1/23 Bit Vector Changki Hong @ PSWLAB

Bit Vector

Daniel Kroening and Ofer Strichman

Decision Procedure

2/23 Bit Vector Changki Hong @ PSWLAB

Decision procedures Decision procedures which we learnt..

SAT Solver BDDs Decision procedure for equality logic …

However, what kind of logic do we need to express bit-wise operations and bit-wise arithmetic? Logics which we covered can not express those

kind of operations. We need bit-vector logic.

3/23 Bit Vector Changki Hong @ PSWLAB

We need bit-vector logic We need bit-vector logic

Bit-wise operators : bit-wise AND, shift … Bit-wise arithmetic : bit addition, bit multiplication

… Since bit-vector has finite domain, so we need to con-

sider overflow problem which can not be happened in unbounded type operations, such as integer domain.

We want to verify large formulas Program analysis tools that generate bit-vector formu-

las: CBMC SATABS F-Soft …

4/23 Bit Vector Changki Hong @ PSWLAB

Contents Introduction to bit-vector logic Syntax Semantics Decision procedures for bit-vector logic

Flattening bit-vector logic Incremental flattening

Conclusion

5/23 Bit Vector Changki Hong @ PSWLAB

Bit-vector logic syntax Bit-vector logic syntax

6/23 Bit Vector Changki Hong @ PSWLAB

Semantics Following formula obviously holds over the in-

teger domain:

However, this equivalence no longer holds over the bit-vectors. Subtraction operation may generate an overflow. Example

)( )0( yxyx

101

010

011

235)2(3

7/23 Bit Vector Changki Hong @ PSWLAB

Width and Encoding The meaning of a bit-vector formula obviously

depends on 1. the width of the expression in bits2. the encoding - whether it is signed or unsigned

Typical encodings: Binary encoding - unsigned

Two’s complement - signed

1

0

2 : l

i

iiax

2

01

1 22: ][l

i

iin-

n- aa -x

8/23 Bit Vector Changki Hong @ PSWLAB

Examples The width of the expression in bits

unsatisfiable for one bit wide bit vectors, but satisfiable for larger widths.

The encoding means different with respect to each encod-

ing schemes.

Notation to clarify width and encoding

zyzxyx

11001000

200 11001000 56864128 ]11001000[

Sx ]32[

width in bits

U: unsigned binary encodingS : signed two’s complement

9/23 Bit Vector Changki Hong @ PSWLAB

Definition of bit-vector Definition. A bit vector b is a vector of bits with a

given length l (or dimension) :

The i-th bit of the bit vector is denoted by

}1,0{ }1, ... ,0{: lb

ibb

…1lb 2lb 2b 1b 0b

bitsl

10/23 Bit Vector Changki Hong @ PSWLAB

λ - Notation for bit-vectors A lambda expression for a bit vector with bits

has the form

is an expression that denotes the value of the i-th bit.

Example

The expression above denotes the bit vector 10101010.

l

)(}.1, ... ,0{ ifli

)(if

}.7, ... ,0{iotherwise:1

even is :0 i

11/23 Bit Vector Changki Hong @ PSWLAB

Examples (cond.) The vector of length l that consists of zeros:

A function that inverts a bit vector:

A bit-wise OR:

0}.1, ... ,0{ li

ixlixinvertbv }.1, ... ,0{ : )(

)}.(1, ... ,0{ : ),( ii yxliyxorbv

12/23 Bit Vector Changki Hong @ PSWLAB

Semantics for arithmetic operators (1/3) What is the answer for the below C program ?

On 8 bits architectures, this is 44 which is not 300.

Therefore, Bit vector arithmetic uses modular arith-metic.

13/23 Bit Vector Changki Hong @ PSWLAB

Semantics for arithmetic operators (2/3) Semantics for addition and subtraction:

Semantics for relational operators:

14/23 Bit Vector Changki Hong @ PSWLAB

Semantics for arithmetic operators (3/3) Semantics for shift :

logical left shift

logical right shift

arithmetic right shift - the sign bit of a is replicated

15/23 Bit Vector Changki Hong @ PSWLAB

Decision procedure for bit-vector Bit-vector flattening

Most commonly used decision procedure Transform bit-vector logic to propositional logic, which

is then passed to SAT solver.

Algorithm

Input : A formula in bit-vector arithmeticOutput : An equisatisfiable Boolean formula

1. Convert each term into new Boolean variable 2. Set each bit of each term to a new Boolean variable3. Add constraint for each atom 4. Add constraint for each term

16/23 Bit Vector Changki Hong @ PSWLAB

Example Bit-vector formula

1. Convert each term into new Boolean variable

2. Set each bit of each term to a new Boolean variable

3. Add constraint for each atom

4. Add constraint for each term

bac l ][|

)()( | 21][ tutubac l

)(...)()( )(

)(...)()( )(

1212022

1111011

l

l

tutututu

tutututu

))()(( 2

1

0 iii

l

ibatu

))()(( 21

1

0 ii

l

itutu

17/23 Bit Vector Changki Hong @ PSWLAB

Example (l-bit Adder) 1-bit adder can be defined as follows:

Carry bit can be defined as follows:

))(()(),,(

)(),,(

cinbabacinbacarry

cinbacinbasum

icotherwisecbacarry

icin

iii : ),,(

0:

111

18/23 Bit Vector Changki Hong @ PSWLAB

l-bit Adder can be defined as follows:

The constraints generated by algorithm for the formula is following:

Example (l-bit Adder)

n

iiii

ccout

liforcbasumresult

coutresultcinbaadd

}1, ... ,0{ ),,(

, ),,(

yxt

))().0,,(( 1

1

0 ii

l

ituresultyxadd

19/23 Bit Vector Changki Hong @ PSWLAB

Incremental bit flattening (1/4) Some arithmetic operation result in very hard

formulas Multiplication

Multiplier is defined recursively for , where denotes the width of the second operand:

Therefore, we want to check satisfiability of a given formula without checking satisfiability of sub-formulas which have complicated arithmetic operations such as multiplication.

}1, ... ,1{ ns n

)0:)?(()1,,(),,(

0)1,,(

sabsbamulsbamul

bamul

s

20/23 Bit Vector Changki Hong @ PSWLAB

Incremental bit flattening (2/4) Example

This formula is obviously unsatisfiable Since first two conjuncts are inconsistent and last two

conjuncts are also inconsistent. SAT solver wants to make a decision of first two con-

juncts because a and b are used frequently than x and y. However, this decision isn’t good because last two con-

juncts are rather easy to check satisfiability since rela-tion bit-vector operation is less complicate than multi-plication bit-vector operation.

yxyxbacabcba

21/23 Bit Vector Changki Hong @ PSWLAB

Incremental bit flattening (3/4)

{}:,: Fbf

)( Constraint: Fbf ':

Pick

FFF

(I\F)F'

{}I

{}I

SAT? Is f

UNSAT SAT

YESI Compute

: Boolean part of : set of terms that encoded to CNF formula : set of terms that are inconsistent with the current satisfy-ing assignment

b FI

Pick ‘easy’ part

convert to CNF

22/23 Bit Vector Changki Hong @ PSWLAB

Incremental bit flattening (4/4) Idea : add ‘easy’ parts of the formula first Only add hard parts when needed only gets stronger - that’s why it is incre-

mentalf

23/23 Bit Vector Changki Hong @ PSWLAB

Conclusion We can compute bit-wise operations and

arithmetics using bit-vector logic.

There are decision procedures which check satisfiability of given bit-vector logic formula.