Solving Quantified BitVectors Using Invertibility Conditions
Abstract
We present a novel approach for solving quantified bitvector formulas in Satisfiability Modulo Theories (SMT) based on computing symbolic inverses of bitvector operators. We derive conditions that precisely characterize when bitvector constraints are invertible for a representative set of bitvector operators commonly supported by SMT solvers. We utilize syntaxguided synthesis techniques to aid in establishing these conditions and verify them independently by using several SMT solvers. We show that invertibility conditions can be embedded into quantifier instantiations using Hilbert choice expressions, and give experimental evidence that a counterexampleguided approach for quantifier instantiation utilizing these techniques leads to performance improvements with respect to stateoftheart solvers for quantified bitvector constraints.
1 Introduction
Many applications in hardware and software verification rely on Satisfiability Modulo Theories (SMT) solvers for bitprecise reasoning. In recent years, the quantifierfree fragment of the theory of fixedsize bitvectors has received a lot of interest, as witnessed by the number of applications that generate problems in that fragment and by the high, and increasing, number of solvers that participate in the corresponding division of the annual SMT competition. Modeling properties of programs and circuits, e.g., universal safety properties and program invariants, however, often requires the use of quantified bitvector formulas. Despite a multitude of applications, reasoning efficiently about such formulas is still a challenge in the automated reasoning community.
The majority of solvers that support quantified bitvector logics employ instantiationbased techniques [8, 21, 22, 25], which aim to find conflicting ground instances of quantified formulas. For that, it is crucial to select good instantiations for the universal variables, or else the solver may be overwhelmed by the number of ground instances generated. For example, consider a quantified formula \(\psi = \forall x.\,(x + {s} \not \approx t) \) where x, s and t denote bitvectors of size 32. To prove that \(\psi \) is unsatisfiable we can instantiate x with all \(2^{32}\) possible bitvector values. However, ideally, we would like to find a proof that requires much fewer instantiations. In this example, if we instantiate x with the symbolic term \(t  s\) (the inverse of \(x + s \approx t \) when solved for x), we can immediately conclude that \(\psi \) is unsatisfiable since \((t  s) + {s} \not \approx t \) simplifies to false.
Operators in the theory of bitvectors are not always invertible. However, we observe it is possible to identify quantifierfree conditions that precisely characterize when they are. We do that for a representative set of operators in the standard theory of bitvectors supported by SMT solvers. For example, we have proven that the constraint \(x \cdot s \approx t\) is solvable for x if and only if \( ( s \mid s) \mathrel { \& } t \approx t\) is satisfiable. Using this observation, we develop a novel approach for solving quantified bitvector formulas that utilizes invertibility conditions to generate symbolic instantiations. We show that invertibility conditions can be embedded into quantifier instantiations using Hilbert choice functions in a sound manner. This approach has compelling advantages with respect to previous approaches, which we demonstrate in our experiments.
More specifically, this paper makes the following contributions.

We derive and present invertibility conditions for a representative set of bitvector operators that allow us to model all bitvector constraints in SMTLIB [3].

We provide details on how invertibility conditions can be automatically synthesized using syntaxguided synthesis (SyGuS) [1] techniques, and make public 162 available challenge problems for SyGuS solvers that are encodings of this task.

We prove that our approach can efficiently reduce a class of quantified formulas, which we call unit linear invertible, to quantifierfree constraints.

Leveraging invertibility conditions, we implement a novel quantifier instantiation scheme as an extension of the SMT solver CVC4 [2], which shows improvements with respect to stateoftheart solvers for quantified bitvector constraints.
2 Preliminaries
We assume the usual notions and terminology of manysorted firstorder logic with equality (denoted by \(\approx \)). Let \(S\) be a set of sort symbols, and for every sort \({\sigma \in S}\) let \(X _{\sigma }\) be an infinite set of variables of sort \(\sigma \). We assume that sets \(X _{\sigma }\) are pairwise disjoint and define \(X\) as the union of sets \(X _{\sigma }\). Let \(\varSigma \) be a signature consisting of a set \(\varSigma ^s \!\subseteq S \) of sort symbols and a set \(\varSigma ^f \) of interpreted (and sorted) function symbols \(f^{\sigma _1 \cdots \sigma _n \sigma }\) with arity \(n \ge 0\) and \(\sigma _1, ..., \sigma _n, \sigma \in \varSigma ^s \). We assume that a signature \(\varSigma \) includes a Boolean sort \(\mathsf {Bool}\) and the Boolean constants \(\top \) (true) and \(\bot \) (false). Let \({\mathcal {I}}\) be a \(\varSigma \) interpretation that maps: each \(\sigma \in \varSigma ^s \) to a nonempty set \(\sigma ^{\mathcal {I}} \) (the domain of \({\mathcal {I}}\)), with \(\mathsf {Bool} ^{\mathcal {I}} = \{ \top , \bot \}\); each \(x \in X _{\sigma } \) to an element \({x^{\mathcal {I}} \in \sigma ^{\mathcal {I}} }\); and each \(f^{\sigma _1 \cdots \sigma _n \sigma } \in \varSigma ^f \) to a total function \(f^{\mathcal {I}} \!\!: \sigma _1^{\mathcal {I}} \times ... \times \sigma _n^{\mathcal {I}} \rightarrow \sigma ^{\mathcal {I}} \) if \(n > 0\), and to an element in \(\sigma ^{\mathcal {I}} \) if \(n = 0\). If \(x \in X_\sigma \) and \(v \in \sigma ^{\mathcal {I}} \), we denote by \({\mathcal {I}} [x \mapsto v]\) the interpretation that maps x to v and is otherwise identical to \({\mathcal {I}} \). We use the usual inductive definition of a satisfiability relation \(\models \) between \(\varSigma \)interpretations and \(\varSigma \)formulas.
We assume the usual definition of wellsorted terms, literals, and formulas as \(\mathsf {Bool}\) terms with variables in \(X\) and symbols in \(\varSigma \), and refer to them as \(\varSigma \)terms, \(\varSigma \)atoms, and so on. A ground term/formula is a \(\varSigma \)term/formula without variables. We define \(\varvec{x} = (x_1, ..., x_n)\) as a tuple of variables and write \(Q\varvec{x} \varphi \) with \(Q \in \{ \forall , \exists \}\) for a quantified formula \(Qx_1 \cdots Qx_n \varphi \). We use \(\mathrm {Lit}(\varphi )\) to denote the set of \(\varSigma \)literals of \(\varSigma \)formula \(\varphi \). For a \(\varSigma \)term or \(\varSigma \)formula e, we denote the free variables of e (defined as usual) as \({FV}(e)\) and use \(e[\varvec{x} ]\) to denote that the variables in \(\varvec{x}\) occur free in e. For a tuple of \(\varSigma \)terms \(\varvec{t} = (t_1, ..., t_n)\), we write \(e[\varvec{t} ]\) for the term or formula obtained from e by simultaneously replacing each occurrence of \(x_i\) in e by \(t_i\). Given a \(\varSigma \)formula \(\varphi [x]\) with \({x \in X _{\sigma }}\), we use Hilbert’s choice operator \(\varepsilon \) [12] to describe properties of x. We define a choice function \(\varepsilon x.\,\varphi [x]\) as a term where x is bound by \(\varepsilon \). In every interpretation \({\mathcal {I}} \), \(\varepsilon x.\,\varphi [x]\) denotes some value \(v \in \sigma ^{\mathcal {I}} \) such that \({\mathcal {I}} [x \mapsto v]\) satisfies \(\varphi [x]\) if such values exist, and denotes an arbitrary element of \(\sigma ^{\mathcal {I}} \) otherwise. This means that the formula \(\exists x.\,\varphi [x] \Leftrightarrow \varphi [\varepsilon x.\,\varphi [x] ]\) is satisfied by every interpretation.
A theory T is a pair \((\varSigma , {I})\), where \(\varSigma \) is a signature and \({I}\) is a nonempty class of \(\varSigma \)interpretations (the models of T) that is closed under variable reassignment, i.e., every \(\varSigma \)interpretation that only differs from an \({{\mathcal {I}} \in {I}}\) in how it interprets variables is also in \({I}\). A \(\varSigma \)formula \(\varphi \) is Tsatisfiable (resp. Tunsatisfiable) if it is satisfied by some (resp. no) interpretation in \({I}\); it is Tvalid if it is satisfied by all interpretations in \({I}\). A choice function \(\varepsilon x.\,\varphi [x]\) is (T)valid if \(\exists x.\,\varphi [x]\) is (T)valid. We refer to a term t as \(\varepsilon \) (T)valid if all occurrences of choice functions in t are (T)valid. We will sometimes omit T when the theory is understood from context.
We will focus on the theory \(T_{BV} = (\varSigma _{BV}, {I} _{BV})\) of fixedsize bitvectors as defined by the SMTLIB 2 standard [3]. The signature \(\varSigma _{BV} \) includes a unique sort for each positive bitvector width n, denoted here as \(\sigma _{[n]} \). Similarly, \(X _{[n]}\) is the set of bitvector variables of sort \(\sigma _{[n]} \), and \(X _{BV} \) is the union of all sets \(X _{[n]}\). We assume that \(\varSigma _{BV}\) includes all bitvector constants of sort \(\sigma _{[n]} \) for each n, represented as bitstrings. However, to simplify the notation we will sometimes denote them by the corresponding natural number in \(\{0, \ldots , 2^{n1}\}\). All interpretations \({\mathcal {I}} \in {I} _{BV}\) are identical except for the value they assign to variables. They interpret sort and function symbols as specified in SMTLIB 2. All function symbols in \(\varSigma ^f _{BV}\) are overloaded for every \(\sigma _{[n]} \! \in \varSigma ^s _{BV}\). We denote a \(\varSigma _{BV}\)term (or bitvector term) t of width n as \(t_{[n]}\) when we want to specify its bitwidth explicitly. We use \(\text {max}_{s{[n]}}\) or \(\text {min}_{s{[n]}}\) for the maximum or minimum signed value of width n, e.g., \(\text {max}_{s{[4]}} = 0111\) and \(\text {min}_{s{[4]}}=1000\). The width of a bitvector sort or term is given by the function \(\kappa \), e.g., \(\kappa (\sigma _{[n]}) = n\) and \(\kappa (t_{[n]}) = n\).
Set of considered bitvector operators with corresponding SMTLIB 2 syntax.
Symbol  SMTLIB syntax  Sort 

\(\approx \), \(<_u\), \(>_u\), \(<_s\), \(>_s\)  =, bvult, bvugt, bvslt, bvsgt  \(\sigma _{[n]} \times \sigma _{[n]} \rightarrow \mathsf {Bool} \) 
\({\sim }\,\), \(\)  bvnot, bvneg  \(\sigma _{[n]} \rightarrow \sigma _{[n]}\) 
\( \mathrel { \& }\), \(\mid \), \(\mathop {<<}\), \(\mathop {>>}\), \(\mathop {>>_a}\)  bvand, bvor, bvshl, bvlshr, bvashr  \(\sigma _{[n]} \times \sigma _{[n]} \rightarrow \sigma _{[n]}\) 
\(+\), \(\cdot \), \(\bmod \), \(\div \)  bvadd, bvmul, bvurem, bvudiv  \(\sigma _{[n]} \times \sigma _{[n]} \rightarrow \sigma _{[n]}\) 
\(\circ \)  concat  \(\sigma _{[n]} \times \sigma _{[m]} \rightarrow \sigma _{[n+m]}\) 
\([u:l]\)  extract  \(\sigma _{[n]} \rightarrow \sigma _{[ul+1]}\), \(0 \le l \le u < n\) 
3 Invertibility Conditions for BitVector Constraints
This section formally introduces the concept of an invertibility condition and shows that such conditions can be used to construct symbolic solutions for a class of quantifierfree bitvector constraints that have a linear shape.
Consider a bitvector literal \(x + s \approx t\) and assume that we want to solve for x. If the literal is linear in x, that is, has only one occurrence of x, a general solution for x is given by the inverse of bitvector addition over equality: \(x = t  s \). Computing the inverse of a bitvector operation, however, is not always possible. For example, for \(x \cdot s \approx t\), an inverse always exists only if s always evaluates to an odd bitvector. Otherwise, there are values for s and t where no such inverse exists, e.g., \(x \cdot 2 \approx 3\). However, even if there is no unconditional inverse for the general case, we can identify the condition under which a bitvector operation is invertible. For the bitvector multiplication constraint \(x \cdot s \approx t\) with \(x \notin {FV}(s) \cup {FV}(t) \), the invertibility condition for x can be expressed by the formula \( ( s \mid s) \mathrel { \& } t \approx t\).
Definition 1
(Invertibility Condition). Let \(\ell [x]\) be a \(\varSigma _{BV}\)literal. A quantifierfree \(\varSigma _{BV}\)formula \(\phi _\mathrm {c}\) is an invertibility condition for x in \(\ell [x]\) if \(x \not \in {FV}(\phi _\mathrm {c}) \) and \(\phi _\mathrm {c}\Leftrightarrow \exists x.\,\ell [x] \) is \(T_{BV}\)valid.
An invertibility condition for a literal \(\ell [x]\) provides the exact conditions under which \(\ell [x]\) is solvable for x. We call it an “invertibility” condition because we can use Hilbert choice functions to express all such conditional solutions with a single symbolic term, that is, a term whose possible values are exactly the solutions for x in \(\ell [x]\). Recall that a choice function \(\varepsilon y.\,\varphi [y]\) represents a solution for a formula \(\varphi [x]\) if there exists one, and represents an arbitrary value otherwise. We may use a choice function to describe inverse solutions for a literal \(\ell [x]\) with invertibility condition \(\phi _\mathrm {c}\) as \(\varepsilon y.\,(\phi _\mathrm {c}\Rightarrow \ell [y])\). For example, for the general case of bitvector multiplication over equality the choice function is defined as \( \varepsilon y.\,(( s \mid s) \mathrel { \& } t \approx t \;\Rightarrow \; y \cdot s \approx t)\).
Lemma 2
If \(\phi _\mathrm {c}\) is an invertibility condition for an \(\varepsilon \)valid \(\varSigma _{BV}\)literal \(\ell [x]\) and r is the term \(\varepsilon y.\,(\phi _\mathrm {c}\Rightarrow \ell [y]) \), then r is \(\varepsilon \)valid and \(\ell [r] \Leftrightarrow \exists x.\,\ell [x] \) is \(T_{BV}\)valid.^{1}
Intuitively, the lemma states that when \(\ell [x]\) is satisfiable (under condition \(\phi _\mathrm {c}\)), any value returned by the choice function \(\varepsilon y.\,(\phi _\mathrm {c}\Rightarrow \ell [y]) \) is a solution of \(\ell [x]\) (and thus \(\exists x.\,\ell [x] \) holds). Conversely, if there exists a value v for x that makes \(\ell [x]\) true, then there is a model of \(T_{BV}\) that interprets \(\varepsilon y.\,(\phi _\mathrm {c}\Rightarrow \ell [y]) \) as v.
Figure 1 describes in pseudo code the procedure to solve for x in an arbitrary literal \(\ell [x] = e[x] \bowtie t\) that is linear in x. We assume that e[x] is built over the set of bitvector operators listed in Table 1. Function \(\mathsf {solve}\) recursively constructs a symbolic solution by computing (conditional) inverses as follows. Let function \(\mathsf {getInverse} (x, \ell [x])\) return a term \(t'\) that is the inverse of x in \(\ell [x]\), i.e., such that \(\ell [x] \Leftrightarrow x \approx t' \). Furthermore, let function \(\mathsf {getIC} (x, \ell [x])\) return the invertibility condition \(\phi _\mathrm {c}\) for x in \(\ell [x]\). If e[x] has the form \(\diamond (e_1, \ldots , e_n)\) with \(n > 0\), x must occur in exactly one of the subterms \(e_1, \ldots , e_n\) given that e is linear in x. Let d be the term obtained from e by replacing \(e_i\) (the subterm containing x) with a fresh variable \(x'\). We solve for subterm \(e_i[x]\) (treating it as a variable \(x'\)) and compute an inverse \(\mathsf {getInverse} (x', d[x'] \approx t)\), if it exists. Note that for a disequality \(e[x] \not \approx t\), it suffices to compute the inverse over equality and propagate the disequality down. (For example, for \(e_i[x] + s \not \approx t\), we compute the inverse \(t' = \mathsf {getInverse} (x', x'+ s \approx t) = t  s\) and recurse on \(e_i[x] \not \approx t' \).) If no inverse for \(e[x] \bowtie t\) exists, we first determine the invertibility condition \(\phi _\mathrm {c}\) for \(d[x']\) via \(\mathsf {getIC} (x', d[x'] \bowtie t)\), construct the choice function \(\varepsilon y.\,(\phi _\mathrm {c}\Rightarrow d[y] \bowtie t)\), and set it equal to \(e_i[x]\), before recursively solving for x. If \(e[x] = x\) and the given literal is an equality, we have reached the base case and return t as the solution for x. Note that in Fig. 1, for simplicity we omitted one case for which an inverse can be determined, namely \(x \cdot c \approx t\) where c is an odd constant.
Theorem 3
Let \(\ell [x]\) be an \(\varepsilon \)valid \(\Sigma _{BV}\)literal linear in x, and let \(r = \mathsf {solve} (x,\ell [x]) \). Then r is \(\varepsilon \)valid, \({FV}(r) \subseteq {FV}(\ell ) \setminus \{ x \}\) and \(\ell [r] \Leftrightarrow \exists x.\,\ell [x] \) is \(T_{BV}\)valid.
Tables 2 and 3 list the invertibility conditions for bitvector operators \(\{\cdot \), \(\bmod \), \(\div \), \( \mathrel { \& }\), \(\mid \), \(\mathop {>>}\), \(\mathop {>>_a}\), \(\mathop {<<}\), \(\circ \}\) over relations \(\{\) \(\approx \), \(\not \approx \), \(<_u\), \(>_u \}\). Due to space restrictions we omit the conditions for signed inequalities since they can be expressed in terms of unsigned inequality. We omit the invertibility conditions over \(\{\le _u \), \(\ge _u \}\) since they can generally be constructed by combining the corresponding conditions for equality and inequality—although there might be more succinct equivalent conditions. Finally, we omit the invertibility conditions for operators \(\{{\sim }\, \), \(\), \(+ \}\) and literals \(x \bowtie t\) over inequality since they are basic bounds checks, e.g., for \(x <_s t\) we have \(t \not \approx \min \). The invertibility condition for \(x \not \approx t\) and for the extract operator is \(\top \).^{2}
The idea of computing the inverse of bitvector operators has been used successfully in a recent local search approach for solving quantifierfree bitvector constraints by Niemetz et al. [17]. There, target values are propagated via inverse value computation. In contrast, our approach does not determine single inverse values based on concrete assignments but aims at finding symbolic solutions through the generation of conditional inverses. In an extended version of that work [18], the same authors present rules for inverse value computation over equality but they provide no proof of correctness for them. We define invertibility conditions not only over equality but also disequality and (un)signed inequality, and verify their correctness up to a certain bitwidth.
3.1 Synthesizing Invertibility Conditions
Conditions for the invertibility of bitvector operators over (dis)equality. Those for \(\cdot \), \( \mathrel { \& }\) and \(\mid \) are given modulo commutativity of those operators.
\(\ell [x]\)  \(\approx \)  \(\not \approx \) 

\(x \cdot s \bowtie t\)  \( ( s \mid s) \mathrel { \& } t \approx t\)  \(s \not \approx 0 \,\vee \,t \not \approx 0 \) 
\(x \bmod s \bowtie t\)  \({\sim }\, \!( s) \ge _u t\)  \(s \not \approx 1 \,\vee \,t \not \approx 0 \) 
\(s \bmod x \bowtie t\)  \( (t + t  s) \mathrel { \& } s \ge _u t\)  \(s \not \approx 0 \,\vee \,t \not \approx 0 \) 
\(x \div s \bowtie t\)  \((s \cdot t) \div s \approx t\)  \(s \not \approx 0 \,\vee \,t \not \approx {\sim }\, \!0 \) 
\(s \div x \bowtie t\)  \(s \div (s \div t) \approx t\)  \( {\left\{ \begin{array}{ll} s \mathrel { \& } t \approx 0 &{} \text {for } \kappa (s) = 1\\ \top &{} \text {otherwise} \end{array}\right. }\) 
\( x \mathrel { \& } s \bowtie t\)  \( t \mathrel { \& } s \approx t\)  \(s \not \approx 0 \,\vee \,t \not \approx 0 \) 
\(x \mid s \bowtie t\)  \(t \mid s \approx t\)  \(s \not \approx {\sim }\, \!0 \,\vee \,t \not \approx {\sim }\, \!0 \) 
\(x \mathop {>>} s \bowtie t\)  \((t \mathop {<<} s) \mathop {>>} s \approx t\)  \(t \not \approx 0 \,\vee \,s <_u \kappa (s) \) 
\(s \mathop {>>} x \bowtie t\)  \(\bigvee \limits _{i=0}^{\kappa (s)} s \mathop {>>} i \approx t \)  \(s \not \approx 0 \,\vee \,t \not \approx 0 \) 
\(x \mathop {>>_a} s \bowtie t\)  \(\begin{array}{l}(s<_u \kappa (s) \Rightarrow (t \mathop {<<} s) \mathop {>>_a} s \approx t )\;\wedge \\ (s \ge _u \kappa (s) \Rightarrow (t \approx {\sim }\, \!0 \,\vee \,t \approx 0 )) \end{array}\)  \(\top \) 
\(s \mathop {>>_a} x \bowtie t\)  \(\bigvee \limits _{i=0}^{\kappa (s)} s \mathop {>>_a} i \approx t \)  \(\begin{array}{l}(t \not \approx 0 \,\vee \,s \not \approx 0 )\;\wedge \\ (t \not \approx {\sim }\, \!0 \,\vee \,s \not \approx {\sim }\, \!0 ) \end{array}\) 
\(x \mathop {<<} s \bowtie t\)  \((t \mathop {>>} s) \mathop {<<} s \approx t\)  \(t \not \approx 0 \,\vee \,s <_u \kappa (s) \) 
\(s \mathop {<<} x \bowtie t\)  \(\bigvee \limits _{i=0}^{\kappa (s)} s \mathop {<<} i \approx t \)  \(s \not \approx 0 \,\vee \,t \not \approx 0 \) 
\(x \circ s \bowtie t\)  \(s \approx t[\kappa (s)1:0] \)  \(\top \) 
\( s \circ x \bowtie t\)  \(s \approx t[\kappa (t)1:\kappa (t)\kappa (s) ] \)  \(\top \) 
Conditions for the invertibility of bitvector operators over unsigned inequality. Those for \(\cdot \), \( \mathrel { \& }\) and \(\mid \) are given modulo commutativity of those operators.
\(\ell [x]\)  \(<_u\)  \(>_u\) 

\(x \cdot s \bowtie t\)  \(t \not \approx 0\)  \(t <_u  s \mid s \) 
\(x \bmod s \bowtie t\)  \(t \not \approx 0\)  \(t <_u {\sim }\, \!( s) \) 
\(s \bmod x \bowtie t\)  \(t \not \approx 0\)  \(t <_u s\) 
\(x \div s \bowtie t\)  \(0<_u s \,\wedge \,0 <_u t \)  \({\sim }\, \!0 \div s >_u t\) 
\(s \div x \bowtie t\)  \( 0<_u {\sim }\, \!( t \mathrel { \& } s) \,\wedge \,0 <_u t \)  \(t <_u {\sim }\, \!0 \) 
\( x \mathrel { \& } s \bowtie t\)  \(t \not \approx 0\)  \(t <_u s\) 
\(x \mid s \bowtie t\)  \(s <_u t\)  \(t <_u {\sim }\, \!0 \) 
\(x \mathop {>>} s \bowtie t\)  \(t \not \approx 0\)  \(t <_u {\sim }\, \!s \mathop {>>} s \) 
\(s \mathop {>>} x \bowtie t\)  \(t \not \approx 0\)  \(t <_u s\) 
\(x \mathop {>>_a} s \bowtie t\)  \(t \not \approx 0\)  \(t <_u {\sim }\, \!0 \) 
\(s \mathop {>>_a} x \bowtie t\)  \((s <_u t \,\vee \,s \ge _s 0 )\,\wedge \,t \not \approx 0 \)  \(s<_s (s \mathop {>>} \!{\sim }\, \!t ) \,\vee \,t <_u s \) 
\(x \mathop {<<} s \bowtie t\)  \(t \not \approx 0\)  \(t<_u {\sim }\, \!0 \mathop {<<} s \) 
\(s \mathop {<<} x \bowtie t\)  \(t \not \approx 0\)  \(\bigvee \limits _{i=0}^{\kappa (s)}(s \mathop {<<} i) >_u t \) 
\(x \circ s \bowtie t\)  \(t_x \approx 0 \Rightarrow s <_u t_s \)  \(t_x \approx {\sim }\, \!0 \Rightarrow s >_u t_s \) 
\(\text {where}\, t_x = t[\kappa (t)1:\kappa (t)\kappa (x) ] \text {, } t_s = t[\kappa (s)1:0] \)  
\(s \circ x\) \(\bowtie \) t  \(s \le _u t_s \,\wedge \,(s \approx t_s \Rightarrow t_x \not \approx 0 )\)  \(s \ge _u t_s \,\wedge \,s \approx t_s \Rightarrow t_x \not \approx {\sim }\, \!0 \) 
\(\text {where}\,\, t_x = t[\kappa (x)1:0],\, t_s = t[\kappa (t)1:\kappa (t)\kappa (s) ] \) 
The selection of constants in the grammar turned out to be crucial for finding solutions, e.g., by adding \(\text {min}_s\) and \(\text {max}_s\) we were able to synthesize substantially more invertibility conditions for signed inequalities. For each of the two sets of operators, we generated 140 SyGuS problems^{3}, one for each combination of bitvector operator \(\diamond \in \) {\(\cdot \), \(\bmod \), \(\div \), \( \mathrel { \& }\), \(\mid \), \(\mathop {>>}\), \(\mathop {>>_a}\), \(\mathop {<<} \}\) over relation \(\bowtie \;\in \) {\(\approx \), \(\not \approx \), \(<_u\), \(\le _u\), \(>_u\), \(\ge _u\), \(<_s\), \(\le _s\), \(>_s\), \(\ge _s \}\), and used the SyGuS extension of the CVC4 solver [22] to solve these problems.
Using operators \(O_r\) (\(O_g\)) we were able to synthesize 98 (116) out of 140 invertibility conditions, with 118 unique solutions overall. When we found more than one solution for a condition (either with operators \(O_r\) and \(O_g\), or manually) we chose the one that involved the smallest number of bitvector operators. Thus, we ended up using 79 out of 118 synthesized conditions and 83 manually crafted conditions.
In some cases, the SyGuS approach was able to synthesize invertibility conditions that were smaller than those we had manually crafted. For example, we manually defined the invertibility condition for \(x \cdot s \approx t\) as \( (t \approx 0)\,\vee \,( (t \mathrel { \& }  t ) \ge _u (s \mathrel { \& }  s ) \,\wedge \,(s \not \approx 0)) \). With SyGuS we obtained \( (( s \mid s) \mathrel { \& } t) \approx t\). For some other cases, however, the synthesized solution involved more bitvector operators than needed. For example, for \({x \bmod s \not \approx t}\) we manually defined the invertibility condition \({(s \not \approx 1)\,\vee \,(t \not \approx 0)}\), whereas SyGuS produced the solution \({\sim }\, \!( s) \mid t \not \approx 0\). For the majority of invertibility conditions, finding a solution did not require more than one hour of CPU time on an Intel Xeon E52637 with 3.5 GHz. Interestingly, the most timeconsuming synthesis task (over 107 h of CPU time) was finding condition \( ((t + t)  s) \mathrel { \& } s \ge _u t \) for \({s \bmod x \approx t}\). A small number of synthesized solutions were only correct for a bitwidth of 4, e.g., solution \(({\sim }\, \!s \mathop {<<} s) \mathop {<<} s <_s t \) for \(x \div s <_s t \). In total, we found 6 widthdependent synthesized solutions, all of them for bitvector operators \(\div \) and \(\bmod \). For those, we used the manually crafted invertibility conditions instead.
3.2 Verifying Invertibility Conditions
We verified the correctness of all 162 invertibility conditions for bitwidths from 1 to 65 by checking for each bitwidth the \(T_{BV}\)unsatisfiability of the formula \(\lnot (\phi _\mathrm {c}\Leftrightarrow \exists x.\,\ell [x]) \) where \(\ell \) ranges over the literals in Tables 2 and 3 with s and t replaced by fresh constants, and \(\phi _\mathrm {c}\) is the corresponding invertibility condition.
In total, we generated 12,980 verification problems and used all participating solvers of the quantified bitvector division of SMTcompetition 2017 to verify them. For each solver/benchmark pair we used a CPU time limit of one hour and a memory limit of 8 GB on the same machines as those mentioned in the previous section. We consider an invertibility condition to be verified for a certain bitwidth if at least one of the solvers was able to report unsatisfiable for the corresponding formula within the given time limit. Out of the 12,980 instances, we were able to verify 12,277 (94.6%).
Overall, all verification tasks (including timeouts) required a total of 275 days of CPU time. The success rate of each individual solver was 91.4% for Boolector, 85.0% for CVC4, 50.8% for Q3B, and 92% for Z3. We observed that on 30.6% of the problems, Q3B exited with a Python exception without returning any result. For bitvector operators {\({\sim }\,\), \(\), \(+\), \( \mathrel { \& }\), \(\mid \), \(\mathop {>>}\), \(\mathop {>>_a}\), \(\mathop {<<}\), \(\circ \}\), over all relations, and for operators {\(\cdot \), \(\div \), \(\bmod \}\) over relations \(\{\not \approx , \le _u, \le _s \}\), we were able to verify all invertibility conditions for all bitwidths in the range 1–65. Interestingly, no solver was able to verify the invertibility conditions for \(x \bmod s <_s t \) with a bitwidth of 54 and \(s \bmod x <_u t \) with bitwidths 35–37 within the allotted time. We attribute this to the underlying heuristics used by the SAT solvers in these systems. All other conditions for \(<_s\) and \(<_u\) were verified for all bitvector operators up to bitwidth 65. The remaining conditions for operators {\(\cdot \), \(\div \), \(\bmod \}\) over relations {\(\approx \), \(>_u\), \(\ge _u\), \(>_s\), \(\ge _s \}\) were verified up to at least a bitwidth of 14. We discovered 3 conditions for \(s \div x \bowtie t\) with \(\bowtie \;\in \{\not \approx , >_s, \ge _s \}\) that were not correct for a bitwidth of 1. For each of these cases, we added an additional invertibility condition that correctly handles that case.
We leave to future work the task of formally proving that our invertibility conditions are correct for all bitwidths. Since this will most likely require the development of an interactive proof, we could leverage some recent work by Ekici et al. [9] that includes a formalization in the Coq proof assistant of the SMTLIB theory of bitvectors.
4 CounterexampleGuided Instantiation for BitVectors
In this section, we leverage techniques from the previous section for constructing symbolic solutions to bitvector constraints to define a novel instantiationbased technique for quantified bitvector formulas. We first briefly present the overall theoryindependent procedure we use for quantifier instantiation and then show how it can be specialized to quantified bitvectors using invertibility conditions.
Definition 4
(Selection Function). A selection function takes as input a tuple of variables \(\varvec{x} \), a model \({\mathcal {I}} \) of T, a quantifierfree \(\Sigma \)formula \(\psi [\varvec{x} ]\), and a set \(\varGamma \) of \(\Sigma \)formulas such that \(\varvec{x} \not \in {FV}(\varGamma ) \) and \({\mathcal {I}} \models \varGamma \cup \{ \lnot \psi \}\). It returns a tuple of \(\varepsilon \)valid terms \(\varvec{t}\) of the same type as \(\varvec{x}\) such that \({FV}(\varvec{t}) \subseteq {FV}(\psi ) \setminus \varvec{x} \).
Definition 5
 1.
Finite for \(\varvec{x} \) and \(\psi \) if there is a finite set \(\mathcal {S}^*\) such that \(\mathcal {S}( \varvec{x}, \psi , {\mathcal {I}}, \varGamma ) \in \mathcal {S}^*\) for all legal inputs \({\mathcal {I}} \) and \(\varGamma \).
 2.
Monotonic for \(\varvec{x} \) and \(\psi \) if for all legal inputs \({\mathcal {I}} \) and \(\varGamma \), \(\mathcal {S}(\varvec{x}, \psi , {\mathcal {I}}, \varGamma ) = \varvec{t} \) only if \(\psi [ \varvec{t} ] \not \in \varGamma \).
Procedure \(\mathsf {CEGQI}_{\mathcal {S}}\) is refutationsound and modelsound for any selection function \(\mathcal {S}\), and terminating for selection functions that are finite and monotonic.
Theorem 6
(Correctness of \(\mathsf {CEGQI}_{\mathcal {S}}\)). Let \(\mathcal {S}\) be a selection function and let \(\varphi = \exists \varvec{y} \forall \varvec{x}.\,\psi [ \varvec{y}, \varvec{x} ] \) be a legal input for \(\mathsf {CEGQI}_{\mathcal {S}}\). Then the following hold.
 1.
If \(\mathsf {CEGQI}_{\mathcal {S}}( \varphi )\) returns “unsat”, then \(\varphi \) is Tunsatisfiable.
 2.
If \(\mathsf {CEGQI}_{\mathcal {S}}( \varphi )\) returns “sat” for some final \(\varGamma \), then \(\varphi \) is Tequivalent to \(\exists \varvec{y}.\,\bigwedge _{\gamma \in \varGamma } \gamma \).
 3.
If \(\mathcal {S}\) is finite and monotonic for \(\varvec{x} \) and \(\psi \), then \(\mathsf {CEGQI}_{\mathcal {S}}( \varphi )\) terminates.
4.1 Selection Functions for BitVectors
In Fig. 3, we define a (class of) selection functions \(\mathcal {S}^{BV}_{c} \) for quantifierfree bitvector formulas, which is parameterized by a configuration c, a value of the enumeration type {\(\mathbf {m}\), \(\mathbf {k}\), \(\mathbf {s}\), \(\mathbf {b}\}\). The selection function collects in the set M all the literals occurring in \(\varGamma '\) that are satisfied by \({\mathcal {I}} \). Then, it collects in the set N a projected form of each literal in M. This form is computed by the function \(\mathsf {project}_{c} \) parameterized by configuration c. That function transforms its input literal into a form suitable for function \(\mathsf {solve} \) from Fig. 1. We discuss the intuition for projection operations in more detail below.
After constructing set N, the selection function computes a term \(t_i\) for each variable \(x_i\) in tuple \(\varvec{x}\), which we call the solved form of \(x_i\). To do that, it first constructs a set of literals \(N_i\) all linear in \(x_i\). It considers literals \(\ell \) from N and replaces all previously solved variables \(x_1, \ldots , x_{i1}\) by their respective solved forms to obtain the literal \(\ell ' = \ell [ t_1, \ldots , t_{i1} ]\). It then calls function \(\mathsf {linearize}\) on literal \(\ell '\) which returns a set of literals, each obtained by replacing all but one occurrence of \(x_i\) in \(\ell \) with the value of \(x_i\) in \({\mathcal {I}} \).^{4}
Example 7
Consider an interpretation \({\mathcal {I}} \) where \(x^{\mathcal {I}} = 1\), and \(\Sigma _{BV}\)terms a and b with \(x \not \in {FV}(a) \cup {FV}(b) \). We have that \(\mathsf {linearize}(x, {\mathcal {I}}, x \cdot ( x + a ) \approx b) \) returns the set \(\{ 1 \cdot ( x + a ) \approx b, x \cdot ( 1 + a ) \approx b \}\); \(\mathsf {linearize}(x, {\mathcal {I}}, x \ge _u a) \) returns the singleton set \(\{ x \ge _u a \}\); \(\mathsf {linearize}(x, {\mathcal {I}}, a \not \approx b) \) returns the empty set. \(\triangle \)
If the set \(N_i\) is nonempty, the selection function heuristically chooses a literal from \(N_i\) (indicated in Fig. 3 with \(\mathsf {choose}(N_i)\)). It then computes a solved form \(t_i\) for \(x_i\) by solving the chosen literal for \(x_i\) with the function \(\mathsf {solve} \) described in the previous section. If \(N_i\) is empty, we let \(t_i\) is simply the value of \(x_i\) in the given model \({\mathcal {I}} \). After that, \(x_i\) is eliminated from all the previous terms \(t_1, \ldots , t_{i1}\) by replacing it with \(t_i\). After processing all n variables of \(\varvec{x} \), the tuple \(( t_1, \ldots , t_n )\) is returned.
The configurations of selection function \(\mathcal {S}^{BV}_{c}\) determine how literals in M are modified by the \(\mathsf {project}_{c}\) function prior to computing solved forms, based on the current model \({\mathcal {I}} \). With the model value configuration \(\mathbf {m}\), the selection function effective ignores the structure of all literals in M and (because the set \(N_i\) is empty) ends up choosing the value \(x_i^{\mathcal {I}} \) as the solved form variable \(x_i\), for each i. On the other end of the spectrum, the configuration \(\mathbf {k}\) keeps all literals in M unchanged. The remaining two configurations have an effect on how disequalities and inequalities are handled by \(\mathsf {project}_{c}\). With configuration \(\mathbf {s}\) \(\mathsf {project}_{c}\) normalizes any kind of literal (equality, inequality or disequality) \(s \bowtie t\) to an equality by adding the slack value \((s  t)^{\mathcal {I}} \) to t. With configuration \(\mathbf {b}\) it maps equalities to themselves and inequalities and disequalities to an equality corresponding to a boundary point of the relation between s and t based on the current model. Specifically, it adds one to t if s is greater than t in \({\mathcal {I}} \), it subtracts one if s is smaller than t, and returns \(s \approx t\) if their value is the same. These two configurations are inspired by quantifier elimination techniques for linear arithmetic [5, 15]. In the following, we provide an endtoend example of our technique for quantifier instantiation that makes use of selection function \(\mathcal {S}^{BV}_{c}\) .
Example 8
Config  \(N_1\)  \(t_1\) 

\(\mathbf {m}\)  \(\emptyset \)  1 
\(\mathbf {k}\)  {\(x_1 \cdot a>_u b\)}  \(\varepsilon z.\,(a <_u  b \mid b ) \Rightarrow z \cdot a >_u b \) 
\(\mathbf {s}\), \(\mathbf {b}\)  {\(x_1 \cdot a\approx b+1\)}  \( \varepsilon z.\,(( a \mid a) \mathrel { \& } b+1 \approx b+1) \Rightarrow z \cdot a \approx b+1 \) 
 (i)
\(\lnot (a <_u  b \mid b )\) is \(T_{BV}\)unsatisfiable. Then (1) and hence \(\varGamma \) are \(T_{BV}\)unsatisfiable, and the procedure terminates with “unsat”.
 (ii)
\(\lnot (a <_u  b \mid b )\) is satisfied by some model \({\mathcal {J}} \) of \(T_{BV}\). Then \(\exists z. z \cdot a \le _u b \) is false in \({\mathcal {J}} \) since the invertibility condition of \(z \cdot a \le _u b \) is false in \({\mathcal {J}} \). Hence, \(\varGamma ' = \varGamma \cup \{ x_1 \cdot a>_u b \}\) is unsatisfiable, and the algorithm terminates with “sat”.
In fact, we argue later that quantified bitvector formulas like \(\varphi \) above, which contain only one occurrence of a universal variable, require at most one instantiation before \(\mathsf {CEGQI}_{\mathcal {S}^{BV}_{\mathbf {k}}}\) terminates. The same guarantee does not hold with the other configurations. In particular, configuration \(\mathbf {m}\) generates the instantiation where \(t_1\) is 1, which simplifies to \(a \le _u b\). This may not be sufficient to show that \(\varGamma \) or \(\varGamma '\) is unsatisfiable in the second iteration of the loop and the algorithm may resort to enumerating a repeating pattern of instantiations, such as \(x_1 \mapsto 1, 2, 3, \ldots \) and so on. This obviously does not scale for problems with large bitwidths. \(\triangle \)
More generally, we note that \(\mathsf {CEGQI}_{\mathcal {S}^{BV}_{\mathbf {k}}}\) terminates with at most one instance for input formulas whose body has just one literal and a single occurrence of each universal variable. The same guarantee does not hold for instance for quantified formulas whose body has multiple disjuncts. For some intuition, consider extending the second conjunct of (1) with an additional disjunct, i.e. \(( k \cdot a \le _u b \vee \ell [k] )\). A model can be found for this formula in which the invertibility condition \((a <_u  b \mid b )\) is still satisfied, and hence we are not guaranteed to terminate on the second iteration of the loop. Similarly, if the literals of the input formula have multiple occurrences of \(x_1\), then multiple instances may be returned by the selection function since the literals returned by \(\mathsf {linearize}\) in Fig. 3 depend on the model value of \(x_1\), and hence more than one possible instance may be considered in loop in Fig. 2.
The following theorem summarizes the properties of our selection functions. In the following, we say a quantified formula is unit linear invertible if it is of the form \(\forall x. \ell [x]\) where \(\ell \) is linear in x and has an invertibility condition for x. We say a selection function is nfinite for a quantified formula \(\psi \) if the number of possible instantiations it returns is at most n for some positive integer n.
Theorem 9
Let \(\psi [\varvec{x} ]\) be a quantifierfree formula in the signature of \(T_{BV}\).
 1.
\(\mathcal {S}^{BV}_{c} \) is a finite selection function for \(\varvec{x} \) and \(\psi \) for all \(c \in \{\mathbf {m}, \mathbf {k}, \mathbf {s}, \mathbf {b}\}\).
 2.
\(\mathcal {S}^{BV}_{\mathbf {m}} \) is monotonic.
 3.
\(\mathcal {S}^{BV}_{\mathbf {k}} \) is 1finite if \(\psi \) is unit linear invertible.
 4.
\(\mathcal {S}^{BV}_{\mathbf {k}} \) is monotonic if \(\psi \) is unit linear invertible.
This theorem implies that counterexampleguided instantiation using configuration \(\mathcal {S}^{BV}_{\mathbf {m}} \) is a decision procedure for quantified bitvectors. However, in practice the worstcase number of instances considered by this configuration for a variable \(x_{[n]} \) is proportional to the number of its possible values (\(2^n\)), which is practically infeasible for sufficiently large n. More interestingly, counterexampleguided instantiation using \(\mathcal {S}^{BV}_{\mathbf {k}} \) is a decision procedure for quantified formulas that are unit linear invertible, and moreover has the guarantee that at most one instantiation is returned by this selection function. Hence, formulas in this fragment can be effectively reduced to quantifierfree bitvector constraints in at most two iterations of the loop of procedure \(\mathsf {CEGQI}_{\mathcal {S}}\) in Fig. 2.
4.2 Implementation
We implemented the new instantiation techniques described in this section as an extension of CVC4, which is a DPLL\((T)\)based SMT solver [20] that supports quantifierfree bitvector constraints, (arbitrarily nested) quantified formulas, and support for choice expressions. For the latter, all choice expressions \(\varepsilon x.\,\varphi [x] \) are eliminated from assertions by replacing them with a fresh variable k of the same type and adding \(\varphi [k]\) as a new assertion, which notice is sound since all choice expressions we consider are \(\varepsilon \)valid. In the remainder of the paper, we will refer to our extension of the solver as \(\mathbf {cegqi}\). In the following, we discuss important implementation details of the extension.
Handling Duplicate Instantiations. The selection functions \(\mathcal {S}^{BV}_{\mathbf {s}} \) and \(\mathcal {S}^{BV}_{\mathbf {b}} \) are not guaranteed to be monotonic, neither is \(\mathcal {S}^{BV}_{\mathbf {k}} \) for quantified formulas that contain more than one occurrence of universal variables. Hence, when applying these strategies to arbitrary quantified formulas, we use a twotiered strategy that invokes \(\mathcal {S}^{BV}_{\mathbf {m}} \) as a second resort if the instance for the terms returned by a selection function already exists in \(\varGamma \).
Linearizing Rewrites. Our selection function in Fig. 3 uses the function \(\mathsf {linearize}\) to compute literals that are linear in the variable \(x_i\) to solve for. The way we presently implement \(\mathsf {linearize}\) makes those literals dependent on the value of \(x_i\) in the current model \({\mathcal {I}} \), with the risk of overfitting to that model. To address this limitation, we use a set of equivalencepreserving rewrite rules whose goal is to reduce the number of occurrences of \(x_i\) to one when possible, by applying basic algebraic manipulations. As a trivial example, a literal like \(x_i + x_i \approx a\) is rewritten first to \(2 \cdot x_i \approx a\) which is linear in \(x_i\) if a does not contain \(x_i\). In that case, this literal, and so the original one, has an invertibility condition as discussed in Sect. 3.
Variable Elimination. We use procedure \(\mathsf {solve}\) from Sect. 3 not only for selecting quantifier instantiations, but also for eliminating variables from quantified formulas. In particular, for a quantified formula of the form \(\forall x \varvec{y}.\,\ell \Rightarrow \varphi [x, \varvec{y} ] \), if \(\ell \) is linear in x and \(\mathsf {solve} ( x, \ell )\) returns a term s containing no \(\varepsilon \)expressions, we can replace this formula by \(\forall \varvec{y}.\,\varphi [s,\varvec{y} ] \). When \(\ell \) is an equality, this is sometimes called destructive equality resolution (DER) and is an important implementationlevel optimization in stateoftheart bitvector solvers [25]. As shown in Fig. 1, we use the \(\mathsf {getInverse} \) function to increase the likelihood that \(\mathsf {solve} \) returns a term that contains no \(\varepsilon \)expressions.
Handling Extract. Consider formula \(\forall x_{[32]}.\,(x[31:16] \not \approx a_{[16]} \vee x[15:0] \not \approx b_{[16]}) \). Since all invertibility conditions for the extract operator are \(\top \), rather than producing choice expressions we have found it more effective to eliminate extracts via rewriting. As a consequence, we independently solve constraints for regions of quantified variables when they appear underneath applications of extract operations. In this example, we let the solved form of x be \(y_{[16]} \circ z_{[16]} \) where y and z are fresh variables, and subsequently solve for these variables in \(y \approx a \) and \(z \approx b \). Hence, we may instantiate x with \(a \circ b\), a term that we would not have found by considering the two literals independently in the negated body of the formula above.
5 Evaluation
Results on satisfiable and unsatisfiable benchmarks with a 300 s timeout.
unsat  \(\mathrm{Boolector}\)  \(\mathrm{CVC4}\)  \(\mathrm{Q3B}\)  \(\mathrm{Z3}\)  \({\mathbf{{cegqi}}_{\mathbf {m}}}\)  \({\mathbf{{cegqi}}_{\mathbf {k}}}\)  \({\mathbf{{cegqi}}_{\mathbf {s}}}\)  \({\mathbf{{cegqi}}_{\mathbf {b}}}\) 

huauto  14  12  93  24  10  103  105  106 
keymaera  3917  3790  3781  3923  3803  3798  3888  3918 
psyco  62  62  49  62  62  39  62  61 
scholl  57  36  13  67  36  27  36  35 
tptp  55  52  56  56  56  56  56  56 
uauto  137  72  131  137  72  72  135  137 
wsfixpoint  74  71  75  74  75  74  75  75 
wsranking  16  8  18  19  15  11  12  11 
Total unsat  4332  4103  4216  4362  4129  4180  4369  4399 
sat  \(\mathrm{Boolector}\)  \(\mathrm{CVC4}\)  \(\mathrm{Q3B}\)  \(\mathrm{Z3}\)  \({\mathbf{{cegqi}}_{\mathbf {m}}}\)  \({\mathbf{{cegqi}}_{\mathbf {k}}}\)  \({\mathbf{{cegqi}}_{\mathbf {s}}}\)  \({\mathbf{{cegqi}}_{\mathbf {b}}}\) 

huauto  15  10  17  13  16  17  16  17 
keymaera  108  21  24  108  20  13  36  75 
psyco  131  132  50  131  132  60  132  129 
scholl  232  160  201  204  203  188  208  211 
tptp  17  17  17  17  17  17  17  17 
uauto  14  14  15  16  14  14  14  14 
wsfixpoint  45  49  54  36  45  51  49  50 
wsranking  19  15  37  33  33  31  31  32 
Total sat  581  418  415  558  480  391  503  545 
Total (5151)  4913  4521  4631  4920  4609  4571  4872  4944 
We evaluated our approach on all 5,151 benchmarks from the quantified bitvector logic (BV) of SMTLIB [3]. The results are summarized in Table 4. Configuration \(\mathbf{{cegqi}}_{\mathbf {b}}\) solves the highest number of unsatisfiable benchmarks (4, 399), which is 30 more than the next best configuration \(\mathbf{{cegqi}}_{\mathbf {s}}\) and 37 more than the next best external solver, Z3. Compared to the instantiationbased solvers Boolector, CVC4 and Z3, the performance of \(\mathbf{{cegqi}}_{\mathbf {b}}\) is particularly strong on the huauto family, which are verification conditions from the Ultimate Automizer tool [11]. For satisfiable benchmarks, Boolector solves the most (581), which is 36 more than our best configuration \(\mathbf{{cegqi}}_{\mathbf {b}}\).
Interestingly, configuration \(\mathbf{{cegqi}}_{\mathbf {k}}\), despite having the strong guarantees given by Theorem 9, performed relatively poorly on this set (with 4, 571 solved instances overall). We attribute this to the fact that most of the quantified formulas in this set are not unit linear invertible. In total, we found that only 25.6% of the formulas considered during solving were unit linear invertible. However, only a handful of benchmarks were such that all quantified formulas in the problem were unit linear invertible. This might explain the superior performance of \(\mathbf{{cegqi}}_{\mathbf {s}}\) and \(\mathbf {\mathbf{{cegqi}}_{\mathbf {b}}}\) which use invertibility conditions but in a less monolithic way. For some intuition on this, consider the problem \(\forall x.\,(x > a \vee x < b)\) where a and b are such that \(a>b\) is \(T_{BV}\)valid. Intuitively, to show that this formula is unsatisfiable requires the solver to find an x between b and a. This is apparent when considering the dual problem \(\exists x.\,(x \le a \wedge x \ge b)\). Configuration \(\mathbf{{cegqi}}_{\mathbf {b}}\) is capable of finding such an x, for instance, by considering the instantiation \(x \mapsto a\) when solving for the boundary point of the first disjunct. Configuration \(\mathbf{{cegqi}}_{\mathbf {k}}\), on the other hand, would instead consider the instantiation of x for two terms that witness \(\varepsilon \)expressions: some \(k_1\) that is never smaller than a, and some \(k_2\) that is never greater that b. Neither of these terms necessarily resides in between a and b since the solver may subsequently consider models where \(k_1 > b\) and \(k_2 < a\). This points to a potential use for invertibility conditions that solve multiple literals simultaneously, something we are currently investigating.
6 Conclusion
We have presented a new class of strategies for solving quantified bitvector formulas based on invertibility conditions. We have derived invertibility conditions for the majority of operators in a standard theory of fixedwidth bitvectors. An implementation based on this approach solves over 25% of previously unsolved verification benchmarks from SMT LIB, and outperforms all other stateoftheart bitvector solvers overall.
In future work, we plan to develop a framework in which the correctness of invertibility conditions can be formally established independently of bitwidth. We are working on deriving invertibility conditions that are optimal for linear constraints, in the sense of admitting the simplest propositional encoding. We also are investigating conditions that cover additional bitvector operators, some cases of nonlinear literals, as well as those that cover multiple constraints. While this is a challenging task, we believe efficient syntaxguided synthesis solvers can continue to help push progress in this direction. Finally, we plan to investigate the use of invertibility conditions for performing quantifier elimination on bitvector constraints. This will require a procedure for deriving concrete witnesses from choice expressions.
Footnotes
 1.
All proofs can be found in an extended version of this paper [19].
 2.
All the omitted invertibility conditions can be found in the extended version of this paper [19].
 3.
Available at https://cvc4.cs.stanford.edu/papers/CAV2018QBV/.
 4.
This is a simple heuristic to generate literals that can be solved for \(x_i\). More elaborate heuristics could be used in practice.
References
 1.Alur, R., Bodík, R., Juniwal, G., Martin, M.M.K., Raghothaman, M., Seshia, S.A., Singh, R., SolarLezama, A., Torlak, E., Udupa, A.: Syntaxguided synthesis. In: Formal Methods in ComputerAided Design, FMCAD 2013, Portland, OR, USA, 20–23 October 2013, pp. 1–8 (2013)Google Scholar
 2.Barrett, C., et al.: CVC4. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV 2011. LNCS, vol. 6806, pp. 171–177. Springer, Heidelberg (2011). https://doi.org/10.1007/9783642221101_14. http://dl.acm.org/citation.cfm?id=2032305.2032319CrossRefGoogle Scholar
 3.Barrett, C., Stump, A., Tinelli, C.: The SMTLIB standard: version 2.0. In: Gupta, A., Kroening, D. (eds.) Proceedings of the 8th International Workshop on Satisfiability Modulo Theories, Edinburgh, UK (2010)Google Scholar
 4.Bjørner, N., Janota, M.: Playing with quantified satisfaction. In: 20th International Conferences on Logic for Programming, Artificial Intelligence and Reasoning  Short Presentations, LPAR 2015, Suva, Fiji, 24–28 November 2015, pp. 15–27 (2015)Google Scholar
 5.Cooper, D.C.: Theorem proving in arithmetic without multiplication. In: Meltzer, B., Michie, D. (eds.) Machine Intelligence, vol. 7, pp. 91–100. Edinburgh University Press (1972)Google Scholar
 6.de Moura, L., Bjørner, N.: Z3: an efficient SMT solver. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 337–340. Springer, Heidelberg (2008). https://doi.org/10.1007/9783540788003_24. http://dl.acm.org/citation.cfm?id=1792734.1792766CrossRefGoogle Scholar
 7.Dutertre, B.: Yices 2.2. In: Biere, A., Bloem, R. (eds.) CAV 2014. LNCS, vol. 8559, pp. 737–744. Springer, Cham (2014). https://doi.org/10.1007/9783319088679_49CrossRefGoogle Scholar
 8.Dutertre, B.: Solving exists/forall problems in yices. In: Workshop on Satisfiability Modulo Theories (2015)Google Scholar
 9.Ekici, B., et al.: SMTCoq: a plugin for integrating SMT solvers into Coq. In: Majumdar, R., Kunčak, V. (eds.) CAV 2017. LNCS, vol. 10427, pp. 126–133. Springer, Cham (2017). https://doi.org/10.1007/9783319633909_7CrossRefGoogle Scholar
 10.Ge, Y., de Moura, L.: Complete instantiation for quantified formulas in satisfiabiliby modulo theories. In: Bouajjani, A., Maler, O. (eds.) CAV 2009. LNCS, vol. 5643, pp. 306–320. Springer, Heidelberg (2009). https://doi.org/10.1007/9783642026584_25CrossRefGoogle Scholar
 11.Heizmann, M., et al.: Ultimate automizer with an ondemand construction of FloydHoare automata. In: Legay, A., Margaria, T. (eds.) TACAS 2017. LNCS, vol. 10206, pp. 394–398. Springer, Heidelberg (2017). https://doi.org/10.1007/9783662545805_30CrossRefGoogle Scholar
 12.Hilbert, D., Bernays, P.: Grundlagen der Mathematik. Die Grundlehren der mathematischen Wissenschaften. Verlag von Julius Springer, Berlin (1934)zbMATHGoogle Scholar
 13.John, A.K., Chakraborty, S.: A layered algorithm for quantifier elimination from linear modular constraints. Formal Methods Syst. Des. 49(3), 272–323 (2016). https://doi.org/10.1007/s1070301602609CrossRefzbMATHGoogle Scholar
 14.Jonáš, M., Strejček, J.: Solving quantified bitvector formulas using binary decision diagrams. In: Creignou, N., Le Berre, D. (eds.) SAT 2016. LNCS, vol. 9710, pp. 267–283. Springer, Cham (2016). https://doi.org/10.1007/9783319409702_17CrossRefGoogle Scholar
 15.Loos, R., Weispfenning, V.: Applying linear quantifier elimination (1993)Google Scholar
 16.Niemetz, A., Preiner, M., Biere, A.: Boolector 2.0 system description. J. Satisfiability Boolean Model. Comput. 9, 53–58 (2014). (published 2015)Google Scholar
 17.Niemetz, A., Preiner, M., Biere, A.: Precise and complete propagation based local search for satisfiability modulo theories. In: Chaudhuri, S., Farzan, A. (eds.) CAV 2016. LNCS, vol. 9779, pp. 199–217. Springer, Cham (2016). https://doi.org/10.1007/9783319415284_11CrossRefGoogle Scholar
 18.Niemetz, A., Preiner, M., Biere, A.: Propagation based local search for bitprecise reasoning. Formal Methods Syst. Des. 51(3), 608–636 (2017). https://doi.org/10.1007/s1070301702956CrossRefzbMATHGoogle Scholar
 19.Niemetz, A., Preiner, M., Reynolds, A., Barrett, C., Tinelli, C.: On solving quantified bitvectors using invertibility conditions. eprint arXiv:cs.LO/1804.05025 (2018)
 20.Nieuwenhuis, R., Oliveras, A., Tinelli, C.: Solving SAT and SAT modulo theories: from an abstract DavisPutnamLogemannLoveland Procedure to DPLL(T). J. ACM 53(6), 937–977 (2006)MathSciNetCrossRefGoogle Scholar
 21.Preiner, M., Niemetz, A., Biere, A.: Counterexampleguided model synthesis. In: Tools and Algorithms for the Construction and Analysis of Systems  23rd International Conference, TACAS 2017, Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2017, Uppsala, Sweden, 22–29 April 2017, Proceedings, Part I, pp. 264–280 (2017)Google Scholar
 22.Reynolds, A., Deters, M., Kuncak, V., Tinelli, C., Barrett, C.: Counterexampleguided quantifier instantiation for synthesis in SMT. In: Kroening, D., Păsăreanu, C.S. (eds.) CAV 2015. LNCS, vol. 9207, pp. 198–216. Springer, Cham (2015). https://doi.org/10.1007/9783319216683_12CrossRefGoogle Scholar
 23.Reynolds, A., King, T., Kuncak, V.: Solving quantified linear arithmetic by counterexampleguided instantiation. Formal Methods Syst. Des. 51(3), 500–532 (2017). https://doi.org/10.1007/s107030170290yCrossRefzbMATHGoogle Scholar
 24.Stump, A., Sutcliffe, G., Tinelli, C.: StarExec: a crosscommunity infrastructure for logic solving. In: Demri, S., Kapur, D., Weidenbach, C. (eds.) IJCAR 2014. LNCS (LNAI), vol. 8562, pp. 367–373. Springer, Cham (2014). https://doi.org/10.1007/9783319085876_28CrossRefGoogle Scholar
 25.Wintersteiger, C.M., Hamadi, Y., de Moura, L.M.: Efficiently solving quantified bitvector formulas. Formal Methods Syst. Des. 42(1), 3–23 (2013)CrossRefGoogle Scholar
Copyright information
<SimplePara><Emphasis Type="Bold">Open Access</Emphasis>This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License(http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.</SimplePara><SimplePara>The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.</SimplePara>