Introduction
Context. Not so long ago, program verification was such an ambitious goal that even brilliant minds decided it was bound to fail []. At the time, the authors concluded their controversial paper saying that if, despite all their reasons, verification still seems an avenue worth exploring, so be it. And so it was. Today, software verification is a well established field of research, and industrial adoption has been achieved is some key areas, such as safety-critical systems.
Since the early 2000s, there is a significant trend in the research community toward reducing verification problems to satisfiability problems of first-order logical formulas over well-chosen theories (e.g. bitvectors, arrays or floating-point arithmetic), leveraging the advances of modern powerful SAT and SMT solvers [].
The problem. While SMT and SAT are the de facto standard in verification, a few teams explore how Constraint Programming (CP) techniques can be used in that setting [].
Yet, currently, there is no good CP-based resolution technique for (the quantifier-free fragment of) the theory of bitvectors [], i.e. fixed-size arrays of bits equipped with standard low-level machine instructions, which is of paramount importance in verification since it allows to encode most of the basic datatypes found in any programming language.
Goal and challenge. We address the challenge of developing efficient Constraint Programming-based approaches for solving formulas over the quantifier-free fragment of the theory of bitvectors (BV). Our goal is to be able to solve many practical problems arising from verification (with the SMTCOMP challenge].
Proposal and contributions. We propose CP(BV), a highly efficient BV resolution technique built on carefully chosen anterior results [] sharpened with key original features such as thorough domain combination or dedicated labeling. Extensive experimental evaluations demonstrate that CP(BV) is much more efficient than previous similar attempts from the CP community, that it is indeed able to solve the majority of the standard verification benchmarks for bitvectors, and that it already complements the standard SMT approaches on several crucial (and industry-relevant) aspects, notably in terms of scalability w.r.t. bit-width, theory combination or intricate mix of non-linear arithmetic and bitwise operators. Our main contributions are the following:
We present CP(BV), an original framework for CP-based resolution of BV problems, which built on anterior results and extend them with several key new features in terms of thorough domain combination or dedicated labeling. This results in a competitive CP-based solver, excelling in key aspects such as scalability w.r.t. bitwidth and combination of theories. A comparison of CP(BV) with previous work is presented in Table .
We perform a systematic and extensive evaluation of the effect of our different CP improvements on the efficiency of our implementation. This compares the options at our disposal and justifies those we retained, establishing a firm ground onto which future improvements can be made. It also shows the advantage of our approach relative to the other CP approaches applied to BV, and that our approach is able to solve a very substantial part of problems from the SMTCOMP challenge.
Finally, we perform an extensive comparison against the best SMT solvers for BV problems, namely: Z3 []. This comparison exhibits the strenghts of CP over SMT approaches on particular instances. Specifically, our implementation surpasses several (and sometimes all ) solvers on some examples involving large bit-vectors and/or combination with floating-point arithmetic.
Table 1.
Overview of our method
| Bardin et al. [] | Michel et al. [] | CP(BV) |
---|
Bitvector domain | + | ++ | ++ [] |
Arithmetic domain | ++ | + | ++ [] |
Domain combination | + | + | ++ |
Simplifications | + | x | ++ |
BV-aware labeling | x | x | ++ |
Implemented | Yes | No | Yes |
Benchmark | Conjunctive formulas 200 formulas | Arbitrary formulas 30,000 formula |
Discussion. Considering that our current CP(BV) approach is far from optimal compared to existing SMT solvers (implemented in Prolog, no learning), we consider this work as an important landmark toward building competitive CP-based verification-oriented solvers. Moreover, our approach clearly challenges the well-accepted belief that bitvector solving is better done through bitblasting, opening the way for a new generation of word-level solvers.
Motivation
The standard (SMT) approach for solving bit-vector problem, called bit-blasting [], we propose a high-level encoding of bitvector problems, seen as Constraint Satisfaction Problems (CSP) over finite (but potentially huge) domains. Each bitvector variable of the original BV problem is now considered as a (CSP) bounded-arithmetic variable, with dedicated domains and propagators.
Now illustrating with concrete examples, we show the kind of problems where our approach can surpass existing SMT solvers. Consider the three following formulas: