I would like to simulate fixed-size memory buffers and their access operations in Z3. Buffers can range in size from a few bytes to hundreds of bytes. The standard method used by several existing tools (for example, KLEE) is to create array variables by domain and range of bitvectors. Each memory buffer receives such an array, and read / write to the memory is encoded using select/ operations store.
Alas, in my tests, when using this approach, Z3 (*) looks consistently slower than STP. Before analyzing the queries in more detail to find out what was going on, I wanted to make sure that I was using the “correct” approach to coding memory operations in Z3 (since, admittedly, STP was specifically designed for use with arrays and bitvectors).
So what is the most efficient way to represent memory buffers in Z3? So far I am considering a couple of alternatives:
- Use statements to indicate the initial values of the memory buffer, instead of using the nested
store-s. However, in my preliminary tests, this slows down the Z3 even more. - Use bitvectors to encode buffers. However, the resulting bitvectors can be quite large (~ 1000 bits), and I'm not sure if Z3 or any other solver can handle this effectively.
- Create separate bitvector variables for each byte of memory and use nested expressions
ite to route access to the corresponding variables. However, I am afraid that this will greatly complicate the model and present the need for quantifiers. - Use uninterpreted functions instead of arrays, but this requires redefining the axioms of an array in a way that may be less efficient than Z3's own built-in theory of arrays.
Are there any better approaches that I am missing?
(*) Non-incremental default solver, branch Z3 unstable@aba79802cfb5