Loading...

PPT – Logical Abstract Interpretation PowerPoint presentation | free to view - id: d32a7-ZDc1Z

The Adobe Flash plugin is needed to view this content

Logical Abstract Interpretation

- Sumit Gulwani
- Microsoft Research, Redmond

Final Goal of the class

- Automatically verify partial correctness of

programs like the following using abstract

interpretation. - Void Init(int A, int n)
- for (i 0 iltn i)
- Ai 0
- for (j 0 jltn j)
- Assert(Aj 0)

Outline

- Decision Procedures
- Linear Arithmetic
- Uninterpreted Functions
- Combination of Linear Arithmetic and

Uninterpreted Fns - Logical Abstract Interpretation
- Linear Arithmetic
- Uninterpreted Functions
- Combination of Linear Arithmetic and

Uninterpreted Fns - Universally Quantified Formulas
- Hardness of Assertion Checking
- Linear Arithmetic
- Uninterpreted Functions
- Combination of Linear Arithmetic and

Uninterpreted Fns

Decision Procedures

- DPT(?) Yes, if ? is satisfiable
- No, if ? is unsatisfiable
- Without loss of generality, we can assume that ?

is a conjunction of atomic facts. - Why?
- DP(?1Ç?2) is sat iff DP(?1) is sat or DP(?2) is

sat - What is the trade-off?
- Converting ? into DNF may incur exponential

blow-up

Outline

- Decision Procedures
- Linear Arithmetic
- Uninterpreted Functions
- Combination of Linear Arithmetic and

Uninterpreted Fns - Logical Abstract Interpretation
- Linear Arithmetic
- Uninterpreted Functions
- Combination of Linear Arithmetic and

Uninterpreted Fns - Universally Quantified Formulas
- Hardness of Assertion Checking
- Linear Arithmetic
- Uninterpreted Functions
- Combination of Linear Arithmetic and

Uninterpreted Fns

Linear Arithmetic

- Expressions e y c e1 e2 c e
- Atomic facts g e0 e?0
- Note that e0 can be represented as e0 Æ e0
- egt0 can be represented as e-10
- (over integer LA)
- The decision problem for integer LA is NP-hard.
- The decision problem for rational LA is PTime.
- PTime algorithms are complicated to implement.

Popular choice is an exponential algorithm called

Simplex - We will study a PTime algorithm for a special

case.

Difference Constraints

- A special case of Linear Arithmetic
- Constraints of the form xc and x-yc
- We can represent xc by x-uc, where u is a

special zero variable. Wlog, we will assume

henceforth that we only have constraints x-yc - Reasoning required x-yc1 Æ y-zc2 ) x-zc1c2
- O(n3) (saturation-based) decision procedure
- Represent contraints by a matrix Mnn
- where Mij c represents xixj c
- Perform transitive closure of M
- Mij min Mij, MikMkj
- ? is unsat iff 9i Mii lt 0

Outline

- Decision Procedures
- Linear Arithmetic
- Uninterpreted Functions
- Combination of Linear Arithmetic and

Uninterpreted Fns - Logical Abstract Interpretation
- Linear Arithmetic
- Uninterpreted Functions
- Combination of Linear Arithmetic and

Uninterpreted Fns - Universally Quantified Formulas
- Hardness of Assertion Checking
- Linear Arithmetic
- Uninterpreted Functions
- Combination of Linear Arithmetic and

Uninterpreted Fns

Uninterpreted Functions

- Expressions e x F(e1,e2)
- Atomic fact g e1e2 e1?e2
- Axiom 8e1,e2,e1,e2 e1e1 Æ e2e2 )

F(e1,e2)F(e1,e2) - (called congruence axiom)
- (saturation-based) Decision Procedure
- Represent equalities e1e2 2 G in Equivalence DAG

(EDAG) - Nodes of an EDAG represent congruence classes of

expressions that are known to be equal. - Saturate equalities in the EDAG by following

rule - If C(e1)C(e1) Æ C(e2)C(e2), Merge

C(F(e1,e2)), C(F(e1,e2)) - where C(e) denotes congruence class of expression

e - Declare unsatisfiability iff 9 e1?e2 in G s.t.

C(e1) C(e2)

Uninterpreted Functions Example

yF5(y)

y?F(y)

yF3(y)

Æ

Æ

F

F

F(y)F4(y)

F

F2(y)F5(y)

F

yF2(y)

F

F(y)F3(y)

y

yF(y)

? unsat

Uninterpreted Functions Complexity

- Complexity of congruence closure O(n log n),

where n is the size of the input formula - In each step, we merge 2 congruence classes. The

total number of steps required is thus n, where n

is a bound on the original number of congruence

classes. - The complexity of each step can be O(log n) by

using union-find data structure

Outline

- Decision Procedures
- Linear Arithmetic
- Uninterpreted Functions
- Combination of Linear Arithmetic and

Uninterpreted Fns - Logical Abstract Interpretation
- Linear Arithmetic
- Uninterpreted Functions
- Combination of Linear Arithmetic and

Uninterpreted Fns - Universally Quantified Formulas
- Hardness of Assertion Checking
- Linear Arithmetic
- Uninterpreted Functions
- Combination of Linear Arithmetic and

Uninterpreted Fns

Combination of Linear Arithmetic and

Uninterpreted Functions

- Expressions e y c e1 e2 c e

F(e1,e2) - Atomic Facts g e0 e?0
- Axioms Combined axioms of linear arithmetic

uninterpreted fns. - Decision Procedure Nelson-Oppen methodology for

combining decision procedures

Combining Decision Procedures

- Nelson-Oppen gave an algorithm in 1979 to combine

decision procedures for theories T1 and T2,

where - T1 and T2 have disjoint signatures
- except equality
- T1, T2 are stably infinite
- Complexity is O(2n2(W1(n)W2(n)).
- If T1, T2 are convex, complexity is

O(n3(W1(n)W2(n)). - The theories of linear arithmetic and

uninterpreted functions satisfy all of the above

criterions.

Convex Theory

- A theory is convex if the following holds.
- Let G g1 Æ Æ gn
- If G ) e1e2 Ç e3e4, then G ) e1e2 or G ) e3e4
- Examples of convex theory
- Rational Linear Arithmetic
- Uninterpreted Functions

Examples of Non-convex Theory

- Theory of Integer Linear Arithmetic
- Theory of Arrays

ysel(upd(M,a,0),b) ) y0 Ç ysel(M,b) But

ysel(upd(M,a,0),b) ) y0 and

ysel(upd(M,a,0),b) ) ysel(M,b)

/

/

Stably Infinite Theory

- A theory T is stably infinite if for all

quantifier-free formulas ? over T, the following

holds - If ? is satisfiable, then ? is satisfiable

over an infinite model. - Examples of stably infinite theories
- Linear arithmetic, Uninterpreted Functions
- Examples of non-stably infinite theories
- A theory that enforces finite of distinct

elements. Eg., a theory with the axiom 8x,y,z

(xy Ç xz Ç yz). Consider the quantifier free

formula ? y1y2. - ? is satisfiable but doesnt have an

infinite model.

Nelson-Oppen Methodology

- Purification Decompose ? into ?1 Æ ?2 such that

?i contains symbols from theory Ti. - This can be done by introducing dummy variables.
- Exchange variable equalities between ?1 and ?2

until no more equalities can be deduced. - Sharing of disequalities is not required because

of stably-infiniteness. - Sharing of disjunctions of equalities is not

required because of convexity. - ? is unsat iff ?1 is unsat or ?2 is unsat.

Combining Decision Procedures Example

y1 4y3 F(2y2-y1) Æ y1F(y1) Æ y2F(F(y1))

Æ y1?4y3

Purification

a12y2-y1 y14y3a2 Æ y1?4y3 y1 y2 y1 a2

a2F(a1) y1F(y1) Æ y2F(F(y1)) y1 a1

Saturation

? unsat

Outline

- Decision Procedures
- Linear Arithmetic
- Uninterpreted Functions
- Combination of Linear Arithmetic and

Uninterpreted Fns - Logical Abstract Interpretation
- Linear Arithmetic
- Uninterpreted Functions
- Combination of Linear Arithmetic and

Uninterpreted Fns - Universally Quantified Formulas
- Hardness of Assertion Checking
- Linear Arithmetic
- Uninterpreted Functions
- Combination of Linear Arithmetic and

Uninterpreted Fns

Logical Abstract Interpretation

- Abstract Interpretation of a program involves

interpreting the program over abstract values

from some abstract domain D equipped with a

partial order ¹ - Logical Abstract Interpretation refers to the

case when - D logical formulas over theory T
- ¹ logical implication relationship, i.e., E ¹

E iff E )T E - We will study following examples of logical

interpretation - D consists of finite conjunctions of atomic facts

over T. - Linear Arithmetic
- Uninterpreted Functions
- Combination of Linear Arithmetic and

Uninterpreted Functions - D consists of universally quantified formulas

over T.

Transfer Functions for Logical Abstract

Interpreter

- An abstract interpreter computes abstract values

or facts at each program point from facts at

preceding program points using appropriate

transfer fns.

- Transfer functions for a logical abstract

interpreter thus involve providing operators for

over-approximating disjunction and existential

quantifier elimination.

Fixed-point Computation

- In presence of loops, fixed-point computation is

required. The process is accelerated by using a

widening operator, which takes the facts in the

current and previous iteration (at some point

inside a loop) and generates something weaker

than the current fact. - A widening operator should guarantee convergence

in a bounded number of steps. - Widening is typically applied at loop header

points. - Facts generated after fixed-point are invariants

and can be used to validate assertions using

decision procedures.

G

assert(g)

Validate iff GÆ g is unsat

Initialization

- The fact at program entry is initialized to gt,

which in our setting is the logical formula

true. - This denotes that we make no assumptions about

inputs, and whatever we prove will be valid for

all inputs. - The facts at all other program points are

initialized to ?, which in our setting is the

logical formula false. - This denotes our optimistic assumption of

unreachability of program locations (unless we

can prove them reachable in the process of

fixed-point computation).

Outline

- Decision Procedures
- Linear Arithmetic
- Uninterpreted Functions
- Combination of Linear Arithmetic and

Uninterpreted Fns - Logical Abstract Interpretation
- Linear Arithmetic
- Uninterpreted Functions
- Combination of Linear Arithmetic and

Uninterpreted Fns - Universally Quantified Formulas
- Hardness of Assertion Checking
- Linear Arithmetic
- Uninterpreted Functions
- Combination of Linear Arithmetic and

Uninterpreted Fns

Difference Constraints

- Abstract element
- conjunction of xi-xj cij
- can be represented using matrix M, where

Mijcij - Decide(M)
- M Saturate(M)
- Declare unsat iff 9i Mii lt 0
- Join(M1, M2)
- M1 Saturate(M1) M2 Saturate(M2)
- Let M3 be s.t. M3ij Max M1ij,

M2ij - return M3

Difference Constraints

- Eliminate(M, xi)
- M Saturate(M)
- Let M1 be s.t. M1jk 1 (if ji or ki)

Mjk otherwise - return M1
- Widen(M1, M2)
- M1 Saturate(M1) M2 Saturate(M2)
- Let M3 be s.t. M3ij M1ij (if M1ij

M2ij)) 1 (otherwise) - return M3

Difference Constraints Example

true

y 0 z 2

y0, z2

?

y0 Æ z2

?

0y1 Æ zy2

0y2 Æ zy2

0y Æ zy2

0ylt51 Æ zy2

1ylt51 Æ zy2

1y2 Æ zy2

y1 Æ z3

?

y lt 50

y50 Æ zy2

False

True

Assert (z52)

y0 Æ z2

0y1 Æ zy2

0ylt50 Æ zy2

?

y z

Outline

- Decision Procedures
- Linear Arithmetic
- Uninterpreted Functions
- Combination of Linear Arithmetic and

Uninterpreted Fns - Logical Abstract Interpretation
- Linear Arithmetic
- Uninterpreted Functions
- Combination of Linear Arithmetic and

Uninterpreted Fns - Universally Quantified Formulas
- Hardness of Assertion Checking
- Linear Arithmetic
- Uninterpreted Functions
- Combination of Linear Arithmetic and

Uninterpreted Fns

Uninterpreted Functions

- Abstract element
- conjunction of e1e2, where e y F(e1,e2)
- can be represented using EDAGs
- Decide(G)
- G Saturate(G)
- Declare unsat iff G contains e1 ? e2 and G has

e1, e2 in the same congruence class. - Eliminate(G, y)
- G Saturate(G)
- Erase y (might need to delete some dangling

expressions) - return G

Uninterpreted Functions

- Join(G1, G2)
- G1 Saturate(G1) G2 Saturate(G2)
- G Intersect(G1, G2)
- return G
- For each node n ltU, ni,nigt in G 1
- and node m ltV, mj, mjgt in G2,
- G contains a node n,m ltU Å V, ni,

mj, ni,mjgt

Uninterpreted Functions Example of Join

G1

G2

G Join(G1,G2)

Outline

- Decision Procedures
- Linear Arithmetic
- Uninterpreted Functions
- Combination of Linear Arithmetic and

Uninterpreted Fns - Logical Abstract Interpretation
- Linear Arithmetic
- Uninterpreted Functions
- Combination of Linear Arithmetic and

Uninterpreted Fns - Universally Quantified Formulas
- Hardness of Assertion Checking
- Linear Arithmetic
- Uninterpreted Functions
- Combination of Linear Arithmetic and

Uninterpreted Fns

Combination Decision Procedure

- DP(E12)
- ltE1, E2gt PurifySaturate(E12)
- Return DPT1(E1) Æ DPT2(E2)

Combination Join Algorithm

- JoinT12(L12, R12)
- ltL1, L2gt PurifySaturate(L12) ltR1, R2gt

PurifySaturate(R12) - DL Æ viltvi,vjgt vi2Vars(L1ÆL2),

vj2Vars(R1ÆR2) DR Æ vjltvi,vjgt

vi2Vars(L1ÆL2), vj2Vars(R1ÆR2) - L1 L1 Æ DL R1 R1 Æ DR L2 L2 Æ

DL R2 R2 Æ DR - A1 JoinT1(L1, R1) A2 JoinT2(L2,

R2) - V Vars(A1ÆA2) Program Variables

A12 EliminateT12(A1ÆA2, V) - Return A12

Combination Example of Join Algorithm

za-1 Æ yF(a)

zb-1 Æ yF(b)

Joinufla

za-1 aha,bi

yF(a) aha,bi

zb-1 bha,bi

yF(b) bha,bi

Joinuf

Joinla

ha,bi1z

yF(ha,bi)

Eliminateufla

ha,bi

yF(1z)

Combination Existential Quantifier Elimination

- ElimintateT12(E12, V)
- ltE1, E2gt PurifySaturate(E12)
- ltD, Defsgt DefSaturate(E1, E2, V Temp

Variables) - V V Temp Variables D E1

EliminateT1(E1, V) E2 EliminateT2(E2,

V) - E (E1 Æ E2) Defs(y)/y
- Return E
- DefSaturate(E1, E2, U) returns the set of all

variables D that have definitions Defs in terms

of variables not in U as implied by E1 Æ E2.

Combination Example of Existential Elimination

aby Æ zc1 Æ aF2(b) Æ cF(b)

a, b, c

Eliminateufla

aby Æ zc1

aF2(b) Æ cF(b)

Defla

Defuf

b

Eliminatela

Eliminateuf

c ? z-1 a ?F(z-1)

a y Æ zc1

a F(c)

Substitute

F(z-1) y

Abstract Interpretation over Combined Domain

Example

true

struct List struct List next x, y N(z)

0, if z null 1 N(z!next)

y x i 0

yx, i0

?

0i1 N(x)N(y)i

0i2, N(x)N(y)i

0i, N(x)N(y)i

1i2, N(x)N(y)i

?

yx, i0

1i, N(x)N(y)i

yx!next, i1, x?null N(x)N(x!next)1

?

y?null

0i1, y ? null N(x)N(y)i

0i, y ? null N(x)N(y)i

?

yx, i0, y?null

i i1 y y!next

Outline

- Decision Procedures
- Linear Arithmetic
- Uninterpreted Functions
- Combination of Linear Arithmetic and

Uninterpreted Fns - Logical Abstract Interpretation
- Linear Arithmetic
- Uninterpreted Functions
- Combination of Linear Arithmetic and

Uninterpreted Fns - Universally Quantified Formulas
- Hardness of Assertion Checking
- Linear Arithmetic
- Uninterpreted Functions
- Combination of Linear Arithmetic and

Uninterpreted Fns

Universally Quantified Abstract Domain

- Abstract element is of the form E Æ Æi(8X Ai)Bi)
- where E, Ai, Bi are from some underlying base

domain(s) D. - The partial order ¹ is a refinement of the more

natural implication relationship. - E Æ Æi(8X Ai)Bi) ¹ E Æ Æj(8X Aj)Bj)

iff - E ) E
- 8j 9i s.t. EÆAj)Ai and EÆBi)Bj
- Another way to state the above thing would be to

say that the partial order is still the

implication relationship but transfer functions

are incomplete.

Quantified Abstract Domain Join Algorithm

- Consider a simpler case first.
- Let (E Æ 8XA)B) Join(E1 Æ 8XA1)B1, E2

Æ 8XA2)B2). Then, - (E1 Æ 8XA1)B1) ¹ (E Æ 8XA)B)
- (E2 Æ 8XA2)B2) ¹ (E Æ 8XA)B)
- Or, equivalently,
- E1)E and E2)E. Thus, E Join(E1, E2).
- E1ÆA)A1 and E2ÆA)A2, i.e., A ) (E1)A1 Æ E2)A2).

Thus, A bE1)A1 Æ E2)A2c. - E1ÆB1 ) B and E2ÆB2 ) B. Thus, B Join(E1ÆB1,

E2ÆB2). - Join(E1 Æ Æi(8X A1i)B1i), E2Æ Æi(8X A2i)B2i))
- result JoinD(E1, E2)
- Forall i,j
- A bE1)A1i Æ E2)A2jc B

JoinD(E1ÆB1i, E2ÆB2j) - result result Æ 8XA)B
- return result

Quantified Abstract Domain Example of Join

- Let G1 (i0 Æ 8k k0 ) Fki)
- G2 (i1 Æ 8k 0k1 ) Fk0)
- Then Join(G1, G2) 0i1 Æ 8k A)B, where
- A b(i0)k0) Æ (i1)0k1)c 0ki
- B JoinD(i0 Æ Fki, i1 Æ Fk0) Fk0

Quantified Abstract Domain Eliminate

- Let (E Æ 8XA)B) Eliminate(E Æ 8XA)B, s).

Then, - (E Æ 8XA)B) ¹ (E Æ 8XA)B) among other

things. - For simplicity, assume that s doesnt affect

terms in A,B involving X. Then, - E)E and E doesnt contain any term affected by

change to s. - Thus, E EliminateD(E,s).
- EÆA)A and A doesnt contain any term affected by

change to s. - Thus, A b8sE)Ac.
- EÆB)B and B doesnt contain any term affected

by change to s. - Thus, B EliminateD(EÆB, s).

Quantified Abstract Domain Eliminate

- Eliminate(G, s)
- Let G be E Æ 8XA)B
- Psuedo-code can be easily extended for multiple 8
- T e e occurs in A or B Vars(e) Å X ?
- A A Æ Æe2T NotEffect(lts,Ggt, e)
- E EliminateD(E,s)
- B EliminateD(BÆE,s)
- A b8sE)Ac
- return (E Æ 8X A)B)
- NotEffect(lts,Ggt, e) denotes a constraint g s.t.

GÆg implies that s does not affect e.

Quantified Abstract Domain Example of Eliminate

- Let G (F0gt10 Æ 8k 0kltF0 ) FkgtF0 )
- Then Eliminate(G, F0) true Æ 8k A)B, where
- T k, Fk
- NotEffect(ltF0,Ggt, Fk) k?0
- NotEffect(ltF0,Ggt, Fk) true
- A1 0kltF0 Æ k ? 0 Æ true 1kltF0
- A b8F0 F0gt10 ) 1kltF0c 1klt10
- B Eliminate(FkgtF0 Æ F0gt10, F0)

Fklt10

Quantified Abstract Domain Example

true

F0 0 i 1

i1 Æ F00

i1 Æ 8kk0 ) Fk0

?

2in Æ 8k 0klti ) Fk0

i2 Æ F00 Æ F10

2i3 Æ 8k 0klti ) Fk0

i2 Æ 8k0k1 ) Fk0

i1 Æ F00

?

1i2 Æ 8k 0klti ) Fk0

1i3 Æ 8k 0klti ) Fk0

1i Æ 8k 0klti ) Fk0

1i Æ 8k 0klti ) Fk0

?

i lt n

False

in Æ 8k 0klti ) Fk0

True

i1 Æ F00

1i2 Æ 8k 0klti ) Fk0

1iltn Æ 8k 0klti ) Fk0

?

i 0

Fi 0 i

i0 Æ 8k 0kltn ) Fk0

References

- Uninterpreted Functions
- A polynomial time algorithm for global value

numbering SAS 2004, S. Gulwani, G. Necula - Join algorithms for the theory of uninterpreted

fns FSTTCS 2004, S. Gulwani, A. Tiwari, G.

Necula - Combination of Linear Arithmetic and

Uninterpreted Fns - Combining Abstract Interpreters
- PLDI 2006, S. Gulwani, A. Tiwari
- Universally Quantified Abstract Domain
- Lifting Abstract Interpreters to Quantified

Logical Domains POPL 2008, S. Gulwani, B.

McCloskey, A. Tiwari

Outline

- Decision Procedures
- Linear Arithmetic
- Uninterpreted Functions
- Combination of Linear Arithmetic and

Uninterpreted Fns - Logical Abstract Interpretation
- Linear Arithmetic
- Uninterpreted Functions
- Combination of Linear Arithmetic and

Uninterpreted Fns - Universally Quantified Formulas
- Hardness of Assertion Checking
- Linear Arithmetic
- Uninterpreted Functions
- Combination of Linear Arithmetic and

Uninterpreted Fns

Abstract Program Model / Problem Statement

- Linear Arithmetic
- e y c e1 e2 c e g

e0 - Uninterpreted Functions
- e y F(e1,e2) g e1e2
- Combination
- e y c e1 e2 c e F(e1,e2) g

e0

Outline

- Decision Procedures
- Linear Arithmetic
- Uninterpreted Functions
- Combination of Linear Arithmetic and

Uninterpreted Fns - Logical Abstract Interpretation
- Linear Arithmetic
- Uninterpreted Functions
- Combination of Linear Arithmetic and

Uninterpreted Fns - Universally Quantified Formulas
- Hardness of Assertion Checking
- Linear Arithmetic
- Uninterpreted Functions
- Combination of Linear Arithmetic and

Uninterpreted Fns

Assertion Checking Linear Arithmetic

- Non-deterministic Conditionals
- Equality Assertions PTIME
- Perform abstract interpretation over linear

equalities. - Affine relationships among variables of a

program, Karr 76 - Inequality assertions ?
- Deterministic Conditionals Undecidable
- Even with equality conditionals and equality

assertions - PCP Problem can be reduced to it.
- A Note on Karrs Algorithm, H. Seidl, M.

Muller-Olm, ICALP 2004

Reducing PCP Problem to Assertion Checking

- The following problem (PCP Problem) is

undecidable. Given pairs (u1,v1), , (um,vm),

where ui, vi 2 0,1 - Decide 9 a non-empty sequence i1, , in such

that - ui1 uin vi1 vin
- Given a PCP instance, we will construct an

assertion checking problem over linear arithmetic

such that the assertion holds iff the solution to

PCP instance is false.

Reducing PCP Problem to Assertion Checking

y 1 z 1

y 2um y ltumgt z 2vm z ltvmgt

y 2u1 y ltu1gt z 2v1 z ltv1gt

yz ?

False

True

d 1

d 0

Assert (d0)

Outline

- Decision Procedures
- Linear Arithmetic
- Uninterpreted Functions
- Combination of Linear Arithmetic and

Uninterpreted Fns - Logical Abstract Interpretation
- Linear Arithmetic
- Uninterpreted Functions
- Combination of Linear Arithmetic and

Uninterpreted Fns - Universally Quantified Formulas
- Hardness of Assertion Checking
- Linear Arithmetic
- Uninterpreted Functions
- Combination of Linear Arithmetic and

Uninterpreted Fns

Assertion Checking Uninterpreted Functions

- Non-deterministic Conditionals PTIME
- Abstract interpretation over uninterpreted fns.
- Deterministic Conditionals Undecidable
- PCP Problem can be reduced to it.
- Checking Herbrand Equalities and Beyond, H.

Seidl, M. Muller-Olm, VMCAI 2005

Reducing PCP Problem to Assertion Checking

y 1 z 1

y um(y) z vm(z)

y u1(y) z v1(z)

Think of ui, vi as sequences of applications of

unary fns, one corresponding to 0 and other

corresponding to 1.

yz ?

False

True

d 1

d 0

Assert (d0)

Outline

- Decision Procedures
- Linear Arithmetic
- Uninterpreted Functions
- Combination of Linear Arithmetic and

Uninterpreted Fns - Logical Abstract Interpretation
- Linear Arithmetic
- Uninterpreted Functions
- Combination of Linear Arithmetic and

Uninterpreted Fns - Universally Quantified Formulas
- Hardness of Assertion Checking
- Linear Arithmetic
- Uninterpreted Functions
- Combination of Linear Arithmetic and

Uninterpreted Fns

Assertion Checking Combination of Linear

Arithmetic Uninterpreted Functions

- Deterministic Conditionals Undecidable
- No surprise since problem is undecidable for

individual cases of linear arithmetic and

uninterpreted fns. - Non-deterministic Conditionals ? At least

coNP-hard - Even for equality conditionals.
- A surprising result since assertion checking for

individual cases of linear arithmetic

(equalities) and uninterpreted fns is PTIME, but

not for combination. - In contrast, decision procedures for linear

arithmetic and uninterpreted fns can be combined

in PTIME using Nelson-Oppen methodology. - Assertion checking over combination of linear

arithmetic and uninterpreted fns, S. Gulwani, A.

Tiwari, ESOP 2006

Reducing Unsatisfiability to Assertion Checking

- ? boolean 3-SAT instance with m clauses
- IsUnsatisfiable(?)
- for j1 to m
- cj 0
- for i1 to k do
- if ()
- 8 j s.t. var i occurs positively in

clause j, cj 1 - else
- 8 j s.t. var i occurs negatively in clause

j, cj 1 - y c1 c2 cm
- Assert (y0 Ç y1 Ç ym-1)

Encoding disjunction

- The check y1 Ç y2 can be encoded by the

assertion F(y) F(1)F(2)-F(3-y)). - The above trick can be recursively applied to

construct an assertion that encodes y0 Ç y1 Ç

Ç ym-1 - Eg., y0 Ç y1 Ç y2 can be encoded by encoding
- F(y)F(0) Ç F(y)F(1)F(2)-F(3-y)

Conclusion

- We showed how logical reasoning traditionally

used in theorem proving can be exploited in an

abstract interpretation setting. - We focused on conjunctive and universally

quantified invariants over the domain of linear

arithmetic and uninterpreted fns. - There are several other interesting issues in

program analysis that we did not address - Destructive updates
- Points-to analysis, Shape analysis
- Path-sensitive analysis
- Disjunctive invariants
- Inter-procedural analysis
- Procedure summaries