path-sensitive analysis for linear arithmetic and uninterpreted functions sas 2004 sumit gulwani...

Path-Sensitive Analysis for Linear Arithmetic and Uninterpreted Functions

SAS 2004

Sumit Gulwani George Necula

EECS DepartmentUniversity of California, Berkeley

2

y := 2; z := a;

y := a; z := 2;

u := 1; v := 1+a;

t1 := y-u; t2 := v-z;

True

True

False

False

Example

u := a-1; v := 3;

Assert(t1=t2 Æ t1=1 Æ z=2);

a=2?

All 3 asserts are truea=2?

3

y := 2; z := a;

y := a; z := 2;

u := 1; v := 1+a;

t1 := y-u; t2 := v-z;

True

True

False

False

Path-Insensitive Analysis

u := a-1; v := 3;

Assert(t1=t2 Æ t1=1 Æ z=2);

*

•Most PTIME analyses treat conditionals as non-deterministic.

•They will verify only t1=t2

*

4

y := 2; z := a;

y := a; z := 2;

u := 1; v := 1+a;

t1 := y-u; t2 := v-z;

True

True

False

False

Path-Sensitive Analysis

u := a-1; v := 3;

Assert(t1=t2 Æ t1=1 Æ z=2);

c1

•We can do better by doing a boolean abstraction of conditionals.

• Each atomic predicate is abstracted to a boolean variable

•This will also verify t1=1

•This is still abstract though!

•z=2 not verified

•undecidable to reason completely

c1

5

Outline

• Existing approach (MVR) vs. our approach (FCED)

• FCEDs for linear arithmetic

• FCEDs for uninterpreted function terms

6

y := 2; z := a;

y := a; z := 2;

u := 1; v := 1+a;

t1 := y-u; t2 := v-z;

True

True False

False

Multi-Valued ROBDDs (MVRs)

c1

2 a

y = c2

1 a-1

u =

u := a-1; v := 3;

Assert(t1=t2); Assert(t1=1);

c1

c2

•|MVR(t1)| = |MVR(y)| £ |MVR(u)|

•MVR(t1) does not share nodes with MVR(y) and MVR(u)

•Need a normal form for leaves

c1

c2 c2

1 -a+3

a-1 1

t1 =

7

y := 2; z := a;

y := a; z := 2;

u := 1; v := 1+a;

t1 := y-u; t2 := v-z;

True

True False

False

Free Conditional Expression Diagrams (FCEDs)

c1

2 a

y = c2

1 a-1

u =

-t1 =

u := a-1; v := 3;

Assert(t1=t2); Assert(t1=1);

c1

c2

•|FCED(t1)| = |FCED(y)| + |FCED(u)|

•FCED(t1) shares nodes with FCED(y) and FCED(u)

•No need for normal form

8

Outline

• Existing approach (MVR) vs. our approach (FCEDs)

• FCEDs for linear arithmetic

• FCEDs for uninterpreted function terms

9

Problem Definition

e = q | y | e1 § e2 | q £ e | if b then e1 else e2

b = c | b1 Æ b2 | b1 Ç b2

e: conditional linear arithmetic expressionb: boolean formulay: rational variablec: boolean variableq: rational constant

• Construct FCED for an expression e, given FCEDs for its subexpressions.

• Check 2 FCEDs for equivalence

10

FCED

An FCED f is a DAG with the following kind of nodes.

f := y | q | Plus(f1,f2) | Minus(f1,f2) | Times(q,f) | Choose(f1,f2) | Guard(g,f)

Choose(f1,f2) means f1 or f2

Guard(g,f) means if g then f

Boolean expressions g are represented using ROBDDs

g := true | false | c | If(c,g1,g2)

11

Example

c1

2 a

c2

1 a-1

+

choose

guard guard

choose

guard guard

plus

R(c1)

2 R(:c1) a R(c2) 1 R(:c2) a-1

Formalization

12

Example

c1

2 a

c2

1 a-1

+

choose

guard guard

choose

guard guard

plus

R(c1)

2 R(:c1) a R(c2) 1 R(:c2) a-1

Formalization

13

FCED Construction

• FCED(y) = Leaf(y)

• FCED(q) = Leaf(q)

• FCED(e1+e2) = Plus (FCED(e1), FCED(e2))

• FCED(q £ e) = Times(q,FCED(e))

• FCED(if b then e1 else e2) = Choose(Guard(R(b),e1), Guard(R(NOT(b)),e2)

14

FCED Construction

• FCED(y) = Leaf(y)

• FCED(q) = Leaf(q)

• FCED(e1+e2) = Plus (FCED(e1), FCED(e2))

• FCED(q £ e) = Times(q,FCED(e))

• FCED(if b then e1 else e2) = Choose(||R(b),FCED(e1)||, ||NOT R(b), FCED(e2)||)

15

Normalize Guard Operator

Inputs: guard g, FCED f

Output: FCED f’ s.t.

•f ´ f’

• 8 guard nodes Guard(g,f’’) in f’, BV(g) < BV(f’’)

||g,f|| = Guard(g,f), if BV(g) < BV(f)

||g, Plus(f1,f2) = Plus(||g,f1||, ||g, f2||)

||g, Choose(f1,f2) = Choose(||g,f1||, ||g, f2||)

||g1, Guard(g2,f )|| = Guard(|| INTERSECT(g1,g2),f ||)

…

16

guard

R(c1)

guard

R(c1)

guard

R(c1)

Example: Normalize Guard Operator

plus

choose

guard guard

R(c2)

z R(:c2) 6

Given f, construct ||R(c1),f||

guard

choose

guard

R(c1)

R(:c1) 32

choose

guard

R(:c1) 3

guard

R(c1)

2R(c1Æc1)

guard

2 R(:c1Æc1)

guard

3

choose

17

Randomized Equivalence Testing for FCEDs

Assign hash values to nodes of FCEDs in bottom-up manner

V: FCED Node ! Integer• V(Leaf(q)) = q• V(Leaf(y)) = ry

• V(Plus(f1,f2)) = V(f1) + V(f2)• V(Choose(f1,f2)) = V(f1) + V(f2)• V(Guard(g,f)) = H(g) £ V(f)

H: Guard ! Integer• H(true) = 1, H(false) = 0• H(c) = rc

• H(If(c,g1,g2)) = rc £ H(g1) + (1-rc) £ H(g2)

18

Randomized Equivalence Testing for FCEDs

Completenessf1 ´ f2 ) V(f1) = V(f2)

Soundnessf1 ´ f2 ) Pr[V(f1) = V(f2)] · s/t

s: maximum # of nodes in a FCEDt: size of set from which random values are

chosen

Proof: 9 1-1 Poly: FCED ! Polynomials such that V(f) is the value of Poly(f)

19

Outline

• Existing approach (MVR) vs. our approach (FCEDs)

• FCEDs for linear arithmetic

• FCEDs for uninterpreted function terms

20

Problem Definition

e = y | F(e1,e2) | if b then e1 else e2

b = c | b1 Æ b2 | b1 Ç b2

e: conditional uninterpreted function termb: boolean formulay: variablec: boolean variable

• Construct FCED for an expression e, given FCEDs for its subexpressions.

• Check 2 FCEDs for equivalence

21

FCED

An FCED f is a DAG with the following kind of nodes.

f := y | F(f1,f2) | Choose(f1,f2) | Guard(g,f)

Choose(f1,f2) means f1 or f2

Guard(g,f) means if g then f

Boolean expressions g are represented using ROBDDs

g := true | false | c | If(c,g1,g2)

22

FCED Construction

FCED(y) = Leaf(y)

FCED(F(e1,e2)) = F(FCED(e1), FCED(e2))

FCED(if b then e1 else e2) = Choose(||R(b),FCED(e1)||, ||NOT R(b), FCED(e2)||)

23

Randomized Equivalence Testing of FCEDs

Assign hash values to nodes of FCEDs in bottom-up manner

V: FCED Node ! Tuple of k integersK ¸ depth of any FCED

• V(y) = [ry,…ry]

• V(Choose(f1,f2)) = V(f1) + V(f2)

• V(Guard(g,f)) = H(g) £ V(f)

• V(F(f1,f2)) = V(f1) £ M + V(f2) £ N

M, N: random k £ k matrices

24

Randomized Equivalence Testing for FCEDs

Completenessf1 ´ f2 ) V(f1) = V(f2)

Soundnessf1 ´ f2 ) Pr[V(f1) = V(f2)] ·

s: maximum # of nodes in a FCEDt: size of set from which random values are

chosen

Proof: more involved

25

Conclusion and Future Work

• Randomization can help achieve simplicity and efficiency at the expense of making soundness probabilistic.

• Integrate randomized techniques with symbolic algorithms

• Few interesting possible extensions:– Combination of uninterpreted functions with

arithmetic– Partially interpreted functions like commutative

and/or associative functions– Model memory