# Leonardo de Moura

Microsoft · Research in Software Engineering (RiSE)

PhD in Computer Science

## About

Publications: 99

Reads: 18,121


Citations: 12,355 (since 2016)


## Publications (99)

Lean is a new open source theorem prover being developed at Microsoft Research and Carnegie Mellon University, with a small trusted kernel based on dependent type theory. It aims to bridge the gap between interactive and automated theorem proving, by situating automated tools and methods in a framework that supports user interaction and the constru...

We describe the elaboration algorithm that is used in Lean, a new interactive theorem prover based on dependent type theory. To be practical, interactive theorem provers must provide mechanisms to resolve ambiguities and infer implicit information, thereby supporting convenient input of expressions and proofs. Lean's elaborator supports higher-orde...

A system is described for processing predicates in the course of analyzing a program, based on a general-purpose theory of pointers. The system converts location expressions in the predicates into logical formulae that are interpretable by a theorem prover module, producing converted predicates. This conversion associates the location expressions w...

Summary form only given, as follows. Considering the theoretical hardness of SAT, the astonishing adeptness of SAT solvers when attacking practical problems has changed the way we perceive the limits of algorithmic reasoning. Modern SAT solvers are based on the idea of conflict driven clause learning (CDCL). The CDCL algorithm is a combination of an explic...

Recent applications of decision procedures for nonlinear real arithmetic (the theory of real closed fields, or RCF) have presented a need for reasoning not only with polynomials but also with transcendental constants and infinitesimals. In full generality, the algebraic setting for this reasoning consists of real closed transcendental and infinites...

We describe a new algorithm for solving linear integer programming problems. The algorithm performs a DPLL style search for a feasible assignment, while using a novel cut procedure to guide the search away from the conflicting states.

The annual Satisfiability Modulo Theories Competition (SMT-COMP) was initiated in 2005 in order to stimulate the advance of state-of-the-art techniques and tools developed by the Satisfiability Modulo Theories (SMT) community. This paper summarizes the first six editions of the competition. We present the evolution of the competition’s organization...

We present a new calculus where recent model-based decision procedures and techniques can be justified and combined with the standard DPLL(T) approach to satisfiability modulo theories. The new calculus generalizes the ideas found in CDCL-style propositional SAT solvers to the first-order setting.

High-performance SMT solvers contain many tightly integrated, hand-crafted heuristic combinations of algorithmic proof methods. While these heuristic combinations tend to be highly tuned for known classes of problems, they may easily perform badly on classes of problems not anticipated by solver developers. This issue is becoming increasingly pre...

In the last decade, advances in satisfiability-modulo-theories (SMT) solvers have powered a new generation of software tools for verification and testing. These tools transform various program analysis problems into the problem of satisfiability of formulas in propositional or first-order logic, where they are discharged by SMT solvers, such as Z3...

MetiTarski [1] is an automatic theorem prover that can prove inequalities involving sin, cos, exp, ln, etc. During its proof search, it generates a series of subproblems in nonlinear polynomial real arithmetic which are reduced to true or false using a decision procedure for the theory of real closed fields (RCF). These calls are often a bottleneck...

We present a new algorithm for deciding satisfiability of non-linear arithmetic constraints. The algorithm performs a Conflict-Driven Clause Learning (CDCL)-style search for a feasible assignment, while using projection operators adapted from cylindrical algebraic decomposition to guide the search away from the conflicting states.

Checking the satisfiability of logical formulas, SMT solvers scale orders of magnitude beyond custom ad hoc solvers.

Applications in software verification often require determining the satisfiability of first-order formulae with respect to background theories. During development, conjectures are usually false. Therefore, it is desirable to have a theorem prover that terminates on satisfiable instances. Satisfiability Modulo Theories (SMT) solvers have proven to...


The μZ tool is a scalable, efficient engine for fixed points with constraints. It supports high-level declarative fixed point constraints over a combination of built-in and plugin domains. The built-in domains include formulas presented to the SMT solver Z3 and domains known from abstract interpretation. We present the interface to μZ, a number of...

Constraint satisfaction problems arise in many diverse areas including software and hardware verification, type inference, static program analysis, test-case generation, scheduling, planning and graph problems. These areas share a common trait: they include a core component using logical formulas for describing states and transformations between th...


Satisfiability Modulo Theories (SMT) extends Propositional Satisfiability with logical theories that allow us to express relations over various types of variables, such as arithmetic constraints, or equalities over uninterpreted functions. SMT solvers are widely used in areas such as software verification, where they are able to solve surprisingly...

Static Driver Verifier (SDV) is a verification tool included in the Windows 7 Driver Kit (WDK). SDV uses SLAM as the program analysis engine. SDV 2.0 released with Windows 7 uses a re-designed SLAM2 engine. SLAM2 improves the precision and performance of predicate evaluation by using Z3 SMT solver. To handle predicates with pointers in SLAM2, we...

We present novel Gröbner basis algorithms based on saturation loops used by modern superposition theorem provers. We illustrate the practical value of the algorithms through an experimental implementation within the Z3 SMT solver.

Constraints over regular and context-free languages are common in the context of string-manipulating programs. Efficient solving of such constraints, often in combination with arithmetic and other theories, has many useful applications in program analysis and testing. We introduce and evaluate a method for symbolically expressing and solving const...

Symbolic reasoning is at the core of many software development tools such as bug-finders, test-case generators, and verifiers. Of renewed interest is the use of symbolic reasoning for synthesising code, loop invariants and ranking functions. Satisfiability Modulo Theories (SMT) solvers have been the focus of increased recent attention thanks to tech...

We introduce a DPLL calculus that is a decision procedure for the Bernays-Schönfinkel class, also known as EPR. Our calculus allows combining techniques for efficient propositional search with data-structures, such as Binary Decision Diagrams, that can efficiently and succinctly encode finite sets of substitutions and operations on these. In the...

In recent years, bit-precise reasoning has gained importance in hardware and software verification. Of renewed interest is the use of symbolic reasoning for synthesising loop invariants, ranking functions, or whole program fragments and hardware circuits. Solvers for the quantifier-free fragment of bit-vector logic exist and often rely on SAT solve...

Satisfiability modulo theories (SMT) is a branch of automated reasoning that builds on advances in propositional satisfiability and on decision procedures for first-order reasoning. Its defining feature is the use of reasoning methods specific to logical theories of interest in target applications. Advances in SMT research and technology have led i...

The theory of arrays is ubiquitous in the context of software and hardware verification and symbolic analysis. The basic array theory was introduced by McCarthy and allows one to symbolically represent array updates. In this paper we present combinatory array logic, CAL, using a small, but powerful core of combinators, and reduce it to the theory of...

Using the machinery of proof orders originally introduced by Bachmair and Dershowitz in the context of canonical equational proofs, we give an abstract, strategy-independent presentation of Groebner basis procedures and prove the correctness of two classical criteria for recognising superfluous S-polynomials, Buchberger's criteria 1 and 2, w.r.t. a...

Satisfiability Modulo Theories is about checking the satisfiability of logical formulas over one or more theories. We provide an appetizer of SMT solving, illustrate an application for test-case generation based on dynamic symbolic execution and summarize an array of existing applications, enabling features, challenges and future directions.

Satisfiability Modulo Theories (SMT) is about checking the satisfiability of logical formulas over one or more theories. The problem draws on a combination of some of the most fundamental areas in computer science. It combines the problem of Boolean satisfiability with domains, such as, those studied in convex optimization and term-manipulating...

Applications in software verification often require determining the satisfiability of first-order formulæ with respect to some background theories. During development, conjectures are usually false. Therefore, it is desirable to have a theorem prover that terminates on satisfiable instances. Satisfiability Modulo Theories (SMT) solvers have proven...


Quantifier reasoning in Satisfiability Modulo Theories (SMT) is a long-standing challenge. The practical method employed in modern SMT solvers is to instantiate quantified formulas based on heuristics, which is not refutationally complete even for pure first-order logic. We present several decidable fragments of first order logic modulo theories. W...

With the availability of multi-core processors and large-scale computing clusters, the study of parallel algorithms has been revived throughout the industry. We present a portfolio approach to deciding the satisfiability of SMT formulas, based on the recent success of related algorithms for the SAT problem. Our parallel version of Z3 outperforms the...

Effectively Propositional Logic (EPR), also known as the Bernays-Schönfinkel class, allows encoding problems that are propositional in nature, but EPR encodings can be exponentially more succinct than purely propositional logic encodings. We recently developed a DPLL-based decision procedure that builds on top of efficient SAT solving techniques t...

Hilbert's weak Nullstellensatz guarantees the existence of algebraic proof objects certifying the unsatisfiability of systems of polynomial equations not satisfiable over any algebraically closed field. Such proof objects take the form of ideal membership identities and can be found algorithmically using Gröbner bases and cofactor-based linear al...

Satisfiability Modulo Theories (SMT) solvers have proven highly scalable, efficient and suitable for integrated theory reasoning. The most efficient SMT solvers rely on refutationally incomplete methods for incorporating quantifier reasoning. We describe a calculus and a system that tightly integrates Superposition and DPLL(T). In the calculus, all...

Traditional methods for combining theory solvers rely on capabilities of the solvers to produce all implied equalities or a pre-processing step that introduces additional literals into the search space. This paper introduces a combination method that incrementally reconciles models maintained by each theory. We evaluate the practicality and efficie...

The Satisfiability Modulo Theories (SMT) problem is a decision problem for logical first order formulas with respect to combinations of background theories such as arithmetic, bit-vectors, arrays, and uninterpreted functions. Z3 is a new and efficient SMT Solver freely available from Microsoft Research. It is used in various software verification and...

Z3 (3) is a state-of-the-art Satisfiability Modulo Theories (SMT) solver freely available from Microsoft Research. It solves the decision problem for quantifier-free formulas with respect to combinations of theories, such as arithmetic, bit-vectors, arrays, and uninterpreted functions. Z3 is used in various software analysis and test-case generat...

The Satisfiability Modulo Theories Competition (SMT-COMP) arose from the SMT-LIB initiative to spur adoption of common, community-designed formats, and to spark further advances in satisfiability modulo theories (SMT). The first SMT-COMP was held in 2005 as a satellite event of CAV 2005. SMT-COMP 2006 was held August 17 - 19, 2006, as a satellite...

Satisfiability Modulo Theories (SMT) solvers have proven highly scalable, efficient and suitable for integrating theory reasoning. However, for numerous applications from program analysis and verification, the ground fragment is insufficient, as proof obligations often include quantifiers. A well known approach for quantifier reasoning uses a mat...

Solvers for satisfiability modulo theories (SMT) check the satisfiability of first-order formulas containing operations from various theories such as the Booleans, bit-vectors, arithmetic, arrays, and recursive datatypes. SMT solvers are extensions of Boolean satisfiability solvers (SAT solvers) that check the satisfiability of formulas built from...

We present a new Simplex-based linear arithmetic solver that can be integrated efficiently in the DPLL(T) framework. The new solver improves over existing approaches by enabling fast backtracking, supporting a priori simplification to reduce the problem size, and providing an efficient form of theory propagation. We also present a new and simp...

SMT stands for Satisfiability Modulo Theories. An SMT solver decides the satisfiability of propositionally complex formulas in theories such as arithmetic and uninterpreted functions with equality. SMT solving has numerous applications in automated theorem proving, in hardware and software verification, and in scheduling and planning problems. Thi...

Yices is a decision procedure for formulas containing uninterpreted function symbols, linear real and integer arithmetic, fixed-size bitvectors, extensional arrays, lambda expressions, tuples, records, quantifiers, scalar types, recursive datatypes, and dependent types. Yices is the main decision procedure used by SAL. It is being integrated to PVS...

We present a new Simplex-based linear arithmetic solver that can be integrated efficiently in the DPLL(T) framework. The new solver improves over existing approaches by enabling fast backtracking, supporting a priori simplification to reduce the problem size, and providing an efficient form of theory propagation. We also present a new a...

The Satisfiability Modulo Theories Competition (SMT-COMP) is intended to spark further advances in the decision procedures field, especially for applications in hardware and software verification. Public competitions are a well-known means of stimulating advancement in automated reasoning. Evaluation of SMT solvers entered in SMT-COMP took place...

We consider the problem of finding irredundant bases for inconsistent sets of equalities and disequalities. These are subsets of inconsistent sets which do not contain any literals which do not contribute to the unsatisfiability in an essential way, and can therefore be discarded. The approach we are pursuing here is to decorate derivations with pr...

The efforts of researchers over the past 20 years has yielded an impressive array of verification tools. However, no single tool or method is going to solve the verification problem. An entire spectrum of formal methods and tools are needed ranging from test case generators, static analyzers, and type checkers, to invariant generators, decision pro-...

We describe sal-atg, a tool for automated test generation that will be distributed as part of the next release of SAL. Given a SAL specification augmented with Boolean trap variables representing test goals, sal-atg generates an efficient set of tests to drive the trap variables to TRUE; SAL specifications are typically instrumented with t...


SAL (see http://sal.csl.sri.com) is an open suite of tools for analysis of state machines; it constitutes part of our vision for a Symbolic Analysis Laboratory that will eventually encompass SAL, the PVS verification system, the ICS decision procedures, and other tools developed in our group and elsewhere. SAL provides a language similar to that o...

There is a large variety of algorithms for ground decision procedures, but their differences, in particular in terms of experimental performance, are not well studied. We develop maps of the behavior of ground decision procedures by comparing the performance of a variety of technologies on benchmark suites with differing characteristics. Based on t...

s, linear arithmetic, and lists. The ground (i.e., quantifier-free) fragment of many combinations is decidable when the fully quantified combination is not, and practical experience indicates that automation of the ground case is adequate for most applications. Practical experience also suggests several other desiderata for an effective deductive servi...

The development of an Integrated Canonizer/Solver (ICS) system that can be embedded in applications to provide deductive services is discussed. It is suggested that ICS can be used as a standalone application that reads formulas interactively, and can also be included as a library in any application that requires embedded deduction. ICS returns a j...

It is well-known that counterexamples produced by model checkers can provide a basis for automated generation of test cases. However, when this approach is used to meet a coverage criterion, it generally results in very inefficient test sets having many tests and much redundancy. We describe an improved approach that uses model checkers to generate...

SAL 2 augments the specification language and explicit-state model checker of SAL 1 with high-performance symbolic and bounded model checkers, and with novel infinite bounded and witness model checkers.

SAL 2 augments the specification language and explicit-state model checker of SAL 1 with high-performance symbolic and bounded model checkers, and with novel infinite bounded and witness model checkers. The bounded model checker can use several different SAT solvers, while the infinite bounded model checker similarly can use several different ground...

There is a large variety of algorithms for ground decision procedures, but their differences, in particular in terms of experimental performance, are not well studied. We develop maps of the behavior of ground decision procedures by comparing the performance of a variety of technologies on benchmark suites with differing characteristics.

Symbolic evaluation is the execution of software and software designs on inputs given as symbolic or explicit constants along with constraints on these inputs. Efficient symbolic evaluation is now feasible due to recent advances in efficient decision procedures and symbolic model checking. Symbolic evaluation can be applied to partially implemented...

It is well-known that counterexamples produced by model checkers can provide a basis for automated generation of test cases. However, when this approach is used to meet a coverage criterion, it generally results in very inefficient test sets having many tests and much redundancy. We describe an improved approach that uses model checkers to generate...


Formal analyses can provide valuable assurance for high confidence software and systems. The analyses can range from strong typechecking through test case generation and static analysis to model checking and full verification. In all cases, the tools that support the analyses use formal deduction in some way or other. ICS is a fully automatic, high...

Bluetooth is a short range wireless communication technology that has been designed to eliminate wires between both stationary and mobile devices. As wireless communication is much more vulnerable to attacks, Bluetooth provides authentication and encryption on the link level. However, the employed frequency hopping spread spectrum method can be exp...


We investigate the combination of propositional SAT checkers with domain-specific theorem provers as a foundation for bounded model checking over infinite domains. Given a program M over an infinite state type, a linear temporal logic formula ϕ with domain-specific constraints over program states, and an upper bound k, our procedure determines...

We investigate the combination of propositional SAT checkers with satisfiability procedures for domain-specific theories such as linear arithmetic, arrays, lists and the combination thereof. Our procedure realizes a lazy approach to satisfiability checking of Boolean constraint formulas by iteratively refining Boolean formulas based on lemmas gener...

We investigate the combination of propositional SAT checkers with domain-specific theorem provers as a foundation for bounded model checking over infinite domains. Given a program M over an infinite state type, a linear temporal logic formula ϕ with domain-specific constraints over program states, and an upper bound k, our procedure determines if the...


Prior research has shown that high levels of software reuse can be achieved through the use of object-oriented frameworks. An object-oriented framework captures the common aspects of a family of applications, thus allowing the designers and implementers to reuse this experience at the design and code levels. In spite of being a powerful design solu...

Visual composition is an interactive development of different applications by the direct manipulation of reusable components. We believe that the visual composition approach deals directly with the complexity of large software systems, making their development easier, more flexible, and easier to be understood. This is accomplished by implementing...

Existing research suggests that a considerable fraction (5-10%) of the source code of large scale computer programs is duplicate code (“clones”). Detection and removal of such clones promises decreased software maintenance costs of possibly the same magnitude. Previous work was limited to detection of either near misses differing only in single lex...

We explore the combination of bounded model checking and induction for proving safety properties of infinite-state systems. In particular, we define a general k-induction scheme and prove completeness thereof. A main characteristic of our methodology is that strengthened invariants are generated from failed k-induction proofs. This strengthening st...

Decision procedures for checking satisfiability of logical formulas are crucial for many verification applications (e.g., [2,6,3]). Of particular recent interest are solvers for Satisfiability Modulo Theories (SMT). SMT solvers decide logical satisfiability (or dually, validity) with respect to a background theory in classical first-order logic with...

Constraints over regular expressions are common in programming languages, often in combination with other constraints involving strings. Efficient solving of such constraints has many useful applications in program analysis and testing. We introduce a method for symbolically expressing and analyzing regular constraints using state of the art SMT so...

SMT solvers that perform search over a large set of constraints need to maintain, update and propagate truth assignments to atomic constraints. Each new truth assignment may lead to additional constraint propagation, which depending on the constraint domain can be costly. Relevancy propagation keeps track of which truth assignments are essential f...

Modern program analysis and model-based tools are increasingly complex and multi-faceted software systems. However, at their core is invariably a component using a logic for describing states and transformations between system states. Logic inference engines are then critical for the functionality of these systems. A commonly adapted approach ha...

The Satisfiability Modulo Theories solver Z3 [10] is used in several program analysis and verification tools at Microsoft Research. Some of these tools require bit-precise reasoning for accurately modeling machine arithmetic instructions. But this alone is rarely sufficient, and an integration with other theories is required. The Pex tool [20] perf...

The Satisfiability Modulo Theories Competition (SMT-COMP) arose from the SMT-LIB initiative to spur adoption of common, community-designed formats, and to spark further advances in satisfiability modulo theories (SMT). The first SMT-COMP was held in 2005 as a satellite event of CAV 2005. SMT-COMP 2006 was held August 17 - 19, 2006, as a...

We present novel Gröbner basis algorithms based on saturation loops used by modern superposition theorem provers. By combining (i) top-level Gröbner basis construction strategies based on the OTTER and DISCOUNT saturation loops, and (ii) sophisticated term indexing techniques derived both from ATP literature and from superfluous S-polynomial cri...

We observe that the decision problem for the ∃ theory of real closed fields (RCF) is simply reducible to the decision problem for RCF over a connective-free ∀ language in which the only relation symbol is a strict inequality. In particular, every ∃ RCF sentence ϕ can be settled by deciding a proposition of the form "polynomial p (which is a sum of sq...