Logical Abstract Interpretation - PowerPoint PPT Presentation

Loading...

PPT – Logical Abstract Interpretation PowerPoint presentation | free to view - id: d32a7-ZDc1Z



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

Logical Abstract Interpretation

Description:

Logical Abstract Interpretation – PowerPoint PPT presentation

Number of Views:41
Avg rating:3.0/5.0
Slides: 63
Provided by: ResearchM53
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Logical Abstract Interpretation


1
Logical Abstract Interpretation
  • Sumit Gulwani
  • Microsoft Research, Redmond

2
Final Goal of the class
  • Automatically verify partial correctness of
    programs like the following using abstract
    interpretation.
  • Void Init(int A, int n)
  • for (i 0 iltn i)
  • Ai 0
  • for (j 0 jltn j)
  • Assert(Aj 0)

3
Outline
  • Decision Procedures
  • Linear Arithmetic
  • Uninterpreted Functions
  • Combination of Linear Arithmetic and
    Uninterpreted Fns
  • Logical Abstract Interpretation
  • Linear Arithmetic
  • Uninterpreted Functions
  • Combination of Linear Arithmetic and
    Uninterpreted Fns
  • Universally Quantified Formulas
  • Hardness of Assertion Checking
  • Linear Arithmetic
  • Uninterpreted Functions
  • Combination of Linear Arithmetic and
    Uninterpreted Fns

4
Decision Procedures
  • DPT(?) Yes, if ? is satisfiable
  • No, if ? is unsatisfiable
  • Without loss of generality, we can assume that ?
    is a conjunction of atomic facts.
  • Why?
  • DP(?1Ç?2) is sat iff DP(?1) is sat or DP(?2) is
    sat
  • What is the trade-off?
  • Converting ? into DNF may incur exponential
    blow-up

5
Outline
  • Decision Procedures
  • Linear Arithmetic
  • Uninterpreted Functions
  • Combination of Linear Arithmetic and
    Uninterpreted Fns
  • Logical Abstract Interpretation
  • Linear Arithmetic
  • Uninterpreted Functions
  • Combination of Linear Arithmetic and
    Uninterpreted Fns
  • Universally Quantified Formulas
  • Hardness of Assertion Checking
  • Linear Arithmetic
  • Uninterpreted Functions
  • Combination of Linear Arithmetic and
    Uninterpreted Fns

6
Linear Arithmetic
  • Expressions e y c e1 e2 c e
  • Atomic facts g e0 e?0
  • Note that e0 can be represented as e0 Æ e0
  • egt0 can be represented as e-10
  • (over integer LA)
  • The decision problem for integer LA is NP-hard.
  • The decision problem for rational LA is PTime.
  • PTime algorithms are complicated to implement.
    Popular choice is an exponential algorithm called
    Simplex
  • We will study a PTime algorithm for a special
    case.

7
Difference Constraints
  • A special case of Linear Arithmetic
  • Constraints of the form xc and x-yc
  • We can represent xc by x-uc, where u is a
    special zero variable. Wlog, we will assume
    henceforth that we only have constraints x-yc
  • Reasoning required x-yc1 Æ y-zc2 ) x-zc1c2
  • O(n3) (saturation-based) decision procedure
  • Represent contraints by a matrix Mnn
  • where Mij c represents xixj c
  • Perform transitive closure of M
  • Mij min Mij, MikMkj
  • ? is unsat iff 9i Mii lt 0

8
Outline
  • Decision Procedures
  • Linear Arithmetic
  • Uninterpreted Functions
  • Combination of Linear Arithmetic and
    Uninterpreted Fns
  • Logical Abstract Interpretation
  • Linear Arithmetic
  • Uninterpreted Functions
  • Combination of Linear Arithmetic and
    Uninterpreted Fns
  • Universally Quantified Formulas
  • Hardness of Assertion Checking
  • Linear Arithmetic
  • Uninterpreted Functions
  • Combination of Linear Arithmetic and
    Uninterpreted Fns

9
Uninterpreted Functions
  • Expressions e x F(e1,e2)
  • Atomic fact g e1e2 e1?e2
  • Axiom 8e1,e2,e1,e2 e1e1 Æ e2e2 )
    F(e1,e2)F(e1,e2)
  • (called congruence axiom)
  • (saturation-based) Decision Procedure
  • Represent equalities e1e2 2 G in Equivalence DAG
    (EDAG)
  • Nodes of an EDAG represent congruence classes of
    expressions that are known to be equal.
  • Saturate equalities in the EDAG by following
    rule
  • If C(e1)C(e1) Æ C(e2)C(e2), Merge
    C(F(e1,e2)), C(F(e1,e2))
  • where C(e) denotes congruence class of expression
    e
  • Declare unsatisfiability iff 9 e1?e2 in G s.t.
    C(e1) C(e2)

10
Uninterpreted Functions Example
yF5(y)
y?F(y)
yF3(y)
Æ
Æ
F
F
F(y)F4(y)
F
F2(y)F5(y)
F
yF2(y)
F
F(y)F3(y)
y
yF(y)
? unsat
11
Uninterpreted Functions Complexity
  • Complexity of congruence closure O(n log n),
    where n is the size of the input formula
  • In each step, we merge 2 congruence classes. The
    total number of steps required is thus n, where n
    is a bound on the original number of congruence
    classes.
  • The complexity of each step can be O(log n) by
    using union-find data structure

12
Outline
  • Decision Procedures
  • Linear Arithmetic
  • Uninterpreted Functions
  • Combination of Linear Arithmetic and
    Uninterpreted Fns
  • Logical Abstract Interpretation
  • Linear Arithmetic
  • Uninterpreted Functions
  • Combination of Linear Arithmetic and
    Uninterpreted Fns
  • Universally Quantified Formulas
  • Hardness of Assertion Checking
  • Linear Arithmetic
  • Uninterpreted Functions
  • Combination of Linear Arithmetic and
    Uninterpreted Fns

13
Combination of Linear Arithmetic and
Uninterpreted Functions
  • Expressions e y c e1 e2 c e
    F(e1,e2)
  • Atomic Facts g e0 e?0
  • Axioms Combined axioms of linear arithmetic
    uninterpreted fns.
  • Decision Procedure Nelson-Oppen methodology for
    combining decision procedures

14
Combining Decision Procedures
  • Nelson-Oppen gave an algorithm in 1979 to combine
    decision procedures for theories T1 and T2,
    where
  • T1 and T2 have disjoint signatures
  • except equality
  • T1, T2 are stably infinite
  • Complexity is O(2n2(W1(n)W2(n)).
  • If T1, T2 are convex, complexity is
    O(n3(W1(n)W2(n)).
  • The theories of linear arithmetic and
    uninterpreted functions satisfy all of the above
    criterions.

15
Convex Theory
  • A theory is convex if the following holds.
  • Let G g1 Æ Æ gn
  • If G ) e1e2 Ç e3e4, then G ) e1e2 or G ) e3e4
  • Examples of convex theory
  • Rational Linear Arithmetic
  • Uninterpreted Functions

16
Examples of Non-convex Theory
  • Theory of Integer Linear Arithmetic
  • Theory of Arrays

ysel(upd(M,a,0),b) ) y0 Ç ysel(M,b) But
ysel(upd(M,a,0),b) ) y0 and
ysel(upd(M,a,0),b) ) ysel(M,b)
/
/
17
Stably Infinite Theory
  • A theory T is stably infinite if for all
    quantifier-free formulas ? over T, the following
    holds
  • If ? is satisfiable, then ? is satisfiable
    over an infinite model.
  • Examples of stably infinite theories
  • Linear arithmetic, Uninterpreted Functions
  • Examples of non-stably infinite theories
  • A theory that enforces finite of distinct
    elements. Eg., a theory with the axiom 8x,y,z
    (xy Ç xz Ç yz). Consider the quantifier free
    formula ? y1y2.
  • ? is satisfiable but doesnt have an
    infinite model.

18
Nelson-Oppen Methodology
  • Purification Decompose ? into ?1 Æ ?2 such that
    ?i contains symbols from theory Ti.
  • This can be done by introducing dummy variables.
  • Exchange variable equalities between ?1 and ?2
    until no more equalities can be deduced.
  • Sharing of disequalities is not required because
    of stably-infiniteness.
  • Sharing of disjunctions of equalities is not
    required because of convexity.
  • ? is unsat iff ?1 is unsat or ?2 is unsat.

19
Combining Decision Procedures Example
y1 4y3 F(2y2-y1) Æ y1F(y1) Æ y2F(F(y1))
Æ y1?4y3
Purification
a12y2-y1 y14y3a2 Æ y1?4y3 y1 y2 y1 a2
a2F(a1) y1F(y1) Æ y2F(F(y1)) y1 a1
Saturation
? unsat
20
Outline
  • Decision Procedures
  • Linear Arithmetic
  • Uninterpreted Functions
  • Combination of Linear Arithmetic and
    Uninterpreted Fns
  • Logical Abstract Interpretation
  • Linear Arithmetic
  • Uninterpreted Functions
  • Combination of Linear Arithmetic and
    Uninterpreted Fns
  • Universally Quantified Formulas
  • Hardness of Assertion Checking
  • Linear Arithmetic
  • Uninterpreted Functions
  • Combination of Linear Arithmetic and
    Uninterpreted Fns

21
Logical Abstract Interpretation
  • Abstract Interpretation of a program involves
    interpreting the program over abstract values
    from some abstract domain D equipped with a
    partial order ¹
  • Logical Abstract Interpretation refers to the
    case when
  • D logical formulas over theory T
  • ¹ logical implication relationship, i.e., E ¹
    E iff E )T E
  • We will study following examples of logical
    interpretation
  • D consists of finite conjunctions of atomic facts
    over T.
  • Linear Arithmetic
  • Uninterpreted Functions
  • Combination of Linear Arithmetic and
    Uninterpreted Functions
  • D consists of universally quantified formulas
    over T.

22
Transfer Functions for Logical Abstract
Interpreter
  • An abstract interpreter computes abstract values
    or facts at each program point from facts at
    preceding program points using appropriate
    transfer fns.
  • Transfer functions for a logical abstract
    interpreter thus involve providing operators for
    over-approximating disjunction and existential
    quantifier elimination.

23
Fixed-point Computation
  • In presence of loops, fixed-point computation is
    required. The process is accelerated by using a
    widening operator, which takes the facts in the
    current and previous iteration (at some point
    inside a loop) and generates something weaker
    than the current fact.
  • A widening operator should guarantee convergence
    in a bounded number of steps.
  • Widening is typically applied at loop header
    points.
  • Facts generated after fixed-point are invariants
    and can be used to validate assertions using
    decision procedures.

G
assert(g)
Validate iff GÆ g is unsat
24
Initialization
  • The fact at program entry is initialized to gt,
    which in our setting is the logical formula
    true.
  • This denotes that we make no assumptions about
    inputs, and whatever we prove will be valid for
    all inputs.
  • The facts at all other program points are
    initialized to ?, which in our setting is the
    logical formula false.
  • This denotes our optimistic assumption of
    unreachability of program locations (unless we
    can prove them reachable in the process of
    fixed-point computation).

25
Outline
  • Decision Procedures
  • Linear Arithmetic
  • Uninterpreted Functions
  • Combination of Linear Arithmetic and
    Uninterpreted Fns
  • Logical Abstract Interpretation
  • Linear Arithmetic
  • Uninterpreted Functions
  • Combination of Linear Arithmetic and
    Uninterpreted Fns
  • Universally Quantified Formulas
  • Hardness of Assertion Checking
  • Linear Arithmetic
  • Uninterpreted Functions
  • Combination of Linear Arithmetic and
    Uninterpreted Fns

26
Difference Constraints
  • Abstract element
  • conjunction of xi-xj cij
  • can be represented using matrix M, where
    Mijcij
  • Decide(M)
  • M Saturate(M)
  • Declare unsat iff 9i Mii lt 0
  • Join(M1, M2)
  • M1 Saturate(M1) M2 Saturate(M2)
  • Let M3 be s.t. M3ij Max M1ij,
    M2ij
  • return M3

27
Difference Constraints
  • Eliminate(M, xi)
  • M Saturate(M)
  • Let M1 be s.t. M1jk 1 (if ji or ki)
    Mjk otherwise
  • return M1
  • Widen(M1, M2)
  • M1 Saturate(M1) M2 Saturate(M2)
  • Let M3 be s.t. M3ij M1ij (if M1ij
    M2ij)) 1 (otherwise)
  • return M3

28
Difference Constraints Example
true
y 0 z 2
y0, z2
?
y0 Æ z2
?
0y1 Æ zy2
0y2 Æ zy2
0y Æ zy2
0ylt51 Æ zy2
1ylt51 Æ zy2
1y2 Æ zy2
y1 Æ z3
?
y lt 50
y50 Æ zy2
False
True
Assert (z52)
y0 Æ z2
0y1 Æ zy2
0ylt50 Æ zy2
?
y z
29
Outline
  • Decision Procedures
  • Linear Arithmetic
  • Uninterpreted Functions
  • Combination of Linear Arithmetic and
    Uninterpreted Fns
  • Logical Abstract Interpretation
  • Linear Arithmetic
  • Uninterpreted Functions
  • Combination of Linear Arithmetic and
    Uninterpreted Fns
  • Universally Quantified Formulas
  • Hardness of Assertion Checking
  • Linear Arithmetic
  • Uninterpreted Functions
  • Combination of Linear Arithmetic and
    Uninterpreted Fns

30
Uninterpreted Functions
  • Abstract element
  • conjunction of e1e2, where e y F(e1,e2)
  • can be represented using EDAGs
  • Decide(G)
  • G Saturate(G)
  • Declare unsat iff G contains e1 ? e2 and G has
    e1, e2 in the same congruence class.
  • Eliminate(G, y)
  • G Saturate(G)
  • Erase y (might need to delete some dangling
    expressions)
  • return G

31
Uninterpreted Functions
  • Join(G1, G2)
  • G1 Saturate(G1) G2 Saturate(G2)
  • G Intersect(G1, G2)
  • return G
  • For each node n ltU, ni,nigt in G 1
  • and node m ltV, mj, mjgt in G2,
  • G contains a node n,m ltU Å V, ni,
    mj, ni,mjgt

32
Uninterpreted Functions Example of Join
G1
G2
G Join(G1,G2)
33
Outline
  • Decision Procedures
  • Linear Arithmetic
  • Uninterpreted Functions
  • Combination of Linear Arithmetic and
    Uninterpreted Fns
  • Logical Abstract Interpretation
  • Linear Arithmetic
  • Uninterpreted Functions
  • Combination of Linear Arithmetic and
    Uninterpreted Fns
  • Universally Quantified Formulas
  • Hardness of Assertion Checking
  • Linear Arithmetic
  • Uninterpreted Functions
  • Combination of Linear Arithmetic and
    Uninterpreted Fns

34
Combination Decision Procedure
  • DP(E12)
  • ltE1, E2gt PurifySaturate(E12)
  • Return DPT1(E1) Æ DPT2(E2)

35
Combination Join Algorithm
  • JoinT12(L12, R12)
  • ltL1, L2gt PurifySaturate(L12) ltR1, R2gt
    PurifySaturate(R12)
  • DL Æ viltvi,vjgt vi2Vars(L1ÆL2),
    vj2Vars(R1ÆR2) DR Æ vjltvi,vjgt
    vi2Vars(L1ÆL2), vj2Vars(R1ÆR2)
  • L1 L1 Æ DL R1 R1 Æ DR L2 L2 Æ
    DL R2 R2 Æ DR
  • A1 JoinT1(L1, R1) A2 JoinT2(L2,
    R2)
  • V Vars(A1ÆA2) Program Variables
    A12 EliminateT12(A1ÆA2, V)
  • Return A12

36

Combination Example of Join Algorithm
za-1 Æ yF(a)
zb-1 Æ yF(b)
Joinufla
za-1 aha,bi
yF(a) aha,bi
zb-1 bha,bi
yF(b) bha,bi
Joinuf
Joinla
ha,bi1z
yF(ha,bi)
Eliminateufla
ha,bi
yF(1z)
37
Combination Existential Quantifier Elimination
  • ElimintateT12(E12, V)
  • ltE1, E2gt PurifySaturate(E12)
  • ltD, Defsgt DefSaturate(E1, E2, V Temp
    Variables)
  • V V Temp Variables D E1
    EliminateT1(E1, V) E2 EliminateT2(E2,
    V)
  • E (E1 Æ E2) Defs(y)/y
  • Return E
  • DefSaturate(E1, E2, U) returns the set of all
    variables D that have definitions Defs in terms
    of variables not in U as implied by E1 Æ E2.

38

Combination Example of Existential Elimination
aby Æ zc1 Æ aF2(b) Æ cF(b)
a, b, c
Eliminateufla
aby Æ zc1
aF2(b) Æ cF(b)
Defla
Defuf
b
Eliminatela
Eliminateuf
c ? z-1 a ?F(z-1)
a y Æ zc1
a F(c)
Substitute
F(z-1) y
39
Abstract Interpretation over Combined Domain
Example
true
struct List struct List next x, y N(z)
0, if z null 1 N(z!next)
y x i 0
yx, i0
?
0i1 N(x)N(y)i
0i2, N(x)N(y)i
0i, N(x)N(y)i
1i2, N(x)N(y)i
?
yx, i0
1i, N(x)N(y)i
yx!next, i1, x?null N(x)N(x!next)1
?
y?null
0i1, y ? null N(x)N(y)i
0i, y ? null N(x)N(y)i
?
yx, i0, y?null
i i1 y y!next
40
Outline
  • Decision Procedures
  • Linear Arithmetic
  • Uninterpreted Functions
  • Combination of Linear Arithmetic and
    Uninterpreted Fns
  • Logical Abstract Interpretation
  • Linear Arithmetic
  • Uninterpreted Functions
  • Combination of Linear Arithmetic and
    Uninterpreted Fns
  • Universally Quantified Formulas
  • Hardness of Assertion Checking
  • Linear Arithmetic
  • Uninterpreted Functions
  • Combination of Linear Arithmetic and
    Uninterpreted Fns

41
Universally Quantified Abstract Domain
  • Abstract element is of the form E Æ Æi(8X Ai)Bi)
  • where E, Ai, Bi are from some underlying base
    domain(s) D.
  • The partial order ¹ is a refinement of the more
    natural implication relationship.
  • E Æ Æi(8X Ai)Bi) ¹ E Æ Æj(8X Aj)Bj)
    iff
  • E ) E
  • 8j 9i s.t. EÆAj)Ai and EÆBi)Bj
  • Another way to state the above thing would be to
    say that the partial order is still the
    implication relationship but transfer functions
    are incomplete.

42
Quantified Abstract Domain Join Algorithm
  • Consider a simpler case first.
  • Let (E Æ 8XA)B) Join(E1 Æ 8XA1)B1, E2
    Æ 8XA2)B2). Then,
  • (E1 Æ 8XA1)B1) ¹ (E Æ 8XA)B)
  • (E2 Æ 8XA2)B2) ¹ (E Æ 8XA)B)
  • Or, equivalently,
  • E1)E and E2)E. Thus, E Join(E1, E2).
  • E1ÆA)A1 and E2ÆA)A2, i.e., A ) (E1)A1 Æ E2)A2).
    Thus, A bE1)A1 Æ E2)A2c.
  • E1ÆB1 ) B and E2ÆB2 ) B. Thus, B Join(E1ÆB1,
    E2ÆB2).
  • Join(E1 Æ Æi(8X A1i)B1i), E2Æ Æi(8X A2i)B2i))
  • result JoinD(E1, E2)
  • Forall i,j
  • A bE1)A1i Æ E2)A2jc B
    JoinD(E1ÆB1i, E2ÆB2j)
  • result result Æ 8XA)B
  • return result

43
Quantified Abstract Domain Example of Join
  • Let G1 (i0 Æ 8k k0 ) Fki)
  • G2 (i1 Æ 8k 0k1 ) Fk0)
  • Then Join(G1, G2) 0i1 Æ 8k A)B, where
  • A b(i0)k0) Æ (i1)0k1)c 0ki
  • B JoinD(i0 Æ Fki, i1 Æ Fk0) Fk0

44
Quantified Abstract Domain Eliminate
  • Let (E Æ 8XA)B) Eliminate(E Æ 8XA)B, s).
    Then,
  • (E Æ 8XA)B) ¹ (E Æ 8XA)B) among other
    things.
  • For simplicity, assume that s doesnt affect
    terms in A,B involving X. Then,
  • E)E and E doesnt contain any term affected by
    change to s.
  • Thus, E EliminateD(E,s).
  • EÆA)A and A doesnt contain any term affected by
    change to s.
  • Thus, A b8sE)Ac.
  • EÆB)B and B doesnt contain any term affected
    by change to s.
  • Thus, B EliminateD(EÆB, s).

45
Quantified Abstract Domain Eliminate
  • Eliminate(G, s)
  • Let G be E Æ 8XA)B
  • Psuedo-code can be easily extended for multiple 8
  • T e e occurs in A or B Vars(e) Å X ?
  • A A Æ Æe2T NotEffect(lts,Ggt, e)
  • E EliminateD(E,s)
  • B EliminateD(BÆE,s)
  • A b8sE)Ac
  • return (E Æ 8X A)B)
  • NotEffect(lts,Ggt, e) denotes a constraint g s.t.
    GÆg implies that s does not affect e.

46
Quantified Abstract Domain Example of Eliminate
  • Let G (F0gt10 Æ 8k 0kltF0 ) FkgtF0 )
  • Then Eliminate(G, F0) true Æ 8k A)B, where
  • T k, Fk
  • NotEffect(ltF0,Ggt, Fk) k?0
  • NotEffect(ltF0,Ggt, Fk) true
  • A1 0kltF0 Æ k ? 0 Æ true 1kltF0
  • A b8F0 F0gt10 ) 1kltF0c 1klt10
  • B Eliminate(FkgtF0 Æ F0gt10, F0)
    Fklt10

47
Quantified Abstract Domain Example
true
F0 0 i 1
i1 Æ F00
i1 Æ 8kk0 ) Fk0
?
2in Æ 8k 0klti ) Fk0
i2 Æ F00 Æ F10
2i3 Æ 8k 0klti ) Fk0
i2 Æ 8k0k1 ) Fk0
i1 Æ F00
?
1i2 Æ 8k 0klti ) Fk0
1i3 Æ 8k 0klti ) Fk0
1i Æ 8k 0klti ) Fk0
1i Æ 8k 0klti ) Fk0
?
i lt n
False
in Æ 8k 0klti ) Fk0
True
i1 Æ F00
1i2 Æ 8k 0klti ) Fk0
1iltn Æ 8k 0klti ) Fk0
?
i 0
Fi 0 i
i0 Æ 8k 0kltn ) Fk0
48
References
  • Uninterpreted Functions
  • A polynomial time algorithm for global value
    numbering SAS 2004, S. Gulwani, G. Necula
  • Join algorithms for the theory of uninterpreted
    fns FSTTCS 2004, S. Gulwani, A. Tiwari, G.
    Necula
  • Combination of Linear Arithmetic and
    Uninterpreted Fns
  • Combining Abstract Interpreters
  • PLDI 2006, S. Gulwani, A. Tiwari
  • Universally Quantified Abstract Domain
  • Lifting Abstract Interpreters to Quantified
    Logical Domains POPL 2008, S. Gulwani, B.
    McCloskey, A. Tiwari

49
Outline
  • Decision Procedures
  • Linear Arithmetic
  • Uninterpreted Functions
  • Combination of Linear Arithmetic and
    Uninterpreted Fns
  • Logical Abstract Interpretation
  • Linear Arithmetic
  • Uninterpreted Functions
  • Combination of Linear Arithmetic and
    Uninterpreted Fns
  • Universally Quantified Formulas
  • Hardness of Assertion Checking
  • Linear Arithmetic
  • Uninterpreted Functions
  • Combination of Linear Arithmetic and
    Uninterpreted Fns

50
Abstract Program Model / Problem Statement
  • Linear Arithmetic
  • e y c e1 e2 c e g
    e0
  • Uninterpreted Functions
  • e y F(e1,e2) g e1e2
  • Combination
  • e y c e1 e2 c e F(e1,e2) g
    e0

51
Outline
  • Decision Procedures
  • Linear Arithmetic
  • Uninterpreted Functions
  • Combination of Linear Arithmetic and
    Uninterpreted Fns
  • Logical Abstract Interpretation
  • Linear Arithmetic
  • Uninterpreted Functions
  • Combination of Linear Arithmetic and
    Uninterpreted Fns
  • Universally Quantified Formulas
  • Hardness of Assertion Checking
  • Linear Arithmetic
  • Uninterpreted Functions
  • Combination of Linear Arithmetic and
    Uninterpreted Fns

52
Assertion Checking Linear Arithmetic
  • Non-deterministic Conditionals
  • Equality Assertions PTIME
  • Perform abstract interpretation over linear
    equalities.
  • Affine relationships among variables of a
    program, Karr 76
  • Inequality assertions ?
  • Deterministic Conditionals Undecidable
  • Even with equality conditionals and equality
    assertions
  • PCP Problem can be reduced to it.
  • A Note on Karrs Algorithm, H. Seidl, M.
    Muller-Olm, ICALP 2004

53
Reducing PCP Problem to Assertion Checking
  • The following problem (PCP Problem) is
    undecidable. Given pairs (u1,v1), , (um,vm),
    where ui, vi 2 0,1
  • Decide 9 a non-empty sequence i1, , in such
    that
  • ui1 uin vi1 vin
  • Given a PCP instance, we will construct an
    assertion checking problem over linear arithmetic
    such that the assertion holds iff the solution to
    PCP instance is false.

54
Reducing PCP Problem to Assertion Checking
y 1 z 1
y 2um y ltumgt z 2vm z ltvmgt
y 2u1 y ltu1gt z 2v1 z ltv1gt

yz ?
False
True
d 1
d 0
Assert (d0)
55
Outline
  • Decision Procedures
  • Linear Arithmetic
  • Uninterpreted Functions
  • Combination of Linear Arithmetic and
    Uninterpreted Fns
  • Logical Abstract Interpretation
  • Linear Arithmetic
  • Uninterpreted Functions
  • Combination of Linear Arithmetic and
    Uninterpreted Fns
  • Universally Quantified Formulas
  • Hardness of Assertion Checking
  • Linear Arithmetic
  • Uninterpreted Functions
  • Combination of Linear Arithmetic and
    Uninterpreted Fns

56
Assertion Checking Uninterpreted Functions
  • Non-deterministic Conditionals PTIME
  • Abstract interpretation over uninterpreted fns.
  • Deterministic Conditionals Undecidable
  • PCP Problem can be reduced to it.
  • Checking Herbrand Equalities and Beyond, H.
    Seidl, M. Muller-Olm, VMCAI 2005

57
Reducing PCP Problem to Assertion Checking
y 1 z 1
y um(y) z vm(z)
y u1(y) z v1(z)
Think of ui, vi as sequences of applications of
unary fns, one corresponding to 0 and other
corresponding to 1.

yz ?
False
True
d 1
d 0
Assert (d0)
58
Outline
  • Decision Procedures
  • Linear Arithmetic
  • Uninterpreted Functions
  • Combination of Linear Arithmetic and
    Uninterpreted Fns
  • Logical Abstract Interpretation
  • Linear Arithmetic
  • Uninterpreted Functions
  • Combination of Linear Arithmetic and
    Uninterpreted Fns
  • Universally Quantified Formulas
  • Hardness of Assertion Checking
  • Linear Arithmetic
  • Uninterpreted Functions
  • Combination of Linear Arithmetic and
    Uninterpreted Fns

59
Assertion Checking Combination of Linear
Arithmetic Uninterpreted Functions
  • Deterministic Conditionals Undecidable
  • No surprise since problem is undecidable for
    individual cases of linear arithmetic and
    uninterpreted fns.
  • Non-deterministic Conditionals ? At least
    coNP-hard
  • Even for equality conditionals.
  • A surprising result since assertion checking for
    individual cases of linear arithmetic
    (equalities) and uninterpreted fns is PTIME, but
    not for combination.
  • In contrast, decision procedures for linear
    arithmetic and uninterpreted fns can be combined
    in PTIME using Nelson-Oppen methodology.
  • Assertion checking over combination of linear
    arithmetic and uninterpreted fns, S. Gulwani, A.
    Tiwari, ESOP 2006

60
Reducing Unsatisfiability to Assertion Checking
  • ? boolean 3-SAT instance with m clauses
  • IsUnsatisfiable(?)
  • for j1 to m
  • cj 0
  • for i1 to k do
  • if ()
  • 8 j s.t. var i occurs positively in
    clause j, cj 1
  • else
  • 8 j s.t. var i occurs negatively in clause
    j, cj 1
  • y c1 c2 cm
  • Assert (y0 Ç y1 Ç ym-1)

61
Encoding disjunction
  • The check y1 Ç y2 can be encoded by the
    assertion F(y) F(1)F(2)-F(3-y)).
  • The above trick can be recursively applied to
    construct an assertion that encodes y0 Ç y1 Ç
    Ç ym-1
  • Eg., y0 Ç y1 Ç y2 can be encoded by encoding
  • F(y)F(0) Ç F(y)F(1)F(2)-F(3-y)

62
Conclusion
  • We showed how logical reasoning traditionally
    used in theorem proving can be exploited in an
    abstract interpretation setting.
  • We focused on conjunctive and universally
    quantified invariants over the domain of linear
    arithmetic and uninterpreted fns.
  • There are several other interesting issues in
    program analysis that we did not address
  • Destructive updates
  • Points-to analysis, Shape analysis
  • Path-sensitive analysis
  • Disjunctive invariants
  • Inter-procedural analysis
  • Procedure summaries
About PowerShow.com