Page 1: Path-Sensitive Analysis for Linear Arithmetic and Uninterpreted Functions
SAS 2004
Sumit Gulwani, George Necula
EECS Department, University of California, Berkeley
Page 2: Example

    a=2?   True:  y := 2; z := a;       False: y := a; z := 2;
    a=2?   True:  u := 1; v := 1+a;     False: u := a-1; v := 3;
    t1 := y-u; t2 := v-z;
    Assert(t1=t2 ∧ t1=1 ∧ z=2);

All 3 asserts are true.
Page 3: Path-Insensitive Analysis

    *      True:  y := 2; z := a;       False: y := a; z := 2;
    *      True:  u := 1; v := 1+a;     False: u := a-1; v := 3;
    t1 := y-u; t2 := v-z;
    Assert(t1=t2 ∧ t1=1 ∧ z=2);

• Most PTIME analyses treat conditionals as non-deterministic (shown as *).
• They will verify only t1=t2.
Page 4: Path-Sensitive Analysis

    c1     True:  y := 2; z := a;       False: y := a; z := 2;
    c1     True:  u := 1; v := 1+a;     False: u := a-1; v := 3;
    t1 := y-u; t2 := v-z;
    Assert(t1=t2 ∧ t1=1 ∧ z=2);

• We can do better by doing a boolean abstraction of conditionals.
  • Each atomic predicate is abstracted to a boolean variable (both a=2? tests become c1).
• This will also verify t1=1.
• This is still abstract though!
  • z=2 is not verified.
  • Reasoning completely is undecidable.
Page 5: Outline

• Existing approach (MVR) vs. our approach (FCED)
• FCEDs for linear arithmetic
• FCEDs for uninterpreted function terms
Page 6: Multi-Valued ROBDDs (MVRs)

    c1     True:  y := 2; z := a;       False: y := a; z := 2;
    c2     True:  u := 1; v := 1+a;     False: u := a-1; v := 3;
    t1 := y-u; t2 := v-z;
    Assert(t1=t2); Assert(t1=1);

MVR(y):  c1 ? 2 : a
MVR(u):  c2 ? 1 : a-1
MVR(t1): c1 ? (c2 ? 1 : -a+3) : (c2 ? a-1 : 1)

• |MVR(t1)| = |MVR(y)| × |MVR(u)|
• MVR(t1) does not share nodes with MVR(y) and MVR(u)
• Need a normal form for leaves
Page 7: Free Conditional Expression Diagrams (FCEDs)

    c1     True:  y := 2; z := a;       False: y := a; z := 2;
    c2     True:  u := 1; v := 1+a;     False: u := a-1; v := 3;
    t1 := y-u; t2 := v-z;
    Assert(t1=t2); Assert(t1=1);

FCED(y):  c1 ? 2 : a
FCED(u):  c2 ? 1 : a-1
FCED(t1): a Minus node whose two children are the existing diagrams for y and u

• |FCED(t1)| = |FCED(y)| + |FCED(u)|
• FCED(t1) shares nodes with FCED(y) and FCED(u)
• No need for normal form
Page 9: Problem Definition

    e = q | y | e1 ± e2 | q × e | if b then e1 else e2
    b = c | b1 ∧ b2 | b1 ∨ b2

e: conditional linear arithmetic expression; b: boolean formula; y: rational variable; c: boolean variable; q: rational constant

• Construct FCED for an expression e, given FCEDs for its subexpressions.
• Check 2 FCEDs for equivalence.
Page 10: FCED

An FCED f is a DAG with the following kinds of nodes:

    f := y | q | Plus(f1,f2) | Minus(f1,f2) | Times(q,f) | Choose(f1,f2) | Guard(g,f)

Choose(f1,f2) means f1 or f2.
Guard(g,f) means if g then f.
Boolean expressions g are represented using ROBDDs:

    g := true | false | c | If(c,g1,g2)
Page 11: Example

Expression: (if c1 then 2 else a) + (if c2 then 1 else a-1)

Formalization as an FCED:

    plus( choose( guard(R(c1), 2), guard(R(¬c1), a) ),
          choose( guard(R(c2), 1), guard(R(¬c2), a-1) ) )
Page 13/14: FCED Construction

• FCED(y) = Leaf(y)
• FCED(q) = Leaf(q)
• FCED(e1+e2) = Plus(FCED(e1), FCED(e2))
• FCED(q × e) = Times(q, FCED(e))
• FCED(if b then e1 else e2) = Choose(Guard(R(b), FCED(e1)), Guard(R(¬b), FCED(e2)))   (first version, page 13)
• FCED(if b then e1 else e2) = Choose(||R(b), FCED(e1)||, ||¬R(b), FCED(e2)||)   (with the normalized guard operator ||g,f||, page 14)
Page 15: Normalize Guard Operator

Inputs: guard g, FCED f
Output: FCED f' s.t.
• f ≡ f'
• ∀ guard nodes Guard(g,f'') in f': BV(g) < BV(f'')

    ||g, f|| = Guard(g,f), if BV(g) < BV(f)
    ||g, Plus(f1,f2)|| = Plus(||g,f1||, ||g,f2||)
    ||g, Choose(f1,f2)|| = Choose(||g,f1||, ||g,f2||)
    ||g1, Guard(g2,f)|| = Guard(||INTERSECT(g1,g2), f||)
    …
Page 16: Example: Normalize Guard Operator

Given f, construct ||R(c1), f||.

(Figure: f is a plus node over choose nodes whose guard nodes carry R(c1), R(¬c1), R(c2) and R(¬c2); the guard R(c1) is pushed down through the plus and choose nodes and intersected with the guards it meets, yielding guard nodes such as R(c1 ∧ c1) and R(¬c1 ∧ c1).)
Page 17: Randomized Equivalence Testing for FCEDs

Assign hash values to nodes of FCEDs in bottom-up manner (r_y, r_c: random values chosen for the rational variable y and the boolean variable c).

V: FCED Node → Integer
• V(Leaf(q)) = q
• V(Leaf(y)) = r_y
• V(Plus(f1,f2)) = V(f1) + V(f2)
• V(Choose(f1,f2)) = V(f1) + V(f2)
• V(Guard(g,f)) = H(g) × V(f)

H: Guard → Integer
• H(true) = 1, H(false) = 0
• H(c) = r_c
• H(If(c,g1,g2)) = r_c × H(g1) + (1 − r_c) × H(g2)
Page 18: Randomized Equivalence Testing for FCEDs

Completeness: f1 ≡ f2 ⇒ V(f1) = V(f2)
Soundness: f1 ≢ f2 ⇒ Pr[V(f1) = V(f2)] ≤ s/t
  s: maximum # of nodes in a FCED
  t: size of set from which random values are chosen

Proof: ∃ 1-1 Poly: FCED → Polynomials such that V(f) is the value of Poly(f) at the random point.
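Worked instance of this proof idea, added here and not part of the slides: take the program of page 6, where the two conditionals are abstracted to independent booleans c1 and c2, and write $r_1, r_2, r_a$ for the random values chosen for c1, c2 and a. Reading the V rules symbolically (Leaf(a) ↦ $r_a$, Guard(R(c1),·) ↦ $r_1 \cdot$, Guard(R(¬c1),·) ↦ $(1-r_1)\cdot$) gives Poly(f):

$$
\begin{aligned}
\mathrm{Poly}(y) &= 2r_1 + (1-r_1)\,r_a, &\qquad \mathrm{Poly}(u) &= r_2 + (1-r_2)(r_a-1),\\
\mathrm{Poly}(v) &= r_2(1+r_a) + 3(1-r_2), &\qquad \mathrm{Poly}(z) &= r_1 r_a + 2(1-r_1),\\
\mathrm{Poly}(t_1) &= \mathrm{Poly}(y)-\mathrm{Poly}(u) = 1 + 2r_1 - 2r_2 - r_1 r_a + r_2 r_a,\\
\mathrm{Poly}(t_2) &= \mathrm{Poly}(v)-\mathrm{Poly}(z) = 1 + 2r_1 - 2r_2 - r_1 r_a + r_2 r_a,\\
\mathrm{Poly}(t_1) - \mathrm{Poly}(1) &= (r_1 - r_2)(2 - r_a).
\end{aligned}
$$

Since t1 ≡ t2, the two polynomials coincide and V(t1) = V(t2) for every choice of random values (completeness). Since t1 ≢ 1, the difference is a nonzero polynomial of degree 2, which vanishes at a random point drawn from a set of size t with probability at most 2/t (Schwartz-Zippel); in general the degree of Poly(f) is bounded by the number of nodes s, which is where the s/t bound on the slide comes from.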
Page 20: Problem Definition

    e = y | F(e1,e2) | if b then e1 else e2
    b = c | b1 ∧ b2 | b1 ∨ b2

e: conditional uninterpreted function term; b: boolean formula; y: variable; c: boolean variable

• Construct FCED for an expression e, given FCEDs for its subexpressions.
• Check 2 FCEDs for equivalence.
Page 21: FCED

An FCED f is a DAG with the following kinds of nodes:

    f := y | F(f1,f2) | Choose(f1,f2) | Guard(g,f)

Choose(f1,f2) means f1 or f2.
Guard(g,f) means if g then f.
Boolean expressions g are represented using ROBDDs:

    g := true | false | c | If(c,g1,g2)
Page 22: FCED Construction

• FCED(y) = Leaf(y)
• FCED(F(e1,e2)) = F(FCED(e1), FCED(e2))
• FCED(if b then e1 else e2) = Choose(||R(b), FCED(e1)||, ||¬R(b), FCED(e2)||)
Page 23: Randomized Equivalence Testing of FCEDs

Assign hash values to nodes of FCEDs in bottom-up manner.

V: FCED Node → Tuple of k integers, k ≥ depth of any FCED
• V(y) = [r_y, …, r_y]
• V(Choose(f1,f2)) = V(f1) + V(f2)
• V(Guard(g,f)) = H(g) × V(f)
• V(F(f1,f2)) = V(f1) × M + V(f2) × N
M, N: random k × k matrices
Page 24: Randomized Equivalence Testing for FCEDs

Completeness: f1 ≡ f2 ⇒ V(f1) = V(f2)
Soundness: f1 ≢ f2 ⇒ Pr[V(f1) = V(f2)] ≤
  s: maximum # of nodes in a FCED
  t: size of set from which random values are chosen

Proof: more involved
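Both hashing schemes end to end, as an added example written for this page and not the authors' implementation: the scalar hash of pages 13–18 for conditional linear arithmetic and the k-vector hash of pages 22–24 for uninterpreted function terms, sharing one guard hash H. Assumptions beyond the slides: random values are drawn from Z_P with P = 2^61 − 1 standing in for the set of size t; guards are kept as boolean formulas and H is computed by Shannon expansion in a fixed variable order, which yields exactly the value H takes on the ROBDD; the ||g,f|| normalization is skipped because it preserves f ≡ f' and hence the hash; V rules for Minus and Times, which page 17 does not list, are taken as V(f1) − V(f2) and q × V(f); the expression and FCED encodings are ad hoc tuples. The page-2 program is run through the analysis with both `a=2?` tests mapped to one boolean (page 4) and to independent booleans (pages 3 and 6); the term pair F(F(x,y),F(x,y)) / F(F(x,x),F(y,y)) is my own illustration of why vectors and non-commuting matrices are needed for F.

```python
"""FCEDs with randomized equivalence testing (pages 13-18, 22-24).  Added example, not
the authors' code; random values come from Z_P for a large prime P (the slides' set of size t)."""
import random
P = (1 << 61) - 1

# Guards: True | False | 'c' | ('not', g) | ('and', g1, g2) | ('or', g1, g2).
def gvars(g):
    if isinstance(g, bool): return set()
    if isinstance(g, str): return {g}
    return set().union(*map(gvars, g[1:]))

def gsubst(g, c, val):
    if isinstance(g, bool): return g
    if isinstance(g, str): return val if g == c else g
    return (g[0],) + tuple(gsubst(x, c, val) for x in g[1:])

def geval(g):  # g contains no variables
    if isinstance(g, bool): return g
    a = [geval(x) for x in g[1:]]
    return (not a[0]) if g[0] == 'not' else (a[0] and a[1] if g[0] == 'and' else a[0] or a[1])

def H(g, r):
    """Page 17's H on the ROBDD of g, by Shannon expansion in a fixed variable order."""
    vs = sorted(gvars(g))
    if not vs: return int(geval(g))                        # H(true)=1, H(false)=0
    c = vs[0]                                              # H(If(c,g1,g2)) = r_c*H(g1)+(1-r_c)*H(g2)
    return (r[c] * H(gsubst(g, c, True), r) + (1 - r[c]) * H(gsubst(g, c, False), r)) % P

# Expressions: q | 'y' | ('+',e1,e2) | ('-',e1,e2) | ('*',q,e) | ('F',e1,e2) | ('if',b,e1,e2).
# FCED nodes: ('leaf',x) | ('plus'|'minus'|'F'|'choose', f1, f2) | ('times',q,f) | ('guard',g,f).
def fced(e):
    """Pages 13/22; the ||g,f|| normalization of page 14 keeps f == f', so it is skipped."""
    if isinstance(e, (int, str)): return ('leaf', e)
    if e[0] == 'if':
        return ('choose', ('guard', e[1], fced(e[2])), ('guard', ('not', e[1]), fced(e[3])))
    if e[0] == '*': return ('times', e[1], fced(e[2]))
    return ({'+': 'plus', '-': 'minus', 'F': 'F'}[e[0]], fced(e[1]), fced(e[2]))

def fvars(f):
    if f[0] == 'leaf': return {f[1]} if isinstance(f[1], str) else set()
    if f[0] == 'guard': return gvars(f[1]) | fvars(f[2])
    return fvars(f[2]) if f[0] == 'times' else fvars(f[1]) | fvars(f[2])

def depth(f):
    if f[0] == 'leaf': return 1
    return 1 + (depth(f[2]) if f[0] in ('times', 'guard') else max(depth(f[1]), depth(f[2])))

def V_lin(f, r):
    """Page 17 scalar hash; Minus/Times rules (V(f1)-V(f2), q*V(f)) are assumed, not on the slide."""
    k = f[0]
    if k == 'leaf': return f[1] % P if isinstance(f[1], int) else r[f[1]]
    if k == 'times': return f[1] * V_lin(f[2], r) % P
    if k == 'guard': return H(f[1], r) * V_lin(f[2], r) % P
    a, b = V_lin(f[1], r), V_lin(f[2], r)
    return (a - b) % P if k == 'minus' else (a + b) % P   # Plus and Choose both add

def vecmat(v, A):  # row vector times k x k matrix, mod P
    return [sum(v[i] * A[i][j] for i in range(len(v))) % P for j in range(len(v))]

def V_uf(f, r, k, M, N):
    """Page 23 k-vector hash, k >= depth; random k x k matrices M, N mix F's arguments."""
    kind = f[0]
    if kind == 'leaf': return [r[f[1]]] * k
    if kind == 'guard':
        h = H(f[1], r)
        return [h * x % P for x in V_uf(f[2], r, k, M, N)]
    a, b = V_uf(f[1], r, k, M, N), V_uf(f[2], r, k, M, N)
    if kind == 'F': a, b = vecmat(a, M), vecmat(b, N)
    return [(x + y) % P for x, y in zip(a, b)]             # Choose adds; F adds the mixed vectors

def equivalent(e1, e2, theory='lin', trials=2, seed=None):
    """Pages 18/24: equivalent FCEDs always hash equal; inequivalent ones collide with
    probability at most s/t per trial (s = max #nodes, t = P here)."""
    rng = random.Random(seed)
    f1, f2 = fced(e1), fced(e2)
    names, k = fvars(f1) | fvars(f2), max(depth(f1), depth(f2))
    for _ in range(trials):
        r = {n: rng.randrange(P) for n in names}
        if theory == 'lin':
            equal = V_lin(f1, r) == V_lin(f2, r)
        else:
            M, N = [[[rng.randrange(P) for _ in range(k)] for _ in range(k)] for _ in range(2)]
            equal = V_uf(f1, r, k, M, N) == V_uf(f2, r, k, M, N)
        if not equal: return False
    return True

def page2_asserts(second_cond='c1'):
    """Page-2 program, both 'a=2?' tests abstracted to booleans: the same boolean for both
    (page 4) verifies t1=t2 and t1=1 but not z=2; an independent 'c2' (pages 3, 6) only t1=t2."""
    y, z = ('if', 'c1', 2, 'a'), ('if', 'c1', 'a', 2)
    u, v = ('if', second_cond, 1, ('-', 'a', 1)), ('if', second_cond, ('+', 1, 'a'), 3)
    t1, t2 = ('-', y, u), ('-', v, z)
    return {'t1=t2': equivalent(t1, t2), 't1=1': equivalent(t1, 1), 'z=2': equivalent(z, 2)}

def uf_examples():
    """Pushing a conditional through F is an equivalence; the second pair is my own example of
    why vectors matter: a scalar m*V(f1)+n*V(f2) gives both terms (m+n)(m*r_x+n*r_y)."""
    cond_inside = ('F', ('if', 'c', 'x', 'z'), 'y')
    cond_outside = ('if', 'c', ('F', 'x', 'y'), ('F', 'z', 'y'))
    t_a = ('F', ('F', 'x', 'y'), ('F', 'x', 'y'))
    t_b = ('F', ('F', 'x', 'x'), ('F', 'y', 'y'))
    return equivalent(cond_inside, cond_outside, 'uf'), equivalent(t_a, t_b, 'uf')
```

`page2_asserts()` returns t1=t2 and t1=1 verified and z=2 not, matching page 4; `page2_asserts('c2')` verifies only t1=t2, matching pages 3 and 6. The Shannon-expansion H is exponential in the number of boolean variables of a guard, which is fine for these examples; the ROBDD representation on page 10 is what makes it polynomial in practice. A "False" from `equivalent` is always correct (completeness); a "True" is wrong with probability at most (s/P) per trial, so `trials` can be raised when a tighter guarantee is needed.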
Page 25: Conclusion and Future Work

• Randomization can help achieve simplicity and efficiency at the expense of making soundness probabilistic.
• Integrate randomized techniques with symbolic algorithms.
• A few interesting possible extensions:
  – Combination of uninterpreted functions with arithmetic
  – Partially interpreted functions like commutative and/or associative functions
  – Model memory