1/23 Bit Vector Changki Hong @ PSWLAB
Bit Vector
Daniel Kroening and Ofer Strichman
Decision Procedure
Decision procedures
Decision procedures which we have learnt so far:
- SAT solver
- BDDs
- Decision procedure for equality logic
- ...
However, what kind of logic do we need to express bit-wise operations and bit-wise arithmetic? The logics we have covered cannot express those kinds of operations. We need bit-vector logic.
We need bit-vector logic
- Bit-wise operators: bit-wise AND, shift, ...
- Bit-wise arithmetic: bit addition, bit multiplication, ...
- Since a bit vector has a finite domain, we need to consider the overflow problem, which cannot happen in unbounded types such as the integer domain.
- We want to verify large formulas: program analysis tools that generate bit-vector formulas include CBMC, SATABS, F-Soft, ...
Contents
- Introduction to bit-vector logic
  - Syntax
  - Semantics
- Decision procedures for bit-vector logic
  - Flattening bit-vector logic
  - Incremental flattening
- Conclusion
Bit-vector logic syntax
Semantics
The following formula obviously holds over the integer domain:
$$(x - y > 0) \iff (x > y)$$
However, this equivalence no longer holds over bit vectors, because the subtraction operation may generate an overflow.
Example (3-bit two's complement): let $x = 3$ (011) and $y = -2$ (the two's complement of 010). Over the integers $3 - (-2) = 5$, but 5 does not fit in 3 bits: the result pattern is 101, which encodes $-3$, so $x - y > 0$ is false although $x > y$ holds.
Width and encoding
The meaning of a bit-vector formula obviously depends on
1. the width of the expression in bits,
2. the encoding, i.e. whether it is signed or unsigned.
Typical encodings (with $a_i$ the $i$-th bit of $x$ and $l$ its width):
- Binary encoding (unsigned): $\langle x \rangle_U := \sum_{i=0}^{l-1} a_i \cdot 2^i$
- Two's complement (signed): $\langle x \rangle_S := -a_{l-1} \cdot 2^{l-1} + \sum_{i=0}^{l-2} a_i \cdot 2^i$
Examples
The width of the expression in bits: $x \neq y \wedge x \neq z \wedge y \neq z$ is unsatisfiable for one-bit wide bit vectors, but satisfiable for larger widths.
The encoding: the same bit pattern means a different number under each encoding scheme, e.g. for 11001000:
$$\langle 11001000 \rangle_U = 128 + 64 + 8 = 200$$
$$\langle 11001000 \rangle_S = -128 + 64 + 8 = -56$$
Notation to clarify width and encoding: $x_{[32]S}$, where the subscript gives the width in bits, U denotes unsigned binary encoding and S denotes signed two's complement.
Definition of bit vector
Definition. A bit vector $b$ is a vector of bits with a given length $l$ (or dimension):
$$b : \{0, \ldots, l-1\} \to \{0, 1\}$$
The $i$-th bit of the bit vector is denoted by $b_i$. Written from the most significant bit down, the $l$ bits are $b_{l-1}\, b_{l-2} \ldots b_2\, b_1\, b_0$.
λ-notation for bit vectors
A lambda expression for a bit vector with $l$ bits has the form
$$\lambda i \in \{0, \ldots, l-1\}.\ f(i)$$
where $f(i)$ is an expression that denotes the value of the $i$-th bit.
Example:
$$\lambda i \in \{0, \ldots, 7\}.\ \begin{cases} 0 & i \text{ is even} \\ 1 & \text{otherwise} \end{cases}$$
The expression above denotes the bit vector 10101010.
Examples (cont.)
The vector of length $l$ that consists of zeros: $\lambda i \in \{0, \ldots, l-1\}.\ 0$
A function that inverts a bit vector: $bv\text{-}invert(x) := \lambda i \in \{0, \ldots, l-1\}.\ \neg x_i$
A bit-wise OR: $bv\text{-}or(x, y) := \lambda i \in \{0, \ldots, l-1\}.\ (x_i \vee y_i)$
Semantics for arithmetic operators (1/3)
What is the answer of the C program below?
On 8-bit architectures, this is 44, which is not 300. Therefore, bit-vector arithmetic uses modular arithmetic.
Semantics for arithmetic operators (2/3)
Semantics for addition and subtraction:
Semantics for relational operators:
Semantics for arithmetic operators (3/3)
Semantics for shift:
- logical left shift
- logical right shift
- arithmetic right shift: the sign bit of $a$ is replicated
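As an added example (not from the slides or the book), the two encodings, the modular addition and the three shifts defined above in Python; the names enc_u, enc_s, to_bits, bv_add, counterexamples and shift are my own, and counterexamples enumerates every pair (x, y) for which the integer equivalence (x - y > 0) <=> (x > y) from the Semantics slide breaks at a given width.

```python
# Added example: bit-vector semantics from the slides (encodings, modular
# arithmetic, shifts); all function names are this example's own choice.
MASK = lambda l: (1 << l) - 1          # the l low bits

def enc_u(bits):
    """<x>_U := sum_{i=0}^{l-1} a_i 2^i, with bits[i] = a_i (LSB first)."""
    return sum(a << i for i, a in enumerate(bits))

def enc_s(bits):
    """<x>_S := -a_{l-1} 2^{l-1} + sum_{i=0}^{l-2} a_i 2^i (two's complement)."""
    return -(bits[-1] << (len(bits) - 1)) + enc_u(bits[:-1])

def to_bits(value, l):
    """The l-bit pattern of value mod 2^l, LSB first. Python's >> on negative ints
    already behaves like an infinitely sign-extended two's complement number."""
    return [(value >> i) & 1 for i in range(l)]

def bv_add(l, signed, x, y):
    """Modular semantics: <x> + <y> = <c> (mod 2^l), decoded in the chosen encoding."""
    return (enc_s if signed else enc_u)(to_bits(x + y, l))

def counterexamples(l, signed):
    """All (x, y) over l bits where (x - y > 0) and (x > y) disagree, i.e. where
    the integer equivalence breaks because the subtraction overflows."""
    dec = enc_s if signed else enc_u
    vals = [dec(to_bits(v, l)) for v in range(1 << l)]
    return [(x, y) for x in vals for y in vals
            if (dec(to_bits(x - y, l)) > 0) != (x > y)]

def shift(l, a, b, kind):
    """Shift the unsigned l-bit pattern a by b positions: "shl" (logical left),
    "lshr" (logical right) or "ashr" (arithmetic right: bit a_{l-1} is replicated)."""
    b = min(b, l)
    if kind == "shl":
        return (a << b) & MASK(l)
    if kind == "lshr":
        return a >> b
    sign = (a >> (l - 1)) & 1
    return (a >> b) | (MASK(b) << (l - b) if sign else 0)
```

For the 8-bit pattern 11001000 the two decoders return 200 and -56, bv_add(8, False, 200, 100) returns 44, and (3, -2) appears in counterexamples(3, True).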
Decision procedure for bit vectors: bit-vector flattening
Most commonly used decision procedure: transform bit-vector logic into propositional logic, which is then passed to a SAT solver.
Algorithm
Input: a formula in bit-vector arithmetic
Output: an equisatisfiable Boolean formula
1. Convert each term into a new variable
2. Set each bit of each term to a new Boolean variable
3. Add a constraint for each atom
4. Add a constraint for each term
Example
Bit-vector formula: $a_{[l]} \mid b = c$ (bit-wise OR), with the terms $t_1 := a \mid b$ and $t_2 := c$.
1. Convert each term into a new variable: the atom becomes $u(t_1) = u(t_2)$.
2. Set each bit of each term to a new Boolean variable:
$$u(t_1) = (u(t_1)_0, u(t_1)_1, \ldots, u(t_1)_{l-1}), \qquad u(t_2) = (u(t_2)_0, u(t_2)_1, \ldots, u(t_2)_{l-1})$$
3. Add a constraint for each atom:
$$\bigwedge_{i=0}^{l-1} \big(u(t_1)_i \iff u(t_2)_i\big)$$
4. Add a constraint for each term:
$$\bigwedge_{i=0}^{l-1} \big(u(t_1)_i \iff (a_i \vee b_i)\big)$$
Example (l-bit adder)
A 1-bit adder can be defined as follows:
$$sum(a, b, cin) := (a \oplus b) \oplus cin$$
$$carry(a, b, cin) := (a \wedge b) \vee ((a \oplus b) \wedge cin)$$
The carry bit $c_i$ can be defined as follows:
$$c_i := \begin{cases} cin & i = 0 \\ carry(a_{i-1}, b_{i-1}, c_{i-1}) & \text{otherwise} \end{cases}$$
Example (l-bit adder), continued
An l-bit adder can be defined as follows:
$$add(a, b, cin) := \langle result, cout \rangle, \qquad result_i := sum(a_i, b_i, c_i) \text{ for } i \in \{0, \ldots, l-1\}, \qquad cout := c_l$$
The constraints generated by the algorithm for the term $t := x + y$ are the following:
$$\bigwedge_{i=0}^{l-1} \big(u(t)_i \iff add(x, y, 0).result_i\big)$$
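The flattening steps applied to t := x + y, as an added example that is not part of the slides or the book: Cnf, flatten_add, solve and add_via_sat are my own names, each gate is encoded with the usual Tseitin clauses, and a tiny DPLL routine stands in for the SAT solver that the algorithm hands its output to.

```python
from itertools import count

class Cnf:  # fresh Boolean variables (ints >= 1) plus Tseitin clauses for gates
    def __init__(self):
        self.ids, self.clauses = count(1), []

    def gate(self, kind, a, b):        # returns a fresh o with o <-> (a kind b)
        o = next(self.ids)
        self.clauses += {"xor": [[-a, -b, -o], [a, b, -o], [a, -b, o], [-a, b, o]],
                         "and": [[-o, a], [-o, b], [-a, -b, o]],
                         "or": [[-a, o], [-b, o], [-o, a, b]]}[kind]
        return o

def flatten_add(cnf, x, y, cin):
    """Step 4 for t := x + y: result_i <-> sum(x_i, y_i, c_i), c_{i+1} <-> carry(x_i, y_i, c_i)."""
    result, c = [], cin
    for xi, yi in zip(x, y):
        axb = cnf.gate("xor", xi, yi)
        result.append(cnf.gate("xor", axb, c))                   # sum: (a xor b) xor cin
        c = cnf.gate("or", cnf.gate("and", xi, yi), cnf.gate("and", axb, c))  # carry
    return result, c                                              # (result, cout)

def solve(clauses, assign=frozenset()):
    """Tiny DPLL: the set of true literals of a model, or None if UNSAT."""
    assign, units = set(assign), True
    while units:                                                  # unit propagation
        units = False
        for cl in clauses:
            if any(l in assign for l in cl):
                continue                                          # clause satisfied
            free = [l for l in cl if -l not in assign]
            if not free:
                return None                                       # conflict
            if len(free) == 1:
                assign.add(free[0])
                units = True
    v = min({abs(l) for cl in clauses for l in cl} - {abs(l) for l in assign}, default=0)
    return assign if not v else solve(clauses, assign | {v}) or solve(clauses, assign | {-v})

def add_via_sat(l, xv, yv):
    """Flatten x + y over l bits (step 2: one variable per bit), fix x and y by
    unit clauses and decode the result bits of the model as an unsigned number."""
    cnf = Cnf()
    x, y, c0 = [next(cnf.ids) for _ in range(l)], [next(cnf.ids) for _ in range(l)], next(cnf.ids)
    res, _ = flatten_add(cnf, x, y, c0)                           # cout is dropped: modular
    cnf.clauses.append([-c0])                                     # cin = 0
    for i, v in enumerate(x + y):
        bit = ((xv if i < l else yv) >> (i % l)) & 1
        cnf.clauses.append([v if bit else -v])
    model = solve(cnf.clauses)
    return sum((r in model) << i for i, r in enumerate(res))
```

add_via_sat(8, 200, 100) returns 44, the wrapped result from the modular arithmetic slide, because the carry out of bit 7 is not part of the result vector.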
Incremental bit flattening (1/4)
Some arithmetic operations result in very hard formulas, e.g. multiplication.
The multiplier is defined recursively for $s \in \{0, \ldots, n-1\}$, where $n$ denotes the width of the second operand:
$$mul(a, b, -1) := 0$$
$$mul(a, b, s) := mul(a, b, s-1) + (b_s\ ?\ (a \ll s) : 0)$$
Therefore, we want to check the satisfiability of a given formula without checking the satisfiability of sub-formulas that contain complicated arithmetic operations such as multiplication.
Incremental bit flattening (2/4)
Example:
$$a \cdot b = c \wedge b \cdot a \neq c \wedge x < y \wedge x > y$$
This formula is obviously unsatisfiable, since the first two conjuncts are inconsistent and the last two conjuncts are also inconsistent. The SAT solver tends to make its decisions on the first two conjuncts first, because $a$ and $b$ are used more frequently than $x$ and $y$. However, this is a poor choice, because the last two conjuncts are much easier to check: the bit-level encoding of a relational operator is far less complicated than that of a multiplication.
Incremental bit flattening (3/4)
Notation: $f_b$ is the Boolean part of the formula, $F$ is the set of terms that have been encoded to CNF, and $I$ is the set of terms that are inconsistent with the current satisfying assignment.
1. $f_b :=$ Boolean part of the formula, $F := \{\}$.
2. Is $f_b$ satisfiable? If not, return UNSAT.
3. Compute $I$ from the satisfying assignment. If $I = \{\}$, return SAT.
4. Pick the 'easy' part $F' \subseteq (I \setminus F)$, convert it to CNF and add it: $f_b := f_b \wedge Constraint(F')$, $F := F \cup F'$. Go to step 2.
Incremental bit flattening (4/4)
Idea: add the 'easy' parts of the formula first, and only add the hard parts when needed. $f_b$ only gets stronger, which is why the procedure is incremental.
Conclusion
We can compute bit-wise operations and arithmetic using bit-vector logic.
There are decision procedures that check the satisfiability of a given bit-vector logic formula.