Path-Sensitive Analysis for Linear Arithmetic and Uninterpreted Functions, SAS 2004. Sumit Gulwani, George Necula, EECS Department, University of California, Berkeley

1  Example

   if (a=2) then { y := 2; z := a; } else { y := a; z := 2; }
   if (a=2) then { u := 1; v := 1+a; } else { u := a-1; v := 3; }
   t1 := y-u;
   t2 := v-z;
   Assert(t1=t2 ∧ t1=1 ∧ z=2);

   All 3 asserts are true.

2  Path-Insensitive Analysis

   if (*) then { y := 2; z := a; } else { y := a; z := 2; }
   if (*) then { u := 1; v := 1+a; } else { u := a-1; v := 3; }
   t1 := y-u;
   t2 := v-z;
   Assert(t1=t2 ∧ t1=1 ∧ z=2);

   Most PTIME analyses treat conditionals as non-deterministic (*).
   They will verify only t1=t2.

3  Path-Sensitive Analysis

   if (c1) then { y := 2; z := a; } else { y := a; z := 2; }
   if (c1) then { u := 1; v := 1+a; } else { u := a-1; v := 3; }
   t1 := y-u;
   t2 := v-z;
   Assert(t1=t2 ∧ t1=1 ∧ z=2);

   We can do better by doing a boolean abstraction of conditionals:
   each atomic predicate is abstracted to a boolean variable (here a=2 becomes c1).
   This will also verify t1=1.
   This is still abstract though! z=2 is not verified;
   it is undecidable to reason completely.

4  Outline
   – Existing approach (MVR) vs. our approach (FCED)
   – FCEDs for linear arithmetic
   – FCEDs for uninterpreted function terms

5  Multi-Valued ROBDDs (MVRs)

   if (c1) then { y := 2; z := a; } else { y := a; z := 2; }
   if (c2) then { u := 1; v := 1+a; } else { u := a-1; v := 3; }
   t1 := y-u;
   t2 := v-z;
   Assert(t1=t2);
   Assert(t1=1);

   y  = MVR rooted at c1 with leaves 2 (c1 true) and a (c1 false)
   u  = MVR rooted at c2 with leaves 1 (c2 true) and a-1 (c2 false)
   t1 = MVR rooted at c1, then c2, with leaves 1, -a+3, a-1, 1
        for (c1,c2) = (true,true), (true,false), (false,true), (false,false)

   |MVR(t1)| = |MVR(y)| × |MVR(u)|
   MVR(t1) does not share nodes with MVR(y) and MVR(u)
   Need a normal form for leaves

6  Free Conditional Expression Diagrams (FCEDs)

   if (c1) then { y := 2; z := a; } else { y := a; z := 2; }
   if (c2) then { u := 1; v := 1+a; } else { u := a-1; v := 3; }
   t1 := y-u;
   t2 := v-z;
   Assert(t1=t2);
   Assert(t1=1);

   y  = diagram over c1 with leaves 2 and a
   u  = diagram over c2 with leaves 1 and a-1
   t1 = a "-" node whose two children are the diagrams for y and u

   |FCED(t1)| = |FCED(y)| + |FCED(u)|
   FCED(t1) shares nodes with FCED(y) and FCED(u)
   No need for normal form

7  Outline
   – Existing approach (MVR) vs. our approach (FCEDs)
   – FCEDs for linear arithmetic
   – FCEDs for uninterpreted function terms

8  Problem Definition
   e = q | y | e1 ± e2 | q × e | if b then e1 else e2
   b = c | b1 ∧ b2 | b1 ∨ b2
   e: conditional linear arithmetic expression
   b: boolean formula
   y: rational variable
   c: boolean variable
   q: rational constant
   Construct FCED for an expression e, given FCEDs for its subexpressions.
   Check 2 FCEDs for equivalence.

9  FCED
   An FCED f is a DAG with the following kinds of nodes:
   f := y | q | Plus(f1,f2) | Minus(f1,f2) | Times(q,f) | Choose(f1,f2) | Guard(g,f)
   Choose(f1,f2) means f1 or f2
   Guard(g,f) means if g then f
   Boolean expressions g are represented using ROBDDs:
   g := true | false | c | If(c,g1,g2)

10  Example
    Formalization of the diagram for (if c1 then 2 else a) + (if c2 then 1 else a-1):
      Plus(
        Choose(Guard(R(c1), 2), Guard(R(¬c1), a)),
        Choose(Guard(R(c2), 1), Guard(R(¬c2), a-1)) )


12  FCED Construction
    FCED(y) = Leaf(y)
    FCED(q) = Leaf(q)
    FCED(e1+e2) = Plus(FCED(e1), FCED(e2))
    FCED(q × e) = Times(q, FCED(e))
    FCED(if b then e1 else e2) = Choose(Guard(R(b), FCED(e1)), Guard(R(NOT(b)), FCED(e2)))

13  FCED Construction
    FCED(y) = Leaf(y)
    FCED(q) = Leaf(q)
    FCED(e1+e2) = Plus(FCED(e1), FCED(e2))
    FCED(q × e) = Times(q, FCED(e))
    FCED(if b then e1 else e2) = Choose(||R(b), FCED(e1)||, ||NOT R(b), FCED(e2)||)

14  Normalize Guard Operator
    Inputs: guard g, FCED f
    Output: FCED f' such that f' ≡ f and, for all guard nodes Guard(g,f) in f', BV(g) < BV(f)

    ||g, f|| = Guard(g, f),  if BV(g) < BV(f)
    ||g, Plus(f1,f2)|| = Plus(||g, f1||, ||g, f2||)
    ||g, Choose(f1,f2)|| = Choose(||g, f1||, ||g, f2||)
    ||g1, Guard(g2,f)|| = ||INTERSECT(g1,g2), f||
    …

15  Example: Normalize Guard Operator
    Given f, construct ||R(c1), f||, where
      f = Plus( Choose(Guard(R(c2), z), Guard(R(¬c2), 6)),
                Choose(Guard(R(c1), 2), Guard(R(¬c1), 3)) )
    The guard R(c1) is pushed down through the Plus and Choose nodes and intersected
    with the guards it meets, giving Guard(R(c1 ∧ c1), 2) and Guard(R(¬c1 ∧ c1), 3)
    (the latter guard is false).

16  Randomized Equivalence Testing for FCEDs
    Assign hash values to nodes of FCEDs in bottom-up manner.
    V: FCED Node → Integer
      V(Leaf(q)) = q
      V(Leaf(y)) = r_y
      V(Plus(f1,f2)) = V(f1) + V(f2)
      V(Choose(f1,f2)) = V(f1) + V(f2)
      V(Guard(g,f)) = H(g) × V(f)
    H: Guard → Integer
      H(true) = 1, H(false) = 0
      H(c) = r_c
      H(If(c,g1,g2)) = r_c × H(g1) + (1-r_c) × H(g2)

17  Randomized Equivalence Testing for FCEDs
    Completeness: f1 ≡ f2 ⇒ V(f1) = V(f2)
    Soundness: f1 ≢ f2 ⇒ Pr[V(f1) = V(f2)] ≤ s/t
      s: maximum # of nodes in a FCED
      t: size of set from which random values are chosen
    Proof: Poly: FCED → Polynomials such that V(f) is the value of Poly(f)
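The construction and hashing of slides 13, 14 and 16, run on the program of slides 1 and 3, as an added Python example that is not part of the original slides. It assumes: values live in Z_P for the Mersenne prime P = 2^61 - 1 (so t = P in the s/t bound of slide 17); guards are kept as small boolean formulas and H is computed by Shannon expansion, which plays the role of the ROBDD If node; Minus and Times hash as V(f1) - V(f2) and q × V(f), rules slide 16 leaves out; and the ||g,f|| operator stops pushing a guard down as soon as the guard's variables are disjoint from those inside f, in place of the BV(g) < BV(f) variable order. The tuple encoding of expressions, the sample terms and every function name are this example's own.

```python
import random

P = (1 << 61) - 1   # random values are drawn from Z_P, so t = P in the s/t bound of slide 17

# Guards g: True | False | ('c', name) | ('not', g) | ('and', g1, g2) | ('or', g1, g2)
def guard_vars(g):
    if isinstance(g, bool):
        return set()
    return {g[1]} if g[0] == 'c' else set().union(*(guard_vars(x) for x in g[1:]))

def restrict(g, c, val):
    """g with boolean variable c replaced by the constant val."""
    if isinstance(g, bool):
        return g
    if g[0] == 'c':
        return val if g[1] == c else g
    return (g[0],) + tuple(restrict(x, c, val) for x in g[1:])

def evaluate(g):
    """Truth value of a variable-free guard."""
    if isinstance(g, bool):
        return g
    if g[0] == 'not':
        return not evaluate(g[1])
    return evaluate(g[1]) and evaluate(g[2]) if g[0] == 'and' else evaluate(g[1]) or evaluate(g[2])

def H(g, r):
    """Slide 16: H(true)=1, H(false)=0, H(c)=r_c, and Shannon expansion on c (the ROBDD
    If node) gives H(If(c,g1,g2)) = r_c*H(g1) + (1-r_c)*H(g2)."""
    vs = guard_vars(g)
    if not vs:
        return 1 if evaluate(g) else 0
    c = min(vs)
    return (r[c] * H(restrict(g, c, True), r) + (1 - r[c]) * H(restrict(g, c, False), r)) % P

# FCED nodes: ('leaf', q or y) | ('plus'|'minus'|'choose', f1, f2) | ('times', q, f) | ('guard', g, f)
def var_names(f):
    """All boolean and rational variables occurring in f."""
    if f[0] == 'leaf':
        return {f[1]} if isinstance(f[1], str) else set()
    if f[0] == 'guard':
        return guard_vars(f[1]) | var_names(f[2])
    return var_names(f[2]) if f[0] == 'times' else var_names(f[1]) | var_names(f[2])

def norm_guard(g, f):
    """||g, f|| of slide 14: push g towards the leaves and INTERSECT it with the guards it
    meets, so no variable is guarded twice on one root-to-leaf path. That keeps V(f)
    multilinear in the r_c, which is what the hash relies on."""
    if not (guard_vars(g) & var_names(f)):   # assumed stop rule in place of BV(g) < BV(f)
        return ('guard', g, f)
    if f[0] == 'guard':
        return norm_guard(('and', g, f[1]), f[2])
    if f[0] == 'times':
        return ('times', f[1], norm_guard(g, f[2]))
    return (f[0], norm_guard(g, f[1]), norm_guard(g, f[2]))

def fced(e):
    """Construction of slide 13. Expressions e: int | str | ('+'|'-', e1, e2) | ('*', q, e)
    | ('if', b, e1, e2) with b a guard formula (R(b) is b itself here, not an ROBDD)."""
    if isinstance(e, (int, str)):
        return ('leaf', e)
    if e[0] in ('+', '-'):
        return ('plus' if e[0] == '+' else 'minus', fced(e[1]), fced(e[2]))
    if e[0] == '*':
        return ('times', e[1], fced(e[2]))
    _, b, e1, e2 = e
    return ('choose', norm_guard(b, fced(e1)), norm_guard(('not', b), fced(e2)))

def V(f, r):
    """Hash of slide 16, bottom-up (the Minus and Times rules are assumed extensions)."""
    if f[0] == 'leaf':
        return f[1] % P if isinstance(f[1], int) else r[f[1]]
    if f[0] in ('plus', 'choose'):
        return (V(f[1], r) + V(f[2], r)) % P
    if f[0] == 'minus':
        return (V(f[1], r) - V(f[2], r)) % P
    if f[0] == 'times':
        return (f[1] * V(f[2], r)) % P
    return (H(f[1], r) * V(f[2], r)) % P

def equivalent(e1, e2, trials=3, seed=0):
    """Equivalent expressions always hash equal (completeness); non-equivalent ones
    collide with probability at most s/t per independent trial (soundness)."""
    f1, f2 = fced(e1), fced(e2)
    names = sorted(var_names(f1) | var_names(f2))
    for i in range(trials):
        rng = random.Random(seed + i)
        r = {n: rng.randrange(P) for n in names}
        if V(f1, r) != V(f2, r):
            return False
    return True

# Running example of slides 1 and 3: both conditionals abstract a=2 to the same c1.
C1 = ('c', 'c1')
y_e, z_e = ('if', C1, 2, 'a'), ('if', C1, 'a', 2)
u_e, v_e = ('if', C1, 1, ('-', 'a', 1)), ('if', C1, ('+', 1, 'a'), 3)
t1_e, t2_e = ('-', y_e, u_e), ('-', v_e, z_e)
# With independent c1 and c2 as on slides 5 and 6, t1 = 1 no longer holds.
t1_indep = ('-', y_e, ('if', ('c', 'c2'), 1, ('-', 'a', 1)))
```

`equivalent(t1_e, t2_e)` and `equivalent(t1_e, 1)` return True, while `equivalent(z_e, 2)` returns False, matching slide 3: the boolean abstraction keeps no link between c1 and a=2, so z = if c1 then a else 2 is not provably 2. `equivalent(t1_indep, 1)` is False as well, as expected once c1 and c2 are independent. The guard pushing in `norm_guard` is what keeps the hash correct when a boolean variable is nested under itself: without it, Guard(c1, Guard(c1, f)) would hash to r_c1² × V(f) rather than r_c1 × V(f), and the polynomial argument of slide 17 would no longer apply.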

18  Outline
    – Existing approach (MVR) vs. our approach (FCEDs)
    – FCEDs for linear arithmetic
    – FCEDs for uninterpreted function terms

19  Problem Definition
    e = y | F(e1,e2) | if b then e1 else e2
    b = c | b1 ∧ b2 | b1 ∨ b2
    e: conditional uninterpreted function term
    b: boolean formula
    y: variable
    c: boolean variable
    Construct FCED for an expression e, given FCEDs for its subexpressions.
    Check 2 FCEDs for equivalence.

20  FCED
    An FCED f is a DAG with the following kinds of nodes:
    f := y | F(f1,f2) | Choose(f1,f2) | Guard(g,f)
    Choose(f1,f2) means f1 or f2
    Guard(g,f) means if g then f
    Boolean expressions g are represented using ROBDDs:
    g := true | false | c | If(c,g1,g2)

21  FCED Construction
    FCED(y) = Leaf(y)
    FCED(F(e1,e2)) = F(FCED(e1), FCED(e2))
    FCED(if b then e1 else e2) = Choose(||R(b), FCED(e1)||, ||NOT R(b), FCED(e2)||)

22  Randomized Equivalence Testing of FCEDs
    Assign hash values to nodes of FCEDs in bottom-up manner.
    V: FCED Node → Tuple of k integers, with k ≥ depth of any FCED
      V(y) = [r_y, …, r_y]
      V(Choose(f1,f2)) = V(f1) + V(f2)
      V(Guard(g,f)) = H(g) × V(f)
      V(F(f1,f2)) = V(f1) × M + V(f2) × N
    M, N: random k × k matrices

23  Randomized Equivalence Testing for FCEDs
    Completeness: f1 ≡ f2 ⇒ V(f1) = V(f2)
    Soundness: f1 ≢ f2 ⇒ Pr[V(f1) = V(f2)] ≤
      s: maximum # of nodes in a FCED
      t: size of set from which random values are chosen
    Proof: more involved
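The k-vector hash of slide 22 for conditional uninterpreted-function terms, as an added Python example that is not part of the original slides. It assumes: all vector and matrix arithmetic is modulo the prime P = 2^61 - 1; guards are single literals on boolean variables, so no guard normalisation is needed; k is taken as the larger F-nesting depth of the two terms compared (at least 1), which satisfies slide 22's k ≥ depth; and the term encoding, the sample terms and the function names are this example's own.

```python
import random

P = (1 << 61) - 1   # all vector and matrix arithmetic is modulo P (assumption)

# Terms t: str (variable y) | ('F', t1, t2) | ('if', g, t1, t2)
# with g a single literal ('c', name) or ('not', name) over a boolean variable.
def depth(t):
    """Nesting depth of F; slide 22 asks for k at least this large."""
    if isinstance(t, str):
        return 0
    if t[0] == 'F':
        return 1 + max(depth(t[1]), depth(t[2]))
    return max(depth(t[2]), depth(t[3]))

def variables(t):
    """Term variables and boolean guard variables occurring in t."""
    if isinstance(t, str):
        return {t}
    if t[0] == 'F':
        return variables(t[1]) | variables(t[2])
    return {t[1][1]} | variables(t[2]) | variables(t[3])

def vec_add(u, v):
    return [(x + y) % P for x, y in zip(u, v)]

def vec_scale(s, v):
    return [(s * x) % P for x in v]

def vec_mat(v, M):
    """Row vector v times the k x k matrix M."""
    k = len(v)
    return [sum(v[i] * M[i][j] for i in range(k)) % P for j in range(k)]

def H(g, r):
    """H(c) = r_c and H(not c) = 1 - r_c, the slide-16 rule applied to If(c, false, true)."""
    return r[g[1]] if g[0] == 'c' else (1 - r[g[1]]) % P

def V(t, r, M, N, k):
    """Slide 22: V(y) = [r_y,...,r_y]; V(Choose(f1,f2)) = V(f1) + V(f2);
    V(Guard(g,f)) = H(g) x V(f); V(F(f1,f2)) = V(f1) x M + V(f2) x N."""
    if isinstance(t, str):
        return [r[t]] * k
    if t[0] == 'F':
        return vec_add(vec_mat(V(t[1], r, M, N, k), M), vec_mat(V(t[2], r, M, N, k), N))
    g, t1, t2 = t[1], t[2], t[3]
    not_g = ('not', g[1]) if g[0] == 'c' else ('c', g[1])
    return vec_add(vec_scale(H(g, r), V(t1, r, M, N, k)),
                   vec_scale(H(not_g, r), V(t2, r, M, N, k)))

def equivalent(t1, t2, trials=3, seed=0):
    """Randomised test of t1 == t2 as conditional uninterpreted-function terms:
    fresh r, M and N per trial; any disagreement proves non-equivalence."""
    k = max(depth(t1), depth(t2), 1)
    names = sorted(variables(t1) | variables(t2))
    for i in range(trials):
        rng = random.Random(seed + i)
        r = {n: rng.randrange(P) for n in names}
        M = [[rng.randrange(P) for _ in range(k)] for _ in range(k)]
        N = [[rng.randrange(P) for _ in range(k)] for _ in range(k)]
        if V(t1, r, M, N, k) != V(t2, r, M, N, k):
            return False
    return True

# Constructed sample terms: a conditional above F versus the same conditional pushed
# into F's argument (equivalent), alongside pairs an uninterpreted F must keep apart.
C1 = ('c', 'c1')
pushed_out = ('if', C1, ('F', 'x', 'y'), ('F', 'x', 'z'))
pushed_in = ('F', 'x', ('if', C1, 'y', 'z'))
```

`equivalent(pushed_out, pushed_in)` is True because V is linear in each argument and H(c) + H(¬c) = 1, so a Choose above an F application hashes exactly like the Choose moved into F's argument. F(a,b) versus F(b,a) and F(F(a,b),c) versus F(a,F(b,c)) are told apart, as they must be for a function about which nothing is assumed; the random matrices M and N are what distinguish the two argument positions.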

24  Conclusion and Future Work
    Randomization can help achieve simplicity and efficiency at the expense of making soundness probabilistic.
    Integrate randomized techniques with symbolic algorithms.
    A few interesting possible extensions:
      – Combination of uninterpreted functions with arithmetic
      – Partially interpreted functions like commutative and/or associative functions
      – Model memory