Title: Assertion Checking over Combined Abstraction of Linear Arithmetic and Uninterpreted Functions
1. Assertion Checking over Combined Abstraction of Linear Arithmetic and Uninterpreted Functions
- Sumit Gulwani, Microsoft Research, Redmond
- Ashish Tiwari, SRI
2. Precision of combined abstraction

    a1 := 0; a2 := 0; b1 := 1; b2 := F(1); c1 := 2; c2 := 2;
    loop (True / False: nondeterministic exit)
      a1 := a1 + 1;  a2 := a2 + 2;
      b1 := F(b1);   b2 := F(b2);
      c1 := F(2c1 - c2);  c2 := F(c2);
    end loop
    Assert(a2 = 2a1);  Assert(b2 = F(b1));  Assert(c2 = c1);

- Analysis over the abstractions of linear arithmetic and of uninterpreted functions can verify the first and second assertions respectively.
- The third assertion can be verified only over the combined abstraction.
3. Abstract Program Model / Problem Statement
- Linear Arithmetic
  - e ::= y | c | e1 ± e2 | c·e
- Uninterpreted Functions
  - e ::= y | F(e1, e2)
- Combination
  - e ::= y | c | e1 ± e2 | c·e | F(e1, e2)
4. Earlier Results

| Abstraction | Assertion Checking Complexity | Decision Procedure Complexity |
|---|---|---|
| Linear Arithmetic | O(n^2), Gulwani-Necula (POPL 03) | O(n^3), Gaussian Elimination |
| Uninterpreted Functions | O(n^4), Gulwani-Necula (POPL 04) | O(n log n), Congruence Closure |
| Combination | coNP-hard! (this paper) | O(n^4), Nelson-Oppen Combination |
5. Outline
- Connection between assertion checking and unification
- coNP-hardness
- Algorithm
- Remarks
6. Unification Terminology
- A substitution σ is an (acyclic) mapping of some variables to expressions.
- A substitution σ1 is more general than σ2 if there exists a substitution σ such that σ2 = σ(σ1), i.e. σ2 is obtained from σ1 by substituting further.
- A substitution σ is a unifier for an equality e1 = e2 if e1[y/σ(y)] = e2[y/σ(y)].
- Example
  - Consider the equality F(y) = F(a) + F(b) − F(a+b−y).
  - y ↦ a is a unifier for it and so is {y ↦ 1, a ↦ 1}. The former unifier is more general than the latter.
7. Unification Terminology Continued
- A set of unifiers σ1, ..., σk for e1 = e2 is complete if for every unifier σ of e1 = e2 there exists i such that σi is more general than σ.
- Example: Consider the equality F(y) = F(a) + F(b) − F(a+b−y). {y ↦ a, y ↦ b} is a complete set of unifiers for it. Hence, Unif(F(y) = F(a) + F(b) − F(a+b−y)) = (y=a ∨ y=b).
8. Connection between Assertion Checking and Unification
- An assertion e1 = e2 holds at a program point π iff the assertion Unif(e1 = e2) holds at π.
- Example: To prove F(y) = F(a) + F(b) − F(a+b−y), you need to prove that y=a ∨ y=b is true.
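An added illustration (not code from the slides or the paper): a small normaliser for expressions of the combined abstraction, used both to run the program from the "Precision of combined abstraction" slide on symbolic state and check its three assertions as identities, and to test candidate unifiers for the equality F(y) = F(a) + F(b) − F(a+b−y) discussed above. The names norm, subst, is_unifier and run_example are my own.

```python
# Expressions over linear arithmetic plus one uninterpreted function F are kept
# in a normal form: a sorted tuple of (atom, coefficient) pairs, where an atom
# is the constant "1", a variable ("v", name) or an application ("F", expr).
def norm(terms):
    acc = {}
    for atom, c in terms:
        acc[atom] = acc.get(atom, 0) + c
    return tuple(sorted(((a, c) for a, c in acc.items() if c), key=repr))

def const(c):    return norm([("1", c)])
def var(name):   return norm([(("v", name), 1)])
def F(e):        return norm([(("F", e), 1)])
def scale(c, e): return norm([(a, c * k) for a, k in e])
def add(e1, e2): return norm(list(e1) + list(e2))
def sub(e1, e2): return add(e1, scale(-1, e2))

def subst(e, sigma):
    """Apply substitution sigma (dict: variable name -> expression) to e."""
    out = []
    for atom, c in e:
        if isinstance(atom, tuple) and atom[0] == "v" and atom[1] in sigma:
            out.extend(scale(c, sigma[atom[1]]))          # y / sigma(y)
        elif isinstance(atom, tuple) and atom[0] == "F":
            out.append((("F", subst(atom[1], sigma)), c))  # substitute under F
        else:
            out.append((atom, c))
    return norm(out)

def is_unifier(lhs, rhs, sigma):
    """sigma unifies lhs = rhs iff both sides reach the same normal form."""
    return subst(lhs, sigma) == subst(rhs, sigma)

def run_example(n):
    """Execute the slide's program for n loop iterations on symbolic state and
    report whether each of the three assertions holds as a syntactic identity."""
    a1, a2, b1, b2 = const(0), const(0), const(1), F(const(1))
    c1, c2 = const(2), const(2)
    for _ in range(n):
        a1 = add(a1, const(1)); a2 = add(a2, const(2))
        b1 = F(b1);             b2 = F(b2)
        # 2*c1 - c2 collapses to c1 only because linear arithmetic is applied
        # to F-terms: this is the step that needs the combined abstraction.
        c1 = F(sub(scale(2, c1), c2)); c2 = F(c2)
    return (a2 == scale(2, a1), b2 == F(b1), c2 == c1)

# The equality F(y) = F(a) + F(b) - F(a+b-y) from the unification slides.
y, a, b = var("y"), var("a"), var("b")
LHS = F(y)
RHS = sub(add(F(a), F(b)), F(sub(add(a, b), y)))
```

Each assertion is checked only for a bounded number of iterations here; the slides' point is that the analysis over the combined abstraction proves them for all iterations.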
9. Outline
- Connection between assertion checking and unification
- coNP-hardness
- Algorithm
- Remarks
10. Reducing Unsatisfiability to Assertion Checking
- ψ: boolean 3-SAT instance with m clauses over variables 1..k
- IsUnsatisfiable(ψ):
  - for j := 1 to m: c_j := 0
  - for i := 1 to k do
    - if (*)   (nondeterministic branch)
      - ∀ j s.t. var i occurs positively in clause j: c_j := 1
    - else
      - ∀ j s.t. var i occurs negatively in clause j: c_j := 1
  - y := c_1 + c_2 + ... + c_m
  - Assert(y=0 ∨ y=1 ∨ ... ∨ y=m−1)
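A runnable model of the IsUnsatisfiable(ψ) reduction above, added here as an illustration (not code from the slides or the paper): it enumerates every resolution of the nondeterministic branches, computes y on each path, and compares the assertion's verdict with a truth-table check on constructed 3-SAT instances. The function names and the instances UNSAT and SAT are my own.

```python
from itertools import product

# Constructed 3-SAT instances: a clause is a tuple of non-zero ints, +i for
# variable i and -i for its negation, with variables numbered 1..k.
UNSAT = [tuple(s * v for s, v in zip(signs, (1, 2, 3)))
         for signs in product([1, -1], repeat=3)]   # all 8 sign patterns over x1..x3
SAT = [(1, 2, 3), (-1, -2, 3), (1, -2, -3)]

def run_program(clauses, k, choices):
    """One execution of IsUnsatisfiable(psi) for a fixed resolution of the
    nondeterministic branches: choices[i-1] is True when the if-branch is taken
    for variable i, i.e. the path guesses variable i to be true."""
    m = len(clauses)
    c = [0] * m                                        # c_j := 0 for j = 1..m
    for i in range(1, k + 1):
        for j, clause in enumerate(clauses):
            if choices[i - 1] and i in clause:         # var i occurs positively in clause j
                c[j] = 1
            elif not choices[i - 1] and -i in clause:  # var i occurs negatively in clause j
                c[j] = 1
    return sum(c)                                      # y := c_1 + c_2 + ... + c_m

def assertion_holds(clauses, k):
    """Assert(y=0 v y=1 v ... v y=m-1) holds iff it holds on every path.
    y counts the clauses satisfied by the guessed assignment, so y = m exactly
    on a path whose guess satisfies psi; the assertion fails iff psi is satisfiable."""
    m = len(clauses)
    paths = product([False, True], repeat=k)
    return all(run_program(clauses, k, ch) in range(m) for ch in paths)

def unsatisfiable(clauses, k):
    """Reference answer: no truth assignment satisfies every clause."""
    satisfied = lambda asg, cl: any((lit > 0) == asg[abs(lit) - 1] for lit in cl)
    return not any(all(satisfied(asg, cl) for cl in clauses)
                   for asg in product([False, True], repeat=k))
```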
11. Encoding disjunction
- The check y=1 ∨ y=2 can be encoded by the assertion F(y) = F(1) + F(2) − F(3−y).
- The above trick can be recursively applied to construct an assertion that encodes y=0 ∨ y=1 ∨ ... ∨ y=m−1.
- E.g., y=0 ∨ y=1 ∨ y=2 can be encoded by encoding
  - F(y) = F(0) ∨ F(y) = F(1) + F(2) − F(3−y)
12. Outline
- Connection between assertion checking and unification
- coNP-hardness
- Algorithm
- Remarks
13. Assertion Checking Algorithm
- Backward Analysis
  - Perform weakest precondition computation.
  - At each step replace the formula ψ by Unif(ψ), which is a stronger and simpler formula.
- Termination (reaching a fixpoint across loops)?
  - Yes, because of the unifier computations.
  - This result is interesting because forward analysis (which attempts to infer invariants) does not terminate, as the lattice has infinite height.
14. Proof of Termination
- At each program point, the proof obligation has the form
  $$\bigvee_{i=1}^{k} \bigwedge_{y} \; y = \sigma_i(y)$$
- In each successive loop iteration, the above formula becomes stronger. We prove this cannot happen indefinitely.
- Assign the following measure to the above formula: the number of conjuncts representing unifier σi, for i = 1 to k.
- Show this measure decreases in some well-founded ordering.
15. Outline
- Connection between assertion checking and unification
- coNP-hardness
- Algorithm
- Remarks
16. Further Connections between Assertion Checking and Unification
- Can we explain the complexity results more naturally?
- Answer
  - The complexity of assertion checking appears to depend on the cardinality of a complete set of unifiers for equalities in the corresponding abstraction.

| Abstraction | Cardinality | Complexity |
|---|---|---|
| Linear Arithmetic | Unitary | PTime |
| Uninterpreted Functions | Unitary | PTime |
| Combination | Finitary | coNP-hard, but decidable |
17. Related work on combining abstract interpreters
- Is there an efficient analysis to reason about most assertions?
- Answer (PLDI 06): Given abstract interpreters for
  - Lattice L1 (e.g., linear equalities, Gulwani-Necula POPL 03)
  - Lattice L2 (e.g., uninterpreted functions, Gulwani-Necula POPL 04)
  - one can obtain an abstract interpreter for the logical product of L1 and L2.
- Cons
  - Cannot reason about all assertions.
- Pros
  - Polynomial time.
  - Can reason about conditionals.
18. Conclusion
- Assertion checking for the combination of linear arithmetic and uninterpreted functions is
  - coNP-hard,
  - but decidable.
- We prove these (surprising!) results by establishing connections between assertion checking and unification.
- These results motivate the logical product combination of lattices, which entails slightly imprecise, but efficient, automated reasoning (PLDI 06).