Satisfiability Modulo Bit-Precise Theories for Program Exploration

The Satisfiability Modulo Theories solver Z3 is used in several program analysis and verification tools at Microsoft Research. Some of these tools require bit-precise reasoning for accurately modeling machine arithmetic instructions. But this alone is rarely sufficient, and an integration with other theories is required. The Pex tool performs program exploration of .NET programs by generating and solving path conditions corresponding to paths that get explored during concrete execution. The path conditions reflect directly the executed instructions, including ones involving machine arithmetic supported by the CLR. The path conditions include also operations on heaps and structures. Pex relies on Z3's ability to produce models for satisfiable path conditions, the models must reflect the combination of the involved theories: bit-vectors, arrays, and tuples.