Abstract. Many SMT solvers implement efficient SAT-based procedures for solving fixed-size bit-vector formulas. These approaches, however, cannot be used directly to reason about bit-vectors of symbolic bit-width. To address this shortcoming, we propose a translation from bit-vector formulas with parametric bit-width to formulas in a logic supported by SMT solvers that includes non-linear integer arithmetic, uninterpreted functions, and universal quantification. While this logic is undecidable, this approach can still solve many formulas by capitalizing on advances in SMT solving for non-linear arithmetic and universally quantified formulas. We provide several case studies in which we have applied this approach with promising results, including the bit-width independent verification of invertibility conditions, compiler optimizations, and bit-vector rewrites.
Introduction
Satisfiability Modulo Theories (SMT) solving for the theory of fixed-size bit-vectors has received a lot of interest in recent years. Many applications rely on bit-precise reasoning as provided by SMT solvers, and the number of solvers that participate in the corresponding divisions of the annual SMT competition is high and increasing. Although theoretically difficult (e.g., [14] ), bit-vector solvers are in practice highly efficient and typically implement SAT-based procedures. Reasoning about fixed-size bitvectors suffices for many applications. In hardware verification, the size of a circuit is usually known in advance, and in software verification, machine integers are treated as fixed-size bit-vectors, where the width depends on the underlying architecture. Current solving approaches, however, do not generalize beyond this limitation, i.e., they cannot reason about parametric circuits or machine integers of arbitrary size. This is a serious limitation when one wants to prove properties that are bit-width independent.
To address this limitation we propose a general method for reasoning about bitvector formulas with parametric bit-width. The essence of the method is to replace the translation from fixed-size bit-vectors to propositional logic (which is at the core of state-of-the-art bit-vector solvers) with a translation to the quantified theories of integer arithmetic and uninterpreted functions. We obtain a fully automated verification process by capitalizing on recent advances in SMT solving for these theories.
The reliability of our approach depends on the correctness of the SMT solvers in use. Interactive theorem provers, or proof assistants, such as Isabelle and Coq [19, 27] , on the other hand, target applications where trust is of higher importance than automation, although substantial progress towards increasing the latter has been made in recent years [5] . Our long-term goal is an efficient automated framework for proving bit-width independent properties within a trusted proof assistant, which requires both a formalization of such properties in the language of the proof assistant and the development of efficient automated techniques to reason about these properties. This work shows that state-of-the-art SMT solving combined with our encoding techniques make the latter feasible. The next steps towards this goal are described in the final section of this paper.
Translating a formula from the theory of fixed-size bit-vectors to the theory of integer arithmetic is not straightforward. This is due to the fact that the semantics of bit-vector operators are defined modulo the bit-width n, which must be expressed using exponentiation terms 2 n when translated to integer arithmetic. Most SMT solvers, however, do not support unrestricted exponentiation. Furthermore, bit-wise operators such as bit-wise and , or , and left and right shift do not have a natural representation in integer arithmetic. While they are definable in the theory of integer arithmetic using β-function encodings (e.g., [10] ), such a translation is expensive as it requires an encoding of sequences into natural numbers. Instead, we introduce an uninterpreted function (UF) for each of the problematic operators and axiomatize them with quantified formulas, which shifts some of the burden from arithmetic to UF reasoning. We consider two alternative axiomatizations: a complete one relaying on induction, and a partial (hand-crafted) one that can be understood as an under-approximation.
To evaluate the potential of our approach, we examine three case studies that arise from real applications where reasoning about bit-width independent properties is essential. Niemetz et al. [18] defined invertibility conditions for bit-vector operators, which they then used to solve quantified bit-vector formulas. However, correctness of the conditions was only checked for specific bit-widths: from 1 to 65. As a first case study, we consider the bit-width independent verification of these invertibility conditions, which [18] left to future work. As a second case study, we examine the bit-width independent verification of compiler optimizations in LLVM. For that, we use the Alive tool [16] , which generates verification conditions for such optimizations in the theory of fixed-size bit-vectors. Proving the correctness of these optimizations for arbitrary bit-widths would ensure their correctness for any language and underlying architecture rather than specific ones. As a third case study, we consider the bit-width independent verification of rewrite rules for the theory of fixed-size bit-vectors. SMT solvers for this theory heavily rely on such rules to simplify the input. Verifying their correctness is essential and is typically done by hand, which is both tedious and error-prone.
To summarize, this paper makes the following contributions.
-In Section 3, we study complete and incomplete encodings of bit-vector formulas with parametric bit-width into integer arithmetic. -In Section 4, we evaluate the effectiveness of both encodings in three case studies.
-As part of the invertibility condition case study in Section 4, we introduce conditional inverses for bit-vector constraints, thus augmenting the invertibility conditions from [18] with more concrete parametric solutions. Related Work Bit-width independent bit-vector formulas were studied by Picora [21] , who introduced a formal language for bit-vectors of parametric width, along with a semantics and a decision procedure. The language we use here can be seen as a simplified variant of that language. A unification-based algorithm for fixed-sized bit-vectors is discussed by Bjørner and Picora [4] , and extended to handle symbolic lengths for some common cases. Bit-width independent formulas are related to parametric Boolean functions and circuits. An inductive approach for reasoning about such formalisms was developed by Gupta and Fisher [12, 11] by considering a Boolean function for the base case of a circuit and another one for its inductive step. Reasoning about equivalence of such circuits can be embedded in the framework of parametric-width bit-vectors [21] .
Preliminaries
We briefly review the usual notions and terminology of many-sorted first-order logic with equality (denoted by ≈). See [10, 28] for more detailed information. Let S be a set of sort symbols, and for every sort σ ∈ S, let X σ be an infinite set of variables of sort σ. We assume that sets X σ are pairwise disjoint and define X as the union of sets X σ . A signature Σ consists of a set Σ s ⊆ S of sort symbols and a set Σ f of function symbols. Arities of function symbols are defined in the usual way. Constants are treated as 0-ary functions. We assume that Σ includes a Boolean sort Bool and the Boolean constants ⊤ (true) and ⊥ (false). Functions returning Bool are also called predicates.
We assume the usual definitions of well-sorted terms, literals, and formulas, and refer to them as Σ-terms, Σ-literals, and Σ-formulas, respectively. We define x = (x 1 , ..., x n ) as a tuple of variables and write Qxϕ with Q ∈ {∀, ∃} for a quantified formula Qx 1 · · · Qx n ϕ. For a Σ-term or Σ-formula e, we denote the free variables of e (defined as usual) as FV(e) and use e[x] to denote that the variables in x occur free in e. For a tuple of Σ-terms t = (t 1 , ..., t n ) and a tuple of Σ-variables x = (x 1 , . . . , x n ), we write e {x → t} for the term or formula obtained from e by simultaneously replacing each occurrence of x i in e by t i .
A Σ-interpretation I maps: each σ ∈ Σ s to a distinct non-empty set of values σ I (the domain of σ in I); each x ∈ X σ to an element x I ∈ σ I ; and each f σ1···σnσ ∈ Σ f to a total function f I : σ
n → σ I if n > 0, and to an element in σ I if n = 0. We use the usual inductive definition of a satisfiability relation |= between Σ-interpretations and Σ-formulas.
A theory T is a pair (Σ, I), where Σ is a signature and I is a non-empty class of Σ-interpretations that is closed under variable reassignment, i.e., if interpretation I ′ only differs from an I ∈ I in how it interprets variables, then also I ′ ∈ I. A Σ-formula ϕ is T -satisfiable (resp. T -unsatisfiable) if it is satisfied by some (resp. no) interpretation in I; it is T -valid if it is satisfied by all interpretations in I. We will sometimes omit T when the theory is understood from context.
The theory T BV = (Σ BV , I BV ) of fixed-size bit-vectors as defined in the SMT-LIB 2 standard [3] consists of the class of interpretations I BV and signature Σ BV , which includes a unique sort for each positive integer n (representing the bit-vector width), denoted here as σ [n] . For a given positive integer n, the domain σ [n] I of sort σ [n] in I is the set of all bit-vectors of size n. We assume that Σ BV includes all bit-vector constants of sort σ [n] for each n, represented as bit-strings. However, to simplify the notation we will sometimes denote them by the corresponding natural number in {0, . . . , 2 n − 1}. All interpretations I ∈ I BV are identical except for the value they assign to variables. They interpret sort and function symbols as specified in SMT-LIB 2. All function symbols (of non-zero arity) in Σ f BV are overloaded for every σ [n] ∈ Σ s BV . We denote a Σ BV -term (or bit-vector term) t of width n as t [n] when we want to specify its bit-width explicitly. We refer to the i-th bit of t [n] as t[i] with 0 ≤ i < n. We interpret t[0] as the least significant bit (LSB), and t[n − 1] as the most significant bit (MSB), and denote bit ranges over k from index j down to i as t[j : i]. The unsigned interpretation of a bit-vector t [n] as a natural number is given by
i , and its signed interpretation as an integer is given by [4] = 1000. The theory T IA = (Σ IA , I IA ) of integer arithmetic is also defined as in the SMT-LIB 2 standard. The signature Σ IA includes a single sort Int, function and predicate symbols {+, −, ·, div, mod, |...|, <, ≤, >, ≥}, and a constant symbol for every integer value. We further extend Σ IA to include exponentiation, denoted in the usual way as a b . All interpretations I ∈ I IA are identical except for the values they assign to variables. We write T UFIA to denote the (combined) theory of uninterpreted functions with integer arithmetic. Its signature is the union of the signature of T IA with a signature containing a set of (freely interpreted) function symbols, called uninterpreted functions.
Parametric Bit-Vector Formulas
We are interested in reasoning about (classes of) Σ BV -formulas that hold independently of the sorts assigned to their variables or terms. We formalize the notion of parametric Σ BV -formulas in the following.
We fix two sets X * and Z * of variable and constant symbols, respectively, of bitvector sort of undetermined bit-width. The bit-width is provided by the first component of a separate function pair ω = (ω b , ω N ) which maps symbols x ∈ X * ∪ Z * to Σ IAterms. We refer to ω b (x) as the symbolic bit-width assigned by ω to x. The second component of ω is a map ω N from symbols z ∈ Z * to Σ IA -terms. We call ω N (z) the symbolic value assigned by ω to z. Let v = FV(ω) be the set of (integer) free variables occurring in the range of either ω b or ω N . We say that ω is admissible if for every interpretation I ∈ I IA that interprets each variable in v as a positive integer, and for every x ∈ X * ∪ Z * , I also interprets ω b (x) as a positive integer. Let ϕ be a formula built from the function symbols of Σ BV and X * ∪ Z * , ignoring their sorts. We refer to ϕ as a parametric Σ BV -formula. One can interpret ϕ as a class of fixed-size bit-vector formulas as follows. For each symbol x ∈ X * and integer n > 0, we associate a unique variable x n of (fixed) bit-vector sort σ [n] . Given an admissible ω with v = FV(ω) and an interpretation I that maps each variable in v to a positive integer, let ϕ| ω[I] be the result of replacing all symbols x ∈ X * in ϕ by the corresponding bit-vector variable x k and all symbols x ∈ Z * in ϕ by the bit-vector constant of sort
I mod 2 k , where in both cases k is the value of ω b (x) I . We say a formula ϕ is well sorted under ω if ω is admissible and ϕ| ω[I] is a well-sorted Σ BV -formula for all I that map variables in v to positive integers. Example 1. Let X * be the set {x} and Z * be the set {z 0 , z 1 }, where ω N (z 0 ) = 0 and
is not a well sorted Σ BV -formula whenever a
Notice that symbolic constants such as the maximum unsigned constant of a symbolic length w can be represented by introducing z ∈ Z * with ω b (z) = w and ω N (z) = 2 w − 1. Furthermore, recall that signature Σ BV includes the bit-vector extract operator, which is parameterized by two natural numbers u and l. We do not lift the above definitions to handle extract operations having symbolic ranges, e.g., where u and l are Σ IAterms. This is for simplicity and comes at no loss of expressive power, since constraints involving extract can be equivalently expressed using constraints involving concatenation. For example, showing that every instance of a constraint
We may reason about a formula involving a symbolic range {l, . . . , u} of t by considering a parametric bit-vector formula that encodes a formula of the latter form, where the appropriate symbolic bit-widths are assigned to symbols introduced for y 1 , y 2 , y 3 .
We assume the above definitions for parametric Σ BV -formulas are applied to parametric Σ BV -terms as well. Furthermore, for any admissible ω, we assume ω can be extended to terms t of bit-vector sort that are well sorted under ω such that t| ω[I] has sort σ [ω b (t) I ] for all I that map variables in FV(ω) to positive integers. Such an extension of ω to terms can be easily computed in a bottom-up fashion by computing ω for each child and then applying the typing rules of the operators in Σ BV . For example, we may assume ω b (t) = ω b (t 2 ) if t is of the form t 1 + BV t 2 and is well sorted under ω, and
Finally, we extend the notion of validity to parametric bit-vector formulas. Given a formula ϕ that is well sorted under ω, we say ϕ is T BV -valid under ω if ϕ| ω[I] is T BV -valid for all I that that map variables in FV(ω) to positive integers.
Encoding Parametric Bit-Vector Formulas in SMT
Current SMT solvers do not support reasoning about parametric bit-vector formulas. In this section, we present a technique for encoding such formulas as formulas involving non-linear integer arithmetic, uninterpreted functions, and universal quantifiers. In SMT parlance, these are formulas in the UFNIA logic. Given a formula ϕ that is well sorted under some mapping ω, we describe this encoding in terms of a translation T , which returns a formula ψ that is valid in the theory of uninterpreted functions with integer arithmetic only if ϕ is T BV -valid under ω. We describe several variations on this translation and discuss their relative strengths and weaknesses. Overall Approach At a high level, our translation produces an implication whose antecedent requires the integer variables to be in the correct ranges (e.g., k > 0 for every bit-width variable k), and whose conclusion is the result of converting each (parametric) bit-vector term of bit-width k to an integer term. Operations on parametric bit-vector terms are converted to operations on the integers modulo 2 k , where k can be a symbolic constant. We first introduce uninterpreted functions that will be used in our translation. Note that SMT solvers may not support the full set of functions in our extended signature Σ IA , since they typically do not support exponentiation. Since translation requires a limited form of exponentiation we introduce an uninterpreted function symbol pow2 of sort Int → Int, whose intended semantics is the function λx.2
x when the argument x is non-negative. Second, for each (non-predicate) n-ary (with n > 0) function f BV of sort σ 1 × . . . × σ n → σ in the signature of fixed-size bit-vectors Σ BV (excluding bit-vector extraction), we introduce an uninterpreted function f N of arity n + 1 and sort Int × Int × . . . × Int → Int, where the extra argument is used to specify the bitwidth. For example, for
In its intended semantics, this function adds the second and third arguments, both integers, and returns the result modulo 2 k , where k is the first argument. The signature Σ BV contains one function, bit-vector concatenation • BV , whose two arguments may have different sorts. For this case, the first argument of • N indicates the bit-width of the third argument, i.e., • N (k, x, y) is interpreted as the concatenation of x and y, where y is an integer that encodes a bit-vector of bit-width k; the bit-width for x is not specified by an argument, as it is not needed for the elimination of this operator we perform later. We introduce uninterpreted functions for each bit-vector predicate in a similar fashion. For instance, ≥ u N has sort Int × Int × Int → Bool and encodes whether its second argument is greater than or equal to its third argument, when these two arguments are interpreted as unsigned bit-vector values whose bit-width is given by its first argument. Depending on the variation of the encoding, our translation will either introduce quantified formulas that fully axiomatize the behavior of these uninterpreted functions or add (quantified) lemmas that state key properties about them, or both. Figure 1 defines our translation function T A , which is parameterized by an axiomatization mode A. Given an input formula ϕ that is well sorted under TA(ϕ, ω):
Translation Function
CONV (e, ω):
Match e: ω, it returns the implication whose antecedant is an axiomatization formula AX A (ϕ, σ) and whose conclusion is the result of converting ϕ to its encoded version via the conversion function CONV. The former is dependent upon the axiomatization mode A which we discuss later. We assume without loss of generality that ϕ contains no applications of bit-vector extract, which can be eliminated as described in the previous section, nor does it contain concrete bit-vector constants, since these can be equivalently represented by introducing a symbol in Z * with the appropriate concrete mappings in ω b and ω N .
In the translation, we use an auxiliary function CONV which converts parametric bitvector expressions into integer expressions with uninterpreted functions. Parametric bitvector variables x (that is, symbols from X * ) are replaced by unique integer variables of type Int, where we assume a mapping χ maintains this correspondence, such that range of χ does not include any variable that occurs in FV(ω). Parametric bit-vector constants z (that is, symbols from set Z * ) are replaced by the term ω N (z) mod pow2(ω b (z)). The ranges of the maps in ω may contain arbitrary Σ IA -terms. In practice, our translation handles only cases where these terms contain symbols supported by the SMT solver, as well as terms of the form 2 t , which we assume are replaced by pow2(t) during this translation. For instance, if ω b (z) = w + v and ω N (z) = 2 w − 1, then CONV(z) returns (pow2(w) − 1) mod pow2(w + v). Equalities are processed by recursively running the translation on both sides. The next case handles symbols from the signature Σ BV , where symbols f BV are replaced with the corresponding uninterpreted function f N . We take as the first argument ω b (t n ), indicating the symbolic bit-width of the last argument of e, and recursively call CONV on t 1 , . . . , t n . In all cases, ω b (t n ) corresponds to the bit-width that the uninterpreted function f N expects based on its intended semantics (the bit-width of the second argument for bit-vector concatenation, or of an arbitrary argument for all other functions and predicates). Finally, if the top symbol of e is a Boolean connective we apply the conversion function recursively to all its children.
We run ELIM for all applications of uninterpreted functions f N introduced during the conversion, which eliminates functions that correspond to a majority of the bitvector operators. These functions can be equivalently expressed using integer arithmetic and pow2. The ternary addition operation + N , that represents addition of two bit-vectors with their width k specified as the first argument, is translated to integer addition modulo pow2(k). Similar considerations are applied for − N and · N . For div N and mod N , our translation handles the special case where the second argument is zero, where the return value in this case is the maximum value for the given bit-width, i.e. pow2(k) − 1. The integer operators corresponding to unary (arithmetic) negation and bit-wise negation can be eliminated in a straightforward way. The semantics of various bitwise shift operators can be defined arithmetically using division and multiplication with pow2(k). Concatenation can be eliminated by multiplying its first argument x by pow2(k), where recall k is the bit-width of the second arugment y. In other words, it has the effect of shifting x left by k bits, as expected. The unsigned relation symbols can be directly converted to the corresponding integer relation. For the elimination of signed relation symbols we use an auxiliary helper uts (unsigned to signed), defined in Figure 1 , which returns the interpretation of its argument when seen as a signed value. The definition of uts can be derived based on the semantics for signed and unsigned bit-vector values in the SMT LIB standard. Based on this definition, we have that integers v and u that encode bit-vectors of bit-width k satisfy < s N (k, u, v) if and only if uts k (u) < uts k (v). As an example of our translation, let ϕ = (x +
, χ(x))), 1 mod pow2(a))) ≈ 0 mod pow2(a). After applying ELIM and simplifying, we get (χ(x) + χ(x) + 1) mod pow2(a) ≈ 0.
Thanks to ELIM, we can assume that all formulas generated by CONV contain only uninterpreted function symbols in the set {pow2, & N , | N , ⊕ N }. Thus, we restrict our attention to these symbols only in our axiomatization AX A , described next.
Axiomatization Modes
We consider four different axiomatization modes A, which we call full, partial, combined, and qf (quantifier-free). For each of these axiomatizations, we define AX A (ϕ, ω) as the conjunction:
The first conjunction states that all integer variables introduced for parametric bit-vector variables x reside in the range specified by their bit-width. The second conjunction states that all free variables in ω (denoting bit-widths) are positive. The remaining four conjuncts denote the axiomatizations for the four uninterpreted functions that may occur in the output of the conversion function. The definitions of these formulas are given in Tables 2 and 3 for full and partial respectively. For each axiom, i, j, k denote bit-widths and x, y denote integers that encode bit-vectors of size k. We assume guards on all quantified formulas (omitted for brevity) that constrain i, j, k to be positive and x, y to be in the range {0, . . . , pow2(k) − 1}. Each table entry lists a set of formulas (interpreted conjunctively) that state properties about the intended semantics of these operators. The formulas for axiomatization mode full assert the intended semantics of these operators, whereas those for partial assert several properties of them. Mode combined asserts both, and mode qf takes only the formulas in partial that are quantifier-free. In particular, AX pow2 qf corresponds to the base cases listed in partial, and AX ⋄ qf for the other operators is simply ⊤. The partial axiomatization of these operations mainly includes natural properties of them. For example, we include some base cases for each operation, and also the ranges of its inputs and output. For some proofs, these are sufficient. For & N , | N and ⊕ N , we also included their behavior for specific cases, e.g., & N (k, a, 0) = 0 and its variants. Other axioms (e.g., "never even") were added after analyzing specific benchmarks to identify sufficient axioms for their proofs.
Our translation satisfies the following key properties.
Theorem 2. Let ϕ be a parameteric bit-vector formula that is well sorted under ω and has no occurrences of bit-vector extract or concrete bit-vector constants. Then: 1. ϕ is T BV -valid under ω if and only if
T full (ϕ, ω) is T UFIA -valid.
ϕ is T BV -valid under ω if and only if
The proof of Property 1 is carried out by translating every interpretation IBV of T BV into a corresponding interpretation IN of T UFIA such that IBV satisfies ϕ iff IN satisfies T full (ϕ). The converse translation can be achieved similarly, where appropriate bit-widths are determined by the range axioms 0 ≤ χ(x) < pow2(ω b (x)) that occur in T full (ϕ, ω). The rest of the properties follow from Property 1, by showing that the axioms in Table 3 are valid in every interpretation of T UFIA that satisfies AX full (ϕ, ω).
Case Studies
We apply the techniques from Section 3 to three case studies: (i) verification of invertibility conditions from Niemetz et al. [18] ; (ii) verification of compiler optimizations as generated by Alive [16] ; and (iii) verification of rewrite rules that are used in SMTsolvers. For these case studies, we consider a set of verification conditions that originally use fixed-size bit-vectors, and exclude formulas involving multiple bit-widths.
For each formula φ, we first extract a parametric version ϕ by replacing each variable in φ by a fresh x ∈ X * and each (concrete) bit-vector constant by a fresh z ∈ Z * . We define ω b (x) = ω b (z) = k for a fresh integer variable k, and let ω N (z) be the integer value corresponding to the bit-vector constant it replaced. Notice that, although omitted from the presentation, our translation can be easily extended to handle quantified bit-vector formulas, which appear in some of the case studies. We then define ω = (ω b , ω N ) and invoke our translation from Section 3 on the parametric bit-vector formula ϕ. If the resulting formula is valid, the original verification condition holds independent of the original bit-width. In each case study, we report on the success rates of determining the validity of these formulas for axiomatization modes full, partial, combined, and qf. Overall, axiomatization mode combined yields the best results.
All experiments described below require tools with support for the SMT logic UF-NIA. We used all three participants in the UFNIA division of the 2018 SMT competition: CVC4 [2] (GitHub master 6eb492f6), Z3 [8] (version 4.8.4), and Vampire [13] (GitHub master d0ea236). Z3 and CVC4 use various strategies and techniques for quantifier instantiation including E-matching [17] , and enumerative [23] and conflictbased [26] instantiation. For non-linear integer arithmetic, CVC4 uses an approach based on incremental linearization [7, 6, 25] . Vampire is a superposition-based theorem prover for first-order logic based on the AVATAR framework [29] , which has been extended also to support some theories including integer arithmetic [22] . We performed all experiments on a cluster with Intel Xeon E5-2637 CPUs with 3.5GHz and 32GB of memory and used a time limit of 300 seconds (wallclock) and a memory limit of 4GB for each solver/benchmark pair. We consider a bit-width independent property to be proved if at least one solver proved it for at least one of the axiomatization modes. 3 
Verifying Invertibility Conditions
Niemetz et al. [18] Table 1 , excluding extraction, as the invertibility condition for the latter is trivially ⊤. A considerable number of these conditions were determined by leveraging syntax-guided synthesis (SyGuS) techniques [1] . The authors further verified the correctness of all conditions for bit-widths 1 to 65. However, a bit-width-independent formal proof of correctness of these conditions was left to future work. In the following, we apply the techniques of Section 3 to tackle this problem. Note that for this case study, we exclude operators involving multiple bit-widths, namely bit-vector extraction and concatenation. For the former, all invertibility conditions are ⊤, and for the latter a hand-written proof of the correctness of its invertibility conditions can be achieved easily.
Proving Invertibility Conditions Let ℓ[x] be a bit-vector literal of the form ⋄x ⊲⊳ t or x ⋄ s ⊲⊳ t (dually, s ⋄ x ⊲⊳ t) with operators ⋄ and relations ⊲⊳ as defined in Table 1 . To prove the correctness of an invertibility condition φ c for x independent of the bit-width, we have to prove the validity of the formula:
where occurrences of s and t are implicitly universally quantified. We then want to prove that Equation (1) is T BV -valid under ω. Considering the two directions of (1) separately, we get:
The validity of (rtl) is equivalent to the unsatisfiability of the quantifier-free formula:
Eliminating the quantifier in (ltr) is much trickier. It typically amounts to finding a symbolic value for x such that ℓ[x, s, t] holds provided that φ c [s, t] holds. We refer to such a symbolic value as a conditional inverse.
Conditional Inverses Given an invertibility condition φ c for x in bit-vector literal ℓ[x], we say that a term α c is a conditional inverse for
Clearly, (ltr') implies (ltr). However, the converse may not hold, i.e., if (ltr') is refuted, (ltr) is not necessarily refuted. Notice that if the invertibility condition for x is ⊤, the conditional inverse is in fact unconditional. The problem of finding a conditional inverse for a bit-vector literal x⋄s ⊲⊳ t (dually, s⋄x ⊲⊳ t) can be defined as a SyGuS problem by asking whether there exists a binary bit-vector function C such that the (second-order) formula ∃C∀s∀t.φ c ⇒ C(s, t) ⋄ s ⊲⊳ t is satisfiable. If such a function C is found, then it is in fact a conditional inverse for x in ℓ[x]. We synthesized conditional inverses for x in ℓ[x] for bit-width 4 with variants of the grammars used in [18] to synthesize invertibility conditions. For each grammar we generated 160 SyGuS problems, one for each combination of bit-vector operator and relation from Table 1 (excluding extraction and concatenation), counting commutative cases only once. We used the SyGuS feature of the SMT solver CVC4 [24] to solve these problems, and out of 160, we were able to synthesize candidate conditional inverses for 143 invertibility conditions. For 12 out of these 143, we found that the synthesized terms were not conditional inverses for every bit-width, by checking (ltr') for bit-widths up to 64.
Results Table 4 provides detailed information on the results for the axiomatization modes full, partial, and qf discussed in Section 3. We use → and → to indicate that only direction left-to-right (ltr or ltr') or right-to-left (rtl'), respectively, were proved, and and ✕ to indicate that both or none, respectively, of the directions were proved. Additionally, we use →α c (resp. →no αc ) to indicate that for direction left-to-right, formula (ltr') (resp. (ltr)) was proved with (resp. without) plugging in a conditional inverse.
Overall, out of 160 invertibility conditions, we were able to fully prove 110, and for 19 (17) conditions we were able to prove only direction rtl' (ltr'). For direction rightto-left, 129 formulas (rtl') overall were successfully proved to be unsatisfiable. Out of these 129, 32 formulas were actually trivial since the invertibility condition φ c was ⊤. For direction left-to-right, overall, 127 formulas were proved successfully, and out of these, 102 (94) were proved using (resp. not using) a conditional inverse. Furthermore, 33 formulas could only be proved when using a conditional inverse. Thus, using conditional inverses was helpful for proving the correctness of invertibility conditions.
Considering the different axiomatization modes, overall, with 104 fully proved and only 17 unproved instances, combined performed best. Interestingly, even though axiomatization qf only includes some of the base cases of axiomatization partial, it still performs well. This may be due to the fact that in many cases, the correctness of the invertibility condition does not rely on any particular property of the operators involved. For example, the invertibility condition φ c for literal x & Table 4 . Invertibility condition verification using axiomatization modes combined, full, partial, and qf. Column →α c (→ no αc ) counts left-to-right proved with (without) conditional inverse.
for
Proving the correctness of φ c relies on axioms regarding & BV and ∼ BV . Specifically, we have found that from partial, it suffices to keep "min" and "idempotence" to prove φ c . Overall, from the 2696 problems that this case study included, CVC4 proved 50.3%, Vampire proved 31.4%, and Z3 proved 33.8%, while 23.5% of the problems were proved by all solvers.
Verifying Alive Optimizations
Lopes et al. [16] introduces Alive, a tool for proving the correctness of compiler peephole optimizations. Alive has a high-level language for specifying optimizations. The tool takes as input a description of an optimization in this high-level language and then automatically verifies that applying the optimization to an arbitrary piece of source code produces optimized target code that is equivalent under a given precondition. It can also automatically translate verified optimizations into C++ code that can be linked into LLVM [15] . For each optimization, Alive generates four constraints that encode the following properties, assuming that the precondition of the optimization holds:
1. Memory Source and Target yield the same state of memory after execution. 2. Definedness The target is well-defined whenever the source is. From these verification tasks, Alive can generate benchmarks in SMT-LIB 2 format in the theory of fixed-size bit-vectors, with and without quantifiers. For each task, types are instantiated with all possible valid type assignments (for integer types up to a default bound of 64 bits). In the following, we apply our techniques from Section 3 to prove Alive verification tasks independently from the bit-width. For this, as in the Alive paper, we consider the set of optimizations from the instcombine optimization pass of LLVM, provided as Alive translations (433 total). 4 Of these 433 optimizations, 113 are dependent on a specific bit-width; thus we focus on the remaining 320. We further exclude optimizations that do not comply with the following criteria:
-In each generated SMT-LIB 2 file, only a single bit-width is used.
-All SMT-LIB 2 files generated for a property (instantiated for all possible valid type assignments) must be identical modulo the bit-width (excluding, e.g., bit-width dependent constants other than 0, 1, (un)signed min/max, and the bit-width). Table 5 . Alive optimizations verification using axiomatizations combined, full, partial and qf.
As a useful exception to the first criterion, we included instances where all terms of bitwidth 1 can be interpreted as Boolean terms. Overall, we consider bit-width independent verification conditions 1-4 for 180 out of 320 optimizations. None of these include memory operations or poison values, and only some have definedness constraints (and those are simple). Hence, the generated verification conditions 1-3 are trivial. We thus only consider the equivalence verification conditions for these 180 optimizations.
Results Table 5 summarizes the results of verifying the equivalence constraints for the selected 180 optimizations from the instcombine LLVM optimization pass. It first lists all families, showing the number of bit-width independent optimizations per family (320 total). The next column indicates how many in each family were in the set of 180 considered optimizations, and the remaining columns show how many of those considered were proved with each axiomatization mode. Overall, out of 180 equivalence verification conditions, we were able to prove 88. Our techniques were most successful for the AndOrXor family. This is not too surprising, since many verification conditions of this family require only Boolean reasoning and basic properties of ordering relations that are already included in the theory T IA . For example, given bit-vector term a and bit-vector constants C 1 and C 2 , optimization AndOrXor:979 essentially rewrites (a < s BV C 1 ∧ a < s BV C 2 ) to a < s BV C 1 , provided that precondition C 1 < s BV C 2 holds. To prove its correctness, it suffices to apply the transitivity of < s BV with Boolean reasoning. The same holds when lifting this equivalence to the integers, deducing the transitivity of < s N from that of the builtin < relation of T IA . None of the 9 benchmarks from the Shifts family were proven. These benchmarks are more complicated than others. They combine bit-wise and arithmetical operations and thus rely on their axiomatization. Solving these benchmarks is an interesting challenge for future work. Adding specialized axioms to partial is one promising approach.
Interestingly, for this case study, the results from the different axiomatization modes are very similar. This can again be explained by the fact that many optimizations rely on properties of the integers that are already included in T IA , without requiring any particular property of functions pow2, & N , | N and ⊕ N (as in the above example). Note that we have also tried using our approach for proving the equivalence verification conditions for up to a bit-width of 64. However, all optimizations that were proven correct this way were already proven correct for arbitrary bit-widths, which suggests that this restriction did not make the benchmarks easier. Overall, from the 720 problems in this case study, CVC4 proved 42.6%, Vampire proved 36.2%, and Z3 proved 37.9%, while 32.5% of the problems were proved by all solvers.
BV Rewriting
SMT solvers for the theory of fixed-size bit-vectors heavily rely on rewriting to reduce the size of the input formula prior to solving the problem. Since these rewrite rules are usually implemented independently of the bit-width, verifying that they hold for any bit-width is crucial for the soundness of the solver. For this case study, we used a feature of the SyGuS solver in CVC4 that allows us to enumerate equivalent bitvector terms/formulas (rewrite candidates) for a certain bit-width up to a certain term depth (nesting level of operators) [20] . We generated 1575 pairs of equivalent bit-vector terms of depth three and 431 equivalent pairs of formulas of depth two for bit-width 4 and translated them to integer problems with axiomatization modes full, partial, qf, and combined, resulting in 6300 + 1724 = 8024 benchmarks in total. Since rewrites that have been proved can be used to further axiomatize the integer translation, we collected all proven rewrites after each run, added them as axioms to the initial problems and reran the experiments. This was repeated until we reached a fixpoint, i.e., no further rewrites were proved. With this approach, we were able to prove 409 out of the 435 formula equivalences (94%), reaching a fixpoint at the first iteration. For the equivalent terms, we initially proved 878 out of the 1575 equivalences, which increased to 935 (59%) after adding all axioms from the first run, reaching a fixpoint after two iterations. Overall, from the 8024 problems, CVC4 proved 64.2%, Vampire proved 66.5%, and Z3 proved 64.2%, while 63.8% of the problems were proved by all solvers.
Conclusion and Further Research
We have studied several translations from bit-vector formulas with parametric bit-width to the theories of integer arithmetic and uninterpreted functions. The translations differ in the way that the operator 2 ( ) and bitwise logical operators are axiomatized, namely, fully (using induction) or partially (using some of their key properties). Our empirical results show that state-of-the-art SMT solvers are capable of solving the translated formulas for various benchmarks that originate from the verification of invertibility conditions, LLVM optimizations, and rewriting rules for fixed-size bit-vectors.
In future research, we plan to investigate a translation of our results to a proof assistant such as Coq, for which a bit-vector library was recently developed [9] . This will involve supporting proofs in the SMT solver for non-linear arithmetic and quantifiers. We believe that our promising experimental results with an integer encoding indicate that this is a viable approach for automating bit-width independent proofs. We also plan to explore satisfiable benchmarks, and to extend our approach for translating models.
