Leonardo de Moura
Microsoft · Research in Software Engineering (RiSE)

PhD in Computer Science

About

99
Publications
18,121
Reads
12,355
Citations
Citations since 2016
0 Research Items
6776 Citations
Additional affiliations
January 2013 - present
Microsoft
Position
  • Principal Investigator
January 2010 - January 2013
Microsoft
Position
  • Senior Researcher
August 2006 - January 2010
Microsoft
Position
  • Researcher

Publications

Publications (99)
Conference Paper
Lean is a new open source theorem prover being developed at Microsoft Research and Carnegie Mellon University, with a small trusted kernel based on dependent type theory. It aims to bridge the gap between interactive and automated theorem proving, by situating automated tools and methods in a framework that supports user interaction and the constru...
Article
Full-text available
We describe the elaboration algorithm that is used in Lean, a new interactive theorem prover based on dependent type theory. To be practical, interactive theorem provers must provide mechanisms to resolve ambiguities and infer implicit information, thereby supporting convenient input of expressions and proofs. Lean's elaborator supports higher-orde...
Patent
Full-text available
A system is described for processing predicates in the course of analyzing a program, based on a general-purpose theory of pointers. The system converts location expressions in the predicates into logical formulae that are interpretable by a theorem prover module, producing converted predicates. This conversion associates the location expressions w...
Conference Paper
form only given, as follows. Considering the theoretical hardness of SAT, the astonishing adeptness of SAT solvers when attacking practical problems has changed the way we perceive the limits of algorithmic reasoning. Modern SAT solvers are based on the idea of conflict driven clause learning (CDCL). The CDCL algorithm is a combination of an explic...
Conference Paper
Recent applications of decision procedures for nonlinear real arithmetic (the theory of real closed fields, or RCF) have presented a need for reasoning not only with polynomials but also with transcendental constants and infinitesimals. In full generality, the algebraic setting for this reasoning consists of real closed transcendental and infinites...
Article
We describe a new algorithm for solving linear integer programming problems. The algorithm performs a DPLL style search for a feasible assignment, while using a novel cut procedure to guide the search away from the conflicting states.
Article
The annual Satisfiability Modulo Theories Competition (SMT-COMP) was initiated in 2005 in order to stimulate the advance of state-of-the-art techniques and tools developed by the Satisfiability Modulo Theories (SMT) community. This paper summarizes the first six editions of the competition. We present the evolution of the competition’s organization...
Conference Paper
Full-text available
We present a new calculus where recent model-based decision procedures and techniques can be justified and combined with the standard DPLL(T) approach to satisfiability modulo theories. The new calculus generalizes the ideas found in CDCL-style propositional SAT solvers to the first-order setting.
Article
High-performance SMT solvers contain many tightly integrated, hand-crafted heuristic combinations of algorithmic proof methods. While these heuristic combinations tend to be highly tuned for known classes of problems, they may easily perform badly on classes of problems not anticipated by solver developers. This issue is becoming increasingly pre...
Conference Paper
In the last decade, advances in satisfiability-modulo-theories (SMT) solvers have powered a new generation of software tools for verification and testing. These tools transform various program analysis problems into the problem of satisfiability of formulas in propositional or first-order logic, where they are discharged by SMT solvers, such as Z3...
Conference Paper
Full-text available
MetiTarski [1] is an automatic theorem prover that can prove inequalities involving sin, cos, exp, ln, etc. During its proof search, it generates a series of subproblems in nonlinear polynomial real arithmetic which are reduced to true or false using a decision procedure for the theory of real closed fields (RCF). These calls are often a bottleneck...
Conference Paper
Full-text available
We present a new algorithm for deciding satisfiability of non-linear arithmetic constraints. The algorithm performs a Conflict-Driven Clause Learning (CDCL)-style search for a feasible assignment, while using projection operators adapted from cylindrical algebraic decomposition to guide the search away from the conflicting states.
Article
Checking the satisfiability of logical formulas, SMT solvers scale orders of magnitude beyond custom ad hoc solvers.
Article
Full-text available
Applications in software verification often require determining the satisfiability of first-order formulae with respect to background theories. During development, conjectures are usually false. Therefore, it is desirable to have a theorem prover that terminates on satisfiable instances. Satisfiability Modulo Theories (SMT) solvers have proven to...
Conference Paper
Full-text available
We describe a new algorithm for solving linear integer programming problems. The algorithm performs a DPLL style search for a feasible assignment, while using a novel cut procedure to guide the search away from the conflicting states.
Conference Paper
The μZ tool is a scalable, efficient engine for fixed points with constraints. It supports high-level declarative fixed point constraints over a combination of built-in and plugin domains. The built-in domains include formulas presented to the SMT solver Z3 and domains known from abstract interpretation. We present the interface to μZ, a number of...
Conference Paper
Constraint satisfaction problems arise in many diverse areas including software and hardware verification, type inference, static program analysis, test-case generation, scheduling, planning and graph problems. These areas share a common trait, they include a core component using logical formulas for describing states and transformations between th...
Conference Paper
Constraint satisfaction problems arise in many diverse areas including software and hardware verification, type inference, static program analysis, test-case generation, scheduling, planning and graph problems. These areas share a common trait, they include a core component using logical formulas for describing states and transformations between th...
Article
Satisfiability Modulo Theories (SMT) extends Propositional Satisfiability with logical theories that allow us to express relations over various types of variables, such as arithmetic constraints, or equalities over uninterpreted functions. SMT solvers are widely used in areas such as software verification, where they are able to solve surprisingly...
Article
Full-text available
Static Driver Verifier (SDV) is a verification tool included in the Windows 7 Driver Kit (WDK). SDV uses SLAM as the program analysis engine. SDV 2.0 released with Windows 7 uses a re-designed SLAM2 engine. SLAM2 improves the precision and performance of predicate evaluation by using Z3 SMT solver. To handle predicates with pointers in SLAM2, we...
Article
We present novel Gröbner basis algorithms based on saturation loops used by modern superposition theorem provers. We illustrate the practical value of the algorithms through an experimental implementation within the Z3 SMT solver.
Conference Paper
Constraints over regular and context-free languages are common in the context of string-manipulating programs. Efficient solving of such constraints, often in combination with arithmetic and other theories, has many useful applications in program analysis and testing. We introduce and evaluate a method for symbolically expressing and solving const...
Conference Paper
Full-text available
Symbolic reasoning is at the core of many software development tools such as: bug-finders, test-case generators, and verifiers. Of renewed interest is the use of symbolic reasoning for synthesising code, loop invariants and ranking functions. Satisfiability Modulo Theories (SMT) solvers have been the focus of increased recent attention thanks to tech...
Conference Paper
We introduce a DPLL calculus that is a decision procedure for the Bernays-Schönfinkel class, also known as EPR. Our calculus allows combining techniques for efficient propositional search with data structures, such as Binary Decision Diagrams, that can efficiently and succinctly encode finite sets of substitutions and operations on these. In the...
Conference Paper
Full-text available
In recent years, bit-precise reasoning has gained importance in hardware and software verification. Of renewed interest is the use of symbolic reasoning for synthesising loop invariants, ranking functions, or whole program fragments and hardware circuits. Solvers for the quantifier-free fragment of bit-vector logic exist and often rely on SAT solve...
Conference Paper
Satisfiability modulo theories (SMT) is a branch of automated reasoning that builds on advances in propositional satisfiability and on decision procedures for first-order reasoning. Its defining feature is the use of reasoning methods specific to logical theories of interest in target applications. Advances in SMT research and technology have led i...
Conference Paper
Full-text available
The theory of arrays is ubiquitous in the context of software and hardware verification and symbolic analysis. The basic array theory was introduced by McCarthy and allows one to symbolically represent array updates. In this paper we present combinatory array logic, CAL, using a small, but powerful core of combinators, and reduce it to the theory of...
Article
Using the machinery of proof orders originally introduced by Bachmair and Dershowitz in the context of canonical equational proofs, we give an abstract, strategy-independent presentation of Gröbner basis procedures and prove the correctness of two classical criteria for recognising superfluous S-polynomials, Buchberger's criteria 1 and 2, w.r.t. a...
Conference Paper
Satisfiability Modulo Theories is about checking the satisfiability of logical formulas over one or more theories. We provide an appetizer of SMT solving, illustrate an application for test-case generation based on dynamic symbolic execution and summarize an array of existing applications, enabling features, challenges and future directions.
Conference Paper
Satisfiability Modulo Theories (SMT) is about checking the satisfiability of logical formulas over one or more theories. The problem draws on a combination of some of the most fundamental areas in computer science. It combines the problem of Boolean satisfiability with domains, such as, those studied in convex optimization and term-manipulating...
Conference Paper
Full-text available
Applications in software verification often require determining the satisfiability of first-order formulæ with respect to some background theories. During development, conjectures are usually false. Therefore, it is desirable to have a theorem prover that terminates on satisfiable instances. Satisfiability Modulo Theories (SMT) solvers have proven...
Conference Paper
Full-text available
Applications in software verification often require determining the satisfiability of first-order formulæ with respect to some background theories. During development, conjectures are usually false. Therefore, it is desirable to have a theorem prover that terminates on satisfiable instances. Satisfiability Modulo Theories (SMT) solvers have proven...
Conference Paper
Quantifier reasoning in Satisfiability Modulo Theories (SMT) is a long-standing challenge. The practical method employed in modern SMT solvers is to instantiate quantified formulas based on heuristics, which is not refutationally complete even for pure first-order logic. We present several decidable fragments of first order logic modulo theories. W...
Conference Paper
Full-text available
With the availability of multi-core processors and large-scale computing clusters, the study of parallel algorithms has been revived throughout the industry. We present a portfolio approach to deciding the satisfiability of SMT formulas, based on the recent success of related algorithms for the SAT problem. Our parallel version of Z3 outperforms the...
Article
Effectively Propositional Logic (EPR), also known as the Bernays-Schönfinkel class, allows encoding problems that are propositional in nature, but EPR encodings can be exponentially more succinct than purely propositional logic encodings. We recently developed a DPLL-based decision procedure that builds on top of efficient SAT solving techniques t...
Article
Hilbert's weak Nullstellensatz guarantees the existence of algebraic proof objects certifying the unsatisfiability of systems of polynomial equations not satisfiable over any algebraically closed field. Such proof objects take the form of ideal membership identities and can be found algorithmically using Gröbner bases and cofactor-based linear al...
Conference Paper
Satisfiability Modulo Theories (SMT) solvers have proven highly scalable, efficient and suitable for integrated theory reasoning. The most efficient SMT solvers rely on refutationally incomplete methods for incorporating quantifier reasoning. We describe a calculus and a system that tightly integrates Superposition and DPLL(T). In the calculus, all...
Article
Full-text available
Traditional methods for combining theory solvers rely on capabilities of the solvers to produce all implied equalities or a pre-processing step that introduces additional literals into the search space. This paper introduces a combination method that incrementally reconciles models maintained by each theory. We evaluate the practicality and efficie...
Conference Paper
Full-text available
Satisfiability Modulo Theories (SMT) problem is a decision problem for logical first order formulas with respect to combinations of background theories such as: arithmetic, bit-vectors, arrays, and uninterpreted functions. Z3 is a new and efficient SMT Solver freely available from Microsoft Research. It is used in various software verification and...
Conference Paper
Z3 (3) is a state-of-the-art Satisfiability Modulo Theories (SMT) solver freely available from Microsoft Research. It solves the decision problem for quantifier-free formulas with respect to combinations of theories, such as arithmetic, bit-vectors, arrays, and uninterpreted functions. Z3 is used in various software analysis and test-case generat...
Article
Full-text available
The Satisfiability Modulo Theories Competition (SMT-COMP) arose from the SMT-LIB initiative to spur adoption of common, community-designed formats, and to spark further advances in satisfiability modulo theories (SMT). The first SMT-COMP was held in 2005 as a satellite event of CAV 2005. SMT-COMP 2006 was held August 17 - 19, 2006, as a satellite...
Conference Paper
Satisfiability Modulo Theories (SMT) solvers have proven highly scalable, efficient and suitable for integrating theory reasoning. However, for numerous applications from program analysis and verification, the ground fragment is insufficient, as proof obligations often include quantifiers. A well known approach for quantifier reasoning uses a mat...
Conference Paper
Full-text available
Solvers for satisfiability modulo theories (SMT) check the satisfiability of first-order formulas containing operations from various theories such as the Booleans, bit-vectors, arithmetic, arrays, and recursive datatypes. SMT solvers are extensions of Boolean satisfiability solvers (SAT solvers) that check the satisfiability of formulas built from...
Conference Paper
We present a new Simplex-based linear arithmetic solver that can be integrated efficiently in the DPLL(T) framework. The new solver improves over existing approaches by enabling fast backtracking, supporting a priori simplification to reduce the problem size, and providing an efficient form of theory propagation. We also present a new and simp...
Article
SMT stands for Satisfiability Modulo Theories. An SMT solver decides the satisfiability of propositionally complex formulas in theories such as arithmetic and uninterpreted functions with equality. SMT solving has numerous applications in automated theorem proving, in hardware and software verification, and in scheduling and planning problems. Thi...
Article
Yices is a decision procedure for formulas containing uninterpreted function symbols, linear real and integer arithmetic, fixed-size bitvectors, extensional arrays, lambda expressions, tuples, records, quantifiers, scalar types, recursive datatypes, and dependent types. Yices is the main decision procedure used by SAL. It is being integrated to PVS...
Article
We present a new Simplex-based linear arithmetic solver that can be integrated efficiently in the DPLL(T) framework. The new solver improves over existing approaches by enabling fast backtracking, supporting a priori simplification to reduce the problem size, and providing an efficient form of theory propagation. We also present a new a...
Article
Full-text available
The Satisfiability Modulo Theories Competition (SMT-COMP) is intended to spark further advances in the decision procedures field, especially for applications in hardware and software verification. Public competitions are a well-known means of stimulating advancement in automated reasoning. Evaluation of SMT solvers entered in SMT-COMP took place...
Article
Full-text available
We consider the problem of finding irredundant bases for inconsistent sets of equalities and disequalities. These are subsets of inconsistent sets which do not contain any literals which do not contribute to the unsatisfiability in an essential way, and can therefore be discarded. The approach we are pursuing here is to decorate derivations with pr...
Article
Full-text available
The efforts of researchers over the past 20 years has yielded an impressive array of verification tools. However, no single tool or method is going to solve the verification problem. An entire spectrum of formal methods and tools are needed ranging from test case generators, static analyzers, and type checkers, to invariant generators, decision pro-...
Article
We describe sal-atg, a tool for automated test generation that will be distributed as part of the next release of SAL. Given a SAL specification augmented with Boolean trap variables representing test goals, sal-atg generates an efficient set of tests to drive the trap variables to TRUE; SAL specifications are typically instrumented with t...
Article
We consider the problem of finding irredundant bases for inconsistent sets of equalities and disequalities. These are subsets of inconsistent sets which do not contain any literals which do not contribute to the unsatisfiability in an essential way, and can therefore be discarded. The approach we are pursuing here is to decorate derivations with pr...
Conference Paper
Full-text available
SAL (see http://sal.csl.sri.com) is an open suite of tools for analysis of state machines; it constitutes part of our vision for a Symbolic Analysis Laboratory that will eventually encompass SAL, the PVS verification system, the ICS decision procedures, and other tools developed in our group and elsewhere. SAL provides a language similar to that o...
Conference Paper
Full-text available
There is a large variety of algorithms for ground decision procedures, but their differences, in particular in terms of experimental performance, are not well studied. We develop maps of the behavior of ground decision procedures by comparing the performance of a variety of technologies on benchmark suites with differing characteristics. Based on t...
Article
s, linear arithmetic, and lists. The ground (i.e., quantifier-free) fragment of many combinations is decidable when the fully quantified combination is not, and practical experience indicates that automation of the ground case is adequate for most applications. Practical experience also suggests several other desiderata for an effective deductive servi...
Conference Paper
The development of an Integrated Canonizer/Solver (ICS) system that can be embedded in applications to provide deductive services is discussed. It is suggested that ICS can be used as a standalone application that reads formulas interactively, and can also be included as a library in any application that requires embedded deduction. ICS returns a j...
Article
It is well-known that counterexamples produced by model checkers can provide a basis for automated generation of test cases. However, when this approach is used to meet a coverage criterion, it generally results in very inefficient test sets having many tests and much redundancy. We describe an improved approach that uses model checkers to generate...
Article
SAL 2 augments the specification language and explicit-state model checker of SAL 1 with high-performance symbolic and bounded model checkers, and with novel infinite bounded and witness model checkers.
Article
Full-text available
SAL 2 augments the specification language and explicit-state model checker of SAL 1 with high-performance symbolic and bounded model checkers, and with novel infinite bounded and witness model checkers. The bounded model checker can use several different SAT solvers, while the infinite bounded model checker similarly can use several different ground...
Article
There is a large variety of algorithms for ground decision procedures, but their differences, in particular in terms of experimental performance, are not well studied. We develop maps of the behavior of ground decision procedures by comparing the performance of a variety of technologies on benchmark suites with differing characteristics.
Conference Paper
Symbolic evaluation is the execution of software and software designs on inputs given as symbolic or explicit constants along with constraints on these inputs. Efficient symbolic evaluation is now feasible due to recent advances in efficient decision procedures and symbolic model checking. Symbolic evaluation can be applied to partially implemented...
Conference Paper
Full-text available
It is well-known that counterexamples produced by model checkers can provide a basis for automated generation of test cases. However when this approach is used to meet a coverage criterion, it generally results in very inefficient test sets having many tests and much redundancy. We describe an improved approach that uses model checkers to generate...
Article
Symbolic evaluation is the execution of software and software designs on inputs given as symbolic or explicit constants along with constraints on these inputs. Efficient symbolic evaluation is now feasible due to recent advances in efficient decision procedures and symbolic model checking. Symbolic evaluation can be applied to partially implemented...
Article
Full-text available
Formal analyses can provide valuable assurance for high confidence software and systems. The analyses can range from strong typechecking through test case generation and static analysis to model checking and full verification. In all cases, the tools that support the analyses use formal deduction in some way or other. ICS is a fully automatic, high...
Conference Paper
Full-text available
Bluetooth is a short range wireless communication technology that has been designed to eliminate wires between both stationary and mobile devices. As wireless communication is much more vulnerable to attacks, Bluetooth provides authentication and encryption on the link level. However, the employed frequency hopping spread spectrum method can be exp...
Conference Paper
Full-text available
Symbolic evaluation is the execution of software and software designs on inputs given as symbolic or explicit constants along with constraints on these inputs. Efficient symbolic evaluation is now feasible due to recent advances in efficient decision procedures and symbolic model checking. Symbolic evaluation can be applied to partially implemented...
Conference Paper
We investigate the combination of propositional SAT checkers with domain-specific theorem provers as a foundation for bounded model checking over infinite domains. Given a program M over an infinite state type, a linear temporal logic formula ϕ with domain-specific constraints over program states, and an upper bound k, our procedure determines...
Article
We investigate the combination of propositional SAT checkers with satisfiability procedures for domain-specific theories such as linear arithmetic, arrays, lists and the combination thereof. Our procedure realizes a lazy approach to satisfiability checking of Boolean constraint formulas by iteratively refining Boolean formulas based on lemmas gener...
Article
We investigate the combination of propositional SAT checkers with domain-specific theorem provers as a foundation for bounded model checking over infinite domains. Given a program M over an infinite state type, a linear temporal logic formula ϕ with domain-specific constraints over program states, and an upper bound k, our procedure determines if the...
Article
Full-text available
We investigate the combination of propositional SAT checkers with satisfiability procedures for domain-specific theories such as linear arithmetic, arrays, lists and the combination thereof. Our procedure realizes a lazy approach to satisfiability checking of Boolean constraint formulas by iteratively refining Boolean formulas based on lemmas gener...
Article
Prior research has shown that high levels of software reuse can be achieved through the use of object-oriented frameworks. An object-oriented framework captures the common aspects of a family of applications, thus allowing the designers and implementers to reuse this experience at the design and code levels. In spite of being a powerful design solu...
Article
Visual composition is an interactive development of different applications by the direct manipulation of reusable components. We believe that the visual composition approach deals directly with the complexity of large software systems, making their development easier, more flexible, and easier to be understood. This is accomplished by implementing...
Conference Paper
Full-text available
Existing research suggests that a considerable fraction (5-10%) of the source code of large scale computer programs is duplicate code (“clones”). Detection and removal of such clones promises decreased software maintenance costs of possibly the same magnitude. Previous work was limited to detection of either near misses differing only in single lex...
Conference Paper
Full-text available
We explore the combination of bounded model checking and induction for proving safety properties of infinite-state systems. In particular, we define a general k-induction scheme and prove completeness thereof. A main characteristic of our methodology is that strengthened invariants are generated from failed k-induction proofs. This strengthening st...
Conference Paper
Full-text available
Decision procedures for checking satisfiability of logical formulas are crucial for many verification applications (e.g., [2,6,3]). Of particular recent interest are solvers for Satisfiability Modulo Theories (SMT). SMT solvers decide logical satisfiability (or dually, validity) with respect to a background theory in classical first-order logic with...
Article
Constraints over regular expressions are common in programming languages, often in combination with other constraints involving strings. Efficient solving of such constraints has many useful applications in program analysis and testing. We introduce a method for symbolically expressing and analyzing regular constraints using state of the art SMT so...
Article
SMT solvers that perform search over a large set of constraints need to maintain, update and propagate truth assignments to atomic constraints. Each new truth assignment may lead to additional constraint propagation, which depending on the constraint domain can be costly. Relevancy propagation keeps track of which truth assignments are essential f...
Article
Modern program analysis and model-based tools are increasingly complex and multi-faceted software systems. However, at their core is invariably a component using a logic for describing states and transformations between system states. Logic inference engines are then critical for the functionality of these systems. A commonly adapted approach ha...
Article
The Satisfiability Modulo Theories solver Z3 [10] is used in several program analysis and verification tools at Microsoft Research. Some of these tools require bit-precise reasoning for accurately modeling machine arithmetic instructions. But this alone is rarely sufficient, and an integration with other theories is required. The Pex tool [20] perf...
Article
The Satisfiability Modulo Theories Competition (SMT-COMP) arose from the SMT-LIB initiative to spur adoption of common, community-designed formats, and to spark further advances in satisfiability modulo theories (SMT). The first SMT-COMP was held in 2005 as a satellite event of CAV 2005. SMT-COMP 2006 was held August 17 - 19, 2006, as a...
Article
We present novel Gröbner basis algorithms based on saturation loops used by modern superposition theorem provers. By combining (i) top-level Gröbner basis construction strategies based on the OTTER and DISCOUNT saturation loops, and (ii) sophisticated term indexing techniques derived both from ATP literature and from superfluous S-polynomial cri...
Article
We observe that the decision problem for the ∃ theory of real closed fields (RCF) is simply reducible to the decision problem for RCF over a connective-free ∀ language in which the only relation symbol is a strict inequality. In particular, every ∃ RCF sentence φ can be settled by deciding a proposition of the form "polynomial p (which is a sum of sq...