Logical Abstract Interpretation Sumit Gulwani Microsoft Research, Redmond.

Slides:



Advertisements
Similar presentations
Assertion Checking over Combined Abstraction of Linear Arithmetic and Uninterpreted Functions Sumit Gulwani Microsoft Research, Redmond Ashish Tiwari SRI.
Advertisements

Join Algorithms for the Theory of Uninterpreted Functions Sumit Gulwani Ashish Tiwari George Necula UC-Berkeley SRI UC-Berkeley.
Combining Abstract Interpreters Sumit Gulwani Microsoft Research Redmond, Group Ashish Tiwari SRI RADRAD.
A Randomized Satisfiability Procedure for Arithmetic and Uninterpreted Function Symbols Sumit Gulwani George Necula EECS Department University of California,
A Polynomial-Time Algorithm for Global Value Numbering SAS 2004 Sumit Gulwani George C. Necula.
Path-Sensitive Analysis for Linear Arithmetic and Uninterpreted Functions SAS 2004 Sumit Gulwani George Necula EECS Department University of California,
Program Verification using Probabilistic Techniques Sumit Gulwani Microsoft Research Invited Talk: VSTTE Workshop August 2006 Joint work with George Necula.
Global Value Numbering using Random Interpretation Sumit Gulwani George C. Necula CS Department University of California, Berkeley.
Precise Interprocedural Analysis using Random Interpretation Sumit Gulwani George Necula UC-Berkeley.
Program Analysis using Random Interpretation Sumit Gulwani UC-Berkeley March 2005.
Automated Theorem Proving
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Linear real and integer arithmetic. Fixed-size bit-vectors Uninterpreted functions Extensional arrays Quantifiers Model generation Several input formats.
Finding bugs: Analysis Techniques & Tools Symbolic Execution & Constraint Solving CS161 Computer Security Cho, Chia Yuan.
Satisfiability Modulo Theories (An introduction)
Linked List Implementation class List { private List next; private Object data; private static List root; private static int size; public static void addNew(Object.
IP=PSPACE Nikhil Srivastava CPSC 468/568. Outline IP Warmup: coNP  IP by arithmetization PSPACE (wrong) attempt at PSPACE  IP (revised) PSPACE  IP.
1 How to transform an analyzer into a verifier. 2 OUTLINE OF THE LECTURE a verification technique which combines abstract interpretation and Park’s fixpoint.
Inferring Disjunctive Postconditions Corneliu Popeea and Wei-Ngan Chin School of Computing National University of Singapore - ASIAN
Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
1 Cover Algorithms and Their Combination Sumit Gulwani, Madan Musuvathi Microsoft Research, Redmond.
CSE Winter 2008 Introduction to Program Verification January 24 tautology checking, take 2.
Program Analysis as Constraint Solving Sumit Gulwani (MSR Redmond) Ramarathnam Venkatesan (MSR Redmond) Saurabh Srivastava (Univ. of Maryland) TexPoint.
Lifting Abstract Interpreters to Quantified Logical Domains Sumit Gulwani, MSR Bill McCloskey, UCB Ashish Tiwari, SRI 1.
Program Verification as Probabilistic Inference Sumit Gulwani Nebojsa Jojic Microsoft Research, Redmond.
Assertion Checking Unified Sumit Gulwani Microsoft Research, Redmond Ashish Tiwari SRI.
Precise Inter-procedural Analysis Sumit Gulwani George C. Necula using Random Interpretation presented by Kian Win Ong UC Berkeley.
1 Operational Semantics Mooly Sagiv Tel Aviv University Textbook: Semantics with Applications.
Interpolants [Craig 1957] G(y,z) F(x,y)
Program Analysis Using Randomization Sumit Gulwani, George Necula (U.C. Berkeley)
Technion 1 Generating minimum transitivity constraints in P-time for deciding Equality Logic Ofer Strichman and Mirron Rozanov Technion, Haifa, Israel.
A Numerical Abstract Domain based on Expression Abstraction + Max Operator with Application in Timing Analysis Sumit Gulwani (MSR Redmond) Bhargav Gulavani.
VS 3 : Verification and Synthesis using SMT Solvers SMT Solvers for Program Verification Saurabh Srivastava * Sumit Gulwani ** Jeffrey S. Foster * * University.
Program Verification using Templates over Predicate Abstraction Saurabh Srivastava University of Maryland, College Park Sumit Gulwani Microsoft Research,
ECI 2007: Specification and Verification of Object- Oriented Programs Lecture 4.
A Polynomial-Time Algorithm for Global Value Numbering SAS 2004 Sumit Gulwani George C. Necula.
1 A Combination Method for Generating Interpolants by G. Yorsh and M. Masuvathi Presentation by: Emilia Katz.
TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A Sumit Gulwani (Microsoft Research, Redmond, USA) Symbolic Bound Computation.
Ofer Strichman, Technion Deciding Combined Theories.
Daniel Kroening and Ofer Strichman 1 Decision Procedures in First Order Logic Decision Procedures for Equality Logic.
1/25 Pointer Logic Changki PSWLAB Pointer Logic Daniel Kroening and Ofer Strichman Decision Procedure.
Deciding a Combination of Theories - Decision Procedure - Changki pswlab Combination of Theories Daniel Kroening, Ofer Strichman Presented by Changki.
1 A Combination Method for Generating Interpolants Greta Yorsh Madan Musuvathi Tel Aviv University, Israel Microsoft Research, Redmond, US CAV’05.
SAT and SMT solvers Ayrat Khalimov (based on Georg Hofferek‘s slides) AKDV 2014.
Program Correctness. 2 Program Verification An object is a finite state machine: –Its attribute values are its state. –Its methods optionally: Transition.
Slide 1 Propositional Definite Clause Logic: Syntax, Semantics and Bottom-up Proofs Jim Little UBC CS 322 – CSP October 20, 2014.
Lazy Annotation for Program Testing and Verification Speaker: Chen-Hsuan Adonis Lin Advisor: Jie-Hong Roland Jiang November 26,
Ruzica Piskac Max Planck Institute for Software Systems, Germany.
Decision methods for arithmetic Third summer school on formal methods Leonardo de Moura Microsoft Research.
Random Interpretation Sumit Gulwani UC-Berkeley. 1 Program Analysis Applications in all aspects of software development, e.g. Program correctness Compiler.
Chapter Relations and Their Properties
Visual Basic CDA College Limassol Campus COM123 Visual Basic Programming Semester C Lecture:Pelekanou Olga Week 4: Understand and implement Decisions.
Daniel Kroening and Ofer Strichman Decision Procedures An Algorithmic Point of View Deciding Combined Theories.
Operational Semantics Mooly Sagiv Tel Aviv University Textbook: Semantics with Applications Chapter.
1/20 Arrays Changki PSWLAB Arrays Daniel Kroening and Ofer Strichman Decision Procedure.
Operational Semantics Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday Schrieber.
1 A framework for eager encoding Daniel Kroening ETH, Switzerland Ofer Strichman Technion, Israel (Executive summary) (submitted to: Formal Aspects of.
Deciding Combined Theories Presented by Adi Sosnovich Based on presentation from: Decision Procedures An Algorithmic Point of View Daniel Kroening and.
Computer Systems Laboratory Stanford University Clark W. Barrett David L. Dill Aaron Stump A Framework for Cooperating Decision Procedures.
Daniel Kroening and Ofer Strichman 1 Decision Procedures in First Order Logic Decision Procedures for Equality Logic.
Complexity 27-1 Complexity Andrei Bulatov Interactive Proofs (continued)
Daniel Kroening and Ofer Strichman 1 Decision Procedures for Equality Logic 1.
Decision Procedures in First Order Logic
Lifting Abstract Interpreters to Quantified Logical Domains (POPL’08)
Nested Quantifiers Goals: Explain how to work with nested quantifiers
Great Theoretical Ideas in Computer Science
Decidability of logical theories
Symbolic Characterization of Heap Abstractions
Decidability of logical theories
Presentation transcript:

Logical Abstract Interpretation Sumit Gulwani Microsoft Research, Redmond

Final Goal of the class Automatically verify partial correctness of programs like the following using abstract interpretation. Void Init(int* A, int n) { for (i := 0; i<n; i++;) A[i] := 0; for (j := 0; j<n; j++;) Assert(A[j] = 0); }

Outline Decision Procedures –Linear Arithmetic –Uninterpreted Functions –Combination of Linear Arithmetic and Uninterpreted Fns Logical Abstract Interpretation –Linear Arithmetic –Uninterpreted Functions –Combination of Linear Arithmetic and Uninterpreted Fns –Universally Quantified Formulas Hardness of Assertion Checking –Linear Arithmetic –Uninterpreted Functions –Combination of Linear Arithmetic and Uninterpreted Fns

Decision Procedures DP T ( ) = Yes, if is satisfiable = No, if is unsatisfiable Without loss of generality, we can assume that is a conjunction of atomic facts. Why? –DP( 1 Ç 2 ) is sat iff DP( 1 ) is sat or DP( 2 ) is sat What is the trade-off? –Converting into DNF may incur exponential blow-up

Outline Decision Procedures Linear Arithmetic –Uninterpreted Functions –Combination of Linear Arithmetic and Uninterpreted Fns Logical Abstract Interpretation –Linear Arithmetic –Uninterpreted Functions –Combination of Linear Arithmetic and Uninterpreted Fns –Universally Quantified Formulas Hardness of Assertion Checking –Linear Arithmetic –Uninterpreted Functions –Combination of Linear Arithmetic and Uninterpreted Fns

Linear Arithmetic Expressions e := y | c | e 1 § e 2 | c £ e Atomic facts g := e ¸ 0 | e 0 Note that e=0 can be represented as e ¸ 0 Æ e · 0 e>0 can be represented as e-1 ¸ 0 (over integer LA) The decision problem for integer LA is NP-hard. The decision problem for rational LA is PTime. –PTime algorithms are complicated to implement. Popular choice is an exponential algorithm called Simplex –We will study a PTime algorithm for a special case.

Difference Constraints A special case of Linear Arithmetic Constraints of the form x · c and x-y · c –We can represent x · c by x-u · c, where u is a special zero variable. Wlog, we will assume henceforth that we only have constraints x-y · c Reasoning required: x-y · c 1 Æ y-z · c 2 ) x-z · c 1 +c 2 O(n 3 ) (saturation-based) decision procedure –Represent contraints by a matrix M n £ n where M[i][j] = c represents x i –x j · c –Perform transitive closure of M M[i][j] = min { M[i][j], M[i][k]+M[k][j] } – is unsat iff 9 i: M[i][i] < 0

Outline Decision Procedures –Linear Arithmetic Uninterpreted Functions –Combination of Linear Arithmetic and Uninterpreted Fns Logical Abstract Interpretation –Linear Arithmetic –Uninterpreted Functions –Combination of Linear Arithmetic and Uninterpreted Fns –Universally Quantified Formulas Hardness of Assertion Checking –Linear Arithmetic –Uninterpreted Functions –Combination of Linear Arithmetic and Uninterpreted Fns

Uninterpreted Functions Expressions e := x | F(e 1,e 2 ) Atomic fact g := e 1 =e 2 | e 1 e 2 Axiom 8 e 1,e 2,e 1,e 2 : e 1 =e 1 Æ e 2 =e 2 ) F(e 1,e 2 )=F(e 1,e 2 ) (called congruence axiom) (saturation-based) Decision Procedure Represent equalities e 1 =e 2 2 G in Equivalence DAG (EDAG) –Nodes of an EDAG represent congruence classes of expressions that are known to be equal. Saturate equalities in the EDAG by following rule: –If C(e 1 )=C(e 1 ) Æ C(e 2 )=C(e 2 ), Merge C(F(e 1,e 2 )), C(F(e 1,e 2 )) where C(e) denotes congruence class of expression e Declare unsatisfiability iff 9 e 1 e 2 in G s.t. C(e 1 ) = C(e 2 )

Uninterpreted Functions: Example y F F F F F y=F 3 (y) F(y)=F 4 (y) F 2 (y)=F 5 (y) y=F 2 (y) y=F 5 (y)y F(y) F(y)=F 3 (y) y=F(y) ? : unsat Æ Æ

Uninterpreted Functions: Complexity Complexity of congruence closure : O(n log n), where n is the size of the input formula –In each step, we merge 2 congruence classes. The total number of steps required is thus n, where n is a bound on the original number of congruence classes. –The complexity of each step can be O(log n) by using union-find data structure

Outline Decision Procedures –Linear Arithmetic –Uninterpreted Functions Combination of Linear Arithmetic and Uninterpreted Fns Logical Abstract Interpretation –Linear Arithmetic –Uninterpreted Functions –Combination of Linear Arithmetic and Uninterpreted Fns –Universally Quantified Formulas Hardness of Assertion Checking –Linear Arithmetic –Uninterpreted Functions –Combination of Linear Arithmetic and Uninterpreted Fns

Combination of Linear Arithmetic and Uninterpreted Functions Expressions e := y | c | e 1 § e 2 | c £ e | F(e 1,e 2 ) Atomic Facts g := e ¸ 0 | e 0 Axioms: Combined axioms of linear arithmetic + uninterpreted fns. Decision Procedure: Nelson-Oppen methodology for combining decision procedures

Combining Decision Procedures Nelson-Oppen gave an algorithm in 1979 to combine decision procedures for theories T 1 and T 2, where: –T 1 and T 2 have disjoint signatures except equality –T 1, T 2 are stably infinite Complexity is O(2 n 2 £ (W 1 (n)+W 2 (n)). If T 1, T 2 are convex, complexity is O(n 3 £ (W 1 (n)+W 2 (n)). The theories of linear arithmetic and uninterpreted functions satisfy all of the above criterions.

Convex Theory A theory is convex if the following holds. Let G = g 1 Æ … Æ g n If G ) e 1 =e 2 Ç e 3 =e 4, then G ) e 1 =e 2 or G ) e 3 =e 4 Examples of convex theory: -Rational Linear Arithmetic -Uninterpreted Functions

Examples of Non-convex Theory y=sel(upd(M,a,0),b) ) y=0 Ç y=sel(M,b) But y=sel(upd(M,a,0),b) ) y=0 and y=sel(upd(M,a,0),b) ) y=sel(M,b) / / Theory of Integer Linear Arithmetic Theory of Arrays 2 · y · 3 ) y=2 Ç y=3 But 2 · y · 3 ) y=2 and 2 · y · 3 ) y=3 / /

Stably Infinite Theory A theory T is stably infinite if for all quantifier-free formulas over T, the following holds: If is satisfiable, then is satisfiable over an infinite model. Examples of stably infinite theories –Linear arithmetic, Uninterpreted Functions Examples of non-stably infinite theories –A theory that enforces finite # of distinct elements. Eg., a theory with the axiom: 8 x,y,z (x=y Ç x=z Ç y=z). Consider the quantifier free formula : y 1 =y 2. is satisfiable but doesnt have an infinite model.

Nelson-Oppen Methodology Purification: Decompose into 1 Æ 2 such that i contains symbols from theory T i. –This can be done by introducing dummy variables. Exchange variable equalities between 1 and 2 until no more equalities can be deduced. –Sharing of disequalities is not required because of stably-infiniteness. –Sharing of disjunctions of equalities is not required because of convexity. is unsat iff 1 is unsat or 2 is unsat.

Combining Decision Procedures: Example a 1 =2y 2 -y 1 y 1 · 4y 3 · a 2 Æ y 1 4y 3 y 1 = y 2 y 1 = a 2 a 2 =F(a 1 ) y 1 =F(y 1 ) Æ y 2 =F(F(y 1 )) y 1 = a 1 y 1 · 4y 3 · F(2y 2 -y 1 ) Æ y 1 =F(y 1 ) Æ y 2 =F(F(y 1 )) Æ y 1 4y 3 Purification y 1 =y 2 y 1 =a 1 y 1 =a 2 ? : unsat Saturation

Outline Decision Procedures –Linear Arithmetic –Uninterpreted Functions –Combination of Linear Arithmetic and Uninterpreted Fns Logical Abstract Interpretation –Linear Arithmetic –Uninterpreted Functions –Combination of Linear Arithmetic and Uninterpreted Fns –Universally Quantified Formulas Hardness of Assertion Checking –Linear Arithmetic –Uninterpreted Functions –Combination of Linear Arithmetic and Uninterpreted Fns

Logical Abstract Interpretation Abstract Interpretation of a program involves interpreting the program over abstract values from some abstract domain D equipped with a partial order ¹ Logical Abstract Interpretation refers to the case when –D = logical formulas over theory T – ¹ = logical implication relationship, i.e., E ¹ E iff E ) T E We will study following examples of logical interpretation –D consists of finite conjunctions of atomic facts over T. Linear Arithmetic Uninterpreted Functions Combination of Linear Arithmetic and Uninterpreted Functions –D consists of universally quantified formulas over T.

Transfer Functions for Logical Abstract Interpreter G =Join(G 1,G 2 ) = d G 1 Ç G 2 e G2G2 G1G1 Join Node G 2 = G Æ: g g True False G G 1 = G Æ g Conditional Node G =Postcondition(y := e, G) = d 9 y: G[y/y] Æ y=e[y/y] e y := e G Assignment Node An abstract interpreter computes abstract values or facts at each program point from facts at preceding program points using appropriate transfer fns. Transfer functions for a logical abstract interpreter thus involve providing operators for over-approximating disjunction and existential quantifier elimination.

Fixed-point Computation In presence of loops, fixed-point computation is required. The process is accelerated by using a widening operator, which takes the facts in the current and previous iteration (at some point inside a loop) and generates something weaker than the current fact. –A widening operator should guarantee convergence in a bounded number of steps. –Widening is typically applied at loop header points. Facts generated after fixed-point are invariants and can be used to validate assertions using decision procedures. assert(g) G Validate iff G Æ: g is unsat

Initialization The fact at program entry is initialized to >, which in our setting is the logical formula true. –This denotes that we make no assumptions about inputs, and whatever we prove will be valid for all inputs. The facts at all other program points are initialized to ?, which in our setting is the logical formula false. –This denotes our optimistic assumption of unreachability of program locations (unless we can prove them reachable in the process of fixed-point computation).

Outline Decision Procedures –Linear Arithmetic –Uninterpreted Functions –Combination of Linear Arithmetic and Uninterpreted Fns Logical Abstract Interpretation Linear Arithmetic –Uninterpreted Functions –Combination of Linear Arithmetic and Uninterpreted Fns –Universally Quantified Formulas Hardness of Assertion Checking –Linear Arithmetic –Uninterpreted Functions –Combination of Linear Arithmetic and Uninterpreted Fns

Difference Constraints Abstract element: –conjunction of x i -x j · c ij –can be represented using matrix M, where M[i][j]=c ij Decide(M): 1.M := Saturate(M) 2.Declare unsat iff 9 i: M[i][i] < 0 Join(M 1, M 2 ): 1.M 1 := Saturate(M 1 ); M 2 := Saturate(M 2 ); 2.Let M 3 be s.t. M 3 [i][j] = Max { M 1 [i][j], M 2 [i][j] } 3.return M 3

Difference Constraints Eliminate(M, x i ): 1.M := Saturate(M); 2.Let M 1 be s.t. M 1 [j][k] = 1 (if j=i or k=i) = M[j][k] otherwise 3.return M 1 Widen(M 1, M 2 ): 1.M 1 := Saturate(M 1 ); M 2 := Saturate(M 2 ); 2.Let M 3 be s.t. M 3 [i][j] = M 1 [i][j] (if M 1 [i][j] = M 2 [i][j])) = 1 (otherwise) 3.return M 3

1 · y<51 Æ z=y+2 Difference Constraints: Example y < 50 y := 0; z := 2; y++; z++; y=0, z=2 y=1 Æ z=3 ? ? ? ? true y=0 Æ z=2 0 · y · 1 Æ z=y+2 1 · y · 2 Æ z=y+2 0 · y · 2 Æ z=y+2 0 · y Æ z=y+2 0 · y<50 Æ z=y+2 0 · y<51 Æ z=y+2 y=50 Æ z=y+2 False True Assert (z=52)

Outline Decision Procedures –Linear Arithmetic –Uninterpreted Functions –Combination of Linear Arithmetic and Uninterpreted Fns Logical Abstract Interpretation –Linear Arithmetic Uninterpreted Functions –Combination of Linear Arithmetic and Uninterpreted Fns –Universally Quantified Formulas Hardness of Assertion Checking –Linear Arithmetic –Uninterpreted Functions –Combination of Linear Arithmetic and Uninterpreted Fns

Uninterpreted Functions Abstract element: –conjunction of e 1 =e 2, where e := y | F(e 1,e 2 ) –can be represented using EDAGs Decide(G): 1.G := Saturate(G); 2.Declare unsat iff G contains e 1 e 2 and G has e 1, e 2 in the same congruence class. Eliminate(G, y): 1.G := Saturate(G); 2.Erase y; (might need to delete some dangling expressions) 3.return G

Uninterpreted Functions Join(G 1, G 2 ): 1.G 1 := Saturate(G 1 ); G 2 := Saturate(G 2 ); 2.G := Intersect(G 1, G 2 ); 3.return G; For each node n = in G 1 and node m = in G 2, G contains a node [n,m] =

Uninterpreted Functions: Example of Join G1G1 G2G2 F y 2, F y 1, F y 3,y 4 y 5 F y 6 y 7 F y 2, F y 1, F y 4,y 5 F y 6,y 7 y 3 G = Join(G 1,G 2 ) F y 2, F y 1, F y 4,y 5 F y 6 y 3 y 7

Outline Decision Procedures –Linear Arithmetic –Uninterpreted Functions –Combination of Linear Arithmetic and Uninterpreted Fns Logical Abstract Interpretation –Linear Arithmetic –Uninterpreted Functions Combination of Linear Arithmetic and Uninterpreted Fns –Universally Quantified Formulas Hardness of Assertion Checking –Linear Arithmetic –Uninterpreted Functions –Combination of Linear Arithmetic and Uninterpreted Fns

Combination: Decision Procedure DP(E 12 ): 1. := Purify&Saturate(E 12 ); 2.Return DP T 1 (E 1 ) Æ DP T 2 (E 2 );

Combination: Join Algorithm Join T 12 (L 12, R 12 ): 1. := Purify&Saturate(L 12 ); := Purify&Saturate(R 12 ); 2.D L := Æ {v i = | v i 2 Vars(L 1 Æ L 2 ), v j 2 Vars(R 1 Æ R 2 ) }; D R := Æ {v j = | v i 2 Vars(L 1 Æ L 2 ), v j 2 Vars(R 1 Æ R 2 ) }; 3.L 1 := L 1 Æ D L ; R 1 := R 1 Æ D R ; L 2 := L 2 Æ D L ; R 2 := R 2 Æ D R ; 4.A 1 := Join T 1 (L 1, R 1 ); A 2 := Join T 2 (L 2, R 2 ); 5. V := Vars(A 1 Æ A 2 ) – Program Variables; A 12 := Eliminate T 12 (A 1 Æ A 2, V); 6.Return A 12 ;

y=F(a) a= h a,b i z=a-1 a= h a,b i y=F(b) b= h a,b i z=b-1 b= h a,b i z=a-1 Æ y=F(a) z=b-1 Æ y=F(b) h a,b i =1+z y=F( h a,b i ) Join la Join uf Eliminate uf+la y=F(1+z) { h a,b i } Join uf+la Combination: Example of Join Algorithm

Combination: Existential Quantifier Elimination Elimintate T 12 (E 12, V): 1. := Purify&Saturate(E 12 ); 2. := DefSaturate(E 1, E 2, V [ Temp Variables); 3.V := V [ Temp Variables – D; E 1 := Eliminate T 1 (E 1, V); E 2 := Eliminate T 2 (E 2, V); 4.E := (E 1 Æ E 2 ) [Defs(y)/y]; 5.Return E; DefSaturate(E 1, E 2, U) returns the set of all variables D that have definitions Defs in terms of variables not in U as implied by E 1 Æ E 2.

a=F 2 (b) Æ c=F(b) a · b · y Æ z=c+1 a · b · y Æ z=c+1 Æ a=F 2 (b) Æ c=F(b) { a, b, c } { b } a · y Æ z=c+1 Eliminate uf Substitute F(z-1) · y c z-1 a F(z-1) Eliminate uf+la Combination: Example of Existential Elimination c z-1 a F(z-1) Def la Def uf Eliminate la a = F(c)

1 · i, N(x)=N(y)+i struct List { struct List* next; } x, y; N(z) = 0, if z = null = 1 + N(z ! next) Abstract Interpretation over Combined Domain: Example y null y := x; i := 0; i := i+1; y := y ! next; y=x, i=0 y=x ! next, i=1, x null N(x)=N(x ! next)+1 ? ? ? ? true y=x, i=0 y=x, i=0, y null 0 · i · 1 N(x)=N(y)+i 0 · i · 1, y null N(x)=N(y)+i 1 · i · 2, N(x)=N(y)+i 0 · i · 2, N(x)=N(y)+i 0 · i, N(x)=N(y)+i 0 · i, y null N(x)=N(y)+i

Outline Decision Procedures –Linear Arithmetic –Uninterpreted Functions –Combination of Linear Arithmetic and Uninterpreted Fns Logical Abstract Interpretation –Linear Arithmetic –Uninterpreted Functions –Combination of Linear Arithmetic and Uninterpreted Fns Universally Quantified Formulas Hardness of Assertion Checking –Linear Arithmetic –Uninterpreted Functions –Combination of Linear Arithmetic and Uninterpreted Fns

Universally Quantified Abstract Domain Abstract element is of the form E Æ Æ i ( 8 X: A i ) B i ) –where E, A i, B i are from some underlying base domain(s) D. The partial order ¹ is a refinement of the more natural implication relationship. E Æ Æ i ( 8 X: A i ) B i ) ¹ E Æ Æ j ( 8 X: A j ) B j ) iff –E ) E – 8 j 9 i s.t. E Æ A j ) A i and E Æ B i ) B j Another way to state the above thing would be to say that the partial order is still the implication relationship but transfer functions are incomplete.

Quantified Abstract Domain: Join Algorithm Consider a simpler case first. Let (E Æ 8 X:A ) B) = Join(E 1 Æ 8 X:A 1 ) B 1, E 2 Æ 8 X:A 2 ) B 2 ). Then, –(E 1 Æ 8 X:A 1 ) B 1 ) ¹ (E Æ 8 X:A ) B) –(E 2 Æ 8 X:A 2 ) B 2 ) ¹ (E Æ 8 X:A ) B) Or, equivalently, –E 1 ) E and E 2 ) E. Thus, E = Join(E 1, E 2 ). –E 1 Æ A ) A 1 and E 2 Æ A ) A 2, i.e., A ) (E 1 ) A 1 Æ E 2 ) A 2 ). Thus, A = b E 1 ) A 1 Æ E 2 ) A 2 c. –E 1 Æ B 1 ) B and E 2 Æ B 2 ) B. Thus, B = Join(E 1 Æ B 1, E 2 Æ B 2 ). Join(E 1 Æ Æ i ( 8 X: A 1 i ) B 1 i ), E 2 Æ Æ i ( 8 X: A 2 i ) B 2 i )): 1.result := Join D (E 1, E 2 ); 2.Forall i,j: 3. A := b E 1 ) A 1 i Æ E 2 ) A 2 j c ; B := Join D (E 1 Æ B 1 i, E 2 Æ B 2 j ); 4. result := result Æ 8 X:A ) B 5.return result;

Quantified Abstract Domain: Example of Join Let G 1 = (i=0 Æ 8 k: k=0 ) F[k]=i) G 2 = (i=1 Æ 8 k: 0 · k · 1 ) F[k]=0) Then Join(G 1, G 2 ) = 0 · i · 1 Æ 8 k: A ) B, where A = b (i=0 ) k=0) Æ (i=1 ) 0 · k · 1) c = 0 · k · i B = Join D (i=0 Æ F[k]=i, i=1 Æ F[k]=0) = F[k]=0

Quantified Abstract Domain: Eliminate Let (E Æ 8 X:A ) B) = Eliminate(E Æ 8 X:A ) B, s). Then, (E Æ 8 X:A ) B) ¹ (E Æ 8 X:A ) B) among other things. For simplicity, assume that s doesnt affect terms in A,B involving X. Then, –E ) E and E doesnt contain any term affected by change to s. Thus, E = Eliminate D (E,s). –E Æ A ) A and A doesnt contain any term affected by change to s. Thus, A = b8 s:E ) A c. –E Æ B ) B and B doesnt contain any term affected by change to s. Thus, B = Eliminate D (E Æ B, s).

Quantified Abstract Domain: Eliminate Eliminate(G, s): 1.Let G be E Æ 8 X:A ) B –Psuedo-code can be easily extended for multiple 8 2.T := { e | e occurs in A or B; Vars(e) Å X ; } 3.A := A Æ Æ e 2 T NotEffect(, e); 4.E := Eliminate D (E,s); 5.B := Eliminate D (B Æ E,s); 6.A := b8 s:E ) A c ; 7.return (E Æ 8 X: A ) B) NotEffect(, e) denotes a constraint g s.t. G Æ g implies that s does not affect e.

Quantified Abstract Domain: Example of Eliminate Let G = (F[0]>10 Æ 8 k: 0 · k F[0] ) Then Eliminate(G, F[0]) = true Æ 8 k: A ) B, where T = { k, F[k] } NotEffect(, F[k]) = k 0 NotEffect(, F[k]) = true A 1 = 0 · k<F[0] Æ k 0 Æ true = 1 · k<F[0] A = b8 F[0]: F[0]>10 ) 1 · k<F[0] c = 1 · k<10 B = Eliminate(F[k]>F[0] Æ F[0]>10, F[0]) = F[k]<10

2 · i · n Æ 8 k: 0 · k<i ) F[k]=0 Quantified Abstract Domain : Example i < n F[0] := 0; i := 1; F[i] := 0; i++; i=1 Æ F[0]=0 i=2 Æ F[0]=0 Æ F[1]=0 ? ? ? ? true i=1 Æ F[0]=0 1 · i · 2 Æ 8 k: 0 · k<i ) F[k]=0 2 · i · 3 Æ 8 k: 0 · k<i ) F[k]=0 1 · i · 3 Æ 8 k: 0 · k<i ) F[k]=0 1 · i Æ 8 k: 0 · k<i ) F[k]=0 1 · i<n Æ 8 k: 0 · k<i ) F[k]=0 1 · i Æ 8 k: 0 · k<i ) F[k]=0 i ¸ n Æ 8 k: 0 · k<i ) F[k]=0 False True i := 0; i=2 Æ 8 k:0 · k · 1 ) F[k]=0 i=1 Æ 8 k:k=0 ) F[k]=0 i=0 Æ 8 k: 0 · k<n ) F[k]=0

References Uninterpreted Functions –A polynomial time algorithm for global value numbering SAS 2004, S. Gulwani, G. Necula –Join algorithms for the theory of uninterpreted fns FSTTCS 2004, S. Gulwani, A. Tiwari, G. Necula Combination of Linear Arithmetic and Uninterpreted Fns –Combining Abstract Interpreters PLDI 2006, S. Gulwani, A. Tiwari Universally Quantified Abstract Domain –Lifting Abstract Interpreters to Quantified Logical Domains POPL 2008, S. Gulwani, B. McCloskey, A. Tiwari

Outline Decision Procedures –Linear Arithmetic –Uninterpreted Functions –Combination of Linear Arithmetic and Uninterpreted Fns Logical Abstract Interpretation –Linear Arithmetic –Uninterpreted Functions –Combination of Linear Arithmetic and Uninterpreted Fns –Universally Quantified Formulas Hardness of Assertion Checking –Linear Arithmetic –Uninterpreted Functions –Combination of Linear Arithmetic and Uninterpreted Fns

Abstract Program Model / Problem Statement Linear Arithmetic e := y | c | e 1 § e 2 | c e g := e ¸ 0 Uninterpreted Functions e := y | F(e 1,e 2 ) g := e 1 =e 2 Combination e := y | c | e 1 § e 2 | c e | F(e 1,e 2 ) g := e ¸ 0 Assignment y := e Conditional g True False Non-deterministic Assignment y := ? Assertion Assert(g)

Outline Decision Procedures –Linear Arithmetic –Uninterpreted Functions –Combination of Linear Arithmetic and Uninterpreted Fns Logical Abstract Interpretation –Linear Arithmetic –Uninterpreted Functions –Combination of Linear Arithmetic and Uninterpreted Fns –Universally Quantified Formulas Hardness of Assertion Checking Linear Arithmetic –Uninterpreted Functions –Combination of Linear Arithmetic and Uninterpreted Fns

Assertion Checking: Linear Arithmetic Non-deterministic Conditionals –Equality Assertions: PTIME Perform abstract interpretation over linear equalities. Affine relationships among variables of a program, Karr 76 –Inequality assertions: ? Deterministic Conditionals: Undecidable –Even with equality conditionals and equality assertions –PCP Problem can be reduced to it. –A Note on Karrs Algorithm, H. Seidl, M. Muller-Olm, ICALP 2004

Reducing PCP Problem to Assertion Checking The following problem (PCP Problem) is undecidable. Given pairs: (u 1,v 1 ), …, (u m,v m ), where u i, v i 2 {0,1} * Decide: 9 a non-empty sequence i 1, …, i n such that u i 1 … u i n = v i 1 … v i n Given a PCP instance, we will construct an assertion checking problem over linear arithmetic such that the assertion holds iff the solution to PCP instance is false.

y=z ? Reducing PCP Problem to Assertion Checking y := 1; z := 1; y := 2 |u 1 | £ y + ; z := 2 |v 1 | £ z + ; False True Assert (d=0); y := 2 |u m | £ y + ; z := 2 |v m | £ z + ; * d := 1; d := 0;

Outline Decision Procedures –Linear Arithmetic –Uninterpreted Functions –Combination of Linear Arithmetic and Uninterpreted Fns Logical Abstract Interpretation –Linear Arithmetic –Uninterpreted Functions –Combination of Linear Arithmetic and Uninterpreted Fns –Universally Quantified Formulas Hardness of Assertion Checking –Linear Arithmetic Uninterpreted Functions –Combination of Linear Arithmetic and Uninterpreted Fns

Assertion Checking: Uninterpreted Functions Non-deterministic Conditionals: PTIME –Abstract interpretation over uninterpreted fns. Deterministic Conditionals: Undecidable –PCP Problem can be reduced to it. –Checking Herbrand Equalities and Beyond, H. Seidl, M. Muller-Olm, VMCAI 2005

y=z ? Reducing PCP Problem to Assertion Checking y := 1; z := 1; y := u 1 (y); z := v 1 (z); False True Assert (d=0); y := u m (y); z := v m (z); * d := 1; d := 0; Think of u i, v i as sequences of applications of unary fns, one corresponding to 0 and other corresponding to 1.

Outline Decision Procedures –Linear Arithmetic –Uninterpreted Functions –Combination of Linear Arithmetic and Uninterpreted Fns Logical Abstract Interpretation –Linear Arithmetic –Uninterpreted Functions –Combination of Linear Arithmetic and Uninterpreted Fns –Universally Quantified Formulas Hardness of Assertion Checking –Linear Arithmetic –Uninterpreted Functions Combination of Linear Arithmetic and Uninterpreted Fns

Assertion Checking: Combination of Linear Arithmetic & Uninterpreted Functions Deterministic Conditionals: Undecidable –No surprise since problem is undecidable for individual cases of linear arithmetic and uninterpreted fns. Non-deterministic Conditionals: ? At least coNP-hard –Even for equality conditionals. –A surprising result since assertion checking for individual cases of linear arithmetic (equalities) and uninterpreted fns is PTIME, but not for combination. –In contrast, decision procedures for linear arithmetic and uninterpreted fns can be combined in PTIME using Nelson- Oppen methodology. –Assertion checking over combination of linear arithmetic and uninterpreted fns, S. Gulwani, A. Tiwari, ESOP 2006

Reducing Unsatisfiability to Assertion Checking boolean 3-SAT instance with m clauses IsUnsatisfiable( ) { for j=1 to m c j := 0; for i=1 to k do if (*) 8 j s.t. var i occurs positively in clause j, c j := 1; else 8 j s.t. var i occurs negatively in clause j, c j := 1; y = c 1 + c 2 + … + c m ; Assert (y=0 Ç y=1 … Ç y=m-1); }

Encoding disjunction The check y=1 Ç y=2 can be encoded by the assertion F(y) = F(1)+F(2)-F(3-y)). The above trick can be recursively applied to construct an assertion that encodes y=0 Ç y=1 Ç … Ç y=m-1 –Eg., y=0 Ç y=1 Ç y=2 can be encoded by encoding F(y)=F(0) Ç F(y)=F(1)+F(2)-F(3-y)

Conclusion We showed how logical reasoning traditionally used in theorem proving can be exploited in an abstract interpretation setting. –We focused on conjunctive and universally quantified invariants over the domain of linear arithmetic and uninterpreted fns. There are several other interesting issues in program analysis that we did not address: –Destructive updates Points-to analysis, Shape analysis –Path-sensitive analysis Disjunctive invariants –Inter-procedural analysis Procedure summaries

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.