Download presentation

Presentation is loading. Please wait.

Published byAbbie Darcey Modified over 2 years ago

1
HANDLING BIT-PROPAGATING OPERATIONS IN BIT-VECTOR REASONING Alexander Nadel, Intel, Israel SMT’13 Workshop Helsinki, Finland July 8 th, 2013

2
Outline We identify and define a class of Bit-Vector (BV) operations, called Bit-Propagating (BP) We propose an algorithm for efficiently handling BP operations during online preprocessing in eager BV solving We demonstrate a performance boost when our algorithms are applied over SMT-LIB 2.0 instances

3
Bit-Vector (BV) Reasoning Bit-vector reasoning is widely applied for HW and SW formal validation and other domains. Over 48% out of more than 93,000 benchmarks in SMT- LIB are BV-based, that is either: Plain bit-vector (QF_BV), or Bit-vectors and arrays combined (QF_ABV) Some BV Solvers: Boolector, Mathsat, STP, CVC, Z3, Intel’s new solver Hazel, …

4
BV Operations in SMT-LIB 2.0 Core =/bvcomp distinct ite Bit-wise and**/bvand or**/bvor xor**/bvxor =>** bvnot bvnand bvnor bvxnor bvneg Bit-prop. concat extract bvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right Arithmetic bvadd bvmul bvudiv bvurem bvsub bvsdiv bvsrem bvsmod bvshl* bvlshr* bvashr* Comparison bvult bvule bvugt bvuge bvslt bvsle bvsgt bvsge * Shift by a constant is bit-propagating; shift by a non-constant is arithmetic ** We consider Bool’s to be bit-vectors of width 1

5
Eager BV Solving 1. Apply word-level preprocessing (rewriting, constant propagation, …) Local/online: applied once a new operation is fed into the solver Global: applied after the whole formula is fed into the solver 2. Optionally, bit-blast to bit-level AIG and apply AIG simplifications 3. Bit-blast to CNF and solve with a SAT solver

6
(define-fun v4 () ( BitVec 2) (bvadd v3 (_ bv0 2))) Eager BV Solving Example SMT Engine (declare-fun v1 () ( BitVec 2)) v1v1 (declare-fun v2 () ( BitVec 2)) v2v2 v 3 : bvadd (define-fun v3 () ( BitVec 2) (bvadd v1 v2)) v 3,v 4 : bvadd (assert (v4 (_ bv0 2)) 0 (check-sat) SAT Engine SAT! Online Preprocessing

7
Bit-Propagating (BP) Operations We define an operation to be bit-propagating iff: Each output bit is either a bit of one of the inputs or a constant, and The mapping can be computed at the time the operation is applied. v = [v [3], v [2], v [1], v [0] ] u = bvshl(v,2) = [v [1], v [0],0,0] t = bvshl(v,s)

8
BP Operations in SMT-LIB 2.0 Bit-prop. concat extract bvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right * Shift by a constant is bit-propagating; shift by a non-constant is arithmetic

9
BP Operations in SMT-LIB 2.0 Bit-prop. concat extract bvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right v = [v [3], v [2], v [1], v [0] ] u = concat(v,y) = [v [3], v [2], v [1], v [0], y [1], y [0] ] y = [y [1], y [0] ]

10
BP Operations in SMT-LIB 2.0 Bit-prop. concat extract bvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right v = [v [3], v [2], v [1], v [0] ] u = extract(v,2,1) = [v [2], v [1] ]

11
BP Operations in SMT-LIB 2.0 Bit-prop. concat extract bvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right * Shift by a constant is bit-propagating; shift by a non-constant is arithmetic v = [v [3], v [2], v [1], v [0] ] u = bvshl(v,2) = [v [1], v [0],0,0]

12
BP Operations in SMT-LIB 2.0 Bit-prop. concat extract bvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right * Shift by a constant is bit-propagating; shift by a non-constant is arithmetic v = [v [3], v [2], v [1], v [0] ] u = bvlshr(v,2) = [0,0,v [3], v [2] ]

13
BP Operations in SMT-LIB 2.0 Bit-prop. concat extract bvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right * Shift by a constant is bit-propagating; shift by a non-constant is arithmetic v = [v [3], v [2], v [1], v [0] ] u = bvashr(v,2) = [v [3],v [3],v [3], v [2] ]

14
BP Operations in SMT-LIB 2.0 Bit-prop. concat extract bvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right v = [v [3], v [2], v [1], v [0] ] u = repeat(v,2) = [v [3],v [2],v [1], v [0], v [3],v [2],v [1], v [0] ]

15
BP Operations in SMT-LIB 2.0 Bit-prop. concat extract bvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right v = [v [3], v [2], v [1], v [0] ] u = zero_extend(v,2) = [0,0,v [3],v [2],v [1], v [0] ]

16
BP Operations in SMT-LIB 2.0 Bit-prop. concat extract bvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right v = [v [3], v [2], v [1], v [0] ] u = sign_extend(v,2) = [v [3], v [3],v [3],v [2],v [1], v [0] ]

17
BP Operations in SMT-LIB 2.0 Bit-prop. concat extract bvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right v = [v [3], v [2], v [1], v [0] ] u = rotate_left(v,1) = [v [2],v [1],v [0],v [3] ]

18
BP Operations in SMT-LIB 2.0 Bit-prop. concat extract bvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right v = [v [3], v [2], v [1], v [0] ] u = rotate_right(v,1) = [v [0],v [3],v [2],v [1] ]

19
Family Bench’s BP Ops in % uclid/tcas261 calypto2356 sage/app1161150 bruttomesso/core67249 bench_ab28544 sage/app105142 bruttomesso/lfsr24038 brummayerbiere26537 uum836 check535 crafted2135 sage/app624534 sage/app12578429 Pipe125 wienand-cav2008/Booth 625 stp_samples42624 sage/app2141722 check2621 sage/app7866319 brummayerbiere52 17 sage/app51103 16 sage/app82756 16 sage/app93301 16 Family Bench’s BP Ops in % galois414 spear/openldap_v2.3.35814 sage/app1267614 bruttomesso/simple_processor6413 uclid_contrib_smtcomp09713 spear/inn_v2.4.32198 spear/samba_v3.0.2413868 spear/wget_v1.10.2428 wienand-cav2008/Commute68 uclid4167 wienand-cav2008/Distrib67 spear/xinetd_v2.3.1426 brummayerbiere3795 spear/zebra_v0.95a95 stp15 rubik74 spear/cvs_v1.11.22293 brummayerbiere4102 dwp_formulas3321 asp5010 gulwani-pldi0860 tacas0750 VS3110 The Portion of BP Operations in SMT-LIB 2.0 Families in QF_BV Logic

20
Our Approach to Handling BP Ops Handle BP Operations explicitly during online preprocessing using Bit-Propagating Normal Form (BPNF)- based reasoning Each variable is associated with a BPNF: a sequence of segments, where each segment is either: A constant, or A bit-range over a non-propagating variable Goals: Word-level hashing: one word-level variable per BPNF CNF minimization: CNF variables are created only for non-BP ops

21
BPNF Usage Example u 1 ={u 1 [3:0] }, where |u 1 |=4 v 1 = bvadd(u 1, u 2 )={v 1 [3:0] } u 2 ={u 2 [3:0] }, where |u 2 |=4 v 3 = extract(v 2, 2, 1)={v 1 [1-0] } v 4 = repeat(v 1, 2)={v 1 [3-0], v 1 [3-0] } v 5 = extract(v 4, 5, 4)={v 1 [1-0] } Online Preprocessing v 2 = bvshl(v 1,1)={v 1 [2-0],0} v 6 = extract(v 4, 6, 5)={v 1 [2-1] } v 7 = concat(v 6, v 5 )={v 1 [2-1],v 1 [1-0] } Not a BPNF, mergeable! v 7 = concat(v 6, v 5 )={v 1 [2-0] } v 8 = extract(v 2, 3, 1)={v 1 [2-0] } v 8 = v 7 = concat(v 6, v 5 )={v 1 [2-0] } Merging was essential for proper hashing! (assert (v 8 (_ bv0 3)) (check-sat) The CNF: v 1 [0] v 1 [1] v 1 [2] No CNF clauses/vars required! v 5 = v 3 =extract(v 2, 2, 1)={v 1 [1-0] } Bit-blasted addition Segments s 2 and s 1 (in the specified order) are mergeable if Both s 2 and s 1 are constants, or Both s 2 and s 1 are bit-ranges, such that s 2 = v [k:j+1] and s 1 = v [j:i] BPNF: a sequence of non-mergeable segments The new neighbor pair of segments was merged!

22
Implementation Tips: Segment Threshold Maintaining too many segments might inflate the memory and lead to a performance degradation Solution: impose a user-given threshold T on a number of segments in BPNF A variable with too many segments in BPNF is considered non-BP. New CNF variables are created to represent it in the SAT solver

23
Implementation Tips: Rewriting assert- based Definitions Using assert to define new variables is incompatible with BPNF reasoning

24
Rewriting assert-based Definitions: Problem Example SMT Engine (declare-fun u () ( BitVec 32)) u = {u [31-0] } (declare-fun v () ( BitVec 64)) v = {v [63-0] } (assert (= v (repeat u 2)) t = repeat(u,2)={u [31-0],u [31-0] }z = (v=t)={z [0-0] } 0 v = repeat(u,2)={u [31-0],u [31-0] } u = {u [31-0] }

25
Implementation Tips: Rewriting Assert- based Definitions Using assert to define new variables is incomparable with BPNF reasoning Solution: rewrite assert-based definitions into define-fun- based definitions (using look-ahead): Our example: (declare-fun u () Type) (declare-fun v () Type) (assert (= (v (f u)))) (declare-fun u () Type) (define-fun v (f u)) (declare-fun u () ( BitVec 32)) (declare-fun v () ( BitVec 64)) (assert (= (v (repeat u 2)))) (declare-fun u () ( BitVec 32)) (define-fun v (repeat u 2))

26
Implementation Tips: Apply Constant Propagation Constant propagation is a commonly applied preprocessing technique Essential in our setting in order not to miss shifts by constants Example: (declare-fun u () ( BitVec 32)) (define-fun x () ( BitVec 32)) (assert (= x (bvadd (_ bv3 32) (_ bv2 32)))) (define-fun v (bvshl u x)) (declare-fun u () ( BitVec 32)) (define-fun v (bvshl u (_ bv5 32)))

27
Experimental Results We implemented BPNF reasoning on top of a new Intel’s eager SMT solver Hazel Main experiment: show the impact of BPNF reasoning on Hazel performance We used 37 SMT-LIB families having at least 5% BP operations Families solved in less than 1 sec. and most of the (huge) sage sub-families were dismissed We used different values for the segments threshold in BPNF The base version creates a new CNF variable for every word-level variable Secondary experiment: demonstrate that Hazel can compete with state- of-the-art solvers over families where BPNF reasoning is the most helpful Environment: machines with Intel® Xeon® processors, 3Ghz CPU frequency, 32Gb of memory. Time-out: 600 sec.

28
Family Run-timeTime RatioSolved BaseThr. 10Thr. 1000 10 to Base 1000 to BaseBaseThr. 10Thr. 1000 spear/openldap_v2.3.351800600193.00096.774578 pipe6001556003.8721.000010 brummayerbiere16497097112.3262.3214041 wienand-cav2008/Booth4326 1.6431.626222 uum1812 1.5351.534222 brutomesso/simple_proces sor374266 1.4041.40564 uclid_contrib_smtcomp092262001691.1301.340777 uclid/catchconv9871.1151.312414 brummayerbiere32921260028851.1231.01242 brutomesso/lfsr8039743574391.081 230227 spear/samba_v3.0.243516335934331.0471.0241386 spear/inn_v2.4.36246077081.0270.880219 stp1110111.0231.000111 spear/wget_v1.10.23083193060.9661.00642 brummayerbiere27198017990.8990.9013233 calypto2132542530.8380.84311 brutomesso/core1935524307 0.796 933925

29
Family Run-timeTime RatioSolved BaseThr. 10Thr. 1000 10 to Base 1000 to BaseBaseThr. 10Thr. 1000 spear/openldap_v2.3.351800600193.00096.774578 pipe6001556003.8721.000010 brummayerbiere16497097112.3262.3214041 wienand-cav2008/Booth4326 1.6431.626222 uum1812 1.5351.534222 brutomesso/simple_proces sor374266 1.4041.40564 uclid_contrib_smtcomp092262001691.1301.340777 uclid/catchconv9871.1151.312414 brummayerbiere32921260028851.1231.01242 brutomesso/lfsr8039743574391.081 230227 spear/samba_v3.0.243516335934331.0471.0241386 spear/inn_v2.4.36246077081.0270.880219 stp1110111.0231.000111 spear/wget_v1.10.23083193060.9661.00642 brummayerbiere27198017990.8990.9013233 calypto2132542530.8380.84311 brutomesso/core1935524307 0.796 933925 8 families with at least 30% speed-up

30
Family Base Segment Thr. 10Segment Thr. 1000 SMT Ops CNF Clss CNF Vars Opt Ratio Clss Ratio Vars RatioOpt Ratio Clss Ratio Vars Ratio spear/openldap_v2.3.35124693.86M0.93M1.02361.09861.25931.02361.10121.2661 pipe10480.19M924781.00292.73502.97641.06403.29863.6959 brummayerbiere3535114.5M6.86M1.00121.23731.29941.00121.23811.3004 wienand-cav2008/Booth5421347133931.00001.51581.32181.00001.51991.3280 uum10761260559321.00001.38121.38731.00001.38121.3873 brutomesso/simple_processor417361.66M0.58M1.00001.37261.63261.00001.37261.6326 uclid_contrib_smtcomp09461561.84M0.61M1.00571.05841.09061.00681.07201.1125 uclid/catchconv5.03M63.5M34.8M1.00021.07111.06191.00021.07481.0631 brummayerbiere3242892.46M0.83M1.00001.01441.01371.00001.01691.0175 brutomesso/lfsr0.8M71.9M28.7M1.00001.23671.31531.00381.23991.3188 spear/samba_v3.0.249.4M993M338M1.00001.03221.04801.00001.03801.0568 spear/inn_v2.4.30.11M216M46.4M1.00481.00241.00551.00671.00401.0071 stp0.32M5.2M3.39M1.00001.00251.00211.00001.00251.0021 spear/wget_v1.10.21536485.8M19.6M1.00001.00061.00131.00171.00531.0019 brummayerbiere26256471.9M12.8M1.00001.36391.00381.00001.36391.0038 calypto117860.74M0.29M1.04481.38391.43211.04481.39631.4375 brutomesso/core6.49M106M40.9M1.01111.34421.49201.03701.37881.5262 -Significant reduction in CNF size -Marginal reduction in the ops num. => hints that word-level hashing may not be critical -Correlation between the CNF size and performance is not absolute

31
Family Run-time in secondsSolved Instances BoolectorMathsatSTPHazel 10 Hazel 1000 BoolectorMathsatSTPHazel 10 Hazel 1000 spear/openldap_v 2.3.351924120012046001956678 pipe325600 15560010010 brummayerbiere907499473670971141364041 wienand- cav2008/Booth21194526 22222 uum16291512 22222 brutomesso/simpl e_processor1908224885156266 64295964 uclid_contrib_smt comp0978326877020016977777 uclid/catchconv90152011987414

32
Related Work Normal forms for concat/extract are well-known (see ref’s in the paper) Our work identifies and defines the class of BP operations; our approach is integrated into a modern eager SMT solver A DPLL(T) theory solver for extract, concat and equality applied within lazy SMT solving was proposed in ICCAD’09, Brottomesso&Sharygina Our algorithms are integrated into an eager SMT solver; we define and handle 10 BP ops, but not equalities. Bit-level sharing of CNF variables for concat/extract is known in the community and applied by various solvers, but AFAIK not published Any bit-level solution lacks the word-level hashing ability Essential algorithms used in BV preprocessing are often unpublished

33
Conclusion We identified and defined a class of Bit-Vector (BV) operations, called Bit-Propagating (BP) We proposed an algorithm for handling BP operations efficiently during online preprocessing in eager BV solving We demonstrated a performance boost across various SMT-LIB families

35
Bit-Propagating Normal Form (BPNF) A variable is bit-propagating iff it was created by a bit- propagating operation, otherwise it’s non-bit-propagating A segment is either A constant, e.g., 0100100, or A bit-range, that is a sequence of consecutive bits of a non-bit- propagating variable, e.g., v [3:1] =[v [3], v [2], v [1] ] Segments s 2 and s 1 (in the specified order) are mergeable if Both s 2 and s 1 are constants, or Both s 2 and s 1 are bit-ranges, such that s 2 = v [k:j+1] and s 1 = v [j:i] BPNF(v) is a sequence of segments, where each pair of neighbor segments is non-mergeable

36
Calculating a BPNF for BP Operations Bit-prop. concat extract bvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right u=concat(v,y)={v s(v),…,v 1,M(v 0,y s(y) ), y s(y)-1 …,y 1, y 0 } y = {y s(y),…,y 1, y 0 }v = {v s(v),…,v 1, v 0 } Merge operation M(s,t) = s,t for non-mergeable s,t M(c 1, c 2 ) = concat(c 1, c 2 ) if c 1,c 2 are constants e.g., M(10,01) = 1001 M(v [k:j+1], v [j:i] ) = v [k,i]

37
Calculating a BPNF for BP Operations Bit-prop. concat extract bvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right v = {v s(v),…,v 1, v 0 } u=extract(v,j,i)={v sn(j) [sb(j):0],v sn(j)-1,…,v sn(i)+1,v sn(i) [end:sb(i)] } The segment number of bit i The number of bit i in its segment The last defined bit in v sn(i)

38
Calculating a BPNF for BP Operations Bit-prop. concat extract bvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right The remaining operations can be reduced to concat/extract (see the paper for details) * Shift by a constant is bit-propagating; shift by a non-constant is arithmetic

Similar presentations

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google