Global Value Numbering Using Random Interpretation OSQ Retreat, May 2003 Sumit Gulwani George Necula EECS Department University of California, Berkeley.

May 15, 2003, OSQ Retreat 2003
Outline
Value numbering on linear arithmetic (POPL ’03)
How can we handle other operators? – Program Analysis
How can we handle multiple occurrences of a conditional? – Model Checking
How can we interpret conditionals? (CADE ’03) – Theorem Proving

Example 1
  Conditional 1:  T: a := 0; b := 1            F: a := 1; b := 0
  Conditional 2:  T: c := b - a; d := 1 - 2b    F: c := 2a + b; d := b - 2
  assert (c + d = 0); assert (c = a + 1)
Random testing: test the program for random inputs
– ¾ probability of unsoundness here
– 1 - (½)^n in worst case
Want the same simplicity, with better odds
We will execute the program once, in a way that it captures the “effect” of all the paths

The Affine Join Operation
Execute both the branches
Combine the values of the variables at joins using the affine join operation ⊕_w for some randomly chosen w:
  v1 ⊕_w v2 ≡ w × v1 + (1 - w) × v2
Example (w = 7):
  T: a := 2; b := 3     F: a := 4; b := 6
  a = 2 ⊕_7 4
  b = 3 ⊕_7 6

Example 1 (random interpretation, with w1 = 5 and w2 = -3)
  Conditional 1:  T: a := 0; b := 1 → a = 0, b = 1      F: a := 1; b := 0 → a = 1, b = 0
  Join 1 (w1 = 5): a = -4, b = 5
  Conditional 2:  T: c := b - a; d := 1 - 2b → c = 9, d = -9     F: c := 2a + b; d := b - 2 → c = -3, d = 3
  Join 2 (w2 = -3): a = -4, b = 5, c = -39, d = 39
  assert (c + d = 0); assert (c = a + 1)
Choose a random weight for each join independently.
All choices of random weights verify the first assertion.
Almost all choices contradict the second assertion.
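As an added example (not part of the slides), a Python implementation of the affine-join run on Example 1, with plain random testing beside it for the comparison the earlier slide makes; the state encoding and function names are my own.

```python
import random

def affine_join(s1, s2, w):
    """Affine join of two states, variable by variable: v1 (+)_w v2 = w*v1 + (1-w)*v2."""
    return {x: w * s1[x] + (1 - w) * s2[x] for x in s1}

def run_example1(w1, w2):
    """One random-interpretation run of Example 1: both branches of each conditional
    are executed and merged at the join with the (random) weights w1 and w2."""
    st = affine_join({"a": 0, "b": 1}, {"a": 1, "b": 0}, w1)   # first conditional
    t, f = dict(st), dict(st)                                 # second conditional
    t["c"], t["d"] = t["b"] - t["a"], 1 - 2 * t["b"]           # true branch
    f["c"], f["d"] = 2 * f["a"] + f["b"], f["b"] - 2           # false branch
    return affine_join(t, f, w2)

def check(st):
    """(assert c + d = 0 holds, assert c = a + 1 holds) in a final state.
    Symbolically the run gives c + d = 0 for every w1, w2, and c - a - 1 = 3*w2*(w1 - 1),
    so the second assertion is wrongly reported valid only when w2 = 0 or w1 = 1."""
    return st["c"] + st["d"] == 0, st["c"] == st["a"] + 1

def random_interpretation(trials, seed=0):
    """Count, over `trials` independent weight choices, how often each assertion is reported valid."""
    rng = random.Random(seed)
    hits = [0, 0]
    for _ in range(trials):
        ok = check(run_example1(rng.randint(-10**6, 10**6), rng.randint(-10**6, 10**6)))
        hits[0] += ok[0]; hits[1] += ok[1]
    return hits

def random_testing(trials, seed=0):
    """Plain random testing for comparison: each trial follows one random path.
    Only the path (a := 1; b := 0) then (c := b - a) violates c = a + 1, so a single
    test misses the bug with probability 3/4, the figure on the slide."""
    rng = random.Random(seed)
    hits = [0, 0]
    for _ in range(trials):
        a, b = (0, 1) if rng.random() < 0.5 else (1, 0)
        c, d = (b - a, 1 - 2 * b) if rng.random() < 0.5 else (2 * a + b, b - 2)
        ok = check({"a": a, "b": b, "c": c, "d": d})
        hits[0] += ok[0]; hits[1] += ok[1]
    return hits
```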

Uninterpreted Functions
Choose random interpretations:
Non-linear interpretation
– Works for basic blocks
– Loss of completeness at join points
Naïve linear interpretation
– Works for join points
– Loss of soundness in basic blocks
k linear interpretations
– Fixes the above problems

Non-linear interpretation
Model F(e) as e²
Works for basic blocks
But, incomplete for joins:
  T: a := y; b := F(y)     F: a := z; b := F(z)
  c := F(a); assert (b = c)
  a = w(y) + (1 - w)(z)
  b = w(y²) + (1 - w)(z²)
  c = [w(y) + (1 - w)(z)]² = w²(y²) + (1 - w)²(z²) + w(1 - w)(2yz)
    = b only if w = w², (1 - w) = (1 - w)² and w(1 - w) = 0

Naïve linear interpretation
Encode F(e1, e2) = r1 e1 + r2 e2
Complete for affine joins
But, unsound for basic blocks:
  e = F(F(a, b), F(c, d))      e’ = F(F(a, c), F(b, d))
  V(e) = r1 (r1 a + r2 b) + r2 (r1 c + r2 d) = r1² (a) + r1 r2 (b + c) + r2² (d)
  V(e’) = r1 (r1 a + r2 c) + r2 (r1 b + r2 d) = r1² (a) + r1 r2 (b + c) + r2² (d)
  V(e) = V(e’) even though e ≠ e’: too few random coefficients!

k linear interpretations
Perform k runs in parallel
Encode F_i(e1, e2) = Σ_{j=1}^{k} r_{i,j} e1^j + Σ_{j=1}^{k} r’_{i,j} e2^j   (e^j is the value of e in run j)
  [figure: interpretations F1 … Fk applied to e1^1, e1^2, …, e1^k and e2^1, …, e2^k]
Each linear interpretation is linear in 2k terms
Choose k linear random interpretations ⇒ 2k² random variables
We believe that k = n^0.5; perhaps log(n)^0.5

k linear interpretations: Example (with k = 2)
  e = F(e1, e2), where e1 = F(a, b) and e2 = F(c, d)
  V(e1^1) = r1 (a) + r2 (a) + r3 (b) + r4 (b)
  V(e1^2) = r5 (a) + r6 (a) + r7 (b) + r8 (b)
  V(e2^1) = r1 (c) + r2 (c) + r3 (d) + r4 (d)
  V(e2^2) = r5 (c) + r6 (c) + r7 (d) + r8 (d)
  V(e^1) = r1 [r1 (a) + r2 (a) + r3 (b) + r4 (b)] + r2 [r5 (a) + r6 (a) + r7 (b) + r8 (b)]
         + r3 [r1 (c) + r2 (c) + r3 (d) + r4 (d)] + r4 [r5 (c) + r6 (c) + r7 (d) + r8 (d)]
  V(e^2) = r5 [r1 (a) + r2 (a) + r3 (b) + r4 (b)] + r6 [r5 (a) + r6 (a) + r7 (b) + r8 (b)]
         + r7 [r1 (c) + r2 (c) + r3 (d) + r4 (d)] + r8 [r5 (c) + r6 (c) + r7 (d) + r8 (d)]
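The three points of the preceding slides, as an added Python example that is not from the slides: the naive linear interpretation confuses e and e’, k parallel linear interpretations tell them apart, and the k-run interpretation still verifies b = c after the affine join of the earlier F(y)/F(z) program. The term tuples, the R[i][p][j] indexing and the function names are my own conventions.

```python
import random

# Terms: a variable name, or ("F", arg1, ..., argn) for an application of the
# uninterpreted function F.  Tuple encoding and names are this example's own.
def naive_value(t, r, env):
    """Naive linear interpretation: F(e1, ..., en) = r[0]*V(e1) + ... + r[n-1]*V(en)."""
    if isinstance(t, str): return env[t]
    return sum(r[p] * naive_value(arg, r, env) for p, arg in enumerate(t[1:]))

def k_values(t, R, env):
    """k parallel linear interpretations: run i of F(e1..en) is the sum over p, j of
    R[i][p][j] * (run j of e_p).  A variable takes the same random value in every run,
    unless env already holds its k per-run values (a variable produced by a join)."""
    k = len(R)
    if isinstance(t, str):
        v = env[t]
        return list(v) if isinstance(v, list) else [v] * k
    args = [k_values(arg, R, env) for arg in t[1:]]
    return [sum(R[i][p][j] * args[p][j] for p in range(len(args)) for j in range(k))
            for i in range(k)]

def random_coefficients(k, arity, rng):
    """Fresh coefficients R[i][p][j]; for arity 2 these are the slide's 2k^2 random variables."""
    return [[[rng.randint(-10**6, 10**6) for _ in range(k)] for _ in range(arity)]
            for _ in range(k)]

def affine_join(v1, v2, w):
    """Affine join applied run by run to the k values of a variable."""
    return [w * x + (1 - w) * y for x, y in zip(v1, v2)]

def demo(k=2, seed=7):
    """Returns (naive interpretation confuses e and e', k runs tell them apart,
    k runs still verify b = c after the affine join of the F(y)/F(z) program)."""
    rng = random.Random(seed)
    env = {v: rng.randint(-10**6, 10**6) for v in "abcdyz"}
    r = [rng.randint(-10**6, 10**6) for _ in range(2)]
    R2 = random_coefficients(k, 2, rng)
    e = ("F", ("F", "a", "b"), ("F", "c", "d"))    # e  from the slide
    e2 = ("F", ("F", "a", "c"), ("F", "b", "d"))   # e' from the slide, a different term
    collides = naive_value(e, r, env) == naive_value(e2, r, env)
    distinct = k_values(e, R2, env) != k_values(e2, R2, env)
    # Join example: (a := y; b := F(y)) or (a := z; b := F(z)); then c := F(a); assert b = c
    R1, w = random_coefficients(k, 1, rng), rng.randint(-10**6, 10**6)
    a = affine_join(k_values("y", R1, env), k_values("z", R1, env), w)
    b = affine_join(k_values(("F", "y"), R1, env), k_values(("F", "z"), R1, env), w)
    c = k_values(("F", "a"), R1, {**env, "a": a})
    return collides, distinct, b == c
```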

Repeated Conditionals
  if B:  T: a := 1   F: a := 4
  if B:  T: b := 2   F: b := 5
  assert (b - a - 1 = 0)
  a = w1 + 4(1 - w1) = 4 - 3w1
  b = 2w2 + 5(1 - w2) = 5 - 3w2
  b - a - 1 = 3w1 - 3w2
Choose same random weights for equivalent conditionals
Can’t really be so easy, as SAT can be encoded as such a problem!

Repeated Conditionals
  if B:  T: a := 1       F: a := 4
  if B:  T: b := a + 1   F: b := 5
  assert (b - a - 1 = 0)
  a = w + 4(1 - w) = 4 - 3w
  b = (4 - 3w + 1)w + 5(1 - w) = 5 - 3w²
  b - a - 1 = 3w - 3w²
Lost Completeness
– We can verify the assert only if w = w², but we choose w from a large set for soundness
Idea: Simplify the polynomial so that it does not contain terms like w²
– Need to maintain symbolic expressions

Repeated Conditionals
A state maps a variable to an expression:
  E ::= n | E1 + E2 | if B then E1 else E2
  B ::= c | ¬c | B1 ∧ B2 | B1 ∨ B2
Representation for expressions must satisfy:
– Easy to construct representation of E from representations of its subexpressions
– Easy to verify equivalence of two expressions
How about Multi-valued ROBDDs?
Free Conditional Expression DAGs (FCEDs): our representation

Multi-valued ROBDDs
  Program:  on c1:  T: a := 2   F: a := 3
            on c2:  T: b := z   F: b := 6
            y := b + a
  D(a) = if c1 then 2 else 3
  D(b) = if c2 then z else 6
  D(y) = if c1 then (if c2 then z + 2 else 8) else (if c2 then 3 + z else 9)
|D(y)| = |D(a)| × |D(b)|
D(y) does not share nodes with D(a) and D(b)
Need a normal form for leaves

FCEDs: Free Conditional Expression DAGs
  Same program:  on c1:  T: a := 2   F: a := 3
                 on c2:  T: b := z   F: b := 6
                 y := b + a
  D(a) = if c1 then 2 else 3
  D(b) = if c2 then z else 6
  D(y) = a + node whose children are the existing DAGs D(b) and D(a)
|D(y)| = |D(a)| + |D(b)|
D(y) does share nodes with D(a) and D(b)
No need for a normal form for arithmetic

FCED Construction
Formalization:
  D(x) = Leaf(x)
  D(n) = Leaf(n)
  D(e1 + e2) = Plus(D(e1), D(e2))
  D(if b then e1 else e2) = Choose(||R(b), D(e1)||, ||NOT R(b), D(e2)||)
  [figure: D(y) for the running example is a Plus node over two Choose nodes; the first Choose holds Guard(R(c1), 2) and Guard(R(¬c1), 3), the second holds Guard(R(c2), z) and Guard(R(¬c2), 6)]

Normalize Guard Operator
  ||g, f|| = Guard(g, f), if BV(g) ∩ BV(f) = ∅
  ||g, Plus(f1, f2)|| = Plus(||g, f1||, ||g, f2||)
  ||g, Choose(f1, f2)|| = Choose(||g, f1||, ||g, f2||)
  ||g1, Guard(g2, f)|| = Guard(g1, ||g2, f||), if BV(g1) ∩ BV(g2) = ∅
  ||g1, Guard(g2, f)|| = ||INTERSECT(g1, g2), f||, otherwise

Example: Normalize Guard Operator
Given f, construct ||c1, f||
  f = Plus(Choose(Guard(R(c1), 2), Guard(R(¬c1), 3)), Choose(Guard(R(c2), z), Guard(R(¬c2), 6)))
  ||c1, f|| = Plus(Choose(Guard(R(c1 ∧ c1), 2), Guard(R(¬c1 ∧ c1), 3)),
                   Choose(Guard(R(c1), Guard(R(c2), z)), Guard(R(c1), Guard(R(¬c2), 6))))

Randomized Equivalence testing for FCEDs
  V(Leaf(n)) = n
  V(Leaf(x)) = r_x
  V(Plus(f1, f2)) = V(f1) + V(f2)
  V(Choose(f1, f2)) = V(f1) + V(f2)
  V(Guard(g, f)) = V(g) × V(f)
  V(c(g1, g2)) = r_c × V(g1) + (1 - r_c) × V(g2)
  V(0) = 0, V(1) = 1
  V(and(g1, g2)) = V(g1) × V(g2)
  V(or(g1, g2)) = V(g1) + V(g2)
  V(c) = r_c, V(¬c) = 1 - r_c
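An added Python example (not from the slides) of the FCED construction, the normalize-guard operator and the randomized V evaluation, checked on the repeated-conditional program from earlier (a := 1 | 4; b := a + 1 | 5, assert b = a + 1) and on the y := b + a program. The tuple encodings, the BDD representation of guards with `intersect` standing in for INTERSECT, and the function names are my own assumptions; `naive_if` is the un-normalized construction, kept only to show the w² term the earlier slide warns about.

```python
import random

# Guards are BDDs over conditional names: 0, 1, or (c, hi, lo) meaning "if c then hi else lo".
# FCED nodes: ("leaf", n|x), ("plus", f1, f2), ("choose", f1, f2), ("guard", g, f).
def node(c, hi, lo):
    return hi if hi == lo else (c, hi, lo)
def intersect(g1, g2):
    """BDD conjunction of two guards (conditional names fix the variable order)."""
    if g1 == 0 or g2 == 0: return 0
    if g1 == 1: return g2
    if g2 == 1: return g1
    if g1[0] == g2[0]: return node(g1[0], intersect(g1[1], g2[1]), intersect(g1[2], g2[2]))
    if g1[0] < g2[0]: return node(g1[0], intersect(g1[1], g2), intersect(g1[2], g2))
    return node(g2[0], intersect(g1, g2[1]), intersect(g1, g2[2]))
def gvars(g):  # BV(g): conditionals tested in a guard
    return set() if g in (0, 1) else {g[0]} | gvars(g[1]) | gvars(g[2])
def fvars(f):  # BV(f): conditionals tested anywhere in an FCED
    if f[0] == "leaf": return set()
    return (gvars(f[1]) if f[0] == "guard" else fvars(f[1])) | fvars(f[2])

def guard(g, f):
    """Normalize-guard ||g, f||: push g inward and merge it (INTERSECT) with any guard
    testing the same conditional, so no conditional is tested twice on one path."""
    if gvars(g).isdisjoint(fvars(f)): return ("guard", g, f)
    if f[0] != "guard": return (f[0], guard(g, f[1]), guard(g, f[2]))   # Plus / Choose
    if gvars(g).isdisjoint(gvars(f[1])): return ("guard", f[1], guard(g, f[2]))
    return guard(intersect(g, f[1]), f[2])
def naive_if(c, f1, f2):  # un-normalized Choose/Guard: this is what produces w^2 terms
    return ("choose", ("guard", (c, 1, 0), f1), ("guard", (c, 0, 1), f2))

def D(e):
    """FCED of an expression: n | x | ('+', e1, e2) | ('if', c, e1, e2)."""
    if isinstance(e, (int, str)): return ("leaf", e)
    if e[0] == "+": return ("plus", D(e[1]), D(e[2]))
    return ("choose", guard((e[1], 1, 0), D(e[2])), guard((e[1], 0, 1), D(e[3])))

def V(f, r):
    """Random interpretation of an FCED; r maps variables and conditionals to random values."""
    if f[0] == "leaf": return f[1] if isinstance(f[1], int) else r[f[1]]
    if f[0] == "guard": return VG(f[1], r) * V(f[2], r)
    return V(f[1], r) + V(f[2], r)   # Plus and Choose both add
def VG(g, r):  # V(c(g1, g2)) = r_c * V(g1) + (1 - r_c) * V(g2); V(0) = 0, V(1) = 1
    return g if g in (0, 1) else r[g[0]] * VG(g[1], r) + (1 - r[g[0]]) * VG(g[2], r)

def equivalent(e1, e2, names, trials=5, seed=1):
    """Probabilistic equivalence: equal values under `trials` random interpretations."""
    rng, f1, f2 = random.Random(seed), D(e1), D(e2)
    for _ in range(trials):
        r = {n: rng.randint(-10**6, 10**6) for n in names}
        if V(f1, r) != V(f2, r): return False
    return True
```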

Example
  if (x = y):  T: a := x + y; b := a     F: b := 2 * x
  assert (b = 2x)
Affine join is not enough
We need to make use of the conditional x = y on the true branch

The Adjust Operation
Execute multiple runs of the program in parallel
Sample = collection of states at each program point
“Adjust” the sample before a conditional (by taking affine joins of the states in the sample) such that
– Adjustment preserves original relationships
– Adjustment satisfies the equality in the conditional
Use adjusted sample on the true branch

Experience
We built a randomized satisfiability procedure for linear equalities
E.g., show that z = x + y ∧ x = y ⇒ z = 2x
– Encode it as a program with “if … then … else”
– We use Adjust but no Join here
Compared with ICS (from SRI) on randomly generated examples
– Randomized algorithm times faster (for arith.)
– Simple algorithm
– Simple data structure: an array of states
(Caveat: our tool is written in C and ICS in OCaml)

Conclusion and Future Work
Randomization can help achieve simplicity and efficiency at the expense of making soundness probabilistic
Other interesting possible extensions:
– Combination of uninterpreted functions with arithmetic
– Partially interpreted functions like associative functions
– Memory
– Inequalities