Bit Vector
Daniel Kroening and Ofer Strichman, Decision Procedures
Changki Hong @ PSWLAB
Decision procedures
- Decision procedures covered so far: SAT solvers, BDDs, the decision procedure for equality logic, ...
- However, what kind of logic do we need to express bit-wise operations and bit-wise arithmetic?
- None of the logics covered so far can express such operations.
- We need bit-vector logic.
We need bit-vector logic
- Bit-wise operators: bit-wise AND, shift, ...
- Bit-wise arithmetic: addition, multiplication, ...
- Since a bit-vector has a finite domain, we must account for overflow, which cannot happen with unbounded types such as the integers.
- We want to verify large formulas.
- Program analysis tools that generate bit-vector formulas: CBMC, SATABS, F-Soft, ...
Contents
- Introduction to bit-vector logic
  - Syntax
  - Semantics
- Decision procedures for bit-vector logic
  - Flattening bit-vector logic
  - Incremental flattening
- Conclusion
Bit-vector logic syntax
- Bit-vector logic syntax
Semantics
- The following formula obviously holds over the integer domain:
- However, this equivalence no longer holds over bit-vectors.
- The subtraction operation may overflow.
- Example
Width and Encoding
- The meaning of a bit-vector formula obviously depends on
  1. the width of the expression in bits
  2. the encoding: whether it is signed or unsigned
- Typical encodings:
  - Binary encoding: unsigned
  - Two's complement: signed
Examples
- The width of the expression in bits: ... is unsatisfiable for one-bit-wide bit vectors, but satisfiable for larger widths.
- The encoding: ... means something different under each encoding scheme.
- Notation to clarify width and encoding: ... (width in bits; U: unsigned binary encoding, S: signed two's complement)
Definition of bit-vector
- Definition. A bit vector b is a vector of bits with a given length l (or dimension):
- The i-th bit of the bit vector is denoted by ...
λ-notation for bit-vectors
- A lambda expression for a bit vector with ... bits has the form ..., where ... is an expression that denotes the value of the i-th bit.
- Example
- The expression above denotes the bit vector 1010.
Examples (cont.)
- The vector of length l that consists of zeros:
- A function that inverts a bit vector:
- A bit-wise OR:
Semantics for arithmetic operators (1/3)
- What is the answer of the C program below?
- On 8-bit architectures, it is 44, not 300.
- Therefore, bit-vector arithmetic uses modular arithmetic.
Semantics for arithmetic operators (2/3)
- Semantics for addition and subtraction:
- Semantics for relational operators:
Semantics for arithmetic operators (3/3)
- Semantics for shifts:
  - logical left shift
  - logical right shift
  - arithmetic right shift: the sign bit of a is replicated
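The semantics of slides 12 to 14 worked through as an added Python example (not from the slides): a bit vector is a list of bits, addition is a ripple-carry chain whose final carry is dropped, relational operators depend on the encoding, and the three shifts differ in what enters at the vacated end. The slides' 8-bit C program is not on the page, so 100 + 200 is a constructed stand-in, and the identity (x > y) <=> (x - y > 0) is an illustrative one that the signed 8-bit wrap-around breaks.

```python
def bv(value, width):
    """Encode an integer modulo 2**width as a list of bits, bits[i] = i-th bit."""
    return [(value >> i) & 1 for i in range(width)]

def to_unsigned(bits):
    """Binary (unsigned) decoding."""
    return sum(b << i for i, b in enumerate(bits))

def to_signed(bits):
    """Two's complement decoding: the top bit carries weight -2**(l-1)."""
    return to_unsigned(bits) - (bits[-1] << len(bits))

def add(a, b):
    """Ripple-carry addition; the carry out of the top bit is discarded,
    which is exactly the modular semantics of the slides."""
    out, carry = [], 0
    for x, y in zip(a, b):
        out.append(x ^ y ^ carry)
        carry = (x & y) | (carry & (x ^ y))
    return out

def sub(a, b):
    """a - b = a + ~b + 1; the same bits serve both encodings."""
    return add(add(a, [1 - y for y in b]), bv(1, len(a)))

def lt(a, b, signed):
    """Relational operator; its meaning depends on the chosen encoding."""
    dec = to_signed if signed else to_unsigned
    return dec(a) < dec(b)

def shl(a, n):      # logical left shift: zeros enter at bit 0, top bits fall off
    return [0] * n + a[:len(a) - n]

def lshr(a, n):     # logical right shift: zeros enter at the top
    return a[n:] + [0] * n

def ashr(a, n):     # arithmetic right shift: the sign bit is replicated
    return a[n:] + [a[-1]] * n

if __name__ == "__main__":
    # Constructed 8-bit checks: 100 + 200 wraps to 44 instead of 300, and the
    # integer-domain identity (x > y) <=> (x - y > 0) fails once x - y overflows.
    print(to_unsigned(add(bv(100, 8), bv(200, 8))))           # 44
    x, y = bv(100, 8), bv(-100, 8)
    print(lt(y, x, True), lt(bv(0, 8), sub(x, y), True))      # True False
```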
Decision procedure for bit-vectors
- Bit-vector flattening: the most commonly used decision procedure
- Transforms bit-vector logic into propositional logic, which is then passed to a SAT solver.
- Algorithm
  Input: a formula in bit-vector arithmetic
  Output: an equisatisfiable Boolean formula
  1. Convert each term into a new Boolean variable
  2. Set each bit of each term to a new Boolean variable
  3. Add a constraint for each atom
  4. Add a constraint for each term
Example
- Bit-vector formula
  1. Convert each term into a new Boolean variable
  2. Set each bit of each term to a new Boolean variable
  3. Add a constraint for each atom
  4. Add a constraint for each term
Example (l-bit Adder)
- A 1-bit adder can be defined as follows:
- The carry bit can be defined as follows:
Example (l-bit Adder)
- An l-bit adder can be defined as follows:
- The constraints generated by the algorithm for the formula are the following:
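The flattening of slides 15 to 18 carried out in code, as an added Python example that is not part of the slides: every bit of every term gets a fresh Boolean variable, the term a + b contributes one full adder (sum bit and carry bit) per position with the final carry dropped, an atom t = value contributes a unit clause per bit, and the resulting CNF is handed to a (brute-force, stand-in) SAT solver. The class and function names are this example's own.

```python
from itertools import product

class Flattener:
    """CNF under construction: variables are positive ints, literals signed ints."""
    def __init__(self):
        self.nvars, self.clauses = 0, []

    def fresh(self, l):                      # step 2: one fresh Boolean variable per bit
        self.nvars += l
        return list(range(self.nvars - l + 1, self.nvars + 1))

    def full_adder(self, s, o, x, y, c):     # s <-> x^y^c  and  o <-> maj(x, y, c)
        lit = lambda v, b: v if b else -v
        for bx, by, bc in product((0, 1), repeat=3):   # one clause per truth-table row
            self.clauses.append([lit(x, 1 - bx), lit(y, 1 - by),
                                 lit(c, 1 - bc), lit(s, bx ^ by ^ bc)])
        for u, v in ((x, y), (x, c), (y, c)):          # any two inputs set => carry
            self.clauses += [[-u, -v, o], [u, v, -o]]

    def adder(self, a, b):                   # step 4: the constraint for the term a + b
        l = len(a)
        s, carry = self.fresh(l), self.fresh(l + 1)
        self.clauses.append([-carry[0]])     # carry-in is 0; carry[l] is dropped (modular)
        for i in range(l):
            self.full_adder(s[i], carry[i + 1], a[i], b[i], carry[i])
        return s

    def equals_const(self, t, value):        # step 3: atom t = value, one unit clause per bit
        self.clauses += [[v if (value >> i) & 1 else -v] for i, v in enumerate(t)]

    def solve(self):                         # brute-force SAT; fine for a dozen variables
        for bits in product((0, 1), repeat=self.nvars):
            true = {i + 1 for i, b in enumerate(bits) if b}
            if all(any((q > 0) == (abs(q) in true) for q in cl) for cl in self.clauses):
                return true
        return None

def flatten_and_solve(width, value, x_fixed=None, y_is_x=False):
    """Decide x + y = value over width-bit vectors (y := x when y_is_x);
    returns (x, y) as unsigned ints read off the model, or None if unsatisfiable."""
    f = Flattener()
    x = f.fresh(width)
    y = x if y_is_x else f.fresh(width)
    f.equals_const(f.adder(x, y), value)
    if x_fixed is not None:
        f.equals_const(x, x_fixed)
    m = f.solve()
    if m is None:
        return None
    dec = lambda t: sum(1 << i for i, v in enumerate(t) if v in m)
    return dec(x), dec(y)
```

flatten_and_solve(2, 1, x_fixed=3) yields (3, 2) because 3 + 2 wraps to 1 at two bits, while flatten_and_solve(3, 1, y_is_x=True) is None since x + x is always even.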
Incremental bit flattening (1/4)
- Some arithmetic operations result in very hard formulas, e.g. multiplication.
- A multiplier is defined recursively over the width of the second operand: ..., where ... denotes ...
- Therefore, we want to check the satisfiability of a given formula without checking the satisfiability of sub-formulas that contain complicated arithmetic operations such as multiplication.
Incremental bit flattening (2/4)
- Example
- This formula is obviously unsatisfiable, since the first two conjuncts are inconsistent and the last two conjuncts are also inconsistent.
- The SAT solver prefers to decide on the first two conjuncts, because a and b occur more frequently than x and y.
- However, this is a poor decision: the last two conjuncts are much easier to check, since a relational bit-vector operation is far less complicated than a multiplication.
Incremental bit flattening (3/4)
- Flowchart: pick the 'easy' part, convert it to CNF, run the SAT solver (SAT / UNSAT), and check the remaining terms against the satisfying assignment.
- Legend:
  ... : Boolean part of ...
  ... : set of terms that are encoded into the CNF formula
  ... : set of terms that are inconsistent with the current satisfying assignment
Incremental bit flattening (4/4)
- Idea: add the 'easy' parts of the formula first
- Only add the hard parts when needed
- ... only gets stronger; that is why it is incremental
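The loop of slides 19 to 22 as an added Python example (not from the slides): each hard term (here a multiplication) is replaced by a fresh variable in the 'easy' part, the easy part is solved, and a term's real constraint is added only when the current satisfying assignment violates it, so the set T of encoded terms only grows. The formulas F1 and F2, the 3-bit width and the brute-force stand-in solver are constructed for this example.

```python
from itertools import product

WIDTH = 3                                # constructed: 3-bit vectors, values 0..7
MOD = 1 << WIDTH

def solve(constraints, variables):
    """Stand-in for the SAT solver: brute-force search for an assignment."""
    for vals in product(range(MOD), repeat=len(variables)):
        m = dict(zip(variables, vals))
        if all(c(m) for c in constraints):
            return m
    return None

def incremental_flatten(variables, atoms, hard):
    """atoms: the 'easy' part, predicates over an assignment in which every
    hard term is replaced by its own fresh variable; hard: maps such a fresh
    variable to the function giving the term's real (modular) value.
    Returns ("SAT"|"UNSAT", T) where T is the set of hard terms encoded."""
    T = set()                            # terms whose real constraint has been added
    while True:
        constraints = atoms + [lambda m, t=t: m[t] == hard[t](m) for t in T]
        model = solve(constraints, variables)
        if model is None:
            return "UNSAT", T            # the easy part alone is inconsistent
        I = {t for t in hard if t not in T and model[t] != hard[t](model)}
        if not I:
            return "SAT", T              # assignment respects every hard term
        T |= I                           # add only the terms that were violated

def mul(a, b):                           # hard term a*b, modular as on the slides
    return lambda m: (m[a] * m[b]) % MOD

VARS = ["a", "b", "c", "x", "y", "m1"]   # m1 stands for the term a*b
HARD = {"m1": mul("a", "b")}
# Constructed formula in the spirit of slide 20: a*b = c ∧ a*b ≠ c ∧ x < y ∧ x > y.
F1 = [lambda m: m["m1"] == m["c"], lambda m: m["m1"] != m["c"],
      lambda m: m["x"] < m["y"], lambda m: m["x"] > m["y"]]
# Constructed formula whose easy part is satisfiable but needs the multiplier:
# a*b = c ∧ a = 2 ∧ c = 6 (solvable only with b = 3 or b = 7 modulo 8).
F2 = [lambda m: m["m1"] == m["c"], lambda m: m["a"] == 2, lambda m: m["c"] == 6]

if __name__ == "__main__":
    print(incremental_flatten(VARS, F1, HARD))   # ('UNSAT', set()): multiplier never encoded
    print(incremental_flatten(VARS, F2, HARD))   # ('SAT', {'m1'})
```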
Conclusion
- We can compute bit-wise operations and arithmetic using bit-vector logic.
- There are decision procedures that check the satisfiability of a given bit-vector logic formula.
- Slides: 23