Path-Sensitive Analysis for Linear Arithmetic and Uninterpreted Functions

SAS 2004

Sumit Gulwani George Necula

EECS Department

University of California, Berkeley


Example

All 3 asserts are true

Program shown in the flow graph (the branch condition is a=2?):

  if a=2 then (y := 2; z := a) else (y := a; z := 2);
  if a=2 then (u := 1; v := 1+a) else (u := a-1; v := 3);
  t1 := y-u; t2 := v-z;
  Assert(t1=t2 ∧ t1=1 ∧ z=2);


Path-Insensitive Analysis

  • Most PTIME analyses treat conditionals as non-deterministic.
  • They will verify only t1=t2

Program as seen by a path-insensitive analysis (both conditionals become non-deterministic choices, written *):

  if * then (y := 2; z := a) else (y := a; z := 2);
  if * then (u := 1; v := 1+a) else (u := a-1; v := 3);
  t1 := y-u; t2 := v-z;
  Assert(t1=t2 ∧ t1=1 ∧ z=2);


Path-Sensitive Analysis

  • We can do better by doing a boolean abstraction of conditionals.
    • Each atomic predicate is abstracted to a boolean variable
  • This will also verify t1=1
  • This is still abstract though!
    • z=2 not verified
    • undecidable to reason completely

Program after boolean abstraction (both occurrences of a=2? become the same boolean variable c1):

  if c1 then (y := 2; z := a) else (y := a; z := 2);
  if c1 then (u := 1; v := 1+a) else (u := a-1; v := 3);
  t1 := y-u; t2 := v-z;
  Assert(t1=t2 ∧ t1=1 ∧ z=2);

Outline
  • Existing approach (MVR) vs. our approach (FCED)
  • FCEDs for linear arithmetic
  • FCEDs for uninterpreted function terms

Multi-Valued ROBDDs (MVRs)

Program (conditionals abstracted to the boolean variables c1 and c2):

  if c1 then (y := 2; z := a) else (y := a; z := 2);
  if c2 then (u := 1; v := 1+a) else (u := a-1; v := 3);
  t1 := y-u; t2 := v-z;
  Assert(t1=t2); Assert(t1=1);

MVRs shown in the diagram (each internal node branches on a boolean variable, leaves are linear expressions):

  MVR(y)  = if c1 then 2 else a
  MVR(u)  = if c2 then 1 else a-1
  MVR(t1) = if c1 then (if c2 then 1 else -a+3) else (if c2 then a-1 else 1)

  • |MVR(t1)| = |MVR(y)| × |MVR(u)|
  • MVR(t1) does not share nodes with MVR(y) and MVR(u)
  • Need a normal form for leaves


Free Conditional Expression Diagrams (FCEDs)

Same program as on the previous slide:

  if c1 then (y := 2; z := a) else (y := a; z := 2);
  if c2 then (u := 1; v := 1+a) else (u := a-1; v := 3);
  t1 := y-u; t2 := v-z;
  Assert(t1=t2); Assert(t1=1);

FCEDs shown in the diagram (FCED(t1) is a Minus node whose children are the FCEDs of y and u):

  FCED(y)  = if c1 then 2 else a
  FCED(u)  = if c2 then 1 else a-1
  FCED(t1) = Minus(FCED(y), FCED(u))

  • |FCED(t1)| = |FCED(y)| + |FCED(u)|
  • FCED(t1) shares nodes with FCED(y) and FCED(u)
  • No need for normal form

Outline
  • Existing approach (MVR) vs. our approach (FCEDs)
  • FCEDs for linear arithmetic
  • FCEDs for uninterpreted function terms
Problem Definition

e = q | y | e1 ± e2 | q × e | if b then e1 else e2

b = c | b1 ∧ b2 | b1 ∨ b2

e: conditional linear arithmetic expression

b: boolean formula

y: rational variable

c: boolean variable

q: rational constant

  • Construct FCED for an expression e, given FCEDs for its subexpressions.
  • Check 2 FCEDs for equivalence
FCED

An FCED f is a DAG with the following kind of nodes.

f := y | q | Plus(f1,f2) | Minus(f1,f2) | Times(q,f) | Choose(f1,f2) | Guard(g,f)

Choose(f1,f2) means f1 or f2

Guard(g,f) means if g then f

Boolean expressions g are represented using ROBDDs

g := true | false | c | If(c,g1,g2)

Example

FCED for the expression (if c1 then 2 else a) + (if c2 then 1 else a-1), as drawn in the diagram: a Plus node over two Choose nodes, each Choose holding a Guard for the condition and a Guard for its negation.

  Plus(Choose(Guard(R(c1), 2), Guard(R(¬c1), a)),
       Choose(Guard(R(c2), 1), Guard(R(¬c2), a-1)))

R(b) denotes the ROBDD of the boolean formula b.

Formalization


FCED Construction
  • FCED(y) = Leaf(y)
  • FCED(q) = Leaf(q)
  • FCED(e1+e2) = Plus(FCED(e1), FCED(e2))
  • FCED(q × e) = Times(q, FCED(e))
  • FCED(if b then e1 else e2) = Choose(Guard(R(b), FCED(e1)), Guard(R(NOT(b)), FCED(e2)))

FCED Construction
  • FCED(y) = Leaf(y)
  • FCED(q) = Leaf(q)
  • FCED(e1+e2) = Plus(FCED(e1), FCED(e2))
  • FCED(q × e) = Times(q, FCED(e))
  • FCED(if b then e1 else e2) = Choose(||R(b), FCED(e1)||, ||NOT R(b), FCED(e2)||)

Normalize Guard Operator
  • Inputs: guard g, FCED f
  • Output: FCED f' such that
    • f ≡ f'
    • ∀ guard nodes Guard(g, f'') in f', BV(g) < BV(f'')
  • Definition of ||g, f||:
    • ||g, f|| = Guard(g, f), if BV(g) < BV(f)
    • ||g, Plus(f1, f2)|| = Plus(||g, f1||, ||g, f2||)
    • ||g, Choose(f1, f2)|| = Choose(||g, f1||, ||g, f2||)
    • ||g1, Guard(g2, f)|| = ||INTERSECT(g1, g2), f||
Example: Normalize Guard Operator

Given f, construct ||R(c1), f||

(Diagram: f is a Plus over Choose nodes whose Guard children carry R(c2), R(¬c2), R(c1), R(¬c1) above the leaves z, 6, 2, 3; the guard R(c1) is pushed down through the Plus and Choose nodes and intersected with the guards it meets, producing R(c1 ∧ c1) and R(¬c1 ∧ c1).)

Randomized Equivalence Testing for FCEDs

Assign hash values to nodes of FCEDs in a bottom-up manner

V: FCED Node → Integer

  • V(Leaf(q)) = q
  • V(Leaf(y)) = r_y
  • V(Plus(f1, f2)) = V(f1) + V(f2)
  • V(Choose(f1, f2)) = V(f1) + V(f2)
  • V(Guard(g, f)) = H(g) × V(f)

H: Guard → Integer

  • H(true) = 1, H(false) = 0
  • H(c) = r_c
  • H(If(c, g1, g2)) = r_c × H(g1) + (1 - r_c) × H(g2)
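As an added example (not code from the paper or these slides), the following Python builds FCEDs for the slides' running program with the construction rules above and implements the bottom-up hash V/H exactly as defined, drawing the random values from a large prime field rather than an abstract set of size t; the tuple encoding of nodes, the function names and the modulus are assumptions made here.

```python
import random

P = 2**61 - 1  # random values come from Z_P; false-equality probability is about (#nodes)/P

# Guards are one-variable ROBDDs: True | False | ("if", c, g_true, g_false)
def R(c, negated=False):
    return ("if", c, not negated, negated)          # R(c), or R(not c) when negated

def H(g, r):
    """H(true)=1, H(false)=0, H(If(c,g1,g2)) = r_c*H(g1) + (1-r_c)*H(g2)."""
    if g is True or g is False:
        return int(g)
    _, c, g1, g2 = g
    return (r[c] * H(g1, r) + (1 - r[c]) * H(g2, r)) % P

# FCED nodes: ("leaf", var_or_const) | ("plus"|"minus"|"choose", f1, f2) | ("times", q, f) | ("guard", g, f)
def ite(b, f1, f2):
    """FCED(if b then e1 else e2) = Choose(Guard(R(b), FCED(e1)), Guard(R(not b), FCED(e2)))."""
    return ("choose", ("guard", R(b), f1), ("guard", R(b, True), f2))

def V(f, r, memo=None):
    """Bottom-up hash; memo is keyed by node identity so shared sub-DAGs are hashed once."""
    memo = {} if memo is None else memo
    if id(f) in memo:
        return memo[id(f)]
    kind, x, y = f[0], f[1], (f[2] if len(f) > 2 else None)
    if kind == "leaf":
        v = x % P if isinstance(x, int) else r[x]       # V(Leaf(q)) = q, V(Leaf(y)) = r_y
    elif kind in ("plus", "choose"):
        v = (V(x, r, memo) + V(y, r, memo)) % P         # Plus and Choose both add
    elif kind == "minus":
        v = (V(x, r, memo) - V(y, r, memo)) % P
    elif kind == "times":
        v = (x * V(y, r, memo)) % P                     # x is the rational constant q
    else:
        v = (H(x, r) * V(y, r, memo)) % P               # V(Guard(g,f)) = H(g) * V(f)
    memo[id(f)] = v
    return v

def equivalent(f1, f2, names, trials=3):
    """Equivalent FCEDs always agree; non-equivalent ones agree only with negligible probability."""
    return all(V(f1, r) == V(f2, r)
               for r in ({n: random.randrange(P) for n in names} for _ in range(trials)))

def running_example(path_sensitive):
    """The slides' program; both branches test a=2, so path-sensitive mode names both c1."""
    a, one, two, three = ("leaf", "a"), ("leaf", 1), ("leaf", 2), ("leaf", 3)
    c2 = "c1" if path_sensitive else "c2"
    y, z = ite("c1", two, a), ite("c1", a, two)            # y := 2; z := a  |  y := a; z := 2
    u, v = ite(c2, one, ("minus", a, one)), ite(c2, ("plus", one, a), three)
    t1, t2 = ("minus", y, u), ("minus", v, z)
    names = ["a", "c1", "c2"]
    return {"t1=t2": equivalent(t1, t2, names), "t1=1": equivalent(t1, one, names),
            "z=2": equivalent(z, two, names)}
```

With independent c1 and c2 only t1=t2 is verified; naming both conditionals c1 also verifies t1=1, while z=2 stays unverified because it needs the fact that c1 means a=2.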
Randomized Equivalence Testing for FCEDs

Completeness

f1 ≡ f2 ⇒ V(f1) = V(f2)

Soundness

f1 ≢ f2 ⇒ Pr[V(f1) = V(f2)] ≤ s/t

s: maximum # of nodes in an FCED

t: size of the set from which random values are chosen

Proof: ∃ a 1-1 map Poly: FCED → Polynomials such that V(f) is the value of Poly(f)

Outline
  • Existing approach (MVR) vs. our approach (FCEDs)
  • FCEDs for linear arithmetic
  • FCEDs for uninterpreted function terms
Problem Definition

e = y | F(e1, e2) | if b then e1 else e2

b = c | b1 ∧ b2 | b1 ∨ b2

e: conditional uninterpreted function term

b: boolean formula

y: variable

c: boolean variable

  • Construct FCED for an expression e, given FCEDs for its subexpressions.
  • Check 2 FCEDs for equivalence
FCED

An FCED f is a DAG with the following kind of nodes.

f := y | F(f1,f2) | Choose(f1,f2) | Guard(g,f)

Choose(f1,f2) means f1 or f2

Guard(g,f) means if g then f

Boolean expressions g are represented using ROBDDs

g := true | false | c | If(c,g1,g2)

FCED Construction

FCED(y) = Leaf(y)

FCED(F(e1,e2)) = F(FCED(e1), FCED(e2))

FCED(if b then e1 else e2) = Choose(||R(b),FCED(e1)||, ||NOT R(b), FCED(e2)||)

Randomized Equivalence Testing of FCEDs

Assign hash values to nodes of FCEDs in a bottom-up manner

V: FCED Node → Tuple of k integers

k ≥ depth of any FCED

  • V(y) = [r_y, …, r_y]
  • V(Choose(f1, f2)) = V(f1) + V(f2)
  • V(Guard(g, f)) = H(g) × V(f)
  • V(F(f1, f2)) = V(f1) × M + V(f2) × N

M, N: random k × k matrices

Randomized Equivalence Testing for FCEDs

Completeness

f1 ≡ f2 ⇒ V(f1) = V(f2)

Soundness

f1 ≢ f2 ⇒ Pr[V(f1) = V(f2)] ≤

s: maximum # of nodes in an FCED

t: size of the set from which random values are chosen

Proof: more involved

Conclusion and Future Work
  • Randomization can help achieve simplicity and efficiency at the expense of making soundness probabilistic.
  • Integrate randomized techniques with symbolic algorithms
  • A few interesting possible extensions:
    • Combination of uninterpreted functions with arithmetic
    • Partially interpreted functions like commutative and/or associative functions
    • Model memory