Presentation is loading. Please wait.

Presentation is loading. Please wait.

Path-Sensitive Analysis for Linear Arithmetic and Uninterpreted Functions SAS 2004 Sumit Gulwani George Necula EECS Department University of California,

Published byJohn Sullivan Modified over 10 years ago

Similar presentations

Presentation on theme: "Path-Sensitive Analysis for Linear Arithmetic and Uninterpreted Functions SAS 2004 Sumit Gulwani George Necula EECS Department University of California,"— Presentation transcript:

1 Path-Sensitive Analysis for Linear Arithmetic and Uninterpreted Functions SAS 2004 Sumit Gulwani George Necula EECS Department University of California, Berkeley

2 1 y := 2; z := a; y := a; z := 2; u := 1; v := 1+a; t 1 := y-u; t 2 := v-z; True False Example u := a-1; v := 3; Assert(t 1 =t 2 Æ t 1 =1 Æ z=2); a=2? All 3 asserts are true a=2?

3 2 y := 2; z := a; y := a; z := 2; u := 1; v := 1+a; t 1 := y-u; t 2 := v-z; True False Path-Insensitive Analysis u := a-1; v := 3; Assert(t 1 =t 2 Æ t 1 =1 Æ z=2); * Most PTIME analyses treat conditionals as non-deterministic. They will verify only t 1 =t 2 *

4 3 y := 2; z := a; y := a; z := 2; u := 1; v := 1+a; t 1 := y-u; t 2 := v-z; True False Path-Sensitive Analysis u := a-1; v := 3; Assert(t 1 =t 2 Æ t 1 =1 Æ z=2); c1c1 We can do better by doing a boolean abstraction of conditionals. Each atomic predicate is abstracted to a boolean variable This will also verify t 1 =1 This is still abstract though! z=2 not verified undecidable to reason completely c1c1

5 4 Outline Existing approach (MVR) vs. our approach (FCED) FCEDs for linear arithmetic FCEDs for uninterpreted function terms

6 5 y := 2; z := a; y := a; z := 2; u := 1; v := 1+a; t 1 := y-u; t 2 := v-z; True False Multi-Valued ROBDDs (MVRs) c1 2a y =c2 1a-1 u = u := a-1; v := 3; Assert(t 1 =t 2 ); Assert(t 1 =1); c1c1 c2c2 |MVR(t 1 )| = |MVR(y)| £ |MVR(u)| MVR(t 1 ) does not share nodes with MVR(y) and MVR(u) Need a normal form for leaves c1 c2 1-a+3a-11 t 1 =

7 6 y := 2; z := a; y := a; z := 2; u := 1; v := 1+a; t 1 := y-u; t 2 := v-z; True False Free Conditional Expression Diagrams (FCEDs) c1 2a y =c2 1a-1 u = -t 1 = u := a-1; v := 3; Assert(t 1 =t 2 ); Assert(t 1 =1); c1c1 c2c2 |FCED(t 1 )| = |FCED(y)| + |FCED(u)| FCED(t 1 ) shares nodes with FCED(y) and FCED(u) No need for normal form

8 7 Outline Existing approach (MVR) vs. our approach (FCEDs) FCEDs for linear arithmetic FCEDs for uninterpreted function terms

9 8 Problem Definition e = q | y | e 1 § e 2 | q £ e | if b then e 1 else e 2 b = c | b 1 Æ b 2 | b 1 Ç b 2 e: conditional linear arithmetic expression b: boolean formula y: rational variable c: boolean variable q: rational constant Construct FCED for an expression e, given FCEDs for its subexpressions. Check 2 FCEDs for equivalence

10 9 FCED An FCED f is a DAG with the following kind of nodes. f := y | q | Plus(f 1,f 2 ) | Minus(f 1,f 2 ) | Times(q,f) | Choose(f 1,f 2 ) | Guard(g,f) Choose(f 1,f 2 ) means f 1 or f 2 Guard(g,f) means if g then f Boolean expressions g are represented using ROBDDs g := true | false | c | If(c,g 1,g 2 )

11 10 Example c1 2a c2 1a-1 + choose guard choose guard plus R(c1) 2 R( : c1) a R(c2) 1 R( : c2) a-1 Formalization

12 11 Example c1 2a c2 1a-1 + choose guard choose guard plus R(c1) 2 R( : c1) a R(c2) 1 R( : c2) a-1 Formalization

13 12 FCED Construction FCED(y) = Leaf(y) FCED(q) = Leaf(q) FCED(e1+e2) = Plus (FCED(e1), FCED(e2)) FCED(q £ e) = Times(q,FCED(e)) FCED(if b then e1 else e2) = Choose(Guard(R(b),e1), Guard(R(NOT(b)),e2)

14 13 FCED Construction FCED(y) = Leaf(y) FCED(q) = Leaf(q) FCED(e1+e2) = Plus (FCED(e1), FCED(e2)) FCED(q £ e) = Times(q,FCED(e)) FCED(if b then e1 else e2) = Choose(||R(b),FCED(e1)||, ||NOT R(b), FCED(e2)||)

15 14 Normalize Guard Operator Inputs: guard g, FCED f Output: FCED f s.t. f ´ f 8 guard nodes Guard(g,f) in f, BV(g) < BV(f) ||g,f|| = Guard(g,f), if BV(g) < BV(f) ||g, Plus(f 1,f 2 ) = Plus(||g,f 1 ||, ||g, f 2 ||) ||g, Choose(f1,f2) = Choose(||g,f1||, ||g, f2||) ||g 1, Guard(g 2,f )|| = Guard(|| INTERSECT(g 1,g 2 ),f ||) …

16 15 guard R(c1) guard R(c1) guard R(c1) Example: Normalize Guard Operator plus choose guard R(c2) z R( : c2) 6 Given f, construct ||R(c1),f|| guard choose guard R(c1)R( : c1) 3 2 choose guard R( : c1) 3 guard R(c1) 2 R(c1 Æ c1) guard 2 R ( : c1 Æ c1) guard 3 choose

17 16 Randomized Equivalence Testing for FCEDs Assign hash values to nodes of FCEDs in bottom-up manner V: FCED Node ! Integer V(Leaf(q)) = q V(Leaf(y)) = r y V(Plus(f 1,f 2 )) = V(f 1 ) + V(f 2 ) V(Choose(f 1,f 2 )) = V(f 1 ) + V(f 2 ) V(Guard(g,f)) = H(g) £ V(f) H: Guard ! Integer H(true) = 1, H(false) = 0 H(c) = r c H(If(c,g 1,g 2 )) = r c £ H(g 1 ) + (1-r c ) £ H(g 2 )

18 17 Randomized Equivalence Testing for FCEDs Completeness f 1 ´ f 2 ) V(f 1 ) = V(f 2 ) Soundness f 1 ´ f 2 ) Pr[V(f 1 ) = V(f 2 )] · s/t s: maximum # of nodes in a FCED t: size of set from which random values are chosen Proof: 9 1-1 Poly: FCED ! Polynomials such that V(f) is the value of Poly(f)

19 18 Outline Existing approach (MVR) vs. our approach (FCEDs) FCEDs for linear arithmetic FCEDs for uninterpreted function terms

20 19 Problem Definition e = y | F(e 1,e 2 ) | if b then e 1 else e 2 b = c | b 1 Æ b 2 | b 1 Ç b 2 e: conditional uninterpreted function term b: boolean formula y: variable c: boolean variable Construct FCED for an expression e, given FCEDs for its subexpressions. Check 2 FCEDs for equivalence

21 20 FCED An FCED f is a DAG with the following kind of nodes. f := y | F(f 1,f 2 ) | Choose(f 1,f 2 ) | Guard(g,f) Choose(f 1,f 2 ) means f 1 or f 2 Guard(g,f) means if g then f Boolean expressions g are represented using ROBDDs g := true | false | c | If(c,g 1,g 2 )

22 21 FCED Construction FCED(y) = Leaf(y) FCED(F(e 1,e 2 )) = F(FCED(e 1 ), FCED(e 2 )) FCED(if b then e 1 else e 2 ) = Choose(||R(b),FCED(e 1 )||, ||NOT R(b), FCED(e 2 )||)

23 22 Randomized Equivalence Testing of FCEDs Assign hash values to nodes of FCEDs in bottom-up manner V: FCED Node ! Tuple of k integers K ¸ depth of any FCED V(y) = [r y,…r y ] V(Choose(f 1,f 2 )) = V(f 1 ) + V(f 2 ) V(Guard(g,f)) = H(g) £ V(f) V(F(f 1,f 2 )) = V(f 1 ) £ M + V(f 2 ) £ N M, N: random k £ k matrices

24 23 Randomized Equivalence Testing for FCEDs Completeness f 1 ´ f 2 ) V(f 1 ) = V(f 2 ) Soundness f 1 ´ f 2 ) Pr[V(f 1 ) = V(f 2 )] · s: maximum # of nodes in a FCED t: size of set from which random values are chosen Proof: more involved

25 24 Conclusion and Future Work Randomization can help achieve simplicity and efficiency at the expense of making soundness probabilistic. Integrate randomized techniques with symbolic algorithms Few interesting possible extensions: –Combination of uninterpreted functions with arithmetic –Partially interpreted functions like commutative and/or associative functions –Model memory

Download ppt "Path-Sensitive Analysis for Linear Arithmetic and Uninterpreted Functions SAS 2004 Sumit Gulwani George Necula EECS Department University of California,"

Similar presentations

TWO STEP EQUATIONS 1. SOLVE FOR X 2. DO THE ADDITION STEP FIRST

TWO STEP EQUATIONS 1. SOLVE FOR X 2. DO THE ADDITION STEP FIRST
You have been given a mission and a code. Use the code to complete the mission and you will save the world from obliteration…

You have been given a mission and a code. Use the code to complete the mission and you will save the world from obliteration…
Assertion Checking over Combined Abstraction of Linear Arithmetic and Uninterpreted Functions Sumit Gulwani Microsoft Research, Redmond Ashish Tiwari SRI.

Assertion Checking over Combined Abstraction of Linear Arithmetic and Uninterpreted Functions Sumit Gulwani Microsoft Research, Redmond Ashish Tiwari SRI.
Join Algorithms for the Theory of Uninterpreted Functions Sumit Gulwani Ashish Tiwari George Necula UC-Berkeley SRI UC-Berkeley.

Join Algorithms for the Theory of Uninterpreted Functions Sumit Gulwani Ashish Tiwari George Necula UC-Berkeley SRI UC-Berkeley.
Combining Abstract Interpreters Sumit Gulwani Microsoft Research Redmond, Group Ashish Tiwari SRI RADRAD.

Combining Abstract Interpreters Sumit Gulwani Microsoft Research Redmond, Group Ashish Tiwari SRI RADRAD.
A Randomized Satisfiability Procedure for Arithmetic and Uninterpreted Function Symbols Sumit Gulwani George Necula EECS Department University of California,

A Randomized Satisfiability Procedure for Arithmetic and Uninterpreted Function Symbols Sumit Gulwani George Necula EECS Department University of California,
A Polynomial-Time Algorithm for Global Value Numbering SAS 2004 Sumit Gulwani George C. Necula.

A Polynomial-Time Algorithm for Global Value Numbering SAS 2004 Sumit Gulwani George C. Necula.
Program Verification using Probabilistic Techniques Sumit Gulwani Microsoft Research Invited Talk: VSTTE Workshop August 2006 Joint work with George Necula.

Program Verification using Probabilistic Techniques Sumit Gulwani Microsoft Research Invited Talk: VSTTE Workshop August 2006 Joint work with George Necula.
Global Value Numbering using Random Interpretation Sumit Gulwani George C. Necula CS Department University of California, Berkeley.

Global Value Numbering using Random Interpretation Sumit Gulwani George C. Necula CS Department University of California, Berkeley.
Mathematical Preliminaries

Mathematical Preliminaries
Precise Interprocedural Analysis using Random Interpretation Sumit Gulwani George Necula UC-Berkeley.

Precise Interprocedural Analysis using Random Interpretation Sumit Gulwani George Necula UC-Berkeley.
Program Analysis using Random Interpretation Sumit Gulwani UC-Berkeley March 2005.

Program Analysis using Random Interpretation Sumit Gulwani UC-Berkeley March 2005.
Advanced Piloting Cruise Plot.

Advanced Piloting Cruise Plot.
Generating Random Spanning Trees Sourav Chatterji Sumit Gulwani EECS Department University of California, Berkeley.

Generating Random Spanning Trees Sourav Chatterji Sumit Gulwani EECS Department University of California, Berkeley.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 5 Author: Julia Richards and R. Scott Hawley.

Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 5 Author: Julia Richards and R. Scott Hawley.
1 Copyright © 2010, Elsevier Inc. All rights Reserved Fig 2.1 Chapter 2.

1 Copyright © 2010, Elsevier Inc. All rights Reserved Fig 2.1 Chapter 2.
By D. Fisher Geometric Transformations. Reflection, Rotation, or Translation 1.

By D. Fisher Geometric Transformations. Reflection, Rotation, or Translation 1.
Analysis of Algorithms

Analysis of Algorithms
Business Transaction Management Software for Application Coordination 1 www.choreology.com Business Processes and Coordination.

Business Transaction Management Software for Application Coordination 1 Business Processes and Coordination.

Similar presentations

Ads by Google