The examples may assume a z3 solver available in PATH.

Grisette is a tool for performing symbolic evaluation on programs. Symbolic evaluation is a technique that allows us to analyze all possible runs of a program by representing inputs (or the program itself) as symbolic values and evaluating the program to produce symbolic constraints over these values. These constraints can then be used to find concrete assignments to the symbolic values that meet certain criteria, such as triggering a bug in a verification task or satisfying a specification in a synthesis task.

One of the challenges of symbolic evaluation is the well-known path explosion problem, which occurs when traditions symbolic evaluation techniques evaluate and reason about the possible paths one-by-one. This can lead to exponential growth in the number of paths that need to be analyzed, making the process impractical for many tasks. To address this issue, Grisette uses a technique called "path merging". In path merging, symbolic values are merged together in order to reduce the number of paths that need to be explored simultaneously. This can significantly improve the performance of symbolic evaluation, especially for tasks such as program synthesis that are prone to the path explosion problem.

In Grisette, we make a distinction between two kinds of symbolic values: solvable types and unsolvable types. These two types of values are merged differently.

Solvable types are types that are directly supported by the underlying solver and are represented as symbolic formulas. Examples include symbolic Booleans, integers and bit vectors. The values of solvable types can be fully merged into a single value, which can significantly reduce the number of paths that need to be explored.

For example, there are three symbolic Booleans a, b and c, in the following code, and a symbolic Boolean x is defined to be the result of a conditional expression:

x = if a then b else c -- pseudo code, not real Grisette code

The result would be a single symbolic Boolean formula:

-- result: x is (ite a b c)

If we further add 1 to x, we will not have to split to two paths, but we can directly construct a formula with the merged state:

x + 1
-- result (+ 1 (ite a b c))

Unsolvable types, on the other hand, are types that are not directly supported by the solver and cannot be fully merged into a single formula. Examples include lists, algebraic data types, and concrete Haskell integer types. To symbolically evaluate values in unsolvable types, Grisette provides a symbolic union container, which is a set of values guarded by their path conditions. The values of unsolvable types are partially merged in a symbolic union, which is essentially an if-then-else tree.

For example, assume that the lists have the type [SymBool]. In the following example, the result shows that [b] and [c] can be merged together in the same symbolic union because they have the same length:

x = if a then [b] else [c] -- pseudo code, not real Grisette code
-- result: Single [(ite a b c)]

The second example shows that [b] and [c,d] cannot be merged together because they have different lengths:

if a then [b] else [c, d] -- pseudo code, not real Grisette code
-- result: If a (Single [b]) (Single [c,d])

The following example is more complicated. To make the merging efficient, Grisette would maintain a representation invariant of the symbolic unions. In this case, the lists with length 1 should be placed at the then branch, and the lists with length 2 should be placed at the else branch.

if a1 then [b] else if a2 then [c, d] else [f] -- pseudo code, not real Grisette code
-- result: If (|| a1 (! a2)) (Single [(ite a1 b f)]) (Single [c,d])

When we further operate on this partially merged values, we will need to split into multiple paths. For example, when we apply head onto the last result, we will distribute head among the branches:

head (if a1 then [b] else if a2 then [c, d] else [f]) -- pseudo code, not real Grisette code
-- intermediate result: If (|| a1 (! a2)) (Single (head [(ite a1 b f)])) (Single (head [c,d]))
-- intermediate result: If (|| a1 (! a2)) (Single (ite a1 b f)) (Single c)

Then the result would be further merged into a single value:

-- final result: Single (ite (|| a1 (! a2)) (ite a1 b f) c)

Generally, merging the possible branches in a symbolic union can reduce the number of paths to be explored in the future, but can make the path conditions larger and harder to solve. To have a good balance between this, Grisette has built a hierarchical merging algorithm, which is configurable via MergingStrategy. For algebraic data types, we have prebuilt merging strategies via the derivation of the Mergeable type class. You only need to know the details of the merging algorithm if you are going to work with non-algebraic data types.

A solvable type is a type that can be represented as a formula and is directly supported by the underlying constraint solvers. Grisette currently provides an implementation for the following solvable types:

• SymBool or Sym Bool (symbolic Booleans)
• SymInteger or Sym Integer (symbolic unbounded integers)
• SymIntN n or Sym (IntN n) (symbolic signed bit vectors of length n)
• SymWordN n or Sym (WordN n) (symbolic unsigned bit vectors of length n)

Values of a solvable type can consist of concrete values, symbolic constants (placeholders for concrete values that can be assigned by a solver to satisfy a formula), and complex symbolic formulas with symbolic operations. The Solvable type class provides a way to construct concrete values and symbolic constants.

Examples:

>>> import Grisette
>>> con True :: SymBool -- a concrete value
true
>>> ssym "a" :: SymBool -- a symbolic constant
a

With the OverloadedStrings GHC extension enabled, symbolic constants can also be constructed from strings.

>>> :set -XOverloadedStrings
>>> "a" :: SymBool
a

Symbolic operations are provided through a set of type classes, such as SEq, SOrd, and Num. Please check out the documentation for more details.

Examples:

>>> let a = "a" :: SymInteger
>>> let b = "b" :: SymInteger
>>> a ==~ b
(= a b)

There are types that cannot be directly represented as SMT formulas and therefore not supported by the SMT solvers. These types are referred to as unsolvable types. To symbolically evaluate such types, we represent them with symbolic unions. A symbolic union is a set of multiple values from different execution paths, each guarded with a corresponding path condition. The value of a union can be determined by an SMT solver based on the truth value of the path conditions.

In Grisette, the symbolic union type is UnionM. Two constructs are useful in constructing symbolic union values: mrgIf and mrgSingle. mrgSingle unconditionally wraps a value in a symbolic union container, while mrgIf models branching control flow semantics with symbolic conditions. Here are some examples of using mrgSingle and mrgIf:

>>> mrgSingle ["a"] :: UnionM [SymInteger]
{[a]}
>>> mrgIf "a" (mrgSingle ["b"]) (mrgSingle ["c", "d"]) :: UnionM [SymInteger]
{If a [b] [c,d]}

UnionM is a monad, and its bind operation is similar to tree substitution. This means you can then use monadic constructs to model sequential programs. For example, the following pseudo code can be modeled in Grisette with the combinators provided by Grisette, and the do-notation:

x = if a then [b] else [b,c] -- pseudo code, not Grisette code
y = if d then [e] else [e,f]
return (x ++ y :: [SymInteger])

>>> :{
  ret :: UnionM [SymInteger]
  ret = do x <- mrgIf "a" (single ["b"]) (single ["b","c"])
           y <- mrgIf "d" (single ["e"]) (single ["e","f"])
           mrgReturn $ x ++ y -- we will explain mrgReturn later
:}

When this code is evaluated, the result would be as follows:

>>> ret
{If (&& a d) [b,e] (If (|| a d) [b,(ite a e c),(ite a f e)] [b,c,e,f])}

In the result, we can see that the results are reorganized and the two lists with the same length are merged together. This is important for scaling symbolic evaluation to real-world problems.

The mrgReturn function is crucial for ensuring that the results are merged. It resolves the Mergeable constraint, and retrieves a merging strategy for the contained type from the constraint. The merging strategy is then cached in the UnionMBase container to help merge the result of the entire do-block. This is necessary due to the constrained-monad problem, as the return function from the Monad type class cannot resolve extra constraints. Our solution to this problem with merging strategy caching is inspired by the knowledge propagation technique introduced in the blog post by Oleg Kiselyov.

In addition to mrgReturn, Grisette provides many combinators with the mrg prefix. You should use these combinators and always have the result cache the merging strategy. Consider the following code:

>>> return 1 :: UnionM Integer
<1>
>>> mrgReturn 1 :: UnionM Integer
{1}
>>> mrgIf "a" (return 1) (return 2) :: UnionM Integer
{If a 1 2}

In the first example, using return instead of mrgReturn results in a UAny container (printed as <...>), which means that no merging strategy is cached. In the second and third example, using mrgReturn or mrgIf results in a UMrg container (printed as {...}), which means that the merging strategy is cached.

When working with UnionM, it is important to always use the mrg prefixed combinators to ensure that the merging strategy is properly cached. This will enable Grisette to properly merge the results of the entire do-block and scale symbolic evaluation to real-world problems. Those functions that merges the results can also further propagate the cached merging strategy, note that the result is merged:

>>> f x y = mrgIf "f" (return x) (return y)
>>> do; a <- mrgIf "a" (return 1) (return 2); f a (a + 1) :: UnionM Integer
{If (&& a f) 1 (If (|| a f) 2 3)}

For more details of this, see the documentation for UnionMBase and MergingStrategy.

To make a type compatible with the symbolic evaluation and merging in Grisette, you need to implement the Mergeable type class. If you are only working with algebraic data types, you can derive the Mergeable instance automatically For example:

>>> :set -XDerivingStrategies
>>> :set -XDerivingVia
>>> :set -XDeriveGeneric
>>> import GHC.Generics
>>> :{
  data X = X SymInteger Integer
    deriving (Generic, Show)
    deriving (Mergeable) via (Default X)
:}

This allows you to use the UnionM type to represent values of type X, and have them merged with the mrgIf combinator:

>>> mrgIf "c1" (mrgSingle $ X "b" 1) (mrgIf "c2" (mrgSingle $ X "c" 2) (mrgSingle $ X "d" 1)) :: UnionM X
{If (|| c1 (! c2)) (X (ite c1 b d) 1) (X c 2)}

It is also possible to apply monad transformers onto UnionM to extend it with various mechanisms. For example, by applying ExceptT, you can symbolically evaluate a program with error handling. To do this, you will need to define an error type and derive the Mergeable instance for it. Then, you can use the combinators provided by MonadError (and the mrg* variants of them) for error handling, and the mrgIf combinator will also work with transformed UnionM containers.

Here's an example using the ExceptT transformer to model error handling in Grisette:

>>> import Control.Monad.Except
>>> :{
  data Error = Fail
    deriving (Show, Generic)
    deriving (Mergeable) via (Default Error)
:}

>>> mrgIf "a" (throwError Fail) (return "x") :: ExceptT Error UnionM SymInteger
ExceptT {If a (Left Fail) (Right x)}

This will return a symbolic union value representing a program that throws an error in the then branch and returns a value in the else branch.

The following is the details of the merging algorithm. If you are not going to manually configure the system by writing a MergingStrategy and will only use the derived strategies, you can safely ignore the following contents in this section.

In Grisette, the symbolic union has the Ordered Guards (ORG) representation, which can be viewed as a nested if-then-else with some representation invariant.

For example, the following symbolic union represents a symbolic list of symbolic integers with length 1, 2 or 3. The values are kept sorted in the container: the list with length 1 is placed at the first place, the list with length 2 is placed at the second place, and so on.

\[ \left\{\begin{aligned} &\texttt{[a]}&&\mathrm{if}&&\texttt{c1}\\ &\texttt{[b,b]}&&\mathrm{else~if}&&\texttt{c2}\\& \texttt{[a,b,c]}&&\mathrm{otherwise} \end{aligned}\right. \]

In Haskell syntax, the container is represented as the following nested if-then-else tree

If c1 [a] (If c2 [b,b] [a,b,c])

The representations means that when c1 is true, then the value is a list [a], or when c1 is false and c2 is true, the value is a list [b,b], or otherwise the value is [a,b,c].

This representation allows you to use the constructs that are not supported by the underlying solvers freely. For example, when applying head on this structure, we can just distribute the head function through the three branches, and get

\[ \left\{\begin{aligned} &\texttt{head [a]}&&\mathrm{if}&&\texttt{c1}\\ &\texttt{head [b,b]}&&\mathrm{else~if}&&\texttt{c2}\\ &\texttt{head [a,b,c]}&&\mathrm{otherwise} \end{aligned}\right. \]

or, equivalently

\[ \left\{\begin{aligned} &\texttt{a}&&\mathrm{if}&&\texttt{c1}\\ &\texttt{b}&&\mathrm{else~if}&&\texttt{c2}\\ &\texttt{a}&&\mathrm{otherwise} \end{aligned}\right. \]

Further symbolic evaluation will also distribute computations over the branches in this result, and the identical branches will cause redundant computation. To mitigate this, Grisette would try to merge the branches, and the previous result would become

\[ \left\{\begin{aligned} &\texttt{a}&&\mathrm{if}&&\texttt{c1}\vee\neg\texttt{c2}\\ &\texttt{b}&&\mathrm{otherwise}\\ \end{aligned}\right. \]

Note that if the contained type is symbolic Boolean, we may further merge the values into a single formula.

\[ \left\{\begin{aligned}&\texttt{(ite c1 a (ite c2 b a))}&&\mathrm{unconditional}\end{aligned}\right. \]

In Grisette, such merging happens in the mrgIf or unionIf functions, which model the symbolic conditional branching semantics. To keep the merging efficient and generate small constraints, we enforce that the symbolic union maintains the values in a sorted way, and merge the unions with a mergesort-style merging algorithm. In the following example, the two ORG containers passed to the mrgIf are sorted with the natural ordering on the integers. In the result, the values are also organized in a sorted way, and the path conditions are correctly maintained.

\[ \texttt{mrgIf}\left[ \texttt{c}, \left\{\begin{aligned} &\texttt{1}&&\mathrm{if}&&\texttt{c1}\\ &\texttt{3}&&\mathrm{else~if}&&\texttt{c2}\\ &\texttt{4}&&\mathrm{otherwise} \end{aligned}\right., \left\{\begin{aligned} &\texttt{1}&&\mathrm{if}&&\texttt{c3}\\ &\texttt{2}&&\mathrm{else~if}&&\texttt{c4}\\ &\texttt{4}&&\mathrm{otherwise} \end{aligned}\right. \right] =\left\{\begin{aligned} &\texttt{1}&&\mathrm{if}&&\texttt{(ite c c1 c3)}\\ &\texttt{2}&&\mathrm{else~if}&&\texttt{(&& (! c) c3)}\\ &\texttt{3}&&\mathrm{else~if}&&\texttt{(&& c c2)}\\ &\texttt{4}&&\mathrm{otherwise} \end{aligned}\right. \]

So far, we have described ORG as a flat list of values. When the list is long, it is beneficial to partition the values and merge (some or all) partitions into nested ORG values. This hierarchical ORG representation is particularly useful for complex data types, such as tuples, which tend to yield long lists.

In the following example, v* are values, while t* are ORG containers. The values in the containers are first partitioned into three groups: {v11, v12, v13}, {v2}, and {v13}. In each group, the values share some common features, (e.g., they are constructed with the same data constructor). The values in each group are organized in a subtree, e.g., the first group is organized in the subtree t1. The hierarchical representation also keeps a representation invariant: at each level in the hierarchy, the values (or the subtrees) are also sorted by some criteria. Here, in the first level, the values are sorted by the constructor declaration order, and in the second level, the values are sorted by the concrete field in the constructor A. This criteria is given by the MergingStrategy in the Mergeable class, called the root merging strategy of the type.

data X = A Integer SymInteger | B | C

\[ \left\{\begin{aligned} &\texttt{t1}&&\mathrm{if}&&\texttt{c1}\\ &\texttt{B}&&\mathrm{else if}&&\texttt{c2}\\ &\texttt{C}&&\mathrm{otherwise}&& \end{aligned}\right. \hspace{2em}\mathrm{where}\hspace{2em} \texttt{t1} = \left\{\begin{aligned} &\texttt{A 1 a}&&\mathrm{if}&&\texttt{c11}\\ &\texttt{A 3 b}&&\mathrm{else if}&&\texttt{c12}\\ &\texttt{A 4 (&& x y)}&&\mathrm{otherwise}&& \end{aligned}\right. \]

In Haskell syntax, it can be represented as follows:

If      c1    (If c11 (A 1 a) (If c12 (A 3 b) (A 4 (&& x y))))
  (If   c2    B
              C)

All the symbolic unions in Grisette should maintain the hierarchical sorted invariant, and are sorted in the same way, with respect to the same merging strategy (the root merging strategy for the type). We can then merge the containers with a hierarchical merging algorithm: at each level, we align the values and subtrees, and merge the aligned ones. In the following example, mrgIf resolves the root merging strategy s, and calls the function mrgIf', which accepts the merging strategy as an argument. The symbolic union operands to the mrgIf' function must be sorted with the merging strategy passed to the function.

Here we use the name of the subtrees and values to indicate the order of them:

• t1 should be placed before v3 in the then branch,
• t1 and v4 can be aligned with t1' and v4', respectively.

The aligned subtrees will be merged recursively with mrgIf', with a sub-strategy given by the merging strategy s for the subtrees. For example, t1 and t1' will be merged with the sub-strategy s'. The aligned values will be merged with a merging function, also given by the merging strategy s. For example, v4 and v4' will be merged with the merging function f'.

The ordering and the sub-strategies are abstracted with SortedStrategy, and the merging functions will be wrapped in SimpleStrategy. The merging algorithm can then be configured by implementing the merging strategies for the types contained in a symbolic union. See the documentation for MergingStrategy for details.

\[ \begin{aligned} & \texttt{mrgIf}\left[ \texttt{c}, \left\{\begin{aligned} &\texttt{t1}&&\mathrm{if}&&\texttt{c1}\\ &\texttt{v3}&&\mathrm{else~if}&&\texttt{c2}\\ &\texttt{v4}&&\mathrm{otherwise} \end{aligned}\right., \left\{\begin{aligned} &\texttt{t1'}&&\mathrm{if}&&\texttt{c3}\\ &\texttt{t2'}&&\mathrm{else~if}&&\texttt{c4}\\ &\texttt{v4'}&&\mathrm{otherwise} \end{aligned}\right. \right]\\ =~ & \texttt{mrgIf'}\left[ \texttt{s}, \texttt{c}, \left\{\begin{aligned} &\texttt{t1}&&\mathrm{if}&&\texttt{c1}\\ &\texttt{v3}&&\mathrm{else~if}&&\texttt{c2}\\ &\texttt{v4}&&\mathrm{otherwise} \end{aligned}\right., \left\{\begin{aligned} &\texttt{t1'}&&\mathrm{if}&&\texttt{c3}\\ &\texttt{t2'}&&\mathrm{else~if}&&\texttt{c4}\\ &\texttt{v4'}&&\mathrm{otherwise} \end{aligned}\right. \right]\\ =~ & \left\{\begin{aligned} &\texttt{mrgIf' s' c t1 t1'}&&\mathrm{if}&&\texttt{(ite c c1 c3)}\\ &\texttt{t2'}&&\mathrm{else~if}&&\texttt{(&& (! c) c4)}\\ &\texttt{v3}&&\mathrm{else~if}&&\texttt{(&& c c2)}\\ &\texttt{f' c v4 v4'}&&\mathrm{otherwise} \end{aligned}\right. \end{aligned} \]

For more details of the algorithm, please refer to Grisette's paper.