Slide1
Solving Constraints over BV with SAT-based MC
Yakir Vizel, Princeton University
Alexander Nadel, Intel, Israel
Sharad Malik, Princeton University
Slide2
SMT
Formula over a theory T
SMT Solver for T
SAT / UNSAT
Slide3
BVMC
Formula in QF_BV (LIA subset)
SMT Solver for T: SAT / UNSAT
Reduce to Safety Verification
Model Checker: UNSAFE / SAFE
Slide4
QF_BV
Defined by the following grammar:
Where:
⋈ ∈ {<, ≤, >, ≥, =}
F ∈ {+, −, ×, ÷, shl, shr, concat, &, |, …}
G ∈ {sign_extend, zero_extend}
Slide5
QF_BV: LIA subset
Defined by the following grammar:
Where:
⋈ ∈ {<, ≤, >, ≥, =}
Currently, BVMC works with one width for all the BV variables
Can be easily extended to arbitrary widths
BVMC also supports all the bit-wise operators
Slide6
Example
Consider the following formula where x, y, z are bit-vectors of size 4:
A traditional BV solver encodes this formula to SAT by means of bit-blasting:
A full-adder: FA(a, b, s, ci, co)
Slide7
Example
Figure: four full adders FA chained as a ripple-carry adder over the inputs x0..x3 and y0..y3, producing the sum bits z0..z3 (the bit-blasted adder).
Slide8
Reduction to Safety Verification
Slide9
Width ⬌ Time
Figure: the same four-FA ripple-carry chain as on Slide7 (x0..x3, y0..y3, z0..z3).
Slide10
Width ⬌ Time
Treat bit-vectors as streams of bits over time
Starting from the LSB
The i-th bit is available at the i-th clock cycle
Figure: a single FA with inputs xi, yi, output zi and carry-out co, reused every cycle.
Slide11
Comparators
a = b: bits should be equal at every cycle
Sequential circuit: track all bits up to this point
Monotonic: once 0, always 0
Figure: inputs a, b and latch x; an equality (=) gate on a, b ANDed (&) with x.
Slide12
Comparators
a < b: the sign bit changes at each cycle
Sequential circuit: unsigned comparison
ULT: (¬a ∧ b) ∨ [¬(a ∧ ¬b) ∧ x]
Combinational circuit: take care of the sign bit
Figure: inputs a, b and latch x; the ULT cell drives a MUX (select 1 / 0) between a ∨ ¬b and a ∧ ¬b.
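The bit-serial cells of Slides 10 to 12 can be checked directly against the integer semantics they are meant to replace. The following Python is an added illustration, not code from the talk or from the BVMC tool: one full adder with a carry latch, the monotone equality latch and the ULT recurrence with its sign-bit MUX are clocked LSB-first for k cycles, and the output after cycle i is compared with the two's-complement verdict at width i + 1. The function names (fa, eq_cell, ult_cell, slt_out, stream, reference, check_all) are the example's own.

```python
# Added illustration of slides 10-12 (not the talk's code): one full adder, the
# equality latch and the unsigned-less-than latch, clocked once per bit, LSB first.

def fa(a, b, ci):
    """Full adder FA(a, b, s, ci, co) of slide 6: returns (s, co)."""
    return a ^ b ^ ci, (a & b) | (ci & (a ^ b))

def eq_cell(a, b, x):
    """Slide 11: x = 'all bits so far were equal'; monotone, once 0 always 0."""
    return x & (1 - (a ^ b))

def ult_cell(a, b, x):
    """Slide 12, sequential part: unsigned a < b over the bits seen so far."""
    return ((1 - a) & b) | ((1 - (a & (1 - b))) & x)

def slt_out(a, b, x):
    """Slide 12, combinational part: the MUX that treats the current bit as the
    sign bit, i.e. the signed verdict if the stream stopped at this bit."""
    return (a & (1 - b)) | ((a | (1 - b)) & x)

def stream(x, y, z, k):
    """Clock the bit-streams of x, y, z for k cycles (k = the width).
    Returns, for every cycle i, the pair (x + y = z, x < y signed) as it
    stands at width i + 1."""
    carry, eq, ult = 0, 1, 0              # initial latch values
    verdicts = []
    for i in range(k):
        xi, yi, zi = (x >> i) & 1, (y >> i) & 1, (z >> i) & 1
        s, carry = fa(xi, yi, carry)      # the i-th sum bit, carry latched
        eq = eq_cell(s, zi, eq)           # does it match the i-th bit of z?
        verdicts.append((eq, slt_out(xi, yi, ult)))
        ult = ult_cell(xi, yi, ult)       # latch update for the next cycle
    return verdicts

def reference(x, y, z, w):
    """Integer semantics at width w: wrap to w bits and compare as signed."""
    def wrap(v):
        v &= (1 << w) - 1
        return v - (1 << w) if v >> (w - 1) else v
    return (int(wrap(x + y) == wrap(z)), int(wrap(x) < wrap(y)))

def check_all(k):
    """Every (x, y, z) of width k agrees with the reference at every prefix width."""
    rng = range(-(1 << (k - 1)), 1 << (k - 1))
    return all(stream(x, y, z, k)[w - 1] == reference(x, y, z, w)
               for x in rng for y in rng for z in rng for w in range(1, k + 1))

if __name__ == "__main__":
    # slide 24's k = 3 assignment (x = 3, y = 3, z = -2): x + y = z holds at every prefix
    print(stream(3, 3, -2, 3))
    print(check_all(4))
```

The per-cycle verdict is the point of the width-to-time view: a k-cycle run of one adder cell answers the question for every width up to k, which is what lets a model checker reuse a bounded run across widths.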
Slide13
Reduction to Safety Verification
A formula 𝜑 is translated to a sequential circuit C
Assume 𝜑 is a DAG:
For each leaf of sort bit-vector create an input terminal
For each leaf of sort Boolean, create an uninitialized latch x with x' = x
For a leaf of a constant type use a counter
The counter determines the cycle
For each cycle the value is known a priori
Boolean operations: the corresponding logical gates
Arithmetic operations and comparators: sequential circuits
Multiplication by a constant: shift-lefts and additions
The output of C is assigned to true when 𝜑 is satisfiable
Slide14
Reduction to Safety Verification
Find the maximal number of bits required to represent the constants in 𝜑: kmin
𝜑 is not well defined for k < kmin
When creating the property, add a guard wmin
wmin is initialized to false and becomes true after kmin cycles
The property: Bad := wmin ∧ C.output()
Slide15
BVMC: the Model Checking-based Algorithm
Slide16
Safety Verification
A transition system T = (V, INIT, Tr, Bad)
T is UNSAFE if and only if there exists a path in T from a state in INIT to a state in Bad
T is SAFE if and only if there exists a safe inductive invariant Inv s.t.
Slide17
SAT-based Model Checking (SATMC)
Search for a counterexample of a specific length: Bounded Model Checking (BMC)
Checking satisfiability of 𝜇(T, N)
If a counterexample does not exist, generalize the bounded proof into a candidate Inv
Check if Inv is a safe inductive invariant
Slide18
BMC vs. Traditional BV Solvers
Time correlates to width
Unrolling depth therefore correlates to width
Figure: a single FA with inputs x, y, output z and carry-out co.
Slide19
BMC and Traditional BV Solvers
Time correlates to width
Unrolling depth therefore correlates to width
Figure: the FA of the previous slide unrolled four times, giving the four-FA chain of Slide7 (x0..x3, y0..y3, z0..z3).
Slide20
BMC and Traditional BV Solvers
Time correlates to width
Unrolling depth therefore correlates to width
BMC till target depth ⋍ Eager BV Solver
Slide21
Generalization - UNSAT
If 𝜑 is UNSAT when interpreted over bit-vectors of width k
Can we generalize this result to bit-vectors of width N > k?
Slide22
Generalization - UNSAT
If 𝜑 is UNSAT when interpreted over bit-vectors of width k
Can we generalize this result to bit-vectors of width N > k?
Free lunch for us: the ability of a MC to generalize a bounded proof to an unbounded proof
When finding an inductive invariant at depth k, 𝜑 is UNSAT for all N > k
Slide23
“Generalization” - SAT
If 𝜑 is SAT when interpreted over bit-vectors of width k
Can we generalize this result to bit-vectors of width N > k?
Slide24
“Generalization” - SAT
For k = 2, a satisfying assignment: x = 1, y = 1, z = -2 (x = 01, y = 01, z = 10)
For k = 3, a satisfying assignment: x = 3, y = 3, z = -2 (x = 011, y = 011, z = 110)
For k = 4, a satisfying assignment: x = 7, y = 7, z = -2 (x = 0111, y = 0111, z = 1110)
Slide25
Extending a satisfying assignment
If 𝜑 is SAT when interpreted over bit-vectors of width k
Then 𝜇(T, k) is satisfiable
There exists a counterexample of length N
Satisfying assignment 𝜋
Try to extend it incrementally: 𝜇(T, k+1) ∧ 𝜋
If the extension of 𝜋 works till the target depth: SAT
Otherwise continue without 𝜋 from the current depth
Other strategies are also possible
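The reduction of Slides 13 and 14 (input terminals, carry and comparator latches, a saturating cycle counter that drives the constants, and Bad := wmin ∧ C.output()) together with the generalization arguments of Slides 22 and 25 can be exercised on a toy scale. The following Python is an added example and is not code from the talk or from the BVMC/LIAMC tool: it compiles a small tuple-encoded formula into the bit-serial circuit and explores the circuit's reachable states explicitly (one BFS level per clock cycle, i.e. per bit of width) in place of a SAT-based model checker; the closed reachable set plays the role of the inductive invariant. The tuple encoding, the function names bvmc and extend, and the formulas are the example's own assumptions: the slides' 4-bit example formula is not in the extracted text, so x + y = z ∧ z < 0 ∧ 0 < x ∧ 0 < y stands in for it.

```python
# Added toy BVMC (not the talk's or LIAMC's code): slides 13-14's bit-serial
# circuit explored by explicit forward reachability, one BFS level per bit.
from itertools import product

# Assumed tuple encoding (the example's own): ('var', name) | ('const', int) |
# ('add' | 'sub' | 'eq' | 'slt', e1, e2) | ('and', b1, b2)

def consts(e):                        # integer constants occurring in e
    if e[0] == 'const':
        return [e[1]]
    return [c for s in e[1:] if isinstance(s, tuple) for c in consts(s)]

def kmin_of(c):                       # smallest two's-complement width for c
    k = 1
    while not -(1 << (k - 1)) <= c < (1 << (k - 1)):
        k += 1
    return k

def step(e, inp, st, nst, cnt):
    """Emit e's bit this cycle. st: latches entering the cycle, nst: latches
    leaving it, cnt: the saturating cycle counter that drives constants."""
    kind = e[0]
    if kind == 'var':                 # input terminal, one bit per cycle
        return inp[e[1]]
    if kind == 'const':               # bit cnt, LSB first; >> sign-extends past kmin
        return (e[1] >> cnt) & 1
    a = step(e[1], inp, st, nst, cnt)
    b = step(e[2], inp, st, nst, cnt)
    if kind == 'and':
        return a & b
    if kind in ('add', 'sub'):        # one full adder plus a carry latch
        if kind == 'sub':
            b = 1 - b                 # a - b = a + ~b + 1: carry-in starts at 1
        c = st.get(e, int(kind == 'sub'))
        nst[e] = (a & b) | (c & (a ^ b))
        return a ^ b ^ c
    if kind == 'eq':                  # monotone "equal so far" latch (slide 11)
        nst[e] = st.get(e, 1) & (1 - (a ^ b))
        return nst[e]
    if kind == 'slt':                 # ULT latch plus sign-bit MUX (slide 12)
        x = st.get(e, 0)
        nst[e] = ((1 - a) & b) | ((1 - (a & (1 - b))) & x)
        return (a & (1 - b)) | ((a | (1 - b)) & x)
    raise ValueError(kind)

def to_int(bits):                     # LSB-first bits as a two's-complement int
    v = sum(b << i for i, b in enumerate(bits))
    return v - (1 << len(bits)) if bits[-1] else v

def bvmc(phi, names, max_width=16):
    """BFS over circuit states; level k = width k. ('SAT', k, model) at the first
    width whose Bad transition is reachable, ('UNSAT', k, None) once the reachable
    set is closed (an inductive invariant: no width satisfies phi)."""
    kmin = max(map(kmin_of, consts(phi)), default=1)
    init = (0, frozenset())           # (counter, latch values) = INIT
    frontier, seen, parent = {init}, {init}, {}
    for width in range(1, max_width + 1):
        new = set()
        for s in frontier:
            cnt, latches = s
            for bits in product((0, 1), repeat=len(names)):
                nst = {}
                out = step(phi, dict(zip(names, bits)), dict(latches), nst, cnt)
                t = (min(cnt + 1, kmin), frozenset(nst.items()))
                if t[0] >= kmin and out:          # Bad := wmin ∧ C.output()
                    trace, p = [bits], s
                    while p in parent:            # BFS tree back to INIT
                        p, pb = parent[p]
                        trace.append(pb)
                    trace.reverse()
                    return ('SAT', width, {n: to_int([tb[i] for tb in trace])
                                           for i, n in enumerate(names)})
                if t not in seen:
                    seen.add(t)
                    new.add(t)
                    parent[t] = (s, bits)
        if not new:                   # fixed point: UNSAT for every width
            return ('UNSAT', width, None)
        frontier = new
    return ('UNKNOWN', max_width, None)

def extend(phi, names, model, width, target):
    """Slide 25: replay a width-`width` model (pi), then add one free bit per cycle
    up to `target`, greedily keeping the output true (a BMC query mu(T,k+1) ∧ pi
    could backtrack). Returns the wider model, or None when no next bit works."""
    kmin = max(map(kmin_of, consts(phi)), default=1)
    bits = [tuple((model[n] >> i) & 1 for n in names) for i in range(width)]
    st, cnt = {}, 0
    for i in range(target):
        for b in ([bits[i]] if i < width else product((0, 1), repeat=len(names))):
            nst = {}
            if step(phi, dict(zip(names, b)), st, nst, cnt) or i < width:
                break
        else:
            return None               # no next bit keeps phi true
        if i >= width:
            bits.append(b)
        st, cnt = nst, min(cnt + 1, kmin)
    return {n: to_int([tb[i] for tb in bits]) for i, n in enumerate(names)}

# Constructed formulas (the slides' own 4-bit formula is not in the text).
NAMES = ('x', 'y', 'z')
X, Y, Z, ZERO = ('var', 'x'), ('var', 'y'), ('var', 'z'), ('const', 0)
PHI_EXT = ('and', ('eq', ('add', X, Y), Z), ('slt', Z, ZERO))            # x+y=z ∧ z<0
PHI_SAT = ('and', PHI_EXT, ('and', ('slt', ZERO, X), ('slt', ZERO, Y)))  # ... ∧ 0<x ∧ 0<y
PHI_UNSAT = ('eq', X, ('add', X, ('const', 1)))                          # x = x+1
```

Under these assumptions bvmc(PHI_SAT, NAMES) hits Bad at the second cycle with the trace x = 01, y = 01, z = 10, i.e. the width-2 model (1, 1, -2); extending that model by one bit fails, which is the "otherwise continue without 𝜋" branch of Slide 25, while the width-1 model of PHI_EXT extends greedily to any target width. For PHI_UNSAT the reachable set closes after three cycles, so the formula is unsatisfiable at every width without unrolling further: this is the Slide 22 "free lunch".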
Slide26
Experiments
Slide27
Implementation
LIAMC: supports all bit-wise operations and the LIA subset of QF_BV
Implemented on top of ABC and an open-source SMT-LIB parser
Benchmarks: translated all the LIA benchmarks to QF_BV
Using varying bit-vector widths: 32, 64, and 128
Slide28 to Slide32: experimental result figures
Slide33
Related Work
Fröhlich, Kovásznai, Biere, “Efficiently solving bit-vector problems using model checkers”, SMT’13
Solves a restricted subset of QF_BV with BDD-based model checking
Bitwise operators, addition, subtraction, shift by one, indexing and comparators
Translates the formula to a circuit
Keeps a guard counter to verify the formula only at the target depth
Our contribution:
The guard counter is not required!
Generalization to higher widths for SAT and UNSAT
Support for multiplication by a constant
Slide34
Future Work
More QF_BV operators:
Sign/zero extension and extraction can be added fairly easily
Non-linear: multiplication, division, shl/shr by a variable
Recall yesterday's talk by Alberto Griggio on linearization
Improve UNSAT performance
Dedicated MC algorithms?
Better scalability for LIA
Our method can be extended to LIA
Paper accepted to FMCAD’17
Less efficient than LIA solvers overall, but solves instances none of them can solve
Slide35
Conclusion
A novel decision procedure for an important subset of QF_BV: the LIA subset
Important in the context of SW/HW validation
Superior to state-of-the-art BV solvers on satisfiable instances
Unsatisfiable instances: work in progress
Working on extending the support for QF_BV
Slide36
Thank you for your attention
Slide37
Backup
Slide38
Reduction to Safety Verification
A formula 𝜑 is translated to a sequential circuit C
Assume 𝜑 is a DAG
Slide39
Extending a satisfying assignment
𝜋: a counterexample of length k