Value Set Abstraction using Incremental SAT Solving

To compute value sets of registers described by a formula ϕ, we apply an iterative algorithm [21, Sect. 3] that derives value set abstractions for bit-vectors. We define:

3 Control Flow Reconstruction using Boolean Logic

Definition 3.2. Let_{h·i : V → N defined as hvi =}Pw−1

i=0 2i·v[i] denote the unsigned

value of a bit-vector v = (v[0], . . . , v[w− 1]). Likewise, let hh·ii : V → Z defined as hhvii = −2w−1· v[i] +Pw−2

i=0 2i· v[i] denote the signed interpretation of v.

Corollary 3.1. Let v = (v[0], . . . , v[w− 1]). Then: • hvi ∈ {0, . . . , 2w_{− 1}}

• hhvii ∈ {−2w−1_{, . . . 2}w−1_{− 1}}

To converge onto the value sets of v, the key idea of the algorithm is to alternately compute interval abstractions of ϕ and ¬ϕ. In what follows, we describe a well- known algorithm to derive intervals (cp. [21, Sect. 2], [39, Sect. 6] and [71, Sect. 3]) and then discuss how interval abstraction is applied during value set analysis.

Interval Abstraction

Before discussing how to compute interval abstractions of bit-vectors, we define the underlying abstract domain of intervals formally:

Definition 3.3. We define the interval abstract domain as the complete lattice (Int,_vint) with

Int = {[`, u] | 0 ≤ ` ≤ u ≤ 2w_{− 1} ∪ {⊥} int}

where ⊥int denotes the empty interval. Naturally, we have >int = [0, 2w−1]. The

partial order _vint is induced by the subset relation.

A procedure maximum : (℘(℘(V ))× V ) → N to compute the value of a concrete bit-vector k that represents the least upper bound of v in the interval domain Int is given in Alg. 1. The key idea of this algorithm is to instantiate single bits of v with true, starting with the most significant bit, and to repeatedly test satisfiability. Then, for instance, satisfiability of a formula ϕ_{∧ v[7] corresponds to the existence} of a model of ϕ such that _{hvi ≥ 128. If satisfiable, the least upper bound hki of hvi} is found in the interval [128, 255], and in [0, 127] otherwise. By instantiating the remaining bits of v one after another, the interval that contains _{hki is incrementally} refined using binary search. Given a bit-vector v = (v[0], . . . , v[w_{− 1]) of length w,} this strategy requires w calls to a SAT solver to compute hki exactly since Boolean formulae are discrete.

Proposition 3.1. Alg. 1 computes the least upper bound of_{hvi subject to ϕ, formally} maximum(ϕ, v) = max_{{u | u ∈ [0, 2}w−1] and ϕ_{∧ (hvi = u) is satisfiable}.}

3.1 Block-Level Abstraction

Algorithm 1 maximum: (℘(℘(V ))_{× V ) → N} Input: formula ϕ_{∈ ℘(℘(V ))}

Input: bit-vector v = (v[0], . . . , v[w− 1]) ∈ V

Output: least upper bound_{hki ∈ N of v subject to ϕ}

1: k_{← hi} 2: while |k| < w do 3: if ϕ_{∧ v[w − 1 − |k|] is satisfiable then} 4: ϕ_{← ϕ ∧ v[w − 1 − |k|]} 5: k← h1i : k 6: else 7: ϕ_{← ϕ ∧ ¬v[w − 1 − |k|]} 8: k← h0i : k 9: end if 10: end while 11: return _hki

The algorithm is adapted to greatest lower bounds of _{hvi as follows. Swap the} occurrences of v[w−1−|k|] and ¬v[w−1−|k|], and likewise swap (1) and (0) in lines 5 and 8 of Alg. 1. We denote this modified procedure minimum : (℘(℘(V ))_{×V ) → N.} Both procedures can be adapted to compute extremal values of signed bit-vectors, too; in that case, the most significant bit, which represents the sign, needs to be handled properly (cp. [21, Sect. 3]).

Definition 3.4. Let ϕ_{∈ ℘(℘(V )) denote a formula over V = {v}1, . . . , vn}. We

define the interval abstraction αint : (℘(℘(V ))× V ) → Int of v ∈ V subject to ϕ as:

αint(ϕ, v) = [minimum(ϕ, v), maximum(ϕ, v)]

We present an example to highlight the internal steps of αint.

Example 3.2. Consider ϕ over y = (y[0], . . . , y[5]) defined as: ϕ =



(_{¬y[1] ∨ y[5]) ∧ (¬y[2] ∨ ¬y[5]) ∧ (y[4] ∨ y[5]) ∧ (y[2] ∨ ¬y[4])∧} (y[3]_{∨ ¬y[5]) ∧ (y[0] ∨ y[5]) ∧ (¬y[0] ∨ ¬y[1]) ∧ (¬y[3] ∨ y[5])} Clearly _{hyi ∈ [0, 63], and hence hki ∈ [0, 63]. To find a least upper bound hki of hyi} subject to ϕ, we apply Alg. 1. In the first iteration, we test ϕ_{∧ y[5] for satisfiability,} which corresponds to searching for a model of ϕ such that hyi ≥ 32; since satisfiable, we deduce _{hki ∈ [32, 63]. In the second iteration, we test ϕ ∧ y[5] ∧ y[4] for} satisfiability. From unsatisfiability, we infer a range [32, 47] for _{hki. After four more} iterations, we find the concrete value hki = 25_{+ 2}3_{+ 2}1_{= 42. The overall progress of}

the algorithm applied to ϕ is highlighted in Fig. 3.2. Applying the converse algorithm to compute the minimum of _{hyi yields 22, which entails α}int(ϕ, y) = [22, 42].

3 Control Flow Reconstruction using Boolean Logic 3.1 Block-Level Abstraction 0 63 0 32 63 0 32 47 63 0 40 47 63 0 40 43 63 0 42 43 63 0 42 63

Figure 3.2: Progress of least upper computation in Ex. 3.1

�l� and �u� for �v� are computed using minimization and maximization as given in Alg. 1, and we set S = {�l�, . . . , �u�}. In a second iteration, an over-approximate range of �v� described by ¬ψ is computed; this range is removed from the value-set S. The third iteration again extends S, etc. until the result stabilizes.

Proposition 3.2. Alg. 2 computes the least abstraction of �v� subject to ϕ:

α_val(ϕ, v) ={v | v ∈ [0, 2w− 1] and ϕ ∧ (�v� = v) is satisfiable}

The most significant difference of Alg. 2 compared to Barrett and King [18, Sect. 3] is found in line 3. Here, the input formula ϕ is projected onto v to given ψ using the projection scheme introduced in the previous chapter. Projection sidesteps the requirement of the original algorithm that ϕ ranges over v only.

Example 3.2. To illustrate, consider again ϕ defined as in Ex. 3.1. In the first iteration of Alg. 2, we obtain �l� = 22 and �u� = 42, which gives S = {22, . . . , 42}. Then, in the second iteration, the formula ¬ϕ restricted to �l� ≤ �y� ≤ �u� is

analyzed to give new bounds 23 and 39, which updates S as S \ {23, . . . , 39} = {22, 40, 41, 42}. Further restricting ϕ yields an unsatisfiable formula, and thus, the output is αval(ϕ, y) ={22, 40, 41, 42}.

Figure 3.2: Progress of least upper computation in Ex. 3.2

Value Set Abstraction

The (unsigned) value set domain consists of (possibly non-contiguous) subsets of {0, . . . , 2w_{− 1} for each bit-vector v, with a partial order induced by the ⊆-relation.}

Definition 3.5. Let Zw ={0, . . . , 2w− 1}. Then, (Val, vval) with Val = ℘(Zw) and

a_vval b⇔ a ⊆ b is called the value set abstract domain.

The join_tval : (Val× Val) → Val of two value sets can straightforwardly be defined

as the union of sets, likewise for the meet uval : (Val× Val) → Val. A procedure

to compute value sets of v rather than intervals is given in Alg. 2. The procedure takes as input a formula ϕ_{∈ ℘(℘(V )) and a bit-vector v ∈ V . As a preprocessing} step, ϕ is projected on v using existential quantifier elimination (line 3 in Alg. 2). Projection thus yields a formula ψ_{∈ ℘(℘({v})). Then, to compute the value sets} of v, the algorithm alternates between over- and under-approximations. First, lower and upper bounds ` and u for hvi are computed using minimization and maximization as given in Alg. 1, and we set S =<sub>{`, . . . , u}. In a second iteration, an</sub> over-approximate range of _{hvi described by ¬ψ is computed; this range is removed} from S. The third iteration again extends S, etc. until the result stabilizes.

Proposition 3.2. Alg. 2 computes the least value set abstraction of _{hvi subject to} ϕ, i.e., αval(ϕ, v) ={v | v ∈ [0, 2w− 1] and ϕ ∧ (hvi = v) is satisfiable}.

3.1 Block-Level Abstraction

Algorithm 2 αval: (℘(℘(V ))× V ) → Val

1: S _{← ∅}

2: p← true

3: ψ_{← project(ϕ, v)}

4: `_{← 0}

5: u← 2w_{− 1}

6: while _{hli < hui do}

7: `<sub>← minimum(ψ ∧ (` ≤ hvi), v)</sub>

8: u← maximum(ψ ∧ (hvi ≤ u), v)

9: if p then 10: S<sub>← S ∪ {`, . . . u}</sub> 11: else 12: S← S \ {`, . . . u} 13: end if 14: ψ← ¬ψ 15: p← ¬p 16: end while 17: return S

The difference of Alg. 2 compared to [21, Sect. 3] is found in line 3. Here, ϕ is projected onto v to give ψ. To illustrate the difference, let bV = V _{\ {v}. In general,} c such that c|= (∃ bV : ϕ∧ ∃ bV :¬ϕ) may exist, hence the need to operate on ∃ bV : ϕ and _{¬(∃ b}V : ϕ) since c _{|= ∃ b}V : ϕ iff c_{6|= ¬∃ b}V : ϕ. Projection ensures progress of Alg. 2 in each iteration, and thus sidesteps the requirement V =_{{v} of the original} algorithm.

Example 3.3. Consider ϕ defined as in Ex. 3.2. In the first iteration of Alg. 2, we obtain ` = 22 and u = 42, which gives S = {22, . . . , 42}. Then, the formula ¬ψ restricted to ` ≤ hyi ≤ u is analyzed to give bounds 23 and 39, and we update S to give S\ {23, . . . , 39} = {22, 40, 41, 42}. A further restriction of ϕ yields an unsatisfiable formula, and thus, the output is αval(ϕ, y) ={22, 40, 41, 42}.