
### Path-Sensitive Analysis for Linear Arithmetic and Uninterpreted Functions

SAS 2004

Sumit Gulwani George Necula

EECS Department

University of California, Berkeley

Example

All 3 asserts are true

[Figure: flowchart of the example program, rendered here as text]

    if (a=2) { y := 2; z := a; } else { y := a; z := 2; }
    if (a=2) { u := 1; v := 1+a; } else { u := a-1; v := 3; }
    t1 := y-u; t2 := v-z;
    Assert(t1=t2 ∧ t1=1 ∧ z=2);

Path-Insensitive Analysis

• Most PTIME analyses treat conditionals as non-deterministic.
• They will verify only t1=t2

[Figure: the example program with both tests "a=2?" replaced by a non-deterministic choice "*"; the assignments and Assert(t1=t2 ∧ t1=1 ∧ z=2) are unchanged.]

Path-Sensitive Analysis

• We can do better by doing a boolean abstraction of conditionals.
• Each atomic predicate is abstracted to a boolean variable
• This will also verify t1=1
• This is still abstract though!
  • z=2 not verified
  • reasoning completely about the predicates is undecidable

[Figure: the example program with both tests "a=2?" abstracted to the same boolean variable c1; the assignments and Assert(t1=t2 ∧ t1=1 ∧ z=2) are unchanged.]

Outline
• Existing approach (MVR) vs. our approach (FCED)
• FCEDs for linear arithmetic
• FCEDs for uninterpreted function terms

Multi-Valued ROBDDs (MVRs)

[Figure: the example program with its two conditions abstracted to c1 and c2 and the asserts Assert(t1=t2); Assert(t1=1); next to it, MVR(y) tests c1 with leaves 2 (true) and a (false), MVR(u) tests c2 with leaves 1 and a-1, and MVR(t1) for t1 := y-u tests c1 and then c2 with leaves 1, -a+3, a-1, 1.]

• |MVR(t1)| = |MVR(y)| × |MVR(u)|
• MVR(t1) does not share nodes with MVR(y) and MVR(u)
• Need a normal form for leaves

Free Conditional Expression Diagrams (FCEDs)

[Figure: the same program with conditions c1 and c2 and the asserts Assert(t1=t2); Assert(t1=1); next to it, FCED(t1) is a single Minus node whose two children are the existing diagrams FCED(y) (c1: 2 / a) and FCED(u) (c2: 1 / a-1).]

• |FCED(t1)| = |FCED(y)| + |FCED(u)|
• FCED(t1) shares nodes with FCED(y) and FCED(u)
• No need for normal form

Outline
• Existing approach (MVR) vs. our approach (FCEDs)
• FCEDs for linear arithmetic
• FCEDs for uninterpreted function terms

Problem Definition

e = q | y | e1 ± e2 | q × e | if b then e1 else e2

b = c | b1 ∧ b2 | b1 ∨ b2

e: conditional linear arithmetic expression

b: boolean formula

y: rational variable

c: boolean variable

q: rational constant

• Construct FCED for an expression e, given FCEDs for its subexpressions.
• Check 2 FCEDs for equivalence

FCED

An FCED f is a DAG with the following kind of nodes.

f := y | q | Plus(f1,f2) | Minus(f1,f2) | Times(q,f) | Choose(f1,f2) | Guard(g,f)

Choose(f1,f2) means f1 or f2

Guard(g,f) means if g then f

Boolean expressions g are represented using ROBDDs

g := true | false | c | If(c,g1,g2)

[Figure, labelled "Example" and "Formalization": the FCED for y+u from the example, drawn as Plus(Choose(Guard(R(c1), 2), Guard(R(¬c1), a)), Choose(Guard(R(c2), 1), Guard(R(¬c2), a-1))), where each Guard node carries the ROBDD R(·) of its condition.]

FCED Construction
• FCED(y) = Leaf(y)
• FCED(q) = Leaf(q)
• FCED(e1+e2) = Plus(FCED(e1), FCED(e2))
• FCED(q × e) = Times(q, FCED(e))
• FCED(if b then e1 else e2) =

Choose(Guard(R(b), FCED(e1)), Guard(R(NOT(b)), FCED(e2)))

(R(b) is the ROBDD of the boolean formula b; this first version places the guards directly and is refined below by normalizing them.)

FCED Construction
• FCED(y) = Leaf(y)
• FCED(q) = Leaf(q)
• FCED(e1+e2) = Plus(FCED(e1), FCED(e2))
• FCED(q × e) = Times(q, FCED(e))
• FCED(if b then e1 else e2) =

Choose(||R(b), FCED(e1)||, ||NOT R(b), FCED(e2)||)

Normalize Guard Operator
• Inputs: guard g, FCED f
• Output: FCED f' s.t.
  • f ≡ f'
  • ∀ guard nodes Guard(g,f'') in f', BV(g) < BV(f'')
• ||g, f|| = Guard(g,f), if BV(g) < BV(f)
• ||g, Plus(f1,f2)|| = Plus(||g,f1||, ||g,f2||)
• ||g, Choose(f1,f2)|| = Choose(||g,f1||, ||g,f2||)
• ||g1, Guard(g2,f)|| = ||INTERSECT(g1,g2), f||

Example: Normalize Guard Operator

Given f, construct ||R(c1),f||

[Figure: f is a Plus of two Choose nodes whose branches are guarded by R(c2)/R(¬c2) and R(c1)/R(¬c1) over the leaves z, 6, 2 and 3. Pushing the guard R(c1) down through the Plus and Choose nodes until it meets the existing guards yields guard nodes labelled R(c1∧c1) over the leaf 2 and R(¬c1∧c1) over the leaf 3.]

Randomized Equivalence Testing for FCEDs

Assign hash values to nodes of FCEDs in bottom-up manner

V: FCED Node → Integer

• V(Leaf(q)) = q
• V(Leaf(y)) = r_y
• V(Plus(f1,f2)) = V(f1) + V(f2)
• V(Choose(f1,f2)) = V(f1) + V(f2)
• V(Guard(g,f)) = H(g) × V(f)

H: Guard → Integer

• H(true) = 1, H(false) = 0
• H(c) = r_c
• H(If(c,g1,g2)) = r_c × H(g1) + (1-r_c) × H(g2)

(r_y and r_c are the random values chosen for the variable y and the boolean variable c.)

Randomized Equivalence Testing for FCEDs

Completeness

f1 ≡ f2 ⇒ V(f1) = V(f2)

Soundness

f1 ≢ f2 ⇒ Pr[V(f1) = V(f2)] ≤ s/t

s: maximum # of nodes in a FCED

t: size of set from which random values are chosen

Proof: ∃ 1-1 Poly: FCED → Polynomials such that V(f) is the value of Poly(f) at the chosen random values
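The construction and the hash-based equivalence test above, run on the talk's own example, as an added example (this is my code, not the authors' implementation). The tuple encoding of nodes and guards, the seed and the set size T are my choices; the hash rules V and H follow the slides.

```python
import random

T = 2**61 - 1                 # t: size of the set random values are drawn from (constructed)
_rng = random.Random(2004)    # fixed seed so the run is reproducible
_rnd = {}                     # one random value r_x per program or boolean variable x
def r(name):
    return _rnd.setdefault(name, _rng.randrange(T))

# Guards g := True | False | ('c', c) | ('if', c, g1, g2): the ROBDD shape from the talk
def H(g):
    if g is True or g is False:
        return int(g)
    if g[0] == 'c':
        return r(g[1])
    _, c, g1, g2 = g
    return r(c) * H(g1) + (1 - r(c)) * H(g2)

# FCED nodes: ('q', const) | ('y', var) | ('plus'|'minus'|'choose', f1, f2) | ('guard', g, f)
def V(f):
    kind = f[0]
    if kind == 'q':
        return f[1]
    if kind == 'y':
        return r(f[1])
    if kind in ('plus', 'choose'):
        return V(f[1]) + V(f[2])
    if kind == 'minus':
        return V(f[1]) - V(f[2])
    return H(f[1]) * V(f[2])  # guard: H(g) x V(f)

def ite(c, f1, f2):
    # FCED(if c then e1 else e2) for atomic c, with R(NOT c) as the ROBDD If(c,false,true);
    # the branches built below hold no guard nodes, so no ||g,f|| normalization is needed
    return ('choose', ('guard', ('c', c), f1), ('guard', ('if', c, False, True), f2))

def equivalent(f1, f2):
    return V(f1) == V(f2)

# The talk's example after boolean abstraction: both tests "a=2?" become the variable c1
a = ('y', 'a')
y = ite('c1', ('q', 2), a)                        # y := 2    / y := a
z = ite('c1', a, ('q', 2))                        # z := a    / z := 2
u = ite('c1', ('q', 1), ('minus', a, ('q', 1)))   # u := 1    / u := a-1
v = ite('c1', ('plus', ('q', 1), a), ('q', 3))    # v := 1+a  / v := 3
t1, t2 = ('minus', y, u), ('minus', v, z)

def check_asserts():
    # (t1=t2, t1=1, z=2) as decided by the hash test; z=2 needs a=2, which the
    # boolean abstraction cannot see, so only the first two come out True
    return equivalent(t1, t2), equivalent(t1, ('q', 1)), equivalent(z, ('q', 2))
```

Because V is linear in the leaves, V(t1) and V(t2) collapse to exactly 1 whatever random values are drawn, which is the completeness direction; a false "equal" for z=2 can only happen with probability about s/t.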

Outline
• Existing approach (MVR) vs. our approach (FCEDs)
• FCEDs for linear arithmetic
• FCEDs for uninterpreted function terms

Problem Definition

e = y | F(e1,e2) | if b then e1 else e2

b = c | b1 ∧ b2 | b1 ∨ b2

e: conditional uninterpreted function term

b: boolean formula

y: variable

c: boolean variable

• Construct FCED for an expression e, given FCEDs for its subexpressions.
• Check 2 FCEDs for equivalence

FCED

An FCED f is a DAG with the following kind of nodes.

f := y | F(f1,f2) | Choose(f1,f2) | Guard(g,f)

Choose(f1,f2) means f1 or f2

Guard(g,f) means if g then f

Boolean expressions g are represented using ROBDDs

g := true | false | c | If(c,g1,g2)

FCED Construction

FCED(y) = Leaf(y)

FCED(F(e1,e2)) = F(FCED(e1), FCED(e2))

FCED(if b then e1 else e2) = Choose(||R(b),FCED(e1)||, ||NOT R(b), FCED(e2)||)

Randomized Equivalence Testing of FCEDs

Assign hash values to nodes of FCEDs in bottom-up manner

V: FCED Node → Tuple of k integers

k ≥ depth of any FCED

• V(y) = [r_y, …, r_y]
• V(Choose(f1,f2)) = V(f1) + V(f2)
• V(Guard(g,f)) = H(g) × V(f)
• V(F(f1,f2)) = V(f1) × M + V(f2) × N

M, N: random k × k matrices

Randomized Equivalence Testing for FCEDs

Completeness

f1 ≡ f2 ⇒ V(f1) = V(f2)

Soundness

f1 ≢ f2 ⇒ Pr[V(f1) = V(f2)] ≤

s: maximum # of nodes in a FCED

t: size of set from which random values are chosen

Proof: more involved
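The k-tuple hash for uninterpreted function terms, as an added example (my code, not the authors'), checked on conditional terms that share a node: the prime P, the choice k=4, the seed and the node encoding are my assumptions; the rules for V, H, M and N follow the slides, with arithmetic done mod P.

```python
import random
P = 2**31 - 1                # values and matrix entries live mod this prime (constructed)
K = 4                        # k >= depth of any FCED built below
_rng = random.Random(2004)   # fixed seed so the run is reproducible
_rnd = {}
def r(name):                 # one random value per program or boolean variable
    return _rnd.setdefault(name, _rng.randrange(P))

def rand_matrix():
    return [[_rng.randrange(P) for _ in range(K)] for _ in range(K)]
M, N = rand_matrix(), rand_matrix()   # the two random k x k matrices from the talk

def vec_mat(v, A):           # row vector times k x k matrix, mod P
    return [sum(v[i] * A[i][j] for i in range(K)) % P for j in range(K)]
def vec_add(a, b):
    return [(s + t) % P for s, t in zip(a, b)]
def vec_scale(s, v):
    return [(s * t) % P for t in v]

# Nodes: ('y', var) | ('F', f1, f2) | ('choose', f1, f2) | ('guard', (c, positive), f).
# Only atomic guards c and NOT c occur here: H(c) = r_c, H(NOT c) = 1 - r_c.
def H(g):
    c, positive = g
    return r(c) if positive else (1 - r(c)) % P
def V(f):
    kind = f[0]
    if kind == 'y':
        return [r(f[1])] * K                      # [r_y, ..., r_y]
    if kind == 'F':                               # V(f1) x M + V(f2) x N
        return vec_add(vec_mat(V(f[1]), M), vec_mat(V(f[2]), N))
    if kind == 'choose':
        return vec_add(V(f[1]), V(f[2]))
    return vec_scale(H(f[1]), V(f[2]))            # guard: H(g) x V(f)

def ite(c, f1, f2):          # if c then f1 else f2, both branches guard-free
    return ('choose', ('guard', (c, True), f1), ('guard', (c, False), f2))
def equivalent(f1, f2):
    return V(f1) == V(f2)

x, y = ('y', 'x'), ('y', 'y')
w = ite('c', x, y)           # w := if c then x else y
def demo():
    # F(w,w), which shares the node w, against the path-expanded conditional term
    same = equivalent(('F', w, w), ite('c', ('F', x, x), ('F', y, y)))               # True
    # F(w,w') with w' := if c then y else x, against if c then F(x,y) else F(y,x)
    swapped = equivalent(('F', w, ite('c', y, x)), ite('c', ('F', x, y), ('F', y, x)))  # True
    # F is uninterpreted, so argument order is observable
    order = equivalent(('F', x, y), ('F', y, x))                                        # False
    return same, swapped, order
```

The first two checks succeed because V is linear in each argument of F, so a Choose below F hashes the same as the Choose lifted above it; the last fails with overwhelming probability because M and N are independent random matrices.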

Conclusion and Future Work
• Randomization can help achieve simplicity and efficiency at the expense of making soundness probabilistic.
• Integrate randomized techniques with symbolic algorithms
• A few interesting possible extensions:
  • Combination of uninterpreted functions with arithmetic
  • Partially interpreted functions like commutative and/or associative functions
  • Model memory