STP is a constraint solver for the theory of quantifier-free bit-vectors that can solve many kinds of problems generated by program analysis tools, theorem provers, automated bug finders, cryptographic algorithms, intelligent fuzzers and model checkers.
For Debian-like platforms first install the prerequisites:
Then install minisat:
1 2 3 4 5 6
Then install STP:
1 2 3 4 5
For windows-like environments: you will need to first install the zlib library then install minisat and stp exactly like above, using cmake to create Visual Studio project files, e.g.
cmake .. -G "Visual Studio 10 Win64" and then building with Visual Studio.
The file based input formats that STP reads are the: CVC, SMT-LIB1, and SMT-LIB2 formats. The SMT-LIB2 format is the recommended file format, because it is parsed by all modern bitvector solvers. STP implements a subset of the SMT-LIB2 language; not all SMT-LIB2 features are implemented.
1 2 3 4 5 6 7 8 9 10 11 12
Signed division of -1/-2 = 0, should be satisfiable.
1 2 3 4
C library usage
When STP is built it generates a
lib/libstp.a static library which can be used with one of two header files, depending on the preferred language:
include/stp/c_interface.hfor a C interface to STP
include/stp/cpp_interface.hfor a C++ interface to STP
An example C header usage can be as simple as:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34
If you use CMake as the build system for your project it is easy to use STP as an external project. An example can be found in the sources under
- STP placed 2nd in the bitvector category in the SMTCOMP 2014, just after the proprietary Boolector system
- STP placed 2nd in the bitvector category in the SMTCOMP 2011
- STP won the bit-vector category at SMTCOMP 2010
- STP won the SMTCOMP 2006 competition (Bit-vector category) in 2006
- KLEE symbolic fuzzer is using STP at its core (Professor Cristian Cadar’s group at Imperial College, London, and Professor Dawson Engler’s group at Stanford University)
- Souper project at the University of Utah and Google
- S2E at EPFL
- Mayhem fuzzer, which found over 1000 bugs in mainline Debian is using KLEE and hence STP
- Binary Analysis Platform (BAP) is using STP for analysis, by the CMU
- EXE is a symbolic-execution based bug-finding tool that reads your C program and tries to automatically crash it (Stanford University)
- MINESWEEPER is a tool that automatically analyzes certain malicious behavior in unix utilities and malware. (Carnegie Mellon University)
- CATCHCONV is a bug finding tool that tries to find bugs due to type mismatch in C programs. (University of California, Berkeley)
- Backward path-sensitive analysis of C programs to find bugs by Tim Leek from MIT Lincoln Labs
- Bug finding in Verilog code (a major microprocessor company)
- JPF-SE is a symbolic execution extension to the Java PathFinder model checker . (NASA Ames Research Center)
- Avalanche bug-finding tool (Institute of Systems Programming, Moscow, Russia)
- Low-level Bounded Model Checker - LLBMC (Karlsruhe Institute of Technology (KIT), Germany)
- FuzzGrind (ESEC Lab)
- In conjunction with ACL2 to formally verify implementation of encryption algorithms in Java (Stanford University)
- Hampi : A solver for string constraints used to automatically construct SQL injection and XSS exploits (MIT)
- Automatic configuration: Tvl2STP (University of Namur in Belgium)
STP is an efficient decision procedure for the validity (or satisfiability) of formulas from a quantifier-free many-sorted theory of fixed-width bitvectors and (non-extensional) one-dimensional arrays. The functions in STP’s input language include concatenation, extraction, left/right shift, sign-extension, unary minus, addition, multiplication, (signed) modulo/division, bitwise Boolean operations, if-then-else terms, and array reads and writes. The predicates in the language include equality and (signed) comparators between bitvector terms.
The basic architecture of STP essentially follows the idea of word-level preprocessing followed by translation to SAT (We use MINISAT and CRYPTOMINISAT). In particular, we introduce several new heuristics for the preprocessing step, including abstraction-refinement in the context of arrays, a new bitvector linear arithmetic equation solver, and some interesting simplifications. These heuristics help us achieve several magnitudes of order performance over other tools, and also over straight-forward translation to SAT. STP has been heavily tested on thousands of examples sourced from various real-world applications such as program analysis and bug-finding tools like EXE, and equivalence checking tools and theorem-provers.
History and authors
The initial versions of STP were written primarily by Vijay Ganesh as part of his PhD thesis, and the project was later maintained by Trevor Hansen. The current primary maintainers are Mate Soos, Dan Liew, and Ryan Govostes who have improved it in many ways. STP is based on the following papers:
- A Decision Procedure for Bit-vectors and Arrays by Vijay Ganesh and David L. Dill. In Proceedings of the International Conference in Computer Aided Verification (CAV 2007), Berlin, Germany, July 2007
- EXE: Automatically Generating Inputs of Death by Cristian Cadar, Vijay Ganesh, Peter Pawlowski, Dawson Engler, David Dill. In Proceedings of ACM Conference on Computer and Communications Security 2006 (CCS 2006), Alexandria, Virginia, October, 2006
Past contributors: Khoo Yit Phang, Ed Schwartz, Mike Katelman (PhD Student, University of Illinois, Urbana-Champaign, IL, USA), Philip Guo (Student, Stanford University, Stanford, CA, USA), David L. Dill (Professor, Stanford University, Stanford, CA, USA), Tim King (Student, Stanford University and NYU). Please note that everyone working on the project is doing so out of hobby or as a way to help them in their work/study projects.