Formal verification of hardware and software is important in the case of critical systems, as shown by several accidents due to such problems as overflow, rounding error, etc. Bit-precise reasoning over bit-vectors is a fundamental tool for attacking such verification problems. But how hard is reasoning over bit-vector logics? It is essential to answer this question before inventing solving approaches for bit-vector logics.
Introduction
Why does humanity still struggle with errors in computer systems? Or in other words, why so many bugs in our software and hardware? Do there not exist sophisticated development tools for avoiding such bugs already?
Yes, there does but today's tools do not necessarily scale to future systems. The main reason for that is that the complexity of our systems increases by time.
A well-known example is chip complexity which follows Moore's law. While we are currently capable to detect bugs in hardware designs such as the infamous floating-point division bug in 1994's Intel Pentium (see Section 2) , which contained ca. 3 million transistors, it is much more difficult to do the same in today's processors which can contain ca. 3 billion transistors. Regarding software, the trend is similar in terms of complexity, not to mention that nowadays we need to debug distributed software systems. From the point of view of software developers, there is less and less time to write fault-tolerant code since the average development cycle time decreases. For instance, it took 1.5 years to release Mozilla Firefox 2.0 after version 1.0, nowadays new versions are released in ca. every 2 months.
In Section 2, we are going to get acquainted with a couple of historically infamous hardware and software bugs that caused a tremendous loss of money and, sometimes, a loss of human lives. Section 3 introduces bit-precise verification as a powerful tool for avoiding bugs. Of course, it is an important question if verifying hardware and software systems is feasible and, therefore, we are going to summarize in Section 4 what we currently know about the computational complexity of bit-precise reasoning in different settings.
Historical Accidents Caused by Bugs
There exist well-known historical accidents due to bugs in hardware or software. In this section, let us introduce a few of those.
Let us start with the infamous accident of NASA's Mars Climate Orbiter. This spacecraft was launched on December 11, 1998 , and was scheduled to land on Mars on September 23, 1999. Shortly after starting the engines for landing, the signal was lost, 49 seconds earlier than predicted, and could not reacquired later on. The lander unit was lost, and probably burnt, in Mars' atmosphere. The investigation on the causes of the accident determined that the root cause was that a team of engineers used English units in preparing the data file for the software which, however, used metric units. Subsequent processing of the data by the navigation software underestimated the effect on the spacecraft trajectory
1
. The mission costed $125 million [20] .
Another well-known accident from space industry is the explosion of the Ariane 5 launcher. After only 40 seconds of flight, at an altitude of 3700 m, the launcher veered off its flight path, broke up and exploded. The European Space Agency (ESA) set up an Inquiry Board to investigate what caused the failure. The board found that the root cause was an integer overflow in the software: a 64-bit floating point value was converted to a 16-bit signed integer, causing a value greater than what could be represented as a 16-bit integer 2 . The launcher was on its first voyage, after a decade of development costing $7 billion. The destroyed rocket and its cargo were valued at $500 million. The recovery of the debris and the rocket fuel scattered over an area of 12 km 2 required lots of efforts as well. A similar case from the recent past (2015) is an overflow bug in the software of Boeing Model 787. During laboratory testing, Boeing identified an issue with an internal counter in the software: if the electric generator control unit was continuously powered up during 248 days, it went to failsafe mode, resulting in a loss of electric power, regardless of flight phase. The investigation of the Federal Aviation Administration (FAA) found that the issue was caused by integer overflow 3 . Note that 2
11
hundredths of a second equals to 248 days. Fortunately, the problem was discovered before any accident happened.
In the following accident, unfortunately, there were some casualties as well. The Instituto Oncológico Nacional in Panama provided treatment for cancer patients using radiotherapy. A computerized treatment planning system was used to calculate the resulting dose distributions and determine treatment times. As was found later, at least one of the ways in which the data were entered for the software resulted a treatment time two times longer than it should have been 4 . The result was that patients received a proportionately higher dose than that prescribed. The erroneous treatment protocol was used for 28 patients. By the time of the investigation, 8 patients had already died, among which at least 5 of the deaths were probably radiation related. Most of the 20 surviving patients suffered intestinal injuries.
The last accident that I am willing to mention did not cause casualties, to the best of my knowledge, but cost $450 million. In 1994, Intel discovered a flaw in the floating-point division circuitry of the early Pentium processors
5
. The cause of the error was the use of a lookup table with some cells being empty, resulting in slightly less precise numbers than the correct answer [13] . Although Intel claimed that the bug encountered for typical spreadsheet users once in 27 000 years, the company finally recalled the defective processors, costing ca. $450 million.
Such bugs and, as unfortunate consequences, accidents could be avoided if companies invested more on applicable techniques. In fact, this is exactly what the largest companies already do in order to prevent product recalls and, most importantly, loss of money and prestige. As the example of Boeing shows, testing is such a powerful technique. However, testing does not provide 100 % guarantee since executing the system being tested for all the possible inputs is typically infeasible. Verification, on the other hand, can provide such a guarantee for the types of bugs which you can define in advance.
Bit-Precise Verification
In computer science, satisfiability can be considered to be one of the most fundamental questions to ask: given a formal description of a statement, also called a formula, does there exist a model (or interpretation) for the syntactical elements in the formula such that the formula is true. The formula is considered to be satisfiable (SAT) if such a model exists, otherwise it is considered to be unsatisfiable (UNSAT).
In real life, for instance in industrial use cases, satisfiability checking and model finding is an extremely important tool for verifying systems. Given a system described as a formula S and a (safety) condition C to check on the system, one might want to check if C always holds for S, under any circumstances, i.e., under any models. This check can be done by checking the satisfiability of S ∧ ¬C, where ¬ denotes logical not or negation, and ∧ logical and or conjunction. Similar Boolean operators are ∨ as logical or or disjunction, ⇒ as implication, ⇔ as equivalence, etc. If S ∧ ¬C is satisfiable, then there exists a model, which gives us the exact circumstances in the system S under which the condition C is violated. This makes model finding an excellent tool for debugging.
Another example could be equivalence checking in hardware industry. Given an original circuit design described as a formula D 1 , let us suppose that engineers do some optimization and get a new design D 2 . It is important to check if the new design provides the same functionality as the old one. For this, the satisfiability of the formula
It is a matter of the logic we choose, what syntactical elements build up a formula and what semantical rules to follow for evaluating a formula. The most simple logic is called the Boolean logic, also known as propositional logic, where syntactical elements are the (Boolean) variables and the model is an assignment of values to those variables. A value can be either false or true, or alternatively, 0 or 1. In fact, Boolean variables represent bits in a hardware and software being modeled as a Boolean formula.
The SAT problem is meant the satisfiability checking of Boolean formulas. Although Boolean logic seems extremely simple, the computation complexity of SAT is very high. In fact, SAT was the first computational problem that was shown to be NP-complete by encoding any polynomial time-bounded non-deterministic Turing machine as a SAT instance [7] . Assuming P = NP, SAT cannot be solved by a polynomial time (deterministic) algorithm in general.
Due to combinatorial explosion, naive SAT solving approaches might already fail for small formulas with a few hundreds of variables. Therefore, for a long time, it seemed that SAT solving was computationally intractable in practice. However, with the advent of heuristic SAT solvers and, especially, of the DPLL-based solvers that apply conflict-driven clause learning (CDCL), state-of-the-art SAT solvers are able to solver huge formulas with several million of variables. Formulas of such extent are sufficient for encoding industrial problems and, therefore, modern SAT solvers are widely used in industry. Nice examples are, for instance, the verifica-182 tion of the Intel Core i7 processor design [15] and the analysis of cryptographic cyphers [23] by the help of SAT solvers.
It is a fairly natural idea to extend SAT solving with background theories such as integer or real arithmetic, or arrays. Needless to say that such an extension would have clear practical value since it would let our logical formulas contain atoms which, for instance, might evaluate some arithmetic expression over numbers or might check the value of array elements. Satisfiability Modulo Theories (SMT) is the decision problem of satisfiability checking of Boolean formulas with respect to some background theory and logic. The most common examples of theories are the integer numbers, the real numbers, the fixed-size bit-vectors, and the arrays. The logics that one could use might differ from each other in the linearity or non-linearity of arithmetic, the presence or absence of quantifiers, or in the presence or absence of uninterpreted functions. The SMT-LIB format [2] , as the common input format for SMT solvers, defines the syntax for several such logics 6 , such as QF_UFLIA as the quantifier-free logic of linear integer arithmetic with uninterpreted functions, or LRA as the logic of linear real arithmetic allowing quantification, or AUFLIA as the logic of linear integer arithmetic with quantifiers, uninterpreted functions and arrays.
In this paper, we are focusing on the background theory of fixed-size bit-vectors, also known as words or sequences of bits, i.e., Boolean values. The fundamental building blocks of bit-vector formulas are the bit-vector variables x [n] and constants c [n] of certain bit-widths n. To those variables and constants, different kinds of bitvector operators can be applied [2, 1, 3, 4, 8, 11, 18] , such as bitwise operators (negation, and, or, xor, etc.), relational operators (equality, unsigned/signed less than, unsigned/signed less than or equal, etc.), arithmetic operators (addition, subtraction, multiplication, unsigned/signed division, unsigned/signed remainder, etc.), shifts (left shift, logical/arithmetic right shift), extraction, concatenation, zero/sign extension, etc. For a detailed introduction into the syntax and semantics of bitvector operators, we recommend the relevant parts of [18] .
Bit-vector logics play an important role in many practical applications of computer science, most prominently in hardware and software verification, due to the fact that every piece of data in hardware or software has a given bit-width. Notable example are, for instance, the verification of Windows device drivers [19] and also of communication protocols of wireless sensor networks [10] .
In hardware verification, the quantifier-free bit-vector logic QF_BV is commonly used in practice. If synthesis is also addressed, uninterpreted functions are added to this logic in order to allow to introduce custom signatures of function symbols on demand; the resulting logic is denoted by QF_UFBV.
In software verification where, for instance, loops are crucial components of the model to verify, quantifiers play an important role. BV denotes the bit-vector logic that allows quantification over the bit-vector variables. To be able to tackle verification tasks such as the termination analysis of loops and invariant synthesis, uninterpreted functions are also essential, resulting in the logic of UFBV.
Compared to other theories, bit-vector logics can be considered to be the closest to Boolean logic. A bit-vector formula can always be directly translated into a Boolean formula by using the circuit representation of bit-vector operations, as realized in hardware. This approach is called bit-blasting and used by most stateof-the-art bit-vector solvers, which then feed the resulting Boolean formula into a SAT solver.
The computational complexity of bit-blasting for the common bit-vector logics had not been clear for long time, although it is necessary to investigate for the sake of proving the membership of bit-vector logics in certain complexity classes. It is even more difficult to prove their hardness to those complexity classes, for the sake of investigating the precise characterization of the computation complexity of bit-vector logics.
Complexity of Bit-Vector Logics
The vast majority of bit-vector solvers rely on bit-blasting. This is a technique to translate a bit-vector formula to a Boolean formula whose Boolean variables represent the individual bits of the bit-vectors. Bit-blasting is known to be a polynomial reduction in the bit-width of the bit-vectors (regarding the commonly used bit-vector operators). Therefore it seems logical to say that bit-blasting is polynomial, and thus the satisfiability problem of a bit-vector logic is in the same complexity class as the underlying Boolean satisfiability problem. For instance, QF_BV should be in NP since SAT is in NP. It turned out that this reasoning failed in general. The reason for that originates in the way of how bit-widths, as scalars, are encoded in bit-vector formulas. In practice, they are encoded as decimal numbers in the input formula, i.e., they employ exponentially succinct encoding, and, therefore, bit-blasting could be exponential.
There exist a few complexity results for bit-vector logics in the literature, out of which some hold, but some do not. [3] correctly states that QF_BV is NPhard and, similarly, [4] claims that QF_BV has an NP-complete sublogic, also known as a fragment. On the other hand, [5] incorrectly claims that the full fragment of QF_BV is NP-complete. For bit-vector logics with quantification, [24, 25] incorrectly propose that UFBV is NExpTime-complete. All those complexity results hold only if bit-widths are assumed to be encoded as unary numbers, which is, of course, neither the common nor the general case.
We showed for the first time that the commonly used bit-vector logics have higher complexity in general than the verification community had though before [16] . The higher complexity is due to the exponentially succinct, logarithmic encoding used in practice to represent the bit-widths of bit-vectors in the input formulas. In the paper, we investigate how complexity varies if we consider a logarithmic w.l.o.g. binary encoding. The paper shows that the binary encoding of bit-widths has at least as much expressive power as quantification. Table 1 summarizes our new complexity results in this paper [16] , complemented by a result provided later by [14] . Table 1 : Completeness results for common bit-vector logics [16] [16] proves that QF_BV with binary encoding is NExpTime-hard. For this, we picked an NExpTime-hard decision problem, the satisfiability problem of Dependency Quantified Boolean Formulas DQBF [21, 22] , and gave a polynomial reduction from it to QF_BV. The proof cannot be done in a trivial way since the exponential many bits of bit-vectors should be somehow handled in a polynomial way. For this, we need to split the bit-vectors of bit-width 2 n into polynomial many chunks of exponential size. This can be done by applying the following special bitmasks, also known as the binary magic numbers [12] :
Such a binary magic number can be calculated as 16, 18] show that that bit-mask can be "generated" by the following bit-vector expression of polynomial size:
Adding uninterpreted functions to QF_BV results in the logic QF_UFBV. As [16] proves, QF_UFBV has the same complexity as QF_BV, since all uninterpreted functions can be polynomially eliminated by introducing new bit-vector variables and Ackermann constraints.
Regarding quantified bit-vectors, [16] also proves that UFBV with binary encoding is 2-NExpTime-hard. The 2-NExpTime-hard decision problem we reduced to UFBV was the 2
-square tiling problem [6] . The f (n)-square tiling problem is about to place dominos on an f (n) × f (n) board, respecting certain horizontal and vertical matching conditions H and V , respectively. Any instance of the 2
-square tiling problem can be expressed as a UFBV formula
How Hard is Bit-Precise Reasoning?
The formula contains two universally quantified bit-vector variable, i and j. The uninterpreted function λ(i, j) represents the type of the tile in the cell at row index i and column index j. It is crucial to see that although the formula contains exponential bit-widths 2 n , they are encoded as binary numbers, i.e., by using n digits. Furthermore, the double-exponential scalars 2
. Thus, we gave a polynomial reduction of the 2
-square tiling problem to UFBV.
What happens with complexity if we do not allow the use of uninterpreted functions with quantified bit-vectors, i.e., what is the complexity of BV? It is fairly easy to see that BV is NExpTime-hard and is in ExpSpace, but we have never been able to prove if BV is complete for any of the complexity classes. Finally in 2016, Jonáš and Strejček proved that BV is complete for AEXP(poly) in [14] , as shown in Table 1 .
Fragments
After proving the computation complexity of certain logics, the natural question arises: Are there any practically reasonable fragments which have lower complexity? [17, 18] investigates how the set of bit-vector operators used in formulas affects the computational complexity. We defined three fragments:
QF_BV c : only bitwise operators, equality, and shift by any constant c are allowed;
QF_BV 1 : only bitwise operators, equality, and shift by c = 1 are allowed;
QF_BV bw : only bitwise operators and equality are allowed.
We proved all those fragments to be complete for certain complexity classes.
• The NExpTime-completeness of QF_BV c directly follows from the proof of QF_BV being NExpTime-hard in [16] , since the reduction we gave in that proof used only bitwise operations, equality and shift by constant.
• It is interesting that restricting shifts to be used only with c = 1 causes the complexity to drop to PSpace-completeness, as being proved for QF_BV 1 in [17] .
• Finally, if no shifts are allowed to use, the resulting fragment QF_BV bw becomes NP-complete [17] .
Our paper [18] investigates possible extensions of the aforementioned fragments and their alternative characterizations. Speaking of QF_BV bw , it turns out that the set of bitwise operations and equality can be extended by indexing and relational operations without pulling out the fragment from NP. In a similar manner, QF_BV 1 stays in PSpace even if we extend the set of bitwise operations, equality, and left shift by 1 with any of the operations in Figure 1 . It is even more interesting, as the figure shows, that the operations right shift by 1, addition, subtraction, and multiplication by constant can be used as alternative base operations instead of left shift by 1. QF_BV c stays in NExpTime even if we extend bitwise operations, equality, and left shift by constant with any of the operations in Figure 2 . Any of right shift by constant, extraction, concatenation, and multiplication can serve as an alternative base operation instead of left shift by constant. [18] proposes new complexity results for fragments of quantified bit-vector logics as well. We already proved in [16] that UFBV is 2-NExpTime-complete, therefore the fragment UFBV c , and all its alternative characterizations, have the same complexity. Interestingly, if we restrict shifts to be applied only by 1, the complexity How Hard is Bit-Precise Reasoning?
does not change, as opposed to the quantifier-free case. That is, both UFBV c and UFBV 1 are 2-NExpTime-complete.
We also address two fragments that are important in practice and have something to do with quantification:
BV log : In this fragment, the bit-width of the universally quantified variables must not exceed the logarithm of the bit-width of the existentially quantified variables. This fragment is of special practical interest since it relates to the theory of arrays. In practice, if an array is expressed as a bit-vector, array indices are of logarithmic bit-width and are often quantified universally. We proved that BV log and UFBV log are NExpTime-complete.
QF_UFBV M : In the SMT-LIB, non-recursive macros are basic tools. Such a macro provides an uninterpreted function and assigns a functional definition to it. We can formalize a QF_UFBV formula Φ with non-recursive macros as follows: Here, f 0 , . . . , f m are the macros as uninterpreted functions and d 0 , . . . , d m are their functional definitions as bit-vector terms. Note that the macros' parameters are universally quantified variables and, therefore, the fragment QF_UFBV M is basically a quantified bit-vector logic. We proved however that using non-recursive macros does not increase the complexity of QF_UFBV, i.e., QF_UFBV M is NExpTime-complete.
Summary
We gave reasons and, also, historical evidences to show that the verification of software and hardware systems is of great importance. Bit-precise verification can verify systems on the bit-level and, therefore, is a powerful tool for avoiding lowlevel bugs such as overflow, arithmetic errors, rounding errors, indexing errors, etc., as well as higher-level ones such as infinite loops or infinite recursion in software.
We gave a detailed survey on the computational complexity of satisfiability checking in different bit-vector logics. Furthermore, we summarized what we currently know about practically interesting fragments of those logics and in what extent computational complexity decreases for them, compared to the corresponding full fragments.
188
G. Kovásznai
