# KQuery

## The reference manual for the KQuery language

Contents

## Introduction

The KQuery language is the textual representation of constraint expressions and queries which is used as input to the Kleaver constraint solver.

Currently the language is capable of representing quantifier free formulas over bitvectors and arrays, with direct support for all standard operations on bitvectors. The language has been designed to be compact and easy to read and write.

The KQuery language is closely related to the C++ API for Exprs, see also the doxygen Expr documentation.

## Notation

In this document, syntax is given in Extended Backus-Naur Form and appears as:

Unless noted, the rules are described in terms of tokens not characters, and tokens can be separate by white space and comments.

In some case, a production like `child-expression`

is used as an alias for the `expression`

production, when subsequent text needs to differentiate the expression.

Examples are shown using:

```
(Eq w32 a b)
```

## Structure

A KQuery source file consists of a sequence of declarations.

**Syntax:**

Currently, the language supports two kinds of declarations:

*Array Declarations*: Use to declare an array of bitvectors for use in subsequent expressions.*Query Commands*: Used to define queries which should be executed by the constraint solver. A query consists of a set of constraints (assumptions), a query expression, and optionally expressions and arrays to compute values for if the query expression is invalid.

Comments begin with “#” and continue until the end of line. For example:

```
(Add w32 1 1) # Two, hopefully
```

### Expression and Version Labels

Expressions are frequently shared among constraints and query expressions. In order to keep the output succinct and readable, expression labels can be used to introduce a lexical binding which can be used in subsequent expressions. Expression labels are globally scoped through the entire source file, and a definition must preceed any use in the source file.

**Syntax:**

Likewise, versions are frequently shared among reads and can be labelled in the same fashion.

**Examples:**

```
(Add w32 N0:(Add w32 1 1) N0) # Four
```

```
array const_array[] : w32 -> w8 = [5,6]
(Read w8 0 U0:[0=255] @ const_array) # U0 now refers to an array [255,6]
(Read w8 1 U0) # Read from byte offset 1 of [255,6]
```

## Literals

### Identifiers

Identifiers are used for specifying array names and for expression labels.

**Syntax:**

**Examples:**

```
_foo
arr10_20
```

Note that in order to keep open the possibility to introduce explicit integral and floating-point types, the following identifiers are treated as reserved keywords:

```
floating-point-type = "fp[0-9]+([.].*)?"
integer-type = "i[0-9]+"
```

### Numbers

Numeric constants can be specified as follows.

**Syntax:**

**Examples:**

```
false
-10
0b1000_0001 # 129
```

Non-decimal constants can be signed. The “_” character is ignored when evaluating constants, but is available for use as a separator.

### Types

Types are explicit operands to most expressions, and indicate the bit-width of the type.

**Syntax:**

**Example:**

```
w32
```

The numeric portion of the token is taken to be a decimal integer specifying the bit-width of the type.

## Declarations

### Arrays

Arrays are the basic type for defining symbolic variables (the language does not currently support simple variables).

**Syntax:**

Arrays can be initialized to be either symbolic, or to have a given list of constant values. For constant arrays, the initializer list must exactly match the size of the array (if the size was unspecified, it will be the number of constant values).

**Examples:**

```
array foo[10] : w32 -> w8 = symbolic # A ten element symbolic array
array foo[] : w8 -> w1 = [ true, false, false, true ] # A constant array of
four booleans
```

### Query Commands

Query declarations describe the queries that the constraint solver should run, along with optional additional arguments to specify expressions and arrays for which counterexamples should be provided.

**Syntax:**

**Examples:**

```
(query [] false)
(query [(Eq w8 (Read w8 0 mem) 10)] false [] [ mem ])
```

A query command consists a query, consisting of a constraint list and a query expression, and two optional lists for use when a counterexample is desired.

The `constraint-list`

is a list of expressions (with boolean type) which are assumed to hold. Although not required in the language, many solvers require that this set of constraints be consistent. The `query-expression`

is the expression to determine the validity of.

If a counterexample is desired for invalid queries, `eval-expr-list`

is a list of expressions for which a possible value should be constructed, and `eval- array-list`

is a list of arrays for which values for the entire array should be provided. All counterexamples results must be simultaneously feasible.

## Versions

Versions are used to refer to an array with an ordered sequence of writes to it.

**Syntax:**

**Examples:**

```
array small_array[2] : w32 -> w8 = symbolic # The array we will read from
(Read w8 0 small_array) # No Updates to small_array
(Read w8 1 [1=0xff] @ small_array) # Read from small_array at byte offset 1
with update where byte 1 set to decimal 255
```

A version can be specified either by an identifier, which can refer to an array or a labelled version, or by an explicit list of writes which are to be concatenated to another version (the most recent writes are first).

## Expressions

Expressions are strongly typed, and have the following general form:

where `EXPR_NAME`

is the expression name, `EXPR_TYPE`

is the expression type (which may be optional), followed by any additional arguments.

### Primitive Expressions

#### Expression References

An expression reference can be used to refer to a previously labelled expression.

**Syntax:**

Expression and version labels are in separate namespaces, it is the users responsibility to use separate labels to preserve readability.

#### Constants

Constants are specified by a numeric token or a type and numeric token.

**Syntax:**

When a constant is specified without a type, the resulting expression is only well-formed if its type can be inferred from the enclosing context. The `true`

and `false`

constants always have type `w1`

.

**Examples:**

```
true
(w32 0)
(Add w32 10 20) # The type for 10 and 20 is inferred to be w32.
```

### Arithmetic Operations

#### Add, Sub, Mul, UDiv, SDiv, URem, SRem

**Syntax:**

Arithmetic operations are always binary and the types of the left- and right- hand side expressions must match the expression type.

#### UDiv

Truncated unsigned division. Undefined if divisor is 0.

#### URem

Unsigned remainder. Undefined if divisor is 0.

#### SDiv

Signed division. Undefined if divisor is 0.

#### SRem

Signed remainder. Undefined if divisor is 0. Sign of the remainder is the same as that of the dividend.

### Bitwise Operations

#### Not

**Syntax:**

Bitwise negation. The result is the bitwise negation (one’s complement) of the input expression. If the type is specified, it must match the expression type.

#### And, Or, Xor, Shl, LShr, AShr

**Syntax:**

These bitwise operations are always binary and the types of the left- and right-hand side expressions must match the expression type.

#### Shl

Logical shift left. Moves each bit of `X`

to the left by `Y`

positions. The `Y`

right-most bits of `X`

are replaced with zero, and the left-most bits discarded.

#### LShr

Logical shift right. Moves each bit of `X`

to the right by `Y`

positions. The `Y`

left-most bits of `X`

are replaced with zero, and the right-most bits discarded.

#### AShr

Arithmetic shift right. Behaves as `LShr`

except that the left-most bits of `X`

copy the initial left-most bit (the sign bit) of `X`

.

### Comparisons

#### Eq, Ne, Ult, Ule, Ugt, Uge, Slt, Sle, Sgt, Sge

**Syntax:**

Comparison operations are always binary and the types of the left- and right- hand side expression must match. If the type is specified, it must be `w1`

.

### Bitvector Manipulation

#### Concat

**Syntax:**

*Concat* evaluates to a `type`

bits formed by concatenating `lsb-expression`

to `msb-expression`

.

#### Extract

**Syntax:**

*Extract* evaluates to `type`

bits from `child-expression`

taken from `offset-number`

, where `offset-number`

is the index of the least-significant bit in `child-expression`

which should be extracted.

#### ZExt

**Syntax:**

*ZExt* evaluates to the lowest `type`

bits of `child-expression`

, with undefined bits set to zero.

#### SExt

**Syntax:**

*SExt* evaluates to the lowest `type`

bits of `child-expression`

, with undefined bits set to the most-significant bit of `input-expression`

.

### Special Expressions

#### Read

**Syntax:**

The *Read* expression evaluates to the first write in `version`

for which `index-expression`

is equivalent to the index in the write. The type of the expression must match the range of the root array in `version`

, and the type of `index-expression`

must match the domain.

#### Select

**Syntax:**

The *Select* expression evalues to `true-expression`

if the condition evaluates to true, and to `false-expression`

if the condition evaluates to false. The `cond-expression`

must have type `w1`

.

Both the true and false expressions must be well-formed, regardless of the condition expression. In particular, it is not legal for one of the expressions to cause a division-by-zero during evaluation, even if the *Select* expression will never evaluate to that expression.

### Macro Expressions

Several common expressions are not implemented directly in the Expr library, but can be expressed in terms of other operations. A number of these are implemented as “macros”. The pretty printer recognizes and prints the appropriate Expr forms as the macro, and the parser recognizes them and turns them into the underlying representation.

#### Neg

**Syntax:**

This macro form can be used to generate a **Sub** from zero.

#### ReadLSB, ReadMSB

**Syntax:**

*ReadLSB* and *ReadMSB* can be used to simplify contiguous array accesses. The type of the expression must be a multiple `N`

of the array range type. The expression expands to a concatenation of `N`

read expressions, where each read is done at a subsequent offset from the `index-expression`

. For *ReadLSB* (*ReadMSB*), the concatentation is done such that the read at `index-expression`

forms the least- (most-) significant bits.