380 likes | 570 Views
Handling Bit-Propagating Operations in Bit-Vector Reasoning. Alexander Nadel, Intel, Israel SMT’13 Workshop Helsinki, Finland July 8 th , 2013. Outline. We identify and define a class of Bit-Vector (BV) operations, called Bit-Propagating (BP)
E N D
Handling Bit-Propagating Operations inBit-Vector Reasoning Alexander Nadel, Intel, Israel SMT’13 Workshop Helsinki, Finland July 8th, 2013
Outline • We identify and define a class of Bit-Vector (BV) operations, called Bit-Propagating (BP) • We propose an algorithm for efficiently handling BP operations during online preprocessing in eager BV solving • We demonstrate a performance boost when our algorithms are applied over SMT-LIB 2.0 instances
Bit-Vector (BV) Reasoning • Bit-vector reasoning is widely applied for HW and SW formal validation and other domains. • Over 48% out of more than 93,000 benchmarks in SMT-LIB are BV-based, that is either: • Plain bit-vector (QF_BV), or • Bit-vectors and arrays combined (QF_ABV) • Some BV Solvers: Boolector, Mathsat, STP, CVC, Z3, Intel’s new solver Hazel, …
BV Operations in SMT-LIB 2.0 Core Bit-wise Arithmetic Comparison Bit-prop. =/bvcomp distinct ite and**/bvand or**/bvor xor**/bvxor =>** bvnot bvnand bvnor bvxnor bvneg bvadd bvmul bvudiv bvurem bvsub bvsdiv bvsrem bvsmod bvshl* bvlshr* bvashr* bvult bvule bvugt bvuge bvslt bvsle bvsgt bvsge concat extractbvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right * Shift by a constant is bit-propagating; shift by a non-constant is arithmetic** We consider Bool’s to be bit-vectors of width 1
Eager BV Solving • Apply word-level preprocessing (rewriting, constant propagation, …) • Local/online: applied once a new operation is fed into the solver • Global: applied after the whole formula is fed into the solver • Optionally, bit-blast to bit-level AIG and apply AIG simplifications • Bit-blast to CNF and solve with a SAT solver
Eager BV Solving Example (declare-fun v1 () ( BitVec 2)) (define-fun v3 () ( BitVec 2) (bvadd v1 v2)) (declare-fun v2 () ( BitVec 2)) (check-sat) (define-fun v4 () ( BitVec 2) (bvadd v3 (_ bv0 2))) (assert (v4 (_ bv0 2)) SAT! Online Preprocessing SAT Engine 0 v3,v4: bvadd SMT Engine v3: bvadd v1 v2
Bit-Propagating (BP) Operations • We define an operation to be bit-propagating iff: • Each output bit is either a bit of one of the inputs or a constant, and • The mapping can be computed at the time the operation is applied. u = bvshl(v,2) = [v[1], v[0],0,0] t = bvshl(v,s) v = [v[3],v[2], v[1], v[0]]
BP Operations in SMT-LIB 2.0 Bit-prop. concat extractbvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right * Shift by a constant is bit-propagating; shift by a non-constant is arithmetic
BP Operations in SMT-LIB 2.0 Bit-prop. concat extractbvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right u = concat(v,y) = [v[3], v[2], v[1], v[0], y[1], y[0]] v = [v[3],v[2], v[1], v[0]] y = [y[1], y[0]]
BP Operations in SMT-LIB 2.0 Bit-prop. concat extractbvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right u = extract(v,2,1) = [v[2], v[1]] v = [v[3],v[2], v[1], v[0]]
BP Operations in SMT-LIB 2.0 Bit-prop. concat extractbvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right u = bvshl(v,2) = [v[1], v[0],0,0] v = [v[3],v[2], v[1], v[0]] * Shift by a constant is bit-propagating; shift by a non-constant is arithmetic
BP Operations in SMT-LIB 2.0 Bit-prop. concat extractbvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right u = bvlshr(v,2) = [0,0,v[3], v[2]] v = [v[3],v[2], v[1], v[0]] * Shift by a constant is bit-propagating; shift by a non-constant is arithmetic
BP Operations in SMT-LIB 2.0 Bit-prop. concat extractbvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right u = bvashr(v,2) = [v[3],v[3],v[3], v[2]] v = [v[3],v[2], v[1], v[0]] * Shift by a constant is bit-propagating; shift by a non-constant is arithmetic
BP Operations in SMT-LIB 2.0 Bit-prop. concat extractbvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right u = repeat(v,2) = [v[3],v[2],v[1], v[0], v[3],v[2],v[1], v[0]] v = [v[3],v[2], v[1], v[0]]
BP Operations in SMT-LIB 2.0 Bit-prop. concat extractbvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right u = zero_extend(v,2) = [0,0,v[3],v[2],v[1], v[0]] v = [v[3],v[2], v[1], v[0]]
BP Operations in SMT-LIB 2.0 Bit-prop. concat extractbvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right u = sign_extend(v,2) = [v[3],v[3],v[3],v[2],v[1], v[0]] v = [v[3],v[2], v[1], v[0]]
BP Operations in SMT-LIB 2.0 Bit-prop. concat extractbvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right u = rotate_left(v,1) = [v[2],v[1],v[0],v[3]] v = [v[3],v[2], v[1], v[0]]
BP Operations in SMT-LIB 2.0 Bit-prop. concat extractbvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right u = rotate_right(v,1) = [v[0],v[3],v[2],v[1]] v = [v[3],v[2], v[1], v[0]]
The Portion of BP Operations in SMT-LIB 2.0 Families in QF_BV Logic
Our Approach to Handling BP Ops • Handle BP Operations explicitly during online preprocessing using Bit-Propagating Normal Form (BPNF)-based reasoning • Each variable is associated with a BPNF: a sequence of segments, where each segment is either: • A constant, or • A bit-range over a non-propagating variable • Goals: • Word-level hashing: one word-level variable per BPNF • CNF minimization: CNF variables are created only for non-BP ops
BPNF Usage Example (assert (v8(_ bv0 3)) (check-sat) Not a BPNF, mergeable! The new neighbor pair of segments was merged! Merging was essential for proper hashing! • Segments s2 and s1 (in the specified order) are mergeableif • Both s2 and s1 are constants, or • Both s2 and s1 are bit-ranges, such that s2 = v[k:j+1] and s1 = v[j:i] • BPNF: a sequence of non-mergeable segments Online Preprocessing The CNF: v1[0] v1[1] v1[2] v7 = concat(v6, v5)={v1[2-1],v1[1-0]} v8 =v7 = concat(v6, v5)={v1[2-0]} v7 = concat(v6, v5)={v1[2-0]} No CNF clauses/vars required! Bit-blasted addition v6= extract(v4, 6, 5)={v1[2-1]} v8= extract(v2, 3, 1)={v1[2-0]} v3= extract(v2, 2, 1)={v1[1-0]} v5 = v3=extract(v2, 2, 1)={v1[1-0]} v5 = extract(v4, 5, 4)={v1[1-0]} v2= bvshl(v1,1)={v1[2-0],0} v4= repeat(v1, 2)={v1[3-0], v1[3-0]} v1= bvadd(u1, u2)={v1[3:0]} u2={u2[3:0]}, where|u2|=4 u1={u1[3:0]}, where|u1|=4
Implementation Tips: Segment Threshold • Maintaining too many segments might inflate the memory and lead to a performance degradation • Solution: impose a user-given threshold T on a number of segments in BPNF • A variable with too many segments in BPNF is considered non-BP. • New CNF variables are created to represent it in the SAT solver
Implementation Tips: Rewriting assert-based Definitions • Using assert to define new variables is incompatible with BPNF reasoning
Rewriting assert-based Definitions: Problem Example v = repeat(u,2)={u[31-0],u[31-0]} • (declare-fun v () ( BitVec64)) • (assert (= v (repeat u 2)) • (declare-fun u () ( BitVec 32)) u = {u[31-0]} 0 SMT Engine u = {u[31-0]} v = {v[63-0]} t = repeat(u,2)={u[31-0],u[31-0]} z = (v=t)={z[0-0]}
Implementation Tips: Rewriting Assert-based Definitions • Using assert to define new variables is incomparable with BPNF reasoning • Solution: rewrite assert-based definitions into define-fun-based definitions (using look-ahead): • Our example: (declare-fun u () Type) • (declare-fun v () Type) (assert (= (v (f u)))) (declare-fun u () Type) (define-fun v (f u)) (declare-fun u () ( BitVec 32)) • (declare-fun v () ( BitVec64)) (assert (= (v (repeat u 2)))) (declare-fun u () ( BitVec 32)) (define-fun v (repeat u 2))
Implementation Tips: Apply Constant Propagation • Constant propagation is a commonly applied preprocessing technique • Essential in our setting in order not to miss shifts by constants • Example: (declare-fun u () ( BitVec 32)) (define-fun x () ( BitVec 32)) (assert (= x (bvadd (_ bv3 32) (_ bv2 32)))) (define-fun v (bvshl u x)) (declare-fun u () ( BitVec 32)) (define-fun v (bvshl u (_ bv5 32)))
Experimental Results • We implemented BPNF reasoning on top of a new Intel’s eager SMT solver Hazel • Main experiment: show the impact of BPNF reasoning on Hazel performance • We used 37 SMT-LIB families having at least 5% BP operations • Families solved in less than 1 sec. and most of the (huge) sage sub-families were dismissed • We used different values for the segments threshold in BPNF • The base version creates a new CNF variable for every word-level variable • Secondary experiment: demonstrate that Hazel can compete with state-of-the-art solvers over families where BPNF reasoning is the most helpful • Environment: machines with Intel® Xeon® processors, 3Ghz CPU frequency, 32Gb of memory. • Time-out: 600 sec.
Significant reduction in CNF size • Marginal reduction in the ops num. => hints that word-level hashing may not be critical • Correlation between the CNF size and performanceis not absolute
Related Work • Normal forms for concat/extractare well-known (see ref’s in the paper) • Our work identifies and defines the class of BP operations; our approach is integrated into a modern eager SMT solver • A DPLL(T) theory solver for extract, concatand equality applied within lazy SMT solving was proposed in ICCAD’09, Brottomesso&Sharygina • Our algorithms are integrated into an eager SMT solver; we define and handle 10 BP ops, but not equalities. • Bit-level sharing of CNF variables for concat/extract is known in the community and applied by various solvers, but AFAIK not published • Any bit-level solution lacks the word-level hashing ability • Essential algorithms used in BV preprocessing are often unpublished
Conclusion • We identified and defined a class of Bit-Vector (BV) operations, called Bit-Propagating (BP) • We proposed an algorithm for handling BP operations efficiently during online preprocessing in eager BV solving • We demonstrated a performance boost across various SMT-LIB families
Bit-Propagating Normal Form (BPNF) • A variable is bit-propagating iff it was created by a bit-propagating operation, otherwise it’s non-bit-propagating • A segment iseither • A constant, e.g., 0100100, or • A bit-range, that is a sequence of consecutive bits of a non-bit-propagating variable, e.g., v[3:1]=[v[3], v[2], v[1]] • Segments s2 and s1 (in the specified order) are mergeableif • Both s2 and s1 are constants, or • Both s2and s1 are bit-ranges, such that s2 = v[k:j+1] and s1 = v[j:i] • BPNF(v) is a sequence of segments, where each pair of neighbor segments is non-mergeable
Calculating a BPNF for BP Operations Bit-prop. • M(s,t) = s,t for non-mergeables,t • M(c1, c2) = concat(c1,c2)if c1,c2 are constants • e.g.,M(10,01) = 1001 • M(v[k:j+1],v[j:i]) = v[k,i] concat extractbvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right Merge operation u=concat(v,y)={vs(v),…,v1,M(v0,ys(y)),ys(y)-1…,y1, y0} v = {vs(v),…,v1, v0} y = {ys(y),…,y1, y0}
Calculating a BPNF for BP Operations Bit-prop. The number of bit iin its segment concat extractbvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right The segment number of bit i u=extract(v,j,i)={vsn(j)[sb(j):0],vsn(j)-1,…,vsn(i)+1,vsn(i)[end:sb(i)]} v = {vs(v),…,v1, v0} The last defined bit in vsn(i)
Calculating a BPNF for BP Operations Bit-prop. concat extractbvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right The remaining operations can be reduced to concat/extract (see the paper for details) * Shift by a constant is bit-propagating; shift by a non-constant is arithmetic