STP constraint solver

Simple Theorem Prover SMT solver

Overview

STP is a constraint solver for the theory of quantifier-free bit-vectors that can solve many kinds of problems generated by program analysis tools, theorem provers, automated bug finders, cryptographic algorithms, intelligent fuzzers and model checkers.

A somewhat technical PPT presentation about STP is here and a somewhat newer PDF presentation is here.

Install instructions

For Debian-like platforms first install the prerequisites:

1
apt-get install cmake g++ zlib1g-dev libboost-all-dev flex bison

Then install minisat:

1
2
3
4
5
6
git clone https://github.com/stp/minisat.git`
cd minisat && mkdir build && cd build
cmake ..
make
sudo make install
cd ../..

Then install STP:

1
2
3
4
5
git clone https://github.com/stp/stp.git
cd stp && mkdir build && cd build
cmake ..
make
sudo make install

For windows-like environments: you will need to first install the zlib library then install minisat and stp exactly like above, using cmake to create Visual Studio project files, e.g. cmake .. -G "Visual Studio 10 Win64" and then building with Visual Studio.

Languages parsed

The file based input formats that STP reads are the: CVC, SMT-LIB1, and SMT-LIB2 formats. The SMT-LIB2 format is the recommended file format, because it is parsed by all modern bitvector solvers. STP implements a subset of the SMT-LIB2 language; not all SMT-LIB2 features are implemented.

Python usage

1
2
3
4
5
6
7
8
9
10
11
12
import stp
s = stp.Solver()
a = s.bitvec('a', 32)
b = s.bitvec('b', 32)
c = s.bitvec('c', 32)
s.add(a == 5)
s.add(b == 6)
s.add(a + b == c)
s.check()
-> True
s.model()
-> {'a': 5L, 'b': 6L, 'c': 11L}

SMT-LIBv2 Usage

Signed division of -1/-2 = 0, should be satisfiable.

1
2
3
4
(set-logic QF_BV)
(assert (= (bvsdiv (_ bv3 2) (_ bv2 2)) (_ bv0 2)))
(check-sat)
(exit)

C library usage

When STP is built it generates a lib/libstp.a static library which can be used with one of two header files, depending on the preferred language:

  • include/stp/c_interface.h for a C interface to STP
  • include/stp/cpp_interface.hfor a C++ interface to STP

An example C header usage can be as simple as:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
#include "stp/c_interface.h"
#include <assert.h>

int main(int argc, char **argv) {
  VC vc = vc_createValidityChecker();

  // 32-bit variable 'c'
  Expr c = vc_varExpr(vc, "c", vc_bvType(vc, 32));

  // 32 bit constant value 5
  Expr a = vc_bvConstExprFromInt(vc, 32, 5);

  // 32 bit constant value 6
  Expr b = vc_bvConstExprFromInt(vc, 32, 6);

  // a+b!=c
  Expr xp1 = vc_bvPlusExpr(vc, 32, a, b);
  Expr eq = vc_eqExpr(vc, xp1, c);
  Expr eq2 = vc_notExpr(vc, eq);

  //Is a+b!=c always correct?
  int ret = vc_query(vc, eq2);

  //No, c=a+b is a counterexample
  assert(ret == false);

  //print c = 11 counterexample
  vc_printCounterExample(vc);

  //Delete validity checker
  vc_Destroy(vc);

  return 0;
}

If you use CMake as the build system for your project it is easy to use STP as an external project. An example can be found in the sources under examples/simple.

Awards

Use cases

  • KLEE symbolic fuzzer is using STP at its core (Professor Cristian Cadar’s group at Imperial College, London, and Professor Dawson Engler’s group at Stanford University)
  • Souper project at the University of Utah and Google
  • S2E at EPFL
  • Mayhem fuzzer, which found over 1000 bugs in mainline Debian is using KLEE and hence STP
  • Binary Analysis Platform (BAP) is using STP for analysis, by the CMU
  • EXE is a symbolic-execution based bug-finding tool that reads your C program and tries to automatically crash it (Stanford University)
  • MINESWEEPER is a tool that automatically analyzes certain malicious behavior in unix utilities and malware. (Carnegie Mellon University)
  • CATCHCONV is a bug finding tool that tries to find bugs due to type mismatch in C programs. (University of California, Berkeley)
  • Backward path-sensitive analysis of C programs to find bugs by Tim Leek from MIT Lincoln Labs
  • Bug finding in Verilog code (a major microprocessor company)
  • JPF-SE is a symbolic execution extension to the Java PathFinder model checker . (NASA Ames Research Center)
  • Avalanche bug-finding tool (Institute of Systems Programming, Moscow, Russia)
  • Low-level Bounded Model Checker - LLBMC (Karlsruhe Institute of Technology (KIT), Germany)
  • FuzzGrind (ESEC Lab)
  • In conjunction with ACL2 to formally verify implementation of encryption algorithms in Java (Stanford University)
  • Hampi : A solver for string constraints used to automatically construct SQL injection and XSS exploits (MIT)
  • Automatic configuration: Tvl2STP (University of Namur in Belgium)

Architecture

STP is an efficient decision procedure for the validity (or satisfiability) of formulas from a quantifier-free many-sorted theory of fixed-width bitvectors and (non-extensional) one-dimensional arrays. The functions in STP’s input language include concatenation, extraction, left/right shift, sign-extension, unary minus, addition, multiplication, (signed) modulo/division, bitwise Boolean operations, if-then-else terms, and array reads and writes. The predicates in the language include equality and (signed) comparators between bitvector terms.

The basic architecture of STP essentially follows the idea of word-level preprocessing followed by translation to SAT (We use MINISAT and CRYPTOMINISAT). In particular, we introduce several new heuristics for the preprocessing step, including abstraction-refinement in the context of arrays, a new bitvector linear arithmetic equation solver, and some interesting simplifications. These heuristics help us achieve several magnitudes of order performance over other tools, and also over straight-forward translation to SAT. STP has been heavily tested on thousands of examples sourced from various real-world applications such as program analysis and bug-finding tools like EXE, and equivalence checking tools and theorem-provers.

History and authors

The initial versions of STP were written primarily by Vijay Ganesh as part of his PhD thesis, and the project was later maintained by Trevor Hansen. The current primary maintainers are Mate Soos, Dan Liew, and Ryan Govostes who have improved it in many ways. STP is based on the following papers:

Past contributors: Khoo Yit Phang, Ed Schwartz, Mike Katelman (PhD Student, University of Illinois, Urbana-Champaign, IL, USA), Philip Guo (Student, Stanford University, Stanford, CA, USA), David L. Dill (Professor, Stanford University, Stanford, CA, USA), Tim King (Student, Stanford University and NYU). Please note that everyone working on the project is doing so out of hobby or as a way to help them in their work/study projects.