smtlectures.2

Satisﬁability Modulo Theories
Lezione 2 - An Eager Approach: Solving Bit-Vectors
(slides revision: Saturday 14th
March, 2015, 11:46)
Roberto Bruttomesso
Seminario di Logica Matematica
(Corso Prof. Silvio Ghilardi)
27 Ottobre 2011
R. Bruttomesso (SMT) Bit-Vectors 27 Ottobre 2011 1 / 27

Recall from last lecture . . .
Approaches to solve SMT formulæ are based on the observation that
SMT can be reduced to SAT, i.e., the purely Boolean Satisﬁability
Problem

Recall from last lecture . . .
Approaches to solve SMT formulæ are based on the observation that
SMT can be reduced to SAT, i.e., the purely Boolean Satisﬁability
Problem
sat / unsat
SMT formula ϕ
ψ
Encoder SAT-solver

Outline
1 Bit-Vectors
Syntax
Semantic
Examples
2 Solving Bit-Vectors
Bit-Blasting
Simpliﬁcations

Introduction
Bit-Vectors are extremely useful data structures, used to symbolically
represent hardware and software constructs (see later)

Introduction
The world of Bit-Vectors is a ﬁnite world, i.e., with Bit-Vectors it is
not possible to represent/handle arbitrarily large numbers

Introduction
Indeed, when speaking about Bit-Vectors we always associate a width
(which is usually a power of 2, often 32 or 64)

Introduction
The width speciﬁes the (maximum) number of bits used to represent
variables and terms

Introduction
The width speciﬁes the (maximum) number of bits used to represent
variables and terms
Bit-Vector formulæ are mathematically characterized by the theory of
Bit-Vectors BV

Bit-Vectors
A bit-vector is an array of bits
0
1 1 0 0 1 1
a[3] b[3]
2 1 0 2 1

Bit-Vectors
0
1 1 0 0 1 1
a[3] b[3]
2 1 0 2 1
Selection (or Extraction): a[3][1 : 0]
1 0
1 0

Bit-Vectors
0
1 1 0 0 1 1
a[3] b[3]
2 1 0 2 1
1 0
1 0
Notice that
a[n][i : j] returns a Bit-Vector of width i − j + 1 (0 ≤ j ≤ i ≤ n − 1)

Bit-Vectors
0
1 1 0 0 1 1
a[3] b[3]
2 1 0 2 1
1 0
1 0
Notice that
a[n][n − 1 : 0]

Bit-Vectors
0
1 1 0 0 1 1
a[3] b[3]
2 1 0 2 1
1 0
1 0
Notice that
a[n][n − 1 : 0] = a[n]

Bit-Vectors
0
1 1 0 0 1 1
a[3] b[3]
2 1 0 2 1
1 0
1 0
Notice that
a[n][n − 1 : 0] = a[n]
Selection has precedence over any other operator

Bit-Vectors
0
1 1 0 0 1 1
a[3] b[3]
2 1 0 2 1
Concatenation a[3] :: b[3]
1 1 0
5 34
0 1 1
2 1 0

Bit-Vectors
0
1 1 0 0 1 1
a[3] b[3]
2 1 0 2 1
1 1 0
5 34
0 1 1
2 1 0
Notice that
a[n] :: b[m] returns a Bit-Vector of width n + m

Bit-Vectors
0
1 1 0 0 1 1
a[3] b[3]
2 1 0 2 1
1 1 0
5 34
0 1 1
2 1 0
Notice that
a[n][n − 1 : i] :: a[n][i − 1 : 0]

Bit-Vectors
0
1 1 0 0 1 1
a[3] b[3]
2 1 0 2 1
1 1 0
5 34
0 1 1
2 1 0
Notice that
a[n][n − 1 : i] :: a[n][i − 1 : 0] = a[n][n − 1 : 0]

Bit-Vectors
0
1 1 0 0 1 1
a[3] b[3]
2 1 0 2 1
1 1 0
5 34
0 1 1
2 1 0
Notice that
a[n][n − 1 : i] :: a[n][i − 1 : 0] = a[n][n − 1 : 0] = a[n]

Bit-Vectors
0
1 1 0 0 1 1
a[3] b[3]
2 1 0 2 1
Arithmetic a[3] + b[3]
0 0 1
2 1 0
1

Bit-Vectors
0
1 1 0 0 1 1
a[3] b[3]
2 1 0 2 1
Arithmetic a[3] + b[3]
0 0 1
2 1 0
1
Notice that
To be precise, we should have written a[3] +[3] b[3] (widths must be
the same)
Semantic is that of modular arithmetic

Bit-Vectors
0
1 1 0 0 1 1
a[3] b[3]
2 1 0 2 1
Bitwise a[3] AND b[3]
0 1 0
2 1 0

Bit-Vectors
0
1 1 0 0 1 1
a[3] b[3]
2 1 0 2 1
Bitwise a[3] AND b[3]
0 1 0
2 1 0
Notice that
Again, to be precise, we should have written a[3] AND [3]b[3]
(widths must be the same)
Used to compute bit-mask operations

A (non-exhaustive) list of operators and predicates
Each Bit-Vector term of width n, is associated with a sort BV[n] (n ≥ 1)

Name Symb Type Signature
Selection [i : j]
Core
BV[n] → BV[i−j+1]
Concatenation :: BV[n] × BV[m] → BV[n+m]
Addition +
Arith.
BV[n] × BV[n] → BV[n]
Subtraction − BV[n] × BV[n] → BV[n]
Multiplication ∗ BV[n] × BV[n] → BV[n]
Less than (signed) <s BV[n] × BV[n] → Bool
Less than (unsigned) <u BV[n] × BV[n] → Bool
Bitwise and AND
Bitwise
Bitwise or OR BV[n] × BV[n] → BV[n]
Bitwise not NOT BV[n] → BV[n]

Name Symb Type Signature
Selection [i : j]
Core
BV[n] → BV[i−j+1]
Concatenation :: BV[n] × BV[m] → BV[n+m]
Addition +
Arith.
Subtraction − BV[n] × BV[n] → BV[n]
Multiplication ∗ BV[n] × BV[n] → BV[n]
Less than (signed) <s BV[n] × BV[n] → Bool
Less than (unsigned) <u BV[n] × BV[n] → Bool
Bitwise and AND
Bitwise
Bitwise or OR BV[n] × BV[n] → BV[n]
Bitwise not NOT BV[n] → BV[n]
Moreover, we have constants, e.g., 101101[6]

Bit-Vector semantic
Each sort BV[n] is associated with a domain Dn = {0, 1, . . . , 2n−1}

Bit-Vector semantic
For example BV[4] is associated with D4 = {0, 1, . . . , 15}

Bit-Vector semantic
As usual, the semantic for the other terms depends on a particular assignment to the
variables

Bit-Vector semantic
variables
Each variable x[n] is associated with a function [[x[n]]] of type Dn → {0, 1}

Bit-Vector semantic
variables
[[x[3]]]: 1 0 0 0
2
1
0
1
[[x[3]]]:
nat3([[x[3]]]): 4

Bit-Vector semantic
variables
[[x[3]]]: 1 0 0 0
2
1
0
1
[[x[3]]]:
nat3([[x[3]]]): 4
natn( ) is a helper meta-function, to facilitate the presentation

Bit-Vector semantic
[[c[n]]] := λx ∈ [0, n − 1].
0 if the x-th bit is 0
1 otherwise
[[t[l] :: s[k]]] := λx ∈ [0, . . . , l + k − 1].
[[s[n]]](x) if x < l
[[t[n]]](x − l) otherwise
[[t[n][i : j]]] := λx ∈ [0, i − j + 1]. [[t[n]]](x + j)
[[t[n] + s[n]]] := nat−1
n (natn([[t[n]]]) + natn([[s[n]]])) % 2n
[[t[n] AND s[n]]] := λx ∈ [0, n − 1].



0 if [[t[n]]](x) = 0
0 if [[s[n]]](x) = 0
1 otherwise
[[t[n] <u s[n]]] :=
if natn([[t[n]]]) <u natn([[s[n]]])
⊥ otherwise

Example 1: C code
Pseudo-code
i := 1
while ( i > 0 )
i := i + 1

Example 1: C code
Pseudo-code
i := 1
while ( i > 0 )
i := i + 1
C equivalent
unsigned i = 1;
while ( i > 0 )
i = i + 1;

Example 2: C code
Evaluation of BV[32] with C
unsigned a = 0xFFFF0000;
unsigned b = 0x0000FFFF;
printf( "a + b : %8Xn", a + b );
printf( "a * b : %8Xn", a * b );
printf( "a AND b : %8Xn", a & b );
printf( "a OR b : %8Xn", a | b );

Example 3: Circuit
module counter(clk, count);
input clk ;
output [2:0] count ;
wire cin ;
reg [2:0] count ;
assign cin = ~count [0] & ~count [1] & ~count [2];
initial begin
count = 3’b0;
end
always @ ( posedge clk )
begin
count [0] <= cin;
count [1] <= count [0];
count [2] <= count [1];
end
end module
100000 001 010

Outline
1 Bit-Vectors
Syntax
Semantic
Examples
2 Solving Bit-Vectors
Bit-Blasting
Simpliﬁcations

Bit-Blasting
Our goal is to devise an automatic decision procedure (SMT-solver) to
check the satisﬁability of a given Bit-Vector formula

Bit-Blasting
State-of-the-art techniques are based on reduction to SAT. It is called
bit-blasting

Bit-Blasting
bit-blasting
the formula is seen as a circuit, in which variables and constants
are inputs, while other terms are intermediate nodes. The
outermost Boolean connective or predicate represents the output

Bit-Blasting
bit-blasting
each variable is assigned to a vector of Boolean variables (n
variables for a variable of sort BV[n])

Bit-Blasting
bit-blasting
each variable is assigned to a vector of Boolean variables (n
variables for a variable of sort BV[n])
each intermediate node is assigned to a vector of Boolean formulæ
(n formulæ for a term of sort BV[n])

Bit-Blasting
(a[2] AND b[4][1 : 0]) = (c[2] + d[2])
[1 : 0]
+
=
AND
out[1]
int3[2]int2[2]
int1[2]
d[2]c[2]b[4]a[2]

Bit-Blasting
(a[2] AND b[4][1 : 0]) = (c[2] + d[2])
[1 : 0]
a1
a0
+
=
AND
out[1]
int3[2]int2[2]
int1[2]
d[2]c[2]b[4]

Bit-Blasting
(a[2] AND b[4][1 : 0]) = (c[2] + d[2])
[1 : 0]
a1
a0
b3
b2
b1
b0
+
=
AND
out[1]
int3[2]int2[2]
int1[2]
d[2]c[2]

Bit-Blasting
(a[2] AND b[4][1 : 0]) = (c[2] + d[2])
[1 : 0]
a1
a0
b3
b2
b1
b0
c1
c0
+
=
AND
out[1]
int3[2]int2[2]
int1[2]
d[2]

Bit-Blasting
(a[2] AND b[4][1 : 0]) = (c[2] + d[2])
[1 : 0]
a1
a0
b3
b2
b1
b0
c1
c0
d1
d0
+
=
AND
out[1]
int3[2]int2[2]
int1[2]

Bit-Blasting
(a[2] AND b[4][1 : 0]) = (c[2] + d[2])
[1 : 0]
a1
a0
b3
b2
b1
b0
c1
c0
d1
d0
+
=
b1
b0
AND
out[1]
int3[2]int2[2]

Bit-Blasting
(a[2] AND b[4][1 : 0]) = (c[2] + d[2])
[1 : 0]
a1
a0
b3
b2
b1
b0
c1
c0
d1
d0
+
=
b1
b0
b1
∧ a1
b0
∧ a0
AND
out[1]
int3[2]

Bit-Blasting
(a[2] AND b[4][1 : 0]) = (c[2] + d[2])
[1 : 0]
a1
a0
b3
b2
b1
b0
c1
c0
d1
d0
+
=
b1
b0
c0
⊕ d0
c1
⊕ d1
⊕
(c0
∧ d0
)b1
∧ a1
b0
∧ a0
AND
out[1]

Bit-Blasting
(a[2] AND b[4][1 : 0]) = (c[2] + d[2])
[1 : 0]
a1
a0
b3
b2
b1
b0
c1
c0
d1
d0
+
=
b1
b0
c0
⊕ d0
c1
⊕ d1
⊕
(c0
∧ d0
)b1
∧ a1
b0
∧ a0
((b1
∧ a1
) ↔ (c1
⊕ . . .))∧
((b0
∧ a0
) ↔ (c0
⊕ d0
))
AND

Bit-Blasting
(a[2] AND b[4][1 : 0]) = (c[2] + d[2])
[1 : 0]
a1
a0
b3
b2
b1
b0
c1
c0
d1
d0
+
=
b1
b0
c0
⊕ d0
c1
⊕ d1
⊕
(c0
∧ d0
)b1
∧ a1
b0
∧ a0
((b1
∧ a1
) ↔ (c1
⊕ . . .))∧
((b0
∧ a0
) ↔ (c0
⊕ d0
))
AND
((b1 ∧ a1) ↔ (c1 ⊕ d1 ⊕ (c0 ∧ d0))) ∧ ((b0 ∧ a0) ↔ (c0 ⊕ d0))

Bit-Blasing Algorithm (1)
BB := {}, C := {}
Procedure Bit-Blast-Term( t : BV[n] term )
if ( t ∈ C ) return; // If already in cache, skip
else C := C ∪ t // Put in cache

BB := {}, C := {}
if ( t is a BV[n] variable )
// Let x be the name of the variable
BB := BB ∪ {x → [xn−1
, . . . , x0
]}
// where xi
are fresh Boolean variables

BB := {}, C := {}
BB := BB ∪ {x → [xn−1
, . . . , x0
]}
// where xi
else if ( t is a BV[n] constant )
// Let c be the constant
BB := BB ∪ {c → [cn−1
, . . . , c0
]}
// where ci
is ⊥ if the i-th bit of c is 0, otherwise

BB := {}, C := {}
BB := BB ∪ {x → [xn−1
, . . . , x0
]}
// where xi
else if ( t is a BV[n] constant )
// Let c be the constant
BB := BB ∪ {c → [cn−1
, . . . , c0
]}
// where ci
is ⊥ if the i-th bit of c is 0, otherwise
else if ( t is (t1 AND t2), and t1, t2 are BV[n] terms )
Bit-Blast-Term( t1 )
BB := BB ∪ {t → [BB(t1, n − 1) ∧ BB(t2, n − 1), . . . , BB(t1, 0) ∧ BB(t2, 0)]}
. . .
where BB(t, i) means:
1 retrieve the correspondence t → [tn
− 1, . . . , t0
], and
2 return ti

Procedure Bit-Blast( ϕ : BV[n] formula )
if ( ϕ is (t1 = t2), and t1, t2 are BV[n] terms )
BB := BB ∪ {ϕ → ((BB(t1, n − 1) ↔ BB(t2, n − 1)) ∧ . . . ∧ (BB(t1, 0) ↔ BB(t2, 0)))}

else if ( ϕ is (t1 <u t2), and t1, t2 are BV[n] terms )
BB := BB ∪ {. . .}

else if ( ϕ is (t1 <u t2), and t1, t2 are BV[n] terms )
BB := BB ∪ {. . .}
else if ( ϕ is ϕ1 ∧ ϕ2 are BV[n] formula )
Bit-Blast( ϕ1 )
Bit-Blast( ϕ2 )
BB := BB ∪ {ϕ → (BB(ϕ1) ∧ BB(ϕ2))}
. . .
where BB(ϕ) means:
1 retrieve the correspondence ϕ → ψ, and
2 return ψ

SMT via Bit-Blasing
sat / unsat
SMT formula ϕ
ψ
Bit-Blaster SAT-solver

Bit-Blasing pros and cons
Pros
Very easy to write, if compared to write a native Bit-Vector solver

Pros
Boolean model from SAT can be mapped back to a model for each Bit-Vector
variable. If x[n] was bit-blasted as xn−1, . . . , x0
retrieve SAT assignment for each xi
(e.g., x0
= , x1
= ⊥)
construct actual value for x[n] by mapping to 1 and ⊥ to 0 (e.g.,
x[2] = 01)

Pros
(e.g., x0
= , x1
= ⊥)
x[2] = 01)
Cons
Does not scale very well. Consider the formula
¬(x[n] = 0[32]) ∧ (x[n] AND y[n]) = (x[n] + y[n]). It is unsat for every n.

Pros
(e.g., x0
= , x1
= ⊥)
x[2] = 01)
Cons
¬(x[n] = 0[32]) ∧ (x[n] AND y[n]) = (x[n] + y[n]). It is unsat for every n. But to
prove it for n = 32 requires 64 Boolean variables, to prove it with n = 1024 requires
2048 Boolean variables

Pros
(e.g., x0
= , x1
= ⊥)
x[2] = 01)
Cons
¬(x[n] = 0[32]) ∧ (x[n] AND y[n]) = (x[n] + y[n]). It is unsat for every n. But to
prove it for n = 32 requires 64 Boolean variables, to prove it with n = 1024 requires
2048 Boolean variables
It destroys the structure of the formula. In the encoding x[32] is not seen as a “single
object” but each xi is unrelated and independent

Simplifications
We use simplification rules to fight the two problems in previous slide, before bit-blasting
everything

Simpliﬁcations
everything
ψ
SMT formula ϕ
SAT-solver
sat / unsat
Bit-Blaster
Simpliﬁcations

Simplifications
everything
ψ
SMT formula ϕ
SAT-solver
sat / unsat
Bit-Blaster
Simplifications
Simplifications exploit properties of Bit-Vectors to try to reduce the complexity of the
formula. We see here some examples, but many more rules do exist. Also, it is very
important the way they are combined together

Trivial Simpliﬁcations
The following are trivial consequences of the semantic of Bit-Vectors
and formulæ in general

Bit-Vectors trivial simpliﬁcations
t = t ⇒ for a generic term
c = d ⇒ ⊥ for two diﬀerent constants c and d
t AND 0 . . . 0 ⇒ 0 . . . 0 for a generic term
. . .

Bit-Vectors trivial simpliﬁcations
t = t ⇒ for a generic term
c = d ⇒ ⊥ for two diﬀerent constants c and d
t AND 0 . . . 0 ⇒ 0 . . . 0 for a generic term
. . .
ϕ ∧ ϕ ⇒ ϕ for a generic formula
ϕ ∧ ⇒ ϕ for a generic formula
ϕ ∨ ⇒ for a generic formula
. . .

Ground Term evaluation
If a term is ground, i.e., it contains no variables, then it can be always
simpliﬁed to a single constant

Ground Term evaluation
If a term is ground, i.e., it contains no variables, then it can be always
simpliﬁed to a single constant
Examples:
0000 :: 1000 ⇒ 00001000
0010[1 : 0] ⇒ 10
0100 + 0101 ⇒ 1001

Variable Elimination Rule
Suppose that the input formula ϕ is of the kind
ϕ ∧ (x[n] = t[n])
where x[n] is a variable, and t[n] is a term not containing x[n]

ϕ ∧ (x[n] = t[n])
then we can rewrite ϕ as
ϕ [t[n]/x[n]]
i.e., we replace every occurrence of x[n] by t[n].

ϕ ∧ (x[n] = t[n])
then we can rewrite ϕ as
ϕ [t[n]/x[n]]
i.e., we replace every occurrence of x[n] by t[n]. We save n Boolean
variables in the reduction to SAT

Concatenation Elimination Rule
Suppose that we have the equality
t[n] :: s[m] = r[n] :: u[m]
then, because the concatenations match, we can rewrite it as

Concatenation Elimination Rule
Suppose that we have the equality
t[n] :: s[m] = r[n] :: u[m]
then, because the concatenations match, we can rewrite it as
(t[n] = r[n]) ∧ (s[m] = u[m])
this rewriting may give more opportunity for applications of previous
rules

Exercizes
1 Complete the missing cases in procedures Bit-Blast-Term and
Bit-Blast
2 Bit-Blast the formula ¬(x[3] = 000) ∧ (x[3] AND y[3]) = (x[3] + y[3])
3 Simplify the formula (x[4] :: y[4]) = (z[4] :: x[4]) ∧ ¬(y[4] = z[4])

smtlectures.2

Recommandé

Recommandé

Contenu connexe

Plus de Roberto Bruttomesso

Plus de Roberto Bruttomesso (10)

Dernier

Dernier (20)

smtlectures.2