bit-vector rewriting with automatic rule generation

BIT-VECTOR REWRITING WITH AUTOMATIC RULE GENERATIONAlexander NadelIntel Haifa, Israel

CAV 2014Vienna, AustriaJuly 22th, 2014

2

Agenda• Introduction to Bit-Vector Solving and Rewriting• Automatic Rewriting-based Preprocessing• Experimental Results

3

Bit-Vector (BV) Language• Variables and constants are bit-vectors of user-defined width:

• width 1 (Bool): 0• width 8: [01011110]• width 30: [010111100100011101000011001101]

• Operators:• Core: =, , if-then-else• Bit-wise: ~, &, |, ^, …• Arithmetic: +, -, *, /, …• Comparison: <, , >, • Bit-propagating: concat, extract, <<, >>, …

• Assertions: a Boolean literal must hold

4

BV Formula Examplea = 1

Assertions

Widths: w(a) = 1; w(v {b,c,d,e,f,g,h,i,j,k,l}) = 4

c b f j

xnord

=

a

+e

+g

-h

/i

-1=[1111]

&k

0=[0000]

<<l

op1

op1

op2

op2

Input DAG

op1 op2

BV solving is widely used (in SW and HW validation; scheduling; number theory; automatic configuration; …)

5

BV Solver Architecture

Preprocessing

SAT DPLL(BV)

Eager Lazy

6

BV Solver Architecture

PreprocessingRewriting: preprocessor’s bread and button

SAT DPLL(BV)

Eager Lazy

7

xnor

Rewriting ExampleDAG Rewriting

RulesPremise Conclusion

y+0 y0+z z1*z zy*1 yy*2 y<<1

y<<0 yy[w]<<(nw) 0

y | -1 -1y & -1 y-1 & z z

hundreds of rules in practice!

c b f j

=

a

+e

+g

-h

/i

-1=[1111]

&k

0=[0000]

<<l

op1

op1

op2

op2

Input DAG

op1 op2

a = 1Assertions

d

8



y+0 y0+z z1*z zy*1 yy*2 y<<1

y<<0 yy[w]<<(nw) 0

y | -1 -1y & -1 y-1 & z z


op1 op2

a = 1Assertions

c b f j

=

a

+e

+g

-h

/i

-1=[1111]

&k

0=[0000]

<<l

op1

op1

op2

op2

Input DAG

op1 op2

dxnor

9



y+0 y0+z z1*z zy*1 yy*2 y<<1

y<<0 yy[w]<<(nw) 0

y | -1 -1y & -1 y-1 & z z


a = 1Assertions

c b f j

=

a

+e

+g

-h

/i

-1=[1111]

&k

op1

op1

op2

op2

Input DAG

dxnor

10



y+0 y0+z z1*z zy*1 yy*2 y<<1

y<<0 yy[w]<<(nw) 0

y | -1 -1y & -1 y-1 & z z


a = 1Assertions

c b f

=

a

+e

+g

-h

/i

-1=[1111]

&k

op1

op2

op2

Input DAG

j

op1

dxnor

11



y+0 y0+z z1*z zy*1 yy*2 y<<1

y<<0 yy[w]<<(nw) 0

y | -1 -1y & -1 y-1 & z z


a = 1Assertions

c b f

=

a

+e

+g

-h

/i

op1

op2

op2

Input DAG

d

j

op1

xnor

12

Common Approach

Our Approach Our approach: comments

When are the rules created? Offline Run-time Algorithm starts with an empty set of

rules

How are the rules generated? Manually Automatically A SAT-based procedure

Where are the rules stored? Hard-coded Hash table

Are the rules instance-specific No Yes

- Generates rules only for operators & widths appearing in the instance

- Won’t miss width-specific rules, e.g.: y+2 = y–2 for width 2

Rewriting framework

DAG-based rewriting 0-saturation

- 0-saturation: - equivalence & constant

propagation, we extend from propositional to BV reasoning

- applied after the DAG is ready our approach can be applied after the common approach

13

Common Approach



rules






Rewriting framework





14

Common Approach



rules






Rewriting framework





15

Common Approach



rules






Rewriting framework





16

Common Approach



rules






Rewriting framework





17

Common Approach



rules






Rewriting framework





18

Next: the New Algorithm in Action

19

d = b xnor c

a = b == c

g = e + d

h = f - g

e = f + d

i = j / h

Triplets (a triplet: x = y op z)

Generating Input to 0-saturation Input to 0-saturation

w(a) = 1; w(v {b,c,d,e,f,g,h,i,j}) = 4

c b f j

xnord=

a

+e

+g -

h \i

Input DAG (potentially after rewriting)

a = 1

Assertions

op2

op2

op1op1

w(a) = 1; w(v {b,c,d,e,f,g,h,i,j}) = 4

20

a = b == c

Evaluation Queue Bindings

d = b xnor c

g = e + d

h = f - g

e = f + d

i = j / h

a = 11 = b == c

21

d = b xnor c

1 = b == c

g = e + d

h = f - g

Evaluation Queue Active Triplets Bindings Rules

e = f + d

i = j / h

Triplets to be evaluated

• Evaluation of a triplet may yield new bindings or a contradiction.

• An evaluated triplet either moves to the “active” state or becomes a tautology and removed

Active triplets• Evaluated non-tautological triplets become

active

• Any triplet one of whose variables is bound (replaced by another) is moved back to the evaluation queue

• Active triplets comprise the output of 0-saturation

Bindings

• Equivalences entailed by the formula

22

d = b xnor c

1 = b == c

g = e + d

h = f - g


e = f + d

i = j / h

Rules

• Automatically generated rules for evaluating triplets

• Empty in the beginning

• Instance-specific rules are generated on-the-fly

• A rule: premise conclusion per concrete operation and width

• Premise: a condition that must hold for the triplet to apply the rule

• Conclusion is either:• A set of bindings• A contradiction• Empty

23

d = b xnor c

1 = b == c

g = e + d

h = f - g


e = f + d

i = j / h

24

d = b xnor c

1 = b == c

g = e + d

h = f - g


e = f + d

i = j / h

25

d = b xnor c

1 = b == c

g = e + d

h = f - g


e = f + d

i = j / h

Given a triplet x = y op z, look for a rule if:

any v {x,y,z} is a rewriting constant or a rewriting function of u v {x,y,z}

Premise Detection:

Rewriting constants0 = [00…000]-1 = [11…111]1 = [00…001]-2 = [11…110]2 = [00…010]

Rewriting functionsEquivalence:

f1(v) = vUnary minus:

f6(v) = −vNegation:

f7(v) = −v − 1 = v∼Neighbors:

f2(v) = v − 1 = −v∼f3(v) = v − 2 = − −v∼ ∼f4(v) = v + 1 = − v∼f5(v) = v + 2 = − − v∼ ∼

Unary minus neighbors:f8(v) = −v − 2 = − v∼ ∼f9(v) = −v + 1 = − −v∼f10(v) = −v + 2 = − − −v∼ ∼

26

d = b xnor c

1 = b == c

g = e + d

h = f - g


e = f + d

i = j / h

1. Premise detection is successful: x is the rewriting constant 1!

2. Do any rules with this premise exist?1. Yes apply the rule2. No generate a conclusion

27

1 = y == z

Check if at least one of v {x,y,z} is a rewriting constant or a rewriting function of u v {x,y,z} and generate the corresponding bindings

Conclusion Generation Example

Generate a CNF corresponding to the formula:

y=0?

Add clauses for y 0 with a selector s 𝑦 0❑∨ 𝑦1❑∨𝑦 2❑∨ 𝑦3❑∨¬𝑠

Solve all the clauses under the assumption s with incremental SAT

Satisfiable: no rule can be learnt

w(x) = 1; w(y)=w(z)=4

28

1 = y == z

y=z?

Add clauses for y z with a selector:

Solve all the clauses under the assumption s with incremental SAT

Unsatisfiable; rule learnt: x=1 y=z for operation ==; width 4

Conclusion Generation Example

Generate a CNF corresponding to the formula:

w(x) = 1; w(y)=w(z)=4

Check if at least one of v {x,y,z} is a rewriting constant or a rewriting function of u v {x,y,z} and generate the corresponding bindings

29

d = b xnor c

1 = b == c

g = e + d

h = f - g


e = f + d

i = j / h

Op W Prem. Concl.

== 4 x=1 y=z

b = c

30

d = b xnor b

g = e + d

h = f - g


e = f + d

i = j / h

b = cOp W Prem. Concl.

== 4 x=1 y=z

31

d = b xnor b

g = e + d

h = f - g


e = f + d

i = j / h


== 4 x=1 y=z

32

d = b xnor b

g = e + d

h = f - g


e = f + d

i = j / h

1. Premise detection is successful: y is the rewriting function f1(v)=v of z!

2. Do any rules with this premise exist?• No generate a conclusion with

incremental SAT


== 4 x=1 y=z

33

d = b xnor b

g = e + d

h = f - g


e = f + d

i = j / h

d=-1


== 4 x=1 y=zxnor 4 y=z x=-1

34

g = e - 1

h = f - g


e = f - 1

i = j / h

d=-1


== 4 x=1 y=zxnor 4 y=z x=-1

35

g = e - 1

h = f - g


e = f - 1

i = j / h

d=-1


== 4 x=1 y=zxnor 4 y=z x=-1

36

g = e - 1

h = f - g


e = f - 1

i = j / h

1. Premise detection is successful: z is the rewriting constant 1

1. Do any rules with this premise exist?• No generate a conclusion with

incremental SAT

d=-1


== 4 x=1 y=zxnor 4 y=z x=-1

37

Op W Prem. Concl.

== 4 x=1 y=zxnor 4 y=z x=-1

- 4 z=1 x=y-1 ~x=-yg = e - 1

h = f - g


e = f - 1

i = j / h

d=-1

b = c

~e=-f

38

g = e - 1

h = f - g


i = j / h

d=-1

b = c

~e=-f

Op W Prem. Concl.

== 4 x=1 y=zxnor 4 y=z x=-1

- 4 z=1 x=y-1 ~x=-y

39

g = e - 1

h = f - g


i = j / h

d=-1

b = c

~e=-f

Op W Prem. Concl.

== 4 x=1 y=zxnor 4 y=z x=-1

- 4 z=1 x=y-1 ~x=-y

40

g = e - 1

h = f - g


i = j / h

d=-1

b = c

~e=-f

1. Premise detection is successful: z is the rewriting constant 1

1. Do any rules with this premise exist?• Yes apply the rule

Op W Prem. Concl.

== 4 x=1 y=zxnor 4 y=z x=-1

- 4 z=1 x=y-1 ~x=-y

41

g = e - 1

h = f - g


i = j / h

d=-1

b = c

~e=-f~g=-e

Op W Prem. Concl.

== 4 x=1 y=zxnor 4 y=z x=-1

- 4 z=1 x=y-1 ~x=-y

42

h = f - g


i = j / h

d=-1

b = c

~e=-f~g=-e

Op W Prem. Concl.

== 4 x=1 y=zxnor 4 y=z x=-1

- 4 z=1 x=y-1 ~x=-y

43

h = f - g


i = j / h

d=-1

b = c

~e=-f~g=-e

Op W Prem. Concl.

== 4 x=1 y=zxnor 4 y=z x=-1

- 4 z=1 x=y-1 ~x=-y

44

h = f - g


i = j / h

d=-1

b = c

~e=-f~g=-e

1. Premise detection is successful: -~-~g = -~-(-e) = -~e = -(-f) = f,thus g = ~-~-f = f-2• Discovered in O(1) based on bindings

2. Do any rules with this premise exist?• No generate a conclusion with incremental

SAT

Op W Prem. Concl.

== 4 x=1 y=zxnor 4 y=z x=-1

- 4 z=1 x=y-1 ~x=-y

45

Op W Prem. Concl.

== 4 x=1 y=zxnor 4 y=z x=-1

- 4 z=1 x=y-1 ~x=-y

- 4 z=y-2 x=2h = f - g


i = j / h

d=-1

b = c

~e=-f~g=-e

h=2

46


i = j / 2

d=-1

b = c

~e=-f~g=-e

h=2

Op W Prem. Concl.

== 4 x=1 y=zxnor 4 y=z x=-1

- 4 z=1 x=y-1 ~x=-y

- 4 z=y-2 x=2

47


i = j / 2

d=-1

b = c

~e=-f~g=-e

h=2

Op W Prem. Concl.

== 4 x=1 y=zxnor 4 y=z x=-1

- 4 z=1 x=y-1 ~x=-y

- 4 z=y-2 x=2

48


i = j / 2

d=-1

b = c

~e=-f~g=-e

h=2

1. Premise detection is successful: z=2

2. Do any rules with this premise exist?• No generate a conclusion using

incremental SAT solving

Op W Prem. Concl.

== 4 x=1 y=zxnor 4 y=z x=-1

- 4 z=1 x=y-1 ~x=-y

- 4 z=y-2 x=2

49

Op W Prem. Concl.

== 4 x=1 y=zxnor 4 y=z x=-1

- 4 z=1 x=y-1 ~x=-y

- 4 z=y-2 x=2

/ 4 z=2 empty


i = j / 2

d=-1

b = c

~e=-f~g=-e

h=2

1. Premise detection is successful: z=2

2. Do any rules with this premise exist?• No generate a conclusion with incremental

SAT

50

1. 0-saturation is completed

2. In eager BV solving, the active triplets are bit-blasted to CNF and solved with SAT


i = j / 2 d=-1

b = c

~e=-f~g=-e

h=2

Op W Prem. Concl.

== 4 x=1 y=zxnor 4 y=z x=-1

- 4 z=1 x=y-1 ~x=-y

- 4 z=y-2 x=2

/ 4 z=2 empty

51

Experimental Results• Solvers:

• Hazel: Intel’s eager BV solver • Base Hazel: Hazel without the new approach• New Hazel: Hazel with the new approach

• Boolector (version 1.6.0)• Mathsat (version 5.2.10; SMT’11 config.)

• Benchmarks:• 23 families of the ASP category of SMT-LIB• 11 difficult instances from Intel’s HW validation flow

• Time-out: • 20 min. for SMT-LIB• 40 min. for industrial instances

52

New Hazel outperforms base Hazel on 20/23 ASP families

ASP FamilyNew Hazel Base Hazel Boolector Mathsat

# Time TO's Time TO's Time TO's Time TO'sDisjunctiveScheduling 4 515 0 4800 4 3582 2 2523 2Solitaire 23 2200 1 27600 23 5825 1 24802 18Labyrinth 10 6996 0 10342 8 12000 10 12000 10EdgeMatching 29 5345 0 25073 19 30693 23 32391 24WeightBoundedDominatingSet 29 2591 0 25625 16 5550 2 20228 10Sudoku 8 3229 0 5918 4 7213 6 7213 6GraphColouring 12 3362 1 4952 4 2771 1 5674 4GraphPartitioning 7 205 0 2514 1 1418 0 2939 2Fastfood 17 1152 0 4272 2 3869 0 6487 3HamiltonianPath 29 2694 1 3678 3 271 0 4036 3Sokoban 29 833 0 2662 0 872 0 15700 8HierarchicalClustering 12 56 0 123 0 1165 0 267 015Puzzle 15 168 0 359 0 477 0 2654 0Hanoi 15 101 0 200 0 1345 0 1584 0GeneralizedSlitherlink 29 220 0 352 0 1226 0 506 0ChannelRouting 8 12 0 18 0 117 0 60 0KnightTour 3 1280 1 1798 1 67 0 1347 1BlockedNQueens 29 11737 5 16213 5 1023 0 30521 22SchurNumbers 29 6643 3 6938 3 1053 0 8061 4WireRouting 19 8567 5 8712 5 6330 0 16511 12TravellingSalesperson 29 34800 29 34800 29 6449 0 33339 26ConnectedDominatingSet 21 499 0 382 0 294 0 612 0MazeGeneration 29 3543 1 2518 0 879 0 2610 0

53



New Hazel outperforms base Hazel significantly on 13/23 ASP families: it either solves more instances or is at least 2x faster

54



New Hazel outperforms all the other solvers on 14/23 ASP families

55



New Hazel outperforms all the other solvers significantly on 10/23 ASP families: it either solves more instances or is at least 2x faster

56

Experimental Results over 23 ASP Families: Observations Summary• Few rules with non-empty conclusion are generated, but

are applied very frequently• 2-12 rules are generated on average per family• Rules are applied almost 200,000 times on average

• 0-saturation run-time overhead is negligible• 1% on average overall• <5% is the worst result per family

57

New Hazel vs. Base Hazel vs. Boolector on Industrial Benchmarks

BenchmarkNew Hazel Base Hazel Boolector

Time TO? Time TO? Time TO?1 6.052 0 7.828 0 41.266 02 53.147 0 65.196 0 19.269 03 49.919 0 52.063 0 53.287 04 54.891 0 66.64 0 2400 15 113.371 0 46.974 0 16.797 06 118.799 0 87.061 0 11.1 07 99.97 0 91.125 0 16.945 08 172.486 0 25.953 0 20.125 09 174.942 0 2400 1 2400 1

10 23.353 0 2400 1 3.504 011 648.708 0 2400 1 84.885 0

Grand Total 1515.638 0 7642.84 3 5067.178 2

59

Interesting Rules (that is, Rules with a Non-Empty Conclusion) Number per ASP Family

0 1 2 3 4 5 6 7 8 9 10 11 12 13 140

2

4

6

8

10

12

14

Speed-up of New Hazel vs. Base Hazel

Inte

rest

ing

Rul

es

60

Interesting Rules Application Number per ASP Family

0 1 2 3 4 5 6 7 8 9 10 11 12 13 141000

10000

100000

1000000

10000000


Inte

rest

ing

Rule

s A

pplic

atio

ns

61

0-saturation Average Run-time per ASP Family (Including Rule Generation) as Function of Speed-Up of New Hazel vs. Base Hazel

0 1 2 3 4 5 6 7 8 9 10 11 12 13 140.00%

0.50%

1.00%

1.50%

2.00%

2.50%

3.00%

3.50%

4.00%

4.50%

5.00%


0-sa

tura

tion

frac

tion

62

Percentage of CNF Clauses per ASP Family in New Hazel w.r.t Base Hazel

0 1 2 3 4 5 6 7 8 9 10 11 12 13 140.0%

20.0%

40.0%

60.0%

80.0%

100.0%

120.0%


Redu

ctio

n in

the

num

ber o

f cla

uses

63

BV Solving• BV theory: a powerful and flexible language which

encompasses C language operators

• Wide-spread usage: • SW validation• HW validation• Number theory• Combinatorial problems• Automated configuration• Scheduling• …

• Many solvers: Boolector, STP, CVC, Z3, Mathsat, Intel’s Hazel, …

64



New Hazel outperforms Mathsat on 21/23 ASP families (while base Hazel outperforms Mathsat on 18/23 ASP families)

65



New Hazel outperforms Boolector on 14/23 ASP families (while base Hazel outperforms Boolector on 8/23 ASP families only)

bit-vector rewriting with automatic rule generation

Documents

defined width

israel cav

hold34bv formula examplea

boolean literal

vectors of user