On Solving Quantified Bit-Vectors using Invertibility Conditions

We present a novel approach for solving quantified bit-vector formulas in Satisfiability Modulo Theories (SMT) based on computing symbolic inverses of bit-vector operators. We derive conditions that precisely characterize when bit-vector constraints are invertible for a representative set of bit-vector operators commonly supported by SMT solvers. We utilize syntax-guided synthesis techniques to aid in establishing these conditions and verify them independently by using several SMT solvers. We show that invertibility conditions can be embedded into quantifier instantiations using Hilbert choice expressions, and give experimental evidence that a counterexample-guided approach for quantifier instantiation utilizing these techniques leads to performance improvements with respect to state-of-the-art solvers for quantified bit-vector constraints.


Introduction
Many applications in hardware and software verification rely on Satisfiability Modulo Theories (SMT) solvers for bit-precise reasoning. In recent years, the quantifier-free fragment of the theory of fixed-size bit-vectors has received a lot of interest, as witnessed by the number of applications that generate problems in that fragment and by the high, and increasing, number of solvers that participate in the corresponding division of the annual SMT competition. Modeling properties of programs and circuits, e.g., universal safety properties and program invariants, however, often requires the use of quantified bit-vector formulas. Despite a multitude of applications, reasoning efficiently about such formulas is still a challenge in the automated reasoning community.
The majority of solvers that support quantified bit-vector logics employ instantiation-based techniques [24,21,8,20], which aim to find conflicting ground instances of quantified formulas. For that, it is crucial to select good instantiations for the universal variables, or else the solver may be overwhelmed by the number of ground instances generated. For example, consider a quantified formula ψ = ∀x. (x + s ≈ t) where x, s and t denote bit-vectors of size 32. To prove that ψ is unsatisfiable we can instantiate x with all 2 32 possible bit-vector values. However, ideally, we would like to find a proof that requires much fewer instantiations. In this example, if we instantiate x with the symbolic term t − s (the inverse of x + s ≈ t when solved for x), we can immediately conclude that ψ is unsatisfiable since (t − s) + s ≈ t simplifies to false.
Operators in the theory of bit-vectors are not always invertible. However, we observe it is possible to identify quantifier-free conditions that precisely characterize when they are. We do that for a representative set of operators in the standard theory of bitvectors supported by SMT solvers. For example, we have proven that the constraint x · s ≈ t is solvable for x if and only if (−s | s) & t ≈ t is satisfiable. Using this observation, we develop a novel approach for solving quantified bit-vector formulas that utilizes invertibility conditions to generate symbolic instantiations. We show that invertibility conditions can be embedded into quantifier instantiations using Hilbert choice functions in a sound manner. This approach has compelling advantages with respect to previous approaches, which we demonstrate in our experiments.
More specifically, this paper makes the following contributions.
-We derive and present invertibility conditions for a representative set of bit-vector operators that allow us to model all bit-vector constraints in SMT-LIB [3]. -We provide details on how invertibility conditions can be automatically synthesized using syntax-guided synthesis (SyGuS) [1] techniques, and make public 162 available challenge problems for SyGuS solvers that are encodings of this task. -We prove that our approach can efficiently reduce a class of quantified formulas, which we call unit linear invertible, to quantifier-free constraints. -Leveraging invertibility conditions, we implement a novel quantifier instantiation scheme as an extension of the SMT solver CVC4 [2], which shows improvements with respect to state-of-the-art solvers for quantified bit-vector constraints.
Related work Quantified bit-vector logics are currently supported by the SMT solvers Boolector [16], CVC4 [2], Yices [7], and Z3 [6] and a Binary Decision Diagram (BDD)based tool called Q3B [14]. Out of these, only CVC4 and Z3 provide support for combining quantified bit-vectors with other theories, e.g., the theories of arrays or real arithmetic. Arbitrarily nested quantifiers are handled by all but Yices, which only supports bit-vector formulas of the form ∃x∀y. Q[x, y] [8]. For quantified bit-vectors, CVC4 employs counterexample-guided quantifier instantiation (CEGQI) [21], where concrete models of a set of ground instances and the negation of the input formula (the counterexamples) serve as instantiations for the universal variables. In Z3, model-based quantifier instantiation (MBQI) [10] is combined with a template-based model finding procedure [24]. In contrast to CVC4, Z3 not only relies on concrete counterexamples as candidates for quantifier instantiation but generalizes these counterexamples to generate symbolic instantiations by selecting ground terms with the same model value. Boolector employs a syntax-guided synthesis approach to synthesize interpretations for Skolem functions based on a set of ground instances of the formula, and uses a counterexample refinement loop similar to MBQI [20]. Other counterexample-guided approaches for quantified formulas in SMT solvers have been considered by Bjørner and Janota [4] and by Reynolds et al. [22], but they have mostly targeted quantified linear arithmetic and do not specifically address bit-vectors. Quantifier elimination for a fragment of bitvectors that covers modular linear arithmetic has been recently addressed by John and Chakraborty [13], although we do not explore that direction in this paper.

Preliminaries
We assume the usual notions and terminology of many-sorted first-order logic with equality (denoted by ≈). Let S be a set of sort symbols, and for every sort σ ∈ S let X σ be an infinite set of variables of sort σ. We assume that sets X σ are pairwise disjoint and define X as the union of sets X σ . Let Σ be a signature consisting of a set Σ s ⊆ S of sort symbols and a set Σ f of interpreted (and sorted) function symbols f σ1···σnσ with arity n ≥ 0 and σ 1 , ..., σ n , σ ∈ Σ s . We assume that a signature Σ includes a Boolean sort Bool and the Boolean constants (true) and ⊥ (false). Let I be a Σinterpretation that maps: each σ ∈ Σ s to a non-empty set σ I (the domain of I), with Bool I = { , ⊥}; each x ∈ X σ to an element x I ∈ σ I ; and each f σ1···σnσ ∈ Σ f to a total function f I : σ I 1 × ... × σ I n → σ I if n > 0, and to an element in σ I if n = 0. If x ∈ X σ and v ∈ σ I , we denote by I[x → v] the interpretation that maps x to v and is otherwise identical to I. We use the usual inductive definition of a satisfiability relation |= between Σ-interpretations and Σ-formulas.
We assume the usual definition of well-sorted terms, literals, and formulas as Bool terms with variables in X and symbols in Σ, and refer to them as Σ-terms, Σ-atoms, and so on. A ground term/formula is a Σ-term/formula without variables. We define x = (x 1 , ..., x n ) as a tuple of variables and write Qxϕ with Q ∈ {∀, ∃} for a quantified formula Qx 1 · · · Qx n ϕ. We use Lit(ϕ) to denote the set of Σ-literals of Σ-formula ϕ. For a Σ-term or Σ-formula e, we denote the free variables of e (defined as usual) as F V(e) and use e[x] to denote that the variables in x occur free in e. For a tuple of Σ-terms t = (t 1 , ..., t n ), we write e[t] for the term or formula obtained from e by simultaneously replacing each occurrence of x i in e by t i . Given a Σ-formula ϕ[x] with x ∈ X σ , we use Hilbert's choice operator ε [12] to describe properties of x. We define a choice function εx. ϕ[x] as a term where x is bound by ε. In every interpretation I, A theory T is a pair (Σ, I), where Σ is a signature and I is a non-empty class of Σinterpretations (the models of T ) that is closed under variable reassignment, i.e., every Σ-interpretation that only differs from an I ∈ I in how it interprets variables is also in I. A Σ-formula ϕ is T -satisfiable (resp. T -unsatisfiable) if it is satisfied by some (resp. no) interpretation in I; it is T -valid if it is satisfied by all interpretations in I. We say T is a complete theory if for all closed Σ-formulas ϕ, ϕ is either T -valid or We refer to a term t as ε-(T -)valid if all occurrences of choice functions in t are (T -)valid. We will sometimes omit T when the theory is understood from context. We will focus on the theory T BV = (Σ BV , I BV ) of fixed-size bit-vectors as defined by the SMT-LIB 2 standard [3]. The signature Σ BV includes a unique sort for each positive bit-vector width n, denoted here as σ [n] . Similarly, X [n] is the set of bitvector variables of sort σ [n] , and X BV is the union of all sets X [n] . We assume that Σ BV includes all bit-vector constants of sort σ [n] for each n, represented as bit-strings. However, to simplify the notation we will sometimes denote them by the corresponding natural number in {0, . . . , 2 n−1 }. All interpretations I ∈ I BV are identical except for the value they assign to variables. They interpret sort and function symbols as specified in SMT-LIB 2. All function symbols in Σ f BV are overloaded for every σ [n] ∈ Σ s BV . We denote a Σ BV -term (or bit-vector term) t of width n as t [n] when we want to specify its bit-width explicitly. We use max s[n] or min s[n] for the maximum or minimum signed Symbol SMT-LIB Syntax Sort ≈, <u, >u, <s, >s =, bvult, bvugt, bvslt, bvsgt value of width n, e.g., max s [4] = 0111 and min s [4] = 1000. The width of a bit-vector sort or term is given by the function κ, e.g., κ(σ [n] ) = n and κ(t [n] ) = n. Without loss of generality, we consider a restricted set of bit-vector function symbols (or bit-vector operators) Σ f BV as listed in Table 1. The selection of operators in this set is arbitrary but complete in the sense that it suffices to express all bit-vector operators defined in SMT-LIB 2.

Invertibility Conditions for Bit-Vector Constraints
This section formally introduces the concept of an invertibility condition and shows that such conditions can be used to construct symbolic solutions for a class of quantifier-free bit-vector constraints that have a linear shape.
Consider a bit-vector literal x + s ≈ t and assume that we want to solve for x. If the literal is linear in x, that is, has only one occurrence of x, a general solution for x is given by the inverse of bit-vector addition over equality: x = t − s. Computing the inverse of a bit-vector operation, however, is not always possible. For example, for x · s ≈ t, an inverse always exists only if s always evaluates to an odd bit-vector. Otherwise, there are values for s and t where no such inverse exists, e.g., x · 2 ≈ 3. However, even if there is no unconditional inverse for the general case, we can identify the condition under which a bit-vector operation is invertible. For the bit-vector multiplication constraint x · s ≈ t with x / ∈ F V(s) ∪ F V(t), the invertibility condition for x can be expressed by the formula (−s | s) & t ≈ t.
An invertibility condition for a literal [x] provides the exact conditions under which [x] is solvable for x. We call it an "invertibility" condition because we can use Hilbert choice functions to express all such conditional solutions with a single symbolic term, that is, a term whose possible values are exactly the solutions for x in [x]. Recall that a choice function εy. ϕ[y] represents a solution for a formula ϕ[x] if there exists one, and represents an arbitrary value otherwise. We may use a choice function to describe inverse solutions for a literal [x] with invertibility condition φ c as εy. (φ c ⇒ [y]). For example, for the general case of bit-vector multiplication over equality the choice function is defined as εy.
Let Now, suppose that Σ BV -literal is again linear in x but that x occurs arbitrarily deep in . Consider, for example, a literal s 1 · (s 2 + x) ≈ t where x does not occur in s 1 , s 2 or t. We can solve this literal for x by recursively computing the (possibly conditional) inverses of all bit-vector operations that involve x. That is, first we solve s 1 · x ≈ t for x , where x is a fresh variable abstracting s 2 + x, which yields the choice function x = εy. Figure 1 describes in pseudo code the procedure to solve for x in an arbitrary literal [x] = e[x] t that is linear in x. We assume that e[x] is built over the set of bit-vector operators listed in Table 1 has the form (e 1 , . . . , e n ) with n > 0, x must occur in exactly one of the subterms e 1 , . . . , e n given that e is linear in x. Let d be the term obtained from e by replacing e i (the subterm containing x) with a fresh variable x . We solve for subterm e i [x] (treating it as a variable x ) and compute an inverse getInverse(x , d[x ] ≈ t), if it exists. Note that for a disequality e[x] ≈ t, it suffices to compute the inverse over equality and propagate the disequality down. (For example, for t exists, we first determine the invertibility condition , and set it equal to e i [x], before recursively solving for x. If e[x] = x and the given literal is an equality, we have reached the base case and return t as the solution for x. Note that in Figure 1, for simplicity we omitted one case for which an inverse can be determined, namely x · c ≈ t where c is an odd constant.
We show all statements of the Theorem by structural induction on the term e[x].
Consider the case when In both cases, by definition of getInverse and getIC, we have that t i is ε-valid due to Lemma 2 and since [x] is ε-valid. Also in both cases, we have that t is ε-valid and linear with respect to x and x ∈ F V(t i ), the literal e i [x] i t i is ε-valid and linear with respect to x as well. Thus, by the induction hypothesis, we have that t. In the case that ∈ {≈, ≈} and ∈ {∼ , −, +}, we have that i is and t holds in all models of T BV . Now, consider any model t by assumption and t holds in all models of T BV .

Tables 2-3 list the invertibility conditions for bit-vector operators
Due to space restrictions we omit the conditions for signed inequalities since they can be expressed in terms of unsigned inequality. We omit the invertibility conditions over {≤ u , ≥ u } since they can generally be constructed by combining the corresponding conditions for equality and inequalityalthough there might be more succinct equivalent conditions. Table 4 shows the rules for inverse computation for bit-vector operators {−, ∼ , +, ·} over equality. Tables 5-8 list the remaining invertibility conditions for x t and bit-vector operators {∼, −, The idea of computing the inverse of bit-vector operators has been used successfully in a recent local search approach for solving quantifier-free bit-vector constraints by Niemetz et al. [17]. There, target values are propagated via inverse value computation. In contrast, our approach does not determine single inverse values based on concrete assignments but aims at finding symbolic solutions through the generation of conditional inverses. In an extended version of that work [18], the same authors present rules for inverse value computation over equality but they provide no proof of correctness for them. We define invertibility conditions not only over equality but also disequality and (un)signed inequality, and verify their correctness up to a certain bit-width.

Synthesizing Invertibility Conditions
We have defined invertibility conditions for all bit-vector operators in Σ BV where no general inverse exists (162 in total). A noteworthy aspect of this work is that we were able to leverage syntax-guided synthesis (SyGuS) technology [1] to help identify these conditions. The problem of finding invertibility conditions for a literal of the form x s t (or, dually, s x t) linear in x can be recast as a SyGuS problem by asking whether there exists a binary Boolean function C such that the (second-order) formula ∃C∀s∀t. ((∃x. x s t) ⇔ C(s, t)) is satisfiable. If a SyGuS solver is able to synthesize the function C, then C can be used as the invertibility condition for x s t.
To simplify the SyGuS problem we chose a bit-width of 4 for x, s, and t and eliminated the quantification over x in the formula above by by expanding it to Since the search space for SyGuS solvers heavily depends on the input grammar (which defines the solution space for C), we decided to use two grammars with the same set of Boolean connectives but different sets of bit-vector operators: The selection of constants in the grammar turned out to be crucial for finding solutions, e.g., by adding min s and max s we were able to synthesize substantially more invertibility conditions for signed inequalities. For each of the two sets of operators, we generated 140 SyGuS problems 3 , one for each combination of bit-vector operator ∈ {·, mod, and used the SyGuS extension of the CVC4 solver [21] to solve these problems. Using operators O r (O g ) we were able to synthesize 98 (116) out of 140 invertibility conditions, with 118 unique solutions overall. When we found more than one solution for a condition (either with operators O r and O g , or manually) we chose the one that involved the smallest number of bit-vector operators. Thus, we ended up using 79 out of 118 synthesized conditions and 83 manually crafted conditions.
In some cases, the SyGuS approach was able to synthesize invertibility conditions that were smaller than those we had manually crafted. For example, we manually defined the invertibility condition for x·s ≈ t as For some other cases, however, the synthesized solution involved more bit-vector operators than needed. For example, for x mod s ≈ t we manually defined the invertibility condition (s ≈ 1) ∨ (t ≈ 0), whereas SyGuS produced the solution ∼(−s) | t ≈ 0. For the majority of invertibility conditions, finding a solution did not require more than one hour of CPU time on an Intel Xeon E5-2637 with 3.5GHz. Interestingly, the most time-consuming synthesis task (over 107 hours of CPU time) was finding condition Table 4. Inverse computation for bit-vector operators {−, ∼ , +, ·} over ≈. Those for + and · are given modulo commutativity of those operators. [x] <u >u <s >s ≤u, ≥u, ≤s, ≥s Table 5. Conditions for the invertibility for x t and bit-vector operators {−, ∼ , +} over inequality. The one for + given modulo commutativity of +.
≤u ≥u x > >a s t s > >a x t s <u mins ∨ t ≥u s s ≥u ∼s ∨ s ≥u t Table 6. Conditions for the invertibility of bit-vector operators over ≤u and ≥u. Those for ·, & and | are given modulo commutativity of those operators.
s mod x t s <s t ∨ 0 <s t (s ≥s 0 ⇒ s >s t) ∧ (s <s 0 ⇒ ((s − 1) >> 1) >s t) x ÷ s t t ≤s 0 ⇒ mins ÷ s <s t ∼0 ÷ s >s t ∨ maxs ÷ s >s t s ÷ x t s <s t ∨ t ≥s 0 x > >a s t mins > >a s <s t t <s maxs >> s s > >a x t s <s t ∨ 0 <s t t <s s & maxs ∧ t <s s | maxs x < < s t (mins > > s) < < s <s t t <s (maxs << s) & maxs s < < x t mins < < s <u t + mins Table 7. Conditions for the invertibility of bit-vector operators over <s and >s. Those for ·, & and | are given modulo commutativity of those operators.

[x]
≤s ≥s x > >a s t t ≥s ∼(maxs >> s) maxs >> s ≥s t s > >a x t t ≥s 0 ∨ t ≥s s t ≥u ∼t ∨ s ≥s t  s mod x ≈ t. A small number of synthesized solutions were only correct for a bit-width of 4, e.g, solution (∼s << s) < < s < s t for x ÷ s < s t. In total, we found 6 widthdependent synthesized solutions, all of them for bit-vector operators ÷ and mod. For those, we used the manually crafted invertibility conditions instead.

Verifying Invertibility Conditions
We verified the correctness of all 162 invertibility conditions for bit-widths from 1 to 65 by checking for each bit-width the T BV -unsatisfiability of the formula ¬(φ c ⇔ ∃x. [x]) where ranges over the literals in Tables 2-3 with s and t replaced by fresh constants, and φ c is the corresponding invertibility condition.
In total, we generated 12,980 verification problems and used all participating solvers of the quantified bit-vector division of SMT-competition 2017 to verify them. For each solver/benchmark pair we used a CPU time limit of one hour and a memory limit of 8GB on the same machines as those mentioned in the previous section. We consider an invertibility condition to be verified for a certain bit-width if at least one of the solvers was able to report unsatisfiable for the corresponding formula within the given time limit. Out of the 12,980 instances, we were able to verify 12,277 (94.6%).
Overall, all verification tasks (including timeouts) required a total of 275 days of CPU time. The success rate of each individual solver was 91.4% for Boolector, 85.0% for CVC4, 50.8% for Q3B, and 92% for Z3. We observed that on 30.6% of the problems, Q3B exited with a Python exception without returning any result. For bit-vector operators {∼ , −, +, &, |, >>, > > a , < <, •}, over all relations, and for operators {·, ÷, mod} over relations { ≈, ≤ u , ≤ s }, we were able to verify all invertibility conditions for all bit-widths in the range 1-65. Interestingly, no solver was able to verify the invertibility conditions for x mod s < s t with a bit-width of 54 and s mod x < u t with bit-widths 35-37 within the allotted time. We attribute this to the underlying heuristics used by the SAT solvers in these systems. All other conditions for < s and < u were verified for all bit-vector operators up to bit-width 65. The remaining conditions for operators {·, ÷, mod} over relations {≈, > u , ≥ u , > s , ≥ s } were verified up to at least a bit-width of 14. We discovered 3 conditions for s ÷ x t with ∈ { ≈, > s , ≥ s } that were not correct for a bit-width of 1. For each of these cases, we added an additional invertibility condition that correctly handles that case.
We leave to future work the task of formally proving that our invertibility conditions are correct for all bit-widths. Since this will most likely require the development of an interactive proof, we could leverage some recent work by Ekici et al. [9] that includes a formalization in the Coq proof assistant of the SMT-LIB theory of bit-vectors.

Counterexample-Guided Instantiation for Bit-Vectors
In this section, we leverage techniques from the previous section for constructing symbolic solutions to bit-vector constraints to define a novel instantiation-based technique for quantified bit-vector formulas. At a high level, we use a counterexample-guided approach for quantifier instantiation that adds new instances to a set of quantifier-free  clauses based on models for the negated input formula. The procedure terminates if it finds a set of instances that is unsatisfiable or entails the negation of the input formula. We use a counterexample-guided approach for quantifier instantiation, as given by procedure CEGQI S in Figure 2. To simplify the exposition here, we focus on input problems expressed as a single formula in prenex normal form and with up to one quantifier alternation. We stress, though, that the approach applies in general to arbitrary sets of quantified formulas in some Σ-theory T with a decidable quantifier-free fragment. The procedure checks via instantiation the T -satisfiability of a quantified input formula ϕ of the form ∃y∀x. ψ[x, y] where ψ is quantifier-free and x and y are possibly empty sequences of variables. It maintains an evolving set Γ , initially empty, of quantifier-free instances of the input formula. During each iteration of the procedure's loop, there are three possible cases: 1) if Γ is T -unsatisfiable, the input formula ϕ is also T -unsatisfiable and "unsat" is returned; 2) if Γ is T -satisfiable but not together with with ¬ψ[y, x], the negated body of ϕ, then Γ entails ϕ in T , hence ϕ is T -satisfiable and "sat" is returned. 3) If neither of previous cases holds, the procedure adds to Γ an instance of ψ obtained by replacing the variables x with some terms t, and continues. The procedure CEGQI is parametrized by a selection function S that generates the terms t. Procedure CEGQI S is refutation-sound and model-sound for any selection function S, and terminating for selection functions that are finite and monotonic.
Theorem 6 (Correctness of CEGQI S ). Let S be a selection function and let ϕ = ∃y∀x. ψ[y, x] be a legal input for CEGQI S . Then the following hold.
3. If S is finite and monotonic for x and ψ, then CEGQI S (ϕ) terminates.
Proof. We show each part of the theorem below. Note that by the definition of CEGQI S and since S is a selection function, all inputs I and Γ given to S in the loop of this function are legal inputs. Also note that for the first two parts, we have that CEGQI S (ϕ) terminates in a state where Γ is a set of formulas of the form ψ[y, t] where, since S is a selection function, t is a tuple of ε-valid terms and F V(t) ⊆ y.
Part 1) By definition of CEGQI S , if CEGQI S (ϕ) returns "unsat", then Γ is Tunsatisfiable. By the definition of CEGQI S , we have that Γ is a set of formulas of the form ψ[y, t]. For each ψ[y, t] ∈ Γ , we have that t is ε-valid since S is a selection function, and hence ∀xψ[y, x] ⇒ ψ[y, t] holds in all models of T . Since Γ is T -unsatisfiable, ∀xψ[y, x] is T -unsatisfiable, and hence ϕ is as well.
Part 3) Assume S is monotonic and finite for ψ[y, x]. Since it is finite, let S * be a finite set such that S(x, ψ, I, Γ ) ∈ S * for all valid inputs I, Γ . Since it is monotonic, each iteration of the loop adds a new formula from S * to Γ . Since S * is finite, the number of iterations of this loop is bounded by the size of S * . Hence, CEGQI S (ϕ) terminates.
Thanks to this theorem, to define a T -satisfiability procedure for quantified Σ-formulas, it suffices to define a selection function satisfying the criteria of Definition 4. We do that in the following section for T BV .

Selection functions for bit-vectors
In Figure 3    If the set N i is non-empty, the selection function heuristically chooses a literal from N i (indicated in Figure 3 with choose(N i )). It then computes a solved form t i for x i by solving the chosen literal for x i with the function solve described in the previous section. If N i is empty, we let t i is simply the value of x i in the given model I. After that, x i is eliminated from all the previous terms t 1 , . . . , t i−1 by replacing it with t i . After processing all n variables of x, the tuple (t 1 , . . . , t n ) is returned. b it maps equalities to themselves and inequalities and disequalities to an equality corresponding to a boundary point of the relation between s and t based on the current model. Specifically, it adds one to t if s is greater than t in I, it subtracts one if s is smaller than t, and returns s ≈ t if their value is the same. These two configurations are inspired by quantifier elimination techniques for linear arithmetic [5,15]. In the following, we provide an end-to-end example of our technique for quantifier instantiation that makes use of selection function S BV c . config In each case, S BV c returns the tuple (t 1 ), and we add the instance Since t 1 is ε-valid, due to the semantics of ε, this instance is equivalent to: for fresh variable k. This formula is T BV -satisfiable if and only if ¬(a < u −b | b) is T BV -satisfiable. In the second iteration of the loop in CEGQI S BV c , set Γ contains formula (1) above. We have two possible outcomes: Then (1) and hence Γ are T BV -unsatisfiable, and the procedure terminates with "unsat".
ii) ¬(a < u −b | b) is satisfied by some model J of T BV . Then ∃z.z · a ≤ u b is false in J since the invertibility condition of z · a ≤ u b is false in J . Hence, Γ = Γ ∪ {x 1 · a > u b} is unsatisfiable, and the algorithm terminates with "sat".
In fact, we argue later that quantified bit-vector formulas like ϕ above, which contain only one occurrence of a universal variable, require at most one instantiation before CEGQI S BV k terminates. The same guarantee does not hold with the other configurations. In particular, configuration m generates the instantiation where t 1 is 1, which simplifies to a ≤ u b. This may not be sufficient to show that Γ or Γ is unsatisfiable in the second iteration of the loop and the algorithm may resort to enumerating a repeating pattern of instantiations, such as x 1 → 1, 2, 3, . . . and so on. This obviously does not scale for problems with large bit-widths.
Example 10. As the last example demonstrates, CEGQI S BV k may terminate with at most one instance for input formulas whose body has just one literal and a single occurrence of each universal variable. However, consider extending the quantified formula from the previous example to a disjunction of two literals: Assume that our selection function chooses the same t 1 as in the previous example. The corresponding instance is equivalent to: In contrast to the previous example, the second iteration of the loop from Figure 2 is not guaranteed to terminate for this example. The above formula may be satisfied by a model J where k · a > u b and [k] hold. Notice that J may also satisfy a < u −b | b, meaning it may still be the case that x 1 · a ≤ u b together with the above instance is satisfied by J . In such a case, we may invoke CEGQI S BV k again, which may produce the same solved form for x 1 if it constructs a solved form for x 1 again based on the literal x 1 · a ≤ u b. Hence, by the terminology from Definition 5, the selection function S BV k is not monotonic for quantified formulas with more than one occurrence of a universal variable.
Similarly, if the literals of the input formula have multiple occurrences of x 1 , then multiple instances may be returned by the selection function since the literals returned by linearize in Figure 3 depend on the model value of x 1 , and hence more than one possible instance may be considered in loop in Figure 2.
The following theorem summarizes the properties of our selection functions. In the following, we say a quantified formula is unit linear invertible if it is of the form ∀x. [x] where is linear in x and has an invertibility condition for x. We say a selection function is n-finite for a quantified formula ψ if the number of possible instantiations it returns is at most n for some positive integer n. Proof. Let x = (x 1 , . . . , x n ) be a tuple of variables and let ϕ be a quantifier-free T BV -formula. We show each part for the case where n = 1; the arguments below can be lifted to n > 1 in a straightforward way. Let Γ be a set of formulas such that x 1 ∈ F V(Γ ), let I be a model of T BV such that I |= Γ ∪ {¬ϕ}, and let t 1 be S BV c ((x 1 ), I, Γ ). Part 1) To show that S BV c is a selection function, we must show that t 1 is ε-valid and F V(t 1 ) ⊆ F V(ϕ) \ {x 1 }. Notice that for all configurations, the value (t 1 ) returned by S BV c is either of the form x I 1 or solve(x 1 , ) for some ∈ Lit(Γ ). In the former case, we have that t 1 is clearly ε-valid and F V(t 1 ) = ∅. In the latter case, as a consequence of Theorem 3, we have that t 1 is ε-valid and F V(t 1 ) ⊆ F V( ). We have that ∈ Lit(ϕ) and thus F V( ) ⊆ F V(ϕ). Thus, in either case, we have F V(t 1 ) ⊆ F V(ϕ) \ {x 1 }. Hence, S BV c is a selection function for c = m, k, s, b. To show these selection functions are finite for ϕ, note that the number of terms of form x I 1 is finite. Also note that the number of literals in Lit(ϕ) is finite. For each c and ∈ Lit(ϕ), set of literals of the form project c (I, ), call this set N , is finite. For each literal ∈ N , the set of literals returned by linearize(x i , I, ), call this set N , is also finite. Since it is either the case that t 1 = solve(x 1 , ) for some ∈ N or t 1 = x I 1 , the number of possible return values of S BV c is finite for (x 1 ) and ϕ for c = m, k, s, b. Part 2) Since x 1 ∈ F V( ) for any literal returned by project m (I, ), it must be the case that t 1 = x I 1 . Assume that project m was not monotonic for (x 1 ) and ϕ = ¬ψ[x 1 ]. Since project m is a selection function by Part 1 and I, Γ is a legal input to project m , then without loss of generality we may assume that ψ[t 1 ] ∈ Γ . However, ¬ψ[x 1 ] ∈ Γ , I |= Γ and since t I 1 = x I 1 , it must instead be the case that ϕ[t 1 ] ∈ Γ . Hence, project m is monotonic for ϕ.
Part 3) Assume ϕ is the unit linear invertible formula . By definition of project k , linearize, and since by definition is linear with respect to x 1 and I |= ¬ , we have that t 1 must be the term returned by solve(x 1 , ¬ ). Hence, S BV k has only one possible return value and hence is 1-finite. This theorem implies that counterexample-guided instantiation using configuration S BV m is a decision procedure for quantified bit-vectors. However, in practice the worst-case number of instances considered by this configuration for a variable x [n] is proportional to the number of its possible values (2 n ), which is practically infeasible for sufficiently large n. More interestingly, counterexample-guided instantiation using S BV k is a decision procedure for quantified formulas that are unit linear invertible, and moreover has the guarantee that at most one instantiation is returned by this selection function. Hence, formulas in this fragment can be effectively reduced to quantifier-free bit-vector constraints in at most two iterations of the loop of procedure CEGQI S in Figure 2.

Implementation
We implemented the new instantiation techniques described in this section as an extension of CVC4, which is a DPLL(T )-based SMT solver [19] that supports quantifier-free bit-vector constraints, (arbitrarily nested) quantified formulas, and support for choice expressions. For the latter, all choice expressions εx. ϕ[x] are eliminated from assertions by replacing them with a fresh variable k of the same type and adding ϕ[k] as a new assertion, which notice is sound since all choice expressions we consider are ε-valid. In the remainder of the paper, we will refer to our extension of the solver as cegqi. In the following, we discuss important implementation details of the extension. are not guaranteed to be monotonic, neither is S BV k for quantified formulas that contain more than one occurrence of universal variables. Hence, when applying these strategies to arbitrary quantified formulas, we use a two-tiered strategy that invokes S BV m as a second resort if the instance for the terms returned by a selection function already exists in Γ .
Linearizing Rewrites Our selection function in Figure 3 uses the function linearize to compute literals that are linear in the variable x i to solve for. The way we presently implement linearize makes those literals dependent on the value of x i in the current model I, with the risk of overfitting to that model. To address this limitation, we use a set of equivalence-preserving rewrite rules whose goal is to reduce the number of occurrences of x i to one when possible, by applying basic algebraic manipulations. As a trivial example, a literal like x i + x i ≈ a is rewritten first to 2 · x i ≈ a which is linear in x i if a does not contain x i . In that case, this literal, and so the original one, has an invertibility condition as discussed in Section 3.

Variable Elimination
We use procedure solve from Section 3 not only for selecting quantifier instantiations, but also for eliminating variables from quantified formulas. In particular, for a quantified formula of the form ∀xy. ⇒ ϕ[x, y], if is linear in x and solve(x, ) returns a term s containing no ε-expressions, we can replace this formula by ∀y. ϕ[s, y]. When is an equality, this is sometimes called destructive equality resolution (DER) and is an important implementation-level optimization in state-of-the-art bit-vector solvers [24]. In our approach, to increase the likelihood that solve returns a term that contains no ε-expressions, we include several optimizations that determine when it can be determined that has a unique solution for x. A common example is an equality that involves multiplication by an odd constant, i.e. x · c ≈ t where c is an odd constant. The only solution for x in this case is c −1 · t where c −1 denotes the (unique) multiplicative inverse of c modulo the bit-width of the type of c, which can be computed by Euclid's algorithm.
Handling Extract Consider formula ∀x [32] . (x[31 : 16] ≈ a [16] ∨ x[15 : 0] ≈ b [16] ). Since all invertibility conditions for the extract operator are , rather than producing choice expressions we have found it more effective to eliminate extracts via rewriting. As a consequence, we independently solve constraints for regions of quantified variables when they appear underneath applications of extract operations. In this example, we let the solved form of x be y [16] • z [16] where y and z are fresh variables, and subsequently solve for these variables in y ≈ a and z ≈ b. Hence, we may instantiate x with a • b, a term that we would not have found by considering the two literals independently in the negated body of the formula above.
Handling Propositional Structure and Nested Quantifiers Notice that Figure 2 describes counterexample-guided quantifier instantiation for an input formula with one level of quantifier alternation. In practice, our technique can be used for problems containing more than one level of quantifier alternation and that are not in prenex normal form. A thoroughout description of this technique is beyond the scope of the paper; we provide some high level details here. Recall that in the DPLL(T ) setting, the SMT solver incrementally builds a truth assignment in the form of a set of literals, with the goal of finding a set that propositionally satisfies all clauses in Γ and is consistent with respect to the background theory. In this setting, we consider all quantified formulas ∀x.ϕ[x] in the current set M . For each of these formulas, we may add clauses of three forms: instantiation lemmas of the form (¬A ∨ ϕ[t]), Skolemization lemmas of the form (¬B ∨ ¬ϕ[k]) where k are fresh constants of the same type as x, and the connecting clauses (∀x.ϕ[x] ⇒ A) and (¬∀x.ϕ[x] ⇒ B) Here, A and B are fresh Boolean constants which we call the positive and negative guard of ∀x.ϕ[x] respectively. The second and third clauses are added once at the time when the quantified formula first occurs in an assignment M . We detect when the negation of a quantified formula along with the current set of clauses Γ is unsatisfiable by checking which negative guards B must be assigned to false. In practice, this is determined by a decision heuristic which insists that negative guards must be decided with positive polarity first. If a quantified formula and its corresponding negative guard are both asserted true, then we add an instantiation lemma to Γ based on the selection function from Figure 3. We terminate as usual when the set Γ is unsatisfiable, or we find a consistent satisfying assignment where no quantified formula and its negative guard are both asserted. This scheme allows the SMT solver to handle multiple quantified formulas simultaneously, as well as handling quantified formulas with arbitrary nesting. Above, notice that ϕ[k] may contain quantifiers, which are recursively handled by introducing instantiation and Skolemization lemmas for quantified formulas that appear in subsequent satisfying assignments.
Negating the Input Formula Our version of counterexample-guided quantifier instantiation is most effective for input formulas that are closed and universal. Thus, when an input formula is of the form ∃x. ϕ where x is non-empty and ϕ may contain quantifiers, we consider its negation ∀x. ¬ϕ instead. The latter formula may be significantly easier to solve since our quantifier instantiation techniques may find an instantiation for x that quickly leads to a proof of unsatisfiability, whereas instantiating x is not possible for the former. Since the theory of bit-vectors is a complete theory, it follows that the original formula is satisfiable if and only if this formula is unsatisfiable.
Rewrite Rules for Quantifier-Free Constraints Finally, we have found that in a DPLL(T )based SMT solver, the quantifier-free bit-vector solver is often the bottleneck when solving quantified bit-vector constraints. For this reason, we use aggressive rewriting techniques for quantifier-free bit-vector constraints with the goal of replacing constraints with expensive propositional encodings with those with simpler encodings.

Evaluation
We implemented our techniques in the solver cegqi and considered four configurations cegqi c , where c is one of {m, k, s, b}, corresponding to the four selection function configurations described in Section 4. Out of these four configurations, cegqi m is the only one that does not employ our new techniques but uses only model values for instantiation. It can thus be considered our base configuration. All configurations enable the optimizations described in Section 4.2 when applicable. We compared them against all entrants of the quantified bit-vector division of the 2017 SMT competition SMT-COMP: Boolector [16], CVC4 [2], Q3B [14] and Z3 [6]. With the exception of Q3B, all solvers are related to our approach since they are instantiation-based. However, none of these solvers utilizes invertibility conditions when constructing instantiations. We ran all experiments on the StarExec logic solving service [23] with a 300 second CPU and wall clock time limit and 100 GB memory limit.  Table 9. Results on satisfiable and unsatisfiable benchmarks with a 300 second timeout.
We evaluated our approach on all 5,151 benchmarks from the quantified bit-vector logic (BV) of SMT-LIB [3]. The results are summarized in Table 9. Configuration cegqi b solves the highest number of unsatisfiable benchmarks (4, 399), which is 30 more than the next best configuration cegqi s and 37 more than the next best external solver, Z3. Compared to the instantiation-based solvers Boolector, CVC4 and Z3, the performance of cegqi b is particularly strong on the h-uauto family, which are verification conditions from the Ultimate Automizer tool [11]. For satisfiable benchmarks, Boolector solves the most (581), which is 36 more than our best configuration cegqi b .
Overall, our best configuration cegqi b solved 335 more benchmarks than our base configuration cegqi m . A more detailed runtime comparison between the two is provided by the scatter plot in Figure 4. Moreover, cegqi b solved 24 more benchmarks than the best external solver, Z3. In terms of uniquely solved instances, cegqi b was able to solve 139 benchmarks that were not solved by Z3, whereas Z3 solved 115 benchmarks that cegqi b did not. Overall, cegqi b was able to solve 21 of the 79 benchmarks (26.6%) not solved by any of the other solvers. For 18 of these 21 benchmarks, it terminated after considering no more than 4 instantiations. These cases indicate that using symbolic terms for instantiation solves problems for which other techniques, such as those that enumerate instantiations based on model values, do not scale.
Interestingly, configuration cegqi k , despite having the strong guarantees given by Theorem 11, performed relatively poorly on this set (with 4, 571 solved instances overall). We attribute this to the fact that most of the quantified formulas in this set are not unit linear invertible. In total, we found that only 25.6% of the formulas consid-ered during solving were unit linear invertible. However, only a handful of benchmarks were such that all quantified formulas in the problem were unit linear invertible. This might explain the superior performance of cegqi s and cegqi b which use invertibility conditions but in a less monolithic way. For some intuition on this, consider the problem ∀x. (x > a∨x < b) where a and b are such that a > b is T BV -valid. Intuitively, to show that this formula is unsatisfiable requires the solver to find an x between b and a. This is apparent when considering the dual problem ∃x. (x ≤ a ∧ x ≥ b). Configuration cegqi b is capable of finding such an x, for instance, by considering the instantiation x → a when solving for the boundary point of the first disjunct. Configuration cegqi k , on the other hand, would instead consider the instantiation of x for two terms that witness ε-expressions: some k 1 that is never smaller than a, and some k 2 that is never greater that b. Neither of these terms necessarily resides in between a and b since the solver may subsequently consider models where k 1 > b and k 2 < a. This points to a potential use for invertibility conditions that solve multiple literals simultaneously, something we are currently investigating.

Conclusion
We have presented a new class of strategies for solving quantified bit-vector formulas based on invertibility conditions. We have derived invertibility conditions for the majority of operators in a standard theory of fixed-width bit-vectors. An implementation based on this approach solves over 25% of previously unsolved verification benchmarks from SMT LIB, and outperforms all other state-of-the-art bit-vector solvers overall.
In future work, we plan to develop a framework in which the correctness of invertibility conditions can be formally established independently of bit-width. We are working on deriving invertibility conditions that are optimal for linear constraints, in the sense of admitting the simplest propositional encoding. We also are investigating conditions that cover additional bit-vector operators, some cases of non-linear literals, as well as those that cover multiple constraints. While this is a challenging task, we believe efficient syntax-guided synthesis solvers can continue to help push progress in this direction. Finally, we plan to investigate the use of invertibility conditions for performing quantifier elimination on bit-vector constraints. This will require a procedure for deriving concrete witnesses from choice expressions.