Presentation is loading. Please wait.

Presentation is loading. Please wait.

HANDLING BIT-PROPAGATING OPERATIONS IN BIT-VECTOR REASONING Alexander Nadel, Intel, Israel SMT’13 Workshop Helsinki, Finland July 8 th, 2013.

Similar presentations


Presentation on theme: "HANDLING BIT-PROPAGATING OPERATIONS IN BIT-VECTOR REASONING Alexander Nadel, Intel, Israel SMT’13 Workshop Helsinki, Finland July 8 th, 2013."— Presentation transcript:

1 HANDLING BIT-PROPAGATING OPERATIONS IN BIT-VECTOR REASONING Alexander Nadel, Intel, Israel SMT’13 Workshop Helsinki, Finland July 8 th, 2013

2 Outline We identify and define a class of Bit-Vector (BV) operations, called Bit-Propagating (BP) We propose an algorithm for efficiently handling BP operations during online preprocessing in eager BV solving We demonstrate a performance boost when our algorithms are applied over SMT-LIB 2.0 instances

3 Bit-Vector (BV) Reasoning Bit-vector reasoning is widely applied for HW and SW formal validation and other domains. Over 48% out of more than 93,000 benchmarks in SMT- LIB are BV-based, that is either: Plain bit-vector (QF_BV), or Bit-vectors and arrays combined (QF_ABV) Some BV Solvers: Boolector, Mathsat, STP, CVC, Z3, Intel’s new solver Hazel, …

4 BV Operations in SMT-LIB 2.0 Core =/bvcomp distinct ite Bit-wise and**/bvand or**/bvor xor**/bvxor =>** bvnot bvnand bvnor bvxnor bvneg Bit-prop. concat extract bvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right Arithmetic bvadd bvmul bvudiv bvurem bvsub bvsdiv bvsrem bvsmod bvshl* bvlshr* bvashr* Comparison bvult bvule bvugt bvuge bvslt bvsle bvsgt bvsge * Shift by a constant is bit-propagating; shift by a non-constant is arithmetic ** We consider Bool’s to be bit-vectors of width 1

5 Eager BV Solving 1. Apply word-level preprocessing (rewriting, constant propagation, …) Local/online: applied once a new operation is fed into the solver Global: applied after the whole formula is fed into the solver 2. Optionally, bit-blast to bit-level AIG and apply AIG simplifications 3. Bit-blast to CNF and solve with a SAT solver

6 (define-fun v4 () ( BitVec 2) (bvadd v3 (_ bv0 2))) Eager BV Solving Example SMT Engine (declare-fun v1 () ( BitVec 2)) v1v1 (declare-fun v2 () ( BitVec 2)) v2v2 v 3 : bvadd (define-fun v3 () ( BitVec 2) (bvadd v1 v2)) v 3,v 4 : bvadd (assert (v4 (_ bv0 2)) 0 (check-sat) SAT Engine SAT! Online Preprocessing

7 Bit-Propagating (BP) Operations We define an operation to be bit-propagating iff: Each output bit is either a bit of one of the inputs or a constant, and The mapping can be computed at the time the operation is applied. v = [v [3], v [2], v [1], v [0] ] u = bvshl(v,2) = [v [1], v [0],0,0] t = bvshl(v,s)

8 BP Operations in SMT-LIB 2.0 Bit-prop. concat extract bvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right * Shift by a constant is bit-propagating; shift by a non-constant is arithmetic

9 BP Operations in SMT-LIB 2.0 Bit-prop. concat extract bvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right v = [v [3], v [2], v [1], v [0] ] u = concat(v,y) = [v [3], v [2], v [1], v [0], y [1], y [0] ] y = [y [1], y [0] ]

10 BP Operations in SMT-LIB 2.0 Bit-prop. concat extract bvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right v = [v [3], v [2], v [1], v [0] ] u = extract(v,2,1) = [v [2], v [1] ]

11 BP Operations in SMT-LIB 2.0 Bit-prop. concat extract bvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right * Shift by a constant is bit-propagating; shift by a non-constant is arithmetic v = [v [3], v [2], v [1], v [0] ] u = bvshl(v,2) = [v [1], v [0],0,0]

12 BP Operations in SMT-LIB 2.0 Bit-prop. concat extract bvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right * Shift by a constant is bit-propagating; shift by a non-constant is arithmetic v = [v [3], v [2], v [1], v [0] ] u = bvlshr(v,2) = [0,0,v [3], v [2] ]

13 BP Operations in SMT-LIB 2.0 Bit-prop. concat extract bvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right * Shift by a constant is bit-propagating; shift by a non-constant is arithmetic v = [v [3], v [2], v [1], v [0] ] u = bvashr(v,2) = [v [3],v [3],v [3], v [2] ]

14 BP Operations in SMT-LIB 2.0 Bit-prop. concat extract bvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right v = [v [3], v [2], v [1], v [0] ] u = repeat(v,2) = [v [3],v [2],v [1], v [0], v [3],v [2],v [1], v [0] ]

15 BP Operations in SMT-LIB 2.0 Bit-prop. concat extract bvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right v = [v [3], v [2], v [1], v [0] ] u = zero_extend(v,2) = [0,0,v [3],v [2],v [1], v [0] ]

16 BP Operations in SMT-LIB 2.0 Bit-prop. concat extract bvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right v = [v [3], v [2], v [1], v [0] ] u = sign_extend(v,2) = [v [3], v [3],v [3],v [2],v [1], v [0] ]

17 BP Operations in SMT-LIB 2.0 Bit-prop. concat extract bvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right v = [v [3], v [2], v [1], v [0] ] u = rotate_left(v,1) = [v [2],v [1],v [0],v [3] ]

18 BP Operations in SMT-LIB 2.0 Bit-prop. concat extract bvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right v = [v [3], v [2], v [1], v [0] ] u = rotate_right(v,1) = [v [0],v [3],v [2],v [1] ]

19 Family Bench’s BP Ops in % uclid/tcas261 calypto2356 sage/app bruttomesso/core67249 bench_ab28544 sage/app bruttomesso/lfsr24038 brummayerbiere26537 uum836 check535 crafted2135 sage/app sage/app Pipe125 wienand-cav2008/Booth 625 stp_samples42624 sage/app check2621 sage/app brummayerbiere52 17 sage/app sage/app sage/app Family Bench’s BP Ops in % galois414 spear/openldap_v sage/app bruttomesso/simple_processor6413 uclid_contrib_smtcomp09713 spear/inn_v spear/samba_v spear/wget_v wienand-cav2008/Commute68 uclid4167 wienand-cav2008/Distrib67 spear/xinetd_v brummayerbiere3795 spear/zebra_v0.95a95 stp15 rubik74 spear/cvs_v brummayerbiere4102 dwp_formulas3321 asp5010 gulwani-pldi0860 tacas0750 VS3110 The Portion of BP Operations in SMT-LIB 2.0 Families in QF_BV Logic

20 Our Approach to Handling BP Ops Handle BP Operations explicitly during online preprocessing using Bit-Propagating Normal Form (BPNF)- based reasoning Each variable is associated with a BPNF: a sequence of segments, where each segment is either: A constant, or A bit-range over a non-propagating variable Goals: Word-level hashing: one word-level variable per BPNF CNF minimization: CNF variables are created only for non-BP ops

21 BPNF Usage Example u 1 ={u 1 [3:0] }, where |u 1 |=4 v 1 = bvadd(u 1, u 2 )={v 1 [3:0] } u 2 ={u 2 [3:0] }, where |u 2 |=4 v 3 = extract(v 2, 2, 1)={v 1 [1-0] } v 4 = repeat(v 1, 2)={v 1 [3-0], v 1 [3-0] } v 5 = extract(v 4, 5, 4)={v 1 [1-0] } Online Preprocessing v 2 = bvshl(v 1,1)={v 1 [2-0],0} v 6 = extract(v 4, 6, 5)={v 1 [2-1] } v 7 = concat(v 6, v 5 )={v 1 [2-1],v 1 [1-0] } Not a BPNF, mergeable! v 7 = concat(v 6, v 5 )={v 1 [2-0] } v 8 = extract(v 2, 3, 1)={v 1 [2-0] } v 8 = v 7 = concat(v 6, v 5 )={v 1 [2-0] } Merging was essential for proper hashing! (assert (v 8 (_ bv0 3)) (check-sat) The CNF:  v 1 [0]  v 1 [1]  v 1 [2] No CNF clauses/vars required! v 5 = v 3 =extract(v 2, 2, 1)={v 1 [1-0] } Bit-blasted addition Segments s 2 and s 1 (in the specified order) are mergeable if Both s 2 and s 1 are constants, or Both s 2 and s 1 are bit-ranges, such that s 2 = v [k:j+1] and s 1 = v [j:i] BPNF: a sequence of non-mergeable segments The new neighbor pair of segments was merged!

22 Implementation Tips: Segment Threshold Maintaining too many segments might inflate the memory and lead to a performance degradation Solution: impose a user-given threshold T on a number of segments in BPNF A variable with too many segments in BPNF is considered non-BP. New CNF variables are created to represent it in the SAT solver

23 Implementation Tips: Rewriting assert- based Definitions Using assert to define new variables is incompatible with BPNF reasoning

24 Rewriting assert-based Definitions: Problem Example SMT Engine (declare-fun u () ( BitVec 32)) u = {u [31-0] } (declare-fun v () ( BitVec 64)) v = {v [63-0] } (assert (= v (repeat u 2)) t = repeat(u,2)={u [31-0],u [31-0] }z = (v=t)={z [0-0] } 0 v = repeat(u,2)={u [31-0],u [31-0] } u = {u [31-0] }

25 Implementation Tips: Rewriting Assert- based Definitions Using assert to define new variables is incomparable with BPNF reasoning Solution: rewrite assert-based definitions into define-fun- based definitions (using look-ahead): Our example: (declare-fun u () Type) (declare-fun v () Type) (assert (= (v (f u)))) (declare-fun u () Type) (define-fun v (f u)) (declare-fun u () ( BitVec 32)) (declare-fun v () ( BitVec 64)) (assert (= (v (repeat u 2)))) (declare-fun u () ( BitVec 32)) (define-fun v (repeat u 2))

26 Implementation Tips: Apply Constant Propagation Constant propagation is a commonly applied preprocessing technique Essential in our setting in order not to miss shifts by constants Example: (declare-fun u () ( BitVec 32)) (define-fun x () ( BitVec 32)) (assert (= x (bvadd (_ bv3 32) (_ bv2 32)))) (define-fun v (bvshl u x)) (declare-fun u () ( BitVec 32)) (define-fun v (bvshl u (_ bv5 32)))

27 Experimental Results We implemented BPNF reasoning on top of a new Intel’s eager SMT solver Hazel Main experiment: show the impact of BPNF reasoning on Hazel performance We used 37 SMT-LIB families having at least 5% BP operations Families solved in less than 1 sec. and most of the (huge) sage sub-families were dismissed We used different values for the segments threshold in BPNF The base version creates a new CNF variable for every word-level variable Secondary experiment: demonstrate that Hazel can compete with state- of-the-art solvers over families where BPNF reasoning is the most helpful Environment: machines with Intel® Xeon® processors, 3Ghz CPU frequency, 32Gb of memory. Time-out: 600 sec.

28 Family Run-timeTime RatioSolved BaseThr. 10Thr to Base 1000 to BaseBaseThr. 10Thr spear/openldap_v pipe brummayerbiere wienand-cav2008/Booth uum brutomesso/simple_proces sor uclid_contrib_smtcomp uclid/catchconv brummayerbiere brutomesso/lfsr spear/samba_v spear/inn_v stp spear/wget_v brummayerbiere calypto brutomesso/core

29 Family Run-timeTime RatioSolved BaseThr. 10Thr to Base 1000 to BaseBaseThr. 10Thr spear/openldap_v pipe brummayerbiere wienand-cav2008/Booth uum brutomesso/simple_proces sor uclid_contrib_smtcomp uclid/catchconv brummayerbiere brutomesso/lfsr spear/samba_v spear/inn_v stp spear/wget_v brummayerbiere calypto brutomesso/core families with at least 30% speed-up

30 Family Base Segment Thr. 10Segment Thr SMT Ops CNF Clss CNF Vars Opt Ratio Clss Ratio Vars RatioOpt Ratio Clss Ratio Vars Ratio spear/openldap_v M0.93M pipe M brummayerbiere M6.86M wienand-cav2008/Booth uum brutomesso/simple_processor M0.58M uclid_contrib_smtcomp M0.61M uclid/catchconv5.03M63.5M34.8M brummayerbiere M0.83M brutomesso/lfsr0.8M71.9M28.7M spear/samba_v M993M338M spear/inn_v M216M46.4M stp0.32M5.2M3.39M spear/wget_v M19.6M brummayerbiere M12.8M calypto M0.29M brutomesso/core6.49M106M40.9M Significant reduction in CNF size -Marginal reduction in the ops num. => hints that word-level hashing may not be critical -Correlation between the CNF size and performance is not absolute

31 Family Run-time in secondsSolved Instances BoolectorMathsatSTPHazel 10 Hazel 1000 BoolectorMathsatSTPHazel 10 Hazel 1000 spear/openldap_v pipe brummayerbiere wienand- cav2008/Booth uum brutomesso/simpl e_processor uclid_contrib_smt comp uclid/catchconv

32 Related Work Normal forms for concat/extract are well-known (see ref’s in the paper) Our work identifies and defines the class of BP operations; our approach is integrated into a modern eager SMT solver A DPLL(T) theory solver for extract, concat and equality applied within lazy SMT solving was proposed in ICCAD’09, Brottomesso&Sharygina Our algorithms are integrated into an eager SMT solver; we define and handle 10 BP ops, but not equalities. Bit-level sharing of CNF variables for concat/extract is known in the community and applied by various solvers, but AFAIK not published Any bit-level solution lacks the word-level hashing ability Essential algorithms used in BV preprocessing are often unpublished 

33 Conclusion We identified and defined a class of Bit-Vector (BV) operations, called Bit-Propagating (BP) We proposed an algorithm for handling BP operations efficiently during online preprocessing in eager BV solving We demonstrated a performance boost across various SMT-LIB families

34

35 Bit-Propagating Normal Form (BPNF) A variable is bit-propagating iff it was created by a bit- propagating operation, otherwise it’s non-bit-propagating A segment is either A constant, e.g., , or A bit-range, that is a sequence of consecutive bits of a non-bit- propagating variable, e.g., v [3:1] =[v [3], v [2], v [1] ] Segments s 2 and s 1 (in the specified order) are mergeable if Both s 2 and s 1 are constants, or Both s 2 and s 1 are bit-ranges, such that s 2 = v [k:j+1] and s 1 = v [j:i] BPNF(v) is a sequence of segments, where each pair of neighbor segments is non-mergeable

36 Calculating a BPNF for BP Operations Bit-prop. concat extract bvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right u=concat(v,y)={v s(v),…,v 1,M(v 0,y s(y) ), y s(y)-1 …,y 1, y 0 } y = {y s(y),…,y 1, y 0 }v = {v s(v),…,v 1, v 0 } Merge operation M(s,t) = s,t for non-mergeable s,t M(c 1, c 2 ) = concat(c 1, c 2 ) if c 1,c 2 are constants e.g., M(10,01) = 1001 M(v [k:j+1], v [j:i] ) = v [k,i]

37 Calculating a BPNF for BP Operations Bit-prop. concat extract bvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right v = {v s(v),…,v 1, v 0 } u=extract(v,j,i)={v sn(j) [sb(j):0],v sn(j)-1,…,v sn(i)+1,v sn(i) [end:sb(i)] } The segment number of bit i The number of bit i in its segment The last defined bit in v sn(i)

38 Calculating a BPNF for BP Operations Bit-prop. concat extract bvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right The remaining operations can be reduced to concat/extract (see the paper for details) * Shift by a constant is bit-propagating; shift by a non-constant is arithmetic


Download ppt "HANDLING BIT-PROPAGATING OPERATIONS IN BIT-VECTOR REASONING Alexander Nadel, Intel, Israel SMT’13 Workshop Helsinki, Finland July 8 th, 2013."

Similar presentations


Ads by Google