challenges in bit precise reasoning
play

Challenges in Bit-Precise Reasoning Armin Biere Johannes Kepler - PowerPoint PPT Presentation

Aug 31, 2022 •227 likes •567 views

Challenges in Bit-Precise Reasoning Armin Biere Johannes Kepler University Linz, Austria based on joined work with Aina Niemetz, Andreas Fr ohlich, Gergely Kov asznai, Mathias Preiner FMCAD 2014 EPFL, Lausanne, Switzerland Tuesday, 21

  1. Challenges in Bit-Precise Reasoning Armin Biere Johannes Kepler University Linz, Austria based on joined work with Aina Niemetz, Andreas Fr¨ ohlich, Gergely Kov´ asznai, Mathias Preiner FMCAD 2014 EPFL, Lausanne, Switzerland Tuesday, 21 October, 2014

  4. Almost All Binary Search Implementations are Broken 3/32 int bsearch (int * a, int n, int e) { int l = 0, r = n; if (!n) return 0; int main (void) { while (l + 1 < r) { int n = INT_MAX; printf ("l=%d r=%d\n", l, r); int * a = calloc (n, 4); int m = (l + r) / 2; (void) bsearch (a, n, 1); if (e < a[m]) r = m; } else l = m; } $ ./bsearch return a[l] == e; l=0 r=2147483647 } l=1073741823 r=2147483647 Segmentation fault Challenges in Bit-Precise Reasoning @ FMCAD’14

  5. Syntax 4/32 common “word-level” operators QF BV standard SMTLIB2 format constants: 0x7fffffff , variables: fixed size bit vectors bool x[32] equality “ x = y ”, inequality “ x ≤ y ” predicates: (signed & unsigned) bit-wise logical ops: negation , conjunction , xor ˜x x & y x ˆ y word operators: slicing “ x [ l : r ] ”, concatenation “ x ◦ y ” conditional operator or if-then-else operator “ c ? t : e ” zero extension and sign extension shift operators: left shift , arithmetic/logical right shift , rotation basic arithmetic operators: negation (1-complement), addition , multiplication overflow checking for addition and multiplication derived arith. ops: unary minus (2-complement), substraction , division , modulo extended word-level operators (QF )[A][UF]BV uninterpreted functions “UF”, arrays “A” with read / write operators with quantifiers (no “QF ”) Challenges in Bit-Precise Reasoning @ FMCAD’14

  6. Modelling with Bit-Vectors 5/32 allows to capture bit-precise semantics precisely RTL-level / word-level for HW assembler or C level for SW but beware: int in Java has 2-complement semantics arrays used to model memories in HW or pointers in SW low-level (flat) memory model “writable” extension of uninterpreted functions (UF ⊆ A) extensional arrays: check satisfiability assuming equality of (updated) arrays a = write (b, j, v) ∧ read (a, j) � = v in this example extensionality could be removed by substitution quantifiers (and lambdas) are even more powerful than arrays typical scenario symbolic execution of a program bounded model checking of an RTL model Challenges in Bit-Precise Reasoning @ FMCAD’14

  7. Bit-Blasting of 4-Bit Addition 6/32 s = x + y addition of 4-bit numbers x , y with result s also 4-bit: [ s 3 , s 2 , s 1 , s 0 ] 4 = [ x 3 , x 2 , x 1 , x 0 ] 4 +[ y 3 , y 2 , y 1 , y 0 ] 4 [ s 3 , · ] 2 = FullAdder ( x 3 , y 3 , c 2 ) [ s 2 , c 2 ] 2 = FullAdder ( x 2 , y 2 , c 1 ) [ s 1 , c 1 ] 2 = FullAdder ( x 1 , y 1 , c 0 ) [ s 0 , c 0 ] 2 = FullAdder ( x 0 , y 0 , 0 ) where [ s , o ] 2 = FullAdder ( x , y , i ) with = s x ˆ y ˆ i = ( x ∧ y ) ∨ ( x ∧ i ) ∨ ( y ∧ i ) = (( x + y + i ) ≥ 2 ) o Challenges in Bit-Precise Reasoning @ FMCAD’14

  8. And-Inverter-Graphs (AIG) 7/32 widely adopted bit-level intermediate representation see for instance our AIGER format http://fmv.jku.at/aiger used in Hardware Model Checking Competition (HWMCC) also used in the structural track in (ancient) SAT competitions many companies use similar techniques basic logical operators: conjunction and negation DAGs: nodes are conjunctions, negation/sign as edge attribute bit stuffing: signs are compactly stored as LSB in pointer automatic sharing of isomorphic graphs, constant time (peep hole) simplifications or even SAT sweeping, full reduction, etc ... see ABC system from Berkeley Challenges in Bit-Precise Reasoning @ FMCAD’14

  9. XOR as AIG 8/32 x y negation/sign are edge attributes not part of node x ˆ y ≡ ( x ∧ y ) ∨ ( x ∧ y ) ≡ ( x ∧ y ) ∧ ( x ∧ y ) Challenges in Bit-Precise Reasoning @ FMCAD’14

  10. Bit-Stuffing Techniques for AIGs in C 9/32 typedef struct AIG AIG; struct AIG { enum Tag tag; /* AND, VAR */ void *data[2]; int mark, level; /* traversal */ AIG *next; /* hash collision chain */ }; #define sign_aig(aig) (1 & ( unsigned ) aig) #define not_aig(aig) ((AIG*)(1 ^ ( unsigned ) aig)) #define strip_aig(aig) ((AIG*)(~1 & ( unsigned ) aig)) #define false_aig ((AIG*) 0) #define true_aig ((AIG*) 1) assumption for correctness: sizeof(unsigned) == sizeof(void*) Challenges in Bit-Precise Reasoning @ FMCAD’14

  11. O0 O0 50 106 ��ΦΜΞ�ΕΗΗΙς O1 102 104 O1 46 48 110 94 100 O2 108 92 98 96 54 38 44 114 86 90 32 30 O2 52 36 42 40 O3 112 84 88 34 2[0] 1[0] 118 78 82 2 4 O3 58 30 34 14 16 O4 116 76 80 36 1[1] 2[1] 122 70 74 6 8 62 56 28 32 18 1[0] 2[0] O5 120 68 72 38 1[2] 2[2] 60 22 26 4 2 126 62 66 10 12 O6 124 60 64 40 1[3] 2[3] 10 12 24 20 2[1] 1[1] O7 130 54 58 16 14 134 128 52 56 42 2[4] 1[4] 1[3] 2[3] 6 8 132 46 50 20 18 1[2] 2[2] 26 28 48 44 2[5] 1[5] ��ΦΜΞ�ΕΗΗΙς 1[7] 2[7] 22 24 1[6] 2[6]

  12. O0 O6 O1 O2 O7 O4 O5 O3 130 O8 334 216 O14 O9 254 348 O10 306 O15 320 O12 292 O13 O11 84 174 328 236 300 128 350 314 332 362 342 274 214 352 252 346 354 364 304 358 318 290 360 356 82 172 234 298 312 326 272 126 330 340 2 212 250 344 302 316 288 60 80 150 170 224 294 232 308 322 296 262 270 104 336 310 324 2[0] 194 124 244 338 248 210 282 286 58 148 222 78 168 230 260 102 268 4 192 242 246 280 208 284 122 48 56 138 146 218 220 68 76 256 166 158 226 228 264 258 92 266 100 2[1] 182 190 238 240 276 278 112 202 206 120 46 136 54 144 66 74 164 156 90 6 180 98 188 110 200 204 118 42 44 132 134 50 52 140 142 62 64 72 160 152 162 86 70 154 88 2[2] 176 178 94 96 184 186 106 108 196 198 114 116 8 12 14 16 18 24 20 26 10 22 28 30 32 34 36 38 40 1[0] 1[1] 1[2] 1[3] 1[4] 1[7] 1[5] 1[8] 2[3] 1[6] 1[9] 1[10] 1[11] 1[12] 1[13] 1[14] 1[15] bit-vector of length 16 shifted by bit-vector of length 4

  13. O0 402 400 398 394 396 392 390 32 388 2[0] 386 384 O1 380 382 406 378 376 298 404 374 300 294 296 370 372 290 292 O2 28 366 368 288 410 2[1] 362 364 284 286 214 408 360 302 280 282 212 356 358 276 278 24 210 352 354 274 216 2[2] 350 348 270 272 206 208 O3 346 304 266 268 204 414 344 342 262 264 200 202 146 412 340 338 260 218 196 198 144 334 336 256 258 192 194 20 142 332 306 252 254 190 148 2[3] 328 330 248 250 186 188 138 140 O4 324 326 246 220 182 184 136 418 322 320 242 244 178 180 132 134 94 416 308 238 240 176 150 128 130 92 234 236 172 174 124 126 16 90 318 232 222 168 170 122 96 2[4] 314 316 228 230 164 166 118 120 86 O5 88 310 312 224 162 152 114 116 84 422 30 26 158 160 110 112 80 82 420 58 1[0] 226 1[1] 154 108 98 76 78 56 22 104 106 72 12 74 54 1[2] 156 100 70 2[5] 60 O6 18 102 66 68 50 52 426 1[3] 62 48 38 424 O7 14 64 44 46 36 428 1[4] 40 42 34 6 8 4 10 2 1[7] 2[6] 2[7] 1[5] 1[6]

  14. Tseitin Transformation: Encode Circuit to CNF 13/32 CNF y o ∧ ( x ↔ a ∧ c ) ∧ x ( y ↔ b ∨ x ) ∧ o ( u ↔ a ∨ b ) ∧ u a ( v ↔ b ∨ c ) ∧ ( w ↔ u ∧ v ) ∧ b w ( o ↔ y ⊕ w ) w v c o ∧ ( x → a ) ∧ ( x → c ) ∧ ( x ← a ∧ c ) ∧ ... o ∧ ( x ∨ a ) ∧ ( x ∨ c ) ∧ ( x ∨ a ∨ c ) ∧ ... Challenges in Bit-Precise Reasoning @ FMCAD’14

  15. Boolector Architecture 14/32 BTOR subst Expr parse O2 SMT2 Expr synthesize slice rewrite norm O1 AIG(Vec) SMT1 O3 O1 = bottom up simplification encode O2 = global but almost linear O3 = normalizing (often non−linear) [default] CNF SAT Solver Lingeling / PicoSAT / MiniSAT Challenges in Bit-Precise Reasoning @ FMCAD’14

  16. Internal Expression Types 15/32 enum BtorNodeKind { BTOR_BV_CONST_NODE = 1, BTOR_SLL_NODE = 11, BTOR_BV_VAR_NODE = 2, BTOR_SRL_NODE = 12, BTOR_PARAM_NODE = 3, BTOR_UDIV_NODE = 13, BTOR_SLICE_NODE = 4, BTOR_UREM_NODE = 14, BTOR_AND_NODE = 5, BTOR_CONCAT_NODE = 15, BTOR_BEQ_NODE = 6, BTOR_APPLY_NODE = 16, BTOR_FEQ_NODE = 7, BTOR_LAMBDA_NODE = 17, BTOR_ADD_NODE = 8, BTOR_BCOND_NODE = 18, BTOR_MUL_NODE = 9, BTOR_ARGS_NODE = 19, BTOR_ULT_NODE = 10, BTOR_UF_NODE = 20, BTOR_PROXY_NODE = 21 }; Challenges in Bit-Precise Reasoning @ FMCAD’14

  17. Further Boolector Rewriting Internals 16/32 fast parallel substitution collects top-level variable assignments (equalities) collects boolean (bit-width 1) top-level constraints (embedded constraints) normalize arithmetic equalities and try to isolate variables (Gauss) one pass substitution restricted to output-cone of substituted variables needs occurrence check, equalities between non-variable terms not used so only partially simulates congruence closure but works nice for typical SSA form encodings boolean skeleton preprocessing encode boolean (bit-width 1) part into SAT solver use SAT preprocessing to extract forced units (backbone) replace sliced variables by new variables eliminate unconstrained sub-expressions optionally perform full beta reduction these expensive global rewriting steps iterated until completion Challenges in Bit-Precise Reasoning @ FMCAD’14

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Optimal Prices in the Towards a Precise . . . Towards a Precise . . . Presence of Discounts:

Optimal Prices in the Towards a Precise . . . Towards a Precise . . . Presence of Discounts:

Practical Situation: . . . How to Describe . . . Formulation of the . . . Optimal Prices in the Towards a Precise . . . Towards a Precise . . . Presence of Discounts: Precise Optimization . . . A New Economic Main result Proof: Part I

449 views • 12 slides
Quantitative Reasoning + Skills Reasoning (QR): what + why Challenges New Faculty Winter

Quantitative Reasoning + Skills Reasoning (QR): what + why Challenges New Faculty Winter

2/7/20 Outline Quantitative Quantitative Reasoning + Skills Reasoning (QR): what + why Challenges New Faculty Winter Workshop 2019 Teaching Strategies Lin Winton, Quantitative Resource Center Resources Quantitative Resource

335 views • 4 slides
Automated Reasoning: Some Successes and New Challenges Predrag Jani ci c

Automated Reasoning: Some Successes and New Challenges Predrag Jani ci c

What is this talk about? What is automated reasoning? Automated reasoning in propositional logic Automated reasoning in first-order logic Automated reasoning in higher-order logic Automated reasoning in geometry Conclusions Automated

806 views • 52 slides
Precise Performance LTD Jake Yarranton jake@precise-performance.co.uk 07468 465754 Precise

Precise Performance LTD Jake Yarranton jake@precise-performance.co.uk 07468 465754 Precise

Precise Performance LTD Jake Yarranton jake@precise-performance.co.uk 07468 465754 Precise Performance LTD Independent Bike fitting and coaching specialists Our main focus is to help cyclists of every ability improve Experts in

388 views • 15 slides
Operational Semantics This course Why semantics? y := 1; precise specification of software

Operational Semantics This course Why semantics? y := 1; precise specification of software

Operational Semantics This course Why semantics? y := 1; precise specification of software and while ( x = 1) do ( y := x y ; x := x 1) hardware First we assign 1 to y , then we test whether facilitate reasoning about systems:

355 views • 10 slides
Machining Expert Precise In Dimensions Precise In Deliveries Flexible In Business

Machining Expert Precise In Dimensions Precise In Deliveries Flexible In Business

Machining Expert Precise In Dimensions Precise In Deliveries Flexible In Business Volume Customer Oriented In Costs 2 We Are Proud Of Our History 1978 Mr. M. Ergun Alanyal established Mapar 1980 First Supply To Automotive

348 views • 20 slides
QUO VADIS, SLD? REASONING ABOUT THE TRENDS AND CHALLENGES OF SYSTEM LEVEL DESIGN Alberto

QUO VADIS, SLD? REASONING ABOUT THE TRENDS AND CHALLENGES OF SYSTEM LEVEL DESIGN Alberto

1 QUO VADIS, SLD? REASONING ABOUT THE TRENDS AND CHALLENGES OF SYSTEM LEVEL DESIGN Alberto Sangiovanni-Vincentelli Presentation by Michael Zimmer September 21 st , 2010 Current Problems 2 Exponentially rising complexity in circuits and

703 views • 44 slides
CHAPTER-4 1 LOGIC AND REASONING ! Knowledge and ! Reasoning in Knowledge- Reasoning Based

CHAPTER-4 1 LOGIC AND REASONING ! Knowledge and ! Reasoning in Knowledge- Reasoning Based

CHAPTER-4 1 LOGIC AND REASONING ! Knowledge and ! Reasoning in Knowledge- Reasoning Based Systems ! syntax and semantics ! shallow and deep reasoning ! validity and satisfiability ! forward and backward ! logic languages chaining ! alternative

616 views • 23 slides
Precise Gauging &amp; Automation Technology Address:PRECISE GAUGING &amp; AUTOMATION TECHNOLOGY

Precise Gauging &amp; Automation Technology Address:PRECISE GAUGING &amp; AUTOMATION TECHNOLOGY

Precise Gauging &amp; Automation Technology Address:PRECISE GAUGING &amp; AUTOMATION TECHNOLOGY S No 24/2B , Opposite Konark Eureka , Old Mundhwa Road , Sainath Nagar , Kharadi , Pune 411014 INDIA Who we are? A professionally managed

1.38k views • 27 slides
Effectiveness of Career Development? Ask a Precise Question if You Want a Precise Answer Peter

Effectiveness of Career Development? Ask a Precise Question if You Want a Precise Answer Peter

1 Effectiveness of Career Development? Ask a Precise Question if You Want a Precise Answer Peter McIlveen University of Southern Queensland Career development practitioners are challenged to provide evidence of the relevance of their research,

335 views • 6 slides
Probabilistic Reasoning; Probabilistic Reasoning; Network-based reasoning Network-based

Probabilistic Reasoning; Probabilistic Reasoning; Network-based reasoning Network-based

Probabilistic Reasoning; Probabilistic Reasoning; Network-based reasoning Network-based reasoning COMPSCI 276, Fall 2014 Set 1: Introduction and Background Rina Dechter (Reading: Pearl chapter 1-2, Darwiche chapters 1,3) 1 Why/What/How

700 views • 45 slides
Evidential and Causal Reasoning Much reasoning in AI can be seen as evidential reasoning ,

Evidential and Causal Reasoning Much reasoning in AI can be seen as evidential reasoning ,

Evidential and Causal Reasoning Much reasoning in AI can be seen as evidential reasoning , (observations to a theory) followed by causal reasoning (theory to predictions). Diagnosis Given symptoms, evidential reasoning leads to hypotheses about

243 views • 8 slides
Precise Garbage Collection in C PANKHURI February 16, 2011 Agenda Problem Statement. Precise /

Precise Garbage Collection in C PANKHURI February 16, 2011 Agenda Problem Statement. Precise /

Precise Garbage Collection in C PANKHURI February 16, 2011 Agenda Problem Statement. Precise / Conservative Garbage Collection. What will Magpie do ? C semantics and Precise GC. When will Magpie fail ? Design and Implementation. Results.

467 views • 15 slides
Challenges and Opportunities for Automated Reasoning John Harrison Intel Corporation 10th

Challenges and Opportunities for Automated Reasoning John Harrison Intel Corporation 10th

Challenges and Opportunities for Automated Reasoning John Harrison Intel Corporation 10th October 2012 (15:5016:35) Summary of talk Motivation: the need for dependable proof LCF-style theorem proving Intel verification work

1.1k views • 76 slides
MQTT Protocol for Real Time GNSS Data and Correction Distribution Precise Positioning Precise

MQTT Protocol for Real Time GNSS Data and Correction Distribution Precise Positioning Precise

MQTT Protocol for Real Time GNSS Data and Correction Distribution Precise Positioning Precise P Precise Positioning sitioning Real-Time Kinematic (RTK) positioning Precise Point Positioning (PPP) Requires additional correction!

340 views • 14 slides
Precise Electroweak Tests at LHC Fernando Marroquim Universidade Federal do Rio de Janeiro April

Precise Electroweak Tests at LHC Fernando Marroquim Universidade Federal do Rio de Janeiro April

Precise Electroweak Tests at LHC Fernando Marroquim Universidade Federal do Rio de Janeiro April 2006 Introduction Precise W Mass Measurement Precise Top Mass Measurements Single Top Production Triple gauge boson couplings

164 views • 14 slides
English Language - IGCSE Touching the Void (I) Viewpoint 1 st person account vs 3 rd person

English Language - IGCSE Touching the Void (I) Viewpoint 1 st person account vs 3 rd person

English Language - IGCSE Touching the Void (I) Viewpoint 1 st person account vs 3 rd person account 2 nd person accounts are normally instructional 1 st and 3 rd person accounts may contain 2 nd person passages biographical vs

1.57k views • 144 slides
Data Transmission Surasak Sanguanpong nguan@ku.ac.th http://www.cpe.ku.ac.th/~nguan Last

Data Transmission Surasak Sanguanpong nguan@ku.ac.th http://www.cpe.ku.ac.th/~nguan Last

Data Communications and Computer Networks 1/10 Data Transmission Surasak Sanguanpong nguan@ku.ac.th http://www.cpe.ku.ac.th/~nguan Last updated: Feb 8 2001 Applied Network Research Group Department of Computer

328 views • 9 slides
Information Retrieval 70: :

Information Retrieval 70: :

Introduction to Information Retrieval Introduction to Information Retrieval Introduction to Information Retrieval 70: : 9:

609 views • 46 slides
Web Security TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA)

Web Security TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA)

Web Security TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA) Avdelningen fr Databas- och Informationsteknik (ADIT) Original slides by Marcus Bendtsen Some recent attacks 2 A game changer The Internet

1.17k views • 87 slides
A floating body approach to Feffermans surface area David Barrett Chapel Hill 25

A floating body approach to Feffermans surface area David Barrett Chapel Hill 25

A floating body approach to Feffermans surface area David Barrett Chapel Hill 25 October 2003 1 Plan of talk (1) Real affine geometry (2) Complex analogue (3) My contribution (4) Questions / further directions 2 Plane curves

302 views • 12 slides
Webinar Bradley Merrill Thompson Kim Tyrrell-Knott Epstein Becker &amp; Green 1 Agenda 1.

Webinar Bradley Merrill Thompson Kim Tyrrell-Knott Epstein Becker &amp; Green 1 Agenda 1.

Clinical Decision Support Software Proposed FDA Regulatory Framework Webinar Bradley Merrill Thompson Kim Tyrrell-Knott Epstein Becker &amp; Green 1 Agenda 1. Overview of Clinical Decision Support (CDS) Software 2. CDS Regulatory Framework

491 views • 28 slides
MAV Annual Conference 2018 Further Maths exams: using the CAS calculator efficiently and

MAV Annual Conference 2018 Further Maths exams: using the CAS calculator efficiently and

MAV Annual Conference 2018 Further Maths exams: using the CAS calculator efficiently and effectively Presenter: Kevin McMenamin | e: kxm@mentonegrammar.net Core: Data analysis (Examination 1) The dot plot below displays the difference in travel

118 views • 11 slides
Heat Transfer Mechanisms Conduction Convection Radiation Homework Conduction

Heat Transfer Mechanisms Conduction Convection Radiation Homework Conduction

Heat Transfer Mechanisms Conduction Convection Radiation Homework Conduction Conduction is energy transfer due to an exchange of kinetic energy between molecules Less energetic molecules gain energy by

375 views • 9 slides

More recommend