Equations
Instances For
Equations
Instances For
Equations
Instances For
Equations
Instances For
Instances For
Instances For
Instances For
msb #
cast #
toInt/ofInt #
sle/slt #
setWidth, zeroExtend and truncate #
extractLsb #
Get the most significant bit after extractLsb'. With extractLsb', we extract
a BitVec len x' with length len from BitVec w x, starting from the
element at position start. The function getMsb extracts a bit counting from
the most significant bit. Assuming certain conditions,
(@extractLsbD' w x start len).getMsbD i is equal to
@getMsbD w x (w - (start + len - i)).
Example (w := 10, start := 3, len := 4):
                            |---| = w - (start + len) = 3
                                  |start + len|       = 7
                                        |start|       = 3
                                  | len |             = 4
let x = 9 8 7 6 5 4 3 2 1 0 let x' = x.extractLsb' 3 4 = 6 5 4 3 | | | x'.getMsbD 1 = x.getMsbD (i := w - (start + len - i) = 10 - (3 + 4 - 1) = 4) | x'.getMsbD 0 = x.getMsbD (i := w - (start + len - i) = 10 - (3 + 4 - 0) = 3)
Condition 1: i < len #
The index i must be within the range of len.
Condition 2: start + len - i ≤ w #
If start + len is larger than w, the high bits at i with w ≤ i are filled with 0,
meaning that getMsbD[i] = false for these i.
If i is large enough, getMsbD[i] is again within the bounds x.
The precise condition is:
start + len - i ≤ w
Example (w := 10, start := 7, len := 5):
                                |= w - (start + len)    = 0
                            |      start + len    |     = 12
                                    |    start    |     = 7
                            |  len  |                   = 5
let x = 9 8 7 6 5 4 3 2 1 0 let x' = x.extractLsb' 7 5 = _ _ 9 8 7 | | | x'.getMsbD (i := 2) = | x.getMsbD (i := w - (start + len - i) = 10 - (7 + 5 - 2)) = | x.getMsbD 0 | ✅ start + len - i ≤ w | 7 + 5 - 2 = 10 ≤ 10 | x'.getMsbD (i := 0) = x.getMsbD (i := w - (start + len - i) = 10 - (7 + 5 - 0)) = x.getMsbD (i := w - (start + len - i) = x.getMsbD (i := -2) -- in Nat becomes 0 ❌ start + len - i ≤ w 7 + 5 - 0 ≤ w
Extracting all the bits of a bitvector is an identity operation.
allOnes #
or #
and #
xor #
not #
Equations
Instances For
Negating x and then extracting [start..start+len) is the same as extracting and then negating,
as long as the range [start..start+len) is in bounds.
See that if the index is out-of-bounds, then extractLsb will return false,
which makes the operation not commute.
Negating x and then extracting [lo:hi] is the same as extracting and then negating.
For the extraction to be well-behaved,
we need the range [lo:hi] to be a valid closed interval inside the bitvector:
- lo ≤ hifor the interval to be a well-formed closed interval.
- hi < w, for the interval to be contained inside the bitvector.
cast #
shiftLeft #
shiftLeft reductions from BitVec to Nat #
ushiftRight #
Unsigned shift right by at least one bit makes the interpretations of the bitvector as an Int or Nat agree,
because it makes the value of the bitvector less than or equal to 2^(w-1).
In the case when n = 0, then the shift right value equals the integer interpretation.
ushiftRight reductions from BitVec to Nat #
sshiftRight #
If the msb is true, the arithmetic shift right equals negating,
then logical shifting right, then negating again.
The double negation preserves the lower bits that have been shifted,
and the outer negation ensures that the high bits are '1'.
The msb after arithmetic shifting right equals the original msb.
sshiftRight reductions from BitVec to Nat #
signExtend #
The sign extension is a bitwise not, followed by a zero extend, followed by another bitwise not
when msb = true. The double bitwise not ensures that the high bits are '1',
and the lower bits are preserved.
Sign extending to a width smaller than the starting width is a truncation.
Sign extending to the same bitwidth is a no op.
Sign extending to a larger bitwidth depends on the msb.
If the msb is false, then the result equals the original value.
If the msb is true, then we add a value of (2^v - 2^w), which arises from the sign extension.
If the current width w is smaller than the extended width v,
then the value when interpreted as an integer does not change.
Interpreting the sign extension of (x : BitVec w) to width v
computes x % 2^v (where % is the balanced mod). See toInt_signExtend for a version stated
in terms of toInt instead of toNat.
append #
A (x : BitVec v) set to width w equals (v - w) zeros,
followed by the low (min v w) bits of x`
Combine adjacent extractLsb' operations into a single extractLsb'.
Combine adjacent ~~~ (extractLsb _)' operations into a single ~~~ (extractLsb _)'.
A sign extension of x : BitVec w equals high bits of either 0 or 1 depending on x.msb,
followed by the low bits of x.
A sign extension of x : BitVec w to a larger bitwidth v ≥ w
equals high bits of either 0 or 1 depending on x.msb, followed by x.
The 'master theorem' for extracting bits from (xhi ++ xlo),
which performs a case analysis on the start index, length, and the lengths of xlo, xhi.
· If the start index is entirely out of the xlo bitvector, then grab the bits from xhi.
· If the start index is entirely contained in the xlo bitvector, then grab the bits from xlo.
· If the start index is split between the two bitvectors,
then append (w - start) bits from xlo with (len - (w - start)) bits from xhi.
Diagramatically:
               xhi                      xlo
        (<---------------------](<-------w--------]
start+len..start:  (<-----len---*------]
w - start:                      *------*
len - (w -start):  *------------*
rev #
cons #
concat #
shiftConcat #
add #
sub/neg #
Equations
Instances For
Equations
Instances For
add self #
fill #
mul #
pow #
le and lt #
udiv #
umod #
smtUDiv #
sdiv #
Given the definition of ediv/emod for signed integer division (https://dl.acm.org/doi/pdf/10.1145/128861.128862)
we have that for two integers x and y: x/y = q ↔ x.ediv y = q ↔ r = x.emod y
and in particular: -1/y = q ↔ -1.ediv y = q ↔ r = -1.emod y.
from which it follows that:
(-1)/0 = 0
(-1)/y = -1 when 0 < y
(-1)/(-5) = 1 when y < 0
smtSDiv #
srem #
smod #
Equation theorem for smod in terms of umod.
ofBoolList #
Instances For
Rotate Left #
rotateLeft is invariant under mod by the bitwidth.
rotateLeft equals the bit fiddling definition of rotateLeftAux when the rotation amount is
smaller than the bitwidth.
Accessing bits in x.rotateLeft r the range [0, r) is equal to
accessing bits x in the range [w - r, w).
Proof by example: Let x := <6 5 4 3 2 1 0> : BitVec 7. x.rotateLeft 2 = (<6 5 | 4 3 2 1 0>).rotateLeft 2 = <3 2 1 0 | 6 5>
(x.rotateLeft 2).getLsbD ⟨i, i < 2⟩ = <3 2 1 0 | 6 5>.getLsbD ⟨i, i < 2⟩ = <6 5>[i] = <6 5 | 4 3 2 1 0>[i + len(<4 3 2 1 0>)] = <6 5 | 4 3 2 1 0>[i + 7 - 2]
Accessing bits in x.rotateLeft r the range [r, w) is equal to
accessing bits x in the range [0, w - r).
Proof by example: Let x := <6 5 4 3 2 1 0> : BitVec 7. x.rotateLeft 2 = (<6 5 | 4 3 2 1 0>).rotateLeft 2 = <3 2 1 0 | 6 5>
(x.rotateLeft 2).getLsbD ⟨i, i ≥ 2⟩ = <3 2 1 0 | 6 5>.getLsbD ⟨i, i ≥ 2⟩ = <3 2 1 0>[i - 2] = <6 5 | 3 2 1 0>[i - 2]
Intuitively, grab the full width (7), then move the marker | by r to the right (-2)
Then, access the bit at i from the right (+i).
Instances For
Instances For
Rotate Right #
Accessing bits in x.rotateRight r the range [0, w-r) is equal to
accessing bits x in the range [r, w).
Proof by example: Let x := <6 5 4 3 2 1 0> : BitVec 7. x.rotateRight 2 = (<6 5 4 3 2 | 1 0>).rotateRight 2 = <1 0 | 6 5 4 3 2>
(x.rotateLeft 2).getLsbD ⟨i, i ≤ 7 - 2⟩ = <1 0 | 6 5 4 3 2>.getLsbD ⟨i, i ≤ 7 - 2⟩ = <6 5 4 3 2>.getLsbD i = <6 5 4 3 2 | 1 0>[i + 2]
Accessing bits in x.rotateRight r the range [w-r, w) is equal to
accessing bits x in the range [0, r).
Proof by example: Let x := <6 5 4 3 2 1 0> : BitVec 7. x.rotateRight 2 = (<6 5 4 3 2 | 1 0>).rotateRight 2 = <1 0 | 6 5 4 3 2>
(x.rotateLeft 2).getLsbD ⟨i, i ≥ 7 - 2⟩ = <1 0 | 6 5 4 3 2>.getLsbD ⟨i, i ≤ 7 - 2⟩ = <1 0>.getLsbD (i - len(<6 5 4 3 2>) = <6 5 4 3 2 | 1 0> (i - len<6 4 4 3 2>)
rotateRight equals the bit fiddling definition of rotateRightAux when the rotation amount is
smaller than the bitwidth.
rotateRight is invariant under mod by the bitwidth.
When the (i+1)th bit of x is true,
keeping the lower (i + 1) bits of x equalsk eeping the lower i bits
and then performing bitwise-or with twoPow i = (1 << i),
intMin #
The bitvector of width w that has the smallest value when interpreted as an integer.
Equations
- BitVec.intMin w = BitVec.twoPow w (w - 1)
Instances For
intMax #
The bitvector of width w that has the largest value when interpreted as an integer.
Equations
- BitVec.intMax w = BitVec.twoPow w (w - 1) - 1
Instances For
Non-overflow theorems #
neg #
abs #
The absolute value of x : BitVec w, interpreted as an integer, is a case split:
- When x = intMin w, thenx.abs = intMin w
- Otherwise, x.abs.toIntequals the absolute value (x.toInt.natAbs).
This is a simpler version of BitVec.toInt_abs_eq_ite, which hides a case split on x.msb.
Reverse #
Decidable quantifiers #
Equations
- BitVec.instDecidableForallBitVecSucc P = decidable_of_iff' (∀ (x : Bool) (v : BitVec n), P (BitVec.cons x v)) ⋯
Equations
- BitVec.instDecidableExistsBitVecSucc P = decidable_of_iff (¬∀ (v : BitVec (n + 1)), ¬P v) ⋯
For small numerals this isn't necessary (as typeclass search can use the above two instances),
but for large numerals this provides a shortcut.
Note, however, that for large numerals the decision procedure may be very slow,
and you should use bv_decide if possible.
Equations
For small numerals this isn't necessary (as typeclass search can use the above two instances), but for large numerals this provides a shortcut. Note, however, that for large numerals the decision procedure may be very slow.