
The Z3 Theorem Prover released under MIT license - dahlia
https://github.com/Z3Prover/z3
======
tomp
Amazing!

When I was prototyping a programming language with support for _contracts_ (or
_refined types_, e.g. `x : int if x > 0`), I tested a few different SMT
solvers, including AltErgo, CVC and Yices (these seemed to be the most used
open source solvers).

However, none of them were nearly as useful as Z3. In particular, they had no
concept of a _stack_ that allows the user to define different assertions
_locally_, and then cancel them later. Without the stack, one would need to
restart the solver and re-declare all variables (with all their constraints)
for every function call with a constraint, compared to a single SMT script for
each function verified in Z3.

Also, Z3 supports many more theories; in particular it supports non-linear
integer arithmetic (which is an undecidable, incomplete theory), either by
using some heuristics, or by translating the statements into the theory of
real arithmetic (which is complete and decidable).
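
The local-assertion stack described in the post above, as an added SMT-LIB example (not code from the original thread or from the Z3 project): one set of declarations is shared, and each contract check is wrapped in `push`/`pop` so the next check starts from the shared state again. The function `inc_pos`, its refinement types and the variable names are invented for illustration.

```smt2
; Added example: checking a refined-type contract such as `x : int if x > 0`
; with Z3's assertion stack, so each check reuses the declarations below
; instead of restarting the solver. `inc_pos` and its contract are invented.
(set-option :produce-models true)

; Shared declarations, made once for every check in this script.
(declare-fun x () Int)
(declare-fun y () Int)

; Refined argument type of inc_pos: `x : int if x > 0`
(define-fun pre ((v Int)) Bool (> v 0))
; Refined return type of inc_pos: `r : int if r > 1`
(define-fun post ((r Int)) Bool (> r 1))
; Body of inc_pos: returns its argument plus one.
(define-fun inc_pos ((v Int)) Int (+ v 1))

; Check 1: the body respects its return type whenever the precondition holds.
; A property is proved by asserting its negation: `unsat` means no input
; under the precondition can violate the postcondition.
(push)
(assert (pre x))
(assert (not (post (inc_pos x))))
(check-sat)
(pop)

; Check 2: a call site `inc_pos(y)` where nothing is known about y.
; `sat` means the caller can violate the precondition; the model is a
; concrete value of y that does so (which value is the solver's choice).
(push)
(assert (not (pre y)))
(check-sat)
(get-model)
(pop)

; Check 3: the same call site after the caller guards it with `y > 5`.
; The guard was pushed locally, so it disappears again at the `pop`;
; `unsat` here means the guard implies the precondition.
(push)
(assert (> y 5))
(assert (not (pre y)))
(check-sat)
(pop)
```

Fed to `z3 -smt2 file.smt2`, the three `check-sat` calls answer in order, and the `get-model` after the second shows the offending value of `y`.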

------
panic
For one example of why Z3 is cool, check out this application to "peephole"
compiler optimizations:
[http://blog.regehr.org/archives/1170](http://blog.regehr.org/archives/1170)

Also take a look at the "licensing" section to see why switching to the MIT
license is a big deal. Even open source software projects like LLVM have had
to worry about whether using Z3 was OK or not. Now they don't any more!

------
pavpanchekha
I'm working with Z3 now, and it's been a real joy. One of the biggest advances
in programming languages in recent years, perhaps. Glad to see it open-sourced
and moved to Github.

~~~
andrepd
Can you elaborate on what exactly do you do with it, and how?

~~~
microarchitect
I am not the OP, but I'm using Z3 in my research to help with the formal
verification of hardware and firmware.

My problem is as follows. I have a microcontroller which runs firmware. I want
to verify various things about the hardware+firmware combination. For
instance, I may be interested in proving that user mode firmware cannot change
the MMU configuration.

There are many parts to this problem. First is verifying that the kernel
doesn't expose routines that let you do these kinds of things. This is a kind
of s/w verification problem, somewhat well studied. Second, you want to make
sure there are no h/w bugs in the microcontroller itself which the user mode
software can exploit to do bad stuff. This is traditional h/w verification,
also well-studied. The third is that there aren't weird corners of the
microcontroller ISA specification itself which can be exploited. This is also
a kind of h/w bug albeit a specification bug.

The third part is where Z3 comes in because often, there isn't any
specification, and if there is, it's a bunch of PDFs or word documents. What
we want is to generate a formal specification, which you can examine using
formal tools to prove that it satisfies certain properties. And then we want
to prove that our implementation conforms to this specification. We're using
some techniques from program synthesis with Z3 as the solver for this.

~~~
asb
Hi, I can't see an email address in your profile so sorry for the public
message. With the lowRISC project [http://lowrisc.org/](http://lowrisc.org/)
and related research at University of Cambridge we're becoming very interested
in formal verification of hw+sw. I found this work out of Kaiserslautern
interesting: [http://www-eda.eit.uni-kl.de/eis/research/publications/paper...](http://www-eda.eit.uni-kl.de/eis/research/publications/papers/DAC2011.pdf).
Could you say any more about your research? I'd be very interested in an
email conversation - I'm at alex.bradbury@cl.cam.ac.uk

------
tsomctl
Note that the Z3 source code has been available for a while, but a commercial
license was $10,000.

~~~
wslh
$10,000 seems like a magic number. Another Microsoft Research project,
Detours [1], costs $9,999.95.

[1]
[http://www.microsoftstore.com/store/msus/en_AU/pdp/Microsoft...](http://www.microsoftstore.com/store/msus/en_AU/pdp/Microsoft-Research-Detours-v3-Professional/productID.254378300)

~~~
raverbashing
Yes

It's cheap enough for a company to buy it without many signatures, but also on
the upper scale of what people who "don't want Open Source" can pay.

------
hokkos
I hope they will open source Microsoft.Automata too, it was very useful for a
project where I had to generate samples of strings that had to conform to
multiple regexes:

[http://research.microsoft.com/en-us/projects/automata/](http://research.microsoft.com/en-us/projects/automata/)

~~~
porges
There are potentially patents on the code, e.g.
[https://www.google.co.nz/patents/US8515891](https://www.google.co.nz/patents/US8515891)
which discusses PEX + regex (mentioning SMT solvers).

------
tluyben2
Great project by MS research: good to see they picked a great license! See
[http://rise4fun.com](http://rise4fun.com) for more great projects like that.

------
fit2rule
Could someone who knows about these things compare Z3 with the Google
or-tools? ([https://code.google.com/p/or-tools/](https://code.google.com/p/or-tools/))

Pros/cons of the two?

------
jrapdx3
Z3 is something I didn't know about until encountering it here. Spent the last
few hours playing with the solver; it's quite interesting, especially since
I've had a fair amount of exposure to Scheme. Felt right at home after getting
it up and running.

Glitch-free compiling and installing under FreeBSD. The only problem was
finding documentation. Rise4fun.com is mentioned in another post; the exact
URL for getting started is
[http://rise4fun.com/Z3/tutorial/guide](http://rise4fun.com/Z3/tutorial/guide).
Also, very useful information here: [http://www.smt-lib.org/](http://www.smt-lib.org/)

------
harperlee
Could someone informed please explain how this is more restricted to only
proving theorems, instead of being a more general Prolog-like system?

From the Microsoft Research page, I read:

> _Z3 is a high-performance theorem prover being developed at Microsoft
> Research. Z3 supports linear real and integer arithmetic, fixed-size
> bit-vectors, extensional arrays, uninterpreted functions, and quantifiers.
> Z3 is integrated with a number of program analysis, testing, and
> verification tools from Microsoft Research._

And with my current knowledge (which is low on the matter) I can't reconcile
arithmetic, arrays, quantifiers, etc. with general program verification...

~~~
eslaught
Z3 is an SMT solver
([https://en.wikipedia.org/wiki/Satisfiability_modulo_theories](https://en.wikipedia.org/wiki/Satisfiability_modulo_theories)).
You can think of it like a SAT solver with extra optimizations for certain
domains, so that it doesn't need to do bit-blasting to e.g. compare integers.
SMT is NP-complete, just like SAT, but it is decidable (so the solver will
"eventually" give you a yes/no answer, though "eventually" could be a long
time).

This is in pretty stark contrast to Prolog, which includes features which make
it undecidable. Therefore you can make Prolog loop infinitely, while that is
not possible in an SMT solver.

~~~
poizan42
Uhm, you can throw Diophantine equations at Z3, which certainly isn't a
decidable problem. I have no idea whether it errs on the side of termination
(i.e. not giving an answer) or non-termination (i.e. running forever).

~~~
deckar01
The very first example on Github shows that checking a conjecture results in
one of 3 outcomes:

- Unsatisfied (unsat)

- Satisfied (sat)

- Unknown (unknown)

------
csl
I've used model checkers before, but never SMT solvers. Looks really cool!

Anyway, here's a great post on solving a Project Euler problem using
Z3/SMT-lib, which may be inspiring for other novices like myself:

[http://blogs.teamb.com/craigstuntz/2014/07/07/38818/](http://blogs.teamb.com/craigstuntz/2014/07/07/38818/)

------
frik
I heard Microsoft uses provers to check (automated verification) third party
kernel mode device drivers. Is that the Z3 prover? I searched on Google and
got several results, but the meaning of the term "kernel" is overloaded and
means different things in operating systems and provers/solvers.

~~~
jonjacky
This page says that the driver verifier uses the SLAM verification engine - I
am not sure whether/how that is related to Z3:

[http://research.microsoft.com/en-us/projects/slam/](http://research.microsoft.com/en-us/projects/slam/)

~~~
gsnedders
SLAM2 uses Z3 for a few things, AIUI.

------
1ris
This is really huge.

Maybe Idris or Coq integrate Z3.

~~~
javra
One of the main devs of Z3, Leonardo de Moura, is actually working on a new,
dependently typed theorem prover called "Lean":
[http://leanprover.github.io/](http://leanprover.github.io/)

~~~
NotableAlamode
Is Lean an LCF system or Curry-Howard based? It seems to be the latter, but if
so, what's its main advantage over the many other Curry-Howard based systems?

------
fugyk
You can try Z3 online here: [http://rise4fun.com/Z3/](http://rise4fun.com/Z3/)

------
cjdrake
This is a really great library. Thanks to Microsoft :).

------
bbcbasic
I wonder, does Code Contracts use Z3?

~~~
ygra
Code Contracts are just assertions. Pex can use them though and is built on
Z3, iirc.

~~~
bbcbasic
They seem to be more than assertions. You get warnings at build time and
clearly some proving engine must be in use.

