# Path-Sensitive Analysis for Linear Arithmetic and Uninterpreted Functions SAS 2004 Sumit Gulwani George Necula EECS Department University of California,


Path-Sensitive Analysis for Linear Arithmetic and Uninterpreted Functions. SAS 2004. Sumit Gulwani, George Necula. EECS Department, University of California, Berkeley.

1 Example

The example program (recovered from the flowchart on the slide; both conditionals test a = 2):

    if a = 2 then { y := 2; z := a; } else { y := a; z := 2; }
    if a = 2 then { u := 1; v := 1+a; } else { u := a-1; v := 3; }
    t1 := y-u; t2 := v-z;
    Assert(t1 = t2 ∧ t1 = 1 ∧ z = 2);

All 3 asserts are true.

2 Path-Insensitive Analysis

Same program and assertion as slide 1.

Most PTIME analyses treat conditionals as non-deterministic. They will verify only $t_1 = t_2$.

3 Path-Sensitive Analysis

Same program; both conditionals are now labelled with the boolean variable $c_1$.

We can do better by doing a boolean abstraction of conditionals: each atomic predicate is abstracted to a boolean variable. This will also verify $t_1 = 1$.

This is still abstract though! $z = 2$ is not verified; it is undecidable to reason completely.

4 Outline

- Existing approach (MVR) vs. our approach (FCED)
- FCEDs for linear arithmetic
- FCEDs for uninterpreted function terms

5 Multi-Valued ROBDDs (MVRs)

Same program, now with Assert($t_1 = t_2$) and Assert($t_1 = 1$); the two conditionals are labelled $c_1$ and $c_2$.

- $\mathrm{MVR}(y)$: $c_1 \to 2$, $\neg c_1 \to a$
- $\mathrm{MVR}(u)$: $c_2 \to 1$, $\neg c_2 \to a-1$
- $\mathrm{MVR}(t_1)$: $c_1 \wedge c_2 \to 1$, $c_1 \wedge \neg c_2 \to -a+3$, $\neg c_1 \wedge c_2 \to a-1$, $\neg c_1 \wedge \neg c_2 \to 1$

- $|\mathrm{MVR}(t_1)| = |\mathrm{MVR}(y)| \times |\mathrm{MVR}(u)|$
- $\mathrm{MVR}(t_1)$ does not share nodes with $\mathrm{MVR}(y)$ and $\mathrm{MVR}(u)$
- Need a normal form for leaves

6 Free Conditional Expression Diagrams (FCEDs)

Same program and asserts as slide 5.

- $\mathrm{FCED}(y)$: $c_1 \to 2$, $\neg c_1 \to a$
- $\mathrm{FCED}(u)$: $c_2 \to 1$, $\neg c_2 \to a-1$
- $\mathrm{FCED}(t_1)$: a minus node whose children are the existing diagrams $\mathrm{FCED}(y)$ and $\mathrm{FCED}(u)$

- $|\mathrm{FCED}(t_1)| = |\mathrm{FCED}(y)| + |\mathrm{FCED}(u)|$
- $\mathrm{FCED}(t_1)$ shares nodes with $\mathrm{FCED}(y)$ and $\mathrm{FCED}(u)$
- No need for normal form

7 Outline

- Existing approach (MVR) vs. our approach (FCEDs)
- FCEDs for linear arithmetic
- FCEDs for uninterpreted function terms

8 Problem Definition

$e ::= q \mid y \mid e_1 \pm e_2 \mid q \times e \mid \text{if } b \text{ then } e_1 \text{ else } e_2$

$b ::= c \mid b_1 \wedge b_2 \mid b_1 \vee b_2$

- $e$: conditional linear arithmetic expression
- $b$: boolean formula
- $y$: rational variable
- $c$: boolean variable
- $q$: rational constant

Construct the FCED for an expression $e$, given FCEDs for its subexpressions. Check 2 FCEDs for equivalence.

9 FCED

An FCED $f$ is a DAG with the following kinds of nodes:

$f ::= y \mid q \mid \mathrm{Plus}(f_1,f_2) \mid \mathrm{Minus}(f_1,f_2) \mid \mathrm{Times}(q,f) \mid \mathrm{Choose}(f_1,f_2) \mid \mathrm{Guard}(g,f)$

- $\mathrm{Choose}(f_1,f_2)$ means $f_1$ or $f_2$
- $\mathrm{Guard}(g,f)$ means if $g$ then $f$

Boolean expressions $g$ are represented using ROBDDs:

$g ::= \mathrm{true} \mid \mathrm{false} \mid c \mid \mathrm{If}(c,g_1,g_2)$

10 Example: Formalization

The diagram on the slide formalizes $(\text{if } c_1 \text{ then } 2 \text{ else } a) + (\text{if } c_2 \text{ then } 1 \text{ else } a-1)$ as the FCED

$\mathrm{Plus}(\mathrm{Choose}(\mathrm{Guard}(R(c_1), 2), \mathrm{Guard}(R(\neg c_1), a)),\ \mathrm{Choose}(\mathrm{Guard}(R(c_2), 1), \mathrm{Guard}(R(\neg c_2), a-1)))$

where $R(b)$ is the ROBDD of the boolean formula $b$.


12 FCED Construction

- $\mathrm{FCED}(y) = \mathrm{Leaf}(y)$
- $\mathrm{FCED}(q) = \mathrm{Leaf}(q)$
- $\mathrm{FCED}(e_1 + e_2) = \mathrm{Plus}(\mathrm{FCED}(e_1), \mathrm{FCED}(e_2))$
- $\mathrm{FCED}(q \times e) = \mathrm{Times}(q, \mathrm{FCED}(e))$
- $\mathrm{FCED}(\text{if } b \text{ then } e_1 \text{ else } e_2) = \mathrm{Choose}(\mathrm{Guard}(R(b), \mathrm{FCED}(e_1)), \mathrm{Guard}(R(\neg b), \mathrm{FCED}(e_2)))$

13 FCED Construction

The same rules, with the conditional case using the normalized guard operator $\|g, f\|$ instead of a bare Guard node:

- $\mathrm{FCED}(y) = \mathrm{Leaf}(y)$
- $\mathrm{FCED}(q) = \mathrm{Leaf}(q)$
- $\mathrm{FCED}(e_1 + e_2) = \mathrm{Plus}(\mathrm{FCED}(e_1), \mathrm{FCED}(e_2))$
- $\mathrm{FCED}(q \times e) = \mathrm{Times}(q, \mathrm{FCED}(e))$
- $\mathrm{FCED}(\text{if } b \text{ then } e_1 \text{ else } e_2) = \mathrm{Choose}(\|R(b), \mathrm{FCED}(e_1)\|,\ \|\neg R(b), \mathrm{FCED}(e_2)\|)$

14 Normalize Guard Operator

Inputs: guard $g$, FCED $f$

Output: FCED $f'$ such that $f \equiv f'$ and, for all guard nodes $\mathrm{Guard}(g,f)$ in $f'$, $\mathrm{BV}(g) < \mathrm{BV}(f)$

- $\|g, f\| = \mathrm{Guard}(g, f)$, if $\mathrm{BV}(g) < \mathrm{BV}(f)$
- $\|g, \mathrm{Plus}(f_1,f_2)\| = \mathrm{Plus}(\|g, f_1\|, \|g, f_2\|)$
- $\|g, \mathrm{Choose}(f_1,f_2)\| = \mathrm{Choose}(\|g, f_1\|, \|g, f_2\|)$
- $\|g_1, \mathrm{Guard}(g_2, f)\| = \|\mathrm{INTERSECT}(g_1, g_2), f\|$
- …

15 Example: Normalize Guard Operator

Given $f = \mathrm{Plus}(\mathrm{Choose}(\mathrm{Guard}(R(c_1), 3), \mathrm{Guard}(R(\neg c_1), 2)),\ \mathrm{Choose}(\mathrm{Guard}(R(c_2), z), \mathrm{Guard}(R(\neg c_2), 6)))$, construct $\|R(c_1), f\|$ (diagram on the slide; recovered from its labels).

The guard $R(c_1)$ is pushed down through the Plus and Choose nodes and intersected with the guards it meets, so the leaves 3 and 2 end up under guard nodes labelled $R(c_1 \wedge c_1)$ and $R(\neg c_1 \wedge c_1)$.

16 Randomized Equivalence Testing for FCEDs

Assign hash values to nodes of FCEDs in a bottom-up manner, where $r_y$ and $r_c$ are random values chosen per variable.

$V: \text{FCED Node} \to \text{Integer}$

- $V(\mathrm{Leaf}(q)) = q$
- $V(\mathrm{Leaf}(y)) = r_y$
- $V(\mathrm{Plus}(f_1,f_2)) = V(f_1) + V(f_2)$
- $V(\mathrm{Choose}(f_1,f_2)) = V(f_1) + V(f_2)$
- $V(\mathrm{Guard}(g,f)) = H(g) \times V(f)$

$H: \text{Guard} \to \text{Integer}$

- $H(\mathrm{true}) = 1$, $H(\mathrm{false}) = 0$
- $H(c) = r_c$
- $H(\mathrm{If}(c,g_1,g_2)) = r_c \times H(g_1) + (1 - r_c) \times H(g_2)$

17 Randomized Equivalence Testing for FCEDs

Completeness: $f_1 \equiv f_2 \Rightarrow V(f_1) = V(f_2)$

Soundness: $f_1 \not\equiv f_2 \Rightarrow \Pr[V(f_1) = V(f_2)] \le s/t$

- $s$: maximum number of nodes in an FCED
- $t$: size of the set from which random values are chosen

Proof: there exists a 1-1 map $\mathrm{Poly}: \text{FCED} \to \text{Polynomials}$ such that $V(f)$ is the value of $\mathrm{Poly}(f)$.
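As an added example (not code from the slides or the paper), the hash of slides 16 and 17 in Python, applied to the program of slides 1 to 3 through a `program` helper of my own. Hashing Minus and Times linearly and skipping guard normalization (which preserves $V$) are assumptions made here.

```python
import random

# Added example (not from the slides): FCEDs for conditional linear arithmetic
# with the randomized hash V/H of slide 16. Hashing Minus/Times linearly and
# skipping guard normalization (it preserves V) are assumptions made here.
T = 2**61 - 1                 # size t of the set random values are drawn from
rng = random.Random(2004)     # fixed seed so the run is reproducible
rvals = {}                    # r_y for rational variables, r_c for booleans

def rand(name):
    return rvals.setdefault(name, rng.randrange(1, T))

def H(g):  # guards are ROBDDs: True, False, ("c", name) or ("if", name, g1, g2)
    if g is True:  return 1
    if g is False: return 0
    if g[0] == "c": return rand(g[1])
    rc = rand(g[1])
    return rc * H(g[2]) + (1 - rc) * H(g[3])

def neg(c):                   # R(not c) as the ROBDD If(c, false, true)
    return ("if", c, False, True)

def V(f):  # nodes: ("leaf", q) ("var", y) ("plus"/"minus", f1, f2) ("times", q, f)
    kind = f[0]                 # ("choose", f1, f2) ("guard", g, f)
    if kind == "leaf":   return f[1]
    if kind == "var":    return rand(f[1])
    if kind == "plus":   return V(f[1]) + V(f[2])
    if kind == "minus":  return V(f[1]) - V(f[2])
    if kind == "times":  return f[1] * V(f[2])
    if kind == "choose": return V(f[1]) + V(f[2])
    if kind == "guard":  return H(f[1]) * V(f[2])
    raise ValueError(kind)

def equivalent(f1, f2):       # equal hashes => equivalent, except w.p. <= s/t
    return V(f1) == V(f2)

def cond(c, f_then, f_else):  # FCED(if c then e1 else e2) for an atomic c
    return ("choose", ("guard", ("c", c), f_then), ("guard", neg(c), f_else))

# The program of slides 1-3; the second conditional's boolean variable is
# c_second ("c1" on slide 3, "c2" on slide 5). Returns FCEDs for t1, t2, z.
a = ("var", "a")
def program(c_second):
    y = cond("c1", ("leaf", 2), a)
    z = cond("c1", a, ("leaf", 2))
    u = cond(c_second, ("leaf", 1), ("minus", a, ("leaf", 1)))
    v = cond(c_second, ("plus", ("leaf", 1), a), ("leaf", 3))
    return ("minus", y, u), ("minus", v, z), z
```

With both conditionals abstracted to c1 the hashes show $t_1 = t_2$ and $t_1 = 1$ but not $z = 2$, matching slide 3; with c2 only $t_1 = t_2$ survives, matching the path-insensitive result.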

18 Outline

- Existing approach (MVR) vs. our approach (FCEDs)
- FCEDs for linear arithmetic
- FCEDs for uninterpreted function terms

19 Problem Definition

$e ::= y \mid F(e_1,e_2) \mid \text{if } b \text{ then } e_1 \text{ else } e_2$

$b ::= c \mid b_1 \wedge b_2 \mid b_1 \vee b_2$

- $e$: conditional uninterpreted function term
- $b$: boolean formula
- $y$: variable
- $c$: boolean variable

Construct the FCED for an expression $e$, given FCEDs for its subexpressions. Check 2 FCEDs for equivalence.

20 FCED

An FCED $f$ is a DAG with the following kinds of nodes:

$f ::= y \mid F(f_1,f_2) \mid \mathrm{Choose}(f_1,f_2) \mid \mathrm{Guard}(g,f)$

- $\mathrm{Choose}(f_1,f_2)$ means $f_1$ or $f_2$
- $\mathrm{Guard}(g,f)$ means if $g$ then $f$

Boolean expressions $g$ are represented using ROBDDs:

$g ::= \mathrm{true} \mid \mathrm{false} \mid c \mid \mathrm{If}(c,g_1,g_2)$

21 FCED Construction

- $\mathrm{FCED}(y) = \mathrm{Leaf}(y)$
- $\mathrm{FCED}(F(e_1,e_2)) = F(\mathrm{FCED}(e_1), \mathrm{FCED}(e_2))$
- $\mathrm{FCED}(\text{if } b \text{ then } e_1 \text{ else } e_2) = \mathrm{Choose}(\|R(b), \mathrm{FCED}(e_1)\|,\ \|\neg R(b), \mathrm{FCED}(e_2)\|)$

22 Randomized Equivalence Testing of FCEDs

Assign hash values to nodes of FCEDs in a bottom-up manner.

$V: \text{FCED Node} \to \text{Tuple of } k \text{ integers}$, with $k \ge$ depth of any FCED

- $V(y) = [r_y, \ldots, r_y]$
- $V(\mathrm{Choose}(f_1,f_2)) = V(f_1) + V(f_2)$
- $V(\mathrm{Guard}(g,f)) = H(g) \times V(f)$
- $V(F(f_1,f_2)) = V(f_1) \times M + V(f_2) \times N$
- $M, N$: random $k \times k$ matrices

23 Randomized Equivalence Testing for FCEDs

Completeness: $f_1 \equiv f_2 \Rightarrow V(f_1) = V(f_2)$

Soundness: $f_1 \not\equiv f_2 \Rightarrow \Pr[V(f_1) = V(f_2)] \le$ (bound not given in the transcript)

- $s$: maximum number of nodes in an FCED
- $t$: size of the set from which random values are chosen

Proof: more involved.
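As an added example (not the authors' code), the tuple-valued hash of slide 22 with random matrices $M$ and $N$. Reducing all arithmetic modulo a prime $P$ is an assumption, as are the helper names `vmat`, `cond` and `F`; it checks that `if c then F(x,z) else F(y,z)` hashes equal to `F(if c then x else y, z)`, while `F(x,y)` and `F(y,x)` do not.

```python
import random

# Added example (not from the slides): the tuple-valued hash of slide 22 for
# FCEDs over uninterpreted function terms, with arithmetic reduced mod a prime
# P (an assumption; the slide works over integers). K is the tuple length k.
P = 2**61 - 1
K = 4                         # must be >= the depth of any FCED hashed
rng = random.Random(2004)
rvals, mats = {}, {}

def rand(name):               # r_y for term variables, r_c for booleans
    return rvals.setdefault(name, rng.randrange(1, P))

def rand_matrix(name):        # the random K x K matrices M and N, drawn once
    if name not in mats:
        mats[name] = [[rng.randrange(P) for _ in range(K)] for _ in range(K)]
    return mats[name]

def vadd(u, v): return [(a + b) % P for a, b in zip(u, v)]
def vscale(s, v): return [(s * a) % P for a in v]
def vmat(v, m):               # row vector v times matrix m
    return [sum(v[i] * m[i][j] for i in range(K)) % P for j in range(K)]

def H(g):  # guards are ROBDDs: True, False, ("c", name) or ("if", name, g1, g2)
    if g is True:  return 1
    if g is False: return 0
    if g[0] == "c": return rand(g[1])
    rc = rand(g[1])
    return (rc * H(g[2]) + (1 - rc) * H(g[3])) % P

def V(f):  # nodes: ("var", y) ("F", f1, f2) ("choose", f1, f2) ("guard", g, f)
    kind = f[0]
    if kind == "var":    return [rand(f[1])] * K
    if kind == "F":      return vadd(vmat(V(f[1]), rand_matrix("M")),
                                     vmat(V(f[2]), rand_matrix("N")))
    if kind == "choose": return vadd(V(f[1]), V(f[2]))
    if kind == "guard":  return vscale(H(f[1]), V(f[2]))
    raise ValueError(kind)

def equivalent(f1, f2):       # equal tuples => equivalent, except with small prob.
    return V(f1) == V(f2)

def cond(c, f_then, f_else):  # FCED(if c then e1 else e2) for an atomic c
    return ("choose", ("guard", ("c", c), f_then),
                      ("guard", ("if", c, False, True), f_else))

def F(f1, f2): return ("F", f1, f2)
x, y, z = ("var", "x"), ("var", "y"), ("var", "z")
```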

24 Conclusion and Future Work

- Randomization can help achieve simplicity and efficiency at the expense of making soundness probabilistic.
- Integrate randomized techniques with symbolic algorithms.
- A few interesting possible extensions:
  - Combination of uninterpreted functions with arithmetic
  - Partially interpreted functions, such as commutative and/or associative functions
  - Model memory
