \)
self.location = location # \( M_v(self) \)
# \( M_e(self.parent, self) \)
self.children = set()
self.label = BoolVal(True) # \( \psi(self) \)
self.owner = owner
def generate_fomula(sen_pos, sen_neg):
# deterministic formula
d_formula = ST.gen_deterministic_formula()
# postive sentences -> constraint
for s in sen_pos:
st = ST(s)
st.gen_sentence_constraint(False)
ST.print_global_table_count()
formula_pos = ST.generate_global_constraint()
# negative sentences -> constraint
formula_neg_list = [BoolVal(True)]
for s in sen_neg:
st = ST(s)
st_const = st.gen_sentence_constraint()
formula_neg_list.append(Not(st_const))
formula_neg = And(formula_neg_list)
# all constraint
formula = And(d_formula, formula_pos, formula_neg)
return formula
def generalize_cube(z3_formula, model, all_vars):
assigned_vars = set([_v for _v in all_vars if model[_v] is not None])
my_model = MyModel({v: model[v] for v in assigned_vars})
go_over_vars = list(assigned_vars)
for _var in go_over_vars:
model_tag = MyModel(dict(my_model.assignment))
model_tag[_var] = BoolVal(is_false(my_model[_var]))
z3_assigned = simplify(
substitute(z3_formula,
*[(_v, model_tag[_v]) for _v in assigned_vars]))
if is_false(z3_assigned):
continue
s = SatSolverSelector.SatSolverCtor()
res = s.add(z3_assigned)
if res and s.check():
assigned_vars -= {_var}
my_model.unassign(_var)
return my_model
#
# Author: ThanhVu (Vu) Nguyen
############################################
from vu_common import vset
from z3 import \
(is_expr, ctypes,
Z3_OP_UNINTERPRETED, Z3_OP_AND, Z3_OP_OR,
Z3_OP_NOT, Z3_OP_IMPLIES, Z3_OP_IFF, Z3_OP_ITE, Z3_OP_XOR,
Z3_REAL_SORT, Z3_INT_SORT, Z3_BOOL_SORT, Z3_DATATYPE_SORT,
Const, Bool, BoolVal, Int, Real,
Or, And, Implies, Not,
is_app, is_app_of, is_const, is_bool, is_not,
Solver, unsat, sat, unknown, ModelRef)
FALSE = BoolVal(False)
TRUE = BoolVal(True)
def get_z3_version(as_str=False):
import z3
print(
'WARN: deprecated, use z3.get_version() or z3.get_version_string() directly'
)
return z3.get_version_string() if as_str else z3.get_version()
def fhash(v):
"""
Return a 'stronger' hash result than the default hash() method.
The result from hash() is not enough to distinguish between 2
def xor_all(l):
if not l: return BoolVal(False)
return reduce(Xor, l)
def int_vec_to_z3(int_vec):
return [BoolVal(val == 1) for val in int_vec]
from __future__ import annotations
from functools import reduce
from z3 import And, Bool, Tactic, BoolVal
from binaryninja import (MediumLevelILBasicBlock, MediumLevelILInstruction,
MediumLevelILOperation, log_debug, log_info)
from . import mlil_ast
_true_condition = BoolVal(True)
class MediumLevelILAstNode(object):
def __init__(self, ast: mlil_ast.MediumLevelILAst):
self._type = None
self._ast = ast
@property
def type(self):
return self._type
@property
def ast(self):
return self._ast
@property
def start(self):
return None
def model(self):
raw_model = self._solver.get_model()
model = MyModel({self._num_to_name[val]: BoolVal(val > 0) for val in raw_model})
return model
def visit_MLIL_CONST(self, expr):
if expr.size == 0 and expr.constant in (0, 1):
return BoolVal(True) if expr.constant else BoolVal(False)
return BitVecVal(expr.constant, expr.size * 8)
def reduce_cells( # pylint: disable=R0913
symbol_grid: SymbolGrid,
start: Point,
direction: Direction,
initializer: Accumulator,
accumulate: AccumulateCallback,
stop: StopCallback = lambda a, c: BoolVal(False)
) -> Accumulator:
"""Returns a computation of a sightline through a grid.
Args:
symbol_grid (grilops.grids.SymbolGrid): The grid to check against.
start (grilops.geometry.Point): The location of the cell where the
sightline should begin. This is the first cell checked.
direction (grilops.geometry.Direction): The direction to advance to reach
the next cell in the sightline.
initializer (Accumulator): The initial value for the accumulator.
accumulate (AccumulateCallback): A function that accepts an accumulated
value, a symbol, and (optionally) a point as arguments, and returns a new
accumulated value. This function is used to determine a new accumulated
value for each cell along the sightline, based on the accumulated value
from the previously encountered cells as well as the point and/or symbol
of the current cell.
stop (StopCallback): A function that accepts an accumulated value, a
symbol, and (optionally) a point as arguments, and returns True if we
should stop following the sightline when this symbol or point is
encountered. By default, the sightline will continue to the edge of the
grid.
Returns:
The accumulated value.
Raises:
ValueError: If the accumulate or stop callback doesn't accept the correct
number of arguments.
"""
num_accumulate_args = len(signature(accumulate).parameters)
num_stop_args = len(signature(stop).parameters)
stop_terms = []
acc_terms = [initializer]
p = start
while p in symbol_grid.grid:
cell = symbol_grid.grid[p]
if num_accumulate_args == 3:
acc_term = accumulate(acc_terms[-1], cell, p) # type: ignore[call-arg]
elif num_accumulate_args == 2:
acc_term = accumulate(acc_terms[-1], cell) # type: ignore[call-arg]
else:
raise ValueError("wrong number of accumulate callback args")
acc_terms.append(acc_term)
if num_stop_args == 3:
stop_terms.append(stop(acc_term, cell, p)) # type: ignore[call-arg]
elif num_stop_args == 2:
stop_terms.append(stop(acc_term, cell)) # type: ignore[call-arg]
else:
raise ValueError("wrong number of stop callback args")
p = p.translate(direction.vector)
expr = acc_terms.pop()
for stop_term, acc_term in zip(reversed(stop_terms), reversed(acc_terms)):
expr = If(stop_term, acc_term, expr)
return expr
def is_leaf(self):
return (len(self.children)
== 0) and (not self.owner.cfa.loc_exit == self.location) and (
not models(self.label, BoolVal(False)))
def to_formula(self, times=None):
return BoolVal(False)
def translate_expression(self, variables,
prism_expr: stormpy.Expression) -> z3.ExprRef:
# Translate primitive types.
# TODO: missing types!
if isinstance(prism_expr, bool):
# Note: the order of comparing bool and int types is significant,
# as bool is a subtype of int in Python.
return BoolVal(prism_expr)
elif isinstance(prism_expr, int):
cache_hit = self._int_cache.get(prism_expr)
if cache_hit is not None:
return cache_hit
z3intval = INTVAL_CTOR(prism_expr)
self._int_cache[prism_expr] = z3intval
return z3intval
# If we have a variable from the environment, look up its z3 variable.
elif prism_expr.is_variable() and variables[prism_expr.identifier()]:
return variables[prism_expr.identifier()].variable
# Otherwise, evaluate the value if it is a variable or a literal.
elif prism_expr.is_variable() or prism_expr.is_literal():
if prism_expr.has_boolean_type():
return BoolVal(prism_expr.evaluate_as_bool())
elif prism_expr.has_integer_type():
intval = prism_expr.evaluate_as_int()
cache_hit = self._int_cache.get(intval)
if cache_hit is not None:
return cache_hit
z3intval = INTVAL_CTOR(intval)
self._int_cache[intval] = z3intval
return z3intval
elif prism_expr.has_rational_type():
rational_value = prism_expr.evaluate_as_rational()
return RealVal(
Fraction(Fraction(str(rational_value.numerator)),
Fraction(str(rational_value.denominator))))
# special case for sot.Divide: we intentionally only support division for constant values
elif prism_expr.is_function_application and prism_expr.operator == stormpy.OperatorType.Divide:
return Fraction(
Fraction(prism_expr.get_operand(0).evaluate_as_int()),
Fraction(prism_expr.get_operand(1).evaluate_as_int()))
# Lastly, handle function applications.
elif prism_expr.is_function_application:
sot = stormpy.OperatorType
operators = {
sot.And:
And,
sot.Or:
Or,
sot.Xor:
operator.xor,
sot.Implies:
z3.Implies,
sot.Iff:
operator.eq,
sot.Plus:
operator.add,
sot.Minus:
operator.sub,
sot.Times:
operator.mul,
# sot.Divide is handled above
# sot.Min: z3.Min,
# sot.Max: z3.Max,
# TODO: Power, Modulo missing
sot.Equal:
operator.eq,
sot.NotEqual:
operator.ne,
sot.Less:
operator.lt,
sot.LessOrEqual:
operator.le,
sot.Greater:
operator.gt,
sot.GreaterOrEqual:
operator.ge,
sot.Not:
operator.neg,
# TODO: Floor and Ceil missing
sot.Ite:
z3.If
}
op_fn = operators[prism_expr.operator]
operands = (_translate_expression(variables,
prism_expr.get_operand(i))
for i in range(prism_expr.arity))
return op_fn(*operands)
raise NotImplementedError()
def _get_not_in_range_phi_zero_formula(self):
return BoolVal(True) # TODO: is this necessary?