

# Copyright ©: Lemma 1 Ltd 2016

Lemma 1 Ltd. 27, Brook St. Twyford Berks RG10 9NX

# SMT-LIB in Z

#### Abstract

This document specifies models of the theories of SMT-LIB in the Z notation.

Version: 56bcb6f

Date: 15 May 2016

Reference: LEMMA1/ZSMTLIB/01

Pages: 21

Prepared by: R.D. Arthan
Tel: +44 7947 030 682
E-Mail: rda@lemma-one.com



| 0.           | 1                                            | Contents                                |                                 |
|--------------|----------------------------------------------|-----------------------------------------|---------------------------------|
|              | 0.1<br>0.2<br>0.3<br>0.4                     | Changes History                         | 2<br>3<br>3<br>3                |
| 1            | IN'                                          | TRODUCTION                              | 4                               |
| 2            | TH<br>2.1<br>2.2<br>2.3<br>2.4<br>2.5<br>2.6 | Reals                                   | 4<br>5<br>7<br>8<br>8<br>9<br>9 |
| 3            | <b>TH</b> 3.1                                | IE SMT-LIB LOGICS Bit Vector Extensions | <b>13</b><br>13                 |
| 4            | IN                                           | DEX                                     | 19                              |
| $\mathbf{A}$ | so                                           | ME PROOFS                               | 21                              |

 $\sigma$ 

#### 0.2 References

- [1] Definitions of the SMT-LIB Logics. http://smtlib.cs.uiowa.edu/logics.shtml.
- [2] Definitions of the SMT-LIB Theories. http://smtlib.cs.uiowa.edu/theories.shtml.
- [3] Clark Barrett, Leonardo Mendonça de Moura, Silvio Ranise, Aaron Stump, and Cesare Tinelli. The SMT-LIB Initiative and the Rise of SMT (HVC 2010 Award Talk). In Sharon Barner, Ian G. Harris, Daniel Kroening, and Orna Raz, editors, Hardware and Software: Verification and Testing 6th International Haifa Verification Conference, HVC 2010, Haifa, Israel, October 4-7, 2010. Revised Selected Papers, volume 6504 of Lecture Notes in Computer Science, page 3. Springer, 2010.
- [4] Clark Barrett, Pascal Fontaine, and Cesare Tinelli. The SMT-LIB Standard: Version 2.5. Technical report, Department of Computer Science, The University of Iowa, 2015. Available at www.SMT-LIB.org.
- [5] International Standards Organisation. Information Technology Z Formal Specification Notation Syntax, Type System and Semantics. ISO/IEC 13568:2002.
- [6] J.M. Spivey. The Z Notation: A Reference Manual, Second Edition. Prentice-Hall, 1992.

## 0.3 Changes History

**2016/04/16** Initial draft.

2016/05/13 First commit to the ProofPower contrib repository.

#### 0.4 Distribution

Rob Arthan Lemma 1 Colin O'Halloran D-RisQ

ProofPower Repo https://github.com/RobArthan/pp-contrib

# 1 INTRODUCTION

This document gives a model written in the Z notation of each of the theories defined by the SMT-LIB standard version 2.5 [4, 2, 1]. This model was developed by Lemma 1 primarily to assist D-RisQ in reasoning about programming language datatypes that are modelled in Z and mapped into SMT-LIB to check assertions using and SMT solver. The model is made freely available to the Formal Methods community and comments are invited.

See [3] for an overview of SMT-LIB and its aims. See [6] for details of the Z notation, but note that the specification in this document makes use of features introduced in the ISO Z standard [5], specifically, it uses schemas with empty declaration parts to represent booleans as first-order values.

This document has been prepared using the document preparation tools supplied with Proof-Power. It includes the ML commands required to type-check the Z and load it into a Proof-Power database. Some small experimental proofs have been carried out and are included in the source of this document, but are omitted from the typeset document.

Please note this is work in progress.

## 2 THE SMT-LIB THEORIES

First we give the ML commands that set up the theory hierarchy for the SMT-LIB theories. Theory names comprise the SMT-LIB theory name prefixed with  $ZS_{-}$ . The Core theory uses the Z Library up to and including the material on sequences. Sequences are used to represent functions that take two or more arguments.

The remaining theories depend on the Core theory and (in the case of *Reals\_Ints* other SMT-LIB theories). The ML commands to set up the theories are given in the following table.

| Theory                   | ML set-up commands                                                                              |  |  |
|--------------------------|-------------------------------------------------------------------------------------------------|--|--|
| Core                     | $open\_theory"z\_library"; \\ new\_theory"ZS\_Core";$                                           |  |  |
| Integer Numbers          | open_theory" ZS_Core"; new_theory" ZS_Ints"; new_parent" z_numbers";                            |  |  |
| Real Numbers             | open_theory" ZS_Core"; new_theory" ZS_Reals"; new_parent" z_reals";                             |  |  |
| Real and Integer Numbers | open_theory" ZS_Core"; new_theory" ZS_Reals_Ints"; new_parent" ZS_Reals"; new_parent" ZS_Ints"; |  |  |
| Arrays                   | $open\_theory"ZS\_Core"; \\ new\_theory"ZS\_ArraysEx";$                                         |  |  |
| Bit Vectors              | $open\_theory" ZS\_Core"; \\ new\_theory" ZS\_FixedSizeBitVectors";$                            |  |  |

#### 2.1 Core

```
|open\_theory"ZS\_Core";
```

Standard Z is a form of first-order typed set theory. While the ProofPower system that we use to type-check and reason about Z actually supports a higher-order extension of Z, we prefer to stay within Standard Z in this specification. We will use what turns out to be a very convenient way of representing truth values as first-order objects following an idea of Sam Valentine. This uses a special case of the labelled record types provided in Z and referred to as schema types. The elements of schema types are called bindings. Z provides a convenient notation for denoting arbitrary subsets of schema types. For example,  $[x, y : \mathbb{Z} \mid x < y]$  denotes the set of all bindings (x == a, y == b) where a < b. In this notation, the declarations to the right of the vertical bar are called the signature. As a special case, [|true|] denotes the total set of the schema type over the empty signature, which has just one element. The power set of this type then has two elements, which we use to represent the two truth values.

```
egin{aligned} & \mathbf{Z} \\ & \mathbf{Bool} == \mathbb{P} \; [|\mathit{true}] \end{aligned} \mathbf{True} == [|\mathit{true}] \mathbf{False} == [|\mathit{false}]
```

Z has built-in operators (referred to collectively as the schema calculus) that combine sets of bindings by combining the defining properties of the sets with logical connectives. This gives us a direct representation of the propositional connectives on our chosen representation of truth values.

```
Not: Bool \rightarrow Bool;
And, Or, Xor, Implies: Bool \rightarrow Bool \rightarrow Bool
\forall p: Bool \bullet \ Not \ p = (\lnot_s \ p);
\forall p, \ q: Bool \bullet \ And \ p \ q = (p \land_s \ q);
\forall p, \ q: Bool \bullet \ Or \ p \ q = (p \lor_s \ q);
\forall p, \ q: Bool \bullet \ Xor \ p \ q = (\lnot_s(p \Leftrightarrow_s \ q));
\forall p, \ q: Bool \bullet \ Implies \ p \ q = (p \Rightarrow_s \ q)
```

It is now very straightforward to define the chainable equality and pairwise distict predicates:

We define if-then-else by pattern-matching:

```
[A] = [A]
[TE : Bool \rightarrow A \rightarrow A \rightarrow A]
\forall x, y : A \bullet ITE \ True \ x \ y = x;
\forall x, y : A \bullet ITE \ False \ x \ y = y
```

## 2.2 Integer Numbers

The integers from the Z toolkit provide the representation for the theory of Integers.

```
| open\_theory "ZS\_Ints";
| Int == \mathbb{Z}
```

Note that (unlike Lisp) addition and multiplication are binary operators not operators on lists. Division and modulus are defined the same way in the ProofPower Z toolkit as they are in SMT-LIB, but Standard Z offers a different definition

```
| INeg, IAbs : Int \rightarrow Int; | ISub, IAdd, IMul, IDiv, IMod : Int \rightarrow Int \rightarrow Int | \forall X : Int \circ INeg \( x = \simeq x; \) | \forall x : Int \circ IAbs \( x = abs \) \( x; \) | <math>\forall x : Int \circ IAdd \( x \ y = x - y; \) | \forall x, y : Int \circ IAdd \( x \ y = x + y; \) | \forall x, y : Int \circ IMul \( x \ y = x * y; \) | \forall x, y : Int \circ \gamma y = 0 \circ 0 \leq IMod \( x \ y \rightarrow x \) | <math>\forall x, y : Int \circ \gamma y = 0 \circ x = (IDiv \( x \ y \)) * y + IMod \( x \ y \) | | <math>\forall x, y : Int \circ \gamma y = 0 \circ x = (IDiv \circ x \ y) * y + IMod \( x \ y \) | | <math>\forall x, y : Int \circ \gamma y = 0 \circ IDiv \( x \ y \) * y + IMod \( x \ y \) | | <math>\forall x : seq \circ Int \circ ILE \( s = [[\ \forall i, j : dom \( s \circ i < j \Rightarrow s \circ i < j \Rightarrow s \circ i < j \Rightarrow s \circ i \rightarrow s \cir
```

 $\forall n, i : Int \bullet Divisible \ n \ i = [| \exists q: Int \bullet \ i = q*n ]$ 

#### 2.3 Reals

SML

The ProofPower-Z library defines the real numbers as a separate type with the operators distinguished from those for the integers by a subscript.

```
| open_theory "ZS_Reals";

| Real == \mathbb{R}
| RNeg : Real \rightarrow Real; | RSub, RAdd, RMul, RDiv : Real \rightarrow Real \rightarrow Real |
| \forall x : Real \circ RNeg x = \sigma_R x; | \forall x, y : Real \circ RSub x y = x -_R y; | \forall x, y : Real \circ RAdd x y = x +_R y; | \forall x, y : Real \circ RMul x y = x *_R y; | \forall x, y : Real \circ RDiv x y = x /_R y |
| RLE, RLT, RGE, RGT : seq Real \rightarrow Bool |
| \forall x : seq Real \circ RLE s = [| \forall i, j : dom s \circ i < j \Rightarrow s \circ i <_R s j]; | \forall s : seq Real \circ RGE s = [| \forall i, j : dom s \circ i < j \Rightarrow s \circ i \rightarrow s \circ s \circ s \rightarrow s \circ s \rightarrow s \circ s \circ s \rightarrow s \circ s
```

#### 2.4 Reals\_Ints

```
ig| open\_theory "ZS\_Reals\_Ints";

ig| oldsymbol{ToReal} : Int 
ightarrow Real

ig| ToReal = real
```

# 2.5 ArraysEx

```
SML |open\_theory "ZS\_ArraysEx";

|Array[X, Y] == X \rightarrow Y

|X,Y| = X \rightarrow Y

|Select : Array[X, Y] \rightarrow X \rightarrow Y;
|Store : Array[X, Y] \rightarrow X \rightarrow Y \rightarrow Array[X, Y]

|\forall a : Array[X, Y]; x : X \bullet Select \ a \ x = a \ x;
|\forall a : Array[X, Y]; x : X; y : Y \bullet Store \ a \ x \ y = a \oplus \{x \mapsto y\}
```

#### 2.6 FixedSizeBitVectors

```
 \begin{array}{c|c} & \\ open\_theory & "ZS\_FixedSizeBitVectors"; \end{array}
```

We represent SMTLIB bit vectors as (non-empty) sequences of bits:

$$Bit == \{0, 1\}$$

The bit vectors of lengths  $1, 2, \ldots$  partition the set of all non-empty bit strings:

```
BitString == seq_1 \; Bit
BitVec : \mathbb{N}_1 \to \mathbb{P} \; BitString
\forall m : \mathbb{N}_1 \bullet \; BitVec \; m = \{b : BitString \mid \#b = m\}
```

Note that in SMTLIB, the length of a bit vector is always a statically known. So SMTLIB can and does impose static restrictions that we will have to model in Z by treating *BitVec* like a dependent subtype constructor.

We need some auxiliary functions to assist in defining the sequence operations. We need the function that converts a bit string into the natural number it represents (in binary, most-significant bit at the left):

```
\begin{vmatrix} BV2Nat : BitString \to \mathbb{N} \\ \\ \forall x : Bit \bullet \ BV2Nat \ \langle x \rangle = x; \\ \\ \forall x : Bit; \ b : BitString \bullet \ BV2Nat \ (b \ ^{\ } \langle x \rangle) = 2*BV2Nat \ b + x \end{vmatrix}
```

To define the conversion from natural numbers to bit vectors, we need natural number powers of integers. This may be defined already in later versions of ProofPower. The following ML defends against that:

```
SML |val = \mathbb{Z}(\widehat{\phantom{a}}) |val = \mathbb{Z}(\widehat{\phantom{
```

Now we can define the conversion from natural numbers to bit vectors of a given length. Note that the restriction  $BitVec\ m\ \lhd\ BV2Nat$  is a bijection between  $BitVec\ m$  and  $0\ ...\ 2\ \widehat{\ m\ }-1$  for any m.

We need the logical operations on bits:

```
\begin{vmatrix} \textbf{BitNot} : Bit \rightarrow Bit; \\ \textbf{BitAnd}, \textbf{BitOr} : Bit \rightarrow Bit \rightarrow Bit \\ \\ \forall x : Bit \bullet BitNot \ x = 1 - x; \\ \forall x, \ y : Bit \bullet BitAnd \ x \ y = x * y; \\ \forall x, \ y : Bit \bullet BitOr \ x \ y = x + y - x * y \end{vmatrix}
```

Concat: BitString  $\rightarrow$  BitString  $\rightarrow$  BitString  $\rightarrow$  BitString  $\forall b1, b2$ : BitString  $\bullet$  Concat  $b1 \ b2 = b1 \ b2$ 

SMTLIB indexes bit vectors from right-to-left starting at 0. Z sequences are indexed left to right starting at 1. Hence in a bit vector of length n, SMTLIB index i corresponds to Z index n-i.

```
 \begin{vmatrix} \textbf{\textit{Extract}} : \mathbb{N} \to \mathbb{N} \to \textit{BitString} & \rightarrow \textit{BitString} \\ \\ | \forall i, j : \mathbb{N} \bullet \\ | dom (\textit{Extract } i \ j) = \{b : \textit{BitString} \mid \#b > i \geq j\}; \\ | \forall i, j : \mathbb{N} \bullet \ \forall b : dom (\textit{Extract } i \ j) \bullet \\ | \textit{Extract } i \ j \ b = ((\#b - i) \ldots (\#b - j)) \mid b
```

For completeness, we define the binary bitwise logical operations on operands of mixed length to give a result that has the same length as the shorter operand. Mixed length operands are statically disallowed allowed in SMTLIB.

For the binary arithmetic operations on operands of mixed length we take the result to have the same length as the longer operand. Again, SMTLIB disallows mixed length operands statically. The treatment of zero divisors is just inhereited from the Z toolkit.

```
BVNeg: BitString → BitString;

BVAdd, BVMul, BVUdiv, BVUrem: BitString → BitString → BitString

\forall s: BitString \bullet \ let \ m == \#s \bullet

BVNeg \ s = Nat2BV \ m \ (2^m - BV2Nat \ s);

\forall s, t: BitString \bullet \ let \ m == max\{\#s, \#t\} \bullet

BVAdd \ s \ t = Nat2BV \ m \ (BV2Nat \ s + BV2Nat \ t);

\forall s, t: BitString \bullet \ let \ m == max\{\#s, \#t\} \bullet

BVMul \ s \ t = Nat2BV \ m \ (BV2Nat \ s \ div \ BV2Nat \ t);

\forall s, t: BitString \bullet \ let \ m == max\{\#s, \#t\} \bullet

BVUdiv \ s \ t = Nat2BV \ m \ (BV2Nat \ s \ div \ BV2Nat \ t);

\forall s, t: BitString \bullet \ let \ m == max\{\#s, \#t\} \bullet

BVUrem \ s \ t = Nat2BV \ m \ (BV2Nat \ s \ mod \ BV2Nat \ t)
```

For the shift operations on operands of mixed length we take the result to have the same length as the first operand. Again, SMTLIB disallows mixed length operands statically.

```
| BVShl, BVLshr : BitString \rightarrow BitString \rightarrow BitString | \\ \forall s, t : BitString \bullet \ let \ m == \#s \bullet \\ BVShl \ s \ t = Nat2BV \ m \ (BV2Nat \ s \ * 2^BV2Nat \ t); \\ \forall s, t : BitString \bullet \ let \ m == \#s \bullet \\ BVLshr \ s \ t = Nat2BV \ m \ (BV2Nat \ s \ div \ 2^BV2Nat \ t)
```

Finally we have the arithmetic comparison operator:

# 3 THE SMT-LIB LOGICS

In this section, we give Z models that support the restrictions and extensions to the various theories that are defined to the SMT-LIB logics.

The ML commands to set up the theories for the logics are given in the following table.

| Theory            | ML set-up commands                                                           |
|-------------------|------------------------------------------------------------------------------|
| Bit Vector Logics | $open\_theory"ZS\_FixedSizeBitVectors"; \\ new\_theory"ZS\_BV\_Extensions";$ |

#### 3.1 Bit Vector Extensions

```
|open\_theory "ZS\_BV\_Extensions";
```

Note that the family of new constans  $(\_bvX n)$  for numerals X and n introduced in the BV logic is implemented by the constant Nat2BV that is already defined in our model of the fixed length bit vector theory.

The four additional bitwise logical operations are defined in terms of basic ones just as in the SMT-LIB definition.

```
\begin{array}{|c|c|c|c|c|c|c|c|} \hline \textbf{BVNand}, \ \textbf{BVNor}, \ \textbf{BVXor}, \ \textbf{BVXnor} : BitString \rightarrow BitString \rightarrow BitString \\ \hline \\ \forall s, \ t : BitString \bullet \ BVNand \ s \ t = BVNot \ (BVAnd \ s \ t); \\ \forall s, \ t : BitString \bullet \ BVNor \ s \ t = BVNot \ (BVOr \ s \ t); \\ \forall s, \ t : BitString \bullet \ BVXor \ s \ t = BVOr \ (BVAnd \ s \ (BVNot \ t)) \ (BVAnd \ (BVNot \ s) \ t); \\ \forall s, \ t : BitString \bullet \ BVXnor \ s \ t = BVOr \ (BVAnd \ s \ t) \ (BVAnd \ (BVNot \ s) \ (BVNot \ t)) \end{array}
```

We define the comparison operator in terms of equality rather than recursively. This extends the operation to operands of non-equal length so as to return #b0.

Subtraction is defined in terms of addition and 2s complement negation just as in the SMT-LIB definition.

The definitions of the other signed arithmetic operators are a little clearer in Z if we extract the sign bit using sequence indexing rather than *Extract* and if we use Z if-then-else rather than *ITE*.

The SMT-LIB sdiv operator is 2s-complement signed division truncating towards 0. It is defined by cases on the signs of the operands using negation and unsigned division. The definition is equivalent to the following:

```
s \operatorname{sdiv} t = \operatorname{sgn}(s) \cdot \operatorname{sgn}(t) \cdot (\operatorname{abs}(s) \operatorname{udiv} \operatorname{abs}(t)).
```

In m-bit 2s-complement arithmetic,  $s \operatorname{sdiv} t$  gives the correct signed result except (i) when t = 0, in which case the result is unspecified, and (ii) when  $s = -2^{m-1}$  and t = -1, in which case the result is  $-2^{m-1}$  (i.e., the absolute value is correct, but the sign is wrong).

```
| \textbf{BVSdiv} : BitString \rightarrow BitString \rightarrow BitString | \\ \forall s, \ t : BitString \bullet BVSdiv \ s \ t = \\ (let \ msb\_s = = s \ 1; \ msb\_t = = t \ 1 \bullet \\ if \ msb\_s = 0 \land msb\_t = 0 \\ then \ BVUdiv \ s \ t \\ else \ if \ msb\_s = 1 \land msb\_t = 0 \\ then \ BVNeg \ (BVUdiv \ (BVNeg \ s) \ t) \\ else \ if \ msb\_s = 0 \land msb\_t = 1 \\ then \ BVNeg \ (BVUdiv \ s \ (BVNeg \ t)) \\ else \ BVUdiv \ (BVNeg \ s) \ (BVNeg \ t))
```

The SMT-LIB srem operator is signed remainder with sign following the dividend. The definition is equivalent to the following:

```
s \operatorname{srem} t = \operatorname{sgn}(s) \cdot (\operatorname{abs}(s) \operatorname{urem abs}(t)).
```

If T=0 this is undefined, otherwise when t is an m-bit 2s-complement number,  $0 \le \mathsf{abs}(s) \mathsf{urem} \, \mathsf{abs}(t) < \mathsf{abs}(t) \le 2^{m-1}$ , hence the multiplication by  $\mathsf{sgn}(s)$  will not overflow in m-bit arithmetic.

The operators sdiv and srem satisfy the following identities:

```
\begin{aligned} \mathsf{abs}(s\,\mathsf{srem}\,t) &\leq \mathsf{abs}(t) &\quad \mathsf{provided}\,\,t \neq 0 \\ s &= (s\,\mathsf{sdiv}\,t) * t + s\,\mathsf{srem}\,t &\quad \mathsf{provided}\,\,t \neq 0 \;\mathrm{and}\,\,(s,t) \neq (-2^{m-1},-1). \end{aligned}
```

```
| \textbf{BVSrem} : \textit{BitString} \rightarrow \textit{BitString} \rightarrow \textit{BitString} 
| \forall s, t : \textit{BitString} \bullet \textit{BVSrem } s \ t = \\ (\textit{let} \quad \textit{msb\_s} = = s \ 1; \ \textit{msb\_t} = = t \ 1 \bullet \\ if \quad \textit{msb\_s} = 0 \land \textit{msb\_t} = 0 \\ then \quad \textit{BVUrem } s \ t \\ else \ \textit{if } \textit{msb\_s} = 1 \land \textit{msb\_t} = 0 \\ then \quad \textit{BVNeg } (\textit{BVUrem } (\textit{BVNeg } s) \ t) \\ else \ \textit{if } \textit{msb\_s} = 0 \land \textit{msb\_t} = 1 \\ then \quad \textit{BVUrem } s \ (\textit{BVNeg } t) \\ else \quad \textit{BVNeg} (\textit{BVUrem } (\textit{BVNeg } s) \ (\textit{BVNeg } t)))
```

The SMT-LIB smod operator is signed remainder with sign following the divisor. The definition is equivalent to the following:

$$s \operatorname{smod} t = s - |s/t| \cdot t$$
.

This is defined by cases in such a way as to give the correct result in 2s-complement arithmetic except when t = 0, in which case the result is undefined.

```
BVSmod: BitString \rightarrow BitString \rightarrow BitString
\forall s, t : BitString \bullet BVSmod \ s \ t =
               msb\_s == s 1; msb\_t == t 1 \bullet
       (let
               abs\_s == if \ msb\_s = 0 \ then \ s \ else \ BVNeg \ s;
        let
               abs_t = if \ msb_t = 0 \ then \ t \ else \ BVNeq \ t \bullet
               u == BVUrem \ abs\_s \ abs\_t \bullet
        let
                    u = Nat2BV (\#s) \theta
               if
               then u
               else if msb\_s = 0 \land msb\_t = 0
               then u
               else if msb\_s = 1 \land msb\_t = 0
               then BVAdd (BVNeq u) t
               else if msb\_s = 0 \land msb\_t = 1
               then \quad BVAdd \ u \ t
                       BVNeq u
               else
```

Unsigned less-than is already defined in the fixed size bit vector theory. The bit vector extensions add the three unsigned comparison operators.

```
 \begin{vmatrix} \textbf{BVULE}, \ \textbf{BVUGT}, \ \textbf{BVUGE} : BitString \rightarrow BitString \rightarrow Bool \\ | \forall s, \ t : BitString \bullet \ BVULE \ s \ t = [| \ BV2Nat \ s \leq BV2Nat \ t]; \\ | \forall s, \ t : BitString \bullet \ BVULE \ s \ t = [| \ BV2Nat \ s > BV2Nat \ t]; \\ | \forall s, \ t : BitString \bullet \ BVULE \ s \ t = [| \ BV2Nat \ s \geq BV2Nat \ t]
```

The BV logic extensions give the four signed comparison operators.

z

```
BVSLT, BVSLE, BVSGT, BVSGE: BitString \rightarrow BitString \rightarrow Bool
```

```
\forall s,\ t: BitString \bullet\ BVSLT\ s\ t = [|
s\ 1 = 1 \land t\ 1 = 0
\lor \quad s\ 1 = t\ 1 \land\ BV2Nat\ s < BV2Nat\ t];
\forall s,\ t: BitString \bullet\ BVSLT\ s\ t = [|
s\ 1 = 1 \land t\ 1 = 0
\lor \quad s\ 1 = t\ 1 \land\ BV2Nat\ s \leq BV2Nat\ t];
\forall s,\ t: BitString \bullet\ BVSGT\ s\ t = BVSLT\ t\ s;
\forall s,\ t: BitString \bullet\ BVSGE\ s\ t = BVSLE\ t\ s
```

The SMT-LIB operator ashr is an arithmetic right shift, i.e., it shifts in copies of the sign-bit from the left. (Note that left shifts are the same for signed and unsigned arithmetic.)

```
 \begin{vmatrix} \textbf{BVAshr} : BitString \rightarrow BitString \\ \\ \forall s, \ t : BitString \bullet \ BVAshr \ s \ t = \\ \\ if \ s \ 1 = 0 \ then \ BVLshr \ s \ t \ else \ BVNot \ (BVLshr \ (BVNot \ s) \ t) \\ \end{vmatrix}
```

The repeat operator replicates a bit vector a specified number of times. We define this using indexing rather than recursion.

The zero extension operator pads a bit vector on the left with a specified number of zeroes.

```
BVZeroExtend: \mathbb{N} 	o BitString 	o BitString
\forall i: \mathbb{N}; \ t: BitString ullet BVZeroExtend \ i \ t = ((1 ... i) 	imes \{0\}) \ ^t
```

Z

# $BVRotateLeft,\ BVRotateRight: \mathbb{N} ightarrow \textit{BitString} ightarrow \textit{BitString}$

 $\forall i : \mathbb{N}; \ t : BitString \bullet$ 

 $BVRotateLeft \ i \ t = (((i + 1) .. \#t) \upharpoonright t) \cap ((1 .. i) \upharpoonright t);$ 

 $\forall i : \mathbb{N}; \ t : BitString \bullet$ 

 $BVRotateRight \ i \ t = (((\#t - i + 1) \dots \#t) \upharpoonright t) \cap ((1 \dots (\#t - i)) \upharpoonright t)$ 

# 4 INDEX

| $And \dots \dots \dots \dots$                                                                                             | 6  | <i>IAbs</i>                                                                                                              | 7  |
|---------------------------------------------------------------------------------------------------------------------------|----|--------------------------------------------------------------------------------------------------------------------------|----|
| BitAnd                                                                                                                    | 11 | $IAdd \dots $      | 7  |
| BitNot                                                                                                                    | 11 | IDiv                                                                                                                     | 7  |
| BitOr                                                                                                                     | 11 | <i>IGE</i>                                                                                                               | 7  |
| BitVec                                                                                                                    | 10 | <i>IGT</i>                                                                                                               | 7  |
| Bool                                                                                                                      | 6  | ILE                                                                                                                      | 7  |
| BV2Nat                                                                                                                    | 10 | <i>ILT</i>                                                                                                               | 7  |
| $BVAdd\dots$                                                                                                              | 12 | <i>IMod</i>                                                                                                              | 7  |
| BVAnd                                                                                                                     | 12 | <i>Implies</i>                                                                                                           | 6  |
| $BVAshr\dots$                                                                                                             | 17 | IMul                                                                                                                     | 7  |
| $BVComp \dots \dots \dots$                                                                                                | 14 | $INeg \dots \dots$ | 7  |
| $\overline{BVLshr}$                                                                                                       | 13 | Int                                                                                                                      |    |
| BVMul                                                                                                                     | 12 | IsInt                                                                                                                    | 9  |
| $BVN and \dots \dots \dots$                                                                                               | 14 | ISub                                                                                                                     |    |
| BVNeg                                                                                                                     | 12 | <i>ITE</i>                                                                                                               | 6  |
| BVNor                                                                                                                     | 14 | Nat2BV                                                                                                                   | 11 |
| $BVNot \dots \dots BVNot \dots$                                                                                           | 12 | Not                                                                                                                      | 6  |
| $BVOr \dots \dots \dots \dots \dots$                                                                                      | 12 | <i>Or</i>                                                                                                                | 6  |
| BVRepeat                                                                                                                  | 17 | RAdd                                                                                                                     | 8  |
| $BVRotateLeft \dots BVRotateLeft \dots$                                                                                   | 18 | $RDiv \dots \dots$ |    |
| BVRotateRight                                                                                                             | 18 | Real                                                                                                                     | 8  |
| BVSdiv                                                                                                                    | 15 | $RGE \dots \dots$  | 8  |
| $BVSGE \dots \dots BVSGE \dots$                                                                                           | 17 | $RGT \dots \dots$  | 8  |
| BVSGT                                                                                                                     | 17 | RLE                                                                                                                      | 8  |
| BVShl                                                                                                                     | 13 | <i>RLT</i>                                                                                                               | 8  |
| BVSLE                                                                                                                     | 17 | $RMul \dots \dots$ | 8  |
| BVSLT                                                                                                                     | 17 | $RNeg \dots \dots$ | 8  |
| BVSmod                                                                                                                    | 16 | RSub                                                                                                                     | 8  |
| BVSrem                                                                                                                    | 15 | Select                                                                                                                   | 9  |
| BVSub                                                                                                                     | 14 | <i>Store</i>                                                                                                             | 9  |
| BVUdiv                                                                                                                    | 12 | <i>ToInt</i>                                                                                                             | 9  |
| $BVUGE\dots$                                                                                                              | 16 | <i>ToReal</i>                                                                                                            | 8  |
| BVUGT                                                                                                                     | 16 | <i>True</i>                                                                                                              | 6  |
| $BVULE \dots \dots$ | 16 | <i>Xor</i>                                                                                                               | 6  |
| BVULT                                                                                                                     | 13 | $zs\_bool\_def$                                                                                                          | 21 |
| $BVUrem \dots BVUrem \dots$                                                                                               | 12 | $zs\_bool\_true\_false\_thm \dots$                                                                                       | 21 |
| BVXnor                                                                                                                    | 14 | $zs\_bool\_u\_thm\dots$                                                                                                  | 21 |
| BVXor                                                                                                                     | 14 | $zs\_div\_mod\_thm\dots$                                                                                                 | 21 |
| BVZeroExtend                                                                                                              | 17 | $zs\_false\_def$                                                                                                         | 21 |
| Concat                                                                                                                    | 11 | $zs\_int\_def$                                                                                                           | 21 |
| Distinct                                                                                                                  | 6  | $zs\_i\_ops\_def$                                                                                                        | 21 |
| $Divisible \dots \dots \dots \dots \dots \dots$                                                                           | 7  | $zs\_mod\_thm \dots \dots \dots$                                                                                         | 21 |
| $Equal \dots \dots$ | 6  | $zs\_true\_def$                                                                                                          | 21 |
| Extract                                                                                                                   | 11 | $zs\_true\_neq\_false\_thm\dots$                                                                                         | 21 |
| False                                                                                                                     | 6  | ^                                                                                                                        | 10 |

### A SOME PROOFS

```
SML
val = open\_theory "ZS\_Core";
val = set_pc "z_language_ext";
val \ zs\_bool\_def : THM = z\_get\_spec_{z}^{r}Bool^{r};
val \ zs\_true\_def : THM = z\_get\_spec_Z True \urcorner;
 val \ zs\_false\_def : THM = z\_get\_spec_z^{\Gamma}False^{\neg};
val \ zs\_bool\_u\_thm = save\_thm("zs\_bool\_u\_thm", (
set\_goal([], \Xi Bool = \mathbb{U}^{\neg});
 a(rewrite\_tac[zs\_bool\_def]);
pop_-thm()
));
val \ zs\_bool\_true\_false\_thm = save\_thm("zs\_u\_true\_false\_thm", (
 set\_goal([], \Sigma \mathbb{U} = \{true, false\}^{\neg});
a(rewrite_tac[zs_true_def, zs_false_def] THEN REPEAT strip_tac THEN taut_tac);
pop_{-}thm()
));
val \ zs\_true\_neq\_false\_thm = save\_thm("zs\_true\_neq\_false\_thm", (
a(rewrite\_tac[zs\_true\_def, zs\_false\_def]);
pop_-thm()
));
val = open\_theory "ZS\_Ints";
 val = set_pc "z_library";
 val \ \mathbf{zs\_int\_def} = z\_get\_spec \ \overline{z}Int \overline{;}
 val \ \mathbf{zs}_{-}i_{-}ops_{-}def = z_{-}get_{-}spec \ \overline{z}INeg \overline{z};
local
          val thms = (strip_{\sim}rule\ o\ rewrite_rule\ [zs_int_def,\ z_get_spec_{\mathbb{Z}}^{\mathbb{Z}^{\neg}}])\ zs_i\_ops_def;
in
          val \ \mathbf{zs\_mod\_thm} = (hd \ o \ tl \ o \ rev) \ thms;
          val \ \mathbf{zs\_div\_mod\_thm} = (hd \ o \ rev) \ thms;
 end;
val \ zs\_div\_mod\_thm = save\_thm("zs\_div\_mod\_thm", (
set\_goal([], \exists \forall x, y : \mathbb{Z} \mid \neg y = 0 \bullet IDiv \ x \ y = x \ div \ y \land IMod \ x \ y = x \ mod \ y \urcorner);
 a(REPEAT\_UNTIL\ is\_\land\ strip\_tac);
 a(ante\_tac\ (z\_\forall\_elim_{\mathbb{Z}}^{\Gamma}(i\ \widehat{=}\ x,\ j\ \widehat{=}\ y,\ d\ \widehat{=}\ IDiv\ x\ y,\ r\ \widehat{=}\ IMod\ x\ y)^{\Gamma}\ z\_div\_mod\_unique\_thm));
 a(asm\_rewrite\_tac[]);
 a(\Rightarrow_T (rewrite\_thm\_tac\ o\ eq\_sym\_rule));
 a(ALL\_FC\_T (conv\_tac \ o \ LEFT\_C \ o \ once\_rewrite\_conv)[zs\_div\_mod\_thm]);
 a(rewrite\_tac[]);
```