Cover Algorithms and Their Combination
Sumit Gulwani, Madan Musuvathi (Microsoft Research, Redmond)
Cover Definition
The cover operation is useful for simplifying a formula by discarding facts related to a set of variables.
Given: a quantifier-free formula φ in theory T, and a set of symbols V.
Cover(φ, V) is the most-precise quantifier-free formula implied by φ that does not involve V.
e.g. Cover(y = f(a+v) − f(b+v), {v}) is (a = b) ⇒ y = 0
Cover vs. Quantifier Elimination
Quantifier Elimination: given a quantified formula, output a logically equivalent quantifier-free formula.
∃V. φ ≡ CoverT(φ, V) if T admits quantifier elimination.
Some theories do not, e.g. the theory of uninterpreted functions. Example: eliminating y from f(y) = 0; one cannot say “0 is in the range of f” without using quantifiers.
Cover(φ, V) is the most-precise quantifier-free approximation to ∃V. φ.
Applications
Strongest post-condition: useful for abstract interpretation on logical formulas; existential quantification of dead variables.
SP(φ, x := e) = ∃x′ (φ[x′/x] ∧ x = e[x′/x])
Image computation: useful for reachability analysis in symbolic model checking; existential quantification of old state variables.
Ri+1(S) = ∃S′ (Ri[S′/S] ∧ T(S′,S)) ∨ Ri(S)
Applications
Procedure summaries: existential quantification of local variables; useful for interprocedural analysis.
Interpolants: suppose A ⇒ B. Then I is an Interpolant(A,B) if
A ⇒ I ⇒ B and I only contains variables common to A and B.
Cover(A, VA) is the most precise Interpolant(A,B); ¬Cover(¬B, VB) is the least precise Interpolant(A,B).
Outline
Symbolic model checking using Cover
Cover algorithm for uninterpreted functions
Cover algorithm for the combination of uninterpreted functions and linear arithmetic
Symbolic Model Checking Algorithm
I(S): initial states, E(S): error states, T(S′,S): transition from old state S′ to new state S, R(S): reachable states
R0(S) = I(S)
Ri+1(S) = ∃S′ (Ri[S′/S] ∧ T(S′,S)) ∨ Ri(S)
Error found if Rn+1(S) ∧ E(S) is satisfiable
Symbolic Model Checking Using Cover
I(S): initial states, E(S): error states, T(S′,S): transition from old state S′ to new state S, R(S): reachable states
R0(S) = I(S)
Ri+1(S) = Cover(Ri[S′/S] ∧ T(S′,S), S′) ∨ Ri(S)
This algorithm can find false errors, as Cover over-approximates the set of reachable states.
Theorem: If the transition system is described using quantifier-free formulas, symbolic model checking using cover is sound and precise
Outline
Symbolic model checking using Cover
Cover algorithm for uninterpreted functions
Cover algorithm for the combination of uninterpreted functions and linear arithmetic
Cover Algorithm for Unary Uninterpreted Functions
Cover(φ, V) = erase V from the congruence closure of φ
Example: let φ be x = f(v1) ∧ y = f(v2) ∧ v1 = v2
Cover(φ, {v1, v2}) is x = y
[Diagram: E-graph of φ with nodes v1, v2, f(v1) = x and f(v2) = y]
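The unary algorithm above (congruence closure, then erasure of V), as an added Python example that is not part of the slides. The term encoding (a variable is a string, an application is a tuple) and the treatment of f(c) as V-free once class c has a V-free name are my choices, not the authors'.

```python
from itertools import combinations
# Terms: a variable is a str; an application of a unary symbol f to t is ('f', t).
def subterms(t, acc):  # collect t and all of its subterms into acc
    acc.add(t)
    return subterms(t[1], acc) if isinstance(t, tuple) else acc

def congruence_closure(equalities):
    # Union-find over all subterms, closed under f(s) = f(t) whenever s = t.
    terms = set()
    for a, b in equalities:
        subterms(a, terms); subterms(b, terms)
    parent = {t: t for t in terms}
    def find(t):
        while parent[t] != t:
            parent[t] = parent[parent[t]]; t = parent[t]
        return t
    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb
        return ra != rb
    for a, b in equalities:
        union(a, b)
    apps = [t for t in terms if isinstance(t, tuple)]
    while any(s[0] == t[0] and find(s[1]) == find(t[1]) and union(s, t)
              for s, t in combinations(apps, 2)):
        pass  # a merge can enable new congruences; repeat until a pass merges nothing
    return terms, find

key = lambda t: (isinstance(t, tuple), repr(t))  # deterministic order: variables, then apps
def cover_unary_uf(equalities, V):
    # Erasure: name each class by a V-free term (if any) and equate every node's
    # V-free reading to its class name; nodes without a V-free reading vanish.
    terms, find = congruence_closure(equalities)
    ordered = sorted(terms, key=key)
    # class root -> V-free term denoting that class; reversed so the smallest variable wins
    name = {find(t): t for t in reversed(ordered) if isinstance(t, str) and t not in V}
    changed = True
    while changed:  # f(c) becomes V-free once class c has a V-free name
        changed = False
        for t in ordered:
            if isinstance(t, tuple) and find(t) not in name and find(t[1]) in name:
                name[find(t)] = (t[0], name[find(t[1])]); changed = True
    def reading(t):  # V-free reading of a node, or None if it mentions V irreducibly
        if isinstance(t, str):
            return None if t in V else t
        return (t[0], name[find(t[1])]) if find(t[1]) in name else None
    result = set()
    for t in ordered:
        r = reading(t)
        if r is not None and r != name[find(t)]:
            result.add(tuple(sorted((r, name[find(t)]), key=key)))
    return result
```

On the slide's formula, cover_unary_uf([('x', ('f', 'v1')), ('y', ('f', 'v2')), ('v1', 'v2')], {'v1', 'v2'}) returns {('x', 'y')}; on x = v ∧ y = f(v) it returns y = f(x), the fact plain erasure of the v-nodes would lose.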
Cover Algorithm for Binary Uninterpreted Functions
The erasure technique does not work. Let φ be x = f(a, v) ∧ y = f(b, v). Erasure(φ, {v}) is true, but Cover(φ, {v}) is a = b ⇒ x = y.
Cover(φ, V) is the conjunction, over all partitions E of the congruence classes in φ, of
E ⇒ Erasure(φ ∧ E, V)
Example
Let φ be x1 = f(b1, v) ∧ x2 = f(b2, v) ∧ y = f(f(a1, v), f(a2, v))
[Reconstructed from the slide's E-graph diagram]
Cover(φ, {v}) is the conjunction of the four cases:
  (a1 = b1 ∧ a2 = b1) ⇒ y = f(x1, x1)
  (a1 = b1 ∧ a2 = b2) ⇒ y = f(x1, x2)
  (a1 = b2 ∧ a2 = b1) ⇒ y = f(x2, x1)
  (a1 = b2 ∧ a2 = b2) ⇒ y = f(x2, x2)
Cover(φ, {v}) can be exponential in the size of φ
Outline
Cover algorithm for linear arithmetic
Cover algorithm for uninterpreted functions
Cover algorithm for combination of theories
Combining Cover Algorithms: Idea 1
CoverT1∪T2(φ1 ∧ φ2, V):
  Return CoverT1(φ1, V) ∧ CoverT2(φ2, V)
Fails on x = v1+1 ∧ y = v2+1 ∧ v1 = f(z) ∧ v2 = f(z):
  Algorithm returns true; Cover is x = y
Solution: share variable equalities
Combining Cover Algorithms: Idea 2
CoverT1∪T2(φ1 ∧ φ2, V):
  E ← Saturate(φ1, φ2)
  Return CoverT1(φ1 ∧ E, V) ∧ CoverT2(φ2 ∧ E, V)
Fails on v = x+1 ∧ y = f(v):
  Algorithm returns true; Cover is y = f(x+1)
Solution: share equalities between variables and “simple” terms
Combining Cover Algorithms: Idea 3
CoverT1∪T2(φ1 ∧ φ2, V):
  E ← Saturate(φ1, φ2)
  Return CoverT1(φ1 ∧ E, V) ∧ CoverT2(φ2 ∧ E, V)
Fails on x ≤ v ∧ v ≤ y ∧ v = f(z, v):
  Algorithm returns x ≤ y; Cover is x ≤ y ∧ (x = y ⇒ x = f(z, x))
Solution: share conditional equalities
Example
Cover(y = f(a+v) − f(b+v), {v})
Purified into a linear-arithmetic part and an uninterpreted-functions part:
  v1 = a+v, v2 = b+v, y = v3 − v4 (linear arithmetic)
  v3 = f(v1), v4 = f(v2) (uninterpreted functions)
Conditional equalities exchanged between the two parts:
  a = b ⇒ v1 = v2 (derived in linear arithmetic, shared with uninterpreted functions)
  a = b ⇒ v3 = v4 (derived in uninterpreted functions, shared back)
  a = b ⇒ y = 0 (derived in linear arithmetic); the uninterpreted-functions side yields true
Result: Cover is a = b ⇒ y = 0
Conclusion
Cover is the most-precise quantifier-free approximation to quantifier elimination
Cover algorithm for uninterpreted functions
Cover algorithm for combination of theories: exchange equalities between variables and good terms; exchange conditional equalities