Daniel Kroening and Ofer Strichman Decision Procedure Bit Vector Daniel Kroening and Ofer Strichman Decision Procedure

Decision procedures Decision procedures which we learnt.. SAT Solver BDDs Decision procedure for equality logic … However, what kind of logic do we need to express bit- wise operations and bit-wise arithmetic? Logics which we covered can not express those kind of operations. We need bit-vector logic.

We need bit-vector logic Bit-wise operators : bit-wise AND, shift … Bit-wise arithmetic : bit addition, bit multiplication … Since bit-vector has finite domain, so we need to consider overflow problem which can not be happened in unbounded type operations, such as integer domain. We want to verify large formulas Program analysis tools that generate bit-vector formulas: CBMC SATABS F-Soft …

Contents Introduction to bit-vector logic Syntax Semantics Decision procedures for bit-vector logic Flattening bit-vector logic Incremental flattening Conclusion

Bit-vector logic syntax

Semantics Following formula obviously holds over the integer domain: However, this equivalence no longer holds over the bit- vectors. Subtraction operation may generate an overflow. Example

Width and Encoding The meaning of a bit-vector formula obviously depends on the width of the expression in bits the encoding - whether it is signed or unsigned Typical encodings: Binary encoding - unsigned Two’s complement - signed

Examples The width of the expression in bits The encoding unsatisfiable for one bit wide bit vectors, but satisfiable for larger widths. The encoding means different with respect to each encoding schemes. Notation to clarify width and encoding width in bits U: unsigned binary encoding S : signed two’s complement

Definition of bit-vector Definition. A bit vector b is a vector of bits with a given length l (or dimension) : The i-th bit of the bit vector is denoted by … bits

λ - Notation for bit-vectors A lambda expression for a bit vector with bits has the form is an expression that denotes the value of the i-th bit. Example The expression above denotes the bit vector 10101010.

Examples (cond.) The vector of length l that consists of zeros: A function that inverts a bit vector: A bit-wise OR:

Semantics for arithmetic operators (1/3) What is the answer for the below C program ? On 8 bits architectures, this is 44 which is not 300. Therefore, Bit vector arithmetic uses modular arithmetic.

Semantics for arithmetic operators (2/3) Semantics for addition and subtraction: Semantics for relational operators:

Semantics for arithmetic operators (3/3) Semantics for shift : logical left shift logical right shift arithmetic right shift - the sign bit of a is replicated

Decision procedure for bit-vector Bit-vector flattening Most commonly used decision procedure Transform bit-vector logic to propositional logic, which is then passed to SAT solver. Algorithm Input : A formula in bit-vector arithmetic Output : An equisatisfiable Boolean formula Convert each term into new Boolean variable Set each bit of each term to a new Boolean variable Add constraint for each atom Add constraint for each term

Example Bit-vector formula Convert each term into new Boolean variable Set each bit of each term to a new Boolean variable Add constraint for each atom Add constraint for each term

Example (l-bit Adder) 1-bit adder can be defined as follows: Carry bit can be defined as follows:

Example (l-bit Adder) l-bit Adder can be defined as follows: The constraints generated by algorithm for the formula is following:

Incremental bit flattening (1/4) Some arithmetic operation result in very hard formulas Multiplication Multiplier is defined recursively for , where denotes the width of the second operand: Therefore, we want to check satisfiability of a given formula without checking satisfiability of sub-formulas which have complicated arithmetic operations such as multiplication.

Incremental bit flattening (2/4) Example This formula is obviously unsatisfiable Since first two conjuncts are inconsistent and last two conjuncts are also inconsistent. SAT solver wants to make a decision of first two conjuncts because a and b are used frequently than x and y. However, this decision isn’t good because last two conjuncts are rather easy to check satisfiability since relation bit-vector operation is less complicate than multiplication bit-vector operation.

Incremental bit flattening (3/4) UNSAT SAT YES Pick ‘easy’ part convert to CNF : Boolean part of : set of terms that encoded to CNF formula : set of terms that are inconsistent with the current satisfying assignment

Incremental bit flattening (4/4) Idea : add ‘easy’ parts of the formula first Only add hard parts when needed only gets stronger - that’s why it is incremental

Conclusion We can compute bit-wise operations and arithmetics using bit-vector logic. There are decision procedures which check satisfiability of given bit-vector logic formula.