U.S. Pat. No. 7,207,065, entitled “Apparatus and Method for Developing Secure Software” describes techniques for the static analysis of source code. The patent is owned by the assignee of the current invention and its contents are incorporated herein by reference.
Boolean satisfiability, often referred to as SAT, is a decision problem defined with Boolean operators and variables. Boolean satisfiability determines whether for a given expression there is some assignment of a true or false value to the variables that will make the entire expression true. A formula of propositional logic is said to be satisfiable if logical values can be assigned to its variables in a way that makes the formula true.
Consider formulas built from variables including the conjunction operator (+), disjunction operator (&), and the negation operator (−). For example, the formula (a+b) & −c is read as “a or b and not c”. A SAT solver or Boolean satisfiability engine is a set of computer executable instructions that accepts a Boolean equation and responds in one of three ways:                1. Satisfiable. The SAT solver has found a set of variable assignments such that the equation evaluates to true.        2. Unsatisfiable. There is no set of variable assignments that cause the equation to evaluate to true.        3. Failed. The SAT solver cannot determine whether or not a satisfying assignment exists.If the SAT solver reports that the formula is satisfiable, it also returns a set of variable assignments that satisfy the formula. For example, the formula (a+b) & −c is satisfied by the assignments (a=false, b=true, c=false).        
By convention, SAT solvers accept formulas in Conjunctive Normal Form (CNF). CNF formulas comprise a set of clauses where every clause is the disjunction of a set of variables or negations of the variables. The formula is the conjunction of all of the clauses. By convention, CNF formulas are written with one clause per line. For example, the formula (a+b) & −c can be expressed in CNF notation as:(a+b)(−c)For this example, the shortest unsatisfiable CNF formula is:(a)(−a)The kinds of CNF formulas that are useful for solving real-world problems are often very large. They may contain thousands or millions of clauses and thousands or hundreds of thousands of variables. Generally speaking, the larger a CNF formula is the more time the SAT solver will take to produce a result. Effective use of a SAT solver requires generating formulas that are as compact as possible while still expressing the essence of the problem at hand.
Because they operate on Boolean variables, SAT solvers efficiently process problems that are modeled at the bit level. The price for this precision is that higher-level operations must all be represented in bitwise form. Such operations include addition and subtraction, mathematical comparisons, and conversion between data types.
It would be desirable to employ a SAT solver or Boolean satisfiability engine in the static analysis of source code. More particularly, it would be desirable to utilize a Boolean satisifiability engine in connection with solving particular static analysis issues, such as path analysis or the analysis of memory operations.