A fuzzing framework for SMT solvers. Given a set of seed SMT formulas, yinyang generates mutant formulas to stress-test SMT solvers. yinyang can be used to robustify SMT solvers. It already found 1,500+ bugs in the two state-of-the-art SMT solvers Z3 and CVC4.
To install a stable version of yinyang use:
pip3 install yinyang
To install the most recent version, check out the repository:
git clone https://github.com/testsmt/yinyang.git
pip3 install antlr4-python3-runtime==4.9.2 ffg
Note that you may want to add yinyang/bin
to your PATH, for running yinyang conveniently without prefix.
-
Get SMT-LIB 2 benchmarks. Edit
scripts/SMT-LIB-clone.sh
to select the logics for testing. Run./scripts/SMT-LIB-clone.sh
to download the corresponding SMT-LIB 2 benchmarks. Alternatively, you can download benchmarks directly from the SMT-LIB website or supply your own benchmarks. -
Get and build SMT solvers for testing. Install two or more SMT solvers that support the SMT-LIB 2 format. You may find it convenient to add them to your PATH.
-
Run yinyang on the benchmarks e.g. with Z3 and CVC4.
typefuzz "z3 model_validate=true;cvc4 --check-models -m -i -q" benchmarks
yinyang will by default randomly select formulas from the folder ./benchmarks
and generate 300 mutants per seed formula. If a bug has been found, the bug trigger is stored in ./bugs
. yinyang will run in an infinite loop. You can use the shortcut CTRL+C to terminate yinyang manually.
For bugs/issues/questions/feature requests please file an issue. We are always happy to receive your feedback or help you adjust yinyang to the needs of your custom solver, help you build on yinyang, etc.
- Citing yinyang
- Project website with bug statistics, talk videos, etc.
- Google Open Source Peer Bonus 🏆
- Amazon Research Awards 🏆