Overview ======== STP is a constraint solver for the theory of quantifier-free bitvectors that can solve many kinds of problems generated by program analysis tools, theorem provers, automated bug finders, cryptographic algorithms, intelligent fuzzers and model checkers. Research bibtex reference can be found `here `__. .. raw:: html Install instructions ==================== For Debian-like platforms first install the prerequisites: .. code-block:: bash apt-get install cmake g++ zlib1g-dev libboost-all-dev flex bison Then install minisat: .. code-block:: bash git clone https://github.com/stp/minisat.git cd minisat && mkdir build && cd build cmake .. make sudo make install cd ../.. Then install STP: .. code-block:: bash git clone https://github.com/stp/stp.git cd stp && mkdir build && cd build cmake .. make sudo make install For windows-like environments: you will need to first install the zlib library then install minisat and stp exactly like above, using cmake to create Visual Studio project files, e.g. ``cmake .. -G "Visual Studio 10 Win64"`` and then building with Visual Studio. Languages parsed ================ The SMT-LIB2 format is the recommended file format for use with STP, in part because it is parsed by all modern bitvector solvers. STP implements a subset of the SMT-LIB2 language; not all SMT-LIB2 features are implemented. .. toctree:: :maxdepth: 1 smt-input-language Python usage ============ .. code-block:: python import stp s = stp.Solver() a = s.bitvec('a', 32) b = s.bitvec('b', 32) c = s.bitvec('c', 32) s.add(a == 5) s.add(b == 6) s.add(a + b == c) s.check() >>> True s.model() >>> {'a': 5L, 'b': 6L, 'c': 11L} SMT-LIB2 Usage =============== Signed division of -1/-2 = 0, should be satisfiable. .. code-block:: lisp (set-logic QF_BV) (assert (= (bvsdiv (_ bv3 2) (_ bv2 2)) (_ bv0 2))) (check-sat) (exit) C library usage =============== When STP is built it generates a ``lib/libstp.a`` static library which can be used with one of two header files, depending on the preferred language: - ``include/stp/c_interface.h`` for a C interface to STP - ``include/stp/cpp_interface.h`` for a C++ interface to STP An example C header usage can be as simple as: .. code-block:: c #include "stp/c_interface.h" #include int main(int argc, char **argv) { VC vc = vc_createValidityChecker(); // 32-bit variable 'c' Expr c = vc_varExpr(vc, "c", vc_bvType(vc, 32)); // 32 bit constant value 5 Expr a = vc_bvConstExprFromInt(vc, 32, 5); // 32 bit constant value 6 Expr b = vc_bvConstExprFromInt(vc, 32, 6); // a+b!=c Expr xp1 = vc_bvPlusExpr(vc, 32, a, b); Expr eq = vc_eqExpr(vc, xp1, c); Expr eq2 = vc_notExpr(vc, eq); //Is a+b!=c always correct? int ret = vc_query(vc, eq2); //No, c=a+b is a counterexample assert(ret == false); //print c = 11 counterexample vc_printCounterExample(vc); //Delete validity checker vc_Destroy(vc); return 0; } If you use CMake as the build system for your project it is easy to use STP as an external project. An example can be found in the sources under |examples|_. .. |examples| replace:: ``examples/simple`` .. _examples: https://github.com/stp/stp/tree/master/examples/simple Awards ====== - STP won the incremental competition in the QF_BV category in the `SMTCOMP 2021`. - STP placed `2nd in the bitvector category `__ in the SMTCOMP 2014, just after the `Boolector `__ system - STP placed 2nd in the bitvector category in the SMTCOMP 2011 - STP won the bitvector category at `SMTCOMP 2010 `__ - STP won the `SMTCOMP 2006 `__ competition (Bitvector category) in 2006 Use cases ========= - `KLEE symbolic fuzzer `__ is using STP at its core (Professor Cristian Cadar’s group at Imperial College, London, and Professor Dawson Engler’s group at Stanford University) - `Souper project `__ at the University of Utah and Google - `S2E `__ at EPFL - Mayhem fuzzer, which `found over 1000 bugs `__ in mainline Debian is using KLEE and hence STP - `Binary Analysis Platform (BAP) `__ is using STP for analysis, by the CMU - `EXE `__ is a symbolic-execution based bug-finding tool that reads your C program and tries to automatically crash it (Stanford University) - `MINESWEEPER `__ is a tool that automatically analyzes certain malicious behavior in unix utilities and malware. (Carnegie Mellon University) - `CATCHCONV `__ is a bug finding tool that tries to find bugs due to type mismatch in C programs. (University of California, Berkeley) - Backward path-sensitive analysis of C programs to find bugs by Tim Leek from MIT Lincoln Labs - Bug finding in Verilog code (a major microprocessor company) - `JPF-SE `__ is a symbolic execution extension to the Java PathFinder model checker . (NASA Ames Research Center) - `Avalanche `__ bug-finding tool (Institute of Systems Programming, Moscow, Russia) - `Low-level Bounded Model Checker - LLBMC `__ (Karlsruhe Institute of Technology (KIT), Germany) - `FuzzGrind `__ (ESEC Lab) - In conjunction with `ACL2 `__ to formally verify implementation of encryption algorithms in Java (Stanford University) - `Hampi `__ : A solver for string constraints used to automatically construct SQL injection and XSS exploits (MIT) - Automatic configuration: Tvl2STP (University of Namur in Belgium) Architecture ============ STP is an efficient decision procedure for the validity (or satisfiability) of formulas from a quantifier-free many-sorted theory of fixed-width bitvectors and (non-extensional) one-dimensional arrays. The functions in STP’s input language include concatenation, extraction, left/right shift, sign-extension, unary minus, addition, multiplication, (signed) modulo/division, bitwise Boolean operations, if-then-else terms, and array reads and writes. The predicates in the language include equality and (signed) comparators between bitvector terms. The basic architecture of STP essentially follows the idea of word-level preprocessing followed by translation to SAT (We use MINISAT and CRYPTOMINISAT). In particular, we introduce several new heuristics for the preprocessing step, including abstraction-refinement in the context of arrays, a new bitvector linear arithmetic equation solver, and some interesting simplifications. These heuristics help us achieve several magnitudes of order performance over other tools, and also over straight-forward translation to SAT. STP has been heavily tested on thousands of examples sourced from various real-world applications such as program analysis and bug-finding tools like EXE, and equivalence checking tools and theorem-provers. History and authors =================== The initial versions of STP were written primarily by Vijay Ganesh as part of his PhD thesis, and the project was later maintained by Trevor Hansen. The current primary maintainers are Mate Soos, Dan Liew, and Ryan Govostes who have improved it in many ways. STP is based on the following papers: - `A Decision Procedure for Bit-Vectors and Arrays `__ by Vijay Ganesh and David L. Dill. In Proceedings of the International Conference in Computer Aided Verification (CAV 2007), Berlin, Germany, July 2007 - `EXE: Automatically Generating Inputs of Death `__ by Cristian Cadar, Vijay Ganesh, Peter Pawlowski, Dawson Engler, David Dill. In Proceedings of ACM Conference on Computer and Communications Security 2006 (CCS 2006), Alexandria, Virginia, October, 2006 Past contributors: Khoo Yit Phang, Ed Schwartz, Mike Katelman (PhD Student, University of Illinois, Urbana-Champaign, IL, USA), Philip Guo (Student, Stanford University, Stanford, CA, USA), David L. Dill (Professor, Stanford University, Stanford, CA, USA), Tim King (Student, Stanford University and NYU). Please note that everyone working on the project is doing so out of hobby or as a way to help them in their work/study projects.