def __extractSATModel(self):
z3Model = self.SATsolver.model()
convIFModel = [
z3.is_true(z3Model[bConv]) for bConv in self.convIFClauses
]
bModel = [z3.is_true(z3Model[b]) for b in self.bVars]
return convIFModel, bModel
def solve_z3(target, steps=64):
s = z3.Solver()
bits = [((target >> x) & 1) for x in range(steps - 1, -1, -1)]
z3_target_bits = [z3.BoolVal(bool(bit)) for bit in bits]
z3_source_bits = [z3.Bool('b-%02d' % x) for x in xrange(steps)]
for k, v in enumerate(z3_target_bits):
s.add(v == z3.Not(
z3.Or(
z3.And(z3_source_bits[(k - 1) % steps], z3_source_bits[k],
z3_source_bits[(k + 1) % steps]),
z3.And(z3.Not(z3_source_bits[(k - 1) % steps]),
z3.Not(z3_source_bits[k]),
z3.Not(z3_source_bits[(k + 1) % steps])))))
possible_solutions = []
while s.check() == z3.sat:
m = s.model()
temp_solution = [z3.is_true(m[x]) for x in z3_source_bits]
s.add(z3.Not(z3.And([x == z3.is_true(m[x]) for x in z3_source_bits])))
bits_s = map(int, temp_solution)
n = 0
for bit in bits_s:
n = (n << 1) | bit
# possible_solutions.append(n)
print(hex(n))
return possible_solutions
def visit_MLIL_VAR_PHI(self, expr):
# For simplicity assume phi statements do not have control flow dependencies.
assert (not expr.branch_dependence)
# Again, for simplicity, assume phi statements only have two input sources.
assert (len(expr.src) == 2)
# Visit source vars definitions.
for var in expr.src:
var_def = self.func.get_ssa_var_definition(var)
if var not in self.visited:
self.to_visit.append(var_def)
phi_srcs = [CreateBitVec(var) for var in expr.src]
phi_deps = [
self.VariableControlFlowDependency(var) for var in expr.src
]
# If only one of phi's sources has a control flow dependency,
# model the other with the negation of the dependency.
# See function comment above.
if z3.is_true(phi_deps[0]) and not z3.is_true(phi_deps[1]):
phi_deps[0] = z3.Not(phi_deps[1])
elif not z3.is_true(phi_deps[0]) and z3.is_true(phi_deps[1]):
phi_deps[1] = z3.Not(phi_deps[0])
dest = CreateBitVec(expr.dest)
phi_expr = functools.reduce(lambda i, j: z3.Or(i, j), [
z3.And((dest == src), dep)
for (src, dep) in zip(phi_srcs, phi_deps)
])
self.solver.add(phi_expr)
self.visited.add(expr.dest)
def test_translate(self):
fp = z3.Fixedpoint()
atom1 = ast.Atom('p', [
ast.NumConstant(2, 'int4'),
ast.NumConstant(3, 'int4'),
ast.Variable('X', 'int4')
])
atom2 = ast.Atom('p', [
ast.NumConstant(2, 'int4'),
ast.NumConstant(3, 'int4'),
ast.Variable('Y', 'int4')
])
int4 = z3.BitVecSort(4)
p = z3.Function('p', int4, int4, int4, z3.BoolSort())
a0 = z3.BitVecVal(2, int4)
a1 = z3.BitVecVal(3, int4)
a2 = z3.Const('X', int4)
a3 = z3.Const('Y', int4)
args1 = [a0, a1, a2]
args2 = [a0, a1, a3]
project = projection.Projection([], None)
project.grounded = {'p': (0, 1)}
project.items = {'p': {}}
project.relations = {'p': p}
result = project.translate(fp, atom1, args1)
self.assertIn((0, 1), project.items['p'])
self.assertIn((a0, a1), project.items['p'][(0, 1)])
p0 = project.items['p'][(0, 1)][(a0, a1)]
self.assertIs(True, z3.is_true(z3.simplify(p0(a2) == result)))
result2 = project.translate(fp, atom2, args2)
self.assertIs(True, z3.is_true(z3.simplify(p0(a3) == result2)))
def is_simple_query(self):
"""Returns true if query is a simple.
A simple query is an application of an uninterpreted predicate
"""
if not self.is_query():
return False
if self.uninterp_size() != 1:
return False
predicate = self.body()[0]
if predicate.num_args() > 0:
return False
_body = self.body()[1:]
if len(_body) == 0:
return True
if len(_body) == 1:
return z3.is_true(_body[0])
_body = z3.simplify(z3.And(*_body, self._ctx))
return z3.is_true(_body)
def _extract_value(value, uct_sort):
"""
Converts the value of a concrete constant represented as a z3.ExprRef into a simple python type
that can be explicitly manipulated.
The explicit conversion scheme is as follows:
fgsort -> int
fgsetsort -> set of int
intsort -> int
intsetsort -> set of int
boolsort -> bool
:param value: z3.ExprRef
:param uct_sort: uct.UCTSort
:return: any
"""
# value assumed to be such that value.decl().arity == 0
if uct_sort == boolsort:
# value is either BoolVal(True) or BoolVal(False)
return z3.is_true(value)
elif uct_sort == fgsort or uct_sort == intsort:
# value is an IntVal(v) for some number v
return value.as_long()
elif uct_sort == fgsetsort or uct_sort == intsetsort:
# value is a set of integers.
# model.compact has been disabled (see top of file). ArrayRef should not have lambdas in it.
if not isinstance(value, z3.ArrayRef):
raise ValueError(
'Something is wrong. Model is returning lambdas instead of arrays.'
)
# iteratively deconstruct the expression to build the set of python numbers.
extracted_set = set()
value = value.__deepcopy__()
while True:
if z3.is_K(value):
# Base case. Either full set or empty set.
if z3.simplify(value[0]):
# Full set of integers. Raise exception.
raise ValueError(
'Model assigned infinite sets to some interpretations. Unsupported.'
)
else:
return extracted_set
elif z3.is_store(value):
remaining_set, entry, if_belongs = value.children()
value = remaining_set
extracted_set = extracted_set | (
{entry.as_long()} if z3.is_true(if_belongs) else {})
else:
raise ValueError(
'ArrayRef is constructed with neither Store nor K. Possible multidimensional arrays. '
'Unsupported.')
else:
raise ValueError(
'UCT Sort type not supported for extraction of models.')
def check_and_interpret (self):
"""Synthesize configuration based on current parameters"""
#result = self.solver.check()
for i in xrange(1, len(self.previously_unallowed) + 1):
solver.push()
solver.append(self.new_rules < i)
result = solver.check()
if result == z3.sat:
print "Found a result at %d"%(i)
break
else:
solver.pop()
print "Trying with %d rule changes"%(i)
if result != z3.sat:
print "Failed to check" # Really in this case we should be extracting the unsat core and trying to figure out
# what is conflicting. This seems useful for users (also maybe allows us to deal with
# deletions).
return
model = self.solver.model()
solver.pop()
fixes = []
for (sg1, sg2) in self.previously_unallowed:
if z3.is_true(model.evaluate(self.d_reach(self.nodes[sg1], self.nodes[sg2]))):
print "Result will connect %s ---> %s directly"%(sg1, sg2)
fixes.append(self.configuration.direct_connection_fix_sg(sg1, sg2, self.port))
print "Fix is thus\n\t%s"%('\n\t'.join(map(str, fixes)))
def true(value):
"""Syntactic sugar for `z3.is_true(simplify(value))`.
i.e., return True iff `value` statically simplifies to True.
"""
return z3.is_true(simplify(value))
def elim_bool_ite(exp):
if z3.is_quantifier(exp):
(qvars, matrix) = strip_qblock(exp)
matrix = elim_bool_ite(matrix)
if exp.is_forall():
e = z3.ForAll(qvars, matrix)
else:
e = z3.Exists(qvars, matrix)
return e
if not z3.is_bool(exp): return exp
if z3.is_true(exp) or z3.is_false(exp): return exp
assert z3.is_app(exp)
decl = exp.decl()
args = map(elim_bool_ite, exp.children())
# need to worry about And and Or because they can take >2 args and
# decl(*args) doesn't seem to work with the py interface
if z3.is_and(exp):
return z3.And(*args)
elif z3.is_or(exp):
return z3.Or(*args)
elif is_ite(exp):
impl1 = z3.Implies(args[0], args[1])
impl2 = z3.Implies(z3.Not(args[0]), args[2])
return z3.And(impl1, impl2)
else:
return decl(*args)
def __init__(self,
name,
announcement_sort,
announcements_var_map,
permitted_fun,
prev_ctxs=None):
if prev_ctxs is None:
prev_ctxs = []
for ctx in prev_ctxs:
assert isinstance(ctx, SMTPermittedWrapper)
eval_fun = lambda model, val: z3.is_true(model.eval(val))
getter = lambda ann: ann.permitted
def setter(ann, value):
"""Set the local pref value in the Announcement"""
ann.permitted = value
return ann
super(SMTPermittedWrapper, self).__init__(name,
'permitted',
announcement_sort,
announcements_var_map,
permitted_fun,
z3.BoolSort(),
None,
eval_fun=eval_fun,
getter=getter,
setter=setter,
prev_ctxs=prev_ctxs)
def __init__(self,
name,
community,
announcement_sort,
announcements_var_map,
community_fun,
prev_ctxs=None):
if prev_ctxs is None:
prev_ctxs = []
for ctx in prev_ctxs:
assert isinstance(ctx, SMTCommunityWrapper)
eval_fun = lambda model, val: z3.is_true(model.eval(val))
getter = lambda ann: ann.communities[community]
def setter(ann, value):
"""Set the community value in the Announcement"""
ann.communities[community] = value
return ann
super(SMTCommunityWrapper, self).__init__(name,
'Has_%s' % community.name,
announcement_sort,
announcements_var_map,
community_fun,
z3.BoolSort(),
None,
eval_fun=eval_fun,
getter=getter,
setter=setter,
prev_ctxs=prev_ctxs)
self.community = community
def separate(
self,
pos: Collection[int] = (),
neg: Collection[int] = (),
) -> Optional[Expr]:
assert all(0 <= i < len(self.states) for i in chain(pos, neg))
assumptions = tuple(
chain(
(self.state_v(i) for i in sorted(pos)),
(z3.Not(self.state_v(i)) for i in sorted(neg)),
))
res = self.solver.check(*assumptions)
assert res in (z3.sat, z3.unsat), f'{res}\n\n{self.solver}'
if res == z3.unsat:
return None
else:
m = self.solver.model()
# bias toward strongest separator, but no minimization for now
assignment: Dict[Tuple[int, Expr], bool] = {
k: z3.is_true(m[x])
for k, x in self.lit_vs.items()
}
return Forall(
self.vs,
And(*(Or(*(lit for lit in self.literals if assignment[i, lit]))
for i in range(self.n_clauses))))
def get_true_boolean_features_from_model(model):
ls = []
for decl in model.decls():
if z3.is_true(model[decl]):
if not "!" in decl.__repr__():
ls.append(decl.__repr__())
return ls
def is_true(a: Bool) -> bool:
"""Returns whether the provided bool can be simplified to true.
:param a:
:return:
"""
return z3.is_true(a.raw)
def val(self, exp):
'''Evaluate a z3 ref to a python value based on this solution.
'''
v = self.model.eval(exp)
if z3.is_true(v):
return True
if z3.is_false(v):
return False
if z3.is_algebraic_value(v):
v = v.approx(20)
if z3.is_int_value(v):
return v.as_long()
if z3.is_rational_value(v):
return v.numerator_as_long() / v.denominator_as_long()
return z3.is_true(v)
def order_regions(self):
for header, node in sorted(
list(self._regions.items()),
key=cmp_to_key(lambda i, j: 1 if self.reaching_conditions.get(
(i[0], j[0])) is None else -1)):
reaching_constraint = self._reaching_constraints.get(
(self._function.basic_blocks[0], header))
if is_true(reaching_constraint):
reaching_constraint = None
elif not self._function[node.start].branch_dependence:
reaching_constraint = None
if node.acyclic:
node = self.convert_region_to_seq(node)
else:
node = self.convert_region_to_loop(node)
if reaching_constraint is not None:
new_region_node = MediumLevelILAstCondNode(
self, reaching_constraint,
self._function.basic_blocks[0][-1].address)
new_region_node[True] = node
else:
new_region_node = node
self._regions[header] = new_region_node
def find_if_else_for_node(self, header: MediumLevelILBasicBlock,
nodes: list):
nodes_to_check = list(nodes)
nodes_to_remove = []
while nodes_to_check:
ni = nodes_to_check.pop()
if not isinstance(ni, MediumLevelILAstCondNode):
continue
for nj in nodes_to_check:
if not isinstance(nj, MediumLevelILAstCondNode):
continue
if ni.start == nj.start:
continue
cni = ni.condition
cnj = nj.condition
if is_true(simplify(cni == Not(cnj))):
if cni.decl().name() == 'not':
self._make_if_else(nj, ni)
nodes_to_check.remove(nj)
nodes_to_remove.append(ni)
else:
self._make_if_else(ni, nj)
nodes_to_check.remove(nj)
nodes_to_remove.append(nj)
break
return nodes_to_remove
def is_true(self) -> bool:
"""Specifies whether this variable can be simplified to true.
:return:
"""
self.simplify()
return z3.is_true(self.raw)
def num_clauses(formula):
if z3.is_and(formula):
return len(formula.children())
elif formula == True or z3.is_true(formula) or \
formula == False or z3.is_false(formula):
return 0
else:
return 1
def is_bool_or_int_value(value):
if z3.is_int_value(value):
return True
if value.sort() == z3.BoolSort():
if z3.is_true(value) or z3.is_false(value):
return True
else:
return False
def _state_id_to_prism_variable_to_value(self, state_id):
"""
Returns a dict from prism variables to z3 values representing the valuation of state_id.
:param state_id:
:return:
"""
state_valuation = self.state_graph.get_state_valuation(state_id)
return {input_variable.get_prism_variable(): z3.is_true(z3_value) for input_variable, z3_value in state_valuation.items() if not (z3.is_int_value(z3_value) or z3.is_rational_value(z3_value))}, {input_variable.get_prism_variable() : z3_value.as_long() for input_variable, z3_value in state_valuation.items() if (z3.is_int_value(z3_value) or z3.is_rational_value(z3_value))}
def _is_literal(z3ast):
if z3.is_int(z3ast):
return z3.is_int_value(z3ast)
if z3.is_bool(z3ast):
return z3.is_true(z3ast) or z3.is_false(z3ast)
if z3ast.sort_kind() == z3.Z3_UNINTERPRETED_SORT:
return z3.is_const(z3ast) and '!' in str(z3ast)
raise NotImplementedError('Don\'t know how to literal-check %s' % z3ast)
def _synthesize(self, m):
for bi, ci in itertools.izip(self.choiceBools, self.choices):
v = z3.is_true(m[bi])
if v:
ci_ = ci.synthesize(m)
return ci_
ci_ = self.choices[-1].synthesize(m)
return ci_
def num_clauses(formula):
if z3.is_and(formula):
return len(formula.children())
elif formula == True or z3.is_true(formula) or \
formula == False or z3.is_false(formula):
return 0
else:
return 1
def _is_literal(z3ast):
if z3.is_int(z3ast):
return z3.is_int_value(z3ast)
if z3.is_bool(z3ast):
return z3.is_true(z3ast) or z3.is_false(z3ast)
if z3ast.sort_kind() == z3.Z3_UNINTERPRETED_SORT:
return z3.is_const(z3ast) and '!' in str(z3ast)
raise NotImplementedError('Don\'t know how to literal-check %s' % z3ast)
def update_unknown(self):
self.model = self.s.model()
new_unknown = set([])
for x in self.unknown:
if z3.is_true(self.model[x]):
self.mss.append(x)
else:
new_unknown.add(x)
self.unknown = new_unknown
def try_bool(b):
b = try_simplify(b)
# HACK: z3 python interface has bug/weird behavior where (x == y) is
# always False for unknown x and y, so use is_true and is_false instead
if z3.is_true(b):
return True
if z3.is_false(b):
return False
return None
def combine_solutions(self, models):
""" Generates the count of models in which each player is an impostor from a
list of models that satisfy the constraints """
counts = [0 for _ in range(self.n_players)]
for model in models:
for i in range(self.n_players):
if z3.is_true(model[self.impostor[i]]):
counts[i] += 1
return counts, len(models)
def get(self, v):
assert self._model is not None
assert type(v) is Z3BoolRef
v = self._model.eval(v.val, model_completion=True)
assert z3.is_bool(v)
t = z3.is_true(v)
f = z3.is_false(v)
assert t or f, f'bad {v}'
return int(t)
def z3ToPoint(self, point):
res = []
# get the variables corresponding to the axis names
for idx, i in enumerate(self.axis_names):
locals()[i] = Globals.z3variables[i]
if i in Globals.z3types: # non-numeric points -> coord to value
value = Globals.z3types[i][point[locals()[i]].as_long()]
elif None == point[locals()[i]]:
info("no value for %s, take %r (incomplete model)" %
(self.axis_names[idx], self.axis_val_ranges[idx][0]))
value = self.axis_val_ranges[idx][0]
elif z3.is_int_value(point[locals()[i]]):
value = point[locals()[i]].as_long()
elif z3.is_true(point[locals()[i]]) or z3.is_false(
point[locals()[i]]):
value = z3.is_true(point[locals()[i]])
res.append(value)
return res
def l_get(self, ast):
val = self.solver.model().eval(ast.ast)
if val == None:
return esbmc.solve.tvt(esbmc.solve.tvt_enum.unknown)
elif z3.is_true(val):
return esbmc.solve.tvt(esbmc.solve.tvt_enum.true)
elif z3.is_false(val):
return esbmc.solve.tvt(esbmc.solve.tvt_enum.false)
else:
raise Exception("Unknown model eval value from l_get")
def l_get(self, ast):
val = self.solver.model().eval(ast.ast)
if val == None:
return esbmc.solve.tvt(esbmc.solve.tvt_enum.unknown)
elif z3.is_true(val):
return esbmc.solve.tvt(esbmc.solve.tvt_enum.true)
elif z3.is_false(val):
return esbmc.solve.tvt(esbmc.solve.tvt_enum.false)
else:
raise Exception("Unknown model eval value from l_get")
def get_value(r):
# https://stackoverflow.com/questions/12598408/z3-python-getting-python-values-from-model/12600208
"""
Convert from Z3 to python values.
"""
if z3.is_true(r):
return z3.is_true(r)
elif z3.is_false(r):
return z3.is_false(r)
elif z3.is_int_value(r):
return r.as_long()
elif z3.is_algebraic_value(r):
return round(num(r.approx(15)), 10)
elif z3.is_rational_value(r):
return r.as_decimal(20)
elif r is None:
None
else:
return num(r)
def modelToSolution(self, solverModel):
solution = {}
# Build a structure parallel to self.taskVars, which instead
# of each variable holds the current mapping of that variable.
for key, varTable in self.taskVars.items():
solution[key] = {}
for index, var in varTable.items():
solution[key][index] = z3.is_true(solverModel[var])
solution["waitBefores"] = {}
for t in range(len(self.tasks)):
solution["waitBefores"][t] = solverModel[self.waitBefores[t]].as_long()
return solution
def ee_vars(self, qr):
"""
Given a query get entry and exit vars
"""
body = qr.body()
ch = body.children()
i = 0
true_vars = list()
for c in ch:
if z3.is_true(c):
true_vars.append(i)
i+=1
return true_vars
def getVars(self, idxs, pred_vars, qr):
"""
given a list of indexes return var names
"""
vars = list()
for idx in idxs:
v = pred_vars[idx]
if z3.is_true(v):
new_v = z3.Bool("__r"+str(idx)+"_0", qr.ctx)
vars.append(new_v)
else:
vars.append(v)
return vars
def reconstructBoard(board, model):
"""Reconstructs the board."""
chars = []
for row in board:
rowChars = []
for alphabets in row:
for idx, c in enumerate(alphabets):
if z3.is_true(model.eval(c)):
rowChars.append(chr(ord('A') + idx))
chars.append(rowChars)
return chars
def get_model_constant(m, t):
s = t.get_sort()
if isinstance(s, ivy_logic.EnumeratedSort) and not use_z3_enums:
for v in s.defines():
w = ivy_logic.Constant(ivy_logic.Symbol(v, s))
if z3.is_true(m.eval(encode_equality(t, w))):
return w
# print "model: {}".format(m.sexpr())
# print "term: {}".format(t)
res = ivy_logic.Constant(ivy_logic.Symbol(s.defines()[0], s))
print "warning: model doesn't give a value for enumerated term {}. returning {}.".format(t, res)
return res
# assert False # model doesn't give a value for enumerated term
return constant_from_z3(s, m.eval(term_to_z3(t), model_completion=True))
def fp_add_cover (fp, pred, lemma, level=-1):
# no trivial lemmas
if z3.is_true (lemma): return
assert (z3.is_app (pred))
sub = []
for i in range (0, pred.num_args ()):
arg = pred.arg (i)
sub.append ((arg,
z3.Var (i, arg.decl ().range ())))
tlemma = z3.substitute (lemma, sub)
if verbose:
print "Lemma for ", pred.decl (), ": ", tlemma
fp.add_cover (level, pred.decl (), tlemma)
def clause_model_simp(m, c):
""" Simplify a clause by dropping literals while maintaining its truth in a model. """
res = []
for l in c:
if not is_ground_lit(l):
res.append(l)
continue
# if isinstance(l.atom,ivy_logic.And):
# print "clause_model_simp: {}".format(c)
v = m.eval(literal_to_z3(l))
if z3.is_true(v):
return [l]
if not z3.is_false(v):
res.append(l)
return res
def tfFlags(self, pred, flags_len):
"""
return two lists, one for true and one false flags
"""
false_idxs = list()
true_idxs = list ()
if debug_cex: print "Get list of failing flags from : ", pred
ch = pred.children()
i=0
for val in ch[0:flags_len]:
if z3.is_false(val):
false_idxs.append(i)
i+=1
elif z3.is_true(val):
true_idxs.append(i)
i+=1
else: i+=1
return true_idxs, false_idxs
def mk_const(self, c):
if z3.is_int_value(c):
return ii(c.as_long())
if z3.is_rational_value(c):
# TODO: what should we convert a rational to?
return rr(Fraction(c.numerator_as_long(), \
c.denominator_as_long()))
elif z3.is_true(c):
return true
elif z3.is_false(c):
return false
else:
try:
return self.context.decls[str(c)]
except KeyError:
#Constant is not found in the context
typ = self.mk_sort(c.sort())
return const(str(c), typ)
def z3_to_val(z3_expr):
"""Send a z3 expression to it's value
as a python expression, if it has one,
otherwise return the expresson itself.
Arguments:
- `z3_expr`: a z3 AST
"""
if z3.is_int_value(z3_expr):
return z3_expr.as_long()
if z3.is_rational_value(z3_expr):
return Fraction(z3_expr.numerator_as_long(), \
z3_expr.denominator_as_long())
elif z3.is_true(z3_expr):
return True
elif z3.is_false(z3_expr):
return False
elif isinstance(z3_expr, z3.FuncInterp):
return z3_to_fun(z3_expr)
else:
return z3_expr
def check(self, fmla):
""" Return the set of satisfying assignments to the free variables in fmla. Returns
a table in the format (vars,rows), where each row is a tuple of values of the
variables in vars.
"""
vs = list(variables_ast(fmla))
s = self.solver
m = self.model
ranges = [self.constants[x.sort] for x in vs]
z3_fmla = literal_to_z3(fmla)
# print "z3_fmla = {}".format(z3_fmla)
z3_vs = [term_to_z3(v) for v in vs]
insts = []
for tup in itertools.product(*ranges):
interp = zip(z3_vs, tup)
fact = substitute(z3_fmla, *interp)
fact_val = m.eval(fact, model_completion=True)
# print "%s = %s" % (fact,fact_val)
if z3.is_true(fact_val):
args = [constant_from_z3(v.sort, y) for v, y in zip(vs, tup)]
insts.append(args)
return (vs, insts)
def solve(self, extra_constraints=None):
"""Return a solution to the constraint system, including all conditions
in `extra_constraints` (which are variable assignments when called from
`Constraints` after ``@always``.)
"""
self.solver.push()
try:
if extra_constraints:
self.solver.add(extra_constraints)
self.solver.add(*self.soft_constraints.values())
check = self.solver.check()
if check == z3.sat:
solution = self.solver.model()
# deleted_bindings = [
self.soft_constraints = {s: k for s, k
in self.soft_constraints.items()
if z3.is_true(solution[s])}
return solution
else:
raise ConstraintError(self.solver, extra_constraints)
finally:
self.solver.pop()
def _get_output_assignment(output_function):
state_sort = self._template_function.state_sort
return {state_name:
is_true(self.model.evaluate(
output_function(getattr(state_sort, state_name))))
for state_name in self.states}
z3.main_ctx()
z3.set_param('auto_config', False)
z3.set_param('smt.mbqi', True)
z3.set_param('model.compact', True)
z3.set_param('smt.pull_nested_quantifiers', True)
z3.set_param('smt.mbqi.max_iterations', 10000)
z3.set_param('smt.random_seed', random.SystemRandom().randint(0, sys.maxint))
print "Running simple trivial test"
ResetZ3 ()
start = time.time()
out = Trivial()
result = out.check.CheckIsolationProperty(out.a, out.b)
assert z3.sat == result.result, \
"Trivial Check Failed"
assert is_true(result.model.eval(out.ctx.send(out.a.z3Node, out.b.z3Node, result.violating_packet))), \
"Whoa the packet was never sent"
stop = time.time()
print stop - start
print "Running timing tests"
print "Two Learning Firewalls"
ResetZ3 ()
start = time.time()
(eh, check) = TwoLearningFw()
c1 = check.CheckIsolationProperty(eh[0], eh[2])
assert z3.unsat == c1.result, \
"Should be unsat; the firewall drops all packets from A -> C"
print c1.result
c2 = check.CheckIsolationProperty(eh[1], eh[3])
assert z3.unsat == c2.result,\
def _back_single_term(self, expr, args, model=None):
assert z3.is_expr(expr)
if z3.is_quantifier(expr):
raise NotImplementedError(
"Quantified back conversion is currently not supported")
res = None
if z3.is_and(expr):
res = self.mgr.And(args)
elif z3.is_or(expr):
res = self.mgr.Or(args)
elif z3.is_add(expr):
res = self.mgr.Plus(args)
elif z3.is_div(expr):
res = self.mgr.Div(args[0], args[1])
elif z3.is_eq(expr):
if self._get_type(args[0]).is_bool_type():
res = self.mgr.Iff(args[0], args[1])
else:
res = self.mgr.Equals(args[0], args[1])
elif z3.is_iff(expr):
res = self.mgr.Iff(args[0], args[1])
elif z3.is_xor(expr):
res = self.mgr.Xor(args[0], args[1])
elif z3.is_false(expr):
res = self.mgr.FALSE()
elif z3.is_true(expr):
res = self.mgr.TRUE()
elif z3.is_gt(expr):
res = self.mgr.GT(args[0], args[1])
elif z3.is_ge(expr):
res = self.mgr.GE(args[0], args[1])
elif z3.is_lt(expr):
res = self.mgr.LT(args[0], args[1])
elif z3.is_le(expr):
res = self.mgr.LE(args[0], args[1])
elif z3.is_mul(expr):
res = self.mgr.Times(args[0], args[1])
elif z3.is_uminus(expr):
tp = self._get_type(args[0])
if tp.is_real_type():
minus_one = self.mgr.Real(-1)
else:
assert tp.is_int_type()
minus_one = self.mgr.Int(-1)
res = self.mgr.Times(args[0], minus_one)
elif z3.is_sub(expr):
res = self.mgr.Minus(args[0], args[1])
elif z3.is_not(expr):
res = self.mgr.Not(args[0])
elif z3.is_implies(expr):
res = self.mgr.Implies(args[0], args[1])
elif z3.is_quantifier(expr):
raise NotImplementedError
elif z3.is_const(expr):
if z3.is_rational_value(expr):
n = expr.numerator_as_long()
d = expr.denominator_as_long()
f = Fraction(n, d)
res = self.mgr.Real(f)
elif z3.is_int_value(expr):
n = expr.as_long()
res = self.mgr.Int(n)
elif z3.is_bv_value(expr):
n = expr.as_long()
w = expr.size()
res = self.mgr.BV(n, w)
elif z3.is_as_array(expr):
if model is None:
raise NotImplementedError("As-array expressions cannot be" \
" handled as they are not " \
"self-contained")
else:
interp_decl = z3.get_as_array_func(expr)
interp = model[interp_decl]
default = self.back(interp.else_value(), model=model)
assign = {}
for i in xrange(interp.num_entries()):
e = interp.entry(i)
assert e.num_args() == 1
idx = self.back(e.arg_value(0), model=model)
val = self.back(e.value(), model=model)
assign[idx] = val
arr_type = self._z3_to_type(expr.sort())
res = self.mgr.Array(arr_type.index_type, default, assign)
elif z3.is_algebraic_value(expr):
# Algebraic value
return self.mgr._Algebraic(Numeral(expr))
else:
# it must be a symbol
res = self.mgr.get_symbol(str(expr))
elif z3.is_ite(expr):
res = self.mgr.Ite(args[0], args[1], args[2])
elif z3.is_function(expr):
res = self.mgr.Function(self.mgr.get_symbol(expr.decl().name()), args)
elif z3.is_to_real(expr):
res = self.mgr.ToReal(args[0])
elif z3.is_bv_and(expr):
res = self.mgr.BVAnd(args[0], args[1])
elif z3.is_bv_or(expr):
res = self.mgr.BVOr(args[0], args[1])
elif z3.is_bv_xor(expr):
res = self.mgr.BVXor(args[0], args[1])
elif z3.is_bv_not(expr):
res = self.mgr.BVNot(args[0])
elif z3.is_bv_neg(expr):
res = self.mgr.BVNeg(args[0])
elif z3.is_bv_concat(expr):
res = self.mgr.BVConcat(args[0], args[1])
elif z3.is_bv_ult(expr):
res = self.mgr.BVULT(args[0], args[1])
elif z3.is_bv_uleq(expr):
res = self.mgr.BVULE(args[0], args[1])
elif z3.is_bv_slt(expr):
res = self.mgr.BVSLT(args[0], args[1])
elif z3.is_bv_sleq(expr):
res = self.mgr.BVSLE(args[0], args[1])
elif z3.is_bv_ugt(expr):
res = self.mgr.BVUGT(args[0], args[1])
elif z3.is_bv_ugeq(expr):
res = self.mgr.BVUGE(args[0], args[1])
elif z3.is_bv_sgt(expr):
res = self.mgr.BVSGT(args[0], args[1])
elif z3.is_bv_sgeq(expr):
res = self.mgr.BVSGE(args[0], args[1])
elif z3.is_bv_extract(expr):
end = z3.get_payload(expr, 0)
start = z3.get_payload(expr, 1)
res = self.mgr.BVExtract(args[0], start, end)
elif z3.is_bv_add(expr):
res = self.mgr.BVAdd(args[0], args[1])
elif z3.is_bv_mul(expr):
res = self.mgr.BVMul(args[0], args[1])
elif z3.is_bv_udiv(expr):
res = self.mgr.BVUDiv(args[0], args[1])
elif z3.is_bv_sdiv(expr):
res = self.mgr.BVSDiv(args[0], args[1])
elif z3.is_bv_urem(expr):
res = self.mgr.BVURem(args[0], args[1])
elif z3.is_bv_srem(expr):
res = self.mgr.BVSRem(args[0], args[1])
elif z3.is_bv_lshl(expr):
res = self.mgr.BVLShl(args[0], args[1])
elif z3.is_bv_lshr(expr):
res = self.mgr.BVLShr(args[0], args[1])
elif z3.is_bv_ashr(expr):
res = self.mgr.BVAShr(args[0], args[1])
elif z3.is_bv_sub(expr):
res = self.mgr.BVSub(args[0], args[1])
elif z3.is_bv_rol(expr):
amount = z3.get_payload(expr, 0)
res = self.mgr.BVRol(args[0], amount)
elif z3.is_bv_ror(expr):
amount = z3.get_payload(expr, 0)
res = self.mgr.BVRor(args[0], amount)
elif z3.is_bv_ext_rol(expr):
amount = args[1].bv_unsigned_value()
res = self.mgr.BVRol(args[0], amount)
elif z3.is_bv_ext_ror(expr):
amount = args[1].bv_unsigned_value()
res = self.mgr.BVRor(args[0], amount)
elif z3.is_bv_sext(expr):
amount = z3.get_payload(expr, 0)
res = self.mgr.BVSExt(args[0], amount)
elif z3.is_bv_zext(expr):
amount = z3.get_payload(expr, 0)
res = self.mgr.BVZExt(args[0], amount)
elif z3.is_array_select(expr):
res = self.mgr.Select(args[0], args[1])
elif z3.is_array_store(expr):
res = self.mgr.Store(args[0], args[1], args[2])
elif z3.is_const_array(expr):
arr_ty = self._z3_to_type(expr.sort())
k = args[0]
res = self.mgr.Array(arr_ty.index_type, k)
elif z3.is_power(expr):
res = self.mgr.Pow(args[0], args[1])
if res is None:
raise ConvertExpressionError(message=("Unsupported expression: %s" %
str(expr)),
expression=expr)
return res
def crack(text, lang, top=5, iterations=300):
text = text.lower()
d = get_dict(lang)
patterns = get_pattern_dict(lang)
words = get_words(text)
lang_freq = default_frequencies(lang)
#text_freq = frequencies(text, lang_freq)
#top_text = sorted(text_freq, key=lambda x: text_freq[x])
#top_lang = sorted(lang_freq, key=lambda x: lang_freq[x])
#print(top_text)
#print(top_lang)
#top_in_text = top_text[-1]
#top_in_lang = top_lang[-1]
#print("%s -> %s" % (top_in_text, top_in_lang))
#text_pattern = [ get_pattern(word) for word in words ]
#candidates = [ patterns[pattern] for pattern in text_pattern ]
input_letters = set("".join(words))
output_letters = set([ c for w in d for c in w ])
def encode_word(w):
return "".join([ get_letter(l) for l in w ])
smt = []
# define variables
for li in input_letters:
for lo in output_letters:
smt += ["(declare-const %sto%s Bool)" % (get_letter(li),
get_letter(lo))]
# unknown words
for w in set(words):
smt += ["(declare-const no-%s Bool)" % encode_word(w)]
# define top frequency "constraint"
#smt += ["(assert %sto%s)" % (get_letter(top_in_text),
# get_letter(top_in_lang))]
# define word constraints
for word in set(words):
word_formulas = []
pattern = get_pattern(word)
if not pattern in patterns:
print("'%s' (%s) not in pattern db!" % (word, pattern))
continue
candidates = patterns[pattern]
for candidate in candidates:
word_formula = []
for letter in word:
literal = "%sto%s" % (get_letter(letter),
get_letter(get_replacement(word,
candidate, letter)))
word_formula += [ literal ]
f = "(and %s)" % " ".join(word_formula)
word_formulas += [ f ]
word_formulas += [ "no-%s" % encode_word(word) ]
f = "(or %s)" % " ".join(word_formulas)
smt += ["(assert %s)" % f]
# one-hot requirement: one input to at most one output
for li in input_letters:
smt += [ "(assert %s)" % distinct([ "%sto%s" % \
(get_letter(li), get_letter(lo)) \
for lo in output_letters ]) ]
# only one mapping per letter allowed (kill things like a->c & b->c)
for lo in output_letters:
smt += [ "(assert (=> (or %s) %s))" % (" ".join([ "%sto%s" % \
(get_letter(li), get_letter(lo)) \
for li in input_letters ]),
distinct([ "%sto%s" % \
(get_letter(li), get_letter(lo)) \
for li in input_letters ])) ]
# allow no unknown words initially
smt += ["(assert (and %s))" % " ".join([ "(not no-%s)" % encode_word(w)\
for w in set(words) ])]
#smt += ["(check-sat)", "(get-model)"]
smt2 = "\n".join(smt)
solver = z3.Solver()
solver.reset()
solver.add(z3.parse_smt2_string(smt2))
result = solver.check()
translations = []
quality = {}
n = 0
# allow one unknown word, if it is unsat otherwise
if result != z3.sat:
smt[-1] = "(assert %s)" % distinct([ "no-%s" % encode_word(w) \
for w in set(words)])
smt2 = "\n".join(smt)
solver.reset()
solver.add(z3.parse_smt2_string(smt2))
result = solver.check()
while result == z3.sat:
model = solver.model()
decls = model.decls()
mvars = { d.name(): d for d in decls }
mappings = [ v for v in mvars if z3.is_true(model[mvars[v]]) ]
get_from = lambda x: chr(int(x.split("to")[0][1:]))
get_to = lambda x: chr(int(x.split("to")[1][1:]))
trans = { get_from(m): get_to(m) for m in mappings \
if not m.startswith("no-") }
translations += [ trans ]
t = "".join([ trans[c] if c in trans else c for c in text ])
c = cost(t, lang_freq)
quality[c] = trans
n += 1
if n >= iterations:
break
block = [ d() != model[d] for d in model ]
solver.add(z3.Or(block))
result = solver.check()
if len(quality) < top:
top = len(quality)
best = sorted(quality.keys())[:top]
return [ quality[i] for i in best ]
def _back_single_term(self, expr, args):
assert z3.is_expr(expr)
if z3.is_quantifier(expr):
raise NotImplementedError(
"Quantified back conversion is currently not supported")
res = None
if z3.is_and(expr):
res = self.mgr.And(args)
elif z3.is_or(expr):
res = self.mgr.Or(args)
elif z3.is_add(expr):
res = self.mgr.Plus(args)
elif z3.is_div(expr):
res = self.mgr.Div(args[0], args[1])
elif z3.is_eq(expr):
if self._get_type(args[0]).is_bool_type():
res = self.mgr.Iff(args[0], args[1])
else:
res = self.mgr.Equals(args[0], args[1])
elif z3.is_iff(expr):
res = self.mgr.Iff(args[0], args[1])
elif z3.is_xor(expr):
res = self.mgr.Xor(args[0], args[1])
elif z3.is_false(expr):
res = self.mgr.FALSE()
elif z3.is_true(expr):
res = self.mgr.TRUE()
elif z3.is_gt(expr):
res = self.mgr.GT(args[0], args[1])
elif z3.is_ge(expr):
res = self.mgr.GE(args[0], args[1])
elif z3.is_lt(expr):
res = self.mgr.LT(args[0], args[1])
elif z3.is_le(expr):
res = self.mgr.LE(args[0], args[1])
elif z3.is_mul(expr):
res = self.mgr.Times(args[0], args[1])
elif z3.is_uminus(expr):
tp = self._get_type(args[0])
if tp.is_real_type():
minus_one = self.mgr.Real(-1)
else:
assert tp.is_int_type()
minus_one = self.mgr.Int(-1)
res = self.mgr.Times(args[0], minus_one)
elif z3.is_sub(expr):
res = self.mgr.Minus(args[0], args[1])
elif z3.is_not(expr):
res = self.mgr.Not(args[0])
elif z3.is_implies(expr):
res = self.mgr.Implies(args[0], args[1])
elif z3.is_quantifier(expr):
raise NotImplementedError
elif z3.is_const(expr):
if z3.is_rational_value(expr):
n = expr.numerator_as_long()
d = expr.denominator_as_long()
f = Fraction(n, d)
res = self.mgr.Real(f)
elif z3.is_int_value(expr):
n = expr.as_long()
res = self.mgr.Int(n)
elif z3.is_bv_value(expr):
n = expr.as_long()
w = expr.size()
res = self.mgr.BV(n, w)
else:
# it must be a symbol
res = self.mgr.get_symbol(str(expr))
elif z3.is_ite(expr):
res = self.mgr.Ite(args[0], args[1], args[2])
elif z3.is_function(expr):
res = self.mgr.Function(self.mgr.get_symbol(expr.decl().name()), args)
elif z3.is_to_real(expr):
res = self.mgr.ToReal(args[0])
elif z3.is_bv_and(expr):
res = self.mgr.BVAnd(args[0], args[1])
elif z3.is_bv_or(expr):
res = self.mgr.BVOr(args[0], args[1])
elif z3.is_bv_xor(expr):
res = self.mgr.BVXor(args[0], args[1])
elif z3.is_bv_not(expr):
res = self.mgr.BVNot(args[0])
elif z3.is_bv_neg(expr):
res = self.mgr.BVNeg(args[0])
elif z3.is_bv_concat(expr):
res = self.mgr.BVConcat(args[0], args[1])
elif z3.is_bv_ult(expr):
res = self.mgr.BVULT(args[0], args[1])
elif z3.is_bv_uleq(expr):
res = self.mgr.BVULE(args[0], args[1])
elif z3.is_bv_slt(expr):
res = self.mgr.BVSLT(args[0], args[1])
elif z3.is_bv_sleq(expr):
res = self.mgr.BVSLE(args[0], args[1])
elif z3.is_bv_ugt(expr):
res = self.mgr.BVUGT(args[0], args[1])
elif z3.is_bv_ugeq(expr):
res = self.mgr.BVUGE(args[0], args[1])
elif z3.is_bv_sgt(expr):
res = self.mgr.BVSGT(args[0], args[1])
elif z3.is_bv_sgeq(expr):
res = self.mgr.BVSGE(args[0], args[1])
elif z3.is_bv_extract(expr):
end = z3.get_payload(expr, 0)
start = z3.get_payload(expr, 1)
res = self.mgr.BVExtract(args[0], start, end)
elif z3.is_bv_add(expr):
res = self.mgr.BVAdd(args[0], args[1])
elif z3.is_bv_mul(expr):
res = self.mgr.BVMul(args[0], args[1])
elif z3.is_bv_udiv(expr):
res = self.mgr.BVUDiv(args[0], args[1])
elif z3.is_bv_sdiv(expr):
res = self.mgr.BVSDiv(args[0], args[1])
elif z3.is_bv_urem(expr):
res = self.mgr.BVURem(args[0], args[1])
elif z3.is_bv_srem(expr):
res = self.mgr.BVSRem(args[0], args[1])
elif z3.is_bv_lshl(expr):
res = self.mgr.BVLShl(args[0], args[1])
elif z3.is_bv_lshr(expr):
res = self.mgr.BVLShr(args[0], args[1])
elif z3.is_bv_ashr(expr):
res = self.mgr.BVAShr(args[0], args[1])
elif z3.is_bv_sub(expr):
res = self.mgr.BVSub(args[0], args[1])
elif z3.is_bv_rol(expr):
amount = z3.get_payload(expr, 0)
res = self.mgr.BVRol(args[0], amount)
elif z3.is_bv_ror(expr):
amount = z3.get_payload(expr, 0)
res = self.mgr.BVRor(args[0], amount)
elif z3.is_bv_ext_rol(expr):
amount = args[1].bv_unsigned_value()
res = self.mgr.BVRol(args[0], amount)
elif z3.is_bv_ext_ror(expr):
amount = args[1].bv_unsigned_value()
res = self.mgr.BVRor(args[0], amount)
elif z3.is_bv_sext(expr):
amount = z3.get_payload(expr, 0)
res = self.mgr.BVSExt(args[0], amount)
elif z3.is_bv_zext(expr):
amount = z3.get_payload(expr, 0)
res = self.mgr.BVZExt(args[0], amount)
if res is None:
raise ConvertExpressionError(message=("Unsupported expression: %s" %
str(expr)),
expression=expr)
return res
def __call__(self, x, y):
interp = zip(self.vs, (x, y))
fact = substitute(self.order, *interp)
fact_val = self.model.eval(fact)
# print "order: %s = %s" % (fact,fact_val)
return -1 if z3.is_true(fact_val) else 1
'east',
'north',
'west',
)
def _generate_cards_for_player(player):
for suit in suits:
for rank in ranks:
yield z3.Int('%s_%s_%s' % (player.key, suit.key, rank.key))
def _cards_for_player(player):
return list(_generate_cards_for_player(player))
hands = map(_cards_for_player, players)
axioms = []
axioms += [z3.Or(card == 0, card == 1) for card in sum(hands, [])]
axioms += [sum(cards) == 1 for cards in zip(*hands)]
axioms += [sum(cards) == 13 for cards in hands]
solver = z3.Solver()
solver.add(axioms)
solver.check()
model = solver.model()
for cards in hands:
for card in cards:
if z3.is_true(model.eval(card == 1)):
print card
def _state_matches_guard(t, i):
expr = And([func_call(t) == func_res
for func_call, func_res in guard_output_funcs[i]])
return is_true(model.eval(expr))
def constant_from_z3(sort, c):
if z3.is_true(c):
return ivy_logic.And()
if z3.is_false(c):
return ivy_logic.Or()
return ivy_logic.Constant(ivy_logic.Symbol(repr(c), sort))
def evaluate(self, t):
s = self.solver.model().eval(t.z3Node())
assert z3.is_true(s) or z3.is_false(s)
return z3.is_true(s)
def get_bool(self, ast):
val = self.solver.model().eval(ast.ast)
val = z3.is_true(val)
return esbmc.expr.constant_bool.make(val)
