1 / 38

Handling Bit-Propagating Operations in Bit-Vector Reasoning

Handling Bit-Propagating Operations in Bit-Vector Reasoning. Alexander Nadel, Intel, Israel SMT’13 Workshop Helsinki, Finland July 8 th , 2013. Outline. We identify and define a class of Bit-Vector (BV) operations, called Bit-Propagating (BP)

papina
Download Presentation

Handling Bit-Propagating Operations in Bit-Vector Reasoning

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Handling Bit-Propagating Operations inBit-Vector Reasoning Alexander Nadel, Intel, Israel SMT’13 Workshop Helsinki, Finland July 8th, 2013

  2. Outline • We identify and define a class of Bit-Vector (BV) operations, called Bit-Propagating (BP) • We propose an algorithm for efficiently handling BP operations during online preprocessing in eager BV solving • We demonstrate a performance boost when our algorithms are applied over SMT-LIB 2.0 instances

  3. Bit-Vector (BV) Reasoning • Bit-vector reasoning is widely applied for HW and SW formal validation and other domains. • Over 48% out of more than 93,000 benchmarks in SMT-LIB are BV-based, that is either: • Plain bit-vector (QF_BV), or • Bit-vectors and arrays combined (QF_ABV) • Some BV Solvers: Boolector, Mathsat, STP, CVC, Z3, Intel’s new solver Hazel, …

  4. BV Operations in SMT-LIB 2.0 Core Bit-wise Arithmetic Comparison Bit-prop. =/bvcomp distinct ite and**/bvand or**/bvor xor**/bvxor =>** bvnot bvnand bvnor bvxnor bvneg bvadd bvmul bvudiv bvurem bvsub bvsdiv bvsrem bvsmod bvshl* bvlshr* bvashr* bvult bvule bvugt bvuge bvslt bvsle bvsgt bvsge concat extractbvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right * Shift by a constant is bit-propagating; shift by a non-constant is arithmetic** We consider Bool’s to be bit-vectors of width 1

  5. Eager BV Solving • Apply word-level preprocessing (rewriting, constant propagation, …) • Local/online: applied once a new operation is fed into the solver • Global: applied after the whole formula is fed into the solver • Optionally, bit-blast to bit-level AIG and apply AIG simplifications • Bit-blast to CNF and solve with a SAT solver

  6. Eager BV Solving Example (declare-fun v1 () ( BitVec 2)) (define-fun v3 () ( BitVec 2) (bvadd v1 v2)) (declare-fun v2 () ( BitVec 2)) (check-sat) (define-fun v4 () ( BitVec 2) (bvadd v3 (_ bv0 2))) (assert (v4 (_ bv0 2)) SAT! Online Preprocessing SAT Engine 0 v3,v4: bvadd SMT Engine v3: bvadd v1 v2

  7. Bit-Propagating (BP) Operations • We define an operation to be bit-propagating iff: • Each output bit is either a bit of one of the inputs or a constant, and • The mapping can be computed at the time the operation is applied. u = bvshl(v,2) = [v[1], v[0],0,0] t = bvshl(v,s) v = [v[3],v[2], v[1], v[0]]

  8. BP Operations in SMT-LIB 2.0 Bit-prop. concat extractbvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right * Shift by a constant is bit-propagating; shift by a non-constant is arithmetic

  9. BP Operations in SMT-LIB 2.0 Bit-prop. concat extractbvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right u = concat(v,y) = [v[3], v[2], v[1], v[0], y[1], y[0]] v = [v[3],v[2], v[1], v[0]] y = [y[1], y[0]]

  10. BP Operations in SMT-LIB 2.0 Bit-prop. concat extractbvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right u = extract(v,2,1) = [v[2], v[1]] v = [v[3],v[2], v[1], v[0]]

  11. BP Operations in SMT-LIB 2.0 Bit-prop. concat extractbvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right u = bvshl(v,2) = [v[1], v[0],0,0] v = [v[3],v[2], v[1], v[0]] * Shift by a constant is bit-propagating; shift by a non-constant is arithmetic

  12. BP Operations in SMT-LIB 2.0 Bit-prop. concat extractbvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right u = bvlshr(v,2) = [0,0,v[3], v[2]] v = [v[3],v[2], v[1], v[0]] * Shift by a constant is bit-propagating; shift by a non-constant is arithmetic

  13. BP Operations in SMT-LIB 2.0 Bit-prop. concat extractbvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right u = bvashr(v,2) = [v[3],v[3],v[3], v[2]] v = [v[3],v[2], v[1], v[0]] * Shift by a constant is bit-propagating; shift by a non-constant is arithmetic

  14. BP Operations in SMT-LIB 2.0 Bit-prop. concat extractbvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right u = repeat(v,2) = [v[3],v[2],v[1], v[0], v[3],v[2],v[1], v[0]] v = [v[3],v[2], v[1], v[0]]

  15. BP Operations in SMT-LIB 2.0 Bit-prop. concat extractbvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right u = zero_extend(v,2) = [0,0,v[3],v[2],v[1], v[0]] v = [v[3],v[2], v[1], v[0]]

  16. BP Operations in SMT-LIB 2.0 Bit-prop. concat extractbvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right u = sign_extend(v,2) = [v[3],v[3],v[3],v[2],v[1], v[0]] v = [v[3],v[2], v[1], v[0]]

  17. BP Operations in SMT-LIB 2.0 Bit-prop. concat extractbvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right u = rotate_left(v,1) = [v[2],v[1],v[0],v[3]] v = [v[3],v[2], v[1], v[0]]

  18. BP Operations in SMT-LIB 2.0 Bit-prop. concat extractbvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right u = rotate_right(v,1) = [v[0],v[3],v[2],v[1]] v = [v[3],v[2], v[1], v[0]]

  19. The Portion of BP Operations in SMT-LIB 2.0 Families in QF_BV Logic

  20. Our Approach to Handling BP Ops • Handle BP Operations explicitly during online preprocessing using Bit-Propagating Normal Form (BPNF)-based reasoning • Each variable is associated with a BPNF: a sequence of segments, where each segment is either: • A constant, or • A bit-range over a non-propagating variable • Goals: • Word-level hashing: one word-level variable per BPNF • CNF minimization: CNF variables are created only for non-BP ops

  21. BPNF Usage Example (assert (v8(_ bv0 3)) (check-sat) Not a BPNF, mergeable! The new neighbor pair of segments was merged! Merging was essential for proper hashing! • Segments s2 and s1 (in the specified order) are mergeableif • Both s2 and s1 are constants, or • Both s2 and s1 are bit-ranges, such that s2 = v[k:j+1] and s1 = v[j:i] • BPNF: a sequence of non-mergeable segments Online Preprocessing The CNF: v1[0] v1[1] v1[2] v7 = concat(v6, v5)={v1[2-1],v1[1-0]} v8 =v7 = concat(v6, v5)={v1[2-0]} v7 = concat(v6, v5)={v1[2-0]} No CNF clauses/vars required! Bit-blasted addition v6= extract(v4, 6, 5)={v1[2-1]} v8= extract(v2, 3, 1)={v1[2-0]} v3= extract(v2, 2, 1)={v1[1-0]} v5 = v3=extract(v2, 2, 1)={v1[1-0]} v5 = extract(v4, 5, 4)={v1[1-0]} v2= bvshl(v1,1)={v1[2-0],0} v4= repeat(v1, 2)={v1[3-0], v1[3-0]} v1= bvadd(u1, u2)={v1[3:0]} u2={u2[3:0]}, where|u2|=4 u1={u1[3:0]}, where|u1|=4

  22. Implementation Tips: Segment Threshold • Maintaining too many segments might inflate the memory and lead to a performance degradation • Solution: impose a user-given threshold T on a number of segments in BPNF • A variable with too many segments in BPNF is considered non-BP. • New CNF variables are created to represent it in the SAT solver

  23. Implementation Tips: Rewriting assert-based Definitions • Using assert to define new variables is incompatible with BPNF reasoning

  24. Rewriting assert-based Definitions: Problem Example v = repeat(u,2)={u[31-0],u[31-0]} • (declare-fun v () ( BitVec64)) • (assert (= v (repeat u 2)) • (declare-fun u () ( BitVec 32)) u = {u[31-0]} 0 SMT Engine u = {u[31-0]} v = {v[63-0]} t = repeat(u,2)={u[31-0],u[31-0]} z = (v=t)={z[0-0]}

  25. Implementation Tips: Rewriting Assert-based Definitions • Using assert to define new variables is incomparable with BPNF reasoning • Solution: rewrite assert-based definitions into define-fun-based definitions (using look-ahead): • Our example: (declare-fun u () Type) • (declare-fun v () Type) (assert (= (v (f u)))) (declare-fun u () Type) (define-fun v (f u)) (declare-fun u () ( BitVec 32)) • (declare-fun v () ( BitVec64)) (assert (= (v (repeat u 2)))) (declare-fun u () ( BitVec 32)) (define-fun v (repeat u 2))

  26. Implementation Tips: Apply Constant Propagation • Constant propagation is a commonly applied preprocessing technique • Essential in our setting in order not to miss shifts by constants • Example: (declare-fun u () ( BitVec 32)) (define-fun x () ( BitVec 32)) (assert (= x (bvadd (_ bv3 32) (_ bv2 32)))) (define-fun v (bvshl u x)) (declare-fun u () ( BitVec 32)) (define-fun v (bvshl u (_ bv5 32)))

  27. Experimental Results • We implemented BPNF reasoning on top of a new Intel’s eager SMT solver Hazel • Main experiment: show the impact of BPNF reasoning on Hazel performance • We used 37 SMT-LIB families having at least 5% BP operations • Families solved in less than 1 sec. and most of the (huge) sage sub-families were dismissed • We used different values for the segments threshold in BPNF • The base version creates a new CNF variable for every word-level variable • Secondary experiment: demonstrate that Hazel can compete with state-of-the-art solvers over families where BPNF reasoning is the most helpful • Environment: machines with Intel® Xeon® processors, 3Ghz CPU frequency, 32Gb of memory. • Time-out: 600 sec.

  28. 8 families with at least 30% speed-up

  29. Significant reduction in CNF size • Marginal reduction in the ops num. => hints that word-level hashing may not be critical • Correlation between the CNF size and performanceis not absolute

  30. Related Work • Normal forms for concat/extractare well-known (see ref’s in the paper) • Our work identifies and defines the class of BP operations; our approach is integrated into a modern eager SMT solver • A DPLL(T) theory solver for extract, concatand equality applied within lazy SMT solving was proposed in ICCAD’09, Brottomesso&Sharygina • Our algorithms are integrated into an eager SMT solver; we define and handle 10 BP ops, but not equalities. • Bit-level sharing of CNF variables for concat/extract is known in the community and applied by various solvers, but AFAIK not published • Any bit-level solution lacks the word-level hashing ability • Essential algorithms used in BV preprocessing are often unpublished

  31. Conclusion • We identified and defined a class of Bit-Vector (BV) operations, called Bit-Propagating (BP) • We proposed an algorithm for handling BP operations efficiently during online preprocessing in eager BV solving • We demonstrated a performance boost across various SMT-LIB families

  32. Bit-Propagating Normal Form (BPNF) • A variable is bit-propagating iff it was created by a bit-propagating operation, otherwise it’s non-bit-propagating • A segment iseither • A constant, e.g., 0100100, or • A bit-range, that is a sequence of consecutive bits of a non-bit-propagating variable, e.g., v[3:1]=[v[3], v[2], v[1]] • Segments s2 and s1 (in the specified order) are mergeableif • Both s2 and s1 are constants, or • Both s2and s1 are bit-ranges, such that s2 = v[k:j+1] and s1 = v[j:i] • BPNF(v) is a sequence of segments, where each pair of neighbor segments is non-mergeable

  33. Calculating a BPNF for BP Operations Bit-prop. • M(s,t) = s,t for non-mergeables,t • M(c1, c2) = concat(c1,c2)if c1,c2 are constants • e.g.,M(10,01) = 1001 • M(v[k:j+1],v[j:i]) = v[k,i] concat extractbvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right Merge operation u=concat(v,y)={vs(v),…,v1,M(v0,ys(y)),ys(y)-1…,y1, y0} v = {vs(v),…,v1, v0} y = {ys(y),…,y1, y0}

  34. Calculating a BPNF for BP Operations Bit-prop. The number of bit iin its segment concat extractbvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right The segment number of bit i u=extract(v,j,i)={vsn(j)[sb(j):0],vsn(j)-1,…,vsn(i)+1,vsn(i)[end:sb(i)]} v = {vs(v),…,v1, v0} The last defined bit in vsn(i)

  35. Calculating a BPNF for BP Operations Bit-prop. concat extractbvshl* bvlshr* bvashr* repeat zero_extend sign_extend rotate_left rotate_right The remaining operations can be reduced to concat/extract (see the paper for details) * Shift by a constant is bit-propagating; shift by a non-constant is arithmetic

More Related