Bit Vector
Daniel Kroening and Ofer Strichman, Decision Procedures
Changki Hong @ PSWLAB
Decision procedures

Decision procedures we have learnt so far:
- SAT solvers
- BDDs
- Decision procedure for equality logic
- …

However, what kind of logic do we need to express bit-wise operations and bit-wise arithmetic?
The logics covered so far cannot express those kinds of operations.
We need bit-vector logic.
We need bit-vector logic

- Bit-wise operators: bit-wise AND, shift, …
- Bit-wise arithmetic: addition, multiplication, … of bit vectors

Since a bit vector has a finite domain, we need to consider overflow, a problem that cannot happen with unbounded types such as the integers.

We want to verify large formulas.
Program analysis tools that generate bit-vector formulas:
- CBMC
- SATABS
- F-Soft
- …
Contents

- Introduction to bit-vector logic
  - Syntax
  - Semantics
- Decision procedures for bit-vector logic
  - Flattening bit-vector logic
  - Incremental flattening
- Conclusion
Bit-vector logic syntax

Semantics

The following formula obviously holds over the integer domain:
    $(x - y > 0) \Leftrightarrow (x > y)$

However, this equivalence no longer holds over bit vectors: the subtraction may overflow.

Example, with 3-bit vectors: $3 - (-2) = 5 = 3 + 2$, computed on the bits as
    011
  + 010
  = 101
but 101 read as a signed 3-bit vector is -3, so the left-hand side of the equivalence is false while the right-hand side is true.
Width and encoding

The meaning of a bit-vector formula obviously depends on
1. the width of the expression in bits
2. the encoding, i.e. whether it is signed or unsigned

Typical encodings:

Binary encoding (unsigned):
    $\langle x \rangle := \sum_{i=0}^{l-1} a_i \cdot 2^i$

Two's complement (signed):
    $[x] := -2^{l-1} \cdot a_{l-1} + \sum_{i=0}^{l-2} a_i \cdot 2^i$
Examples

The width of the expression in bits:
    $x \neq y \wedge x \neq z \wedge y \neq z$
is unsatisfiable for one-bit-wide bit vectors, but satisfiable for larger widths.

The encoding: 11001000 means something different under each encoding scheme.
    $\langle 11001000 \rangle = 200$
    $[11001000] = -128 + 64 + 8 = -56$

Notation to clarify width and encoding: $x_{[32]S}$, where the subscript gives the width in bits and the encoding:
    U: unsigned binary encoding
    S: signed two's complement
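As an added Python example (not part of the slides): the two encodings of the previous slide, the values ⟨11001000⟩ and [11001000], the one-bit unsatisfiability example above, and the overflow counterexample of the Semantics slide; bit vectors are stored LSB first so that bits[i] is a_i, and the function names are my own.

```python
# Added example (not from the slides). Bit vectors are Python lists of
# 0/1 values stored LSB first, so bits[i] is the bit a_i of the slides.

def unsigned_value(bits):
    """Binary encoding: <x> := sum_{i=0}^{l-1} a_i * 2^i."""
    return sum(b << i for i, b in enumerate(bits))

def signed_value(bits):
    """Two's complement: [x] := -2^{l-1} * a_{l-1} + sum_{i=0}^{l-2} a_i * 2^i."""
    l = len(bits)
    return -(bits[l - 1] << (l - 1)) + unsigned_value(bits[: l - 1])

def from_string(s):
    """Parse the MSB-first notation used on the slides, e.g. '11001000'."""
    return [int(ch) for ch in reversed(s)]

def encode(n, l):
    """The l-bit pattern of an integer n, i.e. n modulo 2^l (n may be negative)."""
    return [(n >> i) & 1 for i in range(l)]

def overflow_counterexample(x, y, l):
    """Evaluate (x - y > 0) and (x > y) at width l with two's complement semantics.
    Over the integers both sides agree; over l-bit vectors the subtraction may
    wrap around, so the truth values can differ (x = 3, y = -2, l = 3)."""
    bv_difference = signed_value(encode(x - y, l))
    return bv_difference > 0, x > y

def three_distinct_satisfiable(l):
    """Is  x != y  and  x != z  and  y != z  satisfiable at width l? (brute force)"""
    vals = range(1 << l)
    return any(x != y and x != z and y != z
               for x in vals for y in vals for z in vals)
```

overflow_counterexample(3, -2, 3) returns (False, True): 3 − (−2) wraps to the 3-bit pattern 101, which is −3 under the signed encoding, while at width 8 both sides are true.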
Definition of bit vector

Definition. A bit vector b is a vector of bits with a given length l (or dimension):
    $b : \{0, \ldots, l-1\} \to \{0, 1\}$

The i-th bit of the bit vector b is denoted by $b_i$; the vector is drawn as
    $b_{l-1}\ b_{l-2}\ \ldots\ b_2\ b_1\ b_0$   (l bits)
λ-notation for bit vectors

A lambda expression for a bit vector with l bits has the form
    $\lambda i \in \{0, \ldots, l-1\}.\ f(i)$
where $f(i)$ is an expression that denotes the value of the i-th bit.

Example:
    $\lambda i \in \{0, \ldots, 7\}.\ \begin{cases} 0 & : i \text{ is even} \\ 1 & : \text{otherwise} \end{cases}$
The expression above denotes the bit vector 10101010.
Examples (cont.)

The vector of length l that consists of zeros:
    $\lambda i \in \{0, \ldots, l-1\}.\ 0$

A function that inverts a bit vector:
    $\text{bv-invert}(x) := \lambda i \in \{0, \ldots, l-1\}.\ \neg x_i$

A bit-wise OR:
    $\text{bv-or}(x, y) := \lambda i \in \{0, \ldots, l-1\}.\ (x_i \vee y_i)$
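The λ-notation of these two slides as an added Python example (not from the slides): bv builds λi ∈ {0, …, l−1}. f(i) from a Python function, and the zero vector, bv-invert, bv-or and the 10101010 example are written on top of it; the function names and the LSB-first list layout are my own choices.

```python
# Added example (not from the slides): λ-notation as a small Python constructor.
# Bit vectors are lists stored LSB first, so x[i] is the bit x_i.

def bv(l, f):
    """λ i ∈ {0, ..., l-1}. f(i): build the vector whose i-th bit is f(i)."""
    return [f(i) for i in range(l)]

def to_string(x):
    """Write a bit vector MSB first, the way the slides print it."""
    return "".join(str(b) for b in reversed(x))

def bv_zeros(l):
    """λ i ∈ {0, ..., l-1}. 0"""
    return bv(l, lambda i: 0)

def bv_invert(x):
    """bv-invert(x) := λ i. ¬x_i"""
    return bv(len(x), lambda i: 1 - x[i])

def bv_or(x, y):
    """bv-or(x, y) := λ i. (x_i ∨ y_i); both operands must have the same length."""
    assert len(x) == len(y)
    return bv(len(x), lambda i: x[i] | y[i])

def alternating():
    """λ i ∈ {0, ..., 7}. (0 if i is even, 1 otherwise), the example of the previous slide."""
    return bv(8, lambda i: 0 if i % 2 == 0 else 1)
```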
Semantics for arithmetic operators (1/3)

What is the result of the C program below?

On an 8-bit architecture, the result is 44, not 300.

Therefore, bit-vector arithmetic uses modular arithmetic.
Semantics for arithmetic operators (2/3)

Semantics for addition and subtraction:

Semantics for relational operators:
Semantics for arithmetic operators (3/3)

Semantics for shift:
- logical left shift
- logical right shift
- arithmetic right shift: the sign bit of a is replicated
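The semantics of the three preceding slides as an added Python example (not from the slides): addition and subtraction modulo 2^l, relational operators whose result depends on the encoding, and the three shifts; the l-bit pattern is held in a Python int, the function names are my own, and the modular semantics is the one the slides state.

```python
# Added example (not from the slides): the semantics of the arithmetic,
# relational and shift operators on l-bit vectors, using modular arithmetic.
# A bit vector is represented by the Python int holding its l-bit pattern.

def to_unsigned(v, l):
    """Reduce any integer to its l-bit pattern (v modulo 2^l)."""
    return v & ((1 << l) - 1)

def to_signed(v, l):
    """Read an l-bit pattern under the two's complement encoding [.]."""
    v = to_unsigned(v, l)
    return v - (1 << l) if v >> (l - 1) else v

def bv_add(a, b, l):
    """Addition modulo 2^l: on 8 bits, e.g. 100 + 200 = 300 becomes 44."""
    return to_unsigned(a + b, l)

def bv_sub(a, b, l):
    """Subtraction modulo 2^l; the bit pattern is the same for both encodings."""
    return to_unsigned(a - b, l)

def bv_lt(a, b, l, signed):
    """Relational operators depend on the encoding of the operands."""
    if signed:
        return to_signed(a, l) < to_signed(b, l)
    return to_unsigned(a, l) < to_unsigned(b, l)

def shl(a, k, l):
    """Logical left shift: bits shifted beyond position l-1 are lost."""
    return to_unsigned(a << k, l)

def lshr(a, k, l):
    """Logical right shift: zeros enter at the top."""
    return to_unsigned(a, l) >> k

def ashr(a, k, l):
    """Arithmetic right shift: the sign bit of a is replicated at the top
    (Python's >> on a negative int already floors, i.e. keeps the sign)."""
    return to_unsigned(to_signed(a, l) >> k, l)
```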
Decision procedure for bit vectors

Bit-vector flattening
- The most commonly used decision procedure
- Transforms bit-vector logic into propositional logic, which is then passed to a SAT solver

Algorithm
Input: a formula in bit-vector arithmetic
Output: an equisatisfiable Boolean formula
1. Convert each term into a new Boolean variable
2. Set each bit of each term to a new Boolean variable
3. Add a constraint for each atom
4. Add a constraint for each term
Example

Bit-vector formula: $c = a \mid_{[l]} b$

1. Convert each term into a new Boolean variable (the terms $c$ and $a \mid_{[l]} b$ become $t_1$ and $t_2$):
    $c = a \mid_{[l]} b \quad\leadsto\quad u(t_1) = u(t_2)$
2. Set each bit of each term to a new Boolean variable:
    $u(t_1) = u(t_1)_0\, u(t_1)_1 \ldots u(t_1)_{l-1}$
    $u(t_2) = u(t_2)_0\, u(t_2)_1 \ldots u(t_2)_{l-1}$
3. Add a constraint for each atom:
    $\bigwedge_{i=0}^{l-1} \big(u(t_1)_i \Leftrightarrow u(t_2)_i\big)$
4. Add a constraint for each term:
    $\bigwedge_{i=0}^{l-1} \big(u(t_2)_i \Leftrightarrow (a_i \vee b_i)\big)$
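Steps 2 to 4 above as an added Python example (not from the slides): the flattening of c = a |[l] b into per-bit constraints over fresh Boolean variables, plus a brute-force check that the propositional constraints are equisatisfiable with the bit-vector atom; the names and the dict-based assignment are my own.

```python
# Added example (not from the slides): bit flattening of the atom
# c = a |[l] b into per-bit Boolean constraints (steps 2-4 of the algorithm),
# plus a brute-force check that the result is equisatisfiable with the atom.
from itertools import product

def fresh_bits(name, l):
    """Step 2: a fresh Boolean variable for every bit of a term, name_0 .. name_{l-1}."""
    return [f"{name}_{i}" for i in range(l)]

def flatten_or_atom(l):
    """Steps 3 and 4 for t1 := c and t2 := a |[l] b.
    Returns the variable list and a list of constraints; each constraint is a
    predicate over an assignment (a dict from variable name to bool)."""
    a, b, t1, t2 = (fresh_bits(n, l) for n in ("a", "b", "u(t1)", "u(t2)"))
    constraints = []
    for i in range(l):
        # step 3, the atom t1 = t2:       u(t1)_i <-> u(t2)_i
        constraints.append(lambda s, x=t1[i], y=t2[i]: s[x] == s[y])
        # step 4, the term a |[l] b:     u(t2)_i <-> (a_i or b_i)
        constraints.append(lambda s, x=t2[i], p=a[i], q=b[i]: s[x] == (s[p] or s[q]))
    return a + b + t1 + t2, constraints

def models(variables, constraints):
    """All satisfying assignments of the propositional constraints (tiny l only)."""
    found = []
    for values in product([False, True], repeat=len(variables)):
        s = dict(zip(variables, values))
        if all(c(s) for c in constraints):
            found.append(s)
    return found

def decode(s, bits):
    """Read the value of a term back from an assignment to its bit variables."""
    return sum(int(s[v]) << i for i, v in enumerate(bits))

def flattening_is_faithful(l):
    """Every model of the flattened formula satisfies c = a | b on the decoded
    values, and there is exactly one model per choice of a and b (4^l in total),
    so the Boolean formula is satisfiable iff the bit-vector atom is."""
    variables, constraints = flatten_or_atom(l)
    a, b, c = variables[:l], variables[l:2 * l], variables[2 * l:3 * l]
    found = models(variables, constraints)
    return len(found) == 4 ** l and all(
        decode(s, c) == decode(s, a) | decode(s, b) for s in found)
```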
Example (l-bit adder)

A 1-bit adder can be defined as follows:
    $\mathit{sum}(a, b, c_{in}) = (a \oplus b) \oplus c_{in}$
    $\mathit{carry}(a, b, c_{in}) = (a \wedge b) \vee ((a \oplus b) \wedge c_{in})$

The carry bits can be defined as follows:
    $c_i = \begin{cases} c_{in} & : i = 0 \\ \mathit{carry}(a_{i-1}, b_{i-1}, c_{i-1}) & : \text{otherwise} \end{cases}$
Example (l-bit adder)

An l-bit adder can be defined as follows:
    $\mathit{add}(a, b, c_{in}) = \langle \mathit{result}, c_{out} \rangle$
    $\mathit{result}_i = \mathit{sum}(a_i, b_i, c_i)$ for $i \in \{0, \ldots, l-1\}$
    $c_{out} = c_l$

The constraints generated by the algorithm for the formula $t = x + y$ are the following:
    $\bigwedge_{i=0}^{l-1} \big(\mathit{add}(x, y, 0).\mathit{result}_i \Leftrightarrow u(t_1)_i\big)$
Incremental bit flattening (1/4)

Some arithmetic operations result in very hard formulas.

Multiplication:
the multiplier is defined recursively for $s \in \{-1, \ldots, n-1\}$, where n denotes the width of the second operand:
    $\mathit{mul}(a, b, -1) = 0$
    $\mathit{mul}(a, b, s) = \mathit{mul}(a, b, s-1) + (b_s\ ?\ (a \ll s) : 0)$

Therefore, we want to check the satisfiability of a given formula without, where possible, checking the satisfiability of sub-formulas that contain complicated arithmetic operations such as multiplication.
Incremental bit flattening (2/4)

Example:
a b  c  b  a  c  a  b  x  y  x  y

This formula is obviously unsatisfiable, since the first two conjuncts are inconsistent and the last two conjuncts are also inconsistent.

A SAT solver tends to branch on the first two conjuncts first, because a and b are used more frequently than x and y.
However, this is a poor choice, because the satisfiability of the last two conjuncts is much easier to check: a relational bit-vector operation is far less complicated than a bit-vector multiplication.
Incremental bit flattening (3/4)

Notation:
    $\varphi_b$: the Boolean part of $\varphi$
    $F$: the set of terms that have been encoded into the CNF formula
    $I$: the set of terms that are inconsistent with the current satisfying assignment

The flowchart of this slide, written as steps:
1. $\varphi_f := \varphi_b$, $F := \{\}$
2. Is $\varphi_f$ SAT? If not, return UNSAT.
3. Compute $I$. If $I = \{\}$, return SAT.
4. Pick the 'easy' part: choose $F' \subseteq (I \setminus F)$, convert its constraints to CNF, set $F := F \cup F'$ and $\varphi_f := \varphi_b \wedge \mathit{Constraint}(F)$, and go back to step 2.
Incremental bit flattening (4/4)

Idea: add the 'easy' parts of the formula first.
- Only add hard parts when needed.
- $\varphi_f$ only gets stronger; that is why it is incremental.
Conclusion

- Bit-wise operations and arithmetic can be expressed in bit-vector logic.
- There are decision procedures that check the satisfiability of a given bit-vector logic formula.