## Efficiently Solving Quantified Bit-Vector Formulas


Citations: 15 (4 self)

### BibTeX

```bibtex
@MISC{Wintersteiger_efficientlysolving,
  author = {Christoph M. Wintersteiger and Youssef Hamadi and Leonardo De Moura},
  title = {Efficiently Solving Quantified Bit-Vector Formulas},
  year = {}
}
```


### Abstract

In recent years, bit-precise reasoning has gained importance in hardware and software verification. Of renewed interest is the use of symbolic reasoning for synthesising loop invariants, ranking functions, or whole program fragments and hardware circuits. Solvers for the quantifier-free fragment of bit-vector logic exist and often rely on SAT solvers for efficiency. However, many techniques require quantifiers in bit-vector formulas to avoid an exponential blow-up during construction. Solvers for quantified formulas usually flatten the input to obtain a quantified Boolean formula, losing much of the word-level information in the formula. We present a new approach based on a set of effective word-level simplifications that are traditionally employed in automated theorem proving, heuristic quantifier instantiation methods used in SMT solvers, and model finding techniques based on skeletons/templates. Experimental results on two different types of benchmarks indicate that our method outperforms the traditional flattening approach by multiple orders of magnitude in runtime.

### Citations

518 | Simple word problems in universal algebras - Knuth, Bendix - 1970
Citation Context: ... coefficient of x is odd [12]. 5) Rewriting: The idea of using rewriting for performing equational reasoning is not new. It traces back to the work developed in the context of Knuth-Bendix completion [21]. The basic idea is to use unit clauses of the form ∀x. t[x] = r[x] as rewrite rules t[x] ❀ r[x], when t[x] is “bigger than” r[x]. Any instance t[s] of t[x] is then replaced by r[s]. For example, in t...

357 | On the synthesis of a reactive module - Pnueli, Rosner - 1989
Citation Context: ... reasoning in the area of software verification where low-level languages like C or C++ are concerned. In both areas, hardware and software design, methods of automated synthesis (e.g., LTL synthesis [23]) become more and more tangible with the advent of powerful and efficient decision procedures for various logics, most notably SAT and SMT solvers. In practice, however, synthesis methods are often in...

146 | A Decision Procedure for Bit-Vectors and Arrays - Ganesh, Dill - 2007
Citation Context: ...g step is essentially equivalent to a theory solving step, where t1[x, y] = t2[x, y] is solved for x. In the case of linear bit-vector equations, this can be achieved when the coefficient of x is odd [12]. 5) Rewriting: The idea of using rewriting for performing equational reasoning is not new. It traces back to the work developed in the context of Knuth-Bendix completion [21]. The basic idea is to us...

121 | A complete method for the synthesis of linear ranking functions - Podelski, Rybalchenko - 2004
Citation Context: ...ing a module that implements a specification [23], [20], while for software this can take different shapes: inferring program invariants [16], finding ranking functions for termination analysis [28], [24], [8], program fragment synthesis [26], or constructing bugfixes following an error-description [27] are all instances of the general synthesis problem. In this paper, we present a new approach to sol...

113 | Resolve and expand - Biere
Citation Context: ...by the input formula size. If the QBV formula is a conjunction of many universally quantified formulas, a more attractive approach is quantifier elimination using BDDs [3] or resolution and expansion [4]. [Figure residue: Fig. 2 and Fig. 3, runtime scatter plots with axes from 0.01 to 1k [sec], labelled Z3 and QuBE]

85 | The Satisfiability Modulo Theories Library (SMT-LIB). http://www.SMT-LIB.org - Ranise, Tinelli - 2006
Citation Context: ... variation of model-based quantifier instantiation [13] based on templates. The procedure SMT is an SMT solver for the quantifier-free bit-vector and uninterpreted function theory (QF_UFBV in SMT-LIB [1]). The procedure HeuristicInst(φ[x]) creates an initial set of ground instances of φ[x] using heuristic instantiation. Note that the formula ρ is monotonically increasing in size, so the procedures SM...

65 | Boolector: An efficient SMT solver for bit-vectors and arrays - Brummayer, Biere - 2009
Citation Context: ... interpretations for macros may be used to build an interpretation for f based on the interpretations of f1,0 and f0,1. 8) Other simplifications: As many other SMT solvers for bit-vector theory ([6], [5], [2]), our QBVF solver implements several bit-vector specific rewriting/simplification rules such as: a − a =⇒ 0. These rules have been proved to be very effective in solving quantifier-free bit-vect...

54 | From program verification to program synthesis - Srivastava, Gulwani, et al. - 2010
Citation Context: ...cation [23], [20], while for software this can take different shapes: inferring program invariants [16], finding ranking functions for termination analysis [28], [24], [8], program fragment synthesis [26], or constructing bugfixes following an error-description [27] are all instances of the general synthesis problem. In this paper, we present a new approach to solving quantified bit-vector logic. This...

44 | Efficient E-matching for SMT solvers - Moura, Bjørner - 2007
Citation Context: ...it-vectors. On satisfiable instances, they will often not terminate or give up. On some unsatisfiable instances, SMT solvers may terminate using techniques based on heuristic quantifier instantiation [9]. It is not surprising that standard SMT solvers cannot handle these problems; the search space is simply too large. Synthesis tools based on automated reasoning try to constrain the search space usin...

39 | Checking a large routine - Turing - 1949
Citation Context: ...structing a module that implements a specification [23], [20], while for software this can take different shapes: inferring program invariants [16], finding ranking functions for termination analysis [28], [24], [8], program fragment synthesis [26], or constructing bugfixes following an error-description [27] are all instances of the general synthesis problem. In this paper, we present a new approach ...

36 | Optimizations for LTL synthesis - Jobstmann, Bloem
Citation Context: ... often incomplete, bound to very specific application domains, or simply inefficient. In the case of hardware, synthesis usually amounts to constructing a module that implements a specification [23], [20], while for software this can take different shapes: inferring program invariants [16], finding ranking functions for termination analysis [28], [24], [8], program fragment synthesis [26], or construc...

34 | Evaluating QBFs via symbolic Skolemization - Benedetti
Citation Context: ...plates are polynomially bounded by the input formula size. If the QBV formula is a conjunction of many universally quantified formulas, a more attractive approach is quantifier elimination using BDDs [3] or resolution and expansion [4]. [Figure residue: Fig. 2 and Fig. 3, runtime scatter plots with axes from 0.01 to 1k [sec], labelled Z3 and QuBE]

28 | Oracle-guided component-based program synthesis. ICSE - Jha, Gulwani, et al. - 2010
Citation Context: ...l QBV logic. Synthesis tools. Finally, there is recent and active interest in using modern SMT solvers in the context of synthesis of inductive loop invariants [25] and synthesis of program fragments [19], such as sorting, matrix multiplication, decompression, graph, and bit-manipulating algorithms. These applications share a common trait in the way they use their underlying symbolic solver. They sear...

24 | Complete instantiation for quantified formulas in satisfiability modulo theories - Ge, Moura - 2009
Citation Context: ...ould correspond to a very large function graph. When models are encoded in this fashion, it is straightforward to check whether a universally quantified formula ∀x. ϕ[x] is satisfied by a structure M [13]. Let ϕ^M[x] be the formula obtained from ϕ[x] by replacing any term f(r) with M[f(r)], for every uninterpreted function symbol f. A structure M satisfies ∀x. ϕ[x] if and only if ¬ϕ^M[s] is unsatis...

22 | Program verification using templates over predicate abstraction - Srivastava, Gulwani - 2009
Citation Context: ...ion of SMT techniques to the more general QBV logic. Synthesis tools. Finally, there is recent and active interest in using modern SMT solvers in the context of synthesis of inductive loop invariants [25] and synthesis of program fragments [19], such as sorting, matrix multiplication, decompression, graph, and bit-manipulating algorithms. These applications share a common trait in the way they use the...

17 | QuBE++: an Efficient QBF Solver - Giunchiglia, Narizzano, et al. - 2004
Citation Context: ...ll in benchmarks containing bit-vectors and quantifiers. In the past, QBF solvers have been used to attack these problems. We therefore compare to the state-of-the-art QBF solvers sKizzo [3] and QuBE [14]. Formulas in the first set exhibit the structure of fixpoint formulas described in section III. The circuits that we use as benchmarks are derived from a previous evaluation of VCEGAR [18] and were...

16 | Ranking function synthesis for bit-vector relations - Cook, Kroening, et al.
Citation Context: ...module that implements a specification [23], [20], while for software this can take different shapes: inferring program invariants [16], finding ranking functions for termination analysis [28], [24], [8], program fragment synthesis [26], or constructing bugfixes following an error-description [27] are all instances of the general synthesis problem. In this paper, we present a new approach to solving ...

15 | Beyond CNF: A Circuit-Based QBF Solver - Goultiaeva, Iverson, et al.
Citation Context: ...tal data is provided in Appendix C. One of the potential issues resulting in bad performance may be the prenex clausal form of QBFs. It has thus been proposed to use non-prenex non-clausal form [11], [15]. This has been demonstrated to be beneficial on certain types of formulas, but all known decision procedures fail to exploit any form of word-level information. A further problem with QBF solvers is ...

13 | Constraint-based invariant inference over predicate abstraction - Gulwani, Srivastava, et al. - 2009
Citation Context: ...In the case of hardware, synthesis usually amounts to constructing a module that implements a specification [23], [20], while for software this can take different shapes: inferring program invariants [16], finding ranking functions for termination analysis [28], [24], [8], program fragment synthesis [26], or constructing bugfixes following an error-description [27] are all instances of the general syn...

13 | Handbook of Practical Logic and Automated Reasoning - Harrison - 2009
Citation Context: ...in first-order provers. We also propose new rules that are particularly useful in our application domain. 1) Miniscoping: Miniscoping is a well-known technique for minimizing the scope of quantifiers [17]. We apply it after converting the formula to negation normal form. The basic idea is to distribute universal (existential) quantifiers over conjunctions (disjunctions). This transformation is particu...

13 | Sword: A SAT like prover using word level information - Wille, Fey, et al. - 2007
Citation Context: ...of bit-vector logic existed. Usually, those solvers are based on a small set of word-level simplifications and subsequent flattening (bit-blasting) to propositional formulas. Some solvers (e.g., SWORD [29]), try to incorporate word-level information while solving the flattened formula. Some tools also have limited support for quantifiers (e.g. BAT [22]), but this is usually restricted to either a singl...

12 | Schema-guided synthesis of imperative programs by constraint solving - Colón - 2004
Citation Context: ...[x, x′] → ∃y, y′. I[y] ∧ T^{k−1}[y, y′], where x, x′, y, and y′ are (usually large) bit-vectors. Of renewed interest is the use of symbolic reasoning for synthesising code [26], loop invariants [7], [16] and ranking functions [8] for finite-state programs. All these applications can be easily encoded in QBVF. To illustrate these ideas, consider the following abstract program: pre while (c) { T...

10 | BAT: The bit-level analysis tool - Manolios, Srinivasan, et al. - 2007
Citation Context: ... propositional formulas. Some solvers (e.g., SWORD [29]), try to incorporate word-level information while solving the flattened formula. Some tools also have limited support for quantifiers (e.g. BAT [22]), but this is usually restricted to either a single quantifier or a single alternation of quantifiers which may be expanded at feasible cost. Most SMT QF_BV solvers support heuristic instantiation of...

9 | Fault localization and correction with QBF - Staber, Bloem - 2007
Citation Context: ...shapes: inferring program invariants [16], finding ranking functions for termination analysis [28], [24], [8], program fragment synthesis [26], or constructing bugfixes following an error-description [27] are all instances of the general synthesis problem. In this paper, we present a new approach to solving quantified bit-vector logic. This logic allows for a direct mapping of hardware and (finite-sta...

6 | A solver for QBFs in negation normal form - Egly, Seidl, et al.
Citation Context: ...erimental data is provided in Appendix C. One of the potential issues resulting in bad performance may be the prenex clausal form of QBFs. It has thus been proposed to use non-prenex non-clausal form [11], [15]. This has been demonstrated to be beneficial on certain types of formulas, but all known decision procedures fail to exploit any form of word-level information. A further problem with QBF solve...

3 | Word-level predicate-abstraction and refinement techniques for verifying RTL Verilog - Jain, Kroening, et al. - 2008
Citation Context: ...] and QuBE [14]. Formulas in the first set exhibit the structure of fixpoint formulas described in section III. The circuits that we use as benchmarks are derived from a previous evaluation of VCEGAR [18]³ and were extracted using a customized version of the EBMC bounded model checker⁴, which is able to ... (Footnote 3: These benchmarks are available at http://www.cprover.org/hardware/. Footnote 4: EBMC is available at http...)

1 | Evaluating QBFs via Symbolic Skolemization - Springer