On Solving Quantified Bit-Vectors using Invertibility Conditions by Niemetz, Aina et al.
Solving Quantified Bit-Vectors using Invertibility Conditions
Aina Niemetz (Stanford University), Mathias Preiner (Stanford University), Andrew Reynolds (The University of Iowa), Clark Barrett (Stanford University), and Cesare Tinelli (The University of Iowa)
Abstract. We present a novel approach for solving quantified bit-vector formulas in Satisfiability Modulo Theories (SMT) based on computing symbolic inverses of bit-vector operators. We derive conditions that precisely characterize when bit-vector constraints are invertible for a representative set of bit-vector operators commonly supported by SMT solvers. We utilize syntax-guided synthesis techniques to aid in establishing these conditions and verify them independently by using several SMT solvers. We show that invertibility conditions can be embedded into quantifier instantiations using Hilbert choice expressions, and give experimental evidence that a counterexample-guided approach for quantifier instantiation utilizing these techniques leads to performance improvements with respect to state-of-the-art solvers for quantified bit-vector constraints.
1 Introduction
Many applications in hardware and software verification rely on Satisfiability Modulo Theories (SMT) solvers for bit-precise reasoning. In recent years, the quantifier-free fragment of the theory of fixed-size bit-vectors has received a lot of interest, as witnessed by the number of applications that generate problems in that fragment and by the high, and increasing, number of solvers that participate in the corresponding division of the annual SMT competition. Modeling properties of programs and circuits, e.g., universal safety properties and program invariants, however, often requires the use of quantified bit-vector formulas. Despite a multitude of applications, reasoning efficiently about such formulas is still a challenge in the automated reasoning community.
The majority of solvers that support quantified bit-vector logics employ instantiation-based techniques [24,21,8,20], which aim to find conflicting ground instances of quantified formulas. For that, it is crucial to select good instantiations for the universal variables, or else the solver may be overwhelmed by the number of ground instances generated. For example, consider a quantified formula ψ = ∀x. (x + s ≉ t) where x, s and t denote bit-vectors of size 32. To prove that ψ is unsatisfiable we can instantiate x with all 2^32 possible bit-vector values. However, ideally, we would like to find a proof that requires far fewer instantiations. In this example, if we instantiate x with the symbolic term t − s (the inverse of x + s ≈ t when solved for x), we can immediately conclude that ψ is unsatisfiable since (t − s) + s ≉ t simplifies to false.
Operators in the theory of bit-vectors are not always invertible. However, we observe it is possible to identify quantifier-free conditions that precisely characterize when they are. We do that for a representative set of operators in the standard theory of bit-vectors supported by SMT solvers. For example, we have proven that the constraint x · s ≈ t is solvable for x if and only if (−s | s) & t ≈ t is satisfiable. Using this observation, we develop a novel approach for solving quantified bit-vector formulas that utilizes invertibility conditions to generate symbolic instantiations. We show that invertibility conditions can be embedded into quantifier instantiations using Hilbert choice functions in a sound manner. This approach has compelling advantages with respect to previous approaches, which we demonstrate in our experiments.
arXiv:1804.05025v2 [cs.LO] 11 May 2018
More specifically, this paper makes the following contributions.
– We derive and present invertibility conditions for a representative set of bit-vector operators that allow us to model all bit-vector constraints in SMT-LIB [3].
– We provide details on how invertibility conditions can be automatically synthesized using syntax-guided synthesis (SyGuS) [1] techniques, and make public 162 available challenge problems for SyGuS solvers that are encodings of this task.
– We prove that our approach can efficiently reduce a class of quantified formulas, which we call unit linear invertible, to quantifier-free constraints.
– Leveraging invertibility conditions, we implement a novel quantifier instantiation scheme as an extension of the SMT solver CVC4 [2], which shows improvements with respect to state-of-the-art solvers for quantified bit-vector constraints.
Related work Quantified bit-vector logics are currently supported by the SMT solvers Boolector [16], CVC4 [2], Yices [7], and Z3 [6] and a Binary Decision Diagram (BDD)-based tool called Q3B [14]. Out of these, only CVC4 and Z3 provide support for combining quantified bit-vectors with other theories, e.g., the theories of arrays or real arithmetic. Arbitrarily nested quantifiers are handled by all but Yices, which only supports bit-vector formulas of the form ∃x∀y. Q[x, y] [8]. For quantified bit-vectors, CVC4 employs counterexample-guided quantifier instantiation (CEGQI) [21], where concrete models of a set of ground instances and the negation of the input formula (the counterexamples) serve as instantiations for the universal variables. In Z3, model-based quantifier instantiation (MBQI) [10] is combined with a template-based model finding procedure [24]. In contrast to CVC4, Z3 not only relies on concrete counterexamples as candidates for quantifier instantiation but generalizes these counterexamples to generate symbolic instantiations by selecting ground terms with the same model value. Boolector employs a syntax-guided synthesis approach to synthesize interpretations for Skolem functions based on a set of ground instances of the formula, and uses a counterexample refinement loop similar to MBQI [20]. Other counterexample-guided approaches for quantified formulas in SMT solvers have been considered by Bjørner and Janota [4] and by Reynolds et al. [22], but they have mostly targeted quantified linear arithmetic and do not specifically address bit-vectors. Quantifier elimination for a fragment of bit-vectors that covers modular linear arithmetic has been recently addressed by John and Chakraborty [13], although we do not explore that direction in this paper.
2 Preliminaries
We assume the usual notions and terminology of many-sorted first-order logic with equality (denoted by ≈). Let S be a set of sort symbols, and for every sort σ ∈ S let X_σ be an infinite set of variables of sort σ. We assume that the sets X_σ are pairwise disjoint and define X as the union of the sets X_σ. Let Σ be a signature consisting of a set Σ^s ⊆ S of sort symbols and a set Σ^f of interpreted (and sorted) function symbols f^{σ1···σnσ} with arity n ≥ 0 and σ1, ..., σn, σ ∈ Σ^s. We assume that a signature Σ includes a Boolean sort Bool and the Boolean constants ⊤ (true) and ⊥ (false). Let I be a Σ-interpretation that maps: each σ ∈ Σ^s to a non-empty set σ^I (the domain of I), with Bool^I = {⊤, ⊥}; each x ∈ X_σ to an element x^I ∈ σ^I; and each f^{σ1···σnσ} ∈ Σ^f to a total function f^I : σ1^I × ... × σn^I → σ^I if n > 0, and to an element in σ^I if n = 0. If x ∈ X_σ and v ∈ σ^I, we denote by I[x ↦ v] the interpretation that maps x to v and is otherwise identical to I. We use the usual inductive definition of a satisfiability relation ⊨ between Σ-interpretations and Σ-formulas.
We assume the usual definition of well-sorted terms, literals, and formulas as Bool terms with variables in X and symbols in Σ, and refer to them as Σ-terms, Σ-atoms, and so on. A ground term/formula is a Σ-term/formula without variables. We define x = (x1, ..., xn) as a tuple of variables and write Qx ϕ with Q ∈ {∀, ∃} for a quantified formula Qx1 ··· Qxn ϕ. We use Lit(ϕ) to denote the set of Σ-literals of Σ-formula ϕ. For a Σ-term or Σ-formula e, we denote the free variables of e (defined as usual) as FV(e) and use e[x] to denote that the variables in x occur free in e. For a tuple of Σ-terms t = (t1, ..., tn), we write e[t] for the term or formula obtained from e by simultaneously replacing each occurrence of xi in e by ti. Given a Σ-formula ϕ[x] with x ∈ X_σ, we use Hilbert's choice operator ε [12] to describe properties of x. We define a choice function εx. ϕ[x] as a term where x is bound by ε. In every interpretation I, εx. ϕ[x] denotes some value v ∈ σ^I such that I[x ↦ v] satisfies ϕ[x] if such values exist, and denotes an arbitrary element of σ^I otherwise. This means that the formula ∃x. ϕ[x] ⇔ ϕ[εx. ϕ[x]] is satisfied by every interpretation.
A theory T is a pair (Σ, I), where Σ is a signature and I is a non-empty class of Σ-interpretations (the models of T) that is closed under variable reassignment, i.e., every Σ-interpretation that only differs from an I ∈ I in how it interprets variables is also in I. A Σ-formula ϕ is T-satisfiable (resp. T-unsatisfiable) if it is satisfied by some (resp. no) interpretation in I; it is T-valid if it is satisfied by all interpretations in I. We say T is a complete theory if for all closed Σ-formulas ϕ, ϕ is either T-valid or T-unsatisfiable. A choice function εx. ϕ[x] is (T-)valid if ∃x. ϕ[x] is (T-)valid. We refer to a term t as ε-(T-)valid if all occurrences of choice functions in t are (T-)valid. We will sometimes omit T when the theory is understood from context.
We will focus on the theory T_BV = (Σ_BV, I_BV) of fixed-size bit-vectors as defined by the SMT-LIB 2 standard [3]. The signature Σ_BV includes a unique sort for each positive bit-vector width n, denoted here as σ[n]. Similarly, X[n] is the set of bit-vector variables of sort σ[n], and X_BV is the union of all sets X[n]. We assume that Σ_BV includes all bit-vector constants of sort σ[n] for each n, represented as bit-strings. However, to simplify the notation we will sometimes denote them by the corresponding natural number in {0, ..., 2^n − 1}. All interpretations I ∈ I_BV are identical except for the value they assign to variables. They interpret sort and function symbols as specified in SMT-LIB 2. All function symbols in Σ^f_BV are overloaded for every σ[n] ∈ Σ^s_BV. We denote a Σ_BV-term (or bit-vector term) t of width n as t[n] when we want to specify its bit-width explicitly. We use maxs[n] or mins[n] for the maximum or minimum signed value of width n, e.g., maxs[4] = 0111 and mins[4] = 1000. The width of a bit-vector sort or term is given by the function κ, e.g., κ(σ[n]) = n and κ(t[n]) = n.
Without loss of generality, we consider a restricted set of bit-vector function symbols (or bit-vector operators) Σ^f_BV as listed in Table 1. The selection of operators in this set is arbitrary but complete in the sense that it suffices to express all bit-vector operators defined in SMT-LIB 2.

Symbol                    SMT-LIB syntax                           Sort
≈, <u, >u, <s, >s         =, bvult, bvugt, bvslt, bvsgt            σ[n] × σ[n] → Bool
∼, −                      bvnot, bvneg                             σ[n] → σ[n]
&, |, <<, >>, >>a         bvand, bvor, bvshl, bvlshr, bvashr       σ[n] × σ[n] → σ[n]
+, ·, mod, ÷              bvadd, bvmul, bvurem, bvudiv             σ[n] × σ[n] → σ[n]
∘                         concat                                   σ[n] × σ[m] → σ[n+m]
[u : l]                   extract                                  σ[n] → σ[u−l+1], 0 ≤ l ≤ u < n
Table 1. Set of considered bit-vector operators with corresponding SMT-LIB 2 syntax.
3 Invertibility Conditions for Bit-Vector Constraints
This section formally introduces the concept of an invertibility condition and shows that
such conditions can be used to construct symbolic solutions for a class of quantifier-free
bit-vector constraints that have a linear shape.
Consider a bit-vector literal x + s ≈ t and assume that we want to solve for x. If the literal is linear in x, that is, has only one occurrence of x, a general solution for x is given by the inverse of bit-vector addition over equality: x = t − s. Computing the inverse of a bit-vector operation, however, is not always possible. For example, for x · s ≈ t, an unconditional inverse exists only if s is guaranteed to evaluate to an odd bit-vector (only odd values are invertible modulo 2^n). Otherwise, there are values for s and t where no such inverse exists, e.g., x · 2 ≈ 3. However, even if there is no unconditional inverse for the general case, we can identify the condition under which a bit-vector operation is invertible. For the bit-vector multiplication constraint x · s ≈ t with x ∉ FV(s) ∪ FV(t), the invertibility condition for x can be expressed by the formula (−s | s) & t ≈ t.
Definition 1. (Invertibility Condition) Let ℓ[x] be a Σ_BV-literal. A quantifier-free Σ_BV-formula φc is an invertibility condition for x in ℓ[x] if x ∉ FV(φc) and φc ⇔ ∃x. ℓ[x] is T_BV-valid.
An invertibility condition for a literal ℓ[x] provides the exact conditions under which ℓ[x] is solvable for x. We call it an "invertibility" condition because we can use Hilbert choice functions to express all such conditional solutions with a single symbolic term, that is, a term whose possible values are exactly the solutions for x in ℓ[x]. Recall that a choice function εy. ϕ[y] represents a solution for a formula ϕ[x] if there exists one, and represents an arbitrary value otherwise. We may use a choice function to describe inverse solutions for a literal ℓ[x] with invertibility condition φc as εy. (φc ⇒ ℓ[y]). For example, for the general case of bit-vector multiplication over equality the choice function is defined as εy. ((−s | s) & t ≈ t ⇒ y · s ≈ t).
solve(x, e[x] ⋈ t):
  If e = x
    If ⋈ ∈ {≈} then return t
    else return εy. (getIC(x, x ⋈ t) ⇒ y ⋈ t).
  else e = ⋄(e1, ..., ei[x], ..., en) with n > 0 and x ∉ FV(ej) for all j ≠ i.
    Let d[x′] = ⋄(e1, ..., ei−1, x′, ei+1, ..., en) where x′ is a fresh variable.
    If ⋈ ∈ {≈, ≉} and ⋄ ∈ {∼, −, +}
      then let t′ = getInverse(x′, d[x′] ≈ t) and return solve(x, ei ⋈ t′)
      else let φc = getIC(x′, d[x′] ⋈ t) and return solve(x, ei ≈ εy. (φc ⇒ d[y] ⋈ t)).
Fig. 1. Function solve for constructing a symbolic solution for x given a linear literal e[x] ⋈ t.
Lemma 2. If φc is an invertibility condition for an ε-valid Σ_BV-literal ℓ[x] and r is the term εy. (φc ⇒ ℓ[y]), then r is ε-valid and ℓ[r] ⇔ ∃x. ℓ[x] is T_BV-valid.
Proof. First we show that r = εy. (φc ⇒ ℓ[y]) is ε-valid, where φc is an invertibility condition for y in ℓ[y]. To do so, since ℓ[y] is ε-valid, we must show that ∃y. (φc ⇒ ℓ[y]) holds in all models of T_BV. Since φc is an invertibility condition for ℓ[y], we have that y ∉ FV(φc) and hence this formula is equivalent to φc ⇒ ∃y. ℓ[y]. Let I be any model of T_BV that satisfies φc. Since φc is an invertibility condition for ℓ[y], by Definition 1, I satisfies ∃y. ℓ[y] as well. Thus, ∃y. (φc ⇒ ℓ[y]) holds in all models of T_BV and hence r is ε-valid.
To show ℓ[r] ⇔ ∃x. ℓ[x] where r is εy. (φc ⇒ ℓ[y]), first consider the direction ∃x. ℓ[x] ⇒ ℓ[r]. Let I be any model of T_BV that satisfies ∃x. ℓ[x]. By definition of ε, I also satisfies ℓ[εy. ℓ[y]]. Since φc is an invertibility condition for ℓ[x], from Def. 1 we have that φc ⇔ ∃y. ℓ[y] holds in all models of T_BV, and thus I also satisfies φc. Hence, since I satisfies ℓ[εy. ℓ[y]] and, under I, the formulas φc ⇒ ℓ[y] and ℓ[y] have the same solutions for y, it also satisfies ℓ[εy. (φc ⇒ ℓ[y])], which is ℓ[r]. Thus, ∃x. ℓ[x] ⇒ ℓ[r] is T_BV-valid. The other direction ℓ[r] ⇒ ∃x. ℓ[x] trivially holds in all models of T_BV. □
Intuitively, the lemma states that when ℓ[x] is satisfiable (under condition φc), any value returned by the choice function εy. (φc ⇒ ℓ[y]) is a solution of ℓ[x] (and thus ∃x. ℓ[x] holds). Conversely, if there exists a value v for x that makes ℓ[x] true, then there is a model of T_BV that interprets εy. (φc ⇒ ℓ[y]) as v.
Now, suppose that Σ_BV-literal ℓ is again linear in x but that x occurs arbitrarily deep in ℓ. Consider, for example, a literal s1 · (s2 + x) ≈ t where x does not occur in s1, s2 or t. We can solve this literal for x by recursively computing the (possibly conditional) inverses of all bit-vector operations that involve x. That is, first we solve s1 · x′ ≈ t for x′, where x′ is a fresh variable abstracting s2 + x, which yields the choice function x′ = εy. ((−s1 | s1) & t ≈ t ⇒ s1 · y ≈ t). Then, we solve s2 + x ≈ x′ for x, which yields the solution x = x′ − s2 = εy. ((−s1 | s1) & t ≈ t ⇒ s1 · y ≈ t) − s2.
Figure 1 describes in pseudo code the procedure to solve for x in an arbitrary literal ℓ[x] = e[x] ⋈ t that is linear in x. We assume that e[x] is built over the set of bit-vector operators listed in Table 1. Function solve recursively constructs a symbolic solution by computing (conditional) inverses as follows. Let function getInverse(x, ℓ[x]) return a term t′ that is the inverse of x in ℓ[x], i.e., such that ℓ[x] ⇔ x ≈ t′. Furthermore, let function getIC(x, ℓ[x]) return the invertibility condition φc for x in ℓ[x]. If e[x] has the form ⋄(e1, ..., en) with n > 0, x must occur in exactly one of the subterms e1, ..., en given that e is linear in x. Let d be the term obtained from e by replacing ei (the subterm containing x) with a fresh variable x′. We solve for subterm ei[x] (treating it as a variable x′) and compute an inverse getInverse(x′, d[x′] ≈ t), if it exists. Note that for a disequality e[x] ≉ t, it suffices to compute the inverse over equality and propagate the disequality down. (For example, for ei[x] + s ≉ t, we compute the inverse t′ = getInverse(x′, x′ + s ≈ t) = t − s and recurse on ei[x] ≉ t′.) If no inverse for e[x] ⋈ t exists, we first determine the invertibility condition φc for d[x′] via getIC(x′, d[x′] ⋈ t), construct the choice function εy. (φc ⇒ d[y] ⋈ t), and set it equal to ei[x], before recursively solving for x. If e[x] = x and the given literal is an equality, we have reached the base case and return t as the solution for x. Note that in Figure 1, for simplicity we omitted one case for which an inverse can be determined, namely x · c ≈ t where c is an odd constant.
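The procedure of Fig. 1, as an added Python example (not the authors' CVC4 implementation), restricted to the relations ≈ and ≉ and to the operators whose inverses and conditions are given in Tables 2 and 4: ∼, −, + and multiplication by an odd constant have exact inverses, while ·, & and | fall back to a choice function. Terms are plain tuples, a choice function is an ('eps', y, cond, lit) node evaluated with the Sect. 2 semantics by searching for a witness y, and check_theorem3 tests the conclusion of Theorem 3 below by enumeration at width 4. The tuple encoding, the operator names and the width are this example's own choices.

```python
"""Function solve of Fig. 1 over the relations ≈ and ≉ and the operators −, ∼, +, ·, &, |,
with concrete checks at width N.  Terms are nested tuples: ('var', name), ('const', v),
(op, arg, ...), and ('eps', y,  cond, lit) for the choice function εy. (cond ⇒ lit[y]).
Added example code, not the authors' implementation."""
import itertools

N = 4                                   # bit-width of the concrete checks
MASK = (1 << N) - 1
ZERO, ONES = ('const', 0), ('const', MASK)          # 0 and ∼0
TRUE = ('eq', ZERO, ZERO)                           # ⊤
OPS = {                                             # SMT-LIB semantics on ints in [0, 2^N)
    'bvneg': lambda a: (-a) & MASK, 'bvnot': lambda a: (~a) & MASK,
    'bvadd': lambda a, b: (a + b) & MASK, 'bvsub': lambda a, b: (a - b) & MASK,
    'bvmul': lambda a, b: (a * b) & MASK, 'bvand': lambda a, b: a & b, 'bvor': lambda a, b: a | b,
}
_counter = itertools.count(1)

def fresh(prefix):
    return f"{prefix}{next(_counter)}"

def free_vars(term):
    if term[0] == 'const': return set()
    if term[0] == 'var': return {term[1]}
    if term[0] == 'eps': return (free_vars(term[2]) | free_vars(term[3])) - {term[1]}
    return set().union(*(free_vars(a) for a in term[1:]))

def evaluate(term, env):
    """Value of a term or formula under env (dict: variable name -> int)."""
    kind = term[0]
    if kind == 'const': return term[1]
    if kind == 'var': return env[term[1]]
    if kind == 'eq': return evaluate(term[1], env) == evaluate(term[2], env)
    if kind == 'ne': return evaluate(term[1], env) != evaluate(term[2], env)
    if kind == 'or': return evaluate(term[1], env) or evaluate(term[2], env)
    if kind == 'eps':                    # Sect. 2: some y with cond ⇒ lit[y] if one exists
        _, y, cond, lit = term
        for v in range(1 << N):
            e2 = dict(env, **{y: v})
            if not evaluate(cond, e2) or evaluate(lit, e2):
                return v
        raise AssertionError("cond is not an invertibility condition for lit")
    return OPS[kind](*(evaluate(a, env) for a in term[1:]))

def get_inverse(op, s, t):
    """Table 4: unconditional inverse of x' in d[x'] ≈ t, or None if the operator has none."""
    if op == 'bvneg': return ('bvneg', t)
    if op == 'bvnot': return ('bvnot', t)
    if op == 'bvadd': return ('bvsub', t, s)
    if op == 'bvmul' and s[0] == 'const' and s[1] % 2 == 1:       # odd constant c: t · c⁻¹ mod 2^N
        return ('bvmul', t, ('const', pow(s[1], -1, 1 << N)))
    return None

def get_ic(op, s, rel, t):
    """Table 2 rows for ·, & and | over ≈ and ≉ (commutative, so the side of x' is irrelevant)."""
    if op == 'bvmul':
        return (('eq', ('bvand', ('bvor', ('bvneg', s), s), t), t) if rel == 'eq'
                else ('or', ('ne', s, ZERO), ('ne', t, ZERO)))
    if op == 'bvand':
        return ('eq', ('bvand', t, s), t) if rel == 'eq' else ('or', ('ne', s, ZERO), ('ne', t, ZERO))
    if op == 'bvor':
        return ('eq', ('bvor', t, s), t) if rel == 'eq' else ('or', ('ne', s, ONES), ('ne', t, ONES))
    raise NotImplementedError(op)

def solve(x, e, rel, t):
    """Symbolic solution r for x in the literal e ⋈ t (rel ∈ {'eq', 'ne'}), after Fig. 1."""
    if e == ('var', x):
        if rel == 'eq':
            return t
        y = fresh('y')                   # x ≉ t is always solvable: εy. (⊤ ⇒ y ≉ t)
        return ('eps', y, TRUE, ('ne', ('var', y), t))
    op, args = e[0], e[1:]
    i = next(k for k, a in enumerate(args) if x in free_vars(a))     # unique, e is linear in x
    s = args[1 - i] if len(args) == 2 else None
    inv = get_inverse(op, s, t)
    if inv is not None:                  # exact inverse: ≈ and ≉ are both pushed down to e_i
        return solve(x, args[i], rel, inv)
    y = fresh('y')                       # otherwise e_i ≈ εy. (φc ⇒ d[y] ⋈ t)
    d_y = tuple(('var', y) if k == i else a for k, a in enumerate(args))
    return solve(x, args[i], 'eq', ('eps', y, get_ic(op, s, rel, t), (rel, (op,) + d_y, t)))

def check_theorem3(x, e, rel, t):
    """Theorem 3 at width N: ℓ[r] ⇔ ∃x. ℓ[x] under every assignment to the other variables.
    Returns (assignments checked, assignments under which ℓ[x] is solvable)."""
    lit, r = (rel, e, t), solve(x, e, rel, t)
    assert free_vars(r) <= free_vars(lit) - {x}          # FV(r) ⊆ FV(ℓ) \ {x}
    others = sorted(free_vars(lit) - {x})
    checked = solvable = 0
    for vals in itertools.product(range(1 << N), repeat=len(others)):
        env = dict(zip(others, vals))
        exists = any(evaluate(lit, dict(env, **{x: v})) for v in range(1 << N))
        if evaluate(lit, dict(env, **{x: evaluate(r, env)})) != exists:
            raise AssertionError(f"Theorem 3 violated at {env}: r = {r}")
        checked, solvable = checked + 1, solvable + exists
    return checked, solvable

if __name__ == '__main__':
    X, S1, S2, T = ('var', 'x'), ('var', 's1'), ('var', 's2'), ('var', 't')
    e = ('bvmul', S1, ('bvadd', S2, X))      # the example s1 · (s2 + x) ≈ t above
    print(solve('x', e, 'eq', T))            # εy. ((−s1 | s1) & t ≈ t ⇒ s1 · y ≈ t) − s2, as tuples
    print(check_theorem3('x', e, 'eq', T))
```

The choice-function node is never "computed away": evaluating it searches for a witness, which is exactly what makes the Sect. 2 semantics concrete at a small width and what an SMT solver replaces by an instantiation in Sect. 4.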
Theorem 3. Let ℓ[x] be an ε-valid Σ_BV-literal linear in x, and let r = solve(x, ℓ[x]). Then r is ε-valid, FV(r) ⊆ FV(ℓ) \ {x} and ℓ[r] ⇔ ∃x. ℓ[x] is T_BV-valid.
Proof. We assume without loss of generality that ℓ[x] is of the form e[x] ⋈ t. Since ℓ[x] is linear with respect to x, we have that x ∉ FV(t). We show all statements of the theorem by structural induction on the term e[x].
Consider the case when e[x] is x. If ⋈ is ≈, then r is t. We have that r is ε-valid, x ∉ FV(r) since x ∉ FV(t), and t ≈ t ⇔ ∃x. x ≈ t holds in all models of T_BV. Otherwise, when ⋈ is not ≈, we have that r is εy. (ψ ⇒ y ⋈ t) where ψ is getIC(x′, x′ ⋈ t). By definition of getIC, we have that FV(ψ) ⊆ FV(t), and hence FV(r) is a subset of FV(t), which is equal to FV(ℓ[x]) \ {x}. Furthermore, since ψ is an invertibility condition for x′ in x′ ⋈ t, by Lemma 2, r is ε-valid and r ⋈ t ⇔ ∃x. x ⋈ t.
Otherwise, e[x] must be of the form ⋄(e1, ..., ei[x], ..., en) for n > 0, where x ∉ FV(ej) for each j ≠ i. Let d[x′] be ⋄(e1, ..., ei−1, x′, ei+1, ..., en), and notice that x ∉ FV(d[x′]). We have that r is solve(x, ei[x] ⋈i ti) for some relation ⋈i and term ti, where ti is either getInverse(x′, d[x′] ≈ t) or εy. (ψ ⇒ d[y] ⋈ t) with ψ = getIC(x′, d[x′] ⋈ t). In both cases, by definition of getInverse and getIC, we have that ti is ε-valid, due to Lemma 2 and since ℓ[x] is ε-valid. Also in both cases, we have that FV(ti) ⊆ (FV(t) ∪ FV(d[x′])) \ {x′} ⊆ FV(ℓ[x]) \ {x}. Since e[x] ⋈ t is ε-valid and linear with respect to x and x ∉ FV(ti), the literal ei[x] ⋈i ti is ε-valid and linear with respect to x as well. Thus, by the induction hypothesis, we have that r is ε-valid, FV(r) ⊆ FV(ei[x] ⋈i ti) \ {x} and the formula ei[r] ⋈i ti ⇔ ∃x. ei[x] ⋈i ti holds in all models of T_BV. Since FV(r) ⊆ FV(ei[x] ⋈i ti) \ {x} and since FV(ei[x]) ⊆ FV(ℓ[x]) and FV(ti) ⊆ FV(ℓ[x]), we have that FV(r) ⊆ FV(ℓ[x]) \ {x}.
It remains to show e[r] ⋈ t ⇔ ∃x. e[x] ⋈ t. In the case that ⋈ ∈ {≈, ≉} and ⋄ ∈ {∼, −, +}, we have that ⋈i is ⋈ and ti is getInverse(x′, d[x′] ≈ t). By definition of getInverse and since ⋈ ∈ {≈, ≉}, we have that ei[x] ⋈ ti and d[ei[x]] ⋈ t are equivalent. Since d[ei[x]] = e[x], the latter literal is e[x] ⋈ t. Thus, since ei[r] ⋈ ti ⇔ ∃x. ei[x] ⋈ ti, we have that e[r] ⋈ t ⇔ ∃x. e[x] ⋈ t. Otherwise, we have that ⋈i is ≈ and ti is εy. (ψ ⇒ d[y] ⋈ t) with ψ = getIC(x′, d[x′] ⋈ t). Since ψ is an invertibility condition for x′ in d[x′] ⋈ t, by Lemma 2, we have that d[ti] ⋈ t ⇔ ∃xi. d[xi] ⋈ t holds in all models of T_BV. Clearly e[r] ⋈ t ⇒ ∃x. e[x] ⋈ t holds in all models of T_BV. Now, consider any model I of T_BV that satisfies ∃x. e[x] ⋈ t. Since e[x] = d[ei[x]], we have that I satisfies ∃xi. d[xi] ⋈ t as well. Thus, since d[ti] ⋈ t ⇔ ∃xi. d[xi] ⋈ t holds in all models of T_BV, we have that I satisfies d[ti] ⋈ t. Notice that I satisfies ∃x. d[ei[x]] ⋈ t by assumption and I satisfies d[ti] ⋈ t. Thus, since ti is εy. (ψ ⇒ d[y] ⋈ t), we have that ∃xi. ei[xi] ≈ ti. Since by the induction hypothesis ei[r] ≈ ti ⇔ ∃x. ei[x] ≈ ti holds in all models of T_BV, we have that I satisfies ei[r] ≈ ti. Thus, since I satisfies d[ti] ⋈ t, we have that I also satisfies d[ei[r]] ⋈ t, which is e[r] ⋈ t. Thus, ∃x. e[x] ⋈ t ⇒ e[r] ⋈ t holds in all models of T_BV. □
Tables 2–3 list the invertibility conditions for bit-vector operators {·, mod, ÷, &, |, >>, >>a, <<, ∘} over relations {≈, ≉, <u, >u}. Due to space restrictions we omit the conditions for signed inequalities since they can be expressed in terms of unsigned inequality. We omit the invertibility conditions over {≤u, ≥u} since they can generally be constructed by combining the corresponding conditions for equality and inequality, although there might be more succinct equivalent conditions.
Table 4 shows the rules for inverse computation for bit-vector operators {−, ∼, +, ·} over equality. Tables 5–8 list the remaining invertibility conditions for x ⋈ t and bit-vector operators {∼, −, +, ·, mod, ÷, &, |, >>, >>a, <<, ∘}.
The idea of computing the inverse of bit-vector operators has been used successfully in a recent local search approach for solving quantifier-free bit-vector constraints by Niemetz et al. [17]. There, target values are propagated via inverse value computation. In contrast, our approach does not determine single inverse values based on concrete assignments but aims at finding symbolic solutions through the generation of conditional inverses. In an extended version of that work [18], the same authors present rules for inverse value computation over equality but they provide no proof of correctness for them. We define invertibility conditions not only over equality but also disequality and (un)signed inequality, and verify their correctness up to a certain bit-width.
x · s ⋈ t
    ≈: (−s | s) & t ≈ t
    ≉: s ≉ 0 ∨ t ≉ 0
x mod s ⋈ t
    ≈: ∼(−s) ≥u t
    ≉: s ≉ 1 ∨ t ≉ 0
s mod x ⋈ t
    ≈: (t + t − s) & s ≥u t
    ≉: s ≉ 0 ∨ t ≉ 0
x ÷ s ⋈ t
    ≈: (s · t) ÷ s ≈ t
    ≉: s ≉ 0 ∨ t ≉ ∼0
s ÷ x ⋈ t
    ≈: s ÷ (s ÷ t) ≈ t
    ≉: s & t ≈ 0 for κ(s) = 1, ⊤ otherwise
x & s ⋈ t
    ≈: t & s ≈ t
    ≉: s ≉ 0 ∨ t ≉ 0
x | s ⋈ t
    ≈: t | s ≈ t
    ≉: s ≉ ∼0 ∨ t ≉ ∼0
x >> s ⋈ t
    ≈: (t << s) >> s ≈ t
    ≉: t ≉ 0 ∨ s <u κ(s)
s >> x ⋈ t
    ≈: ⋁_{i=0}^{κ(s)} s >> i ≈ t
    ≉: s ≉ 0 ∨ t ≉ 0
x >>a s ⋈ t
    ≈: (s <u κ(s) ⇒ (t << s) >>a s ≈ t) ∧ (s ≥u κ(s) ⇒ (t ≈ ∼0 ∨ t ≈ 0))
    ≉: ⊤
s >>a x ⋈ t
    ≈: ⋁_{i=0}^{κ(s)} s >>a i ≈ t
    ≉: (t ≉ 0 ∨ s ≉ 0) ∧ (t ≉ ∼0 ∨ s ≉ ∼0)
x << s ⋈ t
    ≈: (t >> s) << s ≈ t
    ≉: t ≉ 0 ∨ s <u κ(s)
s << x ⋈ t
    ≈: ⋁_{i=0}^{κ(s)} s << i ≈ t
    ≉: s ≉ 0 ∨ t ≉ 0
x ∘ s ⋈ t
    ≈: s ≈ t[κ(s) − 1 : 0]
    ≉: ⊤
s ∘ x ⋈ t
    ≈: s ≈ t[κ(t) − 1 : κ(t) − κ(s)]
    ≉: ⊤
Table 2. Conditions for the invertibility of bit-vector operators over (dis)equality. Those for ·, & and | are given modulo commutativity of those operators.

x · s ⋈ t
    <u: t ≉ 0
    >u: t <u −s | s
x mod s ⋈ t
    <u: t ≉ 0
    >u: t <u ∼(−s)
s mod x ⋈ t
    <u: t ≉ 0
    >u: t <u s
x ÷ s ⋈ t
    <u: 0 <u s ∧ 0 <u t
    >u: ∼0 ÷ s >u t
s ÷ x ⋈ t
    <u: 0 <u ∼(−t & s) ∧ 0 <u t
    >u: t <u ∼0
x & s ⋈ t
    <u: t ≉ 0
    >u: t <u s
x | s ⋈ t
    <u: s <u t
    >u: t <u ∼0
x >> s ⋈ t
    <u: t ≉ 0
    >u: t <u ∼s >> s
s >> x ⋈ t
    <u: t ≉ 0
    >u: t <u s
x >>a s ⋈ t
    <u: t ≉ 0
    >u: t <u ∼0
s >>a x ⋈ t
    <u: (s <u t ∨ s ≥s 0) ∧ t ≉ 0
    >u: s <s (s >> ∼t) ∨ t <u s
x << s ⋈ t
    <u: t ≉ 0
    >u: t <u ∼0 << s
s << x ⋈ t
    <u: t ≉ 0
    >u: ⋁_{i=0}^{κ(s)} (s << i) >u t
x ∘ s ⋈ t, where tx = t[κ(t) − 1 : κ(t) − κ(x)], ts = t[κ(s) − 1 : 0]
    <u: tx ≈ 0 ⇒ s <u ts
    >u: tx ≈ ∼0 ⇒ s >u ts
s ∘ x ⋈ t, where tx = t[κ(x) − 1 : 0], ts = t[κ(t) − 1 : κ(t) − κ(s)]
    <u: s ≤u ts ∧ (s ≈ ts ⇒ tx ≉ 0)
    >u: s ≥u ts ∧ (s ≈ ts ⇒ tx ≉ ∼0)
Table 3. Conditions for the invertibility of bit-vector operators over unsigned inequality. Those for ·, & and | are given modulo commutativity of those operators.

ℓ[x]                        getInverse(x, ℓ[x])
−x ≈ t                      −t
∼x ≈ t                      ∼t
x + s ≈ t                   t − s
x · s ≈ t with s const      t · s⁻¹ with s · s⁻¹ ≈ 1
Table 4. Inverse computation for bit-vector operators {−, ∼, +, ·} over ≈. Those for + and · are given modulo commutativity of those operators.

ℓ[x] ∈ {x ⋈ t, −x ⋈ t, ∼x ⋈ t, x + s ⋈ t} (all four literals share the same conditions)
    <u: t ≉ 0
    >u: t ≉ ∼0
    <s: t ≉ mins
    >s: t ≉ maxs
    ≤u, ≥u, ≤s, ≥s: ⊤
Table 5. Conditions for the invertibility for x ⋈ t and bit-vector operators {−, ∼, +} over inequality. The one for + is given modulo commutativity of +.

x · s ⋈ t
    ≤u: ⊤
    ≥u: −s | s ≥u t
x mod s ⋈ t
    ≤u: ⊤
    ≥u: ∼(−s) ≥u t
s mod x ⋈ t
    ≤u: ⊤
    ≥u: (t + t − s) & s ≥u t ∨ t <u s
x ÷ s ⋈ t
    ≤u: s | t ≥u ∼(−s)
    ≥u: (s · t) ÷ t & s ≈ s
s ÷ x ⋈ t
    ≤u: 0 <u ∼s | t
    ≥u: ⊤
x & s ⋈ t
    ≤u: ⊤
    ≥u: s ≥u t
x | s ⋈ t
    ≤u: t ≥u s
    ≥u: ⊤
x >> s ⋈ t
    ≤u: ⊤
    ≥u: (t << s) >> s ≈ t
s >> x ⋈ t
    ≤u: ⊤
    ≥u: s ≥u t
x >>a s ⋈ t
    ≤u: ⊤
    ≥u: ⊤
s >>a x ⋈ t
    ≤u: s <u mins ∨ t ≥u s
    ≥u: s ≥u ∼s ∨ s ≥u t
x << s ⋈ t
    ≤u: ⊤
    ≥u: ∼0 << s ≥u t
s << x ⋈ t
    ≤u: ⊤
    ≥u: ⋁_{i=0}^{κ(s)} (s << i) ≥u t
x ∘ s ⋈ t, where tx = t[κ(t) − 1 : κ(t) − κ(x)], ts = t[κ(s) − 1 : 0]
    ≤u: tx ≈ 0 ⇒ s ≤u ts
    ≥u: tx ≈ ∼0 ⇒ s ≥u ts
s ∘ x ⋈ t, where tx = t[κ(x) − 1 : 0], ts = t[κ(t) − 1 : κ(t) − κ(s)]
    ≤u: s ≤u ts
    ≥u: s ≥u ts
Table 6. Conditions for the invertibility of bit-vector operators over ≤u and ≥u. Those for ·, & and | are given modulo commutativity of those operators.

x · s ⋈ t
    <s: ∼(−t) & (−s | s) <s t
    >s: t <s t − ((s | t) | −s)
x mod s ⋈ t
    <s: ∼t <s (−s | −t)
    >s: (s >s 0 ⇒ t <s ∼(−s)) ∧ (s ≤s 0 ⇒ t ≉ maxs) ∧ (t ≉ 0 ∨ s ≉ 1)
s mod x ⋈ t
    <s: s <s t ∨ 0 <s t
    >s: (s ≥s 0 ⇒ s >s t) ∧ (s <s 0 ⇒ ((s − 1) >> 1) >s t)
x ÷ s ⋈ t
    <s: t ≤s 0 ⇒ mins ÷ s <s t
    >s: ∼0 ÷ s >s t ∨ maxs ÷ s >s t
s ÷ x ⋈ t
    <s: s <s t ∨ t ≥s 0
    >s: s >s t for κ(s) = 1; (s ≥s 0 ⇒ s >s t) ∧ (s <s 0 ⇒ s >> 1 >s t) otherwise
x & s ⋈ t
    <s: ∼(−t) & s <s t
    >s: t <s s & maxs
x | s ⋈ t
    <s: ∼(s − t) | s <s t
    >s: t <s (s | maxs)
x >> s ⋈ t
    <s: ∼(−t) >> s <s t
    >s: t <s (maxs << s) >> s
s >> x ⋈ t
    <s: s <s t ∨ 0 <s t
    >s: (s <s 0 ⇒ s >> 1 >s t) ∧ (s ≥s 0 ⇒ s >s t)
x >>a s ⋈ t
    <s: mins >>a s <s t
    >s: t <s maxs >> s
s >>a x ⋈ t
    <s: s <s t ∨ 0 <s t
    >s: t <s s & maxs ∧ t <s s | maxs
x << s ⋈ t
    <s: (mins >> s) << s <s t
    >s: t <s (maxs << s) & maxs
s << x ⋈ t
    <s: mins << s <u t + mins
    >s: ⋁_{i=0}^{κ(s)} (s << i) >s t
x ∘ s ⋈ t, where tx = t[κ(t) − 1 : κ(t) − κ(x)], ts = t[κ(s) − 1 : 0]
    <s: tx ≈ mins ⇒ s <u ts
    >s: tx ≈ maxs ⇒ s >u ts
s ∘ x ⋈ t, where tx = t[κ(x) − 1 : 0], ts = t[κ(t) − 1 : κ(t) − κ(s)]
    <s: (s ≤s ts) ∧ (s ≈ ts ⇒ tx ≉ 0)
    >s: (s ≥s ts) ∧ (s ≈ ts ⇒ tx ≉ ∼0)
Table 7. Conditions for the invertibility of bit-vector operators over <s and >s. Those for ·, & and | are given modulo commutativity of those operators.

x · s ⋈ t
    ≤s: ¬(s ≈ 0 ∧ t <s s)
    ≥s: (−s | s) & maxs ≥s t
x mod s ⋈ t
    ≤s: ∼0 <s −s & t
    ≥s: t <s s ∨ 0 ≥s s
s mod x ⋈ t
    ≤s: t <u mins ∨ t ≥s s
    ≥s: (s ≥s 0 ⇒ s ≥s t) ∧ ((s <s 0 ∧ t ≥s 0) ⇒ s − t >u t)
x ÷ s ⋈ t
    ≤s: ((s · t) ÷ s ≈ t) ∨ (t ≤s 0 ⇒ mins ÷ s <s t)
    ≥s: (∼0 ÷ s ≥s t) ∨ (maxs ÷ s ≥s t)
s ÷ x ⋈ t
    ≤s: t ≥s ∼0 ∨ t ≥s s
    ≥s: (s ≥s 0 ⇒ s ≥s t) ∧ (s <s 0 ⇒ s >> 1 ≥s t)
x & s ⋈ t
    ≤s: s ≥u t & mins
    ≥s: s & t ≈ t ∨ t <s (t − s) & s
x | s ⋈ t
    ≤s: t ≥s s | mins
    ≥s: s & t
x >> s ⋈ t
    ≤s: t ≥s t >> s
    ≥s: s ≉ 0 ⇒ ∼0 >> s ≥s t
s >> x ⋈ t
    ≤s: t <u mins ∨ t ≥s s
    ≥s: (s <s 0 ⇒ s >> 1 ≥s t) ∧ (s ≥s 0 ⇒ s ≥s t)
x >>a s ⋈ t
    ≤s: t ≥s ∼(maxs >> s)
    ≥s: maxs >> s ≥s t
s >>a x ⋈ t
    ≤s: t ≥s 0 ∨ t ≥s s
    ≥s: t ≥u ∼t ∨ s ≥s t
x << s ⋈ t
    ≤s: t >> (t >> s) <u mins
    ≥s: (maxs << s) & maxs ≥s t
s << x ⋈ t
    ≤s: t >> s <u mins
    ≥s: ⋁_{i=0}^{κ(s)} (s << i) ≥s t
x ∘ s ⋈ t, where tx = t[κ(t) − 1 : κ(t) − κ(x)], ts = t[κ(s) − 1 : 0]
    ≤s: tx ≈ mins ⇒ s ≤u ts
    ≥s: tx ≈ maxs ⇒ s ≥u ts
s ∘ x ⋈ t, where tx = t[κ(x) − 1 : 0], ts = t[κ(t) − 1 : κ(t) − κ(s)]
    ≤s: s ≤s ts
    ≥s: s ≥s ts
Table 8. Conditions for the invertibility of bit-vector operators over ≤s and ≥s. Those for ·, & and | are given modulo commutativity of those operators.

3.1 Synthesizing Invertibility Conditions
We have defined invertibility conditions for all bit-vector operators in Σ_BV where no general inverse exists (162 in total). A noteworthy aspect of this work is that we were able to leverage syntax-guided synthesis (SyGuS) technology [1] to help identify these conditions. The problem of finding invertibility conditions for a literal of the form x ⋄ s ⋈ t (or, dually, s ⋄ x ⋈ t) linear in x can be recast as a SyGuS problem by asking whether there exists a binary Boolean function C such that the (second-order) formula ∃C ∀s ∀t. ((∃x. x ⋄ s ⋈ t) ⇔ C(s, t)) is satisfiable. If a SyGuS solver is able to synthesize the function C, then C can be used as the invertibility condition for x ⋄ s ⋈ t. To simplify the SyGuS problem we chose a bit-width of 4 for x, s, and t and eliminated the quantification over x in the formula above by expanding it to
∃C ∀s ∀t. ((⋁_{i=0}^{15} i ⋄ s ⋈ t) ⇔ C(s, t))
Since the search space for SyGuS solvers heavily depends on the input grammar (which defines the solution space for C), we decided to use two grammars with the same set of Boolean connectives but different sets of bit-vector operators:
Or = {¬, ∧, ≈, <u, <s, 0, mins, maxs, s, t, ∼, −, &, |}
Og = {¬, ∧, ∨, ≈, <u, <s, ≥u, ≥s, 0, mins, maxs, s, t, ∼, +, −, &, |, >>, <<}
The selection of constants in the grammar turned out to be crucial for finding solutions, e.g., by adding mins and maxs we were able to synthesize substantially more invertibility conditions for signed inequalities. For each of the two sets of operators, we generated 140 SyGuS problems³, one for each combination of bit-vector operator ⋄ ∈ {·, mod, ÷, &, |, >>, >>a, <<} over relation ⋈ ∈ {≈, ≉, <u, ≤u, >u, ≥u, <s, ≤s, >s, ≥s}, and used the SyGuS extension of the CVC4 solver [21] to solve these problems.
Using operators Or (Og) we were able to synthesize 98 (116) out of 140 invertibility conditions, with 118 unique solutions overall. When we found more than one solution for a condition (either with operators Or and Og, or manually) we chose the one that involved the smallest number of bit-vector operators. Thus, we ended up using 79 out of 118 synthesized conditions and 83 manually crafted conditions.
In some cases, the SyGuS approach was able to synthesize invertibility conditions that were smaller than those we had manually crafted. For example, we manually defined the invertibility condition for x · s ≈ t as (t ≈ 0) ∨ ((t & −t) ≥u (s & −s) ∧ (s ≉ 0)). With SyGuS we obtained ((−s | s) & t) ≈ t. For some other cases, however, the synthesized solution involved more bit-vector operators than needed. For example, for x mod s ≉ t we manually defined the invertibility condition (s ≉ 1) ∨ (t ≉ 0), whereas SyGuS produced the solution ∼(−s) | t ≉ 0. For the majority of invertibility conditions, finding a solution did not require more than one hour of CPU time on an Intel Xeon E5-2637 with 3.5 GHz. Interestingly, the most time-consuming synthesis task (over 107 hours of CPU time) was finding condition ((t + t) − s) & s ≥u t for s mod x ≈ t. A small number of synthesized solutions were only correct for a bit-width of 4, e.g., solution (∼s << s) << s <s t for x ÷ s <s t. In total, we found 6 width-dependent synthesized solutions, all of them for bit-vector operators ÷ and mod. For those, we used the manually crafted invertibility conditions instead.
³ Available at https://cvc4.cs.stanford.edu/papers/CAV2018-QBV/
3.2 Verifying Invertibility Conditions
We verified the correctness of all 162 invertibility conditions for bit-widths from 1
to 65 by checking for each bit-width the TBV -unsatisfiability of the formula ¬(φc ⇔
∃x. `[x]) where ` ranges over the literals in Tables 2–3 with s and t replaced by fresh
constants, and φc is the corresponding invertibility condition.
In total, we generated 12,980 verification problems and used all participating solvers
of the quantified bit-vector division of SMT-competition 2017 to verify them. For each
solver/benchmark pair we used a CPU time limit of one hour and a memory limit of
8GB on the same machines as those mentioned in the previous section. We consider an
invertibility condition to be verified for a certain bit-width if at least one of the solvers
was able to report unsatisfiable for the corresponding formula within the given time
limit. Out of the 12,980 instances, we were able to verify 12,277 (94.6%).
Overall, all verification tasks (including timeouts) required a total of 275 days of CPU time. The success rate of each individual solver was 91.4% for Boolector, 85.0% for CVC4, 50.8% for Q3B, and 92% for Z3. We observed that on 30.6% of the problems, Q3B exited with a Python exception without returning any result. For bit-vector operators {∼, −, +, &, |, >>, >>a, <<, ◦}, over all relations, and for operators {·, ÷, mod} over relations {≉, ≤u, ≤s}, we were able to verify all invertibility conditions for all bit-widths in the range 1–65. Interestingly, no solver was able to verify the invertibility conditions for x mod s <s t with a bit-width of 54 and s mod x <u t with bit-widths 35–37 within the allotted time. We attribute this to the underlying heuristics used by the SAT solvers in these systems. All other conditions for <s and <u were verified for all bit-vector operators up to bit-width 65. The remaining conditions for operators {·, ÷, mod} over relations {≈, >u, ≥u, >s, ≥s} were verified up to at least a bit-width of 14. We discovered 3 conditions for s ÷ x ⋈ t with ⋈ ∈ {≉, >s, ≥s} that were not correct for a bit-width of 1. For each of these cases, we added an additional invertibility condition that correctly handles that case.
We leave to future work the task of formally proving that our invertibility conditions
are correct for all bit-widths. Since this will most likely require the development of an
interactive proof, we could leverage some recent work by Ekici et al. [9] that includes a
formalization in the Coq proof assistant of the SMT-LIB theory of bit-vectors.
4 Counterexample-Guided Instantiation for Bit-Vectors
In this section, we leverage techniques from the previous section for constructing sym-
bolic solutions to bit-vector constraints to define a novel instantiation-based technique
for quantified bit-vector formulas. At a high level, we use a counterexample-guided
approach for quantifier instantiation that adds new instances to a set of quantifier-free
CEGQIS(∃y∀x. ψ[y,x])
Γ := ∅
Repeat:
1. If Γ is T-unsatisfiable, then return “unsat”.
2. Otherwise, if Γ′ = Γ ∪ {¬ψ[y,x]} is T-unsatisfiable, then return “sat”.
3. Otherwise, let I be a model of T and Γ′ and t = S(x, ψ, I, Γ). Γ := Γ ∪ {ψ[y, t]}.
Fig. 2. A counterexample-guided quantifier instantiation procedure CEGQIS, parameterized by a selection function S, for determining the T-satisfiability of ∃y∀x. ψ[y,x] with ψ quantifier-free and FV(ψ) = y ∪ x.
clauses based on models for the negated input formula. The procedure terminates if it finds a set of instances that is unsatisfiable or entails the negation of the input formula.
We use a counterexample-guided approach for quantifier instantiation, as given by procedure CEGQIS in Figure 2. To simplify the exposition here, we focus on input problems expressed as a single formula in prenex normal form and with up to one quantifier alternation. We stress, though, that the approach applies in general to arbitrary sets of quantified formulas in some Σ-theory T with a decidable quantifier-free fragment. The procedure checks via instantiation the T-satisfiability of a quantified input formula ϕ of the form ∃y∀x. ψ[x,y] where ψ is quantifier-free and x and y are possibly empty sequences of variables. It maintains an evolving set Γ, initially empty, of quantifier-free instances of the input formula. During each iteration of the procedure’s loop, there are three possible cases: 1) if Γ is T-unsatisfiable, the input formula ϕ is also T-unsatisfiable and “unsat” is returned; 2) if Γ is T-satisfiable but not together with ¬ψ[y,x], the negated body of ϕ, then Γ entails ϕ in T, hence ϕ is T-satisfiable and “sat” is returned; 3) if neither of the previous cases holds, the procedure adds to Γ an instance of ψ obtained by replacing the variables x with some terms t, and continues. The procedure CEGQIS is parameterized by a selection function S that generates the terms t.
Definition 4. (Selection Function) A selection function takes as input a tuple of variables x, a model I of T, a quantifier-free Σ-formula ψ[x], and a set Γ of Σ-formulas such that x ∉ FV(Γ) and I |= Γ ∪ {¬ψ}. It returns a tuple of ε-valid terms t of the same type as x such that FV(t) ⊆ FV(ψ) \ x.
Definition 5. Let ψ[x] be a quantifier-free Σ-formula. A selection function is:
1. Finite for x and ψ if there is a finite set S∗ such that S(x, ψ, I, Γ) ∈ S∗ for all legal inputs I and Γ.
2. Monotonic for x and ψ if for all legal inputs I and Γ, S(x, ψ, I, Γ) = t only if ψ[t] ∉ Γ.
Procedure CEGQIS is refutation-sound and model-sound for any selection function S, and terminating for selection functions that are finite and monotonic.
Theorem 6 (Correctness of CEGQIS). Let S be a selection function and let ϕ = ∃y∀x. ψ[y,x] be a legal input for CEGQIS. Then the following hold.
1. If CEGQIS(ϕ) returns “unsat”, then ϕ is T-unsatisfiable.
2. If CEGQIS(ϕ) returns “sat” for some final Γ, then ϕ is T-equivalent to ∃y. ⋀_{γ∈Γ} γ.
3. If S is finite and monotonic for x and ψ, then CEGQIS(ϕ) terminates.
Proof. We show each part of the theorem below. Note that by the definition of CEGQIS and since S is a selection function, all inputs I and Γ given to S in the loop of this function are legal inputs. Also note that for the first two parts, we have that CEGQIS(ϕ) terminates in a state where Γ is a set of formulas of the form ψ[y, t] where, since S is a selection function, t is a tuple of ε-valid terms and FV(t) ⊆ y.
Part 1) By definition of CEGQIS, if CEGQIS(ϕ) returns “unsat”, then Γ is T-unsatisfiable. By the definition of CEGQIS, we have that Γ is a set of formulas of the form ψ[y, t]. For each ψ[y, t] ∈ Γ, we have that t is ε-valid since S is a selection function, and hence ∀x. ψ[y,x] ⇒ ψ[y, t] holds in all models of T. Since Γ is T-unsatisfiable, ∀x. ψ[y,x] is T-unsatisfiable, and hence ϕ is as well.
Part 2) By definition of CEGQIS, if CEGQIS(ϕ) returns “sat”, then Γ is T-satisfiable and Γ′ = Γ ∪ {¬ψ[y,x]} is T-unsatisfiable. For each ψ[y, t] ∈ Γ, we have that FV(t) ⊆ y and hence FV(Γ) ⊆ y. Since x ∉ FV(Γ), we have that Γ ∪ {∃x. ¬ψ[y,x]} is also T-unsatisfiable. Let I be an arbitrary model of Γ. Since Γ′ is unsatisfiable, it must be that I ⊭ ∃x. ¬ψ[y,x] and hence I |= ∀x. ψ[y,x]. Thus Γ ⇒ ∀x. ψ[y,x] and hence ∃y. Γ ⇒ ϕ holds in all models of T. By the same reasoning as Part 1, we have that ϕ ⇒ ∃y. Γ holds in all models as well. Thus, ϕ is equivalent to ∃y. Γ.
Part 3) Assume S is monotonic and finite for ψ[y,x]. Since it is finite, let S∗ be a finite set such that S(x, ψ, I, Γ) ∈ S∗ for all valid inputs I, Γ. Since it is monotonic, each iteration of the loop adds a new formula from S∗ to Γ. Since S∗ is finite, the number of iterations of this loop is bounded by the size of S∗. Hence, CEGQIS(ϕ) terminates. □
Thanks to this theorem, to define a T-satisfiability procedure for quantified Σ-formulas, it suffices to define a selection function satisfying the criteria of Definition 4. We do that in the following section for TBV.
4.1 Selection functions for bit-vectors
In Figure 3, we define a (class of) selection functions SBVc for quantifier-free bit-vector
formulas, which is parameterized by a configuration c, a value of the enumeration type
{m, k, s, b}. The selection function collects in the set M all the literals occurring in
Γ ′ that are satisfied by I. Then, it collects in the set N a projected form of each literal
in M . This form is computed by the function projectc parameterized by configuration
c. That function transforms its input literal into a form suitable for function solve from
Figure 1. We discuss the intuition for projection operations in more detail below.
Example 7. Consider the ΣBV-literal a ≥u b and the interpretation I where aI = 5 and bI = 3. We have that projectc returns ⊤ for c = m, a ≥u b for c = k, a ≈ b + (5 − 3) for c = s, and a ≈ b + 1 for c = b.
After constructing set N , the selection function computes a term ti for each variable
xi in tuple x, which we call the solved form of xi. To do that, it first constructs a set
SBVc(x, ψ, I, Γ) where c ∈ {m, k, s, b}
  Let M = {ℓ | I |= ℓ, ℓ ∈ Lit(ψ)}, N = {projectc(I, ℓ) | ℓ ∈ M}.
  For i = 1, . . . , n where x = (x1, . . . , xn):
    Let Ni = ⋃_{ℓ[x1,...,xi−1] ∈ N} linearize(xi, I, ℓ[t1, . . . , ti−1]).
    Let ti = solve(xi, choose(Ni)) if Ni is non-empty, and ti = xIi otherwise.
    tj := tj{xi ↦ ti} for each j < i.
  Return (t1, . . . , tn).

projectm(I, s ⋈ t) : return ⊤
projectk(I, s ⋈ t) : return s ⋈ t
projects(I, s ⋈ t) : return s ≈ t + (s − t)I
projectb(I, s ⋈ t) : return s ≈ t if sI = tI; s ≈ t + 1 if sI > tI; s ≈ t − 1 if sI < tI
Fig. 3. Selection functions SBVc for quantifier-free bit-vector formulas. The procedure is parameterized by a configuration c, one of either m (model value), k (keep), s (slack), or b (boundary).
of literals Ni all linear in xi. It considers literals ℓ from N and replaces all previously solved variables x1, . . . , xi−1 by their respective solved forms to obtain the literal ℓ′ = ℓ[t1, . . . , ti−1]. It then calls function linearize on literal ℓ′ which returns a set of literals, each obtained by replacing all but one occurrence of xi in ℓ with the value of xi in I.⁴
Example 8. Consider an interpretation I where xI = 1, and ΣBV-terms a and b with x ∉ FV(a) ∪ FV(b). We have that linearize(x, I, x · (x + a) ≈ b) returns the set {1 · (x + a) ≈ b, x · (1 + a) ≈ b}; linearize(x, I, x ≥u a) returns the singleton set {x ≥u a}; linearize(x, I, a ≉ b) returns the empty set.
If the set Ni is non-empty, the selection function heuristically chooses a literal from Ni (indicated in Figure 3 with choose(Ni)). It then computes a solved form ti for xi by solving the chosen literal for xi with the function solve described in the previous section. If Ni is empty, we let ti be simply the value of xi in the given model I. After that, xi is eliminated from all the previous terms t1, . . . , ti−1 by replacing it with ti. After processing all n variables of x, the tuple (t1, . . . , tn) is returned.
The configurations of selection function SBVc determine how literals in M are modified by the projectc function prior to computing solved forms, based on the current model I. With the model value configuration m, the selection function effectively ignores the structure of all literals in M and (because the set Ni is empty) ends up choosing the value xIi as the solved form of variable xi, for each i. On the other end of the spectrum, the configuration k keeps all literals in M unchanged. The remaining two configurations have an effect on how disequalities and inequalities are handled by projectc. With configuration s, projectc normalizes any kind of literal (equality, inequality or disequality) s ⋈ t to an equality by adding the slack value (s − t)I to t. With configuration b it maps equalities to themselves and inequalities and disequalities to an equality corresponding to a boundary point of the relation between s and t based on the current model. Specifically, it adds one to t if s is greater than t in I, it subtracts one if s is smaller than t, and returns s ≈ t if their value is the same. These two configurations are inspired by quantifier elimination techniques for linear arithmetic [5,15]. In the following, we provide an end-to-end example of our technique for quantifier instantiation that makes use of selection function SBVc.
⁴ This is a simple heuristic to generate literals that can be solved for xi. More elaborate heuristics could be used in practice.
Example 9. Consider formula ϕ = ∃y.∀x1. (x1 · a ≤u b) where a and b are terms with no free occurrences of x1. To determine the satisfiability of ϕ, we invoke CEGQISBVc on ϕ for some configuration c. Say that in the first iteration of the loop, we find that Γ′ = Γ ∪ {x1 · a >u b} is satisfied by some model I of TBV such that xI1 = 1, aI = 1, and bI = 0. We invoke SBVc((x1), I, Γ′) and first compute M = {x1 · a >u b}, the set of literals of Γ′ that are satisfied by I. The table below summarizes the values of the internal variables of SBVc for the various configurations:
config   N1                    t1
m        ∅                     1
k        {x1 · a >u b}         εz. (a <u −b | b) ⇒ z · a >u b
s, b     {x1 · a ≈ b + 1}      εz. ((−a | a) & b + 1 ≈ b + 1) ⇒ z · a ≈ b + 1
In each case, SBVc returns the tuple (t1), and we add the instance t1 · a ≤u b to Γ. Consider configuration k where t1 is the choice expression εz. ((a <u −b | b) ⇒ z · a >u b). Since t1 is ε-valid, due to the semantics of ε, this instance is equivalent to:
((a <u −b | b) ⇒ k · a >u b) ∧ k · a ≤u b (1)
for fresh variable k. This formula is TBV-satisfiable if and only if ¬(a <u −b | b) is TBV-satisfiable. In the second iteration of the loop in CEGQISBVc, set Γ contains formula (1) above. We have two possible outcomes:
i) ¬(a <u −b | b) is TBV-unsatisfiable. Then (1) and hence Γ are TBV-unsatisfiable, and the procedure terminates with “unsat”.
ii) ¬(a <u −b | b) is satisfied by some model J of TBV. Then ∃z. z · a ≤u b is false in J since the invertibility condition of z · a ≤u b is false in J. Hence, Γ′ = Γ ∪ {x1 · a >u b} is unsatisfiable, and the algorithm terminates with “sat”.
In fact, we argue later that quantified bit-vector formulas like ϕ above, which contain only one occurrence of a universal variable, require at most one instantiation before CEGQISBVk terminates. The same guarantee does not hold with the other configurations. In particular, configuration m generates the instantiation where t1 is 1, which simplifies to a ≤u b. This may not be sufficient to show that Γ or Γ′ is unsatisfiable in the second iteration of the loop and the algorithm may resort to enumerating a repeating pattern of instantiations, such as x1 ↦ 1, 2, 3, . . . and so on. This obviously does not scale for problems with large bit-widths.
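The loop of Figure 2 with the model-value configuration m, as an added example (not the paper's or CVC4's code): over a 4-bit domain the quantifier-free satisfiability checks are done by enumeration, and running it on the formula of Example 9 reproduces the x1 ↦ 1, 2, 3, . . . pattern described above. The predicates and the second, unsatisfiable formula are constructed for this example.

```python
"""CEGQI of Figure 2 with the model-value selection function (configuration
m), run over a tiny bit-width so that T_BV-satisfiability can be decided by
enumeration instead of an SMT solver.

Constructed example, not the paper's or CVC4's code. A quantifier-free body
psi(y, x) is a Python predicate over tuples of unsigned n-bit values.
"""
from itertools import product


def find_model(width, n_vars, constraints):
    """First assignment (tuple of ints in [0, 2^width)) satisfying every
    constraint, or None if the set is unsatisfiable. The brute-force search
    plays the role of the quantifier-free T_BV solver."""
    for vals in product(range(1 << width), repeat=n_vars):
        if all(c(vals) for c in constraints):
            return vals
    return None


def cegqi_model_value(width, n_y, n_x, psi):
    """Decide  exists y. forall x. psi(y, x)  with the loop of Figure 2.

    The selection function is S_m: the instance added in step 3 replaces x
    by its value x^I in the counterexample model I. Returns the verdict and
    the list of instantiation tuples t in the order they were added."""
    gamma = []       # instances psi(y, t), as predicates over y
    instances = []
    while True:
        # Step 1: Gamma is T-unsatisfiable -> "unsat".
        if find_model(width, n_y, gamma) is None:
            return "unsat", instances
        # Step 2: Gamma' = Gamma + {not psi(y, x)} is T-unsatisfiable -> "sat".
        # Constraints over (y, x) are built from those over y alone.
        lifted = [lambda v, c=c: c(v[:n_y]) for c in gamma]

        def negated_body(v):
            return not psi(v[:n_y], v[n_y:])

        model = find_model(width, n_y + n_x, lifted + [negated_body])
        if model is None:
            return "sat", instances
        # Step 3: instantiate x with its model value and add psi(y, t).
        t = model[n_y:]
        # S_m is monotonic (Theorem 11, part 2): I satisfies Gamma but
        # falsifies psi(y, x^I), so psi(y, t) cannot already be in Gamma.
        assert t not in instances
        instances.append(t)
        gamma.append(lambda y, t=t: psi(y, t))


def example_9(width=4):
    """phi = exists a, b. forall x1. x1 * a <=u b  (Example 9), y = (a, b)."""
    m = (1 << width) - 1
    return cegqi_model_value(width, 2, 1,
                             lambda y, x: ((x[0] * y[0]) & m) <= y[1])


def example_unsat(width=4):
    """exists y. forall x. x + y = 0 is T_BV-unsatisfiable for every width."""
    m = (1 << width) - 1
    return cegqi_model_value(width, 1, 1,
                             lambda y, x: ((x[0] + y[0]) & m) == 0)


if __name__ == "__main__":
    verdict, used = example_9()
    # configuration m enumerates x1 -> 1, 2, 3, ... before reporting "sat"
    print(verdict, [t[0] for t in used])
    print(example_unsat())
```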
Example 10. As the last example demonstrates, CEGQISBVk may terminate with at most one instance for input formulas whose body has just one literal and a single occurrence of each universal variable. However, consider extending the quantified formula from the previous example to a disjunction of two literals: ∃y∀x1. (x1 · a ≤u b ∨ ℓ[x1]). Assume that our selection function chooses the same t1 as in the previous example. The corresponding instance is equivalent to:
((a <u −b | b) ⇒ k · a >u b) ∧ (k · a ≤u b ∨ ℓ[k]) (2)
In contrast to the previous example, the second iteration of the loop from Figure 2 is not guaranteed to terminate for this example. The above formula may be satisfied by a model J where k · a >u b and ℓ[k] hold. Notice that J may also satisfy a <u −b | b, meaning it may still be the case that x1 · a ≤u b together with the above instance is satisfied by J. In such a case, we may invoke CEGQISBVk again, which may produce the same solved form for x1 if it constructs a solved form for x1 again based on the literal x1 · a ≤u b. Hence, by the terminology from Definition 5, the selection function SBVk is not monotonic for quantified formulas with more than one occurrence of a universal variable.
Similarly, if the literals of the input formula have multiple occurrences of x1, then multiple instances may be returned by the selection function since the literals returned by linearize in Figure 3 depend on the model value of x1, and hence more than one possible instance may be considered in the loop in Figure 2.
The following theorem summarizes the properties of our selection functions. In the following, we say a quantified formula is unit linear invertible if it is of the form ∀x. ℓ[x] where ℓ is linear in x and has an invertibility condition for x. We say a selection function is n-finite for a quantified formula ψ if the number of possible instantiations it returns is at most n for some positive integer n.
Theorem 11. Let ψ[x] be a quantifier-free formula in the signature of TBV .
1. SBVc is a finite selection function for x and ψ for all c ∈ {m,k, s,b}.
2. SBVm is monotonic.
3. SBVk is 1-finite if ψ is unit linear invertible.
4. SBVk is monotonic if ψ is unit linear invertible.
Proof. Let x = (x1, . . . , xn) be a tuple of variables and let ϕ be a quantifier-free TBV-formula. We show each part for the case where n = 1; the arguments below can be lifted to n > 1 in a straightforward way. Let Γ be a set of formulas such that x1 ∉ FV(Γ), let I be a model of TBV such that I |= Γ ∪ {¬ϕ}, and let t1 be SBVc((x1), I, Γ).
Part 1) To show that SBVc is a selection function, we must show that t1 is ε-valid and FV(t1) ⊆ FV(ϕ) \ {x1}. Notice that for all configurations, the value (t1) returned by SBVc is either of the form xI1 or solve(x1, ℓ) for some ℓ ∈ Lit(Γ). In the former case, we have that t1 is clearly ε-valid and FV(t1) = ∅. In the latter case, as a consequence of Theorem 3, we have that t1 is ε-valid and FV(t1) ⊆ FV(ℓ). We have that ℓ ∈ Lit(ϕ) and thus FV(ℓ) ⊆ FV(ϕ). Thus, in either case, we have FV(t1) ⊆ FV(ϕ) \ {x1}. Hence, SBVc is a selection function for c = m, k, s, b. To show these selection functions are finite for ϕ, note that the number of terms of form xI1 is finite. Also note that the number of literals in Lit(ϕ) is finite. For each c and ℓ ∈ Lit(ϕ), the set of literals of the form projectc(I, ℓ), call this set N, is finite. For each literal ℓ′ ∈ N, the set of literals returned by linearize(xi, I, ℓ′), call this set N′, is also finite. Since it is either the case that t1 = solve(x1, ℓ″) for some ℓ″ ∈ N′ or t1 = xI1, the number of possible return values of SBVc is finite for (x1) and ϕ for c = m, k, s, b.
Part 2) Since x1 ∉ FV(ℓ) for any literal returned by projectm(I, ℓ), it must be the case that t1 = xI1. Assume that projectm was not monotonic for (x1) and ϕ = ¬ψ[x1]. Since projectm is a selection function by Part 1 and I, Γ is a legal input to projectm, then without loss of generality we may assume that ψ[t1] ∈ Γ. However, ¬ψ[x1] ∈ Γ, I |= Γ and since tI1 = xI1, it must instead be the case that ϕ[t1] ∉ Γ. Hence, projectm is monotonic for ϕ.
Part 3) Assume ϕ is the unit linear invertible formula ℓ. By definition of projectk, linearize, and since by definition ℓ is linear with respect to x1 and I |= ¬ℓ, we have that t1 must be the term returned by solve(x1, ¬ℓ). Hence, SBVk has only one possible return value and hence is 1-finite.
Part 4) Assume ϕ is a unit linear invertible formula ℓ[x1]. The return value of SBVk is the tuple (t1), where by the reasoning in Part 3, we have that t1 is the term returned by solve(x1, ¬ℓ[x1]). Thus by Theorem 3, we have that ¬ℓ[t1] ⇔ ∃z. ¬ℓ[z] holds in all models of TBV. Now, assume that projectk was not monotonic for (x1) and ℓ[x1]. Since projectk is a selection function by Part 1 and I, Γ is a legal input to projectk, then without loss of generality we may assume that ℓ[t1] ∈ Γ. Since I |= Γ, and since ¬ℓ[t1] ⇐ ∃z. ¬ℓ[z] holds in all models of TBV, we have that I must satisfy ¬∃z. ¬ℓ[z], which is ∀z. ℓ[z]. However, we also have that by assumption ¬ℓ[x1] ∈ Γ. Hence, it must instead be the case that ϕ[t1] ∉ Γ and thus projectk is monotonic for ϕ. □
This theorem implies that counterexample-guided instantiation using configuration SBVm
is a decision procedure for quantified bit-vectors. However, in practice the worst-case
number of instances considered by this configuration for a variable x[n] is proportional
to the number of its possible values (2n), which is practically infeasible for sufficiently
large n. More interestingly, counterexample-guided instantiation using SBVk is a de-
cision procedure for quantified formulas that are unit linear invertible, and moreover
has the guarantee that at most one instantiation is returned by this selection function.
Hence, formulas in this fragment can be effectively reduced to quantifier-free bit-vector
constraints in at most two iterations of the loop of procedure CEGQIS in Figure 2.
4.2 Implementation
We implemented the new instantiation techniques described in this section as an extension of CVC4, which is a DPLL(T)-based SMT solver [19] that supports quantifier-free bit-vector constraints, (arbitrarily nested) quantified formulas, and choice expressions. For the latter, all choice expressions εx. ϕ[x] are eliminated from assertions by replacing them with a fresh variable k of the same type and adding ϕ[k] as a new assertion, which is sound since all choice expressions we consider are ε-valid. In the remainder of the paper, we will refer to our extension of the solver as cegqi. In the following, we discuss important implementation details of the extension.
Handling Duplicate Instantiations The selection functions SBVs and SBVb are not guaranteed to be monotonic, and neither is SBVk for quantified formulas that contain more than one occurrence of universal variables. Hence, when applying these strategies to arbitrary quantified formulas, we use a two-tiered strategy that invokes SBVm as a second resort if the instance for the terms returned by a selection function already exists in Γ.
Linearizing Rewrites Our selection function in Figure 3 uses the function linearize to compute literals that are linear in the variable xi to solve for. The way we presently implement linearize makes those literals dependent on the value of xi in the current model I, with the risk of overfitting to that model. To address this limitation, we use a set of equivalence-preserving rewrite rules whose goal is to reduce the number of occurrences of xi to one when possible, by applying basic algebraic manipulations. As a trivial example, a literal like xi + xi ≈ a is rewritten first to 2 · xi ≈ a, which is linear in xi if a does not contain xi. In that case, this literal, and so the original one, has an invertibility condition as discussed in Section 3.
Variable Elimination We use procedure solve from Section 3 not only for selecting quantifier instantiations, but also for eliminating variables from quantified formulas. In particular, for a quantified formula of the form ∀xy. ℓ ⇒ ϕ[x,y], if ℓ is linear in x and solve(x, ℓ) returns a term s containing no ε-expressions, we can replace this formula by ∀y. ϕ[s,y]. When ℓ is an equality, this is sometimes called destructive equality resolution (DER) and is an important implementation-level optimization in state-of-the-art bit-vector solvers [24]. In our approach, to increase the likelihood that solve returns a term that contains no ε-expressions, we include several optimizations that detect when ℓ has a unique solution for x. A common example is an equality that involves multiplication by an odd constant, i.e. x · c ≈ t where c is an odd constant. The only solution for x in this case is c−1 · t where c−1 denotes the (unique) multiplicative inverse of c modulo the bit-width of the type of c, which can be computed by Euclid’s algorithm.
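An added example (not CVC4's code) of the unique-solution case just described: the inverse of an odd constant modulo 2^n from the extended Euclidean algorithm, with a brute-force check that x · c ≈ t then has exactly one solution. The constant and bit-width used in the demo are constructed.

```python
"""Unique solution of x * c = t for an odd constant c modulo 2^n.

Constructed example, not CVC4's code: the inverse of c is computed with the
extended Euclidean algorithm and a brute-force search confirms uniqueness.
"""


def egcd(a, b):
    """Return (g, u, v) with u*a + v*b == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, u, v = egcd(b, a % b)
    return g, v, u - (a // b) * v


def inverse_mod_pow2(c, n):
    """Multiplicative inverse of c modulo 2^n. c must be odd: an even
    constant shares the factor 2 with the modulus and has no inverse."""
    if c % 2 == 0:
        raise ValueError("even constants are not invertible modulo 2^n")
    modulus = 1 << n
    g, u, _ = egcd(c % modulus, modulus)
    assert g == 1  # guaranteed for odd c
    return u % modulus


def solve_odd_mul(c, t, n):
    """The only n-bit x with x * c = t (mod 2^n): x = c^{-1} * t."""
    return (inverse_mod_pow2(c, n) * t) & ((1 << n) - 1)


def all_solutions(c, t, n):
    """Brute-force solution set of x * c = t over n-bit x, to compare
    against solve_odd_mul."""
    return [x for x in range(1 << n) if (x * c) & ((1 << n) - 1) == t]


if __name__ == "__main__":
    # 8-bit example: x * 3 = 7 has the single solution 3^{-1} * 7
    print(solve_odd_mul(3, 7, 8), all_solutions(3, 7, 8))
```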
Handling Extract Consider formula ∀x[32]. (x[31 : 16] ≉ a[16] ∨ x[15 : 0] ≉ b[16]). Since all invertibility conditions for the extract operator are ⊤, rather than producing choice expressions we have found it more effective to eliminate extracts via rewriting. As a consequence, we independently solve constraints for regions of quantified variables when they appear underneath applications of extract operations. In this example, we let the solved form of x be y[16] ◦ z[16] where y and z are fresh variables, and subsequently solve for these variables in y ≈ a and z ≈ b. Hence, we may instantiate x with a ◦ b, a term that we would not have found by considering the two literals independently in the negated body of the formula above.
Handling Propositional Structure and Nested Quantifiers Notice that Figure 2 describes counterexample-guided quantifier instantiation for an input formula with one level of quantifier alternation. In practice, our technique can be used for problems containing more than one level of quantifier alternation and that are not in prenex normal form. A thorough description of this technique is beyond the scope of the paper; we provide some high-level details here. Recall that in the DPLL(T) setting, the SMT solver incrementally builds a truth assignment in the form of a set of literals, with the goal of finding a set that propositionally satisfies all clauses in Γ and is consistent with respect to the background theory. In this setting, we consider all quantified formulas ∀x. ϕ[x] in the current set M. For each of these formulas, we may add clauses of three forms: instantiation lemmas of the form (¬A ∨ ϕ[t]), Skolemization lemmas of the form (¬B ∨ ¬ϕ[k]) where k are fresh constants of the same type as x, and the connecting clauses (∀x. ϕ[x] ⇒ A) and (¬∀x. ϕ[x] ⇒ B). Here, A and B are fresh Boolean constants which we call the positive and negative guard of ∀x. ϕ[x] respectively. The second and third clauses are added once at the time when the quantified formula first occurs in an assignment M. We detect when the negation of a quantified formula along with the current set of clauses Γ is unsatisfiable by checking which negative guards B must be assigned to false. In practice, this is determined by a decision heuristic which insists that negative guards must be decided with positive polarity first. If a quantified formula and its corresponding negative guard are both asserted true, then we add an instantiation lemma to Γ based on the selection function from Figure 3. We terminate as usual when the set Γ is unsatisfiable, or we find a consistent satisfying assignment where no quantified formula and its negative guard are both asserted. This scheme allows the SMT solver to handle multiple quantified formulas simultaneously, as well as handling quantified formulas with arbitrary nesting. Above, notice that ϕ[k] may contain quantifiers, which are recursively handled by introducing instantiation and Skolemization lemmas for quantified formulas that appear in subsequent satisfying assignments.
Negating the Input Formula Our version of counterexample-guided quantifier instantiation is most effective for input formulas that are closed and universal. Thus, when an input formula is of the form ∃x. ϕ where x is non-empty and ϕ may contain quantifiers, we consider its negation ∀x. ¬ϕ instead. The latter formula may be significantly easier to solve since our quantifier instantiation techniques may find an instantiation for x that quickly leads to a proof of unsatisfiability, whereas instantiating x is not possible for the former. Since the theory of bit-vectors is a complete theory, it follows that the original formula is satisfiable if and only if this formula is unsatisfiable.
Rewrite Rules for Quantifier-Free Constraints Finally, we have found that in a DPLL(T )-
based SMT solver, the quantifier-free bit-vector solver is often the bottleneck when
solving quantified bit-vector constraints. For this reason, we use aggressive rewriting
techniques for quantifier-free bit-vector constraints with the goal of replacing con-
straints with expensive propositional encodings with those with simpler encodings.
5 Evaluation
We implemented our techniques in the solver cegqi and considered four configurations
cegqic, where c is one of {m, k, s, b}, corresponding to the four selection function
configurations described in Section 4. Out of these four configurations, cegqim is the
only one that does not employ our new techniques but uses only model values for in-
stantiation. It can thus be considered our base configuration. All configurations enable
the optimizations described in Section 4.2 when applicable. We compared them against
all entrants of the quantified bit-vector division of the 2017 SMT competition SMT-
COMP: Boolector [16], CVC4 [2], Q3B [14] and Z3 [6]. With the exception of Q3B,
all solvers are related to our approach since they are instantiation-based. However, none
of these solvers utilizes invertibility conditions when constructing instantiations. We ran
all experiments on the StarExec logic solving service [23] with a 300 second CPU and
wall clock time limit and 100 GB memory limit.
unsat Boolector CVC4 Q3B Z3 cegqim cegqik cegqis cegqib
h-uauto 14 12 93 24 10 103 105 106
keymaera 3917 3790 3781 3923 3803 3798 3888 3918
psyco 62 62 49 62 62 39 62 61
scholl 57 36 13 67 36 27 36 35
tptp 55 52 56 56 56 56 56 56
uauto 137 72 131 137 72 72 135 137
ws-fixpoint 74 71 75 74 75 74 75 75
ws-ranking 16 8 18 19 15 11 12 11
Total unsat 4332 4103 4216 4362 4129 4180 4369 4399
sat Boolector CVC4 Q3B Z3 cegqim cegqik cegqis cegqib
h-uauto 15 10 17 13 16 17 16 17
keymaera 108 21 24 108 20 13 36 75
psyco 131 132 50 131 132 60 132 129
scholl 232 160 201 204 203 188 208 211
tptp 17 17 17 17 17 17 17 17
uauto 14 14 15 16 14 14 14 14
ws-fixpoint 45 49 54 36 45 51 49 50
ws-ranking 19 15 37 33 33 31 31 32
Total sat 581 418 415 558 480 391 503 545
Total (5151) 4913 4521 4631 4920 4609 4571 4872 4944
Table 9. Results on satisfiable and unsatisfiable benchmarks with a 300 second timeout.
We evaluated our approach on all 5,151 benchmarks from the quantified bit-vector
logic (BV) of SMT-LIB [3]. The results are summarized in Table 9. Configuration
cegqib solves the highest number of unsatisfiable benchmarks (4,399), which is 30
more than the next best configuration cegqis and 37 more than the next best external
solver, Z3. Compared to the instantiation-based solvers Boolector, CVC4 and Z3, the
performance of cegqib is particularly strong on the h-uauto family, which are verifi-
cation conditions from the Ultimate Automizer tool [11]. For satisfiable benchmarks,
Boolector solves the most (581), which is 36 more than our best configuration cegqib.
Overall, our best configuration cegqib solved 335 more benchmarks than our base
configuration cegqim. A more detailed runtime comparison between the two is pro-
vided by the scatter plot in Figure 4. Moreover, cegqib solved 24 more benchmarks
than the best external solver, Z3. In terms of uniquely solved instances, cegqib was
able to solve 139 benchmarks that were not solved by Z3, whereas Z3 solved 115 bench-
marks that cegqib did not. Overall, cegqib was able to solve 21 of the 79 benchmarks
(26.6%) not solved by any of the other solvers. For 18 of these 21 benchmarks, it ter-
minated after considering no more than 4 instantiations. These cases indicate that using
symbolic terms for instantiation solves problems for which other techniques, such as
those that enumerate instantiations based on model values, do not scale.
Interestingly, configuration cegqik, despite having the strong guarantees given by
Theorem 11, performed relatively poorly on this set (with 4,571 solved instances over-
all). We attribute this to the fact that most of the quantified formulas in this set are
not unit linear invertible. In total, we found that only 25.6% of the formulas consid-
ered during solving were unit linear invertible. However, only a handful of benchmarks
were such that all quantified formulas in the problem were unit linear invertible. This
might explain the superior performance of cegqis and cegqib which use invertibility
conditions but in a less monolithic way.
cegqi_m  Runtime [s]
ce
gq
i_
b 
 R
un
tim
e 
[s]
0.01 0.1 1 10 100
0.01
0.1
1
10
100
10x faster (61) 100x faster (245) 1000x faster (51)
Fig. 4. Configuration cegqim vs. cegqib.
For some intuition on this, consider the problem ∀x. (x > a ∨ x < b) where a and b are such that a > b is T_BV-valid. Intuitively, to show that this formula is unsatisfiable requires the solver to find an x between b and a. This is apparent when considering the dual problem ∃x. (x ≤ a ∧ x ≥ b). Configuration cegqib is capable of finding such an x, for instance, by considering the instantiation x ↦ a when solving for the boundary point of the first disjunct. Configuration cegqik, on the other hand, would instead consider the instantiation of x for two terms that witness ε-expressions: some k1 that is never smaller than a, and some k2 that is never greater than b. Neither of these terms necessarily resides in between a and b since the solver may subsequently consider models where k1 > b and k2 < a. This points to a potential use for invertibility conditions that solve multiple literals simultaneously, something we are currently investigating.
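As an added example (not from the paper or its implementation), the following Python enumerates the intuition above over unsigned 4-bit values: the boundary instantiation x ↦ a derived from the first disjunct refutes ∀x. (x > a ∨ x < b) for every a > b, whereas choice witnesses k1 ≥ a and k2 ≤ b taken from an arbitrary model (here the constructed extremes k1 = 15, k2 = 0) refute it only when one of them happens to land in [b, a]. The unsigned interpretation of the comparisons and the bit-width 4 are assumptions of this example.

```python
# Added example (not from the paper): the running example ∀x. (x > a ∨ x < b)
# with a > b, over unsigned bit-vectors of width W. Compares the boundary-point
# instantiation x ↦ a (as cegqib derives it from the literal x > a) with
# instantiating x by two choice witnesses k1 ≥ a and k2 ≤ b (as cegqik would).
W = 4                      # assumed bit-width (not fixed by the paper's example)
MAXVAL = (1 << W) - 1

def body(x, a, b):
    """Quantifier body x > a ∨ x < b, with unsigned comparison on W-bit values."""
    return x > a or x < b

def refutes(inst, a, b):
    """x ↦ inst refutes ∀x. body iff the instantiated body is false."""
    return not body(inst, a, b)

def boundary_instantiation(a, b):
    """cegqib-style: the boundary point of the literal x > a is x ↦ a."""
    return a

def choice_witnesses(a, b, model):
    """cegqik-style: witnesses k1 ≥ a and k2 ≤ b read off a model.
    The model is constructed by the caller; any k1 in [a, MAXVAL] and
    k2 in [0, b] is a legitimate interpretation of the two ε-terms."""
    k1, k2 = model
    assert a <= k1 <= MAXVAL and 0 <= k2 <= b
    return k1, k2

def check_all_pairs():
    """Over every pair a > b: count how often the boundary instantiation
    refutes the formula, and how often the 'extreme' model (k1 = MAXVAL,
    k2 = 0) for the choice witnesses does. Returns (total, boundary, extreme)."""
    total = boundary_ok = extreme_ok = 0
    for a in range(MAXVAL + 1):
        for b in range(a):                 # b < a, so a > b is valid here
            total += 1
            if refutes(boundary_instantiation(a, b), a, b):
                boundary_ok += 1
            k1, k2 = choice_witnesses(a, b, (MAXVAL, 0))
            # The extreme witnesses only refute when a = MAXVAL or b = 0,
            # i.e. when one of them coincides with an endpoint of [b, a].
            if refutes(k1, a, b) or refutes(k2, a, b):
                extreme_ok += 1
    return total, boundary_ok, extreme_ok

if __name__ == "__main__":
    print(check_all_pairs())               # (120, 120, 29) for W = 4
```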
6 Conclusion
We have presented a new class of strategies for solving quantified bit-vector formulas
based on invertibility conditions. We have derived invertibility conditions for the ma-
jority of operators in a standard theory of fixed-width bit-vectors. An implementation
based on this approach solves over 25% of previously unsolved verification benchmarks
from SMT-LIB, and outperforms all other state-of-the-art bit-vector solvers overall.
In future work, we plan to develop a framework in which the correctness of in-
vertibility conditions can be formally established independently of bit-width. We are
working on deriving invertibility conditions that are optimal for linear constraints, in
the sense of admitting the simplest propositional encoding. We are also investigating
conditions that cover additional bit-vector operators, some cases of non-linear literals,
as well as those that cover multiple constraints. While this is a challenging task, we
believe efficient syntax-guided synthesis solvers can continue to help push progress in
this direction. Finally, we plan to investigate the use of invertibility conditions for per-
forming quantifier elimination on bit-vector constraints. This will require a procedure
for deriving concrete witnesses from choice expressions.