Model-Counting Approaches for Nonlinear Numerical Constraints

  • Mateus BorgesEmail author
  • Quoc-Sang Phan
  • Antonio Filieri
  • Corina S. Păsăreanu
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10227)


Model counting is of central importance in quantitative reasoning about systems. Examples include computing the probability that a system successfully accomplishes its task without errors, and measuring the number of bits leaked by a system to an adversary in Shannon entropy. Most previous work in those areas demonstrated their analysis on programs with linear constraints, in which cases model counting is polynomial time. Model counting for nonlinear constraints is notoriously hard, and thus programs with nonlinear constraints are not well-studied. This paper surveys state-of-the-art techniques and tools for model counting with respect to SMT constraints, modulo the bitvector theory, since this theory is decidable, and it can express nonlinear constraints that arise from the analysis of computer programs. We integrate these techniques within the Symbolic Pathfinder platform and evaluate them on difficult nonlinear constraints generated from the analysis of cryptographic functions.


Model counting modulo theories Bitvector arithmetic Nonlinear constraints Cryptographic functions 



This work was funded in part by the National Science Foundation (NSF Grant Nos. CCF-1319858, CCF-1549161) and also by DARPA under agreement number FA8750-15-2-0087. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright notation thereon. Mateus Borges is funded by an Imperial College PhD Scholarship.


  1. 1.
    ISSTAC: Integrated Symbolic Execution for Space-Time Analysis of Code.
  2. 2.
    Backes, M., Kopf, B., Rybalchenko, A.: Automatic discovery and quantification of information leaks. In: SP 2009, pp. 141–153 (2009)Google Scholar
  3. 3.
    Bang, L., Aydin, A., Phan, Q.S., Păsăreanu, C.S., Bultan, T.: String analysis for side channels with segmented oracles. In: FSE 2016, pp. 193–204. ACM (2016)Google Scholar
  4. 4.
    Borges, M., Filieri, A., d’Amorim, M., Păsăreanu, C.S., Visser, W.: Compositional solution space quantification for probabilistic software analysis. In: PLDI, pp. 123–132. ACM (2014)Google Scholar
  5. 5.
    Brickenstein, M., Dreyer, A.: PolyBoRi: a framework for gröbner-basis computations with boolean polynomials. J. Symb. Comput. 44(9), 1326–1345 (2009)CrossRefzbMATHGoogle Scholar
  6. 6.
    Brumley, D., Boneh, D.: Remote timing attacks are practical. In: SSYM 2003, pp. 1–1. USENIX Association (2003)Google Scholar
  7. 7.
    Chakraborty, S., Meel, K.S., Mistry, R., Vardi, M.Y.: Approximate probabilistic inference via word-level counting. In: AAAI 2016, pp. 3218–3224 (2016)Google Scholar
  8. 8.
    Chistikov, D., Dimitrova, R., Majumdar, R.: Approximate counting in SMT and value estimation for probabilistic programs. In: Baier, C., Tinelli, C. (eds.) TACAS 2015. LNCS, vol. 9035, pp. 320–334. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-46681-0_26 Google Scholar
  9. 9.
    Cimatti, A., Griggio, A., Schaafsma, B.J., Sebastiani, R.: The MathSAT5 SMT solver. In: Piterman, N., Smolka, S.A. (eds.) TACAS 2013. LNCS, vol. 7795, pp. 93–107. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-36742-7_7 CrossRefGoogle Scholar
  10. 10.
    Moura, L., Bjørner, N.: Z3: an efficient SMT solver. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 337–340. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-78800-3_24 CrossRefGoogle Scholar
  11. 11.
    Filieri, A., Păsăreanu, C.S., Visser, W.: Reliability analysis in symbolic pathfinder. In: ICSE, pp. 622–631. IEEE Press (2013)Google Scholar
  12. 12.
    Gao, S.: Counting zeros over finite fields using Gröbner bases. Master’s thesis, Carnegie Mellon University (2009)Google Scholar
  13. 13.
    Grumberg, O., Schuster, A., Yadgar, A.: Memory efficient all-solutions SAT solver and its application for reachability analysis. In: Hu, A.J., Martin, A.K. (eds.) FMCAD 2004. LNCS, vol. 3312, pp. 275–289. Springer, Heidelberg (2004). doi: 10.1007/978-3-540-30494-4_20 CrossRefGoogle Scholar
  14. 14.
    King, J.C.: Symbolic execution and program testing. Commun. ACM 19(7), 385–394 (1976)MathSciNetCrossRefzbMATHGoogle Scholar
  15. 15.
    Klebanov, V., Manthey, N., Muise, C.: SAT-based analysis and quantification of information flow in programs. In: Joshi, K., Siegle, M., Stoelinga, M., D’Argenio, P.R. (eds.) QEST 2013. LNCS, vol. 8054, pp. 177–192. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-40196-1_16 CrossRefGoogle Scholar
  16. 16.
    Klebanov, V., Weigl, A., Weisbarth, J.: Sound probabilistic #SAT with projection. In: QAPL 2016, pp. 15–29 (2016)Google Scholar
  17. 17.
    Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996). doi: 10.1007/3-540-68697-5_9 Google Scholar
  18. 18.
    Loera, J.A.D., Hemmecke, R., Tauzer, J., Yoshida, R.: Effective lattice point counting in rational convex polytopes. J. Symb. Comput. 38(4), 1273–1302 (2004)MathSciNetCrossRefzbMATHGoogle Scholar
  19. 19.
    Malacaria, P.: Algebraic foundations for quantitative information flow. Math. Struct. Comput. Sci. 25, 404–428 (2015)MathSciNetCrossRefzbMATHGoogle Scholar
  20. 20.
    Muise, C., McIlraith, S.A., Beck, J.C., Hsu, E.I.: Dsharp: fast d-DNNF compilation with sharpSAT. In: Kosseim, L., Inkpen, D. (eds.) AI 2012. LNCS (LNAI), vol. 7310, pp. 356–361. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-30353-1_36 CrossRefGoogle Scholar
  21. 21.
    Phan, Q.S.: Model counting modulo theories. Ph.D. thesis, Queen Mary University of London (2015)Google Scholar
  22. 22.
    Phan, Q.S., Malacaria, P.: All-solution satisfiability modulo theories: applications, algorithms and benchmarks. In: ARES 2015, pp. 100–109 (2015)Google Scholar
  23. 23.
    Phan, Q.S., Malacaria, P., Păsăreanu, C.S., d’Amorim, M.: Quantifying information leaks using reliability analysis. In: SPIN 2014, pp. 105–108. ACM (2014)Google Scholar
  24. 24.
    Păsăreanu, C.S., Phan, Q.S., Malacaria, P.: Multi-run side-channel analysis using Symbolic Execution and Max-SMT. In: CSF 2016, pp. 387–400, June 2016Google Scholar
  25. 25.
    Păsăreanu, C.S., Visser, W., Bushnell, D., Geldenhuys, J., Mehlitz, P., Rungta, N.: Symbolic PathFinder: integrating symbolic execution with model checking for Java bytecode analysis. Autom. Softw. Eng. 20, 1–35 (2013)CrossRefGoogle Scholar
  26. 26.
    Rubinstein, R.: Stochastic enumeration method for counting NP-hard problems. Methodol. Comput. Appl. Probab. 15(2), 249–291 (2013)MathSciNetCrossRefzbMATHGoogle Scholar
  27. 27.
    Somenzi, F.: CUDD: CU decision diagram package release 3.0.0 (2015)Google Scholar
  28. 28.
    Thurley, M.: sharpSAT – Counting models with advanced component caching and implicit BCP. In: Biere, A., Gomes, C.P. (eds.) SAT 2006. LNCS, vol. 4121, pp. 424–429. Springer, Heidelberg (2006). doi: 10.1007/11814948_38 CrossRefGoogle Scholar
  29. 29.
    Tran, Q., Vardi, M.Y.: Groebner bases computation in boolean rings for symbolic model checking. In: MOAS, pp. 440–445. ACTA Press (2007)Google Scholar
  30. 30.
    Tseitin, G.S.: On the complexity of derivation in propositional calculus. In: Siekmann, J.H., Wrightson, G. (eds.) Automation of Reasoning: 2: Classical Papers on Computational Logic, pp. 466–483. Springer, Heidelberg (1983)CrossRefGoogle Scholar
  31. 31.
    Wei, W., Selman, B.: A new approach to model counting. In: Bacchus, F., Walsh, T. (eds.) SAT 2005. LNCS, vol. 3569, pp. 324–339. Springer, Heidelberg (2005). doi: 10.1007/11499107_24 CrossRefGoogle Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Mateus Borges
    • 1
    Email author
  • Quoc-Sang Phan
    • 2
  • Antonio Filieri
    • 1
  • Corina S. Păsăreanu
    • 2
    • 3
  1. 1.Imperial College LondonLondonUK
  2. 2.Carnegie Mellon University Silicon ValleyMountain ViewUSA
  3. 3.NASA AmesMountain ViewUSA

Personalised recommendations