
A decision procedure for bit-vectors and arrays

Published: 03 July 2007

Abstract

STP is a decision procedure for the satisfiability of quantifier-free formulas in the theory of bit-vectors and arrays that has been optimized for the large problems encountered in software analysis applications. The basic architecture of the procedure consists of word-level pre-processing algorithms followed by translation to SAT. The primary bottlenecks in software verification and bug-finding applications are large arrays and linear bit-vector arithmetic. New algorithms based on the abstraction-refinement paradigm are presented for reasoning about large arrays. A solver for bit-vector linear arithmetic is presented that eliminates variables and parts of variables, enabling other transformations and reducing the size of the problem that is eventually passed to the SAT solver.

These and other algorithms have been implemented in STP, which has been heavily tested on thousands of examples obtained from several real-world applications. Experimental results indicate that this mix of algorithms, together with the overall architecture, is far more effective for a variety of applications than a direct translation of the original formula to SAT or than other comparable decision procedures.




Published In

CAV'07: Proceedings of the 19th International Conference on Computer Aided Verification
July 2007, 562 pages
ISBN: 9783540733676
Editors: Werner Damm, Holger Hermanns

    Sponsors

• German Science Foundation
• Artist2 Network of Excellence
• Cadence Design Systems
• Informatik Saarland
• IBM

    Publisher

Springer-Verlag, Berlin, Heidelberg


Cited By

• (2023) State Merging with Quantifiers in Symbolic Execution. Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pp. 1140-1152. doi:10.1145/3611643.3616287. Online publication date: 30-Nov-2023.
• (2022) Automated Software Test Generation: Some Challenges, Solutions, and Recent Advances. Computing and Software Science, pp. 505-531. doi:10.1007/978-3-319-91908-9_24. Online publication date: 11-Mar-2022.
• (2021) Program analysis via efficient symbolic abstraction. Proceedings of the ACM on Programming Languages 5(OOPSLA), pp. 1-32. doi:10.1145/3485495. Online publication date: 15-Oct-2021.
• (2021) Bounded Verification of Multi-threaded Programs via Lazy Sequentialization. ACM Transactions on Programming Languages and Systems 44(1), pp. 1-50. doi:10.1145/3478536. Online publication date: 9-Dec-2021.
• (2021) A bounded symbolic-size model for symbolic execution. Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pp. 1190-1201. doi:10.1145/3468264.3468596. Online publication date: 20-Aug-2021.
• (2021) Skeletal approximation enumeration for SMT solver testing. Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pp. 1141-1153. doi:10.1145/3468264.3468540. Online publication date: 20-Aug-2021.
• (2021) Probabilistic profiling of stateful data planes for adversarial testing. Proceedings of the 26th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, pp. 286-301. doi:10.1145/3445814.3446764. Online publication date: 19-Apr-2021.
• (2020) Device-agnostic Firmware Execution is Possible: A Concolic Execution Approach for Peripheral Emulation. Proceedings of the 36th Annual Computer Security Applications Conference, pp. 746-759. doi:10.1145/3427228.3427280. Online publication date: 7-Dec-2020.
• (2020) Relocatable addressing model for symbolic execution. Proceedings of the 29th ACM SIGSOFT International Symposium on Software Testing and Analysis, pp. 51-62. doi:10.1145/3395363.3397363. Online publication date: 18-Jul-2020.
• (2019) Performance contracts for software network functions. Proceedings of the 16th USENIX Conference on Networked Systems Design and Implementation, pp. 517-530. doi:10.5555/3323234.3323277. Online publication date: 26-Feb-2019.
