bit vector

1/23 Bit Vector Changki Hong @ PSWLAB

Bit Vector Daniel Kroening and Ofer Strichman

Decision Procedure


Decision procedures Decision procedures which we learnt..

SAT Solver BDDs Decision procedure for equality logic …

However, what kind of logic do we need to express bit-wise operations and bit-wise arithmetic? Logics which we covered can not express those

kind of operations. We need bit-vector logic.


We need bit-vector logic We need bit-vector logic

Bit-wise operators : bit-wise AND, shift … Bit-wise arithmetic : bit addition, bit multiplication

… Since bit-vector has finite domain, so we need to con-

sider overflow problem which can not be happened in unbounded type operations, such as integer domain.

We want to verify large formulas Program analysis tools that generate bit-vector formu-

las: CBMC SATABS F-Soft …


Contents Introduction to bit-vector logic Syntax Semantics Decision procedures for bit-vector logic

Flattening bit-vector logic Incremental flattening

Conclusion


Bit-vector logic syntax Bit-vector logic syntax


Semantics Following formula obviously holds over the in-

teger domain:

However, this equivalence no longer holds over the bit-vectors. Subtraction operation may generate an overflow. Example

)( )0( yxyx

101010011

235)2(3


Width and Encoding The meaning of a bit-vector formula obviously

depends on 1. the width of the expression in bits2. the encoding - whether it is signed or unsigned

Typical encodings: Binary encoding - unsigned

Two’s complement - signed

1

0

2 : l

i

iiax

2

01

1 22: ][l

i

iin-

n- aa -x


Examples The width of the expression in bits

unsatisfiable for one bit wide bit vectors, but satisfiable for larger widths.

The encoding means different with respect to each encod-

ing schemes.

Notation to clarify width and encoding

zyzxyx

11001000

200 11001000 56864128 ]11001000[

Sx ]32[

width in bits

U: unsigned binary encodingS : signed two’s complement


Definition of bit-vector Definition. A bit vector b is a vector of bits with a

given length l (or dimension) :

The i-th bit of the bit vector is denoted by

}1,0{ }1, ... ,0{: lb

ibb

…1lb 2lb 2b 1b 0b

bitsl


λ - Notation for bit-vectors A lambda expression for a bit vector with bits

has the form

is an expression that denotes the value of the i-th bit.

Example

The expression above denotes the bit vector 10101010.

l

)(}.1, ... ,0{ ifli

)(if

}.7, ... ,0{i otherwise:1even is :0 i


Examples (cond.) The vector of length l that consists of zeros:

A function that inverts a bit vector:

A bit-wise OR:

0}.1, ... ,0{ li

ixlixinvertbv }.1, ... ,0{ : )(

)}.(1, ... ,0{ : ),( ii yxliyxorbv


Semantics for arithmetic operators (1/3) What is the answer for the below C program ?

On 8 bits architectures, this is 44 which is not 300.

Therefore, Bit vector arithmetic uses modular arith-metic.


Semantics for arithmetic operators (2/3) Semantics for addition and subtraction:

Semantics for relational operators:


Semantics for arithmetic operators (3/3) Semantics for shift :

logical left shift

logical right shift

arithmetic right shift - the sign bit of a is replicated


Decision procedure for bit-vector Bit-vector flattening

Most commonly used decision procedure Transform bit-vector logic to propositional logic, which

is then passed to SAT solver.

AlgorithmInput : A formula in bit-vector arithmeticOutput : An equisatisfiable Boolean formula

1. Convert each term into new Boolean variable 2. Set each bit of each term to a new Boolean variable3. Add constraint for each atom 4. Add constraint for each term


Example Bit-vector formula

1. Convert each term into new Boolean variable

2. Set each bit of each term to a new Boolean variable

3. Add constraint for each atom

4. Add constraint for each term

bac l ][|

)()( | 21][ tutubac l

)(...)()( )( )(...)()( )(

1212022

1111011

l

l

tutututututututu

))()(( 21

0 iiil

i batu

))()(( 211

0 iil

i tutu


Example (l-bit Adder) 1-bit adder can be defined as follows:

Carry bit can be defined as follows:

))(()(),,()(),,(

cinbabacinbacarrycinbacinbasum

icotherwisecbacarryicin

iii : ),,(0:

111


l-bit Adder can be defined as follows:

The constraints generated by algorithm for the formula is following:

Example (l-bit Adder)

n

iiii

ccoutliforcbasumresult

coutresultcinbaadd

}1, ... ,0{ ),,(

, ),,(

yxt

))().0,,(( 11

0 iil

ituresultyxadd


Incremental bit flattening (1/4) Some arithmetic operation result in very hard

formulas Multiplication

Multiplier is defined recursively for , where denotes the width of the second operand:

Therefore, we want to check satisfiability of a given formula without checking satisfiability of sub-formulas which have complicated arithmetic operations such as multiplication.

}1, ... ,1{ ns n

)0:)?(()1,,(),,(0)1,,(

sabsbamulsbamulbamul

s


Incremental bit flattening (2/4) Example

This formula is obviously unsatisfiable Since first two conjuncts are inconsistent and last two

conjuncts are also inconsistent. SAT solver wants to make a decision of first two con-

juncts because a and b are used frequently than x and y. However, this decision isn’t good because last two con-

juncts are rather easy to check satisfiability since rela-tion bit-vector operation is less complicate than multi-plication bit-vector operation.

yxyxbacabcba


Incremental bit flattening (3/4)

{}:,: Fbf

)( Constraint: Fbf ':

Pick FFF

(I\F)F'

{}I

{}I

SAT? Is f

UNSAT SAT

YES I Compute

: Boolean part of : set of terms that encoded to CNF formula : set of terms that are inconsistent with the current satisfy-ing assignment

b FI

Pick ‘easy’ part

convert to CNF


Incremental bit flattening (4/4) Idea : add ‘easy’ parts of the formula first Only add hard parts when needed only gets stronger - that’s why it is incre-

mentalf


Conclusion We can compute bit-wise operations and

arithmetics using bit-vector logic.

There are decision procedures which check satisfiability of given bit-vector logic formula.

bit vector

Documents