1 / 25

Path-Sensitive Analysis of Linear Arithmetic and Uninterpreted Functions

This paper presents a path-sensitive analysis method for linear arithmetic and uninterpreted functions, contrasting it with traditional path-insensitive analyses. We introduce Free Conditional Expression Diagrams (FCEDs) to validate assertions more effectively in the context of conditional expressions. The proposed techniques promise improvements in verification capabilities, allowing deeper insights into equivalence checking of expressions while handling conditional constructs and boolean abstractions effectively. This work provides a comprehensive overview of FCEDs and their implication in formal verification.

genero
Download Presentation

Path-Sensitive Analysis of Linear Arithmetic and Uninterpreted Functions

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Path-Sensitive Analysis for Linear Arithmetic and Uninterpreted Functions SAS 2004 Sumit Gulwani George Necula EECS Department University of California, Berkeley

  2. Example All 3 asserts are true False True a=2? y := a; z := 2; y := 2; z := a; True False a=2? u := 1; v := 1+a; u := a-1; v := 3; t1 := y-u; t2 := v-z; Assert(t1=t2 Æ t1=1 Æ z=2);

  3. Path-Insensitive Analysis • Most PTIME analyses treat conditionals as non-deterministic. • They will verify only t1=t2 False True * y := a; z := 2; y := 2; z := a; True False * u := 1; v := 1+a; u := a-1; v := 3; t1 := y-u; t2 := v-z; Assert(t1=t2 Æ t1=1 Æ z=2);

  4. Path-Sensitive Analysis • We can do better by doing a boolean abstraction of conditionals. • Each atomic predicate is abstracted to a boolean variable • This will also verify t1=1 • This is still abstract though! • z=2 not verified • undecidable to reason completely False True c1 y := a; z := 2; y := 2; z := a; True False c1 u := 1; v := 1+a; u := a-1; v := 3; t1 := y-u; t2 := v-z; Assert(t1=t2 Æ t1=1 Æ z=2);

  5. Outline • Existing approach (MVR) vs. our approach (FCED) • FCEDs for linear arithmetic • FCEDs for uninterpreted function terms

  6. c1 t1 = c2 y= c1 u= c2 c2 2 a 1 a-1 1 -a+3 a-1 1 Multi-Valued ROBDDs (MVRs) True False c1 y := a; z := 2; y := 2; z := a; True False c2 • |MVR(t1)| = |MVR(y)| £ |MVR(u)| • MVR(t1) does not share nodes with MVR(y) and MVR(u) • Need a normal form for leaves u := 1; v := 1+a; u := a-1; v := 3; t1 := y-u; t2 := v-z; Assert(t1=t2); Assert(t1=1);

  7. Free Conditional Expression Diagrams (FCEDs) t1 = - True False c1 y= c1 u= c2 y := a; z := 2; y := 2; z := a; 2 a 1 a-1 True False c2 • |FCED(t1)| = |FCED(y)| + |FCED(u)| • FCED(t1) shares nodes with FCED(y) and FCED(u) • No need for normal form u := 1; v := 1+a; u := a-1; v := 3; t1 := y-u; t2 := v-z; Assert(t1=t2); Assert(t1=1);

  8. Outline • Existing approach (MVR) vs. our approach (FCEDs) • FCEDs for linear arithmetic • FCEDs for uninterpreted function terms

  9. Problem Definition e = q | y | e1§ e2| q £ e | if b then e1 else e2 b = c | b1Æ b2| b1Ç b2 e: conditional linear arithmetic expression b: boolean formula y: rational variable c: boolean variable q: rational constant • Construct FCED for an expression e, given FCEDs for its subexpressions. • Check 2 FCEDs for equivalence

  10. FCED An FCED f is a DAG with the following kind of nodes. f := y | q | Plus(f1,f2) | Minus(f1,f2) | Times(q,f) | Choose(f1,f2) | Guard(g,f) Choose(f1,f2) means f1 or f2 Guard(g,f) means if g then f Boolean expressions g are represented using ROBDDs g := true | false | c | If(c,g1,g2)

  11. plus + choose choose c1 c2 guard guard guard guard 2 a 1 a-1 a-1 R(:c2) R(c2) 1 a R(c1) 2 R(:c1) Example Formalization

  12. plus + choose choose c1 c2 guard guard guard guard 2 a 1 a-1 a-1 R(:c2) R(c2) 1 a R(c1) 2 R(:c1) Example Formalization

  13. FCED Construction • FCED(y) = Leaf(y) • FCED(q) = Leaf(q) • FCED(e1+e2) = Plus (FCED(e1), FCED(e2)) • FCED(q £ e) = Times(q,FCED(e)) • FCED(if b then e1 else e2) = Choose(Guard(R(b),e1), Guard(R(NOT(b)),e2)

  14. FCED Construction • FCED(y) = Leaf(y) • FCED(q) = Leaf(q) • FCED(e1+e2) = Plus (FCED(e1), FCED(e2)) • FCED(q £ e) = Times(q,FCED(e)) • FCED(if b then e1 else e2) = Choose(||R(b),FCED(e1)||, ||NOT R(b), FCED(e2)||)

  15. Normalize Guard Operator • Inputs: guard g, FCED f • Output: FCED f’ s.t. • f ´ f’ • 8 guard nodes Guard(g,f’’) in f’, BV(g) < BV(f’’) • ||g,f|| = Guard(g,f), if BV(g) < BV(f) • ||g, Plus(f1,f2) = Plus(||g,f1||, ||g, f2||) • ||g, Choose(f1,f2) = Choose(||g,f1||, ||g, f2||) • ||g1, Guard(g2,f )|| = Guard(|| INTERSECT(g1,g2),f ||) • …

  16. guard guard guard R(c1) R(c1) R(c1) choose choose guard guard guard guard guard z 6 R(:c2) R(c2) 2 R(c1) R(:c1) 3 3 R(:c1Æc1) choose guard guard guard 2 R(c1Æc1) 2 R(c1) R(:c1) 3 Example: Normalize Guard Operator Given f, construct ||R(c1),f|| plus choose

  17. Randomized Equivalence Testing for FCEDs Assign hash values to nodes of FCEDs in bottom-up manner V: FCED Node ! Integer • V(Leaf(q)) = q • V(Leaf(y)) = ry • V(Plus(f1,f2)) = V(f1) + V(f2) • V(Choose(f1,f2)) = V(f1) + V(f2) • V(Guard(g,f)) = H(g) £ V(f) H: Guard ! Integer • H(true) = 1, H(false) = 0 • H(c) = rc • H(If(c,g1,g2)) = rc£ H(g1) + (1-rc) £ H(g2)

  18. Randomized Equivalence Testing for FCEDs Completeness f1´ f2) V(f1) = V(f2) Soundness f1´ f2) Pr[V(f1) = V(f2)] · s/t s: maximum # of nodes in a FCED t: size of set from which random values are chosen Proof: 9 1-1 Poly: FCED ! Polynomials such that V(f) is the value of Poly(f)

  19. Outline • Existing approach (MVR) vs. our approach (FCEDs) • FCEDs for linear arithmetic • FCEDs for uninterpreted function terms

  20. Problem Definition e = y | F(e1,e2) | if b then e1 else e2 b = c | b1Æ b2| b1Ç b2 e: conditional uninterpreted function term b: boolean formula y: variable c: boolean variable • Construct FCED for an expression e, given FCEDs for its subexpressions. • Check 2 FCEDs for equivalence

  21. FCED An FCED f is a DAG with the following kind of nodes. f := y | F(f1,f2) | Choose(f1,f2) | Guard(g,f) Choose(f1,f2) means f1 or f2 Guard(g,f) means if g then f Boolean expressions g are represented using ROBDDs g := true | false | c | If(c,g1,g2)

  22. FCED Construction FCED(y) = Leaf(y) FCED(F(e1,e2)) = F(FCED(e1), FCED(e2)) FCED(if b then e1 else e2) = Choose(||R(b),FCED(e1)||, ||NOT R(b), FCED(e2)||)

  23. Randomized Equivalence Testing of FCEDs Assign hash values to nodes of FCEDs in bottom-up manner V: FCED Node ! Tuple of k integers K ¸ depth of any FCED • V(y) = [ry,…ry] • V(Choose(f1,f2)) = V(f1) + V(f2) • V(Guard(g,f)) = H(g) £ V(f) • V(F(f1,f2)) = V(f1) £ M + V(f2) £ N M, N: random k £ k matrices

  24. Randomized Equivalence Testing for FCEDs Completeness f1´ f2) V(f1) = V(f2) Soundness f1´ f2) Pr[V(f1) = V(f2)] · s: maximum # of nodes in a FCED t: size of set from which random values are chosen Proof: more involved

  25. Conclusion and Future Work • Randomization can help achieve simplicity and efficiency at the expense of making soundness probabilistic. • Integrate randomized techniques with symbolic algorithms • Few interesting possible extensions: • Combination of uninterpreted functions with arithmetic • Partially interpreted functions like commutative and/or associative functions • Model memory

More Related