Published by John Sullivan. Modified over 4 years ago.

Path-Sensitive Analysis for Linear Arithmetic and Uninterpreted Functions (SAS 2004)
Sumit Gulwani, George Necula
EECS Department, University of California, Berkeley

Slide 1. Example

    if (a = 2) { y := 2; z := a; } else { y := a; z := 2; }
    if (a = 2) { u := 1; v := 1+a; } else { u := a-1; v := 3; }
    t1 := y - u;
    t2 := v - z;
    Assert(t1 = t2 ∧ t1 = 1 ∧ z = 2);

All 3 asserts are true.

Slide 2. Path-Insensitive Analysis

    if (a = 2) { y := 2; z := a; } else { y := a; z := 2; }
    if (a = 2) { u := 1; v := 1+a; } else { u := a-1; v := 3; }
    t1 := y - u;
    t2 := v - z;
    Assert(t1 = t2 ∧ t1 = 1 ∧ z = 2);

Most PTIME analyses treat conditionals as non-deterministic. They will verify only t1 = t2.

Slide 3. Path-Sensitive Analysis

    if (c1) { y := 2; z := a; } else { y := a; z := 2; }
    if (c1) { u := 1; v := 1+a; } else { u := a-1; v := 3; }
    t1 := y - u;
    t2 := v - z;
    Assert(t1 = t2 ∧ t1 = 1 ∧ z = 2);

We can do better by doing a boolean abstraction of conditionals: each atomic predicate is abstracted to a boolean variable (here both tests of a = 2 become c1). This will also verify t1 = 1.
This is still abstract though: z = 2 is not verified (it is undecidable to reason completely).

Slide 4. Outline
- Existing approach (MVR) vs. our approach (FCED)
- FCEDs for linear arithmetic
- FCEDs for uninterpreted function terms

Slide 5. Multi-Valued ROBDDs (MVRs)

    if (c1) { y := 2; z := a; } else { y := a; z := 2; }
    if (c2) { u := 1; v := 1+a; } else { u := a-1; v := 3; }
    t1 := y - u;
    t2 := v - z;
    Assert(t1 = t2);
    Assert(t1 = 1);

[Figure: MVR(y) branches on c1 with leaves 2 and a; MVR(u) branches on c2 with leaves 1 and a-1; MVR(t1) branches on c1 and then c2 with leaves 1, -a+3, a-1, 1.]

- |MVR(t1)| = |MVR(y)| × |MVR(u)|
- MVR(t1) does not share nodes with MVR(y) and MVR(u)
- Need a normal form for leaves

Slide 6. Free Conditional Expression Diagrams (FCEDs)

    if (c1) { y := 2; z := a; } else { y := a; z := 2; }
    if (c2) { u := 1; v := 1+a; } else { u := a-1; v := 3; }
    t1 := y - u;
    t2 := v - z;
    Assert(t1 = t2);
    Assert(t1 = 1);

[Figure: FCED(y) branches on c1 with leaves 2 and a; FCED(u) branches on c2 with leaves 1 and a-1; FCED(t1) is a single minus node whose children are FCED(y) and FCED(u).]

- |FCED(t1)| = |FCED(y)| + |FCED(u)|
- FCED(t1) shares nodes with FCED(y) and FCED(u)
- No need for normal form

Slide 7. Outline
- Existing approach (MVR) vs. our approach (FCEDs)
- FCEDs for linear arithmetic
- FCEDs for uninterpreted function terms

Slide 8. Problem Definition

    e = q | y | e1 ± e2 | q × e | if b then e1 else e2
    b = c | b1 ∧ b2 | b1 ∨ b2

e: conditional linear arithmetic expression; b: boolean formula; y: rational variable; c: boolean variable; q: rational constant.

Construct the FCED for an expression e, given the FCEDs for its subexpressions. Check 2 FCEDs for equivalence.

Slide 9. FCED

An FCED f is a DAG with the following kinds of nodes:

    f := y | q | Plus(f1, f2) | Minus(f1, f2) | Times(q, f) | Choose(f1, f2) | Guard(g, f)

Choose(f1, f2) means f1 or f2. Guard(g, f) means if g then f.

Boolean expressions g are represented using ROBDDs:

    g := true | false | c | If(c, g1, g2)

Slide 10. Example: Formalization

[Figure: FCED(y) = Choose(Guard(R(c1), 2), Guard(R(¬c1), a)); FCED(u) = Choose(Guard(R(c2), 1), Guard(R(¬c2), a-1)); the root drawn for t1 is a plus node over FCED(y) and FCED(u).]


Slide 12. FCED Construction

    FCED(y) = Leaf(y)
    FCED(q) = Leaf(q)
    FCED(e1 + e2) = Plus(FCED(e1), FCED(e2))
    FCED(q × e) = Times(q, FCED(e))
    FCED(if b then e1 else e2) = Choose(Guard(R(b), FCED(e1)), Guard(R(¬b), FCED(e2)))

Slide 13. FCED Construction

    FCED(y) = Leaf(y)
    FCED(q) = Leaf(q)
    FCED(e1 + e2) = Plus(FCED(e1), FCED(e2))
    FCED(q × e) = Times(q, FCED(e))
    FCED(if b then e1 else e2) = Choose(||R(b), FCED(e1)||, ||¬R(b), FCED(e2)||)

Slide 14. Normalize Guard Operator

Inputs: guard g, FCED f. Output: FCED f' such that f' ≡ f and, for all guard nodes Guard(g, f'') in f', BV(g) < BV(f'').

    ||g, f|| = Guard(g, f), if BV(g) < BV(f)
    ||g, Plus(f1, f2)|| = Plus(||g, f1||, ||g, f2||)
    ||g, Choose(f1, f2)|| = Choose(||g, f1||, ||g, f2||)
    ||g1, Guard(g2, f)|| = ||INTERSECT(g1, g2), f||
    …

Slide 15. Example: Normalize Guard Operator

Given f, construct ||R(c1), f||.

[Figure: f = Plus(Choose(Guard(R(c2), z), Guard(R(¬c2), 6)), Choose(Guard(R(c1), 2), Guard(R(¬c1), 3))). The result keeps Guard(R(c1), …) above the Choose on c2 and pushes the guard into the Choose on c1, giving Choose(Guard(R(c1 ∧ c1), 2), Guard(R(¬c1 ∧ c1), 3)).]

Slide 16. Randomized Equivalence Testing for FCEDs

Assign hash values to nodes of FCEDs in a bottom-up manner.

V: FCED Node → Integer
    V(Leaf(q)) = q
    V(Leaf(y)) = r_y
    V(Plus(f1, f2)) = V(f1) + V(f2)
    V(Choose(f1, f2)) = V(f1) + V(f2)
    V(Guard(g, f)) = H(g) × V(f)

H: Guard → Integer
    H(true) = 1, H(false) = 0
    H(c) = r_c
    H(If(c, g1, g2)) = r_c × H(g1) + (1 - r_c) × H(g2)

Slide 17. Randomized Equivalence Testing for FCEDs

Completeness: f1 ≡ f2 ⇒ V(f1) = V(f2)
Soundness: f1 ≢ f2 ⇒ Pr[V(f1) = V(f2)] ≤ s/t
    s: maximum number of nodes in an FCED
    t: size of the set from which random values are chosen

Proof: ∃ a 1-1 map Poly: FCED → Polynomials such that V(f) is the value of Poly(f).
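The construction of slides 12 to 14 and the hash of slides 16 and 17, carried through in code on the running example from slide 1. This is an added example, not the authors' implementation. It assumes guards are conjunctions of literals instead of ROBDDs, pushes each guard all the way to the leaves (a simpler normal form than the BV-ordering rule on slide 14, but it still merges nested guards with INTERSECT), takes hash values in the field Z_P with a fixed seed, and abstracts the test a = 2 to a boolean variable c1, optionally giving the second conditional an independent c2 as on slide 5.

```python
"""Toy FCEDs with randomized equivalence testing (added example, not the paper's code)."""
from functools import lru_cache
import random

P = (1 << 61) - 1            # hash values live in Z_P (assumption: this is the set of size t)
_rng = random.Random(2004)   # fixed seed so the run is reproducible (assumption)
_r = {}                      # random value r_y / r_c for each rational or boolean variable

def rnd(name):
    if name not in _r:
        _r[name] = _rng.randrange(1, P)
    return _r[name]

# Guard = conjunction of literals (c, polarity) as a frozenset; None stands for `false`.
# Assumption: the paper uses ROBDDs; literal conjunctions suffice for atomic conditions.
def lit(c, positive=True):
    return frozenset({(c, positive)})

def intersect(g1, g2):
    """INTERSECT(g1, g2): conjoin; a contradictory pair of literals yields `false`."""
    if g1 is None or g2 is None:
        return None
    g = g1 | g2
    return None if any((c, not p) in g for c, p in g) else g

# FCED nodes are plain tuples, so structurally equal subterms are shared by the hash cache.
def const(q):       return ("const", q)
def var(y):         return ("leaf", y)
def plus(f1, f2):   return ("plus", f1, f2)
def minus(f1, f2):  return ("minus", f1, f2)
def times(q, f):    return ("times", q, f)
def choose(f1, f2): return ("choose", f1, f2)

def normalize(g, f):
    """||g, f||: push guard g down to the leaves, merging it into any Guard it meets,
    so no Guard sits directly above another Guard (keeps V multilinear in each r_c)."""
    kind = f[0]
    if kind in ("const", "leaf"):
        return ("guard", g, f)
    if kind in ("plus", "minus", "choose"):
        return (kind, normalize(g, f[1]), normalize(g, f[2]))
    if kind == "times":
        return ("times", f[1], normalize(g, f[2]))
    if kind == "guard":
        return normalize(intersect(g, f[1]), f[2])
    raise ValueError(kind)

def ite(c, e1, e2):
    """FCED(if c then e1 else e2) = Choose(||R(c), e1||, ||R(not c), e2||)."""
    return choose(normalize(lit(c), e1), normalize(lit(c, False), e2))

def H(g):
    """H(true)=1, H(false)=0, H(c)=r_c, H(not c)=1-r_c; a conjunction is the product."""
    if g is None:
        return 0
    h = 1
    for c, positive in g:
        h = h * (rnd(c) if positive else (1 - rnd(c))) % P
    return h

@lru_cache(maxsize=None)
def V(f):
    """Bottom-up hash of an FCED node, following the definition of V on slide 16."""
    kind = f[0]
    if kind == "const":  return f[1] % P
    if kind == "leaf":   return rnd(f[1])
    if kind == "plus":   return (V(f[1]) + V(f[2])) % P
    if kind == "minus":  return (V(f[1]) - V(f[2])) % P
    if kind == "times":  return f[1] * V(f[2]) % P
    if kind == "choose": return (V(f[1]) + V(f[2])) % P   # the two branches have disjoint guards
    if kind == "guard":  return H(f[1]) * V(f[2]) % P
    raise ValueError(kind)

def equivalent(f1, f2):
    """Randomized check: equal hashes means equivalent, with error probability at most s/t."""
    return V(f1) == V(f2)

def slide_example(same_condition=True):
    """Running example; with same_condition=False the second conditional gets an
    independent boolean variable c2, as on the MVR slide."""
    c1 = "a=2"
    c2 = c1 if same_condition else "c2"
    a = var("a")
    y = ite(c1, const(2), a)
    z = ite(c1, a, const(2))
    u = ite(c2, const(1), minus(a, const(1)))
    v = ite(c2, plus(const(1), a), const(3))
    t1, t2 = minus(y, u), minus(v, z)
    return {"t1=t2": equivalent(t1, t2),
            "t1=1": equivalent(t1, const(1)),
            "z=2": equivalent(z, const(2))}

if __name__ == "__main__":
    print(slide_example())        # {'t1=t2': True, 't1=1': True, 'z=2': False}
    print(slide_example(False))   # {'t1=t2': True, 't1=1': False, 'z=2': False}
```

With a single boolean variable the test accepts t1 = t2 and t1 = 1 but rejects z = 2, exactly the outcome of slide 3: the abstraction no longer knows that c1 means a = 2. With independent c1 and c2 only t1 = t2 survives, which is what the path-insensitive analysis of slide 2 verifies. Merging guards in normalize matters: a Guard directly above another Guard on the same c would contribute r_c squared to the hash, and an expression such as if c then (if c then 5 else 7) else 9 would no longer hash equal to if c then 5 else 9.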

Slide 18. Outline
- Existing approach (MVR) vs. our approach (FCEDs)
- FCEDs for linear arithmetic
- FCEDs for uninterpreted function terms

Slide 19. Problem Definition

    e = y | F(e1, e2) | if b then e1 else e2
    b = c | b1 ∧ b2 | b1 ∨ b2

e: conditional uninterpreted function term; b: boolean formula; y: variable; c: boolean variable.

Construct the FCED for an expression e, given the FCEDs for its subexpressions. Check 2 FCEDs for equivalence.

Slide 20. FCED

An FCED f is a DAG with the following kinds of nodes:

    f := y | F(f1, f2) | Choose(f1, f2) | Guard(g, f)

Choose(f1, f2) means f1 or f2. Guard(g, f) means if g then f.

Boolean expressions g are represented using ROBDDs:

    g := true | false | c | If(c, g1, g2)

Slide 21. FCED Construction

    FCED(y) = Leaf(y)
    FCED(F(e1, e2)) = F(FCED(e1), FCED(e2))
    FCED(if b then e1 else e2) = Choose(||R(b), FCED(e1)||, ||¬R(b), FCED(e2)||)

Slide 22. Randomized Equivalence Testing of FCEDs

Assign hash values to nodes of FCEDs in a bottom-up manner.

V: FCED Node → tuple of k integers, with k ≥ depth of any FCED
    V(y) = [r_y, …, r_y]
    V(Choose(f1, f2)) = V(f1) + V(f2)
    V(Guard(g, f)) = H(g) × V(f)
    V(F(f1, f2)) = V(f1) × M + V(f2) × N

M, N: random k × k matrices

Slide 23. Randomized Equivalence Testing for FCEDs

Completeness: f1 ≡ f2 ⇒ V(f1) = V(f2)
Soundness: f1 ≢ f2 ⇒ Pr[V(f1) = V(f2)] ≤ (bound not recoverable from the slide text)
    s: maximum number of nodes in an FCED
    t: size of the set from which random values are chosen

Proof: more involved.
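The vector hash of slide 22, as an added example that is not the paper's code. It covers unconditional uninterpreted-function terms only (Choose and Guard nodes are left out), fixes k = 4 on the assumption that no term hashed here is deeper than 4, draws M and N from a seeded generator, and adds a scalar variant (my own illustration, not something the slides propose) to show the kind of collision that a tuple of k integers with non-commuting matrices avoids.

```python
"""Matrix hashing of uninterpreted function terms (added example, not the paper's code)."""
import random

P = (1 << 61) - 1            # hash entries live in Z_P (assumption)
K = 4                        # k >= depth of any term we hash (assumption: depth <= 4 here)
_rng = random.Random(2004)   # fixed seed for reproducibility (assumption)
_r = {}                      # r_y for each variable

def rnd(name):
    if name not in _r:
        _r[name] = _rng.randrange(1, P)
    return _r[name]

def rand_matrix():
    return [[_rng.randrange(P) for _ in range(K)] for _ in range(K)]

M = rand_matrix()            # the two random k x k matrices of slide 22
N = rand_matrix()

def vec_mat(v, A):
    """Row vector times matrix, mod P."""
    return [sum(v[i] * A[i][j] for i in range(K)) % P for j in range(K)]

def vec_add(u, v):
    return [(a + b) % P for a, b in zip(u, v)]

# Terms are tuples: ("leaf", name) or ("F", t1, t2).
def var(y):    return ("leaf", y)
def F(f1, f2): return ("F", f1, f2)

def V(f):
    """V(y) = [r_y, ..., r_y]; V(F(f1, f2)) = V(f1) x M + V(f2) x N."""
    if f[0] == "leaf":
        return [rnd(f[1])] * K
    _, f1, f2 = f
    return vec_add(vec_mat(V(f1), M), vec_mat(V(f2), N))

def equivalent(f1, f2):
    return V(f1) == V(f2)

def scalar_hash(f, m, n):
    """Naive alternative: V(F(f1, f2)) = m*V(f1) + n*V(f2) with scalars m, n.
    Two leaves whose root-to-leaf paths have the same number of left and right
    steps get the same coefficient, because m*n == n*m; matrices do not commute."""
    if f[0] == "leaf":
        return rnd(f[1])
    return (m * scalar_hash(f[1], m, n) + n * scalar_hash(f[2], m, n)) % P

def collision_demo():
    """F(F(x,y),F(z,w)) vs F(F(x,z),F(y,w)): distinct terms, but y and z sit on
    paths left-right and right-left, so the scalar hash cannot tell them apart."""
    x, y, z, w = map(var, "xyzw")
    ta, tb = F(F(x, y), F(z, w)), F(F(x, z), F(y, w))
    m, n = rnd("m"), rnd("n")
    return {"matrix_equal": equivalent(ta, tb),
            "scalar_equal": scalar_hash(ta, m, n) == scalar_hash(tb, m, n)}

if __name__ == "__main__":
    print(collision_demo())   # {'matrix_equal': False, 'scalar_equal': True}
```

The difference between the two vector hashes in collision_demo is (r_y - r_z) times the all-ones row vector times (N·M - M·N), which is non-zero for random matrices, so the matrix hash separates the terms while the scalar variant collides on every choice of m and n.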

Slide 24. Conclusion and Future Work

Randomization can help achieve simplicity and efficiency at the expense of making soundness probabilistic.

Integrate randomized techniques with symbolic algorithms.

A few interesting possible extensions:
– Combination of uninterpreted functions with arithmetic
– Partially interpreted functions like commutative and/or associative functions
– Model memory
