# Assertion Checking over Combined Abstraction of Linear Arithmetic and Uninterpreted Functions

Sumit Gulwani (Microsoft Research, Redmond) and Ashish Tiwari (SRI). Presentation transcript.

## Precision of combined abstraction

Three loops, each controlled by a non-deterministic conditional `*` (True: another iteration, False: exit), each followed by an assertion:

```
a1 := 0; a2 := 0;
while (*) { a1 := a1 + 1; a2 := a2 + 2; }
Assert(a2 = 2a1);

b1 := 1; b2 := F(1);
while (*) { b1 := F(b1); b2 := F(b2); }
Assert(b2 = F(b1));

c1 := 2; c2 := 2;
while (*) { c1 := F(2c1 - c2); c2 := F(c2); }
Assert(c2 = c1);
```

Analysis over the abstraction of linear arithmetic alone can verify the first assertion, and analysis over the abstraction of uninterpreted functions alone can verify the second. The third assertion can be verified only over the combined abstraction.

## Abstract Program Model / Problem Statement

Expression languages:

- Linear Arithmetic: e ::= y | c | e1 ± e2 | c·e
- Uninterpreted Functions: e ::= y | F(e1, e2)
- Combination: e ::= y | c | e1 ± e2 | c·e | F(e1, e2)

Program constructs:

- Assignment: y := e
- Non-deterministic conditional: `*`, with a True branch and a False branch
- Non-deterministic assignment: y := ?
- Assertion: Assert(e1 = e2)

## Earlier Results

| Abstraction | Assertion checking complexity | Decision procedure complexity |
|---|---|---|
| Linear Arithmetic | O(n²), Gulwani-Necula (POPL 03) | O(n³), Gaussian elimination |
| Uninterpreted Functions | O(n⁴), Gulwani-Necula (POPL 04) | O(n log n), congruence closure |
| Combination | coNP-hard! (this paper) | O(n⁴), Nelson-Oppen combination |

## Outline

- Connection between assertion checking and unification
- coNP-hardness
- Algorithm
- Remarks

## Unification Terminology

- A substitution is an (acyclic) mapping of some variables to expressions.
- A substitution σ1 is more general than σ2 if there exists a substitution σ such that σ1 = σ(σ2).
- A substitution σ is a unifier for an equality e1 = e2 if e1[y/σ(y)] = e2[y/σ(y)].

Example: Consider the equality F(y) = F(a) + F(b) - F(a+b-y). { y ↦ a } is a unifier for it, and so is { y ↦ 1, a ↦ 1 }. The former unifier is more general than the latter.

## Unification Terminology (continued)

A set of unifiers { σ1, …, σk } for e1 = e2 is complete if for every unifier σ of e1 = e2 there exists an i such that σi is more general than σ. Let

$$\mathrm{Unif}(e_1 = e_2) \;=\; \bigvee_{i=1}^{k} \bigwedge_{y} \big( y = \sigma_i(y) \big)$$

Example: Consider the equality F(y) = F(a) + F(b) - F(a+b-y). { {y ↦ a}, {y ↦ b} } is a complete set of unifiers for it. Hence, Unif(F(y) = F(a) + F(b) - F(a+b-y)) = (y=a ∨ y=b).

## Connection between Assertion Checking and Unification

An assertion e1 = e2 holds at a program point iff the assertion Unif(e1 = e2) holds at that same program point.

Example: To prove F(y) = F(a) + F(b) - F(a+b-y), you need to prove that y=a ∨ y=b is true.

## Reducing Unsatisfiability to Assertion Checking

The input is a boolean 3-SAT instance with m clauses over variables var_1, …, var_k:

```
IsUnsatisfiable( ) {
  for j = 1 to m: c_j := 0;
  for i = 1 to k do
    if (*)
      ∀ j s.t. var_i occurs positively in clause j: c_j := 1;
    else
      ∀ j s.t. var_i occurs negatively in clause j: c_j := 1;
  y := c_1 + c_2 + … + c_m;
  Assert(y=0 ∨ y=1 ∨ … ∨ y=m-1);
}
```

## Encoding disjunction

The check y=1 ∨ y=2 can be encoded by the assertion F(y) = F(1) + F(2) - F(3-y). The trick can be applied recursively to construct an assertion that encodes y=0 ∨ y=1 ∨ … ∨ y=m-1.

- E.g., y=0 ∨ y=1 ∨ y=2 can be encoded by encoding F(y) = F(0) ∨ F(y) = F(1) + F(2) - F(3-y).
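An added example, not from the slides or the paper: Python that builds the nested encoding of slide 10, evaluates it under a chosen interpretation of F, and runs the reduction of slide 9 by enumerating all 2^k paths. The nesting step for two arbitrary equalities (`or_equalities`) is an identity we supply that reduces to the slide's formula, the clause encoding is our own, and F(x) = x² is used as an exact witness because, for a quadratic F, F(s)+F(t+d)-F(t)-F(s+d) = 2d(t-s) vanishes only when s = t or d = 0.

```python
from itertools import product

# Terms: ('y',) program variable, ('c', n) constant, ('+'/'-', a, b), ('F', a).
Y = ('y',)
def const(n): return ('c', n)
def F(a): return ('F', a)

def evaluate(t, y, f):
    """Value of term t with y bound to an integer and F interpreted as f."""
    op = t[0]
    if op == 'y': return y
    if op == 'c': return t[1]
    if op == 'F': return f(evaluate(t[1], y, f))
    a, b = evaluate(t[1], y, f), evaluate(t[2], y, f)
    return a + b if op == '+' else a - b

def or_equalities(eq1, eq2):
    """(s=t) or (u=v)  ~>  F(s) + F(t+v-u) = F(t) + F(s+v-u); with s=u=y, t=a,
    v=b this is slide 10's F(y) = F(a) + F(b) - F(a+b-y), terms rearranged."""
    (s, t), (u, v) = eq1, eq2
    return (('+', F(s), F(('-', ('+', t, v), u))),
            ('+', F(t), F(('-', ('+', s, v), u))))

def encode_disjunction(values):
    """One equality (lhs, rhs) that holds for every F iff y is in values."""
    eq = (Y, const(values[-1]))
    for v in reversed(values[:-1]):        # nest right-to-left as on slide 10
        eq = or_equalities((Y, const(v)), eq)
    return eq

def holds(eq, y, f):
    return evaluate(eq[0], y, f) == evaluate(eq[1], y, f)
def square(x): return x * x      # exact witness: F(s)+F(t+d)-F(t)-F(s+d) = 2d(t-s)
def linear(x): return 3 * x + 1  # uninformative: a linear F satisfies every encoding

def path_values(clauses, k):
    """y = c_1 + ... + c_m on each of the 2^k paths of slide 9's IsUnsatisfiable;
    a clause is a list of non-zero ints, +i / -i for var_i positive / negative."""
    for choice in product((True, False), repeat=k):
        c = [0] * len(clauses)
        for i, positive in enumerate(choice, start=1):
            for j, clause in enumerate(clauses):
                if (i if positive else -i) in clause:
                    c[j] = 1
        yield sum(c)

def is_unsatisfiable(clauses, k):
    """True iff Assert(y=0 or ... or y=m-1) holds on every path (under F = square)."""
    eq = encode_disjunction(list(range(len(clauses))))
    return all(holds(eq, y, square) for y in path_values(clauses, k))
```

Under `linear` both sides always agree, which is why a single interpretation of F proves nothing; the assertion must hold for every F, and `square` is an interpretation that falsifies the encoding exactly when the disjunction is false.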

## Assertion Checking Algorithm

Backward analysis:

- Perform a weakest precondition computation.
- At each step, replace the current formula by its Unif, which is a stronger and simpler formula.

Termination (reaching a fixpoint across loops)?

- Yes, because of the unifier computations.
- This result is interesting because forward analysis (which attempts to infer invariants) does not terminate, as the lattice has infinite height.

## Proof of Termination

At each program point, the proof obligation has the form

$$\bigvee_{i=1}^{k} \bigwedge_{y} \big( y = \sigma_i(y) \big)$$

In each successive loop iteration, the formula above becomes stronger. We prove this cannot happen indefinitely:

- Assign the formula the measure { number of conjuncts representing unifier σi | i = 1 to k }.
- Show that this measure decreases in some well-founded ordering.

## Further Connections between Assertion Checking and Unification

Question: Can we explain the complexity results more naturally?

Answer: The complexity of assertion checking appears to depend on the cardinality of a complete set of unifiers for equalities in the corresponding abstraction.

| Abstraction | Cardinality of complete set of unifiers | Complexity |
|---|---|---|
| Linear Arithmetic | Unitary | PTime |
| Uninterpreted Functions | Unitary | PTime |
| Combination | Finitary | coNP-hard, but decidable |

## Related work on combining abstract interpreters

Question: Is there an efficient analysis to reason about most assertions?

Answer (PLDI 06): Given abstract interpreters for

- lattice L1 (e.g., linear equalities, Gulwani-Necula POPL 03), and
- lattice L2 (e.g., uninterpreted functions, Gulwani-Necula POPL 04),

one can obtain an abstract interpreter for the logical product of L1 and L2.

- Cons: it cannot reason about all assertions.
- Pros: polynomial time; it can reason about conditionals.

## Conclusion

Assertion checking for the combination of linear arithmetic and uninterpreted functions is:

- coNP-hard,
- but decidable.

We prove these (surprising!) results by establishing connections between assertion checking and unification. These results motivate the logical product combination of lattices, which entails slightly imprecise, but efficient and automated, reasoning (PLDI 06).
