# BDDs and their application in SMT solving 

Jan Strejček<br>Masaryk University<br>Brno, Czechia

MOVEP 2024

## Outline

1 binary decision diagrams (BDDs)

2 theory of bitvectors (BV)

3 BDD-based SMT solving of BV

## Outline

1 binary decision diagrams (BDDs)

- definition
- operations on BDDs
- libraries and applications

2 theory of bitvectors (BV)

3 BDD-based SMT solving of BV

Binary decision diagrams (BDDs)

investigated by Randal Bryant since 1986

investigated by Randal Bryant since 1986
"one of the only really fundamental data structures that came out in the last twenty-five years"

Donald Knuth, 2008


## Binary decision diagrams (BDDs)

A binary decision diagram (BDD) is a finite rooted directed acyclic graph with two kinds of nodes and two kinds of edges:

■ each terminal node is labeled with 0 or 1 ,
■ each nonterminal node is labeled with a Boolean variable and has a low successor and a high successor.


## Binary decision diagrams (BDDs)

A binary decision diagram (BDD) is a finite rooted directed acyclic graph with two kinds of nodes and two kinds of edges:

■ each terminal node is labeled with 0 or 1 ,
■ each nonterminal node is labeled with a Boolean variable and has a low successor and a high successor.


## Semantics of BDDs

■ a BDD with variables $x_{1}, \ldots, x_{n}$ describes a Boolean function $f\left(x_{1}, \ldots, x_{n}\right)$
$\square$ the value of $f\left(x_{1}, \ldots, x_{n}\right)$ is the value of the terminal node reached from the root by following the high successor whenever the current variable is 1 and the low successor otherwise


## Semantics of BDDs

$\square$ a BDD with variables $x_{1}, \ldots, x_{n}$ describes a Boolean function $f\left(x_{1}, \ldots, x_{n}\right)$
$\square$ the value of $f\left(x_{1}, \ldots, x_{n}\right)$ is the value of the terminal node reached from the root by following the high successor whenever the current variable is 1 and the low successor otherwise


$$
f(x, y, z)=\left\{\begin{array}{ll}
1 & \text { for } x=1, y=1, z=1 \\
\text { or } x=1, y=0, z=0 \\
\text { or } x=0, z=0, y=1
\end{array}, \begin{array}{ll}
\text { otherwise }
\end{array}\right.
$$

■ alternatively, a BDD can represent the set of assignments leading to node

## Ordered BDD

A BDD is ordered if there exists a linear ordering <on its Boolean variables such that the variables on each path from the root to a terminal node respect the order.


## Ordered BDD

A BDD is ordered if there exists a linear ordering <on its Boolean variables such that the variables on each path from the root to a terminal node respect the order.


## Ordered BDD

A BDD is ordered if there exists a linear ordering <on its Boolean variables such that the variables on each path from the root to a terminal node respect the order.


## Ordered BDD

A BDD is ordered if there exists a linear ordering <on its Boolean variables such that the variables on each path from the root to a terminal node respect the order.


## Reduced BDD

A BDD is reduced if it does not contain any nonterminal node with identical low and high child and any isomorphic subgraphs.


A BDD is reduced if it does not contain any nonterminal node with identical low and high child and any isomorphic subgraphs.

a BDD can be reduced by merging all terminal nodes with the same label and repeated applications of the following steps
1 remove each nonterminal node with identical low and high child and redirect all incomming edges to the child
2 merge all nodes that have the same low child and the same high child

A BDD is reduced if it does not contain any nonterminal node with identical low and high child and any isomorphic subgraphs.

a BDD can be reduced by merging all terminal nodes with the same label and repeated applications of the following steps
1 remove each nonterminal node with identical low and high child and redirect all incomming edges to the child
2 merge all nodes that have the same low child and the same high child

A BDD is reduced if it does not contain any nonterminal node with identical low and high child and any isomorphic subgraphs.

a BDD can be reduced by merging all terminal nodes with the same label and repeated applications of the following steps
1 remove each nonterminal node with identical low and high child and redirect all incomming edges to the child
2 merge all nodes that have the same low child and the same high child

■ we assume that all BDDs are reduced and ordered
■ for a fixed variable order, BDDs are a canonical representation of Boolean functions, i.e., two Boolean functions are equivalent (regardless their description) iff the corresponding BDDs are isomorphic

■ we assume that all BDDs are reduced and ordered
■ for a fixed variable order, BDDs are a canonical representation of Boolean functions, i.e., two Boolean functions are equivalent (regardless their description) iff the corresponding BDDs are isomorphic
■ BDD size heavily depends on the considered variable order


■ we assume that all BDDs are reduced and ordered
■ for a fixed variable order, BDDs are a canonical representation of Boolean functions, i.e., two Boolean functions are equivalent (regardless their description) iff the corresponding BDDs are isomorphic
■ BDD size heavily depends on the considered variable order


■ some BDDs are exponential in the number of variables regardless their order, e.g., BDDs representing the $\lfloor n / 2\rfloor$-th bit of the product of two $n$-bit numbers

## Construction of BDDs

BDDs for basic Boolean functions

$$
\text { true } \longrightarrow \quad 1 \quad \text { false } \longrightarrow 0
$$



## Construction of BDDs

BDDs for basic Boolean functions
true $\longrightarrow 1$ false $\longrightarrow 0$


## negation $\neg B$

- replace 1 with 0 and vice versa



## Construction of BDDs

BDDs for basic Boolean functions
true $\rightarrow 0$ false $\longrightarrow 0$


## negation $\neg B$

- replace 1 with 0 and vice versa



## Operations on BDDs

binary operation $B \star D$ for $\star \in\{\wedge, \vee$, xor,$\ldots\}$

## Operations on BDDs

binary operation $B \star D$ for $\star \in\{\wedge, \vee$, xor,$\ldots\}$
$1 \quad b * d$ where $b, d \in\{0,1\} \longrightarrow b \not \square d$

## Operations on BDDs

binary operation $B \star D$ for $\star \in\{\wedge, \vee$, xor,$\ldots\}$
$1 \quad b \star d$ where $b, d \in\{0,1\} \quad \longrightarrow \quad b \star d$

2


## Operations on BDDs

binary operation $B \star D$ for $\star \in\{\wedge, \vee$, xor,$\ldots\}$
$1 \quad b \star d$ where $b, d \in\{0,1\} \quad \longrightarrow \quad b \star d$


## Operations on BDDs

binary operation $B \star D$ for $\star \in\{\wedge, \vee$, xor,$\ldots\}$
$1 \quad b \star d$ where $b, d \in\{0,1\} \quad \longrightarrow \quad b \star d$

2

$\longrightarrow B_{1} \star D_{1}^{\infty}$


4


5 reduce the resulting BDD

## Example



## Example



## Example



## Example



## Example



## Example



## Example



## Example



## Example



## Example



## Example



## Example




## Operations on BDDs

variable instantiation $B\left[x_{i} \leftarrow b\right]$
1 if the root is labeled with $x_{i}$, then take the high successor as the root if $b=1$ and the low successor otherwise
2 going from top to bottom, each edge leading to a node labeled with $x_{i}$ is reconnected to its high successor if $b=1$ and its low successor otherwise
3 unreachable nodes are removed and BDD is reduced

## Operations on BDDs

variable instantiation $B\left[x_{i} \leftarrow b\right]$
1 if the root is labeled with $x_{i}$, then take the high successor as the root if $b=1$ and the low successor otherwise
2 going from top to bottom, each edge leading to a node labeled with $x_{i}$ is reconnected to its high successor if $b=1$ and its low successor otherwise
3 unreachable nodes are removed and BDD is reduced

set $z$ to 1

## Operations on BDDs

variable instantiation $B\left[x_{i} \leftarrow b\right]$
1 if the root is labeled with $x_{i}$, then take the high successor as the root if $b=1$ and the low successor otherwise
2 going from top to bottom, each edge leading to a node labeled with $x_{i}$ is reconnected to its high successor if $b=1$ and its low successor otherwise
3 unreachable nodes are removed and BDD is reduced

set $z$ to 1

## Operations on BDDs

variable instantiation $B\left[x_{i} \leftarrow b\right]$
1 if the root is labeled with $x_{i}$, then take the high successor as the root if $b=1$ and the low successor otherwise
2 going from top to bottom, each edge leading to a node labeled with $x_{i}$ is reconnected to its high successor if $b=1$ and its low successor otherwise
3 unreachable nodes are removed and BDD is reduced

set $z$ to 1

## Operations on BDDs

quantifiers

- $\exists x . B \equiv B[x \leftarrow 1] \vee B[x \leftarrow 0]$
- $\forall x . B \equiv B[x \leftarrow 1] \wedge B[x \leftarrow 0]$


## Operations on BDDs

quantifiers
■ $\exists x \cdot B \equiv B[x \leftarrow 1] \vee B[x \leftarrow 0]$
■ $\forall x . B \equiv B[x \leftarrow 1] \wedge B[x \leftarrow 0]$

## complexity and implementation

- all the mentioned operations need only polynomial time when applied to BDDs with the same variable order (and when cache is used)


## Operations on BDDs

## quantifiers

■ $\exists x \cdot B \equiv B[x \leftarrow 1] \vee B[x \leftarrow 0]$
■ $\forall x \cdot B \equiv B[x \leftarrow 1] \wedge B[x \leftarrow 0]$

## complexity and implementation

- all the mentioned operations need only polynomial time when applied to BDDs with the same variable order (and when cache is used)
■ in implementations, each node in represented BDDs is stored only once



## Operations on BDDs

## quantifiers

■ $\exists x \cdot B \equiv B[x \leftarrow 1] \vee B[x \leftarrow 0]$
■ $\forall x \cdot B \equiv B[x \leftarrow 1] \wedge B[x \leftarrow 0]$

## complexity and implementation

■ all the mentioned operations need only polynomial time when applied to BDDs with the same variable order (and when cache is used)
■ in implementations, each node in represented BDDs is stored only once
■ equivalence check is constant

- a formula is satisfiable iff the corresponding BDD is not 0



## Libraries for BDDs and their applications

## libraries

- implementations use also negation flags on edges (increases the number of isomorphic subgraphs)
- optimized BDD libraries BuDDy, CUDD, Sylvan, Adiar,. . .

■ offer algorithms for automatic improvement of variable order (sifting)
■ support of other diagrams, e.g., zero-suppressed decision diagrams (ZDD)

## Libraries for BDDs and their applications

## libraries

- implementations use also negation flags on edges (increases the number of isomorphic subgraphs)
■ optimized BDD libraries BuDDy, CUDD, Sylvan, Adiar,...
■ offer algorithms for automatic improvement of variable order (sifting)
■ support of other diagrams, e.g., zero-suppressed decision diagrams (ZDD)


## applications

■ symbolic model checking
■ synthesis of logical circuits
■ used in other highly efficient libraries, e.g., in $\omega$-automata library Spot
■ SAT and SMT solving

## Outline

11 binary decision diagrams (BDDs)

- definition
- operations on BDDs
- libraries and applications

2 theory of bitvectors (BV)
■ the theory

- applications

■ standard approach to SMT solving
3 BDD-based SMT solving of BV

## Satisfiability solving

## SAT solving

- satisfiability of propositional formulae

■ Is $((x \wedge \neg y \wedge \neg z) \vee(\neg x \wedge \neg y)) \wedge(z \vee y)$ satisfiable?

## Satisfiability solving

## SAT solving

■ satisfiability of propositional formulae
■ Is $((x \wedge \neg y \wedge \neg z) \vee(\neg x \wedge \neg y)) \wedge(z \vee y)$ satisfiable?
$■$ YES: $x=0, y=0, z=1$
■ decidable, NP-complete

## Satisfiability solving

## SAT solving

■ satisfiability of propositional formulae
■ Is $((x \wedge \neg y \wedge \neg z) \vee(\neg x \wedge \neg y)) \wedge(z \vee y)$ satisfiable?
■ YES: $x=0, y=0, z=1$
■ decidable, NP-complete

## SMT solving

■ satisfiability of predicate formulae
■ Is $\forall y(y \geq 0 \Longrightarrow \exists x \cdot y=x \cdot x)$ satisfiable/valid?

## Satisfiability solving

## SAT solving

■ satisfiability of propositional formulae
$■$ Is $((x \wedge \neg y \wedge \neg z) \vee(\neg x \wedge \neg y)) \wedge(z \vee y)$ satisfiable?
$\square$ YES: $x=0, y=0, z=1$
■ decidable, NP-complete

## SMT solving

- satisfiability of predicate formulae

■ Is $\forall y(y \geq 0 \Longrightarrow \exists x \cdot y=x \cdot x)$ satisfiable/valid?

- NO for integers, YES for reals

■ SMT = satisfiability modulo theory
$■$ decidability and complexity depends on the theory

Theory of fixed-size bitvectors

- BV = theory of bitvectors / bitvector logic
- multi-sorted first-order logic

■ for each $n>0$, sort $[n]=$ bitvectors of length $n$

■ BV = theory of bitvectors / bitvector logic

- multi-sorted first-order logic

■ for each $n>0$, sort $[n]=$ bitvectors of length $n$

■ functions
■ constants: $0_{[n]}, 1_{[n]}, \ldots$

- bit-wise logic operations: not $_{[n]}$, and $_{[n]}$, or $_{[n]}$
- arithmetic operations with overflows: $+_{[n]}, *_{[n]}, /_{[n]}^{s}, /_{[n]}^{u} \ldots$

■ bit-wise left/right shift: $\operatorname{shl}_{[n]}, \operatorname{shr}_{[n]}$

- concatenation: concat ${ }_{[m, n]}$

■ extraction: extract ${ }_{[m, i, j]}$

- [uninterpretted functions]

■ BV = theory of bitvectors / bitvector logic

- multi-sorted first-order logic

■ for each $n>0$, sort $[n]=$ bitvectors of length $n$

■ functions
■ constants: $0_{[n]}, 1_{[n]}, \ldots$

- bit-wise logic operations: not $_{[n]}$, and $_{[n]}$, or $_{[n]}$
- arithmetic operations with overflows: $+_{[n]}, *_{[n]}, /_{[n]}^{s}, /_{[n]}^{u} \ldots$
- bit-wise left/right shift: $\operatorname{shl}_{[n]}, \operatorname{shr}_{[n]}$
- concatenation: concat ${ }_{[m, n]}$

■ extraction: extract ${ }_{[m, i, \lambda]}$

- [uninterpretted functions]

■ predicates
■ equality: ${ }_{[n]}$

- signed/unsigned less than (or equal): $<_{[n]}^{s},<_{[n]}^{u}, \leq_{[n]}^{s}, \leq_{[n]}^{u}$


## Applications of the theory

```
unsigned char x = input();
if (x > 100) {
    unsigned char y = 4 * x + 1;
    assert (x < y);
}
```

the assertion can be violated

$$
x_{[8]} \gg_{[8]}^{u} 100_{[8]} \wedge \neg\left(x_{[8]} \ll_{[8]}^{u} 4_{[8]} *_{[8]} x_{[8]}+{ }_{[8]} 1_{[8]}\right) \text { is satisfiable }
$$

## Applications of the theory

```
unsigned char x = input();
if (x > 100) {
    unsigned char y = 4 * x + 1;
    assert(x < y);
}
```

the assertion can be violated

$$
x>^{u} 100 \wedge \neg\left(x<^{u} 4 * x+1\right) \text { is satisfiable }
$$

## Applications of the theory

```
unsigned char x = input();
if (x > 100) {
    unsigned char y = 4 * x + 1;
    assert(x < y);
}
```

the assertion can be violated $\qquad$

$$
x>^{u} 100 \wedge \neg\left(x<^{u} 4 * x+1\right) \text { is satisfiable }
$$

■ QF_BV = quantifier-free fragment of BV

- verification of safety properties

■ automatic test generation

## Applications of the theory

```
unsigned char x = input();
while (x != 0) {
    x = x - 3;
}
```

the program always terminates

$$
\forall x_{[8]} \exists y_{[8]} \cdot x_{[8]}-{ }_{[8]} 3_{[8]} *_{[8]} y_{[8]}={ }_{[8]} 0_{[8]} \text { is satisfiable/valid }
$$

## Applications of the theory

```
unsigned char x = input();
while (x != 0) {
    x = x - 3;
}
```

the program always terminates


$$
\forall x \exists y \cdot x-3 * y=0 \text { is satisfiable/valid }
$$

## Applications of the theory

```
unsigned char x = input();
while (x != 0) {
    x = x - 3;
}
```

the program always terminates


$$
\forall x \exists y \cdot x-3 * y=0 \text { is satisfiable/valid }
$$

- proving termination

■ computation and application of loop summaries

- program synthesis

■...

## Complexity of SMT solving of BV

|  | uninterpreted functions | encoding of bitvector lengths |  |
| :---: | :---: | :---: | :---: |
|  |  | unary | binary |
| QF_BV | no | NP | NEXPTIME |
|  | yes | NP | NEXPTIME |
| BV | no | PSPACE | AEXP(poly) |
|  | yes | NEXPTIME | 2-NEXPTIME |

■ -complete in all cases
■ AEXP(poly) = problems solvable by alternating Turing machines with polynomial number of alternations in exponential time
■ NEXPTIME $\subseteq$ AEXP(poly) $\subseteq$ EXPSPACE

■ bit-blasting and SAT solving
$■$ each bitvector variable $x_{[n]}$ can be seen as a sequence of $n$ Boolean variables $x_{n-1} x_{n-2} \ldots x_{1} x_{0}$

- bitvector functions and relations can be transformed into Boolean operations



## Traditional approach to SMT solving of BV

quantifier instantiation

$$
\psi=\forall x \exists y . \varphi(x, y)
$$

## Traditional approach to SMT solving of BV

quantifier instantiation

$$
\begin{gathered}
\psi=\forall x \exists y \cdot \varphi(x, y) \\
\forall x \cdot \varphi\left(x, f_{y}(x)\right)
\end{gathered}
$$

## Traditional approach to SMT solving of BV

quantifier instantiation


## Traditional approach to SMT solving of BV

quantifier instantiation


## Traditional approach to SMT solving of BV

quantifier instantiation


## Traditional approach to SMT solving of BV



## Traditional approach to SMT solving of BV



## Traditional approach to SMT solving of BV



## Outline

1 binary decision diagrams (BDDs)

- definition
- operations on BDDs

■ libraries and applications
2 theory of bitvectors (BV)
$\square$ the theory

- applications

■ standard approach to SMT solving
3 BDD-based SMT solving of BV

- naïve algorithm
- algorithm improvements
- Q3B
- based on joint work with Martin Jonáš [SAT'16, SAT'17, ICTAC'18, IPL'18, CAV'19]


1 translate BV formula $\varphi$ to $\mathrm{BDD} B_{\varphi}$ representing its models
2 check if $B_{\varphi}$ represents some model, i.e., $B_{\varphi} \neq 0$
YES: $\varphi$ is satisfiable
NO: $\varphi$ is unsatisfiable
a translate each term of type [ $n$ ] into a vector of $n$ of BDDs that represents the function given by the term
a translate each term of type [ $n$ ] into a vector of $n$ of BDDs that represents the function given by the term


BV formula to BDD bottom-up translation
a translate each term of type $[n]$ into a vector of $n$ of BDDs that represents the function given by the term


BV formula to BDD bottom-up translation
a translate each term of type $[n]$ into a vector of $n$ of BDDs that represents the function given by the term

$$
\begin{gathered}
x_{[3]}+[3] \\
y_{[3]} \\
" x_{2} x_{1} x_{0}+y_{2} y_{1} y_{0} \text { " }
\end{gathered}
$$


b translate each atomic subformula to a single BDD representing its models
b translate each atomic subformula to a single BDD representing its models

$$
t_{[3]}
$$


$t_{[3]}^{\prime}$

| $B_{2}$ | $B_{1}$ | $B_{0}^{\prime}$ |
| :--- | :--- | :--- |

$$
t_{[3]}=[3] t_{[3]}^{\prime}
$$

b translate each atomic subformula to a single BDD representing its models


BV formula to BDD bottom-up translation
b translate each atomic subformula to a single BDD representing its models


$$
5_{[3]}=x_{[3]}
$$


c apply logical connectives and quantifiers of the formula to BDDs corresponding to subformulae

$$
\forall x_{[3]} \cdot \psi \text { process as } \forall x_{2} \forall x_{1} \forall x_{0} \cdot B_{\psi}
$$

## Observations

- the algorithm works well as long as the constructed BDDs are small
- quantification of variables usually reduces the BDD size

sizes of BDDs corresponding to all quantified subformulas in SMT-LIB benchmarks for BV logic


## Algorithm improvements

## GOAL: reduce the size of constructed BDDs

■ modification of the input formula

- move quantifiers downwards
- eliminate variables or lower their bitwidth
- simplify the formula

■ approximations using less Boolean variables
■ abstractions of bitvector operations with BDDs of limited size

## Algorithm improvements: modifications of input formula

- push quantifiers in the formula downwards (miniscoping)

$$
\begin{array}{ll}
\forall x . \varphi(x) \vee \psi \rightsquigarrow \forall x(\varphi(x)) \vee \psi & \forall x . \varphi(x) \wedge \psi(x) \rightsquigarrow \forall x(\varphi(x)) \wedge \forall x(\psi(x)) \\
\exists x . \varphi(x) \wedge \psi \rightsquigarrow \exists x(\varphi(x)) \wedge \psi & \exists x . \varphi(x) \vee \psi(x) \rightsquigarrow \exists x(\varphi(x)) \vee \exists x(\psi(x))
\end{array}
$$

## Algorithm improvements: modifications of input formula

- push quantifiers in the formula downwards (miniscoping)

$$
\begin{array}{ll}
\forall x . \varphi(x) \vee \psi \rightsquigarrow \forall x(\varphi(x)) \vee \psi & \forall x . \varphi(x) \wedge \psi(x) \rightsquigarrow \forall x(\varphi(x)) \wedge \forall x(\psi(x)) \\
\exists x . \varphi(x) \wedge \psi \rightsquigarrow \exists x(\varphi(x)) \wedge \psi & \exists x . \varphi(x) \vee \psi(x) \rightsquigarrow \exists x(\varphi(x)) \vee \exists x(\psi(x))
\end{array}
$$

■ eliminate variables in the formula by equality resolution

$$
\forall x . \neg(x=t) \vee \varphi(x) \rightsquigarrow \varphi(t) \quad \exists x \cdot x=t \wedge \varphi(x) \rightsquigarrow \varphi(t)
$$

## Algorithm improvements: modifications of input formula

- push quantifiers in the formula downwards (miniscoping)

$$
\begin{array}{ll}
\forall x . \varphi(x) \vee \psi \rightsquigarrow \forall x(\varphi(x)) \vee \psi & \forall x . \varphi(x) \wedge \psi(x) \rightsquigarrow \forall x(\varphi(x)) \wedge \forall x(\psi(x)) \\
\exists x . \varphi(x) \wedge \psi \rightsquigarrow \exists x(\varphi(x)) \wedge \psi & \exists x . \varphi(x) \vee \psi(x) \rightsquigarrow \exists x(\varphi(x)) \vee \exists x(\psi(x))
\end{array}
$$

■ eliminate variables in the formula by equality resolution

$$
\forall x . \neg(x=t) \vee \varphi(x) \rightsquigarrow \varphi(t) \quad \exists x \cdot x=t \wedge \varphi(x) \rightsquigarrow \varphi(t)
$$

- simplify the formula with unconstrained or partly constrained terms
- unconstrained term = term that can have an arbitrary value
- let $u$ be a free or existentially quantified unconstrained variable
- let $v$ be a fresh variable

$$
u+5 *(y+z) \rightsquigarrow v
$$

$$
u_{[n]} *_{[n]} 4_{[n]} \rightsquigarrow \operatorname{concat}_{[n-2,2]}\left(v_{[n-2]}, 0_{[2]}\right)
$$

## Algorithm improvements: modifications of input formula

- push quantifiers in the formula downwards (miniscoping)

$$
\begin{array}{ll}
\forall x . \varphi(x) \vee \psi \rightsquigarrow \forall x(\varphi(x)) \vee \psi & \forall x . \varphi(x) \wedge \psi(x) \rightsquigarrow \forall x(\varphi(x)) \wedge \forall x(\psi(x)) \\
\exists x . \varphi(x) \wedge \psi \rightsquigarrow \exists x(\varphi(x)) \wedge \psi & \exists x . \varphi(x) \vee \psi(x) \rightsquigarrow \exists x(\varphi(x)) \vee \exists x(\psi(x))
\end{array}
$$

■ eliminate variables in the formula by equality resolution

$$
\forall x . \neg(x=t) \vee \varphi(x) \rightsquigarrow \varphi(t) \quad \exists x \cdot x=t \wedge \varphi(x) \rightsquigarrow \varphi(t)
$$

■ simplify the formula with unconstrained or partly constrained terms

- unconstrained term = term that can have an arbitrary value
- let $u$ be a free or existentially quantified unconstrained variable
- let $v$ be a fresh variable

$$
u+5 *(y+z) \rightsquigarrow v \quad u_{[n]} *_{[n]} 4_{[n]} \rightsquigarrow \operatorname{concat}_{[n-2,2]}\left(v_{[n-2]}, 0_{[2]}\right)
$$

■ let $u$ be universally quantified unconstrained variable

$$
t<^{u} u \rightsquigarrow \text { false } \quad t \leq^{u} u \rightsquigarrow t=0
$$

## Algorithm improvements: approximations

■ approximate bitvector variables by using less Boolean variables
$\square$ reduce the number of propositional variables representing $x_{[n]}$

$$
\begin{aligned}
& x_{n-1} x_{n-2} \ldots x_{3} x_{2} x_{1} x_{0} \rightsquigarrow 00 \ldots 0 x_{2} x_{1} x_{0} \quad \text { zero-extension } \\
& x_{n-1} x_{n-2} \ldots x_{3} x_{2} x_{1} x_{0} \rightsquigarrow x_{2} x_{2} \ldots x_{2} x_{2} x_{1} x_{0} \quad \text { sign-extension }
\end{aligned}
$$

## Algorithm improvements: approximations

■ approximate bitvector variables by using less Boolean variables
■ reduce the number of propositional variables representing $x_{[n]}$

$$
\begin{array}{ll}
x_{n-1} x_{n-2} \ldots x_{3} x_{2} x_{1} x_{0} \rightsquigarrow 00 \ldots 0 x_{2} x_{1} x_{0} & \text { zero-extension } \\
x_{n-1} x_{n-2} \ldots x_{3} x_{2} x_{1} x_{0} \rightsquigarrow x_{2} x_{2} \ldots x_{2} x_{2} x_{1} x_{0} & \text { sign-extension }
\end{array}
$$

■ underapproximation
$\underline{\varphi}=$ formula $\varphi$ with reduced existentially quantified variables
$\underline{\varphi}$ is satisfiable $\Longrightarrow \varphi$ is satisfiable

## Algorithm improvements: approximations

■ approximate bitvector variables by using less Boolean variables
■ reduce the number of propositional variables representing $x_{[n]}$

$$
\begin{aligned}
& x_{n-1} x_{n-2} \ldots x_{3} x_{2} x_{1} x_{0} \rightsquigarrow 00 \ldots 0 x_{2} x_{1} x_{0} \quad \text { zero-extension } \\
& x_{n-1} x_{n-2} \ldots x_{3} x_{2} x_{1} x_{0} \rightsquigarrow x_{2} x_{2} \ldots x_{2} x_{2} x_{1} x_{0} \quad \text { sign-extension }
\end{aligned}
$$

■ underapproximation
$\underline{\varphi}=$ formula $\varphi$ with reduced existentially quantified variables

$$
\varphi \text { is satisfiable } \Longrightarrow \varphi \text { is satisfiable }
$$

■ overapproximation
$\bar{\varphi}=$ formula $\varphi$ with reduced universally quantified variables
$\bar{\varphi}$ is unsatisfiable $\Longrightarrow \varphi$ is unsatisfiable

## Algorithm improvements: abstractions of bitvector operations

■ satisfiability can be sometimes decided without costly computations
■ abstract bitvector operations by computing only BDDs under a given node limit


## Algorithm improvements: abstractions of bitvector operations

■ satisfiability can be sometimes decided without costly computations
■ abstract bitvector operations by computing only BDDs under a given node limit


## Algorithm improvements: abstractions of bitvector operations

■ satisfiability can be sometimes decided without costly computations
■ abstract bitvector operations by computing only BDDs under a given node limit
■ adopt BDD operations to handle ? correctly

$$
? \wedge B=\left\{\begin{array}{cl}
0 & \text { if } B=0 \\
? & \text { otherwise }
\end{array}\right.
$$

## Algorithm improvements: abstractions of bitvector operations

■ satisfiability can be sometimes decided without costly computations
■ abstract bitvector operations by computing only BDDs under a given node limit

- two modes for evaluation of atomic subformulae



## Algorithm improvements: abstractions of bitvector operations

■ satisfiability can be sometimes decided without costly computations
■ abstract bitvector operations by computing only BDDs under a given node limit

- two modes for evaluation of atomic subformulae



## Algorithm improvements: abstractions of bitvector operations

■ satisfiability can be sometimes decided without costly computations
■ abstract bitvector operations by computing only BDDs under a given node limit

- two modes for evaluation of atomic subformulae

- pesimist claims satisfiability $\Longrightarrow$ formula is satisfiable optimist claims unsatisfiability $\Longrightarrow$ formula is unsatisfiable

- results from 2019
- CPU time limit 20 minutes and memory limit 16 GiB per formula

|  |  | solved by |  |  |  |
| :--- | ---: | ---: | ---: | ---: | ---: |
| family | total | Boolector | CVC4 | Q3B | Z3 |
| 2017-Preiner-keymaera | 4035 | 4019 | 3996 | 4009 | $\mathbf{4 0 3 1}$ |
| 2017-Preiner-psyco | 194 | 193 | 190 | 182 | $\mathbf{1 9 4}$ |
| 2017-Preiner-scholl-smt08 | 374 | 306 | 248 | $\mathbf{3 1 7}$ | 272 |
| 2017-Preiner-tptp | 73 | 69 | 73 | 73 | 73 |
| 2017-Preiner-UAutomizer | 153 | 152 | 151 | $\mathbf{1 5 3}$ | $\mathbf{1 5 3}$ |
| 20170501-Heizmann-UAutomizer | 131 | 30 | 128 | 124 | 32 |
| 2018-Preiner-cav18 | 600 | 549 | 565 | 565 | 550 |
| wintersteiger | 191 | 162 | 174 | $\mathbf{1 8 2}$ | 163 |
| Total | 5751 | 5480 | 5525 | $\mathbf{5 6 0 5}$ | 5468 |

## Evaluation of SMT solvers for BV


$20161^{\text {st }}$ in the Main Track of the BV division in Sequential Performance and Parallel Performance
$20171^{\text {st }}$ in the Main Track of the BV division in Sequential Performance and Parallel Performance
2019 2 $^{\text {nd }}$ in the Single Query Track of the BV division in Sequential Performance, Parallel Performance, SAT Performance, and 24 seconds Performance
$20222^{\text {nd }}$ in the Single Query Track of the BV division
in Sequential Performance, Parallel Performance, SAT Performance, UNSAT Performance, and
$1^{\text {st }}$ in 24 seconds Performance

## Ongoing research and development of Q3B

■ improved caching and static analysis of BV formulae

- advanced sifting algorithms

■ use of partial BDDs

## Ongoing research and development of Q3B

- improved caching and static analysis of BV formulae

■ advanced sifting algorithms
■ use of partial BDDs


## Conclusions and references

■ BDDs have known limitations, but also great advantages and efficient libraries

- in the context of SAT/SMT-solving, BDDs like quantifiers


## Conclusions and references

■ BDDs have known limitations, but also great advantages and efficient libraries

- in the context of SAT/SMT-solving, BDDs like quantifiers
- BDDs have known limitations, but also great advantages and efficient libraries
- in the context of SAT/SMT-solving, BDDs like quantifiers
[SAT'16] M. Jonáš and J. S.: Solving Quantified Bit-Vector Formulas Using Binary Decision Diagrams, SAT 2016.
[SAT'17] M. Jonáš and J. S.: On Simplification of Formulas with Unconstrained Variables and Quantifiers, SAT 2017.
[ICTAC'18] M. Jonáš and J. S.: Abstraction of Bit-Vector Operations for BDD-Based SMT Solvers, ICTAC 2018.
[IPL'18] M. Jonás and J. S.: On the Complexity of the Quantified Bit-Vector Arithmetic with Binary Encoding, Inf. Process. Lett. 135:57-61, 2018.
[CAV'19] M. Jonáš and J. S.: Q3B: An Efficient BDD-Based SMT Solver for Quantified Bit-Vectors, CAV 2019.

