Handling Bit-Propagating Operations in Bit-Vector Reasoning

HANDLING BIT-PROPAGATING OPERATIONS INBIT-VECTOR REASONINGAlexander Nadel, Intel, Israel

SMT’13 WorkshopHelsinki, Finland July 8th, 2013

Outline• We identify and define a class of Bit-Vector (BV)

operations, called Bit-Propagating (BP)

• We propose an algorithm for efficiently handling BP operations during online preprocessing in eager BV solving

• We demonstrate a performance boost when our algorithms are applied over SMT-LIB 2.0 instances

Bit-Vector (BV) Reasoning• Bit-vector reasoning is widely applied for HW and SW

formal validation and other domains.

• Over 48% out of more than 93,000 benchmarks in SMT-LIB are BV-based, that is either:• Plain bit-vector (QF_BV), or • Bit-vectors and arrays combined (QF_ABV)

• Some BV Solvers: Boolector, Mathsat, STP, CVC, Z3, Intel’s new solver Hazel, …

BV Operations in SMT-LIB 2.0 Core

=/bvcompdistinctite

Bit-wise

and**/bvandor**/bvorxor**/bvxor=>**bvnotbvnandbvnorbvxnorbvneg

Bit-prop.

concatextractbvshl*bvlshr*bvashr*repeatzero_extendsign_extendrotate_leftrotate_right

Arithmetic

bvaddbvmulbvudivbvurembvsubbvsdivbvsrembvsmodbvshl*bvlshr*bvashr*

Comparison

bvultbvulebvugtbvugebvsltbvslebvsgtbvsge

* Shift by a constant is bit-propagating; shift by a non-constant is arithmetic** We consider Bool’s to be bit-vectors of width 1

Eager BV Solving1. Apply word-level preprocessing (rewriting, constant

propagation, …)• Local/online: applied once a new operation is fed into the solver• Global: applied after the whole formula is fed into the solver

2. Optionally, bit-blast to bit-level AIG and apply AIG simplifications

3. Bit-blast to CNF and solve with a SAT solver

(define-fun v4 () ( BitVec 2) (bvadd v3 (_ bv0 2)))

Eager BV Solving Example

SMT Engine

(declare-fun v1 () ( BitVec 2))

v1

(declare-fun v2 () ( BitVec 2))

v2

v3: bvadd

(define-fun v3 () ( BitVec 2) (bvadd v1 v2))

v3,v4: bvadd

(assert (v4 (_ bv0 2))

0

(check-sat)

SAT Engine

SAT!

Online Preprocessing

Bit-Propagating (BP) Operations• We define an operation to be bit-propagating iff:

• Each output bit is either a bit of one of the inputs or a constant, and• The mapping can be computed at the time the operation is applied.

v = [v[3], v[2], v[1], v[0]]

u = bvshl(v,2) = [v[1], v[0],0,0] t = bvshl(v,s)

BP Operations in SMT-LIB 2.0 Bit-prop.


* Shift by a constant is bit-propagating; shift by a non-constant is arithmetic



v = [v[3], v[2], v[1], v[0]]

u = concat(v,y) = [v[3], v[2], v[1], v[0], y[1], y[0]]

y = [y[1], y[0]]



v = [v[3], v[2], v[1], v[0]]

u = extract(v,2,1) = [v[2], v[1]]




v = [v[3], v[2], v[1], v[0]]

u = bvshl(v,2) = [v[1], v[0],0,0]




v = [v[3], v[2], v[1], v[0]]

u = bvlshr(v,2) = [0,0,v[3], v[2]]




v = [v[3], v[2], v[1], v[0]]

u = bvashr(v,2) = [v[3],v[3],v[3], v[2]]



v = [v[3], v[2], v[1], v[0]]

u = repeat(v,2) = [v[3],v[2],v[1], v[0], v[3],v[2],v[1], v[0]]



v = [v[3], v[2], v[1], v[0]]

u = zero_extend(v,2) = [0,0,v[3],v[2],v[1], v[0]]



v = [v[3], v[2], v[1], v[0]]

u = sign_extend(v,2) = [v[3], v[3],v[3],v[2],v[1], v[0]]



v = [v[3], v[2], v[1], v[0]]

u = rotate_left(v,1) = [v[2],v[1],v[0],v[3]]



v = [v[3], v[2], v[1], v[0]]

u = rotate_right(v,1) = [v[0],v[3],v[2],v[1]]

Family Bench’s BP Ops in % uclid/tcas 2 61calypto 23 56sage/app11 611 50bruttomesso/core 672 49bench_ab 285 44sage/app10 51 42bruttomesso/lfsr 240 38brummayerbiere2 65 37uum 8 36check 5 35crafted 21 35sage/app6 245 34sage/app12 5784 29Pipe 1 25wienand-cav2008/Booth 6 25stp_samples 426 24sage/app2 1417 22check2 6 21sage/app7 8663 19brummayerbiere 52 17sage/app5 1103 16sage/app8 2756 16sage/app9 3301 16

Family Bench’sBP Ops in %galois 4 14spear/openldap_v2.3.35 8 14sage/app1 2676 14bruttomesso/simple_processor 64 13

uclid_contrib_smtcomp09 7 13spear/inn_v2.4.3 219 8spear/samba_v3.0.24 1386 8spear/wget_v1.10.2 42 8wienand-cav2008/Commute 6 8uclid 416 7wienand-cav2008/Distrib 6 7spear/xinetd_v2.3.14 2 6brummayerbiere3 79 5spear/zebra_v0.95a 9 5stp 1 5rubik 7 4spear/cvs_v1.11.22 29 3brummayerbiere4 10 2dwp_formulas 332 1asp 501 0gulwani-pldi08 6 0tacas07 5 0VS3 11 0

The Portion of BP Operations in SMT-LIB 2.0 Families in QF_BV Logic

Our Approach to Handling BP Ops• Handle BP Operations explicitly during online

preprocessing using Bit-Propagating Normal Form (BPNF)-based reasoning

• Each variable is associated with a BPNF: a sequence of segments, where each segment is either:• A constant, or• A bit-range over a non-propagating variable

• Goals:• Word-level hashing: one word-level variable per BPNF• CNF minimization: CNF variables are created only for non-BP ops

BPNF Usage Example

u1={u1[3:0]}, where |u1|=4

v1 = bvadd(u1, u2)={v1[3:0]}

u2={u2[3:0]}, where |u2|=4

v3 = extract(v2, 2, 1)={v1[1-0]}

v4 = repeat(v1, 2)={v1[3-0], v1

[3-0]}

v5 = extract(v4, 5, 4)={v1[1-0]}

Online Preprocessing

v2 = bvshl(v1,1)={v1[2-0],0}

v6 = extract(v4, 6, 5)={v1[2-1]}

v7 = concat(v6, v5)={v1[2-1],v1

[1-0]}

Not a BPNF, mergeable!

v7 = concat(v6, v5)={v1[2-0]}

v8 = extract(v2, 3, 1)={v1[2-0]}

v8 = v7 = concat(v6, v5)={v1[2-0]}

Merging was essential for proper hashing!

(assert (v8 (_ bv0 3))(check-sat)

The CNF:

v1[0]

v1[1]

v1[2] No CNF clauses/vars required!

v5 = v3=extract(v2, 2, 1)={v1[1-0]}

Bit-blasted addition

Segments s2 and s1 (in the specified order) are mergeable if

Both s2 and s1 are constants, orBoth s2 and s1 are bit-ranges, such that s2 = v[k:j+1] and s1 = v[j:i]

BPNF: a sequence of non-mergeable segments

The new neighbor pair of segments was merged!

Implementation Tips: Segment Threshold

• Maintaining too many segments might inflate the memory and lead to a performance degradation

• Solution: impose a user-given threshold T on a number of segments in BPNF

• A variable with too many segments in BPNF is considered non-BP. • New CNF variables are created to represent it in the SAT solver

Implementation Tips: Rewriting assert-based Definitions• Using assert to define new variables is incompatible with

BPNF reasoning

Rewriting assert-based Definitions: Problem Example

SMT Engine

(declare-fun u () ( BitVec 32))

u = {u[31-0]}

(declare-fun v () ( BitVec 64))

v = {v[63-0]}

(assert (= v (repeat u 2))

t = repeat(u,2)={u[31-0],u[31-0]}z = (v=t)={z[0-0]}0

v = repeat(u,2)={u[31-0],u[31-0]}

u = {u[31-0]}

Implementation Tips: Rewriting Assert-based Definitions• Using assert to define new variables is incomparable with

BPNF reasoning

• Solution: rewrite assert-based definitions into define-fun-based definitions (using look-ahead):

• Our example:

(declare-fun u () Type) (declare-fun v () Type) (assert (= (v (f u))))

(declare-fun u () Type) (define-fun v (f u))

(declare-fun u () ( BitVec 32)) (declare-fun v () ( BitVec 64)) (assert (= (v (repeat u 2))))

(declare-fun u () ( BitVec 32)) (define-fun v (repeat u 2))

Implementation Tips: Apply Constant Propagation

• Constant propagation is a commonly applied preprocessing technique

• Essential in our setting in order not to miss shifts by constants

• Example:(declare-fun u () ( BitVec 32)) (define-fun x () ( BitVec 32))(assert (= x (bvadd (_ bv3 32) (_ bv2 32))))(define-fun v (bvshl u x))

(declare-fun u () ( BitVec 32)) (define-fun v (bvshl u (_ bv5 32)))

Experimental Results• We implemented BPNF reasoning on top of a new Intel’s eager SMT solver

Hazel

• Main experiment: show the impact of BPNF reasoning on Hazel performance• We used 37 SMT-LIB families having at least 5% BP operations

• Families solved in less than 1 sec. and most of the (huge) sage sub-families were dismissed• We used different values for the segments threshold in BPNF• The base version creates a new CNF variable for every word-level variable

• Secondary experiment: demonstrate that Hazel can compete with state-of-the-art solvers over families where BPNF reasoning is the most helpful

• Environment: machines with Intel® Xeon® processors, 3Ghz CPU frequency, 32Gb of memory.

• Time-out: 600 sec.

FamilyRun-time Time Ratio Solved

Base Thr. 10 Thr. 100010 to Base

1000 to Base Base Thr. 10 Thr. 1000

spear/openldap_v2.3.35 1800 600 19 3.000 96.774 5 7 8pipe 600 155 600 3.872 1.000 0 1 0brummayerbiere 1649 709 711 2.326 2.321 40 41 41wienand-cav2008/Booth 43 26 26 1.643 1.626 2 2 2uum 18 12 12 1.535 1.534 2 2 2brutomesso/simple_processor 374 266 266 1.404 1.405 64 64 64uclid_contrib_smtcomp09 226 200 169 1.130 1.340 7 7 7uclid/catchconv 9 8 7 1.115 1.312 414 414 414brummayerbiere3 2921 2600 2885 1.123 1.012 42 42 42brutomesso/lfsr 8039 7435 7439 1.081 1.081 230 227 227spear/samba_v3.0.24 3516 3359 3433 1.047 1.024 1386 1386 1386spear/inn_v2.4.3 624 607 708 1.027 0.880 219 219 219stp 11 10 11 1.023 1.000 1 1 1spear/wget_v1.10.2 308 319 306 0.966 1.006 42 42 42brummayerbiere2 719 801 799 0.899 0.901 32 33 33calypto 213 254 253 0.838 0.843 11 11 11brutomesso/core 19355 24307 24307 0.796 0.796 933 925 925

FamilyRun-time Time Ratio Solved

Base Thr. 10 Thr. 100010 to Base

1000 to Base Base Thr. 10 Thr. 1000

spear/openldap_v2.3.35 1800 600 19 3.000 96.774 5 7 8pipe 600 155 600 3.872 1.000 0 1 0brummayerbiere 1649 709 711 2.326 2.321 40 41 41wienand-cav2008/Booth 43 26 26 1.643 1.626 2 2 2uum 18 12 12 1.535 1.534 2 2 2brutomesso/simple_processor 374 266 266 1.404 1.405 64 64 64uclid_contrib_smtcomp09 226 200 169 1.130 1.340 7 7 7uclid/catchconv 9 8 7 1.115 1.312 414 414 414brummayerbiere3 2921 2600 2885 1.123 1.012 42 42 42brutomesso/lfsr 8039 7435 7439 1.081 1.081 230 227 227spear/samba_v3.0.24 3516 3359 3433 1.047 1.024 1386 1386 1386spear/inn_v2.4.3 624 607 708 1.027 0.880 219 219 219stp 11 10 11 1.023 1.000 1 1 1spear/wget_v1.10.2 308 319 306 0.966 1.006 42 42 42brummayerbiere2 719 801 799 0.899 0.901 32 33 33calypto 213 254 253 0.838 0.843 11 11 11brutomesso/core 19355 24307 24307 0.796 0.796 933 925 925

8 families with at least 30% speed-up

FamilyBase Segment Thr. 10 Segment Thr. 1000

SMT Ops

CNF Clss

CNF Vars

Opt Ratio

Clss Ratio

Vars Ratio Opt Ratio

Clss Ratio

Vars Ratio

spear/openldap_v2.3.35 12469 3.86M 0.93M 1.0236 1.0986 1.2593 1.0236 1.1012 1.2661

pipe 1048 0.19M 92478 1.0029 2.7350 2.9764 1.0640 3.2986 3.6959

brummayerbiere 35351 14.5M 6.86M 1.0012 1.2373 1.2994 1.0012 1.2381 1.3004

wienand-cav2008/Booth 542 13471 3393 1.0000 1.5158 1.3218 1.0000 1.5199 1.3280

uum 1076 12605 5932 1.0000 1.3812 1.3873 1.0000 1.3812 1.3873

brutomesso/simple_processor 41736 1.66M 0.58M 1.0000 1.3726 1.6326 1.0000 1.3726 1.6326

uclid_contrib_smtcomp09 46156 1.84M 0.61M 1.0057 1.0584 1.0906 1.0068 1.0720 1.1125

uclid/catchconv 5.03M 63.5M 34.8M 1.0002 1.0711 1.0619 1.0002 1.0748 1.0631

brummayerbiere3 24289 2.46M 0.83M 1.0000 1.0144 1.0137 1.0000 1.0169 1.0175

brutomesso/lfsr 0.8M 71.9M 28.7M 1.0000 1.2367 1.3153 1.0038 1.2399 1.3188

spear/samba_v3.0.24 9.4M 993M 338M 1.0000 1.0322 1.0480 1.0000 1.0380 1.0568

spear/inn_v2.4.3 0.11M 216M 46.4M 1.0048 1.0024 1.0055 1.0067 1.0040 1.0071

stp 0.32M 5.2M 3.39M 1.0000 1.0025 1.0021 1.0000 1.0025 1.0021

spear/wget_v1.10.2 15364 85.8M 19.6M 1.0000 1.0006 1.0013 1.0017 1.0053 1.0019

brummayerbiere2 62564 71.9M 12.8M 1.0000 1.3639 1.0038 1.0000 1.3639 1.0038

calypto 11786 0.74M 0.29M 1.0448 1.3839 1.4321 1.0448 1.3963 1.4375

brutomesso/core 6.49M 106M 40.9M 1.0111 1.3442 1.4920 1.0370 1.3788 1.5262

- Significant reduction in CNF size- Marginal reduction in the ops num. => hints that word-level hashing

may not be critical- Correlation between the CNF size and performance is not absolute

FamilyRun-time in seconds Solved Instances

Boolector Mathsat STP Hazel10 Hazel1000 Boolector Mathsat STP Hazel10 Hazel1000

spear/openldap_v2.3.35 1924 1200 1204 600 19 5 6 6 7 8

pipe 325 600 600 155 600 1 0 0 1 0

brummayerbiere 907 4994 736 709 711 41 36 40 41 41wienand-cav2008/Booth 21 19 45 26 26 2 2 2 2 2

uum 16 29 15 12 12 2 2 2 2 2

brutomesso/simple_processor 1908 22488 5156 266 266 64 29 59 64 64

uclid_contrib_smtcomp09 783 268 770 200 169 7 7 7 7 7

uclid/catchconv 9015 201 19 8 7 414 414 414 414 414

Related Work• Normal forms for concat/extract are well-known (see ref’s in the paper)

• Our work identifies and defines the class of BP operations; our approach is integrated into a modern eager SMT solver

• A DPLL(T) theory solver for extract, concat and equality applied within lazy SMT solving was proposed in ICCAD’09, Brottomesso&Sharygina• Our algorithms are integrated into an eager SMT solver; we define and handle 10

BP ops, but not equalities.

• Bit-level sharing of CNF variables for concat/extract is known in the community and applied by various solvers, but AFAIK not published• Any bit-level solution lacks the word-level hashing ability

• Essential algorithms used in BV preprocessing are often unpublished

Conclusion• We identified and defined a class of Bit-Vector (BV)

operations, called Bit-Propagating (BP)

• We proposed an algorithm for handling BP operations efficiently during online preprocessing in eager BV solving

• We demonstrated a performance boost across various SMT-LIB families

Bit-Propagating Normal Form (BPNF)• A variable is bit-propagating iff it was created by a bit-

propagating operation, otherwise it’s non-bit-propagating• A segment is either

• A constant, e.g., 0100100, or • A bit-range, that is a sequence of consecutive bits of a non-bit-

propagating variable, e.g., v[3:1]=[v[3], v[2], v[1]]

• Segments s2 and s1 (in the specified order) are mergeable if• Both s2 and s1 are constants, or• Both s2 and s1 are bit-ranges, such that s2 = v[k:j+1] and s1 = v[j:i]

• BPNF(v) is a sequence of segments, where each pair of neighbor segments is non-mergeable

Calculating a BPNF for BP Operations

Bit-prop.


u=concat(v,y)={vs(v),…,v1,M(v0,ys(y)), ys(y)-1…,y1, y0}

y = {ys(y),…,y1, y0}v = {vs(v),…,v1, v0}

Merge operation

M(s,t) = s,t for non-mergeable s,t

M(c1, c2) = concat(c1, c2) if c1,c2 are constants e.g., M(10,01) = 1001

M(v[k:j+1], v[j:i]) = v[k,i]


Bit-prop.


v = {vs(v),…,v1, v0}

u=extract(v,j,i)={vsn(j)[sb(j):0]

,vsn(j)-1,…,vsn(i)+1,vsn(i)[end:sb(i)]}

The segment number of bit i

The number of bit i in its segment

The last defined bit in vsn(i)


Bit-prop.


The remaining operations can be reduced to concat/extract (see the paper for details)


Documents

Handling Bit-Propagating Operations in Bit-Vector Reasoning