
Path-Sensitive Analysis for Linear Arithmetic and Uninterpreted Functions



Presentation Transcript


  1. Path-Sensitive Analysis for Linear Arithmetic and Uninterpreted Functions
  SAS 2004
  Sumit Gulwani, George Necula
  EECS Department, University of California, Berkeley

  2. Example
  All 3 asserts are true.

    if (a=2) { x := 2; y := a; } else { x := a; y := 2; }
    if (a=2) { u := 1; v := 1+a; } else { u := a-1; v := 3; }
    t1 := x-u; t2 := v-y;
    Assert(t1=t2 ∧ t1=1 ∧ y=2);

  3. Path-Insensitive Analysis
  • Most PTIME analyses treat conditionals as non-deterministic.
  • They will verify only t1=t2.
  (Same program as slide 2, with both conditional tests replaced by a non-deterministic choice *.)

  4. Path-Sensitive Analysis
  • We can do better by modeling conditionals as boolean formulas.
  • Each atomic predicate is abstracted to a boolean variable (both tests of a=2 become c1).
  • They will also verify t1=1.
  • This is still abstract though! y=2 is not verified; it is undecidable to reason completely.

  5. Multi-Valued ROBDDs (MVRs)
  (Diagram: MVRs for x over c1, for u over c2, and for t1 = x-u over c1 and c2, for the program of slide 2 with Assert(t1=t2); Assert(t1=1). MVR(t1) has the four leaves 1, -a+3, a-1, 1.)
  • |MVR(t1)| = |MVR(x)| × |MVR(u)|
  • MVR(t1) does not share nodes with MVR(x) and MVR(u)
  • Need a normal form for leaves

  6. Free Conditional Expression Diagrams (FCEDs)
  (Diagram: FCED for t1 = x-u, built from FCED(x) over c1 and FCED(u) over c2, for the same program with Assert(t1=t2); Assert(t1=1).)
  • |FCED(t1)| = |FCED(x)| + |FCED(u)|
  • FCED(t1) shares nodes with FCED(x) and FCED(u)
  • No need for normal form

  7. FCEDs for Linear Arithmetic

  8. FCED Construction + Formalization
  (Diagram: the FCED as a Plus of two Choose nodes; each Choose has two Guard children, with guards R(c1), R(¬c1) and R(c2), R(¬c2), over the leaves 1, a, 0, a-1.)
  FCED(x) = Leaf(x)
  FCED(n) = Leaf(n)
  FCED(e1+e2) = Plus(FCED(e1), FCED(e2))
  FCED(if b then e1 else e2) = Choose(||R(b), FCED(e1)||, ||¬R(b), FCED(e2)||)

  9. Normalize Guard Operator
  ||g, f|| = Guard(g, f), if BV(g) < BV(f)
  ||g, Plus(f1, f2)|| = Plus(||g, f1||, ||g, f2||)
  ||g, Choose(f1, f2)|| = Choose(||g, f1||, ||g, f2||)
  ||g1, Guard(g2, f)|| = Guard(||INTERSECT(g1, g2), f||)
  …

  10. Example: Normalize Guard Operator
  Given f, construct ||R(c1), f||.
  (Diagram: f is a Plus of two Choose nodes whose Guard children carry R(¬c2), R(c2), R(c1), R(¬c1) over the leaves z, 6, 2, 3. Pushing R(c1) inward leaves a Guard R(c1) above the c2 branches and intersects the c1 branches into R(c1∧c1) and R(¬c1∧c1).)

  11. Randomized Equivalence Testing for FCEDs
  Assign hash values to nodes of FCEDs in bottom-up manner.
  V: FCED Node → Integer
  • V(Leaf(n)) = n
  • V(Leaf(x)) = r_x
  • V(Plus(f1, f2)) = V(f1) + V(f2)
  • V(Choose(f1, f2)) = V(f1) + V(f2)
  • V(Guard(g, f)) = H(g) × V(f)
  H: Guard → Integer
  • H(true) = 1, H(false) = 0
  • H(c) = r_c
  • H(If(c, g1, g2)) = r_c × H(g1) + (1 − r_c) × H(g2)

  12. Randomized Equivalence Testing for FCEDs
  Completeness: f1 ≡ f2 ⇒ V(f1) = V(f2)
  Soundness: f1 ≢ f2 ⇒ Pr[V(f1) = V(f2)] ≤ s/t
    s: maximum # of nodes in a FCED
    t: size of set from which random values are chosen
  Proof: ∃ 1-1 Poly: FCED → Polynomials such that V(f) is the value of Poly(f)
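The slide-2 program run through the slide-8 construction and the slide-11 hash, as an added worked example (not the authors' code). It assumes a Scale(k, f) node for k·f so that x-u can be written with Plus, a 61-bit prime modulus, a seeded random generator, and guards that need no ||·|| normalization; both a=2 tests share the boolean variable c1 as on slide 4.

```python
import random
from collections import namedtuple

P = (1 << 61) - 1   # prime modulus for the hash values (a constructed choice, not from the slides)
# Guards: True, False, a condition name such as "c1", or If(c, g1, g2); "not c" is If(c, False, True).
If = namedtuple("If", "c g1 g2")
def Not(c): return If(c, False, True)

# FCED nodes from slide 8 (Leaf, Plus, Choose, Guard) plus an assumed Scale(k, f) node standing for
# k*f, so that x - u can be written Plus(x, Scale(-1, u)); V stays linear, so slide 12's argument holds.
Leaf, Plus = namedtuple("Leaf", "term"), namedtuple("Plus", "f1 f2")
Choose, Guard, Scale = namedtuple("Choose", "f1 f2"), namedtuple("Guard", "g f"), namedtuple("Scale", "k f")

class Hasher:
    """Draws one random value r_x per variable and r_c per condition; V and H follow slide 11."""
    def __init__(self, seed=2004): self.rng, self.r = random.Random(seed), {}
    def rand(self, key): return self.r.setdefault(key, self.rng.randrange(1, P))
    def H(self, g):                                        # H: Guard -> Integer
        if isinstance(g, bool): return int(g)              # H(true) = 1, H(false) = 0
        if isinstance(g, str): return self.rand(("c", g))  # H(c) = r_c
        rc = self.rand(("c", g.c))                         # H(If(c,g1,g2)) = r_c*H(g1) + (1-r_c)*H(g2)
        return (rc * self.H(g.g1) + (1 - rc) * self.H(g.g2)) % P
    def V(self, f):                                        # V: FCED Node -> Integer
        if isinstance(f, Leaf): return f.term % P if isinstance(f.term, int) else self.rand(("x", f.term))
        if isinstance(f, (Plus, Choose)): return (self.V(f.f1) + self.V(f.f2)) % P
        if isinstance(f, Guard): return (self.H(f.g) * self.V(f.f)) % P
        return (f.k * self.V(f.f)) % P                     # Scale(k, f)
    def equivalent(self, f1, f2): return self.V(f1) == self.V(f2)  # unequal: not equivalent; equal: equivalent w.h.p.

def ite(c, e_true, e_false):
    """FCED(if c then e1 else e2) = Choose(Guard(R(c), e1), Guard(not R(c), e2)); guards here need no normalizing."""
    return Choose(Guard(c, e_true), Guard(Not(c), e_false))

def slide2_program(c_second="c1"):
    """FCEDs for the slide-2 program. Both tests are a=2, so the boolean abstraction gives both the same
    variable c1; c_second="c2" instead treats the two conditionals as unrelated, like the path-insensitive analysis."""
    a = Leaf("a")
    x = ite("c1", Leaf(2), a)                       # a=2 ? x := 2 : x := a
    y = ite("c1", a, Leaf(2))                       # a=2 ? y := a : y := 2
    u = ite(c_second, Leaf(1), Plus(a, Leaf(-1)))   # a=2 ? u := 1 : u := a-1
    v = ite(c_second, Plus(Leaf(1), a), Leaf(3))    # a=2 ? v := 1+a : v := 3
    return {"y": y, "t1": Plus(x, Scale(-1, u)), "t2": Plus(v, Scale(-1, y))}   # t1 := x-u; t2 := v-y

def check_asserts(c_second="c1"):
    """Which conjuncts of Assert(t1=t2 ∧ t1=1 ∧ y=2) the randomized test confirms (True = hashes agree)."""
    h, f = Hasher(), slide2_program(c_second)
    return {"t1=t2": h.equivalent(f["t1"], f["t2"]),
            "t1=1": h.equivalent(f["t1"], Leaf(1)),
            "y=2": h.equivalent(f["y"], Leaf(2))}
```

check_asserts() confirms t1=t2 and t1=1 but not y=2, matching slide 4; check_asserts("c2"), which decorrelates the two conditionals, confirms only t1=t2, matching slide 3.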

  13. FCEDs for Uninterpreted Functions

  14. FCED Construction
  FCED(x) = Leaf(x)
  FCED(F(e1, e2)) = F(FCED(e1), FCED(e2))
  FCED(if b then e1 else e2) = Choose(||R(b), FCED(e1)||, ||¬R(b), FCED(e2)||)

  15. Randomized Equivalence Testing of FCEDs
  Assign hash values to nodes of FCEDs in bottom-up manner.
  V: FCED Node → Tuple of k integers, k ≥ depth of any FCED
  • V(x) = [r_x, …, r_x]
  • V(Choose(f1, f2)) = V(f1) + V(f2)
  • V(Guard(g, f)) = H(g) × V(f)
  • V(F(f1, f2)) = V(f1) × M + V(f2) × N
  M, N: random k × k matrices

  16. Randomized Equivalence Testing for FCEDs
  Completeness: f1 ≡ f2 ⇒ V(f1) = V(f2)
  Soundness: f1 ≢ f2 ⇒ Pr[V(f1) = V(f2)] ≤
    s: maximum # of nodes in a FCED
    t: size of set from which random values are chosen
  Proof: more involved

  17. Conclusion and Future Work
  • Randomization can help achieve simplicity and efficiency at the expense of making soundness probabilistic.
  • Other interesting possible extensions:
    • Combination of uninterpreted functions with arithmetic
    • Partially interpreted functions like associative functions
    • Memory
    • Inequalities
