An approach based on coverage-guided fuzzing for determining the satisfiability of SMT constraints, particularly those involving floating-point arithmetic.

Overview

We investigate the use of coverage-guided fuzzing as a means of proving satisfiability of SMT formulas over finite variable domains, with specific application to floating-point constraints. We show how an SMT formula can be encoded as a program containing a location that is reachable if and only if the program’s input corresponds to a satisfying assignment to the formula. A coverage-guided fuzzer can then be used to search for an input that reaches the location, yielding a satisfying assignment. We have implemented this idea in a tool, Just Fuzz-it Solver (JFS), and we present a large experimental evaluation showing that JFS is both competitive with and complementary to state-of-the-art SMT solvers with respect to solving floating-point constraints, and that the coverage-guided approach of JFS provides significant benefit over naive fuzzing in the floating-point domain. Applied in a portfolio manner, the JFS approach thus has the potential to complement traditional SMT solvers for program analysis tasks that involve reasoning about floating-point constraints.

Artefact

The code for JFS is available here.

Research Support

This research was supported in part by the UK EPSRC via grants EP/N007166/1, EP/P010040/1 and EP/R006865/1.

Publications

  • Just Fuzz It: Solving Floating-point Constraints Using Coverage-guided Fuzzing

    Daniel Liew, Cristian Cadar, Alastair Donaldson, J. Ryan Stinnett

    European Software Engineering Conference / ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE 2019)