Path-Sensitive Analysis for Linear Arithmetic and Uninterpreted Functions SAS 2004 Sumit Gulwani George Necula EECS Department University of California, Berkeley


Mar 26, 2015

Page 1: Title

Path-Sensitive Analysis for Linear Arithmetic and Uninterpreted Functions

SAS 2004

Sumit Gulwani, George Necula

EECS Department, University of California, Berkeley

Page 2: Example

    if (a=2) then { y := 2; z := a; }      -- True branch
             else { y := a; z := 2; }      -- False branch
    if (a=2) then { u := 1; v := 1+a; }    -- True branch
             else { u := a-1; v := 3; }    -- False branch
    t1 := y-u; t2 := v-z;
    Assert(t1=t2 ∧ t1=1 ∧ z=2);

All 3 asserts are true.

Page 3: Path-Insensitive Analysis

    if (*) then { y := 2; z := a; }      -- True branch
           else { y := a; z := 2; }      -- False branch
    if (*) then { u := 1; v := 1+a; }    -- True branch
           else { u := a-1; v := 3; }    -- False branch
    t1 := y-u; t2 := v-z;
    Assert(t1=t2 ∧ t1=1 ∧ z=2);

• Most PTIME analyses treat conditionals as non-deterministic (the tests become *).
• They will verify only t1=t2.

Page 4: Path-Sensitive Analysis

    if (c1) then { y := 2; z := a; }      -- True branch
            else { y := a; z := 2; }      -- False branch
    if (c1) then { u := 1; v := 1+a; }    -- True branch
            else { u := a-1; v := 3; }    -- False branch
    t1 := y-u; t2 := v-z;
    Assert(t1=t2 ∧ t1=1 ∧ z=2);

• We can do better by doing a boolean abstraction of conditionals.
• Each atomic predicate is abstracted to a boolean variable (here a=2 becomes c1 in both tests).
• This will also verify t1=1.
• This is still abstract though!
  – z=2 not verified
  – undecidable to reason completely
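The three views of the example on Pages 2 to 4, as an added illustration (this is not code from the slides or the paper): a small symbolic evaluator that runs the program over linear expressions in the input a, first with both tests treated as non-deterministic (four paths), then with both abstracted to the same boolean c1 (two consistent paths, a still symbolic), and finally with the predicate a=2 actually interpreted on the True path. The names lin, run_program, verified and verified_semantically are ours.

```python
# Added example, not from the slides: evaluate the running example symbolically.
from fractions import Fraction
from itertools import product

def lin(const=0, a=0):
    """Linear expression const + a*A over the symbolic program input A."""
    return {'1': Fraction(const), 'a': Fraction(a)}

def add(p, q): return {k: p[k] + q[k] for k in p}
def sub(p, q): return {k: p[k] - q[k] for k in p}

A = lin(a=1)   # the input variable a itself

def run_program(branch1, branch2):
    """Run the slide's program with the two conditionals resolved to the given branches."""
    if branch1:
        y, z = lin(2), A
    else:
        y, z = A, lin(2)
    if branch2:
        u, v = lin(1), add(lin(1), A)
    else:
        u, v = sub(A, lin(1)), lin(3)
    return {'t1': sub(y, u), 't2': sub(v, z), 'z': z}

ASSERTS = {
    't1=t2': lambda s: s['t1'] == s['t2'],
    't1=1':  lambda s: s['t1'] == lin(1),
    'z=2':   lambda s: s['z'] == lin(2),
}

def verified(states):
    """Which asserts hold, as identities in a, on every one of the given final states."""
    return {name: all(chk(s) for s in states) for name, chk in ASSERTS.items()}

# Path-insensitive: the tests are '*', so all four branch combinations are possible.
PATH_INSENSITIVE = [run_program(b1, b2) for b1, b2 in product([True, False], repeat=2)]

# Boolean abstraction: both tests are the same predicate, abstracted to one variable c1,
# so only the two consistent combinations survive, but a stays fully symbolic.
BOOLEAN_ABSTRACTION = [run_program(True, True), run_program(False, False)]

def substitute(p, a_value):
    """Instantiate the symbolic input a with a concrete value."""
    return lin(p['1'] + p['a'] * a_value)

def verified_semantically():
    """Interpret the predicate: on the True path a is 2; on the False path a is any
    value other than 2, and that path's final state already holds for every a."""
    true_path = {k: substitute(v, 2) for k, v in run_program(True, True).items()}
    return verified([true_path, run_program(False, False)])

if __name__ == '__main__':
    print('path-insensitive:    ', verified(PATH_INSENSITIVE))
    print('boolean abstraction: ', verified(BOOLEAN_ABSTRACTION))
    print('with a=2 interpreted:', verified_semantically())
```

The first call reports only t1=t2, the second adds t1=1, and only the third, which needs the meaning of a=2 rather than a boolean stand-in for it, reports z=2 as well.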

Page 5: Outline

• Existing approach (MVR) vs. our approach (FCED)
• FCEDs for linear arithmetic
• FCEDs for uninterpreted function terms

Page 6: Multi-Valued ROBDDs (MVRs)

    if (c1) then { y := 2; z := a; }      -- True branch
            else { y := a; z := 2; }      -- False branch
    if (c2) then { u := 1; v := 1+a; }    -- True branch
            else { u := a-1; v := 3; }    -- False branch
    t1 := y-u; t2 := v-z;
    Assert(t1=t2); Assert(t1=1);

MVRs for y, u and t1 (decision diagrams over c1, c2 with linear-expression leaves):

    y  = if c1 then 2 else a
    u  = if c2 then 1 else a-1
    t1 = if c1 then (if c2 then 1 else -a+3) else (if c2 then a-1 else 1)

• |MVR(t1)| = |MVR(y)| × |MVR(u)|
• MVR(t1) does not share nodes with MVR(y) and MVR(u)
• Need a normal form for leaves

Page 7: Free Conditional Expression Diagrams (FCEDs)

    if (c1) then { y := 2; z := a; }      -- True branch
            else { y := a; z := 2; }      -- False branch
    if (c2) then { u := 1; v := 1+a; }    -- True branch
            else { u := a-1; v := 3; }    -- False branch
    t1 := y-u; t2 := v-z;
    Assert(t1=t2); Assert(t1=1);

FCEDs for y and u are as before; t1 is a single minus node whose children are the FCEDs of y and u:

    y  = if c1 then 2 else a
    u  = if c2 then 1 else a-1
    t1 = Minus(FCED(y), FCED(u))

• |FCED(t1)| = |FCED(y)| + |FCED(u)|
• FCED(t1) shares nodes with FCED(y) and FCED(u)
• No need for normal form

Page 8: Outline

• Existing approach (MVR) vs. our approach (FCEDs)
• FCEDs for linear arithmetic
• FCEDs for uninterpreted function terms

Page 9: Problem Definition

    e = q | y | e1 ± e2 | q × e | if b then e1 else e2
    b = c | b1 ∧ b2 | b1 ∨ b2

    e: conditional linear arithmetic expression
    b: boolean formula
    y: rational variable
    c: boolean variable
    q: rational constant

• Construct FCED for an expression e, given FCEDs for its subexpressions.
• Check 2 FCEDs for equivalence.

Page 10: FCED

An FCED f is a DAG with the following kinds of nodes:

    f := y | q | Plus(f1,f2) | Minus(f1,f2) | Times(q,f) | Choose(f1,f2) | Guard(g,f)

Choose(f1,f2) means f1 or f2.
Guard(g,f) means if g then f.
Boolean expressions g are represented using ROBDDs:

    g := true | false | c | If(c,g1,g2)

Page 11: Example

FCED for y + u, with y = if c1 then 2 else a and u = if c2 then 1 else a-1: a plus node over two choose nodes, each choosing between two guarded leaves.

    Plus( Choose( Guard(R(c1), 2), Guard(R(¬c1), a) ),
          Choose( Guard(R(c2), 1), Guard(R(¬c2), a-1) ) )

Formalization


Page 13: FCED Construction

• FCED(y) = Leaf(y)
• FCED(q) = Leaf(q)
• FCED(e1+e2) = Plus(FCED(e1), FCED(e2))
• FCED(q × e) = Times(q, FCED(e))
• FCED(if b then e1 else e2) = Choose(Guard(R(b), FCED(e1)), Guard(R(NOT(b)), FCED(e2)))

Page 14: FCED Construction

• FCED(y) = Leaf(y)
• FCED(q) = Leaf(q)
• FCED(e1+e2) = Plus(FCED(e1), FCED(e2))
• FCED(q × e) = Times(q, FCED(e))
• FCED(if b then e1 else e2) = Choose(||R(b), FCED(e1)||, ||NOT R(b), FCED(e2)||)

Page 15: Normalize Guard Operator

Inputs: guard g, FCED f
Output: FCED f' such that
• f ≡ f'
• ∀ guard nodes Guard(g, f'') in f', BV(g) < BV(f'')

    ||g, f|| = Guard(g, f), if BV(g) < BV(f)
    ||g, Plus(f1,f2)|| = Plus(||g, f1||, ||g, f2||)
    ||g, Choose(f1,f2)|| = Choose(||g, f1||, ||g, f2||)
    ||g1, Guard(g2,f)|| = ||INTERSECT(g1,g2), f||

Page 16: Example: Normalize Guard Operator

Given f, construct ||R(c1), f||, where (reading the diagram)

    f = Plus( Choose( Guard(R(c2), z), Guard(R(¬c2), 6) ),
              Choose( Guard(R(c1), 2), Guard(R(¬c1), 3) ) )

Pushing the guard through Plus and Choose by the rules above leaves Guard(R(c1), ·) over the c2 subtree and merges it into the existing guards of the c1 subtree, giving Guard(R(c1 ∧ c1), 2) and Guard(R(¬c1 ∧ c1), 3).
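The normalize-guard operator of Page 15 run on the f of Page 16, as an added example (not the paper's code). Guards are If-trees in the slide's ROBDD style, INTERSECT is the usual BDD conjunction, and the variable-order measure BV, which the slides use but do not define, is our assumption: the smallest variable index in a guard or in any guard of an FCED, with constants at 0 and guard-free leaves at infinity. The names ORDER, intersect, BV, normalize, well_formed and example are ours.

```python
# Added example, not the paper's code: the normalize-guard operator ||g, f||.
import math

INF = math.inf
ORDER = {'c1': 1, 'c2': 2, 'c3': 3}   # ROBDD variable order (assumed for this example)

# Guards are ROBDD-style If-trees: True | False | ('if', c, g_then, g_else).
def If(c, g1, g2):
    """Build If(c, g1, g2), dropping the test when both branches agree (ROBDD reduction)."""
    return g1 if g1 == g2 else ('if', c, g1, g2)

def R(c, positive=True):
    """R(c) or R(¬c): the ROBDD of a single literal."""
    return If(c, positive, not positive)

def cofactor(g, c, value):
    """Restrict g to c := value; g's root is c or a later variable in ORDER."""
    if g is True or g is False or g[1] != c:
        return g
    return g[2] if value else g[3]

def intersect(g1, g2):
    """INTERSECT(g1, g2): conjunction of two ROBDDs by the usual 'apply' recursion."""
    if g1 is False or g2 is False:
        return False
    if g1 is True:
        return g2
    if g2 is True:
        return g1
    c = min(g1[1], g2[1], key=lambda v: ORDER[v])
    return If(c, intersect(cofactor(g1, c, True), cofactor(g2, c, True)),
                 intersect(cofactor(g1, c, False), cofactor(g2, c, False)))

# FCED nodes: ('leaf', x) | ('plus', f1, f2) | ('choose', f1, f2) | ('guard', g, f)
def BV(x):
    """Assumed measure: smallest ORDER index of a variable in a guard, or in any
    guard of an FCED; constants get 0 (they may sit anywhere), bare leaves INF."""
    if x is True or x is False:
        return 0
    tag = x[0]
    if tag == 'leaf':
        return INF
    if tag == 'if':
        return ORDER[x[1]]            # an ROBDD's root variable is its smallest one
    return min(BV(x[1]), BV(x[2]))    # plus / choose / guard

def normalize(g, f):
    """||g, f||: push g into f until every Guard(g', f'') has BV(g') < BV(f'')."""
    if BV(g) < BV(f):
        return ('guard', g, f)
    tag = f[0]
    if tag in ('plus', 'choose'):
        return (tag, normalize(g, f[1]), normalize(g, f[2]))
    if tag == 'guard':
        return normalize(intersect(g, f[1]), f[2])
    return ('guard', g, f)            # a leaf: nothing left to push through

def well_formed(f):
    """The output condition of the slide, checked on every guard node."""
    tag = f[0]
    if tag == 'leaf':
        return True
    if tag == 'guard':
        return BV(f[1]) < BV(f[2]) and well_formed(f[2])
    return well_formed(f[1]) and well_formed(f[2])

# The f of the slide's diagram, constructed here to match it.
leaf = lambda x: ('leaf', x)
f = ('plus',
     ('choose', ('guard', R('c2'), leaf('z')), ('guard', R('c2', False), leaf(6))),
     ('choose', ('guard', R('c1'), leaf(2)), ('guard', R('c1', False), leaf(3))))

def example():
    """||R(c1), f||: the guard stays above the c2 subtree and is intersected into
    the c1 subtree's guards, giving R(c1 ∧ c1) = R(c1) and R(¬c1 ∧ c1) = false."""
    return normalize(R('c1'), f)
```

Simply wrapping f as Guard(R(c1), f) violates the output condition, because the c1 subtree already carries c1 guards; example() returns the form the diagram arrives at, and well_formed confirms it.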

Page 17: Randomized Equivalence Testing for FCEDs

Assign hash values to nodes of FCEDs in bottom-up manner.

V: FCED Node → Integer
• V(Leaf(q)) = q
• V(Leaf(y)) = r_y
• V(Plus(f1,f2)) = V(f1) + V(f2)
• V(Choose(f1,f2)) = V(f1) + V(f2)
• V(Guard(g,f)) = H(g) × V(f)

H: Guard → Integer
• H(true) = 1, H(false) = 0
• H(c) = r_c
• H(If(c,g1,g2)) = r_c × H(g1) + (1 − r_c) × H(g2)

Page 18: Randomized Equivalence Testing for FCEDs

Completeness: f1 ≡ f2 ⇒ V(f1) = V(f2)
Soundness: f1 ≢ f2 ⇒ Pr[V(f1) = V(f2)] ≤ s/t
    s: maximum # of nodes in an FCED
    t: size of set from which random values are chosen

Proof: ∃ 1-1 Poly: FCED → Polynomials such that V(f) is the value of Poly(f).
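The construction of Page 13 and the hash of Page 17 together, as an added example (not the paper's code), run on the Page 4 program. R(b) is built by Shannon expansion over a fixed variable order, which is enough for H to be the multilinear polynomial of the guard; values are taken modulo a large prime, which plays the role of t in the s/t bound, and the random values come from a seeded generator so the run is reproducible. The V cases for Minus and Times are our natural extension of the slide's list, which spells out only Plus, Choose and Guard; the names program, check_running_example and check_independent_conditionals are ours.

```python
# Added example, not the paper's code: FCEDs for conditional linear arithmetic and
# the randomized hash-based equivalence test of the slides, run on the running example.
import random

P = 2**61 - 1                 # values live in Z_P, so t = P in the s/t bound
rng = random.Random(2004)     # fixed seed: reproducible, but the values are still random

# Boolean formulas b: ('var', c) | ('not', b) | ('and', b1, b2) | ('or', b1, b2)
def variables(b):
    if b[0] == 'var':
        return {b[1]}
    return set().union(*(variables(s) for s in b[1:]))

def evaluate(b, env):
    tag = b[0]
    if tag == 'var': return env[b[1]]
    if tag == 'not': return not evaluate(b[1], env)
    if tag == 'and': return evaluate(b[1], env) and evaluate(b[2], env)
    return evaluate(b[1], env) or evaluate(b[2], env)

def R(b, order=None, env=None):
    """Shannon-expansion tree If(c, R(b[c:=1]), R(b[c:=0])) of b over a fixed
    variable order. It is not reduced like an ROBDD, but H below only needs each
    If node to split correctly on its variable, which already makes H(g) the
    multilinear polynomial of g (so R(c1 ∧ c1) and R(c1) hash alike)."""
    order = sorted(variables(b)) if order is None else order
    env = {} if env is None else env
    if not order:
        return evaluate(b, env)                 # a constant: True or False
    c, rest = order[0], order[1:]
    return ('if', c, R(b, rest, {**env, c: True}), R(b, rest, {**env, c: False}))

# FCED nodes: ('leaf', y_or_q) | ('plus'|'minus'|'choose', f1, f2) | ('times', q, f) | ('guard', g, f)
def Leaf(x): return ('leaf', x)
def Plus(f1, f2): return ('plus', f1, f2)
def Minus(f1, f2): return ('minus', f1, f2)
def Times(q, f): return ('times', q, f)
def Choose(f1, f2): return ('choose', f1, f2)
def Guard(g, f): return ('guard', g, f)

def Ite(b, f1, f2):
    """FCED(if b then e1 else e2) = Choose(Guard(R(b), FCED(e1)), Guard(R(¬b), FCED(e2)))."""
    return Choose(Guard(R(b), f1), Guard(R(('not', b)), f2))

def fresh(name, r):
    """The random value r_name, drawn once per equivalence check and shared by both sides."""
    if name not in r:
        r[name] = rng.randrange(1, P)
    return r[name]

def H(g, r):
    """H(true)=1, H(false)=0, H(If(c,g1,g2)) = r_c*H(g1) + (1-r_c)*H(g2)."""
    if g is True: return 1
    if g is False: return 0
    _, c, g1, g2 = g
    rc = fresh(c, r)
    return (rc * H(g1, r) + (1 - rc) * H(g2, r)) % P

def V(f, r):
    """Bottom-up hash of the slide; Minus and Times are our extension of its list."""
    tag = f[0]
    if tag == 'leaf':
        return fresh(f[1], r) if isinstance(f[1], str) else f[1] % P
    if tag == 'plus':   return (V(f[1], r) + V(f[2], r)) % P
    if tag == 'minus':  return (V(f[1], r) - V(f[2], r)) % P
    if tag == 'times':  return (f[1] * V(f[2], r)) % P
    if tag == 'choose': return (V(f[1], r) + V(f[2], r)) % P
    return (H(f[1], r) * V(f[2], r)) % P      # guard

def equivalent(f1, f2):
    """Probabilistic check: equal hashes under one shared random assignment."""
    r = {}
    return V(f1, r) == V(f2, r)

c1, c2, a = ('var', 'c1'), ('var', 'c2'), Leaf('a')

def program(second_test):
    """FCEDs of t1, t2 and z for the running example; the first test is c1."""
    y = Ite(c1, Leaf(2), a)
    z = Ite(c1, a, Leaf(2))
    u = Ite(second_test, Leaf(1), Minus(a, Leaf(1)))
    v = Ite(second_test, Plus(Leaf(1), a), Leaf(3))
    return Minus(y, u), Minus(v, z), z

def check_running_example():
    """Both tests abstracted to c1, as on Page 4."""
    t1, t2, z = program(c1)
    return {'t1=t2': equivalent(t1, t2), 't1=1': equivalent(t1, Leaf(1)),
            'z=2': equivalent(z, Leaf(2))}

def check_independent_conditionals():
    """Second test a different variable c2, as on Pages 6 and 7: only t1=t2 survives."""
    t1, t2, _ = program(c2)
    return {'t1=t2': equivalent(t1, t2), 't1=1': equivalent(t1, Leaf(1))}
```

With both tests mapped to c1 the hashes of t1 and t2 collapse to exactly 1 modulo P, so t1=t2 and t1=1 are reported as equivalences, while z hashes to r_c1·r_a + 2(1 − r_c1), which differs from 2 unless r_a happens to be 2; that residual chance is the s/t of the soundness bound.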

Page 19: Outline

• Existing approach (MVR) vs. our approach (FCEDs)
• FCEDs for linear arithmetic
• FCEDs for uninterpreted function terms

Page 20: Problem Definition

    e = y | F(e1,e2) | if b then e1 else e2
    b = c | b1 ∧ b2 | b1 ∨ b2

    e: conditional uninterpreted function term
    b: boolean formula
    y: variable
    c: boolean variable

• Construct FCED for an expression e, given FCEDs for its subexpressions.
• Check 2 FCEDs for equivalence.

Page 21: FCED

An FCED f is a DAG with the following kinds of nodes:

    f := y | F(f1,f2) | Choose(f1,f2) | Guard(g,f)

Choose(f1,f2) means f1 or f2.
Guard(g,f) means if g then f.
Boolean expressions g are represented using ROBDDs:

    g := true | false | c | If(c,g1,g2)

Page 22: FCED Construction

    FCED(y) = Leaf(y)
    FCED(F(e1,e2)) = F(FCED(e1), FCED(e2))
    FCED(if b then e1 else e2) = Choose(||R(b), FCED(e1)||, ||NOT R(b), FCED(e2)||)

Page 23: Randomized Equivalence Testing of FCEDs

Assign hash values to nodes of FCEDs in bottom-up manner.

V: FCED Node → tuple of k integers, k ≥ depth of any FCED
• V(y) = [r_y, …, r_y]
• V(Choose(f1,f2)) = V(f1) + V(f2)
• V(Guard(g,f)) = H(g) × V(f)
• V(F(f1,f2)) = V(f1) × M + V(f2) × N

M, N: random k × k matrices

Page 24: Randomized Equivalence Testing for FCEDs

Completeness: f1 ≡ f2 ⇒ V(f1) = V(f2)
Soundness: f1 ≢ f2 ⇒ Pr[V(f1) = V(f2)] ≤
    s: maximum # of nodes in an FCED
    t: size of set from which random values are chosen

Proof: more involved
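The tuple-and-matrix hash of Page 23, as an added example (not the paper's code), beside a scalar hash of our own that the slides do not show. The scalar variant replaces F(e1,e2) by A·e1 + B·e2 with random scalars; because A·B = B·A, it gives F(F(x,y),F(z,w)) and F(F(x,z),F(y,w)) the same value, whereas the row-vector form with non-commuting random matrices M and N separates them. Guards here are a single variable or its negation, so H(c) = r_c and H(¬c) = 1 − r_c directly. The modulus P, the seed, K = 4 and the names V_scalar, scalar_equivalent, ite and demo are ours.

```python
# Added example, not the paper's code: the tuple/matrix hash for FCEDs over an
# uninterpreted binary function F, and why scalars would not do.
import random

P = 2**61 - 1
K = 4                           # k >= depth of any FCED hashed below (the deepest is 2)
rng = random.Random(2004)

def rand_matrix():
    return [[rng.randrange(P) for _ in range(K)] for _ in range(K)]

M, N = rand_matrix(), rand_matrix()       # the random k x k matrices of the slide

def vec_add(u, v): return [(x + y) % P for x, y in zip(u, v)]
def vec_scale(s, v): return [(s * x) % P for x in v]
def vec_mat(v, A):
    """Row vector times matrix, modulo P."""
    return [sum(v[i] * A[i][j] for i in range(K)) % P for j in range(K)]

# FCED nodes: ('leaf', y) | ('F', f1, f2) | ('choose', f1, f2) | ('guard', c, f) | ('nguard', c, f)
# A guard is one variable c (H = r_c) or its negation 'nguard' (H = 1 - r_c).
def fresh(name, r):
    if name not in r:
        r[name] = rng.randrange(1, P)
    return r[name]

def V(f, r):
    tag = f[0]
    if tag == 'leaf':
        return [fresh(f[1], r)] * K                          # V(y) = [r_y, ..., r_y]
    if tag == 'F':                                           # V(f1) x M + V(f2) x N
        return vec_add(vec_mat(V(f[1], r), M), vec_mat(V(f[2], r), N))
    if tag == 'choose':
        return vec_add(V(f[1], r), V(f[2], r))
    if tag == 'guard':
        return vec_scale(fresh(f[1], r), V(f[2], r))
    return vec_scale((1 - fresh(f[1], r)) % P, V(f[2], r))  # nguard

def equivalent(f1, f2):
    r = {}
    return V(f1, r) == V(f2, r)

# For contrast: a scalar hash F(e1,e2) -> A*e1 + B*e2 with random scalars A, B.
A_SC, B_SC = rng.randrange(1, P), rng.randrange(1, P)

def V_scalar(f, r):
    tag = f[0]
    if tag == 'leaf':   return fresh(f[1], r)
    if tag == 'F':      return (A_SC * V_scalar(f[1], r) + B_SC * V_scalar(f[2], r)) % P
    if tag == 'choose': return (V_scalar(f[1], r) + V_scalar(f[2], r)) % P
    if tag == 'guard':  return (fresh(f[1], r) * V_scalar(f[2], r)) % P
    return ((1 - fresh(f[1], r)) * V_scalar(f[2], r)) % P

def scalar_equivalent(f1, f2):
    r = {}
    return V_scalar(f1, r) == V_scalar(f2, r)

def leaf(y): return ('leaf', y)
def F(f1, f2): return ('F', f1, f2)
def ite(c, f1, f2): return ('choose', ('guard', c, f1), ('nguard', c, f2))

x, y, z, w = (leaf(n) for n in 'xyzw')

# (if c then F(x,z) else F(y,z)) and F(if c then x else y, z) denote the same term
# on every path, so both hashes agree, as completeness demands.
lhs = ite('c', F(x, z), F(y, z))
rhs = F(ite('c', x, y), z)

# F(F(x,y),F(z,w)) and F(F(x,z),F(y,w)) are different terms, but the scalar hash
# gives y and z the same coefficient A*B in both and cannot separate them; with
# matrices the coefficients are N*M and M*N, which differ.
term1 = F(F(x, y), F(z, w))
term2 = F(F(x, z), F(y, w))

def demo():
    return {'ite_vs_F (matrix)': equivalent(lhs, rhs),
            'ite_vs_F (scalar)': scalar_equivalent(lhs, rhs),
            'term1_vs_term2 (matrix)': equivalent(term1, term2),
            'term1_vs_term2 (scalar)': scalar_equivalent(term1, term2)}
```

The scalar collision is exact, not a matter of bad luck: the two terms have identical polynomials once A and B commute, so no choice of random values separates them. The matrix hash separates them whenever the all-ones row times N·M − M·N is non-zero, which fails only with probability on the order of k/P.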

Page 25: Conclusion and Future Work

• Randomization can help achieve simplicity and efficiency at the expense of making soundness probabilistic.
• Integrate randomized techniques with symbolic algorithms.
• A few interesting possible extensions:
  – Combination of uninterpreted functions with arithmetic
  – Partially interpreted functions like commutative and/or associative functions
  – Model memory